PAN-OS-6.0-web-interface-ref (1).pdf

Jan 14, 2016

Palo Alto Networks Web Interface Reference Guide, Release 6.0

4/27/15 Final Review Draft - Palo Alto Networks COMPANY CONFIDENTIAL

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2007-2015 Palo Alto Networks. All rights reserved. Palo Alto Networks and PAN-OS are registered trademarks of Palo Alto Networks, Inc.

Revision Date: April 27, 2015


Table of Contents

Preface ..... 11
  About This Guide ..... 11
  Organization ..... 11
  Typographical Conventions ..... 13
  Notes and Cautions ..... 13
  Related Documentation ..... 13

Chapter 1 Introduction ..... 15
  Firewall Overview ..... 15
  Features and Benefits ..... 16
  Management Interfaces ..... 17

Chapter 2 Getting Started ..... 19
  Preparing the Firewall ..... 19
  Setting Up the Firewall ..... 19
  Using the Firewall Web Interface ..... 21
    Committing Changes ..... 23
    Navigating to Configuration Pages ..... 24
    Using Tables on Configuration Pages ..... 24
    Required Fields ..... 24
    Locking Transactions ..... 25
    Supported Browsers ..... 25
  Getting Help Configuring the Firewall ..... 26
    Obtaining More Information ..... 26
    Technical Support ..... 26

Chapter 3 Device Management ..... 27
  System Setup, Configuration, and License Management ..... 28
    Defining Management Settings ..... 28
    Defining Operations Settings ..... 37
    Defining Hardware Security Modules ..... 41


    SNMP ..... 44
    Defining Services Settings ..... 45
    Defining Content-ID Settings ..... 48
    Configuring WildFire Settings ..... 50
    Defining Session Settings ..... 52
    Comparing Configuration Files ..... 55
    Installing a License ..... 56
    Defining VM Information Sources ..... 57
    Installing the Software ..... 59
    Updating Threat and Application Definitions ..... 60
  Administrator Roles, Profiles, and Accounts ..... 62
    Defining Administrator Roles ..... 62
    Defining Password Profiles ..... 63
      Username and Password Requirements ..... 65
    Creating Administrative Accounts ..... 65
    Specifying Access Domains for Administrators ..... 68
    Setting Up Authentication Profiles ..... 68
    Creating a Local User Database ..... 71
    Adding Local User Groups ..... 72
    Configuring RADIUS Server Settings ..... 72
    Configuring LDAP Server Settings ..... 73
    Configuring Kerberos Settings (Native Active Directory Authentication) ..... 73
    Setting Up an Authentication Sequence ..... 74
    Scheduling Log Exports ..... 75
    Defining Logging Destinations ..... 76
    Defining Configuration Log Settings ..... 78
    Defining System Log Settings ..... 78
    Defining HIP Match Log Settings ..... 79
    Defining Alarm Log Settings ..... 79
    Managing Log Settings ..... 80
    Configuring SNMP Trap Destinations ..... 81
    Configuring Syslog Servers ..... 83
      Custom Syslog Field Descriptions ..... 84
    Configuring Email Notification Settings ..... 91
    Configuring Netflow Settings ..... 92
    Using Certificates ..... 92
      Managing Device Certificates ..... 93
      Managing the Default Trusted Certificate Authorities ..... 96
    Creating a Certificate Profile ..... 96
    Adding an OCSP Responder ..... 98
    Encrypting Private Keys and Passwords on the Firewall ..... 99
    Enabling HA on the Firewall ..... 101
    Defining Virtual Systems ..... 110
    Configuring Shared Gateways ..... 112
    Defining Custom Response Pages ..... 114
    Viewing Support Information ..... 115

Chapter 4 Network Settings ..... 117
  Defining Virtual Wires ..... 117
  Configuring a Firewall Interface ..... 118
    Configuring an Ethernet Interface ..... 118


    Configuring an Ethernet Subinterface ..... 125
    Configuring a Virtual Wire Interface ..... 130
    Configuring a Virtual Wire Subinterface ..... 130
    Configuring a Tap Interface ..... 131
    Configuring a Log Card Interface ..... 132
    Configuring a Decrypt Mirror Interface ..... 133
    Configuring Aggregate Interface Groups ..... 133
    Configuring an Aggregate Ethernet Interface ..... 134
    Configuring an HA Interface ..... 135
    Configuring a VLAN Interface ..... 135
    Configuring a Loopback Interface ..... 140
    Configuring a Tunnel Interface ..... 141
  Configuring a Virtual Router ..... 143
    Configuring the General Tab ..... 144
    Configuring the Static Routes Tab ..... 144
    Configuring the Redistribution Profiles Tab ..... 145
    Configuring the RIP Tab ..... 146
    Configuring the OSPF Tab ..... 148
    Configuring the OSPFv3 Tab ..... 152
    Configuring the BGP Tab ..... 157
    Configuring the Multicast Tab ..... 165
  Defining Security Zones ..... 168
  VLAN Support ..... 169
  DHCP Server and Relay ..... 170
  DNS Proxy ..... 171
  Defining Interface Management Profiles ..... 173
  Defining Monitor Profiles ..... 174
  Defining Zone Protection Profiles ..... 174
    Configuring Flood Protection ..... 175
    Configuring Reconnaissance Protection ..... 177
    Configuring Packet Based Attack Protection ..... 178

Chapter 5 Policies and Security Profiles ..... 181
  Policy Types ..... 181
  Guidelines on Defining Policies ..... 182
    Specifying Users and Applications for Policies ..... 184
  Defining Policies on Panorama ..... 185
  Defining Security Policies ..... 186
    General Tab ..... 186
    Source Tab ..... 187
    User Tab ..... 187
    Destination Tab ..... 188
    Application Tab ..... 189
    Service/URL Category Tab ..... 189
    Actions Tab ..... 190
  NAT Policies ..... 191
    Determining Zone Configuration in NAT and Security Policy ..... 193
    NAT Rule Options ..... 193
    NAT Policy Examples ..... 194
    NAT64 ..... 194
    NAT64 Examples ..... 195


      The following table describes the values needed in this NAT64 policy ..... 196
  Defining Network Address Translation Policies ..... 199
    General Tab ..... 199
    Original Packet Tab ..... 200
    Translated Packet Tab ..... 200
  Policy-Based Forwarding Policies ..... 202
    General Tab ..... 202
    Source Tab ..... 203
    Destination/Application/Service Tab ..... 204
    Forwarding Tab ..... 204
  Decryption Policies ..... 205
    General Tab ..... 206
    Source Tab ..... 206
    Destination Tab ..... 207
    URL Category Tab ..... 208
    Options Tab ..... 208
  Defining Application Override Policies ..... 208
    General Tab ..... 209
    Source Tab ..... 210
    Destination Tab ..... 210
    Protocol/Application Tab ..... 210
  Defining Captive Portal Policies ..... 211
    General Tab ..... 211
    Source Tab ..... 212
    Destination Tab ..... 212
    Service/URL Category Tab ..... 212
    Action Tab ..... 213
  Defining DoS Policies ..... 213
    General Tab ..... 213
    Source Tab ..... 215
    Destination Tab ..... 216
    Options/Protection Tab ..... 216
  Security Profiles ..... 217
    Antivirus Profiles ..... 218
      Antivirus Profile Page ..... 219
      Antivirus Tab ..... 219
      Exceptions Tab ..... 220
    Anti-spyware Profiles ..... 220
    Vulnerability Protection Profiles ..... 224
    URL Filtering Profiles ..... 227
    File Blocking Profiles ..... 232
    Data Filtering Profiles ..... 237
    DoS Profiles ..... 239
  Other Policy Objects ..... 241
    Defining Address Objects ..... 241
    Defining Address Groups ..... 243
    Defining Regions ..... 244
    Applications and Application Groups ..... 246
      Defining Applications ..... 250
      Defining Application Groups ..... 253
    Application Filters ..... 253


    Services ..... 254
    Service Groups ..... 255
    Working with Tags ..... 256
    Data Patterns ..... 257
    Dynamic Block Lists ..... 258
    Custom Spyware and Vulnerability Signatures ..... 259
      Defining Data Patterns ..... 260
      Defining Spyware and Vulnerability Signatures ..... 260
    Custom URL Categories ..... 264
    Security Profile Groups ..... 264
    Log Forwarding ..... 266
    Decryption Profiles ..... 267
    Schedules ..... 270

Chapter 6 Reports and Logs ..... 271
  Using the Dashboard ..... 272
  Using the Application Command Center ..... 273
  Using App-Scope ..... 277
    Summary Report ..... 278
    Change Monitor Report ..... 279
    Threat Monitor Report ..... 280
    Threat Map Report ..... 281
    Network Monitor Report ..... 282
    Traffic Map Report ..... 284
  Viewing the Logs ..... 285
    Viewing Session Information ..... 288
  Working with Botnet Reports ..... 288
    Configuring the Botnet Report ..... 289
    Managing Botnet Reports ..... 290
  Managing PDF Summary Reports ..... 291
  Managing User/Group Activity Reports ..... 293
  Managing Report Groups ..... 294
  Scheduling Reports for Email Delivery ..... 294
  Viewing Reports ..... 295
  Generating Custom Reports ..... 295
  Taking Packet Captures ..... 296

Chapter 7 Configuring the Firewall for User Identification ..... 299
  Configuring the Firewall for User Identification ..... 299
    User Mapping Tab ..... 300
    User-ID Agents Tab ..... 305
    Terminal Services Agents Tab ..... 306
    Group Mapping Tab ..... 307
    Captive Portal Settings Tab ..... 308


Chapter 8 Configuring IPSec Tunnels ..... 313
  Defining IKE Gateways ..... 313
    IKE Gateway General Tab ..... 314
    IKE Gateway Advanced Phase 1 Options Tab ..... 314
  Setting Up IPSec Tunnels ..... 315
    IPSec Tunnel General Tab ..... 315
    IPSec Tunnel Proxy ID Tab ..... 317
    Viewing IPSec Tunnel Status on the Firewall ..... 318
  Defining IKE Crypto Profiles ..... 318
  Defining IPSec Crypto Profiles ..... 319

Chapter 9 GlobalProtect Settings ..... 329
  Setting Up the GlobalProtect Portal ..... 329
    Portal Configuration Tab ..... 329
    Client Configuration Tab ..... 331
    Satellite Configuration Tab ..... 337
  Setting Up the GlobalProtect Gateways ..... 339
    General Tab ..... 339
    Client Configuration Tab ..... 340
    Satellite Configuration Tab ..... 343
  Setting Up Gateway Access to a Mobile Security Manager ..... 345
  Creating HIP Objects ..... 347
    General Tab ..... 347
    Mobile Device Tab ..... 348
    Patch Management Tab ..... 350
    Firewall Tab ..... 350
    Antivirus Tab ..... 351
    Anti-Spyware Tab ..... 352
    Disk Backup Tab ..... 352
    Disk Encryption Tab ..... 353
    Data Loss Prevention Tab ..... 353
    Custom Checks Tab ..... 354
  Setting Up HIP Profiles ..... 355
  Setting Up and Activating the GlobalProtect Agent ..... 356
  Setting Up the GlobalProtect Agent ..... 358
    Using the GlobalProtect Agent ..... 358

Chapter 10 Configuring Quality of Service ..... 359
  Configuring QoS for Firewall Interfaces ..... 359
  Defining QoS Profiles ..... 361
  Defining QoS Policies ..... 362
  Displaying QoS Statistics ..... 366


Chapter 11 Central Device Management Using Panorama ..... 367
  Panorama Tab ..... 368
  Switching Device Context ..... 371
  Setting Up Storage Partitions ..... 371
  Configuring High Availability (HA) ..... 372
  Adding Devices ..... 374
  Backing Up Firewall Configurations ..... 376
  Defining Device Groups ..... 377
    Shared Objects and Policies ..... 378
    Applying Policy to a Specific Device in a Device Group ..... 379
  Defining Panorama Administrator Roles ..... 379
  Creating Panorama Administrative Accounts ..... 380
  Specifying Panorama Access Domains for Administrators ..... 383
  Committing your Changes in Panorama ..... 384
  Templates ..... 385
    Overriding Template Settings ..... 387
    Deleting Templates ..... 388
  Logging and Reporting ..... 388
  Managing Log Collectors ..... 389
    Adding a Log Collector ..... 389
    Installing a Software Update on a Collector ..... 391
  Defining Log Collector Groups ..... 392
  Generating User Activity Reports ..... 394
  Viewing Firewall Deployment Information ..... 395
  Scheduling Dynamic Updates ..... 396
  Scheduling Configuration Exports ..... 396
  Upgrading the Panorama Software ..... 398
  Enable Log Forwarding ..... 398
  Register the VM-Series Firewall as a Service on the NSX Manager ..... 402
    Updating Information from the VMware Service Manager ..... 403

Appendix A Custom Pages ..... 405
  Antivirus and Anti-spyware Block Page ..... 405
  Application Block Page ..... 407
  File Blocking Block Page ..... 407
  SSL Decryption Opt-out Page ..... 408
  Captive Portal Comfort Page ..... 408
  SSL VPN Login Page ..... 408
  SSL Certificate Revoked Notify Page ..... 410
  URL Filtering and Category Match Block Page ..... 410
  URL Filtering Continue and Override Page ..... 411
  URL Filtering Safe Search Enforcement Block Page ..... 412

    Appendix BApplication Categories, Subcategories, Technologies, and Characteristics 413


    Application Categories and Subcategories . . . . . . . . . . 413
    Application Technologies . . . . . . . . . . 415
    Application Characteristics . . . . . . . . . . 415

    Appendix C
    Common Criteria/Federal Information Processing Standards Support . . . . . . . . . . 417

    Enabling CC/FIPS Mode . . . . . . . . . . 417
    CC/FIPS Security Functions . . . . . . . . . . 418

    Appendix D
    Open Source Licenses . . . . . . . . . . 419

    Artistic License . . . . . . . . . . 420
    BSD . . . . . . . . . . 421
    GNU General Public License . . . . . . . . . . 422
    GNU Lesser General Public License . . . . . . . . . . 426
    MIT/X11 . . . . . . . . . . 432
    OpenSSH . . . . . . . . . . 432
    PSF . . . . . . . . . . 436
    PHP . . . . . . . . . . 436
    Zlib . . . . . . . . . . 437

    Appendix E
    Firewall Access to External Web Resources . . . . . . . . . . 439

    Application Database . . . . . . . . . . 440
    Threat/Antivirus Database . . . . . . . . . . 440
    PAN-DB URL Filtering Database . . . . . . . . . . 440
    Brightcloud URL Filtering Database . . . . . . . . . . 440
    WildFire . . . . . . . . . . 440

    Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443


    Preface

    This preface contains the following sections:

    About This Guide

    Organization

    Typographical Conventions

    Notes and Cautions

    Related Documentation

    About This Guide

    The web interface provides web-based administrative access to the Palo Alto Networks next-generation firewall and Panorama. This reference guide describes this interface and details the proper input for each field. In previous releases, this guide was known as the Palo Alto Networks Administrator's Guide. However, this guide is now a dedicated reference guide, containing field reference information only. For conceptual information about the firewall or Panorama and step-by-step instructions for configuring them, refer to the PAN-OS Administrator's Guide and/or the Panorama Administrator's Guide.

    Organization

    This guide is organized as follows:

    Chapter 1, Introduction: Provides an overview of the firewall.

    Chapter 2, Getting Started: Describes how to install the firewall.

    Chapter 3, Device Management: Describes how to perform basic system configuration and maintenance for the firewall, including how to configure a pair of firewalls for high availability, define user accounts, update the software, and manage configurations.

    Chapter 4, Network Settings: Describes how to configure the firewall for your network, including routing configuration.

    Chapter 5, Policies and Security Profiles: Describes how to configure security policies and profiles by zone, users, source/destination address, and application.


    Chapter 6, Reports and Logs: Describes how to view the reports and logs provided with the firewall.

    Chapter 7, Configuring the Firewall for User Identification: Describes how to configure the firewall to identify the users who attempt to access the network.

    Chapter 8, Configuring IPSec Tunnels: Describes how to configure IP Security (IPSec) tunnels on the firewall.

    Chapter 9, GlobalProtect Settings: Describes GlobalProtect, which allows secure login from client systems located anywhere in the world.

    Chapter 10, Configuring Quality of Service: Describes how to configure quality of service (QoS) on the firewall.

    Chapter 11, Central Device Management Using Panorama: Describes how to use Panorama to manage multiple firewalls.

    Appendix A, Custom Pages: Provides HTML code for custom response pages to notify end users of policy violations or special access conditions.

    Appendix B, Application Categories, Subcategories, Technologies, and Characteristics: Contains a list of the application categories defined by Palo Alto Networks.

    Appendix C, Common Criteria/Federal Information Processing Standards Support: Describes firewall support for the Federal Information Processing Standards 140-2.

    Appendix D, Open Source Licenses: Includes information on applicable open source licenses.


    Typographical Conventions

    This guide uses the following typographical conventions for special terms and instructions.

    Convention | Meaning | Example
    boldface | Names of commands, keywords, and selectable items in the web interface | Click Security to open the Security Rules page.
    italics | Name of parameters, files, directories, or Uniform Resource Locators (URLs) | The address of the Palo Alto Networks home page is http://www.paloaltonetworks.com
    courier font | Coding examples and text that you enter at the command prompt | Enter the following command: set deviceconfig system dns-settings
    Click | Click the left mouse button | Click Administrators under the Devices tab.
    Right-click | Click the right mouse button. | Right-click on the number of a rule you want to copy, and select Clone Rule.

    Notes and Cautions

    This guide uses the following symbols for notes and cautions.

    Symbol | Description
    NOTE | Indicates helpful suggestions or supplementary information.
    CAUTION | Indicates actions that could cause loss of data.

    Related Documentation

    You can find related documentation at:

    For information on the additional capabilities and for instructions on configuring the features on the firewall, go to https://www.paloaltonetworks.com/documentation.

    For access to the knowledge base, complete documentation set, discussion forums, and videos, go to https://live.paloaltonetworks.com.

    For contacting support, for information on support programs, or to manage your account or devices, go to https://support.paloaltonetworks.com.


    Chapter 1

    Introduction

    This section provides an overview of the firewall:

    Firewall Overview

    Features and Benefits

    Management Interfaces

    Firewall Overview

    The Palo Alto Networks firewall allows you to specify security policies based on accurate identification of each application seeking access to your network. Unlike traditional firewalls that identify applications only by protocol and port number, the firewall uses packet inspection and a library of application signatures to distinguish between applications that have the same protocol and port, and to identify potentially malicious applications that use non-standard ports. For example, you can define security policies for specific applications, rather than rely on a single policy for all port 80 connections. For each identified application, you can specify a security policy to block or allow traffic based on the source and destination zones and addresses (IPv4 and IPv6). Each security policy can also specify security profiles to protect against viruses, spyware, and other threats.


    Features and Benefits

    The firewall provides granular control over the traffic allowed to access your network. The primary features and benefits include:

    Application-based policy enforcement: Access control by application is far more effective when application identification is based on more than just protocol and port number. High risk applications can be blocked, as well as high risk behavior, such as file-sharing. Traffic encrypted with the Secure Sockets Layer (SSL) protocol can be decrypted and inspected.

    User Identification (User-ID): User-ID allows administrators to configure and enforce firewall policies based on users and user groups, instead of or in addition to network zones and addresses. The firewall can communicate with many directory servers, such as Microsoft Active Directory, eDirectory, SunOne, OpenLDAP, and most other LDAP based directory servers to provide user and group information to the firewall. This information can then be used to provide an invaluable method of providing secure application enablement that can be defined per user or group. For example, the administrator could allow one organization to use a web-based application, but no other organizations in the company would be able to use that application. You can also configure granular control of certain components of an application based on users and groups. Refer to Configuring the Firewall for User Identification.

    Threat prevention: Threat prevention services that protect the network from viruses, worms, spyware, and other malicious traffic can be varied by application and traffic source (refer to Security Profiles).

    URL filtering: Outbound connections can be filtered to prevent access to inappropriate web sites (refer to URL Filtering Profiles).

    Traffic visibility: Extensive reports, logs, and notification mechanisms provide detailed visibility into network application traffic and security events. The Application Command Center (ACC) in the web interface identifies the applications with the most traffic and the highest security risk (refer to Reports and Logs).

    Networking versatility and speed: The firewall can augment or replace your existing firewall, and can be installed transparently in any network or configured to support a switched or routed environment. Multi-gigabit speeds and a single-pass architecture provide all services with little or no impact on network latency.

    GlobalProtect: GlobalProtect provides security for client systems, such as laptops, that are used in the field by allowing easy and secure login from anywhere in the world.

    Fail-safe operation: High availability support provides automatic failover in the event of any hardware or software disruption (refer to Enabling HA on the Firewall).

    Malware analysis and reporting: WildFire provides detailed analysis and reporting on malware that traverses the firewall.

    VM-Series Firewall: Provides a virtual instance of PAN-OS positioned for use in a virtualized data center environment and particularly well suited for private and public cloud deployments. Installs on any x86 device that is capable of running VMware ESXi, without the need to deploy Palo Alto Networks hardware.


    Management and Panorama: Each firewall is managed through an intuitive web interface or a command-line interface (CLI), or all devices can be centrally managed through the Panorama centralized management system, which has a web interface very similar to the device web interface.

    Management Interfaces

    The firewall supports the following management interfaces. Refer to Supported Browsers for a list of supported browsers.

    Web interface: Configuration and monitoring over HTTP or HTTPS from a web browser.

    CLI: Text-based configuration and monitoring over Telnet, Secure Shell (SSH), or the console port (refer to the PAN-OS Command Line Interface Reference Guide).

    Panorama: Palo Alto Networks product that provides web-based management, reporting, and logging for multiple firewalls. The Panorama interface is similar to the device web interface, with additional management functions included. Refer to Central Device Management Using Panorama for information on using Panorama.

    Simple Network Management Protocol (SNMP): Palo Alto Networks products support SNMPv2c and SNMPv3, read-only access over SNMP, and support for SNMP traps. Refer to Configuring SNMP Trap Destinations.

    Syslog: Provides message generation for one or more remote syslog servers (refer to Configuring Syslog Servers).

    XML API: Provides an XML-based interface to access device configuration, operational status, reports, and packet captures from the firewall. There is an API browser available on the firewall at https://<hostname>/api, where <hostname> is the host name or IP address of the firewall. This link provides help on the parameters required for each type of API call. For more information, refer to the XML API Usage Guide.
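As an added example (not code from this guide or from Palo Alto Networks), the following Python helpers build a request against the https://<hostname>/api endpoint named above, verify the management certificate against a CA bundle instead of switching TLS verification off, and check the response envelope before trusting the result. The query parameters type, key and cmd, the <response status=...> envelope and the CA bundle path are assumptions drawn from the separate XML API Usage Guide rather than from this page; the sample responses are constructed.

```python
"""Helpers for calling the PAN-OS XML API at https://<hostname>/api (added example)."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumed path of the CA bundle that issued the firewall's management certificate.
CA_BUNDLE = "/etc/ssl/fw-mgmt-ca.pem"


class ApiError(Exception):
    """The firewall answered with a status other than "success"."""


def build_api_url(hostname: str, params: dict) -> str:
    """Return the URL for one call against https://<hostname>/api.

    The parameter names are assumed from the XML API Usage Guide, not this page.
    """
    return "https://%s/api/?%s" % (hostname, urllib.parse.urlencode(params))


def op_command(hostname: str, api_key: str, cmd_xml: str) -> str:
    """URL for an operational command (type=op), e.g. <show><system><info/></system></show>.

    The API key travels in the query string, so keep these URLs out of proxy and shell logs.
    """
    return build_api_url(hostname, {"type": "op", "key": api_key, "cmd": cmd_xml})


def parse_response(body: str) -> ET.Element:
    """Check the <response status=...> envelope and return the <result> element."""
    root = ET.fromstring(body)
    if root.tag != "response":
        raise ApiError("unexpected root element %r" % root.tag)
    status = root.get("status")
    if status != "success":
        # Error bodies carry the text either in <result><msg> or in <msg><line> elements.
        msg = root.findtext("result/msg") or "; ".join(
            (line.text or "") for line in root.iter("line"))
        raise ApiError("API call failed (status=%s, code=%s): %s"
                       % (status, root.get("code"), msg))
    result = root.find("result")
    if result is None:
        raise ApiError("success response without a <result> element")
    return result


def fetch(url: str, cafile: str = CA_BUNDLE, timeout: float = 10.0) -> str:
    """Perform the HTTPS call, verifying the server certificate against cafile.

    Do not turn verification off to cope with the factory self-signed certificate;
    install a management certificate from a CA you control instead.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def system_hostname(body: str) -> str:
    """Hostname reported in a 'show system info' response body."""
    return parse_response(body).findtext("system/hostname") or ""


# Constructed sample responses; not captured from a real firewall.
SAMPLE_SUCCESS = ('<response status="success"><result><system>'
                  '<hostname>fw-lab-01</hostname><sw-version>6.0.0</sw-version>'
                  '</system></result></response>')
SAMPLE_ERROR = ('<response status="error" code="403">'
                '<result><msg>Invalid credentials.</msg></result></response>')

if __name__ == "__main__":
    url = op_command("fw-lab-01.example.net", "API-KEY-PLACEHOLDER",
                     "<show><system><info/></system></show>")
    print(url)
    print(system_hostname(SAMPLE_SUCCESS))
```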


    Chapter 2

    Getting Started

    This chapter describes how to set up and start using the firewall:

    Preparing the Firewall

    Setting Up the Firewall

    Using the Firewall Web Interface

    Getting Help Configuring the Firewall

    Preparing the Firewall

    Perform the following tasks to prepare the firewall for setup:

    1. Mount the firewall in a rack and power it up as described in the Hardware Reference Guide for your platform.

    2. Register your firewall at https://support.paloaltonetworks.com to obtain the latest software and App-ID updates, and to activate support or subscriptions with the authorization codes emailed to you.

    3. Obtain an IP address from your network administrator for configuring the management port on the firewall.

    Setting Up the Firewall

    To perform the initial firewall setup:

    1. Connect your computer to the management port (MGT) on the firewall using an RJ-45 Ethernet cable.

    2. Start your computer. Assign a static IP address to your computer on the 192.168.1.0 network (for example, 192.168.1.5) with a netmask of 255.255.255.0.

    3. Launch a supported web browser and enter https://192.168.1.1.

    The browser automatically opens the Palo Alto Networks login page.


    4. Enter admin in both the Name and Password fields, and click Login. The system presents a warning that the default password should be changed. Click OK to continue.

    5. On the Device tab, choose Setup and configure the following (for general instructions on configuring settings in the web interface, refer to Using the Firewall Web Interface):

    On the Management tab under Management Interface Settings, enter the firewall's IP address, netmask, and default gateway.

    On the Services tab, enter the IP address of the Domain Name System (DNS) server. Enter the IP address or host and domain name of the Network Time Protocol (NTP) server and select your time zone.

    Click Support on the side menu. If this is the first Palo Alto Networks firewall for your company, click Register Device to register the firewall. (If you have already registered a firewall, you have received a user name and password.) Click the Activate support using authorization codes link and enter the authorization codes that have been emailed to you for any optional features. Use a space to separate multiple authorization codes.

    6. Click Administrators under the Devices tab.

    7. Click admin.

    8. In the New Password and Confirm New Password fields, enter and confirm a case-sensitive password (up to 15 characters).

    9. Click OK to submit the new password.

    10. Commit the configuration to make these settings active. When the changes are committed, the firewall will be reachable through the IP address assigned in Step 5. For information on committing changes, refer to Committing Changes.

    Note: The default configuration of the firewall when delivered from the factory, or after a factory reset is performed, is a virtual wire between Ethernet ports 1 and 2 with a default policy to deny all inbound traffic and allow all outbound traffic.


    Using the Firewall Web Interface

    The following conventions apply when using the firewall interface.

    To display the menu items for a general functional category, click the tab, such as Objects or Device, near the top of the browser window.

    Click an item on the side menu to display a panel.

    To display submenu items, click the icon to the left of an item. To hide submenu items, click the icon to the left of the item.

    On most configuration pages, you can click Add to create a new item.

    To delete one or more items, select their check boxes and click Delete. In most cases, the system prompts you to confirm by clicking OK or to cancel the deletion by clicking Cancel.

    On some configuration pages, you can select the check box for an item and click Clone to create a new item with the same information as the selected item.


    To modify an item, click its underlined link.

    To view help information on a page, click the Help icon in upper right area of the page.

    To view the current list of tasks, click the Tasks icon in the lower right corner of the page. The Task Manager window opens to show the list of tasks, along with status, start times, associated messages, and actions. Use the Show drop-down list to filter the list of tasks.

    The web interface language is controlled by the current language of the computer that is managing the device if a specific language preference has not been defined. For example, if the computer you use to manage the firewall has a locale of Spanish, when you log in to the firewall, the web interface will be in Spanish.

    To specify a language that will always be used for a given account regardless of the locale of the computer, click the Language icon in the lower right corner of the page and the Language Preference window opens. Click the drop-down list to select the desired language and then click OK to save your change.

    On pages that list information you can modify (for example, the Setup page on the Devices tab), click the icon in the upper right corner of a section to edit the settings.


    After you configure settings, you must click OK or Save to store the changes. When you click OK, the current candidate configuration is updated.

    Committing Changes

    Click Commit at the top of the web interface to open the commit dialog box.

    The following options are available in the commit dialog box. Click the Advanced link, if needed, to display the options:

    Include Device and Network configuration: Include the device and network configuration changes in the commit operation.

    Include Shared Object configuration (Multi-virtual system firewalls only): Include the shared object configuration changes in the commit operation.

    Include Policy and Objects (Non-multi-virtual system firewalls only): Include the policy and object configuration changes in the commit operation.

    Include virtual system configuration: Include all virtual systems or choose Select one or more virtual systems.

    For more information about committing changes, refer to Defining Operations Settings.

    Preview Changes

    Click this button to bring up a two-pane window that shows proposed changes in the candidate configuration compared to the current running configuration. You can choose the number of lines of context to display, or show all lines. Changes are color coded based on items that have been added, modified, or deleted. The Device > Config Audit feature performs the same function; refer to Comparing Configuration Files.

    Navigating to Configuration Pages

    Each configuration section in this guide shows the menu path to the configuration page. For example, to reach the Vulnerability Protection page, choose the Objects tab and then choose Vulnerability Protection under Security Profiles in the side menu. This is indicated in this guide by the following path:

    Objects > Security Profiles > Vulnerability Protection

    Using Tables on Configuration Pages

    The tables on configuration pages include sorting and column chooser options. Click a column header to sort on that column, and click again to change the sort order. Click the arrow to the right of any column and select check boxes to choose the columns to display.

    Required Fields

    Required fields are shown with a light yellow background. A message indicating that the field is required appears when you hover over or click in the field entry area.

    Note: Configuration changes that span multiple configuration areas may require a full commit. For example, if you click Commit and only select the Include Device and Network configuration option, some items that you changed in the Device tab will not commit. This includes certificates and User-ID options as well as Server Profiles used for User-ID, such as an LDAP server profile. This can also occur if you perform a partial commit after importing a configuration. To commit these types of changes, do a full commit and select both Include Device and Network configuration and Include Policy and Object configuration.


    Locking Transactions

    The web interface provides support for multiple administrators by allowing an administrator to lock a current set of transactions, thereby preventing configuration changes or commit operations by another administrator until the lock is removed. The following types of locks are supported:

    Config lock: Blocks other administrators from making changes to the configuration. This type of lock can be set globally or for a virtual system. It can be removed only by the administrator who set it or by a superuser on the system.

    Commit Lock: Blocks other administrators from committing changes until all of the locks have been released. This type of lock prevents collisions that can occur when two administrators are making changes at the same time and the first administrator finishes and commits changes before the second administrator has finished. The lock is released when the current changes are committed by the administrator who applied the lock, or it can be released manually.

    Any administrator can open the lock window to view the current transactions that are locked, along with a timestamp for each. To lock a transaction, click the unlocked icon on the top bar to open the Locks dialog box. Click Take a Lock, select the scope of the lock from the drop-down list, and click OK. Add additional locks as needed, and then click Close to close the Lock dialog box. The transaction is locked, and the icon on the top bar changes to a locked icon that shows the number of locked items in parentheses.

    To unlock a transaction, click the locked icon on the top bar to open the Locks window. Click the icon for the lock that you want to remove, and click Yes to confirm. Click Close to close the Lock dialog box. You can arrange to automatically acquire a commit lock by selecting the Automatically acquire commit lock check box in the Management area of the Device Setup page. Refer to System Setup, Configuration, and License Management.
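The lock rules just described, as an added example that models them in Python (not code from PAN-OS or from this guide). It assumes that a virtual-system config lock covers only that virtual system while a global lock covers everything, and that manual release of a commit lock follows the same owner-or-superuser rule the guide states for config locks.

```python
"""Model of the config-lock and commit-lock rules under Locking Transactions (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List


class LockError(Exception):
    """Raised when an operation is refused because of a lock held by another administrator."""


@dataclass
class Admin:
    name: str
    superuser: bool = False
    auto_commit_lock: bool = False   # the "Automatically acquire commit lock" setting


@dataclass
class Lock:
    kind: str              # "config" or "commit"
    scope: str             # "global" or a virtual system name such as "vsys1"
    owner: str
    taken_at: datetime     # the timestamp any administrator can see in the Locks window


class LockTable:
    def __init__(self) -> None:
        self.locks: List[Lock] = []

    def view(self) -> List[tuple]:
        """Any administrator may list the current locks with their timestamps."""
        return [(l.kind, l.scope, l.owner, l.taken_at.isoformat()) for l in self.locks]

    def take(self, admin: Admin, kind: str, scope: str = "global") -> Lock:
        """Take a Lock; taking one you already hold on that scope is a no-op."""
        if kind not in ("config", "commit"):
            raise ValueError("kind must be 'config' or 'commit'")
        for l in self.locks:
            if l.kind == kind and l.scope == scope and l.owner == admin.name:
                return l
        lock = Lock(kind, scope, admin.name, datetime.now(timezone.utc))
        self.locks.append(lock)
        return lock

    @staticmethod
    def _covers(lock_scope: str, target: str) -> bool:
        # Assumed scope semantics: a global lock covers every change; a vsys lock covers
        # changes to that vsys and any device-wide (global) change.
        return lock_scope == "global" or target == "global" or lock_scope == target

    def edit(self, admin: Admin, scope: str = "global") -> None:
        """Change the candidate configuration; refused under another admin's config lock."""
        for l in self.locks:
            if l.kind == "config" and l.owner != admin.name and self._covers(l.scope, scope):
                raise LockError("%s holds a config lock on %s" % (l.owner, l.scope))
        if admin.auto_commit_lock:
            self.take(admin, "commit")

    def release(self, admin: Admin, lock: Lock) -> None:
        """Remove a lock manually: only its owner or a superuser may do so."""
        if lock.owner != admin.name and not admin.superuser:
            raise LockError("%s may not release %s's %s lock"
                            % (admin.name, lock.owner, lock.kind))
        self.locks.remove(lock)

    def commit(self, admin: Admin) -> int:
        """Commit: blocked while another admin holds a commit lock; releases the committer's own.

        Returns the number of commit locks released by this commit.
        """
        for l in self.locks:
            if l.kind == "commit" and l.owner != admin.name:
                raise LockError("commit blocked by %s's commit lock" % l.owner)
        mine = [l for l in self.locks if l.kind == "commit" and l.owner == admin.name]
        for l in mine:
            self.locks.remove(l)
        return len(mine)


if __name__ == "__main__":
    table = LockTable()
    alice, bob = Admin("alice"), Admin("bob")
    table.take(alice, "config", "vsys1")
    try:
        table.edit(bob, "vsys1")
    except LockError as err:
        print("refused:", err)
    print(table.view())
```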

    Supported Browsers

    The following web browsers are supported for access to the firewall web interface:

    Internet Explorer 7+

    Firefox 3.6+

    Safari 5+

    Chrome 11+


    Getting Help Configuring the Firewall

    Use the information in this section to obtain help on using the firewall.

    Obtaining More Information

    To obtain more information about the firewall, refer to the following:

    General information: Go to http://www.paloaltonetworks.com.

    Documentation: For information on the additional capabilities and for instructions on configuring the features on the firewall, go to https://www.paloaltonetworks.com/documentation.

    Online help: Click Help in the upper-right corner of the web interface to access the online help system.

    Knowledge Base: For access to the knowledge base, a collaborative area for customer and partner interaction, discussion forums, and videos, go to https://live.paloaltonetworks.com.

    Technical Support: For technical support, for information on support programs, or to manage your account or devices, go to https://support.paloaltonetworks.com.


    Chapter 3

    Device Management

    Use the following sections for field reference on basic system configuration and maintenance tasks on the firewall:

    System Setup, Configuration, and License Management

    Comparing Configuration Files

    Defining VM Information Sources

    Installing the Software

    Updating Threat and Application Definitions

    Administrator Roles, Profiles, and Accounts

    Setting Up Authentication Profiles

    Setting Up an Authentication Sequence

    Creating a Certificate Profile

    Scheduling Log Exports

    Defining Logging Destinations

    Defining Alarm Log Settings

    Configuring Netflow Settings

    Using Certificates

    Encrypting Private Keys and Passwords on the Firewall

    Enabling HA on the Firewall

    Defining Virtual Systems

    Defining Custom Response Pages

    Viewing Support Information


    System Setup, Configuration, and License Management

    The following sections describe how to define network settings for management access, how to define service routes and services, and how to manage configuration options such as global session timeouts, content identification, and WildFire malware analysis and reporting:

    Defining Management Settings

    Defining Operations Settings

    Defining Services Settings

    Defining Content-ID Settings

    Configuring WildFire Settings

    Defining Session Settings

    SNMP

    Comparing Configuration Files

    Installing a License

    Defining Management Settings

    Device > Setup > Management and Panorama > Setup > Management

    The Setup > Management tab allows you to configure the firewall for management access. If you do not want to use the management port, you can define a loopback interface and manage the firewall through the IP address of the loopback interface (see Configuring a Loopback Interface). On Panorama, use the Device > Setup > Management tab to configure managed devices using Panorama templates. Use the Panorama > Setup > Management tab to configure settings for Panorama.

    Table 1. Management Settings

    General Settings

    Hostname: Enter a host name (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

    Domain: Enter the Fully Qualified Domain Name (FQDN) of the firewall (up to 31 characters).

    Login Banner: Enter custom text that will be displayed on the firewall login page. The text is displayed below the Name and Password fields.

    Time Zone: Select the time zone of the firewall.

    Locale: Select a language for PDF reports from the drop-down list. See Managing PDF Summary Reports. If you have a specific language preference set for the web interface, PDF reports will still use the language specified in this locale setting. See language preference in Using the Firewall Web Interface.


    Time To set the date and time on the firewall, click Set Time. Enter the current date in (YYYY/MM/DD) or click the calendar icon to select a month and day. Enter the current time in 24-hour format (HH:MM:SS). You can also define an NTP server from Device > Setup > Services.

    Serial Number (virtual machines only)

    Enter the serial number of the firewall/Panorama. Find the serial number in the order fulfillment email that was sent to you.

    Geo Location Enter the latitude (-90.0 to 90.0) and longitude (-180.0 to 180.0) of the firewall.

    Automatically acquire commit lock

    Automatically apply a commit lock when you change the candidate configuration. For more information, see Locking Transactions.

    Certificate Expiration Check

    Instruct the firewall to create warning messages when on-box certificates near their expiration dates.

    Multi Virtual System Capability

    To enable the use of multiple virtual systems (if supported on the firewall model), click Edit for Multi Virtual System Capability near the top of the Setup page. Select the check box, and click OK. For more information about virtual systems, see Defining Virtual Systems.

    URL Filtering Database (Panorama only)

    Select a URL filtering vendor to enable on Panorama: brightcloud or paloaltonetworks (PAN-DB).

    Authentication Settings

    Authentication Profile Select the authentication profile to use for administrator access to the firewall. For instructions on configuring authentication profiles, see Setting Up Authentication Profiles.

    Certificate Profile Select the certificate profile to use for administrator access to the firewall. For instructions on configuring certificate profiles, see Creating a Certificate Profile.

Idle Timeout Enter the number of minutes (0-1440) after which an idle web interface or CLI management session is logged out. A value of 0 means that sessions never time out.

# Failed Attempts Enter the number of failed login attempts allowed on the web interface and CLI before the account is locked (0-10, default 0). 0 means that there is no limit.

Lockout Time Enter the number of minutes (0-60) that a user is locked out after the number of failed attempts is reached. The default 0 means that no lockout period is applied, so failed attempts are not limited. Leaving both settings at their defaults leaves management logins open to unlimited password guessing from any permitted IP address.
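To make the interaction of these two settings concrete, the following Python model, added here as an illustration and not taken from PAN-OS, tracks failed attempts per account and the lockout window, and counts how many password guesses an attacker gets checked against one account during an hour of steady guessing. The policy values, the account name and the rate of 60 guesses per minute are constructed inputs; how PAN-OS itself treats a lockout time of 0 is not described on this page, so in this model a lockout only takes effect when both values are non-zero.

```python
"""Account-lockout logic modelling the '# Failed Attempts' and 'Lockout Time'
settings. Added illustration, not PAN-OS code; time is expressed in minutes
so the simulation runs instantly without a real clock."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class LockoutPolicy:
    failed_attempts: int = 0   # 0 = no limit (the page's default)
    lockout_minutes: int = 0   # 0 = no lockout period (the page's default)


@dataclass
class _AccountState:
    failures: int = 0
    locked_until: float = 0.0  # minute at which the current lockout ends


class LoginGuard:
    """Tracks per-account failure counts and lockout windows."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._state: Dict[str, _AccountState] = {}

    def is_locked(self, user: str, now_min: float) -> bool:
        st = self._state.get(user)
        return st is not None and now_min < st.locked_until

    def attempt(self, user: str, password_ok: bool, now_min: float) -> str:
        """Record one login attempt at time `now_min` and return:
        'locked'  - rejected without the password being checked
        'denied'  - password checked and wrong
        'allowed' - password checked and correct"""
        st = self._state.setdefault(user, _AccountState())
        if now_min < st.locked_until:
            return "locked"
        if password_ok:
            st.failures = 0            # a successful login clears the counter
            return "allowed"
        st.failures += 1
        limit = self.policy.failed_attempts
        if limit and st.failures >= limit:
            # Threshold reached: open the lockout window and restart the count.
            # With lockout_minutes == 0 the window is empty, so in this model
            # the attempt limit has no effect on its own (assumption).
            st.locked_until = now_min + self.policy.lockout_minutes
            st.failures = 0
        return "denied"


def guesses_evaluated(policy: LockoutPolicy, per_minute: int, minutes: int) -> int:
    """How many wrong passwords get checked against one account when an
    attacker guesses at a steady rate for `minutes` minutes (constructed run)."""
    guard = LoginGuard(policy)
    checked = 0
    for i in range(per_minute * minutes):
        if guard.attempt("admin", False, i / per_minute) == "denied":
            checked += 1
    return checked
```

With the defaults (0, 0) every one of 3600 guesses in an hour is checked; with 5 attempts and a 30-minute lockout only 10 are, which is the difference the two fields make against an online guessing attack from a permitted address.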

    Table 1. Management Settings (Continued)

    Item Description


    Panorama Settings

    Panorama Servers Enter the IP address of Panorama, the Palo Alto Networks centralized management system (if any). The server address is required to manage the device using Panorama. If Panorama is in an HA configuration, enter the secondary Panorama server IP address in the second Panorama Servers field.

    Note: To remove any policies that Panorama propagates to managed firewalls, click the Disable Panorama Policy and Objects link. To keep a local copy of the policies and objects to your device before removing them from Panorama, click the Import Panorama Policy and Objects before disabling check box in the dialog box that opens. Click OK.

    Note: When you select the import check box, the policies and objects will be copied to the current candidate configuration. If you commit this configuration, the policies and objects will become part of your configuration and will no longer be managed by Panorama.

    To remove device and network templates, click the Disable Device and Network Template link. To keep a local copy of the device and network templates, click the Import Device and Network Templates before disabling check box in the dialog box that opens and click OK. When you select the import check box, the configuration defined in the device and network templates will be copied to the current candidate configuration. If you commit that configuration, these items will become part of your configuration and will no longer be managed by Panorama. Templates will no longer be accepted on the device until you click Enable Device and Network Templates.

Receive Timeout for connection to device/Panorama

Device Enter the timeout for receiving TCP messages from all managed devices (1-240 seconds, default 240).

Panorama Enter the timeout for receiving TCP messages from Panorama (1-240 seconds, default 240).

Send Timeout for connection to device/Panorama

Device Enter the timeout for sending TCP messages to all managed devices (1-240 seconds, default 240).

Panorama Enter the timeout for sending TCP messages to Panorama (1-240 seconds, default 240).

Retry Count for SSL send to device/Panorama

Device Enter the number of retries for attempts to send Secure Sockets Layer (SSL) messages to managed devices (1-64, default 25).

Panorama Enter the number of retries for attempts to send Secure Sockets Layer (SSL) messages to Panorama (1-64, default 25).

Share Unused Address and Service Objects with Devices (Panorama only)

Select this check box to share all Panorama shared objects and device group specific objects with managed devices. When it is unchecked, Panorama checks its policies for references to address, address group, service, and service group objects and does not share objects that are not referenced. Leaving it unchecked ensures that only the objects the policies actually need are sent to managed devices, which reduces the total object count on each device.



Shared Objects Take Precedence (Panorama only)

    Select the check box to specify that shared objects take precedence over device group objects. This option is a system-wide setting and is off by default. When this option is off, device groups override corresponding objects of the same name. If the option is selected, device group objects cannot override corresponding objects of the same name from a shared location and any device group object with the same name as a shared object will be discarded.

    Management Interface Settings

    IP Address Enter the IPv4 address of the management port. Alternatively, you can use the IP address of a loopback interface for device management. This address is used as the source address for remote logging.

    Netmask Enter the network mask for the IPv4 address, such as 255.255.255.0.

    Default Gateway Enter the IPv4 address of the default router (must be on the same subnet as the management port).

    IPv6 Address/Prefix Length

    (Optional) Enter the IPv6 address of the management port. An IPv6 prefix length is required to indicate the netmask, for example 2001:400:f00::1/64.

    Default IPv6 Gateway Enter the IPv6 address of the default router (must be on the same subnet as the management port), if you assigned an IPv6 address to the management port.

    Speed Configure a data rate and duplex option for the management interface. The choices include 10Mbps, 100Mbps, and 1Gbps at full or half duplex. Use the default auto-negotiate setting to have the firewall determine the interface speed.

    This setting should match the port settings on the neighboring network equipment.

    MTU Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range 512 to 1500, default 1500).

Services Select the desired services for the management interface: HTTP, HTTP OCSP, HTTPS, Telnet, SSH (Secure Shell), Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, and/or User-ID Syslog Listener-UDP. HTTP and Telnet carry administrator credentials and session content in cleartext; enable only HTTPS and SSH for administration and leave the other services disabled unless a specific integration requires them.

Permitted IP Addresses Enter the list of IP addresses from which firewall management is allowed. If the list is empty, the management interface accepts connections from any address that can reach it, so populate it with the management hosts that need access. When using this option on Panorama, make sure that each managed device has its IP address added; otherwise it will not be able to connect and send logs to Panorama or receive configuration updates.



    Logging and Reporting Settings

    Use this section of the interface to modify the following options:

    Log storage quotas for the firewall

    Log storage quotas on Panorama VM or an M-100 appliance in Panorama mode. (Panorama > Setup > Management)

    Note: If you are using an M-100 appliance in Log Collector mode, use the Log Storage link in the Panorama > Collector Groups > General tab to configure the quotas for each log type. See Installing a Software Update on a Collector.

    Attributes for calculating and exporting user activity reports.

    Predefined reports created on the firewall/Panorama.

    Log Storage subtab

    (The PA-7050 will show Log Card Storage and Management Card Storage)

    Specify the percentage of space allocated to each log type on the hard disk.

    When you change a percent value, the associated disk allocation changes automatically. If the total of all the values exceeds 100%, a message appears on the page in red, and an error message is presented when you attempt to save the settings. If this occurs, readjust the percentages so the total is within the 100% limit.

    Click OK to save settings and Restore Defaults to restore all of the default settings.

On the PA-7050 firewall, logs are stored in two different storage areas, the Log Processing Card (LPC) and the Switch Management Card (SMC), so log quotas are divided into these two areas. The Log Card Storage tab has quota settings for data-type logs stored on the LPC, and the Management Card Storage tab has quota settings for management-type logs stored on the SMC. For example, the Log Card Storage tab has quota settings for traffic and threat logs, while the Management Card Storage tab has quota settings for the config logs, system logs, alarm logs, and so on.

    Note: When a log reaches its maximum size, it starts to be overwritten beginning with the oldest entries. If you resize an existing log to be smaller than its current size, the firewall starts immediately to cut down the log when you commit the changes, with the oldest logs removed first.

    Chassis Quotas subtab (Only on the Device > Setup > Management tab)



    Log Export and Reporting subtab

Number of Versions for Config Audit Enter the number of configuration versions to save before discarding the oldest ones (default 100). You can use these saved versions to audit and compare changes in configuration.

Max Rows in CSV Export Enter the maximum number of rows that will appear in the CSV reports generated from the Export to CSV icon in the traffic logs view (range 1-1048576, default 5000).

Max Rows in User Activity Report Enter the maximum number of rows that is supported for the detailed user activity reports (1-1048576, default 65535).

Number of Versions for Config Backups (Panorama only) Enter the number of configuration backups to save before discarding the oldest ones (default 100).

Average Browse Time (sec) Configure this variable to adjust how browse time is calculated in the User Activity Report.

The calculation ignores sites categorized as web advertisements and content delivery networks. The browse time calculation is based on container pages logged in the URL filtering logs. Container pages are used as the basis for this calculation because many sites load content from external sites that should not be counted. For more information on container pages, see Container Pages.

The average browse time setting is the time the administrator expects a user to spend browsing a web page. Any request made after the average browse time has elapsed is considered a new browsing activity. The calculation ignores any new web pages that are loaded between the time of the first request (start time) and the average browse time. This behavior is designed to exclude external sites that are loaded within the web page of interest.

    Example: If the average browse time setting is 2 minutes and a user opens a web page and views that page for 5 minutes, the browse time for that page will still be 2 minutes. This is done because there is no way to determine how long a user views a given page.

    (Range 0-300 seconds, default 60 seconds)

Page Load Threshold (sec) This option allows you to adjust the assumed time it takes for page elements to load. Any request that occurs between the first page load and the page load threshold is assumed to be an element of the page. Any request that occurs outside the page load threshold is assumed to be the user clicking a link within the page. The page load threshold is also used in the calculations for the User Activity Report.

    (Range 0-60 seconds, default 20 seconds)

Syslog HOSTNAME Format Select whether to use the FQDN, hostname, or IP address (IPv4 or IPv6) in the syslog message header; this header identifies the device/Panorama from which the message originated.

Stop Traffic when LogDb full Select the check box if you want traffic through the firewall to stop when the log database is full (default off). This is a fail-closed choice: it guarantees that no traffic passes unlogged, at the cost of an outage if log storage fills, so pair it with monitoring of log storage and suitable quotas on the Log Storage subtab.



Enable Log on High DP Load Select this check box if you would like a system log entry generated when the packet processing load on the device is at 100% CPU utilization.

    A high CPU load can cause operational degradation because the CPU does not have enough cycles to process all packets. The system log alerts you to this issue (a log entry is generated each minute) and allows you to investigate the probable cause.

    Disabled by default.

(Only on Panorama) Buffered Log Forwarding from Device Allows the firewall to buffer log entries on its local hard disk when it loses connectivity to Panorama. When the connection to Panorama is restored, the log entries are forwarded to Panorama; the disk space available for buffering depends on the log storage quota for the platform and the volume of logs that are pending roll over. If the available space is consumed, the oldest entries are deleted to allow logging of new events.

    Enabled by default.

Get Only New Logs on Convert to Primary This option is only applicable when Panorama writes logs to a Network File System (NFS) share. With NFS logging, only the primary Panorama mounts the NFS share, so the devices send logs to the active primary Panorama only.

    This option allows an administrator to configure the managed devices to only send newly generated logs to Panorama when an HA failover occurs and the secondary Panorama resumes logging to the NFS (after it is promoted as primary).

    This behavior is typically enabled to prevent the devices from sending a large volume of buffered logs when connectivity to Panorama is restored after a significant period of time.

Only Active Primary Logs to Local Disk Allows you to configure only the active primary Panorama to save logs to the local disk.

    This option is valid for a Panorama virtual machine with a virtual disk and to the M-100 appliance in Panorama mode.

Pre-Defined Reports Pre-defined reports for application, traffic, threat, and URL Filtering are available on the device and on Panorama. By default, these pre-defined reports are enabled.

    Because the devices consume memory resources in generating the results hourly (and forwarding it to Panorama where it is aggregated and compiled for viewing), to reduce memory usage you can disable the reports that are not relevant to you; to disable a report, clear the check box for the report.

    Use the Select All or Deselect All options to entirely enable or disable the generation of pre-defined reports.

    Note: Before disabling a report make sure that the report is not included in a Group Report or a PDF Report. If a pre-defined report is part of a set of reports and it is disabled, the entire set of reports will have no data.

    Minimum Password Complexity



    Enabled Enable minimum password requirements for local accounts. With this feature, you can ensure that local administrator accounts on the firewall will adhere to a defined set of password requirements.

    You can also create a password profile with a subset of these options that will override these settings and can be applied to specific accounts. For more information, see Defining Password Profiles and see Defining Administrator Roles for information on valid characters that can be used for accounts.

Note: The maximum password length that can be entered is 31 characters. When setting requirements, make sure you do not create a combination that can never be satisfied. For example, you could not set a requirement of 10 uppercase, 10 lowercase, 10 numeric, and 10 special characters, since that would exceed the maximum length of 31.

    Note: If you have High Availability (HA) configured, always use the primary device when configuring password complexity options and commit soon after making changes.

    Minimum Length Require minimum length from 1-15 characters.

    Minimum Uppercase Letters

    Require a minimum number of uppercase letters from 0-15 characters.

    Minimum Lowercase Letters

    Require a minimum number of lowercase letters from 0-15 characters.

    Minimum Numeric Letters

Require a minimum number of numeric characters (digits), from 0-15.

    Minimum Special Characters

    Require a minimum number of special characters (non-alphanumeric) from 0-15 characters.

    Block Repeated Characters

    Specify the number of sequential duplicate characters permitted in a password. The range is (2-15).

    If you set the value to 2, the password can contain the same character in sequence twice, but if the same character is used three or more times in sequence, the password is not permitted.

For example, if the value is set to 2, the system will accept the password test11 or 11test11, but not test111, because the character 1 appears three times in sequence.

    Block Username Inclusion (including reversed)

    Select this check box to prevent the account username (or reversed version of the name) from being used in the password.

    New Password Differs By Characters

    When administrators change their passwords, the characters must differ by the specified value.

    Require Password Change on First Login

    Select this check box to prompt the administrators to change their passwords the first time they log in to the device.

    Prevent Password Reuse Limit

Require that a previous password is not reused, based on the specified count (range 0-50). For example, if the value is set to 4, you could not reuse any of your last 4 passwords.



    Block Password Change Period (days)

Users cannot change their passwords until the specified number of days has elapsed (range 0-365 days).

    Required Password Change Period (days)

Require that administrators change their password on a regular basis, specified by the number of days set (range 0-365 days). For example, if the value is set to 90, administrators will be prompted to change their password every 90 days.

    You can also set an expiration warning from 0-30 days and specify a grace period.

    Expiration Warning Period (days)

    If a required password change period is set, this setting can be used to prompt the user to change their password at each log in as the forced password change date approaches (range 0-30 days).

    Allowed expired admin login (count)

    Allow the administrator to log in the specified number of times after the account has expired. Example, if the value is set to 3 and their account has expired, they can log in 3 more times before their account is locked out (range 0-3 logins).

    Post Expiration Grace Period (days)

    Allow the administrator to log in the specified number of days after the account has expired (range 0-30 days).
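The rules in this table are easy to misconfigure, so the following Python checker, added here as an illustration and not PAN-OS code, applies them to candidate passwords and also checks that a policy's combined minimums can be met within the 31-character limit the note above warns about. Where the page does not spell out how PAN-OS compares passwords (the New Password Differs By Characters and Prevent Password Reuse Limit checks), the comparison used is a stated assumption; all passwords and usernames used in the tests are constructed.

```python
"""Password-policy checker for the Minimum Password Complexity settings.
Added illustration, not PAN-OS code. The 'differs by' and reuse comparisons
are assumptions, since this page does not define them precisely."""
from dataclasses import dataclass
from typing import List, Optional, Sequence

MAX_PASSWORD_LENGTH = 31  # hard limit stated on this page


@dataclass
class PasswordPolicy:
    min_length: int = 1
    min_upper: int = 0
    min_lower: int = 0
    min_digits: int = 0
    min_special: int = 0
    max_repeat: int = 0        # 0 = off; 2 accepts "test11" but rejects "test111"
    block_username: bool = False
    differs_by: int = 0        # 0 = off
    reuse_limit: int = 0       # 0 = off; 4 = the last four passwords may not be reused


def policy_is_satisfiable(p: PasswordPolicy) -> bool:
    """Minimums that add up to more than 31 can never be met (the page's note)."""
    return (p.min_length <= MAX_PASSWORD_LENGTH
            and p.min_upper + p.min_lower + p.min_digits + p.min_special <= MAX_PASSWORD_LENGTH)


def longest_run(s: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def char_difference(new: str, old: str) -> int:
    """Assumption: positions that differ, plus any difference in length."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


def check_password(p: PasswordPolicy, password: str, username: str = "",
                   old: Optional[str] = None, history: Sequence[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.
    `history` is oldest-first, so reuse_limit applies to its last entries."""
    problems: List[str] = []
    n = len(password)
    if n > MAX_PASSWORD_LENGTH:
        problems.append(f"longer than {MAX_PASSWORD_LENGTH} characters")
    if n < p.min_length:
        problems.append(f"shorter than {p.min_length} characters")
    counts = {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "numeric": sum(c.isdigit() for c in password),
        "special": sum(not c.isalnum() for c in password),
    }
    for name, need in (("uppercase", p.min_upper), ("lowercase", p.min_lower),
                       ("numeric", p.min_digits), ("special", p.min_special)):
        if counts[name] < need:
            problems.append(f"fewer than {need} {name} characters")
    if p.max_repeat and longest_run(password) > p.max_repeat:
        problems.append(f"a character repeats more than {p.max_repeat} times in sequence")
    if p.block_username and username:
        low, u = password.lower(), username.lower()
        if u in low or u[::-1] in low:   # forward and reversed, case-insensitive
            problems.append("contains the username or its reverse")
    if p.differs_by and old is not None and char_difference(password, old) < p.differs_by:
        problems.append(f"differs from the previous password by fewer than {p.differs_by} characters")
    if p.reuse_limit and password in history[-p.reuse_limit:]:
        problems.append(f"reuses one of the last {p.reuse_limit} passwords")
    return problems
```

Running policy_is_satisfiable against a proposed policy before committing it catches the impossible combination the note describes; check_password returns every violated rule at once, which is more useful to an administrator than stopping at the first failure.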



Defining Operations Settings

Device > Setup > Operations
Panorama > Setup > Operations

When you change a configuration setting and click OK, the current candidate configuration is updated, not the active configuration. Clicking Commit at the top of the page applies the candidate configuration to the active configuration, which activates all configuration changes since the last commit. This method allows you to review the configuration before activating it. Activating multiple changes simultaneously helps avoid invalid configuration states that can occur when changes are applied in real time.

You can save and roll back (restore) the candidate configuration as often as needed and also load, validate, import, and export configurations. Pressing Save creates a copy of the current candidate configuration, whereas choosing Commit updates the active configuration with the contents of the candidate configuration.

    To manage configurations, select the appropriate configuration management functions, as described in the following table.

    Note: It is a good idea to periodically save the configuration settings you have entered by clicking the Save link in the upper-right corner of the screen.

    Table 2. Configuration Management Functions

    Function Description

    Configuration Management

    Validate candidate config

    Checks the candidate configuration for errors.

    Revert to last saved config

    Restores the last saved candidate configuration from the local drive. The current candidate configuration is overwritten. An error occurs if the candidate configuration has not been saved.

Revert to running config Replaces the current candidate configuration with the running (active) configuration, discarding any uncommitted changes. The running configuration itself is not changed.

    Save named configuration snapshot

    Saves the candidate configuration to a file. Enter a file name or select an existing file to be overwritten. Note that the current active configuration file (running-config.xml) cannot be overwritten.

    Save candidate config Saves the candidate configuration in flash memory (same as clicking Save at the top of the page).

    Load named configuration snapshot

    Loads a candidate configuration from the active configuration (running-config.xml) or from a previously imported or saved configuration. Select the configuration file to be loaded. The current candidate configuration is overwritten.

    Load configuration version

    Loads a specified version of the configuration.


    Export named configuration snapshot

    Exports the active configuration (running-config.xml) or a previously saved or imported configuration. Select the configuration file to be exported. You can open the file and/or save it in any network location.

    Export configuration version

    Exports a specified version of the configuration.

    Export Panorama and devices config bundle (Panorama only)

    Manually generates and exports the latest versions of the running configuration backup of Panorama and of each managed firewall. To automate the process of creating and exporting the configuration bundle daily to an SCP or FTP server, see Scheduling Configuration Exports.

    Export device state (firewall only)

This feature is used to export the configuration and dynamic information from a firewall that is configured as a GlobalProtect Portal with the large scale VPN feature enabled. If the Portal experiences a failure, the export file can be imported to restore the Portal's configuration and dynamic information.

    The export contains a list of all satellite devices managed by the Portal, the running configuration at the time of the export, and all certificate information (Root CA, Server, and Satellite certificates).

    Important: You must manually run the device state export or create a scheduled XML API script to export the file to a remote server. This should be done on a regular basis since satellite certificates may change often.

To create the device state file from the CLI, from configuration mode run save device state. The file will be named device_state_cfg.tgz and is stored in /opt/pancfg/mgmt/device-state. The operational command to export the device state file is scp export device-state (you can also use tftp export device-state). Because the export contains the Portal's certificate material, prefer scp, which authenticates the destination and encrypts the transfer, over tftp, which does neither, and restrict access to the exported file. For information on using the XML API, refer to the XML API Usage Guide.
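For the scheduled XML API export the note above recommends, the following Python script is an added example and not vendor code. It assumes the XML API's keygen request (type=keygen with user and password) and export request (type=export&category=device-state&key=...) as described in the XML API Usage Guide the page refers to, so verify the parameters against your release; the hostname, credentials, CA file path and the sample keygen response are placeholders constructed for offline testing.

```python
"""Scheduled device-state export over the PAN-OS XML API. Added illustration,
not vendor code. Assumes the keygen and export request types of the XML API;
host, user, password and CA file are placeholders supplied by the caller."""
import os
import ssl
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def keygen_request(host: str, user: str, password: str) -> Request:
    """Build the keygen request. Credentials travel in the POST body rather
    than the query string so they stay out of proxy and web-server logs."""
    body = urlencode({"type": "keygen", "user": user, "password": password}).encode()
    return Request(f"https://{host}/api/", data=body, method="POST")


def parse_api_key(xml_text: str) -> str:
    """Extract <key> from a keygen response; raise on an error response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(f"keygen failed: {xml_text[:200]}")
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen response contained no key")
    return key


def export_url(host: str, api_key: str) -> str:
    """URL that returns the device state tarball (device_state_cfg.tgz)."""
    return f"https://{host}/api/?" + urlencode(
        {"type": "export", "category": "device-state", "key": api_key})


def is_tgz(data: bytes) -> bool:
    """The export is a gzip tarball; an XML error document is not."""
    return data[:2] == b"\x1f\x8b"


def export_device_state(host: str, user: str, password: str,
                        out_path: str, cafile: str) -> int:
    """Fetch the device state and write it to out_path; return the byte count.
    TLS verification stays on and trusts only the CA in `cafile`."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urlopen(keygen_request(host, user, password), context=ctx) as resp:
        key = parse_api_key(resp.read().decode())
    with urlopen(export_url(host, key), context=ctx) as resp:
        data = resp.read()
    if not is_tgz(data):
        raise RuntimeError("export did not return a tarball: "
                           + data[:200].decode(errors="replace"))
    with open(out_path, "wb") as f:
        f.write(data)
    return len(data)


# Constructed sample keygen response (placeholder key) for offline testing.
SAMPLE_KEYGEN_RESPONSE = (
    '<response status="success"><result><key>LUFRPT1example</key></result></response>'
)

if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: export_device_state.py HOST USER OUT_FILE CA_FILE "
                 "(password in $PAN_PASSWORD)")
    host, user, out_path, cafile = sys.argv[1:]
    size = export_device_state(host, user, os.environ["PAN_PASSWORD"], out_path, cafile)
    print(f"wrote {size} bytes to {out_path}")
```

Run it from cron or a similar scheduler with the admin password in the PAN_PASSWORD environment variable rather than on the command line, where it would be visible in the process list. The script validates the firewall's certificate against a CA file instead of disabling TLS verification, and checks that the response is a gzip tarball rather than an XML error document before writing it; the downloaded file contains the Portal's certificate material and should be stored with the same care as the firewall's own keys.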

    Import named config snapshot

    Imports a configuration file from any network location. Click Browse and select the configuration file to be imported.

    Import device state (firewall only)

Import the device state information that was exported using the Export device state option. This includes the current running config, Panorama templates, and shared policies. If the device is a GlobalProtect Portal, the export includes the Certificate Authority (CA) information and the list of satellite devices and their authentication information.

    Device Operations

    Reboot To restart the firewall/Panorama, click Reboot Device. You are logged out and the PAN-OS software and active configuration are reloaded. Existing sessions will also be closed and logged and a system log entry will be created that will show the administrator name that initiated the shutdown. Any configuration changes that have not been saved or committed are lost (see Defining Operations Settings).

    Note: If the web interface is not available, use the CLI command request restart system. Refer to the PAN-OS Command Line Interface Reference Guide for details.



    Shutdown To perform a graceful