Palo Alto Networks 5.0 11/15/12 Palo Alto Networks
Palo Alto Networks, Inc. www.paloaltonetworks.com 2007-2012 Palo Alto Networks. Palo Alto Networks PAN-OS Panorama Palo Alto Networks, Inc. P/N 810-000108-00A
11 15, 2012 - Palo Alto Networks
11 15, 2012 - Palo Alto Networks 13 15 15 15 Web Palo Alto Networks 1 2 3 4 5 / 6 7 8 IPSec IP (IPSec) Palo Alto Networks 13
9 GlobalProtect GlobalProtect GlobalProtect 10 (QoS) 12 Panorama Palo Alto Networks 13 Panorama Panorama 14 WildFire WildFire A HTML B Palo Alto Networks C 140-2 D 14 Palo Alto Networks
courier font Web (URL) Security Security Rules Palo Alto Networks http://www.paloaltonetworks.com set deviceconfig system dnssettings Devices Administrators Clone Rule Palo Alto Networks https://live.paloaltonetworks.com/community/documentation
1 18 19 Palo Alto Networks TCP80 IPv4 IPv6 Palo Alto Networks 17
Secure Sockets Layer (SSL) (User-ID) User-ID Microsoft Active Directory edirectory SunOne OpenLDAP LDAP Web 243 180 URL 185 URL Web (ACC) 215 GlobalProtect GlobalProtect 88 HA WildFire VM PAN-OS VMware ESXi x86 Palo Alto Networks Panorama Web (CLI) Panorama Web Web 18 Palo Alto Networks
27 Web HTTP HTTPS CLI Telnet Secure Shell (SSH) PAN-OS Panorama Web Palo Alto Networks Panorama Web Panorama 323 Panorama Panorama 333 Panorama (SNMP) RFC 1213 (MIB-II) RFC 2665 SNMP Trap 66 SNMP Trap 67 XML API Representational State Transfer (REST) API https:// <firewall>/api <firewall> IP API DevCenter XML API http://live.paloaltonetworks.com Palo Alto Networks 19
2 22 23 Web 28 Panorama 323 Panorama 1. 2. https://support.paloaltonetworks.com App-ID 3. IP Palo Alto Networks 21
1. RJ-45 (MGT) 2. 255.255.255.0 192.168.1.0 IP 192.168.1.5 3. Web https://192.168.1.1 Palo Alto Networks 4. admin 5. Device Setup 23 Web Management Interface Settings Management IP Services (DNS) IP (NTP) IP Palo Alto Networks 6. Devices Administrators 7. admin 8. New Password Confirm New Password 15 9. 10. 5 IP 25 1 2 22 Palo Alto Networks
Web Web Objects Device Palo Alto Networks 23
Web Task Manager Web Web [ ] Palo Alto Networks https://live.paloaltonetworks.com/community/documentation Devices Setup 24 Palo Alto Networks
Web Web Include Device and Network configuration Include Shared Object configuration Include Policy and Objects Palo Alto Networks 25
Web Include virtual system configuration 35 Operations Preview Changes Device > Config Audit 44 Vulnerability Protection Objects Security Profiles Vulnerability Protection Objects > Security Profiles > Vulnerability Protection 26 Palo Alto Networks
Web Web Config lock Commit Lock [ ] [ ] [ ] [ ] Device Setup Management Automatically acquire commit lock 30 Web Internet Explorer 7+ Firefox 3.6+ Safari 5+ Chrome 11+ Palo Alto Networks 27
http://www.paloaltonetworks.com Web Help / https://live.paloaltonetworks.com/community/devcenter KnowledgePoint http://live.paloaltonetworks.com https://support.paloaltonetworks.com 28 Palo Alto Networks
3 44 44 45 / PAN-OS 49 49 55 59 79 60 66 SNMP Trap 67 74 75 75 Netflow 76 82 95 100 101 Palo Alto Networks 29
Management 35 Operations 38 Services 40 Content ID 41 Session 42 SNMP 43 44 WildFire 367 WildFire Management Device > Setup > Management Setup WildFire IP 125 1. Management Domain 31 (FQDN) 31 Name Password 30 Palo Alto Networks
1. Management Geo Location Automatically acquire commit lock # Failed Attempts PDF 233 PDF Web PDF 23 Web (YYYY/MM/ DD) 24 (HH:MM:SS) Device > Setup > Services NTP Panorama -90.0 90.0-180.0 180.0 27 Setup Multi Virtual System Capability 95 55 79 1-1440 0 Web CLI Web CLI 1-10 00 0-60 0 Palo Alto Networks 31
1. Management Panorama Panorama Server Panorama Palo Alto Networks IP Panorama Panorama Panorama Panorama Panorama Panorama Panorama Panorama 2 Receive Timeout for connection to Panorama Send Timeout for connection to Panorama Retry Count for SSL send to Panorama Panorama Panorama MGT Interface Speed MGT Interface IP Address (HA) Panorama HA Panorama Panorama TCP 1-120 20 TCP Panorama 1-120 20 Secure Sockets Layer (SSL) Panorama 1-64 25 Panorama Panorama 10Mbps 100Mbps 1Gbps IP IP IP 255.255.255.0 IP 32 Palo Alto Networks
1. Management MGT Interface IPv6 Address IPv6 MGT Interface Services Permitted IPs CSV Average Browse Time (sec) Page Load Threshold (sec) IPv6 IPv6 2001:400:f00::1/64 IPv6 IPv6 HTTP HTTPS Telnet Secure Shell (SSH) / ping IP 100% 100% 1-1048576 65535 CSV CSV 1-1048576 65535 100 Panorama 100 User Activity Report URL 41 2 5 2 0-300 60 User Activity Report 0-60 20 Palo Alto Networks 33
1. Management Stop Traffic when LogDb full DP Minimum Password Complexity 52 50 31 10 10 10 10 31 (HA) Block Username Inclusion (including reversed) Block Password Change Period (days) Required Password Change Period (days) Expiration Warning Period (days) 1-15 0-15 0-15 0-15 0-15 4 test2222 test222 2-15 4 4 0-50 0-365 0-365 90 90 0-30 0-30 34 Palo Alto Networks
1. Management Allowed expired admin login (count) Post Expiration Grace Period (days) 3 3 0-3 0-30 Operations Device > Setup > Operations 2. Validate candidate config Revert to last saved config Revert to running config Save named configuration snapshot Save candidate config Load named configuration snapshot Load configuration version Export named configuration snapshot Export configuration version (running-config.xml) (running-config.xml) (running-config.xml) / Palo Alto Networks 35
2. Import named config snapshot VPN GlobalProtect CA XML API CLI save device state device_state_cfg.tgz /opt/pancfg/mgmt/ device-state scp export devicestate tftp export device-state XML API PAN-OS XML Rest API https://live.paloaltonetworks.com/community/ documentation 283 GlobalProtect VPN Reboot Device Shutdown Device Restart Data Plane Export device state Panorama Global Protect (CA) Reboot Device PAN-OS 35 Operations Web CLI request restart system PAN-OS Shutdown Device Web CLI request restart system PAN-OS Restart Dataplane PA-200 Web CLI request restart dataplanepan-os 36 Palo Alto Networks
2. SNMP UI PDF 233 PDF PDF png gif jpg 128 KB PDF PDF 233 PDF SNMP 42 SNMP 43 commit CLI Web CLI 27 Palo Alto Networks 37
Services Device > Setup > Services Services (DNS) (NTP) Proxy 3. Services DNS DNS Secondary DNS Server NTP NTP Proxy Proxy Proxy Proxy Confirm Secure Proxy Password DNS DNS FQDN DNS DNS Proxy DNS IP DNS DNS FQDN DNS IP NTP IP NTP NTP IP Palo Alto Networks IP updates.paloaltonetworks.com Proxy Palo Alto Networks IP Proxy Proxy Proxy
3. Services Service Route Configuration / DNSPalo Alto Networks NTP Use Management Interface for all (MGT) IP IP Palo Alto Networks IP/ Service Route Configuration Use Management Interface for all (MGT) MGT / MGT Device > Setup > Management Management Interface Settings Select [ ] IP Device > Setup > Services DNS DNS Destination Source Address Destination Source Address Kerberos LDAP Panorama IP RADIUS MGT Kerberos Service Route Configuration Destination Source Address Kerberos [] Ethernet1/3 IP 192.168.2.1 Kerberos 10.0.0.240 Ethernet1/3 Network > Virtual Routers 10.0.0.240 Ethernet1/3 IP 192.168.2.1/24 CLI PA-200-Test# show route destination { 10.0.0.240 { source address 192.168.2.1/24 } Ethernet1/3 10.0.0.240 Palo Alto Networks 39
Content ID Device > Setup > Content-ID Content-ID URL 4. Content ID URL Dynamic URL Cache Timeout URL URL URL x-forwarded-for Strip-x-forwarded-for URL Settings for URL Admin Override URL URL BrightCloud URL URL 185 URL URL continue 1-86400 15 URL 1-86400 900 URL 1-86400 1800 IP X-Forwarded-For HTTP X-Forwarded-For Proxy IP Src:x.x.x.x URL Source User x.x.x.x IP IP X-Forwarded-For IP WildFire VSYS VSYS URL Override 185 URL URL Location VSYS Password/Confirm Password Server Certificate SSL Mode Redirect IP 40 Palo Alto Networks
4. Content ID Manage Data Protection /pdf /soap+xml /xhtml+ /html / /xml URL Session Device > Setup > Session Session IPv6 5. Session ICMPv6 ICMPv6 Jumbo Frame Jumbo Frame MTU IPv6 NAT64 IPv6 MTU Telnet Deny Telnet ICMPv6 ICMPv6 10-65535 100 ICMPv6 10-65535 / 100 jumbo Jumbo MTU 9192 http://www.paloaltonetworks.com IPv6 IPv6 IPv6 IPv6 IPv6 MTU 1280 IPv6 MTU Palo Alto Networks 41
5. Session Enable OCSP (%) Accelerated Aging Threshold % Accelerated Aging Scaling Factor 10 3600 360 (CRL) SSL (CA) CRL SSL SSL (OCSP) SSL 173 CRL 1-60 OCSP SSL OCSP 1-60 1-60 SNMP Device > Setup > Operations SNMPv2c SNMPv3 SNMP (MIB) Setup SNMP Setup MIB SNMP Trap SNMP Trap ID (OID) (varbind) 6. SNMP MIB 42 Palo Alto Networks
6. SNMP Use Specific Trap Definitions SNMP Trap OID SNMP V2c V3 MIB V2c public V2c SNMP Community String SNMP public V3 Views Name View OID (OID) 1.2.3.4 Option OID Mask OID 0xf0 Users Users View Auth Password 8 256 (SHA) Priv Password 8 256 (AES) Device > Setup > Operations Palo Alto Networks Palo Alto Networks 4 URL Report Sample Palo Alto Networks 43
Device > Config Audit Config Audit 1. Panorama Panorama Device > Licenses Palo Alto Networks URL URL Licenses URL 44 Palo Alto Networks
/ PAN-OS a. http://support.paloaltonetworks.com b. c. Web URL CLI PAN-OS / PAN-OS Device > Software PAN-OS Palo Alto Networks PAN- OS Software Palo Alto Networks 4.0.12 4.1.7 4.1.0 4.1.7 4.1.0 4.0 5.0 4.0 4.1 4.1 5.0 4.1 3.1 4.0 PAN-OS 4.0 4.1. 4.1 5.0 47 PAN-OS PC Palo Alto Networks 45
/ PAN-OS PAN-OS PAN-OS (HA)PAN-OS 4.0 4.1. 4.1 5.0 PAN-OS PAN-OS Decrypt failed:gnupg edit non-zero, with code 171072 Failed to load into PAN software manager. PAN-OS / / (HA) PAN-OS PAN-OS non-syn-tcp (HA) 82 HA Dashboard Widget Widget Widget > HA / // / 1. 45 / PAN-OS 2. Device > Setup > Operations Export named configuration snapshot running-config.xml 3. / B PAN-OS A / set session tcp-reject-non-syn no set session tcp-reject-non-syn yes / 4. / A / B PAN-OS B A 46 Palo Alto Networks
/ PAN-OS 5. A PAN-OS A HA non-syn-tcp 3 set session tcp-reject-nonsyn yes 6. Monitor > Session Browser CLI show session all HA show high-availability all match reason / show high-availability interface ha2 CPU / / PAN-OS PAN-OS PAN-OS PAN-OS 4.0 4.1 4.1 5.0 48 4.1.4 4.1.5 5.0.0 5.0.1 1. Device > Setup > Operations Export named configuration snapshot running-config.xml 2. Device > Software PAN- OS 3. 4. PAN-OS Palo Alto Networks 47
/ PAN-OS 4.0 4.1 4.1 5.0 PAN-OS 4.1 1. Device > Setup > Operations Export named configuration snapshot running-config.xml 2. Device > Software 2 3. 4. PAN-OS 5.0 PAN-OS 4.1 autosave-4.1.0 2 2. 48 Palo Alto Networks
5. PAN-OS PAN-OS 4.1 4.0 3.1 Device > Dynamic Updates Palo Alto Networks URL GlobalProtect WildFire WildFire Palo Alto Networks PC Dynamic Updates Local database RADIUS Remote Authentication Dial In User Service (RADIUS) LDAP (LDAP) Kerberos Kerberos Client Certificate RADIUS LDAP Kerberos DB Palo Alto Networks 49
55 51 53 SSL (VPN) 293 GlobalProtect 54 79 PAN-OS Panorama PAN-OS 3.1 7. SSL- VPN (`) < > (&) (*) (@) (?) ( ) (\) (;) (") ($) '(' ')' (':') 50 Palo Alto Networks
7. (@) (^) ([) (a-z) (A-Z) (0-9) (_) (.) (-) (]) (+) ($) Device > Admin Roles Admin Roles 53 FIPS CC admin paloalto admin admin / auditadmin cryptoadmin securityadmin Palo Alto Networks 51
8. Role WebUI CLI 31 255 Web / CLI disable CLI superuser superreader deviceadmin devicereader Device > Password Profiles Minimum Password Complexity 34 Minimum Password Complexity 50 Device > Administrators 9. Required Password Change Period (days) Expiration Warning Period (days) Post Expiration Grace Period (days) Allowed expired admin login (count) 31 0-365 90 90 0-30 0-30 0-30 3 3 0-3 52 Palo Alto Networks
Device > Administrators admin Password authentication Client certificate authentication (web) (SSH) / Setup > Management Minimum Password Complexity 10. Use only client certificate authentication (web) Confirm New Password (SSH) 15 RADIUS LDAP Kerberos DB 55 Web 15 Setup > Management Minimum Password SSH IETF SECSH OpenSSH DSA 1024 RSA 768-4096 Palo Alto Networks 53
10. Role Dynamic Superuser Superuser (read-only) Device Admin Device administrator (read-only) Vsys Admin Vsys Admin (read-only) Role Based Admin 51 51 Panorama Administrators Device > Access Domain Access Domain RADIUS (VSA) RADIUS RADIUS 57 RADIUS RADIUS RADIUS RADIUS Panorama 343 Panorama 11. 31 [ ] 54 Palo Alto Networks
RADIUS LDAP Kerberos SSL-VPN SSL-VPN Setup 30 Management Setup RADIUS RADIUS Palo Alto Networks RADIUS https://live.paloaltonetworks.com/docs/doc-3189 Settings None Device > Authentication Profile Authentication Profile 12. 31 0-60 0 0 1-10 00 All Search Available any Palo Alto Networks 55
12. None Local Database RADIUS RADIUS LDAP LDAP Kerberos Kerberos RADIUS LDAP Kerberos Server 57 RADIUS 58 LDAP 59 Kerberos Active Directory LDAP LDAP LDAP Active Directory edirectory Sun ONE Directory SSL-VPN 293 GlobalProtect SSL-VPN

<SCRIPT>
function getpasswarnhtml(expdays) {
    var str = "Your password will expire in " + expdays + " days";
    return str;
}
</SCRIPT>

str Panorama Captive Portal User Group Authentication Profile Device > User Authentication > Captive Portal Captive Portal Authentication Profile Policies > Captive Portal 247
Device > Local User Database > Users Local Users 13. Local User Name 31 Device > Local User Database > User Groups Shared Password Password Hash Local User Groups 14. Local User Group Name 31 Shared RADIUS Device > Server Profiles > RADIUS RADIUS RADIUS 55 15. RADIUS 31 Shared RADIUS 1-30 3 Palo Alto Networks 57
15. RADIUS Retrieve User Group 1-5 3 RADIUS VSA Name IP address IP Port Secret/Confirm Secret RADIUS LDAP Device > Server Profiles > LDAP LDAP LDAP 55 16. LDAP DN Bind Password/Confirm Bind Password SSL 31 Shared LDAP IP NetBIOS paloaltonetworks.com paloaltonetworks Palo Alto Networks SSL (TLS) 0-60 30 0-60 30 LDAP 1-3600
Kerberos Active Directory Device > Server Profiles > Kerberos Internet Authentication Service (IAS) RADIUS Kerberos Active Directory Kerberos Kerberos Kerberos 55 Kerberos Kerberos \ @ 17. Kerberos 31 Shared 127 user@example.local example.local 31 Kerberos Server IP Host FQDN Port RADIUS LDAP
Device > Authentication Sequence Authentication Sequence 55 18. 31 0-60 0 0 1-10 00 Monitor > Logs Panorama SNMP Trap 19. Configuration Data Filtering Alarms 75 Panorama SNMP Trap 191
19. HIP URL Filtering WildFire HIP GlobalProtect (HIP) 293 GlobalProtect HA SNMP Trap / 160 215 / 215 URL URL URL PAN-DB URL URL BrightCloud DB BrightCloud 185 URL WildFire WildFire [ ] [ ] [ ] [ ] [ ] [ ] WildFire WildFire https://wildfire.paloaltonetworks.com 367 WildFire 371 WildFire
Panorama SNMP Trap 20. Panorama Panorama Panorama 30 Management SNMP Trap SNMP Trap SNMP Trap 66 SNMP Trap Syslog 67 68 [ ] Device > Server Profiles > Syslog Custom Log Format HIP Device > Scheduled Log Export CSV (FTP) (SCP) FTP 3 FTP Scheduled Log Export SCP Test SCP server connection SCP SCP 21. Scheduled export start time (daily) 31 255 url hipmatch 24 (hh:mm) (00:00-23:59)
21. Port FTP Username SCP FTP FTP IP FTP 21 FTP FTP anonymous FTP anonymous Device > Log Settings > Config Panorama / 22. Panorama Panorama SNMP Syslog SNMP Trap SNMP Trap 66 SNMP Trap 74 67
Device > Log Settings > System Panorama SNMP Trap / HA 23. Panorama SNMP Email Syslog Panorama Panorama 30 Management Critical HA High RADIUS Medium Low Informational / SNMP / 66 SNMP Trap. 67. 74. HIP Device > Log Settings > HIP Match (HIP) GlobalProtect 293 24. HIP Panorama Panorama SNMP Syslog HIP SNMP Trap SNMP Trap 66 SNMP Trap 68 [ ] Device > Server Profiles > Syslog Custom Log Format HIP 67
Device > Log Settings > Alarms Alarms 25. CLI Web Encryption/Decryption Failure Threshold CLI Web CLI / DB Selective Audit Security Violations Time Period IP Security Violations Threshold Alarms CC Specific Logging (CC) Verbose Login Success Logging Login Failure Logging Suppressed Administrators Device > Log Settings > Manage Logs
SNMP Trap SNMP Trap Device > Server Profiles > SNMP Trap SNMP Trap SNMP Trap 64 26. SNMP Trap V2c settings V3 settings SNMP 31 SNMP SNMP V2c Server SNMP Trap 31 Manager IP Community public V3 Server SNMP Trap 31 Manager IP User SNMP EngineID ID ID 5 64 10 128 2 0x ID MIB OID 1.3.6.1.6.3.10.2.1.1.0 GET ID Auth Password 8 256 (SHA) Priv Password 8 256 (AES)
SNMP MIB SNMP MIB SNMPv2-MIB DISMAN-EVENT-MIB IF-MIB HOST-RESOURCES-MIB ENTITY-SENSOR-MIB PAN-COMMON-MIB PAN-TRAPS-MIB Palo Alto Networks Technical Documentation Enterprise MIB https://live.paloaltonetworks.com/community/documentation Device > Server Profiles > Syslog HIP 64 27. Servers Server Port 31 31 IP 514
27. Custom Log Format [ ] [ ] 68 Escaped characters [ ] Device > Server Profiles > Syslog Custom Log Format HIP 28. actionflags admin after-change-detail before-change-detail cef-formatted-receive_time cef-formatted-time_generated client cmd host path receive_time result seqno serial subtype Panorama PAN-OS 4.0.0 CEF CEF Web CLI add clone commit delete edit move rename set validate IP 512 [ ] [ ] [ ] [ ] 64 PAN-OS 4.0.0
28. time_generated vsys [] [] [] [] [hip ] 29. actionflags cef-formatted-receive_time cef-formatted-time_generated eventid fmt module number-of-severity Panorama PAN-OS 4.0.0 CEF CEF 512 [ ] [ ] [ ] [ ] [ ] [ ] [ ] -1-2 -3-4 -5 opaque 512 receive_time seqno 64 PAN-OS 4.0.0 serial severity [ ] [ ] [ ] [ ] [ ] subtype time_generated vsys crypto dhcp dnsproxy dos general global-protect ha hw nat ntpd pbf port pppoe ras routing satd sslmgr sslvpn userid url-filtering vpn [] [] [] [] [hip ]
30. action actionflags app category cef-formatted-receive_time cef-formatted-time_generated contenttype direction dport dst dstloc dstuser flags from inbound_if logset misc natdport natdst natsport natsrc number-of-severity outbound_if proto receive_time repeatcnt [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ url] [ ] Panorama PAN-OS 4.0.0 URL URL WildFire any CEF CEF HTTP 32 URL PAN-OS 4.0.0 'client-to-server' 'server-to-client' IP 32 PAN-OS 4.0.0 32 [ ] URL URI wildfire 4.0 PAN-OS 63 4.0 1023 NAT NAT NAT IP NAT NAT NAT IP -1-2 -3-4 -5 IP 5 IP IP ID URL
30. rule seqno serial sessionid severity sport src srcloc srcuser subtype threatid time_generated time_received to vsys WildFire 64 PAN-OS 4.0.0 [] [ ] [ ] [ ] [] IP 32 PAN-OS 4.0.0 [URL] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [wildfire] Palo Alto Networks PAN-OS 5.0 64 [] [] [] [] [hip ] WildFire 31. action [ ] [ ] [ ] actionflags Panorama PAN-OS 4.0.0 app bytes bytes_received bytes_sent category cef-formatted-receive_time cef-formatted-time_generated PA-4000 PAN-OS 4.1.0 PA-4000 PAN-OS 4.1.0 URL CEF CEF
31. dport dst dstloc dstuser elapsed flags from inbound_if logset natdport natdst natsport natsrc outbound_if packets pkts_received pkts_sent proto receive_time repeatcnt rule seqno serial sessionid sport src srcloc srcuser start IP 32 PAN-OS 4.0.0 32 [ ] AND NAT NAT NAT IP NAT NAT NAT IP PA-4000 PAN-OS 4.1.0 PA-4000 PAN-OS 4.1.0 IP 5 IP IP ICMP 64 PAN-OS 4.0.0 IP 32 PAN-OS 4.0.0
31. subtype time_generated time_received to vsys [ ] [ ] [ ] [ ] [ ] [] [] [] [] [hip ] 32. HIP actionflags cef-formatted-receive_time cef-formatted-time_generated machinename matchname matchtype receive_time repeatcnt seqno serial src srcuser subtype time_generated vsys Panorama PAN-OS 4.0.0 CEF CEF HIP HIP HIP HIP HIP 64 PAN-OS 4.0.0 IP HIP [] [] [] [] [hip ] HIP
Device > Server Profiles > Email 64 236 33. Servers Server Custom Log Format 31 1-31 SMTP From From security_alert@company.com (SMTP) IP [ ]
[ ] Web [ ] Device > Log Settings > Alarms > Alarm Settings Enable Alarms [ ] Netflow Device > Server Profiles > Netflow IP NetFlow 9 NetFlow IPv4 IPv4 NAT IPv6 App-ID User-ID PAN-OS PA-4000 NetFlow NetFlow NetFlow NetFlow NetFlow NetFlow 108 34. Netflow PAN-OS Server Port Netflow 31 Netflow 1-3600 30 1-600 20 PAN-OS Netflow App-ID User-ID 31 IP 2 2055
Device > Certificate Management > Certificates Certificates Forward Trust CA CA Certificates Forward Untrust CA CA Trusted Root CA CA CA CA CA CA CA SSL Exclude SSL Certificate for Secure Web GUI Web Web Certificates a. b. a. b.
Web CA SSL a. b. c. PKCS #12 PEM d. PKCS #12 PEM *.key e. a. b. c. PKCS#12.pfx.pem d. Export Private Key a. [ ] b. Forward Trust Forward Untrust Trusted Root CA SSL Exclude Certificate for Secure Web GUI Panorama Panorama Panorama 333 Panorama (HA) HA HA HA HA 2 1 2 35. 31 IP FQDN Shared CA
35. OCSP Expiration (days) Locality Organization Department CA OCSP Device > Certificate Management > OCSP Responder OCSP IP OCSP URL 365 GlobalProtect Validity Period ISO 6366 Device > Certificate Management > Certificates > Trusted Certificate Authorities (CA) CA 36. Trusted Certificate Authorities CA CA CA CA CA CA CA
Device > Certificate Management > Certificate Profile Setup SSL-VPN GlobalProtect 30 Management 247 37. Certificate Profile Username Field CA CRL OCSP CRL OCSP Receive Timeout 31 user name CA OCSP URL CA OCSP OCSP CA (CRL) (OCSP) OCSP CRL CRL 1-60 OCSP 1-60 1-60
OCSP Device > Certificate Management > OCSP Responder OCSP Responder PAN-OS OCSP OCSP Device > Setup > Sessions Sessions Features Decryption Certificate Revocation Settings 38. OCSP Responder OCSP 31 OCSP Device > Master Key and Diagnostics Master Key and Diagnostics New Master Key 16 81 81 81
39. Master Key and Diagnostic SA 1-730 1-365 (HA) HA HA PAN-OS 5.0 HA HA HA 1. HA Web CLI show jobs all show jobs pending check pending-changes 2. Device > High Availability General Enable Config Sync 3. 16 A 4. B 5. 6. Enable Config Sync
HA 1. HA HA Device > High Availability General Enable Config Sync 2. HA Web CLI show jobs all show jobs pending check pending-changes 3. 16 A 4. B 5. 6. 7. Enable Config Sync PAN-OS / / (HA) HA / HA / HA HA HA HA HA (MGT) hello HA1 HA1
/ HA / HA App-ID Content-ID App-ID Content-ID Layer 7 PAN-OS HA3 Layer 3 / Layer 3 HA3 App-ID Content-ID Layer 3 IP ARP IP IP Layer 3 Static interface IP Layer 3 IP / HA / Floating IP Virtual Router Redundancy Protocol (VRRP) HA IP IP IP ID IP HA ARP load sharing (ARP) / App-ID Content-ID (1) (2) / HA IP modulo IP IP modulo IP HA Primary Device Hash
HA App-ID Content-ID HA HA3 Layer 7 / HA Layer 3 IPv6 / IPv6 / App-ID Content-ID Layer 3 IP HA IP IP MAC ARP VRRP IP VPN (NAT) IP IP IP HA MAC Layer 3 ARP ARP HA IP IP ARP IP ARP ARP Layer 3 ARP / ARP IP ping Layer 3 IP (OSPF) IP HA
NAT / NAT / HA / Web / NAT NAT NAT NAT NAT NAT 1 1 NAT 0 NAT Device 0 and Device 1 NAT ID IP NAT Both NAT NAT Primary NAT NAT ARP 0/1 / NAT IP IP/ IP IP/ NAT ID 0 1 HA IP 0 1.1.1.1 1 1.1.1.2 0 1.1.1.1 IP ISP 1.1.1.254/24 1.1.1.1/24 1.1.1.2/24 ID 0 ID 1 3. IP
40. IP Src NAT 0 L3Trust L3Untrust dynamic-ip-and-port 1.1.1.1 Src NAT 1 L3Trust L3Untrust dynamic-ip-and-port 1.1.1.2 / HA 0 1 (ISP) IP NAT ID 0 1 0 1.1.1.1 1 2.2.2.1 0 1 IP 1.1.1.1 ISP ISP IP IP ISP 1.1.1.254/24 ISP 2.2.2.254/24 1.1.1.1/24 2.2.2.1/24 ID 1 4. IP 41. IP Src NAT 0 L3Trust L3Untrust dynamic-ip-and-port 1.1.1.1 Src NAT 1 L3Trust L3Untrust dynamic-ip-and-port 2.2.2.1 / HA 0 1
IP NAT 3.3.3.30 10.0.0.200 ISP 1.1.1.254/24 ISP 2.2.2.254/24 1.1.1.1/24 2.2.2.1/24 ID 0 ID 1 10.0.0.200 IP 3.3.3.30 5. IP 42. IP DNAT Prov Indep / HA L3Untrust L3Untrust 3.3.3.30 10.0.0.200 HA HA 1. 2. PAN-OS 3. 4. RJ-45 HA1 HA2 HA1 HA2 / HA3 HA3
HA HA ethernet 1/15 ethernet 1/16 5. Network HA HA 6. HA 6. HA 88 HA HA HA HA Device > High Availability 87 HA HA HA High Availability 43. HA General Enable HA Group ID / 1 63 / Layer 2 ID Description / Mode active-active active-passive Peer HA IP Address Control Link HA1 IP Backup Peer HA IP Address IP Enable Config Sync Link Speed / HA Link Duplex / HA
43. HA Device Priority 0-255 Heartbeat Backup HA hello HA1 IP HA Preemptive Preemption Hold Time 1-60 1 Promotion Hold Time / / HA Hello Interval HA hello 8000-60000 8000 Heartbeat Interval HA ICMP ping 1000-60000 1000 Maximum No. of Flaps active 15 flap 0-16 3 suspended 0 Passive firewall flap Monitor Fail Hold Up Time (ms) HA 0-60000 0 Additional Master Hold Up Time (min) 0-60000 500 / / /
43. HA Control Link (HA1)/ Control Link (HA1 Backup) HA HA1 HA [ ] Heartbeat Backup HA HA1 HA Heartbeat Backup HA PA-200 HA HA1 HA [ ] Heartbeat Backup HA HA HA HA HA Port HA1 HA IPv4/IPv6 Address HA1 HA1 IPv4 IPv6 Netmask HA1 IP 255.255.255.0 Gateway HA1 IP Link Speed HA HA1 HA HA1 Encryption Enabled HA HA HA HA HA1 Certificates / 60 Monitor Hold Time (ms) 1000-60000 3000 HA1
43. HA (HA2) Port HA HA2 IP Address HA2 HA IPv4 IPv6 Netmask HA2 HA Gateway HA2 HA HA HA2 IP Gateway Enable Session Synchronization Transport Ethernet (Ethertype 0x7261) IP Layer 3 IP 99 UDP IP UDP 29281 Link Speed HA HA2 Link Duplex HA HA2 HA2 keep-alive HA HA2 HA2 HA Action log-only HA2 HA2 / split data-path / HA active/active Threshold (ms) 5000-60000 10000 HA2 HA2 keep-alive HA
43. HA Link and Path Monitoring Link Groups Enabled IP ICMP ping Layer 2 Layer 3 Failure Condition VLAN Name Enabled Failure Condition Source IP VLAN IP IP IP IP IP IP Destination IPs Ping Interval ping 200-60,000 200 Ping Count ping 3-10 ping 10 ping Enabled Failure Condition Name Enabled Failure Condition Interfaces
43. HA Active Passive Passive Link State Active/Active HA3 VR QoS auto Layer 2 Layer 3 shutdown 1 60 1 [ ] HA3 App-ID Content-ID Layer 7 / HA HA QoS QoS Network QoS QoS Primary Device / Layer 7 First packet App-ID Content-ID Layer 7 HA3 IP Modulo IP Primary Device IP Hash IP IP
43. HA IPv4 IPv6 HA / HA ARP LAN ARP WAN IP 84 Floating HA IP IP IP HA Device 0 Priority IP Device 1 Priority IP Failover address if link state is down ARP Load Sharing HA IP IP Modulo ARP IP ARP IP Hash ARP IP ARP Suspend local device HA HA HA HA IP HA LED request high-availability state suspend CLI Device High Availability Suspend
CLI request high-availability state functional HA CLI show high-availability all CLI show high-availability state Device Config Audit Dashboard HA Widget Web CLI request high-availability sync-to-remote running-config CLI show jobs processed HA Lite PA-200 VM Lite / HA HA Lite Lite IPSec DHCP DHCP PPPoE Layer 3 VLAN 129 NAT QoS PA-4000 PA-5000 PA-2000 PA-3000 PA-500 PA-200
7 1 VSYS 2 VSYS 3 VSYS 4 VSYS vsys vsys vsys vsys 7. (vsys1) Policies Objects VLAN 99 SNMP
Dept 1 VSYS Dept 2 VSYS VSYS 1 VSYS 2 VSYS 1 VSYS 2 VSYS 2 VSYS 1 VSYS 1 VSYS 2 VSYS 3 VSYS 4 VSYS 8.
97 IP a.a.a.a b.b.b.b c.c.c.c d.d.d.d 1 VSYS 2 VSYS 3 VSYS 4 VSYS 9. ISP IP IP 10 x.x.x.x a.a.a.a b.b.b.b c.c.c.c d.d.d.d 1 VSYS 2 VSYS 3 VSYS 4 VSYS 10. NAT
Device > Virtual Systems Device > Setup Management General Settings Multi Virtual System Capability Virtual Systems 44. ID General Resource 31 DNS Proxy DNS Proxy 149 DNS Proxy VLAN Sessions Limit Security Rules NAT Rules NAT Decryption Rules QoS Rules QoS Application Override Rules PBF Rules (PBF) CP Rules (CP) DoS Rules (DoS) Site to Site VPN Tunnels VPN Concurrent GlobalProtect Tunnel Mode Users GlobalProtect VLAN Network > Zones 129 Network > Interfaces
Device > Shared Gateways Layer 3 Layer 3 110 Layer 3 45. ID 31 Device > Response Pages URL HTML A 46. Antivirus Block Application Block Captive Portal Comfort File Blocking Block File Blocking Continue GlobalProtect Portal Help GlobalProtect Portal Login GlobalProtect Welcome SSL 188 GlobalProtect GlobalProtect GlobalProtect 293 GlobalProtect GlobalProtect 293 SSL