Transcription of Palo Alto Networks Administrator’s Guide - Altaware
1 Palo Alto NetworksAdministrator s GuideRelease Alto Networks , 2007-2015 Palo Alto Networks . All rights reserved. Palo Alto Networks , PAN-OS, and Panorama are trademarks of Palo Alto Networks , Inc. All other trademarks are the property of their respective 810-000107-00 DPalo Alto Networks 3 Preface .. 13 About This Guide .. 13 Organization.. 13 Typographical Conventions.. 15 Notes and Cautions .. 15 Related Documentation .. 15 chapter 1 Introduction .. 17 Firewall Overview.. 17 Features and Benefits .. 18 Management Interfaces .. 19 chapter 2 Getting Started .. 21 Preparing the Firewall .. 21 Setting Up the Firewall .. 22 Using the Firewall Web Interface.. 23 Committing Changes .. 25 Navigating to Configuration Pages .. 26 Using Tables on Configuration Pages .. 26 Required Fields .. 26 Locking Transactions .. 27 Supported Browsers .. 27 Getting Help Configuring the Firewall.
2 28 Obtaining More Information .. 28 Technical Support .. 28 chapter 3 Device Management.. 29 System Setup, Configuration, and License Management .. 30 Defining Management Settings .. 30 Defining Operations Settings .. 37 Defining Services Settings .. 41 Table of Contents4 Palo Alto NetworksDefining Content ID Settings .. 43 Defining Session Settings .. 45 SNMP .. 47 Statistics Service .. 48 Comparing Configuration Files .. 49 Installing a License.. 50 Upgrading/Downgrading the PAN-OS Software .. 50 Upgrading PAN-OS in a High Availability Configuration .. 51 Downgrading PAN-OS Software .. 53 Maintenance Release Downgrade .. 53 Feature release Downgrade .. 54 Updating Threat and Application Definitions .. 55 Administrator Roles, Profiles, and Accounts.. 56 Username and Password Requirements.. 57 Defining Administrator Roles .. 58 Defining Password Profiles.
3 59 Creating Administrative Accounts .. 59 Specifying Access Domains for Administrators .. 61 Authentication Profiles.. 62 Setting Up Authentication Profiles .. 62 Creating a Local User Database.. 64 Configuring RADIUS Server Settings .. 65 Configuring LDAP Server Settings .. 66 Configuring Kerberos Settings (Native Active Directory Authentication) .. 67 Authentication Sequence .. 67 Setting Up Authentication Sequences .. 68 Firewall Logs .. 68 Logging Configuration .. 70 Scheduling Log Exports .. 71 Defining Configuration Log Settings .. 72 Defining System Log Settings .. 72 Defining HIP Match Log Settings .. 73 Defining Alarm Log Settings .. 73 Managing Log Settings .. 74 Configuring SNMP Trap Destinations .. 75 Configuring Syslog Servers .. 76 Custom Syslog Field Descriptions.. 77 Configuring Email Notification Settings.. 83 Viewing Alarms.
4 85 Configuring Netflow Settings .. 85 Importing, Exporting and Generating Security Certificates .. 86 Certificates .. 86 Default Trusted Certificate Authorities .. 88 Certificate Profile .. 89 OCSP Responder .. 90 Encrypting Private Keys and Passwords on the Firewall .. 90 Master Key and Diagnostic Settings .. 91 Updating Master Keys.. 91 High Availability .. 93 Active/Passive HA .. 93 Active/Active HA .. 93 Palo Alto Networks 5 Packet Flow .. 94 Deployment Options .. 95 NAT Considerations .. 96 Setting Up HA .. 99 Enabling HA on the Firewall .. 101 Virtual Systems .. 110 Communications Among Virtual Systems .. 111 Shared Gateways .. 112 Defining Virtual Systems .. 113 Configuring Shared Gateways .. 115 Defining Custom Response Pages .. 115 Viewing Support Information .. 117 chapter 4 network Configuration .. 119 Firewall Deployment.
5 120 Virtual Wire Deployments .. 120 Layer 2 Deployments .. 124 Layer 3 Deployments .. 124 Tap Mode Deployments .. 125 Defining Virtual Wires .. 125 Packet Content Modification.. 126 Firewall Interfaces .. 127 Viewing the Current Interfaces .. 128 Configuring Layer 2 Interfaces.. 128 Configuring Layer 2 Subinterfaces.. 129 Configuring Layer 3 Interfaces.. 130 Configuring Layer 3 Subinterfaces.. 134 Configuring Virtual Wire Interfaces .. 138 Configuring Virtual Wire Subinterfaces .. 139 Configuring Aggregate Interface Groups .. 141 Configuring Aggregate Ethernet Interfaces .. 142 Configuring VLAN Interfaces .. 143 Configuring Loopback Interfaces .. 146 Configuring Tunnel Interfaces .. 147 Configuring Tap Interfaces .. 149 Configuring HA Interfaces .. 150 Security Zones .. 151 Defining Security Zones .. 151 VLAN Support .. 152 Virtual Routers and routing Protocols.
6 153 routing Information Protocol.. 153 Open Shortest Path First .. 153 Border Gateway Protocol .. 154 Multicast routing .. 154 Defining Virtual Routers .. 155 DHCP Server and Relay .. 171 DNS Proxy.. 1736 Palo Alto NetworksNetwork Profiles .. 174 Defining Interface Management Profiles.. 175 Defining Monitor Profiles .. 177 Defining Zone Protection Profiles .. 178 chapter 5 Policies and Security Profiles .. 183 Policies.. 183 Guidelines on Defining Policies .. 184 Specifying Users and Applications for Policies .. 186 Security Policies .. 187 Defining Security Policies.. 187 NAT Policies .. 190 Determining Zone Configuration in NAT and Security Policy .. 193 NAT Rule Options .. 193 Defining network Address Translation Policies .. 194 NAT Policy Examples .. 195 NAT64 .. 196 Policy-Based Forwarding Policies .. 199 Decryption Policies .. 202 Application Override Policies.
7 205 Custom Application Definition with Application Override .. 205 Defining Application Override Policies .. 205 Captive Portal Policies .. 206 Defining Captive Portal Policies .. 207 DoS Protection Policies .. 209 Defining DoS Protection Policies .. 209 Security Profiles .. 211 Antivirus Profiles .. 212 Anti-spyware Profiles .. 213 Vulnerability Protection Profiles .. 215 URL Filtering Profiles .. 217 File Blocking Profiles .. 220 Data Filtering Profiles .. 223 DoS Profiles .. 225 Other Policy Objects .. 226 Addresses and Address Groups .. 227 Defining Address Ranges .. 227 Defining Address Groups .. 230 Defining Regions .. 230 Applications and Application Groups .. 231 Defining Applications.. 233 Custom Applications with Signatures .. 236 Defining Application Groups .. 238 Application Filters .. 238 Services .. 239 Service Groups.
8 240 Data Patterns .. 240 Custom URL Categories .. 242 Dynamic Block Lists .. 242 Palo Alto Networks 7 Custom Spyware and Vulnerability Signatures .. 243 Defining Data Patterns .. 243 Defining Spyware and Vulnerability Signatures .. 244 Security Profile Groups .. 246 Log Forwarding .. 247 Decryption Profiles .. 248 Schedules .. 250 chapter 6 Reports and Logs .. 251 Using the Dashboard .. 252 Using the Application Command Center .. 253 Using App-Scope .. 256 Summary Report.. 257 Change Monitor Report .. 258 Threat Monitor Report .. 259 Threat Map Report.. 260 network Monitor Report.. 261 Traffic Map Report .. 263 Viewing the Logs .. 264 Viewing Session Information.. 267 Working with Botnet Reports .. 267 Configuring the Botnet Report .. 268 Managing Botnet Reports.. 269 Managing PDF Summary Reports .. 270 Managing User Activity Reports .. 272 Managing Report Groups.
9 272 Scheduling Reports for Email Delivery .. 273 Viewing Reports .. 273 Generating Custom Reports .. 274 Identifying Unknown Applications and Taking Action .. 276 Taking Action .. 277 Requesting an App-ID from Palo Alto Networks .. 277 Other Unknown Traffic .. 278 Taking Packet Captures .. 278 chapter 7 Configuring the Firewall for User Identification .. 281 Overview of User Identification .. 281 How User Identification Works .. 281 Identifying Users and Groups .. 282 How User-ID Components Interact .. 283 User-ID Agent .. 283 PAN-OS User Mapping .. 283 Terminal Services Agent .. 283 PAN-OS LDAP Group Query .. 2848 Palo Alto NetworksUser Identification Agents .. 284 Captive Portals .. 285 Configuring the Firewall for User Identification .. 286 PAN-OS User Mapping Configuration .. 291 Configuring PAN-OS User Mapping .. 292 Configure a Firewall to Share User Mapping Data.
10 295 Setting Up the User-ID Agent .. 296 Installing the User-ID Agent .. 297 Configuring the User-ID Agent .. 298 Discovering Domain Controllers .. 301 Monitoring User-ID Agent Operation .. 301 Uninstalling and Upgrading the User-ID Agent.. 301 Setting Up the Terminal Services Agent .. 301 Installing or Upgrading the Terminal Server Agent on the Terminal Server . 302 Configuring the Terminal Server Agent on the Terminal Server .. 303 Uninstalling the Terminal Server Agent on the Terminal Server .. 307 chapter 8 Configuring IPSec Tunnels .. 309 Virtual Private Networks .. 310 VPN Tunnels .. 311 IPSec and IKE .. 311 IPSec and IKE Crypto Profiles .. 312 Setting Up IPSec VPNs .. 313 Defining IKE Gateways .. 314 Setting Up IPSec Tunnels .. 315 Defining IKE Crypto Profiles .. 318 Defining IPSec Crypto Profiles .. 319 Viewing IPSec Tunnel Status on the Firewall.
