
Application Override

• Used as placeholder for applications with no App ID
• For internal applications only
• Used in Application Override Policy
• Displayed in ACC, logs and Reports

Application Override Policy

• Policy defines traffic that will not go through App ID process
• Security policy referencing the application is still needed

Page 18 | © 2009 Palo Alto Networks. Proprietary and Confidential 3.0-a Page 19 | © 2009 Palo Alto Networks. Proprietary and Confidential 3.0-a

PaloAlto Training print.indd 31 3/8/10 12:48 PM


Customize Application Settings

(screenshot only)

New HTTP Applications

(screenshot only)



Thank You



Content Identification



Agenda

• Security Policies and Profiles
• Anti Virus
• Anti Spyware
• Vulnerability Protection
• URL Filtering
• File Blocking
• Data Filtering



Security Profiles

• Security Profiles look for malicious use of allowed applications
• Security Policies define which applications are allowed
• Profiles are applied to policies that allow traffic

Using Profiles and Policies

• The profile used for traffic is based on the policy that allows the traffic
• Can use AD group and application as well as address
• Example:
- Open Twitter: Student users, no URL filtering profile
- Limited Twitter: All other users, URL filtering to specific Twitter URLs



Anti-Virus Profiles

(screenshot only)

Anti Spyware Profiles – Download Protection

• Works similarly to Anti Virus
• Blocks installation of spyware



Anti Spyware Profiles – Phone Home Protection

(screenshot only)

Vulnerability Protection

• Provides IPS functionality
• Detects attempts to use known exploits on the network
• Simple and Custom views
• Can add exceptions to the simple view


Exempting Threats

• Exemptions can be configured for Spyware, Anti Virus and Vulnerability protection
• Added by Threat ID

URL Filtering Profile

• Actions can be defined for each category
• Notification page for user can be customized
• Allow List and Block List accept wildcards



URL Filtering Actions

• Allow – Traffic is passed, no log generated
• Block – Traffic is blocked. Block log generated
• Alert – Traffic is allowed. Allow log generated
• Continue – User is warned that the site is questionable. Block-Continue log generated
- If user clicks through, the traffic is allowed and a Continue log is generated
• Override – Traffic is blocked. User is offered chance to enter override password. Block-Override log generated
- If user enters password, the traffic is allowed and an Override log is generated

Default Block Pages

(screenshot only)



Interaction of Block and Allow lists

Evaluated in this order:
1. Block List
2. Allow List
3. Category Settings

File Blocking Profiles

• Detects file attachments
• Identifies the file based on MIME type and file header, not extension
• 3 criteria to define rules
• Actions can be alert or block
• User will be notified with a block page
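Added example, not part of the original training slides: a small Python evaluator of the precedence the two URL filtering slides describe (block list first, then allow list, then the per-category action) together with the log type each action produces. The profile, the category database and every hostname in it are constructed for illustration, not exported from a device.

```python
import fnmatch

# Log written when each action fires (from the URL Filtering Actions slide).
LOG_FOR_ACTION = {
    "allow": None,                  # traffic passed, no log generated
    "block": "block",
    "alert": "allow",               # passed, but an allow log is written
    "continue": "block-continue",   # a later click-through adds a continue log
    "override": "block-override",   # a correct password adds an override log
}

# Constructed profile and category database (assumptions, not a device export).
PROFILE = {
    "block_list": ["*.example-malware.test", "phish.test"],
    "allow_list": ["hr.twitter.test", "*.corp.test"],
    "categories": {"social-networking": "continue", "malware": "block",
                   "business": "allow", "unknown": "alert"},
}
CATEGORY_DB = {
    "twitter.test": "social-networking",
    "hr.twitter.test": "social-networking",
    "bad.example-malware.test": "malware",
    "wiki.corp.test": "business",
}


def hostname(url):
    """List entries match on the hostname only: drop scheme, port and path."""
    host = url.split("://", 1)[-1].split("/", 1)[0]
    return host.split(":", 1)[0].lower()


def in_list(host, patterns):
    """Allow and block lists accept wildcards; fnmatch gives '*' and '?'."""
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)


def evaluate(url, profile=PROFILE, db=CATEGORY_DB):
    """Return (action, reason, log_type) in the slide's precedence order."""
    host = hostname(url)
    if in_list(host, profile["block_list"]):            # 1. block list
        action, reason = "block", "block-list"
    elif in_list(host, profile["allow_list"]):          # 2. allow list
        action, reason = "allow", "allow-list"
    else:                                               # 3. category setting
        reason = db.get(host, "unknown")
        action = profile["categories"].get(reason, "allow")
    return action, reason, LOG_FOR_ACTION[action]
```

Note that hr.twitter.test is allowed by the allow list even though its category action is "continue", which is the "Limited Twitter" pattern from the Using Profiles and Policies slide.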



Data Filtering

• Data Patterns
- Sets of regular expressions
- Credit card and SSN pre-defined
- Signatures can be weighted
• Data Filtering Profiles
- Look for Data Objects in specific applications
- Have an Alert and a Block threshold
- Can be configured differently for upload / download

Weight and Thresholds

• Each Pattern has a weight
• When pattern is detected the count is incremented by the weight
• When the count reaches a threshold the action is taken
• Count is the total for all patterns detected
• Count is per session



Filter Weight Example

Credit Card Weight = 1
SSN Weight = 2
Alert Threshold = 4
Block Threshold = 8

Session walk-through:
• Count = 1
• Count = 4: Alert
• Count = 8: Block

Securing DLP Data

• A password must be set for packet captures on Data Filters
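Added example, not from the original slides: the weighted per-session counter that the Weight and Thresholds slide describes, run over a constructed three-chunk session that reproduces the walk-through above (count 1, then 4 which alerts, then 8 which blocks). The two regexes are an assumption standing in for the pre-defined credit card and SSN signatures; the weights and thresholds are the slide's.

```python
import re

# Constructed regexes stand in for the pre-defined credit card and SSN
# signatures (assumption); weights and thresholds come from the slide.
PATTERNS = {
    "credit-card": (re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), 1),
    "ssn":         (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 2),
}
ALERT_THRESHOLD = 4
BLOCK_THRESHOLD = 8


class SessionFilter:
    """One counter per session, shared by every pattern in the profile."""

    def __init__(self, patterns=PATTERNS, alert=ALERT_THRESHOLD,
                 block=BLOCK_THRESHOLD):
        self.patterns, self.alert, self.block = patterns, alert, block
        self.count = 0

    def inspect(self, payload):
        """Add weight x matches for every pattern, then pick the action."""
        for regex, weight in self.patterns.values():
            self.count += weight * len(regex.findall(payload))
        if self.count >= self.block:
            return "block"
        if self.count >= self.alert:
            return "alert"
        return "allow"


def run_session(chunks, **thresholds):
    """Return [(running count, action)] for each chunk of one session."""
    session = SessionFilter(**thresholds)
    trail = []
    for chunk in chunks:
        action = session.inspect(chunk)
        trail.append((session.count, action))
    return trail


# Constructed session that reproduces the slide: one card, then a card plus
# an SSN (count 4, alert), then two SSNs (count 8, block).
SAMPLE_SESSION = [
    "invoice card 4111 1111 1111 1111",
    "card 5500 0000 0000 0004 employee ssn 123-45-6789",
    "ssn 987-65-4320 and ssn 111-22-3333",
]
```

Because the count is per session, re-running only the first chunk in a fresh session starts again from zero rather than continuing from 8.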



DLP Example

• Creating a pattern for “Confidential”

The Data Filtering Profile

• The profile should be added to ALL outbound policies



The Traffic

• Data filtering can be applied to all applications
• Here the word “Confidential” is used in a Gmail message

The Data Filtering Log and Detail

• Log shows application and direction
• Capture shows the pattern that triggered the filter



Thank You



User Identification Agent



Agenda

• Introduction to User Identification
• User Agent Tasks
- Enumerating users and groups
- Mapping users
• Captive Portal
• Terminal Services Agent
• Installing the Agent
• Agent Configuration
• Captive Portal Configuration
• Users in Security Policy



User Identification Agent

• The PAN Agent provides user to IP mapping for correlation of User Name to Application Use
(Figure: Joe User is 172.19.101.10 running uTorrent; the agent maps the address back to Joe User)

Uses for User Information

Within Logs
• Sort log data by User / Group
• Filter logs by User

In Security Policy
• Control application use by Group
• Separate Unknown user traffic from known user traffic



Enumerating Users – Active Directory

• Agent connects to the Domain Controller over MS RPC
• Users, Groups and Group membership are read
• User information gets sent to the firewall over SSL

Mapping Users – AD Security Log

• Active Directory records user name and IP address of Log In event
• Security Log is not replicated between Domain Controllers
• Agent must have rights to read the security log
(Figure: Domain Controllers DC 1 and DC 2)



Mapping Users – Open Server Sessions

• When AD users connect to printer or file shares the server logs the user name and IP address
• This is specific to each server
• The agent must have rights to view the current open sessions on the Domain Controller
(Figure: User A and User B connecting to DC 1 and DC 2)

Terminal Server Agent

• Runs on the Terminal or Citrix server
• Tracks user by source port
• User A gets Ports 20400 - 20800
(Figure: Terminal Server with Agent)
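Added example (not Palo Alto's code): why a terminal server agent tracks users by source port. Every user on the server shares the server's IP address, so an IP-only mapping cannot tell them apart; the firewall has to key its lookup on (server IP, source port). User A's 20400 - 20800 range follows the slide; the server address, the 400-port block size, and the class API are assumptions.

```python
class TerminalServerPortMap:
    """Per-server table of source-port blocks, one block per logged-in user.

    All users on a terminal server share the server's IP address, so the
    firewall must key its user lookup on (server IP, source port) rather
    than on IP alone. The 400-port block size and this API are assumptions;
    User A's 20400 - 20800 range follows the slide.
    """

    def __init__(self, server_ip, first_port=20400, block_size=400):
        self.server_ip = server_ip
        self.block_size = block_size
        self.next_port = first_port
        self.blocks = {}            # user -> (first_port, last_port)

    def allocate(self, user):
        """Reserve the next free block for a user; idempotent per user."""
        if user not in self.blocks:
            first = self.next_port
            last = first + self.block_size
            self.blocks[user] = (first, last)
            self.next_port = last + 1
        return self.blocks[user]

    def release(self, user):
        """Called on logoff so flows from that block are no longer attributed."""
        self.blocks.pop(user, None)

    def user_for(self, src_ip, src_port):
        """Firewall-side lookup for a flow's source tuple; None if unknown."""
        if src_ip != self.server_ip:
            return None
        for user, (first, last) in self.blocks.items():
            if first <= src_port <= last:
                return user
        return None
```

Released blocks are not reused here; a production agent would recycle them, which is why logoff tracking matters for attribution accuracy.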



Mapping Users – NetBIOS Query

• Previous methods were all passive
• If no mapping can be achieved with passive methods the agent switches to active methods
• NetBIOS queries can be sent to workstations to find users
(Figure: User Agent - AD)

Mapping Users – Captive Portal – NTLM Auth

• Fully transparent to Windows users
• Uses a 302 Redirect and 401 Unauthorized HTTP options


Mapping Users – Captive Portal – Web Form

• Active method for user mapping
• Prompt user for credentials
• Relies on HTTP connections to present portal (HTTP 302)
(Figure: RADIUS)

PAN Agent Requirements

• Must be installed on a system that is a member of the domain
• Runs as a Windows Service
• The account used by the service must be able to:
- Read the security log and open sessions on the domain controller
- Read the Active Directory for user names and groups
- Submit NetBIOS name requests to client systems
• Can communicate with either 2008, 2003 or 2000 domain controllers


PAN Agents and Domains

• Each Agent can only connect to one domain
• An appliance can communicate to more than one agent
(Figure: Corp PAN Agent for corporate.local, APAC PAN Agent for apac.corporate.local and EMEA PAN Agent for emea.corporate.local, all reporting to one Firewall)

Configuration Steps – User Agent

1. Download PAN Agent .msi file from support site
2. Install Agent on domain member server
3. Configure agent to use correct user account
4. Specify PAN agent configuration
5. Add Agents to device
6. Enable User Identification per Zone


Setting the User Agent Account

(screenshot only)

PAN Agent status - Agent

Screenshot callouts:
• View errors encountered by Agent
• View IP Mappings
• Verify LDAP Connection
• Verify Group enumeration



Configuration of the PAN Agent

• Domain name and IP Addresses of Domain controllers
• Port for the Agent service to listen on
• IP ranges to be checked and ignored

Filtering Users and Groups

• Specify Groups to send to firewall
- Select with “Filter Group Members”
• Specify which Groups to not send to the firewall
- Select them with the “Ignore Groups” button



Adding Agents to the Device

• In the Device tab there is a User Identification node
• Enter the Agent's IP address and port



Enable User Identification for Zone traffic

1. Enable User ID by zone
2. Choose IP Addresses to be identified in each zone

Terminal Server Agent Configuration

Screenshot callouts:
• Connected firewalls
• Allowed Firewalls
