  • Palo Alto Networks

    Web Interface Reference Guide, Version 6.1

  • Contact Information

    Corporate Headquarters:

    Palo Alto Networks
    4401 Great America Parkway
    Santa Clara, CA 95054

    http://www.paloaltonetworks.com/contact/contact/

    About this Guide

    This guide describes the Palo Alto Networks next-generation firewall and Panorama web interfaces. It provides information on how to use the web interface and reference information about how to populate fields within the interface:

    For information on the additional capabilities and for instructions on configuring the features on the firewall and Panorama, see https://www.paloaltonetworks.com/documentation.

    For access to the knowledge base, complete documentation set, discussion forums, and videos, see https://live.paloaltonetworks.com.

    For contacting support, for information on the support programs, or to manage your account or devices, see https://support.paloaltonetworks.com.

    For the latest release notes, go to the software downloads page at https://support.paloaltonetworks.com/Updates/SoftwareUpdates.

    To provide feedback on the documentation, please write to us at: [email protected].

    Palo Alto Networks, Inc.
    www.paloaltonetworks.com

    2014 Palo Alto Networks. All rights reserved. Palo Alto Networks and PAN-OS are trademarks of Palo Alto Networks, Inc.

    Revision Date: January 30, 2015


  • January 30, 2015 - Palo Alto Networks COMPANY CONFIDENTIAL

    Table of Contents

    Chapter 1: Introduction . . . 11
      Firewall Overview . . . 11
      Features and Benefits . . . 12
      Management Interfaces . . . 13

    Chapter 2: Getting Started . . . 15
      Preparing the Firewall . . . 15
      Setting Up the Firewall . . . 15
      Using the Firewall Web Interface . . . 17
        Committing Changes . . . 19
        Navigating to Configuration Pages . . . 20
        Using Tables on Configuration Pages . . . 20
        Required Fields . . . 20
        Locking Transactions . . . 20
        Supported Browsers . . . 21
      Getting Help Configuring the Firewall . . . 22
        Obtaining More Information . . . 22
        Technical Support . . . 22

    Chapter 3: Device Management . . . 23
      System Setup, Configuration, and License Management . . . 24
        Defining Management Settings . . . 24
        Defining Operations Settings . . . 37
        Defining Hardware Security Modules . . . 41
        SNMP . . . 43
        Defining Services Settings . . . 44
        Defining Content-ID Settings . . . 48
        Configuring WildFire Settings . . . 50
        Defining Session Settings . . . 51
          Session Settings . . . 52
          Session Timeouts . . . 53
          Decryption Settings: Certificate Revocation Checking . . . 55
          Decryption Settings: Forward Proxy Server Certificate Settings . . . 56

    Palo Alto Networks 3

        Comparing Configuration Files . . . 57
        Installing a License . . . 58
        Defining VM Information Sources . . . 59
        Installing the Software . . . 63
        Updating Threat and Application Definitions . . . 65
      Administrator Roles, Profiles, and Accounts . . . 68
        Defining Administrator Roles . . . 68
        Defining Password Profiles . . . 69
          Username and Password Requirements . . . 71
        Creating Administrative Accounts . . . 71
        Specifying Access Domains for Administrators . . . 73
        Setting Up Authentication Profiles . . . 74
        Creating a Local User Database . . . 76
        Adding Local User Groups . . . 77
        Configuring RADIUS Server Settings . . . 77
        Configuring LDAP Server Settings . . . 78
        Configuring Kerberos Settings (Native Active Directory Authentication) . . . 78
        Setting Up an Authentication Sequence . . . 79
        Scheduling Log Exports . . . 80
        Defining Logging Destinations . . . 81
        Defining Configuration Log Settings . . . 83
        Defining System Log Settings . . . 83
        Defining HIP Match Log Settings . . . 84
        Defining Alarm Log Settings . . . 84
        Managing Log Settings . . . 85
        Configuring SNMP Trap Destinations . . . 86
        Configuring Syslog Servers . . . 88
          Custom Syslog Field Descriptions . . . 89
        Configuring Email Notification Settings . . . 96
        Configuring Netflow Settings . . . 97
      Using Certificates . . . 97
        Managing Device Certificates . . . 98
        Managing the Default Trusted Certificate Authorities . . . 102
        Creating a Certificate Profile . . . 102
        Adding an OCSP Responder . . . 104
        Encrypting Private Keys and Passwords on the Firewall . . . 105
      Enabling HA on the Firewall . . . 107
      Defining Virtual Systems . . . 116
      Configuring Shared Gateways . . . 118
      Defining Custom Response Pages . . . 120
      Viewing Support Information . . . 121

    Chapter 4: Network Settings . . . 123
      Defining Virtual Wires . . . 123
      Configuring a Firewall Interface . . . 124
        Configuring an Ethernet Interface . . . 124
        Configuring an Ethernet Subinterface . . . 132
        Configuring a Virtual Wire Interface . . . 138
        Configuring a Virtual Wire Subinterface . . . 139
        Configuring a Tap Interface . . . 140
        Configuring a Log Card Interface . . . 140
        Configuring a Decrypt Mirror Interface . . . 141
        Configuring Aggregate Interface Groups . . . 141
        Configuring an Aggregate Ethernet Interface . . . 144
        Configuring an HA Interface . . . 145
        Configuring a VLAN Interface . . . 146
        Configuring a Loopback Interface . . . 150
        Configuring a Tunnel Interface . . . 151
      Configuring a Virtual Router . . . 153
        Configuring the General Tab . . . 153
        Configuring the Static Routes Tab . . . 154
        Configuring the Redistribution Profiles Tab . . . 155
        Configuring the RIP Tab . . . 156
        Configuring the OSPF Tab . . . 158
        Configuring the OSPFv3 Tab . . . 163
        Configuring the BGP Tab . . . 168
        Configuring the Multicast Tab . . . 176
        Defining Security Zones . . . 179
        More Runtime Stats for a Virtual Router . . . 181
      VLAN Support . . . 187
      DHCP Server and Relay . . . 188
      DNS Proxy . . . 190
      Defining Interface Management Profiles . . . 191
      Defining Monitor Profiles . . . 192
      Defining Zone Protection Profiles . . . 193
        Configuring Flood Protection . . . 193
        Configuring Reconnaissance Protection . . . 195
        Configuring Packet Based Attack Protection . . . 196

    Chapter 5: Policies and Security Profiles . . . 199
      Policy Types . . . 199
      Guidelines on Defining Policies . . . 200
        Specifying Users and Applications for Policies . . . 202
      Defining Policies on Panorama . . . 203
      Defining Security Policies . . . 204
        General Tab . . . 205
        Source Tab . . . 206
        User Tab . . . 206
        Destination Tab . . . 208
        Application Tab . . . 208
        Service/URL Category Tab . . . 209
        Actions Tab . . . 210
      NAT Policies . . . 212
        Determining Zone Configuration in NAT and Security Policy . . . 214
        NAT Rule Options . . . 214
        NAT Policy Examples . . . 215
        NAT64 . . . 215
        NAT64 Examples . . . 216
      Defining Network Address Translation Policies . . . 220
        General Tab . . . 220
        Original Packet Tab . . . 221
        Translated Packet Tab . . . 221
      Policy-Based Forwarding Policies . . . 223
        General Tab . . . 223
        Source Tab . . . 224
        Destination/Application/Service Tab . . . 224
        Forwarding Tab . . . 225
      Decryption Policies . . . 226
        General Tab . . . 227
        Source Tab . . . 227
        Destination Tab . . . 228
        URL Category Tab . . . 229
        Options Tab . . . 229
      Defining Application Override Policies . . . 229
        General Tab . . . 230
        Source Tab . . . 231
        Destination Tab . . . 231
        Protocol/Application Tab . . . 231
      Defining Captive Portal Policies . . . 232
        General Tab . . . 232
        Source Tab . . . 233
        Destination Tab . . . 233
        Service/URL Category Tab . . . 233
        Action Tab . . . 234
      Defining DoS Policies . . . 234
        General Tab . . . 234
        Source Tab . . . 236
        Destination Tab . . . 237
        Options/Protection Tab . . . 237
      Security Profiles . . . 238
      Antivirus Profiles . . . 239
        Antivirus Profile Page . . . 240
        Antivirus Tab . . . 240
        Exceptions Tab . . . 241
      Anti-spyware Profiles . . . 241
      Vulnerability Protection Profiles . . . 244
      URL Filtering Profiles . . . 247
      File Blocking Profiles . . . 252
      Data Filtering Profiles . . . 257
      DoS Profiles . . . 259
      Other Policy Objects . . . 261
      Defining Address Objects . . . 262
      Defining Address Groups . . . 263
      Defining Regions . . . 265
      Applications and Application Groups . . . 267
        Defining Applications . . . 271
        Defining Application Groups . . . 274
      Application Filters . . . 274
      Services . . . 275
      Service Groups . . . 277
      Working with Tags . . . 277
      Data Patterns . . . 278
      Dynamic Block Lists . . . 280
      Custom Spyware and Vulnerability Signatures . . . 282
        Defining Data Patterns . . . 283
        Defining Spyware and Vulnerability Signatures . . . 283
      Custom URL Categories . . . 286
      Security Profile Groups . . . 288
      Log Forwarding . . . 289
      Decryption Profiles . . . 290
      Schedules . . . 293

    Chapter 6: Reports and Logs . . . 295
      Using the Dashboard . . . 296
      Using the Application Command Center . . . 297
      Using App Scope . . . 301
        Summary Report . . . 302
        Change Monitor Report . . . 303
        Threat Monitor Report . . . 304
        Threat Map Report . . . 306
        Network Monitor Report . . . 307
        Traffic Map Report . . . 309
      Viewing the Logs . . . 310
        Viewing Session Information . . . 314
      Working with Botnet Reports . . . 314
        Configuring the Botnet Report . . . 315
        Managing Botnet Reports . . . 316
      Managing PDF Summary Reports . . . 317
      Managing User/Group Activity Reports . . . 319
      Managing Report Groups . . . 320
      Scheduling Reports for Email Delivery . . . 321
      Viewing Reports . . . 321
      Generating Custom Reports . . . 322
      Taking Packet Captures . . . 323

    Chapter 7: Configuring the Firewall for User Identification . . . 327
      Configuring the Firewall for User Identification . . . 327
        User Mapping Tab . . . 328
        User-ID Agents Tab . . . 333
        Terminal Services Agents Tab . . . 334
        Group Mapping Tab . . . 335
        Captive Portal Settings Tab . . . 337

    Chapter 8: Configuring IPSec Tunnels . . . 341
      Defining IKE Gateways . . . 341
        IKE Gateway General Tab . . . 342
        IKE Gateway Advanced Phase 1 Options Tab . . . 342
      Setting Up IPSec Tunnels . . . 343
        IPSec Tunnel General Tab . . . 343
        IPSec Tunnel Proxy ID Tab . . . 345
        Viewing IPSec Tunnel Status on the Firewall . . . 346
      Defining IKE Crypto Profiles . . . 346
      Defining IPSec Crypto Profiles . . . 347

    Chapter 9: GlobalProtect Settings . . . 349
      Setting Up the GlobalProtect Portal . . . 349
        Portal Configuration Tab . . . 349
        Client Configuration Tab . . . 351
        Satellite Configuration Tab . . . 357
      Setting Up the GlobalProtect Gateways . . . 359
        General Tab . . . 359
        Client Configuration Tab . . . 360
        Satellite Configuration Tab . . . 363
      Setting Up Gateway Access to a Mobile Security Manager . . . 365
      Creating HIP Objects . . . 367
        General Tab . . . 367
        Mobile Device Tab . . . 368
        Patch Management Tab . . . 370
        Firewall Tab . . . 370
        Antivirus Tab . . . 371
        Anti-Spyware Tab . . . 372
        Disk Backup Tab . . . 372
        Disk Encryption Tab . . . 373
        Data Loss Prevention Tab . . . 373
        Custom Checks Tab . . . 374
      Setting Up HIP Profiles . . . 375
      Setting Up and Activating the GlobalProtect Agent . . . 376
      Setting Up the GlobalProtect Agent . . . 378
        Using the GlobalProtect Agent . . . 378

    Chapter 10: Configuring Quality of Service . . . 379
      Configuring QoS for Firewall Interfaces . . . 379
      Defining QoS Profiles . . . 381
      Defining QoS Policies . . . 382
      Displaying QoS Statistics . . . 385

    Chapter 11: Central Device Management Using Panorama . . . 387
      Panorama Tab . . . 389
      Switching Device Context . . . 391
      Setting Up Storage Partitions . . . 392
      Configuring High Availability (HA) . . . 392
      Adding Devices . . . 394
      Backing Up Firewall Configurations . . . 397
      Defining Device Groups . . . 397
        Shared Objects and Policies . . . 398
        Applying Policy to a Specific Device in a Device Group . . . 399
      Defining Panorama Administrator Roles . . . 400
      Creating Panorama Administrative Accounts . . . 401
      Specifying Panorama Access Domains for Administrators . . . 403
      Committing Your Changes in Panorama . . . 403
      Templates . . . 405
        Overriding Template Settings . . . 406
        Deleting Templates . . . 407
      Logging and Reporting . . . 407
      Managing Log Collectors . . . 408
        Adding a Log Collector . . . 408
        Installing a Software Update on a Collector . . . 412
      Defining Log Collector Groups . . . 413
      Generating User Activity Reports . . . 415
      Viewing Firewall Deployment Information . . . 416
      Scheduling Dynamic Updates . . . 417
      Scheduling Configuration Exports . . . 418
      Upgrading the Panorama Software . . . 419
      Enable Log Forwarding . . . 420
      Register VM-Series Firewall as a Service on the NSX Manager . . . 423

    Updating Information from the VMware Service Manager. . . . . . . . . . . . . . 425

    Appendix ACustom Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427

    Antivirus and Anti-spyware Block Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427Application Block Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429File Blocking Block Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429SSL Decryption Opt-out Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430Captive Portal Comfort Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430SSL VPN Login Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430SSL Certificate Revoked Notify Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432URL Filtering and Category Match Block Page . . . . . . . . . . . . . . . . . . . . . . . . . . 432URL Filtering Continue and Override Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433URL Filtering Safe Search Enforcement Block Page . . . . . . . . . . . . . . . . . . . . . . . 434

    Appendix BApplication Categories, Subcategories, Technologies, and Characteristics 435

    Application Categories and Subcategories . . . . . . . . . . . . . . . . . . . . . . . . 435Application Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437Application Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437

    Appendix CPalo Alto Networks 9

  • Common Criteria/Federal Information Processing Standards Support . . 439Enabling CC/FIPS Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439CC/FIPS Security Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440

    Appendix DOpen Source Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441

    Artistic License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442BSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443GNU General Public License. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444GNU Lesser General Public License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448MIT/X11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454OpenSSH. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454PSF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458Zlib . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459

    Appendix EFirewall Access to External Web Resources . . . . . . . . . . . . . . . . . . . . . . . 461

    Application Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462Threat/Antivirus Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462PAN-DB URL Filtering Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462BrightCloud URL Filtering Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462WildFire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462

    Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46510 Palo Alto Networks

Chapter 1

    Introduction

    This section provides an overview of the firewall:

    Firewall Overview

    Features and Benefits

    Management Interfaces

    Firewall Overview

The Palo Alto Networks firewall allows you to specify security policies based on accurate identification of each application seeking access to your network. Unlike traditional firewalls that identify applications only by protocol and port number, the firewall uses packet inspection and a library of application signatures to distinguish between applications that have the same protocol and port, and to identify potentially malicious applications that use non-standard ports. For example, you can define security policies for specific applications, rather than rely on a single policy for all port 80 connections. For each identified application, you can specify a security policy to block or allow traffic based on the source and destination zones and addresses (IPv4 and IPv6). Each security policy can also specify security profiles to protect against viruses, spyware, and other threats.

Features and Benefits

    The firewall provides granular control over the traffic allowed to access your network. The primary features and benefits include:

Application-based policy enforcement: Access control by application is far more effective when application identification is based on more than just protocol and port number. High-risk applications can be blocked, as well as high-risk behavior such as file sharing. Traffic encrypted with the Secure Sockets Layer (SSL) protocol can be decrypted and inspected.

User Identification (User-ID): User-ID allows administrators to configure and enforce firewall policies based on users and user groups, instead of or in addition to network zones and addresses. The firewall can communicate with many directory servers, such as Microsoft Active Directory, eDirectory, SunOne, OpenLDAP, and most other LDAP-based directory servers, to obtain user and group information. Secure application enablement can then be defined per user or group. For example, the administrator could allow one organization to use a web-based application while no other organization in the company could use that application. You can also configure granular control of certain components of an application based on users and groups. See Configuring the Firewall for User Identification.

Threat prevention: Threat prevention services that protect the network from viruses, worms, spyware, and other malicious traffic can be varied by application and traffic source (see Security Profiles).

URL filtering: Outbound connections can be filtered to prevent access to inappropriate web sites (see URL Filtering Profiles).

Traffic visibility: Extensive reports, logs, and notification mechanisms provide detailed visibility into network application traffic and security events. The Application Command Center (ACC) in the web interface identifies the applications with the most traffic and the highest security risk (see Reports and Logs).

Networking versatility and speed: The firewall can augment or replace your existing firewall, and can be installed transparently in any network or configured to support a switched or routed environment. Multi-gigabit speeds and a single-pass architecture provide all services with little or no impact on network latency.

GlobalProtect: GlobalProtect provides security for client systems, such as laptops, that are used in the field by allowing easy and secure login from anywhere in the world.

Fail-safe operation: High availability support provides automatic failover in the event of any hardware or software disruption (see Enabling HA on the Firewall).

Malware analysis and reporting: WildFire provides detailed analysis and reporting on malware that traverses the firewall.

VM-Series Firewall: Provides a virtual instance of PAN-OS positioned for use in a virtualized data center environment and particularly well suited for private and public cloud deployments. Installs on any x86 device that is capable of running VMware ESXi, without the need to deploy Palo Alto Networks hardware.

Management and Panorama

Each firewall is managed through an intuitive web interface or a command-line interface (CLI), or all devices can be centrally managed through the Panorama centralized management system, which has a web interface very similar to the device web interface.

    Management Interfaces

    The firewall supports the following management interfaces. See Supported Browsers for a list of supported browsers.

Web interface: Configuration and monitoring over HTTP or HTTPS from a web browser. HTTP carries the login credentials and the session cookie in cleartext; use HTTPS for management access.

CLI: Text-based configuration and monitoring over Telnet, Secure Shell (SSH), or the console port (see the PAN-OS Command Line Interface Reference Guide). Telnet likewise sends credentials in cleartext; use SSH or the console port.

Panorama: Palo Alto Networks product that provides web-based management, reporting, and logging for multiple firewalls. The Panorama interface is similar to the device web interface, with additional management functions included. See Central Device Management Using Panorama for information on using Panorama.

Simple Network Management Protocol (SNMP): Palo Alto Networks products support SNMPv2c and SNMPv3, read-only access over SNMP, and SNMP traps (see Configuring SNMP Trap Destinations). SNMPv2c community strings travel in cleartext; prefer SNMPv3 with authentication and privacy.

Syslog: Provides message generation for one or more remote syslog servers (see Configuring Syslog Servers).

XML API: Provides a Representational State Transfer (REST)-based interface to access device configuration, operational status, reports, and packet captures from the firewall. An API browser is available on the firewall at https://<hostname>/api, where <hostname> is the host name or IP address of the firewall. It provides help on the parameters required for each type of API call. See the XML API Usage Guide for more information.


Chapter 2

    Getting Started

    This chapter describes how to set up and start using the firewall:

    Preparing the Firewall

    Setting Up the Firewall

    Using the Firewall Web Interface

    Getting Help Configuring the Firewall

    Preparing the Firewall

    Perform the following tasks to prepare the firewall for setup:

    1. Mount the firewall in a rack and power it up as described in the Hardware Reference Guide for your platform.

    2. Register your firewall at https://support.paloaltonetworks.com to obtain the latest software and App-ID updates, and to activate support or subscriptions with the authorization codes emailed to you.

    3. Obtain an IP address from your network administrator for configuring the management port on the firewall.

    Setting Up the Firewall

    To perform the initial firewall setup:

    1. Connect your computer to the management port (MGT) on the firewall using an RJ-45 Ethernet cable.

    2. Start your computer. Assign a static IP address to your computer on the 192.168.1.0 network (for example, 192.168.1.5) with a netmask of 255.255.255.0.

    3. Launch a supported web browser and enter https://192.168.1.1.

The browser automatically opens the Palo Alto Networks login page.


4. Enter admin in both the Name and Password fields, and click Login. The system presents a warning that the default password should be changed. Click OK to continue. These factory credentials are public knowledge, so complete Step 8 before the management port is reachable from anything other than your directly connected computer.

    5. On the Device tab, choose Setup and configure the following (for general instructions on configuring settings in the web interface, see Using the Firewall Web Interface):

On the Management tab under Management Interface Settings, enter the firewall's IP address, netmask, and default gateway.

    On the Services tab, enter the IP address of the Domain Name System (DNS) server. Enter the IP address or host and domain name of the Network Time Protocol (NTP) server and select your time zone.

    Click Support on the side menu. If this is the first Palo Alto Networks firewall for your company, click Register Device to register the firewall. (If you have already registered a firewall, you have received a user name and password.) Click the Activate support using authorization codes link and enter the authorization codes that have been emailed to you for any optional features. Use a space to separate multiple authorization codes.

6. Click Administrators under the Device tab.

    7. Click admin.

    8. In the New Password and Confirm New Password fields, enter and confirm a case-sensitive password (up to 15 characters).

    9. Click OK to submit the new password.

    10. Commit the configuration to make these settings active. When the changes are committed, the firewall will be reachable through the IP address assigned in Step 5. For information on committing changes, see Committing Changes.

The default configuration of the firewall when delivered from the factory, or after a factory reset is performed, is a virtual wire between Ethernet ports 1 and 2 with a default policy to deny all inbound traffic and allow all outbound traffic.
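As an added example (not code from this guide or from Palo Alto Networks), the following Python script performs the setup steps above through the XML API introduced in Chapter 1 instead of through the browser: it obtains an API key as admin, sets the management address, DNS server and NTP server, and commits. The endpoint https://<firewall>/api/ and the request types keygen, config and commit are the documented API; the XPath, the element names, the sample replies and the addresses are assumptions for this example, modelled on the equivalent CLI command set deviceconfig system ..., and should be checked against the API browser on the firewall before use.

```python
"""Initial setup over the PAN-OS XML API instead of the browser.

Added example, not Palo Alto Networks code. Documented by the guide: the
endpoint https://<firewall>/api/ and the request types keygen, config, commit.
Assumed (check against the API browser at https://<firewall>/api): the XPath and
element names below, modelled on the CLI command 'set deviceconfig system ...'.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FACTORY_MGT_IP = "192.168.1.1"   # factory-default MGT address named in the guide
SYSTEM_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
                "/deviceconfig/system")      # assumption


class PanApiError(Exception):
    """The firewall replied with <response status="error">."""


def build_url(host, params):
    """One API call as a URL. On PAN-OS 6.1 the API key (and the admin password
    for keygen) travel in the query string, so they end up in proxy logs and
    shell history: run this from a trusted host and rotate the key afterwards."""
    return f"https://{host}/api/?" + urllib.parse.urlencode(params)


def parse_response(xml_text):
    """Return the <result> element; raise PanApiError on status="error"."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or root.findtext(".//line") or "unknown error"
        raise PanApiError(f"code {root.get('code')}: {msg}")
    return root.find("result")


def extract_key(keygen_xml):
    """API key from a type=keygen reply."""
    result = parse_response(keygen_xml)
    key = result.findtext("key") if result is not None else None
    if not key:
        raise PanApiError("keygen reply carried no <key>")
    return key


def commit_job_id(commit_xml):
    """Job id from a type=commit reply. Commits are asynchronous: poll the job
    with type=op&cmd=<show><jobs><id>N</id></jobs></show> until it finishes."""
    result = parse_response(commit_xml)
    job = result.findtext("job") if result is not None else None
    if not job:
        raise PanApiError("commit reply carried no <job>")
    return job


def mgmt_system_element(ip, netmask, gateway, dns, ntp):
    """Payload for type=config&action=set at SYSTEM_XPATH (step 5 of the
    walkthrough). action=set appends the payload under the XPath node, so the
    children are returned without the <system> wrapper."""
    system = ET.Element("system")
    ET.SubElement(system, "ip-address").text = ip
    ET.SubElement(system, "netmask").text = netmask
    ET.SubElement(system, "default-gateway").text = gateway
    servers = ET.SubElement(ET.SubElement(system, "dns-setting"), "servers")
    ET.SubElement(servers, "primary").text = dns
    ntp1 = ET.SubElement(ET.SubElement(system, "ntp-servers"), "primary-ntp-server")
    ET.SubElement(ntp1, "ntp-server-address").text = ntp
    return "".join(ET.tostring(child, encoding="unicode") for child in system)


def call(host, params, ca_file):
    """Send one request. The factory certificate is self-signed: pin it through
    ca_file rather than disabling verification. The hostname check is off
    because that certificate does not name the address you connect to."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with urllib.request.urlopen(build_url(host, params), context=ctx, timeout=30) as r:
        return r.read().decode()


def initial_setup(ca_file, admin_password, ip, netmask, gateway, dns, ntp):
    """Steps 4, 5 and 10 of the walkthrough. After the commit the firewall
    answers on `ip`, not on the factory address. The password change of step 8
    is left to the web interface: over the API it needs a pre-hashed value."""
    key = extract_key(call(FACTORY_MGT_IP, {"type": "keygen", "user": "admin",
                                            "password": admin_password}, ca_file))
    parse_response(call(FACTORY_MGT_IP, {
        "type": "config", "action": "set", "xpath": SYSTEM_XPATH,
        "element": mgmt_system_element(ip, netmask, gateway, dns, ntp),
        "key": key}, ca_file))
    return commit_job_id(call(FACTORY_MGT_IP, {"type": "commit",
                                               "cmd": "<commit></commit>",
                                               "key": key}, ca_file))


if __name__ == "__main__":
    # Addresses and the certificate file name are placeholders for this example.
    job = initial_setup("firewall-factory-cert.pem", "admin", "10.1.1.5",
                        "255.255.255.0", "10.1.1.1", "10.1.1.53", "10.1.1.123")
    print(f"commit job {job} queued; the firewall now answers on 10.1.1.5")
```

Export the factory certificate from the browser once (or fetch it over the console-attached network) and pass it as ca_file; this keeps TLS verification on while talking to an address the certificate does not name. Because the key is a bearer credential sent in the URL, treat it like the admin password and change that password (step 8) once the firewall is on the network.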

Using the Firewall Web Interface

    The following conventions apply when using the firewall interface.

    To display the menu items for a general functional category, click the tab, such as Objects or Device, near the top of the browser window.

    Click an item on the side menu to display a panel.

To display submenu items, click the expand icon to the left of an item. To hide submenu items, click the collapse icon to the left of the item.

    On most configuration pages, you can click Add to create a new item.

    To delete one or more items, select their check boxes and click Delete. In most cases, the system prompts you to confirm by clicking OK or to cancel the deletion by clicking Cancel.

On some configuration pages, you can select the check box for an item and click Clone to create a new item with the same information as the selected item.

To modify an item, click its underlined link.

    To view help information on a page, click the Help icon in upper right area of the page.

    To view the current list of tasks, click the Tasks icon in the lower right corner of the page. The Task Manager window opens to show the list of tasks, along with status, start times, associated messages, and actions. Use the Show drop-down list to filter the list of tasks.

    The web interface language is controlled by the current language of the computer that is managing the device if a specific language preference has not been defined. For example, if the computer you use to manage the firewall has a locale of Spanish, when you log in to the firewall, the web interface will be in Spanish.

    To specify a language that will always be used for a given account regardless of the locale of the computer, click the Language icon in the lower right corner of the page and the Language Preference window opens. Click the drop-down list to select the desired language and then click OK to save your change.

On pages that list information you can modify (for example, the Setup page on the Device tab), click the edit icon in the upper right corner of a section to edit the settings.

After you configure settings, you must click OK or Save to store the changes. When you click OK, the current candidate configuration is updated.

Committing Changes

Click Commit at the top of the web interface to open the commit dialog box. The following options are available in the commit dialog box. Click the Advanced link, if needed, to display the options:

Include Device and Network configuration: Include the device and network configuration changes in the commit operation.

Include Shared Object configuration: (Multi-virtual system firewalls only) Include the shared object configuration changes in the commit operation.

Include Policy and Objects: (Non-multi-virtual system firewalls only) Include the policy and object configuration changes in the commit operation.

Include virtual system configuration: Include all virtual systems or choose Select one or more virtual systems.

    For more information about committing changes, see Defining Operations Settings.

Preview Changes: Click this button to bring up a two-pane window that shows proposed changes in the candidate configuration compared to the current running configuration. You can choose the number of lines of context to display, or show all lines. Changes are color coded based on items that have been added, modified, or deleted. The Device > Config Audit feature performs the same function; see Comparing Configuration Files.

Navigating to Configuration Pages

Each configuration section in this guide shows the menu path to the configuration page. For example, to reach the Vulnerability Protection page, choose the Objects tab and then choose Vulnerability Protection under Security Profiles in the side menu. This is indicated in this guide by the following path:

Objects > Security Profiles > Vulnerability Protection

Using Tables on Configuration Pages

The tables on configuration pages include sorting and column chooser options. Click a column header to sort on that column, and click again to change the sort order. Click the arrow to the right of any column and select check boxes to choose the columns to display.

Required Fields

Required fields are shown with a light yellow background. A message indicating that the field is required appears when you hover over or click in the field entry area.

Note: Configuration changes that span multiple configuration areas may require a full commit. For example, if you make certain changes in the Device tab and then click Commit and select only the Include Device and Network configuration option, some items will not commit. This includes certificates and User-ID options as well as Server Profiles used for User-ID, such as an LDAP server profile. This can also occur if you perform a partial commit after importing a configuration. To commit these types of changes, do a full commit and select both Include Device and Network configuration and Include Policy and Object configuration.

Locking Transactions

The web interface provides support for multiple administrators by allowing an administrator to lock a current set of transactions, thereby preventing configuration changes or commit operations by another administrator until the lock is removed. The following types of locks are supported:

Config lock: Blocks other administrators from making changes to the configuration. This type of lock can be set globally or for a virtual system. It can be removed only by the administrator who set it or by a superuser on the system.

Commit lock: Blocks other administrators from committing changes until all of the locks have been released. This type of lock prevents collisions that can occur when two administrators are making changes at the same time and the first administrator finishes and commits changes before the second administrator has finished. The lock is released when the current changes are committed by the administrator who applied the lock, or it can be released manually.

Any administrator can open the lock window to view the current transactions that are locked, along with a timestamp for each. To lock a transaction, click the unlocked icon on the top bar to open the Locks dialog box. Click Take a Lock, select the scope of the lock from the drop-down list, and click OK. Add additional locks as needed, and then click Close to close the Locks dialog box. The transaction is locked, and the icon on the top bar changes to a locked icon that shows the number of locked items in parentheses.

To unlock a transaction, click the locked icon on the top bar to open the Locks window. Click the icon for the lock that you want to remove, and click Yes to confirm. Click Close to close the Locks dialog box. You can arrange to automatically acquire a commit lock by selecting the Automatically acquire commit lock check box in the Management area of the Device Setup page. See System Setup, Configuration, and License Management.

Supported Browsers

The following web browsers are supported for access to the firewall web interface:

Internet Explorer 7+

Firefox 3.6+

Safari 5+

Chrome 11+

Getting Help Configuring the Firewall

Use the information in this section to obtain help on using the firewall.

Obtaining More Information

To obtain more information about the firewall, see the following:

General information: Go to http://www.paloaltonetworks.com.

Documentation: For information on the additional capabilities and for instructions on configuring the features on the firewall, go to https://www.paloaltonetworks.com/documentation.

Online help: Click Help in the upper-right corner of the web interface to access the online help system.

Knowledge Base: For access to the knowledge base, a collaborative area for customer and partner interaction, discussion forums, and videos, go to https://live.paloaltonetworks.com.

Technical Support: For technical support, for information on support programs, or to manage your account or devices, go to https://support.paloaltonetworks.com.


Chapter 3

    Device Management

    Use the following sections for field reference on basic system configuration and maintenance tasks on the firewall:

    System Setup, Configuration, and License Management

    Defining VM Information Sources

    Installing the Software

    Updating Threat and Application Definitions

    Administrator Roles, Profiles, and Accounts

    Setting Up Authentication Profiles

    Setting Up an Authentication Sequence

    Creating a Certificate Profile

    Scheduling Log Exports

    Defining Logging Destinations

    Defining Alarm Log Settings

    Configuring Netflow Settings

    Using Certificates

    Encrypting Private Keys and Passwords on the Firewall

    Enabling HA on the Firewall

    Defining Virtual Systems

    Defining Custom Response Pages

Viewing Support Information

System Setup, Configuration, and License Management

The following sections describe how to define network settings for management access, how to define service routes and services, and how to manage configuration options such as global session timeouts, content identification, and WildFire malware analysis and reporting:

    Defining Management Settings

    Defining Operations Settings

    Defining Hardware Security Modules

    SNMP

    Defining Services Settings

    Defining Content-ID Settings

    Configuring WildFire Settings

    Defining Session Settings

    Comparing Configuration Files

    Installing a License

Defining Management Settings

Device > Setup > Management

Panorama > Setup > Management

On a firewall, use the Device > Setup > Management tab to configure management settings. On Panorama, use the Device > Setup > Management tab to configure managed firewalls via Panorama templates. Use the Panorama > Setup > Management tab to configure settings for Panorama itself.

    For firewall management, optionally you can use the IP address of a loopback interface instead of the management port (see Configuring a Loopback Interface).

    Table 1. Management Settings

    Item Description

    General Settings

Hostname: Enter a host name (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Domain: Enter the Fully Qualified Domain Name (FQDN) of the firewall (up to 31 characters).

Login Banner: Enter custom text that will be displayed on the firewall login page. The text is displayed below the Name and Password fields.

Time Zone: Select the time zone of the firewall.

Locale: Select a language for PDF reports from the drop-down list. See Managing PDF Summary Reports. If you have a specific language preference set for the web interface, PDF reports will still use the language specified in this locale setting. See language preference in Using the Firewall Web Interface.

Time: To set the date and time on the firewall, click Set Time. Enter the current date (YYYY/MM/DD) or click the calendar icon to select a month and day. Enter the current time in 24-hour format (HH:MM:SS). You can also define an NTP server from Device > Setup > Services.

Serial Number (virtual machines only): Enter the serial number of the firewall/Panorama. Find the serial number in the order fulfillment email that was sent to you.

Geo Location: Enter the latitude (-90.0 to 90.0) and longitude (-180.0 to 180.0) of the firewall.

Automatically acquire commit lock: Automatically apply a commit lock when you change the candidate configuration. For more information, see Locking Transactions.

Certificate Expiration Check: Instruct the firewall to create warning messages when on-box certificates near their expiration dates.

Multi Virtual System Capability: Enables the use of multiple virtual systems (if the firewall model supports that feature). For details, see Defining Virtual Systems.

URL Filtering Database (Panorama only): Select a URL filtering vendor to enable on Panorama: brightcloud or paloaltonetworks (PAN-DB).

Authentication Settings

Authentication Profile: Select the authentication profile to use for administrator access to the firewall. For instructions on configuring authentication profiles, see Setting Up Authentication Profiles.

Certificate Profile: Select the certificate profile to use for administrator access to the firewall. For instructions on configuring certificate profiles, see Creating a Certificate Profile.

Idle Timeout: Enter the timeout interval in minutes (0-1440). A value of 0 means that the management, web, or CLI session does not time out; an abandoned browser session then stays usable indefinitely, so set a finite value.

# Failed Attempts: Enter the number of failed login attempts (0-10, default 0) that PAN-OS allows for the web interface and CLI before locking the account. A value of 0 specifies unlimited attempts, which leaves the management interface open to online password guessing; set a non-zero value together with a Lockout Time.

Lockout Time: Enter the number of minutes (0-60, default 0) for which PAN-OS locks out a user upon reaching the # Failed Attempts limit.
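The Authentication Settings rows above describe the defaults that matter most for the brute-force resistance of the management interface. The following Python script, an added example rather than code from the guide or from Palo Alto Networks, audits an exported firewall configuration (Device > Setup > Operations export, or type=config&action=show over the XML API) for those defaults and for the cleartext management services mentioned in Chapter 1, and builds the corrected element for an XML API set request. The element paths are assumptions modelled on the CLI commands set deviceconfig setting management ... and set deviceconfig system service ...; the sample configuration is constructed for this example.

```python
"""Audit an exported PAN-OS configuration for weak management settings.

Added example, not Palo Alto Networks code. Flags what the Management Settings
table warns about: idle-timeout 0 (sessions never expire) and failed-attempts 0
(unlimited password guesses), plus Telnet/HTTP left enabled on the management
port (cleartext credentials).

Assumed element paths (modelled on 'set deviceconfig setting management ...'
and 'set deviceconfig system service ...'); the sample config is constructed.
"""
import xml.etree.ElementTree as ET

DEVICE = "./devices/entry[@name='localhost.localdomain']/deviceconfig"
MGMT = DEVICE + "/setting/management"      # assumed path
SERVICE = DEVICE + "/system/service"       # assumed path

# Constructed sample: a firewall still on factory-style management settings.
WEAK_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><deviceconfig>
    <system>
      <hostname>fw-lab-01</hostname>
      <service><disable-telnet>no</disable-telnet><disable-http>no</disable-http></service>
    </system>
    <setting><management>
      <idle-timeout>0</idle-timeout>
      <admin-lockout><failed-attempts>0</failed-attempts><lockout-time>0</lockout-time></admin-lockout>
    </management></setting>
  </deviceconfig></entry></devices>
</config>"""


def _int(root, path, default):
    """Integer at `path`, or `default` when the element is absent (an absent
    element means the firewall default applies)."""
    text = root.findtext(path)
    return default if text is None or not text.strip() else int(text)


def audit(config_xml):
    """Return a list of (setting, value, problem) tuples; empty means clean."""
    root = ET.fromstring(config_xml)
    findings = []

    idle = _int(root, MGMT + "/idle-timeout", None)
    if idle == 0:
        findings.append(("idle-timeout", idle,
                         "0 disables the session timeout; set 1-1440 minutes"))

    # Table 1: # Failed Attempts default 0 means unlimited attempts.
    failed = _int(root, MGMT + "/admin-lockout/failed-attempts", 0)
    lockout = _int(root, MGMT + "/admin-lockout/lockout-time", 0)
    if failed == 0:
        findings.append(("failed-attempts", failed,
                         "0 allows unlimited login attempts; set 1-10"))
    elif lockout == 0:
        findings.append(("lockout-time", lockout,
                         "left at default 0; set an explicit 1-60 minute lockout"))

    # Telnet and HTTP carry credentials in cleartext (Chapter 1, Management Interfaces).
    for svc in ("telnet", "http"):
        if root.findtext(f"{SERVICE}/disable-{svc}", "").strip() != "yes":
            findings.append((f"disable-{svc}", "no",
                             f"{svc} not disabled on the management port; use ssh/https"))
    return findings


def hardened_management_element(idle_minutes=10, failed_attempts=5, lockout_minutes=30):
    """Payload for type=config&action=set at the management XPath that clears
    the idle/lockout findings (assumed element names; children only, since
    action=set appends under the XPath node)."""
    m = ET.Element("management")
    ET.SubElement(m, "idle-timeout").text = str(idle_minutes)
    lock = ET.SubElement(m, "admin-lockout")
    ET.SubElement(lock, "failed-attempts").text = str(failed_attempts)
    ET.SubElement(lock, "lockout-time").text = str(lockout_minutes)
    return "".join(ET.tostring(child, encoding="unicode") for child in m)


if __name__ == "__main__":
    for setting, value, problem in audit(WEAK_CONFIG):
        print(f"{setting}={value}: {problem}")
    print("fix:", hardened_management_element())
```

Run it against the XML you exported before and after a change, and keep the audit in the same place you keep the configuration backups so that a later partial commit that silently drops one of these values (see the Note under Required Fields) is caught.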


Panorama Settings: Device > Setup > Management

If you use Panorama to manage the firewall, configure the following settings on the firewall or in a template on Panorama. These settings establish a connection between the firewall and Panorama, and determine the connection timeouts. If you edit the settings on a firewall (not in a template on Panorama), you can also enable or disable the propagation of policies, objects, device groups, and template information from Panorama to the firewall.

Note: You must also configure connection timeouts and object sharing settings on Panorama: see Panorama Settings: Panorama > Setup > Management.

Panorama Servers: Enter the IP address of the Panorama server. If Panorama is in a high availability (HA) configuration, in the second Panorama Servers field, enter the IP address of the secondary Panorama server.

Receive Timeout for Connection to Panorama: Enter the timeout for receiving TCP messages from Panorama (1-240 seconds, default 240).

Send Timeout for Connection to Panorama: Enter the timeout for sending TCP messages to Panorama (1-240 seconds, default 240).

Retry Count for SSL Send to Panorama: Enter the number of retries for attempts to send Secure Sockets Layer (SSL) messages to Panorama (1-64, default 25).

Disable/Enable Panorama Policy and Objects: This button appears when you edit the Panorama Settings on a firewall (not in a template on Panorama). By default, Panorama propagates the policies and objects that are defined for a device group to the firewalls assigned to that group. Clicking Disable Panorama Policy and Objects disables that propagation. By default, this operation also removes those policies and objects from the firewall.

To keep a local copy of the device group policies and objects on the firewall before disabling propagation, in the dialog box that the button opens, select the Import Panorama Policy and Objects before disabling check box. Then, when you click OK, PAN-OS copies the policies and objects to the current candidate configuration. After you perform a commit, the policies and objects become part of the firewall configuration: Panorama no longer manages them.

Under normal operating conditions, disabling Panorama management is unnecessary and could complicate the maintenance and configuration of the firewall. This option generally applies to situations where the firewall requires rules and object values that differ from those defined in the device group. An example situation is when you move a firewall out of production and into a laboratory environment for testing.

To revert firewall policy and object management to Panorama, click Enable Panorama Policy and Objects.

    Table 1. Management Settings (Continued)

    Item Description26 Device Management Palo Alto Networks

    Disable/Enable Device and Network Template

    This button appears when you edit the Panorama Settings on a firewall (not in a template on Panorama). By default, Panorama propagates the device and network configurations defined for a template to the firewalls assigned to that template. Clicking Disable Device and Network Template disables that propagation. By default, this operation also removes the template information from the firewall.

    To keep a local copy of the template information on the firewall before disabling propagation, in the dialog box that the button opens, select the Import Device and Network Templates before disabling check box. Then, when you click OK, PAN-OS copies the information defined in the template to the current candidate configuration on the firewall. After you perform a commit, the template information becomes part of the firewall configuration: Panorama no longer manages that information.

    Under normal operating conditions, disabling Panorama management is unnecessary and could complicate the maintenance and configuration of the firewall. This option generally applies to situations where the firewall requires rules and object values that differ from those defined in the device group. An example situation is when you move a firewall out of production and into a laboratory environment for testing.

    To make the firewall resume accepting templates, click Enable Device and Network Templates.

    Panorama Settings: Panorama > Setup > Management

    If you use Panorama to manage firewalls, configure the following settings on Panorama. These settings determine timeouts and SSL message attempts for the connections between Panorama and managed firewalls, as well as object sharing parameters.

    Note: You must also configure Panorama connection settings on the firewall, or in a template on Panorama: see Panorama Settings: Device > Setup > Management.

    Receive Timeout for Connection to Device

    Enter the timeout for receiving TCP messages from all managed firewalls (1-240 seconds, default 240).

    Send Timeout for Connection to Device

    Enter the timeout for sending TCP messages to all managed firewalls (1-240 seconds, default 240).

    Retry Count for SSL Send to Device

    Enter the number of retries for attempts to send Secure Socket Layer (SSL) messages to managed firewalls (1-64, default 25).

    Share Unused Address and Service Objects with Devices

    Select this check box to share all Panorama shared objects and device group-specific objects with managed firewalls. This setting is enabled by default.

    If you clear the check box, PAN-OS checks Panorama policies for references to address, address group, service, and service group objects, and does not share any unreferenced objects. This option reduces the total object count by ensuring that PAN-OS sends only necessary objects to managed firewalls.

    Shared Objects Take Precedence

    Select the check box to specify that shared objects take precedence over device group objects. In this case, device group objects cannot override corresponding objects of the same name from a shared location; PAN-OS discards any device group object with the same name as a shared object.

    By default, this system-wide setting is disabled: device groups override corresponding shared objects of the same name.
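The two check boxes above change which objects Panorama pushes to a firewall. The following is an added example (not PAN-OS code and not from the guide) that models both settings on a constructed object set; following address-group membership when pruning unused objects is this example's assumption, since the guide only states that policies are checked for references.

```python
"""Model of the two object-sharing check boxes described above.

Added example, not PAN-OS code: it shows how 'Share Unused Address and Service
Objects with Devices' and 'Shared Objects Take Precedence' change the object
set that Panorama pushes to a managed firewall. Following group membership so
that a member address referenced only through its group is still kept is an
assumption made here; the guide only says policies are checked for references.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

Obj = Dict[str, object]   # e.g. {"type": "address", "value": "10.0.1.10"}


@dataclass
class PolicyRule:
    """Only the object names a rule refers to matter for this model."""
    name: str
    refs: Set[str] = field(default_factory=set)


def effective_objects(shared: Dict[str, Obj], device_group: Dict[str, Obj],
                      rules: List[PolicyRule], share_unused: bool = True,
                      shared_take_precedence: bool = False) -> Dict[str, Obj]:
    """Return name -> definition of the objects Panorama would send to the firewall."""
    merged: Dict[str, Obj] = {}
    if shared_take_precedence:
        # Shared wins: a device group object with a shared object's name is discarded.
        merged.update(device_group)
        merged.update(shared)
    else:
        # Default: the device group object overrides the shared one of the same name.
        merged.update(shared)
        merged.update(device_group)
    if share_unused:
        return merged                     # default: everything is pushed
    # Keep only objects reachable from a policy reference (groups expanded, see above).
    referenced: Set[str] = set()
    pending = {ref for rule in rules for ref in rule.refs}
    while pending:
        name = pending.pop()
        if name in referenced or name not in merged:
            continue
        referenced.add(name)
        pending.update(merged[name].get("members", []))
    return {n: o for n, o in merged.items() if n in referenced}


# Constructed sample: a shared object and a device group object share the name "dns-server".
SHARED = {
    "dns-server": {"type": "address", "value": "10.0.0.53"},
    "web1": {"type": "address", "value": "10.0.1.10"},
    "web2": {"type": "address", "value": "10.0.1.11"},
    "web-servers": {"type": "address-group", "members": ["web1", "web2"]},
    "legacy-svc": {"type": "service", "protocol": "tcp", "port": "8080"},   # referenced by no rule
}
DEVICE_GROUP = {
    "dns-server": {"type": "address", "value": "192.168.5.53"},
    "branch-printer": {"type": "address", "value": "192.168.5.9"},           # referenced by no rule
}
RULES = [PolicyRule("allow-web", {"web-servers"}), PolicyRule("allow-dns", {"dns-server"})]
```

With the defaults the firewall receives all seven objects and the device group's dns-server value; clearing Share Unused drops legacy-svc and branch-printer, and enabling Shared Objects Take Precedence makes the shared dns-server value win.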


    Management Interface Settings

    This interface applies to the firewall, Panorama M-100 appliance, or Panorama virtual appliance.

    By default, the M-100 appliance uses the management (MGT) interface for configuration, log collection, and collector group communication. However, if you configure Eth1 or Eth2 for log collection and/or collector group communication, it is a best practice to define a separate subnet for the MGT interface that is more private than the Eth1 or Eth2 subnets. You define the subnet in the Netmask (for IPv4) or IPv6 Address/Prefix Length (for IPv6) field. The Panorama virtual appliance does not support separate interfaces.

    Note: To complete the configuration of the management interface, you must specify the IP address, netmask (for IPv4) or prefix length (for IPv6), and default gateway. If you commit a partial configuration (for example, you might omit the default gateway), you can only access the device via the console port for future configuration changes. It is recommended that you commit a complete configuration.

    IP Address (IPv4) If your network uses IPv4, assign an IPv4 address to the management port. Alternatively, you can assign the IP address of a loopback interface for device management.

    By default, this is the source address for log forwarding.

    Netmask (IPv4) If you assigned an IPv4 address to the management port, enter a network mask (for example, 255.255.255.0).

    Default Gateway If you assigned an IPv4 address to the management port, assign an IPv4 address to the default router (it must be on the same subnet as the management port).

    IPv6 Address/Prefix Length

    If your network uses IPv6, assign an IPv6 address to the management port. To indicate the netmask, enter an IPv6 prefix length (for example, 2001:400:f00::1/64).

    Default IPv6 Gateway If you assigned an IPv6 address to the management port, assign an IPv6 address to the default router (it must be on the same subnet as the management port).

    Speed Configure a data rate and duplex option for the management interface. The choices include 10Mbps, 100Mbps, and 1Gbps at full or half duplex. Use the default auto-negotiate setting to have the device (Panorama or the firewall) determine the interface speed.

    This setting must match the port settings on the neighboring network equipment.

    MTU Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range 576-1500, default 1500).

    Services Select the services you want enabled on the specified management interface address: HTTP, HTTP OCSP, HTTPS, Telnet, SSH (Secure Shell), Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP.

    Permitted IP Addresses Enter the list of IP addresses from which firewall management is allowed. When using this option for the Panorama M-100 appliance, add the IP address of each managed firewall, otherwise the firewall cannot connect and forward logs to Panorama or receive configuration updates.


    Eth1 Interface Settings

    This interface only applies to the Panorama M-100 appliance, not the Panorama virtual appliance or the firewall. By default, the M-100 appliance uses the management interface for configuration, log collection, and collector group communication. However, if you enable Eth1, you can configure it for log collection and/or collector group communication when you define managed collectors (Panorama > Managed Collectors).

    Note: You cannot commit the Eth1 configuration unless you specify the IP address, netmask (for IPv4) or prefix length (for IPv6), and default gateway.

    Eth1 Select this check box to enable the Eth1 interface.

    IP Address (IPv4) If your network uses IPv4, assign an IPv4 address to the Eth1 port.

    Netmask (IPv4) If you assigned an IPv4 address to the port, enter a network mask (for example, 255.255.255.0).

    Default Gateway If you assigned an IPv4 address to the port, assign an IPv4 address to the default router (it must be on the same subnet as the Eth1 port).

    IPv6 Address/Prefix Length

    If your network uses IPv6, assign an IPv6 address to the Eth1 port. To indicate the netmask, enter an IPv6 prefix length (for example, 2001:400:f00::1/64).

    Default IPv6 Gateway If you assigned an IPv6 address to the port, assign an IPv6 address to the default router (it must be on the same subnet as the Eth1 port).

    Speed Configure a data rate and duplex option for the Eth1 interface. The choices include 10Mbps, 100Mbps, and 1Gbps at full or half duplex. Use the default auto-negotiate setting to have Panorama determine the interface speed.

    This setting must match the port settings on the neighboring network equipment.

    MTU Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range 576-1500, default 1500).

    Services Select Ping if you want to enable that service on the Eth1 interface.

    Permitted IP Addresses Enter the list of IP addresses from which Eth1 management is allowed.

    Eth2 Interface Settings

    This interface only applies to the Panorama M-100 appliance, not the Panorama virtual appliance or the firewall. By default, the M-100 appliance uses the management interface for configuration, log collection, and collector group communication. However, if you enable Eth2, you can configure it for log collection and/or collector group communication when you define managed collectors (Panorama > Managed Collectors).

    Note: You cannot commit the Eth2 configuration unless you specify the IP address, netmask (for IPv4) or prefix length (for IPv6), and default gateway.

    Eth2 Select this check box to enable the Eth2 interface.

    IP Address (IPv4) If your network uses IPv4, assign an IPv4 address to the Eth2 port.

    Netmask (IPv4) If you assigned an IPv4 address to the port, enter a network mask (for example, 255.255.255.0).

    Default Gateway If you assigned an IPv4 address to the port, assign an IPv4 address to the default router (it must be on the same subnet as the Eth2 port).


    IPv6 Address/Prefix Length

    If your network uses IPv6, assign an IPv6 address to the Eth2 port. To indicate the netmask, enter an IPv6 prefix length (for example, 2001:400:f00::1/64).

    Default IPv6 Gateway If you assigned an IPv6 address to the port, assign an IPv6 address to the default router (it must be on the same subnet as the Eth2 port).

    Speed Configure a data rate and duplex option for the Eth2 interface. The choices include 10Mbps, 100Mbps, and 1Gbps at full or half duplex. Use the default auto-negotiate setting to have Panorama determine the interface speed.

    This setting must match the port settings on the neighboring network equipment.

    MTU Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range 576-1500, default 1500).

    Services Select Ping if you want to enable that service on the Eth2 interface.

    Permitted IP Addresses Enter the list of IP addresses from which Eth2 management is allowed.
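The Management, Eth1 and Eth2 sections above share the same consistency rules (all of address, netmask/prefix length and gateway present; gateway on the interface subnet; MTU 576-1500; MGT on its own subnet; managed firewalls listed in Permitted IP Addresses). The following is an added example, not part of the guide or of PAN-OS, that checks a constructed M-100 configuration against those rules before commit; treating an empty Permitted IP Addresses list as unrestricted is this example's assumption.

```python
"""Pre-commit checks for the MGT, Eth1 and Eth2 settings described above.
Added example, not part of the guide or of PAN-OS. It encodes the rules the
text states (all three of IP, netmask/prefix and gateway present; gateway on
the interface subnet; MTU 576-1500; MGT on its own subnet apart from an enabled
Eth1/Eth2; every managed firewall covered by the MGT Permitted IP Addresses).
Treating an empty permitted list as unrestricted is this example's assumption.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Interface:
    name: str
    enabled: bool = True
    ip: Optional[str] = None        # "10.10.0.5" or "2001:db8::5"
    netmask: Optional[str] = None   # IPv4 dotted mask, or an IPv6 prefix length such as "64"
    gateway: Optional[str] = None
    mtu: int = 1500
    permitted: List[str] = field(default_factory=list)  # Permitted IP Addresses

    def network(self):
        """Interface subnet, or None if IP/netmask are missing or unparsable."""
        try:
            return ipaddress.ip_network(f"{self.ip}/{self.netmask}", strict=False)
        except ValueError:
            return None


def check_interface(iface: Interface) -> List[str]:
    """Problems that would make this interface's config incomplete or unreachable."""
    if not iface.enabled:
        return []
    if not (iface.ip and iface.netmask is not None and iface.gateway):
        # A partial MGT config leaves only console access; Eth1/Eth2 will not commit at all.
        return [f"{iface.name}: IP address, netmask/prefix length and default gateway are all required"]
    net = iface.network()
    if net is None:
        return [f"{iface.name}: {iface.ip}/{iface.netmask} is not a valid address/netmask"]
    problems: List[str] = []
    try:
        gw = ipaddress.ip_address(iface.gateway)
        if gw.version != net.version or gw not in net:
            problems.append(f"{iface.name}: default gateway {gw} is not on subnet {net}")
    except ValueError:
        problems.append(f"{iface.name}: default gateway {iface.gateway!r} is not a valid address")
    if not 576 <= iface.mtu <= 1500:
        problems.append(f"{iface.name}: MTU {iface.mtu} is outside 576-1500")
    return problems


def check_m100(mgt: Interface, eth1: Interface, eth2: Interface,
               managed_firewalls: List[str]) -> List[str]:
    """Appliance-wide checks: per-interface rules, MGT isolation, firewall reachability."""
    problems: List[str] = []
    for iface in (mgt, eth1, eth2):
        problems += check_interface(iface)
    mgt_net = mgt.network()
    for iface in (eth1, eth2):
        net = iface.network() if iface.enabled else None
        if mgt_net and net and mgt_net.version == net.version and mgt_net.overlaps(net):
            problems.append(f"MGT subnet {mgt_net} overlaps {iface.name} subnet {net}; give MGT its own, more private subnet")
    if mgt.permitted:   # empty list = unrestricted (assumption for this model)
        allowed = [ipaddress.ip_network(p, strict=False) for p in mgt.permitted]
        for fw in managed_firewalls:
            addr = ipaddress.ip_address(fw)
            if not any(addr.version == n.version and addr in n for n in allowed):
                problems.append(f"managed firewall {fw} is not in MGT Permitted IP Addresses; it cannot connect or forward logs")
    return problems


# Constructed sample: an M-100 with Eth1 enabled for log collection and Eth2 unused.
MGT = Interface("MGT", ip="10.10.0.5", netmask="255.255.255.0", gateway="10.10.0.1",
                permitted=["10.10.0.0/24", "10.30.0.0/24"])
ETH1 = Interface("Eth1", ip="10.20.0.5", netmask="255.255.255.0", gateway="10.20.0.1")
ETH2 = Interface("Eth2", enabled=False)
MANAGED_FIREWALLS = ["10.30.0.7", "10.30.0.8"]
```

Running check_m100(MGT, ETH1, ETH2, MANAGED_FIREWALLS) on the sample returns no problems; moving Eth1 onto 10.10.0.0/24 or omitting a gateway produces the corresponding message.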


    Logging and Reporting Settings

    Use this section of the interface to modify the following options:

    Log storage quotas for a firewall (Device > Setup > Management).

    Log storage quotas for a Panorama virtual appliance or an M-100 appliance in Panorama mode (Panorama > Setup > Management).

    Note: To configure the quotas for each log type on an M-100 appliance in log collector mode, select Panorama > Collector Groups > General and select the Log Storage link. See Installing a Software Update on a Collector.

    Attributes for calculating and exporting user activity reports.

    Predefined reports created on the firewall/Panorama.


    Log Storage subtab

    (The PA-7050 firewall has Log Card Storage and Management Card Storage tabs)

    Specify the percentage of space allocated to each log type on the hard disk.

    When you change a percent value, the associated disk allocation changes automatically. If the total of all the values exceeds 100%, a message appears on the page in red, and an error message appears when you attempt to save the settings. If this occurs, readjust the percentages so the total is within the 100% limit.

    Click OK to save settings and Restore Defaults to restore all of the default settings.

    The PA-7050 firewall stores logs on the Log Processing Card (LPC) and the Switch Management Card (SMC), and so divides log quotas into these two areas. The Log Card Storage tab has quota settings for data-type logs stored on the LPC (for example, traffic and threat logs). The Management Card Storage tab has quota settings for management-type logs stored on the SMC (for example, the config, system, and alarms logs).

    Note: When a log reaches the maximum size, the firewall starts overwriting the oldest log entries with the new log entries. If you reduce a log size, the firewall removes the oldest logs when you commit the changes.


    Log Export and Reporting subtab

    Number of Versions for Config Audit

    Enter the number of configuration versions to save before discarding the oldest ones (default 100). You can use these saved versions to audit and compare changes in configuration.

    Max Rows in CSV Export

    Enter the maximum number of rows that will appear in the CSV reports generated from the Export to CSV icon in the traffic logs view (range 1-1048576, default 65535).

    Max Rows in User Activity Report

    Enter the maximum number of rows that is supported for the detailed user activity reports (1-1048576, default 5000).

    Number of Versions for Config Backups

    (Panorama only) Enter the number of configuration backups to save before discarding the oldest ones (default 100).

    Average Browse Time (sec)

    Configure this variable to adjust how browse time is calculated in the User Activity Report.

    The calculation will ignore sites categorized as web advertisements and content delivery networks. The browse time calculation is based on container pages logged in the URL filtering logs. Container pages are used as the basis for this calculation because many sites load content from external sites that should not be considered. For more information on the container page, see Container Pages.

    The average browse time setting is the average time that the admin thinks it should take a user to browse a web page. Any request made after the average browse time has elapsed will be considered a new browsing activity. The calculation will ignore any new web pages that are loaded between the time of the first request (start time) and the average browse time. This behavior was designed to exclude any external sites that are loaded within the web page of interest.

    Example: If the average browse time setting is 2 minutes and a user opens a web page and views that page for 5 minutes, the browse time for that page will still be 2 minutes. This is done because there is no way to determine how long a user views a given page.

    (Range 0-300 seconds, default 60 seconds)

    Page Load Threshold (sec)

    This option allows you to adjust the assumed time it takes for page elements to load on the page. Any request that occurs between the first page load and the page load threshold is assumed to be an element of the page. Any request that occurs outside of the page load threshold is assumed to be the user clicking a link within the page. The page load threshold is also used in the calculations for the User Activity Report.

    (Range 0-60 seconds, default 20 seconds)

    Syslog HOSTNAME Format

    Select whether to use the FQDN, hostname, or IP address (IPv4 or IPv6) in the syslog message header; this header identifies the firewall/Panorama from which the message originated.

    Stop Traffic when LogDb full Select the check box if you want traffic through the firewall to stop when the log database is full (default off).


    Enable Log on High DP Load

    Select this check box if you want a system log entry generated when the packet processing load on the firewall reaches 100% CPU utilization.

    A high CPU load can cause operational degradation because the CPU does not have enough cycles to process all packets. The system log alerts you to this issue (a log entry is generated each minute) and allows you to investigate the probable cause.

    Disabled by default.

    (Only on Panorama) Buffered Log Forwarding from Device

    Allows the firewall to buffer log entries on its hard disk (local storage) when it loses connectivity to Panorama. When the connection to Panorama is restored, the log entries are forwarded to Panorama; the disk space available for buffering depends on the log storage quota for the platform and the volume of logs that are pending roll over. If the available space is consumed, the oldest entries are deleted to allow logging of new events.

    Enabled by default.

    Get Only New Logs on Convert to Primary

    This option is only applicable when Panorama writes logs to a Network File Share (NFS). With NFS logging, only the primary Panorama is mounted to the NFS. Therefore, the firewalls send logs to the active primary Panorama only.

    This option allows an administrator to configure the managed firewalls to only send newly generated logs to Panorama when an HA failover occurs and the secondary Panorama resumes logging to the NFS (after it is promoted as primary).

    This behavior is typically enabled to prevent the firewalls from sending a large volume of buffered logs when connectivity to Panorama is restored after a significant period of time.

    Only Active Primary Logs to Local Disk

    Allows you to configure only the active primary Panorama to save logs to the local disk.

    This option is valid for a Panorama virtual machine with a virtual disk and to the M-100 appliance in Panorama mode.

    Pre-Defined Reports

    Pre-defined reports for application, traffic, threat, and URL Filtering are available on the firewall and on Panorama. By default, these pre-defined reports are enabled.

    Because the firewalls consume memory resources to generate the results hourly (and forward them to Panorama, where they are aggregated and compiled for viewing), you can reduce memory usage by disabling the reports that are not relevant to you; to disable a report, clear its check box.

    Use the Select All or Deselect All options to entirely enable or disable the generation of pre-defined reports.

    Note: Before disabling a report make sure that the report is not included in a Group Report or a PDF Report. If a pre-defined report is part of a set of reports and it is disabled, the entire set of reports will have no data.


    Minimum Password Complexity

    Enabled Enable minimum password requirements for local accounts. With this feature, you can ensure that local administrator accounts on the firewall will adhere to a defined set of password requirements.

    You can also create a password profile with a subset of these options that overrides these settings and can be applied to specific accounts. For more information, see Defining Password Profiles; for information on the characters that are valid for accounts, see Defining Administrator Roles.

    Note: The maximum password length that can be entered is 31 characters. When setting requirements, make sure you do not create a combination that cannot be satisfied. For example, you could not set a requirement of 10 uppercase, 10 lowercase, 10 numeric, and 10 special characters, because that would exceed the maximum length of 31.

    Note: If you have High Availability (HA) configured, always use the primary device when configuring password complexity options and commit soon after making changes.

    Minimum Length Require minimum length from 1-15 characters.

    Minimum Uppercase Letters

    Require a minimum number of uppercase letters from 0-15 characters.

    Minimum Lowercase Letters

    Require a minimum number of lowercase letters from 0-15 characters.

    Minimum Numeric Letters

    Require a minimum number of numeric characters from 0-15.

    Minimum Special Characters

    Require a minimum number of special characters (non-alphanumeric) from 0-15 characters.

    Block Repeated Characters

    Do not allow a character to be repeated the specified number of times. For example, if the value is set to 4, the password test2222 would not be accepted, but test222 would be accepted (range 2-15).

    Block Username Inclusion (including reversed)

    Select this check box to prevent the account username (or reversed version of the name) from being used in the password.

    New Password Differs By Characters

    When administrators change their passwords, the characters must differ by the specified value.

    Require Password Change on First Login

    Select this check box to prompt the administrators to change their passwords the first time they log in to the device.

    Prevent Password Reuse Limit

    Require that a previous password is not reused, based on the specified count. For example, if the value is set to 4, you could not reuse any of your last 4 passwords (range 0-50).

    Block Password Change Period (days)

    Users cannot change their passwords until the specified number of days has elapsed (range 0-365 days).


    Required Password Change Period (days)

    Require that administrators change their password on a regular basis, specified by the number of days set (range 0-365 days). For example, if the value is set to 90, administrators will be prompted to change their password every 90 days.

    You can also set an expiration warning from 0-30 days and specify a grace period.

    Expiration Warning Period (days)

    If a required password change period is set, this setting prompts the user to change their password at each login as the forced password change date approaches (range 0-30 days).

    Allowed expired admin login (count)

    Allow the administrator to log in the specified number of times after the account has expired. For example, if the value is set to 3 and their account has expired, they can log in 3 more times before their account is locked out (range 0-3 logins).

    Post Expiration Grace Period (days)

    Allow the administrator to log in the specified number of days after the account has expired (range 0-30 days).
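The Minimum Password Complexity rules above can be checked in code before a password is accepted. The following is an added example, not PAN-OS code and not from the guide, that applies those rules to constructed passwords; comparing the username case-insensitively, counting "differs by" positionally, and keeping a plaintext history for illustration are this example's own choices.

```python
"""Validator for the Minimum Password Complexity settings described above.

Added example, not PAN-OS code. It applies the rules the guide lists: minimum
length and per-class minimums, the 31-character maximum, blocked repeated
characters, username inclusion (plain or reversed), the number of characters a
new password must differ by, and reuse against the last N passwords. It also
checks that a set of requirements fits within 31 characters at all. Comparing
the username case-insensitively and the positional 'differs by' count are
this example's own interpretations.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

MAX_LENGTH = 31  # longest password the interface accepts


@dataclass
class PasswordPolicy:
    minimum_length: int = 8          # 1-15
    minimum_uppercase: int = 0       # 0-15
    minimum_lowercase: int = 0       # 0-15
    minimum_numeric: int = 0         # 0-15
    minimum_special: int = 0         # 0-15
    block_repeated: int = 0          # 0 = off, otherwise 2-15
    block_username: bool = False     # Block Username Inclusion (including reversed)
    differs_by: int = 0              # New Password Differs By Characters
    prevent_reuse: int = 0           # Prevent Password Reuse Limit, 0-50


def policy_is_satisfiable(p: PasswordPolicy) -> bool:
    """False for combinations the guide warns about, e.g. 10+10+10+10 > 31."""
    class_total = p.minimum_uppercase + p.minimum_lowercase + p.minimum_numeric + p.minimum_special
    return max(p.minimum_length, class_total) <= MAX_LENGTH


def has_repeated_run(password: str, limit: int) -> bool:
    """True when a character appears 'limit' or more times in a row (test2222 fails at 4)."""
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run >= limit:
            return True
    return False


def differing_characters(old: str, new: str) -> int:
    """Positions that changed plus any length difference (this example's measure)."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def validate(password: str, username: str, policy: PasswordPolicy,
             old_password: Optional[str] = None, history: Sequence[str] = ()) -> List[str]:
    """Return an empty list if the password is acceptable, else the rule violations."""
    p, problems = policy, []
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if len(password) < p.minimum_length:
        problems.append(f"shorter than {p.minimum_length} characters")
    counts = {"uppercase": sum(c.isupper() for c in password),
              "lowercase": sum(c.islower() for c in password),
              "numeric": sum(c.isdigit() for c in password),
              "special": sum(not c.isalnum() for c in password)}
    minimums = {"uppercase": p.minimum_uppercase, "lowercase": p.minimum_lowercase,
                "numeric": p.minimum_numeric, "special": p.minimum_special}
    for cls, minimum in minimums.items():
        if counts[cls] < minimum:
            problems.append(f"needs at least {minimum} {cls} characters")
    if p.block_repeated and has_repeated_run(password, p.block_repeated):
        problems.append(f"a character is repeated {p.block_repeated} or more times")
    if p.block_username and username:
        low, user = password.lower(), username.lower()
        if user in low or user[::-1] in low:
            problems.append("contains the username or its reverse")
    if old_password is not None and p.differs_by and differing_characters(old_password, password) < p.differs_by:
        problems.append(f"differs from the previous password by fewer than {p.differs_by} characters")
    if p.prevent_reuse and password in list(history)[-p.prevent_reuse:]:  # history is newest-last
        problems.append(f"matches one of the last {p.prevent_reuse} passwords")
    return problems
```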


    Defining Operations Settings

    Device > Setup > Operations

    Panorama > Setup > Operations

    When you change a configuration setting and click OK, the current candidate configuration is updated, not the active configuration. Clicking Commit at the top of the page applies the candidate configuration to the active configuration, which activates all configuration changes since the last commit. This method allows you to review the configuration before activating it. Activating multiple changes simultaneously helps avoid invalid configuration states that can occur when changes are applied in real time.

    You can save and roll back (restore) the candidate configuration as often as needed, and also load, validate, import, and export configurations. Clicking Save creates a copy of the current candidate configuration, whereas clicking Commit updates the active configuration with the contents of the candidate configuration.

    To manage configurations, select the appropriate configuration management functions, as described in the following table.

    It is a good idea to periodically save the configuration settings you have entered by clicking the Save link in the upper-right corner of the screen.

