Installing or Upgrading the Terminal Server Agent on the Terminal Server . 222                             Configuring the...
Logging in to Panorama for the First Time . . . . . . . . . . . . . . . . . . . . . . . . .                         269   ...
Captive Portal Comfort Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .        298      ...
November 9, 2011 - Palo Alto Networks COMPANY CONFIDENTIALPreface            This preface contains the following sections:...
Organization               •   Chapter 7, “Configuring the Firewall for User Identification”—Describes how to configure th...
Typographical ConventionsTypographical Conventions            This guide uses the following typographical conventions for ...
Related Documentation14 • Preface            Palo Alto Networks
Chapter 1Introduction            This chapter provides an overview of the firewall:            •   “Firewall Overview” in ...
Management Interfaces              •     URL filtering—Outbound connections can be filtered to prevent access to inappropr...
Chapter 2Getting Started            This chapter describes how to set up and start using the firewall:            •    “Pr...
Setting Up the FirewallSetting Up the Firewall             To perform the initial firewall setup:             1.   Connect...
Using the Firewall Web InterfaceUsing the Firewall Web Interface            The following conventions apply when using the...
Using the Firewall Web Interface             •   To modify an item, click its underlined link.             •   To view hel...
Using the Firewall Web InterfaceCommitting Changes            Click Commit at the top of the web interface to open the com...
Using the Firewall Web InterfaceUsing Tables on Configuration Pages             The tables on configuration pages include ...
Getting Help Configuring the Firewall            To unlock a transaction, click the locked icon     on the top bar to open...
Getting Help Configuring the Firewall24 • Getting Started                    Palo Alto Networks
Chapter 3Device Management            This chapter describes how to perform basic system configuration and maintenance for...
System Setup, Configuration, and License ManagementSystem Setup, Configuration, and License Management            The foll...
System Setup, Configuration, and License Management            Table 1. Management Settings (Continued)              Item ...
System Setup, Configuration, and License Management            Table 1. Management Settings (Continued)              Item ...
System Setup, Configuration, and License Management            Table 1. Management Settings (Continued)              Item ...
System Setup, Configuration, and License Management            Table 2. Configuration Management Functions (Continued)    ...
System Setup, Configuration, and License Management            Table 2. Configuration Management Functions (Continued)    ...
System Setup, Configuration, and License Management            Table 3. Services Settings (Continued)              Functio...
PANOS 4.1 Administrators Guide

Palo Alto Networks PANOS 4.1 Administrators Guide
Published in: Technology

Transcript of "PANOS 4.1 Administrators Guide"

Palo Alto Networks Administrator’s Guide
Release 4.1
11/9/11 Final Review Draft - Palo Alto Networks COMPANY CONFIDENTIAL

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2007-2011 Palo Alto Networks. All rights reserved. Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners.
P/N 810-000095-00B

November 9, 2011 - Palo Alto Networks COMPANY CONFIDENTIAL

Table of Contents

Preface 11
  About This Guide 11
  Organization 11
  Typographical Conventions 13
  Notes and Cautions 13
  Related Documentation 13

Chapter 1 Introduction 15
  Firewall Overview 15
  Features and Benefits 15
  Management Interfaces 16

Chapter 2 Getting Started 17
  Preparing the Firewall 17
  Setting Up the Firewall 18
  Using the Firewall Web Interface 19
    Committing Changes 21
    Navigating to Configuration Pages 21
    Using Tables on Configuration Pages 22
    Required Fields 22
    Locking Transactions 22
    Supported Browsers 23
  Getting Help Configuring the Firewall 23
    Obtaining More Information 23
    Technical Support 23

Chapter 3 Device Management 25
  System Setup, Configuration, and License Management 26
    Defining Management Settings 26
    Defining Operations Settings 29
    Defining Services Settings 31
    Defining Content ID Settings 32
    Defining Session Settings 34
    SNMP 35
    Statistics Service 36
  Comparing Configuration Files 37
  Installing a License 37
  Upgrading the PAN-OS Software 38
    Upgrading with High Availability 39
  Updating Threat and Application Definitions 39
  Administrator Roles, Profiles, and Accounts 40
    Defining Administrator Roles 41
    Creating Administrative Accounts 41
    Specifying Access Domains for Administrators 43
  Authentication Profiles 43
    Setting Up Authentication Profiles 44
    Creating a Local User Database 45
    Configuring RADIUS Server Settings 46
    Configuring LDAP Server Settings 47
    Configuring Kerberos Settings (Native Active Directory Authentication) 47
  Authentication Sequence 48
    Setting Up Authentication Sequences 48
  Client Certificate Profiles 49
  Firewall Logs 50
    Logging Configuration 51
    Scheduling Log Exports 52
    Defining Configuration Log Settings 52
    Defining System Log Settings 53
    Defining HIP Match Log Settings 54
    Defining Alarm Log Settings 54
    Managing Log Settings 55
  Configuring SNMP Trap Destinations 55
  Configuring Syslog Servers 57
  Configuring Email Notification Settings 58
  Viewing Alarms 59
  Configuring Netflow Settings 59
  Importing, Exporting and Generating Security Certificates 60
    Encrypting Private Keys and Passwords on the Firewall 62
  High Availability 63
    Active/Passive HA 63
    Active/Active HA 63
    Packet Flow 64
    Deployment Options 65
    NAT Considerations 65
    Setting Up HA 69
    Enabling HA on the Firewall 71
  Virtual Systems 77
    Communications Among Virtual Systems 78
    Shared Gateways 79
    Defining Virtual Systems 80
    Configuring Shared Gateways 81
  Defining Custom Response Pages 81
  Viewing Support Information 83

Chapter 4 Network Configuration 85
  Firewall Deployment 85
    Virtual Wire Deployments 86
    Layer 2 Deployments 86
    Layer 3 Deployments 87
    Tap Mode Deployments 87
    Defining Virtual Wires 88
  Firewall Interfaces 88
    Viewing the Current Interfaces 89
    Configuring Layer 2 Interfaces 90
    Configuring Layer 2 Subinterfaces 91
    Configuring Layer 3 Interfaces 91
    Configuring Layer 3 Subinterfaces 94
    Configuring Virtual Wire Interfaces 97
    Configuring Aggregate Interface Groups 98
    Configuring Aggregate Ethernet Interfaces 99
    Configuring VLAN Interfaces 100
    Configuring Loopback Interfaces 101
    Configuring Tunnel Interfaces 103
    Configuring Tap Interfaces 103
    Configuring HA Interfaces 104
  Security Zones 105
    Defining Security Zones 105
  VLAN Support 106
  Virtual Routers and Routing Protocols 107
    Routing Information Protocol 107
    Open Shortest Path First 107
    Border Gateway Protocol 107
    Multicast Routing 108
    Defining Virtual Routers 109
  DHCP Server and Relay 123
  DNS Proxy 125
  Network Profiles 126
    Defining Interface Management Profiles 127
    Defining Zone Protection Profiles 128

Chapter 5 Policies and Security Profiles 131
  Policies 131
    Guidelines on Defining Policies 132
    Specifying Users and Applications for Policies 133
    Security Policies 134
      Defining Security Policies 134
    NAT Policies 137
      Determining Zone Configuration in NAT and Security Policy 139
      NAT Rule Options 139
      Defining Network Address Translation Policies 139
      NAT Policy Examples 141
    Policy-Based Forwarding Policies 141
    Decryption Policies 143
    Application Override Policies 145
      Custom Application Definition with Application Override 145
      Defining Application Override Policies 145
    Captive Portal Policies 146
      Defining Captive Portal Policies 147
    DoS Protection Policies 148
      Defining DoS Policies 148
  Security Profiles 150
    Antivirus Profiles 151
    Anti-Spyware Profiles 152
    Vulnerability Protection Profiles 153
    URL Filtering Profiles 155
    File Blocking Profiles 157
    Data Filtering Profiles 160
    DoS Profiles 162
  Other Policy Objects 163
    Addresses and Address Groups 163
      Defining Address Ranges 163
      Defining Address Groups 164
      Defining Regions 165
    Applications and Application Groups 166
      Defining Applications 168
      Custom Applications with Signatures 171
      Defining Application Groups 173
    Application Filters 173
    Services 174
    Service Groups 175
    Data Patterns 175
      Custom URL Categories 177
      Defining Data Patterns 177
    Custom Spyware and Vulnerability Signatures 178
    Security Profile Groups 180
    Log Forwarding 181
    Schedules 182

Chapter 6 Reports and Logs 183
  Using the Dashboard 184
  Using the Application Command Center 185
  Using App-Scope 188
    Summary Report 189
    Change Monitor Report 190
    Threat Monitor Report 191
    Threat Map Report 192
    Network Monitor Report 193
    Traffic Map Report 195
  Viewing the Logs 196
    Viewing Session Information 198
  Working with Botnet Reports 198
    Configuring the Botnet Report 199
    Managing Botnet Reports 200
  Managing PDF Summary Reports 201
  Managing User Activity Reports 203
  Managing Report Groups 203
  Scheduling Reports for Email Delivery
. . . . . . . . . 204 Viewing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 Generating Custom Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Identifying Unknown Applications and Taking Action . . . . . . . . . . . . . . . . . 206 Taking Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Requesting an App-ID from Palo Alto Networks . . . . . . . . . . . . . . . . . . . . . . 207 Other Unknown Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208 Taking Packet Captures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208Chapter 7Configuring the Firewall for UserIdentification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 Overview of User Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 How User Identification Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 Identifying Users and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 How User-ID Components Interact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 User-ID Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 Terminal Services Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 PAN-OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 User Identification Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 Captive Portals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 Configuring the Firewall for User Identification . . . . . . . . . . . . . . . . . . . . . . . 
215 Setting Up the User-ID Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Installing the User-ID Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 Configuring the User-ID Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 Discovering Domain Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 Monitoring User-ID Agent Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 Uninstalling and Upgrading the User-ID Agent . . . . . . . . . . . . . . . . . . . . . . . 222 Setting Up the Terminal Services Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . 222Palo Alto Networks • 7
  8. 8. Installing or Upgrading the Terminal Server Agent on the Terminal Server . 222 Configuring the Terminal Server Agent on the Terminal Server . . . . . . . . . . 223 Uninstalling the Terminal Server Agent on the Terminal Server . . . . . . . . . . 227Chapter 8Configuring IPSec Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Virtual Private Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 IPSec VPNs and SSL-VPNs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 VPN Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 IPSec and IKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 IPSec and IKE Crypto Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232 Setting Up IPSec VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 Defining IKE Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 Setting Up IPSec Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 Defining IKE Crypto Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237 Defining IPSec Crypto Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 Defining Monitor Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 Viewing IPSec Tunnel Status on the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . 239 Sample VPN Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 Existing Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 New Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
240 Configure the VPN Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 VPN Connectivity Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242Chapter 9Configuring GlobalProtect. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245 Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245 GlobalProtect Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 Setting Up GlobalProtect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247 Setting Up and Activating the GlobalProtect Client . . . . . . . . . . . . . . . . . . 256 Setting Up the GlobalProtect Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257Chapter 10Configuring Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259 Firewall Support for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259 Configuring QoS for Firewall Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 Defining QoS Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 Defining QoS Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 Displaying QoS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266Chapter 11Panorama Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267 Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267 Installing Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Configuring the Panorama Network Interface . . . . . . . . . . . . . . . . . . . . . . 2688 • Palo Alto Networks
  9. 9. Logging in to Panorama for the First Time . . . . . . . . . . . . . . . . . . . . . . . . . 269 Creating an SSL Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270 Expanding Panorama Storage Using a Virtual Disk. . . . . . . . . . . . . . . . . . 270 Setting Up Storage Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Configuring HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 HA Peer Promotion After Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273Chapter 12Central Device Management UsingPanorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Accessing the Panorama Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 276 Using the Panorama Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276 Panorama Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 Adding Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278 Defining Device Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 Specifying Access Domains for Administrators . . . . . . . . . . . . . . . . . . . . . . 280 Working with Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 Working with Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281 Working with Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283 Panorama Backward Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283 Logging and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 Generating User Activity Reports . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . 284 Performing Comprehensive Configuration Audits . . . . . . . . . . . . . . . . . . . . . . . . . 284 Viewing Firewall Deployment Information . . . . . . . . . . . . . . . . . . . . . . . . . 285 Backing Up Firewall Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286 Scheduling Configuration Exports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286 Upgrading the Panorama Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287Chapter 13WildFire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289 About WildFire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289 Setting Up to Use WildFire. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290 Configuring WildFire Settings on the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . 290 Using the WildFire Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291 Configuring Settings on the WildFire Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292 Viewing WildFire Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292Appendix ACustom Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 Default Antivirus Response Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 Default Application Block Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295 Default File Blocking Block Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295 Default URL Filtering Response Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296 Default Anti-Spyware Download Response Page . . . . . . . . . . . . . . . . . . . . . . . . 297 Default Decryption Opt-out Response Page . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . 297Palo Alto Networks • 9
  10. 10. Captive Portal Comfort Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298 URL Filtering Continue and Override Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298 SSL VPN Login Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299 SSL Certificate Revoked Notify Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300Appendix BApplication Categories, Subcategories, Technologies, and Characteristics 301 Application Categories and Subcategories . . . . . . . . . . . . . . . . . . . . . . . . 301 Application Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303 Application Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303Appendix CFederal Information Processing Standards Support . . . . . . . . . . . . . . . . 305Appendix DOpen Source Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 Artistic License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308 BSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309 GNU General Public License. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310 GNU Lesser General Public License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314 MIT/X11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 OpenSSH. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 PSF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 Zlib . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . 324Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32710 • Palo Alto Networks
Preface

This preface contains the following sections:
• "About This Guide" in the next section
• "Organization" on page 11
• "Typographical Conventions" on page 13
• "Notes and Cautions" on page 13
• "Related Documentation" on page 13

About This Guide

This guide describes how to administer the Palo Alto Networks firewall using the device's web interface. It is intended for system administrators responsible for deploying, operating, and maintaining the firewall.

Organization

This guide is organized as follows:
• Chapter 1, "Introduction"—Provides an overview of the firewall.
• Chapter 2, "Getting Started"—Describes how to install the firewall.
• Chapter 3, "Device Management"—Describes how to perform basic system configuration and maintenance for the firewall, including how to configure a pair of firewalls for high availability, define user accounts, update the software, and manage configurations.
• Chapter 4, "Network Configuration"—Describes how to configure the firewall for your network, including routing configuration.
• Chapter 5, "Policies and Security Profiles"—Describes how to configure security policies and profiles by zone, user, source/destination address, and application.
• Chapter 6, "Reports and Logs"—Describes how to view the reports and logs provided with the firewall.
• Chapter 7, "Configuring the Firewall for User Identification"—Describes how to configure the firewall to identify the users who attempt to access the network.
• Chapter 8, "Configuring IPSec Tunnels"—Describes how to configure IP Security (IPSec) tunnels on the firewall.
• Chapter 9, "Configuring GlobalProtect"—Describes GlobalProtect, which allows secure login from client systems located anywhere in the world.
• Chapter 10, "Configuring Quality of Service"—Describes how to configure quality of service (QoS) on the firewall.
• Chapter 11, "Panorama Installation"—Describes how to install the centralized management system for the Palo Alto Networks firewall.
• Chapter 12, "Central Device Management Using Panorama"—Describes how to use Panorama to manage multiple firewalls.
• Chapter 13, "WildFire"—Describes how to use WildFire for analysis and reporting on malware that traverses the firewall.
• Appendix A, "Custom Pages"—Provides HTML code for custom response pages that notify end users of policy violations or special access conditions.
• Appendix B, "Application Categories, Subcategories, Technologies, and Characteristics"—Contains a list of the application categories defined by Palo Alto Networks.
• Appendix C, "Federal Information Processing Standards Support"—Describes firewall support for Federal Information Processing Standard (FIPS) 140-2.
• Appendix D, "Open Source Licenses"—Includes information on applicable open source licenses.
Typographical Conventions

This guide uses the following typographical conventions for special terms and instructions.

boldface
  Meaning: Names of commands, keywords, and selectable items in the web interface.
  Example: Click Security to open the Security Rules page.

italics
  Meaning: Names of parameters, files, directories, or Uniform Resource Locators (URLs).
  Example: The address of the Palo Alto Networks home page is http://www.paloaltonetworks.com.

courier font
  Meaning: Coding examples and text that you enter at the command prompt.
  Example: Enter the following command: a:setup

Click
  Meaning: Click the left mouse button.
  Example: Click Administrators under the Devices tab.

Right-click
  Meaning: Click the right mouse button.
  Example: Right-click on the number of a rule you want to copy, and select Clone Rule.

Notes and Cautions

This guide uses the following symbols for notes and cautions.

NOTE: Indicates helpful suggestions or supplementary information.
CAUTION: Indicates actions that could cause loss of data.

Related Documentation

The following additional documentation is provided with the firewall:
• Quick Start
• Hardware Reference Guide
• Command Line Interface Reference Guide
Chapter 1
Introduction

This chapter provides an overview of the firewall:
• "Firewall Overview" in the next section
• "Features and Benefits" on page 15
• "Management Interfaces" on page 16

Firewall Overview

The Palo Alto Networks firewall allows you to specify security policies based on a more accurate identification of each application seeking access to your network. Unlike traditional firewalls that identify applications only by protocol and port number, the firewall uses packet inspection and a library of application signatures to distinguish between applications that share the same protocol and port, and to identify potentially malicious applications that use non-standard ports. For example, you can define security policies for specific applications rather than rely on a single policy for all port 80 connections.

For each identified application, you can specify a security policy to block or allow traffic based on the source and destination zones and addresses (both IPv4 and IPv6 addresses are supported). Each security policy can also specify security profiles to protect against viruses, spyware, and other threats.

Features and Benefits

The firewall provides granular control over the traffic allowed to access your network. The primary features and benefits include:
• Application-based policy enforcement—Access control by application is far more effective when application identification is based on more than just protocol and port number. High-risk applications can be blocked, as can high-risk behavior such as file sharing. Traffic encrypted with the Secure Sockets Layer (SSL) protocol can be decrypted and inspected.
• Threat prevention—Threat prevention services that protect the network from viruses, worms, spyware, and other malicious traffic can be varied by application and traffic source (refer to "Security Profiles" on page 150).
• URL filtering—Outbound connections can be filtered to prevent access to inappropriate web sites (refer to "URL Filtering Profiles" on page 155).
• Traffic visibility—Extensive reports, logs, and notification mechanisms provide detailed visibility into network application traffic and security events. The Application Command Center in the web interface identifies the applications with the most traffic and the highest security risk (refer to "Reports and Logs" on page 183).
• Networking versatility and speed—The firewall can augment or replace your existing firewall, and can be installed transparently in any network or configured to support a switched or routed environment. Multi-gigabit speeds and a single-pass architecture provide all services with little or no impact on network latency.
• GlobalProtect—GlobalProtect provides security for client systems, such as laptops, that are used in the field by allowing easy and secure login from anywhere in the world.
• Fail-safe operation—High availability support provides automatic failover in the event of any hardware or software disruption (refer to "Enabling HA on the Firewall" on page 71).
• Malware analysis and reporting—WildFire provides detailed analysis and reporting on malware that traverses the firewall.
• Easily managed—Each firewall is managed through an intuitive web interface or a command-line interface (CLI), or all devices can be centrally managed through the Panorama centralized management system, which has a web interface very similar to the device web interface.

Management Interfaces

The firewall supports the following management interfaces. Refer to "Supported Browsers" on page 23 for a list of supported browsers.
• Web interface—Configuration and monitoring over HTTP or HTTPS from a web browser.
• CLI—Text-based configuration and monitoring over Telnet, Secure Shell (SSH), or the console port (refer to the PAN-OS Command Line Interface Reference Guide). Telnet and plain HTTP carry administrator credentials in cleartext; use SSH and HTTPS for management unless the management network is fully isolated.
• Panorama—Palo Alto Networks product that provides web-based management, reporting, and logging for multiple firewalls. The Panorama interface is similar to the device web interface, with additional management functions included. Refer to "Panorama Installation" on page 267 for instructions on installing Panorama and "Central Device Management Using Panorama" on page 275 for information on using Panorama.
• Simple Network Management Protocol (SNMP)—Supports RFC 1213 (MIB-II) and RFC 2665 (Ethernet interfaces) for remote monitoring, and generates SNMP traps for one or more trap sinks (refer to "Configuring SNMP Trap Destinations" on page 55).
• Syslog—Provides message generation for one or more remote syslog servers (refer to "Configuring Syslog Servers" on page 57).
• XML API—Provides a Representational State Transfer (REST)-based interface to access device configuration, operational status, reports, and packet captures from the firewall. An API browser is available on the firewall at https://<firewall>/api, where <firewall> is the host name or IP address of the firewall; it provides help on the parameters required for each type of API call. An XML API usage guide is available on the DevCenter online community at http://live.paloaltonetworks.com.
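The XML API entry point described above, as an added example that is not part of the guide or of Palo Alto Networks' own code: a small Python client that builds requests against https://<firewall>/api, converts an operational command into the nested XML the API expects, and validates the <response status="..."> envelope before trusting anything in it. The request types keygen (user name and password in, API key out) and op (operational command) and the response envelope are the standard PAN-OS XML API forms; the host name fw.example.net, the user name, the key value and the sample replies are constructed for illustration, and the exact parameter set for your release should be confirmed in the API browser on the firewall.

```python
"""Minimal PAN-OS XML API client: build requests, validate the response envelope.

Added example; not code from the Administrator's Guide. Host names, user
names, key values and the SAMPLE_* replies below are constructed.
"""
import urllib.parse
import xml.etree.ElementTree as ET


class PanApiError(Exception):
    """Raised when the firewall answers with <response status="error">."""


def api_url(firewall: str, **params: str) -> str:
    """Build a request URL against https://<firewall>/api with the given query parameters."""
    return f"https://{firewall}/api/?" + urllib.parse.urlencode(params)


def op_cmd_xml(*path: str) -> str:
    """Turn a CLI-style command path into the nested XML the `op` request type expects.

    ("show", "system", "info") -> "<show><system><info></info></system></show>"
    """
    xml = ""
    for tag in reversed(path):
        xml = f"<{tag}>{xml}</{tag}>"
    return xml


def parse_response(body: str) -> ET.Element:
    """Check the <response status="success|error"> envelope and return <result>.

    An error reply carries its explanation in <msg> (often <msg><line>..</line></msg>);
    all of its text is folded into the raised exception.
    """
    root = ET.fromstring(body)
    if root.tag != "response":
        raise PanApiError(f"unexpected root element <{root.tag}>")
    status = root.get("status")
    if status != "success":
        msg = " ".join(t.strip() for t in root.itertext() if t.strip())
        raise PanApiError(f"status={status!r}: {msg}")
    result = root.find("result")
    if result is None:
        raise PanApiError("success response without <result>")
    return result


def extract_key(body: str) -> str:
    """Extract the API key from a type=keygen reply."""
    key = parse_response(body).findtext("key")
    if not key:
        raise PanApiError("keygen reply contained no <key>")
    return key


def system_info(body: str) -> dict:
    """Flatten <result><system>...</system></result> of 'show system info' into a dict."""
    system = parse_response(body).find("system")
    if system is None:
        raise PanApiError("no <system> element in result")
    return {child.tag: (child.text or "").strip() for child in system}


# Constructed sample replies, shaped like real PAN-OS responses.
SAMPLE_KEYGEN = '<response status="success"><result><key>LUFRPT1abc==</key></result></response>'
SAMPLE_INFO = (
    '<response status="success"><result><system>'
    "<hostname>pa-500-lab</hostname><ip-address>192.168.1.1</ip-address>"
    "<sw-version>4.1.0</sw-version></system></result></response>"
)
SAMPLE_ERROR = '<response status="error"><msg><line>Invalid credentials.</line></msg></response>'


def fetch(url: str, timeout: float = 10.0) -> str:
    """Perform the HTTPS request. Kept separate so the parsers above run offline."""
    import ssl
    import urllib.request
    # The default context verifies the firewall's certificate; a self-signed
    # management certificate has to be added to the trust store first.
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration on the constructed replies (hypothetical host/user).
    print(api_url("fw.example.net", type="keygen", user="apiuser", password="REDACTED"))
    key = extract_key(SAMPLE_KEYGEN)
    print(api_url("fw.example.net", type="op", cmd=op_cmd_xml("show", "system", "info"), key=key))
    print(system_info(SAMPLE_INFO))
```

Treat the key returned by keygen as equivalent to that administrator's password: it carries the same role, so generate it for a dedicated, least-privilege API administrator rather than for admin, and send the keygen request as a POST where your release accepts form data so the password does not end up in proxy or web-server logs as part of a URL.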
Chapter 2
Getting Started

This chapter describes how to set up and start using the firewall:
• "Preparing the Firewall" in the next section
• "Setting Up the Firewall" on page 18
• "Using the Firewall Web Interface" on page 19
• "Getting Help Configuring the Firewall" on page 23

Note: Refer to "Panorama Installation" on page 267 for instructions on installing the Panorama centralized management system.

Preparing the Firewall

Perform the following tasks to prepare the firewall for setup:
1. Mount the firewall in a rack and power it up as described in the Hardware Reference Guide.
2. Register your firewall at https://support.paloaltonetworks.com to obtain the latest software and App-ID updates, and to activate support or subscriptions with the authorization codes emailed to you.
3. Obtain an IP address from your network administrator for configuring the management port on the firewall.
Setting Up the Firewall

To perform the initial firewall setup:
1. Connect your computer to the management port (MGT) on the firewall using an RJ-45 Ethernet cable.
2. Start your computer. Assign a static IP address to your computer on the 192.168.1.0 network (for example, 192.168.1.5) with a netmask of 255.255.255.0.
3. Launch a supported web browser and enter https://192.168.1.1. The browser automatically opens the Palo Alto Networks login page.
4. Enter admin in both the Name and Password fields, and click Login. The system presents a warning that the default password should be changed. Click OK to continue.
5. On the Device tab, choose Setup and configure the following (for general instructions on configuring settings in the web interface, refer to "Using the Firewall Web Interface" on page 19):
   – On the Management tab under Management Interface Settings, enter the firewall's IP address, netmask, and default gateway.
   – On the Services tab, enter the IP address of the Domain Name Service (DNS) server. Enter the IP address or host and domain name of the Network Time Protocol (NTP) server and select your time zone.
   – Click Support on the side menu. If this is the first Palo Alto Networks firewall for your company, click Register Device to register the firewall. (If you have already registered a firewall, you have received a user name and password.) Click the Activate support using authorization codes link and enter the authorization codes that have been emailed to you for any optional features. Use a space to separate multiple authorization codes.
6. Click Administrators under the Device tab.
7. Click admin.
8. In the New Password and Confirm New Password fields, enter and confirm a case-sensitive password (up to 15 characters).
9. Click OK to submit the new password.
10. Commit the configuration to put these settings into effect.

When the changes are committed, the firewall is reachable through the IP address assigned in Step 5. Until that commit, the firewall still answers at 192.168.1.1 with the default admin/admin credentials, so keep the MGT port on an isolated segment during setup. For information on committing changes, refer to "Committing Changes" on page 21.
Using the Firewall Web Interface

The following conventions apply when using the firewall interface.
• To display the menu items for a general functional category, click the tab, such as Object or Devices, near the top of the browser window.
• Click an item on the side menu to display a panel.
• To display submenu items, click the expand icon to the left of an item. To hide submenu items, click the collapse icon to the left of the item.
• On most configuration pages, you can click Add to create a new item.
• To delete one or more items, select their check boxes and click Delete. In most cases, the system prompts you to confirm by clicking OK or to cancel the deletion by clicking Cancel.
• On some configuration pages, you can select the check box for an item and click Clone to create a new item with the same information as the selected item.
• To modify an item, click its underlined link.
• To view help information on a page, click the Help icon in the upper right area of the page.
• To view the current list of tasks, click the Tasks icon in the lower right corner of the page. The Task Manager window opens to show the list of tasks, along with status, start times, associated messages, and actions. Use the Show drop-down list to filter the list of tasks.
• On pages that list information you can modify (for example, the Setup page on the Devices tab), click the edit icon in the upper right corner of a section to edit the settings.
• After you configure settings, you must click OK or Save to store the changes. When you click OK, the current "candidate" configuration is updated.
Committing Changes

Click Commit at the top of the web interface to open the commit dialog box. The following options are available in the commit dialog box. Click the Advanced link, if needed, to display the options:
– Include Device and Network configuration—Include the device and network configuration changes in the commit operation.
– Include Shared Object configuration—(Multi-virtual system firewalls only) Include the shared object configuration changes in the commit operation.
– Include Policy and Objects—(Non-multi-virtual system firewalls only) Include the policy and object configuration changes in the commit operation.
– Include virtual system configuration—Include all virtual systems or the selected virtual system in the commit operation.

For more information about committing changes, refer to "Defining Operations Settings" on page 29.

Navigating to Configuration Pages

Each configuration section in this guide shows the menu path to the configuration page. For example, to reach the Vulnerability Protection page, choose the Objects tab and then choose Vulnerability Protection under Security Profiles in the side menu. This is indicated in this guide by the following path:

Objects > Security Profiles > Vulnerability Protection
Using Tables on Configuration Pages

The tables on configuration pages include sorting and column chooser options. Click a column header to sort on that column, and click again to change the sort order. Click the arrow to the right of any column and select check boxes to choose the columns to display.

Required Fields

Required fields are shown with a light yellow background. A message indicating that the field is required appears when you hover over or click in the field entry area.

Locking Transactions

The web interface provides support for multiple administrators by allowing an administrator to lock a current set of transactions, thereby preventing configuration changes or commit operations by another administrator until the lock is removed. The following types of locks are supported:
• Config lock—Blocks other administrators from making changes to the configuration. This type of lock can be set globally or for a virtual system. It can be removed only by the administrator who set it or by a superuser on the system.
• Commit lock—Blocks other administrators from committing changes until all of the locks have been released. This type of lock prevents collisions that can occur when two administrators are making changes at the same time and the first administrator finishes and commits changes before the second administrator has finished. The lock is released when the current changes are committed, or it can be released manually.

Any administrator can open the lock window to view the current transactions that are locked, along with a timestamp for each.

To lock a transaction, click the unlocked icon on the top bar to open the Locks dialog box. Click Take a Lock, select the scope of the lock from the drop-down list, and click OK. Add additional locks as needed, and then click Close to close the Locks dialog box. The transaction is locked, and the icon on the top bar changes to a locked icon that shows the number of locked items in parentheses.
To unlock a transaction, click the locked icon on the top bar to open the Locks window. Click the icon for the lock that you want to remove, and click Yes to confirm. Click Close to close the Lock dialog box.

You can arrange to automatically acquire a commit lock by selecting the Automatically acquire commit lock check box in the Management area of the Device Setup page. Refer to “System Setup, Configuration, and License Management” on page 26.

Supported Browsers

The following web browsers are supported for access to the firewall web interface:

• Internet Explorer 7+
• Firefox 3.6+
• Safari 5+
• Chrome 11+

Getting Help Configuring the Firewall

Use the information in this section to obtain help on using the firewall.

Obtaining More Information

To obtain more information about the firewall, refer to the following:

• General information—Go to http://www.paloaltonetworks.com.
• Online help—Click Help in the upper-right corner of the web interface to access the online help system.
• Collaborative area for customer/partner interaction to share tips, scripts, and signatures—Go to https://live.paloaltonetworks.com/community/devcenter.

Technical Support

For technical support, use the following methods:

• Go to the KnowledgePoint online support community at http://live.paloaltonetworks.com
• Go to https://support.paloaltonetworks.com.
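The rules under “Locking Transactions” above (config locks scoped globally or to a virtual system, removable only by their owner or a superuser; commit locks that block other administrators’ commits until released, and that are released by the commit itself) can be modelled as a small lock table. The code below is an added illustration written for this page, not Palo Alto Networks code: the class and method names are this example’s own, the scope string “shared” stands for a global lock, and “vsysN” for a virtual system lock.

```python
"""Model of the config/commit lock rules described under Locking Transactions.
Added illustration only; names and the "shared"/"vsysN" scope strings are
this example's own conventions, not PAN-OS identifiers."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class LockError(Exception):
    """A lock or commit request that the rules in the text do not allow."""


@dataclass(frozen=True)
class Lock:
    kind: str            # "config" or "commit"
    scope: str           # "shared" (global) or a virtual system name
    owner: str           # administrator who took the lock
    taken_at: datetime   # timestamp shown next to each lock in the Locks dialog


@dataclass
class LockTable:
    superusers: set = field(default_factory=set)
    locks: list = field(default_factory=list)

    def take(self, admin, kind, scope="shared"):
        """Take a Lock: any administrator may add config or commit locks."""
        if kind not in ("config", "commit"):
            raise LockError(f"unknown lock type {kind!r}")
        lock = Lock(kind, scope, admin, datetime.now(timezone.utc))
        self.locks.append(lock)
        return lock

    def view(self):
        """What any administrator sees in the lock window: locks with timestamps."""
        return [(l.kind, l.scope, l.owner, l.taken_at.isoformat())
                for l in sorted(self.locks, key=lambda l: l.taken_at)]

    def _held_by_others(self, admin, kind, scope):
        # A global lock overlaps every scope; a vsys lock overlaps only its vsys
        # (and any global operation, which touches every vsys).
        return [l for l in self.locks
                if l.kind == kind and l.owner != admin
                and (l.scope == "shared" or scope == "shared" or l.scope == scope)]

    def can_edit(self, admin, scope="shared"):
        """Config lock: others may not change the locked scope's configuration."""
        return not self._held_by_others(admin, "config", scope)

    def release(self, admin, lock):
        """Only the administrator who set a lock, or a superuser, may remove it."""
        if admin != lock.owner and admin not in self.superusers:
            raise LockError(f"{admin} may not remove {lock.owner}'s {lock.kind} lock")
        self.locks.remove(lock)

    def commit(self, admin, scope="shared"):
        """Commit lock: blocked while another administrator holds one;
        a successful commit releases the committing administrator's own."""
        blockers = self._held_by_others(admin, "commit", scope)
        if blockers:
            raise LockError("commit blocked by commit lock(s) held by "
                            + ", ".join(sorted({l.owner for l in blockers})))
        self.locks = [l for l in self.locks
                      if not (l.kind == "commit" and l.owner == admin)]
        return True


def is_denied(fn, *args):
    """True if the operation is refused by the lock rules (helper for checks)."""
    try:
        fn(*args)
        return False
    except LockError:
        return True
```

Walking through it: a config lock on vsys1 stops another administrator from editing vsys1 or the shared configuration but not vsys2; only the owner or a superuser can release it; a commit by anyone else is refused while a commit lock is outstanding, and the holder’s own commit clears it.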
Chapter 3
Device Management

This chapter describes how to perform basic system configuration and maintenance for the firewall and includes overviews of the virtual systems, high availability, and logging functions:

• “System Setup, Configuration, and License Management” in the next section
• “Comparing Configuration Files” on page 37
• “Installing a License” on page 37
• “Upgrading the PAN-OS Software” on page 38
• “Updating Threat and Application Definitions” on page 39
• “Administrator Roles, Profiles, and Accounts” on page 40
• “Authentication Profiles” on page 43
• “Authentication Sequence” on page 48
• “Client Certificate Profiles” on page 49
• “Firewall Logs” on page 50
• “Configuring SNMP Trap Destinations” on page 55
• “Configuring Syslog Servers” on page 57
• “Configuring Email Notification Settings” on page 58
• “Viewing Alarms” on page 59
• “Configuring Netflow Settings” on page 59
• “Importing, Exporting and Generating Security Certificates” on page 60
• “High Availability” on page 63
• “Virtual Systems” on page 77
• “Defining Custom Response Pages” on page 81
• “Viewing Support Information” on page 83
System Setup, Configuration, and License Management

The following sections describe how to define the network settings and manage configurations for the firewall:

• “Defining Management Settings” in the next section
• “Defining Operations Settings” on page 29
• “Defining Services Settings” on page 31
• “Defining Content ID Settings” on page 32
• “Defining Session Settings” on page 34

Note: Refer to “WildFire” on page 289 for information on configuring the settings on the WildFire tab.

Defining Management Settings

Device > Setup > Management

The Setup page allows you to configure the firewall for management, operations, services, content identification, WildFire malware analysis and reporting, and session behavior. If you do not want to use the management port, you can define a loopback interface and manage the firewall through the IP address of the loopback interface (refer to “Configuring Loopback Interfaces” on page 101).

Perform any of the following operations on this page:

• To change the host name or network settings, click Edit on the first table on the page, and specify the following information.

Table 1. Management Settings

General Settings

  Host Name
    Enter a host name (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
  Domain
    Enter the Fully Qualified Domain Name (FQDN) of the firewall (up to 31 characters).
  Login Banner
    Enter custom text that will be displayed on the firewall login page. The text is displayed below the Name and Password fields.
  Timezone
    Select the time zone of the firewall.
  Locale
    Select a language for PDF reports from the drop-down list. Refer to “Managing PDF Summary Reports” on page 201.
Table 1. Management Settings (Continued)

  Time
    To set the date and time on the firewall, click Set Time. Enter the current date (YYYY/MM/DD) or click the calendar icon to select a month and day. Enter the current time in 24-hour format (HH:MM:SS).
  Serial Number
    (Panorama only) Enter the serial number of the firewall.
  Geo Location
    Enter the latitude (-90.0 to 90.0) and longitude (-180.0 to 180.0) of the firewall.
  Automatically acquire commit lock
    Automatically apply a commit lock when you change the candidate configuration. For more information, refer to “Locking Transactions” on page 22.
  Certificate Expiration Check
    Instruct the firewall to create warning messages when on-box certificates near their expiration dates.
  Multi Virtual System Capability
    To enable the use of multiple virtual systems (if supported on the firewall model), click Edit for Multi Virtual System Capability near the top of the Setup page. Select the check box, and click OK. For more information about virtual systems, refer to “Virtual Systems” on page 77.

Authentication Settings

  Authentication Profile
    Select the authentication profile to use for administrator access to the firewall. For instructions on configuring authentication profiles, refer to “Setting Up Authentication Profiles” on page 44.
  Client Certificate Profile
    Select the client certificate profile to use for administrator access to the firewall. For instructions on configuring client certificate profiles, refer to “Client Certificate Profiles” on page 49.
  Idle Timeout
    Enter the timeout interval (1-1440 minutes). A value of 0 means that the management, web, or CLI session does not time out.
  # Failed Attempts
    Enter the number of failed login attempts that are allowed for the web interface and CLI before the account is locked (1-10, default 0). 0 means that there is no limit.
  Lockout Time
    Enter the number of minutes that a user is locked out (0-60 minutes) if the number of failed attempts is reached. The default 0 means that there is no limit to the number of attempts.

Panorama Settings

  Panorama Server
    Enter the IP address of Panorama, the Palo Alto Networks centralized management system (if any). The server address is required to manage the device through Panorama.
    To remove any policies that Panorama propagates to managed firewalls, click the Disabled Shared Policies link. To move the policies to your local name space before removing them from Panorama, click the Import shared policies from Panorama before disabling check box in the dialog box that opens. Click OK.
  Panorama Server 2
    If Panorama is operating in high availability (HA) mode, specify the second Panorama system that is part of the HA configuration.
  Receive Timeout for connection to Panorama
    Enter the timeout for receiving TCP messages from Panorama (1-120 seconds, default 20).
  Send Timeout for connection to Panorama
    Enter the timeout for sending TCP communications to Panorama (1-120 seconds, default 20).
Table 1. Management Settings (Continued)

  Retry Count for SSL send to Panorama
    Enter the number of retries for attempts to send Secure Sockets Layer (SSL) messages to Panorama (1-64, default 25).

Management Interface Settings

  MGT Interface Speed
    Configure a data rate and duplex option for the management interface. The choices include 10Mbps, 100Mbps, and 1Gbps at full or half duplex. Use the default auto-negotiate setting to have the firewall determine the interface speed. This setting should match the port settings on the neighboring network equipment.
  MGT Interface IP Address
    Enter the IP address of the management port. Alternatively, you can use the IP address of a loopback interface for device management. This address is used as the source address for remote logging.
  Netmask
    Enter the network mask for the IP address, such as “255.255.255.0”.
  Default Gateway
    Enter the IP address of the default router (must be on the same subnet as the management port).
  MGT Interface IPv6 Address
    (Optional) Enter the IPv6 address of the management port.
  Default IPv6 Gateway
    Enter the IPv6 address of the default router (must be on the same subnet as the management port), if you assigned an IPv6 address to the management port.
  MGT Interface Services
    Select the services enabled on the specified management interface address: HTTP, HTTPS, Telnet, Secure Shell (SSH), and/or ping.
  Permitted IPs
    Enter the list of IP addresses from which firewall management is allowed.

Logging and Reporting Settings

  Log Storage
    Specify the percentage of space allocated to each log type on the hard disk. When you change a percent value, the associated disk allocation changes automatically. If the total of all the values exceeds 100%, a message appears on the page in red, and an error message is presented when you attempt to save the settings. If this occurs, readjust the percentages so the total is within the 100% limit.
    Click OK to save settings and Restore Defaults to restore all of the default settings.
    Note: When a log reaches its maximum size, it starts to be overwritten beginning with the oldest entries. If you resize an existing log to be smaller than its current size, the firewall starts immediately to cut down the log when you commit the changes, with the oldest logs removed first.
  Max. Rows in User Activity Report
    Enter the maximum number of rows that is supported for user activity reports (1-1048576, default 65535).
  Number of Versions for Config Audit
    Enter the number of configuration audit versions to save before discarding the oldest ones (default 100).
  Number of Versions for Config Backups
    (Panorama only) Enter the number of configuration backups to save before discarding the oldest ones (default 100).
  Stop Traffic when LogDb full
    Select the check box if you want traffic through the firewall to stop when the log database is full (default off).
Table 1. Management Settings (Continued)

  Send Hostname In Syslog
    Select the check box to send the device hostname field in syslog messages. When this option is set, syslog messages will contain the hostname of the firewall device in their header.

Defining Operations Settings

Device > Setup > Operations

When you change a configuration setting and click OK, the current “candidate” configuration is updated, not the active configuration. Clicking Commit at the top of the page applies the candidate configuration to the active configuration, which activates all configuration changes since the last commit. This method allows you to review the configuration before activating it. Activating multiple changes simultaneously helps avoid invalid configuration states that can occur when changes are applied in real-time.

You can save and roll back (restore) the candidate configuration as often as needed and also load, validate, import, and export configurations. Pressing Save creates a copy of the current candidate configuration, whereas choosing Commit updates the active configuration with the contents of the candidate configuration.

Note: It is a good idea to periodically save the configuration settings you have entered by clicking the Save link in the upper-right corner of the screen.

To manage configurations, select the appropriate configuration management functions, as described in the following table.

Table 2. Configuration Management Functions

Configuration Management

  Validate candidate config
    Checks the candidate configuration for errors.
  Revert to last saved config
    Restores the last saved candidate configuration from flash memory. The current candidate configuration is overwritten. An error occurs if the candidate configuration has not been saved.
  Revert to running config
    Restores the last running configuration. The current running configuration is overridden.
    Note: If the web interface is not available, use the CLI command debug swm revert. Refer to the PAN-OS Command Line Interface Reference Guide for details.
  Save named configuration snapshot
    Saves the candidate configuration to a file. Enter a file name or select an existing file to be overwritten. Note that the current active configuration file (running-config.xml) cannot be overwritten.
Table 2. Configuration Management Functions (Continued)

  Save candidate config
    Saves the candidate configuration in flash memory (same as clicking Save at the top of the page).
  Load named configuration snapshot
    Loads a candidate configuration from the active configuration (running-config.xml) or from a previously imported or saved configuration. Select the configuration file to be loaded. The current candidate configuration is overwritten.
  Load configuration version
    Loads a specified version of the configuration.
  Export named configuration snapshot
    Exports the active configuration (running-config.xml) or a previously saved or imported configuration. Select the configuration file to be exported. You can open the file and/or save it in any network location.
  Export configuration version
    Exports a specified version of the configuration.
  Import named config snapshot
    Imports a configuration file from any network location. Click Browse and select the configuration file to be imported.

Device Operations

  Reboot Device
    To restart the firewall, click Reboot Device. You are logged out and the PAN-OS software and active configuration are reloaded. Any configuration changes that have not been saved or committed are lost (refer to “Defining Operations Settings” on page 29).
    Note: If the web interface is not available, use the CLI command request restart system. Refer to the PAN-OS Command Line Interface Reference Guide for details.
  Restart Data Plane
    To restart the data functions of the firewall without rebooting, click Restart Dataplane.
    Note: If the web interface is not available, use the CLI command request restart dataplane. Refer to the PAN-OS Command Line Interface Reference Guide for details.
Table 2. Configuration Management Functions (Continued)

Miscellaneous

  Custom Logo
    Click Custom Logo to customize any of the following:
    • Login screen
    • Main user interface (UI)
    • PDF report title page. Refer to “Managing PDF Summary Reports” on page 201.
    • PDF report footer
    Click the icons to upload an image file, to preview it, or to remove a previously uploaded image. Note the following:
    • Supported file types are png, gif, and jpg.
    • To return to the default logo, remove your entry and commit.
    • The maximum image size for any logo image is 128 KB.
    • For the login screen and main user interface options, when you click the preview icon, the image is shown as it will be displayed. If necessary, the image is cropped to fit. For the PDF reports, the images are auto-resized to fit without cropping. In all cases, the preview shows the recommended image dimensions.
    For information on generating PDF reports, refer to “Managing PDF Summary Reports” on page 201.
  SNMP Setup
    Specify SNMP parameters. Refer to “SNMP” on page 35.
  Statistics Service Setup
    Specify settings for the statistics service. Refer to “Statistics Service” on page 36.

Note: When you click Commit or enter a commit CLI command, all changes made through the web interface and the CLI since the last commit are activated. To avoid possible conflicts, use the transaction locking functions as described in “Locking Transactions” on page 22.

Defining Services Settings

Device > Setup > Services

Use the Services tab to define settings for Domain Name Service (DNS), Network Time Protocol (NTP), update servers, proxy servers, and service route configuration.

Table 3. Services Settings

  DNS
    Select the type of DNS service. This setting is used for all DNS queries initiated by the firewall in support of FQDN address objects, logging, and device management. Options include:
    • Primary and secondary DNS servers for domain name resolution
    • DNS proxy that has been configured on the firewall
Table 3. Services Settings (Continued)

  Primary DNS Server
    Enter the IP address or host name of the primary DNS server. The server is used for DNS queries from the firewall, for example, to find the update server, to resolve DNS entries in logs, or for FQDN-based address objects.
  Secondary DNS Server
    Enter the IP address or host name of a secondary DNS server to use if the primary server is unavailable (optional).
  Primary NTP Server
    Enter the IP address or host name of the primary NTP server, if any. If you do not use NTP servers, you can set the device time manually.
  Secondary NTP Server
    Enter the IP address or host name of secondary NTP servers to use if the primary server is unavailable (optional).
  Update Server
    This setting represents the IP address or host name of the server used to download updates from Palo Alto Networks. The current value is updates.paloaltonetworks.com. Do not change the server name unless instructed by technical support.
  Secure Proxy Server
    If the device needs to use a proxy server to reach Palo Alto Networks update services, enter the IP address or host name of the server.
  Secure Proxy Port
    If you specify a proxy server, enter the port.
  Secure Proxy User
    If you specify a proxy server, enter the user name to access the server.
  Secure Proxy Password / Confirm Secure Proxy Password
    If you specify a proxy server, enter and confirm the password for the user to access the server.
  Service Route Configuration
    Specify how the firewall will communicate with other servers. Click Service Route Configuration and configure the following:
    • To communicate with all external servers through the management interface, select Use Management Interface for all.
    • Choose Select to choose options based on the type of service. Select the source from the Source Address drop-down list.

Defining Content ID Settings

Device > Setup > Content-ID

Use the Content-ID tab to define settings for URL filtering, data protection, and container pages.

Table 4. Content ID Settings

URL Filtering

  Dynamic URL Cache Timeout
    Click Edit and enter the timeout (in hours). This value is used in dynamic URL filtering to determine the length of time an entry remains in the cache after it is returned from the URL filtering service. For information on URL filtering, refer to “URL Filtering Profiles” on page 155.
  URL Continue Timeout
    Specify the interval following a user's “continue” action before the user must press continue again for URLs in the same category (range 1-86400 minutes, default 15 minutes).
