Palo Alto Networks PAN-OS 5.0
Palo Alto Networks, 3300 Olcott Street, Santa Clara, CA 95054
http://www.paloaltonetworks.com/contact/contact/
https://live.paloaltonetworks.com
https://support.paloaltonetworks.com
Palo Alto Networks, Inc. www.paloaltonetworks.com
2013 Palo Alto Networks. Palo Alto Networks, PAN-OS, Panorama.
P/N 810-000146 Rev. B
1 3
Palo Alto Networks (MGT) MGT Web MGT MGT Palo Alto Networks Panorama Palo Alto Networks Panorama Panorama Panorama (ACC) Web Panorama Panorama Palo Alto Networks 13 4
IP 192.168.1.1 / admin/admin MGT 1 MGT IP DNS 2 (9600-8-N-1) PA-500 login RJ-45 MGT https://192.168.1.1 IP 192.168.1.0 192.168.1.2 URL 3 (admin/admin) 4 MGT 1. Device > > [ ] IP 2. auto-negotiate 3. Telnet HTTP 4. 5 1. Device > > [ ] 2. 3. 4. 5
6 DNS DNS DNS ISP 1. Device > > [ ] 2. DNS IP Secondary DNS Server 3. pool.ntp.org NTP NTP IP Secondary DNS Server 4. 7 1. Device > 2. 3. 4. 8 Web IP Commit 90 9 1. 2. RJ-45 MGT 10 SSH PuTTY IP SSH 11 Palo Alto Networks MGT 7 MGT 10 MGT CLI ping DNS Palo Alto Networks
admin@pa-200> ping host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (67.192.236.252) 56(84) bytes of data.
64 bytes from 67.192.236.252 : icmp_seq=1 ttl=243 time=40.5 ms
64 bytes from 67.192.236.252 : icmp_seq=1 ttl=243 time=53.6 ms
64 bytes from 67.192.236.252 : icmp_seq=1 ttl=243 time=79.5 ms
Ctrl+C ping
MGT DNS 2 1 IP 2 Web Web (https) IP https://<ip > 3 Ethernet 1/1 Ethernet 1/2 1. Policies > 2. Network > 3. Network > 4. Network > ethernet1/1 ethernet1/2 5. Commit 7
4 1. Network > 1 2. Layer3 3. Zone 4. [Zone] L3-trust 5. IPv4 [IP] IP 192.168.1.254/24 6. > 7. allow_ping Web CLI MGT HTTPHTTPSSSH Telnet Ping 8. 5 MGT 1. Device > > > 2. Select 3. Use default 4. IP 5. DNSPalo Alto Networks URL WildFire 6. 7. Commit 8
6 NAT 1. Network > Layer3 IP IPv4 IPv6 ) l3-untrust 2. Palo Alto Networks DNS Policies > l3-trust l3-untrust 3. IP NAT Policies > NAT l3-trust l3-untrust NAT 43 NAT 4. Commit 7 DNS Palo Alto Networks 10 CLI ping MGT ping ping
admin@pa-200> ping source 192.168.1.254 host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (67.192.236.252) from 192.168.1.254 : 56(84) bytes of data.
64 bytes from 67.192.236.252: icmp_seq=1 ttl=242 time=56.7 ms
64 bytes from 67.192.236.252: icmp_seq=2 ttl=242 time=47.7 ms
64 bytes from 67.192.236.252: icmp_seq=3 ttl=242 time=47.6 ms
^C
Ctrl+C ping
PAN-OS Palo Alto Networks Palo Alto Networks 1 Web Web (https) IP https://<ip > 2 Dashboard [ ] 3 Palo Alto Networks https://support.paloaltonetworks.com 4 Palo Alto Networks Palo Alto Networks My Devices [ ] Register Hardware Device 10
67 URL URL URL PAN-DB BrightCloud URL 77 URL PA-2000 PA-3000 PA-4000 PA-5000 PA-500PA-200 VM WildFire WildFire WildFire WildFire WildFire WildFire API WildFire 75 WildFire GlobalProtect / VPN GlobalProtect / GlobalProtect Palo Alto Networks 9 1 Palo Alto Networks 2 Web Device > 3 1. 2. 3. WildFire 11
Palo Alto Networks URL Palo Alto Networks WildFire / Global Protect GlobalProtect (HIP) GlobalProtect GlobalProtect GlobalProtect BrightCloud URL BrightCloud URL BrightCloud BrightCloud URL PAN-DB WildFire WildFire 24 48 WildFire WildFire API 100 Palo Alto Networks (https://support.paloaltonetworks.com) 12
1 2 Web Device > BrightCloud PAN-DB URL PAN-DB 3 PA-200PA-500 PA-2000 20 PA-3000 PA-4000 PA-5000 VM 2 13
4 1. 2. WildFire 15 30 3. WildFire 4. 5. 6. 7. Commit 14
Palo Alto Networks PAN-OS 1 Web Device > 2 3 Palo Alto Networks (https://support.paloaltonetworks.com) [ ] 4 1. 2. Device > > [ ] 15
Palo Alto Networks Web CLI / XML API Web / 16
SSL SSH CLI / Web WebUI LDAPKerberos RADIUS Palo Alto Networks 3 RADIUS RADIUS (VSA) Palo Alto Networks Radius (VSA) 17
1 1. Device > 2. Web UI / XML API Web CLI XML API 3. CLI superreaderdeviceadmin devicereader vsysadmin vsysreader None CLI 4. 2 Device > Device > [ ] 3 1. Device > 2. 3. Role 1 4. 5. 4 1. Commit 18
SNMP / SNMP PA-4000 NetFlow Palo Alto Networks 3 NetFlow 19
Palo Alto Networks App-ID (ACC) ACC ACC App-ID App-ID ACC ACC URL ACC Palo Alto Networks URL URL Palo Alto Networks 3 20
Monitor > Widget Dashboard 21
Monitor > / 23 28 22
SNMP SNMP 24 / 25 SNMP 26 Splunk ArcSight CSV (FTP) (SCP) Palo Alto Networks 3 Palo Alto Networks Panorama Panorama 27 Panorama MGT MGT 5 Palo Alto Networks 3 23
1 1. Device > > 2. 3. 4. (SMTP) 1-31 SMTP [ ] SMTP IP 5. 2 3 1. 2. Commit 24
SNMP (SNMP) SNMP SNMP SNMP SNMP 29 SNMP SNMP 1 SNMP 1. Device > > SNMP 2. 3. 4. SNMP V2c V3 5. SNMP SNMP V2c V3 SNMP V2c Server SNMP 1-31 SNMP SNMP IP SNMP SNMP V3 Server SNMP 1-31 SNMP SNMP IP SNMP EngineID ID 0x 5 64 ID MIB OID 1.3.6.1.6.3.10.2.1.1.0 GET ID SNMP authnopriv (SHA-1) SNMP authpriv SHA (AES 128) 6. 25
SNMP 2 SNMP MGT SNMP Device > > [ ] SNMP SNMP SNMP SNMP 7 3 Commit 90 4 SNMP PAN-OS MIB SNMP SNMP PAN-OS HIP PAN-OS Palo Alto Networks 26
1 1. Device > > Syslog 2. 3. 4. Server IP (FQDN) Port 514 (PRI) PRI 5. 6. 2 Device > 3 Commit 90 Panorama Panorama Panorama Panorama Palo Alto Networks 13 Panorama Panorama 28 27
SNMP / Panorama Objects > Objects > URL DoS DoS LAN WildFire [ ] DoS [ ] URL WildFire [ ] (Device > > (Device > > 28
HA LDAP RADIUS / SNMP Palo Alto Networks SNMP (MIB) MIB SNMP SNMP / Palo Alto Networks SNMP GET SNMP SET SNMP 1 SNMP PAN-OS MIB SNMP SNMP 2 MIB PAN-OS MIB (OID) MIB PAN-COMMON-MIB OID 1.3.6.1.4.1.25461.2.1.2.3.1.0 3 SNMP OID SNMP 29
SNMP 4 5 Web SNMP SNMP GET SNMP SNMP 1. Device > > > SNMP 2. 3. SNMP SNMP SNMP SNMP 4. 5. Commit SNMP SNMP PA-500 30
2 NAT 31
Palo Alto Networks DMZ DMZ (NAT) Palo Alto Networks VPN Layer 2 Layer 3 Palo Alto Networks 32
LAN (VLAN) IP VLAN "default-vwire" 1 2 / 3 Layer 2 Layer 2 VLAN Layer 2 VLAN VLAN Layer 2 Layer 2 / VLAN Layer 3 Layer 3 IP Layer 3 IP Layer 3 VLAN VLAN IP Layer 3 BGPOSPF RIP Layer 3 OSPF BGP 33
(NAT) IP (NAT) PAN-OS NAT / / NAT NAT NAT / NAT NAT NAT / Palo Alto Networks IP 34
31 NAT NAT App-ID App-ID 35
DMZ IP IP URL HIP GlobalProtect 255 IP FQDN NAT IP NAT IP NAT IP NAT IP User-ID User-ID 81 URL HTTP HTTPS URL URL /.exe / SSL URL PAN-DB BrightCloud URL Layer 4TCP UDP DNS TCP 53 DNS 57 (HIP) (QoS) 36
Palo Alto Networks / DNS Monitor > 37
IP URL IP IP / IPv4 IPv6 IP FQDN IP IP XML API IP IP / Palo Alto Networks 3 PAN-OS / http https HTTP TCP 80 8080 HTTPS TCP 443 TCP/UDP Objects > 47 53 Palo Alto Networks 5 38
URL 47 64 39
Layer 3 IP Layer 3 L3 Ethernet1/3 IP 208.80.56.100/24 VR1 0.0.0.0/0 208.80.56.1/24 L3 Ethernet1/4 IP 192.168.1.4/24 VR1 DMZ L3 Ethernet1/13 IP 10.1.1.1/24 VR1 40
Layer 3 Layer 2 Palo Alto Networks 4 Ethernet 1/1 Ethernet 1/2 3 1. 1. Ethernet1/3 2. Layer3 3. Zone [Zone] [ ] 4. a VR1 b 0.0.0.0/0 c IP IP 208.80.56.1/24 d 5. IP IPv4 [IP] IP 208.80.56.100/24 6. ping > Ping 7. 41
2 IP IP NAT 43 NAT 1. Network > Ethernet1/4 2. Layer3 3. Zone [Zone] 4. 1 [ ] VR1 5. IP IPv4 [IP] IP 192.168.1.4/24 6. ping 1-6 7. 3 DMZ 1. 2. Layer3 Ethernet1/13 DMZ 3. Zone [Zone] [DMZ] 4. 1 [ ] VR1 5. IP IPv4 [IP] IP 10.1.1.1/24 6. ping 1-6 7. 4 Commit 5 6 Web Network > [ ] Dashboard Widget 42
NAT NAT NAT 192.168.1.0 NAT 208.80.56.100 44 IP IP DMZ 10.1.1.11 DMZ NAT 208.80.56.11 NAT DMZ NAT U-Turn NAT 45 DMZ IP IP IP IP IP NAT 46 43
NAT IP IP IP IP IP NAT NAT 1. IP 1. Web Objects > 2. 3. IP IP 208.80.56.100/24 4. 2 NAT 1. Policies > NAT 2. 3. 4. IP 1 5. NAT 3 Commit 44
NAT DMZ DNS IP IP IP DMZ NAT DMZ U-TURN NAT 1. 1. Web Objects > 2. 3. IP IP 208.80.56.11/24 4. 2 NAT 1. Policies > NAT 2. NAT 3. 4. 5. DMZ IP 10.1.1.11 6. NAT 3 Commit 45
NAT IP NAT NAT 10.1.1.11 208.80.56.11 IP DMZ NAT NAT 1. IP 1. Web Objects > 2. 3. IP DMZ IP 10.1.1.11/24 4. 2 NAT 1. Policies > NAT 2. NAT 3. DMZ 4. 5. Static IP 6. 7. NAT 3 Commit 46
NAT (QoS) (PBF) 53 Palo Alto Networks 5 47
1. rule1 1. Policies > 2. 3. [ ] 4. [ ] 5. /URL http https 6. a b URL 7. 2 DMZ DMZ DMZ IP IP NAT ) NAT 1. Policies > 2. 3. [ ] 4. [DMZ] 5. /URL application-default 6. [ ] 7. 48
3 DMZ IP DMZ DMZ IP 1. 2. [ ] 3. [DMZ] 4. IP (208.80.56.11/24) DMZ 5. 6. application-default 7. 4 DMZ DMZ 1. 2. DMZ 3. [ ] 4. DMZ DMZ 5. 6. a b c [ ] 49
5 DMZ Microsoft Update DMZ 1. 2. DMZ 3. [ ] 4. Microsoft (ms-updates) dns 5. application-default 6. 7. 6 Commit 50
. CLI
test security-policy-match source <IP_address> destination <IP_address> destination port <port_number> protocol <protocol_number>
CLI IP IP 208.90.56.11 DMZ Microsoft
test security-policy-match source 208.80.56.11 destination 176.9.45.70 destination-port 80 protocol 6
"Updates-DMZ to Internet" {
    from dmz;
    source any;
    source-region any;
    to untrust;
    destination any;
    destination-region any;
    user any;
    category any;
    application/service[ dns/tcp/any/53 dns/udp/any/53 dns/udp/any/5353 ms-update/tcp/any/80 ms-update/tcp/any/443];
    action allow;
    terminal yes;
(ACC) Palo Alto Networks App-ID / Facebook Facebook Facebook Facebook Facebook Facebook
ACC ACC User-ID / Monitor > ACC URL /URL URL URL alertcontinueoverride block 52
3 Palo Alto Networks 53
Palo Alto Networks URL (DoS) (App-ID) / (User-ID) WildFire WildFire 24-48 WildFire 30 SSL SSH / SSL URL URL (App-ID) SSH SSH SSH X11 SSH SCP SFTP SSHSSH URL Wildfire 54
Palo Alto Networks Applipedia Palo Alto Networks Threat Vault Palo Alto Networks ID [ ] Palo Alto Networks 64 HTTP URL SSL SSH 63 40 47 55
URL URL URL PAN-DB BrightCloud Palo Alto Networks PAN-DB [PAN-DB URL ] WildFire WildFire WildFire WildFire WildFire WildFire WildFire REST API Palo Alto Networks Device > Palo Alto Networks 10 56
64 DoS Palo Alto Networks PDF HTML JavaScript SMTPIMAP POP3 FTPHTTP SMB Palo Alto Networks WildFire WildFire WildFire (C2) Palo Alto Networks PAN-OS 5.0 DNS DNS DNS 57
URL Palo Alto Networks PAN-DB URL PAN-OS 5.0 BrightCloud PAN-DB Palo Alto Networks URL PAN-DB URL Palo Alto Networks PAN-DB BrightCloud BrightCloud DB URL URL PAN-DB BrightCloud URL/IP PAN-DB URL (PAN-DB) PAN-DB URL 58
/ alert block continue forward WildFire continue-and-forward WildFire 59
Wildfire WildFire Palo Alto Networks WildFire WildFire API WildFire WildFire WildFire WildFire WildFire PAN-OS 5.0 WildFire Device > [WildFire] 30 WildFire WildFire 1530 60 WildFire WildFire WildFire WildFire Monitor > > WildFire WildFire API Palo Alto Networks WildFire WildFire API WildFire WildFire API WildFire 100 WildFire 1000 WildFire 60
Word Excel FTP CC# SSN# SSN# SSN# Regex 9 3 001-772 666SSN 0 987-00-4320 SSN 2-6 American Express 34 37 15 Visa 4 13 16 61
DoS SSNCC# 1 (SSN) SSN# 3 SSN x = Word 10 3 10 x 3 = 30 10 30 30 60 SSN# 2 SSN# = 3 = 20 20 3 20 x 3 = 60 20 1 x 20 = 20 80 80 (DoS) DoS / IP Palo Alto Networks DoS Flood / Bot DoS DoS DoS DoS SYNUDP ICMP Flood DoS DoS DoS DoS Palo Alto Networks 62
(pps) Palo Alto Networks URL SSH SSH SSH X11 SCP SFTP SSHSSL App-ID URL SSL ProxySSL SSH Palo Alto Networks / KB SSL SSL Dropbox Microsoft Lync URL URL 63
WildFire URL SSL SSH CA / Proxy SSL SSL CA CA PKI 64
1 2 3 CA CA CA Proxy CA CA SSL 66 1. Device > > 2. 3. my-fwd-trust 4. 192.168.2.1 IP FQDN IP 5. 6. (CA) CA 7. 8. my-ssl-cert 9. 1. 2. my-fwd-untrust 3. 192.168.2.1 4. 5. 6. my-ssl-fw-untrust 7. 8. CA 65
SSL SSL 1 1. Policies > 2. 2 1. Decrypt_All_Traffic 2. 3. DMZ 4. trust 5. untrust 6. URL URL SSL IP SSL Proxy 7. SSL Proxy 8. none SSL ProxySSL SSH Palo Alto Networks 9. 3 4 Commit my-ssl-cert CA Active Directory SSL www.eicar.org HTTPS eicar 66
Palo Alto Networks Objects > > / [ ] / / 1 Device > 2 1. Device > 2. Palo Alto Networks 3 1. Device > 2. 3. 10 10 4. HA / HA 67
/ / HA / HA MGT / / HA MGT / / / 4 1. Policies > 2. 5 Commit 68
.doc.docx 1 1. Objects > > 2. DF_Profile1 3. 2 1. Device > > ID 2. ID 3. Monitor > > 69
3 SSN 987-654-4320 1. Objects > > 2. SS 3. SSN# 3 62 4. Regex SSN_Custom 20 Word 4 1. FTPSMTP SSL Microsoft Outlook Web App Outlook Web App Microsoft PAN-OS outlook-web PAN-OS 69 2. doc docx doc docx 70
5 1. both 2. 35 5 1 5 3 SSN = 15 1 20 = 35 3. 50 50 SSN / 1 20 20 15 3 45 20 45 65 50 6 1. Policies > 2. DF_Profile1 47 7 Commit 71
8 SSN 1. HTTP.doc.docx 2. Microsoft Word 3. HTTP HTTPS 4. Monitoring > > 5. reset-both Microsoft Outlook Web App outlook-web SSN 72
.exe 1 1. Objects > > 2. Block_EXE.exe 2 1. 2. BlockEXE 3. web-browsing 4. exe 5. download 6. continue [ ] 7. 3 1. Policies > 47 2. 3. Block_EXE 4 Commit 73
5 PC.exe Continue 6 Device > Palo Alto Networks A HTML WildFire HTTPS 69 Microsoft Sharepoint sharepoint-base sharepoint-document any 74
WildFire WildFire WildFire WILDFIRE 1 1. Palo Alto Networks My Devices 2. My Devices 10 Palo Alto Networks 2 WildFire 1. Device > > WildFire 2. WildFire WildFire WildFire Monitor > > WildFire 75
WILDFIRE 3 WildFire Palo Alto Networks WildFire WildFire 73 Objects > > forward continue-and-forward WildFire Win32 (PE) exedll scr PE Win32 PE 73 WildFire Palo Alto Networks Upload File Upload Device API Palo Alto Networks WildFire WildFire API WildFire WildFire API WildFire 100 WildFire 1000 WildFire API 4 WildFire 1. WildFire Settings 2. WildFire 5 WildFire WildFire 1. WildFire 2. WildFire WildFire Palo Alto Networks WildFire WildFire WildFire API WildFire API 76
URL Palo Alto Networks URL (PAN-DB) BrightCloud PAN-DB URL 1 URL 1. PAN-DB 2. Device > PAN-DB URL Filtering 2 3 PAN-DB URL PAN-DB 1. PAN-DB URL Filtering Device > 2. 3. PAN-DB URL PAN-DB BrightCloud BrightCloud BrightCloud URL Filtering PAN-DB BrightCloud URL PAN-DB PAN-DB URL Filtering URL 4 URL 1. Objects > > URL 2. Block_Shopping 3. URL BrightCloud 77
PAN-DB URL 5 URL BrightCloud URL URL PAN-DB 6 URL URL URL 7 1. Device > > ID 2. URL 3. 15 URL 60 60 4. [ ] IP block URL continue continue alert 8 1. shopping 2. block 78
PAN-DB URL 9 1. Policies > 2. 3. URL Block_Shopping 4. 10 Commit 11 URL URL URL 12 Device > Palo Alto Networks A HTML PAN-DB URL URL (PAN-DB) BrightCloud URL URL 79
4 (User-ID) Palo Alto Networks IP Palo Alto Networks User-ID User-ID 81
User-ID Palo Alto Networks IP Palo Alto Networks Microsoft Active Directory LDAP Novell edirectory Citrix Metaframe Presentation Server XenApp Microsoft Terminal Services LDAP IP Microsoft Exchange Server Novell edirectory Windows User-ID LDAP LDAP LDAP Microsoft Active Directory (AD)Novell edirectory Sun ONE 82
IP User-ID Windows Microsoft Exchange Servers Novell edirectory AD Kerberos Exchange AD Microsoft Windows Windows Management Instrumentation (WMI) NetBIOS IP 20 IP Microsoft Terminal Server Citrix IP IP Windows/Citrix Palo Alto Networks GlobalProtect GlobalProtect Palo Alto Networks 9 User-ID IP Linux HTTP HTTPS NT LAN (NTLM) RADIUS LDAPKerberos VPN 802.1x PAN-OS XML REST API 83
IP 84
LDAP 1. LDAP 1. Device > > LDAP 2. 3. 4. LDAP Server 1-31 IP LDAP = LDAP 389LDAP over SSL 636 Port LDAP 5. LDAP - Active Directory NetBIOS FQDN acme acme.com - 6. LDAP LDAP 7. LDAP 8. DN LDAP DN (UPN) administrator@acme.local LDAP cn=administrator,cn=users,dc=acme,dc=local 9. LDAP SSL SSL 85
2 LDAP User-ID 1. Device > > 2. 1 3. 4. LDAP 5. 3 Commit IP IP Exchange edirectory Windows 86 User-ID Linux 88 IP Microsoft Terminal Server Citrix Metaframe Presentation Server XenApp Palo Alto Networks 7 XML REST API PAN-OS XML REST API User-ID Palo Alto Networks User-ID IP User-ID User-ID IP 86
Palo Alto Networks 7 Active Directory User-ID User-ID IP 1. Active Directory Windows 2008 User-ID COM Windows 2003 WMI CIMV2 NTLM User-ID NTLM NTLM Windows AD vsys1 2 IP 100 Microsoft Active DirectoryMicrosoft Exchange Novell edirectory 1. Device > > 2. 3. 4. 5. 6. DNS Exchange edirectory 7. Palo Alto Networks User-ID DC 5 87
IP 3 Windows Exchange WMI 1. domain\username 4 WMI NetBIOS Windows User-ID 2. 3. IP 4. Windows Windows 5 1. User-ID 2. Commit 6 IP ignore-user 1. CLI 2.
set user-id-collector ignore-user <value>
<value>
set user-id-collector ignore-user SPAdmin SPInstall TFSReport
3. 7 1. CLI
show user server-monitor state all
2. Web Device > > IP User-ID IP Linux / HTTP HTTPS
NTLM NTLM NTLM IE NTLM Firefox Chrome NTLM NTLM Windows RADIUSLDAP Kerberos CA Mac OS Linux URL HTTP 401 URL Layer 2 HTTP HTTPS HTTP 302 Layer 3 Layer 3 Cookies IP LAN IP NTLM 89
User-ID Layer 3 Windows Palo Alto Networks 7 User-ID User-ID USER-ID 1. Exchange MGT Window User-ID 2 DNS Ping FQDN admin@pa-200> ping host dc1.acme.com 3 Layer 3 1. a Network > b 2. Layer 3 41 1 > 3. DNS A Layer 3 IP ntlmhost 90
USER-ID 4 IP CA CA CA 1. CA Device > > > RootCA 2. DNS CA IP Layer 3 IP 3. CA CA Active Directory (GPO) 5 NTLM NTLM RADIUS RADIUS AD samaccountname LogonAttribute 1. LDAPKerberos RADIUS Device > Palo Alto Networks 3 Device > Palo Alto Networks 3 2. Device > Palo Alto Networks 3 91
USER-ID 6 CRL OCSP Palo Alto Networks 3 1. 2. Base64 CA 3. CA CA a Device > > > b CA c CA d Base64 (PEM) e f CA 4. a Device > > > b c CA 3 CA 7 NTLM User-ID DNS DNS 1. Device > > Palo Alto Networks User-ID 2. NTLM NTLM 3. User-ID NTLM NTLM 4. 87 IP 1 Active Directory NTLM 92
USER-ID 8 1. Device > > 2. 3. 4. SSL 4 5. Layer 3 IP 3 6. NTLM NTLM - LDAPKerberosRADIUS 5-6 7. 8. Commit 93
/ User-ID IP 1. User-ID 1. Network > 2. User-ID [ ] 3. 2 / 1. User-ID a Policies > b c / 2. 47 94
3 1. Policies > 2. 3. /URL 47 4. - no-captive-portal - web-form - browser-challenge NTLM HTTP 4 1. Commit 95
User-ID User-ID User-ID 1. CLI
show user group-mapping statistics
2 User-ID CLI
show user ip-user-mapping-mp all
IP                Vsys    From   User                  Timeout (sec)
--------------------------------------------------------------
192.168.201.1     vsys1   UIA    acme\george           210
192.168.201.11    vsys1   UIA    acme\duane            210
192.168.201.50    vsys1   UIA    acme\betsy            210
192.168.201.10    vsys1   UIA    acme\administrator    210
192.168.201.100   vsys1   AD     acme\administrator    748
Total:5 users
*: WMI probe succeeded
3 User-ID test security-policy-match duane
test security-policy-match application worldofwarcraft source-user acme\duane source any destination any destination-port any protocol 6
"deny worldofwarcraft" {
    from corporate;
    source any;
    source-region any;
    to internet;
    destination any;
    destination-region any;
    user acme\duane;
    category any;
    application/service worldofwarcraft;
    action deny;
    terminal no;
}
User-ID 4 1. Mac OS Ping Ping 2. 3. 4. test cp-policy-match
test cp-policy-match from corporate to internet source 192.168.201.10 destination 8.8.8.8
Matched rule:'captive portal' action:web-form
5 Monitor >
User-ID 6 Monitor > 98
5 (HA) HA / HA / 99
HA HA Palo Alto Networks HA HA HA IP HA (ACC) HA Panorama Palo Alto Networks ( ( ( HA HA / Layer 2 Layer 3 / HA / / PA-200 VM / HA HA IPSec HA / Layer 3 / / / 100
HA HA HA HA HA (HA1) (HA2) HA HA HA1 HA2 PA-3000 PA-4000 PA-5000 HA HA HA PA-200PA-500 PA-2000 HA1 HA2 HA1 Hello HA User-ID HA1 Layer 3 IP TCP 28769 28 TCP SSH HA2 HA IPSec ARP HA2 HA2 HA2 Layer 2 ether 0x7261HA IP 99 UDP 29281 HA / HA3 HA1 HA2 HA1 HA2 HA HA IP HA HA HA1 HA2 HA1 HA1 Palo Alto Networks HA HA 101
HA Hello Hello Hello Hello HA ICMP ping ping 1000 HA IP ICMP ping IP Ping 200 10 ping IP IP IP HA PA-3000 PA-5000 102
/ HA / HA Palo Alto Networks PAN-OS PAN-OS URL vsys HA HA HA1 IP HA1 IP HA Layer 3 HA2 HA2 IP HA2 Layer 3HA2 IP HA1 HA 103
HA (PeerA) (PeerB) HA HA / PeerA PeerB HA ID ID MAC MAC 00-1B-17:00: xx: yy 00-1B-17 ID00xxHA IDyy ID Gratuitous ARP Layer 2 MAC HA1 HA2 HA HA HA1 HA HA1 HA1 HA1 HA1 HA1 HA1 HA1 HA1 HA1 HA1 HA1 HA1 104
PeerA PeerB (PeerA) HA1 IP (PeerB) HA1 IP HA HA IP HA2 /Layer 2 Layer3 (PeerA) IP HA2 /Layer 2 Layer3 (PeerB) IP PeerB PeerA PeerA 100 PeerB 110 ICMP ping IP ping ping / PeerB IP ping ping 105
/ / / 1 HA HA HA1 HA2 HA HA2 HA1 HA HA1 2 ping ping 1. Device > > [ ] 2. Ping 3 HA HA HA 4 1. Network > 2. 3. HA 4. 106
/ 4 HA IP 1. > > (HA1) 2. HA1 IP HA1 IP 5 1. HA a Network > > b HA HA c Device > > HA 2. > > (HA1) 3. 6 1. Device > > HA1 2. HA1 IP 107
/ 7 (HA2) HA2 1. Device > > (HA2) 2. 3. HA IP UDP 4. IP UDP IP 8 HA 5. 6. HA2 Keep-alive HA HA2 10000 ms / HA2 HA2 HA 7. HA2 IP 1. Device > > 2. Hello 108
/ 9 1. Device > > 2. HA1 MAC 3. 10 HA HA HA 1. Device > > 2. 109
/ 11 HA 1. Device > > 2. HA 3. ID ID HA HA ID 4. 5. 6. HA IP IP HA HA1 IP 7. HA IP 12 Commit 13 HA 2 12 14 / HA 1. Dashboard Widget 2. 110
/ 1 1. Device > > 2. 3. 2 1. 2. 3 ping IP 1. Device > > VLAN 2. IP / 4 5 Commit 111
/ HA 1 Device > > 2 Dashboard Widget 3 1. Device > > 2. Dashboard Widget 112