PANOS 4.1 Administrators Guide

Palo Alto Networks
Administrator’s Guide
Release 4.1

11/9/11 Final Review Draft - Palo Alto Networks
COMPANY CONFIDENTIAL

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2007-2011 Palo Alto Networks. All rights reserved.
Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are
the property of their respective owners.
P/N 810-000095-00B

November 9, 2011 - Palo Alto Networks COMPANY CONFIDENTIAL

Table of Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Organization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Typographical Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Notes and Cautions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Chapter 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Firewall Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Features and Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Management Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Chapter 2
Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Preparing the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Setting Up the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Using the Firewall Web Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Committing Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Navigating to Configuration Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Using Tables on Configuration Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Required Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
22
Locking Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
22
Supported Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Getting Help Configuring the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Obtaining More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Palo Alto Networks • 3

Chapter 3
Device Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
System Setup, Configuration, and License Management . . . . . . . . . . . . . . . 26
Defining Management Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Defining Operations Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Defining Services Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Defining Content ID Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Defining Session Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Statistics Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Comparing Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Installing a License. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Upgrading the PAN-OS Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Upgrading with High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Updating Threat and Application Definitions . . . . . . . . . . . . . . . . . . . . . . . . 39
Administrator Roles, Profiles, and Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . 40
Defining Administrator Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Creating Administrative Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Specifying Access Domains for Administrators . . . . . . . . . . . . . . . . . . . . . . . . 43
Authentication Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Setting Up Authentication Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Creating a Local User Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Configuring RADIUS Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Configuring LDAP Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Configuring Kerberos Settings (Native Active Directory Authentication) . . . . 47
Authentication Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Setting Up Authentication Sequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Client Certificate Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Firewall Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Logging Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Scheduling Log Exports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Defining Configuration Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Defining System Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Defining HIP Match Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Defining Alarm Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Managing Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Configuring SNMP Trap Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Configuring Syslog Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Configuring Email Notification Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Viewing Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Configuring Netflow Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Importing, Exporting and Generating Security Certificates . . . . . . . . . . . . . 60
Encrypting Private Keys and Passwords on the Firewall . . . . . . . . . . . . . . . . . . . . 62
High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Active/Passive HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Active/Active HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Packet Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Deployment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
NAT Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Setting Up HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

4 • Palo Alto Networks

Enabling HA on the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Virtual Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Communications Among Virtual Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Shared Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Defining Virtual Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Configuring Shared Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Defining Custom Response Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Viewing Support Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Chapter 4
Network Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Firewall Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Virtual Wire Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Layer 2 Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Layer 3 Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Tap Mode Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Defining Virtual Wires . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
88
Firewall Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Viewing the Current Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Configuring Layer 2 Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Configuring Layer 2 Subinterfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Configuring Layer 3 Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Configuring Layer 3 Subinterfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Configuring Virtual Wire Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Configuring Aggregate Interface Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Configuring Aggregate Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Configuring VLAN Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Configuring Loopback Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Configuring Tunnel Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Configuring Tap Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Configuring HA Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Security Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Defining Security Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
VLAN Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Virtual Routers and Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Routing Information Protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Open Shortest Path First . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Border Gateway Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Multicast Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Defining Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
DHCP Server and Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
DNS Proxy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Network Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Defining Interface Management Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Defining Zone Protection Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128


Chapter 5
Policies and Security Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Guidelines on Defining Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Specifying Users and Applications for Policies . . . . . . . . . . . . . . . . . . . . . . . 133
Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Defining Security Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Determining Zone Configuration in NAT and Security Policy . . . . . . . . . . . . 139
NAT Rule Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Defining Network Address Translation Policies . . . . . . . . . . . . . . . . . . . . . . . 139
NAT Policy Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Policy-Based Forwarding Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Decryption Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Application Override Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Custom Application Definition with Application Override . . . . . . . . . . . . . . . 145
Defining Application Override Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Captive Portal Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Defining Captive Portal Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
DoS Protection Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Defining DoS Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Security Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Antivirus Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Anti-Spyware Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Vulnerability Protection Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
URL Filtering Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
File Blocking Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Data Filtering Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
DoS Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Other Policy Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Addresses and Address Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Defining Address Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Defining Address Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Defining Regions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Applications and Application Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Defining Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Custom Applications with Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Defining Application Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Application Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Service Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Data Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Custom URL Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Defining Data Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Custom Spyware and Vulnerability Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Security Profile Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Log Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182


Chapter 6
Reports and Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Using the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Using the Application Command Center . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Using App-Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Summary Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Change Monitor Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Threat Monitor Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Threat Map Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Network Monitor Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Traffic Map Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Viewing the Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Viewing Session Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Working with Botnet Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Configuring the Botnet Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Managing Botnet Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Managing PDF Summary Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Managing User Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Managing Report Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Scheduling Reports for Email Delivery . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Viewing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Generating Custom Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Identifying Unknown Applications and Taking Action . . . . . . . . . . . . . . . . . 206
Taking Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Requesting an App-ID from Palo Alto Networks . . . . . . . . . . . . . . . . . . . . . . 207
Other Unknown Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Taking Packet Captures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

Chapter 7
Configuring the Firewall for User
Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Overview of User Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
How User Identification Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Identifying Users and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
How User-ID Components Interact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
User-ID Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Terminal Services Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
PAN-OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
User Identification Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Captive Portals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Configuring the Firewall for User Identification . . . . . . . . . . . . . . . . . . . . . . . 215
Setting Up the User-ID Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Installing the User-ID Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Configuring the User-ID Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Discovering Domain Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Monitoring User-ID Agent Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Uninstalling and Upgrading the User-ID Agent . . . . . . . . . . . . . . . . . . . . . . . 222
Setting Up the Terminal Services Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . 222


Installing or Upgrading the Terminal Server Agent on the Terminal Server . 222
Configuring the Terminal Server Agent on the Terminal Server . . . . . . . . . . 223
Uninstalling the Terminal Server Agent on the Terminal Server . . . . . . . . . . 227

Chapter 8
Configuring IPSec Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

Virtual Private Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
IPSec VPNs and SSL-VPNs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
VPN Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
IPSec and IKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
IPSec and IKE Crypto Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Setting Up IPSec VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Defining IKE Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Setting Up IPSec Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Defining IKE Crypto Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Defining IPSec Crypto Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Defining Monitor Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Viewing IPSec Tunnel Status on the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . 239
Sample VPN Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Existing Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
New Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Configure the VPN Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
VPN Connectivity Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

Chapter 9
Configuring GlobalProtect. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
GlobalProtect Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Setting Up GlobalProtect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Setting Up and Activating the GlobalProtect Client . . . . . . . . . . . . . . . . . . 256
Setting Up the GlobalProtect Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Chapter 10
Configuring Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

Firewall Support for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Configuring QoS for Firewall Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Defining QoS Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Defining QoS Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Displaying QoS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

Chapter 11
Panorama Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Installing Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Configuring the Panorama Network Interface . . . . . . . . . . . . . . . . . . . . . . 268


Logging in to Panorama for the First Time . . . . . . . . . . . . . . . . . . . . . . . . . 269
Creating an SSL Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Expanding Panorama Storage Using a Virtual Disk. . . . . . . . . . . . . . . . . . 270
Setting Up Storage Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Configuring HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
HA Peer Promotion After Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Chapter 12
Central Device Management Using
Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

Accessing the Panorama Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Using the Panorama Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Panorama Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Adding Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Defining Device Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Specifying Access Domains for Administrators . . . . . . . . . . . . . . . . . . . . . . 280
Working with Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Working with Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Working with Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Panorama Backward Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Logging and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Generating User Activity Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Performing Comprehensive Configuration Audits . . . . . . . . . . . . . . . . . . . . . . . . . 284
Viewing Firewall Deployment Information . . . . . . . . . . . . . . . . . . . . . . . . . 285
Backing Up Firewall Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Scheduling Configuration Exports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Upgrading the Panorama Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Chapter 13
WildFire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289

About WildFire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Setting Up to Use WildFire. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Configuring WildFire Settings on the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Using the WildFire Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Configuring Settings on the WildFire Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Viewing WildFire Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292

Appendix A
Custom Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Default Antivirus Response Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Default Application Block Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Default File Blocking Block Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Default URL Filtering Response Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Default Anti-Spyware Download Response Page . . . . . . . . . . . . . . . . . . . . . . . . 297
Default Decryption Opt-out Response Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297


Captive Portal Comfort Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
URL Filtering Continue and Override Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
SSL VPN Login Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
SSL Certificate Revoked Notify Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

Appendix B
Application Categories, Subcategories, Technologies, and Characteristics 301
Application Categories and Subcategories . . . . . . . . . . . . . . . . . . . . . . . . 301
Application Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Application Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Appendix C
Federal Information Processing Standards Support . . . . . . . . . . . . . . . . 305

Appendix D
Open Source Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Artistic License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
BSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
GNU General Public License. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
GNU Lesser General Public License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
MIT/X11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
OpenSSH. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
PSF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Zlib . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327


November 9, 2011 - Palo Alto Networks COMPANY CONFIDENTIAL

Preface
This preface contains the following sections:
• “About This Guide” in the next section

• “Organization” on page 11

• “Typographical Conventions” on page 13

• “Notes and Cautions” on page 13

• “Related Documentation” on page 13

About This Guide
This guide describes how to administer the Palo Alto Networks firewall using the device’s web
interface.
This guide is intended for system administrators responsible for deploying, operating, and maintaining
the firewall.

Organization
This guide is organized as follows:
• Chapter 1, “Introduction”—Provides an overview of the firewall.

• Chapter 2, “Getting Started”—Describes how to install the firewall.

• Chapter 3, “Device Management”—Describes how to perform basic system configuration and
maintenance for the firewall, including how to configure a pair of firewalls for high availability,
define user accounts, update the software, and manage configurations.

• Chapter 4, “Network Configuration”—Describes how to configure the firewall for your
network, including routing configuration.

• Chapter 5, “Policies and Security Profiles”—Describes how to configure security policies and
profiles by zone, users, source/destination address, and application.

• Chapter 6, “Reports and Logs”—Describes how to view the reports and logs provided with the
firewall.

Palo Alto Networks Preface • 11

Organization

• Chapter 7, “Configuring the Firewall for User Identification”—Describes how to configure the
firewall to identify the users who attempt to access the network.

• Chapter 8, “Configuring IPSec Tunnels”—Describes how to configure IP Security (IPSec)
tunnels on the firewall.

• Chapter 9, “Configuring GlobalProtect”—Describes GlobalProtect, which allows secure login
from client systems located anywhere in the world.

• Chapter 10, “Configuring Quality of Service”—Describes how to configure quality of service
(QoS) on the firewall.

• Chapter 11, “Panorama Installation”—Describes how to install the centralized management
system for the Palo Alto Networks firewall.

• Chapter 12, “Central Device Management Using Panorama”—Describes how to use Panorama
to manage multiple firewalls.

• Chapter 13, “WildFire”—describes how to use WildFire for analysis and reporting on malware
that traverses the firewall.

• Appendix A, “Custom Pages”—Provides HTML code for custom response pages to notify end
users of policy violations or special access conditions.

• Appendix B, “Application Categories, Subcategories, Technologies, and Characteristics”—
Contains a list of the application categories defined by Palo Alto Networks.

• Appendix C, “Federal Information Processing Standards Support”—Describes firewall
support for the Federal Information Processing Standards 140-2.

• Appendix D, “Open Source Licenses”—Includes information on applicable open source licenses.

12 • Preface Palo Alto Networks

Typographical Conventions

Typographical Conventions

This guide uses the following typographical conventions for special terms and instructions.

Convention Meaning Example
boldface Names of commands, keywords, and Click Security to open the Security Rules
selectable items in the web interface page.
italics Name of parameters, files, directories, or The address of the Palo Alto Networks
Uniform Resource Locators (URLs) home page is
http://www.paloaltonetworks.com
courier font Coding examples and text that you enter Enter the following command:
at the command prompt a:setup
Click Click the left mouse button Click Administrators under the Devices
tab.
Right-click Click the right mouse button. Right-click on the number of a rule you
want to copy, and select Clone Rule.

Notes and Cautions
This guide uses the following symbols for notes and cautions.

Symbol Description
NOTE
Indicates helpful suggestions or supplementary information.

CAUTION
Indicates actions that could cause loss of data.

Related Documentation
The following additional documentation is provided with the firewall:
• Quick Start

• Hardware Reference Guide

• Command Line Interface Reference Guide

Palo Alto Networks Preface • 13

Related Documentation

14 • Preface Palo Alto Networks

Chapter 1
Introduction

This chapter provides an overview of the firewall:
• “Firewall Overview” in the next section

• “Features and Benefits” on page 15

• “Management Interfaces” on page 16

Firewall Overview
The Palo Alto Networks firewall allows you to specify security policies based on a more accurate
identification of each application seeking access to your network. Unlike traditional firewalls that
identify applications only by protocol and port number, the firewall uses packet inspection and a library
of application signatures to distinguish between applications that have the same protocol and port, and
to identify potentially malicious applications that use non-standard ports.
For example, you can define security policies for specific applications, rather than rely on a single
policy for all port 80 connections. For each identified application, you can specify a security policy to
block or allow traffic based on the source and destination zones and addresses (IPv4 and IPv6). Each
security policy can also specify security profiles to protect against viruses, spyware, and other threats.
IPv4 and IPv6 addresses are supported.

Features and Benefits
The firewall provides granular control over the traffic allowed to access your network. The primary
features and benefits include:
• Application-based policy enforcement—Access control by application is far more effective when
application identification is based on more than just protocol and port number. High risk
applications can be blocked, as well as high risk behavior, such as file-sharing. Traffic encrypted
with the Secure Socket Layer (SSL) protocol can be decrypted and inspected.

• Threat prevention—Threat prevention services that protect the network from viruses, worms,
spyware, and other malicious traffic can be varied by application and traffic source (refer to
“Security Profiles” on page 150).

Palo Alto Networks Introduction • 15

Management Interfaces

• URL filtering—Outbound connections can be filtered to prevent access to inappropriate web sites
(refer to “URL Filtering Profiles” on page 155).

• Traffic visibility—Extensive reports, logs, and notification mechanisms provide detailed visibility
into network application traffic and security events. The Application Command Center in the web
interface identifies the applications with the most traffic and the highest security risk (refer to
“Reports and Logs” on page 183).

• Networking versatility and speed—The firewall can augment or replace your existing firewall,
and can be installed transparently in any network or configured to support a switched or routed
environment. Multi-gigabit speeds and a single-pass architecture provide all services with little or
no impact on network latency.

• GlobalProtect—GlobalProtect provides security for client systems, such as laptops, that are used
in the field by allowing easy and secure login from anywhere in the world.

• Fail-safe operation—High availability support provides automatic failover in the event of any
hardware or software disruption (refer to “Enabling HA on the Firewall” on page 71).

• Malware analysis and reporting—WildFire provides detailed analysis and reporting on malware
that traverses the firewall.

• Easily managed—Each firewall is managed through an intuitive web interface or a command-line
interface (CLI), or all devices can be centrally managed through the Panorama centralized
management system, which has a web interface very similar to the device web interface.

Management Interfaces
The firewall supports the following management interfaces. Refer to “Supported Browsers” on page 23
for a list of supported browsers.
• Web interface—Configuration and monitoring over HTTP or HTTPS from a web browser.

• CLI—Text-based configuration and monitoring over Telnet, Secure Shell (SSH), or the console
port (refer to the PAN-OS Command Line Interface Reference Guide).

• Panorama—Palo Alto Networks product that provides web-based management, reporting, and
logging for multiple firewalls. The Panorama interface is similar to the device web interface, with
additional management functions included. Refer to “Panorama Installation” on page 267 for
instructions on installing Panorama and “Central Device Management Using Panorama” on
page 275 for information on using Panorama.

• Simple Network Management Protocol (SNMP)—Supports RFC 1213 (MIB-II) and RFC 2665
(Ethernet interfaces) for remote monitoring, and generates SNMP traps for one or more trap sinks
(refer to “Configuring SNMP Trap Destinations” on page 55).

• Syslog—Provides message generation for one or more remote syslog servers (refer to
“Configuring Syslog Servers” on page 57).

• XML API—Provides a Representational State Transfer (REST)-based interface to access device
configuration, operational status, reports, and packet captures from the firewall. There is an API
browser available on the firewall at https://<firewall>/api, where <firewall> is the host name or IP
address of the firewall. This link provides help on the parameters required for each type of API
call. An XML API usage guide is available on the DevCenter online community at http://
live.paloaltonetworks.com.

16 • Introduction Palo Alto Networks

Chapter 2
Getting Started

This chapter describes how to set up and start using the firewall:
• “Preparing the Firewall” in the next section

• “Setting Up the Firewall” on page 18

• “Using the Firewall Web Interface” on page 19

• “Getting Help Configuring the Firewall” on page 23

Note: Refer to “Panorama Installation” on page 267 for instructions on installing
the Panorama centralized management system.

Preparing the Firewall
Perform the following tasks to prepare the firewall for setup:
1. Mount the firewall in a rack and power it up as described in the Hardware Reference Guide.

2. Register your firewall at https://support.paloaltonetworks.com to obtain the latest software and
App-ID updates, and to activate support or subscriptions with the authorization codes emailed to
you.

3. Obtain an IP address from your network administrator for configuring the management port on the
firewall.

Palo Alto Networks Getting Started • 17

Setting Up the Firewall

Setting Up the Firewall
To perform the initial firewall setup:
1. Connect your computer to the management port (MGT) on the firewall using an RJ-45 Ethernet
cable.

2. Start your computer. Assign a static IP address to your computer on the 192.168.1.0 network (for
example, 192.168.1.5) with a netmask of 255.255.255.0.

3. Launch a supported web browser and enter https://192.168.1.1.

The browser automatically opens the Palo Alto Networks login page.

4. Enter admin in both the Name and Password fields, and click Login. The system presents a
warning that the default password should be changed. Click OK to continue.

5. On the Device tab, choose Setup and configure the following (for general instructions on
configuring settings in the web interface, refer to “Using the Firewall Web Interface” on page 19):

– On the Management tab under Management Interface Settings, enter the firewall’s IP
address, netmask, and default gateway.

– On the Services tab, enter the IP address of the Domain Name Service (DNS) server. Enter the
IP address or host and domain name of the Network Time Protocol (NTP) server and select
your time zone.

– Click Support on the side menu.
If this is the first Palo Alto Networks firewall for your company, click Register Device to
register the firewall. (If you have already registered a firewall, you have received a user name
and password.)
Click the Activate support using authorization codes link and enter the authorization codes
that have been emailed to you for any optional features. Use a space to separate multiple
authorization codes.

6. Click Administrators under the Devices tab.

7. Click admin.

8. In the New Password and Confirm New Password fields, enter and confirm a case-sensitive
password (up to 15 characters).

9. Click OK to submit the new password.

10. Commit the configuration to put these settings into effect. When the changes are committed, the
firewall will be reachable through the IP address assigned in Step 5. For information on
committing changes, refer to “Committing Changes” on page 21.

18 • Getting Started Palo Alto Networks

Using the Firewall Web Interface

The following conventions apply when using the firewall interface.
• To display the menu items for a general functional category, click the tab, such as Object or
Devices, near the top of the browser window.

• Click an item on the side menu to display a panel.

• To display submenu items, click the icon to the left of an item. To hide submenu items, click
the icon to the left of the item.

• On most configuration pages, you can click Add to create a new item.

• To delete one or more items, select their check boxes and click Delete. In most cases, the system
prompts you to confirm by clicking OK or to cancel the deletion by clicking Cancel.

• On some configuration pages, you can select the check box for an item and click Clone to create a
new item with the same information as the selected item.



• To modify an item, click its underlined link.

• To view help information on a page, click the Help icon in upper right area of the page.

• To view the current list of tasks, click the Tasks icon in the lower right corner of the page. The Task
Manager window opens to show the list of tasks, along with status, start times, associated
messages, and actions. Use the Show drop-down list to filter the list of tasks.

• On pages that list information you can modify (for example, the Setup page on the Devices tab),
click the icon in the upper right corner of a section to edit the settings.

• After you configure settings, you must click OK or Save to store the changes. When you click OK,
the current “candidate” configuration is updated.



Committing Changes
Click Commit at the top of the web interface to open the commit dialog box.

The following options are available in the commit dialog box. Click the Advanced link, if needed,
to display the options:

– Include Device and Network configuration—Include the device and network configuration
changes in the commit operation.

– Include Shared Object configuration—(Multi-virtual system firewalls only) Include the
shared object configuration changes in the commit operation.

– Include Policy and Objects—(Non-multi-virtual system firewalls only) Include the policy and
object configuration changes in the commit operation.

– Include virtual system configuration—Include all virtual systems or the selected virtual
system in the commit operation.

For more information about committing changes, refer to “Defining Operations Settings” on
page 29.

Navigating to Configuration Pages
Each configuration section in this guide shows the menu path to the configuration page. For example, to
reach the Vulnerability Protection page, choose the Objects tab and then choose Vulnerability
Protection under Security Profiles in the side menu. This is indicated in this guide by the following
path:

Objects > Security Profiles > Vulnerability Protection



Using Tables on Configuration Pages
The tables on configuration pages include sorting and column chooser options. Click a column header
to sort on that column, and click again to change the sort order. Click the arrow to the right of any
column and select check boxes to choose the columns to display.

Required Fields
Required fields are shown with a light yellow background. A message indicating that the field is
required appears when you hover over or click in the field entry area.

Locking Transactions
The web interface provides support for multiple administrators by allowing an administrator to lock a
current set of transactions, thereby preventing configuration changes or commit operations by another
administrator until the lock is removed. The following types of locks are supported:
• Config lock—Blocks other administrators from making changes to the configuration. This type of
lock can be set globally or for a virtual system. It can be removed only by the administrator who set
it or by a superuser on the system.

• Commit Lock—Blocks other administrators from committing changes until all of the locks have
been released. This type of lock prevents collisions that can occur when two administrators are
making changes at the same time and the first administrator finishes and commits changes before
the second administrator has finished. The lock is released when the current changes are
committed, or it can be released manually.

Any administrator can open the lock window to view the current transactions that are locked, along with
a timestamp for each.
To lock a transaction, click the unlocked icon on the top bar to open the Locks dialog box. Click
Take a Lock, select the scope of the lock from the drop-down list, and click OK. Add additional locks
as needed, and then click Close to close the Lock dialog box.
The transaction is locked, and the icon on the top bar changes to a locked icon that shows the number of
locked items in parentheses.


Getting Help Configuring the Firewall

To unlock a transaction, click the locked icon on the top bar to open the Locks window. Click the
icon for the lock that you want to remove, and click Yes to confirm. Click Close to close the Lock
dialog box.
You can arrange to automatically acquire a commit lock by selecting the Automatically acquire
commit lock check box in the Management area of the Device Setup page. Refer to “System Setup,
Configuration, and License Management” on page 26.

Supported Browsers
The following web browsers are supported for access to the firewall web interface:
• Internet Explorer 7+

• Firefox 3.6+

• Safari 5+

• Chrome 11+

Use the information in this section to obtain help on using the firewall.

Obtaining More Information
To obtain more information about the firewall, refer to the following:
• General information—Go to http://www.paloaltonetworks.com.

• Online help—Click Help in the upper-right corner of the web interface to access the online help
system.

• Collaborative area for customer/partner interaction to share tips, scripts, and signatures—
Go to https://live.paloaltonetworks.com/community/devcenter.

Technical Support
For technical support, use the following methods:
• Go to the KnowledgePoint online support community at http://live.paloaltonetworks.com

• Go to https://support.paloaltonetworks.com.


Chapter 3
Device Management

This chapter describes how to perform basic system configuration and maintenance for the firewall and
includes overviews of the virtual systems, high availability, and logging functions:
• “System Setup, Configuration, and License Management” in the next section

• “Comparing Configuration Files” on page 37

• “Installing a License” on page 37

• “Upgrading the PAN-OS Software” on page 38

• “Updating Threat and Application Definitions” on page 39

• “Administrator Roles, Profiles, and Accounts” on page 40

• “Authentication Profiles” on page 43

• “Authentication Sequence” on page 48

• “Client Certificate Profiles” on page 49

• “Firewall Logs” on page 50

• “Configuring SNMP Trap Destinations” on page 55

• “Configuring Syslog Servers” on page 57

• “Configuring Email Notification Settings” on page 58

• “Viewing Alarms” on page 59

• “Configuring Netflow Settings” on page 59

• “Importing, Exporting and Generating Security Certificates” on page 60

• “High Availability” on page 63

• “Virtual Systems” on page 77

• “Defining Custom Response Pages” on page 81

• “Viewing Support Information” on page 83

Palo Alto Networks Device Management • 25

System Setup, Configuration, and License Management

The following sections describe how to define the network settings and manage configurations for the
firewall:
• “Defining Management Settings” in the next section

• “Defining Operations Settings” on page 29

• “Defining Services Settings” on page 31

• “Defining Content ID Settings” on page 32

• “Defining Session Settings” on page 34

Note: Refer to “WildFire” on page 289 for information on configuring the
settings on the WildFire tab.

Defining Management Settings
Device > Setup > Management

The Setup page allows you to configure the firewall for management, operations, services, content
identification, WildFire malware analysis and reporting, and session behavior.
If you do not want to use the management port, you can define a loopback interface and manage the
firewall through the IP address of the loopback interface (refer to “Configuring Loopback Interfaces” on
page 101).
Perform any of the following operations on this page:
• To change the host name or network settings, click Edit on the first table on the page, and specify
the following information.

Table 1. Management Settings
Item Description
General Settings
Host Name Enter a host name (up to 31 characters). The name is case-sensitive and must be
unique. Use only letters, numbers, spaces, hyphens, and underscores.
Domain Enter the Fully Qualified Domain Name (FQDN) of the firewall (up to 31
characters).
Login Banner Enter custom text that will be displayed on the firewall login page. The text is
displayed below the Name and Password fields.
Timezone Select the time zone of the firewall.
Locale Select a language for PDF reports from the drop-down list. Refer to “Managing
PDF Summary Reports” on page 201.

26 • Device Management Palo Alto Networks


Table 1. Management Settings (Continued)
Item Description
Time To set the date and time on the firewall, click Set Time. Enter the current date in
(YYYY/MM/DD) or click the calendar icon to select a month and day. Enter
the current time in 24-hour format (HH:MM:SS).
Serial Number (Panorama only) Enter the serial number of the firewall.
Geo Location Enter the latitude (-90.0 to 90.0) and longitude (-180.0 to 180.0) of the firewall.
Automatically acquire Automatically apply a commit lock when you change the candidate
commit lock configuration. For more information, refer to “Locking Transactions” on page 22.

Certificate Expiration Instruct the firewall to create warning messages when on-box certificates near
Check their expiration dates.
Multi Virtual System To enable the use of multiple virtual systems (if supported on the firewall model),
Capability click Edit for Multi Virtual System Capability near the top of the Setup page.
Select the check box, and click OK. For more information about virtual systems,
refer to “Virtual Systems” on page 77.

Authentication
Settings
Authentication Profile Select the authentication profile to use for administrator access to the firewall.
For instructions on configuring authentication profiles, refer to “Setting Up
Authentication Profiles” on page 44.
Client Certificate Profile Select the client certificate profile to use for administrator access to the firewall.
For instructions on configuring client certificate profiles, refer to “Client
Certificate Profiles” on page 49.
Enter the timeout interval (1 - 1440 minutes). A value of 0 means that the
Idle Timeout
management, web, or CLI session does not time out.
Enter the number of failed login attempts that are allowed for the web interface
# Failed Attempts and CLI before the account is locked. (1-10, default 0). 0 means that there is no
limit.
Enter the number of minutes that a user is locked out (0-60 minutes) if the
Lockout Time number of failed attempts is reached. The default 0 means that there is no limit to
the number of attempts.

Panorama Settings
Panorama Server Enter the IP address of Panorama, the Palo Alto Networks centralized
management system (if any). The server address is required to manage the device
through Panorama.
To remove any policies that Panorama propagates to managed firewalls, click the
Disabled Shared Policies link. To move the policies to your local name space
before removing them from Panorama, click the Import shared policies from
Panorama before disabling check box in the dialog box that opens. Click OK.
Panorama Server 2 If Panorama is operating in high availability (HA) mode, specify the second
Panorama system that is part of the HA configuration.
Receive Timeout for Enter the timeout for receiving TCP messages from Panorama (1-120 seconds,
connection to Panorama default 20).
Send Timeout for Enter the timeout for sending TCP communications to Panorama (1-120 seconds,
connection to Panorama default 20).



Item Description
Retry Count for SSL send Enter the number of retries for attempts to send Secure Socket Layer (SSL)
to Panorama messages to Panorama (1-64, default 25).

Management
Interface Settings
MGT Interface Speed Configure a data rate and duplex option for the management interface. The
choices include 10Mbps, 100Mbps, and 1Gbps at full or half duplex. Use the
default auto-negotiate setting to have the firewall determine the interface speed.
This setting should match the port settings on the neighboring network
equipment.
MGT Interface IP Address Enter the IP address of the management port. Alternatively, you can use the IP
address of a loopback interface for device management. This address is used as
the source address for remote logging.
Netmask Enter the network mask for the IP address, such as “255.255.255.0”.
Default Gateway Enter the IP address of the default router (must be on the same subnet as the
management port).
MGT Interface IPv6 (Optional) Enter the IPv6 address of the management port.
Address
Default IPv6 Gateway Enter the IPv6 address of the default router (must be on the same subnet as the
management port), if you assigned an IPv6 address to the management port.
MGT Interface Services Select the services enabled on the specified management interface address:
HTTP, HTTPS, Telnet, Secure Shell (SSH), and/or ping.
Permitted IPs Enter the list of IP addresses from which firewall management is allowed.

Logging and
Reporting Settings
Log Storage Specify the percentage of space allocated to each log type on the hard disk.
When you change a percent value, the associated disk allocation changes
automatically. If the total of all the values exceeds 100%, a message appears on
the page in red, and an error message is presented when you attempt to save the
settings. If this occurs, readjust the percentages so the total is within the 100%
limit.
Click OK to save settings and Restore Defaults to restore all of the default
settings.
Note: When a log reaches its maximum size, it starts to be overwritten beginning
with the oldest entries. If you resize an existing log to be smaller than its current
size, the firewall starts immediately to cut down the log when you commit the
changes, with the oldest logs removed first.
Max. Rows in User Enter the maximum number of rows that is supported for user activity reports (1-
Activity Report 1048576, default 65535).
Number of Versions for Enter the number of configuration audit versions to save before discarding the
Config Audit oldest ones (default 100).
Number of Versions for (Panorama only) Enter the number of configuration backups to save before
Config Backups discarding the oldest ones (default 100).
Stop Traffic when LogDb Select the check box if you want traffic through the firewall to stop when the log
full database is full (default off).



Item Description
Select the check box to send the device hostname field in syslog messages.
Send Hostname In Syslog
When this option is set, syslog messages will contain the hostname of the firewall
device in their header.

Defining Operations Settings
Device > Setup > Operations

When you change a configuration setting and click OK, the current “candidate” configuration is
updated, not the active configuration. Clicking Commit at the top of the page applies the candidate
configuration to the active configuration, which activates all configuration changes since the last
commit.
This method allows you to review the configuration before activating it. Activating multiple changes
simultaneously helps avoid invalid configuration states that can occur when changes are applied in real-
time.
You can save and roll back (restore) the candidate configuration as often as needed and also load,
validate, import, and export configurations. Pressing Save creates a copy of the current candidate
configuration, whereas choosing Commit updates the active configuration with the contents of the
candidate configuration.

Note: It is a good idea to periodically save the configuration settings you have entered by
clicking the Save link in the upper-right corner of the screen.

To manage configurations, select the appropriate configuration management functions, as described in
the following table.

Table 2. Configuration Management Functions
Function Description
Configuration
Management
Validate candidate config Checks the candidate configuration for errors.
Revert to last saved config Restores the last saved candidate configuration from flash memory. The current
candidate configuration is overwritten. An error occurs if the candidate
configuration has not been saved.
Revert to running config Restores the last running configuration. The current running configuration is
overridden.
Note: If the web interface is not available, use the CLI command
debug swm revert. Refer to the PAN-OS Command Line Interface Reference
Guide for details.
Save named configuration Saves the candidate configuration to a file. Enter a file name or select an existing
snapshot file to be overwritten. Note that the current active configuration file (running-
config.xml) cannot be overwritten.



Table 2. Configuration Management Functions (Continued)
Save candidate config Saves the candidate configuration in flash memory (same as clicking Save at the
top of the page).
Load named configuration Loads a candidate configuration from the active configuration (running-
snapshot config.xml) or from a previously imported or saved configuration. Select the
configuration file to be loaded. The current candidate configuration is
overwritten.
Load configuration version Loads a specified version of the configuration.
Export named Exports the active configuration (running-config.xml) or a previously saved or
configuration snapshot imported configuration. Select the configuration file to be exported. You can
open the file and/or save it in any network location.
Export configuration Exports a specified version of the configuration.
version
Import named config Imports a configuration file from any network location. Click Browse and select
snapshot the configuration file to be imported.

Device Operations
Reboot Device To restart the firewall, click Reboot Device. You are logged out and the PAN-OS
software and active configuration are reloaded. Any configuration changes that
have not been saved or committed are lost (refer to “Defining Operations
Settings” on page 29).
request restart system. Refer to the PAN-OS Command Line Interface Reference
Guide for details.
Restart Data Plane To restart the data functions of the firewall without rebooting, click Restart
Dataplane.
request restart dataplane. Refer to the PAN-OS Command Line Interface
Reference Guide for details.



Table 2. Configuration Management Functions (Continued)
Miscellaneous
Custom Logo Click Custom Logo to customize any of the following:
• Login screen
• Main user interface (UI)
• PDF report title page. Refer to “Managing PDF Summary Reports” on
page 201.
• PDF report footer
Click to upload an image file, to preview, or to remove a
previously-uploaded image.
Note the following:
• Supported file types are png, gif, and jpg.
• To return to the default logo, remove your entry and commit.
• The maximum image size for any logo image is 128 KB.
• For the login screen and main user interface options, when you click , the
image is shown as it will be displayed. If necessary, the image is cropped to fit.
For the PDF reports, the images are auto-resized to fit without cropping. In all
cases, the preview shows the recommended image dimensions.
For information on generating PDF reports, refer to “Managing PDF Summary
Reports” on page 201.
SNMP Setup Specify SNMP parameters. Refer to “SNMP” on page 35.
Statistics Service Setup Specify settings for the statistics service. Refer to “Statistics Service” on page 36.

Note: When you click Commit or enter a commit CLI command, all changes made
through the web interface and the CLI since the last commit are activated. To avoid
possible conflicts, use the transaction locking functions as described in “Locking
Transactions” on page 22.

Defining Services Settings
Device > Setup > Services

Use the Services tab to define settings for Domain Name Service (DNS), Network Time Protocol
(NTP), update servers, proxy servers, and service route configuration.

Table 3. Services Settings
DNS Select the type of DNS service. This setting is used for all DNS queries initiated
by the firewall in support of FQDN address objects, logging, and device
management. Options include:
• Primary and secondary DNS servers for domain name resolution
• DNS proxy that has been configured on the firewall



Table 3. Services Settings (Continued)
Primary DNS Server Enter the IP address or host name of the primary DNS server. The server is used
for DNS queries from the firewall, for example, to find the update server, to
resolve DNS entries in logs, or for FDQN-based address objects.
Enter the IP address or host name of a secondary DNS server to use if the primary
Secondary DNS Server
server is unavailable (optional).
Enter the IP address or host name of the primary NTP server, if any. If you do not
Primary NTP Server
use NTP servers, you can set the device time manually.
Enter the IP address or host name of secondary NTP servers to use if the primary
Secondary NTP Server
server is unavailable (optional).
This setting represents the IP address or host name of the server used to download
updates from Palo Alto Networks. The current value is
Update Server
updates.paloaltonetworks.com. Do not change the server name unless
instructed by technical support.
If the device needs to use a proxy server to reach Palo Alto Networks update
Secure Proxy Server
services, enter the IP address or host name of the server.
Secure Proxy Port If you specify a proxy server, enter the port.
Secure Proxy User If you specify a proxy server, enter the user name to access the server.
Secure Proxy Password If you specify a proxy server, enter and confirm the the password for the user to
Confirm Secure Proxy access the server.
Password
Service Route Specify how the firewall will communicate with other servers.
Configuration Click Service Route Configuration and configure the following:
• To communicate with all external servers through the management interface,
select Use Management Interface for all.
• Choose Select to choose options based on the type of service. Select the source
from the Source Address drop-down list.

Defining Content ID Settings
Device > Setup > Content-ID

Use the Content-ID tab to define settings for URL filtering, data protection, and container pages.

Table 4. Content ID Settings
URL Filtering
Dynamic URL Cache Click Edit and enter the timeout (in hours). This value is used in dynamic URL
Timeout filtering to determine the length of time an entry remains in the cache after it is
returned from the URL filtering service. For information on URL filtering, refer
to “URL Filtering Profiles” on page 155.
URL Continue Timeout Specify the interval following a user's “continue” action before the user must
press continue again for URLs in the same category (range 1 - 86400 minutes,
default 15 minutes).



Table 4. Content ID Settings (Continued)
URL Admin Override Specify the interval after the user enters the admin override password before the
Timeout user must re-enter the admin override password for URLs in the same category
(range 1 - 86400 minutes, default 900 minutes).
URL Admin Lockout Specify the period of time that a user is locked out from attempting to use the
Timeout URL Admin Override password following three unsuccessful attempts (1 - 86400
minutes, default 1800 minutes).
x-forwarded-for Include the X-Forwarded-For header that includes the source IP address. When
this option is selected, the firewall examines the HTTP headers for the X-
Forwarded-For header, which a proxy can use to store the original user's source
IP address.
The system takes the value and places Src: x.x.x.x into the Source User field of
the URL logs (where x.x.x.x is the IP address that is read from the header).
Strip-x-forwarded-for Remove the X-Forwarded-For header that includes the source IP address. When
this option is selected, the firewall zeros out the header value before forwarding
the request, and the forwarded packets do not contain internal source IP
information.

URL Admin Override
Settings for URL admin Specify the settings that are used when a page is blocked by the URL filtering
override profile and the Override action is specified. Refer to “URL Filtering Profiles” on
page 155.
Click Add and configure the following settings for each virtual system that you
want to configure for URL admin override.
• Location—Select the virtual system from the drop-down list.
• Password/Confirm Password—Enter the password that the user must enter to
override the block page.
• Server Certificate—Select the server certificate to be used with SSL commu-
nications when redirecting through the specified server.
• Mode—Determines whether the block page is delivered transparently (it
appears to originate at the blocked website) or redirected to the user to the spec-
ified server. If you choose Redirect, enter the IP address for redirection.
Click to delete an entry.

Content-ID Features
Manage Data Protection Add additional protection for access to logs that may contain sensitive
information, such as credit card numbers or social security numbers.
Click Manage Data Protection and configure the following:
• To set a new password if one has not already been set, click Set Password.
Enter and confirm the password.
• To change the password, click Change Password. Enter the old password, and
enter and confirm the new password.
• To delete the password and the data that has been protected, click Delete Pass-
word.


PANOS 4.1 Administrators Guide

PANOS 4.1 Administrators Guide

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (19)

Similar a PANOS 4.1 Administrators Guide

Similar a PANOS 4.1 Administrators Guide (20)

Más de Altaware, Inc.

Más de Altaware, Inc. (20)

Último

Último (20)

PANOS 4.1 Administrators Guide