Transcription of Palo Alto Networks Administrator’s Guide
1 Palo Alto NetworksAdministrator s GuideRelease Alto Networks , 2007-2015 Palo Alto Networks . All rights reserved. Palo Alto Networks , PAN-OS, and Panorama are trademarks of Palo Alto Networks , Inc. All other trademarks are the property of their respective 810-000107-00 DPalo Alto Networks 3 Preface .. 13 About This Guide .. 13 Organization.. 13 Typographical Conventions.. 15 Notes and Cautions .. 15 Related Documentation .. 15 Chapter 1 Introduction .. 17 Firewall Overview.. 17 Features and Benefits .. 18 Management Interfaces .. 19 Chapter 2 Getting Started.
2 21 Preparing the Firewall .. 21 Setting Up the Firewall .. 22 Using the Firewall Web Interface.. 23 Committing Changes .. 25 Navigating to Configuration Pages .. 26 Using Tables on Configuration Pages .. 26 Required Fields .. 26 Locking Transactions .. 27 Supported Browsers .. 27 Getting Help Configuring the Firewall .. 28 Obtaining More Information .. 28 Technical Support .. 28 Chapter 3 Device Management.. 29 System Setup, Configuration, and License Management .. 30 Defining Management Settings .. 30 Defining Operations Settings.
3 37 Defining Services Settings .. 41 Table of Contents4 Palo Alto NetworksDefining Content ID Settings .. 43 Defining Session Settings .. 45 SNMP .. 47 Statistics Service .. 48 Comparing Configuration Files .. 49 Installing a License.. 50 Upgrading/Downgrading the PAN-OS Software .. 50 Upgrading PAN-OS in a High Availability Configuration .. 51 Downgrading PAN-OS Software .. 53 maintenance Release Downgrade .. 53 Feature release Downgrade .. 54 Updating Threat and Application Definitions .. 55 Administrator Roles, Profiles, and Accounts.
4 56 Username and Password Requirements.. 57 Defining Administrator Roles .. 58 Defining Password Profiles .. 59 Creating Administrative Accounts .. 59 Specifying Access Domains for Administrators .. 61 Authentication Profiles.. 62 Setting Up Authentication Profiles .. 62 Creating a Local User Database.. 64 Configuring RADIUS Server Settings .. 65 Configuring LDAP Server Settings .. 66 Configuring Kerberos Settings (Native Active Directory Authentication) .. 67 Authentication Sequence .. 67 Setting Up Authentication Sequences .. 68 Firewall Logs.
5 68 Logging Configuration .. 70 Scheduling Log Exports .. 71 Defining Configuration Log Settings .. 72 Defining System Log Settings .. 72 Defining HIP Match Log Settings .. 73 Defining Alarm Log Settings .. 73 Managing Log Settings .. 74 Configuring SNMP Trap Destinations .. 75 Configuring Syslog Servers .. 76 Custom Syslog Field Descriptions.. 77 Configuring Email Notification Settings.. 83 Viewing Alarms .. 85 Configuring Netflow Settings .. 85 Importing, Exporting and Generating Security Certificates .. 86 Certificates .. 86 Default Trusted Certificate Authorities.
6 88 Certificate Profile .. 89 OCSP Responder .. 90 Encrypting Private Keys and Passwords on the Firewall .. 90 Master Key and Diagnostic Settings .. 91 Updating Master Keys.. 91 High Availability .. 93 Active/Passive HA .. 93 Active/Active HA .. 93 Palo Alto Networks 5 Packet Flow .. 94 Deployment Options .. 95 NAT Considerations .. 96 Setting Up HA .. 99 Enabling HA on the Firewall .. 101 Virtual Systems .. 110 Communications Among Virtual Systems .. 111 Shared Gateways .. 112 Defining Virtual Systems.
7 113 Configuring Shared Gateways .. 115 Defining Custom Response Pages .. 115 Viewing Support Information .. 117 Chapter 4 Network Configuration .. 119 Firewall Deployment .. 120 Virtual Wire Deployments .. 120 Layer 2 Deployments .. 124 Layer 3 Deployments .. 124 Tap Mode Deployments .. 125 Defining Virtual Wires .. 125 Packet Content Modification.. 126 Firewall Interfaces .. 127 Viewing the Current Interfaces .. 128 Configuring Layer 2 Interfaces.. 128 Configuring Layer 2 Subinterfaces.. 129 Configuring Layer 3 Interfaces.
8 130 Configuring Layer 3 Subinterfaces.. 134 Configuring Virtual Wire Interfaces .. 138 Configuring Virtual Wire Subinterfaces .. 139 Configuring Aggregate Interface Groups .. 141 Configuring Aggregate Ethernet Interfaces .. 142 Configuring VLAN Interfaces .. 143 Configuring Loopback Interfaces .. 146 Configuring Tunnel Interfaces .. 147 Configuring Tap Interfaces .. 149 Configuring HA Interfaces .. 150 Security Zones .. 151 Defining Security Zones .. 151 VLAN Support .. 152 Virtual Routers and Routing Protocols .. 153 Routing Information Protocol.
9 153 Open Shortest Path First .. 153 Border Gateway Protocol .. 154 Multicast Routing.. 154 Defining Virtual Routers .. 155 DHCP Server and Relay .. 171 DNS Proxy.. 1736 Palo Alto NetworksNetwork Profiles .. 174 Defining Interface Management Profiles.. 175 Defining Monitor Profiles .. 177 Defining Zone Protection Profiles .. 178 Chapter 5 Policies and Security Profiles .. 183 Policies.. 183 Guidelines on Defining Policies .. 184 Specifying Users and Applications for Policies .. 186 Security Policies .. 187 Defining Security Policies.
10 187 NAT Policies .. 190 Determining Zone Configuration in NAT and Security Policy .. 193 NAT Rule Options .. 193 Defining Network Address Translation Policies .. 194 NAT Policy Examples .. 195 NAT64 .. 196 Policy-Based Forwarding Policies .. 199 Decryption Policies .. 202 Application Override Policies .. 205 Custom Application Definition with Application Override .. 205 Defining Application Override Policies .. 205 Captive Portal Policies .. 206 Defining Captive Portal Policies .. 207 DoS Protection Policies .. 209 Defining DoS Protection Policies.
