Palo Alto Student Manual - c3226cb5 595e 49e0 B5a9 Acb7d1f067bf
Palo Alto Student Manual - c3226cb5 595e 49e0 B5a9 Acb7d1f067bf
Palo Alto Student Manual - c3226cb5 595e 49e0 B5a9 Acb7d1f067bf
Day 01
1. What is Firewall?
5. SP3
6. Packet Flow
7. Initial Access
What is Firewall?
A firewall is security devices used to stop or mitigate unauthorized access. The only traffic allowed on
the network is defined via firewall policies. Firewall is placed between a trusted network and an
untrusted network. Firewall grants or rejects access to traffic flows between untrusted & trusted zone. A
firewall inspect incoming and outgoing network related traffic.
State Full Inspection:
In State full Inspection firewall create the state table (conn table) on the basis of source IP, source port,
destination IP, destination port, protocol number and ingress zone. When firewall receive subsequent
request and reply packet for a flow then It will perform the lookup and session table if session
information is available in that case it will bypass the session setup stage and it will process the packet in
fast path.
2. Virtual devices:
Supported environment:
ESXi: All
KVM/Openstack: All
Hyper-V: All
AWS: VM100-700
Azure: VM100-700
IPsec throughput, all models: Varies according to model (originally was 250mbps, per the training,
however documentation states otherwise. Please see the hardware spec sheet at the top of this post for
specifics)
Virtual Systems
PAN OS:
Palo Alto Operating System is known as PAN-OS. PAN-OS based on Linux kernel. Palo Alto coded on top
of free BSD similar to Juniper firewall. Latest PAN-OS version is 10.x.
The strength of the Palo Alto Networks firewall is its Single Pass Parallel Processing™ (SP3) engine. Each
of the current protection features in the device (Anti-Virus, Spyware, Data Filtering and vulnerability
protection) utilize the same stream-based signature format. As a result, the SP3 engine can search for all
of these risks simultaneously.
The advantage of providing a stream-based engine is that the traffic is scanned as it crosses the box with
a minimal amount of buffering. This speed allows you to turn on advanced features like scanning for
viruses and malware without slowing down the firewall’s performance.
Palo Alto Networks offers processors dedicated to specific security functions that work in parallel.
On the higher end hardware models, the Data Plane contains three types of FPGA processors that are
connected by high-speed 1 Gbps busses:
• Signature Match Processor: Performs vulnerability and virus detection
• Security Processors: Multicore processors that handle security tasks such as SSL
decryption
• Network Processor: Responsible for routing, NAT, and network layer communication
On the higher-end hardware models, the control plane has its own dual core processor, RAM, and hard
drive. This processor is responsible for tasks such as management UI, logging, and route updates.
Single-Pass Architecture
Per-Packet Operations:
User/group mapping
Parallel Processing
Data plane:
Security Processing: App-ID, User-ID, URL Match, Policy Match, App Decoding, SSL/IPsec, decompression
Network Processing: Flow Control, Route Lookup, MAC lookup, QoS, NAT
Control Plane:
App-ID, User-ID, URL filtering, Vulnerability filtering, anti-spyware, anti-virus, Traps, file blocking, DOS
protection, Zone Protection, Wildfire
Packet Flow:
SECTION 1: OVERVIEW
SECTION 2: INGRESS STAGE
2.1 PACKET PARSING
2.2 TUNNEL DECAPSULATION
2.3 IP DEFRAGMENTATION
Ingress State:
The ingress stage receives packets from the network interface, parses those packets,
And then determines whether a given packet is subject to further inspection. If the
Packet is subject to further inspection, the firewall continues with a session lookup and
The packet enters the security processing stage. Otherwise, the firewall forwards the
Packet to the egress stage. Section 3 summarizes cases when the firewall forwards
Packets without inspection, depending on the packet type and the operational mode of
The interface.
Note: During packet processing, the firewall may discard a packet because of a protocol
Violation. In certain cases, due to firewall attack prevention features, it discards packets
Without configurable options. Section 2.1 enumerates such cases when the firewall
The wire.
The ingress port, 802.1q tag, and destination MAC address are used as keys to lookup
The ingress logical interface. If the interface is not found, the packet is discarded. The
IPv4: The firewall will discard the packet for any one of the following reasons:
• Truncated IP header
• IP protocol number 0
• TTL zero
• Land attack
• Ping of death
• Martian IP address
• IP checksum errors
IPv6: The firewall will discard the packet for any one of the following reasons:
• Truncated IP packet (IP payload buffer length less than IP payload field)
TCP: The firewall will discard the packet for any one of the following reasons:
• Checksum error
• Port is zero
• Invalid combination of TCP flags
UDP:
The firewall will discard the packet for any one of the following reasons:
• UDP payload truncated (not IP fragment and UDP buffer length less than
• Checksum error
The packet, if the firewall determines that it matches a tunnel, i.e. IPsec, SSL-VPN
1. The firewall decapsulates the packet first and discards it if errors exist.
2. The tunnel interface associated with the tunnel is assigned to the packet as
Its new ingress interface and then the packet is fed back through the parsing
Process, starting with the packet header defined by the tunnel type. Currently,
The supported tunnel types are IP layer tunneling, thus packet parsing (for a
2.3 IP Defragmentation
The firewall parses IP fragments, reassembles using the defragmentation process, and
Then feeds the packet back to the parser starting with the IP header. At this stage, a
Fragmentation errors, or if the firewall hits system limits on buffered fragments (hits
A packet is subject to firewall processing depending on the packet type and the
Interface mode. The following table summarizes the packet processing behavior for a
If the packet is subject to firewall inspection, it performs a flow lookup on the packet. A
PAN-OS’s implementation, the firewall identifies the flow using a 6-tuple key.
• Source and destination ports: Port numbers from TCP/UDP protocol headers.
For non-TCP/UDP, different protocol fields are used (e.g. for ICMP the ICMP
Identifier and sequence numbers are used, for IPsec terminating on device the
Security Parameter Index (SPI) is used, and for unknown, a constant reserved
• Protocol: The IP protocol number from the IP header is used to derive the flow
Key.
• Security zone: This field is derived from the ingress interface at which a packet
Arrives.
The firewall stores active flows in the flow lookup table. When a packet is determined to
Be eligible for firewall inspection, the firewall extracts the 6-tuple flow key from the
Packet and then performs a flow lookup to match the packet with an existing flow. Each
Flow has a client and server component, where the client is the sender of the first
Packet of the session from firewall’s perspective, and the server is the receiver of this
First packet.
Note: The distinction of client and server is from the firewall’s point of view and may or
May not be the same from the end hosts’ point of view.
Based on the above definition of client and server, there will be a client-to-server (C2S)
And server-to- client (S2C) flow, where all client-to-server packets should contain the
Same key as that of the C2S flow, and so on for the S2C flow.
After the packet arrives on a firewall interface, the ingress interface information is
Used to determine the ingress zone. If any zone protection profiles exist for that
If the first packet in a session is a TCP packet and it does not have the SYN bit set,
If SYN flood settings are configured in the zone protection profile and action is set to
SYN Cookies, then TCP SYN cookie is triggered if the number of SYN matches the
• The seed to encode the cookie is generated via random number generator
• If an ACK packet received from the client does not match cookie encoding,
Number translation because the firewall acted as a proxy for TCP 3-way
Handshake.
If the SYN Flood protection action is set to Random Early Drop (RED) instead, which
Is the default, then the firewall simply drops any SYN messages that are received
After hitting the threshold. SYN Cookies is preferred when you want to permit more
Legitimate traffic to pass through while being able to distinguish SYN flood packets
and drop those instead. RED, on the other hand, will drop SYN packets randomly and
can impact legitimate traffic equally.
Note: You can configure the firewall to allow the first TCP packet, even if it does not
have SYN bit set. Altering the default behavior and allowing non-SYN TCP packets
Through poses a security risk by opening up the Firewall to malicious packets not
You should configure the firewall to reject TCP non-SYN when SYN cookies are
Enabled.
Section 8: Summary
Palo Alto Networks next-generation firewalls use a unique Single Pass Parallel
Processing (SP3) Architecture–which enables high-throughput, low-latency network
Security, all while incorporating unprecedented features and technology. Palo Alto
Networks solves the performance problems that plague today’s security infrastructure
With the SP3 architecture, which combines two complementary components-Single
Pass software, Parallel Processing hardware. The result is an excellent mix of raw
Throughput, transaction processing, and network security that today’s high performance
Networks require.
Multipass Architecture:
However, if you looked within the UTM devices, you would find that each functionality was being
handled by a different software stack in a serial manner. So each security feature introduced its own
latency to the network traffic. For example, the firewall would process traffic with a significant reduction
in speed if you turned on antivirus detection.
An additional cost of UTM devices is that the features are typically managed independently. This
management complexity adds significant time to any configurational response.
In the past, service providers and network engineers usually preferred to have single devices provide
individual functions within the network. For example, one device would do URL filtering, another device
would do antivirus scanning, and another device would provide QoS. This approach assumed that using
the “best-of-breed” for each device provided the highest quality service.
This approach had many problems. Each device added its own latency to the network traffic. Also, it was
difficult to get a comprehensive overview of traffic and threats on a network from so many disparate
devices.
This problem led vendors to provide Unified Threat Management (UTM) devices that performed all the
necessary functions to protect a network in a single device.
Initial Access:
Palo Alto Networks firewalls are built with a dedicated out-of-band management interface, labeled
MGT. This interface only passes management traffic for the device and cannot be configured as a
standard traffic interface. Administrators use this interface for direct connectivity to the management
plane of the firewall. By default, this interface has an IP address of 192.168.1.1.
Initial configuration of the firewall can be accomplished by connecting to the MGT interface address or
through a console session on the firewall. The console interface is an RJ-45 connection for all devices.
The default username of “admin” has a default password of “admin”. A warning message appears in the
Web UI and the CLI until the default password is changed. This admin account cannot be deleted or
disabled.
#commit
The MGT interface can also be set up within the WebUI. By default, Palo Alto Networks firewalls are
configured with an IP address of 192.168.1.1 on the MGT interface.
1. Address your laptop Ethernet port with an address in the 192.168.1.0/24 subnet.
7. From this location, set the networking information for the MGT interface of the firewall.
The WebUI is supported on Internet Explorer 7+, Firefox 3.6+, Safari 5+, and Chrome 11+.
By default, HTTP, SNMP, and Telnet are disabled on the MGT interface, but HTTPS, SSH, and Ping are
enabled by default. These settings can be configured as appropriate for the environment. For additional
security, the Permitted IP Addresses field restricts administrative access to specific IP addresses.
When you experience intermittent WebUI connectivity issues, change the Speed attribute from auto-
negotiate to match the settings of the network. This change can alleviate the problem.
DNS and NTP Configuration:
------------------------- END ------------------------
Day 03
!
Changes to the configuration of the firewall are logged within the Configuration Log, which is accessed
through the Monitor Tab > Logs > Configuration. The configuration log contains details that include the
date and time of the configuration change, the Administrator who made the change, the host IP address
of the Administrator’s system, and the command and its result. For specific information and searches,
you can set filters to find specific information within this log.
Licensing and Registration of Palo Alto Firewall in Support Portal:
When you purchase a VM-Series firewall, you receive a set of authorization codes by email. Typically the
email includes authorization code(s) to license the VM-Series model that was purchased (VM-100, VM-
200, VM300, VM-1000-HV), support entitlement that provides access to software/content updates (for
example, PAN-SVC-PREM-VM-100 SKU auth-code), and any additional subscriptions such as, Threat
Prevention, URL Filtering, GlobalProtect, or WildFire.
To use the authorization code(s), register the code to the Support account on the Palo Alto Networks
Support portal. If you have an existing Support account, access the VM-Series Authentication Code link
on the Support portal to manage the VM-Series firewall licenses and download the software.
If you do not have an existing Support account, use the capacity auth-code to register and create an
account on the Support portal. After the new account is verified and the registration is complete, you
can log in and download the software package that is needed to install the VM-Series firewall.
To activate the license on your VM-Series firewall, you must have deployed the VM-Series firewall
already and completed initial configuration. The firewall must be configured with an IP address,
netmask, default gateway, and DNS server IP address.
Until you activate the license on the VM-Series firewall, the firewall does not have a serial number, the
MAC address of the dataplane interfaces are not unique, and only a minimal number of sessions are
supported. The MAC addresses are not unique until the firewall is licensed, so to prevent issues caused
by overlapping MAC addresses, make sure that you do not have multiple, unlicensed VM-Series
firewalls.
When you activate the license, the licensing server uses the UUID and the CPU ID of the virtual machine
to generate a unique serial number for the VM-Series firewall. The capacity auth-code is used in
conjunction with the serial number to validate your entitlement.
The Palo Alto Networks firewall features are licensed individually. You can activate just the functionality
that is required for implementation. Only the features that are currently licensed are displayed in the
Device > Licenses section of the WebUI. Several types of feature licenses are available: threat
prevention, WildFire, URL filtering databases, virtual systems, decryption port mirroring, GlobalProtect,
and multiple gateways and host checks require a license.
In addition to the feature licenses, the firewall must also have a valid support license. The support
license entitles access to the Support portal where trouble tickets can be submitted to the Technical
Assistance Center (TAC). Additionally, the support license enables you to receive product and security
alerts from Palo Alto Networks based on the serial number of your firewall.
Also, you can purchase a Palo Alto Networks firewall with a “software license” option. This option is
necessary in countries that have a high tax on hardware but a low tax on software. Before the license
key is installed using the console or SSH, the PAN-OS is in maintenance mode. This on-demand license
option allows the customer to purchase the hardware and software as two separate items.
On-demand or usage-based licensing is available in Amazon Web Services (AWS) that allows you to
obtain the Amazon Machine Image (AMI) for the VM-Series firewall from the AWS Marketplace and
deploy the firewall for use in a virtual private cloud (VPC). This option allows you to consolidate your
billing of AWS resources and the usage fees—at an hourly or a yearly rate—for the VM-Series firewall.
Also, a self-service license is available that allows you to deactivate the active licenses on a firewall to
make them available for another firewall.
Dynamic Updates:
Palo Alto Networks posts updates with new or revised application definitions, information on new
security threats (such as, antivirus signatures, URL filtering criteria), and updates to GlobalProtect data.
You can also view the latest updates, read the release notes for each update, and then select an update
to download and install.
To download application and threat updates, you must have a threat prevention license.
Updates are issued on the following schedule:
• Antivirus: daily
On the Dynamic Updates page, you may see two entries listed in the Application and Threats, Antivirus,
or URL Filtering area, one for the currently installed version and one for the latest version available on
the update server. If the latest version is already installed, only a single entry is listed.
Power Operations:
The firewall can be gracefully shut down or rebooted from the WebUI. Either
action deletes the candidate configuration in memory, so be sure to save or
commit to preserve changes.
-> request restart system
-> request shutdown system
-> request restart dataplane
If the firewall is shut down by these commands, it must be powered up manually by unplugging and
reconnecting the power cords on the firewall.
Reset to factory configuration
-> request system private-data-reset
To reset the system to factory default, you must enter maintenance mode. To enter maintenance mode,
reboot the box, and as the system is booting up, type the word “maint” into the CLI through the console
port. After some time, you can choose an option to have the system reset to default, including the
default admin password.
After the system is reset to default, the MGT port IP address must be configured through the serial port
CLI. Use the “set deviceconfig system ip-address <IP> netmask <mask> default-gateway <IP>” command.
This is a critical process following a product evaluation, that will ensure that no information remains on
the evaluation device for later use.
Administrative Controls
WebUI
Panorama
CLI
XML API
Initial Access to System
MGT is out of band, connected to the management plane; default IP it is [192.168.1.1/24]
(https://192.168.1.1/24) for physical. VM is DHCP.
Console port (RJ45) 9600,8,N,1
Admin/Admin default login (nag screen until changed)
MGT can be set for DHCP (although Static is highly recommended)
Initial config
Factory Reset instructions:
o ‘Request system private-data-reset’ if you have CLI access
o If no CLI access, reboot into MAINT mode (see PAN documentation for further
information)
Hostname limited to 31 characters
Configure new IP if needed, hostname, domain name (if wanted), and Gateway
MGT does updates for updates, DNS, NTP, unless done on a data port.
Add Service route(s) if any are needed.
HTTPS, SSH and Ping are enabled by default on the MGT Interface
Minimum MGT Config are IP Address, Netmask and Default Gateway
MGT port is used by default to access external management services, such as:
o PAN Update Servers
o NTP
o DNS
Inband port can be set up to for service routes to perform these services which ports to
retrieve them from if MGT port is not able to.
Configuration Management
Running config: active config running on the FW – running-config.xml
Candidate config: sandbox configuration; when a commit is done, candidate replaces the
running config.
Previous configurations are saved. These can be reverted, exported, saved out, and
imported.
Admin-Level commit will commit all changes made by anyone (if commit all changes is
selected)
Config changes are logged under the admin logged in for change tracking
Commit locks stop other admins from committing changes
Config locks stop other admins from making any candidate config changes
Admin Locks can only be removed by the admin that put the lock in place, or by a super
admin.
Candidate Configuration is stored on control plane memory
Running configuration is written to both control and dataplane memory
Licensing and Software Updates
Registration with PAN is first step – support page and register new device. Generally this will
send an activation code to your email.
Retrieve License from PAN License server
VM’s can be downloaded from the software page after registration
Activate support license needed before activating other optional licenses
(URL/threat/Wildfire, etc)
(if licensed) Set the dynamic updates for update/install on specific intervals
Update the Dynamic updates before upgrading the PanOS code. If no subscription,
download and install manually.
Update the PanOS software. Steps to upgrade will likely be needed if upgrading
between major versions (7.0 ->8.0 for example)
Account Administration
Administrators can be created with specific access, using Admin Roles.
External auth servers supported are LDAP, Kerberos, RADIUS, TACACS+, SAML,
along with 2FA are supported.
For non-local admins, create an admin role profile, server profile, authentication
profile. authentication sequence is optional.
2 types of admin role profiles:
o predefined dynamic profiles
super user, superuser(read-only), device administrator, DA (read-only), VS
Admin, VS Admin (read-only).
administrator defined role based profiles
These can be granularity specified for specifically what they have access to,
and functions they can change, update or view.
o Predefined local admin accounts are:
o super user, superuser(read-only), device administrator, DA (read-only)
o local admin accounts can be set for minimum passwords, password aging and
password complexity. Not enabled by default.
Creating non-local admins by creating an authentication profile.
o Multiple servers can be used. LDAP, then RADIUS would be an example.
o Create Server profile, then (optional) auth sequence, then authentication profile.
o Allow list can be used for those that will be allowed to use certain auth profiles.
Viewing and Filtering Logs
Clicking any link in the Monitor > Traffic (or other entries) will filter the logs to only
show entries with those
Filters can be saved and loaded for quick access
GUI -> Monitor -> System -> See details by setting up the filter ( eventid eq link-change ) and
( object eq 'ethernet1/21' )
Or
show log system query equal "( eventid eq link-change ) and ( object eq 'ethernet1/21' )"
show log system query equal "( eventid eq link-change ) and ( object eq 'ethernet1/21' )"
direction equal backward
show log system (display all system log)
show log traffic app ssl (Display traffic log for ssl traffic)
show log traffic query equal "( addr.src in 11.50.151.228 ) and ( addr.dst in 17.188.145.51 )"
show log traffic from equal 11.50.136.218 to equal 199.19.250.205 dport equal 80
Show log traffic src in 11.50.136.218 DST in 199.19.250.205 dport equal 80
2. L2 Tshoot
Layer 2 MAC leaning, VLAN missmatched, Layer 2 loop, Aggregated interface and LACP
show mac all (Shows the mac details for vlan, interfaces)
show routing interface (it will show all interfaces which will participate on Routing)
show routing interface | match ae1.960
!
show arp all (This is shows the ARP is resolving or not for an IP/nextHop IP)
show arp all | match 30.191.60.39
!
test routing fib-lookup virtual-router Extranet-VR ip "26.122.64.10" (for getting the next hop)
!
show routing route destination 10.1.1.0/24 (Used to see the all next hops for the 10.1.1.0/24
)
show routing fib virtual-router Extranet-VR | match 10.1.1.0/24 (It will give the active
nexthop or preferred next hop).
!
Case 01 :: Static Route issues
!
1. A route can be down 1. Local interface to reach NextHop is down. 2. NextHop can not be
resolved locally via ARP.
!
We use the following command to test an active route exit for a destination.
#show routing route destination 10.1.1.0/24
#show arp all
#test routing fib-lookup ip 10.1.1.100 virtual-router Extranet-VR
!
2. If a static route remain inactive make sure to
!
Use correct nexthop type (IP address)
Use the correct Virtual router (If dealing with multiple VR)
Use the correct routing table (Unicast/Multicast)
!
3. Also check the routing table exceed limits
#show routing fib virtual-router default afi ipv4
#show routing resource
!
show interface all (Use to see the IP address/Zone of an interface)
ping count 3 source 165.197.216.4 host 165.197.216.1
traceroute source 165.197.216.4 host 165.197.216.1
!
Case 02 :: Missing Route
!
ping count 3 source 10.1.1.250 host 10.1.1.221 (Not pinging)
show routing route destination 10.1.1.0/24 (look for next hop)
show arp all (For next hop) (No arp for next hop) Fix the route for the route
ping count 3 source 10.1.1.250 host 10.1.1.221
!
@@@@@@@@@@@@@@@@@
debug dataplane packet-diag set filter on
debug dataplane packet-diag set filter match source 192.168.140.60 destination
192.168.122.60
debug dataplane packet-diag set capture stage drop file DP.pcap
debug dataplane packet-diag set capture stage firewall file FW.pcap
debug dataplane packet-diag set capture stage receive file RX.pcap
debug dataplane packet-diag set capture stage transmit file TX.pcap
debug dataplane packet-diag set capture on
!
> show counter global filter delta yes packet-filter yes
!
> debug dataplane packet-diag show setting
!
Packet capture is disabled
> debug dataplane packet-diag set capture off
debug dataplane packet-diag set filter off
debug dataplane packet-diag set clear all
!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
tcpdump filter "host 10.16.0.106 and not port 22"
tcpdump filter "host 10.16.0.106 and not port 443"
!
view-pcap mgmt-pcap mgmt.pcap
!
Filter By Port
> tcpdump filter "port 80"
Filter By Source IP
> tcpdump filter "src x.x.x.x"
Filter By Destination IP
> tcpdump filter "dst x.x.x.x"
Filter By Host (src & dst) IP
> tcpdump filter "host x.x.x.x"
Filter By Host (src & dst) IP, excluding SSH traffic
> tcpdump filter "host x.x.x.x and not port 22"
!!! Exporting the log by scp.
> scp export mgmt-pcap from mgmt.pcap to 192.168.137.1
!!! Exporting the log by tftp.
> tftp export mgmt-pcap from mgmt.pcap to 192.168.137.1
!
@@@@@@@@@@@@@@@@@@@@@@@@@@@
Verify Sessions
---------------
>show session all filter source ip1 destination ip2
Clear debug logs & filters
--------------------------
>debug dataplane packet-diag clear all
>debug dataplane packet-diag clear log log
Investigate Counters
--------------------
>debug dataplane packet-diag set filter match source ip1 destination ip2
>debug dataplane packet-diag set filter match source ip2 destination ip1
>debug dataplane packet-diag set filter on
> show counter global filter delta yes packet-filter yes severity drop
---- Type the command above many time ----
Full debug Mode
---------------
>debug dataplane packet-diag set filter match source ip1 destination ip2
>debug dataplane packet-diag set filter match source ip2 destination ip1
>debug dataplane packet-diag set filter on
>debug dataplane packet-diag set log feature flow basic
>debug dataplane packet-diag set log feature appid basic
>debug dataplane packet-diag set log feature tcp all
> debug dataplane packet-diag set log on
---- Wait for the problem to surface ----
> debug dataplane packet-diag set log off
> debug dataplane packet-diag aggregate-logs
> less mp-log pan_packet_diag.log
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
admin@firewall> debug dataplane packet-diag set filter match ?
+ destination Destination IP address
+ destination-netmask Destination netmask <<<< new option for network
+ destination-port Destination port
+ ingress-interface Ingress traffic interface name
+ ipv6-only IPv6 packet only
+ lacp LACP packet
+ non-ip Non-IP packet
+ protocol IP protocol value
+ source Source IP address
+ source-netmask Source netmask <<<< new option for network
+ source-port Source port
| Pipe through a command
!
Use the following command to configure the firewall to bypass asymmetric routing globally.
# set deviceconfig setting tcp asymmetric-path bypass
Use the following command to check the current action on asymmetric traffic:
> show running tcp state | match asymmetric
session with asymmetric path : drop packet
!
IPsec VPN Tshoot ::
!
Phase 01
1. PSK, Phase 01, Phase 02 Parameter mismtach
2. Wrong IKE Egress Interface
Phase 02
3. Wrong tunnel interface and zone
4. Proxy ID mismatch
!
5. NAT Traversal
6. Routing :: Incorrect route
!
If IPsec not comming up:: 1. Check the session table, If session not exist which means its a
routing or Security policy issue. If session is exist then check tunnel interface is used or not.
>show session id 1111
!
Phase 1 Mismatch can we identify by running below command:
> show vpn ike-sa
!
-> system log :: filter: ( subtype eq vpn )
!
IKE Log ::
> tail follow yes mp-log ikemgr.log
!
Phase 02 Tshoot ::
!
1. Check tunel interface and zone
2. check security policy
3. Check Phase 02 Policies (IPsec Crypto Profile) and Proxy ID.
Default Proxy ID :: local 0.0.0.0/0, remote 0.0.0.0/0, Protocol any.
!
Check the System Logs;: -> system log :: filter: ( subtype eq vpn )
!
NAT Traversal :: NAT-T is mandatory if vpn gateway behind the NAT Device.
-> IPsec packets dont have a layer 4 header by default.
-> NAT-T will add an extra UDP header to the IPsec packet to allow PAT.
-> With-Out NAT-T, The IPsec tunnel can establise but ESP packet are lost in the transit.
-> in case of any NAT device, enable NAT-T on both side.
!
Routing Issues :: For IPsec forwarding decision start with a route, make sure you have a route
pointing to the tunnel interface.
!
-> system log :: filter: ( subtype eq vpn )
-> show log system subtype equal vpn direction equal backward
!
-> test vpn IPsec-sa tunnel <name>
-> show vpn IPsec-sa
-> show vpn ike-sa
-> show vpn flow
-> show vpn flow tunnel-id 1
-> show session all filter protocol 50
-> show session all filter destination <peerIP> destination-port 500
-> less mp-log ikemgr.log
Packet capture
-> debug ike pcap on/off/delete
-> debug ike global on debug
-> scp export debug-pcap
-> view-pcap <options> debug-pcap ikemgr.pcap
!
IKE Log ::
> tail follow yes mp-log ikemgr.log
!
Description of Issues:
Wrong IP: The IP address used for the remote gateway is either wrong or there is no IP
connectivity between the two public interfaces.
No matching P1 or P2 Proposal: The peers cannot find matches for the 5 parameters of the IKE
Phase 1 or Phase 2 proposals.
Mismatched Peer ID: Value entered for Peer ID’s do not match.
PFS Group mismatch: Both sides have PFS enabled but with different DH groups.
Mismatched Proxy ID: The values for local and remote proxy ID are not correct. Most commonly
happens when interoperating with policy based VPNs.
Error Messages:
P1 – Timeout: IKE phase-1 negotiation failed as initiator, main mode. Due to timeout.
No suitable proposal (P1): IKE phase-1 negotiation failed. no suitable proposal found in peer's
SA payload.
Peer identifier does not match: peer identifier does not match remote Remote2.
No proposal chosen: IKE protocol notification message received.
No suitable proposal (P2): IKE phase-2 negotiation failed when processing SA payload.
P2 – Timeout: IKE phase-2 negotiation is failed as initiator, quick mode. Due to timeout.
PFS group mismatch: pfs group mismatched: my:2 peer:5.
Cannot find matching tunnel: IKE phase-2 negotiation failed when processing proxy ID.
Security zones are used to group like-devices, user groups, locations or specific-use systems.
In-band interfaces are traffic-passing ports, ex: ethernet1/1, 1/2, etc
Each interface (or subinterface) can only be assigned to one zone
A zone can have multiple physical or logical interfaces
!
Traffic inside zones is allowed by default. Example: Trust to trust is permitted by default
Traffic outside zones is denied by default. Example: Untrust to DMZ is NOT permitted by
default
Palo Alto Networks firewalls use the concept of security zones to secure and manage your
networks. These zones are a logical grouping based on a particular type of traffic on your
network. The physical location of a zone and its traffic is irrelevant. In fact, zones may reside at
different locations throughout your enterprise network.
Zone names have no predefined meaning or policy associations. They may help designate
specific users, a group, a location, a function, or an entity.
Systems with similar security needs are grouped into zones. For example, the traffic going out
of a DMZ server is very different than the traffic on a server inside the corporate data center.
We would expect to see traffic initiated from the Internet making connections into the DMZ but
we would never want to see this same kind of traffic going into the data center.
This depiction of zones shows five distinct security zones: DMZ, Guests, Users, Internet, and
Data Center.
By default, PAN-OS zone rules allow intra-zone traffic to pass because it resides within the same
zone. However, inter-zone traffic (that traffic that is traversing to another zone) is denied by
default. More information about these zone rule types is provided in the next module, “Security
and NAT Policies.”
A logical interface, including VLAN-tagged subinterfaces, must be a member of only one zone.
However, a zone can have multiple interfaces.
Numerous methods can be used to integrate Palo Alto Networks firewalls into your
environment. Many implementations evolve over time, and they transition between some or all
of these possible configurations.
Let’s review some of the few Ethernet interfaces that can be utilized and employed based upon
your deployment method:
• Tap: Using Tap interfaces, the firewall can be connected to a core switch’s span
port to identify applications running on the network. This option requires no
changes to the existing network design. In this mode the firewall cannot block
any traffic.
• Virtual Wire: Using Virtual Wire interfaces, the firewall can be inserted into an
existing topology without requiring any reallocation of network addresses or
redesign on the network topology. In this mode, all of the protection and
decryption features of the device can be used. NAT functionality is provided in
this mode.
• Layer 2: Using Layer 2 interfaces, all of the protection and decryption features of
the firewall can be used for trunk (VLAN) interfaces. Layer 3 support, for VLAN
switching, can be employed with VLAN interfaces.
• Layer 3: Using Layer 3 interfaces, the firewall can take the place of any current
enterprise firewall deployment.
A unique advantage of the firewall is the ability to mix and match these interface types on a
single device. The same firewall can be deployed in Tap mode for one portion of the network
and be in Virtual Wire mode for another
TAP Interfaces:
Interface for receiving data from a mirror port on a switch. Generally used to gather data on the
network in preparation for building security polices prior to cutover.
TAP cannot do anything with the traffic, be it control or shaping.
TAP must be assigned to a TAP security zone.
An Any/Any/Allow rule set with source/dest zones to the TAP zone the interface is in is needed
to start this data gathering, or the data is dropped by the FW in the default deny rule.
Tap mode deployment allows the ability to passively monitor traffic flows across a network by
way of a switch SPAN or mirror port.
• Useful for evaluating and auditing an existing network.
• No network or design changes are needed.
By using Tap interfaces, the device can be connected to a core switch’s SPAN or mirror port to
identify applications running on the network. This option does not require changes to the
existing network design. In this mode, the device cannot block traffic or filter based on URL.
If the SPAN port passes encrypted traffic, the Tap interfaces support only SSL inbound
decryption. An internal server certificate must be installed on the firewall and a decryption
policy must be defined for the traffic to be decrypted. Decryption is discussed in detail later in
this course.
Even though Tap interfaces do not pass traffic like the other interfaces, a zone assignment still
is required. Policies are required for logging, and policies require zones to work. To allow
logging, policies are configured with the source and destination zones set to the zone that
contains the Tap interface.
This is used as a L2 firewall installation in-line. This way, the firewall can be ‘dropped’ in without
any reconfiguration of the network.
Interfaces will be L2, no IP’s, L3 routing ,FW managment or IPSec termination point is available.
Create VWire instance, and add the interfaces if they have been set to VWire. If interfaces are
not set, save the VWire instance and then go to the interfaces and add them into the VWire
under interface type. A Vwire Zone is also needed.
Vwire fully supports 802.1q VLAN tagging, and will pass tagged and untagged traffic as long as
there is a security policy to allow it.
Multiple VWire subinterfaces can also be created. Each sub-interface can be set in any zone,
and set as L2 or L3 interfaces.
An L3 subinterface can be used for IP-routing, IPSec termination tunnels, and zone traffic
routing and traffic control.
!
If the Virtual Wire interfaces have not yet been configured, the interface fields can be left blank.
A Virtual Wire can block or allow traffic based on 802.1Q VLAN tag values. Specific tag numbers
(0 to 4094) or a range of tag numbers (tag1-tag2) can be specified to limit the traffic allowed on
the Virtual Wire.
A tag value of zero, which indicates untagged traffic, is the default. Multiple tags or ranges must
be separated by commas. Traffic that has an excluded tag value is dropped. Tag values are not
changed on incoming or outgoing packets.
To allow all traffic, tagged and untagged, set Tag Allowed to 0-4094.
To apply security rules to multicast traffic, select the Multicast Firewalling check box. If this
setting is not enabled, multicast traffic is forwarded across the Virtual Wire.
If the Virtual Wire object has not been configured, the Virtual Wire field can be left blank. The
interface names can be specified when the Virtual Wire object is created.
A zone is required because traffic will flow between Virtual Wire interfaces. Only zones that
match the interface type are listed in the pull-down menu in the interface.
The firewall can generate and export NetFlow Version 9 records with unidirectional IP traffic
flow information to an outside collector. NetFlow export can be enabled on any ingress
interface in the system. This feature is available on all platforms except the PAN-4000 Series
models.
Layer 2 Interfaces:
Layer 2 switches traffic between 2+ interfaces. This makes the networks into a single ether
broadcast domain.
Steps to create a Layer 2 interface:
create a vlan object under Network >
configuring the L2 interfaces
L2 does not participate in STP, but forwards STP packets.
L2 can do SSL Decrypt, User-ID, App-ID, Content ID, QoS.
Cannot do FW management, as no IP address.
Subinterfaces can be added to an 802.1q vlan
More than one VLAN can be added to the same top level port (example: e1/1.1 in vlan1 and
e1/1.2 in vlan2). However, as there is no routing function, an external router, and security
policies would be needed to route the data between the vlans.
Best practice is to use L3 subinterfaces to provide inter-VLAN routing.
Layer 3 Interfaces:
To configure a Layer 3 interface, the minimum required properties are the IP address, zone, and
virtual router.
When the Palo Alto Networks firewall operates in the Layer 3 mode, it can provide routing and
Network Address Translation functions.
All Layer 3 interfaces in a specific virtual router share the same routing table.
Layer 3 interfaces can be configured as a DHCP client for situations where the firewall must
have a dynamically assigned IP address.
Layer 3 interfaces can also be configured to provide access to the management interfaces by
assigning them a management profile.
The local MTU setting on an interface overrides the global MTU setting set in Session Settings.
To enable jumbo frames on the device and set a default global MTU value, select Device >
Setup > Session and edit the Session Settings.
You can assign multiple IP address to the same interface, though they shouldn’t be in the same
subnet.
You can configure the firewall to be a Point-to-Point Protocol over Ethernet (PPPoE)
termination point to support connectivity in a digital subscriber line (DSL) environment where
there is a DSL modem but no other PPPoE device to terminate the connection.
You can configure the firewall interface to act as a DHCP client and receive a dynamically
assigned IP address. The firewall also provides the capability to propagate settings received by
the DHCP client interface into a DHCP server operating on the firewall. This capability is most
commonly used to propagate DNS server settings from an Internet service provider to client
machines operating on the network protected by the firewall.
The default gateway received from the DHCP server is injected into the routing table as a
default route.
Management Profile:
By default, any management traffic sent to or from the firewall goes through the out-of-band
management (MGT) interface. Alternatively, a Layer 3 interface can be used to source this
traffic and also receive inbound management traffic.
Management features enabled by the profile can be restricted to a specific IP address with the
Permitted IP Addresses panel. If configured, only the IP addresses listed can use the services
selected when the profile is defined. If the field is left blank, the profile allows any IP address to
use the configured services.
Profile can be applied to an L3 interface. Protocols that can be allowed or denied are:
Ping, Telnet, SSH, HTTP, HTTP-OCSP, HTTPS, SNMP, Response Pages, User-ID, User-ID Syslog
Listener-SSL, User-ID Syslog Listener-UDP
Can be assigned to L3, loopback and tunnel interfaces (interfaces that have an IP address).
Security Policies are required to allow traffic to non-MGT interfaces
Can have a ‘permitted IP’ list that will only allow a specific source IP address or subnet access to
that specific set of permitted services.
Layer 3 Sub-interfaces
Assigned to a Layer 2 802.1q vlan
different L3 sub-ints can be added to the same physical interface, but can only route at layer 3
between them if there is a route at (and security policy for the traffic) in the VR.
Configured under Network > Interfaces > Ethernet
The configuration is the same as a standard Layer 3 interfaces configuration, with the exception
of adding a vlan tagged
Untagged L3 sub-ints can be used, but the ‘untagged interface’ must be selected on the main
interface advanced tab.
Virtual Routers:
Used for Layer 3 IP routing
Supports one or more static routes
Supports multiple dynamic routing protocols, including RIPv2, OSPFv2, OSPFv3, BGPv4
Supports Multicast routing protocols PIM-SM and PIM-SSM (both using pimv2)
IGMP v1, v2, v3 are also supported on host-facing interfaces.
Virtual routers can be linked together so that traffic can be routed between more than one
virtual router.
click: Network > Virtual Routers > Static Routes > Add
Give the VR a name
add a default of [0.0.0.0/0;](https://0.0.0.0/0;) specify the interface this route will forward
packets on (security policy will be needed to route the traffic).
Set the next hop type from the list: IP Address, Next VR, Discard or None. Typically a default
route is sent to a next hop IP address (upstream to an edge router or ISP link). Next VR sends it
to the specified Virtual router (not this one), Discard will Discard (and no log). None is used if
there is no text hop for the route.
Set any changes to the admin distance that are needed. Administrative distance defaults are
specified by the type of route (static, connected, ospf, bgp, etc). leaving this blank will set it to
the default value.
Set any metric changes desired. This is useful if you have multiple links out and want to prefer
one over the other. If the preferred link fails, the other route can be used to forward packets.
Select which routing table to install the route in: Unicast, Multicast, Both or no install. No install
would stage the route, but would not be actively used.
Bi-Directional Forwarding can be selected. Both endpoints must support BFD. (see docs for
more details)
BFD is not supported on the PA-200 or the PA-500
Multiple Static Default Routes
Multiple SDR’s can be configured
Route with lowest metric will be installed in the forwarding table
Path Monitoring can be used to determine if the route is usable.
if Path Monitoring detects a failure, FW will switch to the higher metric route until the lower
metric path is restored.
Virtual routers provide support for static routing and dynamic routing using the Routing
Information Protocol (RIP), Open Shortest Path First (OSPF) protocol, and Border Gateway
Protocol (BGP).
The multicast routing feature allows the firewall to route multicast streams using Protocol
Independent Multicast Sparse Mode (PIM-SM), and PIM Source Specific Multicast (PIM-SSM)
for applications such as media broadcasting (radio and video) with PIMv2.
The firewall performs Internet Group Management Protocol (IGMP) queries for hosts that are
on the same network as the interface in which IGMP is configured. PIM-SM and IGMP can be
enabled on Layer 3 interfaces.
IGMP v1, v2, and v3 are supported. PIM and IGMP must be enabled on host-facing interfaces.
Standards-based support for OSPF: With PAN-OS 6.0, OSPF v2 and OSPF v3 are supported.
Path Monitoring can be configured under: Network > Virtual Routers > Static Routes > Add
On the bottom of the static route configuration, click the check on Path Monitoring
Multiple failure conditions can be added. single or multiple source/dest entries can be set as
criteria. select either ‘any’ or ‘all’ when configuring more than one condition.
On the source IP, a drop-down provides all IP’s configured on the firewall. Generally the IP on
the interface being configured for path monitoring is selected.
Add the destination IP to send ping requests
Set interval for ping interval and ping counts.
If the lowest metric link fails monitoring, and then is restored, the ‘Preemptive hold time’
setting will be the timeout that the firewall will wait before failing traffic back to the lower
metric link. This is defaulted to 2 minutes, but can be changed.
Troubleshooting Routing:
The ‘More Runtime Stats’ on the Network > Virtual Routers page will pull up a new screen to
show the stats on the current VR.
Routing and Route table has all known routes (RIB)
Forwarding Table has all routes of where traffic will be forwarded to (FIB)
Static Route Monitoring tab will show the status of all Path Monitors configured.
The More Runtime Stats link displays detail tabs to check the configuration of the supported
dynamic routing protocols: RIP, OSPF, and BGP.
VLAN Interfaces:
VLAN are Layer 2 802.1q network
VLAN objects can be assigned and IP address, and connected to Layer 3 networks for Layer 3
routing
Configure under Network > Network > VLAN > Add
All vlan interfaces will start with ‘vlan’ – add the ID number (NOT a vlan ID, but matching them
is recommended to avoid confusion).
Interface must be assigned to an exiting vlan
If one doesn’t exist or a new VLAN interface is needed, selecting ‘New VLAN’ on the drop down
can be done to create a new VLAN.
Select the virtual router to add the interface to
Select the Security Zone to add the interface to.
Loopback Interfaces:
Loopbacks are logical interfaces that do not have a physical presence. They are assigned in a
security zone and can be reached by their IP through another physical main or sub interface.
Typical use includes Management UI access, Global Protect interface, or IPSEC tunnel interface
termination point.
Configure under Network > Interfaces > Loopback
Loopback interfaces always start with ‘loopback’, which cannot be changed. the ID number is
set by the admin
Configured the same as a Layer 3 interface; Only exception is a loopback IP must be a /32 host
IP.
Set the VR and the Security Zone the LB will be added to.
Policy-Based Forwarding:
Normally, when traffic enters the firewall, the ingress interface virtual router dictates the route
that determines the outgoing interface and destination security zone based on the destination
IP address.
With policy-based forwarding (PBF), you can specify other information to determine the
outgoing interface, including:
• Source and destination IP addresses
• Source zone
• Source user
• Destination application
• Destination service
The initial session on a given destination IP address and port that is associated with an
application does not match an application-specific rule. The session is forwarded according to
subsequent PBF rules that do not specify an application or the forwarding table of the virtual
router.
All subsequent sessions on that destination IP address and port for the same application
matches an application-specific rule.
To ensure forwarding through PBF rules, application-specific rules are not recommended.
PBF rules are used to send specific traffic to an interface that is not the default route the traffic
would follow from the routing table.
Use cases would include a private leased line you want to use for unencrypted traffic or traffic
that needs low latency (VoIP, etc), while letting non-critical encrypted traffic over a DIA (direct
internet access) circuit using an IPSec Tunnel.
PBF can be set using specific criteria, including source zone or interface, source user,
destination IP and/or port.
Includes a Path Monitoring feature; if the interface the PBF is sent out goes down, the traffic
will be able to go out the other interface.
Note: ethernet1/1 and ethernet1/11 are ISP interfaces configured in different zones L3-Untrust
and VPN respectively. However, these interfaces can be configured in same zone also
Route configuration with both default routes having "equal-cost"
Note: If both ISP interfaces are in the same zone, then destination interfaces need to be added
to the NAT policy as in the following screenshot:
Security policy configuration to allow the traffic: (covers both scenario when interfaces are in
same or different zone)
Note:
Max Path 2 means that only 2 equal cost paths will be installed in FIB table. If there are
more than 2 equal-cost paths that need to be installed in FIB table, change Max Path
value. Max supported value is 4.
Load balance method can be selected according to the requirement. For more
information about load balance algorithm, please click here
Enable Symmetric Return if reply packet should be sent out the same interface that the
request packet came in.
------------------------- END ------------------------
Day 05 and 06
1. Secuirty Policies
IntraZOne
InterZone
Universal
Unused Rules
Actions (Allow, Deny, Drop, reset client, reset server, Reset Both)
Profile Setting
Log Setting
Policy Schedule
2. NAT
Dynamic NAT
Dynamic IP and Port
Static NAT
Destination NAT
1. Destination NAT Example—One-to-One Mapping
2. Destination NAT Example—One-to-Many Mapping
3. Destination NAT with Port Translation Example
U-Turn NAT
1. WebServer in same Zone
2. Webserver in Diffirent Zone
!
show running security-policy
test security-policy-match from trust to untrust application web-browsing
show session id
show log traffic show-tracker equal yes
show running nat-policy (View NAT rules on the dataplane)
show running global-ippool (View NAT pools by index)
show running ippool (View NAT pools in use)
test nat-policy-match from L3-untrust to L3-untrust destination 172.16.5.1 source 15.1.3.71
protocol 255
The security policy consists of a list of security policy rules. Each security policy rule consists of
objects that describe the endpoints of the communication and the traffic to be matched. Rules
can be as specific as required. They are built using objects that hold values of addresses,
applications, users, and services.
The configured action, deny or allow, is taken only if a session matches all defined fields of the
security policy rule. If a match is not made, the session is compared against the next policy rule
on the list. When a match is found, no further policy rules are checked.
Security Policy:
When a session is initiated, the source and destination zones and addresses are determined
and the policy rule base is checked. A rule base exists for each zone pair. Rules can be created
with multiple source and destination zones, which is commonly done to define access to a DMZ
resource that is used in a similar fashion by clients in internal and external zones.
If a rule matches the addresses and can match the application, the session is allowed and the
system begins to examine the traffic to determine if the application is in use. For this reason, it
can be beneficial to configure specific or default ports for the applications being allowed. If the
service is defined as “any”, all sessions must be allowed to proceed until the point where
application-layer data is exchanged. Then the firewall can determine which application is inside
the session. If the service is anything but “any”, then many unwanted connections can be
dropped immediately. If the traffic and resulting application do not match any rule, the session
is dropped.
The policy rules are uni-directional, which means they only allow traffic that is initiated in the
direction the policy rule specifies: source zone(s) to destination zone(s). The replies to the client
are always allowed as part of the policy. If traffic is intended to be initiated in both directions
(bi-directional), two uni-directional policy rules are recommended: one for each direction. You
can accomplish the same task by slightly modifying the original rule and turning it into a bi-
directional rule.
The interzone rule type matches traffic between the specified source and destination zones and
each rule can match on multiple source and destination zone pairs. For example, an interzone
rule with source zones A and B, and destination zones A and B matches traffic as follows:
• from ZoneA to ZoneB
• from ZoneB to ZoneA
This rule does NOT match traffic within ZoneA, nor within ZoneB. The reason is that interzone
rule type applies to traffic from any source zone to any destination zone. It does not apply to
traffic within a zone, even if the same zone is listed in the Source and Destination columns.
In this example, traffic from ZoneA to ZoneB, and from ZoneB to ZoneA, does match the rule
and is allowed. However, traffic from ZoneA to ZoneA, and from ZoneB to ZoneB, does NOT
match the rule and is not allowed.
Universal rule: The universal rule type matches intrazone and interzone traffic in the
specified source and destination zones. This rule type is the default when creating a new
security rule. When upgrading from a version previous to PAN-OS 6.1, all existing rules in the
current security rule base are converted to universal rules.
Notice within the rule base that two predefined default rules are at the bottom. These two
rules are “read only” and so these rules cannot to be modified at this time. They are “grayed
out” and not active for editing. To edit these rules, click the rule to be modified. Override
becomes active, which allows you to change the default setting.
To enable logging, override the default and modify the rule as shown on the next slide.
Logging:
The default action for logging is to log only at the session end. Here we show how to enable
session logging at session start and/or end only.
The Actions tab allows you to configure this predefined rule by setting the action, enabling
logging, and to also modify the profile settings of your profile types.
The ability to enable logging is a key feature. Without it, a number of policies would need to be
created in both directions just to enable intrazone traffic logging.
Benefits of enabling logging on Intrazone and Interzone traffic:
• Logs associated with the intrazone-default and interzone-default rules are
treated the same as any other logs from other rules.
• This enables the ability to filter and see the traffic that is being blocked.
Best Practice:
Care should be taken when activating the Log at Session Start setting, as it can lead to
significant logging pressure depending on the type of traffic flowing through the firewall.
Logging at Session End is the recommended setting for deployment. If troubleshooting live
traffic, the Session Viewer can be used as an alternative to Log at Session Start.
Session Logs:
• When creating or editing a security rule, an option to log the transaction is available.
There is two options to log the transaction, Log at Session Start or Log at Session End.
• Log at Session Start disabled by default, generates traffic log entry for start of a session.
• Don’t enable Log at Session Start except for troubleshooting purposes or for tunnel logs.
• Session start logs are generated on first data packet & not right after three-way handshake.
• Log at Session End enabled by default, generates traffic log entry for the end of session.
• In Palo Alto Firewall for regular logging, the best practice is to log at Session End.
• The reason for that is that applications are likely to change throughout the session.
• Facebook for example will start as web-browsing and change to Facebook-base app.
• For example, from Facebook-base application to change to Facebook-chat application.
• Logging at Session Start would only show web-browsing which might lack important info.
• Logging at Session Start is used when troubleshooting applications that don't change.
• Logging at Session Start in used when applications that aren't recognized by firewall.
• It is not recommended to log both at Session Start & End its puts extra load on CPU.
Traffic Logs:
Displays an entry for the start and end of each session. Each entry includes:
• date and time
• source and destination zones
• Addresses
• ports
• application name
• security rule name applied to the flow
• rule action (allow, deny, or drop)
• ingress and egress interface
• number of bytes
Click the Magnifying Glass icon next to an entry to view additional details about the session,
such as whether an ICMP entry aggregates multiple sessions between the same source and
destination (count value will be greater than one).
The Type column indicates whether the entry is for the start or end of the session, or whether
the session was denied or dropped. A drop indicates that the security rule that blocked the
traffic specified any application. A deny indicates that the rule identified a specific application.
If traffic is dropped before the application is identified, such as when a rule drops all traffic for a
specific service, the application is shown as not-applicable.
Address Objects:
Address objects are named objects that are configured on the firewall to make it easier for
administrators to complete configurations with a predefined address. An address object can
include an IPv4 or IPv6 address (single IP, range, subnet) or a FQDN. It allows you to reuse the
same object as a source or destination address across all the policy rule bases without having to
add it manually each time. In the WebUI, go to Objects > Addresses. Multiple address objects
can be specified within a policy. Up to 2,500 address objects can be created.
Name: Enter a name that describes the addresses to be defined (up to 63 characters). This
name appears in the address list when security policies are defined. The name is case-sensitive
and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Three Types:
• IP Netmask example: 192.168.80.150/32 indicates one address, and 192.168.80.0/24
indicates all addresses from 192.168.80.0 through 192.168.80.255.
• IP Range example: 10.0.0.1-10.0.0.11
• FQDN example: webservers.company.com
• The FQDN initially resolves at commit time. Entries are subsequently refreshed
when the firewall performs a check every 30 minutes. All changes in the IP
address for the entries are picked up at the refresh cycle.
• The FQDN is resolved by the system DNS server or a DNS proxy object, if a proxy
is configured.
Tags: Select the tag(s) that you want to apply to this address object.
You can tag objects to group-related items and add color to the tag to visually distinguish
tagged objects. Tags can be added to these objects: address objects, address groups, zones,
service groups, and policy rules. The firewall and Panorama support static tags and dynamic
tags. Dynamic tags are registered from a variety of sources and are not displayed with the static
tags because dynamic tags are not part of the device configuration.
Apply to Policy:
Add the dynamic address group as match criteria in a policy.
A commit job must be performed to push the candidate configuration into memory as the
running configuration.
Dynamic address group members can be changed dynamically at this point.
Entities can be associated with IP addresses, and IP addresses can be associated with tags
through the XML API or the VM Monitoring Agent.
It is not necessary to perform successive commit jobs for such changes because they become
part of the running configuration.
An administrator can view the IP addresses that have been registered dynamically to the
address group by clicking the name of the group, moving the cursor over Inspect, and then
clicking the More link.
The action settings within the security policy rule enable you to specify how the firewall will
handle the attempt.
The Palo Alto Networks firewall is based on application intelligence, so the TCP session must be
allowed to complete before the application is discovered. If the firewall then silently drops
packets, it can break applications and cause them to behave improperly. The applications may
hang, continue to send packets blindly, or hold open resources unnecessarily. To gracefully
deny the traffic, a TCP reset is needed to clean up the session.
More than half of the applications recognized by the firewall automatically receive a TCP reset.
But the administrator can specify which applications will receive a reset, and which applications
will cause packet drops, by manually configuring the action in the policy rule.
URL Categories in Security Policy rules:
The URL Category match criteria is used in three different policy types: security, QoS, and
captive portal. This field matches URLs against predefined categories provided by the dynamic
updates.
In addition to the categories provided by Palo Alto Networks, custom URL categories can be
created. This feature requires the URL Filtering license, except for custom categories. If the
license expires, only custom categories are used by the policy.
• Policy lookups occur each time the URL category for the session changes.
• Traffic logs show entries for each URL category transition.
• Lookups are cached for faster retrieval.
• The engine checks the data plane cache then checks the management
plane cache before querying the external URL lookup servers.
• If the category is not resolved before the web server responds, the
security policy looks for a match in a not-resolved category.
URL category matching uses the same block page as the URL filtering profile and does not have
either the Continue or Override option.
If more granular URL filtering is required, a URL filtering profile should be used instead. The URL
Filtering profile can match specific URLs (for example, www.facebook.com), while the URL
category only matches broad categories (for example, social-networking).
URL filtering profiles are discussed in more detail in the Content-ID module.
Static IP:
Use static IP to change destination IP address while leaving destination port unchanged.
Statically translates original destination address to same translated destination address.
Original packet have single destination IP address, range of IP addresses, or list.
Port Forwarding:
Can translate public destination address and port number to private destination address. Technique
used to manage traffic through NAT policies based on destination port numbers. It is used to map a
single public IP address to multiple private servers and services. The destination ports can stay the
same or be directed to different destination ports.
Port Translation:
Translate public destination address & port no to private destination address different port. Port
Translation keeping the real port number private and change the destination port. It is configured
by entering Translated Port on Translated Packet tab in NAT policy rule. Example is suppose the
web server is configured to listen for HTTP traffic on port 8080. The clients access the web server
using the public Internet Protocol (IP) and TCP Port 80. The destination NAT rule is configured to
translate both IP address and TCP port to 8080.
NAT Example:
Example 01: In this example, a host with the IP address 192.168.15.47 exists on an private
network. The user at this address wants to connect to a server on the Internet. To prevent the
exposure of the private IP address, the firewall administrator has configured a NAT policy so
that all traffic from the private network appears to come from the address on the ethernet1/4
interface.
Example 02: In this scenario, a user at an external system with the IP address 65.124.57.5,
queries the DNS server for the IP address of the web server www.xyz.com.
The DNS server returns an address of 172.16.15.1, the external address of the firewall interface
in the Untrust-L3 zone. To reach the web server, the destination IP address must be set to the
private IP 192.168.15.47.
Remember: A security policy must cross zones. Also, the security policy is enforced after the
NAT policy is evaluated.
Destination NAT Example Policies:
NAT rules must be configured to use the zones associated with pre-NAT IP addresses configured
in the policy. For example, when translating traffic that is incoming to an internal server (which
is reached via a public IP by Internet users), you must configure the NAT policy using the zone in
which the public IP address resides. In this case, the source and destination zones would be the
same.
As another example, when translating outgoing host traffic to a public IP address, you must
configure the NAT policy with a source zone that corresponds to the private IP addresses of
those hosts. The pre-NAT zone is required because this match occurs before the packet has
been modified by NAT.
Security policy differs from the NAT policy in that post-NAT zones must be used to control
traffic. NAT may influence the source or destination IP addresses and can potentially modify the
outgoing interface and zone. When creating security policies with specific IP addresses, note
that pre-NAT IP addresses are used in the policy match. Traffic subject to NAT must be explicitly
permitted by the security policy when that traffic traverses multiple zones.
Source NAT configuration: Source NAT is generally used from traffic on private internal IP’s
to a publicly routable IP (user inside to server outside). Types of Source NAT’s include:
Static IP: fixed 1-to-1 translation; used when a NAT IP needs to remain the same IP and Port.
This can be done with an IP address range, but the translation will always be static 1:1; in a 10-
IP range, a x.y.z.2 source will always translate to z.y.x.2 destination.
Dynamic IP: 1-to-1 ip address translation only (no port number); can be used with a single or
pool of IP’s. Generally used for a set number of internal hosts with a matching number of
external IP’s, but static isn’t required.
Dynamic IP and port (DIPP): This is used for multiple IP’s to one or a few IP’s, by allowing
the connection to use another port than the default service. This is generally used for internet
access outbound from home and business connections.
High Availability:
To perform access control functions properly, a network firewall must be placed at the single
point through which all traffic must pass. Because all traffic must pass through the firewall, it is
vital that the traffic-flow remains uninterrupted, even in the event of a device or network
failure. A well-designed security infrastructure needs to offer high availability tools to create a
resilient, scalable, and easy to manage solution.
A PAN-OS HA pair consists of two identical Palo Alto Networks Next-Generation Firewalls with
identical software that enforce the same overall security policy and share the same
configuration settings. A heartbeat connection between the two devices ensures seamless
failover in the event that the a device goes down.
Ensuring seamless failover with either type of high availability requires careful planning of the
network design. Refer to the document “Designing Networks with Palo Alto Networks
Firewalls” on Knowledge Point for additional information.
High Availability is used to synchronize the following: active and candidate configurations
(including objects and policies), routing information, and session states (even for sessions
traversing VPN tunnels).
The High availability (HA) is a deployment in which two firewalls are placed in a group. Their
configuration is synchronized to prevent a single point of failure on your network. Heartbeat
connection between firewall peers ensures failover in event peer goes down. Setting up two
firewalls in an HA pair provides redundancy & ensure business continuity. Firewalls in an HA
pair use HA links to synchronize data and maintain state information. Some models of Firewall
have dedicated HA ports—Control link (HA1) & Data link (HA2). While others Palo Alto Network
Firewall require you to use the in-band ports as HA links. Firewalls with dedicated HA ports such
as PA-800, PA-3200, PA-5200 & PA-7000 Series. Use dedicated HA ports to manage
communication & synchronization between firewalls. For firewalls without dedicated HA ports
such as the PA-200 Series. Best practice use the management port for the HA1 link to allow for
a direct connection. And use Palo Alto Network Firewall an in-band port or links for the Data
Link (HA2) link.
High availability will not synchronize: most management settings (management IP and admin
accounts for example), HA settings (one needs to be primary, one needs to be secondary, and
this is often determined by HA settings), and logs.
HA Types:
Service providers and enterprises that deliver revenue-generating and business-critical services
over the Internet face a myriad of performance and security challenges. However critical those
challenges may be, high availability (HA) remains the paramount concern. On Palo Alto
Networks firewalls, you can set up two devices as an HA pair. HA allows you to minimize
downtime by making sure that an alternate device is available if the primary device fails.
Palo Alto Networks firewalls support stateful active/passive or active/active high availability
with session and configuration synchronization. They use dedicated or in-band HA ports to
synchronize data—network, object, and policy configurations—and to maintain state
information. Setting up the firewalls in a two-device pair provides redundancy and allows you to
ensure business continuity.
To perform access control functions properly, a network firewall must be placed at the single
point through which all traffic must pass. Because all traffic must pass through the firewall, it is
vital that the traffic-flow remains uninterrupted, even in the event of a device or network
failure. A well-designed security infrastructure needs to offer high availability tools to create a
resilient, scalable, and easy to manage solution.
A PAN-OS HA pair consists of two identical Palo Alto Networks Next-Generation Firewalls with
identical software that enforce the same overall security policy and share the same
configuration settings. A heartbeat connection between the two devices ensures seamless
failover in the event that the a device goes down.
Ensuring seamless failover with either type of high availability requires careful planning of the
network design. Refer to the document “Designing Networks with Palo Alto Networks
Firewalls” on KnowledgePoint for additional information.
Active-Passive:
In Active-Passive one firewall actively manages traffic while other is synchronized. In Active-
Passive passive is ready to transition to active state, should a failure occur. One actively
manages traffic until a path, link, system, or network failure occurs. When active firewall fails,
passive firewall transitions to active state and takes over. Active-passive HA is supported in the
virtual wire, Layer 2, and Layer 3 deployments. Active-Passive does not increase session
capacity or network throughput in firewall. Active-Passive has simple design concept, so it is
easier to troubleshooting routing.
There are several deployment options for HA depending upon whether the firewall is deployed
as the firewall or behind the firewall in an augmentation role. The mode of implementation
(Virtual Wire, Layer 2, or Layer 3) can also influence the options.
An important fact to consider in designing an HA architecture is that the traffic-handling links
on the passive device are maintained in a down state. Upstream and downstream devices that
are connected to the passive firewall will not see a valid path unless the passive firewall
becomes active.
These rules apply to active/passive HA operation and failover:
• The active firewall continuously synchronizes its configuration and session
information with the passive firewall over the HA interfaces.
• If the active firewall fails, the passive firewall detects the loss of heartbeats and
automatically becomes active.
• If the state synchronization connection is lost, then no state synchronization
occurs. If the configuration synchronization is lost, heartbeats are lost. Both
devices determine that the other is down, and both become active.
• You can configure the management interfaces on the HA devices to provide a
backup path for heartbeat and hello messages using the heartbeat backup
configuration option.
Beginning with PAN-OS 7.0, Palo Alto Networks firewalls (physical and VM-Series) support
active/passive and active/active high availability configurations, complete with session and
configuration synchronization. PA-200 only supports HA Lite without session synchronization
capability. Also, the VM-Series firewall in Amazon Web Services supports only active/passive
HA.
The HA1 link is used to exchange hellos, heartbeats, and the HA state information. The HA1
link is used to exchange management plane sync for routing & User-ID info. HA1 acts to
monitor HA status such configuration synchronization for active-passive. HA1 acts keepalive
between HA agents, it senses power cycle, reboot & power down. The PA firewalls also use this
link to synchronize configuration changes with its peer. HA1 link is a Layer 3 link and the only
HA link that requires an IP address information. Internet Control Message Protocol is used to
exchange heartbeats between HA peers. Ports used for HA1 link—TCP port 28769 and TCP
28260 for clear text communication. Port used for HA1 link- Port 28 for encrypted
communication Secure Shell over TCP. Default monitor hold time is 3000 ms & HA1 link also
called Control or management.
Active/Passive configuration support the use of layer 2, layer 3, and v-wire interfaces, but not
Tap interfaces.
Dedicated interfaces for HA1 and HA2 exist on PA-3000, PA-4000, and PA-5000 Series firewalls.
All other devices requires data interfaces to be configured for HA use. Links do not have to be
directly connected.
Cabling: For devices with dedicated HA ports, use an Ethernet cable (straight through) to
connect the dedicated HA1 ports and the HA2 ports on the device pair. For devices that are
directly connected, auto-sensing will take place and so you may use either an Ethernet cable
(straight through) or a crossover cable.
For devices without dedicated HA ports, select two data interfaces for the HA2 link and the
backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across
both devices. Use the management port for the HA1 link and ensure that the management
ports can connect to each other across your network.
Please note that heartbeat polling occurs in both directions between the control planes of the
active and passive devices to determine the health of each.
HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations. The
HA2 link is also used to synchronize ARP tables between PA firewalls in the HA pair. HA2 is used
to synchronize HA states, routing info, IPSec security association, ARP table. Data flow on the
HA2 or data link is always unidirectional except for the HA2 keep-alive. It flows from active or
active-primary firewall to the passive or active-secondary firewall. The Data link are
unidirectional and flows from the active firewall to the passive firewall. HA2 is layer 2 link, no IP
address is required although you can specify layer3 information. A layer 3 link or IP address is
required only if the data link are not on the same subnet.
Hello Messages, are send from one peer to the other to verify the state of the firewall. The
Heartbeat is an ICMP ping to the HA peer over the Control Link or Management Link. Firewalls
use hello message and heartbeats to verify that the peer firewall is responsive. Firewalls use
hello message and heartbeats to verify that the peer firewall is operational. Hello messages are
sent from one peer to other at the configured Hello Interval to verify. The heartbeat is an
Internet Control Message Protocol ping to HA peer over control link. The peer responds to the
ping to establish that the firewalls are connected and responsive. By default, In Palo Alto
Network Firewall the interval for the heartbeat is 1000 milliseconds. Ping is sent every 1000ms
& if there are three consecutive heartbeat losses failovers occurs.
Link Monitoring:
Monitors physical interfaces (“Link Group”)
Monitor link state (link up / link down)
Multiple mechanisms can be configured to monitor status of the HA pair. Any of these events
can cause a device to enter the nonfunctional state and to trigger a switchover in the event of a
failure on the active device.
Link monitoring watches physical interface state on one or more interfaces. A set of interfaces
can be grouped to create a link group and any or all logic can be applied to the group.
Physical interfaces to be monitored are grouped into a link group and their state is monitor.
Palo Alto Network Firewall, link group can contain one or more physical interfaces or links. A PA
Firewall failure is triggered when any or all of the interfaces or link in the group fail. Default
behavior is failure of any one link in the link group will cause the firewall to change. The High
Availability (HA) state to non-functional to indicate a failure of a monitored object.
Path Monitoring:
Define one or more paths to monitor specific destinations
Path types: vwire, VLAN or virtual router
Uses ICMP Ping to verify IP address reachability
Ping interval = 200 ms
Down = 10 consecutive ping failures
Path Monitoring monitors full path through the network to mission-critical IP addresses.
Internet Control Message Protocol pings are used to verify reachability of the IP address. In Palo
Alto Next Generation Network Firewall, the default interval for the pings is 200ms. The IP
address is considered unreachable when 10 consecutive pings the default value fail. Firewall
failure is triggered when any or all of IP addresses monitored become unreachable. Default
behavior is any one of the IP addresses becoming unreachable will cause firewall. To change
High Availability state to non-functional to indicate failure of monitored object.
Priority:
When two Palo Alto Networks firewalls are deployed in the active-passive cluster. It is
mandatory to configure device priority higher priority for passive low for active. Firewall with
lower numerical value & therefore higher priority, is designated as active. The device priority
decides which Palo Alto firewall will preferably take the active role. Which Palo Alto firewall will
take over the passive role when both the firewalls boot up.
Preemption:
The Preemptive behavior allows firewall with lower numerical value to resume as active. By
default, preemption is disabled on the firewalls and must be enabled on both firewalls.
Preemption which influences this behavior on the event of it being enabled or disabled. When
preemption occurs, event is logged in the in Palo Alto Network Firewall system logs.
For the VM-Series firewalls, both peers must be on the same hypervisor and must have the
same number of CPU cores allocated on each peer.
Note these exceptions: The PA-200 only supports HA Lite without session synchronization
capability and cannot be configured for active/active HA. Also, the VM-Series firewall in Amazon
Web Services (AWS) only supports active/passive HA.
For devices without dedicated HA ports, select two data interfaces for the HA2 link and the
backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across
both devices. Use the management port for the HA1 link and ensure that the management
ports can connect to each other across your network.
Cabling: For devices with dedicated HA ports, use an Ethernet cable (straight through) to
connect the dedicated HA1 ports and the HA2 ports on the device pair. For devices that are
directly connected, auto-sensing will take place and so you may use either an Ethernet cable
(straight through) or a crossover cable.
While in Active/Active pairs, the member Devices have specific tasks they perform:
Active-Primary – processing traffic and acting as the primary device
Handles User-ID agent connections
Runs DHCP server/relay
Matches NAT / PBF rules
Active-Secondary – processing traffic, backs up Active-Primary
Active-Active HA Links:
In addition to the HA1 and HA2 links used in active-passive, active-active deployments require a
dedicated HA3 link. This link is used as a packet-forwarding link for session setup and
asymmetric traffic handling.
Due to this requirement, carefully consider the sizing of the HA3 link. Excessive packet passing
between session owner and setup devices could overrun a single HA3 link. Aggregate interfaces
should be considered for HA3 links if the firewall model supports link aggregation.
Each device is assigned a device ID of either 0 or 1 during configuration.
If the devices are assigned the same device ID, the pair will not form successfully.
The device ID is used only to differentiate between the firewalls during configuration.
Active-primary or active-secondary status is determined by an assigned priority value.
Session Ownership:
The device that receives the first packet (in a new session) is the session owner.
All Layer 7 processing in that session is handled by the session owner.
Session Setup:
Session setup may be distributed among devices in HA group using IP modulo or IP hash.
Layer 2 through Layer 4 processing is handled by the session setup device.
In an active-active pair, the packet handling can be distributed between the two devices. Two
important functions are handled by the devices in a pair:
Within an active–active pair, the session owner device can be either the firewall that receives
the first packet of a new session, or the device in the active-primary state. This device is
responsible for all Layer 7 processing (i.e. App-ID, Content-ID, and threat scanning) for this
session. This device is also responsible for generating all traffic logs for the session.
The session setup device is responsible for the Layer 2 through Layer 4 processing required to
set up a new session.
Address translation is performed by the session setup device.
The session setup device is determined by configuring the Session Setup option in the Active-
Active tab. After session setup, the packet is forwarded back to the session owner for all Layer 7
processing to preserve the forwarding path.
The separation of session owner and session setup devices is necessary to avoid race conditions
that can occur in asymmetrically routed environments. If the session owner and session setup
device are different firewalls, the packets will be passed between the devices over the HA3 link.
Session ownership can be done in one of two ways:
First packet: The device that receives the first packet (in a new session) from the source host
owns the session (session owner).
Primary device: The device in the active-primary state owns the session. If this option is
selected and the device that received the first packet is not in the active-primary state, the
packets are forwarded to the peer device over the HA3 link.
Palo Alto Networks recommends setting the session ownership option to First Packet for
production environments.
The Primary Device option is provided as a troubleshooting tool to ensure that all logs are on a
single device for ease of access. However, this option potentially adds additional load to the
HA3 link, which makes it less desirable for general use.
For devices with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports
and the HA2 ports on the device pair. Use a crossover cable if the devices are directly
connected to each other.
For devices without dedicated HA ports, select two data interfaces for the HA2 link and the
backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across
both devices. Use the management port for the HA1 link and ensure that the management
ports can connect to each other across your network.
Session Owner:
When a packet for arrives at the firewall, it is compared against existing sessions to see if it is
part of an established connection. If not, the packet is assigned a session owner. If the receiving
firewall is not the session owner, the packet is forwarded across the HA3 link to the peer
device.
Next, the session owner determines the session setup device, based on the HA configuration.
Session Setup:
The setup device is responsible for Layer 2 to Layer 4 processing
Address translation is performed by session setup FW
If session ownership is set to active-primary firewall:
Session setup defaults to active-primary
Not recommended since all traffic will be handled by active-primary FW.
Active/Active HA States:
Device states – Active/Active
Tentative – State caused by path/link monitor failure
A device in this state will synchronize sessions, and configurations from the peer device.
Non-effected Layer 3 interfaces will stay up and continue participating in routing and packet
forwarding utilizing the HA3 interface.
Non-functional – Error state due to mismatched A/A settings, HA3 link down
Suspended – Administrative suspend
Active/Active HA Deployment
Floating IP Deployment:
In a floating IP deployment, network redundancy is achieved through the use of IP address that
can be moved between the HA devices. The individual devices host the floating IP address on a
Layer 3 interface that is also assigned a static address. To ensure no disruption of connectivity
due to ARP request errors, a virtual MAC address is assigned with the floating IP, which
prevents the need for ARP resets after a failover.
Floating IP addresses are recommended when Virtual Router Redundancy Protocol (VRRP) style
functionality is required. Floating IP addresses can be used in VPN and Network Address
Translation (NAT) configurations, which allows for persistent connections when a failure occurs
on the device offering those services.
End users are configured to connect to the floating IP address instead of the static address of
the interface, which allows their connections to seamlessly migrate to the other firewall on
failover. Both devices should be configured with floating IP addresses so that traffic can be
distributed among them. Load balancing can be implemented manually (e.g., assign default
gateways on different clients to different firewalls) or through the use of external load
balancers.
Decryption Overview:
Why does the Palo Alto Networks firewall decrypt traffic?
Sessions that attempt to hide their application signature encrypt the
Layer 7 information
Sessions attempt to hide sensitive data in encrypted file transfers
Palo Alto Networks firewall acts as a forward proxy for outbound SSL decryption
Palo Alto Networks firewalls listen on all ports and can decrypt:
SSL inbound and outbound traffic
SSHv2
You can configure the firewall to decrypt traffic for visibility, control, and granular
security.
Decryption policies can apply to SSL and Secure Shell (SSH) traffic.
With the SSH option, the firewall selectively decrypts outbound and inbound SSH
traffic to assure that secure protocols are not being used to tunnel disallowed
applications and content.
SSL decryption and SSH decryption are disabled by default.
Decryption Policies:
The firewall can be configured to decrypt SSL and SSH traffic going to external sites. With the
SSH option, you can selectively decrypt outbound and inbound SSH traffic to assure that secure
protocols are not being used to tunnel disallowed applications and content. You can also apply
decryption profiles to your policies to block and control various aspects of SSL traffic.
Assume a scenario where a user will connect via an encrypted connection to Facebook. The
company policy is to allow employees to read Facebook, but prevent facebook-chat and
facebook-posting. If SSL decryption is enabled for the Facebook application, this limitation can
be accomplished easily with the Palo Alto Networks firewall. If SSL decryption is not enabled,
then the firewall cannot tell what application is inside the SSL connection; let alone that
application shifts are occurring within the connection.
Note that the Tap interface does not support SSL forward proxy or SSH decryption.
Decryption Impact:
While critical to security, Decryption is the most resource intensive operation on the firewall
and will have significant performance impact.
The amount of traffic being decrypted must be considered when sizing a network for an
appropriate appliance.
Resource intensive: 1. Impacted by Private Key size. 2. Impacted by Object size.
Performance impact: 1. All firewalls are significantly impacted by Decryption. 2.The PA-7000
series are equipped with additional processors that assist this function.
Certificate Management:
Self-Signed vs CA-Issued Certificates:
Certificate Configuration:
The certificate management interface provides access to all of the certificates that may be
needed on the firewall. A self-signed certificate can be created for forward proxy SSL decryption
or existing certificates and keys can be loaded for forward proxy and inbound SSL decryption.
Using an existing CA ultimately makes deployment of SSL decryption simpler:
• Any environment running Microsoft Active Directory or Novell eDirectory already
has a certificate server available.
• The type of certificate needed for SSL decryption is a subordinate CA certificate.
• This certificate needs to be in PEM format, with the certificate in one file and the
private key in another file.
Self-signed certificates can be generated easily using the WebUI:
• All fields of the certificate should be filled in.
• The name entered in this interface is the Publisher name on all decrypted
certificates.
• If self-signed certificates are used for either the administrative WebUI or the SSL
forward proxy, they can be exported from this page.
• After the certificates are exported, they can be added to users’ browsers to avoid
warning messages about unknown publishers.
How to Generate Certificate for SSL Decryption and Import it on Client Machine:
Going to Device > Certificate Management > Certificates > Generate
Type a name under Certificate Name (SSL-CERT) > type a name under Common Name (P-Certificate)
> check Certificate Authority > leave the default settings under Cryptographic Settings. Under
Certificate Attributes > click Add >Country > type and search for your country (SA in my case)
> add and fill other Certificate Attributes as needed >Click Generate.
You need to modify the certificate by clicking on the Name of the certificate (SSL-CERT) > check
Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA > click OK.
You can export the PAN certificate and install it on the PC web browser by clicking on the Name of
the certificate and click Export. Leave the File Format of Base64 Encoded Certificate (PEM) >
check Export private key > type a passphrase twice to confirm > click OK.
Go to the folder where the PEM certificate got downloaded. Copy the file and manually install the
certificate on client PC. On the web browser (Mozilla Firefox) by going to Tools > Options. Go to
Privacy & Security> Certificates > View Certificates.
Under Authorities > click Import And Go to Downloads folder and choose the created PEM
certificate > click Open > click Trust the CA to identify websites > click OK
Go to Downloads folder and choose the created PEM certificate > click Open > click Trust the
CA to identify websites > click OK.
Check Trust this CA to identify websites & Trust this CA to identify email users and Click OK.
Configure a Decryption policy from left to right. Under General > type the Name of the
Decryption rule. Under Source tab > choose Inside under Source Zone > leave the default of
Any. Under Destination tab > choose Outside under Destination Zone > leave Any under
Destination Address> leave the default of Any.
Under Options tab > select Decrypt under Action > leave the default of SSL Forward Proxy under
Type and None under Decryption Profile > click OK.
Certificate Signing Requests:
The Generate button generates certificate signing requests (CSRs) if the Signed By field is set to
External Authority (CSR).
1. A key pair is created on the machine and exported in PKCS10 format.
2. The administrator then sends the CSR to the CA, which generates the
requested certificate.
3. When the resulting certificate is received from the CA, import it with the same
name as the CSR.
4. When the issued certificate is imported, the certificate signing request is
removed and the certificate is added to the private key.
Certificate Revocation:
If both OCSP and CRL are configured, the firewall tries the OCSP method first. If the OCSP server
is unavailable, the device uses the CRL method.
To enable CRL or OSCP, go to Device > Setup > Session, and in the Decryption Settings section,
open Certificate Revocation Checking.
Palo Alto Networks firewall devices can be configured to check whether a certificate has
been revoked by the CA
CRL or OCSP can be used to verify certificate status for
SSL/TLS Decryption
GlobalProtect, captive portal, IPsec VPNs, and MGT access
Certificate Revocation List (CRL)
Each CA issues a CRL listing to a public repository
Revoked certificates listed by serial number
Palo Alto Networks firewall downloads the CRL for every trusted CA
Online Certificate Status Protocol (OCSP)
Clients send the certificate serial number to OCSP server to check status
Palo Alto Networks firewall caches OCSP info for every listed CA
With SSL forward proxy decryption, the firewall resides between the internal client and outside
server. The firewall uses forward trust or forward untrust certificates to establish itself as a
trusted third party to the session between the client and the server.
When the client initiates an SSL session with the server, the firewall intercepts the server SSL
request and forwards the SSL request to the server. The server sends a certificate intended for
the client that is intercepted by the firewall.
If the server certificate is signed by a CA that the firewall trusts, the firewall creates a copy of
the server certificate signed by the forward trust certificate and sends the certificate to the
client to authenticate. (The issuing authority of the firewall-generated certificate is the firewall
itself. If the firewall certificate is not part of an existing hierarchy, or is not added to the
browser cache of the client, the client receives a warning message when browsing to the site,
even if the site is a secure site.)
If the server certificate is signed by a CA that the firewall does not trust, the firewall creates a
copy of the server certificate and signs it with the forward untrust certificate and sends it to the
client. In this case, the client sees a block page warning that the site they are attempting to
connect to is not trusted and the client can choose to proceed or terminate the session. When
the client authenticates the certificate, the SSL session is established with the firewall
functioning as a trusted forward proxy to the site that the client is accessing.
The client browser should NOT trust this CA so that a warning message DOES appear
Create a Decryption Policy:
SSL decryption policies are similar to the other rule sets in PAN-OS.
• The rules are parsed from top to bottom, comparing traffic to each rule in order.
• When the traffic matches a particular rule, the actions defined are taken and no
further rules are checked.
The supported types of decryption policies are:
• SSL Forward Proxy: Decrypts client traffic destined for an external server.
• SSH Proxy: Decrypts SSHv2 traffic, which allows you to control SSHv2 tunneling
in policies by specifying the SSH-tunnel App-ID.
• SSL Inbound Inspection: Decrypt SSLs inbound inspection traffic.
Recommended Ruleset:
Decrypt everything except sensitive traffic
Apply SSL controls to undecrypted traffic via profile
Create exception rules for specific destination IP, source users, URLs
!
Inbound SSL Inspection:
The Palo Alto Networks firewall can inspect secure inbound SSL traffic for potential external
threats and control applications that run over secure channels. This activity is accomplished via
application firewall rules, as well as the server vulnerability protection profiles.
To inspect the traffic going to internal SSL servers, the firewall needs a copy of the certificate
and key of the internal server. The SSL decryption policy must be configured on the firewall to
inspect the inbound traffic. After this configuration is complete, the device can decrypt and
read the traffic before it forwards the traffic to the server. The original encrypted data packet is
sent to the server and no changes are made to the data. The secure channel is built from the
client system to the internal SSL server.
No Decryption:
Even if the decryption policy action is No Decrypt, the profile can be configured to block
sessions with certificates that are expired or untrusted .
Select No Decryption to block and control specific aspects of traffic that you are excluding from
decryption. Normally, for unsupported modes and failures, the session information is cached
for 12 hours, so future sessions between the same host and server pair are not decrypted.
Check these boxes to block those sessions instead.
You can use the No Decryption tab to block traffic that is matched to a decryption policy
configured with the No Decrypt action (Policies > Decryption > Action). Use these options to
control server certificates for the session, even though the firewall does not decrypt and inspect
the session traffic.
Block sessions with expired certificates: Terminate the SSL connection if the server certificate is
expired. This action prevents a user from being able to accept an expired certificate and
continuing with an SSL session. A traffic log entry is generated.
Block sessions with untrusted issuers: Terminate the SSL session if the server certificate issuer is
untrusted.
Application identification is at the core of PAN-OS security, QoS, and PBF policies
Each session contains the information that is necessary to identify the applications
traversing the firewall
Accurate traffic classification is the heart of any firewall, with the result becoming the
basis of the security policy. Traditional firewalls classify traffic by port and protocol,
which, at one point, was a satisfactory mechanism for securing the perimeter. Today,
applications can easily bypass a port-based firewall by hopping ports, using SSL and
SSH, sneaking across port 80, or using non-standard ports. App-ID is the Palo Alto
Networks traffic classification mechanism that addresses the traffic classification
limitations that plague traditional firewalls.
App-ID uses multiple identification mechanisms to determine the exact identity of
applications traversing the network. We discuss these methods in the following slides.
What is an Application?
Gmail
GoogleTalk
Google Cale
Google
Sybase
eMule
UltraSurf
The term “application” does not have an industry-accepted definition in the way that
“session” or “packet” do. Applications can be delivered through a web browser, a client-
server model, or a decentralized peer-to-peer design. In Palo Alto Network terms, an
application is a specific program or feature that can be detected, monitored, and blocked if
necessary.
Applications include business tools and services, which must be allowed, as well as
entertainment or personal services, which may need to be blocked.
Evasive Applications:
Port
✗ Blocke5050
Yahoo d
Messenger
Port 80
Open
BitTorrent
Client Port
✗ Blocke 6681
d
Port-Based
Firewall
One category of applications that are difficult to track and control are those applications that
change port numbers as needed. These applications are known as “evasive applications.” In a
traditional, port-based firewall, Yahoo Messenger is defined as any TCP traffic destined for port
5050. In reality, Yahoo Messenger can automatically try other common ports, including port 80,
if port 5050 is blocked.
Other applications can be configured by the user to be evasive by using a nonstandard port. The
BitTorrent client traditionally uses a port number of 6681 or greater. It is a simple procedure to
force BitTorrent to use a common port like 80 instead.
Many application proxies will take well-behaved, fixed-port applications and tunnel them
through any port the user wants. The net result is that the destination port of any given
connection has no bearing on the service or application that is generating the traffic.
Traditional firewalls use port blocking to control traffic. To allow a service, such as DNS, which
uses port 53, the traditional firewall is configured to allow Port 53 traffic.
The Palo Alto Networks Next-Generation Firewall is configured to allow the DNS service. And
when it is configured to run with the application default, the Palo Alto Networks firewall allows
only DNS traffic on port 53 and denies all other traffic that is not DNS on this port. In this way,
the Palo Alto Networks firewall protects the network from evasive applications.
This protection does not happen on the network protected by the traditional firewall. On that
network, DNS would be allowed on port 53, but so would other evasive applications attempting
to use port 53, such as BitTorrent in this example here, thus exposing the traditional firewall’s
network and leaving it unprotected.
The previous two examples dealt with a well-behaved, known threat. The situation changes if
the threat is unknown, like a zero-day virus.
In the application IPS blade example, the zero-day virus using Port 53 is allowed through the
firewall because it is using an allowed port. However, since the IPS appliance does not know
about this new threat, the malware is not blocked and is passed onto the network. This is an
inherent problem with application block policies – you cannot block what you do not know. Not
only does the 0-day malware get through, but there are no logs generated that identify this
problem.
The Palo Alto Networks firewall is configured to allow only DNS traffic. Even if the zero-day
malware is unknown to PAN-OS, it is not allowed to pass because it does not match the allowed
DNS service. Additionally, the blocked traffic is logged for later analysis.
App-ID Flow:
App-ID uses multiple identification mechanisms to determine the exact identity of applications
traversing the network. The identification mechanisms are applied in this manner:
1. Traffic is first classified based on the IP address and port.
2. Signatures are then applied to the allowed traffic to identify the application
based on unique application properties and related transaction characteristics.
3. If App-ID determines that encryption (SSL or SSH) is in use and a decryption
policy is in place, the application is decrypted and application signatures are
applied again on the decrypted flow.
4. Decoders for known protocols are then used to apply additional context-based
signatures to detect other applications that may be tunneling inside of the
protocol (for example, Yahoo! Instant Messenger used across HTTP). For
applications that are particularly evasive and cannot be identified through
advanced signature and protocol analysis, heuristics, or behavioral analysis
may be used to determine the identity of the application.
After the application is identified, the policy check determines how to treat the application:
block, allow and scan for threats/file transfers/data patters, or rate-limit them using QoS.
Application Signature:
• Database of application signature updated weekly as part of firewall content updates.
• Application Signature can also be manually downloaded and installed in PA Firewall.
Protocol Decryption:
• Uses SSH (Secure Shell) and SSL (Secure Socket Layer) for encryption capabilities.
Protocol Decoders:
These software constructs understand the application at the protocol level and provide
contexts for the application. For example, the HTTP decoder understands that there will be a
method and a version for each HTTP request. The decoders assist in detecting when a second
protocol is tunneled within an existing session. This is called “Protocol in Protocol.”
Application Signatures:
Palo Alto Networks maintains a database of known application signatures for use in the App-ID
engine. Updates to the database are issued weekly.
You can view the application signatures in three ways:
• In the WebUI under Objects > Applications
• On the Web at http://apps.paloaltonetworks.com/applipedia/
• On an Apple iOS device with the Applipedia app
Each signature covers multiple versions of an application.
In the information about the application, you may see the application identified as a SaaS. SaaS
is a service where the software and infrastructure is owned and managed by the application
service provider but where the customer retains full control of the data, including who can
create, access, share, and transfer the data.
Application Dependencies:
Parent applications must also be allowed by security policy for the dependent applications to
function.
When creating a policy to allow specific applications, you must also be sure that you are
allowing any other applications on which the application depends. In many cases, you do not
have to explicitly allow access to the dependent applications for the traffic to flow because the
firewall is able to determine the dependencies and allow them implicitly. This implicit support
also applies to custom applications that are based on HTTP, SSL, MS-RPC, or RTSP. Applications
for which the firewall cannot determine dependent applications on time require that you
explicitly allow the dependent applications when defining your policies. You can determine
application dependencies in Applipedia.
In this example, a user wants to translate text using Google Translate. Before doing so, the
user must first initiate an HTTP web-browsing session and so the security policy must account
for this by enabling the web-browsing application in addition to allowing the google-
translate-base application.
Application dependencies can be found by accessing App-ID in the WebUI. Select Objects >
Applications to see application information. The App-ID listings are also available through
Applipedia.
Implicit Applications:
PAN-OS implicitly allows parent applications for a set of commonly used applications
such as ssl and web-browsing.
In this example, Facebook access will work even if the Allow Web-browsing policy rule
were to be removed.
Requiring that dependencies be allowed in order to enable an application can often allow more
traffic than intended. For example, enabling access to web-browsing just to allow facebook-
base allows users to browse other sites, which means that the administrator must configure
other policies to regulate this access. PAN-OS addresses this concern by implicitly allowing
dependencies for a set of commonly used applications to streamline the security policy process.
Implicit permissions of a parent application are only handled only if there is no match with an
explicit rule.
When working with App-ID, it is important to understand that each App-ID signature may have
dependencies that are needed to fully control an application. For example, with Facebook
applications, the App-ID facebook-base is needed to access the Facebook website and to
control other Facebook applications. Therefore, to configure the firewall to control Facebook
email, you must allow the App-IDs facebook-base and facebook-mail. To determine application
dependencies for App-ID signatures, visit Applipedia, search for the given application, and then
click the application for details.
Application Dependencies:
To successfully enable Office-on-Demand, the policy is configured to allow all of its dependent
applications, services, and URL categories.
Application Default:
Application Default option is found in the Service column
Example: Policy matches only if the application matches SSH and is using TCP port 22 as
would be expected
To limit services to their published default port values, policies can be configured with
the application-default setting. With this setting configured, the policy matches only if
the port number associated with the session matches the port listed in the matched
application’s entry in the App-ID database. This feature is intended to limit port hopping
and port spoofing.
In this example, user Joe wants to access the website http://translate.google.com across the
firewall. Joe’s computer is in the Trust-L3 zone and the firewall interface connected to the
public Internet is in the Untrust-L3 zone.
When Joe opens a browser connection to the website, a session is started. The firewall scans
the traffic and finds the application signature for the http-get process, which matches the web-
browsing application in App-ID. Based on the source and destination addresses, the firewall
determines that the traffic is flowing from Trust-L3 (Source) to Untrust-L3 (Destination) zones.
Only these parameters are needed to match the General Internet policy, so the traffic is
allowed. The Google Translate rule is not checked at this time because a match has already
been found.
However, connecting to the website and actually using Google Translate are two different
events. We evaluate that action in the next slide.
Security policy rules are examined for every packet that traverses the firewall in a session. The
firewall can detect application shifts, or changes, within an established session.
For example, if a user to a website and tries to access Google Translate, this initiates an
application shift in the current session. The App-ID engine detects the shift and finds the
application signature for google-translate-base. The session still exists between Trust-L3 and
Untrust-L3.
Using these three conditions (application, source zone, destination zone), the first rule is
checked. There is no match because google-translate-base does not match the applications
listed in the rule so the firewall moves on to the next rule. The second rule matches on all
conditions, and google-translate-base is allowed to run.
Does the order of the two rules matter in this example?
In this example, the order is not relevant. Traffic that matches one rule cannot match the other
rule so neither rule prevents the other from being evaluated.
Application Block Response Pages:
When a security policy blocks a web-based application, a response page can be displayed on
the user’s browser.
Device > Response Pages > Application Block Page
By default, if a policy denies a Web-based application, in this case Zynga-games, the user simply
gets generic browser-based error pages. In many cases, this results in additional support calls
because users assume network problems rather than a policy violation. Therefore, custom
response pages such as the one shown can be created to notify users when their action is
blocked by a policy of the firewall.
The default response page includes the prohibited application name, as well as the username (if
User-ID is enabled).
Application block response pages do not require an interface management profile to be set.
Application Filters:
Application filters are used to cover families of applications
New application signatures are automatically included in the filter when released
Objects > Application Filters > Add
Application Groups:
Application groups can contain applications, filters, or other application groups
To group specific applications, application groups allow administrators to create custom lists of
applications for policies to check. Application groups can combine applications, application
filters, and application groups into a single entry that can be added to security policies.
Application groups are not automatically updated when new applications are added to App-ID
database unless the group contains a filter that contains the new signature.
An application group is an object that contains applications that you want to treat similarly in a
policy. Application groups are useful for enabling access to applications that you explicitly
sanction for use within your organization. Grouping sanctioned applications simplifies
administration of your rule bases: instead of updating individual policy rules when there is a
change in the applications you support, instead you update only the affected application
groups.
When deciding how to group applications, consider how you plan to enforce access to your
sanctioned applications and create an application group that aligns with each of your policy
goals. For example, you might have some applications that you allow only your IT
administrators to access, and other applications that you want to make available for any known
user in your organization. In this case, you create separate application groups for each of these
policy goals. Although you generally want to enable access to applications on the default port
only, you may want to group applications that are an exception to this and enforce access to
those applications in a separate rule.
In this example, the administrator was given a list of applications to allow and deny on the
network. For instance, some of the known good applications include: dns, web-browsing, ssl,
and flash.
However, the company acknowledges that they do not know all of the applications that the
users are using. Therefore the administrator must set allow and deny policies and determine
what other applications are in use so they can be added to their respective rule. The three rules
you see here enable the administrator to do just that.
Looking at the Actions column, the first “Known_Good rule” allows the known good
applications to pass through the firewall, whereas the “Known_Bad rule” blocks those known
bad applications that are disallowed by company policy.
The last “Unclassified_Traffic Rule” is what enables the administrator to determine what other
applications are hitting the firewall by matching traffic that is not caught by the first two rules.
Whether this rule is set to allow or deny the traffic, in this case deny, any traffic matched by this
rule is logged by the firewall. The administrator can then use the logs to identify applications in
use on the network and add them to the appropriate application group as necessary. Hence,
this last rule is an important one that should not be omitted. This last rule also helps you
identify newly classified applications, or reclassified applications, that you want to allow or deny
and can easily do so by adding them to the rule.
Application Shifts:
Applications can change during lifetime of a session called an application shift.
example, user types www.facebook.com into web browser to access Facebook-chat.
Initial request goes out as HTTP request, & application is recognized as web‐browsing.
After the HTTP request is completed, the application is changed to Facebook‐base.
After Facebook‐base application is processed, application changes to Facebook-chat.
Custom Application:
Let’s create custom Signature, on the same our create Filter category. On the Signatures tab,
click Add and define a Signature Name. Specify the Scope of the signature: whether it matches
to a full Session or a single Transaction. Specify conditions to define signatures by clicking Add
And Condition or Add Or Condition. Select an Operator to define the type of match conditions.
Lets tested go to Inside-PC and type yahoo.com/apptest it will show block page because our
custom created app is under social networking category, which is block in our filter, so it
dynamically added to that Filter and blocked by Palo Alto Network Firewall.
Application Override:
Firewall is configured to override normal App-ID of specific traffic passing through firewall.
Application Override policy takes effect, all further App-ID inspection of traffic is stopped.
Change the firewall classifies network traffic into apps, specify application override policies.
Application override with custom application will prevent session from being processed.
Application override prevent session to process by App-ID engine, which is L7 inspection.
In simple words, with Application Override Policy, Firewall stops doing Layer 7 processing.
Instead it forces firewall to handle the session as regular stateful inspection firewall at L4.
So, in other words application override policy thereby saves application processing time.
Customers build own custom applications to address specific needs unique to the company.
May not have signatures to properly identify expected behavior and identify traffic & app.
Creating application override to allow easier identification & reporting & prevent confusion.
Network applications that are classified as unknown can create new application definitions.
Let’s create custom application go to Objects>Applications then click Add in lower left corner
name application in our case Test-MSN select values for Category, Subcategory & Technology.
Go to Advanced > Defaults and select Port to list the ports in the application. click Add type the
port tcp/443 and press OK. We don't need a signature, so go ahead and click OK to complete
this custom application.
Go to Advanced > Defaults and select Port to list the ports in the application. click Add type the
port tcp/443 and press OK. We don't need a signature, so go ahead and click OK to complete
this custom application.
To create an Application Override policy, go to Policies > Application Override, then click Add:
Under the General tab, enter a name for the policy. In our case TEST-MSN.
Go to Source and add the Source Zone. Specify a Source/Destination Address if the source is a
static address; otherwise, leave as Any.
Go to Protocol/Application and select the Protocol, enter the Port number in our case 443, and
select the custom application created in our case Test-MSN.
Note: Create Security Policy to allow this new application through firewall or modify an
existing rule.
Now commit all the changes and lets test the new created Application Override policy.
Application Updates:
From the WebGUI, go to Device > Dynamic Updates
Aggregate:
• Apply DoS thresholds configured in profile to all packets that match rule criteria.
• Aggregate profile allows creation of a max session rate for all packets matching policy.
• Example, aggregate rule with a SYN flood threshold of 10000 pps counts all packets.
Classified:
• Apply DoS thresholds configured in profile to all packets satisfying classification criteria.
• Classified example is such as the source IP, destination IP or source-and-destination IP.
• Classified profile allows the creation of a threshold that applies to a single source IP.
Go to Device > Setup > Session : Session Settings enable Packet Buffer Protection & set
values.
Go to Network > Zones tick Enable Packet Buffer Protection on every zone Inside, Outside
etc.
DoS Protection Profile:
Using DoS protection profiles, you can create DoS rules much like security policies, allowing
traffic based on the configured criteria. These profiles are configured under the
Objects tab > Security Profiles > DoS Protection. Enter name, description and choose type of
profile.
Go to Objects > Security Profiles > DoS Protection Flood Protection Tab.
Go to Objects > Security Profiles > DoS Protection Resources Protection Tab.
Go to Objects > Security Profiles > DoS Protection choose type Classified this
time.
Finally, we created two different type of DoS protection Profiles, Aggregate & Classified.
Next we'll go to Policies > DoS Protection to create a DoS policy similar to the way we create
a security rule. Enter a name to identify the rule.
Select the Source tab to define the source interface(s) or source zone(s), & optionally source
address(es) & source user(s) that define incoming traffic to which DoS policy rule applies.
Select the Destination tab to define the destination zone or interface and destination address
that define the destination traffic to which the policy applies.
Select the Option/Protection tab to configure options for the DoS Protection policy rule.
Finally, the DoS Protection Policy rule look like below.
SYN Cookies:
• The PA Network Firewall acts as man-in-the-middle for the TCP handshake.
• Firewall does sequence number translation for active legitimate session.
• SYN Cookies alarms can be viewed in the threat logs or dashboard in PA.
UDP Flood:
• UDP is activated when number of UDP packets zone receives per second is reached.
• Firewall uses an algorithm to progressively drop more packets as attack rate increase.
• The Palo Alto Network Firewall drop packets until the rate reaches the Maximum rate.
• Firewall stops dropping UDP packets if incoming rate drops below Activate threshold.
ICMP Flood:
• ICMP is activated when number of ICMP packets zone receives per second is reached.
• Firewall uses an algorithm to progressively drop more packets as attack rate increases.
• The Palo Alto Network Firewall drop packets until the rate reaches the Maximum rate.
• Firewall stops dropping ICMP packets if incoming rate drops below Activate threshold.
Other IP Flood:
• Other IP is activated when number of other IP packets non‐TCP, ICMP & UDP packets.
• Firewall uses an algorithm to progressively drop more packets as attack rate increases.
• The Palo Alto Network Firewall drop packets until the rate reaches the Maximum rate.
• Firewall stops dropping ICMP packets if incoming rate drops below Activate threshold.
Reconnaissance Protection:
• Palo Alto Firewall reconnaissance protection protects against reconnaissance attacks.
• Reconnaissance attack is the first type of attacks within a Cyber‐Attack Lifecycle.
Zone Protection:
Go to Network > Network Profiles > Zone Protection Enter a profile name.
Network > Network Profiles > Zone Protection > Reconnaissance Protection tab.
Network > Network Profiles > Zone Protection > Packet Based Attack Protection.
Network > Network Profiles > Zone Protection > Packet Based Attack Protection >TCP Drop Tab.
Network > Network Profiles > Zone Protection > Packet Based Attack Protection >ICMP Drop.
Apply the Zone protection Profile to the Zone wanted by going to Network > Zones. Click the
Zone, for example "Outside," to add the Zone Protection Profile and select it from the drop-
down menu in the Zone Protection Profile. Once has been selected, click OK.
Now Let’s check ICMP Flood logs, go to Monitor > Logs>Threat
Go back to Network > Network Profiles > Zone Protection>>Reconnaissance Protection tab.
Now Let’s check TCP/UDP Port Scan logs, go to Monitor > Logs>Threat
Select Objects>Security Profile Groups and Add a new security profile group.
Give the profile group a descriptive Name , for example, in my case Security-Pro-Group. Add
existing profiles to the group. Click OK to save the profile group.
Finally, after created Security Profile Groups will look like below.
Select Policies>Security and Add or modify a security policy rule. Select the Actions tab. In
the Profile Setting section, select Group for the Profile Type. In the Group Profile drop-down,
select the group you created. Click OK to save the policy and Commit your changes.
Finally, it show like below Security Profile Group is attached to Allow Policy rule.
Content-ID:
Content-ID combines a real-time threat prevention engine with a comprehensive URL database.
Content-ID uses some of the same elements of App-ID to limit unauthorized data and file
transfers, detect and block a wide range of threats, and control nonwork-related web surfing.
Advantages of Content-ID include:
• A stream-based (not file-based) architecture for real-time performance
• The ability to block transfer of sensitive data and file transfers by type
• URL filtering capability enabled via a fully-integrated URL Database
• The ability to detect zero-day attacks with WildFire
Note: The first arrow on the left side in the diagram refers to traffic that has been matched to a
security policy with an action of allow that has one or more security profiles attached to it.
For additional information about threat prevention in PAN-OS, refer to the Threat Prevention
Deployment Tech Note available on the support website.
Security Profiles:
Security profiles are objects that are added to security policies with the “allow” action. Profiles
are not necessary for security policies with the “deny” action because no further processing is
needed if the packet is to be dropped. As with policies, profiles are applied to all packets over
the life of a session.
The profiles represent additional security checks to be performed on the allowed traffic. They
look for improper or malicious use of applications that are allowed in the environment. For
example, web browsing may be allowed, but there is still worry that users can download a virus
from a website. The security policy allows web browsing, and an antivirus profile is added to
detect and react to viruses.
Types of security profiles include:
• Antivirus: Detects infected files being transferred with the application
• Anti-Spyware: Detects spyware downloads and traffic from already installed
spyware
• Vulnerability Protection: Detects attempts to exploit known software
vulnerabilities
• URL Filtering: Classifies and controls web browsing based on content
• File Blocking: Tracks and blocks file uploads and downloads based upon file
type and application
• WildFire Analysis: Forwards files to the WildFire Public Cloud, the WF-500
Private Appliance, or both.
• Data Filtering: Looks for specific patterns of data in the traffic
The Antivirus security profile defines actions to be taken if an infected file is detected as part of
an application. The listed applications represent the wide variety of vectors that modern viruses
can take in infecting a system. For each application type an action can be defined.
If a virus is detected, the default action is to “reset-both”, which equals a drop action if UDP. If
TCP, the action resets the server and the client.
If the decoder is either IMAP or POP3, the default action is to “alert”. These protocols are store-
and-forward protocols: if an intermediate device drops the packets, POP3 and IMAP are
designed to continually resend until the data is ultimately delivered. For these kinds of
applications, the infected file needs to be removed at either the server or the client, not on the
wire.
If the decoder is SMTP the default action is also to “alert”, however, an SMTP 541 error
message is sent as part of the reset action when a virus is detected. This message tells the mail
server not to retry sending the message, which allows the firewall to drop the mail without the
mail server trying to resend.
The Actions column configures the action taken if the infected file is identified by the firewall
antivirus definitions file. The WildFire Action column defines the action taken if the infected file
is matched against the threat list maintained by the WildFire subscription feature, which is
discussed later in this module. When the action is set to “alert”, no traffic is blocked. The only
action taken is to generate an entry in the threat log. By selecting the Packet Capture check
box, any alert is also accompanied by a packet capture of the portion of the file that triggered
the virus signature. This capture can be used to verify the presence of the virus and rule out
false positives.
The sinkhole action provides administrators with an easy way to quickly identify infected hosts
on the protected network using DNS traffic. When an anti-spyware profile is enabled in a
security profile, the anti-spyware signatures and DNS-based signatures will trigger on DNS
queries directed at threat domains.
These signatures can identify a network's local DNS resolver as the source of the traffic rather
than the infected host. Then the firewall is unable to determine the originator of the query.
Sinkholing DNS queries involves the forging of responses to DNS queries which are directed at
malicious domains. The clients on the network attempt to connect to the sinkhole address
rather than the actual host pointed to by DNS. Infected hosts can then be identified in the
traffic logs because any host that attempts to connect to the sinkhole address is assumed to be
an infected host.
After selecting the sinkhole action, specify an IPv4 and/or IPv6 address that will be used as the
sinkhole (the default IPv4 address is a public address owned by Palo Alto Networks, which can
be used if you do not wish to redirect the DNS traffic internally). When a sinkhole IP address is
configured, the infected clients can be identified by filtering the traffic logs, or by building a
custom report that checks for sessions to the specified IP address.
A security policy can include specification of a vulnerability protection profile that determines
the level of protection against buffer overflows, illegal code execution, and other attempts to
exploit system vulnerabilities.
The firewall includes two predefined vulnerability protection security profiles:
• Default: The profile applies the default action to all client and server critical-,
high-, and medium-severity vulnerability protection events. This profile is
typically used for Proof of Concept (POC) or first-phase deployments.
• Strict: The profile applies the block response to all client and server critical-,
high-, and medium-severity vulnerability protection events and uses the
default action for low and informational vulnerability protection events. Strict
profiles are used for out-of-the-box protection with recommended block of
critical, high, and medium threats.
The predefined profiles cannot be modified or deleted.
One security feature that is sometimes overlooked by security professionals is the Packet
Capture option inside of the Security Profiles. This option is available in the event you need to
report any False Positives or in the event you would like to troubleshoot other suspect
behaviors found in result of the Security Profiles. The may be especially true for Antivirus, Anti-
Spyware and Vulnerability Protection profiles. Enabling this option will capture the data that
the inspection engine tags as a threat.
Threat Log:
Anything logged from antivirus, anti-spyware ,or vulnerability protection profiles is viewed in
the threat log.
Monitor > Logs > Threat
The threat log records each security alarm generated by the firewall. Each entry includes the
date and time, the threat type, such as a virus or spyware/vulnerability filtering violation, the
source and destination zones, addresses, and ports, the application name, and the action and
severity.
Threat log entries can be logged remotely by severity level by defining log forwarding profiles,
and then assigning the profiles to security rules. Threats are logged remotely only for the traffic
that matches the security rules where the logging profile is assigned.
Threat logs are used in generating reports and in the Application Command Center.
Often, the need for exceptions to the vulnerability and anti-spyware profiles are not known
until a user complains that they have lost functionality. The situation is further complicated by
the fact that multiple profiles may need to have the same exception defined.
Check the box next to the profiles that should have an exemption for this threat and, optionally,
specify the IP address exemptions in the adjacent panel.
Note: The Threat Details Interface is exclusively for adding functionality. The values shown do
not reflect the current state of the listed profile exemption lists. Check the individual profiles to
verify whether or not an exemption already exists.
URL Filtering security profiles enable you to monitor and control how users access the web over
HTTP and HTTPS. The firewall comes with a default profile that is configured to block websites
such as known malware sites, phishing sites, and adult content sites. You can use the default
profile in a security policy, clone it to be used as a starting point for new URL Filtering profiles,
or add a new URL profile that will have all categories set to allow for visibility into the traffic on
your network. You can then customize the newly added URL profiles and add lists of specific
websites that should always be blocked or allowed, which provides more granular control over
URL categories.
A security policy can include specification of a URL Filtering security profile that blocks access to
specific web sites and web site categories, or generates an alert when the specified web sites
are accessed (a URL Filtering license is required). It is possible to define a block list of websites
that are always blocked (or generate alerts) and an allow list of websites that are always
allowed.
Predefined sets of web categories can be downloaded from Palo Alto Networks.
Administrators can also define custom URL categories to customize the behavior of the URL
Filtering security profiles.
Logged as part of the entry for a policy Logged in the URL Filtering log
in the traffic log
The URL Filtering feature can be used by placing categories directly into policies or attaching a
URL Filtering profile to a security rule. URL Filtering affects only HTTP and HTTPS traffic.
The URL Category field can be used as a match condition for security, QoS, decryption, and
captive portal policies. Predefined and custom categories can be matched when using the URL
Category field. The URL Category itself does not have an associated action; traffic behavior is
controlled by the policy.
The URL Filtering security profile provides granular control for traffic allowed by a security
policy.
As with other profiles, the URL Filtering profile is applied only if the associated policy allows
traffic. The profile can match URL categories, as well as individual URLs. Each category can be
assigned a different action for more focused management. For example, a security policy can be
created to allow all web browsing, but has a policy that blocks all access to file sharing websites
and logs all access to social networks.
Each URL Filtering profile can be configured with an explicit block list and allow list, which take
precedence over URL categories. Omit the http[s]:// portion of the URLs when populating these
lists. Entries in the block list and allow list are case-insensitive and must match exactly. For
example, www.ebay.com is different from ebay.com.
The block list, allow list, and custom categories support wildcard patterns. A token is a string of
characters that begins or ends with a valid separator character (. / ? & = ; +). For example, the
following patterns are valid:
*.yahoo.com (Tokens are: "*", "yahoo" and "com")
www.*.com (Tokens are: "www", "*" and "com")
www.yahoo.com/search=* (Tokens are: "www", "yahoo", "com", "search", "*")
It is recommended to enter the firewall administrator’s domain in the allow list to avoid
possible miscategorization.
For additional reading on this topic, refer to the document URL Categorization Components and
Process on the Support website.
Note: * Depending on which URL Filtering database you are using, subsequent actions will vary.
More details on each database, and their respective actions, are covered later in this module.
PAN-DB
Uses a seed database for initial configuration, then the device stays in sync with cloud servers.
Private, offline PAN-DB server option requires the Palo Alto Networks M-500.
The Palo Alto Networks URL Filtering solution compliments App-ID by enabling you to configure
the firewall to identify and control access to web (HTTP and HTTPS) traffic and to protect your
network from advanced attacks in the cyber kill chain.
A URL Filtering database categorizes millions of websites into approximately 60-80 categories.
You can use these URL categories as a match criteria in policies (captive portal, decryption,
security, and QoS) or attach them as URL Filtering profiles within a security policy to safely
enable web access and control the traffic that traverses your network.
The PAN-DB URL Filtering solution allows you to choose between the PAN-DB public cloud and
the PAN-DB private cloud. Use the public cloud solution if the firewalls on your network can
access the Internet directly. If the network security requirements in your enterprise prohibit the
firewalls from directly accessing the Internet, you can deploy a PAN-DB private cloud on one or
more M-500 appliances that function as PAN-DB servers within your network. The PAN-DB
public cloud solution is the default.
A URL Filtering database developed by Palo Alto Networks that is tightly integrated into PAN-OS
and the Palo Alto Networks threat intelligence cloud. PAN-DB provides high-performance local
caching for maximum inline performance on URL lookups, and offers coverage against malicious
URLs and IP addresses. As WildFire, which is a part of the Palo Alto Networks threat intelligence
cloud, identifies unknown malware, zero-day exploits, and advanced persistent threats (APTs),
the PAN-DB database is updated with information on malicious URLs so that you can block
malware downloads, and disable Command and Control (C&C) communications to protect your
network from cyber threats. To view a list of PAN-DB URL Filtering categories, refer to
https://urlfiltering.paloaltonetworks.com/CategoryList.aspx.
Each firewall accesses the PAN-DB servers in the cloud to download the list of eligible servers to
which it can connect for URL lookups. With the PAN-DB private cloud, configure the firewalls
with a static list of PAN-DB servers that will be used for URL lookups.
• URL Continue Timeout: Specifies the interval in minutes following a user's continue
action before the user must press Continue again for URLs in the same category (range
is 1-86400 seconds with a default of 900 seconds or 15 minutes).
• URL Admin Override Timeout: Specifies the interval in minutes after the user enters
the admin override password before the user must re-enter the admin override
password for URLs in the same category. (Range is 1-86400 seconds with a default of
900 seconds or 15 minutes.)
• URL Admin Lockout Timeout: Specifies the period of time in minutes that a user is
locked out from attempting to use the URL Admin Override password after three
unsuccessful attempts. (Range is 1-86400 seconds with a default of 1800 seconds or 30
minutes.)
• PAN-DB-Server: Required for connecting to a private PAN-DB server. Specify the IPv4
address, IPv6 address, or FQDN for the private PAN-DB server(s) on your network. You
can enter up to 20 entries. The firewall connects to the public PAN-DB cloud, by
default. The private PAN-DB solution is for enterprises that disallow the firewall(s)
from directly accessing the PAN-DB servers in the public cloud. The firewalls access the
servers included in this PAN-DB server(s) list for the URL database, URL updates, and
URL lookups for categorizing web pages.
Recategorization Requests:
Sometimes URLs are miscategorized by the database providers, which causes users to be
unable to access sites that should be allowed.
Requests for recategorization can be submitted through the Request Categorization Change link
in the details window of a log entry. The link redirects the browser to a change request form
that is submitted to the database vendor.
Check that Valid Licensing either PAN-DB or BrightCloud URL Filtering is installed.
URL Filtering Profile Overrides Tab:
Select Objects > Security Profiles > URL Filtering > User Credential Detection to enable the
firewall to detect when users submit corporate credentials.
Let’s modify the URL Filtering Profile go to Objects > Security Profiles > URL Filtering > click on
custom created ULR Profile named: URL-Profile on categories tab in search type social and type
enter button or arrow to search for Social-networking in Site access change the action to block.
Click OK and commit the changes.
Go to Monitor > Logs >Logs >URL Filtering to see the URL logs.
admin@PA-VM> show log url
Let’s go to Device > Setup > Content-ID URL Settings for URL Admin Override click on Add and
specify the settings that apply when URL filtering profile blocks page & Override action is
specified.
Password/Confirm Password—Enter the password that the user must enter to override the
block page.
SSL/TLS Service Profile—To specify a certificate and the allowed TLS protocol versions for
securing communications when redirecting through the specified server, select an SSL/TLS
Service profile.
Mode—Determines whether the block page is delivered transparently (it appears to originate
at the blocked website) or redirects the user to the specified server. If you choose Redirect,
enter the IP address for redirection.