Palo Alto Networks 4.0 5/10/11 / - Palo Alto Networks
Palo Alto Networks, Inc. www.paloaltonetworks.com 2007-2011 Palo Alto Networks Palo Alto Networks PAN-OS Panorama Palo Alto Networks, Inc. P/N 810-000063-00A
5 10, 2011 - Palo Alto Networks 11 13 13 13 14 14 Web Palo Alto Networks 1 2 3 4 5 / Palo Alto Networks 11
6 7 8 IPSec IP (IPSec) 9 GlobalProtect SSL-VPN GlobalProtect (SSL) (VPN) 10 (QoS) 11 Panorama High Definition Firewall (CMS) 12 Panorama A HTML B Palo Alto Networks C 140-2 D 12 Palo Alto Networks
Web (URL) SecuritySecurity Rules Palo Alto Networks http://www.paloaltonetworks.com a:\setup Devices Administrators Clone Rule Palo Alto Networks 13
http://www.paloaltonetworks.com Web Help / https://live.paloaltonetworks.com/community/devcenter http://live.paloaltonetworks.com KnowledgePoint http://support.paloaltonetworks.com 1-866-898-9087 support@paloaltonetworks.com 14 Palo Alto Networks
1 16 16 Palo Alto Networks 80 IPv4 IPv6 IPv4 IPv6 Palo Alto Networks 15
(SSL) 135 URL URL 141 Web 169 HA 67 Web (CLI) Panorama Web Web Web Internet Explorer (IE) Firefox HTTP HTTPS CLI Telnet (SSH) PAN-OS Panorama Palo Alto Networks Web Panorama Web Panorama Panorama 259 Panorama 263 16 Palo Alto Networks
(SNMP) RFC 1213 (MIB-II) RFC 2665 SNMP SNMP 53 Syslog Syslog Syslog 55 XML API (REST) Palo Alto Networks 17
2 20 Web 21 Panorama Panorama 259 1. 2. http://support.paloaltonetworks.com App-ID 3. IP 4. IP 192.168.1.2 255.255.255.0 Palo Alto Networks 19
1. RJ-45 (MGT) 2. 192.168.1.0 IP 192.168.1.5 3. Web https://192.168.1.1 Palo Alto Networks 4. Name Password admin Login OK 5. Device Quick Start Setup Quick Start Setup 1. Quick Start Setup 6. Quick Start Setup a. Management Configuration (DNS) IP (NTP) IP NTP Setup 77 b. Palo Alto Networks Support 20 Palo Alto Networks
Web c. Update Application and Threat Content Update Software d. Proceed 7. Devices Administrators 8. admin 9. New Password Confirm New Password 15 10. OK Web Object Devices Add Palo Alto Networks 21
Web Delete OK Cancel Clone OK Save OK candidate Commit 33 22 Palo Alto Networks
Web Vulnerability Protection Profiles Objects Security Profiles Vulnerability Profiles Objects > Security Profiles > Vulnerability Profiles Web Config lock Commit Lock Locks Take a Lock OK Close Lock Locks Yes Close Lock Device Setup Management Automatically acquire commit lock 26 Palo Alto Networks 23
3 36 PAN-OS 37 38 38 41 46 47 48 SNMP 53 Syslog 55 56 57 60 Virtual Systems 72 77 78 Palo Alto Networks 25
32 33 36 60 Device > Setup Setup IP Panorama (DNS) (NTP) (RADIUS) IP 94 Edit 1. Host Name Domain Name Mgt Interface Speed 31 (FQDN) 31 10Mbps 100Mbps 1Gbps 26 Palo Alto Networks
1. MGT Interface IP Address Netmask Default Gateway MGT Interface IPv6 Address Default IPv6 Gateway MGT Interface Services Login Banner Authentication Profile Client Certificate Profile DNS Proxy Primary NTP Server Secondary NTP Server System Location System Contact Timezone Update Server IP IP IP 255.255.255.0 IP IPv6 IPv6 IPv6 HTTP HTTPS Telnet (SSH) / Ping Name Password 42 47 DNS Servers DNS DNS IP DNS DNS FDQN DNS Proxy DNS DNS DNS DNS 114 NTP IP NTP Quick Start Setup NTP Palo Alto Networks updates.paloaltonetworks.com Palo Alto Networks 27
1. Proxy Server: Server Port User Password Panorama Panorama 2 Permitted IP Addresses Geo Location SNMP Community String Configuration Links Custom Logo Manage Data Protection Service Route Configuration CRL/OCSP Settings Palo Alto Networks IP Panorama Palo Alto Networks IP Panorama Panorama Disabled Shared Policies Panorama Import shared policies from Panorama before disabling OK Panorama (HA) HA Panorama IPv4 IPv6-90.0 90.0-180.0 180.0 (SNMP) Custom Logo Browse OK Remove OK 192 Manage Data Protection Set data access password Change data access password Delete data access password and protected data Service Route Configuration Use Management Interface for all Select Source Address 34 28 Palo Alto Networks
1. Quick Start SNMP Setup Statistics Service Setup Container Pages Multi-Virtual Systems Multi Virtual System Capability Reboot/Restart Reboot Device Restart Data Plane Date and Time Set Time Settings IPv6 Firewalling Rematch Sessions Jumbo Frame Jumbo Frame MTU Dynamic URL Cache Timeout URL Continue Timeout 20 SNMP SNMP 35 35 36 Setup Multi Virtual System Capability Edit OK Virtual Systems 72 Reboot Device PAN-OS 33 Restart Dataplane Set Time YYYY/MM/DD 24 (HH:MM:SS) IPv6 Edit IPv6 Firewalling IPv6 IPv6 Edit Rematch all sessions on config policy change Telnet Deny Telnet MTU 9192 Edit URL BrightCloud URL URL 141 continue URL continue 1-86400 Palo Alto Networks 29
1. URL Admin Override Timeout URL Admin Lockout Timeout x-forwarded-for Strip-x-forwarded-for ICMPv6 Token Bucket Size ICMPv6 Error Packet Rate Management Log Storage Automatically acquire commit lock Idle Timeout Max. Rows in CSV Export Max. Rows in User Activity Report Receive Timeout for connection to Panorama Send Timeout for connection to Panorama Retry Count for SSL send to Panorama URL 1-86400 URL 1-86400 IP X-Forwarded-For X-Forwarded-For HTTP IP Src x.x.x.x URL x.x.x.x IP Source User IP X-Forwarded-For IP ICMPv6 ICMPv6 10-65535 100 ICMPv6 10-65535 / 100 Restore Defaults 23 1-1440 0 Web CLI CSV 1-1048576 65535 1-1048576 65535 Panorama TCP 1-120 20 TCP Panorama 1-120 20 (SSL) Panorama 1-64 25 30 Palo Alto Networks
1. # Failed Attempts Lockout Time Number of Versions for Config Audit Stop Traffic when LogDb full Number of Versions for Config Backups URL Admin Override Settings for URL admin override Web CLI 1-10 00 0-60 0 100 Panorama 100 URL Override URL 141 Edit URL Virtual System Password/Confirm Password Server Certificate SSL Mode Redirect IP Palo Alto Networks 31
Device > Config Audit Config Audit Submit 2. Panorama Panorama 32 Palo Alto Networks
Device > Setup OK Commit Save Commit Save 2. Save (running-config.xml ) (running-config.xml ) (running-config.xml ) / Browse Commit commit CLI Web CLI 23 Palo Alto Networks 33
Device > Setup (CA) (CRL) SSL SSL (OCSP) SSL 129 CRL OCSP Setup Server CRL/OCSP Setting 3. CRL/OCSP Enable Receive Timeout Enable OCSP Receive Timeout Block Unknown Certificate Block Timeout Certificate Certificate Status Timeout CRL SSL CRL 1-60 OCSP SSL OCSP 1-60 1-60 34 Palo Alto Networks
SNMP Device > Setup SNMPv2c SNMPv3 SNMP (MIB) Setup SNMP Setup 4. SNMP Location Contact Access Setting MIB SNMPv2c SNMPv3 MIB V2c SNMP Community String SNMP V3 Views Add Name View OID (OID)1.2.3.4 Option OID Mask 0xf0 OID Users Add Users View Auth Password Priv Password Device > Setup Palo Alto Networks URL Panorama URL Palo Alto Networks 35
Report Sample Device > Setup text/html text/xml text/plain (pdf) (jpeg) URL 5. VSYS URL Content Types Add Device > Licenses Palo Alto Networks Licenses URL BrightCloud URL Active Retrieve license keys from license server Activate feature using authorization code OK a. http://support.paloaltonetworks.com b. c. Manually upload license key Browse OK 36 Palo Alto Networks
PAN-OS Web URL CLI request url-filtering upgrade brightcloud CLI tail follow yes mp-log Pan_bc_download.log Licenses BrightCloud URL PAN-OS Device > Software PAN-OS Palo Alto Networks PAN-OS Software Refresh Palo Alto Networks Release Notes Download Downloaded Install Upload PC Install from File OK PAN-OS PAN-OS PAN-OS Decrypt failed: GnuPG edit non-zero, with code 171072 Failed to load into PAN software manager. Palo Alto Networks 37
Device > Dynamic Updates Palo Alto Networks URL GlobalProtect Dynamic Updates Application and Threats Antivirus URL Filtering Check Now Palo Alto Networks Upgrade Revert Release Notes Upload PC Install from File OK Schedule Download Only Dynamic Updates Upgrade OK Local database RADIUS RADIUS LDAP (LDAP) Kerberos Kerberos Client Certificate 38 Palo Alto Networks
RADIUS LDAP Kerberos DB 42 39 47 SSL (VPN) GlobalProtect SSL-VPN 237 41 47 Device > Admin Roles Admin Roles 40 6. Name Role WebUI CLI Role Web / CLI disable CLI superuser superreader deviceadmin devicereader Palo Alto Networks 39
Device > Administrators admin 7. Name Authentication Profile New Password Confirm New Password Role Virtual System 15 RADIUS LDAP Kerberos DB 42 15 Dynamic Superuser Superuser (Read Only) Device Admin Device Admin (Read Only) Vsys Admin Vsys Admin (Read Only) Role Based Admin 39 Role Based 39 Add Available Selected Panorama Administrators 40 Palo Alto Networks
Device > Access Domain Access Domain RADIUS (VSA) RADIUS RADIUS RADIUS RADIUS 8. Name Virtual Systems 31 Available Add RADIUS LDAP Kerberos SSL-VPN SSL-VPN Setup 26 Setup RADIUS RADIUS RADIUS http://support. paloaltonetworks.com Settings None Palo Alto Networks 41
Device > Authentication Profile Authentication Profile 9. Profile Name Virtual System Failed Attempts Lockout Time Allow List Authentication Server Profile Login Attribute 1-10 00 0-60 0 0 Edit Allow List Available Add Selected All Search Available Add Selected Remove any None Local DB RADIUS RADIUS LDAP LDAP Kerberos Kerberos RADIUS LDAP Kerberos Server RADIUS 44 LDAP 45 Active Directory (Kerberos) 46 LDAP LDAP 42 Palo Alto Networks
9. Password Expiration Warning LDAP Active Directory eDirectory Sun ONE Directory SSL-VPN GlobalProtect SSL-VPN 237 SSL-VPN

<SCRIPT>
function getpasswarnhtml(expdays) {
    var str = "Your password will expire in " + expdays + " days";
    return str;
}
</SCRIPT>

str Device > Local User Database > Users Local Users 10. Local User Name Virtual System Mode Enabled Password Phash Palo Alto Networks 43
Device > Local User Database > User Groups Local User Groups 11. Local User Group Name Virtual System All Local Users RADIUS Device > Server Profiles > RADIUS RADIUS RADIUS 41 12. RADIUS Name Location Shared Virtual System Domain Timeout Retries Retrieve User Group Servers 31 Shared Shared RADIUS 1-30 3 1-5 3 RADIUS VSA Name IP address IPv4 IPv6 Port Secret/Confirm Secret RADIUS 44 Palo Alto Networks
LDAP Device > Server Profiles > LDAP LDAP LDAP 41 13. LDAP Name Location Servers Domain Type Base Bind DN Bind Password/ Confirm Bind Password SSL Time Limit Bind Time Limit Retry Interval 31 Shared LDAP IPv4 IPv6 Palo Alto Networks SSL (TLS) 0-60 30 0-60 30 LDAP 1-3600 Palo Alto Networks 45
Active Directory (Kerberos) Device > Server Profiles > Kerberos Kerberos Active Directory RADIUS Internet (IAS) Kerberos Kerberos Kerberos 41 Kerberos domain realm Kerberos domain\username username@realm 14. Kerberos Name Location Realm Domain Servers 31 Shared 127 user@example.local example.local 63 Kerberos Add Server IP Host FQDN Port Active Directory LDAP 46 Palo Alto Networks
Device > Authentication Sequence Authentication Sequence 41 15. Profile Name Location Failed Attempts Lockout Time Profile List Shared 1-10 00 0-60 0 0 Move Up Move Down Device > Client Certificate Profile Setup SSL-VPN 26 201 16. Profile Name Location Shared Virtual System Username Field Domain Shared shared Palo Alto Networks 47
16. CA Certificates Use CRL Use OCSP CRL Receive Timeout OCSP Receive Timeout Certificate Status Timeout Block Unknown Certificate Block Timeout Certificate CA OCSP URL CA Add (CRL) OCSP CRL 1-60 OCSP 1-60 1-60 Panorama SNMP syslog 17. Configuration System Threat Panorama syslog SNMP HA SNMP / 121 169 48 Palo Alto Networks
17. Traffic URL Filtering Data Filtering allow deny drop / 169 URL URL URL 141 145 Log Destinations Panorama SNMP syslog 18. Destination Panorama Panorama Panorama 26 SNMP trap SNMP SNMP SNMP 53 Syslog Syslog syslog Syslog 55 Email 56 Palo Alto Networks 49
Device > Scheduled Log Export CSV (FTP) FTP 3 FTP OK Scheduled Log Export 19. Name Enabled Log Type Scheduled export start time (daily) Hostname Port Passive Mode Username Password URL HIP 24 (hh:mm) (00:00-23:59) FTP IP FTP 21 FTP FTP anonymous Device > Log Settings > Config Panorama syslog / 20. Panorama Email Syslog Panorama 56 syslog syslog syslog Syslog 55 50 Palo Alto Networks
Device > Log Settings > System Panorama SNMP syslog / HA 21. Panorama SNMP Trap Email Syslog Panorama Panorama 26 Critical HA High syslog RADIUS Medium Low Informational / SNMP syslog / SNMP 53 Syslog 55 56 Palo Alto Networks 51
HIP Device > Log Settings > HIP Match (HIP) GlobalProtect GlobalProtect 237 22. HIP Panorama Email Syslog SNMP Trap Panorama 56 syslog syslog syslog Syslog 55 HIP SNMP SNMP SNMP 53 Device > Log Settings > Alarms Alarms 23. Enable Alarms Enable CLI Alarm Notifications Enable Web Alarm Notifications Enable Audible Alarms Encryption/Decryption Failure Threshold Log DB Alarm Threshold % Full CLI Web CLI / 52 Palo Alto Networks
SNMP 23. Security Policy Limits Security Rule Group Tags Security Rule Group Limits Selective Audit Security Violations Time Period Security Violations Threshold Security Rule Group Violations Time Period Security Rule Group Violations Threshold Common Criteria Alarms CC Specific Logging Common Criteria (CC) Login Success Logging Login Failure Logging Suppressed Administrators Device > Log Settings > Manage Logs SNMP Device > Server Profiles > SNMP Trap SNMP SNMP 51 24. SNMP Name Location SNMP 31 Shared Palo Alto Networks 53
SNMP 24. SNMP Version V2c settings V3 settings SNMP SNMP V2c Server SNMP 31 Manager IP Community V3 Server SNMP 31 Manager IP User SNMP EngineID - SNMP ID Auth Password SNMP Priv Password SNMP SNMP MIB SNMP MIB SNMPv2-MIB DISMAN-EVENT-MIB IF-MIB HOST-RESOURCES-MIB ENTITY-SENSOR-MIB PAN-COMMON-MIB Palo Alto Networks MIB http://support.paloaltonetworks.com 54 Palo Alto Networks
Syslog Syslog Device > Server Profiles > Syslog HIP syslog Syslog syslog 51 25. Syslog Name Location Servers Name Server Port Facility Custom Log Format Log Type Escaping syslog 31 Shared Add Syslog 31 syslog IP syslog 514 Log Format Log Format OK Escaped characters Palo Alto Networks 55
Device > Server Profiles > Email 51 191 26. Name Location Servers Server Display Name From To And Also To Gateway Custom Log Format Log Type Escaping 31 Shared 1-31 From security_alert@company.com (SMTP) IP Log Format OK 56 Palo Alto Networks
Device > Certificates Certificates Forward Trust CA CA Certificates Forward Trust Certificate Forward Untrust CA CA Trusted Root CA CA CA CA CA CA CA SSL Exclude SSL SSL Certificate for Secure Web GUI Web Web Certificates Web CA SSL a. Import b. c. PKCS #12 PEM d. Import Private Key PKCS #12 PEM *.key e. Palo Alto Networks 57
a. b. Export c. PKCS#12.pfx.pem d. Export Private Key e. Save a. Generate Generate Certificate b. Forward Trust Forward Untrust Trusted Root CA SSL Exclude Certificate for Secure Web GUI Panorama Panorama Panorama 263 27. Certificate Name Common Name Location Passphrase Confirm Passphrase Number of Bits Digest Country Code State Locality Organization Department Email 31 IP FQDN Shared / / ISO 3166 Country Codes 58 Palo Alto Networks
27. Signed By Certificate Authority CA CA Device > Master Key and Diagnostics Master Key and Diagnostics 28. Master Key New Master Key Confirm Master Key Life Time Time for Reminder Common Criteria Common Criteria Palo Alto Networks 59
PAN-OS / / (HA) HA / HA / HA HA HA HA HA / HA / HA App-ID Content-ID App-ID Content-ID 7 PAN-OS HA3 / 3 3 HA3 App-ID Content-ID 60 Palo Alto Networks
3 Static interface IP HA Floating IP (VRRP) HA IP ARP load sharing (ARP) / App-ID Content-ID (1) (2) primary device / HA IP modulo IP IP IP HA Primary Device Hash HA App-ID Content-ID HA HA3 7 Palo Alto Networks 61
/ HA 3 IPv6 / IPv6 Virtual Wire Deployment / App-ID Content-ID Layer 3 Floating IP Deployment HA IP IP MAC ARP VRRP IP IP VPN (NAT) Layer 3 ARP Load-Sharing ARP Load-Sharing HA IP IP ARP HA IP ARP ARP Load-Sharing 3 ARP Load-Sharing Layer 3 Route Based Redundancy (OSPF) IP HA 62 Palo Alto Networks
NAT / NAT / HA / / Web NAT NAT NAT NAT NAT NAT 1 1 NAT 0 NAT Device 0 and Device 1 NAT ID IP NAT Both NAT NAT Primary NAT NAT NAT ARP 0/1 / NAT Palo Alto Networks 63
IP IP/ IP IP/ NAT Device ID 0 1 HA IP Device 0 1.1.1.1 Device 1 1.1.1.2 0 1.1.1.1 IP 3. IP 64 Palo Alto Networks
Internet (ISP) IP NAT Device ID 0 1Device 0 1.1.1.1 Device 1 2.2.2.1 Device 0 Device 1 IP 1.1.1.1 ISP ISP IP IP 4. IP Palo Alto Networks 65
IP NAT 3.3.3.30 10.0.0.200 5. IP 66 Palo Alto Networks
HA HA 1. 2. Factory Reset PAN-OS 3. Internet 4. RJ-45 HA1 HA2 HA1 HA2 / HA3 HA HA 1/15 1/16 5. Network HA HA 6. HA 6. HA HA 67 HA HA HA Device > High Availability HA 67 HA HA High Availability Edit Palo Alto Networks 67
29. HA Setup Enable HA ID Mode Peer HA IP Address Backup Peer HA IP Address Enable Config Sync Link Speed HA Link Duplex HA Election Settings Device Priority Heartbeat Backup Preemptive Preemption Hold Time Promotion Hold Time HA / 1 254 / / active-active active-passive Control Link HA1 IP HA IP IP 0-255 HA IP HA1 HA 0-60000 ms 0 ms / / HA Hello Interval HA PA-4000/PA-5000 1000-60000 ms PA-2000/ PA-500 8000-60000 ms PA-4000/PA-5000 1000 ms PA-2000/PA-500 8000 ms Heartbeat Interval HA ICMP Ping 1000-60000ms 1000ms Maximum No. of Flaps 15 0-16 3 0 68 Palo Alto Networks
29. HA Monitor Fail Hold Up Time (ms) Additional Master Hold Up Time (min) Control Link Port IP Address Netmask Gateway Control Link Monitor Hold Time (ms) Encryption Enabled Data Link Port IP Address Netmask Gateway State Synchronization Enabled Transport Link Speed HA Link Duplex HA HA 0-60000 ms 0 ms Monitor Fail Hold Up Time 0-60000 ms 500 ms / / / HA1 HA HA1 HA IP HA1 IP 255.255.255.0 HA1 IP 1000-60000 ms 3000 ms HA1 HA HA HA HA HA1 / Certificates 57 HA HA2 HA2 HA IP HA2 HA HA2 HA Ethernet (Ethertype 0x7261) IP 3 IP 99 UDP IP UDP 29281 HA2 HA2 Palo Alto Networks 69
29. HA Active Passive Configuration Passive Link State Monitor Fail Hold Down Time Active Active Configuration HA3 Port Sync Virtual Router Sync QoS Packet Forward Session Load Sharing Session Setup auto 3 auto shutdown / HA QoS QoS Network QoS QoS HA3 App-ID Content-ID 7 First packet App-ID Content-ID 7 HA3 Primary Device / 7 IP Modulo IP Primary Device IP Hash IP IP 70 Palo Alto Networks
29. HA Path Monitoring Enabled Failure Condition Path Groups Link Monitoring Enabled Failure Condition Link Groups ICMP ping IP 3 Add Type VLAN Name Enabled Failure Condition Source IP VLAN IP IP Destination IPs Delete 3 Add Name Enabled Failure Condition Interfaces Delete HA HA Preemption HA Preemption Palo Alto Networks 71
Virtual Systems IP OS LED HA
CLI request high-availability state suspend
High Availability Device Suspend
CLI request high-availability state functional
HA
CLI show high-availability all
CLI show high-availability state
Device Config Audit Dashboard HA Push Configuration Web
CLI request high-availability sync-to-remote running-config
CLI show jobs processed
Virtual Systems VLAN 98 PA-4000 PA-5000 PA-2000 PA-500
Virtual Systems 7 Internet Device admin Dept 1 VSYS Dept 2 VSYS Dept 3 VSYS Dept 4 VSYS Policies Policies Policies Policies vsys admin vsys admin vsys admin vsys admin 7. (vsys1) Policies Objects Virtual System VLAN 76 SNMP syslog Palo Alto Networks 73
Virtual Systems external 98 1 VSYS 2 VSYS 1 VSYS 2 VSYS 2 VSYS 1 VSYS Internet Dept 1 VSYS Dept 2 VSYS Dept 3 VSYS Dept 4 VSYS Policies Policies Policies Policies 8. 74 Palo Alto Networks
Virtual Systems 74 IP Internet a.a.a.a b.b.b.b c.c.c.c d.d.d.d Dept 1 VSYS Dept 2 VSYS Dept 3 VSYS Dept 4 VSYS 9. ISP IP IP 10 Internet x.x.x.x Shared gateway a.a.a.a b.b.b.b c.c.c.c d.d.d.d Dept 1 VSYS Dept 2 VSYS Dept 3 VSYS Dept 4 VSYS 10. NAT Virtual System Palo Alto Networks 75
Virtual Systems Device > Virtual Systems Device > Setup Multi Virtual System Capability Edit Allow multiple virtual systems Virtual Systems Virtual Systems Add 30. ID Name General Resource 31 DNS DNS DNS 114 VLAN Add Delete Sessions Limit Security Rules NAT Rules NAT Decryption Rules QoS Rules QoS Application Override Rules PBF Rules (PBF) CP Rules (CP) DoS Rules (DoS) Site to Site VPN Tunnels VPN Concurrent SSL-VPN Tunnels SSL- VPN VLAN OK Network > Zones 98 Network > Interfaces 76 Palo Alto Networks
Device > Shared Gateways 3 3 3 85 31. ID Name Interfaces 31 Device > Response Pages URL HTML A 32. Antivirus Block Captive Portal Comfort SSL Certificate Revoked Notify URL Filtering Block SSL-VPN Custom Login GlobalProtect Portal Login Application Block File Blocking Block Active Directory SSL URL SSL-VPN SSL-VPN SSL-VPN 248 GlobalProtect GlobalProtect GlobalProtect 237 Palo Alto Networks 77
32. SSL URL File Blocking Continue GlobalProtect Portal Help Continue URL 1 URL 143 GlobalProtect Response Pages HTML Import HTML HTML Export Application Block SSL Decryption Opt-out Enable Enable Restore Block Page Restore Device > Support Support Palo Alto Networks Create Ticket View Ticket Palo Alto Networks Generate Tech Support Download Tech Support File Knowledge Base 78 Palo Alto Networks
4 83 97 VLAN 99 99 DHCP 112 DNS 114 115 VPN IPSec 221 IPSec 221 (QoS) 253 Palo Alto Networks 79
Internet 2 81 3 81 82 82 11 LAN (VLAN) default-vwire 1 2 (NAT) No routing or switching performed User network Internet 11. 90 80 Palo Alto Networks
2 2 VLAN 2 12 Switching between two networks User network Internet 12. 2 3 3 IP NAT 13 Routing between two networks 10.1.2.1/24 10.1.1.1/24 User network Internet 13. 3 (PPPoE) (DSL) DSL PPPoE 3 PPPoE 3 85 Palo Alto Networks 81
SPAN SPAN SPAN SPAN QoS Network > Virtual Wires 80 90 33. Virtual Wire Name Interfaces Tags Allowed Multicast Firewalling Link State Pass Through 31 0 4094 (tag1- tag2) Multicast Firewalling Virtual Wires OK Interfaces 90 Delete Interfaces 82 Palo Alto Networks
34. Interface Aggregate Ethernet 2 3 Virtual Wire VLAN Interface High Availability 2 3 Aggregate Ethernet 92 QoS Aggregate Ethernet VLAN 2 VLAN 2 2 84 2 85 3 VLAN 3 IP 3 85 3 89 GlobalProtect IPSec 3 IP 94 VLAN NAT 90 VLAN VLAN VLAN 3 VLAN 93 SPAN URL 96 Palo Alto (HA) HA 96 Network > Interfaces Interfaces IP VLAN VLAN Security Zone Group By Interfaces none Palo Alto Networks 83
2 Network > Interfaces VLAN 2 2 2 VLAN 2 85 VLAN VLAN 3 VLAN 93 2 1. Security Zone None OK 2. VLAN/Virtual Wire None OK 3. 35. 2 Type Link Speed Link Duplex Link State L2 Mbps 10 100 1000 (Full) (Half) (Auto) (Up) (Down) (Auto) VLAN VLAN New VLAN VLAN 99 None Virtual System None Zone New 98 None 84 Palo Alto Networks
2 Network > Interfaces 2 VLAN 2 2 2 84 2 Interfaces New L2 Interface 36. 2 Physical Interface Logical Interface Name Tag VLAN Zone Virtual System 2 2 2 84 1 9999 ethernetx/y.<1-9999> 1 4094 2 VLAN New VLAN 115 None None New 98 None 3 Network > Interfaces 3 VLAN 3 3 89 PPPoE 3 81 3 1. Security Zone None OK 2. VLAN/Virtual Wire None OK 3. Palo Alto Networks 85
37. 3 Type Link Speed Link Duplex Link State MTU Adjust TCP MSS Untagged Subinterface Management Profile L3 Mbps 10 100 1000 (Full) (Half) (Auto) (Up) (Down) (Auto) 3 (MTU) 512 1500 1500 MTU (PMTUD) MTU ICMP MTU (MSS) 40 MTU MSS MSS 3 IP VLAN 86 Palo Alto Networks
37. 3 IP Address - Manual PPPoE Manual IPv4 IPv6 IPv4 ip_address/mask IP Add IP IP Delete (ARP) IP MAC Add Delete ARP ARP man-in-the-middle IPv6 Enable IPv6 Interface ID 64 00:26:08:FF:FE:DE:4E:29 Interface ID MAC EUI-64 Address IPv6 Prefix IPv6 Interface ID Anycast Prefix IPv6 (DAD) Enable DAD DAD DAD Attempts DAD Neighbor Solicitation Interval 1-10 Neighbor Solicitation Interval DAD 1-10 Reachable Time 1-36000 Neighbors IP MAC Add Palo Alto Networks 87
37. 3 IP Address - PPPoE PPPoE PPPoE Enable PPPoE Username Password/Confirm Password Advanced PPPoE Settings Show Advanced PPPoE Settings Authentication CHAP PAP Auto PPPoE Static IP Address IP Create Default Route PPPoE Default Route Metric 1-65535 Access Concentrator Service ARP Entries Passive PPPoE (ARP) IP MAC Add Delete ARP ARP man-in-the-middle Virtual Router Virtual System Zone New 99 None None New 98 None 88 Palo Alto Networks
3 Network > Interfaces 3 VLAN 3 3 3 85 3 Interfaces New L3 Interface 38. 3 Physical Interface Logical Interface Name Tag MTU Adjust TCP MSS Management Profile IPv4 Settings IP Address and Subnet Mask ARP Entries IPv6 Settings Enable Interface ID Address 3 3 3 85 1 9999 ethernetx/y.<1-9999> 1 4094 MTU512 1500 1500 PMTUD MTU ICMP MTU MSS 40 MTU MSS MSS IPv4 ip_address/mask IP Add IP IP Delete ARP IP (MAC) Add Delete IPv6 64 IPv6 Prefix IPv6 Interface ID Anycast Palo Alto Networks 89
38. 3 Neighbor Discovery Virtual Router Virtual System Zone 3 85 Neighbor Discovery New 99 None None New 98 None Network > Interfaces VLAN NAT 80 1. Security Zone None OK 2. 39. Type Link Speed Link Duplex Link State Virtual Wire Virtual System Zone Virtual Wire Mbps 10 100 1000 (Full) (Half) (Auto) (Up) (Down) (Auto) New 82 None None New 98 None VLAN/Virtual Wire None OK 90 Palo Alto Networks
Aggregate Network > Interfaces Aggregate 1 Gbps 802.3ad 1 Gbps 10Gbps XFP Aggregate VPN VLAN Aggregate Aggregate Aggregate Ethernet Aggregate Aggregate Ethernet 2 3 Aggregate 2 3 1 Gig Aggregate Aggregate Aggregate Aggregate Ethernet 3 89 Aggregate New Aggregate Group 40. Aggregate Name Type Virtual System ae.n n (1-8) Layer 2 Layer 3 Virtual Wire HA Layer 2 VLAN Layer 3 Virtual Wire HA None Palo Alto Networks 91
Aggregate Ethernet Network > Interfaces Aggregate Ethernet ae.number 2 3 Aggregate Ethernet 41. Aggregate Ethernet Type Link Speed Link Duplex Link State Virtual Router Aggregate Group Virtual System Zone Aggregate Ethernet Mbps 10 100 1000 (Full) (Half) (Auto) (Up) (Down) (Auto) New 99 Aggregate Aggregate ae.n Aggregate Ethernet Aggregate Aggregate Ethernet 2 3 Aggregate 91 None New 98 None 92 Palo Alto Networks
VLAN Network > Interfaces 2 VLAN VLAN VLAN 3 2 2 84 VLAN New VLAN Interface 42. VLAN VLAN Interface Name MTU Management Profile IPv4 Settings IP Address and Subnet Mask ARP Entries IPv6 Settings Enable Interface ID Address Neighbor Discovery ARP/Interface Entries Virtual Router VLAN Virtual System Zone vlan (1-9999) vlan.<1-9999> MTU512 1500 1500 PMTUD MTU ICMP MTU IPv4 ip_address/mask IP Add IP IP Delete ARP IP (MAC) Add Delete IPv6 64 IPv6 Prefix IPv6 Interface ID Anycast 3 85 Neighbor Discovery ARP IP (MAC) 3 Add Delete New 99 None VLAN New VLAN 115 None None New 98 None Palo Alto Networks 93
Network > Interfaces 3 New Loopback Interface 43. Loopback Interface Name MTU Management Profile IPv4 Settings IP Address IPv6 Settings Enable Interface ID Address Virtual Router Virtual System Zone loopback 1 9999 loopback.<1-9999> MTU512 1500 1500 PMTUD MTU ICMP MTU IPv4 IP Add IP IP Delete IPv6 64 IPv6 Prefix IPv6 Interface ID Anycast New 99 None None New 98 None 94 Palo Alto Networks
Network > Interfaces New Tunnel Interface 44. Tunnel Interface Name MTU IP Address Management Profile Virtual Router Virtual System Zone 3 MTU512 1500 1500 PMTUD MTU ICMP MTU IP TCP (MSS) IPv4 New 99 None None New 98 None Palo Alto Networks 95
Network > Interfaces SPAN 82 Edit Ethernet Interface 45. Type Link Speed Link Duplex Link State Virtual System Zone Tap Mbps 10 100 1000 (Full) (Half) (Auto) (Up) (Down) (Auto) None New 98 None 1. OK Cancel 2. 33 HA HA / HA Palo Alto Networks HA HA HA HA 67 HA Edit Ethernet Interface 46. HA Type Link Speed Link Duplex Link State HA Mbps 10 100 1000 (Full) (Half) (Auto) (Up) (Down) (Auto) 96 Palo Alto Networks
Internet 2 3 VLAN VLAN VLAN 3 14 2 3 14. Palo Alto Networks 97
Network > Zones New 47. Virtual System Zone Type Interfaces Zone Protection Profiles Log Setting Enable User Identification User Identification ACL Include List User Identification ACL Exclude List 31 Layer2 Layer3 Virtual Wire Tap External vsys Layer 2 Layer 3 External vsys 74 83 116 IP IP / ip_address/mask 10.1.1.1/24 IP IP IP / ip_address/mask 10.1.1.1/24 IP 98 Palo Alto Networks
VLAN VLAN Network > VLANs IEEE 802.1Q VLAN 2 VLAN VLAN 2 VLAN VLAN VLAN 3 VLAN 48. VLAN Dot1q VLAN Name Interfaces VLAN Interface L3 Forwarding Enabled VLAN 31 VLAN VLAN 2 VLAN 83 VLAN VLAN VLAN VLAN 93 VLAN 3 3 VLAN 3 (RIP) (OSPF) (BGP) 3 Palo Alto Networks 99
RIP IP RIP UDP 520 15 15 RIP OSPF (LSA) OSPF LSA LSA OSPF RIP (BGP) Internet BGP (AS) IP AS IP BGP (RIB) RIB RIB BGP BGP BGP BGP BGP AS BGP IGP-BGP BGP 100 Palo Alto Networks
BGP ID AS AS BGP MD5 AS Network > Virtual Routers 3 3 VLAN 3 3 85 3 3 89 99 General 49. - General Interfaces Interfaces 83 Palo Alto Networks 101
49. - General Admin Distances Admin Distances Static Routes Name Destination Interface Next Hop Admin Distance Metric No Install 10-240 10 OSPF 10-240 30 OSPF 10-240 110 BGP (IBGP) 10-240 200 BGP (EBGP) 10-240 20 RIP 10-240 120 IPv4 IPv6 IPv4 IPv6 (0.0.0.0/0) Add ip_address/mask IP / Next Hop None IP IP Discard Next VR 10-240 10 (1-65535) 102 Palo Alto Networks
Redistribution Profiles RIP OSPF Redistribution Rules BGP 50. - Redistribution Profiles Profile Name Priority Filter OSPF Params BGP Params Action Add New Redistribution Profile 1-255 Type Interface Destination IP x.x.x.x x.x.x.x/n Add Next Hop IP x.x.x.x x.x.x.x/n Add OSPF Path Type OSPF Area OSPF OSPF ID x.x.x.x Add Tag OSPF (1-255) Add Community BGP Extended Community BGP Redistribute Metric Palo Alto Networks 103
RIP (RIP) RIP OSPF 51. - RIP Enable Reject Default Route Allow Redist Default Route Auth Profiles RIP RIP RIP RIP RIP Add OK Name Password Type simple MD5 Simple MD5 Key-ID (0-255) Key Preferred Add OK Preferred Export Rules Interfaces RIP Timing Add OK Interface RIP Enable Advertise and Metric RIP Auth Profile Mode normal passive send-only Interval Duration RIP Timing (1-60) # Update Intervals (1-3600) # Expire Intervals (1-3600) # Delete Intervals (1-3600) 104 Palo Alto Networks
OSPF (OSPF) RIP OSPF 52. - OSPF Enable Reject Default Route Allow Redist Default Route Router ID RFC 1583 Compatibility Export Rules Auth Profiles OSPF OSPF OSPF ID OSPF ID OSPF OSPF OSPF ID OSPF ID OSPF RFC 1583 OSPF Add OK Name New Metric Type New Tag 32 OSPF OSPF Add Name Password Type simple MD5 Simple MD5 Key-ID (0-255) Key Preferred Add OK Preferred Areas Area ID OSPF New Done x.x.x.x Palo Alto Networks 105
52. - OSPF Type Ranges Interface Virtual Link Normal Stub (LSA) Accept Summary LSA (1-255) stub stub (ABR) Accept Summary OSPF Stubby ABR LSA NSSA(not so stub area) OSPF LSA Accept Summary LSA (1-255) stub LSA NSSA External Ranges Add Add LSA LSA OK Add OK Name Enable OSPF Passive OSPF OSPF OSPF LSA Link type OSPF broadcast p2p p2mp p2mp Metric OSPF (0-65535) Priority OSPF (0-255) OSPF (DR) DR (BDR) DR BDR Timing Auth Profile Neighbors p2pmp IP (0.0.0.0) Add OK Name Neighbor ID ID Transit Area ID Enable Timing Auth Profile 106 Palo Alto Networks
BGP (BGP) 53. - BGP General Enable Router ID AS Number Reject Default Route Allow Redist Default Route Install Route Aggregate MED Reflector Cluster ID Confederation Number AS Auth Profiles Dampening Profiles BGP IP AS ID BGP BGP BGP (MED) IPv4 AS AS BGP Add Profile Name Secret/Confirm Secret BGP Profile Name Enable Cutoff 0.0-1000.0 1.25 Reuse 0.0-1000.0 0.5 Max. Hold Time 0-3600 900 Decay Half Life Reachable 0-3600 300 Decay Half Life Unreachable 0-3600 300 Palo Alto Networks 107
53. - BGP Graceful Restart General > Show Advanced Enable Stale Route Time 1-3600 120 Local Restart Time 1-3600 120 Max Peer Restart Time 1-3600 120 Path Selection General > Show Advanced Always Compare MED MED Deterministic MED comparison MED IBGP BGP AS Format General > Show Advanced 2-byte 4-byte 108 Palo Alto Networks
53. - BGP Peer Group/Peer General New Name Enable Type IBGP Next Hop original Next Hop use-self IP Next Hop EBGP Next Hop Import Next Hop Export BGP AS Remove Private AS resolve Next Hop use-self IP Next Hop original Next Hop use-peer IP Next Hop IBGP-Confed Next Hop Export original Next Hop use-self IP Next Hop EBGP-Confed Next Hop Export original Next Hop use-self IP Next Hop Palo Alto Networks 109
53. - BGP Peers New Name Enable Peer AS AS Local Address IP Connection Options Passive Connection Auth Profile Keep Alive Interval 0-1200 disabled 30 Multi Hop IP (TTL) 1-255 0 0 ebgp 2 ibgp 255 Open Delay Time TCP BGP 0-240 0 Hold Time KEEPALIVE UPDATE 3-3600 disabled 90 Idle Hold Time 1-3600 15 Peer Address IP Advanced Options Reflector Client Non-Client Client Meshed Client BGP Aggregated Confed AS Path AS Max. Prefixes IP 1-100000 Soft Reset With Stored Info 110 Palo Alto Networks
53. - BGP Import Rules/Export Rules Import Rules/Export Rules Conditional Advertisements BGP Import Rules Export Rules New General Name Enable Used by Match AS-Path Regular Expression AS Community Regular Expression Extended Community Regular Expression Address Prefix IP MED MED Next Hop From Peer Action Action Allow Deny Local Preference Allow MED MED (0-65535) Allow Weight Allow (0-65535). Next Hop Allow Origin IGP EGP incomplete Allow AS Path Limit AS Allow AS Path AS None Remove Prepend Remove and Prepend Allow Community None Remove All Remove Regex Append Overwrite Allow Extended Community None Remove All Remove Regex Append Overwrite Allow Dampening Allow Clone BGP Conditional Advertisement New General Non Exist Filters Advertise Filters Done Policies Import Rules Export Rules Palo Alto Networks 111
DHCP 53. - BGP Aggregate Redistribution Rule BGP Aggregate New General Suppress Filters Advertise Filters Aggregate Route Attributes Done Addresses Import Rules Export Rules BGP Redistribution Rules New Done Import Rules Export Rules Network > Virtual Routers Virtual Routers More Runtime Stats 99 DHCP Network > DHCP DHCP DHCP 3 IP DHCP DHCP IPSec VPN IPSec DHCP IP IPSec VPN IPSec 221 DHCP Server DHCP Relay 54. DHCP Interface Type DHCP Mode Probe IP Lease Preferred DNS Alternate DNS DHCP IP Ping DHCP (DNS) IP 112 Palo Alto Networks
DHCP 54. DHCP Preferred WINS Alternate WINS Preferred NIS Alternate NIS Gateway POP3 Server SMTP Server DNS Suffix IP Pools Reserved Addresses DHCP IPv4 IPv6 Windows Internet (WINS) IP (NIS) IP DHCP IP (POP3) IP (SMTP) IP DHCP IP Add IP 192.168.1.0/24 IP 192.168.1.10-192.168.1.20 IP Edit Done Delete IP DHCP IP x.x.x.x MAC xx:xx:xx:xx:xx:xx Edit Done Delete IP Enabled IPv4 DHCP DHCP IPv4 Enabled IPv6 DHCP DHCP IPv6 IPv6 Palo Alto Networks 113
DNS DNS Network > DNS Proxy IP DNS DNS TCP UDP DNS DNS UDP UDP TCP DNS DNS DNS 55. DNS Enable Name Default DNS Settings Interfaces DNS Proxy Rules Static Entries Advanced DNS DNS DNS DNS IP Interface DNS Add Delete DNS Add Turn on/off caching of domains resolved by this mapping Primary/Secondary DNS DNS IP Domain Name Add Delete DNS Add Domain Name DNS Address Add IP Delete Cache DNS Size 1024-10240 1024 MB Timeout DNS 4 24 4 114 Palo Alto Networks
55. DNS Advanced TCP Queries TCP DNS Max Pending Requests TCP DNS 64-256 64 UDP Queries Retries UDP Interval e 1-30 2 Attempts DNS 1-30 5 IKE IPSec IKE IPSec VPN IPSec 221 IKE IPSec VPN IKE IKE VPN 1 IPSec VPN 2 IPSec (PBF) IPSec Interface 3 VLAN 116 116 Flood SYN ICMP UDP IP flood IP ICMP ICMP QoS QoS QoS 255 Palo Alto Networks 115
Network > Network Profiles > Interface Mgmt 3 85 3 89 83 56. Name Ping Telnet SSH HTTP HTTPS SNMP Permitted IP 31 IPv4 IPv6 Network > Network Profiles > Zone Protection 97 57. Name 31 Flood - SYN Flood Action SYN flood Random Early Drop SYN flood Alert Activate SYN Maximum SYN cookie SYN-ACK 116 Palo Alto Networks
57. Alert Activate Maximum SYN 170 193 SNMP syslog SNMP 53 Syslog 55 SYN SYN Flood - ICMP Flood Alert ICMP (ping) Activate ICMP ICMP Maximum ICMP Flood - ICMPv6 Flood Alert ICMPv6 (ping) Activate ICMPv6 ICMPv6 ICMPv6 Maximum ICMPv6 Flood - UDP Flood Alert UDP Activate UDP UDP UDP Maximum UDP Flood - IP Flood Alert IP Activate IP IP IP Maximum IP - TCP UDP Interval Threshold Action Allow Alert Drop Palo Alto Networks 117
57. IPv6 Drop Packets with Type 0 Router Header IPv4 Compatible Address Multicast Source Address Anycast Source Address IP address spoof Block fragmented traffic ICMP ping ID 0 ICMP fragment ICMP large packet (>1024) Suppress ICMP TTL expired error Suppress ICMP NEEDFRAG Discard Strict Source Routing Discard Loose Source Routing Discard Timestamp Discard Record Route Reject non-syn TCP Packet 0 IPv6 IPv4 IPv6 IPv6 IPv6 IP IP ping ID 0 ICMP 1024 ICMP ICMP TTL ICMP MTU (DF) PMTUD Strict Source Routing IP Loose Source Routing IP Timestamp IP Record Route IP TCP SYN Global CLI Yes SYN TCP No SYN TCP 118 Palo Alto Networks
5 135 148 / 121 (NAT) NAT 124 128 URL SSH SSH SSH 129 131 132 (DoS) DoS DoS 134 Panorama Web Palo Alto Networks 119
Web 21 Policies Filter Rules Filter Add Clone Rule Clone Rule rulen n Move Up Move Down Move Top Move Bottom Move 15. Enable Highlight Unused Rules 16. Log Viewer Value 17. Address 120 Palo Alto Networks
Policies > Security Policies > Decryption Security Decryption 153 1. Decryption RADIUS User-ID Agent 2. any known-user unknown select 3. Available User Groups Add User Group Add User Group 4. User Find Add User Additional Users 5. OK HTTP Internet Palo Alto Networks 121
Policies > Security Security 120 58. General Name Source Source Zone Source Address User Source User HIP Destination Destination Zone Destination Address Application/Service Application 31 Add 2 3 98 Add Address Address Group Regions Add Add (HIP) HIP GlobalProtect 237 Add 2 3 98 Add Address 153 157 122 Palo Alto Networks
58. Service Actions Action Setting Profile Setting Log Setting Other Settings TCP / UDP any any application-default Palo Alto Networks application-default service-http service-https Web allow deny URL / Profile Groups Group New 165 Log Setting Panorama syslog Log Forwarding Profile New 166 Send At Session Start Send At Session End drop deny Schedule New 167 QoS Marking (QoS) IP DSCP IP QoS QoS 253 Disable Server Response Inspection
NAT 3 (NAT) IP IP NAT NAT Dynamic IP/Port IP IP/ NAT IP IP IP IP/NAT Palo Alto Networks Dynamic IP/port NAT NAT IP NAT IP PA-2000 IP PA-4020 PA-4050/4060 Dynamic IP IP NAT IP IP IP Static IP IP IP IP / IP NAT TCP UDP HTTP (service-http) TCP 80 8080 TCP 80 NAT (M) NAT (N) M N N 1 Dynamic IP/Port NAT Dynamic IP NAT TCP UDP Dynamic IP/Port Dynamic IP NAT IP Static IP NAT IP IP M M 124 Palo Alto Networks
59. NAT PAN-OS NAT Dynamic IP/ Port M N 254 Dynamic IP M N 16k Static IP 1 1 M M MIP 1 VIP PAT NAT NAT NAT NAT IP Internet IP IP NAT IP IP NAT NAT NAT NAT NAT NAT IP IP NAT IP NAT NAT NAT NAT NAT NAT NAT IP NAT source translation No Source Translation Palo Alto Networks 125
NAT NAT NAT NAT IP 10.0.1.10 IP 3.3.3.1 IP 3.3.3.1 IP 10.0.1.10 NAT 18. NAT NAT NAT 10.0.0.1 L3 trust 10.0.0.100 IP L3 untrust 200.10.2.100 L3 trust L3 untrust NAT NAT / / 19. NAT IP L3 trust L3 untrust Rule2 L3untrust NAT NAT NAT IP L3untrust 20. 126 Palo Alto Networks
Policies > NAT NAT HTTP NAT 83 120 60. NAT Name Source Zone Destination Zone Destination Interface Source Address Destination Address Service Source Translation Destination Translation / NAT any 2 3 98 NAT IP VLAN IP ISP IP 160 IP (address1-address2) Dynamic IP/port 64K IP 254 IP Dynamic IP 16K IP Static IP 192.168.0.1-192.168.0.10 10.0.0.1-10.0.0.10 192.168.0.2 10.0.0.2 IP IP 1 65535 port number Palo Alto Networks 127
Policies > Policy Based Forwarding (PBF) IP ID IP PBF IP PBF PBF Forward-to-VSYS PBF 120 61. General Name Tag Source Source Zone Source Address Source User Destination/ Application/Service Destination Address Application Service 31 Add Add 2 3 98 Add Address Address Group Regions Add Add Address Address Group Regions 153 157 160 128 Palo Alto Networks
61. Forwarding Action Monitoring Schedule Forward IP Forward To VSYS Discard No PBF Monitor Profile Disable if unreachable IP Address IP Ping 167 Policies > Decryption (SSL) (SSH) SSH SSH URL ID URL SSL SSL Palo Alto Networks SSL CA SSL Device > Certificates Forward Trust Certificate 57 Palo Alto Networks 129
62. General Name Tag Source Source Zone Source Address Source User Destination Destination Zone Destination Address Options Action Type Category Block sessions that cannot be decrypted 31 Add Add 2 3 98 Add Address Address Group Regions Add Add 2 3 98 Add Address Address Group Regions decrypt no-decrypt SSL Forward Proxy SSH Proxy SSH sshtunnel App-ID SSH SSL Inbound Inspection SSL Add URL 130 Palo Alto Networks
unknown 153 PAN-OS ID IP IP 1. 153 2. IP IP Policies > Application Override 63. General Name Tag Source Source Zone 31 Add Add 2 3 98 Palo Alto Networks 131
63. Source Address Source User Destination Destination Zone Destination Address Protocol/Application Protocol Port Application Add Address Address Group Regions Add Add 2 3 98 Add Address Address Group Regions 0 65535 (port1-port2) New Application 153 User-ID Agent Active Directory IP 132 Palo Alto Networks
Policies > Captive Portal User Identification 201 64. Name Tag Source Source Destination Service/Action Action Setting Service 31 Add Add Source Address DoS Negate Add Add Destination Address Negate Add captive-portal no-captive-portal ntlm-auth Web NT LAN (NTLM) Web TCP / UDP any any application-default Palo Alto Networks default Palo Alto Networks 133
DoS DoS / IP / DoS Policies > DoS Protection DoS 65. DoS Name Shared Tag Source Source Destination 31 Add Type Interface DoS DoS Zone Add Source Address DoS Negate Add Source User DoS Add Type Interface DoS DoS Zone Add Destination Address DoS Negate Add 134 Palo Alto Networks
65. DoS Option/Protection Service Action Schedule Aggregate Classified DoS Deny Allow Protect DoS DoS / DoS DoS Profile Address IP IP IP IP 100 source Address IP 100 138 139 URL URL 141 143 145 Palo Alto Networks 135
DoS (DoS) DoS 147 Default Alert Block Allow None Default Alert Drop Drop-all-packets Reset-both Reset-client Reset-server Block-IP - Phone Home DoS 136 Palo Alto Networks
Objects > Security Profiles > Antivirus (SMTP) Internet (IMAP) 3 (POP3) Internet 135 66. Name Antivirus Packet Capture Decoders and Actions Applications Exceptions and Actions Virus Exception Threat ID 31 HTTP Block HTTP Allow ID Add ID 183 Palo Alto Networks 137
Objects > Security Profiles > Anti-Spyware Phone Home phone-home Internet 67. Name Anti-Spyware Rule Type:Simple Rule Type:Custom Packet Capture Spyware Exception Threat ID 31 Simple None Default Allow Alert Block Enable All None Alert Block-IP Default Drop Drop All Packets Reset Both Reset Client Reset Server Block IP IP ID Add ID 183 138 Palo Alto Networks
Objects > Security Profiles > Vulnerability Protection Internet 121 68. Name Shared Vulnerability Rule Type:Simple Rule Type:Custom 31 Simple None Default Allow Alert Block Enable All None Alert Block-IP Default Drop Drop All Packets Reset Both Reset Client Reset Server Block IP IP Palo Alto Networks 139
68. Threats Packet Capture Vulnerability Exception Threat ID Enable All Action FTP ID 40001 Vulnerability Custom IP IP IP IP CVE (CVE) ID Add ID 183 140 Palo Alto Networks
URL Objects > Security Profiles > URL Filtering URL URL Web Palo Alto Networks URL 121 URL URL URL 162 69. URL Name Shared Action on License Expiration Dynamic URL Filtering Log Container Page Only 31 URL URL Block Allow URL URL URL URL URL 2 BrightCloud URL 1 URL 5 Category and Action Category ActionNot resolved URL URL 36 Palo Alto Networks 141
69. URL Block List Allow List Category/Action IP URL URL http[s]:// www.ebay.com 198.133.219.25/en/US. /? & = ; + ASCII * *.yahoo.com www.*.com www.yahoo.com/search=* search * ) * yahoo com ) www * com ) www yahoo com * ww*.yahoo.com www.y*.com IP URL Set for all categories Allow Block Continue Continue Override Settings URL Admin Override 26 1 Alert URL 142 Palo Alto Networks
Objects > Security Profiles > File Blocking / 71 121 70. Name Shared Rules 31 Add Name 31 Applications any File Types Direction Upload Download Both Action Continue Move Up Move Down Edit Delete 71. exe dll pe doc xls ppt docx Microsoft Windows Microsoft Windows Microsoft Windows exe dll com scr ocx cpl sys drv tlb Microsoft Office Microsoft Office Excel Microsoft Office PowerPoint Microsoft Office 2007 Palo Alto Networks 143
71. xlsx pptx msoffice enc-doc enc-docx enc-xls enc-xlsx enc-ppt enc-pptx enc-office2007 zip enc-zip Zcompressed gzip tar rar enc-rar lha avi bat cab ocx cmd flv hta iso mdb mdi mov mpeg msi pdf pgp pif pl reg Microsoft Office 2007 Excel Microsoft Office 2007 PowerPoint Microsoft Office doc xls ppt pub pst Microsoft Office Microsoft Office 2007 Microsoft Office Excel Microsoft Office 2007 Excel Microsoft Office PowerPoint Microsoft Office 2007 PowerPoint Microsoft Office 2007 Winzip/pkzip zip Unix Z uncompress gzip Unix tar winrar rar lha / Microsoft AVI (RIFF) MS DOS Microsoft Windows Microsoft ActiveX Microsoft Adobe Flash HTML ISO-9660 Microsoft Access Microsoft Apple Quicktime MPEG-1 MPEG-2 Microsoft Windows Installer Adobe PGP Windows Perl Windows 144 Palo Alto Networks
71. rtf sh tif wmf wmv wri wsf Windows Unix Windows Windows Metafile Windows Media Windows Windows Objects > Security Profiles > Data Filtering 121 72. Name Shared Data Capture 31 Settings Manage Data Protection 26 Palo Alto Networks 145
Add 73. Data Pattern Applications File Types Direction Alert Threshold Block Threshold Data Pattern Data Pattern Name Description Shared CC# 0-255 SSN# 123-45-6789 0-255 255 SSN# 123456789 0-255 255 Custom Patterns Add (regex) 0-255 255 any Select Add Remove any Select Add Remove 146 Palo Alto Networks
DoS Objects > Security Profiles > DoS Protection DoS DoS DoS DoS DoS DoS 134 74. DoS Name Shared Type 31 aggregate DoS 10000 (pps) SYN Flood DoS classified DoS IP IP IP Flood Protection Syn Flood UDP Flood ICMP Flood SYN flood Choice SYN Flood Random early drop DoS SYN cookies SYN cookies SYN flood Alarm Rate DoS (pps) 0-2000000 pps 10000 pps Activate Rate DoS (pps) 0-2000000 pps 10000 pps Maximal Rate Block Duration Resources Protection Sessions Max Concurrent Limit DoS DoS DoS DoS IP IP IP DoS DoS Palo Alto Networks 147
151 158 159 160 URL URL URL URL 162 165 166 167 Objects > Addresses 150 75. Name Shared 31 148 Palo Alto Networks
75. IP Address IP Range FQDN IPv4 IPv6 FQDN IPv4 ip_address/mask ip_address mask 192.168.80.150/32192.168.80.0/24 192.168.80.0 192.168.80.255 IPv6 IPv6 2001:db8:123:1::1 2001:db8:123:1::/64 IP Range ip_address-ip_address IPv4 IPv6 2001:db8:123:1::1-2001:db8:123:1::22 FQDN FQDN FQDN DNS FQDN DNS DNS DNS DNS 114 Palo Alto Networks 149
Objects > Address Groups 76. Address Group Name 31 All Addresses & Groups / Objects > Regions / DoS / 77. Name Geo Location Addresses 31 xxx.xxxxxx App-Scope 174 IP IP x.x.x.x x.x.x.x-y.y.y.y x.x.x.x/n> 150 Palo Alto Networks
Applications 1 5 Networking Networking Attribute Technology Objects > Application Filters Palo Alto Networks 151
Search Enter 78. Name Additional Information Standard Ports Capable of File Transfer Used by Malware Excessive Bandwidth Use Evasive Widely used Has Known Vulnerabilities Tunnels Other Applications Depends on Applications Category Subcategory Technology Risk Prone to Misuse Session Timeout TCP Timeout (seconds) UDP Timeout (seconds): Web Wikipedia Google Yahoo! Customize (1-5) OK Customize OK TCP 1-604800 Customize OK UDP 1-604800 Customize OK
ID unknown-tcp unknown-udp HTTP 193 Objects > Applications Applications 79. Configuration Name Shared Category Sub Category Technology Parent Application Risk Characteristics Advanced Defaults - Port IP Protocol 31 email database 285 Top Ten Application Categories 171 email database 285 Top Ten Application Categories 171 287 1 5 287 TCP / UDP Port <protocol>/<port> <port>, dynamic TCP/dynamic UDP/32 Service app-default TCP UDP IP IP Protocol 1 255 Palo Alto Networks 153
79. ICMP Type None Timeouts TCP Timeout UDP Timeout Scanning Signature Signatures Internet (ICMP) ICMP Type IPv4 ICMP6 Type IPv6 0-255 None 0-604800 TCP UDP TCP UDP TCP UDP TCP UDP 0-604800 Add Name Comment Scope Ordered Condition Match Add AND Condition Add OR Condition Add Condition Pattern Match Equal To Context Pattern 83 Qualifier and Value / Context TCP UDP Position Mask 4 0xaabbccdd Value 4 0xffffff00 Move Up Move Down Move Up Move Down Import Destination Export 154 Palo Alto Networks
PAN-OS Command Line Interface Reference Guide

- Web Web www.specifiedsite.com

    GET /001/guest/viewprofile.act?fa=25&tg=m&mg=f&searchtype=zipcode&type=quick&pict=true&context=adrr&zip=94024&ta=34&sb=&item=0&pn=0 HTTP/1.1
    Host:www.specifiedsite.com
    User-Agent:Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
    Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language:en-us,en;q=0.5
    Accept-Encoding:gzip,deflate
    Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive:300
    Connection:keep-alive
    Referer:http://www.specifiedsite.com/001/guest/search.act?type=quick&pict=true&sb=&fa=25&ta=34&mg=f&tg=m&searchtype=zipcode&zip=94024&context=adrr&context=adrr
    Cookie:JSESSIONID=A41B41A19B7533589D6E88190B7F0B3D.001; specifiedsite.com/jumpcookie=445461346*google.com/search?q=lava+life&; locale=en_us; campaign=1; imagenum=2; cftag_logsid=9327803497943a1237780204643; utma=69052556.1949878616336713500.1238193797.1238193797.1238193797.1; utmb=69052556.2.10.1238193797; utmc=69052556; utmz=69052556.1238193797.1.1.utmcsr=(direct) utmccn=(direct) utmcmd=(none) ; utmv=69052556.gender%3df; launch=1

www.specifiedsite.com specifiedsite

    username@hostname# show application specifiedsite
    specifiedsite {
      category collaboration;
      subcategory social-networking;
      technology browser-based;
      decoder http;
      signature {
        s1 {
          and-condition {
            a1 {
              or-condition {
                o1 {
                  context http-req-host-header;
                  pattern www\.specifiedsite\.com;
                }
              }
            }
          }
        }
      }
    }

- www.specifiedblog.com

    POST /wp-admin/post.php HTTP/1.1
    Host:panqa100.specifiedblog.com
    User-Agent:Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
    Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language:en-us,en;q=0.5
    Accept-Encoding:gzip,deflate
    Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive:300
    Connection:keep-alive
    Referer:http://panqa100.specifiedblog.com/wp-admin/post.php?action=edit&post=1
    Cookie: utma=96731468.235424814.1238195613.1238195613.1238195613.1; utmb=96731468; utmc=96731468; utmz=96731468.1238195613.1.1.utmccn=(organic) utmcsr=google utmctr=blog+host utmcmd=organic; wordpressuser_bfbaae4493589d9f388265e737a177c8=panqa100; wordpresspass_bfbaae4493589d9f388265e737a177c8=c68a8c4eca4899017c58668eacc05fc2
    Content-Type:application/x-www-form-urlencoded
    Content-Length:462

    user_id=1&action=editpost&post_author=1&post_id=1&post_title=hello+world%21&post_category%5b%5d=1&advanced_view=1&comment_status=open&post_password=&excerpt=&content=hello+world.%3cbr+%2f%3e&use_instant_preview=1&post_pingback=1&prev_status=publish&submit=save&referredby=http%3a%2f%2fpanqa100.specifiedblog.com%2fwp-admin%2f&post_status=publish&trackback_url=&post_name=helloworld&post_author_override=1&mm=3&jj=27&aa=2009&hh=23&mn=14&ss=42&metakeyinput=&metavalue=http/1.1

specifiedblog.com specifiedblog.com post_title post-author

    username@hostname# show application specifiedblog_blog_posting
    specifiedblog_blog_posting {
      category collaboration;
      subcategory web-posting;
      technology browser-based;
      decoder http;
      signature {
        s1 {
          and-condition {
            a1 {
              or-condition {
                o1 {
                  context http-req-host-header;
                  pattern specifiedblog\.com;
                  method POST;
                }
              }
            }
            a2 {
              or-condition {
                o2 {
                  context http-req-params;
                  pattern post_title;
                  method POST;
                }
              }
            }
            a3 {
              or-condition {
                o3 {
                  context http-req-params;
                  pattern post_author;
                  method POST;
                }
              }
            }
          }
        }
      }
    }
Objects > Application Groups 153 80. Name Applications Filters Groups 31 any deny Select 285 Search Available Add Filters Add Filter Groups Add Group Palo Alto Networks 157
Objects > Application Filters Add Networking Networking Technology 158 Palo Alto Networks
any TCP UDP HTTP HTTPS Objects > Services any TCP UDP HTTP HTTPS 160 81. Service Name Shared Protocol Destination Port Port 31 TCP UDP 0 65535 (port1-port2) 0 65535 (port1-port2) Palo Alto Networks 159
Objects > Services Groups 159 82. Name Service 31 Add Service 159 163 7 7 7 confidential Confidential CONFIDENTIAL PAN-OS PAN-OS 83..? 0 1 (abc)? * 0 (abc)* + 1 (abc)+ 160 Palo Alto Networks
83. or ((bif) (scr) (exe)) bif scr exe - [c-z] c z c z [ ] [abz]: a b z ^ [^abz] a b z { } / {10,20} 10 20. \ \ & & & &.*((confidential) (CONFIDENTIAL)) Confidential CONFIDENTIAL.* confidential.*((proprietary & Confidential) (Proprietary and Confidential)) Proprietary & Confidential Proprietary and Confidential Confidential.*(Press Release).*((Draft) (DRAFT) (draft)) draft Press Release Press Release.*(Trinidad) Trinidad Palo Alto Networks 161
URL Objects > Custom URL Categories URL URL URL URL URL Allow Block Continue Override Alert URL URL www.example.com * *.example.com 69 141 URL URL 141 84. URL Name Shared Members URL 31 URL Members Import URL Objects > Custom Signatures > Data Patterns Data Patterns 145 85. Name Shared 31 162 Palo Alto Networks
85. Add Pattern Weight 1 255 Alert Block Objects > Custom Signatures > Spyware Objects > Custom Signatures > Vulnerability Phone Home HTTP SMTP IMAP FTP POP3 Custom Signatures 86. - Configuration Threat ID Name 15000-18000 41000-45000 Palo Alto Networks 163
86. - Shared Comment Severity Default Action Direction Affected System CVE Vendor Bugtraq Reference Signature Standard Signature Alert Drop Packets Reset Both Reset Client Reset Server Block IP (CVE) bugtraq CVE ACC Standard Add Standard Comment Ordered Condition Match Scope Add AND Condition Add OR Condition Add Condition Method Context Pattern Move Up Move Down Move Up Move Down 164 Palo Alto Networks
86. - Combination Signature Combination Combination Signatures Add AND Condition Add OR Condition Add Condition Method Context Pattern Move Up Move Down Move Up Move Down Time Attribute Number of Hits (1-3600) (1-1000) Aggregation Criteria IP IP IP Objects > Security Profile Groups URL 165 87. Profile Group Name Profiles 31 URL / 145 Palo Alto Networks 165
Objects > Log Forwarding Panorama / SNMP syslog, 121 88. Name Panorama SNMP Trap Setting Email Setting Syslog Setting Panorama SNMP Trap Setting Email Setting Syslog Setting 31 Panorama Panorama 26 SNMP syslog / SNMP 53 56 Syslog 55 Panorama Critical High Medium URL Low Informational SNMP syslog / 166 Palo Alto Networks
Objects > Schedules 121 89. Name Recurrence Times Day of Week Start Time End Time Start Date End Date 31 Daily Weekly Non-Recurring Add Delete Weekly 24 (HH:MM) Non-Recurring (YYYY/MM/DD) Palo Alto Networks 167
6 171 174 183 Botnet 186 PDF 188 190 190 191 191 192 193 196 Palo Alto Networks 169
Dashboard Dashboard 10 Refresh 1 min 2 mins 5 mins Manual 90. Top Applications Top High Risk Applications General Information Interface Status Threat Logs Config Logs Data Filtering Logs URL Filtering Logs System Logs Resource Information Logged In Admins ACC Risk Factor High Availability Top Applications PAN-OS URL 10 ID ID URL URL 10 Web CLI 60 URL 60 10 Config installed CPU IP Web CLI 1 5 (HA) HA HA HA 67 170 Palo Alto Networks
ACC Application Command Center (ACC) ACC 1 5 1. ACC Go a. b. Time Frame c. Sort By d. Top N 25 21. Palo Alto Networks 171
2. 3. Set Filter OK 4. 5. Applications URL Filtering Threat 91. Applications URL Filtering Threats Data Filtering Applications Technology Risk URL URL URL URL URL URL ID Threats File Types 172 Palo Alto Networks
Monitor > App Scope Monitor App-Scope 92. Summary Change Monitor Threat Monitor Threat Map Network Monitor Traffic Map 175 176 178 178 180 182 174 Palo Alto Networks
94. 26 26. / Zoom Out 95. Palo Alto Networks 179
97. Monitor > Logs URL (HIP) 39 Monitor 10.0.0.252 Host Web Browsing AND Add Log Filter (AND/OR) Add Close Apply Filter Expression in Last 60 seconds Clear Filter Save Filter OK Palo Alto Networks 183
Save Filter OK 1 min 30 seconds 10 seconds Manual Rows 10 Resolve Hostname IP 29. Addresses IP IP IP 98. Traffic allow deny drop ICMP Count Type dropanydeny not-applicable 184 Palo Alto Networks
98. Threat URL Filtering Data Filtering Configuration System HIP URL allow block Count Type virus spywarename URL Category keylogger URL 135 URL URL URL URL 141 145 OK 77 IP Web CLI GlobalProtect GlobalProtect 237 Palo Alto Networks 185
Botnet Monitor > Session Browser Session Browser 183 Botnet Botnet botnet URL DNS 30 Internet (IRC) botnet 1 5 botnet 1 5 24 24 Botnet Monitor > Botnet botnet Botnet Configuration 99. Botnet HTTP IRC Enable Malware URL visit botnet URL URL Use of dynamic DNS botnet DNA Browsing to IP domains IP URL Browsing to recently registered domains 30 Executable files from unknown sites URL TCP UDP Sessions per Hour Destinations per Hour Minimum Bytes Maximum Bytes IRC 186 Palo Alto Networks
Botnet Botnet Monitor > Botnet > Report Setting botnet botnet Botnet 186 IP Run Now Botnet botnet Botnet Report Setting Export to PDF Export to CSV 100. Botnet 24 # Rows Scheduled Query Negate Botnet Run Now Add Connector (AND/OR) Attribute Operator Value Palo Alto Networks 187
PDF PDF Monitor > PDF Reports PDF 5 50 30. PDF 188 Palo Alto Networks
PDF PDF New Manage PDF Summary Reports 31. PDF 18 Save OK PDF PDF Summary Report Palo Alto Networks 189
Monitor > PDF Reports > User Activity New 101. Name User Time frame IP IPv4 IPv6 Edit Run Monitor > PDF Reports > Report Groups PDF 102. Report Group Name Title Page Custom Title Report selection Add 190 Palo Alto Networks
Monitor > PDF Reports > Email Scheduler 190 56 2:00 AM 103. Name Report Group Recurrence Email Profile Override Recipient email(s) 190 56 Monitor 50 Monitor Select CSV Export to CSV PDF Export to PDF PDF Palo Alto Networks 191
Monitor > Manage Custom Reports Reports Add Load Template 104. Name Database Time Frame Sort By Group By Scheduled Columns Query and Query Builder 31 Custom amount amount Reports Available Selected Add Connector (and/or) Attribute Operator = Value Traffic Log 24 untrust Negate 24 untrust 192 Palo Alto Networks
Palo Alto Networks Web (ACC) ACC 32. ACC Palo Alto Networks 193
Monitor Reports 33. unknown-tcp 34. 194 Palo Alto Networks
131 155 Palo Alto Networks App-ID Palo Alto Networks App-ID TCP UDP IP 131 App-ID Palo Alto Networks App-ID IP Palo Alto Networks Internet Palo Alto Networks Internet URL http://www.paloaltonetworks.com/researchcenter/tools/ (PCAP) support@paloaltonetworks.com ACCunknown Incomplete Insufficient-Data Palo Alto Networks 195
Monitor > Packet Capture PAN-OS Clear All Settings 105. Filtering Manage Filters Filtering Pre-Parse Match Manage Filters Add Id Ingress Interface Source IP Destination IP Src Port Dest Port Proto Non-IP IP IP IP IP IP IPv6 IPv6 ON 196 Palo Alto Networks
105. Capture Files Capturing Capture Settings Add Stage drop firewall receive transmit File Packet Count Byte Count Palo Alto Networks 197
7 201 201 Active Directory User-ID Agent 203 edirectory API User-ID Agent 208 214 VPN IPSec VPN IPSec 221 (User-ID Agent) Palo Alto Networks IP User-ID Agent IP IP Active Directory IP Active Directory IP edirectory IP edirectory User-ID Agent Palo Alto Networks 199
edirectory WMI NetBIOS PC IP 20 IP IP User-ID Agent API IP User-ID Agent Active Directory edirectory (LDAP) Active Directory edirectory/ldap Active Directory User- ID Agent IP edirectory User-ID Agent IP User/group membership User-IP address mapping Active Directory User-ID Agent performs both functions LDAP and/or edirectory Firewall is responsible for user/group membership User-ID Agent is responsible for IP-address mapping 35. User-ID Agent NAT IP IP NAT User-ID Agent TS User-ID Agent IP 200 Palo Alto Networks
201 Active Directory User-ID Agent 203 edirectory API User-ID Agent 208 214 User-ID Agent IP Web NT LAN (NTLM) Web Web Web HTTP Web Web form Web NTLM Internet Explorer Firefox NTLM Web HTTP IP Device > User Identification IP 106. User-ID Agent Name Virtual System IP Address Port User-ID Agent User-ID Agent Windows PC IP Palo Alto Networks 201
RADIUS Captive Portal Edit 107. Virtual System Enable Captive Portal Idle Timer Expiration Server Certificate Client Certificate Authentication Profile User Identification Agent Host Name Mode 5-1440 5 5-1440 5 NTLM User-ID Agent HTTP NTLM NTLM cookie cookie Address IP Enable Timeout Enable 60-10080 1440 Roaming IP cookie Roaming cookie 202 Palo Alto Networks
Active Directory User-ID Agent LDAP LDAP Server Add 108. User-ID Agent Virtual System Enable Name Server Profile Domain Update Interval Group Filter User Filter Groups Users LDAP LDAP 1-3600 LDAP LDAP objectclass=group objectclass=group Active Directory User-ID Agent User-ID Agent Active Directory IP IP Palo Alto Networks User-ID Agent Windows PC App- Scope IP Active Directory User-ID Agent ISP Palo Alto Networks 203
Active Directory User-ID Agent PC User-ID Agent PC PC Server Operator PC 1. Control Panel > Administrative Tools > Services 2. PANAgentService Properties 3. Log On 36. User-ID Agent 4. Server Operator This Account Server Operator 5. OKServices User-ID Agent User-ID Windows 2008 Windows XP Windows Server 2003 PC Active Directory Active Directory 204 Palo Alto Networks
Active Directory User-ID Agent 201 User-ID Agent 165 User-ID Agent User-ID Agent User-ID Agent 1. Start > All Programs > Palo Alto Networks > User Identification Agent 37. User-ID Agent Agent Status User-ID Agent Get Groups IP to Username Information IP IP Get IP Information Get All LDAP LDAP Get LDAP tree Configure User-ID Agent Palo Alto Networks 205
Active Directory User-ID Agent Filter Group Members User-ID Agent Ignore Groups User-ID Agent User-ID Agent User-ID Agent 1. Start > All Programs > Palo Alto Networks > User Identification Agent 2. Configure 38. 3. 1024 4. Domain Controller Address Active Directory IP Add 5. Allow Distribution Groups 6. WMI/NetBIOS Disable NetBIOS Probing User-ID Agent NetBIOS WMI WMI Pan Agent PC Windows 206 Palo Alto Networks
Active Directory User-ID Agent 7. Enable Group Cache User-ID Agent 8. Age-out Timeout IP IP 45 NetBIOS User Membership Timer 60 Security Log Timer 1 NetBIOS Probing Timer NetBIOS 20 Server Session Timer 9. Allow List IP Add IP Address Subnet Mask ip_address/mask10.1.1.1/24 10. Ignore List IP Add IP Address Subnet Mask ip_address/mask10.1.1.1/ 24 11. Save User-ID Agent OK User-ID Agent User-ID Agent Cancel Palo Alto Networks User-ID Agent File > Show Logs Palo Alto Networks 207
edirectory API User-ID Agent User-ID Agent User-ID Agent PC Control Panel Add or Remove Programs User Identification Agent PC edirectory API User-ID Agent edirectory API User-ID Agent edirectory API User-ID Agent 201 User-ID Agent User-ID Agent User-ID Agent Start > All Programs > Palo Alto Networks > User- ID Agent 39. User-ID Agent - 208 Palo Alto Networks
edirectory API User-ID Agent Configuration Monitor Device Connection List User-Identification Agent Device IP IP Connection Status Connected Disconnected Connecting Connection List User-ID Server Connection List ID Server Down Credential invalid Connecting User-ID Agent 1. Start > All Programs > Palo Alto Networks > User Identification Agent 2. Configure 40. User-ID Agent - 3. Device Listening Port PC 5007 4. User-ID Agent Entry Timeout 1-360000 edirectory LDAP Palo Alto Networks 209
edirectory API User-ID Agent 5. Enable Network Address Allow/Ignore List IP Allowed List Ignore List User-ID Agent Add Delete x.x.x.x x.x.x.x/y 6. Device Access Control Enable Device Access Control List IP Add Remove 7. Commit Commit User-ID Agent Cancel User-ID Agent 8. Configure edirectory edirectory 41. User ID Agent - edirectory 9. LDAP Server Selection EDirectory LDAP IP IP IP Add Remove 10. Copy Settings OK 210 Palo Alto Networks
edirectory API User-ID Agent 11. Basic Settings Basic Settings Advanced Settings Search Base dc=domain1, dc=example, dc=com Bind Distinguished Name LDAP cn=admin, ou=it, dc=domain1, dc=example, dc=com Bind Password Confirm Bind Password Server Domain Prefix Search Interval User-ID Agent 1-36000 30 12. Advanced Settings EDirectory Search Filter LDAP objectclass=person Login Address Attribute Names IP networkaddress Login Time Attribute Name logintime Login ID Attribute Name ID uniqueid Bind Port 636 Other / SSL SSL Verify Server Certificate SSL edirectory Palo Alto Networks 211
edirectory API User-ID Agent 13. Configure User-ID API User- ID API 42. User ID-Agent - API a. Enable User-ID API User-ID API b. ConfigureUser- ID API 5006 c. Server Allow List IP User-ID Agent User-ID API Add Remove d. Commit 212 Palo Alto Networks
edirectory API User-ID Agent User-ID Agent User-ID Agent PC Control Panel Add or Remove Programs User-ID Agent PC User-ID Agent Monitor User-ID Agent IP 1. Start > All Programs > Palo Alto Networks > User Identification Agent 2. Monitor Monitor 43. LDAP - Monitor 3. Search IP IP Search Name User-ID Agent Ready Connected Palo Alto Networks 213
Terminal Server Agent TS IP TS TCP/UDP TS TS TCP/UDP TCP/UDP TS TCP/UDP ID Terminal Server Agent Device > User Identification TS User Identification Terminal Server Agent Add 109. Terminal Server Agent Name Virtual system IP Address Port Alternative IP Addresses TS TS Windows PC IP IP TS IP IP IP Terminal Server Agent TS Microsoft Terminal Services 2003 Microsoft Terminal Services 2008 Citrix Metaframe Presentation Server 4.0 Citrix Metaframe Presentation Server 4.5, Citrix XenApp 5, 6 214 Palo Alto Networks
TS 1. 2. 3. TS TS TS TS TS 4. TS 5. Terminal Server Agent TS 1. Start TS 2. Terminal Server Agent 44. Terminal Server Agent - Palo Alto Networks 215
TS Palo Alto Networks Device IP IP Connection Status Connected Disconnected Connecting TS Connection List 3. TS Enable Device Access Control List IP Add Remove Save 4. Configure 45. Terminal Server Agent - Configure 5. Save 216 Palo Alto Networks
110. Terminal Server Agent System Source Port Allocation Range System Reserved Source Ports Listening Port Source Port Allocation Range Reserved Source Ports Port Allocation Start Size Per User Port Allocation Maximum Size Per User Fail port binding when available ports are used up UDP TCP - 1025-5000 - Palo Alto Networks 5009 20000-39999 TS 2000-3000,3500,4000-5000 - TS 200 TS TS 200 Port Allocation Start Size Per User TS System Source Port Allocation Range ID Palo Alto Networks 217
6. Monitor 46. Terminal Server Agent - Monitor 7. 111. Terminal Server Agent User Name Ports Range Ports Count 20400-20799, 20500-20599 Port Allocation Start Size Per User Port Allocation Maximum Size Per User 110 8. Refresh Ports Count Ports Count Refresh Interval 218 Palo Alto Networks
TS 112. Terminal Server Agent Configure Monitor Restart Service Show Logs Debug Exit Help Configuration Monitor TS None Error Information Debug Verbose TS TS Terminal Server Agent TS Add/Remove Programs Terminal Server Agent Palo Alto Networks 219
8 IPSec (VPN) IP (IPSec) VPN VPN IPSec IPSec IKE 223 IPSec VPN 224 IKE 226 IPSec 227 IKE 229 IPSec 230 230 IPSec 231 VPN 232 Palo Alto Networks IPSec 221
(VPN) (LAN) IP (IPSec) VPN TCP/IP IPSec IPSec VPN Secure Socket Layer (SSL) VPN VPN VPN 9 GlobalProtect SSL-VPN IPSec IPSec Firewall Switch Router Internet Router Switch Firewall IPSec tunnel Local network Local network 47. IPSec VPN Palo Alto Networks Palo Alto Networks VPN IP VPN VPN VPN IP VPN VPN ID 2 ID IPSec 227 IPSec IP IP IP IP IP IPSec IPSec (SA) (SPI) IP IPSec SA 222 IPSec Palo Alto Networks
IPSec IKE IPSec VPN SSL-VPN IPSec VPN GlobalProtect SSL-VPN 237 SSL-VPN IPSec VPN Palo Alto Networks SSL-VPN Web SSL Web SSL-VPN IPSec VPN VPN VPN VPN 10 IPSec IPSec IPSec IKE IPSec VPN Internet (IKE) IPSec IKE IKE IPSec IP ID IP PKI Palo Alto Networks IKE IKE IKE Diffie-Hellman PAN-OS IKE NAT Palo Alto Networks IPSec 223
IPSec VPN IPSec IKE IKE IKE 1 IKE IKE SA IKE 2 1 SA IPSec IPSec SA IPSec IKE IPSec IKE SA IKE SA Diffie-Hellman (DH) Group IKE DH Encryption Hash Algorithm Lifetime IPSec SA Encapsulating Security Payload (ESP) Authentication Header (AH) Perfect Forward Security (PFS) Diffie-Hellman (DH) group IPSec DH Lifetime IPSec IKE IPSec 227 IPSec 230 IPSec VPN IPSec VPN VPN 232 83 99 98 IPSec VPN 1. 2. IKE IKE IKE 226 224 IPSec Palo Alto Networks
IPSec VPN 3. IKE SA VPN IKEv1 Phase-1 IPSec 227 IKEv1 Phase-2 IPSec 230 4. IPSec VPN IPSec 227 5. IPSec 230 6. (RIP) (OSPF) 99 7. 121 Outgoing traffic entering the tunnel Incoming traffic egressing the tunnel VPN VPN VPN VPN IKE IPSec Palo Alto Networks IPSec 225
IKE IKE Network > Network Profiles > IKE Gateways IKE Gateways IKE 113. IKE IKE Gateway Local IP Address Peer IP Address Pre-shared key IP IP Show advanced Phase 1 options Local Identification (FQDN) ID FQDN IP Peer Identification FQDN ID FQDN IP Exchange Mode IKE Crypto Profile Dead Peer Detection 2-100 2-100 ICMP ping IKE auto 226 IPSec Palo Alto Networks
IPSec IPSec Network > IPSec Tunnels IPSec Tunnels IPSec VPN 114. IPSec IPSec Tunnel Tunnel Interface Type IKE Gateway Local IP Address Peer IP Address Pre-shared key Local Identification Peer Identification Exchange Mode IKE Crypto Profile Dead Peer Detection IPSec Crypto Profile New 95 Auto key IKE IKE 226 IP IP Dynamic FQDN IP address Key ID User FQDN IP FQDN IP address Key ID User FQDN IP auto aggressive main 2-100 2-100 ICMP ping IKE New IPSec 230 Palo Alto Networks IPSec 227
IPSec 114. IPSec Proxy IDs Replay Protection Copy TOS Header Tunnel Monitor ID Proxy ID Name Local Proxy ID IP ip_address/mask 10.1.2.1/24 Remote Proxy ID IP ip_address/mask 10.1.1.1/24 Protocol any TCP / UDP TCP TCP UDP UDP Number IPSec IP (TOS) IP TOS Enable Destination IP ICMP IP Palo Alto Networks IP IP Profile New ICMP 228 IPSec Palo Alto Networks
IKE IPSec VPN IPSec VPN 1 / IPSec IP IP IPSec 1 IP IP IPSec ID IPSec ID IKE Network > Network Profiles > IKE Crypto IKE Crypto Profiles IPSec SA (IKEv1 Phase-1) VPN 222 115. IKE DH Group Priority Hash Algorithm Priority Encryption Priority Lifetime Diffie-Hellman (DH) group14 group2 sha1 Encapsulating Security Payload (ESP) aes256 aes192 aes128 3des Palo Alto Networks IPSec 229
IPSec IPSec Network > Network Profiles > IPSec Crypto IPSec Crypto Profiles IPSec SA (IKEv1 Phase-2) VPN 222 116. IPSec Name AH Priority ESP Authentication ESP Encryption DH Group Lifetime Lifesize sha1 ESP sha1 None ESP aes256 aes192 aes128 3des DH 1 Network > Network Profiles > Monitor IPSec IPSec Tunnels IP 230 IPSec Palo Alto Networks
IPSec 117. Name Action Interval Threshold 31 wait-recover fail-over IPSec 2-10 3 2-100 5 IPSec Network > IPSec Tunnels IPSec VPN IPSec Tunnels Tunnel Status IPSec SA IPSec SA IKE Gateway Status IKE 1 SA IKE 1 SA Tunnel Interface Status UPDOWN Palo Alto Networks IPSec 231
VPN VPN VPN 233 VPN 234 VPN 235 IP 61.1.1.1 ethernet1/1 ISPpublic 10.100.0.0/16 ethernet1/5 (IP 10.100.0.1) server internal IP 202.101.1.1 ethernet1/2 ISP-branch branch PC 192.168.20.0/24 ethernet1/10 branch-office branch ethernet1/2 branch-office ISP-branch PC Internet Headquarters firewall Branch office firewall eth1/5 10.100.0.1/16 Zone: server Virtual router: HQ eth1/1 61.1.1.1 Zone: ISP Virtual router: HQ Internet eth1/2 202.101.1.1 Zone: ISP-branch Virtual router: branch 192.168.20.0/24 PC network eth1/10 192.168.20.1/24 Zone: branch-office Virtual router: branch 10.100.0.0/16 Server farm 48. VPN - 232 IPSec Palo Alto Networks
VPN branch-vpn tunnel.1 branch-vpn 172.254.254.1/24 IP 192.168.20.0/24 tunnel.1 172.254.254.20 IP branch-vpn server central-vpn tunnel.2 central-vpn 172.254.254.20/ 24 IP 10.100.0.0/16 tunnel.2 172.254.254.1 IP branch central-vpn Headquarters firewall Branch office firewall 10.100.0.0/16 Server farm eth1/5 10.100.0.1/16 Zone: server Virtual router: HQ eth1/1 61.1.1.1 Zone: ISP Virtual router: HQ Internet Tunnel interface: tunnel.1 172.254.254.1/24 Zone: branch-vpn Virtual router: HQ eth1/2 202.101.1.1 Zone: ISP-branch Virtual router: branch Tunnel interface: tunnel.2 172.254.254.20/24 Zone: central-vpn Virtual router: branch 192.168.20.0/24 PC network eth1/10 192.168.20.1/24 Zone: branch-office Virtual router: branch 49. VPN - Palo Alto Networks IPSec 233
VPN VPN IKE branch-1-gw Peer-address 202.101.1.1 Local-address ethernet1/1 Peer-ID FQDN branch1.my.domain Authentication pre-shared-key newvpn Protocol IPSec branch-1-vpn ike-gateway-profile branch-1-gw ipsec-crypto-profile Tunnel interface tunnel.1 proxy-id 10.100.0.0/16 192.168.20.0/24 10.100.0.1 192.168.20.0/24 IKE central-gw Peer-address 61.1.1.1 Local-address ethernet1/2 Local-ID FQDN branch1.my.domain Authentication pre-shared-key newvpn Protocol IPSec central -vpn ike-gateway-profile central -gw ipsec-crypto-profile Tunnel interface tunnel.2 proxy-id 192.168.20.0/24 10.100.0.0/16 branch-1-gw 202.101.1.1 peer-address local-id peer-id IKE proxy-id proxy-id IKE 234 IPSec Palo Alto Networks
VPN VPN VPN VPN VPN 234 VPN 1. 2. ping 202.101.1.1 61.1.1.1 3. ping (ethernet1/5) 4. ping (ethernet1/10) 5. CLI test vpn ike-sa gateway central-gw show vpn ike-sa gateway central-gw IKE 1 SA 6. CLI show vpn ike-sa gateway branch-1-gw IKE 1 SA 7. CLI test vpn ipsec-sa tunnel central-vpn show vpn ipsec-sa tunnel central-vpn IKE 2 SA 8. CLI show vpn ipsec-sa tunnel branch-1-vpn IKE 2 SA 9. ethernet1/5 IP 192.168.20.0/24 10. PC traceroute 11. PC ping CLI show vpn flow 12. syslog IKE debug ike pcap PCAP IKE Palo Alto Networks IPSec 235
9 GlobalProtect SSL-VPN GlobalProtect (SSL) (VPN) GlobalProtect SSL-VPN 248 VPN IPSec VPN IPSec 221 GlobalProtect GlobalProtect GlobalProtect Palo Alto Networks (HIP) HIP HIP GlobalProtect Palo Alto Networks GlobalProtect Palo Alto Networks GlobalProtect Palo Alto Networks GlobalProtect SSL-VPN 237
GlobalProtect 1. SSL GlobalProtect GlobalProtect 2. (DNS) 3. SSL 4. SSL IPSec IPSec 5. HIP GlobalProtect HIP HIP HIP HIP HIP HIP HIP HIP (CA) HIP HIP HIP HIP (ACC) GlobalProtect GlobalProtect SSL (CA) CA CA CA CA CA CA CA CA CA 41 46 238 GlobalProtect SSL-VPN Palo Alto Networks
GlobalProtect GlobalProtect GlobalProtect 1. HIP HIP 239 2. HIP HIP 242 3. GlobalProtect 243 4. GlobalProtect 245 5. HIP 122 6. GlobalProtect GlobalProtect 247 7. 183 HIP Objects > GlobalProtect > HIP Objects GlobalProtect HIP HIP HIP 118. HIP General Name Shared Host Info Domain OS Patch Management Patch Management HIP 31 (OS) HIP Palo Alto Networks GlobalProtect SSL-VPN 239
GlobalProtect 118. HIP Criteria Vendor Firewall Firewall Antivirus Antivirus Is Enabled (yes) (no) Is Installed Severity Check Patches Add Add Add OK Patch Management Is Enabled (yes) (no) Is Installed Vendor and Product Add Add OK Firewall Exclude Vendor Real-time Protection Is Installed Virus Definition Version Within Not Within Product Version Last Scan Time Within Not Within Vendor and Product Add Add OK Antivirus Exclude Vendor 240 GlobalProtect SSL-VPN Palo Alto Networks
GlobalProtect 118. HIP Anti-Spyware Anti-Spyware Disk Backup Disk Backup Disk Encryption Disk Encryption Real-time Protection Is Installed Virus Definition Version Within Not Within Product Version Last Scan Time Within Not Within Vendor and Product Add Add OK Anti-Spyware Exclude Vendor Is Installed Last Backup Time Within Not Within Vendor and Product Add Add OK Disk Backup Exclude Vendor Is Installed Encrypted Locations Add Add OK Disk Encryption Exclude Vendor Palo Alto Networks GlobalProtect SSL-VPN 241
GlobalProtect 118. HIP Criteria Vendor Custom Checks Process List Registry Key Is Enabled (yes) (no) Is Installed Encrypted Locations Add OK Disk Encryption Add Add OK Disk Encryption Add Add HIP Objects > GlobalProtect > HIP Profiles HIP HIP 239 GlobalProtect HIP HIP HIP 119. HIP Name Shared Match 31 HIP Browse HIP AND OR NOT HIP 242 GlobalProtect SSL-VPN Palo Alto Networks
GlobalProtect GlobalProtect Network > GlobalProtect > Portals GlobalProtect 120. GlobalProtect Name Location Authentication Profile Client Certificate Server Certificate Custom Login Page Custom Help Page Gateway Address Client Configuration General subtab settings 31 Shared 41 GlobalProtect SSL Interface Choice (HA) IP On demand Use single sign-on External Gateways Add IP Root CA Add CA Internal Gateways Add IP Palo Alto Networks GlobalProtect SSL-VPN 243
GlobalProtect 120. GlobalProtect Advanced subtab settings Third Party VPN Clients Add VPN VPN Internal Host Detection DNS IP Address IP Hostname IP Agent UI User can save password Passcode/Confirm Passcode Agent User Override Disabled With-comment GlobalProtect With-passcode GlobalProtect Data Collection Subtab Settings Max Wait Time Exclude Categories Add Add OK Custom Checks Process List Add Registry Key Add 244 GlobalProtect SSL-VPN Palo Alto Networks
GlobalProtect GlobalProtect Network > GlobalProtect > Gateways GlobalProtect 121. GlobalProtect Name Location Server Certificate Authentication Profile Client Certificate Tunnel Mode 31 Shared 41 Tunnel Interface Max Users Enable IPSec IPSec IPSec SSL - VPN Gateway Address Timeout Configuration Interface Choice / HA IP Login Lifetime Inactivity Logout Palo Alto Networks GlobalProtect SSL-VPN 245
GlobalProtect 121. GlobalProtect Client Configuration On demand Primary DNS Secondary DNS Primary WINS Secondary WINS IP Pool DNS Suffix Access Route HIP HIP Notification DNS IP Windows Internet (WINS) IP Add IP IP IP IP IP 192.168.0.0/16 192.168.0.10 Add Move Up Move Down Remove Add VPN VPN Internet Internet Add PC/ Move Up Move Down Remove Add 246 GlobalProtect SSL-VPN Palo Alto Networks
GlobalProtect GlobalProtect Devices > GlobalProtect Client GlobalProtect Client GlobalProtect GlobalProtect GlobalProtect 1. Download Close 2. Activate 3. Upload Activate from File OK 4. Remove GlobalProtect GlobalProtect (PanGP Agent) GlobalProtect GlobalProtect PanGP 1. > > Palo Alto Networks > GlobalProtect > GlobalProtect Settings 50. GlobalProtect - Settings Palo Alto Networks GlobalProtect SSL-VPN 247
SSL-VPN 2. GlobalProtect Remember Me 3. GlobalProtect IP 4. Apply GlobalProtect GlobalProtect Status tab Details tab IP Host State tab HIP Troubleshooting Network Configurations Routing Table GlobalProtect Sockets Logs GlobalProtect PanGP PanGP Start Stop SSL-VPN Windows 7 Vista Windows XP SSL-VPN VPN SSL-VPN Web SSL-VPN IPSec VPN IPSec VPN IPSec VPN IPSec 221 SSL-VPN SSL- VPN 3 Aggregate SSL-VPN 222 VPN Palo Alto Networks Palo Alto Networks 248 GlobalProtect SSL-VPN Palo Alto Networks
SSL-VPN SSL-VPN SSL-VPN 1. URL 2. 3. Start VPN 4. SSL-VPN VPN IPSec SSL 5. Internet 6. VPN SSL-VPN 1. URL 2. 3. Internet 4. VPN SSL-VPN SSL-VPN 1. SSL-VPN SSL-VPN 250 2. SSL-VPN 57 3. PC SSL-VPN NetConnect SSL-VPN 251 4. RADIUS 41 46 5. VPN SSL-VPN 248 6. VPN 77 7. SSL-VPN 121 Palo Alto Networks GlobalProtect SSL-VPN 249
SSL-VPN SSL-VPN Network > SSL-VPN SSL-VPN Client Configuration 122. SSL-VPN Name Server Certificate Authentication Profile Client Certificate Profile Custom Login Page Tunnel Interface Max User Enable IPSec Redirect HTTP traffic to HTTPS login page Gateway Address Timeout configuration Client Configuration Primary DNS Secondary DNS Primary WINS Secondary WINS DNS Suffix VPN VPN VPN 41 VPN 77 VPN VPN VPN SSL-VPN IPSec VPN HTTP HTTPS Interface Choice / HA IP Login Lifetime Inactivity Logout DNS IP Windows (WINS) IP Add Move Up Move Down Remove 250 GlobalProtect SSL-VPN Palo Alto Networks
SSL-VPN 122. SSL-VPN IP Pool - Subnet/Range Split Tunnel - Access Route IP IP IP IP 192.168.0.0/16 192.168.0.10 VPN VPN Internet Internet Add PC/ Move Up Move Down Remove NetConnect SSL-VPN Device > SSL-VPN Client SSL-VPN Client SSL-VPN NetConnect SSL-VPN SSL-VPN NetConnect SSL-VPN 1. Download Close Cancel Download 2. Activate SSL-VPN OK Cancel 3. Upload SSL-VPN Activate from File OK 4. SSL-VPN Remove Yes Palo Alto Networks GlobalProtect SSL-VPN 251
10 (QoS) QoS QoS 254 QoS 255 QoS 256 QoS 258 QoS QoS QoS Aggregate Ethernet QoS QoS QoS Network QoS QoS QoS 254 QoS QoS QoS 255 QoS Policies Policies QoS QoS 256 Palo Alto Networks 253
QoS QoS QoS QoS 4 QoS PA-4060 6 PA-4050 12 PA4020 12 PA-2050 6 PA- 2020 6 PA-500 6 QoS Network > QoS QoS QoS 123. QoS Physical Interface Interface Name Maximum Egress Enable QoS Clear Text Default Profile Tunnel Interface Default Profile Advanced Options Tunneled Traffic Clear Text Traffic Guaranteed Egress Maximum Egress (Mbps) QoS QoS QoS QoS 255 Tunneled Traffic Clear Text Traffic Detail Configuration (Mbps) 254 Palo Alto Networks
QoS 123. QoS Detail Configuration Group Configuration 45 Mbps T1 T1 QoS 45 Mbps Clear Text Add Name Source Interface Source Subnet any QoS Profile QoS QoS QoS 255 QoS Move Up Move Down Tunneled Traffic Add Tunnel Interface QoS Profile QoS Remove QoS Network > Network Profiles > QoS Profiles QoS QoS QoS QoS 254 QoS QoS 256 124. QoS Profile Name Guaranteed Egress Maximum Egress (Mbps) (Mbps) Palo Alto Networks 255
QoS 124. QoS Classes QoS Class QoS QoS 4 Guaranteed Egress (Mbps) Maximum Egress (Mbps) Priority QoS Network > Network Profiles > QoS Profiles QoS QoS 4 QoS QoS 254 QoS 255 Virtual System Go Filter Rules Source Zone / Destination Zone Filter by Zone Panorama QoS Add Rule Clone Rule Clone Rule 256 Palo Alto Networks
QoS 125. QoS Name / rulen n Source Zone Destination Zone Source Address Destination Address Source User Application Service Class any 2 3 98 IPv4 IPv6 select Available / Add Selected Search Available Add IP <ip_address>/<mask> Selected Remove any New Address 153 150 QoS any Select Add Available Selected + - Search Enter Selected Remove New Application 153 OK New Service 159 160 QoS OK QoS QoS QoS 255 Palo Alto Networks 257
QoS QoS Network > QoS QoS Policies QoS QoS QoS Policies 51. QoS QoS QoS Bandwidth Session Browser / Application View QoS / 258 Palo Alto Networks
11 Panorama Panorama (CMS) Panorama 260 Panorama 261 Panorama 261 Panorama 262 SSL 262 Panorama 263 Panorama VMware Panorama VMware Server VMware ESX(i) 4.x 3.5 VMware Server VMware Server VMware ESX(i) Palo Alto Networks Panorama 259
Panorama (OVF) VMware ESX(i) 4.x 3.5 2GHz CPU 2-4 GB RAM 10 10 4 GB VMware vsphere Client 4.x VMware Infrastructure Client 3.5 Panorama https://support.paloaltonetworks.com Panorama Panorama zip Panorama Panorama Panorama 1. Panorama zip panorama-esx.ovf 2. VMware vsphere Client VMware 3. File > Deploy OVF Template 4. Panorama panorama-esx.ovf Next 5. Next 6. Panorama Next 7. Panorama Next 8. Thick provisioned format Next 9. Finish 10. Panorama Power On Panorama 260 Panorama Palo Alto Networks
Panorama Panorama Panorama 10 GB VMware Server 950 GB ESX ESXi 2TB 1. VMware Panorama 2. Edit Virtual Machine Settings 3. Add Add Hardware wizard 4. Hard Disk Next 5. Create a new virtual disk Next 6. Virtual Disk Type IDE Next 7. Browse 8. Finish RAID 1/0 RAID 1/0 RAID 5 IDE 9. Panorama Panorama Panorama 10 GB Panorama Panorama 1. admin admin CLI CLI 2. IP 3. CLI Palo Alto Networks Panorama 261
Panorama 4. set deviceconfig system ip-address <Panorama-IP> netmask <netmask> default-gateway <gateway-ip> dns-setting servers primary <DNS-IP> <Panorama-IP> IP <netmask> <gateway-ip> IP <DNS-IP> (DNS) IP 5. commit exit 6. (<target-ip>) ping host <target-ip> ping Internet Panorama Panorama 1. Web https://<panorama IP address> Palo Alto Networks 2. Name Password admin Login 3. Panorama > Administrators > admin 4. Old Password admin 5. New Password 15 Confirm New Password 6. OK 7. 57 Panorama 8. 269 9. 26 Panorama IP SSL Panorama SSL SSL Panorama 1. Panorama > 2. Generate Import 3. OK 4. Commit 262 Panorama Palo Alto Networks
12 Panorama (CMS) Panorama Web Panorama 264 HA 267 269 270 271 272 273 273 274 275 Panorama 275 Panorama Web Panorama Panorama Web 1. Web https://<panorama IP address> Palo Alto Networks 2. Login Palo Alto Networks 263
Panorama Panorama Panorama Web Palo Alto Networks Panorama Panorama 1. Panorama IP 26 2. Panorama 269 Panorama Panorama Panorama 126. Panorama Dashboard 10 ACC 171 193 Monitor 191 Objects 271 Policies Panorama 271 Panorama Panorama Panorama Panorama Devices 127. Panorama Setup Config Audit Managed Devices Device Groups Admin Roles Panorama DNS NTP 26 32 Panorama 269 Panorama 270 Panorama 39 264 Palo Alto Networks
Panorama 127. Panorama Administrators High Availability Certificates Log Settings Server Profiles Panorama 40 Administrators Panorama (HA) HA 267 Web Panorama 57 Panorama 77 (SNMP) Syslog Log Destinations 49 Panorama SNMP 53 Syslog 55 56 RADIUS 44 LDAP 45 Authentication Profile Authentication Sequence Client Certificate Profile Access Domain Scheduled Config Export Software Dynamic Updates Support Deployment Active Directory (Kerberos) 46 Panorama 41 Panorama 46 Panorama 47 270 (FTP) 275 Panorama Panorama 275 Panorama 38 Palo Alto Networks 78 273 Palo Alto Networks 265
Panorama Context Panorama Panorama 269 Web Panorama 52. Panorama Panorama Panorama Panorama 128. Panorama Panorama Location Panorama Panorama SNMP Syslog (RADIUS) (LDAP) Kerberos Device Groups Panorama 270 Policies Objects Device Groups Shared Panorama Location Panorama Location Shared Objects Shared 266 Palo Alto Networks
HA HA Panorama > High Availability Panorama HA Panorama Panorama Panorama Preemption HA 4.0 3.1 Panorama HA Panorama Network File System NFS NFS Local Logging Panorama HA 129. Panorama HA Setup Enable HA Peer HA IP Address Enable Encryption Monitor Hold Time (ms) Election Settings Priority Preemptive Preemption Hold Time (min) Promotion Hold Time (ms) Hello Interval (ms) Heartbeat Interval (ms) Monitor Fail Hold Up Time (ms) HA Control Link HA1 IP Panorama Panorama (ms) 1000-60000 ms 3000 ms Primary Secondary Panorama 1-60 1 0-60000 ms 2000 8000-60000 ms 8000 Panorama ICMP Ping HA 1000-60000 ms 1000 Panorama 0 ms Palo Alto Networks 267
HA 129. Panorama HA Additional Master Hold Up Time (ms) Path Monitoring Enabled Failure Condition Path Groups 7000 ms ICMP Ping Panorama IP Add Name Enabled Failure Condition Ping interval ICMP 1000-60000 ms 5000 Destination IPs Delete HA HP NFS Panorama NFS NFS 2 S1 S2 S2 S2 1. S1 2. S2 a. Panorama> High Availability b. Priority Secondary Primary c. NFS 3. CLI request high-availability convert-to-primary S1 HA S2 NFS convert-to-primary HA (S1) NFS S2 268 Palo Alto Networks
4. S2 S2 NFS Panorama > Managed Devices Managed Devices HA Panorama HA HA Panorama TCP 3978 SSL 1. Panorama Managed Devices Managed Devices 2. Group by 3. Add/Remove Devices 4. Add 5. 6. OK Managed Devices 7. Commit All Panorama IP Connected 8. a. Add/Remove Devices b. Delete c. OK Palo Alto Networks 269
Panorama > Device Groups / Panorama Panorama Device Groups 130. Device Group Name Devices Master Device Add Panorama > Access Domain Access Domain RADIUS (VSA) RADIUS RADIUS 131. Name Devices Device Groups 31 Devices Available Add Device Groups Available Add 270 Palo Alto Networks
Panorama 119 Panorama Panorama Panorama Target Install on all but specified devices 53. Panorama Panorama Palo Alto Networks 271
Panorama deny all Panorama > Setup > Storage Partition Setup Panorama Panorama NFS Panorama Setup Storage Partition Setup 132. Internal NFS v3 Panorama NFS Server NFS (FQDN) IP Log Directory Protocol NFS UDP TCP Port NFS Read Size NFS 256-32768 Write Size NFS 256-32768 Copy On Setup Panorama NFS Test Logging Partition NFS 272 Palo Alto Networks
Panorama 15 Panorama ACC Monitor Panorama ACC Panorama > Managed devices Panorama Managed Devices 54 Commit All 54. Managed Devices Diff All 5 OK Panorama Monitor > PDF Reports > User Activity Report Panorama Panorama 190 Panorama > Deployment Deployment Palo Alto Networks 273
133. Panorama Deployment Software SSL VPN Client GlobalProtect Client Dynamic Updates Licenses SSL VPN GlobalProtect 38 Refresh Software SSL VPN GlobalProtect Refresh Palo Alto Networks Release Notes Download Downloaded Install Upload PC Install from File Activate from File OK Delete Activate Palo Alto Networks Panorama > Setup Panorama Panorama Setup Panorama 100 26 Panorama Panorama > Managed Devices Backups Manage Load Commit 274 Palo Alto Networks
Panorama > Scheduled Config Export Panorama Scheduled Config Export gzip FTP XML 134. Name Enable Scheduled export start time (daily) Hostname Port Passive Mode Username Password Confirm Password 31 24 HH:MM FTP IP FTP Panorama Panorama > Software Panorama Palo Alto Networks Panorama Panorama Refresh Palo Alto Networks Release Notes 1. a. Download Downloaded b. Install Panorama 2. Palo Alto Networks 275
A IP URL URL HTML 279 279 URL 280 281 281 Web 282 URL 282 SSL VPN 283 SSL 284 77

<html>
<head>
<meta http-equiv=content-type content="text/html; charset=windows-1252">
<meta name=generator content="Microsoft Word 11 (filtered)">
<title>This is a test</title>
<style>
<!--
 /* Font Definitions */
 @font-face
   {font-family:"Microsoft Sans Serif";
   panose-1:2 11 6 4 2 2 2 2 2 4;}
 /* Style Definitions */
 p.msonormal, li.msonormal, div.msonormal
   {margin:0in; margin-bottom:.0001pt; font-size:12.0pt;
   font-family:"Times New Roman";}
 h4
   {margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt;
   margin-left:0in; page-break-after:avoid; font-size:14.0pt;
   font-family:"Times New Roman";}
 p.sanserifname, li.sanserifname, div.sanserifname
   {margin:0in; margin-bottom:.0001pt; text-autospace:none;
   font-size:10.0pt; font-family:"Microsoft Sans Serif";
   font-weight:bold;}
 p.boldnormal, li.boldnormal, div.boldnormal
   {margin:0in; margin-bottom:.0001pt; font-size:12.0pt;
   font-family:"Times New Roman"; font-weight:bold;}
 span.heading10
   {color:black; font-weight:bold;}
 p.subheading1, li.subheading1, div.subheading1
   {margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt;
   margin-left:0in; page-break-after:avoid; font-size:12.0pt;
   font-family:"Times New Roman"; font-weight:bold;}
 @page Section1
   {size:8.5in 11.0in; margin:1.0in 1.25in 1.0in 1.25in;}
 div.Section1
   {page:Section1;}
-->
</style>
</head>
<body lang=en-us>
<div class=Section1>
<p class=msonormal>This is a test.</p>
</div>
</body>
</html>
<html>
<head>
<title>Application Blocked</title>
<style>
#content{border:3px solid#aaa;background-color:#fff;margin:40;padding:40;font-family:tahoma,helvetica,arial,sans-serif;font-size:12px;}
h1{font-size:20px;font-weight:bold;color:#196390;}
b{font-weight:bold;color:#196390;}
</style>
</head>
<body bgcolor="#e7e8e9">
<div id="content">
<h1>Application Blocked</h1>
<p>Access to the application you were trying to use has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p>
<p><b>User:</b> <user/> </p>
<p><b>Application:</b> <appname/> </p>
</div>
</body>
</html>

<html>
<head>
<meta http-equiv=content-type content="text/html; charset=windows-1252">
<meta name=generator content="Microsoft Word 11 (filtered)">
<title>This is a test</title>
<style>
<!--
 /* Font Definitions */
 @font-face
   {font-family:"Microsoft Sans Serif";
   panose-1:2 11 6 4 2 2 2 2 2 4;}
 /* Style Definitions */
 p.msonormal, li.msonormal, div.msonormal
   {margin:0in; margin-bottom:.0001pt; font-size:12.0pt;
   font-family:"Times New Roman";}
 h4
   {margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt;
   margin-left:0in; page-break-after:avoid; font-size:14.0pt;
   font-family:"Times New Roman";}
 p.sanserifname, li.sanserifname, div.sanserifname
   {margin:0in; margin-bottom:.0001pt; text-autospace:none;
   font-size:10.0pt; font-family:"Microsoft Sans Serif";
   font-weight:bold;}
 p.boldnormal, li.boldnormal, div.boldnormal
   {margin:0in; margin-bottom:.0001pt; font-size:12.0pt;
   font-family:"Times New Roman"; font-weight:bold;}
 span.heading10
   {color:black; font-weight:bold;}
 p.subheading1, li.subheading1, div.subheading1
   {margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt;
   margin-left:0in; page-break-after:avoid; font-size:12.0pt;
   font-family:"Times New Roman"; font-weight:bold;}
 @page Section1
   {size:8.5in 11.0in; margin:1.0in 1.25in 1.0in 1.25in;}
 div.Section1
   {page:Section1;}
-->
</style>
</head>
<body lang=en-us>
<div class=Section1>
<p class=msonormal>This is a test.</p>
</div>
</body>
</html>

URL

<html>
<head>
<title>Web Page Blocked</title>
<style>
#content{border:3px solid#aaa;background-color:#fff;margin:40;padding:40;font-family:tahoma,helvetica,arial,sans-serif;font-size:12px;}
h1{font-size:20px;font-weight:bold;color:#196390;}
b{font-weight:bold;color:#196390;}
</style>
</head>
<body bgcolor="#e7e8e9">
<div id="content">
<h1>Web Page Blocked</h1>
<p>Access to the web page you were trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p>
<p><b>User:</b> <user/> </p>
<p><b>URL:</b> <url/> </p>
<p><b>Category:</b> <category/> </p>
</div>
</body>
</html>
<application-type>
  <category>
    <entry name="networking" id="1">
      <subcategory>
        <entry name="remote-access" id="1"/>
        <entry name="proxy" id="2"/>
        <entry name="encrypted-tunnel" id="3"/>
        <entry name="routing" id="4"/>
        <entry name="infrastructure" id="5"/>
        <entry name="ip-protocol" id="6"/>
      </subcategory>
    </entry>
    <entry name="collaboration" id="2">
      <subcategory>
        <entry name="email" id="7"/>
        <entry name="instant-messaging" id="8"/>
        <entry name="social-networking" id="9"/>
        <entry name="internet-conferencing" id="10"/>
        <entry name="voip-video" id="11"/>
      </subcategory>
    </entry>
    <entry name="media" id="3">
      <subcategory>
        <entry name="video" id="12"/>
        <entry name="gaming" id="13"/>
        <entry name="audio-streaming" id="14"/>
      </subcategory>
    </entry>
    <entry name="business-systems" id="4">
      <subcategory>
        <entry name="auth-service" id="15"/>
        <entry name="database" id="16"/>
        <entry name="erp-crm" id="17"/>
        <entry name="general-business" id="18"/>
        <entry name="management" id="19"/>
        <entry name="office-programs" id="20"/>
        <entry name="software-update" id="21"/>
        <entry name="storage-backup" id="22"/>
      </subcategory>
    </entry>
    <entry name="general-internet" id="5">
      <subcategory>
        <entry name="file-sharing" id="23"/>
        <entry name="internet-utility" id="24"/>
      </subcategory>
    </entry>
  </category>
  <technology>
    <entry name="network-protocol" id="1"/>
    <entry name="client-server" id="2"/>
    <entry name="peer-to-peer" id="3"/>
    <entry name="web-browser" id="4"/>
  </technology>
</application-type>

<h1>SSL Inspection</h1>
<p>In accordance with company security policy, the SSL encrypted connection you have initiated will be temporarily unencrypted so that it can be inspected for viruses, spyware, and other malware.</p>
<p>After the connection is inspected it will be re-encrypted and sent to its destination. No data will be stored or made available for other purposes.</p>
<p><b>IP:</b> <url/> </p>
<p><b>Category:</b> <category/> </p>
Web

<h1 ALIGN=CENTER>Captive Portal</h1>
<h2 ALIGN=LEFT>In accordance with company security policy, you have to authenticate before accessing the network.</h2>
<pan_form/>

URL

<html>
<head>
<title>Web Page Blocked</title>
<style>
#content{border:3px solid#aaa;background-color:#fff;margin:40;padding:40;font-family:tahoma,helvetica,arial,sans-serif;font-size:12px;}
h1{font-size:20px;font-weight:bold;color:#196390;}
b{font-weight:bold;color:#196390;}
form td, form input { font-size: 11px; font-weight: bold; }
#formtable { height: 100%; width: 100%; }
#formtd { vertical-align: middle; }
#formdiv { margin-left: auto; margin-right: auto; }
</style>
<script type="text/javascript">
// When the form contains a password field, show the administrator-override prompt.
function pwdcheck() {
  if (document.getElementById("pwd")) {
    document.getElementById("continuetext").innerHTML = "If you require access to this page, have an administrator enter the override password here:";
  }
}
</script>
</head>
<body bgcolor="#e7e8e9">
<div id="content">
<h1>Web Page Blocked</h1>
<p>Access to the web page you were trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p>
<p><b>User:</b> <user/> </p>
<p><b>URL:</b> <url/> </p>
<p><b>Category:</b> <category/> </p>
<hr>
<p id="continuetext">If you feel this page has been incorrectly blocked, you may click Continue to proceed to the page. However, this action will be logged.</p>
<div id="formdiv">
<pan_form/>
</div>
<a href="#" onclick="history.back();return false;">Return to previous page</a>
</div>
</body>
</html>
SSL VPN

<HTML>
<HEAD>
<TITLE>Palo Alto Networks - SSL VPN</TITLE>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" type="text/css" href="/styles/falcon_content.css?v=@@version">
<style>
td {
  font-family: Verdana, Arial, Helvetica, sans-serif;
  font-weight: bold;
  color: black; /*#FFFFFF; */
}
.msg {
  background-color: #ffff99;
  border-width: 2px;
  border-color: #ff0000;
  border-style: solid;
  padding-left: 20px;
  padding-right: 20px;
  max-height: 150px;
  height: expression( this.scrollHeight > 150 ? "150px" : "auto" ); /* sets max-height for IE */
  overflow: auto;
}
.alert {font-weight: bold;color: red;}
</style>
</HEAD>
<BODY bgcolor="#f2f6fa">
<table style="background-color: white; width:100%; height:45px; border-bottom: 2px solid #888888;">
<tr style="background-image:url(/images/logo_pan_158.gif); background-repeat: no-repeat">
<td align="left"> </td>
</tr>
</table>
<div align="center">
<h1>Palo Alto Networks - SSL VPN Portal</h1>
</div>
<div id="formdiv">
<pan_form/>
</div>
</BODY>
</HTML>
SSL

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html>
<head>
<title>Certificate Error</title>
<style>
#content{border:3px solid#aaa;background-color:#fff;margin:40;padding:40;font-family:tahoma,helvetica,arial,sans-serif;font-size:12px;}
h1{font-size:20px;font-weight:bold;color:#196390;}
b{font-weight:bold;color:#196390;}
</style>
</head>
<body bgcolor="#e7e8e9">
<div id="content">
<h1>Certificate Error</h1>
<p>There is an issue with the SSL certificate of the server you are trying to contact.</p>
<p><b>Certificate Name:</b> <certname/> </p>
<p><b>IP:</b> <url/> </p>
<p><b>Issuer:</b> <issuer/> </p>
<p><b>Status:</b> <status/> </p>
<p><b>Reason:</b> <reason/> </p>
</div>
</body>
</html>
B Palo Alto Networks 287 287 business-system auth-service database erp-crm general-business infrastructure office-program software-update storage-backup collaboration instant-messaging internet-conferencing internet-utility Palo Alto Networks 285
social-networking voip-video web-posting general-internet file-sharing internet-utility media audio-streaming gaming photo-video networking audio-streaming encrypted-tunnel infrastructure ip-protocol proxy remote-access routing unknown 286 Palo Alto Networks
135. network-protocol client-server peer-to-peer browser-based IP - Web 136. Transfers Files Evasive Excessive Bandwidth Used by Malware Prone to Misuse Widely Used Tunnels Other Applications Continue Scanning for Other Applications 1 Mbps 1000000 Palo Alto Networks 287
C 140-2 (FIPS 140-2) FIPS FIPS Set FIPS Mode PAN-OS Command Line Interface Reference Guide FIPS TLS 1.0 Device > Setup > Management FIPS FIPS FIPS IPSec 2048 Telnet TFTP HTTP (HA) PAP Palo Alto Networks 289
D (GPL) $5 Palo Alto Networks Open Source Request 232 E. Java Drive Sunnyvale, CA 291 BSD 293 GNU 293 GNU 296 MIT/X11 301 OpenSSH 302 PSF 305 PHP 305 Zlib 306 Larry Wall Perl v4.0 Palo Alto Networks 291
CrackUnix Password Cracker CrackLibUnix Password Checking Alec David Edward Muffett 1. 2. 3. a) Usenet uunet.uu.net b) c) d) 4. a) b) c) d) 5. 6. 7. 292 Palo Alto Networks
BSD BSD BSD Julian Steward Thai Open Source Software Center Ltd The Regents of the University of California Nick Mathewson Niels Provos Dug Song Todd C. Miller University of Cambridge Sony Computer Science Laboratories Inc. 1. 2. / 3. GNU 1991 6 2 (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA GNU GNU Palo Alto Networks 293
GNU (1) (2) / / 1. 2. 1 a) b) c) 294 Palo Alto Networks
GNU 3. 1 2 2 a) 1 2 b) 1 2 c) b 4. 5. 6. 7. / Palo Alto Networks 295
GNU 8. / 9. / 10. 11. / 12. / GNU 1999 2 2.1 (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA [ GPL (Lesser GPL) GNU (GNU Library Public License) 2 2.1 ] GNU 296 Palo Alto Networks
GNU (1) (2) / GNU GNU GNU GNU C GNU GNU/ Linux / Palo Alto Networks 297
GNU / 1. 2. 1 * a) * b) * c) * d) 2d 3. GNU GNU 2 2 GNU GNU 298 Palo Alto Networks
GNU 4. 1 2 2 1 2 5. 6 6 6 6 6. * a) 1 2 / * b) (1) (2) * c) 6a * d) * e) Palo Alto Networks 299
GNU 7. * a) * b) 8. 9. 10. 11. / 12. / 13. / 300 Palo Alto Networks
MIT/X11 MIT/X11 14. 15. / 16. / (C) 2001-2002 Daniel Veillard (C) 2001-2002 Thomas Broyer Charlie Bozeman Daniel Veillard (C) 1998 Bjorn Reese Daniel Stenberg (C) 2000 Gary Pennington Daniel Veillard (C) 2001 Bjorn Reese <breese@users.sourceforge.net> (c) 2001, 2002, 2003 Python (c) 2004-2008 Paramjit Oberoi <param.cs.wisc.edu> (c) 2007 Tim Lauridsen <tla@rasmil.dk> / Palo Alto Networks 301
OpenSSH OpenSSH OpenSSH BSD OpenSSH GPL 1) (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland RFC ssh Secure Shell [Tatu ] GNU [ OpenSSH -RSA OpenSSL -IDEA -DES OpenSSL -GMP OpenSSL BN -Zlib -make-ssh-known-hosts -TSS -MD5 OpenSSL -RC4 OpenSSL ARC4 -Blowfish OpenSSL [ ] Internet http://www.cs.hut.fi/crypto / 302 Palo Alto Networks
OpenSSH / 2) deattack.c 32 CRC CORE SDI S.A. BSD ssh - (c) 1998 CORE SDI S.A., Buenos Aires, Argentina CORE SDI S.A. Ariel Futoransky <futo@core-sdi.com> <http://www.core-sdi.com> 3) ssh-keyscan David Mazieres BSD 1995, 1996 by David Mazieres <dm@lcs.mit.edu> OpenBSD Project 4) Vincent Rijmen Antoon Bosselaers Paulo Barreto Rijndael @3.0 2000 12 Rijndael ANSI C AES @ Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be> @ Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be> @ Paulo Barreto <paulo.barreto@terra.com.br> 5) ssh 3 BSD University of California Berkeley (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. 1. 2. / 3. Palo Alto Networks 303
OpenSSH THE REGENTS THE REGENTS 6) 2 BSD -Markus Friedl -Theo de Raadt -Niels Provos -Dug Song -Aaron Campbell -Damien Miller -Kevin Steves -Daniel Kouril -Wesley Griffin -Per Allansson -Nils Nordman -Simon Wilkinson 1. 2. / 304 Palo Alto Networks
PSF PSF 1. Python PSF Python 2.3 2. PSF Python 2.3 / Python 2.3 PSF PSF (c) 2001, 2002, 2003 Python Software Foundation 3. Python 2.3 Python 2.3 4. PSF Python 2.3 PSF PSF Python 2.3 5. PSF Python 2.3 Python 2.3 6. 7. PSF PSF 8. Python 2.3 PHP PHP 3.01 (c) 1999-2009 The PHP Group 1. 2. / 3. PHP group@php.net 4. group@php.net PHP PHPFoo PHP PHP Foo phpfoo PHP 5. PHP Group / PHP Group PHP Group Palo Alto Networks 305
Zlib 6. <http://www.php.net/software/> PHP PHP PHP PHP Group group@php.net PHP Group PHP Group PHP <http://www.php.net> PHP <http://www.zend.com> Zend Zlib (C) 1995-2005 Jean-loup Gailly Mark Adler 1. 2. 3. Jean-loup Gailly jloup@gzip.org Mark Adler madler@alumni.caltech.edu 306 Palo Alto Networks