admin_guide.book

Transcription

1 Palo Alto Networks /21/11 - Palo Alto Networks

2 Palo Alto Networks, Inc Palo Alto Networks Palo Alto Networks PAN-OS Panorama Palo Alto Networks, Inc. P/N A

3 12 21, Palo Alto Networks Web ID Palo Alto Networks 3

4 SNMP PAN-OS RADIUS LDAP Kerberos Active Directory HIP SNMP Syslog Netflow / HA / HA NAT HA HA Palo Alto Networks

5 Aggregate Ethernet VLAN HA VLAN DHCP DNS NAT NAT NAT NAT DoS DoS Palo Alto Networks 5

6 URL DoS URL Botnet Botnet Botnet PDF Palo Alto Networks App-ID Palo Alto Networks

7 User-ID User-ID Agent PAN-OS User-ID Agent User-ID Agent User-ID Agent User-ID Agent User-ID Agent Terminal Server Agent Terminal Server Agent IPSec IPSec VPN SSL-VPN VPN IPSec IKE IPSec IKE IPSec VPN IKE IPSec IKE IPSec IPSec VPN VPN VPN GlobalProtect GlobalProtect GlobalProtect GlobalProtect GlobalProtect Palo Alto Networks 7

8 QoS QoS QoS QoS QoS Panorama Panorama Panorama Panorama SSL Panorama HA HA Panorama Panorama Web Panorama Panorama Panorama Panorama WildFire WildFire WildFire WildFire WildFire WildFire WildFire Palo Alto Networks

9 A URL Web URL SSL VPN SSL B C D BSD GNU GNU MIT/X OpenSSH PSF PHP Zlib Palo Alto Networks 9

10 10 Palo Alto Networks

11 12 21, Palo Alto Networks Web Palo Alto Networks / IPSec IP (IPSec) Palo Alto Networks 11

12 9 GlobalProtect GlobalProtect 10 (QoS) 11 Panorama Palo Alto Networks 12 Panorama Panorama 13 WildFire WildFire A HTML B Palo Alto Networks C D 12 Palo Alto Networks

13 Web (URL) SecuritySecurity Rules Palo Alto Networks a:\setup Devices Administrators Clone Rule Palo Alto Networks 13

14 14 Palo Alto Networks

15 Palo Alto Networks 80 IPv4 IPv6 IPv4 IPv6 Palo Alto Networks 15

16 SSL 137 URL 141 URL Web 167 GlobalProtect GlobalProtect / 67 HA WildFire Web (CLI) Panorama Web Web 16 Palo Alto Networks

17 25 Web Web HTTP HTTPS CLI Telnet (SSH) PAN-OS Panorama Palo Alto Networks Web Panorama Web Panorama 243 Panorama Panorama 251 Panorama (SNMP) RFC 1213 (MIB-II) RFC 2665 SNMP 54 SNMP Syslog Syslog 56 Syslog XML API (REST) API <firewall> IP API DevCenter XML API Palo Alto Networks 17

18 18 Palo Alto Networks

19 Web 25 Panorama 243 Panorama App-ID 3. IP Palo Alto Networks 19

20 1. RJ-45 (MGT) IP Web Palo Alto Networks 4. admin Login OK 5. Device Setup Web 21 Web Management Management Interface Settings IP Services (DNS) IP (NTP) IP Support Palo Alto Networks Register Device Activate support using authorization codes 6. Devices Administrators 7. admin 8. New Password Confirm New Password OK IP Palo Alto Networks

21 Web Web Objects Device Add Delete OK Cancel Clone Palo Alto Networks 21

22 Web Help Tasks Task Manager Show Devices Setup OK Save OK candidate 22 Palo Alto Networks

23 Web Web Commit Advanced Include Device and Network configuration Include Shared Object configuration Include Policy and Objects Include virtual system configuration 30 Vulnerability Protection Objects Security Profiles Vulnerability Protection Objects > Security Profiles > Vulnerability Protection Palo Alto Networks 23

24 Web Web Config lock Commit Lock Locks Take a Lock OK Close Lock Locks Yes Close Lock 24 Palo Alto Networks

25 Device Setup Management Automatically acquire commit lock 28 Web Web Internet Explorer 7 Firefox 3.6 Safari 5 Chrome 11 Web Help / KnowledgePoint Palo Alto Networks 25

26 26 Palo Alto Networks

27 PAN-OS SNMP 56 Syslog Netflow Palo Alto Networks 27

28 ID 35 WildFire 263 WildFire Device > Setup > Management Setup WildFire IP 94 Edit 1. General Settings Host Name Domain Login Banner Timezone Locale Time Serial Number 31 (FQDN) 31 Name Password PDF 183 PDF Set Time YYYY/MM/DD 24 (HH:MM:SS) Panorama 28 Palo Alto Networks

29 1. Geo Location Automatically acquire commit lock Certificate Expiration Check Multi Virtual System Capability Authentication Settings Authentication Profile Client Certificate Profile Idle Timeout # Failed Attempts Lockout Time Panorama Settings Panorama Server Panorama Server 2 Receive Timeout for connection to Panorama Send Timeout for connection to Panorama Retry Count for SSL send to Panorama Management Interface Settings MGT Interface Speed MGT Interface IP Address Setup Multi Virtual System Capability Edit OK Web CLI Web CLI Panorama Palo Alto Networks IP Panorama Panorama Disabled Shared Policies Panorama Import shared policies from Panorama before disabling OK Panorama (HA) HA Panorama Panorama TCP TCP Panorama (SSL) Panorama Mbps 100Mbps 1Gbps IP IP Palo Alto Networks 29

30 1. Netmask Default Gateway MGT Interface IPv6 Address Default IPv6 Gateway MGT Interface Services Permitted IPs Logging and Reporting Settings Log Storage Max. Rows in User Activity Report Number of Versions for Config Audit Number of Versions for Config Backups Stop Traffic when LogDb full Send Hostname In Syslog IP IP IPv6 IPv6 IPv6 HTTP HTTPS Telnet (SSH) / Ping IP 100% 100% OK Restore Defaults Panorama 100 syslog syslog Device > Setup > Operations OK Commit Save Commit 30 Palo Alto Networks

31 Save 2. Restart Data Plane Web CLI debug swm revert PAN-OS (running-config.xml ) Save (running-config.xml ) (running-config.xml ) / Browse Reboot Device PAN-OS 30 Web CLI request restart system PAN-OS Restart Dataplane Web CLI request restart dataplane PAN-OS Palo Alto Networks 31

32 2. Custom Logo SNMP Setup Statistics Service Setup Custom Logo (UI) PDF 183 PDF PDF png gif jpg 128 KB PDF PDF 183 PDF SNMP 36 SNMP 37 Commit commit CLI Web CLI Palo Alto Networks

33 Device > Setup > Services Services (DNS) (NTP) 3. DNS Primary DNS Server Secondary DNS Server Primary NTP Server Secondary NTP Server Update Server Secure Proxy Server Secure Proxy Port Secure Proxy User Secure Proxy Password Confirm Secure Proxy Password Service Route Configuration DNS FQDN DNS DNS DNS DNS DNS IP DNS DNS FDQN DNS IP NTP IP NTP NTP IP Palo Alto Networks IP updates.paloaltonetworks.com Palo Alto Networks IP Service Route Configuration Use Management Interface for all Select Source Address Palo Alto Networks 33

34 ID Device > Setup > Content-ID Content-ID URL 4. ID URL Filtering Dynamic URL Cache Timeout URL Continue Timeout URL Admin Override Timeout URL Admin Lockout Timeout x-forwarded-for Strip-x-forwarded-for URL Admin Override Settings for URL admin override Edit URL URL URL 141 URL continue URL continue URL URL IP X-Forwarded-For X-Forwarded-For HTTP IP Src x.x.x.x URL x.x.x.x IP Source User IP X-Forwarded-For IP URL Override 141 URL Add URL Location Password/Confirm Password Server Certificate SSL Mode Redirect IP 34 Palo Alto Networks

35 4. ID Content-ID Features Manage Data Protection Container Pages Manage Data Protection Set Password Change Password Delete Password text/html text/xml text/plain application (pdf) image (jpeg) URL Location Add Device > Setup > Session Sessions IPv6 5. Session Settings Rematch Sessions ICMPv6 Token Bucket Size ICMPv6 Error Packet Rate Jumbo Frame Jumbo Frame MTU Enable IPv6 Firewalling Edit Rematch all sessions on config policy change Telnet Deny Telnet ICMPv6 ICMPv ICMPv / 100 MTU IPv6 Edit IPv6 Firewalling IPv6 IPv6 Palo Alto Networks 35

36 5. Accelerated Aging Session Timeouts Timeouts Server CRL/OCSP Enable Receive Timeout Enable OCSP Receive Timeout Block Unknown Certificate Block Timeout Certificate Certificate Status Timeout (%) Accelerated Aging Threshold (% full) Accelerated Aging Scaling Factor CRL SSL (CA) (CRL) SSL SSL (OCSP) SSL 131 CRL 1-60 OCSP SSL OCSP SNMP Device > Setup > Operations SNMPv2c SNMPv3 SNMP (MIB) Setup SNMP Setup MIB SNMP ID (OID) SNMP (varbind) 6. SNMP Physical Location Contact Use Event-Specific Trap Definitions MIB SNMP OID 36 Palo Alto Networks

37 6. SNMP Version SNMP V2c V3 MIB V2cpublic V2c SNMP Community String SNMP public V3 Views Add Name View OID (OID) Option OID Mask 0xf0 OID Users Add Users View Auth Password 8 (SHA) Priv Password 8 (AES) Device > Setup > Operations Statistics Service Setup Palo Alto Networks URL Panorama URL Report Sample Palo Alto Networks 37

38 Device > Config Audit Config Audit Go 1. Panorama Panorama Device > Licenses Palo Alto Networks URL URL Activate Licenses URL Activate Retrieve license keys from license server 38 Palo Alto Networks

39 PAN-OS Activate feature using authorization code OK a. b. c. Manually upload license key Browse OK Web URL CLI PAN- OS PAN-OS Device > Software PAN-OS Palo Alto Networks PAN-OS Software Refresh Palo Alto Networks Release Notes Download Downloaded Install Upload PC Install from File OK PAN-OS PAN-OS PAN-OS Decrypt failed: GnuPG edit non-zero, with code Failed to load into PAN software manager. Palo Alto Networks 39

40 PAN-OS PAN-OS (HA) HA 61 HA PAN-OS Device > Dynamic Updates Palo Alto Networks URL GlobalProtect Dynamic Updates Application and Threats Antivirus URL Filtering Check Now Palo Alto Networks Upgrade Revert Release Notes Upload PC Install from File OK Schedule Download Only Dynamic Updates Upgrade OK 40 Palo Alto Networks

41 Local database RADIUS (RADIUS) LDAP (LDAP) Kerberos Kerberos Client Certificate RADIUS LDAP Kerberos DB SSL (VPN) 223 GlobalProtect Device > Admin Roles Admin Roles Name Role 31 Palo Alto Networks 41

42 7. WebUI CLI Role Web / CLI disable CLI superuser superreader deviceadmin devicereader Device > Administrators admin Password authentication Client certificate authentication (web) Public key authentication (SSH) / 8. Name Authentication Profile Use only client certificate authentication (web) 15 RADIUS LDAP Kerberos DB 44 Web 42 Palo Alto Networks

43 8. New Password Confirm New Password Use Public Key Authentication (SSH) Role Virtual System 15 SSH Import Key IETF SECSH OpenSSH DSA 1024 RSA Dynamic Superuser Superuser (Read Only) Device Admin Device Admin (Read Only) Vsys Admin Vsys Admin (Read Only) Role Based Admin 41 Role Based 41 Add Available Selected Panorama Administrators Device > Access Domain Access Domain RADIUS (VSA) RADIUS RADIUS RADIUS RADIUS Palo Alto Networks 43

44 9. Name Virtual Systems 31 Available Add RADIUS LDAP Kerberos SSL-VPN SSL-VPN Setup 28 Setup RADIUS RADIUS RADIUS paloaltonetworks.com Settings None Device > Authentication Profile Authentication Profile 10. Name Shared Lockout Time Failed Attempts Palo Alto Networks

45 10. Allow List Authentication Server Profile Login Attribute Password Expiration Warning Edit Allow List Available Add Selected All Search Available Add Selected Remove any None Local DB RADIUS RADIUS LDAP LDAP Kerberos Kerberos RADIUS LDAP Kerberos Server 46 RADIUS 47 LDAP 47 Kerberos Active Directory LDAP LDAP LDAP Active Directory edirectory Sun ONE Directory SSL-VPN 223 GlobalProtect SSL-VPN <SCRIPT> function getpasswarnhtml(expdays) { var str = "Your password will expire in " + expdays + " days"; return str; } </SCRIPT> str Device > Local User Database > Users Local Users Palo Alto Networks 45

46 11. Local User Name Location Mode Enable 31 Shared Password Phash Device > Local User Database > User Groups Local User Groups 12. Local User Group Name RADIUS Location All Local Users Device > Server Profiles > RADIUS 31 Shared Add RADIUS RADIUS RADIUS Name Location Administrator Use Only Domain Timeout Retries Retrieve User Group 31 Shared RADIUS RADIUS VSA 46 Palo Alto Networks

47 13. RADIUS Servers Name IP address IP Port Secret/Confirm Secret RADIUS LDAP Device > Server Profiles > LDAP LDAP LDAP LDAP Name Location Administrator Use Only Servers Domain Type Base Bind DN Bind Password/ Confirm Bind Password SSL Time Limit Bind Time Limit Retry Interval 31 Shared LDAP IP Palo Alto Networks SSL (TLS) LDAP Kerberos Active Directory Palo Alto Networks 47

48 Device > Server Profiles > Kerberos Kerberos Active Directory RADIUS Internet (IAS) Kerberos Kerberos Kerberos 44 Kerberos domain realm Kerberos domain\username 15. Kerberos Name Location Administrator Use Only Realm Domain Servers 31 Shared 127 example.local 31 Kerberos Add Server IP Host FQDN Port Active Directory LDAP 48 Palo Alto Networks

49 Device > Authentication Sequence Authentication Sequence Profile Name Shared Lockout Time Failed Attempts Profile List Move Up Move Down Device > Client Certificate Profile Setup SSL-VPN Name Location Username Field Domain CA Certificates Use CRL Use OCSP CRL Receive Timeout OCSP Receive Timeout Certificate Status Timeout 31 CA OCSP URL CA Add (CRL) OCSP CRL 1-60 OCSP Palo Alto Networks 49

50 17. Block Unknown Certificate Block Timeout Certificate Monitor > Logs Panorama SNMP syslog 18 Alarms Configuration Data Filtering HIP Match System Threat Alarms 57 Panorama syslog SNMP After Change Before Change 146 HIP GlobalProtect (HIP) 223 GlobalProtect HA SNMP / Palo Alto Networks

51 18 Traffic URL Filtering allow deny drop / 167 URL URL 141 URL Panorama SNMP syslog 19 Destination Panorama SNMP trap Syslog Panorama Panorama 28 SNMP SNMP 54 SNMP Syslog syslog 56 Syslog 56 Device > Scheduled Log Export CSV (FTP) FTP 3 FTP OK Scheduled Log Export Palo Alto Networks 51

52 20. Name Enabled Log Type Scheduled export start time (daily) Hostname Port Passive Mode Username Password Device > Log Settings > Config 31 URL HIP 24 (hh:mm) (00:00-23:59) FTP IP FTP 21 FTP FTP anonymous Panorama syslog / 21. Panorama SNMP Trap Syslog Panorama SNMP SNMP 54 SNMP 56 syslog syslog syslog 56 Syslog Device > Log Settings > System Panorama SNMP syslog / HA 52 Palo Alto Networks

53 22. Panorama SNMP Trap Syslog Panorama Panorama 28 Critical HA High syslog RADIUS Medium Low Informational / SNMP syslog / 54 SNMP 56 Syslog 56 HIP Device > Log Settings > HIP Match (HIP) GlobalProtect HIP Panorama SNMP Trap Syslog Device > Log Settings > Alarms Panorama HIP SNMP SNMP 54 SNMP 56 syslog syslog syslog 56 Syslog Alarms Palo Alto Networks 53

54 SNMP 24. Enable Alarms Enable CLI Alarm Notifications Enable Web Alarm Notifications Enable Audible Alarms Encryption/Decryption Failure Threshold Log DB Alarm Threshold % Full Security Policy Limits Security Rule Group Limits Selective Audit CLI Web CLI / IP Security Violations Time Period Security Violations Threshold Security Rule Group Violations Time Period Security Rule Group Violations Threshold Security Rule Group Tags Common Criteria Alarms CC Specific Logging Common Criteria (CC) Login Success Logging Login Failure Logging Suppressed Administrators Device > Log Settings > Manage Logs SNMP Device > Server Profiles > SNMP Trap SNMP SNMP Palo Alto Networks

55 SNMP 25. SNMP Name Shared Version V2c settings V3 settings SNMP 31 SNMP SNMP V2c Server SNMP 31 Manager IP Community V3 Server SNMP 31 Manager IP User SNMP EngineID SNMP ID Auth Password SNMP Priv Password SNMP SNMP MIB SNMP MIB SNMPv2-MIB DISMAN-EVENT-MIB IF-MIB HOST-RESOURCES-MIB ENTITY-SENSOR-MIB PAN-COMMON-MIB PAN-TRAPS-MIB Palo Alto Networks Technical Documentation MIB Palo Alto Networks 55

56 Syslog Syslog Device > Server Profiles > Syslog HIP syslog Syslog syslog Syslog Name Shared Servers Name Server Port Facility Custom Log Format Log Type Escaping syslog 31 Add Syslog 31 syslog IP syslog 514 Log Format Log Format OK Escaped characters Device > Server Profiles > Palo Alto Networks

57 27. Name Shared Servers Server Display Name From To And Also To Gateway Custom Log Format Log Type Escaping From (SMTP) IP Log Format OK Web Alarms Acknowledge Acknowledge Alarms Device > Log Settings > Alarms > Alarm Settings Enable Alarms Alarms Palo Alto Networks 57

58 Netflow Netflow Device > Server Profiles > Netflow IP Netflow Version 9 Netflow IPv4 IPv4 NAT IPv6 App-ID User-ID PAN-OS 4000 Netflow Netflow Netflow Netflow Netflow Netflow Netflow Name Template Refresh Rate Active Timeout Export PAN-OS Specific Field Types Servers Name Server Port Netflow 31 Netflow Netflow PAN-OS App-ID User-ID 31 IP 2055 Device > Certificates Certificates Forward Trust CA CA Certificates Forward Trust Certificate Forward Untrust CA CA 58 Palo Alto Networks

59 Trusted Root CA CA CA CA CA CA CA SSL Exclude SSL SSL Certificate for Secure Web GUI Web Web Certificates Web CA SSL a. Import b. c. PKCS #12 PEM d. Import Private Key PKCS #12 PEM *.key e. a. b. Export c. PKCS#12.pfx.pem d. Export Private Key e. Save Palo Alto Networks 59

60 a. Generate Generate Certificate b. Forward Trust Forward Untrust Trusted Root CA SSL Exclude Certificate for Secure Web GUI Panorama Panorama Panorama 251 Panorama (HA) Import HA Key HA Export HA Key HA Certificate Name Common Name Location Signed By Certificate Authority Number of Bits Digest Country State Locality Organization Department 31 IP FQDN Shared CA CA / ISO 6366 Country Codes Device > Master Key and Diagnostics Master Key and Diagnostics 30. Master Key 60 Palo Alto Networks

61 30. New Master Key Confirm Master Key Life Time Time for Reminder Common Criteria Common Criteria PAN-OS / / (HA) HA / HA / HA HA HA HA HA / HA / HA App-ID Content-ID App-ID Content-ID 7 PAN-OS HA3 Palo Alto Networks 61

62 / 3 3 HA3 App-ID Content-ID 3 IP ARP IP IP 3 Static interface IP 3 IP / HA / Floating IP (VRRP) HA IP IP ID IP HA ARP load sharing (ARP) / App-ID Content-ID (1) (2) primary device / HA IP modulo IP IP IP HA Primary Device Hash HA App-ID Content-ID 62 Palo Alto Networks

63 HA HA3 7 NAT / HA 3 IPv6 / IPv6 Virtual Wire Deployment / App-ID Content-ID Layer 3 Floating IP Deployment HA IP IP MAC ARP VRRP IP IP VPN (NAT) Layer 3 ARP Load-Sharing ARP Load-Sharing HA IP IP ARP HA IP ARP ARP Load-Sharing 3 ARP Load-Sharing Layer 3 Route Based Redundancy (Static Interface IPs) (OSPF) IP HA / NAT / HA / / Web NAT NAT NAT NAT NAT NAT 1 1 NAT 0 Palo Alto Networks 63

64 NAT Device 0 and Device 1 NAT ID IP NAT Both NAT NAT Primary NAT NAT ARP 0/1 / NAT IP IP/ IP IP/ NAT Device ID 0 1 HA IP Device Device IP 2. IP 31. IP Name Source Zone Destination Zone Source Translation Active/Active HA Binding Src NAT Device 0 Src NAT Device 1 L3Trust L3Untrust dynamic-ip-andport L3Trust L3Untrust dynamic-ip-andport Palo Alto Networks

65 Internet (ISP) IP NAT Device ID 0 1Device Device Device 0 Device 1 IP ISP ISP IP IP 3. IP 32. IP Name Source Zone Destination Zone Source Translation Active/Active HA Binding Src NAT Device 0 Src NAT Device 1 L3Trust L3Untrust dynamic-ip-andport L3Trust L3Untrust dynamic-ip-andport Palo Alto Networks 65

66 IP NAT IP 33. IP Name Source Zone Destination Zone Destination Address Destination Translation Active/Active HA Binding DNAT Prov Indep L3Untrust L3Untrust address: both HA HA Factory Reset PAN- OS 3. Internet 4. RJ-45 HA1 HA2 HA1 HA2 / HA3 HA3 66 Palo Alto Networks

67 HA HA 1/15 1/16 5. Network HA HA 5. HA 6. HA 67 HA HA HA HA Device > High Availability 66 HA HA HA High Availability Edit 34. HA General Setup Enable HA HA Group ID / 1 31 / 2 ID Description / Mode active-active active-passive Peer HA IP Address Control Link HA1 IP Backup Peer HA IP Address HA IP IP Enable Config Sync Link Speed HA Link Duplex HA Palo Alto Networks 67

68 34. HA Election Settings Device Priority Heartbeat Backup HA IP HA1 HA Preemptive Preemption Hold Time ms 0 ms Promotion Hold Time / / HA Hello Interval HA PA-4000/PA ms PA-200/PA-2000/PA ms PA-4000/PA ms PA-200/PA-2000/PA ms Heartbeat Interval HA ICMP Ping ms 1000ms Maximum No. of Flaps Monitor Fail Hold Up Time (ms) HA ms 0 ms Additional Master Hold Up Time (min) Monitor Fail Hold Up Time ms 500 ms / / / 68 Palo Alto Networks

69 34. HA Control Link (HA1) Port HA1 HA1 HA IP Address HA1 HA1 HA1 IP Netmask HA1 HA1 IP Gateway HA1 HA1 IP Control Link Monitor Hold Time (ms) HA1 Encryption Enabled HA HA HA HA HA1 / Certificates 60 Monitor Fail Hold Up Time (ms) HA Palo Alto Networks 69

70 34. HA Data Link (HA2) Link and Path Monitoring Path Monitoring Path Group Port HA HA2 IP Address HA2 HA2 HA IP Netmask HA2 HA2 HA Gateway HA2 HA2 HA HA HA2 IP Gateway State Synchronization Enabled Transport Ethernet (Ethertype 0x7261) IP 3 IP 99 UDP IP UDP Link Speed (Models with dedicated HA ports only) HA2 Link Duplex (Models with dedicated HA ports only) HA2 Enabled ICMP ping IP 2 3 Failure Condition Virtual Wire VLAN Virtual Router Add Name Enabled Failure Condition Source IP VLAN IP IP IP IP IP Destination IPs 70 Palo Alto Networks

71 34. HA Link Monitoring Link Groups Active Passive Passive Link State Monitor Fail Hold Down Time Active Active Enabled Failure Condition Add Name Enabled Failure Condition Interfaces auto 3 auto shutdown Packet Forwarding HA3 App-ID Content-ID 7 HA3 Interface VR Sync QoS Sync Session Owner Selection Session Setup / HA HA QoS QoS Network QoS QoS Primary Device / 7 First packet App-ID Content-ID 7 HA3 IP Modulo IP Primary Device IP Hash IP IP Palo Alto Networks 71

72 HA HA Preemption HA Preemption IP OS LED HA CLI request high-availability state suspend High Availability Device Suspend CLI request high-availability state functional HA CLI show high-availability all CLI show high-availability state Device Config Audit Dashboard HA Push Configuration Web CLI request high-availability sync-to-remote running-config CLI show jobs processed PA-200 HA Lite PA-200 / HA HA lite IPSec DHCP DHCP PPPoE 3 72 Palo Alto Networks

73 VLAN 97 NAT QoS PA-4000 PA-5000 PA-2000 PA-500 PA Internet Device admin Dept 1 VSYS Dept 2 VSYS Dept 3 VSYS Dept 4 VSYS Policies Policies Policies Policies vsys admin vsys admin vsys admin vsys admin 6. (vsys1) Policies Objects Virtual System VLAN 75 Palo Alto Networks 73

74 SNMP syslog external Dept 1 VSYS Dept 2 VSYS VSYS 1 VSYS 2 VSYS 1 VSYS 2 VSYS 2 VSYS 1 VSYS Internet Dept 1 VSYS Dept 2 VSYS Dept 3 VSYS Dept 4 VSYS Policies Policies Policies Policies Palo Alto Networks

75 74 IP Internet a.a.a.a b.b.b.b c.c.c.c d.d.d.d Dept 1 VSYS Dept 2 VSYS Dept 3 VSYS Dept 4 VSYS 8. ISP IP IP 9 Internet x.x.x.x Shared gateway a.a.a.a b.b.b.b c.c.c.c d.d.d.d Dept 1 VSYS Dept 2 VSYS Dept 3 VSYS Dept 4 VSYS 9. NAT Virtual System Palo Alto Networks 75

76 Device > Virtual Systems Device > Setup Management General Settings Edit Multi Virtual System Capability Virtual Systems Virtual Systems Add 35. ID Name General Resource 31 DNS DNS 114 DNS VLAN Add Delete Sessions Limit Security Rules NAT Rules NAT Decryption Rules QoS Rules QoS Application Override Rules PBF Rules (PBF) CP Rules (CP) DoS Rules (DoS) Site to Site VPN Tunnels VPN Concurrent GlobalProtect Tunnel Mode Users GlobalProtect VLAN OK Network > Zones 97 Network > Interfaces Device > Shared Gateways 76 Palo Alto Networks

77 ID Name Interfaces 31 Device > Response Pages URL HTML A 37. Antivirus Block Application Block Captive Portal Comfort File Blocking Block File Blocking Continue GlobalProtect Portal Help GlobalProtect Portal Login GlobalProtect Welcome Page SSL Certificate Revoked Notify Active Directory 143 GlobalProtect GlobalProtect GlobalProtect 223 GlobalProtect GlobalProtect 223 SSL SSL Palo Alto Networks 77

78 37. URL URL Filtering and Category Match Block Page Continue URL 1 URL URL URL Response Pages HTML Import HTML HTML Export Application Block SSL Decryption Opt-out Enable Enable Restore Block Page Restore Device > Support Support Palo Alto Networks Palo Alto Networks Support Manage Cases Palo Alto Networks Generate Tech Support Download Tech Support File 78 Palo Alto Networks

79 VLAN DHCP 114 DNS 115 VPN 209 IPSec 209 IPSec (QoS) 235 Palo Alto Networks 79

80 Internet LAN (VLAN) default-vwire 1 2 No routing or switching performed User network Internet Palo Alto Networks

81 2 2 VLAN 2 11 Switching between two networks User network Internet IP NAT 12 Routing between two networks / /24 User network Internet (PPPoE) (DSL) DSL PPPoE 3 PPPoE 85 3 DHCP DHCP IP SPAN SPAN SPAN SPAN QoS Palo Alto Networks 81

82 Network > Virtual Wires Virtual Wire Name Interfaces Tags Allowed Multicast Firewalling Link State Pass Through (tag1-tag2) Multicast Firewalling Virtual Wires OK Interfaces 90 Delete Interfaces 39. Interface 2 3 VLAN 2 VLAN VLAN 3 IP Palo Alto Networks

83 39. Interface Aggregate Ethernet QoS Aggregate Ethernet VLAN VLAN VLAN VLAN 3 92 VLAN Tunnel Virtual Wire High Availability GlobalProtect IPSec 3 IP VLAN NAT 90 SPAN URL 95 Palo Alto (HA) 96 HA Network > Interfaces Interfaces IP VLAN VLAN Interfaces none 2 Network > Interfaces > Ethernet VLAN VLAN 84 2 VLAN VLAN 3 92 VLAN 2 Ethernet Palo Alto Networks 83

84 40. 2 Interface Name Interface Type Netflow Profile Comment Config VLAN Virtual System Zone Advanced Link Speed Link Duplex Link State Layer 2 Netflow 58 Netflow VLAN New VLAN 98 VLAN None None New 97 None Mbps (Full) (Half) (Auto) (Up) (Down) (Auto) 2 Network > Interfaces 2 VLAN Add Layer 2 Subinterface Interface Name Tag Netflow Profile Comment ethernetx/y.<1-9999> Netflow 58 Netflow 84 Palo Alto Networks

85 VLAN Zone Virtual System Network > Interfaces > Ethernet 2 VLAN New VLAN 115 None None New 97 None 3 VLAN PPPoE Ethernet Interface Name Interface Type Netflow Profile Comment Config Virtual Router Virtual System Security Zone IPv4 Type Static Layer 3 Netflow 58 Netflow New 98 None None New 97 None IP Static PPPoE DHCP Client ip_address/mask IP Add IP IP Delete Palo Alto Networks 85

86 42. 3 PPPoE DHCP Client PPPoE PPPoE General Enable PPPoE Username Password/Confirm Password Advanced Authentication CHAP PAP Auto PPPoE Static IP Address IP Automatically create default route pointing to peer PPPoE Default Route Metric Access Concentrator Service Passive PPPoE DHCP Client DHCP IP Enable DHCP Automatically create default route point to server DHCP Default Route Metric Show DHCP Client Runtime Info DHCP DHCP IP DNS NTP WINS NIS POP3 SMTP 86 Palo Alto Networks

87 42. 3 IPv6 Enable IPv6 on the interface Interface ID Address Duplicate Address Detection Advanced Link Speed Link Duplex Link State Other Info ARP/Interface Entries ND Entries IPv :26:08:FF:FE:DE:4E:29 Interface ID MAC EUI-64 Add IPv6 Prefix IPv6 Interface ID Anycast Prefix IPv6 (DAD) DAD Attempts DAD Neighbor Solicitation Interval 1-10 Neighbor Solicitation (NS) Interval DAD 1-10 Reachable Time Mbps (Full) (Half) (Auto) (Up) (Down) (Auto) Other Info Management Profile MTU 3 (MTU) MTU (PMTUD) MTU ICMP MTU Adjust TCP MSS (MSS) MTU 40 MSS MSS Untagged Subinterface 3 IP VLAN ARP Add IP (MAC) 3 Add IP MAC Palo Alto Networks 87

88 3 Network > Interfaces 3 VLAN Untagged Subinterface 3 VLAN ISP VLAN ISP IP IP NAT NAT NAT IP IP 3 Add Layer 3 Subinterface Interface Name Tag Netflow Profile Comment Config Virtual Router Virtual System Security Zone IPv4 Type Static ethernetx/y.<1-9999> Netflow 58 Netflow New 98 None None New 97 None IP Static PPPoE DHCP Client ip_address/mask IP Add IP IP Delete 88 Palo Alto Networks

89 43. 3 DHCP Client IPv6 Enable IPv6 on the interface Interface ID Address Duplicate Address Detection Advanced Other Info ARP Entries ND Entries DHCP Client DHCP IP Enable DHCP Automatically create default route point to server DHCP Default Route Metric Show DHCP Client Runtime Info DHCP DHCP IP DNS NTP WINS NIS POP3 SMTP IPv :26:08:FF:FE:DE:4E:29 Interface ID MAC EUI-64 Add IPv6 Prefix IPv6 Interface ID Anycast Prefix IPv6 (DAD) DAD Attempts DAD Neighbor Solicitation Interval 1-10 Neighbor Solicitation (NS) Interval DAD 1-10 Reachable Time Other Info Management Profile MTU 3 (MTU) MTU (PMTUD) MTU ICMP MTU Adjust TCP MSS (MSS) MTU 40 MSS MSS (ARP) IP MAC Add Delete ARP ARP man-in-the-middle Add IP MAC Palo Alto Networks 89

90 Network > Interfaces VLAN Ethernet Interface Name Interface Type Netflow Profile Comment Config Virtual Wire Virtual System Zone Advanced Link Speed Link Duplex Link State Virtual Wire Netflow 58 Netflow New 82 None None New 97 None 10Gbps auto auto (Full) (Half) (Auto) (Up) (Down) (Auto) VLAN/Virtual Wire None OK 90 Palo Alto Networks

91 Network > Interfaces Aggregate 1 Gbps 802.3ad 1 Gbps 10Gbps XFP SFP+ Aggregate VPN VLAN Aggregate Aggregate Aggregate Ethernet Aggregate Aggregate Ethernet 2 3 Aggregate Gig / HA HA3 Aggregate Ethernet 88 3 Add Aggregate Group 45. Aggregate Interface Name Interface Type Comment Virtual System mm.n mm n (1-8) HA Layer 2 41 Layer 3 43 Layer 2 VLAN Layer 3 Virtual Wire HA None Palo Alto Networks 91

92 Aggregate Ethernet Network > Interfaces Aggregate Ethernet ae.number 2 3 Ethernet VLAN 46. Aggregate Ethernet Interface Name Interface Type Netflow Profile Comment Config Virtual System Security Zone Advanced Link Speed Link Duplex Link State Network > Interfaces Aggregate Ethernet Netflow 58 Netflow None New 97 None Mbps (Full) (Half) (Auto) (Up) (Down) (Auto) 2 VLAN VLAN VLAN VLAN VLAN Add 47. VLAN Interface Name Comment Config VLAN Virtual Router Virtual System (1-4999) VLAN New VLAN 115 None New 98 None None 92 Palo Alto Networks

93 47. VLAN Security Zone IPv4 Static DHCP Client ARP Entries IPv6 Enable Interface ID Address Neighbor Discovery Advanced Other Info ARP/Interface Entries ND Entries New 97 None Static IP Add ip_address/mask IP IP DHCP DHCP Enable DHCP Automatically create default route point to server DHCP Default Route Metric Show DHCP Client Runtime Info DHCP DHCP IP DNS NTP WINS NIS POP3 SMTP ARP IP (MAC) Add Delete IPv6 64 IPv6 Prefix IPv6 Interface ID Anycast 85 3 Neighbor Discovery Management Profile MTU MTU PMTUD MTU ICMP MTU Adjust TCP MSS (MSS) MTU 40 MSS MSS ARP Add IP (MAC) 3 Add IP MAC Palo Alto Networks 93

94 Network > Interfaces 3 VLAN Loopback Add 48. Interface Name Comment Config Virtual Router Virtual System Zone MTU Management Profile IPv4 IP Address IPv6 Enable Interface ID Address Advanced Other Info (1-4999) New 98 None None New 97 None MTU PMTUD MTU ICMP MTU Add IP IPv6 64 IPv6 Prefix IPv6 Interface ID Anycast Management Profile MTU 3 (MTU) MTU (PMTUD) MTU ICMP MTU Adjust TCP MSS (MSS) MTU 40 MSS MSS 94 Palo Alto Networks

95 . Network > Interfaces Tunnel Add 49. Interface Name Comment IP Management Profile MTU Virtual Router Virtual System Zone (1-4999) IP 3 MTU PMTUD MTU ICMP MTU IP TCP (MSS) New 98 None None New 97 None Network > Interfaces SPAN 81 Ethernet 50. Interface Name Interface Type Netflow Profile Comment Config Virtual System Zone Tap Netflow 58 Netflow None New 97 None Palo Alto Networks 95

96 HA 50. Advanced Link Speed Link Duplex Link State Mbps (Full) (Half) (Auto) (Up) (Down) (Auto) HA / HA Palo Alto Networks HA HA HA 67 HA HA 51. HA Interface Name Interface Type Comment Advanced Link Speed Link Duplex Link State HA Mbps (Full) (Half) (Auto) (Up) (Down) (Auto) Internet 2 3 VLAN VLAN VLAN Palo Alto Networks

97 13. Network > Zones New 52. Name Location Type Zone Protection Profiles Log Setting Enable User Identification User Identification ACL Include List 31 Layer2 Layer3 Virtual Wire Tap External vsys Layer 2 Layer 3 External vsys IP IP / ip_address/mask /24 IP Palo Alto Networks 97

98 VLAN 52. User Identification ACL Exclude List IP IP / ip_address/ mask /24 IP VLAN Network > VLANs IEEE 802.1Q VLAN 2 VLAN VLAN 2 VLAN VLAN VLAN 3 VLAN 53. VLAN Name VLAN 31 VLAN VLAN Interface VLAN VLAN VLAN 92 VLAN L3 Forwarding Enabled VLAN 3 Interfaces VLAN Static MAC Configuration MAC MAC IP 3 VLAN 3 (RIP) (OSPF) (BGP) 3 98 Palo Alto Networks

99 RIP IP RIP UDP RIP OSPF RIP v2 (LSA) OSPF LSA LSA OSPF RIP (BGP) Internet BGP (AS) IP AS IP BGP (RIB) RIB RIB BGP BGP BGP BGP BGP AS BGP IGP-BGP BGP BGP ID AS AS BGP MD5 AS Palo Alto Networks 99

100 PIMv2 Protocol Independent Multicast Sparse Mode (PIM-SM) PIM Source Specific Multicast (PIM-SSM) IGMP Internet (IGMP) 3 PIM-SM IGMP IGMP v1 v2 v3 PIM IGMP PAN-OS PIM (DR) PIM (RP) PIM IGMP RP (BSR) Palo Alto Networks IPSec IPSec GRE PAN-OS IGMP PIM Multicast QoS DoS Network > Virtual Routers 3 3 VLAN General General Name Interfaces Palo Alto Networks

101 54. - General Admin Distances OSPF OSPF BGP (IBGP) BGP (EBGP) RIP Static Routes IP IPv6 IPv4 IPv6 ( /0) Static Routes Name Destination Interface Next Hop Admin Distance Metric No Install 31 ip_address/mask IP / Next Hop None IP Address IP Discard Next VR ( ) Redistribution Profiles RIP OSPF Redistribution Rules BGP Palo Alto Networks 101

102 56. - Redistribution Profiles Name Priority Redistribute General Filter Type Interface Destination Next Hop OSPF Filter Path Type Area Tag BGP Filter Community Extended Community Add Redistribution Profile Redist No Redist IP x.x.x.x x.x.x.x/n Add IP x.x.x.x x.x.x.x/n Add OSPF OSPF OSPF ID x.x.x.x Add OSPF (1-255) Add BGP BGP RIP (RIP) RIP OSPF RIP Enable Reject Default Route Allow Redist Default Route Interfaces Interface Enable RIP RIP RIP RIP 102 Palo Alto Networks

103 57. - RIP Advertise Metric Auth Profile Mode Timers Interval Seconds (sec) Update Intervals Expire Intervals Delete Intervals Auth Profiles Profile Name Password Type Auth Profiles Export Rules RIP Advertise normal passive send-only RIP Timing (1-60) (1-3600) (1-3600) (1-3600) RIP RIP RIP Simple MD5 Simple MD5 Key-ID (0-255) Key Preferred Add OK Preferred OSPF (OSPF) RIP OSPF OSPF Enable Reject Default Route Router ID RFC 1583 Compatibility Areas Area ID OSPF OSPF OSPF ID OSPF ID OSPF OSPF ID OSPF ID OSPF RFC 1583 OSPF x.x.x.x Palo Alto Networks 103

104 58. - OSPF Type Range Interface Virtual Link Normal Stub (LSA) Accept Summary LSA (1-255) stub stub (ABR) Accept Summary OSPF Stubby ABR LSA NSSA(not so stub area) OSPF LSA Accept Summary LSA (1-255) stub LSA NSSA External Ranges Add Add LSA LSA OK Add OK Interface Enable OSPF Passive OSPF OSPF OSPF LSA Link type OSPF broadcast p2p p2mp p2mp Metric OSPF ( ) Priority OSPF (0-255) OSPF (DR) DR (BDR) DR BDR Auth Profile Timing Neighbors p2pmp IP ( ) Add OK Name Neighbor ID ID Transit Area ID Enable Timing Auth Profile 104 Palo Alto Networks

105 58. - OSPF Auth Profiles Profile Name Password Type Export Rules Allow Redist Default Route Name New Path Type New Tag OSPF OSPF Simple MD5 Simple MD5 Key-ID (0-255) Key Preferred Add OK Preferred OSPF 32 BGP (BGP) BGP Enable Router ID AS Number General Allow Redistribute Default Route Reject Default Route Install Route Aggregate MED Default Local Preference AS Format Always Compare MED Deterministic MED Comparison Auth Profiles BGP IP ID AS BGP BGP BGP (MED) 2-byte 4-byte MED MED IBGP BGP Add Profile Name Secret/Confirm Secret BGP Palo Alto Networks 105

106 59. - BGP Advanced Graceful Restart Reflector Cluster ID Confederation Member AS Dampening Profiles Peer Group Name Enable Aggregated Confed AS Path Soft Reset with Stored Info Stale Route Time Local Restart Time Max Peer Restart Time IPv4 AS AS BGP Profile Name Enable Cutoff Reuse Max. Hold Time Decay Half Life Reachable Decay Half Life Unreachable AS 106 Palo Alto Networks

107 59. - BGP Type Import Next Hop Export Next Hop Import Next Hop Export Next Hop IBGP Export Next Hop EBGP Confed Export Next Hop IBGP Confed Export Next Hop EBGP Next Hop Import Next Hop Export Remove Private AS BGP AS original Next Hop use-peer IP Next Hop resolve Next Hop original Next Hop use-self IP Next Hop Palo Alto Networks 107

108 59. - BGP Peers New Name Enable Peer AS AS Local Address IP Connection Options Passive Connection Auth Profile Keep Alive Interval disabled 30 Multi Hop IP (TTL) ebgp 2 ibgp 255 Open Delay Time TCP BGP Hold Time KEEPALIVE UPDATE disabled 90 Idle Hold Time Peer Address IP Advanced Options Reflector Client Non-Client Client Meshed Client BGP Peering Type Max. Prefixes IP Incoming Connections/Outgoing Connections Allow 108 Palo Alto Networks

109 59. - BGP Import Rules/Export Rules Import Rules/Export Rules BGP Import Rules Export Rules Add General Name Enable Used by Match AS-Path Regular Expression AS Community Regular Expression Extended Community Regular Expression Address Prefix IP MED MED Next Hop From Peer Action Action Allow Deny Local Preference Allow MED MED ( ) Allow Weight Allow ( ). Next Hop Allow Origin IGP EGP incomplete Allow AS Path Limit AS Allow AS Path AS None Remove Prepend Remove and Prepend Allow Community None Remove All Remove Regex Append Overwrite Allow Extended Community None Remove All Remove Regex Append Overwrite Allow Dampening Allow Clone Palo Alto Networks 109

110 59. - BGP Conditional Adv Policy Used by Non Exist Filters Advertise Filters Add Import Rules Export Rules Import Rules Export Rules Aggregate Aggregate Filters Add General Suppress Filters Advertise Filters Aggregate Route Attributes Done Addresses Import Rules Export Rules Redist Rules Redist Rules Add Done Import Rules Export Rules Multicast Multicast Enable Rendezvous Point RP Type (RP) PIM RP RP None RP Static RP IP RP Interface RP Address RP RP Override learned RP for the same group Candidate RP RP Interface RP L3 VLAN RP Address RP IP Priority RP 192 Advertisement interval RP Group list Static Candidate Add RP RP 110 Palo Alto Networks

111 60. - Multicast Remote Rendezvous Point Add IP address RP IP Override learned RP for the same group RP RP Group RP Interfaces Name Interface Group Permissions IGMP Add Any Source Add PIM-SM Source-Specific Add PIM-SSM IGMP IGMP IGMP IGMP Enable IGMP IGMP Version Enforce Router-Alert IP Option IGMPv2 IGMPv3 router-alert IP IGMPv1 Robustness Max Sources 0 = Max Groups Query Configuration Query interval Max Query Response Time Last Member Query Interval Immediate Leave PIM configuration PIM Enable / PIM Assert Interval PIM Hello Interval PIM Join Prune Interval PIM 60 DR Priority BSR Border PIM Neighbors Add PIM Palo Alto Networks 111

112 DHCP Multicast SPT Threshold Name Source Specific Address Space Name Network > Virtual Routers (SPT) kbps Add SPT Multicast Group Prefix (kbps) SPT IP / Threshold (SSM) Add Name Group SSM Included SSM Virtual Routers More Runtime Stats 98 DHCP Network > DHCP DHCP DHCP 3 IP DHCP DHCP IPSec VPN IPSec DHCP IP IPSec VPN 209 IPSec DHCP Server DHCP Relay 61. DHCP DHCP Server Interface Mode 112 Palo Alto Networks

113 DHCP 61. DHCP Ping IP when allocating new IP Lease Inheritance Source Primary DNS Secondary DNS Primary WINS Secondary WINS Primary NIS Secondary NIS Primary NTP Secondary NTP Gateway POP3 Server SMTP Server DNS Suffix IP Pools Reserved Address DHCP Relay Interface IPv4 IPv6 IP Ping Unlimited Timeout DHCP DHCP PPPoE DHCP (DNS) IP Windows Internet (WINS) IP (NIS) IP IP DHCP IP (POP3) IP (SMTP) IP DHCP IP Add IP /24 IP IP Edit Done Delete IP DHCP IP x.x.x.x MAC xx:xx:xx:xx:xx:xx Edit Done Delete IP Enabled IPv4 DHCP DHCP IPv4 Enabled IPv6 DHCP DHCP IPv6 IPv6 Palo Alto Networks 113

114 DNS DNS Network > DNS Proxy IP DNS DNS TCP UDP DNS DNS UDP UDP TCP DNS DNS DNS 62. DNS Name Enable Inheritance Source Primary Secondary Check inheritance source Interfaces DNS Proxy Rules Static Entries DNS 31 DNS DNS DNS DNS IP DHCP PPPoE DNS WINS NTP POP3 SMTP DNS Interface DNS Add Delete DNS Add Name Turn on/off caching of domains resolved by this mapping Domain Name Add Delete DNS *.engineering.local engineering.local Primary/Secondary DNS DNS IP DNS Add Domain Name DNS FQDN DNS Fully Qualified Domain Name (FQDN) Address Add IP Delete 114 Palo Alto Networks

115 62. DNS Advanced Cache DNS Size Timeout DNS TCP Queries TCP DNS Max Pending Requests TCP DNS UDP Queries Retries UDP Interval e Attempts DNS IKE IPSec IKE IPSec VPN 209 IPSec IKE IPSec VPN IKE IKE VPN 1 IPSec VPN 2 IPSec (PBF) IPSec Interface 3 VLAN Flood SYN ICMP UDP IP flood IP Palo Alto Networks 115

116 ICMP ICMP QoS QoS 238 QoS Network > Network Profiles > Interface Mgmt Name Ping Telnet SSH HTTP HTTPS SNMP Response Pages Permitted IP Addresses 31 Response Pages 3 URL IPv4 IPv6 Network > Network Profiles > Zone Protection Palo Alto Networks

117 64. Name 31 Flood - SYN Flood Action SYN flood Random Early Drop SYN flood Alarm Rate Activate Rate SYN Maximal Rate SYN cookie SYN-ACK Alarm Rate Activate Rate Maximal Rate SYN SYN SYN Flood - ICMP Flood Alarm Rate Activate Rate Maximal Rate ICMP (ping) ICMP ICMP ICMP Flood - ICMPv6 Flood Alarm Rate Activate Rate Maximal rate ICMPv6 (ping) ICMPv6 ICMPv6 ICMPv6 ICMPv6 Flood - UDP Flood Alarm Rate Activate Rate Maximal rate UDP UDP UDP UDP UDP Flood - IP Flood Alarm Rate IP Palo Alto Networks 117

118 64. Activate Rate Maximal rate IP IP IP IP - TCP UDP Interval Threshold Action IPv6 Drop Packets with Type 0 Router Header IPv4 Compatible Address Multicast Source Address Anycast Source Address IP address spoof Block fragmented traffic ICMP ping ID 0 ICMP fragment ICMP large packet (>1024) Suppress ICMP TTL expired error Suppress ICMP NEEDFRAG Discard Strict Source Routing Discard Loose Source Routing Discard Timestamp Discard Record Route Allow Alert Block Block IP 0 IPv6 IPv4 IPv6 IPv6 IPv6 IP IP ping ID 0 ICMP 1024 ICMP ICMP TTL ICMP MTU (DF) PMTUD Strict Source Routing IP Loose Source Routing IP Timestamp IP Record Route IP 118 Palo Alto Networks

119 64. Reject non-syn TCP Packet TCP SYN Global CLI Yes SYN TCP No SYN TCP Palo Alto Networks 119

120 120 Palo Alto Networks

121 / 124 (NAT) 126 NAT 130 URL SSH SSH SSH (QoS) QoS 239 QoS 134 (DoS) DoS 135 DoS Palo Alto Networks 121

122 Panorama Web 21 Web Policies Filter Rules Filter Add Clone Rule Clone Rule rulen n Move Up Move Down Move Top Move Bottom Move Enable Highlight Unused Rules Log Viewer Value 122 Palo Alto Networks

123 Policies Policies > Security Policies > Decryption Security Decryption Security Decryption RADIUS User-ID Agent 2. any known-user unknown Select 3. Available User Groups Add User Group Add User Group 4. User Find Add User Additional Users 5. OK Palo Alto Networks 123

124 HTTP Internet deny all Policies > Security Security General Name Tag Source Source Zone Source Address User Source User HIP 31 Add Add Add Address Address Group Regions Add Add (HIP) HIP Palo Alto Networks

125 65. Destination Destination Zone Destination Address Application Application Service/ URL Category Service URL Category Actions Action Setting Profile Setting Add Add Address TCP / UDP any application-default Palo Alto Networks Select Add Service Service Group URL any URL Add 161 URL allow deny URL / Profile Groups Group New 164 Palo Alto Networks 125

126 65. Log Setting Other Settings Log Setting Panorama syslog Log Forwarding Profile New 165 Log At Session Start Log At Session End drop deny Schedule New 166 QoS Marking (QoS) IP DSCP IP QoS QoS 235 Disable Server Response Inspection NAT 3 (NAT) IP IP NAT ARP IP ARP NAT NAT NAT NAT IP Dynamic IP/Port IP IP/ NAT IP IP IP IP/NAT Palo Alto Networks Dynamic IP/port NAT NAT IP NAT IP PA-2000 IP PA-4020 PA-4050 PA-4060 PA Palo Alto Networks

127 Dynamic IP IP NAT IP IP IP Static IP IP IP IP NAT (M) NAT (N) M N N 1 Dynamic IP/Port NAT Dynamic IP NAT TCP UDP Dynamic IP/Port Dynamic IP NAT IP Static IP NAT IP IP M M 66. NAT PAN-OS NAT Dynamic IP/ Port / IP NAT TCP UDP HTTP (service-http) TCP TCP 80 M N 254 Dynamic IP M N 16k Static IP 1 1 M M MIP 1 VIP PAT NAT NAT NAT IP Internet IP IP NAT IP IP NAT NAT NAT NAT NAT NAT IP IP NAT IP NAT Palo Alto Networks 127

128 NAT NAT NAT NAT NAT NAT NAT IP NAT source translation No Source Translation NAT NAT NAT NAT IP IP IP IP NAT Policies > NAT NAT HTTP NAT NAT Name Tag Source Zone Destination Zone Destination Interface Source Address Destination Address Service / Add NAT any NAT IP VLAN IP ISP IP Palo Alto Networks

129 NAT 67. NAT Source Translation Destination Translation IP (address1-address2) Dynamic IP And Port 64K IP 254 IP Dynamic IP 16K IP Static IP None IP IP Translated Port NAT L3Trust IP L3Untrust L3Trust 3 L3Untrust NAT NAT / / 14. NAT IP L3Trust L3Untrust Rule2 L3Untrust NAT NAT NAT IP L3Untrust 15. Palo Alto Networks 129

130 Policies > Policy Based Forwarding IP (PBF) IP ID IP PBF IP PBF PBF Forward-to-VSYS PBF General Name Tag Source Source Zone Source Address Source User Destination/ Application/Service Destination Address 31 Add Add Add Address Address Group Regions Add Add Address Address Group Regions 130 Palo Alto Networks

131 68. Application Service Forwarding Action Egress Interface Next Hop Monitor Schedule Forward IP Forward To VSYS Discard No PBF IP Monitor Profile Disable if unreachable IP Address IP Ping 166 Policies > Decryption (SSL) (SSH) SSH SSH URL ID URL SSL SSL Palo Alto Networks SSL Palo Alto Networks 131

132 CA SSL Device > Certificates Forward Trust Certificate General Name Tag Source Source Zone Source Address Source User Destination Destination Zone Destination Address Options Action Type Category Block sessions that cannot be decrypted 31 Add Add Add Address Address Group Regions Negate Add Add Add Address Address Group Regions Negate decrypt no-decrypt SSL Forward Proxy SSH Proxy SSH sshtunnel App-ID SSH SSL Inbound Inspection SSL Add URL 132 Palo Alto Networks

133 unknown 153 PAN-OS ID IP IP IP IP Policies > Application Override 70. General Name Tag Source 31 Add Source Zone Add Source Address Add Address Address Group Regions Negate Palo Alto Networks 133

134 70. Destination Destination Zone Destination Address Protocol/Application Protocol Port Application Add Add Address Address Group Regions Negate (port1-port2) New Application 153 User-ID Agent Active Directory IP Policies > Captive Portal User Identification Name Tag 31 Add 134 Palo Alto Networks

135 71. Source Source Destination Destination Service/ URL Category Service URL Category Service/Action Action Setting Add Source Address Negate Add Add Destination Address Negate Add TCP / UDP any default Palo Alto Networks Select Add Service Service Group URL any Service/Action URL Add 161 URL captive-portal no-captive-portal ntlm-auth Web NT LAN (NTLM) Web DoS DoS / IP / Palo Alto Networks 135

136 DoS Policies > DoS Protection DoS 72. DoS General Name Shared Tag Source Source Destination Destination Option/Protection Service Action Schedule Aggregate 31 Add Type Interface DoS DoS Zone Add Source Address DoS Negate Add Source User DoS Add Type Interface DoS DoS Zone Add Destination Address DoS Negate Add DoS Deny Allow Protect DoS DoS / DoS DoS 136 Palo Alto Networks

137 72. DoS Classified Profile Address IP IP IP IP 100 source Address IP URL 141 URL DoS (DoS) 147 DoS Default Alert Block Allow Palo Alto Networks 137

138 None Default Alert Drop Drop-all-packets Reset-both Reset-client Reset-server Block-IP - Phone Home DoS Objects > Security Profiles > Antivirus (SMTP) Internet (IMAP) 3 (POP3) Internet Name Antivirus Packet Capture Decoders and Actions Palo Alto Networks

139 73. Applications Exceptions and Actions Virus Exception Threat ID HTTP Block HTTP Allow ID Add ID 178 Objects > Security Profiles > Anti-Spyware Phone Home phone-home Internet Exceptions Anti-Spyware Columns Name Shared Rules Severity Action Packet Capture 31 critical high medium low informational Default Alert Allow Drop Palo Alto Networks 139

140 74. Exceptions Exceptions Enable All Objects > Security Profiles > Vulnerability Protection Internet 124 Rules Exceptions Exception Vulnerability Protection Columns Name Shared Rules Rule Name Threat Name Action Host Packet Capture Category 31 Alert Allow Default Block (any) 140 Palo Alto Networks

141 75. CVE List Vendor ID Severity Exceptions Threats CVE (CVE) CVE CVE-yyyy-xxxx yyyy xxxx ID ID Microsoft ID MSyy-xxx yy xxx 2009 Microsoft MS09 informational low medium high critical Enable All Action Show All Show All Packet Capture FTP ID Vulnerability Custom IP IP IP IP CVE (CVE) URL Objects > Security Profiles > URL Filtering URL URL Web Palo Alto Networks URL 124 URL URL 161 URL Palo Alto Networks 141

142 76. URL Name Shared Action on License Expiration Dynamic URL Filtering Log Container Page Only Block List 31 URL URL Block Allow URL URL URL URL URL URL URL 5 Category and Action Category Action Not resolved URL URL IP URL URL http[s]:// ebay.com *.ebay.com ebay.com /en/US. /? & = ; + ASCII * *.yahoo.com * yahoo com ) www * com ) www yahoo com search * ) * ww*.yahoo.com Palo Alto Networks

143 76. URL Action Allow List Category/Action Check URL Category alert URL block continue Continue override Settings URL Admin Override 28 1 IP URL URL alert URL allow block continue Continue override Settings URL Admin Override 28 1 URL IP Objects > Security Profiles > File Blocking / Name 31 Palo Alto Networks 143

144 77. Shared Rules Add Name 31 Applications any File Types Direction Upload Download Both Action alert block continue forward WildFire continue-and-forward WildFire continue forward Move Up Move Down Edit Delete 78. avi bat bmp-upload cab cmd dll doc docx dwg enc-doc enc-docx enc-ppt enc-pptx enc-office2007 enc-rar enc-xls Microsoft AVI (RIFF) MS DOS Microsoft Windows Microsoft Microsoft Windows Microsoft Office Microsoft Office 2007 Autodesk AutoCAD Microsoft Office Microsoft Office 2007 Microsoft Office PowerPoint Microsoft Office 2007 PowerPoint Microsoft Office 2007 rar Microsoft Office Excel 144 Palo Alto Networks

145 78. enc-xlsx enc-zip exe flv gif-upload gzip hta iso jpeg-upload lha lnk lzh mdb mdi mov mpeg msi msoffice ocx pdf pe pgp pif pl ppt pptx psd rar reg rm rtf sh tar tif torrent Microsoft Office 2007 Excel zip Microsoft Windows Adobe Flash GIF gzip HTML ISO-9660 JPG/JPEG lha / Microsoft Windows lha/lzh / Microsoft Access Microsoft Apple Quicktime MPEG-1 MPEG-2 Microsoft Windows Installer Microsoft Office doc xls ppt pub pst Microsoft ActiveX Adobe Microsoft Windows exe dll com scr ocx cpl sys drv tlb PGP Windows Perl Microsoft Office PowerPoint Microsoft Office 2007 PowerPoint Adobe Photoshop winrar Windows RealNetworks Real Media Windows Unix Unix tar Windows BitTorrent Palo Alto Networks 145

146 78. wmf Windows Metafile wmv Windows Media wri Windows wsf Windows xls Microsoft Office Excel xlsx Microsoft Office 2007 Excel Zcompressed Unix Z uncompress zip Winzip/pkzip Objects > Security Profiles > Data Filtering Name Shared Data Capture 31 Settings Manage Data Protection Palo Alto Networks

147 Add 80. Data Pattern Applications File Types Direction Alert Threshold Block Threshold Data Pattern Data Pattern Name Description Shared Weight SSN# 5 SSN 5 SSN 10 x 5= 50 CC# SSN# SSN# Custom Patterns Add (regex) any Add any Add 100 SSN 5 20 SSN 20 x 5 = SSN 5 20 SSN 20 x 5 = 100 DoS Objects > Security Profiles > DoS Protection DoS DoS DoS DoS DoS 135 DoS Palo Alto Networks 147

148 81. DoS Name Shared Type Flood Protection Syn Flood UDP Flood ICMP Flood Resources Protection Sessions Max Concurrent Limit 31 aggregate DoS (pps) SYN Flood DoS classified DoS IP IP IP SYN flood Choice SYN Flood Random early drop DoS SYN cookies SYN cookies SYN flood Alarm Rate DoS (pps) pps pps Activate Rate DoS (pps) pps pps Maximal Rate Block Duration DoS DoS DoS DoS IP IP IP DoS DoS Palo Alto Networks

149 URL URL URL 161 URL Objects > Addresses Name Shared 63 Palo Alto Networks 149

150 82. Type IPv4 IPv6 FQDN IP Netmask IPv4 IPv6 IP ip_address/mask ip_address mask / / :db8:123:1::1 2001:db8:123:1::/64 IP Range IP Range ip_address-ip_address IPv4 IPv6 2001:db8:123:1::1-2001:db8:123:1::22 FQDN FQDN FQDN FQDN DNS FQDN DNS DNS DNS 114 DNS Objects > Address Groups 83. Name Shared Addresses 63 Add / Objects > Regions / DoS / 150 Palo Alto Networks

151 84. Name Geo Location Addresses 31 xxx.xxxxxx App-Scope 171 IP IP x.x.x.x x.x.x.x-y.y.y.y x.x.x.x/n Applications 1 5 Networking Networking Attribute Technology Objects > Application Filters Palo Alto Networks 151

152 Search Enter 85. Name Additional Information Standard Ports Capable of File Transfer Used by Malware Excessive Bandwidth Use Evasive Widely used Has Known Vulnerabilities Tunnels Other Applications Depends on Applications Category Subcategory Technology Risk Prone to Misuse Web Wikipedia Google Yahoo! Customize (1-5) OK 152 Palo Alto Networks

153 85. Session Timeout TCP Timeout (seconds) UDP Timeout (seconds): Customize OK TCP Customize OK UCP Customize OK ID unknown-tcp unknown-udp HTTP 188 Objects > Applications Applications 86. Configuration Name Shared Category Sub Category Technology Parent App Risk 31 database 275 Top Ten Application Categories 169 database 275 Top Ten Application Categories Palo Alto Networks 153

154 86. Characteristics Advanced Defaults - Port IP Protocol ICMP Type None Timeouts TCP Timeout UDP Timeout Scanning 277 TCP / UDP Port <protocol>/<port> <port> dynamic TCP/dynamic UDP/32 Service app-default TCP UDP IP IP Protocol Internet (ICMP) ICMP Type IPv4 ICMP6 Type IPv None TCP UDP TCP UDP TCP UDP TCP UDP Palo Alto Networks

155 86. Signature Signatures Add Signature Name Comment Scope Ordered Condition Match Add AND Condition Add OR Condition Add Condition Pattern Match Equal To Context Pattern 90 Qualifier and Value / Context TCP UDP Position Mask 4 0xffffff00 Value 4 0xaabbccdd Move Up Move Down Move Up Move Down Import Destination Export Palo Alto Networks 155

156 PAN-OS Command Line Interface Reference Guide - Web Web GET /001/guest/ viewprofile.act?fa=25&tg=m&mg=f&searchtype=zipcode&type=quick&pict=true&cont ext=adrr&zip=94024&ta=34&sb=&item=0&pn=0 HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv: ) Gecko/ Firefox/3.0.7 Accept: text/html,application/ xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO ,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: 001/guest/ search.act?type=quick&pict=true&sb=&fa=25&ta=34&mg=f&tg=m&searchtype=zipcode &zip=94024&context=adrr&context=adrr Cookie: JSESSIONID=A41B41A19B D6E88190B7F0B3D.001; specifiedsite.com/ jumpcookie= *google.com/search?q=lava+life&; locale=en_us; campaign=1; imagenum=2; cftag_logsid= a ; utma= ; utmb= ; utmc= ; utmz= utmcsr=(direct) utmccn=(direct) utmcmd=(none) ; utmv= gender%3df; launch=1 specifiedsite username@hostname# show application specifiedsite specifiedsite { category collaboration; subcategory social-networking; technology browser-based; decoder http; signature { s1 { and-condition { a1 { or-condition { o1 { context http-req-host-header; pattern www\.specifiedsite\.com; } } } } } } } - POST /wp-admin/post.php HTTP/1.1 Host: panqa100.specifiedblog.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv: ) Gecko/ Firefox/3.0.7 Accept: text/html,application/ 156 Palo Alto Networks

157 xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO ,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: panqa100.specifiedblog.com/wp-admin/post.php?action=edit&post=1 Cookie: utma= ; utmb= ; utmc= ; utmz= utmccn=(organic) utmcsr=google utmctr=blog+ho st utmcmd=organic; wordpressuser_bfbaae d9f388265e737a177c8=panqa100; wordpresspass_bfbaae d9f388265e737a177c8=c68a8c4eca c58668eacc05 fc2 Content-Type: application/x-www-form-urlencoded Content-Length: 462 user_id=1&action=editpost&post_author=1&post_id=1&post_title=hello+world%21& post_category%5b%5d=1&advanced_view=1&comment_status=open&post_password=&exc erpt=&content=hello+world.%3cbr+%2f%3e&use_instant_preview=1&post_pingback=1 &prev_status=publish&submit=save&referredby=http%3a%2f%2fpanqa100.specifiedb log.com%2fwp-admin%2f&post_status=publish&trackback_url=&post_name=helloworld&post_author_override=1&mm=3&jj=27&aa=2009&hh=23&mn=14&ss=42&metakeyinp ut=&metavalue=http/1.1 specifiedblog.com specifiedblog.com post_title post-author show application specifiedblog_blog_posting specifiedblog_blog_posting { category collaboration; subcategory web-posting; technology browser-based; decoder http; signature { s1 { and-condition { a1 { or-condition { o1 { context http-req-host-header; pattern specifiedblog\.com; method POST; } } } a2 { or-condition { o2 { context http-req-params; pattern post_title; method POST; } } } a3 { or-condition { o3 { context http-req-params; pattern post_author; method POST; } } } } } } } Palo Alto Networks 157

158 Objects > Application Groups Name Applications 31 Add / Objects > Application Filters Add Networking networking Technology 158 Palo Alto Networks

159 Objects > Services any TCP UDP HTTP HTTPS Name Shared Protocol Destination Port Source Port 63 TCP UDP (port1-port2) (port1-port2) Palo Alto Networks 159

160 Objects > Services Groups Name Service 63 Add Service confidential Confidential CONFIDENTIAL PAN-OS PAN-OS 90..? 0 1 (abc)? * 0 (abc)* + 1 (abc)+ or ((bif) (scr) (exe)) bif scr exe - [c-z] c z c z [ ] [abz]: a b z 160 Palo Alto Networks

161 90. ^ [^abz] a b z { } / {10-20} \ \ &amp & & &amp.*((confidential) (CONFIDENTIAL)) Confidential CONFIDENTIAL.* confidential.*((proprietary &amp Confidential) (Proprietary and Confidential)) Proprietary & Confidential Proprietary and Confidential Confidential.*(Press Release).*((Draft) (DRAFT) (draft)) draft Press Release.*(Trinidad) Trinidad URL Objects > Custom URL Categories URL URL URL URL URL Allow Block Continue Override Alert URL URL URL URL URL * *.example.com Palo Alto Networks 161

162 URL URL 141 URL 91. URL Name Shared Sites URL 31 URL Sites Add URL Import URL Objects > Custom Signatures > Data Patterns Data Patterns Name Shared Weight Custom Patterns Alert Block CC# SSN# SSN# Add 162 Palo Alto Networks

163 Objects > Custom Signatures > Spyware Objects > Custom Signatures > Vulnerability Phone Home HTTP SMTP IMAP FTP POP3 SMB MSSQL MSRPC RTSP SSH SSL Telnet Unknown-TCP Unknown-UDP Custom Signatures Configuration Threat ID Name Shared Comment Severity Default Action Direction Affected System CVE Vendor Bugtraq Reference Alert Drop Packets Reset Both Reset Client Reset Server Block IP (CVE) bugtraq CVE ACC Palo Alto Networks 163

164 93. - Signature Standard Signature Combination Signature Standard Add Standard Comment Ordered Condition Match Scope Add AND Condition Add OR Condition Add Condition Method Context Pattern Move Up Move Down Move Up Move Down Combination Combination Signatures Add AND Condition Add OR Condition Add Condition Method Context Pattern Move Up Move Down Move Up Move Down Time Attribute Number of Hits (1-3600) (1-1000) Aggregation Criteria IP IP IP Objects > Security Profile Groups URL Palo Alto Networks

165 94. Name Shared Profiles 31 URL / 146 Objects > Log Forwarding Panorama / SNMP syslog, Name Shared Traffic Settings Panorama SNMP Trap Syslog 31 Panorama Panorama 28 SNMP syslog / 54 SNMP Syslog Palo Alto Networks 165

166 95. Panorama SNMP Trap Syslog Panorama Critical High Medium URL Low Informational SNMP syslog / Objects > Schedules Name Shared Recurrence Daily Weekly Non-recurring 31 Daily Weekly Non-Recurring Add 24 (HH:MM) Add 24 (HH:MM) Add 166 Palo Alto Networks

167 Botnet 183 PDF Palo Alto Networks 167

168 Dashboard Dashboard 10 Refresh 1 min 2 mins 5 mins Manual 97. Top Applications Top High Risk Applications General Information Interface Status Threat Logs Config Logs Data Filtering Logs URL Filtering Logs System Logs Resource Information Logged In Admins ACC Risk Factor High Availability Top Applications PAN-OS URL 10 ID ID URL URL 10 Web CLI 60 URL Config installed CPU IP Web CLI 1 5 (HA) HA HA 67 HA 168 Palo Alto Networks

169 ACC Application Command Center (ACC) ACC ACC Go a. b. Time Frame c. Sort By d. Top N Set Filter OK Palo Alto Networks 169

170 4. 5. Applications URL Filtering Threat 98. Applications URL Filtering Threats Data Filtering HIP Applications Technology Risk URL URL URL URL URL URL ID Threats / HIP HIP 170 Palo Alto Networks

171 Monitor > App Scope Monitor App-Scope Palo Alto Networks 171

172 99. Summary Change Monitor Threat Monitor Threat Map Network Monitor Traffic Map Palo Alto Networks

173 Palo Alto Networks 173

174 100. None Palo Alto Networks

175 Palo Alto Networks 175

176 / Zoom Out Palo Alto Networks

177 103. None Palo Alto Networks 177

178 104. Monitor > Logs URL (HIP) 41 Monitor Host Web Browsing AND Add Log Filter (AND/OR) Add Close Apply Filter 178 Palo Alto Networks

179 Expression in Last 60 seconds Clear Filter Save Filter OK Save Filter OK 1 min 30 seconds 10 seconds Manual Rows 10 Resolve Hostname IP 24. Addresses IP IP IP Palo Alto Networks 179

180 105. Traffic Threat URL Filtering Data Filtering Configuration System HIP allow deny drop ICMP Count Type dropanydeny not-applicable URL allow block Count Type virus spywarename URL Category keylogger URL 137 URL URL URL 141 URL 146 OK 77 IP Web CLI GlobalProtect Palo Alto Networks

181 Botnet Monitor > Session Browser Session Browser 178 Botnet Botnet Botnet botnet URL DNS 30 Internet (IRC) botnet 1 5 botnet Monitor > Botnet botnet Botnet Configuration 106. Botnet HTTP IRC Enable Malware URL visit botnet URL URL Use of dynamic DNS botnet DNA Browsing to IP domains IP URL Browsing to recently registered domains 30 Executable files from unknown sites URL TCP UDP Sessions per Hour Destinations per Hour Minimum Bytes Maximum Bytes IRC Palo Alto Networks 181

182 Botnet Botnet Monitor > Botnet > Report Setting botnet botnet 181 Botnet IP Run Now Botnet botnet Botnet Report Setting Export to PDF Export to CSV 107. Botnet 24 # Rows Scheduled Query Negate Botnet Run Now Add Connector (AND/OR) Attribute Operator Value 182 Palo Alto Networks

183 PDF PDF Monitor > PDF Reports PDF PDF Palo Alto Networks 183

184 PDF PDF New Manage PDF Summary Reports 26. PDF 18 Save OK PDF PDF Summary Report 184 Palo Alto Networks

185 Monitor > PDF Reports > User Activity New 108. Name User Time frame 31 IP IPv4 IPv6 Edit Run Monitor > PDF Reports > Report Groups PDF 109. Report Group Name Title Page Custom Title Report selection 31 Add Palo Alto Networks 185

186 Monitor > PDF Reports > Scheduler :00 AM 110. Name Report Group Recurrence Profile Override Recipient (s) Monitor 50 Monitor Select CSV Export to CSV PDF Export to PDF PDF 186 Palo Alto Networks

187 Monitor > Manage Custom Reports Reports Add Load Template 111. Name Database Time Frame Sort By Group By Scheduled Columns Query and Query Builder 31 Custom amount amount Reports Available Selected Add Connector (and/or) Attribute Operator = Value Traffic Log 24 untrust Negate 24 untrust Palo Alto Networks 187

188 Palo Alto Networks Web (ACC) ACC 27. ACC Monitor Reports 188 Palo Alto Networks

189 unknown-tcp S Palo Alto Networks App-ID Palo Alto Networks App-ID TCP UDP IP 133 App-ID Palo Alto Networks App-ID IP Palo Alto Networks Internet Palo Alto Networks Internet URL (PCAP) [email protected] Palo Alto Networks 189

190 ACCunknown Incomplete Insufficient-Data Monitor > Packet Capture PAN-OS Clear All Settings 112. Filtering Manage Filters Filtering Pre-Parse Match Manage Filters Add Id Ingress Interface Source IP Destination IP Src Port Dest Port Proto Non-IP IP IP IP IP IP IPv6 IPv6 ON 190 Palo Alto Networks

191 112. Capture Files Capturing Capture Settings Add Stage drop firewall receive transmit File Packet Count Byte Count Palo Alto Networks 191

192 192 Palo Alto Networks

193 User-ID Agent 203 (User-ID) Palo Alto Networks User-ID IP User-ID LDAP User-ID User-ID User-ID Agent Active Directory (AD) Microsoft Windows Microsoft Exchange Palo Alto Networks 193

194 Microsoft Windows Windows Management Instrumentation (WMI) Microsoft Windows XML API User-ID XML over SSL User-ID HTTP Web Web NTLM Web Microsoft Agent Microsoft Active Directory Novell edirectory LDAP LDAP over SSL (LDAPS) User-ID User-ID Agent User-ID Agent PAN-OS User-ID Agent User-ID Agent 10 Microsoft Windows Server Agent User-ID Agent 194 Palo Alto Networks

195 User-ID Agent Agent User-ID Agent WMI NetBios PAN-OS TS Microsoft LDAP LDAP LDAP (User-ID Agent) Palo Alto Networks IP User-ID Agent IP IP Active Directory IP Active Directory IP edirectory IP edirectory User-ID Agent Windows Management Instrumentation (WMI) (NetBIOS) PC IP 20 IP IP Palo Alto Networks 195

196 User-ID Agent (API) IP User-ID Agent LDAP LDAP User-ID Agent LDAP NAT IP IP NAT User-ID Agent TS User-ID Agent IP User-ID Agent 203 User-ID Agent IP Web NT LAN (NTLM) Web Web Web HTTP Web web form Web NTLM Internet Explorer Firefox NTLM Web HTTP IP Device > User Identification User-ID Agents IP 196 Palo Alto Networks

197 Terminal Services 203 Group Mappings Settings Captive Portal User-ID Agent User-ID Agents Name Virtual System IP Address Port Use as LDAP Proxy Use for NTLM Authentication Disabled Terminal Services Agent Name Virtual system Host Port Alternative IP Addresses User-ID Agent 31 User-ID Agent Windows PC IP User-ID Agent User-ID Agent LDAP User-ID Agent Active Directory NTLM TS 31 TS Windows PC IP IP User-ID Agent IP IP IP Palo Alto Networks 197

198 113. User-ID Agent Group Mapping Settings Name Virtual system Server Profile 31 LDAP Search Filter LDAP Object Class objectclass=group objectclass=group Group Name Active Directory CN Group Member Active Directory member Search Filter LDAP Object Class Active Directory objectclass user User Name Active Directory samaccountname Group Include List Available Groups Included Captive Portal Settings Enable Captive Portal Location Idle Timer Timer Redirect Host Server Certificate Client Certificate Authentication Profile HTTP NTLM HTTP SSL 198 Palo Alto Networks

199 User-ID Agent 113. User-ID Agent NTLM Authentication Mode NTLM Attempts NTLM Timeout NTLM Reversion Time User- ID Agent NTLM cookie cookie Cookie Enable Timeout Enable Roaming IP cookie Roaming cookie User-ID Agent User-ID Agent Active Directory edirectory IP Palo Alto Networks User-ID Agent Windows PC IP User-ID Agent ISP User-ID Agent User-ID Agent Windows XP Vista Windows Windows 2003 Server Windows 2008 Server Palo Alto Networks 199

200 User-ID Agent PC 196 User-ID Agent 137 User-ID Agent User-ID Agent User-ID Agent 1. Start > All Programs > Palo Alto Networks > User-ID Agent 29. User-ID Agent 200 Palo Alto Networks

201 User-ID Agent Agent Status User-ID Agent Connected Devices User-ID Agent Connected Servers User-ID Agent User-ID Agent 1. Start > All Programs > Palo Alto Networks > User Identification Agent 2. Setup Edit Authentication Active Directory WMI NetBIOS edirectory Server Monitor Windows 1 10 Novell edirectory 30 Client Probing WMI Enable WMI Probing NetBIOS Enable NetBIOS Probing 20 0 Palo Alto Networks 201

202 User-ID Agent WMI Pan Agent PC Windows NetBIOS PC Windows 139 Cache ID 45 Agent Service ID ID XML API TCP API edirectory Search Base dc=domain1, dc=example, dc=com Bind Distinguished Name LDAP cn=admin, ou=it, dc=domain1, dc=example, dc=com Bind Password Search Filter LDAP objectclass=person Search Interval User-ID Agent Server Domain Prefix Use SSL SSL edirectory SSL Verify Server Certificate SSL edirectory Enable Group Cache User-ID Agent 4. Save User-ID Agent OK User-ID Agent User-ID Agent Cancel DNS Discover User-ID Agnet Servers Add Edit IP Microsoft Active Directory Microsoft Exchange Novell edirectory 202 Palo Alto Networks

203 Include/exclude lists of configured networks Add Edit Auto Discover DNS User-ID Agent IP Monitoring User-ID Agent Logs User-ID Agent User-ID Agent PC Control Panel Add or Remove Programs User Identification Agent PC config.xml User-ID Agent TS IP TS TCP/UDP TS TS TCP/UDP TCP/UDP TS TCP/UDP ID 196 TS Microsoft Terminal Services 2003 Microsoft Terminal Services 2008 Citrix Metaframe Presentation Server 4.0 Citrix Metaframe Presentation Server 4.5, Citrix XenApp 5, 6 TS Palo Alto Networks 203

204 3. TS TS TS TS TS 4. TS 5. Terminal Server Agent TS 1. Start TS 2. Terminal Server Agent 31. Terminal Server Agent - TS Palo Alto Networks Device IP IP Connection Status Connected DisconnectedConnecting TS Connection List 3. TS Enable Device Access Control List IP Add Remove Save 204 Palo Alto Networks

205 4. Configure 32. Terminal Server Agent - Configure 5. Save 114. Terminal Server Agent System Source Port Allocation Range System Reserved Source Ports Listening Port UDP TCP Palo Alto Networks 5009 Palo Alto Networks 205

206 114. Terminal Server Agent Source Port Allocation Range Reserved Source Ports Port Allocation Start Size Per User Port Allocation Maximum Size Per User Fail port binding when available ports are used up TS ,3500, TS 200 TS TS 200 Port Allocation Start Size Per User TS System Source Port Allocation Range ID 6. Monitor 33. Terminal Server Agent - Monitor 206 Palo Alto Networks

207 Terminal Server Agent User Name Ports Range Ports Count 8. Refresh Ports Count Ports Count Refresh Interval TS , Port Allocation Start Size Per User Port Allocation Maximum Size Per User Terminal Server Agent Configure Monitor Restart Service Show Logs Debug Exit Help Configuration Monitor Terminal Server Agent TS None Error Information Debug Verbose TS TS TS Add/Remove Programs Terminal Server Agent Palo Alto Networks 207

208 208 Palo Alto Networks

209 8 IPSec (VPN) IP (IPSec) VPN VPN IPSec 211 IPSec IKE 212 IPSec VPN 218 VPN Palo Alto Networks IPSec 209

210 (VPN) (LAN) IP (IPSec) VPN TCP/IP IPSec IPSec VPN Secure Socket Layer (SSL) VPN VPN VPN 9 GlobalProtect IPSec IPSec Firewall Switch Router Internet Router Switch Firewall IPSec tunnel Local network Local network 34. IPSec VPN Palo Alto Networks Palo Alto Networks VPN IP VPN VPN VPN IP VPN VPN ID 2 ID 215 IPSec IPSec IP IP IP IP IP IPSec IPSec (SA) (SPI) IP IPSec SA 210 IPSec Palo Alto Networks

211 IPSec IKE IPSec VPN SSL-VPN IPSec VPN 223 GlobalProtect SSL-VPN IPSec VPN Palo Alto Networks SSL-VPN Web SSL Web SSL-VPN IPSec VPN VPN VPN VPN 10 IPSec IPSec IPSec IKE IPSec VPN Internet (IKE) IPSec IKE IKE IPSec IP ID IP PKI Palo Alto Networks IKE IKE IKE Diffie-Hellman Palo Alto Networks IPSec 211

212 IPSec VPN IPSec IKE IKE IKE 1 IKE IKE SA IKE 2 1 SA IPSec IPSec SA IPSec IKE IPSec IKE SA IKE SA Diffie-Hellman (DH) Group IKE DH Encryption Hash Algorithm Lifetime IPSec SA Encapsulating Security Payload (ESP) Authentication Header (AH) Perfect Forward Security (PFS) Diffie-Hellman (DH) group IPSec DH Lifetime IPSec IKE 215 IPSec 217 IPSec IPSec VPN IPSec VPN 218 VPN IPSec VPN IKE IKE 214 IKE 212 IPSec Palo Alto Networks

213 IPSec VPN 3. IKE SA VPN IKEv1 Phase IPSec IKEv1 Phase IPSec 4. IPSec VPN 215 IPSec 5. IPSec (RIP) (OSPF) Outgoing traffic entering the tunnel Incoming traffic egressing the tunnel VPN VPN VPN VPN IKE IPSec IKE IPsec Palo Alto Networks IPSec 213

214 IPSec VPN IKE Network > Network Profiles > IKE Gateways IKE Gateways IKE 117. IKE Name Interface Local IP Address Peer Type Peer IP Address Pre-Shared Key 31 IP IP Static IP Show advanced Phase 1 options Local Identification (FQDN) ID FQDN IP Peer Identification FQDN ID FQDN IP Exchange Mode IKE Crypto Profile Passive Mode IKE NAT Traversal IKE UDP UDP NAT IPSec VPN NAT NAT Dead Peer Detection ICMP ping IKE auto 214 IPSec Palo Alto Networks

215 IPSec VPN IPSec Network > IPSec Tunnels IPSec Tunnels IPSec VPN 118. IPSec General Name Tunnel Interface 31 New 95 Type Auto Key Manual Key Proxy ID Proxy ID Local Remote Auto key Auto Key IKE Gateway IKE 214 IKE IPSec Crypto Profile New 217 IPSec Manual Key Local SPI (SPI) SPI IPSec IPSec Interface Local Address IP Remote SPI (SPI) Protocol ESP AH Authentication SHA1 SHA256 SHA384 SHA512 MD5 None Key/Confirm Key Encryption 3des aes128 aes192 aes256 null [ ] Key/Confirm Key IP ip_address/mask /24 IP ip_address/mask /24 Palo Alto Networks IPSec 215

216 IPSec VPN 118. IPSec Proxy IDs IPSec VPN IPSec VPN any TCP / UDP TCP TCP UDP UDP Number ID IPSec VPN 1 / IPSec IP IP IPSec 1 IP IP IPSec ID IPSec ID IKE Network > Network Profiles > IKE Crypto IKE Crypto Profiles IPSec SA (IKEv1 Phase-1) VPN IKE DH Group Authentication Encryption Lifetime Diffie-Hellman (DH) Add group14 group2 Add md5 sha1 sha256 sha384 sha512 sha1 Encapsulating Security Payload (ESP) Add aes256 aes192 aes128 3des aes256 aes192 aes128 3des 216 IPSec Palo Alto Networks

217 IPSec VPN IPSec Network > Network Profiles > IPSec Crypto IPSec Crypto Profiles IPSec SA (IKEv1 Phase-2) VPN IPSec Name IPSec DH Group Lifetime Lifesize 31 ESP Encryption Add ESP aes256 aes192 aes128 3des Authentication Add ESP md5 sha1 sha256 sha384 sha512 none AH Authentication Add AH md5 sha1 sha256 sha384 sha512 DH 1 Network > Network Profiles > Monitor IPSec IPSec Tunnels IP (PBF) IP IP wait-recover PBF fail-over Palo Alto Networks IPSec 217

218 VPN 121. Name Action Interval Threshold 31 wait-recover fail-over IPSec IPSec Network > IPSec Tunnels IPSec VPN IPSec Tunnels Tunnel Status IPSec SA IPSec SA IKE Gateway Status IKE 1 SA IKE 1 SA Tunnel Interface Status "UP" "DOWN" VPN VPN VPN 221 VPN 218 IPSec Palo Alto Networks

219 VPN IP ethernet1/1 ISP HQ /16 ethernet1/5 (IP ) server HQ IP ethernet1/2 ISP-branch branch PC /24 ethernet1/10 branch-office branch ethernet1/2 branch-office ISP-branch PC Internet Headquarters firewall Branch office firewall eth1/ /16 Zone: server Virtual router: HQ eth1/ Zone: ISP Virtual router: HQ Internet eth1/ Zone: ISP-branch Virtual router: branch /24 PC network eth1/ /24 Zone: branch-office Virtual router: branch /16 Server farm 35. VPN - branch-vpn tunnel.1 branch-vpn /24 IP /24 tunnel.1 branch-vpn server Palo Alto Networks IPSec 219

220 VPN central-vpn tunnel.2 central-vpn / 24 IP /16 tunnel.2 branch central-vpn Headquarters firewall Branch office firewall /16 Server farm eth1/ /16 Zone: server Virtual router: HQ eth1/ Zone: ISP Virtual router: HQ Internet Tunnel interface: tunnel /24 Zone: branch-vpn Virtual router: HQ eth1/ Zone: ISP-branch Virtual router: branch Tunnel interface: tunnel /24 Zone: central-vpn Virtual router: branch /24 PC network eth1/ /24 Zone: branch-office Virtual router: branch VPN 36. VPN - IKE branch-1-gw Peer-address Local-address ethernet1/1 Peer-ID FQDN branch1.my.domain Authentication pre-shared-key newvpn Protocol IPSec branch-1-vpn ike-gateway-profile branch-1-gw ipsec-crypto-profile Tunnel interface tunnel / IPSec Palo Alto Networks

221 VPN IKE central-gw Peer-address Local-address ethernet1/2 Local-ID FQDN branch1.my.domain Authentication pre-shared-key newvpn Protocol IPSec central -vpn ike-gateway-profile central-gw ipsec-crypto-profile Tunnel interface tunnel.2 branch-1-gw peer-address local-id peer-id IKE VPN proxy-id VPN VPN VPN 220 VPN VPN ping ping 3. ping (ethernet1/5) ping 4. ping (ethernet1/10) ping 5. CLI test vpn ike-sa gateway central-gw show vpn ike-sa gateway central-gw IKE 1 SA Palo Alto Networks IPSec 221

222 VPN 6. CLI show vpn ike-sa gateway branch-1-gw IKE 1 SA 7. CLI test vpn ipsec-sa tunnel central-vpn show vpn ipsec-sa tunnel central-vpn IKE 2 SA 8. CLI show vpn ipsec-sa tunnel branch-1-vpn IKE 2 SA 9. ethernet1/5 IP / PC traceroute 11. PC ping CLI show vpn flow 12. syslog IKE debug ike pcap PCAP IKE 222 IPSec Palo Alto Networks

223 9 GlobalProtect GlobalProtect 224 GlobalProtect 232 GlobalProtect GlobalProtect GlobalProtect Palo Alto Networks (HIP) HIP GlobalProtect Palo Alto Networks GlobalProtect Palo Alto Networks GlobalProtect 1. SSL GlobalProtect GlobalProtect 2. (DNS) 3. SSL Palo Alto Networks GlobalProtect 223

224 GlobalProtect 4. IPSec SSL IPSec IPSec 5. HIP GlobalProtect HIP HIP HIP HIP HIP HIP HIP HIP (CA) HIP HIP HIP HIP (ACC) GlobalProtect GlobalProtect SSL (CA) CA CA CA CA CA CA GlobalProtect CA CA CA GlobalProtect GlobalProtect 1. HIP 225 HIP 2. HIP 227 HIP GlobalProtect GlobalProtect 5. HIP GlobalProtect 233 GlobalProtect GlobalProtect Palo Alto Networks

225 GlobalProtect HIP Objects > GlobalProtect > HIP Objects GlobalProtect HIP HIP HIP 122. HIP General Name Shared Host Info Domain OS Client Versions Patch Management Patch Management Criteria Vendor Firewall Firewall HIP 31 GlobalProtect (OS) OS HIP Is Enabled (yes) (no) Is Installed Severity Check Patches Add Add Add OK Patch Management Is Enabled (yes) (no) Is Installed Vendor and Product Add Add OK Firewall Exclude Vendor Palo Alto Networks GlobalProtect 225

226 GlobalProtect 122. HIP Antivirus Antivirus Anti-Spyware Anti-Spyware Disk Backup Disk Backup Disk Encryption Disk Encryption Real-time Protection Is Installed Virus Definition Version Within Not Within Product Version Last Scan Time Within Not Within Vendor and Product Add Add OK Antivirus Exclude Vendor Real-time Protection Is Installed Virus Definition Version Within Not Within Product Version Last Scan Time Within Not Within Vendor and Product Add Add OK Anti-Spyware Exclude Vendor Is Installed Last Backup Time Within Not Within Vendor and Product Add Add OK Disk Backup Exclude Vendor 226 GlobalProtect Palo Alto Networks

227 GlobalProtect 122. HIP Criteria Vendor Custom Checks Process List Registry Key Plist HIP Objects > GlobalProtect > HIP Profiles Is Installed Encrypted Locations Add Encrypted Locations State OK Disk Encryption Add Add OK Disk Encryption Add Add Plist MacOS plist HIP 225 HIP GlobalProtect HIP HIP HIP 123. HIP Name Shared Match 31 HIP HIP Add Match Criteria HIP AND OR NOT HIP Palo Alto Networks GlobalProtect 227

228 GlobalProtect GlobalProtect Network > GlobalProtect > Portals GlobalProtect 124. GlobalProtect Name Location Authentication Profile Client Certificate Server Certificate Client Certificate Profile Custom Login Page Custom Help Page Interface IP Address Client Configuration General subtab settings GlobalProtect SSL GlobalProtect Web IP Add General Configs On demand Use single sign-on GlobalProtect Windows GlobalProtect Third Party VPN Clients Add VPN GlobalProtect Internal Host Detection GlobalProtect IP GlobalProtect Gateways DNS IP Address IP Hostname IP Source User 228 GlobalProtect Palo Alto Networks

229 GlobalProtect 124. GlobalProtect Gateways Agent Cutoff Time 0 Internal Gateways HIP External Gateways Enable advanced view GlobalProtect UI User can save password Passcode/Confirm Passcode Agent User Override disabled with-comment GlobalProtect with-passcode GlobalProtect with-ticket GlobalProtect GlobalProtect GlobalProtect GlobalProtect Agent User Override Timeout Max Agent User Overrides GlobalProtect Display Welcome Page Welcome Page Import None Display Welcome Page Allow user to manually rediscover network location Allow user to manually resubmit host information HIP Client Upgrade (prompt) (transparent) Palo Alto Networks GlobalProtect 229

230 GlobalProtect 124. GlobalProtect Data Collection Root CA GlobalProtect Network > GlobalProtect > Gateways GlobalProtect Max Wait Time Exclude Categories Add Add OK Custom Checks Registry Key (Windows) Add Plist (Mac) Add plist Process List Add GlobalProtect CA CA Add CA 125. GlobalProtect Name Location Server Certificate Authentication Profile Client Certificate GlobalProtect Palo Alto Networks

231 GlobalProtect 125. GlobalProtect Tunnel Mode Timeout Configuration Gateway Address Client Configuration Inheritance Source Primary DNS Secondary DNS Primary WINS Secondary WINS Check inheritance status IP Pool Tunnel Interface Max Users Enable IPSec IPSec IPSec SSL-VPN Enable 3rd Party VPN Support IPSec GlobalProtect (X-Auth) VPN X-Auth GlobalProtect VPN VPN Login Lifetime Inactivity Logout Interface IP Address / HA IP DHCP PPPoE DNS GlobalProtect Inheritance Source DNS WINS DNS IP Windows Internet (WINS) IP Add IP IP IP IP IP / IP / Palo Alto Networks GlobalProtect 231

232 GlobalProtect 125. GlobalProtect DNS Suffix Access Route HIP Notification HIP Notification Add Move Up Move Down Remove Add VPN VPN Internet Internet Add Add Enable Shown Notification As Rich HTML HIP GlobalProtect Devices > GlobalProtect Client GlobalProtect Client GlobalProtect GlobalProtect GlobalProtect 1. Download Close 2. Activate 3. Upload Activate from File OK 4. Remove 232 GlobalProtect Palo Alto Networks

233 GlobalProtect GlobalProtect GlobalProtect PanGP GlobalProtect GlobalProtect PanGP > > Palo Alto Networks > GlobalProtect > GlobalProtect Settings 37. GlobalProtect - Settings 2. GlobalProtect Remember Me 3. GlobalProtect IP 4. Apply GlobalProtect GlobalProtect Status tab Details tab IP Host State tab HIP Palo Alto Networks GlobalProtect 233

234 GlobalProtect Troubleshooting Network Configurations Routing Table GlobalProtect Sockets Logs GlobalProtect PanGP PanGP Start Stop 234 GlobalProtect Palo Alto Networks

235 10 (QoS) QoS 238 QoS 239 QoS 242 QoS QoS QoS QoS QoS QoS QoS Aggregate Ethernet QoS QoS QoS Network QoS 236 QoS QoS QoS 238 QoS QoS Policies Policies QoS 239 QoS Palo Alto Networks 235

236 QoS QoS QoS QoS 4 QoS QoS Network > QoS QoS 126. QoS Physical Interface Interface Name Maximum Egress Turn on QoS feature on this interface Default Profile: Clear Text Tunnel Interface Tunneled Traffic Clear Text Traffic Guaranteed Egress Maximum Egress (Mbps) QoS QoS QoS 238 QoS Tunneled Traffic Clear Text Traffic Detail Configuration (Mbps) 236 Palo Alto Networks

237 QoS 126. QoS Groups Group Configuration 45 Mbps T1 T1 QoS 45 Mbps Clear Text Add Name Source Interface Source Subnet any QoS Profile QoS QoS 238 QoS QoS Move Up Move Down Tunneled Traffic Add Tunnel Interface QoS Profile QoS Remove Palo Alto Networks 237

238 QoS QoS Network > Network Profiles > QoS Profiles QoS QoS QoS 236 QoS QoS 239 QoS 127. QoS Profile Name Egress Guaranteed Egress Max Classes 31 (Mbps) (Mbps) QoS Class QoS QoS QoS 4 Priority Egress Max (Mbps) Egress Guaranteed (Mbps) 238 Palo Alto Networks

239 QoS QoS Policies > QoS QoS QoS 4 QoS 236 QoS 238 QoS Virtual System Go Filter Rules Source Zone / Destination Zone Filter by Zone Panorama QoS Add Rule Clone Rule Clone Rule 128. QoS General Name Tag Source 31 Add Source Zone any Palo Alto Networks 239

240 QoS 128. QoS Source Address Source User Negate Destination IPv4 IPv6 select Available / Add Selected Search Available Add IP <ip_address>/<mask> Selected Remove any New Address QoS Destination Zone any Destination Address Negate Application Application IPv4 IPv6 select Available / Add Selected Search Available Add IP <ip_address>/<mask> Selected Remove any New Address QoS Palo Alto Networks

241 QoS 128. QoS Service/ URL Category Service URL Category Other Settings Class Schedule TCP / UDP any application-default Palo Alto Networks Select Add Service Service Group QoS URL any URL QoS Add 161 URL QoS OK QoS QoS 238 QoS QoS Palo Alto Networks 241

242 QoS QoS Network > QoS QoS Policies QoS QoS 38. QoS QoS QoS Bandwidth Session Browser / Application View QoS / 242 Palo Alto Networks

243 11 Panorama Panorama 244 Panorama 245 Panorama 245 Panorama 246 SSL 246 Panorama HA Panorama 251 Panorama Palo Alto Networks Panorama 243

244 Panorama VMware Panorama VMware Server VMware ESX(i) 4.x 3.5 (OVF) VMware ESX(i) 4.x 3.5 2GHz CPU VMware Server VMware Server VMware ESX(i) 2-4 GB RAM GB VMware vsphere Client 4.x VMware Infrastructure Client 3.5 Panorama Panorama Panorama Panorama zip Panorama Panorama Panorama 1. Panorama zip panorama-esx.ovf 2. VMware vsphere Client VMware 3. File > Deploy OVF Template 4. Panorama panorama-esx.ovf Next 5. Next 6. Panorama Next 7. Panorama Next 8. Thick provisioned format Next 9. Finish 10. Panorama Power On Panorama 244 Panorama Palo Alto Networks

245 Panorama Panorama Panorama 1. admin admin CLI CLI 2. IP 显示系统信息 3. CLI 配置 4. set deviceconfig system ip-address <Panorama-IP> netmask <netmask> default-gateway <gateway-ip> dns-setting servers primary <DNS-IP> <Panorama-IP> IP <netmask> <gateway-ip> IP <DNS-IP> (DNS) IP 5. commit exit 6. (<target-ip>) ping host <target-ip> ping Internet Ping Panorama Panorama 1. Web IP address> Palo Alto Networks 2. Name Password admin Login 3. Panorama > Administrators > admin 4. Old Password admin 5. New Password 15 Confirm New Password 6. OK Panorama Palo Alto Networks Panorama 245

246 SSL 8. Panorama Panorama IP SSL Panorama SSL SSL Panorama 1. Panorama > 2. Generate Import 3. OK 4. Commit Panorama Panorama 10 GB VMware Server 950 GB ESX ESXi 2TB 1. VMware Panorama 2. Edit Settings 3. Add Add Hardware wizard 4. Hard Disk Next 5. Create a new virtual disk Next 6. Virtual Disk Type SCSI Next 7. Location Specify a datastore Browse 8. Finish RAID RAID Panorama Palo Alto Networks

247 9. Panorama Panorama Panorama 10 GB Panorama > Setup > Storage Partition Setup Panorama Panorama NFS Panorama Setup Storage Partition Setup Panorama 129. Internal NFS v3 Panorama NFS Server NFS (FQDN) IP Log Directory Protocol NFS UDP TCP Port NFS Read Size NFS Write Size NFS Copy On Setup Panorama NFS Test Logging Partition NFS Palo Alto Networks Panorama 247

248 HA HA Panorama > High Availability Panorama HA Panorama Panorama Panorama Preemption HA HA Panorama Panorama HA Panorama Network File System NFS NFS Local Logging Panorama HA 130. Panorama HA Setup Enable HA Peer HA IP Address Enable Encryption Monitor Hold Time (ms) HA Control Link HA1 IP Panorama Panorama HA 28769/tcp 49160/tcp 49960/tcp 49969/tcp (ms) ms 3000 ms 248 Panorama Palo Alto Networks

249 HA 130. Panorama HA Election Settings Priority Preemptive Preemption Hold Time (min) Promotion Hold Time (ms) Hello Interval (ms) Heartbeat Interval (ms) Monitor Fail Hold Up Time (ms) Additional Master Hold Up Time (ms) Path Monitoring Enabled Failure Condition Path Groups Primary Secondary Panorama ms ms 8000 Panorama ICMP Ping HA ms 1000 Panorama 0 ms 7000 ms ICMP Ping Panorama IP Add Name Enabled Failure Condition Ping interval ICMP ms 5000 Destination IPs Delete HA HP NFS Panorama NFS NFS 2 S1 S2 S2 Palo Alto Networks Panorama 249

250 HA NFS S2 1. S1 2. S2 a. Panorama > High Availability b. Priority Secondary Primary c. NFS 3. CLI request high-availability convert-to-primary S1 HA S2 NFS convert-to-primary HA (S1) NFS S2 4. S2 S2 NFS 250 Panorama Palo Alto Networks

251 12 Panorama Panorama Panorama Web 252 Panorama Panorama Palo Alto Networks Panorama 251

252 Panorama Web Panorama Web Panorama Panorama Web 1. Web IP address> Palo Alto Networks 2. Login Panorama Panorama Web Palo Alto Networks Panorama Panorama 1. Panorama IP Panorama 255 Panorama Panorama Panorama 131. Panorama Dashboard ACC Monitor Objects Policies Panorama Panorama Panorama 252 Panorama Palo Alto Networks

253 Panorama Panorama Panorama Devices Panorama 132. Panorama Setup Config Audit Managed Devices Device Groups Admin Roles Administrators High Availability Certificates Log Settings Server Profiles Panorama DNS NTP Panorama 254 Panorama 255 Panorama 41 Panorama 42 Administrators Panorama (HA) 248 HA Web Panorama 58 Panorama 77 (SNMP) Syslog 51 Panorama 54 SNMP 56 Syslog RADIUS 47 LDAP 47 Kerberos Active Directory. Authentication Profile Authentication Sequence 58 Netflow Panorama 44 Panorama 48 Palo Alto Networks Panorama 253

254 132. Panorama Client Certificate Profile Access Domain Scheduled Config Export Software Dynamic Updates Support Deployment Panorama (FTP) 261 Panorama 262 Panorama Panorama 40 Palo Alto Networks Panorama > Managed Devices Managed Devices HA VSYS Panorama HA HA Panorama Panorama SSL TCP 3978 Panorama 1. Panorama Managed Devices Managed Devices 2. Group by 3. Add/Remove Devices 4. Add Panorama Palo Alto Networks

255 6. OK Managed Devices 7. a. Add/Remove Devices b. Delete c. OK Panorama > Device Groups / Panorama Panorama Device Groups 133. Device Group Name Devices Master Device 31 Add Panorama ID Panorama > Access Domain Access Domain RADIUS (VSA) RADIUS RADIUS Palo Alto Networks Panorama 255

256 134. Name Device Groups Device Context 31 Add Panorama 121 Panorama Panorama deny all allow Panorama Panorama Target Install on all but specified devices 256 Panorama Palo Alto Networks

257 39. Panorama Panorama Panorama Panorama Panorama any default Panorama Objects Device Device Panorama SNMP syslogradius LDAP Kerberos Location device-group-test Location 135. Panorama Panorama Location Panorama Panorama SNMP Syslog (RADIUS) (LDAP) Kerberos Palo Alto Networks Panorama 257

258 135. Device Groups Panorama 255 Policies Objects Device Groups Shared Panorama Location Panorama Panorama Location Shared Objects Shared Panorama Context Panorama Panorama 255 Web Panorama Panorama Palo Alto Networks

259 Panorama > Managed Devices Commit all Panorama IP Connected Panorama Panorama 4.1 PAN-OS 4.0 allow Managed Devices Last Commit All State Panorama 15 Panorama Panorama Panorama ACC Monitor Panorama ACC Monitor > PDF Reports > User Activity Report Panorama Panorama 185 Panorama > Config Audit Panorama Managed Devices 41 Palo Alto Networks Panorama 259

260 Commit All 41. Managed Devices Diff All 5 OK Panorama Panorama > Deployment Deployment 136. Panorama Deployment Software SSL VPN Client GlobalProtect Client Dynamic Updates Licenses SSL VPN GlobalProtect 40 Refresh Software SSL VPN GlobalProtect Refresh Palo Alto Networks Release Notes Activate Palo Alto Networks 260 Panorama Palo Alto Networks

261 Download Downloaded Install Upload PC Install from File Activate from File OK Delete Panorama > Setup Panorama Panorama Setup Panorama Panorama Panorama > Managed Devices Backups Manage Load Commit Panorama > Scheduled Config Export Panorama Scheduled Config Export gzip FTP XML 137. Name Enable Scheduled export start time (daily) Hostname Port HH:MM FTP IP Palo Alto Networks Panorama 261

262 Panorama 137. Passive Mode FTP Username Password Confirm Password Panorama Panorama > Software Panorama Palo Alto Networks Panorama Panorama Refresh Palo Alto Networks Release Notes 1. a. Download Downloaded b. Install Panorama Panorama Palo Alto Networks

263 13 WildFire WildFire WildFire 263 WildFire 264 WildFire WildFire WildFire EXE DLL Palo Alto Networks Palo Alto Networks HTTP (GZIP) EXE DLL WildFire WildFire WildFire WildFire WildFire 1. Device > Setup WildFire 264 WildFire 2. forward continue-andforward WildFire 264 WildFire WildFire 266 WildFire Palo Alto Networks WildFire 263

264 WildFire WildFire Device > Setup > WildFire WildFire WildFire 138. WildFire General Settings WildFire Server Maximum File Size (MB) Session Information Settings Settings WildFire URL default-cloud WildFire WildFire 1-10 MB 2 MB WildFire Source IP IP Source Port Destination IP IP Destination Port Vsys Application User URL URL Filename WildFire WildFire Palo Alto Networks WildFire WildFire WildFire Upload File 264 WildFire Palo Alto Networks

265 WildFire 42. WildFire WildFire WildFire Settings 139. WildFire Password Time Zone Notifications Current Password New Password/Confirm Password WildFire WildFire WildFire Malware Both None Palo Alto Networks WildFire 265

266 WildFire WildFire WildFire Reports 43. WildFire Reports 266 WildFire Palo Alto Networks

267 A IP URL URL HTML URL Web 272 URL 273 SSL VPN 274 SSL 77 <html> <head> <meta http-equiv=content-type content="text/html; charset=windows-1252"> <meta name=generator content="microsoft Word 11 (filtered)"> <title>this is a test</title> <style> <!-- /* Font Definitions */ Palo Alto Networks 267

268 @font-face {font-family:"microsoft Sans Serif"; panose-1: ;} /* Style Definitions */ p.msonormal, li.msonormal, div.msonormal {margin:0in; margin-bottom:.0001pt; font-size:12.0pt; font-family:"times New Roman";} h4 {margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt; margin-left:0in; page-break-after:avoid; font-size:14.0pt; font-family:"times New Roman";} p.sanserifname, li.sanserifname, div.sanserifname {margin:0in; margin-bottom:.0001pt; text-autospace:none; font-size:10.0pt; font-family:"microsoft Sans Serif"; font-weight:bold;} p.boldnormal, li.boldnormal, div.boldnormal {margin:0in; margin-bottom:.0001pt; font-size:12.0pt; font-family:"times New Roman"; font-weight:bold;} span.heading10 {color:black font-weight:bold;} p.subheading1, li.subheading1, div.subheading1 {margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt; margin-left:0in; page-break-after:avoid; font-size:12.0pt; font-family:"times New Roman"; Section1 {size:8.5in 11.0in; margin:1.0in 1.25in 1.0in 1.25in;} div.section1 {page:section1;} --> </style> </head> <body lang=en-us> <div class=section1> <p class=msonormal>this is a test.</p> </div> </body> </html> 268 Palo Alto Networks

269 <html> <head> <title>application Blocked</title> <style> #content{border:3px solid#aaa;backgroundcolor:#fff;margin:40;padding:40;font-family:tahoma,helvetica,arial,sansserif;font-size:12px;} h1{font-size:20px;font-weight:bold;color:#196390;} b{font-weight:bold;color:#196390;} </style> </head> <body bgcolor="#e7e8e9"> <div id="content"> <h1>application Blocked</h1> <p>access to the application you were trying to use has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p> <p><b>user:</b> <user/> </p> <p><b>application:</b> <appname/> </p> </div> </body> </html> <html> <head> <meta http-equiv=content-type content="text/html; charset=windows-1252"> <meta name=generator content="microsoft Word 11 (filtered)"> <title>this is a test</title> <style> <!-- /* Font Definitions {font-family:"microsoft Sans Serif"; panose-1: ;} /* Style Definitions */ p.msonormal, li.msonormal, div.msonormal {margin:0in; margin-bottom:.0001pt; font-size:12.0pt; font-family:"times New Roman";} h4 {margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt; margin-left:0in; page-break-after:avoid; font-size:14.0pt; font-family:"times New Roman";} p.sanserifname, li.sanserifname, div.sanserifname {margin:0in; margin-bottom:.0001pt; text-autospace:none; font-size:10.0pt; font-family:"microsoft Sans Serif"; font-weight:bold;} p.boldnormal, li.boldnormal, div.boldnormal {margin:0in; margin-bottom:.0001pt; font-size:12.0pt; font-family:"times New Roman"; font-weight:bold;} Palo Alto Networks 269

270 span.heading10 {color:black font-weight:bold;} p.subheading1, li.subheading1, div.subheading1 {margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt; margin-left:0in; page-break-after:avoid; font-size:12.0pt; font-family:"times New Roman"; Section1 {size:8.5in 11.0in; margin:1.0in 1.25in 1.0in 1.25in;} div.section1 {page:section1;} --> </style> </head> <body lang=en-us> <div class=section1> <p class=msonormal>this is a test.</p> </div> </body> </html> URL <html> <head> <title>web Page Blocked</title> <style> #content{border:3px solid#aaa;backgroundcolor:#fff;margin:40;padding:40;font-family:tahoma,helvetica,arial,sansserif;font-size:12px;} h1{font-size:20px;font-weight:bold;color:#196390;} b{font-weight:bold;color:#196390;} </style> </head> <body bgcolor="#e7e8e9"> <div id="content"> <h1>web Page Blocked</h1> <p>access to the web page you were trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p> <p><b>user:</b> <user/> </p> <p><b>url:</b> <url/> </p> <p><b>category:</b> <category/> </p> </div> </body> </html> 270 Palo Alto Networks

271 <application-type> <category> <entry name="networking" id="1"> <subcategory> <entry name="remote-access" id="1"/> <entry name="proxy" id="2"/> <entry name="encrypted-tunnel" id="3"/> <entry name="routing" id="4"/> <entry name="infrastructure" id="5"/> <entry name="ip-protocol" id="6"/> </subcategory> </entry> <entry name="collaboration" id="2"> <subcategory> <entry name=" " id="7"/> <entry name="instant-messaging" id="8"/> <entry name="social-networking" id="9"/> <entry name="internet-conferencing" id="10"/> <entry name="voip-video" id="11"/> </subcategory> </entry> <entry name="media" id="3"> <subcategory> <entry name="video" id="12"/> <entry name="gaming" id="13"/> <entry name="audio-streaming" id="14"/> </subcategory> </entry> <entry name="business-systems" id="4"> <subcategory> <entry name="auth-service" id="15"/> <entry name="database"id="16"/> <entry name="erp-crm" id="17"/> <entry name="general-business" id="18"/> <entry name="management" id="19"/> <entry name="office-programs" id="20"/> <entry name="software-update" id="21"/> <entry name="storage-backup" id="22"/> </subcategory> </entry> <entry name="general-internet" id="5"> <subcategory> <entry name="file-sharing" id="23"/> <entry name="internet-utility" id="24"/> </subcategory> </entry> </category> <technology> <entry name="network-protocol" id="1"/> <entry name="client-server" id="2"/> <entry name="peer-to-peer" id="3"/> <entry name="web-browser" id="4"/> </technology> </application-type> <h1>ssl Inspection</h1> <p>in accordance with company security policy, the SSL encrypted connection you have initiated will be temporarily unencrypted so that it can be inspected for viruses, spyware, and other malware.</p> <p>after the connection is inspected it will be re-encrypted and sent to its destination. No data will be stored or made available for other purposes.</p> <p><b>ip:</b> <url/> </p> <p><b>category:</b> <category/> </p> Palo Alto Networks 271

272 Web <h1 ALIGN=CENTER>Captive Portal</h1> <h2 ALIGN=LEFT>In accordance with company security policy, you have to authenticate before accessing the network.</h2> <pan_form/> URL <html> <head> <title>web Page Blocked</title> <style> #content{border:3px solid#aaa;backgroundcolor:#fff;margin:40;padding:40;font-family:tahoma,helvetica,arial,sansserif;font-size:12px;} h1{font-size:20px;font-weight:bold;color:#196390;} b{font-weight:bold;color:#196390;} form td, form input { font-size:11px; font-weight:bold; } #formtable { height: 100%; width: 100%; } #formtd { vertical-align:middle; } #formdiv { margin-left:auto; margin-right:auto; } </style> <script type="text/javascript"> function pwdcheck() { if(document.getelementbyid("pwd")) { document.getelementbyid("continuetext").innerhtml = "If you require access to this page, have an administrator enter the override password here:"; } } </script> </head> <body bgcolor="#e7e8e9"> <div id="content"> <h1>web Page Blocked</h1> <p>access to the web page you were trying to visit has been blocked in accordance with company policy.please contact your system administrator if you believe this is in error.</p> <p><b>user:</b> <user/> </p> <p><b>url:</b> <url/> </p> <p><b>category:</b> <category/> </p> <hr> <p id="continuetext">if you feel this page has been incorrectly blocked, you may click Continue to proceed to the page.however, this action will be logged.</p> <div id="formdiv"> <pan_form/> </div> <a href="#" onclick="history.back();return false;">return to previous page</ a> </div> </body> </html> 272 Palo Alto Networks

273 SSL VPN <HTML> <HEAD> <TITLE>Palo Alto Networks - SSL VPN</TITLE> <meta http-equiv="content-type" content="text/html; charset=iso "> <link rel="stylesheet" type="text/css" href="/styles/ falcon_content.css?v=@@version"> <style> td { font-family:verdana, Arial, Helvetica, sans-serif; font-weight:bold; color:black; /*#FFFFFF; */ }.msg { background-color:#ffff99; border-width:2px; border-color:#ff0000; border-style:solid; padding-left:20px; padding-right:20px; max-height:150px; height:expression( this.scrollheight > 150?"150px" :"auto" ); /* sets max-height for IE */ overflow:auto; }.alert {font-weight:bold;color:red;} </style> </HEAD> <BODY bgcolor="#f2f6fa"> <table style="background-color:white; width:100%; height:45px; borderbottom:2px solid #888888;"> <tr style="background-image:url(/images/logo_pan_158.gif); background-repeat:no-repeat"> <td align="left"> </td> </tr> </table> <div align="center"> <h1>palo Alto Networks - SSL VPN Portal</h1> </div> <div id="formdiv"> <pan_form/> </div> </BODY> </HTML> Palo Alto Networks 273

274 SSL <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso "> <html> <head> <title>certificate Error</title> <style> #content{border:3px solid#aaa;backgroundcolor:#fff;margin:40;padding:40;font-family:tahoma,helvetica,arial,sansserif;font-size:12px;} h1{font-size:20px;font-weight:bold;color:#196390;} b{font-weight:bold;color:#196390;} </style> </head> <body bgcolor="#e7e8e9"> <div id="content"> <h1>certificate Error</h1> <p>there is an issue with the SSL certificate of the server you are trying to contact.</p> <p><b>certificate Name:</b> <certname/> </p> <p><b>ip:</b> <url/> </p> <p><b>issuer:</b> <issuer/> </p> <p><b>status:</b> <status/> </p> <p><b>reason:</b> <reason/> </p> </div> </body> </html> 274 Palo Alto Networks

275 B Palo Alto Networks business-system auth-service database erp-crm general-business infrastructure office-program software-update storage-backup collaboration instant-messaging internet-conferencing internet-utility Palo Alto Networks 275

276 social-networking voip-video web-posting general-internet file-sharing internet-utility media audio-streaming gaming photo-video networking audio-streaming encrypted-tunnel infrastructure ip-protocol proxy remote-access routing unknown 276 Palo Alto Networks

277 140. network-protocol client-server peer-to-peer browser-based IP - Web 141. Transfers Files Evasive Excessive Bandwidth Used by Malware Prone to Misuse Widely Used Tunnels Other Applications Continue Scanning for Other Applications 1 Mbps Palo Alto Networks 277

278 278 Palo Alto Networks

279 C (FIPS 140-2) FIPS FIPS Set FIPS Mode PAN-OS Command Line Interface Reference Guide FIPS TLS 1.0 Device > Setup > Management FIPS FIPS FIPS IPSec 2048 SSH 2048 RSA Telnet TFTP HTTP (HA) PAP Kerberos Palo Alto Networks 279

280 280 Palo Alto Networks

281 D (GPL) $5 Palo Alto Networks Open Source Request 232 E. Java Drive Sunnyvale, CA BSD 284 GNU 287 GNU 291 MIT/X OpenSSH 295 PSF 295 PHP 296 Zlib Palo Alto Networks 281

282 Larry Wall Perl v4.0 CrackUnix Password Cracker CrackLibUnix Password Checking Alec David Edward Muffett a) Usenet uunet.uu.net b) c) d) 4. a) b) c) d) 282 Palo Alto Networks

283 BSD BSD BSD Julian Steward Thai Open Source Software Center Ltd The Regents of the University of California Nick Mathewson Niels Provos Dug Song Todd C. Miller University of Cambridge Sony Computer Science Laboratories Inc / 3. Palo Alto Networks 283

284 GNU GNU , 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA , USA GNU GNU (1) (2) / 0. / Palo Alto Networks

285 GNU 2. 1 a) b) c) a) 1 2 b) 1 2 c) b 4. Palo Alto Networks 285

286 GNU / 8. / 9. / / 12. / 286 Palo Alto Networks

287 GNU GNU , 1999 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA USA [ GPL (Lesser GPL) GNU (GNU Library Public License) ] GNU (1) (2) / GNU GNU GNU Palo Alto Networks 287

288 GNU GNU C GNU GNU/ Linux / / * a) * b) * c) * d) 2d 288 Palo Alto Networks

289 GNU 3. GNU GNU 2 2 GNU GNU * a) 1 2 / * b) (1) (2) Palo Alto Networks 289

290 GNU * c) 6a * d) * e) 7. * a) * b) / 12. / 290 Palo Alto Networks

291 MIT/X11 MIT/X / / 16. / Daniel Veillard Thomas Broyer Charlie Bozeman Daniel Veillard 1998 Bjorn Reese Daniel Stenberg 2000 Gary Pennington Daniel Veillard 2001 Bjorn Reese <[email protected]> 2001, 2002, 2003 Python Paramjit Oberoi <param.cs.wisc.edu> 2007 Tim Lauridsen <[email protected]> / Palo Alto Networks 291

292 OpenSSH OpenSSH OpenSSH BSD OpenSSH GPL 1) 1995 Tatu Ylonen Espoo, Finland RFC ssh Secure Shell [Tatu ] GNU [ OpenSSH -RSA OpenSSL -IDEA -DES OpenSSL -GMP OpenSSL BN -Zlib -make-ssh-known-hosts -TSS -MD5 OpenSSL -RC4 OpenSSL ARC4 -Blowfish OpenSSL [ ] Internet / 292 Palo Alto Networks

293 OpenSSH / 2) deattack.c 32 CRC CORE SDI S.A. BSD ssh CORE SDI S.A., Buenos Aires, Argentina CORE SDI S.A. Ariel Futoransky <[email protected]> < 3) ssh-keyscan David Mazieres BSD 1995, 1996 by David Mazieres <[email protected]> OpenBSD Project 4) Vincent Rijmen Antoon Bosselaers Paulo Barreto Rijndael ANSI C Vincent Rijmen Antoon Bosselaers Paulo Barreto <[email protected]> 5) ssh 3 BSD University of California Berkeley 1983, 1990, 1992, 1993, 1995 The Regents of the University of California / 3. Palo Alto Networks 293

294 OpenSSH THE REGENTS THE REGENTS 6) 2 BSD -Markus Friedl -Theo de Raadt -Niels Provos -Dug Song -Aaron Campbell -Damien Miller -Kevin Steves -Daniel Kouril -Wesley Griffin -Per Allansson -Nils Nordman -Simon Wilkinson / 294 Palo Alto Networks

295 PSF PSF 1. Python PSF Python PSF Python 2.3 / Python 2.3 PSF PSF 2001, 2002, 2003 Python Software Foundation 3. Python 2.3 Python PSF Python 2.3 PSF PSF Python PSF Python 2.3 Python PSF PSF 8. Python 2.3 PHP PHP The PHP Group / 3. PHP [email protected] 4. [email protected] PHP PHPFoo PHP PHP Foo phpfoo PHP 5. PHP Group / PHP Group PHP Group Palo Alto Networks 295

296 Zlib 6. < software/> PHP PHP PHP PHP Group PHP Group PHP Group PHP < PHP < Zend Zlib Jean-loup Gailly Mark Adler Jean-loup Gailly Mark Adler 296 Palo Alto Networks

297 A Active Directory User-ID Agent 200 User-ID Agent 200 User-ID Agent 199 User-ID Agent 203 Aggregate Ethernet Aggregate 91 App-ID 189 ARP VLAN 87, AS BGP Authentication Header (AH) , (SA) , NAT , , Panorama 244 B BGP botnet BrightCloud , WildFire PDF , PDF , / 61, HA , Web Palo Alto Networks

298 (REST) 17 IKE 211 (DF) PPPoE C CPU 168 CRL 36 DoS 135 NAT , NAT , 74, QoS (DAD) 87, , 31, 38 (TLS) Panorama 247 D DHCP , Diffie-Hellman (DH) group 212, 216 DNS 113 DNS DoS GlobalProtect GlobalProtect 233 GlobalProtect , 33 30, , , Palo Alto Networks

299 , , , DOS 118 URL Panorama , 73, 76 E Encapsulating Security Payload (ESP) 212 F FIPS 279 flood 115 flood 117, 238 FTP, User-ID Agent WildFire 264 Web , 43 Panorama 255, 159 Kerberos 48 LDAP 47 RADIUS 46 syslog 56 (QoS) , 160 G GlobalProtect botnet Panorama PAN-OS 40 Panorama 248 / 61 / , Palo Alto Networks 299

300 CLI 17 Panorama 17 28, 38 Web , 33, 41, 41, , 253, 42, , H HA 96 HA1 HA2 67 HTML , HA , , 95 28, 30, J ICMP flood IKE AH DH ESP , IKE , 214 IPSec AH 212 DH ESP IPv6 116 IPv6 150 (PBF) , , Panorama Aggregate 91 83, , Aggregate Ethernet 91, Palo Alto Networks

301 (Dos) 147 K Kerberos (OVF) botnet 181 GlobalProtect 232 L LDAP LSA 99 84, 90, , 90, 96, HA 71, , 141, HA 249 BGP OSPF 103 RIP 102 M MD5 105 MIB 36, 55 GlobalProtect GlobalProtect , 35, QoS 236 N NAT Netflow NFS Panorama NIS 113 NSSA (not so stub area) 104 NT LAN (NTLM) 135, 196 NTP O OCSP 36 OSPF P Panorama ACC , , 252, Panorama 252 IP , , , 253 PAN-OS , 43, 255 PAN-OS, 39 passive link state 71 Palo Alto Networks 301

302 PDF , Perfect Forward Security (PFS) 212 PPPoE proxy DNS , , 53, , , flood , 138, IKE 216 IKE 216 IPSec 217 IPSec , 141 QoS 235, , URL , , 164 VPN 218 Q QoS , , , 136 Web 77, , NAT , 125 R RADIUS random early drop 117 RFC 1583 Compatibility 103 RIP routing ACC 169 FTP URL Palo Alto Networks

303 52, 53, HIP 180 HIP , , SNMP 54 syslog , 43, 255, 261, 262 Panorama 262 S SNMP 54 MIB 55 MIB SNMP SSL , 132 SSL VPN Web 77 SYN flood 117 syslog , HA GlobalProtect IKE 211 LDAP 41 RADIUS , Kerberos 48 LDAP 47 RADIUS , Panorama 261, 262 PAN-OS 39, 43, , 38 VPN , 28, APP-ID , 139, 140, ACC 170 ACC HIP 170 Palo Alto Networks 303

304 50, , , , 90, , 90, 96 SSL VPN 232 VPN 211 IPSec , QoS 236 T TS Panorama URL W UDP flood 117 Web WildFire WINS 113 VLAN VMware ESX(i) 244 VPN 210 IPSec IKE 212 SSL VPN IKE , URL ACC , , User-ID Agent Active Directory, Active Directory 200 Active Directory 200 Active Directory 203 vsphere 244 GlobalProtect GlobalProtect Palo Alto Networks

305 , ACC App-ID , X XML API , 267 GlobalProtect portal help 77 GlobalProtect portal login 77 49, 77 77, 272 SSL 77 SSL 77, 274 URL 78, , , , , , 101, , 75, , Y , 175, ACC , , , Palo Alto Networks 305

306 170 (ACC) , SSL VPN , 38 (SSM) URL 143 Z 43, CRL Aggregate , URL 142 (SPT) GlobalProtect CA 58 OCSP 36 Panorama Web 58 (CA) CRL 36 GlobalProtect 224 CA 58 OCSP 36 57, , TS 203 / 61 / 61, 28, 38 (HIP) ACC 170 HIP Palo Alto Networks