Palo Alto Networks PAN-OS 4.0 New Features

Speaker notes

  • PA-5000 Series. Things to talk about: moving farther into the data center core. Notes: CPS = connections per second.
  • GlobalProtect. Things to talk about: what is it and what is the point? Control outside of the network; security outside of the network.
  • GlobalProtect client. Things to talk about: the installer is an MSI and can be pushed out via GPO. There is an option to allow the user to disable the client (not recommended); an optional password can be required to do so.
  • Third-party VPN clients. Things to talk about: the supported third-party VPN clients are PAN SSL VPN, Juniper Network Connect and Cisco Systems VPN Adapter.
  • ** GlobalProtect demo after this slide **
  • PAN-OS 4.0: More Control. Things to talk about: touch on all of these, as they do not come up again. Notes: User-ID: X-Forwarded-For is the header proxies add to pass the original client's address (user info) along to web servers; it is a security hole because it sends internal IP addresses out onto the web, hence the option to strip it. URL Filtering: URL logging will now log 1023 bytes of the requested URL.
  • PAN-OS 4.0: Easy to Use Gets Easier. Things to talk about: the UI upgrades are on the next slide; explain the rest.
  • New UI architecture. Things to talk about:
    - Easy object creation (from within rule creation and also lower left on the rules page)
    - Switching between tabs saves your place
    - Commit checks for application dependencies
    - Policy Viewer: edit a whole policy at once (Security, NAT, ...)
    - Regions
    - Reports are different (click on Reports and look to the right); managing custom reports is much different
    - PCAP from the GUI
    - Locks: with a config lock only you can edit the config and commit; with a commit lock others can edit but only you can commit. Locks can be acquired automatically (Device tab > Setup > Management options).
    ** UI demo after this slide **: security rules (tagging, drag-and-drop, object value visibility, filtering, rule editing both quick and through the whole interface, regions); tab switching; config/commit locks; commit app dependency check; PCAP from the GUI.
  • Improved Deployment Flexibility. Things to talk about: explain these except for Active/Active, DNS Proxy, VR-to-VR routing and country-based policies; just touch on those. Notes:
    - Overlapping IP address support: to facilitate shared use of a device, the system now supports use of the device's layer 3 services by clients that have the same IP address as interfaces or hosts in another virtual router.
    - Untagged subinterfaces: multiple untagged layer 3 subinterfaces can now be created on a single physical interface. The source interface is determined from the destination IP address rather than from a VLAN tag.
    - Adjust TCP MSS: the maximum segment size (MSS) is adjusted to 40 bytes less than the interface MTU. This addresses the situation in which a tunnel through the network requires a smaller MSS: if a packet cannot fit within the MSS without fragmenting, this setting allows an adjustment to be made.
  • Heartbeat backup link. Why did we add it? To address split-brain issues resulting from a lost HA1 link; this is very common for platforms using in-band HA1. How is it configured? A simple checkbox.
  • IPv6 support. The Neighbor Discovery Protocol defines mechanisms for providing the following functionality:
    - Router discovery: hosts can locate routers residing on attached links.
    - Prefix discovery: hosts can discover address prefixes that are on-link for attached links.
    - Parameter discovery: hosts can find link parameters (e.g. MTU).
    - Address autoconfiguration: stateless configuration of addresses of network interfaces.
    - Address resolution: mapping between IP addresses and link-layer addresses.
    - Next-hop determination: hosts can find next-hop routers for a destination.
    - Neighbor unreachability detection (NUD): determine that a neighbor is no longer reachable on the link.
    - Duplicate address detection (DAD): nodes can check whether an address is already in use.
    - Redirect: a router can inform a node about better first-hop routers.
    - Recursive DNS Server (RDNSS) assignment via router advertisement (RA) options. [2]
  • Networking enhancements. Things to talk about: virtual systems/routers as routing targets, available in virtual routers as well as in policy-based forwarding rules; SSL VPN and management of the firewall via the primary link in a WAN failover configuration.
  • Active/Active packet handling. Things to talk about: the reason for the HA3 link is that after session setup, packets are forwarded back to the session owner for layer 7 processing, to preserve the forwarding path.
  • Notes: ECMP = Equal Cost Multi-Path routing.
  • SSH decryption. Things to talk about: SSH v2 with interactive auth.
  • ** Authentication, Reporting (custom and default), Botnet, DoS and Drive-by Download demo after this slide **
Slide transcript

1. Agenda
   - PA-5000 Series
   - GlobalProtect
   - PAN-OS 4.0

2. PA-5000 Series

3. PA-5000 Series
   - PA-5060
   - PA-5050
   - PA-5020

4. Introducing the PA-5000 Series
   - High-performance next-generation firewall
   - Three models, up to 20 Gbps firewall throughput, 10 Gbps threat-prevention throughput
5. Process Breakdown (PA-4000 Series)
   Control plane:
   - Dual-core CPU with RAM and HDD
   - Device Server: URL database (20 million entries + 1 million dynamic)
   Data plane (10 Gbps data path):
   - FPGA (security profiles): AV, anti-spyware and vulnerability protection signatures; file and data filtering signatures
   - Cavium multi-core security processor (CPU 1 to CPU 16, each with RAM): App-ID; decoders; session setup and tear-down; session table; segment reassembly and normalization; 100k-entry URL filtering cache; flows with the fast path disabled ('set session offload no')
   - SSL, IPSec and decompression acceleration
   - EZchip 10 Gig network processor: QoS; route, ARP and MAC lookup; NAT; App-Override flows; fast-path flows; zone protection profiles; QoS; PBF
6. PA-5000 Series Architecture
   Control plane:
   - Quad-core management CPU (Core 1 to Core 4) with RAM
   - High-speed logging and route update
   - Dual hard drives (SSD)
   Data plane:
   - Signature match hardware engine (multiple signature match units, each with RAM): stream-based uniform signature match; vulnerability exploits (IPS), virus, spyware, credit card numbers, SSNs and more
   - Security processors (multiple 12-CPU processors, each with RAM and its own SSL, IPSec and decompression offload): high-density parallel processing for flexible security functionality; hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
   - Network processor: 20 Gbps front-end network processing; flow control; hardware-accelerated per-packet route lookup, MAC lookup and NAT
   - Switch fabric: 80 Gbps switch fabric interconnect; 20 Gbps QoS engine
   - 10 Gbps and 20 Gbps links between the blocks
7. PA-5000 Series Features
   - Redundant, hot-swappable AC or DC power supplies
   - SFP+ transceivers
   - Hard disks: two disk bays; solid state drives; a single 120 GB drive is included, additional 120 or 240 GB drives are available; RAID 1 when two drives are installed (they must be identical)
   - Hot-swappable fan tray
8. GlobalProtect

9. What is GlobalProtect?
   - GlobalProtect applies security policy to endpoints regardless of their location
   - Runs as a client on Windows PCs
   - Gathers host information (OPSWAT based)
   - Creates a VPN for remote clients
   - Locates the nearest gateway for the VPN connection (the portal hands out the gateway list; see the architecture slides)
   - Transparent operation to the user

10. GlobalProtect Architecture
   - The portal authenticates the user and directs them to a gateway, where policy is enforced
   - (Diagram: one portal and two gateways; step 1 is the connection to the portal, step 2 the connection to a gateway)

11. Initial GlobalProtect connection
   - The laptop user makes an initial connection to the portal and authenticates
   - The portal provides the software, the HIP configuration and the gateway list
   - The downloaded agent is installed and configured
   - The agent gathers host information and finds the closest gateway
   - If the closest gateway is "internal", no VPN is built
   - If the closest gateway is "external", a VPN is built
   - HIP data is sent to the gateway
   - The gateway enforces security policy based on user, application, content AND the HIP submitted by the client

12. HIP: Host Information Profile
   - HIP objects define an endpoint: "Does the client have AV and is it enabled?", "Does the client have updated Microsoft patches?", "Is the client running notepad.exe?"
   - Endpoints return this information to the gateway
   - HIP profiles are defined by the objects an endpoint matches
   - Security policy can be defined based on HIP profile: "VPN clients who are members of HR can only access the HR database if they have disk encryption enabled"

13. HIP object options
   - Patch Management: IsEnabled?, LastScanTime, MissingPatchList, Vendor/Product
   - Disk Encryption: DiskState for each volume, Vendor/Product
   - Antivirus: DataFileTime, Vendor/Product, LastFullScanTime, RealTimeScanEnabled?
   - Anti-Spyware: DataFileTime, Vendor/Product, LastFullScanTime
   - Firewall: IsFirewallEnabled?, Vendor/Product
   - Host Info: Machine Name, Domain, Organization
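To make the object, profile and policy layering concrete, here is an added illustrative evaluator written for this page. It is not GlobalProtect's own implementation or schema: the endpoint report layout, the object predicates, the profile and rule classes and the `evaluate_policy` helper are all assumptions chosen to mirror the HIP object options listed above and the HR database rule quoted on the HIP slide.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed endpoint report (what a client's HIP submission might carry; field names
# follow the HIP object options on the slide, the layout itself is assumed).
SAMPLE_HOST = {
    "host_info": {"machine_name": "HR-LAPTOP-07", "domain": "corp.example", "organization": "Example Inc"},
    "antivirus": {"vendor": "ExampleAV", "real_time_scan_enabled": True, "data_file_age_days": 2},
    "disk_encryption": {"vendor": "ExampleCrypt", "disk_state": {"C:": "encrypted", "D:": "unencrypted"}},
    "firewall": {"is_enabled": True, "vendor": "Windows Firewall"},
    "patch_management": {"is_enabled": True, "missing_patch_list": []},
    "running_processes": ["explorer.exe", "outlook.exe"],
}

# Constructed variant of the same host after the D: volume has been encrypted.
SAMPLE_HOST_ENCRYPTED = {**SAMPLE_HOST,
    "disk_encryption": {"vendor": "ExampleCrypt", "disk_state": {"C:": "encrypted", "D:": "encrypted"}}}

# A HIP object is a named predicate over the endpoint report (assumed representation).
HIP_OBJECTS: Dict[str, Callable[[dict], bool]] = {
    "av-realtime-on": lambda h: h.get("antivirus", {}).get("real_time_scan_enabled", False),
    "av-signatures-fresh": lambda h: h.get("antivirus", {}).get("data_file_age_days", 999) <= 7,
    "all-volumes-encrypted": lambda h: bool(h.get("disk_encryption", {}).get("disk_state"))
        and all(state == "encrypted" for state in h["disk_encryption"]["disk_state"].values()),
    "no-missing-patches": lambda h: h.get("patch_management", {}).get("is_enabled", False)
        and not h.get("patch_management", {}).get("missing_patch_list"),
    "host-firewall-on": lambda h: h.get("firewall", {}).get("is_enabled", False),
    "notepad-running": lambda h: "notepad.exe" in h.get("running_processes", []),
}

@dataclass
class HIPProfile:
    """An endpoint matches a profile when every required object matches and no excluded one does."""
    name: str
    require: List[str]
    exclude: List[str] = field(default_factory=list)

    def matches(self, host: dict) -> bool:
        return (all(HIP_OBJECTS[o](host) for o in self.require)
                and not any(HIP_OBJECTS[o](host) for o in self.exclude))

PROFILES = [
    HIPProfile("baseline-compliant", ["av-realtime-on", "av-signatures-fresh", "host-firewall-on", "no-missing-patches"]),
    HIPProfile("encrypted-endpoint", ["all-volumes-encrypted"]),
]

@dataclass
class Rule:
    name: str
    groups: List[str]        # user groups the rule applies to
    dest: str                # destination object
    hip_profiles: List[str]  # the endpoint must match ALL listed profiles
    action: str

# Assumed rulebase encoding the slide's example: HR reaches the HR database only from a
# compliant endpoint with disk encryption; otherwise an explicit deny.
POLICY = [
    Rule("hr-db-encrypted-only", ["HR"], "hr-database", ["baseline-compliant", "encrypted-endpoint"], "allow"),
    Rule("hr-db-default-deny", ["HR"], "hr-database", [], "deny"),
]

def matched_profiles(host: dict) -> List[str]:
    return [p.name for p in PROFILES if p.matches(host)]

def evaluate_policy(user_groups, dest, host) -> str:
    """First-match lookup, as in a firewall rulebase; anything unmatched is implicitly denied."""
    profiles = set(matched_profiles(host))
    for rule in POLICY:
        if set(rule.groups) & set(user_groups) and rule.dest == dest and set(rule.hip_profiles) <= profiles:
            return f"{rule.action} ({rule.name})"
    return "deny (implicit)"

if __name__ == "__main__":
    for label, host in (("D: unencrypted", SAMPLE_HOST), ("all encrypted", SAMPLE_HOST_ENCRYPTED)):
        print(label, matched_profiles(host), evaluate_policy(["HR"], "hr-database", host))
```

Two design points carry over to the real feature: a profile is evaluated against the full report the client submitted, so a report that omits a section (for example no `patch_management` block at all) should fail the object rather than pass it, which is why every predicate defaults to `False`; and the rulebase keeps an explicit deny after the conditional allow, so a half-compliant endpoint is refused rather than falling through to some broader rule.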
14. HIP objects and profile examples

15. Configuring the GlobalProtect Portal
   - The portal has many of the same authentication configuration options as an SSL VPN portal
   - It can interoperate with some third-party VPN clients
   - Third-party clients can be set to override the GlobalProtect tunnel
   - The administrator controls which HIP objects are returned to the portal
   - The portal determines which settings the client UI will use

16. Configuring the GlobalProtect Gateway
   - The gateway provides client addressing information
   - It can provide basic messages to clients that pass or fail HIP profiles
   - It contains all client VPN configuration

17. Policy example using GlobalProtect
18. PAN-OS 4.0: A Significant Milestone

19. PAN-OS 4.0: More Control...
   App-ID:
   - Custom App-IDs for unknown protocols
   - App and threat stats collection
   - SSH tunneling control (for port-forwarding control)
   - 6,000 custom App-IDs
   User-ID:
   - Windows 2003 64-bit and Windows 2008 32- and 64-bit Terminal Server support; XenApp 6 support
   - Client certificates for captive portal
   - Authentication sequence flow
   - Strip X-Forwarded-For header
   - Destination port in captive portal rules
   Threat Prevention and Data Filtering:
   - Behavior-based botnet C&C detection
   - PDF virus scanning
   - Drive-by download protection
   - Hold-down time scan detection
   - Time attribute for IPS and custom signatures
   - DoS protection rulebase
   URL Filtering:
   - Container page filtering, logging and reporting
   - Seamless URL activation
   - "Full" URL logging
   - Manual URL DB uploads (weekly)

20. PAN-OS 4.0: Easy to Use Gets Easier...
   New UI architecture:
   - Streamlined policy management workflow
   - Rule tagging, drag-and-drop, quick rule editing, object value visibility, filtering and more
   Panorama:
   - Extended config sharing (all rulebases, objects and profiles shared to devices)
   - Dynamic log storage via NFS
   - Panorama HA
   - UAR from Panorama
   - Exportable config backups
   - Comprehensive config audit
   Management:
   - FQDN-based address objects
   - Configurable log storage by log type
   - Configurable event/log format (including CEF for ArcSight)
   - Configuration transactions
   - SNMPv3 support
   - Extended reporting for VSYS admins (scheduler, UAR, summary reports, email forwarding)
   - PCAP configuration in the UI

21. PAN-OS 4.0: New UI Architecture
   - Streamlined policy management workflow
   - Rules: tagging, drag-and-drop, quick rule editing, object value visibility, filtering, and much more
22. Networking Enhancements

23. PAN-OS 4.0: Improved Deployment Flexibility...
   Networking:
   - Active/Active HA
   - HA enhancements (link failover, next-hop gateway for HA1, more)
   - IPv6 L2/L3 basic support
   - DNS proxy
   - DoS source/destination IP session limiting
   - VSYS resource control (number of rules, tunnels, more)
   - Country-based policies
   - Overlapping IP support (across multiple VRs)
   - VR-to-VR routing
   - Virtual system as the destination of a PBF rule
   - Untagged subinterfaces
   - TCP MSS adjustment
   NetConnect SSL-VPN:
   - Password expiration notification
   - Mac OS support (released with PAN-OS 3.1.4)

24. HA Enhancements
   - Added backup link for HA1 and HA2 to protect against "split brain"
   - Support for devices with HA links on different subnets
   - Enhanced timers for better failover control
   - Active/Active HA clusters

25. Heartbeat Backup Link: Split-Brain Protection
   - Redundant path for the heartbeat/hello messages
   - Data plane status confirmation
   - Supported on the full product line

26. DNS Proxy
   - The firewall acts as a DNS server for clients
   - The firewall chooses the upstream DNS server based on: priority (primary, secondary); domain name (e.g. xxx.local uses the internal DNS, everything else the public DNS); static entries
   - Enabled per interface

27. IPv6 Support
   - IPv6 layer 3 interfaces
   - IPv6 addresses in all policy
   - IPv6 static routes in virtual routers
   - ICMPv6 support
   - DHCPv6 support
   - Support for Neighbor Discovery

28. Networking enhancements
   - Virtual systems as routing targets: used in virtual routers; used in PBF
   - DNS-based (FQDN) address book entries (example: an allow rule)
   - Country-based address book entries (example: block everything from Canada)
29. Active/Active HA

30. Active/Active HA
   - Both devices in the cluster are active and passing traffic
   - The devices back each other up, taking over primary ownership if either one fails
   - Both devices load-share the traffic
   - BUT REMEMBER: no increase in session capacity; not designed to increase throughput
   - Supported modes: layer 3 and virtual wire

31. Packet handling within the cluster
   - Session setup and session ownership can be handled by two different devices in the cluster; it is atypical to implement it this way
   - Session setup: may be distributed among the devices in the HA group using IP modulo or IP hash; layer 2 to layer 4 processing is handled by the session setup device; this requires a dedicated HA interface, the HA3 link
   - Session ownership: the owning device is responsible for all layer 7 processing

32. Session setup options
   - IP modulo: one device sets up sessions for even-numbered IP addresses and the peer for odd-numbered IP addresses. This is preferred as it is deterministic.
   - IP hash: a hash of either the source or a combination of source and destination IP address is used to distribute session setup.
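As an added illustration of the two distribution methods (example code written for this page, not PAN-OS code; the use of SHA-256 as the hash and the small cluster model are assumptions), the following shows why modulo is called deterministic: both peers reach the same answer from the address alone and a subnet splits evenly, with no state to agree on. It also models the HA3 hand-off from the previous slide, where the peer that set up a session is not the one that owns it for layer 7 processing.

```python
import hashlib
import ipaddress
from collections import Counter
from typing import Callable, Optional

def setup_peer_modulo(ip: str) -> int:
    """IP modulo: even address -> peer 0, odd address -> peer 1. Deterministic because
    the answer depends only on the address, so both peers agree without exchanging state."""
    return int(ipaddress.ip_address(ip)) % 2

def setup_peer_hash(src: str, dst: Optional[str] = None) -> int:
    """IP hash over the source alone, or over source+destination when dst is given.
    SHA-256 is an assumption for this illustration; any stable hash has the same properties."""
    key = src if dst is None else f"{src}->{dst}"
    return hashlib.sha256(key.encode()).digest()[0] % 2

def balance(subnet: str, chooser: Callable[[str], int]) -> Counter:
    """How evenly a chooser spreads session setup across the two peers for one subnet."""
    return Counter(chooser(str(host)) for host in ipaddress.ip_network(subnet).hosts())

def layer7_path(client: str, owner: int, chooser: Callable[[str], int]) -> dict:
    """Model of the packet-handling slide: the setup peer does layers 2-4 for the session's
    first packet; when it is not the session owner, the packet crosses HA3 to the owner
    for layer 7 processing."""
    setup = chooser(client)
    return {"setup_peer": setup, "owner": owner, "ha3_hop": setup != owner}

if __name__ == "__main__":
    print("modulo split of 10.0.0.0/24:", dict(balance("10.0.0.0/24", setup_peer_modulo)))
    print("hash split of 10.0.0.0/24:  ", dict(balance("10.0.0.0/24", setup_peer_hash)))
    print(layer7_path("10.0.0.2", owner=1, chooser=setup_peer_modulo))
```

The practical point for capacity planning is the last line: every session whose setup peer differs from its owner costs an HA3 crossing per packet, so the HA3 link has to be sized for that share of the traffic, and an uneven address population (for example most clients behind one NAT address) will skew the modulo split far from the 50/50 seen on a full subnet.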
33. Deployment topologies: floating IP address
   - IP address redundancy is achieved with floating IP addresses
   - Each interface on a device is configured with floating IP addresses
   - Floating IP address ownership is determined by device priority
   - Load sharing is done externally via ECMP or by configuring clients with different default gateways
   - (Diagram legend: red = backup, green = active)

34. Deployment topologies: ARP load sharing
   - The firewalls share a virtual IP address
   - A unique virtual MAC per device is generated for the virtual IP address
   - ARP load sharing is used to load-balance incoming traffic
   - A hash or modulo of the source address of each ARP request determines which device answers it
35. Security Enhancements

36. Agenda: Security Enhancements
   - Client certificate auth for captive portal
   - Botnet detection and DoS policy
   - IPS action enhancements
   - SSH decryption
   - Updated URL logging and reporting
   - GlobalProtect
   - Authentication sequence
   - Kerberos support

37. Client Certificate in Captive Portal
   - Formerly available for SSL VPN and device (admin) authentication; now can be used in the captive portal configuration
   - The client certificate can be configured as the only authentication option; no auth profile required
   - Unlike client certificates for admin authentication, this is transparent to the user
   - Uses the 3.1 "Client Certificate Profile" object

38. Drive-by Download Protection
   - Warn end users about file transfer events
   - New "Continue" file blocking action
   - Customizable response page; the page has a "Continue" button, and if the user clicks it the file transfer proceeds

39. Customizable Brute Force Attack Settings
   - User-defined thresholds for brute force signatures, defined in the profile

40. Custom Combination Signatures
   - Combine multiple signatures to create a custom combination signature
   - Take individual spyware or vulnerability threat IDs and group them into one custom signature
   - Apply thresholds for the number of hits over a specified time period

41. Block IP Action (Blackhole)
   - Block all future traffic from a host after it triggers a security condition: spyware and vulnerability signatures; DoS protection rulebase; zone protection
   - Block time in seconds: max 21600 seconds (6 hours) in the DoS protection rulebase; max 3600 seconds (1 hour) in spyware and vulnerability profiles
   - Block method: based on source IP, or on the source-and-destination IP pair

42. DoS Protection Rulebase
   - Extends the existing DoS protections that are configurable per zone
   - Rules are based on source/destination zone, source/destination IP, country, service and user
   - Two profile types are supported: aggregate (thresholds apply to all traffic matching the rule) and classified (thresholds apply per source IP, per destination IP, or per source-destination pair)
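The three preceding slides describe one mechanism from three angles: a set of threat IDs counted against a threshold over a time window (combination signatures), a blackhole entry with a capped lifetime (Block IP action), and the choice of counting everything together or per source, per destination or per pair (aggregate versus classified). The following is an added example written for this page, not PAN-OS code: the sliding-window counter, the `BlockList` with the 21600/3600 second caps from the Block IP slide, the threat log layout and the threat IDs are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Maximum block time per profile kind, in seconds, as stated on the Block IP slide.
MAX_BLOCK = {"dos": 21600, "threat": 3600}

@dataclass
class CombinationSignature:
    name: str
    member_threat_ids: frozenset   # individual threat IDs grouped into this signature
    threshold: int                 # hits needed ...
    window: int                    # ... within this many seconds
    track_by: str = "source"       # "source", "source-and-destination" (classified) or "aggregate"
    _hits: dict = field(default_factory=lambda: defaultdict(deque))

    def key(self, src, dst):
        if self.track_by == "aggregate":
            return ("*",)
        return (src,) if self.track_by == "source" else (src, dst)

    def observe(self, ts, src, dst, threat_id) -> bool:
        """Record one hit; True when the threshold is reached inside the sliding window."""
        if threat_id not in self.member_threat_ids:
            return False
        q = self._hits[self.key(src, dst)]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop hits that fell out of the window
            q.popleft()
        return len(q) >= self.threshold

class BlockList:
    """Blackhole entries keyed by source IP or by source-and-destination pair, each with an expiry."""
    def __init__(self):
        self.entries = {}

    def block(self, now, src, dst, seconds, profile_kind, method="source"):
        seconds = min(seconds, MAX_BLOCK[profile_kind])   # the configured time is capped per profile kind
        key = (src,) if method == "source" else (src, dst)
        self.entries[key] = max(self.entries.get(key, 0), now + seconds)

    def is_blocked(self, now, src, dst) -> bool:
        return any(now < exp for exp in (self.entries.get((src,)), self.entries.get((src, dst))) if exp is not None)

# Constructed threat log: (epoch seconds, source, destination, threat ID). The IDs are placeholders.
SAMPLE_THREAT_LOG = [
    (1000, "198.51.100.7", "10.0.0.5", "custom-spyware-a"),
    (1010, "198.51.100.7", "10.0.0.5", "vuln-sig-b"),
    (1025, "198.51.100.7", "10.0.0.5", "custom-spyware-a"),
    (1030, "203.0.113.9", "10.0.0.5", "custom-spyware-a"),
    (1400, "198.51.100.7", "10.0.0.6", "vuln-sig-b"),
]

def run(log, sig, blocks, block_seconds=7200, profile_kind="threat"):
    """Feed the log through the signature, blackholing a source whenever it fires.
    Returns the (timestamp, source) pairs at which the signature fired."""
    fired = []
    for ts, src, dst, tid in log:
        if blocks.is_blocked(ts, src, dst):
            continue   # already blackholed: dropped before inspection
        if sig.observe(ts, src, dst, tid):
            fired.append((ts, src))
            blocks.block(ts, src, dst, block_seconds, profile_kind)
    return fired

if __name__ == "__main__":
    members = frozenset({"custom-spyware-a", "vuln-sig-b"})
    bl = BlockList()
    print(run(SAMPLE_THREAT_LOG, CombinationSignature("per-source", members, 3, 60), bl), bl.entries)
    print(run(SAMPLE_THREAT_LOG, CombinationSignature("aggregate", members, 4, 60, track_by="aggregate"), BlockList()))
```

Running it shows the caveat that matters when Block IP is combined with an aggregate profile: with the threshold raised to four hits, the per-source signature never fires, but the aggregate one fires on the fourth hit regardless of who sent it, so the blackole lands on 203.0.113.9, a host that sent a single event. Aggregate thresholds protect the target; classified thresholds are what you want before letting the action block a source. Note also that the 7200-second block requested for a threat profile is cut to the 3600-second cap.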
43. Behavior-based Botnet Detection
   - Collates information from the Traffic, Threat and URL logs to identify potentially botnet-infected hosts
   - A report is generated each day with: the list of suspected infected hosts; a description (why the host is believed to be infected); a confidence level
   - The following (configurable) parameters are used to detect botnets: unknown TCP/UDP; IRC; HTTP traffic to malware sites, recently registered domains, IP domains (URLs addressed by a bare IP address) and dynamic DNS domains
   - Users can configure a query for specific traffic
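As an added example of the collation the slide describes (written for this page, not PAN-OS code), the following grades per-source evidence from a handful of constructed log lines. The simplified comma-separated log layout, the indicator weights and the confidence cut-offs are all assumptions; PAN-OS exposes the indicators as configurable parameters but none of the numbers here are its values, and "recently registered domains" is left out because deciding it needs registration data that a log line alone does not carry.

```python
import re
from collections import defaultdict

# Constructed log lines in a simplified "type,src,dst,app,url-category,url" layout.
SAMPLE_LOGS = """\
traffic,10.1.1.20,198.51.100.5,unknown-tcp,,
traffic,10.1.1.20,198.51.100.6,unknown-udp,,
traffic,10.1.1.20,203.0.113.7,irc,,
url,10.1.1.20,203.0.113.8,web-browsing,malware,http://203.0.113.8/gate.php
url,10.1.1.20,203.0.113.9,web-browsing,dynamic-dns,http://updater.dyn.example/cfg
traffic,10.1.1.31,192.0.2.10,web-browsing,,
url,10.1.1.31,192.0.2.11,web-browsing,business,http://intranet.example/
url,10.1.1.42,203.0.113.10,web-browsing,malware,http://203.0.113.10/a
"""

# Indicator weights (assumed). A malware-site hit is worth more than a single unknown flow.
WEIGHTS = {"unknown-tcp/udp": 1, "irc": 2, "malware-site": 3, "dynamic-dns": 1, "ip-domain": 1}

# URL whose host part is a bare IPv4 address rather than a name.
IP_HOST = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")

def indicators_for(line: str):
    """Map one log line to the botnet indicators it exhibits."""
    kind, src, dst, app, category, url = line.split(",", 5)
    found = []
    if app in ("unknown-tcp", "unknown-udp"):
        found.append("unknown-tcp/udp")
    if app == "irc":
        found.append("irc")
    if category == "malware":
        found.append("malware-site")
    if category == "dynamic-dns":
        found.append("dynamic-dns")
    if url and IP_HOST.match(url):
        found.append("ip-domain")
    return src, found

def botnet_report(logs: str, min_score: int = 3):
    """Collate indicators per source across log types; return suspected hosts with reasons
    and a confidence grade, highest score first."""
    evidence = defaultdict(lambda: defaultdict(int))
    for line in logs.splitlines():
        if not line.strip():
            continue
        src, found = indicators_for(line)
        for indicator in found:
            evidence[src][indicator] += 1
    report = []
    for src, indicators in evidence.items():
        score = sum(WEIGHTS[i] * n for i, n in indicators.items())
        if score < min_score:
            continue
        confidence = "high" if score >= 6 else "medium" if score >= 4 else "low"
        report.append({"host": src, "score": score, "confidence": confidence,
                       "reasons": sorted(f"{i} x{n}" for i, n in indicators.items())})
    report.sort(key=lambda r: -r["score"])
    return report

if __name__ == "__main__":
    for entry in botnet_report(SAMPLE_LOGS):
        print(entry)
```

The shape of the output is the point: a host is listed with the reasons that contributed, so an analyst can see that 10.1.1.20 combines unknown protocols, IRC and a malware-categorised download, while 10.1.1.42 only touched one malware URL and gets a lower grade, and 10.1.1.31 never appears. Weighting by corroborating evidence across log types, rather than alerting on any single indicator, is what keeps a report like this from flagging every host with one unknown UDP flow.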
44. Updated URL Logging
   - Can log just container pages: previously one page view created 26 URL logs; this can now be filtered down to one; uses the Container Page setting in the Device tab
   - Full URL logging: now logs up to 1023 bytes of the URL; the previous maximum was 256

45. SSH Decryption
   - Uses the same approach as SSL decryption; no additional configuration required
   - New "Block if failed to decrypt" option: for user certificates or an unsupported crypto system the connection can now be blocked; previously it would be allowed

46. Authentication Sequence
   - Multiple authentication profiles can be configured; if the first one in the list fails, the next is attempted
   - Can be used to cycle through multiple RADIUS servers or Active Directory forest designs
   - The Authentication Sequence object can be used in the same locations as a regular authentication profile

47. Native Kerberos Authentication
   - The firewall can now authenticate against AD without the use of an agent
   - Can be used like RADIUS or LDAP authentication servers
   - Does not retrieve group membership; an AD agent or LDAP server is still required for that

48. Questions?