© 2009 Palo Alto Networks. Proprietary and Confidential 3.0-a
• Security Profiles look for malicious use of allowed applications
• Security Policies define which applications are allowed
• Profiles are applied to policies that allow traffic

• The profile used for traffic is based on the policy that allows the traffic
• Can use AD group and application as well as address
• Example:
© 2008 Palo Alto Networks. Proprietary and Confidential 2.1v1.0
• Works similar to Anti Virus
• Blocks installation of spyware
• 3 criteria to define rules
• Actions can be alert or block
• User will be notified with a block page
Alert Threshold = 4
Block Threshold = 8
• Count = 4: Alert
• Count = 8: Block
• Creating a pattern for “Confidential”
• The profile should be added to ALL outbound policies
• Joe User
• Agent connects to the Domain Controller over MS RPC
• Active Directory records user name and IP address of Log In event
• Users, Groups and Group membership are read
• Security Log is not replicated between Domain Controllers
• User information gets sent to the firewall over SSL
• Agent must have rights to read the security log
Domain Controllers: DC 1, DC 2
• When AD users connect to printer or file shares the server logs the user name and IP address.
• This is specific to each server
• The agent must have rights to view the current open sessions on the Domain Controller
Domain Controllers: DC 1, DC 2

• Runs on the Terminal or Citrix server
• Tracks user by source port
• User A gets Ports 20400 - 20800
User Agent - AD
• Active method for user mapping
• Prompt user for credentials
• Relies on HTTP connections to present portal (HTTP 302)
RADIUS

• Must be installed on a system that is a member of the domain
• Runs as a Windows Service
• The account used by the service must be able to:
- Read the security log and open sessions on the domain controller
- Read the Active Directory for user names and groups
- Submit NetBIOS name requests to client systems
• Can communicate with either 2008, 2003 or 2000 domain controllers
• Each Agent can only connect to one domain
• An appliance can communicate with more than one agent
• apac.corporate.local
• corporate.local
• emea.corporate.local

1. Download PAN Agent .msi file from support site
2. Install Agent on domain member server
3. Configure agent to use correct user account
4. Specify PAN agent configuration
Verify LDAP Connection
Verify Group enumeration
Allowed Firewalls