Download Palo Alto 4.1 Administrators Guide PDF

Title: Palo Alto 4.1 Administrators Guide
File Size: 4.2 MB
Total Pages: 336
Table of Contents
Preface
	About This Guide
	Organization
	Typographical Conventions
	Notes and Cautions
	Related Documentation
Chapter 1 Introduction
	Firewall Overview
	Features and Benefits
	Management Interfaces
Chapter 2 Getting Started
	Preparing the Firewall
	Setting Up the Firewall
	Using the Firewall Web Interface
		Committing Changes
		Navigating to Configuration Pages
		Using Tables on Configuration Pages
		Required Fields
		Locking Transactions
		Supported Browsers
	Getting Help Configuring the Firewall
		Obtaining More Information
		Technical Support
Chapter 3 Device Management
	System Setup, Configuration, and License Management
		Defining Management Settings
		Defining Operations Settings
		Defining Services Settings
		Defining Content ID Settings
		Defining Session Settings
		SNMP
		Statistics Service
	Comparing Configuration Files
	Installing a License
	Upgrading the PAN-OS Software
		Upgrading with High Availability
	Updating Threat and Application Definitions
	Administrator Roles, Profiles, and Accounts
		Defining Administrator Roles
		Creating Administrative Accounts
		Specifying Access Domains for Administrators
	Authentication Profiles
		Setting Up Authentication Profiles
		Creating a Local User Database
		Configuring RADIUS Server Settings
		Configuring LDAP Server Settings
		Configuring Kerberos Settings (Native Active Directory Authentication)
	Authentication Sequence
		Setting Up Authentication Sequences
	Client Certificate Profiles
	Firewall Logs
		Logging Configuration
			Scheduling Log Exports
			Defining Configuration Log Settings
			Defining System Log Settings
			Defining HIP Match Log Settings
			Defining Alarm Log Settings
			Managing Log Settings
	Configuring SNMP Trap Destinations
	Configuring Syslog Servers
	Configuring Email Notification Settings
	Viewing Alarms
	Configuring Netflow Settings
	Importing, Exporting and Generating Security Certificates
		Encrypting Private Keys and Passwords on the Firewall
	High Availability
		Active/Passive HA
		Active/Active HA
		Packet Flow
		Deployment Options
		NAT Considerations
		Setting Up HA
		Enabling HA on the Firewall
	Virtual Systems
		Communications Among Virtual Systems
		Shared Gateways
			Defining Virtual Systems
			Configuring Shared Gateways
	Defining Custom Response Pages
	Viewing Support Information
Chapter 4 Network Configuration
	Firewall Deployment
		Virtual Wire Deployments
		Layer 2 Deployments
		Layer 3 Deployments
		Tap Mode Deployments
		Defining Virtual Wires
	Firewall Interfaces
		Viewing the Current Interfaces
		Configuring Layer 2 Interfaces
		Configuring Layer 2 Subinterfaces
		Configuring Layer 3 Interfaces
		Configuring Layer 3 Subinterfaces
		Configuring Virtual Wire Interfaces
		Configuring Aggregate Interface Groups
		Configuring Aggregate Ethernet Interfaces
		Configuring VLAN Interfaces
		Configuring Loopback Interfaces
		Configuring Tunnel Interfaces
		Configuring Tap Interfaces
		Configuring HA Interfaces
	Security Zones
		Defining Security Zones
	VLAN Support
	Virtual Routers and Routing Protocols
		Routing Information Protocol
		Open Shortest Path First
		Border Gateway Protocol
		Multicast Routing
		Defining Virtual Routers
	DHCP Server and Relay
	DNS Proxy
	Network Profiles
		Defining Interface Management Profiles
		Defining Zone Protection Profiles
Chapter 5 Policies and Security Profiles
	Policies
		Guidelines on Defining Policies
		Specifying Users and Applications for Policies
		Security Policies
			Defining Security Policies
		NAT Policies
			Determining Zone Configuration in NAT and Security Policy
			NAT Rule Options
			Defining Network Address Translation Policies
			NAT Policy Examples
		Policy-Based Forwarding Policies
		Decryption Policies
		Application Override Policies
			Custom Application Definition with Application Override
			Defining Application Override Policies
		Captive Portal Policies
			Defining Captive Portal Policies
		DoS Protection Policies
			Defining DoS Policies
	Security Profiles
		Antivirus Profiles
		Anti-Spyware Profiles
		Vulnerability Protection Profiles
		URL Filtering Profiles
		File Blocking Profiles
		Data Filtering Profiles
		DoS Profiles
	Other Policy Objects
		Addresses and Address Groups
			Defining Address Ranges
			Defining Address Groups
			Defining Regions
		Applications and Application Groups
			Defining Applications
			Custom Applications with Signatures
			Defining Application Groups
		Application Filters
		Services
		Service Groups
		Data Patterns
		Custom URL Categories
			Defining Data Patterns
		Custom Spyware and Vulnerability Signatures
		Security Profile Groups
		Log Forwarding
		Schedules
Chapter 6 Reports and Logs
	Using the Dashboard
	Using the Application Command Center
	Using App-Scope
		Summary Report
		Change Monitor Report
		Threat Monitor Report
		Threat Map Report
		Network Monitor Report
		Traffic Map Report
	Viewing the Logs
		Viewing Session Information
	Working with Botnet Reports
		Configuring the Botnet Report
		Managing Botnet Reports
	Managing PDF Summary Reports
	Managing User Activity Reports
	Managing Report Groups
	Scheduling Reports for Email Delivery
	Viewing Reports
	Generating Custom Reports
	Identifying Unknown Applications and Taking Action
		Taking Action
		Requesting an App-ID from Palo Alto Networks
		Other Unknown Traffic
	Taking Packet Captures
Chapter 7 Configuring the Firewall for User Identification
	Overview of User Identification
		How User Identification Works
		Identifying Users and Groups
		How User-ID Components Interact
			User-ID Agent
			Terminal Services Agent
			PAN-OS
	User Identification Agents
		Captive Portals
		Configuring the Firewall for User Identification
	Setting Up the User-ID Agent
		Installing the User-ID Agent
		Configuring the User-ID Agent
		Discovering Domain Controllers
		Monitoring User-ID Agent Operation
		Uninstalling and Upgrading the User-ID Agent
	Setting Up the Terminal Services Agent
		Installing or Upgrading the Terminal Server Agent on the Terminal Server
		Configuring the Terminal Server Agent on the Terminal Server
		Uninstalling the Terminal Server Agent on the Terminal Server
Chapter 8 Configuring IPSec Tunnels
	Virtual Private Networks
		IPSec VPNs and SSL-VPNs
		VPN Tunnels
	IPSec and IKE
		IPSec and IKE Crypto Profiles
	Setting Up IPSec VPNs
		Defining IKE Gateways
		Setting Up IPSec Tunnels
		Defining IKE Crypto Profiles
		Defining IPSec Crypto Profiles
		Defining Monitor Profiles
		Viewing IPSec Tunnel Status on the Firewall
	Sample VPN Configuration
		Existing Topology
		New Topology
		Configure the VPN Connection
		VPN Connectivity Troubleshooting
Chapter 9 Configuring GlobalProtect
	Overview
		GlobalProtect Authentication
	Setting Up GlobalProtect
	Setting Up and Activating the GlobalProtect Client
		Setting Up the GlobalProtect Client
Chapter 10 Configuring Quality of Service
	Firewall Support for QoS
		Configuring QoS for Firewall Interfaces
	Defining QoS Profiles
	Defining QoS Policies
	Displaying QoS Statistics
Chapter 11 Panorama Installation
	Overview
	Installing Panorama
	Configuring the Panorama Network Interface
	Logging in to Panorama for the First Time
	Creating an SSL Certificate
	Expanding Panorama Storage Using a Virtual Disk
	Setting Up Storage Partitions
	Configuring HA
		HA Peer Promotion After Failure
Chapter 12 Central Device Management Using Panorama
	Accessing the Panorama Web Interface
	Using the Panorama Interface
		Panorama Tab
	Adding Devices
		Defining Device Groups
	Specifying Access Domains for Administrators
	Working with Policies
	Working with Objects
	Working with Devices
		Panorama Backward Compatibility
	Logging and Reporting
		Generating User Activity Reports
		Performing Comprehensive Configuration Audits
	Viewing Firewall Deployment Information
	Backing Up Firewall Configurations
	Scheduling Configuration Exports
	Upgrading the Panorama Software
Chapter 13 WildFire
	About WildFire
	Setting Up to Use WildFire
		Configuring WildFire Settings on the Firewall
	Using the WildFire Portal
		Configuring Settings on the WildFire Portal
		Viewing WildFire Reports
Appendix A Custom Pages
	Default Antivirus Response Page
	Default Application Block Page
	Default File Blocking Block Page
	Default URL Filtering Response Page
	Default Anti-Spyware Download Response Page
	Default Decryption Opt-out Response Page
	Captive Portal Comfort Page
	URL Filtering Continue and Override Page
	SSL VPN Login Page
	SSL Certificate Revoked Notify Page
Appendix B Application Categories, Subcategories, Technologies, and Characteristics
	Application Categories and Subcategories
	Application Technologies
	Application Characteristics
Appendix C Federal Information Processing Standards Support
Appendix D Open Source Licenses
	Artistic License
	BSD
	GNU General Public License
	GNU Lesser General Public License
	MIT/X11
	OpenSSH
	PSF
	PHP
	Zlib
Index
                        
Document Text Contents
Page 168

Other Policy Objects

168 • Policies and Security Profiles Palo Alto Networks

When the firewall is not able to identify an application using the application ID, the traffic is classified
as unknown: unknown-tcp or unknown-udp. This behavior applies to all unknown applications except
those that fully emulate HTTP. For more information, refer to “Identifying Unknown Applications and
Taking Action” on page 206.
You can create new definitions for unknown applications and then define security policies for the new
application definitions. In addition, applications that require the same security settings can be combined
into application groups to simplify the creation of security policies.

Defining Applications
Objects > Applications

Use the Applications page to add new applications for the firewall to evaluate when applying policies.

Table 85. Application Details (Continued)

Item Description

TCP Timeout (seconds): Timeout for terminating a TCP application flow (1-604800 seconds). To customize this setting, click the Customize link, enter a value (seconds), and click OK.

UDP Timeout (seconds): Timeout for terminating a UDP application flow (1-604800 seconds). To customize this setting, click the Customize link, enter a value (seconds), and click OK.

Table 86. New Application Settings

Field Description

Configuration Tab

Name: Enter the application name (up to 31 characters). This name appears in the applications list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, periods, hyphens, and underscores. The first character must be a letter.

Shared: If the device is in Multiple Virtual System Mode, select this check box to allow the application to be shared by all virtual systems.

Description: Enter an application description (for general reference only).

Category: Select the application category, such as email or database. For a description of each category, refer to “Application Categories and Subcategories” on page 301. The category is used to generate the Top Ten Application Categories chart and is available for filtering (refer to “Using the Application Command Center” on page 185).

Sub Category: Select the application sub category, such as email or database. For a description of each sub category, refer to “Application Categories and Subcategories” on page 301. The sub category is used to generate the Top Ten Application Categories chart and is available for filtering (refer to “Using the Application Command Center” on page 185).

Technology: Select the technology for the application. For a description of each technology, refer to “Application Technologies” on page 303.

Page 169

Parent App: Specify a parent application for this application. This setting applies when a session matches both the parent and the custom applications; however, the custom application is reported because it is more specific.

Risk: Select the risk level associated with this application (1=lowest to 5=highest).

Characteristics: Select the application characteristics that may place the application at risk. For a description of each characteristic, refer to “Application Characteristics” on page 303.

Advanced Tab

Defaults - Port: If the protocol used by the application is TCP and/or UDP, select Port and enter one or more combinations of the protocol and port number (one entry per line). The general format is:
<protocol>/<port>
where the <port> is a single port number, or dynamic for dynamic port assignment.
Examples: TCP/dynamic or UDP/32.
This setting applies when using app-default in the Service column of a security rule.

IP Protocol: To specify an IP protocol other than TCP or UDP, select IP Protocol, and enter the protocol number (1 to 255).

ICMP Type: To specify an Internet Control Message Protocol (ICMP) type, select ICMP Type (for IPv4) or ICMP6 Type (for IPv6), and enter the type number (range 0-255).

None: To specify signatures independent of protocol, select None.

Timeouts: Enter the number of seconds before an idle application flow is terminated (range 0-604800). A zero indicates that the default timeout will be used. This value is used for protocols other than TCP and UDP in all cases and for TCP and UDP timeouts when the TCP timeout and UDP timeout are not specified.

TCP Timeout, UDP Timeout: Enter the number of seconds before an idle TCP or UDP application flow is terminated (range 0-604800). A zero indicates that the default timeout will be used.

Scanning: Select check boxes for the scanning types that you want to allow, based on security profiles (file types, data patterns, and viruses).

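As an added example (not code from the guide or from Palo Alto Networks), the following Python checker encodes the Table 86 constraints so a custom application definition can be linted before it is committed: the Name character rules, the one-per-line <protocol>/<port> format of Defaults - Port, the 0-604800 timeout ranges, and the precedence by which Timeouts, TCP Timeout and UDP Timeout are applied. Function names, the representation of an unspecified timeout as None, and the platform_default parameter (the guide does not state the default value) are assumptions of this example.

```python
import re

# Constraints transcribed from Table 86 (New Application Settings).
# Function and field names are constructed for this example, not a PAN-OS API.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 ._-]{0,30}$")          # 31 chars, letter first
PORT_RE = re.compile(r"^(tcp|udp)/(dynamic|[0-9]{1,5})$", re.IGNORECASE)
MAX_TIMEOUT = 604800                                               # upper bound of each range


def validate_name(name):
    """Name: letters, digits, spaces, periods, hyphens, underscores; first char a letter."""
    return [] if NAME_RE.match(name) else ["invalid name: %r" % name]


def validate_default_ports(entries):
    """Defaults - Port: one <protocol>/<port> per line; port is numeric or 'dynamic'."""
    errors = []
    for line in entries.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PORT_RE.match(line)
        if m is None:
            errors.append("bad port entry: %r" % line)        # e.g. icmp/8 belongs under ICMP Type
        elif m.group(2).lower() != "dynamic" and not 1 <= int(m.group(2)) <= 65535:
            errors.append("port out of range: %r" % line)
    return errors


def validate_timeout(value, field):
    """Timeouts / TCP Timeout / UDP Timeout: 0-604800 seconds, 0 meaning 'use the default'."""
    ok = isinstance(value, int) and 0 <= value <= MAX_TIMEOUT
    return [] if ok else ["%s out of range: %r" % (field, value)]


def effective_timeout(protocol, timeouts=0, tcp_timeout=None, udp_timeout=None,
                      platform_default=None):
    """Resolve the idle timeout for a flow, following the Timeouts row.

    TCP and UDP use their own timeout when it is specified (not None), otherwise
    Timeouts; every other protocol always uses Timeouts. A value of 0 means the
    default applies; that default is an assumed parameter here.
    """
    specific = {"tcp": tcp_timeout, "udp": udp_timeout}.get(protocol.lower())
    chosen = timeouts if specific is None else specific
    return platform_default if chosen == 0 else chosen


if __name__ == "__main__":
    # Constructed sample definition: two default ports, one of them malformed.
    print(validate_name("Custom-App_1"), validate_default_ports("TCP/dynamic\nUDP/32\nicmp/8"))
```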

Page 335

Palo Alto Networks Index • 335

upgrading
Panorama software 286, 287
PAN-OS software 38, 43, 280
schedules 40
threat and application definitions 39
with high availability 39

URL filtering
ACC page 186
continue and override response page 82, 298
defining profiles 155
dynamic categorization 155
list 186
override settings 33
profile settings 155
response pages 82
viewing log 198
viewing logs 51

user account lockout 43
user database, SSL VPN 45
user interface navigation 21
User-ID Agent
captive portal configuration 216
configuring firewall for 215
configuring for Active Directory 219
for Active Directory, about 217
installing for Active Directory 218
overview 211
uninstalling and upgrading for Active Directory 222

V
version, software 184
viewing
devices 280
logs 196
session browser 198
session information 198

virtual routers
and routing protocols 107
configuring 109, 121
defining 109
multicast settings 121
next hop 110
runtime statistics 123

virtual systems
about 77
and policies 77
and security zones 77, 78
communications among 78
defining 77, 80, 81
defining multiple 80
enabling 27
enabling multiple 27
internal traffic flow 78
multiple 78
shared gateway common interface 79
shared gateways 79

virtual wire 86
defining 88
interfaces 98
interfaces, configuring 97

VLANs
and L2 interfaces 100
interfaces, defining 100

VMware ESX(i) 267
VPN
about 230
IPSec and IKE crypto profiles 232
sample configuration 239
setting up tunnels 231
SSL, about 259

VPN tunnels
about 231
IKE 231
manual security keys 231
securing 231
setting up 233, 235

vSphere 267
vulnerability protection profiles 153, 155

W
web interface
committing changes 21
navigation 21
required fields 22
supported browsers 23
using 19
using tables 22

wildcard
custom URL categories 177
patterns for allow and block lists 156

WildFire
about 289
configuring firewall settings 290
configuring settings on the portal 292
dashboard 291
setup tasks 290
using the portal 291
viewing reports 292

WINS servers 124

X
XML API 16

Z
zones
defining 105
in NAT policies 140
in security policies 134, 135
protection profiles 128, 262
