Palo Alto Networks, Inc Palo Alto Networks Palo Alto Networks PAN-OS Panorama Palo Alto Networks, Inc. P/N


1 Palo Alto Networks 4.0 5/10/11 / - Palo Alto Networks

2 Palo Alto Networks, Inc Palo Alto Networks Palo Alto Networks PAN-OS Panorama Palo Alto Networks, Inc. P/N A

3 5 10, Palo Alto Networks Web Palo Alto Networks 3

4 SNMP PAN-OS RADIUS LDAP Active Directory (Kerberos) Log Destinations HIP SNMP Syslog / HA / HA HA HA Virtual Systems Palo Alto Networks

5 Aggregate Aggregate Ethernet VLAN HA VLAN DHCP DNS NAT DoS Palo Alto Networks 5

6 URL DoS URL Botnet Botnet Botnet PDF Palo Alto Networks

7 Active Directory User-ID Agent PC User-ID Agent User-ID Agent User-ID Agent edirectory API User-ID Agent User-ID Agent User-ID Agent User-ID Agent Terminal Server Agent Terminal Server Agent Terminal Server Agent Terminal Server Agent IPSec IPSec VPN SSL-VPN VPN IPSec IKE IPSec IKE IPSec VPN IKE IPSec IKE IPSec IPSec VPN VPN VPN Palo Alto Networks 7

8 9 GlobalProtect SSL-VPN GlobalProtect GlobalProtect GlobalProtect GlobalProtect SSL-VPN SSL-VPN SSL-VPN SSL-VPN NetConnect SSL-VPN QoS QoS QoS QoS QoS Panorama Panorama Panorama Panorama Panorama SSL Panorama Web Panorama Panorama HA HA Panorama Palo Alto Networks

9 A URL Web URL SSL VPN SSL B C D BSD GNU GNU MIT/X OpenSSH PSF PHP Zlib Palo Alto Networks 9


11 5 10, Palo Alto Networks Web Palo Alto Networks / Palo Alto Networks 11

12 6 7 8 IPSec IP (IPSec) 9 GlobalProtect SSL-VPN GlobalProtect (SSL) (VPN) 10 (QoS) 11 Panorama High Definition Firewall (CMS) 12 Panorama A HTML B Palo Alto Networks C D 12 Palo Alto Networks

13 Web (URL) SecuritySecurity Rules Palo Alto Networks a:\setup Devices Administrators Clone Rule Palo Alto Networks 13

14 Web Help / KnowledgePoint 14 Palo Alto Networks

15 Palo Alto Networks 80 IPv4 IPv6 IPv4 IPv6 Palo Alto Networks 15

16 (SSL) 135 URL URL 141 Web 169 HA 67 Web (CLI) Panorama Web Web Web Internet Explorer (IE) Firefox HTTP HTTPS CLI Telnet (SSH) PAN-OS Panorama Palo Alto Networks Web Panorama Web Panorama Panorama 259 Panorama Palo Alto Networks

17 (SNMP) RFC 1213 (MIB-II) RFC 2665 SNMP SNMP 53 Syslog Syslog Syslog 55 XML API (REST) Palo Alto Networks 17


19 2 20 Web 21 Panorama Panorama App-ID 3. IP 4. IP Palo Alto Networks 19

20 1. RJ-45 (MGT) IP Web Palo Alto Networks 4. Name Password admin Login OK 5. Device Quick Start Setup Quick Start Setup 1. Quick Start Setup 6. Quick Start Setup a. Management Configuration (DNS) IP (NTP) IP NTP Setup 77 b. Palo Alto Networks Support 20 Palo Alto Networks

21 Web c. Update Application and Threat Content Update Software d. Proceed 7. Devices Administrators 8. admin 9. New Password Confirm New Password OK Web Object Devices Add Palo Alto Networks 21

22 Web Delete OK Cancel Clone OK Save OK candidate Commit Palo Alto Networks

23 Web Vulnerability Protection Profiles Objects Security Profiles Vulnerability Profiles Objects > Security Profiles > Vulnerability Profiles Web Config lock Commit Lock Locks Take a Lock OK Close Lock Locks Yes Close Lock Device Setup Management Automatically acquire commit lock 26 Palo Alto Networks 23


25 3 36 PAN-OS SNMP 53 Syslog Virtual Systems Palo Alto Networks 25

26 Device > Setup Setup IP Panorama (DNS) (NTP) (RADIUS) IP 94 Edit 1. Host Name Domain Name Mgt Interface Speed 31 (FQDN) 31 10Mbps 100Mbps 1Gbps 26 Palo Alto Networks

27 1. MGT Interface IP Address Netmask Default Gateway MGT Interface IPv6 Address Default IPv6 Gateway MGT Interface Services Login Banner Authentication Profile Client Certificate Profile DNS Proxy Primary NTP Server Secondary NTP Server System Location System Contact Timezone Update Server IP IP IP IP IPv6 IPv6 IPv6 HTTP HTTPS Telnet (SSH) / Ping Name Password DNS Servers DNS DNS IP DNS DNS FDQN DNS Proxy DNS DNS DNS DNS 114 NTP IP NTP Quick Start Setup NTP Palo Alto Networks updates.paloaltonetworks.com Palo Alto Networks 27

28 1. Proxy Server: Server Port User Password Panorama Panorama 2 Permitted IP Addresses Geo Location SNMP Community String Configuration Links Custom Logo Manage Data Protection Service Route Configuration CRL/OCSP Settings Palo Alto Networks IP Panorama Palo Alto Networks IP Panorama Panorama Disabled Shared Policies Panorama Import shared policies from Panorama before disabling OK Panorama (HA) HA Panorama IPv4 IPv (SNMP) Custom Logo Browse OK Remove OK 192 Manage Data Protection Set data access password Change data access password Delete data access password and protected data Service Route Configuration Use Management Interface for all Select Source Address Palo Alto Networks

29 1. Quick Start SNMP Setup Statistics Service Setup Container Pages Multi-Virtual Systems Multi Virtual System Capability Reboot/Restart Reboot Device Restart Data Plane Date and Time Set Time Settings IPv6 Firewalling Rematch Sessions Jumbo Frame Jumbo Frame MTU Dynamic URL Cache Timeout URL Continue Timeout 20 SNMP SNMP Setup Multi Virtual System Capability Edit OK Virtual Systems 72 Reboot Device PAN-OS 33 Restart Dataplane Set Time YYYY/MM/DD 24 (HH:MM:SS) IPv6 Edit IPv6 Firewalling IPv6 IPv6 Edit Rematch all sessions on config policy change Telnet Deny Telnet MTU 9192 Edit URL BrightCloud URL URL 141 continue URL continue Palo Alto Networks 29

30 1. URL Admin Override Timeout URL Admin Lockout Timeout x-forwarded-for Strip-x-forwarded-for ICMPv6 Token Bucket Size ICMPv6 Error Packet Rate Management Log Storage Automatically acquire commit lock Idle Timeout Max. Rows in CSV Export Max. Rows in User Activity Report Receive Timeout for connection to Panorama Send Timeout for connection to Panorama Retry Count for SSL send to Panorama URL URL IP X-Forwarded-For X-Forwarded-For HTTP IP Src x.x.x.x URL x.x.x.x IP Source User IP X-Forwarded-For IP ICMPv6 ICMPv ICMPv / 100 Restore Defaults Web CLI CSV Panorama TCP TCP Panorama (SSL) Panorama Palo Alto Networks

31 1. # Failed Attempts Lockout Time Number of Versions for Config Audit Stop Traffic when LogDb full Number of Versions for Config Backups URL Admin Override Settings for URL admin override Web CLI Panorama 100 URL Override URL 141 Edit URL Virtual System Password/Confirm Password Server Certificate SSL Mode Redirect IP Palo Alto Networks 31

32 Device > Config Audit Config Audit Submit 2. Panorama Panorama 32 Palo Alto Networks

33 Device > Setup OK Commit Save Commit Save 2. Save (running-config.xml ) (running-config.xml ) (running-config.xml ) / Browse Commit commit CLI Web CLI 23 Palo Alto Networks 33

34 Device > Setup (CA) (CRL) SSL SSL (OCSP) SSL 129 CRL OCSP Setup Server CRL/OCSP Setting 3. CRL/OCSP Enable Receive Timeout Enable OCSP Receive Timeout Block Unknown Certificate Block Timeout Certificate Certificate Status Timeout CRL SSL CRL 1-60 OCSP SSL OCSP Palo Alto Networks

35 SNMP Device > Setup SNMPv2c SNMPv3 SNMP (MIB) Setup SNMP Setup 4. SNMP Location Contact Access Setting MIB SNMPv2c SNMPv3 MIB V2c SNMP Community String SNMP V3 Views Add Name View OID (OID) Option OID Mask 0xf0 OID Users Add Users View Auth Password Priv Password Device > Setup Palo Alto Networks URL Panorama URL Palo Alto Networks 35

36 Report Sample Device > Setup text/html text/xml text/plain (pdf) (jpeg) URL 5. VSYS URL Content Types Add Device > Licenses Palo Alto Networks Licenses URL BrightCloud URL Active Retrieve license keys from license server Activate feature using authorization code OK a. b. c. Manually upload license key Browse OK 36 Palo Alto Networks

37 PAN-OS Web URL CLI request url-filtering upgrade brightcloud CLI tail follow yes mp-log Pan_bc_download.log Licenses BrightCloud URL PAN-OS Device > Software PAN-OS Palo Alto Networks PAN-OS Software Refresh Palo Alto Networks Release Notes Download Downloaded Install Upload PC Install from File OK PAN-OS PAN-OS PAN-OS Decrypt failed: GnuPG edit non-zero, with code Failed to load into PAN software manager. Palo Alto Networks 37

38 Device > Dynamic Updates Palo Alto Networks URL GlobalProtect Dynamic Updates Application and Threats Antivirus URL Filtering Check Now Palo Alto Networks Upgrade Revert Release Notes Upload PC Install from File OK Schedule Download Only Dynamic Updates Upgrade OK Local database RADIUS RADIUS LDAP (LDAP) Kerberos Kerberos Client Certificate 38 Palo Alto Networks

39 RADIUS LDAP Kerberos DB SSL (VPN) GlobalProtect SSL-VPN Device > Admin Roles Admin Roles Name Role WebUI CLI Role Web / CLI disable CLI superuser superreader deviceadmin devicereader Palo Alto Networks 39

40 Device > Administrators admin 7. Name Authentication Profile New Password Confirm New Password Role Virtual System 15 RADIUS LDAP Kerberos DB Dynamic Superuser Superuser (Read Only) Device Admin Device Admin (Read Only) Vsys Admin Vsys Admin (Read Only) Role Based Admin 39 Role Based 39 Add Available Selected Panorama Administrators 40 Palo Alto Networks

41 Device > Access Domain Access Domain RADIUS (VSA) RADIUS RADIUS RADIUS RADIUS 8. Name Virtual Systems 31 Available Add RADIUS LDAP Kerberos SSL-VPN SSL-VPN Setup 26 Setup RADIUS RADIUS RADIUS paloaltonetworks.com Settings None Palo Alto Networks 41

42 Device > Authentication Profile Authentication Profile 9. Profile Name Virtual System Failed Attempts Lockout Time Allow List Authentication Server Profile Login Attribute Edit Allow List Available Add Selected All Search Available Add Selected Remove any None Local DB RADIUS RADIUS LDAP LDAP Kerberos Kerberos RADIUS LDAP Kerberos Server RADIUS 44 LDAP 45 Active Directory (Kerberos) 46 LDAP LDAP 42 Palo Alto Networks

43 9. Password Expiration Warning LDAP Active Directory edirectory Sun ONE Directory SSL-VPN GlobalProtect SSL- VPN 237 SSL-VPN <SCRIPT> function getpasswarnhtml(expdays) { var str = "Your password will expire in " + expdays + " days"; return str; } </SCRIPT> str Device > Local User Database > Users Local Users 10. Local User Name Virtual System Mode Enabled Password Phash Palo Alto Networks 43

44 Device > Local User Database > User Groups Local User Groups 11. Local User Group Name Virtual System All Local Users RADIUS Device > Server Profiles > RADIUS RADIUS RADIUS RADIUS Name Location Shared Virtual System Domain Timeout Retries Retrieve User Group Servers 31 Shared Shared RADIUS RADIUS VSA Name IP address IPv4 IPv6 Port Secret/Confirm Secret RADIUS 44 Palo Alto Networks

45 LDAP Device > Server Profiles > LDAP LDAP LDAP LDAP Name Location Servers Domain Type Base Bind DN Bind Password/ Confirm Bind Password SSL Time Limit Bind Time Limit Retry Interval 31 Shared LDAP IPv4 IPv6 Palo Alto Networks SSL (TLS) LDAP Palo Alto Networks 45

46 Active Directory (Kerberos) Device > Server Profiles > Kerberos Kerberos Active Directory RADIUS Internet (IAS) Kerberos Kerberos Kerberos 41 Kerberos domain realm Kerberos domain\username 14. Kerberos Name Location Realm Domain Servers 31 Shared 127 example.local 63 Kerberos Add Server IP Host FQDN Port Active Directory LDAP 46 Palo Alto Networks

47 Device > Authentication Sequence Authentication Sequence Profile Name Location Failed Attempts Lockout Time Profile List Shared Move Up Move Down Device > Client Certificate Profile Setup SSL-VPN Profile Name Location Shared Virtual System Username Field Domain Shared shared Palo Alto Networks 47

48 16. CA Certificates Use CRL Use OCSP CRL Receive Timeout OCSP Receive Timeout Certificate Status Timeout Block Unknown Certificate Block Timeout Certificate CA OCSP URL CA Add (CRL) OCSP CRL 1-60 OCSP Panorama SNMP syslog 17. Configuration System Threat Panorama syslog SNMP HA SNMP / Palo Alto Networks

49 17. Traffic URL Filtering Data Filtering allow deny drop / 169 URL URL URL Log Destinations Panorama SNMP syslog 18. Destination Panorama Panorama Panorama 26 SNMP trap SNMP SNMP SNMP 53 Syslog Syslog syslog Syslog Palo Alto Networks 49

50 Device > Scheduled Log Export CSV (FTP) FTP 3 FTP OK Scheduled Log Export 19. Name Enabled Log Type Scheduled export start time (daily) Hostname Port Passive Mode Username Password URL HIP 24 (hh:mm) (00:00-23:59) FTP IP FTP 21 FTP FTP anonymous Device > Log Settings > Config Panorama syslog / 20. Panorama Syslog Panorama 56 syslog syslog syslog Syslog Palo Alto Networks

51 Device > Log Settings > System Panorama SNMP syslog / HA 21. Panorama SNMP Trap Syslog Panorama Panorama 26 Critical HA High syslog RADIUS Medium Low Informational / SNMP syslog / SNMP 53 Syslog Palo Alto Networks 51

52 HIP Device > Log Settings > HIP Match (HIP) GlobalProtect GlobalProtect HIP Panorama Syslog SNMP Trap Panorama 56 syslog syslog syslog Syslog 55 HIP SNMP SNMP SNMP 53 Device > Log Settings > Alarms Alarms 23. Enable Alarms Enable CLI Alarm Notifications Enable Web Alarm Notifications Enable Audible Alarms Encryption/Decryption Failure Threshold Log DB Alarm Threshold % Full CLI Web CLI / 52 Palo Alto Networks

53 SNMP 23. Security Policy Limits Security Rule Group Tags Security Rule Group Limits Selective Audit Security Violations Time Period Security Violations Threshold Security Rule Group Violations Time Period Security Rule Group Violations Threshold Common Criteria Alarms CC Specific Logging Common Criteria (CC) Login Success Logging Login Failure Logging Suppressed Administrators Device > Log Settings > Manage Logs SNMP Device > Server Profiles > SNMP Trap SNMP SNMP SNMP Name Location SNMP 31 Shared Palo Alto Networks 53

54 SNMP 24. SNMP Version V2c settings V3 settings SNMP SNMP V2c Server SNMP 31 Manager IP Community V3 Server SNMP 31 Manager IP User SNMP EngineID - SNMP ID Auth Password SNMP Priv Password SNMP SNMP MIB SNMP MIB SNMPv2-MIB DISMAN-EVENT-MIB IF-MIB HOST-RESOURCES-MIB ENTITY-SENSOR-MIB PAN-COMMON-MIB Palo Alto Networks MIB 54 Palo Alto Networks

55 Syslog Syslog Device > Server Profiles > Syslog HIP syslog Syslog syslog Syslog Name Location Servers Name Server Port Facility Custom Log Format Log Type Escaping syslog 31 Shared Add Syslog 31 syslog IP syslog 514 Log Format Log Format OK Escaped characters Palo Alto Networks 55

56 Device > Server Profiles > Name Location Servers Server Display Name From To And Also To Gateway Custom Log Format Log Type Escaping 31 Shared 1-31 From (SMTP) IP Log Format OK 56 Palo Alto Networks

57 Device > Certificates Certificates Forward Trust CA CA Certificates Forward Trust Certificate Forward Untrust CA CA Trusted Root CA CA CA CA CA CA CA SSL Exclude SSL SSL Certificate for Secure Web GUI Web Web Certificates Web CA SSL a. Import b. c. PKCS #12 PEM d. Import Private Key PKCS #12 PEM *.key e. Palo Alto Networks 57

58 a. b. Export c. PKCS#12.pfx.pem d. Export Private Key e. Save a. Generate Generate Certificate b. Forward Trust Forward Untrust Trusted Root CA SSL Exclude Certificate for Secure Web GUI Panorama Panorama Panorama Certificate Name Common Name Location Passphrase Confirm Passphrase Number of Bits Digest Country Code State Locality Organization Department 31 IP FQDN Shared / / ISO 3166 Country Codes 58 Palo Alto Networks

59 27. Signed By Certificate Authority CA CA Device > Master Key and Diagnostics Master Key and Diagnostics 28. Master Key New Master Key Confirm Master Key Life Time Time for Reminder Common Criteria Common Criteria Palo Alto Networks 59

60 PAN-OS / / (HA) HA / HA / HA HA HA HA HA / HA / HA App-ID Content-ID App-ID Content-ID 7 PAN-OS HA3 / 3 3 HA3 App-ID Content-ID 60 Palo Alto Networks

61 3 Static interface IP HA Floating IP (VRRP) HA IP ARP load sharing (ARP) / App-ID Content-ID (1) (2) primary device / HA IP modulo IP IP IP HA Primary Device Hash HA App-ID Content-ID HA HA3 7 Palo Alto Networks 61

62 / HA 3 IPv6 / IPv6 Virtual Wire Deployment / App-ID Content-ID Layer 3 Floating IP Deployment HA IP IP MAC ARP VRRP IP IP VPN (NAT) Layer 3 ARP Load-Sharing ARP Load-Sharing HA IP IP ARP HA IP ARP ARP Load-Sharing 3 ARP Load-Sharing Layer 3 Route Based Redundancy (OSPF) IP HA 62 Palo Alto Networks

63 NAT / NAT / HA / / Web NAT NAT NAT NAT NAT NAT 1 1 NAT 0 NAT Device 0 and Device 1 NAT ID IP NAT Both NAT NAT Primary NAT NAT NAT ARP 0/1 / NAT Palo Alto Networks 63

64 IP IP/ IP IP/ NAT Device ID 0 1 HA IP Device Device IP 3. IP 64 Palo Alto Networks

65 Internet (ISP) IP NAT Device ID 0 1Device Device Device 0 Device 1 IP ISP ISP IP IP 4. IP Palo Alto Networks 65

66 IP NAT IP 66 Palo Alto Networks

67 HA HA Factory Reset PAN-OS 3. Internet 4. RJ-45 HA1 HA2 HA1 HA2 / HA3 HA HA 1/15 1/16 5. Network HA HA 6. HA 6. HA HA 67 HA HA HA Device > High Availability HA 67 HA HA High Availability Edit Palo Alto Networks 67

68 29. HA Setup Enable HA ID Mode Peer HA IP Address Backup Peer HA IP Address Enable Config Sync Link Speed HA Link Duplex HA Election Settings Device Priority Heartbeat Backup Preemptive Preemption Hold Time Promotion Hold Time HA / / / active-active active-passive Control Link HA1 IP HA IP IP HA IP HA1 HA ms 0 ms / / HA Hello Interval HA PA-4000/PA ms PA-2000/ PA ms PA-4000/PA ms PA-2000/PA ms Heartbeat Interval HA ICMP Ping ms 1000ms Maximum No. of Flaps Palo Alto Networks

69 29. HA Monitor Fail Hold Up Time (ms) Additional Master Hold Up Time (min) Control Link Port IP Address Netmask Gateway Control Link Monitor Hold Time (ms) Encryption Enabled Data Link Port IP Address Netmask Gateway State Synchronization Enabled Transport Link Speed HA Link Duplex HA HA ms 0 ms Monitor Fail Hold Up Time ms 500 ms / / / HA1 HA HA1 HA IP HA1 IP HA1 IP ms 3000 ms HA1 HA HA HA HA HA1 / Certificates 57 HA HA2 HA2 HA IP HA2 HA HA2 HA Ethernet (Ethertype 0x7261) IP 3 IP 99 UDP IP UDP HA2 HA2 Palo Alto Networks 69

70 29. HA Active Passive Configuration Passive Link State Monitor Fail Hold Down Time Active Active Configuration HA3 Port Sync Virtual Router Sync QoS Packet Forward Session Load Sharing Session Setup auto 3 auto shutdown / HA QoS QoS Network QoS QoS HA3 App-ID Content-ID 7 First packet App-ID Content-ID 7 HA3 Primary Device / 7 IP Modulo IP Primary Device IP Hash IP IP 70 Palo Alto Networks

71 29. HA Path Monitoring Enabled Failure Condition Path Groups Link Monitoring Enabled Failure Condition Link Groups ICMP ping IP 3 Add Type VLAN Name Enabled Failure Condition Source IP VLAN IP IP Destination IPs Delete 3 Add Name Enabled Failure Condition Interfaces Delete HA HA Preemption HA Preemption Palo Alto Networks 71

72 Virtual Systems IP OS LED HA CLI request high-availability state suspend High Availability Device Suspend CLI request high-availability state functional HA CLI show high-availability all CLI show high-availability state Device Config Audit Dashboard HA Push Configuration Web CLI request high-availability sync-to-remote runningconfig CLI show jobs processed Virtual Systems VLAN 98 PA-4000 PA-5000 PA-2000 PA Palo Alto Networks

73 Virtual Systems 7 Internet Device admin Dept 1 VSYS Dept 2 VSYS Dept 3 VSYS Dept 4 VSYS Policies Policies Policies Policies vsys admin vsys admin vsys admin vsys admin 7. (vsys1) Policies Objects Virtual System VLAN 76 SNMP syslog Palo Alto Networks 73

74 Virtual Systems external 98 1 VSYS 2 VSYS 1 VSYS 2 VSYS 2 VSYS 1 VSYS Internet Dept 1 VSYS Dept 2 VSYS Dept 3 VSYS Dept 4 VSYS Policies Policies Policies Policies Palo Alto Networks

75 Virtual Systems 74 IP Internet a.a.a.a b.b.b.b c.c.c.c d.d.d.d Dept 1 VSYS Dept 2 VSYS Dept 3 VSYS Dept 4 VSYS 9. ISP IP IP 10 Internet x.x.x.x Shared gateway a.a.a.a b.b.b.b c.c.c.c d.d.d.d Dept 1 VSYS Dept 2 VSYS Dept 3 VSYS Dept 4 VSYS 10. NAT Virtual System Palo Alto Networks 75

76 Virtual Systems Device > Virtual Systems Device > Setup Multi Virtual System Capability Edit Allow multiple virtual systems Virtual Systems Virtual Systems Add 30. ID Name General Resource 31 DNS DNS DNS 114 VLAN Add Delete Sessions Limit Security Rules NAT Rules NAT Decryption Rules QoS Rules QoS Application Override Rules PBF Rules (PBF) CP Rules (CP) DoS Rules (DoS) Site to Site VPN Tunnels VPN Concurrent SSL-VPN Tunnels SSL- VPN VLAN OK Network > Zones 98 Network > Interfaces 76 Palo Alto Networks

77 Device > Shared Gateways ID Name Interfaces 31 Device > Response Pages URL HTML A 32. Antivirus Block Captive Portal Comfort SSL Certificate Revoked Notify URL Filtering Block SSL-VPN Custom Login GlobalProtect Portal Login Application Block File Blocking Block Active Directory SSL URL SSL-VPN SSL-VPN SSL-VPN 248 GlobalProtect GlobalProtect GlobalProtect 237 Palo Alto Networks 77

78 32. SSL URL File Blocking Continue GlobalProtect Portal Help Continue URL 1 URL 143 GlobalProtect Response Pages HTML Import HTML HTML Export Application Block SSL Decryption Opt-out Enable Enable Restore Block Page Restore Device > Support Support Palo Alto Networks Create Ticket View Ticket Palo Alto Networks Generate Tech Support Download Tech Support File Knowledge Base 78 Palo Alto Networks

79 VLAN DHCP 112 DNS VPN IPSec 221 IPSec 221 (QoS) 253 Palo Alto Networks 79

80 Internet LAN (VLAN) default-vwire 1 2 (NAT) No routing or switching performed User network Internet Palo Alto Networks

81 2 2 VLAN 2 12 Switching between two networks User network Internet IP NAT 13 Routing between two networks / /24 User network Internet (PPPoE) (DSL) DSL PPPoE 3 PPPoE 3 85 Palo Alto Networks 81

82 SPAN SPAN SPAN SPAN QoS Network > Virtual Wires Virtual Wire Name Interfaces Tags Allowed Multicast Firewalling Link State Pass Through (tag1- tag2) Multicast Firewalling Virtual Wires OK Interfaces 90 Delete Interfaces 82 Palo Alto Networks

83 34. Interface Aggregate Ethernet 2 3 Virtual Wire VLAN Interface High Availability 2 3 Aggregate Ethernet 92 QoS Aggregate Ethernet VLAN 2 VLAN VLAN 3 IP GlobalProtect IPSec 3 IP 94 VLAN NAT 90 VLAN VLAN VLAN 3 VLAN 93 SPAN URL 96 Palo Alto (HA) HA 96 Network > Interfaces Interfaces IP VLAN VLAN Security Zone Group By Interfaces none Palo Alto Networks 83

84 2 Network > Interfaces VLAN VLAN 2 85 VLAN VLAN 3 VLAN Security Zone None OK 2. VLAN/Virtual Wire None OK Type Link Speed Link Duplex Link State L2 Mbps (Full) (Half) (Auto) (Up) (Down) (Auto) VLAN VLAN New VLAN VLAN 99 None Virtual System None Zone New 98 None 84 Palo Alto Networks

85 2 Network > Interfaces 2 VLAN Interfaces New L2 Interface Physical Interface Logical Interface Name Tag VLAN Zone Virtual System ethernetx/y.<1-9999> VLAN New VLAN 115 None None New 98 None 3 Network > Interfaces 3 VLAN PPPoE Security Zone None OK 2. VLAN/Virtual Wire None OK 3. Palo Alto Networks 85

86 37. 3 Type Link Speed Link Duplex Link State MTU Adjust TCP MSS Untagged Subinterface Management Profile L3 Mbps (Full) (Half) (Auto) (Up) (Down) (Auto) 3 (MTU) MTU (PMTUD) MTU ICMP MTU (MSS) 40 MTU MSS MSS 3 IP VLAN 86 Palo Alto Networks

87 37. 3 IP Address - Manual PPPoE Manual IPv4 IPv6 IPv4 ip_address/mask IP Add IP IP Delete (ARP) IP MAC Add Delete ARP ARP man-in-the-middle IPv6 Enable IPv6 Interface ID 64 00:26:08:FF:FE:DE:4E:29 Interface ID MAC EUI-64 Address IPv6 Prefix IPv6 Interface ID Anycast Prefix IPv6 (DAD) Enable DAD DAD DAD Attempts DAD Neighbor Solicitation Interval 1-10 Neighbor Solicitation Interval DAD 1-10 Reachable Time Neighbors IP MAC Add Palo Alto Networks 87

88 37. 3 IP Address - PPPoE PPPoE PPPoE Enable PPPoE Username Password/Confirm Password Advanced PPPoE Settings Show Advanced PPPoE Settings Authentication CHAP PAP Auto PPPoE Static IP Address IP Create Default Route PPPoE Default Route Metric Access Concentrator Service ARP Entries Passive PPPoE (ARP) IP MAC Add Delete ARP ARP man-in-the-middle Virtual Router Virtual System Zone New 99 None None New 98 None 88 Palo Alto Networks

89 3 Network > Interfaces 3 VLAN Interfaces New L3 Interface Physical Interface Logical Interface Name Tag MTU Adjust TCP MSS Management Profile IPv4 Settings IP Address and Subnet Mask ARP Entries IPv6 Settings Enable Interface ID Address ethernetx/y.<1-9999> MTU PMTUD MTU ICMP MTU MSS 40 MTU MSS MSS IPv4 ip_address/mask IP Add IP IP Delete ARP IP (MAC) Add Delete IPv6 64 IPv6 Prefix IPv6 Interface ID Anycast Palo Alto Networks 89

90 38. 3 Neighbor Discovery Virtual Router Virtual System Zone 3 85 Neighbor Discovery New 99 None None New 98 None Network > Interfaces VLAN NAT Security Zone None OK Type Link Speed Link Duplex Link State Virtual Wire Virtual System Zone Virtual Wire Mbps (Full) (Half) (Auto) (Up) (Down) (Auto) New 82 None None New 98 None VLAN/Virtual Wire None OK 90 Palo Alto Networks

91 Aggregate Network > Interfaces Aggregate 1 Gbps 802.3ad 1 Gbps 10Gbps XFP Aggregate VPN VLAN Aggregate Aggregate Aggregate Ethernet Aggregate Aggregate Ethernet 2 3 Aggregate Gig Aggregate Aggregate Aggregate Aggregate Ethernet 3 89 Aggregate New Aggregate Group 40. Aggregate Name Type Virtual System ae.n n (1-8) Layer 2 Layer 3 Virtual Wire HA Layer 2 VLAN Layer 3 Virtual Wire HA None Palo Alto Networks 91

92 Aggregate Ethernet Network > Interfaces Aggregate Ethernet ae.number 2 3 Aggregate Ethernet 41. Aggregate Ethernet Type Link Speed Link Duplex Link State Virtual Router Aggregate Group Virtual System Zone Aggregate Ethernet Mbps (Full) (Half) (Auto) (Up) (Down) (Auto) New 99 Aggregate Aggregate ae.n Aggregate Ethernet Aggregate Aggregate Ethernet 2 3 Aggregate 91 None New 98 None 92 Palo Alto Networks

93 VLAN Network > Interfaces 2 VLAN VLAN VLAN VLAN New VLAN Interface 42. VLAN VLAN Interface Name MTU Management Profile IPv4 Settings IP Address and Subnet Mask ARP Entries IPv6 Settings Enable Interface ID Address Neighbor Discovery ARP/Interface Entries Virtual Router VLAN Virtual System Zone vlan (1-9999) vlan.<1-9999> MTU PMTUD MTU ICMP MTU IPv4 ip_address/mask IP Add IP IP Delete ARP IP (MAC) Add Delete IPv6 64 IPv6 Prefix IPv6 Interface ID Anycast 3 85 Neighbor Discovery ARP IP (MAC) 3 Add Delete New 99 None VLAN New VLAN 115 None None New 98 None Palo Alto Networks 93

94 Network > Interfaces 3 New Loopback Interface 43. Loopback Interface Name MTU Management Profile IPv4 Settings IP Address IPv6 Settings Enable Interface ID Address Virtual Router Virtual System Zone loopback loopback.<1-9999> MTU PMTUD MTU ICMP MTU IPv4 IP Add IP IP Delete IPv6 64 IPv6 Prefix IPv6 Interface ID Anycast New 99 None None New 98 None 94 Palo Alto Networks

95 Network > Interfaces New Tunnel Interface 44. Tunnel Interface Name MTU IP Address Management Profile Virtual Router Virtual System Zone 3 MTU PMTUD MTU ICMP MTU IP TCP (MSS) IPv4 New 99 None None New 98 None Palo Alto Networks 95

96 Network > Interfaces SPAN 82 Edit Ethernet Interface 45. Type Link Speed Link Duplex Link State Virtual System Zone Tap Mbps (Full) (Half) (Auto) (Up) (Down) (Auto) None New 98 None 1. OK Cancel HA HA / HA Palo Alto Networks HA HA HA HA 67 HA Edit Ethernet Interface 46. HA Type Link Speed Link Duplex Link State HA Mbps (Full) (Half) (Auto) (Up) (Down) (Auto) 96 Palo Alto Networks

97 Internet 2 3 VLAN VLAN VLAN Palo Alto Networks 97

98 Network > Zones New 47. Virtual System Zone Type Interfaces Zone Protection Profiles Log Setting Enable User Identification User Identification ACL Include List User Identification ACL Exclude List 31 Layer2 Layer3 Virtual Wire Tap External vsys Layer 2 Layer 3 External vsys IP IP / ip_address/mask /24 IP IP IP / ip_address/mask /24 IP 98 Palo Alto Networks

99 VLAN VLAN Network > VLANs IEEE 802.1Q VLAN 2 VLAN VLAN 2 VLAN VLAN VLAN 3 VLAN 48. VLAN Dot1q VLAN Name Interfaces VLAN Interface L3 Forwarding Enabled VLAN 31 VLAN VLAN 2 VLAN 83 VLAN VLAN VLAN VLAN 93 VLAN 3 3 VLAN 3 (RIP) (OSPF) (BGP) 3 Palo Alto Networks 99

100 RIP IP RIP UDP RIP OSPF (LSA) OSPF LSA LSA OSPF RIP (BGP) Internet BGP (AS) IP AS IP BGP (RIB) RIB RIB BGP BGP BGP BGP BGP AS BGP IGP-BGP BGP 100 Palo Alto Networks

101 BGP ID AS AS BGP MD5 AS Network > Virtual Routers 3 3 VLAN General General Interfaces Interfaces 83 Palo Alto Networks 101

102 49. - General Admin Distances Admin Distances Static Routes Name Destination Interface Next Hop Admin Distance Metric No Install OSPF OSPF BGP (IBGP) BGP (EBGP) RIP IPv4 IPv6 IPv4 IPv6 ( /0) Add ip_address/mask IP / Next Hop None IP IP Discard Next VR ( ) 102 Palo Alto Networks

103 Redistribution Profiles RIP OSPF Redistribution Rules BGP Redistribution Profiles Profile Name Priority Filter OSPF Params BGP Params Action Add New Redistribution Profile Type Interface Destination IP x.x.x.x x.x.x.x/n Add Next Hop IP x.x.x.x x.x.x.x/n Add OSPF Path Type OSPF Area OSPF OSPF ID x.x.x.x Add Tag OSPF (1-255) Add Community BGP Extended Community BGP Redistribute Metric Palo Alto Networks 103

104 RIP (RIP) RIP OSPF RIP Enable Reject Default Route Allow Redist Default Route Auth Profiles RIP RIP RIP RIP RIP Add OK Name Password Type simple MD5 Simple MD5 Key-ID (0-255) Key Preferred Add OK Preferred Export Rules Interfaces RIP Timing Add OK Interface RIP Enable Advertise and Metric RIP Auth Profile Mode normal passive send-only Interval Duration RIP Timing (1-60) # Update Intervals (1-3600) # Expire Intervals (1-3600) # Delete Intervals (1-3600) 104 Palo Alto Networks

105 OSPF (OSPF) RIP OSPF OSPF Enable Reject Default Route Allow Redist Default Route Router ID RFC 1583 Compatibility Export Rules Auth Profiles OSPF OSPF OSPF ID OSPF ID OSPF OSPF OSPF ID OSPF ID OSPF RFC 1583 OSPF Add OK Name New Metric Type New Tag 32 OSPF OSPF Add Name Password Type simple MD5 Simple MD5 Key-ID (0-255) Key Preferred Add OK Preferred Areas Area ID OSPF New Done x.x.x.x Palo Alto Networks 105

106 52. - OSPF Type Ranges Interface Virtual Link Normal Stub (LSA) Accept Summary LSA (1-255) stub stub (ABR) Accept Summary OSPF Stubby ABR LSA NSSA(not so stub area) OSPF LSA Accept Summary LSA (1-255) stub LSA NSSA External Ranges Add Add LSA LSA OK Add OK Name Enable OSPF Passive OSPF OSPF OSPF LSA Link type OSPF broadcast p2p p2mp p2mp Metric OSPF ( ) Priority OSPF (0-255) OSPF (DR) DR (BDR) DR BDR Timing Auth Profile Neighbors p2pmp IP ( ) Add OK Name Neighbor ID ID Transit Area ID Enable Timing Auth Profile 106 Palo Alto Networks

107 BGP (BGP) BGP General Enable Router ID AS Number Reject Default Route Allow Redist Default Route Install Route Aggregate MED Reflector Cluster ID Confederation Number AS Auth Profiles Dampening Profiles BGP IP AS ID BGP BGP BGP (MED) IPv4 AS AS BGP Add Profile Name Secret/Confirm Secret BGP Profile Name Enable Cutoff Reuse Max. Hold Time Decay Half Life Reachable Decay Half Life Unreachable Palo Alto Networks 107

108 53. - BGP Graceful Restart General > Show Advanced Enable Stale Route Time Local Restart Time Max Peer Restart Time Path Selection General > Show Advanced Always Compare MED MED Deterministic MED comparison MED IBGP BGP AS Format General > Show Advanced 2-byte 4-byte 108 Palo Alto Networks

109 53. - BGP Peer Group/Peer General New Name Enable Type IBGP Next Hop original Next Hop use-self IP Next Hop EBGP Next Hop Import Next Hop Export BGP AS Remove Private AS resolve Next Hop use-self IP Next Hop original Next Hop use-peer IP Next Hop IBGP-Confed Next Hop Export original Next Hop use-self IP Next Hop EBGP-Confed Next Hop Export original Next Hop use-self IP Next Hop Palo Alto Networks 109

110 53. - BGP Peers New Name Enable Peer AS AS Local Address IP Connection Options Passive Connection Auth Profile Keep Alive Interval disabled 30 Multi Hop IP (TTL) ebgp 2 ibgp 255 Open Delay Time TCP BGP Hold Time KEEPALIVE UPDATE disabled 90 Idle Hold Time Peer Address IP Advanced Options Reflector Client Non-Client Client Meshed Client BGP Aggregated Confed AS Path AS Max. Prefixes IP Soft Reset With Stored Info 110 Palo Alto Networks

111 53. - BGP Import Rules/Export Rules Import Rules/Export Rules Conditional Advertisements BGP Import Rules Export Rules New General Name Enable Used by Match AS-Path Regular Expression AS Community Regular Expression Extended Community Regular Expression Address Prefix IP MED MED Next Hop From Peer Action Action Allow Deny Local Preference Allow MED MED ( ) Allow Weight Allow ( ). Next Hop Allow Origin IGP EGP incomplete Allow AS Path Limit AS Allow AS Path AS None Remove Prepend Remove and Prepend Allow Community None Remove All Remove Regex Append Overwrite Allow Extended Community None Remove All Remove Regex Append Overwrite Allow Dampening Allow Clone BGP Conditional Advertisement New General Non Exist Filters Advertise Filters Done Policies Import Rules Export Rules Palo Alto Networks 111

112 DHCP BGP Aggregate Redistribution Rule BGP Aggregate New General Suppress Filters Advertise Filters Aggregate Route Attributes Done Addresses Import Rules Export Rules BGP Redistribution Rules New Done Import Rules Export Rules Network > Virtual Routers Virtual Routers More Runtime Stats 99 DHCP Network > DHCP DHCP DHCP 3 IP DHCP DHCP IPSec VPN IPSec DHCP IP IPSec VPN IPSec 221 DHCP Server DHCP Relay 54. DHCP Interface Type DHCP Mode Probe IP Lease Preferred DNS Alternate DNS DHCP IP Ping DHCP (DNS) IP 112 Palo Alto Networks

113 DHCP 54. DHCP Preferred WINS Alternate WINS Preferred NIS Alternate NIS Gateway POP3 Server SMTP Server DNS Suffix IP Pools Reserved Addresses DHCP IPv4 IPv6 Windows Internet (WINS) IP (NIS) IP DHCP IP (POP3) IP (SMTP) IP DHCP IP Add IP /24 IP IP Edit Done Delete IP DHCP IP x.x.x.x MAC xx:xx:xx:xx:xx:xx Edit Done Delete IP Enabled IPv4 DHCP DHCP IPv4 Enabled IPv6 DHCP DHCP IPv6 IPv6 Palo Alto Networks 113

114 DNS DNS Network > DNS Proxy IP DNS DNS TCP UDP DNS DNS UDP UDP TCP DNS DNS DNS 55. DNS Enable Name Default DNS Settings Interfaces DNS Proxy Rules Static Entries Advanced DNS DNS DNS DNS IP Interface DNS Add Delete DNS Add Turn on/off caching of domains resolved by this mapping Primary/Secondary DNS DNS IP Domain Name Add Delete DNS Add Domain Name DNS Address Add IP Delete Cache DNS Size MB Timeout DNS Palo Alto Networks

115 55. DNS Advanced TCP Queries TCP DNS Max Pending Requests TCP DNS UDP Queries Retries UDP Interval e Attempts DNS IKE IPSec IKE IPSec VPN IPSec 221 IKE IPSec VPN IKE IKE VPN 1 IPSec VPN 2 IPSec (PBF) IPSec Interface 3 VLAN Flood SYN ICMP UDP IP flood IP ICMP ICMP QoS QoS QoS 255 Palo Alto Networks 115

116 Network > Network Profiles > Interface Mgmt Name Ping Telnet SSH HTTP HTTPS SNMP Permitted IP 31 IPv4 IPv6 Network > Network Profiles > Zone Protection Name 31 Flood - SYN Flood Action SYN flood Random Early Drop SYN flood Alert Activate SYN Maximum SYN cookie SYN-ACK 116 Palo Alto Networks

117 57. Alert Activate Maximum SYN SNMP syslog SNMP 53 Syslog 55 SYN SYN Flood - ICMP Flood Alert ICMP (ping) Activate ICMP ICMP Maximum ICMP Flood - ICMPv6 Flood Alert ICMPv6 (ping) Activate ICMPv6 ICMPv6 ICMPv6 Maximum ICMPv6 Flood - UDP Flood Alert UDP Activate UDP UDP UDP Maximum UDP Flood - IP Flood Alert IP Activate IP IP IP Maximum IP - TCP UDP Interval Threshold Action Allow Alert Drop Palo Alto Networks 117

118 57. IPv6 Drop Packets with Type 0 Router Header IPv4 Compatible Address Multicast Source Address Anycast Source Address IP address spoof Block fragmented traffic ICMP ping ID 0 ICMP fragment ICMP large packet (>1024) Suppress ICMP TTL expired error Suppress ICMP NEEDFRAG Discard Strict Source Routing Discard Loose Source Routing Discard Timestamp Discard Record Route Reject non-syn TCP Packet 0 IPv6 IPv4 IPv6 IPv6 IPv6 IP IP ping ID 0 ICMP 1024 ICMP ICMP TTL ICMP MTU (DF) PMTUD Strict Source Routing IP Loose Source Routing IP Timestamp IP Record Route IP TCP SYN Global CLI Yes SYN TCP No SYN TCP 118 Palo Alto Networks

119 / 121 (NAT) NAT URL SSH SSH SSH (DoS) DoS DoS 134 Panorama Web Palo Alto Networks 119

120 Web 21 Policies Filter Rules Filter Add Clone Rule Clone Rule rulen n Move Up Move Down Move Top Move Bottom Move 15. Enable Highlight Unused Rules 16. Log Viewer Value 17. Address 120 Palo Alto Networks

121 Policies > Security Policies > Decryption Security Decryption Decryption RADIUS User-ID Agent 2. any known-user unknown select 3. Available User Groups Add User Group Add User Group 4. User Find Add User Additional Users 5. OK HTTP Internet Palo Alto Networks 121

122 Policies > Security Security General Name Source Source Zone Source Address User Source User HIP Destination Destination Zone Destination Address Application/Service Application 31 Add Add Address Address Group Regions Add Add (HIP) HIP GlobalProtect 237 Add Add Address Palo Alto Networks

123 58. Service Actions Action Setting Profile Setting Log Setting Other Settings TCP / UDP any any application-default Palo Alto Networks applicationdefault service-http service-https Web allow deny URL / Profile Groups Group New 165 Log Setting Panorama syslog Log Forwarding Profile New 166 Send At Session Start Send At Session End drop deny Schedule New 167 QoS Marking (QoS) IP DSCP IP QoS QoS 253 Disable Server Response Inspection Palo Alto Networks 123

124 NAT 3 (NAT) IP IP NAT NAT Dynamic IP/Port IP IP/ NAT IP IP IP IP/NAT Palo Alto Networks Dynamic IP/port NAT NAT IP NAT IP PA-2000 IP PA-4020 PA-4050/4060 Dynamic IP IP NAT IP IP IP Static IP IP IP IP / IP NAT TCP UDP HTTP (service-http) TCP TCP 80 NAT (M) NAT (N) M N N 1 Dynamic IP/Port NAT Dynamic IP NAT TCP UDP Dynamic IP/Port Dynamic IP NAT IP Static IP NAT IP IP M M 124 Palo Alto Networks

125 59. NAT PAN-OS NAT Dynamic IP/ Port M N 254 Dynamic IP M N 16k Static IP 1 1 M M MIP 1 VIP PAT NAT NAT NAT NAT IP Internet IP IP NAT IP IP NAT NAT NAT NAT NAT NAT IP IP NAT IP NAT NAT NAT NAT NAT NAT NAT IP NAT source translation No Source Translation Palo Alto Networks 125

126 NAT NAT NAT NAT IP IP IP IP NAT 18. NAT NAT NAT L3 trust IP L3 untrust L3 trust L3 untrust NAT NAT / / 19. NAT IP L3 trust L3 untrust Rule2 L3untrust NAT NAT NAT IP L3untrust Palo Alto Networks

127 Policies > NAT NAT HTTP NAT NAT Name Source Zone Destination Zone Destination Interface Source Address Destination Address Service Source Translation Destination Translation / NAT any NAT IP VLAN IP ISP IP 160 IP (address1-address2) Dynamic IP/port 64K IP 254 IP Dynamic IP 16K IP Static IP IP IP port number Palo Alto Networks 127

128 Policies > Policy Based Forwarding (PBF) IP ID IP PBF IP PBF PBF Forward-to-VSYS PBF General Name Tag Source Source Zone Source Address Source User Destination/ Application/Service Destination Address Application Service 31 Add Add Add Address Address Group Regions Add Add Address Address Group Regions Palo Alto Networks

129 61. Forwarding Action Monitoring Schedule Forward IP Forward To VSYS Discard No PBF Monitor Profile Disable if unreachable IP Address IP Ping 167 Policies > Decryption (SSL) (SSH) SSH SSH URL ID URL SSL SSL Palo Alto Networks SSL CA SSL Device > Certificates Forward Trust Certificate 57 Palo Alto Networks 129

130 62. General Name Tag Source Source Zone Source Address Source User Destination Destination Zone Destination Address Options Action Type Category Block sessions that cannot be decrypted 31 Add Add Add Address Address Group Regions Add Add Add Address Address Group Regions decrypt no-decrypt SSL Forward Proxy SSH Proxy SSH sshtunnel App-ID SSH SSL Inbound Inspection SSL Add URL 130 Palo Alto Networks

131 unknown 153 PAN-OS ID IP IP IP IP Policies > Application Override 63. General Name Tag Source Source Zone 31 Add Add Palo Alto Networks 131

132 63. Source Address Source User Destination Destination Zone Destination Address Protocol/Application Protocol Port Application Add Address Address Group Regions Add Add Add Address Address Group Regions (port1-port2) New Application 153 User-ID Agent Active Directory IP 132 Palo Alto Networks

133 Policies > Captive Portal User Identification Name Tag Source Source Destination Service/Action Action Setting Service 31 Add Add Source Address DoS Negate Add Add Destination Address Negate Add captive-portal no-captive-portal ntlm-auth Web NT LAN (NTLM) Web TCP / UDP any any application-default Palo Alto Networks default Palo Alto Networks 133

134 DoS DoS / IP / DoS Policies > DoS Protection DoS 65. DoS Name Shared Tag Source Source Destination 31 Add Type Interface DoS DoS Zone Add Source Address DoS Negate Add Source User DoS Add Type Interface DoS DoS Zone Add Destination Address DoS Negate Add 134 Palo Alto Networks

135 65. DoS Option/Protection Service Action Schedule Aggregate Classified DoS Deny Allow Protect DoS DoS / DoS DoS Profile Address IP IP IP IP 100 source Address IP URL URL Palo Alto Networks 135

136 DoS (DoS) DoS 147 Default Alert Block Allow None Default Alert Drop Drop-all-packets Reset-both Reset-client Reset-server Block-IP - Phone Home DoS 136 Palo Alto Networks

137 Objects > Security Profiles > Antivirus (SMTP) Internet (IMAP) 3 (POP3) Internet Name Antivirus Packet Capture Decoders and Actions Applications Exceptions and Actions Virus Exception Threat ID 31 HTTP Block HTTP Allow ID Add ID 183 Palo Alto Networks 137

138 Objects > Security Profiles > Anti-Spyware Phone Home phone-home Internet 67. Name Anti-Spyware Rule Type:Simple Rule Type:Custom Packet Capture Spyware Exception Threat ID 31 Simple None Default Allow Alert Block Enable All None Alert Block-IP Default Drop Drop All Packets Reset Both Reset Client Reset Server Block IP IP ID Add ID Palo Alto Networks

139 Objects > Security Profiles > Vulnerability Protection Internet Name Shared Vulnerability Rule Type:Simple Rule Type:Custom 31 Simple None Default Allow Alert Block Enable All None Alert Block-IP Default Drop Drop All Packets Reset Both Reset Client Reset Server Block IP IP Palo Alto Networks 139

140 68. Threats Packet Capture Vulnerability Exception Threat ID Enable All Action FTP ID Vulnerability Custom IP IP IP IP CVE (CVE) ID Add ID Palo Alto Networks

141 URL Objects > Security Profiles > URL Filtering URL URL Web Palo Alto Networks URL 121 URL URL URL URL Name Shared Action on License Expiration Dynamic URL Filtering Log Container Page Only 31 URL URL Block Allow URL URL URL URL URL 2 BrightCloud URL 1 URL 5 Category and Action Category ActionNot resolved URL URL 36 Palo Alto Networks 141

142 69. URL Block List Allow List Category/Action IP URL URL http[s]:// /en/US. /? & = ; + ASCII * *.yahoo.com search * ) * yahoo com ) www * com ) www yahoo com * ww*.yahoo.com IP URL Set for all categories Allow Block Continue Continue Override Settings URL Admin Override 26 1 Alert URL 142 Palo Alto Networks

143 Objects > Security Profiles > File Blocking / Name Shared Rules 31 Add Name 31 Applications any File Types Direction Upload Download Both Action Continue Move Up Move Down Edit Delete 71. exe dll pe doc xls ppt docx Microsoft Windows Microsoft Windows Microsoft Windows exe dll com scr ocx cpl sys drv tlb Microsoft Office Microsoft Office Excel Microsoft Office PowerPoint Microsoft Office 2007 Palo Alto Networks 143

144 71. xlsx pptx msoffice enc-doc enc-docx enc-xls enc-xlsx enc-ppt enc-pptx enc-office2007 zip enc-zip Zcompressed gzip tar rar enc-rar lha avi bat cab ocx cmd flv hta iso mdb mdi mov mpeg msi pdf pgp pif pl reg Microsoft Office 2007 Excel Microsoft Office 2007 PowerPoint Microsoft Office doc xls ppt pub pst Microsoft Office Microsoft Office 2007 Microsoft Office Excel Microsoft Office 2007 Excel Microsoft Office PowerPoint Microsoft Office 2007 PowerPoint Microsoft Office 2007 Winzip/pkzip zip Unix Z uncompress gzip Unix tar winrar rar lha / Microsoft AVI (RIFF) MS DOS Microsoft Windows Microsoft ActiveX Microsoft Adobe Flash HTML ISO-9660 Microsoft Access Microsoft Apple Quicktime MPEG-1 MPEG-2 Microsoft Windows Installer Adobe PGP Windows Perl Windows 144 Palo Alto Networks

145 71. rtf sh tif wmf wmv wri wsf Windows Unix Windows Windows Metafile Windows Media Windows Windows Objects > Security Profiles > Data Filtering Name Shared Data Capture 31 Settings Manage Data Protection 26 Palo Alto Networks 145

146 Add 73. Data Pattern Applications File Types Direction Alert Threshold Block Threshold Data Pattern Data Pattern Name Description Shared CC# SSN# SSN# Custom Patterns Add (regex) any Select Add Remove any Select Add Remove 146 Palo Alto Networks

147 DoS Objects > Security Profiles > DoS Protection DoS DoS DoS DoS DoS DoS DoS Name Shared Type 31 aggregate DoS (pps) SYN Flood DoS classified DoS IP IP IP Flood Protection Syn Flood UDP Flood ICMP Flood SYN flood Choice SYN Flood Random early drop DoS SYN cookies SYN cookies SYN flood Alarm Rate DoS (pps) pps pps Activate Rate DoS (pps) pps pps Maximal Rate Block Duration Resources Protection Sessions Max Concurrent Limit DoS DoS DoS DoS IP IP IP DoS DoS Palo Alto Networks 147

148 URL URL URL URL Objects > Addresses Name Shared Palo Alto Networks

149 75. IP Address IP Range FQDN IPv4 IPv6 FQDN IPv4 ip_address/mask ip_address mask / / IPv6 IPv6 2001:db8:123:1::1 2001:db8:123:1::/64 IP Range ip_address-ip_address IPv4 IPv6 2001:db8:123:1::1-2001:db8:123:1::22 FQDN FQDN FQDN DNS FQDN DNS DNS DNS DNS 114 Palo Alto Networks 149

150 Objects > Address Groups 76. Address Group Name 31 All Addresses & Groups / Objects > Regions / DoS / 77. Name Geo Location Addresses 31 xxx.xxxxxx App-Scope 174 IP IP x.x.x.x x.x.x.x-y.y.y.y x.x.x.x/n> 150 Palo Alto Networks

151 Applications 1 5 Networking Networking Attribute Technology Objects > Application Filters Palo Alto Networks 151

152 Search Enter 78. Name Additional Information Standard Ports Capable of File Transfer Used by Malware Excessive Bandwidth Use Evasive Widely used Has Known Vulnerabilities Tunnels Other Applications Depends on Applications Category Subcategory Technology Risk Prone to Misuse Session Timeout TCP Timeout (seconds) UDP Timeout (seconds): Web Wikipedia Google Yahoo! Customize (1-5) OK Customize OK TCP Customize OK UCP Customize OK 152 Palo Alto Networks

153 ID unknown-tcp unknown-udp HTTP 193 Objects > Applications Applications 79. Configuration Name Shared Category Sub Category Technology Parent Application Risk Characteristics Advanced Defaults - Port IP Protocol 31 database 285 Top Ten Application Categories 171 database 285 Top Ten Application Categories TCP / UDP Port <protocol>/<port> <port>, dynamic TCP/dynamic UDP/32 Service app-default TCP UDP IP IP Protocol Palo Alto Networks 153

154 79. ICMP Type None Timeouts TCP Timeout UDP Timeout Scanning Signature Signatures Internet (ICMP) ICMP Type IPv4 ICMP6 Type IPv None TCP UDP TCP UDP TCP UDP TCP UDP Add Name Comment Scope Ordered Condition Match Add AND Condition Add OR Condition Add Condition Pattern Match Equal To Context Pattern 83 Qualifier and Value / Context TCP UDP Position Mask 4 0xaabbccdd Value 4 0xffffff00 Move Up Move Down Move Up Move Down Import Destination Export 154 Palo Alto Networks

155 PAN-OS Command Line Interface Reference Guide - Web Web

GET /001/guest/viewprofile.act?fa=25&tg=m&mg=f&searchtype=zipcode&type=quick&pict=true&context=adrr&zip=94024&ta=34&sb=&item=0&pn=0 HTTP/1.1
Host:
User-Agent:Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv: ) Gecko/ Firefox/3.0.7
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language:en-us,en;q=0.5
Accept-Encoding:gzip,deflate
Accept-Charset:ISO ,utf-8;q=0.7,*;q=0.7
Keep-Alive:300
Connection:keep-alive
Referer: guest/search.act?type=quick&pict=true&sb=&fa=25&ta=34&mg=f&tg=m&searchtype=zipcode&zip=94024&context=adrr&context=adrr
Cookie:JSESSIONID=A41B41A19B D6E88190B7F0B3D.001; specifiedsite.com/ jumpcookie= *google.com/search?q=lava+life&; locale=en_us; campaign=1; imagenum=2; cftag_logsid= a ; utma= ; utmb= ; utmc= ; utmz= utmcsr=(direct) utmccn=(direct) utmcmd=(none) ; utmv= gender%3df; launch=1

specifiedsite

username@hostname# show application specifiedsite
specifiedsite {
  category collaboration;
  subcategory social-networking;
  technology browser-based;
  decoder http;
  signature {
    s1 {
      and-condition {
        a1 {
          or-condition {
            o1 {
              context http-req-host-header;
              pattern www\.specifiedsite\.com;
            }
          }
        }
      }
    }
  }
}

-

156

POST /wp-admin/post.php HTTP/1.1
Host:panqa100.specifiedblog.com
User-Agent:Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv: ) Gecko/ Firefox/3.0.7
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language:en-us,en;q=0.5
Accept-Encoding:gzip,deflate
Accept-Charset:ISO ,utf-8;q=0.7,*;q=0.7
Keep-Alive:300
Connection:keep-alive
Referer: panqa100.specifiedblog.com/wp-admin/post.php?action=edit&post=1
Cookie: utma= ; utmb= ; utmc= ; utmz= utmccn=(organic) utmcsr=google utmctr=blog+host utmcmd=organic; wordpressuser_bfbaae d9f388265e737a177c8=panqa100; wordpresspass_bfbaae d9f388265e737a177c8=c68a8c4eca c58668eacc05 fc2
Content-Type:application/x-www-form-urlencoded
Content-Length:462

user_id=1&action=editpost&post_author=1&post_id=1&post_title=hello+world%21&post_category%5b%5d=1&advanced_view=1&comment_status=open&post_password=&excerpt=&content=hello+world.%3cbr+%2f%3e&use_instant_preview=1&post_pingback=1&prev_status=publish&submit=save&referredby=http%3a%2f%2fpanqa100.specifiedblog.com%2fwp-admin%2f&post_status=publish&trackback_url=&post_name=helloworld&post_author_override=1&mm=3&jj=27&aa=2009&hh=23&mn=14&ss=42&metakeyinput=&metavalue=http/1.1

specifiedblog.com specifiedblog.com post_title post-author

show application specifiedblog_blog_posting
specifiedblog_blog_posting {
  category collaboration;
  subcategory web-posting;
  technology browser-based;
  decoder http;
  signature {
    s1 {
      and-condition {
        a1 {
          or-condition {
            o1 {
              context http-req-host-header;
              pattern specifiedblog\.com;
              method POST;
            }
          }
        }
        a2 {
          or-condition {
            o2 {
              context http-req-params;
              pattern post_title;
              method POST;
            }
          }
        }
        a3 {
          or-condition {
            o3 {
              context http-req-params;
              pattern post_author;
              method POST;
            }
          }
        }
      }
    }
  }
}

157 Objects > Application Groups Name Applications Filters Groups 31 any deny Select 285 Search Available Add Filters Add Filter Groups Add Group Palo Alto Networks 157

158 Objects > Application Filters Add Networking Networking Technology 158 Palo Alto Networks

159 any TCP UDP HTTP HTTPS Objects > Services any TCP UDP HTTP HTTPS Service Name Shared Protocol Destination Port Port 31 TCP UDP (port1-port2) (port1-port2) Palo Alto Networks 159

160 Objects > Services Groups Name Service 31 Add Service confidential Confidential CONFIDENTIAL PAN-OS PAN-OS 83..? 0 1 (abc)? * 0 (abc)* + 1 (abc)+ 160 Palo Alto Networks

161 83. or ((bif) (scr) (exe)) bif scr exe - [c-z] c z c z [ ] [abz]: a b z ^ [^abz] a b z { } / {10,20} \ \ &amp & & &amp.*((confidential) (CONFIDENTIAL)) Confidential CONFIDENTIAL.* confidential.*((proprietary &amp Confidential) (Proprietary and Confidential)) Proprietary & Confidential Proprietary and Confidential Confidential.*(Press Release).*((Draft) (DRAFT) (draft)) draft Press Release Press Release.*(Trinidad) Trinidad Palo Alto Networks 161

162 URL Objects > Custom URL Categories URL URL URL URL URL Allow Block Continue Override Alert URL URL * *.example.com URL URL URL Name Shared Members URL 31 URL Members Import URL Objects > Custom Signatures > Data Patterns Data Patterns Name Shared Palo Alto Networks

163 85. Add Pattern Weight Alert Block Objects > Custom Signatures > Spyware Objects > Custom Signatures > Vulnerability Phone Home HTTP SMTP IMAP FTP POP3 Custom Signatures Configuration Threat ID Name Palo Alto Networks 163

164 86. - Shared Comment Severity Default Action Direction Affected System CVE Vendor Bugtraq Reference Signature Standard Signature Alert Drop Packets Reset Both Reset Client Reset Server Block IP (CVE) bugtraq CVE ACC Standard Add Standard Comment Ordered Condition Match Scope Add AND Condition Add OR Condition Add Condition Method Context Pattern Move Up Move Down Move Up Move Down 164 Palo Alto Networks

165 86. - Combination Signature Combination Combination Signatures Add AND Condition Add OR Condition Add Condition Method Context Pattern Move Up Move Down Move Up Move Down Time Attribute Number of Hits (1-3600) (1-1000) Aggregation Criteria IP IP IP Objects > Security Profile Groups URL Profile Group Name Profiles 31 URL / 145 Palo Alto Networks 165

166 Objects > Log Forwarding Panorama / SNMP syslog, Name Panorama SNMP Trap Setting Setting Syslog Setting Panorama SNMP Trap Setting Setting Syslog Setting 31 Panorama Panorama 26 SNMP syslog / SNMP Syslog 55 Panorama Critical High Medium URL Low Informational SNMP syslog / 166 Palo Alto Networks

167 Objects > Schedules Name Recurrence Times Day of Week Start Time End Time Start Date End Date 31 Daily Weekly Non-Recurring Add Delete Weekly 24 (HH:MM) Non-Recurring (YYYY/MM/DD) Palo Alto Networks 167

169 Botnet 186 PDF Palo Alto Networks 169

170 Dashboard Dashboard 10 Refresh 1 min 2 mins 5 mins Manual 90. Top Applications Top High Risk Applications General Information Interface Status Threat Logs Config Logs Data Filtering Logs URL Filtering Logs System Logs Resource Information Logged In Admins ACC Risk Factor High Availability Top Applications PAN-OS URL 10 ID ID URL URL 10 Web CLI 60 URL Config installed CPU IP Web CLI 1 5 (HA) HA HA HA Palo Alto Networks

171 ACC Application Command Center (ACC) ACC ACC Go a. b. Time Frame c. Sort By d. Top N Palo Alto Networks 171

172 2. 3. Set Filter OK Applications URL Filtering Threat 91. Applications URL Filtering Threats Data Filtering Applications Technology Risk URL URL URL URL URL URL ID Threats File Types 172 Palo Alto Networks

174 Monitor > App Scope Monitor App-Scope 92. Summary Change Monitor Threat Monitor Threat Map Network Monitor Traffic Map Palo Alto Networks

179 / Zoom Out 95. Palo Alto Networks 179

183 97. Monitor > Logs URL (HIP) 39 Monitor Host Web Browsing AND Add Log Filter (AND/OR) Add Close Apply Filter Expression in Last 60 seconds Clear Filter Save Filter OK Palo Alto Networks 183

184 Save Filter OK 1 min 30 seconds 10 seconds Manual Rows 10 Resolve Hostname IP 29. Addresses IP IP IP 98. Traffic allow deny drop ICMP Count Type dropanydeny not-applicable 184 Palo Alto Networks

185 98. Threat URL Filtering Data Filtering Configuration System HIP URL allow block Count Type virus spywarename URL Category keylogger URL 135 URL URL URL URL OK 77 IP Web CLI GlobalProtect GlobalProtect 237 Palo Alto Networks 185

186 Botnet Monitor > Session Browser Session Browser 183 Botnet Botnet botnet URL DNS 30 Internet (IRC) botnet 1 5 botnet Botnet Monitor > Botnet botnet Botnet Configuration 99. Botnet HTTP IRC Enable Malware URL visit botnet URL URL Use of dynamic DNS botnet DNA Browsing to IP domains IP URL Browsing to recently registered domains 30 Executable files from unknown sites URL TCP UDP Sessions per Hour Destinations per Hour Minimum Bytes Maximum Bytes IRC 186 Palo Alto Networks

187 Botnet Botnet Monitor > Botnet > Report Setting botnet botnet Botnet 186 IP Run Now Botnet botnet Botnet Report Setting Export to PDF Export to CSV 100. Botnet 24 # Rows Scheduled Query Negate Botnet Run Now Add Connector (AND/OR) Attribute Operator Value Palo Alto Networks 187

188 PDF PDF Monitor > PDF Reports PDF PDF 188 Palo Alto Networks

189 PDF PDF New Manage PDF Summary Reports 31. PDF 18 Save OK PDF PDF Summary Report Palo Alto Networks 189

190 Monitor > PDF Reports > User Activity New 101. Name User Time frame IP IPv4 IPv6 Edit Run Monitor > PDF Reports > Report Groups PDF 102. Report Group Name Title Page Custom Title Report selection Add 190 Palo Alto Networks

191 Monitor > PDF Reports > Scheduler :00 AM 103. Name Report Group Recurrence Profile Override Recipient (s) Monitor 50 Monitor Select CSV Export to CSV PDF Export to PDF PDF Palo Alto Networks 191

192 Monitor > Manage Custom Reports Reports Add Load Template 104. Name Database Time Frame Sort By Group By Scheduled Columns Query and Query Builder 31 Custom amount amount Reports Available Selected Add Connector (and/or) Attribute Operator = Value Traffic Log 24 untrust Negate 24 untrust 192 Palo Alto Networks

193 Palo Alto Networks Web (ACC) ACC 32. ACC Palo Alto Networks 193

194 Monitor Reports 33. unknown-tcp Palo Alto Networks

195 Palo Alto Networks App-ID Palo Alto Networks App-ID TCP UDP IP 131 App-ID Palo Alto Networks App-ID IP Palo Alto Networks Internet Palo Alto Networks Internet URL (PCAP) ACCunknown Incomplete Insufficient-Data Palo Alto Networks 195

196 Monitor > Packet Capture PAN-OS Clear All Settings 105. Filtering Manage Filters Filtering Pre-Parse Match Manage Filters Add Id Ingress Interface Source IP Destination IP Src Port Dest Port Proto Non-IP IP IP IP IP IP IPv6 IPv6 ON 196 Palo Alto Networks

197 105. Capture Files Capturing Capture Settings Add Stage drop firewall receive transmit File Packet Count Byte Count Palo Alto Networks 197

199 Active Directory User-ID Agent 203 edirectory API User-ID Agent VPN IPSec VPN IPSec 221 (User-ID Agent) Palo Alto Networks IP User-ID Agent IP IP Active Directory IP Active Directory IP edirectory IP edirectory User-ID Agent Palo Alto Networks 199

200 edirectory WMI NetBIOS PC IP 20 IP IP User-ID Agent API IP User-ID Agent Active Directory edirectory (LDAP) Active Directory edirectory/ldap Active Directory User- ID Agent IP edirectory User-ID Agent IP User/group membership User-IP address mapping Active Directory User-ID Agent performs both functions LDAP and/or edirectory Firewall is responsible for user/group membership User-ID Agent is responsible for IP-address mapping 35. User-ID Agent NAT IP IP NAT User-ID Agent TS User-ID Agent IP 200 Palo Alto Networks

201 201 Active Directory User-ID Agent 203 edirectory API User-ID Agent User-ID Agent IP Web NT LAN (NTLM) Web Web Web HTTP Web Web form Web NTLM Internet Explorer Firefox NTLM Web HTTP IP Device > User Identification IP 106. User-ID Agent Name Virtual System IP Address Port User-ID Agent User-ID Agent Windows PC IP Palo Alto Networks 201

202 RADIUS Captive Portal Edit 107. Virtual System Enable Captive Portal Idle Timer Expiration Server Certificate Client Certificate Authentication Profile User Identification Agent Host Name Mode NTLM User-ID Agent HTTP NTLM NTLM cookie cookie Address IP Enable Timeout Enable Roaming IP cookie Roaming cookie 202 Palo Alto Networks

203 Active Directory User-ID Agent LDAP LDAP Server Add 108. User-ID Agent Virtual System Enable Name Server Profile Domain Update Interval Group Filter User Filter Groups Users LDAP LDAP LDAP LDAP objectclass=group objectclass=group Active Directory User-ID Agent User-ID Agent Active Directory IP IP Palo Alto Networks User-ID Agent Windows PC App- Scope IP Active Directory User-ID Agent ISP Palo Alto Networks 203

204 Active Directory User-ID Agent PC User-ID Agent PC PC Server Operator PC 1. Control Panel > Administrative Tools > Services 2. PANAgentService Properties 3. Log On 36. User-ID Agent 4. Server Operator This Account Server Operator 5. OKServices User-ID Agent User-ID Windows 2008 Windows XP Windows Server 2003 PC Active Directory Active Directory 204 Palo Alto Networks

205 Active Directory User-ID Agent 201 User-ID Agent 165 User-ID Agent User-ID Agent User-ID Agent 1. Start > All Programs > Palo Alto Networks > User Identification Agent 37. User-ID Agent Agent Status User-ID Agent Get Groups IP to Username Information IP IP Get IP Information Get All LDAP LDAP Get LDAP tree Configure User-ID Agent Palo Alto Networks 205

206 Active Directory User-ID Agent Filter Group Members User-ID Agent Ignore Groups User-ID Agent User-ID Agent User-ID Agent 1. Start > All Programs > Palo Alto Networks > User Identification Agent 2. Configure Domain Controller Address Active Directory IP Add 5. Allow Distribution Groups 6. WMI/NetBIOS Disable NetBIOS Probing User-ID Agent NetBIOS WMI WMI Pan Agent PC Windows 206 Palo Alto Networks

207 Active Directory User-ID Agent 7. Enable Group Cache User-ID Agent 8. Age-out Timeout IP IP 45 NetBIOS User Membership Timer 60 Security Log Timer 1 NetBIOS Probing Timer NetBIOS 20 Server Session Timer 9. Allow List IP Add IP Address Subnet Mask ip_address/mask / Ignore List IP Add IP Address Subnet Mask ip_address/mask / Save User-ID Agent OK User-ID Agent User-ID Agent Cancel Palo Alto Networks User-ID Agent File > Show Logs Palo Alto Networks 207

208 edirectory API User-ID Agent User-ID Agent User-ID Agent PC Control Panel Add or Remove Programs User Identification Agent PC edirectory API User-ID Agent edirectory API User-ID Agent edirectory API User-ID Agent 201 User-ID Agent User-ID Agent User-ID Agent Start > All Programs > Palo Alto Networks > User- ID Agent 39. User-ID Agent Palo Alto Networks

209 edirectory API User-ID Agent Configuration Monitor Device Connection List User-Identification Agent Device IP IP Connection Status Connected Disconnected Connecting Connection List User-ID Server Connection List ID Server Down Credential invalid Connecting User-ID Agent 1. Start > All Programs > Palo Alto Networks > User Identification Agent 2. Configure 40. User-ID Agent - 3. Device Listening Port PC User-ID Agent Entry Timeout edirectory LDAP Palo Alto Networks 209

210 edirectory API User-ID Agent 5. Enable Network Address Allow/Ignore List IP Allowed List Ignore List User-ID Agent Add Delete x.x.x.x x.x.x.x/y 6. Device Access Control Enable Device Access Control List IP Add Remove 7. Commit Commit User-ID Agent Cancel User-ID Agent 8. Configure edirectory edirectory 41. User ID Agent - edirectory 9. LDAP Server Selection EDirectory LDAP IP IP IP Add Remove 10. Copy Settings OK 210 Palo Alto Networks

211 edirectory API User-ID Agent 11. Basic Settings Basic Settings Advanced Settings Search Base dc=domain1, dc=example, dc=com Bind Distinguished Name LDAP cn=admin, ou=it, dc=domain1, dc=example, dc=com Bind Password Confirm Bind Password Server Domain Prefix Search Interval User-ID Agent Advanced Settings EDirectory Search Filter LDAP objectclass=person Login Address Attribute Names IP networkaddress Login Time Attribute Name logintime Login ID Attribute Name ID uniqueid Bind Port 636 Other / SSL SSL Verify Server Certificate SSL edirectory Palo Alto Networks 211

212 edirectory API User-ID Agent 13. Configure User-ID API User- ID API 42. User ID-Agent - API a. Enable User-ID API User-ID API b. ConfigureUser- ID API 5006 c. Server Allow List IP User-ID Agent User-ID API Add Remove d. Commit 212 Palo Alto Networks

213 edirectory API User-ID Agent User-ID Agent User-ID Agent PC Control Panel Add or Remove Programs User-ID Agent PC User-ID Agent Monitor User-ID Agent IP 1. Start > All Programs > Palo Alto Networks > User Identification Agent 2. Monitor Monitor 43. LDAP - Monitor 3. Search IP IP Search Name User-ID Agent Ready Connected Palo Alto Networks 213

214 Terminal Server Agent TS IP TS TCP/UDP TS TS TCP/UDP TCP/UDP TS TCP/UDP ID Terminal Server Agent Device > User Identification TS User Identification Terminal Server Agent Add 109. Terminal Server Agent Name Virtual system IP Address Port Alternative IP Addresses TS TS Windows PC IP IP TS IP IP IP Terminal Server Agent TS Microsoft Terminal Services 2003 Microsoft Terminal Services 2008 Citrix Metaframe Presentation Server 4.0 Citrix Metaframe Presentation Server 4.5, Citrix XenApp 5, Palo Alto Networks

215 TS TS TS TS TS TS 4. TS 5. Terminal Server Agent TS 1. Start TS 2. Terminal Server Agent 44. Terminal Server Agent - Palo Alto Networks 215

216 TS Palo Alto Networks Device IP IP Connection Status Connected Disconnected Connecting TS Connection List 3. TS Enable Device Access Control List IP Add Remove Save 4. Configure 45. Terminal Server Agent - Configure 5. Save 216 Palo Alto Networks

217 110. Terminal Server Agent System Source Port Allocation Range System Reserved Source Ports Listening Port Source Port Allocation Range Reserved Source Ports Port Allocation Start Size Per User Port Allocation Maximum Size Per User Fail port binding when available ports are used up UDP TCP Palo Alto Networks TS ,3500, TS 200 TS TS 200 Port Allocation Start Size Per User TS System Source Port Allocation Range ID Palo Alto Networks 217

218 6. Monitor 46. Terminal Server Agent - Monitor Terminal Server Agent User Name Ports Range Ports Count , Port Allocation Start Size Per User Port Allocation Maximum Size Per User Refresh Ports Count Ports Count Refresh Interval 218 Palo Alto Networks

219 TS 112. Terminal Server Agent Configure Monitor Restart Service Show Logs Debug Exit Help Configuration Monitor TS None Error Information Debug Verbose TS TS Terminal Server Agent TS Add/Remove Programs Terminal Server Agent Palo Alto Networks 219


221 8 IPSec (VPN) IP (IPSec) VPN VPN IPSec IPSec IKE 223 IPSec VPN 224 IKE 226 IPSec 227 IKE 229 IPSec IPSec 231 VPN 232 Palo Alto Networks IPSec 221

222 (VPN) (LAN) IP (IPSec) VPN TCP/IP IPSec IPSec VPN Secure Socket Layer (SSL) VPN VPN VPN 9 GlobalProtect SSL-VPN IPSec IPSec Firewall Switch Router Internet Router Switch Firewall IPSec tunnel Local network Local network 47. IPSec VPN Palo Alto Networks Palo Alto Networks VPN IP VPN VPN VPN IP VPN VPN ID 2 ID IPSec 227 IPSec IP IP IP IP IP IPSec IPSec (SA) (SPI) IP IPSec SA 222 IPSec Palo Alto Networks

223 IPSec IKE IPSec VPN SSL-VPN IPSec VPN GlobalProtect SSL-VPN 237 SSL-VPN IPSec VPN Palo Alto Networks SSL-VPN Web SSL Web SSL-VPN IPSec VPN VPN VPN VPN 10 IPSec IPSec IPSec IKE IPSec VPN Internet (IKE) IPSec IKE IKE IPSec IP ID IP PKI Palo Alto Networks IKE IKE IKE Diffie-Hellman PAN-OS IKE NAT Palo Alto Networks IPSec 223

224 IPSec VPN IPSec IKE IKE IKE 1 IKE IKE SA IKE 2 1 SA IPSec IPSec SA IPSec IKE IPSec IKE SA IKE SA Diffie-Hellman (DH) Group IKE DH Encryption Hash Algorithm Lifetime IPSec SA Encapsulating Security Payload (ESP) Authentication Header (AH) Perfect Forward Security (PFS) Diffie-Hellman (DH) group IPSec DH Lifetime IPSec IKE IPSec 227 IPSec 230 IPSec VPN IPSec VPN VPN IPSec VPN IKE IKE IKE IPSec Palo Alto Networks

225 IPSec VPN 3. IKE SA VPN IKEv1 Phase-1 IPSec 227 IKEv1 Phase-2 IPSec IPSec VPN IPSec IPSec (RIP) (OSPF) Outgoing traffic entering the tunnel Incoming traffic egressing the tunnel VPN VPN VPN VPN IKE IPSec Palo Alto Networks IPSec 225

226 IKE IKE Network > Network Profiles > IKE Gateways IKE Gateways IKE 113. IKE IKE Gateway Local IP Address Peer IP Address Pre-shared key IP IP Show advanced Phase 1 options Local Identification (FQDN) ID FQDN IP Peer Identification FQDN ID FQDN IP Exchange Mode IKE Crypto Profile Dead Peer Detection ICMP ping IKE auto 226 IPSec Palo Alto Networks

227 IPSec IPSec Network > IPSec Tunnels IPSec Tunnels IPSec VPN 114. IPSec IPSec Tunnel Tunnel Interface Type IKE Gateway Local IP Address Peer IP Address Pre-shared key Local Identification Peer Identification Exchange Mode IKE Crypto Profile Dead Peer Detection IPSec Crypto Profile New 95 Auto key IKE IKE 226 IP IP Dynamic FQDN IP address Key ID User FQDN IP FQDN IP address Key ID User FQDN IP auto aggressive main ICMP ping IKE New IPSec 230 Palo Alto Networks IPSec 227

228 IPSec 114. IPSec Proxy IDs Replay Protection Copy TOS Header Tunnel Monitor ID Proxy ID Name Local Proxy ID IP ip_address/mask /24 Remote Proxy ID IP ip_address/mask /24 Protocol any TCP / UDP TCP TCP UDP UDP Number IPSec IP (TOS) IP TOS Enable Destination IP ICMP IP Palo Alto Networks IP IP Profile New ICMP 228 IPSec Palo Alto Networks

229 IKE IPSec VPN IPSec VPN 1 / IPSec IP IP IPSec 1 IP IP IPSec ID IPSec ID IKE Network > Network Profiles > IKE Crypto IKE Crypto Profiles IPSec SA (IKEv1 Phase-1) VPN IKE DH Group Priority Hash Algorithm Priority Encryption Priority Lifetime Diffie-Hellman (DH) group14 group2 sha1 Encapsulating Security Payload (ESP) aes256 aes192 aes128 3des Palo Alto Networks IPSec 229

230 IPSec IPSec Network > Network Profiles > IPSec Crypto IPSec Crypto Profiles IPSec SA (IKEv1 Phase-2) VPN IPSec Name AH Priority ESP Authentication ESP Encryption DH Group Lifetime Lifesize sha1 ESP sha1 None ESP aes256 aes192 aes128 3des DH 1 Network > Network Profiles > Monitor IPSec IPSec Tunnels IP 230 IPSec Palo Alto Networks

231 IPSec 117. Name Action Interval Threshold 31 wait-recover fail-over IPSec IPSec Network > IPSec Tunnels IPSec VPN IPSec Tunnels Tunnel Status IPSec SA IPSec SA IKE Gateway Status IKE 1 SA IKE 1 SA Tunnel Interface Status UPDOWN Palo Alto Networks IPSec 231

232 VPN VPN VPN 233 VPN 234 VPN 235 IP ethernet1/1 ISPpublic /16 ethernet1/5 (IP ) server internal IP ethernet1/2 ISP-branch branch PC /24 ethernet1/10 branch-office branch ethernet1/2 branch-office ISP-branch PC Internet Headquarters firewall Branch office firewall eth1/ /16 Zone: server Virtual router: HQ eth1/ Zone: ISP Virtual router: HQ Internet eth1/ Zone: ISP-branch Virtual router: branch /24 PC network eth1/ /24 Zone: branch-office Virtual router: branch /16 Server farm 48. VPN IPSec Palo Alto Networks

233 VPN branch-vpn tunnel.1 branch-vpn /24 IP /24 tunnel IP branch-vpn server central-vpn tunnel.2 central-vpn / 24 IP /16 tunnel IP branch central-vpn Headquarters firewall Branch office firewall /16 Server farm eth1/ /16 Zone: server Virtual router: HQ eth1/ Zone: ISP Virtual router: HQ Internet Tunnel interface: tunnel /24 Zone: branch-vpn Virtual router: HQ eth1/ Zone: ISP-branch Virtual router: branch Tunnel interface: tunnel /24 Zone: central-vpn Virtual router: branch /24 PC network eth1/ /24 Zone: branch-office Virtual router: branch 49. VPN - Palo Alto Networks IPSec 233

234 VPN VPN IKE branch-1-gw Peer-address Local-address ethernet1/1 Peer-ID FQDN branch1.my.domain Authentication pre-shared-key newvpn Protocol IPSec branch-1-vpn ike-gateway-profile branch-1-gw ipsec-crypto-profile Tunnel interface tunnel.1 proxy-id / / /24 IKE central-gw Peer-address Local-address ethernet1/2 Local-ID FQDN branch1.my.domain Authentication pre-shared-key newvpn Protocol IPSec central -vpn ike-gateway-profile central -gw ipsec-crypto-profile Tunnel interface tunnel.2 proxy-id / /16 branch-1-gw peer-address local-id peer-id IKE proxy-id proxy-id IKE 234 IPSec Palo Alto Networks

235 VPN VPN VPN VPN VPN 234 VPN ping ping (ethernet1/5) 4. ping (ethernet1/10) 5. CLI test vpn ike-sa gateway central-gw show vpn ike-sa gateway central-gw IKE 1 SA 6. CLI show vpn ike-sa gateway branch-1-gw IKE 1 SA 7. CLI test vpn ipsec-sa tunnel central-vpn show vpn ipsec-sa tunnel central-vpn IKE 2 SA 8. CLI show vpn ipsec-sa tunnel branch-1-vpn IKE 2 SA 9. ethernet1/5 IP / PC traceroute 11. PC ping CLI show vpn flow 12. syslog IKE debug ike pcap PCAP IKE Palo Alto Networks IPSec 235


237 9 GlobalProtect SSL-VPN GlobalProtect (SSL) (VPN) GlobalProtect SSL-VPN 248 VPN IPSec VPN IPSec 221 GlobalProtect GlobalProtect GlobalProtect Palo Alto Networks (HIP) HIP HIP GlobalProtect Palo Alto Networks GlobalProtect Palo Alto Networks GlobalProtect Palo Alto Networks GlobalProtect SSL-VPN 237

238 GlobalProtect 1. SSL GlobalProtect GlobalProtect 2. (DNS) 3. SSL 4. SSL IPSec IPSec 5. HIP GlobalProtect HIP HIP HIP HIP HIP HIP HIP HIP (CA) HIP HIP HIP HIP (ACC) GlobalProtect GlobalProtect SSL (CA) CA CA CA CA CA CA CA CA CA GlobalProtect SSL-VPN Palo Alto Networks

239 GlobalProtect GlobalProtect GlobalProtect 1. HIP HIP HIP HIP GlobalProtect GlobalProtect HIP GlobalProtect GlobalProtect HIP Objects > GlobalProtect > HIP Objects GlobalProtect HIP HIP HIP 118. HIP General Name Shared Host Info Domain OS Patch Management Patch Management HIP 31 (OS) HIP Palo Alto Networks GlobalProtect SSL-VPN 239

240 GlobalProtect 118. HIP Criteria Vendor Firewall Firewall Antivirus Antivirus Is Enabled (yes) (no) Is Installed Severity Check Patches Add Add Add OK Patch Management Is Enabled (yes) (no) Is Installed Vendor and Product Add Add OK Firewall Exclude Vendor Real-time Protection Is Installed Virus Definition Version Within Not Within Product Version Last Scan Time Within Not Within Vendor and Product Add Add OK Antivirus Exclude Vendor 240 GlobalProtect SSL-VPN Palo Alto Networks

241 GlobalProtect 118. HIP Anti-Spyware Anti-Spyware Disk Backup Disk Backup Disk Encryption Disk Encryption Real-time Protection Is Installed Virus Definition Version Within Not Within Product Version Last Scan Time Within Not Within Vendor and Product Add Add OK Anti-Spyware Exclude Vendor Is Installed Last Backup Time Within Not Within Vendor and Product Add Add OK Disk Backup Exclude Vendor Is Installed Encrypted Locations Add Add OK Disk Encryption Exclude Vendor Palo Alto Networks GlobalProtect SSL-VPN 241

242 GlobalProtect 118. HIP Criteria Vendor Custom Checks Process List Registry Key Is Enabled (yes) (no) Is Installed Encrypted Locations Add OK Disk Encryption Add Add OK Disk Encryption Add Add HIP Objects > GlobalProtect > HIP Profiles HIP HIP 239 GlobalProtect HIP HIP HIP 119. HIP Name Shared Match 31 HIP Browse HIP AND OR NOT HIP 242 GlobalProtect SSL-VPN Palo Alto Networks

243 GlobalProtect GlobalProtect Network > GlobalProtect > Portals GlobalProtect 120. GlobalProtect Name Location Authentication Profile Client Certificate Server Certificate Custom Login Page Custom Help Page Gateway Address Client Configuration General subtab settings 31 Shared 41 GlobalProtect SSL Interface Choice (HA) IP On demand Use single sign-on External Gateways Add IP Root CA Add CA Internal Gateways Add IP Palo Alto Networks GlobalProtect SSL-VPN 243

244 GlobalProtect 120. GlobalProtect Advanced subtab settings Third Party VPN Clients Add VPN VPN Internal Host Detection DNS IP Address IP Hostname IP Agent UI User can save password Passcode/Confirm Passcode Agent User Override Disabled With-comment GlobalProtect With-passcode GlobalProtect Data Collection Subtab Settings Max Wait Time Exclude Categories Add Add OK Custom Checks Process List Add Registry Key Add 244 GlobalProtect SSL-VPN Palo Alto Networks

245 GlobalProtect GlobalProtect Network > GlobalProtect > Gateways GlobalProtect 121. GlobalProtect Name Location Server Certificate Authentication Profile Client Certificate Tunnel Mode 31 Shared 41 Tunnel Interface Max Users Enable IPSec IPSec IPSec SSL - VPN Gateway Address Timeout Configuration Interface Choice / HA IP Login Lifetime Inactivity Logout Palo Alto Networks GlobalProtect SSL-VPN 245

246 GlobalProtect 121. GlobalProtect Client Configuration On demand Primary DNS Secondary DNS Primary WINS Secondary WINS IP Pool DNS Suffix Access Route HIP HIP Notification DNS IP Windows Internet (WINS) IP Add IP IP IP IP IP / Add Move Up Move Down Remove Add VPN VPN Internet Internet Add PC/ Move Up Move Down Remove Add 246 GlobalProtect SSL-VPN Palo Alto Networks

247 GlobalProtect GlobalProtect Devices > GlobalProtect Client GlobalProtect Client GlobalProtect GlobalProtect GlobalProtect 1. Download Close 2. Activate 3. Upload Activate from File OK 4. Remove GlobalProtect GlobalProtect (PanGP Agent) GlobalProtect GlobalProtect PanGP 1. > > Palo Alto Networks > GlobalProtect > GlobalProtect Settings 50. GlobalProtect - Settings Palo Alto Networks GlobalProtect SSL-VPN 247

248 SSL-VPN 2. GlobalProtect Remember Me 3. GlobalProtect IP 4. Apply GlobalProtect GlobalProtect Status tab Details tab IP Host State tab HIP Troubleshooting Network Configurations Routing Table GlobalProtect Sockets Logs GlobalProtect PanGP PanGP Start Stop SSL-VPN Windows 7 Vista Windows XP SSL-VPN VPN SSL-VPN Web SSL-VPN IPSec VPN IPSec VPN IPSec VPN IPSec 221 SSL-VPN SSL- VPN 3 Aggregate SSL-VPN 222 VPN Palo Alto Networks Palo Alto Networks 248 GlobalProtect SSL-VPN Palo Alto Networks

249 SSL-VPN SSL-VPN SSL-VPN 1. URL Start VPN 4. SSL-VPN VPN IPSec SSL 5. Internet 6. VPN SSL-VPN 1. URL Internet 4. VPN SSL-VPN SSL-VPN 1. SSL-VPN SSL-VPN SSL-VPN PC SSL-VPN NetConnect SSL-VPN RADIUS VPN SSL-VPN VPN SSL-VPN 121 Palo Alto Networks GlobalProtect SSL-VPN 249

250 SSL-VPN SSL-VPN Network > SSL-VPN SSL-VPN Client Configuration 122. SSL-VPN Name Server Certificate Authentication Profile Client Certificate Profile Custom Login Page Tunnel Interface Max User Enable IPSec Redirect HTTP traffic to HTTPS login page Gateway Address Timeout configuration Client Configuration Primary DNS Secondary DNS Primary WINS Secondary WINS DNS Suffix VPN VPN VPN 41 VPN 77 VPN VPN VPN SSL-VPN IPSec VPN HTTP HTTPS Interface Choice / HA IP Login Lifetime Inactivity Logout DNS IP Windows (WINS) IP Add Move Up Move Down Remove 250 GlobalProtect SSL-VPN Palo Alto Networks

251 SSL-VPN 122. SSL-VPN IP Pool - Subnet/Range Split Tunnel - Access Route IP IP IP IP / VPN VPN Internet Internet Add PC/ Move Up Move Down Remove NetConnect SSL-VPN Device > SSL-VPN Client SSL-VPN Client SSL-VPN NetConnect SSL-VPN SSL-VPN NetConnect SSL-VPN 1. Download Close Cancel Download 2. Activate SSL-VPN OK Cancel 3. Upload SSL-VPN Activate from File OK 4. SSL-VPN Remove Yes Palo Alto Networks GlobalProtect SSL-VPN 251


253 10 (QoS) QoS QoS 254 QoS 255 QoS 256 QoS 258 QoS QoS QoS Aggregate Ethernet QoS QoS QoS Network QoS QoS QoS 254 QoS QoS QoS 255 QoS Policies Policies QoS QoS 256 Palo Alto Networks 253

254 QoS QoS QoS QoS 4 QoS PA PA PA PA PA PA QoS Network > QoS QoS QoS 123. QoS Physical Interface Interface Name Maximum Egress Enable QoS Clear Text Default Profile Tunnel Interface Default Profile Advanced Options Tunneled Traffic Clear Text Traffic Guaranteed Egress Maximum Egress (Mbps) QoS QoS QoS QoS 255 Tunneled Traffic Clear Text Traffic Detail Configuration (Mbps) 254 Palo Alto Networks

255 QoS 123. QoS Detail Configuration Group Configuration 45 Mbps T1 T1 QoS 45 Mbps Clear Text Add Name Source Interface Source Subnet any QoS Profile QoS QoS QoS 255 QoS Move Up Move Down Tunneled Traffic Add Tunnel Interface QoS Profile QoS Remove QoS Network > Network Profiles > QoS Profiles QoS QoS QoS QoS 254 QoS QoS QoS Profile Name Guaranteed Egress Maximum Egress (Mbps) (Mbps) Palo Alto Networks 255

256 QoS 124. QoS Classes QoS Class QoS QoS 4 Guaranteed Egress (Mbps) Maximum Egress (Mbps) Priority QoS Network > Network Profiles > QoS Profiles QoS QoS 4 QoS QoS 254 QoS 255 Virtual System Go Filter Rules Source Zone / Destination Zone Filter by Zone Panorama QoS Add Rule Clone Rule Clone Rule 256 Palo Alto Networks

257 QoS 125. QoS Name / rulen n Source Zone Destination Zone Source Address Destination Address Source User Application Service Class any IPv4 IPv6 select Available / Add Selected Search Available Add IP <ip_address>/<mask> Selected Remove any New Address QoS any Select Add Available Selected + - Search Enter Selected Remove New Application 153 OK New Service QoS OK QoS QoS QoS 255 Palo Alto Networks 257

258 QoS QoS Network > QoS QoS Policies QoS QoS QoS Policies 51. QoS QoS QoS Bandwidth Session Browser / Application View QoS / 258 Palo Alto Networks

259 11 Panorama Panorama (CMS) Panorama 260 Panorama 261 Panorama 261 Panorama 262 SSL 262 Panorama 263 Panorama VMware Panorama VMware Server VMware ESX(i) 4.x 3.5 VMware Server VMware Server VMware ESX(i) Palo Alto Networks Panorama 259

260 Panorama (OVF) VMware ESX(i) 4.x 3.5 2GHz CPU 2-4 GB RAM GB VMware vsphere Client 4.x VMware Infrastructure Client 3.5 Panorama Panorama Panorama zip Panorama Panorama Panorama 1. Panorama zip panorama-esx.ovf 2. VMware vsphere Client VMware 3. File > Deploy OVF Template 4. Panorama panorama-esx.ovf Next 5. Next 6. Panorama Next 7. Panorama Next 8. Thick provisioned format Next 9. Finish 10. Panorama Power On Panorama 260 Panorama Palo Alto Networks

261 Panorama Panorama Panorama 10 GB VMware Server 950 GB ESX ESXi 2TB 1. VMware Panorama 2. Edit Virtual Machine Settings 3. Add Add Hardware wizard 4. Hard Disk Next 5. Create a new virtual disk Next 6. Virtual Disk Type IDE Next 7. Browse 8. Finish RAID 1/0 RAID 1/0 RAID 5 IDE 9. Panorama Panorama Panorama 10 GB Panorama Panorama 1. admin admin CLI CLI 2. IP 3. CLI Palo Alto Networks Panorama 261

262 Panorama 4. set deviceconfig system ip-address <Panorama-IP> netmask <netmask> default-gateway <gateway-ip> dns-setting servers primary <DNS-IP> <Panorama-IP> IP <netmask> <gateway-ip> IP <DNS-IP> (DNS) IP 5. commit exit 6. (<target-ip>) ping host <target-ip> ping Internet Panorama Panorama 1. Web IP address> Palo Alto Networks 2. Name Password admin Login 3. Panorama > Administrators > admin 4. Old Password admin 5. New Password 15 Confirm New Password 6. OK Panorama Panorama IP SSL Panorama SSL SSL Panorama 1. Panorama > 2. Generate Import 3. OK 4. Commit 262 Panorama Palo Alto Networks

263 12 Panorama (CMS) Panorama Web Panorama 264 HA Panorama 275 Panorama Web Panorama Panorama Web 1. Web IP address> Palo Alto Networks 2. Login Palo Alto Networks 263

264 Panorama Panorama Panorama Web Palo Alto Networks Panorama Panorama 1. Panorama IP Panorama 269 Panorama Panorama Panorama 126. Panorama Dashboard 10 ACC Monitor 191 Objects 271 Policies Panorama 271 Panorama Panorama Panorama Panorama Devices 127. Panorama Setup Config Audit Managed Devices Device Groups Admin Roles Panorama DNS NTP Panorama 269 Panorama 270 Panorama Palo Alto Networks

265 Panorama 127. Panorama Administrators High Availability Certificates Log Settings Server Profiles Panorama 40 Administrators Panorama (HA) HA 267 Web Panorama 57 Panorama 77 (SNMP) Syslog Log Destinations 49 Panorama SNMP 53 Syslog RADIUS 44 LDAP 45 Authentication Profile Authentication Sequence Client Certificate Profile Access Domain Scheduled Config Export Software Dynamic Updates Support Deployment Active Directory (Kerberos) 46 Panorama 41 Panorama 46 Panorama (FTP) 275 Panorama Panorama 275 Panorama 38 Palo Alto Networks Palo Alto Networks 265

266 Panorama Context Panorama Panorama 269 Web Panorama 52. Panorama Panorama Panorama Panorama 128. Panorama Panorama Location Panorama Panorama SNMP Syslog (RADIUS) (LDAP) Kerberos Device Groups Panorama 270 Policies Objects Device Groups Shared Panorama Location Panorama Location Shared Objects Shared 266 Palo Alto Networks

267 HA HA Panorama > High Availability Panorama HA Panorama Panorama Panorama Preemption HA Panorama HA Panorama Network File System NFS NFS Local Logging Panorama HA 129. Panorama HA Setup Enable HA Peer HA IP Address Enable Encryption Monitor Hold Time (ms) Election Settings Priority Preemptive Preemption Hold Time (min) Promotion Hold Time (ms) Hello Interval (ms) Heartbeat Interval (ms) Monitor Fail Hold Up Time (ms) HA Control Link HA1 IP Panorama Panorama (ms) ms 3000 ms Primary Secondary Panorama ms ms 8000 Panorama ICMP Ping HA ms 1000 Panorama 0 ms Palo Alto Networks 267

268 HA 129. Panorama HA Additional Master Hold Up Time (ms) Path Monitoring Enabled Failure Condition Path Groups 7000 ms ICMP Ping Panorama IP Add Name Enabled Failure Condition Ping interval ICMP ms 5000 Destination IPs Delete HA HP NFS Panorama NFS NFS 2 S1 S2 S2 S2 1. S1 2. S2 a. Panorama> High Availability b. Priority Secondary Primary c. NFS 3. CLI request high-availability convert-to-primary S1 HA S2 NFS convert-to-primary HA (S1) NFS S2 268 Palo Alto Networks

269 4. S2 S2 NFS Panorama > Managed Devices Managed Devices HA Panorama HA HA Panorama TCP 3978 SSL 1. Panorama Managed Devices Managed Devices 2. Group by 3. Add/Remove Devices 4. Add OK Managed Devices 7. Commit All Panorama IP Connected 8. a. Add/Remove Devices b. Delete c. OK Palo Alto Networks 269

270 Panorama > Device Groups / Panorama Panorama Device Groups 130. Device Group Name Devices Master Device Add Panorama > Access Domain Access Domain RADIUS (VSA) RADIUS RADIUS 131. Name Devices Device Groups 31 Devices Available Add Device Groups Available Add 270 Palo Alto Networks

271 Panorama 119 Panorama Panorama Panorama Target Install on all but specified devices 53. Panorama Panorama Palo Alto Networks 271

272 Panorama deny all Panorama > Setup > Storage Partition Setup Panorama Panorama NFS Panorama Setup Storage Partition Setup 132. Internal NFS v3 Panorama NFS Server NFS (FQDN) IP Log Directory Protocol NFS UDP TCP Port NFS Read Size NFS Write Size NFS Copy On Setup Panorama NFS Test Logging Partition NFS 272 Palo Alto Networks

273 Panorama 15 Panorama ACC Monitor Panorama ACC Panorama > Managed devices Panorama Managed Devices 54 Commit All 54. Managed Devices Diff All 5 OK Panorama Monitor > PDF Reports > User Activity Report Panorama Panorama 190 Panorama > Deployment Deployment Palo Alto Networks 273

274 133. Panorama Deployment Software SSL VPN Client GlobalProtect Client Dynamic Updates Licenses SSL VPN GlobalProtect 38 Refresh Software SSL VPN GlobalProtect Refresh Palo Alto Networks Release Notes Download Downloaded Install Upload PC Install from File Activate from File OK Delete Activate Palo Alto Networks Panorama > Setup Panorama Panorama Setup Panorama Panorama Panorama > Managed Devices Backups Manage Load Commit 274 Palo Alto Networks

275 Panorama > Scheduled Config Export Panorama Scheduled Config Export gzip FTP XML 134. Name Enable Scheduled export start time (daily) Hostname Port Passive Mode Username Password Confirm Password HH:MM FTP IP FTP Panorama Panorama > Software Panorama Palo Alto Networks Panorama Panorama Refresh Palo Alto Networks Release Notes 1. a. Download Downloaded b. Install Panorama 2. Palo Alto Networks 275


277 A IP URL URL HTML URL Web 282 URL 282 SSL VPN 283 SSL <html> <head> <meta http-equiv=content-type content="text/html; charset=windows-1252"> <meta name=generator content="microsoft Word 11 (filtered)"> <title>this is a test</title> <style> <!-- /* Font Definitions {font-family:"microsoft Sans Serif"; Palo Alto Networks 277

278 panose-1: ;} /* Style Definitions */ p.msonormal, li.msonormal, div.msonormal {margin:0in; margin-bottom:.0001pt; font-size:12.0pt; font-family:"times New Roman";} h4 {margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt; margin-left:0in; page-break-after:avoid; font-size:14.0pt; font-family:"times New Roman";} p.sanserifname, li.sanserifname, div.sanserifname {margin:0in; margin-bottom:.0001pt; text-autospace:none; font-size:10.0pt; font-family:"microsoft Sans Serif"; font-weight:bold;} p.boldnormal, li.boldnormal, div.boldnormal {margin:0in; margin-bottom:.0001pt; font-size:12.0pt; font-family:"times New Roman"; font-weight:bold;} span.heading10 {color:black font-weight:bold;} p.subheading1, li.subheading1, div.subheading1 {margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt; margin-left:0in; page-break-after:avoid; font-size:12.0pt; font-family:"times New Roman"; Section1 {size:8.5in 11.0in; margin:1.0in 1.25in 1.0in 1.25in;} div.section1 {page:section1;} --> </style> </head> <body lang=en-us> <div class=section1> <p class=msonormal>this is a test.</p> </div> </body> </html> 278 Palo Alto Networks

279 <html> <head> <title>application Blocked</title> <style> #content{border:3px solid#aaa;backgroundcolor:#fff;margin:40;padding:40;font-family:tahoma,helvetica,arial,sansserif;font-size:12px;} h1{font-size:20px;font-weight:bold;color:#196390;} b{font-weight:bold;color:#196390;} </style> </head> <body bgcolor="#e7e8e9"> <div id="content"> <h1>application Blocked</h1> <p>access to the application you were trying to use has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p> <p><b>user:</b> <user/> </p> <p><b>application:</b> <appname/> </p> </div> </body> </html> <html> <head> <meta http-equiv=content-type content="text/html; charset=windows-1252"> <meta name=generator content="microsoft Word 11 (filtered)"> <title>this is a test</title> <style> <!-- /* Font Definitions {font-family:"microsoft Sans Serif"; panose-1: ;} /* Style Definitions */ p.msonormal, li.msonormal, div.msonormal {margin:0in; margin-bottom:.0001pt; font-size:12.0pt; font-family:"times New Roman";} h4 {margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt; margin-left:0in; page-break-after:avoid; font-size:14.0pt; font-family:"times New Roman";} p.sanserifname, li.sanserifname, div.sanserifname {margin:0in; margin-bottom:.0001pt; text-autospace:none; font-size:10.0pt; font-family:"microsoft Sans Serif"; font-weight:bold;} p.boldnormal, li.boldnormal, div.boldnormal {margin:0in; margin-bottom:.0001pt; font-size:12.0pt; font-family:"times New Roman"; font-weight:bold;} Palo Alto Networks 279

280 span.heading10 {color:black font-weight:bold;} p.subheading1, li.subheading1, div.subheading1 {margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt; margin-left:0in; page-break-after:avoid; font-size:12.0pt; font-family:"times New Roman"; Section1 {size:8.5in 11.0in; margin:1.0in 1.25in 1.0in 1.25in;} div.section1 {page:section1;} --> </style> </head> <body lang=en-us> <div class=section1> <p class=msonormal>this is a test.</p> </div> </body> </html> URL <html> <head> <title>web Page Blocked</title> <style> #content{border:3px solid#aaa;backgroundcolor:#fff;margin:40;padding:40;font-family:tahoma,helvetica,arial,sansserif;font-size:12px;} h1{font-size:20px;font-weight:bold;color:#196390;} b{font-weight:bold;color:#196390;} </style> </head> <body bgcolor="#e7e8e9"> <div id="content"> <h1>web Page Blocked</h1> <p>access to the web page you were trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p> <p><b>user:</b> <user/> </p> <p><b>url:</b> <url/> </p> <p><b>category:</b> <category/> </p> </div> </body> </html> 280 Palo Alto Networks

281 <application-type> <category> <entry name="networking" id="1"> <subcategory> <entry name="remote-access" id="1"/> <entry name="proxy" id="2"/> <entry name="encrypted-tunnel" id="3"/> <entry name="routing" id="4"/> <entry name="infrastructure" id="5"/> <entry name="ip-protocol" id="6"/> </subcategory> </entry> <entry name="collaboration" id="2"> <subcategory> <entry name=" " id="7"/> <entry name="instant-messaging" id="8"/> <entry name="social-networking" id="9"/> <entry name="internet-conferencing" id="10"/> <entry name="voip-video" id="11"/> </subcategory> </entry> <entry name="media" id="3"> <subcategory> <entry name="video" id="12"/> <entry name="gaming" id="13"/> <entry name="audio-streaming" id="14"/> </subcategory> </entry> <entry name="business-systems" id="4"> <subcategory> <entry name="auth-service" id="15"/> <entry name="database"id="16"/> <entry name="erp-crm" id="17"/> <entry name="general-business" id="18"/> <entry name="management" id="19"/> <entry name="office-programs" id="20"/> <entry name="software-update" id="21"/> <entry name="storage-backup" id="22"/> </subcategory> </entry> <entry name="general-internet" id="5"> <subcategory> <entry name="file-sharing" id="23"/> <entry name="internet-utility" id="24"/> </subcategory> </entry> </category> <technology> <entry name="network-protocol" id="1"/> <entry name="client-server" id="2"/> <entry name="peer-to-peer" id="3"/> <entry name="web-browser" id="4"/> </technology> </application-type> <h1>ssl Inspection</h1> <p>in accordance with company security policy, the SSL encrypted connection you have initiated will be temporarily unencrypted so that it can be inspected for viruses, spyware, and other malware.</p> <p>after the connection is inspected it will be re-encrypted and sent to its destination. No data will be stored or made available for other purposes.</p> <p><b>ip:</b> <url/> </p> <p><b>category:</b> <category/> </p> Palo Alto Networks 281

282 Web

<h1 ALIGN=CENTER>Captive Portal</h1>
<h2 ALIGN=LEFT>In accordance with company security policy, you have to authenticate before accessing the network.</h2>
<pan_form/>

URL

<html>
<head>
<title>Web Page Blocked</title>
<style>
#content{border:3px solid #aaa;background-color:#fff;margin:40;padding:40;font-family:tahoma,helvetica,arial,sans-serif;font-size:12px;}
h1{font-size:20px;font-weight:bold;color:#196390;}
b{font-weight:bold;color:#196390;}
form td, form input { font-size: 11px; font-weight: bold; }
#formtable { height: 100%; width: 100%; }
#formtd { vertical-align: middle; }
#formdiv { margin-left: auto; margin-right: auto; }
</style>
<script type="text/javascript">
// If an element with id "pwd" is present, replace the Continue text with the override-password prompt.
function pwdcheck() {
  if (document.getElementById("pwd")) {
    document.getElementById("continuetext").innerHTML = "If you require access to this page, have an administrator enter the override password here:";
  }
}
</script>
</head>
<body bgcolor="#e7e8e9">
<div id="content">
<h1>Web Page Blocked</h1>
<p>Access to the web page you were trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p>
<p><b>User:</b> <user/> </p>
<p><b>URL:</b> <url/> </p>
<p><b>Category:</b> <category/> </p>
<hr>
<p id="continuetext">If you feel this page has been incorrectly blocked, you may click Continue to proceed to the page. However, this action will be logged.</p>
<div id="formdiv">
<pan_form/>
</div>
<a href="#" onclick="history.back();return false;">Return to previous page</a>
</div>
</body>
</html>

283 SSL VPN

<HTML>
<HEAD>
<TITLE>Palo Alto Networks - SSL VPN</TITLE>
<meta http-equiv="content-type" content="text/html; charset=iso ">
<link rel="stylesheet" type="text/css" href="/styles/falcon_content.css?v=@@version">
<style>
td {
  font-family: Verdana, Arial, Helvetica, sans-serif;
  font-weight: bold;
  color: black; /*#FFFFFF; */
}
.msg {
  background-color: #ffff99;
  border-width: 2px;
  border-color: #ff0000;
  border-style: solid;
  padding-left: 20px;
  padding-right: 20px;
  max-height: 150px;
  height: expression( this.scrollHeight > 150 ? "150px" : "auto" ); /* sets max-height for IE */
  overflow: auto;
}
.alert {font-weight: bold;color: red;}
</style>
</HEAD>
<BODY bgcolor="#f2f6fa">
<table style="background-color: white; width:100%; height:45px; border-bottom: 2px solid #888888;">
<tr style="background-image:url(/images/logo_pan_158.gif); background-repeat: no-repeat">
<td align="left"> </td>
</tr>
</table>
<div align="center">
<h1>Palo Alto Networks - SSL VPN Portal</h1>
</div>
<div id="formdiv">
<pan_form/>
</div>
</BODY>
</HTML>

284 SSL

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso ">
<html>
<head>
<title>Certificate Error</title>
<style>
#content{border:3px solid #aaa;background-color:#fff;margin:40;padding:40;font-family:tahoma,helvetica,arial,sans-serif;font-size:12px;}
h1{font-size:20px;font-weight:bold;color:#196390;}
b{font-weight:bold;color:#196390;}
</style>
</head>
<body bgcolor="#e7e8e9">
<div id="content">
<h1>Certificate Error</h1>
<p>There is an issue with the SSL certificate of the server you are trying to contact.</p>
<p><b>Certificate Name:</b> <certname/> </p>
<p><b>IP:</b> <url/> </p>
<p><b>Issuer:</b> <issuer/> </p>
<p><b>Status:</b> <status/> </p>
<p><b>Reason:</b> <reason/> </p>
</div>
</body>
</html>

285 B Palo Alto Networks business-system auth-service database erp-crm general-business infrastructure office-program software-update storage-backup collaboration instant-messaging internet-conferencing internet-utility Palo Alto Networks 285

286 social-networking voip-video web-posting general-internet file-sharing internet-utility media audio-streaming gaming photo-video networking audio-streaming encrypted-tunnel infrastructure ip-protocol proxy remote-access routing unknown 286 Palo Alto Networks

287 135. network-protocol client-server peer-to-peer browser-based IP - Web 136. Transfers Files Evasive Excessive Bandwidth Used by Malware Prone to Misuse Widely Used Tunnels Other Applications Continue Scanning for Other Applications 1 Mbps Palo Alto Networks 287


289 C (FIPS 140-2) FIPS FIPS Set FIPS Mode PAN-OS Command Line Interface Reference Guide FIPS TLS 1.0 Device > Setup > Management FIPS FIPS FIPS IPSec 2048 Telnet TFTP HTTP (HA) PAP Palo Alto Networks 289


291 D (GPL) $5 Palo Alto Networks Open Source Request 232 E. Java Drive Sunnyvale, CA 291 BSD 293 GNU 293 GNU 296 MIT/X OpenSSH 302 PSF 305 PHP 305 Zlib 306 Larry Wall Perl v4.0 Palo Alto Networks 291

292 CrackUnix Password Cracker CrackLibUnix Password Checking Alec David Edward Muffett a) Usenet uunet.uu.net b) c) d) 4. a) b) c) d) Palo Alto Networks

293 BSD BSD BSD Julian Steward Thai Open Source Software Center Ltd The Regents of the University of California Nick Mathewson Niels Provos Dug Song Todd C. Miller University of Cambridge Sony Computer Science Laboratories Inc / 3. GNU (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA , USA GNU GNU Palo Alto Networks 293

294 GNU (1) (2) / / a) b) c) 294 Palo Alto Networks

295 GNU a) 1 2 b) 1 2 c) b / Palo Alto Networks 295

296 GNU 8. / 9. / / 12. / GNU (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA USA [ GPL (Lesser GPL) GNU (GNU Library Public License) ] GNU 296 Palo Alto Networks

297 GNU (1) (2) / GNU GNU GNU GNU C GNU GNU/ Linux / Palo Alto Networks 297

298 GNU / * a) * b) * c) * d) 2d 3. GNU GNU 2 2 GNU GNU 298 Palo Alto Networks

299 GNU * a) 1 2 / * b) (1) (2) * c) 6a * d) * e) Palo Alto Networks 299

300 GNU 7. * a) * b) / 12. / 13. / 300 Palo Alto Networks

301 MIT/X11 MIT/X / 16. / (C) Daniel Veillard (C) Thomas Broyer Charlie Bozeman Daniel Veillard (C) 1998 Bjorn Reese Daniel Stenberg (C) 2000 Gary Pennington Daniel Veillard (C) 2001 Bjorn Reese <[email protected]> (c) 2001, 2002, 2003 Python (c) Paramjit Oberoi <param.cs.wisc.edu> (c) 2007 Tim Lauridsen <[email protected]> / Palo Alto Networks 301

302 OpenSSH OpenSSH OpenSSH BSD OpenSSH GPL 1) (c) 1995 Tatu Ylonen Espoo, Finland RFC ssh Secure Shell [Tatu ] GNU [ OpenSSH -RSA OpenSSL -IDEA -DES OpenSSL -GMP OpenSSL BN -Zlib -make-ssh-known-hosts -TSS -MD5 OpenSSL -RC4 OpenSSL ARC4 -Blowfish OpenSSL [ ] Internet / 302 Palo Alto Networks

303 OpenSSH / 2) deattack.c 32 CRC CORE SDI S.A. BSD ssh - (c) 1998 CORE SDI S.A., Buenos Aires, Argentina CORE SDI S.A. Ariel Futoransky <[email protected]> < 3) ssh-keyscan David Mazieres BSD 1995, 1996 by David Mazieres <[email protected]> OpenBSD Project 4) Vincent Rijmen Antoon Bosselaers Paulo Barreto Rijndael ANSI C Vincent Rijmen Antoon Bosselaers Paulo Barreto <[email protected]> 5) ssh 3 BSD University of California Berkeley (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California / 3. Palo Alto Networks 303

304 OpenSSH THE REGENTS THE REGENTS 6) 2 BSD -Markus Friedl -Theo de Raadt -Niels Provos -Dug Song -Aaron Campbell -Damien Miller -Kevin Steves -Daniel Kouril -Wesley Griffin -Per Allansson -Nils Nordman -Simon Wilkinson / 304 Palo Alto Networks

305 PSF PSF 1. Python PSF Python PSF Python 2.3 / Python 2.3 PSF PSF (c) 2001, 2002, 2003 Python Software Foundation 3. Python 2.3 Python PSF Python 2.3 PSF PSF Python PSF Python 2.3 Python PSF PSF 8. Python 2.3 PHP PHP 3.01 (c) The PHP Group / 3. PHP [email protected] 4. [email protected] PHP PHPFoo PHP PHP Foo phpfoo PHP 5. PHP Group / PHP Group PHP Group Palo Alto Networks 305

306 Zlib 6. < PHP PHP PHP PHP Group PHP Group PHP Group PHP < PHP < Zend Zlib (C) Jean-loup Gailly Mark Adler Jean-loup Gailly Mark Adler 306 Palo Alto Networks

