
PAN-OS

Administrator's
Guide
Version 7.1

Contact Information

Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-us

About this Guide

This guide takes you through the configuration and maintenance of your Palo Alto Networks next-generation firewall. For additional information, refer to the following resources:

For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or search the documentation.

For access to the knowledge base and community forums, refer to https://live.paloaltonetworks.com.

For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.

For the most current PAN-OS and Panorama 7.1 release notes, go to https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os-release-notes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Revision Date: October 21, 2016

2 PAN-OS 7.1 Administrator's Guide Palo Alto Networks, Inc.
Table of Contents

Getting Started ..... 17
  Integrate the Firewall into Your Management Network ..... 18
    Determine Your Management Strategy ..... 18
    Perform Initial Configuration ..... 19
    Set Up Network Access for External Services ..... 23
  Register the Firewall ..... 28
  Activate Licenses and Subscriptions ..... 29
  Install Content and Software Updates ..... 31
  Segment Your Network Using Interfaces and Zones ..... 35
    Network Segmentation for a Reduced Attack Surface ..... 35
    Configure Interfaces and Zones ..... 36
  Set Up a Basic Security Policy ..... 39
  Assess Network Traffic ..... 43
  Enable Basic Threat Prevention Features ..... 45
    Enable Basic WildFire Forwarding ..... 45
    Scan Traffic for Threats ..... 47
    Control Access to Web Content ..... 51
    Enable AutoFocus Threat Intelligence ..... 54
  Best Practices for Completing the Firewall Deployment ..... 56

Firewall Administration ..... 57
  Management Interfaces ..... 58
  Use the Web Interface ..... 59
    Launch the Web Interface ..... 59
    Configure Banners, Message of the Day, and Logos ..... 60
    Use the Administrator Login Activity Indicators to Detect Account Misuse ..... 62
    Manage and Monitor Administrative Tasks ..... 64
    Commit, Validate, and Preview Firewall Configuration Changes ..... 64
    Use Global Find to Search the Firewall or Panorama Management Server ..... 66
    Manage Locks for Restricting Configuration Changes ..... 67
  Manage Configuration Backups ..... 69
    Back Up a Configuration ..... 69
    Restore a Configuration ..... 70
  Manage Firewall Administrators ..... 72
    Administrative Roles ..... 72
    Administrative Authentication ..... 73
    Configure Administrative Accounts and Authentication ..... 74
    Configure an Administrative Account ..... 74
    Configure Kerberos SSO and External or Local Authentication for Administrators ..... 75
    Configure Certificate-Based Administrator Authentication to the Web Interface ..... 76
    Configure SSH Key-Based Administrator Authentication to the CLI ..... 78
    Configure RADIUS Vendor-Specific Attributes for Administrator Authentication ..... 78


  Reference: Web Interface Administrator Access ..... 80
    Web Interface Access Privileges ..... 80
    Panorama Web Interface Access Privileges ..... 122
  Reference: Port Number Usage ..... 125
    Ports Used for Management Functions ..... 125
    Ports Used for HA ..... 126
    Ports Used for Panorama ..... 126
    Ports Used for GlobalProtect ..... 127
    Ports Used for User-ID ..... 128
  Reset the Firewall to Factory Default Settings ..... 130
  Bootstrap the Firewall ..... 131
    USB Flash Drive Support ..... 131
    Sample init-cfg.txt Files ..... 132
    Prepare a USB Flash Drive for Bootstrapping a Firewall ..... 133
    Bootstrap a Firewall Using a USB Flash Drive ..... 136

Authentication ..... 139
  Configure an Authentication Profile and Sequence ..... 140
  Configure Kerberos Single Sign-On ..... 143
  Configure Local Database Authentication ..... 144
  Configure External Authentication ..... 145
    Configure Authentication Server Profiles ..... 145
    Configure a RADIUS Server Profile ..... 145
    RADIUS Vendor-Specific Attributes Support ..... 146
    Configure a TACACS+ Server Profile ..... 147
    Configure an LDAP Server Profile ..... 148
    Configure a Kerberos Server Profile ..... 150
    Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers ..... 150
    Enable External Authentication for Users and Services ..... 151
  Test Authentication Server Connectivity ..... 152
    Run the Test Authentication Command ..... 152
    Test a Local Database Authentication Profile ..... 153
    Test a RADIUS Authentication Profile ..... 154
    Test a TACACS+ Authentication Profile ..... 156
    Test an LDAP Authentication Profile ..... 157
    Test a Kerberos Authentication Profile ..... 158
  Troubleshoot Authentication Issues ..... 160

Certificate Management ..... 161
  Keys and Certificates ..... 162
  Certificate Revocation ..... 164
    Certificate Revocation List (CRL) ..... 164
    Online Certificate Status Protocol (OCSP) ..... 165
  Certificate Deployment ..... 166
  Set Up Verification for Certificate Revocation Status ..... 167
    Configure an OCSP Responder ..... 167
    Configure Revocation Status Verification of Certificates ..... 168
    Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption ..... 168


  Configure the Master Key ..... 170
  Obtain Certificates ..... 171
    Create a Self-Signed Root CA Certificate ..... 171
    Generate a Certificate ..... 172
    Import a Certificate and Private Key ..... 173
    Obtain a Certificate from an External CA ..... 174
  Export a Certificate and Private Key ..... 176
  Configure a Certificate Profile ..... 177
  Configure an SSL/TLS Service Profile ..... 179
  Replace the Certificate for Inbound Management Traffic ..... 180
  Configure the Key Size for SSL Forward Proxy Server Certificates ..... 181
  Revoke and Renew Certificates ..... 182
    Revoke a Certificate ..... 182
    Renew a Certificate ..... 182
  Secure Keys with a Hardware Security Module ..... 183
    Set Up Connectivity with an HSM ..... 183
    Encrypt a Master Key Using an HSM ..... 188
    Store Private Keys on an HSM ..... 189
    Manage the HSM Deployment ..... 190

High Availability ..... 191
  HA Overview ..... 192
  HA Concepts ..... 193
    HA Modes ..... 193
    HA Links and Backup Links ..... 194
    Device Priority and Preemption ..... 197
    Failover ..... 197
    LACP and LLDP Pre-Negotiation for Active/Passive HA ..... 198
    Floating IP Address and Virtual MAC Address ..... 198
    ARP Load-Sharing ..... 200
    Route-Based Redundancy ..... 202
    HA Timers ..... 202
    Session Owner ..... 205
    Session Setup ..... 205
    NAT in Active/Active HA Mode ..... 207
    ECMP in Active/Active HA Mode ..... 208
  Set Up Active/Passive HA ..... 209
    Prerequisites for Active/Passive HA ..... 209
    Configuration Guidelines for Active/Passive HA ..... 210
    Configure Active/Passive HA ..... 212
    Define HA Failover Conditions ..... 217
    Verify Failover ..... 218
  Set Up Active/Active HA ..... 219
    Prerequisites for Active/Active HA ..... 219
    Configure Active/Active HA ..... 220
    Determine Your Active/Active Use Case ..... 225
    Use Case: Configure A/A HA with Route-Based Redundancy ..... 226
    Use Case: Configure A/A HA with Floating IP Addresses ..... 227


    Use Case: Configure A/A HA with ARP Load-Sharing ..... 228
    Use Case: Configure A/A HA with Floating IP Address Bound to A-P Firewall ..... 229
    Use Case: Configure A/A HA with Source DIPP NAT Using Floating IP Addresses ..... 233
    Use Case: Configure Separate Source NAT IP Address Pools for A/A HA Firewalls ..... 236
    Use Case: Configure A/A HA for ARP Load-Sharing with Destination NAT ..... 237
    Use Case: Configure A/A HA for ARP Load-Sharing with Destination NAT in Layer 3 ..... 240
  HA Firewall States ..... 243
  Reference: HA Synchronization ..... 245
    What Settings Don't Sync in Active/Passive HA? ..... 245
    What Settings Don't Sync in Active/Active HA? ..... 247
    Synchronization of System Runtime Information ..... 249

Monitoring ..... 251
  Use the Dashboard ..... 252
  Use the Application Command Center ..... 253
    ACC First Look ..... 254
    ACC Tabs ..... 255
    ACC Widgets ..... 256
    Widget Descriptions ..... 257
    ACC Filters ..... 261
    Interact with the ACC ..... 262
    Use Case: ACC Path of Information Discovery ..... 265
  App Scope ..... 272
    Summary Report ..... 273
    Change Monitor Report ..... 274
    Threat Monitor Report ..... 275
    Threat Map Report ..... 276
    Network Monitor Report ..... 277
    Traffic Map Report ..... 278
  Use the Automated Correlation Engine ..... 279
    Automated Correlation Engine Concepts ..... 279
    View the Correlated Objects ..... 280
    Interpret Correlated Events ..... 281
    Use the Compromised Hosts Widget in the ACC ..... 283
  Take Packet Captures ..... 284
    Types of Packet Captures ..... 284
    Disable Hardware Offload ..... 285
    Take a Custom Packet Capture ..... 286
    Take a Threat Packet Capture ..... 290
    Take an Application Packet Capture ..... 291
    Take a Packet Capture on the Management Interface ..... 294
  Monitor Applications and Threats ..... 296
  Monitor and Manage Logs ..... 297
    Log Types and Severity Levels ..... 297
    Work with Logs ..... 301
    Configure Log Storage Quotas and Expiration Periods ..... 307
    Schedule Log Exports to an SCP or FTP Server ..... 307


  Manage Reporting ..... 309
    Report Types ..... 309
    View Reports ..... 310
    Configure the Report Expiration Period ..... 310
    Disable Predefined Reports ..... 311
    Custom Reports ..... 311
    Generate Custom Reports ..... 314
    Generate Botnet Reports ..... 316
    Generate the SaaS Application Usage Report ..... 318
    Manage PDF Summary Reports ..... 320
    Generate User/Group Activity Reports ..... 321
    Manage Report Groups ..... 323
    Schedule Reports for Email Delivery ..... 324
  Use External Services for Monitoring ..... 325
  Configure Log Forwarding ..... 326
  Configure Email Alerts ..... 329
  Use Syslog for Monitoring ..... 330
    Configure Syslog Monitoring ..... 330
    Syslog Field Descriptions ..... 332
  SNMP Monitoring and Traps ..... 348
    SNMP Support ..... 348
    Use an SNMP Manager to Explore MIBs and Objects ..... 349
    Enable SNMP Services for Firewall-Secured Network Elements ..... 353
    Monitor Statistics Using SNMP ..... 353
    Forward Traps to an SNMP Manager ..... 355
    Supported MIBs ..... 357
  NetFlow Monitoring ..... 364
    Configure NetFlow Exports ..... 364
    NetFlow Templates ..... 365
  Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors ..... 369

User-ID ..... 371
  User-ID Overview ..... 372
  User-ID Concepts ..... 374
    Group Mapping ..... 374
    User Mapping ..... 374
  Enable User-ID ..... 378
  Map Users to Groups ..... 382
  Map IP Addresses to Users ..... 385
    Create a Dedicated Service Account for the User-ID Agent ..... 386
    Configure User Mapping Using the Windows User-ID Agent ..... 389
    Configure User Mapping Using the PAN-OS Integrated User-ID Agent ..... 396
    Configure User-ID to Receive User Mappings from a Syslog Sender ..... 398
    Map IP Addresses to Usernames Using Captive Portal ..... 406
    Configure User Mapping for Terminal Server Users ..... 412
    Send User Mappings to User-ID Using the XML API ..... 419
  Enable User- and Group-Based Policy ..... 420


  Enable Policy for Users with Multiple Accounts ..... 421
  Verify the User-ID Configuration ..... 423
  Deploy User-ID in a Large-Scale Network ..... 425
    Deploy User-ID for Numerous Mapping Information Sources ..... 425
    Configure Firewalls to Redistribute User Mapping Information ..... 429

App-ID ..... 435
  App-ID Overview ..... 436
  Manage Custom or Unknown Applications ..... 437
  Manage New App-IDs Introduced in Content Releases ..... 438
    Review New App-IDs ..... 438
    Review New App-IDs Since Last Content Version ..... 439
    Review New App-ID Impact on Existing Policy Rules ..... 440
    Disable or Enable App-IDs ..... 441
    Prepare Policy Updates for Pending App-IDs ..... 442
  Use Application Objects in Policy ..... 444
    Create an Application Group ..... 444
    Create an Application Filter ..... 445
    Create a Custom Application ..... 446
  Applications with Implicit Support ..... 451
  Application Level Gateways ..... 454
  Disable the SIP Application-level Gateway (ALG) ..... 455

Threat Prevention ..... 457
  Set Up Security Profiles and Policies ..... 458
    Set Up Antivirus, Anti-Spyware, and Vulnerability Protection ..... 458
    Set Up Data Filtering ..... 461
    Set Up File Blocking ..... 464
  Prevent Brute Force Attacks ..... 466
  Customize the Action and Trigger Conditions for a Brute Force Signature ..... 467
  Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions ..... 470
  Enable DNS Proxy ..... 475
  Enable Passive DNS Collection for Improved Threat Intelligence ..... 478
  Use DNS Queries to Identify Infected Hosts on the Network ..... 479
    DNS Sinkholing ..... 479
    Configure DNS Sinkholing for a List of Custom Domains ..... 481
    Configure the Sinkhole IP Address to a Local Server on Your Network ..... 483
    Identify Infected Hosts ..... 487
  DoS Protection Against Flooding of New Sessions ..... 489
    Multiple-Session DoS Attack ..... 489
    Single-Session DoS Attack ..... 492
    Configure DoS Protection Against Flooding of New Sessions ..... 492
    Use the CLI to End a Single Attacking Session ..... 495
    Identify Sessions That Use an Excessive Percentage of the Packet Buffer ..... 495
    Discard a Session Without a Commit ..... 498
  Content Delivery Network Infrastructure for Dynamic Updates ..... 499
  Threat Prevention Resources ..... 501


Decryption ..... 503
  Decryption Overview ..... 504
  Decryption Concepts ..... 505
    Keys and Certificates for Decryption Policies ..... 505
    SSL Forward Proxy ..... 506
    SSL Inbound Inspection ..... 507
    SSH Proxy ..... 508
    Decryption Exceptions ..... 509
    Decryption Mirroring ..... 510
  Define Traffic to Decrypt ..... 511
    Create a Decryption Profile ..... 511
    Create a Decryption Policy Rule ..... 513
  Configure SSL Forward Proxy ..... 515
  Configure SSL Inbound Inspection ..... 519
  Configure SSH Proxy ..... 521
  Configure Decryption Exceptions ..... 522
    Exclude Traffic from Decryption ..... 522
    Exclude a Server from Decryption ..... 523
  Enable Users to Opt Out of SSL Decryption ..... 524
  Configure Decryption Port Mirroring ..... 526
  Temporarily Disable SSL Decryption ..... 528

URL Filtering ..... 529
  URL Filtering Overview ..... 530
    URL Filtering Vendors ..... 530
    Interaction Between App-ID and URL Categories ..... 531
    PAN-DB Private Cloud ..... 531
  URL Filtering Concepts ..... 534
    URL Categories ..... 534
    URL Filtering Profile ..... 536
    URL Filtering Profile Actions ..... 536
    Block and Allow Lists ..... 537
    External Dynamic List for URLs ..... 538
    Safe Search Enforcement ..... 538
    Container Pages ..... 540
    HTTP Header Logging ..... 540
    URL Filtering Response Pages ..... 540
    URL Category as Policy Match Criteria ..... 542
  PAN-DB Categorization ..... 544
    PAN-DB URL Categorization Components ..... 544
    PAN-DB URL Categorization Workflow ..... 545
  Enable a URL Filtering Vendor ..... 547
    Enable PAN-DB URL Filtering ..... 547
    Enable BrightCloud URL Filtering ..... 548
  Determine URL Filtering Policy Requirements ..... 551
  Use an External Dynamic List in a URL Filtering Profile ..... 553


  Monitor Web Activity ..... 555
    Monitor Web Activity of Network Users ..... 555
    View the User Activity Report ..... 557
    Configure Custom URL Filtering Reports ..... 559
  Configure URL Filtering ..... 560
  Customize the URL Filtering Response Pages ..... 562
  Configure URL Admin Override ..... 563
  Enable Safe Search Enforcement ..... 565
    Block Search Results that are not Using Strict Safe Search Settings ..... 565
    Enable Transparent Safe Search Enforcement ..... 568
  Set Up the PAN-DB Private Cloud ..... 572
    Configure the PAN-DB Private Cloud ..... 572
    Configure the Firewalls to Access the PAN-DB Private Cloud ..... 577
  URL Filtering Use Case Examples ..... 578
    Use Case: Control Web Access ..... 578
    Use Case: Use URL Categories for Policy Matching ..... 582
  Troubleshoot URL Filtering ..... 584
    Problems Activating PAN-DB ..... 584
    PAN-DB Cloud Connectivity Issues ..... 585
    URLs Classified as Not-Resolved ..... 586
    Incorrect Categorization ..... 586
    URL Database Out of Date ..... 587

Quality of Service ..... 589
  QoS Overview ..... 590
  QoS Concepts ..... 592
    QoS for Applications and Users ..... 592
    QoS Policy ..... 592
    QoS Profile ..... 593
    QoS Classes ..... 593
    QoS Priority Queuing ..... 594
    QoS Bandwidth Management ..... 594
    QoS Egress Interface ..... 595
    QoS for Clear Text and Tunneled Traffic ..... 595
  Configure QoS ..... 596
  Configure QoS for a Virtual System ..... 601
  Enforce QoS Based on DSCP Classification ..... 606
  QoS Use Cases ..... 609
    Use Case: QoS for a Single User ..... 609
    Use Case: QoS for Voice and Video Applications ..... 611

VPNs ..... 615
  VPN Deployments ..... 616
  Site-to-Site VPN Overview ..... 617
  Site-to-Site VPN Concepts ..... 618
    IKE Gateway ..... 618
    Tunnel Interface ..... 618


    Tunnel Monitoring ..... 619
    Internet Key Exchange (IKE) for VPN ..... 620
    IKEv2 ..... 622
  Set Up Site-to-Site VPN ..... 626
    Set Up an IKE Gateway ..... 626
    Define Cryptographic Profiles ..... 632
    Set Up an IPSec Tunnel ..... 635
    Set Up Tunnel Monitoring ..... 638
    Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel ..... 639
    Test VPN Connectivity ..... 641
    Interpret VPN Error Messages ..... 642
  Site-to-Site VPN Quick Configs ..... 643
    Site-to-Site VPN with Static Routing ..... 643
    Site-to-Site VPN with OSPF ..... 647
    Site-to-Site VPN with Static and Dynamic Routing ..... 653

LargeScaleVPN(LSVPN)............................................659
LSVPNOverview................................................................. 660
CreateInterfacesandZonesfortheLSVPN.......................................... 661
EnableSSLBetweenGlobalProtectLSVPNComponents .............................. 663
AboutCertificateDeployment.................................................. 663
DeployServerCertificatestotheGlobalProtectLSVPNComponents................ 663
DeployClientCertificatestotheGlobalProtectSatellitesUsingSCEP ............... 666
ConfigurethePortaltoAuthenticateSatellites ....................................... 669
ConfigureGlobalProtectGatewaysforLSVPN....................................... 671
PrerequisiteTasks ............................................................ 671
ConfiguretheGateway ........................................................ 671
ConfiguretheGlobalProtectPortalforLSVPN ....................................... 674
PrerequisiteTasks ............................................................ 674
ConfigurethePortal .......................................................... 674
DefinetheSatelliteConfigurations.............................................. 675
PreparetheSatellitetoJointheLSVPN ............................................. 679
VerifytheLSVPNConfiguration.................................................... 681
LSVPNQuickConfigs ............................................................. 682
BasicLSVPNConfigurationwithStaticRouting ...................................... 683
AdvancedLSVPNConfigurationwithDynamicRouting ............................... 686
AdvancedLSVPNConfigurationwithiBGP.......................................... 689

Networking ................................................................... 695
    Interface Deployments .................................................... 696
        Virtual Wire Deployments ............................................. 696
        Layer 2 Deployments .................................................. 699
        Layer 3 Deployments .................................................. 699
        Tap Mode Deployments ................................................. 700
    Configure an Aggregate Interface Group ................................... 702
    Use Interface Management Profiles to Restrict Access ..................... 705


    Virtual Routers .......................................................... 707
    Static Routes ............................................................ 709
    RIP ...................................................................... 711
    OSPF ..................................................................... 713
        OSPF Concepts ........................................................ 713
        Configure OSPF ....................................................... 715
        Configure OSPFv3 ..................................................... 719
        Configure OSPF Graceful Restart ...................................... 722
        Confirm OSPF Operation ............................................... 723
    BGP ...................................................................... 725
    Session Settings and Timeouts ............................................ 730
        Transport Layer Sessions ............................................. 730
        TCP .................................................................. 730
        UDP .................................................................. 735
        ICMP ................................................................. 735
        Configure Session Timeouts ........................................... 736
        Configure Session Settings ........................................... 738
        Prevent TCP Split Handshake Session Establishment .................... 740
    DHCP ..................................................................... 742
        DHCP Overview ........................................................ 742
        Firewall as a DHCP Server and Client ................................. 743
        DHCP Messages ........................................................ 743
        DHCP Addressing ...................................................... 744
        DHCP Options ......................................................... 746
        Configure an Interface as a DHCP Server .............................. 748
        Configure an Interface as a DHCP Client .............................. 752
        Configure the Management Interface as a DHCP Client .................. 753
        Configure an Interface as a DHCP Relay Agent ......................... 755
        Monitor and Troubleshoot DHCP ........................................ 755
    DNS ...................................................................... 757
        DNS Overview ......................................................... 757
        DNS Proxy Object ..................................................... 758
        DNS Server Profile ................................................... 759
        Multi-Tenant DNS Deployments ......................................... 759
        Configure a DNS Proxy Object ......................................... 760
        Configure a DNS Server Profile ....................................... 762
        Use Case 1: Firewall Requires DNS Resolution for Management Purposes . 763
        Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System ... 764
        Use Case 3: Firewall Acts as DNS Proxy Between Client and Server ..... 766
        Reference: DNS Proxy Rule and FQDN Matching .......................... 768
    NAT ...................................................................... 772
        NAT Policy Rules ..................................................... 772
        Source NAT and Destination NAT ....................................... 775
        NAT Rule Capacities .................................................. 776
        Dynamic IP and Port NAT Oversubscription ............................. 776
        Dataplane NAT Memory Statistics ...................................... 778
        Configure NAT ........................................................ 779
        NAT Configuration Examples ........................................... 786


    NPTv6 .................................................................... 794
        NPTv6 Overview ....................................................... 794
        How NPTv6 Works ...................................................... 796
        NDP Proxy ............................................................ 797
        NPTv6 and NDP Proxy Example .......................................... 799
        Create an NPTv6 Policy ............................................... 800
    ECMP ..................................................................... 803
        ECMP Load Balancing Algorithms ....................................... 803
        ECMP Platform, Interface, and IP Routing Support ..................... 804
        Configure ECMP on a Virtual Router ................................... 805
        Enable ECMP for Multiple BGP Autonomous Systems ...................... 806
        Verify ECMP .......................................................... 808
    LLDP ..................................................................... 809
        LLDP Overview ........................................................ 809
        Supported TLVs in LLDP ............................................... 810
        LLDP Syslog Messages and SNMP Traps .................................. 811
        Configure LLDP ....................................................... 812
        View LLDP Settings and Status ........................................ 814
        Clear LLDP Statistics ................................................ 815
    BFD ...................................................................... 816
        BFD Overview ......................................................... 816
        Configure BFD ........................................................ 819
    Reference: BFD Details ................................................... 826

Policy ....................................................................... 829
    Policy Types ............................................................. 830
    Security Policy .......................................................... 831
        Components of a Security Policy Rule ................................. 831
        Security Policy Actions .............................................. 834
        Create a Security Policy Rule ........................................ 834
    Policy Objects ........................................................... 837
    Security Profiles ........................................................ 838
        Antivirus Profiles ................................................... 839
        Anti-Spyware Profiles ................................................ 839
        Vulnerability Protection Profiles .................................... 840
        URL Filtering Profiles ............................................... 840
        Data Filtering Profiles .............................................. 841
        File Blocking Profiles ............................................... 842
        WildFire Analysis Profiles ........................................... 842
        DoS Protection Profiles .............................................. 842
        Zone Protection Profiles ............................................. 843
        Security Profile Group ............................................... 843
    Best Practice Internet Gateway Security Policy ........................... 847
        What Is a Best Practice Internet Gateway Security Policy? ............ 847
        Why Do I Need a Best Practice Internet Gateway Security Policy? ...... 849
        How Do I Deploy a Best Practice Internet Gateway Security Policy? .... 850
        Identify Whitelist Applications ...................................... 851
        Create User Groups for Access to Whitelist Applications .............. 854
        Decrypt Traffic for Full Visibility and Threat Inspection ............ 854


        Create Best Practice Security Profiles ............................... 856
        Define the Initial Internet Gateway Security Policy .................. 860
        Monitor and Fine Tune the Policy Rulebase ............................ 868
        Remove the Temporary Rules ........................................... 869
        Maintain the Rulebase ................................................ 870
    Enumeration of Rules Within a Rulebase ................................... 871
    Move or Clone a Policy Rule or Object to a Different Virtual System ...... 872
    Use Tags to Group and Visually Distinguish Objects ....................... 873
        Create and Apply Tags ................................................ 873
        Modify Tags .......................................................... 874
        Use the Tag Browser .................................................. 874
    Use an External Dynamic List in Policy ................................... 879
        External Dynamic List ................................................ 879
        Formatting Guidelines for an External Dynamic List ................... 880
        Enforce Policy on Entries in an External Dynamic List ................ 881
        View the List of Entries in an External Dynamic List ................. 884
        Retrieve an External Dynamic List from the Web Server ................ 885
    Register IP Addresses and Tags Dynamically ............................... 886
    Monitor Changes in the Virtual Environment ............................... 887
        Enable VM Monitoring to Track Changes on the Virtual Network ......... 887
        Attributes Monitored in the AWS and VMware Environments .............. 889
        Use Dynamic Address Groups in Policy ................................. 890
    CLI Commands for Dynamic IP Addresses and Tags ........................... 893
    Identify Users Connected through a Proxy Server .......................... 895
        Use XFF Values for Policies and Logging Source Users ................. 895
        Add XFF Values to URL Filtering Logs ................................. 896
    Policy-Based Forwarding .................................................. 897
        PBF .................................................................. 897
        Create a Policy-Based Forwarding Rule ................................ 900
        Use Case: PBF for Outbound Access with Dual ISPs ..................... 902

Virtual Systems .............................................................. 909
    Virtual Systems Overview ................................................. 910
        Virtual System Components and Segmentation ........................... 910
        Benefits of Virtual Systems .......................................... 911
        Use Cases for Virtual Systems ........................................ 911
        Platform Support and Licensing for Virtual Systems ................... 912
        Administrative Roles for Virtual Systems ............................. 912
        Shared Objects for Virtual Systems ................................... 912
    Communication Between Virtual Systems .................................... 913
        Inter-VSYS Traffic That Must Leave the Firewall ...................... 913
        Inter-VSYS Traffic That Remains Within the Firewall .................. 914
        Inter-VSYS Communication Uses Two Sessions ........................... 916
    Shared Gateway ........................................................... 917
        External Zones and Shared Gateway .................................... 917
        Networking Considerations for a Shared Gateway ....................... 918


    Service Routes for Virtual Systems ....................................... 919
        Use Cases for Service Routes for a Virtual System .................... 919
        PA-7000 Series Firewall LPC Support for Per-Virtual System Paths to Logging Servers ... 920
    Configure Virtual Systems ................................................ 921
    Configure Inter-Virtual System Communication within the Firewall ......... 924
    Configure a Shared Gateway ............................................... 925
    Customize Service Routes for a Virtual System ............................ 926
        Customize Service Routes to Services for Virtual Systems ............. 926
        Configure a PA-7000 Series Firewall for Logging Per Virtual System ... 928
        Configure Administrative Access Per Virtual System or Firewall ....... 929
    Virtual System Functionality with Other Features ......................... 931

Certifications ............................................................... 933
    Enable FIPS and Common Criteria Support .................................. 934
    FIPS-CC Security Functions ............................................... 935

Getting Started

The following topics provide detailed steps to help you deploy a new Palo Alto Networks next-generation firewall. They provide details for integrating a new firewall into your network, registering the firewall, activating licenses and subscriptions, and configuring basic security policies and threat prevention features. After you perform the basic configuration steps required to integrate the firewall into your network, you can use the rest of the topics in this guide to help you deploy the comprehensive security platform features as necessary to address your network security needs.

• Integrate the Firewall into Your Management Network
• Register the Firewall
• Activate Licenses and Subscriptions
• Install Content and Software Updates
• Segment Your Network Using Interfaces and Zones
• Set Up a Basic Security Policy
• Assess Network Traffic
• Enable Basic Threat Prevention Features
• Best Practices for Completing the Firewall Deployment


Integrate the Firewall into Your Management Network

All Palo Alto Networks firewalls provide an out-of-band management port (MGT) that you can use to perform the firewall administration functions. By using the MGT port, you separate the management functions of the firewall from the data processing functions, safeguarding access to the firewall and enhancing performance. When using the web interface, you must perform all initial configuration tasks from the MGT port even if you plan to use an in-band data port for managing your firewall going forward.

Some management tasks, such as retrieving licenses and updating the threat and application signatures on the firewall, require access to the Internet. If you do not want to enable external access to your MGT port, you will need to either set up an in-band data port to provide access to required external services (using service routes) or plan to manually upload updates regularly.

The following topics describe how to perform the initial configuration steps that are necessary to integrate a new firewall into the management network and deploy it in a basic security configuration.

• Determine Your Management Strategy
• Perform Initial Configuration
• Set Up Network Access for External Services

The following topics describe how to integrate a single Palo Alto Networks next-generation firewall into your network. However, for redundancy, consider deploying a pair of firewalls in a High Availability configuration.

Determine Your Management Strategy

The Palo Alto Networks firewall can be configured and managed locally, or it can be managed centrally using Panorama, the Palo Alto Networks centralized security management system. If you have six or more firewalls deployed in your network, use Panorama to achieve the following benefits:

• Reduce the complexity and administrative overhead in managing configuration, policies, software and dynamic content updates. Using device groups and templates on Panorama, you can effectively manage firewall-specific configuration locally on a firewall and enforce shared policies across all firewalls or device groups.
• Aggregate data from all managed firewalls and gain visibility across all the traffic on your network. The Application Command Center (ACC) on Panorama provides a single glass pane for unified reporting across all the firewalls, allowing you to centrally analyze, investigate and report on network traffic, security incidents and administrative modifications.

The procedures that follow describe how to manage the firewall using the local web interface. If you want to use Panorama for centralized management, first Perform Initial Configuration and verify that the firewall can establish a connection to Panorama. From that point on you can use Panorama to configure your firewall centrally.


Perform Initial Configuration

By default, the firewall has an IP address of 192.168.1.1 and a username/password of admin/admin. For security reasons, you must change these settings before continuing with other firewall configuration tasks. You must perform these initial configuration tasks either from the MGT interface, even if you do not plan to use this interface for your firewall management, or using a direct serial connection to the console port on the firewall.

Set Up Network Access to the Firewall

Step 1  Gather the required information from your network administrator.
        • IP address for MGT port
        • Netmask
        • Default gateway
        • DNS server address

Step 2  Connect your computer to the firewall.
        You can connect to the firewall in one of the following ways:
        • Connect a serial cable from your computer to the Console port and connect to the firewall using terminal emulation software (9600-8-N-1). Wait a few minutes for the boot-up sequence to complete; when the firewall is ready, the prompt changes to the name of the firewall, for example PA-500 login.
        • Connect an RJ-45 Ethernet cable from your computer to the MGT port on the firewall. From a browser, go to https://192.168.1.1. Note that you may need to change the IP address on your computer to an address in the 192.168.1.0/24 network, such as 192.168.1.2, in order to access this URL.

Step 3  When prompted, log in to the firewall.
        You must log in using the default username and password (admin/admin). The firewall will begin to initialize.

Step 4  Configure the MGT interface.
        1. Select Device > Setup > Management and edit the Management Interface Settings.
        2. Configure the address settings for the MGT interface using one of the following methods:
           • To configure static IP address settings for the MGT interface, set the IP Type to Static and enter the IP Address, Netmask, and Default Gateway.
           • To dynamically configure the MGT interface address settings, set the IP Type to DHCP. To use this method, you must Configure the Management Interface as a DHCP Client.
           To prevent unauthorized access to the management interface, it is a best practice to Add the Permitted IP Addresses from which an administrator can access the MGT interface.
        3. Set the Speed to auto-negotiate.
        4. Select which management services to allow on the interface.
           Make sure Telnet and HTTP are not selected because these services use plaintext and are not as secure as the other services and could compromise administrator credentials.
        5. Click OK.


Step 5  Configure DNS, update server, and proxy server settings.
        You must manually configure at least one DNS server on the firewall or it will not be able to resolve hostnames; it will not use DNS server settings from another source, such as an ISP.
        1. Select Device > Setup > Services.
           • For multi-virtual system platforms, select Global and edit the Services section.
           • For single virtual system platforms, edit the Services section.
        2. On the Services tab, for DNS, click one of the following:
           • Servers: Enter the Primary DNS Server address and Secondary DNS Server address.
           • DNS Proxy Object: From the drop-down, select the DNS Proxy that you want to use to configure global DNS services, or click DNS Proxy to configure a new DNS proxy object.
        3. Click OK.

Step 6  Configure date and time (NTP) settings.
        1. Select Device > Setup > Services.
           • For multi-virtual system platforms, select Global and edit the Services section.
           • For single virtual system platforms, edit the Services section.
        2. On the NTP tab, to use the virtual cluster of time servers on the Internet, enter the hostname pool.ntp.org as the Primary NTP Server or enter the IP address of your primary NTP server.
        3. (Optional) Enter a Secondary NTP Server address.
        4. (Optional) To authenticate time updates from the NTP server(s), for Authentication Type, select one of the following for each server:
           • None (Default): Disables NTP authentication.
           • Symmetric Key: Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
             - Key ID: Enter the Key ID (1-65534).
             - Algorithm: Select the algorithm to use in NTP authentication (MD5 or SHA1).
           • Autokey: Firewall uses autokey (public key cryptography) to authenticate time updates.
        5. Click OK.


Step 7  (Optional) Configure general firewall settings as needed.
        1. Select Device > Setup > Management and edit the General Settings.
        2. Enter a Hostname for the firewall and enter your network Domain name. The domain name is just a label; it will not be used to join the domain.
        3. Enter Login Banner text that informs users who are about to log in that they require authorization to access the firewall management functions.
           As a best practice, avoid using welcoming verbiage. Additionally, you should ask your legal department to review the banner message to ensure it adequately warns that unauthorized access is prohibited.
        4. Enter the Latitude and Longitude to enable accurate placement of the firewall on the world map.
        5. Click OK.

Step 8  Set a secure password for the admin account.
        1. Select Device > Administrators.
        2. Select the admin role.
        3. Enter the current default password and the new password.
        4. Click OK to save your settings.

Step 9  Commit your changes.
        When the configuration changes are saved, you lose connectivity to the web interface because the IP address has changed.
        Click Commit at the top right of the web interface. The firewall can take up to 90 seconds to save your changes.

Step 10 Connect the firewall to your network.
        1. Disconnect the firewall from your computer.
        2. Connect the MGT port to a switch port on your management network using an RJ-45 Ethernet cable. Make sure that the switch port you cable the firewall to is configured for autonegotiation.

Step 11 Open an SSH management session to the firewall.
        Using terminal emulation software, such as PuTTY, launch an SSH session to the firewall using the new IP address you assigned to it.


Step 12 Verify network access to external services required for firewall management, such as the Palo Alto Networks Update Server.
        You can do this in one of the following ways:
        • If you do not want to allow external network access to the MGT interface, you will need to set up a data port to retrieve required service updates. Continue to Set Up Network Access for External Services.
        • If you do plan to allow external network access to the MGT interface, verify that you have connectivity and then proceed to Register the Firewall and Activate Licenses and Subscriptions.
        1. Use the ping utility to verify network connectivity to the Palo Alto Networks Update server as shown in the following example. Verify that DNS resolution occurs and the response includes the IP address for the Update server; the update server does not respond to a ping request.

           admin@PA-200 > ping host updates.paloaltonetworks.com
           PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.
           From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
           From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
           From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
           From 192.168.1.1 icmp_seq=4 Destination Host Unreachable

           After verifying DNS resolution, press Ctrl+C to stop the ping request.
        2. Use the following CLI command to retrieve information on the support entitlement for the firewall from the Palo Alto Networks update server:

           request support check

           If you have connectivity, the update server will respond with the support status for your firewall. Because your firewall is not registered, the update server will return the following message:

           Contact Us
           https://www.paloaltonetworks.com/company/contact-us.html
           Support Home
           https://www.paloaltonetworks.com/support/tabs/overview.html
           Device not found on this update server
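The ping check in Step 12 above (and the identical check in Step 8 of the data-port procedure) has to be read carefully: the update server never answers ICMP, so the thing to confirm is only that the hostname resolved. The following added script, which is not part of the guide or of PAN-OS, classifies a pasted ping transcript the way the step describes, separating "DNS failed" from "DNS resolved but the firewall reports Destination Host Unreachable" (which points at the default gateway or cabling rather than DNS). The sample transcripts are constructed; the first one mirrors the output shown above.

```python
import re

# Lines in the "ping host <name>" output shown in Step 12 (Linux-style ping).
_HEADER = re.compile(r"^PING\s+(?P<name>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)")
_UNREACH = re.compile(r"icmp_seq=(?P<seq>\d+)\s+Destination (?:Host|Net) Unreachable")
_REPLY = re.compile(r"^\d+ bytes from .*icmp_seq=(?P<seq>\d+)")


def assess_ping_output(output):
    """Classify a ping transcript as Step 12 tells you to read it.

    Verdicts:
      "dns-failed"           no PING header line, so the name never resolved: revisit the
                             DNS servers entered in Step 5
      "resolved-unreachable" the name resolved (DNS is fine) but the firewall itself reports
                             Destination Host/Net Unreachable: check the default gateway
                             and the link on the MGT port
      "resolved"             the name resolved and nothing was reported as unreachable; the
                             update server does not answer pings, so no replies is expected
    """
    resolved_ip = None
    unreachable = 0
    replies = 0
    for raw in output.splitlines():
        line = raw.strip()
        header = _HEADER.match(line)
        if header:
            resolved_ip = header.group("ip")
            continue
        if _UNREACH.search(line):
            unreachable += 1
        elif _REPLY.match(line):
            replies += 1

    if resolved_ip is None:
        verdict = "dns-failed"
    elif unreachable:
        verdict = "resolved-unreachable"
    else:
        verdict = "resolved"
    return {
        "dns_resolved": resolved_ip is not None,
        "resolved_ip": resolved_ip,
        "replies": replies,
        "unreachable": unreachable,
        "verdict": verdict,
    }


# Constructed sample transcripts.  The first mirrors the guide's Step 12 output: the name
# resolved, but the firewall (still on 192.168.1.1) could not reach its next hop.
SAMPLE_RESOLVED_UNREACHABLE = """\
PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
"""
# Constructed: what a failed lookup looks like (no PING header is ever printed).
SAMPLE_DNS_FAILED = "ping: unknown host updates.paloaltonetworks.com\n"
# Constructed: resolved, interrupted with Ctrl+C before any error was reported.
SAMPLE_RESOLVED_QUIET = "PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.\n"

if __name__ == "__main__":
    for label, sample in [("step-12 output", SAMPLE_RESOLVED_UNREACHABLE),
                          ("dns failure", SAMPLE_DNS_FAILED),
                          ("quiet", SAMPLE_RESOLVED_QUIET)]:
        print(label, "->", assess_ping_output(sample))
```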
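Step 6 above offers Symmetric Key NTP authentication with a Key ID in the range 1-65534 and an MD5 or SHA1 digest. What that option puts on the wire is the RFC 5905 symmetric-key MAC: a 4-byte key ID followed by digest(shared secret || NTP packet). The added example below, which is not code from the guide or from PAN-OS and assumes the standard RFC 5905 layout rather than anything firewall-specific, builds a minimal NTP client packet, appends such a MAC, and verifies it, including the rejection of an unknown key ID, a wrong secret, and a modified packet. The secret and timestamp are constructed values.

```python
import hashlib
import hmac
import struct

# Digest names for the two algorithms the firewall's Symmetric Key option offers.
DIGESTS = {"MD5": "md5", "SHA1": "sha1"}
NTP_HEADER_LEN = 48


def ntp_client_header(tx_timestamp):
    """Build a minimal 48-byte NTPv4 client (mode 3) header with only the transmit timestamp set.

    Layout: LI/VN/Mode, stratum, poll, precision (4 bytes); root delay, root dispersion,
    reference ID (12 bytes); reference, origin, receive timestamps (24 bytes); transmit (8).
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 3  # LI=0, version 4, mode 3 (client)
    return struct.pack(">BBbb", li_vn_mode, 0, 0, 0) + b"\x00" * 36 + struct.pack(">Q", tx_timestamp)


def compute_mac(key_id, key, packet, algorithm):
    """RFC 5905 symmetric-key MAC: key ID (4 bytes) + digest(key || packet)."""
    if not 1 <= key_id <= 65534:  # 0 and 65535 are reserved by NTP; matches the firewall's range
        raise ValueError("NTP key ID must be 1-65534")
    h = hashlib.new(DIGESTS[algorithm])
    h.update(key)
    h.update(packet)
    return struct.pack(">I", key_id) + h.digest()


def sign_packet(header, key_id, key, algorithm):
    """Return header + MAC, i.e. what an authenticating NTP peer transmits."""
    return header + compute_mac(key_id, key, header, algorithm)


def authenticate_packet(auth_packet, keyring, algorithm):
    """Verify a received header+MAC against a keyring {key_id: secret_bytes}.

    Returns False for a truncated packet, an unknown key ID, a wrong secret, or any
    change to the packet body, which is exactly what the firewall relies on when
    it discards unauthenticated time updates.
    """
    mac_len = 4 + hashlib.new(DIGESTS[algorithm]).digest_size
    if len(auth_packet) < NTP_HEADER_LEN + mac_len:
        return False
    body, mac = auth_packet[:-mac_len], auth_packet[-mac_len:]
    key_id = struct.unpack(">I", mac[:4])[0]
    key = keyring.get(key_id)
    if key is None:
        return False
    expected = compute_mac(key_id, key, body, algorithm)
    return hmac.compare_digest(expected, mac)  # constant-time comparison


if __name__ == "__main__":
    # Constructed demo: key ID 10 with a constructed shared secret, SHA1 digest.
    keyring = {10: b"constructed-shared-secret"}
    header = ntp_client_header(0xE3F0A1B2C4D5E6F7)  # constructed transmit timestamp
    packet = sign_packet(header, 10, keyring[10], "SHA1")
    print("authentic:", authenticate_packet(packet, keyring, "SHA1"))
    forged = bytearray(packet)
    forged[40] ^= 0x01  # flip one bit of the transmit timestamp
    print("tampered:", authenticate_packet(bytes(forged), keyring, "SHA1"))
```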


Set Up Network Access for External Services

By default, the firewall uses the MGT interface to access remote services, such as DNS servers, content updates, and license retrieval. If you do not want to enable external network access to your management network, you must set up an in-band data port to provide access to required external services and set up service routes to instruct the firewall what port to use to access the external services.

This task requires familiarity with firewall interfaces, zones, and policies. For more information on these topics, see Configure Interfaces and Zones and Set Up a Basic Security Policy.

Set Up a Data Port for Access to External Services

Step 1  Decide which port you want to use for access to external services and connect it to your switch or router port.
        The interface you use must have a static IP address.

Step 2  Log in to the web interface.
        Using a secure connection (https) from your web browser, log in using the new IP address and password you assigned during initial configuration (https://<IP address>). You will see a certificate warning; that is okay. Continue to the web page.

Step 3  (Optional) The firewall comes preconfigured with a default virtual wire interface between ports Ethernet 1/1 and Ethernet 1/2 (and a corresponding default security policy and zones). If you do not plan to use this virtual wire configuration, you must manually delete the configuration to prevent it from interfering with other interface settings you define.
        You must delete the configuration in the following order:
        1. To delete the default security policy, select Policies > Security, select the rule, and click Delete.
        2. To delete the default virtual wire, select Network > Virtual Wires, select the virtual wire and click Delete.
        3. To delete the default trust and untrust zones, select Network > Zones, select each zone and click Delete.
        4. To delete the interface configurations, select Network > Interfaces and then select each interface (ethernet1/1 and ethernet1/2) and click Delete.
        5. Commit the changes.


Step 4  Configure the interface you plan to use for external access to management services.
        1. Select Network > Interfaces and select the interface that corresponds to the port you cabled in Step 1.
        2. Select the Interface Type. Although your choice here depends on your network topology, this example shows the steps for Layer3.
        3. On the Config tab, expand the Security Zone drop-down and select New Zone.
        4. In the Zone dialog, enter a Name for the new zone, for example Management, and then click OK.
        5. Select the IPv4 tab, select the Static radio button, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.1.254/24. You must use a static IP address on this interface.
        6. Select Advanced > Other Info, expand the Management Profile drop-down, and select New Management Profile.
        7. Enter a Name for the profile, such as allow_ping, and then select the services you want to allow on the interface. For the purposes of allowing access to the external services, you probably only need to enable Ping and then click OK.
           These services provide management access to the firewall, so only select the services that correspond to the management activities you want to allow on this interface. For example, if you plan to use the MGT interface for firewall configuration tasks through the web interface or CLI, you would not want to enable HTTP, HTTPS, SSH, or Telnet so that you could prevent unauthorized access through this interface (and if you did allow those services, you should limit access to a specific set of Permitted IP Addresses). For details, see Use Interface Management Profiles to Restrict Access.
        8. To save the interface configuration, click OK.


Step 5  Configure the service routes.
        By default, the firewall uses the MGT interface to access the external services it requires. To change the interface the firewall uses to send requests to external services, you must edit the service routes.
        This example shows how to set up global service routes. For information on setting up network access to external services on a virtual system basis rather than a global basis, see Per-Virtual System Service Routes.
        1. Select Device > Setup > Services > Global and click Service Route Configuration.
           For the purposes of activating your licenses and getting the most recent content and software updates, you will want to change the service route for DNS, Palo Alto Updates, URL Updates, WildFire, and AutoFocus.
        2. Click the Customize radio button, and select one of the following:
           • For a predefined service, select IPv4 or IPv6 and click the link for the service for which you want to modify the Source Interface and select the interface you just configured. If more than one IP address is configured for the selected interface, the Source Address drop-down allows you to select an IP address.
           • To create a service route for a custom destination, select Destination, and click Add. Enter a Destination name and select a Source Interface. If more than one IP address is configured for the selected interface, the Source Address drop-down allows you to select an IP address.
        3. Click OK to save the settings.
        4. Repeat steps 2-3 above for each service route you want to modify.
        5. Commit your changes.

Step 6  Configure an external-facing interface and an associated zone and then create a security policy rule to allow the firewall to send service requests from the internal zone to the external zone.
        1. Select Network > Interfaces and then select the external-facing interface. Select Layer3 as the Interface Type, Add the IP address (on the IPv4 or IPv6 tab), and create the associated Security Zone (on the Config tab), such as Internet. This interface must have a static IP address; you do not need to set up management services on this interface.
        2. To set up a security rule that allows traffic from your internal network to the Palo Alto Networks update server, select Policies > Security and click Add.
           As a best practice when creating Security policy rules, use application-based rules instead of port-based rules to ensure that you are accurately identifying the underlying application regardless of the port, protocol, evasive tactics, or encryption in use. Always leave the Service set to application-default. In this case, create a security policy rule that allows access to the update server (and other Palo Alto Networks services).


Step 7  Create a NAT policy rule.

1. If you are using a private IP address on the internal-facing interface, you will need to create a source NAT rule to translate the address to a publicly routable address. Select Policies > NAT and then click Add. At a minimum you must define a name for the rule (General tab), specify a source and destination zone, Management to Internet in this case (Original Packet tab), and define the source address translation settings (Translated Packet tab) and then click OK.
2. Commit your changes.
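The Security rule from Step 6 and the source NAT rule from Step 7 can also be pushed with the PAN-OS XML API, which is useful when you bring up several firewalls. The Python below is an added example, not code from this guide or from Palo Alto Networks: it builds the rule XML the API expects, posts the request so that the password and API key stay out of the URL and web-server access logs, and refuses to continue on a non-success reply so that a failed set is never followed by a commit. The zone names Management and Internet come from Step 7; the rule names, the egress interface ethernet1/16, the default vsys1 xpath and the App-ID names paloalto-updates and dns are assumptions for the example (use the applications you actually allowed). Run it against a real firewall only with an administrator that has XML API access.

```python
"""Added example: build and send PAN-OS XML API requests for the Security and
NAT rules of Steps 6-7 (not PAN-OS guide code; zone/app/interface names assumed)."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Single-vsys default location; adjust the vsys entry on multi-vsys firewalls (assumed).
VSYS_XPATH = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"
SECURITY_RULES_XPATH = VSYS_XPATH + "/rulebase/security/rules"
NAT_RULES_XPATH = VSYS_XPATH + "/rulebase/nat/rules"


def _members(parent, tag, values):
    """Append <tag><member>v</member>...</tag>, the list encoding PAN-OS config uses."""
    node = ET.SubElement(parent, tag)
    for value in values:
        ET.SubElement(node, "member").text = value
    return node


def security_rule_element(name, from_zone, to_zone, applications, action="allow"):
    """<entry> for an application-based rule: Service stays application-default,
    logging at session end is on (the Step 6 best practice)."""
    entry = ET.Element("entry", name=name)
    _members(entry, "from", [from_zone])
    _members(entry, "to", [to_zone])
    _members(entry, "source", ["any"])
    _members(entry, "destination", ["any"])
    _members(entry, "source-user", ["any"])
    _members(entry, "category", ["any"])
    _members(entry, "application", list(applications))
    _members(entry, "service", ["application-default"])
    _members(entry, "hip-profiles", ["any"])
    ET.SubElement(entry, "action").text = action
    ET.SubElement(entry, "log-end").text = "yes"
    return ET.tostring(entry, encoding="unicode")


def nat_rule_element(name, from_zone, to_zone, egress_interface):
    """<entry> for a source NAT rule that hides private internal addresses behind
    the egress interface address (dynamic IP and port), as in Step 7."""
    entry = ET.Element("entry", name=name)
    _members(entry, "from", [from_zone])
    _members(entry, "to", [to_zone])
    _members(entry, "source", ["any"])
    _members(entry, "destination", ["any"])
    ET.SubElement(entry, "service").text = "any"
    ET.SubElement(entry, "to-interface").text = egress_interface
    translation = ET.SubElement(entry, "source-translation")
    dipp = ET.SubElement(translation, "dynamic-ip-and-port")
    iface = ET.SubElement(dipp, "interface-address")
    ET.SubElement(iface, "interface").text = egress_interface
    return ET.tostring(entry, encoding="unicode")


def keygen_params(user, password):
    return {"type": "keygen", "user": user, "password": password}


def set_config_params(api_key, xpath, element):
    return {"type": "config", "action": "set", "xpath": xpath, "element": element, "key": api_key}


def commit_params(api_key):
    return {"type": "commit", "cmd": "<commit></commit>", "key": api_key}


def parse_response(body):
    """Return the <result> element of a successful reply; raise on anything else so
    the caller never commits on top of a failed set."""
    root = ET.fromstring(body)
    if root.get("status") != "success":
        raise RuntimeError("PAN-OS API error: " + ET.tostring(root, encoding="unicode"))
    return root.find("result")


def call_api(host, params, cafile=None):
    """POST the request (credentials out of the URL) with TLS verification kept on;
    pass cafile= for a firewall that still uses its self-signed certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=data)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_response(resp.read())


if __name__ == "__main__":
    # Against a live firewall (hypothetical host/credentials):
    #   key = call_api(FW, keygen_params("admin", PASSWORD)).findtext("key")
    #   call_api(FW, set_config_params(key, SECURITY_RULES_XPATH, security_rule_element(
    #            "Allow-PAN-Updates", "Management", "Internet", ["paloalto-updates", "dns"])))
    #   call_api(FW, set_config_params(key, NAT_RULES_XPATH, nat_rule_element(
    #            "Egress-SNAT", "Management", "Internet", "ethernet1/16")))
    #   call_api(FW, commit_params(key))
    print(security_rule_element("Allow-PAN-Updates", "Management", "Internet", ["paloalto-updates", "dns"]))
    print(nat_rule_element("Egress-SNAT", "Management", "Internet", "ethernet1/16"))
```

The generated elements are the same objects the web interface writes when you fill in the General, Original Packet and Translated Packet tabs; compare them with the output of `show` on the corresponding xpath (type=config, action=show) if you want to confirm the structure on your own firewall before pushing.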


Step 8  Verify that you have connectivity from the data port to the external services, including the default gateway, and the Palo Alto Networks Update Server.

After you verify you have the required network connectivity, continue to Register the Firewall and Activate Licenses and Subscriptions.

1. Use the ping utility to verify network connectivity to the Palo Alto Networks Update server as shown in the following example. Verify that DNS resolution occurs and the response includes the IP address for the Update server; the update server does not respond to a ping request.

   admin@PA-200> ping host updates.paloaltonetworks.com
   PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.
   From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
   From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
   From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
   From 192.168.1.1 icmp_seq=4 Destination Host Unreachable

   After verifying DNS resolution, press Ctrl+C to stop the ping request.
   Read the output carefully: the hostname resolving to an IP address is the success criterion here, and the absence of echo replies is expected. A stream of "Destination Host Unreachable" messages, however, means the packets are not being forwarded toward the destination at all (typically the next hop cannot be resolved or reached), so if you see them on your own firewall check the default route, the gateway address, and upstream connectivity before proceeding.

2. Use the following CLI command to retrieve information on the support entitlement for the firewall from the Palo Alto Networks update server:

   request support check

   If you have connectivity, the update server will respond with the support status for your firewall. Because your firewall is not registered, the update server will return the following message:

   Contact Us
   https://www.paloaltonetworks.com/company/contact-us.html
   Support Home
   https://www.paloaltonetworks.com/support/tabs/overview.html
   Device not found on this update server


Register the Firewall

Before you can activate support and other licenses and subscriptions, you must first register the firewall.

Note: If you are registering a VM-Series firewall, refer to the VM-Series Deployment Guide.

Step 1  Log in to the web interface.
Using a secure connection (https) from your web browser, log in using the new IP address and password you assigned during initial configuration (https://<IP address>).

Step 2  Locate your serial number and copy it to the clipboard.
On the Dashboard, locate your Serial Number in the General Information section of the screen.

Step 3  Go to the Palo Alto Networks Customer Support portal and log in.
In a new browser tab or window, go to https://www.paloaltonetworks.com/support/tabs/overview.html.

Step 4  Register the firewall.
You must have a support account to register a firewall. If you do not yet have a support account, click the Register link on the support login page and follow the instructions to get your account set up and register the firewall.
If you already have a support account, log in and register the hardware-based firewall as follows:
1. Select Assets > Devices.
2. Click Register New Device.
3. Select Register device using Serial Number or Authorization Code and click Submit.
4. Enter the firewall Serial Number (you can copy and paste it from the firewall Dashboard).
5. (Optional) Enter the Device Name and Device Tag.
6. Provide information about where you plan to deploy the firewall including the City, Postal Code, and Country.
7. Read the end user license agreement (EULA) and then click Agree and Submit.


Activate Licenses and Subscriptions

Before you can start using your firewall to secure the traffic on your network, you must activate the licenses for each of the services you purchased. Available licenses and subscriptions include the following:

- Threat Prevention: Provides antivirus, anti-spyware, and vulnerability protection.
- Decryption Mirroring: Provides the ability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures, such as NetWitness or Solera, for archiving and analysis.
- URL Filtering: Allows you to create security policy to enforce web access based on dynamic URL categories. You must purchase and install a subscription for one of the supported URL filtering databases: PAN-DB or BrightCloud. With PAN-DB, you can set up access to the PAN-DB public cloud or to the PAN-DB private cloud. For more information about URL filtering, see Control Access to Web Content.
- Virtual Systems: This license is required to enable support for multiple virtual systems on PA-2000 and PA-3000 Series firewalls. In addition, you must purchase a Virtual Systems license if you want to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls (the base number varies by platform). The PA-500, PA-200, and VM-Series firewalls do not support virtual systems.
- WildFire: Although basic WildFire support is included as part of the Threat Prevention license, the WildFire subscription service provides enhanced services for organizations that require immediate coverage for threats, frequent WildFire signature updates, advanced file type forwarding (APK, PDF, Microsoft Office, and Java Applet), as well as the ability to upload files using the WildFire API. A WildFire subscription is also required if your firewalls will be forwarding files to a WF-500 appliance.
- GlobalProtect: Provides mobility solutions and/or large-scale VPN capabilities. By default, you can deploy GlobalProtect portals and gateways (without HIP checks) without a license. If you want to use HIP checks, you will also need gateway licenses (subscription) for each gateway.
- AutoFocus: Provides a graphical analysis of firewall traffic logs and identifies potential risks to your network using threat intelligence from the AutoFocus portal. With an active license, you can also open an AutoFocus search based on logs recorded on the firewall.

Step 1  Locate the activation codes for the licenses you purchased.
When you purchased your subscriptions you should have received an email from Palo Alto Networks customer service listing the activation code associated with each subscription. If you cannot locate this email, contact Customer Support to obtain your activation codes before you proceed.

Step 2  Activate your Support license.
You will not be able to update your PAN-OS software if you do not have a valid Support license.
1. Log in to the web interface and then select Device > Support.
2. Click Activate support using authorization code.
3. Enter your Authorization Code and then click OK.


Step 3  Activate each license you purchased.
Select Device > Licenses and then activate your licenses and subscriptions in one of the following ways:
- Retrieve license keys from license server: Use this option if you activated your license on the Customer Support portal.
- Activate feature using authorization code: Use this option to enable purchased subscriptions using an authorization code for licenses that have not been previously activated on the support portal. When prompted, enter the Authorization Code and then click OK.
- Manually upload license key: Use this option if your firewall does not have connectivity to the Palo Alto Networks Customer Support website. In this case, you must download a license key file from the support site on an Internet-connected computer and then upload it to the firewall.

Step 4  Verify that the license was successfully activated.
On the Device > Licenses page, verify that the license was successfully activated. For example, after activating the WildFire license, you should see that the license is valid.

Step 5  (WildFire subscriptions only) Perform a commit to complete WildFire subscription activation.
After activating a WildFire subscription, a commit is required for the firewall to begin forwarding advanced file types. You should either:
- Commit any pending changes.
- Check that the WildFire Analysis profile rules include the advanced file types that are now supported with the WildFire subscription. If no change to any of the rules is required, make a minor edit to a rule description and perform a commit.


Install Content and Software Updates

In order to stay ahead of the changing threat and application landscape, Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to Palo Alto Networks firewalls. The firewalls access the web resources in the CDN to perform various App-ID and Content-ID functions. By default, the firewalls use the management port to access the CDN infrastructure for application updates, threat and antivirus signature updates, BrightCloud and PAN-DB database updates and lookups, and access to the Palo Alto Networks WildFire cloud. To ensure that you are always protected from the latest threats (including those that have not yet been discovered), you must ensure that you keep your firewalls up to date with the latest content and software updates published by Palo Alto Networks.

The following content updates are available, depending on which subscriptions you have:

- Antivirus: Includes new and updated antivirus signatures, including signatures discovered by the WildFire cloud service. You must have a Threat Prevention subscription to get these updates. New antivirus signatures are published daily.
- Applications: Includes new and updated application signatures. This update does not require any additional subscriptions, but it does require a valid maintenance/support contract. New application updates are published weekly. To review the policy impact of new application updates, see Manage New App-IDs Introduced in Content Releases.
- Applications and Threats: Includes new and updated application and threat signatures. This update is available if you have a Threat Prevention subscription (and you get it instead of the Applications update). New Applications and Threats updates are published weekly. To review the policy impact of new application updates, see Manage New App-IDs Introduced in Content Releases.
- GlobalProtect Data File: Contains the vendor-specific information for defining and evaluating host information profile (HIP) data returned by GlobalProtect agents. You must have a GlobalProtect gateway license and create an update schedule in order to receive these updates.
- BrightCloud URL Filtering: Provides updates to the BrightCloud URL Filtering database only. You must have a BrightCloud subscription to get these updates. New BrightCloud URL database updates are published daily. If you have a PAN-DB license, scheduled updates are not required as firewalls remain in sync with the servers automatically.
- WildFire: Provides near real-time malware and antivirus signatures created as a result of the analysis done by the WildFire cloud service. Without the subscription, you must wait 24 to 48 hours for the signatures to roll into the Applications and Threats update.

Note: Although you can manually download and install content updates at any time, as a best practice you should Schedule each content update. Scheduled updates occur automatically.

Step 1  Ensure that the firewall has access to the update server.
1. By default, the firewall accesses the Update Server (Device > Setup > Services) at updates.paloaltonetworks.com so that the firewall receives content updates from the server to which it is closest in the CDN infrastructure. If the firewall has restricted access to the Internet, set the update server address to use the hostname staticupdates.paloaltonetworks.com or the IP address 199.167.52.15 instead of dynamically selecting a server from the CDN infrastructure.
2. (Optional) Click Verify Update Server Identity for an extra level of validation to enable the firewall to check that the server's SSL certificate is signed by a trusted authority. This protects the update channel against a spoofed or intercepted update server, so leave it enabled unless an intercepting proxy on the path re-signs TLS, in which case the check fails until that proxy's issuing CA is trusted by the firewall.
3. (Optional) If the firewall needs to use a proxy server to reach Palo Alto Networks update services, in the Proxy Server window, enter:
   - Server: IP address or hostname of the proxy server.
   - Port: Port for the proxy server. Range: 1-65535.
   - User: Username to access the server.
   - Password: Password for the user to access the proxy server. Re-enter the password at Confirm Password.

Step 2  Check for the latest content updates.
Select Device > Dynamic Updates and click Check Now (located in the lower left-hand corner of the window) to check for the latest updates. The link in the Action column indicates whether an update is available:
- Download: Indicates that a new update file is available. Click the link to begin downloading the file directly to the firewall. After successful download, the link in the Action column changes from Download to Install.
  Note: You cannot download the antivirus update until you have installed the Applications and Threats update.
- Upgrade: Indicates that a new version of the BrightCloud database is available. Click the link to begin the download and installation of the database. The database upgrade begins in the background; when completed a check mark displays in the Currently Installed column. Note that if you are using PAN-DB as your URL filtering database you will not see an upgrade link because the PAN-DB database on the firewall automatically synchronizes with the PAN-DB cloud.
  Note: To check the status of an action, click Tasks (on the lower right-hand corner of the window).
- Revert: Indicates that a previously installed version of the content or software version is available. You can choose to revert to the previously installed version.

Step 3  Install the content updates.
Installation can take up to 20 minutes on a PA-200, PA-500, or PA-2000 Series firewall and up to two minutes on a PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7000 Series, or VM-Series firewall.
Click the Install link in the Action column. When the installation completes, a check mark displays in the Currently Installed column.

Step 4  Schedule each content update.
Repeat this step for each update you want to schedule.
Stagger the update schedules because the firewall can only download one update at a time. If you schedule the updates to download during the same time interval, only the first download will succeed.
1. Set the schedule of each update type by clicking the None link.
2. Specify how often you want the updates to occur by selecting a value from the Recurrence drop-down. The available values vary by content type (WildFire updates are available Every Minute, Every 15 Minutes, Every 30 minutes, or Every Hour, whereas Applications and Threats updates can be scheduled for Daily or Weekly update and Antivirus updates can be scheduled for Hourly, Daily, or Weekly).
   As new WildFire signatures are made available every five minutes, set the firewall to retrieve WildFire updates Every Minute to get the latest signatures within a minute of availability.
3. Specify the Time (or, for WildFire, the minutes past the hour) and, if applicable for the Recurrence value you selected, the Day of the week on which you want the updates to occur.
4. Specify whether you want the system to Download Only or, as a best practice, Download And Install the update.
5. Enter how long after a release to wait before performing a content update in the Threshold (Hours) field. In rare instances, errors in content updates may be found. For this reason, you may want to delay installing new updates until they have been released for a certain number of hours.
6. Click OK to save the schedule settings.
7. Click Commit to save the settings to the running configuration.

Step 5  Update PAN-OS.
Always update content before updating PAN-OS. Every PAN-OS version has a minimum supported content release version.
1. Review the Release Notes.
2. Update the PAN-OS software.

Segment Your Network Using Interfaces and Zones

Traffic must pass through the firewall in order for the firewall to manage and control it. Physically, traffic enters and exits the firewall through interfaces. The firewall determines how to act on a packet based on whether the packet matches a Security policy rule. At the most basic level, each Security policy rule must identify where the traffic came from and where it is going. On a Palo Alto Networks next-generation firewall, Security policy rules are applied between zones. A zone is a grouping of interfaces (physical or virtual) that represents a segment of your network that is connected to, and controlled by, the firewall. Because traffic can only flow between zones if there is a Security policy rule to allow it, this is your first line of defense. The more granular the zones you create, the greater control you have over access to sensitive applications and data and the more protection you have against malware moving laterally throughout your network. For example, you might want to segment access to the database servers that store your customer data into a zone called Customer Data. You can then define security policies that only permit certain users or groups of users to access the Customer Data zone, thereby preventing unauthorized internal or external access to the data stored in that segment.

- Network Segmentation for a Reduced Attack Surface
- Configure Interfaces and Zones

Network Segmentation for a Reduced Attack Surface

The following diagram shows a very basic example of how you can create zones to segment your network. The more granular you make your zones (and the corresponding security policy rules that allow traffic between zones), the more you reduce the attack surface on your network. This is because traffic can flow freely within a zone (intra-zone traffic), but traffic cannot flow between zones (inter-zone traffic) until you define a Security policy rule that allows it. Additionally, an interface cannot process traffic until you have assigned it to a zone. Therefore, by segmenting your network into granular zones you have more control over access to sensitive applications or data and you can prevent malicious traffic from establishing a communication channel within your network, thereby reducing the likelihood of a successful attack on your network.

[Diagram: example network segmented into zones; not reproduced in this text version.]

Configure Interfaces and Zones

After you identify how you want to segment your network and the zones you will need to create to achieve the segmentation (as well as the interfaces to map to each zone), you can begin configuring the interfaces and zones on the firewall. Each interface on the firewall supports all Interface Deployments and the deployment you will use depends on the topology of each part of the network you are connecting to. The following workflow shows how to configure Layer 3 interfaces and assign them to zones. For details on integrating the firewall using a different type of interface deployment (for example Virtual Wire Deployments or Layer 2 Deployments), see Networking.

Note: The firewall comes preconfigured with a default virtual wire interface between ports Ethernet 1/1 and Ethernet 1/2 (and a corresponding default security policy and virtual router). If you do not plan to use the default virtual wire, you must manually delete the configuration and commit the change before proceeding to prevent it from interfering with other settings you define. For instructions on how to delete the default virtual wire and its associated security policy and zones, see Step 3 in Set Up a Data Port for Access to External Services.

Set Up Interfaces and Zones

Step 1  Configure a default route to your Internet router.
1. Select Network > Virtual Router and then select the default link to open the Virtual Router dialog.
2. Select the Static Routes tab and click Add. Enter a Name for the route and enter the route in the Destination field (for example, 0.0.0.0/0).
3. Select the IP Address radio button in the Next Hop field and then enter the IP address of your Internet gateway (for example, 203.0.113.1).
4. Click OK twice to save the virtual router configuration.

Step 2  Configure the external interface (the interface that connects to the Internet).
1. Select Network > Interfaces and then select the interface you want to configure. In this example, we are configuring Ethernet 1/16 as the external interface.
2. Select the Interface Type. Although your choice here depends on interface topology, this example shows the steps for Layer3.
3. On the Config tab, select New Zone from the Security Zone drop-down. In the Zone dialog, define a Name for the new zone, for example Internet, and then click OK.
4. In the Virtual Router drop-down, select default.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 203.0.113.23/24.
6. To enable you to ping the interface, select Advanced > Other Info, expand the Management Profile drop-down, and select New Management Profile. Enter a Name for the profile, select Ping and then click OK. Select only Ping in this profile; do not enable management services such as HTTPS or SSH on the Internet-facing interface.
7. To save the interface configuration, click OK.

Step 3  Configure the interface that connects to your internal network.
In this example, the interface connects to a network segment that uses private IP addresses. Because private IP addresses cannot be routed externally, you will have to configure NAT.
1. Select Network > Interfaces and select the interface you want to configure. In this example, we are configuring Ethernet 1/15 as the internal interface our users connect to.
2. Select Layer3 as the Interface Type.
3. On the Config tab, expand the Security Zone drop-down and select New Zone. In the Zone dialog, define a Name for the new zone, for example Users, and then click OK.
4. Select the same Virtual Router you used previously, default in this example.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.1.4/24.
6. To enable you to ping the interface, select the management profile that you just created.
7. To save the interface configuration, click OK.

Step 4  Configure the interface that connects to your data center applications.
Although this basic security policy example configuration depicts using a single zone for all of your data center applications, as a best practice you would want to define more granular zones to prevent unauthorized access to sensitive applications or data and eliminate the possibility of malware moving laterally within your data center.
1. Select the interface you want to configure.
2. Select Layer3 from the Interface Type drop-down. In this example, we are configuring Ethernet 1/1 as the interface that provides access to your data center applications.
3. On the Config tab, expand the Security Zone drop-down and select New Zone. In the Zone dialog, define a Name for the new zone, for example Data Center Applications, and then click OK.
4. Select the same Virtual Router you used previously, default in this example.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.1.1.1/24.
6. To enable you to ping the interface, select the management profile that you created.
7. To save the interface configuration, click OK.

Step 5  (Optional) Create tags for each zone.
Tags allow you to visually scan policy rules.
1. Select Objects > Tags and Add.
2. Select a zone Name.
3. Select a tag Color and click OK.

Step 6  Save the interface configuration.
Click Commit.

Step 7  Cable the firewall.
Attach straight-through cables from the interfaces you configured to the corresponding switch or router on each network segment.

Step 8  Verify that the interfaces are active.
Select Dashboard and verify that the interfaces you configured show as green in the Interfaces widget.

Set Up a Basic Security Policy

Now that you have defined some zones and attached them to interfaces, you are ready to begin creating your Security Policy. The firewall will not allow any traffic to flow from one zone to another unless there is a Security policy rule to allow it. When a packet enters a firewall interface, the firewall matches the attributes in the packet against the Security policy rules to determine whether to block or allow the session based on attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service. The firewall evaluates incoming traffic against the security policy rulebase from left to right and from top to bottom and then takes the action specified in the first security rule that matches (for example, whether to allow, deny, or drop the packet). This means that you must order the rules in your security policy rulebase so that more specific rules are at the top of the rulebase and more general rules are at the bottom to ensure that the firewall is enforcing policy as expected.

The following workflow shows how to set up a very basic Internet gateway security policy that enables access to the network infrastructure, to data center applications, and to the Internet. This will enable you to get the firewall up and running so that you can verify that you have successfully configured the firewall. This policy is not comprehensive enough to protect your network. After you verify that you have successfully configured the firewall and integrated it into your network, proceed to Policy to learn how to create a Best Practice Internet Gateway Security Policy that will safely enable application access while protecting your network from attack.

Define Basic Security Policy Rules

Step 1  (Optional) Delete the default security policy rule.
By default, the firewall includes a security rule named rule1 that allows all traffic from the Trust zone to the Untrust zone. You can either delete the rule or modify the rule to reflect your zone naming conventions.

Step 2  Create the File Blocking profiles you will need to prevent upload/download of malicious files and for drive-by download protection.
1. Configure a File Blocking profile for general use. You will attach this profile to most of your security policy rules to block files known to carry threats or that have no real business use for upload/download.
2. Configure a File Blocking profile for risky traffic. You will attach this profile to security policy rules that allow general web access to prevent users from unknowingly downloading malicious files from the Internet.

Step 3  Allow access to your network infrastructure resources.
1. Select Policies > Security and click Add.
2. Enter a descriptive Name for the rule in the General tab.
3. In the Source tab, set the Source Zone to Users.
4. In the Destination tab, set the Destination Zone to IT Infrastructure.
   As a best practice, consider using address objects in the Destination Address field to enable access to specific servers or groups of servers only, particularly for services such as DNS and SMTP that are commonly exploited. By restricting users to specific destination server addresses you can prevent data exfiltration and command-and-control traffic from establishing communication through techniques such as DNS tunneling.
5. In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select dns, ntp, ocsp, ping, smtp.
6. In the Service/URL Category tab, keep the Service set to application-default.
7. In the Actions tab, set the Action Setting to Allow.
8. Select Profiles as the Profile Type. Select the default profiles for Antivirus and URL Filtering and the strict profiles for Vulnerability Protection and Anti-Spyware, and select the File Blocking profile you configured for general traffic.
9. Verify that Log at Session End is enabled. Only traffic that matches a security rule will be logged.
10. Click OK.


Step 4  Enable access to general Internet applications.
This is a temporary rule that allows you to gather information about the traffic on your network. After you have more insight into what applications your users need access to, you can make informed decisions about what applications to allow and create more granular application-based rules for each user group.
1. Select Policies > Security and click Add.
2. Enter a descriptive Name for the rule in the General tab.
3. In the Source tab, set the Source Zone to Users.
4. In the Destination tab, set the Destination Zone to Internet.
5. In the Applications tab, Add an Application Filter and enter a Name. To safely enable access to legitimate web-based applications, set the Category in the application filter to general-internet and then click OK. To enable access to encrypted sites, Add the ssl application.
6. In the Service/URL Category tab, keep the Service set to application-default.
7. In the Actions tab, set the Action Setting to Allow.
8. Select Profiles as the Profile Type. Select the default profiles for Antivirus and URL Filtering and the strict profiles for Vulnerability Protection and Anti-Spyware, and select the strict File Blocking profile you configured for risky traffic.
9. Verify that Log at Session End is enabled. Only traffic that matches a security rule will be logged.
10. Click OK.

Step 5  Enable access to data center applications.
1. Select Policies > Security and click Add.
2. Enter a descriptive Name for the rule in the General tab.
3. In the Source tab, set the Source Zone to Users.
4. In the Destination tab, set the Destination Zone to Data Center Applications.
5. In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select activesync, imap, kerberos, ldap, ms-exchange, and ms-lync.
6. In the Service/URL Category tab, keep the Service set to application-default.
7. In the Actions tab, set the Action Setting to Allow.
8. Select Profiles as the Profile Type. Select the default profiles for Antivirus and URL Filtering and the strict profiles for Vulnerability Protection and Anti-Spyware, and select the File Blocking profile you configured for general traffic.
9. Verify that Log at Session End is enabled. Only traffic that matches a security rule will be logged.
10. Click OK.


Step 6  Save your policies to the running configuration on the firewall.
Click Commit.

Step 7  To verify that you have set up your basic policies effectively, test whether your security policy rules are being evaluated and determine which security policy rule applies to a traffic flow.
To verify the policy rule that matches a flow, use the following CLI command:

   test security-policy-match source <IP_address> destination <IP_address> destination-port <port_number> application <application_name> protocol <protocol_number>

The output displays the best rule that matches the source and destination IP address specified in the CLI command. Note that protocol takes the IP protocol number (17 for UDP, 6 for TCP), not the port; the port goes in destination-port.
For example, to verify the policy rule that will be applied for a client in the user zone with the IP address 10.35.14.150 when it sends a DNS query (UDP port 53) to the DNS server in the data center:

   test security-policy-match source 10.35.14.150 destination 10.43.2.2 destination-port 53 application dns protocol 17

   "Network Infrastructure" {
           from Users;
           source any;
           source-region none;
           to Data_Center;
           destination any;
           destination-region none;
           user any;
           category any;
           application/service dns/any/any/any;
           action allow;
           icmp-unreachable: no
           terminal yes;
   }
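The rule-ordering requirement explained at the start of this section (first match wins, top to bottom, so specific rules must sit above general ones) and the Step 7 policy-match test can be exercised offline with the Python model below. It is an added example, not PAN-OS code: it ignores users, services, URL categories, HIP and scheduling, and simply walks a constructed rulebase in order, falls back to the implicit intrazone-default (allow) and interzone-default (deny) rules when nothing matches, and flags rules that an earlier, broader rule shadows so that they can never fire. The zones, App-IDs and addresses are constructed for the example; the DNS query from 10.35.14.150 to 10.43.2.2 mirrors the Step 7 command.

```python
"""Added example: simplified model of PAN-OS Security rulebase evaluation
(first match wins) plus a shadowed-rule check. Not the firewall's own engine."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

ANY = "any"


@dataclass
class Rule:
    name: str
    from_zones: Set[str]        # {"any"} or zone names
    to_zones: Set[str]
    sources: List[str]          # CIDR strings, or ["any"]
    destinations: List[str]
    applications: Set[str]      # {"any"} or App-ID names
    action: str                 # "allow", "deny" or "drop"


@dataclass
class Flow:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    application: str


def _zone_ok(zones: Set[str], zone: str) -> bool:
    return ANY in zones or zone in zones


def _addr_ok(nets: List[str], ip: str) -> bool:
    if ANY in nets:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_zone_ok(rule.from_zones, flow.from_zone)
            and _zone_ok(rule.to_zones, flow.to_zone)
            and _addr_ok(rule.sources, flow.src)
            and _addr_ok(rule.destinations, flow.dst)
            and (ANY in rule.applications or flow.application in rule.applications))


def match_policy(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Walk the rulebase top to bottom; the first match decides. With no match the
    predefined defaults apply: same-zone traffic allowed, cross-zone traffic denied."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    if flow.from_zone == flow.to_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def _set_covered(broad: Set[str], narrow: Set[str]) -> bool:
    return ANY in broad or (ANY not in narrow and narrow <= broad)


def _nets_covered(broad: List[str], narrow: List[str]) -> bool:
    if ANY in broad:
        return True
    if ANY in narrow:
        return False
    broad_nets = [ipaddress.ip_network(n, strict=False) for n in broad]
    return all(any(b.version == m.version and m.subnet_of(b) for b in broad_nets)
               for m in (ipaddress.ip_network(n, strict=False) for n in narrow))


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every flow `narrow` could match is already matched by `broad`."""
    return (_set_covered(broad.from_zones, narrow.from_zones)
            and _set_covered(broad.to_zones, narrow.to_zones)
            and _nets_covered(broad.sources, narrow.sources)
            and _nets_covered(broad.destinations, narrow.destinations)
            and _set_covered(broad.applications, narrow.applications))


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because a rule above them covers them."""
    return [r.name for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


# Constructed sample rulebase using the zones and App-IDs of this section.
NETWORK_INFRA = Rule("Network Infrastructure", {"Users"}, {"Data_Center"}, [ANY],
                     ["10.43.2.0/24"], {"dns", "ntp", "ocsp", "ping", "smtp"}, "allow")
BLOCK_SSH = Rule("Block SSH to Internet", {"Users"}, {"Internet"}, ["192.168.1.0/24"],
                 [ANY], {"ssh"}, "deny")
GENERAL_INTERNET = Rule("General Internet", {"Users"}, {"Internet"}, [ANY], [ANY], {ANY}, "allow")

CORRECT_ORDER = [NETWORK_INFRA, BLOCK_SSH, GENERAL_INTERNET]   # specific above general
WRONG_ORDER = [NETWORK_INFRA, GENERAL_INTERNET, BLOCK_SSH]     # the deny can never fire

if __name__ == "__main__":
    dns_query = Flow("Users", "Data_Center", "10.35.14.150", "10.43.2.2", "dns")
    ssh_out = Flow("Users", "Internet", "192.168.1.10", "203.0.113.50", "ssh")
    print(match_policy(CORRECT_ORDER, dns_query))   # ('Network Infrastructure', 'allow')
    print(match_policy(WRONG_ORDER, ssh_out))       # ('General Internet', 'allow')
    print(shadowed_rules(WRONG_ORDER))              # ['Block SSH to Internet']
```

The shadowing check is the static counterpart of what the firewall reports at commit time as a "rule shadows rule" warning; on a real rulebase, run `test security-policy-match` for the flows the deny rules are meant to catch and confirm the expected rule name comes back before trusting the order.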


Assess Network Traffic

Now that you have a basic security policy, you can review the statistics and data in the Application Command Center (ACC), traffic logs, and the threat logs to observe trends on your network. Use this information to identify where you need to create more granular security policy rules.

Monitor Network Traffic

Use the Application Command Center and Use the Automated Correlation Engine.
In the ACC, review the most used applications and the high-risk applications on your network. The ACC graphically summarizes the log information to highlight the applications traversing the network, who is using them (with User-ID enabled), and the potential security impact of the content to help you identify what is happening on the network in real time. You can then use this information to create appropriate security policy rules that block unwanted applications, while allowing and enabling applications in a secure manner.
The Compromised Hosts widget in ACC > Threat Activity displays potentially compromised hosts on your network and the logs and match evidence that corroborate the events.

Determine what updates/modifications are required for your network security policy rules and implement the changes.
For example:
- Evaluate whether to allow web content based on schedule, users, or groups.
- Allow or control certain applications or functions within an application.
- Decrypt and inspect content.
- Allow but scan for threats and exploits.
For information on refining your security policies and for attaching custom security profiles, see Enable Basic Threat Prevention Features.

Work with Logs.
Specifically, view the traffic and threat logs (Monitor > Logs).
Note: Traffic logs are dependent on how your security policies are defined and set up to log traffic. The Application Usage widget in the ACC, however, records applications and statistics regardless of policy configuration; it shows all traffic that is allowed on your network, therefore it includes the interzone traffic that is allowed by policy and the same-zone traffic that is allowed implicitly.

View AutoFocus Threat Data for Logs.
Review the AutoFocus intelligence summary for artifacts in your logs. An artifact is an item, property, activity, or behavior associated with logged events on the firewall. The intelligence summary reveals the number of sessions and samples in which WildFire detected the artifact. Use WildFire verdict information (benign, grayware, malware) and AutoFocus matching tags to look for potential risks in your network.
- AutoFocus tags created by Unit 42, the Palo Alto Networks threat intelligence team, call attention to advanced, targeted campaigns and threats in your network.
- From the AutoFocus intelligence summary, you can start an AutoFocus search for artifacts and assess their pervasiveness within global, industry, and network contexts.

Monitor Web Activity of Network Users.
Review the URL filtering logs to scan through alerts and denied categories/URLs. URL logs are generated when traffic matches a security rule that has a URL filtering profile attached with an action of alert, continue, override or block.

Enable Basic Threat Prevention Features

The Palo Alto Networks next-generation firewall has unique threat prevention capabilities that allow it to protect your network from attack despite the use of evasion, tunneling, or circumvention techniques. The threat prevention features on the firewall include the WildFire service, Security Profiles that support Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking and Data Filtering capabilities, the Denial of Service (DoS) and Zone protection functionality, and AutoFocus threat intelligence.
Threat Prevention contains more in-depth information on how to protect your network from threats. For details on how to scan encrypted (SSH or SSL) traffic for threats, see Decryption. Visit Applipedia and Threat Vault to learn more about the applications and threats that Palo Alto Networks products can identify, respectively.

Before you can apply threat prevention features, you must first configure zones to identify one or more source or destination interfaces and security policy rules. To configure interfaces, zones, and the policies that are needed to apply threat prevention features, see Configure Interfaces and Zones and Set Up a Basic Security Policy.

To begin protecting your network from threats, start here:
• Enable Basic WildFire Forwarding
• Scan Traffic for Threats
• Control Access to Web Content
• Enable AutoFocus Threat Intelligence

Enable Basic WildFire Forwarding

WildFire is a cloud-based virtual environment that analyzes and executes unknown samples (files and email links) and determines the samples to be malicious, grayware, or benign. With WildFire enabled, a Palo Alto Networks firewall can forward unknown samples to WildFire for analysis. For newly discovered malware, WildFire generates a signature to detect the malware and distributes it to all firewalls with active WildFire licenses. This enables global firewalls to detect and prevent malware found by a single firewall.
A basic WildFire service is included as part of the Palo Alto Networks next-generation firewall and does not require a WildFire subscription. With the basic WildFire service, you can enable the firewall to forward portable executable (PE) files. Additionally, if you do not have a WildFire subscription, but you do have a Threat Prevention subscription, you can receive signatures for malware WildFire identifies every 24-48 hours (as part of the antivirus updates).
Beyond the basic WildFire service, a WildFire subscription is required for the firewall to:
• Get the latest WildFire signatures every five minutes.
• Forward advanced file types and email links for analysis.
• Use the WildFire API.
• Use a WF-500 appliance to host a WildFire private cloud or a WildFire hybrid cloud.
If you have a WildFire subscription, go ahead and get started with WildFire to get the most out of your subscription. Otherwise, take the following steps to enable basic WildFire forwarding:

Step 1  Confirm that your firewall is registered and that you have a valid support account as well as any subscriptions you require.
        1. Go to the Palo Alto Networks Customer Support website, log in, and select My Devices.
        2. Verify that the firewall is listed. If it is not listed, see Register the Firewall.
        3. (Optional) If you have a Threat Prevention subscription, be sure to Activate Licenses and Subscriptions.

Step 2  Configure WildFire forwarding settings.
        1. Select Device > Setup > WildFire and edit the General Settings.
        2. Set the WildFire Public Cloud field to: wildfire.paloaltonetworks.com.
        3. Review the File Size Limits for PEs the firewall forwards for WildFire analysis. As a WildFire best practice, set the Size Limit for PEs to the maximum available limit of 10 MB.
        4. Click OK to save your changes.

Step 3  Enable the firewall to forward PEs for analysis.
        1. Select Objects > Security Profiles > WildFire Analysis and Add a new profile rule.
        2. Name the new profile rule.
        3. Click Add to create a forwarding rule and enter a name.
        4. In the File Types column, add pe files to the forwarding rule.
        5. In the Analysis column, select public-cloud to forward PEs to the WildFire public cloud.
        6. Click OK.

Step 4  Apply the new WildFire Analysis profile to traffic that the firewall allows.
        1. Select Policies > Security and either select an existing policy or create a new policy as described in Set Up a Basic Security Policy.
        2. Select Actions and in the Profile Settings section, set the Profile Type to Profiles.
        3. Select the WildFire Analysis profile you just created to apply that profile rule to all traffic this policy allows.
        4. Click OK.

Step 5  Enable the firewall to forward decrypted SSL traffic for WildFire analysis.

Step 6  Review and implement WildFire best practices to ensure that you are getting the most of WildFire detection and prevention capabilities.

Step 7  Click Commit to save your configuration updates.

Step 8  Verify that the firewall is forwarding PE files to the WildFire public cloud.
        Select Monitor > Logs > WildFire Submissions to view log entries for PEs the firewall successfully submitted for WildFire analysis. The Verdict column displays whether WildFire found the PE to be malicious, grayware, or benign.

Step 9  (Threat Prevention subscription only) If you have a Threat Prevention subscription, but do not have a WildFire subscription, you can still receive WildFire signature updates every 24-48 hours.
        1. Select Device > Dynamic Updates.
        2. Check that the firewall is set to retrieve, download, and install Antivirus updates.

Scan Traffic for Threats

Security Profiles provide threat protection in security policies. For example, you can apply an antivirus profile to a security policy and all traffic that matches the security policy will be scanned for viruses.
The following sections provide steps for setting up a basic threat prevention configuration:
• Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
• Set Up File Blocking

Set Up Antivirus, Anti-Spyware, and Vulnerability Protection

Every Palo Alto Networks next-generation firewall comes with predefined Antivirus, Anti-Spyware, and Vulnerability Protection profiles that you can attach to security policies. There is one predefined Antivirus profile, default, which uses the default action for each protocol (block HTTP, FTP, and SMB traffic and alert on SMTP, IMAP, and POP3 traffic). There are two predefined Anti-Spyware and Vulnerability Protection profiles:
• default: Applies the default action to all client and server critical, high, and medium severity spyware/vulnerability protection events. It does not detect low and informational events.
• strict: Applies the block response to all client and server critical, high and medium severity spyware/vulnerability protection events and uses the default action for low and informational events.
To ensure that the traffic entering your network is free from threats, attach the predefined profiles to your basic web access policies. As you monitor the traffic on your network and expand your policy rulebase, you can then design more granular profiles to address your specific security needs.

Set up Antivirus/Anti-Spyware/Vulnerability Protection

Step 1  Verify that you have a Threat Prevention license.
        The Threat Prevention license bundles the Antivirus, Anti-Spyware, and the Vulnerability Protection features in one license.
        Select Device > Licenses to verify that the Threat Prevention license is installed and valid (check the expiration date).

Step 2  Download the latest antivirus threat signatures.
        1. Select Device > Dynamic Updates and click Check Now at the bottom of the page to retrieve the latest signatures.
        2. In the Actions column, click Download to install the latest Antivirus, and Applications and Threats signatures.

Step 3  Schedule signature updates.
        Perform a download-and-install on a daily basis for antivirus updates and weekly for applications and threats updates.
        1. From Device > Dynamic Updates, click the text to the right of Schedule to automatically retrieve signature updates for Antivirus and Applications and Threats.
        2. Specify the frequency and timing for the updates and whether the update will be downloaded and installed or only downloaded. If you select Download Only, you would need to manually go in and click the Install link in the Action column to install the signature. When you click OK, the update is scheduled. No commit is required.
        3. (Optional) You can also enter the number of hours in the Threshold field to indicate the minimum age of a signature before a download will occur. For example, if you entered 10, the signature must be at least 10 hours old before it will be downloaded, regardless of the schedule.
        4. In an HA configuration, you can also click the Sync To Peer option to synchronize the content update with the HA peer after download/install. This will not push the schedule settings to the peer firewall; you need to configure the schedule on each firewall.

        Recommendations for HA Configurations:
        • Active/Passive HA: If the firewalls use the MGT port for content updates, configure a schedule on each firewall so that each firewall downloads and installs content independently. If the firewalls are using a data port for content updates, the passive firewall will not perform downloads while it is in the passive state. In this case set a schedule on each peer and enable Sync To Peer to ensure that content updates on the active peer sync to the passive peer.
        • Active/Active HA: If the firewalls use the MGT port for content updates, configure a schedule on each firewall, but do not enable Sync To Peer. If the firewalls are using a data port for content updates, schedule content updates on each firewall and select Sync To Peer to enable the active-primary firewall to download and install the content updates and then push the content update to the active-secondary peer.

Step 4  Attach the security profiles to a security policy.
        Attach a clone of a predefined security profile to your basic Security policy rules. That way, if you want to customize the profile you can do so without deleting the read-only predefined strict or default profile and attaching a customized profile.
        1. Select Policies > Security, select the desired policy to modify it and then click the Actions tab.
        2. In Profile Settings, click the drop-down next to each security profile you would like to enable. In this example we choose default for Antivirus and WildFire Analysis, and strict for Vulnerability Protection and Anti-Spyware.
           If you don't see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.

Step 5  Save the configuration.
        Click Commit.

Set Up File Blocking

File Blocking Profiles allow you to identify specific file types that you want to block or monitor. For most traffic (including traffic on your internal network) you will want to block files that are known to carry threats or that have no real use case for upload/download. Currently, these include batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files. Additionally, to provide drive-by download protection, allow download/upload of executables and archive files (.zip and .rar), but force users to acknowledge that they are transferring a file so that they will notice that the browser is attempting to download something they were not aware of. For policy rules that allow general web browsing, be more strict with your file blocking because the risk of users unknowingly downloading malicious files is much higher. For this type of traffic you will want to attach a more strict file blocking profile that also blocks portable executable (PE) files.

Configure File Blocking

Step 6  Configure a File Blocking profile for general use.
        1. Select Objects > Security Profiles > File Blocking and click Add.
        2. Enter a Name for the file blocking profile, for example general file blocking.
        3. Optionally enter a Description, such as block risky apps. Click Add to define the profile settings.
        4. Enter a Name, such as block risky.
        5. Set File Types to block. For example, Add the following: bat, dll, jar, hlp, lnk, and torrent.
        6. Leave the Direction set to both.
        7. Set the Action to block.
        8. Add a second rule and enter a Name, for example continue exe and archive.
        9. Set File Types to continue. For example, Add the following: PE, zip and rar.
        10. Leave the Direction set to both.
        11. Set the Action to block.
        12. Click OK to save the profile.

Step 7  Configure a File Blocking profile for risky traffic.
        When users are web browsing it is much more likely that they will download a malicious file unintentionally. Therefore, it is important to attach a stricter file blocking policy than you would attach to Security policy rules that allow access to less risk-prone application traffic.
        1. On the Objects > Security Profiles > File Blocking page, select the file blocking profile you just created for general traffic and click Clone. Select the profile to clone and click OK.
        2. Select the cloned profile and give it a new Name, such as strict block risky apps.
        3. Click in the File Types section of the block rule and Add the PE file type.
        4. Click in the File Types section of the continue rule, select PE and click Delete.
        5. Click OK to save the profile.

Step 8  Attach the file blocking profile to the security policies that allow access to content.
        1. Select Policies > Security and either select an existing policy or create a new policy as described in Set Up a Basic Security Policy.
        2. Click the Actions tab within the security policy.
        3. In the Profile Settings section, click the drop-down and select the file blocking profile you created.
           If you don't see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.

Step 9  Enable response pages in the management profile for each interface on which you are attaching a file blocking profile with a continue action.
        1. Select Network > Network Profiles > Interface Mgmt and then select an interface profile to edit or click Add to create a new profile.
        2. Select Response Pages, as well as any other management services required on the interface.
        3. Click OK to save the interface management profile.
        4. Select Network > Interfaces and select the interface to which to attach the profile.
        5. On the Advanced > Other Info tab, select the interface management profile you just created.
        6. Click OK to save the interface settings.

Step 10  Save the configuration.
        1. Click Commit.

Step 11  Test the file blocking configuration.
        From a client PC in the trust zone of the firewall, attempt to download an .exe file from a website in the Internet zone. Make sure the file is blocked as expected based on the action you defined in the file blocking profile:
        • If you selected alert as the action, check the data filtering log to make sure you see a log entry for the request.
        • If you selected block as the action, the File Blocking Block Page response page should display.
        • If you selected the continue action, the File Blocking Continue Page response page should display. Click Continue to download the file. The following shows the default File Blocking Continue Page.
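
The same two profiles from Steps 6 and 7 can also be built through the XML API that the guide lists under Management Interfaces, which is useful when many firewalls need identical file blocking settings. This is an added example, not code from the guide or from Palo Alto Networks; the configuration xpath, the <rules> element layout and the API parameter names are assumptions about the PAN-OS 7.1 schema and should be checked against your firewall before use.

```python
"""Build the File Blocking profiles of Steps 6 and 7 as PAN-OS XML API requests.

Added example, not code from the PAN-OS Administrator's Guide or from Palo Alto
Networks. The xpath, the <rules> element layout and the API parameter names are
assumptions drawn from the PAN-OS 7.1 XML API and configuration schema.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# The two rules of the general-use profile from Step 6, constructed for this
# example: (rule name, file types, direction, action). The second rule carries
# the continue action that Step 7 and Step 11 refer to as the "continue rule".
GENERAL_RULES = [
    ("block-risky", ["bat", "dll", "jar", "hlp", "lnk", "torrent"], "both", "block"),
    ("continue-exe-and-archive", ["PE", "zip", "rar"], "both", "continue"),
]

# Assumed vsys-scoped xpath of a File Blocking profile (not stated in the guide).
XPATH_TEMPLATE = (
    "/config/devices/entry[@name='localhost.localdomain']"
    "/vsys/entry[@name='{vsys}']/profiles/file-blocking/entry[@name='{name}']"
)


def strict_rules(rules):
    """Derive the risky-traffic profile of Step 7 from the general one:
    PE moves out of the continue rule and into the block rule."""
    out = []
    for name, types, direction, action in rules:
        types = [t for t in types if t != "PE"]   # drop PE from the continue rule
        if action == "block":
            types = types + ["PE"]                   # and block it instead
        out.append((name, types, direction, action))
    return out


def profile_element(rules, description=None):
    """Serialize rules into the element body pushed with action=set
    (assumed layout: application/file-type/direction/action per rule)."""
    root = ET.Element("root")  # wrapper only; its children form the element body
    if description:
        ET.SubElement(root, "description").text = description
    rules_el = ET.SubElement(root, "rules")
    for name, types, direction, action in rules:
        rule = ET.SubElement(rules_el, "entry", name=name)
        ET.SubElement(ET.SubElement(rule, "application"), "member").text = "any"
        file_type = ET.SubElement(rule, "file-type")
        for t in types:
            ET.SubElement(file_type, "member").text = t
        ET.SubElement(rule, "direction").text = direction
        ET.SubElement(rule, "action").text = action
    return "".join(ET.tostring(child, encoding="unicode") for child in root)


def set_profile_request(host, api_key, profile_name, rules, vsys="vsys1", description=None):
    """Return (url, params) for a type=config action=set API call. Send it with an
    HTTPS client that validates the firewall certificate; a commit is still
    required afterwards, exactly as in the web interface procedure."""
    params = {
        "type": "config",
        "action": "set",
        "xpath": XPATH_TEMPLATE.format(vsys=vsys, name=profile_name),
        "element": profile_element(rules, description),
        "key": api_key,
    }
    return f"https://{host}/api/", params


def parse_profile_element(element_xml):
    """Read an element body back into rule tuples, to review what would be pushed."""
    root = ET.fromstring(f"<root>{element_xml}</root>")
    return [
        (
            rule.get("name"),
            [m.text for m in rule.findall("./file-type/member")],
            rule.findtext("direction"),
            rule.findtext("action"),
        )
        for rule in root.findall("./rules/entry")
    ]


if __name__ == "__main__":
    # Placeholder host and API key; nothing is sent here.
    for name, rules in (("general-file-blocking", GENERAL_RULES),
                        ("strict-block-risky-apps", strict_rules(GENERAL_RULES))):
        url, params = set_profile_request("FIREWALL-HOST", "API-KEY-PLACEHOLDER",
                                          name, rules, description="block risky apps")
        print(name, "->", url + "?" + urlencode(params)[:160] + "...")
        for rule in parse_profile_element(params["element"]):
            print("   ", rule)
```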

Control Access to Web Content

URL Filtering provides visibility and control over web traffic on your network. With URL filtering enabled, the firewall can categorize web traffic into one or more (from approximately 60) categories. You can then create policies that specify whether to allow, block, or log (alert) traffic based on the category to which it belongs. The following workflow shows how to enable PAN-DB for URL filtering, create security profiles, and attach them to security policies to enforce a basic URL filtering policy.

Configure URL Filtering

Step 1  Confirm license information for URL Filtering.
        1. Obtain and install a URL Filtering license. See Activate Licenses and Subscriptions for details.
        2. Select Device > Licenses and verify that the URL Filtering license is valid.

Step 2  Download the seed database and activate the license.
        1. To download the seed database, click Download next to Download Status in the PAN-DB URL Filtering section of the Licenses page.
        2. Choose a region (North America, Europe, APAC, Japan) and then click OK to start the download.
        3. After the download completes, click Activate.

Step 3  Create a URL filtering profile.
        Because the default URL filtering profile blocks risky and threat-prone content, clone this profile when creating a new profile in order to preserve the default settings.
        1. Select Objects > Security Profiles > URL Filtering.
        2. Select the default profile and then click Clone. The new profile will be named default-1.
        3. Select the new profile and rename it.

Step 4  Define how to control access to web content.
        If you are not sure what traffic you want to control, consider setting the categories (except for those blocked by default) to alert. You can then use the visibility tools on the firewall, such as the ACC and App Scope, to determine which web categories to restrict to specific groups or to block entirely. You can then go back and modify the profile to block and allow categories as desired. You can also define specific sites to always allow or always block regardless of category and enable the safe search option to filter search results when defining the URL Filtering profile.
        1. For each category that you want visibility into or control over, select a value from the Action column as follows:
           • If you do not care about traffic to a particular category (that is, you neither want to block it nor log it), select allow.
           • For visibility into traffic to sites in a category, select alert.
           • To present a response page to users attempting to access a particular category to alert them to the fact that the content they are accessing might not be work appropriate, select continue.
           • To prevent access to traffic that matches the associated policy, select block (this also generates a log entry).
        2. Click OK to save the URL filtering profile.

Step 5  Attach the URL filtering profile to a security policy.
        1. Select Policies > Security.
        2. Select the desired policy to modify it and then click the Actions tab.
        3. If this is the first time you are defining a security profile, select Profiles from the Profile Type drop-down.
        4. In the Profile Settings list, select the profile you just created from the URL Filtering drop-down. (If you don't see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.)
        5. Click OK to save the profile.
        6. Commit the configuration.

Step 6  Enable response pages in the management profile for each interface on which you are filtering web traffic.
        1. Select Network > Network Profiles > Interface Mgmt and then select an interface profile to edit or click Add to create a new profile.
        2. Select Response Pages, as well as any other management services required on the interface.
        3. Click OK to save the interface management profile.
        4. Select Network > Interfaces and select the interface to which to attach the profile.
        5. On the Advanced > Other Info tab, select the interface management profile you just created.
        6. Click OK to save the interface settings.

Step 7  Save the configuration.
        Click Commit.

Step 8  Test the URL filtering configuration.
        Access a client PC in the trust zone of the firewall and attempt to access a site in a blocked category. Make sure URL filtering is applied based on the action you defined in the URL filtering profile:
        • If you selected alert as the action, check the data filtering log to make sure you see a log entry for the request.
        • If you selected the continue action, the URL Filtering Continue and Override Page response page should display. Continue to the site.
        • If you selected block as the action, the URL Filtering and Category Match Block Page response page should display as follows:

Enable AutoFocus Threat Intelligence

With a valid AutoFocus subscription, you can compare the activity on your network with the latest threat data available on the AutoFocus portal. Connecting your firewall and AutoFocus unlocks the following features:
• Ability to view an AutoFocus intelligence summary for session artifacts recorded in the firewall logs.
• Ability to open an AutoFocus search for log artifacts from the firewall.
The AutoFocus intelligence summary reveals the prevalence of an artifact on your network and on a global scale. The WildFire verdicts and AutoFocus tags listed for the artifact indicate whether the artifact poses a security risk.

Enable AutoFocus Threat Intelligence on the Firewall

Step 1  Verify that the AutoFocus license is activated on the firewall.
        1. Select Device > Licenses to verify that the AutoFocus Device License is installed and valid (check the expiration date).
        2. If the firewall doesn't detect the license, see Activate Licenses and Subscriptions.

Step 2  Connect the firewall to AutoFocus.
        1. Select Device > Setup > Management and edit the AutoFocus settings.
        2. Enter the AutoFocus URL: https://autofocus.paloaltonetworks.com:10443
        3. Use the Query Timeout field to set the duration of time for the firewall to attempt to query AutoFocus for threat intelligence data. If the AutoFocus portal does not respond before the end of the specified period, the firewall closes the connection.
           As a best practice, set the query timeout to the default value of 15 seconds. AutoFocus queries are optimized to complete within this duration.
        4. Select Enabled to allow the firewall to connect to AutoFocus.
        5. Click OK.
        6. Commit your changes to retain the AutoFocus settings upon reboot.

Step 3  Connect AutoFocus to the firewall.
        1. Log in to the AutoFocus portal: https://autofocus.paloaltonetworks.com
        2. Select Settings.
        3. Add new remote systems.
        4. Enter a descriptive Name to identify the firewall.
        5. Select PanOS as the System Type.
        6. Enter the firewall IP Address.
        7. Click Save changes to add the remote system.
        8. Click Save changes again on the Settings page to ensure the firewall is successfully added.

Step 4  Test the connection between the firewall and AutoFocus.
        1. On the firewall, select Monitor > Logs > Traffic.
        2. Verify that you can View AutoFocus Threat Data for Logs.

Best Practices for Completing the Firewall Deployment

Now that you have integrated the firewall into your network and enabled the basic security features, you can begin configuring more advanced features. Here are some things to consider next:
• Learn about the different Management Interfaces that are available to you and how to access and use them.
• Replace the Certificate for Inbound Management Traffic. By default, the firewall ships with a default certificate that enables HTTPS access to the web interface over the management (MGT) interface or any other interface that supports HTTPS management traffic. To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.
• Configure a best practice security policy rulebase to safely enable applications and protect your network from attack. See Best Practice Internet Gateway Security Policy for details.
• Set up High Availability: High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration and session tables are synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up a two-firewall cluster provides redundancy and allows you to ensure business continuity.
• Configure the Master Key: Every Palo Alto Networks firewall has a default master key that encrypts all private keys on the firewall used for cryptographic protocols. As a best practice to safeguard the keys, configure the master key on each firewall to be unique. However, if you use Panorama, you must use the same master key on Panorama and all managed firewalls. Otherwise, Panorama cannot push configurations to the firewalls.
• Manage Firewall Administrators: Every Palo Alto Networks firewall and appliance is preconfigured with a default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall. As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This allows you to better protect the firewall from unauthorized configuration (or modification) and to enable logging of the actions of each individual administrator.
• Enable User Identification (User-ID): User-ID is a Palo Alto Networks next-generation firewall feature that allows you to create policies and perform reporting based on users and groups rather than individual IP addresses.
• Enable Decryption: Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted or tunneled traffic.
• Enable Passive DNS Collection for Improved Threat Intelligence: Enable this opt-in feature to enable the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and threat prevention capabilities.
• Follow the Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions.

Firewall Administration

Administrators can configure, manage, and monitor Palo Alto Networks firewalls using the web interface, CLI, and API management interface. You can customize role-based administrative access to the management interfaces to delegate specific tasks or permissions to certain administrators.
• Management Interfaces
• Use the Web Interface
• Manage Configuration Backups
• Manage Firewall Administrators
• Reference: Web Interface Administrator Access
• Reference: Port Number Usage
• Reset the Firewall to Factory Default Settings
• Bootstrap the Firewall

Management Interfaces

You can use the following user interfaces to manage the Palo Alto Networks firewall and Panorama:
• Use the Web Interface to complete administrative tasks and generate reports from the web interface with relative ease. This graphical interface allows you to access the firewall using HTTPS and it is the best way to perform administrative tasks.
• Use the Command Line Interface (CLI) to enter commands in rapid succession to complete a series of tasks. The CLI is a no-frills interface that supports two command modes and each mode has its own hierarchy of commands and statements. When you become familiar with the nesting structure and syntax of the commands, the CLI provides quick response times and administrative efficiency.
• Use the XML API to streamline your operations and integrate with existing, internally developed applications and repositories. The XML API is a web service implemented using HTTP/HTTPS requests and responses.

Use the Web Interface

The following topics describe how to use the firewall web interface. For detailed information about specific tabs and fields in the web interface, refer to the Web Interface Reference Guide.
• Launch the Web Interface
• Configure Banners, Message of the Day, and Logos
• Use the Administrator Login Activity Indicators to Detect Account Misuse
• Manage and Monitor Administrative Tasks
• Commit, Validate, and Preview Firewall Configuration Changes
• Use Global Find to Search the Firewall or Panorama Management Server
• Manage Locks for Restricting Configuration Changes

Launch the Web Interface

The following web browsers are supported for access to the web interface:
• Internet Explorer 7+
• Firefox 3.6+
• Safari 5+
• Chrome 11+

Launch the Web Interface

Step 1  Launch an Internet browser and enter the IP address of the firewall in the URL field (https://<IP address>).
        By default, the management (MGT) interface allows only HTTPS access to the web interface. To enable other protocols, select Device > Setup > Management and edit the Management Interface Settings.

Step 2  Enter your user Name and Password. If this is your first login session, enter the default admin for both fields.

Step 3  If the login dialog has a banner, read it. If the dialog requires you to acknowledge reading the banner, select I Accept and Acknowledge the Statement Below.

Step 4  Log in to the web interface.

Step 5  Read and Close the messages of the day.
        You can select Do not show again for messages you don't want to see in future login sessions.
        If you want to change the language that the web interface uses, click Language at the bottom of the web interface, select a Language from the drop-down, and click OK.

Configure Banners, Message of the Day, and Logos

A login banner is optional text that you can add to the login page so that administrators will see information they must know before they log in. For example, you could add a message to notify users of restrictions on unauthorized use of the firewall.
You can add colored bands that highlight overlaid text across the top (header banner) and bottom (footer banner) of the web interface to ensure administrators see critical information, such as the classification level for firewall administration.
A message of the day dialog automatically displays after you log in. The dialog displays messages that Palo Alto Networks embeds to highlight important information associated with a software or content release. You can also add one custom message to ensure administrators see information, such as an impending system restart, that might affect their tasks.
You can replace the default logos that appear on the login page and in the header of the web interface with the logos of your organization.

Configure Banners, Message of the Day, and Logos

Step 1  Configure the login banner.
        1. Select Device > Setup > Management and edit the General Settings.
        2. Enter the Login Banner (up to 3,200 characters).
        3. (Optional) Select Force Admins to Acknowledge Login Banner to force administrators to select an I Accept and Acknowledge the Statement Below check box above the banner text to activate the Login button.
        4. Click OK.

Step 2  Set the message of the day.
        1. Select Device > Setup > Management and edit the Banners and Messages settings.
        2. Enable the Message of the Day.
        3. Enter the Message of the Day (up to 3,200 characters).
           After you enter the message and click OK, administrators who subsequently log in, and active administrators who refresh their browsers, see the new or updated message immediately; a commit isn't necessary. This enables you to inform other administrators of an impending commit that might affect their configuration changes. Based on the commit time that your message specifies, the administrators can then decide whether to complete, save, or undo their changes.
        4. (Optional) Select Allow Do Not Display Again (default is disabled) to give administrators the option to suppress a message of the day after the first login session. Each administrator can suppress messages only for his or her own login sessions. In the message of the day dialog, each message will have its own suppression option.
        5. (Optional) Enter a header Title for the message of the day dialog (default is Message of the Day).

Step 3  Configure the header and footer banners.
        A bright background color and contrasting text color can increase the likelihood that administrators will notice and read a banner. You can also use colors that correspond to classification levels in your organization.
        1. Enter the Header Banner (up to 3,200 characters).
        2. (Optional) Clear Same Banner Header and Footer (enabled by default) to use different header and footer banners.
        3. Enter the Footer Banner (up to 3,200 characters) if the header and footer banners differ.
        4. Click OK.

Step 4  Replace the logos on the login page and in the header.
        The maximum size for any logo image is 128 KB.
        1. Select Device > Setup > Operations and click Custom Logos in the Miscellaneous section.
        2. Perform the following steps for both the Login Screen logo and the Main UI (header) logo:
           a. Click upload.
           b. Select a logo image and click Open.
              You can preview the image to see how PAN-OS will crop it to fit.
           c. Click Close.
        3. Commit your changes.

Step 5  Verify that the banners, message of the day, and logos display as expected.
        1. Log out to return to the login page, which displays the new logos you selected.
        2. Enter your login credentials, review the banner, select I Accept and Acknowledge the Statement Below to enable the Login button, and then Login.
           A dialog displays the message of the day. Messages that Palo Alto Networks embedded display on separate pages in the same dialog. To navigate the pages, click the right or left arrows along the sides of the dialog or click a page selector at the bottom of the dialog.
        3. (Optional) You can select Do not show again for the message you configured and for any messages that Palo Alto Networks embedded.
        4. Close the message of the day dialog to access the web interface.
           Header and footer banners display in every web interface page with the text and colors that you configured. The new logo you selected for the web interface displays below the header banner.

Use the Administrator Login Activity Indicators to Detect Account Misuse

The last login time and failed login attempts indicators provide a visual way to detect misuse of your administrator account on a Palo Alto Networks firewall or Panorama management server. Use the last login information to determine if someone else logged in using your credentials and use the failed login attempts indicator to determine if your account is being targeted in a brute-force attack.

Use the Login Activity Indicators to Detect Account Misuse

Step 1  View the login activity indicators to monitor recent activity on your account.
        1. Log in to the web interface on your firewall or Panorama management server.
        2. View the last login details located at the bottom left of the window and verify that the timestamp corresponds to your last login.
        3. Look for a caution symbol to the right of the last login time information for failed login attempts.
           The failed login indicator appears if one or more failed login attempts occurred using your account since the last successful login.
           a. If you see the caution symbol, hover over it to display the number of failed login attempts.
           b. Click the caution symbol to view the failed login attempts summary. Details include the admin account name, the reason for the login failure, the source IP address, and the date and time.
              After you successfully log in and then log out, the failed login counter resets to zero so you will see new failed login details, if any, the next time you log in.


4. Locate hosts that are continually attempting to log in to your firewall or Panorama management server.
   a. Click the failed login caution symbol to view the failed login attempts summary.
   b. Locate and record the source IP address of the host that attempted to log in. For example, the following figure shows multiple failed login attempts from the IP address 192.168.2.10.
   c. Work with your network administrator to locate the user and host that is using the IP address that you identified.
      If you cannot locate the system that is performing the brute-force attack, consider renaming the account to prevent future attacks.

Step 2 Take the following actions if you detect an account compromise.
1. Select Monitor > Logs > Configuration and view the configuration changes and commit history to determine if your account was used to make changes without your knowledge.
2. Select Device > Config Audit to compare the current configuration and the configuration that was running just prior to the configuration you suspect was changed using your credentials. You can also do this using Panorama.
   If your administrator account was used to create a new account, performing a configuration audit helps you detect changes that are associated with any unauthorized accounts, as well.
3. Revert the configuration to a known good configuration if you see that logs were deleted or if you have difficulty determining if improper changes were made using your account.
   Before you commit to a previous configuration, review it to ensure that it contains the correct settings. For example, the configuration that you revert to may not contain recent changes, so apply those changes after you commit the backup configuration.

Use the following best practices to help prevent brute-force attacks on privileged accounts.
• Limit the number of failed attempts allowed before the firewall locks a privileged account by setting the number of Failed Attempts and the Lockout Time (min) in the authentication profile or in the Authentication Settings for the Management interface (Device > Setup > Management > Authentication Settings).
• Use Interface Management Profiles to Restrict Access.
• Enforce complex passwords for privileged accounts.
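The failed login attempts summary and the Failed Attempts / Lockout Time (min) settings described above lend themselves to a small analysis script. The following Python is an added example, not part of the PAN-OS guide or the firewall's code: it parses failed-login records in a constructed comma-separated layout (the same four fields the summary shows, but not the firewall's own log format), lists the source IPs that repeatedly failed against an account, and models the lockout policy so you can see when an account would lock and which attempts would be rejected. The function names, thresholds and sample timestamps are assumptions made for the example.

```python
"""Added example (not from the PAN-OS guide): summarize failed administrator
logins by source IP and model the Failed Attempts / Lockout Time (min) policy.
The record layout is constructed for the example; it carries the four fields the
firewall shows in its failed login attempts summary (date and time, account,
source IP, reason) but is not the firewall's own log format."""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional


class FailedLogin(NamedTuple):
    when: datetime
    account: str
    source_ip: str
    reason: str


# Constructed sample records: "<date time>,<account>,<source IP>,<reason>".
SAMPLE_FAILED_LOGINS = """\
2016-10-21 09:14:02,admin,192.168.2.10,Invalid username/password
2016-10-21 09:14:05,admin,192.168.2.10,Invalid username/password
2016-10-21 09:14:09,admin,192.168.2.10,Invalid username/password
2016-10-21 09:20:31,secadmin,10.1.5.22,Invalid username/password
2016-10-21 09:14:14,admin,192.168.2.10,Invalid username/password
2016-10-21 09:14:20,admin,192.168.2.10,Invalid username/password
"""


def parse_failed_logins(text: str) -> List[FailedLogin]:
    """Parse the constructed record layout, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        when, account, source_ip, reason = line.split(",", 3)
        records.append(FailedLogin(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                                   account, source_ip, reason))
    return records


def failures_by_source(records: List[FailedLogin], account: str) -> Dict[str, int]:
    """Number of failed logins per source IP for one administrator account."""
    return dict(Counter(r.source_ip for r in records if r.account == account))


def suspicious_sources(records: List[FailedLogin], account: str, threshold: int) -> List[str]:
    """Source IPs that failed at least `threshold` times against `account`:
    the hosts step 1.4 of the procedure tells you to locate."""
    counts = failures_by_source(records, account)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def lockout_timeline(records: List[FailedLogin], account: str,
                     failed_attempts: int, lockout_minutes: int) -> Dict[str, object]:
    """Model the lockout policy: after `failed_attempts` consecutive failures the
    account locks for `lockout_minutes`; attempts during the lockout are rejected
    without advancing the counter. Only failures are modelled here; on the
    firewall a successful login also resets the counter."""
    events = sorted((r for r in records if r.account == account), key=lambda r: r.when)
    lock_until: Optional[datetime] = None
    streak = 0
    locked_at: List[datetime] = []
    rejected = 0
    for r in events:
        if lock_until is not None:
            if r.when < lock_until:
                rejected += 1  # attempt made while the account is still locked
                continue
            lock_until = None  # lockout expired, start counting again
            streak = 0
        streak += 1
        if streak >= failed_attempts:
            lock_until = r.when + timedelta(minutes=lockout_minutes)
            locked_at.append(r.when)
            streak = 0
    return {"locked_at": locked_at, "rejected_while_locked": rejected}


if __name__ == "__main__":
    recs = parse_failed_logins(SAMPLE_FAILED_LOGINS)
    print(failures_by_source(recs, "admin"))
    print(suspicious_sources(recs, "admin", threshold=3))
    print(lockout_timeline(recs, "admin", failed_attempts=3, lockout_minutes=15))
```

With the sample data and a policy of 3 failed attempts and a 15-minute lockout, the admin account locks at the third failure (09:14:09) and the two later attempts from 192.168.2.10 are rejected without being counted, which is the behaviour the first best practice above relies on.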


Manage and Monitor Administrative Tasks

The Task Manager displays details about all the operations that you and other administrators initiated (such as manual commits) or that the firewall initiated (such as scheduled report generation) since the last firewall reboot. You can use the Task Manager to troubleshoot failed operations, investigate warnings associated with completed commits, view details about queued commits, or cancel pending commits.

You can also view System Logs to monitor system events on the firewall or view Config Logs to monitor firewall configuration changes.

Manage and Monitor Administrative Tasks

Step 1 Click Tasks at the bottom of the web interface.

Step 2 Show only Running tasks (in progress) or All tasks (default). Optionally, filter the tasks by type:
• Jobs: Administrator-initiated commits, firewall-initiated commits, and software or content downloads and installations.
• Reports: Scheduled reports.
• Log Requests: Log queries that you trigger by accessing the Dashboard or a Monitor page.

Step 3 Perform any of the following actions:
• Display or hide task details: By default, the Task Manager displays the Type, Status, Start Time, and Messages for each task. To see the End Time and Job ID for a task, you must manually configure the display to expose those columns. To display or hide a column, open the drop-down in any column header, select Columns, and select or deselect the column names as needed.
• Investigate warnings or failures: Read the entries in the Messages column for task details. If the column says Too many messages, click the corresponding entry in the Type column to see more information.
• Display a commit description: If an administrator entered a description when configuring a commit, you can click Commit Description in the Messages column to display the description.
• Check the position of a commit in the queue: The Messages column indicates the queue position of commits that are in progress.
• Cancel pending commits: Click Clear Commit Queue to cancel all pending commits (available only to predefined administrative roles). To cancel an individual commit, click x in the Action column for that commit (the commit remains in the queue until the firewall dequeues it). You cannot cancel commits that are in progress.

Commit, Validate, and Preview Firewall Configuration Changes

A commit is the process of activating changes that you made to the firewall configuration. The firewall queues commit operations in the order you and other administrators initiate them. If the queue already has the maximum number of commits (which varies by platform), you must wait for the firewall to process a pending commit before initiating a new commit. To cancel pending commits or view details about commits of any status, see Manage and Monitor Administrative Tasks. To check which changes a commit will activate, you can run a commit preview.

For details on candidate and running configurations, see Manage Configuration Backups.
To prevent multiple administrators from making configuration changes during concurrent sessions, see Manage Locks for Restricting Configuration Changes.


When you initiate a commit, the firewall checks the validity of the changes before activating them. The validation output displays conditions that either block the commit (errors) or that are important to know but that do not block the commit (warnings). For example, validation could indicate an invalid route destination that you need to fix for the commit to succeed. To identify and fix configuration errors before initiating a commit, you can validate changes without committing. A pre-commit validation displays the same errors and warnings as a commit, including reference errors, rule shadowing, and application dependency warnings. Pre-commit validations are useful if your organization allows commits only within certain time windows; you can find and fix errors to avoid failures that could cause you to miss a commit window.

Preview, Validate, or Commit Firewall Configuration Changes

Step 1 Configure the commit, validation, or preview options.
1. Click Commit at the top of the web interface.
2. (Optional) Exclude certain types of configuration changes. These options are included (enabled) by default.
   If dependencies between the configuration changes you included and excluded cause a validation error, perform the commit with all the changes included. For example, if your changes introduce a new Log Forwarding profile (an object) that references a new Syslog server profile (a device setting), the commit must include both the policy and object configuration and the device and network configuration.
   • Include Device and Network configuration
   • Include Policy and Object configuration: This is available only on firewalls for which multiple virtual systems capability is disabled.
   • Include Shared Object configuration: This is available only on firewalls with multiple virtual systems.
   • Include Virtual System configuration: This is available only on firewalls with multiple virtual systems. Select All virtual systems (default) or Select one or more virtual systems in the list.
3. (Optional) Enter a Description for the commit. A brief summary of what changed in the configuration is useful to other administrators who want to know what changes were made without performing a configuration audit.

Step 2 (Optional) Preview the changes that the commit will activate. This can be useful if, for example, you don't remember all your changes and you're not sure you want to activate all of them.
The firewall displays the changes in a new window that shows the running and candidate configurations side by side using colors to highlight the differences line by line.
1. Click Preview Changes.
2. Select the Lines of Context, which is the number of lines from the compared configuration files to display before and after each highlighted difference. These additional lines help you correlate the preview output to settings in the web interface.
   Because the preview results display in a new window, your browser must allow pop-up windows. If the preview window does not open, refer to your browser documentation for the steps to unblock pop-up windows.
3. Close the preview window when you finish reviewing the changes.

Step 3 (Optional) Validate the changes before you commit to ensure the commit will succeed.
1. Click Validate Changes. The results display all the errors and warnings that an actual commit would display.
2. Resolve any errors that the validation results identify.


Step 4 Commit your configuration changes.
Click Commit.
To view details about commits that are pending (which you can still cancel), in progress, completed, or failed, see Manage and Monitor Administrative Tasks.
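Config Audit (step 2 of the account-compromise procedure earlier in this chapter) and Preview Changes with its Lines of Context setting both compare two versions of the XML configuration. The following Python is an added example, not the firewall's code and not an export from a real device: it diffs two constructed configuration versions with a configurable number of context lines and reports administrator accounts that exist only in the newer version, or whose role changed, which is exactly the kind of change a configuration audit after a suspected compromise is looking for. The XML layout (mgt-config/users/entry with permissions/role-based) is modelled on the firewall configuration but simplified; the account names, hostname and file labels are assumptions.

```python
"""Added example (not from the PAN-OS guide): compare two configuration versions
the way Preview Changes / Config Audit do, with a configurable number of lines
of context, and flag administrator accounts that are new or whose role changed.
Both snippets are constructed; the layout is modelled on the firewall's XML
configuration (mgt-config/users) but is not an export from a real device."""
import difflib
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

PREVIOUS_VERSION = """\
<config version="7.1.0">
  <mgt-config>
    <users>
      <entry name="admin">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="netops">
        <permissions><role-based><deviceadmin>yes</deviceadmin></role-based></permissions>
      </entry>
    </users>
  </mgt-config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig><system><hostname>fw-edge-01</hostname></system></deviceconfig>
    </entry>
  </devices>
</config>
"""

CURRENT_CANDIDATE = """\
<config version="7.1.0">
  <mgt-config>
    <users>
      <entry name="admin">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="netops">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="svc-backup">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
    </users>
  </mgt-config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig><system><hostname>fw-edge-01</hostname></system></deviceconfig>
    </entry>
  </devices>
</config>
"""


def config_diff(old_xml: str, new_xml: str, lines_of_context: int = 2) -> List[str]:
    """Unified diff of two configuration files; `lines_of_context` plays the
    same role as the Lines of Context setting in Preview Changes. Identical
    inputs produce an empty list."""
    return list(difflib.unified_diff(
        old_xml.splitlines(), new_xml.splitlines(),
        fromfile="previous-version.xml", tofile="candidate.xml",
        n=lines_of_context, lineterm=""))


def admin_accounts(xml_text: str) -> Dict[str, str]:
    """Map each administrator name to its role: the first tag under
    permissions/role-based (e.g. 'superuser'), or 'unknown' if none is present."""
    root = ET.fromstring(xml_text)
    accounts: Dict[str, str] = {}
    for entry in root.findall("./mgt-config/users/entry"):
        role_tags = [child.tag for child in entry.findall("./permissions/role-based/*")]
        accounts[entry.get("name", "")] = role_tags[0] if role_tags else "unknown"
    return accounts


def new_admin_accounts(old_xml: str, new_xml: str) -> List[str]:
    """Administrator accounts that exist only in the newer configuration."""
    old, new = admin_accounts(old_xml), admin_accounts(new_xml)
    return sorted(name for name in new if name not in old)


def changed_admin_roles(old_xml: str, new_xml: str) -> Dict[str, Tuple[str, str]]:
    """Accounts present in both versions whose role differs: (old role, new role)."""
    old, new = admin_accounts(old_xml), admin_accounts(new_xml)
    return {name: (old[name], new[name]) for name in old if name in new and old[name] != new[name]}


if __name__ == "__main__":
    print("\n".join(config_diff(PREVIOUS_VERSION, CURRENT_CANDIDATE, lines_of_context=2)))
    print("new accounts:", new_admin_accounts(PREVIOUS_VERSION, CURRENT_CANDIDATE))
    print("role changes:", changed_admin_roles(PREVIOUS_VERSION, CURRENT_CANDIDATE))
```

On the sample data the diff shows the added svc-backup entry and the netops role change, `new_admin_accounts` returns the unexpected superuser account, and `changed_admin_roles` reports that netops went from deviceadmin to superuser; on a real device you would run the same comparison against the exported configuration versions described under Manage Configuration Backups.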

Use Global Find to Search the Firewall or Panorama Management Server

Global Find enables you to search the candidate configuration on a firewall or on Panorama for a particular string, such as an IP address, object name, policy rule name, threat ID, or application name. The search results are grouped by category and provide links to the configuration location in the web interface, so that you can easily find all of the places where the string is referenced. The search results also help you identify other objects that depend on or make reference to the search term or string. For example, when deprecating a security profile, enter the profile name in Global Find to locate all instances of the profile and then click each instance to navigate to the configuration page and make the necessary change. After all references are removed, you can then delete the profile. You can do this for any configuration item that has dependencies.

Global Find will not search dynamic content (such as logs, address ranges, or allocated DHCP addresses). In the case of DHCP, you can search on a DHCP server attribute, such as the DNS entry, but you cannot search for individual addresses allocated to users. Global Find also does not search for individual user or group names identified by User-ID unless the user/group is defined in a policy. In general, you can only search content that the firewall writes to the configuration.

Use Global Find

Launch Global Find by clicking the Search icon located on the upper right of the web interface.

To access Global Find from within a configuration area, click the drop-down next to an item and select Global Find:


For example, click Global Find on a zone named l3-vlan-trust to search the candidate configuration for each location where the zone is referenced. The following screen capture shows the search results for the zone l3-vlan-trust:

Search tips:
• If you initiate a search on a firewall that has multiple virtual systems enabled or if custom Administrative Roles are defined, Global Find will only return results for areas of the firewall in which the administrator has permissions. The same applies to Panorama device groups.
• Spaces in search terms are handled as AND operations. For example, if you search on corp policy, the search results include instances where corp and policy exist in the configuration.
• To find an exact phrase, enclose the phrase in quotation marks.
• To rerun a previous search, click Search (located on the upper right of the web interface) to see a list of the last 20 searches. Click an item in the list to rerun that search. Search history is unique to each administrator account.
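The search tips above describe AND semantics for spaces and exact matching for quoted phrases. As an added example (not the firewall's own search code), the following Python implements that behaviour over a constructed candidate configuration: each hit is reported as the path of the matching element so that every reference can be located, and hits are grouped by the configuration area they belong to, mirroring the grouped results in the web interface. The configuration layout (devices/entry/vsys/entry with zone, address and rulebase/security/rules children) is loosely modelled on the firewall's XML; the zone, address and rule names are assumptions.

```python
"""Added example (not from the PAN-OS guide): a Global Find-style search over a
candidate configuration. Spaces between terms are an AND, a quoted phrase must
match exactly, and each hit is reported as the path of the matching element.
The configuration is constructed for the example and only loosely modelled on
the firewall's XML layout; the zone, address and rule names are assumptions."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
<config version="7.1.0">
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <zone>
   <entry name="l3-vlan-trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
   <entry name="l3-vlan-untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
  </zone>
  <address>
   <entry name="corp-web"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
  </address>
  <rulebase><security><rules>
   <entry name="corp policy">
    <from><member>l3-vlan-trust</member></from>
    <to><member>l3-vlan-untrust</member></to>
    <source><member>corp-web</member></source>
    <action>allow</action>
   </entry>
   <entry name="policy-corp-vpn">
    <from><member>l3-vlan-untrust</member></from>
    <to><member>l3-vlan-trust</member></to>
    <action>deny</action>
   </entry>
  </rules></security></rulebase>
 </entry></vsys></entry></devices>
</config>
"""


def parse_query(query: str) -> List[str]:
    """Split a search string into lower-cased terms: text inside double quotes
    is one exact phrase; everything else is split on whitespace (AND terms)."""
    terms = []
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', query):
        term = (quoted or bare).strip('"').strip().lower()
        if term:
            terms.append(term)
    return terms


def _flatten(elem: ET.Element, parent_path: str, out: List[Tuple[str, ET.Element]]) -> None:
    """Record every element with an XPath-like path that includes name attributes."""
    name = elem.get("name")
    segment = elem.tag + (f"[@name='{name}']" if name else "")
    path = f"{parent_path}/{segment}"
    out.append((path, elem))
    for child in elem:
        _flatten(child, path, out)


def global_find(xml_text: str, query: str) -> List[str]:
    """Paths of configuration elements whose name attribute or text contains
    every term (AND, case-insensitive). An empty query returns no hits."""
    terms = parse_query(query)
    if not terms:
        return []
    flat: List[Tuple[str, ET.Element]] = []
    _flatten(ET.fromstring(xml_text), "", flat)
    hits = []
    for path, elem in flat:
        fields = [elem.get("name") or "", (elem.text or "").strip()]
        searchable = " ".join(f for f in fields if f).lower()
        if searchable and all(term in searchable for term in terms):
            hits.append(path)
    return hits


def group_by_category(paths: List[str]) -> Dict[str, List[str]]:
    """Group hits by the configuration area directly under the vsys entry
    (zone, address, rulebase, ...), like the grouped results in the web interface."""
    groups: Dict[str, List[str]] = {}
    for path in paths:
        segments = path.split("/")
        category = "other"
        for i, segment in enumerate(segments):
            if segment == "vsys" and i + 2 < len(segments):
                category = segments[i + 2]
                break
        groups.setdefault(category, []).append(path)
    return groups


if __name__ == "__main__":
    for query in ("l3-vlan-trust", "corp policy", '"corp policy"'):
        print(query, "->", group_by_category(global_find(SAMPLE_CONFIG, query)))
```

Searching for l3-vlan-trust returns the zone itself plus the two rule members that reference it (and not l3-vlan-untrust); corp policy matches both the rule named "corp policy" and policy-corp-vpn because both terms occur in each name, while the quoted form matches only the exact rule name.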

Manage Locks for Restricting Configuration Changes

Locking the candidate or running configuration prevents other administrators from changing the configuration until you manually remove the lock, a superuser removes the lock, or the firewall automatically removes it (after a commit). Locks ensure that administrators don't make conflicting changes to the same settings or interdependent settings during concurrent login sessions.

The firewall queues commit requests and performs them in the order that administrators initiate the commits. For details, see Commit, Validate, and Preview Firewall Configuration Changes. To view the status of queued commits, see Manage and Monitor Administrative Tasks.

Manage Locks for Restricting Configuration Changes

View details about current locks.
For example, you can check whether other administrators have set locks and read comments they entered to explain the locks.
Click the lock at the top of the web interface. An adjacent number indicates the number of current locks.


Lock a configuration.
1. Click the lock at the top of the web interface.
   The lock image varies based on whether existing locks are or are not set.
2. Take a Lock and select the lock Type:
   • Config: Blocks other administrators from changing the candidate configuration.
   • Commit: Blocks other administrators from changing the running configuration.
3. (Firewall with multiple virtual systems only) Select a Location to lock the configuration for a specific virtual system or the Shared location.
4. (Optional) As a best practice, enter a Comment so that other administrators will understand the reason for the lock.
5. Click OK and Close.

Unlock a configuration.
Only a superuser or the administrator who locked the configuration can manually unlock it. However, the firewall automatically removes a lock after completing the commit operation.
1. Click the lock at the top of the web interface.
2. Select the lock entry in the list.
3. Click Remove Lock, OK, and Close.

Configure the firewall to automatically lock the running configuration when you change the candidate configuration. This setting applies to all administrators.
1. Select Device > Setup > Management and edit the General Settings.
2. Select Automatically Acquire Commit Lock and then click OK and Commit.


Manage Configuration Backups

The running configuration comprises all settings you have committed and that are therefore active, such as policy rules that currently block or allow various types of traffic in your network. The candidate configuration is a copy of the running configuration plus any inactive changes that you made after the last commit. Backing up versions of the running or candidate configuration enables you to later restore those versions on the firewall. For example, if a commit validation shows that the current candidate configuration has more errors than you are able or have time to fix, then you can restore a previous candidate configuration or revert to the running configuration.

See Commit, Validate, and Preview Firewall Configuration Changes for related information.

• Back Up a Configuration
• Restore a Configuration

Back Up a Configuration

Creating configuration backups enables you to later Restore a Configuration. This is useful when you want to revert the firewall to all the settings of an earlier configuration because you can perform the restoration as a single operation instead of manually reconfiguring each setting in the current configuration. You can either save backups locally on the firewall or export backups to an external host.
When you commit changes, the firewall automatically saves a new version of the running configuration. If a system event or administrator action causes the firewall to reboot, it automatically reverts to the current version of the running configuration, which the firewall stores in a file named running-config.xml. However, the firewall does not automatically save a backup of the candidate configuration; you must manually save a backup of the candidate configuration as a snapshot file using either the default name (.snapshot.xml) or a custom name.

When you edit a setting and click OK, the firewall updates the candidate configuration but does not save a backup snapshot.
Additionally, saving changes does not activate them. To activate changes, perform a commit (see Commit, Validate, and Preview Firewall Configuration Changes).
As a best practice, back up any important configuration to a host external to the firewall.


Back Up a Configuration

Step 1 Save a local backup snapshot of the candidate configuration if it contains changes that you want to preserve in the event the firewall reboots.
These are changes you are not ready to commit, for example, changes you cannot finish in the current login session.
Perform one of the following tasks based on whether you want to overwrite the default snapshot (.snapshot.xml) or create a snapshot with a custom name:
• Overwrite the default snapshot: Click Save at the top of the web interface.
• Create a custom-named snapshot:
  a. Select Device > Setup > Operations and Save named configuration snapshot.
  b. Enter a Name for the snapshot or select an existing snapshot to overwrite.
  c. Click OK and Close.

Step 2 Export a candidate configuration, a running configuration, or the firewall state information to a host external to the firewall.
Select Device > Setup > Operations and click an export option:
• Export named configuration snapshot: Export the current running configuration, a named candidate configuration snapshot, or a previously imported configuration (candidate or running). The firewall exports the configuration as an XML file with the Name you specify.
• Export configuration version: Select a Version of the running configuration to export as an XML file. The firewall creates a version whenever you commit configuration changes.
• Export device state: Export the firewall state information as a bundle. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the exported information on the replacement by importing the state bundle.

Restore a Configuration

Restoring a firewall configuration overwrites the current candidate configuration with another configuration. This is useful when you want to revert all firewall settings used in an earlier configuration; you can perform this restoration as a single operation instead of manually reconfiguring each setting in the current configuration.
The firewall automatically saves a new version of the running configuration whenever you commit changes and you can restore any of those versions. However, you must manually save a candidate configuration to later restore it (see Back Up a Configuration).

Restore a Configuration

Restore the current running configuration.
This operation undoes all the changes you made to the candidate configuration since the last commit.
1. Select Device > Setup > Operations and Revert to running configuration.
2. Click Yes to confirm the operation.


Restore the default snapshot of the candidate configuration.
This is the snapshot that you create or overwrite when you click Save at the top right of the web interface.
1. Select Device > Setup > Operations and Revert to last saved configuration.
2. Click Yes to confirm the operation.
3. (Optional) Click Commit to overwrite the running configuration with the snapshot.

Restore a previous version of the running configuration that is stored on the firewall.
The firewall creates a version whenever you commit configuration changes.
1. Select Device > Setup > Operations and Load configuration version.
2. Select a configuration Version and click OK.
3. (Optional) Click Commit to overwrite the running configuration with the version you just restored.

Restore one of the following:
• Current running configuration (named running-config.xml)
• Custom-named version of the running configuration that you previously imported
• Custom-named candidate configuration snapshot (instead of the default snapshot)
1. Select Device > Setup > Operations and click Load named configuration snapshot.
2. Select the snapshot Name and click OK.
3. (Optional) Click Commit to overwrite the running configuration with the snapshot.

Restore a running or candidate configuration that you previously exported to an external host.
1. Select Device > Setup > Operations, click Import named configuration snapshot, Browse to the configuration file on the external host, and click OK.
2. Click Load named configuration snapshot, select the Name of the configuration file you just imported, and click OK.
3. (Optional) Click Commit to overwrite the running configuration with the snapshot you just imported.

Restore state information that you exported from a firewall.
Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the information on the replacement by importing the state bundle.
Import state information:
1. Select Device > Setup > Operations, click Import device state, Browse to the state bundle, and click OK.
2. (Optional) Click Commit to apply the imported state information to the running configuration.


Manage Firewall Administrators

Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks firewalls. Every Palo Alto Networks firewall has a predefined default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall.

As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This enables you to better protect the firewall from unauthorized configuration and enables logging of the actions of individual administrators.

• Administrative Roles
• Administrative Authentication
• Configure Administrative Accounts and Authentication

Administrative Roles

A role defines the type of access that an administrator has to the firewall.
• Administrative Role Types
• Configure an Admin Role Profile

Administrative Role Types

The role types are:
• Dynamic Roles: These are built-in roles that provide access to the firewall. When new features are added, the firewall automatically updates the definitions of dynamic roles; you never need to manually update them. The following table lists the access privileges associated with dynamic roles.

Dynamic Role | Privileges
Superuser | Full access to the firewall, including defining new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.
Superuser (read-only) | Read-only access to the firewall.
Virtual system administrator | Full access to a selected virtual system (vsys) on the firewall.
Virtual system administrator (read-only) | Read-only access to a selected vsys on the firewall.
Device administrator | Full access to all firewall settings except for defining new accounts or virtual systems.
Device administrator (read-only) | Read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).


• Admin Role Profiles: Custom roles you can configure for more granular access control over the functional areas of the web interface, CLI, and XML API. For example, you can create an Admin Role profile for your operations staff that provides access to the firewall and network configuration areas of the web interface and a separate profile for your security administrators that provides access to security policy definitions, logs, and reports. On a multi-vsys firewall, you can select whether the role defines access for all virtual systems or for a specific vsys. When new features are added to the product, you must update the roles with corresponding access privileges: the firewall does not automatically add new features to custom role definitions. For details on the privileges you can configure for custom administrator roles, see Reference: Web Interface Administrator Access.

Configure an Admin Role Profile

Admin Role profiles enable you to define granular administrative access privileges to ensure protection for sensitive company information and privacy for end users.

As a best practice, create Admin Role profiles that allow administrators to access only the areas of the management interfaces that they need to access to perform their jobs.

Configure an Admin Role Profile

Step 1 Select Device > Admin Roles and click Add.

Step 2 Enter a Name to identify the role.

Step 3 For the scope of the Role, select Device or Virtual System.

Step 4 In the Web UI and XML API tabs, click the icon for each functional area to toggle it to the desired setting: Enable, Read Only, or Disable. For details on the Web UI options, see Web Interface Access Privileges.

Step 5 Select the Command Line tab and select a CLI access option. The Role scope controls the available options:
• Device role: superuser, superreader, deviceadmin, devicereader, or None
• Virtual System role: vsysadmin, vsysreader, or None

Step 6 Click OK to save the profile.

Step 7 Assign the role to an administrator. See Configure an Administrative Account.

Administrative Authentication

You can configure the following types of administrator authentication:

Account Type | Authentication Method | Description
Local | Local (no database) | The administrator account credentials and the authentication mechanisms are local to the firewall. You can further secure local accounts by setting global password complexity and expiration settings for all accounts or by creating a password profile that defines password expiration settings for specific accounts. For details, see Configure an Administrative Account.


Local | Local database | The firewall uses a local database to store the administrator account credentials and to perform authentication. If your network supports Kerberos single sign-on (SSO), you can configure local authentication as a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for Administrators.
Local | SSL-based | The administrator accounts are local to the firewall, but authentication is based on SSH certificates (for CLI access) or client certificates (for web interface access). For details, see Configure SSH Key-Based Administrator Authentication to the CLI and Configure Certificate-Based Administrator Authentication to the Web Interface.
Local | External service | The administrator accounts are local to the firewall, but external services (LDAP, Kerberos, TACACS+, or RADIUS) handle the authentication functions. If your network supports Kerberos single sign-on (SSO), you can configure external authentication as a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for Administrators.
External | External service | An external RADIUS server handles account management and authentication. You must define Vendor-Specific Attributes (VSAs) on your RADIUS server that map to the administrator role, access domain, user group (if applicable), and virtual system (if applicable). For details, see Configure RADIUS Vendor-Specific Attributes for Administrator Authentication.

Configure Administrative Accounts and Authentication

If you have already configured Administrative Roles and external authentication services (if applicable), you can Configure an Administrative Account. Otherwise, perform one of the other procedures listed below to configure administrative accounts for specific types of authentication.

Administrative accounts specify how administrators authenticate to the firewall. To configure how the firewall authenticates to administrators, see Replace the Certificate for Inbound Management Traffic.

• Configure an Administrative Account
• Configure Kerberos SSO and External or Local Authentication for Administrators
• Configure Certificate-Based Administrator Authentication to the Web Interface
• Configure SSH Key-Based Administrator Authentication to the CLI
• Configure RADIUS Vendor-Specific Attributes for Administrator Authentication

Configure an Administrative Account

Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks firewalls.


Configure an Administrative Account

Step 1 (Optional) Define password complexity and expiration settings for administrator accounts that are local to the firewall.
These settings can help protect the firewall against unauthorized access by making it harder for attackers to guess passwords.
You cannot configure these settings for local accounts that use a local database or external service for authentication.
1. Define global password complexity and expiration settings for all local administrators.
   a. Select Device > Setup > Management and edit the Minimum Password Complexity settings.
   b. Select Enabled.
   c. Define the password settings and click OK.
2. Define a Password Profile if you want certain local administrators to have password expiration settings that override the global settings.
   a. Select Device > Password Profiles and Add a profile.
   b. Enter a Name to identify the profile.
   c. Define the password expiration settings and click OK.

Step 2 Add an administrative account.
1. Select Device > Administrators and Add an administrator.
2. Enter a user Name.
3. Select an Authentication Profile or sequence if you configured either for the user.
   The default option (None) specifies that the firewall will locally manage and authenticate the account without a local database. In this case, you must enter and confirm a Password.
4. Select the Administrator Type. If you configured a custom role for the user, select Role Based and select the Admin Role Profile. Otherwise, select Dynamic (default) and select a dynamic role. If the dynamic role is virtual system administrator, add one or more virtual systems that the virtual system administrator is allowed to manage.
5. (Optional) Select a Password Profile for local administrators. This option is available only if you set the Authentication Profile to None.
6. Click OK and Commit.

Configure Kerberos SSO and External or Local Authentication for Administrators

You can configure the firewall to first try Kerberos single sign-on (SSO) authentication and, if that fails, fall back to External service or Local database authentication.

Configure Kerberos SSO and External or Local Authentication for Administrators

Step 1 Configure a Kerberos keytab for the firewall.
Required for Kerberos SSO authentication.
Create a Kerberos keytab. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the firewall.


Step 2 Configure a local database or external server profile.
Required for local database or external authentication.
• Local database authentication: Perform the following tasks:
  a. Configure the user account.
  b. (Optional) Configure a user group.
• External authentication: Perform one of the following tasks:
  • Configure a RADIUS Server Profile.
  • Configure a TACACS+ Server Profile.
  • Configure an LDAP Server Profile.
  • Configure a Kerberos Server Profile.

Step 3 Configure an authentication profile.
If your users are in multiple Kerberos realms, create an authentication profile for each realm and assign all the profiles to an authentication sequence. You can then assign the same authentication sequence to all user accounts (Step 4).
Configure an Authentication Profile and Sequence.

Step 4 Configure an administrator account.
Configure an Administrative Account.
• For local database authentication, specify the Name of the user you defined in Step 2.
• Assign the Authentication Profile or sequence and the Admin Role Profile that you just created.

Configure Certificate-Based Administrator Authentication to the Web Interface

As a more secure alternative to password-based authentication to the web interface of a Palo Alto Networks firewall, you can configure certificate-based authentication for administrator accounts that are local to the firewall. Certificate-based authentication involves the exchange and verification of a digital signature instead of a password.

Configuring certificate-based authentication for any administrator disables the username/password logins for all administrators on the firewall; administrators thereafter require the certificate to log in.

Configure Certificate-Based Administrator Authentication to the Web Interface

Step 1 Generate a certificate authority (CA) certificate on the firewall.
You will use this CA certificate to sign the client certificate of each administrator.
Create a Self-Signed Root CA Certificate.
Alternatively, Import a Certificate and Private Key from your enterprise CA.


Step 2 Configure a certificate profile for securing access to the web interface.
Configure a Certificate Profile.
• Set the Username Field to Subject.
• In the CA Certificates section, Add the CA Certificate you just created or imported.

Step 3 Configure the firewall to use the certificate profile for authenticating administrators.
1. Select Device > Setup > Management and edit the Authentication Settings.
2. Select the Certificate Profile you created for authenticating administrators and click OK.

Step 4 Configure the administrator accounts to use client certificate authentication.
For each administrator who will access the firewall web interface, Configure an Administrative Account and select Use only client certificate authentication.
If you have already deployed client certificates that your enterprise CA generated, skip to Step 8. Otherwise, go to Step 5.

Step 5 Generate a client certificate for each administrator.
Generate a Certificate. In the Signed By drop-down, select a self-signed root CA certificate.

Step 6 Export the client certificate.
1. Export a Certificate and Private Key.
2. Commit your changes. The firewall restarts and terminates your login session. Thereafter, administrators can access the web interface only from client systems that have the client certificate you generated.

Step 7 Import the client certificate into the client system of each administrator who will access the web interface.
Refer to your web browser documentation.

Step 8 Verify that administrators can access the web interface.
1. Open the firewall IP address in a browser on the computer that has the client certificate.
2. When prompted, select the certificate you imported and click OK. The browser displays a certificate warning.
3. Add the certificate to the browser exception list.
4. Click Login. The web interface should appear without prompting you for a username or password.


Configure SSH Key-Based Administrator Authentication to the CLI

For administrators who use Secure Shell (SSH) to access the CLI of a Palo Alto Networks firewall, SSH keys provide a more secure authentication method than passwords. SSH keys almost eliminate the risk of brute-force attacks, provide the option for two-factor authentication (key and passphrase), and don't send passwords over the network. SSH keys also enable automated scripts to access the CLI.

Configure SSH Key-Based Administrator Authentication to the CLI

Step 1  Use an SSH key generation tool to create an asymmetric key pair on the client system of the administrator.
        The supported key formats are IETF SECSH and OpenSSH. The supported algorithms are DSA (1,024 bits) and RSA (768-4,096 bits).
            For the commands to generate the key pair, refer to your SSH client documentation.
            The public key and private key are separate files. Save both to a location that the firewall can access. For added security, enter a passphrase to encrypt the private key. The firewall prompts the administrator for this passphrase during login.

Step 2  Configure the administrator account to use public key authentication.
            1. Configure an Administrative Account.
               - Configure the authentication method to use as a fallback if SSH key authentication fails. If you configured an Authentication Profile for the administrator, select it in the drop-down. If you select None, you must enter a Password and Confirm Password.
               - Select Use Public Key Authentication (SSH), then Import Key, Browse to the public key you just generated, and click OK.
            2. Commit your changes.

Step 3  Configure the SSH client to use the private key to authenticate to the firewall.
            Perform this task on the client system of the administrator. For the steps, refer to your SSH client documentation.

Step 4  Verify that the administrator can access the firewall CLI using SSH key authentication.
            1. Use a browser on the client system of the administrator to go to the firewall IP address.
            2. Log in to the firewall CLI as the administrator. After entering a username, you will see the following output (the key value is an example):
               Authenticating with public key dsa-key-20130415
            3. If prompted, enter the passphrase you defined when creating the keys.
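The import in Step 2 only succeeds for the key formats and sizes listed in Step 1 (IETF SECSH or OpenSSH; DSA 1,024 bits; RSA 768-4,096 bits). The following added example, which is not part of the guide and not Palo Alto Networks code, reads either file format, decodes the SSH wire-format blob, and reports whether the key is one the firewall accepts, so a key can be checked on the client before it is imported. The test keys it builds (`make_test_key`, `as_secsh`) are constructed blobs with the right layout, not real cryptographic keys.

```python
import base64
import struct

# Key types and sizes the procedure lists as supported: DSA (1,024 bits) and
# RSA (768-4,096 bits). Anything else should be rejected before import.
SUPPORTED = {"ssh-rsa": (768, 4096), "ssh-dss": (1024, 1024)}


def _read_field(blob, offset):
    """Read one length-prefixed field of an SSH wire-format public key."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def key_blob_from_text(text):
    """Return the raw key blob from either supported file format: a one-line
    OpenSSH key ('ssh-rsa AAAA... comment') or an IETF SECSH (RFC 4716) key
    wrapped in '---- BEGIN SSH2 PUBLIC KEY ----' armor."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        body = []
        for line in lines[1:]:
            if line.startswith("---- END"):
                break
            if ":" in line:        # RFC 4716 header such as 'Comment: ...'
                continue           # (base64 never contains a colon)
            body.append(line)
        return base64.b64decode("".join(body))
    return base64.b64decode(lines[0].split()[1])   # OpenSSH: type, blob, comment


def check_public_key(text):
    """Classify a public key file's text as (key_type, bits, ok, reason).
    ok is True only when the algorithm and size match SUPPORTED."""
    blob = key_blob_from_text(text)
    raw_type, off = _read_field(blob, 0)
    key_type = raw_type.decode()
    if key_type not in SUPPORTED:
        return key_type, 0, False, "algorithm not supported"
    if key_type == "ssh-rsa":
        _e, off = _read_field(blob, off)      # public exponent e
        n, _ = _read_field(blob, off)         # modulus n: its size is the key size
    else:
        n, _ = _read_field(blob, off)         # DSA prime p: its size is the key size
    bits = int.from_bytes(n, "big").bit_length()   # mpint may carry a leading 0x00
    low, high = SUPPORTED[key_type]
    if low <= bits <= high:
        return key_type, bits, True, "ok"
    return key_type, bits, False, "%d-bit %s is outside %d-%d" % (bits, key_type, low, high)


# ---- constructed test keys (valid wire layout, NOT real cryptographic keys) ----

def _mpint(value):
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")   # adds 0x00 when high bit set
    return struct.pack(">I", len(raw)) + raw


def _field(data):
    return struct.pack(">I", len(data)) + data


def make_test_key(key_type, bits):
    """Base64 blob with the wire layout of key_type whose modulus/prime is
    exactly `bits` bits long (constructed for testing; not a usable key)."""
    top = (1 << (bits - 1)) | 1
    if key_type == "ssh-rsa":
        blob = _field(b"ssh-rsa") + _mpint(65537) + _mpint(top)
    elif key_type == "ssh-dss":
        blob = _field(b"ssh-dss") + _mpint(top) + _mpint(3) + _mpint(2) + _mpint(5)
    else:
        blob = _field(key_type.encode()) + _field(b"\x00" * (bits // 8))
    return base64.b64encode(blob).decode()


def as_secsh(key_type, bits):
    """Wrap a constructed key in IETF SECSH armor (72-char base64 lines)."""
    b64 = make_test_key(key_type, bits)
    wrapped = "\n".join(b64[i:i + 72] for i in range(0, len(b64), 72))
    return ("---- BEGIN SSH2 PUBLIC KEY ----\n"
            'Comment: "constructed test key"\n' + wrapped +
            "\n---- END SSH2 PUBLIC KEY ----\n")


if __name__ == "__main__":
    for sample in ("ssh-rsa " + make_test_key("ssh-rsa", 2048) + " admin@example",
                   "ssh-rsa " + make_test_key("ssh-rsa", 8192),
                   "ssh-ed25519 " + make_test_key("ssh-ed25519", 256),
                   as_secsh("ssh-dss", 1024)):
        print(check_public_key(sample))
```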

Configure RADIUS Vendor-Specific Attributes for Administrator Authentication

The following procedure provides an overview of the tasks required to use RADIUS Vendor-Specific Attributes (VSAs) for administrator authentication to Palo Alto Networks firewalls. For detailed instructions, refer to the following Knowledge Base articles:
- For Windows 2003 Server, Windows 2008 (and later), and Cisco ACS 4.0: RADIUS Vendor-Specific Attributes (VSAs)
- For Cisco ACS 5.2: Configuring Cisco ACS 5.2 for use with Palo Alto VSA


Before starting this procedure, you must:
- Create the administrative accounts in the directory service that your network uses (for example, Active Directory).
- Set up a RADIUS server that can communicate with that directory service.

Use RADIUS Vendor-Specific Attributes for Account Authentication

Step 1  Configure the firewall.
            1. Configure an Admin Role Profile if the administrator will use a custom role.
            2. Configure an access domain if the firewall has more than one virtual system (vsys):
               a. Select Device > Access Domain, Add an access domain, and enter a Name to identify the access domain.
               b. Add each vsys that the administrator will access, and then click OK.
            3. Configure a RADIUS Server Profile.
            4. Configure an authentication profile. Set the authentication Type to RADIUS and assign the RADIUS Server Profile.
            5. Configure the firewall to use the authentication profile for administrator access: Select Device > Setup > Management, edit the Authentication Settings, and select the Authentication Profile.
            6. Click OK and Commit.

Step 2  Configure the RADIUS server.
            1. Add the firewall IP address or hostname as the RADIUS client.
            2. Define the VSAs for administrator authentication. You must specify the vendor code (25461 for Palo Alto Networks firewalls) and the VSA name, number, and value: see RADIUS Vendor-Specific Attributes Support.
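To see what the RADIUS server actually has to send in Step 2, the following added example (not part of the guide, not Palo Alto Networks code) encodes and decodes RFC 2865 Vendor-Specific attributes (type 26) for vendor code 25461. The vendor attribute numbers `VSA_ADMIN_ROLE = 1` and `VSA_ADMIN_ACCESS_DOMAIN = 2` are assumptions recalled from the PAN-OS RADIUS dictionary and must be confirmed against RADIUS Vendor-Specific Attributes Support; the role and access-domain strings, the user name, and the unrelated vendor id 99999 are constructed sample values.

```python
import struct

VENDOR_ID_PALO_ALTO = 25461      # vendor code given in Step 2 of the procedure
ATTR_VENDOR_SPECIFIC = 26        # RADIUS attribute type for VSAs (RFC 2865)
# Assumed vendor attribute numbers (recalled from the PAN-OS RADIUS
# dictionary); confirm them in "RADIUS Vendor-Specific Attributes Support".
VSA_ADMIN_ROLE = 1
VSA_ADMIN_ACCESS_DOMAIN = 2


def encode_vsa(vendor_type, value, vendor_id=VENDOR_ID_PALO_ALTO):
    """Encode one Vendor-Specific attribute carrying a single vendor
    sub-attribute with a string value (type 26, length, 4-byte vendor id,
    then vendor-type, vendor-length, value)."""
    data = value.encode()
    sub = struct.pack(">BB", vendor_type, 2 + len(data)) + data
    body = struct.pack(">I", vendor_id) + sub        # high octet of vendor id is 0
    if 2 + len(body) > 255:
        raise ValueError("VSA too long for a single RADIUS attribute")
    return struct.pack(">BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsas(attrs, vendor_id=VENDOR_ID_PALO_ALTO):
    """Walk a RADIUS attribute list (the bytes after the 20-byte packet header)
    and return {vendor_type: value} for every VSA from vendor_id. Attributes of
    other types and VSAs of other vendors are skipped; malformed lengths raise."""
    found = {}
    off = 0
    while off + 2 <= len(attrs):
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % off)
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            (vid,) = struct.unpack(">I", attrs[off + 2:off + 6])
            if vid == vendor_id:
                sub = attrs[off + 6:off + alen]
                soff = 0
                while soff + 2 <= len(sub):
                    vtype, vlen = sub[soff], sub[soff + 1]
                    if vlen < 2 or soff + vlen > len(sub):
                        raise ValueError("malformed vendor sub-attribute")
                    found[vtype] = sub[soff + 2:soff + vlen].decode()
                    soff += vlen
        off += alen
    return found


def admin_attributes(attrs):
    """Return (role, access_domain) from the Palo Alto VSAs, None for anything
    the server did not send. The role string must match the name of an Admin
    Role profile configured on the firewall in Step 1."""
    vsas = decode_vsas(attrs)
    return vsas.get(VSA_ADMIN_ROLE), vsas.get(VSA_ADMIN_ACCESS_DOMAIN)


def sample_access_accept_attrs():
    """Constructed attribute list such as a RADIUS server might return in an
    Access-Accept: User-Name (type 1), two Palo Alto VSAs, and one VSA from an
    unrelated vendor that the decoder must ignore."""
    user_name = struct.pack(">BB", 1, 2 + len(b"alice")) + b"alice"
    return (user_name
            + encode_vsa(VSA_ADMIN_ROLE, "securityadmin")
            + encode_vsa(VSA_ADMIN_ACCESS_DOMAIN, "vsys1-domain")
            + encode_vsa(1, "unrelated", vendor_id=99999))


if __name__ == "__main__":
    print(admin_attributes(sample_access_accept_attrs()))
```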


Reference: Web Interface Administrator Access

You can configure privileges for an entire firewall or for one or more virtual systems (on platforms that support multiple virtual systems). Within that Device or Virtual System designation, you can configure privileges for custom administrator roles, which are more granular than the fixed privileges associated with a dynamic administrator role.

Configuring privileges at a granular level ensures that lower-level administrators cannot access certain information. You can create custom roles for firewall administrators (see Configure an Administrative Account), Panorama administrators, or Device Group and Template administrators (refer to the Panorama Administrator's Guide). You apply the admin role to a custom role-based administrator account where you can assign one or more virtual systems. The following topics describe the privileges you can configure for custom administrator roles.
- Web Interface Access Privileges
- Panorama Web Interface Access Privileges

Web Interface Access Privileges

If you want to prevent a role-based administrator from accessing specific tabs on the web interface, you can disable the tab and the administrator will not even see it when logging in using the associated role-based administrative account. For example, you could create an Admin Role Profile for your operations staff that provides access to the Device and Network tabs only and a separate profile for your security administrators that provides access to the Object, Policy, and Monitor tabs.

An admin role can apply at the Device level or Virtual System level as defined by the Device or Virtual System radio button. If you select Virtual System, the admin assigned this profile is restricted to the virtual system(s) he or she is assigned to. Furthermore, only the Device > Setup > Services > Virtual Systems tab is available to that admin, not the Global tab.

The following topics describe how to set admin role privileges to the different parts of the web interface:
- Define Access to the Web Interface Tabs
- Provide Granular Access to the Monitor Tab
- Provide Granular Access to the Policy Tab
- Provide Granular Access to the Objects Tab
- Provide Granular Access to the Network Tab
- Provide Granular Access to the Device Tab
- Define User Privacy Settings in the Admin Role Profile
- Restrict Administrator Access to Commit and Validate Functions
- Provide Granular Access to Global Settings


Define Access to the Web Interface Tabs

The following table describes the top-level access privileges you can assign to an admin role profile (Device > Admin Roles). You can enable, disable, or define read-only access privileges at the top-level tabs in the web interface.

Access Level (Enable / Read Only / Disable) and Description

Dashboard (Enable: Yes, Read Only: No, Disable: Yes)
    Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the tab and will not have access to any of the Dashboard widgets.

ACC (Enable: Yes, Read Only: No, Disable: Yes)
    Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab will not display in the web interface. Keep in mind that if you want to protect the privacy of your users while still providing access to the ACC, you can disable the Privacy > Show Full Ip Addresses option and/or the Show User Names In Logs And Reports option.

Monitor (Enable: Yes, Read Only: No, Disable: Yes)
    Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the Monitor tab and will not have access to any of the logs, packet captures, session information, reports or to App Scope. For more granular control over what monitoring information the administrator can see, leave the Monitor option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Monitor Tab.

Policies (Enable: Yes, Read Only: No, Disable: Yes)
    Controls access to the Policies tab. If you disable this privilege, the administrator will not see the Policies tab and will not have access to any policy information. For more granular control over what policy information the administrator can see, for example to enable access to a specific type of policy or to enable read-only access to policy information, leave the Policies option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Policy Tab.

Objects (Enable: Yes, Read Only: No, Disable: Yes)
    Controls access to the Objects tab. If you disable this privilege, the administrator will not see the Objects tab and will not have access to any objects, security profiles, log forwarding profiles, decryption profiles, or schedules. For more granular control over what objects the administrator can see, leave the Objects option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Objects Tab.


Network (Enable: Yes, Read Only: No, Disable: Yes)
    Controls access to the Network tab. If you disable this privilege, the administrator will not see the Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information or to the network profiles. For more granular control over what objects the administrator can see, leave the Network option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Network Tab.

Device (Enable: Yes, Read Only: No, Disable: Yes)
    Controls access to the Device tab. If you disable this privilege, the administrator will not see the Device tab and will not have access to any firewall-wide configuration information, such as User-ID, high availability, server profile or certificate configuration information. For more granular control over what objects the administrator can see, leave the Device option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Device Tab.
    You cannot enable access to the Admin Roles or Administrators nodes for a role-based administrator even if you enable full access to the Device tab.

Provide Granular Access to the Monitor Tab

In some cases you might want to enable the administrator to view some but not all areas of the Monitor tab. For example, you might want to restrict operations administrators to the Config and System logs only, because they do not contain sensitive user data. Although this section of the administrator role definition specifies what areas of the Monitor tab the administrator can see, you can also couple privileges in this section with privacy privileges, such as disabling the ability to see user names in logs and reports. One thing to keep in mind, however, is that any system-generated reports will still show user names and IP addresses even if you disable that functionality in the role. For this reason, if you do not want the administrator to see any of the private user information, disable access to the specific reports as detailed in the following table.

The following table lists the Monitor tab access levels and the administrator roles for which they are available.

    Device Group and Template roles can see log data only for the device groups that are within the access domains assigned to those roles.

Access Level (Administrator Role Availability; Enable / Read Only / Disable) and Description

Monitor (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Enables or disables access to the Monitor tab. If disabled, the administrator will not see this tab or any of the associated logs or reports.


Logs (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Enables or disables access to all log files. You can also leave this privilege enabled and then disable specific logs that you do not want the administrator to see. Keep in mind that if you want to protect the privacy of your users while still providing access to one or more of the logs, you can disable the Privacy > Show Full Ip Addresses option and/or the Show User Names In Logs And Reports option.

Traffic (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can see the traffic logs.

Threat (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can see the threat logs.

URL Filtering (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can see the URL filtering logs.

WildFire Submissions (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can see the WildFire logs. These logs are only available if you have a WildFire subscription.

Data Filtering (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can see the data filtering logs.

HIP Match (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can see the HIP Match logs. HIP Match logs are only available if you have a GlobalProtect portal license and gateway subscription.

Configuration (Firewall: Yes, Panorama: Yes, Device Group/Template: No; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can see the configuration logs.

System (Firewall: Yes, Panorama: Yes, Device Group/Template: No; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can see the system logs.

Alarms (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can see system-generated alarms.

Automated Correlation Engine (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Enables or disables access to the correlation objects and correlated event logs generated on the firewall.


Correlation Objects (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can view and enable/disable the correlation objects.

Correlated Events (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator

Packet Capture (Firewall: Yes, Panorama: No, Device Group/Template: No; Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can see packet captures (pcaps) from the Monitor tab. Keep in mind that packet captures are raw flow data and as such may contain user IP addresses. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in the pcap and you should therefore disable the Packet Capture privilege if you are concerned about user privacy.

App Scope (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can see the App Scope visibility and analysis tools. Enabling App Scope enables access to all of the App Scope charts.

Session Browser (Firewall: Yes, Panorama: No, Device Group/Template: No; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can browse and filter current running sessions on the firewall. Keep in mind that the session browser shows raw flow data and as such may contain user IP addresses. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in the session browser and you should therefore disable the Session Browser privilege if you are concerned about user privacy.

Botnet (Firewall: Yes, Panorama: No, Device Group/Template: No; Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can generate and view botnet analysis reports or view botnet reports in read-only mode. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in scheduled botnet reports and you should therefore disable the Botnet privilege if you are concerned about user privacy.


PDF Reports (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Enables or disables access to all PDF reports. You can also leave this privilege enabled and then disable specific PDF reports that you do not want the administrator to see. Keep in mind that if you want to protect the privacy of your users while still providing access to one or more of the reports, you can disable the Privacy > Show Full Ip Addresses option and/or the Show User Names In Logs And Reports option.

Manage PDF Summary (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add or delete PDF summary report definitions. With read-only access, the administrator can see PDF summary report definitions, but not add or delete them. If you disable this option, the administrator can neither view the report definitions nor add/delete them.

PDF Summary Reports (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can see the generated PDF Summary reports in Monitor > Reports. If you disable this option, the PDF Summary Reports category will not display in the Reports node.

User Activity Report (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add or delete User Activity report definitions and download the reports. With read-only access, the administrator can see User Activity report definitions, but not add, delete, or download them. If you disable this option, the administrator cannot see this category of PDF report.

SaaS Application Usage Report (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add or delete a SaaS application usage report. With read-only access, the administrator can see the SaaS application usage report definitions, but cannot add or delete them. If you disable this option, the administrator can neither view the report definitions nor add or delete them.

Report Groups (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add or delete report group definitions. With read-only access, the administrator can see report group definitions, but not add or delete them. If you disable this option, the administrator cannot see this category of PDF report.


Email Scheduler (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can schedule report groups for email. Because the generated reports that get emailed may contain sensitive user data that is not removed by disabling the Privacy > Show Full Ip Addresses option and/or the Show User Names In Logs And Reports options and because they may also show log data to which the administrator does not have access, you should disable the Email Scheduler option if you have user privacy requirements.

Manage Custom Reports (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Enables or disables access to all custom report functionality. You can also leave this privilege enabled and then disable specific custom report categories that you do not want the administrator to be able to access. Keep in mind that if you want to protect the privacy of your users while still providing access to one or more of the reports, you can disable the Privacy > Show Full Ip Addresses option and/or the Show User Names In Logs And Reports option.
    Reports that are scheduled to run rather than run on demand will show IP address and user information. In this case, be sure to restrict access to the corresponding report areas. In addition, the custom report feature does not restrict the ability to generate reports that contain log data contained in logs that are excluded from the administrator role.

Application Statistics (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can create a custom report that includes data from the application statistics database.

Data Filtering Log (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can create a custom report that includes data from the Data Filtering logs.

Threat Log (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can create a custom report that includes data from the Threat logs.

Threat Summary (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can create a custom report that includes data from the Threat Summary database.


Traffic Log (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can create a custom report that includes data from the Traffic logs.

Traffic Summary (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can create a custom report that includes data from the Traffic Summary database.

URL Log (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can create a custom report that includes data from the URL Filtering logs.

Hipmatch (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can create a custom report that includes data from the HIP Match logs.

WildFire Log (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can create a custom report that includes data from the WildFire logs.

View Scheduled Custom Reports (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can view a custom report that has been scheduled to generate.

View Predefined Application Reports (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can view Application Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements.

View Predefined Threat Reports (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can view Threat Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements.

View Predefined URL Filtering Reports (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can view URL Filtering Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements.

View Predefined Traffic Reports (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can view Traffic Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements.


Provide Granular Access to the Policy Tab

If you enable the Policy option in the Admin Role profile, you can then enable, disable, or provide read-only access to specific nodes within the tab as necessary for the role you are defining. By enabling access to a specific policy type, you enable the ability to view, add, or delete policy rules. By enabling read-only access to a specific policy, you enable the administrator to view the corresponding policy rulebase, but not add or delete rules. Disabling access to a specific type of policy prevents the administrator from seeing the policy rulebase.

Because policy that is based on specific users (by user name or IP address) must be explicitly defined, privacy settings that disable the ability to see full IP addresses or user names do not apply to the Policy tab. Therefore, you should only allow access to the Policy tab to administrators that are excluded from user privacy restrictions.

Access Level (Enable / Read Only / Disable) and Description

Security (Enable: Yes, Read Only: Yes, Disable: Yes)
    Enable this privilege to allow the administrator to view, add, and/or delete security rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the security rulebase, disable this privilege.

NAT (Enable: Yes, Read Only: Yes, Disable: Yes)
    Enable this privilege to allow the administrator to view, add, and/or delete NAT rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the NAT rulebase, disable this privilege.

QoS (Enable: Yes, Read Only: Yes, Disable: Yes)
    Enable this privilege to allow the administrator to view, add, and/or delete QoS rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the QoS rulebase, disable this privilege.

Policy Based Forwarding (Enable: Yes, Read Only: Yes, Disable: Yes)
    Enable this privilege to allow the administrator to view, add, and/or delete Policy Based Forwarding (PBF) rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the PBF rulebase, disable this privilege.

Decryption (Enable: Yes, Read Only: Yes, Disable: Yes)
    Enable this privilege to allow the administrator to view, add, and/or delete decryption rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the decryption rulebase, disable this privilege.


Application Override (Enable: Yes, Read Only: Yes, Disable: Yes)
    Enable this privilege to allow the administrator to view, add, and/or delete application override policy rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the application override rulebase, disable this privilege.

Captive Portal (Enable: Yes, Read Only: Yes, Disable: Yes)
    Enable this privilege to allow the administrator to view, add, and/or delete Captive Portal rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the Captive Portal rulebase, disable this privilege.

DoS Protection (Enable: Yes, Read Only: Yes, Disable: Yes)
    Enable this privilege to allow the administrator to view, add, and/or delete DoS protection rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the DoS protection rulebase, disable this privilege.

Provide Granular Access to the Objects Tab

An object is a container that groups specific policy filter values such as IP addresses, URLs, applications, or services for simplified rule definition. For example, an address object might contain specific IP address definitions for the web and application servers in your DMZ zone.

When deciding whether to allow access to the Objects tab as a whole, determine whether the administrator will have policy definition responsibilities. If not, the administrator probably does not need access to the tab. If, however, the administrator will need to create policy, you can enable access to the tab and then provide granular access privileges at the node level.

By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the corresponding object type. Giving read-only access allows the administrator to view the already-defined objects, but not create or delete any. Disabling a node prevents the administrator from seeing the node in the web interface.

Access Level (Enable / Read Only / Disable) and Description

Addresses (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete address objects for use in security policy.

Address Groups (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete address group objects for use in security policy.

Regions (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete regions objects for use in security, decryption, or DoS policy.

Applications (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete application objects for use in policy.


Application Groups (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete application group objects for use in policy.

Application Filters (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete application filters for simplification of repeated searches.

Services (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete service objects for use in creating policy rules that limit the port numbers an application can use.

Service Groups (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete service group objects for use in security policy.

Tags (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete tags that have been defined on the firewall.

GlobalProtect (Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can view, add, or delete HIP objects and profiles. You can restrict access to both types of objects at the GlobalProtect level, or provide more granular control by enabling the GlobalProtect privilege and restricting HIP Object or HIP Profile access.

HIP Objects (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete HIP objects, which are used to define HIP profiles. HIP Objects also generate HIP Match logs.

HIP Profiles (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete HIP Profiles for use in security policy and/or for generating HIP Match logs.

Dynamic Block Lists (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete dynamic block lists for use in security policy.

Custom Objects (Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can see the custom spyware and vulnerability signatures. You can restrict access to either enable or disable access to all custom signatures at this level, or provide more granular control by enabling the Custom Objects privilege and then restricting access to each type of signature.

Data Patterns (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete custom data pattern signatures for use in creating custom Vulnerability Protection profiles.

Spyware (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete custom spyware signatures for use in creating custom Vulnerability Protection profiles.

Vulnerability (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete custom vulnerability signatures for use in creating custom Vulnerability Protection profiles.

URL Category (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete custom URL categories for use in policy.


Security Profiles (Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can see security profiles. You can restrict access to either enable or disable access to all security profiles at this level, or provide more granular control by enabling the Security Profiles privilege and then restricting access to each type of profile.

Antivirus (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete antivirus profiles.

Anti-Spyware (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete Anti-Spyware profiles.

Vulnerability Protection (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete Vulnerability Protection profiles.

URL Filtering (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete URL filtering profiles.

File Blocking (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete file blocking profiles.

Data Filtering (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete data filtering profiles.

DoS Protection (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete DoS protection profiles.

Security Profile Groups (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete security profile groups.

Log Forwarding (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete log forwarding profiles.

Decryption Profile (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete decryption profiles.

Schedules (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete schedules for limiting a security policy to a specific date and/or time range.

Provide Granular Access to the Network Tab

When deciding whether to allow access to the Network tab as a whole, determine whether the administrator will have network administration responsibilities, including GlobalProtect administration. If not, the administrator probably does not need access to the tab.

You can also define access to the Network tab at the node level. By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the corresponding network configurations. Giving read-only access allows the administrator to view the already defined configuration, but not create or delete any. Disabling a node prevents the administrator from seeing the node in the web interface.

| Access Level | Description | Enable | Read Only | Disable |
| --- | --- | --- | --- | --- |
| Interfaces | Specifies whether the administrator can view, add, or delete interface configurations. | Yes | Yes | Yes |
| Zones | Specifies whether the administrator can view, add, or delete zones. | Yes | Yes | Yes |
| VLANs | Specifies whether the administrator can view, add, or delete VLANs. | Yes | Yes | Yes |
| Virtual Wires | Specifies whether the administrator can view, add, or delete virtual wires. | Yes | Yes | Yes |
| Virtual Routers | Specifies whether the administrator can view, add, modify, or delete virtual routers. | Yes | Yes | Yes |
| IPSec Tunnels | Specifies whether the administrator can view, add, modify, or delete IPSec Tunnel configurations. | Yes | Yes | Yes |
| DHCP | Specifies whether the administrator can view, add, modify, or delete DHCP server and DHCP relay configurations. | Yes | Yes | Yes |
| DNS Proxy | Specifies whether the administrator can view, add, modify, or delete DNS proxy configurations. | Yes | Yes | Yes |
| GlobalProtect | Specifies whether the administrator can view, add, or modify GlobalProtect portal and gateway configurations. You can disable access to the GlobalProtect functions entirely, or you can enable the GlobalProtect privilege and then restrict the role to either the portal or gateway configuration areas. | Yes | No | Yes |
| Portals | Specifies whether the administrator can view, add, modify, or delete GlobalProtect portal configurations. | Yes | Yes | Yes |
| Gateways | Specifies whether the administrator can view, add, modify, or delete GlobalProtect gateway configurations. | Yes | Yes | Yes |
| MDM | Specifies whether the administrator can view, add, modify, or delete GlobalProtect MDM server configurations. | Yes | Yes | Yes |
| Device Block List | Specifies whether the administrator can view, add, modify, or delete device block lists. | Yes | Yes | Yes |
| QoS | Specifies whether the administrator can view, add, modify, or delete QoS configurations. | Yes | Yes | Yes |
| LLDP | Specifies whether the administrator can view, add, modify, or delete LLDP configurations. | Yes | Yes | Yes |
| Network Profiles | Sets the default state to enable or disable for all of the Network settings described below. | Yes | No | Yes |
| IKE Gateways | Controls access to the Network Profiles > IKE Gateways node. If you disable this privilege, the administrator will not see the IKE Gateways node or define gateways that include the configuration information necessary to perform IKE protocol negotiation with a peer gateway. If the privilege state is set to read-only, you can view the currently configured IKE Gateways but cannot add or edit gateways. | Yes | Yes | Yes |
| GlobalProtect IPSec Crypto | Controls access to the Network Profiles > GlobalProtect IPSec Crypto node. If you disable this privilege, the administrator will not see that node, or configure algorithms for authentication and encryption in VPN tunnels between a GlobalProtect gateway and clients. If you set the privilege to read-only, the administrator can view existing GlobalProtect IPSec Crypto profiles but cannot add or edit them. | Yes | Yes | Yes |
| IPSec Crypto | Controls access to the Network Profiles > IPSec Crypto node. If you disable this privilege, the administrator will not see the Network Profiles > IPSec Crypto node or specify protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPSec SA negotiation. If the privilege state is set to read-only, you can view the currently configured IPSec Crypto configuration but cannot add or edit a configuration. | Yes | Yes | Yes |
| IKE Crypto | Controls how devices exchange information to ensure secure communication. Specify the protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPsec SA negotiation (IKEv1 Phase 1). | Yes | Yes | Yes |
| Monitor | Controls access to the Network Profiles > Monitor node. If you disable this privilege, the administrator will not see the Network Profiles > Monitor node or be able to create or edit a monitor profile that is used to monitor IPSec tunnels and monitor a next hop device for policy-based forwarding (PBF) rules. If the privilege state is set to read-only, you can view the currently configured monitor profile configuration but cannot add or edit a configuration. | Yes | Yes | Yes |
| Interface Mgmt | Controls access to the Network Profiles > Interface Mgmt node. If you disable this privilege, the administrator will not see the Network Profiles > Interface Mgmt node or be able to specify the protocols that are used to manage the firewall. If the privilege state is set to read-only, you can view the currently configured Interface management profile configuration but cannot add or edit a configuration. | Yes | Yes | Yes |
| Zone Protection | Controls access to the Network Profiles > Zone Protection node. If you disable this privilege, the administrator will not see the Network Profiles > Zone Protection node or be able to configure a profile that determines how the firewall responds to attacks from specified security zones. If the privilege state is set to read-only, you can view the currently configured Zone Protection profile configuration but cannot add or edit a configuration. | Yes | Yes | Yes |
| QoS Profile | Controls access to the Network Profiles > QoS node. If you disable this privilege, the administrator will not see the Network Profiles > QoS node or be able to configure a QoS profile that determines how QoS traffic classes are treated. If the privilege state is set to read-only, you can view the currently configured QoS profile configuration but cannot add or edit a configuration. | Yes | Yes | Yes |
| LLDP Profile | Controls access to the Network Profiles > LLDP node. If you disable this privilege, the administrator will not see the Network Profiles > LLDP node or be able to configure an LLDP profile that controls whether the interfaces on the firewall can participate in the Link Layer Discovery Protocol. If the privilege state is set to read-only, you can view the currently configured LLDP profile configuration but cannot add or edit a configuration. | Yes | Yes | Yes |
| BFD Profile | Controls access to the Network Profiles > BFD Profile node. If you disable this privilege, the administrator will not see the Network Profiles > BFD Profile node or be able to configure a BFD profile. A Bidirectional Forwarding Detection (BFD) profile allows you to configure BFD settings to apply to one or more static routes or routing protocols. Thus, BFD detects a failed link or BFD peer and allows an extremely fast failover. If the privilege state is set to read-only, you can view the currently configured BFD profile but cannot add or edit a BFD profile. | Yes | Yes | Yes |

Provide Granular Access to the Device Tab

To define granular access privileges for the Device tab, when creating or editing an admin role profile (Device > Admin Roles), scroll down to the Device node on the WebUI tab.

| Access Level | Description | Enable | Read Only | Disable |
| --- | --- | --- | --- | --- |
| Setup | Controls access to the Setup node. If you disable this privilege, the administrator will not see the Setup node or have access to firewall-wide setup configuration information, such as Management, Operations, Service, Content-ID, WildFire or Session setup information. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes |
| Management | Controls access to the Management node. If you disable this privilege, the administrator will not be able to configure settings such as the hostname, domain, time zone, authentication, logging and reporting, Panorama, management interface, banner, message, and password complexity settings, and more. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes |
| Operations | Controls access to the Operations node. If you disable this privilege, the administrator will not be able to manage configuration files, or reboot or shut down the firewall, among other things. | Yes | Yes | Yes |
| Services | Controls access to the Services node. If you disable this privilege, the administrator will not be able to configure services for DNS servers, an update server, proxy server, or NTP servers, or set up service routes. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes |
| Content-ID | Controls access to the Content-ID node. If you disable this privilege, the administrator will not be able to configure URL filtering or Content-ID. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes |
| WildFire | Controls access to the WildFire node. If you disable this privilege, the administrator will not be able to configure WildFire settings. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes |
| Session | Controls access to the Session node. If you disable this privilege, the administrator will not be able to configure session settings or timeouts for TCP, UDP or ICMP, or configure decryption or VPN session settings. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes |
| HSM | Controls access to the HSM node. If you disable this privilege, the administrator will not be able to configure a Hardware Security Module. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes |
| Config Audit | Controls access to the Config Audit node. If you disable this privilege, the administrator will not see the Config Audit node or have access to any firewall-wide configuration information. | Yes | No | Yes |
| Admin Roles | Controls access to the Admin Roles node. This function can only be allowed for read-only access. If you disable this privilege, the administrator will not see the Admin Roles node or have access to any firewall-wide information concerning Admin Role profiles configuration. If you set this privilege to read-only, you can view the configuration information for all administrator roles configured on the firewall. | No | Yes | Yes |
| Administrators | Controls access to the Administrators node. This function can only be allowed for read-only access. If you disable this privilege, the administrator will not see the Administrators node or have access to information about their own administrator account. If you set this privilege to read-only, the administrator can view the configuration information for their own administrator account. They will not see any information about other administrator accounts configured on the firewall. | No | Yes | Yes |
| Virtual Systems | Controls access to the Virtual Systems node. If you disable this privilege, the administrator will not see or be able to configure virtual systems. If the privilege state is set to read-only, you can view the currently configured virtual systems but cannot add or edit a configuration. | Yes | Yes | Yes |

| Access Level | Description | Enable | Read Only | Disable |
| --- | --- | --- | --- | --- |
| Shared Gateways | Controls access to the Shared Gateways node. Shared gateways allow virtual systems to share a common interface for external communications. If you disable this privilege, the administrator will not see or be able to configure shared gateways. If the privilege state is set to read-only, you can view the currently configured shared gateways but cannot add or edit a configuration. | Yes | Yes | Yes |
| User Identification | Controls access to the User Identification node. If you disable this privilege, the administrator will not see the User Identification node or have access to firewall-wide User Identification configuration information, such as User Mapping, User-ID Agents, Service, Terminal Services Agents, Group Mappings Settings or Captive Portal Settings. If you set this privilege to read-only, the administrator can view configuration information for the firewall but is not allowed to perform any configuration procedures. | Yes | Yes | Yes |
| VM Information Source | Controls access to the VM Information Source node that allows you to configure the firewall/Windows User-ID agent to collect VM inventory automatically. If you disable this privilege, the administrator will not see the VM Information Source node. If you set this privilege to read-only, the administrator can view the VM information sources configured but cannot add, edit, or delete any sources. This privilege is not available to Device Group and Template administrators. | Yes | Yes | Yes |
| High Availability | Controls access to the High Availability node. If you disable this privilege, the administrator will not see the High Availability node or have access to firewall-wide high availability configuration information such as General setup information or Link and Path Monitoring. If you set this privilege to read-only, the administrator can view High Availability configuration information for the firewall but is not allowed to perform any configuration procedures. | Yes | Yes | Yes |
| Certificate Management | Sets the default state to enable or disable for all of the Certificate settings described below. | Yes | No | Yes |
| Certificates | Controls access to the Certificates node. If you disable this privilege, the administrator will not see the Certificates node or be able to configure or access information regarding Device Certificates or Default Trusted Certificate Authorities. If you set this privilege to read-only, the administrator can view Certificate configuration information for the firewall but is not allowed to perform any configuration procedures. | Yes | Yes | Yes |
| Certificate Profile | Controls access to the Certificate Profile node. If you disable this privilege, the administrator will not see the Certificate Profile node or be able to create certificate profiles. If you set this privilege to read-only, the administrator can view Certificate Profiles that are currently configured for the firewall but is not allowed to create or edit a certificate profile. | Yes | Yes | Yes |
| OCSP Responder | Controls access to the OCSP Responder node. If you disable this privilege, the administrator will not see the OCSP Responder node or be able to define a server that will be used to verify the revocation status of certificates issued by the firewall. If you set this privilege to read-only, the administrator can view the OCSP Responder configuration for the firewall but is not allowed to create or edit an OCSP responder configuration. | Yes | Yes | Yes |
| SSL/TLS Service Profile | Controls access to the SSL/TLS Service Profile node. If you disable this privilege, the administrator will not see the node or configure a profile that specifies a certificate and a protocol version or range of versions for firewall services that use SSL/TLS. If you set this privilege to read-only, the administrator can view existing SSL/TLS Service profiles but cannot create or edit them. | Yes | Yes | Yes |
| SCEP | Controls access to the SCEP node. If you disable this privilege, the administrator will not see the node or be able to define a profile that specifies Simple Certificate Enrollment Protocol (SCEP) settings for issuing unique device certificates. If you set this privilege to read-only, the administrator can view existing SCEP profiles but cannot create or edit them. | Yes | Yes | Yes |

| Access Level | Description | Enable | Read Only | Disable |
| --- | --- | --- | --- | --- |
| Response Pages | Controls access to the Response Pages node. If you disable this privilege, the administrator will not see the Response Page node or be able to define a custom HTML message that is downloaded and displayed instead of a requested web page or file. If you set this privilege to read-only, the administrator can view the Response Page configuration for the firewall but is not allowed to create or edit a response page configuration. | Yes | Yes | Yes |
| Log Settings | Sets the default state to enable or disable for all of the Log settings described below. | Yes | No | Yes |
| System | Controls access to the Log Settings > System node. If you disable this privilege, the administrator will not see the Log Settings > System node or be able to specify the severity levels of the system log entries that are logged remotely with Panorama and sent as SNMP traps, syslog messages, and/or email notifications. If you set this privilege to read-only, the administrator can view the Log Settings > System configuration for the firewall but is not allowed to create or edit a configuration. | Yes | Yes | Yes |
| Config | Controls access to the Log Settings > Config node. If you disable this privilege, the administrator will not see the Log Settings > Config node or be able to specify the configuration log entries that are logged remotely with Panorama, and sent as syslog messages and/or email notification. If you set this privilege to read-only, the administrator can view the Log Settings > Config configuration for the firewall but is not allowed to create or edit a configuration. | Yes | Yes | Yes |
| HIP Match | Controls access to the Log Settings > HIP Match node. If you disable this privilege, the administrator will not see the Log Settings > HIP Match node or be able to specify the Host Information Profile (HIP) match log settings that are used to provide information on security rules that apply to GlobalProtect clients. If you set this privilege to read-only, the administrator can view the Log Settings > HIP configuration for the firewall but is not allowed to create or edit a configuration. | Yes | Yes | Yes |
| Alarms | Controls access to the Log Settings > Alarms node. If you disable this privilege, the administrator will not see the Log Settings > Alarms node or be able to configure notifications that are generated when a security rule (or group of rules) has been hit repeatedly in a set period of time. If you set this privilege to read-only, the administrator can view the Log Settings > Alarms configuration for the firewall but is not allowed to create or edit a configuration. | Yes | Yes | Yes |
| Manage Logs | Controls access to the Log Settings > Manage Logs node. If you disable this privilege, the administrator will not see the Log Settings > Manage Logs node or be able to clear the indicated logs. If you set this privilege to read-only, the administrator can view the Log Settings > Manage Logs information but cannot clear any of the logs. | Yes | Yes | Yes |
| Server Profiles | Sets the default state to enable or disable for all of the Server Profiles settings described below. | Yes | No | Yes |
| SNMP Trap | Controls access to the Server Profiles > SNMP Trap node. If you disable this privilege, the administrator will not see the Server Profiles > SNMP Trap node or be able to specify one or more SNMP trap destinations to be used for system log entries. If you set this privilege to read-only, the administrator can view the Server Profiles > SNMP Trap Logs information but cannot specify SNMP trap destinations. | Yes | Yes | Yes |
| Syslog | Controls access to the Server Profiles > Syslog node. If you disable this privilege, the administrator will not see the Server Profiles > Syslog node or be able to specify one or more syslog servers. If you set this privilege to read-only, the administrator can view the Server Profiles > Syslog information but cannot specify syslog servers. | Yes | Yes | Yes |
| Email | Controls access to the Server Profiles > Email node. If you disable this privilege, the administrator will not see the Server Profiles > Email node or be able to configure an email profile that can be used to enable email notification for system and configuration log entries. If you set this privilege to read-only, the administrator can view the Server Profiles > Email information but cannot configure an email profile. | Yes | Yes | Yes |

| Access Level | Description | Enable | Read Only | Disable |
| --- | --- | --- | --- | --- |
| Netflow | Controls access to the Server Profiles > Netflow node. If you disable this privilege, the administrator will not see the Server Profiles > Netflow node or be able to define a NetFlow server profile, which specifies the frequency of the export along with the NetFlow servers that will receive the exported data. If you set this privilege to read-only, the administrator can view the Server Profiles > Netflow information but cannot define a Netflow profile. | Yes | Yes | Yes |
| RADIUS | Controls access to the Server Profiles > RADIUS node. If you disable this privilege, the administrator will not see the Server Profiles > RADIUS node or be able to configure settings for the RADIUS servers that are identified in authentication profiles. If you set this privilege to read-only, the administrator can view the Server Profiles > RADIUS information but cannot configure settings for the RADIUS servers. | Yes | Yes | Yes |
| TACACS+ | Controls access to the Server Profiles > TACACS+ node. If you disable this privilege, the administrator will not see the node or configure settings for the TACACS+ servers that authentication profiles reference. If you set this privilege to read-only, the administrator can view existing TACACS+ server profiles but cannot add or edit them. | Yes | Yes | Yes |
| LDAP | Controls access to the Server Profiles > LDAP node. If you disable this privilege, the administrator will not see the Server Profiles > LDAP node or be able to configure settings for the LDAP servers to use for authentication by way of authentication profiles. If you set this privilege to read-only, the administrator can view the Server Profiles > LDAP information but cannot configure settings for the LDAP servers. | Yes | Yes | Yes |
| Kerberos | Controls access to the Server Profiles > Kerberos node. If you disable this privilege, the administrator will not see the Server Profiles > Kerberos node or configure a Kerberos server that allows users to authenticate natively to a domain controller. If you set this privilege to read-only, the administrator can view the Server Profiles > Kerberos information but cannot configure settings for Kerberos servers. | Yes | Yes | Yes |
| Local User Database | Sets the default state to enable or disable for all of the Local User Database settings described below. | Yes | No | Yes |
| Users | Controls access to the Local User Database > Users node. If you disable this privilege, the administrator will not see the Local User Database > Users node or set up a local database on the firewall to store authentication information for remote access users, firewall administrators, and captive portal users. If you set this privilege to read-only, the administrator can view the Local User Database > Users information but cannot set up a local database on the firewall to store authentication information. | Yes | Yes | Yes |
| User Groups | Controls access to the Local User Database > Users node. If you disable this privilege, the administrator will not see the Local User Database > Users node or be able to add user group information to the local database. If you set this privilege to read-only, the administrator can view the Local User Database > Users information but cannot add user group information to the local database. | Yes | Yes | Yes |
| Authentication Profile | Controls access to the Authentication Profile node. If you disable this privilege, the administrator will not see the Authentication Profile node or be able to create or edit authentication profiles that specify local database, RADIUS, TACACS+, LDAP, or Kerberos settings that can be assigned to administrator accounts. If you set this privilege to read-only, the administrator can view the Authentication Profile information but cannot create or edit an authentication profile. | Yes | Yes | Yes |
| Authentication Sequence | Controls access to the Authentication Sequence node. If you disable this privilege, the administrator will not see the Authentication Sequence node or be able to create or edit an authentication sequence. If you set this privilege to read-only, the administrator can view the Authentication Profile information but cannot create or edit an authentication sequence. | Yes | Yes | Yes |
| Access Domain | Controls access to the Access Domain node. If you disable this privilege, the administrator will not see the Access Domain node or be able to create or edit an access domain. If you set this privilege to read-only, the administrator can view the Access Domain information but cannot create or edit an access domain. | Yes | Yes | Yes |

| Access Level | Description | Enable | Read Only | Disable |
| --- | --- | --- | --- | --- |
| Scheduled Log Export | Controls access to the Scheduled Log Export node. If you disable this privilege, the administrator will not see the Scheduled Log Export node or be able to schedule exports of logs and save them to a File Transfer Protocol (FTP) server in CSV format or use Secure Copy (SCP) to securely transfer data between the firewall and a remote host. If you set this privilege to read-only, the administrator can view the Scheduled Log Export Profile information but cannot schedule the export of logs. | Yes | No | Yes |
| Software | Controls access to the Software node. If you disable this privilege, the administrator will not see the Software node or view the latest versions of the PAN-OS software available from Palo Alto Networks, read the release notes for each version, and select a release to download and install. If you set this privilege to read-only, the administrator can view the Software information but cannot download or install software. | Yes | Yes | Yes |
| GlobalProtect Client | Controls access to the GlobalProtect Client node. If you disable this privilege, the administrator will not see the GlobalProtect Client node or view available GlobalProtect releases, download the code or activate the GlobalProtect agent. If you set this privilege to read-only, the administrator can view the available GlobalProtect Client releases but cannot download or install the agent software. | Yes | Yes | Yes |
| Dynamic Updates | Controls access to the Dynamic Updates node. If you disable this privilege, the administrator will not see the Dynamic Updates node or be able to view the latest updates, read the release notes for each update, or select an update to upload and install. If you set this privilege to read-only, the administrator can view the available Dynamic Updates releases and read the release notes but cannot upload or install the software. | Yes | Yes | Yes |
| Licenses | Controls access to the Licenses node. If you disable this privilege, the administrator will not see the Licenses node or be able to view the licenses installed or activate licenses. If you set this privilege to read-only, the administrator can view the installed Licenses, but cannot perform license management functions. | Yes | Yes | Yes |
| Support | Controls access to the Support node. If you disable this privilege, the administrator will not see the Support node or be able to access product and security alerts from Palo Alto Networks or generate tech support or stats dump files. If you set this privilege to read-only, the administrator can view the Support node and access product and security alerts but cannot generate tech support or stats dump files. | Yes | Yes | Yes |
| Master Key and Diagnostics | Controls access to the Master Key and Diagnostics node. If you disable this privilege, the administrator will not see the Master Key and Diagnostics node or be able to specify a master key to encrypt private keys on the firewall. If you set this privilege to read-only, the administrator can view the Master Key and Diagnostics node and view information about master keys that have been specified but cannot add or edit a new master key configuration. | Yes | Yes | Yes |
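A constructed model of the privilege semantics the Network and Device tab tables describe, added here as an illustration rather than PAN-OS code or its API: a disabled parent hides everything beneath it, a group node such as Certificate Management or Log Settings sets the default for its children, and nodes such as Admin Roles and Administrators permit read-only at most. The node names, the parent/child tree and the tab-level default are assumptions chosen to mirror a subset of the Device tab rows above.

```python
"""Model of the enable / read-only / disable privilege semantics in this section.

Constructed illustration, not PAN-OS code or its API.  Node names, the
parent/child tree and the tab-level default are assumptions chosen to mirror
a subset of the Device tab tables.
"""
from __future__ import annotations

ENABLE, READ_ONLY, DISABLE = "enable", "read-only", "disable"
RANK = {DISABLE: 0, READ_ONLY: 1, ENABLE: 2}   # least to most permissive

# Parent -> children for a subset of the Device tab.  "device" stands for the
# tab itself; a group node (Certificate Management, Log Settings) sets the
# default state for the nodes beneath it, as the tables state.
TREE = {
    "device": ["setup", "config-audit", "admin-roles", "administrators",
               "certificate-management", "log-settings",
               "scheduled-log-export", "master-key-and-diagnostics"],
    "certificate-management": ["certificates", "certificate-profile",
                               "ocsp-responder", "ssl-tls-service-profile",
                               "scep"],
    "log-settings": ["system", "config", "hip-match", "alarms", "manage-logs"],
}
PARENT = {child: parent for parent, kids in TREE.items() for child in kids}

# States each node may take, from the Enable / Read Only / Disable columns.
ALLOWED = {
    "device": {ENABLE, DISABLE},                  # assumed for the tab itself
    "config-audit": {ENABLE, DISABLE},            # no read-only column
    "scheduled-log-export": {ENABLE, DISABLE},    # no read-only column
    "certificate-management": {ENABLE, DISABLE},  # group: enable or disable
    "log-settings": {ENABLE, DISABLE},            # group: enable or disable
    "admin-roles": {READ_ONLY, DISABLE},          # "only ... read-only access"
    "administrators": {READ_ONLY, DISABLE},       # "only ... read-only access"
}
for _kids in TREE.values():
    for _node in _kids:
        ALLOWED.setdefault(_node, {ENABLE, READ_ONLY, DISABLE})


def validate(role: dict[str, str]) -> list[str]:
    """Return the problems in a proposed privilege map; [] means it is valid."""
    problems = []
    for node, state in role.items():
        if node not in ALLOWED:
            problems.append(f"unknown node {node!r}")
        elif state not in ALLOWED[node]:
            allowed = sorted(ALLOWED[node], key=RANK.get)
            problems.append(f"{node}: {state!r} not permitted, allowed {allowed}")
    return problems


def effective_state(role: dict[str, str], node: str) -> str:
    """Resolve what an administrator actually gets for `node`.

    Walk from the tab down to the node.  A disabled ancestor hides everything
    beneath it (the node is not shown in the web interface); an unset node
    inherits its group's default, capped at the most permissive state the node
    allows, so an unset Admin Roles node under an enabled tab is read-only.
    """
    if node not in ALLOWED:
        raise KeyError(f"unknown node {node!r}")
    chain = [node]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    inherited = ENABLE                       # assumed default for the tab
    for current in reversed(chain):          # root first
        cap = max(ALLOWED[current], key=RANK.get)
        state = min(role.get(current, inherited), cap, key=RANK.get)
        if state == DISABLE:
            return DISABLE
        inherited = state
    return inherited


def can_view(role: dict[str, str], node: str) -> bool:
    return effective_state(role, node) != DISABLE


def can_modify(role: dict[str, str], node: str) -> bool:
    return effective_state(role, node) == ENABLE


# Constructed role: a certificate operator who may manage certificates, read
# certificate profiles, and must not touch logging, audit or the master key.
CERT_OPERATOR = {
    "device": ENABLE,
    "certificate-management": ENABLE,
    "certificates": ENABLE,
    "certificate-profile": READ_ONLY,
    "log-settings": DISABLE,
    "config-audit": DISABLE,
    "master-key-and-diagnostics": DISABLE,
    "admin-roles": READ_ONLY,
}

if __name__ == "__main__":
    print("problems:", validate(CERT_OPERATOR) or "none")
    for leaf in ("certificates", "certificate-profile", "system",
                 "administrators", "scheduled-log-export"):
        print(f"{leaf:28s} -> {effective_state(CERT_OPERATOR, leaf)}")
    print(validate({"admin-roles": ENABLE, "config-audit": READ_ONLY}))
```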

Define User Privacy Settings in the Admin Role Profile

To define what private end user data an administrator has access to, when creating or editing an admin role profile (Device > Admin Roles), scroll down to the Privacy option on the WebUI tab.

| Access Level | Description | Enable | Read Only | Disable |
| --- | --- | --- | --- | --- |
| Privacy | Sets the default state to enable or disable for all of the privacy settings described below. | Yes | N/A | Yes |
| Show Full IP addresses | When disabled, full IP addresses obtained by traffic running through the Palo Alto firewall are not shown in logs or reports. In place of the IP addresses that are normally displayed, the relevant subnet is displayed. Scheduled reports that are displayed in the interface through Monitor > Reports and reports that are sent via scheduled emails will still display full IP addresses. Because of this exception, we recommend that the following settings within the Monitor tab be set to disable: Custom Reports, Application Reports, Threat Reports, URL Filtering Reports, Traffic Reports and Email Scheduler. | Yes | N/A | Yes |
| Show User Names in Logs and Reports | When disabled, user names obtained by traffic running through the Palo Alto Networks firewall are not shown in logs or reports. Columns where the user names would normally be displayed are empty. Scheduled reports that are displayed in the interface through Monitor > Reports or reports that are sent via the email scheduler will still display user names. Because of this exception, we recommend that the following settings within the Monitor tab be set to disable: Custom Reports, Application Reports, Threat Reports, URL Filtering Reports, Traffic Reports and Email Scheduler. | Yes | N/A | Yes |
| View PCAP Files | When disabled, packet capture files that are normally available within the Traffic, Threat and Data Filtering logs are not displayed. | Yes | N/A | Yes |

Restrict Administrator Access to Commit and Validate Functions

To restrict access to commit and validate functions when creating or editing an admin role profile (Device > Admin Roles), scroll down to the Commit and Validate options on the WebUI tab.

| Access Level | Description | Enable | Read Only | Disable |
| --- | --- | --- | --- | --- |
| Commit | When disabled, an administrator cannot commit any changes to a configuration. | Yes | N/A | Yes |
| Validate | When disabled, an administrator cannot validate a configuration. | Yes | N/A | Yes |

Provide Granular Access to Global Settings

To define what global settings an administrator has access to, when creating or editing an admin role profile (Device > Admin Roles), scroll down to the Global option on the WebUI tab.

| Access Level | Description | Enable | Read Only | Disable |
| --- | --- | --- | --- | --- |
| Global | Sets the default state to enable or disable for all of the global settings described below. In effect, this setting is only for System Alarms at this time. | Yes | N/A | Yes |
| System Alarms | When disabled, an administrator cannot view or acknowledge alarms that are generated. | Yes | N/A | Yes |

Provide Granular Access to the Panorama Tab

The following table lists the Panorama tab access levels and the custom Panorama administrator roles for which they are available. Firewall administrators cannot access any of these privileges.

PaloAltoNetworks,Inc. PANOS7.1AdministratorsGuide 105


Reference:WebInterfaceAdministratorAccess FirewallAdministration

AccessLevel Description AdministratorRole Enable Read Disable


Availability Only

Setup Specifieswhethertheadministratorcan Panorama:Yes Yes Yes Yes


vieworeditPanoramasetup DeviceGroup/Template:No
information,suchasManagement,
Operations,Services,WildFire,or
HSM.
Ifyousettheprivilegeto:
readonly,theadministratorcansee
theinformationbutcannoteditit.
disablethisprivilege,the
administratorcannotseeoreditthe
information.

HighAvailability Specifieswhethertheadministratorcan Panorama:Yes Yes Yes Yes


viewandmanagehighavailability(HA) DeviceGroup/Template:No
settingsforthePanoramamanagement
server.
Ifyousetthisprivilegetoreadonly,the
administratorcanviewHA
configurationinformationforthe
Panoramamanagementserverbutcant
managetheconfiguration.
Ifyoudisablethisprivilege,the
administratorcantseeormanageHA
configurationsettingsforthePanorama
managementserver.

ConfigAudit Specifieswhethertheadministratorcan Panorama:Yes Yes No Yes


runPanoramaconfigurationaudits.If DeviceGroup/Template:No
youdisablethisprivilege,the
administratorcantrunPanorama
configurationaudits.

Administrators Specifieswhethertheadministratorcan Panorama:Yes No Yes Yes


viewPanoramaadministratoraccount DeviceGroup/Template:No
details.
Youcantenablefullaccesstothis
function:justreadonlyaccess.(Only
Panoramaadministratorswitha
dynamicrolecanadd,edit,ordelete
Panoramaadministrators.)With
readonlyaccess,theadministratorcan
seeinformationabouthisorherown
accountbutnootherPanorama
administratoraccounts.
Ifyoudisablethisprivilege,the
administratorcantseeinformation
aboutanyPanoramaadministrator
account,includinghisorherown.

106 PANOS7.1AdministratorsGuide PaloAltoNetworks,Inc.


FirewallAdministration Reference:WebInterfaceAdministratorAccess

AccessLevel Description AdministratorRole Enable Read Disable


Availability Only

Admin Roles | Panorama: Yes; Device Group/Template: No | Enable: No | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view Panorama administrator roles. You can't enable full access to this function, only read-only access. (Only Panorama administrators with a dynamic role can add, edit, or delete custom Panorama roles.) With read-only access, the administrator can see Panorama administrator role configurations but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama administrator roles.

Access Domain | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view, add, edit, delete, or clone access domain configurations for Panorama administrators. (This privilege controls access only to the configuration of access domains, not access to the device groups, templates, and firewall contexts that are assigned to access domains.) If you set this privilege to read-only, the administrator can view Panorama access domain configurations but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama access domain configurations.
  Availability note: You assign access domains to Device Group and Template administrators so they can access the configuration and monitoring data within the device groups, templates, and firewall contexts that are assigned to those access domains.

Authentication Profile | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view, add, edit, delete, or clone authentication profiles for Panorama administrators. If you set this privilege to read-only, the administrator can view Panorama authentication profiles but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama authentication profiles.


Authentication Sequence | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view, add, edit, delete, or clone authentication sequences for Panorama administrators. If you set this privilege to read-only, the administrator can view Panorama authentication sequences but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama authentication sequences.

Managed Devices | Panorama: Yes; Device Group/Template: Yes | Enable: Yes | Read Only: Yes (No for Device Group and Template roles) | Disable: Yes
  Specifies whether the administrator can view, add, edit, tag, or delete firewalls as managed devices, and install software or content updates on them. If you set this privilege to read-only, the administrator can see managed firewalls but can't add, delete, tag, or install updates on them. If you disable this privilege, the administrator can't view, add, edit, tag, delete, or install updates on managed firewalls.
  Note: This privilege applies only to the Panorama > Managed Devices page. An administrator with Device Deployment privileges can still use the Panorama > Device Deployment pages to install updates on managed firewalls.

Templates | Panorama: Yes; Device Group/Template: Yes | Enable: Yes | Read Only: Yes (No for Device Group and Template admins) | Disable: Yes
  Specifies whether the administrator can view, edit, add, or delete templates and template stacks. If you set the privilege to read-only, the administrator can see template and stack configurations but can't manage them. If you disable this privilege, the administrator can't see or manage template and stack configurations.
  Availability note: Device Group and Template administrators can see only the templates and stacks that are within the access domains assigned to those administrators.


Device Groups | Panorama: Yes; Device Group/Template: Yes | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view, edit, add, or delete device groups. If you set this privilege to read-only, the administrator can see device group configurations but can't manage them. If you disable this privilege, the administrator can't see or manage device group configurations.
  Availability note: Device Group and Template administrators can access only the device groups that are within the access domains assigned to those administrators.

Managed Collectors | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view, edit, add, or delete managed collectors. If you set this privilege to read-only, the administrator can see managed collector configurations but can't manage them. If you disable this privilege, the administrator can't view, edit, add, or delete managed collector configurations.
  Note: This privilege applies only to the Panorama > Managed Collectors page. An administrator with Device Deployment privileges can still use the Panorama > Device Deployment pages to install updates on managed collectors.

Collector Groups | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view, edit, add, or delete Collector Groups. If you set this privilege to read-only, the administrator can see Collector Groups but can't manage them. If you disable this privilege, the administrator can't see or manage Collector Groups.

VMware Service Manager | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view and edit VMware Service Manager settings. If you set this privilege to read-only, the administrator can see the settings but can't perform any related configuration or operational procedures. If you disable this privilege, the administrator can't see the settings or perform any related configuration or operational procedures.


Certificate Management | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: No | Disable: Yes
  Sets the default state, enabled or disabled, for all of the Panorama certificate management privileges.

Certificates | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view, edit, generate, delete, revoke, renew, or export certificates. This privilege also specifies whether the administrator can import or export HA keys. If you set this privilege to read-only, the administrator can see Panorama certificates but can't manage the certificates or HA keys. If you disable this privilege, the administrator can't see or manage Panorama certificates or HA keys. Because the enabled state covers exporting certificates and HA keys, grant it only to administrators who must handle key material; everyone else gets read-only or disabled.

Certificate Profile | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view, add, edit, delete, or clone Panorama certificate profiles. If you set this privilege to read-only, the administrator can see Panorama certificate profiles but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama certificate profiles.

SSL/TLS Service Profile | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view, add, edit, delete, or clone SSL/TLS Service profiles. If you set this privilege to read-only, the administrator can see SSL/TLS Service profiles but can't manage them. If you disable this privilege, the administrator can't see or manage SSL/TLS Service profiles.

Log Settings | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: No | Disable: Yes
  Sets the default state, enabled or disabled, for all the log setting privileges.


System | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can see and configure the settings that control the forwarding of System logs to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the System log forwarding settings but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
  Note: On a Panorama M-Series appliance, this privilege pertains only to System logs that Panorama generates. On a Panorama virtual appliance, this privilege applies to System logs that Panorama generates and to System logs that Panorama collects from firewalls. The Panorama > Collector Groups page controls the forwarding of System logs that an M-Series appliance collects from firewalls. The Device > Log Settings page controls the forwarding of System logs directly from firewalls to external services (without aggregation on Panorama).


Config | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can see and configure the settings that control the forwarding of Config logs to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the Config log forwarding settings but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
  Note: On a Panorama M-Series appliance, this privilege pertains only to Config logs that Panorama generates. On a Panorama virtual appliance, this privilege applies to Config logs that Panorama generates and to Config logs that Panorama collects from firewalls. The Panorama > Collector Groups page controls the forwarding of Config logs that an M-Series appliance collects from firewalls. The Device > Log Settings page controls the forwarding of Config logs directly from firewalls to external services (without aggregation on Panorama).


HIP Match | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can see and configure the settings that control the forwarding of HIP Match logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of HIP Match logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
  Note: The Panorama > Collector Groups page controls the forwarding of HIP Match logs from a Panorama M-Series appliance. The Device > Log Settings page controls the forwarding of HIP Match logs directly from firewalls to external services (without aggregation on Panorama).

Correlation | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can see and configure the settings that control the forwarding of Correlation logs to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the Correlation log forwarding settings but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
  Note: The Panorama > Collector Groups page controls the forwarding of Correlation logs from a Panorama M-Series appliance. The Device > Log Settings page controls the forwarding of Correlation logs directly from firewalls to external services (without aggregation on Panorama).


Traffic | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can see and configure the settings that control the forwarding of Traffic logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of Traffic logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
  Note: The Panorama > Collector Groups page controls the forwarding of Traffic logs from a Panorama M-Series appliance. The Objects > Log Forwarding page controls the forwarding of Traffic logs directly from firewalls to external services (without aggregation on Panorama).

Threat | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can see and configure the settings that control the forwarding of Threat logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of Threat logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
  Note: The Panorama > Collector Groups page controls the forwarding of Threat logs from a Panorama M-Series appliance. The Objects > Log Forwarding page controls the forwarding of Threat logs directly from firewalls to external services (without aggregation on Panorama).


WildFire | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can see and configure the settings that control the forwarding of WildFire logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of WildFire logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
  Note: The Panorama > Collector Groups page controls the forwarding of WildFire logs from a Panorama M-Series appliance. The Objects > Log Forwarding page controls the forwarding of WildFire logs directly from firewalls to external services (without aggregation on Panorama).

Server Profiles | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: No | Disable: Yes
  Sets the default state, enabled or disabled, for all the server profile privileges.
  Note: These privileges pertain only to the server profiles that are used for forwarding logs that Panorama generates or collects from firewalls and the server profiles that are used for authenticating Panorama administrators. The Device > Server Profiles pages control the server profiles that are used for forwarding logs directly from firewalls to external services (without aggregation on Panorama) and for authenticating firewall administrators.

SNMP Trap | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can see and configure SNMP trap server profiles. If you set this privilege to read-only, the administrator can see SNMP trap server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage SNMP trap server profiles.


Syslog | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can see and configure Syslog server profiles. If you set this privilege to read-only, the administrator can see Syslog server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage Syslog server profiles.

Email | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can see and configure email server profiles. If you set this privilege to read-only, the administrator can see email server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage email server profiles.

RADIUS | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can see and configure the RADIUS server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can see the RADIUS server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage the RADIUS server profiles.

TACACS+ | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can see and configure the TACACS+ server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can view existing TACACS+ server profiles but can't add or edit them. If you disable this privilege, the administrator can't see the node or configure settings for the TACACS+ servers that authentication profiles reference.


LDAP | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can see and configure the LDAP server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can see the LDAP server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage the LDAP server profiles.

Kerberos | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can see and configure the Kerberos server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can see the Kerberos server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage the Kerberos server profiles.

Scheduled Config Export | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: No | Disable: Yes
  Specifies whether the administrator can view, add, edit, delete, or clone scheduled Panorama configuration exports. If you set this privilege to read-only, the administrator can view the scheduled exports but can't manage them. If you disable this privilege, the administrator can't see or manage the scheduled exports.


Software | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view information about Panorama software updates; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can view information about Panorama software updates and view the associated release notes but can't perform any related operations. If you disable this privilege, the administrator can't see Panorama software updates, see the associated release notes, or perform any related operations.
  Note: This privilege pertains only to software installed on a Panorama management server. The Panorama > Device Deployment > Software page controls access to PAN-OS software deployed on firewalls and Panorama software deployed on Dedicated Log Collectors.

Dynamic Updates | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view information about Panorama content updates (for example, WildFire updates); download, upload, install, or revert the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can view information about Panorama content updates and view the associated release notes but can't perform any related operations. If you disable this privilege, the administrator can't see Panorama content updates, see the associated release notes, or perform any related operations.
  Note: This privilege pertains only to content updates installed on a Panorama management server. The Panorama > Device Deployment > Dynamic Updates page controls access to content updates deployed on firewalls and Dedicated Log Collectors.


Support | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view Panorama support license information, product alerts, and security alerts; activate a support license; generate Tech Support files; and manage cases. If you set this privilege to read-only, the administrator can view Panorama support information, product alerts, and security alerts, but can't activate a support license, generate Tech Support files, or manage cases. If you disable this privilege, the administrator can't see Panorama support information, product alerts, or security alerts, and can't activate a support license, generate Tech Support files, or manage cases.

Device Deployment | Panorama: Yes; Device Group/Template: Yes | Enable: Yes | Read Only: No | Disable: Yes
  Sets the default state, enabled or disabled, for all the device deployment privileges.
  Note: These privileges pertain only to software and content updates that Panorama administrators deploy on firewalls and Dedicated Log Collectors. The Panorama > Software and Panorama > Dynamic Updates pages control the software and content updates installed on a Panorama management server.

Device Deployment: Software | Panorama: Yes; Device Group/Template: Yes | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view information about the software updates installed on firewalls and Log Collectors; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about the software updates and view the associated release notes but can't deploy the updates to firewalls or Dedicated Log Collectors. If you disable this privilege, the administrator can't see information about the software updates, see the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors.


Device Deployment: SSL VPN Client | Panorama: Yes; Device Group/Template: Yes | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view information about SSL VPN client software updates on firewalls; download, upload, or activate the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about SSL VPN client software updates and view the associated release notes but can't activate the updates on firewalls. If you disable this privilege, the administrator can't see information about SSL VPN client software updates, see the associated release notes, or activate the updates on firewalls.

Device Deployment: GlobalProtect Client | Panorama: Yes; Device Group/Template: Yes | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view information about GlobalProtect agent/app software updates on firewalls; download, upload, or activate the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about GlobalProtect agent/app software updates and view the associated release notes but can't activate the updates on firewalls. If you disable this privilege, the administrator can't see information about GlobalProtect agent/app software updates, see the associated release notes, or activate the updates on firewalls.


Device Deployment: Dynamic Updates | Panorama: Yes; Device Group/Template: Yes | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view information about the content updates (for example, Applications updates) installed on firewalls and Dedicated Log Collectors; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about the content updates and view the associated release notes but can't deploy the updates to firewalls or Dedicated Log Collectors. If you disable this privilege, the administrator can't see information about the content updates, see the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors.

Device Deployment: Licenses | Panorama: Yes; Device Group/Template: Yes | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view, refresh, and activate firewall licenses. If you set this privilege to read-only, the administrator can view firewall licenses but can't refresh or activate those licenses. If you disable this privilege, the administrator can't view, refresh, or activate firewall licenses.

Master Key and Diagnostics | Panorama: Yes; Device Group/Template: No | Enable: Yes | Read Only: Yes | Disable: Yes
  Specifies whether the administrator can view and configure a master key by which to encrypt private keys on Panorama. If you set this privilege to read-only, the administrator can view the Panorama master key configuration but can't change it. If you disable this privilege, the administrator can't see or edit the Panorama master key configuration.


Panorama Web Interface Access Privileges

The custom Panorama administrator roles allow you to define access to the options on Panorama, or to restrict an administrator to device groups and templates only (the Policies, Objects, Network, and Device tabs). The administrator roles you can create are Panorama and Device Group and Template. You can't assign CLI access privileges to a Device Group and Template Admin Role profile. If you assign superuser privileges for the CLI to a Panorama Admin Role profile, administrators with that role can access all features regardless of the web interface privileges you assign, so treat such a role as a full administrator when reviewing it.

Access Level | Enable | Read Only | Disable
(The description of each privilege follows its row on the indented lines.)

Dashboard | Enable: Yes | Read Only: No | Disable: Yes
  Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the tab and will not have access to any of the Dashboard widgets.

ACC | Enable: Yes | Read Only: No | Disable: Yes
  Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab will not display in the web interface. Keep in mind that if you want to protect the privacy of your users while still providing access to the ACC, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option.

Monitor | Enable: Yes | Read Only: No | Disable: Yes
  Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the Monitor tab and will not have access to any of the logs, packet captures, session information, reports, or App Scope. For more granular control over what monitoring information the administrator can see, leave the Monitor option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Monitor Tab.

Policies | Enable: Yes | Read Only: No | Disable: Yes
  Controls access to the Policies tab. If you disable this privilege, the administrator will not see the Policies tab and will not have access to any policy information. For more granular control over what policy information the administrator can see, for example to enable access to a specific type of policy or to enable read-only access to policy information, leave the Policies option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Policy Tab.

Objects | Enable: Yes | Read Only: No | Disable: Yes
  Controls access to the Objects tab. If you disable this privilege, the administrator will not see the Objects tab and will not have access to any objects, security profiles, log forwarding profiles, decryption profiles, or schedules. For more granular control over what objects the administrator can see, leave the Objects option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Objects Tab.

Network | Enable: Yes | Read Only: No | Disable: Yes
  Controls access to the Network tab. If you disable this privilege, the administrator will not see the Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information or to the network profiles. For more granular control over what objects the administrator can see, leave the Network option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Network Tab.

Device | Enable: Yes | Read Only: No | Disable: Yes
  Controls access to the Device tab. If you disable this privilege, the administrator will not see the Device tab and will not have access to any firewall-wide configuration information, such as User-ID, High Availability, server profile, or certificate configuration information. For more granular control over what objects the administrator can see, leave the Device option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Device Tab.
  Note: You can't enable access to the Admin Roles or Administrators nodes for a role-based administrator even if you enable full access to the Device tab.

Panorama | Enable: Yes | Read Only: No | Disable: Yes
  Controls access to the Panorama tab. If you disable this privilege, the administrator will not see the Panorama tab and will not have access to any Panorama-wide configuration information, such as Managed Devices, Managed Collectors, or Collector Groups. For more granular control over what objects the administrator can see, leave the Panorama option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Panorama Tab.

Privacy | Enable: Yes | Read Only: No | Disable: Yes
  Controls access to the privacy settings described in Define User Privacy Settings in the Admin Role Profile.

Validate | Enable: Yes | Read Only: No | Disable: Yes
  When disabled, an administrator cannot validate a configuration.

Commit | Enable: Yes | Read Only: No | Disable: Yes
  Sets the default state (enabled or disabled) for all the commit settings described below (Panorama, Device Groups, Templates, Force Template Values, Collector Groups).

Commit: Panorama | Enable: Yes | Read Only: No | Disable: Yes
  When disabled, an administrator cannot commit changes to the Panorama configuration.

Commit: Device Groups | Enable: Yes | Read Only: No | Disable: Yes
  When disabled, an administrator cannot commit changes to device groups.


Commit: Templates | Enable: Yes | Read Only: No | Disable: Yes
  When disabled, an administrator cannot commit changes to templates.

Commit: Force Template Values | Enable: Yes | Read Only: No | Disable: Yes
  This privilege controls access to the Force Template Values option in the Commit dialog. When disabled, an administrator cannot replace overridden settings in local firewall configurations with settings that Panorama pushes from a template.

Commit: Collector Groups | Enable: Yes | Read Only: No | Disable: Yes
  When disabled, an administrator cannot commit changes to Collector Groups.

Global | Enable: Yes | Read Only: No | Disable: Yes
  Controls access to the global settings (system alarms) described in Provide Granular Access to Global Settings.
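The privilege tables above encode several rules that are easy to get wrong when a custom role is assembled by hand: some nodes have no read-only state, some are never offered to Device Group and Template roles, the Administrators and Admin Roles nodes can never be fully enabled, and a CLI superuser grant makes every web interface restriction irrelevant. The Python script below is an added example, not code from this guide or from Panorama, that checks a role definition against those rules and also flags enabled nodes that hand out key material or push code to the fleet. It assumes a role is described as a plain mapping of node name to state, using the Access Level labels from the Panorama-tab table (not PAN-OS XML element names); the two sample roles and the list of sensitive nodes are the example's own choices.

```python
"""Least-privilege audit for Panorama admin-role definitions.

Added example: not code from the PAN-OS guide or the product. A role is
modelled as {node: state} with state in "enable", "read-only", "disable".
Node names are the Access Level labels from the Panorama-tab privilege
table (Device Deployment children are prefixed "Device Deployment/"), not
PAN-OS XML element names, so the spelling is an assumption of this example.
"""
from dataclasses import dataclass

STATES = ("enable", "read-only", "disable")
PANORAMA, DG_TEMPLATE = "panorama", "device-group-template"


@dataclass(frozen=True)
class NodeRule:
    dg_template: bool               # available to Device Group/Template roles
    read_only: bool                 # supports the read-only state
    enable: bool = True             # supports the enable state
    ro_panorama_only: bool = False  # read-only offered to Panorama roles only


# Transcribed from the Panorama-tab privilege table above.
RULES = {
    "Setup": NodeRule(False, True),
    "High Availability": NodeRule(False, True),
    "Config Audit": NodeRule(False, False),
    "Administrators": NodeRule(False, True, enable=False),
    "Admin Roles": NodeRule(False, True, enable=False),
    "Access Domain": NodeRule(False, True),
    "Authentication Profile": NodeRule(False, True),
    "Authentication Sequence": NodeRule(False, True),
    "Managed Devices": NodeRule(True, True, ro_panorama_only=True),
    "Templates": NodeRule(True, True, ro_panorama_only=True),
    "Device Groups": NodeRule(True, True),
    "Managed Collectors": NodeRule(False, True),
    "Collector Groups": NodeRule(False, True),
    "VMware Service Manager": NodeRule(False, True),
    "Certificate Management": NodeRule(False, False),
    "Certificates": NodeRule(False, True),
    "Certificate Profile": NodeRule(False, True),
    "SSL/TLS Service Profile": NodeRule(False, True),
    "Log Settings": NodeRule(False, False),
    "Server Profiles": NodeRule(False, False),
    "Scheduled Config Export": NodeRule(False, False),
    "Software": NodeRule(False, True),
    "Dynamic Updates": NodeRule(False, True),
    "Support": NodeRule(False, True),
    "Device Deployment": NodeRule(True, False),
    "Device Deployment/Software": NodeRule(True, True),
    "Device Deployment/SSL VPN Client": NodeRule(True, True),
    "Device Deployment/GlobalProtect Client": NodeRule(True, True),
    "Device Deployment/Dynamic Updates": NodeRule(True, True),
    "Device Deployment/Licenses": NodeRule(True, True),
    "Master Key and Diagnostics": NodeRule(False, True),
}

# Nodes that expose key material or push code to managed devices; enabling
# them is flagged so a reviewer must justify it. This list is the example's
# own choice, not a classification made by the guide.
SENSITIVE = {
    "Certificates", "Master Key and Diagnostics",
    "Device Deployment/Software", "Device Deployment/Dynamic Updates",
}


def audit_role(role_type, privileges, cli_access=None):
    """Return findings for a role; an empty list means the role is consistent
    with the table and enables no sensitive node."""
    findings = []
    if role_type == DG_TEMPLATE and cli_access:
        findings.append("Device Group/Template roles cannot carry CLI privileges")
    if cli_access == "superuser":
        findings.append("CLI superuser overrides every web interface restriction")
    for node, state in privileges.items():
        rule = RULES.get(node)
        if rule is None:
            findings.append(f"{node}: unknown node")
            continue
        if state not in STATES:
            findings.append(f"{node}: invalid state {state!r}")
            continue
        if role_type == DG_TEMPLATE and not rule.dg_template:
            findings.append(f"{node}: not available to Device Group/Template roles")
        if state == "read-only" and not rule.read_only:
            findings.append(f"{node}: has no read-only state (enable or disable only)")
        if state == "read-only" and rule.ro_panorama_only and role_type == DG_TEMPLATE:
            findings.append(f"{node}: read-only is not offered to Device Group/Template roles")
        if state == "enable" and not rule.enable:
            findings.append(f"{node}: enable is not offered, only read-only or disable")
        if state == "enable" and node in SENSITIVE:
            findings.append(f"{node}: sensitive node enabled, justify or set read-only")
    return findings


# Constructed sample roles for the example.
LOG_VIEWER = {                       # Panorama role meant only to watch log forwarding
    "Setup": "read-only",
    "Config Audit": "read-only",     # finding: no read-only state
    "Certificates": "enable",        # finding: sensitive node enabled
    "Administrators": "enable",      # finding: enable is not offered
}
BRANCH_OPS = {                       # Device Group/Template role for a regional team
    "Device Groups": "enable",
    "Templates": "read-only",        # finding: read-only not offered to DG/T roles
    "Managed Collectors": "enable",  # finding: node not available to DG/T roles
    "Device Deployment/Licenses": "read-only",
}

if __name__ == "__main__":
    for name, kind, role, cli in (("log-viewer", PANORAMA, LOG_VIEWER, "superuser"),
                                  ("branch-ops", DG_TEMPLATE, BRANCH_OPS, None)):
        for finding in audit_role(kind, role, cli) or ["clean"]:
            print(f"{name}: {finding}")
```

Running the script prints one line per finding for the two constructed roles. To audit real roles, replace the sample mappings with values read from an exported Panorama configuration; the transcription of the table into RULES is the part worth keeping.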


Reference: Port Number Usage

The following tables list the ports that firewalls and Panorama use to communicate with each other, or with other services on the network.
Ports Used for Management Functions
Ports Used for HA
Ports Used for Panorama
Ports Used for GlobalProtect
Ports Used for User-ID

Ports Used for Management Functions

The firewall and Panorama use the following ports for management functions.

Destination Port | Protocol | Description

22 | TCP | Used for communication from a client system to the firewall CLI interface.

80 | TCP | The port the firewall listens on for Online Certificate Status Protocol (OCSP) updates when acting as an OCSP responder.

123 | UDP | Port the firewall uses for NTP updates.

443 | TCP | Used for communication from a client system to the firewall web interface. This is also the port the firewall and the User-ID agent use for VM Information source updates. For monitoring an AWS environment, this is the only port that is used. For monitoring a VMware vCenter/ESXi environment, the port defaults to 443, but it is configurable.

162 | UDP | Port the firewall, Panorama, or a Log Collector uses to forward traps to an SNMP manager.
  Note: This port doesn't need to be open on the Palo Alto Networks firewall. You must configure the Simple Network Management Protocol (SNMP) manager to listen on this port. For details, refer to the documentation of your SNMP management software.

161 | UDP | Port the firewall listens on for polling requests (GET messages) from the SNMP manager.

514, 514, 6514 | TCP, UDP, SSL | Ports that the firewall, Panorama, or a Log Collector uses to send logs to a syslog server if you Configure Syslog Monitoring, and the ports that the PAN-OS integrated User-ID agent or Windows-based User-ID agent listens on for authentication syslog messages if you Configure User-ID to Receive User Mappings from a Syslog Sender. Only the SSL transport (6514) protects log contents in transit; 514/TCP and 514/UDP carry them in cleartext.

2055 | UDP | Default port the firewall uses to send NetFlow records to a NetFlow collector if you Configure NetFlow Exports, but this is configurable.


5008 | TCP | Port the GlobalProtect Mobile Security Manager listens on for HIP requests from the GlobalProtect gateways. If you are using a third-party MDM system, you can configure the gateway to use a different port as required by the MDM vendor.

6080, 6081, 6082 | TCP | Ports used for Captive Portal: 6080 for NT LAN Manager (NTLM) authentication, 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode.

Ports Used for HA

Firewalls configured as High Availability (HA) peers must be able to communicate with each other to maintain state information (HA1 control link) and synchronize data (HA2 data link). In Active/Active HA deployments the peer firewalls must also forward packets to the HA peer that owns the session. The HA3 link is a Layer 2 (MAC-in-MAC) link and it does not support Layer 3 addressing or encryption.

Destination Port | Protocol | Description

28769, 28260 | TCP | Used for the HA1 control link for cleartext communication between the HA peer firewalls. The HA1 link is a Layer 3 link and requires an IP address.

28 | TCP | Used for the HA1 control link for encrypted communication (SSH over TCP) between the HA peer firewalls. Because the HA1 link carries configuration synchronization between the peers, use the encrypted option whenever the link crosses a network segment you do not fully control.

28770 | TCP | Listening port for HA1 backup links.

28771 | TCP | Used for heartbeat backups. Palo Alto Networks recommends enabling heartbeat backup on the MGT interface if you use an in-band port for the HA1 or the HA1 backup links.

99, 29281 | IP, UDP | Used for the HA2 link to synchronize sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active firewall (Active/Passive) or active-primary (Active/Active) to the passive firewall (Active/Passive) or active-secondary (Active/Active). The HA2 link is a Layer 2 link, and it uses ethertype 0x7261 by default. The HA data link can also be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.

Ports Used for Panorama

Panorama uses the following ports.

Destination Port   Protocol   Description

22                 TCP        Used for communication from a client system to the Panorama CLI interface.

443                TCP        Used for communication from a client system to the Panorama web interface.

3978               TCP        Used for communication between Panorama and managed firewalls or managed
                              collectors, as well as for communication among managed collectors in a Collector
                              Group:
                              - For communication between Panorama and firewalls, this is a bidirectional
                                connection on which the firewalls forward logs to Panorama and Panorama
                                pushes configuration changes to the firewalls. Context switching commands
                                are sent over the same connection.
                              - Log Collectors use this destination port to forward logs to Panorama.
                              - For communication with the default Log Collector on an M-Series appliance in
                                Panorama mode and with Dedicated Log Collectors (M-Series appliances in Log
                                Collector mode).

28769 (5.1 and     TCP        Used for the HA connectivity and synchronization between Panorama HA peers
later)                        using clear text communication. Communication can be initiated by either peer.
28260 (5.0 and     TCP
later)
49160 (5.0 and     TCP
earlier)

28                 TCP        Used for the HA connectivity and synchronization between Panorama HA peers
                              using encrypted communication (SSH over TCP). Communication can be initiated
                              by either peer.

28270 (6.0 and     TCP        Used for communication among Log Collectors in a Collector Group for log
later)                        distribution.
49190 (5.1 and     TCP
earlier)

2049               TCP        Used by the Panorama virtual appliance to write logs to the NFS datastore.

Ports Used for GlobalProtect

GlobalProtect uses the following ports.

Destination Port   Protocol   Description

443                TCP        Used for communication between GlobalProtect agents and portals, or
                              GlobalProtect agents and gateways and for SSL tunnel connections.
                              GlobalProtect gateways also use this port to collect host information from
                              GlobalProtect agents and perform host information profile (HIP) checks.

4501               UDP        Used for IPSec tunnel connections between GlobalProtect agents and gateways.

For tips on how to use a loopback interface to provide access to GlobalProtect on different ports and
addresses, refer to Can GlobalProtect Portal Page be Configured to be Accessed on any Port?.


Ports Used for User-ID

User-ID is a feature that enables mapping of user IP addresses to usernames and group memberships,
enabling user- or group-based policy and visibility into user activity on your network (for example, to be able
to quickly track down a user who may be the victim of a threat). To perform this mapping, the firewall, the
User-ID agent (either installed on a Windows-based system or the PAN-OS integrated agent running on the
firewall), and/or the Terminal Services agent must be able to connect to directory services on your network
to perform Group Mapping and User Mapping. Additionally, if the agents are running on systems external to
the firewall, they must be able to connect to the firewall to communicate the IP address-to-username
mappings to the firewall. The following table lists the communication requirements for User-ID along with
the port numbers required to establish connections.

Destination Port   Protocol   Description

389                TCP        Port the firewall uses to connect to an LDAP server (plaintext or Start Transport
                              Layer Security (StartTLS)) to Map Users to Groups.

3268               TCP        Port the firewall uses to connect to an Active Directory global catalog server
                              (plaintext or StartTLS) to Map Users to Groups.

636                TCP        Port the firewall uses for LDAP over SSL connections with an LDAP server to Map
                              Users to Groups.

3269               TCP        Port the firewall uses for LDAP over SSL connections with an Active Directory
                              global catalog server to Map Users to Groups.

514                TCP        Port the PAN-OS integrated User-ID agent or Windows-based User-ID agent
514                UDP        listens on for authentication syslog messages if you Configure User-ID to Receive
6514               SSL        User Mappings from a Syslog Sender.

5007               TCP        Port the firewall listens on for user mapping information from the User-ID or
                              Terminal Services agent. The agent sends the IP address and username mapping
                              along with a timestamp whenever it learns of a new or updated mapping. In
                              addition, it connects to the firewall at regular intervals to refresh known
                              mappings.

5006               TCP        Port the User-ID agent listens on for XML API requests. The source for this
                              communication is typically the system running a script that invokes the API.

88                 UDP/TCP    Port the User-ID agent uses to authenticate to a Kerberos server. The firewall
                              tries UDP first and falls back to TCP.

1812               UDP        Port the User-ID agent uses to authenticate to a RADIUS server.

49                 TCP        Port the User-ID agent uses to authenticate to a TACACS+ server.

135                TCP        Port the User-ID agent uses to establish TCP-based WMI connections with the
                              Microsoft Remote Procedure Call (RPC) Endpoint Mapper. The Endpoint Mapper
                              then assigns the agent a randomly assigned port in the 49152-65535 port range.
                              The agent uses this connection to make RPC queries for Exchange Server or AD
                              server security logs and session tables. This is also the port used to access Terminal
                              Services.
                              The User-ID agent also uses this port to connect to client systems to perform
                              Windows Management Instrumentation (WMI) probing.

139                TCP        Port the User-ID agent uses to establish TCP-based NetBIOS connections to the
                              AD server so that it can send RPC queries for security logs and session
                              information.
                              The User-ID agent also uses this port to connect to client systems for NetBIOS
                              probing (supported on the Windows-based User-ID agent only).

445                TCP        Port the User-ID agent uses to connect to the Active Directory (AD) using
                              TCP-based SMB connections to the AD server for access to user logon
                              information (print spooler and Net Logon).


Reset the Firewall to Factory Default Settings

Resetting the firewall to factory defaults will result in the loss of all configuration settings and logs.

Reset the Firewall to Factory Default Settings

Step 1  Set up a console connection to the firewall.
        1. Connect a serial cable from your computer to the Console port and connect to the firewall using
           terminal emulation software (9600-8-N-1).
           If your computer does not have a 9-pin serial port, use a USB-to-serial port connector.
        2. Enter your login credentials.
        3. Enter the following CLI command:
           debug system maintenance-mode
           The firewall will reboot in the maintenance mode.

Step 2  Reset the system to factory default settings.
        1. When the firewall reboots, press Enter to continue to the maintenance mode menu.
        2. Select Factory Reset and press Enter.
        3. Select Factory Reset and press Enter again.
           The firewall will reboot without any configuration settings. The default username and password to
           log in to the firewall is admin/admin.
           To perform initial configuration on the firewall and to set up network connectivity, see Integrate
           the Firewall into Your Management Network.


Bootstrap the Firewall

Bootstrapping speeds up the process of configuring and licensing the firewall to make it operational on the
network with or without Internet access. Bootstrapping allows you to choose whether to configure the
firewall with a basic configuration file (init-cfg.txt) so that it can connect to Panorama and obtain the
complete configuration or to fully configure the firewall with the basic configuration and the optional
bootstrap.xml file.
- USB Flash Drive Support
- Sample init-cfg.txt Files
- Prepare a USB Flash Drive for Bootstrapping a Firewall
- Bootstrap a Firewall Using a USB Flash Drive

USB Flash Drive Support

The USB flash drive that bootstraps a hardware-based Palo Alto Networks firewall must support one of the
following:
- File Allocation Table 32 (FAT32)
- Third Extended File System (ext3)
The firewall can bootstrap from the following flash drives with USB 2.0 or USB 3.0 connectivity:

USB Flash Drives Supported

Kingston         Kingston SE9 8GB (2.0)
                 Kingston SE9 16GB (3.0)
                 Kingston SE9 32GB (3.0)

SanDisk          SanDisk Cruzer Fit CZ33 8GB (2.0)
                 SanDisk Cruzer Fit CZ33 16GB (2.0)
                 SanDisk Cruzer CZ36 16GB (2.0)
                 SanDisk Cruzer CZ36 32GB (2.0)
                 SanDisk Extreme CZ80 32GB (3.0)

Silicon Power    Silicon Power Jewel 32GB (3.0)
                 Silicon Power Blaze 16GB (3.0)

PNY              PNY Attache 16GB (2.0)
                 PNY Turbo 32GB (3.0)


Sample init-cfg.txt Files

An init-cfg.txt file is required for the bootstrap process; this file is a basic configuration file that you create
using a text editor. You create this file in Step 5 in Prepare a USB Flash Drive for Bootstrapping a Firewall.
The following sample init-cfg.txt files show the parameters that are supported in the file; the parameters that
you must provide are the ones marked (Required) in the field table that follows.

Sample init-cfg.txt (Static IP Address)

type=static
ip-address=10.5.107.19
default-gateway=10.5.107.1
netmask=255.255.255.0
ipv6-address=2001:400:f00::1/64
ipv6-default-gateway=2001:400:f00::2
hostname=Ca-FW-DC1
panorama-server=10.5.107.20
panorama-server-2=10.5.107.21
tplname=FINANCE_TG4
dgname=finance_dg
dns-primary=10.5.6.6
dns-secondary=10.5.6.7
op-command-modes=multi-vsys,jumbo-frame
dhcp-send-hostname=no
dhcp-send-client-id=no
dhcp-accept-server-hostname=no
dhcp-accept-server-domain=no

Sample init-cfg.txt (DHCP Client)

type=dhcp-client
ip-address=
default-gateway=
netmask=
ipv6-address=
ipv6-default-gateway=
hostname=Ca-FW-DC1
panorama-server=10.5.107.20
panorama-server-2=10.5.107.21
tplname=FINANCE_TG4
dgname=finance_dg
dns-primary=10.5.6.6
dns-secondary=10.5.6.7
op-command-modes=multi-vsys,jumbo-frame
dhcp-send-hostname=yes
dhcp-send-client-id=yes
dhcp-accept-server-hostname=yes
dhcp-accept-server-domain=yes

The following table describes the fields in the init-cfg.txt file. The type is required; if the type is static, the IP
address, default gateway and netmask are required, or the IPv6 address and IPv6 default gateway are
required.

Fields in the init-cfg.txt File

Field                         Description

type                          (Required) Type of management IP address: static or dhcp-client.

ip-address                    (Required for IPv4 static management address) IPv4 address. The firewall ignores this
                              field if the type is dhcp-client.

default-gateway               (Required for IPv4 static management address) IPv4 default gateway for the
                              management interface. The firewall ignores this field if the type is dhcp-client.

netmask                       (Required for IPv4 static management address) IPv4 netmask. The firewall ignores
                              this field if the type is dhcp-client.

ipv6-address                  (Required for IPv6 static management address) IPv6 address and /prefix length of the
                              management interface. The firewall ignores this field if the type is dhcp-client.

ipv6-default-gateway          (Required for IPv6 static management address) IPv6 default gateway for the
                              management interface. The firewall ignores this field if the type is dhcp-client.

hostname                      (Optional) Hostname for the firewall.

panorama-server               (Recommended) IPv4 or IPv6 address of the primary Panorama server.

panorama-server-2             (Optional) IPv4 or IPv6 address of the secondary Panorama server.

tplname                       (Recommended) Panorama template name.

dgname                        (Recommended) Panorama device group name.

dns-primary                   (Optional) IPv4 or IPv6 address of the primary DNS server.

dns-secondary                 (Optional) IPv4 or IPv6 address of the secondary DNS server.

vm-auth-key                   (VM-Series firewalls only) Virtual machine authentication key.

op-command-modes              (Optional) Enter multi-vsys, jumbo-frame, or both separated by a comma only.
                              Enables multiple virtual systems and jumbo frames while bootstrapping.

dhcp-send-hostname            (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the
                              firewall sends its hostname to the DHCP server.

dhcp-send-client-id           (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the
                              firewall sends its client ID to the DHCP server.

dhcp-accept-server-hostname   (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the
                              firewall accepts its hostname from the DHCP server.

dhcp-accept-server-domain     (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the
                              firewall accepts its DNS server from the DHCP server.

Prepare a USB Flash Drive for Bootstrapping a Firewall

You can use a USB flash drive to bootstrap a physical firewall. However, to do so you must upgrade to
PAN-OS 7.1 and Reset the Firewall to Factory Default Settings. For security reasons, you can bootstrap a
firewall only when it is in factory default state or has all private data deleted.

Prepare a USB Flash Drive for Bootstrapping a Firewall

Step 1  Obtain serial numbers (S/Ns) and auth codes for support subscriptions from your order fulfillment
        email.

Step 2  Register S/Ns of new firewalls on the Customer Support portal.
        1. Go to support.paloaltonetworks.com, log in, and select Assets > Register New Device > Register
           device using Serial Number or Authorization Code.
        2. Follow the steps to Register the Firewall.
        3. Click Submit.


Step 3  Activate authorization codes on the Customer Support portal, which creates license keys.
        1. Go to support.paloaltonetworks.com, log in, and select the Assets tab.
        2. For each S/N you just registered, click the Action link.
        3. Select Activate Auth-Code.
        4. Enter the Authorization code and click Agree and Submit.

Step 4  Add the S/Ns in Panorama.
        Complete Step 1 in Add a Firewall as a Managed Device in the Panorama Administrator's Guide.

Step 5  Create the init-cfg.txt file.
        Create the init-cfg.txt file, a mandatory file that provides bootstrap parameters. The fields are
        described in Sample init-cfg.txt Files.
        If the init-cfg.txt file is missing, the bootstrap process will fail and the firewall will boot up with the
        default configuration in the normal boot-up sequence.
        There are no spaces between the key and value in each field; do not add spaces because they cause
        failures during parsing on the management server side.
        You can have multiple init-cfg.txt files, one each for different remote sites, by prepending the S/N to
        the filename. For example:
        0008C200105-init-cfg.txt
        0008C200107-init-cfg.txt
        If no prepended filename is present, the firewall uses the init-cfg.txt file and proceeds with
        bootstrapping.

Step 6  (Optional) Create the bootstrap.xml file.
        The optional bootstrap.xml file is a complete firewall configuration that you can export from an
        existing production firewall.
        1. Select Device > Setup > Operations > Export named configuration snapshot.
        2. Select the Name of the saved or the running configuration.
        3. Click OK.
        4. Rename the file as bootstrap.xml.


Step 7  Create and download the bootstrap bundle from the Customer Support portal.
        For a physical firewall, the bootstrap bundle requires only the /license and /config directories.
        Use one of the following methods to create and download the bootstrap bundle:
        - Use Method 1 to create a bootstrap bundle specific to a remote site (you have only one init-cfg.txt
          file).
        - Use Method 2 to create one bootstrap bundle for multiple sites.
        Method 1
        1. On your local system, go to support.paloaltonetworks.com and log in.
        2. Select Assets.
        3. Select the S/N of the firewall you want to bootstrap.
        4. Select Bootstrap Container.
        5. Click Select.
        6. Upload and Open the init-cfg.txt file you created.
        7. (Optional) Select the bootstrap.xml file you created and Upload Files.
           You must use a bootstrap.xml file from a firewall of the same model and PAN-OS version.
        8. Select Bootstrap Container Download to download a tar.gz file named
           bootstrap_<S/N>_<date>.tar.gz to your local system. This bootstrap container includes the license
           keys associated with the S/N of the firewall.
        Method 2
        Create a tar.gz file on your local system with two top-level directories: /license and /config. Include
        all licenses and all init-cfg.txt files with S/Ns prepended to the filenames.
        The license key files you download from the Customer Support portal have the S/N in the license
        filename. PAN-OS checks the S/N in the filename against the firewall S/N while executing the
        bootstrap process.

Step 8  Import the tar.gz file you created to a PAN-OS 7.1 firewall using Secure Copy (SCP) or TFTP.
        Access the CLI and enter one of the following commands:
        tftp import bootstrap-bundle file <path and filename> from <host IP address>
        For example:
        tftp import bootstrap-bundle file /home/userx/bootstrap/devices/pa5000.tar.gz from 10.1.2.3
        scp import bootstrap-bundle from <<user>@<host>:<path to file>>
        For example:
        scp import bootstrap-bundle from userx@10.1.2.3:/home/userx/bootstrap/devices/pa200_bootstrap_bundle.tar.gz


Step 9  Prepare the USB flash drive.
        1. Insert the USB flash drive into the firewall that you used in Step 8.
        2. Enter the following CLI operational command, using your tar.gz filename in place of pa5000.tar.gz.
           This command formats the USB flash drive, unzips the file, and validates the USB flash drive:
           request system bootstrap-usb prepare from pa5000.tar.gz
        3. Press y to continue. The following message displays when the USB drive is ready:
           USB prepare completed successfully.
        4. Remove the USB flash drive from the firewall.
        5. You can prepare as many USB flash drives as needed.

Step 10 Deliver the USB flash drive to your remote site.
        If you used Method 2 to create the bootstrap bundle, you can use the same USB flash drive content for
        bootstrapping firewalls at multiple remote sites. You can translate the content into multiple USB flash
        drives or a single USB flash drive used multiple times.
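The init-cfg.txt rules from Sample init-cfg.txt Files and from Step 5 above, as an added example that is not code from the PAN-OS guide or from Palo Alto Networks: a Python validator that rejects lines with spaces around the equals sign, checks the required fields for each type, the op-command-modes and dhcp-* values, and picks the S/N-prefixed file over the plain init-cfg.txt. The sample file contents and serial numbers are constructed, and the not-a-real-mode value is a deliberately invalid placeholder.

```python
"""Validate init-cfg.txt bootstrap files and pick the right one for a firewall.

Added example, not code from the PAN-OS guide. It encodes the rules the guide
states for init-cfg.txt and checks them offline against constructed samples.
"""
import re
from typing import Dict, List, Tuple

# Field names from the guide's "Fields in the init-cfg.txt File" table.
KNOWN_KEYS = {
    "type", "ip-address", "default-gateway", "netmask", "ipv6-address",
    "ipv6-default-gateway", "hostname", "panorama-server", "panorama-server-2",
    "tplname", "dgname", "dns-primary", "dns-secondary", "vm-auth-key",
    "op-command-modes", "dhcp-send-hostname", "dhcp-send-client-id",
    "dhcp-accept-server-hostname", "dhcp-accept-server-domain",
}
DHCP_KEYS = {k for k in KNOWN_KEYS if k.startswith("dhcp-")}
OP_MODES = {"multi-vsys", "jumbo-frame"}
# Exactly key=value; whitespace around '=' fails to match, because the guide
# warns that spaces break parsing on the management server side.
LINE_RE = re.compile(r"^([a-z0-9-]+)=(.*)$")


def parse_init_cfg(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse init-cfg.txt content into a dict; collect line-level errors."""
    fields: Dict[str, str] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            errors.append(f"line {lineno}: expected key=value with no spaces: {raw!r}")
            continue
        key, value = match.group(1), match.group(2)
        if key not in KNOWN_KEYS:
            errors.append(f"line {lineno}: unknown field {key!r}")
        elif key in fields:
            errors.append(f"line {lineno}: duplicate field {key!r}")
        fields[key] = value
    return fields, errors


def validate_init_cfg(fields: Dict[str, str]) -> List[str]:
    """Apply the cross-field rules from the guide; return a list of problems."""
    problems: List[str] = []
    cfg_type = fields.get("type", "")
    if cfg_type not in ("static", "dhcp-client"):
        problems.append("type is required and must be 'static' or 'dhcp-client'")
    elif cfg_type == "static":
        # Static needs the IPv4 triple or the IPv6 address/gateway pair.
        has_v4 = all(fields.get(k) for k in ("ip-address", "default-gateway", "netmask"))
        has_v6 = all(fields.get(k) for k in ("ipv6-address", "ipv6-default-gateway"))
        if not (has_v4 or has_v6):
            problems.append("static type needs ip-address, default-gateway and netmask, "
                            "or ipv6-address and ipv6-default-gateway")
        if fields.get("ipv6-address") and "/" not in fields["ipv6-address"]:
            problems.append("ipv6-address must include the /prefix length")
    modes = fields.get("op-command-modes", "")
    # "separated by a comma only": a stray space makes " jumbo-frame" invalid too.
    bad_modes = [m for m in modes.split(",") if modes and m not in OP_MODES]
    if bad_modes:
        problems.append(f"op-command-modes: unsupported value(s) {bad_modes}")
    for key in sorted(DHCP_KEYS):
        if fields.get(key) and fields[key] not in ("yes", "no"):
            problems.append(f"{key} must be yes or no")
    return problems


def select_init_cfg(filenames: List[str], serial: str) -> str:
    """Prefer <S/N>-init-cfg.txt for this firewall, then the plain init-cfg.txt."""
    preferred = f"{serial}-init-cfg.txt"
    if preferred in filenames:
        return preferred
    if "init-cfg.txt" in filenames:
        return "init-cfg.txt"
    # Without any init-cfg.txt the bootstrap fails and the firewall boots with
    # the default configuration, so report that before the drive is prepared.
    raise FileNotFoundError("no init-cfg.txt in bundle: bootstrap would fail")


# Constructed samples: values follow the guide's static example; the second
# file deliberately breaks the no-spaces rule and uses a placeholder mode name.
SAMPLE_STATIC = """type=static
ip-address=10.5.107.19
default-gateway=10.5.107.1
netmask=255.255.255.0
hostname=Ca-FW-DC1
panorama-server=10.5.107.20
tplname=FINANCE_TG4
dgname=finance_dg
op-command-modes=multi-vsys,jumbo-frame
"""
SAMPLE_BROKEN = """type = static
ip-address=10.5.107.19
op-command-modes=multi-vsys,not-a-real-mode
"""
```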

Bootstrap a Firewall Using a USB Flash Drive

After you receive a new Palo Alto Networks firewall and a USB flash drive loaded with bootstrap files, you
can bootstrap the firewall.

Microsoft Windows and Apple Mac operating systems are unable to read the bootstrap USB flash
drive because the drive is formatted using an ext4 file system. You must install third-party
software or use a Linux system to read the USB drive.

Bootstrap a Firewall Using a USB Flash Drive

Step 1  The firewall must be in a factory default state or must have all private data deleted.

Step 2  To ensure connectivity with your corporate headquarters, cable the firewall by connecting the
        management interface (MGT) using an Ethernet cable to one of the following:
        - An upstream modem
        - A port on the switch or router
        - An Ethernet jack in the wall

Step 3  Insert the USB flash drive into the USB port on the firewall and power on the firewall. The factory default
        firewall bootstraps itself from the USB flash drive.
        The firewall Status light turns from yellow to green when the firewall is configured; autocommit is
        successful.


Step 4  Verify bootstrap completion. You can see basic status logs on the console during the bootstrap and you
        can verify that the process is complete.
        1. If you included Panorama values (panorama-server, tplname, and dgname) in your init-cfg.txt file, check
           Panorama managed devices, device group, and template name.
        2. Verify the general system settings and configuration by accessing the web interface and selecting
           Dashboard > Widgets > System or by using the CLI operational commands show system info and show
           config running.
        3. Verify the license installation by selecting Device > Licenses or by using the CLI operational command
           request license info.
        4. If you have Panorama configured, manage the content versions and software versions from Panorama.
           If you do not have Panorama configured, use the web interface to manage content versions and
           software versions.



Authentication

Many of the services that Palo Alto Networks firewalls and Panorama provide require authentication,
including administrator access to the web interface and end user access to Captive Portal, GlobalProtect
portals, and GlobalProtect gateways. The authentication methods that you can configure vary by service,
and can include Kerberos single sign-on (SSO), external authentication services, certificates and certificate
profiles, local database accounts, RADIUS Vendor-Specific Attributes (VSAs), and NT LAN Manager (NTLM).
The following topics describe authentication methods that are common to most firewall and Panorama
services, procedures to configure them, how to test authentication profiles, and how to troubleshoot
authentication issues:
- Configure an Authentication Profile and Sequence
- Configure Kerberos Single Sign-On
- Configure Local Database Authentication
- Configure External Authentication
- Test Authentication Server Connectivity
- Troubleshoot Authentication Issues


Configure an Authentication Profile and Sequence

An authentication profile defines the authentication service that validates the login credentials of firewall or
Panorama administrators and Captive Portal or GlobalProtect end users. The authentication service can be
a local database (firewalls only), an external service (RADIUS, TACACS+, LDAP, or Kerberos server), or
Kerberos single sign-on (SSO).
Some networks have multiple databases for different users and user groups (for example, TACACS+ and
LDAP). To authenticate users in such cases, configure an authentication sequence, which is a ranked order
of authentication profiles that the firewall or Panorama matches a user against during login. The firewall or
Panorama checks against each profile in sequence until one successfully authenticates the user (the firewall
always checks the local database first if the sequence includes one). A user is denied access only if
authentication fails for all the profiles in the authentication sequence.

Configure an Authentication Profile and Sequence

Step 1  Create a Kerberos keytab.
        Required if the firewall or Panorama will use Kerberos SSO authentication.
        Create a Kerberos keytab. A keytab is a file that contains Kerberos account information (principal name
        and hashed password) for the firewall or Panorama.

Step 2  Configure a local database (firewall only) or external server profile (firewall or Panorama).
        Required for local database or external authentication.
        - Local database authentication: Perform the following tasks:
          a. Configure the user account.
          b. (Optional) Configure a user group.
        - External authentication: Perform one of the following tasks:
          - Configure a RADIUS Server Profile.
          - Configure a TACACS+ Server Profile.
          - Configure an LDAP Server Profile.
          - Configure a Kerberos Server Profile.


Step 3  Configure an authentication profile.
        Define one or both of the following:
        - Kerberos SSO: The firewall or Panorama first tries SSO authentication. If that fails, it falls back to
          the specified authentication Type.
        - Local database or external authentication: The firewall or Panorama prompts the user to enter login
          credentials, and uses its local database (firewalls only) or an external service to authenticate the user.
        1. Select Device > Authentication Profile and Add the authentication profile.
        2. Enter a Name to identify the authentication profile.
        3. If the firewall has more than one virtual system (vsys), select a Location (a vsys or Shared) where the
           profile is available.
        4. Select the authentication Type. If you select RADIUS, TACACS+, LDAP, or Kerberos, select the
           authentication Server Profile from the drop-down.
           If the Type is LDAP, define the Login Attribute. For Active Directory, enter sAMAccountName as the
           value.
        5. (Optional) Select the User Domain and Username Modifier options as follows to modify the
           domain/username string that the user will enter during login. This is useful when the authentication
           service requires the string in a particular format and you don't want to rely on users to correctly
           enter the domain.
           - To send only the unmodified user input, leave the User Domain blank (the default) and set the
             Username Modifier to the variable %USERINPUT% (the default).
           - To prepend a domain to the user input, enter a User Domain and set the Username Modifier to
             %USERDOMAIN%\%USERINPUT%.
           - To append a domain to the user input, enter a User Domain and set the Username Modifier to
             %USERINPUT%@%USERDOMAIN%.
        6. If you want to enable Kerberos SSO, enter the Kerberos Realm (usually the DNS domain of the users,
           except that the realm is UPPERCASE) and Import the Kerberos Keytab that you created for the firewall
           or Panorama.
        7. Select Advanced and Add the users and groups that can authenticate with this profile. You can select
           users and groups from the local database or, if you configured an LDAP server profile, from an
           LDAP-based directory service such as Active Directory. Selecting all allows every user to authenticate.
           By default, the list is empty, meaning no users can authenticate.
           You can also create and allow custom groups based on LDAP filters: see Map Users to Groups.
        8. Enter the number of Failed Attempts (0-10) to log in that the firewall or Panorama allows before
           locking out the user. The default value 0 means there is no limit.
        9. Enter the Lockout Time (0-60), which is the number of minutes for which the firewall or Panorama
           locks out the user after reaching the Failed Attempts limit. The default value 0 means the lockout
           applies until an administrator unlocks the user account.
        10. Click OK to save the authentication profile.


Step 4  Configure an authentication sequence.
        Required if you want the firewall or Panorama to try multiple authentication profiles to authenticate
        users. The firewall or Panorama evaluates the profiles in top-to-bottom order until one profile
        successfully authenticates the user.
        1. Select Device > Authentication Sequence and Add the authentication sequence.
        2. Enter a Name to identify the authentication sequence.
        3. If the firewall has more than one virtual system (vsys), select a Location (a vsys or Shared) where the
           sequence is available.
           To expedite the authentication process, the best practice is to Use domain to determine
           authentication profile: the firewall or Panorama will match the domain name that a user enters during
           login with the User Domain or Kerberos Realm of an authentication profile in the sequence, and then
           use that profile to authenticate the user. If the firewall or Panorama doesn't find a match, or if you
           clear the check box, it tries the profiles in the top-to-bottom sequence.
        4. Add each authentication profile. To change the evaluation order of the profiles, select a profile and
           Move Up or Move Down.
        5. Click OK to save the authentication sequence.

Step 5  Assign the authentication profile or sequence.
        Assign the authentication profile or sequence to an administrator account or to a firewall service for end
        users.
        Test Authentication Server Connectivity to verify that an authentication profile can communicate with
        the backend authentication server and that the authentication request succeeded.
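The profile and sequence behaviour described in Steps 3 to 5, as an added example that is not code from the PAN-OS guide or from Palo Alto Networks: a Python model of the Username Modifier variables, the Use domain to determine authentication profile match, local-database-first ordering, and the Failed Attempts and Lockout Time semantics. The credential stores, profile names and users are constructed stand-ins, and the assumption that a domain-matched profile is the only one tried is flagged in a comment.

```python
"""Simulate PAN-OS authentication profile and sequence evaluation.

Added example, not code from the PAN-OS guide: it models the rules the guide
states (Username Modifier variables, "Use domain to determine authentication
profile", local database checked first, Failed Attempts / Lockout Time) against
constructed in-memory credential stores that stand in for the real backends.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

USERINPUT = "%USERINPUT%"
USERDOMAIN = "%USERDOMAIN%"


def apply_username_modifier(user_input: str, user_domain: str, modifier: str) -> str:
    """Build the username actually sent to the backend from what the user typed."""
    return modifier.replace(USERDOMAIN, user_domain).replace(USERINPUT, user_input)


def login_domain(login: str) -> str:
    """Domain part of 'DOMAIN\\user' or 'user@domain'; '' if the user typed none."""
    if "\\" in login:
        return login.split("\\", 1)[0]
    if "@" in login:
        return login.rsplit("@", 1)[1]
    return ""


@dataclass
class AuthProfile:
    name: str
    auth_type: str                    # "Local Database", "RADIUS", "LDAP", "Kerberos", ...
    backend: Dict[str, str]           # constructed stand-in: backend username -> password
    user_domain: str = ""
    kerberos_realm: str = ""
    modifier: str = USERINPUT         # the default: send the unmodified user input
    failed_attempts: int = 0          # 0-10; 0 means no limit
    lockout_time: int = 0             # 0-60 minutes; 0 means until an administrator unlocks
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, Optional[int]] = field(default_factory=dict)

    def is_locked(self, login: str, now: int) -> bool:
        if login not in self.locked_until:
            return False
        until = self.locked_until[login]
        if until is not None and now >= until:      # timed lockout has expired
            self.unlock(login)
            return False
        return True

    def authenticate(self, login: str, password: str, now: int = 0) -> bool:
        """One profile's decision; 'now' is a minute counter used for lockout timing."""
        if self.is_locked(login, now):
            return False
        sent = apply_username_modifier(login, self.user_domain, self.modifier)
        if self.backend.get(sent) == password:
            self.failures.pop(login, None)
            return True
        self.failures[login] = self.failures.get(login, 0) + 1
        if self.failed_attempts and self.failures[login] >= self.failed_attempts:
            self.locked_until[login] = now + self.lockout_time if self.lockout_time else None
        return False

    def unlock(self, login: str) -> None:
        """Administrator unlock (the only way out when Lockout Time is 0)."""
        self.locked_until.pop(login, None)
        self.failures.pop(login, None)


def authenticate_sequence(profiles: List[AuthProfile], login: str, password: str,
                          use_domain: bool = True, now: int = 0) -> Optional[str]:
    """Return the name of the profile that authenticated the user, or None."""
    domain = login_domain(login).lower()
    if use_domain and domain:
        for p in profiles:
            if domain in (p.user_domain.lower(), p.kerberos_realm.lower()):
                # Assumption: the domain-matched profile is the only one tried.
                return p.name if p.authenticate(login, password, now) else None
    # No match (or option off): local database first, then top-to-bottom order.
    ordered = ([p for p in profiles if p.auth_type == "Local Database"]
               + [p for p in profiles if p.auth_type != "Local Database"])
    for p in ordered:
        if p.authenticate(login, password, now):
            return p.name
    return None
```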


Configure Kerberos Single Sign-On

Palo Alto Networks firewalls and Panorama support Kerberos V5 single sign-on (SSO) to authenticate
administrators to the web interface and end users to Captive Portal. A network that supports Kerberos SSO
prompts a user to log in only for initial access to the network (for example, logging in to Microsoft Windows).
After this initial login, the user can access any browser-based service in the network (for example, the firewall
web interface) without having to log in again until the SSO session expires. (Your Kerberos administrator sets
the duration of SSO sessions.) If you enable both Kerberos SSO and external authentication services (for
example, a RADIUS server), the firewall or Panorama first tries SSO and, only if that fails, falls back to the
external service for authentication.
To support Kerberos SSO, your network requires:
- A Kerberos infrastructure, including a key distribution center (KDC) with an authentication server (AS)
  and ticket-granting service (TGS).
- A Kerberos account for the firewall or Panorama that will authenticate users. An account is required to
  create a Kerberos keytab, which is a file that contains the principal name and hashed password of the
  firewall or Panorama. The SSO process requires the keytab.

Configure Kerberos Single Sign-On

Step 1  Create a Kerberos keytab.
        1. Log in to the KDC and open a command prompt.
        2. Enter the following command, where <principal_name>, <password>, and <algorithm> are variables.
           The Kerberos principal name and password are of the firewall or Panorama, not the user.
           ktpass /princ <principal_name> /pass <password> /crypto <algorithm> /ptype KRB5_NT_PRINCIPAL /out <file_name>.keytab
           If the firewall is in FIPS/CC mode, the algorithm must be aes128-cts-hmac-sha1-96 or
           aes256-cts-hmac-sha1-96. Otherwise, you can also use des3-cbc-sha1 or arcfour-hmac. To use an
           Advanced Encryption Standard (AES) algorithm, the functional level of the KDC must be Windows Server
           2008 or later and you must enable AES encryption for the firewall or Panorama account.
           The algorithm in the keytab must match the algorithm in the service ticket that the TGS issues to clients.
           Your Kerberos administrator determines which algorithms the service tickets use.

Step 2  Import the keytab into an authentication profile.
        Configure an Authentication Profile and Sequence:
        1. Enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is uppercase).
        2. Import the Kerberos Keytab that you created for the firewall or Panorama.

Step 3  Assign the authentication profile to the administrator account or to the Captive Portal settings.
        - Configure an administrator account.
        - Configure Captive Portal.


Configure Local Database Authentication

You can use a local firewall database instead of an external service to manage user account credentials and
authentication. For example, you might create a local database of users and user groups for specialized
purposes if you don't have permission to add them to the directory servers that your organization uses to
manage regular accounts and groups. Local database authentication is available for firewall administrators
and for Captive Portal and GlobalProtect end users.

If your network supports Kerberos single sign-on (SSO), you can configure local authentication as
a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local
Authentication for Administrators.
You can also Configure an Administrative Account to use local account management and
authentication without a local database, but only for firewall administrators.

Configure Local Database Authentication

Step 1  Configure the user account.
        1. Select Device > Local User Database > Users and click Add.
        2. Enter a user Name for the administrator.
        3. Enter a Password and Confirm Password or enter a Password Hash.
        4. Enable the account (enabled by default) and click OK.

Step 2  Configure a user group.
        Required if your users require group membership.
        1. Select Device > Local User Database > User Groups and click Add.
        2. Enter a Name to identify the group.
        3. Add each user who is a member of the group and click OK.

Step 3  Configure an authentication profile.
        Set the authentication Type to Local Database.

Step 4  Assign the authentication profile to an administrator account or firewall service.
        - Administrators: Configure an Administrative Account:
          - Specify the Name of a user you defined in Step 1.
          - Assign the Authentication Profile that you configured for the account.
        - End users: For all services, you must assign the Authentication Profile that you configured for the
          accounts:
          - Configure Captive Portal.
          - Configure the GlobalProtect portal.
          - Configure the GlobalProtect gateway.

Step 5  Verify that the firewall can communicate with the authentication server.
        Test a Local Database Authentication Profile.


Configure External Authentication

Palo Alto Networks firewalls and Panorama can use external servers for many services that require
authentication, including administrator access to the web interface and end user access to Captive Portal,
GlobalProtect portals and GlobalProtect gateways. The server protocols that firewalls and Panorama
support include Lightweight Directory Access Protocol (LDAP), Kerberos, Terminal Access Controller
Access-Control System Plus (TACACS+), and Remote Authentication Dial-In User Service (RADIUS). If you
enable both external authentication and Kerberos single sign-on (SSO), the firewall or Panorama first tries
SSO and, only if that fails, falls back to the external server for authentication. To configure external
authentication, you create an authentication server profile, assign it to an authentication profile, and then
enable authentication for an administrator account or firewall/Panorama service by assigning the
authentication profile to it.
- Configure Authentication Server Profiles
- Enable External Authentication for Users and Services

Configure Authentication Server Profiles

- Configure a RADIUS Server Profile
- RADIUS Vendor-Specific Attributes Support
- Configure a TACACS+ Server Profile
- Configure an LDAP Server Profile
- Configure a Kerberos Server Profile
- Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers

Configure a RADIUS Server Profile

You can configure the firewall or Panorama to use a RADIUS server for managing administrator accounts (if
they are not local). You can also configure the firewall to use a RADIUS server for authenticating end users
and collecting RADIUS Vendor-Specific Attributes (VSAs) from GlobalProtect clients. To use a RADIUS
server for managing administrator accounts or collecting GlobalProtect clients' VSAs, you must define VSAs
on the RADIUS server. For the list of supported VSAs, see RADIUS Vendor-Specific Attributes Support.

By default, when authenticating to the RADIUS server, the firewall or Panorama first tries
Challenge-Handshake Authentication Protocol (CHAP) and falls back to Password Authentication
Protocol (PAP) under certain conditions. Optionally, you can override this automatic protocol
selection and configure the firewall or Panorama to always use a specific protocol. For details, see
Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers.
When sending authentication requests to a RADIUS server, the firewall and Panorama use the
authentication profile name as the network access server (NAS) identifier, even if the profile is
assigned to an authentication sequence for the service that initiates the authentication process.

Configure a RADIUS Server Profile

Step 1  Add a RADIUS server profile.
  1. Select Device > Server Profiles > RADIUS and click Add.
  2. Enter a Profile Name to identify the server profile.
  3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
  4. For the Timeout, enter an interval in seconds after which an authentication request times out (range is 1-30, default is 3).
  5. Enter the number of automatic Retries following a Timeout before the request fails (range is 1-5, default is 3).
  6. For each RADIUS server, click Add and enter a Name (to identify the server), server IP address or FQDN (RADIUS Server field), Secret/Confirm Secret (the shared secret that the firewall and the server use to hide passwords and to authenticate RADIUS messages; it must match the secret configured for this client on the server), and server Port for authentication requests (default is 1812).
  7. Click OK.

Step 2  Implement the RADIUS server profile.
  1. Assign the RADIUS server profile to an authentication profile or sequence.
  2. Test a RADIUS Authentication Profile to verify that the firewall or Panorama can connect to the RADIUS server.
  3. Assign the authentication profile or sequence to an administrator account or to a firewall service for end users.
  4. Commit your changes.

RADIUS Vendor-Specific Attributes Support

Palo Alto Networks firewalls and Panorama support the following RADIUS Vendor-Specific Attributes (VSAs). To define VSAs on a RADIUS server, you must specify the vendor code (25461 for Palo Alto Networks firewalls or Panorama) and the VSA name and number. Some VSAs also require a value.

Name                                     Number  Value

VSAs for administrator account management and authentication

PaloAlto-Admin-Role                      1       A default (dynamic) administrative role name or a custom administrative role name on the firewall.
PaloAlto-Admin-Access-Domain             2       The name of an access domain for firewall administrators (configured in the Device > Access Domains page). Define this VSA if the firewall has multiple virtual systems.
PaloAlto-Panorama-Admin-Role             3       A default (dynamic) administrative role name or a custom administrative role name on Panorama.
PaloAlto-Panorama-Admin-Access-Domain    4       The name of an access domain for Device Group and Template administrators (configured in the Panorama > Access Domains page).
PaloAlto-User-Group                      5       The name of a user group that an authentication profile references.

VSAs forwarded from GlobalProtect clients to the RADIUS server (do not specify a value when you define these VSAs)

PaloAlto-User-Domain                     6
PaloAlto-Client-Source-IP                7
PaloAlto-Client-OS                       8
PaloAlto-Client-Hostname                 9
PaloAlto-GlobalProtect-Client-Version    10
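The following is an added example, not code from this guide or from Palo Alto Networks, showing how a VSA from the table above is laid out on the wire (RFC 2865 attribute 26: vendor ID, then vendor type, length and value) and how a receiver pulls the Palo Alto attributes out of an Access-Accept attribute list while ignoring other vendors. It uses only the vendor code 25461 and the VSA numbers from the table; the attribute values (superuser, vsys1-admins), the unrelated vendor-9 attribute and the constant names are constructed for the demonstration.

```python
import struct

# Values from the table above: Palo Alto Networks vendor code and VSA numbers
PALO_ALTO_VENDOR_ID = 25461
ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 section 5.26 attribute type

VSA_NAMES = {
    1: "PaloAlto-Admin-Role",
    2: "PaloAlto-Admin-Access-Domain",
    3: "PaloAlto-Panorama-Admin-Role",
    4: "PaloAlto-Panorama-Admin-Access-Domain",
    5: "PaloAlto-User-Group",
    6: "PaloAlto-User-Domain",
    7: "PaloAlto-Client-Source-IP",
    8: "PaloAlto-Client-OS",
    9: "PaloAlto-Client-Hostname",
    10: "PaloAlto-GlobalProtect-Client-Version",
}
VSA_NUMBERS = {name: num for num, name in VSA_NAMES.items()}


def encode_vsa(vendor_type: int, value: str, vendor_id: int = PALO_ALTO_VENDOR_ID) -> bytes:
    """Encode one Vendor-Specific attribute in the RFC 2865 layout:
    Type(26) Length Vendor-Id(4) Vendor-Type Vendor-Length Value."""
    data = value.encode("utf-8")
    inner = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + inner
    if 2 + len(body) > 255:
        raise ValueError("RADIUS attributes are limited to 255 bytes")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(blob: bytes):
    """Yield (type, payload) for each top-level RADIUS attribute; reject bad lengths
    instead of trusting the length octet, which is the classic way to misparse a packet."""
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("attribute length out of range")
        yield atype, blob[i + 2 : i + alen]
        i += alen


def extract_palo_alto_vsas(blob: bytes) -> dict:
    """Return {vsa_name: value} for every Palo Alto Networks VSA in an attribute list.
    Attributes of other vendors are skipped; one attribute 26 may carry several sub-attributes."""
    found = {}
    for atype, payload in parse_attributes(blob):
        if atype != ATTR_VENDOR_SPECIFIC or len(payload) < 6:
            continue
        if struct.unpack("!I", payload[:4])[0] != PALO_ALTO_VENDOR_ID:
            continue
        j = 4
        while j < len(payload):
            if len(payload) - j < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = payload[j], payload[j + 1]
            if vlen < 2 or j + vlen > len(payload):
                raise ValueError("vendor sub-attribute length out of range")
            name = VSA_NAMES.get(vtype, f"PaloAlto-Unknown-{vtype}")
            found[name] = payload[j + 2 : j + vlen].decode("utf-8", "replace")
            j += vlen
    return found


# Constructed Access-Accept attribute list (not a real capture): a Palo Alto admin role and
# access domain, plus another vendor's VSA (vendor 9) that a correct parser must ignore.
ACCESS_ACCEPT_ATTRS = (
    encode_vsa(VSA_NUMBERS["PaloAlto-Admin-Role"], "superuser")
    + encode_vsa(VSA_NUMBERS["PaloAlto-Admin-Access-Domain"], "vsys1-admins")
    + encode_vsa(1, "shell:priv-lvl=15", vendor_id=9)
)

if __name__ == "__main__":
    print(ACCESS_ACCEPT_ATTRS.hex())
    print(extract_palo_alto_vsas(ACCESS_ACCEPT_ATTRS))
```

A RADIUS server dictionary entry needs the same three facts the table lists: the vendor code, the attribute number, and a string value. The parser checks every length octet against the remaining buffer and skips foreign vendor IDs, so a malformed or unrelated attribute can neither crash the receiver nor be misread as a Palo Alto administrator role.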

Configure a TACACS+ Server Profile

The Terminal Access Controller Access-Control System Plus (TACACS+) protocol provides better authentication security than RADIUS because it encrypts the entire body of each packet, including usernames and passwords (RADIUS hides only the password), and is also more reliable (it uses TCP instead of UDP). The TACACS+ body encryption is keyed by the shared secret alone, so the strength and secrecy of that key are what protect the exchange.

By default, when authenticating to the TACACS+ server, the firewall or Panorama first tries Challenge-Handshake Authentication Protocol (CHAP) and falls back to Password Authentication Protocol (PAP) under certain conditions. Optionally, you can override this automatic protocol selection and configure the firewall or Panorama to always use a specific protocol. For details, see Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers.

Configure a TACACS+ Server Profile

Step 1  Add a TACACS+ server profile.
  1. Select Device > Server Profiles > TACACS+ and click Add.
  2. Enter a Profile Name to identify the server profile.
  3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
  4. For the Timeout, enter an interval in seconds after which an authentication request times out (range is 1-20, default is 3).
  5. Select the Use single connection for all authentication check box to use the same TCP session for all authentications that use this profile. This option improves performance by avoiding the need to start and end a separate TCP session for each authentication. The check box is cleared by default.
  6. For each TACACS+ server, click Add and enter a Name (to identify the server), server IP address or FQDN (TACACS+ Server field), Secret/Confirm Secret (the shared key that encrypts the packet body, including usernames and passwords; it must match the key configured for this client on the server), and server Port for authentication requests (default is 49).
  7. Click OK.

Step 2  Implement the TACACS+ server profile.
  1. Assign the TACACS+ server profile to an authentication profile or sequence.
  2. Test a TACACS+ Authentication Profile to verify that the firewall or Panorama can connect to the TACACS+ server.
  3. Assign the authentication profile or sequence to an administrator account or to a firewall service for end users.
  4. Commit your changes.

Configure an LDAP Server Profile

An LDAP server profile enables you to:
  Authenticate administrators and end users of Palo Alto Networks firewalls and Panorama.
  Define security rules based on user or user group. The LDAP server profile instructs the firewall how to connect and authenticate to the server and how to search the directory for user and group information. You must also configure User-ID to Map Users to Groups. Then you can select users or groups when defining policy rules.

Configure an LDAP Server Profile

Step 1  Add an LDAP server profile.
  1. Select Device > Server Profiles > LDAP and click Add.
  2. Enter a Profile Name to identify the server profile.
  3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
  4. For each LDAP server (up to four), click Add and enter a Name (to identify the server), server IP address or FQDN (LDAP Server field), and server Port (default 389).
  5. Select the server Type from the drop-down: active-directory, e-directory, sun, or other.
  6. If you want the firewall or Panorama to use SSL or TLS for a more secure connection with the directory server, select the Require SSL/TLS secured connection check box (it is selected by default). The protocol that the firewall or Panorama uses depends on the server Port:
     389 (default): TLS. Specifically, the firewall or Panorama uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.
     636: SSL (LDAP over SSL/TLS, also called LDAPS, where the session is encrypted from the first byte).
     Any other port: the firewall or Panorama first tries TLS (StartTLS). If the directory server doesn't support TLS, the firewall or Panorama falls back to SSL.
     If you clear this check box, the bind credentials and the directory query results cross the network in cleartext.
  7. To improve security, select the Verify Server Certificate for SSL sessions check box (it is cleared by default) so that the firewall or Panorama verifies the certificate that the directory server presents for SSL/TLS connections. If the verification fails, the connection fails. To enable verification, you must also select the Require SSL/TLS secured connection check box. Without verification the session is encrypted but the directory server is not authenticated: whatever endpoint terminates the TLS connection is accepted, including one an attacker has placed on the path. The firewall or Panorama verifies the certificate in two respects:
     The certificate is trusted and valid. For the firewall or Panorama to trust the certificate, its root certificate authority (CA) and any intermediate certificates must be in the certificate store under Device > Certificate Management > Certificates > Device Certificates. Import the certificate if necessary: see Import a Certificate and Private Key.
     The certificate name must match the host name of the LDAP server. The firewall or Panorama first checks the certificate attribute SubjectAltName for a match, then tries the attribute Subject DN. If the certificate uses the FQDN of the directory server, you must enter that FQDN in the LDAP Server field for the name matching to succeed.
  8. Click OK.

Step 2  Implement the LDAP server profile.
  1. Assign the LDAP server profile to an authentication profile or sequence.
  2. Test an LDAP Authentication Profile to verify that the firewall or Panorama can connect to the LDAP server.
  3. Assign the authentication profile or sequence to an administrator account or to a firewall service for end users.
  4. Commit your changes.
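An added example, not part of this guide, that models the Step 1 check box semantics in code: which protocol the profile implies for a given port, and the certificate name check in the order described above (SubjectAltName first, then Subject DN), including the case where an IP address is entered in the LDAP Server field but the certificate carries only the FQDN. The certificate fields, the host name ldap1.mgmt-group.local and the function names are constructed for the example; chain-of-trust validation against the device certificate store is outside the model.

```python
import ipaddress

# Constructed server certificate for the example (not a real certificate): what a directory
# server named ldap1.mgmt-group.local might present. Field names are this example's own.
SERVER_CERT = {
    "subject_cn": "ldap1.mgmt-group.local",
    "san_dns": ["ldap1.mgmt-group.local", "*.mgmt-group.local"],
    "san_ip": [],
}


def ldap_security_mode(port: int, require_ssl_tls: bool) -> str:
    """Protocol the profile implies, as the page describes it: 389 -> StartTLS upgrade,
    636 -> TLS from the first byte (LDAPS), any other port -> StartTLS, then LDAPS."""
    if not require_ssl_tls:
        return "plaintext"
    if port == 389:
        return "starttls"
    if port == 636:
        return "ldaps"
    return "starttls-then-ldaps"


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match. A '*' is accepted only as the entire left-most
    label, must be followed by at least two labels, and never matches the bare domain."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def server_name_matches(server_field: str, cert: dict) -> tuple:
    """Name check in the order the page gives: SubjectAltName first, then Subject DN (CN)."""
    try:
        ip = ipaddress.ip_address(server_field)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(x) == ip for x in cert["san_ip"]):
            return True, "iPAddress SAN"
        # Directory certificates rarely carry an IP, so an IP in the LDAP Server field fails
        # name matching even when the transport is fine; enter the FQDN instead.
        return False, "server entered as IP; certificate carries no matching iPAddress SAN"
    if any(_dns_name_matches(x, server_field) for x in cert["san_dns"]):
        return True, "dNSName SAN"
    if cert.get("subject_cn") and _dns_name_matches(cert["subject_cn"], server_field):
        return True, "Subject CN"
    return False, "no SAN or CN entry matches the LDAP Server value"


def evaluate_ldap_profile(server_field: str, port: int, require_ssl_tls: bool,
                          verify_cert: bool, cert: dict = SERVER_CERT) -> dict:
    """Apply the check box rules: verification only takes effect with Require SSL/TLS,
    and a failed name check fails the connection rather than downgrading it."""
    mode = ldap_security_mode(port, require_ssl_tls)
    result = {"mode": mode, "verify_effective": False, "connect": True, "reason": "ok"}
    if mode == "plaintext":
        result["reason"] = "bind credentials and directory data cross the network unencrypted"
        return result
    if not verify_cert:
        result["reason"] = "encrypted but server not authenticated: any certificate is accepted"
        return result
    result["verify_effective"] = True
    ok, why = server_name_matches(server_field, cert)
    if ok:
        result["reason"] = f"name matched via {why}"
    else:
        result["connect"], result["reason"] = False, why
    return result


if __name__ == "__main__":
    for server in ("ldap1.mgmt-group.local", "10.5.104.99"):
        print(server, evaluate_ldap_profile(server, 636, True, True))
```

The two profiles printed at the end differ only in how the server is named, which is exactly the situation the page warns about in Step 1.7: the IP-addressed profile would connect with verification cleared and fail with it selected, and the fix is the FQDN in the LDAP Server field, not clearing the check box.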

Configure a Kerberos Server Profile

A Kerberos server profile enables users to natively authenticate to an Active Directory domain controller or a Kerberos V5-compliant authentication server. This authentication method is interactive, requiring users to enter usernames and passwords, in contrast with Kerberos single sign-on (SSO), which involves transparent authentication.

To use a Kerberos server for authentication, the server must be accessible over an IPv4 address. IPv6 addresses are not supported.

Configure a Kerberos Server Profile

Step 1  Add a Kerberos server profile.
  1. Select Device > Server Profiles > Kerberos and click Add.
  2. Enter a Profile Name to identify the server profile.
  3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
  4. For each Kerberos server, click Add and enter a Name (to identify the server), server IPv4 address or FQDN (Kerberos Server field), and an optional Port number for communication with the server (default 88).
  5. Click OK.

Step 2  Implement the Kerberos server profile.
  1. Assign the Kerberos server profile to an authentication profile or sequence. The Kerberos Realm is set in the authentication profile, not in the server profile; realm names are case-sensitive, and for an Active Directory domain the realm is the DNS domain name in uppercase.
  2. Test a Kerberos Authentication Profile to verify that the firewall or Panorama can connect to the Kerberos server.
  3. Assign the authentication profile or sequence to an administrator account or to a firewall service for end users.
  4. Commit your changes.

Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers

When you configure a Palo Alto Networks firewall or Panorama to use RADIUS or TACACS+ server authentication for a particular service (such as Captive Portal), it first tries to authenticate to the server using Challenge-Handshake Authentication Protocol (CHAP). The firewall or Panorama falls back to Password Authentication Protocol (PAP) if the server rejects the CHAP request. This will happen if, for example, the server doesn't support CHAP or isn't configured for CHAP. CHAP is the preferred protocol because it is more secure than PAP: with CHAP the firewall sends an MD5 response to a challenge rather than the password itself, whereas with PAP the password travels in the request, protected only by the RADIUS shared-secret hiding or the TACACS+ body encryption. After the firewall or Panorama falls back to PAP for a particular RADIUS or TACACS+ server, it uses only PAP in subsequent attempts to authenticate to that server. PAN-OS records a fallback to PAP as a medium-severity event in the System logs; an unexpected fallback is usually the first visible sign that the server's configuration changed, so it is worth alerting on. If you modify any fields in the RADIUS or TACACS+ server profile and then commit the changes, the firewall or Panorama reverts to first trying CHAP for that server.

If you want the firewall or Panorama to always use a specific protocol for authenticating to the RADIUS or TACACS+ server, enter the following operational CLI command (the auto option reverts to the default automatic selection):
  set authentication radius-auth-type [ auto | chap | pap ]

When configuring a RADIUS or TACACS+ server for CHAP, you must define user accounts with reversibly encrypted passwords. Otherwise, CHAP authentication will fail, because the server must recompute the MD5 challenge response from the cleartext password and cannot do so from a one-way hash. Weigh this trade-off: reversible storage is what makes CHAP possible, and a credential store that holds recoverable passwords is a high-value target.
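An added example, not code from this guide, that implements the two credential exchanges described above and the shared-secret check behind the Bad MD5 error shown in the RADIUS test example later in this chapter. It follows the RFC 2865 constructions directly: PAP hides the password by XOR with an MD5 keystream derived from the shared secret, CHAP sends MD5(Ident || password || challenge) and so requires the server to know the cleartext password, and every reply carries a Response Authenticator computed over the packet and the secret. The shared secret, Request Authenticator, challenge, password and the account dictionary are constructed values, and the function names are this example's own.

```python
import hashlib
import struct

# Constructed values for the demonstration (not from a real exchange)
SHARED_SECRET = b"correct-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))  # 16 random octets in a real Access-Request
CHAP_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")


def pap_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: User-Password XORed with an MD5 keystream derived from the
    shared secret and the Request Authenticator. This hides the password; it is not a cipher."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out, prev = out + c, c
    return out


def pap_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform: the shared secret is all that protects PAP."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(c, block)), c
    return out.rstrip(b"\x00")


def chap_password_attr(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3 CHAP-Password value: Ident || MD5(Ident || password || challenge).
    The shared secret plays no part; the cleartext password does."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def server_verify_chap(chap_attr: bytes, challenge: bytes, account: dict) -> bool:
    """A server can only check CHAP if it can recover the cleartext password. 'cleartext'
    models an account stored with reversible encryption; None models a one-way hash."""
    if account.get("cleartext") is None:
        return False
    return chap_password_attr(chap_attr[0], account["cleartext"], challenge) == chap_attr


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: header, Response Authenticator, attributes."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def client_accepts_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The client recomputes the Response Authenticator with its own copy of the secret.
    A mismatch is what the firewall reports as "Bad MD5" in the test authentication output."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return expected == reply[4:20]


def demo() -> dict:
    password = b"Secr3t!Pass"
    hidden = pap_hide_password(password, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    chap = chap_password_attr(7, password, CHAP_CHALLENGE)
    reply = build_reply(2, 7, b"", REQUEST_AUTHENTICATOR, SHARED_SECRET)  # code 2 = Access-Accept
    return {
        "pap_round_trip": pap_reveal_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR) == password,
        "pap_wrong_secret": pap_reveal_password(hidden, b"other", REQUEST_AUTHENTICATOR) == password,
        "chap_reversible_account": server_verify_chap(chap, CHAP_CHALLENGE, {"cleartext": password}),
        "chap_hashed_only_account": server_verify_chap(chap, CHAP_CHALLENGE, {"cleartext": None}),
        "reply_correct_secret": client_accepts_reply(reply, REQUEST_AUTHENTICATOR, SHARED_SECRET),
        "reply_wrong_secret": client_accepts_reply(reply, REQUEST_AUTHENTICATOR, b"wrong-secret"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The chap_hashed_only_account case is the failure the note above describes: the server holds a one-way hash, cannot rebuild the MD5 response, and rejects CHAP, after which the firewall falls back to PAP. The reply_wrong_secret case is the Bad MD5 failure, and it shows why a secret mismatch is reported by the firewall rather than the server: the server never learns that the client's secret differs, it simply signs with its own.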

Enable External Authentication for Users and Services

Palo Alto Networks firewalls and Panorama can use external services to authenticate administrators and end users.

Enable External Authentication

Step 1  Configure an external server profile.
  Configure a RADIUS Server Profile.
  Configure a TACACS+ Server Profile.
  Configure an LDAP Server Profile.
  Configure a Kerberos Server Profile.

Step 2  Assign the server profile to an authentication profile. Optionally, you can assign multiple authentication profiles to an authentication sequence.
  1. Configure an Authentication Profile and Sequence.
  2. Test Authentication Server Connectivity.

Step 3  Assign the authentication profile or sequence to an administrator account or to a firewall service for end users.
  Administrators: Configure an Administrative Account.
  End-user services:
    Configure Captive Portal.
    Configure the GlobalProtect portal.
    Configure the GlobalProtect gateway.

Test Authentication Server Connectivity

After you configure an authentication profile on a Palo Alto Networks firewall or Panorama, you can use the test authentication feature to determine whether it can communicate with the back-end authentication server and whether the authentication request succeeded. You can additionally test authentication profiles used for GlobalProtect and Captive Portal authentication. You can perform authentication tests on the candidate configuration, so that you know the configuration is correct before committing.

Authentication server connectivity testing is supported for local database, RADIUS, TACACS+, LDAP, and Kerberos authentication.

The following topics describe how to use the test authentication command and provide examples:
  Run the Test Authentication Command
  Test a Local Database Authentication Profile
  Test a RADIUS Authentication Profile
  Test a TACACS+ Authentication Profile
  Test an LDAP Authentication Profile
  Test a Kerberos Authentication Profile

Run the Test Authentication Command

Step 1  On the PAN-OS firewall or Panorama server, Configure an authentication profile. You do not need to commit the authentication or server profile configuration prior to testing.

Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
  admin@PA-3060> set system setting target-vsys <vsysname>
For example, if the user is defined in vsys2, run the following command:
  admin@PA-3060> set system setting target-vsys vsys2
The target-vsys setting is per login session, so the system clears the option when you log off.

Step 4  Test an authentication profile by entering the following command:
  admin@PA-3060> test authentication authentication-profile <authentication-profile-name> username <username> password
For example, to test an authentication profile named myprofile for a user named bsimpson, run the following command:
  admin@PA-3060> test authentication authentication-profile myprofile username bsimpson password
The command prompts for the password, so the password never appears on the command line.
When entering authentication profile names and server profile names in the test command, the names are case-sensitive. Also, if the authentication profile has a username modifier defined, you must enter the modifier with the username. For example, if you add the username modifier %USERINPUT%@%USERDOMAIN% for a user named bsimpson and the domain name is mydomain.com, enter bsimpson@mydomain.com as the username. This will ensure that the correct credentials are sent to the authentication server. In this example, mydomain.com is the domain that you define in the User Domain field in the authentication profile.

Step 5  View the output of the test results.
If the authentication profile is configured correctly, the output displays Authentication succeeded. If there is a configuration issue, the output displays information to help you troubleshoot the configuration. For example use cases on the supported authentication profile types, see the test examples under Test Authentication Server Connectivity.
The output results vary based on several factors related to the authentication type that you are testing as well as the type of issue. For example, RADIUS and TACACS+ use different underlying libraries, so the same issue that exists for both of these types will produce different errors. Also, if there is a network problem, such as using an incorrect port or IP address in the authentication server profile, the output error is not specific. This is because the test command cannot perform the initial handshake between the firewall and the authentication server to determine details about the issue.

Test a Local Database Authentication Profile

The following example shows how to test a Local Database authentication profile named LocalDB-Profile for a user named User1-LocalDB and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.

Local Database Authentication Profile Test Example

Step 1  On the PAN-OS firewall, ensure that you have an administrator configured with the type Local Database. For information on administrator accounts, refer to Manage Firewall Administrators.

Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access, as described in Run the Test Authentication Command:
  admin@PA-3060> set system setting target-vsys <vsysname>
The target-vsys setting is per login session, so the system clears the option when you log off.

Step 4  Run the following CLI command:
  admin@PA-3060> test authentication authentication-profile LocalDB-Profile username User1-LocalDB password

Step 5  When prompted, enter the password for the User1-LocalDB account. The following output shows that the test failed:
  Allow list check error:
  Do allow list check before sending out authentication request...
  User User1-LocalDB is not allowed with authentication profile LocalDB-Profile
In this case, the last line of the output shows that the user is not allowed, which indicates a configuration problem in the authentication profile. The allow list check runs before any authentication request is sent, so the credentials themselves were never evaluated.

Step 6  To resolve this issue, modify the authentication profile and add the user to the Allow List.
  1. On the firewall, select Device > Authentication Profile and modify the profile named LocalDB-Profile.
  2. Click the Advanced tab and add User1-LocalDB to the Allow List.
  3. Click OK to save the change.

Step 7  Run the test command again. The following output shows that the test is successful:
  Do allow list check before sending out authentication request...
  name "User1-LocalDB" has an exact match in allow list
  Authentication by Local User Database for user "User1-LocalDB"
  Authentication succeeded for Local User Database user "User1-LocalDB"

Test a RADIUS Authentication Profile

The following example shows how to test a RADIUS profile named RADIUS-Profile for a user named User2-RADIUS and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.

RADIUS Authentication Profile Test Example

Step 1  On the PAN-OS firewall, Configure a RADIUS Server Profile and Configure an authentication profile. In the authentication profile, you select the new RADIUS server profile in the Server Profile drop-down.

Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access, as described in Run the Test Authentication Command:
  admin@PA-3060> set system setting target-vsys <vsysname>
The target-vsys setting is per login session, so the system clears the option when you log off.

Step 4  Run the following CLI command:
  admin@PA-3060> test authentication authentication-profile RADIUS-Profile username User2-RADIUS password

Step 5  When prompted, enter the password for the User2-RADIUS account. The following output shows that the test failed:
  Do allow list check before sending out authentication request...
  name "User2-RADIUS" is in group "all"
  Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
  Egress: 10.5.104.98
  Authentication type: CHAP
  Now send request to remote server ...
  RADIUS error: Invalid RADIUS response received - Bad MD5
  Authentication failed against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
In this case, the output shows Bad MD5: the firewall received a reply but could not validate its Response Authenticator, the MD5 value that the server computes over the reply and the shared secret. The server is reachable; the most likely cause is that the secret defined in the RADIUS server profile does not match the secret configured for this client on the RADIUS server.

Step 6  To resolve this issue, modify the RADIUS server profile and ensure that the secret defined on the RADIUS server matches the secret in the server profile.
  1. On the firewall, select Device > Server Profiles > RADIUS and modify the profile named RADIUS-Profile.
  2. In the Servers section, locate the RADIUS server and modify the Secret field.
  3. Type in the correct secret and then retype it to confirm.
  4. Click OK to save the change.

Step 7  Run the test command again. The following output shows that the test is successful:
  Do allow list check before sending out authentication request...
  name "User2-RADIUS" is in group "all"
  Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
  Egress: 10.5.104.98
  Authentication type: CHAP
  Now send request to remote server ...
  RADIUS CHAP auth request is NOT accepted, try PAP next
  Authentication type: PAP
  Now send request to remote server ...
  Authentication succeeded against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
  Authentication succeeded for user "User2-RADIUS"
Note that the server rejected CHAP and the firewall fell back to PAP, which is what happens when the account's password is not stored with reversible encryption on the server. From this point the firewall uses PAP for this server until you modify and commit the server profile again; see Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers.

Test a TACACS+ Authentication Profile

The following example shows how to test a TACACS+ profile named TACACS-Profile for a user named User3-TACACS and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.

TACACS+ Authentication Profile Test Example

Step 1  On the PAN-OS firewall, Configure a TACACS+ Server Profile and Configure an authentication profile. In the authentication profile, you select the new TACACS+ server profile in the Server Profile drop-down.

Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access, as described in Run the Test Authentication Command:
  admin@PA-3060> set system setting target-vsys <vsysname>
The target-vsys setting is per login session, so the system clears the option when you log off.

Step 4  Run the following CLI command:
  admin@PA-3060> test authentication authentication-profile TACACS-Profile username User3-TACACS password

Step 5  When prompted, enter the password for the User3-TACACS account. The following output shows that the test failed:
  Do allow list check before sending out authentication request...
  name "User3-TACACS" is in group "all"
  Authentication to TACACS+ server at '10.5.196.62' for user 'User3-TACACS'
  Server port: 49, timeout: 30, flag: 0
  Egress: 10.5.104.98
  Attempting CHAP authentication ...
  CHAP authentication request is created
  Sending credential: xxxxxx
  Failed to send CHAP authentication request: Network read timed out
  Attempting PAP authentication ...
  PAP authentication request is created
  Failed to send PAP authentication request: Network read timed out
  Returned status: -1
  Authentication failed against TACACS+ server at 10.5.196.62:49 for user User3-TACACS
  Authentication failed for user "User3-TACACS"
The output shows the error Network read timed out for both the CHAP and the PAP attempt: the request was sent, but no reply arrived within the timeout. This is what happens when the TACACS+ server cannot decrypt the authentication request because the secret defined in the TACACS+ server profile does not match the secret on the server. A server that is unreachable on TCP port 49 (wrong address, routing, or filtering) produces the same error, so confirm connectivity before changing the secret.

Step 6  To resolve this issue, modify the TACACS+ server profile and ensure that the secret defined on the TACACS+ server matches the secret in the server profile.
  1. On the firewall, select Device > Server Profiles > TACACS+ and modify the profile named TACACS-Profile.
  2. In the Servers section, locate the TACACS+ server and modify the Secret field.
  3. Type in the correct secret and then retype it to confirm.
  4. Click OK to save the change.

Step 7  Run the test command again. The following output shows that the test is successful:
  Do allow list check before sending out authentication request...
  name "User3-TACACS" is in group "all"
  Authentication to TACACS+ server at '10.5.196.62' for user 'User3-TACACS'
  Server port: 49, timeout: 30, flag: 0
  Egress: 10.5.104.98
  Attempting CHAP authentication ...
  CHAP authentication request is created
  Sending credential: xxxxxx
  CHAP authentication request is sent
  Authentication succeeded!
  Authentication succeeded for user "User3-TACACS"

Test an LDAP Authentication Profile

The following example shows how to test an LDAP authentication profile named LDAP-Profile for a user named User4-LDAP and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.

LDAP Authentication Profile Test Example

Step 1  On the PAN-OS firewall, Configure an LDAP Server Profile and Configure an authentication profile. In the authentication profile, you select the new LDAP server profile in the Server Profile drop-down.

Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access, as described in Run the Test Authentication Command:
  admin@PA-3060> set system setting target-vsys <vsysname>
The target-vsys setting is per login session, so the system clears the option when you log off.

Step 4  Run the following CLI command:
  admin@PA-3060> test authentication authentication-profile LDAP-Profile username User4-LDAP password

Step 5  When prompted, enter the password for the User4-LDAP account. The following output shows that the test failed:
  Do allow list check before sending out authentication request...
  name "User4-LDAP" is in group "all"
  Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
  Egress: 10.5.104.98
  Type of authentication: plaintext
  Starting LDAP connection...
  Succeeded to create a session with LDAP server
  parse error of dn and attributes for user "User4-LDAP"
  Authentication failed against LDAP server at 10.5.104.99:389 for user "User4-LDAP"
  Authentication failed for user "User4-LDAP"
The output shows parse error of dn and attributes for user "User4-LDAP", which indicates a Bind DN value issue in the LDAP server profile. In this case, a Domain Component (DC) value is incorrect. The session with the server was established, so the failure is in the directory lookup, not the transport. Type of authentication: plaintext refers to an LDAP simple bind, in which the password is sent in the bind request; whether that request is protected in transit depends on the Require SSL/TLS secured connection setting in the server profile.

Step 6  To resolve this issue, modify the LDAP server profile and ensure that the Bind DN DC value is correct by comparing the DC value with the DC value of the LDAP server.
  1. On the firewall, select Device > Server Profiles > LDAP and modify the profile named LDAP-Profile.
  2. In the Server settings section, enter the correct value for the DC in the Bind DN field. In this case, the correct value for the DC is MGMT-GROUP.
  3. Click OK to save the change.

Step 7  Run the test command again. The following output shows that the test is successful:
  Do allow list check before sending out authentication request...
  name "User4-LDAP" is in group "all"
  Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
  Egress: 10.5.104.98
  Type of authentication: plaintext
  Starting LDAP connection...
  Succeeded to create a session with LDAP server
  DN sent to LDAP server: CN=User4-LDAP,CN=Users,DC=MGMT-GROUP,DC=local
  User expires in days: never
  Authentication succeeded for user "User4-LDAP"

Test a Kerberos Authentication Profile

The following example shows how to test a Kerberos profile named Kerberos-Profile for a user named User5-Kerberos and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.

Kerberos Authentication Profile Test Example

Step 1  On the PAN-OS firewall, Configure a Kerberos Server Profile and Configure an authentication profile. In the authentication profile, you select the new Kerberos server profile in the Server Profile drop-down.

Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access, as described in Run the Test Authentication Command:
  admin@PA-3060> set system setting target-vsys <vsysname>
The target-vsys setting is per login session, so the system clears the option when you log off.

Step 4  Run the following CLI command:
  admin@PA-3060> test authentication authentication-profile Kerberos-Profile username User5-Kerberos password

Step 5  When prompted, enter the password for the User5-Kerberos account. The following output shows that the test failed:
  Do allow list check before sending out authentication request...
  name "User5-Kerberos" is in group "all"
  Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
  Realm: 'Bad-MGMT-GROUP.LOCAL'
  Egress: 10.5.104.98
  KERBEROS configuration file is created
  KERBEROS authcontext is created. Now authenticating ...
  Kerberos principal is created
  Sending authentication request to KDC...
  Authentication failure: Wrong realm: 'Bad-MGMT-GROUP.LOCAL' (code: -1765328316)
  Authentication failed against KERBEROS server at 10.5.104.99:88 for user "User5-Kerberos"
  Authentication failed for user "User5-Kerberos"
In this case, the output shows Wrong realm, which indicates that the Kerberos realm has an incorrect value. The error code -1765328316 is KRB5KDC_ERR_WRONG_REALM, an error returned by the KDC itself, so the firewall reached the KDC at 10.5.104.99 and only the realm name is wrong.

Step 6  To resolve this issue, modify the authentication profile that references the Kerberos server profile and ensure that the Realm value matches the realm name on the Kerberos server.
  1. On the firewall, select Device > Authentication Profile and modify the profile named Kerberos-Profile.
  2. In the Kerberos Realm field, enter the correct value. In this case, the correct realm is MGMT-GROUP.LOCAL. Realm names are case-sensitive; for an Active Directory domain the realm is the DNS domain name in uppercase.
  3. Click OK to save the change.

Step 7  Run the test command again. The following output shows that the test is successful:
  Do allow list check before sending out authentication request...
  name "User5-Kerberos" is in group "all"
  Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
  Realm: 'MGMT-GROUP.LOCAL'
  Egress: 10.5.104.98
  KERBEROS configuration file is created
  KERBEROS authcontext is created. Now authenticating ...
  Kerberos principal is created
  Sending authentication request to KDC...
  Authentication succeeded!
  Authentication succeeded for user "User5-Kerberos"
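An added example, not from this guide, that turns the transcripts in the five test examples above into a small triage routine: it classifies a test authentication output by backend, server, the protocol actually used, whether a PAP fallback occurred, and the likely cause with a fix hint, and it expands the username modifier described under Run the Test Authentication Command. The sample transcripts are trimmed copies of the page's own outputs (allow-list and egress lines omitted, diagnostic lines verbatim, the TACACS+ user aligned to User3-TACACS); the cause names, hints and function names are this example's own.

```python
import re

# Trimmed transcripts constructed from the page's test authentication examples.
SAMPLES = {
    "radius_fail": '''Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Authentication type: CHAP
Now send request to remote server ...
RADIUS error: Invalid RADIUS response received - Bad MD5
Authentication failed against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"''',
    "radius_ok": '''Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Authentication type: CHAP
RADIUS CHAP auth request is NOT accepted, try PAP next
Authentication type: PAP
Authentication succeeded against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Authentication succeeded for user "User2-RADIUS"''',
    "tacacs_fail": '''Authentication to TACACS+ server at '10.5.196.62' for user 'User3-TACACS'
Attempting CHAP authentication ...
Failed to send CHAP authentication request: Network read timed out
Attempting PAP authentication ...
Failed to send PAP authentication request: Network read timed out
Authentication failed for user "User3-TACACS"''',
    "ldap_fail": '''Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
Type of authentication: plaintext
Succeeded to create a session with LDAP server
parse error of dn and attributes for user "User4-LDAP"
Authentication failed for user "User4-LDAP"''',
    "kerberos_fail": '''Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
Realm: 'Bad-MGMT-GROUP.LOCAL'
Authentication failure: Wrong realm: 'Bad-MGMT-GROUP.LOCAL' (code: -1765328316)
Authentication failed for user "User5-Kerberos"''',
    "local_fail": '''Allow list check error:
User User1-LocalDB is not allowed with authentication profile LocalDB-Profile''',
}

# Output signatures from the examples above, most specific first, with a likely cause and fix.
CAUSES = [
    (r"Bad MD5", "radius_secret_mismatch",
     "secret in the RADIUS server profile differs from the secret on the server"),
    (r"Network read timed out", "no_reply",
     "TACACS+ server unreachable on its port, or it dropped a request it could not decrypt"),
    (r"parse error of dn and attributes", "bind_dn_error",
     "Bind DN in the LDAP server profile does not match the directory; check each DC component"),
    (r"Wrong realm", "realm_mismatch",
     "Kerberos Realm in the authentication profile is wrong; realms are case-sensitive"),
    (r"is not allowed with authentication profile", "not_in_allow_list",
     "add the user or group to the authentication profile Allow List"),
]


def apply_username_modifier(modifier, user_input: str, user_domain: str) -> str:
    """Expand a profile's username modifier so the test sends the identity the firewall would."""
    return (modifier or "%USERINPUT%").replace("%USERINPUT%", user_input).replace("%USERDOMAIN%", user_domain)


def triage(output: str) -> dict:
    """Classify one test authentication transcript: backend, server, protocol used, PAP
    fallback, and the likely cause when the last line is not a success message."""
    text = output.strip()
    last = text.splitlines()[-1]
    backend = re.search(r"Authentication (?:to|by) (RADIUS|TACACS\+|LDAP|KERBEROS|Local User Database)", text)
    server = re.search(r"server at '?([0-9.]+)'?(?::(\d+))?", text)
    protocols = re.findall(r"(?:Authentication type: |Attempting )(CHAP|PAP)", text)
    succeeded = last.startswith("Authentication succeeded")
    cause, hint = ("ok", "") if succeeded else ("unclassified", "read the full output and the System log")
    if not succeeded:
        for pattern, name, fix in CAUSES:
            if re.search(pattern, text):
                cause, hint = name, fix
                break
    return {
        "backend": backend.group(1) if backend else None,
        "server": server.group(1) if server else None,
        "port": int(server.group(2)) if server and server.group(2) else None,
        "protocol": protocols[-1] if protocols else None,
        "fell_back_to_pap": "CHAP" in protocols and "PAP" in protocols,
        "succeeded": succeeded,
        "cause": cause,
        "hint": hint,
    }


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, triage(sample))
```

The radius_ok transcript is the one to watch: it succeeds, but fell_back_to_pap is True, which matches the medium-severity fallback event the firewall writes to the System log and tells you the account is not stored with reversible encryption on the server.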

Troubleshoot Authentication Issues

When users fail to authenticate to a Palo Alto Networks firewall or Panorama, or the authentication process takes longer than expected, analyzing authentication-related information can help you determine whether the failure or delay resulted from:
  User behavior. For example, users are locked out after entering the wrong credentials, or a high volume of users are simultaneously attempting access.
  System or network issues. For example, an authentication server is inaccessible.
  Configuration issues. For example, the Allow List of an authentication profile doesn't have all the users it should have.

The following CLI commands display information that can help you troubleshoot these issues:

Task: Display the number of locked user accounts associated with the authentication profile (auth-profile), authentication sequence (is-seq), or virtual system (vsys).
Command:
  show authentication locked-users
  {
    vsys <value> |
    auth-profile <value> |
    is-seq {yes | no} {auth-profile | vsys} <value>
  }
To unlock users, use the following operational command:
  request authentication [unlock-admin | unlock-user]

Task: Use the debug authentication command to troubleshoot authentication events.
Command:
  debug authentication
  {
    on {debug | dump | error | info | warn} |
    off |
    show |
    show-active-requests |
    show-pending-requests |
    connection-show
    {
      connection-id |
      protocol-type
      {
        Kerberos connection-id <value> |
        LDAP connection-id <value> |
        RADIUS connection-id <value> |
        TACACS+ connection-id <value>
      }
    } |
    connection-debug-on
    {
      connection-id |
      debug-prefix |
      protocol-type
      {
        Kerberos connection-id <value> |
        LDAP connection-id <value> |
        RADIUS connection-id <value> |
        TACACS+ connection-id <value>
      }
    } |
    connection-debug-off
    {
      connection-id |
      protocol-type
      {
        Kerberos connection-id <value> |
        LDAP connection-id <value> |
        RADIUS connection-id <value> |
        TACACS+ connection-id <value>
      }
    }
  }
Use the show options to display authentication request statistics and the current debugging level:
  show displays the current debugging level for the authentication service (authd).
  show-active-requests displays the number of active checks for authentication requests, allow lists, and locked user accounts.
  show-pending-requests displays the number of pending checks for authentication requests, allow lists, and locked user accounts.
  connection-show displays authentication request and response statistics for all authentication servers or for a specific protocol type.
Use the connection-debug options to enable or disable authentication debugging:
  Use the on option to enable or the off option to disable debugging for authd.
  Use the connection-debug-on option to enable or the connection-debug-off option to disable debugging for all authentication servers or for a specific protocol type.
Turn debugging off when you have finished troubleshooting; the more verbose levels increase log volume on the management plane.



Certificate Management

The following topics describe the different keys and certificates that Palo Alto Networks firewalls and Panorama use, and how to obtain and manage them:
- Keys and Certificates
- Certificate Revocation
- Certificate Deployment
- Set Up Verification for Certificate Revocation Status
- Configure the Master Key
- Obtain Certificates
- Export a Certificate and Private Key
- Configure a Certificate Profile
- Configure an SSL/TLS Service Profile
- Replace the Certificate for Inbound Management Traffic
- Configure the Key Size for SSL Forward Proxy Server Certificates
- Revoke and Renew Certificates
- Secure Keys with a Hardware Security Module


Keys and Certificates

To ensure trust between parties in a secure communication session, Palo Alto Networks firewalls and Panorama use digital certificates. Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext. Each certificate also includes a digital signature to authenticate the identity of the issuer. The issuer must be in the list of trusted certificate authorities (CAs) of the authenticating party. Optionally, the authenticating party verifies the issuer did not revoke the certificate (see Certificate Revocation).
Palo Alto Networks firewalls and Panorama use certificates in the following applications:
- User authentication for Captive Portal, GlobalProtect, Mobile Security Manager, and web interface access to a firewall or Panorama.
- Device authentication for GlobalProtect VPN (remote user-to-site or large scale).
- Device authentication for IPSec site-to-site VPN with Internet Key Exchange (IKE).
- Decrypting inbound and outbound SSL traffic.
A firewall decrypts the traffic to apply policy rules, then re-encrypts it before forwarding the traffic to the final destination. For outbound traffic, the firewall acts as a forward proxy server, establishing an SSL/TLS connection to the destination server. To secure a connection between itself and the client, the firewall uses a signing certificate to automatically generate a copy of the destination server certificate.
The following table describes the keys and certificates that Palo Alto Networks firewalls and Panorama use. As a best practice, use different keys and certificates for each usage.

Table: Palo Alto Networks Device Keys/Certificates (Key/Certificate Usage and Description)

Administrative Access
  Secure access to firewall or Panorama administration interfaces (HTTPS access to the web interface) requires a server certificate for the MGT interface (or a designated interface on the dataplane if the firewall or Panorama does not use MGT) and, optionally, a certificate to authenticate the administrator.

Captive Portal
  In deployments where Captive Portal identifies users who access HTTPS resources, designate a server certificate for the Captive Portal interface. If you configure Captive Portal to use certificates (instead of, or in addition to, username/password credentials) for user identification, designate a user certificate also. For more information on Captive Portal, see Map IP Addresses to Usernames Using Captive Portal.

Forward Trust
  For outbound SSL/TLS traffic, if a firewall acting as a forward proxy trusts the CA that signed the certificate of the destination server, the firewall uses the forward trust CA certificate to generate a copy of the destination server certificate to present to the client. To set the private key size, see Configure the Key Size for SSL Forward Proxy Server Certificates. For added security, store the key on a hardware security module (for details, see Secure Keys with a Hardware Security Module).

Forward Untrust
  For outbound SSL/TLS traffic, if a firewall acting as a forward proxy does not trust the CA that signed the certificate of the destination server, the firewall uses the forward untrust CA certificate to generate a copy of the destination server certificate to present to the client.

SSL Inbound Inspection
  The keys that decrypt inbound SSL/TLS traffic for inspection and policy enforcement. For this application, import onto the firewall a private key for each server that is subject to SSL/TLS inbound inspection. See Configure SSL Inbound Inspection.


SSL Exclude Certificate
  Certificates for servers to exclude from SSL/TLS decryption. For example, if you enable SSL decryption but your network includes servers for which the firewall should not decrypt traffic (for example, web services for your HR systems), import the corresponding certificates onto the firewall and configure them as SSL Exclude Certificates. See Configure Decryption Exceptions.

GlobalProtect
  All interaction among GlobalProtect components occurs over SSL/TLS connections. Therefore, as part of the GlobalProtect deployment, deploy server certificates for all GlobalProtect portals, gateways, and Mobile Security Managers. Optionally, deploy certificates for authenticating users also.
  Note that the GlobalProtect Large Scale VPN (LSVPN) feature requires a CA signing certificate.

Site-to-Site VPNs (IKE)
  In a site-to-site IPSec VPN deployment, peer devices use Internet Key Exchange (IKE) gateways to establish a secure channel. IKE gateways use certificates or preshared keys to authenticate the peers to each other. You configure and assign the certificates or keys when defining an IKE gateway on a firewall. See Site-to-Site VPN Overview.

Master Key
  The firewall uses a master key to encrypt all private keys and passwords. If your network requires a secure location for storing private keys, you can use an encryption (wrapping) key stored on a hardware security module (HSM) to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.

Secure Syslog
  The certificate to enable secure connections between the firewall and a syslog server. See Syslog Field Descriptions.

Trusted Root CA
  The designation for a root certificate issued by a CA that the firewall trusts. The firewall can use a self-signed root CA certificate to automatically issue certificates for other applications (for example, SSL Forward Proxy).
  Also, if a firewall must establish secure connections with other firewalls, the root CA that issues their certificates must be in the list of trusted root CAs on the firewall.


Certificate Revocation

Palo Alto Networks firewalls and Panorama use digital certificates to ensure trust between parties in a secure communication session. Configuring a firewall or Panorama to check the revocation status of certificates provides additional security. A party that presents a revoked certificate is not trustworthy. When a certificate is part of a chain, the firewall or Panorama checks the status of every certificate in the chain except the root CA certificate, for which it cannot verify revocation status.
Various circumstances can invalidate a certificate before the expiration date. Some examples are a change of name, change of association between subject and certificate authority (for example, an employee terminates employment), and compromise (known or suspected) of the private key. Under such circumstances, the certificate authority that issued the certificate must revoke it.
The firewall and Panorama support the following methods for verifying certificate revocation status. If you configure both methods, the firewall or Panorama first tries the OCSP method; if the OCSP server is unavailable, it uses the CRL method.
- Certificate Revocation List (CRL)
- Online Certificate Status Protocol (OCSP)

In PAN-OS, certificate revocation status verification is an optional feature. It is a best practice to enable it for certificate profiles, which define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall or Panorama.

Certificate Revocation List (CRL)

Each certificate authority (CA) periodically issues a certificate revocation list (CRL) to a public repository. The CRL identifies revoked certificates by serial number. After the CA revokes a certificate, the next CRL update will include the serial number of that certificate.
The Palo Alto Networks firewall downloads and caches the last-issued CRL for every CA listed in the trusted CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a certificate, the firewall cache does not store the CRL for the issuing CA. Also, the cache only stores a CRL until it expires.
The firewall supports CRLs only in Distinguished Encoding Rules (DER) format. If the firewall downloads a CRL in any other format (for example, Privacy Enhanced Mail (PEM) format), any revocation verification process that uses that CRL will fail when a user performs an activity that triggers the process (for example, sending outbound SSL data). The firewall will generate a system log for the verification failure. If the verification was for an SSL certificate, the firewall will also display the SSL Certificate Errors Notify response page to the user.
To use CRLs for verifying the revocation status of certificates used for the decryption of inbound and outbound SSL/TLS traffic, see Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption.
To use CRLs for verifying the revocation status of certificates that authenticate users and devices, configure a certificate profile and assign it to the interfaces that are specific to the application: Captive Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, or web interface access to Palo Alto Networks firewalls or Panorama. For details, see Configure Revocation Status Verification of Certificates.
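Added example (not from the guide or PAN-OS): a standard-library Python check for the DER-only requirement above. It classifies a CRL file as PEM or DER, converts PEM to DER, and walks the DER structure to list the revoked serial numbers; the sample CRL, its "Example CA" issuer, its serial numbers and its placeholder signature are all constructed here.

```python
"""Check the encoding of a downloaded CRL (the firewall accepts DER only), convert
PEM to DER where needed, and list the serial numbers the CRL revokes. Uses only the
standard library; the sample CRL is constructed below and carries a placeholder
signature, so it illustrates the format, not a trustworthy CRL."""
import base64
import re

PEM_CRL = re.compile(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)


def crl_format(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' for the raw bytes of a CRL file."""
    if PEM_CRL.search(data):
        return "PEM"
    if data[:1] == b"\x30":  # every DER CertificateList opens with a SEQUENCE tag
        return "DER"
    return "unknown"


def pem_to_der(data: bytes) -> bytes:
    """Strip the PEM armor and base64-decode the body to DER."""
    match = PEM_CRL.search(data)
    if not match:
        raise ValueError("not a PEM-encoded CRL")
    return base64.b64decode(b"".join(match.group(1).split()))


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER in PEM armor (the form the firewall rejects), 64 chars per line."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return b"-----BEGIN X509 CRL-----\n" + b"\n".join(lines) + b"\n-----END X509 CRL-----\n"


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Yield (tag, value) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def revoked_serials(der: bytes) -> list:
    """Return the certificate serial numbers listed in a DER CertificateList."""
    tag, cert_list, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; is the file PEM?")
    _, tbs, _ = _read_tlv(cert_list, 0)          # tbsCertList
    fields = list(_children(tbs))
    if fields[0][0] == 0x02:                     # optional version INTEGER
        fields = fields[1:]
    fields = fields[3:]                          # skip signature, issuer, thisUpdate
    if fields and fields[0][0] in (0x17, 0x18):  # optional nextUpdate (UTC/GeneralizedTime)
        fields = fields[1:]
    if not fields or fields[0][0] != 0x30:       # no revokedCertificates SEQUENCE
        return []
    serials = []
    for _, entry in _children(fields[0][1]):
        _, serial, _ = _read_tlv(entry, 0)       # userCertificate INTEGER
        serials.append(int.from_bytes(serial, "big", signed=True))
    return serials


def _tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder, used only to construct the sample CRL."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + value


def build_sample_crl(serials) -> bytes:
    """Construct a DER CRL (sample issuer, placeholder signature) revoking serials."""
    def integer(i):
        return _tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big", signed=True))

    def utc(stamp):
        return _tlv(0x17, stamp.encode())

    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403"))
                                             + _tlv(0x0c, b"Example CA"))))
    revoked = b""
    if serials:  # revokedCertificates is omitted entirely when the CRL is empty
        entries = b"".join(_tlv(0x30, integer(s) + utc("161021120000Z")) for s in serials)
        revoked = _tlv(0x30, entries)
    tbs = _tlv(0x30, integer(1) + sha256_rsa + issuer
               + utc("161021120000Z") + utc("161121120000Z") + revoked)
    signature = _tlv(0x03, b"\x00" + b"\x00" * 16)  # placeholder, not a real signature
    return _tlv(0x30, tbs + sha256_rsa + signature)
```

Run crl_format on the file the firewall fetched from the CRL distribution point; a PEM result explains the verification failure and system log described above.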


Online Certificate Status Protocol (OCSP)

When establishing an SSL/TLS session, clients can use Online Certificate Status Protocol (OCSP) to check the revocation status of the authentication certificate. The authenticating client sends a request containing the serial number of the certificate to the OCSP responder (server). The responder searches the database of the certificate authority (CA) that issued the certificate and returns a response containing the status (good, revoked or unknown) to the client. The advantage of the OCSP method is that it can verify status in real time, instead of depending on the issue frequency (hourly, daily, or weekly) of CRLs.
The Palo Alto Networks firewall downloads and caches OCSP status information for every CA listed in the trusted CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a certificate, the firewall cache does not store the OCSP information for the issuing CA. If your enterprise has its own public key infrastructure (PKI), you can configure the firewall as an OCSP responder (see Configure an OCSP Responder).
To use OCSP for verifying the revocation status of certificates when the firewall functions as an SSL forward proxy, perform the steps under Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption.
The following applications use certificates to authenticate users and/or devices: Captive Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, and web interface access to Palo Alto Networks firewalls or Panorama. To use OCSP for verifying the revocation status of the certificates:
1. Configure an OCSP responder.
2. Enable the HTTP OCSP service on the firewall.
3. Create or obtain a certificate for each application.
4. Configure a certificate profile for each application.
5. Assign the certificate profile to the relevant application.
To cover situations where the OCSP responder is unavailable, configure CRL as a fallback method. For details, see Configure Revocation Status Verification of Certificates.


Certificate Deployment

The basic approaches to deploy certificates for Palo Alto Networks firewalls or Panorama are:
- Obtain certificates from a trusted third-party CA. The benefit of obtaining a certificate from a trusted third-party certificate authority (CA) such as VeriSign or GoDaddy is that end clients will already trust the certificate because common browsers include root CA certificates from well-known CAs in their trusted root certificate stores. Therefore, for applications that require end clients to establish secure connections with the firewall or Panorama, purchase a certificate from a CA that the end clients trust to avoid having to pre-deploy root CA certificates to the end clients. (Some such applications are a GlobalProtect portal or GlobalProtect Mobile Security Manager.) However, note that most third-party CAs cannot issue signing certificates. Therefore, this type of certificate is not appropriate for applications (for example, SSL/TLS decryption and large-scale VPN) that require the firewall to issue certificates. See Obtain a Certificate from an External CA.
- Obtain certificates from an enterprise CA. Enterprises that have their own internal CA can use it to issue certificates for firewall applications and import them onto the firewall. The benefit is that end clients probably already trust the enterprise CA. You can either generate the needed certificates and import them onto the firewall, or generate a certificate signing request (CSR) on the firewall and send it to the enterprise CA for signing. The benefit of this method is that the private key does not leave the firewall. An enterprise CA can also issue a signing certificate, which the firewall uses to automatically generate certificates (for example, for GlobalProtect large-scale VPN or sites requiring SSL/TLS decryption). See Import a Certificate and Private Key.
- Generate self-signed certificates. You can Create a Self-Signed Root CA Certificate on the firewall and use it to automatically issue certificates for other firewall applications. Note that if you use this method to generate certificates for an application that requires an end client to trust the certificate, end users will see a certificate error because the root CA certificate is not in their trusted root certificate store. To prevent this, deploy the self-signed root CA certificate to all end user systems. You can deploy the certificates manually or use a centralized deployment method such as an Active Directory Group Policy Object (GPO).


Set Up Verification for Certificate Revocation Status

To verify the revocation status of certificates, the firewall uses Online Certificate Status Protocol (OCSP) and/or certificate revocation lists (CRLs). For details on these methods, see Certificate Revocation. If you configure both methods, the firewall first tries OCSP and only falls back to the CRL method if the OCSP responder is unavailable. If your enterprise has its own public key infrastructure (PKI), you can configure the firewall to function as the OCSP responder.
The following topics describe how to configure the firewall to verify certificate revocation status:
- Configure an OCSP Responder
- Configure Revocation Status Verification of Certificates
- Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Configure an OCSP Responder

To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of certificates, you must configure the firewall to access an OCSP responder (server). The entity that manages the OCSP responder can be a third-party certificate authority (CA) or, if your enterprise has its own public key infrastructure (PKI), the firewall itself. For details on OCSP, see Certificate Revocation.

Configure an OCSP Responder

Step 1: Define an OCSP responder.
  1. Select Device > Certificate Management > OCSP Responder and click Add.
  2. Enter a Name to identify the responder (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores.
  3. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
  4. In the Host Name field, enter the host name (recommended) or IP address of the OCSP responder. From this value, PAN-OS automatically derives a URL and adds it to the certificate being verified.
     If you configure the firewall itself as an OCSP responder, the host name must resolve to an IP address in the interface that the firewall uses for OCSP services.
  5. Click OK.

Step 2: Enable OCSP communication on the firewall.
  1. Select Device > Setup > Management.
  2. In the Management Interface Settings section, edit to select the HTTP OCSP check box, then click OK.


Step 3: (Optional) To configure the firewall itself as an OCSP responder, add an Interface Management Profile to the interface used for OCSP services.
  1. Select Network > Network Profiles > Interface Mgmt.
  2. Click Add to create a new profile or click the name of an existing profile.
  3. Select the HTTP OCSP check box and click OK.
  4. Select Network > Interfaces and click the name of the interface that the firewall will use for OCSP services. The OCSP Host Name specified in Step 1 must resolve to an IP address in this interface.
  5. Select Advanced > Other info and select the Interface Management Profile you configured.
  6. Click OK and Commit.

Configure Revocation Status Verification of Certificates

The firewall and Panorama use certificates to authenticate users and devices for such applications as Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall/Panorama. To improve security, it is a best practice to configure the firewall or Panorama to verify the revocation status of certificates that it uses for device/user authentication.

Configure Revocation Status Verification of Certificates

Step 1: Configure a Certificate Profile for each application.
  Assign one or more root CA certificates to the profile and select how the firewall verifies certificate revocation status. The common name (FQDN or IP address) of a certificate must match an interface to which you apply the profile in Step 2.
  For details on the certificates that various applications use, see Keys and Certificates.

Step 2: Assign the certificate profiles to the relevant applications.
  The steps to assign a certificate profile depend on the application that requires it.

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

The firewall decrypts inbound and outbound SSL/TLS traffic to apply security rules, then re-encrypts the traffic before forwarding it. (For details, see SSL Inbound Inspection and SSL Forward Proxy.) You can configure the firewall to verify the revocation status of certificates used for decryption as follows.

Enabling revocation status verification for SSL/TLS decryption certificates will add time to the process of establishing the session. The first attempt to access a site might fail if the verification does not finish before the session times out. For these reasons, verification is disabled by default.


Step 1: Define the service-specific timeout intervals for revocation status requests.
  1. Select Device > Setup > Session and, in the Session Features section, select Decryption Certificate Revocation Settings.
  2. Perform one or both of the following steps, depending on whether the firewall will use Online Certificate Status Protocol (OCSP) or the Certificate Revocation List (CRL) method to verify the revocation status of certificates. If the firewall will use both, it first tries OCSP; if the OCSP responder is unavailable, the firewall then tries the CRL method.
     - In the CRL section, select the Enable check box and enter the Receive Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the CRL service.
     - In the OCSP section, select the Enable check box and enter the Receive Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the OCSP responder.
     Depending on the Certificate Status Timeout value you specify in Step 2, the firewall might register a timeout before either or both of the Receive Timeout intervals pass.

Step 2: Define the total timeout interval for revocation status requests.
  Enter the Certificate Status Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies the session-blocking logic you optionally define in Step 3. The Certificate Status Timeout relates to the OCSP/CRL Receive Timeout as follows:
  - If you enable both OCSP and CRL: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the aggregate of the two Receive Timeout values.
  - If you enable only OCSP: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the OCSP Receive Timeout value.
  - If you enable only CRL: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the CRL Receive Timeout value.

Step 3: Define the blocking behavior for unknown certificate status or a revocation status request timeout.
  If you want the firewall to block SSL/TLS sessions when the OCSP or CRL service returns a certificate revocation status of unknown, select the Block Session With Unknown Certificate Status check box. Otherwise, the firewall proceeds with the session.
  If you want the firewall to block SSL/TLS sessions after it registers a request timeout, select the Block Session On Certificate Status Check Timeout check box. Otherwise, the firewall proceeds with the session.

Step 4: Save and apply your entries.
  Click OK and Commit.
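Added example (not from the guide or PAN-OS): a Python model of how the Receive Timeout values, the Certificate Status Timeout and the two blocking check boxes from Steps 1 to 3 combine. It shows the case the note in Step 1 warns about, where the total budget expires during the OCSP attempt so the CRL fallback never runs. The latency values are constructed, and treating a revoked status as blocked is an assumption of the model, not something these settings control.

```python
"""Model of the Decryption Certificate Revocation Settings: OCSP is tried first,
CRL is the fallback, and a request timeout is registered after the lesser of the
Certificate Status Timeout and the aggregate of the enabled Receive Timeouts.
Latencies passed to check_status are constructed sample values."""
from dataclasses import dataclass


@dataclass
class RevocationSettings:
    ocsp_enabled: bool
    ocsp_receive_timeout: int        # seconds (1-60)
    crl_enabled: bool
    crl_receive_timeout: int         # seconds (1-60)
    certificate_status_timeout: int  # seconds (1-60), total budget for the request
    block_on_unknown: bool           # Block Session With Unknown Certificate Status
    block_on_timeout: bool           # Block Session On Certificate Status Check Timeout


def request_timeout_budget(s: RevocationSettings) -> int:
    """Seconds after which the firewall registers a request timeout."""
    aggregate = (s.ocsp_receive_timeout if s.ocsp_enabled else 0) + \
                (s.crl_receive_timeout if s.crl_enabled else 0)
    return min(s.certificate_status_timeout, aggregate)


def check_status(s: RevocationSettings, ocsp_reply: str, ocsp_latency: int,
                 crl_reply: str, crl_latency: int) -> str:
    """Simulate one revocation check. Each reply is 'good', 'revoked' or 'unknown';
    a latency above that service's Receive Timeout means the service never answered
    (responder unavailable). Returns 'good', 'revoked', 'unknown' or 'timeout'."""
    budget = request_timeout_budget(s)
    elapsed = 0
    services = []
    if s.ocsp_enabled:
        services.append((ocsp_reply, ocsp_latency, s.ocsp_receive_timeout))
    if s.crl_enabled:
        services.append((crl_reply, crl_latency, s.crl_receive_timeout))
    for reply, latency, receive_timeout in services:
        answered = latency <= receive_timeout
        elapsed += latency if answered else receive_timeout
        if elapsed >= budget:
            return "timeout"          # total budget exhausted before an answer
        if answered:
            return reply              # the first service that answers decides
        # no answer within its Receive Timeout: fall back to the next method
    return "timeout"


def session_decision(s: RevocationSettings, status: str) -> str:
    """Apply the Step 3 check boxes to the outcome of check_status."""
    if status == "good":
        return "proceed"
    if status == "unknown":
        return "block" if s.block_on_unknown else "proceed"
    if status == "timeout":
        return "block" if s.block_on_timeout else "proceed"
    return "block"  # 'revoked': assumed blocked; not governed by these check boxes
```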


Configure the Master Key

Every firewall and Panorama management server has a default master key that encrypts all the private keys and passwords in the configuration to secure them (such as the private key used for SSL Forward Proxy Decryption). For the best security posture, configure a new master key and change it periodically.
In a high availability (HA) configuration, ensure both firewalls or Panorama management servers in the pair use the same master key. If the master keys differ, HA configuration synchronization will not work properly. Additionally, if you are using Panorama to manage your firewalls, you must use the same master key on Panorama and all managed firewalls so that Panorama can push configurations to the firewalls.

For added security, Encrypt a Master Key Using an HSM.

Be sure to store the master key in a safe location. You cannot recover the master key and the only way to restore the default master key is to Reset the Firewall to Factory Default Settings.

Configure a Master Key

Step 1: Select Device > Master Key and Diagnostics and edit the Master Key section.

Step 2: Enter the Current Master Key if one exists.

Step 3: Define a new New Master Key and then Confirm New Master Key. The key must contain exactly 16 characters.

Step 4: To specify the master key Life Time, enter the number of Days and/or Hours after which the key will expire.
  You must configure a new master key before the current key expires. If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then Reset the Firewall to Factory Default Settings.

Step 5: Enter a Time for Reminder that specifies the number of Days and Hours before the master key expires when the firewall generates an expiration alarm. The firewall automatically opens the System Alarms dialog to display the alarm.
  To ensure the expiration alarm displays, select Device > Log Settings, edit the Alarm Settings, and Enable Alarms.

Step 6: (Optional) Select whether to use an HSM to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.

Step 7: Click OK and Commit.


Obtain Certificates

- Create a Self-Signed Root CA Certificate
- Generate a Certificate
- Import a Certificate and Private Key
- Obtain a Certificate from an External CA

Create a Self-Signed Root CA Certificate

A self-signed root certificate authority (CA) certificate is the top-most certificate in a certificate chain. A firewall can use this certificate to automatically issue certificates for other uses. For example, the firewall issues certificates for SSL/TLS decryption and for satellites in a GlobalProtect large-scale VPN.
When establishing a secure connection with the firewall, the remote client must trust the root CA that issued the certificate. Otherwise, the client browser will display a warning that the certificate is invalid and might (depending on security settings) block the connection. To prevent this, after generating the self-signed root CA certificate, import it into the client systems.

On a Palo Alto Networks firewall or Panorama, you can generate self-signed certificates only if they are CA certificates.

Generate a Self-signed Root CA Certificate

Step 1: Select Device > Certificate Management > Certificates > Device Certificates.

Step 2: If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 3: Click Generate.

Step 4: Enter a Certificate Name, such as GlobalProtect_CA. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.

Step 5: In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.

Step 6: If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.

Step 7: Leave the Signed By field blank to designate the certificate as self-signed.

Step 8: (Required) Select the Certificate Authority check box.

Step 9: Leave the OCSP Responder field blank; revocation status verification doesn't apply to root CA certificates.

Step 10: Click Generate and Commit.


Generate a Certificate

Palo Alto Networks firewalls and Panorama use certificates to authenticate clients, servers, users, and devices in several applications, including SSL/TLS decryption, Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall/Panorama. Generate certificates for each usage: for details, see Keys and Certificates.
To generate a certificate, you must first Create a Self-Signed Root CA Certificate or import one (Import a Certificate and Private Key) to sign it. To use Online Certificate Status Protocol (OCSP) for verifying certificate revocation status, Configure an OCSP Responder before generating the certificate.

Generate a Certificate

Step 1: Select Device > Certificate Management > Certificates > Device Certificates.

Step 2: If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 3: Click Generate.

Step 4: Select Local (default) as the Certificate Type unless you want to deploy SCEP certificates to GlobalProtect clients.

Step 5: Enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.

Step 6: In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.

Step 7: If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.

Step 8: In the Signed By field, select the root CA certificate that will issue the certificate.

Step 9: (Optional) Select an OCSP Responder.

Step 10: For the key generation Algorithm, select RSA (default) or Elliptical Curve DSA (ECDSA). ECDSA is recommended for client browsers and operating systems that support it.
  Firewalls that run PAN-OS 6.1 and earlier releases will delete any ECDSA certificates that you push from Panorama, and any RSA certificates signed by an ECDSA certificate authority (CA) will be invalid on those firewalls.

Step 11: Select the Number of Bits to define the certificate key length. Higher numbers are more secure but require more processing time.

Step 12: Select the Digest algorithm. From most to least secure, the options are: sha512, sha384, sha256 (default), sha1, and md5.

Step 13: For the Expiration, enter the number of days (default is 365) for which the certificate is valid.

Step 14: (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the certificate.
  If you add a Host Name (DNS name) attribute, it is a best practice for it to match the Common Name. The host name populates the Subject Alternative Name field of the certificate.

Step 15: Click Generate and, in the Device Certificates page, click the certificate Name.
  Regardless of the time zone on the firewall, it always displays the corresponding Greenwich Mean Time (GMT) for certificate validity and expiration dates/times.


Step 16: Select the check boxes that correspond to the intended use of the certificate on the firewall.
  For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog check box.

Step 17: Click OK and Commit.

Import a Certificate and Private Key

If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into the firewall from your enterprise certificate authority (CA). Enterprise CA certificates (unlike most certificates purchased from a trusted, third-party CA) can automatically issue CA certificates for applications such as SSL/TLS decryption or large-scale VPN.

On a Palo Alto Networks firewall or Panorama, you can import self-signed certificates only if they are CA certificates.
Instead of importing a self-signed root CA certificate into all the client systems, it is a best practice to import a certificate from the enterprise CA because the clients will already have a trust relationship with the enterprise CA, which simplifies the deployment.
If the certificate you will import is part of a certificate chain, it is a best practice to import the entire chain.

Import a Certificate and Private Key

Step 1: From the enterprise CA, export the certificate and private key that the firewall will use for authentication. When exporting a private key, you must enter a passphrase to encrypt the key for transport. Ensure the management system can access the certificate and key files. When importing the key onto the firewall, you must enter the same passphrase to decrypt it.

Step 2: Select Device > Certificate Management > Certificates > Device Certificates.

Step 3: If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 4: Click Import and enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.

Step 5: To make the certificate available to all virtual systems, select the Shared check box. This check box appears only if the firewall supports multiple virtual systems.

Step 6: Enter the path and name of the Certificate File received from the CA, or Browse to find the file.

Step 7: Select a File Format:
  - Encrypted Private Key and Certificate (PKCS12): This is the default and most common format, in which the key and certificate are in a single container (Certificate File). If a hardware security module (HSM) will store the private key for this certificate, select the Private key resides on Hardware Security Module check box.
  - Base64 Encoded Certificate (PEM): You must import the key separately from the certificate. If a hardware security module (HSM) stores the private key for this certificate, select the Private key resides on Hardware Security Module check box and skip the next step. Otherwise, select the Import Private Key check box, enter the Key File or Browse to it, then continue to the next step.

Step 8: Enter and re-enter (confirm) the Passphrase used to encrypt the private key.


Step 9: Click OK. The Device Certificates page displays the imported certificate.

Obtain a Certificate from an External CA

The advantage of obtaining a certificate from an external certificate authority (CA) is that the private key does not leave the firewall. To obtain a certificate from an external CA, generate a certificate signing request (CSR) and submit it to the CA. After the CA issues a certificate with the specified attributes, import it onto the firewall. The CA can be a well-known, public CA or an enterprise CA.
To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of the certificate, Configure an OCSP Responder before generating the CSR.

Obtain a Certificate from an External CA

Step 1: Request the certificate from an external CA.
  1. Select Device > Certificate Management > Certificates > Device Certificates.
  2. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
  3. Click Generate.
  4. Enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
  5. In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
  6. If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
  7. In the Signed By field, select External Authority (CSR).
  8. If applicable, select an OCSP Responder.
  9. (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the certificate.
     If you add a Host Name attribute, it is a best practice for it to match the Common Name (this is mandatory for GlobalProtect). The host name populates the Subject Alternative Name field of the certificate.
  10. Click Generate. The Device Certificates tab displays the CSR with a Status of pending.

Step 2: Submit the CSR to the CA.
  1. Select the CSR and click Export to save the .csr file to a local computer.
  2. Upload the .csr file to the CA.


Step 3: Import the certificate.
  1. After the CA sends a signed certificate in response to the CSR, return to the Device Certificates tab and click Import.
  2. Enter the Certificate Name used to generate the CSR.
  3. Enter the path and name of the PEM Certificate File that the CA sent, or Browse to it.
  4. Click OK. The Device Certificates tab displays the certificate with a Status of valid.

Step 4: Configure the certificate.
  1. Click the certificate Name.
  2. Select the check boxes that correspond to the intended use of the certificate on the firewall. For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog check box.
  3. Click OK and Commit.


Export a Certificate and Private Key

Palo Alto Networks recommends that you use your enterprise public key infrastructure (PKI) to distribute a certificate and private key in your organization. However, if necessary, you can also export a certificate and private key from the firewall or Panorama. You can use an exported certificate and private key in the following cases:
• Configure Certificate-Based Administrator Authentication to the Web Interface
• GlobalProtect agent/app authentication to portals and gateways
• SSL Forward Proxy decryption
• Obtain a Certificate from an External CA

Export a Certificate and Private Key

Step 1  Select Device > Certificate Management > Certificates > Device Certificates.

Step 2  If the firewall has more than one virtual system (vsys), select a Location (a specific vsys or Shared) for the certificate.

Step 3  Select the certificate, click Export, and select a File Format:
    • Base64 Encoded Certificate (PEM): This is the default format. It is the most common and has the broadest support on the Internet. If you want the exported file to include the private key, select the Export Private Key check box.
    • Encrypted Private Key and Certificate (PKCS12): This format is more secure than PEM but is not as common or as broadly supported. The exported file will automatically include the private key.
    • Binary Encoded Certificate (DER): More operating system types support this format than the others. You can export only the certificate, not the key: ignore the Export Private Key check box and passphrase fields.

Step 4  Enter a Passphrase and Confirm Passphrase to encrypt the private key if the File Format is PKCS12 or if it is PEM and you selected the Export Private Key check box. You will use this passphrase when importing the certificate and key into client systems.

Step 5  Click OK and save the certificate/key file to your computer.


Configure a Certificate Profile

Certificate profiles define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, Mobile Security Manager, and web interface access to Palo Alto Networks firewalls or Panorama. The profiles specify which certificates to use, how to verify certificate revocation status, and how that status constrains access. Configure a certificate profile for each application.

It is a best practice to enable Online Certificate Status Protocol (OCSP) and/or Certificate Revocation List (CRL) status verification for certificate profiles. For details on these methods, see Certificate Revocation.

Configure a Certificate Profile

Step 1  Obtain the certificate authority (CA) certificates you will assign.
    Perform one of the following steps to obtain the CA certificates you will assign to the profile. You must assign at least one.
    • Generate a Certificate.
    • Export a certificate from your enterprise CA and then import it onto the firewall (see Step 3).

Step 2  Identify the certificate profile.
    1. Select Device > Certificate Management > Certificate Profile and click Add.
    2. Enter a Name to identify the profile. The name is case-sensitive, must be unique and can use up to 31 characters that include only letters, numbers, spaces, hyphens, and underscores.
    3. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 3  Assign one or more certificates.
    Perform the following steps for each CA certificate:
    1. In the CA Certificates table, click Add.
    2. Select a CA Certificate. Alternatively, to import a certificate, click Import, enter a Certificate Name, Browse to the Certificate File you exported from your enterprise CA, and click OK.
    3. (Optional) If the firewall uses OCSP to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments, these fields do not apply.
       • By default, the firewall uses the OCSP responder URL that you set in the procedure Configure an OCSP Responder. To override that setting, enter a Default OCSP URL (starting with http:// or https://).
       • By default, the firewall uses the certificate selected in the CA Certificate field to validate OCSP responses. To use a different certificate for validation, select it in the OCSP Verify CA Certificate field.
    4. Click OK. The CA Certificates table displays the assigned certificate.


Step 4  Define the methods for verifying certificate revocation status and the associated blocking behavior.
    1. Select Use CRL and/or Use OCSP. If you select both, the firewall first tries OCSP and falls back to the CRL method only if the OCSP responder is unavailable.
    2. Depending on the verification method, enter the CRL Receive Timeout and/or OCSP Receive Timeout. These are the intervals (1-60 seconds) after which the firewall stops waiting for a response from the CRL/OCSP service.
    3. Enter the Certificate Status Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies any session-blocking logic you define. The Certificate Status Timeout relates to the OCSP/CRL Receive Timeout as follows:
       • If you enable both OCSP and CRL: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the aggregate of the two Receive Timeout values.
       • If you enable only OCSP: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the OCSP Receive Timeout value.
       • If you enable only CRL: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the CRL Receive Timeout value.
    4. If you want the firewall to block sessions when the OCSP or CRL service returns a certificate revocation status of unknown, select the Block session if certificate status is unknown check box. Otherwise, the firewall proceeds with the session.
    5. If you want the firewall to block sessions after it registers an OCSP or CRL request timeout, select the Block session if certificate status cannot be retrieved within timeout check box. Otherwise, the firewall proceeds with the session.

Step 5  Save and apply your entries.
    Click OK and Commit.
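The timeout and blocking rules in Step 4 are easier to check for a given profile with a small model. The following Python is an added example written for this page, not PAN-OS code or a Palo Alto Networks API: the profile fields, the ServiceReply inputs and the timing assumption (a service that answers only after its Receive Timeout counts as unavailable) are this example's own, and all replies are constructed.

```python
"""Model of the certificate-profile revocation decision described in Step 4.

Added example, not PAN-OS code. It encodes the documented rules: OCSP is
tried first, CRL is a fallback only when the OCSP responder is unavailable,
the Certificate Status Timeout caps the enabled Receive Timeouts, and the
two "Block session" check boxes decide what happens on an unknown status or
a timeout. Service replies are constructed inputs, not real OCSP/CRL traffic.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass
class CertificateProfile:
    use_ocsp: bool = True
    use_crl: bool = True
    ocsp_receive_timeout: int = 5          # seconds, 1-60
    crl_receive_timeout: int = 5           # seconds, 1-60
    certificate_status_timeout: int = 5    # seconds, 1-60
    block_if_status_unknown: bool = False  # "Block session if certificate status is unknown"
    block_if_timeout: bool = False         # "Block session if ... cannot be retrieved within timeout"

    def __post_init__(self) -> None:
        if not (self.use_ocsp or self.use_crl):
            raise ValueError("select Use CRL and/or Use OCSP")
        for name in ("ocsp_receive_timeout", "crl_receive_timeout",
                     "certificate_status_timeout"):
            if not 1 <= getattr(self, name) <= 60:
                raise ValueError(f"{name} must be 1-60 seconds")

    def effective_timeout(self) -> int:
        """Seconds after which a request timeout is registered: the lesser of
        the Certificate Status Timeout and the sum of the enabled Receive
        Timeouts, as the guide spells out for each OCSP/CRL combination."""
        receive = 0
        if self.use_ocsp:
            receive += self.ocsp_receive_timeout
        if self.use_crl:
            receive += self.crl_receive_timeout
        return min(self.certificate_status_timeout, receive)


@dataclass
class ServiceReply:
    """Constructed answer of one revocation service.
    status=None models a service that never answers (unavailable)."""
    status: Optional[str]
    seconds: float = 0.0  # time until the answer arrives


def _query(reply: Optional[ServiceReply], receive_timeout: int,
           deadline: int, elapsed: float) -> Tuple[Optional[str], float]:
    """Wait on one service. Returns (status or None, elapsed time so far)."""
    if reply is not None and reply.status is not None and reply.seconds <= receive_timeout:
        elapsed += reply.seconds
        if elapsed > deadline:  # Certificate Status Timeout expired first
            return None, float(deadline)
        return reply.status, elapsed
    # No usable answer: the firewall waits the full Receive Timeout,
    # but never beyond the Certificate Status Timeout.
    return None, min(float(deadline), elapsed + receive_timeout)


def evaluate(profile: CertificateProfile, ocsp: Optional[ServiceReply] = None,
             crl: Optional[ServiceReply] = None) -> Tuple[str, str]:
    """Return ("allow" or "block", reason) for one certificate check."""
    deadline = profile.certificate_status_timeout
    status, elapsed = None, 0.0
    if profile.use_ocsp:
        status, elapsed = _query(ocsp, profile.ocsp_receive_timeout, deadline, elapsed)
    # CRL is consulted only if OCSP is disabled or its responder gave no answer;
    # an answered "unknown" from OCSP is a response and does not fall back.
    if status is None and profile.use_crl and elapsed < deadline:
        status, elapsed = _query(crl, profile.crl_receive_timeout, deadline, elapsed)
    if status is None:
        return ("block" if profile.block_if_timeout else "allow"), "timeout"
    if status == REVOKED:
        return "block", "revoked"
    if status == UNKNOWN:
        return ("block" if profile.block_if_status_unknown else "allow"), "unknown"
    return "allow", "good"


if __name__ == "__main__":
    # A profile that leaves both block boxes clear lets a timed-out check through.
    lenient = CertificateProfile()
    print(evaluate(lenient, ocsp=ServiceReply(None), crl=ServiceReply(None)))
    # The same outage is blocked once the timeout box is selected.
    strict = CertificateProfile(block_if_timeout=True)
    print(evaluate(strict, ocsp=ServiceReply(None), crl=ServiceReply(None)))
```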


Configure an SSL/TLS Service Profile

Palo Alto Networks firewalls and Panorama use SSL/TLS service profiles to specify a certificate and the allowed protocol versions for SSL/TLS services. The firewall and Panorama use SSL/TLS for Captive Portal, GlobalProtect portals and gateways, inbound traffic on the management (MGT) interface, the URL Admin Override feature, and the User-ID syslog listening service. By defining the protocol versions, you can use a profile to restrict the cipher suites that are available for securing communication with the clients requesting the services. This improves network security by enabling the firewall or Panorama to avoid SSL/TLS versions that have known weaknesses. If a service request involves a protocol version that is outside the specified range, the firewall or Panorama downgrades or upgrades the connection to a supported version.

In the client systems that request firewall services, the certificate trust list (CTL) must include the certificate authority (CA) certificate that issued the certificate specified in the SSL/TLS service profile. Otherwise, users will see a certificate error when requesting firewall services. Most third-party CA certificates are present by default in client browsers. If an enterprise or firewall-generated CA certificate is the issuer, you must deploy that CA certificate to the CTL in client browsers.

Configure an SSL/TLS Service Profile

Step 1  For each desired service, generate or import a certificate on the firewall (see Obtain Certificates).
    Use only signed certificates, not CA certificates, in SSL/TLS service profiles.

Step 2  Select Device > Certificate Management > SSL/TLS Service Profile.

Step 3  If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.

Step 4  Click Add and enter a Name to identify the profile.

Step 5  Select the Certificate you just obtained.

Step 6  Define the range of protocols that the service can use:
    • For the Min Version, select the earliest allowed TLS version: TLSv1.0 (default), TLSv1.1, or TLSv1.2.
    • For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or Max (latest available version). The default is Max.

Step 7  Click OK and Commit.


Replace the Certificate for Inbound Management Traffic

When you first boot up the firewall or Panorama, it automatically generates a default certificate that enables HTTPS access to the web interface and XML API over the management (MGT) interface and (on the firewall only) over any other interface that supports HTTPS management traffic (for details, see Use Interface Management Profiles to Restrict Access). To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.

You cannot view, modify, or delete the default certificate.
Securing management traffic also involves configuring how administrators authenticate to the firewall or to Panorama.

Replace the Certificate for Inbound Management Traffic

Step 1  Obtain the certificate that will authenticate the firewall or Panorama to the client systems of administrators.
    You can simplify your Certificate Deployment by using a certificate that the client systems already trust. Therefore, we recommend that you Import a Certificate and Private Key from your enterprise certificate authority (CA) or Obtain a Certificate from an External CA; the trusted root certificate store of the client systems is likely to already have the associated root CA certificate that ensures trust.
    If you Generate a Certificate on the firewall or Panorama, administrators will see a certificate error because the root CA certificate is not in the trusted root certificate store of client systems. To prevent this, deploy the self-signed root CA certificate to all client systems.
    Regardless of how you obtain the certificate, we recommend a Digest algorithm of sha256 or higher for enhanced security.

Step 2  Configure an SSL/TLS Service Profile.
    Select the Certificate you just obtained.
    For enhanced security, we recommend that you set the Min Version (earliest allowed TLS version) to TLSv1.1 for inbound management traffic. We also recommend that you use a different SSL/TLS Service Profile for each firewall or Panorama service instead of reusing this profile for all services.

Step 3  Apply the SSL/TLS Service Profile to inbound management traffic.
    1. Select Device > Setup > Management and edit the General Settings.
    2. Select the SSL/TLS Service Profile you just configured.
    3. Click OK and Commit.


Configure the Key Size for SSL Forward Proxy Server Certificates

When responding to a client in an SSL Forward Proxy session, the firewall creates a copy of the certificate that the destination server presents and uses the copy to establish a connection with the client. By default, the firewall generates certificates with the same key size as the certificate that the destination server presented. However, you can change the key size for the firewall-generated certificate as follows:

Configure the Key Size for SSL Forward Proxy Server Certificates

Step 1  Select Device > Setup > Session and, in the Decryption Settings section, click SSL Forward Proxy Settings.

Step 2  Select a Key Size:
    • Defined by destination host: The firewall determines the key size for the certificates it generates to establish SSL proxy sessions with clients based on the key size of the destination server certificate. If the destination server uses a 1024-bit RSA key, the firewall generates a certificate with that key size and an SHA1 hashing algorithm. If the destination server uses a key size larger than 1,024 bits (for example, 2,048 bits or 4,096 bits), the firewall generates a certificate that uses a 2,048-bit RSA key and SHA256 algorithm. This is the default setting.
    • 1024-bit RSA: The firewall generates certificates that use a 1,024-bit RSA key and SHA1 hashing algorithm regardless of the key size of the destination server certificates. As of December 31, 2013, public certificate authorities (CAs) and popular browsers have limited support for X.509 certificates that use keys of fewer than 2,048 bits. In the future, depending on security settings, when presented with such keys the browser might warn the user or block the SSL/TLS session entirely.
    • 2048-bit RSA: The firewall generates certificates that use a 2,048-bit RSA key and SHA256 hashing algorithm regardless of the key size of the destination server certificates. Public CAs and popular browsers support 2,048-bit keys, which provide better security than the 1,024-bit keys.
    Changing the key size setting clears the current certificate cache.

Step 3  Click OK and Commit.


Revoke and Renew Certificates

• Revoke a Certificate
• Renew a Certificate

Revoke a Certificate

Various circumstances can invalidate a certificate before the expiration date. Some examples are a change of name, change of association between subject and certificate authority (for example, an employee terminates employment), and compromise (known or suspected) of the private key. Under such circumstances, the certificate authority (CA) that issued the certificate must revoke it. The following task describes how to revoke a certificate for which the firewall is the CA.

Revoke a Certificate

Step 1  Select Device > Certificate Management > Certificates > Device Certificates.

Step 2  If the firewall supports multiple virtual systems, the tab displays a Location drop-down. Select the virtual system to which the certificate belongs.

Step 3  Select the certificate to revoke.

Step 4  Click Revoke. PAN-OS immediately sets the status of the certificate to revoked and adds the serial number to the Online Certificate Status Protocol (OCSP) responder cache or certificate revocation list (CRL). You need not perform a commit.

Renew a Certificate

If a certificate expires, or soon will, you can reset the validity period. If an external certificate authority (CA) signed the certificate and the firewall uses the Online Certificate Status Protocol (OCSP) to verify certificate revocation status, the firewall uses the OCSP responder information to update the certificate status (see Configure an OCSP Responder). If the firewall is the CA that issued the certificate, the firewall replaces it with a new certificate that has a different serial number but the same attributes as the old certificate.

Renew a Certificate

Step 1  Select Device > Certificate Management > Certificates > Device Certificates.

Step 2  If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 3  Select a certificate to renew and click Renew.

Step 4  Enter a New Expiration Interval (in days).

Step 5  Click OK and Commit.


Secure Keys with a Hardware Security Module

A hardware security module (HSM) is a physical device that manages digital keys. An HSM provides secure storage and generation of digital keys. It provides both logical and physical protection of these materials from non-authorized use and potential adversaries.
HSM clients integrated with Palo Alto Networks firewalls or Panorama enable enhanced security for the private keys used in SSL/TLS decryption (both SSL forward proxy and SSL inbound inspection). In addition, you can use the HSM to encrypt master keys.
The following topics describe how to integrate an HSM with your firewall or Panorama:
• Set up Connectivity with an HSM
• Encrypt a Master Key Using an HSM
• Store Private Keys on an HSM
• Manage the HSM Deployment

Set up Connectivity with an HSM

HSM clients are integrated with PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7000 Series, and VM-Series firewalls and on Panorama (virtual appliance and M-Series appliance) for use with the following HSMs:
• SafeNet Network 5.2.1 or later
• Thales nShield Connect 11.62 or later

The HSM server version must be compatible with these client versions. Refer to the HSM vendor documentation for the client-server version compatibility matrix.

The IP address on the HSM client firewall must be a static IP address, not a dynamic address assigned by DHCP. HSM authenticates the firewall using the IP address before the HSM connection comes up. Operations on HSM would stop working if the IP address were to change during runtime.
The following topics describe how to set up connectivity to one of the supported HSMs:
• Set Up Connectivity with a SafeNet Network HSM
• Set Up Connectivity with a Thales nShield Connect HSM

Set Up Connectivity with a SafeNet Network HSM

To set up connectivity between the Palo Alto Networks firewall and a SafeNet Network HSM, you must specify the address of the HSM server and the password for connecting to it in the firewall configuration. In addition, you must register the firewall with the HSM server. Before starting the configuration, make sure you have created a partition for the Palo Alto Networks firewalls on the HSM server.


HSM configuration is not synced between high availability firewall peers. Consequently, you must configure the HSM module separately on each of the peers.
In Active-Passive HA deployments, you must manually perform one failover to configure and authenticate each HA peer individually to the HSM. After this manual failover has been performed, user interaction is not required for the failover function.

Set Up Connectivity with a SafeNet Network HSM

Step 1  Configure the firewall to communicate with the SafeNet Network HSM.
    1. Log in to the firewall web interface and select Device > Setup > HSM.
    2. Edit the Hardware Security Module Provider section and select Safenet Luna SA (SafeNet Network) as the Provider Configured.
    3. Click Add and enter a Module Name. This can be any ASCII string up to 31 characters in length.
    4. Enter the IPv4 address of the HSM module as the Server Address.
       If you are configuring a high availability HSM configuration, enter module names and IP addresses for the additional HSM devices.
    5. (Optional) If configuring a high availability HSM configuration, select the High Availability check box and add the following: a value for Auto Recovery Retry and a High Availability Group Name.
       If two HSM servers are configured, you should configure high availability. Otherwise the second HSM server is not used.
    6. Click OK and Commit.

Step 2  (Optional) Configure a service route to enable the firewall to connect to the HSM.
    By default, the firewall uses the Management Interface to communicate with the HSM. To use a different interface, you must configure a service route.
    1. Select Device > Setup > Services.
    2. Select Service Route Configuration from the Services Features area.
    3. Select Customize from the Service Route Configuration area.
    4. Select the IPv4 tab.
    5. Select HSM from the Service column.
    6. Select an interface to use for HSM from the Source Interface drop-down.
       If you select a dataplane connected port for HSM, issuing the clear session all CLI command will clear all existing HSM sessions, causing all HSM states to be brought down and then up. During the several seconds required for HSM to recover, all SSL/TLS operations will fail.
    7. Click OK and Commit.

Step 3  Configure the firewall to authenticate to the HSM.
    1. Select Device > Setup > HSM.
    2. Select Setup Hardware Security Module in the Hardware Security Operations area.
    3. Select the HSM Server Name from the drop-down.
    4. Enter the Administrator Password to authenticate the firewall to the HSM.
    5. Click OK.
       The firewall attempts to perform an authentication with the HSM and displays a status message.
    6. Click OK.


Step 4  Register the firewall (the HSM client) with the HSM and assign it to a partition on the HSM.
    If the HSM already has a firewall with the same <cl-name> registered, you must remove the duplicate registration using the following command before registration will succeed:
        client delete -client <cl-name>
    where <cl-name> is the name of the client (firewall) registration you want to delete.
    1. Log in to the HSM from a remote system.
    2. Register the firewall using the following command:
        client register -c <cl-name> -ip <fw-ip-addr>
       where <cl-name> is a name that you assign to the firewall for use on the HSM and <fw-ip-addr> is the IP address of the firewall that is being configured as an HSM client. It must be a static IP address, not an address assigned by DHCP.
    3. Assign a partition to the firewall using the following command:
        client assignpartition -c <cl-name> -p <partition-name>
       where <cl-name> is the name assigned to the firewall in the client register command and <partition-name> is the name of a previously configured partition that you want to assign to the firewall.

Step 5  Configure the firewall to connect to the HSM partition.
    1. Select Device > Setup > HSM.
    2. Click the Refresh icon.
    3. Select the Setup HSM Partition in the Hardware Security Operations area.
    4. Enter the Partition Password to authenticate the firewall to the partition on the HSM.
    5. Click OK.

Step 6  (Optional) Configure an additional HSM for high availability (HA).
    1. Repeat the previous steps to add an additional HSM for high availability (HA).
       This process adds a new HSM to the existing HA group.
    2. If you remove an HSM from your configuration, repeat the previous step.
       This will remove the deleted HSM from the HA group.

Step 7  Verify connectivity with the HSM.
    1. Select Device > Setup > HSM.
    2. Check the Status of the HSM connection:
       • Green: HSM is authenticated and connected.
       • Red: HSM was not authenticated or network connectivity to the HSM is down.
    3. View the following columns in the Hardware Security Module Status area to determine authentication status:
       • Serial Number: The serial number of the HSM partition if the HSM was successfully authenticated.
       • Partition: The partition name on the HSM that was assigned on the firewall.
       • Module State: The current operating state of the HSM. It always has the value Authenticated if the HSM is displayed in this table.


Set Up Connectivity with a Thales nShield Connect HSM

The following workflow describes how to configure the firewall to communicate with a Thales nShield Connect HSM. This configuration requires that you set up a remote filesystem (RFS) to use as a hub to sync key data for all firewalls in your organization that are using the HSM.

HSM configuration is not synced between high availability firewall peers. Consequently, you must configure the HSM module separately on each of the peers.
If the firewall is in an active/passive high availability configuration, you must manually perform one failover to configure and authenticate each HA peer individually to the HSM. After you perform this initial manual failover, no further user interaction is required for failover function.

Set Up Connectivity with a Thales nShield Connect HSM

Step 1  Configure the Thales nShield Connect server as the firewall's HSM provider.
    1. From the firewall web interface, select Device > Setup > HSM and edit the Hardware Security Module Provider section.
    2. Select Thales Nshield Connect as the Provider Configured.
    3. Click Add and enter a Module Name. This can be any ASCII string up to 31 characters in length.
    4. Enter the IPv4 address as the Server Address of the HSM module.
       If you are configuring a high availability HSM configuration, enter module names and IP addresses for the additional HSM devices.
    5. Enter the IPv4 address of the Remote Filesystem Address.
    6. Click OK and Commit.

Step 2  (Optional) Configure a service route to enable the firewall to connect to the HSM.
    By default, the firewall uses the Management Interface to communicate with the HSM. To use a different interface, you must configure a service route.
    1. Select Device > Setup > Services.
    2. Select Service Route Configuration from the Services Features area.
    3. Select Customize from the Service Route Configuration area.
    4. Select the IPv4 tab.
    5. Select HSM from the Service column.
    6. Select an interface to use for HSM from the Source Interface drop-down.
       If you select a dataplane connected port for HSM, issuing the clear session all CLI command will clear all existing HSM sessions, causing all HSM states to be brought down and then up. During the several seconds required for HSM to recover, all SSL/TLS operations will fail.
    7. Click OK and Commit.

Step 3  Register the firewall (the HSM client) with the HSM server.
    This step briefly describes the procedure for using the front panel interface of the Thales nShield Connect HSM. For more details, consult the Thales documentation.
    1. Log in to the front panel display of the Thales nShield Connect HSM unit.
    2. On the unit front panel, use the right-hand navigation button to select System > System configuration > Client config > New client.
    3. Enter the IP address of the firewall. It must be a static IP address, not an address assigned by DHCP.
    4. Select System > System configuration > Client config > Remote file system and enter the IP address of the client computer where you set up the remote file system.


Step 4  Set up the remote filesystem to accept connections from the firewall.
    1. Log in to the remote filesystem (RFS) from a Linux client.
    2. Obtain the electronic serial number (ESN) and the hash of the KNETI key. The KNETI key authenticates the module to clients:
        anonkneti <ip-address>
       where <ip-address> is the IP address of the HSM.
       The following is an example:
        anonkneti 192.0.2.1
        B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
       In this example, B1E2-2D4C-E6A2 is the ESN and 5a2e5107e70d525615a903f6391ad72b1c03352c is the hash of the KNETI key.
    3. Use the following command from a superuser account to perform the remote filesystem setup:
        rfs-setup --force <ip-address> <ESN> <hash-Kneti-key>
       where <ip-address> is the IP address of the HSM, <ESN> is the electronic serial number (ESN) and <hash-Kneti-key> is the hash of the KNETI key.
       The following example uses the values obtained in this procedure (the angle brackets in the syntax line are placeholders and are not typed):
        rfs-setup --force 192.0.2.1 B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
    4. Use the following command to permit client submit on the Remote Filesystem:
        rfs-setup --gang-client --write-noauth <FW-IPaddress>
       where <FW-IPaddress> is the IP address of the firewall.
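The rfs-setup syntax lines above use <...> placeholders that must not be typed literally; building the two commands from the parsed anonkneti output avoids that slip and catches a malformed ESN or hash before anything is run. The following helper is an added example, not part of the PAN-OS guide or the Thales tools: it assumes the ESN has the shape of the page's example (three hyphen-separated groups of four hex digits) and that the KNETI hash is a 40-character hex digest, and the firewall address 192.0.2.50 is a constructed sample value.

```python
"""Parse `anonkneti` output and build the two rfs-setup argv lists from Step 4.

Added example, not part of the PAN-OS guide or of the Thales RFS tooling.
The ESN shape (XXXX-XXXX-XXXX, hex) is assumed from the guide's example and
the KNETI hash is assumed to be a 40-character hex digest.
"""
import ipaddress
import re
from typing import List, NamedTuple

ESN_RE = re.compile(r"^[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}$")   # assumed shape
KNETI_HASH_RE = re.compile(r"^[0-9a-f]{40}$")                  # assumed length


class ModuleIdentity(NamedTuple):
    esn: str
    kneti_hash: str


def parse_anonkneti(output: str) -> ModuleIdentity:
    """Extract the ESN and KNETI hash from `anonkneti <hsm-ip>` output.

    The first non-empty line must read "<ESN> <hash>"; error text or empty
    output raises ValueError instead of yielding a bogus rfs-setup call.
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("anonkneti produced no output")
    fields = lines[0].split()
    if len(fields) != 2:
        raise ValueError(f"unexpected anonkneti line: {lines[0]!r}")
    esn, kneti_hash = fields[0].upper(), fields[1].lower()
    if not ESN_RE.match(esn):
        raise ValueError(f"malformed ESN: {esn!r}")
    if not KNETI_HASH_RE.match(kneti_hash):
        raise ValueError(f"malformed KNETI hash: {kneti_hash!r}")
    return ModuleIdentity(esn, kneti_hash)


def _ipv4(text: str) -> str:
    """Require a literal IPv4 address. The HSM and the firewall client are
    addressed by static IP in this procedure, so a hostname or a value still
    wrapped in <...> placeholder brackets is rejected (ValueError)."""
    return str(ipaddress.IPv4Address(text))


def rfs_setup_commands(hsm_ip: str, anonkneti_output: str,
                       firewall_ip: str) -> List[List[str]]:
    """Return argv lists for the two rfs-setup calls of Step 4, in order.

    Each value is its own argv element, with no placeholder brackets, so the
    lists can be passed straight to subprocess.run without shell quoting.
    """
    ident = parse_anonkneti(anonkneti_output)
    return [
        ["rfs-setup", "--force", _ipv4(hsm_ip), ident.esn, ident.kneti_hash],
        ["rfs-setup", "--gang-client", "--write-noauth", _ipv4(firewall_ip)],
    ]


# Constructed sample: the anonkneti output quoted in the guide.
SAMPLE_ANONKNETI = "B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c\n"

if __name__ == "__main__":
    # 192.0.2.50 is a constructed firewall address, not a value from the guide.
    for argv in rfs_setup_commands("192.0.2.1", SAMPLE_ANONKNETI, "192.0.2.50"):
        print(" ".join(argv))
```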

Step 5  Configure the firewall to authenticate to the HSM.
    1. From the firewall web interface, select Device > Setup > HSM.
    2. Select Setup Hardware Security Module in the Hardware Security Operations area.
    3. Click OK.
       The firewall attempts to perform an authentication with the HSM and displays a status message.
    4. Click OK.

Step 6  Synchronize the firewall with the remote filesystem.
    1. Select Device > Setup > HSM.
    2. Select Synchronize with Remote Filesystem in the Hardware Security Operations section.

Step 7  Verify that the firewall can connect to the HSM.
    1. Select Device > Setup > HSM.
    2. Check the Status indicator to verify that the firewall is connected to the HSM:
       • Green: HSM is authenticated and connected.
       • Red: HSM was not authenticated or network connectivity to the HSM is down.
    3. View the following columns in the Hardware Security Module Status section to determine authentication status:
       • Name: The name of the HSM attempting to be authenticated.
       • IP address: The IP address of the HSM that was assigned on the firewall.
       • Module State: The current operating state of the HSM: Authenticated or Not Authenticated.


Encrypt a Master Key Using an HSM

A master key encrypts all private keys and passwords on the firewall and Panorama. If you have security requirements to store your private keys in a secure location, you can encrypt the master key using an encryption key that is stored on an HSM. The firewall or Panorama then requests the HSM to decrypt the master key whenever it is required to decrypt a password or private key on the firewall. Typically, the HSM is in a highly secure location that is separate from the firewall or Panorama for greater security.
The HSM encrypts the master key using a wrapping key. To maintain security, you must occasionally change (refresh) this wrapping key.

Firewalls configured in FIPS/CC mode do not support master key encryption using an HSM.

The following topics describe how to encrypt the master key initially and how to refresh the master key encryption:
• Encrypt the Master Key
• Refresh the Master Key Encryption

Encrypt the Master Key

If you have not previously encrypted the master key on a firewall, use the following procedure to encrypt it. Use this procedure for first-time encryption of a key, or if you define a new master key and you want to encrypt it. If you want to refresh the encryption on a previously encrypted key, see Refresh the Master Key Encryption.

Encrypt a Master Key Using an HSM

Step 1  Select Device > Master Key and Diagnostics.

Step 2  Specify the key that is currently used to encrypt all of the private keys and passwords on the firewall in the Master Key field.

Step 3  If changing the master key, enter the new master key and confirm.

Step 4  Select the HSM check box.
    • Life Time: The number of days and hours after which the master key expires (range 1-730 days).
    • Time for Reminder: The number of days and hours before expiration when the user is notified of the impending expiration (range 1-365 days).

Step 5  Click OK.


Refresh the Master Key Encryption

As a best practice, periodically refresh the master key encryption by rotating the wrapping key that encrypts it. The frequency of the rotation depends on your application. The wrapping key resides on your HSM. The following command is the same for SafeNet Network and Thales nShield Connect HSMs.

Refresh the Master Key Encryption

Step 1  Use the following CLI command to rotate the wrapping key for the master key on an HSM:
        > request hsm mkey-wrapping-key-rotation
    If the master key is encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM and encrypt the master key with the new wrapping key.
    If the master key is not encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM for future use.
    The old wrapping key is not deleted by this command.

Store Private Keys on an HSM

For added security, you can use an HSM to secure the private keys used in SSL/TLS decryption for:
• SSL Forward Proxy: The HSM can store the private key of the Forward Trust certificate that signs certificates in SSL/TLS forward proxy operations. The firewall will then send the certificates that it generates during such operations to the HSM for signing before forwarding the certificates to the client.
• SSL Inbound Inspection: The HSM can store the private keys for the internal servers for which you are performing SSL/TLS inbound inspection.

Store Private Keys on an HSM

Step 1  On the HSM, import or generate the certificate and private key used in your decryption deployment.
    For instructions on importing or generating a certificate and private key on the HSM, refer to your HSM documentation.

Step 2  (Thales nShield Connect only) Synchronize the key data from the Thales nShield remote file system to the firewall.
    Synchronization with the SafeNet Network HSM is automatic.
    1. Access the firewall web interface and select Device > Setup > HSM.
    2. Select Synchronize with Remote Filesystem in the Hardware Security Operations section.

Step 3  Import the certificate that corresponds to the HSM-stored key onto the firewall.
    1. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
    2. Enter the Certificate Name.
    3. Browse to the Certificate File on the HSM.
    4. Select a File Format.
    5. Select Private Key resides on Hardware Security Module.
    6. Click OK and Commit.


Step 4  (Forward Trust certificates only) Enable the certificate for use in SSL/TLS Forward Proxy.
    1. Open the certificate you imported in Step 3 for editing.
    2. Select Forward Trust Certificate.
    3. Click OK and Commit.

Step 5  Verify that you successfully imported the certificate onto the firewall.
    Locate the certificate you imported in Step 3 and check the icon in the Key column:
    • Lock icon: The private key for the certificate is on the HSM.
    • Error icon: The private key is not on the HSM or the HSM is not properly authenticated or connected.

Manage the HSM Deployment

Manage HSM

View the HSM configuration settings.
    Select Device > Setup > HSM.

Display detailed HSM information.
    Select Show Detailed Information from the Hardware Security Operations section.
    Information regarding the HSM servers, HSM HA status, and HSM hardware is displayed.

Export Support file.
    Select Export Support File from the Hardware Security Operations section.
    A test file is created to help customer support when addressing a problem with an HSM configuration on the firewall.

Reset HSM configuration.
    Select Reset HSM Configuration from the Hardware Security Operations section.
    Selecting this option removes all HSM connections. All authentication procedures must be repeated after using this option.

High Availability

High availability (HA) is a deployment in which two firewalls are placed in a group and their configuration is synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up two firewalls in an HA pair provides redundancy and allows you to ensure business continuity.
Palo Alto Networks firewalls support stateful active/passive or active/active high availability with session and configuration synchronization with a few exceptions:
• The PA-200 firewall supports HA Lite only.
• The VM-Series firewall in AWS supports active/passive HA only; if it is deployed with Amazon Elastic Load Balancing (ELB), it does not support HA (in this case ELB provides the failover capabilities).
• The VM-Series firewall in Microsoft Azure does not support HA.
The following topics provide more information about high availability and how to configure it in your environment.
• HA Overview
• HA Concepts
• Set Up Active/Passive HA
• Set Up Active/Active HA
• HA Firewall States
• Reference: HA Synchronization


HA Overview

You can set up two Palo Alto Networks firewalls as an HA pair. HA allows you to minimize downtime by making sure that an alternate firewall is available in the event that the peer firewall fails. The firewalls in an HA pair use dedicated or in-band HA ports on the firewall to synchronize data (network, object, and policy configurations) and to maintain state information. Firewall-specific configuration such as management interface IP address or administrator profiles, HA-specific configuration, log data, and the Application Command Center (ACC) information is not shared between peers. For a consolidated application and log view across the HA pair, you must use Panorama, the Palo Alto Networks centralized management system.

When a failure occurs on a firewall in an HA pair and the peer firewall takes over the task of securing traffic, the event is called a Failover. The conditions that trigger a failover are:
- One or more of the monitored interfaces fail. (Link Monitoring)
- One or more of the destinations specified on the firewall cannot be reached. (Path Monitoring)
- The firewall does not respond to heartbeat polls. (Heartbeat Polling and Hello messages)
- A critical chip or software component fails, known as packet path health monitoring.

You can use Panorama to manage HA firewalls. See Context Switch: Firewall or Panorama in the Panorama Administrator's Guide.

After you understand the HA Concepts, proceed to Set Up Active/Passive HA or Set Up Active/Active HA.


HA Concepts

The following topics provide conceptual information about how HA works on a Palo Alto Networks firewall:
- HA Modes
- HA Links and Backup Links
- Device Priority and Preemption
- Failover
- LACP and LLDP Pre-Negotiation for Active/Passive HA
- Floating IP Address and Virtual MAC Address
- ARP Load-Sharing
- Route-Based Redundancy
- HA Timers
- Session Owner
- Session Setup
- NAT in Active/Active HA Mode
- ECMP in Active/Active HA Mode

HA Modes

You can set up the firewalls for HA in one of two modes:
- Active/Passive: One firewall actively manages traffic while the other is synchronized and ready to transition to the active state, should a failure occur. In this mode, both firewalls share the same configuration settings, and one actively manages traffic until a path, link, system, or network failure occurs. When the active firewall fails, the passive firewall transitions to the active state and takes over seamlessly and enforces the same policies to maintain network security. Active/passive HA is supported in the virtual wire, Layer 2, and Layer 3 deployments.

  The PA-200 firewall supports HA Lite only. HA Lite is an active/passive deployment that provides configuration synchronization and some runtime data synchronization such as IPSec security associations. It does not support any session synchronization (HA2), and therefore does not offer stateful failover.

- Active/Active: Both firewalls in the pair are active and processing traffic and work synchronously to handle session setup and session ownership. Both firewalls individually maintain session tables and routing tables and synchronize to each other. Active/active HA is supported in virtual wire and Layer 3 deployments.

  In active/active HA mode, the firewall does not support DHCP client. Furthermore, only the active-primary firewall can function as a DHCP Relay. If the active-secondary firewall receives DHCP broadcast packets, it drops them.


An active/active configuration does not load-balance traffic. Although you can load share by sending traffic to the peer, no load balancing occurs. Ways to load share sessions to both firewalls include using ECMP, multiple ISPs, and load balancers.

When deciding whether to use active/passive or active/active mode, consider the following differences:
- Active/passive mode has simplicity of design; it is significantly easier to troubleshoot routing and traffic flow issues in active/passive mode. Active/passive mode supports a Layer 2 deployment; active/active mode does not.
- Active/active mode requires advanced design concepts that can result in more complex networks. Depending on how you implement active/active HA, it might require additional configuration such as activating networking protocols on both firewalls, replicating NAT pools, and deploying floating IP addresses to provide proper failover. Because both firewalls are actively processing traffic, the firewalls use additional concepts of session owner and session setup to perform Layer 7 content inspection. Active/active mode is recommended if each firewall needs its own routing instances and you require full, real-time redundancy out of both firewalls all the time. Active/active mode has faster failover and can handle peak traffic flows better than active/passive mode because both firewalls are actively processing traffic.

In active/active mode, the HA pair can be used to temporarily process more traffic than what one firewall can normally handle. However, this should not be the norm because a failure of one firewall causes all traffic to be redirected to the remaining firewall in the HA pair. Your design must allow the remaining firewall to process the maximum capacity of your traffic loads with content inspection enabled. If the design oversubscribes the capacity of the remaining firewall, high latency and/or application failure can occur.

For information on setting up your firewalls in active/passive mode, see Set Up Active/Passive HA. For information on setting up your firewalls in active/active mode, see Set Up Active/Active HA.

HA Links and Backup Links

The firewalls in an HA pair use HA links to synchronize data and maintain state information. Some models of the firewall have dedicated HA ports, the Control link (HA1) and the Data link (HA2), while others require you to use the in-band ports as HA links.

On firewalls with dedicated HA ports such as the PA-3000 Series, PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls (see HA Ports on the PA-7000 Series Firewall), use the dedicated HA ports to manage communication and synchronization between the firewalls. For firewalls without dedicated HA ports such as the PA-200, PA-500, and PA-2000 Series firewalls, as a best practice use the management port for the HA1 link to allow for a direct connection between the management planes on the firewalls, and an in-band port for the HA2 link.

The HA1 and HA2 links provide synchronization for functions that reside on the management plane. Using the dedicated HA interfaces on the management plane is more efficient than using the in-band ports as this eliminates the need to pass the synchronization packets over the dataplane.


HA Links and Backup Links: Description

Control Link
    The HA1 link is used to exchange hellos, heartbeats, and HA state information, and management plane sync for routing, and User-ID information. The firewalls also use this link to synchronize configuration changes with its peer. The HA1 link is a Layer 3 link and requires an IP address.
    Ports used for HA1: TCP port 28769 and 28260 for clear text communication; port 28 for encrypted communication (SSH over TCP).

Data Link
    The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active or active-primary firewall to the passive or active-secondary firewall. The HA2 link is a Layer 2 link, and it uses ethertype 0x7261 by default.
    Ports used for HA2: The HA data link can be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.

Backup Links
    Provide redundancy for the HA1 and the HA2 links. In-band ports are used as backup links for both HA1 and HA2. Consider the following guidelines when configuring backup HA links:
    - The IP addresses of the primary and backup HA links must not overlap each other.
    - HA backup links must be on a different subnet from the primary HA links.
    - HA1 backup and HA2 backup ports must be configured on separate physical ports. The HA1 backup link uses port 28770 and 28260.
    - Palo Alto Networks recommends enabling heartbeat backup (uses port 28771 on the MGT interface) if you use an in-band port for the HA1 or the HA1 backup links.

Packet-Forwarding Link
    In addition to HA1 and HA2 links, an active/active deployment also requires a dedicated HA3 link. The firewalls use this link for forwarding packets to the peer during session setup and asymmetric traffic flow. The HA3 link is a Layer 2 link that uses MAC-in-MAC encapsulation. It does not support Layer 3 addressing or encryption. PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one. On PA-3000 Series, PA-4000 Series, and PA-5000 Series firewalls, you can configure aggregate interfaces as an HA3 link. The aggregate interfaces can also provide redundancy for the HA3 link; you cannot configure backup links for the HA3 link. On PA-7000 Series firewalls, the dedicated HSCI ports support the HA3 link. The firewall adds a proprietary packet header to packets traversing the HA3 link, so the MTU over this link must be greater than the maximum packet length forwarded.


HA Ports on the PA-7000 Series Firewall

HA connectivity on the PA-7000 Series mandates the use of specific ports on the Switch Management Card (SMC) for certain functions; for other functions, you can use the ports on the Network Processing Card (NPC). PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one.

The following table describes the SMC ports that are designed for HA connectivity:

Control Link: port HA1-A on the SMC (speed: Ethernet 10/100/1000)
    Used for HA control and synchronization in both HA modes. Connect this port directly from the HA1-A port on the first firewall to the HA1-A port on the second firewall in the pair, or connect them through a switch or router.
    HA1 cannot be configured on NPC data ports or the MGT port.

Control Link Backup: port HA1-B on the SMC (speed: Ethernet 10/100/1000 port)
    Used for HA control and synchronization as a backup for HA1-A in both HA modes. Connect this port directly from the HA1-B port on the first firewall to the HA1-B port on the second firewall in the pair, or connect them through a switch or router.
    HA1 Backup cannot be configured on NPC data ports or the MGT port.

Data Link: port HSCI-A on the SMC; Data Link Backup: port HSCI-B on the SMC
    The High Speed Chassis Interconnect (HSCI) ports are Layer 1 Quad Port SFP+ (QSFP+) interfaces used to connect two PA-7000 Series firewalls in an HA configuration. Each port is comprised of four 10-gigabit channels multiplexed for a combined speed of 40 gigabits. The traffic carried on the HSCI ports is raw layer 1, which is not routable or switchable; therefore the HSCI ports must be connected directly to each other. The HSCI-A on the first chassis connects directly to HSCI-A on the second chassis and HSCI-B on the first chassis connects to HSCI-B on the second chassis. This provides full 80-gigabit transfer rates. In software, both ports (HSCI-A and HSCI-B) are treated as one HA interface.
    Palo Alto Networks recommends using the dedicated HSCI ports for the HA2 link. The HA3 link, required for packet forwarding in an active/active deployment, must use the HSCI port; the HA3 traffic cannot be configured on data ports.
    If the firewalls are deployed in:
    - an active/active configuration, the HA3 link must use the HSCI ports. The HA2 link and HA2 backup links can use the HSCI ports or data ports on the NPC.
    - an active/passive configuration, you can configure a data port on the NPC for the HA2 link or the HA2 backup link, if needed.


Device Priority and Preemption

The firewalls in an HA pair can be assigned a device priority value to indicate a preference for which firewall should assume the active or active-primary role. If you need to use a specific firewall in the HA pair for actively securing traffic, you must enable the preemptive behavior on both the firewalls and assign a device priority value for each firewall. The firewall with the lower numerical value, and therefore higher priority, is designated as active or active-primary. The other firewall is the active-secondary or passive firewall.

By default, preemption is disabled on the firewalls and must be enabled on both firewalls. When enabled, the preemptive behavior allows the firewall with the higher priority (lower numerical value) to resume as active or active-primary after it recovers from a failure. When preemption occurs, the event is logged in the system logs.

Failover

When a failure occurs on one firewall and the peer takes over the task of securing traffic, the event is called a failover. A failover is triggered, for example, when a monitored metric on a firewall in the HA pair fails. The metrics that are monitored for detecting a firewall failure are:

- Heartbeat Polling and Hello messages
  The firewalls use hello messages and heartbeats to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the firewalls are connected and responsive. A ping is sent every 1000 milliseconds and if there are three consecutive heartbeat losses, a failover occurs. For details on the HA timers that trigger a failover, see HA Timers.

- Link Monitoring
  The physical interfaces to be monitored are grouped into a link group and their state (link up or link down) is monitored. A link group can contain one or more physical interfaces. A firewall failure is triggered when any or all of the interfaces in the group fail. The default behavior is failure of any one link in the link group will cause the firewall to change the HA state to non-functional (or to tentative state in active/active mode) to indicate a failure of a monitored object.

- Path Monitoring
  Monitors the full path through the network to mission-critical IP addresses. ICMP pings are used to verify reachability of the IP address. The default interval for pings is 200 ms. An IP address is considered unreachable when 10 consecutive pings (the default value) fail, and a firewall failure is triggered when any or all of the IP addresses monitored become unreachable. The default behavior is any one of the IP addresses becoming unreachable will cause the firewall to change the HA state to non-functional (or to tentative state in active/active mode) to indicate a failure of a monitored object.

In addition to the failover triggers listed above, a failover also occurs when the administrator suspends the firewall or when preemption occurs.

On the PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls, a failover can occur when an internal health check fails. This health check is not configurable and is enabled to monitor the critical components, such as the FPGA and CPUs. Additionally, general health checks occur on any platform causing failover.
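The following added example (not PAN-OS code) models the three monitored triggers above, heartbeat polling, link monitoring and path monitoring, with the default intervals and thresholds stated in this section, so you can see at which sample a failure is declared and how the any/all group condition is applied. The interface names, IP addresses and group names are constructed.

```python
"""Failover trigger evaluation for an HA pair: heartbeat polling, link monitoring
and path monitoring, using the default intervals and thresholds stated on this page.
Added example; it is not PAN-OS code and does not talk to a firewall."""
from typing import Dict, List, Optional, Tuple

HEARTBEAT_INTERVAL_MS = 1000  # one ICMP ping to the HA peer over the control link per second
HEARTBEAT_MAX_LOSSES = 3      # three consecutive heartbeat losses trigger a failover
PATH_PING_INTERVAL_MS = 200   # default path-monitoring ping interval
PATH_MAX_FAILURES = 10        # default: an IP is unreachable after 10 consecutive failed pings


def consecutive_failures_reached(samples: List[bool], threshold: int) -> Optional[int]:
    """Return the 1-based index of the sample at which `threshold` consecutive
    failures (False) have been seen, or None if that never happens."""
    streak = 0
    for index, ok in enumerate(samples, start=1):
        streak = 0 if ok else streak + 1
        if streak >= threshold:
            return index
    return None


def heartbeat_failover_ms(replies: List[bool]) -> Optional[int]:
    """Time (ms since the first heartbeat) at which the peer is declared failed."""
    index = consecutive_failures_reached(replies, HEARTBEAT_MAX_LOSSES)
    return None if index is None else index * HEARTBEAT_INTERVAL_MS


def path_unreachable_ms(pings: List[bool]) -> Optional[int]:
    """Time (ms since the first ping) at which a monitored IP is declared unreachable."""
    index = consecutive_failures_reached(pings, PATH_MAX_FAILURES)
    return None if index is None else index * PATH_PING_INTERVAL_MS


def group_failed(member_down: Dict[str, bool], condition: str) -> bool:
    """Failure condition of a link group or path group: 'any' (the default) fails the
    group when any member is down, 'all' only when every member is down."""
    if condition == "any":
        return any(member_down.values())
    if condition == "all":
        return all(member_down.values())
    raise ValueError(f"unknown failure condition: {condition}")


def monitored_object_state(mode: str) -> str:
    """HA state the firewall moves to when a monitored object fails."""
    return "tentative" if mode == "active/active" else "non-functional"


def evaluate_failover(
    mode: str,
    heartbeat_replies: List[bool],
    link_groups: Dict[str, Tuple[Dict[str, bool], str]],        # name -> ({interface: link_up}, condition)
    path_groups: Dict[str, Tuple[Dict[str, List[bool]], str]],  # name -> ({ip: ping results}, condition)
) -> Tuple[bool, List[str]]:
    """One evaluation of all three monitors; returns (failover_triggered, reasons)."""
    reasons: List[str] = []
    lost_at = heartbeat_failover_ms(heartbeat_replies)
    if lost_at is not None:
        reasons.append(f"heartbeat: {HEARTBEAT_MAX_LOSSES} consecutive losses at {lost_at} ms")
    for name, (link_up, condition) in link_groups.items():
        down = {ifname: not up for ifname, up in link_up.items()}
        if group_failed(down, condition):
            reasons.append(f"link group {name}: {condition} condition met -> {monitored_object_state(mode)}")
    for name, (pings_by_ip, condition) in path_groups.items():
        unreachable = {ip: path_unreachable_ms(pings) is not None for ip, pings in pings_by_ip.items()}
        if group_failed(unreachable, condition):
            reasons.append(f"path group {name}: {condition} condition met -> {monitored_object_state(mode)}")
    return bool(reasons), reasons


# Constructed sample: a healthy heartbeat, a link group with one link down (condition 'any'),
# and a path group whose 'all' condition is not met because one gateway still answers.
SAMPLE_HEARTBEAT = [True, True, True, True, True]
SAMPLE_LINK_GROUPS = {"uplinks": ({"ethernet1/1": True, "ethernet1/2": False}, "any")}
SAMPLE_PATH_GROUPS = {
    "gateways": ({"198.51.100.1": [True] * 2 + [False] * 10,  # 10 straight failures: unreachable
                  "198.51.100.2": [True] * 12}, "all"),
}

if __name__ == "__main__":
    triggered, why = evaluate_failover("active/passive", SAMPLE_HEARTBEAT,
                                       SAMPLE_LINK_GROUPS, SAMPLE_PATH_GROUPS)
    print("failover:", triggered)
    for line in why:
        print(" -", line)
```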


LACP and LLDP Pre-Negotiation for Active/Passive HA

If a firewall uses LACP or LLDP, negotiation of those protocols upon failover prevents sub-second failover. However, you can enable an interface on a passive firewall to negotiate LACP and LLDP prior to failover. Thus, a firewall in Passive or Non-functional HA state can communicate with neighboring devices using LACP or LLDP. Such pre-negotiation speeds up failover.

The PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls support a pre-negotiation configuration depending on whether the Ethernet or AE interface is in a Layer 2, Layer 3, or virtual wire deployment. An HA passive firewall handles LACP and LLDP packets in one of two ways:
- Active: The firewall has LACP or LLDP configured on the interface and actively participates in LACP or LLDP pre-negotiation, respectively.
- Passive: LACP or LLDP is not configured on the interface and the firewall does not participate in the protocol, but allows the peers on either side of the firewall to pre-negotiate LACP or LLDP, respectively.

Pre-negotiation is not supported on subinterfaces or tunnel interfaces.

To configure LACP or LLDP pre-negotiation, see Step 14 of Configure Active/Passive HA.

Floating IP Address and Virtual MAC Address

In a Layer 3 deployment of HA active/active mode, you can assign floating IP addresses, which move from one HA firewall to the other if a link or firewall fails. The interface on the firewall that owns the floating IP address responds to ARP requests with a virtual MAC address.

Floating IP addresses are recommended when you need functionality such as Virtual Router Redundancy Protocol (VRRP). Floating IP addresses can also be used to implement VPNs and source NAT, allowing for persistent connections when a firewall offering those services fails.

As shown in the figure below, each HA firewall interface has its own IP address and floating IP address. The interface IP address remains local to the firewall, but the floating IP address moves between the firewalls upon firewall failure. You configure the end hosts to use a floating IP address as its default gateway, allowing you to load balance traffic to the two HA peers. You can also use external load balancers to load balance traffic.

If a link or firewall fails or a path monitoring event causes a failover, the floating IP address and virtual MAC address move over to the functional firewall. (In the figure below, each firewall has two floating IP addresses and virtual MAC addresses; they all move over if the firewall fails.) The functioning firewall sends a gratuitous ARP to update the MAC tables of the connected switches to inform them of the change in floating IP address and MAC address ownership to redirect traffic to itself.

After the failed firewall recovers, by default the floating IP address and virtual MAC address move back to the firewall with the Device ID [0 or 1] to which the floating IP address is bound. More specifically, after the failed firewall recovers, it comes online. The currently active firewall determines that the firewall is back online and checks whether the floating IP address it is handling belongs natively to itself or the other firewall. If the floating IP address was originally bound to the other Device ID, the firewall automatically gives it back. (For an alternative to this default behavior, see Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.)


Each firewall in the HA pair creates a virtual MAC address for each of its interfaces that has a floating IP address or ARP Load-Sharing IP address.

The format of the virtual MAC address (on firewalls other than PA-7000 Series firewalls) is 00-1B-17-00-xx-yy, where 00-1B-17 is the vendor ID (of Palo Alto Networks in this case), 00 is fixed, xx indicates the Device ID and Group ID as shown in the following figure, and yy is the Interface ID:

The format of the virtual MAC address on PA-7000 Series firewalls is 00-1B-17-xx-xx-xx, where 00-1B-17 is the vendor ID (of Palo Alto Networks in this case), and the next 24 bits indicate the Device ID, Group ID and Interface ID as follows:

When a new active firewall takes over, it sends gratuitous ARPs from each of its connected interfaces to inform the connected Layer 2 switches of the new location of the virtual MAC address. To configure floating IP addresses, see Use Case: Configure Active/Active HA with Floating IP Addresses.


ARP Load-Sharing

In a Layer 3 interface deployment and active/active HA configuration, ARP load-sharing allows the firewalls to share an IP address and provide gateway services. Use ARP load-sharing only when no Layer 3 device exists between the firewall and end hosts, that is, when end hosts use the firewall as their default gateway.

In such a scenario, all hosts are configured with a single gateway IP address. One of the firewalls responds to ARP requests for the gateway IP address with its virtual MAC address. Each firewall has a unique virtual MAC address generated for the shared IP address. The load-sharing algorithm that controls which firewall will respond to the ARP request is configurable; it is determined by computing the hash or modulo of the source IP address of the ARP request.

After the end host receives the ARP response from the gateway, it caches the MAC address and all traffic from the host is routed via the firewall that responded with the virtual MAC address for the lifetime of the ARP cache. The lifetime of the ARP cache depends on the end host operating system.

If a link or firewall fails, the floating IP address and virtual MAC address move over to the functional firewall. The functional firewall sends gratuitous ARPs to update the MAC table of the connected switches to redirect traffic from the failed firewall to itself. See Use Case: Configure Active/Active HA with ARP Load-Sharing.

You can configure interfaces on the WAN side of the HA firewalls with floating IP addresses, and configure interfaces on the LAN side of the HA firewalls with a shared IP address for ARP load-sharing. For example, the figure below illustrates floating IP addresses for the upstream WAN edge routers and an ARP load-sharing address for the hosts on the LAN segment.


Route-Based Redundancy

In a Layer 3 interface deployment and active/active HA configuration, the firewalls are connected to routers, not switches. The firewalls use dynamic routing protocols to determine the best path (asymmetric route) and to load share between the HA pair. In such a scenario, no floating IP addresses are necessary. If a link, monitored path, or firewall fails, or if Bidirectional Forwarding Detection (BFD) detects a link failure, the routing protocol (RIP, OSPF, or BGP) handles the rerouting of traffic to the functioning firewall. You configure each firewall interface with a unique IP address. The IP addresses remain local to the firewall where they are configured; they do not move between devices when a firewall fails. See Use Case: Configure Active/Active HA with Route-Based Redundancy.

HA Timers

High availability (HA) timers facilitate a firewall to detect a firewall failure and trigger a failover. To reduce the complexity in configuring HA timers, you can select from three profiles: Recommended, Aggressive and Advanced. These profiles auto-populate the optimum HA timer values for the specific firewall platform to enable a speedier HA deployment.

Use the Recommended profile for typical failover timer settings and the Aggressive profile for faster failover timer settings. The Advanced profile allows you to customize the timer values to suit your network requirements.

The following table describes each timer included in the profiles and the current preset values across the different hardware models; these values are for current reference only and can change in a subsequent release.


Timers: preset values by platform group

Values are listed for three platform groups: (a) PA-7000 Series, PA-5000 Series, PA-4000 Series, PA-3000 Series, and VM-Series; (b) PA-2000 Series, PA-500, and PA-200; (c) Panorama Virtual Appliance and Panorama M-Series.

Monitor fail hold up time: (a) 0/0; (b) 0/0; (c) 0/0
    Interval during which the firewall will remain active following a path monitor or link monitor failure. This setting is recommended to avoid an HA failover due to the occasional flapping of neighboring devices.

Preemption hold time: (a) 1/1; (b) 1/1; (c) 1/1
    Time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall.

Heartbeat interval: (a) 1000/1000 (2000/1000 only for VM-Series in AWS); (b) 2000/1000; (c) 2000/1000
    Frequency at which the HA peers exchange heartbeat messages in the form of an ICMP (ping).

Promotion hold time: (a) 2000/500; (b) 2000/500; (c) 2000/500
    Time that the passive firewall (in active/passive mode) or the active-secondary firewall (in active/active mode) will wait before taking over as the active or active-primary firewall after communications with the HA peer have been lost. This hold time will begin only after the peer failure declaration has been made.


Timers: preset values by platform group (continued)

Values are listed for three platform groups: (a) PA-7000 Series, PA-5000 Series, PA-4000 Series, PA-3000 Series, and VM-Series; (b) PA-2000 Series, PA-500, and PA-200; (c) Panorama Virtual Appliance and Panorama M-Series.

Additional master hold up time: (a) 500/500; (b) 500/500; (c) 7000/5000
    Time interval that is applied to the same event as Monitor Fail Hold Up Time (range 0-60000 ms, default 500 ms). The additional time interval is applied only to the active firewall in active/passive mode and to the active-primary firewall in active/active mode. This timer is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously.

Hello interval: (a) 8000/8000; (b) 8000/8000; (c) 8000/8000
    Interval in milliseconds between hello packets that are sent to verify that the HA functionality on the other firewall is operational. The range is 8000-60000 ms with a default of 8000 ms for all platforms.

Maximum no. of flaps: (a) 3/3; (b) 3/3; (c) Not Applicable
    A flap is counted when the firewall leaves the active state within 15 minutes after it last left the active state. This value indicates the maximum number of flaps that are permitted before the firewall is determined to be suspended and the passive firewall takes over (range 0-16; default 3).


Session Owner

In an HA active/active configuration, both firewalls are active simultaneously, which means packets can be distributed between them. Such distribution requires the firewalls to fulfill two functions: session ownership and session setup. Typically, each firewall of the pair performs one of these functions, thereby avoiding race conditions that can occur in asymmetrically routed environments.

You configure the session owner of sessions to be either the firewall that receives the First Packet of a new session from the end host or the firewall that is in active-primary state (the Primary device). If Primary device is configured, but the firewall that receives the first packet is not in active-primary state, the firewall forwards the packet to the peer firewall (the session owner) over the HA3 link.

The session owner performs all Layer 7 processing, such as App-ID, Content-ID, and threat scanning for the session. The session owner also generates all traffic logs for the session.

If the session owner fails, the peer firewall becomes the session owner. The existing sessions fail over to the functioning firewall and no Layer 7 processing is available for those sessions. When a firewall recovers from a failure, by default, all sessions it owned before the failure revert back to that original firewall; Layer 7 processing does not resume.

If you configure session ownership to be Primary device, the session setup defaults to Primary device also.

Palo Alto Networks recommends setting the Session Owner to First Packet and the Session Setup to IP Modulo unless otherwise indicated in a specific use case.

Setting Session Owner and Session Setup to Primary Device causes the active-primary firewall to perform all traffic processing. You might want to configure this for one of these reasons:
- You are troubleshooting and capturing logs and pcaps, so that packet processing is not split between the firewalls.
- You want to force the active/active HA pair to function like an active/passive HA pair. See Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.

Session Setup

The session setup firewall performs the Layer 2 through Layer 4 processing necessary to set up a new session. The session setup firewall also performs NAT using the NAT pool of the session owner. You determine the session setup firewall in an active/active configuration by selecting one of the following session setup load-sharing options.

Session Setup Option: Description

IP Modulo
    The firewall distributes the session setup load based on parity of the source IP address. This is a deterministic method of sharing the session setup.

IP Hash
    The firewall uses a hash of the source and destination IP addresses to distribute session setup responsibilities.

Primary Device
    The active-primary firewall always sets up the session; only one firewall performs all session setup responsibilities.

First Packet
    The firewall that receives the first packet of a session performs session setup.


If you want to load share the session owner and session setup responsibilities, set session owner to First Packet and session setup to IP modulo. These are the recommended settings.

If you want to do troubleshooting or capture logs or pcaps, or if you want an active/active HA pair to function like an active/passive HA pair, set both the session owner and session setup to Primary device so that the active-primary device performs all traffic processing. See Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.

The firewall uses the HA3 link to send packets to its peer for session setup if necessary. The following figure and text describe the path of a packet that firewall FW1 receives for a new session. The red dotted lines indicate FW1 forwarding the packet to FW2 and FW2 forwarding the packet back to FW1 over the HA3 link.

1. The end host sends a packet to FW1.
2. FW1 examines the contents of the packet to match it to an existing session. If there is no session match, FW1 determines that it has received the first packet for a new session and therefore becomes the session owner (assuming Session Owner Selection is set to First Packet).
3. FW1 uses the configured session setup load-sharing option to identify the session setup firewall. In this example, FW2 is configured to perform session setup.
4. FW1 uses the HA3 link to send the first packet to FW2.
5. FW2 sets up the session and returns the packet to FW1 for Layer 7 processing, if any.
6. FW1 then forwards the packet out the egress interface to the destination.


The following figure and text describe the path of a packet that matches an existing session:

1. The end host sends a packet to FW1.
2. FW1 examines the contents of the packet to match it to an existing session. If the session matches an existing session, FW1 processes the packet and sends the packet out the egress interface to the destination.

NAT in Active/Active HA Mode

In an active/active HA configuration:
- You must bind each Dynamic IP (DIP) NAT rule and Dynamic IP and Port (DIPP) NAT rule to either Device ID 0 or Device ID 1.
- You must bind each static NAT rule to either Device ID 0, Device ID 1, both Device IDs, or the firewall in active-primary state.

Thus, when one of the firewalls creates a new session, the Device ID 0 or Device ID 1 binding determines which NAT rules match the firewall. The device binding must include the session owner firewall to produce a match.

The session setup firewall performs the NAT policy match, but the NAT rules are evaluated based on the session owner. That is, the session is translated according to NAT rules that are bound to the session owner firewall. While performing NAT policy matching, a firewall skips all NAT rules that are not bound to the session owner firewall.

For example, suppose the firewall with Device ID 1 is the session owner and session setup firewall. When the firewall with Device ID 1 tries to match a session to a NAT rule, it skips all rules bound to Device ID 0. The firewall performs the NAT translation only if the session owner and the Device ID in the NAT rule match. You will typically create device-specific NAT rules when the peer firewalls use different IP addresses for translation.

If one of the peer firewalls fails, the active firewall continues to process traffic for synchronized sessions from the failed firewall, including NAT traffic. In a source NAT configuration, when one firewall fails:


- The floating IP address that is used as the Translated IP address of the NAT rule transfers to the surviving firewall. Hence, the existing sessions that fail over will still use this IP address.
- All new sessions will use the device-specific NAT rules that the surviving firewall naturally owns. That is, the surviving firewall translates new sessions using only the NAT rules that match its Device ID; it ignores any NAT rules bound to the failed Device ID.

If you want the firewalls to perform dynamic NAT using the same IP address simultaneously, a best practice is to create a duplicate NAT rule that is bound to the peer firewall also. The result is two NAT rules with the same translation IP addresses, one bound to Device ID 0 and one bound to Device ID 1. Thus, the configuration allows the current firewall to perform new session setup and perform NAT policy matching for NAT rules that are bound to its Device ID. Without the duplicate NAT rule, the firewall will not find its own device-specific rules and will skip all NAT rules that are not bound to its Device ID when it attempts to match a NAT policy.

For examples of active/active HA with NAT, see:
- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3
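The following added example (not PAN-OS code) models the Session Owner and Session Setup sections and the NAT rule binding described just above: owner selection, the session setup load-sharing options, the HA3 forwarding path of a first packet, and NAT policy matching that skips rules not bound to the session owner, including the failed-peer and duplicate-rule cases. The IP Hash function and the bit used for IP Modulo parity are assumptions, as are the rule names and addresses.

```python
"""Active/active session owner, session setup and NAT rule binding as this page
describes them. Added example; it is not PAN-OS code. The IP Hash function and the
bit used for IP Modulo parity are assumptions, not the firewall's real algorithms."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple, Union

DEVICE_0, DEVICE_1 = 0, 1
ACTIVE_PRIMARY = "active-primary"  # static NAT rules may be bound to whichever peer is active-primary


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    received_by: int  # Device ID of the firewall that received the first packet


@dataclass(frozen=True)
class NatRule:
    name: str
    translated_ip: str
    bound_to: Union[FrozenSet[int], str]  # {0}, {1}, {0, 1} or ACTIVE_PRIMARY


def session_owner(flow: Flow, selection: str, active_primary: int) -> int:
    """Session Owner Selection: 'first-packet' or 'primary-device'."""
    if selection == "first-packet":
        return flow.received_by
    if selection == "primary-device":
        return active_primary
    raise ValueError(selection)


def session_setup_device(flow: Flow, option: str, active_primary: int) -> int:
    """Session setup load-sharing option, per the Session Setup table."""
    if option == "ip-modulo":
        # Parity of the source IP address; assumed here to be the low-order bit of the 32-bit value.
        return int(ipaddress.ip_address(flow.src)) % 2
    if option == "ip-hash":
        # Assumed hash over source and destination addresses (SHA-256); deterministic, not PAN-OS's.
        digest = hashlib.sha256(f"{flow.src}->{flow.dst}".encode()).digest()
        return digest[-1] % 2
    if option == "primary-device":
        return active_primary
    if option == "first-packet":
        return flow.received_by
    raise ValueError(option)


def first_packet_path(flow: Flow, owner_selection: str, setup_option: str,
                      active_primary: int) -> List[Tuple[int, str]]:
    """Trace the first packet of a new session as (Device ID, action) steps."""
    owner = session_owner(flow, owner_selection, active_primary)
    setup = session_setup_device(flow, setup_option, active_primary)
    path = [(flow.received_by, "receive first packet")]
    if owner != flow.received_by:
        path.append((flow.received_by, "forward to session owner over HA3"))
    if setup != owner:
        path.append((owner, "forward to session setup firewall over HA3"))
        path.append((setup, "Layer 2-4 session setup, NAT from the owner's pool"))
        path.append((setup, "return packet to session owner over HA3"))
    else:
        path.append((owner, "Layer 2-4 session setup"))
    path.append((owner, "Layer 7 processing (App-ID, Content-ID, threat scanning)"))
    path.append((owner, "forward out the egress interface"))
    return path


def rule_is_bound_to(rule: NatRule, owner: int, active_primary: int) -> bool:
    """True when the rule's device binding includes the session owner."""
    if rule.bound_to == ACTIVE_PRIMARY:
        return owner == active_primary
    return owner in rule.bound_to


def match_nat_rule(rules: List[NatRule], owner: int, active_primary: int) -> Optional[NatRule]:
    """NAT policy match as the page describes it: rules not bound to the session owner are skipped."""
    for rule in rules:
        if rule_is_bound_to(rule, owner, active_primary):
            return rule
    return None


# Constructed sample policy: one source-NAT rule per Device ID (different translated IPs),
# and a second policy where the same translated IP is duplicated for both Device IDs.
SAMPLE_RULES = [
    NatRule("snat-dev0", "203.0.113.10", frozenset({DEVICE_0})),
    NatRule("snat-dev1", "203.0.113.11", frozenset({DEVICE_1})),
]
SAMPLE_RULES_WITH_DUPLICATE = [
    NatRule("snat-shared-dev0", "203.0.113.10", frozenset({DEVICE_0})),
    NatRule("snat-shared-dev1", "203.0.113.10", frozenset({DEVICE_1})),
]
SAMPLE_FLOW = Flow("10.1.1.11", "192.0.2.20", received_by=DEVICE_0)

if __name__ == "__main__":
    for step in first_packet_path(SAMPLE_FLOW, "first-packet", "ip-modulo", DEVICE_0):
        print(step)
    print(match_nat_rule(SAMPLE_RULES, owner=DEVICE_1, active_primary=DEVICE_0))
```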

ECMP in Active/Active HA Mode

When an active/active HA peer fails, its sessions transfer to the new active-primary firewall, which tries to use the same egress interface that the failed firewall was using. If the firewall finds that interface among the ECMP paths, the transferred sessions will take the same egress interface and path. This behavior occurs regardless of the ECMP algorithm in use; using the same interface is desirable.

Only if no ECMP path matches the original egress interface will the active-primary firewall select a new ECMP path.

If you did not configure the same interfaces on the active/active peers, upon failover the active-primary firewall selects the next best path from the FIB table. Consequently, the existing sessions might not be distributed according to the ECMP algorithm.


Set Up Active/Passive HA

- Prerequisites for Active/Passive HA
- Configuration Guidelines for Active/Passive HA
- Configure Active/Passive HA
- Define HA Failover Conditions
- Verify Failover

Prerequisites for Active/Passive HA

To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls that meet the following requirements:
- The same model: Both the firewalls in the pair must be of the same hardware model or virtual machine model.
- The same PAN-OS version: Both the firewalls should be running the same PAN-OS version and must each be up to date on the application, URL, and threat databases.
- The same multi virtual system capability: Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses.
- The same type of interfaces: Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.
  - Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for both peers must be on the same subnet if they are directly connected or are connected to the same switch.
  - For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
  - If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.
- The same set of licenses: Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.

As a best practice, if you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration, Reset the Firewall to Factory Default Settings on the new firewall. This ensures that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean configuration.


Configuration Guidelines for Active/Passive HA

To set up an active (Peer A) passive (Peer B) pair in HA, you must configure some options identically on both firewalls and some independently (non-matching) on each firewall. These HA settings are not synchronized between the firewalls. For details on what is/is not synchronized, see Reference: HA Synchronization.
The following checklist details the settings that you must configure identically on both firewalls:
- You must enable HA on both firewalls.
- You must configure the same Group ID value on both firewalls. The firewall uses the Group ID value to create a virtual MAC address for all the configured interfaces. See Floating IP Address and Virtual MAC Address for information about virtual MAC addresses. When a new active firewall takes over, it sends Gratuitous ARP messages from each of its connected interfaces to inform the connected Layer 2 switches of the virtual MAC address' new location.
- If you are using in-band ports as HA links, you must set the interfaces for the HA1 and HA2 links to type HA.
- Set the HA Mode to Active Passive on both firewalls.
- If required, enable preemption on both firewalls. The device priority value, however, must not be identical.
- If required, configure encryption on the HA1 link (for communication between the HA peers) on both firewalls.
- Based on the combination of HA1 and HA1 Backup ports you are using, use the following recommendations to decide whether you should enable heartbeat backup:

  HA1                   HA1 Backup         Recommendation
  Dedicated HA1 port    In-band port       Enable Heartbeat Backup
  Dedicated HA1 port    Management port    Do not enable Heartbeat Backup
  In-band port          In-band port       Enable Heartbeat Backup
  Management port       In-band port       Do not enable Heartbeat Backup

HA functionality (HA1 and HA1 backup) is not supported on the management interface if it's configured for DHCP addressing (IP Type set to DHCP Client), except for AWS.


The following table lists the HA settings that you must configure independently on each firewall. See Reference: HA Synchronization for more information about other configuration settings that are not automatically synchronized between peers.

Independent Configuration Settings

Control Link
  Peer A: IP address of the HA1 link configured on this firewall (Peer A).
  Peer B: IP address of the HA1 link configured on this firewall (Peer B).
  For firewalls without dedicated HA ports, use the management port IP address for the control link.

Data Link
(The data link information is synchronized between the firewalls after HA is enabled and the control link is established between the firewalls.)
  Peer A: By default, the HA2 link uses Ethernet/Layer 2. If using a Layer 3 connection, configure the IP address for the data link on this firewall (Peer A).
  Peer B: By default, the HA2 link uses Ethernet/Layer 2. If using a Layer 3 connection, configure the IP address for the data link on this firewall (Peer B).

Device Priority (required, if preemption is enabled)
  Peer A: The firewall you plan to make active must have a lower numerical value than its peer. So, if Peer A is to function as the active firewall, keep the default value of 100 and increment the value on Peer B. If the firewalls have the same device priority value, they use the MAC address of their HA1 as the tiebreaker.
  Peer B: If Peer B is passive, set the device priority value to a number larger than the setting on Peer A. For example, set the value to 110.

Link Monitoring
(Monitor one or more physical interfaces that handle vital traffic on this firewall and define the failure condition.)
  Peer A: Select the physical interfaces on the firewall that you would like to monitor and define the failure condition (all or any) to trigger a failover.
  Peer B: Pick a similar set of physical interfaces that you would like to monitor on this firewall and define the failure condition (all or any) to trigger a failover.

Path Monitoring
(Monitor one or more destination IP addresses that the firewall can ping with ICMP to ascertain responsiveness.)
  Peer A: Define the failure condition (all or any), ping interval and the ping count. This is particularly useful for monitoring the availability of other interconnected networking devices. For example, monitor the availability of a router that connects to a server, connectivity to the server itself, or some other vital device that is in the flow of traffic. Make sure that the node/device that you are monitoring is not likely to be unresponsive, especially when it comes under load, as this could cause a path monitoring failure and trigger a failover.
  Peer B: Pick a similar set of devices or destination IP addresses that can be monitored for determining the failover trigger for Peer B. Define the failure condition (all or any), ping interval and the ping count.


Configure Active/Passive HA

The following procedure shows how to configure a pair of firewalls in an active/passive deployment as depicted in the following example topology.

To configure an active/passive HA pair, first complete the following workflow on the first firewall and then repeat the steps on the second firewall.

Connect and Configure the Firewalls

Step 1: Connect the HA ports to set up a physical connection between the firewalls.
  - For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on peers. Use a crossover cable if the peers are directly connected to each other.
  - For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls.
    Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.

Step 2: Enable ping on the management port.
  Enabling ping allows the management port to exchange heartbeat backup information.
  1. Select Device > Setup > Management and edit the Management Interface Settings.
  2. Select Ping as a service that is permitted on the interface.

Step 3: If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports.
  For firewalls with dedicated HA ports, continue to the next step.
  1. Select Network > Interfaces.
  2. Confirm that the link is up on the ports that you want to use.
  3. Select the interface and set Interface Type to HA.
  4. Set the Link Speed and Link Duplex settings, as appropriate.


Step 4: Set the HA mode and group ID.
  1. Select Device > High Availability > General and edit the Setup section.
  2. Set a Group ID and optionally a Description for the pair. The Group ID uniquely identifies each HA pair on your network. If you have multiple HA pairs that share the same broadcast domain you must set a unique Group ID for each pair.
  3. Set the mode to Active Passive.

Step 5: Set up the control link connection.
  This example shows an in-band port that is set to interface type HA. For firewalls that use the management port as the control link, the IP address information is automatically prepopulated.
  1. In Device > High Availability > General, edit the Control Link (HA1) section.
  2. Select the Port that you have cabled for use as the HA1 link.
  3. Set the IPv4/IPv6 Address and Netmask.
     If the HA1 interfaces are on separate subnets, enter the IP address of the Gateway. Do not add a gateway address if the firewalls are directly connected.

Step 6: (Optional) Enable encryption for the control link connection.
  This is typically used to secure the link if the two firewalls are not directly connected, that is if the ports are connected to a switch or a router.
  1. Export the HA key from one firewall and import it into the peer firewall.
     a. Select Device > Certificate Management > Certificates.
     b. Select Export HA key. Save the HA key to a network location that the peer can access.
     c. On the peer firewall, select Device > Certificate Management > Certificates, and select Import HA key to browse to the location that you saved the key and import it into the peer.
  2. Select Device > High Availability > General, edit the Control Link (HA1) section.
  3. Select Encryption Enabled.

Step 7: Set up the backup control link connection.
  1. In Device > High Availability > General, edit the Control Link (HA1 Backup) section.
  2. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.


Step 8: Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.
  1. In Device > High Availability > General, edit the Data Link (HA2) section.
  2. Select the Port to use for the data link connection.
  3. Select the Transport method. The default is ethernet, and will work when the HA pair is connected directly or through a switch. If you need to route the data link traffic through the network, select IP or UDP as the transport mode.
  4. If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.
  5. Verify that Enable Session Synchronization is selected.
  6. Select HA2 Keep-alive to enable monitoring on the HA2 data link between the HA peers. If a failure occurs based on the threshold that is set (default is 10000 ms), the defined action will occur. For active/passive configuration, a critical system log message is generated when an HA2 keep-alive failure occurs.
     You can configure the HA2 keep-alive option on both firewalls, or just one firewall in the HA pair. If the option is only enabled on one firewall, only that firewall will send the keep-alive messages. The other firewall will be notified if a failure occurs.
  7. Edit the Data Link (HA2 Backup) section, select the interface, and add the IPv4/IPv6 Address and Netmask.

Step 9: Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port.
  You do not need to enable heartbeat backup if you are using the management port for the control link.
  1. In Device > High Availability > General, edit the Election Settings.
  2. Select Heartbeat Backup.
     To allow the heartbeats to be transmitted between the firewalls, you must verify that the management port across both peers can route to each other.
     Enabling heartbeat backup also allows you to prevent a split-brain situation. Split brain occurs when the HA1 link goes down causing the firewall to miss heartbeats, although the firewall is still functioning. In such a situation, each peer believes that the other is down and attempts to start services that are running, thereby causing a split brain. When the heartbeat backup link is enabled, split brain is prevented because redundant heartbeats and hello messages are transmitted over the management port.


Step 10: Set the device priority and enable preemption.
  This setting is only required if you wish to make sure that a specific firewall is the preferred active firewall. For information, see Device Priority and Preemption.
  1. In Device > High Availability > General, edit the Election Settings.
  2. Set the numerical value in Device Priority. Make sure to set a lower numerical value on the firewall that you want to assign a higher priority to.
     If both firewalls have the same device priority value, the firewall with the lowest MAC address on the HA1 control link will become the active firewall.
  3. Select Preemptive.
     You must enable preemptive on both the active firewall and the passive firewall.

Step 11: (Optional) Modify the HA Timers.
  By default, the HA timer profile is set to the Recommended profile and is suited for most HA deployments.
  1. In Device > High Availability > General, edit the Election Settings.
  2. Select the Aggressive profile for triggering failover faster; select Advanced to define custom values for triggering failover in your setup.
     To view the preset value for an individual timer included in a profile, select Advanced and click Load Recommended or Load Aggressive. The preset values for your hardware model will be displayed on screen.

Step 12: (Optional, only configured on the passive firewall) Modify the link status of the HA ports on the passive firewall.
  The passive link state is shutdown, by default. After you enable HA, the link state for the HA ports on the active firewall will be green and those on the passive firewall will be down and display as red.
  Setting the link state to Auto allows for reducing the amount of time it takes for the passive firewall to take over when a failover occurs and it allows you to monitor the link state.
  To enable the link status on the passive firewall to stay up and reflect the cabling status on the physical interface:
  1. In Device > High Availability > General, edit the Active Passive Settings.
  2. Set the Passive Link State to Auto.
     The auto option decreases the amount of time it takes for the passive firewall to take over when a failover occurs.
     Although the interface displays green (as cabled and up) it continues to discard all traffic until a failover is triggered.
     When you modify the passive link state, make sure that the adjacent devices do not forward traffic to the passive firewall based only on the link status of the firewall.


Step 13: Enable HA.
  1. Select Device > High Availability > General and edit the Setup section.
  2. Select Enable HA.
  3. Select Enable Config Sync. This setting enables the synchronization of the configuration settings between the active and the passive firewall.
  4. Enter the IP address assigned to the control link of the peer in Peer HA1 IP Address.
     For firewalls without dedicated HA ports, if the peer uses the management port for the HA1 link, enter the management port IP address of the peer.
  5. Enter the Backup HA1 IP Address.

Step 14: (Optional) Enable LACP and LLDP Pre-Negotiation for Active/Passive HA for faster failover if your network uses LACP or LLDP.
  Enable LACP and LLDP before configuring HA pre-negotiation for the protocol if you want pre-negotiation to function in active mode.
  1. Ensure that in Step 12 you set the link state to Auto.
  2. Select Network > Interfaces > Ethernet.
  3. To enable LACP active pre-negotiation:
     a. Select an AE interface in a Layer 2 or Layer 3 deployment.
     b. Select the LACP tab.
     c. Select Enable in HA Passive State.
     d. Click OK.
     You cannot also select Same System MAC Address for Active-Passive HA because pre-negotiation requires unique interface MAC addresses on the active and passive firewalls.
  4. To enable LACP passive pre-negotiation:
     a. Select an Ethernet interface in a virtual wire deployment.
     b. Select the Advanced tab.
     c. Select the LACP tab.
     d. Select Enable in HA Passive State.
     e. Click OK.
  5. To enable LLDP active pre-negotiation:
     a. Select an Ethernet interface in a Layer 2, Layer 3, or virtual wire deployment.
     b. Select the Advanced tab.
     c. Select the LLDP tab.
     d. Select Enable in HA Passive State.
     e. Click OK.
     If you want to allow LLDP passive pre-negotiation for a virtual wire deployment, perform Step 5 but do not enable LLDP itself.

Step 15: Save your configuration changes. Click Commit.


Step 16: After you finish configuring both firewalls, verify that the firewalls are paired in active/passive HA.
  1. Access the Dashboard on both firewalls, and view the High Availability widget.
  2. On the active firewall, click the Sync to peer link.
  3. Confirm that the firewalls are paired and synced, as shown as follows:
     - On the passive firewall: the state of the local firewall should display passive and the Running Config should show as synchronized.
     - On the active firewall: the state of the local firewall should display active and the Running Config should show as synchronized.

Define HA Failover Conditions

Configure the Failover Triggers

Step 1: To configure link monitoring, define the interfaces you want to monitor. A change in the link state of these interfaces will trigger a failover.
  1. Select Device > High Availability > Link and Path Monitoring and Add a Link Group.
  2. Name the Link Group, Add the interfaces to monitor, and select the Failure Condition for the group. The Link group you define is added to the Link Group section.

Step 2: (Optional) Modify the failure condition for the Link Groups that you configured (in the preceding step) on the firewall.
  By default, the firewall will trigger a failover when any monitored link fails.
  1. Select the Link Monitoring section.
  2. Set the Failure Condition to All. The default setting is Any.

Step 3: To configure path monitoring, define the destination IP addresses that the firewall should ping to verify network connectivity.
  1. In the Path Group section of the Device > High Availability > Link and Path Monitoring tab, pick the Add option for your setup: Virtual Wire, VLAN, or Virtual Router.
  2. Select the appropriate item from the drop-down for the Name and Add the IP addresses (source and/or destination, as prompted) that you wish to monitor. Then select the Failure Condition for the group. The path group you define is added to the Path Group section.

Step 4: (Optional) Modify the failure condition for all Path Groups configured on the firewall.
  By default, the firewall will trigger a failover when any monitored path fails.
  Set the Failure Condition to All. The default setting is Any.

Step 5: Save your changes. Click Commit.
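The election and failover rules spread across the Configuration Guidelines table (device priority, HA1 MAC tiebreaker, preemption on both peers) and the link/path failure conditions above (Any versus All) interact in ways that are easy to get wrong when planning a pair. The following Python model is an added illustration, not PAN-OS code and not the firewall's implementation: it reproduces only the decision rules stated in this chapter so you can check a planned priority/preemption/monitoring design before committing it. Peer names, MAC addresses and interface names are constructed for the example.

```python
"""Model of active/passive HA election and failover triggers.

Added illustration, not PAN-OS code. It reproduces the rules this chapter
states: lower Device Priority wins, ties go to the lowest HA1 MAC address,
preemption happens only when both peers have Preemptive set, and a link or
path group fails when "any" (default) or "all" of its members are down.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class MonitorGroup:
    """A Link Group or Path Group: its members plus the Failure Condition."""
    name: str
    members: List[str]                 # interface names or monitored IPs
    failure_condition: str = "any"     # "any" (default) or "all"

    def failed(self, down: Set[str]) -> bool:
        """True when the group's failure condition is met for the given outage."""
        states = [m in down for m in self.members]
        if self.failure_condition == "all":
            return all(states)
        return any(states)


@dataclass
class Peer:
    name: str
    device_priority: int = 100         # default 100; lower value = preferred
    ha1_mac: str = "00:00:00:00:00:00" # tiebreaker when priorities are equal
    preemptive: bool = False
    groups: List[MonitorGroup] = field(default_factory=list)
    suspended: bool = False            # "Suspend local device" from Verify Failover

    def healthy(self, down: Set[str]) -> bool:
        """A peer can hold the active role only if it is not suspended and
        none of its monitored groups has met its failure condition."""
        return not self.suspended and not any(g.failed(down) for g in self.groups)


def preferred(a: Peer, b: Peer) -> Peer:
    """Election winner: lowest Device Priority, then lowest HA1 MAC address."""
    return min((a, b), key=lambda p: (p.device_priority, p.ha1_mac))


def active_peer(current_active: Optional[str], a: Peer, b: Peer,
                down: Set[str]) -> Optional[str]:
    """Name of the peer that holds the active role after an event.

    current_active: the peer active before the event (None at initial election).
    down: constructed set of interface names / monitored IPs that are down.
    Returns None when neither peer is able to take the active role.
    """
    healthy = [p for p in (a, b) if p.healthy(down)]
    if not healthy:
        return None
    if len(healthy) == 1:
        return healthy[0].name          # failover to the surviving peer
    if current_active is None:
        return preferred(a, b).name     # initial election
    holder = a if a.name == current_active else b
    winner = preferred(a, b)
    # A recovered, better-ranked peer takes over only if BOTH are Preemptive.
    if winner is not holder and a.preemptive and b.preemptive:
        return winner.name
    return holder.name


if __name__ == "__main__":
    # Constructed scenario: Peer A keeps the default priority 100, Peer B is 110.
    a = Peer("A", 100, "00:1b:17:00:00:01", True,
             [MonitorGroup("uplinks", ["A:ethernet1/1", "A:ethernet1/2"])])
    b = Peer("B", 110, "00:1b:17:00:00:02", True,
             [MonitorGroup("uplinks", ["B:ethernet1/1", "B:ethernet1/2"])])
    active = active_peer(None, a, b, set())
    print("initial election:", active)
    active = active_peer(active, a, b, {"A:ethernet1/1"})
    print("A loses one monitored link (condition any):", active)
    active = active_peer(active, a, b, set())
    print("A recovers, both Preemptive:", active)
```

Run it as a script to step through a constructed scenario; the useful exercise is to change `failure_condition` to "all" or clear `preemptive` on one peer and confirm the outcome matches what you expect from the table above before you configure the real pair.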


If you are using SNMPv3 to monitor the firewalls, note that the SNMPv3 Engine ID is unique to each firewall; the Engine ID is not synchronized between the HA pair and, therefore, allows you to independently monitor each firewall in the HA pair. For information on setting up SNMP, see Forward Traps to an SNMP Manager.
Because the Engine ID is generated using the firewall serial number, on the VM-Series firewall you must apply a valid license in order to obtain a unique Engine ID for each firewall.

Verify Failover

To test that your HA configuration works properly, trigger a manual failover and verify that the firewalls transition states successfully.

Verify Failover

Step 1: Suspend the active firewall. Select Device > High Availability > Operational Commands and click the Suspend local device link.

Step 2: Verify that the passive firewall has taken over as active. On the Dashboard, verify that the state of the passive firewall changes to active in the High Availability widget.

Step 3: Restore the suspended firewall to a functional state. Wait for a couple of minutes, and then verify that preemption has occurred, if Preemptive is enabled.
  1. On the firewall you previously suspended, select Device > High Availability > Operational Commands and click the Make local device functional link.
  2. In the High Availability widget on the Dashboard, confirm that the firewall has taken over as the active firewall and that the peer is now in a passive state.


Set Up Active/Active HA

- Prerequisites for Active/Active HA
- Configure Active/Active HA
- Determine Your Active/Active Use Case

Prerequisites for Active/Active HA

To set up active/active HA on your firewalls, you need a pair of firewalls that meet the following requirements:
- The same model: The firewalls in the pair must be of the same hardware model.
- The same PAN-OS version: The firewalls must be running the same PAN-OS version and must each be up to date on the application, URL, and threat databases.
- The same multi virtual system capability: Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses.
- The same type of interfaces: Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.
  - The HA interfaces must be configured with static IP addresses only, not IP addresses obtained from DHCP (except AWS can use DHCP addresses). Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for the peers must be on the same subnet if they are directly connected or are connected to the same switch.
    For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
  - If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.
  - Each firewall needs a dedicated interface for the HA3 link. PA-7000 Series firewalls use the HSCI port. On the remaining platforms, you can configure aggregate interfaces as the HA3 link for redundancy.
- The same set of licenses: Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.

If you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration, it is recommended that you Reset the Firewall to Factory Default Settings on the new firewall. This will ensure that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean config. You will also have to configure local IP addresses.


Configure Active/Active HA

The following procedure describes the basic workflow for configuring your firewalls in an active/active configuration. However, before you begin, Determine Your Active/Active Use Case for configuration examples more tailored to your specific network environment.
To configure active/active, first complete the following steps on one peer and then complete them on the second peer, ensuring that you set the Device ID to different values (0 or 1) on each peer.

Configure Active/Active HA

Step 1: Connect the HA ports to set up a physical connection between the firewalls.
  For each use case, the firewalls could be any hardware platform; choose the HA3 step that corresponds with your platform.
  - For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on peers. Use a crossover cable if the peers are directly connected to each other.
  - For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls.
    Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.
  - For HA3:
    - On PA-7000 Series firewalls, connect the High Speed Chassis Interconnect (HSCI-A) on the first chassis to the HSCI-A on the second chassis, and the HSCI-B on the first chassis to the HSCI-B on the second chassis.
    - On any other hardware platform, use dataplane interfaces for HA3.

Step 2: Enable ping on the management port.
  Enabling ping allows the management port to exchange heartbeat backup information.
  1. In Device > Setup > Management, edit Management Interface Settings.
  2. Select Ping as a service that is permitted on the interface.

Step 3: If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports.
  For firewalls with dedicated HA ports, continue to the next step.
  1. Select Network > Interfaces.
  2. Confirm that the link is up on the ports that you want to use.
  3. Select the interface and set Interface Type to HA.
  4. Set the Link Speed and Link Duplex settings, as appropriate.

Step 4: Enable active/active HA and set the group ID.
  1. In Device > High Availability > General, edit Setup.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. (Optional) Enter a Description.
  5. For Mode, select Active Active.


Step 5: Set the Device ID, enable synchronization, and identify the control link on the peer firewall.
  1. In Device > High Availability > General, edit Setup.
  2. Select Device ID as follows:
     - When configuring the first peer, set the Device ID to 0.
     - When configuring the second peer, set the Device ID to 1.
  3. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
  4. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
  5. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
  6. Click OK.

Step 6: Determine whether or not the firewall with the lower Device ID preempts the active-primary firewall upon recovery from a failure.
  1. In Device > High Availability > General, edit Election Settings.
  2. Select Preemptive to cause the firewall with the lower Device ID to automatically resume active-primary operation after either firewall recovers from a failure. Both firewalls must have Preemptive selected for preemption to occur.
     Leave Preemptive unselected if you want the active-primary role to remain with the current firewall until you manually make the recovered firewall the active-primary firewall.

Step 7: Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port.
  You need not enable heartbeat backup if you are using the management port for the control link.
  1. In Device > High Availability > General, edit Election Settings.
  2. Select Heartbeat Backup.
     To allow the heartbeats to be transmitted between the firewalls, you must verify that the management port across both peers can route to each other.
     Enabling heartbeat backup allows you to prevent a split-brain situation. Split brain occurs when the HA1 link goes down, causing the firewall to miss heartbeats, although the firewall is still functioning. In such a situation, each peer believes the other is down and attempts to start services that are running, thereby causing a split brain. Enabling heartbeat backup prevents split brain because redundant heartbeats and hello messages are transmitted over the management port.

Step 8: (Optional) Modify the HA Timers.
  By default, the HA timer profile is set to the Recommended profile and is suited for most HA deployments.
  1. In Device > High Availability > General, edit Election Settings.
  2. Select Aggressive to trigger faster failover. Select Advanced to define custom values for triggering failover in your setup.
     To view the preset value for an individual timer included in a profile, select Advanced and click Load Recommended or Load Aggressive. The preset values for your hardware model will be displayed on screen.


Step 9: Set up the control link connection.
  This example uses an in-band port that is set to interface type HA. For firewalls that use the management port as the control link, the IP address information is automatically prepopulated.
  1. In Device > High Availability > General, edit Control Link (HA1).
  2. Select the Port that you have cabled for use as the HA1 link.
  3. Set the IPv4/IPv6 Address and Netmask.
     If the HA1 interfaces are on separate subnets, enter the IP address of the Gateway. Do not add a gateway address if the firewalls are directly connected.

Step 10: (Optional) Enable encryption for the control link connection.
  This is typically used to secure the link if the two firewalls are not directly connected, that is if the ports are connected to a switch or a router.
  1. Export the HA key from one firewall and import it into the peer firewall.
     a. Select Device > Certificate Management > Certificates.
     b. Select Export HA key. Save the HA key to a network location that the peer can access.
     c. On the peer firewall, select Device > Certificate Management > Certificates, and select Import HA key to browse to the location that you saved the key and import it into the peer.
  2. In Device > High Availability > General, edit the Control Link (HA1).
  3. Select Encryption Enabled.

Step 11: Set up the backup control link connection.
  1. In Device > High Availability > General, edit Control Link (HA1 Backup).
  2. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.

Step 12: Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.
  1. In Device > High Availability > General, edit Data Link (HA2).
  2. Select the Port to use for the data link connection.
  3. Select the Transport method. The default is ethernet, and will work when the HA pair is connected directly or through a switch. If you need to route the data link traffic through the network, select IP or UDP as the transport mode.
  4. If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.
  5. Verify that Enable Session Synchronization is selected.
  6. Select HA2 Keep-alive to enable monitoring on the HA2 data link between the HA peers. If a failure occurs based on the threshold that is set (default is 10000 ms), the defined action will occur. For active/passive configuration, a critical system log message is generated when an HA2 keep-alive failure occurs.
     You can configure the HA2 keep-alive option on both firewalls, or just one firewall in the HA pair. If the option is only enabled on one firewall, only that firewall will send the keep-alive messages. The other firewall will be notified if a failure occurs.
  7. Edit the Data Link (HA2 Backup) section, select the interface, and add the IPv4/IPv6 Address and Netmask.
  8. Click OK.


Step 13: Configure the HA3 link for packet forwarding.
  1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
  2. For HA3 Interface, select the interface you want to use to forward packets between active/active HA peers. It must be a dedicated interface capable of Layer 2 transport and set to Interface Type HA.
  3. Select VR Sync to force synchronization of all virtual routers configured on the HA peers. Select when the virtual router is not configured for dynamic routing protocols. Both peers must be connected to the same next-hop router through a switched network and must use static routing only.
  4. Select QoS Sync to synchronize the QoS profile selection on all physical interfaces. Select when both peers have similar link speeds and require the same QoS profiles on all physical interfaces. This setting affects the synchronization of QoS settings on the Network tab. QoS policy is synchronized regardless of this setting.

Step 14: (Optional) Modify the Tentative Hold time.
  1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
  2. For Tentative Hold Time (sec), enter the number of seconds that a firewall stays in Tentative state after it fails (range is 10-600, default is 60).

Step 15: Configure Session Owner and Session Setup.
  1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
  2. For Session Owner Selection, select one of the following:
     - First Packet: The firewall that receives the first packet of a new session is the session owner (recommended setting). This setting minimizes traffic across HA3 and load shares traffic across peers.
     - Primary Device: The firewall that is in active-primary state is the session owner.
  3. For Session Setup, select one of the following:
     - IP Modulo: Distributes session setup load based on parity of the source IP address (recommended setting).
     - Primary Device: The active-primary firewall sets up all sessions.
     - First Packet: The firewall that receives the first packet of a new session performs session setup.
     - IP Hash: The firewall uses a hash of either the source IP address or a combination of the source and destination IP addresses to distribute session setup responsibilities.
  4. Click OK.


Step16 ConfigureanHAvirtualaddress. 1. InDevice > High Availability > Active/Active Config,Adda


Youneedavirtualaddresstousea VirtualAddress.
FloatingIPAddressandVirtualMAC 2. EnterorselectanInterface.
AddressorARPLoadSharing.
3. SelecttheIPv4orIPv6tabandclickAdd.
4. EnteranIPv4 Address orIPv6 Address.
5. ForType:
SelectFloatingtoconfigurethevirtualIPaddresstobea
floatingIPaddress.
SelectARP Load Sharing toconfigurethevirtualIPaddress
tobeasharedIPaddressandskiptoConfigureARP
LoadSharing.

Step17 ConfigurethefloatingIPaddress. 1. DonotselectFloating IP bound to the Active-Primary device


unlessyouwanttheactive/activeHApairtobehavelikean
active/passiveHApair.
2. ForDevice 0 PriorityandDevice 1 Priority,enterapriorityfor
thefirewallconfiguredwithDeviceID0andDeviceID1,
respectively.Therelativeprioritiesdeterminewhichpeer
ownsthefloatingIPaddressyoujustconfigured(rangeis
0255).Thefirewallwiththelowestpriorityvalue(highest
priority)ownsthefloatingIPaddress.
3. SelectFailover address if link state is downtocausethe
firewalltousethefailoveraddresswhenthelinkstateonthe
interfaceisdown.
4. ClickOK.

Step 18  Configure ARP Load Sharing.
The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
  1. For Device Selection Algorithm, select one of the following:
     • IP Modulo: The firewall that will respond to ARP requests is based on the parity of the ARP requester's IP address.
     • IP Hash: The firewall that will respond to ARP requests is based on a hash of the ARP requester's IP address.
  2. Click OK.
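The IP Modulo and IP Hash choices in Step 15 (Session Setup) and Step 18 (Device Selection Algorithm) both split work between the two peers on a property of an IP address. The following Python model is an added example, not PAN-OS code. It assumes that "parity" means the low-order bit of the address taken as an integer (even maps to Device ID 0, odd to Device ID 1) and uses CRC-32 as a stand-in for the firewall's unpublished hash; the host addresses are constructed. The arp_load_distribution() check is worth running before choosing IP Modulo on a subnet whose host addresses are not evenly mixed, because an all-even or all-odd host range sends every ARP reply, and so all gateway traffic, to one firewall.

```python
"""Added model (not PAN-OS code) of the IP Modulo and IP Hash device-selection rules
used for Session Setup (Step 15) and ARP Load Sharing (Step 18).

Assumptions not stated in the guide: parity is the low-order bit of the address as an
integer; CRC-32 stands in for the firewall's real (unpublished) hash function.
"""
import ipaddress
import zlib

DEVICE_IDS = (0, 1)


def ip_modulo(addr):
    """Device ID selected by the parity of the address (assumed: low-order bit)."""
    return int(ipaddress.ip_address(addr)) % len(DEVICE_IDS)


def ip_hash(src, dst=None):
    """Device ID selected by a hash of the source IP, or of source + destination IP."""
    data = ipaddress.ip_address(src).packed
    if dst is not None:
        data += ipaddress.ip_address(dst).packed
    return zlib.crc32(data) % len(DEVICE_IDS)


def session_setup_device(policy, src, dst, first_packet_device, primary_device):
    """Which peer performs session setup for a new flow under each Session Setup option."""
    if policy == "primary-device":
        return primary_device
    if policy == "first-packet":
        return first_packet_device
    if policy == "ip-modulo":
        return ip_modulo(src)
    if policy == "ip-hash":
        return ip_hash(src, dst)
    raise ValueError("unknown Session Setup policy: %r" % (policy,))


def arp_responder(algorithm, requester_ip):
    """Which peer answers an ARP request for the shared (ARP Load Sharing) address."""
    if algorithm == "ip-modulo":
        return ip_modulo(requester_ip)
    if algorithm == "ip-hash":
        return ip_hash(requester_ip)
    raise ValueError("unknown Device Selection Algorithm: %r" % (algorithm,))


def arp_load_distribution(hosts, algorithm="ip-modulo"):
    """Count how many hosts each peer would serve: a pre-deployment check that the
    addressing plan does not defeat load sharing."""
    counts = {dev: 0 for dev in DEVICE_IDS}
    for host in hosts:
        counts[arp_responder(algorithm, host)] += 1
    return counts


# Constructed sample hosts (not from the guide): ten consecutive addresses, and an
# even-only set such as a reservation scheme that steps by two might produce.
CONSECUTIVE_HOSTS = ["192.168.10.%d" % n for n in range(11, 21)]
EVEN_ONLY_HOSTS = ["192.168.10.%d" % n for n in range(10, 30, 2)]

if __name__ == "__main__":
    print("ip-modulo, consecutive:", arp_load_distribution(CONSECUTIVE_HOSTS))
    print("ip-modulo, even only:  ", arp_load_distribution(EVEN_ONLY_HOSTS))
    print("ip-hash,   even only:  ", arp_load_distribution(EVEN_ONLY_HOSTS, "ip-hash"))
```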

Step 19  Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
Switch ports that connect the HA3 link must support jumbo frames to handle the overhead associated with the MAC-in-MAC encapsulation on the HA3 link.
The jumbo frame packet size on the firewall must match the setting on the switch.
  1. Select Device > Setup > Session.
  2. In the Session Settings section, select Enable Jumbo Frames.
  3. Click OK.
  4. Repeat on any intermediary networking devices.

Step 20  Define HA Failover Conditions.

Step 21  Save the configuration. Click Commit.

Step 22  Reboot the firewall after changing the jumbo frame configuration.
  1. Select Device > Setup > Operations.
  2. Click Reboot Device.

Determine Your Active/Active Use Case

Determine which type of use case you have and then select the corresponding procedure to configure active/active HA.
• If you are using Route-Based Redundancy, Floating IP Address and Virtual MAC Address, or ARP Load Sharing, select the corresponding procedure:
  - Use Case: Configure Active/Active HA with Route-Based Redundancy
  - Use Case: Configure Active/Active HA with Floating IP Addresses
  - Use Case: Configure Active/Active HA with ARP Load Sharing
• If you want a Layer 3 active/active HA deployment that behaves like an active/passive deployment, select the following procedure:
  - Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
• If you are configuring NAT in Active/Active HA Mode, see the following procedures:
  - Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
  - Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
  - Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT
  - Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3

Use Case: Configure Active/Active HA with Route-Based Redundancy

The following Layer 3 topology illustrates two PA-7050 firewalls in an active/active HA environment that use Route-Based Redundancy. The firewalls belong to an OSPF area. When a link or firewall fails, OSPF handles the redundancy by redirecting traffic to the functioning firewall.

Configure Active/Active HA with Route-Based Redundancy

Step 1  Configure Active/Active HA. Perform Step 1 through Step 15.

Step 2  Configure OSPF. See OSPF.

Step 3  Define HA failover conditions. Define HA Failover Conditions.

Step 4  Save the configuration. Click Commit.

Step 5  Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.

Use Case: Configure Active/Active HA with Floating IP Addresses

In this Layer 3 interface example, the HA firewalls connect to switches and use floating IP addresses to handle link or firewall failures. The end hosts are each configured with a gateway, which is the floating IP address of one of the HA firewalls. See Floating IP Address and Virtual MAC Address.

Configure Active/Active HA with Floating IP Addresses

Step 1  Configure Active/Active HA. Perform Step 1 through Step 15.

Step 2  Configure an HA virtual address.
You need a virtual address to use a Floating IP Address and Virtual MAC Address.
  1. In Device > High Availability > Active/Active Config, Add a Virtual Address.
  2. Enter or select an Interface.
  3. Select the IPv4 or IPv6 tab and click Add.
  4. Enter an IPv4 Address or IPv6 Address.
  5. For Type, select Floating to configure the virtual IP address to be a floating IP address.

Step 3  Configure the floating IP address.
  1. Do not select Floating IP bound to the Active-Primary device.
  2. For Device 0 Priority and Device 1 Priority, enter a priority for the firewall configured with Device ID 0 and Device ID 1, respectively. The relative priorities determine which peer owns the floating IP address you just configured (range is 0-255). The firewall with the lowest priority value (highest priority) owns the floating IP address.
  3. Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
  4. Click OK.

Step 4  Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Perform Step 19 of Configure Active/Active HA.

Step 5  Define HA failover conditions. Define HA Failover Conditions.

Step 6  Save the configuration. Click Commit.

Step 7  Configure the peer firewall in the same way, except selecting a different Device ID. For example, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.

Use Case: Configure Active/Active HA with ARP Load Sharing

In this example, hosts in a Layer 3 deployment need gateway services from the HA firewalls. The firewalls are configured with a single shared IP address, which allows ARP Load Sharing. The end hosts are configured with the same gateway, which is the shared IP address of the HA firewalls.

Configure Active/Active HA with ARP Load Sharing

Step 1  Perform Step 1 through Step 15 of Configure Active/Active HA.

Step 2  Configure an HA virtual address.
The virtual address is the shared IP address that allows ARP Load Sharing.
  1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  2. Enter or select an Interface.
  3. Select the IPv4 or IPv6 tab and click Add.
  4. Enter an IPv4 Address or IPv6 Address.
  5. For Type, select ARP Load Sharing, which allows both peers to use the virtual IP address for ARP Load Sharing.

Step 3  Configure ARP Load Sharing.
The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
  1. For Device Selection Algorithm, select one of the following:
     • IP Modulo: The firewall that will respond to ARP requests is based on the parity of the ARP requester's IP address.
     • IP Hash: The firewall that will respond to ARP requests is based on a hash of the ARP requester's IP address.
  2. Click OK.

Step 4  Enable jumbo frames on firewalls other than PA-7000 Series firewalls.

Step 5  Define HA failover conditions. Define HA Failover Conditions.

Step 6  Save the configuration. Click Commit.

Step 7  Configure the peer firewall in the same way, except selecting a different Device ID. For example, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.

Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

In mission-critical data centers, you may want both Layer 3 HA firewalls to participate in path monitoring so that they can detect path failures upstream from both firewalls. Additionally, you prefer to control if and when the floating IP address returns to the recovered firewall after it comes back up, rather than the floating IP address returning to the Device ID to which it is bound. (That default behavior is described in Floating IP Address and Virtual MAC Address.)

In this use case, you control when the floating IP address, and therefore the active-primary role, moves back to a recovered HA peer. The active/active HA firewalls share a single floating IP address that you bind to whichever firewall is in the active-primary state. With only one floating IP address, network traffic flows predominantly to a single firewall, so this active/active deployment functions like an active/passive deployment.

In this use case, Cisco Nexus 7010 switches with virtual PortChannels (vPCs) operating in Layer 3 connect to the firewalls. You must configure the Layer 3 switches (router peers) north and south of the firewalls with a route preference to the floating IP address. That is, you must design your network so the route tables of the router peers have the best path to the floating IP address. This example uses static routes with the proper metrics so that the route to the floating IP address uses a lower metric (the route to the floating IP address is preferred) and receives the traffic. An alternative to using static routes would be to design the network to redistribute the floating IP address into the OSPF routing protocol (if you are using OSPF).

The following topology illustrates the floating IP address bound to the active-primary firewall, which is initially Peer A, the firewall on the left.

Upon a failover, when the active-primary firewall (Peer A) goes down and the active-secondary firewall (Peer B) takes over as the active-primary peer, the floating IP address moves to Peer B (shown in the following figure). Peer B remains the active-primary firewall and traffic continues to go to Peer B, even when Peer A recovers and becomes the active-secondary firewall. You decide if and when to make Peer A the active-primary firewall again.

Binding the floating IP address to the active-primary firewall provides you with more control over how the firewalls determine floating IP address ownership as they move between various HA Firewall States. The following advantages result:
• You can have an active/active HA configuration for path monitoring out of both firewalls, but have the firewalls function like an active/passive HA configuration because traffic directed to the floating IP address always goes to the active-primary firewall.
• When you disable preemption on both firewalls, you have the following additional benefits:
  - The floating IP address does not move back and forth between HA firewalls if the active-secondary firewall flaps up and down.
  - You can review the functionality of the recovered firewall and the adjacent components before manually directing traffic to it again, which you can do at a convenient downtime.
  - You have control over which firewall owns the floating IP address so that you keep all flows of new and existing sessions on the active-primary firewall, thereby minimizing traffic on the HA3 link.

We strongly recommend you configure HA link monitoring on the interface(s) that support the floating IP address(es) to allow each HA peer to quickly detect a link failure and fail over to its peer. Both HA peers must have link monitoring for it to function.

We strongly recommend you configure HA path monitoring to notify each HA peer when a path has failed so a firewall can fail over to its peer. Because the floating IP address is always bound to the active-primary firewall, the firewall cannot automatically fail over to the peer when a path goes down and path monitoring is not enabled.

You cannot configure NAT for a floating IP address that is bound to an active-primary firewall.
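The failover and recovery sequence in the figures above, with and without preemption, as an added Python model that is not PAN-OS code. It assumes, beyond what the guide states, that with Preemptive enabled a recovered peer whose device priority value is lower than the current active-primary's regains the role immediately, that the administrator-driven switch back the guide leaves to you is a single make_active_primary() action, and that a failed peer shows as "tentative" (the active/active state the HA Firewall States table lists for a firewall failure). The Peer names and priorities are constructed. The last function is a configuration check for the note directly above: NAT must not translate to a floating IP that is bound to the active-primary firewall.

```python
"""Added model (not PAN-OS code) of a floating IP bound to the active-primary
firewall, the Preemptive election setting, and the NAT restriction noted above.

Assumptions: preemption = recovered peer with lower device priority value takes the
role back at once; manual switch-back = make_active_primary(); failed peer = tentative.
"""
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    device_priority: int          # HA election priority; lower value is preferred
    up: bool = True
    state: str = "active-secondary"


class BoundFloatingIpPair:
    def __init__(self, a, b, preemptive):
        self.peers = {a.name: a, b.name: b}
        self.preemptive = preemptive
        self.history = []             # every owner the floating IP has had, in order
        # Initial election: both peers up, lower priority value becomes active-primary.
        self._set_primary(min(self.peers.values(), key=lambda p: p.device_priority).name)

    def _set_primary(self, name):
        for p in self.peers.values():
            if p.up:
                p.state = "active-primary" if p.name == name else "active-secondary"
        self.history.append(name)

    def _other(self, name):
        return next(p for p in self.peers.values() if p.name != name)

    def floating_ip_owner(self):
        """The bound floating IP always sits on whichever peer is active-primary."""
        return next((p.name for p in self.peers.values() if p.state == "active-primary"), None)

    def fail(self, name):
        peer = self.peers[name]
        peer.up, peer.state = False, "tentative"
        other = self._other(name)
        if other.up:
            self._set_primary(other.name)   # the surviving peer takes the role and the address

    def recover(self, name):
        peer = self.peers[name]
        peer.up = True
        current = self.floating_ip_owner()
        if current is None:
            self._set_primary(name)
        elif self.preemptive and peer.device_priority < self.peers[current].device_priority:
            self._set_primary(name)         # preemption: address moves straight back
        else:
            peer.state = "active-secondary"  # no preemption: address stays until an admin acts

    def make_active_primary(self, name):
        """Administrator-driven switch back, done at a convenient downtime."""
        if not self.peers[name].up:
            raise RuntimeError("%s is not up" % name)
        self._set_primary(name)


def check_nat_does_not_use_bound_floating_ip(nat_translated_addresses, bound_floating_ips):
    """Return NAT translated addresses that are floating IPs bound to the active-primary
    firewall, which the guide says cannot be used for NAT."""
    return sorted(set(nat_translated_addresses) & set(bound_floating_ips))


def failover_and_recovery(preemptive):
    """Replay the figures: Peer A fails, Peer B takes over, Peer A recovers."""
    pair = BoundFloatingIpPair(Peer("A", 100), Peer("B", 200), preemptive)
    pair.fail("A")
    pair.recover("A")
    return pair


if __name__ == "__main__":
    for flag in (False, True):
        pair = failover_and_recovery(flag)
        print("preemptive=%s: owner after A recovers = %s, history %s"
              % (flag, pair.floating_ip_owner(), pair.history))
```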

Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

Step 1  Perform Step 1 through Step 5 of Configure Active/Active HA.

Step 2  (Optional) Disable preemption.
Disabling preemption allows you full control over when the recovered firewall becomes the active-primary firewall.
  1. In Device > High Availability > General, edit the Election Settings.
  2. Clear Preemptive if it is enabled.
  3. Click OK.

Step 3  Perform Step 7 through Step 14 of Configure Active/Active HA.

Step 4  Configure Session Owner and Session Setup.
  1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
  2. For Session Owner Selection, we recommend you select Primary Device. The firewall that is in active-primary state is the session owner.
     Alternatively, for Session Owner Selection you can select First Packet and then for Session Setup, select Primary Device or First Packet.
  3. For Session Setup, select Primary Device: The active-primary firewall sets up all sessions. This is the recommended setting if you want your active/active configuration to behave like an active/passive configuration because it keeps all activity on the active-primary firewall.
     You must also engineer your network to eliminate the possibility of asymmetric traffic going to the HA pair. If you don't do so and traffic goes to the active-secondary firewall, setting Session Owner Selection and Session Setup to Primary Device causes the traffic to traverse HA3 to get to the active-primary firewall for session ownership and session setup.
  4. Click OK.

Step 5  Configure an HA virtual address.
  1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  2. Enter or select an Interface.
  3. Select the IPv4 or IPv6 tab and Add an IPv4 Address or IPv6 Address.
  4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.
  5. Click OK.

Step 6  Bind the floating IP address to the active-primary firewall.
  1. Select Floating IP bound to the Active-Primary device.
  2. Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
  3. Click OK.

Step 7  Enable jumbo frames on firewalls other than PA-7000 Series firewalls.

Step 8  Save the configuration. Click Commit.

Step 9  Configure the peer firewall in the same way, except selecting a different Device ID. For example, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.

Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses

This Layer 3 interface example uses source NAT in Active/Active HA Mode. The Layer 2 switches create broadcast domains to ensure users can reach everything north and south of the firewalls.

PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1. In this use case, NAT translates the source IP address and port number to the floating IP address configured on the egress interface. Each host is configured with a default gateway address, which is the floating IP address on Ethernet 1/1 of each firewall. The configuration requires two source NAT rules, one bound to each Device ID, although you configure both NAT rules on a single firewall and they are synchronized to the peer firewall.

Configure Active/Active HA with Source DIPP NAT Using Floating IP Address

Step 1  On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Active/Active HA.

Step 2  Enable active/active HA.
  1. In Device > High Availability > General, edit Setup.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. For Mode, select Active Active.
  5. Set the Device ID to 1.
  6. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
  7. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
  8. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
  9. Click OK.

Step 3  Configure Active/Active HA. Complete Step 6 through Step 14.

Step 4  Configure Session Owner and Session Setup.
  1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
  2. For Session Owner Selection, select First Packet: The firewall that receives the first packet of a new session is the session owner.
  3. For Session Setup, select IP Modulo: Distributes session setup load based on parity of the source IP address.
  4. Click OK.

Step 5  Configure an HA virtual address.
  1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  2. Select Interface eth1/1.
  3. Select IPv4 and Add an IPv4 Address of 10.1.1.101.
  4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.

Step 6  Configure the floating IP address.
  1. Do not select Floating IP bound to the Active-Primary device.
  2. Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
  3. Click OK.

Enable jumbo frames on firewalls other than PA-7000 Series firewalls.

Define HA Failover Conditions.

Step 7  Save the configuration. Click Commit.

Step 8  Configure the peer firewall, PA-3050-1, with the same settings, except for the following changes:
  • Select Device ID 0.
  • Configure an HA virtual address of 10.1.1.100.
  • For Device 1 Priority, enter 255. For Device 0 Priority, enter 0.
    In this example, Device ID 0 has a lower priority value, so a higher priority; therefore, the firewall with Device ID 0 (PA-3050-1) owns the floating IP address 10.1.1.100.

Step 9  Still on PA-3050-1, create the source NAT rule for Device ID 0.
  1. Select Policies > NAT and click Add.
  2. Enter a Name for the rule that in this example identifies it as a source NAT rule for Device ID 0.
  3. For NAT Type, select ipv4 (default).
  4. On the Original Packet, for Source Zone, select Any.
  5. For Destination Zone, select the zone you created for the external network.
  6. Allow Destination Interface, Service, Source Address, and Destination Address to remain set to Any.
  7. For the Translated Packet, select Dynamic IP And Port for Translation Type.
  8. For Address Type, select Interface Address, in which case the translated address will be the IP address of the interface. Select an Interface (eth1/1 in this example) and an IP Address of the floating IP address 10.1.1.100.
  9. On the Active/Active HA Binding tab, for Active/Active HA Binding, select 0 to bind the NAT rule to Device ID 0.
  10. Click OK.

Step 10  Create the source NAT rule for Device ID 1.
  1. Select Policies > NAT and click Add.
  2. Enter a Name for the policy rule that in this example helps identify it as a source NAT rule for Device ID 1.
  3. For NAT Type, select ipv4 (default).
  4. On the Original Packet, for Source Zone, select Any. For Destination Zone, select the zone you created for the external network.
  5. Allow Destination Interface, Service, Source Address, and Destination Address to remain set to Any.
  6. For the Translated Packet, select Dynamic IP And Port for Translation Type.
  7. For Address Type, select Interface Address, in which case the translated address will be the IP address of the interface. Select an Interface (eth1/1 in this example) and an IP Address of the floating IP address 10.1.1.101.
  8. On the Active/Active HA Binding tab, for the Active/Active HA Binding, select 1 to bind the NAT rule to Device ID 1.
  9. Click OK.

Step 11  Save the configuration. Click Commit.

Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls

If you want to use IP address pools for source NAT in Active/Active HA Mode, each firewall must have its own pool, which you then bind to a Device ID in a NAT rule.

Address objects and NAT rules are synchronized (in both active/passive and active/active mode), so they need to be configured on only one of the firewalls in the HA pair.

This example configures an address object named DynIPPooldev0 containing the IP address pool 10.1.1.140-10.1.1.150. It also configures an address object named DynIPPooldev1 containing the IP address pool 10.1.1.160-10.1.1.170. The first address object is bound to Device ID 0; the second address object is bound to Device ID 1.

Create Address Objects for IP Address Pools for Source NAT in an Active/Active HA Configuration

Step 1  On one HA firewall, create address objects.
  1. Select Objects > Addresses and Add an address object Name, in this example, DynIPPooldev0.
  2. For Type, select IP Range and enter the range 10.1.1.140-10.1.1.150.
  3. Click OK.
  4. Repeat this step to configure another address object named DynIPPooldev1 with the IP Range of 10.1.1.160-10.1.1.170.

Step 2  Create the source NAT rule for Device ID 0.
  1. Select Policies > NAT and Add a NAT policy rule with a Name, for example, SrcNATdev0.
  2. For Original Packet, for Source Zone, select Any.
  3. For Destination Zone, select the destination zone for which you want to translate the source address, such as Untrust.
  4. For Translated Packet, for Translation Type, select Dynamic IP and Port.
  5. For Translated Address, Add the address object you created for the pool of addresses belonging to Device ID 0: DynIPPooldev0.
  6. For Active/Active HA Binding, select 0 to bind the NAT rule to Device ID 0.
  7. Click OK.

Step 3  Create the source NAT rule for Device ID 1.
  1. Select Policies > NAT and Add a NAT policy rule with a Name, for example, SrcNATdev1.
  2. For Original Packet, for Source Zone, select Any.
  3. For Destination Zone, select the destination zone for which you want to translate the source address, such as Untrust.
  4. For Translated Packet, for Translation Type, select Dynamic IP and Port.
  5. For Translated Address, Add the address object you created for the pool of addresses belonging to Device ID 1: DynIPPooldev1.
  6. For Active/Active HA Binding, select 1 to bind the NAT rule to Device ID 1.
  7. Click OK.

Step 4  Save the configuration. Select Commit.

Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT

This Layer 3 interface example uses NAT in Active/Active HA Mode and ARP Load Sharing with destination NAT. Both HA firewalls respond to an ARP request for the destination NAT address with the ingress interface MAC address. Destination NAT translates the public, shared IP address (in this example, 10.1.1.200) to the private IP address of the server (in this example, 192.168.2.200).

When the HA firewalls receive traffic for the destination 10.1.1.200, both firewalls could possibly respond to the ARP request, which could cause network instability. To avoid the potential issue, configure the firewall that is in active-primary state to respond to the ARP request by binding the destination NAT rule to the active-primary firewall.

Configure Active/Active HA for ARP Load Sharing with Destination NAT

Step 1  On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Active/Active HA.

Step 2  Enable active/active HA.
  1. In Device > High Availability > General, edit Setup.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. (Optional) Enter a Description.
  5. For Mode, select Active Active.
  6. Select Device ID to be 1.
  7. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
  8. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
  9. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
  10. Click OK.

Step 3  Perform Step 6 through Step 15 in Configure Active/Active HA.

Step 4  Configure an HA virtual address.
  1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  2. Select Interface eth1/1.
  3. Select IPv4 and Add an IPv4 Address of 10.1.1.200.
  4. For Type, select ARP Load Sharing, which configures the virtual IP address to be for both peers to use for ARP Load Sharing.

Step 5  Configure ARP Load Sharing.
The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
  1. For Device Selection Algorithm, select IP Modulo. The firewall that will respond to ARP requests is based on the parity of the ARP requester's IP address.
  2. Click OK.

Step 6  Enable jumbo frames on firewalls other than PA-7000 Series firewalls.

Step 7  Define HA Failover Conditions.

Step 8  Save the configuration. Click Commit.

Step 9  Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except in Step 2 select Device ID 0.

Step 10  Still on PA-3050-1 (Device ID 0), create the destination NAT rule so that the active-primary firewall responds to ARP requests.
  1. Select Policies > NAT and click Add.
  2. Enter a Name for the rule that, in this example, identifies it as a destination NAT rule for Layer 2 ARP.
  3. For NAT Type, select ipv4 (default).
  4. On the Original Packet, for Source Zone, select Any.
  5. For Destination Zone, select the Untrust zone you created for the external network.
  6. Allow Destination Interface, Service, and Source Address to remain set to Any.
  7. For Destination Address, specify 10.1.1.200.
  8. For the Translated Packet, Source Address Translation remains None.
  9. For Destination Address Translation, enter the private IP address of the destination server, in this example, 192.168.1.200.
  10. On the Active/Active HA Binding tab, for Active/Active HA Binding, select primary to bind the NAT rule to the firewall in active-primary state.
  11. Click OK.

Step 11  Save the configuration. Click Commit.

Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3

This Layer 3 interface example uses NAT in Active/Active HA Mode and ARP Load Sharing. PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1.

In this use case, both of the HA firewalls must respond to an ARP request for the destination NAT address. Traffic can arrive at either firewall from either WAN router in the untrust zone. Destination NAT translates the public-facing, shared IP address to the private IP address of the server. The configuration requires one destination NAT rule bound to both Device IDs so that both firewalls can respond to ARP requests.

Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3

Step 1  On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Active/Active HA.

Step 2  Enable active/active HA.
  1. Select Device > High Availability > General > Setup and edit.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. (Optional) Enter a Description.
  5. For Mode, select Active Active.
  6. Select Device ID to be 1.
  7. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
  8. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
  9. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
  10. Click OK.

Step 3  Configure Active/Active HA. Perform Step 6 through Step 15.

Step 4  Configure an HA virtual address.
  1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  2. Select Interface eth1/2.
  3. Select IPv4 and Add an IPv4 Address of 10.1.1.200.
  4. For Type, select ARP Load Sharing, which configures the virtual IP address to be for both peers to use for ARP Load Sharing.

Step 5  Configure ARP Load Sharing.
The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
  1. For Device Selection Algorithm, select one of the following:
     • IP Modulo: The firewall that will respond to ARP requests is based on the parity of the ARP requester's IP address.
     • IP Hash: The firewall that will respond to ARP requests is based on a hash of the ARP requester's source IP address and destination IP address.
  2. Click OK.

Step 6  Enable jumbo frames on firewalls other than PA-7000 Series firewalls.

Step 7  Define HA Failover Conditions.

Step 8  Save the configuration. Click Commit.

Step 9  Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except set the Device ID to 0 instead of 1.

Step 10  Still on PA-3050-1 (Device ID 0), create the destination NAT rule for both Device ID 0 and Device ID 1.
  1. Select Policies > NAT and click Add.
  2. Enter a Name for the rule that in this example identifies it as a destination NAT rule for Layer 3 ARP.
  3. For NAT Type, select ipv4 (default).
  4. On the Original Packet, for Source Zone, select Any.
  5. For Destination Zone, select the Untrust zone you created for the external network.
  6. Allow Destination Interface, Service, and Source Address to remain set to Any.
  7. For Destination Address, specify 10.1.1.200.
  8. For the Translated Packet, Source Address Translation remains None.
  9. For Destination Address Translation, enter the private IP address of the destination server, in this example 192.168.1.200.
  10. On the Active/Active HA Binding tab, for Active/Active HA Binding, select both to bind the NAT rule to both Device ID 0 and Device ID 1.
  11. Click OK.

Step 11  Save the configuration. Click Commit.
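The four NAT use cases above differ only in the value of Active/Active HA Binding on each rule (0, 1, primary, or both). The following Python model is an added example, not PAN-OS code, of how that binding decides which peer evaluates a rule; it assumes first-match evaluation from the top of the rulebase, reduces a packet to its source, destination and destination zone, and omits DIPP port allocation. The addresses, zone name and rule names are the ones the use cases use (floating IPs 10.1.1.100 and 10.1.1.101, shared address 10.1.1.200 translated to 192.168.1.200, zone Untrust, rules SrcNATdev0 and SrcNATdev1); the destination NAT rule name and the sample packets are constructed. The pool_overlap() check applies to the separate-pool use case: pools bound to different Device IDs must not share addresses, or both firewalls could hand out the same translated address.

```python
"""Added model (not PAN-OS code) of the Active/Active HA Binding on NAT rules.

Assumptions: first-match rulebase evaluation; packets reduced to src/dst/dst_zone;
DIPP port allocation omitted. Rule name "DstNATprimary" and the packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class NatRule:
    name: str
    dst_zone: str                          # original-packet Destination Zone, or "any"
    binding: str                           # Active/Active HA Binding: "0", "1", "primary", "both"
    src_translation: Optional[str] = None  # DIPP: translate the source to this address
    dst_address: Optional[str] = None      # original-packet Destination Address (None = Any)
    dst_translation: Optional[str] = None  # Destination Address Translation


def rule_applies(rule, device_id, ha_state):
    """Does this firewall evaluate the rule at all, given its Device ID and HA state?"""
    if rule.binding == "both":
        return True
    if rule.binding == "primary":
        return ha_state == "active-primary"
    return int(rule.binding) == device_id


def match_nat(rules, packet, device_id, ha_state):
    """Return the first rule whose binding and original-packet fields match, else None."""
    for rule in rules:
        if not rule_applies(rule, device_id, ha_state):
            continue
        if rule.dst_zone not in ("any", packet["dst_zone"]):
            continue
        if rule.dst_address is not None and rule.dst_address != packet["dst"]:
            continue
        return rule
    return None


def apply_nat(rule, packet):
    """Return the translated packet for a matched rule."""
    out = dict(packet)
    if rule.src_translation is not None:
        out["src"] = rule.src_translation
    if rule.dst_translation is not None:
        out["dst"] = rule.dst_translation
    return out


def pool_overlap(pools):
    """Config check: return pairs of bindings whose IP Range address pools overlap."""
    ranges = [(binding, int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last)))
              for binding, (first, last) in pools.items()]
    clashes = []
    for i, (b1, s1, e1) in enumerate(ranges):
        for b2, s2, e2 in ranges[i + 1:]:
            if s1 <= e2 and s2 <= e1:
                clashes.append((b1, b2))
    return clashes


# Rulebase assembled from the use cases: destination NAT bound to the active-primary
# peer first, then DIPP source NAT bound to each Device ID (floating IP per peer).
RULES = [
    NatRule("DstNATprimary", "Untrust", "primary", dst_address="10.1.1.200",
            dst_translation="192.168.1.200"),
    NatRule("SrcNATdev0", "Untrust", "0", src_translation="10.1.1.100"),
    NatRule("SrcNATdev1", "Untrust", "1", src_translation="10.1.1.101"),
]

# Address pools from the separate-pool use case, keyed by the Device ID they are bound to.
SEPARATE_POOLS = {"0": ("10.1.1.140", "10.1.1.150"), "1": ("10.1.1.160", "10.1.1.170")}

if __name__ == "__main__":
    outbound = {"src": "192.168.2.50", "dst": "203.0.113.10", "dst_zone": "Untrust"}  # constructed
    for dev, state in ((0, "active-primary"), (1, "active-secondary")):
        rule = match_nat(RULES, outbound, dev, state)
        print("Device ID %d (%s): %s -> %s" % (dev, state, rule.name, apply_nat(rule, outbound)["src"]))
    print("pool overlap:", pool_overlap(SEPARATE_POOLS))
```

Rule order matters in the model exactly as it does in a real rulebase: the destination NAT rule sits above the source NAT rules so that inbound traffic to 10.1.1.200 is not caught first by the Any-to-Untrust source NAT rules.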

HA Firewall States

An HA firewall can be in one of the following states:

HA Firewall State (Occurs In): Description

Initial (A/P or A/A)
  Transient state of a firewall when it joins the HA pair. The firewall remains in this state after boot up until it discovers a peer and negotiations begin. After a timeout, the firewall becomes active if HA negotiation has not started.

Active (A/P)
  State of the active firewall in an active/passive configuration.

Passive (A/P)
  State of the passive firewall in an active/passive configuration. The passive firewall is ready to become the active firewall with no disruption to the network. Although the passive firewall is not processing other traffic:
  • If passive link state auto is configured, the passive firewall is running routing protocols, monitoring link and path state, and the passive firewall will pre-negotiate LACP and LLDP if LACP and LLDP pre-negotiation are configured, respectively.
  • The passive firewall is synchronizing flow state, runtime objects, and configuration.
  • The passive firewall is monitoring the status of the active firewall using the hello protocol.

Active-Primary (A/A)
  In an active/active configuration, state of the firewall that connects to User-ID agents, runs DHCP server and DHCP relay, and matches NAT and PBF rules with the Device ID of the active-primary firewall. A firewall in this state can own sessions and set up sessions.

Active-Secondary (A/A)
  In an active/active configuration, state of the firewall that connects to User-ID agents, runs DHCP server, and matches NAT and PBF rules with the Device ID of the active-secondary firewall. A firewall in active-secondary state does not support DHCP relay. A firewall in this state can own sessions and set up sessions.

Tentative (A/A)
  State of a firewall (in an active/active configuration) caused by one of the following:
  • Failure of a firewall.
  • Failure of a monitored object (a link or path).
  • The firewall leaves suspended or non-functional state.
  A firewall in tentative state synchronizes sessions and configurations from the peer.
  In a virtual wire deployment, when a firewall enters tentative state due to a path failure and receives a packet to forward, it sends the packet to the peer firewall over the HA3 link for processing. The peer firewall processes the packet and sends it back over the HA3 link to the firewall to be sent out the egress interface. This behavior preserves the forwarding path in a virtual wire deployment.
  In a Layer 3 deployment, when a firewall in tentative state receives a packet, it sends that packet over the HA3 link for the peer firewall to own or set up the session. Depending on the network topology, this firewall either sends the packet out to the destination or sends it back to the peer in tentative state for forwarding.
  After the failed path or link clears or as a failed firewall transitions from tentative state to active-secondary state, the Tentative Hold Time is triggered and routing convergence occurs. The firewall attempts to build routing adjacencies and populate its route table before processing any packets. Without this timer, the recovering firewall would enter active-secondary state immediately and would black hole packets because it would not have the necessary routes.
  When a firewall leaves suspended state, it goes into tentative state for the Tentative Hold Time after links are up and able to process incoming packets.
  Tentative Hold Time range (sec) can be disabled (which is 0 seconds) or in the range 10-600; default is 60.

Non-functional (A/P or A/A)
  Error state due to a dataplane failure or a configuration mismatch, such as only one firewall configured for packet forwarding, VR sync or QoS sync.
  In active/passive mode, all of the causes listed for Tentative state cause non-functional state.

Suspended (A/P or A/A)
  Administratively disabled state. In this state, an HA firewall cannot participate in the HA election process.

Reference: HA Synchronization

If you have enabled configuration synchronization on both peers in an HA pair, most of the configuration settings you configure on one peer will automatically sync to the other peer upon commit. To avoid configuration conflicts, always make configuration changes on the active (active/passive) or active-primary (active/active) peer and wait for the changes to sync to the peer before making any additional configuration changes.

Only committed configurations synchronize between HA peers. Any configuration in the commit queue at the time of an HA sync will not be synchronized.

The following topics identify which configuration settings you must configure on each firewall independently (these settings are not synchronized from the HA peer).
• What Settings Don't Sync in Active/Passive HA?
• What Settings Don't Sync in Active/Active HA?
• Synchronization of System Runtime Information

What Settings Don't Sync in Active/Passive HA?

You must configure the following settings on each firewall in an HA pair in an active/passive deployment. These settings do not sync from one peer to another.

Configuration Item: What Doesn't Sync in Active/Passive?

Management Interface Settings
  All management configuration settings must be configured individually on each firewall, including:
  • Device > Setup > Management > General Settings: Hostname, Domain, Login Banner, SSL/TLS Service Profile, Time Zone, Locale, Date, Time, Latitude, Longitude.
    The configuration for the associated SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile) and the associated certificates (Device > Certificate Management > Certificates) is synchronized. It is just the setting of which SSL/TLS Service Profile to use on the Management interface that does not sync.
  • Device > Setup > Management > Management Interface Settings: IP Type, IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP)

Multi-vsys Capability
  To enable multi-vsys, you must activate the Virtual Systems license (required to enable support for multiple virtual systems on PA-2000 Series and PA-3000 Series firewalls or to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls) on each firewall in the pair.
  You must also enable Multi Virtual System Capability on each firewall (Device > Setup > Management > General Settings).

PaloAltoNetworks,Inc. PANOS7.1AdministratorsGuide 245


Reference:HASynchronization HighAvailability

ConfigurationItem WhatDoesntSyncinActive/Passive?

Administrator Youmustdefinetheauthenticationprofileandcertificateprofileforadministrative
AuthenticationSettings accesstothefirewalllocallyoneachfirewall(Device > Setup > Management >
Authentication).

PanoramaSettings SetthefollowingPanoramasettingsoneachfirewall(Device > Setup >


Management > Panorama Settings).
Panorama Servers
Disable Panorama Policy and ObjectsandDisable Device and Network Template

SNMP Device > Setup > Operations > SNMP Setup

StatisticsCollection Device > Setup > Operations > Statistics Service Setup

Services Device > Setup > Services

GlobalServiceRoutes Device > Setup > Services > Service Route Configuration

DataProtection Device > Setup > Content-ID > Manage Data Protection

JumboFrames Device > Setup > Session > Session Settings > Enable Jumbo Frame

ForwardProxyServer Device > Setup > Session > Decryption Settings > SSL Forward Proxy Settings
CertificateSettings

MasterKeySecuredby Device > Setup > HSM > Hardware Security Module Provider > Master Key
HSM Secured by HSM

LogExportSettings Device > Scheduled Log Export

SoftwareUpdates Withsoftwareupdates,youcaneitherdownloadandinstallthemseparatelyoneach
firewall,ordownloadthemononepeerandsynctheupdatetotheotherpeer.You
mustinstalltheupdateoneachpeer.
Device > Software

GlobalProtectAgent WithGlobalProtectclientupdates,youcaneitherdownloadandinstallthem
Package separatelyoneachfirewall,ordownloadthemtoonepeerandsynctheupdatetothe
otherpeer.Youmustactivateseparatelyoneachpeer.
Device > GlobalProtect Client

ContentUpdates Withcontentupdates,youcaneitherdownloadandinstallthemseparatelyoneach
firewall,ordownloadthemononepeerandsynctheupdatetotheotherpeer.You
mustinstalltheupdateoneachpeer.
Device > Dynamic Updates

Licenses/Subscriptions Device > Licenses

SupportSubscription Device > Support

MasterKey ThemasterkeymustbeidenticaloneachfirewallintheHApair,butyoumust
manuallyenteritoneachfirewall(Device > Master Key and Diagnostics).
Beforechangingthemasterkey,youmustdisableconfigsynconbothpeers(Device
> High Availability > General > SetupandcleartheEnable Config Synccheckbox)
andthenreenableitafteryouchangethekeys.

Reports,logs,and Logdata,reports,andDashboarddataandsettings(columndisplay,widgets)arenot
DashboardSettings syncedbetweenpeers.Reportconfigurationsettings,however,aresynced.

HAsettings Device > High Availability

What Settings Don't Sync in Active/Active HA?

You must configure the following settings on each firewall in an HA pair in an active/active deployment.
These settings do not sync from one peer to another.

Configuration Item: What Doesn't Sync in Active/Active?

Management Interface Settings
  You must configure all management settings individually on each firewall, including:
  - Device > Setup > Management > General Settings: Hostname, Domain, Login Banner, SSL/TLS Service
    Profile, Time Zone, Locale, Date, Time, Latitude, Longitude.
    The configuration for the associated SSL/TLS Service profile (Device > Certificate Management >
    SSL/TLS Service Profile) and the associated certificates (Device > Certificate Management >
    Certificates) is synchronized. It is just the setting of which SSL/TLS Service Profile to use on the
    Management interface that does not sync.
  - Device > Setup > Management > Management Interface Settings: IP Address, Netmask, Default Gateway,
    IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS,
    Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP).

Multi-vsys Capability
  To enable multi-vsys, you must activate the Virtual Systems license (required to enable support for
  multiple virtual systems on PA-2000 Series and PA-3000 Series firewalls, or to increase the number of
  virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and
  PA-7000 Series firewalls) on each firewall in the pair.
  You must also enable Multi Virtual System Capability on each firewall (Device > Setup > Management >
  General Settings).

Administrator Authentication Settings
  You must define the authentication profile and certificate profile for administrative access to the
  firewall locally on each firewall (Device > Setup > Management > Authentication).

Panorama Settings
  Set the following Panorama settings on each firewall (Device > Setup > Management > Panorama Settings):
  - Panorama Servers
  - Disable Panorama Policy and Objects and Disable Device and Network Template

SNMP
  Device > Setup > Operations > SNMP Setup

Statistics Collection
  Device > Setup > Operations > Statistics Service Setup

Services
  Device > Setup > Services

Global Service Routes
  Device > Setup > Services > Service Route Configuration

Data Protection
  Device > Setup > Content-ID > Manage Data Protection

Jumbo Frames
  Device > Setup > Session > Session Settings > Enable Jumbo Frame

Forward Proxy Server Certificate Settings
  Device > Setup > Session > Decryption Settings > SSL Forward Proxy Settings

HSM Configuration
  Device > Setup > HSM

Log Export Settings
  Device > Scheduled Log Export

Software Updates
  With software updates, you can either download and install them separately on each firewall, or
  download them on one peer and sync the update to the other peer. You must install the update on each
  peer.
  Device > Software

GlobalProtect Agent Package
  With GlobalProtect client updates, you can either download and install them separately on each
  firewall, or download them to one peer and sync the update to the other peer. You must activate
  separately on each peer.
  Device > GlobalProtect Client

Content Updates
  With content updates, you can either download and install them separately on each firewall, or
  download them on one peer and sync the update to the other peer. You must install the update on each
  peer.
  Device > Dynamic Updates

Licenses/Subscriptions
  Device > Licenses

Support Subscription
  Device > Support

Ethernet Interface IP Addresses
  All Ethernet interface configuration settings sync except for the IP address (Network > Interface >
  Ethernet).

Loopback Interface IP Addresses
  All Loopback interface configuration settings sync except for the IP address (Network > Interface >
  Loopback).

Tunnel Interface IP Addresses
  All Tunnel interface configuration settings sync except for the IP address (Network > Interface >
  Tunnel).

LACP System Priority
  Each peer must have a unique LACP System ID in an active/active deployment (Network > Interface >
  Ethernet > Add Aggregate Group > System Priority).

VLAN Interface IP Address
  All VLAN interface configuration settings sync except for the IP address (Network > Interface > VLAN).

Virtual Routers
  Virtual router configuration synchronizes only if you have enabled VR Sync (Device > High Availability
  > Active/Active Config > Packet Forwarding). Whether or not to do this depends on your network design,
  including whether you have asymmetric routing.

IPSec Tunnels
  IPSec tunnel configuration synchronization depends on whether you have configured the Virtual
  Addresses to use Floating IP addresses (Device > High Availability > Active/Active Config > Virtual
  Address). If you have configured a floating IP address, these settings sync automatically. Otherwise,
  you must configure these settings independently on each peer.

GlobalProtect Portal Configuration
  GlobalProtect portal configuration synchronization depends on whether you have configured the Virtual
  Addresses to use Floating IP addresses (Network > GlobalProtect > Portals). If you have configured a
  floating IP address, the GlobalProtect portal configuration settings sync automatically. Otherwise, you
  must configure the portal settings independently on each peer.

GlobalProtect Gateway Configuration
  GlobalProtect gateway configuration synchronization depends on whether you have configured the Virtual
  Addresses to use Floating IP addresses (Network > GlobalProtect > Gateways). If you have configured a
  floating IP address, the GlobalProtect gateway configuration settings sync automatically. Otherwise,
  you must configure the gateway settings independently on each peer.

QoS
  QoS configuration synchronizes only if you have enabled QoS Sync (Device > High Availability >
  Active/Active Config > Packet Forwarding). You might choose not to sync QoS settings if, for example,
  you have different bandwidth on each link or different latency through your service providers.

LLDP
  No LLDP state or individual firewall data is synchronized in an active/active configuration (Network >
  Network Profiles > LLDP).

BFD
  No BFD configuration or BFD session data is synchronized in an active/active configuration (Network >
  Network Profiles > BFD Profile).

IKE Gateways
  IKE gateway configuration synchronization depends on whether you have configured the Virtual Addresses
  to use floating IP addresses (Network > IKE Gateways). If you have configured a floating IP address,
  the IKE gateway configuration settings sync automatically. Otherwise, you must configure the IKE
  gateway settings independently on each peer.

Master Key
  The master key must be identical on each firewall in the HA pair, but you must manually enter it on
  each firewall (Device > Master Key and Diagnostics).
  Before changing the master key, you must disable config sync on both peers (Device > High Availability
  > General > Setup and clear the Enable Config Sync check box) and then re-enable it after you change
  the keys.

Reports, logs, and Dashboard Settings
  Log data, reports, and dashboard data and settings (column display, widgets) are not synced between
  peers. Report configuration settings, however, are synced.

HA settings
  Device > High Availability
  (The exception is Device > High Availability > Active/Active Configuration > Virtual Addresses, which
  do sync.)

Synchronization of System Runtime Information

The following table summarizes what system runtime information is synchronized between HA peers. The
"A/P" and "A/A" columns state whether the item is synced in an active/passive and an active/active
deployment respectively; "HA Link" is the link that carries it.

Runtime Information                   A/P   A/A   HA Link   Details

Management Plane
User-to-Group Mappings                Yes   Yes   HA1
DHCP Lease (as server)                Yes   Yes   HA1
DNS Cache                             No    No    N/A
FQDN Refresh                          No    No    N/A
IKE Keys (phase 2)                    Yes   Yes   HA1
BrightCloud URL Database              No    No    N/A
BrightCloud URL Cache                 No    No    N/A
    This feature is disabled by default and must be enabled separately on each HA peer.
BrightCloud Bloom Filter              No    No    N/A
    This feature is disabled by default and must be enabled separately on each HA peer.
PAN-DB URL Cache                      Yes   No    HA1
    This is synchronized upon database backup to disk (every eight hours, when the URL database
    version updates), or when the firewall reboots.
Content (manual sync)                 Yes   Yes   HA1
PPPoE, PPPoE Lease                    Yes   Yes   HA1
DHCP Client Settings and Lease        Yes   Yes   HA1
SSL VPN Logged-in User List           Yes   Yes   HA1
Forward Information Base (FIB)        Yes   Yes   HA1

Dataplane
Session Table                         Yes   Yes   HA2
    Active/passive peers do not sync ICMP or host session information.
    Active/active peers do not sync host session, multicast session, or BFD session information.
ARP Table                             Yes   No    HA2
    Upon upgrade to PAN-OS 7.1, the ARP table capacity automatically increases. To avoid a mismatch,
    upgrade both peers within a short period of time.
    As a best practice, clear the ARP cache (clear arp) on both peers prior to upgrading to
    PAN-OS 7.1.
Neighbor Discovery (ND) Table         Yes   No    HA2
MAC Table                             Yes   No    HA2
IPSec Sequence Number (anti-replay)   Yes   Yes   HA2
DoS Protection                        Yes   Yes   HA2
User-to-IP Address Mappings           Yes   Yes   HA2
Virtual MAC                           Yes   Yes   HA2


Monitoring

In order to forestall potential issues, and to accelerate incident response when needed, the firewall
provides intelligence on traffic and user patterns and customizable and informative reports. The dashboard,
Application Command Center (ACC), reports, and logs on the firewall allow you to monitor activity on your
network. You can monitor the logs and filter the information to generate reports with predefined or
customized views. You can, for example, use the predefined templates to generate reports on user activities,
or analyze the reports and logs to interpret unusual behavior on your network and generate a custom report
on the traffic pattern. For a visually engaging presentation of network activity, the dashboard and the ACC
include widgets, charts, and tables that you can interact with to find the information that you care about.
In addition, you can configure the firewall to forward monitored information as email notifications, syslog
messages, SNMP traps, and NetFlow records to external services.
- Use the Dashboard
- Use the Application Command Center
- App Scope
- Use the Automated Correlation Engine
- Take Packet Captures
- Monitor Applications and Threats
- Monitor and Manage Logs
- Manage Reporting
- Use External Services for Monitoring
- Configure Log Forwarding
- Configure Email Alerts
- Use Syslog for Monitoring
- SNMP Monitoring and Traps
- NetFlow Monitoring

Use the Dashboard

The Dashboard tab widgets show general firewall information, such as the software version, the operational
status of each interface, resource utilization, and up to 10 of the most recent entries in the threat,
configuration, and system logs. All of the available widgets are displayed by default, but each administrator
can remove and add individual widgets, as needed. Click the refresh icon to update the dashboard or an
individual widget. To change the automatic refresh interval, select an interval from the drop-down (1 min,
2 mins, 5 mins, or Manual). To add a widget to the dashboard, click the widget drop-down, select a category
and then the widget name. To delete a widget, click the close icon in the title bar. The following table
describes the dashboard widgets.

Dashboard Charts: Descriptions

Top Applications
  Displays the applications with the most sessions. The block size indicates the relative number of
  sessions (mouse over the block to view the number), and the color indicates the security risk, from
  green (lowest) to red (highest). Click an application to view its application profile.

Top High Risk Applications
  Similar to Top Applications, except that it displays the highest-risk applications with the most
  sessions.

General Information
  Displays the firewall name, model, PAN-OS software version, the application, threat, and URL filtering
  definition versions, the current date and time, and the length of time since the last restart.

Interface Status
  Indicates whether each interface is up (green), down (red), or in an unknown state (gray).

Threat Logs
  Displays the threat ID, application, and date and time for the last 10 entries in the Threat log. The
  threat ID is a malware description or a URL that violates the URL filtering profile.

Config Logs
  Displays the administrator username, client (Web or CLI), and date and time for the last 10 entries in
  the Configuration log.

Data Filtering Logs
  Displays the description and date and time for the last 60 minutes in the Data Filtering log.

URL Filtering Logs
  Displays the description and date and time for the last 60 minutes in the URL Filtering log.

System Logs
  Displays the description and date and time for the last 10 entries in the System log.
  A "Config installed" entry indicates configuration changes were committed successfully.

System Resources
  Displays the Management CPU usage, Data Plane usage, and the Session Count, which displays the number
  of sessions established through the firewall.

Logged In Admins
  Displays the source IP address, session type (Web or CLI), and session start time for each
  administrator who is currently logged in.

ACC Risk Factor
  Displays the average risk factor (1 to 5) for the network traffic processed over the past week. Higher
  values indicate higher risk.

High Availability
  If high availability (HA) is enabled, indicates the HA status of the local and peer firewall: green
  (active), yellow (passive), or black (other). For more information about HA, see High Availability.

Locks
  Shows configuration locks taken by administrators.

Use the Application Command Center

The Application Command Center (ACC) is an interactive, graphical summary of the applications, users, URLs,
threats, and content traversing your network. The ACC uses the firewall logs to provide visibility into
traffic patterns and actionable information on threats. The ACC layout includes a tabbed view of network
activity, threat activity, and blocked activity, and each tab includes pertinent widgets for better
visualization of network traffic. The graphical representation allows you to interact with the data and
visualize the relationships between events on the network, so that you can uncover anomalies or find ways to
enhance your network security rules. For a personalized view of your network, you can also add a custom tab
and include widgets that allow you to drill down into the information that is most important to you.
- ACC First Look
- ACC Tabs
- ACC Widgets (Widget Descriptions)
- ACC Filters
- Interact with the ACC
- Use Case: ACC Path of Information Discovery

ACC First Look

Take a quick tour of the ACC.

Tabs
  The ACC includes three predefined tabs that provide visibility into network traffic, threat activity,
  and blocked activity. For information on each tab, see ACC Tabs.

Widgets
  Each tab includes a default set of widgets that best represent the events/trends associated with the
  tab. The widgets allow you to survey the data using the following filters:
  - bytes (in and out)
  - sessions
  - content (files and data)
  - URL categories
  - threats (and count)
  For information on each widget, see ACC Widgets.

Time
  The charts or graphs in each widget provide a summary and historic view. You can choose a custom range
  or use the predefined time periods that range from the last 15 minutes up to the last 30 days or last
  30 calendar days. The selected time period applies across all tabs in the ACC.
  The time period used to render data, by default, is the Last Hour, updated in 15-minute intervals. The
  date and time interval are displayed on screen; for example, at 11:40 the time range is
  01/12 10:30:00 to 01/12 11:29:59.

Global Filters
  The Global Filters allow you to set the filter across all widgets and all tabs. The charts/graphs apply
  the selected filters before rendering the data. For information on using the filters, see ACC Filters.

Risk Factor
  The risk factor (1 = lowest to 5 = highest) indicates the relative risk based on the applications used
  on your network. The risk factor uses a variety of factors to assess the associated risk levels, such as
  whether the application can share files, is prone to misuse, or tries to evade firewalls; it also
  factors in the threat activity and malware as seen through the number of blocked threats, compromised
  hosts, or traffic to malware hosts/domains.

Source
  The data segment used for the display. The options vary on the firewall and on Panorama.
  On the firewall, if enabled for multiple virtual systems, you can use the Virtual System drop-down to
  change the ACC display to include all virtual systems or just a selected virtual system.
  On Panorama, you can select the Device Group drop-down to change the ACC display to include all device
  groups or just a selected device group.
  Additionally, on Panorama, you can change the Data Source to Panorama data or Remote Device Data.
  Remote Device Data is only available when all the managed firewalls are on PAN-OS 7.0.0 or later. When
  you filter the display for a specific device group, Panorama data is used as the data source.

Export
  You can export the widgets displayed in the currently selected tab as a PDF. The PDF is downloaded and
  saved to the downloads folder associated with your web browser, on your computer.
ACC Tabs

The ACC includes the following predefined tabs for viewing network activity, threat activity, and blocked
activity.

Network Activity
  Displays an overview of traffic and user activity on your network including:
  - Top applications in use
  - Top users who generate traffic (with a drill-down into the bytes, content, threats, or URLs accessed
    by the user)
  - Most used security rules against which traffic matches occur
  In addition, you can also view network activity by source or destination zone, region, or IP address,
  ingress or egress interfaces, and GlobalProtect host information such as the operating systems of the
  devices most commonly used on the network.

Threat Activity
  Displays an overview of the threats on the network, focusing on the top threats: vulnerabilities,
  spyware, viruses, hosts visiting malicious domains or URLs, top WildFire submissions by file type and
  application, and applications that use non-standard ports. The Compromised Hosts widget in this tab
  (the widget is supported on some platforms only) supplements detection with better visualization
  techniques; it uses the information from the correlated events tab (Automated Correlation Engine >
  Correlated Events) to present an aggregated view of compromised hosts on your network by source
  users/IP addresses, sorted by severity.

Blocked Activity
  Focuses on traffic that was prevented from coming into the network. The widgets in this tab allow you
  to view activity denied by application name, user name, threat name, and blocked content (files and
  data that were blocked by a file blocking profile). It also lists the top security rules that were
  matched on to block threats, content, and URLs.

You can also Interact with the ACC to create customized tabs with custom layout and widgets that meet your
network monitoring needs.

ACC Widgets

The widgets on each tab are interactive; you can set the ACC Filters and drill down into the details for
each table or graph, or customize the widgets included in the tab to focus on the information you need. For
details on what each widget displays, see Widget Descriptions.

Widgets

View
  You can sort the data by bytes, sessions, threats, count, content, URLs, malicious, benign, files, data,
  profiles, objects. The available options vary by widget.

Graph
  The graphical display options are treemap, line graph, horizontal bar graph, stacked area graph, stacked
  bar graph, and map. The available options vary by widget; the interaction experience also varies with
  each graph type. For example, the widget for Applications using Non-Standard Ports allows you to choose
  between a treemap and a line graph.
  To drill down into the display, click into the graph. The area you click into becomes a filter and
  allows you to zoom in to the selection and view more granular information on the selection.

Table
  The detailed view of the data used to render the graph is provided in a table below the graph. You can
  interact with the table in several ways:
  - Click and set a local filter for an attribute in the table. The graph is updated and the table is
    sorted using the local filter. The information displayed in the graph and the table are always
    synchronized.
  - Hover over the attribute in the table and use the options available in the drop-down.

Actions
  - Maximize view: Allows you to enlarge the widget and view the table in a larger screen space and with
    more viewable information.
  - Set up local filters: Allows you to add ACC Filters to refine the display within the widget. Use
    these filters to customize the widgets; these customizations are retained between logins.
  - Jump to logs: Allows you to directly navigate to the logs (Monitor > Logs > Log type tab). The logs
    are filtered using the time period for which the graph is rendered.
    If you have set local and global filters, the log query concatenates the time period and the filters
    and only displays logs that match the combined filter set.
  - Export: Allows you to export the graph as a PDF. The PDF is downloaded and saved on your computer. It
    is saved in the Downloads folder associated with your web browser.

Widget Descriptions

Each tab on the ACC includes a different set of widgets.

Network Activity: Displays an overview of traffic and user activity on your network.

Application Usage
  The table displays the top ten applications used on your network; all the remaining applications used
  on the network are aggregated and displayed as "other". The graph displays all applications by
  application category, subcategory, and application. Use this widget to scan for applications being used
  on the network; it informs you about the predominant applications using bandwidth, session count, file
  transfers, triggering the most threats, and accessing URLs.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: treemap, area, column, line (the charts vary by the sort-by attribute selected)

User Activity
  Displays the top ten most active users on the network who have generated the largest volume of traffic
  and consumed network resources to obtain content. Use this widget to monitor top users on usage sorted
  on bytes, sessions, threats, content (files and patterns), and URLs visited.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: area, column, line (the charts vary by the sort-by attribute selected)

Source IP Activity
  Displays the top ten IP addresses or hostnames of the devices that have initiated activity on the
  network. All other devices are aggregated and displayed as "other".
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: area, column, line (the charts vary by the sort-by attribute selected)

Destination IP Activity
  Displays the IP addresses or hostnames of the top ten destinations that were accessed by users on the
  network.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: area, column, line (the charts vary by the sort-by attribute selected)

Source Regions
  Displays the top ten regions (built-in or custom-defined regions) around the world from where users
  initiated activity on your network.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: map, bar

Destination Regions
  Displays the top ten destination regions (built-in or custom-defined regions) on the world map from
  where content is being accessed by users on the network.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: map, bar

GlobalProtect Host Information
  Displays information on the state of the hosts on which the GlobalProtect agent is running; the host
  system is a GlobalProtect client. This information is sourced from entries in the HIP Match log that
  are generated when the data submitted by the GlobalProtect agent matches a HIP object or a HIP profile
  you have defined on the firewall. If you do not have HIP Match logs, this widget is blank. To learn how
  to create HIP objects and HIP profiles and use them as policy match criteria, see Configure HIP-Based
  Policy Enforcement.
  Sort attributes: profiles, objects, operating systems
  Charts available: bar

Rule Usage
  Displays the top ten rules that have allowed the most traffic on the network. Use this widget to view
  the most commonly used rules, monitor the usage patterns, and assess whether the rules are effective in
  securing your network.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: line

Ingress Interfaces
  Displays the firewall interfaces that are most used for allowing traffic into the network.
  Sort attributes: bytes, bytes sent, bytes received
  Charts available: line

Egress Interfaces
  Displays the firewall interfaces that are most used by traffic exiting the network.
  Sort attributes: bytes, bytes sent, bytes received
  Charts available: line

Source Zones
  Displays the zones that are most used for allowing traffic into the network.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: line

Destination Zones
  Displays the zones that are most used by traffic going outside the network.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: line

Threat Activity: Displays an overview of the threats on the network.

Compromised Hosts
  Displays the hosts that are likely compromised on your network. This widget summarizes the events from
  the correlation logs. For each source user/IP address, it includes the correlation object that
  triggered the match and the match count, which is aggregated from the match evidence collated in the
  correlated events logs. For details see Use the Automated Correlation Engine.
  Available on the PA-3000 Series, PA-5000 Series, PA-7000 Series, and Panorama.
  Sort attributes: severity (by default)

Hosts Visiting Malicious URLs
  Displays the frequency with which hosts (IP address/hostnames) on your network have accessed malicious
  URLs. These URLs are known to be malware based on categorization in PAN-DB.
  Sort attributes: count
  Charts available: line

Hosts Resolving Malicious Domains
  Displays the top hosts matching DNS signatures: hosts on the network that are attempting to resolve
  the hostname or domain of a malicious URL. This information is gathered from an analysis of the DNS
  activity on your network. It utilizes passive DNS monitoring, DNS traffic generated on the network,
  activity seen in the sandbox if you have configured DNS sinkhole on the firewall, and DNS reports on
  malicious DNS sources that are available to Palo Alto Networks customers.
  Sort attributes: count
  Charts available: line

Threat Activity
  Displays the threats seen on your network. This information is based on signature matches in
  Antivirus, Anti-Spyware, and Vulnerability Protection profiles and viruses reported by WildFire.
  Sort attributes: threats
  Charts available: bar, area, column

WildFire Activity by Application
  Displays the applications that generated the most WildFire submissions. This widget uses the malicious
  and benign verdicts from the WildFire Submissions log.
  Sort attributes: malicious, benign
  Charts available: bar, line
WildFire Activity by File Type
  Displays the threat vector by file type. This widget displays the file types that generated the most
  WildFire submissions and uses the malicious and benign verdicts from the WildFire Submissions log. If
  this data is unavailable, the widget is empty.
  Sort attributes: malicious, benign
  Charts available: bar, line

Applications using Non-Standard Ports
  Displays the applications that are entering your network on non-standard ports. If you have migrated
  your firewall rules from a port-based firewall, use this information to craft policy rules that allow
  traffic only on the default port for the application. Where needed, make an exception to allow traffic
  on a non-standard port or create a custom application.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: treemap, line

Rules Allowing Applications On Non-Standard Ports
  Displays the security policy rules that allow applications on non-default ports. The graph displays
  all the rules, while the table displays the top ten rules and aggregates the data from the remaining
  rules as "other".
  This information helps you identify gaps in network security by allowing you to assess whether an
  application is hopping ports or sneaking into your network. For example, you can validate whether you
  have a rule that allows traffic on any port except the default port for the application. Say, for
  example, you have a rule that allows DNS traffic on its application-default port (port 53 is the
  standard port for DNS). This widget will display any rule that allows DNS traffic into your network on
  any port except port 53.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: treemap, line
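
The Application Usage, Applications using Non-Standard Ports, and Rules Allowing Applications On Non-Standard Ports widgets above are all derived from the Traffic log. The following added example, which is not code from the guide or from Palo Alto Networks, reproduces that derivation over a handful of constructed traffic-log records so you can see exactly what each widget counts: top applications by bytes with the remainder folded into "other", applications that were allowed on a port other than their default, and the rules that let them through. The DEFAULT_PORTS table is an assumption standing in for the App-ID database, and the record layout is invented for the example.

```python
"""Reproduce three ACC widgets over traffic-log records.

Added example, not from the PAN-OS guide or Palo Alto Networks. The records, the field
layout and DEFAULT_PORTS are constructed for the example; on a firewall the default ports
come from the App-ID database and the records from the Traffic log.
"""
from collections import defaultdict

# Constructed records: (app, rule, protocol, destination port, bytes, action)
SESSIONS = [
    ("dns",          "allow-dns",     "udp",   53,   1200, "allow"),
    ("dns",          "allow-any-out", "tcp", 8053,    900, "allow"),  # DNS on a non-default port
    ("ssh",          "allow-any-out", "tcp",  443,  50000, "allow"),  # SSH hiding on 443
    ("ssh",          "allow-admin",   "tcp",   22,  30000, "allow"),
    ("web-browsing", "allow-web",     "tcp",   80, 250000, "allow"),
    ("ssl",          "allow-web",     "tcp",  443, 800000, "allow"),
    ("ssl",          "allow-web",     "tcp", 8443,   4000, "allow"),  # allow-web permits any port
    ("bittorrent",   "block-p2p",     "tcp", 6881,      0, "deny"),   # denied, so never "allowed off-port"
]

# Assumed default (protocol, port) pairs per application; stands in for the App-ID database.
DEFAULT_PORTS = {
    "dns": {("udp", 53), ("tcp", 53)},
    "ssh": {("tcp", 22)},
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
}


def is_non_standard(app, proto, port):
    """True when the App-ID has known default ports and this session used none of them."""
    return app in DEFAULT_PORTS and (proto, port) not in DEFAULT_PORTS[app]


def top_apps(sessions, n=10):
    """Application Usage: top n applications by bytes, remainder folded into 'other'."""
    totals = defaultdict(int)
    for app, _rule, _proto, _port, nbytes, _action in sessions:
        totals[app] += nbytes
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    head, tail = ranked[:n], ranked[n:]
    if tail:
        head.append(("other", sum(b for _, b in tail)))
    return head


def non_standard_port_activity(sessions):
    """Applications using Non-Standard Ports: allowed sessions on a non-default port, per app."""
    out = {}
    for app, rule, proto, port, nbytes, action in sessions:
        if action != "allow" or not is_non_standard(app, proto, port):
            continue
        entry = out.setdefault(app, {"sessions": 0, "bytes": 0, "ports": set(), "rules": set()})
        entry["sessions"] += 1
        entry["bytes"] += nbytes
        entry["ports"].add("%s/%d" % (proto, port))
        entry["rules"].add(rule)
    return out


def rules_allowing_non_standard(sessions):
    """Rules Allowing Applications On Non-Standard Ports: rule -> apps it let through off-port.

    Every rule listed here is a candidate for tightening its Service to application-default.
    """
    rules = defaultdict(set)
    for app, info in non_standard_port_activity(sessions).items():
        for rule in info["rules"]:
            rules[rule].add(app)
    return dict(rules)


if __name__ == "__main__":
    print("Application Usage:", top_apps(SESSIONS, n=2))
    for app, info in non_standard_port_activity(SESSIONS).items():
        print("non-standard:", app, sorted(info["ports"]), info["sessions"], "sessions", info["bytes"], "bytes")
    for rule, apps in rules_allowing_non_standard(SESSIONS).items():
        print("rule", rule, "allows off-port:", sorted(apps))
```

On the sample data the result is the situation the text warns about: allow-any-out lets both DNS and SSH through on ports that are not their defaults, and allow-web lets SSL through on 8443. Those are the two rules to revisit, either by setting their Service to application-default or by adding a deliberate exception for the port you actually need.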

Blocked ActivityFocusesontrafficthatwaspreventedfromcomingintothenetwork

Blocked Application Displaystheapplicationsthatweredeniedonyournetwork,andallowsyoutoview


Activity thethreats,content,andURLsthatyoukeptoutofyournetwork.
Sortattributes:threats,content,URLs
Chartsavailable:treemap,area,column

Blocked User Activity DisplaysuserrequeststhatwereblockedbyamatchonanAntivirus,Antispyware,


FileBlockingorURLFilteringprofileattachedtoSecuritypolicyrule.
Sortattributes:threats,content,URLs
Chartsavailable:bar,area,column

Blocked Threats Displaysthethreatsthatweresuccessfullydeniedonyournetwork.Thesethreats


werematchedonantivirussignatures,vulnerabilitysignatures,andDNSsignatures
availablethroughthedynamiccontentupdatesonthefirewall.
Sortattributes:threats
Chartsavailable:bar,area,column

Blocked Content Displaysthefilesanddatathatwasblockedfromenteringthenetwork.Thecontent


wasblockedbecausesecuritypolicydeniedaccessbasedoncriteriadefinedinaFile
BlockingsecurityprofileoraDataFilteringsecurityprofile.
Sortattributes:files,data
Chartsavailable:bar,area,column

260 PANOS7.1AdministratorsGuide PaloAltoNetworks,Inc.


Monitoring UsetheApplicationCommandCenter

Widget Description

Security Policies Blocking Displaysthesecuritypolicyrulesthatblockedorrestrictedtrafficintoyournetwork.


Activity Becausethiswidget displaysthethreats,content,andURLsthatweredeniedaccess
intoyournetwork,youcanuseittoassesstheeffectivenessofyourpolicyrules.This
widgetdoesnotdisplaytrafficthatblockedbecauseofdenyrulesthatyouhave
definedinpolicy.
Sortattributes:threats,content,URLs
Chartsavailable:bar,area,column
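The following Python script is an added example, not PAN-OS code or anything published by Palo Alto Networks. It reproduces the logic behind the Rules Allowing Applications On Non-Standard Ports widget over constructed traffic-log records: each session is checked against the application's default port(s), the offending sessions are aggregated per security rule, and rules beyond the top N are folded into a single "other" row as the widget's table does. The DEFAULT_PORTS table, the record fields and the rule names are assumptions made for the example; the firewall's own App-ID metadata is richer than this.

```python
"""Added example (not PAN-OS code): the logic of the ACC widget
"Rules Allowing Applications On Non-Standard Ports" run over
constructed traffic-log records.
"""
from collections import defaultdict

# Hypothetical application-default port table (constructed for the
# example; real App-ID metadata carries more detail than this).
DEFAULT_PORTS = {
    "dns": {53},
    "imap": {143, 993},
    "web-browsing": {80},
    "ssl": {443},
}

# Constructed traffic-log records, one per session. Field names are
# assumptions, not the firewall's log schema.
SAMPLE_LOGS = [
    {"rule": "allow-dns", "app": "dns", "dport": 53, "bytes": 1200},
    {"rule": "allow-dns", "app": "dns", "dport": 53, "bytes": 900},
    {"rule": "allow-any", "app": "dns", "dport": 8053, "bytes": 4100},
    {"rule": "allow-any", "app": "imap", "dport": 43206, "bytes": 210000},
    {"rule": "allow-any", "app": "imap", "dport": 143, "bytes": 1500},
    {"rule": "allow-web", "app": "web-browsing", "dport": 8080, "bytes": 5000},
    {"rule": "allow-web", "app": "web-browsing", "dport": 80, "bytes": 7000},
    {"rule": "allow-ssl", "app": "ssl", "dport": 443, "bytes": 3000},
    {"rule": "legacy-app", "app": "web-browsing", "dport": 8000, "bytes": 300},
]


def is_non_standard(record, default_ports=DEFAULT_PORTS):
    """True when the session's application ran on a port other than its
    application-default port(s). Applications with no known default are
    skipped, because there is nothing to compare against."""
    defaults = default_ports.get(record["app"])
    if not defaults:
        return False
    return record["dport"] not in defaults


def rules_allowing_non_standard_ports(logs, top=10, default_ports=DEFAULT_PORTS):
    """Aggregate non-standard-port sessions and bytes per rule, sorted by
    sessions (then bytes) descending. Like the widget's table, rules
    beyond the top N are folded into one 'other' row."""
    sessions = defaultdict(int)
    total_bytes = defaultdict(int)
    for rec in logs:
        if is_non_standard(rec, default_ports):
            sessions[rec["rule"]] += 1
            total_bytes[rec["rule"]] += rec["bytes"]
    rows = sorted(
        ((rule, sessions[rule], total_bytes[rule]) for rule in sessions),
        key=lambda r: (-r[1], -r[2], r[0]),
    )
    if len(rows) > top:
        head, tail = rows[:top], rows[top:]
        other = ("other", sum(r[1] for r in tail), sum(r[2] for r in tail))
        rows = head + [other]
    return rows


if __name__ == "__main__":
    # Review: every rule listed here admits an application on a port it
    # should not normally use; compare with the rule's intended scope.
    for rule, n, b in rules_allowing_non_standard_ports(SAMPLE_LOGS, top=2):
        print(f"{rule:12s} sessions={n:3d} bytes={b}")
```

With the constructed data the rule allow-any surfaces first because it admitted both DNS on port 8053 and imap on port 43206, which is the kind of gap the widget is meant to expose; the same aggregation works on exported traffic-log rows once the fields are mapped.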

ACC Filters

The graphs and tables on the ACC widgets allow you to use filters to narrow the scope of data that is displayed, so that you can isolate specific attributes and analyze information you want to view in greater detail. The ACC supports the simultaneous use of widget and global filters.

Widget Filters: Apply a widget filter, which is a filter that is local to a specific widget. A widget filter allows you to interact with the graph and customize the display so that you can drill down into the details and access the information you want to monitor on a specific widget. To create a widget filter that is persistent across reboots, you must use the Set Local Filter option.

Global filters: Apply global filters across all the tabs in the ACC. A global filter allows you to pivot the display around the details you care about right now and exclude the unrelated information from the current display. For example, to view all events relating to a specific user and application, you can apply the username and the application as a global filter and view only information pertaining to the user and the application through all the tabs and widgets on the ACC. Global filters are not persistent.

You can apply global filters in three ways:
Set a global filter from a table: Select an attribute from a table in any widget and apply the attribute as a global filter.
Add a widget filter to a global filter: Hover over the attribute and click the arrow icon to the right of the attribute. This option allows you to elevate a local filter used in a widget, and apply the attribute globally to update the display across all the tabs on the ACC.
Define a global filter: Define a filter using the Global Filters pane on the ACC.
See Interact with the ACC for details on using these filters.

Interact with the ACC

To customize and refine the ACC display, you can add and delete tabs, add and delete widgets, set local and global filters, and interact with the widgets.

Work with the Tabs and Widgets

Add a tab.
    1. Select the icon along the list of tabs.
    2. Add a View Name. This name will be used as the name for the tab. You can add up to five tabs.

Edit a tab.
    Select the tab, and click the pencil icon next to the tab name, to edit the tab.
    Editing a tab allows you to add, delete, or reset the widgets that are displayed in the tab. You can also change the widget layout in the tab.

See what widgets are included in a tab.
    1. Select the tab, and click on the pencil icon to edit it.
    2. Select the Add Widget drop-down and verify the widgets that have the check boxes selected.

Add a widget or a widget group.
    1. Add a new tab or edit a predefined tab.
    2. Select Add Widget, and then select the check box that corresponds to the widget you want to add. You can select up to a maximum of 12 widgets.
    3. (Optional) To create a 2-column layout, select Add Widget Group. You can drag and drop widgets into the 2-column display. As you drag the widget into the layout, a placeholder will display for you to drop the widget.
    You cannot name a widget group.

Delete a tab or a widget group/widget.
    1. To delete a custom tab, select the tab and click the X icon.
    You cannot delete a predefined tab.
    2. To delete a widget group/widget, edit the tab and, in the workspace section, click the [X] icon on the right. You cannot undo a deletion.

Reset the default widgets in a tab.
    On a predefined tab, such as the Blocked Activity tab, you can delete one or more widgets. If you want to reset the layout to include the default set of widgets for the tab, edit the tab and click Reset View.

Zoom in on the details in an area, column, or line graph.
    Click and drag an area in the graph to zoom in. For example, when you zoom in to a line graph, it triggers a re-query and the firewall fetches the data for the selected time period. It is not a mere magnification.

Use the table drop-down to find more information on an attribute.
    1. Hover over an attribute in a table to see the drop-down.
    2. Click into the drop-down to view the available options.
    Global Find: Use Global Find to search the firewall or Panorama management server for references to the attribute (username/IP address, object name, policy rule name, threat ID, or application name) anywhere in the candidate configuration.
    Value: Displays the details of the threat ID, application name, or address object.
    Who Is: Performs a domain name (WHOIS) lookup for the IP address. The lookup queries databases that store the registered users or assignees of an Internet resource.
    Search HIP Report: Uses the username or IP address to find matches in a HIP Match report.

Set a widget filter.
    You can also click an attribute in the table (below the graph) to apply it as a widget filter.
    1. Select a widget and click the icon.
    2. Click the icon to add the filters you want to apply.
    3. Click Apply. These filters are persistent across reboots.
    The active widget filters are indicated next to the widget name.

Negate a widget filter.
    1. Click the icon to display the Setup Local Filters dialog.
    2. Add a filter, and then click the negate icon.

Set a global filter from a table.
    Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute.

Set a global filter using the Global Filters pane.
    1. Locate the Global Filters pane on the left side of the ACC.
    2. Click the icon to view the list of filters you can apply.

Promote a widget filter to a global filter.
    1. On any table in a widget, click the link for an attribute. This sets the attribute as a widget filter.
    2. To promote the filter to be a global filter, select the arrow to the right of the filter.

Remove a filter.
    Click the icon to remove a filter.
    For global filters: It is located in the Global Filters pane.
    For widget filters: Click the icon to display the Setup Local Filters dialog, then select the filter, and click the icon.

Clear all filters.
    For global filters: Click the Clear All button under Global Filters.
    For widget filters: Select a widget and click the icon. Then click the Clear All button in the Setup Local Filters dialog.

See what filters are in use.
    For global filters: The number of global filters applied is displayed on the left pane under Global Filters.
    For widget filters: The number of widget filters applied on a widget is displayed next to the widget name. To view the filters, click the icon.

Reset the display on a widget.
    If you set a widget filter or drill into a graph, click the Home link to reset the display in the widget.

Use Case: ACC Path of Information Discovery

The ACC has a wealth of information that you can use as a starting point for analyzing network traffic. Let's look at an example of using the ACC to uncover events of interest. This example illustrates how you can use the ACC to ensure that legitimate users can be held accountable for their actions, detect and track unauthorized activity, and detect and diagnose compromised hosts and vulnerable systems on your network.
The widgets and filters in the ACC give you the capability to analyze the data and filter the views based on events of interest or concern. You can trace events that pique your interest, directly export a PDF of a tab, access the raw logs, and save a personalized view of the activity that you want to track. These capabilities make it possible for you to monitor activity and develop policies and countermeasures for fortifying your network against malicious activity. In this section, you will Interact with the ACC widgets across different tabs, drill down using widget filters, pivot the ACC views using global filters, and export a PDF for sharing with incident response or IT teams.
At first glance, you see the Application Usage and User Activity widgets in the ACC > Network Activity tab. The User Activity widget shows that user Marsha Wirth has transferred 718 Megabytes of data during the last hour. This volume is nearly six times more than any other user on the network. To see the trend over the past few hours, expand the Time period to the Last 6 Hrs, and now Marsha's activity has been 6.5 Gigabytes over 891 sessions and has triggered 38 threat signatures.

Because Marsha has transferred a large volume of data, apply her username as a global filter (ACC Filters) and pivot all the views in the ACC to Marsha's traffic activity.

The Application Usage tab now shows that the top application that Marsha used was rapidshare, a Swiss-owned file hosting site that belongs to the file-sharing URL category. For further investigation, add rapidshare as a global filter, and view Marsha's activity in the context of rapidshare.

Consider whether you want to sanction rapidshare for company use. Should you allow uploads to this site and do you need a QoS policy to limit bandwidth?

To view which IP addresses Marsha has communicated with, check the Destination IP Activity widget, and view the data by bytes and by URLs.

To find out which countries Marsha communicated with, sort on sessions in the Destination Regions widget.

From this data, you can confirm that Marsha, a user on your network, has established sessions in Korea and the European Union, and she logged 19 threats in her sessions within the United States.
To look at Marsha's activity from a threat perspective, remove the global filter for rapidshare. In the Threat Activity widget on the Threat Activity tab, view the threats. The widget displays that her activity had triggered a match for 26 vulnerabilities in the overflow, DoS and code-execution threat category. Several of these vulnerabilities are of critical severity.

To further drill down into each vulnerability, click into the graph and narrow the scope of your investigation. Each click automatically applies a local filter on the widget.

To investigate each threat by name, you can create a global filter for, say, Microsoft Works File Converter Field Length Remote Code Execution Vulnerability. Then, view the User Activity widget in the Network Activity tab. The tab is automatically filtered to display threat activity for Marsha (notice the global filters in the screenshot).

Notice that this Microsoft code execution vulnerability was triggered over email, by the imap application. You can now establish that Marsha has IE vulnerabilities and email attachment vulnerabilities, and perhaps her computer needs to be patched. You can now either navigate to the Blocked Threats widget in the Blocked Activity tab to check how many of these vulnerabilities were blocked.
Or, you can check the Rule Usage widget on the Network Activity tab to discover how many vulnerabilities made it into your network and which security rule allowed this traffic, and navigate directly to the security rule using the Global Find capability.

Then, drill into why imap used a non-standard port 43206 instead of port 143, which is the default port for the application. Consider modifying the security policy rule to allow applications to only use the default port for the application, or assess whether this port should be an exception on your network.
To review if any threats were logged over imap, check Marsha's activity in the WildFire Activity by Application widget in the Threat Activity tab. You can confirm that Marsha had no malicious activity, but to verify that no other user was compromised by the imap application, negate Marsha as a global filter and look for other users who triggered threats over imap.

Click into the bar for imap in the graph and drill into the inbound threats associated with the application. To find out who an IP address is registered to, hover over the attacker IP address and select the Who Is link in the drop-down.

Because the session count from this IP address is high, check the Blocked Content and Blocked Threats widgets in the Blocked Activity tab for events related to this IP address. The Blocked Activity tab allows you to validate whether or not your policy rules are effective in blocking content or threats when a host on your network is compromised.
Use the Export PDF capability on the ACC to export the current view (create a snapshot of the data) and send it to an incident response team. To view the threat logs directly from the widget, you can also click the icon to jump to the logs; the query is generated automatically and only the relevant logs are displayed on screen (for example in Monitor > Logs > Threat Logs).

You have now used the ACC to review network data/trends to find which applications or users are generating the most traffic, and how many applications are responsible for the threats seen on the network. You were able to identify which application(s) and user(s) generated the traffic, determine whether the application was on the default port and which policy rule(s) allowed the traffic into the network, and determine whether the threat is spreading laterally on the network. You also identified the destination IP addresses and geolocations with which hosts on the network are communicating. Use the conclusions from your investigation to craft goal-oriented policies that can secure users and your network.


App Scope

The App Scope reports provide visibility and analysis tools to help pinpoint problematic behavior, helping you understand changes in application usage and user activity, users and applications that take up most of the network bandwidth, and identify network threats.
With the App Scope reports, you can quickly see if any behavior is unusual or unexpected. Each report provides a dynamic, user-customizable window into the network; hovering the mouse over and clicking either the lines or bars on the charts opens detailed information about the specific application, application category, user, or source on the ACC. The App Scope charts on Monitor > App Scope give you the ability to:
Toggle the attributes in the legend to only view chart details that you want to review. The ability to include or exclude data from the chart allows you to change the scale and review details more closely.
Click into an attribute in a bar chart and drill down to the related sessions in the ACC. Click into an Application name, Application Category, Threat Name, Threat Category, Source IP address or Destination IP address on any bar chart to filter on the attribute and view the related sessions in the ACC.
Export a chart or map to PDF or as an image. For portability and offline viewing, you can Export charts and maps as PDFs or PNG images.
The following App Scope reports are available:
Summary Report
Change Monitor Report
Threat Monitor Report
Threat Map Report
Network Monitor Report
Traffic Map Report

Summary Report

The App Scope Summary report (Monitor > App Scope > Summary) displays charts for the top five gainers, losers, and bandwidth-consuming applications, application categories, users, and sources.

Change Monitor Report

The App Scope Change Monitor report (Monitor > App Scope > Change Monitor) displays changes over a specified time period. For example, the following chart displays the top applications that gained in use over the last hour as compared with the last 24-hour period. The top applications are determined by session count and sorted by percent.

The Change Monitor report contains the following buttons and options.

Button: Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Application: Determines the type of item reported: Application, Application Category, Source, or Destination.
Gainers: Displays measurements of items that have increased over the measured period.
Losers: Displays measurements of items that have decreased over the measured period.
New: Displays measurements of items that were added over the measured period.
Dropped: Displays measurements of items that were discontinued over the measured period.
Filter: Applies a filter to display only the selected item. None displays all entries.
(icon button, not reproduced here): Determines whether to display session or byte information.
Sort: Determines whether to sort entries by percentage or raw growth.
Export: Exports the graph as a .png image or as a PDF.
Compare: Specifies the period over which the change measurements are taken.
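The Python script below is an added example, not PAN-OS code or a Palo Alto Networks tool: it computes the four Change Monitor lists (gainers, losers, new, dropped) from constructed per-session records, measures by session count, and sorts by percentage or raw growth as the Sort button does. The guide does not state how the firewall normalises a one-hour window against a 24-hour window, so the example assumes one way to do it, comparing the last hour with the hourly average of the 24 hours before it; the session records, application names and counts are constructed.

```python
"""Added example (not PAN-OS code): Change Monitor style gainers, losers,
new and dropped lists computed from constructed session records.

Assumption: the baseline is the 24 hours preceding the current hour and is
normalised to an hourly rate before comparison. The guide does not state
the firewall's exact normalisation; this is an illustrative choice.
"""
from collections import Counter

CURRENT_MIN = 60               # the "last hour" window
BASELINE_MIN = 60 + 24 * 60    # the 24 hours before it (assumption)


def _make(app, current_n, baseline_n):
    """Constructed session records as (minutes_ago, application)."""
    return [(5, app)] * current_n + [(600, app)] * baseline_n


SAMPLE_SESSIONS = (
    _make("rapidshare", 30, 48)       # 2/hour baseline, 30 now: gainer
    + _make("web-browsing", 10, 240)  # 10/hour baseline, 10 now: unchanged
    + _make("dns", 5, 240)            # 10/hour baseline, 5 now: loser
    + _make("ssh", 3, 0)              # seen only in the last hour: new
    + _make("ftp", 0, 6)              # seen only in the baseline: dropped
)


def window_counts(sessions, current_min=CURRENT_MIN, baseline_min=BASELINE_MIN):
    """Count sessions per application in the current and baseline windows."""
    current, baseline = Counter(), Counter()
    for minutes_ago, app in sessions:
        if minutes_ago < current_min:
            current[app] += 1
        elif minutes_ago < baseline_min:
            baseline[app] += 1
    return current, baseline


def change_monitor(sessions, sort_by="percent", top=10):
    """Return the Gainers/Losers/New/Dropped rows. Gainer and loser rows are
    (app, sessions_now, baseline_rate, raw_growth, percent_growth); new and
    dropped rows are (app, sessions)."""
    current, baseline = window_counts(sessions)
    hours = (BASELINE_MIN - CURRENT_MIN) / CURRENT_MIN  # baseline length in hours
    gainers, losers, new, dropped = [], [], [], []
    for app in sorted(set(current) | set(baseline)):
        now, before = current[app], baseline[app]
        if before == 0:
            new.append((app, now))          # no baseline at all: New
            continue
        if now == 0:
            dropped.append((app, before))   # vanished this hour: Dropped
            continue
        rate = before / hours
        growth = now - rate
        percent = 100.0 * growth / rate
        row = (app, now, round(rate, 2), round(growth, 2), round(percent, 1))
        if growth > 0:
            gainers.append(row)
        elif growth < 0:
            losers.append(row)
    idx = 4 if sort_by == "percent" else 3  # Sort: percentage or raw growth
    gainers.sort(key=lambda r: -r[idx])
    losers.sort(key=lambda r: r[idx])
    return {
        "gainers": gainers[:top],
        "losers": losers[:top],
        "new": new[:top],
        "dropped": dropped[:top],
    }


if __name__ == "__main__":
    for name, rows in change_monitor(SAMPLE_SESSIONS).items():
        print(name, rows)
```

A sudden gainer or a brand-new application in the last hour is the signal to follow into the ACC, as the rapidshare investigation in the ACC use case does; an unexplained dropped entry can be just as interesting (a monitoring or backup flow that stopped).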

Threat Monitor Report

The App Scope Threat Monitor report (Monitor > App Scope > Threat Monitor) displays a count of the top threats over the selected time period. For example, the following figure shows the top 10 threat types over the last 6 hours.

Each threat type is color-coded as indicated in the legend below the chart. The Threat Monitor report contains the following buttons and options.

Button: Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Threats: Determines the type of item measured: Threat, Threat Category, Source, or Destination.
Filter: Applies a filter to display only the selected type of items.
(icon button, not reproduced here): Determines whether the information is presented in a stacked column chart or a stacked area chart.
Export: Exports the graph as a .png image or as a PDF.
(icon button, not reproduced here): Specifies the period over which the measurements are taken.

Threat Map Report

The App Scope Threat Map report (Monitor > App Scope > Threat Map) shows a geographical view of threats, including severity. Each threat type is color-coded as indicated in the legend below the chart.
The firewall uses geolocation for creating threat maps. The firewall is placed at the bottom of the threat map screen if you have not specified the geolocation coordinates (Device > Setup > Management, General Settings section) on the firewall.

The Threat Map report contains the following buttons and options.

Button: Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Incoming threats: Displays incoming threats.
Outgoing threats: Displays outgoing threats.
Filter: Applies a filter to display only the selected type of items.
Zoom In and Zoom Out: Zoom in and zoom out of the map.
Export: Exports the graph as a .png image or as a PDF.
(icon button, not reproduced here): Indicates the period over which the measurements are taken.

Network Monitor Report

The App Scope Network Monitor report (Monitor > App Scope > Network Monitor) displays the bandwidth dedicated to different network functions over the specified period of time. Each network function is color-coded as indicated in the legend below the chart. For example, the image below shows application bandwidth for the past 7 days based on session information.

The Network Monitor report contains the following buttons and options.

Button: Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Application: Determines the type of item reported: Application, Application Category, Source, or Destination.
Filter: Applies a filter to display only the selected item. None displays all entries.
(icon button, not reproduced here): Determines whether to display session or byte information.
Export: Exports the graph as a .png image or as a PDF.
(icon button, not reproduced here): Determines whether the information is presented in a stacked column chart or a stacked area chart.
(icon button, not reproduced here): Indicates the period over which the change measurements are taken.

Traffic Map Report

The App Scope Traffic Map report (Monitor > App Scope > Traffic Map) shows a geographical view of traffic flows according to sessions or flows.
The firewall uses geolocation for creating traffic maps. The firewall is placed at the bottom of the traffic map screen if you have not specified the geolocation coordinates (Device > Setup > Management, General Settings section) on the firewall.

Each traffic type is color-coded as indicated in the legend below the chart. The Traffic Map report contains the following buttons and options.

Buttons: Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Incoming threats: Displays incoming threats.
Outgoing threats: Displays outgoing threats.
(icon button, not reproduced here): Determines whether to display session or byte information.
Zoom In and Zoom Out: Zoom in and zoom out of the map.
Export: Exports the graph as a .png image or as a PDF.
(icon button, not reproduced here): Indicates the period over which the change measurements are taken.

Use the Automated Correlation Engine

The automated correlation engine is an analytics tool that uses the logs on the firewall to detect actionable events on your network. The engine correlates a series of related threat events that, when combined, indicate a likely compromised host on your network or some other higher-level conclusion. It pinpoints areas of risk, such as compromised hosts on the network, and allows you to assess the risk and take action to prevent exploitation of network resources. The automated correlation engine uses correlation objects to analyze the logs for patterns and, when a match occurs, it generates a correlated event.

The automated correlation engine is supported on the following platforms:
Panorama M-Series appliance and the virtual appliance
PA-7000 Series firewall
PA-5000 Series firewall
PA-3000 Series firewall

Automated Correlation Engine Concepts
View the Correlated Objects
Interpret Correlated Events
Use the Compromised Hosts Widget in the ACC

Automated Correlation Engine Concepts

The automated correlation engine uses correlation objects to analyze the logs for patterns and, when a match occurs, it generates a correlated event.
Correlation Object
Correlated Events

Correlation Object

A correlation object is a definition file that specifies patterns to match against, the data sources to use for the lookups, and the time period within which to look for these patterns. A pattern is a boolean structure of conditions that queries the following data sources (or logs) on the firewall: application statistics, traffic, traffic summary, threat summary, threat, data filtering, and URL filtering. Each pattern has a severity rating, and a threshold for the number of times the pattern match must occur within a defined time limit to indicate malicious activity. When the match conditions are met, a correlated event is logged.
A correlation object can connect isolated network events and look for patterns that indicate a more significant event. These objects identify suspicious traffic patterns and network anomalies, including suspicious IP activity, known command-and-control activity, known vulnerability exploits, or botnet activity that, when correlated, indicate with a high probability that a host on the network has been compromised.
Correlation objects are defined and developed by the Palo Alto Networks Threat Research team, and are delivered with the weekly dynamic updates to the firewall and Panorama. To obtain new correlation objects, the firewall must have a Threat Prevention license. Panorama requires a support license to get the updates.

The patterns defined in a correlation object can be static or dynamic. Correlation objects that include patterns observed in WildFire are dynamic, and can correlate malware patterns detected by WildFire with command-and-control activity initiated by a host that was targeted with the malware on your network. For example, when a host submits a file to the WildFire cloud and the verdict is malicious, the correlation object looks for other hosts or clients on the network that exhibit the same behavior seen in the cloud. If the malware sample had performed a DNS query and browsed to a malware domain, the correlation object will parse the logs for a similar event. When the activity on a host matches the analysis in the cloud, a high severity correlated event is logged.

Correlated Events

A correlated event is logged when the patterns and thresholds defined in a correlation object match the traffic patterns on your network. To Interpret Correlated Events and to view a graphical display of the events, see Use the Compromised Hosts Widget in the ACC.
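To make the concepts above concrete, here is an added example in Python; it is not PAN-OS code, and the real correlation objects delivered by content updates are not published in this guide. The example models a correlation object as an ordered list of pattern stages, each with a log source, a boolean condition and a match threshold, plus a time window and a severity. The engine walks each source host's records and logs a correlated event with a match time, an update time and the evidence when all stages occur in order inside the window. The three-stage escalation (probing, exploitation, contact with a known malicious domain) follows the description of the Compromise Lifecycle object later in this chapter, but the stage conditions, thresholds, window and log records are constructed for illustration and carry no real detection logic.

```python
"""Added example (not PAN-OS code): a minimal correlation engine in the
shape the guide describes. Correlation object, stages, thresholds, window
and log records are all constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Stage:
    name: str
    source: str                    # log source, e.g. 'threat' or 'url'
    match: Callable[[dict], bool]  # boolean condition on one log record
    threshold: int = 1             # hits required before the stage is satisfied


@dataclass
class CorrelationObject:
    name: str
    severity: str
    window_seconds: int            # all stages must fall inside this window
    stages: List[Stage]            # must be satisfied in this order


@dataclass
class CorrelatedEvent:
    object_name: str
    source_address: str
    severity: str
    match_time: int                # first piece of evidence
    update_time: int               # latest piece of evidence
    evidence: List[dict] = field(default_factory=list)

    def summary(self) -> str:
        return (f"{self.object_name}: {self.source_address} matched "
                f"{len(self.evidence)} records between t={self.match_time} "
                f"and t={self.update_time}")


def _match_sequence(stages: List[Stage], recs: List[dict]) -> List[dict]:
    """Walk time-ordered records once. A stage completes after `threshold`
    matching records; the next stage only starts counting after that."""
    evidence, i, hits = [], 0, 0
    for rec in recs:
        stage = stages[i]
        if rec["type"] == stage.source and stage.match(rec):
            evidence.append(rec)
            hits += 1
            if hits >= stage.threshold:
                i, hits = i + 1, 0
                if i == len(stages):
                    return evidence
    return []


def correlate(obj: CorrelationObject, logs: List[dict]) -> List[CorrelatedEvent]:
    """Evaluate one correlation object per source host; at most one event
    per host, anchored at the earliest window in which the sequence fits."""
    by_src: Dict[str, List[dict]] = {}
    for rec in sorted(logs, key=lambda r: r["ts"]):
        by_src.setdefault(rec["src"], []).append(rec)
    events = []
    for src, recs in by_src.items():
        for start in range(len(recs)):
            window_end = recs[start]["ts"] + obj.window_seconds
            candidate = [r for r in recs[start:] if r["ts"] <= window_end]
            evidence = _match_sequence(obj.stages, candidate)
            if evidence:
                events.append(CorrelatedEvent(obj.name, src, obj.severity,
                                              evidence[0]["ts"], evidence[-1]["ts"],
                                              evidence))
                break
    return events


# Constructed object modelled on the guide's description of a three-step
# escalation; the conditions and thresholds are illustrative only.
COMPROMISE_LIFECYCLE = CorrelationObject(
    name="Compromise Lifecycle (constructed)",
    severity="critical",
    window_seconds=3600,
    stages=[
        Stage("probing", "threat", lambda r: r["category"] == "scan", threshold=3),
        Stage("exploitation", "threat", lambda r: r["category"] == "vulnerability"),
        Stage("malicious-contact", "url", lambda r: r["url_category"] == "malware"),
    ],
)

# Constructed log records (ts in seconds). 10.1.1.5 completes the sequence;
# 10.1.1.9 probes once and its exploit falls outside the window.
SAMPLE_LOGS = [
    {"ts": 0, "type": "threat", "src": "10.1.1.5", "category": "scan"},
    {"ts": 30, "type": "threat", "src": "10.1.1.5", "category": "scan"},
    {"ts": 60, "type": "threat", "src": "10.1.1.5", "category": "scan"},
    {"ts": 300, "type": "threat", "src": "10.1.1.5", "category": "vulnerability"},
    {"ts": 900, "type": "url", "src": "10.1.1.5", "url_category": "malware"},
    {"ts": 100, "type": "threat", "src": "10.1.1.9", "category": "scan"},
    {"ts": 200, "type": "url", "src": "10.1.1.9", "url_category": "malware"},
    {"ts": 5000, "type": "threat", "src": "10.1.1.9", "category": "vulnerability"},
]

if __name__ == "__main__":
    for ev in correlate(COMPROMISE_LIFECYCLE, SAMPLE_LOGS):
        print(ev.summary())
```

The second host shows why ordering and the window matter: it touched a malicious URL and later triggered a vulnerability signature, but out of sequence and outside the window, so no event is raised, which keeps the engine's output to hosts whose evidence actually escalates.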

View the Correlated Objects

View the Correlation Objects Available on the Firewall

Step 1 To view the correlation objects that are currently available, select Monitor > Automated Correlation Engine > Correlation Objects. All the objects in the list are enabled by default.

Step 2 View the details on each correlation object. Each object provides the following information:
Name and Title: The name and title indicate the type of activity that the correlation object detects. The name column is hidden from view by default. To view the definition of the object, unhide the column and click the name link.
ID: A unique number that identifies the correlation object; this column is also hidden by default. The IDs are in the 6000 series.
Category: A classification of the kind of threat or harm posed to the network, user, or host. For now, all the objects identify compromised hosts on the network.
State: Indicates whether the correlation object is enabled (active) or disabled (inactive). All the objects in the list are enabled by default, and are hence active. Because these objects are based on threat intelligence data and are defined by the Palo Alto Networks Threat Research team, keep the objects active in order to track and detect malicious activity on your network.
Description: Specifies the match conditions for which the firewall or Panorama will analyze logs. It describes the sequence of conditions that are matched on to identify acceleration or escalation of malicious activity or suspicious host behavior. For example, the Compromise Lifecycle object detects a host involved in a complete attack lifecycle in a three-step escalation that starts with scanning or probing activity, progressing to exploitation, and concluding with network contact to a known malicious domain.

For more information, see Automated Correlation Engine Concepts and Use the Automated Correlation Engine.

Interpret Correlated Events

You can view and analyze the logs generated for each correlated event in the Monitor > Automated Correlation Engine > Correlated Events tab.

Correlated Events includes the following details:

Field: Description
Match Time: The time the correlation object triggered a match.
Update Time: The time when the event was last updated with evidence on the match. As the firewall collects evidence on the pattern or sequence of events defined in a correlation object, the timestamp on the correlated event log is updated.
Object Name: The name of the correlation object that triggered the match.
Source Address: The IP address of the user/device on your network from which the traffic originated.
Source User: The user and user group information from the directory server, if User-ID is enabled.
Severity: A rating that indicates the urgency and impact of the match. The severity level indicates the extent of damage or escalation pattern, and the frequency of occurrence. Because correlation objects are primarily for detecting threats, the correlated events typically relate to identifying compromised hosts on the network and the severity implies the following:
    Critical: Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.
    High: Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity generated by a particular host.
    Medium: Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs, which suggests a scripted command-and-control activity.
    Low: Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.
    Informational: Detects an event that may be useful in aggregate for identifying suspicious activity, but the event is not necessarily significant on its own.
    To configure the firewall or Panorama to send alerts using email, SNMP or syslog messages for a desired severity level, see Use External Services for Monitoring.
Summary: A description that summarizes the evidence gathered on the correlated event.

Click the icon to see the detailed log view, which includes all the evidence on a match:

Tab: Description
Match Information:
    Object Details: Presents information on the Correlation Object that triggered the match.
    Match Details: A summary of the match details that includes the match time, last update time on the match evidence, severity of the event, and an event summary.
Match Evidence: Presents all the evidence that corroborates the correlated event. It lists detailed information on the evidence collected for each session.

Use the Compromised Hosts Widget in the ACC

The compromised hosts widget on ACC > Threat Activity aggregates the Correlated Events and sorts them by severity. It displays the source IP address/user who triggered the event, the correlation object that was matched, and the number of times the object was matched. Use the match count link to jump to the match evidence details.

For more details, see Use the Automated Correlation Engine and Use the Application Command Center.

Take Packet Captures

All Palo Alto Networks firewalls allow you to take packet captures (pcaps) of traffic that traverses the management interface and network interfaces on the firewall. When taking packet captures on the dataplane, you may need to Disable Hardware Offload to ensure that the firewall captures all traffic.

Packet capture can be very CPU intensive and can degrade firewall performance. Only use this feature when necessary and make sure you turn it off after you have collected the required packets.

Types of Packet Captures
Disable Hardware Offload
Take a Custom Packet Capture
Take a Threat Packet Capture
Take an Application Packet Capture
Take a Packet Capture on the Management Interface

Types of Packet Captures

There are four different types of packet captures you can enable, depending on what you need to do:
Custom Packet Capture: The firewall captures packets for all traffic or for specific traffic based on filters that you define. For example, you can configure the firewall to only capture packets to and from a specific source and destination IP address or port. You then use the packet captures for troubleshooting network-related issues or for gathering application attributes to enable you to write custom application signatures or to request an application signature from Palo Alto Networks. See Take a Custom Packet Capture.
Threa