11. November 9, 2011 - Palo Alto Networks COMPANY CONFIDENTIAL
Preface
This preface contains the following sections:
• “About This Guide” in the next section
• “Organization” on page 11
• “Typographical Conventions” on page 13
• “Notes and Cautions” on page 13
• “Related Documentation” on page 13
About This Guide
This guide describes how to administer the Palo Alto Networks firewall using the device’s web
interface.
This guide is intended for system administrators responsible for deploying, operating, and maintaining
the firewall.
Organization
This guide is organized as follows:
• Chapter 1, “Introduction”—Provides an overview of the firewall.
• Chapter 2, “Getting Started”—Describes how to install the firewall.
• Chapter 3, “Device Management”—Describes how to perform basic system configuration and
maintenance for the firewall, including how to configure a pair of firewalls for high availability,
define user accounts, update the software, and manage configurations.
• Chapter 4, “Network Configuration”—Describes how to configure the firewall for your
network, including routing configuration.
• Chapter 5, “Policies and Security Profiles”—Describes how to configure security policies and
profiles by zone, users, source/destination address, and application.
• Chapter 6, “Reports and Logs”—Describes how to view the reports and logs provided with the
firewall.
Palo Alto Networks Preface • 11
• Chapter 7, “Configuring the Firewall for User Identification”—Describes how to configure the
firewall to identify the users who attempt to access the network.
• Chapter 8, “Configuring IPSec Tunnels”—Describes how to configure IP Security (IPSec)
tunnels on the firewall.
• Chapter 9, “Configuring GlobalProtect”—Describes GlobalProtect, which allows secure login
from client systems located anywhere in the world.
• Chapter 10, “Configuring Quality of Service”—Describes how to configure quality of service
(QoS) on the firewall.
• Chapter 11, “Panorama Installation”—Describes how to install the centralized management
system for the Palo Alto Networks firewall.
• Chapter 12, “Central Device Management Using Panorama”—Describes how to use Panorama
to manage multiple firewalls.
• Chapter 13, “WildFire”—Describes how to use WildFire for analysis and reporting on malware
that traverses the firewall.
• Appendix A, “Custom Pages”—Provides HTML code for custom response pages to notify end
users of policy violations or special access conditions.
• Appendix B, “Application Categories, Subcategories, Technologies, and Characteristics”—
Contains a list of the application categories defined by Palo Alto Networks.
• Appendix C, “Federal Information Processing Standards Support”—Describes firewall
support for the Federal Information Processing Standards 140-2.
• Appendix D, “Open Source Licenses”—Includes information on applicable open source licenses.
Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.
boldface: Names of commands, keywords, and selectable items in the web interface. Example: Click Security to open the Security Rules page.
italics: Names of parameters, files, directories, or Uniform Resource Locators (URLs). Example: The address of the Palo Alto Networks home page is http://www.paloaltonetworks.com
courier font: Coding examples and text that you enter at the command prompt. Example: Enter the following command: a:setup
Click: Click the left mouse button. Example: Click Administrators under the Devices tab.
Right-click: Click the right mouse button. Example: Right-click on the number of a rule you want to copy, and select Clone Rule.
Notes and Cautions
This guide uses the following symbols for notes and cautions.
NOTE: Indicates helpful suggestions or supplementary information.
CAUTION: Indicates actions that could cause loss of data.
Related Documentation
The following additional documentation is provided with the firewall:
• Quick Start
• Hardware Reference Guide
• Command Line Interface Reference Guide
Chapter 1
Introduction
This chapter provides an overview of the firewall:
• “Firewall Overview” in the next section
• “Features and Benefits” on page 15
• “Management Interfaces” on page 16
Firewall Overview
The Palo Alto Networks firewall allows you to specify security policies based on a more accurate
identification of each application seeking access to your network. Unlike traditional firewalls that
identify applications only by protocol and port number, the firewall uses packet inspection and a library
of application signatures to distinguish between applications that have the same protocol and port, and
to identify potentially malicious applications that use non-standard ports.
For example, you can define security policies for specific applications, rather than rely on a single
policy for all port 80 connections. For each identified application, you can specify a security policy to
block or allow traffic based on the source and destination zones and addresses (both IPv4 and IPv6
addresses are supported). Each security policy can also specify security profiles to protect against
viruses, spyware, and other threats.
Features and Benefits
The firewall provides granular control over the traffic allowed to access your network. The primary
features and benefits include:
• Application-based policy enforcement—Access control by application is far more effective when
application identification is based on more than just protocol and port number. High risk
applications can be blocked, as well as high risk behavior, such as file-sharing. Traffic encrypted
with the Secure Sockets Layer (SSL) protocol can be decrypted and inspected.
• Threat prevention—Threat prevention services that protect the network from viruses, worms,
spyware, and other malicious traffic can be varied by application and traffic source (refer to
“Security Profiles” on page 150).
• URL filtering—Outbound connections can be filtered to prevent access to inappropriate web sites
(refer to “URL Filtering Profiles” on page 155).
• Traffic visibility—Extensive reports, logs, and notification mechanisms provide detailed visibility
into network application traffic and security events. The Application Command Center in the web
interface identifies the applications with the most traffic and the highest security risk (refer to
“Reports and Logs” on page 183).
• Networking versatility and speed—The firewall can augment or replace your existing firewall,
and can be installed transparently in any network or configured to support a switched or routed
environment. Multi-gigabit speeds and a single-pass architecture provide all services with little or
no impact on network latency.
• GlobalProtect—GlobalProtect provides security for client systems, such as laptops, that are used
in the field by allowing easy and secure login from anywhere in the world.
• Fail-safe operation—High availability support provides automatic failover in the event of any
hardware or software disruption (refer to “Enabling HA on the Firewall” on page 71).
• Malware analysis and reporting—WildFire provides detailed analysis and reporting on malware
that traverses the firewall.
• Easily managed—Each firewall is managed through an intuitive web interface or a command-line
interface (CLI), or all devices can be centrally managed through the Panorama centralized
management system, which has a web interface very similar to the device web interface.
Management Interfaces
The firewall supports the following management interfaces. Refer to “Supported Browsers” on page 23
for a list of supported browsers.
• Web interface—Configuration and monitoring over HTTP or HTTPS from a web browser.
• CLI—Text-based configuration and monitoring over Telnet, Secure Shell (SSH), or the console
port (refer to the PAN-OS Command Line Interface Reference Guide).
• Panorama—Palo Alto Networks product that provides web-based management, reporting, and
logging for multiple firewalls. The Panorama interface is similar to the device web interface, with
additional management functions included. Refer to “Panorama Installation” on page 267 for
instructions on installing Panorama and “Central Device Management Using Panorama” on
page 275 for information on using Panorama.
• Simple Network Management Protocol (SNMP)—Supports RFC 1213 (MIB-II) and RFC 2665
(Ethernet interfaces) for remote monitoring, and generates SNMP traps for one or more trap sinks
(refer to “Configuring SNMP Trap Destinations” on page 55).
• Syslog—Provides message generation for one or more remote syslog servers (refer to
“Configuring Syslog Servers” on page 57).
• XML API—Provides a Representational State Transfer (REST)-based interface to access device
configuration, operational status, reports, and packet captures from the firewall. There is an API
browser available on the firewall at https://<firewall>/api, where <firewall> is the host name or IP
address of the firewall. This link provides help on the parameters required for each type of API
call. An XML API usage guide is available on the DevCenter online community at
http://live.paloaltonetworks.com.
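The guide names only the base URL https://<firewall>/api and the API browser. The following is an added example, not Palo Alto Networks code or text from this guide, of how a client script would build requests against that endpoint and check the responses. The parameter names (type=keygen, type=op, cmd, key) and the <response status="..."> envelope are assumptions drawn from general knowledge of the API rather than from this page, and the two sample responses are constructed. The security-relevant points it shows are masking credentials and API keys before anything is logged, and refusing to treat an error status as an empty result.

```python
# Added example, not Palo Alto Networks code: request building and response
# parsing for the XML API at https://<firewall>/api that the guide mentions.
# The parameter names (type=keygen, type=op, cmd, key) and the
# <response status="..."> envelope are assumptions from general knowledge of
# the API, not from this page; the sample responses below are constructed.
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

SECRET_PARAMS = ("password", "key")   # never write these to logs


def api_url(firewall, params):
    """Build the URL for one API call. 'firewall' is the host name or IP
    address from the guide; params is an ordered mapping of query parameters."""
    return f"https://{firewall}/api/?" + urlencode(params)


def keygen_url(firewall, user, password):
    """Assumed keygen call: exchanges admin credentials for an API key."""
    return api_url(firewall, {"type": "keygen", "user": user, "password": password})


def op_url(firewall, key, cmd_xml):
    """Assumed operational-command call; cmd is an XML fragment."""
    return api_url(firewall, {"type": "op", "cmd": cmd_xml, "key": key})


def redact(params):
    """Copy of params that is safe to log: credentials and API keys masked."""
    return {k: ("***" if k in SECRET_PARAMS else v) for k, v in params.items()}


def parse_response(xml_text):
    """Parse the response envelope and return the <result> element.
    Raises ValueError on any non-success status so an error is never
    silently treated as an empty result."""
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise ValueError(f"unexpected root element <{root.tag}>")
    status = root.get("status")
    if status != "success":
        msg = root.findtext(".//msg") or "no message"
        raise ValueError(f"API call failed (status={status}): {msg}")
    result = root.find("result")
    if result is None:
        raise ValueError("success response without <result>")
    return result


def extract_key(xml_text):
    """Pull the API key out of a keygen response."""
    key = parse_response(xml_text).findtext("key")
    if not key:
        raise ValueError("keygen response carries no key")
    return key


# Constructed sample responses (not captured from a device).
SAMPLE_KEYGEN = ('<response status="success"><result>'
                 '<key>CONSTRUCTED-API-KEY</key></result></response>')
SAMPLE_ERROR = ('<response status="error" code="403"><result>'
                '<msg>Invalid credentials.</msg></result></response>')

if __name__ == "__main__":
    print(redact({"type": "keygen", "user": "admin", "password": "secret"}))
    print(extract_key(SAMPLE_KEYGEN))
```

Keep the API key out of shell history and log files the same way you would the admin password; the redact() step is there so request logging can be enabled without leaking either.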
Chapter 2
Getting Started
This chapter describes how to set up and start using the firewall:
• “Preparing the Firewall” in the next section
• “Setting Up the Firewall” on page 18
• “Using the Firewall Web Interface” on page 19
• “Getting Help Configuring the Firewall” on page 23
Note: Refer to “Panorama Installation” on page 267 for instructions on installing
the Panorama centralized management system.
Preparing the Firewall
Perform the following tasks to prepare the firewall for setup:
1. Mount the firewall in a rack and power it up as described in the Hardware Reference Guide.
2. Register your firewall at https://support.paloaltonetworks.com to obtain the latest software and
App-ID updates, and to activate support or subscriptions with the authorization codes emailed to
you.
3. Obtain an IP address from your network administrator for configuring the management port on the
firewall.
Setting Up the Firewall
To perform the initial firewall setup:
1. Connect your computer to the management port (MGT) on the firewall using an RJ-45 Ethernet
cable.
2. Start your computer. Assign a static IP address to your computer on the 192.168.1.0 network (for
example, 192.168.1.5) with a netmask of 255.255.255.0.
3. Launch a supported web browser and enter https://192.168.1.1.
The browser automatically opens the Palo Alto Networks login page.
4. Enter admin in both the Name and Password fields, and click Login. The system presents a
warning that the default password should be changed. Click OK to continue.
5. On the Device tab, choose Setup and configure the following (for general instructions on
configuring settings in the web interface, refer to “Using the Firewall Web Interface” on page 19):
– On the Management tab under Management Interface Settings, enter the firewall’s IP
address, netmask, and default gateway.
– On the Services tab, enter the IP address of the Domain Name Service (DNS) server. Enter the
IP address or host and domain name of the Network Time Protocol (NTP) server and select
your time zone.
– Click Support on the side menu.
If this is the first Palo Alto Networks firewall for your company, click Register Device to
register the firewall. (If you have already registered a firewall, you have received a user name
and password.)
Click the Activate support using authorization codes link and enter the authorization codes
that have been emailed to you for any optional features. Use a space to separate multiple
authorization codes.
6. Click Administrators under the Devices tab.
7. Click admin.
8. In the New Password and Confirm New Password fields, enter and confirm a case-sensitive
password (up to 15 characters).
9. Click OK to submit the new password.
10. Commit the configuration to put these settings into effect. When the changes are committed, the
firewall will be reachable through the IP address assigned in Step 5. For information on
committing changes, refer to “Committing Changes” on page 21.
Using the Firewall Web Interface
The following conventions apply when using the firewall interface.
• To display the menu items for a general functional category, click the tab, such as Object or
Devices, near the top of the browser window.
• Click an item on the side menu to display a panel.
• To display submenu items, click the icon to the left of an item. To hide submenu items, click
the icon to the left of the item.
• On most configuration pages, you can click Add to create a new item.
• To delete one or more items, select their check boxes and click Delete. In most cases, the system
prompts you to confirm by clicking OK or to cancel the deletion by clicking Cancel.
• On some configuration pages, you can select the check box for an item and click Clone to create a
new item with the same information as the selected item.
• To modify an item, click its underlined link.
• To view help information on a page, click the Help icon in the upper right area of the page.
• To view the current list of tasks, click the Tasks icon in the lower right corner of the page. The Task
Manager window opens to show the list of tasks, along with status, start times, associated
messages, and actions. Use the Show drop-down list to filter the list of tasks.
• On pages that list information you can modify (for example, the Setup page on the Devices tab),
click the icon in the upper right corner of a section to edit the settings.
• After you configure settings, you must click OK or Save to store the changes. When you click OK,
the current “candidate” configuration is updated.
Committing Changes
Click Commit at the top of the web interface to open the commit dialog box.
The following options are available in the commit dialog box. Click the Advanced link, if needed,
to display the options:
– Include Device and Network configuration—Include the device and network configuration
changes in the commit operation.
– Include Shared Object configuration—(Multi-virtual system firewalls only) Include the
shared object configuration changes in the commit operation.
– Include Policy and Objects—(Non-multi-virtual system firewalls only) Include the policy and
object configuration changes in the commit operation.
– Include virtual system configuration—Include all virtual systems or the selected virtual
system in the commit operation.
For more information about committing changes, refer to “Defining Operations Settings” on
page 29.
Navigating to Configuration Pages
Each configuration section in this guide shows the menu path to the configuration page. For example, to
reach the Vulnerability Protection page, choose the Objects tab and then choose Vulnerability
Protection under Security Profiles in the side menu. This is indicated in this guide by the following
path:
Objects > Security Profiles > Vulnerability Protection
Using Tables on Configuration Pages
The tables on configuration pages include sorting and column chooser options. Click a column header
to sort on that column, and click again to change the sort order. Click the arrow to the right of any
column and select check boxes to choose the columns to display.
Required Fields
Required fields are shown with a light yellow background. A message indicating that the field is
required appears when you hover over or click in the field entry area.
Locking Transactions
The web interface provides support for multiple administrators by allowing an administrator to lock a
current set of transactions, thereby preventing configuration changes or commit operations by another
administrator until the lock is removed. The following types of locks are supported:
• Config lock—Blocks other administrators from making changes to the configuration. This type of
lock can be set globally or for a virtual system. It can be removed only by the administrator who set
it or by a superuser on the system.
• Commit Lock—Blocks other administrators from committing changes until all of the locks have
been released. This type of lock prevents collisions that can occur when two administrators are
making changes at the same time and the first administrator finishes and commits changes before
the second administrator has finished. The lock is released when the current changes are
committed, or it can be released manually.
Any administrator can open the lock window to view the current transactions that are locked, along with
a timestamp for each.
To lock a transaction, click the unlocked icon on the top bar to open the Locks dialog box. Click
Take a Lock, select the scope of the lock from the drop-down list, and click OK. Add additional locks
as needed, and then click Close to close the Lock dialog box.
The transaction is locked, and the icon on the top bar changes to a locked icon that shows the number of
locked items in parentheses.
To unlock a transaction, click the locked icon on the top bar to open the Locks window. Click the
icon for the lock that you want to remove, and click Yes to confirm. Click Close to close the Lock
dialog box.
You can arrange to automatically acquire a commit lock by selecting the Automatically acquire
commit lock check box in the Management area of the Device Setup page. Refer to “System Setup,
Configuration, and License Management” on page 26.
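The lock rules above (a config lock is exclusive for its scope and removable only by its owner or a superuser; a commit lock blocks other administrators' commits and is released by the owner's commit; the lock window lists every lock with a timestamp; a commit lock can be acquired automatically on the first change) are modelled below as an added example. It is not PAN-OS code, and the class and method names are hypothetical; the "superusers" set stands in for the superuser role the guide refers to.

```python
# Added example, not PAN-OS code: a model of the config-lock and commit-lock
# rules described above. Names are hypothetical; the "superusers" set stands
# in for the superuser role mentioned in the guide.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Lock:
    kind: str            # "config" or "commit"
    scope: str           # "shared" (global) or a virtual system name such as "vsys1"
    owner: str           # administrator who took the lock
    taken_at: datetime   # timestamp shown in the lock window


class LockError(Exception):
    pass


class LockManager:
    def __init__(self, superusers=()):
        self.superusers = set(superusers)
        self.locks = []
        self.auto_commit_lock = set()   # admins with "Automatically acquire commit lock"

    @staticmethod
    def _scopes_overlap(a, b):
        # A global lock covers every virtual system.
        return a == "shared" or b == "shared" or a == b

    def take_lock(self, admin, kind, scope="shared"):
        if kind not in ("config", "commit"):
            raise ValueError(f"unknown lock type {kind!r}")
        # A config lock is exclusive for its scope; commit locks may coexist.
        if kind == "config":
            for l in self.locks:
                if l.kind == "config" and l.owner != admin and self._scopes_overlap(l.scope, scope):
                    raise LockError(f"config lock on {l.scope} already held by {l.owner}")
        lock = Lock(kind, scope, admin, datetime.now(timezone.utc))
        self.locks.append(lock)
        return lock

    def release_lock(self, admin, lock):
        # Only the owner or a superuser may remove a lock.
        if lock.owner != admin and admin not in self.superusers:
            raise LockError(f"{admin} may not remove {lock.owner}'s {lock.kind} lock")
        self.locks.remove(lock)

    def change_config(self, admin, scope="shared"):
        """A candidate-configuration change: blocked by another admin's config lock."""
        for l in self.locks:
            if l.kind == "config" and l.owner != admin and self._scopes_overlap(l.scope, scope):
                raise LockError(f"configuration locked by {l.owner} ({l.scope})")
        if admin in self.auto_commit_lock and not any(
                l.kind == "commit" and l.owner == admin for l in self.locks):
            self.take_lock(admin, "commit", scope)
        return True

    def commit(self, admin):
        """Commit: blocked while another admin holds a commit lock; on success the
        committing admin's own commit locks are released."""
        for l in self.locks:
            if l.kind == "commit" and l.owner != admin:
                raise LockError(f"commit blocked: {l.owner} holds a commit lock")
        self.locks = [l for l in self.locks if not (l.kind == "commit" and l.owner == admin)]
        return True

    def list_locks(self):
        """What any administrator sees in the lock window."""
        return [(l.kind, l.scope, l.owner, l.taken_at.isoformat()) for l in self.locks]
```

The model makes the two asymmetries explicit: a config lock fails at take time when the scope is already locked, whereas a commit lock is always granted and only bites when someone else tries to commit.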
Supported Browsers
The following web browsers are supported for access to the firewall web interface:
• Internet Explorer 7+
• Firefox 3.6+
• Safari 5+
• Chrome 11+
Getting Help Configuring the Firewall
Use the information in this section to obtain help on using the firewall.
Obtaining More Information
To obtain more information about the firewall, refer to the following:
• General information—Go to http://www.paloaltonetworks.com.
• Online help—Click Help in the upper-right corner of the web interface to access the online help
system.
• Collaborative area for customer/partner interaction to share tips, scripts, and signatures—
Go to https://live.paloaltonetworks.com/community/devcenter.
Technical Support
For technical support, use the following methods:
• Go to the KnowledgePoint online support community at http://live.paloaltonetworks.com
• Go to https://support.paloaltonetworks.com.
Chapter 3
Device Management
This chapter describes how to perform basic system configuration and maintenance for the firewall and
includes overviews of the virtual systems, high availability, and logging functions:
• “System Setup, Configuration, and License Management” in the next section
• “Comparing Configuration Files” on page 37
• “Installing a License” on page 37
• “Upgrading the PAN-OS Software” on page 38
• “Updating Threat and Application Definitions” on page 39
• “Administrator Roles, Profiles, and Accounts” on page 40
• “Authentication Profiles” on page 43
• “Authentication Sequence” on page 48
• “Client Certificate Profiles” on page 49
• “Firewall Logs” on page 50
• “Configuring SNMP Trap Destinations” on page 55
• “Configuring Syslog Servers” on page 57
• “Configuring Email Notification Settings” on page 58
• “Viewing Alarms” on page 59
• “Configuring Netflow Settings” on page 59
• “Importing, Exporting and Generating Security Certificates” on page 60
• “High Availability” on page 63
• “Virtual Systems” on page 77
• “Defining Custom Response Pages” on page 81
• “Viewing Support Information” on page 83
System Setup, Configuration, and License Management
The following sections describe how to define the network settings and manage configurations for the
firewall:
• “Defining Management Settings” in the next section
• “Defining Operations Settings” on page 29
• “Defining Services Settings” on page 31
• “Defining Content ID Settings” on page 32
• “Defining Session Settings” on page 34
Note: Refer to “WildFire” on page 289 for information on configuring the
settings on the WildFire tab.
Defining Management Settings
Device > Setup > Management
The Setup page allows you to configure the firewall for management, operations, services, content
identification, WildFire malware analysis and reporting, and session behavior.
If you do not want to use the management port, you can define a loopback interface and manage the
firewall through the IP address of the loopback interface (refer to “Configuring Loopback Interfaces” on
page 101).
Perform any of the following operations on this page:
• To change the host name or network settings, click Edit on the first table on the page, and specify
the following information.
Table 1. Management Settings

General Settings
Host Name: Enter a host name (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Domain: Enter the Fully Qualified Domain Name (FQDN) of the firewall (up to 31 characters).
Login Banner: Enter custom text that will be displayed on the firewall login page. The text is displayed below the Name and Password fields.
Timezone: Select the time zone of the firewall.
Locale: Select a language for PDF reports from the drop-down list. Refer to “Managing PDF Summary Reports” on page 201.
Time: To set the date and time on the firewall, click Set Time. Enter the current date (YYYY/MM/DD) or click the calendar icon to select a month and day. Enter the current time in 24-hour format (HH:MM:SS).
Serial Number: (Panorama only) Enter the serial number of the firewall.
Geo Location: Enter the latitude (-90.0 to 90.0) and longitude (-180.0 to 180.0) of the firewall.
Automatically acquire commit lock: Automatically apply a commit lock when you change the candidate configuration. For more information, refer to “Locking Transactions” on page 22.
Certificate Expiration Check: Instruct the firewall to create warning messages when on-box certificates near their expiration dates.
Multi Virtual System Capability: To enable the use of multiple virtual systems (if supported on the firewall model), click Edit for Multi Virtual System Capability near the top of the Setup page. Select the check box, and click OK. For more information about virtual systems, refer to “Virtual Systems” on page 77.

Authentication Settings
Authentication Profile: Select the authentication profile to use for administrator access to the firewall. For instructions on configuring authentication profiles, refer to “Setting Up Authentication Profiles” on page 44.
Client Certificate Profile: Select the client certificate profile to use for administrator access to the firewall. For instructions on configuring client certificate profiles, refer to “Client Certificate Profiles” on page 49.
Idle Timeout: Enter the timeout interval (1 - 1440 minutes). A value of 0 means that the management, web, or CLI session does not time out.
# Failed Attempts: Enter the number of failed login attempts that are allowed for the web interface and CLI before the account is locked (1-10, default 0). 0 means that there is no limit.
Lockout Time: Enter the number of minutes that a user is locked out (0-60 minutes) if the number of failed attempts is reached. The default 0 means that there is no limit to the number of attempts.

Panorama Settings
Panorama Server: Enter the IP address of Panorama, the Palo Alto Networks centralized management system (if any). The server address is required to manage the device through Panorama. To remove any policies that Panorama propagates to managed firewalls, click the Disabled Shared Policies link. To move the policies to your local name space before removing them from Panorama, click the Import shared policies from Panorama before disabling check box in the dialog box that opens. Click OK.
Panorama Server 2: If Panorama is operating in high availability (HA) mode, specify the second Panorama system that is part of the HA configuration.
Receive Timeout for connection to Panorama: Enter the timeout for receiving TCP messages from Panorama (1-120 seconds, default 20).
Send Timeout for connection to Panorama: Enter the timeout for sending TCP communications to Panorama (1-120 seconds, default 20).
Retry Count for SSL send to Panorama: Enter the number of retries for attempts to send Secure Sockets Layer (SSL) messages to Panorama (1-64, default 25).

Management Interface Settings
MGT Interface Speed: Configure a data rate and duplex option for the management interface. The choices include 10Mbps, 100Mbps, and 1Gbps at full or half duplex. Use the default auto-negotiate setting to have the firewall determine the interface speed. This setting should match the port settings on the neighboring network equipment.
MGT Interface IP Address: Enter the IP address of the management port. Alternatively, you can use the IP address of a loopback interface for device management. This address is used as the source address for remote logging.
Netmask: Enter the network mask for the IP address, such as “255.255.255.0”.
Default Gateway: Enter the IP address of the default router (must be on the same subnet as the management port).
MGT Interface IPv6 Address: (Optional) Enter the IPv6 address of the management port.
Default IPv6 Gateway: Enter the IPv6 address of the default router (must be on the same subnet as the management port), if you assigned an IPv6 address to the management port.
MGT Interface Services: Select the services enabled on the specified management interface address: HTTP, HTTPS, Telnet, Secure Shell (SSH), and/or ping.
Permitted IPs: Enter the list of IP addresses from which firewall management is allowed.

Logging and Reporting Settings
Log Storage: Specify the percentage of space allocated to each log type on the hard disk. When you change a percent value, the associated disk allocation changes automatically. If the total of all the values exceeds 100%, a message appears on the page in red, and an error message is presented when you attempt to save the settings. If this occurs, readjust the percentages so the total is within the 100% limit. Click OK to save settings and Restore Defaults to restore all of the default settings.
Note: When a log reaches its maximum size, it starts to be overwritten beginning with the oldest entries. If you resize an existing log to be smaller than its current size, the firewall starts immediately to cut down the log when you commit the changes, with the oldest logs removed first.
Max. Rows in User Activity Report: Enter the maximum number of rows that is supported for user activity reports (1-1048576, default 65535).
Number of Versions for Config Audit: Enter the number of configuration audit versions to save before discarding the oldest ones (default 100).
Number of Versions for Config Backups: (Panorama only) Enter the number of configuration backups to save before discarding the oldest ones (default 100).
Stop Traffic when LogDb full: Select the check box if you want traffic through the firewall to stop when the log database is full (default off).
Send Hostname In Syslog: Select the check box to send the device hostname field in syslog messages. When this option is set, syslog messages will contain the hostname of the firewall device in their header.
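Three of the settings in Table 1 gate who can reach the management plane at all: Permitted IPs, # Failed Attempts and Lockout Time. The following added example (not PAN-OS code; class and method names are hypothetical) models those checks as a small login gate so the edge cases in the table are explicit: # Failed Attempts of 0 means no limit, and a Lockout Time of 0 means no lockout even when the attempt count is reached. It assumes Permitted IPs entries may be given in CIDR notation and that an empty list means no source restriction; both are assumptions, not statements from the guide.

```python
# Added example, not PAN-OS code: the management-access checks from Table 1
# (Permitted IPs, # Failed Attempts, Lockout Time) modelled as a login gate.
# Names are hypothetical. Assumptions: Permitted IPs may be CIDR prefixes and
# an empty list means "no source restriction".
import ipaddress
from collections import defaultdict


class AdminLoginGate:
    def __init__(self, permitted_ips, failed_attempts=0, lockout_minutes=0):
        # Ranges as given in Table 1; 0 keeps the guide's meaning of "no limit".
        if not 0 <= failed_attempts <= 10:
            raise ValueError("# Failed Attempts must be 0-10")
        if not 0 <= lockout_minutes <= 60:
            raise ValueError("Lockout Time must be 0-60 minutes")
        self.permitted = [ipaddress.ip_network(p, strict=False) for p in permitted_ips]
        self.max_failed = failed_attempts
        self.lockout_seconds = lockout_minutes * 60
        self.failures = defaultdict(int)   # consecutive failures per account
        self.locked_until = {}             # account -> unix time the lockout ends

    def source_permitted(self, src_ip):
        """Permitted IPs check: evaluated before any credential is looked at."""
        if not self.permitted:
            return True
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.permitted)

    def attempt(self, user, src_ip, password_ok, now):
        """Evaluate one login attempt at unix time 'now'.
        Returns "denied-ip", "locked", "ok" or "failed"."""
        if not self.source_permitted(src_ip):
            return "denied-ip"
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return "locked"                 # lockout still running, even for a good password
        if password_ok:
            self.failures[user] = 0
            self.locked_until.pop(user, None)
            return "ok"
        self.failures[user] += 1
        if self.max_failed and self.failures[user] >= self.max_failed:
            self.failures[user] = 0
            if self.lockout_seconds:
                self.locked_until[user] = now + self.lockout_seconds
                return "locked"
        return "failed"
```

With the defaults in Table 1 (both values 0) the gate never locks an account, which is why a practitioner would set a non-zero pair and restrict Permitted IPs before exposing the management interface beyond a dedicated management network.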
Defining Operations Settings
Device > Setup > Operations
When you change a configuration setting and click OK, the current “candidate” configuration is
updated, not the active configuration. Clicking Commit at the top of the page applies the candidate
configuration to the active configuration, which activates all configuration changes since the last
commit.
This method allows you to review the configuration before activating it. Activating multiple changes
simultaneously helps avoid invalid configuration states that can occur when changes are applied in
real time.
You can save and roll back (restore) the candidate configuration as often as needed and also load,
validate, import, and export configurations. Pressing Save creates a copy of the current candidate
configuration, whereas choosing Commit updates the active configuration with the contents of the
candidate configuration.
Note: It is a good idea to periodically save the configuration settings you have entered by
clicking the Save link in the upper-right corner of the screen.
To manage configurations, select the appropriate configuration management functions, as described in
the following table.
Table 2. Configuration Management Functions
Function Description
Configuration
Management
Validate candidate config Checks the candidate configuration for errors.
Revert to last saved config Restores the last saved candidate configuration from flash memory. The current
candidate configuration is overwritten. An error occurs if the candidate
configuration has not been saved.
Revert to running config Restores the last running configuration. The current running configuration is
overridden.
Note: If the web interface is not available, use the CLI command
debug swm revert. Refer to the PAN-OS Command Line Interface Reference
Guide for details.
Save named configuration Saves the candidate configuration to a file. Enter a file name or select an existing
snapshot file to be overwritten. Note that the current active configuration file (running-
config.xml) cannot be overwritten.
Palo Alto Networks Device Management • 29
30. System Setup, Configuration, and License Management
Table 2. Configuration Management Functions (Continued)
Function Description
Save candidate config Saves the candidate configuration in flash memory (same as clicking Save at the
top of the page).
Load named configuration Loads a candidate configuration from the active configuration (running-
snapshot config.xml) or from a previously imported or saved configuration. Select the
configuration file to be loaded. The current candidate configuration is
overwritten.
Load configuration version Loads a specified version of the configuration.
Export named Exports the active configuration (running-config.xml) or a previously saved or
configuration snapshot imported configuration. Select the configuration file to be exported. You can
open the file and/or save it in any network location.
Export configuration Exports a specified version of the configuration.
version
Import named config Imports a configuration file from any network location. Click Browse and select
snapshot the configuration file to be imported.
Device Operations
Reboot Device To restart the firewall, click Reboot Device. You are logged out and the PAN-OS
software and active configuration are reloaded. Any configuration changes that
have not been saved or committed are lost (refer to “Defining Operations
Settings” on page 29).
Note: If the web interface is not available, use the CLI command
request restart system. Refer to the PAN-OS Command Line Interface Reference
Guide for details.
Restart Data Plane To restart the data functions of the firewall without rebooting, click Restart
Dataplane.
Note: If the web interface is not available, use the CLI command
request restart dataplane. Refer to the PAN-OS Command Line Interface
Reference Guide for details.
Miscellaneous
Custom Logo Click Custom Logo to customize any of the following:
• Login screen
• Main user interface (UI)
• PDF report title page. Refer to “Managing PDF Summary Reports” on
page 201.
• PDF report footer
Click to upload an image file, to preview, or to remove a
previously-uploaded image.
Note the following:
• Supported file types are png, gif, and jpg.
• To return to the default logo, remove your entry and commit.
• The maximum image size for any logo image is 128 KB.
• For the login screen and main user interface options, when you click , the
image is shown as it will be displayed. If necessary, the image is cropped to fit.
For the PDF reports, the images are auto-resized to fit without cropping. In all
cases, the preview shows the recommended image dimensions.
For information on generating PDF reports, refer to “Managing PDF Summary
Reports” on page 201.
SNMP Setup Specify SNMP parameters. Refer to “SNMP” on page 35.
Statistics Service Setup Specify settings for the statistics service. Refer to “Statistics Service” on page 36.
Note: When you click Commit or enter a commit CLI command, all changes made
through the web interface and the CLI since the last commit are activated. To avoid
possible conflicts, use the transaction locking functions as described in “Locking
Transactions” on page 22.
Defining Services Settings
Device > Setup > Services
Use the Services tab to define settings for Domain Name Service (DNS), Network Time Protocol
(NTP), update servers, proxy servers, and service route configuration.
Table 3. Services Settings
Function Description
DNS Select the type of DNS service. This setting is used for all DNS queries initiated
by the firewall in support of FQDN address objects, logging, and device
management. Options include:
• Primary and secondary DNS servers for domain name resolution
• DNS proxy that has been configured on the firewall
Primary DNS Server Enter the IP address or host name of the primary DNS server. The server is used
for DNS queries from the firewall, for example, to find the update server, to
resolve DNS entries in logs, or for FQDN-based address objects.
Secondary DNS Server Enter the IP address or host name of a secondary DNS server to use if the primary
server is unavailable (optional).
Primary NTP Server Enter the IP address or host name of the primary NTP server, if any. If you do not
use NTP servers, you can set the device time manually.
Secondary NTP Server Enter the IP address or host name of a secondary NTP server to use if the primary
server is unavailable (optional).
Update Server This setting represents the IP address or host name of the server used to download
updates from Palo Alto Networks. The current value is
updates.paloaltonetworks.com. Do not change the server name unless
instructed by technical support.
Secure Proxy Server If the device needs to use a proxy server to reach Palo Alto Networks update
services, enter the IP address or host name of the server.
Secure Proxy Port If you specify a proxy server, enter the port.
Secure Proxy User If you specify a proxy server, enter the user name to access the server.
Secure Proxy Password / Confirm Secure Proxy Password If you specify a proxy server, enter and confirm the password for the user to
access the server.
Service Route Configuration Specify how the firewall will communicate with other servers.
Click Service Route Configuration and configure the following:
• To communicate with all external servers through the management interface,
select Use Management Interface for all.
• Choose Select to choose options based on the type of service. Select the source
from the Source Address drop-down list.
Defining Content ID Settings
Device > Setup > Content-ID
Use the Content-ID tab to define settings for URL filtering, data protection, and container pages.
Table 4. Content ID Settings
Function Description
URL Filtering
Dynamic URL Cache Timeout Click Edit and enter the timeout (in hours). This value is used in dynamic URL
filtering to determine the length of time an entry remains in the cache after it is
returned from the URL filtering service. For information on URL filtering, refer
to “URL Filtering Profiles” on page 155.
URL Continue Timeout Specify the interval following a user's “continue” action before the user must
press continue again for URLs in the same category (range 1 - 86400 minutes,
default 15 minutes).
URL Admin Override Timeout Specify the interval after the user enters the admin override password before the
user must re-enter the admin override password for URLs in the same category
(range 1 - 86400 minutes, default 900 minutes).
URL Admin Lockout Timeout Specify the period of time that a user is locked out from attempting to use the
URL Admin Override password following three unsuccessful attempts (1 - 86400
minutes, default 1800 minutes).
x-forwarded-for Include the X-Forwarded-For header that includes the source IP address. When
this option is selected, the firewall examines the HTTP headers for the X-
Forwarded-For header, which a proxy can use to store the original user's source
IP address.
The system takes the value and places Src: x.x.x.x into the Source User field of
the URL logs (where x.x.x.x is the IP address that is read from the header).
Strip-x-forwarded-for Remove the X-Forwarded-For header that includes the source IP address. When
this option is selected, the firewall zeros out the header value before forwarding
the request, and the forwarded packets do not contain internal source IP
information.
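The two X-Forwarded-For options above, modelled as an added example (not Palo Alto Networks code) over a constructed proxied request: one function derives the Src: x.x.x.x value for the Source User field, the other strips the header before forwarding. Taking the leftmost address of a proxy chain and rejecting values that are not valid IP addresses are assumptions of this example, not behaviour the guide states.

```python
import ipaddress
from typing import Dict, Optional, Tuple

XFF = "x-forwarded-for"

def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None

def xff_source_user(headers: Dict[str, str]) -> Optional[str]:
    """Value the URL log's Source User field would carry ('Src: x.x.x.x').
    Assumption, not stated on the page: for a proxy chain 'client, proxy1, ...'
    the leftmost address is taken. Only a syntactically valid IP is accepted,
    because the header is client-supplied and would otherwise let arbitrary
    text into the log field."""
    raw = _get_header(headers, XFF)
    if raw is None:
        return None
    first = raw.split(",")[0].strip()
    try:
        ipaddress.ip_address(first)
    except ValueError:
        return None
    return f"Src: {first}"

def strip_xff(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the headers without X-Forwarded-For, so the forwarded request
    carries no internal source IP information (the Strip option)."""
    return {k: v for k, v in headers.items() if k.lower() != XFF}

def process_request(headers: Dict[str, str], log_xff: bool,
                    strip: bool) -> Tuple[Optional[str], Dict[str, str]]:
    """Apply the two Table 4 options: log the XFF address and/or strip it."""
    source_user = xff_source_user(headers) if log_xff else None
    forwarded = strip_xff(headers) if strip else dict(headers)
    return source_user, forwarded

# Constructed sample: a request as an upstream proxy would hand it to the firewall.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "X-Forwarded-For": "10.1.2.3, 192.0.2.10",
    "User-Agent": "constructed-sample/1.0",
}

if __name__ == "__main__":
    print(process_request(SAMPLE_HEADERS, log_xff=True, strip=True))
```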
URL Admin Override
Settings for URL admin override Specify the settings that are used when a page is blocked by the URL filtering
profile and the Override action is specified. Refer to “URL Filtering Profiles” on
page 155.
Click Add and configure the following settings for each virtual system that you
want to configure for URL admin override.
• Location—Select the virtual system from the drop-down list.
• Password/Confirm Password—Enter the password that the user must enter to
override the block page.
• Server Certificate—Select the server certificate to be used with SSL
communications when redirecting through the specified server.
• Mode—Determines whether the block page is delivered transparently (it
appears to originate at the blocked website) or the user is redirected to the
specified server. If you choose Redirect, enter the IP address for redirection.
Click to delete an entry.
Content-ID Features
Manage Data Protection Add additional protection for access to logs that may contain sensitive
information, such as credit card numbers or social security numbers.
Click Manage Data Protection and configure the following:
• To set a new password if one has not already been set, click Set Password.
Enter and confirm the password.
• To change the password, click Change Password. Enter the old password, and
enter and confirm the new password.
• To delete the password and the data that has been protected, click Delete
Password.
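The URL Admin Override Timeout and URL Admin Lockout Timeout rows of Table 4, and the override password set above, as an added example that is not PAN-OS code: a small state model using the guide's default values (900 and 1800 minutes, three unsuccessful attempts), with time expressed in minutes. Tracking lockout per user and the override per user and category follows the table text; the constant-time password comparison is an addition of this example.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Tuple

OVERRIDE_TIMEOUT_MIN = 900   # URL Admin Override Timeout default
LOCKOUT_TIMEOUT_MIN = 1800   # URL Admin Lockout Timeout default
MAX_FAILURES = 3             # lockout follows three unsuccessful attempts

@dataclass
class AdminOverride:
    password: str
    # (user, category) -> minute of the last successful override
    granted: Dict[Tuple[str, str], int] = field(default_factory=dict)
    failures: Dict[str, int] = field(default_factory=dict)      # consecutive failures
    locked_until: Dict[str, int] = field(default_factory=dict)  # minute lockout ends

    def is_overridden(self, user: str, category: str, now: int) -> bool:
        """True while an earlier override for this category is within the timeout."""
        last = self.granted.get((user, category))
        return last is not None and now - last < OVERRIDE_TIMEOUT_MIN

    def attempt(self, user: str, category: str, supplied: str, now: int) -> str:
        """One override attempt on a block page at minute `now`.
        Returns 'allowed', 'denied' or 'locked'. Lockout is per user and the
        timeout is per user and URL category, as Table 4 describes; the
        constant-time comparison is an addition of this example."""
        if now < self.locked_until.get(user, 0):
            return "locked"
        if self.is_overridden(user, category, now):
            return "allowed"          # still within the timeout, no password needed
        if hmac.compare_digest(supplied.encode(), self.password.encode()):
            self.granted[(user, category)] = now
            self.failures[user] = 0
            return "allowed"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.failures[user] = 0
            self.locked_until[user] = now + LOCKOUT_TIMEOUT_MIN
            return "locked"
        return "denied"

if __name__ == "__main__":
    # Constructed scenario: three bad guesses lock the user for 1800 minutes.
    o = AdminOverride(password="constructed-secret")
    print([o.attempt("alice", "gambling", "bad", t) for t in (0, 1, 2)])
```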