Web Interface Reference Guide
Version 8.0

Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contactsupport
About this Guide
This guide describes the Palo Alto Networks next-generation firewall and Panorama web interfaces. It provides reference information on how to populate fields within these web interfaces. For additional information, refer to the following resources:
- For information on the additional capabilities and for instructions on configuring the features on the firewall, refer to https://www.paloaltonetworks.com/documentation.
- For access to the knowledge base, discussion forums, and videos, refer to https://live.paloaltonetworks.com.
- For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
- For the most current PAN-OS and Panorama 8.0 release notes, see https://www.paloaltonetworks.com/documentation/80/panos/panosreleasenotes.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
www.paloaltonetworks.com
2014-2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be
found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of
their respective companies.
Revision Date: February 6, 2017
2  PAN-OS 8.0 Web Interface Reference Guide  Palo Alto Networks, Inc.
Table of Contents
Web Interface Basics ..... 13
  Firewall Overview ..... 14
  Features and Benefits ..... 15
  Last Login Time and Failed Login Attempts ..... 16
  Message of the Day ..... 17
  Task Manager ..... 18
  Language ..... 20
  Alarms ..... 20
  Commit Changes ..... 21
  Save Candidate Configurations ..... 25
  Revert Changes ..... 29
  Lock Configurations ..... 33
  Global Find ..... 34
  Threat Details ..... 35
  AutoFocus Intelligence Summary ..... 37
Dashboard ..... 39
ACC ..... 41
  A First Glance at the ACC ..... 42
  ACC Tabs ..... 43
  ACC Widgets ..... 44
  ACC Actions ..... 45
Monitor ..... 49
  Monitor > Logs ..... 50
    Log Types ..... 50
    Log Actions ..... 53
  Monitor > External Logs ..... 55
  Monitor > Automated Correlation Engine ..... 56
  Monitor > Automated Correlation Engine > Correlation Objects ..... 57
  Monitor > Automated Correlation Engine > Correlated Events ..... 58
  Monitor > Packet Capture ..... 59
    Packet Capture Overview ..... 59
    Building Blocks for a Custom Packet Capture ..... 60
    Enable Threat Packet Capture ..... 63
  Monitor > App Scope ..... 64
    Summary Report ..... 65
    Change Monitor Report ..... 66
    Threat Monitor Report ..... 67
    Threat Map Report ..... 68
    Network Monitor Report ..... 69
    Traffic Map Report ..... 71
  Monitor > Session Browser ..... 72
  Monitor > Block IP List ..... 73
    Block IP List Entries ..... 73
    View or Delete Block IP List Entries ..... 74
  Monitor > Botnet ..... 75
    Managing Botnet Reports ..... 75
    Configuring the Botnet Report ..... 76
  Monitor > PDF Reports ..... 77
  Monitor > PDF Reports > Manage PDF Summary ..... 78
  Monitor > PDF Reports > User Activity Report ..... 80
  Monitor > PDF Reports > SaaS Application Usage ..... 81
  Monitor > PDF Reports > Report Groups ..... 83
  Monitor > PDF Reports > Email Scheduler ..... 84
  Monitor > Manage Custom Reports ..... 85
  Monitor > Reports ..... 86
Policies ..... 87
  Policy Types ..... 88
  Move or Clone a Policy Rule ..... 89
  Policies > Security ..... 90
    Security Policy Overview ..... 90
    Building Blocks in a Security Policy Rule ..... 91
    Creating and Managing Policies ..... 98
    Overriding or Reverting a Security Policy Rule ..... 100
  Policies > NAT ..... 102
    General Tab ..... 102
    Original Packet Tab ..... 103
    Translated Packet Tab ..... 104
    Active/Active HA Binding Tab ..... 105
  Policies > QoS ..... 107
  Policies > Policy Based Forwarding ..... 111
    General Tab ..... 111
    Source Tab ..... 112
    Destination/Application/Service Tab ..... 113
    Forwarding Tab ..... 113
  Policies > Decryption ..... 115
    General Tab ..... 115
    Source Tab ..... 116
Objects ..... 133
  Move, Clone, Override, or Revert Objects ..... 134
    Move or Clone an Object ..... 134
    Override or Revert an Object ..... 134
  Objects > Addresses ..... 136
  Objects > Address Groups ..... 138
  Objects > Regions ..... 140
  Objects > Applications ..... 141
    Applications Overview ..... 141
    Actions Supported on Applications ..... 145
    Defining Applications ..... 147
  Objects > Application Groups ..... 150
  Objects > Application Filters ..... 151
  Objects > Services ..... 152
  Objects > Service Groups ..... 153
  Objects > Tags ..... 154
    Create Tags ..... 154
    Use the Tag Browser ..... 155
    Manage Tags ..... 156
  Objects > External Dynamic Lists ..... 158
  Objects > Custom Objects ..... 161
  Objects > Custom Objects > Data Patterns ..... 162
    Data Pattern Settings ..... 162
    Syntax for Regular Expression Data Patterns ..... 163
    Regular Expression Data Pattern Examples ..... 164
  Objects > Custom Objects > Spyware/Vulnerability ..... 165
  Objects > Custom Objects > URL Category ..... 169
  Objects > Security Profiles ..... 170
    Actions in Security Profiles ..... 170
  Objects > Security Profiles > Antivirus ..... 173
  Objects > Security Profiles > Anti-Spyware Profile ..... 175
  Objects > Security Profiles > Vulnerability Protection ..... 178
  Objects > Security Profiles > URL Filtering ..... 181
    General Settings ..... 181
    Categories ..... 182
    Overrides ..... 183
    URL Filtering Settings ..... 185
    User Credential Detection ..... 186
  Objects > Security Profiles > File Blocking ..... 188
  Objects > Security Profiles > WildFire Analysis ..... 190
  Objects > Security Profiles > Data Filtering ..... 191
  Objects > Security Profiles > DoS Protection ..... 193
  Objects > Security Profile Groups ..... 196
  Objects > Log Forwarding ..... 197
  Objects > Authentication ..... 200
  Objects > Decryption Profile ..... 202
    Decryption Profile General Settings ..... 202
    Settings to Control Decrypted SSL Traffic ..... 203
    Settings to Control Traffic that is not Decrypted ..... 205
    Settings to Control Decrypted SSH Traffic ..... 205
  Objects > Schedules ..... 207
Network ..... 209
  Network > Virtual Wires ..... 210
  Network > Interfaces ..... 211
    Firewall Interfaces Overview ..... 212
    Common Building Blocks for Firewall Interfaces ..... 212
    Common Building Blocks for PA-7000 Series Firewall Interfaces ..... 213
    Layer 2 Interface ..... 214
    Layer 2 Subinterface ..... 215
    Layer 3 Interface ..... 215
    Layer 3 Subinterface ..... 226
    Virtual Wire Interface ..... 235
    Virtual Wire Subinterface ..... 236
    Tap Interface ..... 237
    Log Card Interface ..... 238
    Log Card Subinterface ..... 239
    Decrypt Mirror Interface ..... 240
    Aggregate Ethernet (AE) Interface Group ..... 241
    Aggregate Ethernet (AE) Interface ..... 244
    HA Interface ..... 249
  Network > Interfaces > VLAN ..... 250
  Network > Interfaces > Loopback ..... 256
  Network > Network Profiles > Zone Protection ..... 347
    Building Blocks of Zone Protection Profiles ..... 348
    Flood Protection ..... 349
    Reconnaissance Protection ..... 352
    Packet Based Attack Protection ..... 353
    Protocol Protection ..... 360
  Network > Network Profiles > LLDP Profile ..... 361
  Network > Network Profiles > BFD Profile ..... 362
    BFD Overview ..... 362
    Building Blocks of a BFD Profile ..... 363
  Network > Network Profiles > QoS ..... 365
  Device > Authentication Profile ..... 440
    Configure an Authentication Profile ..... 440
    Export SAML Metadata from an Authentication Profile ..... 445
  Device > Authentication Sequence ..... 447
  Device > VM Information Sources ..... 448
  Device > Virtual Systems ..... 452
  Device > Shared Gateways ..... 454
  Device > Certificate Management ..... 455
  Device > Certificate Management > Certificates ..... 456
    Manage Firewall and Panorama Certificates ..... 456
    Manage Default Trusted Certificate Authorities ..... 460
  Device > Certificate Management > Certificate Profile ..... 461
  Device > Certificate Management > OCSP Responder ..... 463
  Device > Certificate Management > SSL/TLS Service Profile ..... 464
  Device > Certificate Management > SCEP ..... 465
  Device > Certificate Management > SSL Decryption Exclusion ..... 468
  Device > Response Pages ..... 470
  Device > Log Settings ..... 472
    Select Log Forwarding Destinations ..... 472
    Define Alarm Settings ..... 474
    Clear Logs ..... 475
  Device > Server Profiles ..... 476
  Device > Server Profiles > SNMP Trap ..... 477
  Device > Server Profiles > Syslog ..... 479
  Device > Server Profiles > Email ..... 481
  Device > Server Profiles > HTTP ..... 482
  Device > Server Profiles > NetFlow ..... 484
  Device > Server Profiles > RADIUS ..... 485
  Device > Server Profiles > TACACS+ ..... 486
  Device > Server Profiles > LDAP ..... 487
  Device > Server Profiles > Kerberos ..... 489
  Device > Server Profiles > SAML Identity Provider ..... 490
  Device > Server Profiles > DNS ..... 493
  Device > Server Profiles > Multi Factor Authentication ..... 494
  Device > Local User Database > Users ..... 496
  Device > Local User Database > User Groups ..... 497
  Device > Scheduled Log Export ..... 498
  Device > Software ..... 499
  Device > Dynamic Updates ..... 501
  Device > Licenses ..... 505
    Behavior on License Expiry ..... 506
  Device > Support ..... 507
  Device > Master Key and Diagnostics ..... 508
GlobalProtect ..... 537
  Network > GlobalProtect > Portals ..... 538
    General Tab ..... 539
    Authentication Configuration Tab ..... 540
    Agent Configuration Tab ..... 542
    Clientless Configuration Tab ..... 556
    Satellite Configuration Tab ..... 559
  Network > GlobalProtect > Gateways ..... 562
    General Tab ..... 563
    Authentication Tab ..... 564
    Agent Tab ..... 564
    Satellite Configuration Tab ..... 572
  Network > GlobalProtect > MDM ..... 574
  Network > GlobalProtect > Block List ..... 575
  Network > GlobalProtect > Clientless Apps ..... 576
  Network > GlobalProtect > Clientless App Groups ..... 577
  Objects > GlobalProtect > HIP Objects ..... 578
    General Tab ..... 579
    Mobile Device Tab ..... 580
    Patch Management Tab ..... 581
    Firewall Tab ..... 582
    Antivirus Tab ..... 582
    Anti-Spyware Tab ..... 583
    Disk Backup Tab ..... 583
    Disk Encryption Tab ..... 584
    Data Loss Prevention Tab ..... 584
    Custom Checks Tab ..... 585
  Objects > GlobalProtect > HIP Profiles ..... 586
  Device > GlobalProtect Client ..... 588
    Managing the GlobalProtect Agent Software ..... 588
    Setting Up the GlobalProtect Agent ..... 589
    Using the GlobalProtect Agent ..... 590
Panorama Web Interface ..... 591
  Use the Panorama Web Interface ..... 593
  Context Switch ..... 597
  Panorama Commit Operations ..... 598
  Defining Policies on Panorama ..... 607
  Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode ..... 608
  Panorama > Setup > Interfaces ..... 609
  Panorama > High Availability ..... 611
  Panorama > Managed WildFire Clusters ..... 614
    Managed WildFire Cluster Tasks ..... 614
    Managed WildFire Appliance Tasks ..... 615
    Managed WildFire Information ..... 616
    Managed WildFire Cluster and Appliance Administration ..... 619
  Panorama > Administrators ..... 627
  Panorama > Admin Roles ..... 629
  Panorama > Access Domains ..... 631
  Panorama > Managed Devices ..... 632
    Managed Firewall Administration ..... 632
    Managed Firewall Information ..... 633
    Firewall Software and Content Updates ..... 635
    Firewall Backups ..... 636
  Panorama > Templates ..... 638
    Templates ..... 638
    Template Stacks ..... 640
  Panorama > Device Groups ..... 641
  Panorama > Managed Collectors ..... 643
    Log Collector Information ..... 643
    Log Collector Configuration ..... 644
    Software Updates for Dedicated Log Collectors ..... 652
  Panorama > Collector Groups ..... 654
    Collector Group Configuration ..... 654
    Collector Group Information ..... 659
  Panorama > Plugins ..... 660
  Panorama > VMware NSX ..... 661
    Configure a Notify Group ..... 662
    Create Service Definitions ..... 663
    Configure Access to the NSX Manager ..... 664
    Create Steering Rules ..... 665
  Panorama > Log Ingestion Profile ..... 667
  Panorama > Log Settings ..... 668
  Panorama > Scheduled Config Export ..... 670
  Panorama > Software ..... 671
    Manage Panorama Software Updates ..... 672
    Display Panorama Software Update Information ..... 673
  Panorama > Device Deployment ..... 674
    Manage Software and Content Updates ..... 674
    Display Software and Content Update Information ..... 676
    Schedule Dynamic Content Updates ..... 677
    Manage Firewall Licenses ..... 678
Web Interface Basics
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
Firewall Overview
Palo Alto Networks next-generation firewalls safely enable applications and prevent modern threats by inspecting all traffic (applications, threats, and content) and tying it to the user, regardless of location or device type. The application, content, and user (the elements that run your business) become integral components of your Security policy. This allows you to align security with your key business initiatives. With our next-generation security platform, you reduce response times to incidents, discover unknown threats, and streamline security network deployment.
- Safely enable applications, users, and content by classifying all traffic, determining the business use case, and assigning policies to allow and protect access to relevant applications.
- Prevent threats by eliminating unwanted applications to reduce your threat footprint and apply targeted Security policy rules to block known vulnerability exploits, viruses, spyware, botnets, and unknown malware (APTs).
- Protect your data centers through the validation of applications, isolation of data, control over rogue applications, and high-speed threat prevention.
- Secure public and private cloud computing environments with increased visibility and control; deploy, enforce, and maintain Security policy rules at the same pace as your virtual machines.
Features and Benefits
The Palo Alto Networks next-generation firewalls provide granular control over the traffic allowed to access your network. The primary features and benefits include:
- Application-based policy enforcement (App-ID): Access control according to application type is far more effective when application identification is based on more than just protocol and port number. The App-ID service can block high-risk applications, as well as high-risk behavior, such as file sharing, and traffic encrypted with the Secure Sockets Layer (SSL) protocol can be decrypted and inspected.
- User identification (User-ID): The User-ID feature allows administrators to configure and enforce firewall policies based on users and user groups instead of, or in addition to, network zones and addresses. The firewall can communicate with many directory servers, such as Microsoft Active Directory, eDirectory, SunOne, OpenLDAP, and most other LDAP-based directory servers, to provide user and group information to the firewall. You can then use this information for secure application enablement that can be defined per user or group. For example, the administrator could allow one organization to use a web-based application but not allow any other organizations in the company to use that same application. You can also configure granular control of certain components of an application based on users and groups (see User Identification).
- Threat prevention: Threat prevention services that protect the network from viruses, worms, spyware, and other malicious traffic can be varied by application and traffic source (see Objects > Security Profiles).
- URL filtering: Outbound connections can be filtered to prevent access to inappropriate web sites (see Objects > Security Profiles > URL Filtering).
- Traffic visibility: Extensive reports, logs, and notification mechanisms provide detailed visibility into network application traffic and security events. The Application Command Center (ACC) in the web interface identifies the applications with the most traffic and the highest security risk (see Monitor).
- Networking versatility and speed: The Palo Alto Networks firewall can augment or replace your existing firewall and can be installed transparently in any network or configured to support a switched or routed environment. Multi-gigabit speeds and a single-pass architecture provide these services to you with little or no impact on network latency.
- GlobalProtect: The GlobalProtect software provides security for client systems, such as laptops that are used in the field, by allowing easy and secure login from anywhere in the world.
- Fail-safe operation: High availability (HA) support provides automatic failover in the event of any hardware or software disruption (see Device > Virtual Systems).
- Malware analysis and reporting: The WildFire cloud-based analysis service provides detailed analysis and reporting on malware that passes through the firewall. Integration with the AutoFocus threat intelligence service allows you to assess the risk associated with your network traffic at organization, industry, and global levels.
- VM-Series firewall: A VM-Series firewall provides a virtual instance of PAN-OS positioned for use in a virtualized data center environment and is ideal for your private, public, and hybrid cloud computing environments.
- Management and Panorama: You can manage each firewall through an intuitive web interface or through a command-line interface (CLI), or you can centrally manage all firewalls through the Panorama centralized management system, which has a web interface very similar to the web interface on Palo Alto Networks firewalls.
Last Login Time and Failed Login Attempts
To detect misuse and prevent exploitation of a privileged account, such as an administrative account on a Palo Alto Networks firewall or Panorama, the web interface and the command-line interface (CLI) display your last login time and any failed login attempts for your username when you log in. This information allows you to easily identify whether someone is using your administrative credentials to launch an attack.
After you log in to the web interface, the last login time information appears at the bottom left of the window. If one or more failed logins occurred since the last successful login, a caution icon appears to the right of the last login information. Hover over the caution symbol to view the number of failed login attempts, or click it to view the Failed Login Attempts Summary window, which lists the administrative account name, the source IP address, and the reason for the login failure.
If you see multiple failed login attempts that you do not recognize as your own, you should work with your network administrator to locate the system that is performing the brute-force attack and then investigate the user and host computer to identify and eradicate any malicious activity. If you see that the last login date and time indicates an account compromise, you should immediately change your password and then perform a configuration audit to determine if suspicious configuration changes were committed. Revert the configuration to a known good configuration if you see that logs were cleared or if you have difficulty determining if improper changes were made using your account.
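The check behind the caution icon and the Failed Login Attempts Summary (failures counted only since the last successful login, grouped by account, source IP, and reason) is easy to reproduce over your own audit records when you review admin access centrally. The following is an added example, not code from the PAN-OS guide or from Palo Alto Networks: the LoginEvent layout, the sample events and the brute-force threshold are assumptions made for this example, not a PAN-OS log format.

```python
"""Summarize failed admin logins since the last successful login.

Added example (not from the PAN-OS guide): over a constructed list of
login events it reproduces the check the firewall performs when it shows
the caution icon and the Failed Login Attempts Summary (account, source
IP, reason). The event layout is an assumption for this example.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LoginEvent:
    when: datetime          # time of the attempt
    account: str            # administrative account name
    source_ip: str          # client address the attempt came from
    success: bool           # True for a successful login
    reason: str = ""        # failure reason, empty on success


def failed_since_last_success(events, account):
    """Return (last_success, failures) for one account.

    last_success is the most recent successful login (None if there was
    none) and failures lists the failed attempts after it, in time order.
    Other accounts' events are ignored, as the web interface only shows
    the logged-in administrator's own history.
    """
    mine = sorted((e for e in events if e.account == account), key=lambda e: e.when)
    last_success = None
    failures = []
    for e in mine:
        if e.success:
            last_success = e
            failures = []      # the count restarts at every successful login
        else:
            failures.append(e)
    return last_success, failures


def summarize(failures):
    """Rows of a Failed Login Attempts Summary: one row per
    (account, source IP, reason) with a count, most frequent first."""
    counts = Counter((f.account, f.source_ip, f.reason) for f in failures)
    return [
        {"account": a, "source_ip": ip, "reason": r, "count": n}
        for (a, ip, r), n in counts.most_common()
    ]


def looks_like_brute_force(failures, threshold=5):
    """Source IPs with at least `threshold` failures (threshold is an
    assumption); these are the systems the guide tells you to locate."""
    per_ip = Counter(f.source_ip for f in failures)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


# Constructed sample events for this example (not real log data).
SAMPLE_EVENTS = [
    LoginEvent(datetime(2017, 2, 6, 8, 0), "admin", "10.0.0.5", True),
    LoginEvent(datetime(2017, 2, 6, 9, 0), "admin", "10.0.0.5", False, "Invalid password"),
    LoginEvent(datetime(2017, 2, 6, 9, 1), "admin", "10.0.0.5", True),
    # six rapid failures from an unfamiliar address after the last good login
    *[LoginEvent(datetime(2017, 2, 6, 22, m), "admin", "198.51.100.23", False, "Invalid password")
      for m in range(10, 16)],
    LoginEvent(datetime(2017, 2, 6, 23, 0), "admin", "10.0.0.7", False, "Account locked"),
    # another account's failure must not be counted against admin
    LoginEvent(datetime(2017, 2, 6, 23, 5), "auditor", "10.0.0.9", False, "Invalid password"),
]


def main():
    last_ok, failures = failed_since_last_success(SAMPLE_EVENTS, "admin")
    print(f"Last login: {last_ok.when:%Y-%m-%d %H:%M} from {last_ok.source_ip}")
    print(f"Failed attempts since then: {len(failures)}")
    for row in summarize(failures):
        print(f"  {row['account']:8} {row['source_ip']:16} {row['reason']:18} x{row['count']}")
    print("Possible brute force from:", looks_like_brute_force(failures))


if __name__ == "__main__":
    main()
```

Run as-is; the sample shows the 09:00 failure dropping out of the summary because a successful login followed it, while the seven later failures remain, six of them from one address that the brute-force check singles out.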
Message of the Day
If you or another administrator configured a message of the day, or Palo Alto Networks embedded one as part of a software or content release, a Message of the Day dialog displays automatically when users log in to the web interface. This ensures that users see important information, such as an impending system restart, that impacts the tasks they intend to perform.
The dialog displays one message per page. If the dialog includes the option to select Do not show again, you can select it for each message that you don't want the dialog to display after subsequent logins.
Task Manager

Click Tasks at the bottom of the web interface to display the tasks that you, other administrators, or PAN-OS initiated since the last firewall reboot (for example, manual commits or automatic FQDN refreshes). For each task, the Task Manager provides the information and actions described in the table below.

Some columns are hidden by default. To display or hide specific columns, open the drop-down in any column header, select Columns, and select (display) or clear (hide) the column names.

Field/Button    Description

Filter
    To filter the tasks, enter a text string based on a value in one of the columns and click Apply Filter. For example, entering edl filters the list to display only EDL Fetch (fetch external dynamic lists) tasks. To remove filtering, click Remove Filter.

Type
    The type of task, such as log request, license refresh, or commit. If the information related to the task (such as warnings) is too long to fit in the Messages column, you can click the Type value to see all the details.

Status
    Indicates whether the task is pending (such as commits with Queued status), in progress (such as log requests with Active status), completed, or failed. For commits in progress, the Status indicates the percentage of completion.

Job ID
    A number that identifies the task. From the CLI, you can use the Job ID to see additional details about a task. For example, you can see the position of a commit task in the commit queue by entering:
    > show jobs id <job-id>
    This column is hidden by default.

End Time
    The date and time when the task finished. This column is hidden by default.

Start Time
    The date and time when the task started. For commit tasks, the Start Time indicates when the commit was added to the commit queue.

Messages
    Displays details about the task. If the entry indicates that there are too many messages, you can click the task Type to see the messages.
    For commit tasks, the Messages include the dequeued time to indicate when PAN-OS started performing the commit. To see the description an administrator entered for a commit, click Commit Description. For details, see Commit Changes.

Action
    Click x to cancel a pending commit initiated by an administrator or by PAN-OS. This button is available only to administrators who have one of the following predefined roles: superuser, device administrator, virtual system administrator, or Panorama administrator.
Show
    Select the tasks you want to display:
    - All Tasks (default)
    - All tasks of a certain type (Jobs, Reports, or Log Requests)
    - All Running tasks (in progress)
    - All Running tasks of a certain type (Jobs, Reports, or Log Requests)
    (Panorama only) Use the second drop-down to display the tasks for Panorama (default) or for a specific managed firewall.

Clear Commit Queue
    Cancels all pending commits initiated by administrators or PAN-OS. This button is available only to administrators who have one of the following predefined roles: superuser, device administrator, virtual system administrator, or Panorama administrator.
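The following is an added example, not code from the guide or from Palo Alto Networks. It parses a job listing of the kind `show jobs id <job-id>` or `show jobs all` returns and reproduces what the Task Manager derives from it: the Status column, a job's position in the commit queue (the order rule from Commit Changes: initiation order, firewall-initiated auto-commits first), and the role check behind the cancel button. The element names (tenq, id, user, type, status, queued, result, progress), the status and result codes (PEND/ACT/FIN, OK/FAIL/PEND) and the predefined role spellings are assumptions modeled on the PAN-OS XML API reply; the XML below is constructed, not captured from a firewall.

```python
"""Added example (not from the guide): Task Manager logic over a constructed
job listing in the assumed shape of the XML API "show jobs" reply."""
import xml.etree.ElementTree as ET

SAMPLE_JOBS_XML = """<response status="success"><result>
<job><tenq>2017/02/06 10:00:00</tenq><id>12</id><user>admin</user><type>Commit</type><status>FIN</status><queued>NO</queued><result>OK</result><progress>100</progress></job>
<job><tenq>2017/02/06 10:05:00</tenq><id>13</id><user>netops</user><type>Commit</type><status>ACT</status><queued>NO</queued><result>PEND</result><progress>40</progress></job>
<job><tenq>2017/02/06 10:06:00</tenq><id>14</id><user>admin</user><type>Commit</type><status>PEND</status><queued>YES</queued><result>PEND</result><progress>0</progress></job>
<job><tenq>2017/02/06 10:06:30</tenq><id>15</id><user></user><type>FqdnRefresh</type><status>PEND</status><queued>YES</queued><result>PEND</result><progress>0</progress></job>
<job><tenq>2017/02/06 10:07:00</tenq><id>16</id><user>secops</user><type>Commit</type><status>PEND</status><queued>YES</queued><result>PEND</result><progress>0</progress></job>
<job><tenq>2017/02/06 09:50:00</tenq><id>11</id><user>admin</user><type>Commit</type><status>FIN</status><queued>NO</queued><result>FAIL</result><progress>100</progress></job>
</result></response>"""

# Assumed spellings of the four predefined roles the guide names for the cancel button.
CANCEL_ROLES = {"superuser", "deviceadmin", "vsysadmin", "panorama-admin"}


def parse_jobs(xml_text):
    """Turn each <job> element into a dict; field names are an assumption (see lead-in)."""
    jobs = []
    for j in ET.fromstring(xml_text).iter("job"):
        text = lambda tag: (j.findtext(tag) or "").strip()
        jobs.append({
            "id": int(text("id")),
            "user": text("user"),            # empty for jobs the firewall started itself
            "type": text("type"),
            "status": text("status"),        # PEND / ACT / FIN (assumed codes)
            "queued": text("queued") == "YES",
            "result": text("result"),        # OK / FAIL / PEND (assumed codes)
            "progress": int(text("progress") or 0),
            "enqueued": text("tenq"),        # Task Manager Start Time for commits
        })
    return jobs


def task_status(job):
    """Map the raw status/result pair onto the Task Manager Status column."""
    if job["status"] == "PEND":
        return "pending"
    if job["status"] == "ACT":
        return f"in progress ({job['progress']}%)" if job["type"] == "Commit" else "in progress"
    return "completed" if job["result"] == "OK" else "failed"


def commit_queue(jobs):
    """Queued jobs in the order the firewall will run them: auto-jobs the
    firewall started (no user) ahead of administrator commits, otherwise in
    the order they were enqueued. This models the rule stated in Commit Changes."""
    pending = [j for j in jobs if j["status"] == "PEND" and j["queued"]]
    pending.sort(key=lambda j: (j["user"] != "", j["enqueued"], j["id"]))
    return [j["id"] for j in pending]


def queue_position(jobs, job_id):
    """1-based queue position of job_id, or None if it is not queued."""
    queue = commit_queue(jobs)
    return queue.index(job_id) + 1 if job_id in queue else None


def can_cancel(job, role):
    """The Action column's x button: only pending jobs, only for the listed roles."""
    return job["status"] == "PEND" and role in CANCEL_ROLES


if __name__ == "__main__":
    jobs = parse_jobs(SAMPLE_JOBS_XML)
    for j in sorted(jobs, key=lambda j: j["id"]):
        print(j["id"], j["type"], j["user"] or "<firewall>", task_status(j), queue_position(jobs, j["id"]))
```

The queue in the sample comes out as 15, 14, 16: the FQDN refresh the firewall queued itself runs before the two administrator commits that were enqueued earlier and later, which is the behaviour an administrator sees when their commit's position does not match its Start Time.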
Language

By default, the locale (such as Spanish) of the computer from which you log in to the firewall determines the language that the web interface displays. To change the Language (bottom of the web interface), select a Language from the drop-down and click OK. The web interface then refreshes using the new language.
Alarms

An alarm is a firewall-generated message indicating that the number of events of a particular type (for example, encryption and decryption failures) has exceeded the threshold configured for that event type (see Define Alarm Settings). When generating an alarm, the firewall creates an Alarm log and opens the System Alarms dialog to display the alarm. After closing the dialog, you can reopen it at any time by clicking Alarms at the bottom of the web interface. To prevent the firewall from automatically opening the dialog for a particular alarm, select it under Unacknowledged Alarms and click Acknowledge to move the alarm to the Acknowledged Alarms list.
Commit Changes

Click Commit at the top right of the web interface and specify an operation for pending changes to the firewall configuration: commit (activate), validate, or preview. You can filter pending changes by administrator or location and then preview, validate, and commit only those changes. The location can be specific virtual systems, shared policies and objects, or shared device and network settings.

The firewall queues commit requests so that you can initiate a new commit while a previous commit is in progress. The firewall performs the commits in the order they are initiated but prioritizes auto-commits that are initiated by the firewall (such as FQDN refreshes). However, if the queue already has the maximum number of administrator-initiated commits, you must wait for the firewall to finish processing a pending commit before initiating a new one.

Use the Task Manager to cancel commits or to see details about commits that are pending, in progress, completed, or failed.

The Commit dialog displays the options described in the following table.

Field/Button    Description

Commit All Changes
    Commits all changes for which you have administrative privileges (default). You cannot manually filter the scope of the configuration changes that the firewall commits when you select this option. Instead, the administrator role assigned to the account you used to log in determines the commit scope:
    - Superuser role: The firewall commits the changes of all administrators.
    - Custom role: The privileges of the Admin Role profile assigned to your account determine the commit scope (see Device > Admin Roles). If the profile includes the privilege to Commit For Other Admins, the firewall commits changes configured by any and all administrators. If your Admin Role profile does not include the privilege to Commit For Other Admins, the firewall commits only your changes and not those of other administrators.
    If you have implemented access domains, the firewall automatically applies those domains to filter the commit scope (see Device > Access Domain). Regardless of your administrative role, the firewall commits only the configuration changes in the access domains assigned to your account.
Commit Changes Made By
    Filters the scope of the configuration changes the firewall commits. The administrative role assigned to the account you used to log in determines your filtering options:
    - Superuser role: You can limit the commit scope to changes that specific administrators made and to changes in specific locations.
    - Custom role: The privileges of the Admin Role profile assigned to your account determine your filtering options (see Device > Admin Roles). If the profile includes the privilege to Commit For Other Admins, you can limit the commit scope to changes configured by specific administrators and to changes in specific locations. If your Admin Role profile does not include the privilege to Commit For Other Admins, you can limit the commit scope only to the changes you made in specific locations.
    Filter the commit scope as follows:
    - Filter by administrator: Even if your role allows committing the changes of other administrators, the commit scope includes only your changes by default. To add other administrators to the commit scope, click the <usernames> link, select the administrators, and click OK.
    - Filter by location: Select the specific locations for changes to Include in Commit.
    If you have implemented access domains, the firewall automatically filters the commit scope based on those domains (see Device > Access Domain). Regardless of your administrative role and your filtering choices, the commit scope includes only the configuration changes in the access domains assigned to your account.
    After you load a configuration (Device > Setup > Operations), you must Commit All Changes.
    When you commit changes to a virtual system, you must include the changes of all administrators who added, deleted, or repositioned rules for the same rulebase in that virtual system.

Commit Scope
    Lists the locations that have changes to commit. Whether the list includes all changes or a subset of the changes depends on several factors, as described for Commit All Changes and Commit Changes Made By. The locations can be any of the following:
    - shared-object: Settings that are defined in the Shared location.
    - policy-and-objects: Policy rules or objects that are defined on a firewall that does not have multiple virtual systems.
    - device-and-network: Network and device settings that are global (such as Interface Management profiles) and not specific to a virtual system. This also applies to network and device settings on a firewall that does not have multiple virtual systems.
    - <virtual-system>: The name of the virtual system in which policy rules or objects are defined on a firewall that has multiple virtual systems. This also includes network and device settings that are specific to a virtual system (such as zones).
Location Type
    This column categorizes the locations of pending changes:
    - Virtual Systems: Settings that are defined in a specific virtual system.
    - Other Changes: Settings that are not specific to a virtual system (such as shared objects).

Include in Commit (partial commit only)
    Enables you to select the changes you want to commit. By default, all changes within the Commit Scope are selected. This column displays only after you choose to Commit Changes Made By specific administrators.
    There might be dependencies that affect the changes you include in a commit. For example, if you add an object and another administrator then edits that object, you cannot commit the change for the other administrator without also committing your own change.

Preview Changes
    Enables you to compare the configurations you selected in the Commit Scope to the running configuration. The preview window uses color coding to indicate which changes are additions (green), modifications (yellow), or deletions (red).
    To help you match the changes to sections of the web interface, you can configure the preview window to display Lines of Context before and after each change. These lines are from the files of the candidate and running configurations that you are comparing.
    Because the preview results display in a new browser window, your browser must allow pop-ups. If the preview window does not open, refer to your browser documentation for the steps to allow pop-ups.
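The following is an added example, not code from the guide or from Palo Alto Networks; it serves the Preview Changes and Change Summary rows here and the identical rows under Save Candidate Configurations and Revert Changes. It takes a running and a candidate configuration and produces the two views the dialog offers: a per-object summary of additions, modifications and deletions (keyed by the entry's name and container, the way Object Name and Location identify a setting), and a line-oriented preview with a chosen number of lines of context. The two configuration fragments are a constructed toy subset of the configuration XML; the function and constant names are this example's own.

```python
"""Added example (not from the guide): per-object change summary and a
context-diff preview of a candidate configuration against the running one."""
import difflib
import xml.etree.ElementTree as ET

# Constructed fragments: db-1 is modified, old-proxy deleted, web-2 added.
RUNNING_CONFIG = """<config>
  <address>
    <entry name="web-1"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
    <entry name="db-1"><ip-netmask>10.1.2.20/32</ip-netmask></entry>
    <entry name="old-proxy"><ip-netmask>10.1.3.30/32</ip-netmask></entry>
  </address>
</config>
"""

CANDIDATE_CONFIG = """<config>
  <address>
    <entry name="web-1"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
    <entry name="db-1"><ip-netmask>10.1.2.21/32</ip-netmask></entry>
    <entry name="web-2"><ip-netmask>10.1.1.11/32</ip-netmask></entry>
  </address>
</config>
"""


def _named_entries(xml_text):
    """Map every <entry name=...> to a canonical serialization of its subtree.
    Keys are built from container tags and entry names, e.g. /address/db-1,
    so the same object is compared across the two configurations by identity,
    not by line position."""
    root = ET.fromstring(xml_text)
    for e in root.iter():                   # strip indentation so layout never counts as a change
        if e.text and not e.text.strip():
            e.text = None
        if e.tail and not e.tail.strip():
            e.tail = None
    found = {}

    def walk(elem, path):
        for child in elem:
            if child.tag == "entry" and child.get("name") is not None:
                key = f"{path}/{child.get('name')}"
                found[key] = ET.tostring(child, encoding="unicode")
            else:
                key = f"{path}/{child.tag}"
            walk(child, key)                # nested entries get their own keys too

    walk(root, "")
    return found


def change_summary(running_xml, candidate_xml):
    """Which objects the commit would create, edit or delete. A nested entry
    that changes also marks its enclosing entry as modified, which is the
    conservative reading for a partial commit."""
    before, after = _named_entries(running_xml), _named_entries(candidate_xml)
    return {
        "added": sorted(k for k in after if k not in before),       # green in the preview window
        "deleted": sorted(k for k in before if k not in after),     # red
        "modified": sorted(k for k in after if k in before and after[k] != before[k]),  # yellow
    }


def preview(running_xml, candidate_xml, lines_of_context=3):
    """Unified diff of the two files with the chosen Lines of Context."""
    return "".join(difflib.unified_diff(
        running_xml.splitlines(keepends=True), candidate_xml.splitlines(keepends=True),
        fromfile="running-config.xml", tofile="candidate-config.xml", n=lines_of_context))


if __name__ == "__main__":
    print(change_summary(RUNNING_CONFIG, CANDIDATE_CONFIG))
    print(preview(RUNNING_CONFIG, CANDIDATE_CONFIG, lines_of_context=1))
```

The per-object summary is the one to read during the configuration audit that the Last Login Time section recommends after a suspected account compromise: a line diff shows that something changed, the object-level view says which rule or address it was and whether it was created, edited or removed.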
Change Summary
    Lists the individual settings for which you are committing changes. The Change Summary list displays the following information for each setting:
    - Object Name: The name that identifies the policy, object, network setting, or device setting.
    - Type: The type of setting (such as Address, Security rule, or Zone).
    - Location Type: Indicates whether the setting is defined in Virtual Systems.
    - Location: The name of the virtual system where the setting is defined. The column displays Shared for settings that are not specific to a virtual system.
    - Operations: Indicates every operation (create, edit, or delete) performed on the setting since the last commit.
    - Owner: The administrator who made the last change to the setting.
    - Will Be Committed: Indicates whether the commit currently includes the setting.
    - Previous Owners: Administrators who made changes to the setting before the last change.
    Optionally, you can Group By column name (such as Type).
Validate Commit
    Validates whether the firewall configuration has correct syntax and is semantically complete. The output includes the same errors and warnings that a commit would display, including rule shadowing and application dependency warnings. The validation process enables you to find and fix errors before you commit (it makes no changes to the running configuration). This is useful if you have a fixed commit window and want to be sure the commit will succeed without errors.

Description
    Allows you to enter a description (up to 512 characters) to help other administrators understand what changes you made.
    The System log for a commit event truncates descriptions longer than 512 characters.

Commit
    Starts the commit or, if other commits are pending, adds your commit to the commit queue.
Save Candidate Configurations

You should periodically save your changes so that you don't lose them if the firewall or Panorama reboots.

Saving your changes to the candidate configuration does not activate those changes; you must Commit Changes to activate them.

The Save Changes dialog displays the options described in the following table:

Field/Button    Description

Save All Changes
    Saves all changes for which you have administrative privileges (default). You cannot manually filter the scope of the configuration changes that the firewall saves when you select this option. Instead, the administrator role assigned to the account you used to log in determines the save scope:
    - Superuser role: The firewall saves the changes of all administrators.
    - Custom role: The privileges of the Admin Role profile assigned to your account determine the save scope (see Device > Admin Roles). If the profile includes the privilege to Save For Other Admins, the firewall saves changes configured by any and all administrators. If your Admin Role profile does not include the privilege to Save For Other Admins, the firewall saves only your changes and not those of other administrators.
    If you have implemented access domains, the firewall automatically applies those domains to filter the save scope (see Device > Access Domain). Regardless of your administrative role, the firewall saves only the configuration changes in the access domains assigned to your account.
Save Changes Made By
    Filters the scope of the configuration changes the firewall saves. The administrative role assigned to the account you used to log in determines your filtering options:
    - Superuser role: You can limit the save scope to changes that specific administrators made and to changes in specific locations.
    - Custom role: The privileges of the Admin Role profile assigned to your account determine your filtering options (see Device > Admin Roles). If the profile includes the privilege to Save For Other Admins, you can limit the save scope to changes configured by specific administrators and to changes in specific locations. If your Admin Role profile does not include the privilege to Save For Other Admins, you can limit the save scope only to the changes you made in specific locations.
    Filter the save scope as follows:
    - Filter by administrator: Even if your role allows saving the changes of other administrators, the save scope includes only your changes by default. To add other administrators to the save scope, click the <usernames> link, select the administrators, and click OK.
    - Filter by location: Select changes in specific locations to Include in Save.
    If you have implemented access domains, the firewall automatically filters the save scope based on those domains (see Device > Access Domain). Regardless of your administrative role and your filtering choices, the save scope includes only the configuration changes in the access domains assigned to your account.

Save Scope
    Lists the locations that have changes to save. Whether the list includes all changes or a subset of the changes depends on several factors, as described for the Save All Changes and Save Changes Made By options. The locations can be any of the following:
    - shared-object: Settings that are defined in the Shared location.
    - policy-and-objects (firewall only): Policy rules or objects that are defined on a firewall that does not have multiple virtual systems.
    - device-and-network (firewall only): Network and device settings that are global (such as Interface Management profiles) and not specific to a virtual system.
    - <virtual-system> (firewall only): The name of the virtual system in which policy rules or objects are defined on a firewall that has multiple virtual systems. This also includes network and device settings that are specific to a virtual system (such as zones).
    - <device-group> (Panorama only): The name of the device group in which the policy rules or objects are defined.
    - <template> (Panorama only): The name of the template or template stack in which the settings are defined.
    - <log-collector-group> (Panorama only): The name of the Collector Group in which the settings are defined.
    - <log-collector> (Panorama only): The name of the Log Collector in which the settings are defined.
Location Type
    This column categorizes the locations where the changes were made:
    - Virtual Systems (firewall only): Settings that are defined in a specific virtual system.
    - Device Groups (Panorama only): Settings that are defined in a specific device group.
    - Templates (Panorama only): Settings that are defined in a specific template or template stack.
    - Collector Groups (Panorama only): Settings that are specific to a Collector Group configuration.

Include in Save (partial save only)
    Enables you to select the changes you want to save. By default, all changes within the Save Scope are selected. This column displays only after you choose to Save Changes Made By specific administrators.
    There might be dependencies that affect the changes you include in a save. For example, if you add an object and another administrator then edits that object, you cannot save the change for the other administrator without also saving your own change.

Preview Changes
    Enables you to compare the configurations you selected in the Save Scope to the running configuration. The preview window uses color coding to indicate which changes are additions (green), modifications (yellow), or deletions (red).
    To help you match the changes to sections of the web interface, you can configure the preview window to display Lines of Context before and after each change. These lines are from the files of the candidate and running configurations that you are comparing.
    Because the preview results display in a new window, your browser must allow pop-up windows. If the preview window does not open, refer to your browser documentation for the steps to unblock pop-up windows.
Change Summary
    Lists the individual settings for which you are saving changes. The Change Summary list displays the following information for each setting:
    - Object Name: The name that identifies the policy, object, network setting, or device setting.
    - Type: The type of setting (such as Address, Security rule, or Zone).
    - Location Type: Indicates whether the setting is defined in Virtual Systems.
    - Location: The name of the virtual system where the setting is defined. The column displays Shared for settings that are not specific to a virtual system.
    - Operations: Indicates every operation (create, edit, or delete) performed on the setting since the last commit.
    - Owner: The administrator who made the last change to the setting.
    - Will Be Saved: Indicates whether the save operation will include the setting.
    - Previous Owners: Administrators who made changes to the setting before the last change.
    Optionally, you can Group By column name (such as Type).

Save
    Saves the selected changes to a configuration snapshot file:
    - If you selected Save All Changes, the firewall overwrites the default configuration snapshot file (.snapshot.xml).
    - If you selected Save Changes Made By, specify the Name of a new or existing configuration file, and click OK.
Revert Changes

Field/Button    Description

Revert All Changes
    Reverts all changes for which you have administrative privileges (default). You cannot manually filter the scope of the configuration changes that the firewall reverts when you select this option. Instead, the administrator role assigned to the account you used to log in determines the revert scope:
    - Superuser role: The firewall reverts the changes of all administrators.
    - Custom role: The privileges of the Admin Role profile assigned to your account determine the revert scope (see Device > Admin Roles). If the profile includes the privilege to Commit For Other Admins, the firewall reverts changes configured by any and all administrators. If your Admin Role profile does not include the privilege to Commit For Other Admins, the firewall reverts only your changes and not those of other administrators.
    In Admin Role profiles, the privileges for committing also apply to reverting.
    If you implemented access domains, the firewall automatically applies those domains to filter the revert scope (see Device > Access Domain). Regardless of your administrative role, the firewall reverts only the configuration changes in the access domains assigned to your account.
Revert Changes Made By
    Filters the scope of configuration changes that the firewall reverts. The administrative role assigned to the account you used to log in determines your filtering options:
    - Superuser role: You can limit the revert scope to changes that specific administrators made and to changes in specific locations.
    - Custom role: The privileges of the Admin Role profile assigned to your account determine your filtering options (see Device > Admin Roles). If the profile includes the privilege to Commit For Other Admins, you can limit the revert scope to changes configured by specific administrators and to changes in specific locations. If your Admin Role profile does not include the privilege to Commit For Other Admins, you can limit the revert scope only to the changes you made in specific locations.
    Filter the revert scope as follows:
    - Filter by administrator: Even if your role allows reverting the changes of other administrators, the revert scope includes only your changes by default. To add other administrators to the revert scope, click the <usernames> link, select the administrators, and click OK.
    - Filter by location: Select the changes in specific locations to Include in Revert.
    If you have implemented access domains, the firewall automatically filters the revert scope based on those domains (see Device > Access Domain). Regardless of your administrative role and your filtering choices, the revert scope includes only the configuration changes in the access domains assigned to your account.

Revert Scope
    Lists the locations that have changes to revert. Whether the list includes all changes or a subset of the changes depends on several factors, as described for the Revert All Changes and Revert Changes Made By options. The locations can be any of the following:
    - shared-object: Settings that are defined in the Shared location.
    - policy-and-objects (firewall only): Policy rules or objects that are defined on a firewall that does not have multiple virtual systems.
    - device-and-network (firewall only): Network and device settings that are global (such as Interface Management profiles) and not specific to a virtual system.
    - <virtual-system> (firewall only): The name of the virtual system in which policy rules or objects are defined on a firewall that has multiple virtual systems. This also includes network and device settings that are specific to a virtual system (such as zones).
    - <device-group> (Panorama only): The name of the device group in which the policy rules or objects are defined.
    - <template> (Panorama only): The name of the template or template stack in which the settings are defined.
    - <log-collector-group> (Panorama only): The name of the Collector Group in which the settings are defined.
    - <log-collector> (Panorama only): The name of the Log Collector in which the settings are defined.
Location Type
    This column categorizes the locations where the changes were made:
    - Virtual Systems (firewall only): Settings that are defined in a specific virtual system.
    - Device Group (Panorama only): Settings that are defined in a specific device group.
    - Template (Panorama only): Settings that are defined in a specific template or template stack.
    - Log Collector Group (Panorama only): Settings that are specific to a Collector Group configuration.
    - Log Collector (Panorama only): Settings that are specific to a Log Collector configuration.
    - Other Changes: Settings that are not specific to any of the preceding configuration areas (such as shared objects).

Include in Revert (partial revert only)
    Enables you to select the changes you want to revert. By default, all changes within the Revert Scope are selected. This column displays only after you choose to Revert Changes Made By specific administrators.
    There might be dependencies that affect the changes you include in a revert. For example, if you add an object and another administrator then edits that object, you cannot revert your change without also reverting the change for the other administrator.

Preview Changes
    Enables you to compare the configurations you selected in the Revert Scope to the running configuration. The preview window uses color coding to indicate which changes are additions (green), modifications (yellow), or deletions (red).
    To help you match the changes to sections of the web interface, you can configure the preview window to display Lines of Context before and after each change. These lines are from the files of the candidate and running configurations that you are comparing.
    Because the preview results display in a new window, your browser must allow pop-up windows. If the preview window does not open, refer to your browser documentation for the steps to unblock pop-up windows.
Change Summary
    Lists the individual settings for which you are reverting changes. The Change Summary list displays the following information for each setting:
    - Object Name: The name that identifies the policy, object, network setting, or device setting.
    - Type: The type of setting (such as Address, Security rule, or Zone).
    - Location Type: Indicates whether the setting is defined in Virtual Systems.
    - Location: The name of the virtual system where the setting is defined. The column displays Shared for settings that are not specific to a virtual system.
    - Operations: Indicates every operation (create, edit, or delete) performed on the setting since the last commit.
    - Owner: The administrator who made the last change to the setting.
    - Will Be Reverted: Indicates whether the revert operation will include the setting.
    - Previous Owners: Administrators who made changes to the setting before the last change.
    Optionally, you can Group By column name (such as Type).

Revert
    Reverts the selected changes.
Lock Configurations

To help you coordinate configuration tasks with other firewall administrators during concurrent login sessions, the web interface enables you to apply a configuration lock or a commit lock so that other administrators cannot change the configuration or commit changes until the lock is removed.

At the top right of the web interface, a locked padlock indicates that one or more locks are set (with the number of locks in parentheses); an unlocked padlock indicates that no locks are set. Clicking either padlock opens the Locks dialog, which provides the following options and fields.

To configure the firewall to automatically set a commit lock whenever an administrator changes the candidate configuration, select Device > Setup > Management, edit the General Settings, enable Automatically Acquire Commit Lock, and then click OK and Commit.

When you revert changes (Config > Revert Changes), the firewall automatically locks the candidate and running configuration so that other administrators cannot edit settings or commit changes. After completing the revert process, the firewall automatically removes the lock.

Field/Button    Description

Admin
    The username of the administrator who set the lock.

Location
    On a firewall with more than one virtual system (vsys), the scope of the lock can be a specific vsys or the Shared location.

Type
    The lock type can be:
    - Config Lock: Blocks other administrators from changing the candidate configuration. Only a superuser or the administrator who set the lock can remove it.
    - Commit Lock: Blocks other administrators from committing changes made to the candidate configuration. The commit queue does not accept new commits until all locks are released. This lock prevents collisions that can occur when multiple administrators make changes during concurrent login sessions and one administrator finishes and initiates a commit before the other administrators have finished. The firewall automatically removes the lock after completing the commit for which the administrator set the lock. A superuser or the administrator who set the lock can also manually remove it.

Comment
    Enter up to 256 characters of text. This is useful for other administrators who want to know the reason for the lock.

Created At
    The date and time when an administrator set the lock.

Logged In
    Indicates whether the administrator who set the lock is currently logged in.
Global Find

Global Find enables you to search the candidate configuration on a firewall or on Panorama for a particular string, such as an IP address, object name, policy name, threat ID, or application name. The search results are grouped by category and provide links to the configuration location in the web interface so that you can easily find all of the places where the string exists or is referenced.

To launch Global Find, click the Search icon on the upper right side of the web interface. Global Find is available from all web interface pages and locations. The following is a list of Global Find features to help you perform successful searches:
- If you initiate a search on a firewall that has multiple virtual systems enabled, or if administrative roles are defined, Global Find returns results only for areas of the firewall that you have permission to access. The same applies to Panorama device groups; you see search results only for device groups to which you have administrative access.
- Spaces in search text are handled as AND operations. For example, if you search on corp policy, both corp and policy must exist in the configuration item for it to be included in the search results.
- To find an exact phrase, surround the phrase in quotes.
- To rerun a previous search, click Global Find and a list of the last 20 searches is displayed. Click any item in the list to rerun that search. The search history list is unique to each administrative account.

Global Find is available for each field that is searchable. For example, in the case of a security policy, you can search on the following fields: Name, Tags, Zone, Address, User, HIP Profile, Application, and Service. To perform a search, click the drop-down next to any of these fields and click Global Find. For example, if you click Global Find on a zone named l3-vlan-trust, Global Find searches the entire configuration for that zone name and returns results for each location where the zone is referenced. The search results are grouped by category, and you can hover over any item to view details or click an item to navigate to the configuration page for that item.

Global Find does not search dynamic content that the firewall allocates to users (such as logs, address ranges, or individual DHCP addresses). In the case of DHCP, you can search on a DHCP server attribute, such as the DNS entry, but you cannot search for individual addresses issued to users. Another example is usernames that the firewall collects when you enable the User-ID feature. In this case, a username or user group that exists in the User-ID database is only searchable if the name or group exists in the configuration, such as when a user group name is defined in a policy. In general, you can only search for content that the firewall writes to the configuration.
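The following is an added example, not code from the guide or from Palo Alto Networks. It implements the search rules the section states over a configuration tree: whitespace-separated terms are ANDed, a double-quoted run is matched as an exact phrase, hits are grouped by the category (container) they sit in, and results are restricted to the virtual systems the caller is permitted to see. The configuration XML is a constructed toy subset of the tree; `global_find`, `parse_query` and `allowed_vsys` are this example's own names, and the category is simply the tag of the container that holds the matching entry.

```python
"""Added example (not from the guide): Global Find semantics over a constructed
configuration fragment."""
import re
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config>
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <zone><entry name="l3-vlan-trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry></zone>
  <address><entry name="corp-web"><ip-netmask>10.1.1.10/32</ip-netmask></entry></address>
  <rulebase><security><rules>
    <entry name="corp policy allow web"><from><member>l3-vlan-trust</member></from><to><member>untrust</member></to>
      <source><member>corp-web</member></source><action>allow</action></entry>
    <entry name="deny all"><from><member>any</member></from><to><member>any</member></to><action>deny</action></entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices>
</config>"""


def parse_query(query):
    """Whitespace separates AND terms; a double-quoted run is one exact phrase."""
    terms = [phrase or word for phrase, word in re.findall(r'"([^"]*)"|(\S+)', query)]
    return [t.lower() for t in terms if t]


def _own_text(entry):
    """Searchable text of one configuration item: its name plus the attribute
    values and text of its subtree, stopping at nested entries so that a vsys
    or device entry does not match on everything it contains."""
    parts = [entry.get("name", "")]

    def collect(elem):
        for child in elem:
            if child.tag == "entry":
                continue
            parts.extend(child.attrib.values())
            if child.text and child.text.strip():
                parts.append(child.text.strip())
            collect(child)

    collect(entry)
    return " ".join(parts).lower()


def global_find(config_xml, query, allowed_vsys=None):
    """Return {category: [{'name': ..., 'path': ...}, ...]} for every named
    entry whose own text contains all query terms. allowed_vsys, if given,
    limits the results to those virtual systems, mirroring the permission
    rule the section describes."""
    terms = parse_query(query)
    if not terms:
        return {}
    results = {}

    def walk(elem, path):
        for child in elem:
            if child.tag == "entry" and child.get("name") is not None:
                name = child.get("name")
                child_path = f"{path}/{name}"
                in_scope = allowed_vsys is None or any(
                    f"/vsys/{v}/" in child_path + "/" for v in allowed_vsys)
                if in_scope:
                    text = _own_text(child)
                    if all(t in text for t in terms):
                        results.setdefault(elem.tag, []).append({"name": name, "path": child_path})
            else:
                child_path = f"{path}/{child.tag}"
            walk(child, child_path)

    walk(ET.fromstring(config_xml), "")
    return results


if __name__ == "__main__":
    for q in ("corp policy", '"corp policy"', "l3-vlan-trust"):
        print(q, "->", global_find(SAMPLE_CONFIG, q))
    print("as a vsys2-only admin:", global_find(SAMPLE_CONFIG, "corp", allowed_vsys=["vsys2"]))
```

Searching for the zone name returns both the zone definition and the security rule that references it, which is the "every location where the zone is referenced" behaviour described above; the same search as an administrator restricted to another virtual system returns nothing.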
Threat Details

- Monitor > Logs > Threat
- ACC > Threat Activity
- Objects > Security Profiles > Anti-Spyware/Vulnerability Protection

Use the Threat Details dialog to learn more about the threat signatures with which the firewall is equipped and the events that trigger those signatures. Threat details are provided for:
- Threat logs that record the threats that the firewall detects (Monitor > Logs > Threat)
- The top threats found in your network (ACC > Threat Activity)
- Threat signatures that you want to modify or exclude from enforcement (Objects > Security Profiles > Anti-Spyware/Vulnerability Protection)

When you find a threat signature you want to learn more about, hover over the Threat Name or the threat ID and click Exception to review the threat details. The threat details allow you to easily check whether a threat signature is configured as an exception to your security policy and to find the latest Threat Vault information about a specific threat. The Palo Alto Networks Threat Vault database is integrated with the firewall, allowing you to view expanded details about threat signatures in the firewall context or launch a Threat Vault search in a new browser window for a logged threat.

Depending on the type of threat you're reviewing, the details include all or some of the threat details described in the following table.

Threat Details    Description

Name
    Threat signature name.

Description
    Information about the threat that triggers the signature.

Severity
    The threat severity level: informational, low, medium, high, or critical.

CVE
    Publicly known security vulnerabilities associated with the threat. The Common Vulnerabilities and Exposures (CVE) identifier is the most useful identifier for finding information about unique vulnerabilities, as vendor-specific IDs commonly encompass multiple vulnerabilities.

Bugtraq ID
    The Bugtraq ID associated with the threat.

Vendor ID
    The vendor-specific identifier for a vulnerability. For example, MS16-148 is the vendor ID for one or more Microsoft vulnerabilities and APSB16-39 is the vendor ID for one or more Adobe vulnerabilities.

Reference
    Research sources you can use to learn more about the threat.
If you're having trouble viewing threat details, check for the following conditions:
- The firewall Threat Prevention license is active (Device > Licenses).
- The latest Antivirus and Threats and Applications content updates are installed.
- Threat Vault access is enabled (select Device > Setup > Management and edit the Logging and Reporting setting to Enable Threat Vault Access).
- The default (or custom) Antivirus, Anti-Spyware, and Vulnerability Protection security profiles are applied to your security policy.
AutoFocus Intelligence Summary

You can view a graphical overview of threat intelligence that AutoFocus compiles to help you assess the pervasiveness and risk of the following firewall artifacts:
- IP Address
- URL
- Domain
- User agent (found in the User Agent column of Data Filtering logs)
- Threat name (only for threats of the subtypes virus and wildfire-virus)
- Filename
- SHA-256 hash (found in the File Digest column of WildFire Submissions logs)

To view the AutoFocus Intelligence Summary window, you must have an active AutoFocus subscription and enable AutoFocus threat intelligence. Hover over an artifact to open the drop-down and then click AutoFocus. The AutoFocus Intelligence Summary is only available when you:
- View Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Unified logs (Monitor > Logs).
- View external dynamic list entries.

Field/Button    Description

Search AutoFocus for...
    Click to launch an AutoFocus search for the artifact.

Sessions
    The number of private sessions in which WildFire detected the artifact. Private sessions are sessions running only on firewalls associated with your support account. Hover over a session bar to view the number of sessions per month.

Samples
    Organization and global samples (files and email links) associated with the artifact and grouped by WildFire verdict (benign, grayware, or malware). Global refers to samples from all WildFire submissions, while organization refers only to samples submitted to WildFire by your organization.
    Click on a WildFire verdict to launch an AutoFocus search for the artifact filtered by scope (organization or global) and WildFire verdict.
Request: The domain that submitted a DNS request. Click the domain to launch an AutoFocus search for it.
Type: The DNS request type (example: A, NS, CNAME).
Response: The IP address or domain to which the DNS request resolved. Click the IP address or domain to launch an AutoFocus search. The Response column does not display private IP addresses.
Count: The number of times the request was made.
First Seen: The date and time that the Request, Response, and Type combination was first seen, based on passive DNS history.
Last Seen: The date and time that the Request, Response, and Type combination was most recently seen, based on passive DNS history.
SHA256: The SHA-256 hash for a sample. Click the hash to launch an AutoFocus search for that hash.
File Type: The file type of the sample.
Create Date: The date and time that WildFire analyzed a sample and assigned a WildFire verdict to it.
Update Date: The date and time that WildFire updated the WildFire verdict for a sample.
Verdict: The WildFire verdict for a sample: benign, grayware, or malware.
Dashboard
The Dashboard widgets show general firewall or Panorama information, such as the software version, status of each interface, resource utilization, and up to 10 entries for each of several log types; log widgets display entries from the last hour. By default, the Dashboard displays widgets in a Layout of 3 Columns, but you can customize the Dashboard to display only 2 Columns instead.
You can also decide which widgets to display or hide so that you see only those you want to monitor. To display a widget, select a widget category from the Widgets drop-down and select a widget to add it to the Dashboard (widget names that appear in faded, grayed-out text are already displayed). Hide (stop displaying) a widget by closing the widget (the close icon in the widget header). The firewall and Panorama save your widget display settings across logins (separately for each administrator).
Refer to the Last updated timestamp to determine when the Dashboard data was last refreshed. You can manually refresh the entire Dashboard (the refresh icon in the top right corner of the Dashboard) or you can refresh individual widgets (the refresh icon within each widget header). Use the unlabeled drop-down next to the manual Dashboard refresh option to select the automatic refresh interval for the entire Dashboard (in minutes): 1 min, 2 mins, or 5 mins; to disable automatic refresh for the entire Dashboard, select Manual.
Dashboard Widgets: Description
Application Widgets
Top Applications: Displays the applications with the most sessions. The block size indicates the relative number of sessions (mouse over the block to view the number), and the color indicates the security risk, from green (lowest) to red (highest). Click an application to view its application profile.
Top High Risk Applications: Similar to Top Applications, except that it displays the highest-risk applications with the most sessions.
ACC Risk Factor: Displays the average risk factor (1-5) for the network traffic processed over the past week. Higher values indicate higher risk.
System Widgets
General Information: Displays the firewall or Panorama name and model, the PAN-OS or Panorama software version, the application, threat, and URL filtering definition versions, the current date and time, and the length of time since the last restart.
Interfaces (Firewall only): Indicates whether each interface is up (green), down (red), or in an unknown state (gray).
System Resources: Displays the Management CPU usage, Data Plane usage, and the Session Count (the number of sessions established through the firewall or Panorama).
High Availability: Indicates, when high availability (HA) is enabled, the HA status of the local and peer firewall/Panorama: green (active), yellow (passive), or black (other). For more information about HA, refer to Device > Virtual Systems or Panorama > High Availability.
Locks: Shows configuration locks that administrators have set.
Logged In Admins: Displays the source IP address, session type (web interface or CLI), and session start time for each administrator who is currently logged in.
Logs Widgets
Threat Logs: Displays the threat ID, application, and date and time for the last 10 entries in the Threat log. The threat ID is a malware description or a URL that violates the URL filtering profile. Displays only entries from the last 60 minutes.
URL Filtering Logs: Displays the description and date and time for the last 60 minutes in the URL Filtering log.
Data Filtering Logs: Displays the description and date and time for the last 60 minutes in the Data Filtering log.
Config Logs: Displays the administrator username, client (web interface or CLI), and date and time for the last 10 entries in the Configuration log. Displays only entries from the last 60 minutes.
System Logs: Displays the description and date and time for the last 10 entries in the System log. A "Config installed" entry indicates that configuration changes were committed successfully. Displays only entries from the last 60 minutes.
ACC
The Application Command Center (ACC) is an analytical tool that provides actionable intelligence about the activity within your network. The ACC uses the firewall logs to graphically depict traffic trends on your network. The graphical representation allows you to interact with the data and visualize the relationships between events on the network, including network usage patterns, traffic patterns, and suspicious activity and anomalies.
What do you want to know? See:
How do I use the ACC? A First Glance at the ACC; ACC Tabs; ACC Widgets
How do I interact with the ACC? ACC Actions; Working with Tabs and Widgets; Working with Filters
Looking for more? Use the Application Command Center
A First Glance at the ACC
1. Tabs: The ACC includes predefined tabs that provide visibility into network traffic, threat activity, blocked activity, and tunnel activity. For information on each tab, see ACC Tabs.
2. Widgets: Each tab includes a default set of widgets that best represent the events and trends associated with the tab. The widgets allow you to survey the data using the following filters: bytes (in and out), sessions, content (files and data), URL categories, applications, users, threats (malicious, benign, grayware, phishing), and count. For information on each widget, see ACC Widgets.
3. Time: The charts and graphs in each widget provide a real-time and historic view. You can choose a custom range or use the predefined time periods that range from the last 15 minutes up to the last 30 days or last 30 calendar days. The time period used to render data, by default, is the last hour. The date and time interval are displayed on screen. For example: 11/11 10:30:00-01/12 11:29:59
4. Global Filters: The global filters allow you to set the filter across all tabs. The charts and graphs apply the selected filters before rendering the data. For information on using the filters, see ACC Actions.
5. Application View: The application view allows you to filter the ACC view by either the sanctioned and unsanctioned applications in use on your network, or by the risk level of the applications in use on your network. Green indicates sanctioned applications, blue unsanctioned applications, and yellow indicates applications that have a different sanctioned state across different virtual systems or device groups.
6. Risk Meter: The risk meter (1 = lowest to 5 = highest) indicates the relative security risk on your network. The risk meter uses a variety of factors, such as the type of applications seen on the network and the risk levels associated with the applications, the threat activity and malware as seen through the number of blocked threats, and compromised hosts or traffic to malware hosts and domains.
7. Source: The data used for the display varies between the firewall and Panorama. You have the following options to select what data is used to generate the views on the ACC:
- Virtual System: On a firewall that is enabled for multiple virtual systems, you can use the Virtual System drop-down to change the ACC display to include all virtual systems or just a selected virtual system.
- Device Group: On Panorama, you can use the Device Group drop-down to change the ACC display to include data from all device groups or just a selected device group.
- Data Source: On Panorama, you can also change the display to use Panorama or Remote Device Data (managed firewall data). When the data source is Panorama, you can filter the display for a specific device group.
8. Export: You can export the widgets displayed in the current tab as a PDF.
ACC Tabs
- Network Activity: Displays an overview of traffic and user activity on your network. It focuses on the top applications being used, the top users who generate traffic (with a drill-down into the bytes, content, threats, or URLs accessed by the user), and the most used security rules against which traffic matches occur. In addition, you can also view network activity by source or destination zone, region, or IP address, by ingress or egress interfaces, and by host information such as the operating systems of the devices most commonly used on the network.
- Threat Activity: Displays an overview of the threats on the network. It focuses on the top threats (vulnerabilities, spyware, viruses), hosts visiting malicious domains or URLs, top WildFire submissions by file type and application, and applications that use non-standard ports. The Compromised Hosts widget supplements detection with better visualization techniques. It uses the information from the correlated events tab (Monitor > Automated Correlation Engine > Correlated Events) to present an aggregated view of compromised hosts on your network by source users or IP addresses, sorted on severity.
- Blocked Activity: Focuses on traffic that was prevented from coming into the network. The widgets in this tab allow you to view activity denied by application name, user name, threat name, content (files and data), and the top security rules with a deny action that blocked traffic.
- Tunnel Activity: Displays the activity of tunnel traffic that the firewall inspected based on your tunnel inspection policies. Information includes tunnel usage based on tunnel ID, monitor tag, user, and tunnel protocols such as Generic Routing Encapsulation (GRE), General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U), and non-encrypted IPSec.
ACC Widgets
The widgets on each tab are interactive. You can set filters and drill down into the display to customize the view and focus on the information you need.
Each widget is structured to display the following information:
1. View: You can sort the data by bytes, sessions, threats, count, users, content, applications, URLs, malicious, benign, grayware, phishing, file(name)s, data, profiles, objects. The available options vary by widget.
2. Graph: The graphical display options are treemap, line graph, horizontal bar graph, stacked area graph, stacked bar graph, and map. The available options vary by widget, and the interaction experience varies with each graph type. For example, the widget for Applications using Non Standard Ports allows you to choose between a treemap and a line graph. To drill down into the display, click on the graph. The area you click on becomes a filter and allows you to zoom in and view more granular information about that selection.
3. Table: The detailed view of the data used to render the graph displays in a table below the graph. You can click and set a local filter or a global filter for elements in the table. With a local filter, the graph is updated and the table is sorted by that filter. With a global filter, the view across the ACC pivots to display only the information specific to your filter.
4. Actions: The following actions are available in the title bar of a widget:
- Maximize view: Allows you to enlarge the widget and view it in a larger screen space. In the maximized view, you can see more than the top ten items that display in the default widget view.
- Set up local filters: Allows you to add filters that refine the display within the widget. See Working with Filters: Local Filters and Global Filters.
- Jump to logs: Allows you to directly navigate to the logs (Monitor > Logs > <log-type>). The logs are filtered using the time period for which the graph is rendered. If you set local and global filters, the log query concatenates the time period and filters and displays only logs that match your filter set.
- Export: Allows you to export the graph as a PDF.
For a description of each widget, see the details on using the ACC.
ACC Actions
To customize and refine the ACC display, you can add and delete tabs, add and delete widgets, set local and global filters, and interact with the widgets.
- Working with Tabs and Widgets
- Working with Filters: Local Filters and Global Filters
Working with Tabs and Widgets
Edit a tab: Select the tab and click edit next to the tab name to edit the tab.
Set a tab as default: 1. Edit a tab. 2. Select the default icon to set the current tab as the default. Each time you log in to the firewall, this tab will display.
Save a tab state: 1. Edit a tab. 2. Select the save icon to save your preferences in the current tab as the default. The tab state, including any filters that you may have set, is synchronized across HA peers.
Export a tab: 1. Edit a tab. 2. Select the export icon to export the current tab. The tab downloads to your computer as a .txt file. You must enable pop-ups to download the file.
Import a tab: 1. Add a custom tab. 2. Select the import icon to import a tab. 3. Browse to the text (.txt) file and select it.
See which widgets are included in a view: 1. Select the view and click edit. 2. Select the Add Widgets drop-down to review the selected widgets.
Add a widget or a widget group: 1. Add a new tab or edit a predefined tab. 2. Select Add Widget and then select the widget you want to add. You can select a maximum of 12 widgets. 3. (Optional) To create a two-column layout, select Add Widget Group. You can drag and drop widgets into the two-column display. As you drag the widget into the layout, a placeholder will display for you to drop the widget. You cannot name a widget group.
Delete a tab, widget, or widget group: To delete a custom tab, select the tab and click delete. You cannot delete a predefined tab. To delete a widget or widget group, edit the tab and then click delete ([X]). You cannot undo a deletion.
Working with Filters: Local Filters and Global Filters
To hone the details and finely control what the ACC displays, you can use filters:
- Local Filters: Local filters are applied on a specific widget. A local filter allows you to interact with the graph and customize the display so that you can dig into the details and access the information you want to monitor on a specific widget. You can apply a local filter in two ways: click into an attribute in the graph or table, or select Set Filter within a widget. Set Filter allows you to set a local filter that is persistent across reboots.
- Global Filters: Global filters are applied across the ACC. A global filter allows you to pivot the display around the details you care most about and exclude the unrelated information from the current display. For example, to view all events related to a specific user and application, you can apply the user's IP address and specify the application to create a global filter that displays only information pertaining to that user and application through all the tabs and widgets on the ACC. Global filters are not persistent across logins.
Global filters can be applied in three ways:
- Set a global filter from a table: Select an attribute from a table in any widget and apply the attribute as a global filter.
- Add a widget filter to be a global filter: Hover over the attribute and click the arrow icon to the right of the attribute. This option allows you to elevate a local filter used in a widget and apply the attribute globally to update the display across all tabs on the ACC.
- Define a global filter: Define a filter using the Global Filters pane on the ACC.
Working with Filters
Set a local filter: 1. Select a widget and click Filter. 2. Add the filters you want to apply. 3. Click Apply. These filters are persistent across reboots. You can also click an attribute in the table below the graph to apply it as a local filter. The number of local filters applied on a widget is indicated next to the widget name.
Set a global filter from a table: Hover over an attribute in a table and click the arrow that appears to the right of the attribute.
Promote a local filter to a global filter: 1. On any table in a widget, select an attribute. This sets the attribute as a local filter. 2. To promote the filter to a global filter, hover over the attribute and click the arrow to the right of the attribute.
View what filters are in use: Global filters: the number of global filters applied is displayed on the left pane under Global Filters. Local filters: the number of local filters applied on a widget is displayed next to the widget name. To view the filters, click Set Local Filters.
Monitor
The following topics describe the firewall reports and logs you can use to monitor activity on your network:
- Monitor > Logs
- Monitor > External Logs
- Monitor > Automated Correlation Engine
- Monitor > Packet Capture
- Monitor > App Scope
- Monitor > Session Browser
- Monitor > Block IP List
- Monitor > Botnet
- Monitor > PDF Reports
- Monitor > Manage Custom Reports
- Monitor > Reports
Monitor > Logs
What do you want to know? See:
Tell me about the different types of logs. Log Types
Filter logs. Export logs. View details for individual log entries. Modify the log display. Log Actions
Log Types
The firewall displays all logs so that role-based administration permissions are respected. Only the information that you have permission to see is included, and this might vary depending on the types of logs you are viewing. For information on administrator permissions, refer to Device > Admin Roles.
Log Type: Description
Traffic: Displays an entry for the start and end of each session. Each entry includes the date and time, source and destination zones, addresses and ports, application name, security rule name applied to the flow, rule action (allow, deny, or drop), ingress and egress interface, number of bytes, and session end reason.
The Type column indicates whether the entry is for the start or end of the session, or whether the session was denied or dropped. A drop indicates that the security rule that blocked the traffic specified any application, while a deny indicates that the rule identified a specific application.
If traffic is dropped before the application is identified, such as when a rule drops all traffic for a specific service, the application is shown as not-applicable.
Drill down in traffic logs for more details on individual entries and artifacts:
- Click Details to view additional details about the session, such as whether an ICMP entry aggregates multiple sessions between the same source and destination (the Count value will be greater than one).
- On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for that artifact.
Threat: Displays an entry for each security alarm generated by the firewall. Each entry includes the date and time, a threat name or URL, the source and destination zones, addresses, and ports, the application name, and the alarm action (allow or block) and severity.
The Type column indicates the type of threat, such as virus or spyware; the Name column is the threat description or URL; and the Category column is the threat category (such as keylogger) or URL category.
Drill down in threat logs for more details on individual entries and artifacts:
- Click Details to view additional details about the threat, such as whether the entry aggregates multiple threats of the same type between the same source and destination (the Count value will be greater than one).
- On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for that artifact.
- If local packet captures are enabled, click Download to access captured packets. To enable local packet captures, refer to the subsections under Objects > Security Profiles.
- To view more details about a threat or to quickly configure threat exemptions directly from the threat logs, click the threat name in the Name column. The Exempt Profiles list shows all custom Antivirus, Anti-Spyware, and Vulnerability Protection profiles. To configure an exemption for a threat signature, select the check box to the left of the security profile name and save your change. To add exemptions for IP addresses (up to 100 IP addresses per signature), highlight the security profile, add the IP address(es) in the Exempt IP Addresses section, and click OK to save. To view or modify the exemption, go to the associated security profile and click the Exceptions tab. For example, if the threat type is vulnerability, select Objects > Security Profiles > Vulnerability Protection, click the associated profile, then click the Exceptions tab.
URL Filtering: Displays logs for URL filters, which control access to websites and whether users can submit credentials to websites. Select Objects > Security Profiles > URL Filtering to define URL filtering settings, including which URL categories to block or allow and for which you want to grant or disable credential submissions. You can also enable logging of the HTTP header options for the URL.
On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for that artifact.
WildFire Submissions: Displays logs for files and email links that the firewall forwarded for WildFire analysis. The WildFire cloud analyzes the sample and returns analysis results, which include the WildFire verdict assigned to the sample (benign, malware, grayware, or phishing). You can confirm whether the firewall allowed or blocked a file based on Security policy rules by viewing the Action column.
On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash (in the File Digest column) contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for the artifact.
Data Filtering: Displays logs for the security policies with attached Data Filtering profiles, which help prevent sensitive information such as credit card or social security numbers from leaving the area protected by the firewall, and File Blocking profiles, which prevent certain file types from being uploaded or downloaded.
To configure password protection for access to the details for a log entry, click the corresponding icon. Enter the password and click OK. Refer to Device > Response Pages for instructions on changing or deleting the data protection password. The system prompts you to enter the password only once per session.
HIP Match: Displays all HIP matches that the GlobalProtect gateway identifies when comparing the raw HIP data reported by the agent to the defined HIP objects and HIP profiles. Unlike other logs, a HIP match is logged even when it does not match a security policy. For more information, refer to Network > GlobalProtect > Portals.
User-ID: Displays information about IP address-to-username mappings, such as the source of the mapping information, when the User-ID agent performed the mapping, and the remaining time before mappings expire. You can use this information to help troubleshoot User-ID issues. For example, if the firewall is applying the wrong policy rule for a user, you can view the logs to verify whether that user is mapped to the correct IP address and whether the group associations are correct.
Tunnel Inspection: Displays an entry for the start and end of each inspected tunnel session. The log includes the Receive Time (date and time the first and last packet in the session arrived), Tunnel ID, Monitor Tag, Session ID, Security rule applied to the tunnel traffic, and more. See Policies > Tunnel Inspection for more information.
Configuration: Displays an entry for each configuration change. Each entry includes the date and time, the administrator username, the IP address from where the change was made, the type of client (web interface or CLI), the type of command executed, whether the command succeeded or failed, the configuration path, and the values before and after the change.
System: Displays an entry for each system event. Each entry includes the date and time, the event severity, and an event description.
Alarms: The alarms log records detailed information on alarms that are generated by the system. The information in this log is also reported in Alarms. Refer to Define Alarm Settings.
Authentication: Displays information about authentication events that occur when end users try to access network resources for which access is controlled by Authentication policy rules. You can use this information to help troubleshoot access issues and to adjust your Authentication policy as needed. In conjunction with correlation objects, you can also use Authentication logs to identify suspicious activity on your network, such as brute force attacks.
Optionally, you can configure Authentication rules to Log Authentication Timeouts. These timeouts relate to the period of time when a user needs to authenticate for a resource only once but can access it repeatedly. Seeing information about the timeouts helps you decide if and how to adjust them.
System logs record authentication events relating to GlobalProtect and to administrator access to the web interface.
Unified: Displays the latest Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering log entries in a single view. The collective log view enables you to investigate and filter these different types of logs together (instead of searching each log set separately). Or, you can choose which log types to display: click the arrow to the left of the filter field and select traffic, threat, url, data, and/or wildfire to display only the selected log types.
On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for that artifact.
The firewall displays all logs so that role-based administration permissions are respected. When viewing Unified logs, only the logs that you have permission to see are displayed. For example, an administrator who does not have permission to view WildFire Submissions logs will not see WildFire Submissions log entries when viewing Unified logs. For information on administrator permissions, refer to Device > Admin Roles.
You can use the Unified log set with the AutoFocus threat intelligence portal. Set up an AutoFocus search to add AutoFocus search filters directly to the Unified log filter field.
Log Actions
Action: Description
Filter Logs: Each log page has a filter field at the top of the page. You can add artifacts to the field, such as an IP address or a time range, to find matching log entries. The icons to the right of the field enable you to apply, clear, create, save, and load filters.
Create a filter:
- Click an artifact in a log entry to add that artifact to the filter.
- Click Add to define new search criteria. For each criterion, select the Connector that defines the search type (and or or), the Attribute on which to base the search, an Operator to define the scope of the search, and a Value for evaluation against log entries. Add each criterion to the filter field and Close when you finish. You can then apply the filter.
If the Value string matches an Operator (such as has or in), enclose the string in quotation marks to avoid a syntax error. For example, if you filter by destination country and use IN as a Value to specify INDIA, enter the filter as ( dstloc eq "IN" ).
The log filter (receive_time in last-60-seconds) causes the number of log entries (and log pages) displayed to grow or shrink over time.
- Apply filters: Click Apply Filter to display log entries that match the current filter.
- Delete filters: Click Clear Filter to clear the filter field.
- Save a filter: Click Save Filter, enter a name for the filter, and click OK.
- Use a saved filter: Click Load Filter to add a saved filter to the filter field.
Highlight Policy Actions: Select to highlight log entries that match the action. The filtered logs are highlighted in the following colors:
- Green: Allow
- Yellow: Continue, or override
- Red: Deny, drop, drop-icmp, reset-client, reset-server, reset-both, block-continue, block-override, block-url, drop-all, sinkhole
Change Log Display: To customize the log display:
- Change the automatic refresh interval: Select an interval from the interval drop-down (60 seconds, 30 seconds, 10 seconds, or Manual).
- Change the number and order of entries displayed per page: Log entries are retrieved in blocks of 10 pages. Use the paging controls at the bottom of the page to navigate through the log list. To change the number of log entries per page, select the number of rows from the per-page drop-down (20, 30, 40, 50, 75, or 100). To sort the results in ascending or descending order, use the ASC or DESC drop-down.
- Resolve IP addresses to domain names: Select Resolve Hostname to begin resolving external IP addresses to domain names.
- Change the order in which logs are displayed: Select DESC to display logs in descending order, beginning with the log entries with the most recent Receive Time. Select ASC to display logs in ascending order, beginning with the log entries with the oldest Receive Time.
View Details for Individual Log Entries: To view information about individual log entries:
- To display additional details, click Details for an entry. If the source or destination has an IP address-to-domain or username mapping defined in the Addresses page, the name is presented instead of the IP address. To view the associated IP address, move your cursor over the name.
- On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for the artifact.
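The Filter Logs syntax described above (parenthesized attribute/operator/value criteria joined by and/or connectors, quotation marks around a Value that would otherwise read as an Operator, and the relative receive_time form) can be exercised offline with the following evaluator. This is an added example, not code from the guide or from PAN-OS itself; it runs filter strings over constructed log entries held as dictionaries. The attribute names dstloc and receive_time and the operators eq, in and has come from the guide; the attribute addr.src, the CIDR form of in, the sample entries, and the rule that and binds tighter than or are assumptions of this evaluator, so group with parentheses as the guide does.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Connectors and operators are reserved words: an unquoted value that spells one of
# them (for example the country code IN) is a syntax error, as the guide notes.
OPERATORS = {"eq", "in", "has"}
RESERVED = OPERATORS | {"and", "or"}
TOKEN_RE = re.compile(r'\s*(?:([()])|"([^"]*)"|([^\s()"]+)|(\S))')
RELATIVE_RE = re.compile(r"^last-(\d+)-(seconds|minutes|hours|days)$")


def tokenize(text):
    """Split a filter string into (kind, value) tokens; quoted values are never keywords."""
    tokens = []
    for m in TOKEN_RE.finditer(text):
        paren, quoted, word, bad = m.groups()
        if bad:
            raise SyntaxError(f"unexpected character {bad!r}")
        if paren:
            tokens.append(("paren", paren))
        elif quoted is not None:
            tokens.append(("string", quoted))
        else:
            tokens.append(("word", word))
    return tokens


def parse(text):
    """Parse '( attr op value ) and/or ( ... )' into OR-alternatives of AND-criteria.
    'and' binding tighter than 'or' is this evaluator's assumption, not the guide's."""
    toks, alternatives, current, i = tokenize(text), [], [], 0
    while i < len(toks):
        if toks[i] != ("paren", "(") or i + 4 >= len(toks) or toks[i + 4] != ("paren", ")"):
            raise SyntaxError("each criterion must have the form ( attribute operator value )")
        attr, op, (kind, value) = toks[i + 1][1], toks[i + 2][1].lower(), toks[i + 3]
        if op not in OPERATORS or kind == "paren":
            raise SyntaxError(f"malformed criterion near {value!r}")
        if kind == "word" and value.lower() in RESERVED:
            raise SyntaxError(f"value {value!r} reads as an operator; enclose it in quotation marks")
        current.append((attr, op, value))
        i += 5
        if i < len(toks):  # a connector must follow, and then another criterion
            if toks[i] == ("word", "or"):
                alternatives.append(current)
                current = []
            elif toks[i] != ("word", "and"):
                raise SyntaxError(f"expected and/or, got {toks[i][1]!r}")
            i += 1
            if i >= len(toks):
                raise SyntaxError("filter ends after a connector")
    if not current:
        raise SyntaxError("empty filter")
    alternatives.append(current)
    return alternatives


def match(criterion, entry, now):
    """Evaluate one criterion against a log entry (a dict of attribute values)."""
    attr, op, value = criterion
    actual = entry.get(attr)
    if actual is None:
        return False
    if attr == "receive_time" and op == "in":  # relative window, e.g. last-60-seconds
        m = RELATIVE_RE.match(value)
        if m is None:
            raise SyntaxError(f"bad relative time {value!r}")
        return actual >= now - timedelta(**{m.group(2): int(m.group(1))})
    actual = str(actual)
    if op == "eq":
        return actual == value
    if op == "has":
        return value in actual
    if "/" in value:  # 'in' with a CIDR block (an assumption about the address form)
        try:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
        except ValueError:
            return False
    return actual == value


NOW = datetime(2017, 2, 6, 12, 0, 0)  # constructed "current time" for the relative filters
SAMPLE_LOGS = [  # constructed traffic log entries, not real data
    {"receive_time": NOW - timedelta(seconds=30), "addr.src": "10.0.0.5", "dstloc": "IN",
     "app": "web-browsing", "action": "allow"},
    {"receive_time": NOW - timedelta(minutes=10), "addr.src": "10.0.0.7", "dstloc": "IN",
     "app": "ssl", "action": "deny"},
    {"receive_time": NOW - timedelta(seconds=5), "addr.src": "192.168.1.20", "dstloc": "US",
     "app": "ssl", "action": "drop"},
]


def filter_logs(text, logs, now=NOW):
    """Return the entries of `logs` that match the filter string `text`."""
    alternatives = parse(text)
    return [e for e in logs if any(all(match(c, e, now) for c in alt) for alt in alternatives)]


def is_syntax_error(text):
    """True when the parser rejects the filter string."""
    try:
        parse(text)
    except SyntaxError:
        return True
    return False
```

Running `filter_logs('( dstloc eq "IN" )', SAMPLE_LOGS)` returns the two India-bound entries, while `is_syntax_error("( dstloc eq IN )")` is True, which reproduces the quoting caveat: the unquoted IN is read as the in operator and rejected. The receive_time filter is evaluated against a fixed `now`, so the shrinking and growing result set the guide mentions shows up here only if you pass a different `now`.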
Monitor > External Logs
Use this page to view logs ingested from the Traps Endpoint Security Manager (ESM) into Log Collectors that are managed by Panorama. To view Traps ESM logs on Panorama, do the following:
- On the Traps ESM server, configure Panorama as a Syslog server and select the logging events to forward to Panorama. The events can include security events, policy changes, agent and ESM Server status changes, and changes to configuration settings.
- On a Panorama that is deployed in Panorama mode with one or more Managed Log Collectors, set up a log ingestion profile (Panorama > Log Ingestion Profile) and attach the profile to a Collector Group (Panorama > Collector Groups) in which to store the Traps ESM logs.
External logs are not associated with a device group and are visible only when you select Device Group: All, because the logs are not forwarded from firewalls.
Panorama can correlate discrete security events on the endpoints with events on the network to trace any suspicious or malicious activity between the endpoints and the firewall. To view correlated events that Panorama identifies, see Monitor > Automated Correlation Engine > Correlated Events.
Monitor > Automated Correlation Engine
The automated correlation engine tracks patterns on your network and correlates events that indicate an escalation in suspicious behavior or events that amount to malicious activity. The engine functions as your personal security analyst who scrutinizes isolated events across the different sets of logs on the firewall, queries the data for specific patterns, and connects the dots so that you have actionable information.
The correlation engine uses correlation objects that generate correlated events. Correlated events collate evidence to help you trace commonality across seemingly unrelated network events and provide the focus for incident response.
The automated correlation engine is supported on the following models only:
- Panorama M-Series and the virtual appliance
- PA-800 Series firewalls
- PA-3000 Series firewalls
- PA-5000 Series firewalls
- PA-5200 Series firewalls
- PA-7000 Series firewalls
What do you want to know? See:
What are correlation objects? Monitor > Automated Correlation Engine > Correlation Objects
What is a correlated event? Where do I see the match evidence for a correlation match? Monitor > Automated Correlation Engine > Correlated Events
How can I see a graphical view of correlation matches? See the Compromised Hosts widget in ACC.
Monitor>AutomatedCorrelationEngine>Correlation
Objects
Tocountertheadvancesinexploitsandmalwaredistributionmethods,correlationobjectsextendthe
signaturebasedmalwaredetectioncapabilitiesonthefirewall.Theyprovidetheintelligenceforidentifying
suspiciousbehaviorpatternsacrossdifferentsetsoflogsandtheygathertheevidencerequiredto
investigateandpromptlyrespondtoanevent.
Acorrelationobjectisadefinitionfilethatspecifiespatternsformatching,thedatasourcestousefor
performingthelookups,andthetimeperiodwithinwhichtolookforthesepatterns.Apatternisaboolean
structureofconditionsthatquerythedatasources,andeachpatternisassignedaseverityandathreshold,
whichisnumberoftimethepatternmatchoccurswithinadefinedtimelimit.Whenapatternmatchoccurs,
acorrelationeventislogged.
Thedatasourcesusedforperforminglookupscanincludethefollowinglogs:applicationstatistics,traffic,
trafficsummary,threatsummary,threat,datafiltering,andURLfiltering.Forexample,thedefinitionfora
correlationobjectcanincludeasetofpatternsthatquerythelogsforevidenceofinfectedhosts,evidence
ofmalwarepatterns,orforlateralmovementofmalwareinthetraffic,urlfiltering,andthreatlogs.
CorrelationobjectsaredefinedbyPaloAltoNetworksandarepackagedwithcontentupdates.Youmust
haveavalidthreatpreventionlicensetogetcontentupdates.
Bydefault,allcorrelationobjectsareenabled.Todisableanobject,selecttheobjectandDisableit.
Correlation Description
ObjectFields
NameandTitle Thelabelindicatesthetypeofactivitythatthecorrelationobjectdetects.
ID Auniquenumberidentifiesthecorrelationobject.Thisnumberisinthe6000series.
Category Asummaryofthekindofthreatorharmposedtothenetwork,user,orhost.
State Thestateindicateswhetherthecorrelationobjectisenabled(active)ordisabled
(inactive).
Description ThedescriptionspecifiesthematchconditionsforwhichthefirewallorPanoramawill
analyzelogs.Itdescribestheescalationpatternorprogressionpaththatwillbeused
toidentifymaliciousactivityorsuspicioushostbehavior.
Monitor > Automated Correlation Engine > Correlated Events
Correlated events expand the threat detection capabilities on the firewall and Panorama; the correlated events gather evidence of suspicious or unusual behavior of users or hosts on the network.
The correlation object makes it possible to pivot on certain conditions or behaviors and trace commonalities across multiple log sources. When the set of conditions specified in a correlation object is observed on the network, each match is logged as a correlated event.
The correlated event includes the details listed in the following table.
Field: Description
Match Time: The time the correlation object triggered a match.
Update Time: The timestamp when the match was last updated.
Object Name: The name of the correlation object that triggered the match.
Source Address: The IP address of the user from whom the traffic originated.
Source User: The user and user group information from the directory server, if User-ID is enabled.
Severity: A rating that classifies the risk based on the extent of damage caused.
Summary: A description that summarizes the evidence gathered on the correlated event.
To view the detailed log view, click Details for an entry. The detailed log view includes all the evidence for a match:
Tab: Description
Match Information: Object Details presents information on the correlation object that triggered the match. For information on correlation objects, see Monitor > Automated Correlation Engine > Correlation Objects. Match Details is a summary of the match details that includes the match time, last update time on the match evidence, severity of the event, and an event summary.
Match Evidence: This tab includes all the evidence that corroborates the correlated event. It lists detailed information on the evidence collected for each session.
To see a graphical display of the information in the Correlated Events tab, see the Compromised Hosts widget on the ACC > Threat Activity tab. In the Compromised Hosts widget, the display is aggregated by source user and IP address and sorted by severity.
To configure notifications when a correlated event is logged, go to the Device > Log Settings or Panorama > Log Settings tab.
Monitor > Packet Capture
All Palo Alto Networks firewalls have a built-in packet capture (pcap) feature you can use to capture packets that traverse the network interfaces on the firewall. You can then use the captured data for troubleshooting purposes or to create custom application signatures.
The packet capture feature is CPU intensive and can degrade firewall performance. Only use this feature when necessary and make sure to turn it off after you collect the required packets.
What do you want to know? See:
What are the different methods the firewall can use to capture packets? Packet Capture Overview
How do I generate a custom packet capture? Building Blocks for a Custom Packet Capture
How do I generate packet captures when the firewall detects a threat? Enable Threat Packet Capture
Where do I download a packet capture? Packet Capture Overview
Turn on extended packet capture for security profiles. Device > Setup > Content-ID
Use packet capture to write custom application signatures. See Doc 2015. This example uses a third-party app but you can use the firewall to capture the required packets.
Prevent a firewall admin from viewing packet captures. Define Web Interface Administrator Access.
See an example. See Take Packet Captures.
Packet Capture Overview
You can configure a Palo Alto Networks firewall to perform a custom packet capture or a threat packet capture.
Custom Packet Capture: Capture packets for all traffic or traffic based on filters you define. For example, you can configure the firewall to capture only packets to and from a specific source and destination IP address or port. Use these packet captures to troubleshoot network traffic related issues or to gather application attributes to write custom application signatures (Monitor > Packet Capture). You define the file name based on the stage (Drop, Firewall, Receive, or Transmit) and, after the pcap is complete, you download the pcap in the Captured Files section.
Threat Packet Capture: Capture packets when the firewall detects a virus, spyware, or vulnerability. You enable this feature in Antivirus, Anti-Spyware, and Vulnerability Protection security profiles. These packet captures provide context around a threat to help you determine if an attack is successful or to learn more about the methods used by an attacker. The action for the threat must be set to either allow or alert; otherwise, the threat is blocked and packets cannot be captured. You configure this type of packet capture in the Objects > Security Profiles. To download pcaps, select Monitor > Threat.
Building Blocks for a Custom Packet Capture
Enable Threat Packet Capture
Objects > Security Profiles
To enable the firewall to capture packets when it detects a threat, enable the packet capture option in the security profile.
First select Objects > Security Profiles and then modify the desired profile as described in the following table:
Packet Capture Options in Security Profiles: Location
Vulnerability Protection: Select a custom Vulnerability Protection profile and, in the Rules tab, click Add to add a new rule or select an existing rule. Then select the Packet Capture drop-down and select single-packet or extended-capture.
In Anti-Spyware and Vulnerability Protection profiles, you can also enable packet capture on exceptions. Click the Exceptions tab and in the Packet Capture column for a signature, click the drop-down and select single-packet or extended-capture.
(Optional) To define the length of a threat packet capture based on the number of packets captured (a global setting), select Device > Setup > Content-ID and, in the Content-ID Settings section, modify the Extended Packet Capture Length (packets) field (range is 1-50; default is 5).
After you enable packet capture on a security profile, you need to verify that the profile is part of a security rule. For information on how to add a security profile to a security rule, see Security Policy Overview.
Each time the firewall detects a threat when packet capture is enabled on the security profile, you can download or export the packet capture.
Monitor > App Scope
The App Scope reports provide graphical visibility into the following aspects of your network:
Changes in application usage and user activity
Users and applications that take up most of the network bandwidth
Network threats
With the App Scope reports, you can quickly see if any behavior is unusual or unexpected and pinpoint problematic behavior; each report provides a dynamic, user-customizable window into the network. The reports include options to select the data and ranges to display. On Panorama, you can also select the Data Source for the information that is displayed. The default data source (on new Panorama installations) uses the local database on Panorama, which stores logs forwarded by the managed firewalls; on an upgrade, the default data source is the Remote Device Data (managed firewall data). To fetch and display an aggregated view of the data directly from the managed firewalls, you now have to switch the source from Panorama to Remote Device Data.
Hovering the mouse over and clicking either the lines or bars on the charts switches to the ACC and provides detailed information about the specific application, application category, user, or source.
Application Command Center Charts: Description
Summary: Summary Report
Change Monitor: Change Monitor Report
Threat Monitor: Threat Monitor Report
Threat Map: Threat Map Report
Network Monitor: Network Monitor Report
Traffic Map: Traffic Map Report
Summary Report
The Summary report displays charts for the top five gainers, losers, and bandwidth consuming applications, application categories, users, and sources.
To export the charts in the summary report as a PDF, click Export. Each chart is saved as a page in the PDF output.
Figure: App Scope Summary Report
Change Monitor Report
The Change Monitor report displays changes over a specified time period. For example, the figure below displays the top applications that gained in use over the last hour as compared with the last 24-hour period. The top applications are determined by session count and sorted by percentage.
Figure: App Scope Change Monitor Report
This report contains the following options.
Change Monitor Report Options: Description
Top Bar
Top 10: Determines the number of records with the highest measurement included in the chart.
Application: Determines the type of item reported: Application, Application Category, Source, or Destination.
Gainers: Displays measurements of items that have increased over the measured period.
Losers: Displays measurements of items that have decreased over the measured period.
New: Displays measurements of items that were added over the measured period.
Dropped: Displays measurements of items that were discontinued over the measured period.
Filter: Applies a filter to display only the selected item. None displays all entries.
Count Sessions and Count Bytes: Determines whether to display session or byte information.
Sort: Determines whether to sort entries by percentage or raw growth.
Export: Exports the graph as a .png image or as a PDF.
Bottom Bar
Compare (interval): Specifies the period over which the change measurements are taken.
Threat Monitor Report
The Threat Monitor report displays a count of the top threats over the selected time period. For example, the figure below shows the top 10 threat types for the past 6 hours.
Figure: App Scope Threat Monitor Report
Each threat type is color coded as indicated in the legend below the chart. This report contains the following options.
Threat Monitor Report Options: Description
Top Bar
Top 10: Determines the number of records with the highest measurement included in the chart.
Threat: Determines the type of item measured: Threat, Threat Category, Source, or Destination.
Filter: Applies a filter to display only the selected item.
Determines whether the information is presented in a stacked column chart or a stacked area chart.
Export: Exports the graph as a .png image or as a PDF.
Bottom Bar
Specifies the period over which the measurements are taken.
Threat Map Report
The Threat Map report shows a geographical view of threats, including severity.
Figure: App Scope Threat Map Report
Each threat type is color coded as indicated in the legend below the chart. Click a country on the map to Zoom In and then Zoom Out as needed. This report contains the following options.
Threat Map Report Options: Description
Top Bar
Top 10: Determines the number of records with the highest measurement included in the chart.
Incoming threats: Displays incoming threats.
Outgoing threats: Displays outgoing threats.
Filter: Applies a filter to display only the selected item.
Zoom In and Zoom Out: Zoom in and zoom out of the map.
Export: Exports the graph as a .png image or as a PDF.
Bottom Bar
Indicates the period over which the measurements are taken.
Network Monitor Report
The Network Monitor report displays the bandwidth dedicated to different network functions over the specified period of time. Each network function is color coded as indicated in the legend below the chart. For example, the image below shows application bandwidth for the past 7 days based on session information.
Figure: App Scope Network Monitor Report
The report contains the following options.
Network Monitor Report Options: Description
Top Bar
Top 10: Determines the number of records with the highest measurement included in the chart.
Application: Determines the type of item reported: Application, Application Category, Source, or Destination.
Filter: Applies a filter to display only the selected item. None displays all entries.
Count Sessions and Count Bytes: Determines whether to display session or byte information.
Determines whether the information is presented in a stacked column chart or a stacked area chart.
Export: Exports the graph as a .png image or as a PDF.
Bottom Bar
Indicates the period over which the change measurements are taken.
Traffic Map Report
The Traffic Map report shows a geographical view of traffic flows according to sessions or flows.
Figure: App Scope Traffic Map Report
Each traffic type is color coded as indicated in the legend below the chart. This report contains the following options.
Traffic Map Report Options: Description
Top Bar
Top 10: Determines the number of records with the highest measurement included in the chart.
Incoming traffic: Displays incoming traffic.
Outgoing traffic: Displays outgoing traffic.
Count Sessions and Count Bytes: Determines whether to display session or byte information.
Zoom In and Zoom Out: Zoom in and zoom out of the map.
Export: Exports the graph as a .png image or as a PDF.
Bottom Bar
Indicates the period over which the change measurements are taken.
Monitor > Session Browser
Monitor > Block IP List
You can configure the firewall to place IP addresses on the block list in several ways, including the following:
Configure a DoS Protection policy rule with the Action to Protect and apply a Classified DoS Protection profile to the rule. The profile includes the Block Duration.
Configure a Security policy rule with a Vulnerability Protection profile that uses a rule with the Action to Block IP and apply the rule to a zone.
The Block IP List is supported on PA-3050, PA-3060, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls.
What do you want to know? See:
What do the Block IP List fields indicate? Block IP List Entries
How do I filter, navigate, or delete Block IP List entries? View or Delete Block IP List Entries
Block IP List Entries
The following table explains the block list entry for a source IP address that the firewall is blocking.
Field: Description
Block Time: Month/day and hours:minutes:seconds when the IP address went on the Block IP List.
Type: Type of block action: whether the hardware (hw) or software (sw) blocked the IP address. When you configure a DoS Protection policy or a Security policy that uses a Vulnerability Protection profile to block connections from source IPv4 addresses, the firewall automatically blocks that traffic in hardware before those packets use CPU or packet buffer resources. If attack traffic exceeds the blocking capacity of the hardware, the firewall uses software to block the traffic.
Source IP Address: Source IP address of the packet that the firewall blocked.
Ingress Zone: Security zone assigned to the interface where the packet entered the firewall.
Time Remaining: Number of seconds remaining for the IP address to be on the Block IP List.
Block Source: Name of the classified DoS Protection profile or Vulnerability Protection object name where you specified the Block IP action.
Total Blocked IPs: x out of y (z% used): Count of blocked IP addresses (x) out of the number of blocked IP addresses the firewall supports (y), and the corresponding percentage of blocked IP addresses used (z).
View or Delete Block IP List Entries
Navigate the Block IP list entries, view detailed information, and delete an entry if desired.
Search for specific Block IP List information: Select a value in a column, which enters a filter in the Filters field, and click the right arrow to initiate the search for entries with that value. Click the X to remove the filter.
View Block IP List entries beyond the current screen: Enter a page number in the Page field or click the single arrows to see the Next Page or Previous Page of entries. Click the double arrows to view the Last Page or First Page of entries.
View detailed information about an IP address on the Block IP List: Click on a Source IP Address of an entry, which links to Network Solutions WhoIs with information about the address.
Delete Block IP List entries: Select an entry and click Delete.
Monitor > Botnet
The botnet report enables you to use behavior-based mechanisms to identify potential malware- and botnet-infected hosts in your network. The report assigns each host a confidence score of 1 to 5 to indicate the likelihood of botnet infection, where 5 indicates the highest likelihood. Before scheduling the report or running it on demand, you must configure it to identify types of traffic as suspicious. The PAN-OS Administrator's Guide provides details on interpreting botnet report output.
Managing Botnet Reports
Configuring the Botnet Report
Managing Botnet Reports
Monitor > Botnet > Report Setting
Before generating the botnet report, you must specify the types of traffic that indicate potential botnet activity (see Configuring the Botnet Report). To schedule a daily report or run it on demand, click Report Setting and complete the following fields. To export a report, select it and Export to PDF, Export to CSV, or Export to XML.
Botnet Report Settings: Description
No. of Rows: Specify the number of rows to display in the report (default is 100).
Scheduled: Select this option to automatically generate the report daily. By default, this option is enabled.
Query Builder: (Optional) Add queries to the Query Builder to filter the report output by attributes such as source/destination IP addresses, users, or zones. For example, if you know that traffic initiated from the IP address 192.0.2.0 contains no potential botnet activity, you can add not (addr.src in 192.0.2.0) as a query to exclude that host from the report output.
Connector: Select a logical connector (and or or). If you select Negate, the report will exclude the hosts that the query specifies.
Attribute: Select a zone, address, or user that is associated with the hosts that the firewall evaluates for botnet activity.
Operator: Select an operator to relate the Attribute to a Value.
Value: Enter a value for the query to match.
Configuring the Botnet Report
Monitor > Botnet > Configuration
To specify the types of traffic that indicate potential botnet activity, click Configuration on the right side of the Botnet page and complete the following fields. After configuring the report, you can run it on demand or schedule it to run daily (see Monitor > PDF Reports > Manage PDF Summary).
Botnet Configuration Settings: Description
HTTP Traffic: Enable and define the Count for each type of HTTP Traffic that the report will include. The Count values you enter are the minimum number of events of each traffic type that must occur for the report to list the associated host with a higher confidence score (higher likelihood of botnet infection). If the number of events is less than the Count, the report will display the lower confidence score or (for certain traffic types) won't display an entry for the host.
Malware URL visit (range is 2-1000; default is 5): Identifies users communicating with known malware URLs based on malware and botnet URL filtering categories.
Use of dynamic DNS (range is 2-1000; default is 5): Looks for dynamic DNS query traffic that might indicate malware, botnet communications, or exploit kits. Generally, using dynamic DNS domains is very risky. Malware often uses dynamic DNS to avoid IP blacklisting. Consider using URL filtering to block such traffic.
Browsing to IP domains (range is 2-1000; default is 10): Identifies users who browse to IP domains instead of URLs.
Browsing to recently registered domains (range is 2-1000; default is 5): Looks for traffic to domains that were registered within the past 30 days. Attackers, malware, and exploit kits often use newly registered domains.
Executable files from unknown sites (range is 2-1000; default is 5): Identifies executable files downloaded from unknown URLs. Executable files are a part of many infections and, when combined with other types of suspicious traffic, can help you prioritize host investigations.
Unknown Applications: Define the thresholds that determine whether the report will include traffic associated with suspicious Unknown TCP or Unknown UDP applications.
Sessions Per Hour (range is 1-3600; default is 10): The report includes traffic that involves up to the specified number of application sessions per hour.
Destinations Per Hour (range is 1-3600; default is 10): The report includes traffic that involves up to the specified number of application destinations per hour.
Minimum Bytes (range is 1-200; default is 50): The report includes traffic for which the application payload equals or exceeds the specified size.
Maximum Bytes (range is 1-200; default is 100): The report includes traffic for which the application payload is equal to or less than the specified size.
IRC: Select this option to include traffic involving IRC servers.
Monitor > PDF Reports
Monitor > PDF Reports > Manage PDF Summary
Monitor > PDF Reports > User Activity Report
Monitor > PDF Reports > SaaS Application Usage
Monitor > PDF Reports > Report Groups
Monitor > PDF Reports > Email Scheduler
Monitor > PDF Reports > Manage PDF Summary
PDF summary reports contain information compiled from existing reports, based on data for the top 5 in each category (instead of top 50). They also contain trend charts that are not available in other reports.
PDF Summary Report
Managing PDF Reports
Use one or more of these options to design the report:
To remove an element from the report, click delete ([X]) or clear the item from the appropriate drop-down.
Select additional elements by selecting them in the appropriate drop-down.
Drag and drop an element to move it to another area of the report.
There is a maximum of 18 report elements allowed. If you have 18 already, you must delete existing elements before you can add new ones.
To Save the report, enter a report name, and click OK.
To display PDF reports, select Monitor > Reports, click PDF Summary Report, and click a report to open or save that report. You can also export a report using the options at the bottom of the page (Export to PDF, Export to CSV, or Export to XML) or click a day in the calendar to download a report for that day.
New PDF summary reports will not appear until after the report runs, which will occur automatically every 24 hours at 2 a.m.
Monitor > PDF Reports > User Activity Report
Use this page to create reports that summarize the activity of individual users or user groups. Click Add and specify the following information.
User/Group Activity Report Settings: Description
Name: Enter a name to identify the report (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
For Group Activity Report: Select Group and enter the Group Name.
Time Period: Select the time frame for the report from the drop-down.
Include Detailed Browsing: (Optional) Select this option to include detailed URL logs in the report. The detailed browsing information can include a large volume of logs (thousands) for the selected user or user group and cause a report to be very large.
The Group Activity Report does not include Browsing Summary by URL Category; all other information is common across the User Activity Report and the Group Activity Report.
To run the report on demand, click Run Now. To change the maximum number of rows that display in the report, see Logging and Reporting Settings.
To save the report, click OK. You can then schedule the report for email delivery (Monitor > PDF Reports > Email Scheduler).
Monitor > PDF Reports > SaaS Application Usage
Use this page to create a report that summarizes the SaaS application activity on your network. This predefined report presents a comparison of the sanctioned versus unsanctioned SaaS application usage on your network, and you can use this information to help steer your users toward sanctioned applications. You can then enforce granular context- and application-based policies for SaaS applications that you want to allow or block on your network.
For generating an accurate and informative report, you must tag the sanctioned applications on your network (see Actions Supported on Applications). The firewall and Panorama consider any application without this predefined tag as unsanctioned for use on the network. It is important to know about the sanctioned applications and unsanctioned applications that are prevalent on your network because unsanctioned SaaS applications are a potential threat to information security; they are not approved for use on your network and can cause an exposure to threats and loss of private and sensitive data.
Make sure you tag applications consistently across all firewalls or device groups. If the same application is tagged as sanctioned in one virtual system and is not sanctioned in another or on Panorama, or if an application is unsanctioned in a parent device group but is tagged as sanctioned in a child device group (or vice versa), the SaaS Application Usage report will produce overlapping results.
On the ACC, set the Application View to By Sanctioned State to visually identify applications that have a different sanctioned state across virtual systems or device groups. Green indicates sanctioned applications, blue is for unsanctioned applications, and yellow indicates applications that have a different sanctioned state across different virtual systems or device groups.
To configure the report, click Add and specify the following information:
SaaS Application Usage Report Settings: Description
Name: Enter a name to identify the report (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Include logs from: From the drop-down, select whether you want to generate the report on a selected user group, on a selected zone, or for all user groups and zones configured on the firewall or Panorama.
For a selected user group: Select the User Group for which the firewall or Panorama will filter the logs.
For a selected zone: Select the Zone for which the firewall or Panorama will filter the logs.
For all user groups and zones: You can report on all groups or choose up to 25 user groups for which you want visibility. If you have more than 25 groups, the firewall or Panorama will display the top 25 groups in the report and assign all remaining user groups to the Others group.
Include user group information in the report (not available if you choose to generate the report on a Selected User Group): This option filters the logs for the user groups you want to include in the report. Select the manage groups or the manage groups for the selected zone link to choose up to 25 user groups for which you want visibility. When you generate a report for specific user groups on a selected zone, users who are not a member of any of the selected groups are assigned to a user group called Others.
User group: Select the user group(s) for which you want to generate the report. This option displays only when you choose Selected User Group in the Include logs from drop-down.
Zone: Select the zone for which you want to generate the report. This option displays only when you choose Selected Zone in the Include logs from drop-down. You can then select Include user group information in the report.
Include detailed application category information in report: The SaaS Application Usage PDF report is a two-part report. By default, both parts of the report are generated. The first part of the report (ten pages) focuses on the SaaS applications used on your network during the reporting period. Clear this option if you do not want the second part of the report, which includes detailed information for SaaS and non-SaaS applications for each application subcategory listed in the first part of the report. This second part of the report includes the names of the top applications in each subcategory and information about users, user groups, files, bytes transferred, and threats generated from these applications. Without the detailed information, the report is ten pages long.
Limit max subcategories in the report to: Select whether you want to use all application subcategories in the SaaS Application Usage report or whether you want to limit the maximum number to 10, 15, 20, or 25 subcategories. When you reduce the maximum number of subcategories, the detailed report is shorter because you limit the SaaS and non-SaaS application activity information included in the report.
Click Run Now to generate the report on demand.
To schedule the report, see Monitor > PDF Reports > Email Scheduler.
On PA-200 and PA-500 firewalls, the SaaS Application Usage report is not sent as a PDF attachment in the email. Instead, the email includes a link you use to open the report in a web browser.
For more information on the report, see Manage Reporting.
Monitor > PDF Reports > Report Groups
Report groups allow you to create sets of reports that the system can compile and send as a single aggregate PDF report with an optional title page and all the constituent reports included.
Report Group Settings: Description
Name: Enter a name to identify the report group (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Title Page: Select this option to include a title page in the report.
Title: Enter the name that will appear as the report title.
Report selection / Widgets: For each report to include in the group, select the report in the left column and Add it to the right column. You can select the following report types:
Predefined Report
Custom Report
PDF Summary Report
CSV
Log View: Whenever you create a custom report, the firewall automatically creates a Log View report with the same name. The Log View report shows the logs that the firewall used to build the contents of the custom report. To include the log view data, when creating a report group, add your Custom Reports and then add the matching Log View reports. The aggregate report generated for the report group displays the custom report data followed by the log data.
After you save the report group, the Widgets column of the Report Groups page lists the reports you added to the group.
To use the report group, refer to Monitor > PDF Reports > Email Scheduler.
Monitor > PDF Reports > Email Scheduler
Use the Email scheduler to schedule reports for delivery by email. Before adding a schedule, you must define report groups and an email profile. Refer to Monitor > PDF Reports > Report Groups and Device > Server Profiles > Email.
Scheduled reports begin running at 2:00 AM, and email forwarding occurs after all scheduled reports have finished running.
Email Scheduler Settings: Description
Name: Enter a name to identify the schedule (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Report Group: Select the report group (Monitor > PDF Reports > Report Groups) or the SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage) you want to schedule.
Email Profile: Select the profile that defines the email settings. Refer to Device > Server Profiles > Email for information on defining email profiles.
Recurrence: Select the frequency at which to generate and send the report.
Override Email Addresses: Enter an optional email address to use instead of the recipient specified in the email profile.
Send test email: Click to send a test email to the email address defined in the selected Email Profile.
Monitor > Manage Custom Reports
You can create custom reports to run on demand or on schedule (each night). For reports that are predefined, select Monitor > Reports.
Add a custom report to create a new one. To base the report on an existing template, Load Template and select the template. To generate a report on demand, instead of or in addition to the Scheduled time, click Run Now.
Specify the following settings to define the report.
Custom Report Settings: Description
Name: Enter a name to identify the report (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description: Enter a description for the custom report.
Database: Choose the database to use as the data source for the report.
Scheduled: Select this option to run the report each night. The report then becomes available by selecting Monitor > Reports.
Time Frame: Choose a fixed time frame or choose Custom and specify a date and time range.
Sort By: Choose sorting options to organize the report, including the amount of information to include in the report. The available options depend on the choice of database.
Group By: Choose grouping options to organize the report, including the amount of information to include in the report. The available options depend on the choice of database.
Query Builder: To build a report query, specify the following and click Add. Repeat as needed to construct the full query.
Connector: Choose the connector (and or or) to precede the expression you are adding.
Negate: Select this option to interpret the query as a negation. In the previous example, the negate option causes a match on entries that are not in the past 24 hours or are not from the untrust zone.
Attribute: Choose a data element. The available options depend on the choice of database.
Operator: Choose the criterion to determine whether the attribute applies (such as =). The available options depend on the choice of database.
Value: Specify the attribute value to match.
For more information, see Generate Custom Reports.
Monitor > Reports
The firewall provides various top 50 reports of the traffic statistics for the previous day or a selected day in the previous week.
To view a report, expand a report category (such as Custom Reports) on the right side of the page and select a report name. The page lists reports in sections. You can view the information in each report for the selected time period.
By default, the firewall displays all reports for the previous calendar day. To view reports for other dates, select a report generation date in the calendar at the bottom right of the page.
To view reports on a system other than the firewall, select an export option:
- Export to PDF
- Export to CSV
- Export to XML
Policies
This section describes the firewall web interfaces you can use to configure policies:
- Policy Types
- Move or Clone a Policy Rule
- Policies > Security
- Policies > NAT
- Policies > QoS
- Policies > Policy Based Forwarding
- Policies > Decryption
- Policies > Tunnel Inspection
- Policies > Application Override
- Policies > Authentication
- Policies > DoS Protection
Policy Types
Policies enable you to control firewall operation by enforcing rules and automating actions. The firewall supports the following policy types:
- Basic security policies to block or allow a network session based on the application, the source and destination zones and addresses, and optionally based on the service (port and protocol). Zones identify the physical or logical interfaces that send or receive the traffic. See Policies > Security.
- Network Address Translation (NAT) policies to translate addresses and ports. See Policies > NAT.
- Quality of Service (QoS) policies to determine how traffic is classified for treatment when it passes through an interface with QoS enabled. See Policies > QoS.
- Policy-based forwarding policies to override the routing table and specify an egress interface for traffic. See Policies > Policy Based Forwarding.
- Decryption policies to specify traffic decryption for security policies. Each policy can specify the categories of URLs for the traffic you want to decrypt. SSH decryption is used to identify and control SSH tunneling in addition to SSH shell access. See Policies > Decryption.
- Tunnel Inspection policies to enforce Security, DoS Protection, and QoS policies on tunneled traffic, and to view tunnel activity. See Policies > Tunnel Inspection.
- Override policies to override the application definitions provided by the firewall. See Policies > Application Override.
- Authentication policies to define authentication for end users who access network resources. See Policies > Authentication.
- Denial of service (DoS) policies to protect against DoS attacks and take protective action in response to rule matches. See Policies > DoS Protection.
Shared policies pushed from Panorama display in orange on the firewall web interface. You can edit these shared policies only on Panorama; you cannot edit them on the firewall.
Use the Tag Browser to view all the tags used in a rulebase. In rulebases with many rules, the tag browser simplifies the display by presenting the tags, color code, and the rule numbers in which tags are used.
Move or Clone a Policy Rule
When moving or cloning policies, you can assign a Destination (a virtual system on a firewall or a device group on Panorama) for which you have access permissions, including the Shared location.
To move a policy rule, select the rule in the Policies tab, click Move, select Move to other vsys (firewalls only) or Move to other device group (Panorama only), specify the fields in the following table, and then click OK.
To clone a policy rule, select the rule in the Policies tab, click Clone, specify the fields in the following table, and then click OK.

Move/Clone Settings    Description
Selected Rules: Displays the Name and current Location (virtual system or device group) of the policy rules you selected for the operation.
Destination: Select the new location for the policy or object: a virtual system, device group, or Shared. The default value is the Virtual System or Device Group that you selected in the Policies or Objects tab.
Rule order: Select the rule position relative to other rules:
- Move top: The rule will precede all other rules.
- Move bottom: The rule will follow all other rules.
- Before rule: In the adjacent drop-down, select the subsequent rule.
- After rule: In the adjacent drop-down, select the preceding rule.
Error out on first detected error in validation: Select this option (selected by default) to make the firewall or Panorama display the first error it finds and stop checking for more errors. For example, an error occurs if the Destination doesn't include an object that is referenced in the policy rule you are moving. If you clear this selection, the firewall or Panorama will find all errors before displaying them.
Policies > Security
Security policy rules reference security zones and enable you to allow, restrict, and track traffic on your network based on the application, user or user group, and service (port and protocol). By default, the firewall includes a security rule named rule1 that allows all traffic from the Trust zone to the Untrust zone.

What do you want to know?    See:
- What is a Security policy?: Security Policy Overview. For Panorama, see Move or Clone a Policy Rule.
- What are the fields available to create a Security policy rule?: Building Blocks in a Security Policy Rule
- How can I use the web interface to manage Security policy rules?: Creating and Managing Policies; Overriding or Reverting a Security Policy Rule
- Looking for more?: Security Policy

Security Policy Overview
Security policies allow you to enforce rules and take action, and can be as general or specific as needed. The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones. For example, a rule for a single application must precede a rule for all applications if all other traffic-related settings are the same.
To ensure that end users authenticate when they try to access your network resources, the firewall evaluates Authentication policy before Security policy. For details, see Policies > Authentication.
For traffic that doesn't match any user-defined rules, the default rules apply. The default rules displayed at the bottom of the security rulebase are predefined to allow all intrazone traffic (within the zone) and deny all interzone traffic (between zones). Although these rules are part of the predefined configuration and are read-only by default, you can Override them and change a limited number of settings, including the tags, action (allow or deny), log settings, and security profiles.
The interface includes the following tabs for defining Security policy rules.
- General: Select the General tab to configure a name and description for the Security policy rule.
- Source: Select the Source tab to define the source zone or source address from which the traffic originates.
- User: Select the User tab to enforce policy for individual users or a group of users. If you are using GlobalProtect with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user access level can be determined by the HIP that notifies the firewall about the user's local configuration. The HIP information can be used for granular access control based on the security programs that are running on the host, registry values, and many other checks such as whether the host has antivirus software installed.
- Destination: Select the Destination tab to define the destination zone or destination address for the traffic.
- Application: Select the Application tab to have the policy action occur based on an application or application group. An administrator can also use an existing App-ID signature and customize it to detect proprietary applications or to detect specific attributes of an existing application. Custom applications are defined in Objects > Applications.
- Service/URL Category: Select the Service/URL Category tab to specify a specific TCP and/or UDP port number or a URL category as match criteria in the policy.
- Action: Select the Action tab to determine the action that will be taken based on traffic that matches the defined policy attributes.

Building Blocks in a Security Policy Rule
The following section describes each component in a security policy rule. When you view the default security rule, or create a new rule, you can configure the options described here.
Tag: Add and specify the tag for the policy.
A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain rules with specific words like Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location. You can also add tags to the default rules.
Type: Specifies whether the rule applies to traffic within a zone, between zones, or both:
- universal (default): Applies the rule to all matching interzone and intrazone traffic in the specified source and destination zones. For example, if you create a universal rule with source zones A and B and destination zones A and B, the rule would apply to all traffic within zone A, all traffic within zone B, and all traffic from zone A to zone B and all traffic from zone B to zone A.
- intrazone: Applies the rule to all matching traffic within the specified source zones (you cannot specify a destination zone for intrazone rules). For example, if you set the source zone to A and B, the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic between zones A and B.
- interzone: Applies the rule to all matching traffic between the specified source and destination zones. For example, if you set the source zone to A, B, and C and the destination zone to A and B, the rule would apply to traffic from zone A to zone B, from zone B to zone A, from zone C to zone A, and from zone C to zone B, but not traffic within zones A, B, or C.
Source Address: Click Add to add source addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.
Source HIP Profile: Click Add to choose host information profiles (HIP) to identify users. A HIP enables you to collect information about the security status of your end hosts, such as whether they have the latest security patches and antivirus definitions installed. Using host information profiles for policy enforcement enables granular security that ensures that the remote hosts accessing your critical resources are adequately maintained and in adherence with your security standards before they are allowed access to your network resources. The following source HIP profiles are supported:
- any: Includes any endpoint, regardless of HIP information.
- select: Includes selected HIP profiles as determined by the selection in the window. For example, you may want to add one HIP profile, a list of HIP profiles, or manually add HIP profiles.
- no-hip: HIP information is not required. This setting enables access from third-party clients that cannot collect or submit HIP information.
Destination Address: Click Add to add destination addresses, address groups, or regions (default is any). Select from the drop-down, or click Address at the bottom of the drop-down, and specify address settings.
URL Category: Select URL categories for the security rule.
Choose any to allow or deny all sessions regardless of the URL category.
To specify a category, click Add and select a specific category (including a custom category) from the drop-down. You can add multiple categories. Select Objects > External Dynamic Lists to define custom categories.
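The first-match ordering described in the Security Policy Overview and the universal/intrazone/interzone semantics of the Type field, as an added Python example (this is not the firewall's own code). It evaluates a constructed rulebase with the predefined default rules consulted last, and includes a simplified shadowing check that flags a specific rule placed after a more general one; the rulebase, zone names and the check itself are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ANY = frozenset({"any"})  # the "any" zone selection


@dataclass(frozen=True)
class SecurityRule:
    name: str
    rule_type: str                     # "universal" | "intrazone" | "interzone"
    source_zones: FrozenSet[str]
    destination_zones: FrozenSet[str]  # not configurable for intrazone rules (left empty)
    action: str                        # "allow" | "deny" (other actions omitted here)
    application: str = "any"           # simplified: a single application name or "any"


def _in(zone: str, zones: FrozenSet[str]) -> bool:
    return "any" in zones or zone in zones


def zone_scope_matches(rule: SecurityRule, src_zone: str, dst_zone: str) -> bool:
    """Zone semantics of the rule Type field as the guide describes them."""
    if rule.rule_type == "intrazone":
        # only traffic that stays inside one of the source zones
        return _in(src_zone, rule.source_zones) and src_zone == dst_zone
    src_ok = _in(src_zone, rule.source_zones)
    dst_ok = _in(dst_zone, rule.destination_zones)
    if rule.rule_type == "interzone":
        return src_ok and dst_ok and src_zone != dst_zone
    if rule.rule_type == "universal":
        return src_ok and dst_ok
    raise ValueError(f"unknown rule type: {rule.rule_type}")


def rule_matches(rule: SecurityRule, src_zone: str, dst_zone: str, app: str) -> bool:
    return zone_scope_matches(rule, src_zone, dst_zone) and rule.application in ("any", app)


# The predefined rules at the bottom of every Security rulebase.
DEFAULT_RULES = [
    SecurityRule("intrazone-default", "intrazone", ANY, frozenset(), "allow"),
    SecurityRule("interzone-default", "interzone", ANY, ANY, "deny"),
]


def evaluate(rulebase: List[SecurityRule], src_zone: str, dst_zone: str,
             app: str) -> Tuple[str, str]:
    """Top-down, first match wins; the default rules are consulted last."""
    for rule in [*rulebase, *DEFAULT_RULES]:
        if rule_matches(rule, src_zone, dst_zone, app):
            return rule.name, rule.action
    raise RuntimeError("unreachable: the default rules cover all traffic")


def _covers(outer: FrozenSet[str], inner: FrozenSet[str]) -> bool:
    return "any" in outer or inner <= outer


def _zones_covered(earlier: SecurityRule, rule: SecurityRule) -> bool:
    if not _covers(earlier.source_zones, rule.source_zones):
        return False
    if earlier.rule_type == "intrazone":
        return True  # intrazone rules configure source zones only
    later_dst = rule.source_zones if rule.rule_type == "intrazone" else rule.destination_zones
    return _covers(earlier.destination_zones, later_dst)


def shadowed_rules(rulebase: List[SecurityRule]) -> List[str]:
    """Names of rules that can never match because an earlier rule is at least as broad
    (the ordering mistake the guide warns about). Simplified check over zones, type and
    application only; an assumption for illustration, not the firewall's own logic."""
    shadowed = []
    for index, rule in enumerate(rulebase):
        for earlier in rulebase[:index]:
            type_ok = earlier.rule_type in ("universal", rule.rule_type)
            app_ok = earlier.application in ("any", rule.application)
            if type_ok and app_ok and _zones_covered(earlier, rule):
                shadowed.append(rule.name)
                break
    return shadowed


# Constructed rulebase: the specific ssh rule is placed after the general allow rule.
RULEBASE = [
    SecurityRule("allow-to-dmz", "universal", frozenset({"Untrust"}), frozenset({"DMZ"}), "allow"),
    SecurityRule("block-ssh-to-dmz", "universal", frozenset({"Untrust"}), frozenset({"DMZ"}),
                 "deny", "ssh"),
    SecurityRule("rule1", "universal", frozenset({"Trust"}), frozenset({"Untrust"}), "allow"),
]
FIXED_RULEBASE = [RULEBASE[1], RULEBASE[0], RULEBASE[2]]  # specific rule moved up

if __name__ == "__main__":
    print(shadowed_rules(RULEBASE))                           # ['block-ssh-to-dmz']
    print(evaluate(RULEBASE, "Untrust", "DMZ", "ssh"))        # ('allow-to-dmz', 'allow')
    print(evaluate(FIXED_RULEBASE, "Untrust", "DMZ", "ssh"))  # ('block-ssh-to-dmz', 'deny')
```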
Creating and Managing Policies

Task    Description
Add: To add a new policy rule, do one of the following:
- Click Add at the bottom of the page.
- Select a rule on which to base the new rule and click Clone Rule, or select a rule by clicking the white space of the rule and select Clone Rule at the bottom of the page (a rule that is selected in the web interface displays with a yellow background). The copied rule, rule-n, is inserted below the selected rule, where n is the next available integer that makes the rule name unique. For details on cloning, see Move or Clone a Policy Rule.
Modify: To modify a rule, click the rule.
If the rule is pushed from Panorama, the rule is read-only on the firewall and cannot be edited locally.
Override and Revert actions pertain only to the default rules that are displayed at the bottom of the Security rulebase. These predefined rules (allow all intrazone traffic and deny all interzone traffic) instruct the firewall on how to handle traffic that does not match any other rule in the rulebase. Because they are part of the predefined configuration, you must Override them in order to edit select policy settings. If you are using Panorama, you can also Override the default rules, and then push them to firewalls in a Device Group or Shared context. You can also Revert the default rules, which restores the predefined settings or the settings pushed from Panorama. For details, see Overriding or Reverting a Security Policy Rule.
Move: Rules are evaluated top-down and as enumerated on the Policies page. To change the order in which the rules are evaluated against network traffic, select a rule and click Move Up, Move Down, Move Top, or Move Bottom. For details, see Move or Clone a Policy Rule.
Delete: Select a rule and click Delete to remove the existing rule.
Enable/Disable: To disable a rule, select the rule and click Disable. To enable a rule that is disabled, select the rule and click Enable.
View Unused rules: To identify rules that have not been used since the last time the firewall was restarted, select Highlight Unused Rules. You can then decide whether to disable the rule or delete it. Rules not currently in use are displayed with a dotted yellow background.
Each firewall maintains a flag for the rules that have a match. Because the flag is reset when a dataplane reset occurs on a reboot or a restart, monitor this list periodically to determine whether the rule has had a match since the last check before you delete or disable it.
Show/Hide columns: To show or hide the columns that display in the Policies pages, select this option next to the column name to toggle the display of each column.
To view the network sessions that were logged as matches against the policy, click the drop-down for the rule name and choose Log Viewer.
To display the current value, click the drop-down for the entry and choose Value. You can also edit, filter, or remove certain items directly from the column menu. For example, to view addresses included in an address group, hold your mouse over the object in the Address column, click the drop-down and select Value. This allows you to quickly view the members and the corresponding IP addresses for the address group without having to navigate to the Objects tab.
To find objects used within a policy based on their name or IP address, use the filter option. After you apply the filter, you will see only the items that match the filter. The filter also works with embedded objects. Example: when you filter on 10.1.4.8, only the policy that contains that address is displayed.
Overriding or Reverting a Security Policy Rule
The default security rules, interzone-default and intrazone-default, have predefined settings that you can override on a firewall or on Panorama. If a firewall receives the default rules from a device group, you can also override the device group settings. The firewall or virtual system where you perform the override stores a local version of the rule in its configuration. The settings you can override are a subset of the full set (the following table lists the subset for security rules). For details on the default security rules, see Policies > Security.
To override a rule, select Policies > Security on a firewall or Policies > Security > Default Rules on Panorama. The Name column displays the inheritance icon for rules you can override. Select the rule, click Override, and edit the settings in the following table.
To revert an overridden rule to its predefined settings or to the settings pushed from a Panorama device group, select Policies > Security on a firewall or Policies > Security > Default Rules on Panorama. The Name column displays the override icon for rules that have overridden values. Select the rule, click Revert, and click Yes to confirm the operation.

Fields to Override a Default Security Rule    Description
General Tab
Name: The Name that identifies the rule is read-only; you cannot override it.
Description: The Description is read-only; you cannot override it.
Tag: Select Tags from the drop-down.
A policy tag is a keyword or phrase that enables you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you might want to tag certain security policies with Inbound to DMZ, tag specific decryption policies with the words Decrypt or No-decrypt, or use the name of a specific data center for policies associated with that location.
Actions Tab
Action Setting: Select the appropriate Action for traffic that matches the rule.
- Allow (default): Allows the traffic.
- Deny: Blocks traffic and enforces the default Deny Action that is defined for the application that the firewall is denying. To view the deny action that is defined by default for an application, view the application details in Objects > Applications.
- Drop: Silently drops the application. The firewall does not send a TCP reset message to the host or application.
- Reset client: Sends a TCP reset message to the client-side device.
- Reset server: Sends a TCP reset message to the server-side device.
- Reset both: Sends a TCP reset message to both the client-side and server-side devices.
Log Setting: Specify any combination of the following options:
- Log Forwarding: To forward the local traffic log and threat log entries to remote destinations, such as Panorama and syslog servers, select a Log Forwarding profile from the drop-down. Security profiles determine the generation of Threat log entries. To define a new Log Forwarding profile, select Profile in the drop-down (see Objects > Log Forwarding).
- To generate entries in the local traffic log for traffic that matches this rule, select the following options:
  - Log at Session Start: Generates a traffic log entry for the start of a session (selected by default).
  - Log at Session End: Generates a traffic log entry for the end of a session (cleared by default).
If you configure the firewall to include session start or session end entries in the Traffic log, it will also include drop and deny entries.
Policies > NAT
If you define Layer 3 interfaces on the firewall, you can configure a Network Address Translation (NAT) policy to specify whether source or destination IP addresses and ports are converted between public and private addresses and ports. For example, private source addresses can be translated to public addresses on traffic sent from an internal (trusted) zone to a public (untrusted) zone. NAT is also supported on virtual wire interfaces.
NAT rules are based on source and destination zones, source and destination addresses, and application service (such as HTTP). Like security policies, NAT policy rules are compared against incoming traffic in sequence, and the first rule that matches the traffic is applied.
As needed, add static routes to the local router so that traffic to all public addresses is routed to the firewall. You may also need to add static routes to the receiving interface on the firewall to route traffic back to the private address.
The following tables describe the NAT and NPTv6 (IPv6-to-IPv6 Network Prefix Translation) settings:
- General Tab
- Original Packet Tab
- Translated Packet Tab
- Active/Active HA Binding Tab
Looking for more?
See NAT
General Tab
Policies > NAT > General
Select the General tab to configure a name and description for the NAT or NPTv6 policy. You can configure a tag to allow you to sort or filter policies when many policies exist. Select the type of NAT policy you are creating, which affects which fields are available on the Original Packet and Translated Packet tabs.

NAT Rule General Settings    Description
Name: Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.
Description: Enter a description for the rule (up to 255 characters).
Tag: If you want to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword.
NAT Type: Specify the type of translation:
- ipv4: translation between IPv4 addresses.
- nat64: translation between IPv6 and IPv4 addresses.
- nptv6: translation between IPv6 prefixes.
You cannot combine IPv4 and IPv6 address ranges in a single NAT rule.
Original Packet Tab
Policies > NAT > Original Packet
Select the Original Packet tab to define the source and destination zones of packets that the firewall will translate and, optionally, specify the destination interface and type of service. You can configure multiple source and destination zones of the same type and you can apply the rule to specific networks or specific IP addresses.

NAT Rule Original Packet Settings    Description
Source Zone / Destination Zone: Select one or more source and destination zones for the original (non-NAT) packet (default is Any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
You can specify multiple zones to simplify management. For example, you can configure settings so that multiple internal NAT addresses are directed to the same external IP address.
Destination Interface: Specify the destination interface of packets the firewall translates. You can use the destination interface to translate IP addresses differently in the case where the network is connected to two ISPs with different IP address pools.
Service: Specify the service for which the firewall translates the source or destination address. To define a new service group, select Objects > Service Groups.
Source Address / Destination Address: Specify a combination of source and destination addresses for the firewall to translate.
For NPTv6, the prefixes configured for Source Address and Destination Address must be in the format xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.
Translated Packet Tab
Policies > NAT > Translated Packet
Select the Translated Packet tab to determine, for Source Address Translation, the type of translation to perform on the source, and the address and/or port to which the source will be translated.
You can also enable Destination Address Translation for an internal host that needs to be accessed by a public IP address. In this case, you define a source address (public) and destination address (private) in the Original Packet tab for an internal host, and in the Translated Packet tab you enable Destination Address Translation and enter the Translated Address. When the public address is accessed, it will be translated to the internal (destination) address of the internal host.

NAT Rule Translated Packet Settings    Description
Source Address Translation: Select the Translation Type (dynamic or static address pool), and enter an IP address or address range (address1-address2) that the source address is translated to (Translated Address). The size of the address range is limited by the type of address pool:
- Dynamic IP And Port: Address selection is based on a hash of the source IP address. For a given source IP address, the firewall uses the same translated source address for all sessions. Dynamic IP and Port source NAT supports approximately 64,000 concurrent sessions on each IP address in the NAT pool. On some models, oversubscription is supported, which allows a single IP to host more than 64,000 concurrent sessions.
Palo Alto Networks Dynamic IP/port NAT supports more NAT sessions than are supported by the number of available IP addresses and ports. The firewall can use IP address and port combinations up to two times (simultaneously) on the PA-200, PA-500, and PA-3000 Series firewalls, four times on the PA-5020 firewalls, and eight times on the PA-5050 and PA-5060 firewalls when destination IP addresses are unique.
- Dynamic IP: The next available address in the specified range is used, but the port number is unchanged. Up to 32,000 consecutive IP addresses are supported. A dynamic IP pool can contain multiple subnets, so you can translate your internal network addresses to two or more separate public subnets.
  Advanced (Dynamic IP/Port Fallback): Use this option to create a fallback pool that will perform IP and port translation and will be used if the primary pool runs out of addresses. You can define addresses for the pool by using the Translated Address option or the Interface Address option, which is for interfaces that receive an IP address dynamically. When creating a fallback pool, make sure addresses do not overlap with addresses in the primary pool.
- Static IP: The same address is always used for the translation and the port is unchanged. For example, if the source range is 192.168.0.1-192.168.0.10 and the translation range is 10.0.0.1-10.0.0.10, address 192.168.0.2 is always translated to 10.0.0.2. The address range is virtually unlimited.
NPTv6 must use Static IP translation for Source Address Translation. For NPTv6, the prefixes configured for Translated Address must be in the format xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.
- None: Translation is not performed.
Bidirectional: (Optional) Enable bidirectional translation if you want the firewall to create a corresponding translation (NAT or NPTv6) in the opposite direction of the translation you configure.
If you enable bidirectional translation, you must ensure that you have security policies in place to control the traffic in both directions. Without such policies, the bidirectional feature allows packets to be translated automatically in both directions.
Destination Address Translation: Enter an IP address or range of IP addresses and a translated port number (1-65535) to which the destination address and port number are translated. If the Translated Port field is blank, the destination port is not changed. Destination translation is typically used to allow an internal server, such as an email server, to be accessed from the public network.
For NPTv6, the prefixes configured for the Destination prefix Translated Address must be in the format xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.
Translated Port is not supported for NPTv6 because NPTv6 is strictly prefix translation. The Port and Host address section is simply forwarded unchanged.
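The Source Address Translation types described above, as an added Python example that is not code from Palo Alto Networks: positional Static IP mapping (192.168.0.2 to 10.0.0.2, as in the guide's example), hash-based Dynamic IP and Port selection (SHA-256 stands in for the firewall's undocumented hash; an assumption), a Dynamic IP pool that hands out the next available address and falls back to a non-overlapping Dynamic IP/Port pool when exhausted, and a check for the NPTv6 prefix requirements (xxxx:xxxx::/yy, no host bits, /32 to /64). Pool and host addresses are constructed.

```python
import hashlib
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


def expand_range(spec: str) -> List[IPv4]:
    """Expand the Translated Address form 'address1-address2' (or a single address)."""
    if "-" in spec:
        first, last = (IPv4(part.strip()) for part in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes range start: {spec}")
        return [IPv4(int(first) + offset) for offset in range(int(last) - int(first) + 1)]
    return [IPv4(spec.strip())]


def static_ip(source_range: str, translated_range: str, source: str) -> IPv4:
    """Static IP: fixed one-to-one positional mapping; the port is left unchanged."""
    sources, translated = expand_range(source_range), expand_range(translated_range)
    if len(sources) != len(translated):
        raise ValueError("static IP source and translated ranges must be the same size")
    address = IPv4(source)
    if address not in sources:
        raise ValueError(f"{source} is not covered by the source range")
    return translated[sources.index(address)]


def dynamic_ip_and_port(pool_range: str, source: str) -> IPv4:
    """Dynamic IP and Port: the pool address is derived from a hash of the source IP, so
    one source always receives the same translated address. The firewall's actual hash
    is not documented on this page; SHA-256 stands in for it here (assumption)."""
    pool = expand_range(pool_range)
    digest = hashlib.sha256(IPv4(source).packed).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


class DynamicIpPool:
    """Dynamic IP: next available address, port unchanged, up to 32,000 consecutive
    addresses. When the pool is exhausted, the Dynamic IP/Port fallback pool (if any)
    is used; the fallback must not overlap the primary pool."""

    def __init__(self, pool_range: str, fallback_range: Optional[str] = None) -> None:
        self.free = expand_range(pool_range)
        if len(self.free) > 32000:
            raise ValueError("dynamic IP pools support up to 32,000 consecutive addresses")
        if fallback_range and set(self.free) & set(expand_range(fallback_range)):
            raise ValueError("fallback pool overlaps the primary pool")
        self.fallback = fallback_range
        self.assigned: Dict[IPv4, IPv4] = {}

    def translate(self, source: str) -> Tuple[IPv4, str]:
        address = IPv4(source)
        if address in self.assigned:
            return self.assigned[address], "dynamic-ip"
        if self.free:
            self.assigned[address] = self.free.pop(0)
            return self.assigned[address], "dynamic-ip"
        if self.fallback is None:
            raise RuntimeError("dynamic IP pool exhausted and no fallback pool configured")
        return dynamic_ip_and_port(self.fallback, source), "dynamic-ip-and-port"


def check_nptv6_prefix(spec: str) -> ipaddress.IPv6Network:
    """Validate an NPTv6 prefix: xxxx:xxxx::/yy with no interface-identifier (host)
    bits set and a prefix length between /32 and /64."""
    try:
        network = ipaddress.IPv6Network(spec, strict=True)  # strict rejects host bits
    except ValueError as exc:
        raise ValueError(f"invalid NPTv6 prefix {spec!r}: {exc}") from None
    if not 32 <= network.prefixlen <= 64:
        raise ValueError(f"NPTv6 prefix length must be /32 to /64, got /{network.prefixlen}")
    return network


if __name__ == "__main__":
    print(static_ip("192.168.0.1-192.168.0.10", "10.0.0.1-10.0.0.10", "192.168.0.2"))  # 10.0.0.2
    pool = DynamicIpPool("203.0.113.10-203.0.113.11", fallback_range="203.0.113.20-203.0.113.21")
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.1", "10.0.0.3"):
        print(host, *pool.translate(host))
    print(check_nptv6_prefix("2001:db8:1::/48"))
```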
Active/Active HA Binding Tab
Policies > NAT > Active/Active HA Binding
The Active/Active HA Binding tab is available only if the firewall is in a high availability (HA) active/active configuration. In this configuration, you must bind each source NAT rule (whether static or dynamic NAT) to Device ID 0 or Device ID 1; you must bind each destination NAT rule to either Device ID 0, Device ID 1, both (Device ID 0 and Device ID 1), or to the active-primary firewall.
Select an Active/Active HA Binding setting to bind the NAT rule to an HA firewall as follows:
- 0: Binds the NAT rule to the firewall that has HA Device ID 0.
- 1: Binds the NAT rule to the firewall that has HA Device ID 1.
- both: Binds the NAT rule to both the firewall that has HA Device ID 0 and the firewall that has HA Device ID 1. This setting does not support Dynamic IP or Dynamic IP and Port NAT.
- primary: Binds the NAT rule to the firewall that is in HA active-primary state. This setting does not support Dynamic IP or Dynamic IP and Port NAT.
You typically configure device-specific NAT rules when the two HA peers have unique NAT IP address pools.
When the firewall creates a new session, the HA binding determines which NAT rules the session can match. The binding must include the session owner for the rule to match. The session setup firewall performs the NAT rule matching, but the session is compared to NAT rules that are bound to the session owner and translated according to one of the rules. For device-specific rules, the firewall skips all NAT rules that are not bound to the session owner. For example, suppose the firewall with Device ID 1 is the session owner and the session setup firewall. When Device ID 1 attempts to match a session to a NAT rule, it ignores all rules bound to Device ID 0.
If one peer fails, the second peer continues to process traffic for the synchronized sessions from the failed peer, including NAT translations. Palo Alto Networks recommends you create a duplicate NAT rule that is bound to the second Device ID. Therefore, there are two NAT rules with the same source translation addresses and the same destination translation addresses, one rule bound to each Device ID. This configuration allows the HA peer to perform new session setup tasks and perform NAT rule matching for NAT rules that are bound to its Device ID. Without a duplicate NAT rule, the functioning peer will try to perform the NAT policy match, but the session won't match the firewall's own device-specific rules and the firewall skips all other NAT rules that are not bound to its Device ID.
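The HA-binding rule selection described above, as an added Python example (not firewall code): a new session can match only NAT rules whose binding includes the session owner, the both and primary bindings reject Dynamic IP translation types, and a review helper lists device-specific rules that the surviving peer cannot match after its partner fails. Rule names and addresses are constructed.

```python
from dataclasses import dataclass
from typing import List

VALID_BINDINGS = ("0", "1", "both", "primary")
DYNAMIC_TYPES = ("dynamic-ip", "dynamic-ip-and-port")


@dataclass(frozen=True)
class NatRule:
    name: str
    binding: str             # Active/Active HA Binding: "0" | "1" | "both" | "primary"
    translation: str         # "static-ip" | "dynamic-ip" | "dynamic-ip-and-port"
    translated_address: str  # pool or address the rule translates to (constructed values)


def validate_binding(rule: NatRule) -> None:
    """both and primary bindings do not support Dynamic IP or Dynamic IP and Port NAT."""
    if rule.binding not in VALID_BINDINGS:
        raise ValueError(f"{rule.name}: unknown HA binding {rule.binding!r}")
    if rule.binding in ("both", "primary") and rule.translation in DYNAMIC_TYPES:
        raise ValueError(f"{rule.name}: binding {rule.binding} does not support {rule.translation}")


def candidate_rules(rulebase: List[NatRule], session_owner: str,
                    active_primary: str) -> List[str]:
    """Rules a new session can match, in rulebase order: the binding must include the
    session owner. Rules bound only to the other Device ID are skipped."""
    names = []
    for rule in rulebase:
        validate_binding(rule)
        bound_to_owner = (rule.binding == "both" or rule.binding == session_owner
                          or (rule.binding == "primary" and session_owner == active_primary))
        if bound_to_owner:
            names.append(rule.name)
    return names


def lost_on_failover(rulebase: List[NatRule], failed_device: str) -> List[str]:
    """Device-specific rules bound only to the failed peer. New sessions set up by the
    surviving peer cannot match them, which is why the guide recommends a duplicate rule
    bound to the other Device ID."""
    return [rule.name for rule in rulebase if rule.binding == failed_device]


# Constructed rulebase: each device-specific destination NAT rule has a twin bound to the
# other Device ID; the source NAT pools are unique per peer.
RULEBASE = [
    NatRule("snat-pool-dev0", "0", "dynamic-ip-and-port", "203.0.113.10-203.0.113.20"),
    NatRule("snat-pool-dev1", "1", "dynamic-ip-and-port", "198.51.100.10-198.51.100.20"),
    NatRule("dnat-mail-dev0", "0", "static-ip", "10.1.1.25"),
    NatRule("dnat-mail-dev1", "1", "static-ip", "10.1.1.25"),
    NatRule("dnat-web-both", "both", "static-ip", "10.1.1.80"),
    NatRule("dnat-vpn-primary", "primary", "static-ip", "10.1.1.50"),
]

if __name__ == "__main__":
    # Device ID 1 owns and sets up the session while Device ID 0 is active-primary.
    print(candidate_rules(RULEBASE, session_owner="1", active_primary="0"))
    print(lost_on_failover(RULEBASE, failed_device="0"))
```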
Looking for more?
See NAT in Active/Active HA Mode
Policies > QoS
Add QoS policy rules to define the traffic that receives specific QoS treatment and assign a QoS class for each QoS policy rule to specify that the assigned class of service applies to all traffic matched to the associated rule as it exits a QoS-enabled interface.
QoS policy rules pushed to a firewall from Panorama are shown in orange and cannot be edited at the firewall level.
Additionally, to fully enable the firewall to provide QoS:
- Set bandwidth limits for each QoS class of service (select Network > Network Profiles > QoS to add or modify a QoS profile).
- Enable QoS on an interface (select Network > QoS).
Refer to Quality of Service for complete QoS workflows, concepts, and use cases.
Add a new rule or clone an existing rule and then define the following fields.

QoS Policy Rule Settings
General Tab
Name: Enter a name to identify the rule (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description: Enter an optional description.
Tag: If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.
Source Tab
Source Zone: Select one or more source zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire).
Source Address: Specify a combination of source IPv4 or IPv6 addresses for which the identified application can be overridden. To select specific addresses, choose select from the drop-down and do any of the following:
- Select this option next to the appropriate addresses and/or address groups in the Available column, and click Add to add your selections to the Selected column.
- Enter the first few characters of a name in the search field to list all addresses and address groups that start with those characters. Selecting an item in the list enables this option in the Available column. Repeat this process as often as needed, and then click Add.
- Enter one or more IP addresses (one per line), with or without a network mask. The general format is:
  <ip_address>/<mask>
To remove addresses, select them (Selected column) and click Delete or select any to clear all addresses and address groups.
To add new addresses that can be used in this or other policies, click New Address. To define new address groups, select Objects > Address Groups.
Source User: Specify the source users and groups to which the QoS policy will apply.
Negate: Select this option to have the policy apply if the specified information on this tab does NOT match.
Destination Tab
Destination Zone: Select one or more destination zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire).
Destination Address: Specify a combination of destination IPv4 or IPv6 addresses for which the identified application can be overridden. To select specific addresses, choose select from the drop-down and do any of the following:
- Select this option next to the appropriate addresses and/or address groups in the Available column, and Add your selections to the Selected column.
- Enter the first few characters of a name in the search field to list all addresses and address groups that start with those characters. Selecting an item in the list enables this option in the Available column. Repeat this process as often as needed, and then click Add.
- Enter one or more IP addresses (one per line), with or without a network mask. The general format is:
  <ip_address>/<mask>
To remove addresses, select them (Selected column) and click Delete or select any to clear all addresses and address groups.
To add new addresses that can be used in this or other policies, click New Address.
Negate: Select this option to have the policy apply if the specified information on this tab does not match.
Application Tab
Application: Select specific applications for the QoS rule. To define new applications or application groups, select Objects > Applications.
If an application has multiple functions, you can select the overall application or individual functions. If you select the overall application, all functions are included, and the application definition is automatically updated as future functions are added.
If you are using application groups, filters, or containers in the QoS rule, you can view details on these objects by holding your mouse over the object in the Application column, clicking the down arrow and selecting Value. This enables you to easily view application members directly from the policy without having to go to the Objects tab.
Service: Select services to limit to specific TCP and/or UDP port numbers. Choose one of the following from the drop-down:
- any: The selected applications are allowed or denied on any protocol or port.
- application-default: The selected applications are allowed or denied only on their default ports defined by Palo Alto Networks. This option is recommended for allow policies.
- Select: Click Add. Choose an existing service or choose Service or Service Group to specify a new entry.
URL Category: Select URL categories for the QoS rule.
Select Any to ensure that a session can match this QoS rule regardless of the URL category.
To specify a category, click Add and select a specific category (including a custom category) from the drop-down. You can add multiple categories. Refer to Objects > External Dynamic Lists for information on defining custom categories.
DSCP/TOS Tab
Any: Select Any (default) to allow the policy to match to traffic regardless of the Differentiated Services Code Point (DSCP) value or the IP Precedence/Type of Service (ToS) defined for the traffic.
Codepoints: Select Codepoints to enable traffic to receive QoS treatment based on the DSCP or ToS value defined in a packet's IP header. The DSCP and ToS values are used to indicate the level of service requested for traffic, such as high priority or best effort delivery. Using codepoints as matching criteria in a QoS policy allows a session to receive QoS treatment based on the codepoint detected at the beginning of the session.
Continue to Add codepoints to match traffic to the QoS policy:
- Give codepoint entries a descriptive Name.
- Select the Type of codepoint you want to use as matching criteria for the QoS policy and then select a specific Codepoint value. You can also create a Custom Codepoint by entering a Codepoint Name and Binary Value.
QoSPolicyRuleSettings
Class ChoosetheQoSclasstoassigntotherule,andclickOK.Classcharacteristics
aredefinedintheQoSprofile.RefertoNetwork>NetworkProfiles>QoS
forinformationonconfiguringsettingsforQoSclasses.
Schedule SelectNoneforthepolicyruletoremainactiveatalltimes.
Fromthedropdown,selectSchedule(calendaricon)tosetasingletime
rangeorarecurringtimerangeduringwhichtheruleisactive.
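The DSCP/TOS tab above matches sessions on the codepoint found in the IP header. The following added example (not code from the guide or from PAN-OS) shows how the three entry types on that tab map onto the ToS/DS byte: a named DSCP value, an IP Precedence (ToS) value, and a Custom Codepoint given as a binary value; the IPv4 header bytes and the rule entries are constructed for the example.

```python
"""Match a packet's DSCP/ToS codepoint against QoS rule codepoint entries.

Added example, not from the PAN-OS guide. 'Any' (codepoints=None) matches
regardless of the codepoint; otherwise the session matches when the value
in the IP header matches one of the rule's entries. The DSCP names are the
standard RFC 2474/2597/3246 codepoints; packets below are constructed.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass

# Standard 6-bit DSCP codepoints.
DSCP_NAMES = {
    "cs0": 0, "cs1": 8, "cs2": 16, "cs3": 24, "cs4": 32, "cs5": 40, "cs6": 48, "cs7": 56,
    "af11": 10, "af12": 12, "af13": 14, "af21": 18, "af22": 20, "af23": 22,
    "af31": 26, "af32": 28, "af33": 30, "af41": 34, "af42": 36, "af43": 38,
    "ef": 46,
}


@dataclass(frozen=True)
class CodepointEntry:
    name: str    # descriptive Name of the entry
    kind: str    # "dscp" (named value), "tos" (IP Precedence, 3 bits) or "custom"
    value: str   # DSCP name, precedence as a decimal string, or Binary Value for custom


def tos_fields(ipv4_header: bytes) -> tuple[int, int]:
    """Return (dscp, ip_precedence) from the ToS/DS byte (second byte) of an IPv4 header."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    tos = ipv4_header[1]
    return tos >> 2, tos >> 5        # DSCP = top 6 bits, precedence = top 3 bits


def entry_matches(entry: CodepointEntry, dscp: int, precedence: int) -> bool:
    if entry.kind == "dscp":
        return DSCP_NAMES[entry.value.lower()] == dscp
    if entry.kind == "tos":
        return int(entry.value) == precedence
    if entry.kind == "custom":
        # Custom Codepoint: a Binary Value of up to 6 bits compared against the DSCP field.
        bits = entry.value
        if not bits or len(bits) > 6 or set(bits) - {"0", "1"}:
            raise ValueError(f"bad custom codepoint {bits!r}")
        return int(bits, 2) == dscp
    raise ValueError(f"unknown codepoint type {entry.kind!r}")


def rule_matches(codepoints: list[CodepointEntry] | None, ipv4_header: bytes) -> bool:
    """codepoints=None models 'Any'; otherwise the packet must match at least one entry."""
    if codepoints is None:
        return True
    dscp, precedence = tos_fields(ipv4_header)
    return any(entry_matches(e, dscp, precedence) for e in codepoints)


def ipv4_header(tos: int) -> bytes:
    """Constructed minimal 20-byte IPv4 header carrying the given ToS/DS byte."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


# Constructed rule: EF by name, precedence 5 for legacy ToS markers, and a custom value 101010 (42).
VOICE_RULE = [
    CodepointEntry("voice", "dscp", "ef"),
    CodepointEntry("legacy-voice", "tos", "5"),
    CodepointEntry("lab-tagged", "custom", "101010"),
]

if __name__ == "__main__":
    print(rule_matches(VOICE_RULE, ipv4_header(46 << 2)))   # EF-marked packet -> True
    print(rule_matches(VOICE_RULE, ipv4_header(0)))         # best-effort packet -> False
```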
Policies > Policy Based Forwarding
Normally, when traffic enters the firewall, the ingress interface virtual router dictates the route that determines the outgoing interface and destination security zone based on destination IP address. By creating a policy-based forwarding (PBF) rule, you can specify other information to determine the outgoing interface, including source zone, source address, source user, destination address, destination application, and destination service. The initial session on a given destination IP address and port that is associated with an application will not match an application-specific rule and will be forwarded according to subsequent PBF rules (that do not specify an application) or the virtual router's forwarding table. All subsequent sessions on that destination IP address and port for the same application will match an application-specific rule. To ensure forwarding through PBF rules, application-specific rules are not recommended.
When necessary, PBF rules can be used to force traffic through an additional virtual system using the Forward to VSYS forwarding action. In this case, it is necessary to define an additional PBF rule that will forward the packet from the destination virtual system out through a particular egress interface on the firewall.
The following tables describe the policy-based forwarding settings:
General Tab
Source Tab
Destination/Application/Service Tab
Forwarding Tab
Looking for more? Refer to Policy Based Forwarding
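The initial-session behaviour described above is easy to misjudge when writing PBF rules. The following added example (not PAN-OS code and not from the guide) simulates top-down PBF evaluation with that caveat: an application-specific rule cannot match the first session to a destination IP/port because the application is not yet known, while a service-based rule forwards that session immediately; rule names, zones, interfaces and addresses are constructed.

```python
"""Simulate PBF rule evaluation, including the initial-session caveat.

Added example (not PAN-OS code, not from the guide). The firewall learns a
session's application only after the session starts, so the first session to a
destination IP/port cannot match an application-specific PBF rule and falls
through to later rules or the route table; later sessions to that IP/port for
the same application do match it. All names and addresses are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PbfRule:
    name: str
    source_zone: str | None = None            # None models 'any'
    destination: str | None = None
    application: str | None = None            # set only on an application-specific rule
    service: tuple[str, int] | None = None    # (protocol, port) service object
    action: str = "forward"                   # forward | forward-to-vsys | discard | no-pbf
    egress_interface: str | None = None
    next_hop: str | None = None               # next-hop IP, or the target vsys name


@dataclass(frozen=True)
class Session:
    source_zone: str
    destination: str
    protocol: str
    port: int
    application: str                          # what App-ID determines during the session


@dataclass
class Pbf:
    rules: list[PbfRule]
    route_table: dict[str, str]               # destination -> egress interface; "default" is the fallback
    app_cache: dict[tuple[str, str, int], str] = field(default_factory=dict)

    def forward(self, s: Session) -> str:
        """Return the forwarding decision for a new session, evaluating rules top-down."""
        key = (s.destination, s.protocol, s.port)
        known_app = self.app_cache.get(key)   # None for the initial session on this IP/port
        decision = None
        for r in self.rules:
            if r.source_zone not in (None, s.source_zone):
                continue
            if r.destination not in (None, s.destination):
                continue
            if r.service is not None and r.service != (s.protocol, s.port):
                continue
            if r.application is not None and r.application != known_app:
                continue                      # app-specific rule cannot match yet
            decision = self._apply(r, s)
            break
        if decision is None:                  # no PBF rule matched: the virtual router forwards
            decision = f"route-table:{self._lookup(s.destination)}"
        self.app_cache[key] = s.application   # App-ID identifies the app as the session runs
        return decision

    def _apply(self, r: PbfRule, s: Session) -> str:
        if r.action == "forward":
            return f"forward:{r.egress_interface}->{r.next_hop}"
        if r.action == "forward-to-vsys":
            return f"vsys:{r.next_hop}"
        if r.action == "discard":
            return "discard"
        return f"route-table:{self._lookup(s.destination)}"   # no-pbf: route table decides

    def _lookup(self, destination: str) -> str:
        return self.route_table.get(destination, self.route_table["default"])


# Constructed rules: an application-specific rule first, a service-based rule second.
RULES = [
    PbfRule("web-via-isp2", source_zone="trust", application="web-browsing",
            action="forward", egress_interface="ethernet1/2", next_hop="203.0.113.1"),
    PbfRule("tls-via-isp3", source_zone="trust", service=("tcp", 443),
            action="forward", egress_interface="ethernet1/3", next_hop="198.51.100.1"),
]
ROUTES = {"default": "ethernet1/1"}
WEB_SESSION = Session("trust", "192.0.2.10", "tcp", 80, "web-browsing")
TLS_SESSION = Session("trust", "192.0.2.10", "tcp", 443, "ssl")


def demo() -> list[str]:
    """Two consecutive web sessions, then a TLS session against a fresh firewall state."""
    pbf = Pbf(RULES, ROUTES)
    return [pbf.forward(WEB_SESSION), pbf.forward(WEB_SESSION),
            Pbf(RULES, ROUTES).forward(TLS_SESSION)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```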
General Tab
Select the General tab to configure a name and description for the PBF policy. A tag can also be configured to allow you to sort or filter policies when a large number of policies exist.
Field Description
Name: Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.
Description: Enter a description for the policy (up to 255 characters).
Tag: If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.
Source Tab
Select the Source tab to define the source zone or source address that defines the incoming source traffic to which the forwarding policy will be applied.
Field Description
Source Zone: To choose source zones (default is any), click Add and select from the drop-down. To define new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.
Only Layer 3 type zones are supported for policy-based forwarding.
Source Address: Click Add to add source addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.
Source User: Click Add to choose the source users or groups of users subject to the policy. The following source user types are supported:
- any: Include any traffic regardless of user data.
- pre-logon: Include remote users that are connected to the network using GlobalProtect, but are not logged into their system. When the Pre-logon option is configured on the Portal for GlobalProtect clients, any user who is not currently logged into their machine will be identified with the username pre-logon. You can then create policies for pre-logon users and although the user is not logged in directly, their machines are authenticated on the domain as if they were fully logged in.
- known-user: Includes all authenticated users, which means any IP with user data mapped. This option is equivalent to the domain users group on a domain.
- unknown: Includes all unauthenticated users, which means IP addresses that are not mapped to a user. For example, you could use unknown for guest-level access to something because they will have an IP on your network, but will not be authenticated to the domain and will not have IP address-to-user mapping information on the firewall.
- Select: Includes selected users as determined by the selection in this window. For example, you may want to add one user, a list of individuals, some groups, or manually add users.
If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server and not from the User-ID agent, the list of users does not display; you must enter user information manually.
Destination/Application/Service Tab
Select the Destination/Application/Service tab to define the destination settings that will be applied to traffic that matches the forwarding rule.
Field Description
Destination Address: Click Add to add destination addresses, address groups, or regions (default is any). By default, the rule applies to Any IP address. Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.
Application/Service: Select specific applications or services for the PBF rule. To define new applications, refer to Defining Applications. To define application groups, refer to Objects > Application Groups.
Application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application.
If you are using application groups, filters, or containers in the PBF rule, you can view details on these objects by holding your mouse over the object in the Application column, clicking the down arrow and selecting Value. This enables you to easily view application members directly from the policy without having to go to the Objects tabs.
Forwarding Tab
Select the Forwarding tab to define the action and network information that will be applied to traffic that matches the forwarding policy. Traffic can be forwarded to a next hop IP address, a virtual system, or the traffic can be dropped.
Field Description
Action: Select one of the following options:
- Forward: Specify the next hop IP address and egress interface (the interface that the packet takes to get to the specified next hop).
- Forward To VSYS: Choose the virtual system to forward to from the drop-down.
- Discard: Drop the packet.
- No PBF: Do not alter the path that the packet will take. This option excludes the packets that match the criteria for source/destination/application/service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.
Egress Interface: Directs the packet to a specific Egress Interface.
Next Hop: If you direct the packet to a specific interface, specify the Next Hop IP address for the packet.
Schedule: To limit the days and times when the rule is in effect, select a schedule from the drop-down. To define new schedules, refer to Settings to Control Decrypted SSL Traffic.
Policies > Decryption
You can configure the firewall to decrypt traffic for visibility, control, and granular security. Decryption policies can apply to Secure Sockets Layer (SSL), including SSL-encapsulated protocols such as IMAP(S), POP3(S), SMTP(S), and FTP(S), and Secure Shell (SSH) traffic. SSH decryption can be used to decrypt outbound and inbound SSH traffic to assure that secure protocols are not being used to tunnel disallowed applications and content.
Add a decryption policy rule to define traffic that you want to decrypt (for example, you can decrypt traffic based on URL categorization). Decryption policy rules are compared against the traffic in sequence, so more specific rules must precede the more general ones.
SSL forward proxy decryption requires the configuration of a trusted certificate that will be presented to the user if the server to which the user is connecting possesses a certificate signed by a CA trusted by the firewall. Create a certificate on the Device > Certificate Management > Certificates page and then click the name of the certificate and select Forward Trust Certificate.
Certain applications will not function if they are decrypted by the firewall. To prevent this from occurring, PAN-OS will not decrypt the SSL traffic for these applications and the decryption rule settings will not apply. Refer to the List of Applications Excluded from SSL Decryption.
The following tables describe the decryption policy settings:
General Tab
Source Tab
Destination Tab
Service/URL Category Tab
Options Tab
Looking for more? See Decryption
General Tab
Select the General tab to configure a name and description for the decryption policy. A tag can also be configured to allow you to sort or filter policies when a large number of policies exist.
Field Description
Name: Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.
Description: Enter a description for the rule (up to 255 characters).
Tag: If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.
Source Tab
Select the Source tab to define the source zone or source address that defines the incoming source traffic to which the decryption policy will be applied.
Field Description
Source Zone: Click Add to choose source zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.
Source Address: Click Add to add source addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings. Select Negate to choose any address except the configured ones.
Source User: Click Add to choose the source users or groups of users subject to the policy. The following source user types are supported:
- any: Include any traffic regardless of user data.
- pre-logon: Include remote users that are connected to the network using GlobalProtect, but are not logged into their system. When the Pre-logon option is configured on the Portal for GlobalProtect clients, any user who is not currently logged into their machine will be identified with the username pre-logon. You can then create policies for pre-logon users and although the user is not logged in directly, their machines are authenticated on the domain as if they were fully logged in.
- known-user: Includes all authenticated users, which means any IP with user data mapped. This option is equivalent to the domain users group on a domain.
- unknown: Includes all unauthenticated users, which means IP addresses that are not mapped to a user. For example, you could use unknown for guest-level access to something because they will have an IP on your network, but will not be authenticated to the domain and will not have IP-to-user mapping information on the firewall.
- Select: Includes selected users as determined by the selection in this window. For example, you may want to add one user, a list of individuals, some groups, or manually add users.
If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server and not from the User-ID agent, the list of users does not display; you must enter user information manually.
Destination Tab
Select the Destination tab to define the destination zone or destination address that defines the destination traffic to which the policy will be applied.
Field Description
Destination Zone: Click Add to choose destination zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.
Destination Address: Click Add to add destination addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings. Select Negate to choose any address except the configured ones.
Service/URL Category Tab
Select the Service/URL Category tab to apply the decryption policy to traffic based on TCP port number or to any URL category (or a list of categories).
Field Description
Service: Apply the decryption policy to traffic based on specific TCP port numbers. Choose one of the following from the drop-down:
- any: The selected applications are allowed or denied on any protocol or port.
- application-default: The selected applications are decrypted (or are exempt from decryption) only on the default ports defined for the applications by Palo Alto Networks.
- Select: Click Add. Choose an existing service or specify a new Service or Service Group. (Or select Objects > Services and Objects > Service Groups).
URL Category: Select URL categories for the decryption rule.
Choose any to match any sessions regardless of the URL category.
To specify a category, click Add and select a specific category (including a custom category) from the drop-down. You can add multiple categories.
Refer to for information on defining custom categories.
Options Tab
Select the Options tab to determine if the matched traffic should be decrypted or not. If Decrypt is set, specify the decryption type. You can also add additional decryption features by configuring or selecting a decryption profile.
Field Description
Action: Select decrypt or no-decrypt for the traffic.
Type: Select the type of traffic to decrypt from the drop-down:
- SSL Forward Proxy: Specifies that the policy will decrypt client traffic destined for an external server.
- SSH Proxy: Specifies that the policy will decrypt SSH traffic. This option allows you to control SSH tunneling in policies by specifying the ssh-tunnel App-ID.
- SSL Inbound Inspection: Specifies that the policy will decrypt SSL inbound inspection traffic.
Decryption Profile: Attach a decryption profile to the policy rule in order to block and control certain aspects of the traffic. For details on creating a decryption profile, select Objects > Decryption Profile.
Policies > Tunnel Inspection
You can configure the firewall to inspect the traffic content of the following cleartext tunnel protocols:
- Generic Routing Encapsulation (GRE)
- Non-encrypted IPSec traffic (NULL Encryption Algorithm for IPSec and transport mode AH IPSec)
- General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U); supported only on PA-5200 Series and VM-Series firewalls.
You can use tunnel content inspection to enforce Security, DoS Protection, and QoS policies on traffic in these types of tunnels and on traffic nested within another cleartext tunnel (for example, Null-encrypted IPSec inside a GRE tunnel).
Create a Tunnel Inspection policy that, when matching an incoming packet, determines which tunnel protocols in the packet the firewall will inspect and that specifies the conditions under which the firewall drops or continues to process the packet. You can view tunnel inspection logs and tunnel activity in the ACC to verify that tunneled traffic complies with your corporate security and usage policies.
The firewall supports tunnel content inspection on Ethernet interfaces and subinterfaces, AE interfaces, VLAN interfaces, and VPN and LSVPN tunnels. The feature is supported in Layer 3, Layer 2, virtual wire, and tap deployments. Tunnel content inspection works on shared gateways and on virtual system-to-virtual system communications.
What do you want to know? See:
What are the fields available to create a Tunnel Inspection policy? See Building Blocks in a Tunnel Inspection Policy.
How can I view tunnel inspection logs? See Log Types and Severity Levels.
Looking for more? See Tunnel Content Inspection.
Building Blocks in a Tunnel Inspection Policy
The following table describes the fields you configure for a Tunnel Inspection policy.
Description: (Optional) Enter a description for the Tunnel Inspection policy.
Tags: (Optional) Enter one or more tags for reporting and logging purposes that identify the packets that are subject to the Tunnel Inspection policy.
Source Address: (Optional) Add source IPv4 or IPv6 addresses, address groups, or Geo Region address objects of packets to which the Tunnel Inspection policy applies (default is Any).
Source User: (Optional) Add source users of packets to which the Tunnel Inspection policy applies (default is any).
Negate: (Optional) Select Negate to choose any addresses except the specified ones.
Destination Address: (Optional) Add destination IPv4 or IPv6 addresses, address groups, or Geo Region address objects of packets to which the Tunnel Inspection policy applies (default is Any).
Negate: (Optional) Select Negate to choose any addresses except the specified ones.
Drop packet if tunnel protocol fails strict header check: (Optional) Drop packets that contain a tunnel protocol that uses a header that is non-compliant with the RFC for that protocol. Non-compliant headers can indicate suspicious packets. This option causes the firewall to verify GRE headers against RFC 2890.
Don't enable this option if your firewall is tunneling GRE with a device that implements a version of GRE older than RFC 2890.
Drop packet if unknown protocol inside tunnel: (Optional) Drop packets that contain a protocol inside the tunnel that the firewall cannot identify.
Tunnel Source Zone: (Optional) Select one of the following:
- Default: The inner content will use the same zone that is used in the outer tunnel for policy enforcement.
- A separate tunnel zone: A tunnel zone you create so that the Security policies associated with that zone apply to the tunnel source zone.
Tunnel Destination Zone: (Optional) Select one of the following:
- Default: The inner content will use the same zone that is used in the outer tunnel for policy enforcement.
- A separate tunnel zone: A tunnel zone you create so that the Security policies associated with that zone apply to the tunnel destination zone.
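To make the "strict header check" option above concrete, the following added example (not PAN-OS code and not the firewall's implementation) validates a GRE header against RFC 2890: version 0, reserved bits other than C/K/S clear, Reserved1 clear, and a verified checksum when present. It also shows why a peer using pre-RFC 2890 flags (such as the RFC 1701 routing bit) fails the check; all packets are constructed inline.

```python
"""Strict GRE header check modelled on the 'fails strict header check' option.

Added example, not PAN-OS code and not the firewall's actual implementation.
It validates a GRE header against RFC 2890 (which extends RFC 2784): the
version must be 0, every reserved bit except C, K and S must be zero,
Reserved1 must be zero when present, and the optional checksum must verify.
Packets carrying RFC 1701-era routing or recursion flags therefore fail,
which is the caveat the guide gives for older GRE peers.
"""
from __future__ import annotations
import struct

FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000
RESERVED0_MASK = 0x4FF8      # bit 1 plus bits 4-12; must be zero under RFC 2890
VERSION_MASK = 0x0007


class GreHeaderError(ValueError):
    """Raised for anything the strict check would drop."""


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when data already carries a valid one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def strict_gre_check(packet: bytes) -> dict:
    """Parse a GRE packet (header + payload) and return its fields, or raise GreHeaderError."""
    if len(packet) < 4:
        raise GreHeaderError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & VERSION_MASK != 0:
        raise GreHeaderError(f"GRE version {flags & VERSION_MASK}, expected 0")
    if flags & RESERVED0_MASK:
        raise GreHeaderError("reserved bits set in Reserved0 (pre-RFC 2890 flags?)")
    fields: dict = {"protocol": proto, "checksum": None, "key": None, "sequence": None}
    offset = 4
    if flags & FLAG_C:
        if len(packet) < offset + 4:
            raise GreHeaderError("truncated checksum field")
        checksum, reserved1 = struct.unpack("!HH", packet[offset:offset + 4])
        if reserved1:
            raise GreHeaderError("Reserved1 must be zero")
        if _checksum(packet) != 0:             # checksum covers the GRE header and payload
            raise GreHeaderError("GRE checksum mismatch")
        fields["checksum"] = checksum
        offset += 4
    if flags & FLAG_K:
        if len(packet) < offset + 4:
            raise GreHeaderError("truncated key field")
        fields["key"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_S:
        if len(packet) < offset + 4:
            raise GreHeaderError("truncated sequence number field")
        fields["sequence"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    fields["header_len"] = offset
    return fields


def is_strict_compliant(packet: bytes) -> bool:
    """True if the packet passes the strict check (it would not be dropped)."""
    try:
        strict_gre_check(packet)
        return True
    except GreHeaderError:
        return False


def build_gre(proto: int, key: int | None = None, seq: int | None = None,
              checksum: bool = False, payload: bytes = b"") -> bytes:
    """Construct an RFC 2890 GRE packet; used here only to build sample input."""
    flags = (FLAG_C if checksum else 0) | (FLAG_K if key is not None else 0) \
        | (FLAG_S if seq is not None else 0)
    hdr = struct.pack("!HH", flags, proto)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)         # checksum placeholder + Reserved1
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if checksum:
        hdr = hdr[:4] + struct.pack("!HH", _checksum(hdr + payload), 0) + hdr[8:]
    return hdr + payload


if __name__ == "__main__":
    good = build_gre(0x0800, key=7, seq=1, checksum=True, payload=b"\x45\x00\x00\x14")
    print(strict_gre_check(good))
    print(is_strict_compliant(bytes.fromhex("40000800")))   # RFC 1701 routing bit -> False
```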
Policies > Application Override
To change how the firewall classifies network traffic into applications, you can specify application override policies. For example, if you want to control one of your custom applications, an application override policy can be used to identify traffic for that application according to zone, source and destination address, port, and protocol. If you have network applications that are classified as unknown, you can create new application definitions for them (refer to Defining Applications).
Like security policies, application override policies can be as general or specific as needed. The policy rules are compared against the traffic in sequence, so the more specific rules must precede the more general ones.
Because the App-ID engine in PAN-OS classifies traffic by identifying the application-specific content in network traffic, the custom application definition cannot simply use a port number to identify an application. The application definition must also include traffic (restricted by source zone, source IP address, destination zone, and destination IP address).
To create a custom application with application override:
1. Create a custom application (see Defining Applications). It is not required to specify signatures for the application if the application is used only for application override rules.
2. Define an application override policy that specifies when the custom application should be invoked. A policy typically includes the IP address of the server running the custom application and a restricted set of source IP addresses or a source zone.
Use the following tables to configure an application override rule.
General Tab
Source Tab
Destination Tab
Protocol/Application Tab
Looking for more? See Use Application Objects in Policy
General Tab
Select the General tab to configure a name and description for the application override policy. A tag can also be configured to allow you to sort or filter policies when a large number of policies exist.
Field Description
Name: Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.
Description: Enter a description for the rule (up to 255 characters).
Tag: If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.
Source Tab
Select the Source tab to define the source zone or source address that defines the incoming source traffic to which the application override policy will be applied.
Field Description
Source Zone: Add source zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.
Source Address: Add source addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.
Select Negate to choose any address except the configured ones.
Destination Tab
Select the Destination tab to define the destination zone or destination address that defines the destination traffic to which the policy will be applied.
Field Description
Destination Zone: Click Add to choose destination zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.
Destination Address: Click Add to add destination addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.
Select Negate to choose any address except the configured ones.
Protocol/Application Tab
Select the Protocol/Application tab to define the protocol (TCP or UDP), port, and application that further defines the attributes of the application for the policy match.
Field Description
Protocol: Select the protocol (TCP or UDP) for which to allow an application override.
Port: Enter the port number (0 to 65535) or range of port numbers (port1-port2) for the specified destination addresses. Multiple ports or ranges must be separated by commas.
Application: Select the override application for traffic flows that match the above rule criteria. When overriding to a custom application, there is no threat inspection that is performed. The exception to this is when you override to a predefined application that supports threat inspection.
To define new applications, refer to Objects > Applications.
Policies > Authentication
Your Authentication policy enables you to authenticate end users before they can access network resources.
What do you want to know? See:
What are the fields available to create an Authentication rule? See Building Blocks of an Authentication Policy Rule.
How can I use the web interface to manage Authentication policy? See Create and Manage Authentication Policy. For Panorama, see Move or Clone a Policy Rule.
Looking for more? See Authentication Policy.
Building Blocks of an Authentication Policy Rule
Whenever a user requests a resource (such as when visiting a web page), the firewall evaluates Authentication policy. Based on the matching policy rule, the firewall then prompts the user to respond to one or more challenges of different factors (types), such as login and password, voice, SMS, push, or one-time password (OTP) authentication. After the user responds to all the factors, the firewall evaluates Security policy (see Policies > Security) to determine whether to allow access to the resource.
The firewall does not prompt users to authenticate if they access non-web-based resources (such as a printer) through a GlobalProtect gateway that is internal or in tunnel mode. Instead, the users will see connection failure messages. To ensure users can access these resources, set up an authentication portal and train users to visit it when they see connection failures. Consult your IT department to set up an authentication portal.
The following table describes each building block or component in an Authentication policy rule. Before you Add a rule, complete the prerequisites described in Create and Manage Authentication Policy.
Description: Enter a description for the rule (up to 255 characters).
Tag: Select a tag for sorting and filtering rules (see Objects > Tags).
Source Address: Add addresses or address groups to apply the rule only to traffic originating from the sources that you specify (default is any).
Select Negate to choose any address except the selected ones.
To define new addresses or address groups, see Objects > Addresses and Objects > Address Groups.
Source HIP Profile: Add host information profiles (HIP) to identify users. A HIP enables you to collect information about the security status of your end hosts, such as whether they have the latest security patches and antivirus definitions. For details and to define new HIPs, see Objects > GlobalProtect > HIP Profiles.
Destination Address: Add addresses or address groups to apply the rule only to the destinations that you specify (default is any).
Select Negate to choose any address except the selected ones.
To define new addresses or address groups, see Objects > Addresses and Objects > Address Groups.
URL Category: Select the URL categories to which the rule applies:
- Select any to specify all traffic regardless of the URL category.
- Add categories. To define custom categories, see Objects > Custom Objects > URL Category.
Timeout: To reduce the frequency of authentication challenges that interrupt the user workflow, you can specify the interval in minutes (default is 60) when the firewall prompts the user to authenticate only once for repeated access to resources.
If the Authentication Enforcement object specifies multi-factor authentication, the user must authenticate once for each factor. The firewall records a timestamp and reissues a challenge only when the timeout for a factor expires. Redistributing the timestamps to other firewalls enables you to apply the timeout even if the firewall that initially allows access for a user is not the same firewall that later controls access for that user.
Log Authentication Timeouts: Select this option (disabled by default) if you want the firewall to generate Authentication logs whenever the Timeout associated with an authentication factor expires. Enabling this option provides more data to troubleshoot access issues. In conjunction with correlation objects, you can also use Authentication logs to identify suspicious activity on your network (such as brute force attacks).
Enabling this option increases log traffic.
Log Forwarding: Select a Log Forwarding profile if you want the firewall to forward Authentication logs to Panorama or to external services such as a syslog server (see Objects > Log Forwarding).
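The Timeout and Log Authentication Timeouts fields above describe per-factor timestamps. The following added example (not PAN-OS code and not from the guide) models that bookkeeping: one timestamp per user and factor, a challenge reissued only for factors whose own timeout has expired, and a list of expired factors of the kind the logging option would report; the user, factor names and times are constructed.

```python
"""Per-factor authentication timeout bookkeeping, as described for the Timeout field.

Added example, not PAN-OS code. One timestamp is kept per (user, factor); a
factor is challenged again only when its own timeout has expired, so with
multi-factor enforcement the user re-authenticates per factor rather than
all at once. Times are seconds; the 60-minute default is the guide's.
"""
from __future__ import annotations


class AuthTimeoutTracker:
    def __init__(self, timeout_minutes: int = 60) -> None:
        self.timeout = timeout_minutes * 60
        self.stamps: dict[tuple[str, str], float] = {}   # (user, factor) -> last success time

    def record(self, user: str, factor: str, now: float) -> None:
        """Record a successful response to one factor."""
        self.stamps[(user, factor)] = now

    def _valid(self, user: str, factor: str, now: float) -> bool:
        ts = self.stamps.get((user, factor))
        return ts is not None and now - ts < self.timeout

    def factors_to_challenge(self, user: str, factors: list[str], now: float) -> list[str]:
        """Required factors (from the enforcement object) that are not currently valid."""
        return [f for f in factors if not self._valid(user, f, now)]

    def expired_factors(self, user: str, now: float) -> list[str]:
        """Factors whose timeout has expired; what Log Authentication Timeouts would log."""
        return [f for (u, f), ts in self.stamps.items()
                if u == user and now - ts >= self.timeout]


def example_timeline() -> list[list[str]]:
    """Constructed timeline for user 'alice' with password + OTP enforcement."""
    t = AuthTimeoutTracker(timeout_minutes=60)
    factors = ["password", "otp"]
    first = t.factors_to_challenge("alice", factors, now=0)          # nothing recorded: both
    t.record("alice", "password", now=0)
    t.record("alice", "otp", now=0)
    t.record("alice", "otp", now=20 * 60)                            # OTP refreshed at 20 min
    later = t.factors_to_challenge("alice", factors, now=30 * 60)    # within timeout: none
    expired = t.factors_to_challenge("alice", factors, now=61 * 60)  # only password expired
    return [first, later, expired]


if __name__ == "__main__":
    print(example_timeline())   # [['password', 'otp'], [], ['password']]
```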
Create and Manage Authentication Policy
Task Description
Add: Perform the following prerequisites before creating Authentication policy rules:
- Configure the User-ID Captive Portal settings (see Device > User Identification > Captive Portal Settings). The firewall uses Captive Portal to display the first authentication factor that the Authentication rule requires. Captive Portal also enables the firewall to record the timestamps associated with authentication Timeout periods and to update user mappings.
- Configure a server profile that specifies how the firewall can access the service that will authenticate users (see Device > Server Profiles).
- Assign the server profile to an authentication profile that specifies authentication settings (see Device > Authentication Profile).
- Assign the authentication profile to an authentication enforcement object that specifies the authentication method (see Objects > Authentication).
To create a rule, perform one of the following steps and then complete the fields described in Building Blocks of an Authentication Policy Rule:
- Click Add.
- Select a rule on which to base the new rule and click Clone Rule. The firewall inserts the copied rule, named <rulename>-#, below the selected rule, where # is the next available integer that makes the rule name unique. For details, see Move or Clone a Policy Rule.
Modify: To modify a rule, click the rule Name and edit the fields described in Building Blocks of an Authentication Policy Rule.
If the firewall received the rule from Panorama, the rule is read-only; you can edit it only on Panorama.
Move: When matching traffic, the firewall evaluates rules from top to bottom in the order that the Policies > Authentication page lists them. To change the evaluation order, select a rule and Move Up, Move Down, Move Top, or Move Bottom. For details, see Move or Clone a Policy Rule.
Delete: To remove an existing rule, select and Delete it.
Enable/Disable: To disable a rule, select and Disable it. To re-enable a disabled rule, select and Enable it.
Highlight Unused Rules: To identify rules that have not matched traffic since the last time the firewall was restarted, Highlight Unused Rules. You can then decide whether to disable or delete unused rules. The page highlights unused rules with a dotted yellow background.
Policies > DoS Protection
What do you want to know? See:
What is a DoS Protection policy? See DoS Protection Policy Overview.
What are the fields available to create a DoS Protection policy? See Building Blocks of a DoS Protection Policy.
How do I configure a DoS Protection profile? See Objects > Security Profiles > DoS Protection.
Looking for more? See DoS Protection Policies.
DoS Protection Policy Overview
A DoS Protection policy allows you to protect against DoS attacks by specifying whether to deny or allow packets that match a source interface, zone, address or user and/or a destination interface, zone, or user. Alternatively, you can choose the Protect action and specify a DoS profile where you set the thresholds (sessions or packets per second) that trigger an alarm, activate a protective action, and indicate the maximum rate above which packets are dropped. Thus, you can control the number of sessions between interfaces, zones, addresses, and countries based on aggregate sessions or source and/or destination IP addresses. For example, you can control traffic to and from certain addresses or address groups, or from certain users and for certain services.
The firewall enforces DoS Protection policy rules before Security policy rules to ensure the firewall uses its resources in the most efficient manner. If a DoS Protection policy rule denies a packet, that packet never reaches a Security policy rule.
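The overview above distinguishes counting aggregate sessions from counting per source and/or destination IP address. The following added example (not PAN-OS code and not from the guide) applies alarm, activate and max thresholds in connections per second to a constructed burst of connections, once as an Aggregate profile and once as a Classified profile keyed by source-ip-only, destination-ip-only or src-dest-ip-both; the profile values and addresses are constructed.

```python
"""Model DoS Protection rule counting: aggregate vs classified thresholds.

Added example, not PAN-OS code. It applies the thresholds described above
(alarm rate, activate rate, max rate, in connections per second) to a stream
of new connections: an Aggregate profile counts every connection the rule
matches; a Classified profile counts per source IP, per destination IP, or
per source/destination pair. Profile values and connections are constructed.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

VERDICT_RANK = {"allow": 0, "alarm": 1, "activate": 2, "drop": 3}


@dataclass(frozen=True)
class DosProfile:
    name: str
    alarm_rate: int       # cps above which the firewall logs an alarm
    activate_rate: int    # cps above which the protective action starts
    max_rate: int         # cps above which new connections are dropped


@dataclass(frozen=True)
class Conn:
    ts: float             # seconds
    src: str
    dst: str


def classify_key(conn: Conn, address: str) -> tuple[str, ...]:
    """Counting key for a Classified profile's Address setting."""
    if address == "source-ip-only":
        return (conn.src,)
    if address == "destination-ip-only":
        return (conn.dst,)
    if address == "src-dest-ip-both":
        return (conn.src, conn.dst)
    raise ValueError(f"unknown classified address setting {address!r}")


class DosRule:
    def __init__(self, aggregate: DosProfile | None = None,
                 classified: DosProfile | None = None,
                 address: str = "source-ip-only") -> None:
        self.aggregate = aggregate
        self.classified = classified
        self.address = address
        self.counts: dict[tuple, int] = defaultdict(int)   # (second, key) -> connections so far

    def _check(self, key: tuple, second: int, profile: DosProfile) -> str:
        self.counts[(second, key)] += 1
        rate = self.counts[(second, key)]
        if rate > profile.max_rate:
            return "drop"
        if rate > profile.activate_rate:
            return "activate"
        if rate > profile.alarm_rate:
            return "alarm"
        return "allow"

    def evaluate(self, conn: Conn) -> str:
        """Worst verdict across the Aggregate and Classified profiles for this connection."""
        second = int(conn.ts)
        verdicts = ["allow"]
        if self.aggregate is not None:
            verdicts.append(self._check(("aggregate",), second, self.aggregate))
        if self.classified is not None:
            key = ("classified",) + classify_key(conn, self.address)
            verdicts.append(self._check(key, second, self.classified))
        return max(verdicts, key=VERDICT_RANK.__getitem__)


def simulate(rule: DosRule, conns: list[Conn]) -> list[str]:
    return [rule.evaluate(c) for c in conns]


# Constructed input: one source opens 12 connections within a single second, a second
# source opens 2. Aggregate thresholds are generous; the classified ones are tight.
AGG_PROFILE = DosProfile("agg", alarm_rate=100, activate_rate=150, max_rate=200)
CLS_PROFILE = DosProfile("per-source", alarm_rate=5, activate_rate=8, max_rate=10)
SAMPLE_CONNS = [Conn(10.0 + i * 0.04, "198.51.100.7", "192.0.2.10") for i in range(12)]
SAMPLE_CONNS += [Conn(10.6, "198.51.100.8", "192.0.2.10"),
                 Conn(10.7, "198.51.100.8", "192.0.2.10")]

if __name__ == "__main__":
    rule = DosRule(aggregate=AGG_PROFILE, classified=CLS_PROFILE, address="source-ip-only")
    for conn, verdict in zip(SAMPLE_CONNS, simulate(rule, SAMPLE_CONNS)):
        print(f"{conn.ts:5.2f} {conn.src:>14} -> {conn.dst}: {verdict}")
```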
Building Blocks of a DoS Protection Policy

Description
  Enter a description for the rule (up to 255 characters).

Tags
  If you want to tag the policy, Add and specify the tag.
  A policy tag is a keyword or phrase that allows you to sort or filter policies. A tag is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt or No-decrypt, or use the name of a specific data center for policies associated with that location.

Source Address
  Select Any or Add and specify one or more source addresses to which the DoS Protection policy rule applies.
  (Optional) Select Negate to specify that the rule applies to any addresses except those specified.

Source User
  Specify one or more source users to which the DoS Protection policy rule applies:
  - any: Includes packets regardless of the source user.
  - pre-logon: Includes packets from remote users that are connected to the network using GlobalProtect, but are not logged in to their system. When pre-logon is configured on the Portal for GlobalProtect clients, any user who is not currently logged in to their machine will be identified with the username pre-logon. You can then create policies for pre-logon users and, although the user is not directly logged in, their machines are authenticated on the domain as if they were fully logged in.
  - known-user: Includes all authenticated users, which means any IP address with user data mapped. This option is equivalent to the domain users group on a domain.
  - unknown: Includes all unauthenticated users, which means IP addresses that are not mapped to a user. For example, you could use unknown for guest-level access to something because they will have an IP address on your network, but will not be authenticated to the domain and will not have IP address-to-username mapping information on the firewall.
  - Select: Includes users specified in this window. For example, you can select one user, a list of individuals, some groups, or manually add users.
  If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server and not from the User-ID agent, the list of users does not display; you must enter user information manually.

Destination Address
  Select Any or Add and specify one or more destination addresses to which the DoS Protection policy rule applies.
  (Optional) Select Negate to specify that the rule applies to any addresses except those specified.

Schedule
  Specify the schedule when the DoS Protection policy rule is in effect. The default setting of None indicates no schedule; the policy is always in effect. Alternatively, select a schedule or create a new schedule to control when the DoS Protection policy rule is in effect. Enter a Name for the schedule. Select Shared to share this schedule with every virtual system on a multiple virtual system firewall. Select a Recurrence of Daily, Weekly, or Non-recurring. Add a Start Time and End Time in hours:minutes, based on a 24-hour clock.

Log Forwarding
  If you want to trigger forwarding of threat log entries for matched traffic to an external service, such as to a syslog server or Panorama, select a Log Forwarding profile or click Profile to create a new one.
  Only traffic that matches an action in the rule will be logged and forwarded.

Aggregate
  Select an Aggregate DoS Protection profile that specifies the threshold rates at which the incoming connections per second trigger an alarm, activate an action, and exceed a maximum rate. All incoming connections (the aggregate) count toward the thresholds specified in an Aggregate DoS Protection profile. An Aggregate profile setting of None means there are no threshold settings in place for the aggregate traffic. See Objects > Security Profiles > DoS Protection.

Classified
  Select this option and specify the following:
  - Profile: Select a Classified DoS Protection profile to apply to this rule.
  - Address: Select whether incoming connections count toward the thresholds in the profile if they match the source-ip-only, destination-ip-only, or src-dest-ip-both.
  If you specify a Classified DoS Protection profile, only the incoming connections that match a source IP address, destination IP address, or source and destination IP address pair count toward the thresholds specified in the profile. For example, you can specify a Classified DoS Protection profile with a Max Rate of 100 cps, and specify an Address setting of source-ip-only in the rule. The result would be a limit of 100 connections per second for that particular source IP address.
  See Objects > Security Profiles > DoS Protection.
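The difference between an Aggregate profile and a Classified profile with an Address setting is easiest to see by replaying a burst against each. The toy model below is an added example, not the firewall's implementation or any Palo Alto Networks code: it models only the Max Rate threshold, counts new connections in whole-second windows, and uses constructed source/destination addresses.

```python
"""Toy model of Aggregate vs Classified DoS Protection counting.

Added example; this is not the firewall's implementation. It models only the
Max Rate threshold and the rule's Address setting, counting new connections in
whole-second windows. The source/destination addresses below are constructed
test values.
"""
from collections import defaultdict


class DoSThreshold:
    """Counts incoming connections per second against a Max Rate.

    address selects what the count is keyed on:
      "aggregate"           all connections matching the rule (Aggregate profile)
      "source-ip-only"      one counter per source IP (Classified profile)
      "destination-ip-only" one counter per destination IP (Classified profile)
      "src-dest-ip-both"    one counter per (source, destination) pair
    """

    def __init__(self, max_rate, address="aggregate"):
        self.max_rate = max_rate
        self.address = address
        self._window = None               # whole second currently being counted
        self._counts = defaultdict(int)   # key -> connections seen this second

    def _key(self, src, dst):
        if self.address == "aggregate":
            return "*"
        if self.address == "source-ip-only":
            return src
        if self.address == "destination-ip-only":
            return dst
        if self.address == "src-dest-ip-both":
            return (src, dst)
        raise ValueError("unknown Address setting: %s" % self.address)

    def admit(self, ts, src, dst):
        """Return True if this new connection stays within Max Rate, else False."""
        second = int(ts)
        if second != self._window:        # a new one-second window: reset counters
            self._window = second
            self._counts.clear()
        key = self._key(src, dst)
        if self._counts[key] >= self.max_rate:
            return False                  # over the rate: the connection is dropped
        self._counts[key] += 1
        return True


def simulate(threshold, events):
    """Replay (ts, src, dst) events; return {src: (allowed, dropped)} per source IP."""
    result = defaultdict(lambda: [0, 0])
    for ts, src, dst in events:
        idx = 0 if threshold.admit(ts, src, dst) else 1
        result[src][idx] += 1
    return {src: tuple(v) for src, v in result.items()}


def sample_events():
    """Constructed burst: 150 connections from 10.0.0.1 and 50 from 10.0.0.2,
    all to 192.0.2.10, within the same second."""
    burst = [(0.001 * i, "10.0.0.1", "192.0.2.10") for i in range(150)]
    burst += [(0.5 + 0.001 * i, "10.0.0.2", "192.0.2.10") for i in range(50)]
    return burst


if __name__ == "__main__":
    # Aggregate profile, Max Rate 100 cps: every connection counts toward one threshold,
    # so the second source is starved by the first.
    print("aggregate      ", simulate(DoSThreshold(100, "aggregate"), sample_events()))
    # Classified profile, Max Rate 100 cps, Address source-ip-only: 100 cps per source,
    # so only the noisy source is limited.
    print("source-ip-only ", simulate(DoSThreshold(100, "source-ip-only"), sample_events()))
```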
Move, Clone, Override, or Revert Objects
See the following topics for options to modify existing objects:
- Move or Clone an Object
- Override or Revert an Object

Move or Clone an Object
When moving or cloning objects, you can assign a Destination (a virtual system on a firewall or a device group on Panorama) for which you have access permissions, including the Shared location.
To move an object, select the object in the Objects tab, click Move, select Move to other vsys (firewall only) or Move to other device group (Panorama only), complete the fields in the following table, and then click OK.
To clone an object, select the object in the Objects tab, click Clone, complete the fields in the following table, and then click OK.

Move/Clone Settings

Selected Objects
  Displays the Name and current Location (virtual system or device group) of the policies or objects you selected for the operation.

Destination
  Select the new location for the policy or object: a virtual system, device group, or Shared. The default value is the Virtual System or Device Group that you selected in the Policies or Objects tab.

Error out on first detected error in validation
  Select this option (selected by default) to make the firewall or Panorama display the first error it finds and stop checking for more errors. For example, an error occurs if the Destination doesn't include an object that is referenced in the policy rule you are moving. If you clear this selection, the firewall or Panorama will find all errors before displaying them.

Override or Revert an Object
In Panorama, you can nest device groups in a tree hierarchy of up to four levels. At the bottom level, a device group can have parent, grandparent, and great-grandparent device groups at successively higher levels, collectively called ancestors, from which the bottom-level device group inherits policies and objects. At the top level, a device group can have child, grandchild, and great-grandchild device groups, collectively called descendants. You can override an object in a descendant so that its values differ from those in an ancestor. This override capability is enabled by default. However, you cannot override shared or default (preconfigured) objects. The web interface displays one icon to indicate an object has inherited values and a different icon to indicate an inherited object has overridden values.
- Override an object: Select the Objects tab, select the descendant Device Group that will have the overridden version, select the object, click Override, and edit the settings. You cannot override Name or Shared settings for an object.
- Revert an overridden object to its inherited values: Select the Objects tab, select the Device Group that has the overridden version, select the object, click Revert, and click Yes to confirm the operation.
- Disable overrides for an object: Select the Objects tab, select the Device Group where the object resides, click the object Name to edit it, select Disable override, and click OK. Overrides for that object are then disabled in all device groups that inherit the object from the selected Device Group.
- Replace all object overrides across Panorama with the values inherited from the Shared location or ancestor device groups: Select Panorama > Setup > Management, edit the Panorama Settings, select Ancestor Objects Take Precedence, and click OK. You must then commit to Panorama and to the device groups containing overrides to push the inherited values.
Objects > Addresses
An address object can include an IPv4 or IPv6 address (single IP, range, subnet) or a FQDN. It allows you to reuse the same object as a source or destination address across all the policy rulebases without having to add it manually each time. It is configured using the web interface or the CLI and a commit operation is required to make the object a part of the configuration.
To define an address object, click Add and fill in the following fields:

Address Object Settings

Name
  Enter a name that describes the addresses to be defined (up to 63 characters). This name appears in the address list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared
  Select this option if you want the address object to be available to:
  - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the address object will be available only to the Virtual System selected in the Objects tab.
  - Every device group on Panorama. If you clear this selection, the address object will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only)
  Select this option to prevent administrators from overriding the settings of this address object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Description
  Enter a description for the object (up to 255 characters).

Type
  Specify an IPv4 or IPv6 address or address range, or an FQDN.
  IP Netmask:
  Enter the IPv4 or IPv6 address or IP address range using the following notation:
    ip_address/mask or ip_address
  where the mask is the number of significant binary digits used for the network portion of the address. Ideally, for IPv6, you specify only the network portion, not the host portion.
  Examples:
    192.168.80.150/32 (indicates one address)
    192.168.80.0/24 (indicates all addresses from 192.168.80.0 through 192.168.80.255)
    2001:db8::/32
    2001:db8:123:1::/64
  IP Range:
  Enter a range of addresses using the following format:
    ip_address-ip_address
  where both addresses can be IPv4 or both can be IPv6.
  Example:
    2001:db8:123:1::1-2001:db8:123:1::22
  FQDN:
  To specify an address using the FQDN, select FQDN and enter the domain name.
  The FQDN initially resolves at commit time. Entries are subsequently refreshed when the firewall performs a check every 30 minutes; all changes in the IP address for the entries are picked up at the refresh cycle.
  The FQDN is resolved by the system DNS server or a Network > DNS Proxy object, if a proxy is configured.

Tags
  Select or enter the tags that you wish to apply to this address object. You can define a tag here or use the Objects > Tags tab to create new tags. For information on tags, see Objects > Tags.
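Scripts that create address objects through the XML API, or that lint an exported configuration, need to apply the same Name and Type rules the page describes before a commit does. The validator below is an added example (not the firewall's own validation code) covering the three value formats above; the sample values are constructed and the "host bits" note for IPv6 follows the page's guidance to specify only the network portion.

```python
"""Validation of address object values in the formats the Addresses page
accepts (IP Netmask, IP Range, FQDN) plus the Name rules. Added example, not
the firewall's own validator; the sample values used in the tests are
constructed.
"""
import ipaddress
import re

# Name: up to 63 characters; letters, numbers, spaces, hyphens, underscores.
NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,63}$")
# One DNS label: 1-63 alphanumerics/hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_name(name):
    """True if the object name satisfies the page's length and character rules."""
    return bool(NAME_RE.match(name))


def check_ip_netmask(value):
    """'ip_address/mask' or 'ip_address'. Returns (ok, normalized, note)."""
    try:
        iface = ipaddress.ip_interface(value)   # a bare address gets /32 or /128
    except ValueError as exc:
        return False, None, str(exc)
    note = ""
    # The page says IPv6 should carry only the network portion: flag host bits.
    if iface.version == 6 and iface.ip != iface.network.network_address:
        note = "IPv6 value has host bits set; specify only the network portion"
    return True, str(iface), note


def check_ip_range(value):
    """'ip_address-ip_address', both IPv4 or both IPv6, low address first."""
    if value.count("-") != 1:
        return False, None, "range must be two addresses separated by '-'"
    low, high = value.split("-")
    try:
        a = ipaddress.ip_address(low.strip())
        b = ipaddress.ip_address(high.strip())
    except ValueError as exc:
        return False, None, str(exc)
    if a.version != b.version:
        return False, None, "both addresses must be IPv4 or both IPv6"
    if a > b:
        return False, None, "first address must not be greater than the second"
    return True, "%s-%s" % (a, b), ""


def check_fqdn(value):
    """A domain name of at least two labels; resolution itself happens at commit."""
    name = value.rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return False, None, "FQDN needs at least two labels and at most 253 characters"
    if not all(LABEL_RE.match(label) for label in labels):
        return False, None, "labels may contain only letters, digits and inner hyphens"
    return True, name.lower(), ""


CHECKS = {"ip-netmask": check_ip_netmask, "ip-range": check_ip_range, "fqdn": check_fqdn}


def validate_address_object(type_, value):
    """Dispatch on the Type chosen on the page. Returns (ok, normalized, note)."""
    if type_ not in CHECKS:
        return False, None, "unknown address object type %r" % type_
    return CHECKS[type_](value.strip())


if __name__ == "__main__":
    for type_, value in [("ip-netmask", "192.168.80.0/24"),
                         ("ip-netmask", "2001:db8:123:1::1/64"),
                         ("ip-range", "2001:db8:123:1::1-2001:db8:123:1::22"),
                         ("ip-range", "10.0.0.1-2001:db8::1"),
                         ("fqdn", "www.example.com")]:
        print(type_, value, "->", validate_address_object(type_, value))
```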
Objects > Address Groups
To simplify the creation of security policies, addresses that require the same security settings can be combined into address groups. An address group can be static or dynamic.
- Dynamic Address Groups: A dynamic address group populates its members dynamically using lookups for tags and tag-based filters. Dynamic address groups are very useful if you have an extensive virtual infrastructure where changes in virtual machine location/IP address are frequent. For example, you have a sophisticated failover setup or provision new virtual machines frequently and would like to apply policy to traffic from or to the new machine without modifying the configuration/rules on the firewall.
  To use a dynamic address group in policy you must complete the following tasks:
  - Define a dynamic address group and reference it in a policy rule.
  - Notify the firewall of the IP addresses and the corresponding tags, so that members of the dynamic address group can be formed. You can do this using external scripts that use the XML API on the firewall or, for a VMware-based environment, you can select Device > VM Information Sources to configure settings on the firewall.
  Dynamic address groups can also include statically defined address objects. If you create an address object and apply the same tags that you have assigned to a dynamic address group, that dynamic address group will include all static and dynamic objects that match the tags. You can, therefore, use tags to pull together both dynamic and static objects in the same address group.
- Static Address Groups: A static address group can include address objects that are static, dynamic address groups, or it can be a combination of both address objects and dynamic address groups.
To create an address group, click Add and fill in the following fields:

Address Group Settings

Name
  Enter a name that describes the address group (up to 63 characters). This name appears in the address list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared
  Select this option if you want the address group to be available to:
  - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the address group will be available only to the Virtual System selected in the Objects tab.
  - Every device group on Panorama. If you clear this selection, the address group will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only)
  Select this option to prevent administrators from overriding the settings of this address group object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Description
  Enter a description for the object (up to 255 characters).

Type
  Select Static or Dynamic.
  To create a dynamic address group, use the match criteria to assemble the members to be included in the group. Define the Match criteria using the AND or OR operators.
  To view the list of attributes for the match criteria, you must have configured the firewall to access and retrieve the attributes from the source/host. Each virtual machine on the configured information source(s) is registered with the firewall and the firewall can poll the machine to retrieve changes in IP address or configuration without any modifications on the firewall.
  For a static address group, click Add and select one or more Addresses. Click Add to add an object or an address group to the address group. The group can contain address objects, and both static and dynamic address groups.

Tags
  Select or enter the tags that you wish to apply to this address group. For information on tags, see Objects > Tags.

Members Count and Address
  After you add an address group, the Members Count column on the Objects > Address Groups page indicates whether the objects in the group are populated dynamically or statically.
  - For a static address group, you can view the count of the members in the address group.
  - For an address group that uses tags to dynamically populate members or has both static and dynamic members, to view the members, click the More... link in the Address column. You can now view the IP addresses that are registered to the address group.
    - Type indicates whether the IP address is a static address object or being dynamically registered and displays the IP address.
    - Action allows you to Unregister Tags from an IP address. Click the link to Add the registration source and specify the tags to unregister.
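The membership rules above (AND/OR match criteria evaluated over tags registered for IP addresses, plus static address objects that carry the same tags, and Unregister Tags removing an IP from the group) can be modelled in a few dozen lines. This is an added example, not the firewall's implementation: the criteria syntax with quoted tag names and `and`/`or`/parentheses, the registered IPs, the object names and the tags are all constructed for illustration.

```python
"""Evaluates a dynamic address group's match criteria against the tags the
firewall has registered for IP addresses (via the XML API or a VM Information
Source) and against statically defined address objects that carry tags.

Added example; not the firewall's implementation. The criteria syntax
("'web' and ('prod' or 'staging')"), tag names, IPs and object names below are
constructed.
"""
import re

# A token is a quoted tag, a parenthesis, or an and/or operator.
TOKEN_RE = re.compile(r"\s*(?:('[^']*')|(\(|\))|(and|or))\s*", re.IGNORECASE)


def tokenize(criteria):
    """Split "'web' and ('prod' or 'staging')" into (kind, value) tokens."""
    pos, tokens = 0, []
    while pos < len(criteria):
        m = TOKEN_RE.match(criteria, pos)
        if not m:
            raise ValueError("bad match criteria near: %r" % criteria[pos:])
        tag, paren, op = m.groups()
        if tag:
            tokens.append(("tag", tag[1:-1]))
        elif paren:
            tokens.append(("paren", paren))
        else:
            tokens.append(("op", op.lower()))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent parser; AND binds tighter than OR, parentheses group."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == ("op", "or"):
            self.take()
            right = self.parse_and()
            left = (lambda l, r: lambda tags: l(tags) or r(tags))(left, right)
        return left

    def parse_and(self):
        left = self.parse_atom()
        while self.peek() == ("op", "and"):
            self.take()
            right = self.parse_atom()
            left = (lambda l, r: lambda tags: l(tags) and r(tags))(left, right)
        return left

    def parse_atom(self):
        kind, val = self.take()
        if kind == "tag":
            return lambda tags, t=val: t in tags
        if kind == "paren" and val == "(":
            inner = self.parse_or()
            if self.take() != ("paren", ")"):
                raise ValueError("missing ')' in match criteria")
            return inner
        raise ValueError("unexpected token %r in match criteria" % (val,))


def compile_criteria(criteria):
    """Return a function tags -> bool for the group's Match criteria."""
    parser = _Parser(tokenize(criteria.strip()))
    matcher = parser.parse_or()
    if parser.i != len(parser.tokens):
        raise ValueError("unexpected trailing tokens in match criteria")
    return matcher


def members(criteria, registered, static_objects):
    """Resolve the group: registered IPs (dynamic) and tagged address objects (static).

    registered:     {ip: set(tags)} as pushed via the XML API / VM Information Source
    static_objects: {name: {"value": "<ip-netmask>", "tags": set(tags)}}
    """
    matches = compile_criteria(criteria)
    return {
        "dynamic": sorted(ip for ip, tags in registered.items() if matches(tags)),
        "static": sorted(o["value"] for o in static_objects.values() if matches(o["tags"])),
    }


def unregister_tags(registered, ip, tags):
    """Mirror the Unregister Tags action: drop tags from an IP; forget it once untagged."""
    remaining = registered.get(ip, set()) - set(tags)
    if remaining:
        registered[ip] = remaining
    else:
        registered.pop(ip, None)
    return registered


def sample_inventory():
    """Constructed registrations and static objects for the examples."""
    registered = {"10.1.1.10": {"web", "prod"}, "10.1.1.11": {"web", "staging"},
                  "10.1.2.20": {"db", "prod"}}
    static_objects = {"legacy-web": {"value": "192.0.2.5/32", "tags": {"web", "prod"}},
                      "jump-host": {"value": "192.0.2.9/32", "tags": {"admin"}}}
    return registered, static_objects
```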
Objects > Regions
The firewall supports creation of policy rules that apply to specified countries or other regions. The region is available as an option when specifying source and destination for security policies, decryption policies, and DoS policies. You can choose from a standard list of countries or use the region settings described in this section to define custom regions to include as options for Security policy rules.
The following table describes the region settings:

Region Settings

Name
  Enter a name that describes the region (up to 31 characters). This name appears in the address list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Geo Location
  To specify latitude and longitude, select this option and specify the values (xxx.xxxxxx format). This information is used in the traffic and threat maps for App-Scope. Refer to Monitor > Logs.

Addresses
  Specify an IP address, range of IP addresses, or subnet to identify the region, using any of the following formats:
    x.x.x.x
    x.x.x.x-y.y.y.y
    x.x.x.x/n
Objects > Applications
What are you looking for?
- Understand the application settings and attributes displayed on the Applications page: see Applications Overview and Actions Supported on Applications.
- Add a new application or modify an existing application: see Defining Applications.
Applications Overview
The Applications page lists various attributes of each application definition, such as the application's relative security risk (1 to 5). The risk value is based on criteria such as whether the application can share files, is prone to misuse, or tries to evade firewalls. Higher values indicate higher risk.
The top application browser area of the page lists the attributes that you can use to filter the display as follows. The number to the left of each entry represents the total number of applications with that attribute.
Weekly content releases periodically include new decoders and contexts for which you can develop signatures.
The following table describes application details; custom applications and Palo Alto Networks applications might display some or all of these fields.

Application Details

Name
  Name of the application.

Description
  Description of the application (up to 255 characters).

Additional Information
  Links to web sources (Wikipedia, Google, and Yahoo!) that contain additional information about the application.

Standard Ports
  Ports that the application uses to communicate with the network.

Depends on
  List of other applications that are required for this application to run. When creating a policy rule to allow the selected application, you must also be sure that you are allowing any other applications that the application depends on.

Implicitly Uses
  Other applications that the selected application depends on but that you do not need to add to your Security policy rules to allow the selected application because those applications are supported implicitly.

Previously Identified As
  For a new App-ID, or App-IDs that are changed, this indicates what the application was previously identified as. This helps you assess whether policy changes are required based on changes in the application. If an App-ID is disabled, sessions associated with that application will match policy as the previously-identified-as application. Similarly, disabled App-IDs will appear in logs as the application they were previously identified as.

Deny Action
  App-IDs are developed with a default deny action that dictates how the firewall responds when the application is included in a Security policy rule with a deny action. The default deny action can specify either a silent drop or a TCP reset. You can override this default action in Security policy.

Characteristics

Evasive
  Uses a port or protocol for something other than its originally intended purpose with the hope that it will traverse a firewall.

Excessive Bandwidth
  Consumes at least 1 Mbps on a regular basis through normal use.

Prone to Misuse
  Often used for nefarious purposes or is easily set up to expose more than the user intended.

SaaS
  On the firewall, Software as a Service (SaaS) is characterized as a service where the software and infrastructure are owned and managed by the application service provider but where you retain full control of the data, including who can create, access, share, and transfer the data. Keep in mind that in the context of how an application is characterized, SaaS applications differ from web services. Web services are hosted applications where either the user doesn't own the data (for example, Pandora) or where the service is primarily comprised of sharing data fed by many subscribers for social purposes (for example, LinkedIn, Twitter, or Facebook).

Capable of File Transfer
  Has the capability to transfer a file from one system to another over a network.

Tunnels Other Applications
  Is able to transport other applications inside its protocol.

Used by Malware
  Malware has been known to use the application for propagation, attack, or data theft, or is distributed with malware.

Has Known Vulnerabilities
  Has publicly reported vulnerabilities.

Widely used
  Likely has more than 1,000,000 users.

Continue Scanning for Other Applications
  Instructs the firewall to continue to try and match against other application signatures. If you do not select this option, the firewall stops looking for additional application matches after the first matching signature.

Classification

Category
  The application category will be one of the following:
  - business-systems
  - collaboration
  - general-internet
  - media
  - networking
  - unknown

Subcategory
  The subcategory in which the application is classified. Different categories have different subcategories associated with them. For example, subcategories in the collaboration category include email, file-sharing, instant-messaging, internet-conferencing, social-business, social-networking, voip-video, and web-posting, whereas subcategories in the business-systems category include auth-service, database, erp-crm, general-business, management, office-programs, software-update, and storage-backup.

Technology
  The application technology will be one of the following:
  - client-server: An application that uses a client-server model where one or more clients communicate with a server in the network.
  - network-protocol: An application that is generally used for system-to-system communication that facilitates network operation. This includes most of the IP protocols.
  - peer-to-peer: An application that communicates directly with other clients to transfer information instead of relying on a central server to facilitate the communication.
  - browser-based: An application that relies on a web browser to function.

Risk
  Assigned risk of the application.
  To customize this setting, click the Customize link, enter a value (1-5), and click OK.

Options

Session Timeout
  Period of time, in seconds, required for the application to time out due to inactivity (range is 1-604800 seconds). This timeout is for protocols other than TCP or UDP. For TCP and UDP, refer to the next rows in this table.
  To customize this setting, click the Customize link, enter a value, and click OK.

TCP Timeout (seconds)
  Timeout, in seconds, for terminating a TCP application flow (range is 1-604800).
  To customize this setting, click the Customize link, enter a value, and click OK.
  A value of 0 indicates that the global session timer will be used, which is 3600 seconds for TCP.

UDP Timeout (seconds)
  Timeout, in seconds, for terminating a UDP application flow (range is 1-604800 seconds).
  To customize this setting, click the Customize link, enter a value, and click OK.

TCP Half Closed (seconds)
  Maximum length of time, in seconds, that a session remains in the session table between receiving the first FIN packet and receiving the second FIN packet or RST packet. If the timer expires, the session is closed (range is 1-604800).
  Default: If this timer is not configured at the application level, the global setting is used.
  If this value is configured at the application level, it overrides the global TCP Half Closed setting.

TCP Time Wait (seconds)
  Maximum length of time, in seconds, that a session remains in the session table after receiving the second FIN packet or a RST packet. If the timer expires, the session is closed (range is 1-600).
  Default: If this timer is not configured at the application level, the global setting is used.
  If this value is configured at the application level, it overrides the global TCP Time Wait setting.

App-ID Enabled
  Indicates whether the App-ID is enabled or disabled. If an App-ID is disabled, traffic for that application will be treated as the Previously Identified As App-ID in both Security policy and in logs. For applications added after content release version 490, you have the ability to disable them while you review the policy impact of the new app. After reviewing policy, you may choose to enable the App-ID. You also have the ability to disable an application that you have previously enabled. On a multi-vsys firewall, you can disable App-IDs separately in each virtual system.

When the firewall is not able to identify an application using the App-ID, the traffic is classified as unknown: unknown-tcp or unknown-udp. This behavior applies to all unknown applications except those that fully emulate HTTP. For more information, refer to Monitor > Botnet.
You can create new definitions for unknown applications and then define security policies for the new application definitions. In addition, applications that require the same security settings can be combined into application groups to simplify the creation of security policies.
Actions Supported on Applications
You can perform any of the following actions on this page:

Actions Supported for Applications

Filter by application
  To search for a specific application, enter the application name or description in the Search field and press Enter. The drop-down to the right of the search box allows you to search or filter for a specific application or view All applications, Custom applications, Disabled applications, or Tagged applications.
  The application is listed and the filter columns are updated to show statistics for the applications that matched the search. A search will match partial strings. When you define security policies, you can write rules that apply to all applications that match a saved filter. Such rules are dynamically updated when a new application is added through a content update that matches the filter.
  To filter by application attributes displayed on the page, click an item that you want to use as a basis for filtering. For example, to restrict the list to the collaboration category, click collaboration and the list will only show applications in this category.
  To filter on additional columns, select an entry in the other columns. The filtering is successive: first Category filters are applied, then Subcategory filters, then Technology filters, then Risk filters, and finally Characteristic filters. For example, if you apply a Category, Subcategory, and Risk filter, the Technology column is automatically restricted to the technologies that are consistent with the selected Category and Subcategory, even though a Technology filter has not been explicitly applied. Each time you apply a filter, the list of applications in the lower part of the page automatically updates. To create a new application filter, see Objects > Application Filters.

Add a new application
  To add a new application, see Defining Applications.

View and/or customize application details
  Click the application name link to view the application description, including the standard port, characteristics, and risk of the application, among other details. For details on the application settings, see Defining Applications.
  If the icon to the left of the application name has a yellow pencil, the application is a custom application.

Disable an application
  You can Disable an application (or several applications) so that the application signature is not matched against traffic. Security rules defined to block, allow, or enforce a matching application are not applied to the application traffic when the app is disabled. You might choose to disable an application that is included with a new content release version because policy enforcement for the application might change when the application is uniquely identified. For example, an application that is identified as web-browsing traffic is allowed by the firewall prior to a new content version installation; after installing the content update, the uniquely identified application no longer matches the Security rule that allows web-browsing traffic. In this case, you could choose to disable the application so that traffic matched to the application signature continues to be classified as web-browsing traffic and is allowed.

Enable an application
  Select a disabled application and Enable the application so that it can be enforced according to your configured security policies.

Import an application
  To import an application, click Import. Browse to select the file, and select the target virtual system from the Destination drop-down.

Export an application
  To export an application, select this option for the application and click Export. Follow the prompts to save the file.

Tag an application
  A predefined tag named sanctioned is available for you to tag SaaS applications. While a SaaS application is an application that is identified as SaaS=yes in the details on application characteristics, you can use the sanctioned tag on any application.
  Select an application, click Tag Application, and, from the drop-down, select the predefined Sanctioned tag to identify any application that you want to explicitly allow on your network. When you then generate the SaaS Application Usage Report (see Monitor > PDF Reports > SaaS Application Usage), you can compare statistics on the applications that you have sanctioned versus unsanctioned SaaS applications that are being used on your network.
  When you tag an application as sanctioned, the following restrictions apply:
  - The sanctioned tag cannot be applied to an application group.
  - The sanctioned tag cannot be applied at the Shared level; you can tag an application only per device group or per virtual system.
  - The sanctioned tag cannot be used to tag applications included in a container app, such as facebook-mail, which is part of the facebook container app.
  You can also Remove tag or Override tag. The override option is only available on a firewall that has inherited settings from a device group pushed from Panorama.
Defining Applications

New Application Settings

Configuration Tab

Name
  Enter the application name (up to 31 characters). This name appears in the applications list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, periods, hyphens, and underscores. The first character must be a letter.

Shared
  Select this option if you want the application to be available to:
  - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the application will be available only to the Virtual System selected in the Objects tab.
  - Every device group on Panorama. If you clear this selection, the application will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only)
  Select this option to prevent administrators from overriding the settings of this application object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Description
  Enter a description of the application for general reference (up to 255 characters).

Category
  Select the application category, such as email or database. The category is used to generate the Top Ten Application Categories chart and is available for filtering (refer to ACC).

Subcategory
  Select the application subcategory, such as email or database. The subcategory is used to generate the Top Ten Application Categories chart and is available for filtering (refer to ACC).

Technology
  Select the technology for the application.

Parent App
  Specify a parent application for this application. This setting applies when a session matches both the parent and the custom applications; however, the custom application is reported because it is more specific.

Risk
  Select the risk level associated with this application (1=lowest to 5=highest).

Characteristics
  Select the application characteristics that may place the application at risk. For a description of each characteristic, refer to Characteristics.

Advanced Tab

Port
  If the protocol used by the application is TCP and/or UDP, select Port and enter one or more combinations of the protocol and port number (one entry per line). The general format is:
    <protocol>/<port>
  where the <port> is a single port number, or dynamic for dynamic port assignment.
  Examples: TCP/dynamic or UDP/32.
  This setting applies when using app-default in the Service column of a Security rule.

ICMP Type
  To specify an Internet Control Message Protocol version 4 (ICMP) type, select ICMP Type and enter the type number (range is 0-255).

ICMP6 Type
  To specify an Internet Control Message Protocol version 6 (ICMPv6) type, select ICMP6 Type and enter the type number (range is 0-255).

None
  To specify signatures independent of protocol, select None.

Timeout
  Enter the number of seconds before an idle application flow is terminated (range is 0-604800 seconds). A zero indicates that the default timeout of the application will be used. This value is used for protocols other than TCP and UDP in all cases and for TCP and UDP timeouts when the TCP timeout and UDP timeout are not specified.

TCP Timeout
  Enter the number of seconds before an idle TCP application flow is terminated (range is 0-604800 seconds). A zero indicates that the default timeout of the application will be used.

UDP Timeout
  Enter the number of seconds before an idle UDP application flow is terminated (range is 0-604800 seconds). A zero indicates that the default timeout of the application will be used.

TCP Half Closed
  Enter the maximum length of time that a session remains in the session table, between receiving the first FIN and receiving the second FIN or RST. If the timer expires, the session is closed.
  Default: If this timer is not configured at the application level, the global setting is used (range is 1-604800 seconds).
  If this value is configured at the application level, it overrides the global TCP Half Closed setting.

TCP Time Wait
  Enter the maximum length of time that a session remains in the session table after receiving the second FIN or a RST. If the timer expires, the session is closed.
  Default: If this timer is not configured at the application level, the global setting is used (range is 1-600 seconds).
  If this value is configured at the application level, it overrides the global TCP Time Wait setting.

Scanning
  Select the scanning types that you want to allow based on Security Profiles (file types, data patterns, and viruses).

Signature Tab

Signatures
  Click Add to add a new signature, and specify the following information:
  - Signature Name: Enter a name to identify the signature.
  - Comment: Enter an optional description.
  - Scope: Select whether to apply this signature only to the current Transaction or to the full user Session.
  - Ordered Condition Match: Select if the order in which signature conditions are defined is important.
  Specify the conditions that identify the signature. These conditions are used to generate the signature that the firewall uses to match the application patterns and control traffic:
  - To add a condition, select Add AND Condition or Add OR Condition. To add a condition within a group, select the group and then click Add Condition.
  - Select an Operator from the drop-down. The options are Pattern Match, Greater Than, Less Than, and Equal To; specify the following options:
    (For Pattern Match only)
    - Context: Select from the available contexts. These contexts are updated using dynamic content updates.
    - Pattern: Specify a regular expression to specify unique string context values that apply to the custom application. Perform a packet capture to identify the context. See Pattern Rules Syntax for pattern rules for regular expressions.
    (For Greater Than, Less Than)
    - Context: Select from the available contexts. These contexts are updated using dynamic content updates.
    - Value: Specify a value to match on (range is 0-4294967295).
    - Qualifier and Value: (Optional) Add qualifier/value pairs.
    (For Equal To only)
    - Context: Select from unknown requests and responses for TCP or UDP (for example, unknown-req-tcp) or additional contexts that are available through dynamic content updates (for example, dnp3-req-func-code).
    For unknown requests and responses for TCP or UDP, specify:
    - Position: Select between the first four or second four bytes in the payload.
    - Mask: Specify a 4-byte hex value, for example, 0xffffff00.
    - Value: Specify a 4-byte hex value, for example, 0xaabbccdd.
    For all other contexts, specify a Value that is pertinent to the application.
  - To move a condition within a group, select the condition and Move Up or Move Down. To move a group, select the group and Move Up or Move Down. You cannot move conditions from one group to another.
  It is not required to specify signatures for the application if the application is used only for application override rules.
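Before committing a custom App-ID, it helps to check the signature logic against a captured request. The evaluator below is an added example (not the firewall's matching engine) of the four operators on the Signature tab: Equal To on unknown-req-tcp with Position, Mask and Value over four payload bytes; Pattern Match as a regular expression over a context; Greater Than / Less Than on a numeric context; and AND/OR groups with Ordered Condition Match. The payload, the numeric context name req-length, and the use of unknown-req-tcp as the Pattern Match context are constructed assumptions for this example.

```python
"""Evaluates custom application signature conditions of the kinds the
Signature tab defines: Pattern Match (regex on a context), Equal To on
unknown-req-tcp (Position, Mask, Value over 4 bytes of payload), Greater Than /
Less Than on a numeric context, combined in AND/OR groups with optional
Ordered Condition Match.

Added example; not the firewall's matching engine. The payload, the numeric
context "req-length", and using unknown-req-tcp as a Pattern Match context
are constructed for illustration.

Every match() returns the payload offset of the match, or None for no match.
"""
import re


class EqualTo:
    """Equal To on unknown-req-tcp: compare 4 masked payload bytes to Value."""
    positional = True

    def __init__(self, position, mask, value):
        assert position in ("first-4", "second-4")
        self.offset = 0 if position == "first-4" else 4
        self.mask, self.value = mask, value

    def match(self, ctx):
        word = ctx.get("unknown-req-tcp", b"")[self.offset:self.offset + 4]
        if len(word) < 4:                       # too short to hold the 4-byte field
            return None
        if int.from_bytes(word, "big") & self.mask == self.value & self.mask:
            return self.offset
        return None


class PatternMatch:
    """Pattern Match: regular expression (bytes) searched in a context."""
    positional = True

    def __init__(self, context, pattern):
        self.context, self.regex = context, re.compile(pattern)

    def match(self, ctx):
        m = self.regex.search(ctx.get(self.context, b""))
        return m.start() if m else None


class Compare:
    """Greater Than / Less Than on a numeric context (range 0-4294967295)."""
    positional = False                          # not tied to a payload position

    def __init__(self, op, context, value):
        assert op in ("greater-than", "less-than")
        self.op, self.context, self.value = op, context, value

    def match(self, ctx):
        actual = ctx.get(self.context)
        if actual is None:
            return None
        ok = actual > self.value if self.op == "greater-than" else actual < self.value
        return 0 if ok else None


class Group:
    """AND / OR condition group. With ordered=True (Ordered Condition Match) an
    AND group also requires its positional conditions to match at non-decreasing
    payload offsets, i.e. in the order they are defined."""
    positional = True

    def __init__(self, op, conditions, ordered=False):
        assert op in ("and", "or")
        self.op, self.conditions, self.ordered = op, list(conditions), ordered

    def match(self, ctx):
        offsets = [c.match(ctx) for c in self.conditions]
        if self.op == "or":
            hits = [o for o in offsets if o is not None]
            return min(hits) if hits else None
        if any(o is None for o in offsets):
            return None
        anchored = [o for c, o in zip(self.conditions, offsets) if c.positional]
        if self.ordered and anchored != sorted(anchored):
            return None
        return min(offsets)


def signature_matches(signature, ctx):
    return signature.match(ctx) is not None


# Constructed request of a made-up protocol: 4-byte magic, 4-byte length, text.
PAYLOAD = b"\xaa\xbb\xcc\x99\x00\x00\x00\x10CUSTOM-PROTO/1.0 HELLO\r\n"


def contexts_for(payload):
    """Toy context extraction: raw payload plus a numeric request length."""
    return {"unknown-req-tcp": payload, "req-length": len(payload)}


def example_signature(ordered=True):
    """Magic bytes (low byte masked off) AND version string AND minimum length."""
    return Group("and", [
        EqualTo("first-4", 0xffffff00, 0xaabbccdd),
        PatternMatch("unknown-req-tcp", rb"CUSTOM-PROTO/1\.[0-9]"),
        Compare("greater-than", "req-length", 16),
    ], ordered=ordered)


if __name__ == "__main__":
    print("matches:", signature_matches(example_signature(), contexts_for(PAYLOAD)))
```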
Objects > Application Groups
To simplify the creation of security policies, applications requiring the same security settings can be combined by creating an application group. (To define a new application, refer to Defining Applications.)

New Application Group Settings

Name
  Enter a name that describes the application group (up to 31 characters). This name appears in the application list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared
  Select this option if you want the application group to be available to:
  - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the application group will be available only to the Virtual System selected in the Objects tab.
  - Every device group on Panorama. If you clear this selection, the application group will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only)
  Select this option to prevent administrators from overriding the settings of this application group object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Applications
  Click Add and select applications, application filters, and/or other application groups to be included in this group.
Objects > Application Filters
Application filters help to simplify repeated searches. To define an application filter, Add and enter a name for your new filter. In the upper area of the window, click an item that you want to use as a basis for filtering. For example, to restrict the list to the Collaboration category, click collaboration.
To filter on additional columns, select an entry in the columns. The filtering is successive: category filters are applied first, followed by subcategory filters, technology filters, risk filters, and then characteristic filters.
As you select filters, the list of applications that display on the page is automatically updated.
Objects > Services
When you define security policies for specific applications, you can select one or more services to limit the port numbers the applications can use. The default service is any, which allows all TCP and UDP ports. The HTTP and HTTPS services are predefined, but you can add additional service definitions. Services that are often assigned together can be combined into service groups to simplify the creation of security policies (refer to Objects > Service Groups).
The following table describes the service settings:
Name
    Enter the service name (up to 63 characters). This name appears in the services list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description
    Enter a description for the service (up to 255 characters).
Shared
    Select this option if you want the service object to be available to:
    - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the service object will be available only to the Virtual System selected in the Objects tab.
    - Every device group on Panorama. If you clear this selection, the service object will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only)
    Select this option to prevent administrators from overriding the settings of this service object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
Protocol
    Select the protocol used by the service (TCP or UDP).
Destination Port
    Enter the destination port number (0 to 65535) or range of port numbers (port1-port2) used by the service. Multiple ports or ranges must be separated by commas. The destination port is required.
Source Port
    Enter the source port number (0 to 65535) or range of port numbers (port1-port2) used by the service. Multiple ports or ranges must be separated by commas. The source port is optional.
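The port syntax above (single ports, port1-port2 ranges, comma-separated lists, required destination, optional source) is easy to get subtly wrong when services are generated by scripts. The following is an added example, not code from the PAN-OS guide or the firewall, that parses that syntax and tests a flow against a service object; the class and function names and the sample services are illustrative.

```python
"""Added example (not from the PAN-OS guide): parse the Destination Port /
Source Port syntax described above and test whether a flow's protocol and
ports match a service object.  Names and sample objects are illustrative."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]


def parse_ports(spec: str) -> List[PortRange]:
    """Parse "80,443,8000-8080" into inclusive (low, high) ranges.
    Each port must be 0-65535 and each range must have low <= high."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry in %r" % spec)
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(item)
        if not (0 <= lo <= hi <= 65535):
            raise ValueError("bad port entry %r" % item)
        ranges.append((lo, hi))
    return ranges


@dataclass
class Service:
    name: str
    protocol: str                          # "tcp" or "udp"
    destination: List[PortRange]           # required
    source: Optional[List[PortRange]] = None   # optional, as in the UI

    @classmethod
    def create(cls, name: str, protocol: str, dest_spec: str, src_spec: str = None):
        if len(name) > 63:
            raise ValueError("service name longer than 63 characters")
        if protocol not in ("tcp", "udp"):
            raise ValueError("protocol must be tcp or udp")
        if not dest_spec:
            raise ValueError("destination port is required")
        return cls(name, protocol, parse_ports(dest_spec),
                   parse_ports(src_spec) if src_spec else None)


def _in_ranges(port: int, ranges: List[PortRange]) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


def service_matches(svc: Service, protocol: str, dport: int, sport: int) -> bool:
    """A flow matches when protocol and destination port match and, only if
    the service restricts source ports, the source port matches too."""
    if protocol != svc.protocol or not _in_ranges(dport, svc.destination):
        return False
    return svc.source is None or _in_ranges(sport, svc.source)


# Constructed sample objects (not the predefined PAN-OS services).
WEB_ALT = Service.create("web-alt", "tcp", "80,443,8000-8080")
DNS_FROM_HIGH = Service.create("dns-high-src", "udp", "53", "1024-65535")
```

Restricting the source port, as DNS_FROM_HIGH does, is only meaningful for clients that cannot choose their source port; it is not a substitute for matching the application.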
Objects > Service Groups
To simplify the creation of security policies, you can combine services that have the same security settings into service groups. To define new services, refer to Objects > Services.
The following table describes the service group settings:
Name
    Enter the service group name (up to 63 characters). This name appears in the services list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Shared
    Select this option if you want the service group to be available to:
    - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the service group will be available only to the Virtual System selected in the Objects tab.
    - Every device group on Panorama. If you clear this selection, the service group will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only)
    Select this option to prevent administrators from overriding the settings of this service group object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
Service
    Click Add to add services to the group. Select from the drop-down or click Service at the bottom of the drop-down and specify the settings. Refer to Objects > Services for a description of the settings.
Objects > Tags
Tags allow you to group objects using keywords or phrases. Tags can be applied to address objects, address groups (static and dynamic), zones, services, service groups, and to policy rules. You can use a tag to sort or filter objects, and to visually distinguish objects because they can have color. When a color is applied to a tag, the Policy tab displays the object with a background color.
A predefined tag named Sanctioned is available for tagging applications (Objects > Applications). This tag is required for the Monitor > PDF Reports > SaaS Application Usage report to be accurate.
What do you want to know?
- How do I create tags? See: Create Tags
- What is the tag browser? See: Use the Tag Browser
- Search for rules that are tagged, group rules using tags, view tags used in policy, apply tags to policy. See: Manage Tags
Create Tags
Add a tag: To add a new tag, click Add and then fill in the following fields:
Name
    Enter a unique tag name (up to 127 characters). The name is not case-sensitive.
Shared
    Select this option if you want the tag to be available to:
    - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the tag will be available only to the Virtual System selected in the Objects tab.
    - Every device group on Panorama. If you clear this selection, the tag will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only)
    Select this option to prevent administrators from overriding the settings of this tag in device groups that inherit the tag. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the tag.
Color
    Select a color from the color palette in the drop-down. The default value is None.
Comments
    Add a label or description to remind you what the tag is used for.
You can also create a new tag when you create or edit policy in the Policies tab. The tag is automatically created in the Device Group or Virtual System that is currently selected.
Edit a tag: To edit, rename, or assign a color to a tag, click the tag name that displays as a link and modify the settings.
Delete a tag: To delete a tag, click Delete and select the tag in the window. You cannot delete a predefined tag.
Move or Clone a tag: The options to move or clone a tag allow you to copy a tag or move a tag to a different Device Group or Virtual System on firewalls with multiple virtual systems enabled. Click Clone or Move and select the tag in the window. Select the Destination location (Device Group or Virtual System) for the tag. Clear the selection for Error out on first detected error in validation if you want the validation process to discover all the errors for the object before displaying them. By default, this option is enabled and the validation process stops when the first error is detected and displays only that error.
Override or Revert a tag (Panorama only): The Override option is available if you have not selected the Disable override option when creating the tag. It allows you to override the color assigned to the tag that was inherited from a shared or ancestor device group. The Location field displays the current device group. You can also select Disable override to disable further overrides.
To undo the changes on a tag, click Revert. When you revert a tag, the Location field displays the device group or virtual system from which the tag was inherited.
Use the Tag Browser
Policies > Rulebase (Security, NAT, QoS...)
The tag browser presents a summary of all the tags used within a rulebase (policy set). It allows you to see a list of all the tags and the order in which they are listed in the rulebase.
You can sort, browse, search, and filter for a specific tag, or view only the first tag applied to each rule in the rulebase.
The following table describes the options in the tag browser:
Tag (#)
    Displays the label and the rule number or range of numbers in which the tag is used contiguously.
    Hover over the label to see the location where the rule was defined. The location can be inherited from the Shared location, a device group, or a virtual system.
Rule
    Lists the rule number or range of numbers associated with the tags.
Filter by first tag in rule
    When selected, displays only the first tag applied to each rule in the rulebase. This view is particularly useful if you want to narrow the list and view related rules that might be spread around the rulebase. For example, if the first tag in each rule denotes its function (administration, web access, data center access, proxy), you can narrow the result and scan the rules based on function.
Rule Order
    Sorts the tags in the order of appearance within the selected rulebase. When displayed in order of appearance, tags used in contiguous rules are grouped together. The rule number with which the tag is associated is displayed along with the tag name.
Alphabetical
    Sorts the tags in alphabetical order within the selected rulebase. The display lists the tag name, color (if a color is assigned), and the number of times it is used within the rulebase.
    The label None represents rules without any tags; it does not display rule numbers for untagged rules. When you select None, the right pane is filtered to display rules that have no tags assigned to them.
Clear
    Clears the filter on the currently selected tags in the search bar.
Search bar
    Allows you to search for a tag: enter the term and click the green arrow to apply the filter. It also displays the total number of tags in the rulebase and the number of selected tags.
For other actions, see Manage Tags.
Manage Tags
The following table lists the actions that you can perform using the tag browser.
Tag a rule.
    1. Select a rule on the right pane.
    2. Do one of the following:
       - Select a tag in the tag browser and, from the drop-down, select Apply the Tag to the Selection(s).
       - Drag and drop tags from the tag browser onto the tag column of the rule. When you drop the tags, a confirmation dialog displays.
View the currently selected tags.
    1. Select one or more tags in the tag browser. The tags are filtered using an OR operator.
    2. The right pane updates to display the rules that have any of the selected tags.
    3. To view the currently selected tags, hover over the Clear label in the tag browser.
View rules that match the selected tags. You can filter rules based on tags with an AND or an OR operator.
    OR filter: To view rules that have specific tags, select one or more tags in the tag browser. The right pane will display only the rules that include any of the currently selected tags.
    AND filter: To view rules that have all the selected tags, hover over the number in the Rule column of the tag browser and select Filter in the drop-down. Repeat to add more tags. Click the apply-filter icon in the search bar on the right pane. The results are displayed using an AND operator.
Untag a rule.
    Hover over the rule number in the Rule column of the tag browser and select Untag Rule(s) in the drop-down. Confirm that you want to remove the selected tag from the rule.
Reorder a rule using tags.
    Select one or more tags, hover over the rule number in the Rule column of the tag browser, and select Move Rule(s) in the drop-down. Select a tag from the drop-down in the move rule window and select whether you want to Move Before or Move After the tag selected in the drop-down.
Add a new rule that applies the selected tags.
    Select one or more tags, hover over the rule number in the Rule column of the tag browser, and select Add New Rule in the drop-down.
    The numerical order of the new rule varies by whether you selected a rule on the right pane. If no rule was selected on the right pane, the new rule will be added after the rule to which the selected tag(s) belongs. Otherwise, the new rule is added after the selected rule.
Search for a tag.
    In the tag browser, enter the first few letters of the tag name you want to search for and click the search icon to display the tags that match your input.
Objects > External Dynamic Lists
An external dynamic list is an address object based on an imported list of IP addresses, URLs, or domain names that you can use in policy rules to block or allow traffic. This list must be a text file saved to a web server that is accessible by the firewall. The firewall uses the management (MGT) interface by default to retrieve this list.
With an active Threat Prevention license, Palo Alto Networks provides two Dynamic IP Lists: Palo Alto Networks - High risk IP addresses and Palo Alto Networks - Known malicious IP addresses. These feeds both contain malicious IP address entries, which you can use to block traffic from malicious hosts. The firewall receives daily updates for these feeds through antivirus content updates.
You can use an IP address list as an address object in the source and destination of your policy rules; you can use a URL list in Objects > Security Profiles > URL Filtering or as a match criterion in Security policy rules; and you can use a domain list in Objects > Security Profiles > Anti-Spyware Profile for sinkholing specified domain names.
On each firewall model, you can use up to 30 external dynamic lists with unique sources across all Security policy rules. The maximum number of entries that the firewall supports for each list type varies based on the firewall model (view the different firewall limits for each external dynamic list type). List entries only count toward the maximum limit if the external dynamic list is used in policy. If you exceed the maximum number of entries that are supported on a model, the firewall generates a System log and skips the entries that exceed the limit. To check the number of IP addresses, domains, and URLs currently used in policy and the total number supported on the firewall, click List Capacities (firewall only).
To retrieve the latest version of the external dynamic list from the server that hosts it, select an external dynamic list and click Import Now.
You cannot delete, clone, or edit the settings of the Palo Alto Networks malicious IP address feeds.
Click Add to create a new external dynamic list and configure the settings described in the table below.
Name
    Enter a name to identify the external dynamic list (up to 32 characters). This name identifies the list when you use the list to enforce policy.
Shared
    Select this option if you want the external dynamic list to be available to:
    - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the external dynamic list will be available only to the Virtual System selected in the Objects tab.
    - Every device group on Panorama. If you clear this selection, the external dynamic list will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only)
    Select this option to prevent administrators from overriding the settings of this external dynamic list object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
Test Source URL (firewall only)
    Click to verify that the firewall can connect to the server that hosts the external dynamic list.
    This test does not check whether the server authenticates successfully.
Type
    Select from the following types of external dynamic lists. You cannot mix IP addresses, URLs, and domain names in a single list; each list must include entries of only one type.
    - Predefined IP List: Lists of this type use a Palo Alto Networks malicious or high-risk IP address feed as a source of list entries (active Threat Prevention license required).
    - IP List: Each list can include IP ranges and IP subnets in the IPv4 and IPv6 address space. The list must contain only one IP address, range, or subnet per line. Example:
        192.168.80.150/32
        2001:db8:123:1::1 or 2001:db8:123:1::/64
        192.168.80.0/24 (this indicates all addresses from 192.168.80.0 through 192.168.80.255)
        2001:db8:123:1::1 - 2001:db8:123:1::22
      A subnet or an IP address range, such as 192.168.20.0/24 or 192.168.20.40-192.168.20.50, counts as one IP address entry and not as multiple IP addresses.
    - Domain List: Each list can have only one domain name entry per line. Example:
        www.p301srv03.paloalonetworks.com
        ftp.example.co.uk
        test.domain.net
      For the list of domains included in the external dynamic list, the firewall creates a set of custom signatures of type spyware and medium severity, so that you can use the sinkhole action for a custom list of domains.
    - URL List: Each list can have only one URL entry per line. Example:
        financialtimes.co.in
        www.wallaby.au/joey
        www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx
        *.example.com/*
      For each URL list, the default action is set to allow. To edit the default action, see Objects > Security Profiles > URL Filtering.
Description
    Enter a description for the external dynamic list (up to 255 characters).
Source
    Enter an HTTP or HTTPS URL path that contains the text file. For example, http://1.1.1.1/myfile.txt.
    If the external dynamic list is a Predefined IP List, select Palo Alto Networks - High risk IP addresses or Palo Alto Networks - Known malicious IP addresses as the list source.
Certificate Profile
    If the external dynamic list has an HTTPS URL, select an existing certificate profile (firewall and Panorama) or create a new Certificate Profile (firewall only) for authenticating the web server that hosts the list. For more information on configuring a certificate profile, see Device > Certificate Management > Certificate Profile.
    Default: None (Disable Cert profile)
    Without a certificate profile the firewall does not authenticate the server that hosts the list, so an attacker who can intercept the fetch could substitute entries in a list that policy then allows or blocks; prefer an HTTPS source with a certificate profile.
    To maximize the number of external dynamic lists that you can use to enforce policy, use the same certificate profile to authenticate external dynamic lists that use the same source URL so that the lists count as only one external dynamic list. External dynamic lists from the same source URL that use different certificate profiles are counted as unique external dynamic lists.
Client Authentication
    Select this option (disabled by default) to add a username and password for the firewall to use when accessing an external dynamic list source that requires basic HTTP authentication. This setting is available only when the external dynamic list has an HTTPS URL.
    - Username: Enter a valid username to access the list.
    - Password/Confirm Password: Enter and confirm the password for the username.
Repeat
    Specify the frequency with which the firewall retrieves the list from the web server. You can choose Five Minute, Hourly, Daily, Weekly, or Monthly. At the configured interval, the firewall retrieves the list and automatically commits the changes to the configuration. Any policy rules that reference the list are updated so that the firewall can successfully enforce policy.
    You do not have to configure a frequency for a predefined IP list because the firewall dynamically receives content updates with an active Threat Prevention license.
List Entries
    Displays the entries in the external dynamic list.
    - Add an entry as a list exception: Select up to 100 entries and click Submit.
    - View an AutoFocus threat intelligence summary for an item: Hover over an entry, click the drop-down, and click AutoFocus. You must have an AutoFocus license and enable AutoFocus threat intelligence on the firewall to view an item summary.
    - Check if an IP address, domain, or URL is in the external dynamic list: Enter a value in the filter field and Apply Filter. Clear Filter ([X]) to go back to viewing the complete list.
Manual Exceptions
    Displays exceptions to the external dynamic list.
    - Edit an exception: Click on an exception and make your changes.
    - Manually enter an exception: Add a new exception manually.
    - Remove an exception from the Manual Exceptions list: Select and Delete an exception.
    - Check if an IP address, domain, or URL is in the Manual Exceptions list: Enter a value in the filter field and Apply Filter. Clear Filter ([X]) to go back to viewing the complete list. You cannot save your changes to the external dynamic list if you have duplicate entries in the Manual Exceptions list.
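Because a malformed line, a mixed-type list, or a list that exceeds the model's capacity is only reported after the firewall has fetched and tried to apply it, it is worth validating the text file before publishing it on the web server. The following is an added example, not code from the PAN-OS guide or the firewall, that parses a list according to the per-type rules in the table above, answers "is this address covered?" for IP lists, and shows how entries past a capacity limit would be skipped. The function names, the domain-name regex, the assumption that blank lines are ignored, the sample list, and the capacity limit used are all illustrative.

```python
"""Added example (not from the PAN-OS guide): parse and validate an external
dynamic list text file using the per-type rules described above (one entry
per line; IP lists may hold single addresses, CIDR subnets or "low - high"
ranges, each counting as one entry).  Names, the sample list and the
capacity limit are illustrative."""
import ipaddress
import re
from typing import List, Tuple, Union

# An IP entry is a network object or a (low, high) pair for an address range.
IPEntry = Union[ipaddress.IPv4Network, ipaddress.IPv6Network, tuple]

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$")


def _parse_ip_entry(line: str) -> IPEntry:
    """A single address, a subnet in CIDR notation, or a 'low - high' range."""
    if "-" in line:
        low_s, high_s = (part.strip() for part in line.split("-", 1))
        low, high = ipaddress.ip_address(low_s), ipaddress.ip_address(high_s)
        if low.version != high.version or low > high:
            raise ValueError("bad range %r" % line)
        return (low, high)
    # strict=False accepts 10.0.0.1/24-style entries instead of rejecting them
    return ipaddress.ip_network(line, strict=False)


def parse_edl(text: str, list_type: str) -> list:
    """Return the entries of one list type; raise on a line of another type.
    Blank lines are skipped (assumption: the firewall ignores them too)."""
    entries = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            if list_type == "ip":
                entries.append(_parse_ip_entry(line))
            elif list_type == "domain":
                if not _DOMAIN_RE.match(line.lower()):
                    raise ValueError("not a domain name")
                entries.append(line.lower())
            elif list_type == "url":
                if any(ch.isspace() for ch in line):
                    raise ValueError("URL contains whitespace")
                entries.append(line)
            else:
                raise ValueError("unknown list type %r" % list_type)
        except ValueError as exc:
            raise ValueError("line %d (%r): %s" % (number, line, exc)) from None
    return entries


def ip_list_contains(entries: List[IPEntry], address: str) -> bool:
    """Does an IP fall inside any address, subnet or range of the list?"""
    ip = ipaddress.ip_address(address)
    for entry in entries:
        if isinstance(entry, tuple):
            low, high = entry
            if low.version == ip.version and low <= ip <= high:
                return True
        elif ip.version == entry.version and ip in entry:
            return True
    return False


def apply_capacity(entries: list, limit: int) -> Tuple[list, list]:
    """Mimic the model limit: entries past the limit are skipped (the firewall
    would report this in a System log); the caller gets both halves."""
    return entries[:limit], entries[limit:]


# Constructed sample IP list built from the formats shown in the table above.
SAMPLE_IP_LIST = """\
192.168.80.150/32
2001:db8:123:1::1
192.168.80.0/24
2001:db8:123:1::1 - 2001:db8:123:1::22
192.168.20.40-192.168.20.50
"""

if __name__ == "__main__":
    entries = parse_edl(SAMPLE_IP_LIST, "ip")
    print(len(entries), "entries;", ip_list_contains(entries, "192.168.20.45"))
```

Run the checker against the file in your publishing pipeline and refuse to upload when it raises; an entry that the firewall skips silently at the capacity limit is exactly the entry you will not notice is missing from policy.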
Objects > Custom Objects
Create custom data patterns, vulnerability and spyware signatures, and URL categories to use with policies:
- Objects > Custom Objects > Data Patterns
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
Objects > Custom Objects > Data Patterns
What are you looking for? See: Data Pattern Settings
Data Pattern Settings
Name
    Enter the data pattern name (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description
    Enter a description for the data pattern (up to 255 characters).
Shared
    Select this option if you want the data pattern to be available to:
    - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the data pattern will be available only to the Virtual System selected in the Objects tab.
    - Every device group on Panorama. If you clear this selection, the data pattern will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only)
    Select this option to prevent administrators from overriding the settings of this data pattern object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
Pattern Type
    Select the type of data pattern you want to create: Predefined Pattern, Regular Expression, or File Properties.
Predefined Pattern
    Palo Alto Networks provides predefined data patterns to scan for certain types of information in files, for example, credit card numbers or social security numbers. To configure data filtering based on a predefined pattern, Add a pattern and select the following:
    - Name: Select a predefined pattern to use to filter for sensitive data. When you pick a predefined pattern, the Description populates automatically.
    - File Type: Select the file type in which you want to detect the predefined pattern.
Regular Expression
    Add a custom data pattern. Give the pattern a descriptive Name, set the File Type you want to scan for the data pattern, and enter the regular expression that defines the Data Pattern.
    For regular expression data pattern syntax details and examples, see Syntax for Regular Expression Data Patterns and Regular Expression Data Pattern Examples.
File Properties
    Build a data pattern to scan for file properties and the associated values. For example, Add a data pattern to filter for Microsoft Word documents and PDFs where the document title includes the words sensitive, internal, or confidential.
    - Give the data pattern a descriptive Name.
    - Select the File Type that you want to scan.
    - Select the File Property that you want to scan for a specific value.
    - Enter the Property Value for which you want to scan.
Syntax for Regular Expression Data Patterns
When creating a regular expression data pattern, the following general requirements apply:
- The pattern must contain a fixed string of at least seven bytes to match. It can contain more than seven bytes but not fewer.
- The string match may or may not be case-sensitive, depending on which decoder you use. Because you cannot rely on case-insensitive matching, define patterns for all possible strings to match all variations of a term. For example, to match any documents designated as confidential, create a pattern that includes confidential, Confidential, and CONFIDENTIAL.
- The regular expression syntax in PAN-OS is similar to traditional regular expression engines, but every engine is unique. The following table describes the syntax supported in PAN-OS.
Pattern Rules Syntax
.
    Match any single character.
?
    Match the preceding character or expression 0 or 1 time. The general expression MUST be inside a pair of parentheses. Example: (abc)?
*
    Match the preceding character or expression 0 or more times. The general expression MUST be inside a pair of parentheses. Example: (abc)*
+
    Match the preceding character or regular expression one or more times. The general expression MUST be inside a pair of parentheses. Example: (abc)+
|
    Equivalent to "or". Example: ((bif)|(scr)|(exe)) matches bif, scr, or exe. The alternative substrings must be in parentheses.
-
    Used to create range expressions. Example: [c-z] matches any character between c and z, inclusive.
[]
    Match any. Example: [abz] matches any of the characters a, b, or z.
^
    Match any except. Example: [^abz] matches any character except a, b, or z.
{}
    Min/Max number of bytes. Example: {10-20} matches any string that is between 10 and 20 bytes. This must be directly in front of a fixed string, and only supports - (dash).
\
    To perform a literal match on any one of the special characters above, it MUST be escaped by preceding it with a \ (backslash).
&
    & is a special character, so to look for the & in a string you must use && instead.
Regular Expression Data Pattern Examples
The following are examples of valid custom patterns:
.*((Confidential)|(CONFIDENTIAL))
    Looks for the word Confidential or CONFIDENTIAL anywhere. The .* at the beginning specifies to look anywhere in the stream. Depending on the case sensitivity requirements of the decoder, this may not match confidential (all lowercase).
.*((Proprietary&&Confidential)|(Proprietary and Confidential))
    Looks for either Proprietary&Confidential or Proprietary and Confidential. More precise than looking for Confidential.
.*(Press Release).*((Draft)|(DRAFT)|(draft))
    Looks for Press Release followed by various forms of the word draft, which may indicate that the press release isn't ready to be sent outside the company.
.*(Trinidad)
    Looks for a project code name, such as Trinidad.
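A pattern that violates the rules above (too short a fixed string, a bare &, a {min-max} that is not in front of a fixed string) is rejected at commit time, and a pattern that relies on case-insensitive matching silently misses data on a case-sensitive decoder. The following is an added example, not code from the PAN-OS guide or the firewall's threat engine: it checks a pattern against the rules in the syntax table and translates it to Python's re module so it can be tried against sample text offline. It encodes the page's rules as an approximation of the PAN-OS engine, not its implementation; function names and the sample text are illustrative, and a group made optional with ? or * is still counted toward the fixed-string length, which the real engine may judge differently.

```python
"""Added example (not from the PAN-OS guide): a checker for the data-pattern
syntax rules listed above, plus a translation to Python's re module so a
pattern can be tried against sample text offline.  It encodes the page's
rules (seven-byte fixed string, && for a literal &, {min-max} only in front
of a fixed string, something to quantify before ?, * and +); it is an
approximation of the PAN-OS engine, not its implementation."""
import re

MIN_FIXED_BYTES = 7
QUANTIFIERS = "?*+"


def tokenize(pattern: str) -> list:
    """Split a pattern into (kind, text) tokens: 'lit', 'class', 'range', 'meta'."""
    tokens, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):        # escaped special char
            tokens.append(("lit", pattern[i + 1])); i += 2
        elif c == "&":                                  # & must be doubled
            if pattern[i:i + 2] != "&&":
                raise ValueError("bare '&': write '&&' to match a literal &")
            tokens.append(("lit", "&")); i += 2
        elif c == "{":
            m = re.match(r"\{(\d+)-(\d+)\}", pattern[i:])
            if not m or int(m.group(1)) > int(m.group(2)):
                raise ValueError("{} must be {min-max} with min <= max")
            tokens.append(("range", (int(m.group(1)), int(m.group(2))))); i += m.end()
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j < 0:
                raise ValueError("unterminated [")
            tokens.append(("class", pattern[i:j + 1])); i = j + 1
        elif c in "().|" + QUANTIFIERS:
            tokens.append(("meta", c)); i += 1
        else:
            tokens.append(("lit", c)); i += 1
    return tokens


def validate_pattern(pattern: str) -> int:
    """Raise ValueError on a rule violation; return the longest fixed run."""
    tokens = tokenize(pattern)
    depth, longest, run = 0, 0, 0
    for idx, (kind, text) in enumerate(tokens):
        prev = tokens[idx - 1] if idx else None
        nxt = tokens[idx + 1] if idx + 1 < len(tokens) else None
        if kind == "meta" and text == "(":
            depth += 1
        elif kind == "meta" and text == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')'")
        elif kind == "meta" and text in QUANTIFIERS:
            # something must precede it: a literal, '.', a class or a group
            if (prev is None or prev in (("meta", "("), ("meta", "|"))
                    or prev[0] == "range"
                    or (prev[0] == "meta" and prev[1] in QUANTIFIERS)):
                raise ValueError("'%s' has nothing to quantify" % text)
        elif kind == "range" and (nxt is None or nxt[0] != "lit"):
            raise ValueError("{min-max} must be directly in front of a fixed string")
        # count consecutive literal bytes; a byte made optional by ? or * breaks the run
        optional = nxt in (("meta", "?"), ("meta", "*"))
        if kind == "lit" and not optional:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    if depth:
        raise ValueError("unbalanced '('")
    if longest < MIN_FIXED_BYTES:
        raise ValueError("longest fixed string is %d bytes; need %d" % (longest, MIN_FIXED_BYTES))
    return longest


def to_python_regex(pattern: str) -> str:
    """Translate the PAN-OS syntax into an equivalent Python regex."""
    out = []
    for kind, text in tokenize(pattern):
        if kind == "lit":
            out.append(re.escape(text))
        elif kind == "range":
            out.append(".{%d,%d}" % text)
        else:                          # classes and metacharacters pass through
            out.append(text)
    return "".join(out)


def pattern_matches(pattern: str, data: str, case_insensitive: bool = False) -> bool:
    """Validate, translate and search; the flag mimics a decoder that may or
    may not ignore case."""
    validate_pattern(pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(to_python_regex(pattern), data, flags) is not None


# Constructed sample text containing the strings the patterns above look for.
SAMPLE_TEXT = "Project Trinidad status: Proprietary&Confidential. Press Release DRAFT"
```

The validator returns the longest guaranteed literal run so you can see how much of a pattern is actually fixed; a pattern whose only long literal sits inside an optional group should be rewritten rather than trusted.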
Objects > Custom Objects > Spyware/Vulnerability
The firewall supports the ability to create custom spyware and vulnerability signatures using the firewall threat engine. You can write custom regular expression patterns to identify spyware phone-home communication or vulnerability exploits. The resulting spyware and vulnerability patterns become available for use in any custom vulnerability profiles. The firewall looks for the custom-defined patterns in network traffic and takes the specified action for the vulnerability exploit.
Weekly content releases periodically include new decoders and contexts for which you can develop signatures.
You can optionally include a time attribute when defining custom signatures by specifying a threshold per interval for triggering possible actions in response to an attack. Action is taken only after the threshold is reached.
Use the Custom Spyware Signature page to define signatures for Anti-Spyware profiles. Use the Custom Vulnerability Signature page to define signatures for Vulnerability Protection profiles.
Custom Vulnerability and Spyware Signature Settings
Configuration Tab
Threat ID
    Enter a numeric identifier for the configuration (spyware signatures range is 15000-18000; vulnerability signatures range is 41000-45000).
Name
    Specify the threat name.
Shared
    Select this option if you want the custom signature to be available to:
    - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the custom signature will be available only to the Virtual System selected in the Objects tab.
    - Every device group on Panorama. If you clear this selection, the custom signature will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only)
    Select this option to prevent administrators from overriding the settings of this signature in device groups that inherit the signature. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the signature.
Comment
    Enter an optional comment.
Severity
    Assign a level that indicates the seriousness of the threat.
Default Action
    Assign the default action to take if the threat conditions are met. For a list of actions, see Actions in Security Profiles.
Direction
    Indicate whether the threat is assessed from the client to server, server to client, or both.
Affected System
    Indicate whether the threat involves the client, server, either, or both. Applies to vulnerability signatures, but not spyware signatures.
CVE
    Specify the Common Vulnerabilities and Exposures (CVE) identifier as an external reference for additional background and analysis.
Vendor
    Specify the vendor identifier for the vulnerability as an external reference for additional background and analysis.
Bugtraq
    Specify the Bugtraq ID (similar to CVE) as an external reference for additional background and analysis.
Reference
    Add any links to additional analysis or background information. The information is shown when a user clicks on the threat from the ACC, logs, or vulnerability profile.
Signatures Tab
Standard Signature
    Select Standard and then Add a new signature. Specify the following information:
    - Standard: Enter a name to identify the signature.
    - Comment: Enter an optional description.
    - Ordered Condition Match: Select if the order in which signature conditions are defined is important.
    - Scope: Select whether to apply this signature only to the current transaction or to the full user session.
    Add a condition by clicking Add Or Condition or Add And Condition. To add a condition within a group, select the group and then click Add Condition.
    Add a condition to a signature so that the signature is generated for traffic when the parameters you define for the condition are true. Select an Operator from the drop-down. The operator defines the type of condition that must be true for the custom signature to match traffic. Choose from Less Than, Equal To, Greater Than, or Pattern Match operators.
    When choosing a Pattern Match operator, specify the following, which must be true for the signature to match traffic:
    - Context: Select from the available contexts.
    - Pattern: Specify a regular expression. See Pattern Rules Syntax for pattern rules for regular expressions.
    - Qualifier and Value: Optionally, add qualifier/value pairs.
    - Negate: Select Negate so that the custom signature matches traffic only when the defined Pattern Match condition is not true. This allows you to ensure that the custom signature is not triggered under certain conditions.
      A custom signature cannot be created with only Negate conditions; at least one positive condition must be included in order for a negate condition to be specified. Also, if the scope of the signature is set to Session, a Negate condition cannot be configured as the last condition to match traffic.
      You can define exceptions for custom vulnerability or spyware signatures using this option to negate signature generation when traffic matches both a signature and the exception to the signature. Use this option to allow certain traffic in your network that might otherwise be classified as spyware or a vulnerability exploit. In this case, the signature is generated for traffic that matches the pattern; traffic that matches the pattern but also matches the exception to the pattern is excluded from signature generation and any associated policy action (such as being blocked or dropped). For example, you can define a signature to be generated for redirected URLs; however, you can also create an exception where the signature is not generated for URLs that redirect to a trusted domain.
Combination Signature
    Select Combination and specify the following information:
    Select Combination Signatures to specify conditions that define signatures:
    - Add a condition by clicking Add AND Condition or Add OR Condition. To add a condition within a group, select the group and then click Add Condition.
    - To move a condition within a group, select the condition and click Move Up or Move Down. To move a group, select the group and click Move Up or Move Down. You cannot move conditions from one group to another.
    Select Time Attribute to specify the following information:
    - Number of Hits: Specify the threshold that will trigger any policy-based action as a number of hits (1-1000) in a specified number of seconds (1-3600).
    - Aggregation Criteria: Specify whether the hits are tracked by source IP address, destination IP address, or a combination of source and destination IP addresses.
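The Time Attribute turns a combination signature into a rate-based detection: nothing happens on the first match, and the action fires only once a key accumulates Number of Hits within the interval. Choosing the Aggregation Criteria changes which key is counted and therefore what the signature can see (a single scanner against many hosts is visible by source, a distributed scan against one host only by destination). The following is an added example, not code from the PAN-OS guide or the firewall, that reproduces those semantics over constructed events so the effect of each aggregation choice can be checked; the class name, the sliding-window behaviour, the decision to clear a key's counter after it fires, and the sample events are illustrative assumptions.

```python
"""Added example (not from the PAN-OS guide): a counter that reproduces the
Time Attribute semantics described above: a combination signature fires only
once a key (source, destination, or the pair) accumulates Number of Hits
within the configured number of seconds.  Class name, the sliding-window
choice and the sample events are illustrative assumptions."""
from collections import defaultdict, deque

AGGREGATION_KEYS = {
    "source": lambda src, dst: (src,),
    "destination": lambda src, dst: (dst,),
    "source-and-destination": lambda src, dst: (src, dst),
}


class TimeAttribute:
    def __init__(self, number_of_hits: int, seconds: int, aggregation: str):
        if not 1 <= number_of_hits <= 1000:
            raise ValueError("Number of Hits must be 1-1000")
        if not 1 <= seconds <= 3600:
            raise ValueError("interval must be 1-3600 seconds")
        self.hits, self.window = number_of_hits, seconds
        self.key_of = AGGREGATION_KEYS[aggregation]
        self._seen = defaultdict(deque)     # key -> timestamps inside the window

    def record(self, ts: float, src: str, dst: str) -> bool:
        """Register one condition match; return True when the threshold is
        reached.  Assumption: the window slides, and the counter for that key
        is cleared after it fires so each threshold crossing acts once."""
        key = self.key_of(src, dst)
        q = self._seen[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop hits older than the interval
            q.popleft()
        if len(q) >= self.hits:
            q.clear()
            return True
        return False


def replay(events, **kwargs):
    """Feed (timestamp, src, dst) events; return the timestamps that fired."""
    attr = TimeAttribute(**kwargs)
    return [ts for ts, src, dst in events if attr.record(ts, src, dst)]


# Constructed events: 10.0.0.5 probes two hosts, 10.0.0.9 makes one request.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "192.0.2.10"),
    (1, "10.0.0.5", "192.0.2.10"),
    (2, "10.0.0.5", "192.0.2.20"),
    (3, "10.0.0.9", "192.0.2.10"),
    (4, "10.0.0.5", "192.0.2.10"),
    (5, "10.0.0.5", "192.0.2.10"),
]

if __name__ == "__main__":
    for agg in AGGREGATION_KEYS:
        print(agg, replay(SAMPLE_EVENTS, number_of_hits=4, seconds=10, aggregation=agg))
```

With the same four-hits-in-ten-seconds threshold, the signature fires at a different moment for each aggregation choice, which is the property to confirm before relying on it to throttle or block.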
Objects > Custom Objects > URL Category
Use the custom URL category page to create your custom list of URLs and use it in a URL filtering profile or as match criteria in policy rules. In a custom URL category, you can add URL entries individually, or import a text file that contains a list of URLs.
URL entries added to custom categories are case-insensitive.
The following table describes the custom URL settings:
Name
    Enter a name to identify the custom URL category (up to 31 characters). This name displays in the category list when defining URL filtering policies and in the match criteria for URL categories in policy rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description
    Enter a description for the URL category (up to 255 characters).
Shared
    Select this option if you want the URL category to be available to:
    - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the URL category will be available only to the Virtual System selected in the Objects tab.
    - Every device group on Panorama. If you clear this selection, the URL category will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only)
    Select this option to prevent administrators from overriding the settings of this custom URL object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
Sites
    - Add: Click Add to enter URLs, only one in each row. Each URL can be in the format www.example.com or can include wildcards, such as *.example.com. For additional information on formats supported, see Block List in Objects > Security Profiles > URL Filtering.
    - Import: Click Import and browse to select the text file that contains the list of URLs. Enter only one URL per row. Each URL can be in the format www.example.com or can include wildcards, such as *.example.com. For additional information on formats supported, see Block List in Objects > Security Profiles > URL Filtering.
    - Export: Click Export to export the custom URL entries included in the list. The URLs are exported as a text file.
    - Delete: Select an entry and click Delete to remove the URL from the list.
    To delete a custom category that you have used in a URL filtering profile, you must set the action to None before you can delete the custom category. See Category actions in Objects > Security Profiles > URL Filtering.
Objects > Security Profiles
Security profiles provide threat protection in Security policy. Each Security policy rule can include one or more Security Profiles. The following profile types are available:
- Antivirus profiles to protect against worms, viruses, and trojans and to block spyware downloads. See Objects > Security Profiles > Antivirus.
- Anti-Spyware profiles to block attempts from spyware on compromised hosts trying to phone home or beacon out to external command-and-control (C2) servers. See Objects > Security Profiles > Anti-Spyware Profile.
- Vulnerability Protection profiles to stop attempts to exploit system flaws or gain unauthorized access to systems. See Objects > Security Profiles > Vulnerability Protection.
- URL Filtering profiles to restrict users' access to specific web sites and/or web site categories, such as shopping or gambling. See Objects > Security Profiles > URL Filtering.
- File Blocking profiles to block selected file types in the specified session flow direction (inbound/outbound/both). See Objects > Security Profiles > File Blocking.
- WildFire Analysis profiles to specify whether file analysis is performed locally on the WildFire appliance or in the WildFire cloud. See Objects > Security Profiles > WildFire Analysis.
- Data Filtering profiles that help prevent sensitive information such as credit card or social security numbers from leaving a protected network. See Objects > Security Profiles > Data Filtering.
- DoS Protection profiles, used with DoS Protection policy rules to protect the firewall from high-volume single-session and multiple-session attacks. See Objects > Security Profiles > DoS Protection.
In addition to individual profiles, you can combine profiles that are often applied together and create Security Profile groups (Objects > Security Profile Groups).
Actions in Security Profiles
The action specifies how the firewall responds to a threat event. Every threat or virus signature that is defined by Palo Alto Networks includes a default action, which is typically either set to Alert, which informs you using the option you have enabled for notification, or to Reset Both, which resets both sides of the connection. However, you can define or override the action on the firewall. The following actions are applicable when defining Antivirus profiles, Anti-Spyware profiles, Vulnerability Protection profiles, custom spyware objects, custom vulnerability objects, or DoS Protection profiles.
Allow
    Permits the application traffic.
Alert
    Generates an alert for each application traffic flow. The alert is saved in the threat log.
    In a DoS Protection profile, generates an alert when attack volume (cps) reaches the Alarm threshold set in the profile.
Drop
    Drops the application traffic.
Block IP
    Blocks traffic from either a source or a source-destination pair; configurable for a specified period of time.
Sinkhole
    Directs DNS queries for malicious domains to a sinkhole IP address. The action is available for Palo Alto Networks DNS signatures and for custom domains included in Objects > External Dynamic Lists.
Random Early Drop
    Causes the firewall to randomly drop packets when connections per second reach the Activate Rate threshold in a DoS Protection profile applied to a DoS Protection rule.
You cannot delete a profile that is used in a policy rule; you must first remove the profile from the policy rule.
Objects > Security Profiles > Antivirus
Use the Antivirus Profiles page to configure options to have the firewall scan for viruses on the defined traffic. Set the applications that should be inspected for viruses and the action to take when a virus is detected. The default profile inspects all of the listed protocol decoders for viruses, generates alerts for Simple Mail Transport Protocol (SMTP), Internet Message Access Protocol (IMAP), and Post Office Protocol Version 3 (POP3), and takes the default action for other applications (alert or deny), depending on the type of virus detected. The profile is then attached to a Security policy rule to determine which traffic traversing specific zones will be inspected.
Customized profiles can be used to minimize antivirus inspection for traffic between trusted security zones, and to maximize the inspection of traffic received from untrusted zones, such as the Internet, as well as the traffic sent to highly sensitive destinations, such as server farms.
To add a new Antivirus profile, select Add and enter the following settings:
Field | Description
Name: Enter a profile name (up to 31 characters). This name appears in the list of antivirus profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.
Description: Enter a description for the profile (up to 255 characters).
Shared: Select this option if you want the profile to be available to:
Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Antivirus profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
The Antivirus tab allows you to specify the action for the different types of traffic, such as ftp and http.
Packet Capture: Select this option if you want to capture identified packets.
Decoders and Actions: For each type of traffic that you want to inspect for viruses, select an action from the drop-down. You can define different actions for standard antivirus signatures (Action column) and signatures generated by the WildFire system (WildFire Action column).
Some environments may have requirements for a longer soak time for antivirus signatures, so this option enables the ability to set different actions for the two antivirus signature types provided by Palo Alto Networks. For example, the standard antivirus signatures go through a longer soak period before being released (24 hours), versus WildFire signatures, which can be generated and released within 15 minutes after a threat is detected. Because of this, you may want to choose the alert action on WildFire signatures instead of blocking.
Threat ID: To add specific threats that you want to ignore, enter one Threat ID at a time and click Add. Threat IDs are presented as part of the threat log information. Refer to Monitor > Logs.
Objects > Security Profiles > Anti-Spyware Profile
You can attach an Anti-Spyware profile to a Security policy rule for detecting connections initiated by spyware and command-and-control (C2) malware installed on systems on your network. You can choose between two predefined Anti-Spyware profiles in a Security policy rule. Each of these profiles has a set of predefined rules (with threat signatures) organized by the severity of the threat; each threat signature includes a default action that is specified by Palo Alto Networks.
Default: The default profile uses the default action for every signature, as specified by Palo Alto Networks when the signature is created.
Strict: The strict profile overrides the action defined in the signature file for critical, high, and medium severity threats, and sets it to the block action. The default action is taken with low and informational severity threats.
You can also create custom profiles. You can, for example, reduce the stringency of Anti-Spyware inspection for traffic between trusted security zones, and maximize the inspection of traffic received from the Internet, or traffic sent to protected assets such as server farms.
The following tables describe the Anti-Spyware profile settings:
Anti-Spyware Profile Settings | Description
Name: Enter a profile name (up to 31 characters). This name appears in the list of Anti-Spyware profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.
Description: Enter a description for the profile (up to 255 characters).
Shared: Select this option if you want the profile to be available to:
Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Anti-Spyware profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
Rules
Anti-Spyware rules allow you to define a custom severity and action to take on any threat, on a specific threat name that contains the text that you enter, and/or on a threat category, such as adware.
Add a new rule, or select an existing rule and select Find Matching Signatures to filter threat signatures based on that rule.
Rule Name: Specify the rule name.
Threat Name: Enter any to match all signatures, or enter text to match any signature containing the entered text as part of the signature name.
Severity: Choose a severity level (critical, high, medium, low, or informational).
Action: Choose an action for each threat. For a list of actions, see Actions in Security Profiles.
Packet Capture: Select this option if you want to capture identified packets.
Select single-packet to capture one packet when a threat is detected, or select the extended-capture option to capture from 1 to 50 packets. Extended capture provides much more context to the threat when analyzing the threat logs. To view the packet capture, select Monitor > Logs > Threat, locate the log entry you are interested in, and then click the green down arrow in the second column. To define the number of packets that should be captured, select Device > Setup > Content-ID and then edit the Content-ID Settings.
Packet captures will only occur if the action is allow or alert. If the block action is set, the session is ended immediately.
Exceptions Tab
Allows you to change the action for a specific signature. For example, you can generate alerts for a specific set of signatures and block all packets that match all other signatures. Threat exceptions are usually configured when false positives occur. To make management of threat exceptions easier, you can add threat exceptions directly from the Monitor > Logs > Threat list. Ensure that you obtain the latest content updates so that you are protected against new threats and have new signatures for any false positives.
Exceptions: Select Enable for each threat for which you want to assign an action, or select All to respond to all listed threats. The list depends on the selected host, category, and severity. If the list is empty, there are no threats for the current selections.
Use the IP Address Exemptions column to add IP address filters to a threat exception. If IP addresses are added to a threat exception, the threat exception action for that signature will only be taken over the rule's action if the signature is triggered by a session having either the source or destination IP matching an IP in the exception. You can add up to 100 IP addresses per signature. With this option, you do not have to create a new policy rule and new vulnerability profile to create an exception for a specific IP address.
External Dynamic List Domains: Allows you to select the lists for which you want to enforce an action when a DNS query occurs. By default, the list of DNS signatures provided through content updates (Palo Alto Networks DNS Signatures list) is sinkholed. The default IP address used for sinkholing belongs to Palo Alto Networks (71.19.152.112). This IP address is not static and can be modified through content updates on the firewall or Panorama.
To add a new list, click Add and select the External Dynamic List of type Domain that you had created. To create a new list, see Objects > External Dynamic Lists.
Action on DNS queries: Choose an action to be taken when DNS lookups are made to known malware sites. The options are alert, allow, block, or sinkhole. The default action for Palo Alto Networks DNS signatures is sinkhole.
The DNS sinkhole action provides administrators with a method of identifying infected hosts on the network using DNS traffic, even when the firewall is north of a local DNS server (i.e. the firewall cannot see the originator of the DNS query). When a threat prevention license is installed and an Anti-Spyware profile is enabled in a Security Profile, the DNS-based signatures will trigger on DNS queries directed at malware domains. In a typical deployment where the firewall is north of the local DNS server, the threat log will identify the local DNS resolver as the source of the traffic rather than the actual infected host. Sinkholing malware DNS queries solves this visibility problem by forging responses to the queries directed at malicious domains, so that clients attempting to connect to malicious domains (for command and control, for example) instead attempt connections to an IP address specified by the administrator. Infected hosts can then be easily identified in the traffic logs because any host that attempts to connect to the sinkhole IP is most likely infected with malware.
After selecting the sinkhole action, specify an IPv4 and/or IPv6 address that will be used for sinkholing. By default, the sinkhole IP address is set to a Palo Alto Networks server. You can then use the traffic logs or build a custom report that filters on the sinkhole IP address to identify infected clients.
The following is the sequence of events that will occur when a DNS request is sinkholed:
Malicious software on an infected client computer sends a DNS query to resolve a malicious host on the Internet.
The client's DNS query is sent to an internal DNS server, which then queries a public DNS server on the other side of the firewall.
The DNS query matches a DNS entry in the DNS signatures database, so the sinkhole action will be performed on the query.
The infected client then attempts to start a session with the host, but uses the forged IP address instead. The forged IP address is the address defined in the Anti-Spyware profile DNS Signatures tab when the sinkhole action is selected.
The administrator is alerted of a malicious DNS query in the threat log, and can then search the traffic logs for the sinkhole IP address and easily locate the client IP address that is trying to start a session with the sinkhole IP address.
Packet Capture: Select this option if you want to capture identified packets.
Threat ID: Manually enter DNS signature exceptions (range is 4000000-4999999).
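The last step of the sinkhole sequence, searching the traffic logs for sessions to the sinkhole address, as an added example (not code from the guide or from Palo Alto Networks). The log sample is constructed and its column layout is an assumption of this example, not the real PAN-OS traffic log format; 71.19.152.112 is the default sinkhole address named above and 2001:db8::fe stands in for an administrator-chosen IPv6 sinkhole.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed, simplified traffic log (not a real PAN-OS export: the column
# set and order are assumptions of this example). The threat log would show
# the internal resolver as the source of the sinkholed DNS query; only the
# traffic log reveals which client then connected to the forged answer.
SAMPLE_TRAFFIC_LOG = """\
receive_time,src,dst,dport,app,action
2017/02/06 10:01:02,10.1.7.8,71.19.152.112,443,ssl,allow
2017/02/06 10:01:05,10.1.7.8,71.19.152.112,80,web-browsing,allow
2017/02/06 10:01:09,10.1.7.9,198.51.100.20,443,ssl,allow
2017/02/06 10:02:11,10.1.7.20,71.19.152.112,8080,unknown-tcp,allow
2017/02/06 10:03:30,10.1.7.8,2001:db8::fe,443,ssl,allow
2017/02/06 10:04:00,10.1.7.30,not-an-ip,53,dns,allow
"""


def parse_ip(text):
    """Return an ip_address object, or None when the field is not an address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def find_sinkholed_clients(log_text, sinkhole_ips):
    """Map each client that opened a session to a sinkhole address to the
    sorted (destination, port) pairs it attempted.

    Comparing parsed addresses rather than raw strings means an IPv6
    sinkhole matches regardless of how the log spells it.
    """
    sinkholes = {parse_ip(ip) for ip in sinkhole_ips} - {None}
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        dst = parse_ip(row["dst"])
        if dst is not None and dst in sinkholes:
            hits[row["src"]].add((row["dst"], int(row["dport"])))
    return {src: sorted(pairs) for src, pairs in hits.items()}


def summarize(clients):
    """One line per suspected host, suitable for a report or ticket."""
    return [f"{src}: {len(pairs)} sinkhole session(s)"
            for src, pairs in sorted(clients.items())]


if __name__ == "__main__":
    found = find_sinkholed_clients(SAMPLE_TRAFFIC_LOG,
                                   ["71.19.152.112", "2001:db8::fe"])
    print("\n".join(summarize(found)))
```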
Objects > Security Profiles > Vulnerability Protection
A Security policy rule can include specification of a Vulnerability Protection profile that determines the level of protection against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. There are two predefined profiles available for the Vulnerability Protection feature:
The default profile applies the default action to all client and server critical, high, and medium severity vulnerabilities. It does not detect low and informational vulnerability protection events.
The strict profile applies the block response to all client and server critical, high, and medium severity spyware events and uses the default action for low and informational vulnerability protection events.
Customized profiles can be used to minimize vulnerability checking for traffic between trusted security zones, and to maximize protection for traffic received from untrusted zones, such as the Internet, as well as the traffic sent to highly sensitive destinations, such as server farms. To apply Vulnerability Protection profiles to Security policies, refer to Policies > Security.
The Rules settings specify collections of signatures to enable, as well as actions to be taken when a signature within a collection is triggered.
The Exceptions settings allow you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exceptions tab supports filtering functions.
The Vulnerability Protection page presents a default set of columns. Additional columns of information are available by using the column chooser. Click the arrow to the right of a column header and select the columns from the Columns submenu.
The following tables describe the Vulnerability Protection profile settings:
Vulnerability Protection Profile Settings | Description
Name: Enter a profile name (up to 31 characters). This name appears in the list of Vulnerability Protection profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.
Description: Enter a description for the profile (up to 255 characters).
Shared: Select this option if you want the profile to be available to:
Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Vulnerability Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
Rules Tab
Rule Name: Specify a name to identify the rule.
Threat Name: Specify a text string to match. The firewall applies a collection of signatures to the rule by searching signature names for this text string.
Action: Choose the action to take when the rule is triggered. For a list of actions, see Actions in Security Profiles.
The Default action is based on the predefined action that is part of each signature provided by Palo Alto Networks. To view the default action for a signature, select Objects > Security Profiles > Vulnerability Protection and Add or select an existing profile. Click the Exceptions tab and then click Show all signatures to see a list of all signatures and the associated Action.
Host Type: Specify whether to limit the signatures for the rule to those that are client side, server side, or either (any).
Packet Capture: Select this option if you want to capture identified packets.
Select single-packet to capture one packet when a threat is detected, or select the extended-capture option to capture from 1 to 50 packets. Extended capture provides much more context to the threat when analyzing the threat logs. To view the packet capture, select Monitor > Logs > Threat, locate the log entry you are interested in, and then click the green down arrow in the second column. To define the number of packets that should be captured, select Device > Setup > Content-ID and then edit the Content-ID Settings.
Packet captures will only occur if the action is allow or alert. If the block action is set, the session is ended immediately.
Category: Select a vulnerability category if you want to limit the signatures to those that match that category.
CVE List: Specify common vulnerabilities and exposures (CVEs) if you want to limit the signatures to those that also match the specified CVEs.
Each CVE is in the format CVE-yyyy-xxxx, where yyyy is the year and xxxx is the unique identifier. You can perform a string match on this field. For example, to find vulnerabilities for the year 2011, enter 2011.
Vendor ID: Specify vendor IDs if you want to limit the signatures to those that also match the specified vendor IDs.
For example, the Microsoft vendor IDs are in the form MSyy-xxx, where yy is the two-digit year and xxx is the unique identifier. For example, to match Microsoft for the year 2009, enter MS09.
Severity: Select severities to match (informational, low, medium, high, or critical) if you want to limit the signatures to those that also match the specified severities.
Exceptions Tab
Threats: Select Enable for each threat for which you want to assign an action, or select All to respond to all listed threats. The list depends on the selected host, category, and severity. If the list is empty, there are no threats for the current selections.
Choose an action from the drop-down, or choose from the Action drop-down at the top of the list to apply the same action to all threats. If you selected Show All, then all signatures are listed. If not, only the signatures that are exceptions are listed.
Select Packet Capture if you want to capture identified packets.
The vulnerability signature database contains signatures that indicate a brute-force attack; for example, Threat ID 40001 triggers on an FTP brute-force attack. Brute-force signatures trigger when a condition occurs within a certain time threshold. The thresholds are preconfigured for brute-force signatures, and can be changed by clicking edit next to the threat name on the Vulnerability tab (with the Custom option selected). You can specify the number of hits per unit of time and whether the threshold applies to source, destination, or source and destination.
Thresholds can be applied on a source IP, a destination IP, or a combination of source IP and destination IP.
The default action is shown in parentheses. The CVE column shows identifiers for common vulnerabilities and exposures (CVE). These unique, common identifiers are for publicly known information security vulnerabilities.
Click into the IP Address Exemptions column to Add IP address filters to a threat exception. When you add an IP address to a threat exception, the threat exception action for that signature will take precedence over the rule's action only if the signature is triggered by a session with either a source or destination IP address matching an IP address in the exception. You can add up to 100 IP addresses per signature. You must enter a unicast IP address (that is, an address without a netmask), such as 10.1.7.8 or 2001:db8:123:1::1. By adding IP address exemptions, you do not have to create a new policy rule and new vulnerability profile to create an exception for a specific IP address.
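The precedence rule for IP Address Exemptions described here (and in the Anti-Spyware Exceptions tab above), written out as an added example so the decision can be checked against a session before committing an exception; this is illustrative code, not the firewall's implementation. The ThreatException class, the session values and the 40001 example threat ID from the brute-force paragraph are the only inputs it assumes.

```python
import ipaddress

MAX_EXEMPTIONS_PER_SIGNATURE = 100  # per-signature limit stated in the guide


class ThreatException:
    """A per-signature exception: an action plus optional IP exemptions."""

    def __init__(self, threat_id, action, exempt_ips=()):
        self.threat_id = threat_id
        self.action = action
        self.exempt_ips = set()
        for ip in exempt_ips:
            self.add_exemption(ip)

    def add_exemption(self, text):
        """Accept only a unicast host address without a netmask, as the guide
        requires (10.1.7.8 or 2001:db8:123:1::1 are valid; 10.1.7.0/24 is not)."""
        if "/" in text:
            raise ValueError(f"{text!r}: enter a host address without a netmask")
        ip = ipaddress.ip_address(text)  # raises ValueError on malformed input
        if ip.is_multicast:
            raise ValueError(f"{text!r}: must be a unicast address")
        if len(self.exempt_ips) >= MAX_EXEMPTIONS_PER_SIGNATURE:
            raise ValueError("at most 100 IP addresses per signature")
        self.exempt_ips.add(ip)


def effective_action(rule_action, exception, src, dst):
    """Action applied to one session that triggered the signature covered by
    `exception` (None when no exception exists for that signature).

    Without IP exemptions the exception action replaces the rule action for
    every session. With exemptions it replaces the rule action only when the
    session's source or destination matches one of the exempt addresses;
    otherwise the rule action stands.
    """
    if exception is None:
        return rule_action
    if not exception.exempt_ips:
        return exception.action
    endpoints = {ipaddress.ip_address(src), ipaddress.ip_address(dst)}
    if endpoints & exception.exempt_ips:
        return exception.action
    return rule_action


if __name__ == "__main__":
    # Constructed scenario: rule blocks FTP brute force (threat 40001), but an
    # internal scanner is allowed to trip the signature; other hosts stay blocked.
    exc = ThreatException(40001, "alert", ["10.1.7.8"])
    print(effective_action("block", exc, "10.1.7.8", "198.51.100.5"))   # alert
    print(effective_action("block", exc, "10.1.7.9", "198.51.100.5"))   # block
```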
Objects > Security Profiles > URL Filtering
You can use URL Filtering profiles to control access to web content.
General Settings
General Settings | Description
Name: Enter a profile name (up to 31 characters). This name appears in the list of URL Filtering profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description: Enter a description for the profile (up to 255 characters).
Shared: Select this option if you want the profile to be available to:
Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this URL Filtering profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
Categories
Objects > Security Profiles > URL Filtering > Categories
Categories Settings | Description
Category: In addition to the predefined categories, both custom URL categories and external dynamic lists of type URL are displayed under Category. By default, the Site Access and User Credential Submission permissions for all categories are set to Allow.
Site Access: For each URL category, select the action to take when a user attempts to access a URL in that category (Site Access):
alert: Allows access to the website but adds an alert to the URL log each time a user accesses the URL.
allow: Allows access to the website.
block: Blocks access to the website. If the Site Access for a URL category is set to block, the User Credential Submission permission is automatically also set to block.
continue: Displays a page that warns users against continuing to access the page. To access the website, the user must click Continue.
The Continue pages will not be displayed properly on client machines that are configured to use a proxy server.
override: Displays a response page that prompts the user to enter a valid password in order to gain access to the site. Configure URL Admin Override settings (Device > Setup > Content-ID) to manage the password and other override settings. (See also the Management Settings table in Device > Setup > Content-ID.)
The Override pages will not be displayed properly on client machines that are configured to use a proxy server.
none (custom URL category only): If you have created custom URL categories, set the action to none to allow the firewall to inherit the URL filtering category assignment from your URL database vendor. Setting the action to none gives you the flexibility to ignore custom categories in a URL Filtering profile, while allowing you to use the custom URL category as a match criterion in policy rules (Security, Decryption, and QoS) to make exceptions or to enforce different actions. To delete a custom URL category, you must set the action to none in any profile where the custom category is used. For information on custom URL categories, see Objects > Custom Objects > URL Category.
Check URL Category: Click to access the PAN-DB URL Filtering database, where you can enter a URL or IP address to view categorization information.
Dynamic URL Filtering (Default: Disabled. Configurable for BrightCloud only; with PAN-DB, this option is enabled by default and is not configurable.): Select to enable cloud lookup for categorizing the URL. This option is invoked if the local database is unable to categorize the URL. If the URL is unresolved after a 5-second timeout window, the response is displayed as Not resolved URL.
Overrides
Objects > Security Profiles > URL Filtering > Overrides
Overrides Settings | Description
Action on License Expiration:
With BrightCloud: If you are using the BrightCloud database, you can configure the action to take if the URL filtering license expires:
Block: Blocks access to all websites. Upon license expiration, all URLs are blocked, not just the URL categories previously set to block.
Allow: Allows access to all websites. Upon license expiration, all URLs are allowed, not just the URL categories set to allow.
With PAN-DB: If the license expires for PAN-DB, URL filtering is not enforced:
URL categories that are currently in the cache will be used to either block or allow content based on your configuration. Using cached results is a security risk because the categorization information might be stale.
URLs that are not in the cache will be categorized as not resolved and will be allowed.
Always renew your license in time to ensure network security.
Allow List: Enter the IP addresses or URL pathnames of the websites that you want to allow or generate alerts on. Enter each IP address or URL one per line. If you would like to use an External Dynamic List to dynamically update the list of URLs that you wish to allow (without a commit), see Objects > External Dynamic Lists.
You must omit the http and https portion of the URLs when adding websites to the list.
Entries in the allow list are an exact match and are case-insensitive. For example, "www.paloaltonetworks.com" is different from "paloaltonetworks.com". If you want to allow the entire domain, you should include both "*.paloaltonetworks.com" and "paloaltonetworks.com".
Examples:
www.paloaltonetworks.com
198.133.219.25/en/US
Block and allow lists support wildcard patterns. The following characters are considered separators: . / ? & = ; +
Every substring that is separated by the characters listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or *. For example, the following patterns are valid:
*.yahoo.com (tokens are "*", "yahoo" and "com")
www.*.com (tokens are "www", "*" and "com")
www.yahoo.com/search=* (tokens are "www", "yahoo", "com", "search" and "*")
The following patterns are invalid because the character * is not the only character in the token:
ww*.yahoo.com
www.y*.com
This list takes precedence over the selected website categories.
Block List: Enter the IP addresses or URL pathnames of the websites that you want to block or generate alerts on. Enter each URL one per line. If you would like to use an External Dynamic List to dynamically update the list of URLs that you wish to block (without a commit), see Objects > External Dynamic Lists.
You must omit the http and https portion of the URLs when adding websites to the list.
Entries in the block list are an exact match and are case-insensitive. For example, "www.paloaltonetworks.com" is different from "paloaltonetworks.com". If you want to block the entire domain, you should include both "*.paloaltonetworks.com" and "paloaltonetworks.com".
Examples:
www.paloaltonetworks.com
198.133.219.25/en/US
Block and allow lists support wildcard patterns. The following characters are considered separators: . / ? & = ; +
Every substring that is separated by the characters listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or *. For example, the following patterns are valid:
*.yahoo.com (tokens are "*", "yahoo" and "com")
www.*.com (tokens are "www", "*" and "com")
www.yahoo.com/search=* (tokens are "www", "yahoo", "com", "search" and "*")
The following patterns are invalid because the character * is not the only character in the token:
ww*.yahoo.com
www.y*.com
Action: Select the action to take when a website in the block list is accessed.
alert: Allow the user to access the website, but add an alert to the URL log.
block: Block access to the website.
continue: Allow the user to access the blocked page by clicking Continue on the block page.
override: Allow the user to access the blocked page after entering a password. The password and other override settings are specified in the URL Admin Override area of the Settings page (refer to the Management Settings table in Device > Setup > Management).
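The token and wildcard rules that the Allow List and Block List rows above share, as an added example (illustrative code, not Palo Alto Networks' implementation): it tokenizes an entry on the seven separator characters, rejects the invalid patterns the guide names, and matches URLs case-insensitively. The guide does not say how many tokens a "*" may span, so this example assumes one or more consecutive tokens; that assumption and the function names are the example's own.

```python
SEPARATORS = set("./?&=;+")  # the separator characters listed in the guide


def tokenize(entry):
    """Split an allow/block list entry into tokens at every separator."""
    tokens, current = [], ""
    for ch in entry:
        if ch in SEPARATORS:
            tokens.append(current)
            current = ""
        else:
            current += ch
    tokens.append(current)
    return tokens


def validate_pattern(entry):
    """Return None when the entry is a valid list pattern, else the reason.

    Rules from the guide: omit the http/https portion, tokens are ASCII,
    and '*' may only appear as a whole token ('ww*' is invalid).
    """
    if entry.lower().startswith(("http://", "https://")):
        return "omit the http/https portion of the URL"
    if not entry or not entry.isascii():
        return "entry must be non-empty ASCII"
    for tok in tokenize(entry):
        if "*" in tok and tok != "*":
            return f"'*' must be the only character in token {tok!r}"
    return None


def _match_tokens(pattern_tokens, url_tokens):
    """Recursive token match; '*' consumes one or more consecutive tokens
    (an assumption of this example, not a statement from the guide)."""
    if not pattern_tokens:
        return not url_tokens
    head, rest = pattern_tokens[0], pattern_tokens[1:]
    if head == "*":
        return any(_match_tokens(rest, url_tokens[i:])
                   for i in range(1, len(url_tokens) + 1))
    return (bool(url_tokens) and head == url_tokens[0]
            and _match_tokens(rest, url_tokens[1:]))


def matches(pattern, url):
    """Case-insensitive exact token match of `url` against a list entry."""
    reason = validate_pattern(pattern)
    if reason is not None:
        raise ValueError(reason)
    return _match_tokens(tokenize(pattern.lower()), tokenize(url.lower()))


def first_matching_entry(entries, url):
    """Return the first list entry that matches `url`, or None."""
    for entry in entries:
        if matches(entry, url):
            return entry
    return None


if __name__ == "__main__":
    # Constructed allow list; note the bare domain needs its own entry.
    allow = ["*.paloaltonetworks.com", "paloaltonetworks.com"]
    for url in ("docs.paloaltonetworks.com", "paloaltonetworks.com", "example.com"):
        print(url, "->", first_matching_entry(allow, url))
```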
URL Filtering Settings
Objects > Security Profiles > URL Filtering > URL Filtering Settings
URL Filtering Settings | Description
Log container page only (Default: Enabled): Select this option to log only the URLs that match the content type that is specified.
Enable Safe Search Enforcement (Default: Disabled. A URL filtering license is not required to use this feature.): Select this option to enforce strict safe search filtering.
Many search engines have a safe search setting that filters out adult images and videos in search query return traffic. When you select the setting to Enable Safe Search Enforcement, the firewall blocks search results if the end user is not using the strictest safe search settings in the search query. The firewall can enforce safe search for the following search providers: Google, Yahoo, Bing, Yandex, and YouTube. This is a best-effort setting and is not guaranteed by the search providers to work with every website.
To use safe search enforcement you must enable this setting and then attach the URL Filtering profile to a Security policy rule. The firewall will then block any matching search query return traffic that is not using the strictest safe search settings.
If you are performing a search on Yahoo Japan (yahoo.co.jp) while logged in to your Yahoo account, the lock option for the search setting must also be enabled.
To prevent users from bypassing this feature by using other search providers, configure the URL Filtering profile to block the search-engines category and then allow access to Bing, Google, Yahoo, Yandex, and YouTube.
HTTP Header Logging: Enabling HTTP Header Logging provides visibility into the attributes included in the HTTP request sent to a server. When enabled, one or more of the following attribute-value pairs are recorded in the URL Filtering log:
User-Agent: The web browser that the user used to access the URL. This information is sent in the HTTP request to the server. For example, the User-Agent can be Internet Explorer or Firefox. The User-Agent value in the log supports up to 1024 characters.
Referer: The URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested. The Referer value in the log supports up to 256 characters.
X-Forwarded-For: The header field option that preserves the IP address of the user who requested the web page. It allows you to identify the IP address of the user, which is particularly useful if you have a proxy server on your network or you have implemented Source NAT that is masking the user's IP address such that all requests seem to originate from the proxy server's IP address or a common IP address. The X-Forwarded-For value in the log supports up to 128 characters.
User Credential Detection
Objects > Security Profiles > URL Filtering > User Credential Detection
Enable the firewall to detect when users submit corporate credentials. The firewall uses one of three methods to detect valid credentials submitted to web pages. Each method requires User-ID, which enables the firewall to compare username and password submissions to web pages against valid corporate credentials. Select one of these methods to then continue to Prevent Credential Phishing based on URL category.
User Credential Detection Settings | Description
IP User: This credential detection method checks for valid username submissions. You can use this method to detect credential submissions that include a valid corporate username (regardless of the accompanying password). The firewall determines a username match by verifying that the username matches the user logged in to the source IP address of the session. To use this method, the firewall matches the submitted username against its IP-address-to-username mapping table. To use this method you can use any of the user mapping methods described in Map IP Addresses to Users.
Group Mapping: The firewall determines if the username a user submits to a restricted site matches any valid corporate username. To do this, the firewall matches the submitted username to the list of usernames in its user-to-group mapping table to detect when users submit a corporate username to a site in a restricted category.
This method only checks for corporate username submissions based on LDAP group membership, which makes it simple to configure, but more prone to false positives. You must enable group mapping to use this method.
Domain Credential: This credential detection method enables the firewall to check for a valid corporate username and the associated password. The firewall determines if the username and password a user submits match the same user's corporate username and password. To do this, the firewall must be able to match credential submissions to valid corporate usernames and passwords and verify that the username submitted maps to the IP address of the logged-in user. This mode is supported only with the Windows-based User-ID agent, and requires that the User-ID agent is installed on a read-only domain controller (RODC) and equipped with the User-ID Credential Service Add-on. To use this method, you must also enable User-ID to Map IP Addresses to Users using any of the supported user mapping methods, including Authentication Policy and Captive Portal and GlobalProtect.
See Prevent Credential Phishing for details on each of the methods the firewall can use to check for valid corporate credential submissions, and for steps to enable phishing prevention.
Valid Username Detected Log Severity: Set the severity for logs that indicate the firewall detected a valid username submission to a website.
This log severity is associated with events where a valid username is submitted to websites with credential submission permissions set to alert, block, or continue. Logs that record when a user submits a valid username to a website for which credential submissions are allowed have a severity of informational. Select Categories to review or adjust the URL categories to which credential submissions are allowed and blocked.
Objects > Security Profiles > File Blocking

You can attach a File Blocking profile to a Security policy rule (Policies > Security) to block users from uploading or downloading specified file types, or to generate an alert when a user attempts to upload or download specified file types.

The following table describes the File Blocking profile settings.

File Blocking Profile Settings

Name: Enter a profile name (up to 31 characters). This name appears in the list of File Blocking profiles when defining Security policy rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: Enter a description for the profile (up to 255 characters).

Shared: Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this File Blocking profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Rules: Define one or more rules to specify the action taken (if any) for the selected file types. To add a rule, specify the following and click Add:
- Name: Enter a rule name (up to 31 characters).
- Applications: Select the applications the rule applies to, or select any.
- File Types: Click in the File Types field and then click Add to view a list of supported file types. Click a file type to add it to the profile and continue to add additional file types as needed. If you select Any, the defined action is taken on all supported file types.
- Direction: Select the direction of the file transfer (Upload, Download, or Both).
- Action: Select the action taken when the selected file types are detected:
  - alert: An entry is added to the Threat log.
  - block: The file is blocked.
  - continue: A message to the user indicates that a download has been requested and asks the user to confirm whether to continue. The purpose is to warn the user of a possibly unknown download (also known as a drive-by download) and to give the user the option of continuing or stopping the download.
    When you create a File Blocking profile with the action continue or continue-and-forward (used for WildFire forwarding), you can only choose the application web-browsing. If you choose any other application, traffic that matches the Security policy rule will not flow through the firewall, because users of that application are never presented with a continue page to acknowledge.
  - forward: The file is automatically sent to WildFire.
  - continue-and-forward: A continue page is presented, and the file is sent to WildFire (combines the continue and forward actions). This action only works with web-based traffic, because a user must click continue before the file is forwarded, and the continue response page is only available with http/https.
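The rule semantics above (first matching rule wins; rules key on application, file type, direction and action; continue actions are only valid for web-browsing) as an added example. This is not PAN-OS code and not the firewall's own file-type identification: the magic-byte table is a small constructed subset, used only to make the point that a file is classified by its content, so renaming an executable to .txt does not evade the profile.

```python
"""Added example (not PAN-OS code): evaluates File Blocking profile rules
against sample transfers. It models the rule semantics described above:
first matching rule wins, file types are identified from file content
(here a small constructed magic-byte table, an assumption), and the
continue / continue-and-forward actions are only valid for web-browsing.
"""
from dataclasses import dataclass

# Constructed subset of file signatures; the firewall's own identification is richer.
MAGIC = {
    b"MZ": "pe",            # Windows executable (EXE/DLL)
    b"\x7fELF": "elf",      # Linux executable
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",   # also the container for docx/xlsx/apk
}

def identify_file_type(data: bytes) -> str:
    """Classify a transfer by leading bytes, never by the filename's extension."""
    for signature, file_type in MAGIC.items():
        if data.startswith(signature):
            return file_type
    return "unknown"

@dataclass
class FileBlockingRule:
    name: str
    applications: set       # {"any"} or App-ID names such as {"web-browsing"}
    file_types: set         # {"any"} or file types such as {"pe", "elf"}
    direction: str          # "upload", "download", or "both"
    action: str             # alert, block, continue, forward, continue-and-forward

    def __post_init__(self):
        # A continue page is an HTTP response page, so only web-browsing can
        # carry it; with any other application the traffic would silently stop.
        if self.action in ("continue", "continue-and-forward") \
                and self.applications != {"web-browsing"}:
            raise ValueError(
                f"rule {self.name!r}: action {self.action} requires "
                "applications == {'web-browsing'}")

    def matches(self, application: str, file_type: str, direction: str) -> bool:
        return (("any" in self.applications or application in self.applications)
                and ("any" in self.file_types or file_type in self.file_types)
                and (self.direction == "both" or self.direction == direction))

def evaluate(rules, application: str, data: bytes, direction: str):
    """Return (rule name, identified file type, action) for the first match;
    a transfer that no rule matches is allowed without a log entry."""
    file_type = identify_file_type(data)
    for rule in rules:
        if rule.matches(application, file_type, direction):
            return rule.name, file_type, rule.action
    return None, file_type, "allow"

# Constructed profile: block executables everywhere, make browser users
# confirm archive/PDF downloads, and log everything else.
PROFILE = [
    FileBlockingRule("block-executables", {"any"}, {"pe", "elf"}, "both", "block"),
    FileBlockingRule("confirm-web-downloads", {"web-browsing"}, {"zip", "pdf"}, "download", "continue"),
    FileBlockingRule("alert-everything-else", {"any"}, {"any"}, "both", "alert"),
]

# Constructed sample payloads (only the leading bytes matter here).
RENAMED_EXE = b"MZ\x90\x00\x03\x00\x00\x00"      # served to the browser as "invoice.txt"
PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
ZIP = b"PK\x03\x04\x14\x00\x00\x00"

def bad_continue_rule_rejected() -> bool:
    """A continue rule on anything but web-browsing is rejected when defined."""
    try:
        FileBlockingRule("bad", {"ftp"}, {"any"}, "download", "continue")
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for app, data, direction in [("web-browsing", RENAMED_EXE, "download"),
                                 ("web-browsing", PDF, "download"),
                                 ("ftp", ZIP, "upload")]:
        print(app, direction, evaluate(PROFILE, app, data, direction))
```

Rule order matters: the executable rule is listed first so that a browser download of a renamed PE is blocked rather than merely confirmed, and the catch-all alert rule last so that nothing leaves without a Threat log entry.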
Objects > Security Profiles > WildFire Analysis

Use a WildFire Analysis profile to specify whether WildFire file analysis is performed locally on a WildFire appliance or in the WildFire cloud. You can specify traffic to be forwarded to the public cloud or the private cloud based on file type, application, or the transmission direction of the file (upload or download). After creating a WildFire Analysis profile, adding the profile to a policy rule (Policies > Security) allows you to apply the profile settings to any traffic matched by that rule (for example, a URL category defined in the rule).

WildFire Analysis Profile Settings

Name: Enter a descriptive name for the WildFire Analysis profile (up to 31 characters). This name appears in the list of WildFire Analysis profiles that you can choose from when defining a Security policy rule. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: Optionally describe the profile rules or the intended use for the profile (up to 255 characters).

Shared: Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Rules: Define one or more rules to specify traffic to forward to either the WildFire public cloud or the WildFire appliance (private cloud) for analysis.
- Enter a descriptive Name for any rule you add to the profile (up to 31 characters).
- Add an Application so that traffic for that application is matched to the rule and forwarded to the specified analysis destination.
- Select a File Type to be analyzed at the defined analysis destination for the rule.
  A WildFire private cloud (hosted by a WF-500 appliance) does not support analysis of APK files.
- Apply the rule to traffic depending on the transmission Direction. You can apply the rule to upload traffic, download traffic, or both.
- Select the Destination for traffic to be forwarded for analysis:
  - Select public cloud so that all traffic matched to the rule is forwarded to the WildFire public cloud for analysis.
  - Select private cloud so that all traffic matched to the rule is forwarded to the WildFire appliance for analysis.
Objects > Security Profiles > Data Filtering

Data filtering enables the firewall to detect sensitive information such as credit card or social security numbers, or internal corporate documents, and prevent this data from leaving a secure network. Before you enable data filtering, select Objects > Custom Objects > Data Patterns to define the type of data you want to filter (such as social security numbers or document titles that contain the word confidential). You can add several data pattern objects to a single Data Filtering profile and, when the profile is attached to a Security policy rule, the firewall scans allowed traffic for each data pattern and blocks matching traffic based on the Data Filtering profile settings.

Data Filtering Profile Settings

Name: Enter a profile name (up to 31 characters). This name appears in the list of Data Filtering profiles when defining Security policy rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: Enter a description for the profile (up to 255 characters).

Shared: Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Data Filtering profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Data Capture: Select this option to automatically collect the data that is blocked by the filter.
Specify a password for Manage Data Protection on the Settings page to view your captured data (refer to Device > Setup > Management). The capture contains the matched sensitive content itself, so treat that password accordingly.

Data Pattern: Add an existing data pattern to use for filtering, or select New to configure a new data pattern object (Objects > Custom Objects > Data Patterns).

Applications: Specify the applications to include in the filtering rule:
- Choose any to apply the filter to all of the listed applications. This selection does not block all possible applications, just the listed ones.
- Click Add to specify individual applications.

File Types: Specify the file types to include in the filtering rule:
- Choose any to apply the filter to all of the listed file types. This selection does not block all possible file types, just the listed ones.
- Click Add to specify individual file types.

Direction: Specify whether to apply the filter in the upload direction, the download direction, or both.

Alert Threshold: Specify the number of times the data pattern must be detected in a file to trigger an alert.

Block Threshold: Block files that contain at least this many instances of the data pattern.

Log Severity: Define the log severity recorded for events that match this Data Filtering profile rule.
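The threshold logic above, as an added example rather than PAN-OS code: two constructed data patterns stand in for Data Pattern objects (a credit card pattern that also applies the Luhn checksum, so arbitrary 16-digit strings are not counted, and a US SSN pattern), a rule counts instances per file and compares them with the Alert and Block thresholds, and the Direction setting decides whether the rule applies at all. The sample files are constructed; the card numbers are the usual test numbers.

```python
"""Added example (not PAN-OS code): a Data Filtering rule applied to sample
files. Two constructed data patterns stand in for the firewall's Data
Pattern objects: credit card numbers (format plus Luhn check, so random
16-digit strings are not counted) and US Social Security numbers. Alert
and Block thresholds count pattern instances per file, as described above.
"""
import re
from dataclasses import dataclass
from typing import Callable

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def count_credit_cards(text: str) -> int:
    return sum(1 for m in CARD_RE.finditer(text)
               if luhn_ok(re.sub(r"[ -]", "", m.group())))

def count_ssns(text: str) -> int:
    return len(SSN_RE.findall(text))

@dataclass
class DataFilteringRule:
    name: str
    data_pattern: Callable[[str], int]   # stands in for the Data Pattern object
    direction: str                       # "upload", "download", or "both"
    alert_threshold: int
    block_threshold: int

    def evaluate(self, text: str, direction: str):
        """Return (verdict, instance count) for one file in one direction."""
        if self.direction != "both" and self.direction != direction:
            return "allow", 0
        hits = self.data_pattern(text)
        if hits >= self.block_threshold:
            return "block", hits
        if hits >= self.alert_threshold:
            return "alert", hits
        return "allow", hits

# Constructed rules: one exposed card in an upload is worth a look; three
# looks like a bulk export and is blocked (and captured if Data Capture is on).
CARD_UPLOAD_RULE = DataFilteringRule("pci-upload", count_credit_cards, "upload",
                                     alert_threshold=1, block_threshold=3)
SSN_RULE = DataFilteringRule("ssn-any", count_ssns, "both",
                             alert_threshold=1, block_threshold=5)

# Constructed sample files. 4111..., 4242..., 5555... pass Luhn; 1234... does not.
EXPENSE_NOTE = "Paid with card 4111 1111 1111 1111, receipt attached."
CUSTOMER_EXPORT = ("id,name,card\n"
                   "1,alice,4242424242424242\n"
                   "2,bob,5555-5555-5555-4444\n"
                   "3,carol,4111111111111111\n"
                   "4,dave,1234567812345678\n")
HR_FORM = "Employee 123-45-6789 (not 000-12-3456, which is not a valid SSN)."

def scan(files: dict, direction: str, rules=(CARD_UPLOAD_RULE, SSN_RULE)) -> dict:
    """Apply every rule to every file; the most severe verdict per file wins."""
    severity = {"allow": 0, "alert": 1, "block": 2}
    results = {}
    for name, text in files.items():
        worst = ("allow", 0)
        for rule in rules:
            verdict = rule.evaluate(text, direction)
            if severity[verdict[0]] > severity[worst[0]]:
                worst = verdict
        results[name] = worst
    return results

if __name__ == "__main__":
    files = {"note.txt": EXPENSE_NOTE, "export.csv": CUSTOMER_EXPORT, "hr.txt": HR_FORM}
    print("upload  ", scan(files, "upload"))
    print("download", scan(files, "download"))
```

The checksum matters in practice: without it, any 16-digit identifier (order numbers, serials) counts toward the Block Threshold and the rule becomes a source of false positives that users learn to route around.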
Objects > Security Profiles > DoS Protection

DoS Protection profiles are designed for high-precision targeting and they augment Zone Protection profiles. A DoS Protection profile specifies the threshold rates at which new connections per second (cps) trigger an alarm and an action (specified in the DoS Protection policy). The DoS Protection profile also specifies the maximum rate of connections per second and how long a blocked IP address remains on the Block IP list. You apply a DoS Protection profile to a DoS Protection policy rule, where you specify the criteria for packets to match the rule.

A DoS Protection profile is configured to be an Aggregate or Classified type. You can apply a Classified DoS Protection profile only to a Classified DoS Protection rule.
- A Classified DoS Protection rule has Classified selected and specifies a Classified DoS Protection profile. When the DoS Protection rule action is Protect, the firewall counts connections toward the cps thresholds of the DoS Protection profile if the packet meets the specified Address type: source-ip-only, destination-ip-only, or src-dest-ip-both.
- By comparison, a DoS Protection rule is an Aggregate rule when Classified is not selected. When the DoS Protection rule action is Protect, an Aggregate rule causes the firewall to count all connections that meet the criteria for the rule (the aggregate) toward the cps thresholds specified in the Aggregate DoS Protection profile identified in the rule.

To apply a DoS Protection profile to a DoS Protection policy rule, see Policies > DoS Protection.

If you have a multiple virtual system (multi-vsys) environment and have configured the following:
- External zones to enable inter-virtual-system communication, and
- Shared gateways to allow virtual systems to share a common interface and a single IP address for external communications,
then the following Zone and DoS protection mechanisms are disabled on the external zone:
- SYN cookies
- IP fragmentation
- ICMPv6
To enable IP fragmentation and ICMPv6 protection, create a separate Zone Protection profile for the shared gateway.
To protect against SYN floods on a shared gateway, you can apply a SYN Flood protection profile with either Random Early Drop or SYN cookies. On an external zone, only Random Early Drop is available for SYN Flood protection.

DoS Protection Profile Settings

Name: Enter a profile name (up to 31 characters). This name appears in the list of DoS Protection profiles when defining DoS Protection policy rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this DoS Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Description: Enter a description of the profile (up to 255 characters).

Type: Select one of the following profile types:
- aggregate: Apply the DoS thresholds configured in the profile to all connections that match the criteria of the rule on which this profile is applied. For example, an aggregate rule with a SYN flood threshold of 10,000 connections per second (cps) counts all connections that hit that particular DoS rule.
- classified: Apply the DoS thresholds configured in the profile to the connections that match the classification criterion (source IP address, destination IP address, or source and destination IP address pair).

SYN Flood tab, UDP Flood tab, ICMP Flood tab, ICMPv6 tab, Other IP tab: Select the option on each tab to enable the type of flood protection indicated on the tab and specify the following settings:
- Action (SYN Flood only): Action that the firewall performs if the DoS Protection policy action is Protect and incoming connections per second (cps) reach the Activate Rate. Choose one of the following:
  - Random Early Drop: Drop packets randomly when connections per second reach the Activate Rate threshold.
  - SYN cookies: Use SYN cookies to generate acknowledgments so that it is not necessary to drop connections during a SYN flood attack.
- Alarm Rate: Specify the threshold rate (cps) at which a DoS alarm is generated (range is 0 to 2,000,000 cps; default is 10,000 cps).
- Activate Rate: Specify the threshold rate (cps) at which a DoS response is activated. The DoS response is configured in the Action field of the DoS Protection profile (Random Early Drop or SYN cookies). The Activate Rate range is 0 to 2,000,000 cps; default is 10,000 cps.
  If the profile Action is Random Early Drop (RED), RED starts when incoming connections per second reach the Activate Rate threshold. As the cps rate increases, the RED drop rate increases according to an algorithm. The firewall continues with RED until the cps rate reaches the Max Rate threshold.
- Max Rate: Specify the threshold rate of incoming connections per second the firewall allows. At the Max Rate threshold, the firewall drops 100% of new connections (range is 2 to 2,000,000 cps; default is 40,000 cps).
- Block Duration: Specify the length of time (seconds) during which the offending IP address remains on the Block IP list and connections with that IP address are blocked. The firewall doesn't count packets that arrive during the block duration toward the Alarm Rate, Activate Rate, or Max Rate thresholds (range is 1 to 21,600 seconds; default is 300 seconds).

Sessions: Select this option to enable resources protection.

Max Concurrent Limit: Specify the maximum number of concurrent sessions.
- For the Aggregate profile type, this limit applies to all traffic hitting the DoS Protection rule on which the DoS Protection profile is applied.
- For the Classified profile type, this limit applies to the traffic on a classified basis (source IP, destination IP, or source and destination IP) hitting the DoS Protection rule to which the DoS Protection profile is applied.
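How the Alarm Rate, Activate Rate, Max Rate and Block Duration thresholds interact, as an added model rather than PAN-OS code. The guide says only that RED ramps up "according to an algorithm", so the linear ramp from Activate Rate to Max Rate below is an assumption made for illustration; the small thresholds and the per-second connection counts are constructed. The classified rule tracks each source IP separately and keeps its own Block IP list; the aggregate function applies the same thresholds to the sum over all sources.

```python
"""Added example (not PAN-OS code): a model of how a classified DoS
Protection profile's Alarm Rate, Activate Rate, Max Rate and Block Duration
interact, driven by constructed per-second connection counts. The firewall
publishes only that Random Early Drop (RED) ramps up 'according to an
algorithm'; the linear ramp below is an assumption made for illustration.
"""
from dataclasses import dataclass, field

@dataclass
class DoSProtectionProfile:
    action: str = "random-early-drop"   # or "syn-cookies" (SYN Flood tab only)
    alarm_rate: int = 10_000            # cps at which a DoS alarm is logged
    activate_rate: int = 10_000         # cps at which the Action starts
    max_rate: int = 40_000              # cps at which 100% of new connections drop
    block_duration: int = 300           # seconds an offender stays on the Block IP list

    def red_drop_probability(self, cps: int) -> float:
        """Assumed linear RED ramp: 0 at Activate Rate, 1.0 at Max Rate."""
        if cps < self.activate_rate:
            return 0.0
        if cps >= self.max_rate:
            return 1.0
        return (cps - self.activate_rate) / (self.max_rate - self.activate_rate)

@dataclass
class ClassifiedDoSRule:
    """A DoS Protection rule with action Protect, classified by source IP."""
    profile: DoSProtectionProfile
    block_list: dict = field(default_factory=dict)   # src -> time the block expires

    def process_second(self, now: int, cps_by_source: dict) -> dict:
        """Return {src: (state, drop_probability, alarm)} for one second of traffic."""
        verdicts = {}
        for src, cps in cps_by_source.items():
            if src in self.block_list and now < self.block_list[src]:
                # Blocked traffic is dropped and, per the guide, not counted
                # toward the Alarm, Activate or Max Rate thresholds.
                verdicts[src] = ("blocked", 1.0, False)
                continue
            self.block_list.pop(src, None)          # block duration has elapsed
            p = self.profile
            alarm = cps >= p.alarm_rate
            if cps >= p.max_rate:
                self.block_list[src] = now + p.block_duration
                verdicts[src] = ("max-rate", 1.0, alarm)
            elif cps >= p.activate_rate:
                if p.action == "syn-cookies":
                    verdicts[src] = ("syn-cookies", 0.0, alarm)   # proxied, not dropped
                else:
                    verdicts[src] = ("red", p.red_drop_probability(cps), alarm)
            else:
                verdicts[src] = ("allow", 0.0, alarm)
        return verdicts

def aggregate_verdict(profile: DoSProtectionProfile, cps_by_source: dict):
    """An aggregate rule applies the thresholds to the sum over all sources,
    so many sources each below the limit can still trigger the action."""
    total = sum(cps_by_source.values())
    if total >= profile.max_rate:
        return "max-rate", total
    if total >= profile.activate_rate:
        return "red", total
    return "allow", total

# Constructed thresholds (small, so the arithmetic is easy to follow) and traffic.
PROFILE = DoSProtectionProfile(alarm_rate=100, activate_rate=200, max_rate=1_000, block_duration=300)
SECOND_0 = {"10.0.0.1": 50, "10.0.0.2": 600, "10.0.0.3": 5_000}

def run_timeline():
    rule = ClassifiedDoSRule(PROFILE)
    t0 = rule.process_second(0, SECOND_0)
    t1 = rule.process_second(1, {"10.0.0.3": 10})      # still within Block Duration
    t300 = rule.process_second(300, {"10.0.0.3": 10})  # block expired, counted again
    return t0, t1, t300

if __name__ == "__main__":
    for label, verdict in zip(("t=0", "t=1", "t=300"), run_timeline()):
        print(label, verdict)
    print("aggregate", aggregate_verdict(PROFILE, {f"10.0.1.{i}": 150 for i in range(10)}))
```

The aggregate call at the end is the case classified rules miss: ten sources at 150 cps each stay under every per-source threshold, but together they exceed the Max Rate of 1,000 cps.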
Objects > Security Profile Groups

The firewall supports the ability to create Security Profile groups, which specify sets of Security Profiles that can be treated as a unit and then added to Security policy rules. For example, you can create a threats Security Profile group that includes profiles for Antivirus, Anti-Spyware, and Vulnerability Protection, and then create a Security policy rule that includes the threats group.

Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, and File Blocking profiles that are often assigned together can be combined into profile groups to simplify the creation of Security policy rules.

To define a new Security Profile, select Objects > Security Profiles.

The following table describes the Security Profile group settings:

Security Profile Group Settings

Name: Enter the profile group name (up to 31 characters). This name appears in the profiles list when defining Security policy rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the profile group to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile group will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile group will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Security Profile group object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Profiles: Select an Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, and/or File Blocking profile to be included in this group. Data Filtering profiles can also be specified in Security Profile groups; refer to Objects > Security Profiles > Data Filtering.
Objects > Log Forwarding

By default, the logs that the firewall generates reside only in its local storage. However, if you want to use Panorama or external services (such as a syslog server) to centrally monitor log information, you can define a Log Forwarding profile and assign it to Security, Authentication, and DoS Protection policy rules. Log Forwarding profiles define forwarding destinations for the following log types: Traffic, Threat, WildFire Submissions, URL Filtering, Data Filtering, Tunnel Inspection, and Authentication logs.

To forward other log types, see Device > Log Settings.

On PA-7000 Series firewalls, you must configure a Log Card interface for the firewall to forward logs to the following logging destinations: Syslog, HTTP, Email, and SNMP. This is also required to forward files to WildFire. After the port is configured, log forwarding and WildFire forwarding automatically use this port, and no special configuration is required for this to occur. Just configure a data port on one of the PA-7000 Series NPCs as interface type Log Card and ensure that the network that will be used can communicate with your log servers. For WildFire forwarding, the network must communicate successfully with the WildFire cloud and/or WildFire appliance.

The following table describes the Log Forwarding profile settings:

Log Forwarding Profile Settings

Name: Enter a name (up to 64 characters) to identify the profile. This name appears in the list of Log Forwarding profiles when defining Security policy rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Log Forwarding profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Description: Enter a description to explain the purpose of this Log Forwarding profile.

Match List (unlabeled): Add one or more match list profiles (up to 64) that specify forwarding destinations, log-attribute-based filters to control which logs the firewall forwards, and actions to perform on the logs (such as automatic tagging). Complete the following fields for each match list profile.

Name (match list profile): Enter a name (up to 31 characters) to identify the match list profile.

Description (match list profile): Enter a description (up to 1,023 characters) to explain the purpose of this match list profile.

Log Type: Select the type of logs to which this match list profile applies: traffic, threat, WildFire, URL, data, tunnel, or authentication (auth).

Panorama: Select Panorama if you want to forward logs to Log Collectors or the Panorama management server. If you enable this option, you must also configure log forwarding to Panorama.

SNMP: Add one or more SNMP Trap server profiles to forward logs as SNMP traps (see Device > Server Profiles > SNMP Trap).

Email: Add one or more Email server profiles to forward logs as email notifications (see Device > Server Profiles > Email).

Syslog: Add one or more Syslog server profiles to forward logs as syslog messages (see Device > Server Profiles > Syslog).

HTTP: Add one or more HTTP server profiles to forward logs as HTTP requests (see Device > Server Profiles > HTTP).

Built-in Actions: Add the action to perform. You can automatically add or remove a tag on the source or destination IP address in a log entry and register the IP-address-to-tag mapping to a User-ID agent on the firewall or Panorama, or to a remote User-ID agent, so that you can respond to an event and dynamically enforce Security policy. The ability to tag an IP address and dynamically enforce policy using dynamic address groups gives you better visibility, context, and control for consistently enforcing Security policy irrespective of where the IP address moves across your network.
Configure the following settings:
- Add an action and enter a name to describe it.
- Select the target IP address you want to tag: Source Address or Destination Address.
  You can take an action for all log types that include a source or destination IP address in the log entry. You can tag only the source IP address in Correlation logs and HIP Match logs; you cannot configure an action for System logs and Configuration logs because those log types do not include an IP address in the log entry.
- Select the action: Add Tag or Remove Tag.
- Select whether to register the IP-address-to-tag mapping to the Local User-ID agent on this firewall or Panorama, or to a Remote User-ID agent.
- To register the IP-address-to-tag mapping to a Remote User-ID agent, select the HTTP server profile (Device > Server Profiles > HTTP) that will enable forwarding.
- Enter or select the Tags you want to apply to or remove from the target source or destination IP address.
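A match list profile with a log-attribute filter, forwarding destinations and a built-in Add Tag action, run over constructed log entries, as an added example that is not PAN-OS code. It implements only a small subset of the firewall's log filter syntax (terms of the form `(attribute eq value)` or `(attribute neq value)` joined by `and`); the tag registry and the dynamic address group are a stand-in for the local User-ID agent and are assumptions for the example. Syslog server profile names and IP addresses are constructed.

```python
"""Added example (not PAN-OS code): a Log Forwarding profile match list
applied to constructed log entries. It supports a small subset of the
firewall's log filter syntax, '(attribute eq|neq value)' terms joined by
'and', forwards matches to named Syslog server profiles and Panorama, and
runs the built-in Add Tag action, registering the IP-to-tag mapping so a
dynamic address group picks the host up for policy enforcement. The tag
registry below is a stand-in for the local User-ID agent (an assumption).
"""
import re
from dataclasses import dataclass, field

TERM = re.compile(r"\(\s*(\w+)\s+(eq|neq)\s+([^\s()]+)\s*\)")

def matches_filter(expr: str, log: dict) -> bool:
    """Evaluate '(a eq x) and (b neq y)'. Unsupported syntax raises rather than
    silently matching nothing, which would drop logs unnoticed."""
    terms = TERM.findall(expr)
    leftover = re.sub(r"\band\b", "", TERM.sub("", expr)).strip()
    if not terms or leftover:
        raise ValueError(f"unsupported filter: {expr!r}")
    for attr, op, value in terms:
        actual = str(log.get(attr, ""))
        if op == "eq" and actual != value:
            return False
        if op == "neq" and actual == value:
            return False
    return True

def filter_rejected(expr: str) -> bool:
    """True if the filter uses syntax this parser does not support."""
    try:
        matches_filter(expr, {})
    except ValueError:
        return True
    return False

@dataclass
class MatchListProfile:
    name: str
    log_type: str                        # traffic, threat, wildfire, url, data, tunnel, auth
    log_filter: str = "All Logs"
    syslog: list = field(default_factory=list)       # Syslog server profile names
    panorama: bool = False
    actions: list = field(default_factory=list)      # (add-tag|remove-tag, source|destination, tag)

class IpTagRegistry:
    """Stand-in for the local User-ID agent's IP-address-to-tag registrations."""
    def __init__(self):
        self.tags = {}
    def add(self, ip, tag):
        self.tags.setdefault(ip, set()).add(tag)
    def remove(self, ip, tag):
        self.tags.get(ip, set()).discard(tag)
    def dynamic_address_group(self, tag):
        """Members of a dynamic address group whose match criterion is this tag."""
        return {ip for ip, tags in self.tags.items() if tag in tags}

def forward(profile: MatchListProfile, log: dict, registry: IpTagRegistry, sent: list) -> bool:
    """Apply one match list profile to one log. Returns True if the log matched."""
    if log["type"] != profile.log_type:
        return False
    if profile.log_filter != "All Logs" and not matches_filter(profile.log_filter, log):
        return False
    for server_profile in profile.syslog:
        sent.append((server_profile, log["id"]))
    if profile.panorama:
        sent.append(("panorama", log["id"]))
    for action, target, tag in profile.actions:
        ip = log.get("src" if target == "source" else "dst")
        if ip is None:        # System and Config logs carry no IP address to tag
            continue
        (registry.add if action == "add-tag" else registry.remove)(ip, tag)
    return True

# Constructed Log Forwarding profile with two match list profiles.
QUARANTINE_CRITICAL = MatchListProfile(
    "quarantine-critical-threats", "threat", "(severity eq critical) and (action neq drop)",
    syslog=["soc-siem"], panorama=True,
    actions=[("add-tag", "source", "quarantine")])
ALL_TRAFFIC = MatchListProfile("all-traffic-to-siem", "traffic", syslog=["soc-siem"])

# Constructed sample logs (fields reduced to what the example needs).
LOGS = [
    {"id": 1, "type": "traffic", "src": "10.1.1.7", "dst": "203.0.113.9", "action": "allow"},
    {"id": 2, "type": "threat", "src": "10.1.1.7", "dst": "203.0.113.9", "severity": "critical", "action": "alert"},
    {"id": 3, "type": "threat", "src": "10.1.1.8", "dst": "203.0.113.9", "severity": "low", "action": "alert"},
    {"id": 4, "type": "threat", "src": "10.1.1.9", "dst": "203.0.113.9", "severity": "critical", "action": "drop"},
    {"id": 5, "type": "system", "severity": "critical"},
]

def run_demo():
    registry, sent = IpTagRegistry(), []
    for log in LOGS:
        for profile in (QUARANTINE_CRITICAL, ALL_TRAFFIC):
            forward(profile, log, registry, sent)
    return registry, sent

if __name__ == "__main__":
    registry, sent = run_demo()
    print("forwarded:", sent)
    print("quarantine group:", registry.dynamic_address_group("quarantine"))
```

Only the critical threat that the firewall did not already drop tags its source, so a Security policy rule whose source is the quarantine dynamic address group takes effect for 10.1.1.7 on the next session without a commit.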
Objects > Authentication

An authentication enforcement object specifies the method and service to use for authenticating end users who access your network resources. You assign the object to Authentication policy rules, which invoke the authentication method and service when traffic matches a rule (see Policies > Authentication).

The firewall has the following predefined, read-only authentication enforcement objects:
- default-browser-challenge: The firewall transparently obtains user authentication credentials. If you select this action, you must enable Kerberos single sign-on (SSO) or NT LAN Manager (NTLM) authentication when you configure Captive Portal. If Kerberos SSO authentication fails, the firewall falls back to NTLM authentication. If you did not configure NTLM, or NTLM authentication fails, the firewall falls back to the authentication method specified in the predefined default-web-form object.
- default-web-form: To authenticate users, the firewall uses the certificate profile or authentication profile you specified when configuring Captive Portal. If you specified an authentication profile, the firewall ignores any Kerberos SSO settings in the profile and presents a Captive Portal page for the user to enter authentication credentials.
- default-no-captive-portal: The firewall evaluates Security policy without authenticating users.

Before creating a custom authentication enforcement object:
- Configure a server profile that specifies how to connect to the authentication service (see Device > Server Profiles).
- Assign the server profile to an authentication profile that specifies authentication settings such as Kerberos single sign-on parameters (see Device > Authentication Profile).

To create a custom authentication enforcement object, click Add and complete the following fields:

Authentication Enforcement Settings

Name: Enter a descriptive name (up to 31 characters) to help you identify the object when defining Authentication rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the object to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the object will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the object will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this authentication enforcement object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Authentication Method: Select a method:
- browser-challenge: The firewall transparently obtains user authentication credentials. If you select this action, the Authentication Profile you select must have Kerberos SSO enabled, or else you must have configured NTLM in the Captive Portal settings. If Kerberos SSO authentication fails, the firewall falls back to NTLM authentication. If you did not configure NTLM, or NTLM authentication fails, the firewall falls back to web-form authentication.
- web-form: To authenticate users, the firewall uses the certificate profile you specified when configuring Captive Portal or the Authentication Profile you select in the authentication enforcement object. If you select an Authentication Profile, the firewall ignores any Kerberos SSO settings in the profile and presents a Captive Portal page for the user to enter authentication credentials.
- no-captive-portal: The firewall evaluates Security policy without authenticating users.

Authentication Profile: Select the authentication profile that specifies the service to use for validating the identities of users.

Message: Enter instructions that tell users how to respond to the first authentication challenge that they see when their traffic triggers the Authentication rule. The message displays in the Captive Portal Comfort Page. If you don't enter a message, the default Captive Portal Comfort Page displays (see Device > Response Pages).
The firewall displays the Captive Portal Comfort Page only for the first authentication challenge (factor), which you define in the Authentication tab of the Authentication Profile (see Device > Authentication Profile). For multi-factor authentication (MFA) challenges that you define in the Factors tab of the profile, the firewall displays the MFA Login Page.
Objects > Decryption Profile

Decryption profiles enable you to block and control specific aspects of SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy traffic. After you create a Decryption profile, you can add that profile to a Decryption policy rule; any traffic matched to the Decryption policy rule is enforced according to the profile settings.

You can also control the CAs that your firewall trusts. For more information, refer to Manage Default Trusted Certificate Authorities.

A default Decryption profile is configured on the firewall and is automatically included in new Decryption policy rules (you cannot modify the default Decryption profile). Click Add to create a new Decryption profile, or select an existing profile to Clone or modify it.

What are you looking for?
- Add a new Decryption profile, or enable port mirroring for decrypted traffic: see Decryption Profile General Settings.
- Block and control SSL decrypted traffic: see Settings to Control Decrypted SSL Traffic.
- Block and control traffic that you have excluded from decryption (for example, traffic classified as health-and-medicine or financial-services): see Settings to Control Traffic that is not Decrypted.
- Block and control decrypted SSH traffic: see Settings to Control Decrypted SSH Traffic.

Decryption Profile General Settings

Name: Enter a profile name (up to 31 characters). This name appears in the list of Decryption profiles when defining Decryption policy rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Decryption profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Decryption Mirroring Interface (PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls only): Select an Interface to use for decryption port mirroring. Before you can enable decryption port mirroring, you must obtain a Decryption Port Mirror license, install the license, and reboot the firewall.

Settings to Control Decrypted SSL Traffic

The following table describes the settings you can use to control SSL traffic that has been decrypted using either SSL Forward Proxy decryption or SSL Inbound Inspection. You can use these settings to limit or block SSL sessions based on criteria including the status of the external server certificate, the use of unsupported cipher suites or protocol versions, or the availability of system resources to process decryption.

SSL Decryption Tab Settings

SSL Forward Proxy Tab: Select options to limit or block SSL traffic decrypted using SSL Forward Proxy.

Server Certificate Validation: Select options to control server certificates for decrypted SSL traffic.
- Block sessions with expired certificates: Terminate the SSL connection if the server certificate is expired. This prevents a user from accepting an expired certificate and continuing with an SSL session.
- Block sessions with untrusted issuers: Terminate the SSL session if the server certificate issuer is untrusted.
- Block sessions with unknown certificate status: Terminate the SSL session if a server returns a certificate revocation status of unknown. The certificate revocation status indicates whether trust for the certificate has been revoked.
- Block sessions on certificate status check timeout: Terminate the SSL session if the certificate status cannot be retrieved within the amount of time that the firewall is configured to wait for a response from a certificate status service. You can configure the Certificate Status Timeout value when creating or modifying a certificate profile (Device > Certificate Management > Certificate Profile).
- Restrict certificate extensions: Limits the certificate extensions used in the dynamic server certificate to key usage and extended key usage.

Unsupported Mode Checks: Select options to control unsupported SSL applications.
- Block sessions with unsupported version: Terminate sessions if the protocol version in the client hello message is not supported by PAN-OS. PAN-OS supports SSLv3, TLS 1.0, TLS 1.1, and TLS 1.2.
- Block sessions with unsupported cipher suites: Terminate the session if the cipher suite specified in the SSL handshake is not supported by PAN-OS.
- Block sessions with client authentication: Terminate sessions that use client authentication for SSL Forward Proxy traffic.

Failure Checks: Select the action to take if system resources are not available to process decryption.
- Block sessions if resources not available: Terminate sessions if system resources are not available to process decryption.
- Block sessions if HSM not available: Terminate sessions if a hardware security module (HSM) is not available to sign certificates.

For unsupported modes and failure modes, the session information is cached for 12 hours, so future sessions between the same host and server pair are not decrypted. In other words, with these options cleared the firewall fails open: the session is allowed through undecrypted and uninspected. Enable the options to block those sessions instead.

SSL Inbound Inspection Tab: Select options to limit or block SSL traffic decrypted using SSL Inbound Inspection.

Unsupported Mode Checks: Select options to control sessions if unsupported modes are detected in SSL traffic.
- Block sessions with unsupported versions: Terminate sessions if the protocol version in the client hello message is not supported by PAN-OS. PAN-OS supports SSLv3, TLS 1.0, TLS 1.1, and TLS 1.2.
- Block sessions with unsupported cipher suites: Terminate the session if the cipher suite used is not supported by PAN-OS.

Failure Checks: Select the action to take if system resources are not available.
- Block sessions if resources not available: Terminate sessions if system resources are not available to process decryption.
- Block sessions if HSM not available: Terminate sessions if a hardware security module (HSM) is not available to decrypt the session key.

SSL Protocol Settings Tab: Select the following settings to enforce protocol versions and cipher suites for SSL session traffic.
- Protocol Versions: Enforce the use of minimum and maximum protocol versions for the SSL session.
  - Min Version: Set the minimum protocol version that can be used to establish the SSL connection. In practice, set this to TLS 1.2 unless a specific legacy server requires otherwise; SSLv3 and TLS 1.0 are deprecated and have known weaknesses.
  - Max Version: Set the maximum protocol version that can be used to establish the SSL connection. You can choose the option Max so that no maximum version is specified; in this case, protocol versions equal to or later than the selected minimum version are supported.
- Key Exchange Algorithms: Enforce the use of the selected key exchange algorithms for the SSL session. To implement Perfect Forward Secrecy (PFS) for SSL Forward Proxy decrypted traffic, select DHE to enable Diffie-Hellman key exchange based PFS or ECDHE to enable elliptic curve Diffie-Hellman based PFS.
- Encryption Algorithms: Enforce the use of the selected encryption algorithms for the SSL session.
- Authentication Algorithms: Enforce the use of the selected authentication algorithms for the SSL session.
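The protocol version and cipher suite checks above, applied to a parsed TLS ClientHello, as an added example that is not PAN-OS code and does not model how the firewall negotiates, only the accept/block decision. The cipher suite table is a small subset of the IANA assignments; the ClientHello builder exists only to construct the sample input; the settings object mirrors the Min Version, Max Version, Key Exchange and Encryption Algorithms fields plus the two "block sessions with unsupported version / cipher suites" options.

```python
"""Added example (not PAN-OS code): parses a TLS ClientHello and applies the
SSL Protocol Settings described above (Min/Max Version, Key Exchange and
Encryption Algorithms) plus the 'block sessions with unsupported version /
cipher suites' checks. The cipher suite table is a small subset of IANA
assignments; the ClientHello builder constructs the sample input. How the
firewall itself negotiates is not modelled, only the accept/block decision.
"""
import struct
from dataclasses import dataclass, field

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}
ORDER = ["SSLv3", "TLS1.0", "TLS1.1", "TLS1.2"]

# IANA value: (name, key exchange, encryption, authentication/PRF hash)
SUITES = {
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE", "AES128-GCM", "SHA256"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE", "AES256-GCM", "SHA384"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE", "AES128-GCM", "SHA256"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE", "AES128-GCM", "SHA256"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", "AES128-CBC", "SHA1"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA", "AES256-CBC", "SHA1"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA", "3DES", "SHA1"),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RSA", "RC4", "SHA1"),
}

def build_client_hello(version: int, suites) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello (sample input only)."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"     # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00" + struct.pack("!H", 0)                      # null compression, no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake

def parse_client_hello(record: bytes):
    """Return (client_version, [cipher suite ids]) from a TLS handshake record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (record_len,) = struct.unpack("!H", record[3:5])
    handshake = record[5:5 + record_len]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    (version,) = struct.unpack("!H", body[:2])
    offset = 2 + 32                              # skip client_version and random
    offset += 1 + body[offset]                   # skip session id
    (suites_len,) = struct.unpack("!H", body[offset:offset + 2])
    offset += 2
    suites = [struct.unpack("!H", body[offset + i:offset + i + 2])[0]
              for i in range(0, suites_len, 2)]
    return version, suites

@dataclass
class SSLProtocolSettings:
    min_version: str = "TLS1.2"
    max_version: str = "Max"
    key_exchange: set = field(default_factory=lambda: {"ECDHE", "DHE"})   # PFS only
    encryption: set = field(default_factory=lambda: {"AES128-GCM", "AES256-GCM"})
    block_unsupported_version: bool = True
    block_unsupported_cipher: bool = True

def evaluate(settings: SSLProtocolSettings, record: bytes):
    """Decide whether this ClientHello would be admitted for decryption."""
    version, suites = parse_client_hello(record)
    name = VERSIONS.get(version)
    if name is None:
        return ("block" if settings.block_unsupported_version else "pass-through",
                f"unsupported version 0x{version:04x}")
    if ORDER.index(name) < ORDER.index(settings.min_version):
        return "block", f"{name} is below Min Version {settings.min_version}"
    if settings.max_version != "Max" and ORDER.index(name) > ORDER.index(settings.max_version):
        return "block", f"{name} is above Max Version {settings.max_version}"
    known = [SUITES[s] for s in suites if s in SUITES]
    if not known and settings.block_unsupported_cipher:
        return "block", "no offered cipher suite is supported"
    acceptable = [n for n, kx, enc, _ in known
                  if kx in settings.key_exchange and enc in settings.encryption]
    if not acceptable:
        return "block", "no offered cipher suite satisfies the profile"
    return "allow", acceptable

# Constructed ClientHellos.
MODERN = build_client_hello(0x0303, [0xC02F, 0xC030, 0x002F])
LEGACY_TLS10 = build_client_hello(0x0301, [0x002F, 0x000A])
RSA_ONLY = build_client_hello(0x0303, [0x002F, 0x0035])

if __name__ == "__main__":
    settings = SSLProtocolSettings()
    for label, hello in (("modern", MODERN), ("tls1.0", LEGACY_TLS10), ("rsa-only", RSA_ONLY)):
        print(label, evaluate(settings, hello))
```

The third case is the one that surprises people: a TLS 1.2 client that offers only static-RSA suites is blocked by a profile that requires DHE or ECDHE, even though the version check passes, so check the Key Exchange setting before blaming the Min Version.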
Settings to Control Traffic that is not Decrypted

You can use the No Decryption tab to enable settings that block traffic matched to a Decryption policy rule configured with the No Decrypt action (Policies > Decryption > Action). Use these options to control server certificates for the session, even though the firewall does not decrypt and inspect the session traffic.

No Decryption Tab Settings

Block sessions with expired certificates: Terminate the SSL connection if the server certificate is expired. This prevents a user from accepting an expired certificate and continuing with an SSL session.

Block sessions with untrusted issuers: Terminate the SSL session if the server certificate issuer is untrusted.

Settings to Control Decrypted SSH Traffic

The following table describes the settings you can use to control decrypted inbound and outbound SSH traffic. These settings allow you to limit or block SSH-tunneled traffic based on criteria including the use of unsupported algorithms, the detection of SSH errors, or the availability of resources to process SSH Proxy decryption.

SSH Proxy Tab Settings

Unsupported Mode Checks: Use these options to control sessions if unsupported modes are detected in SSH traffic. The supported SSH version is SSH version 2.
- Block sessions with unsupported versions: Terminate sessions if the protocol version the client announces is not supported by PAN-OS.
- Block sessions with unsupported algorithms: Terminate sessions if the algorithm specified by the client or server is not supported by PAN-OS.

Failure Checks: Select actions to take if SSH application errors occur and if system resources are not available.
- Block sessions on SSH errors: Terminate sessions if SSH errors occur.
- Block sessions if resources not available: Terminate sessions if system resources are not available to process decryption.
Objects > Schedules

By default, Security policy rules are always in effect (all dates and times). To limit a Security policy rule to specific times, you can define schedules and then apply them to the appropriate policy rules. For each schedule, you can specify a fixed date and time range or a recurring daily or weekly schedule. To apply schedules to Security policy rules, refer to Policies > Security.

When a Security policy rule is invoked by a defined schedule, only new sessions are affected by the applied Security policy rule. Existing sessions are not affected by the scheduled policy.

Schedule Settings

Name: Enter a schedule name (up to 31 characters). This name appears in the schedule list when defining Security policy rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the schedule to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the schedule will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the schedule will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this schedule in device groups that inherit the schedule. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the schedule.

Recurrence: Select the type of schedule (Daily, Weekly, or Non-Recurring).
Network > Virtual Wires
Virtual Wire Settings | Description
Virtual Wire Name: Enter a virtual wire name (up to 31 characters). This name appears in the list of virtual wires when configuring interfaces. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Interfaces: Select two Ethernet interfaces from the displayed list for the virtual wire configuration. Interfaces are listed here only if they have the virtual wire interface type and have not been assigned to another virtual wire.
For information on virtual wire interfaces, see Virtual Wire Interface.
Tag Allowed: Enter the tag number (0-4094) or range of tag numbers (tag1-tag2) for the traffic allowed on the virtual wire. A tag value of zero indicates untagged traffic (the default). Multiple tags or ranges must be separated by commas. Traffic that has an excluded tag value is dropped.
Tag values are not changed on incoming or outgoing packets.
When utilizing virtual wire subinterfaces, the Tag Allowed list will cause all traffic with the listed tags to be classified to the parent virtual wire. Virtual wire subinterfaces must utilize tags that do not exist in the parent's Tag Allowed list.
Multicast Firewalling: Select if you want to be able to apply security rules to multicast traffic. If this setting is not enabled, multicast traffic is forwarded across the virtual wire.
Link State Pass Through: Select if you want to bring down the other interface in a virtual wire pair when a down link state is detected. If you do not select or you disable this option, link status is not propagated across the virtual wire.
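The Tag Allowed syntax and the subinterface tag rule above can be checked before a commit. The following is an added example (not PAN-OS code) that parses a Tag Allowed string, models where a frame is classified, and flags subinterface tags that collide with the parent's list; the function names and the classification model are the example's own assumptions.

```python
import re
from typing import Iterable, List, Set

MAX_VLAN_TAG = 4094  # Tag Allowed accepts 0-4094; 0 means untagged traffic


def parse_tag_allowed(spec: str) -> Set[int]:
    """Expand a Tag Allowed string such as "0, 10-20, 4094" into the set of
    tags the virtual wire passes.  Entries are single tags or tag1-tag2 ranges
    separated by commas.  Raises ValueError for malformed or out-of-range input."""
    allowed: Set[int] = set()
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        match = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if match is None:
            raise ValueError(f"malformed Tag Allowed entry: {item!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high:
            raise ValueError(f"range start exceeds end: {item!r}")
        if high > MAX_VLAN_TAG:
            raise ValueError(f"tag {high} exceeds {MAX_VLAN_TAG}: {item!r}")
        allowed.update(range(low, high + 1))
    return allowed


def classify_frame(tag_allowed: Set[int], sub_tags: Set[int], frame_tag: int) -> str:
    """Model (assumption of this example) of where a frame with the given
    802.1Q tag (0 = untagged) lands: the parent virtual wire when the tag is in
    Tag Allowed, a subinterface when a subinterface carries that tag, otherwise
    dropped as an excluded tag."""
    if frame_tag in tag_allowed:
        return "parent"  # listed tags always classify to the parent virtual wire
    if frame_tag in sub_tags:
        return "subinterface"
    return "dropped"


def subinterface_tag_conflicts(tag_allowed: Set[int], sub_tags: Iterable[int]) -> List[int]:
    """Return subinterface tags that also appear in the parent's Tag Allowed
    list.  Such frames would be classified to the parent, never reaching the
    subinterface, so the configuration is invalid."""
    return sorted(tag for tag in sub_tags if tag in tag_allowed)


if __name__ == "__main__":
    parent = parse_tag_allowed("0, 10-20, 4094")  # constructed sample configuration
    print(sorted(parent))
    print(subinterface_tag_conflicts(parent, [15, 30]))  # [15]
```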
Network > Interfaces
Firewall interfaces (ports) enable a firewall to connect with other network devices and with other interfaces within the firewall. The following topics describe the interface types and how to configure them:
What are you looking for? | See
What are firewall interfaces?: Firewall Interfaces Overview
I am new to firewall interfaces; what are the components of a firewall interface?: Common Building Blocks for Firewall Interfaces; Common Building Blocks for PA-7000 Series Firewall Interfaces
I already understand firewall interfaces; how can I find information on configuring a specific interface type?:
Physical Interfaces (Ethernet)
- Layer 2 Interface
- Layer 2 Subinterface
- Layer 3 Interface
- Layer 3 Subinterface
- Virtual Wire Interface
- Virtual Wire Subinterface
- Tap Interface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- HA Interface
Logical Interfaces
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
Looking for more?: Networking
Firewall Interfaces Overview
The interface configurations of firewall data ports enable traffic to enter and exit the firewall. A Palo Alto Networks firewall can operate in multiple deployments simultaneously because you can configure the interfaces to support different deployments. For example, you can configure the Ethernet interfaces on a firewall for virtual wire, Layer 2, Layer 3, and tap mode deployments. The interfaces that the firewall supports are:
- Physical Interfaces: The firewall supports two kinds of Ethernet (copper and fiber optic) that can send and receive traffic at different transmission rates. You can configure Ethernet interfaces as the following types: tap, high availability (HA), log card (interface and subinterface), decrypt mirror, virtual wire (interface and subinterface), Layer 2 (interface and subinterface), Layer 3 (interface and subinterface), and aggregate Ethernet. The available interface types and transmission speeds vary by hardware model.
- Logical Interfaces: These include virtual local area network (VLAN) interfaces, loopback interfaces, and tunnel interfaces. You must set up the physical interface before defining a VLAN or a tunnel interface.
Common Building Blocks for Firewall Interfaces
For a description of components that are unique or different when you configure interfaces on a PA-7000 Series firewall, or when you use Panorama to configure interfaces on any firewall, see Common Building Blocks for PA-7000 Series Firewall Interfaces.
Firewall Interface Building Blocks | Description
Interface (Interface Name): The interface name is predefined and you cannot change it. However, you can append a numeric suffix for subinterfaces, aggregate interfaces, VLAN interfaces, loopback interfaces, and tunnel interfaces.
Management Profile: Select a Management Profile (Network > Interfaces > <if-config> > Advanced > Other Info) that defines the protocols (such as SSH, Telnet, and HTTP) you can use to manage the firewall over this interface.
Link State: For Ethernet interfaces, Link State indicates whether the interface is currently accessible and can receive traffic over the network:
- Green: Configured and up
- Red: Configured but down or disabled
- Gray: Not configured
Hover over the link state to display a tooltip that indicates the link speed and duplex settings for that interface.
IP Address: (Optional) Configure the IPv4 or IPv6 address of the Ethernet, VLAN, loopback, or tunnel interface. For an IPv4 address, you can also select the addressing mode (Type) for the interface: Static, DHCP Client, or PPPoE.
Tag (Subinterface only): Enter the VLAN tag (1-4,094) for the subinterface.
Virtual System: If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.
Features: For Ethernet interfaces, this column indicates whether the following features are enabled:
- DHCP Client
- DNS Proxy
- GlobalProtect gateway enabled
- Link Aggregation Control Protocol (LACP)
- Link Layer Discovery Protocol (LLDP)
- NDP Monitor
- NetFlow profile
- Quality of Service (QoS) profile
Comment: A description of the interface function or purpose.
Common Building Blocks for PA-7000 Series Firewall Interfaces
On PA-7000 Series firewalls, you must configure a Log Card Interface on one data port.
PA-7000 Series Firewall Interface Building Blocks | Description
Slot: Select the slot number (1-12) of the interface. Only PA-7000 Series firewalls have multiple slots. If you use Panorama to configure an interface for any other firewall model, select Slot 1.
Interface (Interface Name): Select the name of an interface that is associated with the selected Slot.
Layer 2 Interface
Network > Interfaces > Ethernet
Select Network > Interfaces > Ethernet to configure a Layer 2 interface. Click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.
Interface Type: Select Layer2.
Netflow Profile: If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.
Virtual System: If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system for the interface or click Virtual System to define a new vsys.
Link State: Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).
Enable in HA Passive State: If LLDP is enabled, select to allow an HA passive firewall to pre-negotiate LLDP with its peer before the firewall becomes active.
Layer 2 Subinterface
Network > Interfaces > Ethernet
For each Ethernet port configured as a physical Layer 2 interface, you can define an additional logical Layer 2 interface (subinterface) for each VLAN tag assigned to the traffic that the port receives. To enable switching between Layer 2 subinterfaces, assign the same VLAN object to the subinterfaces.
To configure a Layer 2 Subinterface, select the row of that physical Interface, click Add Subinterface, and specify the following information.
Layer 2 Subinterface Settings
Interface Name: The read-only Interface Name displays the name of the physical interface you selected. In the adjacent field, enter a numeric suffix (1-9,999) to identify the subinterface.
Comment: Enter an optional description for the subinterface.
Tag: Enter the VLAN tag (1-4,094) for the subinterface.
Netflow Profile: If you want to export unidirectional IP traffic that traverses an ingress subinterface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the subinterface.
VLAN: To enable switching between Layer 2 interfaces or to enable routing through a VLAN interface, select a VLAN, or click VLAN to define a new VLAN (see Network > VLANs). Select None to remove the current VLAN assignment from the subinterface.
Virtual System: If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the subinterface or click Virtual System to define a new vsys.
Security Zone: Select a security zone for the subinterface or click Zone to define a new zone. Select None to remove the current zone assignment from the subinterface.
Layer 3 Interface
Network > Interfaces > Ethernet
To configure a Layer 3 interface, click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.
Interface Type: Select Layer3.
Netflow Profile: If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.
Virtual System: If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.
Security Zone: Select a security zone for the interface or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.
Link State: Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).
Adjust TCP MSS: Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:
- IPv4 MSS Adjustment Size: Range is 40-300; default is 40.
- IPv6 MSS Adjustment Size: Range is 60-300; default is 60.
Use these settings to address the case where a tunnel through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment.
Encapsulation adds length to headers, so it is helpful to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.
Untagged Subinterface: Specifies that all subinterfaces belonging to this Layer 3 interface are untagged. PAN-OS selects an untagged subinterface as the ingress interface based on the packet destination. If the destination is the IP address of an untagged subinterface, it maps to the subinterface. This also means that packets in the reverse direction must have their source address translated to the IP address of the untagged subinterface. A byproduct of this classification mechanism is that all multicast and broadcast packets are assigned to the base interface, not any subinterfaces. Because Open Shortest Path First (OSPF) uses multicast, the firewall does not support it on untagged subinterfaces.
Address: Click Add to enter one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as the NDP proxy. Ideally, one of these addresses is the same address as that of the source translation in NPTv6. The order of addresses does not matter.
If the address is a subnetwork, the firewall will send an ND response for all addresses in the subnet, so we recommend that you also add the IPv6 neighbors of the firewall and then select Negate to instruct the firewall not to respond to these IP addresses.
Negate: Select Negate for an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet.
LLDP Profile: If LLDP is enabled, select an LLDP profile to assign to the interface or click LLDP Profile to create a new profile (see Network > Network Profiles > LLDP Profile). Select None to configure the firewall to use global defaults.
Enable in HA Passive State: If LLDP is enabled, select to allow the firewall as an HA passive firewall to pre-negotiate LLDP with its peer before the firewall becomes active.
Based on your IP address method selection, the options displayed in the tab will vary.
IP (Ethernet Interface > IPv4): Click Add, then perform one of the following steps to specify a static IP address and network mask for the interface.
- Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
- Select an existing address object of type IP netmask.
- Click Address to create an address object of type IP netmask.
You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your firewall uses determines the maximum number of IP addresses.
To delete an IP address, select the address and click Delete.
Show PPPoE Client Runtime Info: (Optional) Opens a dialog that displays parameters that the firewall negotiated with the Internet service provider (ISP) to establish a connection. The specific information depends on the ISP.
Static Address: Perform one of the following steps to specify the IP address that the Internet service provider assigned (no default value):
- Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
- Select an existing address object of type IP netmask.
- Click Address to create an address object of type IP netmask.
- Select None to remove the current address assignment from the interface.
Automatically create default route pointing to peer: Select to automatically create a default route that points to the PPPoE peer when connected.
Default Route Metric: (Optional) For the route between the firewall and Internet service provider, enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1-65,535). The priority level increases as the numeric value decreases.
Access Concentrator: (Optional) Enter the name of the access concentrator on the Internet service provider end to which the firewall connects (no default).
Service: (Optional) Enter the service string (no default).
Passive: Select to use passive mode. In passive mode, a PPPoE endpoint waits for the access concentrator to send the first frame.
Default Route Metric: For the route between the firewall and DHCP server, optionally enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1-65,535, no default). The priority level increases as the numeric value decreases.
Show DHCP Client Runtime Info: Select to display all settings received from the DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).
Interface ID: Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address.
Address: Click Add and configure the following parameters for each IPv6 address:
- Address: Enter an IPv6 address and prefix length (for example, 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create an address object.
- Enable address on interface: Select to enable the IPv6 address on the interface.
- Use interface ID as host portion: Select to use the Interface ID as the host portion of the IPv6 address.
- Anycast: Select to include routing through the nearest node.
- Send Router Advertisement: Select to enable router advertisement (RA) for this IP address. (You must also enable the global Enable Router Advertisement option on the interface.) For details on RA, see Enable Router Advertisement.
The remaining fields apply only if you enable RA.
- Valid Lifetime: The length of time, in seconds, that the firewall considers the address as valid. The valid lifetime must equal or exceed the Preferred Lifetime (default is 2,592,000).
- Preferred Lifetime: The length of time, in seconds, that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall cannot use the address to establish new connections but any existing connections are valid until the Valid Lifetime expires (default is 604,800).
- On-link: Select if systems that have addresses within the prefix are reachable without a router.
- Autonomous: Select if systems can independently create an IP address by combining the advertised prefix with an interface ID.
Reachable Time: Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 10-36,000; default is 30).
NS Interval (neighbor solicitation interval): Specify the number of seconds for DAD attempts before failure is indicated (range is 1-10; default is 1).
Enable NDP Monitoring: Select to enable Neighbor Discovery Protocol (NDP) monitoring. When enabled, you can select NDP Monitor (in the Features column) and view information about a neighbor that the firewall discovered, such as the IPv6 address, the corresponding MAC address, and the User-ID (on a best-case basis).
Min Interval (sec): Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure.
Max Interval (sec): Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure.
Hop Limit: Specify the hop limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit.
Link MTU: Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280-9,192; default is unspecified).
Reachable Time (ms): Specify the reachable time (in milliseconds) that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified).
Retrans Time (ms): Specify the retransmission timer that determines how long the client will wait (in milliseconds) before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified).
Router Lifetime (sec): Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.
Router Preference: If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.
Managed Configuration: Select to indicate to the client that addresses are available via DHCPv6.
Server: Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 Ethernet interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client.
You can configure a maximum of eight RDNS servers that the firewall sends in the order listed from top to bottom in an NDP router advertisement to the recipient, which then uses those addresses in the same order. Select a server and Move Up or Move Down to change the order of the servers or Delete a server from the list when you no longer need it.
Lifetime: Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use the RDNS servers to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).
Suffix: Add and configure one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes.
A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the DNS query. For example, if a DNS client tries to submit a DNS query for the name quality without a suffix, the router appends a period and the first DNS suffix from the DNS search list to that name and then transmits the DNS query. If the first DNS suffix on the list is company.com, the resulting DNS query from the router is for the fully qualified domain name quality.company.com.
If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router tries DNS suffixes until a DNS lookup is successful (ignores the remaining suffixes) or until the router has tried all suffixes on the list.
Configure the firewall with the suffixes you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries.
You can configure a maximum of eight domain names (suffixes) for a DNS search list that the firewall sends in the order listed from top to bottom in an NDP router advertisement to the recipient, which uses those addresses in the same order. Select a suffix and Move Up or Move Down to change the order of the suffixes or Delete a suffix from the list when you no longer need it.
Lifetime: Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS Search List (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).
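The router advertisement and DNS support settings above carry ranges that depend on each other (lifetimes bounded by Max Interval, Valid Lifetime not below Preferred Lifetime, at most eight servers and suffixes). The following added example (not PAN-OS code) checks a proposed configuration against exactly the rules the table states; the dataclass, field names and defaults are this example's assumptions, taken from the table's defaults.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RouterAdvertisementSettings:
    """Subset of the Layer 3 interface IPv6 RA and DNS support settings, with
    the table's defaults.  Intervals and lifetimes are in seconds; link_mtu of
    None stands for 'unspecified'."""
    min_interval: int = 200
    max_interval: int = 600
    hop_limit: int = 64                  # 1-255, or 0 for no hop limit
    link_mtu: Optional[int] = None
    router_lifetime: int = 1800
    valid_lifetime: int = 2_592_000
    preferred_lifetime: int = 604_800
    rdns_servers: List[str] = field(default_factory=list)
    rdns_lifetime: int = 1200
    dnssl_suffixes: List[str] = field(default_factory=list)
    dnssl_lifetime: int = 1200


def _check_range(name: str, value: int, low: int, high: int, errors: List[str]) -> None:
    """Append a violation when value lies outside the inclusive range low-high."""
    if not low <= value <= high:
        errors.append(f"{name} {value} outside range {low}-{high}")


def validate_ra(s: RouterAdvertisementSettings) -> List[str]:
    """Return the list of rule violations; an empty list means the settings
    satisfy every range and dependency stated in the table."""
    errors: List[str] = []
    _check_range("Min Interval", s.min_interval, 3, 1350, errors)
    _check_range("Max Interval", s.max_interval, 4, 1800, errors)
    # RAs are sent at random intervals between the two, so the order matters.
    if s.min_interval > s.max_interval:
        errors.append("Min Interval must not exceed Max Interval")
    _check_range("Hop Limit", s.hop_limit, 0, 255, errors)
    if s.link_mtu is not None:
        _check_range("Link MTU", s.link_mtu, 1280, 9192, errors)
    _check_range("Router Lifetime", s.router_lifetime, 0, 9000, errors)
    if s.valid_lifetime < s.preferred_lifetime:
        errors.append("Valid Lifetime must equal or exceed Preferred Lifetime")
    # DNS support: at most eight RDNS servers and eight DNSSL suffixes, each
    # suffix at most 255 bytes, and both lifetimes between Max Interval and
    # twice Max Interval.
    if len(s.rdns_servers) > 8:
        errors.append(f"{len(s.rdns_servers)} RDNS servers configured; maximum is 8")
    _check_range("RDNS Lifetime", s.rdns_lifetime,
                 s.max_interval, 2 * s.max_interval, errors)
    if len(s.dnssl_suffixes) > 8:
        errors.append(f"{len(s.dnssl_suffixes)} DNSSL suffixes configured; maximum is 8")
    for suffix in s.dnssl_suffixes:
        if len(suffix.encode("utf-8")) > 255:
            errors.append(f"DNSSL suffix {suffix!r} exceeds 255 bytes")
    _check_range("DNSSL Lifetime", s.dnssl_lifetime,
                 s.max_interval, 2 * s.max_interval, errors)
    return errors


if __name__ == "__main__":
    # Constructed sample: the RDNS lifetime is longer than twice Max Interval.
    proposed = RouterAdvertisementSettings(rdns_servers=["2001:db8::53"], rdns_lifetime=5000)
    for problem in validate_ra(proposed):
        print(problem)
```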
Layer 3 Subinterface
Network > Interfaces > Ethernet
For each Ethernet port configured as a physical Layer 3 interface, you can define additional logical Layer 3 interfaces (subinterfaces).
To configure a Layer 3 Subinterface, select the row of that physical Interface, click Add Subinterface, and specify the following information.
Comment: Enter an optional description for the subinterface.
Tag: Enter the VLAN tag (1-4,094) for the subinterface.
Netflow Profile: If you want to export unidirectional IP traffic that traverses an ingress subinterface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the subinterface.
Virtual System: If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the subinterface or click Virtual System to define a new vsys.
Security Zone: Select a security zone for the subinterface, or click Zone to define a new zone. Select None to remove the current zone assignment from the subinterface.
MTU: Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.
Adjust TCP MSS: Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:
- IPv4 MSS Adjustment Size: Range is 40-300; default is 40.
- IPv6 MSS Adjustment Size: Range is 60-300; default is 60.
Use these settings to address the case where a tunnel through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment.
Encapsulation adds length to headers, so it helps to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.
Address: Add one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as NDP proxy. Ideally, one of these addresses is the same address as that of the source translation in NPTv6. The order of addresses does not matter.
If the address is a subnetwork, the firewall will send an ND response for all addresses in the subnet, so we recommend you also add the IPv6 neighbors of the firewall and then click Negate to instruct the firewall not to respond to these IP addresses.
Negate: Negate an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet.
Based on your IP address method selection, the options displayed in the tab will vary.
IP (Layer 3 Subinterface > IPv4, Type = Static): Add and perform one of the following steps to specify a static IP address and network mask for the interface.
- Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
- Select an existing address object of type IP netmask.
- Create an Address object of type IP netmask.
You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your system uses determines the maximum number of IP addresses.
Delete an IP address when you no longer need it.
Default Route Metric: (Optional) For the route between the firewall and DHCP server, you can enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1-65535; there is no default). The priority level increases as the numeric value decreases.
Address: Click Add and configure the following parameters for each IPv6 address:
- Address: Enter an IPv6 address and prefix length (for example, 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create an address object.
- Enable address on interface: Select to enable the IPv6 address on the interface.
- Use interface ID as host portion: Select to use the Interface ID as the host portion of the IPv6 address.
- Anycast: Select to include routing through the nearest node.
- Send Router Advertisement: Select to enable router advertisement (RA) for this IP address. (You must also enable the global Enable Router Advertisement option on the interface.) For details on RA, see Enable Router Advertisement in this table.
The remaining fields apply only if you enable RA.
- Valid Lifetime: The length of time, in seconds, that the firewall considers the address as valid. The valid lifetime must equal or exceed the Preferred Lifetime. The default is 2,592,000.
- Preferred Lifetime: The length of time, in seconds, that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall cannot use the address to establish new connections but any existing connections are valid until the Valid Lifetime expires. The default is 604,800.
- On-link: Select if systems that have addresses within the prefix are reachable without a router.
- Autonomous: Select if systems can independently create an IP address by combining the advertised prefix with an interface ID.
Reachable Time: Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 1-36,000; default is 30).
NS Interval (neighbor solicitation interval): Specify the number of seconds for DAD attempts before failure is indicated (range is 1-10; default is 1).
Enable NDP Monitoring: Select to enable Neighbor Discovery Protocol (NDP) monitoring. When enabled, you can select NDP (in the Features column) to view information about a neighbor the firewall discovered, such as the IPv6 address, the corresponding MAC address, and the User-ID (on a best-case basis).
Min Interval (sec): Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure.
Max Interval (sec): Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure.
Hop Limit: Specify the hop limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit.
Link MTU: Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280-9,192; default is unspecified).
Reachable Time (ms): Specify the reachable time (in milliseconds) that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified).
Retrans Time (ms): Specify the retransmission timer that determines how long the client will wait (in milliseconds) before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified).
Router Lifetime (sec): Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.
Router Preference: If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.
Managed Configuration: Select to indicate to the client that addresses are available via DHCPv6.
Other Configuration: Select to indicate to the client that other address information (for example, DNS-related settings) is available via DHCPv6.
Lifetime: Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use an RDNS server to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).
Suffix: Add one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes.
A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the DNS query. For example, if a DNS client tries to submit a DNS query for the name quality without a suffix, the router appends a period and the first DNS suffix from the DNS search list to the name and transmits the DNS query. If the first DNS suffix on the list is company.com, the resulting DNS query from the router is for the fully qualified domain name quality.company.com.
If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router uses the DNS suffixes until a DNS lookup is successful (ignores the remaining suffixes) or until the router has tried all of the suffixes on the list.
Configure the firewall with the suffixes that you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries.
You can configure a maximum of eight domain names (suffixes) for a DNS search list option that the firewall sends in the order listed from top to bottom in an NDP router advertisement to the recipient, which uses them in the same order. Select a suffix and Move Up or Move Down to change the order of the suffixes or Delete a suffix when you no longer need it.
Lifetime: Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS search list (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).
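The DNS search list behaviour described under Suffix (in both the Layer 3 interface and Layer 3 subinterface tables) is shown below as an added example, not PAN-OS code: the client appends a period and each DNSSL suffix in order, stops at the first successful lookup, and ignores the remaining suffixes. The lookup callable and the sample zone are constructed for the example.

```python
from typing import Callable, Dict, List, Optional, Tuple

MAX_DNSSL_SUFFIXES = 8  # the firewall sends at most eight suffixes in the DNSSL option

# A resolver stand-in: returns an answer for a fully qualified name, or None on failure.
Lookup = Callable[[str], Optional[str]]


def search_candidates(name: str, suffixes: List[str]) -> List[str]:
    """Return the fully qualified names a DNS client tries for an unqualified
    name, in DNSSL order: the name, a period, and each suffix in turn.
    Trailing dots on suffixes are tolerated (an assumption of this example)."""
    if len(suffixes) > MAX_DNSSL_SUFFIXES:
        raise ValueError("DNSSL option carries at most eight suffixes")
    return [f"{name}.{suffix.strip('.')}" for suffix in suffixes]


def resolve_with_search_list(
    name: str, suffixes: List[str], lookup: Lookup
) -> Tuple[Optional[str], Optional[str], List[str]]:
    """Try each candidate in order and stop at the first successful lookup.
    Returns (fqdn_that_resolved, answer, names_tried); the first two are None
    when every suffix on the list has been tried without success."""
    tried: List[str] = []
    for fqdn in search_candidates(name, suffixes):
        tried.append(fqdn)
        answer = lookup(fqdn)
        if answer is not None:
            return fqdn, answer, tried  # remaining suffixes are ignored
    return None, None, tried


# Constructed zone data standing in for real DNS answers (example values only).
SAMPLE_ZONE: Dict[str, str] = {
    "quality.corp.example": "2001:db8::10",
    "www.company.com": "2001:db8::20",
}


def sample_lookup(fqdn: str) -> Optional[str]:
    """Lookup against the constructed zone; None models a failed query."""
    return SAMPLE_ZONE.get(fqdn)


if __name__ == "__main__":
    # company.com is tried first and fails, so the client moves to corp.example.
    print(resolve_with_search_list("quality", ["company.com", "corp.example"], sample_lookup))
```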
Virtual Wire Interface
Network > Interfaces > Ethernet
A virtual wire interface binds two Ethernet ports together, allowing for all traffic to pass between the ports, or just traffic with selected VLAN tags (no other switching or routing services are available). You can also create Virtual Wire subinterfaces and classify traffic according to an IP address, IP range, or subnet. A virtual wire requires no changes to adjacent network devices.
To set up a virtual wire through the firewall, identify the interface to use for the virtual wire (Network > Interfaces > Ethernet), specify the virtual wire interface settings as described in the following table, and then Add the virtual wire (Network > Virtual Wires).
If you are using an existing interface for the virtual wire, first remove the interface from any associated security zone.
Virtual System: If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system for the interface or click Virtual System to define a new vsys.
Security Zone: Select a security zone for the interface, or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.
Link State: Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).
Enable in HA Passive State: If LLDP is enabled, select to configure an HA passive firewall to pre-negotiate LLDP with its peer before the firewall becomes active.
If LLDP is not enabled, select to configure an HA passive firewall to simply pass LLDP packets through the firewall.
Virtual Wire Subinterface
Network > Interfaces > Ethernet
Virtual wire (vwire) subinterfaces allow you to separate traffic by VLAN tags or a VLAN tag and IP classifier combination, assign the tagged traffic to a different zone and virtual system, and then enforce security policies for the traffic that matches the defined criteria.
To add a Virtual Wire Subinterface, select the row for that interface, click Add Subinterface, and specify the following information.
Virtual Wire Subinterface Settings | Description
Comment: Enter an optional description for the subinterface.
Tag: Enter the VLAN tag (0-4,094) for the subinterface.
Netflow Profile: If you want to export unidirectional IP traffic that traverses an ingress subinterface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Selecting None removes the current NetFlow server assignment from the subinterface.
IP Classifier: Click Add and enter an IP address, IP range, or subnet to classify the traffic on this vwire subinterface.
Virtual System: If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the subinterface or click Virtual System to define a new vsys.
Security Zone: Select a security zone for the subinterface, or click Zone to define a new zone. Select None to remove the current zone assignment from the subinterface.
Tap Interface
Network > Interfaces > Ethernet
You can use a tap interface to monitor traffic on a port.
To configure a tap interface, click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.
Interface Type: Select Tap.
Netflow Profile: If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.
Security Zone: Select a security zone for the interface or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.
Link State: Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).
Log Card Interface
Network > Interfaces > Ethernet
If you configure log forwarding on a PA-7000 Series firewall, you must configure one data port as type Log Card. This is because the traffic and logging capabilities of this firewall model exceed the capabilities of the management (MGT) interface. A log card data port performs log forwarding for syslog, email, Simple Network Management Protocol (SNMP), Panorama log forwarding, and WildFire file forwarding.
You can configure only one port on the firewall as type Log Card. If you enable log forwarding but do not configure an interface with the Log Card type, you get an error when you attempt to commit your changes.
To configure a log card interface, select an Interface that is not configured (ethernet1/16, for example) and configure the settings described in the following table.
Comment: Enter an optional description for the interface.
IPv6: If your network uses IPv6, define the following:
- IP address: The IPv6 address of the port.
- Default Gateway: The IPv6 address of the default gateway for the port.
Link Duplex: Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically based on the connection (auto). The default is auto.
Link State: Select whether the interface status is enabled (up), disabled (down), or determined automatically based on the connection (auto). The default is auto.
LogCardSubinterface
Network>Interfaces>Ethernet
ToaddaLogCardInterface,selecttherowforthatinterface,Add Subinterface,andspecifythefollowing
information.
Comment Enteranoptionaldescriptionfortheinterface.
Tag EntertheVLANTag(04,094)forthesubinterface.
Makethetagthesameasthesubinterfacenumberforeaseofuse.
IPv6 IfyournetworkusesIPv6,definethefollowing:
IP addressTheIPv6addressoftheport.
Default GatewayTheIPv6addressofthedefaultgatewayfortheport.
Decrypt Mirror Interface
Network > Interfaces > Ethernet
To use the Decryption Port Mirror feature, you must select the Decrypt Mirror interface type. This feature enables creating a copy of decrypted traffic from a firewall and sending it to a traffic collection tool that can receive raw packet captures, such as NetWitness or Solera, for archiving and analysis. Organizations that require comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality require this feature. Decryption port mirroring is only available on PA-7000 Series firewalls, PA-5000 Series firewalls, and PA-3000 Series firewalls. To enable the feature, you must acquire and install the free license.
To configure a decrypt mirror interface, click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.
Decrypt Mirror Interface Settings
Interface Name: The interface name is predefined and you cannot change it.
Comment: Enter an optional description for the interface.
Link Speed: Select the interface speed in Mbps (10, 100, or 1000), or select auto to have the firewall automatically determine the speed.
Link Duplex: Select whether the interface transmission mode is full duplex (full), half duplex (half), or negotiated automatically (auto).
Link State: Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).
Aggregate Ethernet (AE) Interface Group
Network > Interfaces > Ethernet
An AE interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that connects the firewall to another network device or another firewall. An AE interface group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy; when one interface fails, the remaining interfaces continue to support traffic.
Before configuring an AE interface group, you must configure its interfaces. All the interfaces in an aggregate group must be the same with respect to bandwidth (1Gbps or 10Gbps) and interface type (HA3, virtual wire, Layer 2, or Layer 3). You can add up to eight AE interface groups per firewall and each group can have up to eight interfaces.
All Palo Alto Networks firewalls except the PA-200 and VM-Series models support AE interface groups.
You can aggregate the HA3 (packet forwarding) interfaces in a high availability (HA) active/active configuration but only on the following firewall models:
- PA-220
- PA-500
- PA-800 Series
- PA-3000 Series
- PA-5000 Series
- PA-5200 Series
Interface Type: Select the interface type, which controls the remaining configuration requirements and options:
- HA: Only select if the interface is an HA3 link between two firewalls in an active/active deployment. Optionally select a Netflow Profile and configure the LACP tab (see Enable LACP).
- Virtual Wire: Optionally select a Netflow Profile, and configure the Config and Advanced tabs as described in Virtual Wire Settings.
- Layer 2: Optionally select a Netflow Profile; configure the Config and Advanced tabs as described in Layer 2 Interface Settings; and optionally configure the LACP tab (see Enable LACP).
- Layer 3: Optionally select a Netflow Profile; configure the Config, IPv4 or IPv6, and Advanced tabs as described in Layer 3 Interface Settings; and optionally configure the LACP tab (see Enable LACP).
Netflow Profile: If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the AE interface group.
Mode: Select the LACP mode of the firewall. Between any two LACP peers, it is recommended that one is active and the other is passive. LACP cannot function if both peers are passive.
- Active: The firewall actively queries the LACP status (available or unresponsive) of peer devices.
- Passive (default): The firewall passively responds to LACP status queries from peer devices.
Transmission Rate: Select the rate at which the firewall exchanges queries and responses with peer devices:
- Fast: Every second
- Slow: Every 30 seconds (this is the default setting)
Fast Failover: Select if, when an interface goes down, you want the firewall to fail over to an operational interface within one second. Otherwise, failover occurs at the standard IEEE 802.1AX-defined speed (at least three seconds).
Max Ports: The number of interfaces (1-8) that can be active at any given time in an LACP aggregate group. The value cannot exceed the number of interfaces you assign to the group. If the number of assigned interfaces exceeds the number of active interfaces, the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. You set the LACP port priorities when configuring individual interfaces for the group (see Aggregate Ethernet (AE) Interface).
Enable in HA Passive State: For firewalls deployed in a high availability (HA) active/passive configuration, select to allow the passive firewall to pre-negotiate LACP with its active peer before a failover occurs. Pre-negotiation speeds up failover because the passive firewall does not have to negotiate LACP before becoming active.
Same System MAC Address for Active-Passive HA: This applies only to firewalls deployed in a high availability (HA) active/passive configuration; firewalls in an active/active configuration require unique MAC addresses.
HA firewall peers have the same system priority value. However, in an active/passive deployment, the system ID for each can be the same or different, depending on whether you assign the same MAC address.
When the LACP peers (also in HA mode) are virtualized (appearing to the network as a single device), using the same system MAC address for the firewalls minimizes latency during failover. When the LACP peers are not virtualized, using the unique MAC address of each firewall minimizes failover latency.
LACP uses the MAC address to derive a system ID for each LACP peer. If the firewall pair and peer pair have identical system priority values, LACP uses the system ID values to determine which overrides the other with respect to port priorities. If both firewalls have the same MAC address, both will have the same system ID, which will be higher or lower than the system ID of the LACP peers. If the HA firewalls have unique MAC addresses, it is possible for one to have a higher system ID than the LACP peers while the other has a lower system ID. In the latter case, when failover occurs on the firewalls, port prioritization switches between the LACP peers and the firewall that becomes active.
Aggregate Ethernet (AE) Interface
Network > Interfaces > Ethernet
To configure an Aggregate Ethernet (AE) Interface, first configure an Aggregate Ethernet (AE) Interface Group and click the name of the interface you will assign to that group. The interface you select must be the same type as that defined for the AE interface group (for example, Layer 3); you will change the type to Aggregate Ethernet when you configure the interface. Specify the following information for the interface.
If you enabled Link Aggregation Control Protocol (LACP) for the AE interface group, select the same Link Speed and Link Duplex for every interface in that group. For non-matching values, the commit operation displays a warning and PAN-OS defaults to the higher speed and full duplex.
Aggregate Group: Assign the interface to an aggregate group.
Link Speed: Select the interface speed in Mbps (10, 100, or 1000), or select auto to have the firewall automatically determine the speed.
Link Duplex: Select whether the interface transmission mode is full duplex (full), half duplex (half), or negotiated automatically (auto).
Link State: Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).
LACP Port Priority: The firewall only uses this field if you enabled Link Aggregation Control Protocol (LACP) for the aggregate group. If the number of interfaces you assign to the group exceeds the number of active interfaces (the Max Ports field), the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. The lower the numeric value, the higher the priority (range is 1-65,535; default is 32,768).
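The interplay between Max Ports, LACP Port Priority and the system ID discussion under the AE interface group (Same System MAC Address for Active-Passive HA) is easier to see in a small model. The following Python is an added illustration written for this guide, not PAN-OS code: it ranks group members by port priority exactly as the text describes (lower value wins, value range 1-65,535, Max Ports 1-8 and never more than the assigned members) and derives LACP system IDs from system priority and MAC. Two things are assumptions rather than statements from the guide: ties on port priority are broken by interface name, and the side whose port priorities govern selection is the one with the numerically lower system ID (the IEEE 802.1AX convention). Interface names and MAC addresses below are constructed samples.

```python
"""Added example: LACP active/standby selection and HA system-ID consistency.
Illustrative model only; not the firewall's implementation."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Member:
    name: str            # e.g. "ethernet1/3" (constructed sample names)
    port_priority: int   # LACP Port Priority field, 1-65,535, lower = higher priority


def validate_port_priority(priority: int) -> None:
    if not 1 <= priority <= 65535:
        raise ValueError(f"LACP port priority {priority} is outside 1-65,535")


def select_active(members: Sequence[Member], max_ports: int) -> Tuple[List[str], List[str]]:
    """Return (active, standby) member names for one aggregate group.

    Mirrors the guide: Max Ports is 1-8 and cannot exceed the number of assigned
    interfaces; when more interfaces are assigned than Max Ports, the lowest
    priority values become active and the rest go to standby.
    Assumption: equal priorities are ordered by interface name.
    """
    if not 1 <= max_ports <= 8:
        raise ValueError("Max Ports must be between 1 and 8")
    if max_ports > len(members):
        raise ValueError("Max Ports cannot exceed the number of assigned interfaces")
    for m in members:
        validate_port_priority(m.port_priority)
    ordered = sorted(members, key=lambda m: (m.port_priority, m.name))
    active = [m.name for m in ordered[:max_ports]]
    standby = [m.name for m in ordered[max_ports:]]
    return active, standby


def system_id(system_priority: int, mac: str) -> Tuple[int, int]:
    """LACP system ID: system priority followed by the MAC, compared numerically."""
    return (system_priority, int(mac.replace(":", ""), 16))


def governing_side(firewall_id: Tuple[int, int], peer_id: Tuple[int, int]) -> str:
    """Which side's port priorities decide active/standby membership.
    Assumption (802.1AX convention): the numerically lower system ID governs."""
    return "firewall" if firewall_id < peer_id else "peer"


def ha_failover_consistent(active_fw_id, passive_fw_id, peer_id) -> bool:
    """True when a failover between the two HA firewalls leaves port
    prioritization on the same side, which is the case the guide recommends."""
    return governing_side(active_fw_id, peer_id) == governing_side(passive_fw_id, peer_id)


if __name__ == "__main__":
    group = [Member("ethernet1/3", 100), Member("ethernet1/4", 100),
             Member("ethernet1/5", 32768), Member("ethernet1/6", 50)]
    print(select_active(group, 2))
    peer = system_id(32768, "00:1b:17:00:00:10")          # constructed MACs
    print(ha_failover_consistent(system_id(32768, "00:1b:17:00:00:05"),
                                 system_id(32768, "00:1b:17:00:00:20"), peer))
```

With two HA firewalls that keep unique MAC addresses, one can sit below the peer's system ID and the other above it, so a failover flips which side's port priorities apply; giving both firewalls the same system MAC removes that flip.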
Address: Add an IPv6 address and configure the following parameters:
- Address: Enter an IPv6 address and prefix length (e.g. 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create one.
- Enable address on interface: Select to enable the IPv6 address on the interface.
- Use interface ID as host portion: Select to use the Interface ID as the host portion of the IPv6 address.
- Anycast: Select to include routing through the nearest node.
- Send RA: Select to enable router advertisement (RA) for this IP address. When you select this option, you must also globally Enable Router Advertisement on the interface. For details on RA, see Enable Router Advertisement.
The remaining fields are visible only after you enable RA:
- Valid Lifetime: The length of time, in seconds, that the firewall considers the address as valid. The valid lifetime must equal or exceed the Preferred Lifetime. The default is 2,592,000.
- Preferred Lifetime: The length of time, in seconds, that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall cannot use the address to establish new connections but any existing connections are valid until they exceed the Valid Lifetime. The default is 604,800.
- On-link: Select if systems with IP addresses within the advertised prefix are reachable without a router.
- Autonomous: Select if systems can independently create an IP address by combining the advertised prefix with an interface ID.
Reachable Time: Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 1-36,000; default is 30).
NS Interval (neighbor solicitation interval): Specify the length of time, in seconds, before a DAD attempt failure is indicated (range is 1-10; default is 1).
Enable NDP Monitoring: Select to enable Neighbor Discovery Protocol monitoring. When enabled, you can select NDP (in the Features column) and view information such as the IPv6 address of a neighbor the firewall has discovered, the corresponding MAC address and User-ID (on a best case basis).
Min Interval (sec): Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure.
Max Interval (sec): Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure.
Hop Limit: Specify the hop limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit.
Link MTU: Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280-9,192; default is unspecified).
Reachable Time (ms): Specify the reachable time, in milliseconds, that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified).
Retrans Time (ms): Specify the retransmission timer that determines how long the client will wait, in milliseconds, before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified).
Router Lifetime (sec): Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.
Router Preference: If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.
Managed Configuration: Select to indicate to the client that addresses are available via DHCPv6.
Other Configuration: Select to indicate to the client that other address information (such as DNS-related settings) is available via DHCPv6.
Server: Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 Aggregated Ethernet interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client.
You can configure a maximum of eight RDNS Servers that the firewall sends in the order listed from top to bottom in an NDP router advertisement to the recipient, which then uses those addresses in the same order. Select a server and Move Up or Move Down to change the order of the servers or Delete a server when you no longer need it.
Lifetime: Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use the RDNS Servers to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).
Suffix: Add and configure one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes.
A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the DNS query. For example, if a DNS client tries to submit a DNS query for the name quality without a suffix, the router appends a period and the first DNS suffix from the DNS search list to the name and transmits the DNS query. If the first DNS suffix on the list is company.com, the resulting DNS query from the router is for the fully qualified domain name quality.company.com.
If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router tries DNS suffixes until a DNS lookup is successful (ignores the remaining suffixes) or until the router has tried all of the suffixes on the list.
Configure the firewall with the suffixes you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries.
You can configure a maximum of eight domain names (suffixes) for a DNS search list that the firewall sends in order listed from top to bottom in an NDP router advertisement to the recipient, which uses them in the same order. Select a suffix and Move Up or Move Down to change the order of the suffixes or Delete a suffix from the list when you no longer need it.
HA Interface
Network > Interfaces > Ethernet
Each high availability (HA) interface has a specific function: one interface is for configuration synchronization and heartbeats, and the other interface is for state synchronization. If active/active high availability is enabled, the firewall can use a third HA interface to forward packets.
Some Palo Alto Networks firewalls include dedicated physical ports for use in HA deployments (one for the control link and one for the data link). For firewalls that do not include dedicated ports, you must specify the data ports that will be used for HA. For additional information on HA, refer to Device > Virtual Systems.
To configure an HA interface, click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.
HA Interface Settings  Description
Interface Name: The interface name is predefined and you cannot change it.
Comment: Enter an optional description for the interface.
Interface Type: Select HA.
Link Speed: Select the interface speed in Mbps (10, 100, or 1000), or select auto to have the firewall automatically determine the speed.
Link Duplex: Select whether the interface transmission mode is full duplex (full), half duplex (half), or negotiated automatically (auto).
Link State: Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).
Network > Interfaces > VLAN
A VLAN interface can provide routing into a Layer 3 network (IPv4 and IPv6). You can add one or more Layer 2 Ethernet ports (see Layer 2 Interface) to a VLAN interface.
Comment: Enter an optional description for the interface.
Netflow Profile: If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.
Virtual System: If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.
Security Zone: Select a security zone for the interface, or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.
MTU: Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.
Adjust TCP MSS: Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:
- IPv4 MSS Adjustment Size: Range is 40-300; default is 40.
- IPv6 MSS Adjustment Size: Range is 60-300; default is 60.
Use these settings to address the case where a tunnel through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment.
Encapsulation adds length to headers, so it helps to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.
Address: Add one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as NDP Proxy. Ideally, one of these addresses is the same address as that of the source translation in NPTv6. The order of addresses does not matter.
If the address is a subnetwork, the firewall will send an ND response for all addresses in the subnet, so we recommend you also add the firewall's IPv6 neighbors and then click Negate to instruct the firewall not to respond to these IP addresses.
Negate: Select Negate for an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet.
Based on your IP address method selection, the options displayed in the tab will vary.
IPv4 address Type = Static
Default Route Metric: For the route between the firewall and DHCP server, optionally enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1-65,535; there is no default). The priority level increases as the numeric value decreases.
Show DHCP Client Runtime Info: Select to display all settings received from the DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).
Interface ID: Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address.
DAD Attempts: Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1-10; default is 1).
Reachable Time: Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 1-36,000; default is 30).
NS Interval (neighbor solicitation interval): Specify the number of seconds for DAD attempts before failure is indicated (range is 1-10; default is 1).
Enable NDP Monitoring: Select to enable Neighbor Discovery Protocol monitoring. When enabled, you can select NDP (in the Features column) and view information such as the IPv6 address of a neighbor the firewall has discovered, the corresponding MAC address and User-ID (on a best case basis).
Min Interval (sec): Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure.
Max Interval (sec): Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure.
Hop Limit: Specify the hop limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit.
Link MTU: Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280-9,192; default is unspecified).
Reachable Time (ms): Specify the reachable time, in milliseconds, that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified).
Retrans Time (ms): Specify the retransmission timer that determines how long the client will wait (in milliseconds) before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified).
Router Lifetime (sec): Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.
Router Preference: If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.
Managed Configuration: Select to indicate to the client that addresses are available via DHCPv6.
Other Configuration: Select to indicate to the client that other address information (for example, DNS-related settings) is available via DHCPv6.
Server: Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 VLAN interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client.
You can configure a maximum of eight RDNS servers that the firewall sends in the order listed from top to bottom in an NDP router advertisement to the recipient, which then uses them in the same order. Select a server and Move Up or Move Down to change the order of the servers or Delete a server from the list when you no longer need it.
Lifetime: Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use the RDNS servers to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).
Suffix: Add and configure one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes.
A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the DNS query. For example, if a DNS client tries to submit a DNS query for the name quality without a suffix, the router appends a period and the first DNS suffix from the DNS search list to the name and then transmits the DNS query. If the first DNS suffix on the list is company.com, the resulting DNS query from the router is for the fully qualified domain name quality.company.com.
If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router tries DNS suffixes until a DNS lookup is successful (ignores the remaining suffixes) or until the router has tried all of the suffixes on the list.
Configure the firewall with the suffixes that you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries.
You can configure a maximum of eight domain names (suffixes) for a DNS search list that the firewall sends in order listed from top to bottom in an NDP router advertisement to the recipient, which uses those suffixes in the same order. Select a suffix and Move Up or Move Down to change the order of the suffixes or Delete a suffix from the list when you no longer need it.
Lifetime: Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS search list (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).
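The DNS search list behaviour described under Suffix (here and in the identical passage for the Aggregate Ethernet interface), together with the RDNS/DNSSL Lifetime bound, can be checked with a short model. The Python below is an added example written for this guide and is not firewall code: it enforces the limits the text states (at most eight suffixes, each at most 255 bytes, Lifetime between Max Interval and twice Max Interval) and walks the suffix list in order until a lookup succeeds. The resolver is a constructed stub table, and treating a name with a trailing dot as already fully qualified is an assumption, not something the guide states.

```python
"""Added example: DNS search list (DNSSL) resolution as the guide describes it.
The zone below is a constructed stub; no network lookups are made."""
from typing import Callable, List, Optional, Sequence, Tuple

MAX_SUFFIXES = 8        # guide: at most eight suffixes in the DNSSL
MAX_SUFFIX_BYTES = 255  # guide: maximum suffix length is 255 bytes


def validate_search_list(suffixes: Sequence[str]) -> List[str]:
    """Apply the guide's DNSSL limits and return the list in its configured order."""
    if len(suffixes) > MAX_SUFFIXES:
        raise ValueError(f"a DNS search list holds at most {MAX_SUFFIXES} suffixes")
    for suffix in suffixes:
        if not suffix or len(suffix.encode("utf-8")) > MAX_SUFFIX_BYTES:
            raise ValueError(f"suffix {suffix!r} is empty or longer than {MAX_SUFFIX_BYTES} bytes")
    return list(suffixes)


def lifetime_in_range(lifetime: int, max_interval: int) -> bool:
    """RDNS Server and DNSSL Lifetime must lie between Max Interval (sec) and twice it."""
    return max_interval <= lifetime <= 2 * max_interval


def resolve_with_search_list(name: str, suffixes: Sequence[str],
                             lookup: Callable[[str], Optional[str]]) -> Tuple[List[str], Optional[str]]:
    """Return (names tried in order, answer or None).

    An unqualified name gets each suffix appended in turn; the first successful
    lookup wins and the remaining suffixes are ignored, as the guide describes.
    Assumption: a trailing dot marks a fully qualified name that is looked up as-is.
    """
    if name.endswith("."):
        fqdn = name.rstrip(".")
        return [fqdn], lookup(fqdn)
    tried: List[str] = []
    for suffix in validate_search_list(suffixes):
        fqdn = f"{name}.{suffix}"
        tried.append(fqdn)
        answer = lookup(fqdn)
        if answer is not None:
            return tried, answer
    return tried, None


# Constructed sample zone standing in for the recursive DNS servers.
SAMPLE_ZONE = {
    "quality.company.com": "203.0.113.10",
    "intranet.corp.example": "198.51.100.7",
}


def sample_lookup(fqdn: str) -> Optional[str]:
    return SAMPLE_ZONE.get(fqdn)


if __name__ == "__main__":
    print(resolve_with_search_list("quality", ["corp.example", "company.com", "lab.example"], sample_lookup))
```

Because the client appends suffixes in the advertised order, the order you configure on the firewall decides how many queries a client sends before a name resolves, and which domain an unqualified name is silently qualified into.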
Network > Interfaces > Loopback
Use the following fields to configure a loopback interface:
Comment: Enter an optional description for the interface.
Netflow Profile: If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.
Virtual System: If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.
Security Zone: Select a security zone for the interface, or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.
MTU: Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.
Adjust TCP MSS: Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:
- IPv4 MSS Adjustment Size: Range is 40-300; default is 40.
- IPv6 MSS Adjustment Size: Range is 60-300; default is 60.
Use these settings to address the case where a tunnel through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment.
Encapsulation adds length to headers, so it helps to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.
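The MTU and Adjust TCP MSS fields (here and in the same form for the VLAN interface) define the MSS arithmetically: MSS equals the interface MTU minus the MSS Adjustment Size. The Python below is an added example for this guide, not firewall code; it applies the ranges the text gives (MTU 576-9,192, adjustment 40-300 for IPv4 with default 40, 60-300 for IPv6 with default 60) and works out the adjustment needed when encapsulation adds header bytes. The encapsulation overhead values used at the bottom are constructed samples.

```python
"""Added example: TCP MSS derived from interface MTU and MSS Adjustment Size."""
from typing import Optional

MTU_RANGE = (576, 9192)
# family -> (minimum adjustment, maximum adjustment, default), from the guide
MSS_ADJUSTMENT = {"ipv4": (40, 300, 40), "ipv6": (60, 300, 60)}


def is_valid_mtu(mtu: int) -> bool:
    return MTU_RANGE[0] <= mtu <= MTU_RANGE[1]


def is_valid_adjustment(family: str, adjustment: int) -> bool:
    lo, hi, _ = MSS_ADJUSTMENT[family]
    return lo <= adjustment <= hi


def effective_mss(mtu: int, family: str = "ipv4", adjustment: Optional[int] = None) -> int:
    """MSS the firewall advertises: MTU minus the per-family MSS Adjustment Size."""
    if not is_valid_mtu(mtu):
        raise ValueError(f"MTU {mtu} is outside {MTU_RANGE[0]}-{MTU_RANGE[1]}")
    if adjustment is None:
        adjustment = MSS_ADJUSTMENT[family][2]   # default 40 (IPv4) or 60 (IPv6)
    if not is_valid_adjustment(family, adjustment):
        raise ValueError(f"{family} MSS adjustment {adjustment} is outside the allowed range")
    return mtu - adjustment


def required_adjustment(family: str, encapsulation_bytes: int) -> int:
    """Adjustment size that leaves room for the IP and TCP headers (the family
    minimum) plus extra encapsulation such as an MPLS label or a VLAN tag.
    Raises if the result exceeds the 300-byte maximum the guide allows."""
    lo, hi, _ = MSS_ADJUSTMENT[family]
    adjustment = lo + encapsulation_bytes
    if adjustment > hi:
        raise ValueError("encapsulation overhead exceeds the maximum adjustment; lower the MTU instead")
    return adjustment


def segment_fits(payload_bytes: int, mss: int) -> bool:
    """True when a TCP payload of this size can travel without fragmentation."""
    return payload_bytes <= mss


if __name__ == "__main__":
    print(effective_mss(1500))                       # IPv4 default: 1460
    print(effective_mss(1500, "ipv6"))               # IPv6 default: 1440
    # Constructed sample: 24 bytes of tunnel header plus a 4-byte VLAN tag.
    adj = required_adjustment("ipv4", 24 + 4)
    print(adj, effective_mss(1500, "ipv4", adj))     # 68, 1432
```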
IP (Loopback Interface > IPv4): Click Add, then perform one of the following steps to specify a static IP address and network mask for the interface.
- Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
- Select an existing address object of type IP netmask.
- Click Address to create an address object of type IP netmask.
You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your system uses determines the maximum number of IP addresses.
To delete an IP address, select the address and click Delete.
Interface ID: Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address.
Address: Click Add and configure the following parameters for each IPv6 address:
- Address: Enter an IPv6 address and prefix length (e.g. 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create an address object.
- Enable address on interface: Select to enable the IPv6 address on the interface.
- Use interface ID as host portion: Select to use the Interface ID as the host portion of the IPv6 address.
- Anycast: Select to include routing through the nearest node.
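The Interface ID field (here and in the VLAN interface table above) accepts an EUI-64 and, when left blank, takes the one generated from the physical MAC; with Use interface ID as host portion the firewall then combines it with the configured prefix. The Python below is an added example for this guide, not firewall code. It derives a 64-bit identifier from a 48-bit MAC by inserting FF:FE in the middle and builds the resulting address with the standard library. The guide's sample value 00:26:08:FF:FE:DE:4E:29 corresponds to plain FF:FE insertion without the universal/local bit inversion that RFC 4291 specifies for Modified EUI-64, so the function exposes both forms; which one the firewall generates is not stated here and is left to the caller. The MAC address and prefix used are the guide's sample values.

```python
"""Added example: EUI-64 interface identifiers and 'interface ID as host portion'."""
import ipaddress
from typing import List


def _octets(value: str, count: int) -> List[int]:
    parts = [int(x, 16) for x in value.split(":")]
    if len(parts) != count or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"expected {count} colon-separated hex octets, got {value!r}")
    return parts


def eui64_from_mac(mac: str, modified: bool = True) -> str:
    """Build a 64-bit interface ID from a 48-bit MAC by inserting FF:FE.

    modified=True inverts the universal/local bit (bit 1 of the first octet),
    giving the Modified EUI-64 of RFC 4291; modified=False leaves the MAC
    octets untouched, which is the form of the guide's sample value.
    """
    mac_octets = _octets(mac, 6)
    first = mac_octets[0] ^ 0x02 if modified else mac_octets[0]
    iid = [first, mac_octets[1], mac_octets[2], 0xFF, 0xFE, *mac_octets[3:]]
    return ":".join(f"{o:02X}" for o in iid)


def interface_id_to_int(interface_id: str) -> int:
    """Parse the hexadecimal Interface ID field into a 64-bit integer."""
    return int.from_bytes(bytes(_octets(interface_id, 8)), "big")


def address_from_prefix(prefix: str, interface_id: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with an interface ID, as 'Use interface ID as host
    portion' does. Any host bits given in the prefix argument are discarded."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("using the interface ID as host portion needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | interface_id_to_int(interface_id))


if __name__ == "__main__":
    mac = "00:26:08:DE:4E:29"                     # MAC behind the guide's sample EUI-64
    print(eui64_from_mac(mac, modified=False))    # 00:26:08:FF:FE:DE:4E:29
    print(eui64_from_mac(mac))                    # 02:26:08:FF:FE:DE:4E:29
    print(address_from_prefix("2001:400:f00::1/64", eui64_from_mac(mac)))
```

Because the host portion is derived from the hardware address, an EUI-64 host part exposes the interface's MAC in every packet it sends; a manually entered Interface ID avoids that if it matters on your network.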
Network > Interfaces > Tunnel
Use the following fields to configure a tunnel interface:
Comment: Enter an optional description for the interface.
Netflow Profile: If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.
Virtual System: If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.
Security Zone: Select a security zone for the interface, or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.
MTU: Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.
Address: Click Add and configure the following parameters for each IPv6 address:
- Address: Enter an IPv6 address and prefix length (e.g. 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create an address object.
- Enable address on interface: Select to enable the IPv6 address on the interface.
- Use interface ID as host portion: Select to use the Interface ID as the host portion of the IPv6 address.
- Anycast: Select to include routing through the nearest node.
Network > Virtual Routers
The firewall requires a virtual router to obtain routes to other subnets either using static routes that you manually define, or through participation in Layer 3 routing protocols (dynamic routes). Each Layer 3 interface, loopback interface, and VLAN interface defined on the firewall must be associated with a virtual router. Each interface can belong to only one virtual router.
Defining a virtual router requires general settings and any combination of static routes or dynamic routing protocols, as required by your network. You can also configure other features such as route redistribution and ECMP.
What are you looking for?  See
What are the required elements of a virtual router?  General Settings of a Virtual Router
Configure:
- Static Routes
- Route Redistribution
- RIP
- OSPF
- OSPFv3
- BGP
- IP Multicast
- ECMP
View information about a virtual router.  More Runtime Stats for a Virtual Router
General Settings of a Virtual Router
Network > Virtual Routers > Router Settings > General
All virtual routers require that you assign Layer 3 interfaces and administrative distance metrics as described in the following table.
Virtual Router General Settings  Description
Name: Specify a name to describe the virtual router (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Interfaces: Select the interfaces that you want to include in the virtual router. Thus, they can be used as outgoing interfaces in the virtual router's routing table.
To specify the interface type, refer to Network > Interfaces.
When you add an interface, its connected routes are added automatically.
Administrative Distances: Specify the following administrative distances:
- Static routes: Range is 10-240; default is 10.
- OSPF Int: Range is 10-240; default is 30.
- OSPF Ext: Range is 10-240; default is 110.
- IBGP: Range is 10-240; default is 200.
- EBGP: Range is 10-240; default is 20.
- RIP: Range is 10-240; default is 120.
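The administrative distances above decide which route wins when several sources offer a path to the same destination, and the static-route Metric (described under Static Routes) breaks ties within one source. The Python below is an added example for this guide, not firewall code: it carries the guide's default distances and the 10-240 range, and selects a route per destination by lowest administrative distance first and lowest metric second. That selection order is the usual routing convention and is an assumption here, since the guide only lists the distances; the candidate routes are constructed samples.

```python
"""Added example: route preference by administrative distance, then metric."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default administrative distances from the guide (valid range 10-240 for each).
DEFAULT_DISTANCES: Dict[str, int] = {
    "static": 10, "ospf-int": 30, "ospf-ext": 110, "ibgp": 200, "ebgp": 20, "rip": 120,
}
DISTANCE_RANGE = (10, 240)


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR prefix, e.g. "10.20.0.0/16" (constructed sample values)
    source: str        # key into the distance table
    metric: int        # within-source preference; lower wins
    next_hop: str


def validate_distances(distances: Dict[str, int]) -> Dict[str, int]:
    """Reject any administrative distance outside the 10-240 range the guide allows."""
    for source, value in distances.items():
        if not DISTANCE_RANGE[0] <= value <= DISTANCE_RANGE[1]:
            raise ValueError(f"{source} distance {value} is outside 10-240")
    return distances


def best_route(candidates: List[Route], distances: Optional[Dict[str, int]] = None) -> Route:
    """Pick the route to install for one destination.

    Assumption: lower administrative distance wins; equal distances are decided
    by the lower metric, and a remaining tie keeps the first candidate listed.
    """
    table = validate_distances(distances or DEFAULT_DISTANCES)
    if not candidates:
        raise ValueError("no candidate routes")
    if len({c.destination for c in candidates}) != 1:
        raise ValueError("candidates must share one destination")
    return min(candidates, key=lambda r: (table[r.source], r.metric))


def build_rib(routes: List[Route], distances: Optional[Dict[str, int]] = None) -> Dict[str, Route]:
    """Group routes by destination and keep the preferred one per destination."""
    by_dest: Dict[str, List[Route]] = {}
    for r in routes:
        by_dest.setdefault(r.destination, []).append(r)
    return {dest: best_route(cands, distances) for dest, cands in by_dest.items()}


if __name__ == "__main__":
    sample = [
        Route("10.20.0.0/16", "ospf-ext", 20, "192.0.2.2"),
        Route("10.20.0.0/16", "ebgp", 5, "192.0.2.3"),
        Route("10.20.0.0/16", "static", 10, "192.0.2.1"),
    ]
    print(best_route(sample).next_hop)                                   # static wins: 192.0.2.1
    print(best_route(sample, {**DEFAULT_DISTANCES, "static": 30}).next_hop)  # eBGP wins: 192.0.2.3
```

Raising the static distance above a dynamic protocol's value is how a static route becomes a floating backup that is installed only when the dynamic route disappears.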
Static Routes
Network > Virtual Routers > Static Routes
Optionally add one or more static routes. Click the IP or IPv6 tab to specify the route using an IPv4 or IPv6 address. It is usually necessary to configure default routes (0.0.0.0/0) here. Default routes are applied for destinations that are otherwise not found in the virtual router's routing table.
Static Route Settings  Description
Name: Enter a name to identify the static route (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Destination: Enter an IP address and network mask in Classless Interdomain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24 for IPv4 or 2001:db8::/32 for IPv6).
Interface: Select the interface to forward packets to the destination, or configure the next hop settings, or both.
Next Hop: Select one of the following:
- IP Address: Select to enter the IP address of the next hop router.
- Next VR: Select to select a virtual router in the firewall as the next hop. This allows you to route internally between virtual routers within a single firewall.
- Discard: Select if you want to drop traffic that is addressed to this destination.
- None: Select if there is no next hop for the route.
Admin Distance: Specify the administrative distance for the static route (10-240; default is 10).
Metric: Specify a valid metric for the static route (1-65535).
Route Table: Select the route table into which the firewall installs the static route:
- Unicast: Installs the route into the unicast route table.
- Multicast: Installs the route into the multicast route table.
- Both: Installs the route into the unicast and multicast route tables.
- No Install: Does not install the route in the route table (RIB); the firewall retains the static route for future reference until you delete the route.
BFD Profile: To enable Bidirectional Forwarding Detection (BFD) for a static route on a PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, or VM-Series firewall, select one of the following:
- default (default BFD settings)
- a BFD profile that you have created on the firewall
- New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for the static route.
To use BFD on a static route:
- Both the firewall and the peer at the opposite end of the static route must support BFD sessions.
- The static route Next Hop type must be IP Address and you must enter a valid IP address.
- The Interface setting cannot be None; you must select an interface (even if you are using a DHCP address).
Path Monitoring: Select to enable path monitoring for the static route.
Failure Condition: Select the condition under which the firewall considers the monitored path down and thus the static route down:
- Any: If any one of the monitored destinations for the static route is unreachable by ICMP, the firewall removes the static route from the RIB and FIB and adds the dynamic or static route that has the next lowest metric going to the same destination to the FIB.
- All: If all of the monitored destinations for the static route are unreachable by ICMP, the firewall removes the static route from the RIB and FIB and adds the dynamic or static route that has the next lowest metric going to the same destination to the FIB.
Select All to avoid the possibility of a single monitored destination signaling a static route failure when that monitored destination is simply offline for maintenance, for example.
Preemptive Hold Time (min): Enter the number of minutes a downed path monitor must remain in Up state (the path monitor evaluates all of its member monitored destinations) and must remain Up before the firewall reinstalls the static route into the RIB. If the timer expires without the link going down or flapping, the link is deemed stable, path monitor can remain Up, and the firewall can add the static route back into the RIB.
If the link goes down or flaps during the hold time, path monitor fails and the timer restarts when the downed monitor returns to Up state. A Preemptive Hold Time of zero causes the firewall to reinstall the static route into the RIB immediately upon the path monitor coming up. Range is 0-1,440; default is 2.
Name Enteranameforthemonitoreddestination(upto31characters).
Enable Selecttoenablepathmonitoringofthisspecificdestinationforthestatic
route;thefirewallsendsICMPpingstothisdestination.
SourceIP SelecttheIPaddressthatthefirewallwilluseasthesourceintheICMPping
tothemonitoreddestination:
IftheinterfacehasmultipleIPaddresses,selectone.
Ifyouselectaninterface,thefirewallusesthefirstIPaddressassignedto
theinterfacebydefault.
IfyouselectDHCP (Use DHCP Client address),thefirewallusesthe
addressthatDHCPassignedtotheinterface.ToseetheDHCPaddress,
selectNetwork > Interfaces > Ethernet andintherowfortheEthernet
interface,clickonDynamic DHCP Client.TheIPAddressappearsinthe
DynamicIPInterfaceStatuswindow.
DestinationIP Enterarobust,stableIPaddressoraddressobjectforwhichthefirewallwill
monitorthepath.Themonitoreddestinationandthestaticroutedestination
mustusethesameaddressfamily(IPv4orIPv6)
PingInterval(sec) SpecifytheICMPpingintervalinsecondstodeterminehowfrequentlythe
firewallmonitorsthepath(pingsthemonitoreddestination;rangeis160;
defaultis3).
PingCount SpecifythenumberofconsecutiveICMPpingpacketsthatdonotreturn
fromthemonitoreddestinationbeforethefirewallconsidersthelinkdown.
BasedontheAnyorAllfailurecondition,ifpathmonitoringisinfailedstate,
thefirewallremovesthestaticroutefromtheRIB(rangeis310;defaultis5).
Forexample,aPingIntervalof3secondsandPingCountof5missedpings
(thefirewallreceivesnopinginthelast15seconds)meanspathmonitoring
detectsalinkfailure.Ifpathmonitoringisinfailedstateandthefirewall
receivesapingafter15seconds,thelinkisdeemedup;basedontheAnyor
Allfailurecondition,pathmonitoringtoAnyorAllmonitoreddestinations
canbedeemedup,andthePreemptiveHoldTimestarts.
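The failure-detection and reinstall logic described above (Any/All failure condition, Ping Interval multiplied by Ping Count, and the Preemptive Hold Time) is easy to get wrong when sizing timers, so the following is an added example that simulates it. It is not firewall code from this guide; the class and field names, the tick-per-ping-interval timing model, and the sample destination names are assumptions made for illustration.

```python
"""Static route path monitoring simulation (added example, not PAN-OS code).
Models the Any/All failure condition, the interval x count detection window
and the Preemptive Hold Time; names and the tick-based timing are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class MonitoredDestination:
    name: str
    misses: int = 0  # consecutive ICMP pings with no reply

    def record(self, reply_received: bool) -> None:
        self.misses = 0 if reply_received else self.misses + 1


@dataclass
class StaticRoutePathMonitor:
    failure_condition: str                 # "any" or "all", as in the Failure Condition field
    ping_interval: int = 3                 # seconds between pings (range 1-60)
    ping_count: int = 5                    # consecutive misses that mark a destination down (3-10)
    preemptive_hold_min: int = 2           # minutes the monitor must stay Up before reinstall (0-1,440)
    destinations: List[MonitoredDestination] = field(default_factory=list)
    route_installed: bool = True           # static route present in the RIB/FIB
    up_seconds: int = 0                    # continuous Up time since the last failure

    def detection_seconds(self) -> int:
        """Time needed to declare one destination down: interval x count (3 x 5 = 15 s)."""
        return self.ping_interval * self.ping_count

    def destination_down(self, d: MonitoredDestination) -> bool:
        return d.misses >= self.ping_count

    def monitor_up(self) -> bool:
        if not self.destinations:
            return True
        downs = [self.destination_down(d) for d in self.destinations]
        if self.failure_condition == "any":
            return not any(downs)        # one unreachable destination fails the monitor
        return not all(downs)            # every destination must be unreachable to fail it

    def tick(self, replies: Dict[str, bool]) -> bool:
        """Advance one ping interval with the reply result per destination (a missing
        entry counts as no reply); return whether the route is installed afterwards."""
        for d in self.destinations:
            d.record(replies.get(d.name, False))
        if not self.monitor_up():
            # Failed: pull the route and restart the hold timer once the monitor recovers
            self.route_installed = False
            self.up_seconds = 0
            return False
        if self.route_installed:
            return True
        self.up_seconds += self.ping_interval
        if self.up_seconds >= self.preemptive_hold_min * 60:
            self.route_installed = True   # hold time satisfied (immediately when it is 0)
            self.up_seconds = 0
        return self.route_installed
```

With the defaults, a single destination that stops answering takes 15 seconds to pull the route, and after recovery the route returns only after two uninterrupted minutes; a flap during that window resets the countdown.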
Route Redistribution
Network > Virtual Router > Redistribution Profiles
Redistribution profiles direct the firewall to filter, set priority, and perform actions based on desired network behavior. Route redistribution allows static routes and routes that are acquired by other protocols to be advertised through specified routing protocols.
Redistribution profiles must be applied to routing protocols in order to take effect. Without redistribution rules, each protocol runs separately and does not communicate outside its purview. Redistribution profiles can be added or modified after all routing protocols are configured and the resulting network topology is established.
Apply redistribution profiles to the RIP and OSPF protocols by defining export rules. Apply redistribution profiles to BGP in the Redistribution Rules tab. Refer to the following table.
Redistribution Profile Settings / Description
Priority: Enter a priority (range is 1-255) for this profile. Profiles are matched in order (lowest number first).
Redistribute: Choose whether to perform route redistribution based on the settings in this window.
- Redist: Select to redistribute matching candidate routes. If you select this option, enter a new metric value. A lower metric value means a more preferred route.
- No Redist: Select to not redistribute matching candidate routes.
Type: Select the route types of the candidate route.
Interface: Select the interfaces to specify the forwarding interfaces of the candidate route.
Destination: To specify the destination of the candidate route, enter the destination IP address or subnet (format x.x.x.x or x.x.x.x/n) and click Add. To remove an entry, click Remove.
Next Hop: To specify the gateway of the candidate route, enter the IP address or subnet (format x.x.x.x or x.x.x.x/n) that represents the next hop and click Add. To remove an entry, click Remove.
Path Type: Select the route types of the candidate OSPF route.
Area: Specify the area identifier for the candidate OSPF route. Enter the OSPF area ID (format x.x.x.x), and click Add. To remove an entry, click Remove.
Tag: Specify OSPF tag values. Enter a numeric tag value (1-255), and click Add. To remove an entry, click Remove.
Community: Specify a community for BGP routing policy.
Extended Community: Specify an extended community for BGP routing policy.
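Because profiles are evaluated lowest priority number first, the usual way to keep internal prefixes from leaking into an external protocol is a narrow No Redist profile with a low number ahead of a broad Redist profile. The following is an added example of that evaluation order; it is not PAN-OS code. The first-match semantics, the class and field names, and the sample routes and profiles are assumptions made for illustration.

```python
"""Redistribution profile evaluation (added example, not PAN-OS code).
Profiles are tried in priority order (lowest number first); the first profile whose
Type, Interface, Destination and Next Hop filters all match decides Redist/No Redist.
First-match semantics, names and sample data are assumptions for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass
class Route:
    destination: str   # CIDR prefix
    next_hop: str
    route_type: str    # e.g. "static", "connect", "rip", "ospf", "bgp"
    interface: str
    metric: int


@dataclass
class RedistributionProfile:
    name: str
    priority: int                      # 1-255, lowest evaluated first
    redist: bool                       # True = Redist, False = No Redist
    new_metric: Optional[int] = None   # metric applied when redistributing
    types: Set[str] = field(default_factory=set)           # empty = any
    interfaces: Set[str] = field(default_factory=set)      # empty = any
    destinations: List[str] = field(default_factory=list)  # x.x.x.x or x.x.x.x/n; empty = any
    next_hops: List[str] = field(default_factory=list)     # x.x.x.x or x.x.x.x/n; empty = any

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 255:
            raise ValueError("priority must be 1-255")

    def matches(self, r: Route) -> bool:
        if self.types and r.route_type not in self.types:
            return False
        if self.interfaces and r.interface not in self.interfaces:
            return False
        dest = ip_network(r.destination)
        if self.destinations and not any(
            dest.version == f.version and dest.subnet_of(f)
            for f in map(ip_network, self.destinations)
        ):
            return False
        nh = ip_address(r.next_hop)
        if self.next_hops and not any(nh in ip_network(n) for n in self.next_hops):
            return False
        return True


def select_routes_to_redistribute(routes: List[Route],
                                  profiles: List[RedistributionProfile]) -> Dict[str, int]:
    """Return {destination: metric} for the routes the protocol will export."""
    exported: Dict[str, int] = {}
    for r in routes:
        for p in sorted(profiles, key=lambda p: p.priority):
            if p.matches(r):
                if p.redist:
                    exported[r.destination] = p.new_metric if p.new_metric is not None else r.metric
                break  # a No Redist match stops evaluation: the route is held back
    return exported


# Constructed sample: keep the 10.10.0.0/16 management range out of the external protocol,
# export the other static and connected routes with metric 20, leave OSPF-learned routes alone.
SAMPLE_ROUTES = [
    Route("10.10.5.0/24", "192.0.2.1", "static", "ethernet1/1", 10),
    Route("198.51.100.0/24", "192.0.2.1", "static", "ethernet1/1", 10),
    Route("192.0.2.0/24", "0.0.0.0", "connect", "ethernet1/1", 0),
    Route("172.16.5.0/24", "192.0.2.9", "ospf", "ethernet1/2", 30),
]
SAMPLE_PROFILES = [
    RedistributionProfile("export-static", 20, True, new_metric=20, types={"static", "connect"}),
    RedistributionProfile("deny-mgmt", 10, False, destinations=["10.10.0.0/16"]),
]
```

Note that the deny profile is listed second but evaluated first because of its lower priority number; swapping the two numbers would leak 10.10.5.0/24.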
RIP
Network > Virtual Routers > RIP
Configuring the Routing Information Protocol (RIP) includes the following general settings:
RIP Settings / Description
Enable: Select to enable RIP.
Reject Default Route: (Recommended) Select if you do not want to learn any default routes through RIP.
BFD: To enable Bidirectional Forwarding Detection (BFD) for RIP globally for the virtual router on a PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, or VM-Series firewall, select one of the following:
- default (profile with the default BFD settings)
- a BFD profile that you have created on the firewall
- New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for all RIP interfaces on the virtual router; you cannot enable BFD for a single RIP interface.
In addition, RIP settings on the following tabs must be configured:
- Interfaces: See RIP Interfaces Tab.
- Timers: See RIP Timers Tab.
- Auth Profiles: See RIP Auth Profiles Tab.
- Export Rules: See RIP Export Rules Tab.
RIP Interfaces Tab
Network > Virtual Routers > RIP > Interfaces
Use the following fields to configure RIP interfaces:
RIP Interface Settings / Description
Interface: Select the interface that runs the RIP protocol.
Enable: Select to enable these settings.
Advertise: Select to enable advertisement of a default route to RIP peers with the specified metric value.
Metric: Specify a metric value for the router advertisement. This field is visible only if you enable Advertise.
Auth Profile: Select the profile.
Mode: Select normal, passive, or send-only.
BFD: To enable BFD for a RIP interface (and thereby override the BFD setting for RIP, as long as BFD is not disabled for RIP at the virtual router level), select one of the following:
- default (profile with the default BFD settings)
- a BFD profile that you created on the firewall
- New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for the RIP interface.
RIP Timers Tab
Network > Virtual Router > RIP > Timers
The following table describes the timers that control RIP route updates and expirations.
RIP Timer Settings / Description
RIP Timing
Interval Seconds (sec): Define the length of the timer interval in seconds. This duration is used for the remaining RIP timing fields (range is 1-60).
Update Intervals: Enter the number of intervals between route update announcements (range is 1-3,600).
Expire Intervals: Enter the number of intervals between the time that the route was last updated to its expiration (range is 1-3,600).
Delete Intervals: Enter the number of intervals between the time that the route expires to its deletion (range is 1-3,600).
RIP Auth Profiles Tab
Network > Virtual Router > RIP > Auth Profiles
By default, the firewall does not authenticate RIP messages between neighbors. To authenticate RIP messages between neighbors, create an authentication profile and apply it to an interface running RIP on a virtual router. The following table describes the settings for the Auth Profiles tab.
RIP Auth Profile Settings / Description
Profile Name: Enter a name for the authentication profile to authenticate RIP messages.
Password Type: Select the type of password (Simple or MD5). A Simple password is carried in cleartext in every RIP message, so anyone on the segment can read it; use MD5 unless a neighbor supports nothing else.
- If you select Simple, enter the simple password and then confirm.
- If you select MD5, enter one or more password entries, including Key-ID (0-255), Key, and optional Preferred status. Click Add for each entry, and then click OK. To specify the key to be used to authenticate outgoing messages, select the Preferred option.
RIP Export Rules Tab
Network > Virtual Router > RIP > Export Rules
RIP export rules allow you to control which routes the virtual router sends to peers.
RIP Export Rules Settings / Description
Allow Redistribute Default Route: Select to permit the firewall to redistribute its default route to peers.
Redistribution Profile: Click Add and select or create a redistribution profile that allows you to modify route redistribution, filter, priority, and action based on the desired network behavior. Refer to Route Redistribution.
OSPF
Network > Virtual Router > OSPF
Configuring the Open Shortest Path First (OSPF) protocol requires you to configure the following general settings (except BFD, which is optional):
OSPF Settings / Description
Enable: Select to enable the OSPF protocol.
Reject Default Route: (Recommended) Select if you do not want to learn any default routes through OSPF.
Router ID: Specify the router ID associated with the OSPF instance in this virtual router. The OSPF protocol uses the router ID to uniquely identify the OSPF instance.
BFD: To enable Bidirectional Forwarding Detection (BFD) for OSPF globally for the virtual router on a PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, or VM-Series firewall, select one of the following:
- default (default BFD settings)
- a BFD profile that you have created on the firewall
- New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for all OSPF interfaces on the virtual router; you cannot enable BFD for a single OSPF interface.
In addition, you must configure OSPF settings on the following tabs:
- Areas: See OSPF Areas Tab.
- Auth Profiles: See OSPF Auth Profiles Tab.
- Export Rules: See OSPF Export Rules Tab.
- Advanced: See OSPF Advanced Tab.
OSPF Areas Tab
Network > Virtual Router > OSPF > Areas
The following fields describe the OSPF area settings:
OSPF Areas Settings / Description
Areas
Area ID: Configure the area over which the OSPF parameters can be applied. Enter an identifier for the area in x.x.x.x format. This is the identifier that each neighbor must accept to be part of the same area.
Type: Select one of the following options.
- Normal: There are no restrictions; the area can carry all types of routes.
- Stub: There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, select Accept Summary if you want to accept this type of link state advertisement (LSA) from other areas. Also, specify whether to include a default route LSA in advertisements to the stub area along with the associated metric value (range is 1-255). If the Accept Summary option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
- NSSA (Not So Stubby Area): It is possible to leave the area directly, but only by routes other than OSPF routes. If you select this option, select Accept Summary if you want to accept this type of LSA. Select Advertise Default Route to specify whether to include a default route LSA in advertisements to the stub area along with the associated metric value (1-255). Also, select the route type used to advertise the default LSA. Click Add in the External Ranges section and enter ranges if you want to enable or suppress advertising external routes that are learned through NSSA to other areas.
Range: Click Add to aggregate LSA destination addresses in the area into subnets. Enable or suppress advertising LSAs that match the subnet, and click OK. Repeat to add additional ranges.
Interface: Add an interface to be included in the area and enter the following information:
- Interface: Choose the interface.
- Enable: Cause the OSPF interface settings to take effect.
- Passive: Select if you do not want the OSPF interface to send or receive OSPF packets. Although OSPF packets are not sent or received if you choose this option, the interface is included in the LSA database.
- Link type: Choose Broadcast if you want all neighbors that are accessible through the interface to be discovered automatically by multicasting OSPF hello messages, such as an Ethernet interface. Choose p2p (point-to-point) to automatically discover the neighbor. Choose p2mp (point-to-multipoint) when neighbors must be defined manually. Defining neighbors manually is allowed only for p2mp mode.
- Metric: Enter the OSPF metric for this interface (0-65,535).
- Priority: Enter the OSPF priority for this interface (0-255). It is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) according to the OSPF protocol. When the value is zero, the router will not be elected as a DR or BDR.
- Auth Profile: Select a previously defined authentication profile.
- BFD: To enable Bidirectional Forwarding Detection (BFD) for an OSPF peer interface (and thereby override the BFD setting for OSPF, as long as BFD is not disabled for OSPF at the virtual router level), select one of the following: default (default BFD settings); a BFD profile that you have created on the firewall; or New BFD Profile to create a new BFD profile. Select None (Disable BFD) to disable BFD for the OSPF peer interface.
- Hello Interval (sec): Interval, in seconds, at which the OSPF process sends hello packets to its directly connected neighbors (range is 0-3,600; default is 10).
- Dead Counts: Number of times the hello interval can occur for a neighbor without OSPF receiving a hello packet from the neighbor, before OSPF considers that neighbor down. The Hello Interval multiplied by the Dead Counts equals the value of the dead timer (range is 3-20; default is 4).
- Retransmit Interval (sec): Length of time, in seconds, that OSPF waits for a neighbor to acknowledge a link state advertisement (LSA) before OSPF retransmits the LSA (range is 0-3,600; default is 10).
- Transit Delay (sec): Length of time, in seconds, that an LSA is delayed before it is sent out of an interface (range is 0-3,600; default is 1).
Virtual Link: Configure the virtual link settings to maintain or enhance backbone area connectivity. The settings must be defined for area border routers, and must be defined within the backbone area (0.0.0.0). Click Add, enter the following information for each virtual link to be included in the backbone area, and click OK.
- Name: Enter a name for the virtual link.
- Neighbor ID: Enter the router ID of the router (neighbor) on the other side of the virtual link.
- Transit Area: Enter the area ID of the transit area that physically contains the virtual link.
- Enable: Select to enable the virtual link.
- Timing: It is recommended that you keep the default timing settings.
- Auth Profile: Select a previously defined authentication profile.
OSPF Auth Profiles Tab
Network > Virtual Router > OSPF > Auth Profiles
The following fields describe the OSPF authentication profile settings:
OSPF Auth Profile Settings / Description
Profile Name: Enter a name for the authentication profile. To authenticate the OSPF messages, first define the authentication profiles and then apply them to interfaces on the OSPF tab.
Password Type: Select the type of password (Simple or MD5). A Simple password is carried in cleartext in every OSPF packet on the segment; use MD5 unless a neighbor supports nothing else.
- If you select Simple, enter the password.
- If you select MD5, enter one or more password entries, including Key-ID (0-255), Key, and optional Preferred status. Click Add for each entry, and then click OK. To specify the key to be used to authenticate outgoing messages, select the Preferred option.
OSPF Export Rules Tab
Network > Virtual Router > OSPF > Export Rules
The following table describes the fields to export OSPF routes:
OSPF Export Rules Settings / Description
Allow Redistribute Default Route: Select to permit redistribution of default routes through OSPF.
Name: Select the name of a redistribution profile. The value must be an IP subnet or valid redistribution profile name.
New Path Type: Choose the metric type to apply.
New Tag: Specify a tag for the matched route that has a 32-bit value.
Metric: (Optional) Specify the route metric to be associated with the exported route and used for path selection (range is 1-65,535).
OSPF Advanced Tab
Network > Virtual Router > OSPF > Advanced
The following fields describe RFC 1583 compatibility, OSPF timers, and graceful restart:
OSPF Advanced Settings / Description
RFC 1583 Compatibility: Select to ensure compatibility with RFC 1583 (OSPF Version 2).
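The RIP and OSPF MD5 auth profiles above share one model: a key ring in which each entry has a Key-ID (0-255) and a Key, the Preferred entry signs outgoing messages, and any configured Key-ID can verify incoming ones, which is what allows a key to be rotated without dropping adjacencies. The following is an added example of that model; it is not firewall code. The digest construction (MD5 over the message followed by the secret zero-padded to 16 bytes) follows RFC 2082 for RIPv2 and RFC 2328 Appendix D for OSPFv2; the trailer layout, class names and sample secrets are simplified assumptions, not either protocol's exact wire format.

```python
"""Keyed-MD5 neighbor authentication with a Key-ID ring (added example, not
firewall code). Digest = MD5(message || secret padded with zeros to 16 bytes),
as in RFC 2082 / RFC 2328 Appendix D; the trailer layout is an assumption."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

KEY_LEN = 16      # secrets are truncated/zero-padded to 16 bytes before hashing
DIGEST_LEN = 16


@dataclass
class Md5Key:
    key_id: int        # Key-ID 0-255
    secret: bytes      # the configured Key; never transmitted
    preferred: bool = False


class Md5KeyRing:
    def __init__(self, keys: List[Md5Key]) -> None:
        if not keys:
            raise ValueError("auth profile needs at least one key")
        for k in keys:
            if not 0 <= k.key_id <= 255:
                raise ValueError("Key-ID must be 0-255")
        self.keys: Dict[int, Md5Key] = {k.key_id: k for k in keys}
        preferred = [k for k in keys if k.preferred]
        self.outbound = preferred[0] if preferred else keys[0]   # Preferred signs outgoing messages

    @staticmethod
    def _digest(data: bytes, secret: bytes) -> bytes:
        padded = secret[:KEY_LEN].ljust(KEY_LEN, b"\x00")
        return hashlib.md5(data + padded).digest()

    def sign(self, payload: bytes, seq: int) -> bytes:
        """Append Key-ID (1 byte), sequence number (4 bytes) and the 16-byte digest."""
        k = self.outbound
        body = payload + bytes([k.key_id]) + seq.to_bytes(4, "big")
        return body + self._digest(body, k.secret)

    def verify(self, wire: bytes, last_seq: int) -> Tuple[bool, int]:
        """Return (accepted, new_last_seq). Unknown Key-ID, wrong digest, or a
        sequence number older than the last accepted one (replay) is rejected."""
        if len(wire) < 1 + 4 + DIGEST_LEN:
            return False, last_seq
        body, received = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
        key_id = body[-5]
        seq = int.from_bytes(body[-4:], "big")
        k = self.keys.get(key_id)
        if k is None or seq < last_seq:
            return False, last_seq
        if not hmac.compare_digest(self._digest(body, k.secret), received):
            return False, last_seq
        return True, seq
```

To rotate a key, add the new Key-ID on every neighbor first, mark it Preferred on each side once all of them have it, and only then delete the old entry; the ring accepts both during the transition. Keyed MD5 is what these protocols offer, and it is far better than a Simple password, but the sequence number only stops replay of older messages, so keep the secrets long and random.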
OSPFv3
Network > Virtual Router > OSPFv3
Configuring the Open Shortest Path First v3 (OSPFv3) protocol requires configuring the first three settings in the following table (BFD is optional):
OSPFv3 Settings / Description
Enable: Select to enable the OSPFv3 protocol.
Reject Default Route: Select if you do not want to learn any default routes through OSPFv3.
Router ID: Specify the router ID associated with the OSPFv3 instance in this virtual router. The OSPFv3 protocol uses the router ID to uniquely identify the OSPFv3 instance.
BFD: To enable Bidirectional Forwarding Detection (BFD) for OSPFv3 globally for the virtual router on a PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, or VM-Series firewall, select one of the following:
- default (default BFD settings)
- a BFD profile that you have created on the firewall
- New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for all OSPFv3 interfaces on the virtual router; you cannot enable BFD for a single OSPFv3 interface.
In addition, configure OSPFv3 settings on the following tabs:
- Areas: See OSPFv3 Areas Tab.
- Auth Profiles: See OSPFv3 Auth Profiles Tab.
- Export Rules: See OSPFv3 Export Rules Tab.
- Advanced: See OSPFv3 Advanced Tab.
OSPFv3 Areas Tab
Network > Virtual Router > OSPFv3 > Areas
The following fields describe OSPFv3 areas:
OSPFv3 Areas Settings / Description
Authentication: Select the name of the authentication profile that you want to specify for this OSPFv3 area.
Type: Select one of the following:
- Normal: There are no restrictions; the area can carry all types of routes.
- Stub: There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, select Accept Summary if you want to accept this type of link state advertisement (LSA) from other areas. Also, specify whether to include a default route LSA in advertisements to the stub area along with the associated metric value (1-255). If the Accept Summary option on a stub area Area Border Router (ABR) interface is disabled, the OSPFv3 area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
- NSSA (Not So Stubby Area): It is possible to leave the area directly, but only by routes other than OSPF routes. If you select this option, select Accept Summary if you want to accept this type of LSA. Specify whether to include a default route LSA in advertisements to the stub area along with the associated metric value (1-255). Also, select the route type used to advertise the default LSA. Click Add in the External Ranges section and enter ranges if you want to enable or suppress advertising external routes that are learned through NSSA to other areas.
Range: Click Add to aggregate LSA destination IPv6 addresses in the area by subnet. Enable or suppress advertising LSAs that match the subnet, and click OK. Repeat to add additional ranges.
Interface: Click Add and enter the following information for each interface to be included in the area, and click OK.
- Interface: Choose the interface.
- Enable: Cause the OSPFv3 interface settings to take effect.
- Instance ID: Enter an OSPFv3 instance ID number.
- Passive: Select if you do not want the OSPFv3 interface to send or receive OSPFv3 packets. Although OSPFv3 packets are not sent or received if you choose this option, the interface is included in the LSA database.
- Link type: Choose Broadcast if you want all neighbors that are accessible through the interface to be discovered automatically by multicasting OSPFv3 hello messages, such as an Ethernet interface. Choose p2p (point-to-point) to automatically discover the neighbor. Choose p2mp (point-to-multipoint) when neighbors must be defined manually. Defining neighbors manually is allowed only for p2mp mode.
- Metric: Enter the OSPFv3 metric for this interface (0-65,535).
- Priority: Enter the OSPFv3 priority for this interface (0-255). It is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) according to the OSPF protocol. When the value is zero, the router will not be elected as a DR or BDR.
- Auth Profile: Select a previously defined authentication profile.
- BFD: To enable Bidirectional Forwarding Detection (BFD) for an OSPFv3 peer interface (and thereby override the BFD setting for OSPFv3, as long as BFD is not disabled for OSPFv3 at the virtual router level), select one of the following: default (default BFD settings); a BFD profile that you have created on the firewall; or New BFD Profile to create a new BFD profile. Select None (Disable BFD) to disable BFD for the OSPFv3 peer interface.
- Hello Interval (sec): Interval, in seconds, at which the OSPFv3 process sends hello packets to its directly connected neighbors (range is 0-3,600; default is 10).
- Dead Counts: Number of times the hello interval can occur for a neighbor without OSPFv3 receiving a hello packet from the neighbor, before OSPFv3 considers that neighbor down. The Hello Interval multiplied by the Dead Counts equals the value of the dead timer (range is 3-20; default is 4).
- Retransmit Interval (sec): Length of time, in seconds, that OSPFv3 waits for a neighbor to acknowledge a link state advertisement (LSA) before OSPFv3 retransmits the LSA (range is 0-3,600; default is 10).
- Transit Delay (sec): Length of time, in seconds, that an LSA is delayed before the firewall sends it out of an interface (range is 0-3,600; default is 1).
Virtual Links: Configure the virtual link settings to maintain or enhance backbone area connectivity. The settings must be defined for area border routers, and must be defined within the backbone area (0.0.0.0). Click Add, enter the following information for each virtual link to be included in the backbone area, and click OK.
- Name: Enter a name for the virtual link.
- Instance ID: Enter an OSPFv3 instance ID number.
- Neighbor ID: Enter the router ID of the router (neighbor) on the other side of the virtual link.
- Transit Area: Enter the area ID of the transit area that physically contains the virtual link.
- Enable: Select to enable the virtual link.
- Timing: It is recommended that you keep the default timing settings.
- Auth Profile: Select a previously defined authentication profile.
OSPFv3 Auth Profiles Tab
Network > Virtual Router > OSPFv3 > Auth Profiles
Use the following fields to configure authentication for OSPFv3.
OSPFv3 Auth Profile Settings / Description
Profile Name: Enter a name for the authentication profile. To authenticate the OSPFv3 messages, first define the authentication profiles and then apply them to interfaces on the OSPFv3 tab.
SPI: Specify the security parameter index (SPI) for packet traversal from the remote firewall to the peer.
Protocol: Specify either of the following protocols:
- ESP: Encapsulating Security Payload protocol.
- AH: Authentication Header protocol.
Crypto Algorithm: Specify one of the following:
- None: No crypto algorithm will be used (the packets carry no integrity protection; avoid this setting).
- SHA1 (default): Secure Hash Algorithm 1.
- SHA256: SHA-2 family hash with a 256-bit digest.
- SHA384: SHA-2 family hash with a 384-bit digest.
- SHA512: SHA-2 family hash with a 512-bit digest.
- MD5: The MD5 message digest algorithm.
Prefer a SHA-2 algorithm where every peer supports it; MD5 and SHA1 remain only for interoperability with older peers.
Key/Confirm Key: Enter and confirm an authentication key.
Encryption (ESP protocol only): Specify one of the following:
- 3des (default): Applies the Triple Data Encryption Algorithm (3DES) using three cryptographic keys of 56 bits.
- aes-128-cbc: Applies the Advanced Encryption Standard (AES) using cryptographic keys of 128 bits.
- aes-192-cbc: Applies the Advanced Encryption Standard (AES) using cryptographic keys of 192 bits.
- aes-256-cbc: Applies the Advanced Encryption Standard (AES) using cryptographic keys of 256 bits.
- null: No encryption is used.
Prefer an AES option over the 3DES default where the peers support it.
Key/Confirm Key: Enter and confirm an encryption key.
OSPFv3 Export Rules Tab
Network > Virtual Router > OSPFv3 > Export Rules
Use the following fields to export OSPFv3 routes.
OSPFv3 Export Rules Settings / Description
Allow Redistribute Default Route: Select to permit redistribution of default routes through OSPFv3.
Name: Select the name of a redistribution profile. The value must be an IP subnet or valid redistribution profile name.
New Path Type: Choose the metric type to apply.
New Tag: Specify a tag for the matched route that has a 32-bit value.
Metric: (Optional) Specify the route metric to be associated with the exported route and used for path selection (range is 1-65,535).
OSPFv3 Advanced Tab
Network > Virtual Router > OSPFv3 > Advanced
Use the following fields to disable transit routing for SPF calculations, configure OSPFv3 timers, and configure graceful restart for OSPFv3.
OSPFv3 Advanced Settings / Description
Disable Transit Routing for SPF Calculation: Select if you want to clear the R-bit (router bit) in router LSAs sent from this firewall, which indicates that the firewall is not an active transit router. In this state, the firewall participates in OSPFv3 but other routers do not send transit traffic through it; traffic to the firewall's own addresses is still forwarded to it. This is useful while performing maintenance in a dual-homed network because traffic can be rerouted around the firewall while it can still be reached.
BGP
Network > Virtual Router > BGP
Configuring Border Gateway Protocol (BGP) requires you to configure Basic BGP Settings to enable BGP and configure the Router ID and AS Number as described in the following table. In addition, you must configure a BGP peer as part of a BGP peer group.
Configure the remaining BGP settings on the following tabs as needed for your network:
- General: See BGP General Tab.
- Advanced: See BGP Advanced Tab.
- Peer Group: See BGP Peer Group Tab.
- Import: See BGP Import and Export Tabs.
- Export: See BGP Import and Export Tabs.
- Conditional Adv: See BGP Conditional Adv Tab.
- Aggregate: See BGP Aggregate Tab.
- Redist Rules: See BGP Redist Rules Tab.
Basic BGP Settings
To use BGP on a virtual router, you must enable BGP and configure the Router ID and AS Number; enabling BFD is optional.
Router ID: Enter the IP address to assign to the virtual router.
AS Number: Enter the number of the AS to which the virtual router belongs, based on the router ID (range is 1-4,294,967,295).
BFD: To enable Bidirectional Forwarding Detection (BFD) for BGP globally for the virtual router on a PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, or VM-Series firewall, select one of the following:
- default (default BFD settings)
- an existing BFD profile on the firewall
- New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for all BGP interfaces on the virtual router; you cannot enable BFD for a single BGP interface.
If you enable or disable BFD globally, all interfaces running BGP are taken down and brought back up with the BFD function, which can disrupt BGP traffic. Therefore, enable BFD on BGP interfaces during an off-peak time when reconvergence does not impact production traffic.
BGP General Tab
Network > Virtual Router > BGP > General
Use the following fields to configure general BGP settings.
Install Route: Select to install BGP routes in the global routing table.
Aggregate MED: Select to enable route aggregation even when routes have different Multi-Exit Discriminator (MED) values.
Default Local Preference: Specifies a value that the firewall can use to determine preferences among different paths.
AS Format: Select the 2-byte (default) or 4-byte format. This setting is configurable for interoperability purposes.
Always Compare MED: Enable MED comparison for paths from neighbors in different autonomous systems.
Deterministic MED Comparison: Enable MED comparison to choose between routes that are advertised by iBGP peers (BGP peers in the same autonomous system).
Auth Profiles: Add a new auth profile and configure the following settings:
- Profile Name: Enter a name to identify the profile.
- Secret/Confirm Secret: Enter and confirm a passphrase for BGP peer communications.
Delete profiles when you no longer need them.
BGP Advanced Tab
Network > Virtual Router > BGP > Advanced
Advanced BGP settings include a variety of capabilities. You can run ECMP over multiple BGP autonomous systems. You can require eBGP peers to list their own AS as the first AS in an AS_PATH attribute (to prevent spoofed Update packets). You can configure BGP graceful restart, a means by which BGP peers indicate whether they can preserve forwarding state during a BGP restart to minimize the consequences of routes flapping (going up and down). You can configure route reflectors and AS confederations, which are two methods to avoid having a full mesh of BGP peerings in an AS. You can configure route dampening to prevent unnecessary router convergence when a BGP network is unstable and routes are flapping.
Enforce First AS for EBGP: Causes the firewall to drop an incoming Update packet from an eBGP peer that does not list the eBGP peer's own AS number as the first AS number in the AS_PATH attribute. This prevents BGP from further processing a spoofed or erroneous Update packet that arrives from an AS other than a neighboring AS. Default is enabled.
Graceful Restart: Activate the graceful restart option.
- Stale Route Time: Specify the length of time, in seconds, that a route can stay in the stale state (range is 1-3,600; default is 120).
- Local Restart Time: Specify the length of time, in seconds, that the firewall takes to restart. This value is advertised to peers (range is 1-3,600; default is 120).
- Max Peer Restart Time: Specify the maximum length of time, in seconds, that the firewall accepts as a grace period restart time for peer devices (range is 1-3,600; default is 120).
Reflector Cluster ID: Specify an IPv4 identifier to represent the reflector cluster. A route reflector (router) in an AS performs the role of re-advertising routes it learned to its peers (rather than requiring full mesh connectivity with all peers sending routes to each other). The route reflector simplifies configuration.
Confederation Member AS: Specify the identifier for the AS confederation to be presented as a single AS to external BGP peers. Use a BGP confederation to divide autonomous systems into sub-autonomous systems and reduce full-mesh peering.
BGP Peer Group Tab
Network > Virtual Router > BGP > Peer Group
A BGP peer group is a collection of BGP peers that share settings, such as the type of peer group (EBGP, for example), or the setting to remove private AS numbers from the AS_PATH list that the virtual router sends in Update packets. BGP peer groups save you from having to configure multiple peers with the same settings. You must configure at least one BGP peer group in order to configure the BGP peers that belong to the group.
Enable: Select to activate the peer group.
Aggregated Confed AS Path: Select to include a path to the configured aggregated confederation AS.
Soft Reset with Stored Info: Select to perform a soft reset of the firewall after updating the peer settings.
Type: Specify the type of peer or group and configure the associated settings (see below in this table for descriptions of Import Next Hop and Export Next Hop).
- IBGP: Specify the following: Export Next Hop.
- EBGP Confed: Specify the following: Export Next Hop.
- IBGP Confed: Specify the following: Export Next Hop.
- EBGP: Specify the following: Import Next Hop; Export Next Hop; Remove Private AS (select if you want to force BGP to remove private AS numbers from the AS_PATH attribute).
Import Next Hop: Choose an option for next hop import:
- Original: Use the Next Hop address provided in the original route advertisement.
- Use Peer: Use the peer's IP address as the Next Hop address.
Export Next Hop: Choose an option for next hop export:
- Resolve: Resolve the Next Hop address using the Forwarding Information Base (FIB).
- Original: Use the Next Hop address provided in the original route advertisement.
- Use Self: Replace the Next Hop address with the virtual router's IP address to ensure that it will be in the forwarding path.
Remove Private AS: Select to remove private autonomous systems from the AS_PATH list.
Peer AS: Specify the autonomous system (AS) of the peer.
Address Family Type: Select either the IPv4 or IPv6 address family that BGP sessions with this peer will support.
Subsequent Address Family: Select either the Unicast or Multicast subsequent address family protocol that the BGP sessions with this peer will carry.
Local Address Interface: Choose a firewall interface.
Local Address IP: Choose a local IP address.
Peer Address IP: Specify the IP address and port of the peer.
Multi Hop: Set the time-to-live (TTL) value in the IP header (range is 1-255; default is 0). The default value of 0 means 2 for eBGP and 255 for iBGP.
Open Delay Time: Specify the delay time between opening the peer TCP connection and sending the first BGP open message (range is 0-240 seconds; default is 0 seconds).
Hold Time: Specify the period of time that may elapse between successive KEEPALIVE or UPDATE messages from a peer before the peer connection is closed (range is 3-3,600 seconds; default is 90 seconds).
Idle Hold Time: Specify the time to wait in the idle state before retrying connection to the peer (range is 1-3,600 seconds; default is 15 seconds).
Incoming Connections Remote Port: Specify the incoming port number and select Allow to allow traffic to this port.
Outgoing Connections Local Port: Specify the outgoing port number and select Allow to allow traffic from this port.
Peering Type: Specify a Bilateral peer or leave Unspecified.
Max Prefixes: Specify the maximum number of supported IP prefixes (1-100,000 or unlimited).
Enable Sender Side Loop Detection: Enable to cause the firewall to check the AS_PATH attribute of a route in its FIB before it sends the route in an update, to ensure that the peer AS number is not on the AS_PATH list. If it is, the firewall removes the route from the update to prevent a loop. Usually the receiver does loop detection, but this optimization feature has the sender do loop detection.
BFD: To enable Bidirectional Forwarding Detection (BFD) for a BGP peer (and thereby override the BFD setting for BGP, as long as BFD is not disabled for BGP at the virtual router level), select the default profile (default BFD settings), an existing BFD profile, Inherit-vr-global-setting (to inherit the global BGP BFD profile), or New BFD Profile (to create a new BFD profile). Disable BFD disables BFD for the BGP peer.
If you enable or disable BFD globally, all interfaces running BGP will be taken down and brought back up with the BFD function. This can disrupt all BGP traffic. When you enable BFD on the interface, the firewall will stop the BGP connection to the peer to program BFD on the interface. The peer device will see the BGP connection drop, which can result in a reconvergence that impacts production traffic. Therefore, enable BFD on BGP interfaces during an off-peak time when a reconvergence will not impact production traffic.
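Three of the options above act on the AS_PATH attribute: Enforce First AS for EBGP (Advanced tab) on inbound Updates, and Remove Private AS and Enable Sender Side Loop Detection (Peer Group tab) on outbound ones. The following is an added example of all three checks; it is not PAN-OS code. It models AS_PATH as a flat list of AS numbers (a single AS_SEQUENCE, no AS_SET segments), uses the RFC 6996 private-use ranges, and the function names and sample AS numbers are assumptions made for illustration.

```python
"""AS_PATH checks for the BGP options above (added example, not PAN-OS code):
Enforce First AS on inbound eBGP Updates, Remove Private AS and sender-side loop
detection on outbound ones. AS_PATH is a flat list; names are assumptions."""
from typing import List, Optional

# RFC 6996 private-use AS number ranges (16-bit and 32-bit)
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def accept_update(as_path: List[int], peer_as: int, peer_type: str,
                  enforce_first_as: bool = True) -> bool:
    """Inbound check. With Enforce First AS for EBGP enabled, an Update from an eBGP
    peer whose leftmost AS is not the peer's own AS is dropped (spoofed or
    mis-originated path). An empty AS_PATH from an eBGP peer is dropped as well."""
    if peer_type != "ebgp" or not enforce_first_as:
        return True
    return bool(as_path) and as_path[0] == peer_as


def remove_private_as(as_path: List[int]) -> List[int]:
    """Remove Private AS: strip private-use AS numbers before advertising to an eBGP peer."""
    return [asn for asn in as_path if not is_private_asn(asn)]


def sender_side_loop_ok(as_path: List[int], peer_as: int) -> bool:
    """Sender Side Loop Detection: a route whose AS_PATH already contains the peer's
    AS would be rejected by the peer anyway, so do not send it."""
    return peer_as not in as_path


def build_outbound_path(as_path: List[int], local_as: int, peer_as: int,
                        remove_private: bool = False,
                        loop_detection: bool = True) -> Optional[List[int]]:
    """AS_PATH to send to an eBGP peer, or None when the route must be left out of the Update."""
    if loop_detection and not sender_side_loop_ok(as_path, peer_as):
        return None
    path = remove_private_as(as_path) if remove_private else list(as_path)
    return [local_as] + path   # eBGP prepends the local AS when advertising
```

Enforce First AS is the inbound counterpart of Remove Private AS: the first drops paths that could not have come from the neighbor, the second keeps your own private numbering from reaching the neighbor's table.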
BGP Import and Export Tabs
Network > Virtual Router > BGP > Import
Network > Virtual Router > BGP > Export
Add a new Import or Export rule to import or export BGP routes. The first group of fields selects the routes the rule matches; the second group sets attributes on matched routes and applies only if the action is Allow.
Used By: Select the peer groups that will use this rule.
Community Regular Expression: Specify a regular expression for filtering of community strings.
Extended Community Regular Expression: Specify a regular expression for filtering of extended community strings.
MED (match): Specify a Multi-Exit Discriminator value for route filtering in the range 0-4,294,967,295.
Address Prefix: Specify IP addresses or prefixes for route filtering.
Next Hop (match): Specify next hop routers or subnets for route filtering.
From Peer: Specify peer routers for route filtering.
Local Preference: Specify a local preference metric, only if the action is Allow.
MED (action): Specify a MED value, only if the action is Allow (0-65,535).
Weight: Specify a weight value, only if the action is Allow (0-65,535).
Next Hop (action): Specify a next hop router, only if the action is Allow.
Origin: Specify the path type of the originating route: IGP, EGP, or incomplete, only if the action is Allow.
AS Path Limit: Specify an AS path limit, only if the action is Allow.
Delete rules when you no longer need them or Clone a rule when appropriate. You can also select rules and Move Up or Move Down to change their order.
BGP Conditional Adv Tab
Network > Virtual Router > BGP > Conditional Adv
A BGP conditional advertisement allows you to control which route to advertise in the event that a preferred route is not available in the local BGP routing table (Loc-RIB), indicating a peering or reachability failure. This is useful where you want to try to force routes to one AS over another, such as when you have links to the internet through multiple ISPs and you want traffic to be routed to one provider instead of the other except when there is a loss of connectivity to the preferred provider.
For conditional advertisement, you configure a Non Exist filter that specifies the preferred route(s) (Address Prefix) plus any other attributes that identify the preferred route (such as AS Path Regular Expression). If a route matching the Non Exist filter is not found in the local BGP routing table, only then will the firewall allow advertisement of the alternate route (the route to the other, non-preferred provider) as specified in its Advertise filter.
To configure conditional advertisement, select the Conditional Adv tab, Add a conditional advertisement, and configure the values described in the following table.
Used By: Add the peer groups that will use this conditional advertisement policy rule.

Non Exist Filters
Enable: Select to activate the Non Exist filter.
AS Path Regular Expression: Specify a regular expression for filtering AS paths.
Community Regular Expression: Specify a regular expression for filtering community strings.
Extended Community Regular Expression: Specify a regular expression for filtering extended community strings.
MED: Specify a MED value for route filtering (range is 0 to 4,294,967,295).
Route Table: Specify which route table (unicast, multicast, or both) the firewall will search to see if the matched route is present. If the matched route is not present in that route table, only then will the firewall allow the advertisement of the alternate route.
Address Prefix: Add the exact Network Layer Reachability Information (NLRI) prefix for the preferred route(s).
Next Hop: Specify next hop routers or subnets for filtering the route.
From Peer: Specify peer routers for route filtering.

Advertise Filters
Enable: Select to activate the filter.
AS Path Regular Expression: Specify a regular expression for filtering AS paths.
Community Regular Expression: Specify a regular expression for filtering community strings.
Extended Community Regular Expression: Specify a regular expression for filtering extended community strings.
MED: Specify a MED value for route filtering (range is 0 to 4,294,967,295).
Route Table: Specify which route table the firewall uses when a matched route is to be conditionally advertised: unicast, multicast, or both.
Address Prefix: Add the exact Network Layer Reachability Information (NLRI) prefix for the route to be advertised if the preferred route is not available.
Next Hop: Specify next hop routers or subnets for route filtering.
From Peer: Specify peer routers for route filtering.
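The Import/Export match and set fields and the Non Exist/Advertise logic of conditional advertisement, modelled in Python as an added example (this is not PAN-OS code). Assumptions: the AS path regular expression is applied to the AS_PATH rendered as space-separated AS numbers, communities are AS:VAL strings, an Import/Export Address Prefix matches a route equal to or inside a listed prefix while a Conditional Adv Address Prefix matches the exact NLRI, a route matching no rule passes unchanged, and extended communities and the Route Table choice are left out.

```python
import ipaddress
import re
from dataclasses import dataclass, field, replace
from typing import List, Optional


@dataclass
class BgpRoute:
    prefix: str                     # NLRI, for example "203.0.113.0/24"
    next_hop: str
    from_peer: str                  # address of the peer the route was learned from
    as_path: List[int]
    communities: List[str] = field(default_factory=list)   # "AS:VAL" strings
    med: int = 0
    local_pref: int = 100
    weight: int = 0
    origin: str = "igp"             # igp, egp or incomplete
    as_path_limit: Optional[int] = None


def _addr_in(addr: str, entries: List[str]) -> bool:
    """True when nothing is listed (no filtering) or addr is in a listed host/subnet."""
    if not entries:
        return True
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(e, strict=False) for e in entries)


@dataclass
class MatchFilter:
    """Match criteria shared by Import/Export rules and Non Exist/Advertise filters."""
    address_prefix: List[str] = field(default_factory=list)
    next_hop: List[str] = field(default_factory=list)
    from_peer: List[str] = field(default_factory=list)
    as_path_regex: Optional[str] = None    # e.g. "^5000": path starts at AS 5000
    community_regex: Optional[str] = None  # e.g. "500:.*"
    med: Optional[int] = None
    exact_prefix: bool = False             # True for Conditional Adv (exact NLRI)

    def _prefix_ok(self, route: BgpRoute) -> bool:
        if not self.address_prefix:
            return True
        net = ipaddress.ip_network(route.prefix)
        for entry in self.address_prefix:
            want = ipaddress.ip_network(entry, strict=False)
            if net.version != want.version:
                continue
            # Assumption: Import/Export prefix entries match contained routes too
            if net == want or (not self.exact_prefix and net.subnet_of(want)):
                return True
        return False

    def matches(self, route: BgpRoute) -> bool:
        if not self._prefix_ok(route):
            return False
        if not _addr_in(route.next_hop, self.next_hop) or not _addr_in(route.from_peer, self.from_peer):
            return False
        if self.as_path_regex and not re.search(self.as_path_regex, " ".join(map(str, route.as_path))):
            return False
        if self.community_regex and not any(re.search(self.community_regex, c) for c in route.communities):
            return False
        return self.med is None or route.med == self.med


@dataclass
class ImportExportRule:
    match: MatchFilter
    action: str = "allow"           # allow or deny
    local_pref: Optional[int] = None
    med: Optional[int] = None
    weight: Optional[int] = None
    next_hop: Optional[str] = None
    origin: Optional[str] = None
    as_path_limit: Optional[int] = None


def apply_rules(rules: List[ImportExportRule], route: BgpRoute) -> Optional[BgpRoute]:
    """Evaluate ordered Import/Export rules; the first match wins. A denied route
    returns None; an allowed route comes back as a copy with the rule's attribute
    settings applied (the table says they apply only if the action is Allow)."""
    for rule in rules:
        if not rule.match.matches(route):
            continue
        if rule.action != "allow":
            return None
        names = ("local_pref", "med", "weight", "next_hop", "origin", "as_path_limit")
        changes = {n: getattr(rule, n) for n in names if getattr(rule, n) is not None}
        return replace(route, **changes)
    return route   # assumption: a route that matches no rule is left unchanged


def conditional_advertise(loc_rib: List[BgpRoute], non_exist: MatchFilter,
                          advertise: MatchFilter) -> List[BgpRoute]:
    """Only when no route in the local BGP routing table matches the Non Exist
    filter are the routes matching the Advertise filter (the alternate path) sent."""
    if any(non_exist.matches(r) for r in loc_rib):
        return []
    return [r for r in loc_rib if advertise.matches(r)]
```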
BGP Aggregate Tab
Network > Virtual Router > BGP > Aggregate
Route aggregation is the act of combining specific routes (those with a longer prefix length) into a single route (with a shorter prefix length) to reduce routing advertisements that the firewall must send and to have fewer routes in the route table.
Prefix: Enter a summary prefix (IP address/prefix length) that will be used to aggregate the longer prefixes.
Enable: Select to enable this aggregation of routes.
Summary: Select to summarize routes.
AS Set: Select to cause the firewall, for this aggregation rule, to include the set of AS numbers (AS set) in the AS path of the aggregate route. The AS set is the unordered list of the origin AS numbers from the individual routes that are aggregated.
AS Path Regular Expression: Specify a regular expression for AS_PATH to filter which routes will be aggregated, for example, ^5000 means routes learned from AS 5000.
Community Regular Expression: Specify a regular expression for communities to filter which routes will be aggregated, for example, 500:.* matches communities with 500:x.
Extended Community Regular Expression: Specify a regular expression for extended communities to filter which routes will be aggregated.
MED: Specify the MED that filters which routes will be aggregated.
Route Table: Specify which route table to use for aggregated routes that should be suppressed (not advertised): unicast, multicast, or both.
Address Prefix: Enter the IP address that you want to suppress from advertisement.
Next Hop: Enter the next hop address of the BGP prefix that you want to suppress.
From Peer: Enter the IP address of the peer from which the BGP prefix (that you want to suppress) was received.

Advertise Filters
Enable: Select to enable this Advertise Filter.
AS Path Regular Expression: Specify a regular expression for AS_PATH to filter which routes will be advertised.
Community Regular Expression: Specify a regular expression for Community to filter which routes will be advertised.
Extended Community Regular Expression: Specify a regular expression for Extended Community to filter which routes will be advertised.
MED: Specify a MED value to filter which routes will be advertised.
Route Table: Specify which route table to use for an Advertise Filter of aggregate routes: unicast, multicast, or both.
Address Prefix: Enter an IP address that you want BGP to advertise.
Next Hop: Enter the Next Hop address of the IP address you want BGP to advertise.
From Peer: Enter the IP address of the peer from which the prefix was received, that you want BGP to advertise.

Weight: Weight in the range 0 to 65,535.
Next Hop: Next Hop IP address.
Origin: Origin of the route: igp, egp, or incomplete.
AS Path Limit: AS Path Limit in the range 1 to 255.
AS Path: Select Type: None or Prepend.
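Route aggregation with an AS set, as described in the Aggregate tab above, written in Python as an added example (not PAN-OS code). Assumptions: the origin AS of a route is the last AS in its AS_PATH, the AS path regular expression is applied to the space-separated AS_PATH, the aggregate is originated locally with an empty AS_PATH (prepending the local AS on export is not modelled), and when Summary is selected the contributing longer prefixes are suppressed.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Route:
    prefix: str
    as_path: List[int]          # ordered AS_PATH; the last AS is the origin AS
    next_hop: str
    as_set: Set[int] = field(default_factory=set)   # populated only on aggregates


@dataclass
class AggregateRule:
    prefix: str                          # summary prefix, for example "10.0.0.0/8"
    enable: bool = True
    summary: bool = True                 # suppress the aggregated longer prefixes
    as_set: bool = False                 # attach the AS set to the aggregate route
    as_path_regex: Optional[str] = None  # for example "^5000": routes learned from AS 5000


def contributes(rule: AggregateRule, route: Route) -> bool:
    """A route is aggregated when it is a longer prefix inside the summary
    prefix and its AS_PATH passes the rule's regular expression filter."""
    net = ipaddress.ip_network(route.prefix)
    summary = ipaddress.ip_network(rule.prefix)
    if net.version != summary.version or net == summary or not net.subnet_of(summary):
        return False
    if rule.as_path_regex and not re.search(rule.as_path_regex, " ".join(map(str, route.as_path))):
        return False
    return True


def aggregate(rule: AggregateRule, routes: List[Route],
              next_hop: str) -> Tuple[Optional[Route], List[Route]]:
    """Return (aggregate route or None, routes still advertised individually).
    With Summary selected the contributing routes are suppressed; otherwise
    they continue to be advertised alongside the aggregate."""
    if not rule.enable:
        return None, list(routes)
    members = [r for r in routes if contributes(rule, r)]
    if not members:
        return None, list(routes)
    agg = Route(rule.prefix, [], next_hop)   # originated here: empty AS_PATH (assumption)
    if rule.as_set:
        # AS set: the unordered set of origin AS numbers of the aggregated routes
        agg.as_set = {r.as_path[-1] for r in members if r.as_path}
    advertised = [r for r in routes if not (rule.summary and r in members)]
    return agg, advertised
```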
BGP Redist Rules Tab
Network > Virtual Router > BGP > Redist Rules
Configure the settings described in the following table to create rules for redistributing BGP routes.
Name: Add an IP subnet or create a redistribution rule first.
Enable: Select to enable this redistribution rule.
Route Table: Specify which route table the route will be redistributed into: unicast, multicast, or both.
Metric: Enter a metric in the range 1 to 65,535.
Set Origin: Select the origin for the redistributed route (igp, egp, or incomplete). The value incomplete indicates a connected route.
Set MED: Enter a MED for the redistributed route in the range 0 to 4,294,967,295.
Set Local Preference: Enter a local preference for the redistributed route in the range 0 to 4,294,967,295.
Set AS Path Limit: Enter an AS path limit for the redistributed route in the range 1 to 255.
Set Community: Select or enter a 32-bit value in decimal or hexadecimal or in AS:VAL format; AS and VAL are each in the range 0 to 65,535. Enter a maximum of 10 communities.
Set Extended Community: Enter a 64-bit value in hexadecimal or in TYPE:AS:VAL or TYPE:IP:VAL format. TYPE is 16 bits; AS or IP is 16 bits; VAL is 32 bits. Enter a maximum of five extended communities.
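A parser and encoder for the value formats the Set Community and Set Extended Community fields accept, including the per-rule count limits, written as an added example (not PAN-OS code). Assumptions: hexadecimal community values carry a 0x prefix, extended community hexadecimal values may or may not, and the TYPE:IP:VAL form is not handled.

```python
import re
from typing import List

MAX_COMMUNITIES = 10          # Set Community accepts at most 10 entries
MAX_EXT_COMMUNITIES = 5       # Set Extended Community accepts at most five

_AS_VAL = re.compile(r"^(\d{1,5}):(\d{1,5})$")
_TYPE_AS_VAL = re.compile(r"^(\d{1,5}):(\d{1,5}):(\d{1,10})$")


def _check(value: int, bits: int, what: str) -> int:
    """Reject values that do not fit the field width the guide gives."""
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{what} must fit in {bits} bits, got {value}")
    return value


def parse_community(text: str) -> int:
    """Decimal, hexadecimal (0x...) or AS:VAL -> 32-bit community value."""
    m = _AS_VAL.match(text)
    if m:
        asn = _check(int(m.group(1)), 16, "AS")
        val = _check(int(m.group(2)), 16, "VAL")
        return (asn << 16) | val
    # base 0 accepts plain decimal and 0x-prefixed hexadecimal (assumed hex form)
    return _check(int(text, 0), 32, "community")


def format_community(value: int) -> str:
    """32-bit value -> AS:VAL text."""
    _check(value, 32, "community")
    return f"{value >> 16}:{value & 0xFFFF}"


def parse_extended_community(text: str) -> int:
    """Hexadecimal or TYPE:AS:VAL -> 64-bit value (TYPE 16, AS 16, VAL 32 bits)."""
    m = _TYPE_AS_VAL.match(text)
    if m:
        type_ = _check(int(m.group(1)), 16, "TYPE")
        asn = _check(int(m.group(2)), 16, "AS")
        val = _check(int(m.group(3)), 32, "VAL")
        return (type_ << 48) | (asn << 32) | val
    return _check(int(text, 16), 64, "extended community")


def format_extended_community(value: int) -> str:
    """64-bit value -> TYPE:AS:VAL text."""
    _check(value, 64, "extended community")
    return f"{value >> 48}:{(value >> 32) & 0xFFFF}:{value & 0xFFFFFFFF}"


def set_community(entries: List[str]) -> List[int]:
    """Validate a Set Community list: every entry parses and the count limit holds."""
    if len(entries) > MAX_COMMUNITIES:
        raise ValueError(f"at most {MAX_COMMUNITIES} communities allowed")
    return [parse_community(e) for e in entries]


def set_extended_community(entries: List[str]) -> List[int]:
    """Validate a Set Extended Community list the same way."""
    if len(entries) > MAX_EXT_COMMUNITIES:
        raise ValueError(f"at most {MAX_EXT_COMMUNITIES} extended communities allowed")
    return [parse_extended_community(e) for e in entries]
```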
IP Multicast
Network > Virtual Router > Multicast
Configuring Multicast protocols requires configuring the following standard setting:
Multicast Setting  Description
Enable: Select to enable multicast routing.
In addition, settings on the following tabs must be configured:
Rendezvous Point: See Multicast Rendezvous Point Tab.
Interfaces: See Multicast Interfaces Tab.
SPT Threshold: See Multicast SPT Threshold Tab.
Multicast Rendezvous Point Tab
Network > Virtual Router > Multicast > Rendezvous Point
Use the following fields to configure an IP multicast rendezvous point:
Multicast Settings (Rendezvous Point)  Description
RP Type: Choose the type of Rendezvous Point (RP) that will run on this virtual router. A static RP must be explicitly configured on other PIM routers whereas a candidate RP is elected automatically.
  - None: Choose if there is no RP running on this virtual router.
  - Static: Specify a static IP address for the RP and choose options for RP Interface and RP Address from the drop-down. Select Override learned RP for the same group if you want to use the specified RP instead of the RP elected for this group.
  - Candidate: Specify the following information for the candidate RP running on this virtual router:
    - RP Interface: Select an interface for the RP. Valid interface types include loopback, L3, VLAN, aggregate Ethernet, and tunnel.
    - RP Address: Select an IP address for the RP.
    - Priority: Specify a priority for candidate RP messages (default 192).
    - Advertisement interval: Specify an interval between advertisements for candidate RP messages.
  - Group list: If you choose Static or Candidate, click Add to specify a list of groups for which this candidate RP is proposing to be the RP.
Remote Rendezvous Point: Click Add and specify the following:
  - IP address: Specify the IP address for the RP.
  - Override learned RP for the same group: Select to use the specified RP instead of the RP elected for this group.
  - Group: Specify a list of groups for which the specified address will act as the RP.
Multicast Interfaces Tab
Network > Virtual Router > Multicast > Interfaces
Use the following fields to configure multicast interfaces:
Multicast Settings (Interfaces)  Description
Name: Enter a name to identify an interface group.
Description: Enter an optional description.
Interface: Click Add to specify one or more firewall interfaces.
Group Permissions: Specify general rules for multicast traffic:
  - Any Source: Click Add to specify a list of multicast groups for which PIM-SM traffic is permitted.
  - Source-Specific: Click Add to specify a list of multicast group and multicast source pairs for which PIM-SSM traffic is permitted.
IGMP: Specify rules for IGMP traffic. IGMP must be enabled for host-facing interfaces (IGMP router) or for IGMP proxy host interfaces.
  - Enable: Select to enable the IGMP configuration.
  - IGMP Version: Choose version 1, 2, or 3 to run on the interface.
  - Enforce Router-Alert IP Option: Select to require the router alert IP option when speaking IGMPv2 or IGMPv3. This must be disabled for compatibility with IGMPv1.
  - Robustness: Choose an integer value to account for packet loss on a network (range is 1 to 7; default is 2). If packet loss is common, choose a higher value.
  - Max Sources: Specify the maximum number of source-specific memberships allowed on this interface (0 = unlimited).
  - Max Groups: Specify the maximum number of groups allowed on this interface.
  - Query Configuration: Specify the following:
    - Query interval: Specify the interval at which general queries are sent to all hosts.
    - Max Query Response Time: Specify the maximum time between a general query and a response from a host.
    - Last Member Query Interval: Specify the interval between group- or source-specific query messages (including those sent in response to leave-group messages).
    - Immediate Leave: Select to leave the group immediately when a leave message is received.
PIM configuration: Specify the following Protocol Independent Multicast (PIM) settings:
  - Enable: Select to allow this interface to receive and/or forward PIM messages.
  - Assert Interval: Specify the interval between PIM assert messages.
  - Hello Interval: Specify the interval between PIM hello messages.
  - Join Prune Interval: Specify the interval between PIM join and prune messages (seconds). Default is 60.
  - DR Priority: Specify the designated router priority for this interface.
  - BSR Border: Select to use the interface as the bootstrap border.
  - PIM Neighbors: Click Add to specify the list of neighbors that will communicate with this interface using PIM.
Multicast SPT Threshold Tab
Network > Virtual Router > Multicast > SPT Threshold
Use the following fields to configure multicast SPT thresholds:
Multicast Settings (SPT Threshold)  Description
Name: The Shortest Path Tree (SPT) threshold defines the throughput rate (in kbps) at which multicast routing will switch from shared tree distribution (sourced from the rendezvous point) to source tree distribution. Add the following SPT settings:
  - Multicast Group Prefix: Specify the multicast IP address/prefix for which the SPT will be switched to source tree distribution when the throughput reaches the desired threshold (kbps).
  - Threshold: Specify the throughput at which to switch from shared tree distribution to source tree distribution.
Multicast Source Specific Address Tab
Network > Virtual Router > Multicast > Source Specific Address Space
Define a name for a multicast group and configure source-specific multicast services.
Multicast Settings (Source Specific Address Space)  Description
Name: Defines the multicast groups for which the firewall will provide source-specific multicast (SSM) services. Add the following settings for source-specific addresses:
  - Name: Enter a name to identify this group of settings.
  - Group: Specify groups for the SSM address space.
  - Included: Select to include the specified groups in the SSM address space.
Multicast Advanced Tab
Network > Virtual Router > Multicast > Advanced
Configure the length of time a multicast route remains in the routing table after the session ends.
Multicast Advanced Settings  Description
Route Age Out Time (sec): Allows you to tune the duration, in seconds, for which a multicast route remains in the routing table on the firewall after the session ends (range is 210 to 7200; default is 210).
ECMP
Network > Virtual Routers > Router Settings > ECMP
Equal Cost Multiple Path (ECMP) processing is a networking feature that enables the firewall to use up to four equal-cost routes to the same destination. Without this feature, if there are multiple equal-cost routes to the same destination, the virtual router chooses one of those routes from the routing table and adds it to its forwarding table; it will not use any of the other routes unless there is an outage in the chosen route. Enabling ECMP functionality on a virtual router allows the firewall to have up to four equal-cost paths to a destination in its forwarding table, allowing the firewall to:
  - Load balance flows (sessions) to the same destination over multiple equal-cost links.
  - Make use of the available bandwidth on all links to the same destination rather than leave some links unused.
  - Dynamically shift traffic to another ECMP member to the same destination if a link fails, rather than waiting for the routing protocol or RIB table to elect an alternative path, which can help reduce down time when links fail.
ECMP load balancing is done at the session level, not at the packet level. This means the firewall chooses an equal-cost path at the start of a new session, not each time the firewall receives a packet.
Enabling, disabling, or changing ECMP on an existing virtual router causes the system to restart the virtual router, which might cause existing sessions to be terminated.
To configure ECMP for a virtual router, select a virtual router and, for Router Settings, select the ECMP tab and configure the ECMP Settings as described.
What are you looking for?  See:
What are the fields available to configure ECMP?  ECMP Settings
ECMP Settings
Network > Virtual Routers > Router Settings > ECMP
Use the following fields to configure Equal Cost Multiple Path settings.
ECMP Settings  Description
Enable: Enable ECMP.
Enabling, disabling, or changing ECMP requires that you restart the firewall, which might cause sessions to be terminated.
Max Path: Select the maximum number of equal-cost paths (2, 3, or 4) to a destination network that can be copied from the RIB to the FIB. Default is 2.
Method: Choose one of the following ECMP load-balancing algorithms to use on the virtual router. ECMP load balancing is done at the session level, not at the packet level. This means that the firewall (ECMP) chooses an equal-cost path at the start of a new session, not each time a packet is received.
  - IP Modulo: By default, the virtual router load balances sessions using this option, which uses a hash of the source and destination IP addresses in the packet header to determine which ECMP route to use.
  - IP Hash: Optionally click Use Source/Destination Ports to include the ports in the hash calculation, in addition to the source and destination IP addresses. You can also enter a Hash Seed value (an integer) to further randomize load balancing.
  - Weighted Round Robin: This algorithm can be used to take into consideration different link capacities and speeds. Upon choosing this algorithm, the Interface window opens. Click Add and select an Interface to be included in the weighted round robin group. For each interface, enter the Weight to be used for that interface. Weight defaults to 100; range is 1 to 255. The higher the weight for a specific equal-cost path, the more often that equal-cost path will be selected for a new session. A higher speed link should be given a higher weight than a slower link, so that more of the ECMP traffic goes over the faster link. Click Add again to add another interface and weight.
  - Balanced Round Robin: Distributes incoming ECMP sessions equally across links.
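The four ECMP load-balancing methods above, modelled as session-level path selection in Python as an added example (not PAN-OS code). Assumptions: SHA-256 stands in for the firewall's undocumented hash function, the Hash Seed is mixed into the hash input, and Weighted Round Robin uses a highest-averages rule so that sessions split exactly in weight ratio over a full cycle.

```python
import hashlib
import ipaddress
from itertools import cycle
from typing import Dict, List

MAX_PATH = 4   # the firewall installs at most four equal-cost paths in the FIB


def _hash(*parts: bytes) -> int:
    # Assumption: SHA-256 stands in for the firewall's own (undocumented) hash
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest()[:8], "big")


def _check_paths(paths: List[str]) -> None:
    if not 1 <= len(paths) <= MAX_PATH:
        raise ValueError("between 1 and 4 equal-cost paths expected")


def ip_modulo(src_ip: str, dst_ip: str, paths: List[str]) -> str:
    """IP Modulo (the default): hash of source and destination IP only, taken
    modulo the number of equal-cost paths. Called once per new session."""
    _check_paths(paths)
    h = _hash(ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return paths[h % len(paths)]


def ip_hash(src_ip: str, dst_ip: str, paths: List[str], src_port: int = 0,
            dst_port: int = 0, use_ports: bool = False, hash_seed: int = 0) -> str:
    """IP Hash: like IP Modulo, but optionally mixes the source/destination
    ports (Use Source/Destination Ports) and a Hash Seed into the hash."""
    _check_paths(paths)
    parts = [ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed]
    if use_ports:
        parts += [src_port.to_bytes(2, "big"), dst_port.to_bytes(2, "big")]
    if hash_seed:
        parts.append(hash_seed.to_bytes(4, "big", signed=True))
    return paths[_hash(*parts) % len(paths)]


class WeightedRoundRobin:
    """Weighted Round Robin: each interface carries a Weight (default 100,
    range 1 to 255); the higher the weight, the more often it is chosen."""

    def __init__(self, weights: Dict[str, int]):
        if not 1 <= len(weights) <= MAX_PATH or any(not 1 <= w <= 255 for w in weights.values()):
            raise ValueError("1 to 4 interfaces with weights in 1..255 expected")
        self.weights = dict(weights)
        self.assigned = {name: 0 for name in weights}

    def next_session(self) -> str:
        # Highest-averages rule: choose the interface whose weight/(sessions+1)
        # is largest; ties go to the interface added first.
        order = list(self.weights)
        best = max(order, key=lambda n: (self.weights[n] / (self.assigned[n] + 1), -order.index(n)))
        self.assigned[best] += 1
        return best


class BalancedRoundRobin:
    """Balanced Round Robin: new sessions go to each link in turn, equally."""

    def __init__(self, paths: List[str]):
        _check_paths(paths)
        self.assigned = {p: 0 for p in paths}
        self._cycle = cycle(paths)

    def next_session(self) -> str:
        p = next(self._cycle)
        self.assigned[p] += 1
        return p
```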
More Runtime Stats for a Virtual Router
RIP: See RIP Tab.
BGP: See BGP Tab.
Multicast: See Multicast Tab.
Routing Tab
The Routing Tab is divided into three tabs:
Routing Table: See Route Table Tab.
Forwarding Table: See Forwarding Table Tab.
Static Route Monitoring: See Static Route Monitoring Tab.
Route Table Tab
Route Table Runtime Stats  Description
Route Table: Select Unicast or Multicast to display either the unicast or multicast route table.
Destination: IPv4 address and netmask or IPv6 address and prefix length of networks the virtual router can reach.
Next Hop: IP address of the device at the next hop toward the Destination network. A next hop of 0.0.0.0 indicates the default route.
Metric: Metric for the route. When a routing protocol has more than one route to the same destination network, it prefers the route with the lowest metric value. Each routing protocol uses a different type of metric; for example, RIP uses hop count.
Weight: Weight for the route. For example, when BGP has more than one route to the same destination, it will prefer the route with the highest weight.
Flags:
  - A?B: Active and learned via BGP
  - A C: Active and a result of an internal interface (connected); Destination = network
  - A H: Active and a result of an internal interface (connected); Destination = Host only
  - A R: Active and learned via RIP
  - A S: Active and static
  - S: Inactive (because this route has a higher metric) and static
  - O1: OSPF external type 1
  - O2: OSPF external type 2
  - Oi: OSPF intra-area
  - Oo: OSPF inter-area
Age: Age of the route entry in the routing table. Static routes have no age.
Interface: Egress interface of the virtual router that will be used to reach the next hop.
Refresh: Click to refresh the runtime stats in the table.
Forwarding Table Tab
Forwarding Table Runtime Stats  Description
Destination: Best IPv4 address and netmask or IPv6 address and prefix length to a network the virtual router can reach, selected from the Route Table.
Next Hop: IP address of the device at the next hop toward the Destination network. A next hop of 0.0.0.0 indicates the default route.
Flags:
  - u: Route is up.
  - h: Route is to a host.
  - g: Route is to a gateway.
  - e: Firewall selected this route using Equal Cost Multipath (ECMP).
  - *: Route is the preferred path to a destination network.
Interface: Egress interface the virtual router will use to reach the next hop.
MTU: Maximum transmission unit (MTU); maximum number of bytes that the firewall will transmit in a single TCP packet to this destination.
Refresh: Click to refresh the runtime stats in the table.
Static Route Monitoring Tab
Static Route Monitoring Runtime Stats  Description
Destination: IPv4 address and netmask or IPv6 address and prefix length of a network the virtual router can reach.
Next Hop: IP address of the device at the next hop toward the Destination network. A next hop of 0.0.0.0 indicates the default route.
Metric: Metric for the route. When there is more than one static route to the same destination network, the firewall prefers the route with the lowest metric value.
Weight: Weight for the route.
Flags:
  - A?B: Active and learned via BGP
  - A C: Active and a result of an internal interface (connected); Destination = network
  - A H: Active and a result of an internal interface (connected); Destination = Host only
  - A R: Active and learned via RIP
  - A S: Active and static
  - S: Inactive (because this route has a higher metric) and static
  - O1: OSPF external type 1
  - O2: OSPF external type 2
  - Oi: OSPF intra-area
  - Oo: OSPF inter-area
Interface: Egress interface of the virtual router that will be used to reach the next hop.
Path Monitoring (Fail On): If path monitoring is enabled for this static route, Fail On indicates:
  - All: Firewall considers the static route down and will fail over if all of the monitored destinations for the static route are down.
  - Any: Firewall considers the static route down and will fail over if any one of the monitored destinations for the static route is down.
  If static route path monitoring is disabled, Fail On indicates Disabled.
Status: Status of the static route based on ICMP pings to the monitored destinations: Up, Down, or path monitoring for the static route is Disabled.
Refresh: Refreshes the runtime stats in the table.
RIP Tab
The following table describes the virtual router's Runtime Stats for RIP.
RIP Runtime Stats  Description
Summary Tab
Interval Seconds: Number of seconds in an interval. RIP uses this value (a length of time) to control its Update, Expire, and Delete Intervals.
Update Intervals: Number of intervals between RIP route advertisement updates that the virtual router sends to peers.
Expire Intervals: Number of intervals since the last update the virtual router received from a peer, after which the virtual router marks the routes from the peer as unusable.
Delete Intervals: Number of intervals after a route has been marked as unusable that, if no update is received, the firewall deletes the route from the routing table.
Interface Tab
Address: IP address of an interface on the virtual router where RIP is enabled.
Auth Type: Type of authentication: simple password, MD5, or none.
Send Allowed: Check mark indicates this interface is allowed to send RIP packets.
Receive Allowed: Check mark indicates this interface is allowed to receive RIP packets.
Advertise Default Route: Check mark indicates that RIP will advertise its default route to its peers.
Default Route Metric: Metric (hop count) assigned to the default route. The lower the metric value, the higher priority it has in the route table to be selected as the preferred path.
Key Id: Authentication key used with peers.
Preferred: Preferred key for authentication.
Peer Tab
Peer Address: IP address of a peer to the virtual router's RIP interface.
Last Update: Date and time that the last update was received from this peer.
RIP Version: RIP version the peer is running.
Invalid Packets: Count of invalid packets received from this peer. Possible causes that the firewall cannot parse the RIP packet: x bytes over a route boundary, too many routes in packet, bad subnet, illegal address, authentication failed, or not enough memory.
Invalid Routes: Count of invalid routes received from this peer. Possible causes: route is invalid, import fails, or not enough memory.
BGP Tab
The following table describes the virtual router's Runtime Stats for BGP.
BGP Runtime Stats  Description
Summary Tab
Router Id: Router ID assigned to the BGP instance.
Reject Default Route: Indicates whether the Reject Default Route option is configured, which causes the VR to ignore any default routes that are advertised by BGP peers.
Redistribute Default Route: Indicates whether the Allow Redistribute Default Route option is configured.
Install Route: Indicates whether the Install Route option is configured, which causes the VR to install BGP routes in the global routing table.
Graceful Restart: Indicates whether or not Graceful Restart is enabled (support).
AS Size: Indicates whether the AS Format size selected is 2 Byte or 4 Byte.
Local AS: Number of the AS to which the VR belongs.
Local Member AS: Local Member AS number (valid only if the VR is in a confederation). The field is 0 if the VR is not in a confederation.
Cluster ID: Displays the Reflector Cluster ID configured.
Default Local Preference: Displays the Default Local Preference configured for the VR.
Always Compare MED: Indicates whether the Always Compare MED option is configured, which enables a comparison to choose between routes from neighbors in different autonomous systems.
Aggregate Regardless MED: Indicates whether the Aggregate MED option is configured, which enables route aggregation even when routes have different MED values.
Deterministic MED Processing: Indicates whether the Deterministic MED comparison option is configured, which enables a comparison to choose between routes that are advertised by IBGP peers (BGP peers in the same AS).
Current RIB Out Entries: Number of entries in the RIB Out table.
Peak RIB Out Entries: Peak number of Adj-RIB-Out routes that have been allocated at any one time.
Peer Tab
Name: Name of the peer.
Group: Name of the peer group to which this peer belongs.
Local IP: IP address of the BGP interface on the VR.
Peer IP: IP address of the peer.
Peer AS: Autonomous system to which the peer belongs.
Password Set: Yes or no indicates whether authentication is set.
Status: Status of the peer, such as Active, Connect, Established, Idle, OpenConfirm, or OpenSent.
Status Duration (secs.): Duration of the peer's status.
Peer Group Tab
Group Name: Name of a peer group.
Type: Type of peer group configured, such as EBGP or IBGP.
Aggregate Confed. AS: Yes or no indicates whether the Aggregate Confederation AS option is configured.
Soft Reset Support: Yes or no indicates whether the peer group supports soft reset. When routing policies to a BGP peer change, routing table updates might be affected. A soft reset of BGP sessions is preferred over a hard reset because a soft reset allows routing tables to be updated without clearing the BGP sessions.
Next Hop Self: Yes or no indicates whether this option is configured.
Next Hop Third Party: Yes or no indicates whether this option is configured.
Remove Private AS: Indicates whether updates will have private AS numbers removed from the AS_PATH attribute before the update is sent.
Local RIB Tab
Prefix: Network prefix and subnet mask in the Local Routing Information Base.
Flag: * indicates the route was chosen as the best BGP route.
Next Hop: IP address of the next hop toward the Prefix.
Peer: Name of peer.
Weight: Weight attribute assigned to the Prefix. If the firewall has more than one route to the same Prefix, the route with the highest weight is installed in the IP routing table.
Local Pref.: Local preference attribute for the route, which is used to choose the exit point toward the prefix if there are multiple exit points. A higher local preference is preferred over a lower local preference.
AS Path: List of autonomous systems in the path to the Prefix network; the list is advertised in BGP updates.
Origin: Origin attribute for the Prefix; how BGP learned of the route.
MED: Multi-Exit Discriminator (MED) attribute of the route. The MED is a metric attribute for a route, which the AS advertising the route suggests to an external AS. A lower MED is preferred over a higher MED.
Flap Count: Number of flaps for the route.
RIB Out Tab
Prefix: Network routing entry in the Routing Information Base.
Next Hop: IP address of the next hop toward the Prefix.
Peer: Peer to which the VR will advertise this route.
Local Pref.: Local preference attribute to access the prefix, which is used to choose the exit point toward the prefix if there are multiple exit points. A higher local preference is preferred over a lower local preference.
AS Path: List of autonomous systems in the path to the Prefix network.
Origin: Origin attribute for the Prefix; how BGP learned of the route.
MED: Multi-Exit Discriminator (MED) attribute to the Prefix. The MED is a metric attribute for a route, which the AS that is advertising the route suggests to an external AS. A lower MED is preferred over a higher MED.
Adv. Status: Advertised status of the route.
Aggr. Status: Indicates whether this route is aggregated with other routes.
Multicast Tab
The following table describes the virtual router's Runtime Stats for IP Multicast.
Multicast Runtime Stats  Description
FIB Tab
Group: Multicast group address that the VR will forward.
Source: Multicast source address.
Incoming Interfaces: Indicates interfaces where the multicast traffic comes in on the VR.
IGMP Interface Tab
Interface: Interface that has IGMP enabled.
Version: Version 1, 2, or 3 of Internet Group Management Protocol (IGMP).
Querier: IP address of the IGMP querier on that interface.
Querier Up Time: Length of time that the IGMP querier has been up.
Querier Expiry Time: Time remaining before the current Other Querier Present timer expires.
Robustness: Robustness variable of the IGMP interface.
Groups Limit: Number of multicast groups allowed on the interface.
Sources Limit: Number of multicast sources allowed on the interface.
Immediate Leave: Yes or no indicates whether Immediate Leave is configured. Immediate leave indicates that the virtual router will remove an interface from the forwarding table entry without sending the interface IGMP group-specific queries.
IGMP Membership Tab
Interface: Name of an interface to which the membership belongs.
Group: IP Multicast group address.
Source: Source address of multicast traffic.
Up Time: Length of time this membership has been up.
Expiry Time: Length of time remaining before membership expires.
Filter Mode: Include or exclude the source. VR is configured to include all traffic, or only traffic from this source (include), or traffic from any source except this one (exclude).
Exclude Expiry: Time remaining before the interface Exclude state expires.
V1 Host Timer: Time remaining until the local router assumes that there are no longer any IGMP Version 1 members on the IP subnet attached to the interface.
V2 Host Timer: Time remaining until the local router assumes that there are no longer any IGMP Version 2 members on the IP subnet attached to the interface.
PIM Group Mapping Tab
Group: IP address of the group mapped to a Rendezvous Point.
RP: IP address of Rendezvous Point for the group.
Origin: Indicates where the VR learned of the RP.
PIM Mode: ASM or SSM.
Inactive: Indicates that the mapping of the group to the RP is inactive.
PIM Interface Tab
Interface: Name of interface participating in PIM.
Address: IP address of the interface.
DR: IP address of the Designated Router on the interface.
Hello Interval: Hello interval configured, in seconds.
Join/Prune Interval: Join/Prune interval configured, in seconds.
Assert Interval: Assert interval configured, in seconds.
DR Priority: Priority configured for the Designated Router.
BSR Border: Yes or no.
PIM Neighbor Tab
Interface: Name of interface in the VR.
Address: IP address of the neighbor.
Secondary Address: Secondary IP address of the neighbor.
Up Time: Length of time the neighbor has been up.
Expiry Time: Length of time remaining before the neighbor expires because the VR is not receiving hello packets from the neighbor.
Generation ID: Value that the VR received from the neighbor in the last PIM hello message received on this interface.
DR Priority: Designated Router priority that the VR received in the last PIM hello message from this neighbor.
BFD Summary Information Tab
BFD summary information includes the following data.
BFD Summary Information Runtime Stats  Description
Interface: Interface that is running BFD.
Protocol: Static route (IP address family of static route) or dynamic routing protocol that is running BFD on the interface.
Local IP Address: IP address of the interface where you configured BFD.
Neighbor IP Address: IP address of BFD neighbor.
Uptime: Length of time BFD has been up (hours, minutes, seconds, and milliseconds).
Discriminator (local): Discriminator for local BFD peer. A discriminator is a unique, nonzero value the peers use to distinguish multiple BFD sessions between them.
Discriminator (remote): Discriminator for remote BFD peer.
Errors: Number of BFD errors.
Session Details: Click Details to see BFD information for a session such as the IP addresses of the local and remote neighbors, the last received remote diagnostic code, number of transmitted and received control packets, number of errors, information about the last packet causing state change, and more.
Network > Zones
Security zones are a logical way to group physical and virtual interfaces on the firewall to control and log the traffic that traverses specific interfaces on your network. An interface on the firewall must be assigned to a security zone before the interface can process traffic. A zone can have multiple interfaces of the same type assigned to it (such as tap, layer 2, or layer 3 interfaces), but an interface can belong to only one zone.
Policy rules on the firewall use security zones to identify where the traffic comes from and where it is going. Traffic can flow freely within a zone but traffic cannot flow between different zones until you define a Security policy rule that allows it. To allow or deny interzone traffic, Security policy rules must reference a source zone and destination zone (not interfaces) and the zones must be of the same type; that is, a Security policy rule can allow or deny traffic from one Layer 2 zone only to another Layer 2 zone.
What are you looking for?  See:
What are the fields available to configure security zones?  Building Blocks of Security Zones
Building Blocks of Security Zones
To define a security zone, click Add and specify the following information.
Security Zone Settings  Description
Name: Enter a zone name (up to 31 characters). This name appears in the list of zones when defining security policies and configuring interfaces. The name is case-sensitive and must be unique within the virtual router. Use only letters, numbers, spaces, hyphens, periods, and underscores.
Location: This field is present only if the firewall supports multiple virtual systems (vsys) and that capability is enabled. Select the vsys to which this zone applies.
Interfaces: Add one or more interfaces to this zone.
Zone Protection Profiles: Select a profile that specifies how the firewall responds to attacks from this zone. To create a new profile, see Network > Network Profiles > Zone Protection.
Enable Packet Buffer Protection: If you have configured Packet Buffer Protection, select to apply the packet buffer protection settings, configured under Device > Setup > Session, to this zone (disabled by default). Packet buffer protection is applied to the ingress zone only.
Log Setting: Select a Log Forwarding profile for forwarding zone protection logs to an external system.
If you have a Log Forwarding profile named default, that profile will be automatically selected for this drop-down when defining a new security zone. You can override this default setting at any time by continuing to select a different Log Forwarding profile when setting up a new security zone. To define or add a new Log Forwarding profile (and to name a profile default so that this drop-down is populated automatically), click New (refer to Objects > Log Forwarding).
If you are configuring the zone in a Panorama template, the Log Setting drop-down lists only shared Log Forwarding profiles; to specify a non-shared profile, you must type its name.
Enable User Identification: If you configured User-ID to perform IP address-to-username mapping (discovery), select to apply the mapping information to traffic in this zone. If you disable this option, firewall logs, reports, and policies will exclude user mapping information for traffic within the zone.
By default, if you select this option, the firewall applies user mapping information to the traffic of all subnetworks in the zone. To limit the information to specific subnetworks within the zone, use the Include List and Exclude List.
Enable User-ID on trusted zones only. If you enable User-ID and client probing on an external untrusted zone (such as the internet), probes could be sent outside your protected network, resulting in an information disclosure of the User-ID agent service account name, domain name, and encrypted password hash, which could allow an attacker to gain unauthorized access to protected resources.
User-ID performs discovery for the zone only if it falls within the network range that User-ID monitors. If the zone is outside that range, the firewall does not apply user mapping information to the zone traffic even if you select Enable User Identification. For details, see Include or Exclude Subnetworks for User Mapping.
User Identification ACL Include List: By default, if you do not specify subnetworks in this list, the firewall applies the user mapping information it discovers to all the traffic of this zone for use in logs, reports, and policies.
To limit the application of user mapping information to specific subnetworks within the zone, for each subnetwork click Add and select an address (or address group) object or type the IP address range (for example, 10.1.1.1/24). The exclusion of all other subnetworks is implicit: you do not need to add them to the Exclude List.
Add entries to the Exclude List only to exclude user mapping information for a subset of the subnetworks in the Include List. For example, if you add 10.0.0.0/8 to the Include List and add 10.2.50.0/22 to the Exclude List, the firewall includes user mapping information for all the zone subnetworks of 10.0.0.0/8 except 10.2.50.0/22, and excludes information for all zone subnetworks outside of 10.0.0.0/8.
You can only include subnetworks that fall within the network range that User-ID monitors. For details, see Include or Exclude Subnetworks for User Mapping.
User Identification ACL Exclude List: To exclude user mapping information for a subset of the subnetworks in the Include List, Add an address (or address group) object or type the IP address range for each subnetwork to exclude.
If you add entries to the Exclude List but not the Include List, the firewall excludes user mapping information for all subnetworks within the zone, not just the subnetworks you added.
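The Include List and Exclude List precedence described above, including the trap where an Exclude List with no Include List disables mapping for the whole zone, as an added example (not Palo Alto Networks code; the policy class and its method names are assumptions):

```python
"""Model of how the Enable User Identification setting and the User
Identification ACL Include List / Exclude List decide whether user mapping
applies to an address in a zone. Added example, not Palo Alto Networks code;
the rules are the ones stated in the zone settings above."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class ZoneUserMappingPolicy:
    enable_user_identification: bool = True
    include_list: List[str] = field(default_factory=list)   # subnets, e.g. "10.0.0.0/8"
    exclude_list: List[str] = field(default_factory=list)

    def __post_init__(self):
        # strict=False accepts entries written with host bits set, such as the
        # page's own example 10.1.1.1/24.
        self._include = [ipaddress.ip_network(e, strict=False) for e in self.include_list]
        self._exclude = [ipaddress.ip_network(e, strict=False) for e in self.exclude_list]

    def applies_to(self, ip: str) -> bool:
        """True if the firewall applies user mapping information to traffic from `ip`."""
        addr: IPAddress = ipaddress.ip_address(ip)
        if not self.enable_user_identification:
            return False
        # Exclude List entries with an empty Include List exclude every subnetwork
        # in the zone, not just the ones listed (see the Exclude List description).
        if self._exclude and not self._include:
            return False
        # An empty Include List means the whole zone is included; otherwise the
        # address must fall inside one of the listed subnetworks.
        if self._include and not any(addr in net for net in self._include):
            return False
        # Exclude List entries carve subsets out of the Include List.
        return not any(addr in net for net in self._exclude)

    def explain(self, ip: str) -> str:
        return f"{ip}: user mapping {'applied' if self.applies_to(ip) else 'not applied'}"


if __name__ == "__main__":
    # Constructed configuration matching the worked example in the text.
    policy = ZoneUserMappingPolicy(include_list=["10.0.0.0/8"], exclude_list=["10.2.50.0/22"])
    for sample in ("10.1.1.7", "10.2.51.9", "192.168.1.1"):
        print(policy.explain(sample))
```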
Network > VLANs
The firewall supports VLANs that conform to the IEEE 802.1Q standard. Each Layer 2 interface defined on the firewall can be associated with a VLAN. The same VLAN can be assigned to multiple Layer 2 interfaces, but each interface can belong to only one VLAN.
VLAN Settings / Description
Name: Enter a VLAN name (up to 31 characters). This name appears in the list of VLANs when configuring interfaces. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
VLAN Interface: Select a Network > Interfaces > VLAN interface to allow traffic to be routed outside the VLAN.
Interfaces: Specify firewall interfaces for the VLAN.
Static MAC Configuration: Specify the interface through which a MAC address is reachable. This will override any learned interface-to-MAC mappings.
Network > IPSec Tunnels
What are you looking for? See:
Manage IPSec VPN tunnels. See: IPSec VPN Tunnel Management
Configure an IPSec tunnel. See: IPSec Tunnel General Tab, IPSec Tunnel Proxy IDs Tab
View IPSec tunnel status. See: IPSec Tunnel Status on the Firewall
Restart or refresh an IPSec tunnel. See: IPSec Tunnel Restart or Refresh
Looking for more? Set up an IPSec tunnel.
IPSec VPN Tunnel Management
Network > IPSec Tunnels
The following table describes how to manage your IPSec VPN tunnels.
Fields to Manage IPSec VPN Tunnels
Add: Add a new IPSec VPN tunnel. See IPSec Tunnel General Tab for instructions on configuring the new tunnel.
Delete: Delete a tunnel that you no longer need.
Enable: Enable a tunnel that has been disabled (tunnels are enabled by default).
Disable: Disable a tunnel that you don't want to use but are not yet ready to delete.
IPSec Tunnel General Tab
Network > IPSec Tunnels > General
Use the following fields to set up an IPSec tunnel.
IPSec Tunnel General Settings / Description
Name: Enter a Name to identify the tunnel (up to 63 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
The 63-character limit for this field includes the tunnel name in addition to the Proxy ID, which is separated by a colon character.
IPv4 or IPv6: Select IPv4 or IPv6 to configure the tunnel to have endpoints with that type of IP address.
Type: Select whether to use an automatically generated or manually entered security key. Auto key is recommended.
Destination IP: Specify an IP address on the other side of the tunnel that the tunnel monitor will use to determine if the tunnel is working properly.
Profile: Select an existing profile that will determine the actions that are taken if the tunnel fails. If the action specified in the monitor profile is wait-recover, the firewall will wait for the tunnel to become functional and will NOT seek an alternate path with the route table. If the fail-over action is used, the firewall will check the route table to see if there is an alternate route that can be used to reach the destination. For more information, see Network > Network Profiles > Monitor.
IPSec Tunnel Proxy IDs Tab
Network > IPSec Tunnels > Proxy IDs
The IPSec Tunnel Proxy IDs tab is separated into two tabs: IPv4 and IPv6. The help is similar for both types; the differences between IPv4 and IPv6 are described in the Local and Remote fields in the following table.
The IPSec Tunnel Proxy IDs tab is also used for specifying traffic selectors for IKEv2.
Proxy IDs IPv4 and IPv6 Settings / Description
Proxy ID: Click Add and enter a name to identify the proxy.
For an IKEv2 traffic selector, this field is used as the Name.
Local: For IPv4: Enter an IP address or subnet in the format x.x.x.x/mask (for example, 10.1.2.0/24).
For IPv6: Enter an IP address and prefix length in the format xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/prefix-length (or per IPv6 convention, for example, 2001:DB8:0::/48).
IPv6 addressing does not require that all zeros be written; leading zeros can be omitted and one grouping of consecutive zeros can be replaced by two adjacent colons (::).
For an IKEv2 traffic selector, this field is converted to Source IP Address.
Remote: If required by the peer:
For IPv4, enter an IP address or subnet in the format x.x.x.x/mask (for example, 10.1.1.0/24).
For IPv6, enter an IP address and prefix length in the format xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/prefix-length (or per IPv6 convention, for example, 2001:DB8:55::/48).
For an IKEv2 traffic selector, this field is converted to Destination IP Address.
Protocol: Specify the protocol and port numbers for the local and remote ports:
Number: Specify the protocol number (used for interoperability with third-party devices).
Any: Allow TCP and/or UDP traffic.
TCP: Specify the local and remote TCP port numbers.
UDP: Specify the local and remote UDP port numbers.
Each configured proxy ID will count towards the IPSec VPN tunnel capacity of the firewall.
This field is also used as an IKEv2 traffic selector.
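A validator for one Proxy ID entry that applies the 63-character name limit from the General tab and the Local/Remote/Protocol rules above, and produces the IKEv2 traffic-selector view the table describes; added example, not PAN-OS code (function names and the single-port handling are assumptions):

```python
"""Validator for one IPSec tunnel Proxy ID entry as described in the IPSec
Tunnel General tab (63-character limit on "<tunnel name>:<proxy ID>") and the
Proxy IDs tab (IPv4/IPv6 Local and Remote selectors, Protocol choices), and
its translation into the IKEv2 traffic-selector fields named in the table.
Added example, not PAN-OS code; the port handling (one port, 0 meaning any)
is an assumption."""
import ipaddress
from typing import Dict, Optional, Union

MAX_TUNNEL_NAME = 63            # counts the tunnel name, the colon and the proxy ID
Protocol = Union[str, int]      # "any", "tcp", "udp", or a raw protocol number


def normalise_selector(value: Optional[str], family: int) -> Optional[str]:
    """Accept x.x.x.x/mask for IPv4 or a prefix for IPv6 (:: compression and
    dropped leading zeros allowed) and return it in canonical form."""
    if value is None:
        return None
    net = ipaddress.ip_network(value, strict=False)
    if net.version != family:
        raise ValueError(f"{value} is not an IPv{family} selector")
    return net.with_prefixlen


def proxy_id_to_traffic_selector(tunnel_name: str, proxy_id: str, family: int = 4,
                                 local: Optional[str] = None, remote: Optional[str] = None,
                                 protocol: Protocol = "any", local_port: int = 0,
                                 remote_port: int = 0) -> Dict[str, object]:
    """Validate a Proxy ID and return the IKEv2 traffic selector view of it."""
    if family not in (4, 6):
        raise ValueError("family must be 4 or 6 (the IPv4 and IPv6 sub-tabs)")
    full_name = f"{tunnel_name}:{proxy_id}"
    if len(full_name) > MAX_TUNNEL_NAME:
        raise ValueError(f"tunnel name plus proxy ID exceeds {MAX_TUNNEL_NAME} characters: {full_name}")
    ports = None
    if isinstance(protocol, int):
        # Number: raw IP protocol number, used for third-party interoperability.
        if not 0 <= protocol <= 255:
            raise ValueError("protocol number must be 0-255")
    elif protocol in ("tcp", "udp"):
        for port in (local_port, remote_port):
            if not 0 <= port <= 65535:
                raise ValueError(f"port {port} out of range")
        ports = (local_port, remote_port)     # local and remote port numbers
    elif protocol != "any":
        raise ValueError(f"unknown protocol choice: {protocol!r}")
    return {
        "Name": proxy_id,                                              # Proxy ID -> Name
        "Source IP Address": normalise_selector(local, family),        # Local -> Source
        "Destination IP Address": normalise_selector(remote, family),  # Remote -> Destination
        "Protocol": protocol,
        "Ports": ports,
    }
```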
IPSec Tunnel Status on the Firewall
Network > IPSec Tunnels
To view the status of currently defined IPSec VPN tunnels, open the IPSec Tunnels page. The following status information is reported on the page:
Tunnel Status (first status column): Green indicates an IPSec phase-2 security association (SA) tunnel. Red indicates that the IPSec phase-2 SA is not available or has expired.
IKE Gateway Status: Green indicates a valid IKE phase-1 SA or IKEv2 IKE SA. Red indicates that the IKE phase-1 SA is not available or has expired.
Tunnel Interface Status: Green indicates that the tunnel interface is up (because tunnel monitor is disabled or because tunnel monitor status is UP and the monitoring IP address is reachable). Red indicates that the tunnel interface is down because the tunnel monitor is enabled and the remote tunnel monitoring IP address is unreachable.
IPSec Tunnel Restart or Refresh
Network > IPSec Tunnels
Select Network > IPSec Tunnels to display the status of tunnels. In the first Status column is a link to the Tunnel Info. Click the tunnel you want to restart or refresh to open the Tunnel Info page for that tunnel. Click on one of the entries in the list and then click:
Restart: Restart the selected tunnel. A restart disrupts traffic going across the tunnel.
Refresh: Show the current IPSec SA status.
Network > DHCP
Dynamic Host Configuration Protocol (DHCP) is a standardized protocol that provides TCP/IP and link-layer configuration parameters and network addresses to dynamically configured hosts on a TCP/IP network. An interface on a Palo Alto Networks firewall can act as a DHCP server, client, or relay agent. Assigning these roles to different interfaces allows the firewall to perform multiple roles.
What are you looking for? See:
What is DHCP? See: DHCP Overview
How does a DHCP server allocate addresses? See: DHCP Addressing
Configure an interface on the firewall to act as a DHCP Server. See: DHCP Server
Configure an interface on the firewall to act as a DHCP Relay. See: DHCP Relay
Network > DNS Proxy
Looking for more? DHCP
DHCP Overview
Network > DHCP
DHCP uses a client-server model of communication. This model consists of three roles that the firewall can fulfill: DHCP client, DHCP server, and DHCP relay agent.
A firewall acting as a DHCP client (host) can request an IP address and other configuration settings from a DHCP server. Users on client firewalls save configuration time and effort, and need not know the addressing plan of the network or other network resources and options inherited from the DHCP server.
A firewall acting as a DHCP server can service clients. By using one of the DHCP addressing mechanisms, the administrator saves configuration time and has the benefit of reusing a limited number of IP addresses when clients no longer need network connectivity. The server can also deliver IP addressing and DHCP options to multiple clients.
A firewall acting as a DHCP relay agent listens for broadcast and unicast DHCP messages and relays them between DHCP clients and servers.
DHCP uses User Datagram Protocol (UDP), RFC 768, as its transport protocol. DHCP messages that a client sends to a server are sent to well-known port 67 (UDP Bootstrap Protocol and DHCP). DHCP messages that a server sends to a client are sent to port 68.
DHCP Addressing
There are three ways that a DHCP server either assigns or sends an IP address to a client:
Automatic allocation: The DHCP server assigns a permanent IP address to a client from its IP Pools. On the firewall, a Lease specified as Unlimited means the allocation is permanent.
Dynamic allocation: The DHCP server assigns a reusable IP address from IP Pools of addresses to a client for a maximum period of time, known as a lease. This method of address allocation is useful when the customer has a limited number of IP addresses; they can be assigned to clients who need only temporary access to the network.
Static allocation: The network administrator chooses the IP address to assign to the client and the DHCP server sends it to the client. A static DHCP allocation is permanent; it is done by configuring a DHCP server and choosing a Reserved Address to correspond to the MAC Address of the client firewall. The DHCP assignment remains in place even if the client disconnects (logs off, reboots, has a power outage, etc.).
Static allocation of an IP address is useful, for example, if you have a printer on a LAN and you do not want its IP address to keep changing, because it is associated with a printer name through DNS. Another example is if a client firewall is used for something crucial and must keep the same IP address, even if the firewall is turned off, unplugged, rebooted, or a power outage occurs.
Keep the following points in mind when configuring a Reserved Address:
It is an address from the IP Pools. You can configure multiple reserved addresses.
If you configure no Reserved Address, the clients of the server will receive new DHCP assignments from the pool when their leases expire or if they reboot, etc. (unless you specified that a Lease is Unlimited).
If you allocate every address in the IP Pools as a Reserved Address, there are no dynamic addresses free to assign to the next DHCP client requesting an address.
You may configure a Reserved Address without configuring a MAC Address. In this case, the DHCP server will not assign the Reserved Address to any firewall. You might reserve a few addresses from the pool and statically assign them to a fax and printer, for example, without using DHCP.
DHCP Server
Network > DHCP > DHCP Server
The following section describes each component of the DHCP server. Before you configure a DHCP server, you should already have configured a Layer 3 Ethernet or Layer 3 VLAN interface that is assigned to a virtual router and a zone. You should also know a valid pool of IP addresses from your network plan that can be designated to be assigned by your DHCP server to clients.
When you add a DHCP server, you configure the settings described in the table below.
Mode: Select enabled or auto mode. Auto mode enables the server and disables it if another DHCP server is detected on the network. The disabled setting disables the server.
Ping IP when allocating new IP (DHCP Server > Lease): If you click Ping IP when allocating new IP, the server will ping the IP address before it assigns that address to its client. If the ping receives a response, that means a different firewall already has that address, so it is not available for assignment. The server assigns the next address from the pool instead. If you select this option, the Probe IP column in the display will have a check mark.
Lease: Specify a lease type.
Unlimited causes the server to dynamically choose IP addresses from the IP Pools and assign them permanently to clients.
Timeout determines how long the lease will last. Enter the number of Days and Hours, and optionally, the number of Minutes.
IP Pools: Specify the stateful pool of IP addresses from which the DHCP server chooses an address and assigns it to a DHCP client. You can enter a single address, an address/<mask length>, such as 192.168.1.0/24, or a range of addresses, such as 192.168.1.10-192.168.1.20.
Reserved Address: Optionally specify an IP address (format x.x.x.x) from the IP pools that you do not want dynamically assigned by the DHCP server.
If you also specify a MAC Address (format xx:xx:xx:xx:xx:xx), the Reserved Address is assigned to the firewall associated with that MAC address when that firewall requests an IP address through DHCP.
Subnet Mask: Specify the network mask that applies to the addresses in the IP Pools.
Options: For the following fields, click the drop-down and select None or inherited, or enter the IP address of the remote server that your DHCP server will send to clients for accessing that service. If you select inherited, the DHCP server inherits the values from the source DHCP client specified as the Inheritance Source.
The DHCP server sends these settings to its clients.
Primary DNS, Secondary DNS: IP address of the preferred and alternate Domain Name System (DNS) servers.
Primary WINS, Secondary WINS: IP address of the preferred and alternate Windows Internet Name Service (WINS) servers.
Primary NIS, Secondary NIS: IP address of the preferred and alternate Network Information Service (NIS) servers.
Primary NTP, Secondary NTP: IP address of the available Network Time Protocol (NTP) servers.
POP3 Server: IP address of a Post Office Protocol version 3 (POP3) server.
SMTP Server: IP address of a Simple Mail Transfer Protocol (SMTP) server.
DNS Suffix: Suffix for the client to use locally when an unqualified hostname is entered that the client cannot resolve.
Custom DHCP options: Click Add and enter the Name of the custom option you want the DHCP Server to send to clients.
Enter an Option Code (range is 1-254).
If Option Code 43 is entered, the Vendor Class Identifier (VCI) field appears. Enter a match criterion that will be compared to the incoming VCI from the client's Option 60. The firewall looks at the incoming VCI from the client's Option 60, finds the matching VCI in its own DHCP server table, and returns the corresponding value to the client in Option 43. The VCI match criterion is a string or hex value. A hex value must have a 0x prefix.
Select Inherited from DHCP server inheritance source to have the server inherit the value for that option code from the inheritance source instead of you entering an Option Value.
As an alternative to this option, you can proceed with the following:
Option Type: Select IP Address, ASCII, or Hexadecimal to specify the type of data used for the Option Value.
For Option Value, click Add and enter the value for the custom option.
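The IP Pools formats, Reserved Address behaviour (with and without a MAC Address) and the Ping IP check from the DHCP Addressing and DHCP Server sections, modelled as an address allocator; added example, not PAN-OS code (the class, its method names and the MAC and address values are constructed):

```python
"""Model of the IP Pools, Reserved Address and "Ping IP when allocating new IP"
rules described in the DHCP Addressing and DHCP Server sections. Added
example, not PAN-OS code: it only demonstrates address selection and ignores
lease timers, DHCP message handling and DHCP options."""
import ipaddress
from typing import Callable, Dict, List, Optional

Address = ipaddress.IPv4Address


def expand_pool_entry(entry: str) -> List[Address]:
    """Expand one IP Pools entry: a single address, address/<mask length>
    (192.168.1.0/24) or a range written start-end (192.168.1.10-192.168.1.20)."""
    entry = entry.strip()
    if "-" in entry:
        start_s, end_s = entry.split("-", 1)
        start, end = Address(start_s.strip()), Address(end_s.strip())
        if end < start:
            raise ValueError(f"range end precedes start: {entry}")
        return [Address(int(start) + i) for i in range(int(end) - int(start) + 1)]
    if "/" in entry:
        return list(ipaddress.IPv4Network(entry, strict=False).hosts())
    return [Address(entry)]


class DhcpServerPool:
    def __init__(self, ip_pools: List[str], reserved: Dict[str, Optional[str]],
                 ping_before_allocating: Optional[Callable[[Address], bool]] = None):
        # reserved maps a Reserved Address to a MAC Address (any case) or to None
        # when the address is reserved without a MAC and must never be handed out.
        self.addresses = [a for entry in ip_pools for a in expand_pool_entry(entry)]
        self.reserved = {Address(a): (mac.lower() if mac else None) for a, mac in reserved.items()}
        for addr in self.reserved:
            if addr not in self.addresses:   # a Reserved Address must come from the IP Pools
                raise ValueError(f"reserved address {addr} is not in the IP Pools")
        self.leases: Dict[str, Address] = {}          # client MAC -> assigned address
        self.ping = ping_before_allocating              # returns True if the address answers

    def allocate(self, client_mac: str) -> Optional[Address]:
        mac = client_mac.lower()
        if mac in self.leases:
            return self.leases[mac]
        # Static allocation: a Reserved Address bound to this MAC is always used.
        for addr, bound_mac in self.reserved.items():
            if bound_mac == mac:
                self.leases[mac] = addr
                return addr
        in_use = set(self.leases.values())
        for addr in self.addresses:
            if addr in self.reserved or addr in in_use:
                continue
            # "Ping IP when allocating new IP": an answering address belongs to
            # some other host, so the server moves on to the next pool address.
            if self.ping is not None and self.ping(addr):
                continue
            self.leases[mac] = addr
            return addr
        return None   # no dynamic address left, e.g. every pool address is reserved

    def release(self, client_mac: str) -> None:
        self.leases.pop(client_mac.lower(), None)
```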
DHCP Relay
Network > DHCP > DHCP Relay
Before configuring a firewall interface as a DHCP relay agent, make sure you have configured a Layer 3 Ethernet or Layer 3 VLAN interface and that you assigned the interface to a virtual router and a zone. You want that interface to be able to pass DHCP messages between clients and servers. Each interface can forward messages to a maximum of eight external IPv4 DHCP servers and eight external IPv6 DHCP servers. A client sends a DHCPDISCOVER message to all configured servers, and the firewall relays the DHCPOFFER message of the first server that responds back to the requesting client.
DHCP Relay Settings / Description
Interface: Name of the interface that will be the DHCP relay agent.
IPv4/IPv6: Select the type of DHCP server and IP address you will specify.
DHCP Server IP Address: Enter the IP address of the DHCP server to and from which you will relay DHCP messages.
Interface: If you selected IPv6 as the IP address protocol for the DHCP server and specified a multicast address, you must also specify an outgoing interface.
DHCP Client
Network > Interfaces > Ethernet > IPv4
Network > Interfaces > VLAN > IPv4
Before configuring a firewall interface as a DHCP client, make sure you have configured a Layer 3 Ethernet or Layer 3 VLAN interface and that you assigned the interface to a virtual router and a zone. Perform this task if you need to use DHCP to request an IPv4 address for an interface on your firewall.
DHCP Client Settings / Description
Automatically create default route pointing to default gateway provided by server: Causes the firewall to create a static route to a default gateway that will be useful when clients are trying to access many destinations that do not need to have routes maintained in a routing table on the firewall.
Show DHCP Client Runtime Info: Displays all settings received from the DHCP server, including DHCP lease status, dynamic IP assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).
Network > DNS Proxy
DNS servers perform the service of resolving a domain name with an IP address and vice versa. When you configure the firewall as a DNS proxy, it acts as an intermediary between clients and servers and as a DNS server by resolving queries from its DNS cache or forwarding queries to other DNS servers. Use this page to configure the settings that determine how the firewall serves as a DNS proxy.
What do you want to know? See:
How does the firewall proxy DNS requests? See: DNS Proxy Overview
How do I configure a DNS proxy? See: DNS Proxy Settings
How do I configure static FQDN-to-IP address mappings? See: DNS Proxy Settings
How can I manage DNS proxies? See: Additional DNS Proxy Actions
Looking for more? DNS
DNS Proxy Overview
You can configure the firewall to act as a DNS server. First, create a DNS proxy and select the interfaces to which the proxy applies. Then specify the default DNS primary and secondary servers to which the firewall sends the DNS queries when it doesn't find the domain name in its DNS proxy cache (and when the domain name doesn't match a proxy rule).
To direct DNS queries to different DNS servers based on domain names, create DNS proxy rules. Specifying multiple DNS servers can ensure localization of DNS queries and increase efficiency. For example, you can forward all corporate DNS queries to a corporate DNS server and forward all other queries to ISP DNS servers.
Use the following tabs to define a DNS proxy (beyond the default DNS primary and secondary servers):
Static Entries: Allows you to configure static FQDN-to-IP address mappings that the firewall caches and sends to hosts in response to DNS queries.
DNS Proxy Rules: Allows you to specify domain names and corresponding primary and secondary DNS servers to resolve queries that match the rule. If the domain name isn't in the DNS proxy cache, the firewall searches for a match in the DNS proxy (on the interface on which the query arrived), and forwards the query to a DNS server based on the match results. If no match results, the firewall sends the query to the default DNS primary and secondary servers. You can enable caching of domains that match the rule.
Advanced: Allows you to enable caching and control TCP queries and UDP Query Retries. The firewall sends TCP or UDP DNS queries through the configured interface. UDP queries switch over to TCP when a DNS query response is too long for a single UDP packet.
DNS Proxy Settings
Click Add and configure the firewall to act as a DNS proxy. You can configure a maximum of 256 DNS proxies on a firewall.
Name: Specify a name to identify the DNS proxy object (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location: Specify the virtual system to which the DNS proxy object applies:
Shared: Proxy applies to all virtual systems. If you choose Shared, the Server Profile field is not available. Instead, enter the Primary and Secondary DNS server IP addresses or address objects.
Select a virtual system to use this DNS proxy; you must configure a virtual system first. Select Device > Virtual Systems, select a virtual system, and select a DNS Proxy.
Inheritance Source (Shared location only): Select a source from which to inherit default DNS server settings. This is commonly used in branch office deployments where the firewall's WAN interface is addressed by DHCP or PPPoE.
Check inheritance source status (Shared location only): Select to see the server settings that are currently assigned to the DHCP client and PPPoE client interfaces. These may include DNS, WINS, NTP, POP3, SMTP, or DNS suffix.
Primary/Secondary (Shared location only): Specify the IP addresses of the default primary and secondary DNS servers to which this firewall (as DNS proxy) sends DNS queries. If the primary DNS server cannot be found, the firewall uses the secondary DNS server.
Server Profile (Virtual System location only): Select or create a new DNS server profile. This field does not appear if the Location of virtual systems was specified as Shared.
Interface: Add an interface to function as a DNS proxy. You can add multiple interfaces. To remove the DNS proxy from an interface, select and Delete it.
An interface is not required if the DNS Proxy is used only for service route functionality. Use a destination service route with a DNS proxy with no interface if you want the destination service route to set the source IP address. Otherwise, the DNS proxy selects an interface IP address to use as a source (when no DNS service routes are set).
Turn on caching of domains resolved by this mapping: Select to enable caching of domains that are resolved by this mapping.
Domain Name: Add one or more domain names to which the firewall compares incoming FQDNs. If the FQDN matches one of the domains in the rule, the firewall forwards the query to the Primary/Secondary DNS server specified for this proxy. To delete a domain name from the rule, select it and click Delete.
DNS Server Profile (Shared location only): Select or add a DNS server profile to define DNS settings for the virtual system, including the primary and secondary DNS server to which the firewall sends domain name queries.
Primary/Secondary (Virtual System location only): Enter the hostname or IP address of the primary and secondary DNS servers to which the firewall sends matching domain name queries.
Address: Add one or more IP addresses that map to this domain. The firewall includes all of these addresses in its DNS response, and the client chooses which IP address to use. To delete an address, select the address and click Delete.
UDP Queries Retries: Specify settings for UDP query retries:
Interval: Time, in seconds, after which the DNS proxy sends another request if it hasn't received a response (range is 1-30; default is 2).
Attempts: Maximum number of attempts (excluding the first attempt) after which the DNS proxy tries the next DNS server (range is 1-30; default is 5).
Cache: Select to enable the firewall to cache DNS entries (enabled by default) and specify the following:
Enable TTL: Limit the length of time the firewall caches DNS entries for the proxy object. TTL is disabled by default. Then enter Time to Live (sec), the number of seconds after which all cached entries for the proxy object are removed and new DNS requests must be resolved and cached again. Range is 60-86,400. There is no default TTL; entries remain until the firewall runs out of cache memory.
Cache EDNS Responses: Select Cache Extension Mechanisms for DNS (EDNS) Responses if you want the firewall to cache partial DNS responses that are greater than 512 bytes. If a subsequent FQDN for the cached entry arrives, the firewall sends the partial DNS response.
Don't select this if you want to send DNS responses greater than 512 bytes.
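The resolution order from the DNS Proxy Overview (static entries, cache, matching proxy rule, default servers) together with the per-rule caching, TTL and UDP Queries Retries settings from the table above, as an added example; this is not PAN-OS code, the domain-suffix rule match is an assumption, and the server addresses in the test are constructed:

```python
"""Model of the DNS proxy resolution order described in the DNS Proxy
Overview and DNS Proxy Settings sections: Static Entries first, then the
cache, then a matching DNS Proxy Rule, and finally the default primary and
secondary servers; plus the UDP Queries Retries schedule. Added example,
not PAN-OS code. Rule matching is a domain-suffix match (an assumption; the
page only says an FQDN "matches one of the domains in the rule"), and the
upstream lookup is a caller-supplied function so the block runs offline."""
import time
from typing import Callable, Dict, List, Optional, Tuple

Servers = List[str]
Lookup = Callable[[Servers, str], List[str]]


class DnsProxyRule:
    def __init__(self, domain_names: List[str], servers: Servers, cache_domains: bool = False):
        self.domains = [d.lower().rstrip(".") for d in domain_names]
        self.servers = servers                  # rule's Primary/Secondary
        self.cache_domains = cache_domains      # "Turn on caching of domains resolved by this mapping"

    def matches(self, fqdn: str) -> bool:
        return any(fqdn == d or fqdn.endswith("." + d) for d in self.domains)


class DnsProxy:
    def __init__(self, default_servers: Servers, rules: List[DnsProxyRule],
                 static_entries: Dict[str, List[str]], cache: bool = True,
                 ttl_seconds: Optional[int] = None, now: Callable[[], float] = time.time):
        self.default_servers = default_servers
        self.rules = rules
        self.static = {k.lower().rstrip("."): v for k, v in static_entries.items()}
        self.cache_enabled = cache              # Cache (enabled by default)
        self.ttl = ttl_seconds                  # Time to Live (sec); None = no TTL
        self.now = now
        self._cache: Dict[str, Tuple[List[str], float]] = {}

    def _cached(self, fqdn: str) -> Optional[List[str]]:
        entry = self._cache.get(fqdn)
        if entry is None:
            return None
        addresses, inserted_at = entry
        if self.ttl is not None and self.now() - inserted_at > self.ttl:
            del self._cache[fqdn]               # expired: must be resolved and cached again
            return None
        return addresses

    def resolve(self, fqdn: str, lookup: Lookup) -> Tuple[str, List[str]]:
        """Return (source, addresses); source is static, cache, rule or default."""
        fqdn = fqdn.lower().rstrip(".")
        if fqdn in self.static:
            return "static", self.static[fqdn]
        cached = self._cached(fqdn)
        if cached is not None:
            return "cache", cached
        rule = next((r for r in self.rules if r.matches(fqdn)), None)
        if rule is not None:
            source, servers, store = "rule", rule.servers, rule.cache_domains
        else:
            source, servers, store = "default", self.default_servers, True
        addresses = lookup(servers, fqdn)
        if self.cache_enabled and store:
            self._cache[fqdn] = (addresses, self.now())
        return source, addresses


def udp_retry_schedule(servers: Servers, interval: int = 2, attempts: int = 5) -> List[Tuple[int, str]]:
    """(send time in seconds, server) for a UDP query that never gets a reply:
    the first attempt plus `attempts` retries every `interval` seconds, then
    the next server. Defaults are the page's (Interval 2, Attempts 5)."""
    if not 1 <= interval <= 30 or not 1 <= attempts <= 30:
        raise ValueError("Interval and Attempts must each be in the range 1-30")
    schedule, t = [], 0
    for server in servers:
        for _ in range(attempts + 1):
            schedule.append((t, server))
            t += interval
    return schedule
```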
Additional DNS Proxy Actions
Network > QoS
What are you looking for? See:
Set bandwidth limits for an interface and enforce QoS for traffic exiting an interface. See: QoS Interface Settings
Monitor traffic exiting a QoS-enabled interface. See: QoS Interface Statistics
QoS Interface Settings
Enable QoS on an interface to set bandwidth limits for the interface and/or to enable the interface to enforce QoS for egress traffic. Enabling a QoS interface includes attaching a QoS profile to the interface. QoS is supported on physical interfaces and, depending on firewall model, QoS is also supported on subinterfaces and Aggregate Ethernet (AE) interfaces. See the Palo Alto Networks product comparison tool to view QoS feature support for your firewall model.
To get started, Add or modify a QoS Interface, and then configure settings as described in the following table.
Turn on QoS feature on this interface: Select to enable QoS on the selected interface.
QoS Interface Statistics
Network > QoS > Statistics
For a QoS interface, select Statistics to view bandwidth, session, and application information for configured QoS interfaces.
QoS Statistics / Description
Bandwidth: Shows the real-time bandwidth charts for the selected node and classes. This information is updated every two seconds.
The QoS Egress Max and Egress Guaranteed limitations configured for the QoS classes might be shown with a slightly different value in the QoS statistics screen. This is normal behavior and is due to how the hardware engine summarizes bandwidth limits and counters. There is no operational concern, as the bandwidth utilization graphs display the real-time values and quantities.
Applications: Lists all active applications for the selected QoS node and/or class.
Source Users: Lists all the active source users for the selected QoS node and/or class.
Destination Users: Lists all the active destination users for the selected QoS node and/or class.
Security Rules: Lists the security rules matched to and enforcing the selected QoS node and/or class.
QoS Rules: Lists the QoS rules matched to and enforcing the selected QoS node and/or class.
Network > LLDP
Link Layer Discovery Protocol (LLDP) provides an automatic method of discovering neighboring devices and their capabilities at the Link Layer.
LLDP allows the firewall to send and receive Ethernet frames containing LLDP data units (LLDPDUs) to and from neighbors. The receiving device stores the information in a MIB, which can be accessed by the Simple Network Management Protocol (SNMP). LLDP enables network devices to map their network topology and learn capabilities of the connected devices, which makes troubleshooting easier, especially for virtual wire deployments where the firewall would typically go undetected in a network topology.
What are you looking for? See:
Building Blocks of LLDP
To enable LLDP on the firewall, click Edit, click Enable, and optionally configure the four settings shown in the following table, if the default settings do not suit your environment. The remaining table entries describe the status and peer statistics.
Transmit Delay (sec): Specify the delay time, in seconds, between LLDP transmissions sent after a change is made in a Type-Length-Value (TLV) element. The delay helps to prevent flooding the segment with LLDPDUs if many network changes spike the number of LLDP changes or if the interface flaps. The Transmit Delay must be less than the Transmit Interval (range is 1-600; default is 2).
Notification Interval: Specify the interval, in seconds, at which syslog and SNMP Trap notifications are transmitted when MIB changes occur (range is 1-3,600; default is 5).
Interface: Name of the interfaces that have LLDP profiles assigned to them.
LLDP: LLDP status: enabled or disabled.
Mode: LLDP mode of the interface: Tx/Rx, Tx Only, or Rx Only.
Profile: Name of the profile assigned to the interface.
Total Transmitted: Count of LLDPDUs transmitted out the interface.
Dropped Transmit: Count of LLDPDUs that were not transmitted out the interface because of an error. For example, a length error when the system is constructing an LLDPDU for transmission.
Total Received: Count of LLDP frames received on the interface.
Dropped TLV: Count of LLDP frames discarded upon receipt.
Errors: Count of Type-Length-Value (TLV) elements that were received on the interface and contained errors. Types of TLV errors include: one or more mandatory TLVs missing, out of order, containing out-of-range information, or length error.
Unrecognized: Count of TLVs received on the interface that are not recognized by the LLDP local agent, for example, because the TLV type is in the reserved TLV range.
Aged Out: Count of items deleted from the Receive MIB due to proper TTL expiration.
Clear LLDP Statistics: Select to clear all of the LLDP statistics.
Local Interface: Interface on the firewall that detected the neighboring device.
Remote Chassis ID: Chassis ID of the peer; the MAC address is used.
Chassis Type: Chassis Type is MAC address.
MAC Address: MAC address of the peer.
System Name: Name of the peer.
System Description: Description of the peer.
Port Description: Port description of the peer.
Port Type: Interface name.
Port ID: Firewall uses the ifname of the interface.
System Capabilities: Capabilities of the system. O=Other, P=Repeater, B=Bridge, W=Wireless LAN, R=Router, T=Telephone
Enabled Capabilities: Capabilities enabled on the peer.
Management Address: Management address of the peer.
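A small LLDPDU parser that reproduces the receive-side bookkeeping in the table above (Errors for missing, out-of-order or mis-sized mandatory TLVs, Unrecognized for reserved TLV types, and the peer fields with capabilities rendered as the O/P/B/W/R/T letters); added example, not PAN-OS code, with a constructed sample LLDPDU and an assumed set of field names:

```python
"""Minimal LLDPDU parser mirroring the receive-side statistics described in
the LLDP table: TLV errors (mandatory TLV missing, out of order, length error),
Unrecognized TLVs (reserved types) and the peer fields shown. Added example,
not PAN-OS code; the sample LLDPDU is constructed here and the TLV layout
follows IEEE 802.1AB (7-bit type, 9-bit length, big-endian header)."""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

END, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAPS, MGMT_ADDR = range(9)
RESERVED_RANGE = range(9, 127)          # 9-126 reserved; 127 is organizationally specific
CAP_LETTERS = {0: "O", 1: "P", 2: "B", 3: "W", 4: "R", 5: "T"}   # capability bits as labelled
MAC_SUBTYPE = {CHASSIS_ID: 4, PORT_ID: 3}   # ID subtype that means "MAC address" per TLV


@dataclass
class Neighbor:
    chassis_id: str = ""
    port_id: str = ""
    ttl: int = 0
    system_name: str = ""
    capabilities: str = ""
    enabled_capabilities: str = ""
    errors: List[str] = field(default_factory=list)   # feeds the Errors counter
    unrecognized: int = 0                              # feeds the Unrecognized counter


def tlv(tlv_type: int, payload: bytes) -> bytes:
    """Encode one TLV (used here only to build the constructed sample)."""
    return struct.pack("!H", (tlv_type << 9) | len(payload)) + payload


def caps_to_letters(word: int) -> str:
    return "".join(letter for bit, letter in CAP_LETTERS.items() if word & (1 << bit))


def split_tlvs(pdu: bytes) -> Tuple[List[Tuple[int, bytes]], List[str]]:
    """Walk the TLV chain; a length that overruns the buffer is a length error."""
    tlvs, errors, offset = [], [], 0
    while offset + 2 <= len(pdu):
        header = struct.unpack_from("!H", pdu, offset)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(pdu):
            errors.append(f"length error: TLV type {tlv_type} length {length} overruns LLDPDU")
            break
        tlvs.append((tlv_type, pdu[offset:offset + length]))
        offset += length
        if tlv_type == END:
            break
    return tlvs, errors


def parse_lldpdu(pdu: bytes) -> Neighbor:
    n = Neighbor()
    tlvs, n.errors = split_tlvs(pdu)
    types = [t for t, _ in tlvs]
    # Chassis ID, Port ID and TTL are mandatory and must come first, in that order.
    if types[:3] != [CHASSIS_ID, PORT_ID, TTL]:
        missing = [t for t in (CHASSIS_ID, PORT_ID, TTL) if t not in types]
        n.errors.append("mandatory TLV missing" if missing else "mandatory TLVs out of order")
    for tlv_type, value in tlvs:
        if tlv_type in (CHASSIS_ID, PORT_ID):
            if len(value) < 2:                      # subtype byte plus at least one ID byte
                n.errors.append(f"length error: TLV type {tlv_type}")
                continue
            subtype, ident = value[0], value[1:]
            if subtype == MAC_SUBTYPE[tlv_type] and len(ident) == 6:
                text = ident.hex(":")               # MAC address form, as the table shows
            else:
                text = ident.decode("utf-8", "replace")   # e.g. port subtype 5 = interface name
            if tlv_type == CHASSIS_ID:
                n.chassis_id = text
            else:
                n.port_id = text
        elif tlv_type == TTL:
            if len(value) != 2:
                n.errors.append("length error: TTL TLV")
                continue
            n.ttl = struct.unpack("!H", value)[0]
        elif tlv_type == SYS_NAME:
            n.system_name = value.decode("utf-8", "replace")
        elif tlv_type == SYS_CAPS:
            if len(value) != 4:
                n.errors.append("length error: System Capabilities TLV")
                continue
            caps, enabled = struct.unpack("!HH", value)
            n.capabilities, n.enabled_capabilities = caps_to_letters(caps), caps_to_letters(enabled)
        elif tlv_type in RESERVED_RANGE:
            n.unrecognized += 1                     # counted under Unrecognized, not Errors
        # END, descriptions, MGMT_ADDR and organizationally specific TLVs are accepted undecoded.
    return n


# Constructed sample: a switch advertising itself on the firewall's link.
SAMPLE_LLDPDU = (
    tlv(CHASSIS_ID, b"\x04" + bytes.fromhex("001b17aabbcc"))     # subtype 4: MAC address
    + tlv(PORT_ID, b"\x05" + b"ethernet1/1")                     # subtype 5: interface name
    + tlv(TTL, struct.pack("!H", 120))
    + tlv(SYS_NAME, b"core-sw1")
    + tlv(SYS_CAPS, struct.pack("!HH", 0x0014, 0x0010))          # B+R capable, R enabled
    + tlv(20, b"\x00")                                           # reserved type -> Unrecognized
    + tlv(END, b"")
)
```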
Network > Network Profiles
Network > Network Profiles > GlobalProtect IPSec Crypto
Network > Network Profiles > IKE Gateways
Network > Network Profiles > IPSec Crypto
Network > Network Profiles > IKE Crypto
Network > Network Profiles > Interface Mgmt
Network > Network Profiles > Monitor
Network > Network Profiles > Zone Protection
Network > Network Profiles > LLDP Profile
Network > Network Profiles > BFD Profile
Network > Network Profiles > QoS
Network > Network Profiles > GlobalProtect IPSec Crypto
For VPN tunnels between GlobalProtect gateways and satellites (firewalls), see Network > Network Profiles > IPSec Crypto.
GlobalProtect IPSec Crypto Profile Settings
Name: Enter a name to identify the profile. The name is case-sensitive, must be unique, and can have up to 31 characters. Use only letters, numbers, spaces, hyphens, and underscores.
Encryption: Click Add and select the desired encryption algorithms. For highest security, change the order (top to bottom) to: aes-256-gcm, aes-128-gcm, aes-128-cbc.
Authentication: Click Add and select the authentication algorithm. Currently, the only option is sha1.
Network > Network Profiles > IKE Gateways
Use this page to manage or define a gateway, including the configuration information necessary to perform Internet Key Exchange (IKE) protocol negotiation with a peer gateway. This is the Phase 1 portion of the IKE/IPSec VPN setup.
To manage, configure, restart, or refresh an IKE gateway, see the following:
IKE Gateway Management
IKE Gateway General Tab
IKE Gateway Advanced Options Tab
IKE Gateway Restart or Refresh
IKE Gateway Management
Network > Network Profiles > IKE Gateways
The following table describes how to manage your IKE gateways.
Manage IKE Gateways / Description
Add: To create a new IKE gateway, click Add. See IKE Gateway General Tab and IKE Gateway Advanced Options Tab for instructions on configuring the new gateway.
Delete: To delete a gateway, select the gateway and click Delete.
Enable: To enable a gateway that has been disabled, select the gateway and click Enable, which is the default setting for a gateway.
Disable: To disable a gateway, select the gateway and click Disable.
IKE Gateway General Tab
Network > Network Profiles > IKE Gateways > General
The following table describes the beginning steps for how to configure an IKE gateway. IKE is Phase 1 of the IKE/IPSec VPN process. After performing these steps, see IKE Gateway Advanced Options Tab.
IKE Gateway General Settings / Description
Name: Enter a Name to identify the gateway (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Version: Select the IKE version that the gateway supports and must agree to use with the peer gateway: IKEv1 only mode, IKEv2 only mode, or IKEv2 preferred mode. IKEv2 preferred mode causes the gateway to negotiate for IKEv2, and if the peer also supports IKEv2, that is what they will use. Otherwise, the gateway falls back to IKEv1.
IPv4/IPv6: Select the type of IP address the gateway uses.
Interface: Specify the outgoing firewall interface to the VPN tunnel.
Local IP Address: Select or enter the IP address for the local interface that is the endpoint of the tunnel.
Peer IP Type: Select Static or Dynamic for the peer on the far end of the tunnel.
Local Identification: Defines the format and identification of the local gateway, which are used with the pre-shared key for both IKEv1 phase 1 SA and IKEv2 SA establishment. Choose one of the following types and enter the value: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), User FQDN (email address). If no value is specified, the local IP address will be used as the Local Identification value.
Peer Identification: Defines the type and identification of the peer gateway, which are used with the pre-shared key during IKEv1 phase 1 SA and IKEv2 SA establishment. Choose one of the following types and enter the value: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), User FQDN (email address). If no value is specified, the peer's IP address will be used as the Peer Identification value.
Certificate Fields
Local Certificate: If Certificate is selected as the Authentication type, from the drop-down, select a certificate that is already on the firewall.
Alternatively, you could Import a certificate, or Generate a new certificate, as follows:
Import:
Certificate Name: Enter a name for the certificate you are importing.
Shared: Click if this certificate is to be shared among multiple virtual systems.
Certificate File: Click Browse to navigate to the location where the certificate file is located. Click on the file and select Open.
File Format: Select one of the following:
Base64 Encoded Certificate (PEM): Contains the certificate, but not the key. Clear text.
Encrypted Private Key and Certificate (PKCS12): Contains both the certificate and the key.
Private key resides on Hardware Security Module: Click if the firewall is a client of an HSM server where the key resides.
Import private key: Click if a private key is to be imported because it is in a different file from the certificate file.
Key File: Browse and navigate to the key file to import. This entry applies if you chose PEM as the File Format.
Passphrase and Confirm Passphrase: Enter to access the key.
Generate:
Certificate Name: Enter a name for the certificate you are creating.
Common Name: Enter the common name, which is the IP address or FQDN to appear on the certificate.
Shared: Click if this certificate is to be shared among multiple virtual systems.
Signed By: Select External Authority (CSR) or enter the firewall IP address. This entry must be a CA.
Certificate Authority: Click if the firewall is the root CA.
OCSP Responder: Enter the OCSP responder that tracks whether the certificate is valid or revoked.
Algorithm: Select RSA or Elliptic Curve DSA to generate the key for the certificate.
Number of Bits: Select 512, 1024, 2048, or 3072 as the number of bits in the key.
Digest: Select md5, sha1, sha256, sha384, or sha512 as the hash (digest) algorithm for the certificate.
Expiration (days): Enter the number of days that the certificate is valid.
Certificate Attributes: Type: Optionally select additional attribute types from the drop-down to be in the certificate. Value: Enter a value for the attribute.
LocalIdentification Identifieshowthelocalpeerisidentifiedinthecertificate.Chooseoneofthe
followingtypesandenterthevalue:Distinguished Name(Subject),FQDN
(hostname),IP address,orUser FQDN(emailaddress).
PeerIdentification Identifieshowtheremotepeerisidentifiedinthecertificate.Chooseoneof
thefollowingtypesandenterthevalue:Distinguished Name(Subject),
FQDN(hostname),IP address,orUser FQDN(emailaddress).
PeerIDCheck SelectExactorWildcard.ThissettingappliestothePeerIdentificationthat
isbeingexaminedtovalidatethecertificate.SupposethePeerIdentification
wasaNameequaltodomain.com.IfyouselectExactandnameofthe
certificateintheIKEIDpayloadismail.domain2.com,theIKEnegotiationwill
fail.ButifyouselectedWildcard,anycharacterintheNamestringbeforethe
wildcardasterisk(*)mustmatchandanycharacterafterthewildcardcan
differ.
Permitpeeridentification SelectifyouwanttheflexibilityofhavingasuccessfulIKESAeventhough
andcertificatepayload thepeeridentificationdoesnotmatchthecertificatepayload.
identificationmismatch
Enablestrictvalidationof Selectifyouwanttostrictlycontrolhowthekeycanbeused.
peersextendedkeyuse
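The Exact and Wildcard comparison rules described above, as an added model that is not PAN-OS code; it assumes the comparison is case-sensitive (the page does not say) and treats the certificate identity as the "certificate payload" the mismatch option refers to:

```python
"""Model of the IKE Gateway Peer ID Check (Exact vs. Wildcard) as the page describes it. Added example, not
PAN-OS code; it models only the comparison rule, not the rest of IKE authentication. Assumption: the
comparison is case-sensitive (the page does not state this)."""


def peer_id_matches(configured: str, presented: str, mode: str) -> bool:
    """Compare the ID carried in the IKE ID payload against the configured Peer Identification.
    Exact: both strings must be identical.
    Wildcard: every character before the first '*' in the configured value must match the start of the
    presented ID; anything after the '*' may differ. A configured value without '*' behaves like Exact.
    Note that a value such as '*.example.test' has an empty prefix and therefore matches any presented ID."""
    if mode == "Exact":
        return presented == configured
    if mode == "Wildcard":
        prefix, star, _ = configured.partition("*")
        return presented.startswith(prefix) if star else presented == configured
    raise ValueError(f"Peer ID Check must be 'Exact' or 'Wildcard', got {mode!r}")


def ike_id_decision(configured, ike_id, cert_id, mode, permit_mismatch=False):
    """Combine the Peer ID Check with the 'Permit peer identification and certificate payload identification
    mismatch' option. cert_id is the identity taken from the peer's certificate (assumed here to be what the
    page calls the certificate payload). Returns ('established' | 'failed', reason)."""
    if not peer_id_matches(configured, ike_id, mode):
        return "failed", f"IKE ID {ike_id!r} does not satisfy Peer Identification {configured!r} ({mode})"
    if ike_id != cert_id and not permit_mismatch:
        return "failed", f"IKE ID {ike_id!r} does not match certificate identity {cert_id!r}"
    return "established", "peer identification accepted"
```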
IKE Gateway Advanced Options Tab
Network > Network Profiles > IKE Gateways > Advanced Options
Configure advanced IKE gateway settings such as passive mode, NAT Traversal, and IKEv1 settings such as dead peer detection.
IKE Gateway Advanced Options: Description
Enable Passive Mode: Click to have the firewall only respond to IKE connections and never initiate them.
Enable NAT Traversal: Click to have UDP encapsulation used on IKE and UDP protocols, enabling them to pass through intermediate NAT devices. Enable NAT Traversal if Network Address Translation (NAT) is configured on a device between the IPSec VPN terminating points.
IKEv1 Tab
Exchange Mode: Choose auto, aggressive, or main. In auto mode (default), the device can accept both main mode and aggressive mode negotiation requests; however, whenever possible, it initiates negotiation and allows exchanges in main mode. You must configure the peer device with the same exchange mode to allow it to accept negotiation requests initiated from the first device.
IKE Crypto Profile: Select an existing profile, keep the default profile, or create a new profile. The profiles selected for IKEv1 and IKEv2 can differ. For information on IKE Crypto profiles, see Network > Network Profiles > IKE Crypto.
Enable Fragmentation: Click to allow the local gateway to receive fragmented IKE packets. The maximum fragmented packet size is 576 bytes.
Dead Peer Detection: Click to enable and enter an interval (2-100 seconds) and delay before retrying (2-100 seconds). Dead peer detection identifies inactive or unavailable IKE peers and can help restore resources that are lost when a peer is unavailable.
IKEv2 Tab
IKE Crypto Profile: Select an existing profile, keep the default profile, or create a new profile. The profiles selected for IKEv1 and IKEv2 can differ. For information on IKE Crypto profiles, see Network > Network Profiles > IKE Crypto.
IKE Gateway Restart or Refresh
Network > IPSec Tunnels
Select Network > IPSec Tunnels to display the status of tunnels. In the second Status column is a link to the IKE Info. Click the gateway you want to restart or refresh. The IKE Info page opens. Click one of the entries in the list and click:
Restart: Restarts the selected gateway. A restart will disrupt traffic going across the tunnel. The restart behaviors for IKEv1 and IKEv2 are different, as follows:
  IKEv1: You can restart (clear) a Phase 1 SA or Phase 2 SA independently and only that SA is affected.
  IKEv2: Causes all child SAs (IPSec tunnels) to be cleared when the IKEv2 SA is restarted. If you restart the IKEv2 SA, all underlying IPSec tunnels are also cleared. If you restart the IPSec Tunnel (child SA) associated with an IKEv2 SA, the restart will not affect the IKEv2 SA.
Refresh: Shows the current IKE SA status.
Network > Network Profiles > IPSec Crypto
For VPN tunnels between GlobalProtect gateways and clients, see Network > Network Profiles > GlobalProtect IPSec Crypto.
IPSec Crypto Profile Settings: Description
Name: Enter a Name to identify the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
IPSec Protocol: Select a protocol for securing data that traverses the VPN tunnel:
  ESP: Encapsulating Security Payload protocol encrypts the data, authenticates the source, and verifies data integrity.
  AH: Authentication Header protocol authenticates the source and verifies data integrity.
Encryption (ESP protocol only): Click Add and select the desired encryption algorithms. For highest security, use Move Up and Move Down to change the order (top to bottom) to the following: aes-256-gcm, aes-256-cbc, aes-192-cbc, aes-128-gcm, aes-128-ccm (the VM-Series firewall doesn't support this option), aes-128-cbc, 3des, and des. You can also select null (no encryption).
Authentication: Click Add and select the desired authentication algorithms. For highest security, use Move Up and Move Down to change the order (top to bottom) to the following: sha512, sha384, sha256, sha1, md5. If the IPSec Protocol is ESP, you can also select none (no authentication).
DH Group: Select the Diffie-Hellman (DH) group for Internet Key Exchange (IKE): group1, group2, group5, group14, group19, or group20. For highest security, choose the group with the highest number. If you don't want to renew the key that the firewall creates during IKE phase 1, select no-pfs (no perfect forward secrecy): the firewall reuses the current key for the IPSec security association (SA) negotiations.
Lifetime: Select units and enter the length of time (default is one hour) that the negotiated key will stay effective.
Lifesize: Select optional units and enter the amount of data that the key can use for encryption.
Network > Network Profiles > IKE Crypto
IKE Crypto Profile Settings: Description
Name: Enter a name for the profile.
DH Group: Specify the priority for Diffie-Hellman (DH) groups. Click Add and select groups: group1, group2, group5, group14, group19, or group20. For highest security, select an item and then click Move Up or Move Down to move the groups with higher numeric identifiers to the top of the list. For example, move group14 above group2.
Authentication: Specify the priority for hash algorithms. Click Add and select algorithms. For highest security, select an item and then click Move Up or Move Down to change the order (top to bottom) to the following: sha512, sha384, sha256, sha1, md5.
Encryption: Select the appropriate Encapsulating Security Payload (ESP) authentication options. Click Add and select algorithms. For highest security, select an item and then click Move Up or Move Down to change the order (top to bottom) to the following: aes-256-cbc, aes-192-cbc, aes-128-cbc, 3des, des.
Key Lifetime: Select the unit of time and enter the length of time that the negotiated IKE Phase 1 key will be effective (default is 8 hours).
  IKEv2: Before the key lifetime expires, the SA must be rekeyed or else, upon expiration, the SA must begin a new Phase 1 key negotiation.
  IKEv1: Will not actively do a Phase 1 rekey before expiration. Only when the IKEv1 IPSec SA expires will it trigger an IKEv1 Phase 1 rekey.
IKEv2 Authentication Multiple: Specify a value (range is 0-50; default is 0) that is multiplied by the Key Lifetime to determine the authentication count. The authentication count is the number of times that the gateway can perform IKEv2 IKE SA rekey before the gateway must start over with IKEv2 reauthentication. A value of 0 disables the reauthentication feature.
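An added audit script (not PAN-OS code) that checks the algorithm lists of an IPSec Crypto profile and an IKE Crypto profile against the strongest-first orders recommended in the two sections above, and flags the options both sections describe as weaker (null, none, no-pfs, legacy ciphers and hashes, low-numbered DH groups); it works on plain Python lists rather than on a firewall configuration:

```python
"""Audit IPSec Crypto and IKE Crypto profile algorithm lists against the strongest-first orders the page
recommends, and flag options the page describes as weaker (null/none, no-pfs, legacy ciphers and hashes).
Added example, not PAN-OS code; it works on plain Python lists, not on a firewall configuration."""

import re

# Strongest-first orders exactly as the page lists them (top to bottom).
RECOMMENDED = {
    "ipsec-encryption": ["aes-256-gcm", "aes-256-cbc", "aes-192-cbc", "aes-128-gcm",
                         "aes-128-ccm", "aes-128-cbc", "3des", "des", "null"],
    "ipsec-authentication": ["sha512", "sha384", "sha256", "sha1", "md5", "none"],
    "ike-encryption": ["aes-256-cbc", "aes-192-cbc", "aes-128-cbc", "3des", "des"],
    "ike-authentication": ["sha512", "sha384", "sha256", "sha1", "md5"],
}
# Options that remove or weaken protection; which of these to tolerate is a local policy decision.
WEAK = {"null", "none", "no-pfs", "des", "3des", "md5", "sha1", "group1", "group2", "group5"}


def dh_strength(group):
    """Rank a DH group by its numeric identifier (page: choose the group with the highest number).
    no-pfs ranks below every group because the IPSec SA then reuses the IKE phase 1 key."""
    if group == "no-pfs":
        return -1
    m = re.fullmatch(r"group(\d+)", group)
    if not m:
        raise ValueError(f"unknown DH group: {group}")
    return int(m.group(1))


def order_findings(label, configured, strongest_first):
    """Report each algorithm that is listed below a weaker one (rank = index in the recommended order)."""
    findings = []
    ranks = []
    for alg in configured:
        if alg not in strongest_first:
            raise ValueError(f"{label}: unknown algorithm {alg}")
        rank = strongest_first.index(alg)
        if ranks and rank < max(ranks):
            weaker = configured[ranks.index(max(ranks))]
            findings.append(f"{label}: {alg} is stronger than {weaker} but listed below it")
        ranks.append(rank)
    return findings


def audit_profile(kind, encryption, authentication, dh_groups):
    """kind is 'ipsec' or 'ike'. Returns a list of findings; an empty list means the lists follow the
    page's strongest-first guidance and contain none of the weak options."""
    if kind not in ("ipsec", "ike"):
        raise ValueError("kind must be 'ipsec' or 'ike'")
    findings = order_findings("encryption", encryption, RECOMMENDED[f"{kind}-encryption"])
    findings += order_findings("authentication", authentication, RECOMMENDED[f"{kind}-authentication"])
    strengths = []
    for group in dh_groups:
        strength = dh_strength(group)
        if strengths and strength > max(strengths):
            weaker = dh_groups[strengths.index(max(strengths))]
            findings.append(f"dh-group: {group} is stronger than {weaker} but listed below it")
        strengths.append(strength)
    for option in list(encryption) + list(authentication) + list(dh_groups):
        if option in WEAK:
            findings.append(f"weak option enabled: {option}")
    return findings
```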
Network > Network Profiles > Interface Mgmt
An Interface Management profile protects the firewall from unauthorized access by defining the services and IP addresses that a firewall interface permits. You can assign an Interface Management profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical interfaces (aggregate group, VLAN, loopback, and tunnel interfaces). To assign an Interface Management profile, see Network > Interfaces.
Field: Description
Name: Enter a profile name (up to 31 characters). This name appears in the list of Interface Management profiles when configuring interfaces. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Permitted Services:
  Ping: Use to test connectivity with external services. For example, you can ping the interface to verify it can receive PAN-OS software and content updates from the Palo Alto Networks Update Server.
  Telnet: Use to access the firewall CLI. Telnet uses plaintext, which is not as secure as SSH. Enable SSH instead of Telnet for management traffic on the interface.
  SSH: Use for secure access to the firewall CLI.
  HTTP: Use to access the firewall web interface. HTTP uses plaintext, which is not as secure as HTTPS. Enable HTTPS instead of HTTP for management traffic on the interface.
  HTTP OCSP: Use to configure the firewall as an Online Certificate Status Protocol (OCSP) responder. For details, see Device > Certificate Management > OCSP Responder.
  HTTPS: Use for secure access to the firewall web interface.
  SNMP: Use to process firewall statistics queries from an SNMP manager. For details, see Enable SNMP Monitoring.
  Response Pages: Use to enable response pages for:
    Captive Portal: The ports used to serve Captive Portal response pages are left open on Layer 3 interfaces: port 6080 for NTLM, 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode. For details, see Device > User Identification > Captive Portal Settings.
    URL Admin Override: For details, see Device > Setup > Content-ID.
  User-ID: Use to Enable Redistribution of User Mappings Among Firewalls.
  User-ID Syslog Listener-SSL: Use to allow the PAN-OS integrated User-ID agent to collect syslog messages over SSL. For details, see Configure Access to Monitored Servers.
  User-ID Syslog Listener-UDP: Use to allow the PAN-OS integrated User-ID agent to collect syslog messages over UDP. For details, see Configure Access to Monitored Servers.
Permitted IP Addresses: Enter the list of IPv4 or IPv6 addresses from which the interface allows access.
Network > Network Profiles > Monitor
A monitor profile is used to monitor IPSec tunnels and to monitor a next-hop device for policy-based forwarding (PBF) rules. In both cases, the monitor profile is used to specify an action to take when a resource (IPSec tunnel or next-hop device) becomes unavailable. Monitor profiles are optional, but can be very useful for maintaining connectivity between sites and to ensure that PBF rules are maintained. The following settings are used to configure a monitor profile.
Field: Description
Name: Enter a name to identify the monitor profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Action: Specify an action to take if the tunnel is not available. If the threshold number of heartbeats is lost, the firewall takes the specified action.
  wait-recover: Wait for the tunnel to recover; do not take additional action. Packets will continue to be sent according to the PBF rule.
  fail-over: Traffic will fail over to a backup path, if one is available. The firewall uses routing table lookup to determine routing for the duration of this session.
  In both cases, the firewall tries to negotiate new IPSec keys to accelerate the recovery.
Interval: Specify the time between heartbeats (range is 2-10; default is 3).
Threshold: Specify the number of heartbeats to be lost before the firewall takes the specified action (range is 2-10; default is 5).
Network > Network Profiles > Zone Protection
A Zone Protection profile applied to a zone offers protection against most common floods, reconnaissance attacks, other packet-based attacks, and the use of non-IP protocols. It is designed to provide broad-based protection at the ingress zone (that is, the zone where traffic enters the firewall) and is not designed to protect a specific end host or traffic going to a particular destination zone. You can attach one zone protection profile to a zone.
To augment zone protection capabilities on the firewall, configure a DoS Protection policy (Policies > DoS Protection) to match on a specific zone, interface, IP address, or user.
Zone protection is enforced only when there is no session match for the packet because zone protection is based on new connections per second (cps), not on packets per second (pps). If the packet matches an existing session, it will bypass the zone protection setting.
What are you looking for? See:
How do I create a Zone Protection profile? Building Blocks of Zone Protection Profiles; Flood Protection; Reconnaissance Protection; Packet Based Attack Protection; Protocol Protection
Building Blocks of Zone Protection Profiles
To create a Zone Protection profile, Add one and give it a name.
Description: Enter an optional description for the Zone Protection profile.
Continue to create the Zone Protection profile by configuring any combination of settings based on what types of protection your zone needs:
  Flood Protection
  Reconnaissance Protection
  Packet Based Attack Protection
  Protocol Protection
If you have a multi-virtual system environment, and have enabled the following:
  External zones to enable inter-virtual system communication
  Shared gateways to allow virtual systems to share a common interface and a single IP address for external communications
the following Zone and DoS protection mechanisms will be disabled on the external zone:
  SYN cookies
  IP fragmentation
  ICMPv6
To enable IP fragmentation and ICMPv6 protection for the shared gateway, you must create a separate Zone Protection profile for the shared gateway.
To protect against SYN floods on a shared gateway, you can apply a SYN Flood protection profile with either Random Early Drop or SYN cookies; on an external zone, only Random Early Drop is available for SYN Flood protection.
Flood Protection
Network > Network Profiles > Zone Protection > Flood Protection
Configure a profile that provides flood protection against SYN, ICMP, ICMPv6, and UDP packets, as well as protection against flooding from other types of IP packets.
Alarm Rate (connections/sec): Enter the number of SYN packets (not matching an existing session) the zone receives per second that triggers an alarm. You can view alarms on the Dashboard and in the threat log (Monitor > Packet Capture).
Activate (connections/sec): Enter the number of SYN packets (not matching an existing session) that the zone receives per second that triggers the Action specified in this Zone Protection profile. The firewall uses an algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the SYN packets if the incoming rate drops below the Activate threshold.
Maximum (connections/sec): Enter the maximum number of SYN packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
Maximum (connections/sec): Enter the maximum number of ICMP packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
ICMPv6: Select to enable protection against ICMPv6 floods.
Alarm Rate (connections/sec): Enter the number of ICMPv6 echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
Activate (connections/sec): Enter the number of ICMPv6 packets (not matching an existing session) that the zone receives per second before subsequent ICMPv6 packets are dropped. The firewall uses an algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the ICMPv6 packets if the incoming rate drops below the Activate threshold.
Maximum (connections/sec): Enter the maximum number of ICMPv6 packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
UDP: Select to enable protection against UDP floods.
Alarm Rate (connections/sec): Enter the number of UDP packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
Activate (connections/sec): Enter the number of UDP packets (not matching an existing session) that the zone receives per second that triggers random dropping of UDP packets. The firewall uses an algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the UDP packets if the incoming rate drops below the Activate threshold.
Maximum (connections/sec): Enter the maximum number of UDP packets (not matching an existing session) the zone receives per second before packets exceeding the maximum are dropped.
Other IP: Select to enable protection against other IP (non-TCP, non-ICMP, non-ICMPv6, and non-UDP) floods.
Alarm Rate (connections/sec): Enter the number of other IP packets (non-TCP, non-ICMP, non-ICMPv6, and non-UDP packets) (not matching an existing session) the zone receives per second that triggers an attack alarm.
Activate (connections/sec): Enter the number of other IP packets (non-TCP, non-ICMP, non-ICMPv6, and non-UDP packets) (not matching an existing session) the zone receives per second that triggers random dropping of other IP packets. The firewall uses an algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the Other IP packets if the incoming rate drops below the Activate threshold.
Maximum (connections/sec): Enter the maximum number of other IP packets (non-TCP, non-ICMP, non-ICMPv6, and non-UDP packets) (not matching an existing session) the zone receives per second before packets exceeding the maximum are dropped.
Reconnaissance Protection
Network > Network Profiles > Zone Protection > Reconnaissance Protection
The following settings define reconnaissance protection:
Interval (sec): Time interval, in seconds, for TCP or UDP port scan detection (range is 2-65,535; default is 2). Time interval, in seconds, for host sweep detection (range is 2-65,535; default is 10).
Threshold (events): Number of scanned port events or host sweep events within the specified time interval that triggers the Action (range is 2-65,535; default is 100).
Source Address Exclusion: IP addresses whitelisted from the reconnaissance protection. The list supports a maximum of 20 IP addresses or Netmask address objects.
  Name: Enter a descriptive name for the address to exclude.
  Address Type: Select IPv4 or IPv6 from the drop-down.
  Address: Select an address or address object from the drop-down or enter one manually.
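The Interval, Threshold and Source Address Exclusion settings above, exercised as an added sliding-window model over constructed flow records (not PAN-OS code; the firewall's internal bookkeeping is not documented on the page, so the per-source window and its reset after a trigger are assumptions):

```python
"""Sliding-window model of Reconnaissance Protection: TCP/UDP port scan and host sweep detection using
the page's Interval and Threshold settings and a Source Address Exclusion list. Added example, not PAN-OS
code; the per-source window and its reset after a trigger are assumptions, not documented behaviour."""

from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

MAX_EXCLUSIONS = 20          # page: the exclusion list supports at most 20 entries
DEFAULT_SCAN_INTERVAL = 2    # page default for TCP or UDP port scan detection (seconds)
DEFAULT_SWEEP_INTERVAL = 10  # page default for host sweep detection (seconds)
DEFAULT_THRESHOLD = 100      # page default number of events within the interval


def build_exclusions(entries):
    """Turn IPv4/IPv6 addresses or CIDR netmasks into network objects, enforcing the 20-entry limit."""
    if len(entries) > MAX_EXCLUSIONS:
        raise ValueError(f"Source Address Exclusion supports at most {MAX_EXCLUSIONS} entries")
    return [ip_network(entry, strict=False) for entry in entries]


def is_excluded(src, exclusions):
    addr = ip_address(src)
    return any(addr in net for net in exclusions)


def detect(events, kind, interval, threshold, exclusions=()):
    """events: iterable of (time_sec, src, dst, dport) sorted by time.
    kind='port': an event is a distinct (dst, dport) pair contacted by one source (port scan).
    kind='host': an event is a distinct dst contacted by one source (host sweep).
    Returns the list of (src, time) at which the Action would trigger, i.e. when `threshold` distinct
    events from one source fall inside a window of `interval` seconds. The window is emptied after a
    trigger so a single scan yields a single trigger (assumption)."""
    windows = defaultdict(deque)   # src -> deque of (time, event_key)
    triggers = []
    for t, src, dst, dport in events:
        if is_excluded(src, exclusions):
            continue               # whitelisted sources are not counted at all
        key = (dst, dport) if kind == "port" else dst
        win = windows[src]
        while win and t - win[0][0] > interval:
            win.popleft()          # expire events older than the interval
        if all(k != key for _, k in win):
            win.append((t, key))   # only distinct events count
        if len(win) >= threshold:
            triggers.append((src, t))
            win.clear()
    return triggers


# Constructed sample flow records (RFC 5737 documentation addresses): (time, src, dst, dport).
SAMPLE_EVENTS = sorted(
    # 203.0.113.5 probes six ports on one host within a second: a port scan.
    [(0.1, "203.0.113.5", "192.0.2.20", p) for p in (21, 22, 23, 25, 80, 443)]
    # 198.51.100.7 contacts six hosts on port 445, one per second: a host sweep, not a port scan.
    + [(1.0 + i, "198.51.100.7", f"192.0.2.{30 + i}", 445) for i in range(6)]
    # 192.0.2.100 is an authorised scanner placed on the exclusion list; its probes must be ignored.
    + [(2.0, "192.0.2.100", "192.0.2.20", p) for p in range(1000, 1010)],
    key=lambda e: e[0],
)

if __name__ == "__main__":
    exclusions = build_exclusions(["192.0.2.100/32"])
    # Thresholds lowered from the page defaults so the constructed sample is small enough to read.
    print("port scans:", detect(SAMPLE_EVENTS, "port", DEFAULT_SCAN_INTERVAL, 5, exclusions))
    print("host sweeps:", detect(SAMPLE_EVENTS, "host", DEFAULT_SWEEP_INTERVAL, 5, exclusions))
```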
Packet Based Attack Protection
Network > Network Profiles > Zone Protection > Packet Based Attack Protection
You can configure Packet Based Attack protection to drop the following types of packets:
  IP Drop
  TCP Drop
  ICMP Drop
  IPv6 Drop
  ICMPv6 Drop
IP Drop
To instruct the firewall what to do with certain IP packets it receives in the zone, specify the following settings.
Fragmented traffic: Discard fragmented IP packets.
IP Option Drop: Select the settings in this group to enable the firewall to drop packets containing these IP Options.
  Strict Source Routing: Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram.
  Loose Source Routing: Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route.
  Timestamp: Discard packets with the Timestamp IP option set.
  Record Route: Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient.
  Security: Discard packets if the security option is defined.
  Stream ID: Discard packets if the Stream ID option is defined.
  Unknown: Discard packets if the class and number are unknown.
  Malformed: Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.
TCP Drop
To instruct the firewall what to do with certain TCP packets it receives in the zone, specify the following settings.
Split Handshake: Prevent a TCP session from being established if the session establishment procedure does not use the well-known three-way handshake. A four-way or five-way split handshake or a simultaneous open session establishment procedure are examples of variations that would not be allowed. The Palo Alto Networks next-generation firewall correctly handles sessions and all Layer 7 processes for split handshake and simultaneous open session establishment without configuring Split Handshake. When this is configured for a zone protection profile and the profile is applied to a zone, TCP sessions for interfaces in that zone must be established using the standard three-way handshake; the variations are not allowed.
TCP SYN with Data: Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake. Enabled by default.
TCP SYN-ACK with Data: Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake. Enabled by default.
Reject Non-SYN TCP: Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:
  global: Use the system-wide setting that is assigned through the CLI.
  yes: Reject non-SYN TCP.
  no: Accept non-SYN TCP.
  Allowing non-SYN TCP traffic may prevent file blocking policies from working as expected in cases where the client and/or server connection is not set after the block occurs.
Asymmetric Path: Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:
  global: Use the system-wide setting that is assigned through the CLI.
  drop: Drop packets that contain an asymmetric path.
  bypass: Bypass scanning on packets that contain an asymmetric path.
Strip TCP Options: Determine whether to strip the TCP Timestamp or TCP Fast Open option from TCP packets.
TCP Fast Open: Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake. When this is cleared (disabled), the TCP Fast Open option is allowed, which preserves the speed of a connection setup by including data delivery. This functions independently of the TCP SYN with Data and TCP SYN-ACK with Data settings. Disabled by default.
Multipath TCP (MPTCP) Options: MPTCP is an extension of TCP that allows a client to maintain a connection by simultaneously using multiple paths to connect to the destination host. By default, MPTCP support is disabled, based on the global MPTCP setting. Review or adjust the MPTCP settings for the security zones associated with this profile:
  no: Enable MPTCP support (do not strip the MPTCP option).
  yes: Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
  global (Default): Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet). You can review or adjust the global MPTCP setting using the following CLI command:
  set deviceconfig setting tcp strip-mptcp-option <yes|no>
ICMP Drop
To instruct the firewall to drop certain ICMP packets it receives in the zone, select the following settings to enable them.
Suppress ICMP TTL Expired Error: Stop sending ICMP TTL expired messages.
Suppress ICMP Frag Needed: Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do not fragment (DF) bit set. This setting will interfere with the PMTUD process performed by hosts behind the firewall.
IPv6 Drop
To instruct the firewall to drop certain IPv6 packets it receives in the zone, select the following settings to enable them.
Needless fragment header: Discard IPv6 packets with the last fragment flag (M=0) and offset of zero.
MTU in ICMP Packet Too Big less than 1280 bytes: Discard IPv6 packets that contain a Packet Too Big ICMPv6 message when the maximum transmission unit (MTU) is less than 1,280 bytes.
Hop-by-Hop extension: Discard IPv6 packets that contain the Hop-by-Hop Options extension header.
Routing extension: Discard IPv6 packets that contain the Routing extension header, which directs packets to one or more intermediate nodes on the way to the destination.
Destination extension: Discard IPv6 packets that contain the Destination Options extension, which contains options intended only for the destination of the packet.
Invalid IPv6 options in extension header: Discard IPv6 packets that contain invalid IPv6 options in an extension header.
Non-zero reserved field: Discard IPv6 packets that have a header with a reserved field not set to zero.
ICMPv6 Drop
To instruct the firewall what to do with certain ICMPv6 packets it receives in the zone, select the following settings to enable them.
ICMPv6 packet too big require explicit security rule match: Require an explicit Security policy match for Packet Too Big ICMPv6 messages, even when the message is associated with an existing session.
ICMPv6 time exceeded require explicit security rule match: Require an explicit Security policy match for Time Exceeded ICMPv6 messages, even when the message is associated with an existing session.
ICMPv6 parameter problem require explicit security rule match: Require an explicit Security policy match for Parameter Problem ICMPv6 messages, even when the message is associated with an existing session.
ICMPv6 redirect require explicit security rule match: Require an explicit Security policy match for Redirect Message ICMPv6 messages, even when the message is associated with an existing session.
Protocol Protection
Network > Network Profiles > Zone Protection > Protocol Protection
The firewall normally allows non-IP protocols between Layer 2 zones and between virtual wire zones. Protocol protection allows you to control which non-IP protocols are allowed (include) or denied (exclude) between or within security zones on a Layer 2 VLAN or virtual wire. Examples of non-IP protocols include AppleTalk, Banyan VINES, Novell, NetBEUI, and Supervisory Control and Data Acquisition (SCADA) systems such as Generic Object Oriented Substation Event (GOOSE).
After you configure protocol protection in a Zone Protection profile, apply the profile to an ingress security zone on a Layer 2 VLAN or virtual wire.
Protocol Name: Enter the protocol name that corresponds to the Ethertype code you are adding to the list. The firewall does not verify that the protocol name matches the Ethertype code, but the Ethertype code does determine the protocol filter.
Enable: Enable the Ethertype code on the list. If you want to disable a protocol for testing purposes but not delete it, disable it instead.
Ethertype (hex): Enter an Ethertype code (protocol) preceded by 0x to indicate hexadecimal (range is 0x0000 to 0xFFFF). A list can have a maximum of 64 Ethertypes.
Some sources of Ethertype codes are:
  IEEE hexadecimal Ethertype: standards.ieee.org/develop/regauth/ethertype/eth.txt
  http://www.cavebear.com/archive/cavebear/Ethernet/type.html
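Because the firewall filters on the Ethertype code and never checks that the Protocol Name agrees with it, a mistyped code silently filters the wrong protocol. The following added pre-commit check (not PAN-OS code) enforces the constraints stated above and adds that name-to-code cross-check for the protocols the section names, using their registered Ethertypes; the entry format (name, ethertype, enable) is assumed:

```python
"""Check a Protocol Protection Ethertype list before it is committed. Added example, not PAN-OS code.
It enforces what the page states (0x prefix, 0x0000-0xFFFF, at most 64 entries) and adds the one check the
page says the firewall does not make: that the protocol name agrees with the Ethertype code."""

import re

MAX_ENTRIES = 64
ETHERTYPE_RE = re.compile(r"^0x[0-9A-Fa-f]{1,4}$")

# Registered Ethertypes (IEEE registry) for the non-IP protocols the page names. NetBEUI is absent on
# purpose: it runs over LLC/802.2 and has no Ethertype of its own, so this filter cannot match it.
KNOWN_ETHERTYPES = {
    "appletalk": 0x809B,
    "banyan vines": 0x0BAD,
    "novell ipx": 0x8137,
    "goose": 0x88B8,
}


def parse_ethertype(text):
    """Accept '0x' followed by one to four hex digits; anything else is rejected."""
    if not ETHERTYPE_RE.match(text):
        raise ValueError(f"Ethertype must be written as 0x0000-0xFFFF, got {text!r}")
    return int(text, 16)


def is_valid_ethertype(text):
    try:
        parse_ethertype(text)
        return True
    except ValueError:
        return False


def check_protocol_list(entries):
    """entries: list of dicts with 'name', 'ethertype' (the string as typed) and optional 'enable'
    (default True). Returns (normalized_entries, warnings); raises ValueError for hard errors
    (malformed code or too many entries). Warnings are the mistakes the firewall will not catch."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"a list can have at most {MAX_ENTRIES} Ethertypes, got {len(entries)}")
    normalized, warnings, seen = [], [], {}
    for entry in entries:
        name, enabled = entry["name"], entry.get("enable", True)
        code = parse_ethertype(entry["ethertype"])
        if code in seen:
            warnings.append(f"0x{code:04X} appears twice ({seen[code]} and {name})")
        seen.setdefault(code, name)
        registered = KNOWN_ETHERTYPES.get(name.lower())
        if registered is not None and registered != code:
            warnings.append(
                f"{name}: entered 0x{code:04X} but the registered Ethertype is 0x{registered:04X}; "
                f"the filter will act on 0x{code:04X}, not on {name}"
            )
        if not enabled:
            warnings.append(f"{name} (0x{code:04X}) is disabled and is not filtered")
        normalized.append({"name": name, "ethertype": code, "enable": enabled})
    return normalized, warnings
```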
Network > Network Profiles > LLDP Profile
A Link Layer Discovery Protocol (LLDP) profile is the way in which you configure the LLDP mode of the firewall, enable syslog and SNMP notifications, and configure the optional Type-Length-Values (TLVs) you want transmitted to LLDP peers. After configuring the LLDP profile, you assign the profile to one or more interfaces.
Learn more about LLDP, including how to configure and monitor LLDP.
LLDP Profile Settings: Description
Name: Specify a name for the LLDP profile.
Mode: Select the mode in which LLDP will function: transmit-receive, transmit-only, or receive-only.
SNMP Syslog Notification: Enables SNMP trap and syslog notifications, which will occur at the global Notification Interval. If enabled, the firewall will send both an SNMP trap and a syslog event as configured in the Device > Log Settings > System > SNMP Trap Profile and Syslog Profile.
Port Description: Enables the ifAlias object of the firewall to be sent in the Port Description TLV.
System Name: Enables the sysName object of the firewall to be sent in the System Name TLV.
System Description: Enables the sysDescr object of the firewall to be sent in the System Description TLV.
System Capabilities: Enables the deployment mode (L3, L2, or virtual wire) of the interface to be sent, via the following mapping, in the System Capabilities TLV.
  If L3, the firewall advertises router (bit 6) capability and the Other bit (bit 1).
  If L2, the firewall advertises MAC Bridge (bit 3) capability and the Other bit (bit 1).
  If virtual wire, the firewall advertises Repeater (bit 2) capability and the Other bit (bit 1).
  The SNMP MIB will combine capabilities configured on interfaces into a single entry.
Name: Specify a name for the Management Address.
Interface: Select an interface whose IP address will be the Management Address. If you select None, you can enter an IP address in the field next to the IPv4 or IPv6 selection.
IP Choice: Select IPv4 or IPv6, and in the adjacent field, select or enter the IP address to be transmitted as the Management Address. At least one management address is required if the Management Address TLV is enabled. If no management IP address is configured, the system uses the MAC address of the transmitting interface as the management address transmitted.
Network > Network Profiles > BFD Profile
Bidirectional Forwarding Detection (BFD) enables extremely fast detection of a link failure, which accelerates failover to a different route.
What are you looking for? See:
What is BFD? BFD Overview
What fields are available to create a BFD profile? Building Blocks of a BFD Profile
View BFD status for a virtual router. View BFD Summary and Details
Looking for more? Learn more about and configure BFD. Configure BFD for: Static Routes, BGP, OSPF, OSPFv3, RIP
BFD Overview
BFD is a protocol that recognizes a failure in the bidirectional path between two forwarding engines, such as interfaces, data links, or the actual forwarding engines. In the PAN-OS implementation, one of the forwarding engines is an interface on the firewall and the other is an adjacent configured BFD peer. The BFD failure detection between two engines is extremely fast, providing faster failover than could be achieved by link monitoring or frequent dynamic routing health checks, such as Hello packets or heartbeats.
After BFD detects a failure, it notifies the routing protocol to switch to an alternate path to the peer. If BFD is configured for a static route, the firewall removes the affected routes from the RIB and FIB tables.
BFD is supported on the following interface types: physical Ethernet, AE, VLAN, tunnel (Site-to-Site VPN and LSVPN), and subinterfaces of Layer 3 interfaces. For each static route or dynamic routing protocol, you can enable or disable BFD, select the default BFD profile, or configure a BFD profile.
Building Blocks of a BFD Profile
Network > Network Profiles > BFD Profile
You can enable BFD for a static route or dynamic routing protocol by applying the default BFD profile or a BFD profile that you create. The default profile uses the default BFD settings and cannot be changed. You can Add a new BFD profile and specify the following information.
BFD Profile Settings: Description
Name: Name of the BFD profile (up to 31 characters). The name is case-sensitive and must be unique on the firewall. Use only letters, numbers, spaces, hyphens, and underscores.
Mode: Mode in which BFD operates:
  Active: BFD initiates sending control packets (default). At least one of the BFD peers must be active; they can both be active.
  Passive: BFD waits for the peer to send control packets and responds as required.
Desired Minimum Tx Interval (ms): Minimum interval (in milliseconds) at which you want the BFD protocol to send BFD control packets. The minimum value on the PA-7000/PA-5000 Series is 50; the minimum on the PA-3000 Series is 100; the minimum on the VM-Series is 200 (maximum value is 2000; default is 1000). If you have multiple protocols that use different BFD profiles on the same interface, configure the BFD profiles with the same Desired Minimum Tx Interval.
Required Minimum Rx Interval (ms): Minimum interval (in milliseconds) at which BFD can receive BFD control packets. The minimum value on the PA-7000/PA-5000 Series is 50; the minimum on the PA-3000 Series is 100; the minimum on the VM-Series is 200 (maximum value is 2000; default is 1000).
Hold Time (ms): Delay (in milliseconds) after a link comes up before the firewall transmits BFD control packets. Hold Time applies to BFD Active mode only. If the firewall receives BFD control packets during the Hold Time, it ignores them (range is 0-120,000; default is 0). The default setting of 0 means no transmit Hold Time is used; the firewall sends and receives BFD control packets immediately after the link is established.
Enable Multihop: Enables BFD over multiple hops. Applies to the BGP implementation only.
Minimum Rx TTL: Minimum Time-to-Live value (number of hops) BFD will accept (receive) when it supports multihop BFD. Applies to the BGP implementation only (range is 1-254; there is no default).
View BFD Summary and Details
Network > Virtual Routers
The following table describes BFD summary information.
View BFD Information
View BFD details: Select details in the row of the interface you are interested in to view BFD Details.
Network > Network Profiles > QoS
Add a QoS profile to define the bandwidth limits and priority for up to eight classes of service. You can set both guaranteed and maximum bandwidth limits for individual classes and for the collective classes. Priorities determine how traffic is treated in the presence of contention.
To fully enable the firewall to provide QoS, also:
  Define the traffic that you want to receive QoS treatment (select Policies > QoS to add or modify a QoS policy).
  Enable QoS on an interface (select Network > QoS).
See Quality of Service for complete QoS workflows, concepts, and use cases.
QoS Profile Settings
Profile Name: Enter a name to identify the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Egress Max: Enter the maximum bandwidth allowed for this profile (Mbps). The Egress Max value for a QoS profile must be less than or equal to the Egress Max value defined for the physical interface enabled with QoS. See Network > QoS. Though this is not a required field, it is recommended to always define the Egress Max value for a QoS profile.
Egress Guaranteed: Enter the bandwidth that is guaranteed for this profile (Mbps). When the egress guaranteed bandwidth is exceeded, the firewall passes traffic on a best-effort basis.
Classes: Add and specify how to treat individual QoS classes. You can select one or more classes to configure:
  Class: If you do not configure a class, you can still include it in a QoS policy. In this case, the traffic is subject to overall QoS limits. Traffic that does not match a QoS policy will be assigned to class 4.
  Priority: Click and select a priority to assign it to a class: real-time, high, medium, or low. When contention occurs, traffic that is assigned a lower priority is dropped. Real-time priority uses its own separate queue.
  Egress Max: Click and enter the bandwidth limit (Mbps) for this class. The Egress Max value for a QoS class must be less than or equal to the Egress Max value defined for the QoS profile. Though this is not a required field, we recommend you always define the Egress Max value for a QoS profile.
  Egress Guaranteed: Click and enter the guaranteed bandwidth (Mbps) for this class. Guaranteed bandwidth assigned to a class is not reserved for that class; bandwidth that is unused continues to remain available to all traffic. However, when the egress guaranteed bandwidth for a traffic class is exceeded, the firewall passes that traffic on a best-effort basis.
Device>Setup
Device>Setup>Management
Device>Setup>Operations
Device>Setup>HSM
Device>Setup>Services
Device>Setup>Interfaces
Device>Setup>Telemetry
Device>Setup>ContentID
Device>Setup>WildFire
Device>Setup>Session
Device > Setup > Management
Panorama > Setup > Management
On a firewall, select Device > Setup > Management to configure management settings.
On Panorama, select Device > Setup > Management to configure firewalls that you manage with Panorama templates. Select Panorama > Setup > Management to configure settings for Panorama.
The following management settings apply to both the firewall and Panorama, except where otherwise noted.
General Settings
Authentication Settings
Panorama Settings: Device > Setup > Management (settings configured on the firewall to connect to Panorama)
Panorama Settings: Panorama > Setup > Management (settings configured on Panorama for its connection to firewalls)
Logging and Reporting Settings
Banners and Messages
Minimum Password Complexity
AutoFocus
Item Description
General Settings
Hostname: Enter a hostname (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
If you don't enter a value, PAN-OS uses the firewall model (for example, PA-5050_2) as the default.
Optionally, you can configure the firewall to use a hostname that a DHCP server provides. See Accept DHCP server provided Hostname (Firewall only).
Domain: Enter the Fully Qualified Domain Name (FQDN) of the firewall (up to 31 characters).
If you don't enter a value, PAN-OS uses the firewall model (for example, PA-5050_2) as the default.
Optionally, you can configure the firewall to use a domain that a DHCP server provides. See Accept DHCP server provided Domain (Firewall only).
Accept DHCP server provided Hostname (Firewall only): (Applies only when the Management Interface IP Type is DHCP Client.) Select this option to have the management interface accept the hostname it receives from the DHCP server. The hostname from the server (if valid) overwrites any value specified in the Hostname field.
Accept DHCP server provided Domain (Firewall only): (Applies only when the Management Interface IP Type is DHCP Client.) Select this option to have the management interface accept the domain (DNS suffix) it receives from the DHCP server. The domain from the server overwrites any value specified in the Domain field.
Login Banner: Enter text (up to 3,200 characters) to display on the web interface login page below the Name and Password fields.
SSL/TLS Service Profile: Assign an existing SSL/TLS Service profile or create a new one to specify a certificate and the SSL/TLS protocol settings allowed on the management interface (see Device > Certificate Management > SSL/TLS Service Profile). The firewall or Panorama uses this certificate to authenticate to administrators who access the web interface through the management (MGT) interface or through any other interface that supports HTTP/HTTPS management traffic (see Network > Network Profiles > Interface Mgmt). If you select none (default), the firewall or Panorama uses a predefined certificate.
The predefined certificate is provided for convenience. For better security, assign an SSL/TLS Service profile. To ensure trust, the certificate must be signed by a certificate authority (CA) certificate that is in the trusted root certificate store of the client systems.
Time Zone: Select the time zone of the firewall.
Locale: Select a language for PDF reports from the drop-down. See Monitor > PDF Reports > Manage PDF Summary.
Even if you have a specific language preference set for the web interface, PDF reports will use the language specified for Locale.
Time: Set the date and time on the firewall:
Enter the current date (in YYYY/MM/DD format) or select the date from the drop-down.
Enter the current time in 24-hour format (HH:MM:SS).
You can also define an NTP server from Device > Setup > Services.
Serial Number (Panorama virtual appliances only): Enter the serial number for Panorama. Find the serial number in the order fulfillment email that you received from Palo Alto Networks.
Geo Location: Enter the latitude (-90.0 to 90.0) and longitude (-180.0 to 180.0) of the firewall.
Automatically acquire commit lock: Select this option to automatically apply a commit lock when you change the candidate configuration. For more information, see Lock Configurations.
Certificate Expiration Check: Instruct the firewall to create warning messages when on-box certificates near their expiration dates.
Multiple Virtual System Capability: Enables the use of multiple virtual systems on firewalls that support this feature (see Device > Virtual Systems).
To enable multiple virtual systems on a firewall, firewall policies must reference no more than 640 distinct user groups. If necessary, reduce the number of referenced user groups. Then, after you enable and add multiple virtual systems, the policies can reference another 640 user groups for each additional virtual system.
URL Filtering Database (Panorama only): Select a URL Filtering vendor for use with Panorama: brightcloud or paloaltonetworks (PAN-DB).
Use Hypervisor Assigned MAC Addresses (VM-Series firewalls only): Select this option to have the VM-Series firewall use the MAC address that the hypervisor assigned, instead of generating a MAC address using the PAN-OS custom schema.
If you enable this option and use an IPv6 address for the interface, the interface ID must not use the EUI-64 format, which derives the IPv6 address from the interface MAC address. In a high availability (HA) active/passive configuration, a commit error occurs if the EUI-64 format is used.
Authentication Settings
Authentication Profile: Select the authentication profile (or sequence) the firewall uses to authenticate administrative accounts that you define on an external server instead of locally on the firewall (see Device > Authentication Profile). When external administrators log in, the firewall requests authentication and authorization information (such as the administrative role) from the external server.
Enabling authentication for external administrators requires additional steps based on the server type that the authentication profile specifies, which must be one of the following:
RADIUS
TACACS+
SAML
Administrators can use SAML to authenticate to the web interface but not to the CLI.
For RADIUS and TACACS+ authentication, you can configure the firewall to authenticate either external or local administrators but not both. Specifying an authentication profile in the Authentication Settings disables RADIUS and TACACS+ authentication for local administrators.
Select None to disable authentication for external administrators.
For administrative accounts that you define locally (on the firewall), the firewall authenticates using the authentication profile assigned to those accounts (see Device > Administrators).
Certificate Profile: Select a certificate profile to verify the client certificates of administrators who are configured for certificate-based access to the firewall web interface. For instructions on configuring certificate profiles, see Device > Certificate Management > Certificate Profile.
Idle Timeout: Enter the maximum time (in minutes) without any activity on the web interface or CLI before an administrator is automatically logged out (range is 0 to 1,440; default is 60). A value of 0 means that inactivity does not trigger an automatic logout.
Both manual and automatic refreshing of web interface pages (such as the Dashboard tab and System Alarms dialog) reset the Idle Timeout counter. To enable the firewall to enforce the timeout when you are on a page that supports automatic refreshing, set the refresh interval to Manual or to a value higher than the Idle Timeout. You can also disable Auto Refresh in the ACC tab.
Failed Attempts: Enter the number of failed login attempts (range is 0 to 10) that the firewall allows for the web interface and CLI before locking out the administrator account. A value of 0 (default) specifies unlimited login attempts. Limiting login attempts can help protect the firewall from brute-force attacks.
If you set the Failed Attempts to a value other than 0 but leave the Lockout Time at 0, the Failed Attempts is ignored and the user is never locked out.
Lockout Time: Enter the number of minutes (range is 0 to 60) for which the firewall locks out an administrator from access to the web interface and CLI after reaching the Failed Attempts limit. A value of 0 (default) means the lockout applies until another administrator manually unlocks the account.
If you set the Lockout Time to a value other than 0 but leave the Failed Attempts at 0, the Lockout Time is ignored and the user is never locked out.
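A small model of how Failed Attempts and Lockout Time combine, added here as an illustration and not PAN-OS code: it follows the two notes above (a lockout only occurs when both values are non-zero) and flags a configuration pair that silently leaves accounts unprotected. The account structure, the minute-based clock, and the assumption that a successful login resets the failure counter are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    """Failed Attempts (0 to 10, 0 = unlimited) and Lockout Time in minutes
    (0 to 60) as documented above."""
    failed_attempts: int = 0
    lockout_time: int = 0

    def enforces_lockout(self) -> bool:
        """Per the two notes above, a lockout only ever happens when BOTH
        values are non-zero; leaving either at 0 makes the other one ignored."""
        return self.failed_attempts > 0 and self.lockout_time > 0

    def audit(self) -> List[str]:
        """Findings a configuration review would report for this pair."""
        findings = []
        if not 0 <= self.failed_attempts <= 10:
            findings.append("Failed Attempts is outside the 0 to 10 range")
        if not 0 <= self.lockout_time <= 60:
            findings.append("Lockout Time is outside the 0 to 60 range")
        if self.failed_attempts and not self.lockout_time:
            findings.append("Failed Attempts is set but Lockout Time is 0, so "
                            "Failed Attempts is ignored")
        if self.lockout_time and not self.failed_attempts:
            findings.append("Lockout Time is set but Failed Attempts is 0, so "
                            "Lockout Time is ignored")
        if not self.enforces_lockout():
            findings.append("administrator accounts are never locked out; "
                            "set both values to limit brute-force attempts")
        return findings


@dataclass
class AdminAccount:
    """Per-account state for the model; 'now' values are minutes on a plain
    numeric clock so the example runs offline (constructed, not PAN-OS)."""
    name: str
    failures: int = 0
    locked_until: Optional[float] = None


def record_login(policy: LockoutPolicy, account: AdminAccount,
                 succeeded: bool, now: float) -> str:
    """Apply one web interface/CLI login result and return 'ok', 'failed' or
    'locked'. Assumption of the model: a successful login resets the
    failure counter, and the counter restarts when a lockout expires."""
    if account.locked_until is not None:
        if now < account.locked_until:
            return "locked"          # still inside the Lockout Time window
        account.locked_until = None  # lockout period elapsed
        account.failures = 0
    if succeeded:
        account.failures = 0
        return "ok"
    account.failures += 1
    if policy.enforces_lockout() and account.failures >= policy.failed_attempts:
        account.locked_until = now + policy.lockout_time
        account.failures = 0
        return "locked"
    return "failed"


def simulate(policy: LockoutPolicy, attempts) -> List[str]:
    """Run a constructed sequence of (minute, succeeded) attempts against one
    account and return the outcome of each attempt."""
    account = AdminAccount(name="admin")
    return [record_login(policy, account, ok, minute) for minute, ok in attempts]
```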
Panorama Settings: Device > Setup > Management
Panorama Servers: Enter the IP address or FQDN of the Panorama server. If Panorama is in a high availability (HA) configuration, in the second Panorama Servers field, enter the IP address or FQDN of the secondary Panorama server.
Receive Timeout for Connection to Panorama: Enter the timeout in seconds for receiving TCP messages from Panorama (range is 1 to 240; default is 240).
Send Timeout for Connection to Panorama: Enter the timeout in seconds for sending TCP messages to Panorama (range is 1 to 240; default is 240).
Retry Count for SSL Send to Panorama: Enter the number of retry attempts allowed when sending Secure Socket Layer (SSL) messages to Panorama (range is 1 to 64; default is 25).
Panorama Settings: Panorama > Setup > Management
Receive Timeout for Connection to Device: Enter the timeout in seconds for receiving TCP messages from all managed firewalls (range is 1 to 240; default is 240).
Send Timeout for Connection to Device: Enter the timeout in seconds for sending TCP messages to all managed firewalls (range is 1 to 240; default is 240).
Retry Count for SSL Send to Device: Enter the number of allowed retry attempts when sending Secure Socket Layer (SSL) messages to managed firewalls (range is 1 to 64; default is 25).
Share Unused Address and Service Objects with Devices: Select this option to share all Panorama shared objects and device group-specific objects with managed firewalls. This setting is enabled by default.
If you clear this option, PAN-OS checks Panorama policies for references to address, address group, service, and service group objects, and does not share any unreferenced objects. This option reduces the total object count by ensuring that PAN-OS sends only necessary objects to managed firewalls.
Objects defined in ancestors will take higher precedence: Select this option (disabled by default) to specify that the object values in ancestor groups take precedence over those in descendant groups when device groups at different levels in the hierarchy have objects of the same type and name but with different values. This means that when you perform a device group commit, the ancestor values replace any override values. Likewise, this option causes the value of a shared object to override the values of objects of the same type and name in device groups.
Selecting this option displays the Find Overridden Objects link.
Find Overridden Objects: Click this link at the bottom of the Panorama Settings dialog to list any shadowed objects. A shadowed object is an object in the Shared location that has the same name but a different value in a device group. The link displays only if you specify that Objects defined in ancestors will take higher precedence.
Enable reporting and filtering on groups: Select this option (disabled by default) to enable Panorama to locally store usernames, user group names, and username-to-group mapping information that it receives from firewalls. This option is global to all device groups in Panorama. However, you must also enable local storage at the level of each device group by specifying a Master Device and selecting the Store users and groups from Master Device option.
Logging and Reporting Settings
Attributes for calculating and exporting user activity reports.
Predefined reports created on the firewall or Panorama.
Log Storage tab (Panorama management server and all firewall models except PA-5200 Series and PA-7000 Series firewalls): For each log type, specify:
Quota: The Quota, as a percentage, allocated on the hard disk for log storage. When you change a Quota value, the associated disk allocation changes automatically. If the total of all the values exceeds 100%, a message appears on the page in red and an error message appears when you try to save the settings. If this happens, adjust the percentages so the total is within the 100% limit.
Max Days: The length, in days, of the log expiration period (range is 1 to 2,000). The firewall or Panorama automatically deletes logs that exceed the specified period. By default, there is no expiration period, which means logs never expire.
The firewall or Panorama evaluates logs as it creates them and deletes logs that exceed the expiration period or quota size.
Weekly summary logs can age beyond the threshold before the next deletion if they reach the expiration threshold between times when the firewall or Panorama deletes logs. When a log quota reaches the maximum size, new log entries start overwriting the oldest log entries. If you reduce a log quota size, the firewall or Panorama removes the oldest logs when you commit the changes. In a high availability (HA) active/passive configuration, the passive peer does not receive logs and, therefore, does not delete them unless failover occurs and it becomes active.
Panorama displays this tab if you edit the Logging and Reporting Settings on the Panorama > Setup > Management page. If you use a Panorama template to configure the settings for firewalls (Device > Setup > Management), see Single Disk Storage and Multi-Disk Storage tabs.
Core Files: If your firewall experiences a system process failure, it will generate a core file that contains details about the process and why it failed. If a core file is too large for the default core file storage location (/var/cores partition), you can enable the large-core file option to allocate an alternate and larger storage location (/opt/panlogs/cores). A Palo Alto Networks support engineer can increase the allocated storage if needed.
To enable or disable the large-core file option, enter the following CLI command from configuration mode and then commit the configuration:
# set deviceconfig settings management large-core [yes|no]
The core file will be deleted when you disable the option.
You must use SCP from operational mode to export the core file:
> scp export core-file large-corefile
The contents of the core files can be interpreted only by a Palo Alto Networks support engineer.
Restore Defaults: Select this option to revert to the default values.
Log Export and Reporting tab: Configure the following log export and reporting settings as needed:
Number of Versions for Config Audit: Enter the number of configuration versions to save before discarding the oldest ones (default is 100). You can use these saved versions to audit and compare changes in configuration.
Number of Versions for Config Backups (Panorama only): Enter the number of configuration backups to save before discarding the oldest ones (default is 100).
Max Rows in CSV Export: Enter the maximum number of rows that will appear in the CSV reports generated when you Export to CSV from the traffic logs view (range is 1 to 1,048,576; default is 65,535).
Max Rows in User Activity Report: Enter the maximum number of rows that is supported for the detailed user activity reports (range is 1 to 1,048,576; default is 5,000).
Average Browse Time (sec): Configure this variable to adjust how the browse time is calculated in seconds for the Monitor > PDF Reports > User Activity Report (range is 0 to 300 seconds; default is 60).
The calculation will ignore sites categorized as web advertisements and content delivery networks. The browse time calculation is based on container pages logged in the URL filtering logs. Container pages are used as the basis for this calculation because many sites load content from external sites that should not be considered. For more information on the container page, see Container Pages.
The average browse time setting is the average time that the admin thinks it should take a user to browse a web page. Any request made after the average browse time has elapsed will be considered a new browsing activity. The calculation will ignore any new web pages that are loaded between the time of the first request (start time) and the average browse time. This behavior was designed to exclude any external sites that are loaded within the web page of interest.
Example: If the average browse time setting is 2 minutes and a user opens a web page and views that page for 5 minutes, the browse time for that page will still be 2 minutes. This is done because there is no way to determine how long a user views a given page.
Page Load Threshold (sec): This option allows you to adjust the assumed time in seconds that it takes for page elements to load on the page (range is 0 to 60; default is 20). Any request that occurs between the first page load and the page load threshold is assumed to be elements of the page. Any requests that occur outside of the page load threshold are assumed to be the user clicking a link within the page. The page load threshold is also used in the calculations for the Monitor > PDF Reports > User Activity Report.
Syslog HOSTNAME Format: Select whether to use the FQDN, hostname, or IP address (v4 or v6) in the syslog message header. This header identifies the firewall or Panorama management server where the message originated.
Report Runtime: Select the time of day (default is 2 A.M.) when the firewall or Panorama starts generating daily scheduled reports.
Report Expiration Period: Set the expiration period (in days) for reports (range is 1 to 2,000). By default, there is no expiration period, which means reports never expire. The firewall or Panorama deletes expired reports nightly at 2 a.m. according to its system time.
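A model of the Average Browse Time and Page Load Threshold rules described above, added as an example and not the firewall's own code: it splits constructed URL log entries for one user into browsing activities, ignoring the ad and CDN categories. The timestamps, URLs and category names are constructed, and crediting each activity exactly the average browse time is an assumption drawn from the 2-minute example in the text.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample URL log for one user: (seconds since the first request,
# URL, URL category). Only container pages are assumed to be present.
SAMPLE_URL_LOG: List[Tuple[int, str, str]] = [
    (0,   "https://intranet.example/home",       "business-and-economy"),
    (3,   "https://static.example/app.js",       "content-delivery-networks"),
    (8,   "https://intranet.example/home/news",  "business-and-economy"),
    (35,  "https://intranet.example/article/42", "business-and-economy"),
    (75,  "https://ads.example/banner",          "web-advertisements"),
    (90,  "https://wiki.example/page",           "business-and-economy"),
    (400, "https://wiki.example/page/edit",      "business-and-economy"),
]

# Categories the page says the calculation ignores (category names are constructed).
IGNORED_CATEGORIES = {"web-advertisements", "content-delivery-networks"}


@dataclass
class Activity:
    """One browsing activity: the page the user opened and what followed it."""
    start: int
    start_url: str
    page_elements: int = 0   # requests inside the Page Load Threshold
    in_page_clicks: int = 0  # later requests, but before Average Browse Time


def classify_browsing(entries, average_browse_time=60, page_load_threshold=20) -> List[Activity]:
    """Split URL log entries into browsing activities following the rules
    above (a model of the description, not the firewall's own code):
      - a request made after average_browse_time has elapsed since the
        activity's first request starts a new activity;
      - requests within page_load_threshold of that first request are page
        elements; later ones before average_browse_time are clicks within
        the page; neither starts a new activity."""
    activities: List[Activity] = []
    current = None
    for timestamp, url, category in sorted(entries):
        if category in IGNORED_CATEGORIES:
            continue
        if current is None or timestamp - current.start >= average_browse_time:
            current = Activity(start=timestamp, start_url=url)
            activities.append(current)
        elif timestamp - current.start < page_load_threshold:
            current.page_elements += 1
        else:
            current.in_page_clicks += 1
    return activities


def total_browse_time(entries, average_browse_time=60, page_load_threshold=20) -> int:
    """Browse time in seconds. Each activity is credited exactly
    average_browse_time, following the 2-minute example above (a page
    viewed for 5 minutes still counts as 2); that crediting is an assumption."""
    activities = classify_browsing(entries, average_browse_time, page_load_threshold)
    return len(activities) * average_browse_time
```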
Pre-Defined Reports (Enabled by default): Predefined reports for application, traffic, threat, and URL Filtering are available on the firewall and on Panorama.
Because the firewalls consume memory resources in generating the results hourly (and forwarding it to Panorama where it is aggregated and compiled for viewing), to reduce memory usage you can disable the reports that are not relevant to you; to disable a report, clear this option for the report. Click Select All or Deselect All to entirely enable or disable the generation of predefined reports.
Before disabling a report, verify that there isn't a Group Report or a PDF Report using it. If you disable a predefined report assigned to a set of reports, the entire set of reports will have no data.
Banners and Messages
Message of the Day (checkbox): Select this option to enable the Message of the Day dialog to display upon login to the web interface.
Message of the Day (text entry field): Enter the text (up to 3,200 characters) for the Message of the Day dialog.
Background Color: Select a background color for the Message of the Day dialog. The default (None) is a light gray background.
Icon: Select a predefined icon to appear above the text in the Message of the Day dialog:
None (default)
Error
Help
Information
Warning
Header Banner: Enter the text that the header banner displays (up to 3,200 characters).
Header Color: Select a color for the header background. The default (None) is a transparent background.
Header Text Color: Select a color for the header text. The default (None) is black.
Same banner for header and footer: Select this option (enabled by default) if you want the footer banner to have the same text and colors as the header banner. When enabled, the fields for the footer banner text and colors are grayed out.
Footer Banner: Enter the text that the footer banner displays (up to 3,200 characters).
Footer Color: Select a color for the footer background. The default (None) is a transparent background.
Footer Text Color: Select a color for the footer text. The default (None) is black.
Minimum Password Complexity
Enabled: Enable minimum password requirements for local accounts. With this feature, you can ensure that local administrator accounts on the firewall will adhere to a defined set of password requirements.
You can also create a password profile with a subset of these options that will override these settings and can be applied to specific accounts. For more information, see Device > Password Profiles and see Username and Password Requirements for information on valid characters that can be used for accounts.
The maximum password length is 31 characters. Avoid setting requirements that PAN-OS does not accept. For example, do not set a requirement of 10 uppercase, 10 lowercase, 10 numbers, and 10 special characters because that would exceed the maximum length of 31 characters.
If you have high availability (HA) configured, always use the primary peer when configuring password complexity options and commit soon after making changes.
Minimum password complexity settings do not apply to local database accounts for which you specified a Password Hash (see Device > Local User Database > Users).
Minimum Length: Require a minimum length from 1 to 15 characters.
Minimum Uppercase Letters: Require a minimum number of uppercase letters from 0 to 15 characters.
Minimum Lowercase Letters: Require a minimum number of lowercase letters from 0 to 15 characters.
Minimum Numeric Letters: Require a minimum number of numeric letters from 0 to 15 numbers.
Minimum Special Characters: Require a minimum number of special characters (non-alphanumeric) from 0 to 15 characters.
Block Repeated Characters: Specify the number of sequential duplicate characters permitted in a password (range is 2 to 15).
If you set the value to 2, the password can contain the same character in sequence twice, but if the same character is used three or more times in sequence, the password is not permitted.
For example, if the value is set to 2, the system will accept the password test11 or 11test11, but not test111, because the number 1 appears three times in sequence.
Block Username Inclusion (including reversed): Select this option to prevent the account username (or reversed version of the name) from being used in the password.
New Password Differs By Characters: When administrators change their passwords, the characters must differ by the specified value.
Require Password Change on First Login: Select this option to prompt the administrators to change their passwords the first time they log in to the firewall.
Prevent Password Reuse Limit: Require that a previous password is not reused based on the specified count. For example, if the value is set to 4, you could not reuse any of your last 4 passwords (range is 0 to 50).
Block Password Change Period (days): Users cannot change their passwords until the specified number of days has been reached (range is 0 to 365 days).
Required Password Change Period (days): Require that administrators change their password on a regular basis specified by the number of days set, ranging from 0 to 365 days. For example, if the value is set to 90, administrators will be prompted to change their password every 90 days.
You can also set an expiration warning from 0 to 30 days and specify a grace period.
Expiration Warning Period (days): If a required password change period is set, this setting can be used to prompt the user to change their password at each login as the forced password change date approaches (range is 0 to 30 days).
Allowed expired admin login (count): Allow the administrator to log in the specified number of times after the account has expired. For example, if the value is set to 3 and their account has expired, they can log in 3 more times before their account is locked out (range is 0 to 3 logins).
Post Expiration Grace Period (days): Allow the administrator to log in the specified number of days after the account has expired (range is 0 to 30 days).
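A validator for the Minimum Password Complexity rules above, added as an example and not the firewall's own implementation: it checks that a policy itself is acceptable (documented ranges, and per-class minimums that fit in the 31-character maximum) and then tests a candidate password against it, including the test11 / 11test11 / test111 case from the text. The default policy values are constructed, case-insensitive username matching and the way "differs by characters" is counted are assumptions, and None is used here to switch an optional check off.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_PASSWORD_LENGTH = 31  # maximum PAN-OS password length stated above


@dataclass(frozen=True)
class PasswordPolicy:
    """The Minimum Password Complexity fields described above. The default
    values are one constructed policy, not a recommendation; None switches
    an optional check off (the example's convention, not a PAN-OS value)."""
    minimum_length: int = 8
    minimum_uppercase: int = 1
    minimum_lowercase: int = 1
    minimum_numeric: int = 1
    minimum_special: int = 1
    block_repeated_characters: Optional[int] = 2
    block_username_inclusion: bool = True
    new_password_differs_by: Optional[int] = None

    def class_minimums(self) -> List[Tuple[str, int]]:
        return [("Uppercase Letters", self.minimum_uppercase),
                ("Lowercase Letters", self.minimum_lowercase),
                ("Numeric Letters", self.minimum_numeric),
                ("Special Characters", self.minimum_special)]

    def policy_errors(self) -> List[str]:
        """Reject a policy outside the documented ranges, or one PAN-OS could
        never satisfy because the per-class minimums exceed 31 characters."""
        errors = []
        if not 1 <= self.minimum_length <= 15:
            errors.append("Minimum Length must be 1 to 15")
        for name, value in self.class_minimums():
            if not 0 <= value <= 15:
                errors.append(f"Minimum {name} must be 0 to 15")
        if (self.block_repeated_characters is not None
                and not 2 <= self.block_repeated_characters <= 15):
            errors.append("Block Repeated Characters must be 2 to 15")
        total = sum(value for _, value in self.class_minimums())
        if total > MAX_PASSWORD_LENGTH:
            errors.append(f"per-class minimums total {total}, more than the "
                          f"{MAX_PASSWORD_LENGTH}-character maximum")
        return errors


def longest_run(text: str) -> int:
    """Length of the longest run of one character repeated in sequence."""
    best = run = 0
    previous = None
    for ch in text:
        run = run + 1 if ch == previous else 1
        previous = ch
        best = max(best, run)
    return best


def differing_characters(old: str, new: str) -> int:
    """Positions that differ plus any length difference (assumption: the
    page does not define how 'differs by characters' is measured)."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def check_password(policy: PasswordPolicy, password: str, username: str,
                   previous_password: Optional[str] = None) -> List[str]:
    """Return the requirements the password violates (empty means accepted).
    Model of the rules on this page, not the firewall's own code."""
    problems = []
    if len(password) > MAX_PASSWORD_LENGTH:
        problems.append(f"longer than {MAX_PASSWORD_LENGTH} characters")
    if len(password) < policy.minimum_length:
        problems.append(f"shorter than Minimum Length {policy.minimum_length}")
    counts = {
        "Uppercase Letters": sum(c.isupper() for c in password),
        "Lowercase Letters": sum(c.islower() for c in password),
        "Numeric Letters": sum(c.isdigit() for c in password),
        "Special Characters": sum(not c.isalnum() for c in password),
    }
    for name, minimum in policy.class_minimums():
        if counts[name] < minimum:
            problems.append(f"fewer than {minimum} {name}")
    limit = policy.block_repeated_characters
    if limit is not None and longest_run(password) > limit:
        problems.append(f"a character appears more than {limit} times in sequence")
    if policy.block_username_inclusion:
        # Case-insensitive match is an assumption; the page does not say.
        lowered, user = password.lower(), username.lower()
        if user and (user in lowered or user[::-1] in lowered):
            problems.append("contains the username or its reverse")
    if previous_password is not None and policy.new_password_differs_by:
        if differing_characters(previous_password, password) < policy.new_password_differs_by:
            problems.append(f"differs from the previous password by fewer than "
                            f"{policy.new_password_differs_by} characters")
    return problems
```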
AutoFocus
Enabled: Enable the firewall to connect to an AutoFocus portal to retrieve threat intelligence data and to enable integrated searches between the firewall and AutoFocus.
When connected to AutoFocus, the firewall displays AutoFocus data associated with Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering log entries (Monitor > Logs). You can click on an artifact in these types of log entries (such as an IP address or a URL) to display a summary of the AutoFocus findings and statistics for that artifact. You can then open an expanded AutoFocus search for the artifact directly from the firewall.
Check that your AutoFocus license is active on the firewall: select Device > Licenses. If the AutoFocus license is not displayed, use one of the License Management options to activate the license.
AutoFocus URL: Enter the AutoFocus URL:
https://autofocus.paloaltonetworks.com:10443
Query Timeout (sec): Set the duration of time for the firewall to attempt to query AutoFocus for threat intelligence data. If the AutoFocus portal does not respond before the end of the specified period, the firewall will close the connection.
Device > Setup > Operations
You can perform the following tasks to manage the running and candidate configurations of the firewall and Panorama. If you're using a Panorama virtual appliance, you can also use the settings on this page to configure Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode.
You must Commit Changes you make in the candidate configuration to activate those changes, at which point they become part of the running configuration. As a best practice, periodically Save Candidate Configurations.
You can use Secure Copy (SCP) commands from the CLI to export configuration files, logs, reports, and other files to an SCP server and import the files to another firewall or Panorama. However, because the log database is too large for an export or import to be practical on the following models, they do not support exporting or importing the entire log database: PA-7000 Series firewalls (all PAN-OS releases), Panorama virtual appliance running Panorama 6.0 or later releases, and Panorama M-Series appliances (all Panorama releases).
Function Description
Configuration Management
Revert to last saved config: Restores the default snapshot (.snapshot.xml) of the candidate configuration (the snapshot that you create or overwrite when you select Config > Save Changes at the top right of the web interface).
Revert to running config: Restores the current running configuration. This operation undoes all the changes that all administrators made to the candidate configuration since the last commit. To revert only the changes of specific administrators, see Revert Changes.
Save named configuration snapshot: Creates a candidate configuration snapshot that does not overwrite the default snapshot (.snapshot.xml). Enter a Name for the snapshot or select an existing named snapshot to overwrite.
Save candidate config: Creates or overwrites the default snapshot of the candidate configuration (.snapshot.xml) with the current candidate configuration. This is the same action as when you select Config > Save Changes at the top right of the web interface. To save only the changes of specific administrators, see Save Candidate Configurations.
Load named configuration snapshot (firewall) or Load named Panorama configuration snapshot: Overwrites the current candidate configuration with one of the following:
Custom named candidate configuration snapshot (instead of the default snapshot).
Custom named running configuration that you imported.
Current running configuration.
The configuration must reside on the firewall or Panorama onto which you are loading it.
Select the Name of the configuration and enter the Decryption Key, which is the master key of the firewall or Panorama (see Device > Master Key and Diagnostics). The master key is required to decrypt all the passwords and private keys within the configuration. If you are loading an imported configuration, you must enter the master key of the firewall or Panorama from which you imported. After the load operation finishes, the master key of the firewall or Panorama onto which you loaded the configuration re-encrypts the passwords and private keys.
Load configuration version (firewall) or Load Panorama configuration version: Overwrites the current candidate configuration with a previous version of the running configuration that is stored on the firewall or Panorama.
Select the Name of the configuration and enter the Decryption Key, which is the master key of the firewall or Panorama (see Device > Master Key and Diagnostics). The master key is required to decrypt all the passwords and private keys within the configuration. After the load operation finishes, the master key re-encrypts the passwords and private keys.
Export named configuration snapshot: Exports the current running configuration, a candidate configuration snapshot, or a previously imported configuration (candidate or running). The firewall exports the configuration as an XML file with the specified name. You can save the snapshot in any network location.
Export configuration version: Exports a Version of the running configuration as an XML file.
Export Panorama and devices config bundle (Panorama only): Generates and exports the latest versions of the running configuration backup of Panorama and of each managed firewall. To automate the process of creating and exporting the configuration bundle daily to an SCP or FTP server, see Panorama > Device Deployment.
Export or push device config bundle (Panorama only): Prompts you to select a firewall and perform one of the following actions on the firewall configuration stored on Panorama:
Push & Commit the configuration to the firewall. This action cleans the firewall (removes any local configuration from it) and pushes the firewall configuration stored on Panorama. After you import a firewall configuration, use this option to clean that firewall so you can manage it using Panorama.
Export the configuration to the firewall without loading it. To load the configuration, you must access the firewall CLI and run the configuration mode command load device-state. This command cleans the firewall in the same way as the Push & Commit option.
These options are available only for firewalls running PAN-OS 6.0.4 and later releases.
Export device state (firewall only): Exports the firewall state information as a bundle. In addition to the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the bundle also includes certificate information, a list of satellites that the portal manages, and satellite authentication information. If you replace a firewall or portal, you can restore the exported information on the replacement by importing the state bundle.
Important: You must manually run the firewall state export or create a scheduled XML API script to export the file to a remote server. This should be done on a regular basis because satellite certificates often change.
To create the firewall state file from the CLI, from configuration mode run save device state. The file will be named device_state_cfg.tgz and is stored in /opt/pancfg/mgmt/devicestate. The operational command to export the firewall state file is scp export device-state (you can also use tftp export device-state).
For information on using the XML API, refer to the PAN-OS and Panorama XML API Usage Guide.
Import named config snapshot: Imports a running or candidate configuration from any network location. Click Browse and select the configuration file to be imported.
Import device state (firewall only): Imports the state information bundle that you exported from a firewall using the Export device state option. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the bundle also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the information on the replacement by importing the state bundle.
Import Device Configuration to Panorama (Panorama only): Imports a firewall configuration into Panorama. Panorama automatically creates a template to contain the network and device configurations. For each virtual system (vsys) on the firewall, Panorama automatically creates a device group to contain the policy and object configurations. The device groups will be one level below the Shared location in the hierarchy, though you can reassign them to a different parent device group after finishing the import (see Panorama > VMware NSX).
The content versions on Panorama (for example, Applications and Threats database) must be the same as or higher than the versions on the firewall from which you will import a configuration.
Configure the following import options:
Device: Select the firewall from which Panorama will import the configurations. The drop-down includes only firewalls that are connected to Panorama and are not assigned to any device group or template. You can select only an entire firewall, not an individual vsys.
Template Name: Enter a name for the template that will contain the imported device and network settings. For a multi-vsys firewall, the field is blank. For other firewalls, the default value is the firewall name. You cannot use the name of an existing template.
Device Group Name Prefix (multi-vsys firewalls only): Optionally, add a character string as a prefix for each device group name.
Device Group Name: For a multi-vsys firewall, each device group has a vsys name by default. For other firewalls, the default value is the firewall name. You can edit the default names but cannot use the name of an existing device group.
Import devices' shared objects into Panorama's shared context: This option is selected by default, which means Panorama imports objects that belong to Shared in the firewall to Shared in Panorama.
Panorama regards all objects as shared on a firewall without multiple virtual systems. If you clear this option, Panorama copies shared firewall objects into device groups instead of Shared. This setting has the following exceptions:
If a shared firewall object has the same name and value as an existing shared Panorama object, the import excludes that firewall object.
If the name or value of the shared firewall object differs from the shared Panorama object, Panorama imports the firewall object into each device group.
If a configuration imported into a template references a shared firewall object, Panorama imports that object into Shared regardless of whether you select this option.
If a shared firewall object references a configuration imported into a template, Panorama imports the object into a device group regardless of whether you select this option.
Rule Import Location: Select whether Panorama will import policies as pre-rules or post-rules. Regardless of your selection, Panorama imports default security rules (intrazone-default and interzone-default) into the post-rulebase.
If Panorama has a rule with the same name as a firewall rule that you import, Panorama displays both rules. However, rule names must be unique: delete one of the rules before performing a commit on Panorama or else the commit will fail.
Device Operations
Shutdown: To perform a graceful shutdown of the firewall or Panorama, click Shutdown Device or Shutdown Panorama and then click Yes on the confirmation prompt. Any configuration changes that have not been saved or committed are lost. All administrators will be logged off and the following processes will occur:
All login sessions will be logged off.
Interfaces will be disabled.
All system processes will be stopped.
Existing sessions will be closed and logged.
System Logs will be created that will show the administrator name who initiated the shutdown. If this log entry cannot be written, a warning will appear and the system will not shut down.
Disk drives will be cleanly unmounted and the firewall or Panorama will be powered off.
You need to unplug the power source and plug it back in before you can power on the firewall or Panorama.
If the web interface is not available, use the following CLI command:
request shutdown system
Restart Data Plane: To restart the data functions of the firewall without rebooting, click Restart Dataplane. This option is not available on Panorama or on PA-200, PA-220, PA-800 Series, or VM-Series firewalls.
If the web interface is not available, use the following CLI command:
request restart dataplane
Miscellaneous
Custom Logos: Use this option to customize any of the following:
Login screen background image
Main UI (User Interface) header image
PDF report title page image. Refer to Monitor > PDF Reports > Manage PDF Summary.
PDF report footer image
Click the corresponding icon to upload an image file, to preview it, or to remove a previously uploaded image.
Supported file types are png, gif, and jpg.
Image files that contain an alpha channel are not supported and, when used in PDF reports, the reports will not be generated properly. You may need to contact the illustrator who created the image to remove alpha channels in the image or make sure the graphics software you are using does not save files with the alpha channel feature.
To return to the default logo, remove your entry and commit.
The maximum image size for any logo image is 128KB.
For the login screen and main user interface options, when you click the preview icon, the image is shown as it will be displayed. If necessary, the image is cropped to fit. For the PDF reports, the images are auto-resized to fit without cropping. In all cases, the preview shows the recommended image dimensions.
For information on generating PDF reports, see Monitor > PDF Reports > Manage PDF Summary.
SNMP Setup: Enable SNMP Monitoring.
Storage Partition Setup (Panorama only): Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode.
Enable CloudWatch Monitoring: Select this option to enable the VM-Series firewall in AWS to connect to AWS CloudWatch (disabled by default). When enabled, the firewall publishes custom PAN-OS metrics on health status and utilization to CloudWatch. You can then monitor the metric of your choice in CloudWatch or create auto scaling policies to trigger alarms and take an action when the monitored metric reaches a specified threshold value.
This option is available only for the VM-Series firewall on AWS deployed using an IAM role with the correct permissions.
When you disable this option, the firewall does not publish metrics to CloudWatch or trigger any CloudWatch alarms or auto scaling group actions you defined.
CloudWatch Namespace: Enter a name to aggregate metrics published by all the firewalls that use this namespace. For example, create a namespace for all firewalls that secure an internet-facing application. Firewalls in the same namespace can belong to an auto scaling group across multiple Availability Zones within an AWS region.
The name must be a string with 1 to 255 characters and cannot begin with AWS/ (reserved for AWS services).
Update Interval (min): The frequency (in minutes) at which the firewall publishes metrics to CloudWatch (range is 1 to 60; default is 5). For details on the metrics, refer to the VM-Series Deployment Guide.
Enable SNMP Monitoring
Device > Setup > Operations

Simple Network Management Protocol (SNMP) is a standard protocol for monitoring the devices on your network. Select Operations to configure the firewall to use the SNMP version that your SNMP manager supports (SNMPv2c or SNMPv3). For a list of the MIBs that you must load into the SNMP manager so it can interpret the statistics it collects from the firewall, see Supported MIBs. To configure the server profile that enables the firewall to communicate with the SNMP trap destinations on your network, see Device > Server Profiles > SNMP Trap. The SNMP MIBs define all SNMP traps that the firewall generates. An SNMP trap identifies an event with a unique Object ID (OID), and the individual fields are defined as a variable binding (varbind) list. Click SNMP Setup and specify the following settings to allow SNMP GET requests from your SNMP manager:

Field / Description

Physical Location: Specify the physical location of the firewall. When a log or trap is generated, this information allows you to identify (in an SNMP manager) the firewall that generated the notification.

Contact: Enter the name or email address of the person responsible for maintaining the firewall. This setting is reported in the standard system information MIB.

Use Specific Trap Definitions: This option is selected by default, which means the firewall uses a unique OID for each SNMP trap based on the event type. If you clear this option, every trap will have the same OID.

Version: Select the SNMP version: V2c (default) or V3. Your selection controls the remaining fields that the dialog displays.

SNMP Community String: Enter the community string, which identifies an SNMP community of SNMP managers and monitored devices and also serves as a password to authenticate the community members to each other when they exchange SNMP get (statistics request) and trap messages. The string can have up to 127 characters, accepts all characters, and is case-sensitive.
Don't use the default community string public. Because SNMPv2c messages carry the community string in cleartext, anyone who can observe the management traffic learns it; consider the security requirements of your network when defining community membership (administrator access), and prefer SNMPv3 with authentication and privacy where the manager supports it.

For SNMP V3

Name/View: You can assign a group of one or more views to the user of an SNMP manager to control which MIB objects (statistics) the user can get from the firewall. Each view is a paired OID and bitwise mask: the OID specifies a MIB subtree and the mask (in hexadecimal format) specifies which objects are accessible within (include matching) or outside (exclude matching) that subtree.
For example, if the OID is 1.3.6.1, the matching Option is set to include and the Mask is 0xf0, then the objects that the user requests must have OIDs that match the first four nodes (f = 1111) of 1.3.6.1. The objects don't need to match the remaining nodes. In this example, 1.3.6.1.2 matches the mask and 1.4.6.1.2 doesn't.
For each group of views, click Add, enter a Name for the group, and then configure the following for each view you Add to the group:
- View: Specify a name for the view. The name can have up to 31 characters that are alphanumeric, periods, underscores, or hyphens.
- OID: Specify the OID of the MIB.
- Option: Select the matching logic (include or exclude) to apply to the MIB.
- Mask: Specify the mask in hexadecimal format.
To provide access to all management information, use the top-level OID 1.3.6.1, set the Mask to 0xf0, and set the matching Option to include.

Users: SNMP user accounts provide authentication, privacy, and access control when firewalls forward traps and SNMP managers get firewall statistics. For each user, click Add and configure the following settings:
- Users: Specify a username to identify the SNMP user account. The username you configure on the firewall must match the username configured on the SNMP manager. The username can have up to 31 characters.
- View: Assign a group of views to the user.
- Auth Password: Specify the authentication password of the user. The firewall uses the password to authenticate to the SNMP manager when forwarding traps and responding to statistics requests. The firewall uses the Secure Hash Algorithm (SHA-1, 160-bit) as the SNMPv3 authentication hash; the password is used to derive the authentication key and is not itself transmitted. The password must be 8 to 256 characters and all characters are allowed.
- Priv Password: Specify the privacy password of the user. The firewall uses the password and the Advanced Encryption Standard (AES-128) to encrypt SNMP traps and responses to statistics requests. The password must be 8 to 256 characters and all characters are allowed.
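The OID/mask/Option rules for SNMPv3 views described above are easy to get wrong when a mask has wildcard bits or when an include and an exclude view overlap. The following is an added example, not code from this guide or from PAN-OS, that models those rules (the standard RFC 3415 VACM family-mask semantics: a 1 bit means the sub-identifier must match, a 0 bit is a wildcard, bits beyond the end of the mask count as 1, and among overlapping matching views the longest view OID decides). The view names, the target OIDs and the use of the 1.3.6.1.4.1.25461 enterprise arc are constructed for the demo.

```python
"""SNMPv3 view matching as configured under Device > Setup > Operations > SNMP Setup.

Added example, not PAN-OS code. It models the OID/mask/include-exclude semantics described in the
text using the RFC 3415 VACM rules: each mask bit governs one sub-identifier of the view OID, a 1 bit
means "must match", a 0 bit is a wildcard, and bits beyond the end of the mask count as 1. When
several views match, the longest view OID wins and its Option (include/exclude) decides. Views and
target OIDs below are constructed for the demo."""
from __future__ import annotations
from dataclasses import dataclass


def parse_oid(oid: str) -> tuple[int, ...]:
    return tuple(int(part) for part in oid.strip(".").split("."))


def mask_bits(mask_hex: str, width: int) -> list[bool]:
    """Expand a hex mask such as "0xf0" into one flag per sub-identifier of a width-long OID."""
    raw = mask_hex.lower()
    raw = raw[2:] if raw.startswith("0x") else raw
    raw = raw + "0" if len(raw) % 2 else raw            # odd nibble count: pad the trailing nibble
    bits = [bit == "1" for byte in bytes.fromhex(raw) for bit in f"{byte:08b}"]
    bits += [True] * max(0, width - len(bits))          # RFC 3415: missing mask bits are 1
    return bits[:width]


@dataclass(frozen=True)
class View:
    name: str
    oid: str
    option: str     # "include" or "exclude": the matching Option in the web interface
    mask: str       # hexadecimal mask as typed in the Mask field


def view_matches(view: View, target: str) -> bool:
    """True if target lies in the view's subtree: it is at least as long as the view OID and
    agrees with it on every sub-identifier whose mask bit is 1."""
    subtree, oid = parse_oid(view.oid), parse_oid(target)
    if len(oid) < len(subtree):
        return False
    return all(not must or oid[i] == subtree[i]
               for i, must in enumerate(mask_bits(view.mask, len(subtree))))


def is_accessible(views: list[View], target: str) -> bool:
    """Apply a group of views to one requested OID: no match means no access; otherwise the
    view with the longest OID (ties broken by the lexicographically greater OID) decides."""
    matches = [v for v in views if view_matches(v, target)]
    if not matches:
        return False
    winner = max(matches, key=lambda v: (len(parse_oid(v.oid)), parse_oid(v.oid)))
    return winner.option == "include"


# The documented "all management information" view, plus an exclude that hides one
# enterprise subtree (a Palo Alto Networks enterprise OID, used here purely as illustration).
FULL_ACCESS = View("all-mib", "1.3.6.1", "include", "0xf0")
HIDE_ENTERPRISE = View("hide-enterprise", "1.3.6.1.4.1.25461", "exclude", "0xfe")
GROUP = [FULL_ACCESS, HIDE_ENTERPRISE]

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.5.0", "1.4.6.1.2", "1.3.6.1.4.1.25461.2.1.2.1"):
        print(oid, "allowed" if is_accessible(GROUP, oid) else "denied")
```

With GROUP, sysName (1.3.6.1.2.1.1.5.0) is allowed, 1.4.6.1.2 is denied because the fourth mandatory node differs, and anything under the enterprise arc is denied because the longer exclude view wins over the shorter include view.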
Device > Setup > HSM

What are you looking for? / See:
- What is the purpose of a Hardware Security Module (HSM) and where can I find detailed configuration procedures? See Secure Keys with a Hardware Security Module. Configure: Hardware Security Module Provider Settings; HSM Authentication.
- How do I view HSM status? See Hardware Security Module Provider Configuration and Status; Hardware Security Module Status.

Hardware Security Module Provider Settings

To configure a Hardware Security Module (HSM) on the firewall, edit the Hardware Security Module Provider settings:

Hardware Security Module Provider Settings / Description

Provider Configured: Select the HSM vendor:
- None: No other configuration required.
- SafeNet Network HSM
- Thales nShield Connect

Module Name: Specify a module name for the HSM. This can be any ASCII string up to 31 characters long. Create multiple module names if you are configuring a high availability HSM configuration.

Server Address: Specify an IPv4 address for each HSM module you are configuring.

High Availability (SafeNet Network only): Select this option if you are configuring the HSM modules in a high availability configuration. The module name and server address of each HSM module must be configured.

Auto Recovery Retry (SafeNet Network only): Specify the number of times that the firewall will try to recover its connection to an HSM before failing over to another HSM in an HSM high availability configuration (range is 0 to 500).

High Availability Group Name (SafeNet Network only): Specify a group name to be used for the HSM high availability group. This name is used internally by the firewall. It can be any ASCII string up to 31 characters long.

Remote Filesystem Address (Thales nShield Connect only): Configure the IPv4 address of the remote filesystem used in the Thales nShield Connect HSM configuration.

HSM Authentication

HSM Module Authentication
- Server Name: Select an HSM server name from the drop-down.
- Administrator Password: Enter the administrator password of the HSM to authenticate the firewall to the HSM.

Hardware Security Module Provider Configuration and Status

The Hardware Security Module Provider section shows the HSM configuration settings and the connectivity status of the HSM.

Hardware Security Module Provider Status
- Provider Configured: The HSM vendor configured on the firewall: None, SafeNet Network HSM, or Thales nShield Connect.
- High Availability (SafeNet Network only): HSM high availability is configured if checked.
- High Availability Group Name (SafeNet Network only): The group name configured on the firewall for HSM high availability.
- Firewall Source Address: The address of the port used for the HSM service. By default this is the management port address. It can be changed to a different port, however, through the Service Route Configuration in Device > Setup > Services.
- Master Key Secured by HSM: If checked, the master key is secured on the HSM.
- Status: Shows green if the firewall is connected and authenticated to the HSM, and shows red if the firewall is not authenticated or if network connectivity to the HSM is down.
You can also view Hardware Security Module Status for more details on the HSM connection.

Hardware Security Module Status

The Hardware Security Module Status section provides the following information about HSMs that have been successfully authenticated. The display differs depending on the HSM provider configured (SafeNet or Thales).

SafeNet Luna SA:
- Serial Number: The serial number of the HSM partition, displayed if the HSM partition was successfully authenticated.
- Partition: The partition name on the HSM that was assigned on the firewall.
- Module State: The current operating state of the HSM connection. This field shows Authenticated if the HSM is displayed in this table.

Thales nShield Connect:
- Name: The server name of the HSM.
- IP address: The IP address of the HSM that was assigned on the firewall.
- Module State: The current operating state of the HSM connection. This setting shows Authenticated if the firewall successfully authenticated to the HSM and shows Not Authenticated if authentication failed.
Device > Setup > Services

On a firewall where multiple virtual systems are enabled, select Services to display the Global and Virtual Systems tabs, where you set the services that the firewall or its virtual systems, respectively, use to operate. (If the firewall is a single virtual system or if multiple virtual systems are disabled, there are not two tabs, but just a Services menu.)

Select Global to set services for the whole firewall. These settings are also used as the default values for virtual systems that do not have a customized setting for a service.

Edit Services to define the destination IP addresses of DNS servers, the Update Server, and the Proxy Server. Use the dedicated NTP tab to configure Network Time Protocol settings. See Table 12 for field descriptions of the available Services options.

In Service Features, click Service Route Configuration to specify how the firewall will communicate with other servers/devices for services such as DNS, email, LDAP, RADIUS, syslog, and many more. There are two ways to configure global service routes:
- The Use Management Interface for all option forces all firewall service communications with external servers through the management interface (MGT). If you select this option, you must configure the MGT interface to allow communications between the firewall and the servers/devices that provide services. To configure the MGT interface, select Device > Setup > Management and edit the settings.
- The Customize option gives you granular control over service communication by configuring a specific source interface and IP address for the service; the server then uses that interface and IP address as the destination of its response. (For example, you could configure a specific source IP/interface for all email communication between the firewall and an email server, and use a different source IP/interface for Palo Alto Networks Services.) Select the one or more services you want to customize with the same settings and click Set Selected Service Routes. The services are listed in Table 13, which indicates whether a service can be configured for the Global firewall or for Virtual Systems, and whether the service supports an IPv4 and/or IPv6 source address.

The Destination tab is another Global service route feature that you can customize. This tab appears in the Service Route Configuration window and is described in Destination Service Route.

Use the Virtual Systems tab to specify service routes for a single virtual system. Select a Location (virtual system) and click Service Route Configuration. Select Inherit Global Service Route Configuration or Customize service routes for the virtual system. If you choose to customize settings, select IPv4 or IPv6. Select the one or more services you want to customize with the same settings and click Set Selected Service Routes. See Table 13 for services that can be customized.

To control and redirect DNS queries between shared and specific virtual systems, you can use a DNS proxy and a DNS Server profile.

Configure the global services settings as described in the following table.

Global Services Settings / Description

Services

Primary DNS Server: Enter the IP address of the primary DNS server. The server is used for DNS queries from the firewall, for example, to find the update server, to resolve DNS entries in logs, or for FQDN-based address objects.

Secondary DNS Server: Enter the IP address of a secondary DNS server to use if the primary server is unavailable (optional).

Update Server: This setting represents the IP address or host name of the server used to download updates from Palo Alto Networks. The current value is updates.paloaltonetworks.com. Do not change the server name unless instructed by technical support.

Verify Update Server Identity: If this option is enabled, the firewall or Panorama verifies that the server from which the software or content package is downloaded has an SSL certificate signed by a trusted authority. This option adds an additional level of security for the communication between the firewall/Panorama and the update server, and protects the software supply chain against a spoofed update server.

Proxy Server
- Server: If the firewall needs to use a proxy server to reach Palo Alto Networks update services, enter the IP address or host name of the proxy server.
- Port: Enter the port for the proxy server.
- User: Enter the username to access the proxy server.
- Password/Confirm Password: Enter and confirm the password for the user to access the proxy server.

NTP

NTP Server Address: Enter the IP address or host name of an NTP server that you want to use to synchronize the firewall's clock. Optionally enter the IP address or host name of a second NTP server to synchronize the firewall's clock with if the primary server becomes unavailable.

Authentication Type: You can enable the firewall to authenticate time updates from an NTP server. For each NTP server, select the type of authentication for the firewall to use:
- None (Default): Select this option to disable NTP authentication.
- Symmetric Key: Select this option for the firewall to use symmetric key exchange (shared secrets) to authenticate the NTP server's time updates. If you select Symmetric Key, continue by entering the following fields:
  - Key ID: Enter the Key ID (1 to 65534).
  - Algorithm: Select the algorithm to use in NTP authentication (MD5 or SHA1).
  - Authentication Key/Confirm Authentication Key: Enter and confirm the authentication key for the selected algorithm.
- Autokey: Select this option for the firewall to use Autokey (public key cryptography) to authenticate the NTP server's time updates.
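What the Symmetric Key option actually makes the firewall check is the message authentication code that NTP appends to each packet. The block below is an added example, not code from this guide or from PAN-OS: it builds a 48-byte NTP client header, appends the RFC 5905 Appendix A MAC (the 4-byte Key ID followed by MD5 or SHA-1 over key || packet), and verifies it against a key table keyed by Key ID, so you can see why the Key ID, Algorithm and Authentication Key must agree on both sides. The key table, key material and the timestamp are constructed for the demo; packets carrying NTP extension fields are not handled.

```python
"""Symmetric-key NTP authentication as selected under Device > Setup > Services > NTP.

Added example, not PAN-OS code. RFC 5905 (Appendix A) defines the MAC appended to an NTP packet as
keyid (4 bytes, big-endian) followed by digest(key || packet), where the digest is MD5 (16 bytes) or
SHA-1 (20 bytes) and "packet" is the 48-byte header. A client configured with Symmetric Key checks
this MAC on every reply; the Key ID and key must match on both sides. The key table, key material
and timestamps below are constructed for the demo."""
from __future__ import annotations
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2_208_988_800          # seconds between 1900-01-01 and the Unix epoch
HEADER_LEN = 48
DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def build_client_header(tx_time: float | None = None) -> bytes:
    """48-byte NTPv4 client request (LI=0, VN=4, Mode=3) with only the transmit timestamp set."""
    tx_time = time.time() if tx_time is None else tx_time
    secs = int(tx_time) + NTP_EPOCH_OFFSET
    frac = int((tx_time - int(tx_time)) * (1 << 32))
    tx_ts = (secs << 32) | frac
    return struct.pack("!BBBbII4sQQQQ", (4 << 3) | 3, 0, 0, 0, 0, 0, b"\0\0\0\0", 0, 0, 0, tx_ts)


def append_mac(packet: bytes, key_id: int, algorithm: str, key: bytes) -> bytes:
    """Authenticate a packet the way an NTP server (or client) does with a symmetric key."""
    if not 1 <= key_id <= 65534:              # the Key ID range the web interface accepts
        raise ValueError("key id must be 1..65534")
    digest = DIGESTS[algorithm](key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(packet: bytes, keys: dict[int, tuple[str, bytes]]) -> tuple[bool, str]:
    """Check the MAC on a received packet against a key table {key_id: (algorithm, key)}.
    Extension fields (RFC 7822) are not handled: the header is assumed to be 48 bytes."""
    if len(packet) < HEADER_LEN + 4 + 16:
        return False, "no MAC present"
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    if key_id not in keys:
        return False, f"unknown key id {key_id}"
    algorithm, key = keys[key_id]
    expected = DIGESTS[algorithm](key + header).digest()
    if len(trailer[4:]) != len(expected):
        return False, f"digest length {len(trailer) - 4} does not match {algorithm}"
    if not hmac.compare_digest(trailer[4:], expected):   # constant-time comparison
        return False, "digest mismatch"
    return True, f"authenticated with key id {key_id} ({algorithm})"


# Constructed key table: an ASCII MD5 key and a hex SHA-1 key, as an ntp.keys file would hold them.
KEYS = {
    10: ("MD5", b"FirewallNtpSharedSecret"),
    20: ("SHA1", bytes.fromhex("8f4d2c1a9e6b0d3f5a7c9e1b3d5f7a9c1e3b5d7f")),
}

if __name__ == "__main__":
    request = build_client_header()
    for key_id, (algorithm, key) in KEYS.items():
        print(verify_mac(append_mac(request, key_id, algorithm, key), KEYS))
    print(verify_mac(request, KEYS))     # an unauthenticated packet is rejected
```

Two practical consequences follow from the construction: an unauthenticated reply is rejected outright rather than trusted, and a server that signs with a Key ID the firewall does not know is rejected as well, so rotate keys by adding the new Key ID on both sides before removing the old one. The digest is a plain keyed hash, not an HMAC, so prefer SHA1 over MD5 where the server supports it.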
Configure the service route settings as described in the following table.

Service / Description
- AutoFocus: AutoFocus server.
- CRL Status: Certificate revocation list (CRL) server.
- Panorama pushed updates: Content and software updates deployed from Panorama.
- DNS: Domain Name System server. For virtual systems, DNS is configured in the DNS Server Profile.
- External Dynamic Lists: Updates for external dynamic lists.
- Email: Email server.
- HSM: Hardware security module server.
- Kerberos: Kerberos authentication server.
- LDAP: Lightweight Directory Access Protocol server.
- MDM: Mobile Device Management server.
- Multi-Factor Authentication: Multi-factor authentication (MFA) server.
- Netflow: NetFlow collector for collecting network traffic statistics.
- NTP: Network Time Protocol server.
- Palo Alto Networks Services: Updates from Palo Alto Networks and the public WildFire server. This is also the service route for forwarding telemetry data to Palo Alto Networks.
- Panorama: Panorama management server.
- Panorama Log Forwarding (PA-5200 Series firewalls only): Log forwarding from the firewall to Log Collectors.
- Proxy: Server that is acting as a proxy for the firewall.
- RADIUS: Remote Authentication Dial-In User Service server.
- SCEP: Simple Certificate Enrollment Protocol server for requesting and distributing client certificates.
- SNMP Trap: Simple Network Management Protocol trap server.
- Syslog: Server for system message logging.
- TACACS+: Terminal Access Controller Access-Control System Plus (TACACS+) server for authentication, authorization, and accounting (AAA) services.
- UID Agent: User-ID Agent server.
- URL Updates: Uniform Resource Locator (URL) updates server.
- VM Monitor: Virtual Machine Monitor server.
- WildFire Private: Private Palo Alto Networks WildFire server.

When customizing a Global service route, on either the IPv4 or IPv6 tab, select from the list of available services, click Set Selected Service Routes, and select the Source Interface and Source Address from the drop-down. A Source Interface that is set to Any allows you to select a Source Address from any of the interfaces available. The Source Address displays the IPv4 or IPv6 address assigned to the selected interface; the selected IP address will be the source for the service traffic. You do not have to define a destination address because the destination is configured when configuring each service. For example, when you define your DNS servers (Device > Setup > Services), that sets the destination for DNS queries.

When configuring service routes for a Virtual System, the Inherit Global Service Route Configuration option means that all services for the virtual system will inherit the global service route settings. Or you can choose Customize, select IPv4 or IPv6, select a service, and click Set Selected Service Routes. The Source Interface has the following three choices:
- Inherit Global Setting: The selected services will inherit the global settings for those services.
- Any: Allows you to select a Source Address from any of the interfaces available (interfaces in the specific virtual system).
- An interface from the drop-down: For the services being configured, the server's responses will be sent to the selected interface because that was the source interface.
For Source Address, select an address from the drop-down. For the services selected, the server's responses will be sent to this source address.

Destination Service Route
Device > Setup > Services > Global

Returning to the Global tab, when you click Service Route Configuration and then Customize, the Destination tab appears. Destination service routes are available under the Global tab only (not the Virtual Systems tab), so that the service route for an individual virtual system cannot override route table entries that are not associated with that virtual system.

A destination service route can be used to add a customized redirection of a service that is not supported on the Customize list of services (Table 13). A destination service route is a way to set up routing that overrides the forwarding information base (FIB) route table. Any settings in the Destination service routes override the route table entries. They can be related or unrelated to any service.

The Destination tab is for the following use cases:
- When a service does not have an application service route.
- Within a single virtual system, when you want to use multiple virtual routers or a combination of virtual router and management port.

Destination Service Route Settings / Description

Destination: Enter the Destination IP address.
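When service traffic leaves the wrong interface (and, for example, a syslog or LDAP server only ever sees the MGT address), the cause is usually the interaction between "Use Management Interface for all", a virtual system's Inherit Global Setting, a global customization, and a Destination service route. The block below is an added example, not code from this guide or from PAN-OS, that models that precedence so the effective source for a (service, destination, virtual system) can be predicted. One ordering choice is an assumption drawn from the use cases listed above: a per-service route, when one exists, is taken before a destination service route is consulted. Interface names, addresses and prefixes are constructed.

```python
"""How firewall-originated service traffic picks its source, as described under Device > Setup >
Services and Destination Service Route.

Added example, not PAN-OS code: it models the precedence the text describes. Order used here:
"Use Management Interface for all" sends everything via MGT; otherwise a vsys-specific
customization applies unless it is set to Inherit Global Setting (or absent), in which case the
global customization applies; a service with no service route of its own falls back to a
Destination service route (global only, longest matching prefix), and finally to MGT. Treating a
per-service route as taking precedence over a destination route is an assumption drawn from the
use cases on this page. Interface names, addresses and prefixes are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

INHERIT = "inherit"     # the "Inherit Global Setting" choice on the Virtual Systems tab


@dataclass(frozen=True)
class Route:
    interface: str      # source interface ("mgt", "ethernet1/3", or "any")
    address: str        # source address; the server's reply is sent back to it


@dataclass
class ServiceRouteConfig:
    use_mgt_for_all: bool = False
    mgt: Route = Route("mgt", "192.0.2.10")                                        # constructed
    global_routes: dict[str, Route] = field(default_factory=dict)                 # service -> Route
    vsys_routes: dict[str, dict[str, Route | str]] = field(default_factory=dict)  # vsys -> service -> Route | INHERIT
    destination_routes: dict[str, Route] = field(default_factory=dict)            # prefix -> Route


def resolve(cfg: ServiceRouteConfig, service: str, destination: str,
            vsys: str | None = None) -> tuple[Route, str]:
    """Return the Route the service traffic will use and the rule that selected it."""
    if cfg.use_mgt_for_all:
        return cfg.mgt, "Use Management Interface for all"
    if vsys is not None:
        entry = cfg.vsys_routes.get(vsys, {}).get(service, INHERIT)
        if entry != INHERIT:
            return entry, f"{vsys} customized route for {service}"
    if service in cfg.global_routes:
        return cfg.global_routes[service], f"global customized route for {service}"
    # No service route: a Destination service route overrides the FIB, longest prefix wins.
    dst = ip_address(destination)
    best = None
    for prefix, route in cfg.destination_routes.items():
        net = ip_network(prefix, strict=False)
        if dst.version == net.version and dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    if best is not None:
        return best[1], f"destination service route {best[0]}"
    return cfg.mgt, "default (MGT interface)"


# Constructed configuration: two global customizations, one vsys override, two destination routes.
EXAMPLE = ServiceRouteConfig(
    global_routes={"dns": Route("ethernet1/3", "10.0.3.1"), "syslog": Route("ethernet1/2", "10.0.2.1")},
    vsys_routes={"vsys2": {"syslog": Route("ethernet1/5", "10.0.5.1"), "dns": INHERIT}},
    destination_routes={"10.99.0.0/16": Route("ethernet1/9", "10.0.9.1"),
                        "10.99.1.0/24": Route("ethernet1/10", "10.0.10.1")},
)

if __name__ == "__main__":
    for args in (("syslog", "10.0.2.50", "vsys2"), ("dns", "203.0.113.53", "vsys2"),
                 ("ldap", "10.99.1.5", None), ("ldap", "10.50.1.5", None)):
        route, why = resolve(EXAMPLE, *args)
        print(args, "->", route.interface, route.address, "via", why)
```

The useful check when debugging is the second return value: if it reads "default (MGT interface)", the service has neither a customization nor a matching destination route, and the MGT interface (and its Permitted IP list and services) is what the remote server actually sees.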
Device > Setup > Interfaces

Use this page to configure connection settings, allowed services, and administrative access for the management (MGT) interface on all firewall models and for the auxiliary interfaces (AUX1 and AUX2) on PA-5200 Series firewalls.

Palo Alto Networks recommends that you always specify the IP address and netmask (for IPv4) or prefix length (for IPv6) and the default gateway for every interface. If you omit any of these settings for the MGT interface (such as the default gateway), you can access the firewall only through the console port for future configuration changes.

To configure the MGT interface on the M-100 or M-500 appliance, or the Panorama virtual appliance, see Panorama > Setup > Interfaces.

You can use a loopback interface as an alternative to the MGT interface for firewall management (Network > Interfaces > Loopback).

Item / Description

Type (MGT interface only): Select one:
- Static: Requires you to enter the IP Address (IPv4), Netmask (IPv4), and Default Gateway manually.
- DHCP Client: Configures the MGT interface as a DHCP client so that the firewall can send DHCP Discover or Request messages to find a DHCP server. The server responds by providing an IP address (IPv4), netmask (IPv4), and default gateway for the MGT interface. DHCP on the MGT interface is turned off by default for the VM-Series firewall (except for the VM-Series firewall in AWS and Azure). If you select DHCP Client, optionally select either or both of the following Client Options:
  - Send Hostname: Causes the MGT interface to send its hostname to the DHCP server as part of DHCP Option 12.
  - Send Client ID: Causes the MGT interface to send its client identifier as part of DHCP Option 61.
If you select DHCP Client, optionally click Show DHCP Client Runtime Info to view the dynamic IP interface status:
- Interface: Indicates the MGT interface.
- IP Address: IP address of the MGT interface.
- Netmask: Subnet mask for the IP address, which indicates which bits are network or subnetwork and which bits are host.
- Gateway: Default gateway for traffic leaving the MGT interface.
- Primary/Secondary NTP: IP addresses of up to two NTP servers serving the MGT interface. If the DHCP server returns NTP server addresses, the firewall considers them only if you did not manually configure NTP server addresses. If you manually configured NTP server addresses, the firewall does not overwrite them with those from the DHCP server.
- Lease Time: Number of days, hours, minutes, and seconds that the DHCP IP address is assigned.
- Expiry Time: Year/Month/Day, Hours/Minutes/Seconds, and time zone, indicating when the DHCP lease will expire.
- DHCP Server: IP address of the DHCP server responding to the MGT interface DHCP client.
- Domain: Name of the domain to which the MGT interface belongs.
- DNS Server: IP addresses of up to two DNS servers serving the MGT interface. If the DHCP server returns DNS server addresses, the firewall considers them only if you did not manually configure DNS server addresses. If you manually configured DNS server addresses, the firewall does not overwrite them with those from the DHCP server.
Optionally, you can Renew the DHCP lease for the IP address assigned to the MGT interface. Otherwise, Close the window.

Aux1/Aux2 (PA-5200 Series firewalls only): Select any of the following options to enable an auxiliary interface. These interfaces provide 10Gbps (SFP+) throughput for:
- Firewall management traffic: You must enable the Services (protocols) that administrators will use when accessing the web interface and CLI to manage the firewall. Enable HTTPS instead of HTTP for the web interface and enable SSH instead of Telnet for the CLI.
- High availability (HA) synchronization between firewall peers: After configuring the interface, you must select it as the HA Control Link (Device > High Availability > General).
- Log forwarding to Panorama: You must configure a service route with the Panorama Log Forwarding service enabled (Device > Setup > Services).

IP Address (IPv4): If your network uses IPv4, assign an IPv4 address to the interface. Alternatively, you can assign the IP address of a loopback interface for firewall management (see Network > Interfaces > Loopback). By default, the IP address you enter is the source address for log forwarding.

Netmask (IPv4): If you assigned an IPv4 address to the interface, you must also enter a network mask (for example, 255.255.255.0).

Default Gateway: If you assigned an IPv4 address to the interface, you must also assign an IPv4 address to the default gateway (the gateway must be on the same subnet as the interface).

IPv6 Address/Prefix Length: If your network uses IPv6, assign an IPv6 address to the interface. To indicate the netmask, enter an IPv6 prefix length (for example, 2001:400:f00::1/64).

Default IPv6 Gateway: If you assigned an IPv6 address to the interface, you must also assign an IPv6 address to the default gateway (the gateway must be on the same subnet as the interface).

Speed: Configure a data rate and duplex option for the interface. The choices include 10Mbps, 100Mbps, and 1Gbps at full or half duplex. Use the default auto-negotiate setting to have the firewall determine the interface speed.
This setting must match the port settings on the neighboring network equipment. To ensure matching settings, select auto-negotiate if the neighboring equipment supports that option.

MTU: Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576 to 1,500; default is 1,500).

Services: Select the services you want to enable on the interface:
- HTTP: Use this service to access the firewall web interface. HTTP uses plaintext, which is not as secure as HTTPS. Therefore, Palo Alto Networks recommends that you enable HTTPS instead of HTTP for management traffic on the interface.
- HTTP OCSP: Use this service to configure the firewall as an Online Certificate Status Protocol (OCSP) responder. For details, see Device > Certificate Management > OCSP Responder.
- HTTPS: Use this service for secure access to the firewall web interface.
- Telnet: Use this service to access the firewall CLI. Telnet uses plaintext, which is not as secure as SSH. Therefore, Palo Alto Networks recommends that you enable SSH instead of Telnet for management traffic on the interface.
- SSH: Use this service for secure access to the firewall CLI.
- Ping: Use this service to test connectivity with external services. For example, you can ping the interface to verify it can receive PAN-OS software and content updates from the Palo Alto Networks Update Server. In a high availability (HA) deployment, HA peers use ping to exchange heartbeat backup information.
- SNMP: Use this service to process firewall statistics queries from an SNMP manager. For details, see Enable SNMP Monitoring.
- User-ID: Use this service to Enable Redistribution of User Mappings Among Firewalls.
- User-ID Syslog Listener-SSL: Use this service to enable the PAN-OS integrated User-ID agent to collect syslog messages over SSL. For details, see Configure Access to Monitored Servers.
- User-ID Syslog Listener-UDP: Use this service to enable the PAN-OS integrated User-ID agent to collect syslog messages over UDP. For details, see Configure Access to Monitored Servers.

Permitted IP Addresses: Enter the IP addresses from which administrators can access the firewall through the interface. An empty list (the default) means that access is available from any IP address.
Do not leave the list blank; specify only the IP addresses of firewall administrators to prevent unauthorized access.
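The warnings in this table (plaintext Telnet and HTTP, an empty Permitted IP Addresses list, a missing default gateway) and the SNMP community warning under Enable SNMP Monitoring are the checks an auditor runs against a configuration export after the fact. The block below is an added example, not code from this guide or from PAN-OS, that parses a running-config XML export and reports those weaknesses with the CLI change that clears each one. Assumptions: the element names used (deviceconfig/system/service/disable-*, permitted-ip/entry, snmp-setting/access-setting/version/v2c/snmp-community-string, default-gateway) follow the layout of a PAN-OS 8.0 export as the author recalls it, and the suggested CLI commands are likewise to be confirmed on your release; verify both against an export from your own firewall before trusting the output. The two configurations in the block are constructed.

```python
"""Audit a PAN-OS configuration export for the management-access weaknesses called out under
Device > Setup > Interfaces and Device > Setup > Operations > SNMP Setup.

Added example, not PAN-OS code. Assumption: the element names below follow the PAN-OS 8.0
running-config XML layout as the author recalls it; confirm them against your own export. The
suggested CLI fixes are likewise to be confirmed on your release. Both configs are constructed."""
from __future__ import annotations
import xml.etree.ElementTree as ET
from ipaddress import ip_network

SYSTEM_PATH = "./devices/entry/deviceconfig/system"


def _service_enabled(system: ET.Element, knob: str, enabled_when_absent: bool) -> bool:
    """Each MGT service is stored as disable-<svc> yes|no; an absent knob means the default."""
    node = system.find(f"service/{knob}")
    if node is None:
        return enabled_when_absent
    return (node.text or "").strip().lower() != "yes"


def _finding(fid: str, severity: str, detail: str, fix: str) -> dict[str, str]:
    return {"id": fid, "severity": severity, "detail": detail, "fix": fix}


def audit_mgt(config_xml: str) -> list[dict[str, str]]:
    findings = []
    root = ET.fromstring(config_xml)
    for system in root.findall(SYSTEM_PATH):
        # Out of the box only HTTPS, SSH and ping are on; Telnet and HTTP are opt-in plaintext.
        if _service_enabled(system, "disable-telnet", enabled_when_absent=False):
            findings.append(_finding("MGT-TELNET", "high", "Telnet enabled on MGT (plaintext CLI)",
                                     "set deviceconfig system service disable-telnet yes"))
        if _service_enabled(system, "disable-http", enabled_when_absent=False):
            findings.append(_finding("MGT-HTTP", "high", "HTTP enabled on MGT (plaintext web UI)",
                                     "set deviceconfig system service disable-http yes"))
        permitted = [e.get("name", "") for e in system.findall("permitted-ip/entry")]
        if not permitted:
            findings.append(_finding("MGT-PERMITTED-IP-EMPTY", "high",
                                     "Permitted IP Addresses list is empty: any source may reach MGT",
                                     "set deviceconfig system permitted-ip <admin-subnet>"))
        for cidr in permitted:
            if ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(_finding("MGT-PERMITTED-IP-ANY", "high",
                                         f"Permitted IP entry {cidr} allows every address",
                                         f"delete deviceconfig system permitted-ip {cidr}"))
        for comm in system.findall("snmp-setting/access-setting/version/v2c/snmp-community-string"):
            if (comm.text or "").strip().lower() == "public":
                findings.append(_finding("SNMP-DEFAULT-COMMUNITY", "medium",
                                         "SNMPv2c community string is the default 'public'",
                                         "set a unique community string or move to SNMPv3 with auth and priv"))
        if system.find("default-gateway") is None:
            findings.append(_finding("MGT-NO-GATEWAY", "low",
                                     "No default gateway on MGT: off-subnet management needs the console",
                                     "set deviceconfig system default-gateway <gateway-ip>"))
    return findings


# Constructed export fragments: one weak, one following the recommendations on this page.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><deviceconfig><system>
<ip-address>192.0.2.10</ip-address><netmask>255.255.255.0</netmask>
<service><disable-telnet>no</disable-telnet><disable-http>no</disable-http></service>
<permitted-ip/>
<snmp-setting><access-setting><version><v2c><snmp-community-string>public</snmp-community-string>
</v2c></version></access-setting></snmp-setting>
</system></deviceconfig></entry></devices></config>"""

HARDENED_CONFIG = """<config><devices><entry name="localhost.localdomain"><deviceconfig><system>
<ip-address>192.0.2.10</ip-address><netmask>255.255.255.0</netmask><default-gateway>192.0.2.1</default-gateway>
<service><disable-telnet>yes</disable-telnet><disable-http>yes</disable-http></service>
<permitted-ip><entry name="10.10.10.0/24"/></permitted-ip>
<snmp-setting><access-setting><version><v3/></version></access-setting></snmp-setting>
</system></deviceconfig></entry></devices></config>"""

if __name__ == "__main__":
    for f in audit_mgt(SAMPLE_CONFIG):
        print(f"[{f['severity']}] {f['id']}: {f['detail']}  ->  {f['fix']}")
    print("hardened findings:", audit_mgt(HARDENED_CONFIG))
```

Run it against a saved export rather than the live device; the XML it expects is what the firewall produces when you export the configuration, and the point of the exercise is to catch a Permitted IP list that was left empty before the interface is exposed.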
Device > Setup > Telemetry

Telemetry is the process of collecting and transmitting data for analysis. When you enable telemetry on the firewall, the firewall collects and forwards data that includes information on applications, threats, device health, and passive DNS to Palo Alto Networks. All Palo Alto Networks users benefit from the data that each telemetry participant shares, making telemetry a community-driven approach to threat prevention. Learn more about telemetry and its benefits.

Telemetry is an opt-in feature and, for most telemetry data, you can preview the information that the firewall collects. Palo Alto Networks does not share your telemetry data with other customers or third-party organizations.

Select Device > Setup > Telemetry to choose the telemetry data to share with Palo Alto Networks. The Threat Prevention Data and Threat Prevention Packet Captures reports give Palo Alto Networks more visibility into your network traffic than the other telemetry reports, so review what they contain before enabling them.

Telemetry Settings / Description

Application Reports (Disabled by default): Share the number and size of known applications grouped by destination port, unknown applications grouped by destination port, and unknown applications grouped by destination IP address. The firewall generates these reports from Traffic logs. When enabled, the firewall forwards Application Reports every 4 hours.

Threat Prevention Reports (Disabled by default): Share the number of threats for each source country and destination port, attacker information, and the correlation objects that threat events triggered while the firewall was collecting data for these reports. When enabled, the firewall forwards Threat Prevention Reports every 4 hours.

URL Reports (Disabled by default): Share reports generated from URL filtering logs with the following PAN-DB URL categories: malware, phishing, dynamic DNS, proxy avoidance, questionable, parked, and unknown (URLs that PAN-DB has not yet categorized). The firewall also sends PAN-DB statistics at the time that the data for the URL Reports was collected. These statistics include the version of the URL filtering database on the firewall and on the PAN-DB cloud, the number of URLs in those databases, and the number of URLs that the firewall categorized. These statistics are based on the time that the firewall forwarded the URL Reports. When enabled, the firewall forwards URL Reports every 4 hours.

File Type Identification Reports (Disabled by default): Share reports about files that the firewall allowed or blocked based on data filtering and file blocking settings. When enabled, the firewall forwards File Type Identification Reports every 4 hours.

Threat Prevention Data (Disabled by default): Share logs from threat events that triggered signatures that Palo Alto Networks is evaluating. The collected information may include source or victim IP addresses. Enabling this option also allows unreleased signatures that Palo Alto Networks is currently testing to run in the background. These signatures do not affect your security policy rules or firewall logs and have no impact on firewall performance. When enabled, the firewall forwards Threat Prevention Data every 5 minutes. Click Download Threat Prevention Data to download a tarball (.tar.gz) with the most recent 100 folders of Threat Prevention Data and Threat Prevention Packet Captures that the firewall forwarded to Palo Alto Networks. If you never enabled these settings, or if you enabled them but no threat events have matched the conditions for these telemetry settings, the firewall does not generate a file and instead returns an error message.

Threat Prevention Packet Captures (Disabled by default): Share packet captures (if you enabled your firewall to take threat packet captures) from threat events that trigger signatures that Palo Alto Networks is evaluating. The collected information may include source or victim IP addresses. When enabled, the firewall forwards Threat Prevention Packet Captures every 5 minutes. To enable Threat Prevention Packet Captures, you must also enable Threat Prevention Data.

Product Usage Statistics (Disabled by default): Share backtraces of firewall processes that have failed, as well as information about the firewall status. Backtraces outline the execution history of the failed processes. Product Usage Statistics also include details about the firewall model and the PAN-OS and content release versions installed on your firewall. To view the information that the firewall sends as Product Usage Statistics, enter the following operational CLI command:
show system info
When enabled, the firewall forwards Product Usage Statistics every 5 minutes.

Passive DNS Monitoring (Disabled by default): Allow the firewall to act as a passive DNS sensor and send DNS information to Palo Alto Networks for analysis. The data you share through passive DNS monitoring consists solely of domain-to-IP-address mappings. The Palo Alto Networks threat research team uses this information to improve PAN-DB URL category and DNS-based C2 signature accuracy and WildFire malware detection. Passive DNS monitoring is a global setting that applies to all firewall traffic. When enabled, the firewall forwards Passive DNS Monitoring data in 1 MB batches.

Select All: Enable all telemetry settings.

Deselect All: Disable all telemetry settings.
Device>Setup>ContentID
UsetheContentIDtabtodefinesettingsforURLfiltering,dataprotection,andcontainerpages.
ContentIDSettings Description
URL Filtering
DynamicURLCache ClickEditandenterthetimeout(inhours).ThisvalueisusedindynamicURL
Timeout filteringtodeterminethelengthoftimeanentryremainsinthecacheafter
itisreturnedfromtheURLfilteringservice.ThisoptionisapplicabletoURL
filteringusingtheBrightClouddatabaseonly.FormoreonURLfiltering,
selectObjects>SecurityProfiles>URLFiltering.
URLContinueTimeout Specifytheintervalinminutesfollowingauser'scontinueactionbeforethe
usermustpresscontinueagainforURLsinthesamecategory(rangeis1to
86,400;defaultis15).
URLAdminOverride Specifytheintervalinminutesaftertheuserenterstheadminoverride
Timeout passwordbeforetheusermustreentertheadminoverridepasswordfor
URLsinthesamecategory(rangeis1to86,400;defaultis900).
URLAdminLockout Specifytheperiodoftimeinminutesthatauserislockedoutfrom
Timeout attemptingtousetheURLAdminOverridepasswordfollowingthree
unsuccessfulattempts(rangeis1to86,400;defaultis1,800).
PANDBServer SpecifytheIPv4address,IPv6address,orFQDNfortheprivatePANDB
(Requiredforconnecting server(s)onyournetwork.Youcanenterupto20entries.
toaprivatePANDB ThefirewallconnectstothepublicPANDBcloud,bydefault.Theprivate
server) PANDBsolutionisforenterprisesthatdisallowthefirewall(s)fromdirectly
accessingthePANDBserversinthepubliccloud.Thefirewallsaccessthe
serversincludedinthisPANDBserverlistfortheURLdatabase,URL
updates,andURLlookupsforcategorizingwebpages.
SettingsforURLAdmin ForeachvirtualsystemthatyouwanttoconfigureforURLadminoverride,
Override clickAddandspecifythesettingsthatapplywhenaURLfilteringprofile
blocksapageandtheOverrideactionisspecified(fordetails,selectObjects
>SecurityProfiles>URLFiltering):
Location(multivsysfirewallsonly)Selectthevirtualsystemfromthe
dropdown.
Password/Confirm PasswordEnterthepasswordthattheusermust
entertooverridetheblockpage.
SSL/TLS Service ProfileTospecifyacertificateandtheallowedTLS
protocolversionsforsecuringcommunicationswhenredirectingthrough
thespecifiedserver,selectanSSL/TLSServiceprofile.Fordetails,see
Device>CertificateManagement>SSL/TLSServiceProfile.
ModeDetermineswhethertheblockpageisdeliveredtransparently(it
appearstooriginateattheblockedwebsite)orredirectstheusertothe
specifiedserver.IfyouchooseRedirect,entertheIPaddressfor
redirection.
Clickdeletetoremoveanentry.
Content-ID Settings          Description

Content-ID Settings

Allow forwarding of decrypted content
  Select this option to allow the firewall to forward decrypted content to an outside service. This allows the firewall to forward decrypted content when port mirroring or sending WildFire files for analysis.
  For a firewall with multiple virtual system (multi-vsys) capability, you enable this option individually for each virtual system. Select Device > Virtual Systems and select the virtual system on which you want to enable forwarding of decrypted content. The option is available on the Virtual System dialog.

Extended Packet Capture Length
  Set the number of packets to capture when the extended capture option is enabled in Anti-Spyware and Vulnerability Protection profiles (range is 1 to 50; default is 5).

Forward segments exceeding TCP App-ID inspection queue
  Select this option to forward segments and classify the application as unknown-tcp when the App-ID queue exceeds the 64-segment limit. Use the following global counter to view the number of segments in excess of this queue, regardless of whether you enabled or disabled this option: appid_exceed_queue_limit.
  Disable this option to prevent the firewall from forwarding TCP segments and skipping App-ID inspection when the App-ID inspection queue is full.
  This option is disabled by default and you should leave it disabled for maximum security.
  When this option is disabled, you may notice increased latency on streams where more than 64 segments were queued awaiting App-ID processing.
Forward segments exceeding TCP content inspection queue
  Select this option to enable forwarding of TCP segments and skip content inspection when the TCP content inspection queue is full. The firewall can queue up to 64 segments while waiting for the content engine. When the firewall forwards a segment and skips content inspection due to a full content inspection queue, it increments the following global counter: ctd_exceed_queue_limit
  Disable this option to prevent the firewall from forwarding TCP segments and skipping content inspection when the content inspection queue is full. With this option disabled, the firewall drops any segments that exceed the queue limit and increments the following global counter: ctd_exceed_queue_limit_drop
  This pair of global counters applies to both TCP and UDP packets. If, after viewing the global counters, you decide to change the setting, you can modify it from within the CLI using the following CLI command:
  set deviceconfig setting ctd tcp-bypass-exceed-queue
  This option is enabled by default. However, Palo Alto Networks recommends that you disable this option for maximum security. Keep in mind that disabling this option could result in performance degradation and some applications may incur loss of functionality, particularly in high-volume traffic situations.

Forward datagrams exceeding UDP content inspection queue
  Select this option to enable forwarding of UDP datagrams and skip content inspection when the UDP content inspection queue is full. The firewall can queue up to 64 datagrams while waiting for a response from the content engine. When the firewall forwards a datagram and skips content inspection due to a UDP content inspection queue overflow, it increments the following global counter: ctd_exceed_queue_limit
  Disable this option to prevent the firewall from forwarding datagrams and skipping content inspection when the UDP content inspection queue is full. With this option disabled, the firewall drops any datagrams that exceed the queue limit and increments the following global counter: ctd_exceed_queue_limit_drop
  This pair of global counters applies to both TCP and UDP packets. If, after viewing the global counters, you decide to change the setting, you can modify it from within the CLI using the following command:
  set deviceconfig setting ctd udp-bypass-exceed-queue
  This option is enabled by default. However, Palo Alto Networks recommends that you disable this option for maximum security. Keep in mind that disabling this option could result in performance degradation and some applications may incur loss of functionality, particularly in high-volume traffic situations.
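The following model, added here as an illustration and not Palo Alto Networks code, shows why the bypass options above matter: an attacker who can fill the 64-entry per-flow queue before the content engine drains it gets the 65th segment through uninspected when bypass is enabled, and dropped (to be retransmitted and inspected later) when it is disabled. The queue size is the documented 64; the signature string, the filler segments, and the counter bookkeeping are constructed for the example, with the counter names taken from the guide.

```python
from collections import deque

QUEUE_LIMIT = 64                  # per-flow limit stated in the guide
SIGNATURE = b"X5O!P%@AP"          # constructed stand-in for a content signature


class ContentInspectionQueue:
    """Segments wait here for the content engine; the 65th arrival is the
    interesting case and is decided by the bypass setting."""

    def __init__(self, bypass_exceed_queue):
        # True  == 'Forward segments exceeding TCP content inspection queue' enabled
        # False == option disabled (the recommended setting)
        self.bypass_exceed_queue = bypass_exceed_queue
        self.pending = deque()
        self.counters = {"ctd_exceed_queue_limit": 0,
                         "ctd_exceed_queue_limit_drop": 0}
        self.delivered = []           # segments that reached the client

    def enqueue(self, segment):
        if len(self.pending) < QUEUE_LIMIT:
            self.pending.append(segment)
            return "queued"
        if self.bypass_exceed_queue:
            self.counters["ctd_exceed_queue_limit"] += 1
            self.delivered.append(segment)   # forwarded without inspection
            return "bypassed"
        self.counters["ctd_exceed_queue_limit_drop"] += 1
        return "dropped"                     # client TCP stack will retransmit

    def engine_drain(self):
        """Content engine catches up and inspects everything still queued."""
        blocked = 0
        while self.pending:
            segment = self.pending.popleft()
            if SIGNATURE in segment:
                blocked += 1                 # a real firewall would reset the session
            else:
                self.delivered.append(segment)
        return blocked


def flood_then_payload(bypass_exceed_queue):
    """Attacker fills the queue with filler, then sends the malicious segment
    before the engine has drained anything. Returns (verdict, leaked, counters)."""
    q = ContentInspectionQueue(bypass_exceed_queue)
    for i in range(QUEUE_LIMIT):
        q.enqueue(b"filler-%02d" % i)
    verdict = q.enqueue(b"payload:" + SIGNATURE)
    q.engine_drain()
    leaked = any(SIGNATURE in s for s in q.delivered)
    return verdict, leaked, q.counters


if __name__ == "__main__":
    for setting in (True, False):
        label = "bypass enabled" if setting else "bypass disabled"
        print(label, flood_then_payload(setting))
```

With bypass enabled the malicious segment is delivered and ctd_exceed_queue_limit increments; with it disabled the segment is dropped and ctd_exceed_queue_limit_drop increments. Watching those two counters with show counter global before and after a change tells you whether a flow on your network is actually hitting the limit.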
Allow HTTP Header Range Option
  Select this option to enable the HTTP Range option. The HTTP Range option allows a client to fetch only part of a file. When a next-generation firewall in the path of a transfer identifies and drops a malicious file, it terminates the TCP session with an RST packet. If the web browser implements the HTTP Range option, it can start a new session to fetch only the remaining part of the file. Because the firewall has no context from the initial session, the same signature is not triggered again, and the web browser is able to reassemble the file and deliver the malicious content. To prevent this, make sure this option is disabled.
  By default, the Allow HTTP header range option is enabled. However, Palo Alto Networks recommends you disable this option for maximum security. Disabling this option should not impact device performance; however, HTTP file transfer interruption recovery may be impaired. In addition, disabling this option can also impact services that rely on range requests, such as Netflix streaming, Microsoft updates, and Palo Alto Networks content updates.
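The evasion described above, reduced to a runnable model. This is an added example, not code from the guide or from PAN-OS: the file contents, the signature string, the 8-byte segment size, and a firewall that resets the session the moment the signature completes are all constructed. The client receives every segment forwarded before the reset; with Range allowed it resumes from that byte and the second stream never contains the whole signature, so the file is reassembled intact.

```python
SIGNATURE = b"X5O!P%@AP"            # constructed stand-in for a file signature
CHUNK = 8                            # bytes per TCP segment in this model
MALICIOUS_FILE = b"A" * 20 + SIGNATURE + b"B" * 20


def origin_server(file_bytes, range_start=0):
    """Return the response body as segments, honouring 'Range: bytes=<start>-'."""
    body = file_bytes[range_start:]
    return [body[i:i + CHUNK] for i in range(0, len(body), CHUNK)]


def firewall_inspect(segments):
    """Forward segments in order; when the signature completes in the stream,
    drop that segment and reset the session. Returns (bytes_forwarded, reset_sent)."""
    stream, forwarded = b"", b""
    for seg in segments:
        stream += seg
        if SIGNATURE in stream:
            return forwarded, True
        forwarded += seg
    return forwarded, False


def client_download(file_bytes, allow_range_header, max_attempts=5):
    """A browser that retries after a reset. With Range allowed it resumes at the
    byte it reached; with the Range header disallowed it has to start from offset 0
    and meets the same signature every time. Returns (got_complete_file, attempts)."""
    received = b""
    for attempt in range(1, max_attempts + 1):
        if allow_range_header:
            start = len(received)            # Range: bytes=<received>-
        else:
            start, received = 0, b""          # full GET again
        forwarded, reset = firewall_inspect(origin_server(file_bytes, start))
        received += forwarded
        if not reset:
            return received == file_bytes, attempt
    return received == file_bytes, max_attempts


if __name__ == "__main__":
    print("Range allowed:   ", client_download(MALICIOUS_FILE, True))
    print("Range disallowed:", client_download(MALICIOUS_FILE, False))
    print("benign file:     ", client_download(b"C" * 30, False))
```

The first session delivers the 24 bytes before the segment that completes the signature; the resumed session starts at offset 24 and carries only the tail of the signature, which the firewall cannot match on its own. This is the same gap any stream-based inspector has when state does not survive the session it reset, which is why the guide recommends leaving the option disabled unless you depend on resumable transfers.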
X-Forwarded-For Headers

Use X-Forwarded-For Header in User-ID
  Select this option to specify that User-ID reads IP addresses from the X-Forwarded-For (XFF) header in client requests for web services when the firewall is deployed between the Internet and a proxy server that would otherwise hide client IP addresses. User-ID matches the IP addresses it reads with usernames that your policies reference so that those policies can control and log access for the associated users and groups. If the header has multiple IP addresses, User-ID uses the first entry from the left.
  In some cases, the header value is a character string instead of an IP address. If the string matches a username that User-ID has mapped to an IP address, the firewall uses that username for group mapping references in policies. If no IP address mapping exists for the string, the firewall invokes the policy rules in which the source user is set to any or unknown.
  URL Filtering logs display the matched usernames in the Source User field. If User-ID cannot perform the matching or is not enabled for the zone associated with the IP address, the Source User field displays the XFF IP address with the prefix x-fwd-for.

Strip X-Forwarded-For Header
  Select this option to remove the X-Forwarded-For (XFF) header, which contains the IP address of a client requesting a web service when the firewall is deployed between the Internet and a proxy server. The firewall zeroes out the header value before forwarding the request: the forwarded packets don't contain internal source IP information.
  Selecting this option doesn't disable the use of XFF headers for user attribution in policies; the firewall zeroes out the XFF value only after using it for user attribution.
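The attribution rules described in the two entries above, written out as an added example (not PAN-OS code): the leftmost XFF entry is used, an IP is matched against User-ID mappings only in zones where User-ID is enabled, a non-IP string is honoured only if it is an already-mapped username, and stripping happens after attribution. The mapping table, zone list and the request headers are constructed; the guide says the stripped value is "zeroed out" without giving the on-wire form, so the 0.0.0.0 replacement is an assumption of this model.

```python
import ipaddress

# Constructed User-ID IP-to-user mappings and the zones with User-ID enabled.
USER_ID_MAPPINGS = {"10.1.1.25": "corp\\alice", "10.1.1.30": "corp\\bob"}
USER_ID_ZONES = {"trust"}


def xff_source_user(headers, ingress_zone):
    """Return the Source User the firewall would attribute from X-Forwarded-For,
    or None when the header is absent or carries an unmappable string."""
    xff = headers.get("X-Forwarded-For")
    if xff is None:
        return None
    first = xff.split(",")[0].strip()           # first entry from the left
    try:
        ip = str(ipaddress.ip_address(first))
    except ValueError:
        # Header value is a character string, not an IP address.
        if first in USER_ID_MAPPINGS.values():
            return first                         # known username: used for group mapping
        return None                              # rules with source user any/unknown apply
    if ingress_zone in USER_ID_ZONES and ip in USER_ID_MAPPINGS:
        return USER_ID_MAPPINGS[ip]
    return "x-fwd-for:" + ip                     # what the URL Filtering log shows


def strip_xff(headers):
    """'Strip X-Forwarded-For Header': zero out the value before forwarding.
    Assumption: the exact replacement is not specified by the guide; 0.0.0.0 is used here."""
    out = dict(headers)
    if "X-Forwarded-For" in out:
        out["X-Forwarded-For"] = "0.0.0.0"
    return out


def process_request(headers, ingress_zone):
    """Order matters: attribution first, then the header is zeroed."""
    user = xff_source_user(headers, ingress_zone)
    return user, strip_xff(headers)


if __name__ == "__main__":
    req = {"Host": "intranet.example", "X-Forwarded-For": "10.1.1.25, 192.0.2.7"}
    print(process_request(req, "trust"))
```

One caveat a reviewer should raise before enabling the first option: the XFF header is written by whatever sits in front of the firewall, and a client can send its own. "First entry from the left" is the client-controlled value whenever the upstream proxy appends rather than replaces, so only enable it when the proxy you trust is the one that sets the header, and use the strip option so the internal address does not leak onward.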
Content-ID Features

Manage Data Protection
  Add additional protection for access to logs that may contain sensitive information, such as credit card numbers or social security numbers. Click Manage Data Protection and configure the following:
  - To set a new password if one has not already been set, click Set Password. Enter and confirm the password.
  - To change the password, click Change Password. Enter the old password, and enter and confirm the new password.
  - To delete the password and the data that has been protected, click Delete Password.

Container Pages
  Use these settings to specify the types of URLs that the firewall will track or log based on content type, such as application/pdf, application/soap+xml, application/xhtml+xml, text/html, text/plain, and text/xml. Container pages are set per virtual system, which you select from the Location drop-down. If a virtual system does not have an explicit container page defined, the default content types are used.
  Click Add and enter or select a content type.
  Adding new content types for a virtual system overrides the default list of content types. If there are no content types associated with a virtual system, the default list of content types is used.
Device > Setup > WildFire

To forward decrypted content to WildFire, you need to select Allow Forwarding of Decrypted Content in Device > Setup > Content-ID > Content-ID Settings.

WildFire Settings          Description

General Settings

WildFire Private Cloud
  Specify the IP address or FQDN of the WildFire appliance.
  The firewall sends files for analysis to the specified WildFire appliance.
  Panorama collects threat IDs from the WildFire appliance to enable the addition of threat exceptions in Anti-Spyware profiles (for DNS signatures only) and Antivirus profiles that you configure in device groups. Panorama also collects information from the WildFire appliance to populate fields that are missing in the WildFire Submissions logs received from firewalls running software versions earlier than PAN-OS 7.0.

File Size Limits
  Specify the maximum file size that will be forwarded to the WildFire server. Available ranges are:
  - flash (Adobe Flash): Range is 1 to 10 MB; default is 5 MB.
  - apk (Android Application): Range is 1 to 50 MB; default is 10 MB.
  - pdf (Portable Document Format): Range is 100 KB to 1,000 KB; default is 200 KB.
  - jar (Packaged Java class file): Range is 1 to 10 MB; default is 1 MB.
  - pe (Portable Executable): Range is 1 to 10 MB; default is 2 MB.
  - ms-office (Microsoft Office): Range is 200 KB to 10,000 KB; default is 500 KB.
  The preceding values might differ based on the current version of PAN-OS or the content release. To see valid ranges, click in the Size Limit field; a pop-up displays the available range and default value.

Report Benign Files
  When this option is enabled (disabled by default), files analyzed by WildFire that are determined to be benign will appear in the Monitor > WildFire Submissions log.
  Even if this option is enabled on the firewall, email links that WildFire deems benign will not be logged because of the potential quantity of links processed.
Report Grayware Files
  When this option is enabled (disabled by default), files analyzed by WildFire that are determined to be grayware will appear in the Monitor > WildFire Submissions log.
  Even if this option is enabled on the firewall, email links that WildFire determines to be grayware will not be logged because of the potential quantity of links processed.

Settings
  Specify the information to be forwarded to the WildFire server. By default, all are selected:
  - Source IP: Source IP address that sent the suspected file.
  - Source Port: Source port that sent the suspected file.
  - Destination IP: Destination IP address for the suspected file.
  - Destination Port: Destination port for the suspected file.
  - Vsys: Firewall virtual system that identified the possible malware.
  - Application: User application that was used to transmit the file.
  - User: Targeted user.
  - URL: URL associated with the suspected file.
  - Filename: Name of the file that was sent.
  - Email sender: Provides the sender name in WildFire logs and WildFire detailed reports when a malicious email link is detected in SMTP and POP3 traffic.
  - Email recipient: Provides the recipient name in WildFire logs and WildFire detailed reports when a malicious email link is detected in SMTP and POP3 traffic.
  - Email subject: Provides the email subject in WildFire logs and WildFire detailed reports when a malicious email link is detected in SMTP and POP3 traffic.
Device > Setup > Session

Session Settings

Session Settings          Description

ICMPv6 Token Bucket Size
  Enter the bucket size for rate limiting of ICMPv6 error messages. The token bucket size is a parameter of the token bucket algorithm that controls how bursty the ICMPv6 error packets can be (range is 10 to 65,535 packets; default is 100).

ICMPv6 Error Packet Rate
  Enter the average number of ICMPv6 error packets per second allowed globally through the firewall (range is 10 to 65,535 packets/second; default is 100 packets/second). This value applies to all interfaces. If the firewall reaches the ICMPv6 error packet rate, the ICMPv6 token bucket is used to enable throttling of ICMPv6 error messages.
Enable Jumbo Frame / Global MTU
  Select to enable jumbo frame support on Ethernet interfaces. Jumbo frames have a maximum transmission unit (MTU) of 9192 bytes and are available on certain models.
  If you do not check Enable Jumbo Frame, the Global MTU defaults to 1500 bytes (range is 576 to 1,500).
  If you check Enable Jumbo Frame, the Global MTU defaults to 9,192 bytes (range is 9,192 to 9,216 bytes).
  If you enable jumbo frames and you have interfaces where the MTU is not specifically configured, those interfaces will automatically inherit the jumbo frame size. Therefore, before you enable jumbo frames, if you have any interface that you do not want to have jumbo frames, you must set the MTU for that interface to 1500 bytes or another value. To configure the MTU for the interface (Network > Interfaces > Ethernet), see Layer 3 Interface.

NAT64 IPv6 Minimum Network MTU
  Enter the global MTU for IPv6 translated traffic. The default of 1280 bytes is based on the standard minimum MTU for IPv6 traffic.

NAT Oversubscription Rate
  Select the DIPP NAT oversubscription rate, which is the number of times that the same translated IP address and port pair can be used concurrently. Reducing the oversubscription rate will decrease the number of source device translations, but will provide higher NAT rule capacities.
  - Platform Default: Explicit configuration of the oversubscription rate is turned off; the default oversubscription rate for the model applies. See default rates of firewall models at https://www.paloaltonetworks.com/products/product-selection.html.
  - 1x: 1 time. This means no oversubscription; each translated IP address and port pair can be used only once at a time.
  - 2x: 2 times
  - 4x: 4 times
  - 8x: 8 times

ICMP Unreachable Packet Rate (per sec)
  Define the maximum number of ICMP Unreachable responses that the firewall can send per second. This limit is shared by IPv4 and IPv6 packets. Default value is 200 messages per second (range is 1 to 65,535).

Accelerated Aging
  Enables accelerated aging-out of idle sessions.
  Select this option to enable accelerated aging and specify the threshold (%) and scaling factor.
  When the session table reaches the Accelerated Aging Threshold (% full), PAN-OS applies the Accelerated Aging Scaling Factor to the aging calculations for all sessions. To calculate a session's accelerated aging, PAN-OS divides the configured idle time (for that type of session) by the scaling factor to determine a shorter timeout. The default scaling factor is 2, meaning that sessions age out twice as fast: the configured idle time divided by 2 results in a timeout of one-half the time.
  For example, if the scaling factor is 10, a session that would normally time out after 3600 seconds would time out 10 times faster (in 1/10 of the time), which is 360 seconds.
Packet Buffer Protection
  Enable packet buffer protection. This option protects the receive buffers on the firewall from attacks or abusive traffic that causes system resources to back up and cause legitimate traffic to be dropped. Packet buffer protection is achieved by identifying offending sessions, using Random Early Drop (RED) as a first line of defense, and discarding the session if abuse continues. If the firewall detects many small sessions or rapid session creation (or both) from a particular IP address, it blocks that IP address.
  - Alert (%): When packet buffer utilization exceeds this threshold for more than 10 seconds, the firewall creates a log event every minute. The firewall generates log events when packet buffer protection is enabled globally. The default threshold is 50% and the range is 0% to 99%. If the value is 0%, the firewall does not create a log event.
  - Activate (%): When this threshold is reached, the firewall begins to mitigate the most abusive sessions on the zone with Packet Buffer Protection enabled. The default threshold is 50% and the range is 0% to 99%. If the value is 0%, the firewall does not apply RED.
  - Block Hold Time (sec): The amount of time, in seconds, the session is allowed to continue before it is discarded. This timer monitors RED-mitigated sessions to see if they are still pushing buffer utilization above the configured threshold. If the abusive behavior continues past the block hold time, the session is discarded. By default, the block hold time is 60 seconds. The range is 0 to 65,535 seconds. If the value is 0, the firewall does not discard sessions based on packet buffer protection.
  - Block Duration (sec): The amount of time, in seconds, that a discarded session remains discarded or a blocked IP address remains blocked. The default is 3,600 seconds with a range of 0 seconds to 15,999,999 seconds. If this value is 0, the firewall does not discard sessions or block IP addresses based on packet buffer protection.

Multicast Route Setup Buffering
  Select this option (disabled by default) to enable multicast route setup buffering, which allows the firewall to preserve the first packet in a multicast session when the multicast route or forwarding information base (FIB) entry does not yet exist for the corresponding multicast group. By default, the firewall does not buffer the first multicast packet in a new session; instead, it uses the first packet to set up the multicast route. This is expected behavior for multicast traffic. You only need to enable multicast route setup buffering if your content servers are directly connected to the firewall and your custom application cannot withstand the first packet in the session being dropped.

Multicast Route Setup Buffer Size
  If you enable Multicast Route Setup Buffering, you can tune the buffer size, which specifies the buffer size per flow (range is 1 to 2,000; default is 1,000). The firewall can buffer a maximum of 5,000 packets.
Session Timeouts

A session timeout defines the duration for which PAN-OS maintains a session on the firewall after inactivity in the session. By default, when the session timeout for the protocol expires, PAN-OS closes the session.

On the firewall, you can define a number of timeouts for TCP, UDP, and ICMP sessions in particular. The Default timeout applies to any other type of session. All of these timeouts are global, meaning they apply to all of the sessions of that type on the firewall.

In addition to the global settings, you have the flexibility to define timeouts for an individual application in the Objects > Applications tab. The timeouts available for that application appear in the Options window. The firewall applies application timeouts to an application that is in Established state. When configured, timeouts for an application override the global TCP or UDP session timeouts.

Use the options in this section to configure global session timeout settings specifically for TCP, UDP and ICMP, and for all other types of sessions.

The defaults are optimal values. However, you can modify these according to your network needs. Setting a value too low could cause sensitivity to minor network delays and could result in a failure to establish connections through the firewall. Setting a value too high could delay failure detection.

Session Timeouts Settings          Description

Default
  Maximum length of time, in seconds, that a non-TCP/UDP or non-ICMP session can be open without a response (range is 1 to 15,999,999; default is 30).

Discard Timeouts
  PAN-OS applies the discard timeout when denying a session based on security policies configured on the firewall.
  - Discard Default: Applies only to non-TCP/UDP traffic (range is 1 to 15,999,999; default is 60).
  - Discard TCP: Applies to TCP traffic (range is 1 to 15,999,999; default is 90).
  - Discard UDP: Applies to UDP traffic (range is 1 to 15,999,999; default is 60).

ICMP
  Maximum length of time that an ICMP session can be open without an ICMP response (range is 1 to 15,999,999; default is 6).

Scan
  Maximum length of time, in seconds, that any session remains open after it is considered inactive. PAN-OS regards an application as inactive when it exceeds the trickling threshold defined for the application (range is 5 to 30; default is 10).

TCP
  Maximum length of time that a TCP session remains open without a response, after a TCP session is in the Established state (after the handshake is complete and/or data transmission has started) (range is 1 to 15,999,999; default is 3,600).

TCP handshake
  Maximum length of time, in seconds, between receiving the SYN-ACK and the subsequent ACK to fully establish the session (range is 1 to 60; default is 10).

TCP init
  Maximum length of time, in seconds, between receiving the SYN and the SYN-ACK before starting the TCP handshake timer (range is 1 to 60; default is 5).

TCP Half Closed
  Maximum length of time, in seconds, between receiving the first FIN and receiving the second FIN or a RST (range is 1 to 604,800; default is 120).

TCP Time Wait
  Maximum length of time, in seconds, after receiving the second FIN or a RST (range is 1 to 600; default is 15).

Unverified RST
  Maximum length of time, in seconds, after receiving a RST that cannot be verified (the RST is within the TCP window but has an unexpected sequence number, or the RST is from an asymmetric path) (range is 1 to 600; default is 30).

UDP
  Maximum length of time, in seconds, that a UDP session remains open without a UDP response (range is 1 to 1,599,999; default is 30).

Captive Portal
  The authentication session timeout in seconds for the Captive Portal web form (default is 30; range is 1 to 1,599,999). To access the requested content, the user must enter the authentication credentials in this form and be successfully authenticated.
  To define other Captive Portal timeouts, such as the idle timer and the expiration time before the user must be re-authenticated, use the Device > User Identification > Captive Portal Settings tab. See Device > User Identification > Captive Portal Settings.
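The TCP timers in the table above are easier to reason about as a state machine: each segment the firewall sees moves the session to a state, and the state decides which timeout applies. The example below, added here and not PAN-OS code, tracks those transitions with the documented default values, lets an application timeout from Objects > Applications override the Established timer, and applies the Accelerated Aging scaling factor from the Session Settings table when the session table is above the threshold. The flag strings and the 3-second and 80% numbers are constructed; how the firewall decides that a RST is "unverified" is not modelled, the caller just says so.

```python
# Global defaults from the Session Timeouts table (seconds).
DEFAULT_TIMEOUTS = {
    "default": 30, "tcp_init": 5, "tcp_handshake": 10, "tcp": 3600,
    "tcp_half_closed": 120, "tcp_time_wait": 15, "unverified_rst": 30,
    "udp": 30, "icmp": 6,
}


class AcceleratedAging:
    """Accelerated Aging: divide the idle timeout by the scaling factor once the
    session table is at or above the threshold percentage."""

    def __init__(self, enabled=False, threshold_pct=80, scaling_factor=2):
        self.enabled = enabled
        self.threshold_pct = threshold_pct
        self.scaling_factor = scaling_factor

    def apply(self, idle_timeout, session_table_pct):
        if self.enabled and session_table_pct >= self.threshold_pct:
            return idle_timeout // self.scaling_factor
        return idle_timeout


class TcpSession:
    """Tracks which timer governs a TCP session as segments are observed."""

    def __init__(self, timeouts=None, app_timeout=None):
        self.timeouts = dict(DEFAULT_TIMEOUTS if timeouts is None else timeouts)
        self.app_timeout = app_timeout         # Objects > Applications override
        self.state, self.timer = "NEW", "default"

    def on_segment(self, flags, rst_verified=True):
        """flags: 'SYN', 'SYN-ACK', 'ACK', 'FIN' or 'RST'. Returns (state, idle timeout)."""
        st = self.state
        if st == "NEW" and flags == "SYN":
            st, timer = "INIT", "tcp_init"               # waiting for SYN-ACK
        elif st == "INIT" and flags == "SYN-ACK":
            st, timer = "HANDSHAKE", "tcp_handshake"     # waiting for the final ACK
        elif st == "HANDSHAKE" and flags == "ACK":
            st, timer = "ESTABLISHED", "tcp"
        elif st == "ESTABLISHED" and flags == "FIN":
            st, timer = "HALF_CLOSED", "tcp_half_closed"
        elif st == "ESTABLISHED" and flags == "RST":
            if rst_verified:
                st, timer = "TIME_WAIT", "tcp_time_wait"
            else:
                timer = "unverified_rst"                 # keep the session, shorter timer
        elif st == "HALF_CLOSED" and flags in ("FIN", "RST"):
            st, timer = "TIME_WAIT", "tcp_time_wait"
        elif st == "ESTABLISHED":
            timer = "tcp"                                # data/ACK: re-arm established timer
        else:
            timer = self.timer                           # out-of-state segment: no change
        self.state, self.timer = st, timer
        return st, self.idle_timeout()

    def idle_timeout(self):
        if self.timer == "tcp" and self.app_timeout is not None:
            return self.app_timeout                      # application override wins
        return self.timeouts[self.timer]

    def expires_at(self, last_activity, session_table_pct, aging):
        return last_activity + aging.apply(self.idle_timeout(), session_table_pct)


if __name__ == "__main__":
    s = TcpSession()
    for f in ("SYN", "SYN-ACK", "ACK", "RST"):
        print(f, s.on_segment(f, rst_verified=(f != "RST")))
    aging = AcceleratedAging(enabled=True, threshold_pct=80, scaling_factor=10)
    print("expires at", s.expires_at(1000, 90, aging))
```

Walking one connection through SYN, SYN-ACK and ACK gives the 5, 10 and 3600 second timers in turn; an unverified RST does not tear the session down but shortens its life to 30 seconds, which is what makes the Unverified RST setting a defence against off-path reset injection. With accelerated aging active at 90% table utilization and a scaling factor of 10, the same established session expires 360 seconds after its last activity instead of 3600.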
TCP Settings

TCP Settings          Description

Urgent Data Flag
  Use this option to configure whether the firewall allows the urgent pointer (URG bit flag) in the TCP header. The urgent pointer in the TCP header is used to promote a packet for immediate processing: the receiving host removes it from the processing queue and expedites it through its TCP/IP stack. This process is called out-of-band processing.
  Because the implementation of the urgent pointer varies by host, setting this option to Clear (the default and recommended setting) eliminates any ambiguity by disallowing out-of-band processing, so that the out-of-band byte in the payload becomes part of the payload and the packet is not processed urgently. Additionally, the Clear setting ensures that the firewall sees the exact stream in the protocol stack as the host for whom the packet is destined.
  To see a count of the number of segments in which the firewall cleared the URG flag when this option is set to Clear, run the following CLI command:
  show counter global tcp_clear_urg
  By default, this flag is set to Clear and should remain this way for the most secure deployment. This should not result in performance degradation; in the rare instance that applications, such as telnet, are using the urgent data feature, TCP may be impacted. If you set this flag to Do Not Modify, the firewall allows packets with the URG bit flag in the TCP header and enables out-of-band processing (not recommended).

Drop segments without flag
  Illegal TCP segments without any flags set can be used to evade content inspection. With this option enabled (the default) the firewall drops packets that have no flags set in the TCP header. To see a count of the number of segments that the firewall dropped as a result of this option, run the following CLI command:
  show counter global tcp_flag_zero
  This option is enabled by default and should remain this way for the most secure deployment. Enabling this option should not result in performance degradation. However, if a network stack incorrectly generates segments with no TCP flags, enabling this option may result in connectivity issues.

Drop segments with null timestamp option
  The TCP timestamp records when the segment was sent and allows the firewall to verify that the timestamp is valid for that session, preventing TCP sequence number wrapping. The TCP timestamp is also used to calculate round-trip time. With this option enabled, the firewall drops packets with null timestamps. To see a count of the number of segments that the firewall dropped as a result of enabling this option, run the following CLI command:
  show counter global tcp_invalid_ts_option
  This option is enabled by default and should remain this way for the most secure deployment. Enabling this option should not result in performance degradation. However, if a network stack incorrectly generates segments with a null TCP timestamp option value, enabling this option may result in connectivity issues.

Forward segments exceeding TCP out-of-order queue
  Select this option if you want the firewall to forward segments that exceed the TCP out-of-order queue limit of 64 per session. If you disable this option, the firewall drops segments that exceed the out-of-order queue limit. To see a count of the number of segments that the firewall dropped as a result of enabling this option, run the following CLI command:
  show counter global tcp_exceed_flow_seg_limit
  This option is disabled by default and should remain this way for the most secure deployment. Disabling this option may result in increased latency for the specific stream that received over 64 segments out of order. There should be no loss of connectivity because the TCP stack should handle missing segment retransmission.
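The first three TCP settings above are segment normalization rules, and the cleanest way to see what each one changes on the wire is to parse a real TCP header. This added example (not PAN-OS code) builds constructed segments with struct, parses the header and the timestamp option, and applies the Clear / drop-zero-flag / drop-null-timestamp decisions while maintaining counters under the names the guide documents. The guide does not define "null timestamp" precisely; this model treats a TSval of 0 as null, which is an assumption. Checksums are left at zero and never validated.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
HEADER = "!HHIIBBHHH"   # sport, dport, seq, ack, offset<<4, flags, window, checksum, urgptr


def build_segment(flags, urg_ptr=0, timestamp=None, payload=b""):
    """Constructed test input: TCP header, optional timestamp option, payload."""
    options = b""
    if timestamp is not None:
        options = b"\x01\x01" + struct.pack("!BBII", 8, 10, *timestamp)   # NOP NOP TS
    offset = (20 + len(options)) // 4
    hdr = struct.pack(HEADER, 40000, 23, 1, 1, offset << 4, flags, 65535, 0, urg_ptr)
    return hdr + options + payload


def parse_segment(raw):
    fields = struct.unpack(HEADER, raw[:20])
    offset = (fields[4] >> 4) * 4
    options, ts = raw[20:offset], None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        length = options[i + 1]
        if kind == 8 and length == 10:      # timestamp: TSval, TSecr
            ts = struct.unpack("!II", options[i + 2:i + 10])
        i += length
    return {"flags": fields[5], "urg_ptr": fields[8], "timestamp": ts,
            "options": options, "payload": raw[offset:], "fields": fields}


class TcpNormalizer:
    def __init__(self, urgent_data="clear", drop_zero_flag=True, drop_null_timestamp=True):
        self.urgent_data = urgent_data              # "clear" or "do-not-modify"
        self.drop_zero_flag = drop_zero_flag
        self.drop_null_timestamp = drop_null_timestamp
        self.counters = {"tcp_clear_urg": 0, "tcp_flag_zero": 0, "tcp_invalid_ts_option": 0}

    def process(self, raw):
        """Returns ('drop' | 'forward', segment as it would leave the firewall)."""
        seg = parse_segment(raw)
        if self.drop_zero_flag and seg["flags"] == 0:
            self.counters["tcp_flag_zero"] += 1
            return "drop", raw
        # Assumption: a 'null' timestamp option is modelled as TSval == 0.
        if self.drop_null_timestamp and seg["timestamp"] is not None and seg["timestamp"][0] == 0:
            self.counters["tcp_invalid_ts_option"] += 1
            return "drop", raw
        if self.urgent_data == "clear" and seg["flags"] & URG:
            self.counters["tcp_clear_urg"] += 1
            f = list(seg["fields"])
            f[5] &= ~URG                            # clear the URG bit
            f[8] = 0                                # and the urgent pointer
            raw = struct.pack(HEADER, *f) + seg["options"] + seg["payload"]
        return "forward", raw


if __name__ == "__main__":
    n = TcpNormalizer()
    for name, seg in (("no flags", build_segment(0)),
                      ("telnet URG", build_segment(PSH | ACK | URG, urg_ptr=1, payload=b"\xff\xf3")),
                      ("null ts", build_segment(ACK, timestamp=(0, 0))),
                      ("normal", build_segment(ACK, timestamp=(123456, 98765)))):
        print(name, n.process(seg)[0])
    print(n.counters)
```

The URG case is the one worth noticing: the segment is still forwarded, but with the flag and pointer cleared the receiving host treats the former out-of-band byte as ordinary payload, so the firewall's view of the stream and the host's reassembly agree, which is the point of the Clear default.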
Decryption Settings: Certificate Revocation Checking

Session Features: Certificate Revocation Checking Settings          Description

Enable: CRL
  Select this option to use the certificate revocation list (CRL) method to verify the revocation status of certificates.
  If you also enable Online Certificate Status Protocol (OCSP), the firewall first tries OCSP; if the OCSP server is unavailable, the firewall then tries the CRL method.
  For more information on decryption certificates, see Keys and Certificates for Decryption.

Receive Timeout: CRL
  If you enabled the CRL method for verifying certificate revocation status, specify the interval in seconds (1 to 60; default is 5) after which the firewall stops waiting for a response from the CRL service.

Enable: OCSP
  Select this option to use OCSP to verify the revocation status of certificates.

Receive Timeout: OCSP
  If you enabled the OCSP method for verifying certificate revocation status, specify the interval in seconds (1 to 60; default is 5) after which the firewall stops waiting for a response from the OCSP responder.

Block Session With Unknown Certificate Status
  Select this option to block SSL/TLS sessions when the OCSP or CRL service returns a certificate revocation status of unknown. Otherwise, the firewall proceeds with the session.

Block Session On Certificate Status Check Timeout
  Select this option to block SSL/TLS sessions after the firewall registers a CRL or OCSP request timeout. Otherwise, the firewall proceeds with the session.

Certificate Status Timeout
  Specify the interval in seconds (1 to 60; default is 5) after which the firewall stops waiting for a response from any certificate status service and applies any session blocking logic you optionally define. The Certificate Status Timeout relates to the OCSP/CRL Receive Timeout as follows:
  - If you enable both OCSP and CRL: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the aggregate of the two Receive Timeout values.
  - If you enable only OCSP: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the OCSP Receive Timeout value.
  - If you enable only CRL: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the CRL Receive Timeout value.
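The interaction between the three timeouts and the two block options is easy to misconfigure, so here is the decision logic from the table above written out as an added example (not PAN-OS code). Responders are simulated as callables that return a status and how long they took, or None when unreachable; the default values are the ones documented. One consequence the model makes visible: with all three timeouts at their default of 5 seconds, an unreachable OCSP responder consumes the whole Certificate Status Timeout and the CRL fallback is never consulted.

```python
DEFAULTS = {
    "enable_ocsp": True, "ocsp_receive_timeout": 5,
    "enable_crl": True, "crl_receive_timeout": 5,
    "certificate_status_timeout": 5,
    "block_unknown_status": True, "block_on_timeout": True,
}


def effective_deadline(cfg):
    """The 'lesser of' rule from the Certificate Status Timeout description."""
    waits = [cfg[m + "_receive_timeout"] for m in ("ocsp", "crl") if cfg["enable_" + m]]
    return min(cfg["certificate_status_timeout"], sum(waits)) if waits else None


def check_revocation(cfg, responders):
    """responders maps 'ocsp'/'crl' to a callable returning (status, seconds) or
    None when the service is unreachable. Returns (action, reason)."""
    elapsed = 0
    deadline = cfg["certificate_status_timeout"]
    for method in ("ocsp", "crl"):                 # OCSP is tried first
        if not cfg["enable_" + method]:
            continue
        budget = min(cfg[method + "_receive_timeout"], deadline - elapsed)
        if budget <= 0:
            break                                  # overall timeout already spent
        result = responders[method]()
        if result is None or result[1] > budget:   # no answer inside the budget
            elapsed += budget
            continue                               # fall back to the next method
        status, took = result
        elapsed += took
        if status == "revoked":
            return "block", "revoked (" + method + ")"
        if status == "unknown":
            return ("block" if cfg["block_unknown_status"] else "allow"), "unknown (" + method + ")"
        return "allow", "good (" + method + ")"
    return ("block" if cfg["block_on_timeout"] else "allow"), "timeout"


def responder(status, seconds):
    """Constructed responder that always answers the same way."""
    return lambda: (status, seconds)


def unreachable():
    return None


if __name__ == "__main__":
    peers = {"ocsp": unreachable, "crl": responder("good", 2)}
    print("defaults:", check_revocation(DEFAULTS, peers))
    print("status timeout 10:", check_revocation(dict(DEFAULTS, certificate_status_timeout=10), peers))
```

Raising Certificate Status Timeout to 10 gives the CRL lookup its own 5-second window after OCSP fails; whether you also leave Block Session On Certificate Status Check Timeout enabled is the fail-closed versus fail-open decision, and the model returns "timeout" with the corresponding action so the two can be compared side by side.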
Decryption Settings: Forward Proxy Server Certificate Settings

Session Features: Forward Proxy Server Certificate Settings          Description

Defined by destination host
  Select this option if you want PAN-OS to generate certificates based on the key that the destination server uses:
  - If the destination server uses an RSA 1024-bit key, PAN-OS generates a certificate with that key size and an SHA1 hashing algorithm.
  - If the destination server uses a key size larger than 1024 bits (for example, 2048 bits or 4096 bits), PAN-OS generates a certificate that uses a 2048-bit key and SHA256 algorithm.
  This is the default setting.

1024-bit RSA
  Select this option if you want PAN-OS to generate certificates that use an RSA 1024-bit key and SHA1 hashing algorithm regardless of the key size that the destination server uses. As of December 31, 2013, public certificate authorities (CAs) and popular browsers have limited support for X.509 certificates that use keys of fewer than 2048 bits. In the future, depending on its security settings, when presented with such keys the browser might warn the user or block the SSL/TLS session entirely.

2048-bit RSA
  Select this option if you want PAN-OS to generate certificates that use an RSA 2048-bit key and SHA256 hashing algorithm regardless of the key size that the destination server uses. Public CAs and popular browsers support 2048-bit keys, which provide better security than the 1024-bit keys.
VPN Session Settings

Select Session, and in VPN Session Settings, configure global settings related to the firewall establishing a VPN session. The following table describes the settings.

VPN Session Settings          Description

Cookie Activation Threshold
  Specify a maximum number of IKEv2 half-open IKE SAs allowed per firewall, above which cookie validation is triggered. When the number of half-open IKE SAs exceeds the Cookie Activation Threshold, the Responder will request a cookie, and the Initiator must respond with an IKE_SA_INIT containing a cookie. If the cookie validation is successful, another SA session can be initiated.
  A value of 0 means that cookie validation is always on.
  The Cookie Activation Threshold is a global firewall setting and should be lower than the Maximum Half Opened SA setting, which is also global (range is 0 to 65535; default is 500).

Maximum Half Opened SA
  Specify the maximum number of IKEv2 half-open IKE SAs that Initiators can send to the firewall without getting a response. Once the maximum is reached, the firewall will not respond to new IKE_SA_INIT packets (range is 1 to 65535; default is 65535).

Maximum Cached Certificates
  Specify the maximum number of peer certificate authority (CA) certificates retrieved via HTTP that the firewall can cache. This value is used only by the IKEv2 Hash and URL feature (range is 1 to 4000; default is 500).
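The two half-open SA settings above implement the IKEv2 cookie defence against spoofed IKE_SA_INIT floods: once the threshold is crossed the responder commits no state until the initiator proves it can receive traffic at its claimed address by echoing a cookie. The responder below is an added model, not PAN-OS code; the cookie is an HMAC over the peer address and initiator SPI under a responder-local secret (a construction of this example; the real firewall's cookie format is not documented here), threshold 0 is modelled as "demand a cookie from the first SA", and the peer addresses and SPIs are constructed.

```python
import hashlib
import hmac
import os


class Ikev2Responder:
    """Models the Cookie Activation Threshold and Maximum Half Opened SA settings."""

    def __init__(self, cookie_activation_threshold=500, max_half_opened_sa=65535):
        self.threshold = cookie_activation_threshold
        self.max_half_open = max_half_opened_sa
        self.secret = os.urandom(16)            # responder-local, never sent
        self.half_open = {}                     # initiator SPI -> peer address

    def expected_cookie(self, peer_ip, spi_i):
        mac = hmac.new(self.secret, peer_ip.encode() + spi_i, hashlib.sha256)
        return mac.digest()[:16]

    def on_sa_init(self, peer_ip, spi_i, cookie=None):
        """Returns (verb, cookie): RESPOND, COOKIE (with the cookie to echo) or IGNORE."""
        if spi_i in self.half_open:
            return "RESPOND", None               # retransmit of an SA we already hold
        if len(self.half_open) >= self.max_half_open:
            return "IGNORE", None                # Maximum Half Opened SA reached
        # Assumption: '0 means always on' is modelled with >=, so 0 demands a cookie from the first SA.
        if len(self.half_open) >= self.threshold:
            expected = self.expected_cookie(peer_ip, spi_i)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return "COOKIE", expected        # no state kept until the cookie comes back
        self.half_open[spi_i] = peer_ip
        return "RESPOND", None

    def on_ike_auth(self, spi_i):
        self.half_open.pop(spi_i, None)          # SA completed, no longer half-open


def spoofed_flood(responder, count):
    """Initiators at spoofed addresses never see the reply, so they cannot echo the cookie."""
    verbs = [responder.on_sa_init("203.0.113.%d" % (i % 250), os.urandom(8))[0]
             for i in range(count)]
    return verbs.count("RESPOND"), verbs.count("COOKIE"), verbs.count("IGNORE")


def legitimate_peer(responder, peer_ip):
    """A real initiator retries IKE_SA_INIT with the cookie it was given."""
    spi = os.urandom(8)
    verb, cookie = responder.on_sa_init(peer_ip, spi)
    if verb == "COOKIE":
        verb, _ = responder.on_sa_init(peer_ip, spi, cookie=cookie)
    return verb


if __name__ == "__main__":
    r = Ikev2Responder(cookie_activation_threshold=3, max_half_opened_sa=5)
    print("flood:", spoofed_flood(r, 10), "half-open:", len(r.half_open))
    print("legit:", legitimate_peer(r, "198.51.100.7"), "half-open:", len(r.half_open))
```

A flood of ten spoofed initiations leaves only the first three half-open; everything after the threshold is answered with a cookie and no state, while a legitimate peer that echoes its cookie still gets through. The Maximum Half Opened SA limit is the hard stop behind that: once a peer can echo cookies (that is, is not spoofing) and still floods, the responder goes silent rather than exhausting memory, which is why the guide wants the threshold kept below the maximum.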
Device > High Availability

For redundancy, deploy your Palo Alto Networks next-generation firewalls in a high availability configuration. There are two HA deployments:

- active/passive: In this deployment, the active peer continuously synchronizes its configuration and session information with the passive peer over two dedicated interfaces. In the event of a hardware or software disruption on the active firewall, the passive firewall becomes active automatically without loss of service. Active/passive HA deployments are supported with all interface modes: virtual wire, Layer 2 or Layer 3.
- active/active: In this deployment, both HA peers are active and processing traffic. Such deployments are most suited for scenarios involving asymmetric routing or in cases where you want to allow dynamic routing protocols (OSPF, BGP) to maintain active status across both peers. Active/active HA is supported only in the virtual wire and Layer 3 interface modes. In addition to the HA1 and HA2 links, active/active deployments require a dedicated HA3 link. The HA3 link is used as a packet forwarding link for session setup and asymmetric traffic handling.

In an HA pair, both peers must be of the same model, must be running the same PAN-OS and Content Release version, and must have the same set of licenses.

In addition, for the VM-Series firewalls, both peers must be on the same hypervisor and must have the same number of CPU cores allocated on each peer.

HA Lite
Important Considerations for Configuring HA
Configure HA Settings

HA Lite

The PA-200 firewall supports HA lite, a version of active/passive HA that does not include any session synchronization. HA lite does provide configuration synchronization and synchronization of some runtime items. It also supports failover of IPSec tunnels (sessions must be re-established), DHCP server lease information, DHCP client lease information, PPPoE lease information, and the firewall's forwarding table when configured in Layer 3 mode.

Important Considerations for Configuring HA

- The subnet that is used for the local and peer IP should not be used anywhere else on the virtual router.
- The OS and Content Release versions should be the same on each firewall. A mismatch can prevent peer firewalls from synchronizing.
- The LEDs are green on the HA ports for the active firewall and amber on the passive firewall.
- To compare the configuration of the local and peer firewalls, use the Config Audit tool on the Device tab by selecting the desired local configuration in the left selection box and the peer configuration in the right selection box.
- Synchronize the firewalls from the web interface by clicking Push Configuration in the HA widget on the Dashboard. The configuration on the firewall from which you push the configuration overwrites the configuration on the peer firewall. To synchronize the firewalls from the CLI on the active firewall, use the command request high-availability sync-to-remote running-config.

In a High Availability (HA) active/passive configuration with firewalls that use 10-gigabit SFP+ ports, when a failover occurs and the active firewall changes to a passive state, the 10-gigabit Ethernet port is taken down and then brought back up to refresh the port, but does not enable transmit until the firewall becomes active again. If you have monitoring software on the neighboring device, it will see the port as flapping because it is going down and then up again. This is different behavior than the action with other ports, such as the 1-gigabit Ethernet port, which is disabled and still allows transmit, so flapping is not detected by the neighboring device.
ConfigureHASettings
HASettings Description
General Tab
Setup Specifythefollowingsettings:
Enable HAActivateHAfunctionality.
Group IDEnteranumbertoidentifytheHApair(1to63).Thisfieldis
required(andmustbeunique)ifmultipleHApairsresideonthesame
broadcastdomain.
DescriptionEnteradescriptionoftheHApair(optional).
ModeSetthetypeofHAdeployment:Active PassiveorActive Active.
Device IDInactive/activeconfiguration,settheDeviceIDtodetermine
whichpeerwillbeactiveprimary(setDevice IDto0)andwhichwillbe
activesecondary(settheDevice IDto1).
Enable Config SyncSelectthisoptiontoenablesynchronizationof
configurationsettingsbetweenthepeers.
Configsyncshouldalwaysbeenabled.
HASettings Description
HASettings Description
Election Settings
Specify or enable the following settings:
- Device Priority: Enter a priority value to identify the active firewall. The firewall with the lower value (higher priority) becomes the active firewall (range is 0-255) when the preemptive capability is enabled on both firewalls in the pair.
- Heartbeat Backup: Uses the management ports on the HA firewalls to provide a backup path for heartbeat and hello messages. The management port IP address will be shared with the HA peer through the HA1 control link. No additional configuration is required.
- Preemptive: Enables the higher priority firewall to resume active (active/passive) or active-primary (active/active) operation after recovering from a failure. The Preemption option must be enabled on both firewalls for the higher priority firewall to resume active or active-primary operation upon recovery following a failure. If this setting is off, then the lower priority firewall remains active or active-primary even after the higher priority firewall recovers from a failure.
- HA Timer Settings: Select one of the preset profiles:
  - Recommended: Use for typical failover timer settings.
  - Aggressive: Use for faster failover timer settings.
    To view the preset value for an individual timer included in a profile, select Advanced and click Load Recommended or Load Aggressive. The preset values for your hardware model will be displayed on screen.
  - Advanced: Allows you to customize the values to suit your network requirement for each of the following timers:
    - Promotion Hold Time: Enter the time that the passive peer (in active/passive mode) or the active-secondary peer (in active/active mode) will wait before taking over as the active or active-primary peer after communications with the HA peer have been lost. This hold time will begin only after the peer failure declaration has been made.
    - Hello Interval: Enter the number of milliseconds between the hello packets sent to verify that the HA program on the other firewall is operational (range is 8,000-60,000; default is 8,000).
    - Heartbeat Interval: Specify how frequently the HA peers exchange heartbeat messages in the form of an ICMP ping (range is 1,000-60,000 ms; no default).
    - Maximum No. of Flaps: A flap is counted when the firewall leaves the active state within 15 minutes after it last left the active state. You can specify the maximum number of flaps that are permitted before the firewall is determined to be suspended and the passive firewall takes over (range is 0-16; default is 3). The value 0 means there is no maximum (an infinite number of flaps is required before the passive firewall takes over).
    - Preemption Hold Time: Enter the time in minutes that a passive or active-secondary peer waits before taking over as the active or active-primary peer (range is 1-60; default is 1).
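The election rules above (lower Device Priority value wins only when Preemptive is enabled on both peers) and the 15-minute flap counter, modelled as an added example that is not PAN-OS code. Peer names, priorities and event times are constructed; treating the flap maximum as inclusive is this model's assumption.

```python
"""HA election and flap counting as described in the Election Settings row.
Added model, not PAN-OS code: device priority (lower value = higher priority),
preemption that must be enabled on both peers, and the Maximum No. of Flaps
counter. Peers, priorities and timestamps are constructed sample data."""
from dataclasses import dataclass
from typing import Optional, Tuple

FLAP_WINDOW_SEC = 15 * 60   # a flap counts when the firewall leaves active
                            # within 15 minutes of the last time it left active


@dataclass
class Peer:
    name: str
    priority: int               # Device Priority, 0-255
    preemptive: bool
    max_flaps: int = 3          # Maximum No. of Flaps, 0-16 (0 = no maximum)
    state: str = "passive"      # "active", "passive" or "suspended"
    flaps: int = 0
    last_left_active: Optional[float] = None   # epoch seconds

    def __post_init__(self):
        # the ranges stated on the page
        if not 0 <= self.priority <= 255:
            raise ValueError("Device Priority must be 0-255")
        if not 0 <= self.max_flaps <= 16:
            raise ValueError("Maximum No. of Flaps must be 0-16")


def elect(a: Peer, b: Peer) -> Peer:
    """Return the peer that should be active when both are healthy.
    With Preemptive enabled on BOTH peers the lower priority value wins even
    if the other peer is currently active; otherwise the peer that is already
    active keeps the role (on a cold start the lower value wins). A tie on
    priority is not covered by the page; this model picks `a`."""
    candidates = [p for p in (a, b) if p.state != "suspended"]
    if len(candidates) == 1:
        return candidates[0]
    current = next((p for p in candidates if p.state == "active"), None)
    if current is not None and not (a.preemptive and b.preemptive):
        return current
    return min(candidates, key=lambda p: p.priority)


def leave_active(peer: Peer, now: float) -> str:
    """Record that `peer` left the active state at time `now` (for example
    after a monitored link failed) and return its new state. Assumption: the
    peer is suspended once the flap count reaches Maximum No. of Flaps,
    unless the maximum is 0 (no maximum)."""
    if (peer.last_left_active is not None
            and now - peer.last_left_active <= FLAP_WINDOW_SEC):
        peer.flaps += 1
    peer.last_left_active = now
    if peer.max_flaps and peer.flaps >= peer.max_flaps:
        peer.state = "suspended"
    else:
        peer.state = "passive"
    return peer.state


def run_flap_scenario(max_flaps: int, leave_times) -> Tuple[int, bool]:
    """Replay the times at which one firewall left the active state and
    return (flap_count, suspended)."""
    fw = Peer("fw-a", priority=50, preemptive=True, max_flaps=max_flaps,
              state="active")
    for t in leave_times:
        if leave_active(fw, t) == "suspended":
            return fw.flaps, True
        fw.state = "active"   # assume it was promoted back before the next event
    return fw.flaps, False


if __name__ == "__main__":
    a = Peer("fw-a", priority=50, preemptive=True)
    b = Peer("fw-b", priority=100, preemptive=True, state="active")
    print("winner with preemption on both:", elect(a, b).name)   # fw-a
    print(run_flap_scenario(3, [0, 60, 120, 180]))              # (3, True)
```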
HA Settings  Description
Data Link (HA2)
Specify the following settings for the primary and backup data link:
- Port: Select the HA port. Configure this setting for the primary and backup HA2 interfaces. The backup setting is optional.
- IP Address: Specify the IPv4 or IPv6 address of the HA interface for the primary and backup HA2 interfaces. The backup setting is optional.
- Netmask: Specify the network mask for the HA interface for the primary and backup HA2 interfaces. The backup setting is optional.
- Gateway: Specify the default gateway for the HA interface for the primary and backup HA2 interfaces. The backup setting is optional. If the HA2 IP addresses of the firewalls are in the same subnet, the Gateway field should be left blank.
- Enable Session Synchronization: Enable synchronization of the session information with the passive firewall, and choose a transport option.
- Transport: Choose one of the following transport options:
  - Ethernet: Use when the firewalls are connected back-to-back or through a switch (Ethertype 0x7261).
  - IP: Use when Layer 3 transport is required (IP protocol number 99).
  - UDP: Use to take advantage of the fact that the checksum is calculated on the entire packet rather than just the header, as in the IP option (UDP port 29281). The benefit of using UDP mode is the presence of the UDP checksum to verify the integrity of a session sync message.
- Link Speed (Models with dedicated HA ports only): Select the speed for the control link between peers for the dedicated HA2 port.
- Link Duplex (Models with dedicated HA ports only): Select a duplex option for the control link between peers for the dedicated HA2 port.
- HA2 keep-alive: Select this option to monitor the health of the HA2 data link between HA peers. This option is disabled by default and you can enable it on one or both peers. If enabled, the peers will use keep-alive messages to monitor the HA2 connection to detect a failure based on the Threshold you set (default is 10,000 ms). If you enable HA2 keep-alive, the HA2 Keep-alive recovery Action will be taken. Select an Action:
  - Log Only: Logs the failure of the HA2 interface in the system log as a critical event. Select this option for active/passive deployments because the active peer is the only firewall forwarding traffic. The passive peer is in a backup state and is not forwarding traffic; therefore a split datapath is not required. If you have not configured any HA2 Backup links, state synchronization will be turned off. If the HA2 path recovers, an informational log will be generated.
  - Split Datapath: Select this option in active/active HA deployments to instruct each peer to take ownership of their local state and session tables when it detects an HA2 interface failure. Without HA2 connectivity, no state and session synchronization can happen; this action allows separate management of the session tables to ensure successful traffic forwarding by each HA peer. To prevent this condition, configure an HA2 Backup link.
- Threshold (ms): The duration in which keep-alive messages have failed before one of the above actions will be triggered (range is 5,000 to 60,000 ms; default is 10,000 ms).
Note: When an HA2 backup link is configured, failover to the backup link will occur if there is a physical link failure. With the HA2 keep-alive option enabled, the failover will also occur if the HA keep-alive messages fail based on the defined threshold.
Link and Path Monitoring Tab (Not available for the VM-Series firewall in AWS)
Path Monitoring
Specify the following:
- Enabled: Enable path monitoring. Path monitoring enables the firewall to monitor specified destination IP addresses by sending ICMP ping messages to make sure that they are responsive. Use path monitoring for virtual wire, Layer 2, or Layer 3 configurations where monitoring of other network devices is required for failover and link monitoring alone is not sufficient.
- Failure Condition: Select whether a failover occurs when any or all of the monitored path groups fail to respond.

Path Group
Define one or more path groups to monitor specific destination addresses. To add a path group, click Add for the interface type (Virtual Wire, VLAN, or Virtual Router) and specify the following:
- Name: Select a virtual wire, VLAN, or virtual router from the drop-down (the drop-down is populated depending on whether you are adding a virtual wire, VLAN, or virtual router path).
- Enabled: Enable the path group.
- Failure Condition: Select whether a failure occurs when any or all of the specified destination addresses fail to respond.
- Source IP: For virtual wire and VLAN interfaces, enter the source IP address used in the probe packets sent to the next-hop router (Destination IP address). The local router must be able to route the address to the firewall. The source IP address for path groups associated with virtual routers will be automatically configured as the interface IP address that is indicated in the route table as the egress interface for the specified destination IP address.
- Destination IPs: Enter one or more (comma-separated) destination addresses to be monitored.
- Ping Interval: Specify the interval between pings that are sent to the destination address (range is 200 to 60,000 ms; default is 200 ms).
- Ping Count: Specify the number of failed pings before declaring a failure (range is 3 to 10; default is 10).

Link Monitoring
Specify the following:
- Enabled: Enable link monitoring. Link monitoring allows failover to be triggered when a physical link or group of physical links fails.
- Failure Condition: Select whether a failover occurs when any or all of the monitored link groups fail.

Link Groups
Define one or more link groups to monitor specific Ethernet links. To add a link group, specify the following and click Add:
- Name: Enter a link group name.
- Enabled: Enable the link group.
- Failure Condition: Select whether a failure occurs when any or all of the selected links fail.
- Interfaces: Select one or more Ethernet interfaces to be monitored.
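The two-level any/all Failure Condition described for Path Monitoring and Link Monitoring above, evaluated over constructed probe and link-state samples as an added example (not PAN-OS code). Group names, destination addresses and interface names are assumed; an interface missing from the link-state map is treated as down.

```python
"""Any/all evaluation of Path Monitoring and Link Monitoring. Added
illustration, not PAN-OS code: each path group or link group has its own
Failure Condition, and the monitoring-level Failure Condition then decides
whether the group results trigger failover. Inputs are constructed samples."""
from dataclasses import dataclass
from typing import Dict, List


def _combine(results: List[bool], condition: str) -> bool:
    """Apply a Failure Condition ("any" or "all") to a list of failure flags."""
    if condition not in ("any", "all"):
        raise ValueError("Failure Condition must be 'any' or 'all'")
    if not results:                      # nothing monitored cannot fail
        return False
    return any(results) if condition == "any" else all(results)


@dataclass
class PathGroup:
    name: str                            # virtual wire, VLAN or virtual router
    destinations: List[str]              # Destination IPs
    failure_condition: str = "any"
    enabled: bool = True
    ping_interval_ms: int = 200          # Ping Interval, 200-60,000 ms
    ping_count: int = 10                 # failed pings before failure, 3-10

    def __post_init__(self):
        if not 200 <= self.ping_interval_ms <= 60000:
            raise ValueError("Ping Interval must be 200-60,000 ms")
        if not 3 <= self.ping_count <= 10:
            raise ValueError("Ping Count must be 3-10")

    def failed(self, consecutive_failed_pings: Dict[str, int]) -> bool:
        """A destination is down once `ping_count` successive pings failed;
        the group's own Failure Condition combines the destinations."""
        if not self.enabled:
            return False
        down = [consecutive_failed_pings.get(d, 0) >= self.ping_count
                for d in self.destinations]
        return _combine(down, self.failure_condition)


@dataclass
class LinkGroup:
    name: str
    interfaces: List[str]
    failure_condition: str = "any"
    enabled: bool = True

    def failed(self, link_up: Dict[str, bool]) -> bool:
        """Interfaces absent from `link_up` are treated as down."""
        if not self.enabled:
            return False
        down = [not link_up.get(i, False) for i in self.interfaces]
        return _combine(down, self.failure_condition)


def path_monitoring_failover(groups: List[PathGroup], failure_condition: str,
                             consecutive_failed_pings: Dict[str, int]) -> bool:
    """Monitoring-level decision over the enabled path groups only."""
    enabled = [g for g in groups if g.enabled]
    return _combine([g.failed(consecutive_failed_pings) for g in enabled],
                    failure_condition)


def link_monitoring_failover(groups: List[LinkGroup], failure_condition: str,
                             link_up: Dict[str, bool]) -> bool:
    enabled = [g for g in groups if g.enabled]
    return _combine([g.failed(link_up) for g in enabled], failure_condition)


def time_to_declare_ms(group: PathGroup) -> int:
    """Worst-case time before a destination is declared down: ping_count
    probes spaced ping_interval_ms apart (derived from the two settings)."""
    return group.ping_count * group.ping_interval_ms


if __name__ == "__main__":
    # constructed sample: two WAN next hops monitored with "all", one LAN gateway
    wan = PathGroup("vr-default", ["203.0.113.1", "203.0.113.2"], "all")
    lan = PathGroup("vlan-users", ["192.0.2.1"], "any")
    probes = {"203.0.113.1": 12, "203.0.113.2": 2, "192.0.2.1": 0}
    print(path_monitoring_failover([wan, lan], "any", probes))   # False
```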
Packet Forwarding
Enable peers to forward packets over the HA3 link for session setup and for Layer 7 inspection (App-ID, Content-ID, and threat inspection) of asymmetrically routed sessions.
HA3 Interface
Select the data interface you plan to use to forward packets between active/active HA peers. The interface you use must be a dedicated Layer 2 interface set to Interface Type HA.
If the HA3 link fails, the active-secondary peer will transition to the non-functional state. To prevent this condition, configure a Link Aggregation Group (LAG) interface with two or more physical interfaces as the HA3 link. The firewall does not support an HA3 Backup link. An aggregate interface with multiple interfaces will provide additional capacity and link redundancy to support packet forwarding between HA peers.
You must enable jumbo frames on the firewall and on all intermediary networking devices when using the HA3 interface. To enable jumbo frames, select Device > Setup > Session and select the option to Enable Jumbo Frame in the Session Settings section.

VR Sync
Force synchronization of all virtual routers configured on the HA peers. Use this option when the virtual router is not configured for dynamic routing protocols. Both peers must be connected to the same next-hop router through a switched network and must use static routing only.

QoS Sync
Synchronize the QoS profile selection on all physical interfaces. Use this option when both peers have similar link speeds and require the same QoS profiles on all physical interfaces. This setting affects the synchronization of QoS settings on the Network tab. QoS policy is synchronized regardless of this setting.

Tentative Hold Time (sec)
When a firewall in an HA active/active configuration fails, it will go into a tentative state. The transition from tentative state to active-secondary state triggers the Tentative Hold Time, during which the firewall attempts to build routing adjacencies and populate its route table before it will process any packets. Without this timer, the recovering firewall would enter the active-secondary state immediately and would black hole packets because it would not have the necessary routes (default is 60 seconds).

Session Owner Selection
The session owner is responsible for all Layer 7 inspection (App-ID and Content-ID) for the session and for generating all Traffic logs for the session. Select one of the following options to specify how to determine the session owner for a packet:
- First packet: Select this option to designate the firewall that receives the first packet in a session as the session owner. This is the recommended configuration to minimize traffic across HA3 and distribute the dataplane load across peers.
- Primary Device: Select this option if you want the active-primary firewall to own all sessions. In this case, if the active-secondary firewall receives the first packet, it will forward all packets requiring Layer 7 inspection to the active-primary firewall over the HA3 link.
Session Setup
The firewall responsible for session setup performs Layer 2 through Layer 4 processing (including address translation) and creates the session table entry. Because session setup consumes management plane resources, you can select one of the following options to help distribute the load:
- Primary Device: The active-primary firewall sets up all sessions.
- IP Modulo: Distributes session setup based on the parity of the source IP address.
- IP Hash: Distributes session setup based on a hash of the source IP address or source and destination IP address, and a hash seed value if you need more randomization.
- First Packet: The firewall that receives the first packet performs session setup, even in cases where the peer owns the session. This option minimizes traffic over the HA3 link and ensures that the management plane intensive work of setting up the session always happens on the firewall that receives the first packet.

Virtual Address
Click Add, select the IPv4 or IPv6 tab and then click Add again to enter options to specify the type of HA virtual address to use: Floating or ARP Load Sharing. You can also mix the virtual address types in the pair. For example, you could use ARP load sharing on the LAN interface and a Floating IP on the WAN interface.
- Floating: Enter an IP address that will move between HA peers in the event of a link or system failure. Configure two floating IP addresses on the interface, so that each firewall will own one, and then set the priority. If either firewall fails, the floating IP address transitions to the HA peer.
  - Device 0 Priority: Set the priority for the firewall with Device ID 0 to determine which firewall will own the floating IP address. A firewall with the lowest value will have the highest priority.
  - Device 1 Priority: Set the priority for the firewall with Device ID 1 to determine which firewall will own the floating IP address. A firewall with the lowest value will have the highest priority.
  - Failover address if link state is down: Use the failover address when the link state is down on the interface.
  - Floating IP bound to the Active-Primary HA device: Select this option to bind the floating IP address to the active-primary peer. In the event one peer fails, traffic is sent continuously to the active-primary peer even after the failed firewall recovers and becomes the active-secondary peer.
- ARP Load Sharing: Enter an IP address that will be shared by the HA pair and provide gateway services for hosts. This option is only required if the firewall is on the same broadcast domain as the hosts. Select the Device Selection Algorithm:
  - IP Modulo: Select the firewall that will respond to ARP requests based on the parity of the ARP requester's IP address.
  - IP Hash: Select the firewall that will respond to ARP requests based on a hash of the ARP requester's IP address.
Operational Commands
Suspend local device (or Make local device functional)
Places the HA peer in a suspended state, and temporarily disables HA functionality on the firewall. If you suspend the currently active firewall, the other peer will take over.
To place a suspended firewall back into a functional state, use the following operational mode CLI command:
request high-availability state functional
To test failover, you can either uncable the active (or active-primary) firewall or you can click this link to suspend the active firewall.
Device > Config Audit
Config Audit Settings  Description
Configuration name drop-downs (unlabeled)
Select two configurations to compare in the (unlabeled) configuration name drop-downs (the defaults are Running config and Candidate config).
You can filter a drop-down by entering a text string derived from the Description value of the commit operation associated with the desired configuration (see Commit Changes).
Context drop-down
Use the Context drop-down to specify the number of lines to display before and after the highlighted differences in each file. Specifying more lines can help you correlate the audit results to settings in the web interface. If you set the Context to All, the results include the entire configuration files.
Go
Click Go to start the audit.
Device > Password Profiles
Panorama > Password Profiles
Select Device > Password Profiles or Panorama > Password Profiles to set basic password requirements for individual local accounts. Password profiles override any Minimum Password Complexity settings you defined for all local accounts (Device > Setup > Management).
To apply a password profile to an account, select Device > Administrators (for firewalls) or Panorama > Administrators (for Panorama), select an account, and then select the Password Profile.
You cannot assign password profiles to administrative accounts that use local database authentication (see Device > Local User Database > Users).
To create a password profile, Add one and specify the information in the following table.
Password Profile Settings  Description
Name: Enter a name to identify the password profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Required Password Change Period (days): Require that administrators change their password on a regular basis specified by a number of days (range is 0 to 365). For example, if the value is set to 90, administrators will be prompted to change their password every 90 days. You can also set an expiration warning from 0 to 30 days and specify a grace period.
Expiration Warning Period (days): If a required password change period is set, this setting can be used to prompt the user to change their password at each login as the forced password change date approaches (range is 0 to 30).
Post Expiration Admin Login Count: Allow the administrator to log in a specified number of times after their account has expired. For example, if the value is set to 3 and their account has expired, they can log in 3 more times before their account is locked out (range is 0 to 3).
Post Expiration Grace Period (days): Allow the administrator to log in the specified number of days after their account has expired (range is 0 to 30).
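The four password profile settings above as a login-time decision, written as an added example rather than PAN-OS code: it validates the stated ranges and tells an operator whether a login is allowed, warned, inside the post-expiration allowance, or locked. That the login count and the grace period must both still permit a login after expiry is this model's assumption.

```python
"""Timeline semantics of a password profile. Added example, not PAN-OS code:
decide whether a local administrator's login is allowed, should show an
expiry warning, is inside the post-expiration allowance, or is locked out.
Assumption: after expiry, both the login count and the grace period must
still permit the login."""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class PasswordProfile:
    change_period_days: int      # Required Password Change Period, 0-365 (0 = off)
    warning_days: int = 0        # Expiration Warning Period, 0-30
    post_expiry_logins: int = 0  # Post Expiration Admin Login Count, 0-3
    grace_days: int = 0          # Post Expiration Grace Period, 0-30

    def __post_init__(self):
        # the ranges given in the table
        limits = {"change_period_days": 365, "warning_days": 30,
                  "post_expiry_logins": 3, "grace_days": 30}
        for name, upper in limits.items():
            value = getattr(self, name)
            if not 0 <= value <= upper:
                raise ValueError(f"{name} must be 0-{upper}, got {value}")


def evaluate_login(profile: PasswordProfile, days_since_change: int,
                   post_expiry_logins_used: int = 0) -> Tuple[str, int]:
    """Return (decision, detail):
    ("ok", days_left)       password valid, no warning (-1 when no period is set)
    ("warn", days_left)     valid but inside the Expiration Warning Period
    ("grace", logins_left)  expired; this login is allowed and consumes one
                            of the Post Expiration Admin Login Count
    ("locked", 0)           expired and the allowance is exhausted
    """
    if profile.change_period_days == 0:
        return ("ok", -1)                       # no forced change configured
    days_left = profile.change_period_days - days_since_change
    if days_left > 0:
        if profile.warning_days and days_left <= profile.warning_days:
            return ("warn", days_left)
        return ("ok", days_left)
    days_expired = -days_left
    within_grace = days_expired <= profile.grace_days
    logins_left = profile.post_expiry_logins - post_expiry_logins_used
    if within_grace and logins_left > 0:
        return ("grace", logins_left - 1)       # allowance left after this login
    return ("locked", 0)


if __name__ == "__main__":
    # constructed sample matching the 90-day / 3-login examples in the table
    profile = PasswordProfile(change_period_days=90, warning_days=7,
                              post_expiry_logins=3, grace_days=5)
    for day in (30, 85, 90, 100):
        print(day, evaluate_login(profile, day))
```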
Username and Password Requirements
The following table lists the valid characters that can be used in usernames and passwords for PAN-OS and Panorama accounts.
Account Type  Username and Password Restrictions
Password Character Set: There are no restrictions on any password field character sets.
Remote Admin, SSL-VPN, or Captive Portal: The following characters are not allowed for the username:
- Backtick (`)
- Angular brackets (< and >)
- Ampersand (&)
- Asterisk (*)
- At sign (@)
- Question mark (?)
- Pipe (|)
- Single Quote (')
- Semicolon (;)
- Double Quote (")
- Dollar ($)
- Parentheses ('(' and ')')
- Colon (':')
Local Administrator Accounts: The following are the allowed characters for local usernames:
- Lowercase (a-z)
- Uppercase (A-Z)
- Numeric (0-9)
- Underscore (_)
- Period (.)
- Hyphen (-)
Login names cannot start with a hyphen (-).
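A validator for the two username rule sets in the table above, added here as an example and not taken from PAN-OS: an allowed-character check for local administrator names and a forbidden-character check for remote admin, SSL-VPN and Captive Portal names. The 31-character limit is the administrator login name limit stated on this page; passwords are not checked because the table places no restriction on them.

```python
"""Username checks for the two rule sets in the table. Added example, not
PAN-OS code: the allowed-character set for local administrator names and the
forbidden-character set for remote admin, SSL-VPN and Captive Portal names.
The 31-character limit is the administrator login name limit on this page."""
from typing import Callable, List

LOCAL_EXTRA = set("_.-")                     # allowed beyond ASCII letters/digits
REMOTE_FORBIDDEN = set("`<>&*@?|';\"$():")   # backtick through colon, as listed
MAX_LEN = 31


def _disallowed(name: str, allowed: Callable[[str], bool]) -> str:
    """Characters in `name` that fail the predicate, deduplicated, in order."""
    seen: List[str] = []
    for ch in name:
        if not allowed(ch) and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def check_local_admin_username(name: str) -> List[str]:
    """Return the rule violations for a local administrator login name
    (an empty list means the name is acceptable)."""
    problems = []
    if not name:
        problems.append("empty name")
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if name.startswith("-"):
        problems.append("starts with a hyphen")
    bad = _disallowed(
        name, lambda c: c.isascii() and (c.isalnum() or c in LOCAL_EXTRA))
    if bad:
        problems.append(f"disallowed characters: {bad!r}")
    return problems


def check_remote_username(name: str) -> List[str]:
    """Return the rule violations for a remote admin, SSL-VPN or Captive
    Portal username. Only the listed characters are rejected; anything else,
    including a domain prefix such as corp\\jdoe, is left alone."""
    problems = []
    if not name:
        problems.append("empty name")
    bad = _disallowed(name, lambda c: c not in REMOTE_FORBIDDEN)
    if bad:
        problems.append(f"forbidden characters: {bad!r}")
    return problems


if __name__ == "__main__":
    # constructed sample names
    for candidate in ("ops.admin-1", "-ops", "ops admin@corp"):
        print(candidate, check_local_admin_username(candidate))
    for candidate in ("corp\\jdoe", "j$doe;"):
        print(candidate, check_remote_username(candidate))
```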
Device > Administrators
Administrator accounts control access to firewalls and Panorama. A firewall administrator can have full or read-only access to a single firewall or to a virtual system on a single firewall. Firewalls have a predefined admin account that has full access.
To define Panorama administrators, see Panorama > Managed Devices.
The following authentication options are supported:
- Password authentication: The administrator enters a username and password to log in. This authentication requires no certificates. You can use it in conjunction with authentication profiles, or for local database authentication.
- Client certificate authentication (web): This authentication requires no username or password; the certificate suffices to authenticate access to the firewall.
- Public key authentication (SSH): The administrator generates a public/private key pair on the machine that requires access to the firewall, and then uploads the public key to the firewall to allow secure access without requiring the administrator to enter a username and password.
To add an administrator, click Add and fill in the following information:
Administrator Account Settings  Description
Name: Enter a login name for the administrator (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, hyphens, periods, and underscores. Login names cannot start with a hyphen (-).
Authentication Profile: Select an authentication profile for administrator authentication. You can use this setting for RADIUS, TACACS+, LDAP, Kerberos, SAML, or local database authentication. For details, see Device > Authentication Profile.
Use only client certificate authentication (web): Select this option to use client certificate authentication for web access. If you select this option, a username and password are not required; the certificate is sufficient to authenticate access to the firewall.
New Password / Confirm New Password: Enter and confirm a case-sensitive password for the administrator (up to 31 characters). You can also select Setup > Management to enforce a minimum password length.
To ensure that the firewall management interface remains secure, we recommend that you periodically change administrative passwords using a mixture of lowercase letters, uppercase letters, and numbers. You can also configure Minimum Password Complexity settings for all administrators on the firewall.
Use Public Key Authentication (SSH): Select this option to use SSH public key authentication. Click Import Key and browse to select the public key file. The uploaded key appears in the read-only text area.
Supported key file formats are IETF SECSH and OpenSSH. Supported key algorithms are DSA (1,024 bits) and RSA (768 to 4,096 bits).
If the public key authentication fails, the firewall prompts the administrator for a username and password.
Role: Assign a role to this administrator. The role determines what the administrator can view and modify.
If you select Role Based, select a custom role profile from the drop-down. For details, see Device > Admin Roles.
If you select Dynamic, you can select one of the following predefined roles:
- Superuser: Has full access to the firewall and can define new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.
- Superuser (read-only): Has read-only access to the firewall.
- Device administrator: Has full access to all firewall settings except for defining new accounts or virtual systems.
- Device administrator (read-only): Has read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).
- Virtual system administrator: Has full access to specific virtual systems on the firewall (if multiple virtual systems are enabled).
- Virtual system administrator (read-only): Has read-only access to specific virtual systems on the firewall (if multiple virtual systems are enabled).
Virtual System (Virtual system administrator role only): Click Add to select the virtual systems that the administrator can manage.
Password Profile: Select the password profile, if applicable. To create a new password profile, see Device > Password Profiles.
Device > Admin Roles
To define Admin Role profiles for Panorama administrators, see Panorama > Managed Devices.
The firewall has three predefined roles you can use for common criteria purposes. You first use the superuser role for initial firewall configuration and to create the administrator accounts for the Security Administrator, Audit Administrator, and Cryptographic Administrator. After you create these accounts and apply the proper common criteria Admin Roles, you then log in using those accounts. The default superuser account in Federal Information Processing Standard (FIPS)/Common Criteria (CC) (FIPS-CC) mode is admin and has a default password of paloalto. In standard operating mode, the default admin password is admin. The predefined Admin Roles were created so that there is no overlap in capabilities, except that all have read-only access to the audit trail (the audit administrator has full read/delete access). These admin roles cannot be modified and are defined as follows:
- auditadmin: The Audit Administrator is responsible for the regular review of the firewall's audit data.
- cryptoadmin: The Cryptographic Administrator is responsible for the configuration and maintenance of cryptographic elements related to the establishment of secure connections to the firewall.
- securityadmin: The Security Administrator is responsible for all other administrative tasks (e.g. creating Security policy) not addressed by the other two administrative roles.
To add an Admin Role profile, click Add and specify the settings described in the following table.
Administrator Role Settings  Description
Name: Enter a name to identify this administrator role (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description: (Optional) Enter a description for the role (up to 255 characters).
Role: Select the scope of administrative responsibility:
- Device: The role applies to the entire firewall, regardless of whether it has more than one virtual system (vsys).
- Virtual System: The role applies to specific virtual systems on the firewall. You select the virtual systems when you create administrative accounts (Device > Administrators).
Command Line: Select the type of role for CLI access. The default is None, which means access to the CLI is not permitted. The other options vary by Role scope:
Device
- superuser: Has full access to the firewall and can define new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.
- superreader: Has read-only access to the firewall.
- deviceadmin: Has full access to all firewall settings except for defining new accounts or virtual systems.
- devicereader: Has read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).
Virtual System
- vsysadmin: Has full access to specific virtual systems on the firewall.
- vsysreader: Has read-only access to specific virtual systems on the firewall.
Device > Access Domain
Configure access domains to restrict administrator access to specific virtual systems on the firewall. The firewall supports access domains only if you use a RADIUS, TACACS+, or SAML identity provider (IdP) server to manage administrator authentication and authorization. To enable access domains, you must define:
- A server profile for the external authentication server. See Device > Server Profiles > RADIUS, Device > Server Profiles > TACACS+, and Device > Server Profiles > SAML Identity Provider.
- RADIUS Vendor-Specific Attributes (VSAs), TACACS+ VSAs, or SAML attributes.
When an administrator attempts to log in to the firewall, the firewall queries the external server for the access domain of the administrator. The external server returns the associated domain and the firewall then restricts the administrator to the virtual systems that you specified in the access domain. If the firewall does not use an external server for authenticating and authorizing administrators, the Device > Access Domain settings are ignored.
On Panorama, you can manage access domains locally or by using RADIUS VSAs, TACACS+ VSAs, or SAML attributes (see Panorama > Access Domains).
Access Domain Settings  Description
Name: Enter a name for the access domain (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, hyphens, underscores, and periods.
Virtual Systems: Select virtual systems in the Available column and Add them.
Access Domains are only supported on firewalls that support virtual systems.
Device > Authentication Profile
Use this page to configure settings for authenticating administrators and end users. The firewall and Panorama support local, RADIUS, TACACS+, LDAP, Kerberos, SAML 2.0, and multi-factor authentication (MFA) services.
You can also use this page to register a firewall or Panorama service (such as administrative access to the web interface) with a SAML identity provider (IdP). Registering the service enables the firewall or Panorama to use the IdP for authenticating users who request the service. You register a service by entering its SAML metadata on the IdP. The firewall and Panorama make registration easy by automatically generating a SAML metadata file based on the authentication profile that you assigned to the service; you can export this metadata file to the IdP.
- Configure an Authentication Profile
- Export SAML Metadata from an Authentication Profile

Configure an Authentication Profile
Device > Authentication Profile
Select Device > Authentication Profile or Panorama > Authentication Profile to manage authentication profiles. To create a new profile, Add one and complete the following fields.
After configuring an authentication profile, use the test authentication CLI command to determine whether the firewall or Panorama management server can communicate with the backend authentication server and whether the authentication request succeeded. You can perform authentication tests on the candidate configuration to determine whether the configuration is correct before you commit.
Authentication Profile Settings  Description
Name: Enter a name to identify the profile. The name is case-sensitive, can have up to 31 characters, and can include only letters, numbers, spaces, hyphens, underscores, and periods. The name must be unique in the current Location (firewall or virtual system) relative to other authentication profiles and to authentication sequences.
In a firewall that is in multiple virtual systems mode, if the Location of the authentication profile is a virtual system, don't enter the same name as an authentication sequence in the Shared location. Similarly, if the profile Location is Shared, don't enter the same name as a sequence in a virtual system. While you can commit an authentication profile and sequence with the same names in these cases, it can result in reference errors.
Location: Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.
Authentication Tab
The firewall invokes the authentication service that you configure in this tab before invoking any multi-factor authentication (MFA) services that you add in the Factors Tab.
If the firewall integrates with an MFA vendor through RADIUS instead of the vendor API, you must configure a RADIUS server profile for that vendor, not an MFA server profile.
Type: Select the type of service that provides the first (and optionally only) authentication challenge that users see. Based on your selection, the dialog displays other settings that you define for the service. The options are:
- None: Do not use any authentication.
- Local Database: Use the local authentication database on the firewall. This option is not available on Panorama.
- RADIUS: Use a Remote Authentication Dial-In User Service (RADIUS) server.
- TACACS+: Use a Terminal Access Controller Access-Control System Plus (TACACS+) server.
- LDAP: Use a Lightweight Directory Access Protocol (LDAP) server.
- Kerberos: Use a Kerberos server.
- SAML: Use a Security Assertion Markup Language 2.0 (SAML 2.0) identity provider (IdP). Administrators can use SAML to authenticate to the firewall or Panorama web interface but not to the CLI.
Server Profile (RADIUS, TACACS+, LDAP, or Kerberos only): Select the authentication server profile from the drop-down. See Device > Server Profiles > RADIUS, Device > Server Profiles > TACACS+, Device > Server Profiles > LDAP, or Device > Server Profiles > Kerberos.
IdP Server Profile (SAML only): Select the SAML Identity Provider server profile from the drop-down. See Device > Server Profiles > SAML Identity Provider.
Retrieve user group from RADIUS (RADIUS only): Select this option to collect user group information from Vendor-Specific Attributes (VSAs) defined on the RADIUS server. The firewall uses the information to match authenticating users against Allow List entries, not for enforcing policies or generating reports.
Retrieve user group from TACACS+ (TACACS+ only): Select this option to collect user group information from Vendor-Specific Attributes (VSAs) defined on the TACACS+ server. The firewall uses the information to match authenticating users against Allow List entries, not for enforcing policies or generating reports.
Login Attribute (LDAP only): Enter an LDAP directory attribute that uniquely identifies the user and functions as the login ID for that user.
Password Expiry Warning (LDAP only): If the authentication profile is for GlobalProtect users, enter the number of days before password expiration to start displaying notification messages to users to alert them that their passwords are expiring in x number of days. By default, notification messages will display seven days before password expiry (range is 1 to 255). Users will not be able to access the VPN if their passwords expire.
Consider configuring the GlobalProtect agents to use the pre-logon connection method. This will enable users to connect to the domain to change their passwords even after the password has expired.
If users allow their passwords to expire, the administrator can assign a temporary LDAP password to enable users to log in to the VPN. In this workflow, we recommend setting the Authentication Modifier in the portal configuration to Cookie authentication for config refresh (otherwise, the temporary password will be used to authenticate to the portal, but the gateway login will fail, preventing VPN access).
Certificate for Signing Requests (SAML only): Select the certificate that the firewall will use to sign SAML messages that it sends to the identity provider (IdP). This field is required if you enable the Sign SAML Message to IdP option in the IdP Server Profile (see Device > Server Profiles > SAML Identity Provider). Otherwise, selecting a certificate to sign SAML messages is optional.
When generating or importing a certificate and its associated private key, the key usage attributes specified in the certificate control how you can use the key:
- If the certificate explicitly lists key usage attributes, one of the attributes must be Digital Signature, which is not available in certificates that you generate on the firewall. In this case, you must Import the certificate and key from your enterprise certificate authority (CA) or a third-party CA.
- If the certificate doesn't specify key usage attributes, you can use the key for any purpose, including signing messages. In this case, you can use any method to obtain the certificate and key for signing SAML messages.
Palo Alto Networks recommends using a signing certificate to ensure the integrity of SAML messages sent to the IdP.
Enable Single Logout (SAML only): Select this option to enable users to log out of every authenticated service by logging out of any single service. Single logout (SLO) applies only to services that users accessed through SAML authentication. The services can be external to your organization or internal (such as the firewall web interface). This option applies only if you entered an Identity Provider SLO URL in the IdP Server Profile. You cannot enable SLO for Captive Portal users.
After logging out users, the firewall automatically removes their IP address-to-username mappings.
Certificate Profile (SAML only): Select the Certificate Profile that the firewall will use to validate:
- The Identity Provider Certificate specified in the IdP Server Profile. The IdP uses this certificate to authenticate to the firewall. The firewall validates the certificate when you Commit the authentication profile configuration.
- SAML messages that the IdP sends to the firewall for single sign-on (SSO) and single logout (SLO) authentication. The IdP uses the Identity Provider Certificate specified in the IdP Server Profile to sign the messages.
See Device > Certificate Management > Certificate Profile.
Username Attribute (SAML only): Enter the SAML attribute that identifies the username of an authenticating user in messages from the IdP (default is username). If the IdP Server Profile contains metadata that specifies a username attribute, the firewall automatically populates this field with that attribute. The firewall matches usernames retrieved from SAML messages with users and user groups in the Allow List of the authentication profile. Because you cannot configure the firewall to modify the domain/username string that a user enters during SAML logins, the login username must exactly match an Allow List entry. This is the only SAML attribute that is mandatory.
SAML messages might display the username in the subject field. The firewall automatically checks the subject field if the username attribute doesn't display the username.
UserGroupAttribute EntertheSAMLattributethatidentifiestheusergroupofanauthenticatinguserin
(SAMLonly) messagesfromtheIdP(defaultisusergroup).IftheIdP Server Profilecontainsmetadata
thatspecifiesausergroupattribute,thefieldautomaticallyusesthatattribute.Thefirewall
usesthegroupinformationtomatchauthenticatingusersagainstAllow Listentries,notfor
policiesorreports.
AdminRoleAttribute EntertheSAMLattributethatidentifiestheadministratorroleofanauthenticatinguserin
(SAMLonly) messagesfromtheIdP(defaultisadmin-role).Thisattributeappliesonlytofirewall
administrators,nottoendusers.IftheIdP Server Profilecontainsmetadatathatspecifies
anadminroleattribute,thefirewallautomaticallypopulatesthisfieldwiththatattribute.
Thefirewallmatchesitspredefined(dynamic)rolesorAdminRoleprofileswiththeroles
retrievedfromSAMLmessagestoenforcerolebasedaccesscontrol.IfaSAMLmessagehas
multipleadminrolevaluesforanadministratorwithonlyonerole,matchingappliesonlyto
thefirst(leftmost)valueintheadminroleattribute.Foranadministratorwithmorethan
onerole,thematchingcanapplytomultiplevaluesintheattribute.
AccessDomainAttribute EntertheSAMLattributethatidentifiestheaccessdomainofanauthenticatinguserin
(SAMLonly) messagesfromtheIdP(defaultisaccess-domain).Thisattributeappliesonlytofirewall
administrators,nottoendusers.IftheIdP Server Profilecontainsmetadatathatspecifies
anaccessdomainattribute,thefirewallautomaticallypopulatesthisfieldwiththat
attribute.Thefirewallmatchesitslocallyconfiguredaccessdomainswiththoseretrieved
fromSAMLmessagestoenforceaccesscontrol.IfaSAMLmessagehasmultiple
accessdomainvaluesforanadministratorwithonlyoneaccessdomain,matchingapplies
onlytothefirst(leftmost)valueintheaccessdomainattribute.Foranadministratorwith
morethanoneaccessdomain,thematchingcanapplytomultiplevaluesintheattribute.
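The attribute handling described above (username attribute with the subject-field fallback, the multi-valued admin-role attribute, and the first-value rule for single-role administrators), shown as an added Python example. This is not PAN-OS code: the assertion is a constructed, unsigned sample, the attribute names are the page's defaults, and the "single-role administrator" flag is an assumption about how the local administrator account is configured. A real consumer must verify the IdP signature on the assertion before trusting any attribute it carries.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion containing only the parts a profile
# reads. No "username" attribute is present, so the subject NameID is used.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2017-02-06T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid/saml</saml:Issuer>
  <saml:Subject><saml:NameID>admin1</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="usergroup">
      <saml:AttributeValue>fw-admins</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="admin-role">
      <saml:AttributeValue>superreader</saml:AttributeValue>
      <saml:AttributeValue>superuser</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="access-domain">
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def read_attributes(assertion_xml):
    """Return {attribute name: [values in document order]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def subject_name_id(assertion_xml):
    """The NameID in the subject field, or None when absent."""
    node = ET.fromstring(assertion_xml).find(".//saml:Subject/saml:NameID", SAML_NS)
    return node.text.strip() if node is not None and node.text else None


def resolve_username(assertion_xml, username_attribute="username"):
    """Username attribute first; fall back to the subject NameID when the
    attribute is missing or empty, as the profile description states."""
    values = read_attributes(assertion_xml).get(username_attribute, [])
    return values[0] if values else subject_name_id(assertion_xml)


def candidate_roles(saml_values, single_role_admin):
    """Values that take part in role matching: only the leftmost value for an
    administrator configured with one role, every value otherwise."""
    return saml_values[:1] if single_role_admin else list(saml_values)


def matched_roles(saml_values, local_roles, single_role_admin):
    """Roles the firewall would enforce: candidates that exist locally."""
    return [r for r in candidate_roles(saml_values, single_role_admin) if r in local_roles]
```

The same two helpers apply unchanged to the access-domain attribute, whose leftmost-value rule is identical. Parsing untrusted XML with the standard library is acceptable here only because the sample is constructed; for IdP-supplied messages, signature verification comes first and a hardened parser (for example defusedxml) is prudent.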
Factors Tab

Enable Additional Authentication Factors: Select this option if you want the firewall to invoke additional authentication factors (challenges) after users successfully respond to the first factor (specified in the Type field on the Authentication tab). This option is available only for end users, not for firewall administrators. After configuring an authentication profile that uses multi-factor authentication (MFA), you must assign it to an authentication enforcement object (Objects > Authentication) and assign the object to the Authentication policy rules (Policies > Authentication) that control access to your network resources.

Factors: Add an MFA server profile (Device > Server Profiles > Multi Factor Authentication) for each authentication factor that the firewall will invoke after users successfully respond to the first factor (specified in the Type field on the Authentication tab). The firewall invokes each factor in the top-to-bottom order in which you list the MFA services that provide the factors. To change the order, select a server profile and Move Up or Move Down. You can specify up to three additional factors. Each MFA service provides one factor. Some MFA services let users choose one factor from a list of several. The firewall integrates with these MFA services through vendor APIs.

Advanced Tab

Allow List: Click Add and select all or select the specific users and groups that can authenticate with this profile. When a user authenticates, the firewall matches the associated username or group against the entries in this list. If you don't add entries, no users can authenticate.
If you entered a User Domain value, you don't need to specify domains in the Allow List. For example, if the User Domain is businessinc and you want to add user admin1 to the Allow List, entering admin1 has the same effect as entering businessinc\admin1. You can specify groups that already exist in your directory service or specify custom groups based on LDAP filters.

Failed Attempts (all authentication types except SAML): Enter the number of failed successive login attempts (range is 0 to 10; default is 0) that the firewall allows before locking out the user account. A value of 0 specifies unlimited login attempts. Limiting login attempts can help protect against brute-force attacks.
If you set the Failed Attempts to a value other than 0 but leave the Lockout Time at 0, the Failed Attempts is ignored and the user is never locked out.

Lockout Time (all authentication types except SAML): Enter the number of minutes (range is 0 to 60; default is 0) for which the firewall locks out a user account after the user reaches the number of Failed Attempts. A value of 0 means the lockout applies until an administrator manually unlocks the user account.
If you set the Lockout Time to a value other than 0 but leave the Failed Attempts at 0, the Lockout Time is ignored and the user is never locked out.
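The Advanced tab semantics above, as an added Python model (not PAN-OS code): Allow List matching with the User Domain shorthand (admin1 and businessinc\admin1 are one entry), an empty Allow List admitting nobody, and the Failed Attempts / Lockout Time accounting following the two notes that either value at 0 makes the other ineffective. Time is an integer minute counter supplied by the caller so the behaviour is deterministic; the class and method names are this example's own.

```python
class AuthGate:
    """Allow List check plus Failed Attempts / Lockout Time accounting."""

    def __init__(self, user_domain, allow_list, failed_attempts=0, lockout_time=0):
        if not 0 <= failed_attempts <= 10:
            raise ValueError("Failed Attempts range is 0 to 10")
        if not 0 <= lockout_time <= 60:
            raise ValueError("Lockout Time range is 0 to 60 minutes")
        self.user_domain = user_domain
        self.failed_attempts = failed_attempts
        self.lockout_time = lockout_time
        # Entries without a domain inherit the profile's User Domain, so
        # "admin1" and "businessinc\\admin1" normalise to the same tuple.
        self.allow_list = {self._normalize(entry) for entry in allow_list}
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> minute at which the lock expires

    def _normalize(self, name):
        if "\\" in name:
            domain, _, user = name.partition("\\")
        else:
            domain, user = self.user_domain, name
        return (domain.lower(), user)

    def allowed(self, name):
        # An empty Allow List means no user can authenticate.
        return bool(self.allow_list) and self._normalize(name) in self.allow_list

    def lockout_enabled(self):
        # Either value at 0 makes the other one ineffective (the two notes above).
        return self.failed_attempts != 0 and self.lockout_time != 0

    def is_locked(self, name, now):
        until = self._locked_until.get(name)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[name]
            return False
        return True

    def admin_unlock(self, name):
        """Manual unlock by an administrator."""
        self._locked_until.pop(name, None)
        self._failures.pop(name, None)

    def attempt(self, name, credential_ok, now):
        """Outcome of one login attempt: 'locked', 'failed', 'not-allowed' or 'ok'."""
        if self.is_locked(name, now):
            return "locked"
        if not credential_ok:
            if not self.lockout_enabled():
                return "failed"
            count = self._failures.get(name, 0) + 1
            if count >= self.failed_attempts:
                # Reaching the limit starts the lockout and resets the counter.
                self._failures.pop(name, None)
                self._locked_until[name] = now + self.lockout_time
                return "locked"
            self._failures[name] = count
            return "failed"
        # Successful credential check: the Allow List decides.
        self._failures.pop(name, None)
        return "ok" if self.allowed(name) else "not-allowed"
```

Note that a correct password during the lockout window is still rejected, which is the property that makes the lockout useful against credential guessing; the counter only resets on success after the window has expired or after admin_unlock.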
Export SAML Metadata from an Authentication Profile

Device > Authentication Profile

The firewall and Panorama can use a SAML identity provider (IdP) to authenticate users who request services. For administrators, the service can be access to the web interface. For end users, the service can be Captive Portal or GlobalProtect, which enable access to your network resources. To enable SAML authentication for a service, you must register that service by entering specific information about it on the IdP in the form of SAML metadata. The firewall and Panorama simplify registration by automatically generating a SAML metadata file based on the authentication profile that you assigned to the service, and you can export this metadata file to the IdP. Exporting the metadata is an easier alternative to typing the values for each metadata field in the IdP.

Some of the metadata in the exported file derives from the SAML IdP server profile assigned to the authentication profile (Device > Server Profiles > SAML Identity Provider). However, the exported file always specifies POST as the HTTP binding method, regardless of the method specified in the SAML IdP server profile. The IdP will use the POST method to send SAML messages to the firewall or Panorama.

To export SAML metadata from an authentication profile, click the SAML Metadata link in the Authentication column and complete the following fields. To import the metadata file into an IdP, refer to your IdP documentation.

SAML Metadata Export Settings

Commands: Select the service for which you want to export SAML metadata:
- management (default): Provides administrator access to the web interface.
- captive-portal: Provides end user access to network resources through Captive Portal.
- global-protect: Provides end user access to network resources through GlobalProtect.
Your selection determines which other fields the dialog displays.

IP Hostname (Captive Portal or GlobalProtect only): Enter the IP address or hostname of the service.
- Captive Portal: Enter the Redirect Host IP address or hostname (Device > User Identification > Captive Portal Settings).
- GlobalProtect: Enter the Hostname or IP Address of the GlobalProtect portal.
If you enter a hostname, the DNS server must have an address (A) record that maps to the IP address.
Device > Authentication Sequence

Device > Authentication Sequence
Panorama > Authentication Sequence

In some environments, user accounts reside in multiple directories (such as LDAP and RADIUS). An authentication sequence is a set of authentication profiles that the firewall tries to use for authenticating users when they log in. The firewall tries the profiles sequentially from the top of the list to the bottom, applying the authentication, Kerberos single sign-on, allow list, and account lockout values for each until one profile successfully authenticates the user. The firewall only denies access if all profiles in the sequence fail to authenticate. For details on authentication profiles, see Device > Authentication Profile.

Authentication Sequence Settings

Name: Enter a name to identify the sequence. The name is case-sensitive, can have up to 31 characters, and can include only letters, numbers, spaces, hyphens, underscores, and periods. The name must be unique in the current Location (firewall or virtual system) relative to other authentication sequences and to authentication profiles.
In a firewall that has multiple virtual systems, if the Location of the authentication sequence is a virtual system (vsys), don't enter the same name as an authentication profile in the Shared location. Similarly, if the sequence Location is Shared, don't enter the same name as a profile in a vsys. While you can commit an authentication sequence and profile with the same names in these cases, reference errors might occur.

Location: Select the scope in which the sequence is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the sequence, you can't change its Location.

Use domain to determine authentication profile: Select this option (selected by default) if you want the firewall to match the domain name that a user enters during login with the User Domain or Kerberos Realm of an authentication profile associated with the sequence and then use that profile to authenticate the user. The user input that the firewall uses for matching can be the text preceding the username (with a backslash separator) or the text following the username (with a @ separator). If the firewall does not find a match, it tries the authentication profiles in the sequence in top-to-bottom order.

Authentication Profiles: Click Add and select from the drop-down for each authentication profile you want to add to the sequence. To change the list order, select a profile and click Move Up or Move Down. To remove a profile, select it and click Delete.
You cannot add an authentication profile that specifies a multi-factor authentication (MFA) server profile or a Security Assertion Markup Language (SAML) Identity Provider server profile.
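The profile-selection rule of an authentication sequence, as an added Python example (not PAN-OS code): the domain portion of the login (DOMAIN\user or user@domain) is matched against each profile's User Domain or Kerberos Realm, and when no profile matches the sequence is tried top to bottom. The AuthProfile class and its verify callables are constructed stand-ins for the LDAP/RADIUS/Kerberos backends; the example assumes that a matched profile is the only one tried (the page says the firewall "uses that profile") and leaves the per-profile allow list and lockout handling out of scope.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class AuthProfile:
    name: str
    user_domain: str = ""
    kerberos_realm: str = ""
    # Constructed stand-in for the profile's backend: True when the
    # credential is accepted. Hypothetical; a real backend is a server profile.
    verify: Callable[[str, str], bool] = lambda user, secret: False


def split_login(login):
    """Return (domain, username). Accepts DOMAIN\\user and user@domain;
    domain is None when the login carries no domain."""
    if "\\" in login:
        domain, _, user = login.partition("\\")
        return domain, user
    if "@" in login:
        user, _, domain = login.rpartition("@")
        return domain, user
    return None, login


def profiles_to_try(sequence, login, use_domain=True):
    """Profiles in the order the firewall would try them for this login."""
    domain, _ = split_login(login)
    if use_domain and domain:
        wanted = domain.lower()
        for profile in sequence:
            if wanted in (profile.user_domain.lower(), profile.kerberos_realm.lower()):
                return [profile]          # domain match: only that profile is used
    return list(sequence)                 # no match: top-to-bottom order


def authenticate(sequence, login, secret, use_domain=True):
    """Name of the profile that accepted the login, or None when all failed."""
    _, user = split_login(login)
    for profile in profiles_to_try(sequence, login, use_domain):
        if profile.verify(user, secret):
            return profile.name
    return None


# Constructed sample sequence: LDAP for corp\..., Kerberos for ...@LAB.EXAMPLE.COM,
# and a RADIUS profile without a domain as the final fallback.
SEQUENCE: List[AuthProfile] = [
    AuthProfile("corp-ldap", user_domain="corp",
                verify=lambda u, s: (u, s) == ("alice", "ldap-pw")),
    AuthProfile("lab-krb", kerberos_realm="LAB.EXAMPLE.COM",
                verify=lambda u, s: (u, s) == ("bob", "krb-pw")),
    AuthProfile("radius-fallback",
                verify=lambda u, s: (u, s) == ("carol", "radius-pw")),
]
```

A login whose domain matches one profile never reaches the others, which is why a mistyped domain falls through to the full top-to-bottom scan rather than being rejected outright; the outcome for "other\alice" below shows that path.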
Device > VM Information Sources

Use this tab to proactively track changes on the Virtual Machines (VMs) deployed on any of these sources: VMware ESXi server, VMware vCenter server, or the Amazon Web Services Virtual Private Cloud (AWS-VPC).

When monitoring ESXi hosts that are part of the VM-Series NSX edition solution, use Dynamic Address Groups instead of using VM Information Sources to learn about changes in the virtual environment. For the VM-Series NSX edition solution, the NSX Manager provides Panorama with information on the NSX security group to which an IP address belongs. The information from the NSX Manager provides the full context for defining the match criteria in a Dynamic Address Group because it uses the service profile ID as a distinguishing attribute and allows you to properly enforce policy when you have overlapping IP addresses across different NSX security groups.

Up to a maximum of 32 tags (from vCenter server and NSX Manager) can be registered to an IP address.

There are two ways to monitor VM Information Sources:
- The firewall can monitor the VMware ESXi server, VMware vCenter server, and the AWS-VPC environments and retrieve changes as you provision or modify the guests configured on the monitored sources. For each firewall, or for each virtual system on a multiple virtual systems capable firewall, you can configure up to 10 sources.
  If your firewalls are configured in a high availability configuration:
  - in an active/passive setup, only the active firewall monitors the VM information sources.
  - in an active/active setup, only the firewall with the priority value of primary monitors the VM information sources.
  For information on how VM Information Sources and Dynamic Address Groups can work synchronously and enable you to monitor changes in the virtual environment, refer to the VM-Series Deployment Guide.
- For IP address-to-username mapping, you can either configure the VM Information Sources on the Windows User-ID agent or on the firewall to monitor the VMware ESXi and vCenter server and retrieve changes as you provision or modify the guests configured on the server. Up to 100 sources are supported on the Windows User-ID agent; support for AWS is not available for the User-ID agent.

Each VM on a monitored ESXi or vCenter server must have VMware Tools installed and running. VMware Tools provide the capability to glean the IP address(es) and other values assigned to each VM.

To collect the values assigned to the monitored VMs, the firewall monitors the attributes in the following table.

Attributes Monitored on a VMware Source:
- UUID
- Name
- Guest OS
- VM State: the power state can be poweredOff, poweredOn, standBy, and unknown.
- Annotation
- Version
- Network: Virtual Switch Name, Port Group Name, and VLAN ID
- Container Name: vCenter Name, Data Center Object Name, Resource Pool Name, Cluster Name, Host, Host IP address.

Attributes Monitored on the AWS-VPC:
- Architecture
- Guest OS
- Image ID
- Instance ID
- Instance State
- Instance Type
- Key Name
- Placement: Tenancy, Group Name, Availability Zone
- Private DNS Name
- Public DNS Name
- Subnet ID
- Tag (key, value) (up to 18 tags supported per instance)
- VPC ID

Add: To add a new source for VM Monitoring, click Add and then fill in the details based on the source being monitored:
- For VMware ESXi or vCenter Server, see Settings to Enable VM Information Sources for VMware ESXi or vCenter Server.
- For AWS VPC, see Settings to Enable VM Information Sources for AWS VPC.

Refresh Connected: Click to refresh the connection status; it refreshes the on-screen display. This option does not refresh the connection between the firewall and the monitored sources.

Delete: Select a configured VM Information source and click to remove the configured source.

Settings to Enable VM Information Sources for VMware ESXi or vCenter Server

Name: Enter a name to identify the monitored source (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: (Optional) Add a label to identify the location or function of the source.

Port: Specify the port on which the host/source is listening (default port 443).

Enabled: By default the communication between the firewall and the configured source is enabled.
The connection status between the monitored source and the firewall displays in the interface as follows:
- Connected
- Disconnected
- Pending; the connection status also displays as yellow when the monitored source is disabled.
Clear the Enabled option to disable communication between the host and the firewall.

Timeout: Enter the interval in hours after which the connection to the monitored source is closed, if the host does not respond (range is 2-10; default is 2).
(Optional) To change the default value, select this option to Enable timeout when the source is disconnected and specify the value. When the specified limit is reached or if the host is inaccessible or the host does not respond, the firewall will close the connection to the source.

Source: Enter the FQDN or the IP address of the host/source being monitored.

Username: Specify the username required to authenticate to the source.

Password: Enter the password and confirm your entry.

Update Interval: Specify the interval, in seconds, at which the firewall retrieves information from the source (range is 5-600; default is 5).

Settings to Enable VM Information Sources for AWS VPC

Name: Enter a name to identify the monitored source (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: (Optional) Add a label to identify the location or function of the source.

Enabled: By default the communication between the firewall and the configured source is enabled.
The connection status between the monitored source and the firewall displays in the interface as follows:
- Connected
- Disconnected
- Pending; the connection status also displays as yellow when the monitored source is disabled.
Clear the Enabled option to disable communication between the host and the firewall.

Source: Add the URI in which the Virtual Private Cloud resides. For example, ec2.us-west-1.amazonaws.com.
The syntax is: ec2.<your_AWS_region>.amazonaws.com

Access Key ID: Enter the alphanumeric text string that uniquely identifies the user who owns or is authorized to access the AWS account.
This information is a part of the AWS Security Credentials. The firewall requires the credentials Access Key ID and the Secret Access Key to digitally sign API calls made to the AWS services.

Secret Access Key: Enter the password and confirm your entry.

Update Interval: Specify the interval, in seconds, at which the firewall retrieves information from the source (range is 60 to 1,200; default is 60).

Timeout: The interval in hours after which the connection to the monitored source is closed, if the host does not respond (default is 2).
(Optional) Select this option to Enable timeout when the source is disconnected. When the specified limit is reached or if the source is inaccessible or the source does not respond, the firewall will close the connection to the source.

VPC ID: Enter the ID of the AWS VPC to monitor, for example, vpc-1a2b3c4d. Only EC2 instances that are deployed within this VPC are monitored.
If your account is configured to use a default VPC, the default VPC ID will be listed under AWS Account Attributes.
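What an AWS-VPC poll yields, as an added Python example (not PAN-OS code): a describe_instances-style response is reduced to the attribute set listed in the table above, keyed by private IP address, restricted to the configured VPC ID, with the 18-tag-per-instance limit applied, and a second helper reports which IP addresses changed between two polls. The response is constructed inline and mirrors the shape boto3's ec2.describe_instances() returns; the Guest OS value is approximated from the Platform field (present only for Windows instances), which is an assumption of this example.

```python
MAX_TAGS_PER_INSTANCE = 18   # limit stated in the attribute table
VPC_ID = "vpc-1a2b3c4d"      # the VPC ID the source is configured with


def _instance(instance_id, ip, vpc, state, tags):
    """Build one constructed instance record in describe_instances layout."""
    return {
        "InstanceId": instance_id, "ImageId": "ami-0constructed", "InstanceType": "t3.micro",
        "State": {"Name": state}, "Architecture": "x86_64", "KeyName": "ops-key",
        "Placement": {"AvailabilityZone": "us-west-1a", "GroupName": "", "Tenancy": "default"},
        "PrivateDnsName": f"ip-{ip.replace('.', '-')}.us-west-1.compute.internal",
        "PublicDnsName": "", "SubnetId": "subnet-0constructed", "VpcId": vpc,
        "PrivateIpAddress": ip, "Tags": tags,
    }


# Constructed sample: two instances in the monitored VPC (one with more tags
# than the firewall registers) and one in another VPC that must be ignored.
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [
    _instance("i-0aaa", "10.0.1.10", VPC_ID, "running",
              [{"Key": "env", "Value": "prod"}, {"Key": "role", "Value": "web"}]),
    _instance("i-0bbb", "10.0.2.20", VPC_ID, "running",
              [{"Key": f"k{i:02d}", "Value": str(i)} for i in range(20)]),
    _instance("i-0ccc", "10.9.9.9", "vpc-0other", "running",
              [{"Key": "env", "Value": "lab"}]),
]}]}


def monitored_attributes(response, vpc_id):
    """{private IP: attributes the firewall tracks} for instances in vpc_id."""
    result = {}
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("VpcId") != vpc_id:
                continue                        # only the configured VPC is monitored
            ip = inst.get("PrivateIpAddress")
            if not ip:
                continue                        # nothing to map a policy object to
            placement = inst.get("Placement", {})
            # Deterministic selection of the tags that fit under the limit.
            tags = sorted((t["Key"], t["Value"]) for t in inst.get("Tags", []))
            result[ip] = {
                "Architecture": inst.get("Architecture"),
                "GuestOS": inst.get("Platform", "linux"),   # assumption, see lead-in
                "ImageID": inst.get("ImageId"),
                "InstanceID": inst.get("InstanceId"),
                "InstanceState": inst.get("State", {}).get("Name"),
                "InstanceType": inst.get("InstanceType"),
                "KeyName": inst.get("KeyName"),
                "Placement": {k: placement.get(k) for k in ("Tenancy", "GroupName", "AvailabilityZone")},
                "PrivateDNSName": inst.get("PrivateDnsName"),
                "PublicDNSName": inst.get("PublicDnsName"),
                "SubnetID": inst.get("SubnetId"),
                "Tags": dict(tags[:MAX_TAGS_PER_INSTANCE]),
                "VPCID": inst.get("VpcId"),
            }
    return result


def changed_since(previous, current):
    """IP addresses that appeared, disappeared or changed attributes between polls."""
    appeared_or_gone = set(previous) ^ set(current)
    modified = {ip for ip in set(previous) & set(current) if previous[ip] != current[ip]}
    return sorted(appeared_or_gone | modified)
```

The diff function is what makes the Update Interval meaningful: only the IP addresses it returns need their Dynamic Address Group membership re-evaluated, and an instance whose tags exceed the limit is registered with a stable subset rather than a random one.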
Device > Virtual Systems

A virtual system (vsys) is an independent (virtual) firewall instance that you can separately manage within a physical firewall. Each vsys can be an independent firewall with its own Security policy, interfaces, and administrators; a vsys enables you to segment the administration of all policies, reporting, and visibility functions that the firewall provides. For example, if you want to customize the security features for the traffic that is associated with your Finance department, you can define a Finance vsys and then define security policies that pertain only to that department. To optimize policy administration, you can maintain separate administrator accounts for overall firewall and network functions while creating vsys administrator accounts that allow access to individual vsys. This allows the vsys administrator in the Finance department to manage the security policies only for that department.

Networking functions, including static and dynamic routing, pertain to an entire firewall and all its vsys; vsys do not control firewall and network level functions. For each vsys, you can specify a collection of physical and logical firewall interfaces (including VLANs and virtual wires) and security zones. If you require routing segmentation for each vsys, you must create/assign additional virtual routers and assign interfaces, VLANs, and virtual wires as needed.

If you use a Panorama template to define vsys, you can set one vsys as the default. The default vsys and Multiple Virtual Systems mode determine whether firewalls accept vsys-specific configurations during a template commit:
- Firewalls that are in Multiple Virtual Systems mode accept vsys-specific configurations for all vsys that are defined in the template.
- Firewalls that are not in Multiple Virtual Systems mode accept vsys-specific configurations only for the default vsys. If you do not set a vsys as the default, these firewalls accept no vsys-specific configurations.

PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls support multiple virtual systems; however, PA-3000 Series firewalls require a license for enabling multiple virtual systems. The PA-200 and PA-220, PA-500, and PA-800 Series firewalls do not support multiple virtual systems.

Before enabling multiple vsys, consider the following:
- A vsys administrator creates and manages all items needed for policies.
- Zones are objects within vsys. Before defining a policy or policy object, select the Virtual System from the drop-down on the Policies or Objects tab.
- You can set remote logging destinations (SNMP, syslog, and email), applications, services, and profiles to be available to all vsys (shared) or to a single vsys.
- You can configure global (to all vsys on a firewall) or vsys-specific service routes (see Device > Setup > Services).

Before defining vsys, you must first enable the multiple vsys capability on the firewall: select Device > Setup > Management, edit the General Settings, select Multi Virtual System Capability, and click OK. This adds a Device > Virtual Systems page. Select the page, click Add, and specify the following information.

Virtual System Settings

ID: Enter an integer identifier for the vsys. Refer to the datasheet for your firewall model for information on the number of supported vsys.
If you use a Panorama template to configure the vsys, this field does not appear.

Name: Enter a name (up to 31 characters) to identify the vsys. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
If you use a Panorama template to push vsys configurations, the vsys name in the template must match the vsys name on the firewall.

Allow Forwarding of Decrypted Content: Select this option to allow the virtual system to forward decrypted content to an outside service when port mirroring or sending WildFire files for analysis. For information on Decryption Port Mirroring, see Decryption Port Mirroring.

Resource Tab: Specify the resource limits allowed for this vsys:
- Sessions Limit: Maximum number of sessions.
- Security Rules: Maximum number of security rules.
- NAT Rules: Maximum number of NAT rules.
- Decryption Rules: Maximum number of decryption rules.
- QoS Rules: Maximum number of QoS rules.
- Application Override Rules: Maximum number of application override rules.
- Policy Based Forwarding Rules: Maximum number of policy-based forwarding (PBF) rules.
- Captive Portal Rules: Maximum number of captive portal (CP) rules.
- DoS Protection Rules: Maximum number of denial-of-service (DoS) rules.
- Site to Site VPN Tunnels: Maximum number of site-to-site VPN tunnels.
- Concurrent GlobalProtect Tunnels: Maximum number of concurrent remote GlobalProtect users.
Device > Shared Gateways

Shared gateways allow multiple virtual systems to share a single interface for external communication (typically connected to a common upstream network such as an Internet Service Provider). All of the virtual systems communicate with the outside world through the physical interface using a single IP address. A single virtual router is used to route traffic for all of the virtual systems through the shared gateway.

Shared gateways use Layer 3 interfaces, and at least one Layer 3 interface must be configured as a shared gateway. Communications originating in a virtual system and exiting the firewall through a shared gateway require similar policy to communications passing between two virtual systems. You could configure an External vsys zone to define security rules in the virtual system.

Shared Gateway Settings

ID: Identifier for the gateway (not used by the firewall).

Name: Enter a name for the shared gateway (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. Only the name is required.

DNS Proxy: (Optional) If a DNS proxy is configured, select which DNS server(s) to use for domain name queries.

Interfaces: Select the interfaces the shared gateway will use.
Device > Certificate Management

- Device > Certificate Management > Certificates
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion

Device > Certificate Management > Certificates

For more information on how to implement certificates on the firewall and Panorama, refer to Certificate Management.

- Manage Firewall and Panorama Certificates
- Manage Default Trusted Certificate Authorities
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Master Key and Diagnostics
Manage Firewall and Panorama Certificates

Device > Certificate Management > Certificates > Device Certificates
Panorama > Certificate Management > Certificates

Select Device > Certificate Management > Certificates > Device Certificates or Panorama > Certificate Management > Certificates > Device Certificates to display the certificates that the firewall or Panorama uses for tasks such as securing access to the web interface, SSL decryption, or LSVPN.

The following are some uses for certificates. Define the usage of the certificate after you generate it (see Manage Default Trusted Certificate Authorities).
- Forward Trust: The firewall uses this certificate to sign a copy of the server certificate that the firewall presents to clients during SSL Forward Proxy decryption when the certificate authority (CA) that signed the server certificate is in the trusted CA list on the firewall.
- Forward Untrust: The firewall uses this certificate to sign a copy of the server certificate the firewall presents to clients during SSL Forward Proxy decryption when the CA that signed the server certificate is not in the trusted CA list on the firewall.
- Trusted Root CA: The firewall uses this certificate as a trusted CA for SSL Forward Proxy decryption, GlobalProtect, URL Admin Override, and Captive Portal. The firewall has a large list of existing trusted CAs. The trusted root CA certificate is for additional CAs that your organization trusts but that are not part of the pre-installed trusted list.
- SSL Exclude: The firewall uses this certificate if you configure decryption exceptions to exclude specific servers from SSL/TLS decryption.
- Certificate for Secure Syslog: The firewall uses this certificate to secure the delivery of logs as syslog messages to a syslog server.

To generate a certificate, click Generate and specify the following fields:

Settings to Generate a Certificate

Certificate Type: Select the entity that generates the certificate:
- Local: The firewall or Panorama generates the certificate.
- SCEP: A Simple Certificate Enrollment Protocol (SCEP) server generates the certificate and sends it to the firewall or Panorama.

Certificate Name: (Required) Enter a name (up to 31 characters) to identify the certificate. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Common Name: (Required) Enter the IP address or FQDN that will appear on the certificate.

Shared: On a firewall that has more than one virtual system (vsys), select Shared if you want the certificate to be available to every vsys.

Signed By: To sign the certificate, you can use a certificate authority (CA) certificate that you imported into the firewall. The certificate can also be self-signed, in which case the firewall is the CA. If you are using Panorama, you also have the option of generating a self-signed certificate for Panorama.
If you imported CA certificates or issued any on the firewall (self-signed), the drop-down includes the CAs available to sign the certificate that you are creating.
To generate a certificate signing request (CSR), select External Authority (CSR). After the firewall generates the certificate and the key pair, you can export the CSR and send it to the CA for signing.

Certificate Authority: Select this option if you want the firewall to issue the certificate. Marking this certificate as a CA allows you to use this certificate to sign other certificates on the firewall.

OCSP Responder: Select an OCSP responder profile from the drop-down (see Device > Certificate Management > OCSP Responder). The corresponding host name appears in the certificate.

Number of Bits: Select the key length for the certificate.
If the firewall is in FIPS-CC mode and the key generation Algorithm is RSA, the RSA keys generated must be 2048 or 3027 bits. If the Algorithm is Elliptic Curve DSA, both key length options (256 and 384) work.

Digest: Select the Digest algorithm for the certificate. The available options depend on the key generation Algorithm:
- RSA: MD5, SHA1, SHA256, SHA384, or SHA512
- Elliptic Curve DSA: SHA256 or SHA384
If the firewall is in FIPS-CC mode and the key generation Algorithm is RSA, you must select SHA256, SHA384, or SHA512 as the Digest algorithm. If the Algorithm is Elliptic Curve DSA, both Digest algorithms (SHA256 and SHA384) work.

Expiration (days): Specify the number of days (default is 365) that the certificate will be valid.
If you specify a Validity Period in a GlobalProtect satellite configuration, that value will override the value entered in this field.

If you configured a hardware security module (HSM), the private keys are stored on the external HSM storage, not on the firewall.

After you generate the certificate, its details display on the page.

Other Supported Actions to Manage Certificates

Delete: Select the certificate and Delete it.
If the firewall has a decryption policy, you cannot delete a certificate for which usage is set to Forward Trust Certificate or Forward Untrust Certificate. To change the certificate usage, see Manage Default Trusted Certificate Authorities.

Revoke: Select the certificate that you want to revoke, and click Revoke. The certificate will be instantly set to revoked status. No commit is required.

Renew: In case a certificate expires or is about to expire, select the corresponding certificate and click Renew. Set the validity period (in days) for the certificate and click OK.
If the firewall is the CA that issued the certificate, the firewall replaces it with a new certificate that has a different serial number but the same attributes as the old certificate.
If an external certificate authority (CA) signed the certificate and the firewall uses the Online Certificate Status Protocol (OCSP) to verify certificate revocation status, the firewall uses the OCSP responder information to update the certificate status.

Import: Import a certificate and configure as follows:
- Enter Certificate Name to identify the certificate.
- Browse to the certificate file. If you import a PKCS12 certificate and private key, a single file contains both. If you import a PEM certificate, the file contains only the certificate.
- Select the File Format for the certificate.
- Select Private key resides on Hardware Security Module if an HSM stores the key for this certificate. For HSM details, see Device > Setup > HSM.
- Import private key as needed (PEM format only). If you selected PKCS12 as the certificate File Format, the selected Certificate File includes the key. If you selected the PEM format, browse to the encrypted private key file (generally named *.key). For both formats, enter the Passphrase and Confirm Passphrase.
When you import a certificate to a Palo Alto Networks firewall or Panorama server that is in FIPS-CC mode, you must import the certificate as a Base64 Encoded Certificate (PEM) and you must encrypt the private key with AES. Also, you must use SHA1 as the passphrase-based key derivation method.
To import a PKCS12 certificate, convert the certificate to the PEM format (using a tool such as OpenSSL); ensure that the password phrase you use during conversion is at least six characters.

Export: Select the certificate you want to export, click Export, and select a File Format:
- Encrypted Private Key and Certificate (PKCS12): The exported file will contain both the certificate and private key.
- Base64 Encoded Certificate (PEM): If you want to export the private key also, select Export Private Key and enter a Passphrase and Confirm Passphrase.
- Binary Encoded Certificate (DER): You can export only the certificate, not the key: ignore Export Private Key and the passphrase fields.

Import HA Key / Export HA Key: The HA keys must be swapped across both the firewall peers; that is, the key from firewall 1 must be exported and then imported into firewall 2 and vice versa.
To import keys for high availability (HA), click Import HA Key and Browse to specify the key file for import.
To export keys for HA, click Export HA Key and specify a location to save the file.

Define the usage of the certificate: In the Name column, select the certificate and then select options appropriate for how you plan to use the certificate.
Manage Default Trusted Certificate Authorities

Device > Certificate Management > Certificates > Default Trusted Certificate Authorities

Use this page to view, disable, or export the pre-included certificate authorities (CAs) that the firewall trusts. For each CA, the name, subject, issuer, expiration date, and validity status are displayed.
The CA certificates generated on the firewall don't appear in this list; they appear only in the Device > Certificate Management > Certificates > Device Certificates page.

Trusted Certificate Authorities Settings

Enable: If you disabled a CA, you can re-Enable it.

Disable: Select the CA and Disable it. You might use this option to trust only specific CAs or to disable all other CAs and trust only your local CA.

Export: Select and Export the CA certificate. You can import it into another system or view the certificate offline.
Device > Certificate Management > Certificate Profile

Device > Certificate Management > Certificate Profile
Panorama > Certificate Management > Certificate Profiles

Certificate profiles define which certificate authority (CA) certificates to use for verifying client certificates, how to verify certificate revocation status, and how that status constrains access. You select the profiles when configuring certificate authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to firewalls and Panorama. You can configure a separate certificate profile for each of these services.

Certificate Profile Settings

Name: (Required) Enter a name to identify the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location: Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.

Username Field: If GlobalProtect only uses certificates for portal and gateway authentication, PAN-OS uses the certificate field you select in the Username Field drop-down as the username and matches it to the IP address for the User-ID service:
- Subject: PAN-OS uses the common name.
- Subject Alt: PAN-OS uses the Email or Principal Name.
- None: Typically for GlobalProtect device or pre-logon authentication.

Domain: Enter the NetBIOS domain so PAN-OS can map users through User-ID.

Use CRL: Select this option to use a certificate revocation list (CRL) to verify the revocation status of certificates.

Use OCSP: Select this option to use OCSP to verify the revocation status of certificates.
If you select both OCSP and CRL, the firewall first tries OCSP and only falls back to the CRL method if the OCSP responder is unavailable.

CRL Receive Timeout: Specify the interval (1 to 60 seconds) after which the firewall stops waiting for a response from the CRL service.

OCSP Receive Timeout: Specify the interval (1 to 60 seconds) after which the firewall stops waiting for a response from the OCSP responder.

Certificate Status Timeout: Specify the interval (1 to 60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies any session-blocking logic you define.

Block session if certificate status is unknown: Select this option if you want the firewall to block sessions when the OCSP or CRL service returns a certificate revocation status of unknown. Otherwise, the firewall proceeds with the session.

Block sessions if certificate status cannot be retrieved within timeout: Select this option if you want the firewall to block sessions after it registers an OCSP or CRL request timeout. Otherwise, the firewall proceeds with the session.
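The revocation-checking decision a certificate profile makes, as an added Python example (not PAN-OS code): OCSP is consulted first, the CRL is used only when the OCSP responder is unavailable, the receive timeouts and the Certificate Status Timeout bound each query, and the two block-session options decide what happens on an unknown or unretrievable status. The OCSP and CRL "services" are constructed callables that report a status and how long they took, so no network is involved; treating a late answer as a timeout (not as unavailability that triggers CRL fallback) is this example's assumption. The CertificateProfile dataclass and its field names are this example's own.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"          # service answered but does not know the certificate
    TIMEOUT = "timeout"          # no answer within the applicable timeout
    UNAVAILABLE = "unavailable"  # service could not be reached at all
    NOT_CHECKED = "not-checked"  # neither Use OCSP nor Use CRL selected


class Unreachable(Exception):
    """Raised by a service stand-in when it cannot be contacted."""


@dataclass
class CertificateProfile:
    use_ocsp: bool = True
    use_crl: bool = True
    ocsp_receive_timeout: int = 5
    crl_receive_timeout: int = 5
    certificate_status_timeout: int = 5
    block_if_unknown: bool = False
    block_if_timeout: bool = False

    def __post_init__(self):
        for value in (self.ocsp_receive_timeout, self.crl_receive_timeout,
                      self.certificate_status_timeout):
            if not 1 <= value <= 60:
                raise ValueError("timeouts are 1 to 60 seconds")


def _query(service, serial, receive_timeout, status_timeout):
    """service(serial) -> (Status, seconds taken). The stricter timeout applies."""
    status, took = service(serial)
    return Status.TIMEOUT if took > min(receive_timeout, status_timeout) else status


def revocation_status(profile, serial, ocsp=None, crl=None):
    """(Status, source) following the profile's OCSP-first, CRL-fallback order."""
    crl_usable = profile.use_crl and crl is not None
    if profile.use_ocsp and ocsp is not None:
        try:
            return _query(ocsp, serial, profile.ocsp_receive_timeout,
                          profile.certificate_status_timeout), "ocsp"
        except Unreachable:
            if not crl_usable:
                return Status.UNAVAILABLE, "ocsp"
            # responder unavailable: fall back to the CRL method
    if crl_usable:
        try:
            return _query(crl, serial, profile.crl_receive_timeout,
                          profile.certificate_status_timeout), "crl"
        except Unreachable:
            return Status.UNAVAILABLE, "crl"
    return Status.NOT_CHECKED, "none"


def allow_session(profile, serial, ocsp=None, crl=None):
    """Apply the two block-session options to the retrieved status."""
    status, _ = revocation_status(profile, serial, ocsp, crl)
    if status is Status.REVOKED:
        return False
    if status is Status.UNKNOWN:
        return not profile.block_if_unknown
    if status in (Status.TIMEOUT, Status.UNAVAILABLE):
        return not profile.block_if_timeout
    return True


# Constructed service stand-ins; "serial-02" is the revoked certificate.
REVOKED_SERIALS = {"serial-02"}

def ocsp_online(serial):
    return (Status.REVOKED if serial in REVOKED_SERIALS else Status.GOOD, 1)

def ocsp_slow(serial):
    return (Status.GOOD, 30)    # answers after 30 s, past any 5 s timeout

def ocsp_unknown(serial):
    return (Status.UNKNOWN, 1)

def ocsp_down(serial):
    raise Unreachable()

def crl_online(serial):
    return (Status.REVOKED if serial in REVOKED_SERIALS else Status.GOOD, 2)
```

With the defaults (both block options cleared) a slow or unreachable status service fails open, which keeps users working during a PKI outage at the cost of accepting a possibly revoked certificate; the strict profile in the checks below fails closed, which is the setting to prefer for administrative access where availability of the status service is under your control.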
Device > Certificate Management > OCSP Responder

OCSP Responder Settings

Name: Enter a name to identify the responder (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores.

Location: Select the scope in which the responder is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared. After you save the responder, you can't change its Location.

Host Name: Enter the host name (recommended) or IP address of the OCSP responder. From this value, PAN-OS automatically derives a URL and adds it to the certificate being verified. If you configure the firewall as an OCSP responder, the host name must resolve to an IP address in the interface that the firewall uses for OCSP services.
Device > Certificate Management > SSL/TLS Service Profile

Device > Certificate Management > SSL/TLS Service Profile
Panorama > Certificate Management > SSL/TLS Service Profile

SSL/TLS service profiles specify a server certificate and a protocol version or range of versions for firewall or Panorama services that use SSL/TLS (such as administrative access to the web interface). By defining the protocol versions, the profiles enable you to restrict the cipher suites that are available for securing communication with the client systems requesting the services.

In the client systems that request firewall or Panorama services, the certificate trust list (CTL) must include the certificate authority (CA) certificate that issued the certificate specified in the SSL/TLS service profile. Otherwise, users will see a certificate error when requesting the services. Most third-party CA certificates are present by default in client browsers. If an enterprise or firewall-generated CA certificate is the issuer, you must deploy that CA certificate to the CTL in client browsers.

To add a profile, click Add and complete the fields in the following table.

SSL/TLS Service Profile Settings

Name: Enter a name to identify the profile (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores.

Shared: If the firewall has more than one virtual system (vsys), selecting this option makes the profile available on all virtual systems. By default, this option is cleared and the profile is available only for the vsys selected in the Device tab, Location drop-down.

Certificate: Select, import, or generate a certificate to associate with the profile (see Manage Firewall and Panorama Certificates). Do not use certificate authority (CA) certificates for SSL/TLS services; use only signed certificates.

Min Version: Select the earliest TLS version that services to which this profile is assigned can use: TLSv1.0, TLSv1.1, or TLSv1.2.

Max Version: Select the latest TLS version that services to which this profile is assigned can use: TLSv1.0, TLSv1.1, TLSv1.2, or Max (the latest available version).
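As an added example (not code from this guide or from Palo Alto Networks), the following Python models the Min Version and Max Version bounds of an SSL/TLS service profile, shows which versions a client can negotiate against them, and builds an equivalent server-side ssl.SSLContext. The mapping of the profile's version names to ssl.TLSVersion, and treating Max as TLSv1.2 (the newest version the profile can name) inside allowed_versions, are this example's own assumptions.

```python
import ssl
from typing import List, Optional

# Version names exactly as the profile lists them, in ascending order.
ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]

# Mapping to Python's ssl.TLSVersion (an assumption of this example).
PROFILE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def allowed_versions(min_version: str, max_version: str = "Max") -> List[str]:
    """Return the protocol versions a profile with these bounds permits.

    "Max" is the latest available version; within this example that is
    TLSv1.2, the newest version the profile can name explicitly.
    """
    if min_version not in ORDER:
        raise ValueError(f"unknown Min Version {min_version!r}")
    upper = ORDER[-1] if max_version == "Max" else max_version
    if upper not in ORDER:
        raise ValueError(f"unknown Max Version {max_version!r}")
    lo, hi = ORDER.index(min_version), ORDER.index(upper)
    if lo > hi:
        raise ValueError("Min Version must not be newer than Max Version")
    return ORDER[lo:hi + 1]


def negotiable(min_version: str, max_version: str,
               client_versions: List[str]) -> Optional[str]:
    """Highest version both the profile and a client offering client_versions accept.

    None means the handshake fails: the client only speaks versions the
    profile excludes (for example an old client against a TLSv1.2-only profile).
    """
    common = [v for v in allowed_versions(min_version, max_version)
              if v in client_versions]
    return common[-1] if common else None


def build_server_context(min_version: str, max_version: str = "Max") -> ssl.SSLContext:
    """Build a server-side SSLContext that enforces the same version bounds.

    No certificate is loaded here; load_cert_chain() would take the signed
    (non-CA) certificate and key that the profile's Certificate field refers to.
    """
    allowed_versions(min_version, max_version)  # validate the bounds first
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = PROFILE_VERSIONS[min_version]
    ctx.maximum_version = (ssl.TLSVersion.MAXIMUM_SUPPORTED
                           if max_version == "Max"
                           else PROFILE_VERSIONS[max_version])
    return ctx


if __name__ == "__main__":
    # Constructed check: a legacy client that only speaks TLSv1.0/1.1 cannot
    # reach a service bound to a profile with Min Version TLSv1.2.
    print(allowed_versions("TLSv1.2"))                           # ['TLSv1.2']
    print(negotiable("TLSv1.2", "Max", ["TLSv1.0", "TLSv1.1"]))  # None
```

Raising Min Version to TLSv1.2 is the setting that actually removes the weak cipher suites; the context built here enforces the same bound at the library level, so a client that the profile would reject fails the handshake rather than silently downgrading.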
Device > Certificate Management > SCEP

The Simple Certificate Enrollment Protocol (SCEP) provides a mechanism for issuing a unique certificate to endpoints, gateways, and satellite devices. Select Device > Certificate Management > SCEP to create an SCEP configuration.

To start a new SCEP configuration, click Add and then complete the following fields.

SCEP Settings

Name: Specify a descriptive Name to identify this SCEP configuration, such as SCEP_Example. This name distinguishes a SCEP profile from other instances that you might have among the configuration profiles.

Location: Select a Location for the profile if the system has multiple virtual systems. The location identifies where the SCEP configuration is available.

SCEP Challenge: (Optional) To make SCEP-based certificate generation more secure, you can configure a SCEP challenge-response mechanism (a one-time password (OTP)) between the public key infrastructure (PKI) and the portal for each certificate request. After you configure this mechanism, its operation is invisible, and no further input from you is necessary.
The challenge mechanism that you select determines the source of the OTP. If you select Fixed, copy the enrollment challenge password from the SCEP server for the PKI and enter the string in the portal's Password dialog that displays when configured as Fixed. Each time the portal requests a certificate, it uses this password to authenticate with the PKI. If you select Dynamic, you enter the username and password of your choice (possibly the credentials of the PKI administrator) and the SCEP Server URL where the portal client submits these credentials. This username and password remains the same while the SCEP server transparently generates an OTP password for the portal upon each certificate request. (You can see this OTP change after a screen refresh in "The enrollment challenge password is" field upon each certificate request.) The PKI transparently passes each new password to the portal, which then uses the password for its certificate request.
To comply with the U.S. Federal Information Processing Standard (FIPS), select Dynamic, specify a Server URL that uses HTTPS, and enable SCEP Server SSL Authentication. (FIPS-CC operation is indicated on the firewall login page and in the firewall status bar.)

Configuration

Server URL: Enter the URL at which the portal requests and receives client certificates from the SCEP server. Example: http://<hostname or IP>/certsrv/mscep/.

CA-IDENT Name: Enter a string to identify the SCEP server. Maximum length is 255 characters.

Subject: Configure the Subject to include identifying information about the device and optionally user and provide this information in the certificate signing request (CSR) to the SCEP server.
When used to request client certificates for endpoints, the endpoint sends identifying information about the device that includes its host ID value. The host ID value varies by device type, either GUID (Windows), MAC address of the interface (Mac), Android ID (Android devices), UDID (iOS devices), or a unique name that GlobalProtect assigns (Chrome). When used to request certificates for satellite devices, the host ID value is the device serial number.
To specify additional information in the CSR, enter the Subject name. The subject must be a distinguished name in the <attribute>=<value> format and must include the common name (CN) key. For example: O=acme,CN=acmescep
There are two ways to specify the CN:
(Recommended) Token-based CN: Enter one of the supported tokens $USERNAME, $EMAILADDRESS, or $HOSTID. Use the username or email address variable to ensure that the portal requests certificates for a specific user. To request certificates for the device only, specify the hostid variable. When the GlobalProtect portal pushes the SCEP settings to the agent, the CN portion of the subject name is replaced with the actual value (username, hostid, or email address) of the certificate owner. For example: O=acme,CN=$HOSTID
Static CN: The CN you specify will be used as the subject for all certificates issued by the SCEP server. For example: O=acme,CN=acmescep

Subject Alternative Name Type: After you select a type other than None, a dialog displays for you to enter the appropriate value:
RFC 822 Name: Enter the email name in a certificate's subject or Subject Alternative Name extension.
DNS Name: Enter the DNS name used to evaluate certificates.
Uniform Resource Identifier (URI): Enter the name of the URI resource from which the client obtains the certificate.

Use as digital signature: Select this option to configure the endpoint to use the private key in the certificate to validate a digital signature.

Use for key encipherment: Select this option to configure the client endpoint to use the private key in the certificate to encrypt data exchanged over the HTTPS connection established with the certificates issued by the SCEP server.

CA Certificate Fingerprint: (Optional) To ensure that the portal connects to the correct SCEP server, enter the CA Certificate Fingerprint. Obtain this fingerprint from the SCEP server interface in the Thumbprint field. Log in to the SCEP server's administrative user interface (for example, at http://<hostname or IP>/CertSrv/mscep_admin/). Copy the thumbprint and enter it in CA Certificate Fingerprint.
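The Subject and SCEP Challenge rows above describe a small amount of logic: the subject must be a <attribute>=<value> list containing CN, a token-based CN is replaced with the owner's username, email address, or host ID, the host ID depends on the device type, and the FIPS note requires the Dynamic challenge over HTTPS with SSL authentication. The Python below is an added example of those rules, not code from the guide or from GlobalProtect; the device-type labels, the dictionary field names, and the owner dictionary are constructed for the example.

```python
from typing import Dict, List, Tuple

# Tokens the guide lists for the CN, mapped to the owner attribute they stand for.
CN_TOKENS = {"$USERNAME": "username", "$EMAILADDRESS": "email", "$HOSTID": "hostid"}

# Where the host ID comes from, by device type (the labels and field names
# below are this example's own; the rule itself follows the Subject row).
HOST_ID_FIELD = {
    "windows": "guid",
    "mac": "interface_mac",
    "android": "android_id",
    "ios": "udid",
    "chrome": "globalprotect_name",
    "satellite": "serial_number",
}


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Split an <attribute>=<value>,... subject and require a CN attribute."""
    pairs = []
    for part in subject.split(","):
        if "=" not in part:
            raise ValueError(f"not in <attribute>=<value> format: {part!r}")
        attr, value = part.split("=", 1)
        attr, value = attr.strip(), value.strip()
        if not attr or not value:
            raise ValueError(f"empty attribute or value in {part!r}")
        pairs.append((attr, value))
    if not any(attr.upper() == "CN" for attr, _ in pairs):
        raise ValueError("subject must include the CN key")
    return pairs


def host_id(device: Dict[str, str]) -> str:
    """Pick the host ID value an endpoint or satellite would send."""
    try:
        return device[HOST_ID_FIELD[device["type"]]]
    except KeyError as exc:
        raise ValueError(f"cannot derive host ID: missing {exc}") from exc


def render_subject(subject: str, owner: Dict[str, str]) -> str:
    """Replace a token-based CN with the owner's value; a static CN is left alone."""
    rendered = []
    for attr, value in parse_subject(subject):
        if attr.upper() == "CN" and value in CN_TOKENS:
            value = owner[CN_TOKENS[value]]
        rendered.append(f"{attr}={value}")
    return ",".join(rendered)


def fips_compliant_challenge(mode: str, server_url: str, ssl_auth: bool) -> bool:
    """The FIPS note: Dynamic challenge, HTTPS Server URL, SSL authentication on."""
    return mode == "Dynamic" and server_url.lower().startswith("https://") and ssl_auth


if __name__ == "__main__":
    # Constructed Windows endpoint enrolling with a token-based CN.
    device = {"type": "windows", "guid": "9f1c2a4e-example-guid"}
    owner = {"username": "jdoe", "email": "jdoe@example.test", "hostid": host_id(device)}
    print(render_subject("O=acme,CN=$HOSTID", owner))   # O=acme,CN=9f1c2a4e-example-guid
    print(render_subject("O=acme,CN=acmescep", owner))  # O=acme,CN=acmescep
```

Rejecting a subject without CN at configuration time, rather than at the first enrollment, is the point of parse_subject: a CSR whose subject the CA cannot bind to a user or device is the failure you otherwise discover only when the portal's certificate request is refused.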
Device > Certificate Management > SSL Decryption Exclusion

View and manage SSL decryption exclusions. There are two types of decryption exclusions, predefined exclusions and custom exclusions:
Predefined decryption exclusions allow applications and services that might break when the firewall decrypts them to remain encrypted. Palo Alto Networks defines the predefined decryption exclusions and delivers updates and additions to the predefined exclusions list at regular intervals as part of the applications and threats content update. Predefined exclusions are enabled by default, but you can choose to disable the exclusion as needed.
You can create custom decryption exclusions to exclude server traffic from decryption. All traffic originating from or destined to the targeted server remains encrypted.
You can also exclude traffic from decryption based on application, source, destination, URL category, and service.
Use the settings on this page to Modify or Add a Decryption Exclusion and to Manage Decryption Exclusions.

SSL Decryption Exclusions Settings

Hostname: Enter a Hostname to define a custom decryption exclusion. The hostname defined here is compared against the SNI requested by the client or the CN presented in the server certificate. You can also use a wildcard asterisk (*) to create a decryption exclusion for all hostnames associated with a domain. Sessions where the server presents a CN that contains the defined domain are excluded from decryption. Hostnames should be unique for each entry; if a predefined entry is delivered to the firewall that matches an existing custom entry, the custom entry takes precedence. You cannot edit the Hostname for a predefined decryption exclusion.

Shared: Select Shared to share a decryption exclusion across all virtual systems in a multiple virtual system firewall. While predefined decryption exclusions are shared by default, you can enable and disable both predefined and custom entries for a specific virtual system.

Description: (Optional) Describe the application that you are excluding from decryption, including why the application breaks when decrypted.

Exclude: Exclude the application from decryption. Disable this option to start decrypting an application that was previously excluded from decryption.

Enable: Enable one or more entries to exclude them from decryption.

Disable: Disable one or more predefined decryption exclusions. Because decryption exclusions identify applications that break when decrypted, disabling one of these entries will cause the application to be unsupported. The firewall will attempt to decrypt the application and the application will break. You can use this option if you want to ensure certain encrypted applications do not enter your network.
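The Hostname row describes a matching rule (SNI or certificate CN, with an optional leading wildcard) and a precedence rule (a custom entry overrides a predefined entry with the same hostname). As an added example, not code from the guide or from PAN-OS, the Python below implements both and decides whether a session is decrypted; the sample table, its hostnames, and the interpretation that "*.domain" covers any depth below the domain plus the bare domain are this example's constructed assumptions, not the firewall's documented matching algorithm.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Exclusion:
    """One row of the SSL Decryption Exclusions table, with the fields named above."""
    hostname: str
    predefined: bool
    enabled: bool = True   # Enable / Disable
    exclude: bool = True   # Exclude


def hostname_matches(pattern: str, name: str) -> bool:
    """Compare a configured hostname (optionally "*.domain") with an SNI or CN.

    Assumption of this example: "*.example.test" covers any label depth under
    the domain as well as the bare domain; comparison is case-insensitive.
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern.startswith("*."):
        domain = pattern[2:]
        return name == domain or name.endswith("." + domain)
    return pattern == name


def effective_exclusions(entries: Iterable[Exclusion]) -> List[Exclusion]:
    """Collapse duplicate hostnames; a custom entry wins over a predefined one."""
    by_host = {}
    for entry in entries:
        key = entry.hostname.lower()
        current = by_host.get(key)
        if current is None or (current.predefined and not entry.predefined):
            by_host[key] = entry
    return list(by_host.values())


def should_decrypt(entries: Iterable[Exclusion], sni: Optional[str] = None,
                   cert_cn: Optional[str] = None) -> bool:
    """True unless an enabled, excluding entry matches the client SNI or server CN."""
    names = [n for n in (sni, cert_cn) if n]
    for entry in effective_exclusions(entries):
        if not (entry.enabled and entry.exclude):
            continue
        if any(hostname_matches(entry.hostname, n) for n in names):
            return False
    return True


# Constructed sample table: a predefined wildcard entry, a custom entry with the
# same hostname that resumes decryption (custom wins), a custom exclusion for an
# internal mail host, and a predefined entry an administrator has disabled.
SAMPLE_EXCLUSIONS = [
    Exclusion("*.pinned-app.example", predefined=True),
    Exclusion("*.pinned-app.example", predefined=False, exclude=False),
    Exclusion("mail.internal.example", predefined=False),
    Exclusion("*.legacy-update.example", predefined=True, enabled=False),
]

if __name__ == "__main__":
    print(should_decrypt(SAMPLE_EXCLUSIONS, sni="api.pinned-app.example"))    # True
    print(should_decrypt(SAMPLE_EXCLUSIONS, cert_cn="mail.internal.example"))  # False
```

The disabled predefined entry is the case the Disable row warns about: once it is disabled the matcher falls through and the session is decrypted, so an application that breaks under decryption stops working exactly as the table says.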
Device > Response Pages

Custom response pages are the web pages that display when a user tries to access a URL. You can provide a custom HTML message that is downloaded and displayed instead of the requested web page or file. Each virtual system can have its own custom response pages. The following table describes the types of custom response pages that support customer messages.

Custom Response Page Types

Antivirus Block Page: Access blocked due to a virus infection.

Application Block Page: Access blocked because the application is blocked by a Security policy rule.

Captive Portal Comfort Page: The firewall displays this page so that users can enter login credentials to access services that are subject to Authentication policy rules (see Policies > Authentication). Enter a message that tells users how to respond to this authentication challenge. The firewall authenticates users based on the Authentication Profile specified in the authentication enforcement object assigned to an Authentication rule (see Objects > Authentication). You can display unique authentication instructions for each Authentication rule by entering a Message in the associated authentication enforcement object. The message defined in the object overrides the message defined in the Captive Portal Comfort Page.

File Blocking Continue Page: Page for users to confirm that downloading should continue. This option is available only if Continue functionality is enabled in the security profile. Select Objects > Security Profiles > File Blocking.

File Blocking Block Page: Access blocked because access to the file is blocked.

GlobalProtect Portal Help Page: Custom help page for GlobalProtect users (accessible from the portal).

GlobalProtect Portal Login Page: Page for users who attempt to access the GlobalProtect portal.

GlobalProtect Welcome Page: Welcome page for users who attempt to log in to the GlobalProtect portal.

MFA Login Page: The firewall displays this page so that users can respond to multi-factor authentication (MFA) challenges when accessing services that are subject to Authentication policy rules (see Policies > Authentication). Enter a message that tells users how to respond to the MFA challenges.

SAML Auth Internal Error Page: Page to inform users that SAML authentication failed. The page includes a link for the user to retry authentication.

SSL Certificate Errors Notify Page: Notification that an SSL certificate has been revoked.

SSL Decryption Opt-out Page: User warning page indicating that the firewall will decrypt SSL sessions for inspection.

URL Filtering and Category Match Block Page: Access blocked by a URL filtering profile or because the URL category is blocked by a Security policy rule.

URL Filtering Continue and Override Page: Page with initial block policy that allows users to bypass the block. For example, a user who thinks the page was blocked inappropriately can click Continue to proceed to the page. With the override page, a password is required for the user to override the policy that blocks this URL. See the URL Admin Override section for instructions on setting the override password.

URL Filtering Safe Search Enforcement Block Page: Access blocked by a Security policy rule with a URL filtering profile that has the Safe Search Enforcement option enabled. The user sees this page if a search is performed using Bing, Google, Yahoo, Yandex, or YouTube and their browser or search engine account setting for Safe Search is not set to strict. The block page will instruct the user to set the Safe Search setting to strict.

Anti Phishing Block Page: Displays to users when they attempt to enter valid corporate credentials (usernames or passwords) on a web page for which credential submissions are blocked. The user can continue to access the site but remains unable to submit valid corporate credentials to any associated web forms. Select Objects > Security Profiles > URL Filtering to enable credential detection and control credential submissions to web pages based on URL category.

Anti Phishing Continue Page: This page warns users against submitting corporate credentials (usernames and passwords) to a website. Warning users against submitting credentials can help to discourage them from reusing corporate credentials and to educate them about possible phishing attempts. Users see this page when they attempt to submit credentials to a site for which the User Credential Submission permissions are set to continue (see Objects > Security Profiles > URL Filtering). They must select Continue to enter credentials on the site.

You can perform any of the following functions for Response Pages.
To import a custom HTML response page, click the link of the page type you would like to change and then click import/export. Browse to locate the page. A message is displayed to indicate whether the import succeeded. For the import to be successful, the file must be in HTML format.
To export a custom HTML response page, click Export for the type of page. Select whether to open the file or save it to disk and, if appropriate, select Always use the same option.
To enable or disable the Application Block page or SSL Decryption Opt-out pages, click Enable for the type of page. Select or deselect Enable, as appropriate.
To use the default response page instead of a previously uploaded custom page, delete the custom block page and commit. This will set the default block page as the new active page.
Device > Log Settings

Select Log Forwarding Destinations

Device > Log Settings

Use these settings to configure log forwarding to Panorama, SNMP trap receivers, email servers, Syslog servers, and HTTP servers. You can also add or remove tags from a source or destination IP address in a log entry; all log types except System logs and Configuration logs support tagging.

You can forward the following log types: System, Configuration, User-ID, HIP Match, and Correlation logs. To specify destinations for each log type, Add one or more match list profiles (up to 64) and complete the fields described in the following table.

To forward Traffic, Threat, WildFire Submissions, URL Filtering, Data Filtering, Tunnel Inspection, GTP, and Authentication logs, you must configure a Log Forwarding profile (see Objects > Log Forwarding).

Match List Profile Settings

Name: Enter a name (up to 31 characters) to identify the match list profile. A valid name must start with an alphanumeric character and can contain zeroes, alphanumeric characters, underscores, hyphens, dots, or spaces.

Description: Enter a description (up to 1,023 characters) to explain the purpose of this match list profile.

Panorama: Select Panorama if you want to forward logs to Log Collectors or the Panorama management server. If you enable this option, you must configure log forwarding to Panorama. You cannot forward Correlation logs from firewalls to Panorama. Panorama generates Correlation logs based on the firewall logs it receives.

SNMP: Add one or more SNMP Trap server profiles to forward logs as SNMP traps (see Device > Server Profiles > SNMP Trap).

Email: Add one or more Email server profiles to forward logs as email notifications (see Device > Server Profiles > Email).

Syslog: Add one or more Syslog server profiles to forward logs as syslog messages (see Device > Server Profiles > Syslog).

HTTP: Add one or more HTTP server profiles to forward logs as HTTP requests (see Device > Server Profiles > HTTP).

Built-in Actions: You can add an action for all log types that include a source or destination IP address in the log entry by configuring the following settings as needed. You can tag only the source IP address in Correlation logs and HIP Match logs. You cannot configure any action for System logs and Configuration logs because the log type does not include an IP address in the log entry.
Add an action and enter a name to describe it.
Select the IP address you want to automatically tag: Source Address or Destination Address.
Select the action: Add Tag or Remove Tag.
Select whether to register the IP address and tag mapping to the Local User-ID agent on this firewall or Panorama, or to a Remote User-ID agent.
To register the IP address and tag mapping to a Remote User-ID agent, select the HTTP server profile (Device > Server Profiles > HTTP) that will enable forwarding.
Enter or select the Tags you want to apply or remove from the target source or destination IP address.
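The Built-in Actions row lists the constraints on a tag action (which address field each log type can tag, Add Tag versus Remove Tag, local versus remote User-ID agent) without showing them in one place. The Python below is an added example, not code from the guide or from PAN-OS, that validates an action against those constraints and applies it to an IP-to-tag registry of the kind a User-ID agent maintains; the log-type keys, the TagAction fields, and the sample log entry are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

# Address fields a tag action may target, per log type, following the note above:
# Correlation and HIP Match logs tag only the source; System and Config logs
# carry no IP address, so they allow no action at all.
TAGGABLE_FIELDS: Dict[str, Set[str]] = {
    "traffic": {"src", "dst"},
    "threat": {"src", "dst"},
    "correlation": {"src"},
    "hip-match": {"src"},
    "system": set(),
    "config": set(),
}


@dataclass(frozen=True)
class TagAction:
    """One Built-in Action: name, Source/Destination Address, Add/Remove Tag, Tags."""
    name: str
    target: str                  # "src" (Source Address) or "dst" (Destination Address)
    operation: str               # "add" (Add Tag) or "remove" (Remove Tag)
    tags: FrozenSet[str]
    registration: str = "local"  # "local" User-ID agent, or "remote" User-ID agent
    http_profile: str = ""       # required when registration is "remote"


def validate_action(log_type: str, action: TagAction) -> None:
    """Raise ValueError for combinations the table says are not configurable."""
    if log_type not in TAGGABLE_FIELDS:
        raise ValueError(f"unknown log type {log_type!r}")
    if action.target not in TAGGABLE_FIELDS[log_type]:
        raise ValueError(f"{log_type} logs cannot tag the {action.target} address")
    if action.operation not in ("add", "remove"):
        raise ValueError("operation must be add or remove")
    if action.registration not in ("local", "remote"):
        raise ValueError("registration must be local or remote")
    if action.registration == "remote" and not action.http_profile:
        raise ValueError("a remote User-ID agent needs an HTTP server profile")
    if not action.tags:
        raise ValueError("at least one tag is required")


class TagRegistry:
    """IP-address-to-tag mappings, as a User-ID agent would hold them."""

    def __init__(self) -> None:
        self.tags: Dict[str, Set[str]] = {}

    def apply(self, log_type: str, entry: Dict[str, str], action: TagAction) -> Set[str]:
        """Apply one action to the address picked out of one log entry.

        Returns the tag set registered for that IP afterwards.
        """
        validate_action(log_type, action)
        ip = entry[action.target]
        current = self.tags.setdefault(ip, set())
        if action.operation == "add":
            current |= action.tags
        else:
            current -= action.tags
        return set(current)


if __name__ == "__main__":
    # Constructed Threat log entry and a quarantine action on its source address.
    entry = {"src": "10.1.2.3", "dst": "203.0.113.7"}
    quarantine = TagAction("quarantine-src", "src", "add", frozenset({"quarantine"}))
    registry = TagRegistry()
    print(registry.apply("threat", entry, quarantine))  # {'quarantine'}
```

Validation happens before the registry is touched, so a misconfigured action (for example tagging the destination of a Correlation log) is rejected rather than silently tagging the wrong address; the resulting tag set is what a dynamic address group would later match on.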
Define Alarm Settings

Device > Log Settings

Use the Alarm Settings to configure Alarms for the CLI and the web interface. You can configure notifications for the following events:
A security rule (or group of rules) has been matched at a specified threshold and within a specified time interval.
Encryption/Decryption failure threshold is met.
The Log database for each log type is nearing full; the quota by default is set to notify when 90% of the available disk space is used. Configuring alarms allows you to take action before the disk is full and logs are purged.
When you enable alarms, you can view the current list by clicking Alarms at the bottom of the web interface.
To add an alarm, edit the Alarm Settings described in the following table.

Alarm Log Settings

Enable CLI Alarm Notifications: Enable CLI alarm notifications whenever alarms occur.

Enable Web Alarm Notifications: Open a window to display alarms on user sessions, including when they occur and when they are acknowledged.

Enable Audible Alarms: An audible alarm tone will play every 15 seconds on the administrator's computer when the administrator is logged in to the web interface and unacknowledged alarms exist. The alarm tone will play until the administrator acknowledges all alarms. To view and acknowledge alarms, click Alarms. This feature is only available when the firewall is in FIPS-CC mode.

Encryption/Decryption Failure Threshold: Specify the number of encryption/decryption failures after which an alarm is generated.

<Log type> Log DB: Generate an alarm when a log database reaches the indicated percentage of the maximum size.

Security Violations Threshold / Security Violations Time Period: An alarm is generated if a particular IP address or port hits a deny rule the specified number of times in the Security Violations Threshold setting within the period (seconds) specified in the Security Violations Time Period setting.

Violations Threshold / Violations Time Period / Security Policy Tags: An alarm is generated if the collection of rules reaches the number of rule limit violations specified in the Violations Threshold field during the period specified in the Violations Time Period field. Violations are counted when a session matches an explicit deny policy. Use Security Policy Tags to specify the tags for which the rule limit thresholds will generate alarms. These tags become available to be specified when defining security policies.

Selective Audit: The selective audit options are only available when the firewall is in FIPS-CC mode. Specify the following settings:
FIPS-CC Specific Logging: Enables verbose logging required for Common Criteria (CC) compliance.
Packet Drop Logging: Logs packets dropped by the firewall.
Suppress Login Success Logging: Stops logging of successful administrator logins to the firewall.
Suppress Login Failure Logging: Stops logging of failed administrator logins to the firewall.
TLS Session Logging: Logs the establishment of TLS sessions.
CA (OCSP/CRL) Session Establishment Logging: Logs session establishment between the firewall and a certificate authority when the firewall sends a request to check certificate revocation status using the Online Certificate Status Protocol or a Certificate Revocation List server request. (Disabled by default.)
IKE Session Establishment Logging: Logs IPSec IKE session establishment when the VPN gateway on the firewall authenticates with a peer. The peer can be a Palo Alto Networks firewall or another security device used to initiate and terminate VPN connections. The interface name that is specified in the log is the interface that is bound to the IKE gateway. The IKE gateway name is also displayed if applicable. Disabling this option stops logging of all IKE logging events. (Enabled by default.)
Suppressed Administrators: Stops logging of changes that the listed administrators make to the firewall configuration.
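Two of the alarm rows above are "N events within T seconds" thresholds: deny-rule hits per IP address (Security Violations Threshold and Time Period) and deny matches on rules carrying a watched Security Policy Tag (Violations Threshold, Violations Time Period, Security Policy Tags). The Python below is an added example, not code from the guide, of one sliding-window counter serving both; the firewall's actual counting algorithm is not documented on this page, so the deque-based window, the per-key reset after an alarm, and the sample hit times are this example's own choices.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Hashable, Iterable, Set


class ThresholdAlarm:
    """Raise once a key has been seen `threshold` times within `period` seconds.

    Keeps a sliding window of timestamps per key. After an alarm fires the
    key's window is cleared so one burst raises one alarm, not one per hit.
    """

    def __init__(self, threshold: int, period_seconds: float) -> None:
        if threshold < 1 or period_seconds <= 0:
            raise ValueError("threshold must be >= 1 and period > 0")
        self.threshold = threshold
        self.period = period_seconds
        self._hits: Dict[Hashable, Deque[float]] = defaultdict(deque)

    def record(self, key: Hashable, ts: float) -> bool:
        """Record one event at time ts (seconds); return True if an alarm fires."""
        window = self._hits[key]
        window.append(ts)
        while window and ts - window[0] > self.period:
            window.popleft()
        if len(window) >= self.threshold:
            window.clear()
            return True
        return False


class SecurityViolationsAlarm(ThresholdAlarm):
    """Security Violations Threshold / Time Period: deny-rule hits per source IP."""

    def deny_hit(self, src_ip: str, ts: float) -> bool:
        return self.record(("ip", src_ip), ts)


class RuleTagViolationsAlarm(ThresholdAlarm):
    """Violations Threshold / Time Period / Security Policy Tags.

    Counted per watched tag whenever a session matches an explicit deny rule
    that carries the tag; only tags listed in Security Policy Tags count.
    """

    def __init__(self, threshold: int, period_seconds: float,
                 watched_tags: Iterable[str]) -> None:
        super().__init__(threshold, period_seconds)
        self.watched: Set[str] = set(watched_tags)

    def deny_match(self, rule_tags: Iterable[str], ts: float) -> Set[str]:
        """Return the watched tags whose threshold this deny match crossed."""
        fired = set()
        for tag in set(rule_tags) & self.watched:
            if self.record(("tag", tag), ts):
                fired.add(tag)
        return fired


if __name__ == "__main__":
    # Constructed hits: three deny-rule hits from one address inside 60 seconds
    # trip a threshold of 3; the same three hits spread over 5 minutes do not.
    alarm = SecurityViolationsAlarm(threshold=3, period_seconds=60)
    print([alarm.deny_hit("10.0.0.5", t) for t in (0, 10, 20)])      # [False, False, True]
    print([alarm.deny_hit("10.0.0.9", t) for t in (0, 100, 200)])    # [False, False, False]
```

Choosing the window this way mirrors the two fields: threshold is the count, period is how far back hits still count, and hits older than the period drop out of the window before the comparison, so a slow trickle of denies never accumulates into an alarm.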
Clear Logs

Device > Log Settings

You can clear logs on the firewall when you Manage Logs on the Log Settings page. Click the log type you want to clear and click Yes to confirm the request.
To automatically delete logs and reports, you can configure expiration periods. For details, see Logging and Reporting Settings.
Device > Server Profiles

Device > Server Profiles > SNMP Trap
Device > Server Profiles > Syslog
Device > Server Profiles > Email
Device > Server Profiles > HTTP
Device > Server Profiles > NetFlow
Device > Server Profiles > RADIUS
Device > Server Profiles > TACACS+
Device > Server Profiles > LDAP
Device > Server Profiles > Kerberos
Device > Server Profiles > SAML Identity Provider
Device > Server Profiles > DNS
Device > Server Profiles > Multi Factor Authentication
Device > Server Profiles > SNMP Trap

Simple Network Management Protocol (SNMP) is a standard protocol for monitoring the devices on your network. To alert you to system events or threats on your network, monitored devices send SNMP traps to SNMP managers (trap servers). Select Device > Server Profiles > SNMP Trap or Panorama > Server Profiles > SNMP Trap to configure the server profile that enables the firewall or Panorama to send traps to the SNMP managers. To enable SNMP GET messages (statistics requests from an SNMP manager), see Enable SNMP Monitoring.

After creating the server profile, you must specify which log types will trigger the firewall to send SNMP traps (Device > Log Settings). For a list of the MIBs that you must load into the SNMP manager so it can interpret traps, see Supported MIBs.

Don't delete a server profile that any system log setting or logging profile uses.

SNMP Trap Server Profile Settings

Name: Enter a name for the SNMP profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location: Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.

Version: Select the SNMP version: V2c (default) or V3. Your selection controls the remaining fields that the dialog displays. For either version, you can add up to four SNMP managers.

Name: Specify a name for the SNMP manager. The name can have up to 31 characters that are alphanumeric, periods, underscores, or hyphens.

SNMP Manager: Specify the FQDN or IP address of the SNMP manager.

Community: Enter the community string, which identifies an SNMP community of SNMP managers and monitored devices and also serves as a password to authenticate the community members to each other during trap forwarding. The string can have up to 127 characters, accepts all characters, and is case-sensitive. Do not use the default community string public. Because SNMP messages contain community strings in clear text, consider the security requirements of your network when defining community membership (administrator access).

For SNMP V3

Name: Specify a name for the SNMP manager. The name can have up to 31 characters that are alphanumeric, periods, underscores, or hyphens.

SNMP Manager: Specify the FQDN or IP address of the SNMP manager.

User: Specify a username to identify the SNMP user account (up to 31 characters). The username you configure on the firewall must match the username configured on the SNMP manager.

Engine ID: Specify the engine ID of the firewall. When an SNMP manager and the firewall authenticate to each other, trap messages use this value to uniquely identify the firewall. If you leave the field blank, the messages use the firewall serial number as the Engine ID. If you enter a value, it must be in hexadecimal format, prefixed with 0x, and with another 10-128 characters to represent any number of 5-64 bytes (2 characters per byte). For firewalls in a high availability (HA) configuration, leave the field blank so that the SNMP manager can identify which HA peer sent the traps; otherwise, the value is synchronized and both peers will use the same Engine ID.

Auth Password: Specify the authentication password of the SNMP user. The firewall uses the password to authenticate to the SNMP manager. The firewall uses Secure Hash Algorithm (SHA-1 160) to encrypt the password. The password must be 8-256 characters and all characters are allowed.

Priv Password: Specify the privacy password of the SNMP user. The firewall uses the password and Advanced Encryption Standard (AES-128) to encrypt traps. The password must be 8-256 characters and all characters are allowed.
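The table above gives precise constraints for an SNMP Trap server profile: one to four managers, a community string that is not the default public (V2c), and for V3 a 1-31 character user, 8-256 character authentication and privacy passwords, and an Engine ID that is either blank or 0x followed by 10-128 hex characters (5-64 bytes), left blank on HA peers. The Python below is an added example, not code from the guide or from PAN-OS, that checks a profile against those constraints before it is committed; the dictionary layout used to represent the form fields is this example's own.

```python
import re
from typing import Dict, List, Optional


def parse_engine_id(value: str) -> Optional[bytes]:
    """Validate an SNMPv3 Engine ID as the table describes.

    Empty means "use the firewall serial number" and returns None. Otherwise
    the value is 0x followed by 10 to 128 hex characters (5 to 64 bytes).
    """
    if value == "":
        return None
    if not value.startswith("0x"):
        raise ValueError("must be hexadecimal prefixed with 0x")
    digits = value[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]{10,128}", digits) or len(digits) % 2:
        raise ValueError("needs an even count of 10 to 128 hex characters after 0x")
    return bytes.fromhex(digits)


def _check_len(field: str, text: str, lo: int, hi: int, problems: List[str]) -> None:
    if not lo <= len(text) <= hi:
        problems.append(f"{field}: length must be {lo}-{hi} characters")


def check_trap_profile(profile: Dict) -> List[str]:
    """Return a list of problems with an SNMP Trap server profile (empty if fine).

    profile = {"version": "V2c" | "V3", "ha": bool, "managers": [{...}, ...]};
    this dict shape is the example's own representation of the form, not a
    PAN-OS data format.
    """
    problems: List[str] = []
    version = profile.get("version")
    managers = profile.get("managers", [])
    if not 1 <= len(managers) <= 4:
        problems.append("profile must list 1 to 4 SNMP managers")
    if version not in ("V2c", "V3"):
        problems.append("version must be V2c or V3")
        return problems
    for m in managers:
        _check_len("manager name", m.get("name", ""), 1, 31, problems)
        if not m.get("address"):
            problems.append("manager: FQDN or IP address is required")
        if version == "V2c":
            community = m.get("community", "")
            _check_len("community", community, 1, 127, problems)
            if community == "public":
                problems.append("community: do not use the default 'public'")
        else:
            _check_len("user", m.get("user", ""), 1, 31, problems)
            _check_len("auth password", m.get("auth_password", ""), 8, 256, problems)
            _check_len("priv password", m.get("priv_password", ""), 8, 256, problems)
            try:
                engine = parse_engine_id(m.get("engine_id", ""))
            except ValueError as exc:
                problems.append(f"engine id: {exc}")
            else:
                if engine is not None and profile.get("ha"):
                    problems.append("engine id: leave blank on HA peers so the "
                                    "manager can tell which peer sent the trap")
    return problems


# Constructed profiles: a V2c profile still using the default community, and a
# clean V3 profile whose Engine ID is left blank.
WEAK_V2C = {"version": "V2c", "ha": False,
            "managers": [{"name": "nms1", "address": "192.0.2.10", "community": "public"}]}
GOOD_V3 = {"version": "V3", "ha": True,
           "managers": [{"name": "nms1", "address": "nms1.example.test", "user": "pan-trap",
                         "auth_password": "auth-example-passphrase",
                         "priv_password": "priv-example-passphrase", "engine_id": ""}]}

if __name__ == "__main__":
    print(check_trap_profile(WEAK_V2C))  # ["community: do not use the default 'public'"]
    print(check_trap_profile(GOOD_V3))   # []
```

The V2c warning is the one worth automating: the community string travels in clear text, so a default or shared value lets anyone on the path read or forge traps, and the check catches it before the profile goes live.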
Device > Server Profiles > Syslog

Select Device > Server Profiles > Syslog or Panorama > Server Profiles > Syslog to configure a server profile for forwarding firewall, Panorama, and Log Collector logs as syslog messages to a syslog server. To define a syslog server profile, click Add and specify the New Syslog Server fields.

To select the Syslog Server profile for System, Config, User-ID, HIP Match, and Correlation logs, see Device > Log Settings.
To select the Syslog Server Profile for Traffic, Threat, WildFire, URL Filtering, Data Filtering, Tunnel Inspection, Authentication, and GTP logs, see Objects > Log Forwarding.
You cannot delete a server profile that the firewall uses in any System or Config log settings or Log Forwarding profile.

Syslog Server Settings

Name: Enter a name for the syslog profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location: Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.

Servers Tab

Name: Click Add and enter a name for the syslog server (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Server: Enter the IP address of the syslog server.

Transport: Select whether to transport the syslog messages over UDP, TCP, or SSL.

Port: Enter the port number of the syslog server (the standard port for UDP is 514; the standard port for SSL is 6514; for TCP you must specify a port number).

Format: Specify the syslog format to use: BSD (the default) or IETF.

Facility: Select one of the Syslog standard values. Select the value that maps to how your Syslog server uses the facility field to manage messages. For details on the facility field, see RFC 3164 (BSD format) or RFC 5424 (IETF format).

Log Type: Click the log type to open a dialog box that allows you to specify a custom log format. In the dialog box, click a field to add it to the Log Format area. Other text strings can be edited directly in the Log Format area. Click OK to save the settings. For a description of each field that can be used for custom logs, see Device > Server Profiles > Email.
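The Transport, Port, Format, and Facility rows describe what the receiving syslog server will see on the wire: a <PRI> value derived from facility and severity, a BSD (RFC 3164) or IETF (RFC 5424) header, and the standard ports. The Python below is an added example, not code from the guide or from PAN-OS, that builds both message layouts for one constructed System log line, recovers facility and severity from a received line, and resolves the port the way the Port row describes. The facility and severity names, the constructed timestamp and message text, and the app-name field used in the IETF line are this example's own.

```python
from datetime import datetime, timezone
from typing import Optional, Tuple

# Facility codes from RFC 3164 section 4.1.1 / RFC 5424 section 6.2.1.
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5, "authpriv": 10,
            "local0": 16, "local1": 17, "local2": 18, "local3": 19,
            "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Standard ports from the Port row; TCP has no standard port and must be given.
DEFAULT_PORT = {"UDP": 514, "SSL": 6514}


def priority(facility: str, severity: str) -> int:
    """The <PRI> value: facility * 8 + severity."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def format_bsd(facility: str, severity: str, ts: datetime, host: str, message: str) -> str:
    """RFC 3164 (BSD) layout: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG (day space-padded)."""
    stamp = ts.strftime("%b") + f" {ts.day:2d} " + ts.strftime("%H:%M:%S")
    return f"<{priority(facility, severity)}>{stamp} {host} {message}"


def format_ietf(facility: str, severity: str, ts: datetime, host: str,
                app: str, message: str, msgid: str = "-") -> str:
    """RFC 5424 (IETF) layout: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    stamp = ts.isoformat(timespec="seconds").replace("+00:00", "Z")
    return f"<{priority(facility, severity)}>1 {stamp} {host} {app} - {msgid} - {message}"


def parse_priority(line: str) -> Tuple[int, int]:
    """Recover (facility, severity) from a received line's <PRI> prefix."""
    end = line.find(">")
    if not line.startswith("<") or end < 2 or end > 4:
        raise ValueError("missing <PRI> prefix")
    pri = int(line[1:end])
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return divmod(pri, 8)


def resolve_port(transport: str, port: Optional[int] = None) -> int:
    """Apply the Port row: explicit port wins, UDP/SSL have defaults, TCP does not."""
    if port is not None:
        return port
    if transport not in DEFAULT_PORT:
        raise ValueError(f"{transport}: no standard port, a port number must be specified")
    return DEFAULT_PORT[transport]


# Constructed sample: a System log event at a fixed time, sent as local0/info.
SAMPLE_TS = datetime(2017, 2, 6, 8, 5, 9)
SAMPLE_MSG = "SYSTEM: commit succeeded by admin"


def sample_bsd() -> str:
    return format_bsd("local0", "info", SAMPLE_TS, "fw01", SAMPLE_MSG)


def sample_ietf() -> str:
    return format_ietf("local0", "info", SAMPLE_TS, "fw01", "panos", SAMPLE_MSG)


if __name__ == "__main__":
    print(sample_bsd())    # <134>Feb  6 08:05:09 fw01 SYSTEM: commit succeeded by admin
    print(sample_ietf())   # <134>1 2017-02-06T08:05:09Z fw01 panos - - - SYSTEM: commit succeeded by admin
```

The two formats differ only in the header: the BSD timestamp has no year or time zone, which is why a collector that correlates events across sites usually wants IETF, and the Facility choice is what the collector later uses to route the firewall's messages into their own file or index.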
Device > Server Profiles > Email

Select Device > Server Profiles > Email or Panorama > Server Profiles > Email to configure a server profile for forwarding logs as email notifications. To define an Email server profile, Add a profile and specify Email Notification Settings.

To select the Email server profile for System, Config, User-ID, HIP Match, and Correlation logs, see Device > Log Settings.
To select the Email server profile for Traffic, Threat, WildFire, URL Filtering, Data Filtering, Tunnel Inspection, Authentication, and GTP logs, see Objects > Log Forwarding.
See also Monitor > PDF Reports > Email Scheduler.
You cannot delete a server profile that the firewall uses in any System or Config log settings or Log Forwarding profile.

Email Notification Settings

Name: Enter a name for the server profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location: Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.

Servers Tab

Server: Enter a name to identify the server (up to 31 characters). This field is just a label and does not have to be the host name of an existing SMTP server.

Display Name: Enter the name shown in the From field of the email.

From: Enter the From email address, such as security_alert@company.com.

To: Enter the email address of the recipient.

Additional Recipient: Optionally, enter the email address of another recipient. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list.

Gateway: Enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email.

Log Type: Click the log type to open a dialog box that allows you to specify a custom log format. In the dialog box, click a field to add it to the Log Format area. Click OK to save the settings.

Escaping: Include escaped characters and specify the escape character or characters.
Device > Server Profiles > HTTP

Select Device > Server Profiles > HTTP or Panorama > Server Profiles > HTTP to configure a server profile for forwarding logs. You can configure the firewall to forward logs to an HTTP(S) destination, or to integrate with any HTTP-based service that exposes an API, and modify the URL, HTTP header, parameters, and the payload in the HTTP request to meet your needs. You can also use the HTTP server profile to access firewalls running the integrated PAN-OS User-ID agent and register one or more tags to a source or destination IP address on logs that a firewall generated.

To use the HTTP server profile to forward logs:
See Device > Log Settings for System, Config, User-ID, HIP Match, and Correlation logs.
See Objects > Log Forwarding for Traffic, Threat, WildFire, URL Filtering, Data Filtering, Tunnel Inspection, Authentication, and GTP logs.

You cannot delete an HTTP server profile if it is used to forward logs. To delete a server profile on the firewall or Panorama, you must delete all references to the profile from the Device > Log Settings or Objects > Log Forwarding profile.

To define an HTTP server profile, Add a new profile and configure the settings in the following table.

HTTP Server Settings

Name: Enter a name for the server profile (up to 31 characters). The name is case-sensitive and must be unique. A valid name must start with an alphanumeric character and can contain zeroes, alphanumeric characters, underscores, hyphens, dots, or spaces.

Location: Select the scope in which the server profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change the Location.

Tag Registration: Tag registration allows you to add or remove a tag on a source or destination IP address in a log entry and register the IP address and tag mapping to the User-ID agent on a firewall using HTTP(S). You can then define dynamic address groups that use these tags as a filtering criteria to determine its members, and enforce policy rules to an IP address based on tags. Add the connection details to enable HTTP(S) access to the User-ID agent on a firewall. To register tags to the User-ID agent on Panorama, you do not need a server profile. Additionally, you cannot use the HTTP server profile to register tags to a User-ID agent running on a Windows server.

Servers Tab

Name: Add an HTTP(S) server or remote User-ID agent and enter a name (up to 31 characters). A valid name must be unique and start with an alphanumeric character; the name can contain zeroes, alphanumeric characters, underscores, hyphens, dots, or spaces. A server profile can include up to four servers.

Address: Enter the IP address of the HTTP(S) server. For tag registration, specify the IP address of the firewall configured as a User-ID agent.

Protocol: Select the protocol: HTTP or HTTPS.

Port: Enter the port number on which to access the server or firewall. The default port for HTTP is 80 and for HTTPS is 443. For tag registration, the firewall uses HTTP or HTTPS to connect to the web server on the firewalls that are configured as User-ID agents.

HTTP Method: Select the HTTP method that the server supports. The options are GET, PUT, POST (default), and DELETE. For the User-ID agent, use the GET method.

Username: Enter the username that has access privileges to complete the HTTP method you selected. If you are registering tags to the User-ID agent on a firewall, the username must be that of an administrator with a superuser role.

Password: Enter the password to authenticate to the server or the firewall.

Log Type: The log type available for HTTP forwarding displays. Click the log type to open a dialog box that allows you to specify a custom log format.

Format: Displays whether the log type uses the default format, a predefined format, or a custom payload format that you defined.

Predefined Formats: Select the format for your service or vendor for sending logs. Predefined formats are pushed through content updates and can change each time you install a new content update on the firewall or Panorama.

Name: Enter a name for the custom log format.

URI Format: Specify the resource to which you want to send logs using HTTP(S). If you create a custom format, the URI is the resource endpoint on the HTTP service. The firewall appends the URI to the IP address you defined earlier to construct the URL for the HTTP request. Ensure that the URI and payload format matches the syntax that your third-party vendor requires. You can use any attribute supported on the selected log type within the HTTP Header, Parameter, and Value pairs, and the request payload.

HTTP Headers: Add a Header and its corresponding value.

Parameters: Include the optional parameters and values.

Payload: Select the log attributes you want to include as the payload in the HTTP message to the external web server.

Send Test Log: Click this button to validate that the external web server receives the request and in the correct payload format.
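The URI Format, HTTP Headers, Parameters, and Payload rows together describe how the firewall assembles one HTTP request per log entry: protocol, address, and port from the server entry, the URI appended to form the URL, and log attributes substituted into headers, parameters, and the payload. The Python below is an added example, not code from the guide or from PAN-OS, of that assembly for a custom JSON format; the $attribute placeholder syntax, the server and format dictionaries, and the sample Threat log entry are constructed for this example and are not the firewall's own custom-format syntax.

```python
from string import Template
from typing import Any, Dict
from urllib.parse import urlencode, urlunsplit

DEFAULT_PORT = {"HTTP": 80, "HTTPS": 443}
METHODS = ("GET", "PUT", "POST", "DELETE")


def render(text: str, attrs: Dict[str, Any]) -> str:
    """Substitute $attribute placeholders with values from one log entry.

    An attribute the log type does not carry is an error rather than a blank:
    a silently empty field in a forwarded event is hard to notice downstream.
    """
    try:
        return Template(text).substitute(attrs)
    except KeyError as exc:
        raise ValueError(f"attribute {exc} is not available on this log type") from exc


def build_http_request(server: Dict[str, Any], fmt: Dict[str, Any],
                       log: Dict[str, Any]) -> Dict[str, Any]:
    """Assemble the request an HTTP server profile entry would send for one log.

    server: the Address / Protocol / Port row; fmt: the custom format (HTTP Method,
    URI Format, HTTP Headers, Parameters, Payload); log: the entry's attributes.
    """
    protocol = server["protocol"]
    if protocol not in DEFAULT_PORT:
        raise ValueError("protocol must be HTTP or HTTPS")
    if fmt["method"] not in METHODS:
        raise ValueError(f"method must be one of {METHODS}")
    port = server.get("port") or DEFAULT_PORT[protocol]
    uri = render(fmt["uri"], log)
    if not uri.startswith("/"):
        raise ValueError("URI Format must be a path; the firewall appends it to the address")
    headers = {k: render(v, log) for k, v in fmt.get("headers", {}).items()}
    params = {k: render(v, log) for k, v in fmt.get("parameters", {}).items()}
    url = urlunsplit((protocol.lower(), f"{server['address']}:{port}",
                      uri, urlencode(params), ""))
    body = render(fmt.get("payload", ""), log)
    return {"method": fmt["method"], "url": url, "headers": headers, "body": body}


# Constructed sample: a custom JSON format posting a Threat log to a collector.
SAMPLE_SERVER = {"address": "203.0.113.10", "protocol": "HTTPS", "port": 443}
SAMPLE_FORMAT = {
    "method": "POST",
    "uri": "/api/v1/events/$type",
    "headers": {"Content-Type": "application/json", "X-Sender": "pan-os"},
    "parameters": {"source": "firewall"},
    "payload": '{"src": "$src", "dst": "$dst", "rule": "$rule", "severity": "$severity"}',
}
SAMPLE_LOG = {"type": "threat", "src": "10.1.2.3", "dst": "203.0.113.7",
              "rule": "block-known-bad", "severity": "high"}


def sample_request() -> Dict[str, Any]:
    return build_http_request(SAMPLE_SERVER, SAMPLE_FORMAT, SAMPLE_LOG)


if __name__ == "__main__":
    req = sample_request()
    print(req["method"], req["url"])
    # POST https://203.0.113.10:443/api/v1/events/threat?source=firewall
    print(req["body"])
```

Running the sample through a tool like this before pressing Send Test Log shows exactly what the collector will receive, which is where mismatches between the vendor's required JSON and the attribute names chosen in the Payload dialog usually surface.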
Device > Server Profiles > NetFlow

All Palo Alto Networks firewalls support NetFlow Version 9. The firewalls support only unidirectional NetFlow, not bidirectional. You can enable NetFlow exports on all interface types except HA, log card, or decrypt mirror. The firewall supports standard and enterprise (PAN-OS specific) NetFlow templates. NetFlow collectors require templates to decipher the exported fields. The firewall selects a template based on the type of data it exports: IPv4 or IPv6 traffic, with or without NAT, and with standard or enterprise-specific fields.

To configure NetFlow data exports, define a NetFlow server profile, which specifies the NetFlow servers that will receive the data and specifies export parameters. After you assign the profile to an interface (see Network > Interfaces), the firewall exports NetFlow data for all traffic traversing that interface to the specified servers.

NetFlow Settings

Name: Enter a name for the NetFlow server profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Template Refresh Rate: Specify the number of Minutes (range is 1 to 3,600; default is 30) or Packets (range is 1 to 600; default is 20) after which the firewall refreshes the NetFlow template to apply any changes to its fields or a change to the template selection. The required refresh frequency depends on the NetFlow collector. If you add multiple NetFlow collectors to the server profile, use the value of the collector with the fastest refresh rate.

Active Timeout: Specify the frequency (in minutes) at which the firewall exports data records for each session (range is 1 to 60; default is 5). Set the frequency based on how often you want the NetFlow collector to update traffic statistics.

PAN-OS Field Types: Export PAN-OS specific fields for App-ID and the User-ID service in NetFlow records.

Servers

Name: Specify a name to identify the server (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Server: Specify the host name or IP address of the server. You can add a maximum of two servers per profile.

Port: Specify the port number for server access (default is 2055).
Device > Server Profiles > RADIUS
Select Device > Server Profiles > RADIUS or Panorama > Server Profiles > RADIUS to configure settings for the Remote Authentication Dial-In User Service (RADIUS) servers that authentication profiles reference (see Device > Authentication Profile). You can use RADIUS to authenticate end users who access your network resources (through GlobalProtect or Captive Portal), to authenticate administrators defined locally on the firewall or Panorama, and to authenticate and authorize administrators defined externally on the RADIUS server.
RADIUS Server Settings    Description
Profile Name: Enter a name to identify the server profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location: Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.
Administrator Use Only: Select this option to specify that only administrator accounts can use the profile for authentication. For firewalls that have multiple virtual systems, this option appears only if the Location is Shared.
Timeout: Enter an interval in seconds after which an authentication request times out (range is 1 to 120; default is 3).
If you use the RADIUS server profile to integrate the firewall with an MFA service, enter an interval that gives users enough time to respond to the authentication challenge. For example, if the MFA service prompts for a one-time password (OTP), users need time to see the OTP on their endpoint device and then enter the OTP in the MFA login page.
Retries: Enter the number of automatic retries following a timeout before the request fails (range is 1 to 5; default is 3).
Servers: Configure information for each server in the preferred order.
- Name: Enter a name to identify the server.
- RADIUS Server: Enter the server IP address or FQDN.
- Secret/Confirm Secret: Enter and confirm a key to verify and encrypt the connection between the firewall and the RADIUS server.
- Port: Enter the server port (range is 1 to 65,535; default is 1812) for authentication requests.
Device > Server Profiles > TACACS+
Select Device > Server Profiles > TACACS+ or Panorama > Server Profiles > TACACS+ to configure the settings that define how the firewall or Panorama connects to Terminal Access Controller Access-Control System Plus (TACACS+) servers (see Device > Authentication Profile). You can use TACACS+ to authenticate end users who access your network resources (through GlobalProtect or Captive Portal), to authenticate administrators defined locally on the firewall or Panorama, and to authenticate and authorize administrators defined externally on the TACACS+ server.
TACACS+ Server Settings    Description
Profile Name: Enter a name to identify the server profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location: Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.
Administrator Use Only: Select this option to specify that only administrator accounts can use the profile for authentication. For multi-vsys firewalls, this option appears only if the Location is Shared.
Timeout: Enter an interval in seconds after which an authentication request times out (range is 1 to 120; default is 3).
Use single connection for all authentication: Select this option to use the same TCP session for all authentications. This option improves performance by avoiding the processing required to initiate and tear down a separate TCP session for each authentication event.
Servers: Click Add and specify the following settings for each TACACS+ server:
- Name: Enter a name to identify the server.
- TACACS+ Server: Enter the IP address or FQDN of the TACACS+ server.
- Secret/Confirm Secret: Enter and confirm a key to verify and encrypt the connection between the firewall and the TACACS+ server.
- Port: Enter the server port (default is 49) for authentication requests.
Device > Server Profiles > LDAP
Select Device > Server Profiles > LDAP or Panorama > Server Profiles > LDAP to configure settings for the Lightweight Directory Access Protocol (LDAP) servers that authentication profiles reference (see Device > Authentication Profile). You can use LDAP to authenticate end users who access your network resources (through GlobalProtect or Captive Portal) and administrators defined locally on the firewall or Panorama.
LDAP Server Settings    Description
Profile Name: Enter a name to identify the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location: Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.
Administrator Use Only: Select this option to specify that only administrator accounts can use the profile for authentication. For firewalls that have multiple virtual systems, this option appears only if the Location is Shared.
Servers: For each LDAP server, click Add and enter the host Name, IP address or FQDN (LDAP Server), and Port (default is 389).
Type: Choose the server type from the drop-down.
Base DN: Specify the root context in the directory server to narrow the search for user or group information.
Bind DN: Specify the login name (Distinguished Name) for the directory server.
Password/Confirm Password: Specify the bind account password. The agent saves the encrypted password in the configuration file.
Bind Timeout: Specify the time limit (in seconds) imposed when connecting to the directory server (range is 1 to 30; default is 30).
Search Timeout: Specify the time limit (in seconds) imposed when performing directory searches (range is 1 to 30; default is 30).
Retry Interval: Specify the interval (in seconds) after which the system will try to connect to the LDAP server after a previous failed attempt (range is 1 to 3,600; default is 60).
Require SSL/TLS secured connection: Select this option if you want the firewall to use SSL or TLS for communications with the directory server. The protocol depends on the server port:
- 389 (default): TLS (Specifically, the firewall uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
- 636: SSL
- Any other port: The firewall first attempts to use TLS. If the directory server doesn't support TLS, the firewall falls back to SSL.
This option is selected by default.
Verify Server Certificate for SSL sessions: Select this option (cleared by default) if you want the firewall to verify the certificate that the directory server presents for SSL/TLS connections. The firewall verifies the certificate in two respects:
- The certificate is trusted and valid. For the firewall to trust the certificate, its root certificate authority (CA) and any intermediate certificates must be in the certificate store under Device > Certificate Management > Certificates > Device Certificates.
- The certificate name must match the host Name of the LDAP server. The firewall first checks the certificate attribute SubjectAltName for matching, then tries the attribute SubjectDN. If the certificate uses the FQDN of the directory server, you must use the FQDN in the LDAP Server field for the name matching to succeed.
If the verification fails, the connection fails. To enable this verification, you must also select Require SSL/TLS secured connection.
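The port-based protocol selection and the two-part certificate check described above, as an added Python example that is not PAN-OS code; certificates are represented by already-parsed values, and the function names and sample values are constructed for this example:

```python
"""LDAP server-profile transport selection and certificate name matching
(added example, not PAN-OS code). Models the Require SSL/TLS secured
connection and Verify Server Certificate for SSL sessions behaviour:
protocol chosen by port, CA chain trust, then a name match that tries
SubjectAltName before the Subject DN. Certificates are represented by
already-parsed values; function names and sample data are constructed.
"""
import ipaddress


def ldap_transport_for_port(port, server_supports_tls=True):
    """389 -> StartTLS, 636 -> SSL (LDAPS); any other port tries TLS first and
    falls back to SSL when the directory server does not support TLS."""
    if port == 389:
        return "starttls"
    if port == 636:
        return "ssl"
    return "tls" if server_supports_tls else "ssl"


def certificate_name_matches(ldap_server, san_dns, san_ip, subject_cn):
    """Return which attribute matched ('SubjectAltName' or 'SubjectDN') or None.

    ldap_server is the value of the LDAP Server field; san_dns / san_ip are the
    certificate's SubjectAltName entries; subject_cn is the CN from SubjectDN.
    """
    try:
        configured_ip = ipaddress.ip_address(ldap_server)
    except ValueError:
        configured_ip = None
    if configured_ip is not None:
        # An address only matches an IP-type SAN. A certificate issued to the
        # server's FQDN fails here, which is why the field must then hold the FQDN.
        for candidate in san_ip:
            if ipaddress.ip_address(candidate) == configured_ip:
                return "SubjectAltName"
        return None
    target = ldap_server.lower().rstrip(".")
    if any(name.lower().rstrip(".") == target for name in san_dns):
        return "SubjectAltName"
    if subject_cn is not None and subject_cn.lower().rstrip(".") == target:
        return "SubjectDN"
    return None


def check_ldap_profile(ldap_server, port, require_ssl_tls, verify_server_certificate,
                       chain_trusted, san_dns=(), san_ip=(), subject_cn=None):
    """Return (connection_allowed, reason) for one server in the profile.

    chain_trusted stands for "root CA and intermediates are present under
    Device > Certificate Management > Certificates > Device Certificates".
    """
    if not require_ssl_tls:
        return True, "plaintext LDAP: no certificate is presented or verified"
    transport = ldap_transport_for_port(port)
    if not verify_server_certificate:
        return True, transport + ": encrypted, but the server certificate is not verified"
    if not chain_trusted:
        return False, transport + ": issuing CA chain is not in Device Certificates"
    matched = certificate_name_matches(ldap_server, san_dns, san_ip, subject_cn)
    if matched is None:
        return False, transport + ": certificate name does not match " + ldap_server
    return True, transport + ": certificate trusted, name matched via " + matched


if __name__ == "__main__":
    # Constructed certificate: issued to the FQDN only, no IP-type SAN.
    cert_dns, cert_ip, cert_cn = ["ldap.corp.example"], [], "ldap.corp.example"
    for server in ("ldap.corp.example", "192.0.2.10"):
        print(server, "->", check_ldap_profile(server, 389, True, True, True,
                                               cert_dns, cert_ip, cert_cn))
```

The second sample server shows the failure the guide warns about: the same certificate is rejected when the LDAP Server field holds an IP address instead of the FQDN.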
Device > Server Profiles > Kerberos
Select Device > Server Profiles > Kerberos or Panorama > Server Profiles > Kerberos to configure a server profile that enables users to natively authenticate to an Active Directory domain controller or a Kerberos V5-compliant authentication server. After configuring a Kerberos server profile, you can assign it to an authentication profile (see Device > Authentication Profile). You can use Kerberos to authenticate end users who access your network resources (through GlobalProtect or Captive Portal) and administrators defined locally on the firewall or Panorama.
To use Kerberos authentication, your backend Kerberos server must be accessible over an IPv4 address. IPv6 addresses are not supported.
Kerberos Server Settings    Description
Profile Name: Enter a name to identify the server (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location: Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.
Administrator Use Only: Select this option to specify that only administrator accounts can use the profile for authentication. For firewalls that have multiple virtual systems, this option appears only if the Location is Shared.
Servers: For each Kerberos server, click Add and specify the following settings:
- Name: Enter a name for the server.
- Kerberos Server: Enter the server IPv4 address or FQDN.
- Port: Enter an optional port (range is 1 to 65,535; default is 88) for communication with the server.
Device > Server Profiles > SAML Identity Provider
Use this page to register a Security Assertion Markup Language (SAML) 2.0 identity provider (IdP) with the firewall or Panorama. Registration is a necessary step to enable the firewall or Panorama to function as a SAML service provider, which controls access to your network resources. When administrators and end users request resources, the service provider redirects the users to the IdP for authentication. The end users can be GlobalProtect or Captive Portal users. The administrators can be managed locally on the firewall and Panorama or managed externally in the IdP identity store. You can configure SAML single sign-on (SSO) so that each user can automatically access multiple resources after logging in to one. You can also configure SAML single logout (SLO) so that each user can simultaneously log out of every SSO-enabled service by logging out of any single service.
Authentication sequences don't support authentication profiles that specify SAML IdP server profiles.
In most cases, you cannot use SSO to access multiple apps on the same mobile device.
You cannot enable SLO for Captive Portal users.
The easiest way to create a SAML IdP server profile is to Import a metadata file containing the registration information from the IdP. After saving a server profile with imported values, you can edit the profile to modify the values. If the IdP doesn't provide a metadata file, you can Add the server profile and manually enter the information. After creating a server profile, assign it to an authentication profile (see Device > Authentication Profile) for specific firewall or Panorama services.
SAML Identity Provider Server Settings    Description
Profile Name: Enter a name to identify the server (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location: Select the scope in which the profile is available. In the context of a firewall that has multiple virtual systems, select a virtual system or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.
Administrator Use Only: Select this option to specify that only administrator accounts can use the profile for authentication. For firewalls that have multiple virtual systems, this option appears only if the Location is Shared.
Identity Provider ID: Enter an identifier for the IdP. Your IdP provides this information.
Identity Provider Certificate: Select the certificate that the IdP uses to sign SAML messages that it sends to the firewall. To validate the IdP certificate, you must specify a Certificate Profile in any authentication profile that references the IdP server profile (see Device > Authentication Profile).
When generating or importing a certificate and its associated private key, remember that the key usage attributes specified in the certificate control what you can use the key for. If the certificate explicitly lists key usage attributes, one of the attributes must be Digital Signature, which is not available in certificates that you generate on the firewall. In this case, you must Import the certificate and key from your enterprise certificate authority (CA) or a third-party CA. If the certificate doesn't specify key usage attributes, you can use the key for any purpose, including signing messages. In this case, you can use any method to obtain the certificate and key for signing SAML messages.
IdP certificates support the following algorithms:
- Public key algorithms: RSA (1,024 bits or larger) and ECDSA (all sizes). A firewall in FIPS/CC mode supports RSA (2,048 bits or larger) and ECDSA (all sizes).
- Signature algorithms: SHA1, SHA256, SHA384, and SHA512. A firewall in FIPS/CC mode supports SHA256, SHA384, and SHA512.
Palo Alto Networks recommends selecting an IdP certificate to ensure the integrity of messages that the IdP sends to the firewall.
Identity Provider SSO URL: Enter the URL that the IdP advertises for its single sign-on (SSO) service. If you create the server profile by importing a metadata file and the file specifies multiple SSO URLs, the firewall uses the first URL that specifies a POST or redirect binding method.
Palo Alto Networks strongly recommends using a URL that relies on HTTPS, although SAML also supports HTTP.
Identity Provider SLO URL: Enter the URL that the IdP advertises for its single logout (SLO) service. If you create the server profile by importing a metadata file and the file specifies multiple SLO URLs, the firewall uses the first URL that specifies a POST or redirect binding method.
Palo Alto Networks strongly recommends using a URL that relies on HTTPS, although SAML also supports HTTP.
Identity Provider Metadata: This field displays only if you Import an IdP metadata file that you uploaded to the firewall from the IdP. The file specifies the values and signing certificate for a new SAML IdP server profile. Browse to the file, specify the Profile Name and Maximum Clock Skew, and then click OK to create the profile. Optionally, you can edit the profile to change the imported values.
Validate Identity Provider Certificate: Select this option to have the firewall authenticate the IdP by verifying the Identity Provider Certificate. The verification occurs after you assign the SAML IdP server profile to an authentication profile and Commit the configuration. In the authentication profile, select a Certificate Profile to verify the IdP certificate (see Device > Authentication Profile).
Sign SAML Message to IdP: Select this option to specify that the firewall sign messages it sends to the IdP. The firewall uses the Certificate for Signing Requests that you specify in an authentication profile (see Device > Authentication Profile).
Using a signing certificate ensures the integrity of messages sent to the IdP.
Maximum Clock Skew: Enter the maximum acceptable time difference in seconds between the IdP and firewall system times at the moment when the firewall validates a message that it receives from the IdP (range is 1 to 900; default is 60). If the time difference exceeds this value, the validation (and thus authentication) fails.
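How a service provider applies the Maximum Clock Skew to an assertion's validity window, as an added Python example that is not PAN-OS code; the assertion below is constructed and the function names are assumptions:

```python
"""Validity-window check with Maximum Clock Skew (added example, not PAN-OS code).

A SAML service provider compares the assertion's Conditions NotBefore and
NotOnOrAfter attributes with its own clock. The skew value (range 1 to 900
seconds, default 60) widens the window on both sides so that a small clock
difference between IdP and firewall does not reject a valid assertion.
Function names and the sample assertion are constructed for this example.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a five-minute validity window, not a real IdP response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2017-02-06T10:00:00Z">
  <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2017-02-06T10:00:00Z"
                   NotOnOrAfter="2017-02-06T10:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse the xs:dateTime form SAML uses: UTC, optional fraction, trailing Z."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in Z: %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def validate_conditions(assertion_xml, now, max_clock_skew=60):
    """Return (ok, reason) for the Conditions element at time `now` (aware datetime)."""
    if not 1 <= max_clock_skew <= 900:
        raise ValueError("Maximum Clock Skew must be between 1 and 900 seconds")
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "assertion carries no Conditions element"
    skew = timedelta(seconds=max_clock_skew)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    # The firewall's clock may run up to `skew` behind the IdP: accept if the
    # window would already be open were our clock that far behind.
    if not_before is not None and now + skew < parse_saml_time(not_before):
        return False, "not yet valid: NotBefore exceeds now plus the allowed skew"
    # Likewise our clock may run ahead: reject only once even the earliest
    # plausible IdP time is at or past NotOnOrAfter.
    if not_on_or_after is not None and now - skew >= parse_saml_time(not_on_or_after):
        return False, "expired: NotOnOrAfter passed beyond the allowed skew"
    return True, "within the validity window"


def validate_sample_at(now_utc, max_clock_skew=60):
    """Convenience wrapper: check SAMPLE_ASSERTION at a UTC time given as a string."""
    return validate_conditions(SAMPLE_ASSERTION, parse_saml_time(now_utc), max_clock_skew)


if __name__ == "__main__":
    for when, skew in (("2017-02-06T09:58:00Z", 60), ("2017-02-06T09:58:00Z", 300),
                       ("2017-02-06T10:06:00Z", 60)):
        ok, reason = validate_sample_at(when, skew)
        print("%s skew=%3ds -> %s (%s)" % (when, skew, "accept" if ok else "reject", reason))
```

The first two runs show the same two-minute clock difference being rejected at the default 60-second skew and accepted at 300 seconds, which is the trade-off the setting controls.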
Device > Server Profiles > DNS
To simplify configuration for a virtual system, a DNS server profile allows you to specify the virtual system that is being configured, an inheritance source or the primary and secondary DNS addresses for DNS servers, and the source interface and source address (service route) that will be used in packets sent to the DNS server. The source interface and source address are used as the destination interface and destination address in the reply from the DNS server.
A DNS server profile is for a virtual system only; it is not for the global Shared location.
DNS Server Profile Settings    Description
Name: Name the DNS Server profile.
Location: Select the virtual system to which the profile applies.
Inheritance Source: Select None if the DNS server addresses are not inherited. Otherwise, specify the DNS server from which the profile should inherit settings.
Check inheritance source status: Click to see the inheritance source information.
Primary DNS: Specify the IP address of the primary DNS server.
Secondary DNS: Specify the IP address of the secondary DNS server.
Service Route IPv4: Select this option if you want to specify that packets going to the DNS server are sourced from an IPv4 address.
Source Interface: Specify the source interface that packets going to the DNS server will use.
Source Address: Specify the IPv4 source address from which packets going to the DNS server are sourced.
Service Route IPv6: Select this option if you want to specify that packets going to the DNS server are sourced from an IPv6 address.
Source Interface: Specify the source interface that packets going to the DNS server will use.
Source Address: Specify the IPv6 source address from which packets going to the DNS server are sourced.
Device > Server Profiles > Multi Factor Authentication
Use this page to configure a multi-factor authentication (MFA) server profile that defines how the firewall connects to an MFA server. MFA can protect your most sensitive resources by ensuring that attackers cannot access your network and move laterally through it by compromising a single authentication factor (for example, stealing login credentials). The firewall supports MFA only for end users, not firewall administrators. You can configure an MFA server profile for Duo v2, Okta Adaptive, and PingID MFA. After configuring the server profile, assign it to authentication profiles for the services that require authentication (see Device > Authentication Profile).
The complete procedure to configure MFA requires additional tasks besides creating a server profile.
Authentication sequences do not support authentication profiles that specify MFA server profiles.
If the firewall integrates with your MFA vendor through RADIUS, configure a RADIUS server profile (see Device > Server Profiles > RADIUS). The firewall supports all MFA vendors through RADIUS.
MFA Server Settings    Description
Name: Enter a name to identify the server (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location: On a firewall that has more than one virtual system (vsys), select a vsys or the Shared location. After you save the profile, you cannot change its Location.
Type/Value: Select an MFA vendor Type and enter a Value for each vendor attribute. The attributes vary by vendor. Refer to your vendor documentation for the correct values.
Duo v2:
- API Host: The hostname of the Duo v2 server.
- Integration Key and Secret Key: The firewall uses these keys to authenticate to the Duo v2 server and to sign authentication requests that it sends to the server. To secure these keys, the master key on the firewall automatically encrypts them so that their plaintext values are not exposed anywhere in the firewall storage. Contact your Duo v2 administrator to obtain the keys.
- Timeout: Enter the time in seconds after which the firewall times out when attempting to communicate with the API Host (range is 5 to 600; default is 30). This interval must be longer than the timeout between the API host and the endpoint device of the user.
- Base URI: If your organization hosts a local authentication proxy server for the Duo v2 server, enter the proxy server URI (default /auth/v2).
Okta Adaptive:
- API Host: The hostname of the Okta server.
- Base URI: If your organization hosts a local authentication proxy server for the Okta server, enter the proxy server URI (default /api/v1).
- Token: The firewall uses this token to authenticate to the Okta server and to sign authentication requests that it sends to the server. To secure the token, the master key on the firewall automatically encrypts it so that its plaintext value is not exposed anywhere in the firewall storage. Contact your Okta administrator to obtain the token.
- Organization: The subdomain for your organization in the API Host.
- Timeout: Enter the time in seconds after which the firewall times out when attempting to communicate with the API Host (range is 5 to 600; default is 30). This interval must be longer than the timeout between the API host and the endpoint device of the user.
PingID:
- Base URI: If your organization hosts a local authentication proxy server for the PingID server, enter the proxy server URI (default /pingid/rest/4).
- Host name: Enter the hostname of the PingID server (default idpxnyl3m.pingidentity.com).
- Use Base64 Key and Token: The firewall uses the key and token to authenticate to the PingID server and to sign authentication requests that it sends to the server. To secure the key and token, the master key on the firewall automatically encrypts them so that their plaintext values are not exposed anywhere in the firewall storage. Contact your PingID administrator to obtain the values.
- PingID Client Organization ID: The PingID identifier for your organization.
- Timeout: Enter the time in seconds after which the firewall times out when attempting to communicate with the PingID server specified in the Host name field (range is 5 to 600; default is 30). This interval must be longer than the timeout between the PingID server and the endpoint device of the user.
Device > Local User Database > Users
You can set up a local database on the firewall to store authentication information for firewall administrators, Captive Portal end users, and end users who authenticate to a GlobalProtect portal and GlobalProtect gateway. Local database authentication requires no external authentication service; you perform all account management on the firewall. After creating the local database and (optionally) assigning the users to groups (see Device > Local User Database > User Groups), you can configure an authentication profile (see Device > Authentication Profile) based on the local database.
You cannot configure Device > Password Profiles for administrative accounts that use local database authentication.
To Add a local user to the database, configure the settings described in the following table.
Local User Settings    Description
Name: Enter a name to identify the user (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location: Select the scope in which the user account is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the user account, you can't change its Location.
Mode: Use this field to specify the authentication option:
- Password: Enter and confirm a password for the user.
- Password Hash: Enter a hashed password string. This can be useful if, for example, you want to reuse the credentials for an existing Unix account but don't know the plaintext password, only the hashed password. The firewall accepts any string of up to 63 characters regardless of the algorithm used to generate the hash value. The operational CLI command request password-hash password uses the MD5 algorithm when the firewall is in normal mode and the SHA256 algorithm when the firewall is in CC/FIPS mode.
Any Minimum Password Complexity parameters you set for the firewall (Device > Setup > Management) do not apply to accounts that use a Password Hash.
Enable: Select this option to activate the user account.
Device > Local User Database > User Groups
Local User Group Settings    Description
Name: Enter a name to identify the group (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location: Select the scope in which the user group is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the user group, you can't change its Location.
All Local Users: Click Add to select the users you want to add to the group.
Device > Scheduled Log Export
You can schedule exports of logs and save them in CSV format to a File Transfer Protocol (FTP) server, or use Secure Copy (SCP) to securely transfer data between the firewall and a remote host. Log profiles contain the schedule and FTP server information. For example, a profile may specify that the previous day's logs are collected each day at 3 AM and stored on a particular FTP server.
Click Add and fill in the following details:
Scheduled Log Export Settings    Description
Name: Enter a name to identify the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
You cannot change the name after the profile is created.
Description: Enter an optional description (up to 255 characters).
Enable: Select this option to enable the scheduling of log exports.
Log Type: Select the type of log (traffic, threat, url, data, or hipmatch). Default is traffic.
Scheduled Export Start Time (Daily): Enter the time of day (hh:mm) to start the export using a 24-hour clock (00:00 to 23:59).
Protocol: Select the protocol to use to export logs from the firewall to a remote host:
- FTP: This protocol is not secure.
- SCP: This protocol is secure. After completing the remaining fields, you must click Test SCP server connection to test connectivity between the firewall and the SCP server, and you must verify and accept the host key of the SCP server.
Hostname: Enter the hostname or IP address of the FTP server that will be used for the export.
Port: Enter the port number that the FTP server will use. Default is 21.
Path: Specify the path located on the FTP server that will be used to store the exported information.
Enable FTP Passive Mode: Select this option to use passive mode for the export. By default, this option is selected.
Username: Enter the username for access to the FTP server. Default is anonymous.
Password/Confirm Password: Enter the password for access to the FTP server. A password is not required if the user is anonymous.
Test SCP server connection (SCP protocol only): If you set the Protocol to SCP, you must click this button to test connectivity between the firewall and the SCP server and then verify and accept the host key of the SCP server.
If you use a Panorama template to configure the log export schedule, you must perform this step after committing the template configuration to the firewalls. After the template commit, log in to each firewall, open the log export schedule, and click Test SCP server connection.
Device > Software
The following table provides help for using the Software page.
Software Options Fields    Description
Version: Lists the software versions that are currently available on the Palo Alto Networks Update Server. To check if a new software release is available from Palo Alto Networks, click Check Now. The firewall uses the service route to connect to the Update Server, checks for new versions and, if there are updates available, displays them at the top of the list.
Size: Indicates the size of the software image.
Release Date: Indicates the date and time Palo Alto Networks made the release available.
Available: Indicates that the corresponding version of the software image is uploaded or downloaded to the firewall.
Currently Installed: Indicates whether the corresponding version of the software image is activated and is currently running on the firewall.
Action: Indicates the current action you can take for the corresponding software image as follows:
- Download: The corresponding software version is available on the Palo Alto Networks Update Server; click to Download an available software version.
- Install: The corresponding software version has been downloaded or uploaded to the firewall; click to Install the software. A reboot is required to complete the upgrade process.
- Reinstall: The corresponding software version was installed previously; click to Reinstall the same version.
Release Notes: Provides a link to the release notes for the corresponding software update. This link is only available for updates that you download from the Palo Alto Networks Update Server; it is not available for uploaded updates.
Removes the previously downloaded or uploaded software image from the firewall. You would only want to delete the base image for older releases that will not need upgrading. For example, if you are running 7.0, you can remove the base image for 6.1 unless you think you might need to downgrade.
Check Now: Checks whether a new software update is available from Palo Alto Networks.
Upload: Imports a software update image from a computer that the firewall can access. Typically, you perform this action if the firewall doesn't have Internet access, which is required when downloading updates from the Palo Alto Networks Update Server. For uploads, use an Internet-connected computer to visit the Palo Alto Networks website, download the software image from the Support site (Software Updates) to your computer, select Device > Software on the firewall and Upload the software image. In a high availability (HA) configuration, you can select Sync To Peer to push the imported software image to the HA peer. After the upload, the Software page displays the same information (for example, version and size) and Install/Reinstall options for uploaded and downloaded software. The Release Notes option is not active for uploaded software.
Device>DynamicUpdates
Device>DynamicUpdates
Panorama>DynamicUpdates
PaloAltoNetworksregularlypostsupdatesforapplicationdetection,threatprotection,andGlobalProtect
datafilesthroughdynamicupdatesasfollows:
AntivirusIncludesnewandupdatedantivirussignatures,includingWildFiresignaturesand
automaticallygeneratedcommandandcontrol(C2)signatures.WildFiresignaturesdetectmalwarefirst
seenbyfirewallsfromaroundtheworld.AutomaticallygeneratedC2signaturesdetectcertainpatterns
inC2traffic(insteadoftheC2serversendingmaliciouscommandstoacompromisedsystem);these
signaturesenablethefirewalltodetectC2activityevenwhentheC2hostisunknownorchangesrapidly.
YoumusthaveaThreatPreventionsubscriptiontogettheseupdates.Newantivirussignaturesare
publisheddaily.
ApplicationsIncludesnewandupdatedapplicationsignatures.Thisupdatedoesnotrequireany
additionalsubscriptions,butitdoesrequireavalidmaintenance/supportcontract.Newapplication
updatesarepublishedweekly.
ApplicationsandThreatsIncludesnewandupdatedapplicationandthreatsignatures.Thisupdateis
availableifyouhaveaThreatPreventionsubscription(andinthiscaseyouwillgetthisupdateinsteadof
theApplicationsupdate).NewApplicationsandThreatsupdatesarepublishedweekly,andyoucanset
thefirewalltoretrievethelatestupdateswithin30minutesofavailability.Youcanalsochoosetoinstall
onlythenewthreatsignaturesinacontentreleaseversion.Youarepromptedwiththisoptionbothwhen
installingacontentreleaseandwhensettingthescheduletoautomaticallyinstallcontentrelease
versions.Thisoptionallowsyoutobenefitfromnewthreatsignaturesimmediately;youcanthenreview
thepolicyimpactfornewapplicationsignaturesandmakeanynecessarypolicyupdatesbeforeenabling
them.
GlobalProtectDataFileContainsthevendorspecificinformationfordefiningandevaluatinghost
informationprofile(HIP)datareturnedbyGlobalProtectagents.YoumusthaveaGlobalProtectgateway
subscriptioninordertoreceivetheseupdates.Inaddition,youmustcreateaschedulefortheseupdates
beforeGlobalProtectwillfunction.
GlobalProtectClientlessVPNContainsnewandupdatedapplicationsignaturestoenableClientless
VPNaccesstocommonwebapplicationsfromtheGlobalProtectportal.YoumusthaveaGlobalProtect
subscriptiontoreceivetheseupdates.Inaddition,youmustcreateaschedulefortheseupdatesbefore
GlobalProtectClientlessVPNwillfunction.
BrightCloudURLFilteringProvidesupdatestotheBrightCloudURLFilteringdatabaseonly.Youmust
haveaBrightCloudsubscriptiontogettheseupdates.NewBrightCloudURLdatabaseupdatesare
publisheddaily.IfyouhaveaPANDBlicense,scheduledupdatesarenotrequiredasfirewallsremain
insyncwiththeserversautomatically.
WildFireProvidesnearrealtimemalwareandantivirussignaturescreatedasaresultoftheanalysis
donebytheWildFirepubliccloud.WildFiresignatureupdatesaremadeavailableeveryfiveminutes.You
cansetthefirewalltocheckfornewupdatesasfrequentlyaseveryminutetoensurethatthefirewall
retrievesthelatestWildFiresignatureswithinaminuteofavailability.WithouttheWildFiresubscription,
youmustwait24to48hoursfortheWildFiresignaturestorollintotheApplicationsandThreatupdate.
SelectDevice > Setup > WildFiretoenableWildFire Public Cloudanalysis.
WFPrivateProvidesnearrealtimemalwareandantivirussignaturescreatedasaresultoftheanalysis
donebyaWF500appliance.ToreceivecontentupdatesfromaWF500appliance,thefirewalland
appliancemustbothberunningPANOS6.1oralaterreleaseandthefirewallmustbeconfiguredto
forwardfilesandemaillinkstotheWildFirePrivateCloud.SelectDevice>Setup>WildFiretoenable
WildFirePrivateCloudanalysis.
Youcanviewthelatestupdates,readthereleasenotesforeachupdate,andthenselecttheupdateyouwant
todownloadandinstall.Youcanalsoreverttoapreviouslyinstalledversionofanupdate.
IfyouaremanagingyourfirewallsusingPanoramaandwanttoscheduledynamicupdatesforoneormore
firewalls,seeScheduleDynamicContentUpdates.
Dynamic Updates Options  Description
Version: Lists the versions that are currently available on the Palo Alto Networks Update Server. To check if a new software release is available from Palo Alto Networks, click Check Now. The firewall uses the service route to connect to the Update Server and checks for new content release versions and, if there are updates available, displays them at the top of the list.
Last checked: Displays the date and time that the firewall last connected to the update server and checked if an update was available.
Schedule: Allows you to schedule the frequency for retrieving updates. You can define how often and when the dynamic content updates occur (the Recurrence and time) and whether to Download Only or to Download and Install the scheduled updates on the firewall.
When scheduling recurring downloads and installations for content updates, you can choose to Disable new apps in content update. This option enables protection against the latest threats while giving you the flexibility to enable applications after preparing policy updates that might be necessary for applications that are newly identified and possibly treated differently following the update. (To later enable applications that are automatically disabled for scheduled content updates, select Apps, Threats on the Dynamic Updates page or select Objects > Applications.)
In rare instances, there can be an error in a content update. You can reduce the chance of being impacted by an unexpected issue by delaying updates to new versions until content updates have been released for a specified number of hours. To delay updates to new content versions, add a Threshold (hours) value. For example, if you specify a threshold of 48 hours and your firewall is configured to download and install updates every hour, the firewall will query the update server every hour but will not download and install a new update until that update has remained available for more than 48 hours.
File Name: Lists the file name; it includes the content version information.
Features: Lists what type of signatures the content version might include. For Applications and Threats content release versions, this field might display an option to review Apps, Threats. Click this option to view new application signatures made available since the last content release version installed on the firewall. You can also use the New Applications dialog to Enable/Disable new applications. You might choose to disable a new application included in a content release if you want to avoid any policy impact from an application being uniquely identified (an application might be treated differently before and after a content installation if a previously unknown application is identified and categorized differently).
Type: Indicates whether the download includes a full database update or an incremental update.
Size: Displays the size of the content update package.
Release Date: The date and time Palo Alto Networks made the content release available.
Downloaded: A check mark in this column indicates that the corresponding content release version has been downloaded to the firewall.
Currently Installed: A check mark in this column indicates that the corresponding content release version is currently running on the firewall.
Action: Indicates the current action you can take for the corresponding software image, as follows:
Download: The corresponding content release version is available on the Palo Alto Networks Update Server; click to Download the content release version. If the firewall does not have access to the Internet, use an Internet-connected computer to go to the Dynamic Updates site to look for and Download the content release version to your local computer. Then manually Upload the software image to the firewall. Additionally, downloading an Application and Threat content release version enables the option to Review Policies that are affected by new application signatures included with the release.
Review Policies (Application and Threat content only): Review any policy impact for new applications included in a content release version. Use this option to assess the treatment an application receives both before and after installing a content update. You can also use the Policy Review dialog to add or remove a pending application (an application that is downloaded with a content release version but is not installed on the firewall) to or from an existing Security policy rule; policy changes for pending applications do not take effect until the corresponding content release version is installed.
Install: The corresponding content release version has been downloaded to the firewall; click to Install the update. When installing a new Applications and Threats content release version, you are prompted with the option to Disable new apps in content update. This option enables protection against the latest threats while giving you the flexibility to enable applications after preparing any policy updates needed due to the impact of new application signatures (to enable applications you have previously disabled, select Apps, Threats on the Dynamic Updates page or select Objects > Applications).
Revert: The corresponding content release version was downloaded previously. To reinstall the same version, click Revert.
Remove the previously downloaded content release version from the firewall.
Documentation: Provides a link to the release notes for the corresponding version.
Upload: If the firewall does not have access to the Palo Alto Networks Update Server, you can manually download dynamic updates from the Palo Alto Networks Support site, in the Dynamic Updates section. After you download an update to your computer, Upload the update to the firewall. You then select Install From File and select the file you downloaded.
Install From File: After you manually upload an update file to the firewall, use this option to install the file. In the Package Type drop-down, select the type of update you are installing (Application and Threats, Antivirus, or WildFire), click OK, select the file you want to install, and then click OK again to start the installation.
Device > Licenses
To enable licenses for URL filtering, you must install the license, download the database, and click Activate. If you are using PAN-DB for URL Filtering, you will need to Download the initial seed database first and then Activate.
You can also run the CLI command request url-filtering download paloaltonetworks region <region name>.
Deactivate VM: This option is available on the VM-Series firewall with the Bring Your Own License model that supports perpetual and term-based licenses; the on-demand license model does not support this functionality.
Click Deactivate VM when you no longer need an instance of the VM-Series firewall. This option allows you to free up all active licenses (subscription licenses, VM-Capacity licenses, and support entitlements). The licenses are credited back to your account, and you can then apply the licenses on a new instance of a VM-Series firewall when you need it.
When the license is deactivated, the VM-Series firewall functionality is disabled and the firewall is in an unlicensed state. However, the configuration remains intact.
Click Continue Manually if the VM-Series firewall does not have direct internet access. The firewall generates a token file. Click Export license token to save the token file to your local computer and then reboot the firewall. Log in to the Palo Alto Networks Support portal, select Assets > Devices, and Deactivate VM to use this token file and complete the deactivation process.
Click Continue to deactivate the licenses on the VM-Series firewall. Click Reboot Now to complete the license deactivation process.
Click Cancel if you want to cancel and close the Deactivate VM window.
Upgrade VM Capacity: This option allows you to upgrade the capacity of your currently licensed VM-Series firewall. Upon upgrading the capacity, the VM-Series firewall retains all configuration and subscriptions it had prior to the upgrade.
If your firewall has connectivity to the license server: Select Authorization Code, enter your authorization code in the Authorization Code field, and click Continue to initiate the capacity upgrade.
If your firewall does not have connectivity to the license server: Select License Key, click Complete Manually to generate a token file, and save the token file to your local computer. Then log in to the Palo Alto Networks Support portal, select Assets > Devices, and Deactivate License(s) to use the token file. Download the license key for your VM-Series firewall to your local computer, add the license key to the firewall, and click Continue to complete the capacity upgrade.
If your firewall has connectivity to the license server but you do not have an Authorization Code: Select Fetch from license server, upgrade the firewall's capacity license on the license server before you attempt to upgrade the capacity, and then, after you verify that the license is upgraded on the license server, click Continue to initiate the capacity upgrade.
Behavior on License Expiry
Contact the Palo Alto Networks operations team or sales for information on renewing your licenses/subscriptions.
If the Threat Prevention subscription on the firewall expires, the following will occur:
A system log entry is generated; the entry states that the subscription has expired.
All threat prevention features will continue to function using the signatures that were installed at the time the license expired.
New signatures cannot be installed until a valid license is installed. Also, the ability to roll back to a previous version of the signatures is not supported if the license is expired.
Custom App-ID signatures will continue to function and can be modified.
If the support license expires, threat prevention and threat prevention updates will continue to function normally.
If your support entitlement expires, software updates will not be available. You will need to renew your license to continue access to software updates and to interact with the technical support group.
If a term-based VM capacity license expires, you cannot obtain software or content updates on the firewall until you renew the license. Although you might have a valid subscription (threat prevention or WildFire, for example) and support license, you must have a valid capacity license to obtain the latest software or content updates.
Device > Support
Panorama > Support
Select Device > Support or Panorama > Support to access support-related options. You can view the Palo Alto Networks contact information, view your support expiration date, and view product and security alerts from Palo Alto Networks based on the serial number of your firewall.
Perform any of the following functions on this page:
Support: Provides information on the support status of the device and provides a link to activate support using an authorization code.
Production Alerts/Application and Threat Alerts: These alerts will be retrieved from the Palo Alto Networks update servers when this page is accessed/refreshed. To view the details of production alerts, or application and threat alerts, click the alert name. Production alerts will be posted if there is a large-scale recall or urgent issue related to a given release. The application and threat alerts will be posted if significant threats are discovered.
Links: Provides common support links to help you manage your device and to access support contact information.
Tech Support File: Click Generate Tech Support File to generate a system file that the support team can use to help troubleshoot issues that you may be experiencing with the firewall. After you generate the file, Download Tech Support File and then send it to the Palo Alto Networks Support department.
If your browser is configured to automatically open files after download, you should turn off that option so the browser downloads the support file instead of attempting to open and extract it.
The contents of the core files can be interpreted only by a Palo Alto Networks support engineer.
Device > Master Key and Diagnostics
Select Device > Master Key and Diagnostics or Panorama > Master Key and Diagnostics to configure the master key that encrypts all passwords and private keys on the firewall or Panorama (such as the RSA key for authenticating administrators who access the CLI). Encrypting passwords and keys improves security by ensuring their plaintext values are not exposed anywhere on the firewall or Panorama.
The only way to restore the default master key is to perform a factory reset.
Palo Alto Networks recommends you configure a new master key instead of using the default key, store the key in a safe location, and periodically change it. For extra privacy, you can use a hardware security module to encrypt the master key (see Device > Setup > HSM). Configuring a unique master key on each firewall or Panorama management server ensures that an attacker who learns the master key for one appliance cannot access the passwords and private keys on any of your other appliances. However, you must use the same master key across multiple appliances in the following cases:
High availability (HA) configurations: If you deploy firewalls or Panorama in an HA configuration, use the same master key on both firewalls or Panorama management servers in the pair. Otherwise, HA synchronization does not work.
Panorama pushes configurations to firewalls: If you use Panorama to push configurations to managed firewalls, use the same master key on Panorama and the managed firewalls. Otherwise, push operations from Panorama will fail.
To configure a master key, edit the Master Key settings and use the following table to determine the appropriate values:
Master Key and Diagnostics Settings  Description
Current Master Key: Specify the key that is currently used to encrypt all of the private keys and passwords on the firewall.
New Master Key / Confirm Master Key: To change the master key, enter a 16-character string and confirm the new key.
Life Time: Specify the number of Days and Hours after which the master key expires (range is 1 to 730 days).
You must configure a new master key before the current key expires. If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then perform a factory reset.
Time for Reminder: Enter the number of Days and Hours before the master key expires when the firewall generates an expiration alarm. The firewall automatically opens the System Alarms dialog to display the alarm.
To ensure the expiration alarm displays, select Device > Log Settings, edit the Alarm Settings, and Enable Alarms.
Stored on HSM: Enable this option only if the master key is encrypted on a Hardware Security Module (HSM). You cannot use HSM on a dynamic interface such as a DHCP client or PPPoE.
The HSM configuration is not synchronized between peer firewalls in HA mode. Therefore, each peer in an HA pair can connect to a different HSM source. If you are using Panorama and need to keep both peer configurations in sync, use Panorama templates to configure the HSM source on the managed firewalls.
The PA-200, PA-220, and PA-500 firewalls do not support HSM.
Common Criteria: In Common Criteria mode, additional options are available to run a cryptographic algorithm self-test and software integrity self-test. A scheduler is also included to specify the times at which the two self-tests will run.
What are you looking for?  See:
Configure the PAN-OS integrated User-ID agent to map IP addresses to usernames: Device > User Identification > User Mapping
Configure the firewall to authenticate with Windows User-ID Agents: Device > User Identification > Connection Security
Configure the firewall to receive user mapping information from Windows-based User-ID agents or from Panorama, Log Collectors, or other firewalls: Device > User Identification > User-ID Agents
Configure user mapping in deployments where multiple users on a system have the same IP address: Device > User Identification > Terminal Services Agents
Configure username-to-group mapping: Device > User Identification > Group Mapping Settings
Use Captive Portal to force users to authenticate: Device > User Identification > Captive Portal Settings
Device > User Identification > User Mapping
Configure the PAN-OS integrated User-ID agent that runs on the firewall to map IP addresses to usernames.
What are you looking for?  See:
Configure the PAN-OS integrated User-ID agent. These settings define the methods that the User-ID agent uses to perform user mapping:
Enable the User-ID agent to monitor server logs for user mapping information: Enable Server Monitoring.
Ensure that the firewall has the most current user mapping information as users roam and obtain new IP addresses: Configure Cache Timeouts for User Mapping Entries.
Enable firewalls to share user and group mapping information to simplify User-ID management: Enable Redistribution of User Mappings Among Firewalls.
Configure the User-ID agent to parse syslog messages for user mapping information: Manage Syslog Message Filters.
Configure the User-ID agent to omit specific usernames from the mapping process: Manage the User Ignore List.
Enable NT LAN Manager (NTLM) authentication for user mapping through Captive Portal: Enable NTLM Authentication.
Enable the User-ID agent to use Windows Management Instrumentation (WMI) to probe client systems and monitoring servers for user mapping information: Enable WMI Authentication.
Enable the User-ID agent to probe client systems for user mapping information: Enable Client Probing.
Manage access to the servers that the User-ID agent monitors for user mapping information: Monitor Servers
Manage the subnetworks that the firewall includes or excludes when mapping IP addresses to usernames: Include or Exclude Subnetworks for User Mapping
Enable WMI Authentication
Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > WMI Authentication
To configure the PAN-OS integrated User-ID agent to use Windows Management Instrumentation (WMI) for probing client systems and monitoring Microsoft Exchange servers and domain controllers for user mapping information, complete the following fields.
Because WMI probing trusts data that is reported back from an endpoint, Palo Alto Networks recommends that you do not use this method to obtain User-ID mapping information in a high-security network. If you configure the User-ID agent to obtain mapping information by parsing Active Directory (AD) security event logs or syslog messages, or using the XML API, Palo Alto Networks recommends you disable WMI probing.
If you do use WMI probing, do not enable it on external, untrusted interfaces. Doing so causes the agent to send WMI probes containing sensitive information such as the username, domain name, and password hash of the User-ID agent service account outside of your network. An attacker could potentially exploit this information to penetrate and gain further access to your network.
WMI Authentication Settings  Description
The complete procedure to configure the PAN-OS integrated User-ID agent to monitor servers and probe clients requires additional tasks besides defining the WMI authentication settings.
Enable Client Probing
Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Client Probing
You can configure the User-ID agent to perform WMI client probing for each client system that the user mapping process identifies. The User-ID agent will periodically probe each learned IP address to verify that the same user is still logged in. When the firewall encounters an IP address for which it has no user mapping, it sends the address to the User-ID agent for an immediate probe. To configure client probing settings, complete the following fields.
Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured. Instead, collect user mapping information from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which have the added benefit of allowing you to safely capture user mapping information from any device type or operating system, instead of just Windows clients.
The complete procedure to configure the PAN-OS integrated User-ID agent to probe clients requires additional tasks besides configuring the client probing settings.
The PAN-OS integrated User-ID agent does not support NetBIOS probing, but the Windows-based User-ID agent does support it.
Client Probing Settings  Description
Enable Probing: Select this option to enable WMI probing.
Probe Interval (min): Enter the probe interval in minutes (range is 1 to 1,440; default is 20). This is the interval between when the firewall finishes processing the last request and when it starts the next request.
In large deployments, it is important to set the interval properly to allow time to probe each client that the user mapping process identified. For example, if you have 6,000 users and an interval of 10 minutes, it would require 10 WMI requests per second from each client.
If the probe request load is high, the observed delay between requests might significantly exceed the interval you specify.
Enable Server Monitoring
Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Server Monitor
To enable the User-ID agent to map IP addresses to usernames by searching for logon events in the security event logs of servers, configure the settings described in the following table.
If the query load is high for Windows server logs, Windows server sessions, or eDirectory servers, the observed delay between queries might significantly exceed the specified frequency or interval.
The complete procedure to configure the PAN-OS integrated User-ID agent to monitor servers requires additional tasks besides configuring the server monitoring settings.
Server Monitoring Settings  Description
Enable Security Log: Select this option to enable security log monitoring on Windows servers.
Server Log Monitor Frequency (sec): Specify the frequency in seconds at which the firewall will query Windows server security logs for user mapping information (range is 1 to 3,600; default is 2). This is the interval between when the firewall finishes processing the last query and
Enable Session: Select this option to enable monitoring of user sessions on the monitored servers. Each time a user connects to a server, a session is created; the firewall can use this information to identify the user IP address.
Do not Enable Session. This setting requires that the User-ID agent have an Active Directory account with Server Operator privileges so that it can read all user sessions. Instead, you should use a Syslog or XML API integration to monitor sources that capture login and logout events for all device types and operating systems (instead of only Windows operating systems), such as wireless controllers and NACs.
Server Session Read Frequency (sec): Specify the frequency in seconds at which the firewall will query Windows server user sessions for user mapping information (range is 1 to 3,600; default is 10). This is the interval between when the firewall finishes processing the last query and when it starts the next query.
Novell eDirectory Query Interval (sec): Specify the frequency in seconds at which the firewall will query Novell eDirectory servers for user mapping information (range is 1 to 3,600; default is 30). This is the interval between when the firewall finishes processing the last query and when it starts the next query.
Syslog Service Profile: Select an SSL/TLS service profile that specifies the certificate and allowed SSL/TLS versions for communications between the firewall and any syslog senders that the User-ID agent monitors. For details, see Device > Certificate Management > SSL/TLS Service Profile and Manage Syslog Message Filters. If you select none, the firewall uses its predefined, self-signed certificate.
Configure Cache Timeouts for User Mapping Entries
Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Cache
To ensure that the firewall has the most current user mapping information as users roam and obtain new IP addresses, configure timeouts for clearing user mappings from the firewall cache. This timeout applies to user mappings learned through any method except Captive Portal. For mappings learned through Captive Portal, set the timeout in the Captive Portal Settings (Device > User Identification > Captive Portal Settings, Timer and Idle Timer fields).
Cache Settings  Description
Enable User Identification Timeout: Select this option to enable a timeout value for user mapping entries. When the timeout value is reached for an entry, the firewall clears it and collects a new mapping. This ensures that the firewall has the most current information as users roam and obtain new IP addresses.
User Identification Timeout (min): Set the timeout value in minutes for user mapping entries (range is 1 to 3,600; default is 45).
If you configure firewalls to redistribute mapping information, each firewall clears the mapping entries it receives based on the timeout you set on that firewall, not on the timeouts set in the forwarding firewalls.
Enable NTLM Authentication
Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > NTLM
You can use NT LAN Manager (NTLM) to authenticate only Windows users. When a client web request matches an Authentication policy rule in which the authentication enforcement object specifies a browser challenge (see Policies > Authentication), an NTLM challenge transparently authenticates the client. The firewall then collects user mapping information from the NTLM domain.
You can enable NTLM authentication processing for only one virtual system per firewall, which you select in the Location drop-down at the top of the User Mapping page.
Optionally, you can use the firewall to perform NTLM authentication processing for other firewalls by adding it as a User-ID agent to those firewalls. For details, see Configure Access to User-ID Agents.
If you use the Windows-based User-ID agent, NTLM responses go directly to the domain controller where you installed the agent. For details, see the NTLM Authentication field in Device > User Identification > Captive Portal Settings.
Configure Authentication rules to use Kerberos single sign-on instead of NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and does not require the firewall to have an administrative account to join the domain. For details on configuring the authentication methods for Authentication rules, see Objects > Authentication.
The complete procedures to configure Captive Portal or Windows-based User-ID agents require additional tasks besides enabling NTLM.
To configure NTLM authentication processing, specify the settings described in the following table.
Field  Description
Enable NTLM authentication processing: Select this option to enable NTLM authentication processing.
NTLM Domain: Enter the NTLM domain name.
Admin User Name (for the NTLM domain): Enter the administrator account that has access to the NTLM domain. Do not include the domain in the Admin User Name field. Otherwise, the firewall will fail to join the domain.
Password/Confirm Password (for the NTLM domain): Enter the password for the administrator account that has access to the NTLM domain.
Enable Redistribution of User Mappings Among Firewalls
Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Redistribution
To enable a firewall or virtual system to serve as a User-ID agent that redistributes user mapping information along with the timestamps associated with authentication challenges, configure the settings described in the following table. When you later connect this firewall to an appliance (such as Panorama) that will receive the mapping information and timestamps, the appliance uses these fields to identify the firewall or virtual system as a User-ID agent.
The complete procedure to configure firewalls to redistribute user mapping information and authentication timestamps requires additional tasks besides specifying the redistribution settings.
By default, a firewall with multiple virtual systems doesn't redistribute user mapping information across its virtual systems, though you can configure them for redistribution.
Redistribution Settings  Description
Collector Name: Enter a collector name (up to 255 alphanumeric characters) to identify the firewall or virtual system as a User-ID agent.
Pre-Shared Key / Confirm Pre-Shared Key: Enter a pre-shared key (up to 255 alphanumeric characters) to identify the firewall or virtual system as a User-ID agent.
Manage Syslog Message Filters
Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Syslog Filters
The User-ID agent uses Syslog Parse profiles to filter syslog messages sent from the syslog senders that you select for monitoring (see Configure Access to Monitored Servers). Each profile can parse syslog messages for either of the following event types, but not both:
Authentication (login) events: Used to add IP address-to-username mappings to the firewall.
Logout events: Used to delete user mappings that are no longer current. Deleting outdated mappings is useful in environments where IP address assignments change often.
Palo Alto Networks provides predefined Syslog Parse profiles through Applications content updates. To dynamically update the list of profiles as vendors develop new filters, schedule dynamic content updates (see Device > Dynamic Updates). The predefined profiles are global to the firewall, whereas the custom profiles you configure apply only to the virtual system (Location) selected in Device > User Identification > User Mapping.
Syslog messages must meet the following criteria for a User-ID agent to parse them:
Each message must be a single-line text string. A newline (\n) or a carriage return plus a newline (\r\n) are the delimiters for line breaks.
The maximum size for individual messages is 2,048 bytes.
Messages sent over UDP must be contained in a single packet; messages sent over SSL can span multiple packets. A single packet might contain multiple messages.
To configure a custom profile, click Add and specify the settings described in the following table. The field descriptions in this table use a login event example from a syslog message with the following format:
[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:domain\johndoe_4 Source:192.168.0.212
The complete procedure to configure the User-ID agent to parse a syslog sender for user mapping information requires additional tasks besides creating a Syslog Parse profile.
Field  Description
Syslog Parse Profile: Enter a name for the profile (up to 63 alphanumeric characters).
Description: Enter a description for the profile (up to 255 alphanumeric characters).
Type: Specify the type of parsing for filtering the user mapping information:
Regex Identifier: Use Event Regex, Username Regex, and Address Regex to specify regular expressions (regex) that describe search patterns for identifying and extracting user mapping information from syslog messages. The firewall uses the regex to match authentication or logout events in syslog messages and to match the usernames and IP addresses within matching messages.
Field Identifier: Use the Event String, Username Prefix, Username Delimiter, Address Prefix, and Address Delimiter fields to specify strings for matching the authentication or logout event and for identifying the user mapping information in syslog messages.
The remaining fields in the dialog vary based on your selection. Configure the fields as described in the following rows.
Event Regex: Enter the regex for identifying successful authentication or logout events. For the example message used with this table, the regex (authentication\ success){1} extracts the first {1} instance of the string authentication success. The backslash before the space is a standard regex escape character that instructs the regex engine not to treat the space as a special character.
Username Regex: Enter the regex for identifying the username field in authentication success or logout messages. For the example message used with this table, the regex User:([a-zA-Z0-9\\\._]+) would match the string User:johndoe_4 and extract acme\johndoe1 as the username.
Address Regex: Enter the regex to identify the IP address portion of authentication success or logout messages. In the example message used with this table, the regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) matches the IPv4 address Source:192.168.0.212 and adds 192.168.0.212 as the IP address in the username mapping.
Event String: Enter a matching string to identify authentication success or logout messages. For the example message used with this table, you would enter the string authentication success.
Username Prefix: Enter the matching string to identify the beginning of the username field within authentication or logout syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the example message used with this table, User: identifies the start of the username field.
Username Delimiter: Enter the delimiter that marks the end of the username field within an authentication or logout message. Use \s to indicate a standalone space (as in the example message) and \t to indicate a tab.
Address Prefix: Enter a matching string to identify the start of the IP address field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the example message used with this table, Source: identifies the start of the address field.
Address Delimiter: Enter the matching string that marks the end of the IP address field within authentication success or logout messages. For example, enter \n to indicate the delimiter is a line break.
Manage the User Ignore List
Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > User Ignore List
The ignore user list defines which user accounts don't require IP address-to-username mapping (for example, kiosk accounts). To configure the list, click Add and enter a username. You can use an asterisk as a wildcard character to match multiple usernames, but only as the last character in the entry. For example, corpdomain\it-admin* matches all administrators in the corpdomain domain whose usernames start with the string it-admin. You can add up to 5,000 entries to exclude from user mapping.
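As an added example (not code from the reference guide or from Palo Alto Networks), the following Python applies the Syslog Parse profile fields described under Manage Syslog Message Filters to the sample login message, once with the Regex Identifier regexes and once with the Field Identifier prefix/delimiter strings, enforces the single-line and 2,048-byte message criteria, and applies the User Ignore List wildcard rule from the section above before a login adds a mapping or a logout deletes one. The logout message, the logout profile, and the treatment of a \n delimiter as end of a one-line message are assumptions of this example.

```python
import re
from dataclasses import dataclass

MAX_MESSAGE_BYTES = 2048  # per-message size limit stated for User-ID syslog parsing
# Constructed sample messages in the format the table above uses (not real logs).
SAMPLE_LOGIN = ("[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success "
                "User:domain\\johndoe_4 Source:192.168.0.212")
SAMPLE_LOGOUT = ("[Tue Jul 5 17:40:11 2005 CDT] Administrator logout "
                 "User:domain\\johndoe_4 Source:192.168.0.212")

def split_packet(packet):
    """Split a packet into messages on \\n or \\r\\n and drop oversize messages."""
    return [m for m in re.split(r"\r?\n", packet)
            if m and len(m.encode("utf-8")) <= MAX_MESSAGE_BYTES]

@dataclass
class RegexProfile:
    """Regex Identifier: Event Regex, Username Regex and Address Regex."""
    event_type: str  # "login" or "logout"; one profile parses one type, not both
    event_regex: str
    username_regex: str
    address_regex: str

    def parse(self, msg):
        if not re.search(self.event_regex, msg):
            return None
        user = re.search(self.username_regex, msg)
        addr = re.search(self.address_regex, msg)
        if user is None or addr is None:
            return None
        return (self.event_type, user.group(1), addr.group(1))

# Escape tokens the delimiter fields accept; the prefix fields are literal only.
_DELIMITER_TOKENS = {r"\s": " ", r"\t": "\t", r"\n": "\n"}

def _field(msg, prefix, delimiter):
    """Return the text between a literal prefix and the next delimiter."""
    start = msg.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    delim = _DELIMITER_TOKENS.get(delimiter, delimiter)
    end = msg.find(delim, start)
    if end < 0 and delim != "\n":
        return None
    return msg[start:end] if end >= 0 else msg[start:]  # \n: end of a one-line message

@dataclass
class FieldProfile:
    """Field Identifier: literal Event String plus prefix/delimiter pairs."""
    event_type: str
    event_string: str
    username_prefix: str
    username_delimiter: str
    address_prefix: str
    address_delimiter: str

    def parse(self, msg):
        if self.event_string not in msg:
            return None
        user = _field(msg, self.username_prefix, self.username_delimiter)
        addr = _field(msg, self.address_prefix, self.address_delimiter)
        if user is None or addr is None:
            return None
        return (self.event_type, user, addr)

def is_ignored(username, ignore_list):
    """User Ignore List check: '*' is a wildcard only as the last character."""
    for entry in ignore_list:
        if "*" in entry[:-1]:
            raise ValueError("wildcard allowed only as last character: " + entry)
        if username == entry or (entry.endswith("*") and username.startswith(entry[:-1])):
            return True
    return False

def process_packet(mappings, profiles, packet, ignore_list=()):
    """Apply every message in a packet to the IP-to-username mapping table."""
    for msg in split_packet(packet):
        for profile in profiles:
            event = profile.parse(msg)
            if event is None:
                continue
            kind, user, ip = event
            if not is_ignored(user, ignore_list):
                if kind == "login":
                    mappings[ip] = user
                else:
                    mappings.pop(ip, None)  # a logout deletes the stale mapping
            break  # the first matching profile handles the message
    return mappings

# Profiles built from the regexes and strings in the table above; the logout one is constructed.
ADDRESS_REGEX = r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"
REGEX_LOGIN = RegexProfile("login", r"(authentication\ success){1}",
                           r"User:([a-zA-Z0-9\\\._]+)", ADDRESS_REGEX)
REGEX_LOGOUT = RegexProfile("logout", r"(logout){1}",
                            r"User:([a-zA-Z0-9\\\._]+)", ADDRESS_REGEX)
FIELD_LOGIN = FieldProfile("login", "authentication success",
                           "User:", r"\s", "Source:", r"\n")
```

Running process_packet over a packet holding the login and logout messages back to back leaves the table empty, because the logout profile deletes the mapping the login profile added.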
Monitor Servers
Device > User Identification > User Mapping
Use the Server Monitoring section to define the Microsoft Exchange Servers, Active Directory (AD) domain controllers, Novell eDirectory servers, or syslog senders that the User-ID agent monitors for login events.
Configure Access to Monitored Servers
Manage Access to Monitored Servers
Include or Exclude Subnetworks for User Mapping
Configure Access to Monitored Servers
Use the Server Monitoring section to Add server profiles that specify the servers (up to 100) the firewall will monitor.
The complete procedure to configure the PAN-OS integrated User-ID agent to monitor servers requires additional tasks besides creating server profiles.
Server Monitoring Settings  Description
Name: Enter a name for the server.
Description: Enter a description of the server.
Enabled: Select this option to enable log monitoring for this server.
Type: Select the server type. Your selection determines which other fields this dialog displays.
Network Address: Enter the server IP address or FQDN. This option doesn't apply if the Type is Novell eDirectory.
Server Profile (Novell eDirectory only): Select an LDAP server profile for connecting to the Novell eDirectory server (Device > Server Profiles > LDAP).
Connection Type (Syslog Sender only): Select whether the User-ID agent listens for syslog messages on the UDP port (514) or the SSL port (6514). If you select SSL, the Syslog Service Profile you select when you Enable Server Monitoring determines which SSL/TLS versions are allowed and the certificate that the firewall uses to secure a connection to the syslog sender.
As a security best practice, select SSL when using the PAN-OS integrated User-ID agent to map IP addresses to usernames. If you select UDP, ensure that the syslog sender and client are both on a dedicated, secure network to prevent untrusted hosts from sending UDP traffic to the firewall.
Manage Access to Monitored Servers
Perform the following tasks in the Server Monitoring section to manage access to the servers that the User-ID agent monitors for user mapping information.
Task  Description
Display server information: For each monitored server, the User Mapping page displays the Status of the connection from the User-ID agent to the server. After you Add a server, the firewall tries to connect to it. If the connection attempt is successful, the Server Monitoring section displays Connected in the Status column. If the firewall cannot connect, the Status column displays an error condition, such as Connection refused or Connection timeout.
For details on the other fields that the Server Monitoring section displays, see Configure Access to Monitored Servers.
Add: To Configure Access to Monitored Servers, Add each server that the User-ID agent will monitor for user mapping information.
Delete: To remove a server from the user mapping process (discovery), select the server and Delete it.
Tip: To remove a server from discovery without deleting its configuration, edit the server entry and clear Enabled.
Discover: You can automatically Discover Microsoft Active Directory domain controllers using DNS. The firewall will discover domain controllers based on the domain name entered in the Device > Setup > Management page, General Settings section, Domain field. After discovering a domain controller, the firewall creates an entry for it in the Server Monitoring list; you can then enable the server for monitoring.
The Discover feature works for domain controllers only, not Exchange servers or eDirectory servers.
IncludeorExcludeSubnetworksforUserMapping
Device>UserIdentification>UserMapping
UsetheInclude/ExcludeNetworkslisttodefinethesubnetworksthattheUserIDagentwillincludeor
excludewhenperformingIPaddresstousernamemapping(discovery).Bydefault,ifyoudontaddany
subnetworkstothelist,theUserIDagentperformsdiscoveryforuseridentificationsourcesinall
subnetworksexceptwhenusingWMIprobingforclientsystemsthathavepublicIPv4addresses.(Public
IPv4addressesarethoseoutsidethescopeofRFC1918andRFC3927).
ToenableWMIprobingforpublicIPv4addresses,youmustaddtheirsubnetworkstothelistandsettheir
DiscoveryoptiontoInclude.Ifyouconfigurethefirewalltoredistributeusermappinginformation toother
firewalls,thediscoverylimitsyouspecifyinthelistwillapplytotheredistributedinformation.Youcan
performthefollowingtasksontheInclude/ExcludeNetworkslist:
Task Description
Add Tolimitdiscoverytoaspecificsubnetwork,Addasubnetworkprofileandcompletethe
followingfields:
NameEnteranametoidentifythesubnetwork.
EnabledSelectthisoptiontoenableinclusionorexclusionofthesubnetworkfor
servermonitoring.
DiscoverySelectwhethertheUserIDagentwillIncludeorExcludethe
subnetwork.
Network AddressEntertheIPaddressrangeofthesubnetwork.
TheUserIDagentappliesanimplicitexcludeallruletothelist.Forexample,ifyouadd
subnetwork10.0.0.0/8withtheIncludeoption,theUserIDagentexcludesallother
subnetworksevenifyoudontaddthemtothelist.AddentrieswiththeExcludeoption
onlyifyouwanttheUserIDagenttoexcludeasubsetofthesubnetworksyouexplicitly
included.Forexample,ifyouadd10.0.0.0/8withtheIncludeoptionandadd
10.2.50.0/22withtheExcludeoption,theUserIDagentwillperformdiscoveryonall
thesubnetworksof10.0.0.0/8except10.2.50.0/22,andwillexcludeallsubnetworks
outsideof10.0.0.0/8.IfyouaddExcludeprofileswithoutaddinganyIncludeprofiles,
theUserIDagentexcludesallsubnetworks,notjusttheonesyouadded.
Task Description
Delete Toremoveasubnetworkfromthelist,selectandDeleteit.
Tip:ToremoveasubnetworkfromtheInclude/ExcludeNetworkslistwithoutdeleting
itsconfiguration,editthesubnetworkprofileandclearEnabled.
Custom Bydefault,theUserIDagentevaluatesthesubnetworksintheorderyouaddthem,
Include/Exclude fromtopfirsttobottomlast.Tochangetheevaluationorder,clickCustom
Network Include/Exclude Network Sequence.YoucanthenAdd,Delete,Move Up,orMove
Downthesubnetworkstocreateacustomevaluationorder.
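The Include/Exclude Networks rules above (implicit exclude-all once the list has entries, include-all when it is empty, top-to-bottom evaluation, disabled rows ignored, and public IPv4 clients WMI-probed only when explicitly included) are easy to get wrong when reviewing a configuration. The following is an added example that is not part of the reference guide or of any Palo Alto Networks code: a small Python evaluator that reproduces the document's 10.0.0.0/8 Include plus 10.2.50.0/22 Exclude scenario. The row names, the helper names, and the decision to place the Exclude row above the broader Include row (so that first-match evaluation reaches it) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Addresses outside these ranges are "public IPv4" in the sense the
# Include/Exclude Networks description uses (RFC 1918 private ranges and the
# RFC 3927 link-local range).
_NON_PUBLIC_IPV4 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]


@dataclass
class NetworkEntry:
    """One row of the Include/Exclude Networks list (field names follow the UI)."""
    name: str
    network_address: str   # subnetwork in CIDR form
    include: bool          # Discovery: True = Include, False = Exclude
    enabled: bool = True   # a cleared Enabled box removes the row from evaluation


def is_public_ipv4(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and not any(addr in net for net in _NON_PUBLIC_IPV4)


def discovery_applies(ip: str, entries: List[NetworkEntry]) -> bool:
    """Decide whether the User-ID agent performs discovery for ip.

    Rules taken from the text: an empty (or fully disabled) list means all
    subnetworks; otherwise enabled rows are evaluated top to bottom, the first
    row containing ip decides, and an implicit exclude-all applies when no row
    matches (so an Exclude-only list excludes everything).
    """
    addr = ipaddress.ip_address(ip)
    active = [e for e in entries if e.enabled]
    if not active:
        return True
    for entry in active:
        # strict=False accepts host bits set, as the document's 10.2.50.0/22 does
        if addr in ipaddress.ip_network(entry.network_address, strict=False):
            return entry.include
    return False


def wmi_probe_allowed(ip: str, entries: List[NetworkEntry]) -> bool:
    """WMI probing follows the discovery decision, except that public IPv4
    clients are probed only when an enabled Include row explicitly covers them."""
    if not discovery_applies(ip, entries):
        return False
    if is_public_ipv4(ip) and not any(e.enabled for e in entries):
        return False   # default list: no WMI probing of public IPv4 addresses
    return True


# Constructed sample list reproducing the document's example.  The Exclude row
# sits above the broader Include row (an assumption about how you would order
# the rows, since evaluation is first match, top to bottom).
SAMPLE_ENTRIES = [
    NetworkEntry("lab-excluded", "10.2.50.0/22", include=False),
    NetworkEntry("corp", "10.0.0.0/8", include=True),
]


def evaluate_all(ips, entries):
    """Return {ip: (discovery, wmi_probe)} for a batch of client addresses."""
    return {ip: (discovery_applies(ip, entries), wmi_probe_allowed(ip, entries))
            for ip in ips}


if __name__ == "__main__":
    verdicts = evaluate_all(["10.1.1.1", "10.2.50.7", "192.168.1.1", "8.8.8.8"],
                            SAMPLE_ENTRIES)
    for ip, (disc, wmi) in verdicts.items():
        print(f"{ip}: discovery={disc} wmi_probe={wmi}")
```

Run it against a proposed list before committing the configuration: a list that contains only Exclude rows, or a broad Include row placed above the narrower Exclude it was meant to carve out, shows up immediately as an unexpected verdict.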
Device > User Identification > Connection Security

Edit the User-ID Connection Security settings to select the certificate profile used by the firewall to validate the certificate presented by Windows-based User-ID agents. The firewall uses the selected certificate profile to verify the identity of the User-ID agent by validating the server certificate presented by the agent.

User-ID Certificate Profile
  From the drop-down, select the certificate profile to use when authenticating Windows-based User-ID agents or select New Certificate Profile to create a new certificate profile. Select None to remove the certificate profile and use default authentication instead.

Remove All (Template Configuration Only)
  Removes the certificate profile attached to the User-ID Connection Security configuration for the selected template.

Device > User Identification > User-ID Agents

To map usernames to IP addresses, User-ID agents monitor various sources, such as directory servers. The agents send the user mappings to firewalls, Log Collectors, or Panorama, and each of these appliances can then serve as a redistribution point that forwards the mappings to other firewalls, Log Collectors, or Panorama. For a firewall (Device > User Identification > User-ID Agents) or Panorama (Panorama > User Identification) to collect user mappings, you must configure its connections to the User-ID agents or redistribution points.

To configure Dedicated Log Collectors to connect to User-ID agents or redistribution points, define User-ID Agent Settings. You cannot configure local Log Collectors to connect to User-ID agents or redistribution points.

Although you can configure a Log Collector or Panorama to redistribute user mappings, these devices cannot map IP addresses to usernames. Only Windows-based User-ID agents and PAN-OS integrated User-ID agents can perform user mapping.

The complete procedure to configure user mapping requires additional tasks besides configuring connections to User-ID agents.

Configure Access to User-ID Agents
Manage Access to User-ID Agents

Configure Access to User-ID Agents

Each firewall and Panorama management server can connect to a maximum of 100 User-ID agents or User-ID redistribution points (or a mixture of both). To add a connection, click Add and complete the following fields.

User-ID Agent Settings

Name
  Enter a descriptive name (up to 31 characters) for the User-ID agent or redistribution point. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
  For a firewall or virtual system serving as a redistribution point, this field does not have to match the Collector Name field.

Add an Agent Using (firewall only)
  Select how the firewall identifies the User-ID agent or redistribution point:
  Serial Number: Select this option for a Panorama management server that redistributes User-ID mappings.
  Host and Port: Select this option for Windows-based User-ID agents or for firewalls, virtual systems, and Log Collectors that redistribute User-ID mappings.

Serial Number (firewall only)
  Select the Panorama management server that redistributes user mappings to the firewall. For high availability (HA) deployments, you can select the active Panorama (panorama) or the passive Panorama (panorama2).
  You do not need to specify the host, port, or other connection information because you defined these during initial configuration of the firewall.

Host
  Windows-based User-ID agents: Enter the IP address of the Windows host on which the User-ID agent is installed.
  Firewall (PAN-OS integrated User-ID agent): Enter the IP address of the MGT interface or service route that the firewall uses to send user mappings. For the MGT interface, you can enter a hostname instead of the IP address.
  Log Collectors that redistribute user mappings: Enter the hostname or IP address of the interface that the Log Collector uses to send user mappings.

Port
  Enter the port number on which the User-ID agent listens for User-ID requests. The default is 5007, but you can specify any available port, and different User-ID agents can use different ports.
  The default port for some earlier versions of the User-ID agent is 2010.

Use as LDAP Proxy (firewall only)
  Select this option to use this User-ID agent as a proxy for monitoring the directory server to map usernames to groups. To use this option, you must configure group mapping on the firewall (Device > User Identification > Group Mapping Settings). The firewall pushes that configuration to the User-ID agent to enable it to map usernames to groups.
  This option is useful in deployments where the firewall cannot directly access the directory server. It is also useful in deployments that benefit from reducing the number of queries the directory server must process; multiple firewalls can receive the group mapping information from the cache on a single User-ID agent instead of requiring each firewall to query the server directly.

Use for NTLM Authentication (firewall only)
  Select this option to use this User-ID agent as a proxy for performing NT LAN Manager (NTLM) authentication when a client web request matches an Authentication policy rule. The User-ID agent monitors the domain controller for user mapping information and forwards the information to the firewall. To use this option, you must also Enable NTLM Authentication on the User-ID agent.
  This option is useful in deployments where the firewall cannot directly access the domain controller to perform NTLM authentication. It is also useful in deployments that benefit from reducing the number of authentication requests the domain controller must process; multiple firewalls can receive the user mapping information from the cache on a single User-ID agent instead of requiring each firewall to query the domain controller directly.
  Configure Authentication rules to use Kerberos single sign-on instead of NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and does not require the firewall to have an administrative account to join the domain. For details on configuring the authentication methods for Authentication rules, see Objects > Authentication.

Enabled
  Select this option to enable the firewall or Panorama to communicate with the User-ID agent or redistribution point.

Manage Access to User-ID Agents

Perform the following tasks for managing connections from the firewall to User-ID agents or redistribution points.

Display information / Refresh Connected
  Select Device > User Identification > User-ID Agents or Panorama > User Identification to see whether the firewall or Panorama is connected to each User-ID agent or redistribution point. The Connected column displays a green icon to indicate a successful connection, a yellow icon to indicate a disabled connection, and a red icon to indicate a failed connection. If you think the connection status might have changed since you first viewed it, Refresh Connected to update the status display.
  For the other displayed fields, see Configure Access to User-ID Agents.

Add
  Add and then Configure Access to User-ID Agents.

Delete
  To remove the configuration that enables the firewall to connect to a User-ID agent or redistribution point, Delete the agent or redistribution point.
  To disable access to a User-ID agent or redistribution point without deleting its configuration, edit it and clear the Enabled option.

Custom Agent Sequence
  If you enable User-ID agents to perform NT LAN Manager (NTLM) authentication on behalf of the firewall, then by default the firewall communicates with the agents in the order you add them, from top to bottom (see Use for NTLM Authentication in Configure Access to User-ID Agents). To change the order in which the firewall communicates with agents, click Custom Agent Sequence, Add each agent, Move Up or Move Down agents to reposition them, and click OK.

Device > User Identification > Terminal Services Agents

On a system that supports multiple users who share the same IP address, a Terminal Services (TS) agent identifies individual users by allocating a source port range to each one. The TS agent informs every connected firewall of the allocated port ranges so that the firewalls can enforce policy based on users and user groups.

All firewall models can collect username-to-port mapping information from up to 5,000 multi-user systems. The number of TS agents from which a firewall can collect the mapping information varies by firewall model:

  VM-50, VM-100, VM-300, PA-200, PA-220, PA-500, PA-800 Series, PA-3020, and PA-3050 firewalls: maximum 400 TS agents
  VM-500, VM-700, PA-5020, PA-5050, PA-5060, PA-5200 Series, and PA-7000 Series firewalls: maximum 1,000 TS agents

You must install and configure the TS agents before configuring access to them. The complete procedure to configure user mapping for terminal server users requires additional tasks besides configuring connections to TS agents.

You can perform the following tasks to manage access to TS agents.

Add
  To configure access to a TS agent, Add an agent and configure the following fields:
  Name: Enter a name to identify the TS agent (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
  Host: Enter the IP address of the terminal server where the TS agent is installed.
  Port: Enter the port number (default is 5009) that the TS agent service uses to communicate with the firewall.
  Alternative IP Addresses: If the terminal server where the TS agent is installed has multiple IP addresses that can appear as the source IP address for the outgoing traffic, Add and enter up to eight additional IP addresses. Traffic from an address that is neither the Host nor an alternative address is not matched against the agent's port ranges, so every address the server can source from must be listed.
  Enabled: Select this option to enable the firewall to communicate with this TS agent.

Delete
  To remove the configuration that enables access to a TS agent, select the agent and click Delete.
  To disable access to a TS agent without deleting its configuration, edit the agent and clear the Enabled option.
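The port-range mechanism above is what lets the firewall tell users apart behind one terminal server address. The following is an added example, not code from the reference guide or from the TS agent itself: a Python model of the allocation table a TS agent reports and of the lookup a firewall performs on (source IP, source port), including the Host plus Alternative IP Addresses rule and the two cases where no user can be attributed. The port pool bounds (20000 to 39999), the 200-port range size, and all host and user names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TSAgent:
    """A Terminal Services agent as the firewall knows it: the terminal server's
    Host address, up to eight Alternative IP Addresses, and the per-user source
    port ranges the agent has reported.  Pool bounds and range size are
    assumptions for this example, not values from the reference guide."""
    host: str
    alternative_ips: List[str] = field(default_factory=list)
    pool_start: int = 20000
    pool_end: int = 39999
    range_size: int = 200
    allocations: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if len(self.alternative_ips) > 8:
            raise ValueError("a TS agent entry accepts at most eight alternative IP addresses")

    def addresses(self) -> List[str]:
        return [self.host, *self.alternative_ips]

    def allocate(self, user: str) -> Tuple[int, int]:
        """Reserve the lowest free port range for a user logging on to the server."""
        if user in self.allocations:
            return self.allocations[user]
        start = self.pool_start
        for low, high in sorted(self.allocations.values()):
            if start + self.range_size - 1 < low:
                break            # the gap before this range is large enough
            start = high + 1
        end = start + self.range_size - 1
        if end > self.pool_end:
            raise RuntimeError("source port pool exhausted")
        self.allocations[user] = (start, end)
        return (start, end)

    def release(self, user: str) -> None:
        """Free the range when the agent reports the user's logoff."""
        self.allocations.pop(user, None)


class TSMappingTable:
    """Username-to-port mappings collected from one or more TS agents, keyed by
    every source address traffic from that server can carry."""

    def __init__(self, agents: List[TSAgent]) -> None:
        self._by_ip: Dict[str, TSAgent] = {}
        for agent in agents:
            for ip in agent.addresses():
                self._by_ip[ip] = agent

    def lookup(self, src_ip: str, src_port: int) -> Optional[str]:
        agent = self._by_ip.get(src_ip)
        if agent is None:
            return None      # not a multi-user host: ordinary IP-to-user mapping applies
        for user, (low, high) in agent.allocations.items():
            if low <= src_port <= high:
                return user
        return None          # port outside every allocated range (e.g. service traffic)


def map_sessions(table: TSMappingTable, sessions):
    """Attach the user (or None) to each (source IP, source port) session tuple."""
    return [(ip, port, table.lookup(ip, port)) for ip, port in sessions]


def reuse_after_logoff() -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Show a freed range being handed to the next user who logs on."""
    agent = TSAgent(host="192.0.2.1")
    agent.allocate("u1")
    agent.allocate("u2")
    agent.release("u1")
    return agent.allocate("u3"), agent.allocations["u2"]


# Constructed sample: one terminal server that can source traffic from two
# addresses, two logged-on users, and four sessions seen by the firewall.
AGENT = TSAgent(host="10.1.1.5", alternative_ips=["10.1.1.6"])
ALICE_RANGE = AGENT.allocate("alice")   # (20000, 20199)
BOB_RANGE = AGENT.allocate("bob")       # (20200, 20399)
TABLE = TSMappingTable([AGENT])
SESSIONS = [
    ("10.1.1.5", 20150),   # alice, via the primary address
    ("10.1.1.6", 20250),   # bob, via the alternative address
    ("10.1.1.5", 50000),   # port never allocated: no user
    ("10.9.9.9", 20150),   # host without a TS agent: no user
]

if __name__ == "__main__":
    for ip, port, user in map_sessions(TABLE, SESSIONS):
        print(f"{ip}:{port} -> {user}")
```

The two None results are the cases to watch in a deployment: a session from an unlisted alternative address or from an unallocated port falls outside user-based policy and is handled by whatever rules match the address alone.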
Device>UserIdentification>GroupMappingSettings
Tobasesecuritypoliciesandreportsonusersandusergroups,thefirewallretrievesthelistofgroupsand
thecorrespondinglistofmembersspecifiedandmaintainedonyourdirectoryservers.Thefirewallsupports
avarietyofLDAPdirectoryservers,includingtheMicrosoftActiveDirectory(AD),theNovelleDirectory,
andtheSunONEDirectoryServer.
ThenumberofdistinctusergroupsthateachfirewallorPanoramacanreferenceacrossallpoliciesvariesby
model:
VM50,VM100,VM300,PA200,PA220,PA500,PA800Series,PA3020,andPA3050firewalls:
1,000groups
VM500,VM700,PA5020,PA5050,PA5060,PA5200Series,andPA7000Seriesfirewalls,andall
Panoramamodels:10,000groups
Beforecreatingagroupmappingconfiguration,youmustconfigureanLDAPserverprofile(Device>Server
Profiles>LDAP).
Thecompleteprocedure tomapusernamestogroupsrequiresadditionaltasksbesides
creatinggroupmappingconfigurations.
ClickAddandcompletethefollowingfieldstocreateagroupmappingconfiguration.Toremoveagroup
mappingconfiguration,selectandDeleteit.Ifyouwanttodisableagroupmappingconfigurationwithout
deletingit,edittheconfigurationandcleartheEnabledoption.
UpdateInterval Specifytheintervalinsecondsafterwhichthe
firewallwillinitiateaconnectionwiththeLDAP
directoryservertoobtainanyupdatesthatwere
madetothegroupsthatfirewallpoliciesuse
(rangeis60to86,400).
MailDomains WhenthefirewallreceivesaWildFirelogfora
maliciousemail,theemailrecipientinformationin
thelogismatchedagainstusermapping
informationfromtheUserIDagent.Thelog
containsalinktotheuserthat,whenclicked,
displaystheACCfilteredbytheuser.Iftheemail
issenttoadistributionlist,theACCisfilteredby
thememberscontainedinthelist.
Theemailheaderandusermappinginformation
willhelpyouquicklytrackandthwartthreatsthat
arrivethroughemailbymakingiteasiertoidentify
theuserswhoreceivedtheemail.
Mail AttributesPANOSautomatically
populatesthisfieldbasedontheLDAPserver
type(SunONE,ActiveDirectory,orNovell).
Domain ListEntertheemaildomainsinyour
organizationasacommaseparatedlistofupto
256characters.
Enabled Selectthisoptiontoenableserverprofilefor
groupmapping.
Device>UserIdentification>CaptivePortalSettings
IfCaptivePortalwilluseanSSL/TLSServiceprofile(Device>CertificateManagement>
SSL/TLSServiceProfile),authenticationprofile(Device>AuthenticationProfile),orCertificate
Profile(Device>CertificateManagement>CertificateProfile),thenconfiguretheprofilebefore
youbegin.Thecompleteprocedure toconfigureCaptivePortalrequiresadditionaltasks
besidesconfiguringtheseprofiles.
YoumustEnable Captive PortaltoenforceAuthenticationpolicy(seePolicies>
Authentication).
Field Description
EnableCaptive SelectthisoptiontoenableCaptivePortal.
Portal
IdleTimer(min) Entertheusertimetolive(TTL)valueinminutesforaCaptivePortalsession(range
is1to1,440;defaultis15).Thistimerresetseverytimethereisactivityfroma
CaptivePortaluser.IfidletimeforauserexceedstheIdle Timervalue,PANOS
removestheCaptivePortalusermappingandtheusermustloginagain.
Timer(min) ThisisthemaximumTTLinminutes,whichisthemaximumtimethatanyCaptive
Portalsessioncanremainmapped(rangeis1to1,440;defaultis60).Afterthis
durationelapses,PANOSremovesthemappingandusersmustreauthenticate
evenifthesessionisactive.Thistimerpreventsstalemappingsandoverridesthe
Idle Timervalue.
YoushouldalwayssettheexpirationTimerhigherthantheIdle Timer.
SSL/TLSService Tospecifyafirewallservercertificateandtheallowedprotocolsforsecuringredirect
Profile requests,selectanSSL/TLSserviceprofile(Device>CertificateManagement>
SSL/TLSServiceProfile).IfyouselectNone,thefirewallusesitslocaldefault
certificateforSSL/TLSconnections.
Totransparentlyredirectuserswithoutdisplayingcertificateerrors,assignaprofile
associatedwithacertificatethatmatchestheIPaddressoftheinterfacetowhich
youareredirectingwebrequests.
Authentication Youcanselectanauthenticationprofile(Device>AuthenticationProfile)to
Profile authenticateuserswhentheirtrafficmatchesanAuthenticationpolicyrule(Policies
>Authentication).However,theauthenticationprofileyouselectintheCaptive
PortalSettingsappliesonlytorulesthatreferenceoneofthedefaultauthentication
enforcementobjects(Objects>Authentication).Thisistypicallythecaserightafter
anupgradetoPANOS8.0becauseallAuthenticationrulesinitiallyreferencethe
defaultobjects.Forrulesthatreferencecustomauthenticationenforcementobjects,
selecttheauthenticationprofilewhenyoucreatetheobject.
Field Description
GlobalProtect SpecifytheportthatGlobalProtectusestoreceiveinboundauthentication
NetworkPortfor promptsfrommultifactor(MFA)gateways.(rangeis1to65,536;defaultis4,501).
Inbound Tosupportmultifactorauthentication,aGlobalProtectclientmustreceiveand
Authentication acknowledgeUDPpromptsthatareinboundfromtheMFAgateway.Whena
Prompts(UDP) GlobalProtectclientreceivesaUDPmessageonthespecifiednetworkportandthe
UDPmessagecomesfromatrustedfirewallorgateway,GlobalProtectdisplaysthe
authenticationmessage(seeCustomizetheGlobalProtectAgent ).
Mode Selecthowthefirewallcaptureswebrequestsforauthentication:
TransparentThefirewallinterceptswebrequestsaccordingtothe
AuthenticationruleandimpersonatestheoriginaldestinationURL,issuingan
HTTP401messagetoprompttheusertoauthenticate.However,becausethe
firewalldoesnothavetherealcertificateforthedestinationURL,thebrowser
displaysacertificateerrortousersattemptingtoaccessasecuresite.Therefore,
onlyusethismodewhenabsolutelynecessary,suchasinLayer2orvirtualwire
deployments.
RedirectThefirewallinterceptswebrequestsaccordingtotheAuthentication
ruleandredirectsthemtothespecifiedRedirectHost.ThefirewallusesanHTTP
302redirecttoprompttheusertoauthenticate.Thisisthepreferredmode
becauseitprovidesabetterenduserexperience(nocertificateerrors).However,
itrequiresthatyouenableresponsepagesontheInterfaceManagementprofile
assignedtotheingressLayer3interface(fordetails,seeNetwork>Network
Profiles>InterfaceMgmtandLayer3Interface).
AnotherbenefitoftheRedirectmodeisthatitallowsforsessioncookies,which
enabletheusertocontinuebrowsingtoauthenticatedsiteswithoutrequiring
remappingeachtimethetimeoutsexpire.Thisisespeciallyusefulforuserswho
roamfromoneIPaddresstoanother(forexample,fromthecorporateLANtothe
wirelessnetwork)becausetheydontneedtoreauthenticatewhentheirIP
addresschangesaslongasthesessionstaysopen.
RedirectmodeisrequiredifCaptivePortalusesKerberosSSOorNTLM
authenticationbecausethebrowserprovidescredentialsonlytotrusted
sites.RedirectmodeisalsorequiredifCaptivePortalusesmultifactor
authentication(MFA).
SessionCookie EnableSelectthisoptiontoenablesessioncookies.
(Redirectmode TimeoutIfyouEnablesessioncookies,thistimerspecifiesthenumberof
only) minutesforwhichthecookieisvalid(rangeis60to10,080;defaultis1,440).
RoamingSelectthisoptiontoretainthecookieiftheIPaddresschangeswhile
thesessionisactive(suchaswhentheclientmovesfromawiredtoawireless
network).Theusermustreauthenticateonlyifthecookietimesoutortheuser
closesthebrowser.
Field Description
CertificateProfile YoucanselectaCertificateProfile(Device>CertificateManagement>Certificate
Profile)toauthenticateuserswhentheirtrafficmatchesanyAuthenticationpolicy
rule(Policies>Authentication).
Forthisauthenticationtype,CaptivePortalpromptstheclientbrowseroftheuser
topresentaclientcertificate.Therefore,youmustdeployclientcertificatestoeach
usersystem.Furthermore,onthefirewall,youmustinstallthecertificateauthority
(CA)certificatethatissuedtheclientcertificatesandassigntheCAcertificatetothe
CertificateProfile.ThisistheonlyauthenticationmethodthatenablesTransparent
authenticationforMacOSandLinuxclients.
NTLM WhenyouconfigureCaptivePortalforNTLANManager(NTLM)authentication ,
Authentication thefirewallusesanencryptedchallengeresponsemechanismtotransparently
obtainusercredentialsfromthebrowserwithoutpromptingtheuser.
ToinvokeNTLMauthentication,Authenticationpolicyrulesmustspecifyan
Authentication EnforcementobjectwiththeAuthentication Methodsetto
browser-challengeordefault-browser-challenge(Objects>Authentication).If
theobjectspecifiesanAuthentication ProfilewithKerberossinglesignon(SSO)
enabled,thefirewallfirstattemptsKerberosauthenticationbeforefallingbackto
NTLM.IfthebrowsercannotperformNTLMorifNTLMauthenticationfails,the
firewallfallsbacktoweb-formordefault-web-formastheAuthentication Method.
Bydefault,InternetExplorersupportsNTLM.YoucanconfigureFirefoxandChrome
touseit,aswell,butyoucannotuseNTLMtoauthenticatenonWindowsclients.
ChooseKerberosSSO transparentauthenticationoverNTLM
authenticationwhenconfiguringCaptivePortal.Kerberosisastronger,more
robustauthenticationmethodthanNTLManditdoesnotrequirethefirewall
tohaveanadministrativeaccounttojointhedomain.
TheseoptionsapplyonlytotheWindowsbasedUserIDagents.Whenusing
thePANOSintegratedUserIDagent,thefirewallmustbeableto
successfullyresolvetheDNSnameofyourdomaincontrollertojointhe
domain.YoucanthenEnableNTLMAuthenticationinthePANOS
integratedUserIDagentsetupandprovidethecredentialsforthefirewallto
jointhedomain.NTLMisavailableonlyforWindowsServerversion2003
andearlierversions.
ToconfigureNTLMforusewithWindowsbasedUserIDagents,definethe
following:
AttemptsThenumberofattemptsafterwhichNTLMauthenticationfails(range
is1to60;defaultis1).
TimeoutThenumberofsecondsafterwhichNTLMauthenticationtimesout
(rangeis1to60;defaultis2).
Reversion TimeThenumberofsecondsafterwhichthefirewallwillretry
contactingthefirstUserIDagentlisted(inDevice > User Identification > User-ID
Agents)afterthatagentbecomesunavailable(rangeis60to3,600;defaultis
300).
Network>GlobalProtect>Portals
Whatareyoulookingfor? See:
WhatgeneralsettingsshouldIconfigurefor GeneralTab
theGlobalProtectportal?
HowcanIassignanauthenticationprofileto AuthenticationConfigurationTab
aportalconfiguration?
WhatclientauthenticationoptionscanI AuthenticationTab
configure?
HowcanIassignaconfigurationtoaspecific User/UserGroupTab
groupofdevicesbasedonoperatingsystem,
user,and/orusergroup?
HowcanIconfigurethesettingsandpriority InternalTab
oftheinternalgateways?
HowcanIconfigurethesettingsandpriority ExternalTab
oftheexternalgateways?
HowcanIcreateseparateclient AgentConfigurationTab
configurationsfordifferenttypesofusers?
WhatsettingscanIcustomizeonthelook AppTab
andbehavioroftheGlobalProtectagent?
HowcanIconfiguredatacollectionoptions? DataCollectionTab
HowcanIconfiguretheGlobalProtectportal ClientlessConfigurationTab
toallowaccesstowebapplicationswithout
installingaGlobalProtectclient?
HowcanIextendVPNconnectivitytoa SatelliteConfigurationTab
firewallwhichactsasasatellite?
GeneralTab
GlobalProtectPortal Description
Settings
Name Typeanamefortheportal(upto31characters).Thenameiscasesensitive
andmustbeunique.Useonlyletters,numbers,spaces,hyphens,and
underscores.
Location Forafirewallthatisinmultiplevirtualsystemmode,theLocationisthe
virtualsystem(vsys)wheretheGlobalProtectportalisavailable.Fora
firewallthatisnotinmultivsysmode,Locationselectionisnotavailable.
Afteryousavetheportal,youcannotchangeLocation.
Network Settings
Interface Selectthenameofthefirewallinterfacethatwillbetheingressfor
communicationsfromremoteclientsandfirewalls.
IPAddress SpecifytheIPaddressonwhichtoruntheGlobalProtectportalwebservice.
SelecttheIP Address TypeandthenentertheIP Address.
TheIPaddresstypecanbeIPv4(forIPv4trafficonly),IPv6(forIPv6
trafficonly),orIPv4 and IPv6.UseIPv4 and IPv6ifyournetworksupports
dualstackconfigurations,whereIPv4andIPv6runatthesametime.
TheIPaddressmustbecompatiblewiththeIPaddresstype.Forexample,
172.16.1.0forIPv4or21DA:D3:0:2F3bforIPv6.
IfyouchooseIPv4 and IPv6,entertheappropriateIPaddresstypefor
each.
Appearance
PortalLoginPage (Optional)Chooseacustomloginpageforuseraccesstotheportal.Youcan
selectthefactory-defaultpageorImportacustompage.Thedefaultis
None.Topreventaccesstothispagefromawebbrowser,Disablethispage.
PortalLandingPage (Optional)Chooseacustomlandingpagefortheportal.Youcanselectthe
factory-defaultpageorImportacustompage.ThedefaultisNone.
AppHelpPage (Optional)ChooseacustomhelppagetoassisttheuserwithGlobalProtect.
Youcanselectthefactory-defaultpageorImportacustompage.The
defaultisNone.
AuthenticationConfigurationTab
GlobalProtectPortal Description
AuthenticationSettings
Server Authentication
SSL/TLSServiceProfile SelectanexistingSSL/TLSServiceprofile.Theprofilespecifiesacertificateandthe
allowedprotocolsforsecuringtrafficonthemanagementinterface.TheCommonName
(CN)and,ifapplicable,theSubjectAlternativeName(SAN)fieldsofthecertificate
associatedwiththeprofilemustmatchtheIPaddressorfullyqualifieddomainname
(FQDN)oftheInterfaceselectedintheGeneraltab.
InGlobalProtectVPNconfigurations,useaprofileassociatedwithacertificate
fromatrusted,thirdpartyCAoracertificatethatyourinternalenterpriseCA
generated.
Client Authentication
Name Enteranametoidentifytheclientauthenticationconfiguration.(Theclientauthentication
configurationisindependentoftheSSL/TLSserviceprofile.).
Youcancreatemultipleclientauthenticationconfigurationsanddifferentiatethem
primarilybyoperatingsystemandadditionallybyuniqueauthenticationprofiles(forthe
sameOS).Forexample,youcanaddclientauthenticationconfigurationsfordifferent
operatingsystemsbutalsohavedifferentconfigurationsforthesameOSthatare
differentiatedbyuniqueauthenticationprofiles.(Youshouldmanuallyordertheseprofiles
frommostspecifictomostgeneral.Forexample,allusersandanyOSisthemostgeneral.)
YoucanalsocreateconfigurationsthatGlobalProtectdeploystoagentsinpre-logon
mode(beforetheuserhasloggedintothesystem)orthatitappliestoanyuser.(Prelogon
establishesaVPNtunneltoaGlobalProtectgatewaybeforetheuserlogsinto
GlobalProtect.)
OS Todeployaclientauthenticationprofilespecifictotheoperatingsystem(OS)onan
endpoint,AddtheOS(Any,Android,Chrome,iOS,Mac,Windows,orWindowsUWP).The
OSistheprimarydifferentiatorbetweenconfigurations.(SeeAuthenticationProfilefor
furtherdifferentiation.)
TheadditionaloptionsofBrowserandSatelliteenableyoutospecifytheauthentication
profiletouseforspecificscenarios.SelectBrowsertospecifytheauthenticationprofile
tousetoauthenticateauseraccessingtheportalfromawebbrowserwiththeintentof
downloadingtheGlobalProtectagent(WindowsandMac).SelectSatellitetospecifythe
authenticationprofiletousetoauthenticatethesatellite(LSVPN).
GlobalProtectPortal Description
AuthenticationSettings
(Continued)
AuthenticationProfile InadditiontodistinguishingaclientauthenticationconfigurationbyanOS,youcanfurther
differentiatebyspecifyinganauthenticationprofile.(YoucancreateaNew
Authentication Profileorselectanexistingone.)Toconfiguremultipleauthentication
optionsforanOS,youcancreatemultipleclientauthenticationprofiles.
IfyouareconfiguringanLSVPNinGateways,youcannotsavethatconfiguration
unlessyouselectanauthenticationprofilehere.Also,ifyouplantouseserial
numberstoauthenticatesatellites,theportalmusthaveanauthenticationprofile
availablewhenitcannotlocateorvalidateafirewallserialnumber.
SeealsoDevice>AuthenticationProfile.
AuthenticationMessage Tohelpendusersknowthetypeofcredentialstheyneedforloggingin,enteramessage
orkeepthedefaultmessage.Themaximumlengthofthemessageis100characters.
Certificate Profile
AgentConfigurationTab
AuthenticationTab
SelectNetwork > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > Authentication
toconfiguretheauthenticationsettingsthatapplytotheagentconfiguration.
GlobalProtectPortal Description
ClientAuthentication
ConfigurationSettings
Authentication Tab
Name Enteradescriptivenameforthisconfigurationforclientauthentication.
ClientCertificate (Optional)Selectthesourcethatdistributestheclientcertificatetoaclient,
whichthenpresentsthecertificatetothegateways.Aclientcertificateis
requiredifyouareconfiguringmutualSSLauthentication.
IfSCEPisconfiguredforprelogonintheportalclientconfiguration,the
portalgeneratesamachinecertificatethatisstoredinthesystemcertificate
storeforgatewayauthenticationandconnections.
TouseacertificatethatisLocaltothefirewallinsteadofagenerated
certificatefromthePKIthroughSCEP,selectacertificatethatisalready
uploadedtothefirewall.
IfyouuseaninternalCAtodistributecertificatestoclients,selectNone
(default).WhenyouselectNone,theportaldoesnotpushacertificatetothe
client.
SaveUserCredentials SelectYestosavetheusernameandpasswordontheagentorselectNoto
forcetheuserstoprovidethepasswordeithertransparentlyviatheclient
orbymanuallyenteringoneeachtimetheyconnect.SelectSave
Username Onlytosaveonlytheusernameeachtimeauserconnects.
Authentication Override
Generatecookiefor Selectthisoptiontoconfiguretheportaltogenerateencrypted,
authenticationoverride endpointspecificcookies.Theportalsendsthiscookietotheendpointafter
theuserfirstauthenticateswiththeportal.
Acceptcookiefor Selectthisoptiontoconfiguretheportaltoauthenticateclientsthrougha
authenticationoverride valid,encryptedcookie.Whentheendpointpresentsavalidcookie,the
portalverifiesthatthecookiewasencryptedbytheportal,decryptsthe
cookie,andthenauthenticatestheuser.
CookieLifetime Specifythehours,days,orweeksthatthecookieisvalid.Thetypicallifetime
is24hours.Therangesare172hours,152weeks,or1365days.After
thecookieexpires,theusermustenterlogincredentialsandtheportal
subsequentlyencryptsanewcookietosendtotheuserendpoint.
Certificateto Selectthecertificatetouseforencryptinganddecryptingthecookie.
Encrypt/DecryptCookie Ensurethattheportalandgatewaysusethesamecertificateto
encryptanddecryptcookies.(Configurethecertificateaspartofa
gatewayclientconfiguration.SeeNetwork>GlobalProtect>
Gateways).
GlobalProtectPortal Description
ClientAuthentication
ConfigurationSettings
(Continued)
ToconfigureGlobalProtecttosupportdynamicpasswordssuchasonetimepasswords(OTPs)specify
theportalorgatewaytypesthatrequireuserstoenterdynamicpasswords.Wheretwofactor
authenticationisnotenabled,GlobalProtectusesregularauthenticationusinglogincredentials(suchas
AD)andacertificate.
Whenyouenableaportaloragatewaytypefortwofactorauthentication,thatportalorgateway
promptstheuserafterinitialportalauthenticationtosubmitcredentialsandasecondOTP(orother
dynamicpassword).
However,ifyoualsoenableauthenticationoverride,anencryptedcookieisusedtoauthenticatetheuser
(aftertheuserisfirstauthenticatedforanewsession)and,thus,preemptstherequirementfortheuser
toreentercredentials(aslongasthecookieisvalid).Therefore,theuseristransparentlyloggedin
whenevernecessaryaslongasthecookieisvalid.Youspecifythelifetimeofthecookie.
Portal Selectthisoptiontousedynamicpasswordstoconnecttotheportal.
Internalgatewaysall Selectthisoptiontousedynamicpasswordstoconnecttointernal
gateways.
Externalgateways Selectthisoptiontousedynamicpasswordstoconnecttoexternal
manualonly gatewaysthatareconfiguredasManualgateways.
Externalgatewaysauto Selectthisoptiontousedynamicpasswordstoconnecttoany
discovery remainingexternalgatewaysthattheagentcanautomatically
discover(gatewayswhicharenotconfiguredasManual).
User/User Group Tab
Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > User/User Group to specify the operating systems and users or user groups to which this agent configuration applies. If this agent configuration cannot accommodate all combinations of operating systems and users' capabilities, consider adding another agent configuration. If you have multiple agent configurations that are differentiated by operating systems and users or user groups, the most specific configurations should be at the top of the table in Agent and the most general (such as any OS and a broad group membership) at the bottom. You can move an agent configuration up or down as needed.
For groups, the only supported type of authentication service is LDAP.

GlobalProtect Portal Client User/User Group Configuration Settings
OS
  A user or group member can have multiple devices whose operating systems differ from each other (for example, a user with one endpoint running Windows OS and another endpoint running Mac OS). The portal can provide configurations that are specific to the OS on each endpoint. For the current agent configuration, you can Add one or more client operating systems to specify which clients receive the configuration. A portal automatically learns the OS of the client device and incorporates details for that OS in the client configuration. You can select Any OS or a specific OS (Android, Chrome, iOS, Mac, Windows, or WindowsUWP); you can also select more than one OS.
  The information in User/User Groups describes how you can further differentiate by selection of users, user groups, and choice of any, pre-logon, or select.
User/User Group
  You can Add individual users or user groups to which the current agent configuration applies.
  You must configure group mapping (Device > User Identification > Group Mapping Settings) before you can select the groups.
  In addition to users and groups, you can use the drop-down to specify when these settings apply to the users or groups:
  - any: The agent configuration applies to all users (no need to Add users or user groups).
  - select: The agent configuration applies only to users and user groups you Add to this list.
  - pre-logon: The agent configuration applies only to the users and user groups you Add that also are configured for pre-logon or pre-logon then on-demand. The pre-logon option applies to pre-logon users before they log in to their system. To use the pre-logon option, you must also enable a pre-logon (or pre-logon then on-demand) Connect Method in the App tab for this agent configuration. If you specify a pre-logon Connect Method but specify any users or groups, the configuration applies to pre-logon users before and after they log in.
Internal Tab
Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > Internal to configure the settings for internal gateways for an agent configuration.

GlobalProtect Portal Internal Settings
Internal Host Detection
  Select this option to allow the GlobalProtect agent to determine if it is inside the enterprise network. This option applies only to endpoints that are configured to communicate with internal gateways.
  When the user attempts to log in, the agent does a reverse DNS lookup of an internal host using the specified Hostname to the specified IP Address. The host serves as a reference point that is reachable if the endpoint is inside the enterprise network. If the agent finds the host, the endpoint is inside the network and the agent connects to an internal gateway; if the agent fails to find the internal host, the endpoint is outside the network and the agent establishes a tunnel to one of the external gateways.
  The IP address type can be IPv4 (for IPv4 traffic only), IPv6 (for IPv6 traffic only), or both. Use IPv4 and IPv6 if your network supports dual-stack configurations, where IPv4 and IPv6 run at the same time.
  The IP address must be compatible with the IP address type. For example, 172.16.1.0 for IPv4 or 21DA:D3:0:2F3b for IPv6.
  If you choose IPv4 and IPv6, enter the appropriate IP address type for each.
Hostname
  Enter the Hostname that resolves to the IP address within the internal network.
Internal Gateways
  Specify the internal gateways to which an agent or app can request access and also provide HIP reports (if HIP is enabled in the Data Collection Tab). Add internal gateways that include the following information for each:
  - Name: A label of up to 31 characters to identify the gateway. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
  - Address: The IP address or FQDN of the firewall interface for the gateway. This value must match the Common Name (CN) and SAN (if specified) in the gateway server certificate. For example, if you used an FQDN to generate the certificate, you must enter the FQDN here.
  - Source Address: A source address or address pool for client devices. When users connect, GlobalProtect recognizes the source address of the device. Only the GlobalProtect agents with IP addresses that are included in the source address pool can authenticate with this gateway and send HIP reports.
  - DHCP Option 43 Code: (Windows and Mac only) DHCP sub-option codes for gateway selection. Specify one or more sub-option codes (in decimal). The GlobalProtect Agent reads the gateway address from values defined by the sub-option codes.
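The following is an added example, not code from the guide or from Palo Alto Networks, that models the Internal tab behaviour described above: the inside/outside decision Internal Host Detection makes from a reverse DNS lookup of the configured IP address, the filtering of internal gateways by their Source Address pool, and the extraction of a gateway address from DHCP option 43 sub-options. The resolver is injected so the block runs offline; the PTR table, gateway names and option 43 bytes are constructed sample data, and treating an empty Source Address pool as "no restriction" and decoding the option 43 value as ASCII are this example's assumptions, not statements from the guide.

```python
"""Added example (not PAN-OS code): Internal Host Detection, Source Address pools
and DHCP option 43 sub-option parsing as described in the Internal tab."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional

# Constructed reverse-DNS table standing in for the enterprise DNS server.
INSIDE_PTR_TABLE: Dict[str, str] = {
    "172.16.1.10": "gp-probe.corp.example",
    "2001:db8:0:2f3b::10": "gp-probe.corp.example",
}


def inside_resolver(ip: str) -> Optional[str]:
    """Reverse lookup as seen from the corporate network (constructed data)."""
    return INSIDE_PTR_TABLE.get(ip)


def outside_resolver(ip: str) -> Optional[str]:
    """Reverse lookup as seen from the public internet: the probe host is unknown."""
    return None


@dataclass
class InternalHostDetection:
    hostname: str                  # Hostname field
    ipv4: Optional[str] = None     # IP Address field, IPv4 type
    ipv6: Optional[str] = None     # IP Address field, IPv6 type (dual stack: set both)


def is_inside(cfg: InternalHostDetection,
              resolve_ptr: Callable[[str], Optional[str]]) -> bool:
    """'Inside' only if a configured address resolves back to the configured hostname.

    A failed lookup or a mismatching name both mean 'outside'; the agent then
    tunnels to an external gateway, which is the safe default.
    """
    wanted = cfg.hostname.lower().rstrip(".")
    for addr in (cfg.ipv4, cfg.ipv6):
        if addr is None:
            continue
        name = resolve_ptr(addr)
        if name is not None and name.lower().rstrip(".") == wanted:
            return True
    return False


@dataclass
class InternalGateway:
    name: str
    address: str                    # must match the CN/SAN of the gateway certificate
    source_pools: List[str] = field(default_factory=list)  # Source Address entries (CIDR)


def eligible_internal_gateways(gateways: Iterable[InternalGateway],
                               client_ip: str) -> List[str]:
    """Only gateways whose Source Address pool covers the client may authenticate it
    and receive its HIP report (assumption: an empty pool means no restriction)."""
    ip = ipaddress.ip_address(client_ip)
    eligible = []
    for gw in gateways:
        if not gw.source_pools or any(
                ip in ipaddress.ip_network(pool, strict=False) for pool in gw.source_pools):
            eligible.append(gw.name)
    return eligible


def gateway_from_option43(raw: bytes, codes: Iterable[int]) -> Optional[str]:
    """Walk the encapsulated (code, length, value) triples of DHCP option 43
    (RFC 2132) and return the value of the first configured sub-option code as ASCII.

    Length bytes are checked against the buffer so a malformed option from an
    untrusted DHCP server cannot make the parser read past the data."""
    found: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == 255:                     # END
            break
        if code == 0:                       # PAD
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated sub-option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length exceeds option data")
        found[code] = value
        i += 2 + length
    for code in codes:
        if code in found:
            return found[code].decode("ascii")
    return None
```

A mismatching PTR name is treated exactly like a failed lookup: the endpoint is classified as outside and goes to an external gateway, so a spoofed reverse record cannot by itself pull a client onto an internal gateway whose Source Address pool does not cover it.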
External Tab
Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > External to configure the settings for external gateways for an agent configuration.

GlobalProtect Portal External Settings
Cutoff Time (sec)
  Specify the number of seconds that an agent or app waits for all of the available gateways to respond before it selects the best gateway. For subsequent connection requests, the agent or app tries to connect to only those gateways that responded before the cutoff. A value of 0 means the agent or app uses the TCP Connection Timeout in App Configurations in the App tab (range is 0 to 10; default is 5).
External Gateways
  Specify the list of firewalls to which agents can try to connect when establishing a tunnel while not on the corporate network. Add external gateways that include the following information for each:
  - Name: A label of up to 31 characters to identify the gateway. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
  - Address: The IP address or FQDN of the firewall interface where the gateway is configured. The value must match the CN (and SAN if specified) in the gateway server certificate. For example, if you used an FQDN to generate the certificate, you must also enter the FQDN here.
  - Source Region: Source region for client devices. When users connect, GlobalProtect recognizes the device region and only allows users to connect to gateways that are configured for that region. For gateway choices, source region is considered first, then gateway priority.
  - Priority: Select a value (Highest, High, Medium, Low, Lowest, or Manual only) to help the agent determine which gateway to use. The agent will contact all specified gateways (except those with a priority of Manual only) and establish a tunnel with the firewall that provides the fastest response and the highest priority value. Manual only prevents the GlobalProtect agent from attempting to connect to this gateway when Auto Discovery is enabled on the client.
  - Manual: Select this option to let users manually select (or switch to) a gateway. The GlobalProtect agent can connect to any external gateway that is configured as Manual. When the agent or app connects to another gateway, the existing tunnel is disconnected and a new tunnel established. The manual gateways can also have a different authentication mechanism than the primary gateway. If a client system is restarted or if a rediscovery is performed, the GlobalProtect agent connects to the primary gateway. This feature is useful if a group of users needs to connect temporarily to a specific gateway to access a secure segment of your network.
Third Party VPN
  To direct the GlobalProtect agent or app to ignore selected third-party VPN clients so that GlobalProtect does not conflict with them, Add the name of the VPN client: select the name from the list, or enter the name in the field provided. GlobalProtect ignores the route settings for the specified VPN clients if you configure this feature.
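The following is an added example, not code from the guide or from Palo Alto Networks, that models the external-gateway choice the External tab describes: source region is applied first, Manual only gateways are skipped during auto discovery, gateways that did not answer before the cutoff are dropped, and the rest are ranked by priority. The guide says the agent uses both priority and response time; this example assumes priority wins and response time only breaks ties among equal priorities. The ANY_REGION marker, gateway names, regions and timings are constructed for the example.

```python
"""Added example (not PAN-OS code): external gateway selection as described in the
External tab (region first, then priority; Manual only excluded; cutoff applied)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

PRIORITY_RANK = {"Highest": 0, "High": 1, "Medium": 2, "Low": 3, "Lowest": 4}
MANUAL_ONLY = "Manual only"
ANY_REGION = "Any"   # constructed marker for a gateway with no region restriction


@dataclass(frozen=True)
class ExternalGateway:
    name: str
    address: str          # IP or FQDN; must match the CN/SAN of the gateway server certificate
    source_region: str    # Source Region the gateway is configured for
    priority: str         # a PRIORITY_RANK key or MANUAL_ONLY
    manual: bool = False  # Manual: users may pick this gateway by hand


def candidates(gateways: Iterable[ExternalGateway],
               client_region: str) -> List[ExternalGateway]:
    """Gateways the agent may auto-discover for a client in client_region:
    region must match (or be unrestricted) and Manual only gateways are skipped."""
    return [gw for gw in gateways
            if gw.priority != MANUAL_ONLY
            and gw.source_region in (ANY_REGION, client_region)]


def choose_gateway(gateways: Iterable[ExternalGateway], client_region: str,
                   response_ms: Dict[str, Optional[float]],
                   cutoff_sec: float, tcp_timeout_sec: float) -> Optional[str]:
    """Return the name of the best reachable gateway, or None.

    response_ms maps gateway name -> measured response time in ms (None = no reply).
    A Cutoff Time of 0 means the TCP Connection Timeout from the App tab applies.
    Assumption: priority ranks first, response time breaks ties."""
    limit_ms = (tcp_timeout_sec if cutoff_sec == 0 else cutoff_sec) * 1000
    reachable = [gw for gw in candidates(gateways, client_region)
                 if response_ms.get(gw.name) is not None
                 and response_ms[gw.name] <= limit_ms]
    if not reachable:
        return None
    reachable.sort(key=lambda gw: (PRIORITY_RANK[gw.priority], response_ms[gw.name]))
    return reachable[0].name


def manual_targets(gateways: Iterable[ExternalGateway]) -> List[str]:
    """Gateways a user may switch to by hand; switching tears down the existing tunnel."""
    return [gw.name for gw in gateways if gw.manual]
```

Note that a Manual only gateway in an unrestricted region is still never auto-selected: it is reachable only through the user's explicit choice, which is the behaviour the Priority description above requires.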
App Tab
Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > App to specify how end users interact with the GlobalProtect agents installed on their systems. You can define different app settings for the different GlobalProtect agent configurations you create.

GlobalProtect App Configuration Settings
Welcome Page
  Select a welcome page to present to end users after they connect to GlobalProtect. You can select the factory-default page or Import a custom page. The default is None.
App Configurations
GlobalProtect App Config Refresh Interval (hours)
  Specify the number of hours the GlobalProtect portal waits before it initiates the next refresh of a client's configuration (range is 1 to 168; default is 24).
Allow User to Disable GlobalProtect App
  Specifies whether users are allowed to disable the GlobalProtect agent and, if so, what if anything they must do before they can disable the agent:
  - Allow: Allow any user to disable the GlobalProtect agent as needed.
  - Disallow: Do not allow end users to disable the GlobalProtect agent.
  - Allow with Comment: Allow users to disable the GlobalProtect agent or app on their endpoint but require that they submit their reason for disabling the agent.
  - Allow with Passcode: Allow users to enter a passcode to disable the GlobalProtect agent or app. This option requires the user to enter and confirm a Passcode value that, like a password, does not display when typed. Typically, administrators provide a passcode to users before unplanned or unanticipated events prevent users from connecting to the network by using the GlobalProtect VPN. You can provide the passcode through email or as a posting on your organization's website.
  - Allow with Ticket: This option enables a challenge-response mechanism where, after a user attempts to disable GlobalProtect, the endpoint displays an 8-character, hexadecimal ticket request number. The user then contacts the firewall administrator or support team (preferably by phone for security) and provides this number. The administrator or support person types the hexadecimal ticket request number into the Agent User Override Key field (in the GlobalProtect agent configuration Agent tab) so they can see the ticket number (also an 8-character hexadecimal number). The administrator or support person then provides this ticket number to the user, who then enters the ticket number into the challenge field to disable the agent.
Allow User to Upgrade GlobalProtect App
  Specifies whether end users can upgrade the GlobalProtect agent software and, if they can, whether they can choose when to upgrade:
  - Disallow: Prevent users from upgrading the agent or app software.
  - Allow Manually: Allow users to manually check for and initiate upgrades by selecting Check Version in the GlobalProtect agent.
  - Allow with Prompt (default): Prompt users when a new version is activated on the firewall and allow users to upgrade their software when it is convenient.
  - Allow Transparently: Automatically upgrade the agent software whenever a new version becomes available on the portal.
  - Internal: Automatically upgrade the agent software whenever a new version becomes available on the portal, but wait until the endpoint is connected internally to the corporate network. This prevents delays caused by upgrades over low-bandwidth connections.
Use Single Sign-on (Windows Only)
  Select No to disable single sign-on (SSO). With SSO enabled (default), the GlobalProtect agent automatically uses the Windows login credentials to authenticate and then connect to the GlobalProtect portal and gateway. GlobalProtect can also wrap third-party credentials to ensure that Windows users can authenticate and connect even when a third-party credential provider is used to wrap the Windows login credentials.
Clear Single Sign-On Credentials on Logout (Windows Only)
  Select No to keep single sign-on credentials when the user logs out. Select Yes (default) to clear them and force the user to enter credentials upon the next login.
Use Default Authentication on Kerberos Authentication Failure (Windows Only)
  Select No to use only Kerberos authentication. Select Yes (default) to retry authentication by using the default authentication method after a failure to authenticate with Kerberos.
Client Certificate Store Lookup
  Select the type of certificate or certificates that an agent or app looks up in its personal certificate store. The GlobalProtect agent or app uses the certificate to authenticate to the portal or a gateway and then establish a VPN tunnel to the GlobalProtect gateway.
  - User: Authenticate by using the certificate that is local to the user's account.
  - Machine: Authenticate by using the certificate that is local to the endpoint. This certificate applies to all the user accounts permitted to use the endpoint.
  - User and machine (default): Authenticate by using the user certificate and the machine certificate.
SCEP Certificate Renewal Period (days)
  This mechanism is for renewing a SCEP-generated certificate before the certificate actually expires. You specify the maximum number of days before certificate expiry that the portal can request a new certificate from the SCEP server in your PKI system (range is 0 to 30; default is 7). A value of 0 means that the portal does not automatically renew the client certificate when it refreshes a client configuration.
  For an agent or app to get the new certificate, the user must log in during the renewal period (the portal does not request the new certificate for a user during this renewal period unless the user logs in).
  For example, suppose that a client certificate has a lifespan of 90 days and this certificate renewal period is 7 days. If a user logs in during the final 7 days of the certificate lifespan, the portal generates the certificate and downloads it along with a refreshed client configuration. See GlobalProtect App Config Refresh Interval (hours).
Extended Key Usage OID for Client Certificate
  Enter the extended key usage of a client certificate by specifying its object identifier (OID). This setting ensures that the GlobalProtect agent selects only a certificate that is intended for client authentication and enables GlobalProtect to save the certificate for future use.
Enable Advanced View
  Select No to restrict the user interface on the client side to the basic, minimum view (enabled by default).
Allow User to Dismiss Welcome Page
  Select No to force the Welcome Page to appear each time a user initiates a connection. This restriction prevents a user from dismissing important information, such as terms and conditions that may be required by your organization to maintain compliance.
Enable Rediscover Network Option
  Select No to prevent users from manually initiating a network rediscovery.
Enable Resubmit Host Profile Option
  Select No to prevent users from manually triggering resubmission of the latest HIP.
Allow User to Change Portal Address
  Select No to disable the Portal field on the Home tab in the GlobalProtect agent or app. However, because the user will then be unable to specify a portal to which to connect, you must supply the default portal address in the Windows registry or Mac plist:
  - Windows registry: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup with key Portal
  - Mac plist: /Library/Preferences/com.paloaltonetworks.GlobalProtect.pansetup.plist with key Portal
  For more information about pre-deploying the portal address, see Customizable Agent Settings in the GlobalProtect Administrator's Guide.
Allow User to Continue with Invalid Portal Server Certificate
  Select No to prevent the agent from establishing a connection with the portal if the portal certificate is not valid.
Display GlobalProtect Icon
  Select No to hide the GlobalProtect icon on the client system. If the icon is hidden, users cannot perform certain tasks, such as viewing troubleshooting information, changing passwords, rediscovering the network, or performing an on-demand connection. However, HIP notification messages, login prompts, and certificate dialogs do display when user interaction is necessary.
User Switch Tunnel Rename Timeout (sec) (Windows only)
  Specify the number of seconds that a remote user has to be authenticated by a GlobalProtect gateway after logging in to an endpoint by using Microsoft's Remote Desktop Protocol (RDP) (range is 0 to 600; default is 0). Requiring the remote user to authenticate within a limited amount of time maintains security.
  After authenticating the new user and switching the tunnel to the user, the gateway renames the tunnel.
  A value of 0 means that the current user's tunnel is not renamed but, instead, is immediately terminated. In this case, the remote user gets a new tunnel and has no time limit for authenticating to a gateway (other than the configured TCP timeout).
Show System Tray Notifications (Windows only)
  Select No to hide notifications from the user. Select Yes (default) to display notifications in the system tray area.
Custom Password Expiration Message (LDAP Authentication Only)
  Create a custom message to display to users when their password is about to expire. The maximum message length is 200 characters.
Maximum Internal Gateway Connection Attempts
  Enter the maximum number of times the GlobalProtect agent should retry the connection to an internal gateway after the first attempt fails (range is 0 to 100; default is 0, which means the GlobalProtect agent does not retry the connection). By increasing the value, you enable the agent to automatically connect to an internal gateway that is temporarily down or unreachable during the first connection attempt but comes back up before the specified number of retries is exhausted. Increasing the value also ensures that the internal gateway receives the most up-to-date user and host information.
Portal Connection Timeout (sec)
  The number of seconds before a connection request to the portal times out due to no response from the portal (range is 1 to 600; default is 30).
TCP Connection Timeout (sec)
  The number of seconds before a TCP connection request times out due to unresponsiveness from either end of the connection (range is 1 to 600; default is 60).
TCP Receive Timeout (sec)
  The number of seconds before a TCP connection times out due to the absence of some partial response of a TCP request (range is 1 to 600; default is 30).
Update DNS Settings at Connect (Windows Only)
  Select Yes to flush the DNS cache and force all adapters to use the DNS settings in the configuration. Select No (default) to use the DNS settings of the client.
Detect Proxy for Each Connection (Windows only)
  Select No to auto-detect the proxy for the portal connection and use that proxy for subsequent connections. Select Yes (default) to auto-detect the proxy at every connection.
Send HIP Report Immediately if Windows Security Center (WSC) State Changes (Windows Only)
  Select No to prevent the GlobalProtect agent from sending HIP data when the status of the Windows Security Center (WSC) changes. Select Yes (default) to immediately send HIP data when the status of the WSC changes.
Enforce GlobalProtect Connection for Network Access
  Select Yes to force all network traffic to traverse a GlobalProtect tunnel. Select No (default) if GlobalProtect is not required for network access and users can still access the internet even when GlobalProtect is disabled or disconnected. To provide instructions to users before traffic is blocked, configure a Traffic Blocking Notification Message and optionally specify when to display the message (Traffic Blocking Notification Delay). To permit traffic required to establish a connection with a captive portal, specify a Captive Portal Exception Timeout. The user must authenticate with the portal before the timeout expires. To provide additional instructions, configure a Captive Portal Detection Message.
Captive Portal Exception Timeout (sec)
  To enforce GlobalProtect for network access but provide a grace period to allow users enough time to connect to a captive portal, specify the timeout in seconds (range is 0 to 3600). For example, a value of 60 means the user must log in to the captive portal within one minute after GlobalProtect detects the captive portal. A value of 0 means GlobalProtect does not allow users to connect to a captive portal and immediately blocks access.
Traffic Blocking Notification Delay (sec)
  Specify a value, in seconds, to determine when to display the notification message. GlobalProtect starts the countdown to display the notification after the network is reachable (range is 5 to 120; default is 15).
Display Traffic Blocking Notification Message
  Specifies whether a message appears when GlobalProtect is required for network access. Select No to disable the message. Select Yes to enable the message (GlobalProtect displays the message when GlobalProtect is disconnected but detects that the network is reachable).
Traffic Blocking Notification Message
  Customize a notification message to display to users when GlobalProtect is required for network access. GlobalProtect displays the message when GlobalProtect is disconnected but detects that the network is reachable. The message can indicate the reason for blocking the traffic and provide instructions on how to connect. For example:
    To access the network, you must first connect to GlobalProtect.
  The message must be 512 or fewer characters.
Allow User to Dismiss Traffic Blocking Notifications
  Select No to always display traffic blocking notifications. By default the value is set to Yes, meaning users are permitted to dismiss the notifications.
Display Captive Portal Detection Message
  Specifies whether a message appears when GlobalProtect detects a captive portal. Select Yes to display the message. Select No (default) to suppress the message (GlobalProtect does not display a message when GlobalProtect detects a captive portal).
  If you enable a Captive Portal Detection Message, the message appears 85 seconds before the Captive Portal Exception Timeout. So if the Captive Portal Exception Timeout is 90 seconds or less, the message appears 5 seconds after a captive portal is detected.
Captive Portal Detection Message
  Customize a notification message to display to users when GlobalProtect detects a captive portal; the message can provide additional instructions for connecting to the captive portal. For example:
    GlobalProtect has temporarily permitted network access for you to connect to the internet. Follow instructions from your internet provider. If you let the connection time out, open GlobalProtect and click Connect to try again.
  The message must be 512 or fewer characters.
Enable Inbound Authentication Prompts from MFA Gateways
  To support multi-factor authentication (MFA), a GlobalProtect client must receive and acknowledge UDP prompts that are inbound from the gateway. Select Yes to enable a GlobalProtect client to receive and acknowledge the prompt. Select No (default) for GlobalProtect to block UDP prompts from the gateway.
Network Port for Inbound Authentication Prompts (UDP)
  Specifies the port number a GlobalProtect client uses to receive inbound authentication prompts from MFA gateways. The default port is 4501. To change the port, specify a number from 1 to 65535.
Trusted MFA Gateways
  Specifies the list of firewalls or authentication gateways a GlobalProtect client trusts for multi-factor authentication. When a GlobalProtect client receives a UDP message on the specified network port, GlobalProtect displays an authentication message only if the UDP prompt comes from a trusted gateway.
Default Message for Inbound Authentication Prompts
  Customize a notification message to display when users try to access a resource that requires additional authentication. For example:
    You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at www.mylogin.com
  The message must be 512 or fewer characters.
IPv6 Preferred
  Specifies the preferred protocol for GlobalProtect client communications. Select No to change the preferred protocol to IPv4. Select Yes (default) to make IPv6 the preferred connection in a dual-stack environment.
Retain Connection on Smart Card Removal (Windows Only)
  Select Yes to retain the connection when a user removes a smart card containing a client certificate. Select No (default) to terminate the connection when a user removes a smart card.
Max Times User Can Disable
  Specify the maximum number of times that a user can disable GlobalProtect before the user must connect to a firewall. The default value of 0 means users have no limit to the number of times they can disable the agent.
Disable Timeout (min)
  Specify the maximum number of minutes the GlobalProtect agent or app can be disabled. After the specified time passes, the agent tries to connect to the firewall. The default of 0 indicates that the disable period is unlimited.
Mobile Security Manager
  If you are using the GlobalProtect Mobile Security Manager for mobile device management (MDM), enter the IP address or FQDN of the device check-in (enrollment) interface on the GP-100 appliance.
Enrollment Port
  The port number the mobile endpoint should use when connecting to the GlobalProtect Mobile Security Manager for enrollment. The Mobile Security Manager listens on port 443 by default.
  Keep this port number so that mobile endpoint users are not prompted for a client certificate during the enrollment process (other possible values are 443, 7443, and 8443).
Data Collection Tab
Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > Data Collection to define the data the agent collects from the client in the HIP report:

GlobalProtect Data Collection Configuration Settings
Collect HIP Data
  Clear this selection to prevent the agent from collecting and sending HIP data.
Max Wait Time (sec)
  Specify how many seconds the agent or app should search for HIP data before submitting the available data (range is 10 to 60; default is 20).
Clientless Configuration Tab

GlobalProtect Portal Clientless Configuration Settings

Applications tab
Source User
  You can Add individual users or user groups to which the current application configuration applies. These users have permission to launch the configured applications using a GlobalProtect clientless VPN.
  You must configure group mapping (Device > User Identification > Group Mapping Settings) before you can select the groups.
  In addition to users and groups, you can specify when these settings apply to the users or groups:
  - any: The application configuration applies to all users (no need to Add users or user groups).
  - select: The application configuration applies only to users and user groups you Add to this list.
Applications
  You can Add individual applications or application groups to the mapping. The Source Users you included in the configuration can use GlobalProtect clientless VPN to launch the applications you add.
Crypto Settings
  Specify the authentication and encryption algorithms for the SSL sessions between the firewall and the published applications:
  - Protocol Versions: Select the required minimum and maximum TLS/SSL versions. The higher the TLS version, the more secure the connection. Choices include SSLv3, TLSv1.0, TLSv1.1, or TLSv1.2.
  - Key Exchange Algorithms: Select the supported algorithm types for key exchange. Choices include RSA, Diffie-Hellman (DHE), or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE).
  - Encryption Algorithms: Select the supported encryption algorithms. AES128 or higher is recommended.
  - Authentication Algorithms: Select the supported authentication algorithms. Choices are: MD5, SHA1, SHA256, or SHA384. SHA256 or higher is recommended.
Server Certificate Verification
  Enable which actions to take for the following issues that can occur when an application presents a server certificate:
  - Block sessions with expired certificate: If the server certificate has expired, block access to the application.
  - Block sessions with untrusted issuers: If the server certificate is issued from an untrusted certificate authority, block access to the application.
  - Block sessions with unknown certificate status: If the OCSP or CRL service returns a certificate revocation status of unknown, block access to the application.
  - Block sessions on certificate status check timeout: If the certificate status check times out before receiving a response from any certificate status service, block access to the application.
Proxy
  (Optional) Add a proxy server. Specify these settings if users need to reach the applications through a proxy server. With this configuration, the GlobalProtect portal must use the proxy server to access the published applications.
  - Name: A label of up to 31 characters to identify the proxy server. The name is case-sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens, and underscores.
  - Domains: Add the domains served by the proxy server.
  - Use Proxy: Select to allow the GlobalProtect portal to use the proxy server to access the published applications.
  - Server, Port: Specify the hostname (or IP address) and port number of the proxy server.
  - User, Password: Specify the username and password needed to log in to the proxy server. Enter the password again for verification.
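The following is an added example, not code from the guide or from Palo Alto Networks, showing what the Crypto Settings choices above amount to when expressed as an OpenSSL client context, with the weakest selection the tab allows placed next to the recommended one. audit() flags selections below the guide's recommendations (TLSv1.2, AES128 or higher, SHA256 or higher), and build_context() turns a selection into a real ssl.SSLContext so the cipher suites that would actually be offered can be inspected. The mapping of the tab's checkboxes to OpenSSL cipher-string keywords is this example's assumption, as is listing RC4 and 3DES among the legacy encryption choices; the WEAK and RECOMMENDED selections are constructed.

```python
"""Added example (not PAN-OS code): the clientless VPN Crypto Settings as an
OpenSSL client context, with an audit against the guide's recommendations."""
import itertools
import ssl
from dataclasses import dataclass, field
from typing import List

VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]   # the tab's Protocol Versions
RECOMMENDED_MIN = "TLSv1.2"
STRONG_ENC = {"AES128", "AES256"}                       # "AES128 or higher"
STRONG_AUTH = {"SHA256", "SHA384"}                      # "SHA256 or higher"

# Assumed mapping from the tab's choices to OpenSSL cipher-string keywords.
_TLS_VERSION = {"SSLv3": ssl.TLSVersion.SSLv3, "TLSv1.0": ssl.TLSVersion.TLSv1,
                "TLSv1.1": ssl.TLSVersion.TLSv1_1, "TLSv1.2": ssl.TLSVersion.TLSv1_2}
_KX = {"RSA": "kRSA", "DHE": "kDHE", "ECDHE": "kECDHE"}
_ENC = {"AES128": "AES128", "AES256": "AES256", "3DES": "3DES", "RC4": "RC4"}
_AUTH = {"MD5": "MD5", "SHA1": "SHA1", "SHA256": "SHA256", "SHA384": "SHA384"}


@dataclass
class CryptoSettings:
    min_version: str                                        # Protocol Versions (minimum)
    key_exchange: List[str] = field(default_factory=list)   # Key Exchange Algorithms
    encryption: List[str] = field(default_factory=list)     # Encryption Algorithms
    authentication: List[str] = field(default_factory=list) # Authentication Algorithms


def audit(cfg: CryptoSettings) -> List[str]:
    """One finding for every selection weaker than the guide recommends."""
    findings = []
    if VERSIONS.index(cfg.min_version) < VERSIONS.index(RECOMMENDED_MIN):
        findings.append(f"minimum protocol {cfg.min_version} is below {RECOMMENDED_MIN}")
    if "RSA" in cfg.key_exchange:
        findings.append("static RSA key exchange gives no forward secrecy; prefer DHE or ECDHE")
    findings += [f"encryption algorithm {e} is weaker than AES128"
                 for e in cfg.encryption if e not in STRONG_ENC]
    findings += [f"authentication algorithm {a} is weaker than SHA256"
                 for a in cfg.authentication if a not in STRONG_AUTH]
    return findings


def cipher_string(cfg: CryptoSettings) -> str:
    """OpenSSL cipher list allowing exactly the selected kx/enc/mac combinations.

    GCM suites are AEAD and carry no separate MAC, so when SHA256/SHA384 and AES are
    selected the matching AES-GCM suites are included too; aNULL/eNULL never are."""
    terms = [f"{_KX[k]}+{_ENC[e]}+{_AUTH[a]}"
             for k, e, a in itertools.product(cfg.key_exchange, cfg.encryption,
                                               cfg.authentication)]
    if STRONG_AUTH & set(cfg.authentication) and STRONG_ENC & set(cfg.encryption):
        terms += [f"{_KX[k]}+AESGCM" for k in cfg.key_exchange]
    return ":".join(terms) + ":!aNULL:!eNULL"


def build_context(cfg: CryptoSettings) -> ssl.SSLContext:
    """Client context honouring the selection; raises ssl.SSLError if the local
    OpenSSL build supports none of the requested suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = _TLS_VERSION[cfg.min_version]
    ctx.set_ciphers(cipher_string(cfg))
    return ctx


def negotiable_suites(cfg: CryptoSettings) -> List[str]:
    """Names of the cipher suites the context would offer (TLS 1.3 suites included)."""
    return [c["name"] for c in build_context(cfg).get_ciphers()]


# Constructed selections: the weakest the tab permits, and the recommended baseline.
WEAK = CryptoSettings("SSLv3", ["RSA"], ["AES128", "RC4"], ["MD5", "SHA1"])
RECOMMENDED = CryptoSettings("TLSv1.2", ["ECDHE", "DHE"], ["AES128", "AES256"],
                             ["SHA256", "SHA384"])
```

Running audit(WEAK) produces one finding per weak choice, while audit(RECOMMENDED) is empty and negotiable_suites(RECOMMENDED) contains no MD5, RC4 or SHA1-MAC suites, which is the concrete meaning of the "recommended" notes in the table.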
Satellite Configuration Tab
A satellite is a Palo Alto Networks firewall, typically at a branch office, that acts as a GlobalProtect agent to enable the satellite to establish VPN connectivity to a GlobalProtect gateway. Like a GlobalProtect agent, a satellite receives its initial configuration from the portal, which includes the certificates and VPN configuration routing information and enables the satellite to connect to all configured gateways to establish VPN connectivity.
Before configuring the GlobalProtect satellite settings on the branch office firewall, you must configure an interface with WAN connectivity and set up a security zone and policy to allow the branch office LAN to communicate with the Internet. You can then select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Satellite > <GlobalProtect-satellite> to configure the GlobalProtect satellite settings on the portal as described in the following table.

GlobalProtect Portal Satellite Configuration Settings
General
  - Name: A name for this satellite configuration on the GlobalProtect portal.
  - Configuration Refresh Interval (hours): How often a satellite should check the portal for configuration updates (range is 1 to 48; default is 24).
Gateways
  Click Add to enter the IP address or hostname of the gateway(s) with which satellites using this configuration can establish IPSec tunnels. Enter the FQDN or IP address of the interface where the gateway is configured in the Gateways field. IP addresses can be specified as IPv6, IPv4, or both. Select IPv6 Preferred to specify preference for IPv6 connections in a dual-stack environment.
  (Optional) If you are adding two or more gateways to the configuration, the Routing Priority helps the satellite pick the preferred gateway (range is 1 to 25). Lower numbers have higher priority (for gateways that are available). The satellite multiplies the routing priority by 10 to determine the routing metric.
  Routes published by the gateway are installed on the satellite as static routes. The metric for the static route is 10 times the routing priority. If you have more than one gateway, be sure to set the routing priority so that routes advertised by backup gateways have higher metrics than the same routes advertised by primary gateways. For example, if you set the routing priority for the primary gateway and backup gateway to 1 and 10 respectively, the satellite will use 10 as the metric for the primary gateway and 100 as the metric for the backup gateway.
  The satellite also shares its network and routing information with the gateways if you Publish all static and connected routes to Gateway (Network > IPSec Tunnels > <tunnel> > Advanced; available only when you select GlobalProtect Satellite on the <tunnel> > General tab).
Trusted Root CA
  Click Add and then select the CA certificate for issuing gateway server certificates.
  All your gateways should use the same issuer.
  You can Import or Generate a root CA certificate for issuing your gateway server certificates if one does not already exist on the portal.
Client Certificate
  - OCSP Responder: Select the OCSP Responder the satellite uses to verify the revocation status of certificates presented by the portal and gateways. Select None to specify that OCSP is not used for verifying revocation of a certificate.
  - Validity Period (days): Specify the GlobalProtect satellite certificate lifetime (range is 7 to 365; default is 7).
  - Certificate Renewal Period (days): Specify the number of days before expiration that certificates can be automatically renewed (range is 3 to 30; default is 3).
SCEP
  - SCEP: Select a SCEP profile for generating client certificates. If the profile is not in the drop-down, you can create a New profile.
  - Certificate Renewal Period (days): Specify the number of days before expiration that certificates can be automatically renewed (range is 3 to 30; default is 3).
Network > GlobalProtect > Gateways

What are you looking for?
  What general settings can I configure for the GlobalProtect gateway? See: General Tab
  How do I configure the gateway client authentication? See: Authentication Tab
  How do I configure the tunnel and network settings that enable an agent or app to establish a VPN tunnel with the gateway? See: Agent Tab
  How do I configure the tunnel and network settings to enable the satellites to establish VPN connections with a gateway acting as a satellite? See: Satellite Configuration Tab
General Tab

GlobalProtect Gateway General Settings
Name
  Enter a name for the gateway (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location
  For a firewall that is in multiple virtual system mode, the Location is the virtual system (vsys) where the GlobalProtect gateway is available. For a firewall that is not in multi-vsys mode, the Location field does not appear in the GlobalProtect Gateway dialog.
  After you save the gateway configuration, you cannot change the Location.
Interface
  Select the name of the firewall interface that will serve as the ingress interface for remote endpoints. (These interfaces must already exist.)
Authentication Tab

GlobalProtect Gateway Authentication Settings
SSL/TLS Service Profile
  Select an SSL/TLS service profile for securing this GlobalProtect gateway. For details about the contents of a service profile, see Device > Certificate Management > SSL/TLS Service Profile.
Name
  Enter a unique name to identify this configuration.
OS
  By default, the configuration applies to all clients. You can refine the list of client endpoints by OS (Android, Chrome, iOS, Mac, Windows, or WindowsUWP), by Satellite devices, or by third-party IPSec VPN clients (X-Auth).
  The OS is the main differentiator between multiple configurations. If you need multiple configurations for one OS, you can further distinguish the configurations by your choice of authentication profile.
  Order the configurations from most specific at the top of the list to most general at the bottom.
Authentication Profile
  Choose an authentication profile or sequence from the drop-down to authenticate access to the gateway. Refer to Device > Authentication Profile.
Authentication Message
  To help end users know what credentials they should use for logging in to this gateway, you can enter a message or keep the default message. The message can have a maximum of 100 characters.
Agent Tab

Tunnel Settings Tab
Select Network > GlobalProtect > Gateways > Agent > Tunnel Settings to enable tunneling and configure the tunnel parameters.
Tunnel parameters are required if you are setting up an external gateway. If you are configuring an internal gateway, tunnel parameters are optional.

GlobalProtect Gateway Client Tunnel Mode Configuration Settings

Timeout Settings Tab
Select Network > GlobalProtect > Gateways > Agent > Timeout Settings to define the maximum value that a user session or tunnel connection can be idle.

GlobalProtect Gateway Client Tunnel Mode Timeout Settings
Timeout Configuration
  - Login Lifetime: Specify the number of days, hours, or minutes allowed for a single gateway login session.
  - Inactivity Logout: Specify the number of days, hours, or minutes after which an inactive session is automatically logged out.
  - Disconnect on Idle: Specify the number of minutes at which a client is logged out of GlobalProtect if the GlobalProtect app has not routed traffic through the VPN tunnel in the specified amount of time.
Client Settings Tab
Select Network > GlobalProtect > Gateways > Agent > Client Settings to configure settings for the virtual network adapter on the client system when an agent establishes a tunnel with the gateway.
Some Client Settings options are available only after you enable tunnel mode and define a tunnel interface on the Tunnel Settings Tab.

GlobalProtect Gateway Client Settings and Network Configuration
Authentication
Name
  Enter a name to identify the client settings configuration (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Authentication Override
  Enable the gateway to use secure, device-specific, encrypted cookies to authenticate the user after the user first authenticates using the authentication scheme specified by the authentication or certificate profile.
  - Generate cookie for authentication override: During the lifetime of the cookie, the agent presents this cookie each time the user authenticates with the gateway.
  - Cookie Lifetime: Specify the hours, days, or weeks that the cookie is valid. The typical lifetime is 24 hours. The ranges are 1 to 72 hours, 1 to 52 weeks, or 1 to 365 days. After the cookie expires, the user must enter login credentials and the gateway subsequently encrypts a new cookie to send to the user device.
  - Accept cookie for authentication override: Select this option to configure the gateway to accept authentication using the encrypted cookie. When the agent presents the cookie, the gateway validates that the cookie was encrypted by the gateway before authenticating the user.
  - Certificate to Encrypt/Decrypt Cookie: Select the certificate the gateway uses when encrypting and decrypting the cookie.
  Ensure that the gateway and portal both use the same certificate to encrypt and decrypt cookies.
User/User Group tab
  Specify the user or user group and client operating system to which this agent configuration applies.
User/User Group
  Add a specific user or user group to which this configuration applies.
  You must configure group mapping (Device > User Identification > Group Mapping Settings) before you can select users and groups.
  You can also create configurations that are deployed to agents or apps in pre-logon mode (before the user logs in to the endpoint) or configurations to deploy to any user.
GlobalProtectGateway Description
ClientSettingsand
NetworkConfiguration
(Continued)
OS Todeployconfigurationsbasedontheoperatingsystemrunningonthe
endpoint,AddanOS(Android,Chrome,iOS,Mac,Windows,WindowsUWP).
Alternatively,youcanleavethisvaluesettoAnysothatconfiguration
deploymentisbasedonlyontheuserorusergroupandnotontheoperating
systemoftheendpoint.
IP Pools tab
Retrieve SelectthisoptiontoenabletheGlobalProtectgatewaytoassignfixedIP
FramedIPAddress addressesbyuseofanexternalauthenticationserver.Whenthisoptionis
attributefrom enabled,theGlobalProtectgatewayallocatestheIPaddressforconnecting
authenticationserver todevicesbyusingtheFramedIPAddressattributefromtheauthentication
server.
AuthenticationServerIP AddasubnetorrangeofIPaddressestoassigntoremoteusers.Whenthe
Pool tunnelisestablished,theGlobalProtectgatewayallocatestheIPaddressin
thisrangetoconnectingdevicesusingtheFramedIPAddressattributefrom
theauthenticationserver.YoucanaddIPv4orIPv6addresses.
YoucanenableandconfigureAuthentication Server IP Poolonlyifyou
enableRetrieve Framed-IP-Address attribute from authentication server.
TheauthenticationserverIPpoolmustbelargeenoughtosupport
allconcurrentconnections.IP addressassignmentisfixedandis
retainedaftertheuserdisconnects.Configuremultiplerangesfrom
differentsubnetstoallowthesystemtoofferclientsanIPaddress
thatdoesnotconflictwithotherinterfacesontheclient.
TheserversandroutersinthenetworksmustroutethetrafficforthisIPpool
tothefirewall.Forexample,forthe192.168.0.0/16network,aremoteuser
canreceivetheaddress192.168.0.10.
IPPool AddarangeofIPaddressestoassigntoremoteusers.Whenthetunnelis
established,aninterfaceiscreatedontheremoteusersendpointwithan
addressinthisrange.YoucanaddIPv4orIPv6addresses.
Toavoidconflicts,theIPpoolmustbelargeenoughtosupportall
concurrentconnections.Thegatewaymaintainsanindexofclients
andIPaddressessothattheclientautomaticallyreceivesthesame
IPaddressthenexttimeitconnects.Configuringmultipleranges
fromdifferentsubnetsallowsthesystemtoofferclientsanIP
addressthatdoesnotconflictwithotherinterfacesontheclient.
TheserversandroutersinthenetworksmustroutethetrafficforthisIPpool
tothefirewall.Forexample,forthe192.168.0.0/16network,aremoteuser
maybeassignedtheaddress192.168.0.10.
GlobalProtectGateway Description
ClientSettingsand
NetworkConfiguration
(Continued)
Nodirectaccesstolocal Selectthisoptiontodisablesplittunneling,includingdirectaccesstolocal
network networksonWindowsandMacOSendpoints.Thisfunctionpreventsauser
fromsendingtraffictoproxiesorlocalresources,suchasahomeprinter.
Whenthetunnelisestablished,alltrafficisroutedthroughthetunnelandis
subjecttopolicyenforcementbythefirewall.
Includes AddroutestoincludeintheVPNtunnel.Thesearetheroutesthegateway
pushestotheremoteusersendpointtospecifywhatuserendpointscan
sendthroughtheVPNconnection.
Excludes AddroutestoexcludefromtheVPNtunnel.Theseroutesaresentthrough
thephysicaladapteronendpointsratherthanthroughthevirtualadapter
(thetunnel).
YoucandefinetheroutesyousendthroughtheVPNtunnelasroutesyou
includeinthetunnel,routesyouexcludefromthetunnel,oracombination
ofboth.Forexample,youcansetupsplittunnelingtoallowremoteusersto
accesstheinternetwithoutgoingthroughtheVPNtunnel.Excludedroutes
shouldbemorespecificthantheincludedroutestoavoidexcludingmore
trafficthanyouintendtoexclude.
Ifyoudontincludeorexcluderoutes,everyrequestisroutedthroughthe
tunnel(nosplittunneling).Inthiscase,eachinternetrequestpassesthrough
thefirewallandthenouttothenetwork.Thismethodcanpreventthe
possibilityofanexternalpartyaccessinguserendpointsandgainingaccess
totheinternalnetwork(withauserendpointactingasabridge).
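The include/exclude behavior described above, as an added example that is not Palo Alto Networks code: a small model of the endpoint's split-tunnel decision plus a check for excludes that are not more specific than the includes. It assumes longest-prefix match when a destination falls in both an included and an excluded route (which is why the guide wants excludes to be more specific), and that an excludes-only configuration tunnels everything else; the route lists are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample split-tunnel configuration (not from the guide):
# tunnel the corporate ranges, but keep a lab segment and one local subnet
# on the physical adapter.
INCLUDES = ["10.0.0.0/8", "192.168.0.0/16"]
EXCLUDES = ["10.99.0.0/16", "192.168.1.0/24"]

_DEFAULTS = [ip_network("0.0.0.0/0"), ip_network("::/0")]


def _longest_match(addr, routes):
    """Return the most specific route containing addr, or None."""
    best = None
    for r in routes:
        if addr in r and (best is None or r.prefixlen > best.prefixlen):
            best = r
    return best


def route_via_tunnel(dst, includes=(), excludes=(), no_direct_local=False):
    """True if traffic to dst goes through the VPN tunnel.

    Rules taken from the guide: "No direct access to local network" disables
    split tunneling entirely; with no include and no exclude routes, every
    request is tunneled. Assumptions: when both an include and an exclude
    contain dst, the longer prefix wins (a tie counts as excluded); an
    excludes-only configuration starts from a default include route.
    """
    addr = ip_address(dst)
    if no_direct_local:
        return True
    inc = [ip_network(r) for r in includes]
    exc = [ip_network(r) for r in excludes]
    if not inc and not exc:
        return True
    if not inc:
        inc = list(_DEFAULTS)
    best_inc = _longest_match(addr, inc)
    best_exc = _longest_match(addr, exc)
    if best_inc is None:
        return False          # not in any included route: physical adapter
    if best_exc is None:
        return True           # included and not excluded: tunnel
    return best_inc.prefixlen > best_exc.prefixlen


def overly_broad_excludes(includes, excludes):
    """Excluded routes that are not strictly more specific than some include.

    The guide warns that such excludes remove more traffic from the tunnel
    than intended; this returns them as strings for review.
    """
    inc = [ip_network(r) for r in includes] or list(_DEFAULTS)
    flagged = []
    for e in (ip_network(r) for r in excludes):
        ok = any(e.version == i.version and e.subnet_of(i)
                 and e.prefixlen > i.prefixlen for i in inc)
        if not ok:
            flagged.append(str(e))
    return flagged


if __name__ == "__main__":
    for d in ("10.1.2.3", "10.99.5.5", "192.168.1.7", "8.8.8.8"):
        print(d, "tunnel" if route_via_tunnel(d, INCLUDES, EXCLUDES) else "direct")
    print("excludes to review:", overly_broad_excludes(["10.0.0.0/8"], ["0.0.0.0/0"]))
```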
Network Services Tab
Select Network > GlobalProtect > Gateways > Agent > Network Services to configure DNS settings that are assigned to the virtual network adapter on the client system when an agent establishes a tunnel with the gateway.
Network Services options are available only if you have enabled tunnel mode and defined a tunnel interface on the Tunnel Settings Tab.
GlobalProtect Gateway Client Network Services Configuration Settings  Description
Inheritance Source: Select a source to propagate DNS server and other settings from the selected DHCP client or PPPoE client interface into the GlobalProtect agents' or apps' configuration. With this setting, all client network configurations, such as DNS servers and WINS servers, are inherited from the configuration of the interface selected in the Inheritance Source.
Check inheritance source status: Click Inheritance Source to see the server settings that are currently assigned to the client interfaces.
Primary DNS / Secondary DNS: Enter the IP addresses of the primary and secondary servers that provide DNS to the clients.
Primary WINS / Secondary WINS: Enter the IP addresses of the primary and secondary servers that provide Windows Internet Naming Service (WINS) to the clients.
Inherit DNS Suffixes: Select this option to inherit the DNS suffixes from the inheritance source.
DNS Suffix: Add a suffix that the client should use locally when an unqualified hostname is entered that it cannot resolve. You can enter multiple suffixes by separating them with commas.
HIP Notification Tab
Select Network > GlobalProtect > Gateways > Agent > HIP Notification to define the notification messages that end users see when a security rule with a host information profile (HIP) is enforced.
These options are available only if you created HIP Profiles and added them to your security policies.
GlobalProtect Client HIP Notification Configuration Settings  Description
HIP Notification: Add HIP Notifications and configure the options. You can Enable notifications for the Match Message, the Not Match Message, or both, and then specify whether to Show Notification As a System Tray Balloon or a Pop Up Message. Then specify the message to match or not match.
Use these settings to notify the end user about the state of the machine, such as a warning message that the host system does not have a required application installed. For the Match Message, you can also enable the option to Include Mobile App List to indicate what applications triggered the HIP match.
You can format HIP notification messages in rich HTML, which can include links to external websites and resources. Click the hyperlink icon in the rich text settings toolbar to add links.
Satellite Configuration Tab
A satellite is a Palo Alto Networks firewall, typically at a branch office, that acts as a GlobalProtect agent to enable it to establish VPN connectivity to a GlobalProtect gateway. Select Network > GlobalProtect > Gateways > Satellite Configuration to define the gateway tunnel and network settings that enable the satellites to establish VPN connections with it. You can also configure routes advertised by the satellites.
Tunnel Settings tab
Network Settings tab
Route Filter tab
GlobalProtect Gateway Satellite Configuration Settings  Description
Inheritance Source: Select a source to propagate DNS server and other settings from the selected DHCP client or PPPoE client interface into the GlobalProtect satellite configuration. With this setting, all network configuration, such as DNS servers, is inherited from the configuration of the interface selected in the Inheritance Source.
Primary DNS / Secondary DNS: Enter the IP addresses of the primary and secondary servers that provide DNS to the satellites.
DNS Suffix: Click Add to enter a suffix that the satellite should use locally when an unqualified hostname is entered that it cannot resolve. You can enter multiple suffixes by separating them with commas.
Inherit DNS Suffix: Select this option to send the DNS suffix to the satellites to use locally when an unqualified hostname is entered that it cannot resolve.
IP Pool: Add a range of IP addresses to assign to the tunnel interface on satellites upon establishment of the VPN tunnel. You can specify IPv6 or IPv4 addresses.
The IP pool must be large enough to support all concurrent connections. IP address assignment is dynamic and not retained after the satellite disconnects. Configuring multiple ranges from different subnets allows the system to offer satellites an IP address that does not conflict with other interfaces on the satellites.
The servers and routers in the networks must route the traffic for this IP pool to the firewall. For example, for the 192.168.0.0/16 network, a satellite can be assigned the address 192.168.0.10.
If you are using dynamic routing, make sure that the IP address pool you designate for satellites does not overlap with the IP addresses you manually assigned to the tunnel interfaces on your gateways and satellites.
Access Route: Click Add and then enter routes as follows:
If you want to route all traffic from the satellites through the tunnel, leave this field blank.
To route only some traffic through the gateway (called split tunneling), specify the destination subnets that must be tunneled. In this case, the satellite routes traffic that is not destined for a specified access route by using its own routing table. For example, you can choose to tunnel only the traffic destined for your corporate network and use the local satellite to enable safe Internet access.
If you want to enable routing between satellites, enter the summary route for the network protected by each satellite.
Network > GlobalProtect > MDM
If you are using a Mobile Security Manager to manage end-user mobile devices and you are using HIP-enabled policy enforcement, you must configure the gateway to communicate with the Mobile Security Manager to retrieve the HIP reports for the managed devices.
For more detailed information on setting up the GlobalProtect Mobile Security Manager service, refer to Set Up the GlobalProtect Mobile Security Manager in the GlobalProtect Administrator's Guide, Version 6.2. For detailed step-by-step instructions for setting up the gateway to retrieve the HIP reports on the GlobalProtect Mobile Security Manager, refer to Enable Gateway Access to the GlobalProtect Mobile Security Manager.
Add MDM information for the Mobile Security Manager to enable the gateway to communicate with the Mobile Security Manager.
GlobalProtect MDM Settings  Description
Name: Enter a name for the Mobile Security Manager (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location: For a firewall that is in multiple virtual system mode, the Location is the virtual system (vsys) where the Mobile Security Manager is available. For a firewall that is not in multi-vsys mode, the Location field does not appear in the MDM dialog. After you save the Mobile Security Manager, you cannot change its Location.
Connection Settings
Server: Enter the IP address or FQDN of the interface on the Mobile Security Manager where the gateway connects to retrieve HIP reports. Ensure that you have a service route to this interface.
Connection Port: The connection port is where the Mobile Security Manager listens for HIP report requests. The default port is 5008, which is the same port on which the GlobalProtect Mobile Security Manager listens. If you are using a third-party Mobile Security Manager, enter the port number on which that server listens for HIP report requests.
Client Certificate: Choose the client certificate for the gateway to present to the Mobile Security Manager when it establishes an HTTPS connection. This certificate is required only if the Mobile Security Manager is configured to use mutual authentication.
Trusted Root CA: Click Add and then select the root CA certificate that was used to issue the certificate for the interface where the gateway connects to retrieve HIP reports. (This server certificate can be different from the certificate issued for the device check-in interface on the Mobile Security Manager.) You must import the root CA certificate and add it to this list.
Network > GlobalProtect > Block List
Device Block List Settings  Description
Name: Enter a name for the device block list (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location: For a firewall that is in multiple virtual system mode, the Location is the virtual system (vsys) where the GlobalProtect gateway is available. For a firewall that is not in multi-vsys mode, the Location field does not appear in the GlobalProtect Gateway dialog. After you save the gateway configuration, you cannot change the Location.
Host ID: Enter the unique ID that identifies the client, a combination of hostname and unique device ID. For each Host ID, specify the corresponding Hostname.
Hostname: Enter a hostname to identify the device (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Network > GlobalProtect > Clientless Apps
Clientless Apps Settings  Description
Name: Enter a descriptive name for the application (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location: For a firewall that is in multiple virtual system mode, the Location is the virtual system (vsys) where the GlobalProtect gateway is available. For a firewall that is not in multi-vsys mode, the Location field does not appear in the GlobalProtect Gateway dialog. After you save the gateway configuration, you cannot change the Location.
Application Home URL: Enter the URL where the application is located (up to 4095 characters).
Application Description: (Optional) Enter a description of the application (up to 255 characters). Use only letters, numbers, spaces, hyphens, and underscores.
Application Icon: (Optional) Upload an icon to identify the application on the published application page. You can browse to upload the icon.
Network > GlobalProtect > Clientless App Groups
Clientless App Groups Settings  Description
Name: Enter a descriptive name for the application group (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens, and underscores.
Location: For a firewall that is in multiple virtual system mode, the Location is the virtual system (vsys) where the GlobalProtect gateway is available. For a firewall that is not in multi-vsys mode, the Location field does not appear in the GlobalProtect Gateway dialog. After you save the gateway configuration, you cannot change the Location.
Applications: Add an Application from the drop-down or configure a new clientless application and add it to the group. To configure a new clientless application, refer to Network > GlobalProtect > Clientless Apps.
Objects > GlobalProtect > HIP Objects
General Tab
HIP Object General Settings  Description
Name: Enter a name for the HIP object (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Shared: If you select Shared, the current HIP object becomes available to:
- Every virtual system (vsys) on the firewall, if you are logged in to a firewall that is in multiple virtual system mode. If you clear this selection, the object will be available only to the vsys selected in the Virtual System drop-down of the Objects tab. For a firewall that is not in multi-vsys mode, this option is not available in the HIP Object dialog.
- All device groups on Panorama. If you clear this selection, the object will be available only to the device group selected in the Device Group drop-down of the Objects tab.
After you save the object, you cannot change its Shared setting. Select Objects > GlobalProtect > HIP Objects to see the current Location.
Description: (Optional) Enter a description.
Disable override (Panorama only): Controls override access to the HIP object in the device groups that are descendants of the Device Group selected in the Objects tab. Select this option to prevent administrators from creating local copies of the object in descendant device groups by overriding its inherited values. This option is cleared by default (override is enabled).
Host Info: Select this option to activate the options for configuring the host information.
Domain: To match on a domain name, choose an operator from the drop-down and enter a string to match.
OS: To match on a host OS, choose Contains from the first drop-down, select a vendor from the second drop-down, and then select an OS version from the third drop-down; or you can select All to match on any OS version from the selected vendor.
Client Versions: To match on a specific version number, select an operator from the drop-down and then enter a string to match (or not match) in the text box.
Host Name: To match on a specific hostname or part of a hostname, select an operator from the drop-down and then enter a string to match (or not match, depending on what operator you selected) in the text box.
Host ID: The host ID is a unique ID that GlobalProtect assigns to identify the host. The host ID value varies by device type:
- Windows: Machine GUID stored in the Windows registry (HKEY_Local_Machine\Software\Microsoft\Cryptography\MachineGuid)
- macOS: MAC address of the first built-in physical network interface
- Android: Android ID
- iOS: UDID
- Chrome: GlobalProtect-assigned unique alphanumeric string with a length of 32 characters
To match on a specific host ID, select the operator from the drop-down and then enter a string to match (or not match, depending on what operator you selected) in the text box.
Network: Use this field to enable filtering on a specific mobile device network configuration. This match criterion applies to mobile devices only.
Select an operator from the drop-down and then select the type of network connection to filter on from the second drop-down: Wifi, Mobile, Ethernet (available only for Is Not filters), or Unknown. After you select a network type, enter any additional strings to match on, if available, such as the Mobile Carrier or Wifi SSID.
Mobile Device Tab
HIP Object Mobile Device Settings  Description
Mobile Device: Select this option to enable filtering on host data collected from mobile devices that are running the GlobalProtect app and to enable the Device, Settings, and Apps tabs.
Settings tab:
- Passcode: Filter based on whether the device has a passcode set. To match devices that have a passcode set, select Yes. To match devices that do not have a passcode set, select No.
Device
- Managed: Filter based on whether the device is managed by an MDM. To match devices that are managed, select Yes. To match devices that are not managed, select No.
- Rooted/Jailbroken: Filter based on whether the device has been rooted or jailbroken. To match devices that have been rooted or jailbroken, select Yes. To match devices that have not been rooted or jailbroken, select No.
- Disk Encryption: Filter based on whether the device data has been encrypted. To match devices that have disk encryption enabled, select Yes. To match devices that do not have disk encryption enabled, select No.
- Time Since Last Check-in: Filter based on when the device last checked in with the MDM. Select an operator from the drop-down and then specify the number of days for the check-in window. For example, you could define the object to match devices that have not checked in within the last 5 days.
Apps tab:
- Apps (Android devices only): Select this option to enable filtering based on the apps that are installed on the device and whether or not the device has any malware-infected apps installed.
Criteria tab:
- Has Malware: Select Yes to match devices that have malware-infected apps installed. Select No to match devices that do not have malware-infected apps installed. Select None to not use Has Malware as match criteria.
Include tab:
- Package: To match devices that have specific apps installed, Add an app and enter the unique app name in reverse DNS format (for example, com.netflix.mediaclient), and then enter the corresponding app Hash, which the GlobalProtect app calculates and submits with the device HIP report.
Patch Management Tab
HIP Object Patch Management Settings  Description
Patch Management: Select this option to enable matching on the patch management status of the host and enable the Criteria and Vendor tabs.
Criteria tab: Specify the following settings:
- Is Installed: Match on whether patch management software is installed on the host.
- Is Enabled: Match on whether patch management software is enabled on the host. If the Is Installed selection is cleared, this field is automatically set to none and is disabled for editing.
- Severity: Select from the list of logical operators for matching on whether the host has missing patches of the specified severity number.
- Check: Match on whether the endpoint has missing patches.
- Patches: Match on whether the host has specific patches. Click Add and enter file names for the specific patch names to check for.
Vendor tab: Define specific vendors of patch management software and products to look for on the endpoint to determine a match. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings.
Firewall Tab
HIP Object Firewall Settings
Select Firewall to enable matching on the firewall software status of the host:
- Is Installed: Match on whether firewall software is installed on the host.
- Is Enabled: Match on whether firewall software is enabled on the host. If the Is Installed selection is cleared, this field is automatically set to none and is disabled for editing.
- Vendor and Product: Define specific firewall software vendors and/or products to look for on the host to determine a match. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings.
- Exclude Vendor: Select this option to match hosts that do not have software from the specified vendor.
Antivirus Tab
HIP Object Antivirus Settings
Select Antivirus to enable matching on the antivirus coverage on the host and then define additional matching criteria for the match as follows:
- Is Installed: Match on whether antivirus software is installed on the host.
- Real Time Protection: Match on whether real-time antivirus protection is enabled on the host. If the Is Installed selection is cleared, this field is automatically set to None and is disabled for editing.
- Virus Definition Version: Match when the virus definitions have been updated within a specified number of days or release versions.
- Product Version: Match a specific version of the antivirus software. To specify a version, select an operator from the drop-down and then enter a string representing the product version.
- Last Scan Time: Match on the time that the last antivirus scan was run. Select an operator from the drop-down and then specify a number of Days or Hours to match against.
- Vendor and Product: Define specific antivirus software vendors and/or products to look for on the host to determine a match. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings.
- Exclude Vendor: Select this option to match hosts that do not have software from the specified vendor.
Anti-Spyware Tab
HIP Object Anti-Spyware Settings
Select Anti-Spyware to enable matching on the anti-spyware coverage on the host and then define additional matching criteria for the match as follows:
- Real Time Protection: Match on whether real-time anti-spyware protection is enabled on the host. If the Is Installed selection is cleared, this field is automatically set to none and is disabled for editing.
- Is Installed: Match on whether anti-spyware software is installed on the host.
- Virus Definition Version: Select an operator from the list and then enter the versions of virus definition to match. If the operator is Within or Not Within, specify a number of days or release versions.
- Product Version: Select an operator from the list and then enter the product version to match a specific version of anti-spyware software.
- Last Scan Time: Specify whether to match based on the time that the last anti-spyware scan ran. Select an operator and then specify a number of Days or Hours to match.
- Vendor and Product: Define specific anti-spyware software vendors or products to look for on the host to determine a match. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings.
- Exclude Vendor: Select this option to match hosts that do not have software from the specified vendor.
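The Firewall, Antivirus and Anti-Spyware tabs above share the same Is Installed / Is Enabled (Real Time Protection) / Vendor and Product / Exclude Vendor criteria; here is an added example, not Palo Alto Networks code, that evaluates such criteria against a constructed HIP report. Two rules come from the guide (clearing Is Installed forces Is Enabled to none; Exclude Vendor matches hosts with no software from the listed vendors); how the remaining checks combine, and the vendor and product names in the sample report, are assumptions.

```python
from dataclasses import dataclass, field, replace
from typing import List, Optional, Tuple


@dataclass
class SoftwareCriteria:
    """One software category tab of a HIP object (Firewall, Antivirus, ...)."""
    is_installed: bool = False                 # the Is Installed checkbox
    is_enabled: Optional[bool] = None          # Is Enabled / Real Time Protection: True, False, or None ("none")
    vendors: List[Tuple[str, Optional[str]]] = field(default_factory=list)  # (Vendor, Product or None for any)
    exclude_vendor: bool = False               # the Exclude Vendor option


@dataclass
class ReportedProduct:
    """One product as reported in the endpoint's HIP report (constructed)."""
    vendor: str
    product: str
    enabled: bool


def normalize(c: SoftwareCriteria) -> SoftwareCriteria:
    """Mirror the dialog rule: with Is Installed cleared, Is Enabled is none."""
    if not c.is_installed and c.is_enabled is not None:
        return replace(c, is_enabled=None)
    return c


def _from_listed_vendors(c: SoftwareCriteria, products):
    return [p for p in products
            if any(p.vendor == v and (prod is None or p.product == prod)
                   for v, prod in c.vendors)]


def hip_match(criteria: SoftwareCriteria, products) -> bool:
    """True if the reported products satisfy the criteria.

    Assumption: when vendors are listed without Exclude Vendor, the installed
    and enabled checks are evaluated only over products from those vendors.
    """
    c = normalize(criteria)
    candidates = list(products)
    if c.vendors:
        listed = _from_listed_vendors(c, products)
        if c.exclude_vendor:
            if listed:
                return False      # host has software from an excluded vendor
        else:
            candidates = listed
    if c.is_installed and not candidates:
        return False
    if c.is_enabled is True and not any(p.enabled for p in candidates):
        return False
    if c.is_enabled is False and any(p.enabled for p in candidates):
        return False
    return True


# Constructed sample: require an enabled Microsoft host firewall.
REQUIRE_MS_FIREWALL = SoftwareCriteria(is_installed=True, is_enabled=True,
                                       vendors=[("Microsoft", None)])
# Constructed sample: match only hosts without any AcmeFW product.
NO_ACME_FIREWALL = SoftwareCriteria(vendors=[("AcmeFW", None)], exclude_vendor=True)

HOST_OK = [ReportedProduct("Microsoft", "Windows Defender Firewall", True)]
HOST_DISABLED = [ReportedProduct("Microsoft", "Windows Defender Firewall", False)]
HOST_ACME = [ReportedProduct("AcmeFW", "Acme Personal Firewall", True)]


if __name__ == "__main__":
    for name, host in (("ok", HOST_OK), ("disabled", HOST_DISABLED), ("acme", HOST_ACME)):
        print(name, hip_match(REQUIRE_MS_FIREWALL, host), hip_match(NO_ACME_FIREWALL, host))
```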
Disk Backup Tab
Select Objects > GlobalProtect > HIP Objects > Disk Backup to enable HIP matching based on the disk backup status of the GlobalProtect clients.
HIP Object Disk Backup Settings
Select Disk Backup to enable matching on the disk backup status on the host and then define additional matching criteria for the match as follows:
- Is Installed: Match on whether disk backup software is installed on the host.
- Last Backup Time: Specify whether to match based on the time that the last disk backup was run. Select an operator from the drop-down and then specify a number of Days or Hours to match against.
- Vendor and Product: Define specific disk backup software vendors and products to match on the host. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings.
- Exclude Vendor: Select this option to match hosts that do not have software from the specified vendor.
Disk Encryption Tab
Select Objects > GlobalProtect > HIP Objects > Disk Encryption to enable HIP matching based on the disk encryption status of the GlobalProtect clients.
HIP Object Disk Encryption Settings  Description
Criteria: Specify the following settings:
- Is Installed: Match on whether disk encryption software is installed on the host.
- Encrypted Locations: Click Add to specify the drive or path to check for disk encryption when determining a match:
  - Encrypted Locations: Enter specific locations to check for encryption on the host.
  - State: Specify how to match the state of the encrypted location by choosing an operator from the drop-down and then selecting a possible state (full, none, partial, not-available).
  Click OK to save the settings.
Vendor: Define specific disk encryption software vendors and products to match on the endpoint. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings and return to the Disk Encryption tab.
Data Loss Prevention Tab
Select Objects > GlobalProtect > HIP Objects > Data Loss Prevention to configure HIP matching that is based on whether the GlobalProtect clients are running data loss prevention software.
HIP Object Data Loss Prevention Settings
Custom Checks Tab
Select Objects > GlobalProtect > HIP Objects > Custom Checks to enable HIP matching on any custom checks you have defined on the GlobalProtect portal. For details on adding the custom checks to the HIP collection, see Network > GlobalProtect > Portals.
HIP Object Custom Checks Settings  Description
Process List: To check the host system for a specific process, click Add and then enter the process name. By default, the agent checks for running processes; if you just want to see if a specific process is present on the system even if not running, clear the Running selection.
Registry Key: To check Windows hosts for a specific registry key, click Add and enter the Registry Key to match. To match only the hosts that lack the specified registry key or the key's value, mark the Key does not exist or match the specified value data box.
To match on specific values, click Add and then enter the Registry Value and Value Data. To match hosts that explicitly do not have the specified value or value data, select Negate.
Click OK to save the settings.
Plist: To check Mac hosts for a specific entry in the property list (plist), click Add and enter the Plist name. To match only the hosts that do not have the specified plist, select Plist does not exist.
To match on a specific key-value pair within the plist, click Add and then enter the Key and the corresponding Value to match. To match hosts that explicitly do not have the specified key or value, select Negate.
Click OK to save the settings.
Objects > GlobalProtect > HIP Profiles
HIP Profile Settings  Description
Name: Enter a name for the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description: (Optional) Enter a description.
Shared: Select Shared to make the current HIP profile available to:
- Every virtual system (vsys) on the firewall, if you are logged in to a firewall that is in multiple virtual system mode. If you clear this selection, the profile is available only to the vsys selected in the Virtual System drop-down on the Objects tab. For a firewall that is not in multi-vsys mode, this option does not appear in the HIP Profile dialog.
- All device groups on Panorama. If you clear this selection, the profile is available only to the device group selected in the Device Group drop-down on the Objects tab.
After you save the profile, you cannot change its Shared setting. Select Objects > GlobalProtect > HIP Profiles to view the current Location.
Disable override (Panorama only): Controls override access to the HIP profile in device groups that are descendants of the Device Group selected in the Objects tab. Select this option if you want to prevent administrators from creating local copies of the profile in descendant device groups by overriding its inherited values. This option is cleared by default (override is enabled).
Device > GlobalProtect Client
What are you looking for?  See:
View more information about the GlobalProtect agent software releases.  Managing the GlobalProtect Agent Software
Install the GlobalProtect agent software.  Setting Up the GlobalProtect Agent
Use the GlobalProtect agent software.  Using the GlobalProtect Agent
Looking for more?  For detailed, step-by-step instructions on setting up the GlobalProtect client software, refer to Deploy the GlobalProtect Client Software in the GlobalProtect Administrator's Guide.
Managing the GlobalProtect Agent Software
For the initial download and installation of the GlobalProtect agent, the user of the client endpoint must be logged in with administrator rights. For subsequent upgrades, administrator rights are not required.
GlobalProtect Client Settings  Description
Version: This is the version number of the GlobalProtect agent software that is available on the Palo Alto Networks Update Server. To see if a new agent software release is available from Palo Alto Networks, click Check Now. The firewall uses its service route to connect to the Update Server to determine if new versions are available and displays them at the top of the list.
Size: The size of the agent software bundle.
Release Date: The date and time Palo Alto Networks made the release available.
Downloaded: A check mark in this column indicates that the corresponding version of the agent software package has been downloaded to the firewall.
Currently Activated: A check mark in this column indicates that the corresponding version of the agent software package has been activated on the firewall and can be downloaded by connecting agents. Only one version of the software can be activated at a time.
Action: Indicates the current action you can take for the corresponding agent software package, as follows:
- Download: The corresponding agent software version is available on the Palo Alto Networks Update Server. Click Download to initiate the download. If the firewall does not have access to the Internet, use an Internet-connected computer to go to the Software Update site to look for and Download new agent software versions to your local computer. Then manually Upload the agent software to the firewall.
- Activate: The corresponding agent software version has been downloaded to the firewall, but agents cannot yet download it. Click Activate to activate the software and enable agent upgrade. To activate a software update you manually uploaded to the firewall, click Activate From File and select the version you want to activate from the drop-down (you may need to refresh the screen for it to show as Currently Activated).
- Reactivate: The corresponding agent software has been activated and is ready for the client to download. Because only one version of the GlobalProtect agent software can be active on the firewall at one time, if your end users require access to a different version than is currently active, you have to Activate the other version to make it the Currently Active version.
Release Note: Provides a link to the GlobalProtect release notes for the corresponding agent version.
Remove the previously downloaded agent software image from the firewall.
Setting Up the GlobalProtect Agent
The GlobalProtect agent (PanGPAgent) is an application that is installed on the client system (typically a laptop) to support GlobalProtect connections with portals and gateways and is supported by the GlobalProtect service (PanGPService).
Be sure to choose the correct installation option for your host operating system (32-bit or 64-bit). If you are installing on a 64-bit host, use the 64-bit browser and Java combination for the initial installation.
To install the agent, open the installer file and follow the on-screen instructions.
Using the GlobalProtect Agent
The tabs in the GlobalProtect agent contain useful information about status and settings and provide information to assist in troubleshooting connection issues.
- Home tab: Allows users to change the portal IP address or hostname and enter their authentication credentials. Also displays current connection status and lists any warnings or errors.
- Details tab: Displays information about the current connection, including portal IP addresses and protocol, and presents byte and packet statistics about the network connection.
- Host State tab: Displays the information stored in the HIP. Click a category on the left side of the window to display the configured information for that category on the right side of the window.
- Troubleshooting tab: Displays information to assist in troubleshooting.
  - Network Configurations: Displays the current client system configuration.
  - Routing Table: Displays information on how the GlobalProtect connection is currently routed.
  - Sockets: Displays socket information for the current active connections.
  - Logs: Allows the user to display logs for the GlobalProtect agent (PanGPAgent) and service (PanGPService). Choose the log type and debugging level. Click Start to begin logging and Stop to terminate logging.
See the Panorama Administrator's Guide for details on setting up and using Panorama for centralized management.
Use the Panorama Web Interface
The web interface on both Panorama and the firewall has the same look and feel. However, the Panorama web interface includes additional options and a Panorama-specific tab for managing Panorama and for using Panorama to manage firewalls and Log Collectors.
The following common fields appear in the header or footer of several Panorama web interface pages.
Common Field / Description
Context: You can use the Context drop-down above the left-side menu to switch between the Panorama web interface and a firewall web interface (see Context Switch).
Refresh: In the Dashboard and Monitor tabs, click refresh in the tab header to manually refresh data in those tabs. You can also use the unlabeled drop-down on the right side of the tab header to select an automatic refresh interval in minutes (1 min, 2 mins, or 5 mins); to disable automatic refreshing, select Manual.
Template: A template is a group of firewalls with common network and device settings, and a template stack is a combination of templates (see Panorama > Templates). In the Network and Device tabs, you configure settings for a specific Template or template stack. Because you can edit settings only within individual templates, the settings in these tabs are read-only if you select a template stack.
The Panorama tab provides the following pages for managing Panorama and Log Collectors.
Panorama Pages / Description
High Availability: Enables you to configure high availability (HA) for a pair of Panorama management servers. Select Panorama > High Availability.
Config Audit: Enables you to see the differences between configuration files. Select Device > Config Audit.
Password Profiles: Enables you to define password profiles for Panorama administrators. Select Device > Password Profiles.
Administrators: Enables you to configure Panorama administrator accounts. Select Panorama > Administrators.
If an administrator account is locked out, the Administrators page displays a lock in the Locked User column. You can click the lock to unlock the account.
Admin Roles: Enables you to define administrative roles, which control the privileges and responsibilities of administrators who access Panorama. Select Panorama > Admin Roles.
Access Domain: Enables you to control administrator access to device groups, templates, template stacks, and the web interface of firewalls. Select Panorama > Access Domains.
Authentication Profile: Enables you to specify a profile for authenticating access to Panorama. Select Device > Authentication Profile.
Authentication Sequence: Enables you to specify a series of authentication profiles to use for permitting access to Panorama. Select Device > Authentication Sequence.
User Identification: Enables you to configure Panorama to receive user mapping information from User-ID agents. Select Device > User Identification > User-ID Agents.
Managed Devices: Enables you to manage firewalls, which includes adding firewalls to Panorama as managed devices, displaying firewall connection and license status, tagging firewalls, updating firewall software and content, and loading configuration backups. Select Panorama > Managed Devices.
Templates: Enables you to manage configuration options in the Device and Network tabs. Templates and template stacks enable you to reduce the administrative effort of deploying multiple firewalls with the same or similar configurations. Select Panorama > Templates.
Device Groups: Enables you to configure device groups, which group firewalls based on function, network segmentation, or geographic location. Device groups can include physical firewalls, virtual firewalls, and virtual systems.
Typically, firewalls in a device group need similar policy configurations. Using the Policies and Objects tab on Panorama, device groups provide a way to implement a layered approach for managing policies across a network of managed firewalls.
You can nest device groups in a tree hierarchy of up to four levels. Descendant groups automatically inherit the policies and objects of ancestor groups and of the Shared location. Select Panorama > Device Groups.
Managed Collectors: Enables you to manage Log Collectors. Because you use Panorama to configure Log Collectors, they are also called managed collectors. A managed collector can be local to the Panorama management server (M-Series appliance or Panorama virtual appliance in Panorama mode) or a Dedicated Log Collector (M-Series appliance in Log Collector mode). Select Panorama > Managed Collectors.
You can also install Software Updates for Dedicated Log Collectors.
You can convert a Panorama management server to a Dedicated Log Collector.
Collector Groups: Enables you to manage Collector Groups. A Collector Group logically groups Log Collectors so you can apply the same configuration settings and assign firewalls to them. Panorama uniformly distributes the logs among all the disks in a Log Collector and across all members in the Collector Group. Select Panorama > Collector Groups.
Plugins: Enables you to manage plugins for third-party integration, such as VMware NSX. Select Panorama > VMware NSX.
VMware NSX: Enables you to automate provisioning of VM-Series firewalls by enabling communication between the NSX Manager and Panorama. Select Panorama > VMware NSX.
Certificate Management: Enables you to configure and manage certificates, certificate profiles, and keys. Select Manage Firewall and Panorama Certificates.
Log Settings: Enables you to forward logs to Simple Network Management Protocol (SNMP) trap receivers, syslog servers, email servers, and HTTP servers. Select Device > Log Settings.
Server Profiles: Enables you to configure profiles for the different server types that provide services to Panorama. Select any of the following to configure a specific server type:
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
Scheduled Config Export: Enables you to export Panorama and firewall configurations to an FTP server or Secure Copy (SCP) server on a daily basis. Select Panorama > Scheduled Config Export.
Software: Enables you to update Panorama software. Select Panorama > Software.
Dynamic Updates: Enables you to view the latest application definitions and information for new security threats, such as Antivirus signatures (threat prevention license required), and then update Panorama with the new definitions. Select Device > Dynamic Updates.
Support: Enables you to access product and security alerts from Palo Alto Networks. Select Device > Support.
Device Deployment: Enables you to deploy software and content updates to firewalls and Log Collectors. Select Panorama > Device Deployment.
Master Key and Diagnostics: Enables you to specify a master key to encrypt private keys on Panorama. By default, Panorama stores private keys in encrypted form even if you don't specify a new master key. Select Device > Master Key and Diagnostics.
Context Switch
In the header of every Panorama web interface page, you can use the Context drop-down above the left-side menu to switch between the Panorama web interface and a firewall web interface. When you select a firewall, the web interface refreshes to show all the pages and options for the selected firewall so that you can manage it locally. The drop-down displays only the firewalls to which you have administrative access (see Panorama > Access Domains) and that are connected to Panorama.
You can use the Filters to search for firewalls by Platforms (model), Device Groups, Templates, Tags, or HA Status. You can also enter a text string in the filter bar to search by Device Name.
The icons of firewalls that are in high availability (HA) mode will have colored backgrounds to indicate their HA state.
Panorama Commit Operations
Click Commit at the top right of the web interface and select an operation for pending changes to the Panorama configuration and changes that Panorama pushes to firewalls, Log Collectors, and WildFire clusters and appliances:
Commit > Commit to Panorama: Activates changes you made in the configuration of the Panorama management server. This action also commits device group, template, Collector Group, and WildFire cluster and appliance changes to the Panorama configuration without pushing the changes to firewalls, Log Collectors, or WildFire clusters and appliances. Committing just to the Panorama configuration enables you to save changes that are not ready for activation on the firewalls, Log Collectors, or WildFire clusters and appliances.
When pushing configurations to managed devices, Panorama 8.0 and later releases push the running configuration, which is the configuration that is committed to Panorama. Panorama 7.1 and earlier releases push the candidate configuration, which includes uncommitted changes. Therefore, Panorama 8.0 and later releases do not let you push changes to managed devices until you first commit the changes to Panorama.
The following options are available for committing, validating, or previewing configuration changes.
Field/Button / Description
Commit All Changes: Commits all changes for which you have administrative privileges (default). You cannot manually filter the scope of the configuration changes that Panorama commits when you select this option. Instead, the administrator role assigned to the account you used to log in determines the commit scope:
- Superuser role: Panorama commits the changes of all administrators.
- Custom role: The privileges of the Admin Role profile assigned to your account determine the commit scope (see Panorama > Admin Roles). If the profile includes the privilege to Commit For Other Admins, Panorama commits changes configured by any and all administrators. If your Admin Role profile does not include the privilege to Commit For Other Admins, Panorama commits only your changes and not those of other administrators.
If you have implemented access domains, Panorama automatically applies those domains to filter the commit scope (see Panorama > Access Domains). Regardless of your administrative role, Panorama commits only the configuration changes in the access domains assigned to your account.
Commit Changes Made By: Filters the scope of the configuration changes Panorama commits. The administrative role assigned to the account you used to log in determines your filtering options:
- Superuser role: You can limit the commit scope to changes that specific administrators made and to changes in specific locations.
- Custom role: The privileges of the Admin Role profile assigned to your account determine your filtering options (see Panorama > Admin Roles). If the profile includes the privilege to Commit For Other Admins, you can limit the commit scope to changes configured by specific administrators and to changes in specific locations. If your Admin Role profile does not include the privilege to Commit For Other Admins, you can limit the commit scope only to the changes you made in specific locations.
Filter the commit scope as follows:
- Filter by administrator: Even if your role allows committing the changes of other administrators, the commit scope includes only your changes by default. To add other administrators to the commit scope, click the <usernames> link, select the administrators, and click OK.
- Filter by location: Select the specific locations for changes to Include in Commit.
If you have implemented access domains, Panorama automatically filters the commit scope based on those domains (see Panorama > Access Domains). Regardless of your administrative role and your filtering choices, the commit scope includes only the configuration changes in the access domains assigned to your account.
After you load a configuration (Device > Setup > Operations), you must Commit All Changes.
When you commit changes to a device group, you must include the changes of all administrators who added, deleted, or repositioned rules for the same rulebase in that device group.
Commit Scope: Lists the locations that have changes to commit. Whether the list includes all changes or a subset of the changes depends on several factors, as described for Commit All Changes and Commit Changes Made By. The locations can be any of the following:
- shared-object: Settings that are defined in the Shared location.
- <device-group>: The name of the device group in which the policy rules or objects are defined.
- <template>: The name of the template or template stack in which the settings are defined.
- <log-collector-group>: The name of the Collector Group in which the settings are defined.
- <log-collector>: The name of the Log Collector in which the settings are defined.
- <wildfire-appliances>: The serial number of the WildFire appliance in which the settings are defined.
- <wildfire-appliance-clusters>: The name of the WildFire cluster in which the settings are defined.
Location Type: This column categorizes the locations of pending changes:
- Panorama: Settings that are specific to the Panorama management server configuration.
- Device Group: Settings that are defined in a specific device group.
- Template: Settings that are defined in a specific template or template stack.
- Log Collector Group: Settings that are specific to a Collector Group configuration.
- Log Collector: Settings that are specific to a Log Collector configuration.
- WildFire Appliance Clusters: Settings that are specific to a WildFire appliance cluster configuration.
- WildFire Appliances: Settings that are specific to a WildFire appliance.
- Other Changes: Settings that are not specific to any of the preceding configuration areas (such as shared objects).
Include in Commit (partial commit only): Enables you to select the changes you want to commit. By default, all changes within the Commit Scope are selected. This column displays only after you choose to Commit Changes Made By specific administrators.
There might be dependencies that affect the changes you include in a commit. For example, if you add an object and another administrator then edits that object, you cannot commit the change for the other administrator without also committing your own change.
Preview Changes: Enables you to compare the configurations you selected in the Commit Scope to the running configuration. The preview window uses color coding to indicate which changes are additions (green), modifications (yellow), or deletions (red).
To help you match the changes to sections of the web interface, you can configure the preview window to display Lines of Context before and after each change. These lines are from the files of the candidate and running configurations that you are comparing.
Because the preview results display in a new browser window, your browser must allow pop-ups. If the preview window does not open, refer to your browser documentation for the steps to allow pop-ups.
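The preview described above compares a candidate configuration against the running one and sorts each change into an addition, a modification, or a deletion, with a configurable number of context lines. The following Python script is an added example of the same comparison done offline; it is not Palo Alto Networks code and does not use the Panorama preview itself. The two XML fragments are constructed samples in the general shape of a PAN-OS configuration, not a real export, and the entry-indexing scheme (keying each leaf `<entry>` by its path) is this example's own convention.

```python
"""Candidate-vs-running configuration preview, in the spirit of Panorama's
Commit > Preview Changes. Added example, not Palo Alto Networks code.
The two configuration fragments below are constructed samples, not a real
PAN-OS export."""
import difflib
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: the running (committed) configuration.
RUNNING_CONFIG = """\
<config>
  <devices>
    <entry name="localhost.localdomain">
      <address>
        <entry name="web-01"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
        <entry name="db-01"><ip-netmask>10.1.2.20/32</ip-netmask></entry>
      </address>
      <service>
        <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
      </service>
    </entry>
  </devices>
</config>
"""

# Constructed sample: the candidate configuration with uncommitted edits:
# web-01 modified, db-01 deleted, app-01 added, tcp-8443 untouched.
CANDIDATE_CONFIG = """\
<config>
  <devices>
    <entry name="localhost.localdomain">
      <address>
        <entry name="web-01"><ip-netmask>10.1.1.11/32</ip-netmask></entry>
        <entry name="app-01"><ip-netmask>10.1.3.30/32</ip-netmask></entry>
      </address>
      <service>
        <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
      </service>
    </entry>
  </devices>
</config>
"""


def _canonical(elem: ET.Element) -> str:
    """Serialize an element with insignificant whitespace removed, so that
    only real value changes count as modifications."""
    for node in elem.iter():
        node.text = (node.text or "").strip() or None
        node.tail = (node.tail or "").strip() or None
    return ET.tostring(elem, encoding="unicode")


def index_entries(config_xml: str) -> Dict[str, str]:
    """Map every leaf <entry name="..."> (one with no nested entries) to its
    canonical content, keyed by its path, e.g.
    'config/devices/localhost.localdomain/address/web-01'."""
    index: Dict[str, str] = {}

    def walk(node: ET.Element, path: str) -> None:
        for child in list(node):
            if child.tag == "entry" and "name" in child.attrib:
                key = f"{path}/{child.attrib['name']}"
                if child.find(".//entry") is None:
                    index[key] = _canonical(child)
                else:
                    walk(child, key)
            else:
                walk(child, f"{path}/{child.tag}")

    root = ET.fromstring(config_xml)
    walk(root, root.tag)
    return index


def classify_changes(running_xml: str, candidate_xml: str) -> Dict[str, List[str]]:
    """Return the entries the preview would color green (added), yellow
    (modified) and red (deleted)."""
    before, after = index_entries(running_xml), index_entries(candidate_xml)
    return {
        "added": sorted(k for k in after if k not in before),
        "modified": sorted(k for k in after if k in before and before[k] != after[k]),
        "deleted": sorted(k for k in before if k not in after),
    }


def preview_diff(running_xml: str, candidate_xml: str, lines_of_context: int = 2) -> str:
    """Line-oriented view with N lines of context before and after each change,
    like the Lines of Context setting in the preview window."""
    return "\n".join(difflib.unified_diff(
        running_xml.splitlines(), candidate_xml.splitlines(),
        fromfile="running", tofile="candidate", n=lines_of_context, lineterm=""))


if __name__ == "__main__":
    for kind, keys in classify_changes(RUNNING_CONFIG, CANDIDATE_CONFIG).items():
        print(kind, keys)
    print(preview_diff(RUNNING_CONFIG, CANDIDATE_CONFIG, lines_of_context=1))
```

Keying on named entries rather than raw lines is what lets the script tell a deleted `db-01` and an added `app-01` apart; a plain line diff of the same fragment reports the pair only as two modified lines.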
Change Summary: Lists the individual settings for which you are committing changes. The Change Summary list displays the following information for each setting:
- Object Name: The name that identifies the policy, object, network setting, or device setting.
- Type: The type of setting (such as Address, Security rule, or Zone).
- Location Type: Indicates whether the setting is defined in Device Groups, Templates, Collector Groups, WildFire Appliances, or WildFire Appliance Clusters.
- Location: The name of the device group, template, Collector Group, WildFire cluster, or WildFire appliance where the setting is defined. The column displays Shared for settings that are not defined in these locations.
- Operations: Indicates every operation (create, edit, or delete) performed on the setting since the last commit.
- Owner: The administrator who made the last change to the setting.
- Will Be Committed: Indicates whether the commit will include the setting.
- Previous Owners: Administrators who made changes to the setting before the last change.
Optionally, you can Group By column name (such as Type).
Validate Commit: Validates whether the Panorama configuration has correct syntax and is semantically complete. The output includes the same errors and warnings that a commit would display, including rule shadowing and application dependency warnings. The validation process enables you to find and fix errors before you commit (it makes no changes to the running configuration). This is useful if you have a fixed commit window and want to be sure the commit will succeed without errors.
The following options apply when you push configuration changes to managed devices by selecting Commit > Push to Devices or Commit > Commit and Push.
Push Scope: Lists the locations that have changes to push. The locations that the scope includes by default depend on which of the following options you select:
- Commit > Commit and Push: The scope includes all locations with changes that require a Panorama commit.
- Commit > Push to Devices: The scope includes all locations associated with entities (firewalls, virtual systems, Log Collectors, WildFire clusters, WildFire appliances) that are Out of Sync with the Panorama running configuration (see Panorama > Managed Devices and Panorama > Managed Collectors for the synchronization status).
For both selections, Panorama filters the Push Scope by:
- Administrators: Panorama applies the same filters as for the Commit Scope (see Commit All Changes or Commit Changes Made By).
- Access domains: If you implemented access domains, Panorama automatically filters the Push Scope based on those domains (see Panorama > Access Domains). Regardless of your administrative role and your filtering choices, the scope includes the configuration changes only in access domains assigned to your account.
You can Edit Selections for the Push Scope instead of accepting the default locations.
Location Type: This column categorizes the locations of pending changes:
- Device Groups: Settings defined in a specific device group.
- Templates: Settings defined in a specific template or template stack.
- Log Collector Groups: Settings specific to a Collector Group configuration.
- WildFire Clusters: Settings specific to a WildFire cluster configuration.
- WildFire Appliances: Settings specific to a WildFire appliance configuration.
Entities: For each device group or template, this column lists the firewalls (by device name or serial number) or virtual systems (by name) included in the push operation.
If you push changes to a Collector Group, the operation includes all the Log Collectors that are members of the group, even though they are not listed.
Edit Selections: Click to select the entities to include in the push operation:
- Device Groups and Templates
- Log Collector Groups
- WildFire Appliances and Clusters
Panorama won't let you push changes that you did not yet commit to the Panorama configuration.
Filters: Filter the list of templates, template stacks, or device groups and the associated firewalls and virtual systems.
Name: Select the templates, template stacks, device groups, firewalls, or virtual systems to include in the push operation.
Last Commit State: Indicates whether the firewall and virtual system configurations are synchronized with the template or device group configurations in Panorama.
HA Status: Indicates the high availability (HA) state of the listed firewalls:
- Active: Normal traffic handling operational state.
- Passive: Normal backup state.
- Initiating: The firewall is in this state for up to 60 seconds after boot-up.
- Non-functional: Error state.
- Suspended: An administrator disabled the firewall.
- Tentative: For a link or path monitoring event in an active/active configuration.
Changes Pending (Panorama) Commit: Indicates whether a Panorama commit is (yes) or is not (no) required before you push changes to the selected firewalls and virtual systems.
Select All: Selects all entries in the list.
Deselect All: Deselects all entries in the list.
Expand All: Displays the firewalls and virtual systems assigned to templates, template stacks, or device groups.
Collapse All: Displays only the templates, template stacks, or device groups, not the firewalls or virtual systems assigned to them.
Group HA Peers: Groups firewalls that are peers in a high availability (HA) configuration. The resulting list displays the active firewall (or active-primary firewall in an active/active configuration) first and the passive firewall (or active-secondary firewall in an active/active configuration) in parentheses. This enables you to easily identify firewalls that are in HA mode. When pushing shared policies, you can push to the grouped pair instead of individual peers.
For HA peers in an active/passive configuration, consider adding both firewalls or their virtual systems to the same device group, template, or template stack so that you can push the configuration to both peers simultaneously.
Validate: Click to validate the configurations you are pushing to the selected firewalls and virtual systems. The Task Manager automatically opens to display the validation status.
Filter Selected: If you want the list to display only specific firewalls or virtual systems, select them and then select Filter Selected.
Merge with Candidate Config: (Selected by default) Merges the configuration changes pushed from Panorama with any pending configuration changes that administrators implemented locally on the target firewall. The push operation triggers PAN-OS to commit the merged changes. If you clear this selection, the commit excludes the candidate configuration on the firewall.
Clear this selection if you allow firewall administrators to commit changes locally on a firewall and you don't want to include those local changes when committing changes from Panorama.
Another best practice is to perform a configuration audit on the firewall to review any local changes before pushing changes from Panorama (see Device > Config Audit).
Include Device and Network Templates (Device Groups tab only): (Selected by default) Pushes both the device group changes and the associated template changes to the selected firewalls and virtual systems in a single operation. To push these changes as separate operations, clear this option.
Force Template Values: (Disabled by default) Overrides all local configuration settings and removes all objects on the selected firewalls that don't exist in the template or template stack or that are overridden in the local configuration. The push operation reverts all existing configuration on the firewall and ensures that the firewall inherits only the settings defined in the template or template stack.
Filters: Filter the list of WildFire appliances and clusters.
Name: Select the WildFire appliances and clusters to which Panorama will push changes.
Last Commit State: Indicates whether the WildFire appliance and cluster configurations are synchronized with Panorama.
Validate Device Group Push: Validates the configurations you are pushing to the device groups in the Push Scope list. The Task Manager automatically opens to display the validation status.
Validate Template Push: Validates the configurations you are pushing to the templates in the Push Scope list. The Task Manager automatically opens to display the validation status.
The following options apply when you commit the Panorama configuration or push changes to devices.
Description: Enter a description (up to 512 characters) to help other administrators understand what changes you made.
The System log for a commit event will truncate descriptions longer than 512 characters.
Commit/Push/Commit and Push: Starts the commit or, if other commits are pending, adds the commit request to the commit queue.
Defining Policies on Panorama
Device Groups on Panorama allow you to centrally manage policies on the firewalls. Policies defined on Panorama are created either as Pre Rules or Post Rules; Pre Rules and Post Rules allow you to create a layered approach in implementing policy.
Pre rules and Post rules can be defined in a shared context as shared policies for all managed firewalls or in a device group context to make them specific to a device group. Because Pre Rules and Post Rules are defined on Panorama and then pushed from Panorama to the managed firewalls, you can view the rules on the managed firewalls but can edit the Pre Rules and Post Rules only in Panorama.
- Pre Rules: Rules that are added to the top of the rule order and are evaluated first. You can use pre rules to enforce the Acceptable Use Policy for an organization; for example, to block access to specific URL categories or to allow DNS traffic for all users.
- Post Rules: Rules that are added at the bottom of the rule order and are evaluated after the pre rules and rules that are locally defined on the firewall. Post rules typically include rules to deny access to traffic based on the App-ID, User-ID, or Service.
- Default Rules: Rules that specify how the firewall handles traffic that does not match any Pre Rules, Post Rules, or local firewall rules. These rules are part of the predefined Panorama configuration. To Override and enable editing of select settings in these rules, see Overriding or Reverting a Security Policy Rule.
Preview Rules to view a list of all rules before you push the rules to the managed firewalls. Within each rulebase, the hierarchy of rules is visually demarcated for each device group (and managed firewall) to make it easier to scan through a large number of rules.
When you add or edit a rule in Panorama, a Target tab displays. You can use this tab to apply the rule to specific firewalls or descendant device groups of the Device Group (or Shared location) where the rule is defined. In the Target tab, Any is selected by default, which means the rule applies to all the firewalls and descendant device groups. To target specific firewalls or device groups, clear Any and select their names. To exclude specific firewalls or device groups, clear Any, select their names, and select Target to all but these specified devices. If the list of device groups and firewalls is long, you can apply Filters to search the entries by attributes (such as Platforms) or by a text string for matching names.
To create policies, see the relevant section for each rulebase:
- Policies > Security
- Policies > NAT
- Policies > QoS
- Policies > Policy Based Forwarding
- Policies > Decryption
- Policies > Application Override
- Policies > Authentication
- Policies > DoS Protection
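Two passages above describe behaviour that is easy to get wrong when pre rules, local rules and post rules are layered: the evaluation order (pre rules, then the firewall's local rules, then post rules, then the default rules) and the rule-shadowing warning that Validate Commit reports when an earlier rule makes a later one unreachable. The following Python model is an added example, not Palo Alto Networks code and not the firewall's actual matching engine: it is simplified to source zone, destination zone, application and user (the real check also covers addresses, services and other criteria), and all rules and sessions in it are constructed.

```python
"""Rule-order and shadowing model for a Panorama-managed rulebase. Added
example, not Palo Alto Networks code: a simplified model that checks only
zones, applications and users. All rules and sessions below are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

ANY = frozenset({"any"})
# Evaluation order on a managed firewall: Panorama pre rules, then the
# firewall's local rules, then Panorama post rules, then the default rules.
ORDER = {"pre": 0, "local": 1, "post": 2, "default": 3}
MATCH_FIELDS = ("source_zones", "dest_zones", "applications", "users")


@dataclass(frozen=True)
class Rule:
    name: str
    location: str          # "pre", "local", "post" or "default"
    source_zones: FrozenSet[str]
    dest_zones: FrozenSet[str]
    applications: FrozenSet[str]
    users: FrozenSet[str]
    action: str            # "allow" or "deny"


def effective_rulebase(rules: List[Rule]) -> List[Rule]:
    """Order rules as the firewall evaluates them; sorted() is stable, so the
    relative order inside each location is preserved."""
    return sorted(rules, key=lambda r: ORDER[r.location])


def rule_matches(rule: Rule, session: Dict[str, str]) -> bool:
    def hit(values: FrozenSet[str], value: str) -> bool:
        return values == ANY or value in values
    return (hit(rule.source_zones, session["from"]) and hit(rule.dest_zones, session["to"])
            and hit(rule.applications, session["app"]) and hit(rule.users, session["user"]))


def first_match(rulebase: List[Rule], session: Dict[str, str]) -> Optional[Rule]:
    """First-match semantics: the first rule whose criteria the session meets decides."""
    for rule in rulebase:
        if rule_matches(rule, session):
            return rule
    return None


def covers(outer: FrozenSet[str], inner: FrozenSet[str]) -> bool:
    """True if every value matched by inner is also matched by outer."""
    return outer == ANY or (inner != ANY and inner <= outer)


def shadowed_rules(rulebase: List[Rule]) -> Dict[str, str]:
    """Map each rule that can never match (an earlier rule covers all of its
    criteria) to the name of the rule shadowing it."""
    shadowed: Dict[str, str] = {}
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if all(covers(getattr(earlier, f), getattr(later, f)) for f in MATCH_FIELDS):
                shadowed[later.name] = earlier.name
                break
    return shadowed


# Constructed sample rules, deliberately listed out of evaluation order.
SAMPLE_RULES = [
    Rule("deny-p2p", "post", ANY, ANY, frozenset({"bittorrent"}), ANY, "deny"),
    Rule("local-allow-web", "local", frozenset({"trust"}), frozenset({"untrust"}),
         frozenset({"web-browsing", "ssl"}), ANY, "allow"),
    Rule("interzone-default", "default", ANY, ANY, ANY, ANY, "deny"),
    Rule("allow-dns", "pre", ANY, ANY, frozenset({"dns"}), ANY, "allow"),
    # A post rule that a local rule already allows: it can never match, which
    # is the situation the rule-shadowing warning exists to catch.
    Rule("deny-trust-web", "post", frozenset({"trust"}), frozenset({"untrust"}),
         frozenset({"web-browsing"}), ANY, "deny"),
]

if __name__ == "__main__":
    rulebase = effective_rulebase(SAMPLE_RULES)
    print([r.name for r in rulebase])
    session = {"from": "trust", "to": "untrust", "app": "web-browsing", "user": "alice"}
    print(first_match(rulebase, session).name)
    print(shadowed_rules(rulebase))
```

The `deny-trust-web` post rule illustrates why post rules are the wrong place for a deny that a firewall's local rule already allows: local rules sit above post rules in the order, so the deny is shadowed and the session is allowed. Moving the deny to a pre rule, or removing the local rule, is what the shadowing report points you at.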
Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
Panorama > Setup > Operations
By default, a Panorama virtual appliance in Legacy mode has a single disk partition for all data in which 10.89GB is allocated for log storage. Increasing disk size does not increase the log storage capacity; however, you can modify the log storage capacity using the following options:
- Network File System (NFS): The option to mount NFS storage is available only for a Panorama virtual appliance that is in Legacy mode and running on a VMware ESXi server. To mount NFS storage, select Storage Partition Setup in the Miscellaneous section, set the Storage Partition to NFS V3, and configure the settings as described in Table: NFS Storage Settings.
- Default internal storage: Revert to the default internal storage partition (applicable only to Panorama on an ESXi server or on the vCloud Air platform where you previously configured another virtual logging disk or mounted to an NFS). To revert to the default internal storage partition, select Storage Partition Setup in the Miscellaneous section and set the Storage Partition to Internal.
- Virtual logging disk: You can add another virtual disk (up to 8TB) for Panorama running on VMware ESXi version 5.5 and later releases or for Panorama running on the VMware vCloud Air platform. However, Panorama stops using the default 10.89GB log storage on the original disk and copies any existing logs to the new disk. (Earlier ESXi versions support only up to 2TB virtual disks.)
You must reboot Panorama after changing the storage partition settings: select Panorama > Setup > Operations and Reboot Panorama.
NFS storage is not available to the Panorama virtual appliance in Panorama mode or to M-Series appliances.
Table: NFS Storage Settings
Panorama Storage Partition Settings (NFS V3) / Description
Server: Specify the FQDN or IP address of the NFS server.
Log Directory: Specify the full path name of the directory where the logs will reside.
Protocol: Specify the protocol (UDP or TCP) for communication with the NFS server.
Port: Specify the port for communication with the NFS server.
Read Size: Specify the maximum size in bytes (range is 256 to 32,768) for NFS read operations.
Write Size: Specify the maximum size in bytes (range is 256 to 32,768) for NFS write operations.
Copy on Setup: Select to mount the NFS partition and copy any existing logs to the destination directory on the server when Panorama boots.
Test Logging Partitions: Select to perform a test that mounts the NFS partition and presents a success or failure message.
Panorama > Setup > Interfaces
The available interfaces vary based on the Panorama model.
To configure an interface, click the Interface Name and configure the settings described in the following table.
Always specify the IP address, netmask (for IPv4) or prefix length (for IPv6), and default gateway for the MGT interface. If you omit values for some settings (such as the default gateway), you can only access Panorama through the console port for future configuration changes. You cannot commit the configurations for other interfaces unless you specify all three settings.
Interface Settings / Description
Eth1/Eth2/Eth3/Eth4/Eth5: You must enable an interface to configure it. The exception is the MGT interface, which is enabled by default.
IP Address (IPv4): If your network uses IPv4, assign an IPv4 address to the interface.
Netmask (IPv4): If you assigned an IPv4 address to the interface, you must also enter a network mask (such as 255.255.255.0).
Default Gateway (IPv4): If you assigned an IPv4 address to the interface, you must also assign an IPv4 address to the default gateway (the gateway must be on the same subnet as the interface).
IPv6 Address/Prefix Length: If your network uses IPv6, assign an IPv6 address to the interface. To indicate the netmask, enter an IPv6 prefix length (such as 2001:400:f00::1/64).
Default IPv6 Gateway: If you assigned an IPv6 address to the interface, you must also assign an IPv6 address to the default gateway (the gateway must be on the same subnet as the interface).
Speed: Set the speed for the interface to 10Mbps, 100Mbps, 1Gbps, or 10Gbps (Eth4 and Eth5 only) at full or half duplex. Use the default auto-negotiate setting to have Panorama determine the interface speed.
This setting must match the interface settings on neighboring network equipment. To ensure matching settings, select auto-negotiate if the neighboring equipment supports that option.
MTU: Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576 to 1,500; default is 1,500).
- HTTPS: Enables secure access to the Panorama web interface.
- Telnet: Enables access to the Panorama CLI. Telnet uses plain text, which is not as secure as SSH.
Enable SSH instead of Telnet for management traffic on the interface.
- SSH: Enables secure access to the Panorama CLI.
- SNMP: Enables Panorama to process statistics queries from an SNMP manager. For details, see Enable SNMP Monitoring.
- User-ID: Enables Panorama to redistribute user mapping information received from User-ID agents.
Permitted IP Addresses: Enter the IP addresses from which administrators can access Panorama on this interface. An empty list (default) specifies that access is available from any IP address.
Do not leave this list blank; specify the IP addresses of Panorama administrators (only) to prevent unauthorized access.
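The interface table above carries several rules that are worth checking before a commit: an IPv4 address needs its netmask and a gateway on the same subnet, the MTU must lie in the 576 to 1,500 range, Telnet should give way to SSH, and an empty Permitted IP Addresses list means management access from anywhere. The following Python script is an added example of those checks applied to a plain settings dictionary; it is not Palo Alto Networks code, does not read the appliance's configuration, and the key names and both sample dictionaries (a weak MGT setup and its corrected form) are this example's own constructions.

```python
"""Sanity checks for Panorama management interface settings, covering the
requirements and caveats in the Panorama > Setup > Interfaces table. Added
example, not Palo Alto Networks code; it reads a plain dictionary with
example-specific key names, and both settings dictionaries are constructed."""
import ipaddress
from typing import Dict, List

MTU_MIN, MTU_MAX = 576, 1500


def check_interface(settings: Dict) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    name = settings.get("name", "?")
    v4, mask, gw4 = (settings.get("ipv4_address"), settings.get("ipv4_netmask"),
                     settings.get("ipv4_default_gateway"))
    v6, gw6 = settings.get("ipv6_address_prefix"), settings.get("ipv6_default_gateway")

    if name == "MGT" and not (v4 or v6):
        findings.append("MGT: no IP address configured")

    # IPv4: address, netmask and default gateway go together, and the gateway
    # must sit on the interface's own subnet.
    if v4:
        if not mask:
            findings.append(f"{name}: IPv4 address set but netmask missing")
        elif not gw4:
            findings.append(f"{name}: IPv4 default gateway missing (console-only access)")
        else:
            net = ipaddress.IPv4Network(f"{v4}/{mask}", strict=False)
            if ipaddress.IPv4Address(gw4) not in net:
                findings.append(f"{name}: IPv4 gateway {gw4} is not on subnet {net}")

    # IPv6: the prefix length carries the netmask; same gateway rule.
    if v6:
        iface = ipaddress.IPv6Interface(v6)
        if not gw6:
            findings.append(f"{name}: IPv6 default gateway missing")
        elif ipaddress.IPv6Address(gw6) not in iface.network:
            findings.append(f"{name}: IPv6 gateway {gw6} is not on subnet {iface.network}")

    mtu = settings.get("mtu", MTU_MAX)
    if not MTU_MIN <= mtu <= MTU_MAX:
        findings.append(f"{name}: MTU {mtu} outside the {MTU_MIN}-{MTU_MAX} range")

    if settings.get("services", {}).get("telnet"):
        findings.append(f"{name}: Telnet enabled (plain text); use SSH instead")

    # An empty Permitted IP Addresses list means management access from any IP.
    permitted = settings.get("permitted_ip_addresses", [])
    if not permitted:
        findings.append(f"{name}: Permitted IP Addresses empty; access allowed from any IP")
    else:
        for item in permitted:
            try:
                ipaddress.ip_network(item, strict=False)
            except ValueError:
                findings.append(f"{name}: invalid permitted IP entry {item!r}")
    return findings


def source_is_permitted(source_ip: str, permitted: List[str]) -> bool:
    """Mirror the appliance rule: an empty list permits every source."""
    if not permitted:
        return True
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(p, strict=False) for p in permitted)


# Constructed sample: a weak MGT configuration ...
WEAK_MGT = {
    "name": "MGT",
    "ipv4_address": "192.0.2.10",
    "ipv4_netmask": "255.255.255.0",
    "ipv4_default_gateway": "198.51.100.1",   # not on the MGT subnet
    "mtu": 9000,
    "services": {"https": True, "ssh": True, "telnet": True},
    "permitted_ip_addresses": [],
}
# ... and the same interface with each finding corrected.
HARDENED_MGT = {
    "name": "MGT",
    "ipv4_address": "192.0.2.10",
    "ipv4_netmask": "255.255.255.0",
    "ipv4_default_gateway": "192.0.2.1",
    "ipv6_address_prefix": "2001:db8:10::5/64",
    "ipv6_default_gateway": "2001:db8:10::1",
    "mtu": 1500,
    "services": {"https": True, "ssh": True, "telnet": False},
    "permitted_ip_addresses": ["203.0.113.0/24", "192.0.2.50"],
}

if __name__ == "__main__":
    for cfg in (WEAK_MGT, HARDENED_MGT):
        print(cfg["name"], check_interface(cfg) or "OK")
```

`source_is_permitted` encodes the caveat from the table directly: with an empty list every source passes, which is why the weak configuration is reported even though nothing in it is syntactically wrong.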
Panorama > High Availability
To enable high availability (HA) on Panorama, configure the settings as described in the following table.
Panorama HA Settings / Description
Setup
Click Edit to configure the following settings.
Enable HA: Select to enable HA.
Peer HA IP Address: Enter the IP address of the MGT interface on the peer.
Enable Encryption: When enabled, the MGT interface encrypts communication between the HA peers. Before enabling encryption, export the HA key from each HA peer and import the key into the other peer. You import and export the HA key on the Panorama > Certificate Management > Certificates page (see Manage Firewall and Panorama Certificates).
HA connectivity uses TCP port 28 with encryption enabled and TCP port 28769 when encryption is not enabled.
Monitor Hold Time (ms): Enter the number of milliseconds that the system will wait before acting on a control link failure (range is 1,000 to 60,000; default is 3,000).
Secure Client Communication validates the identity of Panorama HA peers.
Certificate: Select the local Panorama certificate. This certificate profile defines certificate revocation checking behavior and the root CA used to authenticate the certificate chaining for the Panorama HA peer.
Certificate Profile: Select a Certificate Profile that defines how Panorama authenticates with its HA peer and with other servers. This profile must match the certificate profile configured under Panorama > Setup > Panorama Settings.
Check Server Identity: Select to specify that Panorama confirms the identity of its HA peer by matching the common name (CN) configured in the server certificate for the peer.
Election Settings
Click Edit to configure the following settings.
Priority (Required on the Panorama virtual appliance): This setting determines which peer is the primary recipient for firewall logs. Assign one peer as Primary and the other as Secondary in the HA pair.
When you configure Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode, you can use its internal disk (default) or a Network File System (NFS) for log storage. If you configure an NFS, only the primary recipient receives the firewall logs. If you configure internal disk storage, the firewalls send logs to both the primary and the secondary peer by default, but you can change this by enabling Only Active Primary Logs to Local Disk in the Logging and Reporting Settings.
Preemptive: Select to enable the primary Panorama to resume active operation after recovering from a failure. When disabled, the secondary Panorama remains active even after the primary Panorama recovers from a failure.
HA Timer Settings: Your selection determines the values for the remaining HA election settings, which control the failover speed:
- Recommended: Select for typical (default) failover timer settings. To see the associated values, select Advanced and Load Recommended.
- Aggressive: Select for faster failover timer settings. To see the associated values, select Advanced and Load Aggressive.
- Advanced: Select to display the remaining HA election settings and customize their values.
See the Recommended and Aggressive values for the following settings.
Promotion Hold Time (ms): Enter the number of milliseconds (range is 0 to 60,000) the secondary Panorama peer waits before taking over after the primary peer goes down. The recommended (default) value is 2,000; the aggressive value is 500.
Hello Interval (ms): Enter the number of milliseconds (range is 8,000 to 60,000) between hello packets that are sent to verify that the other peer is operational. The recommended (default) and aggressive value is 8,000.
Heartbeat Interval (ms): Specify the frequency in milliseconds (range is 1,000 to 60,000) at which Panorama sends ICMP pings to the HA peer. The recommended (default) value is 2,000; the aggressive value is 1,000.
Preemption Hold Time (min): This field applies only if you also select Preemptive. Enter the number of minutes (range is 1 to 60) the passive Panorama peer will wait before falling back to active status after it recovers from an event that caused failover. The recommended (default) and aggressive value is 1.
Monitor Fail Hold Up Time (ms): Specify the number of milliseconds (range is 0 to 60,000) Panorama waits after a path monitor failure before attempting to re-enter the passive state. During this period, the passive peer is not available to take over for the active peer in the event of failure. This interval enables Panorama to avoid a failover due to the occasional flapping of neighboring devices. The recommended (default) and aggressive value is 0.
Additional Master Hold Up Time (ms): Specify the number of milliseconds (range is 0 to 60,000) during which the preempting peer remains in the passive state before taking over as the active peer. The recommended (default) value is 7,000; the aggressive value is 5,000.
Panorama HA Settings | Description
Path Monitoring
Click Edit to configure HA path monitoring.
Enabled | Select to enable path monitoring. Path monitoring enables Panorama to monitor specified destination IP addresses by sending ICMP ping messages to verify that they are responsive.
Failure Condition | Select whether a failover occurs when Any or All of the monitored path groups fail to respond.
Path Group
To create a path group for HA path monitoring, click Add and complete the following fields.
Name | Specify a name for the path group.
Enabled | Select to enable the path group.
Failure Condition | Select whether a failure occurs when Any or All of the specified destination addresses fail to respond.
Ping Interval | Specify the number of milliseconds between the ICMP echo messages that verify that the path to the destination IP address is up (range is 1,000 to 60,000; default is 5,000).
Ping Count | Specify the number of failed pings before declaring a failure (range is 3 to 10; default is 3).
Destination IPs | Enter one or more destination IP addresses to monitor. Use commas to separate multiple addresses.
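The two-level Any/All logic above (destinations inside a path group, path groups under the top-level Failure Condition) is easy to misread, so the following added example, which is not Palo Alto Networks code, models it so you can check which monitor outcomes would actually trigger a Panorama failover. It assumes, as the page does not state, that a destination counts as failed once it misses Ping Count consecutive pings and that a disabled path group is excluded from the evaluation; all IP addresses and group names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Added example (not Palo Alto Networks code): evaluates HA path monitoring
# Any/All conditions as described in the Panorama HA Settings table.
# Assumptions: a destination is "down" after Ping Count consecutive missed
# pings; disabled path groups are ignored.

PING_INTERVAL_RANGE_MS = (1_000, 60_000)   # Ping Interval field range
PING_COUNT_RANGE = (3, 10)                 # Ping Count field range


@dataclass
class PathGroup:
    name: str
    enabled: bool
    failure_condition: str          # "any" or "all" of the destinations
    ping_interval_ms: int
    ping_count: int
    destination_ips: List[str]

    def validate(self) -> None:
        """Reject values outside the ranges the web interface accepts."""
        lo, hi = PING_INTERVAL_RANGE_MS
        if not lo <= self.ping_interval_ms <= hi:
            raise ValueError(f"{self.name}: ping interval outside {lo}-{hi} ms")
        lo, hi = PING_COUNT_RANGE
        if not lo <= self.ping_count <= hi:
            raise ValueError(f"{self.name}: ping count outside {lo}-{hi}")
        if self.failure_condition not in ("any", "all"):
            raise ValueError(f"{self.name}: failure condition must be any/all")
        if not self.destination_ips:
            raise ValueError(f"{self.name}: at least one destination IP needed")

    def failed_destinations(self, missed: Dict[str, int]) -> List[str]:
        """Destinations whose consecutive missed-ping count reached Ping Count."""
        return [ip for ip in self.destination_ips
                if missed.get(ip, 0) >= self.ping_count]

    def has_failed(self, missed: Dict[str, int]) -> bool:
        down = self.failed_destinations(missed)
        if self.failure_condition == "any":
            return len(down) > 0
        return len(down) == len(self.destination_ips)

    def time_to_detect_ms(self) -> int:
        """Worst-case time before one silent destination is declared down."""
        return self.ping_interval_ms * self.ping_count


def validation_error(group: PathGroup) -> str:
    """Return '' when the group is valid, otherwise the first problem found."""
    try:
        group.validate()
    except ValueError as exc:
        return str(exc)
    return ""


def failover_triggered(groups: List[PathGroup], failure_condition: str,
                       missed: Dict[str, int]) -> bool:
    """Apply the top-level Any/All condition across the enabled path groups."""
    active = [g for g in groups if g.enabled]
    for g in active:
        g.validate()
    if not active:
        return False                      # nothing monitored, nothing can fail
    failed = [g for g in active if g.has_failed(missed)]
    if failure_condition == "any":
        return len(failed) > 0
    if failure_condition == "all":
        return len(failed) == len(active)
    raise ValueError("top-level failure condition must be 'any' or 'all'")


# Constructed sample configuration using the default 5,000 ms / 3 pings.
GROUPS = [
    PathGroup("dc-core", True, "all", 5_000, 3, ["10.0.0.1", "10.0.0.2"]),
    PathGroup("branch-wan", True, "any", 5_000, 3, ["192.0.2.1"]),
]

# Constructed monitor state: consecutive missed pings per destination.
ONE_CORE_ROUTER_DOWN = {"10.0.0.1": 3, "10.0.0.2": 0, "192.0.2.1": 0}
WAN_DOWN = {"10.0.0.1": 0, "10.0.0.2": 0, "192.0.2.1": 4}

if __name__ == "__main__":
    for g in GROUPS:
        print(f"{g.name}: silent destination declared down after "
              f"{g.time_to_detect_ms()} ms")
    print("one core router down, Any:",
          failover_triggered(GROUPS, "any", ONE_CORE_ROUTER_DOWN))  # False
    print("WAN down, Any:", failover_triggered(GROUPS, "any", WAN_DOWN))  # True
    print("WAN down, All:", failover_triggered(GROUPS, "all", WAN_DOWN))  # False
```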
Panorama > Managed WildFire Clusters
Panorama > Managed WildFire Appliances
You can manage WildFire WF-500 appliances in clusters or as standalone appliances from a Panorama M-Series or virtual appliance. Managing clusters (Panorama > Managed WildFire Clusters) and managing standalone appliances (Panorama > Managed WildFire Appliances) share many common administrative and configuration tasks, so both are included in the following topics.
After you add WildFire WF-500 appliances to Panorama, use the web interface to add those appliances to and manage them as clusters, or to manage them as standalone appliances.
- Managed WildFire Cluster Tasks
- Managed WildFire Appliance Tasks
- Managed WildFire Information
- Managed WildFire Cluster and Appliance Administration
Managed WildFire Cluster Tasks
You can create and remove WildFire appliance clusters from Panorama. Additionally, you can save configuration time by importing configurations from one cluster to another.
Task | Description
Managed WildFire Appliance Tasks
You can add, remove, and manage standalone WildFire WF-500 appliances on a Panorama device. After you add standalone appliances, you can add them to WildFire appliance clusters as cluster nodes or you can manage them as individual standalone appliances.
Task | Description
Remove | If you no longer need to manage a WildFire appliance from Panorama, Remove the appliance and select Yes to confirm your action. After you remove an appliance from Panorama management, you can manage the appliance locally using its CLI. If needed, you can add the appliance back into the Panorama appliance at any time if you want to again manage the appliance centrally instead of locally.
Managed WildFire Information
Managed WildFire Information | Description
Appliance | The name of the appliance. The Managed WildFire Clusters view displays appliances grouped by cluster, includes the standalone appliances available to add to a cluster, and includes the serial number (in parentheses) with the appliance name (the serial number is not part of the name).
IP Address | The IP address of the appliance.
Connected | The connection state between the appliance and Panorama: either Connected or Disconnected.
Content | The version number of the content release version.
Role | The appliance role:
- Standalone: The appliance is not a cluster node.
- Controller: The appliance is the cluster Controller node.
- Controller Backup: The appliance is the cluster Controller backup node.
- Worker: The appliance is a Worker node in the cluster.
View | View cluster or appliance utilization statistics. You can view only individual appliances (Panorama > Managed WildFire Appliances) or you can view only cluster statistics (Panorama > Managed WildFire Clusters).
- Appliance (Standalone appliance view only): The appliance serial number.
- Cluster (Cluster view only): The cluster name. You can also select a different cluster to view.
- Duration: Displays the time period for which statistics are collected and displayed. You can select different durations: 15 Min, Last Hour, Last 24 Hours (default), Last 7 Days, All.
The Utilization View has four tabs and, on each tab, you determine what is displayed based on your configured Duration.
View | View information about the firewalls connected to the cluster or the appliance. You can view only individual appliances (Panorama > Managed WildFire Appliances) or you can view only cluster statistics (Panorama > Managed WildFire Clusters).
- Appliance (Standalone appliance view only): The appliance serial number.
- Cluster (Cluster view only): The cluster name. You can also select a different cluster to view.
- Refresh: Refresh the display.
Managed WildFire Cluster and Appliance Administration
Setting | Description
General Tab
Name | The cluster or appliance Name or the appliance serial number.
Appliance Tab
Hostname (Standalone WildFire appliance only) | Enter the hostname of the WildFire appliance.
Domain | Enter the domain name of the appliance cluster or appliance.
Timezone | Select the time zone to use for the cluster or appliance.
Latitude (Standalone WildFire appliance only) | Enter the latitude of the WildFire appliance.
Longitude (Standalone WildFire appliance only) | Enter the longitude of the WildFire appliance.
Delete | Select and then Delete the log forwarding settings you want to remove from the System or Configuration log list.
Authentication Tab
Clustering Tab (Managed WildFire Clusters only) and Interface Tab (Managed WildFire Appliances only)
You must add appliances to Panorama to manage interfaces, and add appliances to clusters to manage cluster node interfaces.
Appliance (Clustering Tab only) | Select a cluster node to access the Appliance and Interfaces tabs for that node. The Appliance tab node information is prepopulated and is not configurable except for the hostname. The Interfaces tab lists the node interfaces. Select an interface to manage it as described in Interface Name Management, Interface Name Analysis Environment Network, Interface Name Ethernet2, and Interface Name Ethernet3.
Role (Clustering Tab only) | When a cluster has member appliances, the appliance roles can be Controller, Controller Backup, or Worker. Select Controller or Backup Controller to change the WildFire appliance used for each role from the appliances in the cluster. Changing the Controller results in data loss during the role change.
Browse (Clustering Tab only) | The Clustering tab lists the WildFire appliance nodes in the cluster. Browse to view and add standalone WildFire appliances that the Panorama device already manages:
- Search box: Enter search terms to filter the node list. The search box indicates the number of appliances (items) in the list so you know how long the list is. After you enter search terms, apply the filter or clear the filter and enter a different set of terms.
- Add Nodes: Add each node to the cluster using the add icon next to the node in the list.
The first WildFire appliance you add to a cluster automatically becomes the Controller node. The second WildFire appliance you add automatically becomes the Controller Backup node.
You can add up to 20 WildFire appliances to a cluster. After adding the Controller and Controller Backup nodes, all subsequently added nodes are Worker nodes.
Delete (Clustering Tab only) | Select one or more appliances from the Appliance list and then Delete them from the cluster. You can remove a Controller node only if there are two Controller nodes in the cluster.
Panorama > Administrators
Administrator Account Settings | Description
Name | Enter a login user name for the administrator (up to 15 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, hyphens, and underscores.
Authentication Profile | Select an authentication profile or sequence to authenticate this administrator. For details, see Device > Authentication Profile or Device > Authentication Sequence.
Use only client certificate authentication (Web) | Select to use client certificate authentication for web interface access. If you select this option, a user name (Name) and Password are not required.
Password / Confirm Password | Enter and confirm a case-sensitive password for the administrator (up to 15 characters). To ensure security, Palo Alto Networks recommends that administrators change their passwords periodically using a combination of lowercase letters, uppercase letters, and numbers.
Device Group and Template administrators cannot access Panorama > Administrators. To change their local password, these administrators click their user name (beside Logout at the bottom of the web interface). This also applies to administrators with a custom Panorama role in which access to Panorama > Administrators is disabled.
You can use password authentication in conjunction with an Authentication Profile (or sequence) or with local database authentication.
You can set password expiration parameters by selecting a Password Profile (see Device > Password Profiles) and setting Minimum Password Complexity parameters (see Device > Setup > Management), but only for administrative accounts that Panorama authenticates locally.
Administrator Type | The type selection determines the administrative role options:
- Dynamic: Roles that provide access to Panorama and managed firewalls. When new features are added, Panorama automatically updates the definitions of dynamic roles; you never need to manually update them.
- Custom Panorama Admin: Configurable roles that have read-write access, read-only access, or no access to Panorama features.
- Device Group and Template Admin: Configurable roles that have read-write access, read-only access, or no access to features for the device groups and templates that are assigned to the access domains you select for this administrator.
Admin Role (Dynamic administrator type) | Select a predefined role:
- Superuser: Full read-write access to Panorama and all device groups, templates, and managed firewalls.
- Superuser (Read Only): Read-only access to Panorama and all device groups, templates, and managed firewalls.
- Panorama administrator: Full access to Panorama except for the following actions:
  - Create, modify, or delete Panorama or firewall administrators and roles.
  - Export, validate, revert, save, load, or import a configuration (Device > Setup > Operations).
  - Configure a Scheduled Config Export in the Panorama tab.
Profile (Custom Panorama Admin administrator type) | Select a custom Panorama role (see Panorama > Managed Devices).
Access Domain to Administrator Role (Device Group and Template Admin administrator type) | For each access domain (up to 25) you want to assign to the administrator, Add an Access Domain from the drop-down (see Panorama > Access Domains) and then click the adjacent Admin Role cell and select a custom Device Group and Template administrator role from the drop-down (see Panorama > Managed Devices). When administrators with access to more than one domain log in to Panorama, an Access Domain drop-down appears in the footer of the web interface. Administrators can select any assigned Access Domain to filter the monitoring and configuration data that Panorama displays. The Access Domain selection also filters the firewalls that the Context drop-down displays.
If you use a RADIUS server to authenticate administrators, you must map administrator roles and access domains to RADIUS VSAs. Because VSA strings support a limited number of characters, if you configure the maximum number of access domain/role pairs (25) for an administrator, the Name values for each access domain and each role must not exceed an average of 9 characters.
Panorama > Admin Roles
Admin Role profiles are custom roles that define the access privileges and responsibilities of administrators. For example, the roles assigned to an administrator control which reports he or she can generate and which device group or template configurations the administrator can view or change.
For a Device Group and Template administrator, you can assign a separate role to each access domain that is assigned to the administrative account (see Panorama > Access Domains). Mapping roles to access domains enables you to achieve very granular control over the information that administrators can access on Panorama. For example, consider a scenario where you configure an access domain that includes all the device groups for firewalls in your data centers and you assign that access domain to an administrator who is allowed to monitor data center traffic but who is not allowed to configure the firewalls. In this case, you would map the access domain to a role that enables all monitoring privileges but disables access to device group settings.
To create an Admin Role profile, Add a profile and configure the settings as described in the following table.
If you use a RADIUS server to authenticate administrators, map the administrator roles and access domains to RADIUS Vendor-Specific Attributes (VSAs).
Panorama Administrator Role Settings | Description
Name | Enter a name to identify this administrator role (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens, and underscores.
Description | (Optional) Enter a description of the role.
Web UI | Select from the following options to set the type of access permitted for specific features in the Panorama context (Web UI list) and firewall context (Context Switch UI list):
- Enable: Read and write access
- Read Only: Read-only access
- Disable: No access
Command Line (Panorama role only) | Select the type of role for CLI access:
- None (Default): Access to the Panorama CLI not permitted.
- superuser: Full access to Panorama.
- superreader: Read-only access to Panorama.
- panorama-admin: Full access to Panorama except for the following actions:
  - Create, modify, or delete Panorama administrators and roles.
  - Export, validate, revert, save, load, or import a configuration.
  - Schedule configuration exports.
Panorama > Access Domains
Access domains control the access that Device Group and Template administrators have to specific device groups (to manage policies and objects), to templates (to manage network and device settings), and to the web interface of managed firewalls (through context switching). You can define up to 4,000 access domains and manage them locally or by using RADIUS Vendor-Specific Attributes (VSAs), TACACS+ VSAs, or SAML attributes. To create an access domain, Add a domain and configure the settings as described in the following table.
Access Domain Settings | Description
Name | Enter a name for the access domain (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, hyphens, and underscores.
Shared Objects | Select one of the following access privileges for the objects that device groups in this access domain inherit from the Shared location. Regardless of privilege, administrators can't override shared or default (predefined) objects.
- read: Administrators can display and clone shared objects but cannot perform any other operations on them. When adding non-shared objects or cloning shared objects, the destination must be a device group within the access domain, not Shared.
- write: Administrators can perform all operations on shared objects. This is the default value.
- shared-only: Administrators can add objects only to Shared. Administrators can also display, edit, and delete shared objects but cannot move or clone them. A consequence of this selection is that administrators cannot perform any operations on non-shared objects other than to display them.
Device Groups | Enable or disable read-write access for specific device groups in the access domain. You can also click Enable All or Disable All. Enabling read-write access for a device group automatically enables the same access for its descendants. If you manually disable a descendant, access for its highest ancestor automatically changes to read-only. By default, access is disabled for all device groups.
If you want the list to display only specific device groups, select the device group names and Filter Selected.
If you set the access for shared objects to shared-only, Panorama applies read-only access to any device groups for which you specify read-write access.
Templates | For each template or template stack you want to assign, click Add and select it from the drop-down.
Device Context (Corresponds to the Device/Virtual Systems column in the Access Domain page) | Select the firewalls to which the administrator can switch context for performing local configuration. If the list is long, you can filter by Device State, Platforms, Device Groups, Templates, Tags, and HA Status.
Panorama > Managed Devices
A Palo Alto Networks firewall that Panorama manages is called a managed device. Panorama can manage firewalls running the same major release or earlier supported versions, but Panorama cannot manage firewalls running a later release version. For example, Panorama 7.1 can manage firewalls running PAN-OS 7.1 and earlier supported releases, but it cannot manage firewalls running PAN-OS 8.0.
- Managed Firewall Administration
- Managed Firewall Information
- Firewall Software and Content Updates
- Firewall Backups
Managed Firewall Administration
You can perform the following administrative tasks on firewalls.
Task | Description
Add | Add firewalls and enter their serial numbers (one per row) to add them as managed devices. The Managed Devices window will then display Managed Firewall Information, including connection status, installed updates, and properties that were set during initial configuration.
Next, enter the IP address of the Panorama management server on each firewall (see Device > Setup > Management) so that Panorama can manage the firewalls.
The firewall registers with Panorama over an SSL connection with AES-256 encryption. Panorama and the firewall authenticate each other using 2,048-bit certificates and use the SSL connection for configuration management and log collection.
Delete | Select one or more firewalls and click Delete to remove them from the list of firewalls that Panorama manages.
Tag | Select one or more firewalls, click Tag, and enter a text string of up to 31 characters or select an existing tag. Do not use an empty space. Wherever the web interface displays a long list of firewalls (for example, in the dialog for installing software), tags provide one means to filter the list. For example, you can use a tag called branch-office to filter for all branch-office firewalls across your network.
Install | Click Install to install Firewall Software and Content Updates.
Manage (Backups) | Click Manage to manage Firewall Backups.
Managed Firewall Information
Managed Firewall Information | Description
Device Group | Displays the name of the device group (Panorama > VMware NSX) in which the firewall is a member. By default, this column is hidden, though you can display it by selecting the drop-down in any column header and selecting Columns > Device Group.
Regardless of whether the column is visible, the page displays firewalls in clusters according to their device group. Each cluster has a header row that displays the device group name, the total number of assigned firewalls, the number of connected firewalls, and the device group path in the hierarchy. For example, Datacenter (2/4 Devices Connected): Shared > Europe > Datacenter would indicate that a device group named Datacenter has four member firewalls (two of which are connected) and is a child of a device group named Europe. You can collapse or expand any device group to hide or display its firewalls.
Device Name | Displays the hostname or serial number of the firewall. For the VM-Series NSX edition firewall, the firewall name appends the hostname of the ESXi host. For example, PA-VM:Host-NY5105.
Virtual System | Lists the virtual systems available on a firewall that is in Multiple Virtual Systems mode.
Tags | Displays the tags defined for each firewall/virtual system.
Serial Number | Displays the serial number of the firewall.
IP Address | Displays the IP address of the firewall/virtual system.
Template | Displays the template or template stack to which the firewall is assigned.
Status | Device State: Indicates the state of the connection between Panorama and the firewall: Connected or Disconnected.
A VM-Series firewall can have two additional states:
- Deactivated: Indicates that you have deactivated a virtual machine either directly on the firewall or by selecting Deactivate VMs (Panorama > Device Deployment > Licenses) and removed all licenses and entitlements on the firewall. A deactivated firewall is no longer connected to Panorama because the deactivation process removes the serial number on the VM-Series firewall.
- Partially deactivated: Indicates that you have initiated the license deactivation process from Panorama, but the process is not fully complete because the firewall is offline and Panorama cannot communicate with it.
HA Status: Indicates whether the firewall is:
- Active: Normal traffic-handling operational state
- Passive: Normal backup state
- Initiating: The firewall is in this state for up to 60 seconds after boot up
- Non-functional: Error state
- Suspended: An administrator disabled the firewall
- Tentative: For a link or path monitoring event in an active/active configuration
Shared Policy: Indicates whether the policy and object configurations on the firewall are synchronized with Panorama.
Template: Indicates whether the network and device configurations on the firewall are synchronized with Panorama.
Certificate: Indicates the managed device's client certificate status.
- Predefined: The managed device is using a predefined certificate to authenticate with Panorama.
- Deployed: The custom certificate is successfully deployed on the managed device.
- Expires in N days N hours: The currently installed certificate will expire in less than 30 days.
- Expires in N minutes: The currently installed certificate will expire in less than one day.
- Client Identity Check Passed: The certificate common name matches the serial number of the connecting device.
- OCSP Status Unknown: Panorama cannot get the OCSP status from the OCSP responder.
- OCSP Status Unavailable: Panorama cannot contact the OCSP responder.
- CRL Status Unknown: Panorama cannot get the revocation status from the CRL database.
- CRL Status Unavailable: Panorama cannot contact the CRL database.
- OCSP/CRL Status Unknown: Panorama cannot get the OCSP or revocation status when both are enabled.
- OCSP/CRL Status Unavailable: Panorama cannot contact the OCSP or CRL database when both are enabled.
- Untrusted Issuer: The managed device has a custom certificate but the server is not validating it.
Last Commit State: Indicates whether the last commit failed or succeeded on the firewall.
Software Version / Apps and Threat / Antivirus / URL Filtering / GlobalProtect Client / WildFire | Displays the software and content versions that are currently installed on the firewall. For details, see Firewall Software and Content Updates.
Backups | On each firewall commit, PAN-OS automatically sends a firewall configuration backup to Panorama. Click Manage to view the available configuration backups and optionally load one. For details, see Firewall Backups.
Firewall Software and Content Updates
To reduce traffic on the management (MGT) interface, you can configure Panorama to use a separate interface for deploying updates (see Panorama > Setup > Interfaces).
Firewall Software/Content Update Installation Options | Description
Type | Select the type of update you want to install: PAN-OS Software, GlobalProtect Client software, Apps and Threats signatures, Antivirus signatures, WildFire, or URL Filtering.
File | Select the update image. The drop-down includes only images that you downloaded or uploaded to Panorama using the Panorama > Device Deployment pages.
Filters | Select Filters to filter the Devices list.
Devices | Select the firewalls on which you want to install the image.
Device Name | The firewall name.
Current Version | The update version of the selected Type that is currently installed on the firewall.
HA Status | Indicates whether the firewall is:
- Active: Normal traffic-handling operational state
- Passive: Normal backup state
- Initiating: The firewall is in this state for up to 60 seconds after boot up
- Non-functional: Error state
- Suspended: An administrator disabled the firewall
- Tentative: For a link or path monitoring event in an active/active configuration
Group HA Peers | Select to group firewalls that are peers in a high availability (HA) configuration.
Filter Selected | If you want the Devices list to display only specific firewalls, select the corresponding device names and Filter Selected.
Upload only to device | Select to upload the image on the firewall but not automatically reboot the firewall. The image is installed when you manually reboot the firewall.
Reboot device after Install (Software only) | Select to upload and install the software image. The installation process triggers a reboot.
Disable new apps in content update (Apps and Threats only) | Select to disable applications in the update that are new relative to the last installed update. This protects against the latest threats while giving you the flexibility to enable applications after preparing any policy updates. Then, to enable applications, log in to the firewall, select Device > Dynamic Updates, click Apps in the Features column to display the new applications, and click Enable/Disable for each application you want to enable.
Firewall Backups
Panorama automatically backs up every configuration change you commit to managed firewalls. To manage the backups for a firewall, select Panorama > Managed Devices, click Manage in the Backups column for the firewall, and perform any of the following tasks.
To configure the number of firewall configuration backups that Panorama stores, select Panorama > Setup > Management, edit the Logging and Reporting Settings, select Log Export and Reporting, and enter the Number of Versions for Config Backups (default is 100).
Task | Description
Display details about a saved or committed configuration. | In the Version column for the backup, click the saved configuration file name or committed configuration version number to display the contents of the associated XML file.
Restore a saved or committed configuration to the candidate configuration. | In the Action column for the backup, click Load and Commit.
Remove a saved configuration. | In the Action column for the saved backup, click Delete.
Panorama > Templates
Through the Device and Network tabs, you can deploy a common base configuration to multiple firewalls that require similar settings using a template or a template stack (a combination of templates). When managing firewall configurations with Panorama, you use a combination of device groups (to manage shared policies and objects) and templates (to manage shared device and network settings).
In addition to the settings available from the dialogs for creating Templates or Template Stacks, Panorama > Templates displays the following columns:
- Type: Identifies the listed entries as templates or template stacks.
- Stack: Lists the templates assigned to a template stack.
What do you want to do? | See:
Add, clone, edit, or delete a template | Templates
Add, clone, edit, or delete a template stack | Template Stacks
Templates
Panorama supports up to 1,024 templates. To configure a template, Add one and configure the settings as described in the following table.
After configuring a template, you must commit your changes in Panorama (see Panorama Commit Operations). After you configure the network and device settings of firewalls assigned to the template, you must perform a template commit to push the settings to the firewalls.
Deleting a template, or removing a firewall from one, does not delete the values that Panorama has pushed to the firewall. When you remove a firewall from a template, Panorama no longer pushes new updates to that firewall.
Template Settings | Description
Name | Enter a template name (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens, periods, and underscores.
In the Device and Network tabs, this name appears in the Template drop-down. The settings you modify in these tabs apply only to the selected Template.
Default VSYS | Select a virtual system if you want Panorama to push configurations specific to that virtual system (such as interfaces) to firewalls that don't have multiple virtual systems.
Description | Enter a description for the template.
Devices | Select each firewall that you want to add to the template. You can assign a given firewall to only one template or stack. Therefore, if you will use the template only within a stack, do not assign firewalls to the template, just to the stack (see Template Stacks).
If the list of firewalls is long, you can filter it by Platforms, Device Groups, Tags, and HA Status. For each of these categories, the dialog displays the number of managed firewalls.
You can assign firewalls that have non-matching modes (VPN mode, multiple virtual systems mode, or operational mode) to the same template. Panorama pushes mode-specific settings only to firewalls that support those modes.
Select All | Selects every firewall in the list.
Deselect All | Deselects every firewall in the list.
Group HA Peers | Select to group firewalls that are high availability (HA) peers. The list then displays the active firewall (or active-primary firewall in an active/active configuration) first and displays the passive firewall (or active-secondary firewall in an active/active configuration) in parentheses. This enables you to easily identify firewalls that have an HA configuration and, when pushing template settings, you can push to the grouped pair instead of to each firewall individually.
Template Stacks
A template stack is a combination of templates. By assigning firewalls to a stack, you can push all the necessary settings to them without the redundancy of adding every setting to every template. Panorama supports up to 1,024 stacks. To configure a template stack, Add Stack and configure the settings as described in the following table.
After configuring a template stack, commit your changes in Panorama (see Panorama Commit Operations). After you configure the network and device settings of firewalls assigned to the stack, you must perform a template commit to push the settings to the firewalls.
Deleting a template stack or removing a firewall from a template stack does not delete the values that Panorama previously pushed to that firewall; however, when you remove a firewall from a template stack, Panorama no longer pushes new updates to that firewall.
Template Stack Settings | Description
Name | Enter a stack name (up to 31 characters). The name is case-sensitive, must be unique, must start with a letter, and can contain only letters, numbers, and underscores. In the Device and Network tabs, the Template drop-down displays the stack name and its assigned templates.
Description | Enter a description for the stack.
Templates | Add each template you want to include in the stack (up to 16).
If templates have duplicate settings, Panorama pushes only the settings of the higher template in the list to the assigned firewalls. For example, if Template_A is above Template_B in the list, and both templates define the ethernet1/1 interface, Panorama pushes the ethernet1/1 definition from Template_A and not from Template_B. To change the order, select a template and Move Up or Move Down.
Panorama doesn't validate template combinations in stacks, so plan the order in a way that avoids invalid relationships.
Devices | Select each firewall that you want to add to the stack.
If the list of firewalls is long, you can filter it by Platforms, Device Groups, Tags, and HA Status.
You can assign firewalls that have non-matching modes (VPN mode, multiple virtual systems mode, or operational mode) to the same stack. Panorama pushes mode-specific settings only to firewalls that support those modes.
Select All | Selects every firewall in the list.
Deselect All | Deselects every firewall in the list.
Group HA Peers | Groups firewalls that are high availability (HA) peers. This enables you to easily identify firewalls that have an HA configuration. When pushing settings from the template stack, you can push to the grouped pair instead of to each firewall individually.
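Because Panorama does not validate template combinations, it helps to see which template will win each duplicated setting before the template commit. The following added example, which is not Palo Alto Networks code, applies the stack rules stated above (at most 16 templates, the higher template wins, stack names start with a letter and use only letters, numbers and underscores) and reports every shadowed setting; the templates are represented as flat mappings of constructed setting paths to values, which is an assumption for illustration and not the PAN-OS configuration schema.

```python
import re
from typing import Dict, List, Tuple

# Added example (not Palo Alto Networks code): resolves the effective settings
# of a template stack in list order and reports shadowed duplicates.
# Assumption: a template is a flat mapping of setting path -> value; the
# paths used below are constructed and are not the real PAN-OS schema.

MAX_TEMPLATES_PER_STACK = 16
STACK_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,30}")  # Name field rule

Template = Dict[str, str]            # setting path -> value
Stack = List[Tuple[str, Template]]   # ordered from the top of the list down


def valid_stack_name(name: str) -> bool:
    """Up to 31 chars, starts with a letter, letters/numbers/underscores only."""
    return STACK_NAME_RE.fullmatch(name) is not None


def resolve_stack(stack: Stack) -> Tuple[Dict[str, Tuple[str, str]], List[str]]:
    """Return (path -> (value, winning template), notes about shadowed settings)."""
    if len(stack) > MAX_TEMPLATES_PER_STACK:
        raise ValueError(f"a stack holds at most {MAX_TEMPLATES_PER_STACK} templates")
    effective: Dict[str, Tuple[str, str]] = {}
    notes: List[str] = []
    for template_name, settings in stack:   # higher in the list is visited first
        for path, value in settings.items():
            if path in effective:
                winner_value, winner = effective[path]
                if winner_value != value:
                    notes.append(f"{path}: {template_name}={value!r} shadowed by "
                                 f"{winner}={winner_value!r}")
                continue                    # a higher template already defined it
            effective[path] = (value, template_name)
    return effective, notes


# Constructed templates: both define ethernet1/1, as in the page's example.
TEMPLATE_A: Template = {
    "network/interface/ethernet1/1/ip": "10.1.1.1/24",
    "deviceconfig/system/dns/primary": "10.1.1.53",
}
TEMPLATE_B: Template = {
    "network/interface/ethernet1/1/ip": "192.0.2.1/24",
    "network/interface/ethernet1/2/ip": "10.2.2.1/24",
    "deviceconfig/system/ntp/primary": "10.2.2.123",
}
STACK: Stack = [("Template_A", TEMPLATE_A), ("Template_B", TEMPLATE_B)]

if __name__ == "__main__":
    settings, overrides = resolve_stack(STACK)
    for path, (value, source) in sorted(settings.items()):
        print(f"{path} = {value}  (from {source})")
    for note in overrides:
        print("shadowed:", note)
    print("valid stack name 'DC_Stack_01':", valid_stack_name("DC_Stack_01"))
```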
Panorama > Device Groups
Device groups comprise firewalls and virtual systems you want to manage as a group, such as the firewalls that manage a group of branch offices or individual departments in a company. Panorama treats these groups as single units when applying policies. Firewalls can belong to only one device group but, because virtual systems are distinct entities in Panorama, you can assign virtual systems within a firewall to different device groups.
You can nest device groups in a tree hierarchy of up to four levels under the Shared location to implement a layered approach for managing policies across your network of firewalls. At the bottom level, a device group can have parent, grandparent, and great-grandparent device groups at successively higher levels, collectively called ancestors, from which the bottom-level device group inherits policies and objects. At the top level, a device group can have child, grandchild, and great-grandchild device groups, collectively called descendants. When you select Panorama > Device Groups, the Name column displays this device group hierarchy.
After adding, editing, or deleting a device group, perform a Panorama commit and device group commit (see Panorama Commit Operations). Panorama then pushes the configuration changes to the firewalls that are assigned to the device group; Panorama supports up to 1,024 device groups.
To configure a device group, Add one and configure the settings as described in the following table.
Device Group Settings | Description
Name | Enter a name to identify the group (up to 31 characters). The name is case-sensitive, must be unique across the entire device group hierarchy, and can contain only letters, numbers, spaces, hyphens, and underscores.
Description | Enter a description for the device group.
Devices | Select each firewall that you want to add to the device group. If the list of firewalls is long, you can filter by Device State, Platforms, Templates, or Tags. The Filters section displays (in parentheses) the number of managed firewalls for each of these categories.
If the purpose of a device group is purely organizational (that is, to contain other device groups), you don't need to assign firewalls to it.
Select All | Selects every firewall and virtual system in the list.
Deselect All | Deselects every firewall and virtual system in the list.
Group HA Peers | Select to group firewalls that are peers in a high availability (HA) configuration. The list then displays the active (or active-primary in an active/active configuration) firewall first and the passive (or active-secondary in an active/active configuration) firewall in parentheses. This enables you to easily identify firewalls that are in HA mode. When pushing shared policies, you can push to the grouped pair instead of individual peers.
For HA peers in an active/passive configuration, consider adding both firewalls or their virtual systems to the same device group. This enables you to push the configuration to both peers simultaneously.
Filter Selected | If you want the Devices list to display only specific firewalls, select the firewalls and then Filter Selected.
Parent Device Group | Relative to the device group you are defining, select the device group (or the Shared location) that is just above it in the hierarchy (default is Shared).
Master Device | To configure policy rules and reports based on user names and user groups, you must select a Master Device. This is the firewall from which Panorama receives user names, user group names, and user name-to-group mapping information.
When you change the Master Device or set it to None, Panorama loses all the user and group information received from that firewall.
Dynamically Added Device Properties: When a new device is added to the device group, Panorama dynamically applies the specified authorization code and PAN-OS software version to the new device. This displays only after a device group is associated with an NSX service definition in Panorama.
Authorization Code | Enter the authorization code to be applied to devices added to this device group.
SW Version | Select the software version to be applied to devices added to this device group.
Panorama > Managed Collectors
The Panorama management server (M-Series appliance or Panorama virtual appliance in Panorama mode) can manage Dedicated Log Collectors (M-Series appliances in Log Collector mode). Each Panorama management server also has a local predefined Log Collector (named default) to process the logs it receives directly from firewalls. (A Panorama virtual appliance in Legacy mode processes the logs it receives directly from firewalls without using a local Log Collector.)
To use Panorama for managing a Dedicated Log Collector, add the Log Collector as a managed collector.
What do you want to do? See:
- Display Log Collector information: Log Collector Information
- Add, edit, or delete a Log Collector: Log Collector Configuration
- Update Panorama software on a Log Collector: Software Updates for Dedicated Log Collectors
Configure a Managed Collector
Log Collector Information
Log Collector Information / Description
Collector Name: The name that identifies this Log Collector. This name displays as the Log Collector hostname.
Serial Number: The serial number of the Panorama appliance that functions as the Log Collector. If the Log Collector is local, this is the serial number of the Panorama management server.
Software Version: The Panorama software release installed on the Log Collector.
IP Address: The IP address of the management interface on the Log Collector.
Connected: The status of the connection between the Log Collector and Panorama.
Configuration Status/Detail: Indicates whether the configuration on the Log Collector is synchronized with Panorama.
Run Time Status/Detail: The status of the connection between this and other Log Collectors in the Collector Group.
Log Redistribution State: Certain actions (for example, adding disks) will cause the Log Collector to redistribute the logs among its disk pairs. This column indicates the completion status of the redistribution process as a percentage.
Last Commit State: Indicates whether the last Collector Group commit performed on the Log Collector failed or succeeded.
Statistics: After you complete the Log Collector Configuration, click Statistics to view disk information, CPU performance, and the average log rate (logs/second). To better understand the log range you are reviewing, you can also view information on the oldest log that the Log Collector received.
  If you use an SNMP manager for centralized monitoring, you can also see logging statistics in the panLogCollector MIB.
Log Collector Configuration
The complete procedure to configure a Log Collector requires additional tasks.
What are you looking for? See:
- Identify the Log Collector and define its connections to the Panorama management server and to external services: General Log Collector Settings
- Configure access to the Log Collector CLI: Log Collector CLI Authentication Settings
- Configure the interfaces that the Dedicated Log Collector uses for management traffic, Collector Group communication, and log collection: Log Collector Interface Settings
- Configure the RAID disks that store logs collected from firewalls: Log Collector RAID Disk Settings
- Configure the Log Collector to receive user mapping information from User-ID agents: User-ID Agent Settings
- Configure the Log Collector to authenticate with Windows User-ID Agents: Connection Security
- Configure security settings for communication with Panorama, other Log Collectors, and firewalls: Communication Settings
General Log Collector Settings
Panorama > Managed Collectors > General
Configure the settings as described in the following table to identify a Log Collector and define its connections to the Panorama management server, DNS servers, and NTP servers.
Log Collector General Settings / Description
Collector S/N: (Required) Enter the serial number of the Panorama appliance that functions as the Log Collector. If the Log Collector is local, enter the serial number of the Panorama management server.
Collector Name: Enter a name to identify this Log Collector (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens, and underscores.
  This name displays as the Log Collector hostname.
Inbound Certificate for Secure Syslog: Select the certificate that the managed collector must use to securely ingest logs from the Traps ESM server. This certificate is called an inbound certificate because the Panorama/Managed Collector is the server to which the Traps ESM (client) is sending logs; the certificate is required if the Transport protocol for the log ingestion profile is SSL.
Certificate for Secure Syslog: Select a certificate for secure forwarding of syslogs to an external Syslog server. The certificate must have the Certificate for Secure Syslog option selected (see Manage Firewall and Panorama Certificates). When you assign a Syslog server profile to the Collector Group that includes this Log Collector (see Panorama > Collector Groups, Panorama > Collector Groups > Collector Log Forwarding), the Transport protocol of the server profile must be SSL (see Device > Server Profiles > Syslog).
Panorama Server IP: Specify the IP address of the Panorama management server that manages this Log Collector.
Panorama Server IP 2: Specify the IP address of the secondary peer if the Panorama management server is deployed in a high availability (HA) configuration.
Domain: Enter the domain name of the Log Collector.
Primary DNS Server: Enter the IP address of the primary DNS server. The Log Collector uses this server for DNS queries (for example, to find the Panorama management server).
Secondary DNS Server: (Optional) Enter the IP address of a secondary DNS server to use if the primary server is unavailable.
Primary NTP Server: Enter the IP address or hostname of the primary NTP server, if any. If you do not use NTP servers, you can set the Log Collector time manually.
Secondary NTP Server: (Optional) Enter the IP address or hostname of a secondary NTP server to use if the primary server is unavailable.
Timezone: Select the timezone of the Log Collector.
Latitude: Enter the latitude (-90.0 to 90.0) of the Log Collector. Traffic and threat maps use the latitude for App Scope.
Longitude: Enter the longitude (-180.0 to 180.0) of the Log Collector. Traffic and threat maps use the longitude for App Scope.
Log Collector CLI Authentication Settings
Panorama > Managed Collectors > Authentication
An M-Series appliance in Log Collector mode (Dedicated Log Collector) has no web interface, only a CLI. You can use the Panorama management server to configure most settings on a Dedicated Log Collector, but some settings require CLI access. To configure authentication settings for CLI access, configure the settings as described in the following table.
Log Collector Authentication Settings / Description
Users: Always displays as admin and is used for the local CLI login name on the Log Collector.
Mode: Select the password Mode:
- Password: Enter a plaintext Password and Confirm Password.
- Password Hash: Enter a hashed password string. This can be useful if, for example, you want to reuse the password of an existing Unix account but do not know the plaintext password, only the hashed password. Panorama accepts any string of up to 63 characters regardless of the algorithm used to generate the hash value. The operational CLI command request password-hash password <password> uses the MD5 algorithm. When you commit your changes, Panorama pushes the hash value to the Log Collector and the administrator password will be the specified <password>.
Failed Attempts: Enter the number of failed login attempts allowed on the CLI before locking out the administrator account (range is 0 to 10; default is 0). The default (0) specifies unlimited login attempts. Limiting login attempts can help protect the Log Collector from brute-force attacks.
  If you set the Failed Attempts to a value other than 0 but leave the Lockout Time at 0, the Failed Attempts is ignored and the user is never locked out. If you use the default 0 for both fields, the user is never locked out.
Lockout Time: Enter the number of minutes for which the Log Collector locks out the administrator after reaching the number of Failed Attempts (range is 0 to 60; default is 0).
  If you set the Lockout Time to a value other than 0 but leave the Failed Attempts at 0, the Lockout Time is ignored and the user is never locked out. If you use the default 0 for both fields, the user is never locked out.
Log Collector Interface Settings
Panorama > Managed Collectors > Interfaces
By default, Dedicated Log Collectors (M-Series appliances in Log Collector mode) use the management (MGT) interface for management traffic, log collection, and Collector Group communication. However, Palo Alto Networks recommends that you assign separate interfaces for log collection and Collector Group communication to reduce traffic on the MGT interface. You can improve security by defining a separate subnet for the MGT interface that is more private than the subnets for the other interfaces. To use separate interfaces, you must first configure them on the Panorama management server (see Device > Setup > Management). The interfaces that are available for log collection and Collector Group communication vary based on the Log Collector appliance model:
- M-100 appliance: Ethernet1, Ethernet2, Ethernet3 (all 1Gbps interfaces)
- M-500 appliance: Ethernet1 (1Gbps), Ethernet2 (1Gbps), Ethernet3 (1Gbps), Ethernet4 (10Gbps), Ethernet5 (10Gbps)
To configure an interface, select the link and configure the settings as described in the following table.
To complete the configuration of the MGT interface, you must specify the IP address, netmask (for IPv4) or prefix length (for IPv6), and default gateway. If you commit a partial configuration (for example, you might omit the default gateway), you can only access the firewall or Panorama through the console port for future configuration changes.
Always commit a complete MGT interface configuration. You cannot commit the configurations for other interfaces unless you specify the IP address, netmask (for IPv4) or prefix length (for IPv6), and default gateway.
Log Collector Interface Settings / Description
Eth1/Eth2/Eth3/Eth4/Eth5: You must enable an interface to configure it. The exception is the MGT interface, which is enabled by default.
Speed and Duplex: Configure a data rate and duplex option for the interface. The choices include 10Mbps, 100Mbps, 1Gbps, and 10Gbps (Eth4 and Eth5 only) at full or half duplex. Use the default auto-negotiate setting to have the Log Collector determine the interface speed.
  This setting must match the interface settings on the neighboring network equipment.
IP Address (IPv4): If your network uses IPv4, assign an IPv4 address to the interface.
Netmask (IPv4): If you assigned an IPv4 address to the interface, you must also enter a network mask (such as 255.255.255.0).
Default Gateway (IPv4): If you assigned an IPv4 address to the interface, you must also assign an IPv4 address to the default gateway (the gateway must be on the same subnet as the MGT interface).
IPv6 Address/Prefix Length: If your network uses IPv6, assign an IPv6 address to the interface. To indicate the netmask, enter an IPv6 prefix length (such as 2001:400:f00::1/64).
Default IPv6 Gateway: If you assigned an IPv6 address to the interface, you must also assign an IPv6 address to the default gateway (the gateway must be on the same subnet as the interface).
MTU: Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576 to 1,500; default is 1,500).
Permitted IP Addresses: Enter the IP addresses of the client systems that can access the Log Collector through this interface.
  An empty list (default) specifies that access is available to any client system.
  Palo Alto Networks recommends that you do not leave this list blank; specify the client systems of Panorama administrators to prevent unauthorized access.
Log Collector RAID Disk Settings
Panorama > Managed Collectors > Disks
After you configure logging disks on the M-Series appliance or Panorama virtual appliance, you can Add them to the Log Collector configuration.
By default, M-Series appliances are shipped with the first RAID 1 disk pair installed in bays A1 and A2. In the software, the disk pair in bays A1 and A2 is named Disk Pair A. The remaining bays are named sequentially: Disk Pair B, Disk Pair C, and so on. The M-500 appliance supports up to 12 disk pairs while the M-100 appliance supports up to 4 disk pairs. You can install pairs of 2TB or 1TB disks within the same appliance; however, disk size must be the same for both drives within each pair.
The Panorama virtual appliance supports up to 12 virtual logging disks for 24TB of storage capacity.
After you add disk pairs, the Log Collector redistributes its existing logs across all the disks, which can take hours for each terabyte of logs. During the redistribution process, the maximum log ingestion rate is reduced. In the Panorama > Managed Collectors page, the Log Redistribution State column indicates the completion status of the process as a percentage.
If you use an SNMP manager for centralized monitoring, you can see logging statistics in the panLogCollector MIB.
User-ID Agent Settings
Panorama > Managed Collectors > User-ID Agents
A Dedicated Log Collector can receive user mappings from up to 100 User-ID agents. The agents can be PAN-OS integrated User-ID agents that run on firewalls or Windows-based User-ID agents. On a firewall with multiple virtual systems, each virtual system can serve as a separate User-ID agent. The Log Collector can then redistribute the user mappings to firewalls or the Panorama management server.
The complete procedures to configure user mapping and user mapping redistribution require additional tasks besides connecting to User-ID agents.
To configure a Dedicated Log Collector to connect to a User-ID agent, Add one and configure the settings as described in the following table.
User-ID Agent Settings / Description
Name: Enter a name (up to 31 characters) to identify the User-ID agent. The name is case-sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens, and underscores.
  For a firewall serving as a User-ID agent, this field does not have to match the Collector Name field.
Host:
- Windows-based User-ID agent: Enter the IP address of the Windows host on which the User-ID agent is installed.
- Firewall (PAN-OS integrated User-ID agent): Enter the hostname or IP address of the interface that the firewall uses to redistribute user mappings.
Port: Enter the port number on which the User-ID agent will listen for User-ID requests. The default is port 5007 but you can specify any available port. Different User-ID agents can use different ports.
  Some earlier versions of the User-ID agent use port 2010 as the default.
Collector Name / Collector Pre-Shared Key / Confirm Collector Pre-Shared Key: The collector that these fields refer to is the User-ID agent, not the Log Collector. The fields apply only if the agent is a firewall or virtual system that redistributes user mappings to the Log Collector. Enter the Collector Name and Pre-Shared Key that identify the firewall or virtual system as a User-ID agent. You must enter the same values as you did when configuring the firewall or virtual system to serve as a User-ID agent (see Enable Redistribution of User Mappings Among Firewalls).
Enabled: Select to enable the Log Collector to communicate with the User-ID agent.
Connection Security
Panorama > Managed Collectors > Connection Security
Configure a certificate profile that the Log Collector uses to validate the certificate presented by Windows User-ID agents. The Log Collector uses the selected certificate profile to verify the identity of the User-ID agent by validating the server certificate presented by the agent.
Task / Description
User-ID Certificate Profile: From the drop-down, select the certificate profile used to authenticate with Windows User-ID agents or select New Certificate Profile to create one. Select None to remove the certificate profile.
Communication Settings
Panorama > Managed Collectors > Communication
To configure custom certificate-based authentication between Log Collectors and Panorama, firewalls, and other Log Collectors, configure the settings as described in the following table.
Communication Settings / Description
SSL/TLS Service Profile: Select an SSL/TLS service profile from the drop-down. This profile defines the certificate presented by the Log Collector and specifies the range of SSL/TLS versions acceptable for communication with the Log Collector.
Certificate Profile: Select a certificate profile from the drop-down. This certificate profile defines certificate revocation checking behavior and the root CA used to authenticate the certificate chain presented by the client.
Custom Certificate Only: When enabled, the Log Collector only accepts custom certificates for authentication with managed firewalls and Log Collectors.
Authorize Clients Based on Serial Number: The Log Collector authorizes client devices based on a hash of their serial number.
Check Authorization List: Client devices or device groups connecting to this Log Collector are checked against the authorization list.
Disconnect Wait Time (min): The amount of time the Log Collector waits before breaking the current connection with its managed devices. The Log Collector then reestablishes connections with its managed devices using the configured secure server communications settings. The wait time begins after the secure server communications configuration is committed.
Certificate Type: Select the type of device certificate (None, Local, or SCEP) used for securing communication.
None: If None is selected, no device certificate is configured and the secure client communication is not used. This is the default selection.
Local: The Log Collector uses a local device certificate and the corresponding private key generated on the Log Collector or imported from an existing enterprise PKI server.
- Certificate: Select the local device certificate. This certificate can be unique to the firewall (based on a hash of the Log Collector's serial number) or a common device certificate used by all Log Collectors connecting to Panorama.
- Certificate Profile: Select the Certificate Profile from the drop-down. This certificate profile is used for defining the server authentication with the Log Collector.
SCEP: The Log Collector uses a device certificate and private key generated by a Simple Certificate Enrollment Protocol (SCEP) server.
- SCEP Profile: Select a SCEP Profile from the drop-down.
- Certificate Profile: Select the Certificate Profile from the drop-down. This certificate profile is used for defining the server authentication with the Log Collector.
Check Server Identity: The client device confirms the server's identity by matching the common name (CN) with the server's IP address or FQDN.
Software Updates for Dedicated Log Collectors
Panorama > Managed Collectors
To install a software image on a Dedicated Log Collector, download or upload the image to Panorama (see Panorama > Device Deployment), click Install and complete the following fields.
Because the Panorama management server shares its operating system with the local default Log Collector, you upgrade both when installing a software update on the Panorama management server (see Panorama > Software).
For Dedicated Log Collectors, you can also select Panorama > Device Deployment > Software to install updates (see Manage Software and Content Updates).
To reduce traffic on the management (MGT) interface, you can configure Panorama to use a separate interface for deploying updates (see Panorama > Setup > Interfaces).
Fields to Install a Software Update on a Log Collector / Description
File: Select a downloaded or uploaded software image.
Devices: Select the Log Collectors on which to install the software. The dialog displays the following information for each Log Collector:
- Device Name: The name of the Dedicated Log Collector.
- Current Version: The Panorama software release currently installed on the Log Collector.
- HA Status: This column does not apply to Log Collectors. Dedicated Log Collectors do not support high availability.
Upload only to device (do not Install): Select to upload the software to the Log Collector without automatically rebooting it. The image is not installed until you manually reboot by logging in to the Log Collector CLI and running the request restart system operational command.
Reboot device after Install: Select to upload and automatically install the software. The installation process reboots the Log Collector.
Panorama > Collector Groups
Each Collector Group can have up to eight Log Collectors, to which you assign firewalls for forwarding logs. You can then use Panorama to query the Log Collectors for aggregated log viewing and investigation.
The predefined Collector Group named default contains the predefined Log Collector that is local to the Panorama management server.
Collector Group Configuration
Collector Group Information
Collector Group Configuration
To configure a Collector Group, click Add and complete the following fields.
Log Storage: Indicates the total storage quota for firewall logs that the Collector Group receives and the available space.
  Click the storage quota link to set the storage Quota (%) and expiration period (Max Days) for the following log types:
  - Detailed Firewall Logs: Includes all the log types in the Device > Setup > Logging and Reporting Settings, such as traffic, threat, HIP match, dynamically registered IP addresses (IP-tag), extended PCAPs, GTP and Tunnel, App Stats, and more.
  - Summary Firewall Logs: Includes all the summary logs included in Device > Setup > Logging and Reporting Settings, such as traffic summary, threat summary, URL summary, and GTP and tunnel summary.
  - Infrastructure and Audit Logs: Includes the config, system, User-ID and authentication logs.
  - Palo Alto Networks Platform Logs: Includes logs from Traps and other Palo Alto Networks products.
  - 3rd Party External Logs: Includes logs from other vendor integrations provided by Palo Alto Networks.
  To use the default settings, click Restore Defaults.
Min Retention Period (days): Enter the minimum log retention period in days (1-2,000) that Panorama maintains across all Log Collectors in the Collector Group. If the current date minus the date of the oldest log is less than the defined minimum retention period, Panorama generates a System log as an alert violation.
Collector Group Members: Add the Log Collectors that will be part of this Collector Group (up to eight). You can add any of the Log Collectors that are available in the Panorama > Managed Collectors page. All the Log Collectors for any particular Collector Group must be the same model: all M-100 appliances, all M-500 appliances, or all Panorama virtual appliances.
  After you add Log Collectors to an existing Collector Group, Panorama redistributes its existing logs across all the Log Collectors, which can take hours for each terabyte of logs. During the redistribution process, the maximum logging rate is reduced. In the Panorama > Collector Groups page, the Log Redistribution State column indicates the completion status of the process as a percentage.
Enable log redundancy across collectors: If you select this option, each log in the Collector Group will have two copies and each copy will reside on a different Log Collector. This redundancy ensures that, if any one Log Collector becomes unavailable, no logs are lost: you can see all the logs forwarded to the Collector Group and run reports for all the log data. Log redundancy is available only if the Collector Group has multiple Log Collectors and each Log Collector has the same number of disks.
  After you enable redundancy, Panorama redistributes the existing logs across all the Log Collectors, which can take hours for each terabyte of logs. During the redistribution process, the maximum logging rate is reduced. In the Panorama > Collector Groups page, the Log Redistribution State column indicates the completion status of the process as a percentage. All the Log Collectors for any particular Collector Group must be the same model: all M-100 appliances, all M-500 appliances, or all Panorama virtual appliances.
  Because enabling redundancy creates more logs, this configuration requires more storage capacity. Enabling redundancy doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives. (When a Collector Group runs out of space, it deletes older logs.)
Forward to all collectors in the preference list: (PA-5200 Series and PA-7000 Series firewalls only) Select to send logs to every Log Collector in the preference list. Panorama uses round-robin load balancing to select which Log Collector receives the logs at any given moment. This is disabled by default: firewalls send logs only to the first Log Collector in the list unless that Log Collector becomes unavailable (see Devices/Collectors).
Version: Specify the SNMP version for communication with the Panorama management server: V2c or V3.
  SNMP enables you to collect information about Log Collectors, including connection status, disk drive statistics, software version, average CPU usage, average logs/second, and storage duration per log type. SNMP information is available on a per-Collector Group basis.
Views (V3 only): Add a group of SNMP views and, in Views, enter a name for the group.
  Each view is a paired object identifier (OID) and bitwise mask: the OID specifies a management information base (MIB) and the mask (in hexadecimal format) specifies which SNMP objects are accessible within (include matching) or outside (exclude matching) that MIB.
  For each view in the group, Add the following settings:
  - View: Enter a name for a view.
  - OID: Enter the OID.
  - Option (include or exclude): Choose whether the view will exclude or include the OID.
  - Mask: Specify a mask value for a filter on the OID (for example, 0xf0).
Users (V3 only): Add the following settings for each SNMP user:
  - Users: Enter a username for authenticating the user to the SNMP manager.
  - View: Select a group of views for the user.
  - Authpwd: Enter a password for authenticating the user to the SNMP manager (minimum eight characters). Only Secure Hash Algorithm (SHA) is supported for encrypting the password.
  - Privpwd: Enter a privacy password for encrypting SNMP messages to the SNMP manager (minimum eight characters). Only Advanced Encryption Standard (AES) is supported.
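The include/exclude view matching described in the Views row, modeled as an added Python example (not Palo Alto Networks code). It follows the RFC 3415 view-tree semantics for OID, mask and include/exclude; that Panorama resolves overlapping views the same way is an assumption, and the sample view group and the OIDs it references are constructed.

```python
"""SNMPv3 view matching for a Collector Group view group (illustration).

Added example, not Palo Alto Networks code. It models the OID + mask +
include/exclude views using the view-tree semantics of RFC 3415
(vacmViewTreeFamilyTable); that Panorama resolves overlapping views the
same way is an assumption. The sample view group below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class View:
    name: str
    oid: str         # subtree in dotted form, e.g. "1.3.6.1.2.1"
    option: str      # "include" or "exclude"
    mask: str = ""   # hex mask such as "0xf0"; empty means "all bits set"


def parse_oid(oid: str) -> List[int]:
    """Split a dotted OID into its integer sub-identifiers."""
    return [int(part) for part in oid.strip(".").split(".") if part]


def mask_bits(mask: str, length: int) -> List[bool]:
    """Expand a hex mask into one flag per sub-identifier of the subtree.

    Bit i (most significant first) set means sub-identifier i of the
    subtree must match the target OID; a clear bit makes that position
    a wildcard. Bits beyond the end of the mask count as set, so an
    empty mask means "the whole subtree must match", as in RFC 3415.
    """
    hexpart = mask[2:] if mask.lower().startswith("0x") else mask
    bits: List[bool] = []
    for digit in hexpart:
        value = int(digit, 16)
        bits.extend(bool(value & (1 << (3 - i))) for i in range(4))
    bits.extend([True] * max(0, length - len(bits)))
    return bits[:length]


def subtree_matches(view: View, target: List[int]) -> bool:
    """True when the target OID lies under the view's masked subtree."""
    subtree = parse_oid(view.oid)
    if len(target) < len(subtree):
        return False
    bits = mask_bits(view.mask, len(subtree))
    return all(not must or t == s
               for must, t, s in zip(bits, target, subtree))


def is_accessible(views: List[View], oid: str) -> bool:
    """Decide whether an OID is visible through a group of views.

    When several views match, the most specific one wins (longest
    subtree, ties broken by the lexicographically greater subtree) and
    its include/exclude option decides. An OID matched by no view is
    hidden, which is why the group needs an explicit include view.
    """
    target = parse_oid(oid)
    best: Optional[View] = None
    for view in views:
        if not subtree_matches(view, target):
            continue
        if best is None:
            best = view
            continue
        cur, new = parse_oid(best.oid), parse_oid(view.oid)
        if (len(new), new) > (len(cur), cur):
            best = view
    return best is not None and best.option == "include"


# Constructed sample view group: expose mib-2, hide the interface table,
# then re-include only the row for interface index 2 by wildcarding the
# column sub-identifier (position 9 of the 11-element subtree). Mask
# 0xffa is 1111 1111 1010, so positions 0-8 and 10 must match.
SAMPLE_VIEWS = [
    View("mib2", "1.3.6.1.2.1", "include"),
    View("no-iftable", "1.3.6.1.2.1.2.2.1", "exclude"),
    View("if-index-2", "1.3.6.1.2.1.2.2.1.0.2", "include", "0xffa"),
]


def sample_decisions() -> Dict[str, bool]:
    """Apply the constructed view group to a few representative OIDs."""
    probes = {
        "sysName.0": "1.3.6.1.2.1.1.5.0",          # only mib2 matches
        "ifInOctets.3": "1.3.6.1.2.1.2.2.1.10.3",  # no-iftable wins
        "ifInOctets.2": "1.3.6.1.2.1.2.2.1.10.2",  # if-index-2 wins
        "outside-mib2": "1.3.6.1.4.1.1",           # no view matches
    }
    return {name: is_accessible(SAMPLE_VIEWS, oid)
            for name, oid in probes.items()}


if __name__ == "__main__":
    for name, allowed in sample_decisions().items():
        print(f"{name:14} {'accessible' if allowed else 'hidden'}")
```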
Collector Group Information
Collector Group Information / Description
Name: A name that identifies the Collector Group.
Redundancy Enabled: Indicates whether log redundancy is enabled for the Collector Group. You can enable log redundancy for a collector group after you complete or modify the Log Collector Configuration.
Collectors: The Log Collectors assigned to the Collector Group.
Log Redistribution State: Certain actions (for example, enabling log redundancy) will cause the Collector Group to redistribute the logs among its Log Collectors. This column indicates the completion status of the redistribution process as a percentage.
Panorama > Plugins
Plugins / Description
Upload: Allows you to upload a plugin installation file from a local directory. This does not install the plugin. After uploading the installation file, the Install link becomes active.
File Name: The plugin file name.
Version: The plugin version number.
Release date: The release date of this version of the plugin.
Size: The plugin file size.
Installed: Provides the current installation status of each plugin on Panorama.
Actions:
- Install: Installs the specified version of the plugin. Installing a new version of the plugin overwrites the previously installed version.
- Delete: Deletes the specified plugin file.
- Remove Config: Removes all configuration related to the plugin.
- Uninstall: Removes the current installation of the plugin. This does not remove the plugin file from Panorama. If you uninstall the plugin, you lose any configuration related to that plugin. Only use when completely removing the related configuration.
Panorama > VMware NSX
To automate the provisioning of a VM-Series NSX edition firewall, you must enable communication between the NSX Manager and Panorama. When Panorama registers the VM-Series firewall as a service on the NSX Manager, the NSX Manager has the configuration settings required to provision one or more instances of the VM-Series firewalls on each ESXi host in the cluster.
What do you want to know? See:
- How do I configure a Notify Group? Configure a Notify Group
- How do I define the configuration for the VM-Series NSX edition firewall? Create Service Definitions
- How do I configure Panorama to communicate with the NSX Manager? Configure Access to the NSX Manager
- How do I define steering rules for the VM-Series NSX edition firewall? Create Steering Rules
- How do I configure the firewall to consistently enforce policy in the dynamic vSphere environment? Select Objects > Address Groups and Policies > Security. To enable Panorama and the firewalls to learn about the changes in the virtual environment, use Dynamic Address Groups as source and destination address objects in Security policy pre-rules.
Configure a Notify Group
Panorama > Notify Group
Notify Group Settings / Description
Name: Enter a descriptive name for your notify group.
Create Service Definitions
Panorama > VMware NSX > Service Definitions
A service definition allows you to register the VM-Series firewall as a partner security service on the NSX Manager. You can define up to 32 service definitions on Panorama and synchronize them on the NSX Manager.
Typically, you will create one service definition for each tenant in an ESXi cluster. Each service definition specifies the OVF (PAN-OS version) used to deploy the firewall and includes the configuration for the VM-Series firewalls installed on the ESXi cluster. To specify the configuration, a service definition must have a unique template, a unique device group and the license auth codes for the firewalls that will be deployed using the service definition. When the firewall is deployed, it connects to Panorama and receives both its configuration settings, including the zone(s) for each tenant or department that the firewall will secure, and its policy settings from the device group specified in the service definition.
To add a new service definition, configure the settings as described in the following table.
Field / Description
Name: Enter the name for the service you want to display on the NSX Manager.
Description: (Optional) Enter a label to describe the purpose or function of this service definition.
Device Group: Select the device group or device group hierarchy to which these VM-Series firewalls will be assigned. For details, see Panorama > VMware NSX.
Template: Select the template to which the VM-Series firewalls will be assigned. For details, see Panorama > Templates.
  Each service definition must be assigned to a unique template or template stack.
  A template can have multiple zones (NSX Service Profile Zones for NSX) associated with it. For a single tenant deployment, create one zone (NSX Service Profile Zone) in the template. If you have a multi-tenant deployment, create a zone for each sub-tenant. When you create a new NSX Service Profile Zone, it is automatically attached to a pair of virtual wire subinterfaces. For more information, see Network > Zones.
VM-Series OVF URL: Enter the URL (IP address or hostname and path) where the NSX Manager can access the OVF file to provision new VM-Series firewalls.
Notify Groups: Select a notify group from the drop-down.
Configure Access to the NSX Manager
Panorama > VMware NSX > Service Managers
To enable Panorama to communicate with the NSX Manager, Add and configure the settings as described in the following table.
Service Managers / Description
Service Manager Name: Enter a name to identify the VM-Series firewall as a service. This name displays on the NSX Manager and is used to deploy the VM-Series firewall on demand. Supports up to 63 characters; use only letters, numbers, hyphens, and underscores.
Description: (Optional) Enter a label to describe the purpose or function of this service.
NSX Manager URL: Specify the URL that Panorama will use to establish a connection with the NSX Manager.
NSX Manager Login / NSX Manager Password / Confirm NSX Manager Password: Enter the authentication credentials (username and password) configured on the NSX Manager. Panorama uses these credentials to authenticate with the NSX Manager.
Service Definitions: Specify the service definitions associated with this service manager. Each service manager supports up to 32 service definitions.
After committing the changes to Panorama, the VMware Service Manager window displays the connection status between Panorama and the NSX Manager.
Sync Status / Description
Status: Displays the connection status between Panorama and the NSX Manager.
  A successful connection displays as Registered: Panorama and the NSX Manager are synchronized and the VM-Series firewall is registered as a service on the NSX Manager.
  For an unsuccessful connection, the status can be:
  - Connected Error: Unable to reach/establish a network connection with the NSX Manager.
  - Not authorized: The access credentials (username and/or password) are incorrect.
  - Unregistered: The service manager, service definition, or service profile is unavailable or was deleted on the NSX Manager.
  - Out of sync: The configuration settings defined on Panorama are different from what is defined on the NSX Manager. Click Out of sync for details on the reasons for failure. For example, NSX Manager may have a service definition with the same name as defined on Panorama. To fix the error, use the service definition name listed in the error message to validate the service definition on the NSX Manager. Until the configuration on Panorama and the NSX Manager is synchronized, you cannot add a new service definition on Panorama.
CreateSteeringRules
Panorama>VMwareNSX>SteeringRules
SteeringrulesdeterminewhattrafficfromwhichguestsintheclusterissteeredtotheVMSeriesfirewall.
Field Description
AutoGenerate Generatessteeringrulesbasedonasecurityrulethatisconfiguredasfollows:
SteeringRules BelongstoaparentorachilddevicegroupregisteredwithanNSXServiceManager.
Hasthesamezoneasthesourceanddestination(notanytoany).
Hasonlyonezone.
Hasnostaticaddressgroup,IPrange,ornetmaskconfiguredforthepolicy.
Bydefault,steeringrulesgeneratedthroughPanoramahavenoNSXServices
configuredandtheNSXTrafficDirectionissettoinout.Aftergeneratingsteeringrules,
youcanupdateindividualsteeringrulestochangetheNSXTrafficDirectionoraddNSX
Services.Panoramaautomaticallypopulatesthefollowingfields(exceptDescriptionand
NSXServices)whenyouautogeneratesteeringrules.
Name EnterthenameforthesteeringruleyouwanttodisplayontheNSXManager.When
autogenerated,Panoramaaddstheprefixauto_toeachsteeringruleandreplacesany
spaceinthesecuritypolicyrulenamewithanunderscore(_).
Description (Optional)Enteralabeltodescribethepurposeorfunctionofthisservicedefinition.
Field Description
NSX Traffic Direction    Specify the direction of the traffic that is redirected to the VM-Series firewall.
- inout: Creates an INOUT rule on NSX. Traffic of the specified type going between the source and the destination is redirected to the VM-Series firewall. Panorama uses this traffic direction for auto-generated steering rules.
- in: Creates an IN rule on NSX. Traffic of the specified type going to the source from the destination is redirected to the VM-Series firewall.
- out: Creates an OUT rule on NSX. Traffic of the specified type going from the source to the destination is redirected to the VM-Series firewall.
NSX Services    Select the application (Active Directory Server, HTTP, DNS, etc.) traffic to redirect to the VM-Series firewall.
Device Group    Select a device group from the drop-down. The chosen device group determines which security policies are applied to the steering rule. Device groups must be associated with an NSX service definition.
Security Policy    The security policy rule that the auto-generated steering rule is based on.
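The four eligibility conditions and the naming convention above are easy to misread when planning which security rules will produce steering rules. The following Python script is an added example, not Palo Alto Networks code and not Panorama's implementation: it models a handful of constructed security rules with an assumed representation (the SecurityRule dataclass and the address-object "kind" labels are illustrative, not PAN-OS types), applies the four conditions, and produces the steering rules Panorama is documented to generate, with the default inout direction and empty NSX Services.

```python
# Added example (not Palo Alto Networks code): models the four conditions Panorama
# applies when auto-generating NSX steering rules and the documented naming rule.
# SecurityRule and the address-object "kind" labels are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, List

# Address object kinds that disqualify a rule (assumed labels, not PAN-OS object types)
STATIC_KINDS = {"static-address-group", "ip-range", "ip-netmask"}


@dataclass
class SecurityRule:
    name: str
    device_group: str
    from_zones: List[str]
    to_zones: List[str]
    source: List[Dict[str, str]]       # each {"name": ..., "kind": ...}
    destination: List[Dict[str, str]]


def is_eligible(rule: SecurityRule, nsx_device_groups: set) -> bool:
    """True if Panorama would auto-generate a steering rule from this security rule."""
    # 1. Device group (parent or child) registered with an NSX Service Manager.
    if rule.device_group not in nsx_device_groups:
        return False
    # 2. Same zone as source and destination, and not any-to-any.
    if rule.from_zones != rule.to_zones or rule.from_zones == ["any"]:
        return False
    # 3. Only one zone.
    if len(rule.from_zones) != 1:
        return False
    # 4. No static address group, IP range, or netmask on the policy.
    for obj in rule.source + rule.destination:
        if obj.get("kind") in STATIC_KINDS:
            return False
    return True


def steering_rule_name(policy_name: str) -> str:
    """Prefix auto_ and replace spaces with underscores, as the page describes."""
    return "auto_" + policy_name.replace(" ", "_")


def autogenerate(rules: List[SecurityRule], nsx_device_groups: set) -> List[dict]:
    """Return the steering rules Panorama would create, populated with its defaults."""
    generated = []
    for rule in rules:
        if not is_eligible(rule, nsx_device_groups):
            continue
        generated.append({
            "name": steering_rule_name(rule.name),
            "nsx_traffic_direction": "inout",  # default for auto-generated rules
            "nsx_services": [],                # left empty; add per rule afterwards
            "device_group": rule.device_group,
            "security_policy": rule.name,
            "description": "",
        })
    return generated


# Constructed sample input: one eligible rule and three that each fail one condition.
SAMPLE_RULES = [
    SecurityRule("Allow Web Tier", "nsx-dg", ["web"], ["web"],
                 [{"name": "web-servers", "kind": "dynamic-address-group"}],
                 [{"name": "web-servers", "kind": "dynamic-address-group"}]),
    SecurityRule("Any Any", "nsx-dg", ["any"], ["any"], [], []),          # any-to-any
    SecurityRule("DB Subnet", "nsx-dg", ["db"], ["db"],
                 [{"name": "10.1.2.0/24", "kind": "ip-netmask"}], []),     # static netmask
    SecurityRule("Branch Rule", "branch-dg", ["lan"], ["lan"], [], []),   # DG not NSX-registered
]
NSX_DEVICE_GROUPS = {"nsx-dg"}

if __name__ == "__main__":
    for steering_rule in autogenerate(SAMPLE_RULES, NSX_DEVICE_GROUPS):
        print(steering_rule)
```

Running the script prints a single generated rule, auto_Allow_Web_Tier; the other three constructed rules are skipped for the reason noted in their comments.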
Panorama > Log Ingestion Profile

Use the log ingestion profile to enable Panorama to receive logs from external sources. In PAN-OS 8.0.0, Panorama (in Panorama mode) can serve as a Syslog receiver that can ingest logs from the Traps ESM server using Syslog. Support for new external log sources and updates for newer Traps ESM versions will be pushed through content updates.

To enable log ingestion, you must configure Panorama as a Syslog receiver on the Traps ESM server, define a log ingestion profile on Panorama, and attach the log ingestion profile to a Log Collector group.

To add a new external Syslog ingestion profile, Add a profile and configure the settings as described in the following table.

Field    Description
Name    Enter the name for the external Syslog ingestion profile. You can add up to 255 profiles.
Source Name    Enter the name or IP address of the external sources that will send logs. You can add up to 4 sources within a profile.
Port    Enter the port on which Panorama will be accessible over the network and will use to communicate and listen on. For Traps ESM, select a value in the range 23000-23999. You must configure the same port number on the Traps ESM to enable communication between Panorama and the ESM.
Transport    Select TCP, UDP, or SSL. If you select SSL, you must configure an inbound certificate for secure syslog communication in Panorama > Managed Collectors > General. Plain TCP and UDP syslog are neither encrypted nor authenticated, so prefer SSL wherever the path between the ESM and Panorama is not fully trusted.
External Log Type    Select the log type from the drop-down.
Version    Select the version from the drop-down.

Use Monitor > External Logs to view information on the logs ingested from the Traps ESM server into Panorama.
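Before pointing the Traps ESM at Panorama it is useful to confirm that the chosen port, transport and (for SSL) inbound certificate actually accept a message. The following Python client is an added example, not Palo Alto Networks or Traps code: it builds one RFC 5424 syslog message, frames it with RFC 6587 octet counting for stream transports, and sends it over TCP, UDP or SSL. The Panorama hostname, port and CA file are assumptions; with SSL the client verifies the listener against the CA that issued the inbound certificate configured under Panorama > Managed Collectors > General.

```python
# Added example (not Palo Alto Networks or Traps code): send one RFC 5424 syslog
# message to a Panorama log ingestion listener over TCP, UDP or SSL so the port,
# transport and certificate can be checked before the Traps ESM is configured.
# The hostname, port and CA file are assumptions.
import socket
import ssl
from datetime import datetime, timezone

PANORAMA_HOST = "panorama.example.internal"            # assumption
PANORAMA_PORT = 23123                                   # assumption; Traps ESM range is 23000-23999
PANORAMA_CA_FILE = "/etc/ssl/panorama-inbound-ca.pem"  # assumption: CA that issued the inbound cert
TRAPS_ESM_PORTS = range(23000, 24000)

# Constructed fixed timestamp so the formatted output is reproducible.
SAMPLE_TIMESTAMP = datetime(2017, 2, 6, 1, 2, 3, tzinfo=timezone.utc)


def port_in_traps_range(port: int) -> bool:
    """The page restricts Traps ESM ingestion to ports 23000-23999."""
    return port in TRAPS_ESM_PORTS


def build_syslog_message(hostname: str, app_name: str, msg: str,
                         facility: int = 1, severity: int = 6, timestamp=None) -> bytes:
    """Format an RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG (PRI = facility*8+severity)."""
    pri = facility * 8 + severity
    ts = (timestamp or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app_name} - - - {msg}".encode()


def frame_for_tcp(message: bytes) -> bytes:
    """RFC 6587 octet-counting framing: the receiver reads '<len> ' then exactly len bytes."""
    return f"{len(message)} ".encode() + message


def send_test_message(host: str, port: int, transport: str, message: bytes,
                      cafile: str = None, timeout: float = 5.0) -> None:
    """Deliver one message; transport is 'TCP', 'UDP' or 'SSL', as in the ingestion profile."""
    if not port_in_traps_range(port):
        raise ValueError(f"port {port} is outside the Traps ESM range 23000-23999")
    if transport == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(message, (host, port))   # UDP: no framing and no delivery guarantee
        return
    if transport not in ("TCP", "SSL"):
        raise ValueError("transport must be TCP, UDP or SSL")
    sock = socket.create_connection((host, port), timeout=timeout)
    if transport == "SSL":
        # Verify Panorama's inbound certificate against the configured CA; the default
        # context also checks that the certificate's name matches `host`.
        ctx = ssl.create_default_context(cafile=cafile)
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(frame_for_tcp(message))


if __name__ == "__main__":
    test_msg = build_syslog_message("esm01", "traps-esm", "ingestion test from Traps ESM")
    send_test_message(PANORAMA_HOST, PANORAMA_PORT, "SSL", test_msg, cafile=PANORAMA_CA_FILE)
```

After sending, check Monitor > External Logs on Panorama for the test entry; a TLS handshake failure with transport SSL usually means the inbound certificate's name does not match the hostname the ESM will use, or the CA file does not contain its issuer.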
Panorama > Log Settings

Use the Log Settings page to forward the following log types to external services:
- System, Configuration, User-ID, and Correlation logs that the Panorama management server (M-Series appliance or Panorama virtual appliance in Panorama mode) generates locally.
- Logs of all types that the Panorama virtual appliance in Legacy mode generates locally or collects from firewalls.

For the logs that firewalls send to Log Collectors, complete the Log Collector Configuration to enable forwarding to external services.

Before starting, you must define server profiles for the external services (see Device > Server Profiles > SNMP Trap, Device > Server Profiles > Syslog, Device > Server Profiles > Email, and Device > Server Profiles > HTTP). Then Add one or more match list profiles and configure the settings as described in the following table.

Match List Profile Settings    Description
Name    Enter a name (up to 31 characters) to identify the match list profile.
Description    Enter a description of up to 1,024 characters to explain the purpose of this match list profile.
SNMP    Add one or more SNMP Trap server profiles to forward logs as SNMP traps (see Device > Server Profiles > SNMP Trap).
Email    Add one or more Email server profiles to forward logs as email notifications (see Device > Server Profiles > Email).
Syslog    Add one or more Syslog server profiles to forward logs as syslog messages (see Device > Server Profiles > Syslog).
HTTP    Add one or more HTTP server profiles to forward logs as HTTP requests (see Device > Server Profiles > HTTP).
Built-in Actions    All log types except System logs and Configuration logs allow you to configure actions.
- Add an action and enter a name to describe it.
- Select the IP address you want to tag: Source Address or Destination Address.
- Select the action: Add Tag or Remove Tag.
- Select whether to distribute the tag to the local User-ID agent on this device or to a remote User-ID Agent.
- To distribute tags to a Remote device User-ID Agent, select the HTTP server profile that will enable forwarding.
- Enter or select the Tags you want to apply to or remove from the target source or destination IP address. In Correlation logs and HIP Match logs, you can tag the source IP address only.
Panorama > Scheduled Config Export

To schedule an export of all the running configurations on Panorama and firewalls, Add an export task and configure the settings as described in the following table.

If Panorama has a high availability (HA) configuration, you must perform these instructions on each peer to ensure the scheduled exports continue after a failover. Panorama does not synchronize scheduled configuration exports between HA peers.

Scheduled Configuration Export Settings    Description
Name    Enter a name to identify the configuration export job (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, hyphens, and underscores.
Description    Enter an optional description.
Enable    Select to enable the export job.
Scheduled export start time (daily)    Specify the time of day to start the export (24-hour clock, format HH:MM).
Protocol    Select the protocol to use to export the configurations from Panorama to a remote host. Secure Copy (SCP) is a secure protocol; FTP is not: the credentials and the exported configuration bundle, which contains sensitive settings, cross the network in cleartext.
Hostname    Enter the IP address or hostname of the target SCP or FTP server.
Port    Enter the port number on the target server.
Path    Specify the path to the folder or directory on the target server that will store the exported configuration.
For example, if the configuration bundle is stored in a folder called exported_config within a top-level folder called Panorama, the syntax for each server type is:
- SCP server: /Panorama/exported_config
- FTP server: //Panorama/exported_config
Enable FTP Passive Mode    Select to use FTP passive mode.
Username    Specify the username required to access the target system.
Password/Confirm Password    Specify the password required to access the target system.
Test SCP server connection    Select to test communication between Panorama and the SCP host/server.
To enable the secure transfer of data, you must verify and accept the host key of the SCP server. The connection is not established until the host key is accepted. If Panorama has an HA configuration, you must perform this verification on each HA peer so that each one accepts the host key of the SCP server.
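Accepting the host key in "Test SCP server connection" is only meaningful if the fingerprint Panorama shows is compared with one obtained out of band; accepting whatever is presented pins an attacker's key as readily as the real one. The following Python script is an added example, not Panorama's own code: it queries the export server with ssh-keyscan, derives the same SHA256 fingerprint that ssh-keygen -lf prints, and compares it with a value supplied by the server's owner, which is what an administrator should hold in hand before clicking accept on each HA peer. The host, port and pinned fingerprint are assumptions, and the sample key blob is constructed.

```python
# Added example (not Panorama's own code): verify the SCP export server's host key
# out of band before accepting it in Panorama's "Test SCP server connection".
# Host, port and the pinned fingerprint are assumptions.
import base64
import hashlib
import subprocess

SCP_HOST = "backup.example.internal"                                   # assumption
SCP_PORT = 22                                                          # assumption
PINNED_FINGERPRINT = "SHA256:replace-with-value-from-the-server-owner"  # assumption


def parse_keyscan_line(line: str):
    """Split one ssh-keyscan output line: '<host> <key-type> <base64 key>'."""
    parts = line.strip().split()
    if len(parts) < 3 or parts[0].startswith("#"):
        raise ValueError(f"not a host key line: {line!r}")
    return parts[0], parts[1], parts[2]


def openssh_fingerprint(key_b64: str) -> str:
    """Same value 'ssh-keygen -lf' prints: SHA256 of the raw key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(keyscan_line: str, pinned: str) -> str:
    """Return the fingerprint if it matches the pinned value, otherwise raise."""
    host, key_type, key_b64 = parse_keyscan_line(keyscan_line)
    fingerprint = openssh_fingerprint(key_b64)
    if fingerprint != pinned:
        raise RuntimeError(f"{host} {key_type} fingerprint {fingerprint} does not match pinned {pinned}")
    return fingerprint


def scan_and_check(host: str = SCP_HOST, port: int = SCP_PORT,
                   key_type: str = "ed25519", pinned: str = PINNED_FINGERPRINT) -> str:
    """Query the live server with ssh-keyscan (needs network access) and verify its key."""
    output = subprocess.run(
        ["ssh-keyscan", "-p", str(port), "-t", key_type, host],
        capture_output=True, text=True, check=True,
    ).stdout
    key_lines = [ln for ln in output.splitlines() if ln and not ln.startswith("#")]
    if not key_lines:
        raise RuntimeError(f"no {key_type} host key returned by {host}")
    return check_host_key(key_lines[0], pinned)


# Constructed sample: an ed25519-shaped blob with all-zero key bytes, not a real host key.
SAMPLE_KEY_B64 = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43
SAMPLE_KEYSCAN_LINE = f"{SCP_HOST} ssh-ed25519 {SAMPLE_KEY_B64}"

if __name__ == "__main__":
    print(scan_and_check())
```

Run the script from a host on a different network path than Panorama if possible; a fingerprint that matches from one vantage point but not another is the classic sign of an interposed SSH endpoint. The same pinned value should match what each HA peer displays when it performs its own host key verification.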
Panorama > Software

Use this page to manage Panorama software updates on the Panorama management server.
- Manage Panorama Software Updates
- Display Panorama Software Update Information

Manage Panorama Software Updates

By default, the Panorama management server saves up to two software updates. To make space for newer updates, the server automatically deletes the oldest update. You can change the number of software images that Panorama saves and manually delete images to free up space.

Refer to Install Content and Software Updates for Panorama for important information about version compatibility.

Task    Description
Upload    To upload a software image when Panorama does not have access to the Internet, use a browser to visit the Software Update site, locate the desired release and download the software image to a computer that Panorama can access, select Panorama > Software, click Upload, Browse to and select the software image, and click OK. When the upload is complete, the Available column displays Uploaded.
Download    If Panorama has access to the Internet, Download (Action column) the desired release. When the download is complete, the Available column displays Downloaded.
Install    Install (Action column) the software image. When the installation finishes, Panorama logs you out while it reboots.
Panorama periodically performs a file system integrity check (FSCK) to prevent corruption of the Panorama system files. This check occurs after eight reboots or at a reboot that occurs 90 days after the last FSCK. A warning appears in the web interface and SSH login screens if an FSCK is in progress, and you cannot log in until it completes. The time to complete this process varies by storage system size; for a large system, it can take several hours before you can log back in to Panorama. To view progress, set up console access to Panorama.
Delete    Deletes a software image when no longer needed or when you want to free up space for more images.

Display Panorama Software Update Information

Software and Content Update Information    Description
Version    The Panorama software version.
Size    The size in megabytes of the software image.
Release Date    The date and time when Palo Alto Networks made the update available.
Available    Indicates whether the image is available for installation.
Currently Installed    A check mark indicates the update that is currently installed.
Action    Indicates the actions (Download, Install, or Reinstall) that are available for an image.
Delete    Deletes an update when no longer needed or to free up space for more downloads or uploads.
Panorama > Device Deployment

You can use Panorama to deploy software and content updates to multiple firewalls and Log Collectors and to manage firewall licenses.

What are you looking for?    See:
Deploy software and content updates to firewalls and Log Collectors.    Manage Software and Content Updates
See which software and content updates are installed or available for download and installation.    Display Software and Content Update Information
Schedule automatic content updates for firewalls and Log Collectors.    Schedule Dynamic Content Updates
View, activate, deactivate, and refresh licenses. See the status of firewall licenses.    Manage Firewall Licenses
Manage Software and Content Updates
Panorama > Device Deployment > Software

Panorama provides the following options for deploying software and content updates to firewalls and Log Collectors.

To reduce traffic on the management (MGT) interface, you can configure Panorama to use a separate interface for deploying updates (see Panorama > Setup > Interfaces).

Panorama Device Deployment Options    Description
Download    To deploy a software or content update when Panorama is connected to the Internet, Download the update. When the download finishes, the Available column displays Downloaded. You can then:
- Install the PAN-OS/Panorama software update or content update.
- Activate the GlobalProtect Client (GlobalProtect agent/app) or SSL-VPN Client software update.
Upgrade    If a BrightCloud URL Filtering content update is available, click Upgrade. After a successful upgrade, you can Install the update on firewalls.
Install    After you Download or Upload a PAN-OS software, Panorama software, or content update, click Install in the Action column and select:
- Devices: Select the firewalls or Log Collectors on which to install the update. If the list is long, use the Filters. Select Group HA Peers to group firewalls that are high availability (HA) peers. This enables you to easily identify firewalls that have an HA configuration. To display only specific firewalls or Log Collectors, select them and then Filter Selected.
- Upload only to device (software only): Select to load the software without automatically installing it. You must manually install the software.
- Reboot device after install (software only): Select to specify that the installation process automatically reboots the firewalls or Log Collectors. The installation cannot finish until a reboot occurs.
- Disable new apps in content update (Applications and Threats only): Select to disable applications in the update that are new relative to the last installed update. This protects against the latest threats while giving you the flexibility to enable applications after preparing any policy updates. Then, to enable applications, log in to the firewall, select Device > Dynamic Updates, click Apps in the Features column to display the new applications, and click Enable/Disable for each application you want to enable.
You can also select Panorama > Managed Devices to install Firewall Software and Content Updates, or Panorama > Managed Collectors to install Software Updates for Dedicated Log Collectors.
Activate    After you Download or Upload a GlobalProtect Client (GlobalProtect agent/app) software update, click Activate in the Action column and select the options as follows:
- Devices: Select the firewalls on which to activate the update. If the list is long, use the Filters. Select Group HA Peers to group firewalls that are high availability (HA) peers. This enables you to easily identify firewalls that have an HA configuration. To display only specific firewalls, select them and then Filter Selected.
- Upload only to device: Select if you don't want PAN-OS to automatically activate the uploaded image. You must log in to the firewall and activate it.
Documentation    Click Documentation to access the release notes for the desired content release.
Delete    Deletes software or content updates when no longer needed or when you want to free up space for more downloads or uploads.
Upload    To deploy a software or content update when Panorama is not connected to the Internet, download the update to your computer from the Software Updates or Dynamic Updates site, select the Panorama > Device Deployment page that corresponds to the update type, click Upload, select the update Type (content updates only), select the uploaded file, and click OK. The steps to then install or activate the update depend on the type:
- PAN-OS or Panorama software: When the upload is complete, the Available column displays Uploaded. You can then install the software update.
- GlobalProtect Client or SSL-VPN Client software: Activate from file.
- Dynamic updates: Install from file.
Activate from File    After you upload a GlobalProtect Client (GlobalProtect agent/app) software update, click Activate from File, select the filename of the update, and select the firewalls.
Schedules    Select to Schedule Dynamic Content Updates.
Display Software and Content Update Information
Panorama > Device Deployment > Software

Select Panorama > Device Deployment > Software to display PAN-OS Software, GlobalProtect Client software, and Dynamic Updates (content) that are currently installed or available for download and installation. The Dynamic Updates page organizes the information by content type (Antivirus, Applications and Threats, URL Filtering, and WildFire) and indicates the date and time of the last check for updated information. To display the latest software or content information from Palo Alto Networks, click Check Now.

Software and Content Update Information    Description
Version    The software or content update version.
File Name    The name of the update file.
Platform    The designated firewall or Log Collector model for the update. A number indicates a hardware firewall model (for example, 7000 indicates the PA-7000 Series firewall), vm indicates the VM-Series firewall, and m indicates the M-Series appliance.
Features    (Content only) Lists the type of signatures the content version might include.
Type    (Content only) Indicates whether the download includes a full database update or an incremental update.
Size    The size of the update file.
Release Date    The date and time when Palo Alto Networks made the update available.
Available    (PAN-OS or Panorama software only) Indicates that the update is downloaded or uploaded.
Downloaded    (SSL-VPN Client software, GlobalProtect Client software, or content only) A check mark indicates that the update is downloaded.
Action    Indicates the action you can perform on the update: Download, Upgrade, Install, or Activate.
Documentation    (Content only) Provides a link to the release notes for the desired content release.
Release Notes    (Software only) Provides a link to the release notes for the desired software release.
Delete    Deletes an update when no longer needed or when you want to free up space for more downloads or uploads.
Schedule Dynamic Content Updates
Panorama > Device Deployment > Dynamic Updates

To schedule an automatic download and installation of an update, click Schedules, click Add, and configure the settings as described in the following table.

Dynamic Update Schedule Settings    Description
Name    Enter a name to identify the scheduled job (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, hyphens, and underscores.
Disabled    Select to disable the scheduled job.
Recurrence    Select the interval at which Panorama checks in with the update server. The recurrence options vary by update type.
Time    For a Daily update, select the Time from the 24-hour clock. For a Weekly update, select the Day of week and the Time from the 24-hour clock.
Disable new apps in content update    You can disable new apps in content updates only if you set the update Type to App or App and Threat and only if Action is set to Download and Install. Select to disable applications in the update that are new relative to the last installed update. This protects against the latest threats while giving you the flexibility to enable the applications after preparing any policy updates. Then, to enable applications, log in to the firewall, select Device > Dynamic Updates, click Apps in the Features column to display the new applications, and click Enable/Disable for each application you want to enable.
Devices    Select Devices and then select the firewalls that will receive scheduled content updates.
Manage Firewall Licenses
Panorama > Device Deployment > Licenses

Select Panorama > Device Deployment > Licenses to perform the following tasks:
- Update licenses of firewalls that don't have direct internet access: Click Refresh.
- Activate a license on firewalls: Click Activate, select the firewalls and, in the Auth Code column, enter the authorization codes that Palo Alto Networks provided for the firewalls.
- Deactivate all the licenses and subscriptions/entitlements installed on VM-Series firewalls: Click Deactivate VMs, select the firewalls (the list displays only firewalls running PAN-OS 7.0 or later releases), and click:
  - Continue: Deactivates the licenses and automatically registers the changes with the licensing server. The licenses are credited back to your account and are available for reuse.
  - Complete Manually: Generates a token file. Use this if Panorama does not have direct Internet access. To complete the deactivation process, you must log in to the Support portal, select Assets, click Deactivate License(s), upload the token file, and click Submit. After you complete the deactivation process.

You can also view the current license status for managed firewalls. For firewalls that have direct internet access, Panorama automatically performs a daily check-in with the licensing server, retrieves license updates and renewals, and pushes them to the firewalls. The check-in is hard-coded to occur between 1 and 2 A.M.; you cannot change this schedule.

Firewall License Information    Description
Device    The firewall name.
Support
GlobalProtect Gateway
GlobalProtect Portal
WildFire