Professional Documents
Culture Documents
Pan Os Admin 9.1
Pan Os Admin 9.1
Pan Os Admin 9.1
Version 9.1
docs.paloaltonetworks.com
Contact Informaon
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support.html
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
©2019–2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks menoned herein may be trademarks of their respecve
companies.
Last Revised
December 14, 2021
PAN-OS® Administrator’s Guide Version Version 9.1 2 ©2021 Palo Alto Networks, Inc.
Table of Contents
Geng Started................................................................................................. 23
Integrate the Firewall into Your Management Network.................................................. 24
Determine Your Management Strategy....................................................................24
Perform Inial Configuraon...................................................................................... 25
Set Up Network Access for External Services........................................................30
Register the Firewall................................................................................................................. 35
Create a New Support Account and Register a Firewall...................................... 35
Register a Firewall......................................................................................................... 37
(Oponal) Perform Day 1 Configuraon.................................................................. 40
Register the Firewall Line Cards................................................................................ 43
Segment Your Network Using Interfaces and Zones........................................................44
Network Segmentaon for a Reduced Aack Surface......................................... 44
Configure Interfaces and Zones................................................................................. 45
Set Up a Basic Security Policy............................................................................................... 48
Assess Network Traffic.............................................................................................................53
Enable Free WildFire Forwarding.......................................................................................... 55
Best Pracces for Compleng the Firewall Deployment.................................................58
Best Pracces for Securing Administrave Access...........................................................59
Isolate the Management Network.............................................................................59
Use Service Routes to Access External Services....................................................60
Restrict Access to the Management Interface........................................................61
Manage Administrator Access.................................................................................... 62
Create Strong Administrator Passwords.................................................................. 63
Scan All Traffic Desned for the Management Interface..................................... 64
Replace the Cerficate for Inbound Management Traffic.................................... 65
Keep Content and Soware Updates Current........................................................65
Subscripons..................................................................................................... 67
Subscripons You Can Use With the Firewall....................................................................68
Acvate Subscripon Licenses.............................................................................................. 71
What Happens When Licenses Expire?............................................................................... 73
Enhanced Applicaon Logs for Palo Alto Networks Cloud Services.............................76
PAN-OS® Administrator’s Guide Version Version 9.1 3 ©2021 Palo Alto Networks, Inc.
Table of Contents
PAN-OS® Administrator’s Guide Version Version 9.1 4 ©2021 Palo Alto Networks, Inc.
Table of Contents
Authencaon................................................................................................219
Authencaon Types............................................................................................................. 220
External Authencaon Services............................................................................ 220
Mul-Factor Authencaon..................................................................................... 220
SAML.............................................................................................................................. 222
Kerberos.........................................................................................................................222
TACACS+....................................................................................................................... 223
RADIUS.......................................................................................................................... 224
LDAP...............................................................................................................................226
Local Authencaon...................................................................................................226
Plan Your Authencaon Deployment.............................................................................. 227
Configure Mul-Factor Authencaon............................................................................. 229
Configure MFA Between RSA SecurID and the Firewall................................... 233
Configure MFA Between Okta and the Firewall..................................................242
Configure MFA Between Duo and the Firewall...................................................251
Configure SAML Authencaon......................................................................................... 260
Configure Kerberos Single Sign-On....................................................................................265
Configure Kerberos Server Authencaon...................................................................... 268
Configure TACACS+ Authencaon.................................................................................. 269
Configure RADIUS Authencaon..................................................................................... 272
Configure LDAP Authencaon..........................................................................................276
Connecon Timeouts for Authencaon Servers.......................................................... 278
Guidelines for Seng Authencaon Server Timeouts.....................................278
Modify the PAN-OS Web Server Timeout............................................................279
Modify the Capve Portal Session Timeout......................................................... 279
Configure Local Database Authencaon........................................................................ 281
Configure an Authencaon Profile and Sequence....................................................... 282
Test Authencaon Server Connecvity.......................................................................... 286
Authencaon Policy.............................................................................................................288
Authencaon Timestamps...................................................................................... 288
Configure Authencaon Policy..............................................................................289
Troubleshoot Authencaon Issues................................................................................... 293
PAN-OS® Administrator’s Guide Version Version 9.1 5 ©2021 Palo Alto Networks, Inc.
Table of Contents
High Availability.............................................................................................335
HA Overview........................................................................................................................... 336
HA Concepts............................................................................................................................ 337
HA Modes..................................................................................................................... 337
HA Links and Backup Links...................................................................................... 338
Device Priority and Preempon.............................................................................. 343
Failover........................................................................................................................... 344
LACP and LLDP Pre-Negoaon for Acve/Passive HA.................................. 344
Floang IP Address and Virtual MAC Address.................................................... 345
ARP Load-Sharing........................................................................................................347
Route-Based Redundancy......................................................................................... 348
HA Timers..................................................................................................................... 349
Session Owner............................................................................................................. 351
Session Setup............................................................................................................... 352
PAN-OS® Administrator’s Guide Version Version 9.1 6 ©2021 Palo Alto Networks, Inc.
Table of Contents
Monitoring....................................................................................................... 409
Use the Dashboard.................................................................................................................410
Use the Applicaon Command Center..............................................................................412
ACC—First Look........................................................................................................... 412
ACC Tabs....................................................................................................................... 415
ACC Widgets................................................................................................................ 416
Widget Descripons................................................................................................... 418
ACC Filters.................................................................................................................... 423
Interact with the ACC................................................................................................ 425
Use Case: ACC—Path of Informaon Discovery..................................................428
Use the App Scope Reports................................................................................................. 435
Summary Report.......................................................................................................... 435
Change Monitor Report............................................................................................. 436
Threat Monitor Report...............................................................................................437
Threat Map Report......................................................................................................438
Network Monitor Report...........................................................................................439
Traffic Map Report...................................................................................................... 440
Use the Automated Correlaon Engine............................................................................ 442
Automated Correlaon Engine Concepts..............................................................442
View the Correlated Objects....................................................................................443
Interpret Correlated Events...................................................................................... 444
Use the Compromised Hosts Widget in the ACC............................................... 446
PAN-OS® Administrator’s Guide Version Version 9.1 7 ©2021 Palo Alto Networks, Inc.
Table of Contents
PAN-OS® Administrator’s Guide Version Version 9.1 8 ©2021 Palo Alto Networks, Inc.
Table of Contents
User-ID............................................................................................................. 591
User-ID Overview................................................................................................................... 592
User-ID Concepts....................................................................................................................594
Group Mapping............................................................................................................ 594
User Mapping............................................................................................................... 594
Enable User-ID.........................................................................................................................599
Map Users to Groups.............................................................................................................603
Map IP Addresses to Users.................................................................................................. 610
Create a Dedicated Service Account for the User-ID Agent.............................611
Configure User Mapping Using the Windows User-ID Agent.......................... 632
Configure User Mapping Using the PAN-OS Integrated User-ID Agent.........646
Configure Server Monitoring Using WinRM.........................................................650
Configure User-ID to Monitor Syslog Senders for User Mapping....................658
Map IP Addresses to Usernames Using Capve Portal......................................668
Configure User Mapping for Terminal Server Users............................................675
Send User Mappings to User-ID Using the XML API......................................... 686
Enable User- and Group-Based Policy...............................................................................687
Enable Policy for Users with Mulple Accounts............................................................. 688
Verify the User-ID Configuraon........................................................................................690
Deploy User-ID in a Large-Scale Network....................................................................... 693
Deploy User-ID for Numerous Mapping Informaon Sources......................... 693
Insert Username in HTTP Headers......................................................................... 697
Redistribute User Mappings and Authencaon Timestamps......................... 699
Share User-ID Mappings Across Virtual Systems................................................ 703
App-ID.............................................................................................................. 707
App-ID Overview.................................................................................................................... 708
App-ID and HTTP/2 Inspecon.......................................................................................... 709
Manage Custom or Unknown Applicaons......................................................................711
Manage New and Modified App-IDs................................................................................. 712
Apply Tags to an Applicaon Filter.........................................................................713
Create Custom Applicaon Tags............................................................................. 714
PAN-OS® Administrator’s Guide Version Version 9.1 9 ©2021 Palo Alto Networks, Inc.
Table of Contents
Threat Prevenon..........................................................................................777
Best Pracces for Securing Your Network from Layer 4 and Layer 7 Evasions........778
Set Up Anvirus, An-Spyware, and Vulnerability Protecon.....................................785
DNS Security............................................................................................................................788
About DNS Security................................................................................................... 788
Domain Generaon Algorithm (DGA) Detecon.................................................789
DNS Tunneling Detecon......................................................................................... 789
Cloud-Delivered DNS Signatures and Protecons..............................................790
Enable DNS Security.................................................................................................. 791
Use DNS Queries to Idenfy Infected Hosts on the Network.................................... 796
How DNS Sinkholing Works.....................................................................................796
PAN-OS® Administrator’s Guide Version Version 9.1 10 ©2021 Palo Alto Networks, Inc.
Table of Contents
Decrypon.......................................................................................................867
Decrypon Overview.............................................................................................................868
Decrypon Concepts............................................................................................................. 870
Keys and Cerficates for Decrypon Policies...................................................... 870
SSL Forward Proxy...................................................................................................... 872
SSL Forward Proxy Decrypon Profile...................................................................874
SSL Inbound Inspecon............................................................................................. 876
SSL Inbound Inspecon Decrypon Profile.......................................................... 878
SSL Protocol Sengs Decrypon Profile.............................................................. 879
SSH Proxy......................................................................................................................881
SSH Proxy Decrypon Profile.................................................................................. 882
PAN-OS® Administrator’s Guide Version Version 9.1 11 ©2021 Palo Alto Networks, Inc.
Table of Contents
PAN-OS® Administrator’s Guide Version Version 9.1 12 ©2021 Palo Alto Networks, Inc.
Table of Contents
PAN-OS® Administrator’s Guide Version Version 9.1 13 ©2021 Palo Alto Networks, Inc.
Table of Contents
VPNs............................................................................................................... 1063
VPN Deployments................................................................................................................1064
Site-to-Site VPN Overview................................................................................................ 1065
Site-to-Site VPN Concepts.................................................................................................1066
IKE Gateway...............................................................................................................1066
Tunnel Interface.........................................................................................................1066
Tunnel Monitoring.....................................................................................................1067
Internet Key Exchange (IKE) for VPN.................................................................. 1067
IKEv2............................................................................................................................ 1070
Set Up Site-to-Site VPN..................................................................................................... 1074
Set Up an IKE Gateway...........................................................................................1074
Define Cryptographic Profiles................................................................................1081
Set Up an IPSec Tunnel...........................................................................................1084
Set Up Tunnel Monitoring...................................................................................... 1087
Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel...........1088
Test VPN Connecvity............................................................................................ 1090
Interpret VPN Error Messages...............................................................................1090
Site-to-Site VPN Quick Configs........................................................................................1092
Site-to-Site VPN with Stac Roung...................................................................1092
PAN-OS® Administrator’s Guide Version Version 9.1 14 ©2021 Palo Alto Networks, Inc.
Table of Contents
Networking................................................................................................... 1147
Configure Interfaces.............................................................................................................1148
Tap Interfaces.............................................................................................................1148
Virtual Wire Interfaces............................................................................................ 1149
Layer 2 Interfaces..................................................................................................... 1158
Layer 3 Interfaces..................................................................................................... 1164
Configure an Aggregate Interface Group............................................................ 1176
Use Interface Management Profiles to Restrict Access................................... 1178
Virtual Routers...................................................................................................................... 1180
Service Routes.......................................................................................................................1182
Stac Routes..........................................................................................................................1184
Stac Route Overview.............................................................................................1184
Stac Route Removal Based on Path Monitoring............................................. 1184
Configure a Stac Route......................................................................................... 1187
Configure Path Monitoring for a Stac Route................................................... 1189
RIP............................................................................................................................................ 1192
OSPF........................................................................................................................................ 1194
OSPF Concepts..........................................................................................................1194
PAN-OS® Administrator’s Guide Version Version 9.1 15 ©2021 Palo Alto Networks, Inc.
Table of Contents
Configure OSPF.........................................................................................................1196
Configure OSPFv3.................................................................................................... 1199
Configure OSPF Graceful Restart......................................................................... 1202
Confirm OSPF Operaon........................................................................................1203
BGP.......................................................................................................................................... 1205
BGP Overview........................................................................................................... 1205
MP-BGP.......................................................................................................................1205
Configure BGP........................................................................................................... 1207
Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast...................... 1214
Configure a BGP Peer with MP-BGP for IPv4 Mulcast.................................1217
BGP Confederaons.................................................................................................1218
IP Mulcast............................................................................................................................ 1223
IGMP............................................................................................................................ 1223
PIM............................................................................................................................... 1224
Configure IP Mulcast............................................................................................. 1230
View IP Mulcast Informaon...............................................................................1237
Route Redistribuon............................................................................................................ 1240
GRE Tunnels...........................................................................................................................1243
GRE Tunnel Overview..............................................................................................1243
Create a GRE Tunnel................................................................................................1244
DHCP.......................................................................................................................................1248
DHCP Overview........................................................................................................1248
Firewall as a DHCP Server and Client................................................................. 1249
DHCP Messages........................................................................................................1249
DHCP Addressing..................................................................................................... 1250
DHCP Opons...........................................................................................................1252
Configure an Interface as a DHCP Server.......................................................... 1254
Configure an Interface as a DHCP Client........................................................... 1258
Configure the Management Interface as a DHCP Client.................................1260
Configure an Interface as a DHCP Relay Agent................................................ 1262
Monitor and Troubleshoot DHCP......................................................................... 1263
DNS.......................................................................................................................................... 1266
DNS Overview...........................................................................................................1266
DNS Proxy Object.................................................................................................... 1267
DNS Server Profile....................................................................................................1268
Mul-Tenant DNS Deployments........................................................................... 1269
Configure a DNS Proxy Object..............................................................................1270
Configure a DNS Server Profile.............................................................................1272
Use Case 1: Firewall Requires DNS Resoluon................................................. 1273
Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resoluon for
Security Policies, Reporng, and Services within its Virtual System............. 1275
PAN-OS® Administrator’s Guide Version Version 9.1 16 ©2021 Palo Alto Networks, Inc.
Table of Contents
Use Case 3: Firewall Acts as DNS Proxy Between Client and Server........... 1277
DNS Proxy Rule and FQDN Matching.................................................................1278
Dynamic DNS Overview.....................................................................................................1282
Configure Dynamic DNS for Firewall Interfaces...........................................................1285
NAT.......................................................................................................................................... 1287
NAT Policy Rules.......................................................................................................1287
Source NAT and Desnaon NAT....................................................................... 1289
NAT Rule Capacies................................................................................................ 1297
Dynamic IP and Port NAT Oversubscripon..................................................... 1297
Dataplane NAT Memory Stascs....................................................................... 1298
Configure NAT...........................................................................................................1299
NAT Configuraon Examples.................................................................................1308
NPTv6...................................................................................................................................... 1315
NPTv6 Overview....................................................................................................... 1315
How NPTv6 Works...................................................................................................1317
NDP Proxy.................................................................................................................. 1318
NPTv6 and NDP Proxy Example........................................................................... 1320
Create an NPTv6 Policy.......................................................................................... 1321
NAT64..................................................................................................................................... 1324
NAT64 Overview...................................................................................................... 1324
IPv4-Embedded IPv6 Address............................................................................... 1325
DNS64 Server............................................................................................................ 1325
Path MTU Discovery................................................................................................1326
IPv6-Iniated Communicaon............................................................................... 1326
Configure NAT64 for IPv6-Iniated Communicaon...................................... 1327
Configure NAT64 for IPv4-Iniated Communicaon...................................... 1330
Configure NAT64 for IPv4-Iniated Communicaon with Port
Translaon...................................................................................................................1332
ECMP....................................................................................................................................... 1336
ECMP Load-Balancing Algorithms........................................................................ 1336
ECMP Model, Interface, and IP Roung Support..............................................1338
Configure ECMP on a Virtual Router...................................................................1338
Enable ECMP for Mulple BGP Autonomous Systems................................... 1340
Verify ECMP............................................................................................................... 1341
LLDP.........................................................................................................................................1342
LLDP Overview..........................................................................................................1342
Supported TLVs in LLDP......................................................................................... 1343
LLDP Syslog Messages and SNMP Traps............................................................ 1344
Configure LLDP......................................................................................................... 1345
View LLDP Sengs and Status.............................................................................1346
Clear LLDP Stascs................................................................................................1348
PAN-OS® Administrator’s Guide Version Version 9.1 17 ©2021 Palo Alto Networks, Inc.
Table of Contents
BFD.......................................................................................................................................... 1349
BFD Overview........................................................................................................... 1349
Configure BFD........................................................................................................... 1352
Reference: BFD Details........................................................................................... 1358
Session Sengs and Timeouts..........................................................................................1362
Transport Layer Sessions.........................................................................................1362
TCP............................................................................................................................... 1362
UDP.............................................................................................................................. 1367
ICMP.............................................................................................................................1367
Control Specific ICMP or ICMPv6 Types and Codes........................................1369
Configure Session Timeouts...................................................................................1370
Configure Session Sengs..................................................................................... 1373
Session Distribuon Policies.................................................................................. 1376
Prevent TCP Split Handshake Session Establishment...................................... 1380
Tunnel Content Inspecon................................................................................................. 1382
Tunnel Content Inspecon Overview.................................................................. 1382
Configure Tunnel Content Inspecon.................................................................. 1386
View Inspected Tunnel Acvity.............................................................................1393
View Tunnel Informaon in Logs.......................................................................... 1393
Create a Custom Report Based on Tagged Tunnel Traffic............................... 1394
Policy.............................................................................................................. 1395
Policy Types........................................................................................................................... 1396
Security Policy....................................................................................................................... 1397
Components of a Security Policy Rule................................................................ 1397
Security Policy Acons............................................................................................ 1400
Create a Security Policy Rule.................................................................................1401
Policy Objects........................................................................................................................1405
Security Profiles.................................................................................................................... 1407
Create a Security Profile Group............................................................................ 1414
Set Up or Override a Default Security Profile Group.......................................1415
Track Rules Within a Rulebase..........................................................................................1418
Rule Numbers............................................................................................................ 1418
Rule UUIDs................................................................................................................. 1419
Enforce Policy Rule Descripon, Tag, and Audit Comment........................................1424
Move or Clone a Policy Rule or Object to a Different Virtual System..................... 1427
Use an Address Object to Represent IP Addresses..................................................... 1429
Address Objects........................................................................................................ 1429
Create an Address Object.......................................................................................1430
Use Tags to Group and Visually Disnguish Objects...................................................1432
Create and Apply Tags.............................................................................................1432
PAN-OS® Administrator’s Guide Version Version 9.1 18 ©2021 Palo Alto Networks, Inc.
Table of Contents
PAN-OS® Administrator’s Guide Version Version 9.1 19 ©2021 Palo Alto Networks, Inc.
Table of Contents
Cerficaons................................................................................................ 1567
Enable FIPS and Common Criteria Support...................................................................1568
PAN-OS® Administrator’s Guide Version Version 9.1 20 ©2021 Palo Alto Networks, Inc.
Table of Contents
PAN-OS® Administrator’s Guide Version Version 9.1 21 ©2021 Palo Alto Networks, Inc.
Table of Contents
PAN-OS® Administrator’s Guide Version Version 9.1 22 ©2021 Palo Alto Networks, Inc.
Geng Started
The following topics provide detailed steps to help you deploy a new Palo Alto
Networks next-generaon firewall. They provide details for integrang a new
firewall into your network and how to set up a basic security policy. For guidance on
connuing to deploy the security plaorm features to address your network security
needs, review the Best Pracces for Compleng the Firewall Deployment.
23
Geng Started
Do not enable access to your management interface from the internet or from other
untrusted zones inside your enterprise security boundary. This applies whether you use the
dedicated management port (MGT) or you configured a data port as your management
interface. When integrang your firewall into your management network, follow the
Best Pracces for Securing Administrave Access to ensure that you are securing
administrave access to your firewalls and other security devices in a way that prevents
successful aacks.
The following topics describe how to perform the inial configuraon steps that are necessary
to integrate a new firewall into the management network and deploy it in a basic security
configuraon.
• Determine Your Management Strategy
• Perform Inial Configuraon
• Set Up Network Access for External Services
The following topics describe how to integrate a single Palo Alto Networks next-generaon
firewall into your network. However, for redundancy, consider deploying a pair of firewalls
in a High Availability configuraon.
PAN-OS® Administrator’s Guide Version Version 9.1 24 ©2021 Palo Alto Networks, Inc.
Geng Started
The procedures that follow describe how to manage the firewall using the local web interface. If
you want to use Panorama for centralized management, first Perform Inial Configuraon and
verify that the firewall can establish a connecon to Panorama. From that point on you can use
Panorama to configure your firewall centrally.
If your firewall model has dual power supplies, connect the second power supply for
redundancy. Refer to the hardware reference guide for your model for details.
You may need to change the IP address on your computer to an address in the
192.168.1.0/24 network, such as 192.168.1.2, to access this URL.
PAN-OS® Administrator’s Guide Version Version 9.1 25 ©2021 Palo Alto Networks, Inc.
Geng Started
Starng with PAN-OS 9.0.4, the predefined, default administrator password (admin/
admin) must be changed on the first login on a device. The new password must be
a minimum of eight characters and include a minimum of one lowercase and one
uppercase character, as well as one number or special character.
Be sure to use the best pracces for password strength to ensure a strict password
and review the password complexity sengs.
Make sure Telnet and HTTP are not selected because these services use
plaintext and are not as secure as the other services and could compromise
administrator credenals.
5. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 26 ©2021 Palo Alto Networks, Inc.
Geng Started
You must manually configure at least one DNS server on the firewall or it will not be
able to resolve hostnames; it will not use DNS server sengs from another source, such
as an ISP.
PAN-OS® Administrator’s Guide Version Version 9.1 27 ©2021 Palo Alto Networks, Inc.
Geng Started
As a best pracce, avoid using welcoming verbiage. Addionally, you should ask
your legal department to review the banner message to ensure it adequately
warns that unauthorized access is prohibited.
4. Enter the Latude and Longitude to enable accurate placement of the firewall on the
world map.
5. Click OK.
When the configuraon changes are saved, you lose connecvity to the web interface
because the IP address has changed.
Click Commit at the top right of the web interface. The firewall can take up to 90 seconds to
save your changes.
PAN-OS® Administrator’s Guide Version Version 9.1 28 ©2021 Palo Alto Networks, Inc.
Geng Started
STEP 13 | Verify network access to external services required for firewall management, such as the Palo
Alto Networks Update Server.
You can do this in one of the following ways:
• If you do not want to allow external network access to the MGT interface, you will need to
set up a data port to retrieve required service updates. Connue to Set Up Network Access
for External Services.
• If you do plan to allow external network access to the MGT interface, verify that you have
connecvity and then proceed to Register the Firewall and Acvate Subscripon Licenses.
1. Use update server connecvity test to verify network connecvity to the Palo Alto
Networks Update server as shown in the following example:
1. Select Device > Troubleshoong, and select Update Server Connecvity from the
Select Test drop-down.
2. Execute the update server connecvity test.
2. Use the following CLI command to retrieve informaon on the support entlement for
the firewall from the Palo Alto Networks update server:
request support
check
If you have connecvity, the update server will respond with the support status for your
firewall. If your firewall is not yet registered, the update server returns the following
message:
Contact Us
https://www.paloaltonetworks.com/company/contact-us.html
Support Home
https://www.paloaltonetworks.com/support/tabs/overview.html
PAN-OS® Administrator’s Guide Version Version 9.1 29 ©2021 Palo Alto Networks, Inc.
Geng Started
Do not enable management access from the internet or from other untrusted zones inside
your enterprise security boundary. Follow the Best Pracces for Securing Administrave
Access to ensure that you are properly securing your firewall.
This task requires familiarity with firewall interfaces, zones, and policies. For more
informaon on these topics, see Configure Interfaces and Zones and Set Up a Basic
Security Policy.
STEP 1 | Decide which port you want to use for access to external services and connect it to your
switch or router port.
The interface you use must have a stac IP address.
STEP 3 | (Oponal) The firewall comes preconfigured with a default virtual wire interface between
ports Ethernet 1/1 and Ethernet 1/2 (and a corresponding default security policy and
zones). If you do not plan to use this virtual wire configuraon, you must manually delete the
configuraon to prevent it from interfering with other interface sengs you define.
You must delete the configuraon in the following order:
1. To delete the default security policy, select Policies > Security, select the rule, and click
Delete.
2. To delete the default virtual wire, select Network > Virtual Wires, select the virtual wire
and click Delete.
3. To delete the default trust and untrust zones, select Network > Zones, select each zone
and click Delete.
4. To delete the interface configuraons, select Network > Interfaces and then select each
interface (ethernet1/1 and ethernet1/2) and click Delete.
5. Commit the changes.
PAN-OS® Administrator’s Guide Version Version 9.1 30 ©2021 Palo Alto Networks, Inc.
Geng Started
STEP 4 | Configure the interface you plan to use for external access to management services.
1. Select Network > Interfaces and select the interface that corresponds to the port you
cabled in Step 1.
2. Select the Interface Type. Although your choice here depends on your network topology,
this example shows the steps for Layer3.
3. On the Config tab, expand the Security Zone drop-down and select New Zone.
4. In the Zone dialog, enter a Name for new zone, for example Management, and then click
OK.
5. Select the IPv4 tab, select the Stac radio buon, and click Add in the IP secon,
and enter the IP address and network mask to assign to the interface, for example
192.168.1.254/24. You must use a stac IP address on this interface.
6. Select Advanced > Other Info, expand the Management Profile drop-down, and select
New Management Profile.
7. Enter a Name for the profile, such as allow_ping, and then select the services you want
to allow on the interface. For the purposes of allowing access to the external services,
you probably only need to enable Ping and then click OK.
These services provide management access to the firewall, so only select the
services that correspond to the management acvies you want to allow on this
interface. For example, don’t enable HTTP or Telnet because those protocols
transmit in plaintext and therefore aren’t secure. Or if you plan to use the MGT
interface for firewall configuraon tasks through the web interface or CLI, you
don’t enable HTTP, HTTPS, SSH, or Telnet so that you prevent unauthorized
access through the interface (if you must allow HTTPS or SSH in this scenario,
limit access to a specific set of Permied IP Addresses). For details, see Use
Interface Management Profiles to Restrict Access.
8. To save the interface configuraon, click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 31 ©2021 Palo Alto Networks, Inc.
Geng Started
This example shows how to set up global service routes. For informaon on seng up
network access to external services on a virtual system basis rather than a global basis,
see Customize Service Routes to Services for Virtual Systems.
1. Select Device > Setup > Services > Global and click Service Route Configuraon.
For the purposes of acvang your licenses and geng the most recent content
and soware updates, you will want to change the service route for DNS, Palo
Alto Networks Services, URL Updates, and AutoFocus.
2. Click the Customize radio buon, and select one of the following:
• For a predefined service, select IPv4 or IPv6 and click the link for the service. To
limit the drop-down list for Source Address, select Source Interface and select the
interface you just configured. Then select a Source Address (from that interface) as
the service route.
If more than one IP address is configured for the selected interface, the Source
Address drop-down allows you to select an IP address.
• To create a service route for a custom desnaon, select Desnaon, and click Add.
Enter a Desnaon IP address. An incoming packet with a desnaon address that
matches this address will use as its source the Source Address you specify for this
service route. To limit the drop-down for Source Address, select a Source Interface. If
more than one IP address is configured for the selected interface, the Source Address
drop-down allows you to select an IP address.
3. Click OK to save the sengs.
4. Repeat Steps 5.2 - 5.3 above for each service route you want to modify.
5. Commit your changes.
STEP 6 | Configure an external-facing interface and an associated zone and then create a security
policy rule to allow the firewall to send service requests from the internal zone to the
external zone.
1. Select Network > Interfaces and then select the external-facing interface. Select Layer3
as the Interface Type, Add the IP address (on the IPv4 or IPv6 tab), and create the
PAN-OS® Administrator’s Guide Version Version 9.1 32 ©2021 Palo Alto Networks, Inc.
Geng Started
associated Security Zone (on the Config tab), such as Internet. This interface must have a
stac IP address; you do not need to set up management services on this interface.
2. To set up a security rule that allows traffic from your internal network to the Palo Alto
Networks update server, select Policies > Security and click Add.
As a best pracce when creang Security policy rules, use applicaon-based rules
instead of port-based rules to ensure that you are accurately idenfying the underlying
applicaon regardless of the port, protocol, evasive taccs, or encrypon in use. Always
leave the Service set to applicaon-default. In this case, create a security policy rule
that allows access to the update server (and other Palo Alto Networks services).
STEP 8 | Select Device > Troubleshoong and verify that you have connecvity from the data port
to the external services, including the default gateway, using the Ping connecvity test, and
PAN-OS® Administrator’s Guide Version Version 9.1 33 ©2021 Palo Alto Networks, Inc.
Geng Started
the Palo Alto Networks Update Server using the Update Server Connecvity test. In this
example, the firewall connecvity to the Palo Alto Networks Update Server is tested.
Aer you verify you have the required network connecvity, connue to Register the Firewall
and Acvate Subscripon Licenses.
1. Select Update Server from the Select Test drop-down.
2. Execute the Palo Alto Networks Update Server connecvity test.
3. Access the firewall CLI, and use the following command to retrieve informaon on the
support entlement for the firewall from the Palo Alto Networks update server:
request support
check
If you have connecvity, the update server will respond with the support status for
your firewall. Because your firewall is not registered, the update server will return the
following message:
Contact Us
https://www.paloaltonetworks.com/company/contact-us.html
Support Home
https://www.paloaltonetworks.com/support/tabs/overview.html
Device not found on this update server
PAN-OS® Administrator’s Guide Version Version 9.1 34 ©2021 Palo Alto Networks, Inc.
Geng Started
If you are registering a VM-Series firewall, refer to the VM-Series Deployment Guide
for instrucons.
PAN-OS® Administrator’s Guide Version Version 9.1 35 ©2021 Palo Alto Networks, Inc.
Geng Started
STEP 3 | Enter Your Email Address, check I’m not a robot, and click Submit.
STEP 4 | Select Register device using Serial Number or Authorizaon Code and click Next.
PAN-OS® Administrator’s Guide Version Version 9.1 36 ©2021 Palo Alto Networks, Inc.
Geng Started
Register a Firewall
If you already have an acve Palo Alto Networks Customer Support account, perform the
following task to register your firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 37 ©2021 Palo Alto Networks, Inc.
Geng Started
STEP 3 | Go to the Palo Alto Networks Customer Support Portal and, if not already logged in, Sign In
now.
PAN-OS® Administrator’s Guide Version Version 9.1 38 ©2021 Palo Alto Networks, Inc.
Geng Started
2. Select Register device using Serial Number or Authorizaon Code, and then click Next.
3. Enter the firewall Serial Number (you can copy and paste it from the firewall Dashboard).
4. (Oponal) Enter the Device Name and Device Tag.
5. (Oponal) If the device will not have a connecon to the internet, select the Device will
be used offline check box and then, from the drop-down, select the OS Release you plan
to use.
6. Provide informaon about where you plan to deploy the firewall including the Address,
City, Postal Code, and Country.
7. Read the End User License Agreement (EULA) and the Support Agreement, then Agree
and Submit.
PAN-OS® Administrator’s Guide Version Version 9.1 39 ©2021 Palo Alto Networks, Inc.
Geng Started
You can view the entry for the firewall you just registered under Devices.
PAN-OS® Administrator’s Guide Version Version 9.1 40 ©2021 Palo Alto Networks, Inc.
Geng Started
STEP 1 | From the page that displays aer you have registered your firewall, select Run Day 1
Configuraon.
If you’ve already registered your firewall but haven’t run Day 1 Configuraon, you can
also run it from the Customer Support Portal home page by navigang to Tools > Run
Day 1 Configuraon.
STEP 2 | Enter the Hostname and Pan OS Version for your new device, and oponally, the Serial
Number and Device Type.
PAN-OS® Administrator’s Guide Version Version 9.1 41 ©2021 Palo Alto Networks, Inc.
Geng Started
STEP 3 | Under Management, select either Stac or DHCP Client for your Management Type.
Selecng Stac will require you fill out the IPV4, Subnet Mask, and Default Gateway fields.
Selecng DHCP Client only requires that you enter the Primary DNS and Secondary DNS. A
device configured in DHCP client mode will ensure the management interface receives an IP
address from the local DHCP server, or it will fill out all the parameters if they are known.
PAN-OS® Administrator’s Guide Version Version 9.1 42 ©2021 Palo Alto Networks, Inc.
Geng Started
STEP 6 | To import and load the Day 1 Configuraon file you just downloaded to your firewall:
1. Log into your firewall web interface.
2. Navigate to Device > Setup > Operaons.
3. Click Import named configuraon snapshot.
4. Select the file.
STEP 4 | Enter the Palo Alto Networks Sales Order Number of the line cards into the Sales Order
Number field to display the line cards eligible for registraon.
STEP 5 | Register the line cards to your firewall by entering its chassis serial number in the Serial
Number field. The Locaon Informaon below auto-populates based on the registraon
informaon of your firewall.
STEP 6 | Click Agree and Submit to accept the legal terms. The system updates to display the
registered line cards under Assets > Line Cards/Opcs/FRUs.
PAN-OS® Administrator’s Guide Version Version 9.1 43 ©2021 Palo Alto Networks, Inc.
Geng Started
PAN-OS® Administrator’s Guide Version Version 9.1 44 ©2021 Palo Alto Networks, Inc.
Geng Started
The firewall comes preconfigured with a default virtual wire interface between ports
Ethernet 1/1 and Ethernet 1/2 (and a corresponding default security policy and virtual
router). If you do not plan to use the default virtual wire, you must manually delete the
configuraon and commit the change before proceeding to prevent it from interfering with
other sengs you define. For instrucons on how to delete the default virtual wire and its
associated security policy and zones, see Step 3 in Set Up Network Access for External
Services.
STEP 2 | Configure the external interface (the interface that connects to the Internet).
1. Select Network > Interfaces and then select the interface you want to configure. In this
example, we are configuring Ethernet1/16 as the external interface.
2. Select the Interface Type. Although your choice here depends on interface topology, this
example shows the steps for Layer3.
3. On the Config tab, select New Zone from the Security Zone drop-down. In the Zone
dialog, define a Name for new zone, for example Internet, and then click OK.
4. In the Virtual Router drop-down, select default.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP secon,
and enter the IP address and network mask to assign to the interface, for example
203.0.113.23/24.
6. To enable you to ping the interface, select Advanced > Other Info, expand the
Management Profile drop-down, and select New Management Profile. Enter a Name for
the profile, select Ping and then click OK.
7. To save the interface configuraon, click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 45 ©2021 Palo Alto Networks, Inc.
Geng Started
In this example, the interface connects to a network segment that uses private IP
addresses. Because private IP addresses cannot be routed externally, you have to
configure NAT.
1. Select Network > Interfaces and select the interface you want to configure. In this
example, we are configuring Ethernet1/15 as the internal interface our users connect to.
2. Select Layer3 as the Interface Type.
3. On the Config tab, expand the Security Zone drop-down and select New Zone. In the
Zone dialog, define a Name for new zone, for example Users, and then click OK.
4. Select the same Virtual Router you used previously, default in this example.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP secon,
and enter the IP address and network mask to assign to the interface, for example
192.168.1.4/24.
6. To enable you to ping the interface, select the management profile that you just created.
7. To save the interface configuraon, click OK.
STEP 4 | Configure the interface that connects to your data center applicaons.
Although this basic security policy example configuraon depicts using a single zone for
all of your data center applicaons, you should define more granular zones to prevent
unauthorized access to sensive applicaons or data and eliminate the possibility of
malware moving laterally within your data center.
PAN-OS® Administrator’s Guide Version Version 9.1 46 ©2021 Palo Alto Networks, Inc.
Geng Started
PAN-OS® Administrator’s Guide Version Version 9.1 47 ©2021 Palo Alto Networks, Inc.
Geng Started
PAN-OS® Administrator’s Guide Version Version 9.1 48 ©2021 Palo Alto Networks, Inc.
Geng Started
As a best pracce, use address objects in the Desnaon Address field to enable
access to specific servers or groups of servers only, parcularly for services such
as DNS and SMTP that are commonly exploited. By restricng users to specific
desnaon server addresses, you can prevent data exfiltraon and command
and control traffic from establishing communicaon through techniques such as
DNS tunneling.
5. In the Applicaons tab, Add the applicaons that correspond to the network services
you want to safely enable. For example, select dns, ntp, ocsp, ping, and smtp.
6. In the Service/URL Category tab, keep the Service set to applicaon-default.
7. In the Acons tab, set the Acon Seng to Allow.
8. Set Profile Type to Profiles and select the following security profiles to aach to the
policy rule:
• For Anvirus, select default
• For Vulnerability Protecon, select strict
• For An-Spyware, select strict
• For URL Filtering, select default
• For File Blocking, select basic file blocking
• For WildFire Analysis, select default
9. Verify that Log at Session End is enabled. Only traffic that matches a Security policy rule
will be logged.
10. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 49 ©2021 Palo Alto Networks, Inc.
Geng Started
This is a temporary rule that allows you to gather informaon about the traffic on your
network. Aer you have more insight into which applicaons your users need to access,
you can make informed decisions about which applicaons to allow and create more
granular applicaon-based rules for each user group.
PAN-OS® Administrator’s Guide Version Version 9.1 50 ©2021 Palo Alto Networks, Inc.
Geng Started
STEP 5 | Save your policy rules to the running configuraon on the firewall.
Click Commit.
PAN-OS® Administrator’s Guide Version Version 9.1 51 ©2021 Palo Alto Networks, Inc.
Geng Started
STEP 6 | To verify that you have set up your basic policies effecvely, test whether your Security
policy rules are being evaluated and determine which Security policy rule applies to a traffic
flow.
For example, to verify the policy rule that will be applied for a client in the user zone with the
IP address 10.35.14.150 when it sends a DNS query to the DNS server in the data center:
1. Select Device > Troubleshoong and select Security Policy Match (Select Test).
2. Enter the Source and Desnaon IP addresses.
3. Enter the Protocol..
4. Select dns (Applicaon)
5. Execute the Security policy match test.
PAN-OS® Administrator’s Guide Version Version 9.1 52 ©2021 Palo Alto Networks, Inc.
Geng Started
Use the Applicaon Command Center and Use the Automated Correlaon Engine.
In the ACC, review the most used applicaons and the high-risk applicaons on your network.
The ACC graphically summarizes the log informaon to highlight the applicaons traversing the
network, who is using them (with User-ID enabled), and the potenal security impact of the
content to help you idenfy what is happening on the network in real me. You can then use
this informaon to create appropriate security policy rules that block unwanted applicaons,
while allowing and enabling applicaons in a secure manner.
The Compromised Hosts widget in ACC > Threat Acvity displays potenally compromised
hosts on your network and the logs and match evidence that corroborates the events.
Determine what updates/modificaons are required for your network security policy rules and
implement the changes.
For example:
• Evaluate whether to allow web content based on schedule, users, or groups.
• Allow or control certain applicaons or funcons within an applicaon.
• Decrypt and inspect content.
• Allow but scan for threats and exploits.
For informaon on refining your security policies and for aaching custom security profiles, see
how to Create a Security Policy Rule and Security Profiles.
View Logs.
Specifically, view the traffic and threat logs (Monitor > Logs).
Traffic logs are dependent on how your security policies are defined and set up to log
traffic. The Applicaon Usage widget in the ACC, however, records applicaons and
stascs regardless of policy configuraon; it shows all traffic that is allowed on your
network, therefore it includes the inter-zone traffic that is allowed by policy and the
same zone traffic that is allowed implicitly.
PAN-OS® Administrator’s Guide Version Version 9.1 53 ©2021 Palo Alto Networks, Inc.
Geng Started
Use WildFire verdict informaon (benign, grayware, malware) and AutoFocus matching tags to
look for potenal risks in your network.
AutoFocus tags created by Unit 42, the Palo Alto Networks threat intelligence team,
call aenon to advanced, targeted campaigns and threats in your network.
From the AutoFocus intelligence summary, you can start an AutoFocus search for arfacts and
assess their pervasiveness within global, industry, and network contexts.
PAN-OS® Administrator’s Guide Version Version 9.1 54 ©2021 Palo Alto Networks, Inc.
Geng Started
PAN-OS® Administrator’s Guide Version Version 9.1 55 ©2021 Palo Alto Networks, Inc.
Geng Started
You can also forward files to a WildFire regional cloud or a private cloud based
on your locaon and your organizaonal requirements.
3. Review the File Size Limits for PEs the firewall forwards for WildFire analysis. set the
Size Limit for PEs that the firewall can forward to the maximum available limit of 10 MB.
As a WildFire best pracce, set the Size Limit for PEs to the maximum available
limit of 10 MB.
4. Click OK to save your changes.
STEP 4 | Apply the new WildFire Analysis profile to traffic that the firewall allows.
1. Select Policies > Security and either select an exisng policy rule or create a new policy
rule as described in Set Up a Basic Security Policy.
2. Select Acons and in the Profile Sengs secon, set the Profile Type to Profiles.
3. Select the WildFire Analysis profile you just created to apply that profile rule to all traffic
this policy rule allows.
4. Click OK.
STEP 5 | Enable the firewall to forward decrypted SSL traffic for WildFire analysis.
STEP 6 | Review and implement WildFire best pracces to ensure that you are geng the most of
WildFire detecon and prevenon capabilies.
STEP 8 | Verify that the firewall is forwarding PE files to the WildFire public cloud.
Select Monitor > Logs > WildFire Submissions to view log entries for PEs the firewall
successfully submied for WildFire analysis. The Verdict column displays whether WildFire
found the PE to be malicious, grayware, or benign. (WildFire only assigns the phishing verdict
to email links). The Acon column indicates whether the firewall allowed or blocked the
sample. The Severity column indicates how much of a threat a sample poses to an organizaon
using the following values: crical, high, medium, low, informaon.
PAN-OS® Administrator’s Guide Version Version 9.1 56 ©2021 Palo Alto Networks, Inc.
Geng Started
STEP 9 | (Threat Prevenon subscripon only) If you have a Threat Prevenon subscripon, but do
not have a WildFire subscripon, you can sll receive WildFire signature updates every 24-
48 hours.
1. Select Device > Dynamic Updates.
2. Check that the firewall is scheduled to download, and install Anvirus updates.
PAN-OS® Administrator’s Guide Version Version 9.1 57 ©2021 Palo Alto Networks, Inc.
Geng Started
PAN-OS® Administrator’s Guide Version Version 9.1 58 ©2021 Palo Alto Networks, Inc.
Geng Started
Do not enable access to your management interface from the internet or from other
untrusted zones inside your enterprise security boundary. This applies whether you use
the dedicated management port (MGT) or you configure a data port as your management
interface.
PAN-OS® Administrator’s Guide Version Version 9.1 59 ©2021 Palo Alto Networks, Inc.
Geng Started
If you must enable remote access to the management network, require access through a VPN
tunnel using GlobalProtect. Aer administrators successfully establish a VPN tunnel into your
VPN zone, they must sll authencate into the management network through your bason
host.
Do not use an interface management profile that allows HTTP, HTTPS, Telnet, or SSH on
the interface where you have configured a GlobalProtect portal or gateway because this
configuraon exposes access to the management interface via the internet. Do not use HTTP
or Telnet internally because those protocols transmit in cleartext.
If you are using a template to deploy a VM-Series firewall that includes a field for restricng
management access to a specific IP address, make sure to supply a CIDR block that
corresponds to your dedicated management IP addresses or network. If necessary, modify the
corresponding security group to add addional hosts or networks aer the template launch. Do
not make the allowed source network range larger than necessary and do not ever configure
the allowed source as 0.0.0.0/0.
PAN-OS® Administrator’s Guide Version Version 9.1 60 ©2021 Palo Alto Networks, Inc.
Geng Started
• If you are using a data port as your management interface, aer you configure the interface,
select Network > Network Profiles > Interface Mgmt and Add an interface management
PAN-OS® Administrator’s Guide Version Version 9.1 61 ©2021 Palo Alto Networks, Inc.
Geng Started
profile to restrict who can access the management interface and what services the interface
allows.
Do not aach an interface management profile that allows Telnet, SSH, HTTP, or
HTTPS to an interface where you have configured a GlobalProtect portal or gateway
because this will expose the management interface to the internet. Do not use HTTP
or Telnet for any management interface profile because those protocols transmit in
cleartext.
PAN-OS® Administrator’s Guide Version Version 9.1 62 ©2021 Palo Alto Networks, Inc.
Geng Started
For administrators with change privileges, require MFA using external authencaon and
authorizaon using RADIUS or SAML. See Configure Local or External Authencaon for
Firewall Administrators for details on how to configure external authencaon with MFA.
PAN-OS® Administrator’s Guide Version Version 9.1 63 ©2021 Palo Alto Networks, Inc.
Geng Started
Create security policy rules to allow access to the management interfaces of the firewall and
Panorama (web interface or CLI). The way you define the policy depends on whether or not
you are using a bason host to enable access to the management network.
• If you are not using a bason host to isolate your management network, create a security
policy rule to allow access from the Users zone to the IT Infrastructure zone. This security
policy rule must be very granular and specify the source zone, source IP address (if
available), and source user group of the user aempng to access the management
interface, as well as the desnaon zone, IP address of the appliance (firewall or Panorama),
and the App-ID to idenfy the specific management applicaon (web interface or CLI)
running on the applicaon default port. For example, you would use the web-browsing
App-ID to allow access to the web interface and the ssh App-ID to allow access to the CLI.
You must also aach a Vulnerability Protecon profile to the rule, as described in the next
secon.
The following example rule allows access from the users zone directly to the IT
Infrastructure zone, and restricts access to users in the IT-admins group who are aempng
to access the management interface IP address to access the web-browsing applicaon on
the applicaon-default port only:
• If you are using a bason host to enable access to your management network, you need two
security policy rules: one rule to allow access from user zone to the bason host zone and a
second rule to allow access from the bason host zone to the IT infrastructure zone. Again,
both of these security policy rules should be as granular as possible and include source
zone, address (if available), user and desnaon zone and address, and the App-ID. Keep in
mind that if you are using a bason host, the user IP address is usually the IP address of the
bason host so you cannot idenfy the User-ID for the administrator unless you are using
the Terminal Server agent on the bason host to idenfy individual users. In this case, you
must also aach a Vulnerability Protecon profile to both rules, as described in the next
secon.
In the example rules that follow, the first rule allows access from the Users zone to the
Bason-host zone for users in the IT-admins group who are aempng to access the
specified bason server IP address over SSH and/or RDP. The second rule allows access
to users from the Bason-host zone to the IT-infrastructure zone aempng to access the
PAN-OS® Administrator’s Guide Version Version 9.1 64 ©2021 Palo Alto Networks, Inc.
Geng Started
web-browsing applicaon on the default port on the firewall with the specified desnaon
address.
Aach a best pracce Vulnerability Protecon profile to the security policy rules that allow
access in to your management network to protect against buffer overflows, illegal code
execuon, and other aempts to exploit client- and server-side vulnerabilies. To create a
profile for the purpose of protecng your management interface, clone the strict profile and
then enable extended packet capture to help you track down the source of any potenal
aacks.
Configure SSL Inbound Inspecon or Configure SSL Forward Proxy for traffic to or from the
management interface to ensure that you can decrypt and scan the traffic for threats. Aach
a best pracce decrypon profile to the decrypon policy rule to ensure that you are blocking
vulnerable SSL/TLS versions such as TLS 1.0 and SSLv3, and rejecng sessions using weak
encrypon algorithms such as RC4 and 3DES, and weak authencaon algorithms such as
MD5 and SHA1.
PAN-OS® Administrator’s Guide Version Version 9.1 65 ©2021 Palo Alto Networks, Inc.
Geng Started
Emails, Subscribe to Security Advisories, and Subscribe to Soware Update Emails. Make sure
you Save Edits.
Follow the Best Pracces for Applicaons and Threats Content Updates when updang to the
latest content release version.
Before you upgrade PAN-OS, read the latest release notes.
PAN-OS® Administrator’s Guide Version Version 9.1 66 ©2021 Palo Alto Networks, Inc.
Subscripons
Learn about all the subscripons and services that work with the firewall, and get
started by acvang subscripon licenses:
Certain cloud services, like Cortex XDR™, do not integrate with the firewall directly, but rely on
data stored in Cortex Data Lake for visibility into network acvity. Enhanced applicaon logging
is a feature that comes with a Cortex Data Lake subscripon—it allows the firewall to collect data
specifically for Cortex XDR to use to detect anomalous network acvity. Turning on enhanced
applicaon logging is a Cortex XDR best pracce.
67
Subscripons
URL Filtering Provides the ability to not only control web-access, but how
users interact with online content based on dynamic URL
PAN-OS® Administrator’s Guide Version Version 9.1 68 ©2021 Palo Alto Networks, Inc.
Subscripons
Advanced URL Filtering Advanced URL Filtering uses a cloud-based ML-powered web
security engine to perform ML-based inspecon of web traffic
in real-me. This reduces reliance on URL databases and out-
of-band web crawling to detect and prevent advanced, file-
less web-based aacks including targeted phishing, web-
delivered malware and exploits, command-and-control, social
engineering, and other types of web aacks.
• Get Started with Advanced URL Filtering
Cortex Data Lake Provides cloud-based, centralized log storage and aggregaon.
The Logging Service is required or highly-recommended to
support several other cloud-delivered services, including
Magnifier, GlobalProtect cloud service, and Traps management
service.
PAN-OS® Administrator’s Guide Version Version 9.1 69 ©2021 Palo Alto Networks, Inc.
Subscripons
PAN-OS® Administrator’s Guide Version Version 9.1 70 ©2021 Palo Alto Networks, Inc.
Subscripons
PAN-OS® Administrator’s Guide Version Version 9.1 71 ©2021 Palo Alto Networks, Inc.
Subscripons
STEP 5 | (WildFire subscripons only) Perform a commit to complete WildFire subscripon acvaon.
Aer acvang a WildFire subscripon, a commit is required for the firewall to begin
forwarding advanced file types. You should either:
• Commit any pending changes.
• Check that the WildFire Analysis profile rules include the advanced file types that are now
supported with the WildFire subscripon. If no change to any of the rules is required, make
a minor edit to a rule descripon and perform a commit.
PAN-OS® Administrator’s Guide Version Version 9.1 72 ©2021 Palo Alto Networks, Inc.
Subscripons
The precise moment of license expiry is at the beginning of the following day at 12:00 AM
(GMT). For example, if your license is scheduled to end on 1/20 you will have funconality
for the remainder of that day. At the start of the new day on 1/21 at 12:00 AM (GMT),
the license will expire. All license-related funcons operate on Greenwich Mean Time
(GMT), regardless of the configured me zone on the firewall.
Threat Prevenon Alerts appear in the System Log indicang that the license has
expired.
You can sll:
• Use signatures that were installed at the me the license
expired, unless you install a new Applicaons-only content
update either manually or as part of an automac schedule.
If you do, the update will delete your exisng threat
signatures and you will no longer receive protecon against
them.
• Use and modify Custom App-ID™ and threat signatures.
You can no longer:
• Install new signatures.
• Roll signatures back to previous versions.
PAN-OS® Administrator’s Guide Version Version 9.1 73 ©2021 Palo Alto Networks, Inc.
Subscripons
PAN-OS® Administrator’s Guide Version Version 9.1 74 ©2021 Palo Alto Networks, Inc.
Subscripons
PAN-OS® Administrator’s Guide Version Version 9.1 75 ©2021 Palo Alto Networks, Inc.
Subscripons
STEP 2 | To Enable Enhanced Applicaon Logging on the firewall, select Device > Setup >
Management > Logging Service and edit Cortex Data Lake Sengs.
Cortex Data Lake was previously called the Logging Service; you might connue to see
references to the Logging Service in the firewall web interface.
PAN-OS® Administrator’s Guide Version Version 9.1 76 ©2021 Palo Alto Networks, Inc.
Subscripons
STEP 3 | Connue to enable enhanced applicaon logging for the security policy rules that control the
traffic into which you want extended visibility.
1. Select Objects > Log Forwarding and Add or modify a log forwarding profile.
2. Update the profile to Enable Enhanced Applicaon Logging to the Logging Service.
Noce that when you enable enhanced applicaon logging in a Log Forwarding profile,
match lists that specify the log types required for enhanced applicaon logging are
automacally added to the profile.
3. Click OK to save the profile and connue to update as many profiles as needed.
4. Ensure that the Log Forwarding profile that you’ve updated is aached to a security
policy rule, to trigger log generaon and forwarding for the traffic matched to the rule.
1. Select Policies > Security to view the profiles aached to each security policy rule.
2. To update the log forwarding profile aached to a rule, Add or edit a rule and select
Policies > Security > Acons > Log Forwarding and select the Log Forwarding profile
enabled with enhanced applicaon logging.
PAN-OS® Administrator’s Guide Version Version 9.1 77 ©2021 Palo Alto Networks, Inc.
Subscripons
PAN-OS® Administrator’s Guide Version Version 9.1 78 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
PAN-OS is the soware that runs all Palo Alto Networks next-generaon firewalls.
Palo Alto Networks also frequently publishes updates to equip the firewall with the
latest security features. The firewall can enforce policy based on the applicaons and
threat signatures (and more) that content updates provide, without requiring you to
update the firewall configuraon.
79
Soware and Content Updates
STEP 3 | Once you’ve decided the release version you want, follow the complete workflow to
upgrade the firewall to a new PAN-OS version. The steps you’ll take might dependent on the
release version you’re currently running, if you’re using HA, and whether or not you’re using
Panorama to manage firewalls.
PAN-OS® Administrator’s Guide Version Version 9.1 80 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
PAN-OS® Administrator’s Guide Version Version 9.1 81 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
Applicaons and Includes new and updated applicaon and threat signatures. This update
Threats is available if you have a Threat Prevenon subscripon (in this case,
you will get this update instead of the Applicaons update). New threat
updates are published frequently, somemes several mes a week, along
with updated App-IDs. New App-IDs are published only on the third
Tuesday of every month.
The firewall can retrieve the latest threat and applicaon updates within
as lile as 30 minutes of availability.
For guidance on how to best enable applicaon and threat updates to
ensure both applicaon availability and protecon against the latest
threats, review the Best Pracces for Applicaons and Threats Content
Updates.
PAN-OS® Administrator’s Guide Version Version 9.1 82 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
PAN-OS® Administrator’s Guide Version Version 9.1 83 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
You cannot download the anvirus update unl you have installed the Applicaon and
Threats update.
Click the Install link in the Acon column. When the installaon completes, a check mark
displays in the Currently Installed column.
Stagger the update schedules because the firewall can only download one update at a
me. If you schedule the updates to download during the same me interval, only the
first download will succeed.
1. Set the schedule of each update type by clicking the None link.
2. Specify how oen you want the updates to occur by selecng a value from the
Recurrence drop-down. The available values vary by content type (WildFire updates are
available Every Minute, Every 15 Minutes, Every 30 minutes, or Every Hour whereas
PAN-OS® Administrator’s Guide Version Version 9.1 84 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
Applicaons and Threats updates can be scheduled for Weekly, Daily, Hourly, or Every
30 Minutes and Anvirus updates can be scheduled for Hourly, Daily, or Weekly).
As new WildFire signatures are made available every five minutes, set the
firewall to retrieve WildFire updates Every Minute to get the latest signatures
within a minute of availability.
You can also select None (Manual) for Applicaons and Threats or for Anvirus updates.
This means there is no recurring schedule for this item and you must manually install
updates. To fully remove the schedule node, select Delete Schedule.
3. Specify the Time and (or, minutes past the hour in the case of WildFire), if applicable
depending on the Recurrence value you selected, Day of the week that you want the
updates to occur.
4. Specify whether you want the system to Download Only or, as a best pracce,
Download And Install the update.
5. Enter how long aer a release to wait before performing a content update in the
Threshold (Hours) field. In rare instances, errors in content updates may be found. For
this reason, you may want to delay installing new updates unl they have been released
for a certain number of hours.
If you have mission crical applicaons that must be 100% available, set the
threshold for Applicaons or Applicaons and Threats updates to a minimum of
24 hours or more and follow the Best Pracces for Applicaons and Threats
Content Updates. Addionally, While scheduling content updates is a one-
me or infrequent task, aer you’ve set the schedule, you’ll need to connue to
Manage New and Modified App-IDs that are included in content releases, as
these App-IDs can change how security policy is enforced.
6. (Oponal) Specify if you want to Allow Extra Time to Review New App-IDs. This
threshold specifies how long the firewall waits before installing content updates that
contain new App-IDs. You can use this wait period to assess and adjust your security
policy based on the new App-IDs.
7. Click OK to save the schedule sengs.
8. Click Commit to save the sengs to the running configuraon.
PAN-OS® Administrator’s Guide Version Version 9.1 85 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
Always update content before updang PAN-OS. Every PAN-OS version has a
minimum supported content release version.
PAN-OS® Administrator’s Guide Version Version 9.1 86 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
In rare cases, publicaon of the update that contains new App-IDs may be delayed one or
two days.
Because new App-IDs can change how the security policy enforces traffic, this more limited
release of new App-IDs is intended to provide you with a predictable window in which you can
prepare and update your security policy. Addionally, content updates are cumulave; this means
that the latest content update always includes the applicaon and threat signatures released in
previous versions.
Because applicaon and threat signatures are delivered in a single package—the same decoders
that enable applicaon signatures to idenfy applicaons also enable threat signatures to inspect
traffic—you need to consider whether you want to deploy the signatures together or separately.
How you choose to deploy content updates depends on your organizaon’s network security and
applicaon availability requirements. As a starng point, idenfy your organizaon as having one
of the following postures (or perhaps both, depending on firewall locaon):
• An organizaon with a security-first posture priorizes protecon using the latest threat
signatures over applicaon availability. You’re primarily using the firewall for its threat
prevenon capabilies. Any changes to App-ID that impact how security policy enforces
applicaon traffic is secondary.
• A mission-crical network priorizes applicaon availability over protecon using the latest
threat signatures. Your network has zero tolerance for downme. The firewall is deployed inline
to enforce security policy and if you’re using App-ID in security policy, any change a content
releases introduces that affects App-ID could cause downme.
You can take a mission-crical or security-first approach to deploying content updates, or you
can apply a mix of both approaches to meet the needs of the business. Review and consider Best
Pracces for Applicaons and Threats Content Updates to decide how you want to implement
applicaon and threat updates. Then:
Deploy Applicaons and Threats Content Updates.
Follow our Tips for Content Updates.
While scheduling content updates is a one-me or infrequent task, aer you’ve set the
schedule, you’ll need to connue to Manage New and Modified App-IDs that are
included in content releases, as these App-IDs can change how security policy is enforced.
PAN-OS® Administrator’s Guide Version Version 9.1 87 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
STEP 2 | Set the schedule for the firewall to retrieve and install content updates.
As you complete the following steps, it’s parcularly important that you consider whether your
organizaon is mission-crical or security-first(or a mix of both), and that you have reviewed
the Best Pracces for Applicaons and Threats Content Updates.
1. Select Device > Dynamic Updates.
2. Select the Schedule for Applicaons and Threat content updates.
3. Set how frequently (the Recurrence) the firewall checks with the Palo Alto Networks
update server for new Applicaons and Threat content releases, and on what Day and
Time.
4. Set the Acon for the firewall to take when it finds and retrieves a new content release.
5. Set an installaon Threshold for content releases. Content releases must be available on
the Palo Alto Networks update server at least this amount of me before the firewall can
retrieve the release and perform the Acon you configured in the last step.
6. If yours is a mission-crical network, where you have zero tolerance for applicaon
downme (applicaon availability is tantamount even to the latest threat prevenon),
you can set a New App-ID Threshold. The firewall only retrieves content updates that
contain new App-IDs aer they have been available for this amount of me.
7. Click OK to save the Applicaons and Threats content update schedule, and Commit.
STEP 3 | Set up log forwarding to send Palo Alto Networks crical content alerts to external services
that you use for monitoring network and firewall acvity. This allows you to ensure that the
appropriate personnel is nofied about crical content issues, so that they can take acon as
needed. Crical content alerts are logged as system log entries with the following Type and
Event: (subtype eq content) and (evend eq palo-alto-networks-message).
STEP 4 | While scheduling content updates is a one-me or infrequent task, aer you’ve set the
schedule, you’ll need to connue to Manage New and Modified App-IDs that are included in
content releases, as these App-IDs can change how security policy is enforced.
PAN-OS® Administrator’s Guide Version Version 9.1 88 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
PAN-OS® Administrator’s Guide Version Version 9.1 89 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
the alert is displayed by default when you log into the firewall web interface. If you’re already
logged into the firewall web interface, you will noce an exclamaon appear over the message
icon on the menu bar located at the boom of the web interface—click on the message icon to
view the alert.
Crical content update alerts are also logged as system log entries with the Type dynamic-
updates and the Event palo-alto-networks-message. Use the following filter to view these log
entries: ( subtype eq dynamic-updates) and ( evend eq palo-alto-networks-message).
If needed, use Panorama to rollback to an earlier content release.
Aer being nofied about an issue with a content update, you can use Panorama to quickly
revert managed firewalls to the last content update version, instead of manually reverng the
content version for individual firewalls: Revert Content Updates on Managed Firewalls.
PAN-OS® Administrator’s Guide Version Version 9.1 90 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
PAN-OS® Administrator’s Guide Version Version 9.1 91 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
describe how the update might impact exisng security policy enforcement and provides
recommendaons on how you can modify your security policy to best leverage what’s new.
To subscribe to get noficaons for new content updates, visit the Customer Support Portal,
edit your Preferences, and select Subscribe to Content Update Emails.
You can also review Content Release Notes for apps and threats on the Palo Alto Networks
Support Portal or directly in the firewall web interface: select Device > Dynamic Updates and
open the Release Note for a specific content release version.
The Notes secon of Content Release Notes highlights future updates that Palo Alto
Networks has idenfied as possibly significantly impacng coverage: for example, new
App-IDs or decoders. Check for these future updates, so that you can account for any
policy impact in advance of the release.
Create a security policy rule to always allow certain categories of new App-IDs, like
authencaon or soware development applicaons on which crical business funcons
rely. This means that when a content release introduces or changes coverage for an important
business applicaon, the firewall connues to seamlessly allow the applicaon without
requiring you to update your security policy. This eliminates any potenal availability impact
PAN-OS® Administrator’s Guide Version Version 9.1 92 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
for App-IDs in crical categories, and gives you thirty days (new App-IDs are released on a
monthly basis) to adjust your security policy to allow the mission-crical App-ID(s).
To do this, create an applicaon filter for new App-IDs in crical categories(Objects >
Applicaon Filters), and add the applicaon filter to a security policy rule.
To migate any impact to security policy enforcement that is associated with enabling new
applicaon and threat signatures, stagger the roll-out of new content. Provide new content
to locaons with less business risk (fewer users in satellite offices) before deploying them to
locaons with more business risk (such as locaons with crical applicaons). Confining the
latest content updates to certain firewalls before deploying them across your network also
makes it easier to troubleshoot any issues that arise. You can use Panorama to push staggered
schedules and installaon thresholds to firewalls and device groups based on organizaon or
locaon (Use Panorama to Deploy Updates to Firewalls).
Schedule content updates so that they download-and-install automacally. Then, set a
Threshold that determines the amount of me the firewall waits before installing the latest
content. In a mission-crical network, schedule up to a 48 hour threshold.
The installaon delay ensures that the firewall only installs content that has been available and
funconing in customer environments for the specified amount of me. To schedule content
updates, select Device > Dynamic Updates > Schedule.
Give yourself addional me to adjust your security policy based on new App-IDs before you
install them. To do this, set an installaon threshold that applies only to content updates that
contain new App-IDs. Content updates with new App-IDs are released only once a month, and
PAN-OS® Administrator’s Guide Version Version 9.1 93 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
installaon threshold triggers only at that me. Schedule content updates to configure a New
App-ID Threshold (Device > Dynamic Updates > Schedule).
Always review the new and modified App-IDs that a content release introduces, in order to
assess how the changes might impact your security policy. The following topic describes the
opons you can use to update your security policy both before and aer installing new App-
IDs: Manage New and Modified App-IDs.
Set up log forwarding to send Palo Alto Networks crical content alerts to external services
that you use for monitoring network and firewall acvity. This allows you to ensure that the
appropriate personnel is nofied about crical content issues, so that they can take acon as
needed. Crical content alerts are logged as system log entries with the following Type and
PAN-OS® Administrator’s Guide Version Version 9.1 94 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
PAN-OS 8.1.2 changed the log type for crical content alerts from general to
dynamic-updates. If you’re using PAN-OS 8.1.0 or PAN-OS 8.1.1, crical content
are logged as system log entries with the following Type and Event, and you should set
up forwarding for these alerts using the following filter: (subtype eq general)
and (eventid eq palo-alto-networks-message).
Test new Applicaons and Threats content updates in a dedicated staging environment before
enabling them in your producon environment. The easiest way to test new applicaons and
threats is to use a test firewall to tap into producon traffic. Install the latest content on the
test firewall and monitor the firewall as it processes the traffic copied from your producon
environment. You can also use test clients and a test firewall or packet captures (PCAPs) to
simulate producon traffic. Using PCAPs works well to simulate traffic for diverse deployments
where firewall security policy varies depending on locaon.
PAN-OS® Administrator’s Guide Version Version 9.1 95 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
describe how the update might impact exisng security policy enforcement and provides
recommendaons on how you can modify your security policy to best leverage what’s new.
To subscribe to get noficaons for new content updates, visit the Customer Support Portal,
edit your Preferences, and select Subscribe to Content Update Emails.
You can also review Content Release Notes for apps and threats on the Palo Alto Networks
Support Portal or directly in the firewall web interface: select Device > Dynamic Updates and
open the Release Note for a specific content release version.
The Notes secon of Content Release Notes highlights future updates that Palo Alto
Networks has idenfied as possibly significantly impacng coverage: for example, new
App-IDs or decoders. Check for these future updates, so that you can account for any
policy impact in advance of the release.
To migate any impact to security policy enforcement that is associated with enabling new
applicaon and threat signatures, stagger the roll-out of new content. Provide new content
to locaons with less business risk (fewer users in satellite offices) before deploying them to
locaons with more business risk (such as locaons with crical applicaons). Confining the
latest content updates to certain firewalls before deploying them across your network also
makes it easier to troubleshoot any issues that arise. You can use Panorama to push staggered
schedules and installaon thresholds to firewalls and device groups based on organizaon or
locaon (Use Panorama to Deploy Updates to Firewalls).
PAN-OS® Administrator’s Guide Version Version 9.1 96 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
The installaon delay ensures that the firewall only installs content that has been available and
funconing in customer environments for the specified amount of me. To schedule content
updates , select Device > Dynamic Updates > Schedule.
Set up log forwarding to send Palo Alto Networks crical content alerts to external services
that you use for monitoring network and firewall acvity. This allows you to ensure that the
appropriate personnel is nofied about crical content issues, so that they can take acon as
needed. Crical content alerts are logged as system log entries with the following Type and
PAN-OS® Administrator’s Guide Version Version 9.1 97 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
PAN-OS 8.1.2 changed the log type for crical content alerts from general to
dynamic-updates. If you’re using PAN-OS 8.1.0 or PAN-OS 8.1.1, crical content
are logged as system log entries with the following Type and Event, and you should set
up forwarding for these alerts using the following filter: (subtype eq general)
and (eventid eq palo-alto-networks-message).
PAN-OS® Administrator’s Guide Version Version 9.1 98 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
PAN-OS® Administrator’s Guide Version Version 9.1 99 ©2021 Palo Alto Networks, Inc.
Soware and Content Updates
PAN-OS® Administrator’s Guide Version Version 9.1 100 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Administrators can configure, manage, and monitor Palo Alto Networks firewalls using
the web interface, CLI, and API management interface. You can customize role-based
administrave access to the management interfaces to delegate specific tasks or
permissions to certain administrators.
101
Firewall Administraon
Management Interfaces
You can use the following user interfaces to manage the Palo Alto Networks firewall:
Do not enable management access from the internet or from other untrusted zones inside
your enterprise security boundary. Follow the Best Pracces for Securing Administrave
Access to ensure that you are properly securing your firewall.
• Use the Web Interface to perform configuraon and monitoring tasks with relave ease. This
graphical interface allows you to access the firewall using HTTPS (recommended) or HTTP and
it is the best way to perform administrave tasks.
• Use the Command Line Interface (CLI) to perform a series of tasks by entering commands in
rapid succession over SSH (recommended), Telnet, or the console port. The CLI is a no-frills
interface that supports two command modes, operaonal and configure, each with a disnct
hierarchy of commands and statements. When you become familiar with the nesng structure
and syntax of the commands, the CLI provides quick response mes and administrave
efficiency.
• Use the XML API to streamline your operaons and integrate with exisng, internally
developed applicaons and repositories. The XML API is a web service implemented using
HTTP/HTTPS requests and responses.
• Use Panorama to perform web-based management, reporng, and log collecon for mulple
firewalls. The Panorama web interface resembles the firewall web interface but with addional
funcons for centralized management.
PAN-OS® Administrator’s Guide Version Version 9.1 102 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
By default, the management (MGT) interface allows only HTTPS access to the web
interface. To enable other protocols, select Device > Setup > Interfaces and edit the
Management interface.
STEP 2 | Log in to the firewall according to the type of authencaon used for your account. If logging
in to the firewall for the first me, use the default value admin for your username and
password.
• SAML—Click Use Single Sign-On (SSO). If the firewall performs authorizaon (role
assignment) for administrators, enter your Username and Connue. If the SAML identy
provider (IdP) performs authorizaon, Connue without entering a Username. In both cases,
the firewall redirects you to the IdP, which prompts you to enter a username and password.
Aer you authencate to the IdP, the firewall web interface displays.
• Any other type of authencaon—Enter your user Name and Password. Read the login
banner and select I Accept and Acknowledge the Statement Below if the login page has the
banner and check box. Then click Login.
PAN-OS® Administrator’s Guide Version Version 9.1 103 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Aer you enter the message and click OK, administrators who subsequently
log in, and acve administrators who refresh their browsers, see the new or
updated message immediately; a commit isn’t necessary. This enables you to
inform other administrators of an impending commit that might affect their
configuraon changes. Based on the commit me that your message specifies,
the administrators can then decide whether to complete, save, or undo their
changes.
4. (Oponal) Select Allow Do Not Display Again (default is disabled) to give administrators
the opon to suppress a message of the day aer the first login session. Each
administrator can suppress messages only for his or her own login sessions. In the
message of the day dialog, each message will have its own suppression opon.
5. (Oponal) Enter a header Title for the message of the day dialog (default is Messageof
the Day).
PAN-OS® Administrator’s Guide Version Version 9.1 104 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
A bright background color and contrasng text color can increase the likelihood that
administrators will noce and read a banner. You can also use colors that correspond to
classificaon levels in your organizaon.
STEP 4 | Replace the logos on the login page and in the header.
The maximum size for any logo image is 128KB. The supported file types are png and
jpg. The firewall does not support image files that are interlaced, images that contain
alpha channels, and gif file types because such files interfere with PDF generaon.
1. Select Device > Setup > Operaons and click Custom Logos in the Miscellaneous
secon.
2. Perform the following steps for both the Login Screen logo and the Main UI (header)
logo:
1. Click upload .
2. Select a logo image and click Open.
You can preview the image to see how PAN-OS will crop it to fit by clicking
the magnifying glass icon.
3. Click Close.
3. Commit your changes.
STEP 5 | Verify that the banners, message of the day, and logos display as expected.
1. Log out to return to the login page, which displays the new logos you selected.
2. Enter your login credenals, review the banner, select I Accept and Acknowledge the
Statement Below to enable the Login buon, and then Login.
A dialog displays the message of the day. Messages that Palo Alto Networks embedded
display on separate pages in the same dialog. To navigate the pages, click the right or le
arrows along the sides of the dialog or click a page selector at the boom of
the dialog.
3. (Oponal) You can select Do not show again for the message you configured and for any
messages that Palo Alto Networks embedded.
4. Close the message of the day dialog to access the web interface.
Header and footer banners display in every web interface page with the text and colors
that you configured. The new logo you selected for the web interface displays below the
header banner.
PAN-OS® Administrator’s Guide Version Version 9.1 105 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
3. Look for a cauon symbol to the right of the last login me informaon for failed login
aempts.
The failed login indicator appears if one or more failed login aempts occurred using
your account since the last successful login.
1. If you see the cauon symbol, hover over it to display the number of failed login
aempts.
2. Click the cauon symbol to view the failed login aempts summary. Details include
the admin account name, the reason for the login failure, the source IP address, and
the date and me.
Aer you successfully log in and then log out, the failed login counter resets
to zero so you will see new failed login details, if any, the next me you log in.
PAN-OS® Administrator’s Guide Version Version 9.1 106 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
STEP 2 | Locate hosts that are connually aempng to log in to your firewall or Panorama
management server.
1. Click the failed login cauon symbol to view the failed login aempts summary.
2. Locate and record the source IP address of the host that aempted to log in. For
example, the following figure shows mulple failed login aempts from the IP address
192.168.2.10.
3. Work with your network administrator to locate the user and host that is using the IP
address that you idenfied.
If you cannot locate the system that is performing the brute-force aack, consider
renaming the account to prevent future aacks.
PAN-OS® Administrator’s Guide Version Version 9.1 107 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Use the following best pracces to help prevent brute-force aacks on privileged
accounts.
• Limit the number of failed aempts allowed before the firewall locks a
privileged account by seng the number of Failed Aempts and the Lockout
Time (min) in the authencaon profile or in the Authencaon Sengs for
the Management interface (Device > Setup > Management > Authencaon
Sengs).
• Use Interface Management Profiles to Restrict Access.
• Enforce complex passwords for privileged accounts.
You can also view System Logs to monitor system events on the firewall or view Config
Logs to monitor firewall configuraon changes.
STEP 2 | Show only Running tasks (in progress) or All tasks (default). Oponally, filter the tasks by
type:
• Jobs—Administrator-iniated commits, firewall-iniated commits, and soware or content
downloads and installaons.
• Reports—Scheduled reports.
• Log Requests—Log queries that you trigger by accessing the Dashboard or a Monitor page.
PAN-OS® Administrator’s Guide Version Version 9.1 108 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 109 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
longer successfully connect to Panorama, then it reverts its configuraon to the previous running
configuraon.
The commit, validate, preview, save, and revert operaons apply only to changes made
aer the last commit. To restore configuraons to the state they were in before the last
commit, you must load a previously backed up configuraon.
To prevent mulple administrators from making configuraon changes during concurrent
sessions, see Manage Locks for Restricng Configuraon Changes.
STEP 1 | Configure the scope of configuraon changes that you will commit, validate, or preview.
1. Click Commit at the top of the web interface.
2. Select one of the following opons:
• Commit All Changes (default)—Applies the commit to all changes for which you have
administrave privileges. You cannot manually filter the commit scope when you
select this opon. Instead, the administrator role assigned to the account you used to
log in determines the commit scope.
• Commit Changes Made By—Enables you to filter the commit scope by administrator
or locaon. The administrave role assigned to the account you used to log in
determines which changes you can filter.
To commit the changes of other administrators, the account you used to log in
must be assigned the Superuser role or an Admin Role profile with the Commit
For Other Admins privilege enabled.
3. (Oponal) To filter the commit scope by administrator, select Commit Changes Made By,
click the adjacent link, select the administrators, and click OK.
4. (Oponal) To filter by locaon, select Commit Changes Made By and clear any changes
that you want to exclude from the Commit Scope.
PAN-OS® Administrator’s Guide Version Version 9.1 110 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
addional lines help you correlate the preview output to sengs in the web interface. Close
the preview window when you finish reviewing the changes.
Because the preview results display in a new browser window, your browser must allow
pop-ups. If the preview window does not open, refer to your browser documentaon
for the steps to allow pop-ups.
STEP 3 | Preview the individual sengs for which you are comming changes.
This can be useful if you want to know details about the changes, such as the types of sengs
and who changed them.
1. Click Change Summary.
2. (Oponal) Group By a column name (such as the Type of seng).
3. Close the Change Summary dialog when you finish reviewing the changes.
STEP 4 | Validate the changes before you commit to ensure the commit will succeed.
1. Validate Changes.
The results display all the errors and warnings that an actual commit would display.
2. Resolve any errors that the validaon results idenfy.
To view details about commits that are pending (which you can sll cancel), in progress,
completed, or failed, see Manage and Monitor Administrave Tasks.
PAN-OS® Administrator’s Guide Version Version 9.1 111 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
STEP 2 | Apply filters as needed to produce the configuraon data you need to export and click PDF/
CSV.
PAN-OS® Administrator’s Guide Version Version 9.1 112 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
are removed, you can then delete the profile. You can do this for any configuraon item that has
dependencies.
Global Find will not search dynamic content (such as logs, address ranges, or allocated
DHCP addresses). In the case of DHCP, you can search on a DHCP server aribute, such
as the DNS entry, but you cannot search for individual addresses allocated to users. Global
Find also does not search for individual user or group names idenfied by User-ID unless
the user/group is defined in a policy. In general, you can only search content that the
firewall writes to the configuraon.
Launch Global Find by clicking the Search icon located on the upper right of the web interface.
To access the Global Find from within a configuraon area, click the drop-down next to an item
and select Global Find:
For example, click Global Find on a zone named l3-vlan-trust to search the candidate
configuraon for each locaon where the zone is referenced. The following screen capture
shows the search results for the zone l3-vlan-trust:
Search ps:
• If you iniate a search on a firewall that has mulple virtual systems enabled or if custom
Administrave Role Types are defined, Global Find will only return results for areas of the
PAN-OS® Administrator’s Guide Version Version 9.1 113 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
firewall in which the administrator has permissions. The same applies to Panorama device
groups.
• Spaces in search terms are handled as AND operaons. For example, if you search on
corp policy, the search results include instances where corp and policy exist in the
configuraon.
• To find an exact phrase, enclose the phrase in quotaon marks.
• Enter no more than five keywords or use an exact phrase match with quotaon marks.
• To rerun a previous search, click Search (located on the upper right of the web interface) to
see a list of the last 20 searches. Click an item in the list to rerun that search. Search history
is unique to each administrator account.
• To search for a UUID, you must copy and paste the UUID.
The firewall queues commit requests and performs them in the order that administrators
iniate the commits. For details, see Commit, Validate, and Preview Firewall
Configuraon Changes. To view the status of queued commits, see Manage and Monitor
Administrave Tasks.
PAN-OS® Administrator’s Guide Version Version 9.1 114 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Lock a configuraon.
1. Click the lock at the top of the web interface.
The lock image varies based on whether exisng locks are or are not set.
Unlock a configuraon.
Only a superuser or the administrator who locked the configuraon can manually unlock it.
However, the firewall automacally removes a lock aer compleng the commit operaon.
1. Click the lock at the top of the web interface.
2. Select the lock entry in the list.
3. Click Remove Lock, OK, and Close.
Configure the firewall to automacally apply a commit lock when you change the candidate
configuraon. This seng applies to all administrators.
1. Select Device > Setup > Management and edit the General Sengs.
2. Select Automacally Acquire Commit Lock and then click OK and Commit.
PAN-OS® Administrator’s Guide Version Version 9.1 115 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
See Commit, Validate, and Preview Firewall Configuraon Changes for details about
commit operaons.
You don’t have to save a configuraon backup to revert the changes made since the last
commit or reboot; just select Config > Revert Changes (see Revert Firewall Configuraon
Changes).
When you edit a seng and click OK, the firewall updates the candidate configuraon but
does not save a backup snapshot.
Addionally, saving changes does not acvate them. To acvate changes, perform a
commit (see Commit, Validate, and Preview Firewall Configuraon Changes).
Palo Alto Networks recommends that you back up any important configuraon to a host
external to the firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 116 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
STEP 1 | Save a local backup snapshot of the candidate configuraon if it contains changes that you
want to preserve in the event the firewall reboots.
These are changes you are not ready to commit—for example, changes you cannot finish in the
current login session.
To overwrite the default snapshot file (.snapshot.xml) with all the changes that all
administrators made, perform one of the following steps:
• Select Device > Setup > Operaons and Save candidate configuraon.
• Log in to the firewall with an administrave account that is assigned the Superuser role or
an Admin Role profile with the Save For Other Admins privilege enabled. Then select Config
> Save Changes at the top of the web interface, select Save All Changes and Save.
To create a snapshot that includes all the changes that all administrators made but without
overwring the default snapshot file:
1. Select Device > Setup > Operaons and Save named configuraon snapshot.
2. Specify the Name of a new or exisng configuraon file.
3. Click OK and Close.
To save only specific changes to the candidate configuraon without overwring any part of
the default snapshot file:
1. Log in to the firewall with an administrave account that has the role privileges required
to save the desired changes.
2. Select Config > Save Changes at the top of the web interface.
3. Select Save Changes Made By.
4. To filter the Save Scope by administrator, click <administrator-name>, select the
administrators, and click OK.
5. To filter the Save Scope by locaon, clear any locaons that you want to exclude. The
locaons can be specific virtual systems, shared policies and objects, or shared device
and network sengs.
6. Click Save, specify the Name of a new or exisng configuraon file, and click OK.
STEP 2 | Export a candidate configuraon, a running configuraon, or the firewall state informaon to
a host external to the firewall.
Select Device > Setup > Operaons and click an export opon:
• Export named configuraon snapshot—Export the current running configuraon, a named
candidate configuraon snapshot, or a previously imported configuraon (candidate or
running). The firewall exports the configuraon as an XML file with the Name you specify.
• Export configuraon version—Select a Version of the running configuraon to export as an
XML file. The firewall creates a version whenever you commit configuraon changes.
• Export device state—Export the firewall state informaon as a bundle. Besides the running
configuraon, the state informaon includes device group and template sengs pushed
from Panorama. If the firewall is a GlobalProtect portal, the informaon also includes
cerficate informaon, a list of satellites, and satellite authencaon informaon. If you
replace a firewall or portal, you can restore the exported informaon on the replacement by
imporng the state bundle.
PAN-OS® Administrator’s Guide Version Version 9.1 117 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
The privileges that control commit operaons also control revert operaons.
2. Select Config > Revert Changes at the top of the web interface.
3. Select Revert Changes Made By.
4. To filter the Revert Scope by administrator, click <administrator-name>, select the
administrators, and click OK.
5. To filter the Revert Scope by locaon, clear any locaons that you want to exclude.
6. Revert the changes.
PAN-OS® Administrator’s Guide Version Version 9.1 118 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Revert to a previous version of the running configuraon that is stored on the firewall.
The firewall creates a version whenever you commit configuraon changes.
1. Select Device > Setup > Operaons and Load configuraon version.
2. Select a configuraon Version and click OK.
3. (Oponal) Click Commit to overwrite the running configuraon with the version you just
restored.
PAN-OS® Administrator’s Guide Version Version 9.1 119 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
As a best pracce, create a separate administrave account for each person who needs
access to the administrave or reporng funcons of the firewall. This enables you to
beer protect the firewall from unauthorized configuraon and enables logging of the
acons of individual administrators. Make sure you are following the Best Pracces for
Securing Administrave Access to ensure that you are securing administrave access to
your firewalls and other security devices in a way that prevents successful aacks.
PAN-OS® Administrator’s Guide Version Version 9.1 120 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Device administrator Full access to all firewall sengs except for defining new
accounts or virtual systems.
Device administrator (read- Read-only access to all firewall sengs except password
only) profiles (no access) and administrator accounts (only the
logged in account is visible).
Virtual system administrator Access to selected virtual systems on the firewall to create
and manage specific aspects of virtual systems. A virtual
system administrator doesn’t have access to network
interfaces, VLANs, virtual wires, virtual routers, IPSec
tunnels, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or
network profiles.
Virtual system administrator Read-only access to selected virtual systems on the firewall
(read-only) and specific aspects of virtual systems. A virtual system
administrator with read-only access doesn’t have access to
network interfaces, VLANs, virtual wires, virtual routers,
IPSec tunnels, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or
network profiles.
As a best pracce, create Admin Role profiles that allow administrators to access only the
areas of the management interfaces that they need to access to perform their jobs.
STEP 3 | For the scope of the Role, select Device or Virtual System.
STEP 4 | In the Web UI and REST API tabs, click the icon for each funconal area to toggle it to the
desired seng: Enable, Disable, or Read Only. For the XML API, click the icon for each
funconal area to toggle it to the desired seng: Enable or Disable. For details on the Web
UI opons, see Web Interface Access Privileges.
STEP 5 | Select the Command Line tab and select a CLI access opon. The Role scope controls the
available opons:
• Device role—superuser, superreader, deviceadmin, devicereader, or None
• Virtual System role—vsysadmin, vsysreader, or None
PAN-OS® Administrator’s Guide Version Version 9.1 121 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
STEP 7 | Assign the role to an administrator. See Configure a Firewall Administrator Account.
Administrave Authencaon
You can configure the following types of authencaon and authorizaon (role and access domain
assignment) for firewall administrators:
AuthencaonAuthorizaon Descripon
Method Method
SSH Keys Local The administrave accounts are local to the firewall, but
authencaon to the CLI is based on SSH keys. You use the
firewall to manage role assignments but access domains are
not supported. For details, see Configure SSH Key-Based
Administrator Authencaon to the CLI.
Cerficates Local The administrave accounts are local to the firewall, but
authencaon to the web interface is based on client cerficates.
You use the firewall to manage role assignments but access
domains are not supported. For details, see Configure Cerficate-
Based Administrator Authencaon to the Web Interface.
External Local The administrave accounts you define locally on the firewall
service serve as references to the accounts defined on an external Mul-
Factor Authencaon, SAML, Kerberos, TACACS+, RADIUS, or
LDAP server. The external server performs authencaon. You
use the firewall to manage role assignments but access domains
are not supported. For details, see Configure Local or External
Authencaon for Firewall Administrators.
PAN-OS® Administrator’s Guide Version Version 9.1 122 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
AuthencaonAuthorizaon Descripon
Method Method
• Configure RADIUS Authencaon
Create a separate administrave account for each person who needs access to the
administrave or reporng funcons of the firewall. This enables you to beer protect the
firewall from unauthorized configuraon and enables logging of the acons of individual
administrators.
Make sure you are following the Best Pracces for Securing Administrave Access to
ensure that you are securing administrave access to your firewalls and other security
devices in a way that prevents successful aacks.
STEP 3 | Select an Authencaon Profile or sequence if you configured either for the administrator.
If the firewall uses Local Authencaon without a local user database for the account, select
None (default) and enter a Password.
PAN-OS® Administrator’s Guide Version Version 9.1 123 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
STEP 5 | (Oponal) Select a Password Profile for administrators that the firewall authencates locally
without a local user database. For details, see Define a Password Profile.
If you use an external service to manage both authencaon and authorizaon (role and
access domain assignments), see:
• Configure SAML Authencaon
• Configure TACACS+ Authencaon
• Configure RADIUS Authencaon
To authencate administrators without a challenge-response mechanism, you can
Configure Cerficate-Based Administrator Authencaon to the Web Interface and
Configure SSH Key-Based Administrator Authencaon to the CLI.
STEP 1 | (External authencaon only) Enable the firewall to connect to an external server for
authencang administrators.
Configure a server profile:
• Add a RADIUS server profile.
If the firewall integrates with a Mul-Factor Authencaon (MFA) service through RADIUS,
you must add a RADIUS server profile. In this case, the MFA service provides all the
authencaon factors (challenges). If the firewall integrates with an MFA service through
a vendor API, you can sll use a RADIUS server profile for the first factor but MFA server
profiles are required for addional factors.
• Add an MFA server profile.
• Add a TACACS+ server profile.
• Add a SAML IdP server profile. You cannot combine Kerberos single sign-on (SSO) with
SAML SSO; you can use only one type of SSO service.
• Add a Kerberos server profile.
• Add an LDAP server profile.
PAN-OS® Administrator’s Guide Version Version 9.1 124 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
STEP 2 | (Local database authencaon only) Configure a user database that is local to the firewall.
1. Add the user account to the local database.
2. (Oponal) Add the user group to the local database.
STEP 3 | (Local authencaon only) Define password complexity and expiraon sengs.
These sengs help protect the firewall against unauthorized access by making it harder for
aackers to guess passwords.
1. Define global password complexity and expiraon sengs for all local administrators.
The sengs don’t apply to local database accounts for which you specified a password
hash instead of a password (see Local Authencaon).
1. Select Device > Setup > Management and edit the Minimum Password Complexity
sengs.
2. Select Enabled.
3. Define the password sengs and click OK.
2. Define a Password Profile.
You assign the profile to administrator accounts for which you want to override the
global password expiraon sengs. The profiles are available only to accounts that are
not associated with a local database (see Local Authencaon).
1. Select Device > Password Profiles and Add a profile.
2. Enter a Name to idenfy the profile.
3. Define the password expiraon sengs and click OK.
If your administrave accounts are stored across mulple types of servers, you
can create an authencaon profile for each type and add all the profiles to an
authencaon sequence.
Configure an Authencaon Profile and Sequence. In the authencaon profile, specify the
Type of authencaon service and related sengs:
• External service—Select the Type of external service and select the Server Profile you
created for it.
• Local database authencaon—Set the Type to Local Database.
• Local authencaon without a database—Set the Type to None.
• Kerberos SSO—Specify the Kerberos Realm and Import the Kerberos Keytab.
PAN-OS® Administrator’s Guide Version Version 9.1 125 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Alternavely, Import a Cerficate and Private Key from your enterprise CA or a third-
party CA.
STEP 2 | Configure a cerficate profile for securing access to the web interface.
Configure a Cerficate Profile.
• Set the Username Field to Subject.
• In the CA Cerficates secon, Add the CA Cerficate you just created or imported.
STEP 3 | Configure the firewall to use the cerficate profile for authencang administrators.
1. Select Device > Setup > Management and edit the Authencaon Sengs.
2. Select the Cerficate Profile you created for authencang administrators and click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 126 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
STEP 7 | Import the client cerficate into the client system of each administrator who will access the
web interface.
Refer to your web browser documentaon.
PAN-OS® Administrator’s Guide Version Version 9.1 127 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
STEP 3 | Configure the SSH client to use the private key to authencate to the firewall.
Perform this task on the client system of the administrator. For the steps, refer to your SSH
client documentaon.
STEP 4 | Verify that the administrator can access the firewall CLI using SSH key authencaon.
1. Use a browser on the client system of the administrator to go to the firewall IP address.
2. Log in to the firewall CLI as the administrator. Aer entering a username, you will see the
following output (the key value is an example):
3. If prompted, enter the passphrase you defined when creang the keys.
STEP 2 | Edit Authencaon Sengs to specify the API Key Lifeme (min).
Set the API key lifeme to protect against compromise and to reduce the effects of an
accidental exposure. By default, the API key lifeme is set to 0, which means that the keys
will never expire. To ensure that your keys are frequently rotated and each key is unique when
regenerated, you must specify a validity period that ranges between 1—525600 minutes. Refer
to the audit and compliance policies for your enterprise to determine how you should specify
the lifeme for which your API keys are valid.
PAN-OS® Administrator’s Guide Version Version 9.1 128 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
STEP 4 | (To revoke all API keys) Select Expire all API Keys to reset currently valid API keys.
If you have just set a key lifeme and want to reset all API keys to adhere to the new term, you
can expire all exisng keys.
On confirmaon, the keys are revoked and you can view the mestamp for when the API Keys
Last Expired.
PAN-OS® Administrator’s Guide Version Version 9.1 129 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 130 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 131 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 132 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Device Group and Template roles can see log data only for the device groups that are
within the access domains assigned to those roles.
PAN-OS® Administrator’s Guide Version Version 9.1 133 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 134 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 135 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Authencaon
Specifies whether the Firewall: Yes Yes No Yes
administrator can see the
Panorama: Yes
Authencaon logs.
Device Group/
Template: No
PAN-OS® Administrator’s Guide Version Version 9.1 136 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 137 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 138 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 139 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 140 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 141 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
GTP Log Specifies whether the mobile Firewall: Yes Yes No Yes
network operator can create a
Panorama: Yes
custom report that includes data
from GTP logs. Device Group/
Template: Yes
SCTP Log Specifies whether the mobile Firewall: Yes Yes No Yes
network operator can create a
Panorama: Yes
custom report that includes data
from SCTP logs. Device Group/
Template: Yes
PAN-OS® Administrator’s Guide Version Version 9.1 142 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 143 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 144 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Policy Based Enable this privilege to allow the Yes Yes Yes
Forwarding administrator to view, add, and/or delete
Policy-Based Forwarding (PBF) rules. Set
the privilege to read-only if you want
the administrator to be able to see the
rules, but not modify them. To prevent
the administrator from seeing the PBF
rulebase, disable this privilege.
Tunnel Inspecon Enable this privilege to allow the Yes Yes Yes
administrator to view, add, and/or delete
Tunnel Inspecon rules. Set the privilege
to read-only if you want the administrator
to be able to see the rules, but not modify
them. To prevent the administrator from
seeing the Tunnel Inspecon rulebase,
disable this privilege.
PAN-OS® Administrator’s Guide Version Version 9.1 145 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
DoS Protecon Enable this privilege to allow the Yes Yes Yes
administrator to view, add, and/or delete
DoS protecon rules. Set the privilege to
read-only if you want the administrator to
be able to see the rules, but not modify
them. To prevent the administrator from
seeing the DoS protecon rulebase,
disable this privilege.
PAN-OS® Administrator’s Guide Version Version 9.1 146 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Address Groups Specifies whether the administrator can Yes Yes Yes
view, add, or delete address group objects
for use in security policy.
Service Groups Specifies whether the administrator can Yes Yes Yes
view, add, or delete service group objects
for use in security policy.
PAN-OS® Administrator’s Guide Version Version 9.1 147 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
HIP Objects Specifies whether the administrator can Yes Yes Yes
view, add, or delete HIP objects, which are
used to define HIP profiles. HIP Objects
also generate HIP Match logs.
Clientless Apps Specifies whether the administrator can Yes Yes Yes
view, add, modify, or delete GlobalProtect
VPN Clientless applicaons.
Clientless App Specifies whether the administrator can Yes Yes Yes
Groups view, add, modify, or delete GlobalProtect
VPN Clientless applicaon groups.
HIP Profiles Specifies whether the administrator can Yes Yes Yes
view, add, or delete HIP Profiles for use in
security policy and/or for generang HIP
Match logs.
External Dynamic Specifies whether the administrator can Yes Yes Yes
Lists view, add, or delete external dynamic lists
for use in security policy.
Data Paerns Specifies whether the administrator can Yes Yes Yes
view, add, or delete custom data paern
signatures for use in creang custom
Vulnerability Protecon profiles.
PAN-OS® Administrator’s Guide Version Version 9.1 148 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
URL Filtering Specifies whether the administrator can Yes Yes Yes
view, add, or delete URL filtering profiles.
File Blocking Specifies whether the administrator can Yes Yes Yes
view, add, or delete file blocking profiles.
WildFire Analysis Specifies whether the administrator can Yes Yes Yes
view, add, or delete WildFire analysis
profiles.
Data Filtering Specifies whether the administrator can Yes Yes Yes
view, add, or delete data filtering profiles.
GTP Protecon Specifies whether the mobile network Yes Yes Yes
operator can view, add, or delete GTP
Protecon profiles.
PAN-OS® Administrator’s Guide Version Version 9.1 149 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
SCTP Protecon Specifies whether the mobile network Yes Yes Yes
operator can view, add, or delete Stream
Control Transmission Protocol (SCTP)
Protecon profiles.
PAN-OS® Administrator’s Guide Version Version 9.1 150 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Virtual Wires Specifies whether the administrator can Yes Yes Yes
view, add, or delete virtual wires.
Virtual Routers Specifies whether the administrator can Yes Yes Yes
view, add, modify or delete virtual routers.
IPSec Tunnels Specifies whether the administrator can Yes Yes Yes
view, add, modify, or delete IPSec Tunnel
configuraons.
GRE Tunnels Specifies whether the administrator can Yes Yes Yes
view, add, modify, or delete GRE Tunnel
configuraons.
DNS Proxy Specifies whether the administrator can Yes Yes Yes
view, add, modify, or delete DNS proxy
configuraons.
PAN-OS® Administrator’s Guide Version Version 9.1 151 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Device Block List Specifies whether the administrator can Yes Yes Yes
view, add, modify, or delete device block
lists.
Clientless Apps Specifies whether the administrator can Yes Yes Yes
view, add, modify, or delete GlobalProtect
Clientless VPN applicaons.
Clientless App Specifies whether the administrator can Yes Yes Yes
Groups view, add, modify, or delete GlobalProtect
Clientless VPN applicaon groups.
Network Profiles Sets the default state to enable or disable Yes No Yes
for all of the Network sengs described
below.
GlobalProtect Controls access to the Network Profiles > Yes Yes Yes
IPSec Crypto GlobalProtect IPSec Crypto node.
If you disable this privilege, the
administrator will not see that node, or
configure algorithms for authencaon
and encrypon in VPN tunnels between a
GlobalProtect gateway and clients.
If you set the privilege to read-only,
the administrator can view exisng
GlobalProtect IPSec Crypto profiles but
cannot add or edit them.
IKE Gateways Controls access to the Network Profiles Yes Yes Yes
> IKE Gateways node. If you disable
this privilege, the administrator will not
see the IKE Gateways node or define
gateways that include the configuraon
PAN-OS® Administrator’s Guide Version Version 9.1 152 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
IPSec Crypto Controls access to the Network Profiles Yes Yes Yes
> IPSec Crypto node. If you disable this
privilege, the administrator will not see
the Network Profiles > IPSec Crypto
node or specify protocols and algorithms
for idenficaon, authencaon, and
encrypon in VPN tunnels based on IPSec
SA negoaon.
If the privilege state is set to read-only,
you can view the currently configured
IPSec Crypto configuraon but cannot add
or edit a configuraon.
Monitor Controls access to the Network Profiles > Yes Yes Yes
Monitor node. If you disable this privilege,
the administrator will not see the Network
Profiles > Monitor node or be able to
create or edit a monitor profile that
is used to monitor IPSec tunnels and
monitor a next-hop device for policy-
based forwarding (PBF) rules.
If the privilege state is set to read-only,
you can view the currently configured
monitor profile configuraon but cannot
add or edit a configuraon.
Interface Mgmt Controls access to the Network Profiles > Yes Yes Yes
Interface Mgmt node. If you disable this
privilege, the administrator will not see
the Network Profiles > Interface Mgmt
PAN-OS® Administrator’s Guide Version Version 9.1 153 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Zone Protecon Controls access to the Network Profiles > Yes Yes Yes
Zone Protecon node. If you disable this
privilege, the administrator will not see
the Network Profiles > Zone Protecon
node or be able to configure a profile that
determines how the firewall responds to
aacks from specified security zones.
If the privilege state is set to read-only,
you can view the currently configured
Zone Protecon profile configuraon but
cannot add or edit a configuraon.
QoS Profile Controls access to the Network Profiles Yes Yes Yes
> QoS node. If you disable this privilege,
the administrator will not see the Network
Profiles > QoS node or be able to
configure a QoS profile that determines
how QoS traffic classes are treated.
If the privilege state is set to read-only,
you can view the currently configured
QoS profile configuraon but cannot add
or edit a configuraon.
LLDP Profile Controls access to the Network Profiles Yes Yes Yes
> LLDP node. If you disable this privilege,
the administrator will not see the Network
Profiles > LLDP node or be able to
configure an LLDP profile that controls
whether the interfaces on the firewall can
parcipate in the Link Layer Discovery
Protocol.
If the privilege state is set to read-only,
you can view the currently configured
LLDP profile configuraon but cannot add
or edit a configuraon.
PAN-OS® Administrator’s Guide Version Version 9.1 154 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
BFD Profile Controls access to the Network Profiles Yes Yes Yes
> BFD Profile node. If you disable this
privilege, the administrator will not see
the Network Profiles > BFD Profile node
or be able to configure a BFD profile.
A Bidireconal Forwarding Detecon
(BFD) profile allows you to configure BFD
sengs to apply to one or more stac
routes or roung protocols. Thus, BFD
detects a failed link or BFD peer and
allows an extremely fast failover.
If the privilege state is set to read-only,
you can view the currently configured
BFD profile but cannot add or edit a BFD
profile.
Setup Controls access to the Setup node. If you Yes Yes Yes
disable this privilege, the administrator
will not see the Setup node or have access
to firewall-wide setup configuraon
informaon, such as Management,
Operaons, Service, Content-ID, WildFire
or Session setup informaon.
If the privilege state is set to read-only,
you can view the current configuraon
but cannot make any changes.
PAN-OS® Administrator’s Guide Version Version 9.1 155 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 156 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
HSM Controls access to the HSM node. If you Yes Yes Yes
disable this privilege, the administrator
will not be able to configure a Hardware
Security Module.
If the privilege state is set to read-only,
you can view the current configuraon
but cannot make any changes.
PAN-OS® Administrator’s Guide Version Version 9.1 157 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
High Availability Controls access to the High Availability Yes Yes Yes
node. If you disable this privilege,
the administrator will not see the
High Availability node or have access
to firewall-wide high availability
configuraon informaon such as General
setup informaon or Link and Path
Monitoring.
If you set this privilege to read-only, the
administrator can view High Availability
configuraon informaon for the firewall
but is not allowed to perform any
configuraon procedures.
Admin Roles Controls access to the Admin Roles node. No Yes Yes
This funcon can only be allowed for
read-only access.
If you disable this privilege, the
administrator will not see the Admin
Roles node or have access to any firewall-
wide informaon concerning Admin Role
profiles configuraon.
PAN-OS® Administrator’s Guide Version Version 9.1 158 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Virtual Systems Controls access to the Virtual Systems Yes Yes Yes
node. If you disable this privilege, the
administrator will not see or be able to
configure virtual systems.
If the privilege state is set to read-only,
you can view the currently configured
virtual systems but cannot add or edit a
configuraon.
Shared Gateways Controls access to the Shared Gateways Yes Yes Yes
node. Shared gateways allow virtual
PAN-OS® Administrator’s Guide Version Version 9.1 159 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 160 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Cerficate Profile Controls access to the Cerficate Profile Yes Yes Yes
node. If you disable this privilege, the
administrator will not see the Cerficate
Profile node or be able to create
cerficate profiles.
If you set this privilege to read-only, the
administrator can view Cerficate Profiles
that are currently configured for the
firewall but is not allowed to create or edit
a cerficate profile.
OCSP Responder Controls access to the OCSP Responder Yes Yes Yes
node. If you disable this privilege, the
administrator will not see the OCSP
Responder node or be able to define
a server that will be used to verify the
revocaon status of cerficates issues by
the firewall.
If you set this privilege to read-only,
the administrator can view the OCSP
Responder configuraon for the firewall
but is not allowed to create or edit an
OCSP responder configuraon.
SSL/TLS Service Controls access to the SSL/TLS Service Yes Yes Yes
Profile Profile node.
If you disable this privilege, the
administrator will not see the node
or configure a profile that specifies a
cerficate and a protocol version or range
of versions for firewall services that use
SSL/TLS.
PAN-OS® Administrator’s Guide Version Version 9.1 161 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
SCEP Controls access to the SCEP node. If you Yes Yes Yes
disable this privilege, the administrator
will not see the node or be able to define
a profile that specifies simple cerficate
enrollment protocol (SCEP) sengs for
issuing unique device cerficates.
If you set this privilege to read-only, the
administrator can view exisng SCEP
profiles but cannot create or edit them.
SSL Decrypon Controls access to the SSL Decrypon Yes Yes Yes
Exclusion Exclusion node. If you disable this
privilege, the administrator will not
see the node or be able see the SSL
decrypon add custom exclusions.
If you set this privilege to read-only,
the administrator can view exisng SSL
decrypon excepons but cannot create
or edit them.
Response Pages Controls access to the Response Pages Yes Yes Yes
node. If you disable this privilege, the
administrator will not see the Response
Page node or be able to define a custom
HTML message that is downloaded and
displayed instead of a requested web page
or file.
If you set this privilege to read-only, the
administrator can view the Response Page
configuraon for the firewall but is not
allowed to create or edit a response page
configuraon.
Log Sengs Sets the default state to enable or disable Yes No Yes
for all of the Log sengs described below.
System Controls access to the Log Sengs > Yes Yes Yes
System node. If you disable this privilege,
the administrator cannot see the Log
Sengs > System node or specify which
PAN-OS® Administrator’s Guide Version Version 9.1 162 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Configuraon Controls access to the Log Sengs > Yes Yes Yes
Configuraon node. If you disable this
privilege, the administrator cannot see
the Log Sengs > Configuraon node
or specify which Configuraon logs the
firewall forwards to Panorama or external
services (such as a syslog server).
If you set this privilege to read-only, the
administrator can view the Log Sengs >
Configuraon sengs for the firewall but
cannot add, edit, or delete the sengs.
User-ID Controls access to the Log Sengs > Yes Yes Yes
User-ID node. If you disable this privilege,
the administrator cannot see the Log
Sengs > User-ID node or specify which
User-ID logs the firewall forwards to
Panorama or external services (such as a
syslog server).
If you set this privilege to read-only, the
administrator can view the Log Sengs
> User-ID sengs for the firewall but
cannot add, edit, or delete the sengs.
HIP Match Controls access to the Log Sengs > Yes Yes Yes
HIP Match node. If you disable this
privilege, the administrator cannot see
the Log Sengs > HIP Match node or
specify which Host Informaon Profile
(HIP) match logs the firewall forwards to
Panorama or external services (such as
a syslog server). HIP match logs provide
informaon on Security policy rules that
apply to GlobalProtect endpoints.
If you set this privilege to read-only, the
administrator can view the Log Sengs
PAN-OS® Administrator’s Guide Version Version 9.1 163 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
GlobalProtect Controls access to the Log Sengs > Yes Yes Yes
GlobalProtect node. If you disable this
privilege, the administrator cannot see
the Log Sengs > GlobalProtect node
or specify which GlobalProtect logs the
firewall forwards to Panorama or external
services (such as a syslog server).
If you set this privilege to read-only, the
administrator can view the Log Sengs >
GlobalProtect sengs for the firewall but
cannot add, edit, or delete the sengs.
Correlaon Controls access to the Log Sengs > Yes Yes Yes
Correlaon node. If you disable this
privilege, the administrator cannot see
the Log Sengs > Correlaon node or
add, delete, or modify correlaon log
forwarding sengs or tag source or
desnaon IP addresses.
If you set this privilege to read-only, the
administrator can view the Log Sengs
> Correlaon sengs for the firewall but
cannot add, edit, or delete the sengs.
Alarm Sengs Controls access to the Log Sengs > Yes Yes Yes
Alarm Sengs node. If you disable this
privilege, the administrator cannot see
the Log Sengs > Alarm Sengs node
or configure noficaons that the firewall
generates when a Security policy rule (or
group of rules) is hit repeatedly within a
configurable me period.
If you set this privilege to read-only, the
administrator can view the Log Sengs >
Alarm Sengs for the firewall but cannot
edit the sengs.
Manage Logs Controls access to the Log Sengs > Yes Yes Yes
Manage Logs node. If you disable this
privilege, the administrator cannot see the
Log Sengs > Manage Logs node or clear
the indicated logs.
PAN-OS® Administrator’s Guide Version Version 9.1 164 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Server Profiles Sets the default state to enable or disable Yes No Yes
for all of the Server Profiles sengs
described below.
SNMP Trap Controls access to the Server Profiles Yes Yes Yes
> SNMP Trap node. If you disable this
privilege, the administrator will not see
the Server Profiles > SNMP Trap node
or be able to specify one or more SNMP
trap desnaons to be used for system
log entries.
If you set this privilege to read-only, the
administrator can view the Server Profiles
> SNMP Trap Logs informaon but cannot
specify SNMP trap desnaons.
Syslog Controls access to the Server Profiles > Yes Yes Yes
Syslog node. If you disable this privilege,
the administrator will not see the Server
Profiles > Syslog node or be able to
specify one or more syslog servers.
If you set this privilege to read-only, the
administrator can view the Server Profiles
> Syslog informaon but cannot specify
syslog servers.
Email Controls access to the Server Profiles > Yes Yes Yes
Email node. If you disable this privilege,
the administrator will not see the Server
Profiles > Email node or be able to
configure an email profile that can be used
to enable email noficaon for system and
configuraon log entries.
If you set this privilege to read-only, the
administrator can view the Server Profiles
> Email informaon but cannot configure
an email server profile.
HTTP Controls access to the Server Profiles > Yes Yes Yes
HTTP node. If you disable this privilege,
PAN-OS® Administrator’s Guide Version Version 9.1 165 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Nelow Controls access to the Server Profiles > Yes Yes Yes
Nelow node. If you disable this privilege,
the administrator will not see the Server
Profiles > Nelow node or be able to
define a NetFlow server profile, which
specifies the frequency of the export
along with the NetFlow servers that will
receive the exported data.
If you set this privilege to read-only, the
administrator can view the Server Profiles
> Nelow informaon but cannot define a
Nelow profile.
RADIUS Controls access to the Server Profiles > Yes Yes Yes
RADIUS node. If you disable this privilege,
the administrator will not see the Server
Profiles > RADIUS node or be able to
configure sengs for the RADIUS servers
that are idenfied in authencaon
profiles.
If you set this privilege to read-only,
the administrator can view the Server
Profiles > RADIUS informaon but cannot
configure sengs for the RADIUS servers.
TACACS+ Controls access to the Server Profiles > Yes Yes Yes
TACACS+ node.
If you disable this privilege, the
administrator will not see the node
or configure sengs for the TACACS
+ servers that authencaon profiles
reference.
If you set this privilege to read-only, the
administrator can view exisng TACACS
PAN-OS® Administrator’s Guide Version Version 9.1 166 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
LDAP Controls access to the Server Profiles > Yes Yes Yes
LDAP node. If you disable this privilege,
the administrator will not see the Server
Profiles > LDAP node or be able to
configure sengs for the LDAP servers
to use for authencaon by way of
authencaon profiles.
If you set this privilege to read-only, the
administrator can view the Server Profiles
> LDAP informaon but cannot configure
sengs for the LDAP servers.
SAML Identy Controls access to the Server Profiles Yes Yes Yes
Provider > SAML Identy Provider node. If you
disable this privilege, the administrator
cannot see the node or configure SAML
identy provider (IdP) server profiles.
If you set this privilege to read-only, the
administrator can view the Server Profiles
> SAML Identy Provider informaon but
cannot configure SAML IdP server profiles.
PAN-OS® Administrator’s Guide Version Version 9.1 167 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Local User Sets the default state to enable or disable Yes No Yes
Database for all of the Local User Database sengs
described below.
User Groups Controls access to the Local User Yes Yes Yes
Database > Users node. If you disable this
privilege, the administrator will not see
the Local User Database > Users node or
be able to add user group informaon to
the local database.
If you set this privilege to read-only, the
administrator can view the Local User
Database > Users informaon but cannot
add user group informaon to the local
database.
Access Domain Controls access to the Access Domain Yes Yes Yes
node. If you disable this privilege, the
administrator will not see the Access
Domain node or be able to create or edit
an access domain.
If you set this privilege to read-only,
the administrator can view the Access
Domain informaon but cannot create or
edit an access domain.
PAN-OS® Administrator’s Guide Version Version 9.1 168 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Dynamic Updates Controls access to the Dynamic Updates Yes Yes Yes
node. If you disable this privilege, the
administrator will not see the Dynamic
Updates node or be able to view the latest
updates, read the release notes for each
PAN-OS® Administrator’s Guide Version Version 9.1 169 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Master Key and Controls access to the Master Key and Yes Yes Yes
Diagnoscs Diagnoscs node. If you disable this
privilege, the administrator will not see
the Master Key and Diagnoscs node or
be able to specify a master key to encrypt
private keys on the firewall.
If you set this privilege to read-only,
the administrator can view the Master
Key and Diagnoscs node and view
informaon about master keys that have
PAN-OS® Administrator’s Guide Version Version 9.1 170 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Privacy Sets the default state to enable or disable Yes N/A Yes
for all of the privacy sengs described
below.
Show Full IP When disabled, full IP addresses obtained Yes N/A Yes
addresses by traffic running through the Palo Alto
firewall are not shown in logs or reports.
In place of the IP addresses that are
normally displayed, the relevant subnet is
displayed.
PAN-OS® Administrator’s Guide Version Version 9.1 171 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
View PCAP Files When disabled, packet capture files that Yes N/A Yes
are normally available within the Traffic,
Threat and Data Filtering logs are not
displayed.
PAN-OS® Administrator’s Guide Version Version 9.1 172 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Save For Other When disabled, an administrator cannot Yes N/A Yes
Admins save changes that other administrators
made to the firewall configuraon.
Global Sets the default state to enable or disable Yes N/A Yes
for all of the global sengs described
below. In effect, this seng is only for
System Alarms at this me.
PAN-OS® Administrator’s Guide Version Version 9.1 173 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 174 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 175 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 176 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 177 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
An administrator
with Device
Deployment
privileges can sll
select Panorama
> Device
Deployment to
install updates on
managed firewalls.
PAN-OS® Administrator’s Guide Version Version 9.1 178 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
An administrator
with Device
Deployment
privileges can sll
use the Panorama
> Device
Deployment
opons to
install updates
on managed
collectors.
PAN-OS® Administrator’s Guide Version Version 9.1 179 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 180 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Log Sets the default state, enabled Panorama: Yes Yes No Yes
Sengs or disabled, for all the log
Device Group/
seng privileges.
Template: No
PAN-OS® Administrator’s Guide Version Version 9.1 181 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
This privilege
pertains only to
System logs that
Panorama and
Log Collectors
generate. The
Collector
Groups privilege
(Panorama
> Collector
Groups) controls
forwarding for
System logs that
Log Collectors
receive from
firewalls. The
Device > Log
Sengs >
System privilege
controls log
forwarding from
firewalls directly
to external
services (without
aggregaon on
Log Collectors).
PAN-OS® Administrator’s Guide Version Version 9.1 182 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
This privilege
pertains only to
Config logs that
Panorama and
Log Collectors
generate. The
Collector
Groups privilege
(Panorama
> Collector
Groups) controls
forwarding for
Config logs that
Log Collectors
receive from
firewalls. The
Device > Log
Sengs >
Configuraon
privilege
controls log
forwarding from
firewalls directly
to external
services (without
aggregaon on
Log Collectors).
PAN-OS® Administrator’s Guide Version Version 9.1 183 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
This privilege
pertains only
to User-ID logs
that Panorama
generates.
The Collector
Groups privilege
(Panorama
> Collector
Groups) controls
forwarding for
User-ID logs that
Log Collectors
receive from
firewalls. The
Device > Log
Sengs > User-
ID privilege
controls log
forwarding from
firewalls directly
to external
services (without
aggregaon on
Log Collectors).
HIP Match Specifies whether the Panorama: Yes Yes Yes Yes
administrator can see and
Device Group/
configure the sengs that
Template: No
control the forwarding of HIP
Match logs from a Panorama
virtual appliance in Legacy
mode to external services
(syslog, email, SNMP trap, or
HTTP servers).
If you set this privilege to read-
only, the administrator can see
the forwarding sengs of HIP
Match logs but can’t manage
them.
PAN-OS® Administrator’s Guide Version Version 9.1 184 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
The Collector
Groups privilege
(Panorama
> Collector
Groups) controls
forwarding for HIP
Match logs that
Log Collectors
receive from
firewalls. The
Device > Log
Sengs > HIP
Match privilege
controls log
forwarding from
firewalls directly
to external
services (without
aggregaon on
Log Collectors).
PAN-OS® Administrator’s Guide Version Version 9.1 185 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 186 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 187 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 188 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 189 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Server Sets the default state, enabled Panorama: Yes Yes No Yes
Profiles or disabled, for all the server
Device Group/
profile privileges.
Template: No
PAN-OS® Administrator’s Guide Version Version 9.1 190 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
SNMP Trap Specifies whether the Panorama: Yes Yes Yes Yes
administrator can see and
Device Group/
configure SNMP trap server
Template: No
profiles.
If you set this privilege to read-
only, the administrator can see
SNMP trap server profiles but
can’t manage them.
If you disable this privilege,
the administrator can’t see
or manage SNMP trap server
profiles.
PAN-OS® Administrator’s Guide Version Version 9.1 191 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 192 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 193 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 194 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 195 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Device Sets the default state, enabled Panorama: Yes Yes No Yes
Deployment or disabled, for all the privileges
Device Group/
associated with deploying
Template: Yes
licenses and soware or
content updates to firewalls
and Log Collectors.
PAN-OS® Administrator’s Guide Version Version 9.1 196 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 197 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 198 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 199 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 200 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 201 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
PAN-OS® Administrator’s Guide Version Version 9.1 202 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Force Template This privilege controls access to the Force Yes No Yes
Values Template Values opon in the Push Scope
Selecon dialog.
When disabled, an administrator cannot
replace overridden sengs in local
firewall configuraons with sengs that
Panorama pushes from a template.
PAN-OS® Administrator’s Guide Version Version 9.1 203 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
22 TCP Used for communicaon from a client system to the firewall CLI
interface.
80 TCP The port the firewall listens on for Online Cerficate Status
Protocol (OCSP) updates when acng as an OCSP responder.
443 TCP Used for communicaon from a client system to the firewall web
interface. This is also the port the firewall and User-ID agent
listens on for updates when you Enable VM Monitoring to Track
Changes on the Virtual Network.
For monitoring an AWS environment, this is the only port that is
used.
For monitoring a VMware vCenter/ESXi environment, the
listening port defaults to 443, but it is configurable.
162 UDP Port the firewall, Panorama, or a Log Collector uses to Forward
Traps to an SNMP Manager.
PAN-OS® Administrator’s Guide Version Version 9.1 204 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
161 UDP Port the firewall listens on for polling requests (GET messages)
from the SNMP manager.
514 TCP Port that the firewall, Panorama, or a Log Collector uses to
send logs to a syslog server if you Configure Syslog Monitoring,
514 UDP
and the ports that the PAN-OS integrated User-ID agent or
6514 SSL Windows-based User-ID agent listens on for authencaon
syslog messages.
2055 UDP Default port the firewall uses to send NetFlow records to a
NetFlow collector if you Configure NetFlow Exports, but this is
configurable.
5008 TCP Port the GlobalProtect Mobile Security Manager listens on for HIP
requests from the GlobalProtect gateways.
If you are using a third-party MDM system, you can configure the
gateway to use a different port as required by the MDM vendor.
6080 TCP Ports used for User-ID™ Capve Portal: 6080 for NT LAN
Manager (NTLM) authencaon, 6081 for Capve Portal without
6081 TLS 1.2
an SSL/TLS Server Profile, and 6082 for Capve Portal with an
6082 TCP SSL/TLS Server Profile.
10443 SSL Port that the firewall and Panorama use to provide contextual
informaon about a threat or to seamlessly shi your threat
invesgaon to the Threat Vault and AutoFocus.
28769 TCP Used for the HA1 control link for clear text communicaon
between the HA peer firewalls. The HA1 link is a Layer 3 link and
28260 TCP
requires an IP address.
28 TCP Used for the HA1 control link for encrypted communicaon (SSH
over TCP) between the HA peer firewalls.
PAN-OS® Administrator’s Guide Version Version 9.1 205 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
28771 TCP Used for heartbeat backups. Palo Alto Networks recommends
enabling heartbeat backup on the MGT interface if you use an in-
band port for the HA1 or the HA1 backup links.
PAN-OS® Administrator’s Guide Version Version 9.1 206 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
28443 TCP Used for managed devices (firewalls and Log Collectors) to
retrieve soware and content updates from Panorama.
28769 (5.1 TCP Used for the HA connecvity and synchronizaon between
and later) Panorama HA peers using clear text communicaon.
TCP
Communicaon can be iniated by either peer.
28260 (5.0
TCP
and later)
49160 (5.0
and earlier)
2049 TCP Used by the Panorama virtual appliance to write logs to the
NFS datastore.
23000 to TCP, UDP, or Used for Syslog communicaon between Panorama and
23999 SSL the Traps ESM components.
PAN-OS® Administrator’s Guide Version Version 9.1 207 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
4501 UDP Used for IPSec tunnel connecons between GlobalProtect apps
and gateways.
For ps on how to use a loopback interface to provide access to GlobalProtect on different ports
and addresses, refer to Can GlobalProtect Portal Page be Configured tobe Accessed on any Port?
389 TCP Port the firewall uses to connect to an LDAP server (plaintext or
Start Transport Layer Security (Start TLS) to Map Users to Groups.
3268 TCP Port the firewall uses to connect to an Acve Directory global
catalog server (plaintext or Start TLS) to Map Users to Groups.
636 TCP Port the firewall uses for LDAP over SSL connecons with an
LDAP server to Map Users to Groups.
3269 TCP Port the firewall uses for LDAP over SSL connecons with an
Acve Directory global catalog server to Map Users to Groups.
PAN-OS® Administrator’s Guide Version Version 9.1 208 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
514 TCP Port the User-ID agent listens on for authencaon syslog
messages if you Configure User-ID to Monitor Syslog Senders
6514 UDP
for User Mapping. The port depends on the type of agent and
SSL protocol:
• PAN-OS integrated User-ID agent—Port 6514 for SSL and port
514 for UDP.
• Windows-based User-ID agent—Port 514 for both TCP and
UDP.
5007 TCP Port the firewall listens on for user mapping informaon from
the User-ID or Terminal Services agent. The agent sends the IP
address and username mapping along with a mestamp whenever
it learns of a new or updated mapping. In addion, it connects to
the firewall at regular intervals to refresh known mappings.
5006 TCP Port the User-ID agent listens on for XML API requests. The
source for this communicaon is typically the system running a
script that invokes the API.
1812 UDP Port the User-ID agent uses to authencate to a RADIUS server.
135 TCP Port the User-ID agent uses to establish TCP-based WMI
connecons with the Microso Remote Procedure Call (RPC)
Endpoint Mapper. The Endpoint Mapper then assigns the agent
a randomly assigned port in the 49152-65535 port range. The
agent uses this connecon to make RPC queries for Exchange
Server or AD server security logs, session tables. This is also the
port used to access Terminal Servers.
The User-ID agent also uses this port to connect to client systems
to perform Windows Management Instrumentaon (WMI)
probing.
139 TCP Port the User-ID agent uses to establish TCP-based NetBIOS
connecons to the AD server so that it can send RPC queries for
security logs and session informaon.
The User-ID agent also uses this port to connect to client systems
for NetBIOS probing (supported on the Windows-based User-ID
agent only).
PAN-OS® Administrator’s Guide Version Version 9.1 209 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
445 TCP Port the User-ID agent uses to connect to the Acve Directory
(AD) using TCP-based SMB connecons to the AD server for
access to user logon informaon (print spooler and Net Logon).
5985 HTTP Port the User-ID agent uses to monitor security logs and session
informaon with the WinRM protocol over HTTP.
5986 HTTPS Port the User-ID agent uses to monitor security logs and session
informaon with the WinRM protocol over HTTPS.
PAN-OS® Administrator’s Guide Version Version 9.1 210 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
If your computer does not have a 9-pin serial port, use a USB-to-serial port
connector.
2. Enter your login credenals.
3. Enter the following CLI command:
debug system maintenance-mode
The firewall will reboot in the maintenance mode.
PAN-OS® Administrator’s Guide Version Version 9.1 211 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Kingston
• Kingston SE9 8GB (2.0)
• Kingston SE9 16GB (3.0)
• Kingston SE9 32GB (3.0)
SanDisk
• SanDisk Cruzer Fit CZ33 8GB (2.0)
• SanDisk Cruzer Fit CZ33 16GB (2.0)
• SanDisk Cruzer CZ36 16GB (2.0)
• SanDisk Cruzer CZ36 32GB (2.0)
• SanDisk Extreme CZ80 32GB (3.0)
Silicon Power
• Silicon Power Jewel 32GB (3.0)
• Silicon Power Blaze 16GB (3.0)
PNY
• PNY Aache 16GB (2.0)
PAN-OS® Administrator’s Guide Version Version 9.1 212 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
type=static type=dhcp-client
ip-address=10.5.107.19 ip-address=
default-gateway=10.5.107.1 default-gateway=
netmask=255.255.255.0 netmask=
ipv6-address=2001:400:f00::1/64 ipv6-address=
ipv6-default- ipv6-default-gateway=
gateway=2001:400:f00::2 hostname=Ca-FW-DC1
hostname=Ca-FW-DC1 panorama-server=10.5.107.20
panorama-server=10.5.107.20 panorama-server-2=10.5.107.21
panorama-server-2=10.5.107.21 tplname=FINANCE_TG4
tplname=FINANCE_TG4 dgname=finance_dg
dgname=finance_dg dns-primary=10.5.6.6
dns-primary=10.5.6.6 dns-secondary=10.5.6.7
dns-secondary=10.5.6.7 op-command-modes=multi-
op-command-modes=multi- vsys,jumbo-frame
vsys,jumbo-frame dhcp-send-hostname=yes
dhcp-send-hostname=no dhcp-send-client-id=yes
dhcp-send-client-id=no dhcp-accept-server-
dhcp-accept-server-hostname=no hostname=yes
dhcp-accept-server-domain=no dhcp-accept-server-domain=yes
The following table describes the fields in the init-cfg.txt file. The type is required; if the type is
stac, the IP address, default gateway and netmask are required, or the IPv6 address and IPv6
default gateway are required.
Field Descripon
ip-address (Required for IPv4 stac management address) IPv4 address. The
firewall ignores this field if the type is dhcp-client.
PAN-OS® Administrator’s Guide Version Version 9.1 213 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
Field Descripon
netmask (Required for IPv4 stac management address) IPv4 netmask. The
firewall ignores this field if the type is dhcp-client.
ipv6-address (Required for IPv6 stac management address) IPv6 address and /
prefix length of the management interface. The firewall ignores this
field if the type is dhcp-client.
dhcp-send-hostname (DHCP client type only) The DHCP server determines a value of yes
or no. If yes, the firewall sends its hostname to the DHCP server.
dhcp-send-client-id (DHCP client type only) The DHCP server determines a value of yes
or no. If yes, the firewall sends its client ID to the DHCP server.
dhcp-accept-server- (DHCP client type only) The DHCP server determines a value of
hostname yes or no. If yes, the firewall accepts its hostname from the DHCP
server.
dhcp-accept-server- (DHCP client type only) The DHCP server determines a value of
domain yes or no. If yes, the firewall accepts its DNS server from the DHCP
server.
PAN-OS® Administrator’s Guide Version Version 9.1 214 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
STEP 3 | Acvate authorizaon codes on the Customer Support portal, which creates license keys.
1. Go to support.paloaltonetworks.com, log in, and select the Assets > Devices on the le-
hand navigaon pane.
2. For each device S/N you just registered, click the Acon link (the pencil icon).
3. Under Acvate Licenses, select Acvate Auth-Code.
4. Enter the Authorizaon code and click Agree and Submit.
If the init-cfg.txt file is missing, the bootstrap process will fail and the firewall will boot
up with the default configuraon in the normal boot-up sequence.
There are no spaces between the key and value in each field; do not add spaces because they
cause failures during parsing on the management server side.
You can have mulple init-cfg.txt files—one each for different remote sites—by prepending the
S/N to the file name. For example:
0008C200105-init-cfg.txt
0008C200107-init-cfg.txt
If no prepended filename is present, the firewall uses the init-cfg.txt file and proceeds with
bootstrapping.
PAN-OS® Administrator’s Guide Version Version 9.1 215 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
STEP 7 | Create and download the bootstrap bundle from the Customer Support portal.
For a physical firewall, the bootstrap bundle requires only the /license and /config directories.
Use one of the following methods to create and download the bootstrap bundle:
• Use Method 1 to create a bootstrap bundle specific to a remote site (you have only one init-
cfg.txt file).
• Use Method 2 to create one bootstrap bundle for mulple sites.
Method 1
1. On your local system, go to support.paloaltonetworks.com and log in.
2. Select Assets.
3. Select the S/N of the firewall you want to bootstrap.
4. Select Bootstrap Container.
5. Click Select.
6. Upload and Open the init-cfg.txt file you created.
7. (Oponal) Select the bootstrap.xml file you created and Upload Files.
You must use a bootstrap.xml file from a firewall of the same model and PAN-OS
version.
8. Select Bootstrap Container Download to download a tar.gz file named bootstrap_<S/
N>_<date>.tar.gz to your local system. This bootstrap container includes the license
keys associated with the S/N of the firewall.
Method 2
Create a tar.gz file on your local system with two top-level directories: /license and /config.
Include all licenses and all init-cfg.txt files with S/Ns prepended to the filenames.
The license key files you download from the Customer Support portal have the S/N in the
license file name. PAN-OS checks the S/N in the file name against the firewall S/N while
execung the bootstrap process.
PAN-OS® Administrator’s Guide Version Version 9.1 216 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
STEP 8 | Import the tar.gz file you created (to a firewall running a PAN-OS 7.1.0 or later image) using
Secure Copy (SCP) or TFTP.
Access the CLI and enter one of the following commands:
• tftp import bootstrap-bundle file <path and filename> from <host IP
address>
For example:
tftp import bootstrap-bundle file /home/userx/bootstrap/devices/
pa5000.tar.gz from 10.1.2.3
• scp import bootstrap-bundle from <<user>@<host>:<path to file>>
For example:
scp import bootstrap-bundle from userx@10.1.2.3:/home/userx/
bootstrap/devices/pa200_bootstrap_bundle.tar.gz
Microso Windows and Apple Mac operang systems are unable to read the bootstrap
USB flash drive because the drive is formaed using an ext4 file system. You must install
third-party soware or use a Linux system to read the USB drive.
STEP 1 | The firewall must be in a factory default state or must have all private data deleted.
PAN-OS® Administrator’s Guide Version Version 9.1 217 ©2021 Palo Alto Networks, Inc.
Firewall Administraon
STEP 2 | To ensure connecvity with your corporate headquarters, cable the firewall by connecng
the management interface (MGT) using an Ethernet cable to one of the following:
• An upstream modem
• A port on the switch or router
• An Ethernet jack in the wall
STEP 3 | Insert the USB flash drive into the USB port on the firewall and power on the firewall. The
factory default firewall bootstraps itself from the USB flash drive.
The firewall Status light turns from yellow to green when the firewall is configured; autocommit
is successful.
STEP 4 | Verify bootstrap compleon. You can see basic status logs on the console during the
bootstrap and you can verify that the process is complete.
1. If you included Panorama values (panorama-server, tplname, and dgname) in your init-
cfg.txt file, check Panorama managed devices, device group, and template name.
2. Verify the general system sengs and configuraon by accessing the web interface and
selecng Dashboard > Widgets > System or by using the CLI operaonal commands
show system info and show config running.
3. Verify the license installaon by selecng Device > Licenses or by using the CLI
operaonal command request license info.
4. If you have Panorama configured, manage the content versions and soware versions
from Panorama. If you do not have Panorama configured, use the web interface to
manage content versions and soware versions.
PAN-OS® Administrator’s Guide Version Version 9.1 218 ©2021 Palo Alto Networks, Inc.
Authencaon
Authencaon is a method for protecng services and applicaons by verifying the
idenes of users so that only legimate users have access. Several firewall and
Panorama features require authencaon. Administrators authencate to access the
web interface, CLI, or XML API of the firewall and Panorama. End users authencate
through Capve Portal or GlobalProtect to access various services and applicaons.
You can choose from several authencaon services to protect your network and
to accommodate your exisng security infrastructure while ensuring a smooth user
experience.
If you have a public key infrastructure, you can deploy cerficates to enable
authencaon without users having to manually respond to login challenges (see
Cerficate Management). Alternavely, or in addion to cerficates, you can
implement interacve authencaon, which requires users to authencate using
one or more methods. The following topics describe how to implement, test, and
troubleshoot the different types of interacve authencaon:
> Authencaon Types > Configure LDAP Authencaon
> Plan Your Authencaon > Connecon Timeouts for
Deployment Authencaon Servers
> Configure Mul-Factor > Configure Local Database
Authencaon Authencaon
> Configure SAML Authencaon > Configure an Authencaon Profile
> Configure Kerberos Single Sign-On and Sequence
219
Authencaon
Authencaon Types
• External Authencaon Services
• Mul-Factor Authencaon
• SAML
• Kerberos
• TACACS+
• RADIUS
• LDAP
• Local Authencaon
Mul-Factor Authencaon
You can Configure Mul-Factor Authencaon (MFA) to ensure that each user authencates using
mulple methods (factors) when accessing highly sensive services and applicaons. For example,
you can force users to enter a login password and then enter a verificaon code that they receive
by phone before allowing access to important financial documents. This approach helps to prevent
aackers from accessing every service and applicaon in your network just by stealing passwords.
PAN-OS® Administrator’s Guide Version Version 9.1 220 ©2021 Palo Alto Networks, Inc.
Authencaon
Of course, not every service and applicaon requires the same degree of protecon, and MFA
might not be necessary for less sensive services and applicaons that users access frequently.
To accommodate a variety of security needs, you can Configure Authencaon Policy rules that
trigger MFA or a single authencaon factor (such as login credenals or cerficates) based on
specific services, applicaons, and end users.
When choosing how many and which types of authencaon factors to enforce, it’s important
to understand how policy evaluaon affects the user experience. When a user requests a
service or applicaon, the firewall first evaluates Authencaon policy. If the request matches
an Authencaon policy rule with MFA enabled, the firewall displays a Capve Portal web
form so that users can authencate for the first factor. If authencaon succeeds, the firewall
displays an MFA login page for each addional factor. Some MFA services prompt the user
to choose one factor out of two to four, which is useful when some factors are unavailable. If
authencaon succeeds for all factors, the firewall evaluates Security policy for the requested
service or applicaon.
To reduce the frequency of authencaon challenges that interrupt the user workflow, you
can configure the first factor to use Kerberos or SAML single sign-on (SSO) but not NT
LAN Manager (NTLM) authencaon.
To implement MFA for GlobalProtect, refer to Configure GlobalProtect to facilitate mul-
factor authencaon noficaons.
You cannot use MFA authencaon profiles in authencaon sequences.
For end-user authencaon via Authencaon Policy, the firewall directly integrates with several
MFA plaorms (Duo v2, Okta Adapve, PingID, and RSA SecurID), as well as integrang through
RADIUS or SAML for all other MFA plaorms. For remote user authencaon to GlobalProtect
portals and gateways and for administrator authencaon to the Panorama and PAN-OS web
interface, the firewall integrates with MFA vendors using RADIUS and SAML only.
The firewall supports the following MFA factors:
Factor Descripon
Short message An SMS message on the endpoint device prompts the user to allow
service (SMS) or deny authencaon. In some cases, the endpoint device provides a
code that the user must enter in the MFA login page.
PAN-OS® Administrator’s Guide Version Version 9.1 221 ©2021 Palo Alto Networks, Inc.
Authencaon
SAML
You can use Security Asseron Markup Language (SAML) 2.0 to authencate administrators
who access the firewall or Panorama web interface and end users who access web applicaons
that are internal or external to your organizaon. In environments where each user accesses
many applicaons and authencang for each one would impede user producvity, you can
configure SAML single sign-on (SSO) to enable one login to access mulple applicaons. Likewise,
SAML single logout (SLO) enables a user to end sessions for mulple applicaons by logging
out of just one session. SSO is available to administrators who access the web interface and
to end users who access applicaons through GlobalProtect or Capve Portal. SLO is available
to administrators and GlobalProtect end users, but not to Capve Portal end users. When you
configure SAML authencaon on the firewall or on Panorama, you can specify SAML aributes
for administrator authorizaon. SAML aributes enable you to quickly change the roles, access
domains, and user groups of administrators through your directory service, which is oen easier
than reconfiguring sengs on the firewall or Panorama.
Administrators cannot use SAML to authencate to the CLI on the firewall or Panorama.
You cannot use SAML authencaon profiles in authencaon sequences.
SAML authencaon requires a service provider (the firewall or Panorama), which controls access
to applicaons, and an identy provider (IdP) such as PingFederate, which authencates users.
When a user requests a service or applicaon, the firewall or Panorama intercepts the request and
redirects the user to the IdP for authencaon. The IdP then authencates the user and returns
a SAML asseron, which indicates authencaon succeeded or failed. SAML Authencaon
for Capve Portal End Users illustrates SAML authencaon for an end user who accesses
applicaons through Capve Portal.
Kerberos
Kerberos is an authencaon protocol that enables a secure exchange of informaon between
pares over an insecure network using unique keys (called ckets) to idenfy the pares. The
PAN-OS® Administrator’s Guide Version Version 9.1 222 ©2021 Palo Alto Networks, Inc.
Authencaon
firewall and Panorama support two types of Kerberos authencaon for administrators and end
users:
• Kerberos server authencaon—A Kerberos server profile enables users to navely
authencate to an Acve Directory domain controller or a Kerberos V5-compliant
authencaon server. This authencaon method is interacve, requiring users to enter
usernames and passwords. For the configuraon steps, see Configure Kerberos Server
Authencaon.
• Kerberos single sign-on (SSO)—A network that supports Kerberos V5 SSO prompts a user to
log in only for inial access to the network (such as logging in to Microso Windows). Aer this
inial login, the user can access any browser-based service in the network (such as the firewall
web interface) without having to log in again unl the SSO session expires. (Your Kerberos
administrator sets the duraon of SSO sessions.) If you enable both Kerberos SSO and another
external authencaon service (such as a TACACS+ server), the firewall first tries SSO and, only
if that fails, falls back to the external service for authencaon. To support Kerberos SSO, your
network requires:
• A Kerberos infrastructure, including a key distribuon center (KDC) with an authencaon
server (AS) and cket-granng service (TGS).
• A Kerberos account for the firewall or Panorama that will authencate users. An account
is required to create a Kerberos keytab, which is a file that contains the principal name and
hashed password of the firewall or Panorama. The SSO process requires the keytab.
For the configuraon steps, see Configure Kerberos Single Sign-On.
Kerberos SSO is available only for services and applicaons that are internal to your
Kerberos environment. To enable SSO for external services and applicaons, use SAML.
TACACS+
Terminal Access Controller Access-Control System Plus (TACACS+) is a family of protocols
that enable authencaon and authorizaon through a centralized server. TACACS+ encrypts
usernames and passwords, making it more secure than RADIUS, which encrypts only passwords.
TACACS+ is also more reliable because it uses TCP, whereas RADIUS uses UDP. You can configure
TACACS+ authencaon for end users or administrators on the firewall and for administrators
on Panorama. Oponally, you can use TACACS+ Vendor-Specific Aributes (VSAs) to manage
administrator authorizaon. TACACS+ VSAs enable you to quickly change the roles, access
domains, and user groups of administrators through your directory service instead of reconfiguring
sengs on the firewall and Panorama.
The firewall and Panorama support the following TACACS+ aributes and VSAs. Refer to your
TACACS+ server documentaon for the steps to define these VSAs on the TACACS+ server.
Name Value
PAN-OS® Administrator’s Guide Version Version 9.1 223 ©2021 Palo Alto Networks, Inc.
Authencaon
Name Value
RADIUS
Remote Authencaon Dial-In User Service (RADIUS) is a broadly supported networking
protocol that provides centralized authencaon and authorizaon. You can configure RADIUS
authencaon for end users or administrators on the firewall and for administrators on Panorama.
Oponally, you can use RADIUS Vendor-Specific Aributes (VSAs) to manage administrator
authorizaon. RADIUS VSAs enable you to quickly change the roles, access domains, and user
groups of administrators through your directory service instead of reconfiguring sengs on the
firewall and Panorama. You can also configure the firewall to use a RADIUS server for:
• Collecng VSAs from GlobalProtect endpoints.
• Implemenng Mul-Factor Authencaon.
When sending authencaon requests to a RADIUS server, the firewall and Panorama use the
authencaon profile name as the network access server (NAS) idenfier, even if the profile is
assigned to an authencaon sequence for the service (such as administrave access to the web
interface) that iniates the authencaon process.
The firewall and Panorama support the following RADIUS VSAs. To define VSAs on a RADIUS
server, you must specify the vendor code (25461 for Palo Alto Networks firewalls or Panorama)
and the VSA name and number. Some VSAs also require a value. Refer to your RADIUS server
documentaon for the steps to define these VSAs.
Alternavely, you can download the Palo Alto Networks RADIUS diconary, which defines
the authencaon aributes that the Palo Alto Networks firewall and a RADIUS server use to
PAN-OS® Administrator’s Guide Version Version 9.1 224 ©2021 Palo Alto Networks, Inc.
Authencaon
communicate with each other, and install it on your RADIUS server to map the aributes to the
RADIUS binary data.
When you predefine dynamic administrator roles for users on the server, use lower-case to
specify the role (for example, enter superuser, not SuperUser).
When configuring the advanced vendor opons on a Cisco Secure Access Control Server
(ACS), you must set both the Vendor Length Field Size and Vendor Type Field Size to 1.
Otherwise, authencaon will fail.
PaloAlto-Client-OS 8
PaloAlto-Client-Hostname 9
PaloAlto-GlobalProtect-Client- 10
Version
PAN-OS® Administrator’s Guide Version Version 9.1 225 ©2021 Palo Alto Networks, Inc.
Authencaon
LDAP
Lightweight Directory Access Protocol (LDAP) is a standard protocol for accessing informaon
directories. You can Configure LDAP Authencaon for end users and for firewall and Panorama
administrators.
Configuring the firewall to connect to an LDAP server also enables you to define policy rules
based on users and user groups instead of just IP addresses. For the steps, see Map Users to
Groups and Enable User- and Group-Based Policy.
Local Authencaon
Although the firewall and Panorama provide local authencaon for administrators and end
users, External Authencaon Services are preferable in most cases because they provide
central account management. However, you might require special user accounts that you don’t
manage through the directory servers that your organizaon reserves for regular accounts. For
example, you might define a superuser account that is local to the firewall so that you can access
the firewall even if the directory server is down. In such cases, you can use the following local
authencaon methods:
• (Firewall only) Local database authencaon—To Configure Local Database Authencaon,
you create a database that runs locally on the firewall and contains user accounts (usernames
and passwords or hashed passwords) and user groups. This type of authencaon is useful
for creang user accounts that reuse the credenals of exisng Unix accounts in cases where
you know only the hashed passwords, not the plaintext passwords. Because local database
authencaon is associated with authencaon profiles, you can accommodate deployments
where different sets of users require different authencaon sengs, such as Kerberos
single sign-on (SSO) or Mul-Factor Authencaon (MFA). (For details, see Configure an
Authencaon Profile and Sequence). For administrator accounts that use an authencaon
profile, password complexity and expiraon sengs are not applied. This authencaon
method is available to administrators who access the firewall (but not Panorama) and end users
who access services and applicaons through Capve Portal or GlobalProtect.
• Local authencaon without a database—You can configure firewall administrave accounts
or Panorama administrave accounts without creang a database of users and user groups
that runs locally on the firewall or Panorama. Because this method is not associated with
authencaon profiles, you cannot combine it with Kerberos SSO or MFA. However, this is
the only authencaon method that allows password profiles, which enable you to associate
individual accounts with password expiraon sengs that differ from the global sengs. (For
details, see Define password complexity and expiraon sengs)
PAN-OS® Administrator’s Guide Version Version 9.1 226 ©2021 Palo Alto Networks, Inc.
Authencaon
PAN-OS® Administrator’s Guide Version Version 9.1 227 ©2021 Palo Alto Networks, Inc.
Authencaon
your most sensive services and applicaons, you can configure Mul-Factor Authencaon
(MFA) to ensure that each user authencates using mulple methods (factors) when accessing
those services and applicaons. To accommodate a variety of security needs, Configure
Authencaon Policy rules that trigger MFA or single factor authencaon (such as login
credenals or cerficates) based on specific services, applicaons, and end users. Other ways
to reduce your aack surface include network segmentaon and user groups for allowed
applicaons.
For administrators only, consider:
Do you use an external server to centrally manage authorizaon for all administrave
accounts? By defining Vendor-Specific Aributes (VSAs) on the external server, you can quickly
change administrave role assignments through your directory service instead of reconfiguring
sengs on the firewall. VSAs also enable you to specify access domains for administrators
of firewalls with mulple virtual systems. SAML, TACACS+, and RADIUS support external
authorizaon.
PAN-OS® Administrator’s Guide Version Version 9.1 228 ©2021 Palo Alto Networks, Inc.
Authencaon
Palo Alto Networks provides support for MFA vendors through Applicaons content
updates. This means that if you use Panorama to push device group configuraons
to firewalls, you must install the same Applicaons updates on the firewalls as on
Panorama to avoid mismatches in vendor support.
MFA vendor API integraons are supported for end-user authencaon through
Authencaon Policy only. For remote user authencaon to GlobalProtect portals or
gateways or for administrator authencaon to the PAN-OS or Panorama web interface,
you can only use MFA vendors supported through RADIUS or SAML; MFA services through
vendor APIs are not supported in these use cases.
STEP 1 | Configure Capve Portal in Redirect mode to display a web form for the first authencaon
factor, to record authencaon mestamps, and to update user mappings.
STEP 2 | Configure one of the following server profiles to define how the firewall will connect to the
service that authencates users for the first authencaon factor.
• Add a RADIUS server profile. This is required if the firewall integrates with an MFA
vendor through RADIUS. In this case, the MFA vendor provides the first and all addional
authencaon factors, so you can skip the next step (configuring an MFA server profile).
If the firewall integrates with an MFA vendor through an API, you can sll use a RADIUS
server profile for the first factor but MFA server profiles are required for the addional
factors.
• Add a SAML IdP server profile.
• Add a Kerberos server profile.
• Add a TACACS+ server profile.
• Add an LDAP server profile.
In most cases, an external service is recommended for the first authencaon factor.
However, you can configure Configure Local Database Authencaon as an
alternave.
PAN-OS® Administrator’s Guide Version Version 9.1 229 ©2021 Palo Alto Networks, Inc.
Authencaon
through vendor APIs. You can specify up to three addional factors. Each MFA vendor provides
one factor, though some vendors let users choose one factor out of several.
1. Select Device > Server Profiles > Mul Factor Authencaon and Add a profile.
2. Enter a Name to idenfy the MFA server.
3. Select the Cerficate Profile that the firewall will use to validate the MFA server
cerficate when establishing a secure connecon to the MFA server.
4. Select the MFA Vendor you deployed.
5. Configure the Value of each vendor aribute.
The aributes define how the firewall connects to the MFA server. Each vendor Type
requires different aributes and values; refer to your vendor documentaon for details.
6. Click OK to save the profile.
If you set the Authencaon Method to browser-challenge, the Capve Portal web
form displays only if Kerberos SSO authencaon fails. Otherwise, authencaon for
the first factor is automac; users won’t see the web form.
PAN-OS® Administrator’s Guide Version Version 9.1 230 ©2021 Palo Alto Networks, Inc.
Authencaon
PAN-OS® Administrator’s Guide Version Version 9.1 231 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 8 | Configure a Security policy rule that allows users to access the services and applicaons that
require authencaon.
1. Create a Security Policy Rule.
2. Commit your changes.
PAN-OS® Administrator’s Guide Version Version 9.1 232 ©2021 Palo Alto Networks, Inc.
Authencaon
(OTP) authencaon method. If you select push, your phone prompts you to approve the
authencaon.
The Palo Alto Networks next-generaon firewall integrates with the RSA SecurID Access
Cloud Authencaon Service. The MFA API integraon with RSA SecurID is supported
for cloud-based services only and does not support two-factor authencaon for the on-
premise Authencaon Manager when the second factor uses the Vendor Specific API.
The minimum content version required for this integraon is 752 and PAN-OS 8.0.2.
PAN-OS® Administrator’s Guide Version Version 9.1 233 ©2021 Palo Alto Networks, Inc.
Authencaon
Console and configure the RSA Access ID, the authencaon service URL, and the client API key
that the firewall needs to authencate to and interact with the service. The firewall also needs the
Access Policy ID that uses either the RSA Approve or RSA Tokencode authencaon method to
authencate to the identy source.
Generate the RSA SecurID API key—Log on to RSA SecurID Access Console and select My
Account > Company Sengs > Authencaon API Keys. Add a new key and then Save
Sengs and Publish Changes.
Get the RSA SecurID Access endpoint API (Authencaon Service Domain) to which the
firewall must connect—Select Plaorm > Identy Routers, pick an Identy Router to Edit
and jot down the Authencaon Service Domain. In this example it is hps://rsaready.auth-
demo.auth.
Get the Access Policy ID—Select Access > Policies and jot down the name of the access policy
that will allow the firewall to act as an authencaon client to the RSA SecurID service. The
PAN-OS® Administrator’s Guide Version Version 9.1 234 ©2021 Palo Alto Networks, Inc.
Authencaon
policy must be configured to use either the RSA Approve or the RSA Tokencode authencaon
methods only.
STEP 2 | Configure Capve Portal (Device > User Idenficaon > Capve Portal Sengs) in Redirect
mode to display a web form for authencang to RSA SecureID. Make sure to specify the
PAN-OS® Administrator’s Guide Version Version 9.1 235 ©2021 Palo Alto Networks, Inc.
Authencaon
Redirect Host as an IP address or a hostname (with no periods in its name) that resolves to
the IP address of the Layer 3 interface on the firewall to which web requests are redirected.
PAN-OS® Administrator’s Guide Version Version 9.1 236 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 3 | Configure a mul-factor authencaon server profile to specify how the firewall must
connect with the RSA SecurID cloud service (Device > Server Profiles > Mul Factor
Authencaon and click Add).
1. Enter a Name to idenfy the MFA server profile.
2. Select the Cerficate Profile that you created earlier, rsa-cert-profile in this example. The
firewall will use this cerficate when establishing a secure connecon with RSA SecurID
cloud service.
3. In the MFA Vendor drop-down, select RSA SecurID Access.
4. Configure the Value for each aribute that you noted in Get the RSA SecurID Access
Cloud Authencaon Service Details:
• API Host—Enter the hostname or IP address of the RSA SecurID Access API endpoint
to which the firewall must connect, rsaready.auth-demo.auth in this example.
• Base URI —Do not modify the default value (/mfa/v1_1)
• Client Key—Enter the RSA SecurID Client Key.
• Access ID—Enter the RSA SecurID Access ID.
• Assurance Policy—Enter the RSA SecurID Access Policy name, mfa-policy in this
example.
• Timeout—The default is 30 seconds.
PAN-OS® Administrator’s Guide Version Version 9.1 237 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 4 | Configure an authencaon profile (Device > Authencaon Profile and click Add).
The profile defines the order of the authencaon factors that users must respond to.
1. Select the Type for the first authencaon factor and select the corresponding Server
Profile.
2. Select Factors, Enable Addional Authencaon Factors, and Add the rsa-mfa server
profile you created earlier in this example.
STEP 5 | Configure an authencaon enforcement object. (Objects > Authencaon and click Add).
Make sure to select the authencaon profile you just defined called RSA in this example.
STEP 6 | Configure an Authencaon policy rule. (Policies > Authencaon and click Add)
Your authencaon policy rule must match the services and applicaons you want to protect,
specify the users who must authencate, and include the authencaon enforcement object
that triggers the authencaon profile. In this example, RSA SecurID Access authencates all
users who accessing HTTP, HTTPS, SSH, and VNC traffic with the authencaon enforcement
object called RSA Auth Enforcement (in Acons, select the Authencaon Enforcement
object).
PAN-OS® Administrator’s Guide Version Version 9.1 238 ©2021 Palo Alto Networks, Inc.
Authencaon
PAN-OS® Administrator’s Guide Version Version 9.1 239 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 8 | Verify that users on your network are being secured using RSA SecurID using the Push or
PIN Code authencaon method you enabled.
1. Push authencaon
1. Ask a user on your network to launch a web browser and access a website. The
Capve Portal page with the IP address or hostname for the Redirect Host you
defined earlier should display.
2. Verify that the user enters the credenals for the first authencaon factor and then
connues to the secondary authencaon factor, and selects Push.
3. Check for a Sign-In request on the RSA SecurID Access applicaon on the user’s
mobile device.
4. Ask the user to Accept the Sign-In Request on the mobile device, and wait for a few
seconds for the firewall to receive the noficaon of successful authencaon. The
user should be able to access the requested website.
PAN-OS® Administrator’s Guide Version Version 9.1 240 ©2021 Palo Alto Networks, Inc.
Authencaon
3. Check that a PIN Code displays on the RSA SecurID Access applicaon on the user’s
mobile device.
PAN-OS® Administrator’s Guide Version Version 9.1 241 ©2021 Palo Alto Networks, Inc.
Authencaon
4. Ask the user to copy the PIN code in the Enter the PIN... prompt of the web browser
and click Submit. Wait for a few seconds for the firewall to receive the noficaon of
successful authencaon. The user should be able to access the requested website.
Configure Okta
Log in to the Okta Admin Portal to create your user accounts, define your Okta MFA policy, and
obtain the token informaon required to configure MFA with Okta on the firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 242 ©2021 Palo Alto Networks, Inc.
Authencaon
3. Create a new password that includes at least 8 characters, one lowercase leer, one
uppercase leer, a number, and does not include any part of your username.
4. Select a password reminder queson and enter the answer.
5. Select a security image, then Create My Account.
PAN-OS® Administrator’s Guide Version Version 9.1 243 ©2021 Palo Alto Networks, Inc.
Authencaon
If you log in and are not redirected to the Okta Admin Portal, select Admin at the upper
right.
1. From the Okta Dashboard, log in with your Okta Admin credenals, then select
Applicaons > Applicaons.
PAN-OS® Administrator’s Guide Version Version 9.1 244 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 3 | Create one or more user groups to categorize your users (for example, by device, by policy, or
by department) and assign the Okta Verify applicaon.
1. Select Directory > Groups.
3. Enter a group Name and oponally a Group Descripon, then Add Group.
The default group Everyone includes all users configured for your organizaon
during the first step in Configure Okta.
4. Select the group you created, then select Manage Apps.
5. Assign the Okta Verify applicaon you added in Step 2.
PAN-OS® Administrator’s Guide Version Version 9.1 245 ©2021 Palo Alto Networks, Inc.
Authencaon
2. Enter the user’s First Name, Last Name, and Username. The username must match the
Primary email, which populates automacally, and the username entered on the firewall.
You can oponally enter an alternate email address for the user as the Secondary Email.
3. Enter the name of the group or Groups to associate with this user. When you start
typing, the group name populates automacally.
4. Check Send user acvaon email now, then Save to add a single user or Save and Add
Another to connue adding users.
PAN-OS® Administrator’s Guide Version Version 9.1 246 ©2021 Palo Alto Networks, Inc.
Authencaon
PAN-OS® Administrator’s Guide Version Version 9.1 247 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 6 | Record the Okta authencaon token informaon in a safe place because it is only displayed
once.
1. Select Security > API > Tokens.
2. Select Create Token.
5. In the URL for the Okta Admin Dashboard, copy the poron of the URL aer https://
up to /admin to use as the API host.
6. Omit the domain okta.com from this URL to use as the Organizaon.
PAN-OS® Administrator’s Guide Version Version 9.1 248 ©2021 Palo Alto Networks, Inc.
Authencaon
For example, in the example Okta Admin Dashboard URL above, https://
paloaltonetworks-doc-admin.okta.com/admin/dashboard:
• The API hostname is paloaltonetworks-doc-admin.okta.com.
• The Organizaon is paloaltonetworks-doc-admin.
STEP 7 | Export all cerficates in the cerficate chain using Base-64 encoding:
1. Depending on your browser, use one of the following methods to export all cerficates
in the chain.
• Chrome—Press F12, then select Security > View Cerficate > Details > Copy to File.
• Firefox—Select Opons > Privacy & Security > View Cerficates > Export.
• Internet Explorer—Select Sengs > Internet Opons > Content > Cerficates >
Export.
2. Use the Cerficate Export Wizard to export all cerficates in the chain and select
Base-64 encoded X.509 as the format.
PAN-OS® Administrator’s Guide Version Version 9.1 249 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 3 | Configure Capve Portal using Redirect Mode to redirect users to the MFA vendor’s
challenge.
STEP 4 | Enable response pages on the Interface Management Profile to redirect users to the response
page challenge.
PAN-OS® Administrator’s Guide Version Version 9.1 250 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 5 | Create an Authencaon Profile and add the MFA vendor as a Factor (see Configure Mul-
Factor Authencaon, Step 3.)
STEP 6 | Enable User-ID on the source zone to require idenfied users to respond to the challenge
using your MFA vendor.
STEP 7 | Create an Authencaon Enforcement Object to use the MFA vendor and create an
Authencaon policy rule (see Configure Authencaon Policy, Steps 4 and 5).
If you are using a self-signed cerficate instead of a PKI-assigned cerficate from your
organizaon, a security warning displays that users must click through to access the
challenge.
STEP 5 | Confirm users can successfully access the page aer authencang the challenge by
accepng the push noficaon on their devices.
PAN-OS® Administrator’s Guide Version Version 9.1 251 ©2021 Palo Alto Networks, Inc.
Authencaon
• Two-factor authencaon for VPN logins using the GlobalProtect Gateway and a RADIUS
server profile (supported on PAN-OS 7.0 and later).
• API-based integraon using Capve Portal and an MFA server profile (does not require a Duo
Authencaon Proxy or SAML IdP - supported on PAN-OS 8.0 and later).
• SAML integraon for on-premise servers (supported on PAN-OS 8.0 and later).
To enable SAML MFA between the firewall and Duo to secure administrave access to the
firewall:
• Configure Duo for SAML MFA with Duo Access Gateway
• Configure the Firewall to Integrate with Duo
• Verify MFA with Duo
PAN-OS® Administrator’s Guide Version Version 9.1 252 ©2021 Palo Alto Networks, Inc.
Authencaon
PAN-OS® Administrator’s Guide Version Version 9.1 253 ©2021 Palo Alto Networks, Inc.
Authencaon
PAN-OS® Administrator’s Guide Version Version 9.1 254 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 4 | Upload the configuraon file to the Duo Access Gateway (DAG).
1. In the DAG admin console, select Applicaons.
2. Click Choose File and select the configuraon file you downloaded, then Upload it.
3. In Sengs > Session Management, disable User agent binding, then Save Sengs.
PAN-OS® Administrator’s Guide Version Version 9.1 255 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 5 | In the DAG admin console, configure your Acve Directory or OpenLDAP server as the
authencaon source and download the metadata file.
1. Log in to the DAG admin console.
2. In Authencaon Source > Set Acve Source, select your Source type (Acve Directory
or OpenLDAP) and Set Acve Source.
3. In Configure Sources, enter the Aributes.
• For Acve Directory, enter
mail,sAMAccountName,userPrincipalName,objectGUID.
• For OpenLDAP, enter mail,uid.
• For any custom aributes, append them to the end of the list and separate each
aribute with a comma. Do not delete any exisng aributes.
4. Save Sengs to save the configuraon.
5. Select Applicaons > Metadata, then click Download XML metadata to download the
XML metadata you will need to import into the firewall.
The file will be named dag.xml. Because this file includes sensive informaon to
authencate your Duo account with the firewall, make sure to keep the file in a secure
locaon to avoid the risk of compromising this informaon.
PAN-OS® Administrator’s Guide Version Version 9.1 256 ©2021 Palo Alto Networks, Inc.
Authencaon
PAN-OS® Administrator’s Guide Version Version 9.1 257 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 3 | Specify the authencaon sengs that the firewall uses for SAML authencaon with Duo.
1. Select Device > Setup > Management and edit the Authencaon Sengs.
2. Select Duo Access Gateway as the Authencaon Profile, then click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 258 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 4 | Add accounts for administrators who will authencate to the firewall using Duo.
1. Select Device > Administrators and Add an account.
2. Enter a user Name.
3. Select Duo Access Gateway as the Authencaon Profile.
4. Select the Administrator Type, then click OK.
Select Role Based if you want to use a custom role for the user. Otherwise, select
Dynamic. To require administrators to log in using SSO with Duo, assign the
authencaon profile to all current administrators.
STEP 3 | Enter your login credenals on the Duo Access Gateway login page.
STEP 4 | Select an authencaon method (push noficaon, phone call, or passcode entry).
When you authencate successfully, you will be redirected to the firewall web interface.
PAN-OS® Administrator’s Guide Version Version 9.1 259 ©2021 Palo Alto Networks, Inc.
Authencaon
SSO is available to administrators and to GlobalProtect and Capve Portal end users. SLO
is available to administrators and GlobalProtect end users, but not to Capve Portal end
users.
Administrators can use SAML to authencate to the firewall web interface, but not to the
CLI.
STEP 1 | Obtain the cerficates that the IdP and firewall will use to sign SAML messages.
If the cerficates don’t specify key usage aributes, all usages are allowed by default, including
signing messages. In this case, you can Obtain Cerficates by any method.
If the cerficates do specify key usage aributes, one of the aributes must be Digital
Signature, which is not available on cerficates that you generate on the firewall or Panorama.
In this case, you must import the cerficates:
• Cerficate the firewall uses to sign SAML messages—Import the cerficate from your
enterprise cerficate authority (CA) or a third-party CA.
• Cerficate the IdP uses to sign SAML messages (Required for all deployments)—Import a
metadata file containing the cerficate from the IdP (see the next step). The IdP cerficate is
limited to the following algorithms:
Public key algorithms—RSA (1,024 bits or larger) and ECDSA (all sizes). A firewall in FIPS/CC
mode supports RSA (2,048 bits or larger) and ECDSA (all sizes).
Signature algorithms—SHA1, SHA256, SHA384, and SHA512. A firewall in FIPS/CC mode
supports SHA256, SHA384, and SHA512.
PAN-OS® Administrator’s Guide Version Version 9.1 260 ©2021 Palo Alto Networks, Inc.
Authencaon
If the IdP doesn’t provide a metadata file, select Device > Server Profiles > SAML
Identy Provider, Add the server profile, and manually enter the informaon (consult
your IdP administrator for the values).
1. Export the SAML metadata file from the IdP to a client system from which you can
upload the metadata to the firewall.
The cerficate specified in the file must meet the requirements listed in the preceding
step. Refer to your IdP documentaon for instrucons on exporng the file.
2. Select Device > Server Profiles > SAML Identy Provider or Panorama > Server Profiles
> SAML Identy Provider on Panorama™ and Import the metadata file onto the firewall.
3. Enter a Profile Name to idenfy the server profile.
4. Browse to the Identy Provider Metadata file.
5. Select Validate Identy Provider Cerficate (default) to validate the chain of trust and
oponally the revocaon status of the IdP cerficate.
To enable this opon, a Cerficate Authority (CA) must issue your IdP’s signing
cerficate. You must create a Cerficate Profile that has the CA that issued the IdP’s
signing cerficate. In the Authencaon Profile, select the SAML Server profile and
Cerficate Profile to validate the IdP cerficate.
If your IdP signing cerficate is a self-signed cerficate, there is no chain of trust; as
a result, you cannot enable this opon. The firewall always validates the signature of
the SAML Responses or Asserons against the Identy Provider cerficate that you
configure whether or not you enable the Validate Identy Provider Cerficate opon. If
your IdP provides a self-signed cerficate, ensure that you are using PAN-OS 9.1.3 or a
later 9.1 version to migate exposure to CVE-2020-2021.
PAN-OS® Administrator’s Guide Version Version 9.1 261 ©2021 Palo Alto Networks, Inc.
Authencaon
When you predefine dynamic administrator roles for users, use lower-case to
specify the role (for example, enter superreader, not SuperReader). If you
manage administrator authorizaon in the IdP identy store, specify the Admin
Role Aribute and Access Domain Aribute also.
9. Select Advanced and Add the users and user groups that are allowed to authencate
with this authencaon profile.
10. Click OK to save the authencaon profile.
STEP 4 | Assign the authencaon profile to firewall applicaons that require authencaon.
1. Assign the authencaon profile to:
• Administrator accounts that you manage locally on the firewall. In this example,
Configure a Firewall Administrator Account before you verify the SAML configuraon
later in this procedure.
• Administrator accounts that you manage externally in the IdP identy store. Select
Device > Setup > Management, edit the Authencaon Sengs, and select the
Authencaon Profile you configured.
• Authencaon policy rules that secure the services and applicaons that end users
access through Capve Portal. See Configure Authencaon Policy.
• GlobalProtect portals and gateways that end users access.
2. Commit your changes.
The firewall validates the Identy Provider Cerficate that you assigned to the SAML IdP
server profile.
PAN-OS® Administrator’s Guide Version Version 9.1 262 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 5 | Create a SAML metadata file to register the firewall applicaon (management access, Capve
Portal, or GlobalProtect) on the IdP.
1. Select Device > Authencaon Profile and, in the Authencaon column for the
authencaon profile you configured, click Metadata.
2. In the Commands drop-down, select the applicaon you want to register:
• management (default)—Administrave access to the web interface.
• capve-portal—End user access to services and applicaons through Capve Portal.
• global-protect—End user access to services and applicaons through GlobalProtect.
3. (Capve Portal or GlobalProtect only) for the Vsysname Combo, select the virtual system
in which the Capve Portal sengs or GlobalProtect portal are defined.
4. Enter the interface, IP address, or hostname based on the applicaon you will register:
• management—For the Management Choice, select Interface (default) and select an
interface that is enabled for management access to the web interface. The default
selecon is the IP address of the MGT interface.
• capve-portal—For the IP Hostname, enter the IP address or hostname of the
Redirect Host (see Device > User Idenficaon > Capve Portal Sengs).
• global-protect—For the IP Hostname, enter the hostname or IP address of the
GlobalProtect portal or gateway.
5. Click OK and save the metadata file to your client system.
6. Import the metadata file into the IdP server to register the firewall applicaon. Refer to
your IdP documentaon for instrucons.
PAN-OS® Administrator’s Guide Version Version 9.1 263 ©2021 Palo Alto Networks, Inc.
Authencaon
PAN-OS® Administrator’s Guide Version Version 9.1 264 ©2021 Palo Alto Networks, Inc.
Authencaon
PAN-OS® Administrator’s Guide Version Version 9.1 265 ©2021 Palo Alto Networks, Inc.
Authencaon
each keytab in the authencaon sequence unl it is able to successfully authencate using
Kerberos.
If the Kerberos SSO hostname is included in the request sent to the firewall, then
the hostname must match the service principal name of the keytab; otherwise, the
Kerberos authencaon request is not sent.
STEP 2 | Configure an Authencaon Profile and Sequence to define Kerberos sengs and other
authencaon opons that are common to a set of users.
• Enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is
uppercase).
• Import the Kerberos Keytab that you created for the firewall.
STEP 3 | Assign the authencaon profile to the firewall applicaon that requires authencaon.
• Administrave access to the web interface—Configure a Firewall Administrator Account and
assign the authencaon profile you configured.
• End user access to services and applicaons—Assign the authencaon profile you
configured to an authencaon enforcement object. When configuring the object, set
the Authencaon Method to browser-challenge. Assign the object to Authencaon
PAN-OS® Administrator’s Guide Version Version 9.1 266 ©2021 Palo Alto Networks, Inc.
Authencaon
policy rules. For the full procedure to configure authencaon for end users, see Configure
Authencaon Policy.
PAN-OS® Administrator’s Guide Version Version 9.1 267 ©2021 Palo Alto Networks, Inc.
Authencaon
To use a Kerberos server for authencaon, the server must be accessible over an IPv4
address. IPv6 addresses are not supported.
If you use an FQDN address object to idenfy the server and you subsequently
change the address, you must commit the change in order for the new server
address to take effect.
4. Click OK to save your changes to the profile.
STEP 2 | Assign the server profile to an Configure an Authencaon Profile and Sequence.
The authencaon profile defines authencaon sengs that are common to a set of users.
STEP 3 | Assign the authencaon profile to the firewall applicaon that requires authencaon.
• Administrave access to the web interface—Configure a Firewall Administrator Account and
assign the authencaon profile you configured.
• End user access to services and applicaons—Assign the authencaon profile you
configured to an authencaon enforcement object and assign the object to Authencaon
policy rules. For the full procedure to configure authencaon for end users, see Configure
Authencaon Policy.
STEP 4 | Verify that the firewall can Test Authencaon Server Connecvity to authencate users.
PAN-OS® Administrator’s Guide Version Version 9.1 268 ©2021 Palo Alto Networks, Inc.
Authencaon
Select CHAP if the TACACS+ server supports that protocol; it is more secure
than PAP.
6. Add each TACACS+ server and enter the following:
• Name to idenfy the server
• TACACS+ Server IP address or FQDN. If you use an FQDN address object to idenfy
the server and you subsequently change the address, you must commit the change for
the new server address to take effect.
• Secret/Confirm Secret (a key to encrypt usernames and passwords)
• Server Port for authencaon requests (default is 49)
7. Click OK to save the server profile.
PAN-OS® Administrator’s Guide Version Version 9.1 269 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 3 | Configure the firewall to use the authencaon profile for all administrators.
1. Select Device > Setup > Management and edit the Authencaon Sengs.
2. Select the Authencaon Profile you configured and click OK.
STEP 4 | Configure the roles and access domains that define authorizaon sengs for administrators.
If you already defined TACACS+ VSAs on the TACACS+ server, the names you specify for roles
and access domains on the firewall must match the VSA values.
1. Configure an Admin Role Profile if the administrator will use a custom role instead of a
predefined (dynamic) role.
2. Configure an access domain if the firewall has more than one virtual system—Select
Device > Access Domain, Add an access domain, enter a Name to idenfy the access
domain, and Add each virtual system that the administrator will access, and then click
OK.
If you selected CHAP as the Authencaon Protocol, you must define accounts
with reversibly encrypted passwords. Otherwise, CHAP authencaon will fail.
3. Define TACACS+ VSAs for the role, access domain, and user group of each administrator.
When you predefine dynamic administrator roles for users, use lower-case to
specify the role (for example, enter superuser, not SuperUser).
PAN-OS® Administrator’s Guide Version Version 9.1 270 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 7 | Verify that the TACACS+ server performs authencaon and authorizaon for
administrators.
1. Log in the firewall web interface using an administrator account that you added to the
TACACS+ server.
2. Verify that you can access only the web interface pages that are allowed for the role you
associated with the administrator.
3. In the Monitor, Policies, and Objects tabs, verify that you can access only the virtual
systems that are allowed for the access domain you associated with the administrator.
PAN-OS® Administrator’s Guide Version Version 9.1 271 ©2021 Palo Alto Networks, Inc.
Authencaon
You can also configure client systems to send RADIUS Vendor-Specific Aributes (VSAs)
to the RADIUS server by assigning the authencaon profile to a GlobalProtect portal or
gateway. RADIUS administrators can then perform administrave tasks based on those
VSAs.
PAN-OS® Administrator’s Guide Version Version 9.1 272 ©2021 Palo Alto Networks, Inc.
Authencaon
If you use the server profile to integrate the firewall with an MFA service, enter
an interval that gives users enough me to authencate. For example, if the MFA
service prompts for a one-me password (OTP), users need me to see the OTP
on their endpoint device and then enter the OTP in the MFA login page.
5. Enter the number of Retries.
6. Select the Authencaon Protocol (default is PEAP-MSCHAPv2) that the firewall uses
to authencate to the RADIUS server.
Depending on which factors you want to use to authencate users within your mul-
factor authencaon (MFA) environment, select the appropriate authencaon protocol:
• Username, password, and push (an automacally triggered out-of-band request):
Supported with all authencaon protocols
• Push, password, token, and PIN (when password or token or PIN are provided
together): Supported with PAP, PEAP with GTC, and EAP-TTLS with PAP
• Username, password, token, and PIN, and challenge-response (when password or
token or PIN are provided together): Supported with PAP and PEAP with GTC
If you select an EAP authencaon method (PEAP-MSCHAPv2, PEAP with GTC,
or EAP-TTLS with PAP), confirm that your RADIUS server supports Transport Layer
Security (TLS) 1.1 or higher and that the root and intermediate cerficate authories
(CAs) for your RADIUS server are included in the cerficate profile associated with the
RADIUS server profile. If you select an EAP method and you do not associate a correctly
configured cerficate profile with the RADIUS profile, authencaon fails.
7. Add each RADIUS server and enter the following:
• Name to idenfy the server
• RADIUS Server IP address or FQDN. If you use an FQDN to idenfy the server and
you subsequently change the address, you must commit the change for the new
server address to take effect.
• Secret/Confirm Secret is a key to encrypt passwords and can be up to 64 characters
in length.
• Server Port for authencaon requests (default is 1812)
8. Click OK to save the server profile.
For redundancy, add mulple RADIUS servers in the sequence you want the firewall to use.
If you have selected an EAP method, configure an authencaon sequence to ensure that
users will be able to successfully respond to the authencaon challenge. There is no alternate
authencaon method with EAP: if the user fails the authencaon challenge and you have
PAN-OS® Administrator’s Guide Version Version 9.1 273 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 2 | If you are using PEAP-MSCHAPv2 with GlobalProtect, select Allow users to change
passwords aer expiry to allow GlobalProtect users to changed expired passwords to log in.
STEP 3 | (PEAP-MSCHAPv2, PEAP with GTC, or EAP-TTLS with PAP only) To anonymize the user’s
identy in the outer tunnel that is created aer authencang with the server, select Make
Outer Identy Anonymous.
You must configure the RADIUS server so that the enre chain allows access for
anonymous users. Some RADIUS server configuraons may not support anonymous
outer IDs, and you may need to clear the opon. When cleared, the RADIUS server
transmits usernames in cleartext.
STEP 6 | Configure the firewall to use the authencaon profile for all administrators.
1. Select Device > Setup > Management and edit the Authencaon Sengs.
2. Select the Authencaon Profile you configured and click OK.
STEP 7 | Configure the roles and access domains that define authorizaon sengs for administrators.
If you already defined RADIUS VSAs on the RADIUS server, the names you specify for roles
and access domains on the firewall must match the VSA values.
1. Configure an Admin Role Profile if the administrator uses a custom role instead of a
predefined (dynamic) role.
2. Configure an access domain if the firewall has more than one virtual system:
1. Select Device > Access Domain, Add an access domain, and enter a Name to idenfy
the access domain.
2. Add each virtual system that the administrator will access, and then click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 274 ©2021 Palo Alto Networks, Inc.
Authencaon
If the RADIUS server profile specifies CHAP as the Authencaon Protocol, you
must define accounts with reversibly encrypted passwords. Otherwise, CHAP
authencaon will fail.
3. Define the vendor code for the firewall (25461) and define the RADIUS VSAs for the
role, access domain, and user group of each administrator.
When you predefine dynamic administrator roles for users, use lower-case to specify the
role (for example, enter superuser, not SuperUser).
When configuring the advanced vendor opons on the ACS, you must set both
the Vendor Length Field Size and Vendor Type Field Size to 1. Otherwise,
authencaon will fail.
4. If you have selected an EAP method, the firewall validates the server but not the client.
To ensure client validity, restrict clients by IP address or subdomain.
STEP 10 | Verify that the RADIUS server performs authencaon and authorizaon for administrators.
1. Log in the firewall web interface using an administrator account that you added to the
RADIUS server.
2. Verify that you can access only the web interface pages that are allowed for the role you
associated with the administrator.
3. In the Monitor, Policies, and Objects tabs, verify that you can access only the virtual
systems that are allowed for the access domain you associated with the administrator.
4. In Monitor > Authencaon, verify the Authencaon Protocol.
5. Test the connecon and the validity of the cerficate profile using the following CLI
command:
PAN-OS® Administrator’s Guide Version Version 9.1 275 ©2021 Palo Alto Networks, Inc.
Authencaon
You can also connect to an LDAP server to define policy rules based on user groups. For
details, see Map Users to Groups.
If you use an FQDN address object to idenfy the server and you subsequently
change the address, you must commit the change for the new server address to
take effect.
6. Select the server Type.
7. Select the Base DN.
To idenfy the Base DN of your directory, open the Acve Directory Domains and
Trusts Microso Management Console snap-in and use the name of the top-level
domain.
8. Enter the Bind DN and Password to enable the authencaon service to authencate
the firewall.
The Bind DN account must have permission to read the LDAP directory.
9. Enter the Bind Timeout and Search Timeout in seconds (default is 30 for both).
10. Enter the Retry Interval in seconds (default is 60).
11. (Oponal) If you want the endpoint to use SSL or TLS for a more secure connecon with
the directory server, enable the opon to Require SSL/TLS secured connecon (enabled
by default). The protocol that the endpoint uses depends on the server port:
• 389 (default)—TLS (Specifically, the device uses the StartTLS operaon, which
upgrades the inial plaintext connecon to TLS.)
• 636—SSL
• Any other port—The device first aempts to use TLS. If the directory server doesn’t
support TLS, the device falls back to SSL.
12. (Oponal) For addional security, enable to the opon to Verify Server Cerficate
for SSL sessions so that the endpoint verifies the cerficate that the directory server
PAN-OS® Administrator’s Guide Version Version 9.1 276 ©2021 Palo Alto Networks, Inc.
Authencaon
presents for SSL/TLS connecons. To enable verificaon, you must also enable the
opon to Require SSL/TLS secured connecon. For verificaon to succeed, the
cerficate must meet one of the following condions:
• It is in the list of device cerficates: Device > Cerficate Management > Cerficates >
Device Cerficates. If necessary, import the cerficate into the device.
• The cerficate signer is in the list of trusted cerficate authories: Device >
Cerficate Management > Cerficates > Default Trusted Cerficate Authories.
13. Click OK to save the server profile.
STEP 2 | Assign the server profile to Configure an Authencaon Profile and Sequence to define
various authencaon sengs.
STEP 3 | Assign the authencaon profile to the firewall applicaon that requires authencaon.
• Administrave access to the web interface—Configure a Firewall Administrator Account
and assign the authencaon profile you configured.
• End user access to services and applicaons—For the full procedure to configure
authencaon for end users, see Configure Authencaon Policy.
STEP 4 | Verify that the firewall can Test Authencaon Server Connecvity to authencate users.
PAN-OS® Administrator’s Guide Version Version 9.1 277 ©2021 Palo Alto Networks, Inc.
Authencaon
Do not change the PAN-OS web server meout unless you see authencaon
failures. Seng the meout too high could degrade the performance of the firewall
or cause it to drop authencaon requests. You can review authencaon failures in
Authencaon logs.
The firewall applies a Capve Portal session meout that defines how long end users can take
to respond to the authencaon challenge in a Capve Portal web form. The web form displays
when users request services or applicaons that match an Authencaon policy rule. The
session meout is 30 seconds by default (range is 1 to 1,599,999). It must be the same as or
greater than the PAN-OS web server meout. Modify the Capve Portal Session Timeout if
necessary. Keep in mind that increasing the PAN-OS web server and Capve Portal session
meouts might degrade the performance of the firewall or cause it to drop authencaon
requests.
The Capve Portal session meout is not related to the mers that determine how long
the firewall retains IP address-to-username mappings.
PAN-OS® Administrator’s Guide Version Version 9.1 278 ©2021 Palo Alto Networks, Inc.
Authencaon
Timeouts are cumulave for authencaon sequences. For example, consider the case of
an authencaon sequence with two authencaon profiles. One authencaon profile
specifies a RADIUS server profile with a 3-second meout, 3 retries, and 4 servers. The other
authencaon profile specifies a TACACS+ server profile with a 3-second meout and 2
servers. The longest possible period in which the firewall can try to authencate user accounts
with that authencaon sequence is 42 seconds: 36 seconds for the RADIUS server profile
plus 6 seconds for the TACACS+ server profile.
The non-configurable meout for Kerberos servers is 17 seconds for each server specified in
the Kerberos server profile.
To configure the meouts and related sengs for other server types, see:
• Add an MFA server profile.
• Add a SAML IdP server profile.
• Add a TACACS+ server profile.
• Add a RADIUS server profile.
• Add an LDAP server profile.
Do not change the PAN-OS web server meout unless you see authencaon failures.
Seng the meout too high could degrade the performance of the firewall or cause it to
drop authencaon requests. You can review authencaon failures in Authencaon
logs.
STEP 2 | Set the PAN-OS web server meout by entering the following commands, where <value> is
the number of seconds (default is 30; range is 3 to 125).
> configure
# set deviceconfig setting l3-service timeout <value>
# commit
The more you raise the PAN-OS web server and Capve Portal session meouts, the
slower Capve Portal will respond to users.
STEP 1 | Select Device > Setup > Session and edit the Session Timeouts.
PAN-OS® Administrator’s Guide Version Version 9.1 279 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 2 | Enter a new Capve Portal value in seconds (default is 30; range is 1 to 1,599,999) and click
OK.
PAN-OS® Administrator’s Guide Version Version 9.1 280 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 5 | Verify that the firewall can Test Authencaon Server Connecvity to authencate users.
PAN-OS® Administrator’s Guide Version Version 9.1 281 ©2021 Palo Alto Networks, Inc.
Authencaon
If the firewall integrates with an MFA service through RADIUS, you must
add a RADIUS server profile. In this case, the MFA service provides all the
authencaon factors. If the firewall integrates with an MFA service through a
vendor API, you can sll use a RADIUS server profile for the first factor but MFA
server profiles are required for addional factors.
STEP 2 | (Local database authencaon only) Configure a user database that is local to the firewall.
Perform these steps for each user and user group for which you want to configure Local
Authencaon based on a user identy store that is local to the firewall:
1. Add the user account to the local database.
2. (Oponal) Add the user group to the local database.
STEP 3 | (Kerberos SSO only) Create a Kerberos keytab for the firewall if Kerberos single sign-on (SSO)
is the primary authencaon service.
Create a Kerberos keytab. A keytab is a file that contains Kerberos account informaon for the
firewall. To support Kerberos SSO, your network must have a Kerberos infrastructure.
PAN-OS® Administrator’s Guide Version Version 9.1 282 ©2021 Palo Alto Networks, Inc.
Authencaon
You can also select custom groups defined in a group mapping configuraon.
7. (Oponal) To modify the user informaon before the firewall sends the authencaon
request to the server, configure a Username Modifier.
• %USERDOMAIN%\%USERINPUT%—If the source does not include the domain
(for example, it uses the sAMAccountName), the firewall adds the User Domain you
specify before the username. If the source includes the domain, the firewall replaces
that domain with the User Domain. If the User Domain is empty, the firewall removes
PAN-OS® Administrator’s Guide Version Version 9.1 283 ©2021 Palo Alto Networks, Inc.
Authencaon
the domain from the user informaon that the firewall receives from source before
the firewall sends the request to the authencaon server.
PAN-OS® Administrator’s Guide Version Version 9.1 284 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 6 | Assign the authencaon profile or sequence to an administrave account for firewall
administrators or to Authencaon policy for end users.
• Administrators—Assign the authencaon profile based on how you manager administrator
authorizaon:
Authorizaon managed locally on the firewall—Configure a Firewall Administrator Account.
Authorizaon managed on a SAML, TACACS+, or RADIUS server—Select Device > Setup >
Management, edit the Authencaon Sengs, and select the Authencaon Profile.
• End users—For the full procedure to configure authencaon for end users, see Configure
Authencaon Policy.
STEP 7 | Verify that the firewall can Test Authencaon Server Connecvity to authencate users.
PAN-OS® Administrator’s Guide Version Version 9.1 285 ©2021 Palo Alto Networks, Inc.
Authencaon
STEP 3 | (Firewalls with mulple virtual systems) Define the target virtual system that the test
command will access.
This is required on firewalls with mulple virtual systems so that the test authencaon
command can locate the user you will test.
Define the target virtual system by entering:
The target-vsys opon is per login session; the firewall clears the opon when you
log off.
PAN-OS® Administrator’s Guide Version Version 9.1 286 ©2021 Palo Alto Networks, Inc.
Authencaon
For example, to test an authencaon profile named my-profile for a user named
bsimpson, enter:
When running the test command, the names of authencaon profiles and server
profiles are case sensive. Also, if an authencaon profile has a username modifier
defined, you must enter the modifier with the username. For example, if you add the
username modifier %USERINPUT%@%USERDOMAIN% for a user named bsimpson
and the domain name is mydomain.com, enter bsimpson@mydomain.com
as the username. This ensures that the firewall sends the correct credenals to the
authencaon server. In this example, mydomain.com is the domain that you define in
the User Domain field in the authencaon profile.
The output results vary based on several factors related to the authencaon type that
you are tesng as well as the type of issue. For example, RADIUS and TACACS+ use
different underlying libraries, so the same issue that exists for both of these types will
produce different errors. Also, if there is a network problem, such as using an incorrect
port or IP address in the authencaon server profile, the output error is not specific.
This is because the test command cannot perform the inial handshake between the
firewall and the authencaon server to determine details about the issue.
PAN-OS® Administrator’s Guide Version Version 9.1 287 ©2021 Palo Alto Networks, Inc.
Authencaon
Authencaon Policy
Authencaon policy enables you to authencate end users before they can access services and
applicaons. Whenever a user requests a service or applicaon (such as by vising a web page),
the firewall evaluates Authencaon policy. Based on the matching Authencaon policy rule,
the firewall then prompts the user to authencate using one or more methods (factors), such as
login and password, Voice, SMS, Push, or One-me Password (OTP) authencaon. For the first
factor, users authencate through a Capve Portal web form. For any addional factors, users
authencate through a Mul-Factor Authencaon (MFA) login page.
Aer the user authencates for all factors, the firewall evaluates Security Policy to determine
whether to allow access to the service or applicaon.
To reduce the frequency of authencaon challenges that interrupt the user workflow, you can
specify a meout period during which a user authencates only for inial access to services and
applicaons, not for subsequent access. Authencaon policy integrates with Capve Portal to
record the mestamps used to evaluate the meout and to enable user-based policies and reports.
Based on user informaon that the firewall collects during authencaon, User-ID creates a
new IP address-to-username mapping or updates the exisng mapping for that user (if the
mapping informaon has changed). The firewall generates User-ID logs to record the addions
and updates. The firewall also generates an Authencaon log for each request that matches an
Authencaon rule. If you favor centralized monitoring, you can configure reports based on User-
ID or Authencaon logs and forward the logs to Panorama or external services as you would for
any other log types.
• Authencaon Timestamps
• Configure Authencaon Policy
Authencaon Timestamps
When configuring an Authencaon policy rule, you can specify a meout period during which a
user authencates only for inial access to services and applicaons, not for subsequent access.
Your goal is to specify a meout that strikes a balance between the need to secure services
and applicaons and the need to minimize interrupons to the user workflow. When a user
authencates, the firewall records a mestamp for the first authencaon challenge (factor)
and a mestamp for any addional Mul-Factor Authencaon (MFA) factors. When the user
subsequently requests services and applicaons that match an Authencaon rule, the firewall
evaluates the meout specified in the rule relave to each mestamp. This means the firewall
reissues authencaon challenges on a per-factor basis when meouts expire. If you Redistribute
User Mappings and Authencaon Timestamps, all your firewalls will enforce Authencaon
policy meouts consistently for all users.
The firewall records a separate mestamp for each MFA vendor. For example, if you use
Duo v2 and PingID servers to issue challenges for MFA factors, the firewall records one
mestamp for the response to the Duo factor and one mestamp for the response to the
PingID factor.
PAN-OS® Administrator’s Guide Version Version 9.1 288 ©2021 Palo Alto Networks, Inc.
Authencaon
Within the meout period, a user who successfully authencates for one Authencaon rule
can access services or applicaons that other rules protect. However, this portability applies
only to rules that trigger the same authencaon factors. For example, a user who successfully
authencates for a rule that triggers TACACS+ authencaon must authencate again for a rule
that triggers SAML authencaon, even if the access requests are within the meout period for
both rules.
When evaluang the meout in each Authencaon rule and the global mer defined in the
Capve Portal sengs (see Configure Capve Portal), the firewall prompts the user to re-
authencate for whichever seng expires first. Upon re-authencang, the firewall records new
authencaon mestamps for the rules and resets the me count for the Capve Portal mer.
Therefore, to enable different meout periods for different Authencaon rules, set the Capve
Portal mer to a value that is the same as or higher than the meout in any rule.
STEP 2 | Configure the firewall to use one of the following services to authencate users.
• External Authencaon Services—Configure a server profile to define how the firewall
connects to the service.
• Local database authencaon—Add each user account to the local user database on the
firewall.
• Kerberos single sign-on (SSO)—Create a Kerberos keytab for the firewall. Oponally, you can
configure the firewall to use Kerberos SSO as the primary authencaon service and, if SSO
failures occur, fall back to an external service or local database authencaon.
STEP 3 | Configure an Authencaon Profile and Sequence for each set of users and Authencaon
policy rules that require the same authencaon services and sengs.
Select the Type of authencaon service and related sengs:
• External service—Select the Type of external server and select the Server Profile you
created for it.
• Local database authencaon—Set the Type to Local Database. In the Advanced sengs,
Add the Capve Portal users and user groups you created.
• Kerberos SSO—Specify the Kerberos Realm and Import the Kerberos Keytab.
PAN-OS® Administrator’s Guide Version Version 9.1 289 ©2021 Palo Alto Networks, Inc.
Authencaon
PAN-OS® Administrator’s Guide Version Version 9.1 290 ©2021 Palo Alto Networks, Inc.
Authencaon
PAN-OS® Administrator’s Guide Version Version 9.1 291 ©2021 Palo Alto Networks, Inc.
Authencaon
If you configured the firewall to use one or more MFA services, authencate for
the addional authencaon factors.
3. End the session for the service or URL you just accessed.
4. Start a new session for the same service or applicaon. Be sure to perform this step
within the Timeout period you configured in the Authencaon rule.
The firewall allows access without re-authencang.
5. Wait unl the Timeout period expires and request the same service or applicaon.
The firewall prompts you to re-authencate.
STEP 8 | (Oponal) Redistribute User Mappings and Authencaon Timestamps to other firewalls that
enforce Authencaon policy to ensure they all apply the meouts consistently for all users.
PAN-OS® Administrator’s Guide Version Version 9.1 292 ©2021 Palo Alto Networks, Inc.
Authencaon
Task Command
PAN-OS® Administrator’s Guide Version Version 9.1 293 ©2021 Palo Alto Networks, Inc.
Authencaon
Task Command
• connection-show displays connection-debug-on |
authencaon request and response {
stascs for all authencaon servers or connection-id |
debug-prefix |
for a specific protocol type. protocol-type
Use the connection-debug opons to {
enable or disable authencaon debugging: Kerberos connection-id
<value> |
• Use the on opon to enable or the off LDAP connection-id <val
opon to disable debugging for authd. ue> |
RADIUS connection-id <v
• Use the connection-debug-on opon alue> |
to enable or the connection-debug- TACACS+ connection-id <
off opon to disable debugging for all value> |
authencaon servers or for a specific }
connection-debug-off |
protocol type.
{
connection-id |
protocol-type
{
Kerberos connection-id
<value> |
LDAP connection-id <val
ue> |
RADIUS connection-id <v
alue> |
TACACS+ connection-id <
value> |
}
connection-debug-on
}
PAN-OS® Administrator’s Guide Version Version 9.1 294 ©2021 Palo Alto Networks, Inc.
Cerficate Management
The following topics describe the different keys and cerficates that Palo Alto
Networks® firewalls and Panorama use, and how to obtain and manage them:
> Keys and Cerficates > Export a Cerficate and Private Key
> Default Trusted Cerficate > Configure a Cerficate Profile
Authories (CAs) > Configure an SSL/TLS Service Profile
> Cerficate Revocaon > Replace the Cerficate for Inbound
> Cerficate Deployment Management Traffic
> Set Up Verificaon for Cerficate > Configure the Key Size for SSL
Revocaon Status Forward Proxy Server Cerficates
> Configure the Master Key > Revoke and Renew Cerficates
> Obtain Cerficates > Secure Keys with a Hardware
Security Module
295
Cerficate Management
Key/Cerficate Descripon
Usage
PAN-OS® Administrator’s Guide Version Version 9.1 296 ©2021 Palo Alto Networks, Inc.
Cerficate Management
Key/Cerficate Descripon
Usage
Forward Trust For outbound SSL/TLS traffic, if a firewall acng as a forward proxy
trusts the CA that signed the cerficate of the desnaon server, the
firewall uses the forward trust CA cerficate to generate a copy of the
desnaon server cerficate to present to the client. To set the private
key size, see Configure the Key Size for SSL Forward Proxy Server
Cerficates. For added security, store the key on a hardware security
module (for details, see Secure Keys with a Hardware Security Module).
Forward Untrust For outbound SSL/TLS traffic, if a firewall acng as a forward proxy
does not trust the CA that signed the cerficate of the desnaon
server, the firewall uses the forward untrust CA cerficate to generate a
copy of the desnaon server cerficate to present to the client.
SSL Inbound The keys that decrypt inbound SSL/TLS traffic for inspecon and policy
Inspecon enforcement. For this applicaon, import onto the firewall a private
key for each server that is subject to SSL/TLS inbound inspecon. See
Configure SSL Inbound Inspecon.
SSL Exclude Cerficates for servers to exclude from SSL/TLS decrypon. For
Cerficate example, if you enable SSL decrypon but your network includes
servers for which the firewall should not decrypt traffic (for example,
web services for your HR systems), import the corresponding
cerficates onto the firewall and configure them as SSL Exclude
Cerficates. See Decrypon Exclusions.
PAN-OS® Administrator’s Guide Version Version 9.1 297 ©2021 Palo Alto Networks, Inc.
Cerficate Management
Key/Cerficate Descripon
Usage
Site-to-Site VPNs In a site-to-site IPSec VPN deployment, peer devices use Internet Key
(IKE) Exchange (IKE) gateways to establish a secure channel. IKE gateways
use cerficates or preshared keys to authencate the peers to each
other. You configure and assign the cerficates or keys when defining
an IKE gateway on a firewall. See Site-to-Site VPN Overview.
Master Key The firewall uses a master key to encrypt all private keys and
passwords. If your network requires a secure locaon for storing private
keys, you can use an encrypon (wrapping) key stored on a hardware
security module (HSM) to encrypt the master key. For details, see
Encrypt a Master Key Using an HSM.
Secure Syslog The cerficate to enable secure connecons between the firewall and a
syslog server. See Syslog Field Descripons.
Trusted Root CA The designaon for a root cerficate issued by a CA that the firewall
trusts. The firewall can use a self-signed root CA cerficate to
automacally issue cerficates for other applicaons (for example, SSL
Forward Proxy).
Also, if a firewall must establish secure connecons with other firewalls,
the root CA that issues their cerficates must be in the list of trusted
root CAs on the firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 298 ©2021 Palo Alto Networks, Inc.
Cerficate Management
The only addional CAs you might want to add are trusted enterprise CAs that your organizaon
requires—see Obtain Cerficates.
PAN-OS® Administrator’s Guide Version Version 9.1 299 ©2021 Palo Alto Networks, Inc.
Cerficate Management
Cerficate Revocaon
Palo Alto Networks firewalls and Panorama use digital cerficates to ensure trust between pares
in a secure communicaon session. Configuring a firewall or Panorama to check the revocaon
status of cerficates provides addional security. A party that presents a revoked cerficate is not
trustworthy. When a cerficate is part of a chain, the firewall or Panorama checks the status of
every cerficate in the chain except the root CA cerficate, for which it cannot verify revocaon
status.
Various circumstances can invalidate a cerficate before the expiraon date. Some examples are
a change of name, change of associaon between subject and cerficate authority (for example,
an employee terminates employment), and compromise (known or suspected) of the private key.
Under such circumstances, the cerficate authority that issued the cerficate must revoke it.
The firewall and Panorama support the following methods for verifying cerficate revocaon
status. If you configure both methods, the firewall or Panorama first tries the OCSP method; if the
OCSP server is unavailable, it uses the CRL method.
• Cerficate Revocaon List (CRL)
• Online Cerficate Status Protocol (OCSP)
If you configure mulple CRL distribuon points (CDPs) and the firewall cannot reach the
first CDP, the firewall does not check the remaining CDPs. To redirect invalid CRL requests,
configure a DNS proxy as an alternate server.
To use CRLs for verifying the revocaon status of cerficates used for the decrypon of inbound
and outbound SSL/TLS traffic, see Configure Revocaon Status Verificaon of Cerficates Used
for SSL/TLS Decrypon.
To use CRLs for verifying the revocaon status of cerficates that authencate users and devices,
configure a cerficate profile and assign it to the interfaces that are specific to the applicaon:
Capve Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, or
web interface access to Palo Alto Networks firewalls or Panorama. For details, see Configure
Revocaon Status Verificaon of Cerficates.
PAN-OS® Administrator’s Guide Version Version 9.1 300 ©2021 Palo Alto Networks, Inc.
Cerficate Management
PAN-OS® Administrator’s Guide Version Version 9.1 301 ©2021 Palo Alto Networks, Inc.
Cerficate Management
Cerficate Deployment
The basic approaches to deploy cerficates for Palo Alto Networks firewalls or Panorama are:
• Obtain cerficates from a trusted third-party CA—The benefit of obtaining a cerficate from
a trusted third-party cerficate authority (CA) such as VeriSign or GoDaddy is that end clients
will already trust the cerficate because common browsers include root CA cerficates from
well-known CAs in their trusted root cerficate stores. Therefore, for applicaons that require
end clients to establish secure connecons with the firewall or Panorama, purchase a cerficate
from a CA that the end clients trust to avoid having to pre-deploy root CA cerficates to
the end clients. (Some such applicaons are a GlobalProtect portal or GlobalProtect Mobile
Security Manager.) However, most third-party CAs cannot issue signing cerficates. Therefore,
this type of cerficate is not appropriate for applicaons (for example, SSL/TLS decrypon and
large-scale VPN) that require the firewall to issue cerficates. See Obtain a Cerficate from an
External CA.
• Obtain cerficates from an enterprise CA—Enterprises that have their own internal CA can use
it to issue cerficates for firewall applicaons and import them onto the firewall. The benefit is
that end clients probably already trust the enterprise CA. You can either generate the needed
cerficates and import them onto the firewall, or generate a cerficate signing request (CSR)
on the firewall and send it to the enterprise CA for signing. The benefit of this method is that
the private key does not leave the firewall. An enterprise CA can also issue a signing cerficate,
which the firewall uses to automacally generate cerficates (for example, for GlobalProtect
large-scale VPN or sites requiring SSL/TLS decrypon). See Import a Cerficate and Private
Key.
• Generate self-signed cerficates—You can Create a Self-Signed Root CA Cerficate on the
firewall and use it to automacally issue cerficates for other firewall applicaons.
If you use this method to generate cerficates for an applicaon that requires an end
client to trust the cerficate, end users will see a cerficate error because the root
CA cerficate is not in their trusted root cerficate store. To prevent this, deploy the
self-signed root CA cerficate to all end user systems. You can deploy the cerficates
manually or use a centralized deployment method such as an Acve Directory Group
Policy Object (GPO).
PAN-OS® Administrator’s Guide Version Version 9.1 302 ©2021 Palo Alto Networks, Inc.
Cerficate Management
STEP 2 | If you want the firewall to use the management interface for the OCSP responder interface,
enable OCSP communicaon on the firewall. Otherwise, connue to the next step to
configure an alternate interface.
1. Select Device > Setup > Management.
2. In the Management Interface Sengs secon, edit to select the HTTP OCSP check box,
then click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 303 ©2021 Palo Alto Networks, Inc.
Cerficate Management
STEP 3 | To use an alternate interface as the OCSP responder interface, add an Interface Management
Profile to the interface used for OCSP services.
1. Select Network > Network Profiles > Interface Mgmt.
2. Click Add to create a new profile or click the name of an exisng profile.
3. Select the HTTP OCSP check box and click OK.
4. Select Network > Interfaces and click the name of the interface that the firewall will
use for OCSP services. The OCSP Host Name specified in Step 1 must resolve to an IP
address in this interface.
5. Select Advanced > Other info and select the Interface Management Profile you
configured.
6. Click OK and Commit.
Enabling revocaon status verificaon for SSL/TLS decrypon cerficates will add me to
the process of establishing the session. The first aempt to access a site might fail if the
verificaon does not finish before the session mes out. For these reasons, verificaon is
disabled by default.
PAN-OS® Administrator’s Guide Version Version 9.1 304 ©2021 Palo Alto Networks, Inc.
Cerficate Management
STEP 1 | Define the service-specific meout intervals for revocaon status requests.
1. Select Device > Setup > Session and, in the Session Features secon, select Decrypon
Cerficate Revocaon Sengs.
2. Perform one or both of the following steps, depending on whether the firewall will use
Online Cerficate Status Protocol (OCSP) or the Cerficate Revocaon List (CRL) method
to verify the revocaon status of cerficates. If the firewall will use both, it first tries
OCSP; if the OCSP responder is unavailable, the firewall then tries the CRL method.
• In the CRL secon, select the Enable check box and enter the Receive Timeout. This
is the interval (1-60 seconds) aer which the firewall stops waing for a response
from the CRL service.
• In the OCSP secon, select the Enable check box and enter the Receive Timeout.
This is the interval (1-60 seconds) aer which the firewall stops waing for a response
from the OCSP responder.
Depending on the Cerficate Status Timeout value you specify in Step 2, the firewall
might register a meout before either or both of the Receive Timeout intervals pass.
STEP 2 | Define the total meout interval for revocaon status requests.
Enter the Cerficate Status Timeout. This is the interval (1-60 seconds) aer which the
firewall stops waing for a response from any cerficate status service and applies the session-
blocking logic you oponally define in Step 3. The Cerficate Status Timeout relates to the
OCSP/CRL Receive Timeout as follows:
• If you enable both OCSP and CRL—The firewall registers a request meout aer the lesser
of two intervals passes: the Cerficate Status Timeout value or the aggregate of the two
Receive Timeout values.
• If you enable only OCSP—The firewall registers a request meout aer the lesser of two
intervals passes: the Cerficate Status Timeout value or the OCSP Receive Timeout value.
• If you enable only CRL—The firewall registers a request meout aer the lesser of two
intervals passes: the Cerficate Status Timeout value or the CRL Receive Timeout value.
STEP 3 | Define the blocking behavior for unknown cerficate status or a revocaon status request
meout.
If you want the firewall to block SSL/TLS sessions when the OCSP or CRL service returns a
cerficate revocaon status of unknown, select the Block Session With Unknown Cerficate
Status check box. Otherwise, the firewall proceeds with the session.
If you want the firewall to block SSL/TLS sessions aer it registers a request meout, select
the Block Session On Cerficate Status Check Timeout check box. Otherwise, the firewall
proceeds with the session.
PAN-OS® Administrator’s Guide Version Version 9.1 305 ©2021 Palo Alto Networks, Inc.
Cerficate Management
STEP 2 | (HA only) Disable Config Sync (required before deploying a new master key to any firewall
HA pair).
Before you deploy a new master key to any firewall HA pair, you must disable Config Sync. For
Panorama-managed firewalls, if you do not disable Config Sync before deploying a new master
key, Panorama loses connecvity to the primary firewall.
1. Select Device > High Availability > General and edit the Setup.
2. Disable (clear) Enable Config Sync and then click OK.
3. Commit your configuraon changes.
STEP 3 | Select Device > Master Key and Diagnoscs and edit the Master Key secon.
STEP 5 | Define a new New Master Key and then Confirm New Master Key. The key must contain
exactly 16 characters.
STEP 6 | To specify the master key Lifeme, enter the number of Days and/or Hours aer which the
key will expire.
You must configure a new master key before the current key expires. If the master key
expires, the firewall or Panorama automacally reboots in Maintenance mode. You
must then Reset the Firewall to Factory Default Sengs.
STEP 7 | Enter a Time for Reminder that specifies the number of Days and Hours before the master
key expires when the firewall generates an expiraon alarm. The firewall automacally opens
the System Alarms dialog to display the alarm.
To ensure the expiraon alarm displays, select Device > Log Sengs, edit the Alarm
Sengs, and Enable Alarms.
PAN-OS® Administrator’s Guide Version Version 9.1 306 ©2021 Palo Alto Networks, Inc.
Cerficate Management
STEP 8 | Enable Auto Renew Master Key to configure the firewall to automacally renew the master
key. To configure Auto Renew With Same Master Key, specify the number of Days and/
or Hours to renew the same master key. The key extension allows the firewall to remain
operaonal and connue securing your network; it is not a replacement for configuring a new
key if the exisng master key lifeme expires soon.
Consider the number of days unl your next available maintenance window when
configuring the master key to automacally renew aer the lifeme of the key expires.
STEP 9 | (Oponal) For added security, select whether to use an HSM to encrypt the master key. For
details, see Encrypt a Master Key Using an HSM.
PAN-OS® Administrator’s Guide Version Version 9.1 307 ©2021 Palo Alto Networks, Inc.
Cerficate Management
Obtain Cerficates
• Create a Self-Signed Root CA Cerficate
• Generate a Cerficate
• Import a Cerficate and Private Key
• Obtain a Cerficate from an External CA
On a Palo Alto Networks firewall or Panorama, you can generate self-signed cerficates
only if they are CA cerficates.
STEP 1 | Select Device > Cerficate Management > Cerficates > Device Cerficates.
STEP 2 | If the firewall has more than one virtual system (vsys), select a Locaon (vsys or Shared) for
the cerficate.
STEP 4 | Enter a Cerficate Name, such as GlobalProtect_CA. The name is case-sensive and
can have up to 63 characters on the firewall or up to 31 characters on Panorama. It must be
unique and use only leers, numbers, hyphens, and underscores.
STEP 5 | In the Common Name field, enter the FQDN (recommended) or IP address of the interface
where you will configure the service that will use this cerficate.
STEP 6 | If the firewall has more than one vsys and you want the cerficate to be available to every
vsys, select the Shared check box.
STEP 7 | Leave the Signed By field blank to designate the cerficate as self-signed.
STEP 9 | Leave the OCSP Responder field blank; revocaon status verificaon doesn’t apply to root
CA cerficates.
PAN-OS® Administrator’s Guide Version Version 9.1 308 ©2021 Palo Alto Networks, Inc.
Cerficate Management
Generate a Cerficate
Palo Alto Networks firewalls and Panorama use cerficates to authencate clients, servers, users,
and devices in several applicaons, including SSL/TLS decrypon, Capve Portal, GlobalProtect,
site-to-site IPSec VPN, and web interface access to the firewall/Panorama. Generate cerficates
for each usage: for details, see Keys and Cerficates.
To generate a cerficate, you must first Create a Self-Signed Root CA Cerficate or import one
(Import a Cerficate and Private Key) to sign it. To use Online Cerficate Status Protocol (OCSP)
for verifying cerficate revocaon status, Configure an OCSP Responder before generang the
cerficate.
STEP 1 | Select Device > Cerficate Management > Cerficates > Device Cerficates.
STEP 2 | If the firewall has more than one virtual system (vsys), select a Locaon (vsys or Shared) for
the cerficate.
STEP 4 | Select Local (default) as the Cerficate Type unless you want to deploy SCEP cerficates to
GlobalProtect endpoints.
STEP 5 | Enter a Cerficate Name. The name is case-sensive and can have up to 63 characters on
the firewall or up to 31 characters on Panorama. It must be unique and use only leers,
numbers, hyphens, and underscores.
STEP 6 | In the Common Name field, enter the FQDN (recommended) or IP address of the interface
where you will configure the service that will use this cerficate.
STEP 7 | If the firewall has more than one vsys and you want the cerficate to be available to every
vsys, select the Shared check box.
STEP 8 | In the Signed By field, select the root CA cerficate that will issue the cerficate.
STEP 10 | For the key generaon Algorithm, select RSA (default) or Ellipcal Curve DSA (ECDSA).
ECDSA is recommended for client browsers and operang systems that support it.
Firewalls that run PAN-OS 6.1 and earlier releases will delete any ECDSA cerficates
that you push from Panorama™, and any RSA cerficates signed by an ECDSA
cerficate authority (CA) will be invalid on those firewalls.
You cannot use a hardware security module (HSM) to store ECDSA keys used for SSL/TLS
Decrypon.
STEP 11 | Select the Number of Bits to define the cerficate key length. Higher numbers are more
secure but require more processing me.
PAN-OS® Administrator’s Guide Version Version 9.1 309 ©2021 Palo Alto Networks, Inc.
Cerficate Management
STEP 12 | Select the Digest algorithm. From most to least secure, the opons are: sha512, sha384,
sha256 (default), sha1, and md5.
Client cerficates that are used when requesng firewall services that rely on TLSv1.2
(such as administrator access to the web interface) cannot have sha512 as a digest
algorithm. The client cerficates must use a lower digest algorithm (such as sha384) or
you must limit the Max Version to TLSv1.1 when you Configure an SSL/TLS Service
Profile for the firewall services.
STEP 13 | For the Expiraon, enter the number of days (default is 365) for which the cerficate is valid.
STEP 14 | (Oponal) Add the Cerficate Aributes to uniquely idenfy the firewall and the service that
will use the cerficate.
If you add a Host Name (DNS name) aribute, it is a best pracce for it to match the
Common Name, because the host name populates the Subject Alternate Name (SAN)
field of the cerficate and some browsers require the SAN to specify the domains
the cerficate protects; in addion, the Host Name matching the Common Name is
mandatory for GlobalProtect.
STEP 15 | Click Generate and, in the Device Cerficates page, click the cerficate Name.
Regardless of the me zone on the firewall, it always displays the corresponding
Greenwich Mean Time (GMT) for cerficate validity and expiraon dates/mes.
STEP 16 | Select the check boxes that correspond to the intended use of the cerficate on the firewall.
For example, if the firewall will use this cerficate to secure forwarding of syslogs to an
external syslog server, select the Cerficate for Secure Syslog check box.
On a Palo Alto Networks firewall or Panorama, you can import self-signed cerficates only
if they are CA cerficates.
Instead of imporng a self-signed root CA cerficate into all the client systems, it is a best
pracce to import a cerficate from the enterprise CA because the clients will already have
a trust relaonship with the enterprise CA, which simplifies the deployment.
If the cerficate you will import is part of a cerficate chain, it is a best pracce to import
the enre chain.
PAN-OS® Administrator’s Guide Version Version 9.1 310 ©2021 Palo Alto Networks, Inc.
Cerficate Management
STEP 1 | From the enterprise CA, export the cerficate and private key that the firewall will use for
authencaon.
When exporng a private key, you must enter a passphrase to encrypt the key for transport.
Ensure the management system can access the cerficate and key files. When imporng the
key onto the firewall, you must enter the same passphrase to decrypt it.
STEP 2 | Select Device > Cerficate Management > Cerficates > Device Cerficates.
STEP 3 | If the firewall has more than one virtual system (vsys), select a Locaon (vsys or Shared) for
the cerficate.
STEP 4 | Click Import and enter a Cerficate Name. The name is case-sensive and can have up to
63 characters on the firewall or up to 31 characters on Panorama. It must be unique and use
only leers, numbers, hyphens, and underscores.
STEP 5 | To make the cerficate available to all virtual systems, select the Shared check box. This
check box appears only if the firewall supports mulple virtual systems.
STEP 6 | Enter the path and name of the Cerficate File received from the CA, or Browse to find the
file.
STEP 8 | Enter and re-enter (confirm) the Passphrase used to encrypt the private key.
STEP 9 | Click OK. The Device Cerficates page displays the imported cerficate.
PAN-OS® Administrator’s Guide Version Version 9.1 311 ©2021 Palo Alto Networks, Inc.
Cerficate Management
If you add a Host Name aribute, it should match the Common Name (this is
mandatory for GlobalProtect). The host name populates the Subject Alternave
Name field of the cerficate.
10. Click Generate. The Device Cerficates tab displays the CSR with a Status of pending.
PAN-OS® Administrator’s Guide Version Version 9.1 312 ©2021 Palo Alto Networks, Inc.
Cerficate Management
the SCEP client requests it and sends the cerficate to the SCEP client. The SCEP client then
transparently deploys the cerficate to the client device.
You can use a SCEP profile with GlobalProtect to assign user-specific client cerficates to each
GlobalProtect user. In this use case, the GlobalProtect portal acts as a SCEP client to the SCEP
server in your enterprise PKI. Addionally, you can use a SCEP profile to assign client cerficates
to Palo Alto Networks devices for mutual authencaon with other Palo Alto Networks devices
for management access and inter-device communicaon.
STEP 1 | Create a SCEP profile.
1. Select Device > Cerficate Management > SCEP and then Add a new profile.
2. Enter a Name to idenfy the SCEP profile.
3. If this profile is for a firewall with mulple virtual systems capability, select a virtual
system or Shared as the Locaon where the profile is available.
STEP 2 | (Oponal) To make the SCEP-based cerficate generaon more secure, configure a SCEP
challenge-response mechanism between the PKI and portal for each cerficate request.
Aer you configure this mechanism, its operaon is invisible, and no further input from you is
necessary.
To comply with the U.S. Federal Informaon Processing Standard (FIPS), use a Dynamic SCEP
challenge and specify a Server URL that uses HTTPS.
Select one of the following opons:
• None—(Default) The SCEP server does not challenge the portal before it issues a cerficate.
• Fixed—Obtain the enrollment challenge password from the SCEP server in the PKI
infrastructure and then enter the password into the Password field.
• Dynamic—Enter a username and password of your choice (possibly the credenals
of the PKI administrator) and the SCEP Server URL where the portal-client submits
these credenals. The uses the credenals to authencate with the SCEP server
which transparently generates an OTP password for the portal upon each cerficate
request. (You can see this OTP change aer a screen refresh in The enrollment
challengepassword is field aer each cerficate request.) The PKI transparently
passes each new password to the portal, which then uses the password for its cerficate
request.
STEP 3 | Specify the sengs for the connecon between the SCEP server and the portal to enable the
portal to request and receive client cerficates.
You can include addional informaon about the client device or user by specifying tokens in
the Subject name of the cerficate.
The portal includes the token value and host ID in the CSR request to the SCEP server.
1. Configure the Server URL that the portal uses to reach the SCEP server in the PKI (for
example, http://10.200.101.1/certsrv/mscep/).
2. Enter a string (up to 255 characters in length) in the CA-IDENT Name field to idenfy
the SCEP server.
3. Enter the Subject name to use in the cerficates generated by the SCEP server. The
subject must be a disnguished name in the <attribute>=<value> format and
PAN-OS® Administrator’s Guide Version Version 9.1 313 ©2021 Palo Alto Networks, Inc.
Cerficate Management
must include a common name (CN) aribute (CN=<variable>). The CN supports the
following dynamic tokens:
• $USERNAME—Use this token to enable the portal to request cerficates for a specific
user. To use this variable with GlobalProtect, you must also Enable Group Mapping.
The username entered by the user must match the name in the user-group mapping
table.
• $EMAILADDRESS—Use this token to request cerficates associated with a specific
email address. To use this variable, you must also Enable Group Mapping and
configure the Mail Aributes in the Mail Domains secon of the Server Profile. If
GlobalProtect cannot idenfy an email address for the user, it generates a unique ID
and populates the CN with that value.
• $HOSTID—To request cerficates for the device only, specify the host ID token.
When a user aempts to log in to the portal, the endpoint sends idenfying
informaon that includes its host ID value. The host ID value varies by device type,
either GUID (Windows) MAC address of the interface (Mac), Android ID (Android
devices), UDID (iOS devices), or a unique name that GlobalProtect assigns (Chrome).
• $UDID—Use the UDID common name aribute to request cerficates based on
the client’s device UDID for GlobalProtect or device serial number for mutual
authencaon between Palo Alto Networks devices.
When the GlobalProtect portal pushes the SCEP sengs to the agent, the CN poron of
the subject name is replaced with the actual value (username, host ID, or email address)
of the cerficate owner (for example, O=acme,CN=johndoe).
4. Select the Subject Alternave Name Type:
Use stac entries for the Subject Alternave Name Type. The firewall does not
support dynamic tokens such as $USERNAME.
• RFC 822 Name—Enter the email name in a cerficate’s subject or Subject Alternave
Name extension.
• DNS Name—Enter the DNS name used to evaluate cerficates.
• Uniform Resource Idenfier—Enter the name of the resource from which the client
will obtain the cerficate.
• None—Do not specify aributes for the cerficate.
PAN-OS® Administrator’s Guide Version Version 9.1 314 ©2021 Palo Alto Networks, Inc.
Cerficate Management
STEP 5 | (Oponal) Configure the permied uses of the cerficate, either for signing or encrypon.
• To use this cerficate for signing, select the Use as digital signature check box. This enables
the endpoint use the private key in the cerficate to validate a digital signature.
• To use this cerficate for encrypon, select the Use for key encipherment check box. This
enables the client use the private key in the cerficate to encrypt data exchanged over the
HTTPS connecon established with the cerficates issued by the SCEP server.
STEP 6 | (Oponal) To ensure that the portal is connecng to the correct SCEP server, enter the
CA Cerficate Fingerprint. Obtain this fingerprint from the SCEP server interface in the
Thumbprint field.
1. Enter the URL for the SCEP server’s administrave UI (for example, http://
<hostname or IP>/CertSrv/mscep_admin/).
2. Copy the thumbprint and enter it in the CA Cerficate Fingerprint field.
STEP 7 | Enable mutual SSL authencaon between the SCEP server and the firewall. This is required
to comply with the U.S. Federal Informaon Processing Standard (FIPS).
FIPS-CC operaon is indicated on the firewall login page and in its status bar.
Select the SCEP server’s root CA Cerficate. Oponally, you can enable mutual SSL
authencaon between the SCEP server and the firewall by selecng a Client Cerficate.
STEP 9 | (Oponal) If aer saving the SCEP profile, the portal fails to obtain the cerficate, you can
manually generate a cerficate signing request (CSR) from the portal.
1. Select Device > Cerficate Management > Cerficates > Device Cerficates and then
click Generate.
2. Enter a Cerficate Name. This name cannot contain spaces.
3. Select the SCEP Profile to use to submit a CSR to your enterprise PKI.
4. Click OK to submit the request and generate the cerficate.
PAN-OS® Administrator’s Guide Version Version 9.1 315 ©2021 Palo Alto Networks, Inc.
Cerficate Management
STEP 2 | If the firewall has more than one virtual system (vsys), select a Locaon (a specific vsys or
Shared) for the cerficate.
STEP 3 | Select the cerficate, click Export, and select a File Format:
• Base64 Encoded Cerficate (PEM)—This is the default format. It is the most common and
has the broadest support on the Internet. If you want the exported file to include the private
key, select the Export Private Key check box.
• Encrypted Private Key and Cerficate (PKCS12)—This format is more secure than PEM but
is not as common or as broadly supported. The exported file will automacally include the
private key.
• Binary Encoded Cerficate (DER)—More operang system types support this format than
the others. You can export only the cerficate, not the key: ignore the Export Private Key
check box and passphrase fields.
STEP 4 | Enter a Passphrase and Confirm Passphrase to encrypt the private key if the File Format is
PKCS12 or if it is PEM and you selected the Export Private Key check box. You will use this
passphrase when imporng the cerficate and key into client systems.
PAN-OS® Administrator’s Guide Version Version 9.1 316 ©2021 Palo Alto Networks, Inc.
Cerficate Management
It is a best pracce to enable Online Cerficate Status Protocol (OCSP) and Cerficate
Revocaon List (CRL) status verificaon for cerficate profiles to verify that the cerficate
hasn’t been revoked. Enable both OCSP and CRL so that if the OCSP server isn’t available,
the firewall uses CRL. For details on these methods, see Cerficate Revocaon.
STEP 1 | Obtain the cerficate authority (CA) cerficates you will assign.
Perform one of the following steps to obtain the CA cerficates you will assign to the profile.
You must assign at least one.
• Generate a Cerficate.
• Export a cerficate from your enterprise CA and then import it onto the firewall (see step to
3).
PAN-OS® Administrator’s Guide Version Version 9.1 317 ©2021 Palo Alto Networks, Inc.
Cerficate Management
STEP 4 | Define the methods for verifying cerficate revocaon status and the associated blocking
behavior.
1. Select Use CRL and/or Use OCSP. If you select both, the firewall first tries OCSP and
falls back to the CRL method only if the OCSP responder is unavailable.
2. Depending on the verificaon method, enter the CRL Receive Timeout and/or OCSP
Receive Timeout. These are the intervals (1-60 seconds) aer which the firewall stops
waing for a response from the CRL/OCSP service.
3. Enter the Cerficate Status Timeout. This is the interval (1-60 seconds) aer which the
firewall stops waing for a response from any cerficate status service and applies any
PAN-OS® Administrator’s Guide Version Version 9.1 318 ©2021 Palo Alto Networks, Inc.
Cerficate Management
session-blocking logic you define. The Cerficate Status Timeout relates to the OCSP/
CRL Receive Timeout as follows:
• If you enable both OCSP and CRL—The firewall registers a request meout aer the
lesser of two intervals passes: the Cerficate Status Timeout value or the aggregate
of the two Receive Timeout values.
• If you enable only OCSP—The firewall registers a request meout aer the lesser
of two intervals passes: the Cerficate Status Timeout value or the OCSP Receive
Timeout value.
• If you enable only CRL—The firewall registers a request meout aer the lesser of two
intervals passes: the Cerficate Status Timeout value or the CRL Receive Timeout
value.
4. If you want the firewall to block sessions when the OCSP or CRL service returns a
cerficate revocaon status of unknown, select Block session if cerficate status is
unknown. Otherwise, the firewall allows the sessions.
5. If you want the firewall to block sessions aer it registers an OCSP or CRL request
meout, select Block session if cerficate status cannot be retrieved within meout.
Otherwise, the firewall allows the sessions.
6. (GlobalProtect only) If you want the firewall to block sessions when the serial number
aribute in the subject of the client cerficate does not match the host ID that the
GlobalProtect app reports for the endpoint, select Block sessions if the cerficate was
not issued to the authencang device.
PAN-OS® Administrator’s Guide Version Version 9.1 319 ©2021 Palo Alto Networks, Inc.
Cerficate Management
In the client systems that request firewall services, the cerficate trust list (CTL) must
include the cerficate authority (CA) cerficate that issued the cerficate specified in
the SSL/TLS service profile. Otherwise, users will see a cerficate error when requesng
firewall services. Most third-party CA cerficates are present by default in client browsers.
If an enterprise or firewall-generated CA cerficate is the issuer, you must deploy that CA
cerficate to the CTL in client browsers.
STEP 1 | For each desired service, generate or import a cerficate on the firewall (see Obtain
Cerficates).
STEP 2 | Select Device > Cerficate Management > SSL/TLS Service Profile.
STEP 3 | If the firewall has more than one virtual system (vsys), select the Locaon (vsys or Shared)
where the profile is available.
STEP 6 | Define the range of protocols that the service can use:
• For the Min Version, select the earliest allowed TLS version: TLSv1.0 (default), TLSv1.1, or
TLSv1.2.
• For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or
Max (latest available version). The default is Max.
As a best pracce, set the Min Version to TLSv1.2 and the Max Version to Max.
On firewalls in FIPS/CC mode running PAN-OS 8.0 or a later release, TLSv1.1 is the earliest
supported TLS version; do not select TLSv1.0.
Client cerficates that are used when requesng firewall services that rely on TLSv1.2 cannot
have SHA512 as a digest algorithm. The client cerficates must use a lower digest algorithm
(such as SHA384) or you must limit the Max Version to TLSv1.1 for the firewall services.
PAN-OS® Administrator’s Guide Version Version 9.1 320 ©2021 Palo Alto Networks, Inc.
Cerficate Management
PAN-OS® Administrator’s Guide Version Version 9.1 321 ©2021 Palo Alto Networks, Inc.
Cerficate Management
STEP 1 | Obtain the cerficate that will authencate the firewall or Panorama to the client systems of
administrators.
You can simplify your Cerficate Deployment by using a cerficate that the client systems
already trust. Therefore, we recommend that you Import a Cerficate and Private Key from
your enterprise cerficate authority (CA) or Obtain a Cerficate from an External CA; the
trusted root cerficate store of the client systems is likely to already have the associated root
CA cerficate that ensures trust.
For enhanced security, we recommend that you set the Min Version (earliest allowed
TLS version) to TLSv1.2 for inbound management traffic. We also recommend that you
use a different SSL/TLS Service Profile for each firewall or Panorama service instead of
reusing this profile for all services.
PAN-OS® Administrator’s Guide Version Version 9.1 322 ©2021 Palo Alto Networks, Inc.
Cerficate Management
Changing the key size seng clears the current cerficate cache.
PAN-OS® Administrator’s Guide Version Version 9.1 323 ©2021 Palo Alto Networks, Inc.
Cerficate Management
Revoke a Cerficate
Various circumstances can invalidate a cerficate before the expiraon date. Some examples are
a change of name, change of associaon between subject and cerficate authority (for example,
an employee terminates employment), and compromise (known or suspected) of the private key.
Under such circumstances, the cerficate authority (CA) that issued the cerficate must revoke it.
The following task describes how to revoke a cerficate for which the firewall is the CA.
STEP 1 | Select Device > Cerficate Management > Cerficates > Device Cerficates.
STEP 2 | If the firewall supports mulple virtual systems, the tab displays a Locaon drop-down.
Select the virtual system to which the cerficate belongs.
STEP 4 | Click Revoke. PAN-OS immediately sets the status of the cerficate to revoked and adds the
serial number to the Online Cerficate Status Protocol (OCSP) responder cache or cerficate
revocaon list (CRL). You need not perform a commit.
Renew a Cerficate
If a cerficate expires, or soon will, you can reset the validity period. If an external cerficate
authority (CA) signed the cerficate and the firewall uses the Online Cerficate Status Protocol
(OCSP) to verify cerficate revocaon status, the firewall uses the OCSP responder informaon
to update the cerficate status (see Configure an OCSP Responder). If the firewall is the CA that
issued the cerficate, the firewall replaces it with a new cerficate that has a different serial
number but the same aributes as the old cerficate.
STEP 1 | Select Device > Cerficate Management > Cerficates > Device Cerficates.
STEP 2 | If the firewall has more than one virtual system (vsys), select a Locaon (vsys or Shared) for
the cerficate.
PAN-OS® Administrator’s Guide Version Version 9.1 324 ©2021 Palo Alto Networks, Inc.
Cerficate Management
Downgrading HSM servers might not be an opon aer you upgrade them.
PAN-OS® Administrator’s Guide Version Version 9.1 325 ©2021 Palo Alto Networks, Inc.
Cerficate Management
HSM configuraons are not synchronized between high availability (HA) firewall peers.
Consequently, you must configure the HSM separately on each peer. In acve/passive HA
configuraons, you must manually perform one failover to individually configure and
authencate each HA peer to the HSM. Aer this inial manual failover, user interacon is
not required for failover to funcon properly.
PAN-OS® Administrator’s Guide Version Version 9.1 326 ©2021 Palo Alto Networks, Inc.
Cerficate Management
should use a SafeNet cluster only when you want to replicate the keys across the cluster.
Alternavely, you can add up to 16 SafeNet HSM servers to funcon independently.
1. Enter a Module Name (an ASCII string of up to 31 characters) for the HSM server.
2. Enter an IPv4 address for the HSM Server Address.
4. (HA only) Select High Availability, specify the Auto Recovery Retry value (maximum
number of mes the HSM client tries to recover its connecon to an HSM server before
failing over to an HSM HA peer server; range is 0 to 500; default is 0), and enter a High
Availability Group Name (an ASCII string up to 31 characters long).
If you configure two or more HSM servers, the best pracce is to enable High
Availability. Otherwise the firewall does not use the addional HSM servers.
5. Click OK and Commit your changes.
STEP 2 | (Oponal) Configure a service route to connect to the HSM if you don’t want the firewall to
connect through the Management interface (default).
If you configure a service route for the HSM, running the clear session all
CLI command clears all exisng HSM sessions, which brings all HSM states down and
then up again. During the several seconds required for HSM to recover, all SSL/TLS
operaons will fail.
1. Select Device > Setup > Services and click Service Route Configuraon.
2. Customize a service route. The IPv4 tab is acve by default.
3. Click HSM in the Service column.
4. Select a Source Interface for the HSM.
5. Click OK and Commit your changes.
PAN-OS® Administrator’s Guide Version Version 9.1 327 ©2021 Palo Alto Networks, Inc.
Cerficate Management
STEP 4 | Register the firewall as an HSM client with the HSM server and assign the firewall to a
paron on the HSM server.
If the HSM has a firewall with the same <cl-name> already registered, you must first
remove the duplicate registraon by running the client delete -client <cl-
name> command, where <cl-name> is the name of the registered client (firewall) you
want to delete.
STEP 6 | (HA only) Repeat the previous authencaon, registraon, and paron connecon steps to
add another HSM to the exisng HA group.
If you remove an HSM from your configuraon, repeat the previous paron
connecon step to remove the deleted HSM from the HA group.
PAN-OS® Administrator’s Guide Version Version 9.1 328 ©2021 Palo Alto Networks, Inc.
Cerficate Management
Connect client version on your firewalls is compable with your nShield Connect server, see Set
Up Connecvity with an HSM.
Before the HSM and firewalls connect, the HSM authencates the firewalls based on their IP
addresses. Therefore, you must configure the firewalls to use stac IP addresses—not dynamic
addresses assigned through DHCP. (Operaons on the HSM stop working if a firewall IP address
changes during runme).
HSM configuraons are not synchronized between high availability (HA) firewall peers.
Consequently, you must configure the HSM separately on each peer. In acve/passive HA
configuraons, you must manually perform one failover to individually configure and
authencate each HA peer to the HSM. Aer this inial manual failover, user interacon is
not required for failover to funcon properly.
STEP 1 | Define connecon sengs for each nCipher nShield Connect HSM.
1. Log in to the firewall web interface and select Device > Setup > HSM.
2. Edit the Hardware Security Module Provider sengs and set the Provider Configured to
nShield Connect.
3. Add each HSM server as follows. An HA HSM configuraon requires two servers.
1. Enter a Module Name for the HSM server. This can be any ASCII string of up to 31
characters.
2. Enter an IPv4 address for the HSM Server Address.
4. Enter an IPv4 address for the Remote Filesystem Address.
5. Click OK and Commit your changes.
STEP 2 | (Oponal) Configure a service route to connect to the HSM if you don’t want the firewall to
connect through the Management interface (default).
If you configure a service route for the HSM, running the clear session all
CLI command clears all exisng HSM sessions, which brings all HSM states down and
then up again. During the several seconds required for HSM to recover, all SSL/TLS
operaons will fail.
1. Select Device > Setup > Services and click Service Route Configuraon.
2. Customize a service route. The IPv4 tab is acve by default.
3. Click HSM in the Service column.
4. Select a Source Interface for the HSM.
5. Click OK and Commit your changes.
PAN-OS® Administrator’s Guide Version Version 9.1 329 ©2021 Palo Alto Networks, Inc.
Cerficate Management
STEP 3 | Register the firewall as an HSM client with the HSM server.
This step briefly describes the procedure for using the front panel interface of the nShield
Connect HSM. For more details, refer to nCipher documentaon.
1. Log in to the front panel display of the nCipher nShield Connect HSM.
2. Use the right-hand navigaon buon to select System > System configuraon > Client
config > New client.
3. Enter the firewall IP address.
4. Select System > System configuraon > Client config > Remote file system and enter
the IP address of the client computer where you set up the RFS.
anonkneti 192.0.2.1
B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
The <ip-address> is the IP address of the HSM, <ESN> is the electronic serial number, and
<hash-Kne-key> is the hash of the KNETI key.
The following example uses the values obtained in this procedure:
4. Use the following command to permit HSM client submissions on the RFS:
PAN-OS® Administrator’s Guide Version Version 9.1 330 ©2021 Palo Alto Networks, Inc.
Cerficate Management
STEP 6 | Synchronize the firewall with the RFS by selecng Device > Setup > HSM and Synchronize
with Remote Filesystem.
Firewalls configured in FIPS/CC mode do not support master key encrypon using an
HSM.
The following topics describe how to encrypt the master key inially and how to refresh the
master key encrypon:
• Encrypt the Master Key
• Refresh the Master Key Encrypon
PAN-OS® Administrator’s Guide Version Version 9.1 331 ©2021 Palo Alto Networks, Inc.
Cerficate Management
and you want to encrypt it. If you want to refresh the encrypon on a previously encrypted key,
see Refresh the Master Key Encrypon.
STEP 1 | Select Device > Master Key and Diagnoscs.
STEP 2 | Specify the key that is currently used to encrypt all of the private keys and passwords on the
firewall in the Master Key field.
STEP 3 | If changing the master key, enter the new master key and confirm.
STEP 2 | Use the following CLI command to rotate the wrapping key for the master key on an HSM:
If the master key is encrypted on the HSM, the CLI command will generate a new wrapping key
on the HSM and encrypt the master key with the new wrapping key.
If the master key is not encrypted on the HSM, the CLI command will generate new wrapping
key on the HSM for future use.
The old wrapping key is not deleted by this command.
PAN-OS® Administrator’s Guide Version Version 9.1 332 ©2021 Palo Alto Networks, Inc.
Cerficate Management
If you use the DHE or ECDHE key exchange algorithms to enable perfect forward secrecy (PFS)
support for SSL decrypon, you can use an HSM to store the private keys for SSL Inbound
Inspecon. You can also use an HSM to store ECDSA keys used for SSL Forward Proxy or SSL
Inbound Inspecon decrypon.
STEP 1 | On the HSM, import or generate the cerficate and private key used in your decrypon
deployment.
For instrucons on imporng or generang a cerficate and private key on the HSM, refer to
your HSM documentaon.
STEP 2 | (nCipher nShield Connect only) Synchronize the key data from the nCipher nShield remote
file system to the firewall.
1. Access the firewall web interface and select Device > Setup > HSM.
2. Synchronize with Remote Filesystem (Hardware Security Operaons sengs).
STEP 4 | (Forward Trust cerficates only) Enable the cerficate for use in SSL/TLS Forward Proxy.
1. Open the cerficate you imported in Step 3 for eding.
2. Select Forward Trust Cerficate.
3. Click OK and Commit your changes.
STEP 5 | Verify that you successfully imported the cerficate onto the firewall.
Locate the cerficate you imported in Step 3 and check the icon in the Key column:
• Lock icon—The private key for the cerficate is on the HSM.
• Error icon—The private key is not on the HSM or the HSM is not properly authencated or
connected.
PAN-OS® Administrator’s Guide Version Version 9.1 333 ©2021 Palo Alto Networks, Inc.
Cerficate Management
PAN-OS® Administrator’s Guide Version Version 9.1 334 ©2021 Palo Alto Networks, Inc.
High Availability
High availability (HA) is a deployment in which two firewalls are placed in a group
and their configuraon is synchronized to prevent a single point of failure on your
network. A heartbeat connecon between the firewall peers ensures seamless failover
in the event that a peer goes down. Seng up two firewalls in an HA pair provides
redundancy and allows you to ensure business connuity.
> HA Overview
> HA Concepts
> Set Up Acve/Passive HA
> Set Up Acve/Acve HA
> Refresh HA1 SSH Keys and Configure Key Opons
> HA Firewall States
> Reference: HA Synchronizaon
335
High Availability
HA Overview
You can set up two Palo Alto Networks firewalls as an HA pair; the HA peers should use the
same version of PAN-OS and the same content version. HA allows you to minimize downme
by making sure that an alternate firewall is available in the event that the peer firewall fails. The
firewalls in an HA pair use dedicated or in-band HA ports on the firewall to synchronize data—
network, object, and policy configuraons—and to maintain state informaon. Firewall-specific
configuraon such as management interface IP address or administrator profiles, HA specific
configuraon, log data, and the Applicaon Command Center (ACC) informaon is not shared
between peers. For a consolidated applicaon and log view across the HA pair, you must use
Panorama, the Palo Alto Networks centralized management system.
When a failure occurs on a firewall in an HA pair and the peer firewall takes over the task of
securing traffic, the event is called a Failover. The condions that trigger a failover are:
• One or more of the monitored interfaces fail. (Link Monitoring)
• One or more of the desnaons specified on the firewall cannot be reached. (Path Monitoring)
• The firewall does not respond to heartbeat polls. (Heartbeat Polling and Hello messages)
• A crical chip or soware component fails, known as packet path health monitoring.
You can use Panorama to manage HA firewalls. See Context Switch—Firewall or Panorama in the
Panorama Administrator’s Guide.
Palo Alto Networks firewalls support stateful acve/passive or acve/acve high availability with
session and configuraon synchronizaon with a few excepons:
• The VM-Series firewall on Azure and VM-Series firewall on AWS support acve/passive HA
only.
On AWS, when you deploy the firewall with the Amazon Elasc Load Balancing (ELB) service, it
does not support HA (in this case, ELB service provides the failover capabilies).
• The VM-Series firewall on Google Cloud Plaorm does not support HA.
Aer you understand the HA Concepts, proceed to Set Up Acve/Passive HA or Set Up Acve/
Acve HA.
PAN-OS® Administrator’s Guide Version Version 9.1 336 ©2021 Palo Alto Networks, Inc.
High Availability
HA Concepts
The following topics provide conceptual informaon about how HA works on a Palo Alto
Networks firewall:
• HA Modes
• HA Links and Backup Links
• Device Priority and Preempon
• Failover
• LACP and LLDP Pre-Negoaon for Acve/Passive HA
• Floang IP Address and Virtual MAC Address
• ARP Load-Sharing
• Route-Based Redundancy
• HA Timers
• Session Owner
• Session Setup
• NAT in Acve/Acve HA Mode
• ECMP in Acve/Acve HA Mode
HA Modes
You can set up the firewalls for HA in one of two modes:
• Acve/Passive— One firewall acvely manages traffic while the other is synchronized and
ready to transion to the acve state, should a failure occur. In this mode, both firewalls share
the same configuraon sengs, and one acvely manages traffic unl a path, link, system, or
network failure occurs. When the acve firewall fails, the passive firewall transions to the
acve state and takes over seamlessly and enforces the same policies to maintain network
security. Acve/passive HA is supported in the virtual wire, Layer 2, and Layer 3 deployments.
• Acve/Acve— Both firewalls in the pair are acve and processing traffic and work
synchronously to handle session setup and session ownership. Both firewalls individually
maintain session tables and roung tables and synchronize to each other. Acve/acve HA is
supported in virtual wire and Layer 3 deployments.
In acve/acve HA mode, the firewall does not support DHCP client. Furthermore, only the
acve-primary firewall can funcon as a DHCP Relay. If the acve-secondary firewall receives
DHCP broadcast packets, it drops them.
An acve/acve configuraon does not load-balance traffic. Although you can load-
share by sending traffic to the peer, no load balancing occurs. Ways to load share
sessions to both firewalls include using ECMP, mulple ISPs, and load balancers.
When deciding whether to use acve/passive or acve/acve mode, consider the following
differences:
PAN-OS® Administrator’s Guide Version Version 9.1 337 ©2021 Palo Alto Networks, Inc.
High Availability
In acve/acve mode, the HA pair can be used to temporarily process more traffic
than what one firewall can normally handle. However, this should not be the norm
because a failure of one firewall causes all traffic to be redirected to the remaining
firewall in the HA pair. Your design must allow the remaining firewall to process the
maximum capacity of your traffic loads with content inspecon enabled. If the design
oversubscribes the capacity of the remaining firewall, high latency and/or applicaon
failure can occur.
For informaon on seng up your firewalls in acve/passive mode, see Set Up Acve/Passive
HA. For informaon on seng up your firewalls in acve/acve mode, see Set Up Acve/Acve
HA.
For firewalls without dedicated HA ports, decide which ports to use for HA1 and HA1
backup based on your environment and understanding which are the least used and
least congested. Assign HA1 to the best interface and HA1 backup to the other one.
Control Link The HA1 link is used to exchange hellos, heartbeats, and HA state
informaon, and management plane sync for roung, and User-
ID informaon. The firewalls also use this link to synchronize
PAN-OS® Administrator’s Guide Version Version 9.1 338 ©2021 Palo Alto Networks, Inc.
High Availability
Data Link The HA2 link is used to synchronize sessions, forwarding tables, IPSec
security associaons and ARP tables between firewalls in an HA pair.
Data flow on the HA2 link is always unidireconal (except for the HA2
keep-alive); it flows from the acve or acve-primary firewall to the
passive or acve-secondary firewall. The HA2 link is a Layer 2 link, and
it uses ether type 0x7261 by default.
Ports used for HA2—The HA data link can be configured to use either
IP (protocol number 99) or UDP (port 29281) as the transport, and
thereby allow the HA data link to span subnets.
Backup Links Provide redundancy for the HA1 and the HA2 links. In-band ports
can be used for backup links for both HA1 and HA2 connecons
when dedicated backup links are not available. Consider the following
guidelines when configuring backup HA links:
• The IP addresses of the primary and backup HA links must not
overlap each other.
• HA backup links must be on a different subnet from the primary HA
links.
• HA1-backup and HA2-backup ports must be configured on
separate physical ports. The HA1-backup link uses port 28770 and
28260.
• PA-3200 Series firewalls don’t support an IPv6 address for the
HA1-backup link; use an IPv4 address.
PAN-OS® Administrator’s Guide Version Version 9.1 339 ©2021 Palo Alto Networks, Inc.
High Availability
The HA1 and AUX links provide synchronizaon for funcons that reside on the
management plane. Using the dedicated HA interfaces on the management plane is
more efficient than using the in-band ports as this eliminates the need to pass the
synchronizaon packets over the dataplane.
If your firewall does not have dedicated HA ports, you can configure data ports as HA interfaces.
If your firewall does have dedicated HA ports but does not have a dedicated HA backup port, you
can also configure data ports as backups to dedicated HA ports.
Whenever possible, connect HA ports directly between the two firewalls in an HA pair
(not through a switch or router) to avoid HA link and communicaons problems that could
occur if there is a network issue.
Use the following table to learn about dedicated HA ports and how to connect the HA Links and
Backup Links:
PAN-OS® Administrator’s Guide Version Version 9.1 340 ©2021 Palo Alto Networks, Inc.
High Availability
PAN-OS® Administrator’s Guide Version Version 9.1 341 ©2021 Palo Alto Networks, Inc.
High Availability
The traffic carried on the HSCI port is raw Layer 1 traffic, which
is not routable or switchable. Therefore, you must connect the
HSCI ports directly to each other (from the HSCI port on the first
firewall to the HSCI port on the second firewall).
PA-5200 Series • AUX-1 and AUX-2—The auxiliary SFP+ ports are mulpurpose
Firewalls (connued) ports that you can configure for HA1, management funcons, or
log forwarding to Panorama. Use these ports when you need a
fiber connecon for one of these funcons.
• For HA1 traffic—Connect the AUX-1 port on the first firewall
directly to the AUX-1 port on the second firewall in the pair or
connect them together through a switch or router.
• For a backup to the AUX-1 connecon—Connect the AUX-2
port on the first firewall directly to the AUX-2 port on the
second firewall in the pair or connect them together through a
switch or router.
PAN-OS® Administrator’s Guide Version Version 9.1 342 ©2021 Palo Alto Networks, Inc.
High Availability
PAN-OS® Administrator’s Guide Version Version 9.1 343 ©2021 Palo Alto Networks, Inc.
High Availability
By default, preempon is disabled on the firewalls and must be enabled on both firewalls. When
enabled, the preempve behavior allows the firewall with the higher priority (lower numerical
value) to resume as acve or acve-primary aer it recovers from a failure. When preempon
occurs, the event is logged in the system logs.
Failover
When a failure occurs on one firewall and the peer takes over the task of securing traffic, the
event is called a failover. A failover is triggered, for example, when a monitored metric on a firewall
in the HA pair fails. The metrics that are monitored for detecng a firewall failure are:
• Heartbeat Polling and Hello messages
The firewalls use hello message and heartbeats to verify that the peer firewall is responsive
and operaonal. Hello messages are sent from one peer to the other at the configured Hello
Interval to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer over
the control link, and the peer responds to the ping to establish that the firewalls are connected
and responsive. By default, the interval for the heartbeat is 1000 milliseconds. A ping is sent
every 1000 milliseconds and if there are three consecuve heartbeat losses, a failovers occurs.
For details on the HA mers that trigger a failover, see HA Timers.
• Link Monitoring
The physical interfaces to be monitored are grouped into a link group and their state (link up
or link down) is monitored. A link group can contain one or more physical interfaces. A firewall
failure is triggered when any or all of the interfaces in the group fail. The default behavior is
failure of any one link in the link group will cause the firewall to change the HA state to non-
funconal (or to tentave state in acve/acve mode) to indicate a failure of a monitored
object.
• Path Monitoring
Monitors the full path through the network to mission-crical IP addresses. ICMP pings are
used to verify reachability of the IP address. The default interval for pings is 200ms. An IP
address is considered unreachable when 10 consecuve pings (the default value) fail, and a
firewall failure is triggered when any or all of the IP addresses monitored become unreachable.
The default behavior is any one of the IP addresses becoming unreachable will cause the
firewall to change the HA state to non-funconal (or to tentave state in acve/acve mode)
to indicate a failure of a monitored object.
In addion to the failover triggers listed above, a failover also occurs when the administrator
suspends the firewall or when preempon occurs.
On PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls, a failover can occur when an
internal health check fails. This health check is not configurable and is enabled to monitor the
crical components, such as the FPGA and CPUs. Addionally, general health checks occur on any
plaorm, causing failover.
PAN-OS® Administrator’s Guide Version Version 9.1 344 ©2021 Palo Alto Networks, Inc.
High Availability
All firewall models except VM-Series firewalls support a pre-negoaon configuraon, which
depends on whether the Ethernet or AE interface is in a Layer 2, Layer 3, or virtual wire
deployment. An HA passive firewall handles LACP and LLDP packets in one of two ways:
• Acve—The firewall has LACP or LLDP configured on the interface and acvely parcipates in
LACP or LLDP pre-negoaon, respecvely.
• Passive—LACP or LLDP is not configured on the interface and the firewall does not parcipate
in the protocol, but allows the peers on either side of the firewall to pre-negoate LACP or
LLDP, respecvely.
The following table displays which deployments are supported on Aggregate Ethernet (AE) and
Ethernet interfaces.
PAN-OS® Administrator’s Guide Version Version 9.1 345 ©2021 Palo Alto Networks, Inc.
High Availability
If a link or firewall fails or a path monitoring event causes a failover, the floang IP address and
virtual MAC address move over to the funconal firewall. (In the figure below, each firewall has
two floang IP addresses and virtual MAC addresses; they all move over if the firewall fails.) The
funconing firewall sends a gratuitous ARP to update the MAC tables of the connected switches
to inform them of the change in floang IP address and MAC address ownership to redirect traffic
to itself.
Aer the failed firewall recovers, by default the floang IP address and virtual MAC address
move back to firewall with the Device ID [0 or 1] to which the floang IP address is bound.
More specifically, aer the failed firewall recovers, it comes on line. The currently acve firewall
determines that the firewall is back online and checks whether the floang IP address it is
handling belongs navely to itself or the other firewall. If the floang IP address was originally
bound to the other Device ID, the firewall automacally gives it back. (For an alternave to this
default behavior, see Use Case: Configure Acve/Acve HA with Floang IP Address Bound to
Acve-Primary Firewall.)
Each firewall in the HA pair creates a virtual MAC address for each of its interfaces that has a
floang IP address or ARP Load-Sharing IP address.
The format of the virtual MAC address (on firewalls other than PA-7000, PA-5200, and PA-3200
Series firewalls) is 00-1B-17-00-xx-yy, where 00-1B-17 is the vendor ID (of Palo Alto Networks
in this case), 00 is fixed, xx indicates the Device ID and Group ID as shown in the following figure,
and yy is the Interface ID:
7 6 543210 76543210
The format of the virtual MAC address on PA-7000, PA-5200, and PA-3200 Series firewalls is
B4-0C-25-xx-xx-xx, where B4-0C-25 is the vendor ID (of Palo Alto Networks in this case), and the
next 24 bits indicate the Device ID, Group ID and Interface ID as follows:
PAN-OS® Administrator’s Guide Version Version 9.1 346 ©2021 Palo Alto Networks, Inc.
High Availability
When a new acve firewall takes over, it sends gratuitous ARPs from each of its connected
interfaces to inform the connected Layer 2 switches of the new locaon of the virtual MAC
address. To configure floang IP addresses, see Use Case: Configure Acve/Acve HA with
Floang IP Addresses.
ARP Load-Sharing
In a Layer 3 interface deployment and acve/acve HA configuraon, ARP load-sharing allows the
firewalls to share an IP address and provide gateway services. Use ARP load-sharing only when no
Layer 3 device exists between the firewall and end hosts, that is, when end hosts use the firewall
as their default gateway.
In such a scenario, all hosts are configured with a single gateway IP address. One of the firewalls
responds to ARP requests for the gateway IP address with its virtual MAC address. Each firewall
has a unique virtual MAC address generated for the shared IP address. The load-sharing algorithm
that controls which firewall will respond to the ARP request is configurable; it is determined by
compung the hash or modulo of the source IP address of the ARP request.
Aer the end host receives the ARP response from the gateway, it caches the MAC address and
all traffic from the host is routed via the firewall that responded with the virtual MAC address for
PAN-OS® Administrator’s Guide Version Version 9.1 347 ©2021 Palo Alto Networks, Inc.
High Availability
the lifeme of the ARP cache. The lifeme of the ARP cache depends on the end host operang
system.
If a link or firewall fails, the floang IP address and virtual MAC address move over to the
funconal firewall. The funconal firewall sends gratuitous ARPs to update the MAC table of the
connected switches to redirect traffic from the failed firewall to itself. See Use Case: Configure
Acve/Acve HA with ARP Load-Sharing.
You can configure interfaces on the WAN side of the HA firewalls with floang IP addresses, and
configure interfaces on the LAN side of the HA firewalls with a shared IP address for ARP load-
sharing. For example, the figure below illustrates floang IP addresses for the upstream WAN
edge routers and an ARP load-sharing address for the hosts on the LAN segment.
Route-Based Redundancy
In a Layer 3 interface deployment and acve/acve HA configuraon, the firewalls are connected
to routers, not switches. The firewalls use dynamic roung protocols to determine the best path
(asymmetric route) and to load share between the HA pair. In such a scenario, no floang IP
addresses are necessary. If a link, monitored path, or firewall fails, or if Bidireconal Forwarding
Detecon (BFD) detects a link failure, the roung protocol (RIP, OSPF, or BGP) handles the
reroung of traffic to the funconing firewall. You configure each firewall interface with a unique
IP address. The IP addresses remain local to the firewall where they are configured; they do not
move between devices when a firewall fails. See Use Case: Configure Acve/Acve HA with
Route-Based Redundancy.
PAN-OS® Administrator’s Guide Version Version 9.1 348 ©2021 Palo Alto Networks, Inc.
High Availability
HA Timers
High availability (HA) mers facilitate a firewall to detect a firewall failure and trigger a
failover. To reduce the complexity in configuring HA mers, you can select from three profiles:
Recommended, Aggressive and Advanced. These profiles auto-populate the opmum HA mer
values for the specific firewall plaorm to enable a speedier HA deployment.
Use the Recommended profile for typical failover mer sengs and the Aggressive profile for
faster failover mer sengs. The Advanced profile allows you to customize the mer values to
suit your network requirements.
The following table describes each mer included in the profiles and the current preset values
(Recommended/Aggressive) across the different hardware models; these values are for current
reference only and can change in a subsequent release.
PAN-OS® Administrator’s Guide Version Version 9.1 349 ©2021 Palo Alto Networks, Inc.
High Availability
PAN-OS® Administrator’s Guide Version Version 9.1 350 ©2021 Palo Alto Networks, Inc.
High Availability
Session Owner
In an HA acve/acve configuraon, both firewalls are acve simultaneously, which means
packets can be distributed between them. Such distribuon requires the firewalls to fulfill two
PAN-OS® Administrator’s Guide Version Version 9.1 351 ©2021 Palo Alto Networks, Inc.
High Availability
funcons: session ownership and session setup. Typically, each firewall of the pair performs one
of these funcons, thereby avoiding race condions that can occur in asymmetrically routed
environments.
You configure the session owner of sessions to be either the firewall that receives the First Packet
of a new session from the end host or the firewall that is in acve-primary state (the Primary
device). If Primary device is configured, but the firewall that receives the first packet is not in
acve-primary state, the firewall forwards the packet to the peer firewall (the session owner) over
the HA3 link.
The session owner performs all Layer 7 processing, such as App-ID, Content-ID, and threat
scanning for the session. The session owner also generates all traffic logs for the session.
If the session owner fails, the peer firewall becomes the session owner. The exisng sessions fail
over to the funconing firewall and no Layer 7 processing is available for those sessions. When a
firewall recovers from a failure, by default, all sessions it owned before the failure revert back to
that original firewall; Layer 7 processing does not resume.
If you configure session ownership to be Primary device, the session setup defaults to Primary
device also.
Palo Alto Networks recommends seng the Session Owner to First Packet and the
Session Setup to IP Modulo unless otherwise indicated in a specific use case. Seng the
Session Owner to First Packet reduces traffic across the HA3 link and helps distribute the
dataplane load across peers.
Seng Session Owner and Session Setup to Primary Device causes the acve-primary
firewall to perform all traffic processing. You might want to configure this for one of these
reasons:
• You are troubleshoong and capturing logs and pcaps, so that packet processing is not
split between the firewalls.
• You want to force the acve/acve HA pair to funcon like an acve/passive HA pair.
See Use Case: Configure Acve/Acve HA with Floang IP Address Bound to
Acve-Primary Firewall.
Session Setup
The session setup firewall performs the Layer 2 through Layer 4 processing necessary to set up
a new session. The session setup firewall also performs NAT using the NAT pool of the session
owner. You determine the session setup firewall in an acve/acve configuraon by selecng one
of the following session setup load sharing opons.
IP Modulo The firewall distributes the session setup load based on parity of the
source IP address. This is a determinisc method of sharing the session
setup.
IP Hash The firewall uses a hash of the source and desnaon IP addresses to
distribute session setup responsibilies.
PAN-OS® Administrator’s Guide Version Version 9.1 352 ©2021 Palo Alto Networks, Inc.
High Availability
Primary Device The acve-primary firewall always sets up the session; only one
firewall performs all session setup responsibilies.
First Packet The firewall that receives the first packet of a session performs session
setup.
• If you want to load-share the session owner and session setup responsibilies,
set session owner to First Packet and session setup to IP modulo. These are the
recommended sengs.
• If you want to do troubleshoong or capture logs or pcaps, or if you want an acve/
acve HA pair to funcon like an acve/passive HA pair, set both the session owner
and session setup to Primary device so that the acve-primary device performs all
traffic processing. See Use Case: Configure Acve/Acve HA with Floang IP
Address Bound to Acve-Primary Firewall.
The firewall uses the HA3 link to send packets to its peer for session setup if necessary. The
following figure and text describe the path of a packet that firewall FW1 receives for a new
session. The red doed lines indicate FW1 forwarding the packet to FW2 and FW2 forwarding
the packet back to FW1 over the HA3 link.
PAN-OS® Administrator’s Guide Version Version 9.1 353 ©2021 Palo Alto Networks, Inc.
High Availability
FW2 sets up the session and returns the packet to FW1 for Layer 7 processing, if any.
FW1 then forwards the packet out the egress interface to the desnaon.
The following figure and text describe the path of a packet that matches an exisng session:
PAN-OS® Administrator’s Guide Version Version 9.1 354 ©2021 Palo Alto Networks, Inc.
High Availability
If one of the peer firewalls fails, the acve firewall connues to process traffic for synchronized
sessions from the failed firewall, including NAT traffic. In a source NAT configuraon, when one
firewall fails:
• The floang IP address that is used as the Translated IP address of the NAT rule transfers to
the surviving firewall. Hence, the exisng sessions that fail over will sll use this IP address.
• All new sessions will use the device-specific NAT rules that the surviving firewall naturally
owns. That is, the surviving firewall translates new sessions using only the NAT rules that
match its Device ID; it ignores any NAT rules bound to the failed Device ID.
For examples of acve/acve HA with NAT, see:
• Use Case: Configure Acve/Acve HA with Source DIPP NAT Using Floang IP Addresses
• Use Case: Configure Separate Source NAT IP Address Pools for Acve/Acve HA Firewalls
• Use Case: Configure Acve/Acve HA for ARP Load-Sharing with Desnaon NAT
• Use Case: Configure Acve/Acve HA for ARP Load-Sharing with Desnaon NAT in Layer 3
PAN-OS® Administrator’s Guide Version Version 9.1 355 ©2021 Palo Alto Networks, Inc.
High Availability
Set Up Acve/Passive HA
• Prerequisites for Acve/Passive HA
• Configuraon Guidelines for Acve/Passive HA
• Configure Acve/Passive HA
• Define HA Failover Condions
• Verify Failover
As a best pracce, if you have an exisng firewall and you want to add a new firewall
for HA purposes and the new firewall has an exisng configuraon Reset the Firewall
to Factory Default Sengs on the new firewall. This ensures that the new firewall has
a clean configuraon. Aer HA is configured, you will then sync the configuraon on
the primary firewall to the newly introduced firewall with the clean configuraon.
PAN-OS® Administrator’s Guide Version Version 9.1 356 ©2021 Palo Alto Networks, Inc.
High Availability
PAN-OS® Administrator’s Guide Version Version 9.1 357 ©2021 Palo Alto Networks, Inc.
High Availability
Based on the combinaon of HA1 and HA1 Backup ports you are using, use the following
recommendaons to decide whether you should enable heartbeat backup:
HA funconality (HA1 and HA1 backup) is not supported on the management interface
if it's configured for DHCP addressing (IP Type set to DHCP Client). The excepons are
AWS and Azure, where the management interface is configured as DHCP Client and it
supports HA1 and HA1 Backup links.
Control Link IP address of the HA1 link configured IP address of the HA1 link
on this firewall (PeerA). configured on this firewall
(PeerB).
Data Link By default, the HA2 link uses By default, the HA2 link uses
Ethernet/Layer 2. Ethernet/Layer 2.
The data link
informaon is
synchronized
PAN-OS® Administrator’s Guide Version Version 9.1 358 ©2021 Palo Alto Networks, Inc.
High Availability
Device Priority The firewall you plan to make acve If PeerB is passive, set the device
(required, if must have a lower numerical value priority value to a number larger
preempon is than its peer. So, if Peer A is to than the seng on PeerA. For
enabled) funcon as the acve firewall, keep example, set the value to 110.
the default value of 100 and increment
the value on PeerB.
If the firewalls have the same device
priority value, they use the MAC
address of their HA1 as the e-
breaker.
Link Monitoring Select the physical interfaces on the Pick a similar set of physical
—Monitor one firewall that you would like to monitor interfaces that you would like
or more physical and define the failure condion (all or to monitor on this firewall and
interfaces that any) to trigger a failover. define the failure condion (all or
handle vital traffic any) to trigger a failover.
on this firewall
and define the
failure condion.
Path Monitoring Define the failure condion (all or any), Pick a similar set of devices or
—Monitor one or ping interval and the ping count. This desnaon IP addresses that can
more desnaon is parcularly useful for monitoring be monitored for determining
IP addresses the availability of other interconnected the failover trigger for PeerB.
that the firewall networking devices. For example, Define the failure condion (all
can use ICMP monitor the availability of a router that or any), ping interval and the
pings to ascertain connects to a server, connecvity to ping count.
responsiveness. the server itself, or some other vital
device that is in the flow of traffic.
Make sure that the node/device that
you are monitoring is not likely to
be unresponsive, especially when it
comes under load, as this could cause
a a path monitoring failure and trigger
a failover.
PAN-OS® Administrator’s Guide Version Version 9.1 359 ©2021 Palo Alto Networks, Inc.
High Availability
Configure Acve/Passive HA
The following procedure shows how to configure a pair of firewalls in an acve/passive
deployment as depicted in the following example topology.
To configure an acve/passive HA pair, first complete the following workflow on the first firewall
and then repeat the steps on the second firewall.
STEP 1 | Connect the HA ports to set up a physical connecon between the firewalls.
• For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1
ports and the HA2 ports on peers. Use a crossover cable if the peers are directly connected
to each other.
• For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and
the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces
across both firewalls.
Use the management port for the HA1 link and ensure that the management ports can connect
to each other across your network.
STEP 3 | If the firewall does not have dedicated HA ports, set up the data ports to funcon as HA
ports.
For firewalls with dedicated HA ports connue to the next step.
1. Select Network > Interfaces.
2. Confirm that the link is up on the ports that you want to use.
3. Select the interface and set Interface Type to HA.
4. Set the Link Speed and Link Duplex sengs, as appropriate.
PAN-OS® Administrator’s Guide Version Version 9.1 360 ©2021 Palo Alto Networks, Inc.
High Availability
If you enable encrypon, aer you finish configuring the HA firewalls, you can
Refresh HA1 SSH Keys and Configure Key Opons.
PA-3200 Series firewalls don’t support an IPv6 address for the HA1 backup
control link; use an IPv4 address.
PAN-OS® Administrator’s Guide Version Version 9.1 361 ©2021 Palo Alto Networks, Inc.
High Availability
STEP 8 | Set up the data link connecon (HA2) and the backup HA2 connecon between the firewalls.
1. In Device > High Availability > General, edit the Data Link (HA2) secon.
2. Select the Port to use for the data link connecon.
3. Select the Transport method. The default is ethernet, and will work when the HA pair is
connected directly or through a switch. If you need to route the data link traffic through
the network, select IP or UDP as the transport mode.
4. If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and
Netmask.
5. Verify that Enable Session Synchronizaon is selected.
6. Select HA2 Keep-alive to enable monitoring on the HA2 data link between the HA
peers. If a failure occurs based on the threshold that is set (default is 10000 ms), the
defined acon will occur. For acve/passive configuraon, a crical system log message
is generated when an HA2 keep-alive failure occurs.
You can configure the HA2 keep-alive opon on both firewalls, or just one
firewall in the HA pair. If the opon is only enabled on one firewall, only that
firewall will send the keep-alive messages. The other firewall will be nofied if a
failure occurs.
7. Edit the Data Link (HA2 Backup) secon, select the interface, and add the IPv4/IPv6
Address and Netmask.
STEP 9 | Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port.
You do not need to enable heartbeat backup if you are using the management port for the
control link.
1. In Device > High Availability > General, edit the Elecon Sengs.
2. Select Heartbeat Backup.
To allow the heartbeats to be transmied between the firewalls, you must verify that the
management port across both peers can route to each other.
PAN-OS® Administrator’s Guide Version Version 9.1 362 ©2021 Palo Alto Networks, Inc.
High Availability
If both firewalls have the same device priority value, the firewall with the lowest
MAC address on the HA1 control link will become the acve firewall.
3. Select Preempve.
You must enable preempve on both the acve firewall and the passive firewall.
To view the preset value for an individual mer included in a profile, select
Advanced and click Load Recommended or Load Aggressive. The preset values
for your hardware model will be displayed on screen.
STEP 12 | (Oponal) Modify the link status of the HA ports on the passive firewall.
The passive link state is shutdown, by default. Aer you enable HA, the link state for
the HA ports on the acve firewall will be green and those on the passive firewall will
be down and display as red.
Seng the link state to Auto allows for reducing the amount of me it takes for the passive
firewall to take over when a failover occurs and it allows you to monitor the link state.
To enable the link status on the passive firewall to stay up and reflect the cabling status on the
physical interface:
1. In Device > High Availability > General, edit the Acve Passive Sengs.
2. Set the Passive Link State to Auto.
The auto opon decreases the amount of me it takes for the passive firewall to take
over when a failover occurs.
Although the interface displays green (as cabled and up) it connues to discard
all traffic unl a failover is triggered.
When you modify the passive link state, make sure that the adjacent devices do not
forward traffic to the passive firewall based only on the link status of the firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 363 ©2021 Palo Alto Networks, Inc.
High Availability
STEP 14 | (Oponal) Enable LACP and LLDP Pre-Negoaon for Acve/Passive HA for faster failover if
your network uses LACP or LLDP.
Enable LACP and LLDP before configuring HA pre-negoaon for the protocol if you
want pre-negoaon to funcon in acve mode.
You cannot also select Same System MAC Address for Acve-Passive HA
because pre-negoaon requires unique interface MAC addresses on the
acve and passive firewalls.
4. To enable LACP passive pre-negoaon:
1. Select an Ethernet interface in a virtual wire deployment.
2. Select the Advanced tab.
3. Select the LACP tab.
4. Select Enable in HA Passive State.
5. Click OK.
5. To enable LLDP acve pre-negoaon:
1. Select an Ethernet interface in a Layer 2, Layer 3, or virtual wire deployment.
2. Select the Advanced tab.
3. Select the LLDP tab.
4. Select Enable in HA Passive State.
5. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 364 ©2021 Palo Alto Networks, Inc.
High Availability
STEP 16 | Aer you finish configuring both firewalls, verify that the firewalls are paired in acve/
passive HA.
1. Access the Dashboard on both firewalls, and view the High Availability widget.
2. On the acve firewall, click the Sync to peer link.
3. Confirm that the firewalls are paired and synced, as shown as follows:
• On the passive firewall: the state of the local firewall should display passive and the
Running Config should show as synchronized.
• On the acve firewall: The state of the local firewall should display acve and the
Running Config should show as synchronized.
If you are using SNMPv3 to monitor the firewalls, note that the SNMPv3 Engine ID
is unique to each firewall; the EngineID is not synchronized between the HA pair
and, therefore, allows you to independently monitor each firewall in the HA pair. For
informaon on seng up SNMP, see Forward Traps to an SNMP Manager. Because the
EngineID is generated using the firewall serial number, on the VM-Series firewall you must
apply a valid license in order to obtain a unique EngineID for each firewall.
STEP 1 | To configure link monitoring, define the interfaces you want to monitor. A change in the link
state of these interfaces will trigger a failover.
1. Select Device > High Availability > Link and Path Monitoring and Add a Link Group.
2. Name the Link Group, Add the interfaces to monitor, and select the Failure Condion for
the group. The Link group you define is added to the Link Group secon.
STEP 2 | (Oponal) Modify the failure condion for the Link Groups that you configured (in the
preceding step) on the firewall.
By default, the firewall will trigger a failover when any monitored link fails.
1. Select the Link Monitoring secon.
2. Set the Failure Condion to All.
The default seng is Any.
PAN-OS® Administrator’s Guide Version Version 9.1 365 ©2021 Palo Alto Networks, Inc.
High Availability
STEP 3 | To configure path monitoring, define the desnaon IP addresses that the firewall should
ping to verify network connecvity.
1. In the Path Group secon of the Device > High Availability > Link and Path Monitoring
tab, pick the Add opon for your set up: Virtual Wire, VLAN, or Virtual Router.
2. Select the appropriate item for the Name and Add the IP addresses (source and/or
desnaon, as prompted) that you wish to monitor. Then select the Failure Condion for
the group. The path group you define is added to the Path Group secon.
STEP 4 | (Oponal) Modify the failure condion for all Path Groups configured on the firewall.
By default, the firewall will trigger a failover when any monitored path fails.
Set the Failure Condion to All.
The default seng is Any.
Verify Failover
To test that your HA configuraon works properly, trigger a manual failover and verify that the
firewalls transion states successfully.
STEP 1 | Suspend the acve firewall.
Select Device > High Availability > Operaonal Commands and click the Suspend local device
link.
STEP 2 | Verify that the passive firewall has taken over as acve.
On the Dashboard, verify that the state of the passive firewall changes to acve in the High
Availability widget.
STEP 3 | Restore the suspended firewall to a funconal state. Wait for a couple of minutes, and then
verify that preempon has occurred, if Preempve is enabled.
1. On the firewall you previously suspended, select Device > High Availability >
Operaonal Commands and click the Make local device funconal link.
2. In the High Availability widget on the Dashboard, confirm that the firewall has taken over
as the acve firewall and that the peer is now in a passive state.
PAN-OS® Administrator’s Guide Version Version 9.1 366 ©2021 Palo Alto Networks, Inc.
High Availability
Set Up Acve/Acve HA
• Prerequisites for Acve/Acve HA
• Configure Acve/Acve HA
• Determine Your Acve/Acve Use Case
PAN-OS® Administrator’s Guide Version Version 9.1 367 ©2021 Palo Alto Networks, Inc.
High Availability
an idencal set of licenses, they cannot synchronize configuraon informaon and maintain
parity for a seamless failover.
If you have an exisng firewall and you want to add a new firewall for HA purposes
and the new firewall has an exisng configuraon, it is recommended that you Reset
the Firewall to Factory Default Sengs on the new firewall. This will ensure that the
new firewall has a clean configuraon. Aer HA is configured, you will then sync the
configuraon on the primary firewall to the newly introduced firewall with the clean
config. You will also have to configure local IP addresses.
Configure Acve/Acve HA
The following procedure describes the basic workflow for configuring your firewalls in an acve/
acve configuraon. However, before you begin, Determine Your Acve/Acve Use Case for
configuraon examples more tailored to your specific network environment.
If you have a switch located between your HA firewalls, the switch ports that connect the
HA3 link must support jumbo frames to handle the overhead associated with the MAC-in-
MAC encapsulaon on the HA3 link.
To configure acve/acve, first complete the following steps on one peer and then complete them
on the second peer, ensuring that you set the Device ID to different values (0 or 1) on each peer.
STEP 1 | Connect the HA ports to set up a physical connecon between the firewalls.
For each use case, the firewalls could be any hardware model; choose the HA3 step
that corresponds with your model.
• For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1
ports and the HA2 ports on peers. Use a crossover cable if the peers are directly connected
to each other.
• For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and
the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces
across both firewalls. Use the management port for the HA1 link and ensure that the
management ports can connect to each other across your network.
• For HA3:
• On PA-7000 Series firewalls, connect the High Speed Chassis Interconnect (HSCI-A) on
the first chassis to the HSCI-A on the second chassis, and the HSCI-B on the first chassis
to the HSCI-B on the second chassis.
• On PA-5200 Series firewalls (which have one HSCI port), connect the HSCI port on the
first chassis to the HSCI port on the second chassis. You can also use data ports for HA3
on PA-5200 Series firewalls.
• On PA-3200 Series firewalls (which have one HSCI port), connect the HSCI port on the
first chassis to the HSCI port on the second chassis.
• On any other hardware model, use dataplane interfaces for HA3.
PAN-OS® Administrator’s Guide Version Version 9.1 368 ©2021 Palo Alto Networks, Inc.
High Availability
STEP 3 | If the firewall does not have dedicated HA ports, set up the data ports to funcon as HA
ports.
For firewalls with dedicated HA ports connue to the next step.
1. Select Network > Interfaces.
2. Confirm that the link is up on the ports that you want to use.
3. Select the interface and set Interface Type to HA.
4. Set the Link Speed and Link Duplex sengs, as appropriate.
STEP 5 | Set the Device ID, enable synchronizaon, and idenfy the control link on the peer firewall
1. In Device > High Availability > General, edit Setup.
2. Select Device ID as follows:
• When configuring the first peer, set the Device ID to 0.
• When configuring the second peer, set the Device ID to 1.
3. Select Enable Config Sync. This seng is required to synchronize the two firewall
configuraons (enabled by default).
4. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the
peer firewall.
5. (Oponal) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup
control link on the peer firewall.
6. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 369 ©2021 Palo Alto Networks, Inc.
High Availability
STEP 6 | Determine whether or not the firewall with the lower Device ID preempts the acve-primary
firewall upon recovery from a failure.
1. In Device > High Availability > General, edit Elecon Sengs.
2. Select Preempve to cause the firewall with the lower Device ID to automacally
resume acve-primary operaon aer either firewall recovers from a failure. Both
firewalls must have Preempve selected for preempon to occur.
Leave Preempve unselected if you want the acve-primary role to remain with the
current firewall unl you manually make the recovered firewall the acve-primary
firewall.
STEP 7 | Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port.
You need not enable heartbeat backup if you are using the management port for the control
link.
1. In Device > High Availability > General, edit Elecon Sengs.
2. Select Heartbeat Backup.
To allow the heartbeats to be transmied between the firewalls, you must verify that the
management port across both peers can route to each other.
To view the preset value for an individual mer included in a profile, select
Advanced and click Load Recommended or Load Aggressive. The preset values
for your hardware model will be displayed on screen.
PAN-OS® Administrator’s Guide Version Version 9.1 370 ©2021 Palo Alto Networks, Inc.
High Availability
If you enable encrypon, aer you finish configuring the HA firewalls, you can
Refresh HA1 SSH Keys and Configure Key Opons.
PA-3200 Series firewalls don’t support an IPv6 address for the HA1 backup
control link; use an IPv4 address.
PAN-OS® Administrator’s Guide Version Version 9.1 371 ©2021 Palo Alto Networks, Inc.
High Availability
STEP 12 | Set up the data link connecon (HA2) and the backup HA2 connecon between the firewalls.
1. In Device > High Availability > General, edit Data Link (HA2).
2. Select the Port to use for the data link connecon.
3. Select the Transport method. The default is ethernet, and will work when the HA pair is
connected directly or through a switch. If you need to route the data link traffic through
the network, select IP or UDP as the transport mode.
4. If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and
Netmask.
5. Verify that Enable Session Synchronizaon is selected.
6. Select HA2 Keep-alive to enable monitoring on the HA2 data link between the HA
peers. If a failure occurs based on the threshold that is set (default is 10000 ms), the
defined acon will occur. When an HA2 Keep-alive failure occurs, the system either
generates a crical system log message or causes a split dataplane depending on your
configuraon.
You can configure the HA2 Keep-alive opon on both firewalls, or just one
firewall in the HA pair. If the opon is only enabled on one firewall, only that
firewall sends the Keep-alive messages. The other firewall is nofied if a failure
occurs.
PAN-OS® Administrator’s Guide Version Version 9.1 372 ©2021 Palo Alto Networks, Inc.
High Availability
Start with First Packet for Session Owner and Session Setup, and then based
on load distribuon, you can change to one of the other opons.
• IP Hash—The firewall uses a hash of either the source IP address or a combinaon of
the source and desnaon IP addresses to distribute session setup responsibilies.
4. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 373 ©2021 Palo Alto Networks, Inc.
High Availability
peer owns the floang IP address you just configured (range is 0-255). The firewall with
the lowest priority value (highest priority) owns the floang IP address.
3. Select Failover address if link state is down to cause the firewall to use the failover
address when the link state on the interface is down.
4. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 374 ©2021 Palo Alto Networks, Inc.
High Availability
STEP 5 | Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for
the first firewall, select Device ID 1 for the peer firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 375 ©2021 Palo Alto Networks, Inc.
High Availability
STEP 4 | Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
Perform Step 19 of Configure Acve/Acve HA.
PAN-OS® Administrator’s Guide Version Version 9.1 376 ©2021 Palo Alto Networks, Inc.
High Availability
STEP 7 | Configure the peer firewall in the same way, except selecng a different Device ID.
For example, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer
firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 377 ©2021 Palo Alto Networks, Inc.
High Availability
STEP 4 | Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
STEP 7 | Configure the peer firewall in the same way, except selecng a different Device ID.
For example, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer
firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 378 ©2021 Palo Alto Networks, Inc.
High Availability
Upon a failover, when the acve-primary firewall (Peer A) goes down and the acve-secondary
firewall (Peer B) takes over as the acve-primary peer, the floang IP address moves to Peer B
(shown in the following figure). Peer B remains the acve-primary firewall and traffic connues to
go to Peer B, even when Peer A recovers and becomes the acve-secondary firewall. You decide if
and when to make Peer A the acve-primary firewall again.
Binding the floang IP address to the acve-primary firewall provides you with more control over
how the firewalls determine floang IP address ownership as they move between various HA
Firewall States. The following advantages result:
• You can have an acve/acve HA configuraon for path monitoring out of both firewalls, but
have the firewalls funcon like an acve/passive HA configuraon because traffic directed to
the floang IP address always goes to the acve-primary firewall.
When you disable preempon on both firewalls, you have the following addional benefits:
• The floang IP address does not move back and forth between HA firewalls if the acve-
secondary firewall flaps up and down.
• You can review the funconality of the recovered firewall and the adjacent components before
manually direcng traffic to it again, which you can do at a convenient down me.
PAN-OS® Administrator’s Guide Version Version 9.1 379 ©2021 Palo Alto Networks, Inc.
High Availability
• You have control over which firewall owns the floang IP address so that you keep all flows of
new and exisng sessions on the acve-primary firewall, thereby minimizing traffic on the HA3
link.
You cannot configure NAT for a floang IP address that is bound to an acve-primary
firewall.
Disabling preempon allows you full control over when the recovered firewall becomes
the acve-primary firewall.
1. In Device > High Availability > General, edit the Elecon Sengs.
2. Clear Preempve if it is enabled.
3. Click OK.
You must also engineer your network to eliminate the possibility of asymmetric
traffic going to the HA pair. If you don’t do so and traffic goes to the acve-
secondary firewall, seng Session Owner Selecon and Session Setup to
Primary Device causes the traffic to traverse HA3 to get to the acve-primary
firewall for session ownership and session setup.
4. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 380 ©2021 Palo Alto Networks, Inc.
High Availability
STEP 7 | Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
STEP 9 | Configure the peer firewall in the same way, except selecng a different Device ID.
For example, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer
firewall.
Use Case: Configure Acve/Acve HA with Source DIPP NAT Using Floang IP
Addresses
This Layer 3 interface example uses source NAT in Acve/Acve HA Mode. The Layer 2 switches
create broadcast domains to ensure users can reach everything north and south of the firewalls.
PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1. In this use case, NAT
translates the source IP address and port number to the floang IP address configured on the
egress interface. Each host is configured with a default gateway address, which is the floang IP
address on Ethernet1/1 of each firewall. The configuraon requires two source NAT rules, one
bound to each Device ID, although you configure both NAT rules on a single firewall and they are
synchronized to the peer firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 381 ©2021 Palo Alto Networks, Inc.
High Availability
STEP 1 | On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Acve/Acve HA.
PAN-OS® Administrator’s Guide Version Version 9.1 382 ©2021 Palo Alto Networks, Inc.
High Availability
STEP 7 | Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
STEP 10 | Configure the peer firewall, PA-3050-1 with the same sengs, except for the following
changes:
• Select Device ID 0.
• Configure an HA virtual address of 10.1.1.100.
• For Device 1 Priority, enter 255. For Device 0 Priority, enter 0.
In this example, Device ID 0 has a lower priority value so a higher priority; therefore, the
firewall with Device ID 0 (PA-3050-1) owns the floang IP address 10.1.1.100.
STEP 11 | Sll on PA-3050-1, create the source NAT rule for Device ID 0.
1. Select Policies > NAT and click Add.
2. Enter a Name for the rule that in this example idenfies it as a source NAT rule for
Device ID 0.
3. For NAT Type, select ipv4 (default).
4. On the Original Packet, for Source Zone, select Any.
5. For Desnaon Zone, select the zone you created for the external network.
6. Allow Desnaon Interface, Service, Source Address, and Desnaon Address to
remain set to Any.
7. For the Translated Packet, select Dynamic IP And Port for Translaon Type.
8. For Address Type, select Interface Address, in which case the translated address will
be the IP address of the interface. Select an Interface (eth1/1 in this example) and an IP
Address of the floang IP address 10.1.1.100.
9. On the Acve/Acve HA Binding tab, for Acve/Acve HA Binding, select 0 to bind the
NAT rule to Device ID 0.
10. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 383 ©2021 Palo Alto Networks, Inc.
High Availability
Use Case: Configure Separate Source NAT IP Address Pools for Acve/Acve HA
Firewalls
If you want to use IP address pools for source NAT in Acve/Acve HA Mode, each firewall must
have its own pool, which you then bind to a Device ID in a NAT rule.
Address objects and NAT rules are synchronized (in both acve/passive and acve/acve mode),
so they need to be configured on only one of the firewalls in the HA pair.
This example configures an address object named Dyn-IP-Pool-dev0 containing the IP address
pool 10.1.1.140-10.1.1.150. It also configures an address object named Dyn-IP-Pool-dev1
containing the IP address pool 10.1.1.160-10.1.1.170. The first address object is bound to Device
ID 0; the second address object is bound to Device ID 1.
STEP 1 | On one HA firewall, create address objects.
1. Select Objects > Addresses and Add an address object Name, in this example, Dyn-IP-
Pool-dev0.
2. For Type, select IP Range and enter the range 10.1.1.140-10.1.1.150.
3. Click OK.
4. Repeat this step to configure another address object named Dyn-IP-Pool-dev1 with the
IP Range of 10.1.1.160-10.1.1.170.
PAN-OS® Administrator’s Guide Version Version 9.1 384 ©2021 Palo Alto Networks, Inc.
High Availability
Use Case: Configure Acve/Acve HA for ARP Load-Sharing with Desnaon NAT
This Layer 3 interface example uses NAT in Acve/Acve HA Mode and ARP Load-Sharing
with desnaon NAT. Both HA firewalls respond to an ARP request for the desnaon NAT
address with the ingress interface MAC address. Desnaon NAT translates the public, shared
IP address (in this example, 10.1.1.200) to the private IP address of the server (in this example,
192.168.2.200).
When the HA firewalls receive traffic for the desnaon 10.1.1.200, both firewalls could possibly
respond to the ARP request, which could cause network instability. To avoid the potenal issue,
configure the firewall that is in acve-primary state to respond to the ARP request by binding the
desnaon NAT rule to the acve-primary firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 385 ©2021 Palo Alto Networks, Inc.
High Availability
STEP 1 | On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Acve/Acve HA.
PAN-OS® Administrator’s Guide Version Version 9.1 386 ©2021 Palo Alto Networks, Inc.
High Availability
STEP 6 | Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
STEP 9 | Configure the peer firewall, PA-3050-1 (Device ID 0), with the same sengs, except in Step 2
select Device ID 0.
STEP 10 | Sll on PA-3050-1 (Device ID 0), create the desnaon NAT rule so that the acve-primary
firewall responds to ARP requests.
1. Select Policies > NAT and click Add.
2. Enter a Name for the rule that, in this example, idenfies it as a desnaon NAT rule for
Layer 2 ARP.
3. For NAT Type, select ipv4 (default).
4. On the Original Packet, for Source Zone, select Any.
5. For Desnaon Zone, select the Untrust zone you created for the external network.
6. Allow Desnaon Interface, Service, and Source Address to remain set to Any.
7. For Desnaon Address, specify 10.1.1.200.
8. For the Translated Packet, Source Address Translaon remains None.
9. For Desnaon Address Translaon, enter the private IP address of the desnaon
server, in this example, 192.168.1.200.
10. On the Acve/Acve HA Binding tab, for Acve/Acve HA Binding, select primary to
bind the NAT rule to the firewall in acve-primary state.
11. Click OK.
Use Case: Configure Acve/Acve HA for ARP Load-Sharing with Desnaon NAT in
Layer 3
This Layer 3 interface example uses NAT in Acve/Acve HA Mode and ARP Load-Sharing.
PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1.
In this use case, both of the HA firewalls must respond to an ARP request for the desnaon
NAT address. Traffic can arrive at either firewall from either WAN router in the untrust zone.
Desnaon NAT translates the public-facing, shared IP address to the private IP address of the
server. The configuraon requires one desnaon NAT rule bound to both Device IDs so that
both firewalls can respond to ARP requests.
PAN-OS® Administrator’s Guide Version Version 9.1 387 ©2021 Palo Alto Networks, Inc.
High Availability
STEP 1 | On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Acve/Acve HA.
PAN-OS® Administrator’s Guide Version Version 9.1 388 ©2021 Palo Alto Networks, Inc.
High Availability
STEP 6 | Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
STEP 9 | Configure the peer firewall, PA-3050-1 (Device ID 0), with the same sengs, except set the
Device ID to 0 instead of 1.
STEP 10 | Sll on PA-3050-1 (Device ID 0), create the desnaon NAT rule for both Device ID 0 and
Device ID 1.
1. Select Policies > NAT and click Add.
2. Enter a Name for the rule that in this example idenfies it as a desnaon NAT rule for
Layer 3 ARP.
3. For NAT Type, select ipv4 (default).
4. On the Original Packet, for Source Zone, select Any.
5. For Desnaon Zone, select the Untrust zone you created for the external network.
6. Allow Desnaon Interface, Service, and Source Address to remain set to Any.
7. For Desnaon Address, specify 10.1.1.200.
8. For the Translated Packet, Source Address Translaon remains None.
9. For Desnaon Address Translaon, enter the private IP address of the desnaon
server, in this example 192.168.1.200.
10. On the Acve/Acve HA Binding tab, for Acve/Acve HA Binding, select both to bind
the NAT rule to both Device ID 0 and Device ID 1.
11. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 389 ©2021 Palo Alto Networks, Inc.
High Availability
You must enable encrypon and it must be funconing properly on an HA pair before you
can perform the following tasks.
If you are configuring the HA1 control link with encrypon in FIPS-CC mode, you must
set automac rekeying parameters for session keys.
To use the same SSH connecon sengs for each Dedicated Log Collector (M-series or
Panorama™ virtual appliance in Log Collector mode) in a Collector Group, configure
the sengs from the Panorama management server, Commit the changes to Panorama,
and then Push the configuraon to the Log Collectors. You can use the set log-
collector-group <name> general-setting management ssh commands.
PAN-OS® Administrator’s Guide Version Version 9.1 390 ©2021 Palo Alto Networks, Inc.
High Availability
an ECDSA key of 256 bits. It also reestablishes the HA1 connecon using the new host key
without restarng the HA peers.
1. admin@PA-3250> configure
2. admin@PA-3250# set deviceconfig system ssh default-hostkey ha key-
type ECDSA key-length 256
3. admin@PA-3250# commit
4. admin@PA-3250# exit
5. admin@PA-3250> request high-availability sync-to-remote ssh-key
You can force the firewall to reestablish HA1 sessions if there is no HA1 backup,
which causes a brief split-brain condion between the two HA peers. (Using the
force opon when an HA1 backup is configured has no effect.)
8. admin@PA-3250> configure
9. admin@PA-3250# show deviceconfig system ssh default-hostkey
Establish when automac rekeying of the session keys occurs for SSH over the HA1 control link
by seng parameters.
The session keys are used for encrypng the traffic between the HA peers. Aer any one
rekeying parameter reaches its configured value, SSH uses the new session encrypon keys.
The parameters are data, interval (seconds), and packet count. If you set more than one
parameter, rekeying occurs when the first parameter reaches its configured value and then the
firewall resets all rekeying parameters. You can set a second or third parameter if you aren’t
sure that one parameter you configured will reach its specified value as soon as you want
rekeying to occur.
1. admin@PA-3250> configure
2. admin@PA-3250# set deviceconfig system ssh session-rekey ha data
32
Rekeying occurs aer the volume of data (in megabytes) is transmied following the
previous rekeying. The default is based on the type of cipher you use and ranges
from 1GB to 4GB; the range is 10MB to 4,000MB. Alternavely, you can use the set
PAN-OS® Administrator’s Guide Version Version 9.1 391 ©2021 Palo Alto Networks, Inc.
High Availability
If you are configuring the HA1 control link with encrypon in FIPS-CC mode, you
must set a data value (you cannot let it default) and the value must be no greater
than 1000MB.
3. admin@PA-3250# set deviceconfig system ssh session-rekey ha
interval 3600
Rekeying occurs aer the specified me interval (in seconds) passes following the
previous rekeying. By default, me-based rekeying is disabled (set to none); the range is
10 to 3,600.
If you are configuring the HA1 control link with encrypon in FIPS-CC mode, you
must set a me interval within the range; you cannot leave it disabled.
4. admin@PA-3250# set deviceconfig system ssh session-rekey ha
packets 27
n
Rekeying occurs aer the defined number of packets (2 ) are transmied following
the previous rekeying. Enter the exponent to which 2 is raised; for example, 14
14
configures that a maximum of 2 packets are transmied before a rekeying occurs.
28 12 27
The default is 2 ; the range is 12 to 27 (2 to 2 ). Alternavely, you can use the set
deviceconfig system ssh session-rekey ha packets default command,
28
which sets the value to 2 .
Choose rekeying parameters based on your type of traffic and network speeds (in
addion to FIPS-CC requirements if they apply to you). Don’t set the parameters
so low that they affect SSH performance.
5. admin@PA-3250# commit
6. admin@PA-3250# exit
7. (HA1 Backup is configured) admin@PA-3250> request high-availability
session-reestablish
8. (No HA1 Backup is configured or HA1 Backup link is down) admin@PA-3250> request
high-availability session-reestablish force
You can force the firewall to reestablish HA1 sessions if there is no HA1 backup,
which causes a brief split-brain condion between the two HA peers. (Using the
force opon when an HA1 backup is configured has no effect.)
9. admin@PA-3250> configure
10. admin@PA-3250# show deviceconfig system ssh session-rekey ha
PAN-OS® Administrator’s Guide Version Version 9.1 392 ©2021 Palo Alto Networks, Inc.
High Availability
(Oponal) Set the SSH server to use the specified encrypon ciphers for the HA1 sessions.
HA1 SSH allows all supported ciphers by default. When you set one or more ciphers, the SSH
server adverses only those ciphers while connecng, and if the SSH client (HA peer) tries to
connect using a different cipher, the server terminates the connecon.
1. admin@PA-3250> configure
2. admin@PA-3250# set deviceconfig system ssh ciphers ha cipher
aes128-cbc—AES 128-bit cipher with Cipher Block Chaining
aes128-ctr—AES 128-bit cipher with Counter Mode
aes128-gcm—AES 128-bit cipher with GCM (Galois/Counter Mode)
aes192-cbc—AES 192-bit cipher with Cipher Block Chaining
aes192-ctr—AES 192-bit cipher with Counter Mode
aes256-cbc—AES 256-bit cipher with Cipher Block Chaining
aes256-ctr—AES 256-bit cipher with Counter Mode
aes256-gcm—AES 256-bit cipher with GCM
3. admin@PA-3250# commit
4. admin@PA-3250# exit
5. (HA1 Backup is configured) admin@PA-3250> request high-availability
session-reestablish
6. (No HA1 Backup is configured or HA1 Backup link is down) admin@PA-3250> request
high-availability session-reestablish force
You can force the firewall to reestablish HA1 sessions if there is no HA1 backup,
which causes a brief split-brain condion between the HA peers. (Using the force
opon when an HA1 backup is configured has no effect.)
7. admin@PA-3250> configure
8. admin@PA-3250# show deviceconfig system ssh ciphers ha
PAN-OS® Administrator’s Guide Version Version 9.1 393 ©2021 Palo Alto Networks, Inc.
High Availability
(Oponal) Delete a cipher from the set of ciphers you selected for SSH over the HA1 control
link.
This example deletes the AES CBC cipher with 128-bit key.
1. admin@PA-3250PA-3250> configure
2. admin@PA-3250PA-3250# delete deviceconfig system ssh ciphers ha
aes128-cbc
3. admin@PA-3250# commit
4. admin@PA-3250# exit
5. (HA1 Backup is configured) admin@PA-3250> request high-availability
session-reestablish
6. (No HA1 Backup is configured or HA1 Backup link is down) admin@PA-3250> request
high-availability session-reestablish force
You can force the firewall to reestablish HA1 sessions if there is no HA1 backup,
which causes a brief split-brain condion between the two HA peers. (Using the
force opon when an HA1 backup is configured has no effect.
7. admin@PA-3250> configure
8. admin@PA-3250# show deviceconfig system ssh ciphers ha
PAN-OS® Administrator’s Guide Version Version 9.1 394 ©2021 Palo Alto Networks, Inc.
High Availability
(Oponal) Set the session key exchange algorithm for HA1 SSH.
By default, the SSH server (HA firewall) adverses all the key exchange algorithms to the SSH
client (HA peer firewall).
If you are using an ECDSA default key type, the best pracce is to use an ECDH key
algorithm.
1. admin@PA-3250> configure
2. admin@PA-3250# set deviceconfig system ssh kex ha value
diffie-hellman-group14-sha1—Diffie-Hellman group 14 with SHA1 hash
ecdh-sha2-nistp256—Ellipc-Curve Diffie-Hellman over Naonal Instute of
Standards and Technology (NIST) P-256 with SHA2-256 hash
ecdh-sha2-nistp384—Ellipc-Curve Diffie-Hellman over NIST P-384 with SHA2-384
hash
ecdh-sha2-nistp521—Ellipc-Curve Diffie-Hellman over NIST P-521 with SHA2-521
hash
3. admin@PA-3250# commit
4. admin@PA-3250# exit
5. (HA1 Backup is configured) admin@PA-3250> request high-availability
session-reestablish
6. (No HA1 Backup is configured or HA1 Backup link is down) admin@PA-3250> request
high-availability session-reestablish force
You can force the firewall to reestablish HA1 sessions if there is no HA1 backup,
which causes a brief split-brain condion between the two HA peers. (Using the
force opon when an HA1 backup is configured has no effect.
PAN-OS® Administrator’s Guide Version Version 9.1 395 ©2021 Palo Alto Networks, Inc.
High Availability
(Oponal) Set the message authencaon code (MAC) for HA1 SSH.
By default, the server adverses all of the MAC algorithms to the client.
1. admin@PA-3250> configure
2. admin@PA-3250# set deviceconfig system ssh mac ha value
hmac-sha1—MAC with SHA1 cryptographic hash
hmac-sha2-256—MAC with SHA2-256 cryptographic hash
hmac-sha2-512—MAC with SHA2-512 cryptographic hash
3. admin@PA-3250# commit
4. admin@PA-3250# exit
5. (HA1 Backup is configured) admin@PA-3250> request high-availability
session-reestablish
6. (No HA1 Backup is configured or HA1 Backup link is down) admin@PA-3250> request
high-availability session-reestablish force
You can force the firewall to reestablish HA1 sessions if there is no HA1 backup,
which causes a brief split-brain condion between the two HA peers. (Using the
force opon has no effect when an HA1 backup is configured
PAN-OS® Administrator’s Guide Version Version 9.1 396 ©2021 Palo Alto Networks, Inc.
High Availability
Regenerate ECDSA or RSA host keys for HA1 SSH to replace the exisng keys, and reestablish
HA1 sessions between HA peers using the new keys without restarng the HA peers.
The HA peers use the host keys to authencate each other. This example regenerates the
ECDSA 256 default host key.
Regenerang a host key does not change your default host key type. To regenerate the
default host key you are using, you must specify your default host key type and length
when you regenerate. Regenerang a host key that isn’t your default host key type
simply regenerates a key that you aren’t using and therefore has no effect.
1. admin@PA-3250> configure
2. admin@PA-3250# set deviceconfig system ssh regenerate-hostkeys ha
key-type ECDSA key-length 256
3. admin@PA-3250# commit
4. admin@PA-3250# exit
5. admin@PA-3250> request high-availability sync-to-remote ssh-key
You can force the firewall to reestablish HA1 sessions if there is no HA1 backup,
which causes a brief split-brain condion between the two HA peers. (Using the
force opon when an HA1 backup is configured has no effect.)
PAN-OS® Administrator’s Guide Version Version 9.1 397 ©2021 Palo Alto Networks, Inc.
High Availability
HA Firewall States
An HA firewall can be in one of the following states:
Inial A/P or A/ Transient state of a firewall when it joins the HA pair. The firewall
A remains in this state aer boot-up unl it discovers a peer and
negoaons begins. Aer a meout, the firewall becomes acve
if HA negoaon has not started.
PAN-OS® Administrator’s Guide Version Version 9.1 398 ©2021 Palo Alto Networks, Inc.
High Availability
Suspended A/P or A/ The device is disabled so won’t pass data traffic and although
A HA communicaons sll occur, the device doesn’t parcipate in
the HA elecon process. It can’t move to an HA funconal state
without user intervenon.
PAN-OS® Administrator’s Guide Version Version 9.1 399 ©2021 Palo Alto Networks, Inc.
High Availability
Reference: HA Synchronizaon
If you have enabled configuraon synchronizaon on both peers in an HA pair, most of the
configuraon sengs you configure on one peer will automacally sync to the other peer upon
commit. To avoid configuraon conflicts, always make configuraon changes on the acve (acve/
passive) or acve-primary (acve/acve) peer and wait for the changes to sync to the peer before
making any addional configuraon changes.
The following topics idenfy which configuraon sengs you must configure on each firewall
independently (these sengs are not synchronized from the HA peer).
• What Sengs Don’t Sync in Acve/Passive HA?
• What Sengs Don’t Sync in Acve/Acve HA?
• Synchronizaon of System Runme Informaon
Mul-vsys Capability You must acvate the Virtual Systems license on each firewall in the
pair to increase the number of virtual systems beyond the base number
provided by default on PA-3200 Series, PA-5200 Series, and PA-7000
Series firewalls.
You must also enable Mul Virtual System Capability on each firewall
(Device > Setup > Management > General Sengs).
Panorama Sengs Set the following Panorama sengs on each firewall (Device > Setup >
Management > Panorama Sengs).
• Panorama Servers
PAN-OS® Administrator’s Guide Version Version 9.1 400 ©2021 Palo Alto Networks, Inc.
High Availability
Global Service Routes Device > Setup > Services > Service Route Configuraon
Telemetry and Threat Device > Setup > Telemetry and Threat Intelligence
Intelligence Sengs
Data Protecon Device > Setup > Content-ID > Manage Data Protecon
Jumbo Frames Device > Setup > Session > Session Sengs > Enable Jumbo Frame
Forward Proxy Server Device > Setup > Session > Decrypon Sengs > SSL Forward Proxy
Cerficate Sengs Sengs
Master Key Secured Device > Setup > HSM > Hardware Security Module Provider >
by HSM Master Key Secured by HSM
Soware Updates With soware updates, you can either download and install them
separately on each firewall, or download them on one peer and sync
the update to the other peer. You must install the update on each peer
(Device > Soware).
GlobalProtect Agent With GlobalProtect app updates, you can either download and install
Package them separately on each firewall, or download them to one peer and
sync the update to the other peer. You must acvate separately on
each peer (Device > GlobalProtect Client).
Content Updates With content updates, you can either download and install them
separately on each firewall, or download them on one peer and sync
the update to the other peer. You must install the update on each peer
(Device > Dynamic Updates).
Master Key The master key must be idencal on each firewall in the HA pair, but
you must manually enter it on each firewall (Device > Master Key and
Diagnoscs).
PAN-OS® Administrator’s Guide Version Version 9.1 401 ©2021 Palo Alto Networks, Inc.
High Availability
Reports, logs, and Log data, reports, and Dashboard data and sengs (column display,
Dashboard Sengs widgets) are not synced between peers. Report configuraon sengs,
however, are synced.
Rule Usage Data Rule usage data, such as hit count, Created, and Modified Dates, are
not synced between peers. You need to log in to the each firewall to
view the policy rule hit count data for each firewall or use Panorama to
view informaon on the HA firewall peers.
SSL/TLS Service Device > Cerficate Management > SSL/TLS Service Profile
Profile for Device
SSL/TLS Service Profile for Device Management doesn’t synchronize
Management only
with an HA peer.
PAN-OS® Administrator’s Guide Version Version 9.1 402 ©2021 Palo Alto Networks, Inc.
High Availability
Mul-vsys Capability You must acvate the Virtual Systems license on each firewall in the
pair to increase the number of virtual systems beyond the base number
provided by default on PA-3200 Series, PA-5200 Series, and PA-7000
Series firewalls.
You must also enable Mul Virtual System Capability on each firewall
(Device > Setup > Management > General Sengs).
Panorama Sengs Set the following Panorama sengs on each firewall (Device > Setup >
Management > Panorama Sengs).
• Panorama Servers
• Disable Panorama Policy and Objects and Disable Device and
Network Template
Global Service Routes Device > Setup > Services > Service Route Configuraon
Telemetry and Threat Device > Setup > Telemetry and Threat Intelligence
Intelligence Sengs
Data Protecon Device > Setup > Content-ID > Manage Data Protecon
Jumbo Frames Device > Setup > Session > Session Sengs > Enable Jumbo Frame
Forward Proxy Server Device > Setup > Session > Decrypon Sengs > SSL Forward Proxy
Cerficate Sengs Sengs
Soware Updates With soware updates, you can either download and install them
separately on each firewall, or download them on one peer and sync
the update to the other peer. You must install the update on each peer
(Device > Soware).
GlobalProtect Agent With GlobalProtect app updates, you can either download and install
Package them separately on each firewall, or download them to one peer and
sync the update to the other peer. You must acvate separately on
each peer (Device > GlobalProtect Client).
PAN-OS® Administrator’s Guide Version Version 9.1 403 ©2021 Palo Alto Networks, Inc.
High Availability
Content Updates With content updates, you can either download and install them
separately on each firewall, or download them on one peer and sync
the update to the other peer. You must install the update on each peer
(Device > Dynamic Updates).
Ethernet Interface IP All Ethernet interface configuraon sengs sync except for the IP
Addresses address (Network > Interface > Ethernet).
Loopback Interface IP All Loopback interface configuraon sengs sync except for the IP
Addresses address (Network > Interface > Loopback).
Tunnel Interface IP All Tunnel interface configuraon sengs sync except for the IP
Addresses address (Network > Interface > Tunnel).
LACP System Priority Each peer must have a unique LACP System ID in an acve/acve
deployment (Network > Interface > Ethernet > Add Aggregate Group
> System Priority).
VLAN Interface IP All VLAN interface configuraon sengs sync except for the IP
Address address (Network > Interface > VLAN).
Virtual Routers Virtual router configuraon synchronizes only if you have enabled
VR Sync (Device > High Availability > Acve/Acve Config > Packet
Forwarding). Whether or not to do this depends on your network
design, including whether you have asymmetric roung.
PAN-OS® Administrator’s Guide Version Version 9.1 404 ©2021 Palo Alto Networks, Inc.
High Availability
Master Key The master key must be idencal on each firewall in the HA pair, but
you must manually enter it on each firewall (Device > Master Key and
Diagnoscs).
Before changing the master key, you must disable config sync on both
peers (Device > High Availability > General > Setup and clear the
Enable Config Sync check box) and then re-enable it aer you change
the keys.
Reports, logs, and Log data, reports, and dashboard data and sengs (column display,
Dashboard Sengs widgets) are not synced between peers. Report configuraon sengs,
however, are synced.
Rule Usage Data Rule usage data, such as hit count, Created, and Modified Dates, are
not synced between peers. You need to log in to the each firewall to
PAN-OS® Administrator’s Guide Version Version 9.1 405 ©2021 Palo Alto Networks, Inc.
High Availability
SSL/TLS Service Device > Cerficate Management > SSL/TLS Service Profile
Profile for Device
SSL/TLS Service Profile for Device Management doesn’t synchronize
Management only
with an HA peer.
A/P A/A
Management Plane
DHCP Lease (as server) Yes Yes HA1 If the PAN-OS versions
on the HA peers don’t
match, the DHCP
Lease (as server) config
informaon won’t sync.
PAN-OS® Administrator’s Guide Version Version 9.1 406 ©2021 Palo Alto Networks, Inc.
High Availability
A/P A/A
DHCP Client Sengs and Yes Yes HA1 If the PAN-OS versions
Lease on the HA peers don’t
match, the DHCP Client
Sengs and Lease config
informaon won’t sync.
Dataplane
PAN-OS® Administrator’s Guide Version Version 9.1 407 ©2021 Palo Alto Networks, Inc.
High Availability
A/P A/A
session, or BFD
session informaon.
A host
session is
a session
terminated
on one
of the
firewall
interfaces,
such as
an ICMP
session
pinging
one
of the
firewall
interfaces
or a GP
tunnel.
PAN-OS® Administrator’s Guide Version Version 9.1 408 ©2021 Palo Alto Networks, Inc.
Monitoring
To forestall potenal issues and to accelerate incidence response when needed, the
firewall provides intelligence about traffic and user paerns using customizable and
informave reports. The dashboard, Applicaon Command Center (ACC), reports, and
logs on the firewall allow you to monitor acvity on your network. You can monitor
the logs and filter the informaon to generate reports with predefined or customized
views. For example, you can use the predefined templates to generate reports on
user acvies or analyze the reports and logs to interpret unusual behavior on your
network and generate a custom report on the traffic paern. For a visually engaging
presentaon of network acvity, the dashboard and the ACC include widgets, charts,
and tables with which you can interact to find the informaon you care about. In
addion, you can configure the firewall to forward monitored informaon as email
noficaons, syslog messages, SNMP traps, and NetFlow records to external services.
> Use the Dashboard > View Policy Rule Usage
> Use the Applicaon Command > Use External Services for Monitoring
Center > Configure Log Forwarding
> Use the App Scope Reports > Configure Email Alerts
> Use the Automated Correlaon > Use Syslog for Monitoring
Engine
> SNMP Monitoring and Traps
> Take Packet Captures
> Forward Logs to an HTTP(S)
> Monitor Applicaons and Threats Desnaon
> View and Manage Logs > NetFlow Monitoring
> Monitor Block List
> View and Manage Reports
409
Monitoring
Top Applicaons Displays the applicaons with the most sessions. The block size
indicates the relave number of sessions (mouse-over the block to
view the number), and the color indicates the security risk—from green
(lowest) to red (highest). Click an applicaon to view its applicaon
profile.
Top High Risk Similar to Top Applicaons, except that it displays the highest-risk
Applicaons applicaons with the most sessions.
General Informaon Displays the firewall name, model, PAN-OS soware version, the
applicaon, threat, and URL filtering definion versions, the current
date and me, and the length of me since the last restart.
Threat Logs Displays the threat ID, applicaon, and date and me for the last 10
entries in the Threat log. The threat ID is a malware descripon or URL
that violates the URL filtering profile.
Config Logs Displays the administrator username, client (Web or CLI), and date and
me for the last 10 entries in the Configuraon log.
Data Filtering Logs Displays the descripon and date and me for the last 60 minutes in
the Data Filtering log.
URL Filtering Logs Displays the descripon and date and me for the last 60 minutes in
the URL Filtering log.
System Logs Displays the descripon and date and me for the last 10 entries in the
System log.
PAN-OS® Administrator’s Guide Version Version 9.1 410 ©2021 Palo Alto Networks, Inc.
Monitoring
System Resources Displays the Management CPU usage, Data Plane usage, and the
Session Count, which displays the number of sessions established
through the firewall.
Logged In Admins Displays the source IP address, session type (Web or CLI), and session
start me for each administrator who is currently logged in.
ACC Risk Factor Displays the average risk factor (1 to 5) for the network traffic
processed over the past week. Higher values indicate higher risk.
High Availability If high availability (HA) is enabled, indicates the HA status of the local
and peer firewall—green (acve), yellow (passive), or black (other). For
more informaon about HA, see High Availability.
PAN-OS® Administrator’s Guide Version Version 9.1 411 ©2021 Palo Alto Networks, Inc.
Monitoring
ACC data, including ACC widgets and exported ACC reports, use Security policy rule data
that you enabled to Log at Session End. If some data you expect to view in the ACC is
not displayed, view your Traffic and Threat logs to determine the correct Security policy
rule to modify as needed so all new logs generated that match the Security policy rule are
viewable in the ACC.
• ACC—First Look
• ACC Tabs
• ACC Widgets (Widget Descripons)
• ACC Filters
• Interact with the ACC
• Use Case: ACC—Path of Informaon Discovery
ACC—First Look
Take a quick tour of the ACC.
PAN-OS® Administrator’s Guide Version Version 9.1 412 ©2021 Palo Alto Networks, Inc.
Monitoring
ACC—First Look
PAN-OS® Administrator’s Guide Version Version 9.1 413 ©2021 Palo Alto Networks, Inc.
Monitoring
ACC—First Look
The me period used to render data, by default,
is the Last Hour updated in 15 minute intervals.
The date and me interval are displayed onscreen,
for example at 11:40, the me range is 01/12
10:30:00-01/12 11:29:59.
Global Filters The Global Filters allow you to set the filter across
all widgets and all tabs. The charts/graphs apply
the selected filters before rendering the data. For
informaon on using the filters, see ACC Filters.
Source The data used for the ACC display. The opons
vary on the firewall and on Panorama.
On the firewall, if enabled for mulple virtual
systems, you can use the Virtual System drop-
down to change the ACC display to include data
from all virtual systems or just a selected virtual
system.
On Panorama, you can select the Device Group
drop-down to change the ACC display to include
PAN-OS® Administrator’s Guide Version Version 9.1 414 ©2021 Palo Alto Networks, Inc.
Monitoring
ACC—First Look
data from all device groups or just a selected
device group.
Addionally, on Panorama, you can change the
Data Source as Panorama data or Remote Device
Data. Remote Device Data is only available when
all the managed firewalls are on PAN-OS 7.0.0
or later. When you filter the display for a specific
device group, Panorama data is used as the data
source.
ACC Tabs
The ACC includes the following predefined tabs for viewing network acvity, threat acvity, and
blocked acvity.
Tab Descripon
Network Acvity Displays an overview of traffic and user acvity on your network
including:
• Top applicaons in use
• Top users who generate traffic (with a drill down into the bytes,
content, threats or URLs accessed by the user)
• Most used security rules against which traffic matches occur
In addion, you can also view network acvity by source or
desnaon zone, region, or IP address, ingress or egress interfaces,
and GlobalProtect host informaon such as the operang systems
of the devices most commonly used on the network.
PAN-OS® Administrator’s Guide Version Version 9.1 415 ©2021 Palo Alto Networks, Inc.
Monitoring
Tab Descripon
Blocked Acvity Focuses on traffic that was prevented from coming into the
network. The widgets in this tab allow you to view acvity denied
by applicaon name, username, threat name, blocked content—files
and data that were blocked by a file blocking profile. It also lists the
top security rules that were matched on to block threats, content,
and URLs.
Tunnel Acvity Displays the acvity of tunnel traffic that the firewall inspected
based on your tunnel inspecon policies. Informaon includes
tunnel usage based on tunnel ID, monitor tag, user, and tunnel
protocols such as Generic Roung Encapsulaon (GRE), General
Packet Radio Service (GPRS) Tunneling Protocol for User Data
(GTP-U), and non-encrypted IPSec.
You can also Interact with the ACC to create customized tabs with custom layout and widgets that
meet your network monitoring needs, export the tab and share with another administrator.
ACC Widgets
The widgets on each tab are interacve; you can set the ACC Filters and drill down into the details
for each table or graph, or customize the widgets included in the tab to focus on the informaon
you need. For details on what each widget displays, see Widget Descripons.
PAN-OS® Administrator’s Guide Version Version 9.1 416 ©2021 Palo Alto Networks, Inc.
Monitoring
Widgets
Acons
Maximize view— Allows you enlarge the widget
and view the table in a larger screen space and with
more viewable informaon.
PAN-OS® Administrator’s Guide Version Version 9.1 417 ©2021 Palo Alto Networks, Inc.
Monitoring
Widgets
logs (Monitor > Logs > <log-type> tab). The logs are
filtered using the me period for which the graph is
rendered.
If you have set local and global filters, the log query
concatenates the me period and the filters and
only displays logs that match the combined filter
set.
Widget Descripons
Each tab on the ACC includes a different set of widgets.
Widget Descripon
Applicaon Usage The table displays the top ten applicaons used on your network, all
the remaining applicaons used on the network are aggregated and
displayed as other. The graph displays all applicaons by applicaon
category, sub category, and applicaon. Use this widget to scan
for applicaons being used on the network, it informs you about
the predominant applicaons using bandwidth, session count, file
transfers, triggering the most threats, and accessing URLs.
Sort aributes: bytes, sessions, threats, content, URLs
Charts available: treemap, area, column, line (the charts vary by the
sort by aribute selected)
User Acvity Displays the top ten most acve users on the network who have
generated the largest volume of traffic and consumed network
resources to obtain content. Use this widget to monitor top users on
usage sorted on bytes, sessions, threats, content (files and paerns),
and URLs visited.
Sort aributes: bytes, sessions, threats, content, URLs
Charts available: area, column, line (the charts vary by the sort by
aribute selected)
PAN-OS® Administrator’s Guide Version Version 9.1 418 ©2021 Palo Alto Networks, Inc.
Monitoring
Widget Descripon
Source IP Acvity Displays the top ten IP addresses or hostnames of the devices that
have iniated acvity on the network. All other devices are aggregated
and displayed as other.
Sort aributes: bytes, sessions, threats, content, URLs
Charts available: area, column, line (the charts vary by the sort by
aribute selected)
Source Regions Displays the top ten regions (built-in or custom defined regions) around
the world from where users iniated acvity on your network.
Sort aributes: bytes, sessions, threats, content, URLs
Charts available: map, bar
Desnaon Regions Displays the top ten desnaon regions (built-in or custom defined
regions) on the world map from where content is being accessed by
users on the network.
Sort aributes: bytes, sessions, threats, content, URLs
Charts available: map, bar
HIP Informaon Displays informaon on the state of the hosts on which the
GlobalProtect agent is running; the host system is a GlobalProtect
endpoint. This informaon is sourced from entries in the HIP match log
that are generated when the data submied by the GlobalProtect app
matches a HIP object or a HIP profile you have defined on the firewall.
If you do not have HIP Match logs, this widget is blank. To learn how
to create HIP objects and HIP profiles and use them as policy match
criteria, see Configure HIP-Based Policy Enforcement.
Sort aributes: profiles, objects, operang systems
Charts available: bar
Rule Usage Displays the top ten rules that have allowed the most traffic on the
network. Use this widget to view the most commonly used rules,
monitor the usage paerns, and to assess whether the rules are
effecve in securing your network.
Sort aributes: bytes, sessions, threats, content, URLs
Charts available: line
PAN-OS® Administrator’s Guide Version Version 9.1 419 ©2021 Palo Alto Networks, Inc.
Monitoring
Widget Descripon
Ingress Interfaces Displays the firewall interfaces that are most used for allowing traffic
into the network.
Sort aributes: bytes, bytes sent, bytes received
Charts available: line
Egress Interfaces Displays the firewall interfaces that are most used by traffic exing the
network.
Sort aributes: bytes, bytes sent, bytes received
Charts available: line
Source Zones Displays the zones that are most used for allowing traffic into the
network.
Sort aributes: bytes, sessions, threats, content, URLs
Charts available: line
Desnaon Zones Displays the zones that are most used by traffic going outside the
network.
Sort aributes: bytes, sessions, threats, content, URLs
Charts available: line
Compromised Hosts Displays the hosts that are likely compromised on your network. This
widget summarizes the events from the correlaon logs. For each
source user/IP address, it includes the correlaon object that triggered
the match and the match count, which is aggregated from the match
evidence collated in the correlated events logs. For details see Use the
Automated Correlaon Engine.
Available on the PA-5200 Series, PA-7000 Series, and Panorama.
Sort aributes: severity (by default)
Hosts Vising Displays the frequency with which hosts (IP address/hostnames) on
Malicious URLs your network have accessed malicious URLs. These URLs are known to
be malware based on categorizaon in PAN-DB.
Sort aributes: count
Charts available: line
Hosts Resolving Displays the top hosts matching DNS signatures; hosts on the network
Malicious Domains that are aempng to resolve the hostname or domain of a malicious
URL. This informaon is gathered from an analysis of the DNS acvity
on your network. It ulizes passive DNS monitoring, DNS traffic
PAN-OS® Administrator’s Guide Version Version 9.1 420 ©2021 Palo Alto Networks, Inc.
Monitoring
Widget Descripon
generated on the network, acvity seen in the sandbox if you have
configured DNS sinkhole on the firewall, and DNS reports on malicious
DNS sources that are available to Palo Alto Networks customers.
Sort aributes: count
Charts available: line
Threat Acvity Displays the threats seen on your network. This informaon is based
on signature matches in Anvirus, An-Spyware, and Vulnerability
Protecon profiles and viruses reported by WildFire.
Sort aributes: threats
Charts available: bar, area, column
WildFire Acvity by Displays the applicaons that generated the most WildFire
Applicaon submissions. This widget uses the malicious and benign verdict from
the WildFire Submissions log.
Sort aributes: malicious, benign
Charts available: bar, line
WildFire Acvity by Displays the threat vector by file type. This widget displays the file
File Type types that generated the most WildFire submissions and uses the
malicious and benign verdict from the WildFire Submissions log. If this
data is unavailable, the widget is empty.
Sort aributes: malicious, benign
Charts available: bar, line
Applicaons using Displays the applicaons that are entering your network on non-
Non Standard Ports standard ports. If you have migrated your firewall rules from a port-
based firewall, use this informaon to cra policy rules that allow
traffic only on the default port for the applicaon. Where needed,
make an excepon to allow traffic on a non-standard port or create a
custom applicaon.
Sort aributes: bytes, sessions, threats, content, URLs
Charts available: treemap, line
Rules Allowing Displays the security policy rules that allow applicaons on non-
Applicaons On Non default ports. The graph displays all the rules, while the table displays
Standard Ports the top ten rules and aggregates the data from the remaining rules as
other.
This informaon helps you idenfy gaps in network security by
allowing you to assess whether an applicaon is hopping ports or
sneaking into your network. For example, you can validate whether
you have a rule that allows traffic on any port except the default port
PAN-OS® Administrator’s Guide Version Version 9.1 421 ©2021 Palo Alto Networks, Inc.
Monitoring
Widget Descripon
for the applicaon. Say for example, you have a rule that allow DNS
traffic on its applicaon-default port (port 53 is the standard port for
DNS). This widget will display any rule that allows DNS traffic into your
network on any port except port 53.
Sort aributes: bytes, sessions, threats, content, URLs
Charts available: treemap, line
Blocked Acvity—Focuses on traffic that was prevented from coming into the network
Blocked Applicaon Displays the applicaons that were denied on your network, and
Acvity allows you to view the threats, content, and URLs that you kept out of
your network.
Sort aributes: threats, content, URLs
Charts available: treemap, area, column
Blocked User Displays user requests that were blocked by a match on an Anvirus,
Acvity An-spyware, File Blocking or URL Filtering profile aached to
Security policy rule.
Sort aributes: threats, content, URLs
Charts available: bar, area, column
Blocked Threats Displays the threats that were successfully denied on your network.
These threats were matched on anvirus signatures, vulnerability
signatures, and DNS signatures available through the dynamic content
updates on the firewall.
Sort aributes: threats
Charts available: bar, area, column
Blocked Content Displays the files and data that was blocked from entering the
network. The content was blocked because security policy denied
access based on criteria defined in a File Blocking security profile or a
Data Filtering security profile.
Sort aributes: files, data
Charts available: bar, area, column
Security Policies Displays the security policy rules that blocked or restricted traffic
Blocking Acvity into your network. Because this widget displays the threats, content,
and URLs that were denied access into your network, you can use
it to assess the effecveness of your policy rules. This widget does
not display traffic that blocked because of deny rules that you have
defined in policy.
Sort aributes: threats, content, URLs
PAN-OS® Administrator’s Guide Version Version 9.1 422 ©2021 Palo Alto Networks, Inc.
Monitoring
Widget Descripon
Charts available: bar, area, column
GlobalProtect Displays a chart view summary of your deployment. Use the toggle at
Deployment Acvity the top of the chart to view the distribuon of users by authencaon
method, GlobalProtect app version, and operang system version.
Sort aributes: auth method, globalprotect app version, os
Charts available: bar, line
ACC Filters
The graphs and tables on the ACC widgets allow you to use filters to narrow the scope of data
that is displayed, so that you can isolate specific aributes and analyze informaon you want to
view in greater detail. The ACC supports the simultaneous use of widget and global filters.
• Widget Filters—Apply a widget filter, which is a filter that is local to a specific widget. A widget
filter allows you to interact with the graph and customize the display so that you can drill down
PAN-OS® Administrator’s Guide Version Version 9.1 423 ©2021 Palo Alto Networks, Inc.
Monitoring
in to the details and access the informaon you want to monitor on a specific widget. To create
a widget filter that is persistent across reboots, you must use the Set Local Filter opon.
• Global filters—Apply global filters across all the tabs in the ACC. A global filter allows you
to pivot the display around the details you care about right now and exclude the unrelated
informaon from the current display. For example, to view all events relang to a specific user
and applicaon, you can apply the username and the applicaon as a global filter and view only
informaon pertaining to the user and the applicaon through all the tabs and widgets on the
ACC. Global filters are not persistent.
PAN-OS® Administrator’s Guide Version Version 9.1 424 ©2021 Palo Alto Networks, Inc.
Monitoring
Add a tab.
1. Select the icon along the list of tabs.
2. Add a View Name. This name will be used as the name for the tab. You can add up to five
tabs.
Edit a tab.
Select the tab, and click the pencil icon next to the tab name, to edit the tab. For example
.
Eding a tab allows you to add or delete or reset the widgets that are displayed in the tab. You
can also change the widget layout in the tab.
PAN-OS® Administrator’s Guide Version Version 9.1 425 ©2021 Palo Alto Networks, Inc.
Monitoring
2. To delete a widget group/widget, edit the tab and in the workspace secon, click the [X]
icon on the right. You cannot undo a deleon.
You can also click an aribute in the table (below the graph) to apply it as a widget
filter.
The acve widget filters are indicated next to the widget name.
PAN-OS® Administrator’s Guide Version Version 9.1 426 ©2021 Palo Alto Networks, Inc.
Monitoring
2. Click the icon to view the list of filters you can apply.
Remove a filter.
Click the icon to remove a filter.
• For global filters: It is located in the Global Filters pane.
• For widget filters: Click the icon to display the Setup Local Filters dialog, then select the
filter, and click the icon.
PAN-OS® Administrator’s Guide Version Version 9.1 427 ©2021 Palo Alto Networks, Inc.
Monitoring
PAN-OS® Administrator’s Guide Version Version 9.1 428 ©2021 Palo Alto Networks, Inc.
Monitoring
Because Marsha has transferred a large volume of data, apply her username as a global filter (ACC
Filters) and pivot all the views in the ACC to Marsha’s traffic acvity.
The Applicaon Usage tab now shows that the top applicaon that Martha used was rapidshare,
a Swiss-owned file-hosng site that belongs to the file-sharing URL category. For further
invesgaon, add rapidshare as a global filter, and view Marsha’s acvity in the context of
rapidshare.
Consider whether you want to sancon rapidshare for company use. Should you allow
uploads to this site and do you need a QoS policy to limit bandwidth?
To view which IP addresses Marsha has communicated with, check the Desnaon IP Acvity
widget, and view the data by bytes and by URLs.
PAN-OS® Administrator’s Guide Version Version 9.1 429 ©2021 Palo Alto Networks, Inc.
Monitoring
To find out which countries Marsha communicated with, sort on sessions in the Desnaon
Regions widget.
From this data, you can confirm that Marsha, a user on your network, has established sessions in
Korea and the European Union, and she logged 19 threats in her sessions within the United States.
To look at Marsha’s acvity from a threat perspecve, remove the global filter for rapidshare.
In the Threat Acvity widget on the Threat Acvity tab, view the threats. The widget displays
that her acvity had triggered a match for 26 vulnerabilies in the overflow, DoS and code-
execuon threat category. Several of these vulnerabilies are of crical severity.
PAN-OS® Administrator’s Guide Version Version 9.1 430 ©2021 Palo Alto Networks, Inc.
Monitoring
To further drill-down into each vulnerability, click into the graph and narrow the scope of your
invesgaon. Each click automacally applies a local filter on the widget.
To invesgate each threat by name, you can create a global filter for say, Microso Works File
Converter Field Length Remote Code Execuon Vulnerability. Then, view the User Acvity
widget in the Network Acvity tab. The tab is automacally filtered to display threat acvity for
Marsha (noce the global filters in the screenshot).
PAN-OS® Administrator’s Guide Version Version 9.1 431 ©2021 Palo Alto Networks, Inc.
Monitoring
Noce that this Microso code-execuon vulnerability was triggered over email, by the imap
applicaon. You can now establish that Martha has IE vulnerabilies and email aachment
vulnerabilies, and perhaps her computer needs to be patched. You can now either navigate to
the Blocked Threats widget in the Blocked Acvity tab to check how many of these vulnerabilies
were blocked.
Or, you can check the Rule Usage widget on the Network Acvity tab to discover how many
vulnerabilies made it into your network and which security rule allowed this traffic, and navigate
directly to the security rule using the Global Find capability.
Then, drill into why imap used a non-standard port 43206 instead of port 143, which is the default
port for the applicaon. Consider modifying the security policy rule to allow applicaons to only
use the default port for the applicaon, or assess whether this port should be an excepon on
your network.
To review if any threats were logged over imap, check Marsha’s acvity in the WildFire
Acvity by Applicaon widget in the Threat Acvity tab. You can confirm that Marsha had no
malicious acvity, but to verify that other no other user was compromised by the imap applicaon,
negate Marsha as a global filter and look for other users who triggered threats over imap.
PAN-OS® Administrator’s Guide Version Version 9.1 432 ©2021 Palo Alto Networks, Inc.
Monitoring
Click into the bar for imap in the graph and drill into the inbound threats associated with the
applicaon. To find out who an IP address is registered to, hover over the aacker IP address and
select the Who Is link in the drop-down.
Because the session count from this IP address is high, check the Blocked Content and Blocked
Threats widgets in the Blocked Acvity tab for events related to this IP address. The Blocked
Acvity tab allows you to validate whether or not your policy rules are effecve in blocking
content or threats when a host on your network is compromised.
Use the Export PDF capability on the ACC to export the current view (create a snapshot of the
data) and send it to an incidence response team. To view the threat logs directly from the widget,
you can also click the icon to jump to the logs; the query is generated automacally and only
the relevant logs are displayed onscreen (for example in Monitor > Logs > Threat Logs).
PAN-OS® Administrator’s Guide Version Version 9.1 433 ©2021 Palo Alto Networks, Inc.
Monitoring
You have now used the ACC to review network data/trends to find which applicaons or users are
generang the most traffic, and how many applicaon are responsible for the threats seen on the
network. You were able to idenfy which applicaon(s), user(s) generated the traffic, determine
whether the applicaon was on the default port, and which policy rule(s) allowed the traffic
into the network, and determine whether the threat is spreading laterally on the network. You
also idenfied the desnaon IP addresses, geo-locaons with which hosts on the network are
communicang with. Use the conclusions from your invesgaon to cra goal-oriented policies
that can secure users and your network.
PAN-OS® Administrator’s Guide Version Version 9.1 434 ©2021 Palo Alto Networks, Inc.
Monitoring
Summary Report
The App Scope Summary report (Monitor > App Scope > Summary) displays charts for the top five
gainers, losers, and bandwidth consuming applicaons, applicaon categories, users, and sources.
PAN-OS® Administrator’s Guide Version Version 9.1 435 ©2021 Palo Alto Networks, Inc.
Monitoring
The Change Monitor Report contains the following buons and opons.
Buon Descripon
PAN-OS® Administrator’s Guide Version Version 9.1 436 ©2021 Palo Alto Networks, Inc.
Monitoring
Buon Descripon
PAN-OS® Administrator’s Guide Version Version 9.1 437 ©2021 Palo Alto Networks, Inc.
Monitoring
Each threat type is color-coded as indicated in the legend below the chart. The Threat Monitor
report contains the following buons and opons.
Buon Descripon
The Threat Map report contains the following buons and opons.
Buon Descripon
PAN-OS® Administrator’s Guide Version Version 9.1 438 ©2021 Palo Alto Networks, Inc.
Monitoring
Buon Descripon
Zoom In and Zoom Out Zoom in and zoom out of the map.
The Network Monitor report contains the following buons and opons.
Buon Descripon
PAN-OS® Administrator’s Guide Version Version 9.1 439 ©2021 Palo Alto Networks, Inc.
Monitoring
Buon Descripon
Each traffic type is color-coded as indicated in the legend below the chart. The Traffic Map report
contains the following buons and opons.
Buons Descripon
PAN-OS® Administrator’s Guide Version Version 9.1 440 ©2021 Palo Alto Networks, Inc.
Monitoring
Buons Descripon
Zoom In and Zoom Out Zoom in and zoom out of the map.
PAN-OS® Administrator’s Guide Version Version 9.1 441 ©2021 Palo Alto Networks, Inc.
Monitoring
Correlaon Object
A correlaon object is a definion file that specifies paerns to match against, the data sources
to use for the lookups, and me period within which to look for these paerns. A paern is a
boolean structure of condions that queries the following data sources (or logs) on the firewall:
applicaon stascs, traffic, traffic summary, threat summary, threat, data filtering, and URL
filtering. Each paern has a severity rang, and a threshold for the number of mes the paern
match must occur within a defined me limit to indicate malicious acvity. When the match
condions are met, a correlated event is logged.
A correlaon object can connect isolated network events and look for paerns that indicate a
more significant event. These objects idenfy suspicious traffic paerns and network anomalies,
including suspicious IP acvity, known command-and-control acvity, known vulnerability
exploits, or botnet acvity that, when correlated, indicate with a high probability that a host on
the network has been compromised. Correlaon objects are defined and developed by the Palo
Alto Networks Threat Research team, and are delivered with the weekly dynamic updates to
the firewall and Panorama. To obtain new correlaon objects, the firewall must have a Threat
Prevenon license. Panorama requires a support license to get the updates.
PAN-OS® Administrator’s Guide Version Version 9.1 442 ©2021 Palo Alto Networks, Inc.
Monitoring
The paerns defined in a correlaon object can be stac or dynamic. Correlated objects that
include paerns observed in WildFire are dynamic, and can correlate malware paerns detected
by WildFire with command-and-control acvity iniated by a host that was targeted with the
malware on your network or acvity seen by a Traps protected endpoint on Panorama. For
example, when a host submits a file to the WildFire cloud and the verdict is malicious, the
correlaon object looks for other hosts or clients on the network that exhibit the same behavior
seen in the cloud. If the malware sample had performed a DNS query and browsed to a malware
domain, the correlaon object will parse the logs for a similar event. When the acvity on a host
matches the analysis in the cloud, a high severity correlated event is logged.
Correlated Events
A correlated event is logged when the paerns and thresholds defined in a correlaon object
match the traffic paerns on your network. To Interpret Correlated Events and to view a graphical
display of the events, see Use the Compromised Hosts Widget in the ACC.
STEP 2 | View the details on each correlaon object. Each object provides the following informaon:
• Name and Title—The name and tle indicate the type of acvity that the correlaon object
detects. The name column is hidden from view, by default. To view the definion of the
object, unhide the column and click the name link.
• ID— A unique number that idenfies the correlaon object; this column is also hidden by
default. The IDs are in the 6000 series.
• Category—A classificaon of the kind of threat or harm posed to the network, user, or host.
For now, all the objects idenfy compromised hosts on the network.
• State—Indicates whether the correlaon object is enabled (acve) or disabled (inacve). All
the objects in the list are enabled by default, and are hence acve. Because these objects
are based on threat intelligence data and are defined by the Palo Alto Networks Threat
Research team, keep the objects acve in order to track and detect malicious acvity on
your network.
• Descripon—Specifies the match condions for which the firewall or Panorama will analyze
logs. It describes the sequence of condions that are matched on to idenfy acceleraon or
escalaon of malicious acvity or suspicious host behavior. For example, the Compromise
PAN-OS® Administrator’s Guide Version Version 9.1 443 ©2021 Palo Alto Networks, Inc.
Monitoring
Field Descripon
Update Time The me when the event was last updated with evidence on the
match. As the firewall collects evidence on paern or sequence
of events defined in a correlaon object, the me stamp on the
correlated event log is updated.
Object Name The name of the correlaon object that triggered the match.
Source Address The IP address of the user/device on your network from which the
traffic originated.
Source User The user and user group informaon from the directory server, if
User-ID is enabled.
Severity A rang that indicates the urgency and impact of the match. The
severity level indicates the extent of damage or escalaon paern,
and the frequency of occurrence. Because correlaon objects are
PAN-OS® Administrator’s Guide Version Version 9.1 444 ©2021 Palo Alto Networks, Inc.
Monitoring
Field Descripon
To primarily for detecng threats, the correlated events typically relate
configure to idenfying compromised hosts on the network and the severity
the implies the following:
firewall
• Crical—Confirms that a host has been compromised based on
or
correlated events that indicate an escalaon paern. For example,
Panorama
a crical event is logged when a host that received a file with a
to send
malicious verdict by WildFire exhibits the same command-and-
alerts
control acvity that was observed in the WildFire sandbox for that
using
malicious file.
email,
SNMP • High—Indicates that a host is very likely compromised based on
or syslog a correlaon between mulple threat events, such as malware
messages detected anywhere on the network that matches the command-
for a and-control acvity generated by a parcular host.
desired • Medium—Indicates that a host is likely compromised based
severity on the detecon of one or mulple suspicious events, such as
level, repeated visits to known malicious URLs, which suggests a scripted
see Use command-and-control acvity.
External
Services • Low—Indicates that a host is possibly compromised based on the
for detecon of one or mulple suspicious events, such as a visit to a
Monitoring. malicious URL or a dynamic DNS domain.
• Informaonal—Detects an event that may be useful in aggregate
for idenfying suspicious acvity, but the event is not necessarily
significant on its own.
Click the icon to see the detailed log view, which includes all the evidence on a match:
PAN-OS® Administrator’s Guide Version Version 9.1 445 ©2021 Palo Alto Networks, Inc.
Monitoring
Tab Descripon
Match Object Details: Presents informaon on the Correlaon Object that triggered the
Informaon match.
Match Details: A summary of the match details that includes the match me, last
update me on the match evidence, severity of the event, and an event summary.
Match Presents all the evidence that corroborates the correlated event. It lists detailed
Evidence informaon on the evidence collected for each session.
For more details, see Use the Automated Correlaon Engine and Use the Applicaon Command
Center.
PAN-OS® Administrator’s Guide Version Version 9.1 446 ©2021 Palo Alto Networks, Inc.
Monitoring
Packet capture can be very CPU intensive and can degrade firewall performance. Only
use this feature when necessary and make sure you turn it off aer you have collected the
required packets.
PAN-OS® Administrator’s Guide Version Version 9.1 447 ©2021 Palo Alto Networks, Inc.
Monitoring
• GTP Event Packet Capture—The firewall captures a single GTP event, such as GTP-in-GTP, end
user IP spoofing, and abnormal GTP messages, to make GTP troubleshoong easier for mobile
network operators. Enable packet capture in a GTP Protecon profile.
Hardware offload is supported on the following firewalls: PA-3200 Series, PA-5200 Series,
and PA-7000 Series firewall.
Disabling hardware offload may increase the dataplane CPU usage. If dataplane CPU
usage is already high, you may want to schedule a maintenance window before disabling
hardware offload.
STEP 2 | Aer the firewall captures the required traffic, enable hardware offload by running the
following CLI command:
PAN-OS® Administrator’s Guide Version Version 9.1 448 ©2021 Palo Alto Networks, Inc.
Monitoring
The following example shows how to use a packet capture to troubleshoot a Telnet
connecvity issue from a user in the Trust zone to a server in the DMZ zone.
PAN-OS® Administrator’s Guide Version Version 9.1 449 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 2 | Set packet capture filters, so the firewall only captures traffic you are interested in.
Using filters makes it easier for you to locate the informaon you need in the packet capture
and will reduce the processing power required by the firewall to take the packet capture. To
capture all traffic, do not define filters and leave the filter opon off.
For example, if you configured NAT on the firewall, you will need to apply two filters. The first
one filters on the pre-NAT source IP address to the desnaon IP address and the second one
filters traffic from the desnaon server to the source NAT IP address.
1. Select Monitor > Packet Capture.
2. Click Clear All Sengs at the boom of the window to clear any exisng capture
sengs.
3. Click Manage Filters and click Add.
4. Select Id 1 and in the Source field enter the source IP address you are interested in and
in the Desnaon field enter a desnaon IP address.
For example, enter the source IP address 192.168.2.10 and the desnaon IP address
10.43.14.55. To further filter the capture, set Non-IP to exclude non-IP traffic, such as
broadcast traffic.
5. Add the second filter and select Id 2.
For example, in the Source field enter 10.43.14.55 and in the Desnaon field enter
10.43.14.25. In the Non-IP drop-down menu select exclude.
6. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 450 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 4 | Specify the traffic stage(s) that trigger the packet capture and the filename(s) to use to store
the captured content. For a definion of each stage, click the Help icon on the packet capture
page.
For example, to configure all packet capture stages and define a filename for each stage,
perform the following procedure:
1. Add a Stage to the packet capture configuraon and define a File name for the resulng
packet capture.
For example, select receive as the Stage and set the File name to telnet-test-received.
2. Connue to Add each Stage you want to capture (receive, firewall, transmit, and drop)
and set a unique File name for each stage.
STEP 6 | Generate traffic that matches the filters that you defined.
For this example, generate traffic from the source system to the Telnet-enabled server by
running the following command from the source system (192.168.2.10):
telnet 10.43.14.55
PAN-OS® Administrator’s Guide Version Version 9.1 451 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 7 | Turn packet capture OFF and then click the refresh icon to see the packet capture files.
Noce that in this case, there were no dropped packets, so the firewall did not create a file for
the drop stage.
STEP 8 | Download the packet captures by clicking the filename in the File Name column.
STEP 9 | View the packet capture files using a network packet analyzer.
In this example, the received.pcap packet capture shows a failed Telnet session from the source
system at 192.168.2.10 to the Telnet-enabled server at 10.43.14.55. The source system sent
the Telnet request to the server, but the server did not respond. In this example, the server may
not have Telnet enabled, so check the server.
STEP 10 | Enable the Telnet service on the desnaon server (10.43.14.55) and turn on packet capture
to take a new packet capture.
PAN-OS® Administrator’s Guide Version Version 9.1 452 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 12 | Download and open the received.pcap file and view it using a network packet analyzer.
The following packet capture now shows a successful Telnet session from the host user at
192.168.2.10 to the Telnet-enabled server at 10.43.14.55.
You also see the NAT address 10.43.14.25. When the server responds, it does so to
the NAT address. You can see the session is successful as indicated by the three-way
handshake between the host and the server and then you see Telnet data.
PAN-OS® Administrator’s Guide Version Version 9.1 453 ©2021 Palo Alto Networks, Inc.
Monitoring
If the acon for a given threat is allow, the firewall does not trigger a Threat log and
does not capture packets. If the acon is alert, you can set the packet capture to
single-packet or extended-capture. All blocking acons (drop, block, and reset acons)
capture a single packet. The content package on the device determines the default
acon.
1. Select Objects > Security Profiles and enable the packet capture opon for the
supported profiles as follows:
• Anvirus—Select a custom anvirus profile and in the Anvirus tab select the Packet
Capture check box.
• An-Spyware—Select a custom An-Spyware profile, click the DNS Signatures tab
and in the Packet Capture drop-down, select single-packet or extended-capture.
• Vulnerability Protecon—Select a custom Vulnerability Protecon profile and in the
Rules tab, click Add to add a new rule, or select an exisng rule. Set Packet Capture
to single-packet or extended-capture.
If the profile has signature excepons defined, click the Excepons tab and in the
Packet Capture column for a signature, set single-packet or extended-capture.
2. (Oponal) If you selected extended-capture for any of the profiles, define the extended
packet capture length.
1. Select Device > Setup > Content-ID and edit the Content-ID Sengs.
2. In the Extended Packet Capture Length (packets) secon, specify the number of
packets that the firewall will capture (range is 1-50; default is 5).
3. Click OK.
STEP 2 | Add the security profile (with packet capture enabled) to a Security Policy rule.
1. Select Policies > Security and select a rule.
2. Select the Acons tab.
3. In the Profile Sengs secon, select a profile that has packet capture enabled.
For example, click the Anvirus drop-down and select a profile that has packet capture
enabled.
PAN-OS® Administrator’s Guide Version Version 9.1 454 ©2021 Palo Alto Networks, Inc.
Monitoring
PAN-OS® Administrator’s Guide Version Version 9.1 455 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 3 | Click the packet capture icon to view the packet capture or Export it to your local system.
PAN-OS® Administrator’s Guide Version Version 9.1 456 ©2021 Palo Alto Networks, Inc.
Monitoring
For example, to capture packets for the facebook-base applicaon that matches the security
rule named rule1, run the following CLI command:
You can also apply other filters, such as source IP address and desnaon IP address.
STEP 3 | View the output of the packet capture sengs to ensure that the correct filters are applied.
The output appears aer enabling the packet capture.
In the following output, you see that applicaon filtering is now on based on the facebook-
base applicaon for traffic that matches rule1.
Application setting:
Application cache : yes
Supernode : yes
Heuristics : yes
Cache Threshold : 16
Bypass when exceeds queue limit: no
Traceroute appid : yes
Traceroute TTL threshold : 30
Use cache for appid : no
Unknown capture : on
Max. unknown sessions : 5000
Current unknown sessions : 0
Application capture : on
Max. application sessions : 5000
Current application sessions : 0
Application filter setting:
Rule : rule1
From : any
To : any
Source : any
Destination : any
Protocol : any
Source Port : any
Dest. Port : any
Application : facebook-base
Current APPID Signature
Signature Usage : 21 MB (Max. 32 MB)
TCP 1 C2S : 15503 states
TCP 1 S2C : 5070 states
TCP 2 C2S : 2426 states
TCP 2 S2C : 702 states
UDP 1 C2S : 11379 states
UDP 1 S2C : 2967 states
PAN-OS® Administrator’s Guide Version Version 9.1 457 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 4 | Access Facebook.com from a web browser to generate Facebook traffic and then turn off
applicaon packet capture by running the following CLI command:
Each plaorm has a default number of bytes that tcpdump captures. The PA-220
firewalls capture 68 bytes of data from each packet and anything over that is truncated.
The PA-7000 Series firewalls and VM-Series firewalls capture 96 bytes of data from each
packet. To define the number of packets that tcpdump will capture, use the snaplen
(snap length) opon (range 0-65535). Seng the snaplen to 0 will cause the firewall to
use the maximum length required to capture whole packets.
STEP 1 | Using a terminal emulaon applicaon, such as PuTTY, launch an SSH session to the firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 458 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 2 | To start a packet capture on the MGT interface, run the following command:
For example, to capture the traffic that is generated when and administrator authencates
to the firewall using RADIUS, filter on the desnaon IP address of the RADIUS server
(10.5.104.99 in this example):
You can also filter on src (source IP address), host, net, and you can exclude content. For
example, to filter on a subnet and exclude all SCP, SFTP, and SSH traffic (which uses port 22),
run the following command:
Each me tcpdump takes a packet capture, it stores the content in a file named
mgmt.pcap. This file is overwrien each me you run tcpdump.
STEP 3 | Aer the traffic you are interested in has traversed the MGT interface, press Ctrl + C to stop
the capture.
The following output shows the packet capture from the MGT port (10.5.104.98) to the
RADIUS server (10.5.104.99):
PAN-OS® Administrator’s Guide Version Version 9.1 459 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 5 | (Oponal) Export the packet capture from the firewall using SCP (or TFTP). For example, to
export the packet capture using SCP, run the following command:
For example, to export the pcap to an SCP enabled server at 10.5.5.20 to a temp folder named
temp-SCP, run the following CLI command:
Enter the login name and password for the account on the SCP server to enable the firewall to
copy the packet capture to the c:\temp-SCP folder on the SCP-enabled.
STEP 6 | You can now view the packet capture files using a network packet analyzer, such as
Wireshark.
PAN-OS® Administrator’s Guide Version Version 9.1 460 ©2021 Palo Alto Networks, Inc.
Monitoring
Content Delivery Network Infrastructure to check whether logged events on the firewall pose a
security risk. The AutoFocus intelligence summary shows the prevalence of properes, acvies,
or behaviors associated with logs in your network and on a global scale, as well as the WildFire
verdict and AutoFocus tags linked to them. With an acve AutoFocus subscripon, you can
use this informaon to create customized AutoFocus Alerts that track specific threats on your
network.
PAN-OS® Administrator’s Guide Version Version 9.1 461 ©2021 Palo Alto Networks, Inc.
Monitoring
Traffic Logs
Traffic logs display an entry for the start and end of each session. Each entry includes the
following informaon: date and me; source and desnaon zones, addresses and ports;
PAN-OS® Administrator’s Guide Version Version 9.1 462 ©2021 Palo Alto Networks, Inc.
Monitoring
applicaon name; security rule applied to the traffic flow; rule acon (allow, deny, or drop); ingress
and egress interface; number of bytes; and session end reason.
The Type column indicates whether the entry is for the start or end of the session. The Acon
column indicates whether the firewall allowed, denied, or dropped the session. A drop indicates
the security rule that blocked the traffic specified any applicaon, while a deny indicates the rule
idenfied a specific applicaon. If the firewall drops traffic before idenfying the applicaon,
such as when a rule drops all traffic for a specific service, the Applicaon column displays not-
applicable.
Click beside an entry to view addional details about the session, such as whether an ICMP
entry aggregates mulple sessions between the same source and desnaon (in which case the
Count column value is greater than one).
Threat Logs
Threat logs display entries when traffic matches one of the Security Profiles aached to a security
rule on the firewall. Each entry includes the following informaon: date and me; type of threat
(such as virus or spyware); threat descripon or URL (Name column); source and desnaon
zones, addresses, and ports; applicaon name; alarm acon (such as allow or block); and severity
level.
To see more details on individual Threat log entries:
• Click beside a threat entry to view details such as whether the entry aggregates mulple
threats of the same type between the same source and desnaon (in which case the Count
column value is greater than one).
• If you configured the firewall to Take Packet Captures, click beside an entry to access the
captured packets.
The following table summarizes the Threat severity levels:
Severity Descripon
Crical Serious threats, such as those that affect default installaons of widely
deployed soware, result in root compromise of servers, and the exploit code
is widely available to aackers. The aacker usually does not need any special
authencaon credenals or knowledge about the individual vicms and the
target does not need to be manipulated into performing any special funcons.
High Threats that have the ability to become crical but have migang factors; for
example, they may be difficult to exploit, do not result in elevated privileges, or do
not have a large vicm pool.
WildFire Submissions log entries with a malicious verdict and an acon set to allow
are logged as High.
Medium Minor threats in which impact is minimized, such as DoS aacks that do not
compromise the target or exploits that require an aacker to reside on the same
LAN as the vicm, affect only non-standard configuraons or obscure applicaons,
or provide very limited access.
PAN-OS® Administrator’s Guide Version Version 9.1 463 ©2021 Palo Alto Networks, Inc.
Monitoring
Severity Descripon
• Threat log entries with a malicious verdict and an acon of block or alert, based
on the exisng WildFire signature severity, are logged as Medium.
InformaonalSuspicious events that do not pose an immediate threat, but that are reported to
call aenon to deeper problems that could possibly exist.
• URL Filtering log entries are logged as Informaonal.
• WildFire Submissions log entries with a benign verdict and any acon are
logged as Informaonal.
• WildFire Submissions log entries with any verdict and an acon set to block and
forward are logged as Informaonal.
• Log entries with any verdict and an acon set to block are logged as
Informaonal.
Verdict Descripon
Benign Indicates that the entry received a WildFire analysis verdict of benign. Files
categorized as benign are safe and do not exhibit malicious behavior.
Grayware Indicates that the entry received a WildFire analysis verdict of grayware. Files
categorized as grayware do not pose a direct security threat, but might display
PAN-OS® Administrator’s Guide Version Version 9.1 464 ©2021 Palo Alto Networks, Inc.
Monitoring
Verdict Descripon
otherwise obtrusive behavior. Grayware can include, adware, spyware, and
Browser Helper Objects (BHOs).
Phishing Indicates that WildFire assigned a link an analysis verdict of phishing. A phishing
verdict indicates that the site to which the link directs users displayed credenal
phishing acvity.
Malicious Indicates that the entry received a WildFire analysis verdict of malicious. Samples
categorized as malicious are can pose a security threat. Malware can include
viruses, C2 (command-and-control), worms, Trojans, Remote Access Tools (RATs),
rootkits, and botnets. For samples that are idenfied as malware, the WildFire
cloud generates and distributes a signature to prevent against future exposure.
Correlaon Logs
The firewall logs a correlated event when the paerns and thresholds defined in a Correlaon
Object match the traffic paerns on your network. To Interpret Correlated Events and view a
graphical display of the events, see Use the Compromised Hosts Widget in the ACC.
The following table summarizes the Correlaon log severity levels:
Severity Descripon
Crical Confirms that a host has been compromised based on correlated events that
indicate an escalaon paern. For example, a crical event is logged when a
host that received a file with a malicious verdict by WildFire, exhibits the same
command-and control acvity that was observed in the WildFire sandbox for that
malicious file.
High Indicates that a host is very likely compromised based on a correlaon between
mulple threat events, such as malware detected anywhere on the network that
matches the command and control acvity being generated from a parcular
host.
PAN-OS® Administrator’s Guide Version Version 9.1 465 ©2021 Palo Alto Networks, Inc.
Monitoring
Severity Descripon
Medium Indicates that a host is likely compromised based on the detecon of one or
mulple suspicious events, such as repeated visits to known malicious URLs that
suggests a scripted command-and-control acvity.
Low Indicates that a host is possibly compromised based on the detecon of one or
mulple suspicious events, such as a visit to a malicious URL or a dynamic DNS
domain.
Config Logs
Config logs display entries for changes to the firewall configuraon. Each entry includes the date
and me, the administrator username, the IP address from where the administrator made the
change, the type of client (Web, CLI, or Panorama), the type of command executed, the command
status (succeeded or failed), the configuraon path, and the values before and aer the change.
System Logs
System logs display entries for each system event on the firewall. Each entry includes the date
and me, event severity, and event descripon. The following table summarizes the System log
severity levels. For a paral list of System log messages and their corresponding severity levels,
refer to System Log Events.
Severity Descripon
Crical Hardware failures, including high availability (HA) failover and link failures.
High Serious issues, including dropped connecons with external devices, such as LDAP
and RADIUS servers.
PAN-OS® Administrator’s Guide Version Version 9.1 466 ©2021 Palo Alto Networks, Inc.
Monitoring
Severity Descripon
InformaonalLog in/log off, administrator name or password change, any configuraon change,
and all other events not covered by the other severity levels.
GlobalProtect Logs
GlobalProtect logs display the following logs related to GlobalProtect:
• GlobalProtect system logs.
GlobalProtect authencaon event logs remain in Monitor > Logs > System; however, the
Auth Method column of the GlobalProtect logs display the authencaon method used for
logins.
• LSVPN/satellite events.
• GlobalProtect portal and gateway logs.
• Clientless VPN logs.
IP-Tag Logs
IP-tag logs display how and when a source IP address is registered or unregistered on the
firewall and what tag the firewall applied to the address. Addionally, each log entry displays
the configured meout (when configured) and the source of the IP address-to-tag mapping
informaon, such as User-ID agent VM informaon sources and auto-tagging. See how to Register
IP Address and Tags Dynamically for more informaon.
User-ID Logs
User-ID logs display informaon about IP address-to-username mappings and Authencaon
Timestamps, such as the sources of the mapping informaon and the mes when users
authencated. You can use this informaon to help troubleshoot User-ID and authencaon
issues. For example, if the firewall is applying the wrong policy rule for a user, you can view the
logs to verify whether that user is mapped to the correct IP address and whether the group
associaons are correct.
Alarms Logs
An alarm is a firewall-generated message indicang that the number of events of a parcular type
(for example, encrypon and decrypon failures) has exceeded the threshold configured for that
PAN-OS® Administrator’s Guide Version Version 9.1 467 ©2021 Palo Alto Networks, Inc.
Monitoring
event type. To enable alarms and configure alarm thresholds, select Device > Log Sengs and edit
the Alarm Sengs.
When generang an alarm, the firewall creates an Alarm log and opens the System Alarms dialog
to display the alarm. Aer you Close the dialog, you can reopen it anyme by clicking Alarms ( )
at the boom of the web interface. To prevent the firewall from automacally opening the dialog
for a parcular alarm, select the alarm in the Unacknowledged Alarms list and Acknowledge the
alarm.
Authencaon Logs
Authencaon logs display informaon about authencaon events that occur when end users
try to access network resources for which access is controlled by Authencaon Policy rules. You
can use this informaon to help troubleshoot access issues and to adjust your Authencaon
policy as needed. In conjuncon with correlaon objects, you can also use Authencaon logs to
idenfy suspicious acvity on your network, such as brute force aacks.
Oponally, you can configure Authencaon rules to log meout events. These meouts relate to
the period when a user need authencate for a resource only once but can access it repeatedly.
Seeing informaon about the meouts helps you decide if and how to adjust them (for details, see
Authencaon Timestamps).
Unified Logs
Unified logs are entries from the Traffic, Threat, URL Filtering, WildFire Submissions, and Data
Filtering logs displayed in a single view. Unified log view enables you to invesgate and filter the
latest entries from different log types in one place, instead of searching through each log type
separately. Click Effecve Queries ( ) in the filter area to select which log types will display
entries in Unified log view.
The Unified log view displays only entries from logs that you have permission to see. For example,
an administrator who does not have permission to view WildFire Submissions logs will not see
WildFire Submissions log entries when viewing Unified logs. Administrave Role Types define
these permissions.
When you Set Up Remote Search in AutoFocus to perform a targeted search on the
firewall, the search results are displayed in Unified log view.
View Logs
You can view the different log types on the firewall in a tabular format. The firewall locally stores
all log files and automacally generates Configuraon and System logs by default. To learn more
about the security rules that trigger the creaon of entries for the other types of logs, see Log
Types and Severity Levels.
To configure the firewall to forward logs as syslog messages, email noficaons, or Simple
Network Management Protocol (SNMP) traps, Use External Services for Monitoring.
PAN-OS® Administrator’s Guide Version Version 9.1 468 ©2021 Palo Alto Networks, Inc.
Monitoring
The firewall displays only the logs you have permission to see. For example,
if your administrave account does not have permission to view WildFire
Submissions logs, the firewall does not display that log type when you access the
logs pages. Administrave Role Types define the permissions.
Enable AutoFocus in Panorama to view AutoFocus threat data for all Panorama
log entries, including those from firewalls that are not connected to AutoFocus
and/or are running PAN-OS 7.0 and earlier release versions (Panorama > Setup
> Management > AutoFocus).
2. Hover over an IP address, URL, user agent, threat name (subtype: virus and wildfire-virus
only), filename, or SHA-256 hash.
3. Click the drop-down ( ) and select AutoFocus.
4. Content Delivery Network Infrastructure.
Next Steps...
• Filter Logs.
• Export Logs.
• Configure Log Storage Quotas and Expiraon Periods.
Filter Logs
Each log has a filter area that allows you to set a criteria for which log entries to display. The
ability to filter logs is useful for focusing on events on your firewall that possess parcular
properes or aributes. Filter logs by arfacts that are associated with individual log entries.
For example, filtering by the rule UUID makes it easier to pinpoint the specific rule you want to
locate, even among many similarly-named rules. If your ruleset is very large and contains many
PAN-OS® Administrator’s Guide Version Version 9.1 469 ©2021 Palo Alto Networks, Inc.
Monitoring
rules, using the rule’s UUID as a filter spotlights the parcular rule you need to find without having
to navigate through pages of results.
STEP 1 | (Unified logs only) Select the log types to include in the Unified log display.
1. Click Effecve Queries ( ).
2. Select one or more log types from the list (traffic, threat, url, data, and wildfire).
3. Click OK. The Unified log updates to show only entries from the log types you have
selected.
If the value of the arfact matches the operator (such as has or in), enclose the value
in quotaon marks to avoid a syntax error. For example, if you filter by desnaon
country and use IN as a value to specify INDIA, enter the filter as ( dstloc eq
“IN” ).
• Click one or more arfacts (such as the applicaon type associated with traffic and the
IP address of an aacker) in a log entry. For example, click the Source 10.0.0.25 and
Applicaon web-browsing of a log entry to display only entries that contain both arfacts in
the log (AND search).
• To specify arfacts to add to the filter field, click Add Filter ( ).
• To add a previously saved filter, click Load Filter ( ).
Export Logs
You can export the contents of a log type to a comma-separated value (CSV) formaed report. By
default, the report contains up to 2,000 rows of log entries.
PAN-OS® Administrator’s Guide Version Version 9.1 470 ©2021 Palo Alto Networks, Inc.
Monitoring
If you want to manually delete logs, select Device > Log Sengs and, in the Manage Logs
secon, click the links to clear logs by type.
STEP 1 | Select Device > Setup > Management and edit the Logging and Reporng Sengs.
STEP 2 | Select Log Storage and enter a Quota (%) for each log type. When you change a percentage
value, the dialog refreshes to display the corresponding absolute value (Quota GB/MB
column).
STEP 3 | Enter the Max Days (expiraon period) for each log type (range is 1-2,000). The fields are
blank by default, which means the logs never expire.
The firewall synchronizes expiraon periods across high availability (HA) pairs. Because
only the acve HA peer generates logs, the passive peer has no logs to delete unless
failover occurs and it starts generang logs.
PAN-OS® Administrator’s Guide Version Version 9.1 471 ©2021 Palo Alto Networks, Inc.
Monitoring
You can use Secure Copy (SCP) commands from the CLI to export the enre log
database to an SCP server and import it to another firewall. Because the log database is
too large for an export or import to be praccal on the following plaorms, they do not
support these opons: PA-7000 Series firewalls (all PAN-OS releases), Panorama virtual
appliance running Panorama 6.0 or later releases, and Panorama M-Series appliances (all
Panorama releases).
STEP 1 | Select Device > Scheduled Log Export and click Add.
STEP 2 | Enter a Name for the scheduled log export and Enable it.
STEP 4 | Select the daily Scheduled Export Start Time. The opons are in 15-minute increments for a
24-hour clock (00:00 - 23:59).
STEP 5 | Select the Protocol to export the logs: SCP (secure) or FTP.
STEP 7 | Enter the Port number. By default, FTP uses port 21 and SCP uses port 22.
STEP 8 | Enter the Path or directory in which to save the exported logs.
STEP 9 | Enter the Username and, if necessary, the Password (and Confirm Password) to access the
server.
STEP 10 | (FTP only) Select Enable FTP Passive Mode if you want to use FTP passive mode, in which
the firewall iniates a data connecon with the FTP server. By default, the firewall uses FTP
acve mode, in which the FTP server iniates a data connecon with the firewall. Choose
the mode based on what your FTP server supports and on your network requirements.
STEP 11 | (SCP only) Click Test SCP server connecon. Before establishing a connecon, the firewall
must accept the host key for the SCP server.
If you use a Panorama template to configure the log export schedule, you must
perform this step aer comming the template configuraon to the firewalls. Aer the
template commit, log in to each firewall, open the log export schedule, and click Test
SCP server connecon.
PAN-OS® Administrator’s Guide Version Version 9.1 472 ©2021 Palo Alto Networks, Inc.
Monitoring
PAN-OS® Administrator’s Guide Version Version 9.1 473 ©2021 Palo Alto Networks, Inc.
Monitoring
Report Types
The firewall includes predefined reports that you can use as-is, or you can build custom reports
that meet your needs for specific data and aconable tasks, or you can combine predefined and
custom reports to compile informaon you need. The firewall provides the following types of
reports:
• Predefined Reports—Allow you to view a quick summary of the traffic on your network. A suite
of predefined reports are available in four categories—Applicaons, Traffic, Threat, and URL
Filtering. See View Reports.
• User or Group Acvity Reports—Allow you to schedule or create an on-demand report on the
applicaon use and URL acvity for a specific user or for a user group. The report includes the
URL categories and an esmated browse me calculaon for individual users. See Generate
User/Group Acvity Reports.
• Custom Reports—Create and schedule custom reports that show exactly the informaon
you want to see by filtering on condions and columns to include. You can also include query
builders for more specific drill down on report data. See Generate Custom Reports.
• PDF Summary Reports—Aggregate up to 18 predefined or custom reports/graphs from Threat,
Applicaon, Trend, Traffic, and URL Filtering categories into one PDF document. See Manage
PDF Summary Reports.
• Botnet Reports—Allow you to use behavior-based mechanisms to idenfy potenal botnet-
infected hosts in the network. See Generate Botnet Reports.
PAN-OS® Administrator’s Guide Version Version 9.1 474 ©2021 Palo Alto Networks, Inc.
Monitoring
• Report Groups—Combine custom and predefined reports into report groups and compile a
single PDF that is emailed to one or more recipients. See Manage Report Groups.
Reports can be generated on demand, on a recurring schedule, and can be scheduled for email
delivery.
View Reports
The firewall provides an assortment of over 40 predefined reports that it generates every day. You
can view these reports directly on the firewall. You can also view custom reports and summary
reports.
About 200 MB of storage is allocated for saving reports on the firewall. This limit can be
reconfigured for PA-7000 series and PA-5200 series firewalls only. For all other firewall models,
you can Configure the Expiraon Period and Run Time for Reports to allow the firewall to delete
reports that exceed the period. Keep in mind that when the firewall reaches its storage limit, it
automacally deletes older reports to create space even if you don’t set an expiraon period.
Another way to conserve system resources on the firewall is to Disable Predefined Reports. For
long-term retenon of reports, you can export the reports (as described below) or Schedule
Reports for Email Delivery.
Unlike other reports, you can’t save User/Group Acvity reports on the firewall. You must
Generate User/Group Acvity Reports on demand or schedule them for email delivery.
STEP 1 | (VM-50, VM-50 Lite, and PA-200 firewalls only) Enable generaon of predefined reports.
By default, predefined reports are disabled on VM-50, VM-50 Lite, and PA-200
firewalls to save resources.
1. Select Device > Setup > Management and edit Logging and Reporng.
2. Select Pre-Defined Reports and enable (check) Pre-Defined Reports.
3. Check (enable) the predefined reports you want to generate and click OK
4. Commit your configuraon changes.
5. Access the firewall CLI to enable predefined reports.
This step is required for local predefined reports and predefined reports pushed from a
Panorama™ management server.
STEP 3 | Select a report to view. The reports page then displays the report for the previous day.
To view reports for other days, select a date in the calendar at the boom right of the page and
select a report. If you select a report in another secon, the date selecon resets to the current
date.
PAN-OS® Administrator’s Guide Version Version 9.1 475 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 4 | To view a report offline, you can export the report to PDF, CSV or to XML formats. Click
Export to PDF, Export to CSV, or Export to XML at the boom of the page, then print or
save the file.
STEP 2 | Set the Report Runme to an hour in the 24-hour clock schedule (default is 02:00; range is
00:00 [midnight] to 23:00).
STEP 3 | Enter the Report Expiraon Period in days (default is no expiraon; range is 1 is 2,000).
You can’t change the storage that the firewall allocates for saving reports: it is
predefined at about 200 MB. When the firewall reaches the storage maximum, it
automacally deletes older reports to create space even if you don’t set a Report
Expiraon Period.
STEP 2 | Select the Pre-Defined Reports tab and clear the check box for each report you want to
disable. To disable all predefined reports, click Deselect All.
Custom Reports
In order to create purposeful custom reports, you must consider the aributes or key pieces of
informaon that you want to retrieve and analyze, such as threats, as well as the best way to
categorize the informaon, such as grouping by rule UUID, which will allow you to see the rule
that applies to each threat type. This consideraon guides you in making the following selecons
in a custom report:
PAN-OS® Administrator’s Guide Version Version 9.1 476 ©2021 Palo Alto Networks, Inc.
Monitoring
Selecon Descripon
Database You can base the report on one of the following database types:
• Summary databases—These databases are available for Applicaon
Stascs, Traffic, Threat, URL Filtering, and Tunnel Inspecon logs.
The firewall aggregates the detailed logs at 15-minute intervals. To
enable faster response me when generang reports, the firewall
condenses the data: duplicate sessions are grouped and incremented
with a repeat counter, and some aributes (columns) are excluded
from the summary.
• Detailed logs—These databases itemize the logs and list all the
aributes (columns) for each log entry.
Aributes The columns that you want to use as the match criteria. The aributes
are the columns that are available for selecon in a report. From the list
of Available Columns, you can add the selecon criteria for matching
data and for aggregang the details (the Selected Columns).
Sort By/ Group By The Sort By and the Group By criteria allow you to organize/segment
the data in the report; the sorng and grouping aributes available vary
based on the selected data source.
The Sort By opon specifies the aribute that is used for aggregaon. If
you do not select an aribute to sort by, the report will return the first
N number of results without any aggregaon.
The Group By opon allows you to select an aribute and use it as an
anchor for grouping data; all the data in the report is then presented in
a set of top 5, 10, 25 or 50 groups. For example, when you select Hour
as the Group By selecon and want the top 25 groups for a 24-hr me
period, the results of the report will be generated on an hourly basis
over a 24-hr period. The first column in the report will be the hour and
the next set of columns will be the rest of your selected report columns.
The following example illustrates how the Selected Columns and Sort
By/Group By criteria work together when generang reports:
PAN-OS® Administrator’s Guide Version Version 9.1 477 ©2021 Palo Alto Networks, Inc.
Monitoring
Selecon Descripon
The columns circled in red (above) depict the columns selected, which
are the aributes that you match against for generang the report.
Each log entry from the data source is parsed and these columns are
matched on. If mulple sessions have the same values for the selected
columns, the sessions are aggregated and the repeat count (or sessions)
is incremented.
The column circled in blue indicates the chosen sort order. When the
sort order (Sort By) is specified, the data is sorted (and aggregated) by
the selected aribute.
The column circled in green indicates the Group By selecon, which
serves as an anchor for the report. The Group By column is used as a
match criteria to filter for the top N groups. Then, for each of the top
N groups, the report enumerates the values for all the other selected
columns.
The report is anchored by Day and sorted by Sessions. It lists the 5 days
(5 Groups) with maximum traffic in the Last 7 Days me frame. The
data is enumerated by the Top 5 sessions for each day for the selected
columns—App Category, App Subcategory and Risk.
Time Frame The date range for which you want to analyze data. You can define a
custom range or select a me period ranging from the last 15 minutes
to the last 30 days. The reports can be run on demand or scheduled to
run at a daily or weekly cadence.
Query Builder The query builder allows you to define specific queries to further
refine the selected aributes. It allows you see just what you want in
PAN-OS® Administrator’s Guide Version Version 9.1 478 ©2021 Palo Alto Networks, Inc.
Monitoring
Selecon Descripon
your report using and and or operators and a match criteria, and then
include or exclude data that matches or negates the query in the report.
Queries enable you to generate a more focused collaon of informaon
in a report.
Aer the firewall has generated a scheduled custom report, you risk invalidang the past
results of that report if you modify its configuraon to change its future output. If you
need to modify a scheduled report configuraon, the best pracce is to create a new
report.
STEP 2 | Click Add and then enter a Name for the report.
To base a report on an predefined template, click Load Template and choose the
template. You can then edit the template and save it as a custom report.
Each me you create a custom report, a log view report is automacally created. This
report show the logs that were used to build the custom report. The log view report
uses the same name as the custom report, but appends the phrase (Log View) to the
report name.
When creang a report group, you can include the log view report with the custom report. For
more informaon, see Manage Report Groups.
STEP 4 | Select the Scheduled check box to run the report each night. The report is then available for
viewing in the Reports column on the side.
To generate a scheduled custom report using logs stored in Cortex Data Lake on the
Panorama™ management server running PAN-OS 9.1.2 and later releases, Cloud
Service plugin 1.8 or later release must be installed on Panorama.
STEP 5 | Define the filtering criteria. Select the Time Frame, the Sort By order, Group By preference,
and select the columns that must display in the report.
PAN-OS® Administrator’s Guide Version Version 9.1 479 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 6 | (Oponal) Select the Query Builder aributes if you want to further refine the selecon
criteria. To build a report query, specify the following and click Add. Repeat as needed to
construct the full query.
• Connector—Choose the connector (and/or) to precede the expression you are adding.
• Negate—Select the check box to interpret the query as a negaon. If, for example, you
choose to match entries in the last 24 hours and/or are originang from the untrust zone,
the negate opon causes a match on entries that are not in the past 24 hours and/or are not
from the untrust zone.
• Aribute—Choose a data element. The available opons depend on the choice of database.
• Operator—Choose the criterion to determine whether the aribute applies (such as =). The
available opons depend on the choice of database.
• Value—Specify the aribute value to match.
For example, the following figure (based on the Traffic Log database) shows a query that
matches if the Traffic log entry was received in the past 24 hours and is from the untrust zone.
STEP 7 | To test the report sengs, select Run Now. Modify the sengs as required to change the
informaon that is displayed in the report.
PAN-OS® Administrator’s Guide Version Version 9.1 480 ©2021 Palo Alto Networks, Inc.
Monitoring
And the PDF output for the report would look as follows:
Now, if you want to use the query builder to generate a custom report that represents the top
consumers of network resources within a user group, you would set up the report to look like
this:
PAN-OS® Administrator’s Guide Version Version 9.1 481 ©2021 Palo Alto Networks, Inc.
Monitoring
The report would display the top users in the product management user group sorted by bytes.
The firewall requires Threat Prevenon and URL Filtering licenses to use the botnet report.
You can Use the Automated Correlaon Engine to monitor suspicious acvies based on
addional indicators besides those that the botnet report uses. However, the botnet report
is the only tool that uses newly registered domains as an indicator.
PAN-OS® Administrator’s Guide Version Version 9.1 482 ©2021 Palo Alto Networks, Inc.
Monitoring
entry for the host. For example, if you set the Count to three for Malware URL visit, then
hosts that visit three or more known malware URLs will have higher scores than hosts
that visit less than three. For details, see Interpret Botnet Report Output.
3. Define the thresholds that determine whether the report will include hosts associated
with traffic involving Unknown TCP or Unknown UDP applicaons.
4. Select the IRC check box to include traffic involving IRC servers.
5. Click OK to save the report configuraon.
PAN-OS® Administrator’s Guide Version Version 9.1 483 ©2021 Palo Alto Networks, Inc.
Monitoring
The predefined SaaS applicaon usage report is sll available as a daily View Reports that
lists the top 100 SaaS applicaons (which means applicaons with the SaaS applicaon
characterisc, SaaS=yes) running on your network on a given day. This report does
not give visibility into applicaons you have designated as sanconed, but rather gives
visibility into all of the SaaS applicaons in use on your network.
PAN-OS® Administrator’s Guide Version Version 9.1 484 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 1 | Tag applicaons that you approve for use on your network as Sanconed.
For generang an accurate and informave report, you need to tag the sanconed
applicaons consistently across firewalls with mulple virtual systems, and across
firewalls that belong to a device group on Panorama. If the same applicaon is tagged
as sanconed in one virtual system and is not sanconed in another or, on Panorama,
if an applicaon is unsanconed in a parent device group but is tagged as sanconed
in a child device group (or vice versa), the SaaS Applicaon Usage report will report the
applicaon as parally sanconed and will have overlapping results.
Example: If Box is sanconed on vsys1 and Google Drive is sanconed on vsys2, Google Drive
users in vsys1 will be counted as users of an unsanconed SaaS applicaon and Box users
in vsys2 will be counted as users of an unsanconed SaaS applicaon. The key finding in the
report will highlight that a total of two unique SaaS applicaons are discovered on the network
with two sanconed applicaons and two unsanconed applicaons.
1. Select Objects > Applicaons.
2. Click the applicaon Name to edit an applicaon and select Edit in the Tag secon.
3. Select Sanconed from the Tags drop-down.
You must use the predefined Sanconed tag ( ). If you use any other tag to
indicate that you sanconed an applicaon, the firewall will fail to recognize the tag and
the report will be inaccurate.
PAN-OS® Administrator’s Guide Version Version 9.1 485 ©2021 Palo Alto Networks, Inc.
Monitoring
By default, the report includes detailed informaon on the top SaaS and non-
SaaS applicaon subcategories, which can make the report large by page count
and file size. Clear the Include detailed applicaon category informaon in
report check box if you want to reduce the file size and restrict the page count to
10 pages.
3. Select whether you want the report to Include logs from:
• All User Groups and Zones—The report includes data on all security zones and user
groups available in the logs.
If you want to include specific user groups in the report, select Include user group
informaon in the report and click the manage groups link to select the groups you
want to include. You must add between one and up to a maximum of 25 user groups,
so that the firewall or Panorama can filter the logs for the selected user groups. If you
do select the groups to include, the report will aggregate all user groups in to one
group called Others.
• Selected Zone—The report filters data for the specified security zone, and includes
data on that zone only.
If you want to include specific user groups in the report, select Include user group
informaon in the report and click the manage groups for selected zone link to select
the user groups within this zone that you want to include in the report. You must
add between one and up to a maximum of 25 user groups, so that the firewall or
Panorama can filter the logs for the selected user groups within the security zone. If
PAN-OS® Administrator’s Guide Version Version 9.1 486 ©2021 Palo Alto Networks, Inc.
Monitoring
you do select the groups to include, the report will aggregate all user groups in to one
group called Others.
• Selected User Group—The report filters data for the specified user group only, and
includes SaaS applicaon usage informaon for the selected user group only.
4. Select whether you want to include all the applicaon subcategories in the report
(the default) or Limit the max subcategories in the report to the top 10, 15, 20 or 25
categories (default is all subcategories).
5. Click Run Now to generate the report on-demand for the last 7-day and the last 30-day
me period. Make sure that the pop-up blocker is disabled on your browser because the
report opens in a new tab.
6. Click OK to save your changes.
PAN-OS® Administrator’s Guide Version Version 9.1 487 ©2021 Palo Alto Networks, Inc.
Monitoring
• To remove an element from the report, click the x icon or clear the selecon from the
drop-down for the appropriate report group.
• To rearrange the reports, drag and drop the element icons to another area of the
report.
4. Click OK to save the report.
5. Commit the changes.
PAN-OS® Administrator’s Guide Version Version 9.1 488 ©2021 Palo Alto Networks, Inc.
Monitoring
The following summary secons refer to the following PDF Summary Report elements:
• Top 5 Aacks—Refers to the Top threats element.
• Top 5 Threats—Refers to the High risk user - Top threats element.
• Top Threats report—Refers to the full list of threats from the Top threats element.
PAN-OS® Administrator’s Guide Version Version 9.1 489 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 1 | Configure the browse mes and number of logs for User/Group Acvity reports.
Required only if you want to change the default values.
1. Select Device > Setup > Management, edit the Logging and Reporng Sengs, and
select the Log Export and Reporng tab.
2. For the Max Rows in User Acvity Report, enter the maximum number of rows that
the detailed user acvity report supports (range is 1-1048576, default is 5000). This
determines the number of logs that the report analyzes.
3. Enter the Average Browse Time in seconds that you esmate users should take to
browse a web page (range is 0-300, default is 60). Any request made aer the average
browse me elapses is considered a new browsing acvity. The calculaon uses Log
Only the Page a User Visits (logged in the URL Filtering logs) as the basis and ignores any
new web pages that are loaded between the me of the first request (start me) and the
average browse me. For example, if you set the Average Browse Time to two minutes
and a user opens a web page and views that page for five minutes, the browse me for
that page will sll be two minutes. This is done because the firewall can’t determine
how long a user views a given page. The average browse me calculaon ignores sites
categorized as web adversements and content delivery networks.
4. For the Page Load Threshold, enter the esmated me in seconds for page elements to
load on the page (default is 20). Any requests that occur between the first page load and
the page load threshold are assumed to be elements of the page. Any requests that occur
outside of the page load threshold are assumed to be the user clicking a link within the
page.
5. Click OK to save your changes.
PAN-OS® Administrator’s Guide Version Version 9.1 490 ©2021 Palo Alto Networks, Inc.
Monitoring
The Log View report is a report type that is automacally created each me you
create a custom report and uses the same name as the custom report. This report will
show the logs that were used to build the contents of the custom report.
To include the log view data, when creang a report group, add your custom report
under the Custom Reports list and then add the log view report by selecng the
matching report name from the Log View list. The report will include the custom
report data and the log data that was used to create the custom report.
5. Click OK to save the sengs.
6. To use the report group, see Schedule Reports for Email Delivery.
PAN-OS® Administrator’s Guide Version Version 9.1 491 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 3 | Select the Report Group for email delivery. To set up a report group; see Manage Report
Groups.
STEP 4 | For the Email Profile, select an Email server profile to use for delivering the reports, or click
the Email Profile link to Create an Email server profile.
STEP 5 | Select the frequency at which to generate and send the report in Recurrence.
STEP 6 | The Override Email Addresses field allows you to send this report exclusively to the specified
recipients. When you add recipients to the field, the firewall does not send the report to the
recipients configured in the Email server profile. Use this opon for those occasions when the
report is for the aenon of someone other than the administrators or recipients defined in
the Email server profile.
PAN-OS® Administrator’s Guide Version Version 9.1 492 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 3 | Verify you have sufficient storage across the firewall to allocate toward expanding the report
storage capacity:
STEP 5 | Verify that the report storage capacity is increased to the amount set in the previous step:
PAN-OS® Administrator’s Guide Version Version 9.1 493 ©2021 Palo Alto Networks, Inc.
Monitoring
The rule hit count data is not synchronized across firewalls in a high availability (HA)
deployment so you need to log in to each firewall to view the policy rule hit count data for
each firewall or use Panorama to view informaon on the HA firewall peers.
Policy rule usage data is also useful when using Security Policy Rule Opmizaon to
determine which rules to migrate or clean up first.
PAN-OS® Administrator’s Guide Version Version 9.1 494 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 4 | View the policy rule usage for each policy rule:
• Hit Count—The number of mes traffic matched the criteria you defined in the policy rule.
Persists through reboot, dataplane restarts, and upgrades unless you manually reset or
rename the rule.
• Last Hit—The most recent mestamp for when traffic matched the rule.
• First Hit—The first instance when traffic was matched to this rule.
• Modified—The date and me the policy rule was last modified.
• Created—The date and me the policy rule was created.
If the rule was created when Panorama was running PAN-OS 8.1 and the Policy
Rule Hit Count seng is enabled, the First Hit date and me is used as the Created
date and me on upgrade to PAN-OS 9.0. If the rule was created in PAN-OS 8.1
when the Policy Rule Hit Count seng was disabled or if the rule was created when
Panorama was running PAN-OS 8.0 or an earlier release, the Created date for the
rule will be the date and me you successfully upgraded Panorama to PAN-OS 9.0
STEP 5 | In the Policy Opmizer dialog, view the Rule Usage filter.
Use the rule usage filter to evaluate the rule usage within a specified period of me. For
example, filter the selected rulebase for Unused rules within the last 30 days. You can
also evaluate rule usage with other rule aributes, such as the Created and Modified
dates, which enables you to filter for the correct set of rules to review. You can use this
data to help manage your rule lifecycle and to determine if a rule needs to be removed
to reduce your network aack surface.
1. Select the Timeframe you want to filter on or specify a Custom me frame.
2. Select the rule Usage on which to filter.
3. (Oponal) If you have reset the rule usage data for any rules, check for Exclude rules
reset during the last <number of days> days and decide when to exclude a rule based
PAN-OS® Administrator’s Guide Version Version 9.1 495 ©2021 Palo Alto Networks, Inc.
Monitoring
on the number of days you specify since the rule was reset. Only rules that were reset
before your specified number of days are included in the filtered results.
3. Hover your cursor over the column data that you would like to filter on Filter. For data
that contain dates, select whether to filter using This date, This date or earlier, or This
date or later.
PAN-OS® Administrator’s Guide Version Version 9.1 496 ©2021 Palo Alto Networks, Inc.
Monitoring
4. Apply Filter ( ).
PAN-OS® Administrator’s Guide Version Version 9.1 497 ©2021 Palo Alto Networks, Inc.
Monitoring
You can’t aggregate NetFlow records on Panorama; you must send them directly from the
firewalls to a NetFlow collector.
PAN-OS® Administrator’s Guide Version Version 9.1 498 ©2021 Palo Alto Networks, Inc.
Monitoring
You can forward logs from the firewalls directly to external services or from the firewalls
to Panorama and then configure Panorama to forward logs to the servers. Refer to Log
Forwarding Opons for the factors to consider when deciding where to forward logs.
You can use Secure Copy (SCP) commands from the CLI to export the enre log
database to an SCP server and import it to another firewall. Because the log database is
too large for an export or import to be praccal on the PA-7000 Series firewall, it does not
support these opons. You can also use the web interface on all plaorms to View and
Manage Reports, but only on a per log type basis, not for the enre log database.
STEP 1 | Configure a server profile for each external service that will receive log informaon.
You can use separate profiles to send different sets of logs, filtered by log aributes, to
a different server. To increase availability, define mulple servers in a single profile.
PAN-OS® Administrator’s Guide Version Version 9.1 499 ©2021 Palo Alto Networks, Inc.
Monitoring
an exisng default profile, enter a Name that will help you idenfy the profile when
assigning it to security rules and zones.
If no log forwarding profile named default exists, the profile selecon is set
to None by default in new security rules (Log Forwarding field) and new security
zones (Log Seng field), although you can change the selecon.
3. Add one or more match list profiles.
The profiles specify log query filters, forwarding desnaons, and automac acons such
as tagging. For each match list profile:
1. Enter a Name to idenfy the profile.
2. Select the Log Type.
3. In the Filter drop-down, select Filter Builder. Specify the following and then Add each
query:
• Connector logic (and/or)
• Log Aribute
• Operator to define inclusion or exclusion logic
• Aribute Value for the query to match
4. Select Panorama if you want to forward logs to Log Collectors or the Panorama
management server.
5. For each type of external service that you use for monitoring (SNMP, Email, Syslog,
and HTTP), Add one or more server profiles.
4. Click OK to save the Log Forwarding profile.
STEP 3 | Assign the Log Forwarding profile to policy rules and network zones.
Security, Authencaon, and DoS Protecon rules support log forwarding. In this example, you
assign the profile to a Security rule.
Perform the following steps for each rule that you want to trigger log forwarding:
1. Select Policies > Security and edit the rule.
2. Select Acons and select the Log Forwarding profile you created.
3. Set the Profile Type to Profiles or Group, and then select the security profiles or Group
Profile required to trigger log generaon and forwarding for:
• Threat logs—Traffic must match any security profile assigned to the rule.
• WildFire Submission logs—Traffic must match a WildFire Analysis profile assigned to
the rule.
4. For Traffic logs, select Log At Session Start and/or Log At Session End.
5. Click OK to save the rule.
PAN-OS® Administrator’s Guide Version Version 9.1 500 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 4 | Configure the desnaons for System, Configuraon, Correlaon, GlobalProtect, HIP Match,
and User-ID logs.
Panorama generates Correlaon logs based on the firewall logs it receives, rather than
aggregang Correlaon logs from firewalls.
STEP 5 | (PA-7000 Series firewalls only) Configure a log card interface to perform log forwarding.
1. Select Network > Interfaces > Ethernet and click Add Interface.
2. Select the Slot and Interface Name.
3. Set the Interface Type to Log Card.
4. Enter the IP Address, Default Gateway, and (for IPv4 only) Netmask.
5. Select Advanced and specify the Link Speed, Link Duplex, and Link State.
These fields default to auto, which specifies that the firewall automacally
determines the values based on the connecon. However, the minimum
recommended Link Speed for any connecon is 1000 (Mbps).
6. Click OK to save your changes.
PAN-OS® Administrator’s Guide Version Version 9.1 501 ©2021 Palo Alto Networks, Inc.
Monitoring
You can use separate profiles to send email noficaons for each log type to a different
server. To increase availability, define mulple servers (up to four) in a single profile.
STEP 2 | Configure email alerts for Traffic, Threat, and WildFire Submission logs.
1. See Step Create a Log Forwarding profile.
1. Select Objects > Log Forwarding, click Add, and enter a Name to idenfy the profile.
2. For each log type and each severity level or WildFire verdict, select the Email server
profile and click OK.
2. See Step Assign the Log Forwarding profile to policy rules and network zones.
PAN-OS® Administrator’s Guide Version Version 9.1 502 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 3 | Configure email alerts for System, Config, HIP Match, and Correlaon logs.
1. Select Device > Log Sengs.
2. For System and Correlaon logs, click each Severity level, select the Email server profile,
and click OK.
3. For Config and HIP Match logs, edit the secon, select the Email server profile, and click
OK.
4. Click Commit.
PAN-OS® Administrator’s Guide Version Version 9.1 503 ©2021 Palo Alto Networks, Inc.
Monitoring
For CEF-formated syslog events collecon, you must edit the default syslog
configuraon. The default syslog monitoring configuraon is not supported for CEF syslog
events collecon.
PAN-OS® Administrator’s Guide Version Version 9.1 504 ©2021 Palo Alto Networks, Inc.
Monitoring
You can use separate profiles to send syslogs for each log type to a different server. To
increase availability, define mulple servers (up to four) in a single profile.
If you configure an FQDN and use UDP transport, if the firewall cannot
resolve the FQDN, the firewall uses the exisng IP address resoluon for the
FQDN as the Syslog Server address.
• Transport—Select TCP, UDP, or SSL (TLS) as the protocol for communicang with the
syslog server. For SSL, the firewall supports only TLSv1.2.
• Port—The port number on which to send syslog messages (default is UDP on port
514); you must use the same port number on the firewall and the syslog server.
• Format—Select the syslog message format to use: BSD (the default) or IETF.
Tradionally, BSD format is over UDP and IETF format is over TCP or SSL/TLS.
• Facility—Select a syslog standard value (default is LOG_USER) to calculate the priority
(PRI) field in your syslog server implementaon. Select the value that maps to how
you use the PRI field to manage your syslog messages.
5. (Oponal) To customize the format of the syslog messages that the firewall sends, select
the Custom Log Format tab. For details on how to create custom formats for the various
log types, refer to the Common Event Format Configuraon Guide.
6. Click OK to save the server profile.
PAN-OS® Administrator’s Guide Version Version 9.1 505 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 2 | Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs.
1. Configure the firewall to forward logs. For more informaon, see Step Create a Log
Forwarding profile.
1. Select Objects > Log Forwarding, click Add, and enter a Name to idenfy the profile.
2. For each log type and each severity level or WildFire verdict, select the Syslog server
profile and click OK.
2. Assign the log forwarding profile to a security policy to trigger log generaon and
forwarding. For more informaon, See Step Assign the Log Forwarding profile to policy
rules and network zones.
1. Select Policies > Security and select a policy rule.
2. Select the Acons tab and select the Log Forwarding profile you created.
3. In the Profile Type drop-down, select Profiles or Groups, and then select the security
profiles or Group Profiles required to trigger log generaon and forwarding.
4. For Traffic logs, select one or both of the Log at Session Start and Log At Session End
check boxes, and click OK.
For detailed informaon about configuring a log forwarding profile and assigning the
profile to a policy rule, see Configure Log Forwarding.
STEP 3 | Configure syslog forwarding for System, Config, HIP Match, and Correlaon logs.
1. Select Device > Log Sengs.
2. For System and Correlaon logs, click each Severity level, select the Syslog server profile,
and click OK.
3. For Config, HIP Match, and Correlaon logs, edit the secon, select the Syslog server
profile, and click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 506 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 6 | Commit your changes and review the logs on the syslog server.
1. Click Commit.
2. To review the logs, refer to the documentaon of your syslog management soware. You
can also review the Syslog Field Descripons.
STEP 7 | (Oponal) Configure the firewall to terminate the connecon to the syslog server upon
FQDN refresh.
When you configure a syslog server profile using a FQDN, the firewall maintains its connecon
to the syslog server by default in the event of an FQDN name change. This is supported on
PAN-OS 9.1.11 and later releases.
For example, you have replaced an exisng syslog server with a new syslog server that uses
a different FQDN name. If you want the firewall to connect to the new syslog server using a
new FQDN name, you can configure the firewall to automacally terminate its connecon to
PAN-OS® Administrator’s Guide Version Version 9.1 507 ©2021 Palo Alto Networks, Inc.
Monitoring
the old syslog server and establish a connecon to the new syslog server using the new FQDN
name.
1. Log in to the firewall CLI.
2. Configure the firewall to terminate the connecon to the syslog server upon FQDN
refresh.
WildFire Submissions logs are a subtype of Threat log and use the same syslog format.
PAN-OS® Administrator’s Guide Version Version 9.1 508 ©2021 Palo Alto Networks, Inc.
Monitoring
Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual
System Name, Device Name, Acon Source, Source VM UUID, Desnaon VM UUID, Tunnel ID/
IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, SCTP Associaon ID,
SCTP Chunks, SCTP Chunks Sent, SCTP Chunks Received, Rule UUID, HTTP/2 Connecon, App
Flap Count, Policy ID, Link Switches, SD-WAN Cluster, SD-WAN Device Type, SD-WAN Cluster
Type, SD-WAN Site, Dynamic User Group Name
Receive Time (receive_me Time the log was received at the management plane.
or cef-formaed-
receive_me)
Serial Number (serial) Serial number of the firewall that generated the log.
Threat/Content Type Subtype of traffic log; values are start, end, drop, and deny
(subtype)
• Start—session started
• End—session ended
• Drop—session dropped before the applicaon is idenfied
and there is no rule that allows the session.
• Deny—session dropped aer the applicaon is idenfied
and there is a rule to block or no rule that allows the
session.
NAT Source IP (natsrc) If Source NAT performed, the post-NAT Source IP address.
Rule Name (rule) Name of the rule that the session matched.
Source User (srcuser) Username of the user who iniated the session.
Desnaon User (dstuser) Username of the user to which the session was desned.
PAN-OS® Administrator’s Guide Version Version 9.1 509 ©2021 Palo Alto Networks, Inc.
Monitoring
Log Acon (logset) Log Forwarding Profile that was applied to the session.
Repeat Count (repeatcnt) Number of sessions with same Source IP, Desnaon IP,
Applicaon, and Subtype seen within 5 seconds.
Flags (flags) 32-bit field that provides details on session; this field can be
decoded by AND-ing the values with the logged value:
• 0x80000000—session has a packet capture (PCAP)
• 0x40000000—opon is enabled to allow a client to use
mulple paths to connect to a desnaon host
• 0x20000000—file is submied to WildFire for a verdict
• 0x10000000—enterprise credenal submission by end user
detected
• 0x08000000— source for the flow is an allow list and not
subject to recon protecon
• 0x02000000—IPv6 session
• 0x01000000—SSL session is decrypted (SSL Proxy)
• 0x00800000—session is denied via URL filtering
• 0x00400000—session has a NAT translaon performed
PAN-OS® Administrator’s Guide Version Version 9.1 510 ©2021 Palo Alto Networks, Inc.
Monitoring
Acon (acon) Acon taken for the session; possible values are:
• allow—session was allowed by policy
• deny—session was denied by policy
• drop—session was dropped silently
• drop ICMP—session was silently dropped with an ICMP
unreachable message to the host or applicaon
• reset both—session was terminated and a TCP reset is sent
to both the sides of the connecon
• reset client—session was terminated and a TCP reset is sent
to the client
• reset server—session was terminated and a TCP reset is sent
to the server
Bytes (bytes) Number of total bytes (transmit and receive) for the session.
PAN-OS® Administrator’s Guide Version Version 9.1 511 ©2021 Palo Alto Networks, Inc.
Monitoring
Packets (packets) Number of total packets (transmit and receive) for the session.
Category (category) URL category associated with the session (if applicable).
Sequence Number (seqno) A 64-bit log entry idenfier incremented sequenally; each log
type has a unique number space.
Acon Flags (aconflags) A bit field indicang if the log was forwarded to Panorama.
Source Country (srcloc) Source country or Internal region for private addresses;
maximum length is 32 bytes.
Desnaon Country (dstloc) Desnaon country or Internal region for private addresses.
Maximum length is 32 bytes.
Session End Reason The reason a session terminated. If the terminaon had
(session_end_reason) mulple causes, this field displays only the highest priority
reason. The possible session end reason values are as follows,
in order of priority (where the first is highest):
• threat—The firewall detected a threat associated with a
reset, drop, or block (IP address) acon.
• policy-deny—The session matched a security rule with a
deny or drop acon.
• decrypt-cert-validaon—The session terminated
because you configured the firewall to block SSL
forward proxy decrypon or SSL inbound inspecon
when the session uses client authencaon or when
the session uses a server cerficate with any of the
following condions: expired, untrusted issuer, unknown
status, or status verificaon me-out. This session
end reason also displays when the server cerficate
PAN-OS® Administrator’s Guide Version Version 9.1 512 ©2021 Palo Alto Networks, Inc.
Monitoring
PAN-OS® Administrator’s Guide Version Version 9.1 513 ©2021 Palo Alto Networks, Inc.
Monitoring
Device Group Hierarchy A sequence of idenficaon numbers that indicate the device
(dg_hier_level_1 to group’s locaon within a device group hierarchy. The firewall
dg_hier_level_4) (or virtual system) generang the log includes the idenficaon
number of each ancestor in its device group hierarchy. The
shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was
generated by a firewall (or virtual system) that belongs to
device group 45, and its ancestors are 34, and 12. To view the
device group names that correspond to the value 12, 34 or 45,
use one of the following methods:
API query:
/api/?type=op&cmd=<show><dg-hierarchy></dg-
hierarchy></show>
Virtual System Name The name of the virtual system associated with the session;
(vsys_name) only valid on firewalls enabled for mulple virtual systems.
Device Name (device_name) The hostname of the firewall on which the session was logged.
Acon Source (acon_source) Specifies whether the acon taken to allow or block an
applicaon was defined in the applicaon or in policy. The
acons can be allow, deny, drop, reset- server, reset-client or
reset-both for the session.
Source VM UUID (src_uuid) Idenfies the source universal unique idenfier for a guest
virtual machine in the VMware NSX environment.
Desnaon VM UUID Idenfies the desnaon universal unique idenfier for a guest
(dst_uuid) virtual machine in the VMware NSX environment.
PAN-OS® Administrator’s Guide Version Version 9.1 514 ©2021 Palo Alto Networks, Inc.
Monitoring
SCTP Chunks (chunks) Sum of SCTP chunks sent and received for an associaon.
Rule UUID (rule_uuid) The UUID that permanently idenfies the rule.
App Flap Count Number of link flaps that occurred during the session.
(link_change_count)
Link Switches (link_switches) Contains up to four link flap entries, with each entry containing
the link name, link tag, link type, physical interface, mestamp,
bytes read, bytes wrien, link health, and link flap cause.
PAN-OS® Administrator’s Guide Version Version 9.1 515 ©2021 Palo Alto Networks, Inc.
Monitoring
Dynamic User Group Name Name of the dynamic user group that contains the user who
(dynusergroup_name) iniated the session.
Receive Time Time the log was received at the management plane.
(receive_me or cef-
formaed-receive_me)
Serial Number (serial #) Serial number of the firewall that generated the log.
PAN-OS® Administrator’s Guide Version Version 9.1 516 ©2021 Palo Alto Networks, Inc.
Monitoring
NAT Source IP (natsrc) If source NAT performed, the post-NAT source IP address.
Rule Name (rule) Name of the rule that the session matched.
Source User (srcuser) Username of the user who iniated the session.
Desnaon User Username of the user to which the session was desned.
(dstuser)
Log Acon (logset) Log Forwarding Profile that was applied to the session.
PAN-OS® Administrator’s Guide Version Version 9.1 517 ©2021 Palo Alto Networks, Inc.
Monitoring
Repeat Count Number of sessions with same Source IP, Desnaon IP,
(repeatcnt) Applicaon, and Content/Threat Type seen within 5 seconds.
Flags (flags) 32-bit field that provides details on session; this field can be
decoded by AND-ing the values with the logged value:
• 0x80000000—session has a packet capture (PCAP)
• 0x40000000—opon is enabled to allow a client to use mulple
paths to connect to a desnaon host
• 0x20000000—file is submied to WildFire for a verdict
• 0x10000000—enterprise credenal submission by end user
detected
• 0x08000000— source for the flow is on an allow list and not
subject to recon protecon
• 0x02000000—IPv6 session
• 0x01000000—SSL session is decrypted (SSL Proxy)
• 0x00800000—session is denied via URL filtering
• 0x00400000—session has a NAT translaon performed
• 0x00200000—user informaon for the session was captured
through Capve Portal
• 0x00100000—applicaon traffic is on a non-standard desnaon
port
• 0x00080000 —X-Forwarded-For value from a proxy is in the
source user field
• 0x00040000 —log corresponds to a transacon within a hp
proxy session (Proxy Transacon)
• 0x00020000—Client to Server flow is subject to policy based
forwarding
• 0x00010000—Server to Client flow is subject to policy based
forwarding
• 0x00008000 —session is a container page access (Container
Page)
PAN-OS® Administrator’s Guide Version Version 9.1 518 ©2021 Palo Alto Networks, Inc.
Monitoring
Acon (acon) Acon taken for the session; values are alert, allow, deny, drop,
drop-all-packets, reset-client, reset-server, reset-both, block-url.
• alert—threat or URL detected but not blocked
• allow— flood detecon alert
• deny—flood detecon mechanism acvated and deny traffic
based on configuraon
• drop— threat detected and associated session was dropped
• reset-client —threat detected and a TCP RST is sent to the client
• reset-server —threat detected and a TCP RST is sent to the
server
• reset-both —threat detected and a TCP RST is sent to both the
client and the server
• block-url —URL request was blocked because it matched a URL
category that was set to be blocked
• block-ip—threat detected and client IP is blocked
• random-drop—flood detected and packet was randomly dropped
• sinkhole—DNS sinkhole acvated
• syncookie-sent—syncookie alert
• block-connue (URL subtype only)—a HTTP request is blocked
and redirected to a Connue page with a buon for confirmaon
to proceed
• connue (URL subtype only)—response to a block-connue URL
connue page indicang a block-connue request was allowed
to proceed
• block-override (URL subtype only)—a HTTP request is blocked
and redirected to an Admin override page that requires a pass
code from the firewall administrator to connue
PAN-OS® Administrator’s Guide Version Version 9.1 519 ©2021 Palo Alto Networks, Inc.
Monitoring
Threat/Content Name Palo Alto Networks idenfier for the threat. It is a descripon string
(thread) followed by a 64-bit numerical idenfier in parentheses for some
Subtypes:
• 8000 – 8099— scan detecon
• 8500 – 8599— flood detecon
• 9999— URL filtering log
• 10000 – 19999 —spyware phone home detecon
• 20000 – 29999 —spyware download detecon
• 30000 – 44999 —vulnerability exploit detecon
• 52000 – 52999— filetype detecon
• 60000 – 69999 —data filtering detecon
Category (category) For URL Subtype, it is the URL Category; For WildFire subtype, it is
the verdict on the file and is either ‘malware’, ‘phishing’, ‘grayware’,
or ‘benign’; For other subtypes, the value is ‘any’.
PAN-OS® Administrator’s Guide Version Version 9.1 520 ©2021 Palo Alto Networks, Inc.
Monitoring
Severity (severity) Severity associated with the threat; values are informaonal, low,
medium, high, crical.
Sequence Number A 64-bit log entry idenfier incremented sequenally. Each log type
(seqno) has a unique number space.
Acon Flags (aconflags) A bit field indicang if the log was forwarded to Panorama.
Source Country (srcloc) Source country or Internal region for private addresses. Maximum
length is 32 bytes.
PCAP ID (pcap_id) The packet capture (pcap) ID is a 64 bit unsigned integral denong
an ID to correlate threat pcap files with extended pcaps taken as a
part of that flow. All threat logs will contain either a pcap_id of 0 (no
associated pcap), or an ID referencing the extended pcap file.
File Digest (filedigest) Only for WildFire subtype; all other types do not use this field
The filedigest string shows the binary hash of the file sent to be
analyzed by the WildFire service.
Cloud (cloud) Only for WildFire subtype; all other types do not use this field.
The cloud string displays the FQDN of either the WildFire appliance
(private) or the WildFire cloud (public) from where the file was
uploaded for analysis.
PAN-OS® Administrator’s Guide Version Version 9.1 521 ©2021 Palo Alto Networks, Inc.
Monitoring
User Agent (user_agent) Only for the URL Filtering subtype; all other types do not use this
field.
The User Agent field specifies the web browser that the user used
to access the URL, for example Internet Explorer. This informaon is
sent in the HTTP request to the server.
File Type (filetype) Only for WildFire subtype; all other types do not use this field.
Specifies the type of file that the firewall forwarded for WildFire
analysis.
X-Forwarded-For (xff) Only for the URL Filtering subtype; all other types do not use this
field.
The X-Forwarded-For field in the HTTP header contains the IP
address of the user who requested the web page. It allows you to
idenfy the IP address of the user, which is useful parcularly if
you have a proxy server on your network that replaces the user IP
address with its own address in the source IP address field of the
packet header.
Referer (referer) Only for the URL Filtering subtype; all other types do not use this
field.
The Referer field in the HTTP header contains the URL of the web
page that linked the user to another web page; it is the source
that redirected (referred) the user to the web page that is being
requested.
Report ID (repord) Only for WildFire subtype; all other types do not use this field.
Idenfies the analysis request on the WildFire cloud or the WildFire
appliance.
PAN-OS® Administrator’s Guide Version Version 9.1 522 ©2021 Palo Alto Networks, Inc.
Monitoring
Device Group Hierarchy A sequence of idenficaon numbers that indicate the device
(dg_hier_level_1 to group’s locaon within a device group hierarchy. The firewall (or
dg_hier_level_4) virtual system) generang the log includes the idenficaon number
of each ancestor in its device group hierarchy. The shared device
group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was
generated by a firewall (or virtual system) that belongs to device
group 45, and its ancestors are 34, and 12. To view the device group
names that correspond to the value 12, 34 or 45, use one of the
following methods:
API query:
/api/?type=op&cmd=<show><dg-hierarchy></dg-
hierarchy></show>
Virtual System Name The name of the virtual system associated with the session; only
(vsys_name) valid on firewalls enabled for mulple virtual systems.
Device Name The hostname of the firewall on which the session was logged.
(device_name)
Source VM UUID Idenfies the source universal unique idenfier for a guest virtual
(src_uuid) machine in the VMware NSX environment.
Desnaon VM UUID Idenfies the desnaon universal unique idenfier for a guest
(dst_uuid) virtual machine in the VMware NSX environment.
HTTP Method Only in URL filtering logs. Describes the HTTP Method used in
(hp_method) the web request. Only the following methods are logged: Connect,
Delete, Get, Head, Opons, Post, Put.
Parent Session ID ID of the session in which this session is tunneled. Applies to inner
(parent_session_id) tunnel (if two levels of tunneling) or inside content (if one level of
tunneling) only.
PAN-OS® Administrator’s Guide Version Version 9.1 523 ©2021 Palo Alto Networks, Inc.
Monitoring
Threat Category Describes threat categories used to classify different types of threat
(thr_category) signatures.
Content Version Applicaons and Threats version on your firewall when the log was
(contentver) generated.
SCTP Associaon ID Number that idenfies all connecons for an associaon between
(assoc_id) two SCTP endpoints.
Payload Protocol ID ID of the protocol for the payload in the data poron of the
(ppid)
data chunk.
HTTP Headers Indicates the inserted HTTP header in the URL log entries on the
(hp_headers) firewall.
URL Category List Lists the URL Filtering categories that the firewall used to enforce
policy.
Rule UUID (rule_uuid) The UUID that permanently idenfies the rule.
Dynamic User The name of the dynamic user group that contains the user who
Group Name iniated the session.
(dynusergroup_name)
Receive Time Time the log was received at the management plane.
(receive_me or
PAN-OS® Administrator’s Guide Version Version 9.1 524 ©2021 Palo Alto Networks, Inc.
Monitoring
Serial Number Serial number of the firewall that generated the log.
(serial)
Virtual System (vsys) Virtual System associated with the HIP match log.
Operang System The operang system installed on the user’s machine or device (or on
(os) the client system).
HIP Type Whether the hip field represents a HIP object or a HIP profile.
(matchtype)
Sequence Number A 64-bit log entry idenfier incremented sequenally; each log type has
(seqno) a unique number space.
Acon Flags A bit field indicang if the log was forwarded to Panorama.
(aconflags)
Device Group A sequence of idenficaon numbers that indicate the device group’s
Hierarchy locaon within a device group hierarchy. The firewall (or virtual system)
(dg_hier_level_1 to generang the log includes the idenficaon number of each ancestor
dg_hier_level_4)
PAN-OS® Administrator’s Guide Version Version 9.1 525 ©2021 Palo Alto Networks, Inc.
Monitoring
/api/?type=op&cmd=<show><dg-hierarchy></dg-
hierarchy></show>
Virtual System The name of the virtual system associated with the session; only valid
Name (vsys_name) on firewalls enabled for mulple virtual systems.
Device Name The hostname of the firewall on which the session was logged.
(device_name)
Virtual System ID A unique idenfier for a virtual system on a Palo Alto Networks firewall.
(vsys_id)
PAN-OS® Administrator’s Guide Version Version 9.1 526 ©2021 Palo Alto Networks, Inc.
Monitoring
Receive Time The me that the log was received at the management plane.
(receive_me)
Serial # (serial) The serial number of the firewall that generated the log.
Sequence Number A 64-bit log entry idenfier incremented sequenally; each log type
(seqno) has a unique number space.
Acon Flags A bit field indicang if the log was forwarded to Panorama.
(aconflags)
Generate Time The me that the log was generated on the dataplane.
(me_generated)
Virtual System (vsys) The Virtual System associated with the session.
Stage (stage) A string showing the stage of the connecon (for example, before-
login, login, or tunnel).
PAN-OS® Administrator’s Guide Version Version 9.1 527 ©2021 Palo Alto Networks, Inc.
Monitoring
Source User (srcuser) The username of the user who iniated the session.
Source Region The region for the user who iniated the session.
(srcregion)
Public IP (public_ip) The public IP address for the user who iniated the session.
Public IPv6 The public IPv6 address for the user who iniated the session.
(public_ipv6)
Private IP (private_ip) The private IP address for the user who iniated the session.
Private IPv6 The private IPv6 address for the user who iniated the session.
(private_ipv6)
Host ID (hosd) The unique ID that GlobalProtect assigns to idenfy the host.
Client OS (client_os) The client device’s OS type (for example, Windows or Linux).
Repeat Count The number of sessions with the same source IP address, desnaon
(repeatcnt) IP address, applicaon, and subtype that GlobalProtect has detected
within the last five seconds.
Reason (reason) A string that shows the reason for the quaranne.
Error (error) A string showing that error that has occurred in any event.
PAN-OS® Administrator’s Guide Version Version 9.1 528 ©2021 Palo Alto Networks, Inc.
Monitoring
Descripon (opaque) Addional informaon for any event that has occurred.
Login Duraon The length of me, in seconds, the user is connected to the
(login_duraon) GlobalProtect gateway from logging in to logging out.
Connect Method A string showing the how the GlobalProtect app connects to Gateway,
(connect_method) (for example, on-demand or user-logon.
Receive Time The me that the log was received at the management plane.
(receive_me)
Serial # (serial) The serial number of the firewall that generated the log.
PAN-OS® Administrator’s Guide Version Version 9.1 529 ©2021 Palo Alto Networks, Inc.
Monitoring
Generate Time The me that the log was generated on the dataplane.
(me_generated)
Virtual System (vsys) The Virtual System associated with the session.
Stage (stage) A string showing the stage of the connecon (for example, before-
login, login, or tunnel).
Source User (srcuser) The username of the user who iniated the session.
Source Region The region for the user who iniated the session.
(srcregion)
Public IP (public_ip) The public IP address for the user who iniated the session.
Public IPv6 The public IPv6 address for the user who iniated the session.
(public_ipv6)
Private IP (private_ip) The private IP address for the user who iniated the session.
Private IPv6 The private IPv6 address for the user who iniated the session.
(private_ipv6)
PAN-OS® Administrator’s Guide Version Version 9.1 530 ©2021 Palo Alto Networks, Inc.
Monitoring
Host ID (hosd) The unique ID that GlobalProtect assigns to idenfy the host.
Client OS (client_os) The client device’s OS type (for example, Windows or Linux).
Repeat Count The number of sessions with the same source IP address, desnaon
(repeatcnt) IP address, applicaon, and subtype that GlobalProtect has detected
within the last five seconds.
Reason (reason) A string that shows the reason for the quaranne.
Error (error) A string showing that error that has occurred in any event.
Descripon (opaque) Addional informaon for any event that has occurred.
Login Duraon The length of me, in seconds, the user is connected to the
(login_duraon) GlobalProtect gateway from logging in to logging out.
Connect Method A string showing the how the GlobalProtect app connects to Gateway,
(connect_method) (for example, on-demand or user-logon.
Sequence Number A 64-bit log entry idenfier incremented sequenally; each log type
(seqno) has a unique number space.
Acon Flags A bit field indicang if the log was forwarded to Panorama.
(aconflags)
PAN-OS® Administrator’s Guide Version Version 9.1 531 ©2021 Palo Alto Networks, Inc.
Monitoring
Receive Time The me the log was received at the management plane.
(receive_me or
cef-formaed-
receive_me)
Serial Number (serial) The serial number of the firewall that generated the log.
Generated Time The me the log was generated on the dataplane.
(me_generated
or cef-formaed-
me_generated)
Virtual System (vsys) The virtual system associated with the HIP match log.
Repeat Count The number of sessions with the same Source IP, Desnaon IP,
(repeatcnt) Applicaon, and Subtype seen within 5 seconds.
Timeout (meout) The amount of me before the IP address-to-tag mapping expires for
the source IP address.
Data Source Name The name of the source from which mapping informaon is collected.
(datasourcename)
Data Source Type The source from which mapping informaon is collected.
(datasource_type)
Data Source Subtype The mechanism used to idenfy the IP address-to-username mappings
(datasource_subtype) within a data source.
PAN-OS® Administrator’s Guide Version Version 9.1 532 ©2021 Palo Alto Networks, Inc.
Monitoring
Sequence Number A 64-bit log entry idenfier incremented sequenally. Each log type
(seqno) has a unique number space.
Acon Flags A bit field indicang whether the log was forwarded to Panorama.
(aconflags)
Device Group A sequence of idenficaon numbers that indicates the locaon of the
Hierarchy device group within a device group hierarchy. The firewall (or virtual
(dg_hier_level_1 to system) generang the log includes the idenficaon number of each
dg_hier_level_4) ancestor in its device group hierarchy except the shared device group
(level 0), which is not included in this structure.
If the log values are 12, 34, 45, and 0, it means that the log was
generated by a firewall (or virtual system) that belongs to device group
45 and its ancestors are 34 and 12. To view the device group names
that correspond to the value 12, 34, or 45, use one of the following
methods:
API query:
/api/?type=op&cmd=<show><dg-hierarchy></dg-
hierarchy></show>
Virtual System Name The name of the virtual system associated with the session; only valid
(vsys_name) on firewalls enabled for mulple virtual systems.
Device Name The hostname of the firewall on which the session was logged.
(device_name)
Virtual System ID A unique idenfier for a virtual system on a Palo Alto Networks
(vsys_id) firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 533 ©2021 Palo Alto Networks, Inc.
Monitoring
Receive Time Time the log was received at the management plane.
(receive_me or cef-
formaed-receive_me)
Serial Number (serial) Serial number of the firewall that generated the log.
Threat/Content Type Subtype of User-ID log; values are login, logout, register-tag, and
(subtype) unregister-tag.
• login—User logged in.
• logout—User logged out.
• register-tag—Indicates a tag or tags were registered for the user.
• unregister-tag—Indicates a tag or tags were unregistered for the
user.
Generated Time The me the log was generated on the dataplane.
(me_generated
or cef-formaed-
me_generated)
Virtual System (vsys) Virtual System associated with the configuraon log.
Data Source Name User-ID source that sends the IP (Port)-User Mapping.
(datasourcename)
Repeat Count Number of sessions with same Source IP, Desnaon IP,
(repeatcnt) Applicaon, and Subtype seen within 5 seconds.
Time Out Threshold Timeout aer which the IP/User Mappings are cleared.
(meout)
PAN-OS® Administrator’s Guide Version Version 9.1 534 ©2021 Palo Alto Networks, Inc.
Monitoring
Data Source Type Mechanism used to idenfy the IP/User mappings within a data
(datasourcetype) source.
Sequence Number Serial number of the firewall that generated the log.
(seqno)
Acon Flags (aconflags) A bit field indicang if the log was forwarded to Panorama.
Device Group Hierarchy A sequence of idenficaon numbers that indicate the device
(dg_hier_level_1 to group’s locaon within a device group hierarchy. The firewall (or
dg_hier_level_4) virtual system) generang the log includes the idenficaon number
of each ancestor in its device group hierarchy. The shared device
group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was
generated by a firewall (or virtual system) that belongs to device
group 45, and its ancestors are 34, and 12. To view the device group
names that correspond to the value 12, 34 or 45, use one of the
following methods:
API query: /api/?type=op&cmd=<show><dg-hierarchy></
dg-hierarchy></show>
Virtual System Name The name of the virtual system associated with the session; only
(vsys_name) valid on firewalls enabled for mulple virtual systems.
Device Name The hostname of the firewall on which the session was logged.
(device_name)
Virtual System ID A unique idenfier for a virtual system on a Palo Alto Networks
(vsys_id) firewall.
Factor Type (factortype) Vendor used to authencate a user when Mul Factor
authencaon is present.
Factor Number Indicates the use of primary authencaon (1) or addional factors
(factorno) (2, 3).
User Group Flags Displays whether the user group that was found during user group
(ugflags) mapping. Supported values are:
• User Group Found—Indicates whether the user could be mapped
to a group.
PAN-OS® Administrator’s Guide Version Version 9.1 535 ©2021 Palo Alto Networks, Inc.
Monitoring
User by Source Indicates the username received from the source through IP
(userbysource) address-to-username mapping.
Receive Time Month, day, and me the log was received at the management plane.
(receive_me or
cef-formaed-
receive_me)
Serial Number (serial) Serial number of the firewall that generated the log.
Threat/Content Type Subtype of traffic log; values are start, end, drop, and deny
(subtype)
• Start—session started
• End—session ended
• Drop—session dropped before the applicaon is idenfied and there
is no rule that allows the session.
• Deny—session dropped aer the applicaon is idenfied and there
is a rule to block or no rule that allows the session.
PAN-OS® Administrator’s Guide Version Version 9.1 536 ©2021 Palo Alto Networks, Inc.
Monitoring
Rule Name (rule) Name of the Security policy rule in effect on the session.
Log Acon (logset) Log Forwarding Profile that was applied to the session.
Repeat Count Number of sessions with same Source IP, Desnaon IP, Applicaon,
(repeatcnt) and Subtype seen within 5 seconds.
PAN-OS® Administrator’s Guide Version Version 9.1 537 ©2021 Palo Alto Networks, Inc.
Monitoring
Flags (flags) 32-bit field that provides details on session; this field can be decoded
by AND-ing the values with the logged value:
• 0x80000000 —session has a packet capture (PCAP)
• 0x02000000 —IPv6 session
• 0x01000000 —SSL session was decrypted (SSL Proxy)
• 0x00800000 —session was denied via URL filtering
• 0x00400000 —session has a NAT translaon performed (NAT)
• 0x00200000 —user informaon for the session was captured via
the capve portal (Capve Portal)
• 0x00080000 —X-Forwarded-For value from a proxy is in the source
user field
• 0x00040000 —log corresponds to a transacon within a hp proxy
session (Proxy Transacon)
• 0x00008000 —session is a container page access (Container Page)
• 0x00002000 —session has a temporary match on a rule for implicit
applicaon dependency handling. Available in PAN-OS 5.0.0 and
above.
• 0x00000800 —symmetric return was used to forward traffic for this
session
Acon (acon) Acon taken for the session; possible values are:
• Allow—session was allowed by policy
• Deny—session was denied by policy
• Drop—session was dropped silently
• Drop ICMP—session was silently dropped with an ICMP
unreachable message to the host or applicaon
• Reset both—session was terminated and a TCP reset is sent to both
the sides of the connecon
• Reset client—session was terminated and a TCP reset is sent to the
client
• Reset server—session was terminated and a TCP reset is sent to the
server
PAN-OS® Administrator’s Guide Version Version 9.1 538 ©2021 Palo Alto Networks, Inc.
Monitoring
Severity (severity) Severity associated with the event; values are informaonal, low,
medium, high, crical.
Sequence Number A 64-bit log entry idenfier incremented sequenally; each log type
(seqno) has a unique number space. This field is not supported on PA-7000
Series firewalls.
Acon Flags A bit field indicang if the log was forwarded to Panorama.
(aconflags)
Source Locaon Source country or Internal region for private addresses; maximum
(srcloc) length is 32 bytes.
Desnaon Locaon Desnaon country or Internal region for private addresses. Maximum
(dstloc) length is 32 bytes.
Device Group A sequence of idenficaon numbers that indicate the device group’s
Hierarchy locaon within a device group hierarchy. The firewall (or virtual system)
(dg_hier_level_1 to generang the log includes the idenficaon number of each ancestor
dg_hier_level_4) in its device group hierarchy. The shared device group (level 0) is not
included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated
by a firewall (or virtual system) that belongs to device group 45,
and its ancestors are 34, and 12. To view the device group names
that correspond to the value 12, 34 or 45, use one of the following
methods:
API query:
/api/?type=op&cmd=<show><dg-hierarchy></dg-
hierarchy></show>
Virtual System Name The name of the virtual system associated with the session; only valid
(vsys_name) on firewalls enabled for mulple virtual systems.
Device Name The hostname of the firewall on which the session was logged.
(device_name)
Tunnel ID (tunnelid) ID of the tunnel being inspected or the Internaonal Mobile Subscriber
Identy (IMSI) ID of the mobile user.
Monitor Tag Monitor name you configured for the Tunnel Inspecon policy rule or
(monitortag) the Internaonal Mobile Equipment Identy (IMEI) ID of the mobile
device.
PAN-OS® Administrator’s Guide Version Version 9.1 539 ©2021 Palo Alto Networks, Inc.
Monitoring
Parent Session ID ID of the session in which this session is tunneled. Applies to inner
(parent_session_id) tunnel (if two levels of tunneling) or inside content (if one level of
tunneling) only.
Parent Start Time Year/month/day hours:minutes:seconds that the parent tunnel session
(parent_start_me) began.
Packets (packets) Number of total packets (transmit and receive) for the session.
Maximum Number of packets the firewall dropped because the packet exceeded
Encapsulaon the maximum number of encapsulaon levels configured in the Tunnel
(max_encap) Inspecon policy rule (Drop packet if over maximum tunnel inspecon
level).
Unknown Protocol Number of packets the firewall dropped because the packet contains
(unknown_proto) an unknown protocol, as enabled in the Tunnel Inspecon policy rule
(Drop packet if unknown protocol inside tunnel).
Strict Checking Number of packets the firewall dropped because the tunnel protocol
(strict_check) header in the packet failed to comply with the RFC for the tunnel
protocol, as enabled in the Tunnel Inspecon policy rule (Drop packet
if tunnel protocol fails strict header check).
PAN-OS® Administrator’s Guide Version Version 9.1 540 ©2021 Palo Alto Networks, Inc.
Monitoring
Session End Reason The reason a session terminated. If the terminaon had mulple
(session_end_reason) causes, this field displays only the highest priority reason. The possible
session end reason values are as follows, in order of priority (where the
first is highest):
• threat—The firewall detected a threat associated with a reset, drop,
or block (IP address) acon.
• policy-deny—The session matched a security rule with a deny or
drop acon.
• decrypt-cert-validaon—The session terminated because you
configured the firewall to block SSL forward proxy decrypon or
SSL inbound inspecon when the session uses client authencaon
or when the session uses a server cerficate with any of the
following condions: expired, untrusted issuer, unknown status, or
status verificaon me-out. This session end reason also displays
when the server cerficate produces a fatal error alert of type
bad_cerficate, unsupported_cerficate, cerficate_revoked,
access_denied, or no_cerficate_RESERVED (SSLv3 only).
• decrypt-unsupport-param—The session terminated because you
configured the firewall to block SSL forward proxy decrypon or
SSL inbound inspecon when the session uses an unsupported
protocol version, cipher, or SSH algorithm. This session end
reason is displays when the session produces a fatal error
alert of type unsupported_extension, unexpected_message, or
handshake_failure.
• decrypt-error—The session terminated because you configured
the firewall to block SSL forward proxy decrypon or SSL inbound
inspecon when firewall resources or the hardware security module
(HSM) were unavailable. This session end reason is also displayed
when you configured the firewall to block SSL traffic that has SSH
errors or that produced any fatal error alert other than those listed
for the decrypt-cert-validaon and decrypt-unsupport-param end
reasons.
• tcp-rst-from-client—The client sent a TCP reset to the server.
• tcp-rst-from-server—The server sent a TCP reset to the client.
• resources-unavailable—The session dropped because of a system
resource limitaon. For example, the session could have exceeded
the number of out-of-order packets allowed per flow or the global
out-of-order packet queue.
• tcp-fin—One host or both hosts in the connecon sent a TCP FIN
message to close the session.
PAN-OS® Administrator’s Guide Version Version 9.1 541 ©2021 Palo Alto Networks, Inc.
Monitoring
Acon Source Specifies whether the acon taken to allow or block an applicaon was
(acon_source) defined in the applicaon or in policy. The acons can be allow, deny,
drop, reset- server, reset-client or reset-both for the session.
Tunnel Name of the tunnel inspecon rule matching the cleartext tunnel
Inspecon Rule traffic.
(tunnel_insp_rule)
Remote User ID IMSI identy of a remote user, and if available, one IMEI identy or
(remote_user_id) one MSISDN identy.
Security Rule UUID The UUID that permanently idenfies the rule.
(rule_uuid)
PCAP ID (pcap_id) Unique packet capture ID that defines the locaon of the pcap file on
the firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 542 ©2021 Palo Alto Networks, Inc.
Monitoring
Dynamic User The name of the dynamic user group that contains the user who
Group Name iniated the session.
(dynusergroup_name)
Receive Time (receive_me Time the log was received at the management plane.
or cef-formaed-
receive_me)
Serial Number (serial) Serial number of the firewall that generated the log.
Rule Name (rule) Name of the Security policy rule in effect on the session.
PAN-OS® Administrator’s Guide Version Version 9.1 543 ©2021 Palo Alto Networks, Inc.
Monitoring
Log Acon (logset) Log Forwarding Profile that was applied to the session.
Repeat Count (repeatcnt) Number of sessions with same Source IP, Desnaon IP,
Applicaon, and Subtype seen within 5 seconds.
Acon (acon) Acon taken for the session; possible values are:
• allow—session was allowed by the policy
• deny—session was denied by the policy
Device Group Hierarchy A sequence of idenficaon numbers that indicate the device
(dg_hier_level_1 to group’s locaon within a device group hierarchy. The firewall
dg_hier_level_4) (or virtual system) generang the log includes the idenficaon
number of each ancestor in its device group hierarchy. The
shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was
generated by a firewall (or virtual system) that belongs to
device group 45, and its ancestors are 34, and 12. To view the
device group names that correspond to the value 12, 34 or 45,
use one of the following methods:
API query:
/api/?type=op&cmd=<show><dg-hierarchy></dg-
hierarchy></show>
Virtual System Name The name of the virtual system associated with the session;
(vsys_name) only valid on firewalls enabled for mulple virtual systems.
Device Name (device_name) The hostname of the firewall on which the session was logged.
PAN-OS® Administrator’s Guide Version Version 9.1 544 ©2021 Palo Alto Networks, Inc.
Monitoring
Sequence Number (seqno) A 64-bit log entry idenfier incremented sequenally; each log
type has a unique number space.
Payload Protocol ID (ppid) Idenfies the Payload Protocol ID (PPID) in the data chunk
which triggered this event. PPID is assigned by Internet
Assigned Numbers Authority (IANA).
Severity (severity) Severity associated with the event; values are informaonal,
low, medium, high, crical.
SCTP Chunk Type Describes the type of informaon contained in a chunk, such
(sctp_chunk_type) as control or data.
SCTP Event Type Defines the event triggered per SCTP chunk or packet when
(sctp_event_type) SCTP protecon profile is applied to the SCTP traffic. It is also
triggered by start or end of a SCTP associaon.
SCTP Verificaon Tag 1 Used by endpoint1 which iniates the associaon to verify if
(verif_tag_1) the SCTP packet received belongs to current SCTP associaon
and validate the endpoint2.
SCTP Verificaon Tag 2 Used by endpoint2 to verify if the SCTP packet received
(verif_tag_2) belongs to current SCTP associaon and validate the
endpoint1.
SCTP Cause Code Sent by an endpoint to specify reason for an error condion to
(sctp_cause_code) other endpoint of same SCTP associaon.
Diameter App ID The diameter applicaon in the data chunk which triggered
(diam_app_id) the event. Diameter Applicaon ID is assigned by Internet
Assigned Numbers Authority (IANA).
Diameter Command Code The diameter command code in the data chunk which triggered
(diam_cmd_code) the event. Diameter Command Code is assigned by Internet
Assigned Numbers Authority (IANA)
Diameter AVP Code The diameter AVP code in the data chunk which triggered the
(diam_avp_code) event.
SCTP Stream ID (stream_id) ID of the stream which carries the data chunk which triggered
the event.
PAN-OS® Administrator’s Guide Version Version 9.1 545 ©2021 Palo Alto Networks, Inc.
Monitoring
SCTP Associaon End Reason an associaon was terminated. If the terminaon had
Reason (assoc_end_reason) mulple causes, the highest priority reason is displayed. The
possible session end reasons in descending priority are:
• shutdown-from-endpoint (highest)—endpoint sends out
SHUTDOWN
• abort-from-endpoint—endpoint sends out ABORT
• unknown (lowest)—the associaon aged out, or associaon
terminaon reason is not covered by one of the previous
reasons (for example, a clear session all command).
SCCP Calling Party SSN The Signaling Connecon Control Part (SCCP) calling party
(sccp_calling_ssn) subsystem number (SSN) in the data chunk which triggered the
event.
SCCP Calling Party Global The Signaling Connecon Control Part (SCCP) calling party
Title (sccp_calling_gt) global tle (GT) in the data chunk which triggered the event.
SCTP Filter (sctp_filter) Name of the filter that the SCTP chunk matched.
SCTP Chunks (chunks) Number of total chunks (transmit and receive) for the
associaon.
Packets (packets) Number of total packets (transmit and receive) for the session.
UUID for rule (rule_uuid) The UUID that permanently idenfies the rule.
PAN-OS® Administrator’s Guide Version Version 9.1 546 ©2021 Palo Alto Networks, Inc.
Monitoring
Repeat Count, Authencaon ID, Vendor, Log Acon, Server Profile, Descripon, Client Type,
Event Type, Factor Number, Sequence Number, Acon Flags, Device Group Hierarchy 1, Device
Group Hierarchy 2, Device Group Hierarchy 3, Device Group Hierarchy 4, Virtual System Name,
Device Name, Virtual System ID, Authencaon Protocol, UUID for rule
Receive Time Time the log was received at the management plane.
(receive_me or
cef-formaed-
receive_me)
Serial Number (serial) Serial number of the device that generated the log.
Threat/Content Type Subtype of the system log; refers to the system daemon generang the
(subtype) log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha,
hw, nat, ntpd, pbf, port, pppoe, ras, roung, satd, sslmgr, sslvpn, userid,
url-filtering, vpn.
Object (object) Name of the object associated with the system event.
Authencaon Policy Policy invoked for authencaon before allowing access to a protected
(authpolicy) resource.
Repeat Count Number of sessions with same Source IP, Desnaon IP, Applicaon,
(repeatcnt) and Subtype seen within 5 seconds.
PAN-OS® Administrator’s Guide Version Version 9.1 547 ©2021 Palo Alto Networks, Inc.
Monitoring
Log Acon (logset) Log Forwarding Profile that was applied to the session.
Factor Number Indicates the use of primary authencaon (1) or addional factors (2,
(factorno) 3).
Sequence Number A 64-bit log entry idenfier incremented sequenally. Each log type
(seqno) has a unique number space.
Acon Flags A bit field indicang if the log was forwarded to Panorama.
(aconflags)
Device Group A sequence of idenficaon numbers that indicate the device group’s
Hierarchy locaon within a device group hierarchy. The firewall (or virtual system)
(dg_hier_level_1 to generang the log includes the idenficaon number of each ancestor
dg_hier_level_4) in its device group hierarchy. The shared device group (level 0) is not
included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated
by a firewall (or virtual system) that belongs to device group 45,
and its ancestors are 34, and 12. To view the device group names
that correspond to the value 12, 34 or 45, use one of the following
methods:
API query:
/api/?type=op&cmd=<show><dg-hierarchy></dg-
hierarchy></show>
Virtual System Name The name of the virtual system associated with the session; only valid
(vsys_name) on firewalls enabled for mulple virtual systems.
Device Name The hostname of the firewall on which the session was logged.
(device_name)
Virtual System ID A unique idenfier for a virtual system on a Palo Alto Networks
(vsys_id) firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 548 ©2021 Palo Alto Networks, Inc.
Monitoring
Authencaon Indicates the authencaon protocol used by the server. For example,
Protocol (authproto) PEAP with GTC.
UUID for rule The UUID that permanently idenfies the rule.
(rule_uuid)
Receive Time Time the log was received at the management plane.
(receive_me or
cef-formaed-
receive_me)
Serial Number Serial number of the device that generated the log.
(serial)
Virtual System (vsys) Virtual System associated with the configuraon log
Command (cmd) Command performed by the Admin; values are add, clone, commit,
delete, edit, move, rename, set.
Client (client) Client used by the Administrator; values are Web and CLI
PAN-OS® Administrator’s Guide Version Version 9.1 549 ©2021 Palo Alto Networks, Inc.
Monitoring
Result (result) Result of the configuraon acon; values are Submied, Succeeded,
Failed, and Unauthorized
Configuraon Path The path of the configuraon command issued; up to 512 bytes in
(path) length
Before This field is in custom logs only; it is not in the default format.
Change Detail
It contains the full xpath before the configuraon change.
(before_change_detail)
Aer Change Detail This field is in custom logs only; it is not in the default format.
(aer_change_detail)
It contains the full xpath aer the configuraon change.
Sequence Number A 64bit log entry idenfier incremented sequenally; each log type has
(seqno) a unique number space.
Acon Flags A bit field indicang if the log was forwarded to Panorama.
(aconflags)
Device Group A sequence of idenficaon numbers that indicate the device group’s
Hierarchy locaon within a device group hierarchy. The firewall (or virtual system)
(dg_hier_level_1 to generang the log includes the idenficaon number of each ancestor
dg_hier_level_4) in its device group hierarchy. The shared device group (level 0) is not
included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated
by a firewall (or virtual system) that belongs to device group 45, and
its ancestors are 34, and 12. To view the device group names that
correspond to the value 12, 34 or 45, use one of the following methods:
API query:
/api/?type=op&cmd=<show><dg-hierarchy></dg-
hierarchy></show>
Virtual System The name of the virtual system associated with the session; only valid
Name (vsys_name) on firewalls enabled for mulple virtual systems.
Device Name The hostname of the firewall on which the session was logged.
(device_name)
Device Group (dg_id) The device group the firewall belongs to if managed by a Panorama™
management server.
Audit Comment The audit comment entered in a policy rule configuraon change.
(comment)
PAN-OS® Administrator’s Guide Version Version 9.1 550 ©2021 Palo Alto Networks, Inc.
Monitoring
Receive Time Time the log was received at the management plane.
(receive_me or
cef-formaed-
receive_me)
Serial Number (serial) Serial number of the firewall that generated the log.
Content/Threat Type Subtype of the system log; refers to the system daemon generang the
(subtype) log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha,
hw, nat, ntpd, pbf, port, pppoe, ras, roung, satd, sslmgr, sslvpn, userid,
url-filtering, vpn.
Virtual System (vsys) Virtual System associated with the configuraon log.
Object (object) Name of the object associated with the system event.
Module (module) This field is valid only when the value of the Subtype field is general. It
provides addional informaon about the sub-system generang the
log; values are general, management, auth, ha, upgrade, chassis.
Severity (severity) Severity associated with the event; values are informaonal, low,
medium, high, crical.
Sequence Number A 64-bit log entry idenfier incremented sequenally; each log type
(seqno) has a unique number space.
PAN-OS® Administrator’s Guide Version Version 9.1 551 ©2021 Palo Alto Networks, Inc.
Monitoring
Acon Flags A bit field indicang if the log was forwarded to Panorama.
(aconflags)
Device Group A sequence of idenficaon numbers that indicate the device group’s
Hierarchy locaon within a device group hierarchy. The firewall (or virtual system)
(dg_hier_level_1 to generang the log includes the idenficaon number of each ancestor
dg_hier_level_4) in its device group hierarchy. The shared device group (level 0) is not
included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated
by a firewall (or virtual system) that belongs to device group 45,
and its ancestors are 34, and 12. To view the device group names
that correspond to the value 12, 34 or 45, use one of the following
methods:
API query:
/api/?type=op&cmd=<show><dg-hierarchy></dg-
hierarchy></show>
Virtual System Name The name of the virtual system associated with the session; only valid
(vsys_name) on firewalls enabled for mulple virtual systems.
Device Name The hostname of the firewall on which the session was logged.
(device_name)
Receive Time Time the log was received at the management plane.
(receive_me or
cef-formaed-
receive_me)
Serial Number (serial) Serial number of the device that generated the log.
PAN-OS® Administrator’s Guide Version Version 9.1 552 ©2021 Palo Alto Networks, Inc.
Monitoring
Content/Threat Type Subtype of the system log; refers to the system daemon generang the
(subtype) log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha,
hw, nat, ntpd, pbf, port, pppoe, ras, roung, satd, sslmgr, sslvpn, userid,
url-filtering, vpn.
Source Address (src) IP address of the user who iniated the event.
Source User (srcuser) Username of the user who iniated the event.
Virtual System (vsys) Virtual System associated with the configuraon log.
Category (category) A summary of the kind of threat or harm posed to the network, user, or
host.
Severity (severity) Severity associated with the event; values are informaonal, low,
medium, high, crical.
Device Group A sequence of idenficaon numbers that indicate the device group’s
Hierarchy locaon within a device group hierarchy. The firewall (or virtual system)
(dg_hier_level_1 to generang the log includes the idenficaon number of each ancestor
dg_hier_level_4) in its device group hierarchy. The shared device group (level 0) is not
included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated
by a firewall (or virtual system) that belongs to device group 45,
and its ancestors are 34, and 12. To view the device group names
that correspond to the value 12, 34 or 45, use one of the following
methods:
API query:
/api/?type=op&cmd=<show><dg-hierarchy></dg-
hierarchy></show>
Virtual System Name The name of the virtual system associated with the session; only valid
(vsys_name) on firewalls enabled for mulple virtual systems.
Device Name The hostname of the firewall on which the session was logged.
(device_name)
Virtual System ID A unique idenfier for a virtual system on a Palo Alto Networks
(vsys_id) firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 553 ©2021 Palo Alto Networks, Inc.
Monitoring
Object Name Name of the correlaon object that was matched on.
(objectname)
Object ID (object_id) Name of the object associated with the system event.
Evidence (evidence) A summary statement that indicates how many mes the host has
matched against the condions defined in the correlaon object. For
example, Host visited known malware URl (19 mes).
Receive Time (receive_me Month, Day and me the log was received at the management
or cef-formaed- plane.
receive_me)
Serial Number (serial) Serial number of the firewall that generated the log.
Threat/Content Type Subtype of traffic log; values are start, end, drop, and deny
(subtype)
• Start—session started
• End—session ended
• Drop—session dropped before the applicaon is idenfied
and there is no rule that allows the session.
PAN-OS® Administrator’s Guide Version Version 9.1 554 ©2021 Palo Alto Networks, Inc.
Monitoring
Rule Name (rule) Name of the Security policy rule in effect on the session.
Log Acon (logset) Log Forwarding Profile that was applied to the session.
Acon (acon) Acon taken for the session; possible values are:
• allow—session was allowed by policy
• deny—session was denied by policy
GTP Event Type (event_type) Defines event triggered by a GTP message when checks in
GTP protecon profile are applied to the GTP traffic. Also
triggered by the start or end of a GTP session.
PAN-OS® Administrator’s Guide Version Version 9.1 555 ©2021 Palo Alto Networks, Inc.
Monitoring
Access Point Name (apn) Reference to a Packet Data Network Data Gateway (PGW)/
Gateway GPRS Support Node in a mobile network. Composed
of a mandatory APN Network Idenfier and an oponal APN
Operator Idenfier.
Radio Access Technology (rat) Type of technology used for radio access. For example,
EUTRAN, WLAN, Virtual, HSPA Evoluon, GAN and GERAN.
Tunnel Endpoint Idenfier1 Idenfies the GTP tunnel in the network node. TEID1 is the
(teid1) first TEID in the GTP message.
Tunnel Endpoint Idenfier2 Idenfies the GTP tunnel in the network node. TEID2 is the
(teid2) second TEID in the GTP message.
GTP Interface (gtp_interface) 3GPP interface from which a GTP message is received.
GTP Cause (cause_code) GTP cause value in logs responses which contain an
Informaon Element that provides informaon about
acceptance or rejecon of GTP requests by a network node.
Severity (severity) Severity associated with the event; values are informaonal,
low, medium, high, crical.
Serving Network MCC (mcc) Mobile country code of serving core network operator.
Serving Network MNC (mnc) Mobile network code of serving core network operator.
Area Code (area_code) Area within a Public Land Mobile Network (PLMN).
GTP Event Code (event_code) Event code describing the GTP event.
Source Locaon (srcloc) Source country or Internal region for private addresses;
maximum length is 32 bytes.
PAN-OS® Administrator’s Guide Version Version 9.1 556 ©2021 Palo Alto Networks, Inc.
Monitoring
Desnaon Locaon (dstloc) Desnaon country or Internal region for private addresses;
maximum length is 32 bytes.
Tunnel Inspecon Rule Name of the tunnel inspecon rule matching the cleartext
tunnel traffic
(tunnel_insp_rule)
Remote User ID IMSI identy of a remote user, and if available, one IMEI
(remote_user_id) identy and/or one MSISDN identy.
PCAP ID (pcap_id) Unique packet capture ID that is used to locate the pcap file
saved on the firewall.
Syslog Severity
The syslog severity is set based on the log type and contents.
Traffic Info
Config Info
Threat/System— Info
Informaonal
Threat/System—Low Noce
Threat/System—Medium Warning
PAN-OS® Administrator’s Guide Version Version 9.1 557 ©2021 Palo Alto Networks, Inc.
Monitoring
Threat/System—High Warning
Threat/System—Crical Crical
Escape Sequences
Any field that contains a comma or a double-quote is enclosed in double quotes. Furthermore, if
a double-quote appears inside a field it is escaped by preceding it with another double-quote. To
maintain backward compability, the Misc field in threat log is always enclosed in double-quotes.
PAN-OS® Administrator’s Guide Version Version 9.1 558 ©2021 Palo Alto Networks, Inc.
Monitoring
SNMP Support
You can use an SNMP manager to monitor event-driven alerts and operaonal stascs for the
firewall, Panorama, or WF-500 appliance and for the traffic they process. The stascs and traps
can help you idenfy resource limitaons, system changes or failures, and malware aacks. You
configure alerts by forwarding log data as traps, and enable the delivery of stascs in response to
GET messages (requests) from your SNMP manager. Each trap and stasc has an object idenfier
(OID). Related OIDs are organized hierarchically within the Management Informaon Bases (MIBs)
that you load into the SNMP manager to enable monitoring.
When an event triggers SNMP trap generaon (for example, an interface goes down), the
firewall, Panorama virtual appliance, M-Series appliance, and WF-500 appliance respond
by updang the corresponding SNMP object (for example, the interfaces MIB) instead of
waing for the periodic update of all objects that occurs every ten seconds. This ensures
that your SNMP manager displays the latest informaon when polling an object to confirm
an event.
The firewall, Panorama, and WF-500 appliance support SNMP Version 2c and Version 3. Decide
which to use based on the version that other devices in your network support and on your
network security requirements. SNMPv3 is more secure and enables more granular access control
for system stascs than SNMPv2c. The following table summarizes the security features of each
version. You select the version and configure the security features when you Monitor Stascs
Using SNMP and Forward Traps to an SNMP Manager.
SNMPVersion
Authencaon Message Privacy MessageIntegrity
MIB Access Granularity
SNMPv3 EngineID, username, Privacy Yes User access based on views that
and authencaon password include or exclude specific OIDs
password (SHA for AES 128
hashing for the encrypon
password)
PAN-OS® Administrator’s Guide Version Version 9.1 559 ©2021 Palo Alto Networks, Inc.
Monitoring
SNMPVersion
Authencaon Message Privacy MessageIntegrity
MIB Access Granularity
of SNMP
messages
PAN-OS® Administrator’s Guide Version Version 9.1 560 ©2021 Palo Alto Networks, Inc.
Monitoring
• Walk a MIB
• Idenfy the OID for a System Stasc or Trap
STEP 1 | Load all the Supported MIBs into your SNMP manager.
STEP 2 | Search the enre MIB tree for the known OID. The search result displays the MIB path for
the OID, as well as informaon about the OID (for example, name, status, and descripon).
You can then select other OIDs in the same MIB to see informaon about them.
Walk a MIB
If you want to see which SNMP objects (system stascs and traps) are available for monitoring,
displaying all the objects of a parcular MIB can be useful. To do this, load the Supported
MIBs into your SNMP manager and perform a walk on the desired MIB. To list the traps
that Palo Alto Networks firewalls, Panorama, and WF-500 appliance support, walk the
panCommonEventEventsV2 MIB. In the following example, walking the PAN-COMMON-MIB.my
displays the following list of OIDs and their values for certain stascs:
PAN-OS® Administrator’s Guide Version Version 9.1 561 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 2 | Open the MIB in a text editor and perform a keyword search. For example, using Hardware
version as a search string in PAN-COMMON-MIB idenfies the panSysHwVersion object:
panSysHwVersion OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..128))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Hardware version of the unit."
::= {panSys 2}
PAN-OS® Administrator’s Guide Version Version 9.1 562 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 3 | In a MIB browser, search the MIB tree for the idenfied object name to display its OID. For
example, the panSysHwVersion object has an OID of 1.3.6.1.4.1.25461.2.1.2.1.2.
You don’t need a security rule to enable SNMP monitoring of Palo Alto Networks firewalls,
Panorama, or WF-500 appliances. For details, see Monitor Stascs Using SNMP.
PAN-OS® Administrator’s Guide Version Version 9.1 563 ©2021 Palo Alto Networks, Inc.
Monitoring
idenfy resource limitaons, and monitor traffic or processing loads. The stascs include
informaon such as interface states (up or down), acve user sessions, concurrent sessions,
session ulizaon, temperature, and system upme.
You can’t configure an SNMP manager to control Palo Alto Networks firewalls (using SET
messages), only to collect stascs from them (using GET messages). For details on how
SNMP is implemented for Palo Alto Networks firewalls, see SNMP Support.
The SNMP manager can use the same or different connecon and authencaon
sengs for mulple firewalls. The sengs must match those you define when you
configure SNMP on the firewall (see Step 3). For example, if you use SNMPv2c, the
community string you define when configuring the firewall must match the community
string you define in the SNMP manager for that firewall.
3. Determine the object idenfiers (OIDs) of the stascs you want to monitor. For
example, to monitor the session ulizaon percentage of a firewall, a MIB browser shows
that this stasc corresponds to OID 1.3.6.1.4.1.25461.2.1.2.3.1.0 in PAN-COMMON-
MIB.my. For details, see Use an SNMP Manager to Explore MIBs and Objects.
4. Configure the SNMP manager to monitor the desired OIDs.
PAN-OS® Administrator’s Guide Version Version 9.1 564 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 3 | Configure the firewall to respond to stascs requests from an SNMP manager.
PAN-OS doesn’t synchronize SNMP response sengs for firewalls in a high availability
(HA) configuraon. You must configure these sengs for each HA peer.
1. Select Device > Setup > Operaons and, in the Miscellaneous secon, click SNMP
Setup.
2. Select the SNMP Version and configure the authencaon values as follows. For version
details, see SNMP Support.
• V2c—Enter the SNMP Community String, which idenfies a community of SNMP
managers and monitored devices, and serves as a password to authencate the
community members to each other.
As a best pracce, don’t use the default community string public; it’s well
known and therefore not secure.
• V3—Create at least one SNMP view group and one user. User accounts and views
provide authencaon, privacy, and access control when firewalls forward traps and
SNMP managers get firewall stascs.
• Views—Each view is a paired OID and bitwise mask: the OID specifies a MIB and
the mask (in hexadecimal format) specifies which objects are accessible within
(include matching) or outside (exclude matching) that MIB. Click Add in the first list
and enter a Name for the group of views. For each view in the group, click Add and
configure the view Name, OID, matching Opon (include or exclude), and Mask.
• Users—Click Add in the second list, enter a username under Users, select the View
group from the drop-down, enter the authencaon password (Auth Password)
used to authencate to the SNMP manager, and enter the privacy password (Priv
Password) used to encrypt SNMP messages to the SNMP manager.
3. Click OK and Commit.
When monitoring stascs related to firewall interfaces, you must match the interface
indexes in the SNMP manager with interface names in the firewall web interface.
For details, see Firewall Interface Idenfiers in SNMP Managers and NetFlow
Collectors.
To see the list of traps that Palo Alto Networks firewalls support, use your SNMP Manager
to access the panCommonEventEventsV2 MIB. For details, see Use an SNMP Manager to
Explore MIBs and Objects.
For details on how for Palo Alto Networks firewalls implement SNMP, see SNMP Support.
PAN-OS® Administrator’s Guide Version Version 9.1 565 ©2021 Palo Alto Networks, Inc.
Monitoring
Oponally, configure separate SNMP Trap server profiles for different log types,
severity levels, and WildFire verdicts.
As a best pracce, don’t use the default community string public; it’s well
known and therefore not secure.
• V3—For each server, click Add and enter the server Name, IP address (SNMP
Manager), SNMP User account (this must match a username defined in the SNMP
manager), EngineID used to uniquely idenfy the firewall (you can leave the field
blank to use the firewall serial number), authencaon password (Auth Password)
used to authencate to the server, and privacy password (Priv Password) used to
encrypt SNMP messages to the server.
6. Click OK to save the server profile.
PAN-OS® Administrator’s Guide Version Version 9.1 566 ©2021 Palo Alto Networks, Inc.
Monitoring
When monitoring traps related to firewall interfaces, you must match the interface
indexes in the SNMP manager with interface names in the firewall web interface.
For details, see Firewall Interface Idenfiers in SNMP Managers and NetFlow
Collectors.
Supported MIBs
The following table lists the Simple Network Management Protocol (SNMP) management
informaon bases (MIBs) that Palo Alto Networks firewalls, Panorama, and WF-500 appliances
support. You must load these MIBs into your SNMP manager to monitor the objects (system
stascs and traps) that are defined in the MIBs. For details, see Use an SNMP Manager to
Explore MIBs and Objects.
PAN-OS® Administrator’s Guide Version Version 9.1 567 ©2021 Palo Alto Networks, Inc.
Monitoring
MIB-II
MIB-II provides object idenfiers (OIDs) for network management protocols in TCP/IP-based
networks. Use this MIB to monitor general informaon about systems and interfaces. For example,
you can analyze trends in bandwidth usage by interface type (ifType object) to determine if the
firewall needs more interfaces of that type to accommodate spikes in traffic volume.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only the following object
groups:
interfaces Provides stascs for physical and logical interfaces such as type,
current bandwidth (speed), operaonal status (for example, up or
down), and discarded packets. Logical interface support includes VPN
tunnels, aggregate groups, Layer 2 subinterfaces, Layer 3 subinterfaces,
loopback interfaces, and VLAN interfaces.
IF-MIB
IF-MIB supports interface types (physical and logical) and larger counters (64K) beyond those
defined in MIB-II. Use this MIB to monitor interface stascs in addion to those that MIB-
II provides. For example, to monitor the current bandwidth of high-speed interfaces (greater
than 2.2Gps) such as the 10G interfaces of the PA-5200 Series firewalls, you must check the
ifHighSpeed object in IF-MIB instead of the ifSpeed object in MIB-II. IF-MIB stascs can be
useful when evaluang the capacity of your network.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only the ifXTable in IF-
MIB, which provides interface informaon such as the number of mulcast and broadcast packets
transmied and received, whether an interface is in promiscuous mode, and whether an interface
has a physical connector.
RFC 2863 defines this MIB.
HOST-RESOURCES-MIB
HOST-RESOURCES-MIB provides informaon for host computer resources. Use this MIB
to monitor CPU and memory usage stascs. For example, checking the current CPU load
(hrProcessorLoad object) can help you troubleshoot performance issues on the firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 568 ©2021 Palo Alto Networks, Inc.
Monitoring
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support porons of the following
object groups:
hrDevice Provides informaon such as CPU load, storage capacity, and paron
size. The hrProcessorLoad OIDs provide an average of the cores
that process packets. For the PA-5260 firewall, which has mulple
dataplanes (DPs), the average is of the cores across the three DPs that
process packets.
ENTITY-MIB
ENTITY-MIB provides OIDs for mulple logical and physical components. Use this MIB to
determine what physical components are loaded on a system (for example, fans and temperature
sensors) and see related informaon such as models and serial numbers. You can also use the
index numbers for these components to determine their operaonal status in the ENTITY-
SENSOR-MIB and ENTITY-STATE-MIB.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only porons of the
entPhysicalTable group:
Object Descripon
entPhysicalIndex A single namespace that includes disk slots and disk drives.
entPhysicalClass Chassis (3), container (5) for a slot, power supply (6), fan (7), sensor (8)
for each temperature or other environmental, and module (9) for each
line card.
entPhysicalParentRelPos
The relave posion of this child component among its sibling
components. Sibling components are defined as entPhysicalEntry
PAN-OS® Administrator’s Guide Version Version 9.1 569 ©2021 Palo Alto Networks, Inc.
Monitoring
Object Descripon
components that share the same instance values of each of the
entPhysicalContainedIn and entPhysicalClass objects.
entPhysicalName Supported only if the management (MGT) interface allows for naming
the line card.
entPhysicalHardwareRev
The vendor-specific hardware revision of the component.
entPhysicalAlias An alias that the network manager specified for the component.
ENTITY-SENSOR-MIB
ENTITY-SENSOR-MIB adds support for physical sensors of networking equipment beyond what
ENTITY-MIB defines. Use this MIB in tandem with the ENTITY-MIB to monitor the operaonal
status of the physical components of a system (for example, fans and temperature sensors). For
example, to troubleshoot issues that might result from environmental condions, you can map
the enty indexes from the ENTITY-MIB (entPhysicalDescr object) to operaonal status values
(entPhysSensorOperStatus object) in the ENTITY-SENSOR-MIB. In the following example, all the
fans and temperature sensors for a PA-3020 firewall are working:
PAN-OS® Administrator’s Guide Version Version 9.1 570 ©2021 Palo Alto Networks, Inc.
Monitoring
The same OID might refer to different sensors on different plaorms. Use the ENTITY-MIB
for the targeted plaorm to match the value to the descripon.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only porons of the
entPhySensorTable group. The supported porons vary by plaorm and include only thermal
(temperature in Celsius) and fan (in RPM) sensors.
RFC 3433 defines the ENTITY-SENSOR-MIB.
ENTITY-STATE-MIB
ENTITY-STATE-MIB provides informaon about the state of physical components beyond what
ENTITY-MIB defines, including the administrave and operaonal state of components in chassis-
based plaorms. Use this MIB in tandem with the ENTITY-MIB to monitor the operaonal state
of the components of a PA-7000 Series firewall (for example, line cards, fan trays, and power
supplies). For example, to troubleshoot log forwarding issues for Threat logs, you can map the log
processing card (LPC) indexes from the ENTITY-MIB (entPhysicalDescr object) to operaonal state
values (entStateOper object) in the ENTITY-STATE-MIB. The operaonal state values use numbers
to indicate state: 1 for unknown, 2 for disabled, 3 for enabled, and 4 for tesng. The PA-7000
Series firewall is the only Palo Alto Networks firewall that supports this MIB.
RFC 4268 defines the ENTITY-STATE-MIB.
The dot3adTablesLastChanged object indicates the me of the most recent change to
dot3adAggTable, dot3adAggPortListTable, and dot3adAggPortTable.
Table Descripon
Aggregator This table contains informaon about every aggregate group that is
Configuraon Table associated with a firewall. Each aggregate group has one entry.
(dot3adAggTable)
Some table objects have restricons, which the dot3adAggIndex
object describes. This index is the unique idenfier that the local
PAN-OS® Administrator’s Guide Version Version 9.1 571 ©2021 Palo Alto Networks, Inc.
Monitoring
Table Descripon
system assigns to the aggregate group. It idenfies an aggregate
group instance among the subordinate managed objects of the
containing object. The idenfier is read-only.
Aggregaon This table lists the ports associated with each aggregate group in a
Port List Table firewall. Each aggregate group has one entry.
(dot3adAggPortListTable)
The dot3adAggPortListPorts aribute lists the complete set of ports
associated with an aggregate group. Each bit set in the list represents
a port member. For non-chassis plaorms, this is a 64-bit value. For
chassis plaorms, the value is an array of eight 64-bit entries.
Aggregaon Port Table This table contains LACP configuraon informaon about every port
(dot3adAggPortTable) associated with an aggregate group in a firewall. Each port has one
entry. The table has no entries for ports that are not associated with
an aggregate group.
LACP Stascs Table This table contains link aggregaon informaon about every port
(dot3adAggPortStatsTable)associated with an aggregate group in a firewall. Each port has one
row. The table has no entries for ports that are not associated with an
aggregate group.
The IEEE 802.3 LAG MIB includes the following LACP-related traps:
panLACPLostConnecvityTrap
The peer lost connecvity to the firewall.
panLACPSpeedDuplexTrap The link speed and duplex sengs on the firewall and peer do not
match.
PAN-OS® Administrator’s Guide Version Version 9.1 572 ©2021 Palo Alto Networks, Inc.
Monitoring
LLDP-V2-MIB.my
Use the LLDP-V2-MIB to monitor Link Layer Discovery Protocol (LLDP) events. For example,
you can check the lldpV2StatsRxPortFramesDiscardedTotal object to see the number of LLDP
frames that were discarded for any reason. The Palo Alto Networks firewall uses LLDP to discover
neighboring devices and their capabilies. LLDP makes troubleshoong easier, especially for
virtual wire deployments where the ping or traceroute ulies won’t detect the firewall.
Palo Alto Networks firewalls support all the LLDP-V2-MIB objects except:
• The following lldpV2Stascs objects:
• lldpV2StatsRemTablesLastChangeTime
• lldpV2StatsRemTablesInserts
• lldpV2StatsRemTablesDeletes
• lldpV2StatsRemTablesDrops
• lldpV2StatsRemTablesAgeouts
• The following lldpV2RemoteSystemsData objects:
• The lldpV2RemOrgDefInfoTable table
• In the lldpV2RemTable table: lldpV2RemTimeMark
RFC 4957 defines this MIB.
BFD-STD-MIB
Use the Bidireconal Forwarding Detecon (BFD) MIB to monitor and receive failure alerts for the
bidireconal path between two forwarding engines, such as interfaces, data links, or the actual
engines. For example, you can check the bfdSessState object to see the state of a BFD session
between forwarding engines. In the Palo Alto Networks implementaon, one of the forwarding
engines is a firewall interface and the other is an adjacent configured BFD peer.
RFC 7331 defines this MIB.
PAN-COMMON-MIB.my
Use the PAN-COMMON-MIB to monitor the following informaon for Palo Alto Networks
firewalls, Panorama, and WF-500 appliances:
PAN-OS® Administrator’s Guide Version Version 9.1 573 ©2021 Palo Alto Networks, Inc.
Monitoring
panSession Session ulizaon informaon. For example, the total number of acve
sessions on the firewall or a specific virtual system.
panLogCollector Logging stascs for each Log Collector, including logging rate, log
quotas, disk usage, retenon periods, log redundancy (enabled or
disabled), the forwarding status from firewalls to Log Collectors, the
forwarding status from Log Collectors to external services, and the
status of firewall-to-Log Collector connecons.
panDeviceLogging Logging stascs for each firewall, including logging rate, disk usage,
retenon periods, the forwarding status from individual firewalls
to Panorama and external servers, and the status of firewall-to-Log
Collector connecons.
PAN-GLOBAL-REG-MIB.my
PAN-GLOBAL-REG-MIB.my contains global, top-level OID definions for various sub-trees of Palo
Alto Networks enterprise MIB modules. This MIB doesn’t contain objects for you to monitor; it is
required only for referencing by other MIBs.
PAN-GLOBAL-TC-MIB.my
PAN-GLOBAL-TC-MIB.my defines convenons (for example, character length and allowed
characters) for the text values of objects in Palo Alto Networks enterprise MIB modules. All Palo
Alto Networks products use these convenons. This MIB doesn’t contain objects for you to
monitor; it is required only for referencing by other MIBs.
PAN-LC-MIB.my
PAN-LC-MIB.my contains definions of managed objects that Log Collectors (M-Series appliances
in Log Collector mode) implement. Use this MIB to monitor the logging rate, log database storage
duraon (in days), and disk usage (in MB) of each logical disk (up to four) on a Log Collector. For
example, you can use this informaon to determine whether you should add more Log Collectors
or forward logs to an external server (for example, a syslog server) for archiving.
PAN-PRODUCT-MIB.my
PAN-PRODUCT-MIB.my defines sysObjectID OIDs for all Palo Alto Networks products. This MIB
doesn’t contain objects for you to monitor; it is required only for referencing by other MIBs.
PAN-OS® Administrator’s Guide Version Version 9.1 574 ©2021 Palo Alto Networks, Inc.
Monitoring
PAN-ENTITY-EXT-MIB.my
Use PAN-ENTITY-EXT-MIB.my in tandem with the ENTITY-MIB to monitor power usage
for the physical components of a PA-7000 Series firewall (for example, fan trays, and power
supplies), which is the only Palo Alto Networks firewall that supports this MIB. For example,
when troubleshoong log forwarding issues, you might want to check the power usage of the log
processing cards (LPCs): you can map the LPC indexes from the ENTITY-MIB (entPhysicalDescr
object) to values in the PAN-ENTITY-EXT-MIB (panEntryFRUModelPowerUsed object).
PAN-TRAPS.my
Use PAN-TRAPS.my to see a complete lisng of all the generated traps and informaon about
them (for example, a descripon). For a list of traps that Palo Alto Networks firewalls, Panorama,
and WF-500 appliances support, refer to the PAN-COMMON-MIB.my panCommonEvents >
panCommonEventsEvents > panCommonEventEventsV2 object.
PAN-OS® Administrator’s Guide Version Version 9.1 575 ©2021 Palo Alto Networks, Inc.
Monitoring
PAN-OS® Administrator’s Guide Version Version 9.1 576 ©2021 Palo Alto Networks, Inc.
Monitoring
3. Send Test Log to verify that the HTTP server receives the request. When you
interacvely send a test log, the firewall uses the format as is and does not replace the
variable with a value from a firewall log. If your HTTP server sends a 404 response,
provide values for the parameters so that the server can process the request successfully.
PAN-OS® Administrator’s Guide Version Version 9.1 577 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 3 | Define the match criteria for when the firewall will forward logs to the HTTP server and
aach the HTTP server profile you will use.
1. Select the log types for which you want to trigger a workflow:
• Add a Log Forwarding Profile (Objects > Log Forwarding) for logs that pertain to user
acvity (for example, Traffic, Threat, or Authencaon logs).
• Select Device > Log Sengs for logs that pertain to system events, such as
Configuraon or System logs.
2. Select the Log Type and use the new Filter Builder to define the match criteria.
3. Add the HTTP server profile for forwarding logs to the HTTP desnaon.
PAN-OS® Administrator’s Guide Version Version 9.1 578 ©2021 Palo Alto Networks, Inc.
Monitoring
NetFlow Monitoring
NetFlow is an industry-standard protocol that the firewall can use to export stascs about the IP
traffic ingressing its interfaces. The firewall exports the stascs as NetFlow fields to a NetFlow
collector. The NetFlow collector is a server you use to analyze network traffic for security,
administraon, accounng and troubleshoong. All Palo Alto Networks firewalls support NetFlow
Version 9. The firewalls support only unidireconal NetFlow, not bidireconal. The firewalls
perform NetFlow processing on all IP packets on the interfaces and do not support sampled
NetFlow. You can export NetFlow records for Layer 3, Layer 2, virtual wire, tap, VLAN, loopback,
and tunnel interfaces. For aggregate Ethernet sub-interfaces, you can export records for the
individual sub-interfaces that data flows through within the group. To idenfy firewall interfaces in
a NetFlow collector, see Firewall Interface Idenfiers in SNMP Managers and NetFlow Collectors.
The firewalls support standard and enterprise (PAN-OS specific) NetFlow Templates, which
NetFlow collectors use to decipher the NetFlow fields.
• Configure NetFlow Exports
• NetFlow Templates
PAN-OS® Administrator’s Guide Version Version 9.1 579 ©2021 Palo Alto Networks, Inc.
Monitoring
STEP 2 | Assign the NetFlow server profile to the firewall interfaces that the traffic you want to
analyze is ingressing.
In this example, you assign the profile to an exisng Ethernet interface.
1. Select Network > Interfaces > Ethernet and click an interface name to edit it.
You can export NetFlow records for Layer 3, Layer 2, virtual wire, tap, VLAN,
loopback, and tunnel interfaces. For aggregate Ethernet interfaces, you can
export records for the individual sub-interfaces that data flows through within
the group.
2. Select the NetFlow server profile (NetFlow Profile) you configured and click OK.
STEP 3 | (Required for PA-7000 Series and PA-5200 Series firewalls) Configure a service route for the
interface that the firewall will use to send NetFlow records.
You cannot use the management (MGT) interface to send NetFlow records from the PA-7000
Series and PA-5200 Series firewalls. For other firewall models, a service route is oponal. For
all firewalls, the interface that sends NetFlow records does not have to be the same as the
interface for which the firewall collects the records.
1. Select Device > Setup > Services.
2. (Firewall with mulple virtual systems) Select one of the following:
• Global—Select this opon if the service route applies to all virtual systems on the
firewall.
• Virtual Systems—Select this opon if the service route applies to a specific virtual
system. Set the Locaon to the virtual system.
3. Select Service Route Configuraon and Customize.
4. Select the protocol (IPv4 or IPv6) that the interface uses. You can configure the service
route for both protocols if necessary.
5. Click Nelow in the Service column.
6. Select the Source Interface.
Any, Use default, and MGT are not valid interface opons for sending NetFlow records
from PA-7000 Series or PA-5200 Series firewalls.
7. Select a Source Address (IP address).
8. Click OK twice to save your changes.
When monitoring stascs, you must match the interface indexes in the NetFlow
collector with interface names in the firewall web interface. For details, see Firewall
Interface Idenfiers in SNMP Managers and NetFlow Collectors.
To troubleshoot NetFlow delivery issues, use the operaonal CLI command debug log-
receiver netflow statistics.
PAN-OS® Administrator’s Guide Version Version 9.1 580 ©2021 Palo Alto Networks, Inc.
Monitoring
NetFlow Templates
NetFlow collectors use templates to decipher the fields that the firewall exports. The firewall
selects a template based on the type of exported data: IPv4 or IPv6 traffic, with or without
NAT, and with standard or enterprise-specific (PAN-OS specific) fields. The firewall periodically
refreshes templates to re-evaluate which one to use (in case the type of exported data changes)
and to apply any changes to the fields in the selected template. When you Configure NetFlow
Exports, set the refresh rate based on a me interval and a number of exported records according
to the requirements of your NetFlow collector. The firewall refreshes the templates aer either
threshold is passed.
The Palo Alto Networks firewall supports the following NetFlow templates:
Template ID
The following table lists the NetFlow fields that the firewall can send, along with the templates
that define them:
PAN-OS® Administrator’s Guide Version Version 9.1 581 ©2021 Palo Alto Networks, Inc.
Monitoring
PAN-OS® Administrator’s Guide Version Version 9.1 582 ©2021 Palo Alto Networks, Inc.
Monitoring
PAN-OS® Administrator’s Guide Version Version 9.1 583 ©2021 Palo Alto Networks, Inc.
Monitoring
226 postNATDesnaonIPv4Address
The definion of this informaon IPv4 with NAT
element is idencal to that of standard
desnaonIPv4Address, except
IPv4 with NAT
that it reports a modified value
enterprise
that the firewall produced during
network address translaon aer
the packet traversed the interface.
PAN-OS® Administrator’s Guide Version Version 9.1 584 ©2021 Palo Alto Networks, Inc.
Monitoring
228 postNAPTDesnaonTransportPort
The definion of this informaon IPv4 with NAT
element is idencal to that of standard
desnaonTransportPort, except
IPv4 with NAT
that it reports a modified value
enterprise
that the firewall produced during
network address port translaon
aer the packet traversed the
interface.
282 postNATDesnaonIPv6Address
The definion of this informaon IPv6 with NAT
element is idencal to the standard
definion of informaon element
IPv6 with NAT
desnaonIPv6Address, except
enterprise
that it reports a modified value
that the firewall produced
during NAT64 network address
translaon aer the packet
traversed the interface. See RFC
2460 for the definion of the
desnaon address field in the
IPv6 header. See RFC 6146 for
NAT64 specificaon.
PAN-OS® Administrator’s Guide Version Version 9.1 585 ©2021 Palo Alto Networks, Inc.
Monitoring
PAN-OS® Administrator’s Guide Version Version 9.1 586 ©2021 Palo Alto Networks, Inc.
Monitoring
You can match the indexes with names by understanding the formulas that the firewall uses to
calculate indexes. The formulas vary by plaorm and interface type: physical or logical.
Physical interface indexes have a range of 1-9999, which the firewall calculates as follows:
PAN-OS® Administrator’s Guide Version Version 9.1 587 ©2021 Palo Alto Networks, Inc.
Monitoring
PA-7000 Series (Max. ports * slot) + physical port PA-7000 Series firewall,
offset + number of management Eth3/9 =
ports
[64 (max. ports) * 3 (slot)] + 9
• Maximum ports—This is a (physical port) + 5 (number of
constant of 64. management ports) = 206
• Slot—This is the chassis
slot number of the network
interface card.
• Physical port offset—This is
the physical port number.
• Number of management
ports—This is a constant of 5.
Logical interface indexes for all plaorms are nine-digit numbers that the firewall calculates as
follows:
Interface Range Digit Digits Digits Digits 1-4 Example Interface Index
Type 9 7-8 5-6
Layer 101010001-199999999
Type: Interface Interface Subinterface: Eth1/5.22 =
3 1 slot: port: suffix 100000000 (type) +
subinterface 1-9 1-9 1-9999 100000 (slot) + 50000
(01-09) (01-09) (0001-9999) (port) + 22 (suffix) =
101050022
Layer 101010001-199999999
Type: Interface Interface Subinterface: Eth2/3.6 = 100000000
2 1 slot: port: suffix (type) + 200000 (slot) +
subinterface 1-9 1-9 1-9999 30000 (port) + 6 (suffix)
(01-09) (01-09) (0001-9999) = 102030006
Vwire 101010001-199999999
Type: Interface Interface Subinterface: Eth4/2.312 =
subinterface 1 slot: port: suffix 100000000 (type) +
1-9 1-9 1-9999 400000 (slot) + 20000
(01-09) (01-09) (0001-9999) (port) + 312 (suffix) =
104020312
VLAN 200000001-200009999
Type: 00 00 VLAN VLAN.55 = 200000000
2 suffix: (type) + 55 (suffix) =
1-9999 200000055
(0001-9999)
PAN-OS® Administrator’s Guide Version Version 9.1 588 ©2021 Palo Alto Networks, Inc.
Monitoring
Interface Range Digit Digits Digits Digits 1-4 Example Interface Index
Type 9 7-8 5-6
Loopback300000001-300009999
Type: 00 00 Loopback Loopback.55 =
3 suffix: 300000000 (type) + 55
1-9999 (suffix) = 300000055
(0001-9999)
Tunnel 400000001-400009999
Type: 00 00 Tunnel Tunnel.55 =
4 suffix: 400000000 (type) + 55
1-9999 (suffix) = 400000055
(0001-9999)
Aggregate500010001-500089999
Type: 00 AE Subinterface: AE5.99 = 500000000
group 5 suffix: suffix (type) + 50000 (AE
1-8 1-9999 Suffix) + 99 (suffix) =
(01-08) (0001-9999) 500050099
PAN-OS® Administrator’s Guide Version Version 9.1 589 ©2021 Palo Alto Networks, Inc.
Monitoring
PAN-OS® Administrator’s Guide Version Version 9.1 590 ©2021 Palo Alto Networks, Inc.
User-ID
The user identy, as opposed to an IP address, is an integral component of an effecve
security infrastructure. Knowing who is using each of the applicaons on your
network, and who may have transmied a threat or is transferring files, can strengthen
security policies and reduce incident response mes. User-ID™, a standard feature on
the Palo Alto Networks firewall, enables you to leverage user informaon stored in a
wide range of repositories. The following topics provide more details about User-ID
and how to configure it:
591
User-ID
User-ID Overview
User-ID™ enables you to idenfy all users on your network using a variety of techniques to
ensure that you can idenfy users in all locaons using a variety of access methods and operang
systems, including Microso Windows, Apple iOS, Mac OS, Android, and Linux®/UNIX. Knowing
who your users are instead of just their IP addresses enables:
• Visibility—Improved visibility into applicaon usage based on users gives you a more relevant
picture of network acvity. The power of User-ID becomes evident when you noce a
strange or unfamiliar applicaon on your network. Using either ACC or the log viewer, your
security team can discern what the applicaon is, who the user is, the bandwidth and session
consumpon, along with the source and desnaon of the applicaon traffic, as well as any
associated threats.
• Policy control—Tying user informaon to Security policy rules improves safe enablement of
applicaons traversing the network and ensures that only those users who have a business
need for an applicaon have access. For example, some applicaons, such as SaaS applicaons
that enable access to Human Resources services (such as Workday or Service Now) must be
available to any known user on your network. However, for more sensive applicaons you can
reduce your aack surface by ensuring that only users who need these applicaons can access
them. For example, while IT support personnel may legimately need access to remote desktop
applicaons, the majority of your users do not.
• Logging, reporng, forensics—If a security incident occurs, forensics analysis and reporng
based on user informaon rather than just IP addresses provides a more complete picture of
the incident. For example, you can use the pre-defined User/Group Acvity to see a summary
of the web acvity of individual users or user groups, or the SaaS Applicaon Usage report to
see which users are transferring the most data over unsanconed SaaS applicaons.
To enforce user- and group-based policies, the firewall must be able to map the IP addresses in
the packets it receives to usernames. User-ID provides many mechanisms to collect this User
Mapping informaon. For example, the User-ID agent monitors server logs for login events and
listens for syslog messages from authencang services. To idenfy mappings for IP addresses
that the agent didn’t map, you can configure Authencaon Policy to redirect HTTP requests to
a Capve Portal login. You can tailor the user mapping mechanisms to suit your environment, and
even use different mechanisms at different sites to ensure that you are safely enabling access to
applicaons for all users, in all locaons, all the me.
PAN-OS® Administrator’s Guide Version Version 9.1 592 ©2021 Palo Alto Networks, Inc.
User-ID
Figure 4: User-ID
To enable user- and group-based policy enforcement, the firewall requires a list of all available
users and their corresponding group memberships so that you can select groups when defining
your policy rules. The firewall collects Group Mapping informaon by connecng directly to your
LDAP directory server, or using XML API integraon with your directory server.
See User-ID Concepts for informaon on how User-ID works and Enable User-ID for instrucons
on seng up User-ID.
User-ID does not work in environments where the source IP addresses of users are subject
to NAT translaon before the firewall maps the IP addresses to usernames.
PAN-OS® Administrator’s Guide Version Version 9.1 593 ©2021 Palo Alto Networks, Inc.
User-ID
User-ID Concepts
• Group Mapping
• User Mapping
Group Mapping
To define policy rules based on user or group, first you create an LDAP server profile that defines
how the firewall connects and authencates to your directory server. The firewall supports a
variety of directory servers, including Microso Acve Directory (AD), Novell eDirectory, and
Sun ONE Directory Server. The server profile also defines how the firewall searches the directory
to retrieve the list of groups and the corresponding list of members. If you are using a directory
server that is not navely supported by the firewall, you can integrate the group mapping funcon
using the XML API. You can then create a group mapping configuraon to Map Users to Groups
and Enable User- and Group-Based Policy.
Defining policy rules based on group membership rather than on individual users simplifies
administraon because you don’t have to update the rules whenever new users are added
to a group. When configuring group mapping, you can limit which groups will be available
in policy rules. You can specify groups that already exist in your directory service or define
custom groups based on LDAP filters. Defining custom groups can be quicker than creang new
groups or changing exisng ones on an LDAP server, and doesn’t require an LDAP administrator
to intervene. User-ID maps all the LDAP directory users who match the filter to the custom
group. For example, you might want a security policy that allows contractors in the Markeng
Department to access social networking sites. If no Acve Directory group exists for that
department, you can configure an LDAP filter that matches users for whom the LDAP aribute
Department is set to Markeng. Log queries and reports that are based on user groups will include
custom groups.
User Mapping
Knowing user and groups names is only one piece of the puzzle. The firewall also needs to know
which IP addresses map to which users so that security rules can be enforced appropriately.
Figure 4: User-ID illustrates the different methods that are used to idenfy users and groups on
your network and shows how user mapping and group mapping work together to enable user-
and group-based security enforcement and visibility. The following topics describe the different
methods of user mapping:
• Server Monitoring
• Port Mapping
• Syslog
• XFF Headers
• Username Header Inseron
• Authencaon Policy and Capve Portal
• GlobalProtect
• XML API
PAN-OS® Administrator’s Guide Version Version 9.1 594 ©2021 Palo Alto Networks, Inc.
User-ID
• Client Probing
Server Monitoring
With server monitoring a User-ID agent—either a Windows-based agent running on a domain
server in your network, or the PAN-OS integrated User-ID agent running on the firewall—monitors
the security event logs for specified Microso Exchange Servers, Domain Controllers, or Novell
eDirectory servers for login events. For example, in an AD environment, you can configure the
User-ID agent to monitor the security logs for Kerberos cket grants or renewals, Exchange server
access (if configured), and file and print service connecons. For these events to be recorded in
the security log, the AD domain must be configured to log successful account login events. In
addion, because users can log in to any of the servers in the domain, you must set up server
monitoring for all servers to capture all user login events. See Configure User Mapping Using the
Windows User-ID Agent or Configure User Mapping Using the PAN-OS Integrated User-ID Agent
for details.
Port Mapping
In environments with mul-user systems—such as Microso Terminal Server or Citrix
environments—many users share the same IP address. In this case, the user-to-IP address mapping
process requires knowledge of the source port of each client. To perform this type of mapping,
you must install the Palo Alto Networks Terminal Server Agent on the Windows/Citrix terminal
server itself to intermediate the assignment of source ports to the various user processes. For
terminal servers that do not support the Terminal Server agent, such as Linux terminal servers, you
can use the XML API to send user mapping informaon from login and logout events to User-ID.
See Configure User Mapping for Terminal Server Users for configuraon details.
XFF Headers
If you have a proxy server deployed between the users on your network and the firewall, the
firewall might see the proxy server IP address as the source IP address in HTTP/HTTPS traffic that
the proxy forwards rather than the IP address of the client that requested the content. In many
cases, the proxy server adds an X-Forwarded-For (XFF) header to traffic packets that includes the
actual IPv4 or IPv6 address of the client that requested the content or from whom the request
originated. In such cases, you can configure the firewall to extract the end user IP address from
the XFF so that User-ID can map the IP address to a username. This enables you to Use XFF
Values for Policies and Logging Source Users so that you can enforce user-based policy to safely
enable access to web-based for your users behind a proxy server.
PAN-OS® Administrator’s Guide Version Version 9.1 595 ©2021 Palo Alto Networks, Inc.
User-ID
Syslog
Your environment might have exisng network services that authencate users. These services
include wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, and
other Network Access Control (NAC) mechanisms. You can configure these services to send
syslog messages that contain informaon about login and logout events and configure the User-
ID agent to parse those messages. The User-ID agent parses for login events to map IP addresses
to usernames and parses for logout events to delete outdated mappings. Deleng outdated
mappings is parcularly useful in environments where IP address assignments change oen.
Both the PAN-OS integrated User-ID agent and Windows-based User-ID agent use Syslog Parse
profiles to parse syslog messages. In environments where services send the messages in different
formats, you can create a custom profile for each format and associate mulple profiles with
each syslog sender. If you use the PAN-OS integrated User-ID agent, you can also use predefined
Syslog Parse profiles that Palo Alto Networks provides through Applicaons content updates.
Syslog messages must meet the following criteria for a User-ID agent to parse them:
• Each message must be a single-line text string. The allowed delimiters for line breaks are a new
line (\n) or a carriage return plus a new line (\r\n).
• The maximum size for individual messages is 2,048 bytes.
• Messages sent over UDP must be contained in a single packet; messages sent over SSL can
span mulple packets. A single packet might contain mulple messages.
See Configure User-ID to Monitor Syslog Senders for User Mapping for configuraon details.
PAN-OS® Administrator’s Guide Version Version 9.1 596 ©2021 Palo Alto Networks, Inc.
User-ID
GlobalProtect
For mobile or roaming users, the GlobalProtect endpoint provides the user mapping informaon to
the firewall directly. In this case, every GlobalProtect user has an app running on the endpoint that
requires the user to enter login credenals for VPN access to the firewall. This login informaon
is then added to the User-ID user mapping table on the firewall for visibility and user-based
security policy enforcement. Because GlobalProtect users must authencate to gain access to
the network, the IP address-to-username mapping is explicitly known. This is the best soluon
in sensive environments where you must be certain of who a user is in order to allow access
to an applicaon or service. For more informaon on seng up GlobalProtect, refer to the
GlobalProtect Administrator’s Guide.
XML API
Capve Portal and the other standard user mapping methods might not work for certain types of
user access. For example, the standard methods cannot add mappings of users connecng from
a third-party VPN soluon or users connecng to a 802.1x-enabled wireless network. For such
cases, you can use the PAN-OS XML API to capture login events and send them to the PAN-OS
integrated User-ID agent. See Send User Mappings to User-ID Using the XML API for details.
Client Probing
Palo Alto Networks strongly recommends disabling client probing because it is not a
recommended method of obtaining User-ID informaon in a high-security network.
Palo Alto Networks does not recommend using client probing due to the following potenal risks:
• Because client probing trusts data reported back from the endpoint, it can expose you to
security risks when misconfigured. If you enable it on external, untrusted interfaces, this
would cause the agent to send client probes containing sensive informaon such as the
username, domain name, and password hash of the User-ID agent service account outside
of your network. If you do not configure the service account correctly, the credenals could
potenally be exploited by an aacker to penetrate the network to gain further access.
PAN-OS® Administrator’s Guide Version Version 9.1 597 ©2021 Palo Alto Networks, Inc.
User-ID
• Client probing was designed for legacy networks where most users were on Windows
workstaons on the internal network, but is not ideal for today’s more modern networks that
support a roaming and mobile user base on a variety of devices and operang systems.
• Client probing can generate a large amount of network traffic (based on the total number of
mapped IP addresses).
Instead, Palo Alto Networks strongly recommends using the following alternate methods for user
mapping:
• Using more isolated and trusted sources, such as domain controllers and integraons with
Syslog or the XML API, to safely capture user mapping informaon from any device type or
operang system.
• Configuring Authencaon Policy and Capve Portal to ensure that you only allow access to
authorized users.
The User-ID agent supports two types of client probing:
• NetBIOS probing, which uses the Windows User-ID agent.
• WMI probing, which uses either the PAN-OS integrated User-ID agent or the Windows User-
ID agent.
Client probing is not recommended as a user mapping method, but if you plan to enable
it, Palo Alto Networks strongly recommends using WMI probing over NetBIOS probing.
In a Microso Windows environment, you can configure the User-ID agent to probe client systems
using Windows Management Instrumentaon (WMI) or NetBIOS probing at regular intervals to
verify that an exisng user mapping is sll valid or to obtain the username for an IP address that is
not yet mapped.
If you do choose to enable probing in your trusted zones, the agent will probe each learned IP
address periodically (every 20 minutes by default, but this is configurable) to verify that the same
user is sll logged in. In addion, when the firewall encounters an IP address for which it has no
user mapping, it will send the address to the agent for an immediate probe.
See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using
the PAN-OS Integrated User-ID Agent for details.
PAN-OS® Administrator’s Guide Version Version 9.1 598 ©2021 Palo Alto Networks, Inc.
User-ID
Enable User-ID
The user identy, as opposed to an IP address, is an integral component of an effecve security
infrastructure. Knowing who is using each of the applicaons on your network, and who may
have transmied a threat or is transferring files, can strengthen your security policy and reduce
incident response mes. User-ID enables you to leverage user informaon stored in a wide range
of repositories for visibility, user- and group-based policy control, and improved logging, reporng,
and forensics:
STEP 1 | Enable User-ID on the source zones that contain the users who will send requests that
require user-based access controls.
Enable User-ID on trusted zones only. If you enable User-ID and client probing on
an external untrusted zone (such as the internet), probes could be sent outside your
protected network, resulng in an informaon disclosure of the User-ID agent service
account name, domain name, and encrypted password hash, which could allow an
aacker to gain unauthorized access to protected services and applicaons.
1. Select Network > Zones and click the Name of the zone.
2. Enable User Idenficaon and click OK.
As a best pracce, create a service account with the minimum set of permissions
required to support the User-ID opons you enable to reduce your aack surface in the
event that the service account is compromised.
This is required if you plan to use the Windows-based User-ID agent or the PAN-OS integrated
User-ID agent to monitor domain controllers, Microso Exchange servers, or Windows clients
for user login and logout events.
PAN-OS® Administrator’s Guide Version Version 9.1 599 ©2021 Palo Alto Networks, Inc.
User-ID
As a best pracce, do not enable client probing as a user mapping method on high-
security networks. Client probing can generate a large amount of network traffic and
can pose a security threat when misconfigured.
The way you do this depends on where your users are located and what types of systems they
are using, and what systems on your network are collecng login and logout events for your
users. You must configure one or more User-ID agents to enable User Mapping:
• Configure User Mapping Using the Windows User-ID Agent.
• Configure User Mapping Using the PAN-OS Integrated User-ID Agent.
• Configure User-ID to Monitor Syslog Senders for User Mapping.
• Configure User Mapping for Terminal Server Users.
• Send User Mappings to User-ID Using the XML API.
• Insert Username in HTTP Headers.
STEP 5 | Specify the networks to include and exclude from user mapping.
As a best pracce, always specify which networks to include and exclude from User-ID.
This allows you to ensure that only your trusted assets are probed and that unwanted
user mappings are not created unexpectedly.
The way you specify which networks to include and exclude depends on whether you are using
the Windows-based User-ID agent or the PAN-OSintegrated User-ID agent.
PAN-OS® Administrator’s Guide Version Version 9.1 600 ©2021 Palo Alto Networks, Inc.
User-ID
Create rules based on group rather than user whenever possible. This prevents you
from having to connually update your rules (which requires a commit) whenever your
user base changes.
Aer configuring User-ID, you will be able to choose a username or group name when defining
the source or desnaon of a security rule:
1. Select Policies > Security and Add a new rule or click an exisng rule name to edit.
2. Select User and specify which users and groups to match in the rule in one of the
following ways:
• If you want to select specific users or groups as matching criteria, click Add in the
Source User secon to display a list of users and groups discovered by the firewall
group mapping funcon. Select the users or groups to add to the rule.
• If you want to match any user who has or has not authencated and you don’t need
to know the specific user or group name, select known-user or unknown from the
drop-down above the Source User list.
3. Configure the rest of the rule as appropriate and then click OK to save it. For details on
other fields in the security rule, see Set Up a Basic Security Policy.
STEP 8 | Create the Security policy rules to safely enable User-ID within your trusted zones and
prevent User-ID traffic from egressing your network.
Follow the Best Pracce Internet Gateway Security Policy to ensure that the User-ID
applicaon (paloalto-userid-agent) is only allowed in the zones where your agents
(both your Windows agents and your PAN-OS integrated agents) are monitoring services and
distribung mappings to firewalls. Specifically:
• Allow the paloalto-userid-agent applicaon between the zones where your agents
reside and the zones where the monitored servers reside (or even beer, between the
specific systems that host the agent and the monitored servers).
• Allow the paloalto-userid-agent applicaon between the agents and the firewalls
that need the user mappings and between firewalls that are redistribung user mappings
and the firewalls they are redistribung the informaon to.
• Deny the paloalto-userid-agent applicaon to any external zone, such as your
internet zone.
STEP 9 | Configure the firewall to obtain user IP addresses from X-Forwarded-For (XFF) headers.
When the firewall is between the Internet and a proxy server, the IP addresses in the packets
that the firewall sees are for the proxy server rather than users. To enable visibility of user IP
addresses instead, configure the firewall to use the XFF headers for user mapping. With this
opon enabled, the firewall matches the IP addresses with usernames referenced in policy to
PAN-OS® Administrator’s Guide Version Version 9.1 601 ©2021 Palo Alto Networks, Inc.
User-ID
enable control and visibility for the associated users and groups. For details, see Idenfy Users
Connected through a Proxy Server.
1. Select Device > Setup > Content-ID and edit the X-Forwarded-For Headers sengs.
2. Select X-Forwarded-For Header in User-ID.
As a best pracce, always enable the Enable Config Sync opon for an HA
configuraon to ensure that the group mappings and user mappings are synchronized
between the acve and passive firewall.
1. Select Device > High Availability > General and edit the Setup secon.
2. Select Enable HA.
3. Select Enable Config Sync.
4. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the
peer firewall.
5. (Oponal) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup
control link on the peer firewall.
6. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 602 ©2021 Palo Alto Networks, Inc.
User-ID
The following are best pracces for group mapping in an Acve Directory (AD)
environment:
• If you have a single domain, you need only one group mapping configuraon with an
LDAP server profile that connects the firewall to the domain controller with the best
connecvity. You can add up to four domain controllers to the LDAP server profile for
redundancy. Note that you cannot increase redundancy beyond four domain controllers
for a single domain by adding mulple group mapping configuraons for that domain.
• If you have mulple domains and/or mulple forests, you must create a group mapping
configuraon with an LDAP server profile that connects the firewall to a domain server
in each domain/forest. Take steps to ensure unique usernames in separate forests.
• If you have Universal Groups, create an LDAP server profile to connect to the root
domain of the Global Catalog server on port 3268 or 3269 for SSL, then create another
LDAP server profile to connect to the root domain controllers on port 389. This helps
ensure that users and group informaon is available for all domains and subdomains.
• Before using group mapping, configure a Primary Username for user-based security
policies, since this aribute will idenfy users in the policy configuraon, logs, and
reports.
PAN-OS® Administrator’s Guide Version Version 9.1 603 ©2021 Palo Alto Networks, Inc.
User-ID
If you create mulple group mapping configuraons that use the same base
disnguished name (DN) or LDAP server, the group mapping configuraons cannot
contain overlapping groups (for example, the Include list for one group mapping
configuraon cannot contain a group that is also in a different group mapping
configuraon).
1. Select Device > Server Profiles > LDAP and Add a server profile.
2. Enter a Profile Name to idenfy the server profile.
3. Add the LDAP servers. You can add up to four servers to the profile but they must be
the same Type. For each server, enter a Name (to idenfy the server), LDAP Server IP
address or FQDN, and server Port (default 389).
4. Select the server Type.
Based on your selecon (such as acve-directory), the firewall automacally populates
the correct LDAP aributes in the group mapping sengs. However, if you customized
your LDAP schema, you might need to modify the default sengs.
5. For the Base DN, enter the Disnguished Name (DN) of the LDAP tree locaon where
you want the firewall to start searching for user and group informaon.
6. For the Bind DN, Password and Confirm Password, enter the authencaon credenals
for binding to the LDAP tree.
The Bind DN can be a fully qualified LDAP name (such as
cn=administrator,cn=users,dc=acme,dc=local) or a user principal name (such
as administrator@acme.local).
7. Enter the Bind Timeout and Search Timeout in seconds (default is 30 for both).
8. Click OK to save the server profile.
PAN-OS® Administrator’s Guide Version Version 9.1 604 ©2021 Palo Alto Networks, Inc.
User-ID
if you need to enter a value, enter the NetBIOS domain name (for example, example not
example.com).
If you use Global Catalog, entering a value replaces the domain name for all users and
groups from this server, including those from other domains.
7. (Oponal) To filter the groups that the firewall tracks for group mapping, in the Group
Objects secon, enter a Search Filter (LDAP query) and Object Class (group definion).
8. (Oponal) To filter the users that the firewall tracks for group mapping, in the User
Objects secon, enter a Search Filter (LDAP query), and Object Class (user definion).
9. Make sure the group mapping configuraon is Enabled (default is enabled).
STEP 3 | (Oponal) Define User and Group Aributes to collect for user and group mapping. This step
is required if you want to map users based on directory aributes other than the domain.
1. If your User-ID sources only send the username and the username is unique across the
organizaon, select Device > User Idenficaon > User Mapping > Setup and Edit the
Setup secon to Allow matching usernames without domains to allow the firewall to
check if unique usernames collected from the LDAP server during group mapping match
the users associated with a policy and avoid overwring the domain in your source
profile.
Before enabling this opon, configure group mapping for the LDAP group
containing the User-ID source (such as GlobalProtect or Capve Portal) that
collects the mappings. Aer you commit the changes, the User-ID source
populates the usernames without domains. Only usernames collected during
group mapping can be matched without a domain. If your User-ID sources send
user informaon in mulple formats and you enable this opon, verify that the
aributes collected by the firewall have a unique prefix. To ensure users are
idenfied correctly if you enable this opon, all aributes for group mapping
should be unique. If the username is not unique, the firewall logs an error in the
Debug logs.
2. Select Device > User Idenficaon > Group Mapping Sengs > Add > User and Group
Aributes > User Aributes and enter the Directory Aribute you want to collect for
user idenficaon. Specify a Primary Username to idenfy the user on the firewall and
PAN-OS® Administrator’s Guide Version Version 9.1 605 ©2021 Palo Alto Networks, Inc.
User-ID
to represent the user in reports and logs that will override any other format the firewall
receives from the User-ID source.
When you select the Server Profile Type, the firewall auto-populates the values for the
user and group aributes. Based on the user informaon that your User-ID sources send,
you may need to configure the correct aributes:
• User Principal Name (UPN): userPrincipalName
• NetBios Name: sAMAccountName
• Email ID: Directory aribute for that email
• Mulple formats: Retrieve the user mapping aributes from the user directory before
enabling your User-ID sources.
If you do not specify a primary username, the firewall uses the following default values
for each server profile type:
PAN-OS® Administrator’s Guide Version Version 9.1 606 ©2021 Palo Alto Networks, Inc.
User-ID
Each entry can be a single group or a list of groups. By default, if you don’t specify groups, all
groups are available in policy rules.
Any custom groups you create will also be available in the Allow List of authencaon
profiles (Configure an Authencaon Profile and Sequence).
To minimize the performance impact on the LDAP directory server, use only
indexed aributes in the filter.
3. Click OK to save your changes.
You must commit before custom groups will be available in policies and objects.
Aer configuring the firewall to retrieve group mapping informaon from an LDAP
server, but before configuring policies based on the groups it retrieves, the best pracce
is to either wait for the firewall to refresh its group mappings cache or refresh the cache
manually. To verify which groups you can currently use in policies, access the firewall
CLI and run the show user group command. To determine when the firewall will
next refresh the group mappings cache, run the show user group-mapping
statistics command and check the Next Action. To manually refresh the
cache, run the debug user-id refresh group-mapping all command.
PAN-OS® Administrator’s Guide Version Version 9.1 607 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 6 | Verify that the user and group mapping has correctly idenfied users.
1. Select Device > User Idenficaon > Group Mapping > Group Include List to confirm
the firewall has fetched all of the groups.
2. To verify that all of the user aributes have been correctly captured, use the following
CLI command:
The normalized format for the User Principal Name (UPN), primary username, email
aributes, and any configured alternate usernames display for all users:
2) nam\sam-user-upn
3) sam-user-upn@nam.local
4) sam-user@nam.com
3. Verify that the usernames are correctly displayed in the Source User column under
Monitor > Logs > Traffic.
PAN-OS® Administrator’s Guide Version Version 9.1 608 ©2021 Palo Alto Networks, Inc.
User-ID
4. Verify that the users are mapped to the correct usernames in the User Provided by
Source column under Monitor > Logs > User-ID.
PAN-OS® Administrator’s Guide Version Version 9.1 609 ©2021 Palo Alto Networks, Inc.
User-ID
While you can configure either the Windows agent or the PAN-OS integrated User-
ID agent on the firewall to listen for authencaon syslog messages from the network
services, because only the PAN-OS integrated agent supports syslog listening over TLS,
it is the preferred configuraon.
To include the username and domain in the headers for outgoing traffic so other devices in your
network can idenfy the user and enforce user-based policy, you can Insert Username in HTTP
Headers.
To Share User-ID Mappings Across Virtual Systems, you can configure a virtual system as a
User-ID hub.
For other clients that you can’t map using the other methods, you can Send User Mappings to
User-ID Using the XML API.
A large-scale network can have hundreds of informaon sources that firewalls query for
user and group mapping and can have numerous firewalls that enforce policies based on
the mapping informaon. You can simplify User-ID administraon for such a network by
aggregang the mapping informaon before the User-ID agents collect it. You can also reduce
the resources that the firewalls and informaon sources use in the querying process by
PAN-OS® Administrator’s Guide Version Version 9.1 610 ©2021 Palo Alto Networks, Inc.
User-ID
configuring some firewalls to redistribute the mapping informaon. For details, see Deploy
User-ID in a Large-Scale Network.
User-ID provides many methods for safely collecng user mapping informaon. Some
legacy features designed for environments that only required user mapping on Windows
desktops aached to the local network require privileged service accounts. If the privileged
service account is compromised, this would open your network to aack. As a best
pracce, avoid using legacy features that require privileges that would pose a threat if
compromised, such as client probing, NTLM authencaon, and session monitoring.
The following workflow details all required privileges and provides guidance for the User-
ID features which require privileges that could pose a threat so that you can decide how to
best idenfy users without compromising your overall security posture.
PAN-OS® Administrator’s Guide Version Version 9.1 611 ©2021 Palo Alto Networks, Inc.
User-ID
PAN-OS® Administrator’s Guide Version Version 9.1 612 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 2 | Configure either local or group policy to allow the service account to log on as a service.
The permission to log on as a service is only needed locally on the Windows server that is the
agent host.
• To assign permissions locally:
1. select Control Panel > Administrave Tools > Local Security Policy.
2.
3. Select Local Policies > User Rights Assignment > Log on as a service.
PAN-OS® Administrator’s Guide Version Version 9.1 613 ©2021 Palo Alto Networks, Inc.
User-ID
5. Enter the object names to select (the service account name) in domain\username
format and click OK.
• To configure group policy if you are installing Windows User-ID agents on mulple servers,
use the Group Policy Management Editor.
1. Select Start > Group Policy Management > <your domain> > Default Domain Policy >
Acon > Edit for the Windows server that is the agent host.
2. Select Computer Configuraon > Policies > Windows Sengs > Security Sengs >
Local Policies > User Rights Assignment.
PAN-OS® Administrator’s Guide Version Version 9.1 614 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 3 | If you want to use WMI to collect user data, assign DCOM privileges to the service account
so that it can use WMI queries on monitored servers.
1. Select Acve Directory Users and Computers > <your domain> > Builn > Distributed
COM Users.
2. Right-click Properes > Members > Add and enter the service account name.
PAN-OS® Administrator’s Guide Version Version 9.1 615 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 4 | If you plan to use WMI probing, enable the account to read the CIMV2 namespace and
assign the required permissions on the client systems to be probed.
Do not enable client probing on high-security networks. Client probing can generate
a large amount of network traffic and can pose a security threat when misconfigured.
Instead collect user mapping informaon from more isolated and trusted sources, such
as domain controllers and through integraons with Syslog or the XML API, which have
the added benefit of allowing you to safely capture user mapping informaon from any
device type or operang system, instead of just Windows clients.
Perform this task on each client system that the User-ID agent will probe for user mapping
informaon:
1. Right-click the Windows icon ( ), Search for wmimgmt.msc, and launch the WMI
Management Console.
2. In the console tree, right-click WMI Control and select Properes.
3. Select the Security tab, then select Root > CIMV2, and click the Security buon.
4. Add the name of the service account you created, Check Names to verify your entry, and
click OK.
You might have to change the Locaons or click Advanced to query for account
names. See the dialog help for details.
PAN-OS® Administrator’s Guide Version Version 9.1 616 ©2021 Palo Alto Networks, Inc.
User-ID
5. In the Permissions for <Username> secon, Allow the Enable Account and Remote
Enable permissions.
6. Click OK twice.
7. Use the Local Users and Groups MMC snap-in (lusrmgr.msc) to add the service account
to the local Distributed Component Object Model (DCOM) Users and Remote Desktop
Users groups on the system that will be probed.
PAN-OS® Administrator’s Guide Version Version 9.1 617 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 5 | If you want to use Server Monitoring to idenfy users, add the service account to the Event
Log Reader builn group to allow the service account to read the security log events.
1. On the domain controller or Exchange server that contains the logs you want the User-
ID agent to read, or on the member server that receives events from Windows log
forwarding, select Start > Run, enter MMC.
2. Select File > Add/Remove Snap-in > Acve Directory Users and Computers > Add, then
click OK to run the MMC and launch the Acve Directory Users and Computers snap-in.
3. Navigate to the Builn folder for the domain, right-click the Event Log Readers group,
and select Properes > Members.
4. Add the service account then click Check Names to validate that you have the proper
object name.
PAN-OS® Administrator’s Guide Version Version 9.1 618 ©2021 Palo Alto Networks, Inc.
User-ID
PAN-OS® Administrator’s Guide Version Version 9.1 619 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 6 | Assign account permissions to the installaon folder to allow the service account to access
the agent’s installaon folder to read the configuraon and write logs.
You only need to perform this step if the service account you configured for the User-ID agent
is not either a domain administrator or a local administrator on the User-ID agent server host.
1. From the Windows Explorer, navigate to C:\Program Files(x86)\Palo Alto
Networks, right-click the folder, and select Properes.
2. On the Security tab, click Edit.
3. Add the User-ID agent service account and Allow permissions to Modify, Read &
execute, List folder contents, Read, and Write, and then click OK to save the account
sengs.
If you do not want to configure individual permissions, you can Allow the Full
Control permission instead.
PAN-OS® Administrator’s Guide Version Version 9.1 620 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 7 | To allow the agent to make configuraon changes (for example, if you select a different
logging level), give the service account permissions to the User-ID agent registry sub-tree.
1. Select Start > Run and enter regedt32 and navigate to the Palo Alto Networks sub-tree
in one of the following locaons:
• 32-bit systems—HKEY_LOCAL_MACHINE\Software\Palo Alto Networks
• 64-bit systems—HKEY_LOCAL_MACHINE\Software\WOW6432Node\PaloAlto
Networks
2. Right-click the Palo Alto Networks node and select Permissions.
3. Assign the User-ID service account Full Control and then click OK to save the seng.
PAN-OS® Administrator’s Guide Version Version 9.1 621 ©2021 Palo Alto Networks, Inc.
User-ID
PAN-OS® Administrator’s Guide Version Version 9.1 622 ©2021 Palo Alto Networks, Inc.
User-ID
privilege using Group Policies or by using a Managed Service account (refer to Microso
TechNet for more informaon).
1. Select Group Policy Management Editor > Default Domain Policy > Computer
Configuraon > Policies > Windows Sengs > Security Sengs > User Rights
Assignment.
2. For Deny log on as a batch job, Deny log on locally, and Deny log on through Remote
Desktop Services, right-click Properes.
3. Select Define these policy sengs > Add User or Group and add the service account
name, then click OK.
• Deny remote access for the User-ID service account—This prevents an aacker from using
the account to access your network from the outside the network.
1. Select Start > Run, enter MMC, and select File > Add/Remove Snap-in > Acve Directory
Users and Computers > Users.
2. Right-click the service account name, then select Properes.
3. Select Dial-in, then Deny the Network Access Permission.
PAN-OS® Administrator’s Guide Version Version 9.1 623 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 9 | As a next step, Configure User Mapping Using the Windows User-ID Agent.
The following workflow details all required privileges and provides guidance for the User-
ID features which require privileges that could pose a threat so that you can decide how to
best idenfy users without compromising your overall security posture.
PAN-OS® Administrator’s Guide Version Version 9.1 624 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 2 | If you want to use Server Monitoring to idenfy users, add the service account to the Event
Log Reader builn group to allow the service account to read the security log events.
1. On the domain controller or Exchange server that contains the logs you want the User-
ID agent to read, or on the member server that receives events from Windows log
forwarding, select Start > Run, enter MMC.
2. Select File > Add/Remove Snap-in > Acve Directory Users and Computers > Add, then
click OK to run the MMC and launch the Acve Directory Users and Computers snap-in.
3. Navigate to the Builn folder for the domain, right-click the Event Log Readers group,
and select Properes > Members.
4. Add the service account then click Check Names to validate that you have the proper
object name.
PAN-OS® Administrator’s Guide Version Version 9.1 625 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 3 | If you want to use WMI to collect user data, assign DCOM privileges to the service account
so that it can use WMI queries on monitored servers.
1. Select Acve Directory Users and Computers > <your domain> > Builn > Distributed
COM Users.
2. Right-click Properes > Members > Add and enter the service account name.
PAN-OS® Administrator’s Guide Version Version 9.1 626 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 4 | Enable the service account to read the CIMV2 namespace on the domain controllers you
want to monitor and assign the required permissions on the client systems to be probed.
Do not enable client probing on high-security networks. Client probing can generate
a large amount of network traffic and can pose a security threat when misconfigured.
Instead collect user mapping informaon from more isolated and trusted sources, such
as domain controllers and through integraons with Syslog or the XML API, which have
the added benefit of allowing you to safely capture user mapping informaon from any
device type or operang system, instead of just Windows clients.
Perform this task on each client system that the User-ID agent will probe for user mapping
informaon:
1. Right-click the Windows icon ( ), Search for wmimgmt.msc, and launch the WMI
Management Console.
2. In the console tree, right-click WMI Control and select Properes.
3. Select the Security tab, then select Root > CIMV2, and click the Security buon.
4. Add the name of the service account you created, Check Names to verify your entry, and
click OK.
You might have to change the Locaons or click Advanced to query for account
names. See the dialog help for details.
PAN-OS® Administrator’s Guide Version Version 9.1 627 ©2021 Palo Alto Networks, Inc.
User-ID
5. In the Permissions for <Username> secon, Allow the Enable Account and Remote
Enable permissions.
6. Click OK twice.
7. Use the Local Users and Groups MMC snap-in (lusrmgr.msc) to add the service account
to the local Distributed Component Object Model (DCOM) Users and Remote Desktop
Users groups on the system that will be probed.
STEP 5 | (Not Recommended) To allow the agent to monitor user sessions to poll Windows servers for
user mapping informaon, assign Server Operator privileges to the service account.
Because this group also has privileges for shung down and restarng servers, only
assign the account to this group if monitoring user sessions is very important.
1. Select Acve Directory Users and Computers > <your domain> > Builn > Server
Operators Group.
2. Right-click Properes > Members > Add and add the service account name.
STEP 6 | If you want to configure NTLM authencaon for Capve Portal, configure the firewall to
join the domain.
If you plan to configure NTLM authencaon for Capve Portal, the firewall where you’ve
configured the agent will need to join the domain. To enable this, enter the name of a group
PAN-OS® Administrator’s Guide Version Version 9.1 628 ©2021 Palo Alto Networks, Inc.
User-ID
that has administrave privileges to join the domain, write to the validated service principal
name, and create a computer object within the computers organizaon unit (ou=computers).
For a firewall with mulple virtual systems, only vsys1 can join the domain because of AD
restricons on virtual systems running on the same host.
The PAN-OS integrated agent requires privileged operaons to join the domain, which
poses a security threat if the account is compromised. As a best pracce, configure
Kerberos single sign-on (SSO) or SAML SSO authencaon for Capve Portal instead
of NTLM. Kerberos and SAML are stronger, more secure authencaon methods and
do not require the firewall to join the domain.
1. Select Start > Run, enter MMC, and select File > Add/Remove Snap-in > Acve Directory
Users and Computers > Users.
2. Right-click the domain and select Delegate Control.
3. Click Next, then Add the service account name and click OK.
4. Click Next, then Join a computer to the domain.
PAN-OS® Administrator’s Guide Version Version 9.1 629 ©2021 Palo Alto Networks, Inc.
User-ID
PAN-OS® Administrator’s Guide Version Version 9.1 630 ©2021 Palo Alto Networks, Inc.
User-ID
privilege using Group Policies or by using a Managed Service account (refer to Microso
TechNet for more informaon).
1. Select Group Policy Management Editor > Default Domain Policy > Computer
Configuraon > Policies > Windows Sengs > Security Sengs > User Rights
Assignment.
2. For Deny log on as a batch job, Deny log on locally, and Deny log on through Remote
Desktop Services, right-click Properes, then select Define these policy sengs > Add
User or Group and add the service account name, then click OK.
• Deny remote access for the User-ID service account—This prevents an aacker from using
the account to access your network from the outside the network.
1. Start > Run, enter MMC, and select File > Add/Remove Snap-in > Acve Directory Users
and Computers > Users.
2. Right-click the service account name, then select Properes.
3. Select Dial-in, then Deny the Network Access Permission.
PAN-OS® Administrator’s Guide Version Version 9.1 631 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 8 | As a next step, Configure User Mapping Using the PAN-OS Integrated User-ID Agent.
For informaon about the system requirements for installing the Windows-based User-
ID agent and for informaon on supported server OS versions, refer to the User-ID agent
release notes and the Palo Alto Networks Compability Matrix.
PAN-OS® Administrator’s Guide Version Version 9.1 632 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 1 | Create a dedicated Acve Directory service account for the User-ID agent to access the
services and hosts it will monitor to collect user mappings.
Create a Dedicated Service Account for the User-ID Agent and grant the necessary
permissions for the Windows User-ID agent.
1. Enable the service account to log on as a service by configuring either local or group
policy.
1. To configure the group policy if you are installing Windows-based User-ID agents
on mulple servers, select Group Policy Management > Default Domain Policy >
PAN-OS® Administrator’s Guide Version Version 9.1 633 ©2021 Palo Alto Networks, Inc.
User-ID
Computer Configuraon > Policies > Windows Sengs > Security Sengs > Local
Policies > User Rights Assignment for the Windows server that is the agent host.
2. Right-click Log on as a service, then select Properes.
3. Add the service account username or builn group (Administrators have this privilege
by default).
1. To assign permissions locally, select Control Panel > Administrave Tools > Local
Security Policy.
2. Select Local Policies > User Rights Assignment > Log on as a service.
PAN-OS® Administrator’s Guide Version Version 9.1 634 ©2021 Palo Alto Networks, Inc.
User-ID
4. Enter the service account name in domain\username format in the Enter the object
names to select entry field and click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 635 ©2021 Palo Alto Networks, Inc.
User-ID
PAN-OS® Administrator’s Guide Version Version 9.1 636 ©2021 Palo Alto Networks, Inc.
User-ID
log forwarding, run the MMC and launch the Acve Directory Users and Computers
snap-in.
2. Navigate to the Builn folder for the domain, right-click the Event Log Reader group
and select Add to Group to open the properes dialog.
3. Click Add and enter the name of the service account that you configured the User-ID
service to use and then click Check Names to validate that you have the proper object
name.
4. Click OK twice to save the sengs.
5. Confirm that the builn Event Log Reader group lists the service account as a member.
3. Assign account permissions to the installaon folder to allow the service account to
access the agent’s installaon folder to read the configuraon and write logs.
You only need to perform this step if the service account you configured for the User-ID
agent is not either a domain administrator or a local administrator on the User-ID agent
server host.
1. From the Windows Explorer, navigate to C:\Program Files(x86)\Palo Alto
Networks for 32-bit systems, right-click the folder, and select Properes.
2. On the Security tab, click Edit.
PAN-OS® Administrator’s Guide Version Version 9.1 637 ©2021 Palo Alto Networks, Inc.
User-ID
3. Add the User-ID agent service account and assign it permissions to Modify, Read &
execute, List folder contents, Read, and Write, and then click OK to save the account
sengs.
If you want to allow the service account to access the User-ID agent’s registry
keys, Allow the Full Control permission.
4. Give the service account permissions to the User-ID Agent registry sub-tree:
1. Run regedt32 and navigate to the Palo Alto Networks sub-tree in the following
locaon: HKEY_LOCAL_MACHINE\Software\Palo Alto Networks.
2. Right-click the Palo Alto Networks node and select Permissions.
3. Assign the User-ID service account Full Control and then click OK to save the seng.
PAN-OS® Administrator’s Guide Version Version 9.1 638 ©2021 Palo Alto Networks, Inc.
User-ID
Do not use the User-ID agent installed on the RODC to map IP addresses to users. The
User-ID agent installer for credenal detecon is named UaCredInstall64-x.x.x.msi.
Install the User-ID agent version that is the same as the PAN-OS version running on
the firewalls. If there is not a User-ID agent version that matches the PAN-OS version,
install the latest version that is closest to the PAN-OS version.
C:\Users\administrator.acme>cd Desktop
PAN-OS® Administrator’s Guide Version Version 9.1 639 ©2021 Palo Alto Networks, Inc.
User-ID
C:\Users\administrator.acme\Desktop>UaInstall-6.0.0-1.msi
3. Follow the setup prompts to install the agent using the default sengs. By default, the
agent gets installed to C:\Program Files(x86)\Palo Alto Networks for 32-bit
systems, but you can Browse to a different locaon.
4. When the installaon completes, Close the setup window.
You must run the User-ID Agent applicaon as an administrator to install the
applicaon, commit configuraon changes, or uninstall the applicaon.
STEP 6 | (Oponal) Change the service account that the User-ID agent uses to log in.
By default, the agent uses the administrator account used to install the .msi file. To change the
account to a restricted account:
1. Select User Idenficaon > Setup and click Edit.
2. Select the Authencaon tab and enter the service account name that you want the
User-ID agent to use in the User name for Acve Directory field.
3. Enter the Password for the specified account.
4. Commit the changes to the User-ID agent configuraon to restart the service using the
service account credenals.
PAN-OS® Administrator’s Guide Version Version 9.1 640 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 7 | (Oponal) Assign your own cerficates for mutual authencaon between the Windows
User-ID agent and the firewall.
1. Obtain your cerficate for the Windows User-ID agent using one of the following
methods. Upload the server cerficate in Privacy Enhanced Mail (PEM) format and the
server cerficate’s encrypted key.
• Generate a Cerficate and export it for upload to the Windows User-ID agent.
• Export a cerficate from your enterprise cerficate authority (CA) and the upload it to
the Windows User-ID agent.
2. Add a server cerficate to Windows User-ID agent.
1. On the Windows User-ID agent, select Server Cerficate and click Add.
2. Enter the path and name of the cerficate file received from the CA or browse to the
cerficate file.
3. Enter the private key passphrase.
4. Click OK and then Commit.
3. Upload a cerficate to the firewall to validate the Windows User-ID agent’s identy.
4. Configure the cerficate profile for the client device (firewall or Panorama).
1. Select Device > Cerficate Management > Cerficate Profile.
2. Configure a Cerficate Profile.
You can only assign one cerficate profile for Windows User-ID agents and
Terminal Server (TS) agents. Therefore, your cerficate profile must include all
cerficate authories that issued cerficates uploaded to connected User-ID
and TS agents.
5. Assign the cerficate profile on the firewall.
1. Select Device > User Idenficaon > Connecon Security and click the edit buon.
2. Select the User-ID Cerficate Profile you configured in the previous step.
3. Click OK.
6. Commit your changes.
PAN-OS® Administrator’s Guide Version Version 9.1 641 ©2021 Palo Alto Networks, Inc.
User-ID
For informaon about the server OS versions supported by the User-ID agent, refer to
“Operang System (OS) Compability User-ID Agent” in the User-ID Agent Release
Notes.
STEP 1 | Define the servers the User-ID agent will monitor to collect IP address to user mapping
informaon.
The User-ID agent can monitor up to 100 servers, of which up to 50 can be syslog senders.
To collect all of the required mappings, the User-ID agent must connect to all servers
that your users log in to in order to monitor the security log files on all servers that
contain login events.
Auto-discovery locates domain controllers in the local domain only; you must
manually add Exchange servers, eDirectory servers, and syslog senders.
7. (Oponal) To tune the frequency at which the Windows User-ID agent polls configured
servers for mapping informaon, select User Idenficaon > Setup and Edit the
Setup secon. On the Server Monitor tab, modify the value in the Server Log Monitor
Frequency (seconds) field. Increase the value in this field to 5 seconds in environments
with older Domain Controllers or high-latency links.
Ensure that the Enable Server Session Read seng is not selected. This seng
requires that the User-ID agent have an Acve Directory account with Server
Operator privileges so that it can read all user sessions. Instead, use a syslog or
XML API integraon to monitor sources that capture login and logout events
for all device types and operang systems (instead of just Windows), such as
wireless controllers and Network Access Controllers (NACs).
8. Click OK to save the sengs.
PAN-OS® Administrator’s Guide Version Version 9.1 642 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 2 | Specify the subnetworks the Windows User-ID agent should include in or exclude from User-
ID.
By default, the User-ID maps all users accessing the servers you are monitoring.
As a best pracce, always specify which networks to include and exclude from User-
ID to ensure that the agent is only communicang with internal resources and to
prevent unauthorized users from being mapped. You should only enable User-ID on the
subnetworks where users internal to your organizaon are logging in.
If you add Exclude profiles without adding any Include profiles, the User-ID
agent excludes all subnetworks, not just the ones you added.
4. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 643 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 3 | (Oponal) If you configured the agent to connect to a Novell eDirectory server, you must
specify how the agent should search the directory.
1. Select User Idenficaon > Setup and click Edit in the Setup secon of the window.
2. Select the eDirectory tab and then complete the following fields:
• Search Base—The starng point or root context for agent queries, for example:
dc=domain1,dc=example, dc=com.
• Bind Disnguished Name—The account to use to bind to the directory, for example:
cn=admin,ou=IT, dc=domain1, dc=example, dc=com.
• Bind Password—The bind account password. The agent saves the encrypted password
in the configuraon file.
• Search Filter—The search query for user entries (default is objectClass=Person).
• Server Domain Prefix—A prefix to uniquely idenfy the user. This is only required if
there are overlapping name spaces, such as different users with the same name from
two different directories.
• Use SSL—Select the check box to use SSL for eDirectory binding.
• Verify Server Cerficate—Select the check box to verify the eDirectory server
cerficate when using SSL.
1. On the Client Probing tab, deselect the Enable WMI Probing check box if it is enabled.
2. Deselect the Enable NetBIOS Probing check box if it is enabled.
Palo Alto Network strongly recommends that you collect user mapping
informaon from isolated and trusted sources, such as domain controllers
or integraons with Syslog or the XML API, to safely capture user mapping
informaon from any device type or operang system.
If you must enable client probing, select the Enable WMI Probing check box and
on the Client Probing tab. Due to the potenal security risks of this method, only
select the Enable NetBIOS Probing check box if the firewall cannot obtain user
mappings using any other method. Then add a remote administraon excepon
to the Windows firewall for each probed client to ensure the Windows firewall
will allow client probing. Each probed client PC must allow port 139 in the
Windows firewall and must also have file and printer sharing services enabled.
PAN-OS® Administrator’s Guide Version Version 9.1 644 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 6 | (Oponal) Define the set of users for which you do not need to provide IP address-to-
username mappings, such as kiosk accounts.
Save the ignore-user list as a text document on the agent host using the tle
ignore_user_list and use the .txt file extension to save it to the User-ID Agent folder on
the domain server where the agent is installed.
List the user accounts to ignore; there is no limit to the number of accounts you can add to the
list. Each user account name must be on a separate line. For example:
SPAdmin
SPInstall
TFSReport
You can use an asterisk as a wildcard character to match mulple usernames, but only as
the last character in the entry. For example, corpdomain\it-admin* would match all
administrators in the corpdomain domain whose usernames start with the string it‑admin.
You can also use the ignore-user list to idenfy users whom you want to force to
authencate using Capve Portal.
Aer adding entries to the Ignore User list, you must stop and restart the connecon to
the service.
The firewall can connect to only one Windows-based User-ID agent that is using the
User-ID credenal service add-on to detect corporate credenal submissions. See
Configure Credenal Detecon with the Windows-based User-ID Agent for more
details on how to use this service for credenal phishing prevenon.
Complete the following steps on each firewall you want to connect to the User-ID agent to
receive user mappings:
1. Select Device > User Idenficaon > User-ID Agents and click Add.
2. Enter a Name for the User-ID agent.
3. Enter the IP address of the Windows Host on which the User-ID Agent is installed.
4. Enter the Port number (1-65535) on which the agent will listen for user mapping
requests. This value must match the value configured on the User-ID agent. By default,
the port is set to 5007 on the firewall and on newer versions of the User-ID agent.
However, some older User-ID agent versions use port 2010 as the default.
5. Make sure that the configuraon is Enabled, then click OK.
6. Commit the changes.
7. Verify that the Connected status displays as connected (a green light).
PAN-OS® Administrator’s Guide Version Version 9.1 645 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 8 | Verify that the User-ID agent is successfully mapping IP addresses to usernames and that the
firewalls can connect to the agent.
1. Launch the User-ID agent and select User Idenficaon.
2. Verify that the agent status shows Agent is running. If the Agent is not running, click
Start.
3. To verify that the User-ID agent can connect to monitored servers, make sure the Status
for each Server is Connected.
4. To verify that the firewalls can connect to the User-ID agent, make sure the Status for
each of the Connected Devices is Connected.
5. To verify that the User-ID agent is mapping IP addresses to usernames, select Monitoring
and make sure that the mapping table is populated. You can also Search for specific
users, or Delete user mappings from the list.
PAN-OS® Administrator’s Guide Version Version 9.1 646 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 2 | Define the servers that the firewall will monitor to collect user mapping informaon.
Within the total maximum of 100 monitored servers per firewall, you can define no more than
50 syslog senders for any single virtual system.
To collect all the required mappings, the firewall must connect to all servers that your
users log in to so that the firewall can monitor the Security log files on all servers that
contain login events.
If you are using WinRM with Kerberos, you must enter a fully qualified domain
name (FDQN). If you want to use WinRM with basic authencaon or use
WMI to monitor the server, you can enter an IP address or FQDN.
To monitor servers using WMI, specify an IP address, the service account name
(if all server monitoring is in the same domain), or a fully qualified domain
name (FQDN). If you specify an FQDN, use the down-level logon name in the
(DLN)\sAMAccountName format instead of the FQDN\sAMAccountName
format. For example, use example\user.services not example.com
\user.services. If you specify an FQDN, the firewall will aempt to
authencate using Kerberos, which does not support WMI.
7. (Syslog Sender only) If you select Syslog Sender as the server Type, Configure the PAN-
OS Integrated User-ID Agent as a Syslog Listener.
8. (Novell eDirectory only) Make sure the Server Profile you select is Enabled and click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 647 ©2021 Palo Alto Networks, Inc.
User-ID
The auto-discovery feature is for domain controllers only; you must manually
add any Exchange servers or eDirectory servers you want to monitor.
STEP 3 | (Oponal) Specify the frequency at which the firewall polls Windows servers for mapping
informaon. This is the interval between the end of the last query and the start of the next
query.
If the domain controller is processing many requests, delays between queries may
exceed the specified value.
Ensure that the Enable Session seng is not enabled. This seng requires
that the User-ID agent have an Acve Directory account with Server Operator
privileges so that it can read all user sessions. Instead, use a Syslog or XML
API integraon to monitor sources that capture login and logout events for all
device types and operang systems (instead of just Windows), such as wireless
controllers and network access control (NAC) devices.
3. Click OK to save your changes.
STEP 4 | Specify the subnetworks that the PAN-OS integrated User-ID agent should include in or
exclude from user mapping.
By default, the User-ID maps all users accessing the servers you are monitoring.
As a best pracce, always specify which networks to include and, oponally, which
networks to exclude from User-ID to ensure that the agent is communicang only
with internal resources and to prevent unauthorized users from being mapped. You
should enable user mapping only on the subnetworks where users internal to your
organizaon are logging in.
PAN-OS® Administrator’s Guide Version Version 9.1 648 ©2021 Palo Alto Networks, Inc.
User-ID
exclude 10.2.50.0/22, the agent will map users on all the subnetworks of 10.0.0.0/8
except 10.2.50.0/22 and will exclude all subnetworks outside of 10.0.0.0/8.
If you add Exclude profiles without adding any Include profiles, the User-ID
agent excludes all subnetworks, not just the ones you added.
4. Click OK.
STEP 5 | Set the domain credenals for the account that the firewall will use to access Windows
resources. This is required for monitoring Exchange servers and domain controllers as well as
for WMI probing.
1. Edit the Palo Alto Networks User-ID Agent Setup.
2. Select the Server Monitor Account tab and enter the User Name and Password for the
service account that the User-ID agent will use to probe the clients and monitor servers.
Enter the username using the domain\username syntax.
3. If you are using WinRM to monitor servers, configure the firewall to authencate with
the server you are monitoring.
• If you want to use WinRM with basic authencaon, enable WinRM on the server,
configure basic authencaon, and specify the service account Domain’s DNS Name.
• If you want to use WinRM with Kerberos, Configure a Kerberos server profile if you
have not already done so and then select the Kerberos Server Profile.
STEP 6 | (Oponal, not recommended) Configure WMI probing (the PAN-OS integrated User-ID agent
does not support NetBIOS probing).
Do not enable WMI probing on high-security networks. Client probing can generate a
large amount of network traffic and can pose a security threat when misconfigured.
If the request load is high, the observed delay between requests might
significantly exceed the specified interval.
3. Click OK.
4. Make sure the Windows firewall will allow client probing by adding a remote
administraon excepon to the Windows firewall for each probed client.
PAN-OS® Administrator’s Guide Version Version 9.1 649 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 7 | (Oponal) Define the set of user accounts that don’t require IP address-to-username
mappings, such as kiosk accounts.
Define the ignore user list on the firewall that is the User-ID agent, not the client. If
you define the ignore user list on the client firewall, the users in the list are sll mapped
during redistribuon.
On the Ignore User List tab, Add each username you want to exclude from user mapping. You
can also use the ignore user list to idenfy the users you want to force to use Capve Portal
to authencate. You can use an asterisk as a wildcard character to match mulple usernames
but only as the last character in the entry. For example, corpdomain\it-admin* would
match all administrators in the corpdomain domain whose usernames start with the string
it‑admin. You can add up to 5,000 entries to exclude from user mapping.
3. On the Device > User Idenficaon > User Mapping tab in the web interface, verify that
the Status of each server you configured for server monitoring is Connected.
PAN-OS® Administrator’s Guide Version Version 9.1 650 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 1 | Configure the service account with Remote Management User and CIMV2 privileges for the
server you want to monitor.
STEP 2 | On the Windows server you are monitoring, obtain the thumbprint from the cerficate for
the Windows server to use with WinRM and enable WinRM.
Ensure that you use an account with administrator privileges to configure WinRM on
the server you want to monitor. As a best pracce for security, this account should not
be the same account as the service account in Step 1.
1. Verify the cerficate is installed in the Local Computer cerficate store (Cerficates
(Local Computer) > Personal > Cerficates).
If you do not see the Local Computer cerficate store, launch the Microso Management
Console (Start > Run > MMC) and add the Cerficates snap-in (File > Add/Remove
Snap-in > Cerficates > Add > Computer account > Next > Finish).
2. Open the cerficate and select General > Details > Show: <All>.
3. Select the Thumbprint and copy it.
4. To enable the firewall to connect to the Windows server using WinRM, enter the
following command: winrm quickconfig.
5. Enter y to confirm the changes and then confirm the output displays WinRM service
started.
If WinRM is enabled, the output displays WinRM service is already running
on this machine. You will be prompted to confirm any addional required
configuraon changes.
6. To verify that WinRM is communicang using HTTPS, enter the following command:
winrm enumerate winrm/config/listener and confirm that the output displays
Transport = HTTPS.
By default, WinRM/HTTPS uses port 5986.
7. From the Windows server command prompt, enter the following command:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS
@{Hostname=”<hostname>";CertificateThumbprint=”Certificate
Thumbprint"}, where hostname is the hostname of the Windows server and Cerficate
Thumbprint is the value you copied from the cerficate.
Use the command prompt (not Powershell) and remove any spaces in the
Cerficate Thumbprint to ensure that WinRM can validate the cerficate.
8. From the Windows server command prompt, enter the following command:
PAN-OS® Administrator’s Guide Version Version 9.1 651 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 3 | Enable Basic Authencaon between the PAN-OS integrated User-ID agent and the
monitored servers.
1. Select Device > User Idenficaon > User Mapping > Palo Alto Networks User-ID
Agent Setup > Server Monitor Account.
2. In domain\username format, enter the User Name for the service account that the
User-ID agent will use to monitor servers.
3. Enter the Domain’s DNS Name of the server monitor account.
4. Enter the Password and Confirm Password for the service account.
5. Click OK
STEP 4 | Configure server monitoring for the PAN-OS integrated User-ID agent.
1. Select the Microso server Type (Microso Acve Directory or Microso Exchange).
2. Select Win-RM-HTTPS as the Transport Protocol to use Windows Remote Management
(WinRM) over HTTPS to monitor the server security logs and session informaon.
3. Enter the IP address or FQDN Network Address of the server.
STEP 5 | To enable the PAN-OS integrated User-ID agent to communicate with the monitored servers
using WinRM-HTTPS, verify that you successfully imported the root cerficate for the
PAN-OS® Administrator’s Guide Version Version 9.1 652 ©2021 Palo Alto Networks, Inc.
User-ID
service cerficates that the Windows server uses for WinRM on to the firewall and associate
the cerficate with the User-ID Cerficate Profile.
1. Select Device > User Idenficaon > Connecon Security.
2. Click Edit.
3. Select the Windows server cerficate to use for the User-ID Cerficate Profile.
4. Click OK.
STEP 7 | Verify that the status of each monitored server is Connected (Device > User Idenficaon >
User Mapping).
STEP 1 | Configure the service account with Remote Management User and CIMV2 privileges for the
server you want to monitor.
PAN-OS® Administrator’s Guide Version Version 9.1 653 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 2 | Confirm that WinRM is enabled on the Windows server you are monitoring.
Ensure that you use an account with administrator privileges to configure WinRM on
the server you want to monitor. As a best pracce for security, this account should not
be the same account as the service account in Step 1.
1. To enable the firewall to connect to the Windows server using WinRM, enter the
following command: winrm quickconfig.
2. Enter y to confirm the changes and then confirm the output displays WinRM service
started.
If WinRM is enabled, the output displays WinRM service is already running
on this machine. You will be prompted to confirm any addional required
configuraon changes.
3. To verify that WinRM is communicang using HTTP, enter the following command:
winrm enumerate winrm/config/listener and confirm that the output displays
Transport = HTTP.
By default, WinRM/HTTP uses port 5985.
4. Enter the following command: winrm get winrm/config/service/Auth and
confirm that Kerberos = true.
STEP 3 | Enable the PAN-OS integrated User-ID agent and the monitored servers to authencate
using Kerberos.
1. If you did not do so during the inial configuraon, configure date and me (NTP)
sengs to ensure successful Kerberos negoaon.
2. Configure a Kerberos server profile on the firewall to authencate with the server to
monitor the security logs and session informaon.
3. Select Device > User Idenficaon > User Mapping > Palo Alto Networks User-ID
Agent Setup > Server Monitor Account.
4. In domain\username format, enter the User Name for the service account that the
User-ID agent will use to monitor servers.
5. Enter the Domain’s DNS Name of the server monitor account.
Kerberos uses the domain name to locate the service account.
6. Enter the Password and Confirm Password for the service account.
7. Select the Kerberos Server Profile you configured in Step 3.2.
8. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 654 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 4 | Configure server monitoring for the PAN-OS integrated User-ID agent.
1. Configure the Microso server type (Microso Acve Directory or Microso Exchange).
2. Select WinRM-HTTP as the Transport Protocol to use Windows Remote Management
(WinRM) over HTTP to monitor the server security logs and session informaon.
3. Enter the FQDN Network Address of the server.
If you are using Kerberos, the network address must be a fully qualified domain name
(FDQN).
STEP 6 | Verify that the status of each monitored server is Connected (Device > User Idenficaon >
User Mapping).
STEP 1 | Configure the service account with Remote Management User and CIMV2 privileges for the
server you want to monitor.
PAN-OS® Administrator’s Guide Version Version 9.1 655 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 2 | On the Windows server you are monitoring, obtain the thumbprint from the cerficate for
the Windows server to use with WinRM and enable WinRM.
Ensure that you use an account with administrator privileges to configure WinRM on
the server you want to monitor. As a best pracce for security, this account should not
be the same account as the service account in Step 1.
1. Verify the cerficate is installed in the Local Computer cerficate store (Cerficates
(Local Computer) > Personal > Cerficates).
If you do not see the Local Computer cerficate store, launch the Microso Management
Console (Start > Run > MMC) and add the Cerficates snap-in (File > Add/Remove
Snap-in > Cerficates > Add > Computer account > Next > Finish).
2. Open the cerficate and select General > Details > Show: <All>.
3. Select the Thumbprint and copy it.
4. To enable the firewall to connect to the Windows server using WinRM, enter the
following command: winrm quickconfig.
5. Enter y to confirm the changes and then confirm the output displays WinRM service
started.
If WinRM is enabled, the output displays WinRM service is already running
on this machine. You will be prompted to confirm any addional required
configuraon changes.
6. To verify that WinRM is communicang using HTTPS, enter the following command:
winrm enumerate winrm/config/listener. Then confirm that the output
displays Transport = HTTPS.
By default, WinRM/HTTPS uses 5986.
7. From the Windows server command prompt, enter the following command:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS
@{Hostname=”<hostname>";CertificateThumbprint=”Certificate
Thumbprint"}, where hostname is the hostname of the Windows server and Cerficate
Thumbprint is the value you copied from the cerficate.
Use the command prompt (not Powershell) and remove any spaces in the
Cerficate Thumbprint to ensure that WinRM can validate the cerficate.
8. Enter the following command: winrm get winrm/config/service/Auth and
confirm that Basic = false and Kerberos= true.
PAN-OS® Administrator’s Guide Version Version 9.1 656 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 3 | Enable the PAN-OS integrated User-ID agent and the monitored servers to authencate
using Kerberos.
1. If you did not do so during the inial configuraon, configure date and me (NTP)
sengs to ensure successful Kerberos negoaon.
2. Configure a Kerberos server profile on the firewall to authencate with the server to
monitor the security logs and session informaon.
3. Select Device > User Idenficaon > User Mapping > Palo Alto Networks User-ID
Agent Setup > Server Monitor Account.
4. In domain\username format, enter the User Name for the service account that the
User-ID agent will use to monitor servers.
5. Enter the Domain’s DNS Name of the server monitor account.
Kerberos uses the domain name to locate the service account.
6. Enter the Password and Confirm Password for the service account.
7. Select the Kerberos Server Profile you created in Step 3.2.
8. Click OK.
STEP 4 | Configure server monitoring for the PAN-OS integrated User-ID agent.
1. Configure the Microso server type (Microso Acve Directory or Microso Exchange).
2. Select Win-RM-HTTPS as the Transport Protocol to use Windows Remote Management
(WinRM) over HTTPS to monitor the server security logs and session informaon.
3. Enter the FQDN Network Address of the server.
If you are using Kerberos, the network address must be a fully qualified domain name
(FDQN).
STEP 5 | To enable the PAN-OS integrated User-ID agent to communicate with the monitored servers
using WinRM-HTTPS, verify that you successfully imported the root cerficate for the
PAN-OS® Administrator’s Guide Version Version 9.1 657 ©2021 Palo Alto Networks, Inc.
User-ID
service cerficates that the Windows server uses for WinRM on to the firewall and associate
the cerficate with the User-ID Cerficate Profile.
The firewall uses the same cerficate to authencate with all monitored servers.
1. Select Device > User Idenficaon > Connecon Security.
2. Click Edit.
3. Select the Windows server cerficate to use for the User-ID Cerficate Profile.
4. Click OK.
5. Commit your changes.
STEP 6 | Verify that the status of each monitored server is Connected (Device > User Idenficaon >
User Mapping).
PAN-OS® Administrator’s Guide Version Version 9.1 658 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 1 | Determine whether there is a predefined Syslog Parse profile for your parcular syslog
senders.
Palo Alto Networks provides several predefined profiles through Applicaon content updates.
The predefined profiles are global to the firewall, whereas custom profiles apply to a single
virtual system only.
Any new Syslog Parse profiles in a given content release is documented in the
corresponding release note along with the specific regex used to define the filter.
STEP 2 | Define custom Syslog Parse profiles to create and delete user mappings.
Each profile filters syslog messages to idenfy either login events (to create user mappings) or
logout events (to delete mappings), but no single profile can do both.
1. Review the syslog messages that the syslog sender generates to idenfy the syntax for
login and logout events. This enables you to define the matching paerns when creang
Syslog Parse profiles.
While reviewing syslog messages, also determine whether they include the
domain name. If they don’t, and your user mappings require domain names,
enter the Default Domain Name when defining the syslog senders that the User-
ID agent monitors (later in this procedure).
2. Select Device > User Idenficaon > User Mapping and edit the Palo Alto Networks
User-ID Agent Setup.
3. Select Syslog Filters and Add a Syslog Parse profile.
4. Enter a name to idenfy the Syslog Parse Profile.
5. Select the Type of parsing to find login or logout events in syslog messages:
• Regex Idenfier—Regular expressions.
• Field Idenfier—Text strings.
The following steps describe how to configure these parsing types.
PAN-OS® Administrator’s Guide Version Version 9.1 659 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 3 | (Regex Idenfier parsing only) Define the regex matching paerns.
If the syslog message contains a standalone space or tab as a delimiter, use \s for a
space and \t for a tab.
1. Enter the Event Regex for the type of events you want to find:
• Login events—For the example message, the regex (authentication\ success)
{1} extracts the first {1} instance of the string authentication success.
• Logout events—For the example message, the regex (logout\ successful){1}
extracts the first {1} instance of the string logout successful.
The backslash (\) before the space is a standard regex escape character that instructs the
regex engine not to treat the space as a special character.
2. Enter the Username Regex to idenfy the start of the username.
In the example message, the regex User:([a-zA-Z0-9\\\._]+) matches the string
User:johndoe1 and idenfies johndoe1 as the username.
3. Enter the Address Regex to idenfy the IP address poron of syslog messages. Use a
queson mark (?) to indicate an oponal second and third IP address.
In the following example, the highlighted queson marks indicate the second and third IP
addresses are oponal. Source:((?:(?:[\d]{1,3}\.){3}[\d]{1,3})|(?:[A-Fa-f\d:]+))(?:.*?Source:((?:
(?:[\d]{1,3}\.){3}[\d]{1,3})|(?:[A-Fa-f\d:]+)))?(?:.*?Source:((?:(?:[\d]{1,3}\.){3}[\d]{1,3})|(?:[A-
Fa-f\d:]+)))?
In the example message, the regular expression Source:([0-9]{1,3}\.
[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) matches the IPv4 address
Source:192.168.3.212.
The following is an example of a completed Syslog Parse profile that uses regex to
idenfy login events:
PAN-OS® Administrator’s Guide Version Version 9.1 660 ©2021 Palo Alto Networks, Inc.
User-ID
6. Enter the maximum number of IP Address Per Log that you want the firewall to parse
(default is 1; range is 1—3).
7. Click OK twice to save the profile.
PAN-OS® Administrator’s Guide Version Version 9.1 661 ©2021 Palo Alto Networks, Inc.
User-ID
To select the TLS cerficate that the firewall uses to receive syslog messages,
select Device > User Idenficaon > User Mapping > Palo Alto Networks User-
ID Agent Setup. Edit the sengs and select Server Monitor, then select the
Syslog Service Profile that contains the TLS cerficate you want to the firewall
to use to receive syslog messages.
The PAN-OS integrated User-ID agent accepts syslogs over SSL and UDP only.
However, you must use cauon when using UDP to receive syslog messages
because it is an unreliable protocol and as such there is no way to verify that
a message was sent from a trusted syslog sender. Although you can restrict
syslog messages to specific source IP addresses, an aacker can sll spoof the IP
address, potenally allowing the injecon of unauthorized syslog messages into
the firewall.
Always use SSL to listen for syslog messages because the traffic is encrypted
(UDP sends the traffic in cleartext). If you must use UDP, make sure that the
syslog sender and client are both on a dedicated, secure network to prevent
untrusted hosts from sending UDP traffic to the firewall.
A syslog sender using SSL to connect will show a Status of Connected only when there is
an acve SSL connecon. Syslog senders using UDP will not show a Status value.
7. For each syslog syntax that the sender uses, Add a Syslog Parse profile to the Filter list.
Select the Event Type that each profile is configured to idenfy: login (default) or logout.
8. (Oponal) If the syslog messages don’t contain domain informaon and your user
mappings require domain names, enter a Default Domain Name to append to the
mappings.
9. Click OK to save the sengs.
PAN-OS® Administrator’s Guide Version Version 9.1 662 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 6 | Enable syslog listener services on the interface that the firewall uses to collect user
mappings.
1. Select Network > Network Profiles > Interface Mgmt and edit an exisng Interface
Management profile or Add a new profile.
2. Select User-ID Syslog Listener-SSL or User-ID Syslog Listener-UDP or both, based on
the protocols you defined for the syslog senders in the Server Monitoring list.
The listening ports (514 for UDP and 6514 for SSL) are not configurable; they
are enabled through the management service only.
3. Click OK to save the interface management profile.
Even aer enabling the User-ID Syslog Listener service on the interface,
the interface only accepts syslog connecons from senders that have a
corresponding entry in the User-ID monitored servers configuraon. The firewall
discards connecons or messages from senders that are not on the list.
4. Assign the Interface Management profile to the interface that the firewall uses to collect
user mappings:
1. Select Network > Interfaces and edit the interface.
2. Select Advanced > Other info, select the Interface Management Profile you just
added, and click OK.
5. Commit your changes.
STEP 7 | Verify that the firewall adds and deletes user mappings when users log in and out.
You can use CLI commands to see addional informaon about syslog senders, syslog
messages, and user mappings.
1. Log in to a client system for which a monitored syslog sender generates login and logout
event messages.
2. Log in to the firewall CLI.
3. Verify that the firewall mapped the login username to the client IP address:
PAN-OS® Administrator’s Guide Version Version 9.1 663 ©2021 Palo Alto Networks, Inc.
User-ID
agent uses the profiles to find login and logout events in syslog messages. In environments where
syslog senders (the network services that authencate users) deliver syslog messages in different
syntaxes, configure a profile for each syslog syntax. Syslog messages must meet certain criteria
for a User-ID agent to parse them (see Syslog). This procedure uses examples with the following
syntaxes:
• Login events—[Tue Jul 5 13:15:04 2016 CDT] Administratorauthentication
success User:johndoe1 Source:192.168.3.212
• Logout events—[Tue Jul 5 13:18:05 2016 CDT]User logout successful
User:johndoe1 Source:192.168.3.212
Aer configuring the Syslog Parse profiles, you specify the syslog senders that the User-ID agent
monitors.
The Windows User-ID agent accepts syslogs over TCP and UDP only. However, you
must use cauon when using UDP to receive syslog messages because it is an unreliable
protocol and as such there is no way to verify that a message was sent from a trusted
syslog sender. Although you can restrict syslog messages to specific source IP addresses,
an aacker can sll spoof the IP address, potenally allowing the injecon of unauthorized
syslog messages into the firewall. As a best pracce, use TCP instead of UDP. In either
case, make sure that the syslog sender and client are both on a dedicated, secure VLAN to
prevent untrusted hosts from sending syslogs to the User-ID agent.
STEP 2 | Define custom Syslog Parse profiles to create and delete user mappings.
Each profile filters syslog messages to idenfy either login events (to create user mappings) or
logout events (to delete mappings), but no single profile can do both.
1. Review the syslog messages that the syslog sender generates to idenfy the syntax for
login and logout events. This enables you to define the matching paerns when creang
Syslog Parse profiles.
While reviewing syslog messages, also determine whether they include the
domain name. If they don’t, and your user mappings require domain names,
enter the Default Domain Name when defining the syslog senders that the User-
ID agent monitors (later in this procedure).
2. Open the Windows Start menu and select User-ID Agent.
3. Select User Idenficaon > Setup and Edit the Setup.
4. Select Syslog, Enable Syslog Service, and Add a Syslog Parse profile.
5. Enter a Profile Name and Descripon.
6. Select the Type of parsing to find login and logout events in syslog messages:
• Regex—Regular expressions.
• Field—Text strings.
The following steps describe how to configure these parsing types.
PAN-OS® Administrator’s Guide Version Version 9.1 664 ©2021 Palo Alto Networks, Inc.
User-ID
PAN-OS® Administrator’s Guide Version Version 9.1 665 ©2021 Palo Alto Networks, Inc.
User-ID
6. Enter the maximum number of IP Address Per Log that you want the firewall to parse
(default is 1; range is 1—3).
7. Click OK twice to save the profile.
PAN-OS® Administrator’s Guide Version Version 9.1 666 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 5 | Specify the syslog senders that the User-ID agent monitors.
Within the total maximum of 100 servers of all types that the User-ID agent can monitor, up to
50 can be syslog senders.
The User-ID agent discards any syslog messages received from senders that are not on this list.
1. Select User Idenficaon > Discovery and Add an entry to the Servers list.
2. Enter a Name to idenfy the sender.
3. Enter the Server Address of the syslog sender (IP address or FQDN).
4. Set the Server Type to Syslog Sender.
5. (Oponal) If you want to override the current domain in the username of your syslog
message or prepend the domain to the username if your syslog message doesn’t contain
a domain, enter a Default Domain Name.
6. For each syslog syntax that the sender uses, Add a Syslog Parse profile to the Filter list.
Select the Event Type that you configured each profile to idenfy—login (default) or
logout—and then click OK.
7. Click OK to save the sengs.
8. Commit your changes to the User-ID agent configuraon.
STEP 6 | Verify that the User-ID agent adds and deletes user mappings when users log in and out.
You can use CLI commands to see addional informaon about syslog senders, syslog
messages, and user mappings.
1. Log in to a client system for which a monitored syslog sender generates login and logout
event messages.
2. Verify that the User-ID agent mapped the login username to the client IP address:
1. In the User-ID agent, select Monitoring.
2. Enter the username or IP address in the filter field, Search, and verify that the list
displays the mapping.
3. Verify that the firewall received the user mapping from the User-ID agent:
1. Log in to the firewall CLI.
2. Run the following command:
If the firewall received the user mapping, the output resembles the following:
IP address: 192.0.2.1 (vsys1)
User: localdomain\username
PAN-OS® Administrator’s Guide Version Version 9.1 667 ©2021 Palo Alto Networks, Inc.
User-ID
From: SYSLOG
No matched record
Kerberos SSO The firewall uses Kerberos single sign-on (SSO) to transparently
obtain user credenals from the browser. To use this method,
your network requires a Kerberos infrastructure, including a
key distribuon center (KDC) with an authencaon server
and cket granng service. The firewall must have a Kerberos
account.
PAN-OS® Administrator’s Guide Version Version 9.1 668 ©2021 Palo Alto Networks, Inc.
User-ID
Web Form The firewall redirects web requests to a web form for
authencaon. For this method, you can configure
Authencaon policy to use Mul-Factor Authencaon (MFA),
SAML, Kerberos, TACACS+, RADIUS, or LDAP authencaon.
Although users have to manually enter their login credenals,
this method works with all browsers and operang systems.
Client Cerficate The firewall prompts the browser to present a valid client
Authencaon cerficate to authencate the user. To use this method, you must
provision client cerficates on each user system and install the
trusted cerficate authority (CA) cerficate used to issue those
cerficates on the firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 669 ©2021 Palo Alto Networks, Inc.
User-ID
Mode Descripon
SSL Inbound Inspecon does not support Capve Portal redirect. To use Capve Portal
redirect and decrypon, you must use SSL Forward Proxy.
Based on their sensivity, the applicaons that users access through Capve Portal require
different authencaon methods and sengs. To accommodate all authencaon requirements,
you can use default and custom authencaon enforcement objects. Each object associates an
Authencaon rule with an authencaon profile and a Capve Portal authencaon method.
• Default authencaon enforcement objects—Use the default objects if you want to associate
mulple Authencaon rules with the same global authencaon profile. You must configure
PAN-OS® Administrator’s Guide Version Version 9.1 670 ©2021 Palo Alto Networks, Inc.
User-ID
this authencaon profile before configuring Capve Portal, and then assign it in the Capve
Portal Sengs. For Authencaon rules that require Mul-Factor Authencaon (MFA), you
cannot use default authencaon enforcement objects.
• Custom authencaon enforcement objects—Use a custom object for each Authencaon
rule that requires an authencaon profile that differs from the global profile. Custom objects
are mandatory for Authencaon rules that require MFA. To use custom objects, create
authencaon profiles and assign them to the objects aer configuring Capve Portal—when
you Configure Authencaon Policy.
Keep in mind that authencaon profiles are necessary only if users authencate through a
Capve Portal Web Form, Kerberos SSO, or NT LAN Manager (NTLM). Alternavely, or in addion
to these methods, the following procedure also describes how to implement Client Cerficate
Authencaon.
If you use Capve Portal without the other User-ID funcons (user mapping and group
mapping), you don’t need to configure a User-ID agent.
STEP 1 | Configure the interfaces that the firewall will use for incoming web requests, authencang
users, and communicang with directory servers to map usernames to IP addresses.
When the firewall connects to authencaon servers or User-ID agents, it uses the
management interface by default. As a best pracce, isolate your management network by
configuring service routes to connect to the authencaon servers or User-ID agents.
1. (MGT interface only) Select Device > Setup > Interfaces, edit the Management interface,
select User-ID, and click OK.
2. (Non-MGT interface only) Assign an Interface Management Profile to the Layer 3
interface that the firewall will use for incoming web requests and communicaon
with directory servers. You must enable Response Pages and User-ID in the Interface
Management profile.
3. (Non-MGT interface only) Configure a service route for the interface that the firewall
will use to authencate users. If the firewall has more than one virtual system (vsys),
the service route can be global or vsys-specific. The services must include LDAP and
potenally the following:
• Kerberos, RADIUS, TACACS+, or Mul-Factor Authencaon—Configure a service
route for any authencaon services that you use.
• UID Agent—Configure this service only if you enable NT LAN Manager (NTLM)
authencaon or if you Enable User- and Group-Based Policy.
4. (Redirect mode only) Create a DNS address (A) record that maps the IP address on the
Layer 3 interface to the redirect host. If you will use Kerberos SSO, you must also add a
DNS pointer (PTR) record that performs the same mapping.
If your network doesn’t support access to the directory servers from any firewall interface, you
must Configure User Mapping Using the Windows User-ID Agent.
PAN-OS® Administrator’s Guide Version Version 9.1 671 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 2 | Make sure Domain Name System (DNS) is configured to resolve your domain controller
addresses.
To verify proper resoluon, ping the server FQDN. For example:
If you don’t assign an SSL/TLS Service Profile, the firewall uses TLS 1.2 by
default. To use a different TLS version, configure an SSL/TLS Service Profile for
the TLS version you want to use.
5. Configure clients to trust the cerficate:
1. Export the CA cerficate you created or imported.
2. Import the cerficate as a trusted root CA into all client browsers, either by manually
configuring the browser or by adding the cerficate to the trusted roots in an Acve
Directory (AD) Group Policy Object (GPO).
PAN-OS® Administrator’s Guide Version Version 9.1 672 ©2021 Palo Alto Networks, Inc.
User-ID
1. Use a root CA cerficate to generate a client cerficate for each user who will
authencate through Capve Portal. The CA in this case is usually your enterprise CA,
not the firewall.
2. Export the CA cerficate in PEM format to a system that the firewall can access.
3. Import the CA cerficate onto the firewall: see Import a Cerficate and Private Key. Aer
the import, click the imported cerficate, select Trusted Root CA, and click OK.
4. Configure a Cerficate Profile.
• In the Username Field drop-down, select the cerficate field that contains the user
identy informaon.
• In the CA Cerficates list, click Add and select the CA cerficate you just imported.
As a best pracce, choose Kerberos single sign-on (SSO) or SAML SSO authencaon
over NTLM authencaon. Kerberos and SAML are stronger, more robust
authencaon methods than NTLM and do not require the firewall to have an
administrave account to join the domain. If you do configure NTLM, the PAN-OS
integrated User-ID agent must be able to successfully resolve the DNS name of your
domain controller to join the domain.
1. If you haven’t already done so, Create a Dedicated Service Account for the User-ID
Agent.
As a best pracce, you use a User-ID agent account that is separate from your
firewall administrator account.
2. Select Device > User Idenficaon > User Mapping and edit the Palo Alto Networks
User ID Agent Setup secon.
3. Select NTLM and Enable NTLM authencaon processing.
4. Enter the NTLM Domain against which the User-ID agent on the firewall will check
NTLM credenals.
5. Enter the Admin User Name and Password of the Acve Directory account you created
for the User-ID agent.
Do not include the domain in the Admin User Name field. Otherwise, the firewall
will fail to join the domain.
6. Click OK to save your sengs.
PAN-OS® Administrator’s Guide Version Version 9.1 673 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 6 | (Oponal) Configure Capve Portal for the Apple Capve Network Assistant.
This step is only required if you are using Capve Portal with the Apple Capve Network
Assistant (CNA). To use Capve Portal with CNA, perform the following steps.
1. Verify you have specified an FQDN for the redirect host (not just an IP address).
2. Select an SSL/TLS service profile that uses a publicly-signed cerficate for the specified
FQDN.
3. Enter the following command to adjust the number of requests supported for Capve
Portal: set deviceconfig setting ctd cap-portal-ask-requests
<threshold-value>
By default, the firewall has a rate limit threshold for Capve Portal that limits the number
of requests to one request every two seconds. The CNA sends mulple requests that
can exceed this limit, which can result in a TCP reset and an error from the CNA. The
recommended threshold value is 5 (default is one). This value will allow up to 5 requests
every two seconds. Based on your environment, you may need to configure a different
value. If the current value is not sufficient to handle the number of requests, increase the
value.
PAN-OS® Administrator’s Guide Version Version 9.1 674 ©2021 Palo Alto Networks, Inc.
User-ID
the mapping and any associated Authencaon Timestamps used to evaluate the
Timeout in Authencaon policy rules.
When evaluang the Capve Portal Timer and the Timeout value in each
Authencaon policy rule, the firewall prompts the user to re-authencate
for whichever seng expires first. Upon re-authencang, the firewall resets
the me count for the Capve Portal Timer and records new authencaon
mestamps for the user. Therefore, to enable different Timeout periods for
different Authencaon rules, set the Capve Portal Timer to a value the same
as or higher than any rule Timeout.
4. Select the SSL/TLS Service Profile you created for redirect requests over TLS. See
Configure an SSL/TLS Service Profile.
5. Select the Mode (in this example, Redirect).
6. (Redirect mode only) Specify the Redirect Host, which is the intranet hostname (a
hostname with no period in its name) that resolves to the IP address of the Layer 3
interface on the firewall to which web requests are redirected.
If users authencate through Kerberos single sign-on (SSO), the Redirect Host must be
the same as the hostname specified in the Kerberos keytab.
7. Select the authencaon method to use if NTLM fails (or if you don’t use NTLM):
• To use client cerficate authencaon, select the Cerficate Profile you created.
• To use global sengs for interacve or SSO authencaon, select the Authencaon
Profile you configured.
• To use Authencaon policy rule-specific sengs for interacve or SSO
authencaon, assign authencaon profiles to authencaon enforcement objects
when you Configure Authencaon Policy.
8. Click OK and Commit the Capve Portal configuraon.
PAN-OS® Administrator’s Guide Version Version 9.1 675 ©2021 Palo Alto Networks, Inc.
User-ID
For informaon about the terminal servers supported by the TS agent and the number of TS
agents supported on each firewall model, refer to the Palo Alto Networks Compability Matrix
and the Product Comparison Tool.
The following secons describe how to configure user mapping for terminal server users:
• Configure the Palo Alto Networks Terminal Server (TS) Agent for User Mapping
• Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API
Configure the Palo Alto Networks Terminal Server (TS) Agent for User Mapping
Use the following procedure to install and configure the TS agent on the terminal server. To map
all your users, you must install the TS agent on all terminal servers to which your users log in.
• If you are using TS agent 7.0 or a later version, disable any Sophos anvirus soware
on the TS agent host. Otherwise, the anvirus soware overwrites the source ports
that the TS agent allocates.
• If you are installing a TS agent running TS agent 8.0 or a later version on Windows
Server 2008 R2, download and install the security advisory patch on the server before
you install the TS agent. Otherwise, the TS agent service fails to launch and writes the
following error to the logs: servicefails with error 577.
For informaon about default values, ranges, and other specificaons, refer to Configure
User Mapping for Terminal Server Users. For informaon about the terminal servers
supported by the TS agent and the number of TS agents supported on each firewall model,
refer to the Palo Alto Networks Compability Matrix.
PAN-OS® Administrator’s Guide Version Version 9.1 676 ©2021 Palo Alto Networks, Inc.
User-ID
C:\Users\administrator.acme>cd Desktop
PAN-OS® Administrator’s Guide Version Version 9.1 677 ©2021 Palo Alto Networks, Inc.
User-ID
C:\Users\administrator.acme\Desktop>TaInstall-9.0.0-1.msi
3. Follow the setup prompts to install the agent using the default sengs. The setup
installs the agent in C:\ProgramFiles (x86)\Palo Alto Networks\Terminal
Server Agent.
To ensure correct port allocaon, you must use the default Terminal Server agent
installaon folder locaon.
4. When the installaon completes, Close the setup dialog.
If you are upgrading to a TS agent version that has a newer driver than the
exisng installaon, the installaon wizard prompts you to reboot the system
aer you upgrade.
STEP 3 | Define the range of ports for the TS agent to allocate to end users.
The System Source Port Allocaon Range and System Reserved Source Ports specify
the range of ports that are allocated to non-user sessions. Make sure the values in
these fields do not overlap with the ports you designate for user traffic. These values
can be changed only by eding the corresponding Windows registry sengs. The TS
agent does not allocate ports for network traffic emied by session 0.
1. Open the Windows Start menu and select Terminal Server Agent to launch the Terminal
Server agent applicaon.
2. Configure (side menu) the agent.
3. Enter the Source Port Allocaon Range (default is 20,000-39,999). This is the full range
of port numbers that the TS agent will allocate for user mapping. The port range you
specify cannot overlap the System Source Port Allocaon Range.
4. (Oponal) If there are ports or port ranges within the source port allocaon that
you do not want the TS agent to allocate to user sessions, specify them as Reserved
Source Ports. To include mulple ranges, use commas with no spaces (for example:
2000-3000,3500,4000-5000).
5. Specify the number of ports to allocate to each individual user upon login to the terminal
server (Port Allocaon Start Size Per User); default is 200.
6. Specify the Port Allocaon Maximum Size Per User, which is the maximum number of
ports the Terminal Server agent can allocate to an individual user.
7. Specify whether to connue processing traffic from the user if the user runs out of
allocated ports. The Fail port binding when available ports are used up opon is enabled
by default, which indicates that the applicaon will fail to send traffic when all ports are
used. To enable users to connue using applicaons when they run out of ports, disable
(clear) this opon, but if you do, this traffic may not be idenfied with User-ID.
8. If the terminal server stops responding when you aempt to shut it down, enable the
Detach agent driver at shutdown opon.
STEP 4 | (Oponal) Assign your own cerficates for mutual authencaon between the TS agent and
the firewall.
1. Obtain your cerficate for the TS agent from your enterprise PKI or generate one
on your firewall. The private key of the server cerficate must be encrypted and the
PAN-OS® Administrator’s Guide Version Version 9.1 678 ©2021 Palo Alto Networks, Inc.
User-ID
cerficate must be uploaded in PEM file format. Perform one of the following tasks to
upload a cerficate:
• Generate a Cerficate and export it.
• Export a cerficate from your enterprise cerficate authority (CA).
2. Add a server cerficate to the TS agent.
1. On the TS agent, select Server Cerficate and Add a new cerficate.
2. Enter the path and name of the cerficate file received from the CA or browse to the
cerficate file.
3. Enter the private key password.
4. Click OK.
5. Commit your changes.
You can assign only one cerficate profile for Windows User-ID agents and
TS agents. Therefore, your cerficate profile must include all cerficate
authories that issued cerficates uploaded to connected Windows User-ID
and TS agents.
2. Select Device > User Idenficaon > Connecon Security.
3. Edit ( ) and select the cerficate profile you configured in the previous step as the
User-ID Cerficate Profile.
4. Click OK.
5. Commit your changes.
PAN-OS® Administrator’s Guide Version Version 9.1 679 ©2021 Palo Alto Networks, Inc.
User-ID
hostname. If the hostname resolves to mulple IP addresses, the TS agent uses the first
address in the list.
4. (Oponal) Enter the hostname or IP address for any Alternave IP Addresses that can
appear as the source IP address for the outgoing traffic.
The hostname or IP address must resolve to a stac IP address. You can enter up to 8 IP
addresses or hostnames.
5. Enter the Port number on which the agent will listen for user mapping requests. This
value must match the value configured on the Terminal Server agent. By default, the port
is set to 5009 on the firewall and on the agent. If you change it on the firewall, you must
also change the Listening Port on the Terminal Server agent Configure dialog to the same
port.
6. Make sure that the configuraon is Enabled and then click OK.
7. Commit your changes.
8. Verify that the Connected status displays as connected (a green light).
STEP 6 | Verify that the Terminal Server agent is successfully mapping IP addresses to usernames and
that the firewalls can connect to the agent.
1. Open the Windows Start menu and select Terminal Server Agent.
2. Verify that the firewalls can connect by making sure the Connecon Status of each
firewall in the Connecon List is Connected.
3. Verify that the Terminal Server agent is successfully mapping port ranges to usernames
(Monitor in the side menu) and confirm that the mapping table is populated.
STEP 7 | (Windows 2012 R2 servers only) Disable Enhanced Protected Mode in Microso Internet
Explorer for each user who uses that browser.
This task is not necessary for other browsers, such as Google Chrome or Mozilla Firefox.
To disable Enhanced Protected Mode for all users, use Local Security Policy.
In Internet Explorer, Palo Alto Networks recommends that you do not disable
Protected Mode, which differs from Enhanced Protected Mode.
Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API
The PAN-OS XML API uses standard HTTP requests to send and receive data. API calls can be
made directly from command line ulies such as cURL or using any scripng or applicaon
framework that supports RESTful services.
To enable a non-Windows terminal server to send user mapping informaon directly to the
firewall, create scripts that extract the user login and logout events and use them for input to
PAN-OS® Administrator’s Guide Version Version 9.1 680 ©2021 Palo Alto Networks, Inc.
User-ID
the PAN-OS XML API request format. Then define the mechanisms for subming the XML
API request(s) to the firewall using cURL or wget and providing the firewall’s API key for secure
communicaon. Creang user mappings from mul-user systems such as terminal servers requires
use of the following API messages:
• <multiusersystem>—Sets up the configuraon for an XML API Mul-user System on the
firewall. This message allows for definion of the terminal server IP address (this will be the
source address for all users on that terminal server). In addion, the <multiusersystem>
setup message specifies the range of source port numbers to allocate for user mapping and
the number of ports to allocate to each individual user upon login (called the block size). If you
want to use the default source port allocaon range (1025-65534) and block size (200), you do
not need to send a <multiusersystem> setup event to the firewall. Instead, the firewall will
automacally generate the XML API Mul-user System configuraon with the default sengs
upon receipt of the first user login event message.
• <blockstart>—Used with the <login> and <logout> messages to indicate the starng
source port number allocated to the user. The firewall then uses the block size to determine the
actual range of port numbers to map to the IP address and username in the login message. For
example, if the <blockstart> value is 13200 and the block size configured for the mul-user
system is 300, the actual source port range allocated to the user is 13200 through 13499. Each
connecon iniated by the user should use a unique source port number within the allocated
range, enabling the firewall to idenfy the user based on its IP address-port-user mappings
for enforcement of user- and group-based security rules. When a user exhausts all the ports
allocated, the terminal server must send a new <login> message allocang a new port range
for the user so that the firewall can update the IP address-port-user mapping. In addion, a
single username can have mulple blocks of ports mapped simultaneously. When the firewall
receives a <logout> message that includes a <blockstart> parameter, it removes the
corresponding IP address-port-user mapping from its mapping table. When the firewall receives
a <logout> message with a username and IP address, but no <blockstart>, it removes the
user from its table. And, if the firewall receives a <logout> message with an IP address only, it
removes the mul-user system and all mappings associated with it.
The XML files that the terminal server sends to the firewall can contain mulple message
types and the messages do not need to be in any parcular order within the file. However,
upon receiving an XML file that contains mulple message types, the firewall will process
them in the following order: mulusersystem requests first, followed by logins, then
logouts.
The following workflow provides an example of how to use the PAN-OS XML API to send user
mappings from a non-Windows terminal server to the firewall.
STEP 1 | Generate the API key that will be used to authencate the API communicaon between
the firewall and the terminal server. To generate the key you must provide login credenals
PAN-OS® Administrator’s Guide Version Version 9.1 681 ©2021 Palo Alto Networks, Inc.
User-ID
for an administrave account; the API is available to all administrators (including role-based
administrators with XML API privileges enabled).
From a browser, log in to the firewall. Then, to generate the API key for the firewall, open a
new browser window and enter the following URL:
https://<Firewall-IPaddress>/api/?
type=keygen&user=<username>&password=<password>
https://10.1.2.5/api/?type=keygen&user=admin&password=admin
The firewall responds with a message containing the key, for example:
<response status="success">
<result>
<key>k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg=</key>
</result>
</response>
STEP 2 | (Oponal) Generate a setup message that the terminal server will send to specify the port
range and block size of ports per user that your terminal services agent uses.
If the terminal services agent does not send a setup message, the firewall will automacally
create a Terminal Server agent configuraon using the following default sengs upon receipt
of the first login message:
• Default port range: 1025 to 65534
• Per user block size: 200
• Maximum number of mul-user systems: 1,000
The following shows a sample setup message:
<uid-message>
<payload>
<multiusersystem>
<entry ip="10.1.1.23" startport="20000" endport="39999"
blocksize="100/">
</multiusersystem>
</payload>
<type>update</type>
<version>1.0</version>
PAN-OS® Administrator’s Guide Version Version 9.1 682 ©2021 Palo Alto Networks, Inc.
User-ID
</uid-message>
where entry ip specifies the IP address assigned to terminal server users, startport
and endport specify the port range to use when assigning ports to individual users, and
blocksize specifies the number of ports to assign to each user. The maximum blocksize is
4000 and each mul-user system can allocate a maximum of 1000 blocks.
If you define a custom blocksize and or port range, keep in mind that you must configure the
values such that every port in the range gets allocated and that there are no gaps or unused
ports. For example, if you set the port range to 1000–1499, you could set the block size to
100, but not to 200. This is because if you set it to 200, there would be unused ports at the
end of the range.
STEP 3 | Create a script that will extract the login events and create the XML input file to send to the
firewall.
Make sure the script enforces assignment of port number ranges at fixed boundaries with
no port overlaps. For example, if the port range is 1000–1999 and the block size is 200,
acceptable blockstart values would be 1000, 1200, 1400, 1600, or 1800. Blockstart values of
1001, 1300, or 1850 would be unacceptable because some of the port numbers in the range
would be le unused.
The login event payload that the terminal server sends to the firewall can contain
mulple login events.
The following shows the input file format for a PAN-OS XML login event:
<uid-message>
<payload>
<login>
<entry name="acme\jjaso" ip="10.1.1.23" blockstart="20000">
<entry name="acme\jparker" ip="10.1.1.23" blockstart="20100">
<entry name="acme\ccrisp" ip="10.1.1.23" blockstart="21000">
</login>
</payload>
<type>update</type>
<version>1.0</version>
</uid-message>
The firewall uses this informaon to populate its user mapping table. Based on the mappings
extracted from the example above, if the firewall received a packet with a source address and
port of 10.1.1.23:20101, it would map the request to user jparker for policy enforcement.
STEP 4 | Create a script that will extract the logout events and create the XML input file to send to the
firewall.
Upon receipt of a logout event message with a blockstart parameter, the firewall removes
the corresponding IP address-port-user mapping. If the logout message contains a username
and IP address, but no blockstart parameter, the firewall removes all mappings for the user.
PAN-OS® Administrator’s Guide Version Version 9.1 683 ©2021 Palo Alto Networks, Inc.
User-ID
If the logout message contains an IP address only, the firewall removes the mul-user system
and all associated mappings.
The following shows the input file format for a PAN-OS XML logout event:
<uid-message>
<payload>
<logout>
<entry name="acme\jjaso" ip="10.1.1.23" blockstart="20000">
<entry name="acme\ccrisp" ip="10.1.1.23">
<entry ip="10.2.5.4">
</logout>
</payload>
<type>update</type>
<version>1.0</version>
</uid-message>
You can also clear the muluser system entry from the firewall using the following CLI
command: clear xml-api multiusersystem
STEP 5 | Make sure that the scripts you create include a way to dynamically enforce that the port
block range allocated using the XML API matches the actual source port assigned to the user
on the terminal server and that the mapping is removed when the user logs out or the port
allocaon changes.
One way to do this would be to use netfilter NAT rules to hide user sessions behind the
specific port ranges allocated via the XML API based on the uid. For example, to ensure that a
user with the user ID jjaso is mapped to a source network address translaon (SNAT) value of
10.1.1.23:20000-20099, the script you create should include the following:
Similarly, the scripts you create should also ensure that the IP table roung configuraon
dynamically removes the SNAT mapping when the user logs out or the port allocaon changes:
PAN-OS® Administrator’s Guide Version Version 9.1 684 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 6 | Define how to package the XML input files containing the setup, login, and logout events into
wget or cURL messages for transmission to the firewall.
To apply the files to the firewall using wget:
For example, the syntax for sending an input file named login.xml to the firewall at 10.2.5.11
using key k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg using wget would look
as follows:
For example, the syntax for sending an input file named login.xml to the firewall at 10.2.5.11
using key k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg using cURL would
look as follows:
STEP 7 | Verify that the firewall is successfully receiving login events from the terminal servers.
Verify the configuraon by opening an SSH connecon to the firewall and then running the
following CLI commands:
To verify if the terminal server is connecng to the firewall over XML:
To verify that the firewall is receiving mappings from a terminal server over XML:
PAN-OS® Administrator’s Guide Version Version 9.1 685 ©2021 Palo Alto Networks, Inc.
User-ID
Total host: 1
PAN-OS® Administrator’s Guide Version Version 9.1 686 ©2021 Palo Alto Networks, Inc.
User-ID
PAN-OS® Administrator’s Guide Version Version 9.1 687 ©2021 Palo Alto Networks, Inc.
User-ID
Later, if other users that are in the group for less restricted services are given
addional usernames that access more restricted services, you can add those
usernames to the group for more restricted services. This scenario is more
common than the inverse; a user with access to more restricted services usually
already has access to less restricted services.
PAN-OS® Administrator’s Guide Version Version 9.1 688 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 2 | Configure the rules that control user access based on the groups you just configured.
For more informaon, refer to Enable user- and group-based policy enforcement.
1. Configure a security rule that allows the corp_employees group to access email.
2. Configure a security rule that allows the network_services group to access the MySQL
server.
If you use the PAN-OS integrated User-ID agent, see Configure User Mapping
Using the PAN-OS Integrated User-ID Agent for instrucons on how to
configure the ignore list.
If the user logs in to the network as admin_user, the user can then access the MySQL
server without it prompng for the admin_user credenals again.
In this example, both corp_user and admin_user have email accounts, so the email server won’t
prompt for addional credenals regardless of which username the user entered when logging
in to the network.
The firewall is now ready to enforce rules for a user with mulple usernames.
PAN-OS® Administrator’s Guide Version Version 9.1 689 ©2021 Palo Alto Networks, Inc.
User-ID
PAN-OS® Administrator’s Guide Version Version 9.1 690 ©2021 Palo Alto Networks, Inc.
User-ID
PAN-OS® Administrator’s Guide Version Version 9.1 691 ©2021 Palo Alto Networks, Inc.
User-ID
PAN-OS® Administrator’s Guide Version Version 9.1 692 ©2021 Palo Alto Networks, Inc.
User-ID
PAN-OS® Administrator’s Guide Version Version 9.1 693 ©2021 Palo Alto Networks, Inc.
User-ID
configure Windows Log Forwarding, mulple domain controllers export their login events to a
single domain member from which a User-ID agent collects the user mapping informaon.
You can configure Windows Log Forwarding for Windows Server versions 2003, 2008,
2008 R2, 2012, and 2012 R2. Windows Log Forwarding is not available for non-Microso
servers.
To collect group mapping informaon in a large-scale network, you can configure the firewall to
query a Global Catalog server that receives account informaon from the domain controllers.
The following figure illustrates user mapping and group mapping for a large-scale network
in which the firewall uses a Windows-based User-ID agent. See Plan a Large-Scale User-ID
Deployment to determine if this deployment suits your network.
PAN-OS® Administrator’s Guide Version Version 9.1 694 ©2021 Palo Alto Networks, Inc.
User-ID
Bandwidth required for domain controllers to forward login events to member servers.
The bandwidth is a mulple of the login rate (number of logins per minute) of the domain
controllers and the byte size of each login event.
Domain controllers won’t forward their enre security logs; they forward only the events that
the user mapping process requires per login: three events for Windows Server 2003 or four
events for Windows Server 2008/2012 and MS Exchange.
Whether the following network elements support the required bandwidth:
• Domain controllers—Must support the processing load associated with forwarding the
events.
• Member Servers—Must support the processing load associated with receiving the events.
• Connecons—The geographic distribuon (local or remote) of the domain controllers,
member servers, and Global Catalog servers is a factor. Generally, a remote distribuon
supports less bandwidth.
User-ID agents monitor the Security log on Windows Event Collectors, not the default
forwarded events locaon. To change the event logging path to the Security log, perform the
following steps on each Windows Event Collector.
1. Open the Event Viewer.
2. Right-click the Security log and select Properes.
3. Copy the Log path (default %SystemRoot%\System32\Winevt\Logs
\security.evtx) and click OK.
4. Right-click the Forwarded Events folder and select Properes.
5. Replace the default Log path (%SystemRoot%\System32\Winevt\Logs
\ForwardedEvents.evtx) by pasng the value from the Security log, and then click OK.
STEP 2 | Configure a group policy to enable Windows Remote Management (WinRM) on the domain
controllers.
PAN-OS® Administrator’s Guide Version Version 9.1 695 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 3 | Configure a group policy to enable Windows Event Forwarding on the domain controllers.
STEP 1 | Configure Windows Log Forwarding on the member servers that will collect login events.
Configure Windows Log Forwarding. This step requires administrave privileges for configuring
group policies on Windows servers.
STEP 3 | Configure the User-ID agent to collect user mapping informaon from the member servers.
1. Start the Windows-based User-ID agent.
2. Select User Idenficaon > Discovery and perform the following steps for each member
server that will receive events from domain controllers:
1. In the Servers secon, click Add and enter a Name to idenfy the member server.
2. In the Server Address field, enter the FQDN or IP address of the member server.
3. For the Server Type, select Microso Acve Directory.
4. Click OK to save the server entry.
3. Configure the remaining User-ID agent sengs (refer to Configure the Windows-Based
User-ID Agent for User Mapping).
4. If the User-ID sources provide usernames in mulple formats, specify the format for the
Primary Username when you Map Users to Groups.
The primary username is the username that idenfies the user on the firewall and
represents the user in reports and logs, regardless of the format that the User-ID source
provides.
STEP 4 | Configure an LDAP server profile to specify how the firewall connects to the Global Catalog
servers (up to four) for group mapping informaon.
To improve availability, use at least two Global Catalog servers for redundancy.
You can collect group mapping informaon only for universal groups, not local domain groups
(subdomains).
1. Select Device > Server Profiles > LDAP, click Add, and enter a Name for the profile.
2. In the Servers secon, for each Global Catalog, click Add and enter the server Name, IP
address (LDAP Server), and Port. For a plaintext or Start Transport Layer Security (Start
TLS) connecon, use Port 3268. For an LDAP over SSL connecon, use Port 3269. If
PAN-OS® Administrator’s Guide Version Version 9.1 696 ©2021 Palo Alto Networks, Inc.
User-ID
the connecon will use Start TLS or LDAP over SSL, select the Require SSL/TLS secured
connecon check box.
3. In the Base DN field, enter the Disnguished Name (DN) of the point in the Global
Catalog server where the firewall will start searching for group mapping informaon (for
example, DC=acbdomain,DC=com).
4. For the Type, select acve-directory.
STEP 5 | Configure an LDAP server profile to specify how the firewall connects to the servers (up to
four) that contain domain mapping informaon.
User-ID uses this informaon to map DNS domain names to NetBIOS domain names. This
mapping ensures consistent domain/username references in policy rules.
The steps are the same as for the LDAP server profile you created for Global Catalogs in the
previous step, except for the following fields:
• LDAP Server—Enter the IP address of the domain controller that contains the domain
mapping informaon.
• Port—For a plaintext or Start TLS connecon, use Port 389. For an LDAP over SSL
connecon, use Port 636. If the connecon will use Start TLS or LDAP over SSL, select the
Require SSL/TLS secured connecon check box.
• Base DN—Select the DN of the point in the domain controller where the
firewall will start searching for domain mapping informaon. The value must
start with the string: cn=partitions,cn=configuration (for example,
cn=partitions,cn=configuration,DC=acbdomain,DC=com).
STEP 6 | Create a group mapping configuraon for each LDAP server profile you created.
1. Select Device > User Idenficaon > Group Mapping Sengs.
2. Click Add and enter a Name to idenfy the group mapping configuraon.
3. Select the LDAP Server Profile and ensure the Enabled check box is selected.
If the Global Catalog and domain mapping servers reference more groups than
your security rules require, configure the Group Include List and/or Custom
Group list to limit the groups for which User-ID performs mapping.
4. Click OK and Commit.
PAN-OS® Administrator’s Guide Version Version 9.1 697 ©2021 Palo Alto Networks, Inc.
User-ID
When you configure this feature, apply the URL profile to your Security policy, and commit your
changes, the firewall:
1. Populates the user and domain values with the format of the primary username in the group
mapping for the source user.
2. Encodes this informaon using Base64.
3. Adds the Base64-encoded header to the payload.
4. Routes the traffic to the downstream appliance.
If you want to include the username and domain only when the user accesses specific domains,
configure a domain list and the firewall inserts the header only when a domain in the list matches
the Host header of the HTTP request.
To share user informaon with downstream appliances, you must first enable User-ID and
configure group mapping.
To include the username and domain in the header, the firewall requires the IP address-to-
username mapping for the user. If the user is not mapped, the firewall inserts unknown in
Base64 encoding for both the domain and username in the header.
To include the username and domain in headers for HTTPS traffic, you must first create a
decrypon profile to decrypt HTTPS traffic.
The firewall does not insert headers if the acon for the URL filtering profile is block
for the domain.
STEP 2 | Create or edit an HTTP header inseron entry using predefined types.
You can define up to five headers for each profile.
STEP 4 | Add the Domains where you want insert headers. When the user accesses a domain in the
list, the firewall inserts the specified header.
PAN-OS® Administrator’s Guide Version Version 9.1 698 ©2021 Palo Alto Networks, Inc.
User-ID
Do not use the same dynamic token (either ($user) or ($domain)) more than once
per value.
Each value can be up to 512 characters. The firewall populates the ($user) and ($domain)
dynamic tokens using the primary username in the group mapping profile. For example:
• If the primary username is the sAMAccountName, the value for ($user) is the
sAMAccountName and the value for ($domain) is the NetBios domain name.
• If the primary username is the UserPrincipalName, the ($user) the user account name
(prefix) and the ($domain) is the Domain Name System (DNS) name.
STEP 7 | (Oponal) Select Log to enable logging for the header inseron.
STEP 8 | Apply the URL filtering profile to the security policy rule for HTTP or HTTPS traffic.
STEP 11 | Verify the firewall includes the username and domain in the HTTP headers.
• Use the show user user-ids all command to verify the group mapping is correct.
• Use the show counter global name ctd_header_insert command to view the
number of HTTP headers inserted by the firewall.
• If you configured logging in Step 7, check the logs for the inserted Base64 encoded
payload (for example, corpexample\testuser would appear in the logs as
Y29ycGV4YW1wbGVcdGVzdHVzZXI=).
You can redistribute user mapping informaon collected through any method except
Terminal Server (TS) agents. You cannot redistribute Group Mapping or HIP match
informaon.
If you use Panorama and Dedicated Log Collectors to manage firewalls and aggregate
firewall logs, you can use Panorama to manage User-ID redistribuon. Leveraging
Panorama and your distributed log collecon infrastructure is a simpler soluon than
creang extra connecons between firewalls to redistribute User-ID informaon.
PAN-OS® Administrator’s Guide Version Version 9.1 699 ©2021 Palo Alto Networks, Inc.
User-ID
If you Configure Authencaon Policy, your firewalls must also redistribute the Authencaon
Timestamps that are generated when users authencate to access applicaons and services.
Firewalls use the mestamps to evaluate the meouts for Authencaon policy rules. The
meouts allow a user who successfully authencates to later request services and applicaons
without authencang again within the meout periods. Redistribung mestamps enables you
to enforce consistent meouts across all the firewalls in your network.
Firewalls share user mappings and authencaon mestamps as part of the same redistribuon
flow; you don’t have to configure redistribuon for each informaon type separately.
• Firewall Deployment for User-ID Redistribuon
• Configure User-ID Redistribuon
PAN-OS® Administrator’s Guide Version Version 9.1 700 ©2021 Palo Alto Networks, Inc.
User-ID
PAN-OS® Administrator’s Guide Version Version 9.1 701 ©2021 Palo Alto Networks, Inc.
User-ID
Perform the following steps on the firewalls in the User-ID redistribuon sequence.
STEP 1 | Configure the firewall to redistribute User-ID informaon.
Skip this step if the firewall receives but does not redistribute User-ID informaon.
1. Select Device > User Idenficaon > User Mapping.
2. (Firewalls with mulple virtual systems only) Select the Locaon. You must configure the
User-ID sengs for each virtual system.
STEP 2 | Configure the service route that the firewall uses to query other firewalls for User-ID
informaon.
Skip this step if the firewall receives user mapping informaon from Windows-based User-
ID agents or directly from the informaon sources (such as directory servers) instead of from
other firewalls.
1. Select Device > Setup > Services.
2. (Firewalls with mulple virtual systems only) Select Global (for a firewall-wide service
route) or Virtual Systems (for a virtual system-specific service route), and then configure
the service route.
3. Click Service Route Configuraon, select Customize, and select IPv4 or IPv6 based on
your network protocols. Configure the service route for both protocols if your network
uses both.
4. Select UID Agent and then select the Source Interface and Source Address.
5. Click OK twice to save the service route.
STEP 3 | Enable the firewall to respond when other firewalls query it for User-ID informaon.
Skip this step if the firewall receives but does not redistribute User-ID informaon.
Configure an Interface Management Profile with the User-ID service enabled and assign the
profile to a firewall interface.
PAN-OS® Administrator’s Guide Version Version 9.1 702 ©2021 Palo Alto Networks, Inc.
User-ID
This example output shows the authencaon mestamp for one response to
an authencaon challenge (factor). For Authencaon policy rules that use
Mul-Factor Authencaon (MFA), the output shows mulple Authencaon
Timestamps.
PAN-OS® Administrator’s Guide Version Version 9.1 703 ©2021 Palo Alto Networks, Inc.
User-ID
STEP 2 | Consolidate your User-ID sources and migrate them to the virtual system that you want to
use as a User-ID hub.
This consolidates the User-ID configuraon for operaonal simplicity. By configuring the hub
to monitor servers and connect to agents that were previously monitored by other virtual
systems, the hub collects the user mapping informaon instead of having each virtual system
collect it independently. If you don’t want to share mappings from specific virtual systems,
configure those mappings on a virtual system that will not be used as the hub.
1. Remove any sources that are unnecessary or outdated.
2. Idenfy all configuraons for your Windows-based or integrated agents and any sources
that send user mappings using the XML API and copy them to the virtual system you
want to use as a User-ID hub.
On the hub, you can configure any User-ID source that is currently configured
on a virtual system. However, IP address-and-port-to-username mapping
informaon from Terminal Server agents and group mappings are not shared
between the User-ID hub and the connected virtual systems.
3. Specify the subnetworks that User-ID should include in or exclude from mapping.
4. Define the Ignore User List.
5. On all other virtual systems, remove any sources that are on the User-ID hub.
STEP 3 | Commit the changes to enable the User-ID hub and begin collecng mappings for the
consolidated sources.
PAN-OS® Administrator’s Guide Version Version 9.1 704 ©2021 Palo Alto Networks, Inc.
User-ID
PAN-OS® Administrator’s Guide Version Version 9.1 705 ©2021 Palo Alto Networks, Inc.
User-ID
PAN-OS® Administrator’s Guide Version Version 9.1 706 ©2021 Palo Alto Networks, Inc.
App-ID
To safely enable applicaons on your network, the Palo Alto Networks next-
generaon firewalls provide both an applicaon and web perspecve—App-ID and
URL Filtering—to protect against a full spectrum of legal, regulatory, producvity, and
resource ulizaon risks.
App-ID enables visibility into the applicaons on the network, so you can learn how
they work and understand their behavioral characteriscs and their relave risk. This
applicaon knowledge allows you to create and enforce security policy rules to enable,
inspect, and shape desired applicaons and block unwanted applicaons. When
you define policy rules to allow traffic, App-ID begins to classify traffic without any
addional configuraon.
New and modified App-IDs are released as part of Applicaons and Threat Content
Updates—follow the Best Pracces for Applicaons and Threats Content Updates to
seamlessly keep your applicaon and threat signatures up-to-date.
> App-ID Overview > Applicaons with Implicit Support
> App-ID and HTTP/2 Inspecon > Security Policy Rule Opmizaon
> Manage Custom or Unknown > Applicaon Level Gateways
Applicaons > Disable the SIP Applicaon-level
> Manage New and Modified App-IDs Gateway (ALG)
> Use Applicaon Objects in Policy > Use HTTP Headers to Manage SaaS
> Safely Enable Applicaons on Applicaon Access
Default Ports > Maintain Custom Timeouts for
Legacy Applicaons
707
App-ID
App-ID Overview
App-ID, a patented traffic classificaon system only available in Palo Alto Networks firewalls,
determines what an applicaon is irrespecve of port, protocol, encrypon (SSH or SSL) or
any other evasive tacc used by the applicaon. It applies mulple classificaon mechanisms
—applicaon signatures, applicaon protocol decoding, and heuriscs—to your network traffic
stream to accurately idenfy applicaons.
Here's how App-ID idenfies applicaons traversing your network:
• Traffic is matched against policy to check whether it is allowed on the network.
• Signatures are then applied to allowed traffic to idenfy the applicaon based on unique
applicaon properes and related transacon characteriscs. The signature also determines if
the applicaon is being used on its default port or it is using a non-standard port. If the traffic is
allowed by policy, the traffic is then scanned for threats and further analyzed for idenfying the
applicaon more granularly.
• If App-ID determines that encrypon (SSL or SSH) is in use, and a Decrypon policy rule is in
place, the session is decrypted and applicaon signatures are applied again on the decrypted
flow.
• Decoders for known protocols are then used to apply addional context-based signatures to
detect other applicaons that may be tunneling inside of the protocol (for example, Yahoo!
Instant Messenger used across HTTP). Decoders validate that the traffic conforms to the
protocol specificaon and provide support for NAT traversal and opening dynamic pinholes for
applicaons such as SIP and FTP.
• For applicaons that are parcularly evasive and cannot be idenfied through advanced
signature and protocol analysis, heuriscs or behavioral analysis may be used to determine the
identy of the applicaon.
When the applicaon is idenfied, the policy check determines how to treat the applicaon, for
example—block, or allow and scan for threats, inspect for unauthorized file transfer and data
paerns, or shape using QoS.
PAN-OS® Administrator’s Guide Version Version 9.1 708 ©2021 Palo Alto Networks, Inc.
App-ID
The firewall processes and inspects HTTP/2 traffic by default when SSL decrypon is enabled. For
HTTP/2 inspecon to work correctly, the firewall must be enabled to use ECDHE (ellipc curve
Diffie-Hellman) as a key exchange algorithm for SSL sessions. ECDHE is enabled by default, but
you can check to confirm that it’s enabled by selecng Objects > Decrypon > Decrypon Profile
> SSL Decrypon > SSL Protocol Sengs.
PAN-OS® Administrator’s Guide Version Version 9.1 709 ©2021 Palo Alto Networks, Inc.
App-ID
when there is no value specified for this TLS extension, the firewall either downgrades HTTP/2
traffic to HTTP/1.1 or classifies it as unknown TCP traffic.
1. Select Objects > Decrypon > Decrypon Profile > SSL Decrypon > SSL Forward
Proxy and then select Strip ALPN.
2. Aach the decrypon profile to a decrypon policy (Policies > Decrypon) to turn off
HTTP/2 inspecon for traffic that matches the policy.
3. Commit your changes.
PAN-OS® Administrator’s Guide Version Version 9.1 710 ©2021 Palo Alto Networks, Inc.
App-ID
PAN-OS® Administrator’s Guide Version Version 9.1 711 ©2021 Palo Alto Networks, Inc.
App-ID
PAN-OS® Administrator’s Guide Version Version 9.1 712 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 2 | (Oponal) Exclude tags from your filter by selecng the check box in the Exclude column.
STEP 3 | Create a security policy rule and Add your new applicaon filter on the Applicaon tab.
PAN-OS® Administrator’s Guide Version Version 9.1 713 ©2021 Palo Alto Networks, Inc.
App-ID
3. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 714 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 2 | Create a security policy rule and Add your new applicaon filter on the Applicaon tab.
3. Click OK.
STEP 2 | Review and apply the Best Pracces for Applicaons and Threats Content Updates based on
your organizaon’s network security and applicaon availability requirements.
STEP 3 | Configure a security policy rule to always allow new App-IDs that might have network-wide
impact, like authencaon or soware development applicaons.
The New App-ID characterisc matches to only the App-IDs introduced in the latest content
release. When used in a security policy, this gives you a month’s me to fine tune your security
policy based on new App-IDs while ensuring constant availability for App-IDs that fall into
crical categories (Ensure Crical New App-IDs are Allowed).
PAN-OS® Administrator’s Guide Version Version 9.1 715 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 4 | Set the schedule to Deploy Applicaon and Threat Content Updates; this includes the opon
to delay new App-ID installaon unl you’ve had me to make necessary security policy
updates (using the New App-ID Threshold).
STEP 5 | Aer you’ve setup a content updates installaon schedule, you’ll want to regularly check in
and See the New and Modified App-IDs in a Content Release.
STEP 6 | You can then See How New and Modified App-IDs Impact Your Security Policy, and make
adjustments to your security policy as needed.
STEP 7 | Monitor New App-IDs to get a view into new App-ID acvity on your network, so that you’re
best equipped to make the most effecve security policy updates.
STEP 2 | For either a downloaded or currently installed content release, click Review Apps link in the
Acons column to view details on newly-idenfied and modified applicaons in that release:
PAN-OS® Administrator’s Guide Version Version 9.1 716 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 3 | Review the App-IDs this content release introduces or modifies since the last content
version.
New and modified App-IDs are listed separately. Full applicaon details are provided for each,
and App-IDs that Palo Alto Networks foresees as having network-wide impact are flagged as
recommended for policy review.
New App-ID details that you can use to assess possible impact to policy enforcement include:
• Depends on—Lists the applicaon signatures that this App-ID relies on to uniquely idenfy
the applicaon. If one of the applicaon signatures listed in the Depends On field is
disabled, the dependent App-ID is also disabled.
• Previously Idenfied As—Lists the App-IDs that matched to the applicaon before the new
App-ID was installed to uniquely idenfy the applicaon.
• App-ID Enabled—All App-IDs display as enabled when a content release is downloaded,
unless you choose to manually disable the App-ID signature before installing the content
update.
For modified App-IDs, details include informaon on: Expanded Coverage, Remove False
Posive, and applicaon metadata changes. The Expanded Coverage and Remove False
Posive fields both indicate how the applicaon’s coverage has changed (it’s either more
comprehensive or has been narrowed) and a clock icon indicates a metadata change, where
certain applicaon details are updated.
STEP 4 | Based on your findings, click Review Policies to see how the new and modified App-IDs
impact security policy enforcement: See How New and Modified App-IDs Impact Your
Security Policy.
See How New and Modified App-IDs Impact Your Security Policy
Newly-categorized and modified App-IDs can change the way the firewall enforces traffic.
Perform a content update policy review to see how new and modified App-IDs impact your
PAN-OS® Administrator’s Guide Version Version 9.1 717 ©2021 Palo Alto Networks, Inc.
App-ID
security policy, and to easily make any necessary adjustments. You can perform a content update
policy review for both downloaded and installed content.
STEP 1 | Select Device > Dynamic Updates.
STEP 2 | See the New and Modified App-IDs in a Content Release to learn more about each App-ID
that a content release introduces or modifies.
STEP 3 | For a downloaded or currently installed content release, click Review Policies in the Acon
column. The Policy review based on candidate configuraon dialog allows you to filter by
Content Version and view either new or modified App-IDs introduced in a specific release
(you can also filter the policy impact of new App-IDs according to Rulebase, Virtual System,
and Applicaon).
STEP 4 | Select an App-ID from the Applicaon drop-down to view policy rules that currently enforce
the applicaon. The rules displayed are based on the App-IDs that match to the applicaon
before the new App-ID is installed (view applicaon details to see the list of applicaon
signatures that an applicaon was Previously Idenfied As before the new App-ID).
STEP 5 | Use the detail provided in the policy review to plan policy rule updates to take effect when
the App-ID is installed, or if the content release version that included the App-ID is currently
installed, the changes you make take effect immediately.
You can Add app to selected policies or Remove app from selected policies.
PAN-OS® Administrator’s Guide Version Version 9.1 718 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 2 | Define the types of new applicaons for which you want to ensure constant availability
based on subcategory or characterisc. For example, select the category “auth-service”
to ensure that any newly-installed applicaons that are known to perform or support
authencaon are allowed.
STEP 3 | Only aer narrowing the types of new applicaons that you want to allow immediately upon
installaon, select Apply to New App-IDs only.
STEP 4 | Select Policies > Security and add or edit a security policy rule that is configured to allow
matching traffic.
STEP 5 | Select Applicaon and add the new Applicaon Filter to the policy rule as match criteria.
STEP 7 | To connue to adjust your security policy to account for any changes to enforcement that
new App-IDs introduce:
• Monitor New App-IDs—Monitor and get reports on new App-ID acvity.
• See the New and Modified App-IDs in a Content Release—See how the newly-installed App-
IDs impact your exisng security policy rules.
PAN-OS® Administrator’s Guide Version Version 9.1 719 ©2021 Palo Alto Networks, Inc.
App-ID
the new App-IDs in the most recently installed content releases. When a new content release is
installed, the new App-ID characterisc automacally begins to match only to the new App-IDs in
that content release version.
Generate a report with details specifically regarding new applicaons (applicaons introduced
only in the latest content release).
Use the ACC to monitor new applicaon acvity: select ACCand under Global Filters, select
Applicaon > Applicaon Characteriscs > New App-ID.
PAN-OS® Administrator’s Guide Version Version 9.1 720 ©2021 Palo Alto Networks, Inc.
App-ID
Enable App-IDs.
Enable App-IDs that you previously disabled by selecng Objects > Applicaons. Select one or
more applicaon check box and click Enable or open the details for a specific applicaon and
click Enable App-ID.
PAN-OS® Administrator’s Guide Version Version 9.1 721 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 3 | (Oponal) Select Shared to create the object in a shared locaon for access as a shared
object in Panorama or for use across all virtual systems in a mulple virtual system firewall.
STEP 4 | Add the applicaons you want in the group and then click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 722 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 3 | (Oponal) Select Shared to create the object in a shared locaon for access as a shared
object in Panorama or for use across all virtual systems in a mulple virtual system firewall.
STEP 4 | Define the filter by selecng aribute values from the Category, Subcategory, Technology,
Risk, and Characterisc secons. As you select values, noce that the list of matching
applicaons at the boom of the dialog narrows. When you have adjusted the filter
aributes to match the types of applicaons you want to safely enable, click OK.
If you are seeing unknown traffic for a commercial applicaon that does not
yet have an App-ID, you can submit a request for a new App-ID here: hp://
researchcenter.paloaltonetworks.com/submit-an-applicaon/.
To ensure that your internal custom applicaons do not show up as unknown traffic, create a
custom applicaon. You can then exercise granular policy control over these applicaons in order
PAN-OS® Administrator’s Guide Version Version 9.1 723 ©2021 Palo Alto Networks, Inc.
App-ID
to minimize the range of unidenfied traffic on your network, thereby reducing the aack surface.
Creang a custom applicaon also allows you to correctly idenfy the applicaon in the ACC and
Traffic logs, which enables you to audit/report on the applicaons on your network.
To create a custom applicaon, you must define the applicaon aributes: its characteriscs,
category and sub-category, risk, port, meout. In addion, you must define paerns or values that
the firewall can use to match to the traffic flows themselves (the signature). Finally, you can aach
the custom applicaon to a security policy that allows or denies the applicaon (or add it to an
applicaon group or match it to an applicaon filter). You can also create custom applicaons to
idenfy ephemeral applicaons with topical interest, such as ESPN3-Video for world cup soccer
or March Madness.
In order to collect the right data to create a custom applicaon signature, you'll need a
good understanding of packet captures and how datagrams are formed. If the signature is
created too broadly, you might inadvertently include other similar traffic; if it is defined too
narrowly, the traffic will evade detecon if it does not strictly match the paern.
Custom applicaons are stored in a separate database on the firewall and this database is
not impacted by the weekly App-ID updates.
The supported applicaon protocol decoders that enable the firewall to detect applicaons
that may be tunneling inside of the protocol include the following as of content release
version 609: FTP, HTTP, IMAP, POP3, SMB, and SMTP.
PAN-OS® Administrator’s Guide Version Version 9.1 724 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 3 | Define details about the applicaon, such as the underlying protocol, the port number the
applicaon runs on, the meout values, and any types of scanning you want to be able to
perform on the traffic.
On the Advanced tab, define sengs that will allow the firewall to idenfy the applicaon
protocol:
• Specify the default ports or protocol that the applicaon uses.
• Specify the session meout values. If you don’t specify meout values, the default meout
values will be used.
• Indicate any type of addional scanning you plan to perform on the applicaon traffic.
For example, to create a custom TCP-based applicaon that runs over SSL, but uses port 4443
(instead of the default port for SSL, 443), you would specify the port number. By adding the
port number for a custom applicaon, you can create policy rules that use the default port
PAN-OS® Administrator’s Guide Version Version 9.1 725 ©2021 Palo Alto Networks, Inc.
App-ID
for the applicaon rather than opening up addional ports on the firewall. This improves your
security posture.
STEP 4 | Define the criteria that the firewall will use to match the traffic to the new applicaon.
You will use the informaon you gathered from the packet captures to specify unique string
context values that the firewall can use to match paerns in the applicaon traffic.
1. On the Signatures tab, click Add and define a Signature Name and oponally a Comment
to provide informaon about how you intend to use this signature.
2. Specify the Scope of the signature: whether it matches to a full Session or a single
Transacon.
3. Specify condions to define signatures by clicking Add And Condion or Add Or
Condion.
4. Select an Operator to define the type of match condions you will use: Paern Match or
Equal To.
• If you selected Paern Match, select the Context and then use a regular expression
to define the Paern to match the selected context. Oponally, click Add to define a
qualifier/value pair. The Qualifier list is specific to the Context you chose.
• If you selected Equal To, select the Context and then use a regular expression to
define the Posion of the bytes in the packet header to use match the selected
context. Choose from first-4bytes or second-4bytes. Define the 4-byte hex value for
the Mask (for example, 0xffffff00) and Value (for example, 0xaabbccdd).
For example, if you are creang a custom applicaon for one of your internal
applicaons, you could use the ssl-rsp-cerficate Context to define a paern match
PAN-OS® Administrator’s Guide Version Version 9.1 726 ©2021 Palo Alto Networks, Inc.
App-ID
for the cerficate response message of a SSL negoaon from the server and create a
Paern to match the commonName of the server in the message as shown here:
PAN-OS® Administrator’s Guide Version Version 9.1 727 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 2 | Specify the applicaon that the rule will allow or block.
1. In the Applicaons tab, Add the Applicaon you want to safely enable. You can select
mulple applicaons or you can use applicaon groups or applicaon filters.
2. View dependencies for selected applicaons and Add To Current Rule or Add To Exisng
Rule.
PAN-OS® Administrator’s Guide Version Version 9.1 728 ©2021 Palo Alto Networks, Inc.
App-ID
PAN-OS® Administrator’s Guide Version Version 9.1 729 ©2021 Palo Alto Networks, Inc.
App-ID
Select Policy > Security and add or a modify a rule to enforce applicaons only on their default
port(s):
PAN-OS® Administrator’s Guide Version Version 9.1 730 ©2021 Palo Alto Networks, Inc.
App-ID
PAN-OS® Administrator’s Guide Version Version 9.1 731 ©2021 Palo Alto Networks, Inc.
App-ID
360-safeguard-update hp
apple-update hp
apt-get hp
as2 hp
avg-update hp
blokus rtmp
bugzilla hp
clubcooee hp
corba hp
dropbox ssl
PAN-OS® Administrator’s Guide Version Version 9.1 732 ©2021 Palo Alto Networks, Inc.
App-ID
esignal hp
ezhelp hp
facebook-chat jabber
facebook-social-plugin hp
forclient-update hp
google-desktop hp
google-talk jabber
google-update hp
gotomypc-desktop-sharing citrix-jedi
gotomypc-file-transfer citrix-jedi
gotomypc-prinng citrix-jedi
hipchat hp
infront hp
java-update hp
jepptech-updates hp
PAN-OS® Administrator’s Guide Version Version 9.1 733 ©2021 Palo Alto Networks, Inc.
App-ID
kerberos rpc
mcafee-update hp
megaupload hp
metatrader hp
mocha-rdp t_120
mount rpc
ms-frs msrpc
ms-rdp t_120
ms-scheduler msrpc
ms-service-controller msrpc
nfs rpc
paloalto-updates ssl
panos-global-protect hp
panos-web-interface hp
pastebin hp
pastebin-posng hp
portmapper rpc
PAN-OS® Administrator’s Guide Version Version 9.1 734 ©2021 Palo Alto Networks, Inc.
App-ID
rdp2tcp t_120
renren-im jabber
salesforce hp
stumbleupon hp
supremo hp
symantec-av-update hp
trendmicro hp
twier hp
xm-radio rtsp
PAN-OS® Administrator’s Guide Version Version 9.1 735 ©2021 Palo Alto Networks, Inc.
App-ID
PA-7000 Series Firewalls support two logging cards, the PA-7000 Series Firewall Log
Processing Card (LPC) and the high-performance PA-7000 Series Firewall Log Forwarding
Card (LFC). Unlike the LPC, the LFC does not have disks to store logs locally. Instead, the
LFC forwards all logs to one or more external logging systems, such as Panorama or a
syslog server. If you use the LFC, the applicaon usage informaon for Policy Opmizer
does not display on the firewall because traffic logs aren’t stored locally. If you use the LPC,
the traffic logs are stored locally on the firewall, so the applicaon usage informaon for
Policy Opmizer displays on the firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 736 ©2021 Palo Alto Networks, Inc.
App-ID
• Idenfy over-provisioned applicaon-based rules—Rules that are too broad allow applicaons
you don’t use on your network, which increases the aack surface and the risk of inadvertently
allowing malicious traffic.
Remove unused applicaons from Security policy rules to reduce the aack surface and
keep the rulebase clean. Don’t allow applicaons that nobody uses on your network.
To migrate a configuraon from a legacy firewall to a Palo Alto Networks device, see Best
Pracces for Migrang to Applicaon-Based Policy.
You can’t sort Security policy rules in Security > Policies because sorng would change the rule
order in the rulebase. However, under Polices > Security > Policy Opmizer, Policy Opmizer
provides sorng opons that don’t affect the rule order to help you priorize which rules to
convert or clean up first. You can sort rules by the amount of traffic during the past 30 days, the
number of applicaons seen on the rule, the number of days with no new applicaons, and the
number of applicaons allowed (for over-provisioned rules).
You can use Policy Opmizer in other ways as well, including validang pre-producon rules and
troubleshoong exisng rules. Note that Policy Opmizer honors only Log at Session End and
ignores Log at Session Start to avoid counng transient applicaons on rules.
Due to resource constraints, VM-50 Lite virtual firewalls don’t support Policy Opmizer.
PAN-OS® Administrator’s Guide Version Version 9.1 737 ©2021 Palo Alto Networks, Inc.
App-ID
You can’t filter or sort rules in Policies > Security because that would change the order of
the policy rules in the rulebase. Filtering and sorng Policies > Security > Policy Opmizer
> No App Specified and Policies > Security > Policy Opmizer > Unused Apps does not
change the order of the rules in the rulebase.
You can click several column headers to sort port-based rules (No App Specified) and rules with
unused applicaons (Unused Apps) based on applicaon usage stascs. In addion, you can
View Policy Rule Usage to help idenfy and remove unused rules to reduce security risks and
keep your policy rule base organized. Rule usage tracking allows you to quickly validate new rule
addions and rule changes and to monitor rule usage for operaons and troubleshoong tasks.
• Traffic (Bytes, 30 days)—The amount of traffic seen on the rule over the last 30 days. The 30-
day window places rules that currently match the most traffic at the top of the list by default (a
longer me frame places more emphasis on older rules that would remain at the top of the list
because they have large cumulave totals even though they may no longer see much traffic).
Click to reverse the order.
• Apps Seen—Place the rules with the most or least applicaons seen at the top. The firewall
never automacally purges the applicaon data.
The firewall updates Apps Seen approximately every hour. However, if there is a large
volume of applicaon traffic or a large number of rules, it may take longer than an hour
to update. Aer you add an applicaon to a rule, wait at least an hour before running
Traffic logs to see the applicaon’s log informaon.
• Days with No New Apps—Place the rules with the most or least days since the last new
applicaon matched the rule at the top.
• (Unused Apps only) Apps Allowed—Place the rules with the most or least applicaons
configured on the rule at the top.
Applicaon usage stascs only count applicaons for rules that meet the following criteria:
• The rule’s Acon must be Allow.
• The rule’s Log Seng must be Log at Session End (this is the default Log Seng). Rules that
Log at Session Start are ignored to prevent counng transient applicaons.
PAN-OS® Administrator’s Guide Version Version 9.1 738 ©2021 Palo Alto Networks, Inc.
App-ID
• Valid traffic must match the rule. For example, if the session ends before enough traffic passes
through the firewall to idenfy the applicaon, it is not counted. The following traffic types are
not valid and therefore don’t count for Policy Opmizer stascs:
• Insufficient-data
• Not-applicable
• Non-syn-tcp
• Incomplete
You can filter the Traffic logs (Monitor > Logs > Traffic) to see traffic idenfied as one of
these types. For example, to see all traffic idenfied as incomplete, use the filter (app eq
incomplete).
If these criteria aren’t met, the applicaon isn’t counted for stascs such as Apps Seen, doesn’t
affect stascs such as Days with No New Apps, and doesn’t appear in lists of applicaons.
The firewall doesn’t track applicaon usage stascs for the interzone-default and
intrazone-default Security policy rules.
If the UUID of a rule changes, the applicaon usage stascs for that rule reset because
the UUID change makes the firewall see the rule as a different (new) rule.
To see and sort the applicaons seen on a rule, in the rule’s row, click Compare or click the
number in Apps Seen.
For the rules you see in Policies > Security > Policy Opmizer > No App Specified and Policies >
Security > Policy Opmizer > Unused Apps, clicking Compare or the Apps Seen number brings
up Applicaons & Usage, which gives you a view of the applicaons seen on the rule and the
ability to sort them. Applicaons & Usage is also where you Migrate Port-Based to App-ID Based
Security Policy Rules and remove unused applicaons from rules.
PAN-OS® Administrator’s Guide Version Version 9.1 739 ©2021 Palo Alto Networks, Inc.
App-ID
You can sort the applicaons seen on the rule by all six of the Apps Seen stascs (Apps Seen is
not updated in real me and takes an hour or longer to update, depending on the volume of traffic
and number of rules).
• Applicaons—Alphabecal by applicaon name. If you configure specific ports or port ranges
for a rule’s Service (the Service cannot be any), and there are standard (applicaon default)
ports for the applicaon, and the configured ports don’t match the applicaon-default ports,
then a yellow, triangular warning icon appears next to the applicaon.
• Subcategory—Alphabecal by applicaon subcategory, derived from the applicaon content
metadata.
• Risk—According to the risk rang of the applicaon.
• First Seen—The first day the applicaon was seen on the rule. The me stamp resoluon is by
the day only (not hourly).
• Last Seen—The last day the applicaon was seen on the rule. The me stamp resoluon is by
the day only (not hourly).
• Traffic (30 days)—Traffic in bytes that matched the rule over the last 30 days is the default
sorng method.
Set the Timeframe to display stascs for a parcular me period—Anyme, the Past 7 days, the
Past 15 days, or the Past 30 days.
Traffic (30 days) always displays only the last 30 days of traffic in bytes. Changing the
Timeframe does not change the duraon of the Traffic (30 days) bytes measurement.
Clicking the column header orders the display and clicking the same column again reverses the
order. For example, click Risk to sort applicaons from low risk to high risk. Click Risk again to sort
applicaons from high risk to low risk.
The firewall doesn’t report applicaon usage stascs in real me on Policies > Security > Policy
Opmizer > No App Specified, Policies > Security > Policy Opmizer > Unused Apps, or on
Applicaons & Usage, so this feature isn’t a replacement for running reports.
PAN-OS® Administrator’s Guide Version Version 9.1 740 ©2021 Palo Alto Networks, Inc.
App-ID
• The firewall updates Apps Allowed, Apps Seen, and the applicaons listed in Applicaons &
Usage approximately every hour, not in real me. If there is a large amount of traffic or a large
number of rules, updates may take longer. Aer you add an applicaon to a rule, wait at least
an hour before running Traffic logs to see the applicaon’s log informaon.
The firewall updates Apps Seen approximately every hour. However, if there is a large volume
of applicaon traffic or a large number of rules, it may take longer than an hour to update. Aer
you add an applicaon to a rule, wait at least an hour before running Traffic logs to see the
applicaon’s log informaon.
• The firewall updates Days with No New Apps and also First Seen and Last Seen on
Applicaons & Usage once per day, at midnight device me.
• For rules with large numbers of applicaons seen, it may take longer to process applicaon
usage stascs.
• For Security policy rulebases with large numbers of rules that have many applicaons, it may
take longer to process applicaon usage stascs.
• For firewalls managed by Panorama, applicaon usage data is visible only for rules Panorama
pushes to the firewalls, not for rules configured locally on individual firewalls.
PAN-OS® Administrator’s Guide Version Version 9.1 741 ©2021 Palo Alto Networks, Inc.
App-ID
To migrate a configuraon from a legacy firewall to a Palo Alto Networks device, see Best
Pracces for Migrang to Applicaon-Based Policy.
PAN-OS® Administrator’s Guide Version Version 9.1 742 ©2021 Palo Alto Networks, Inc.
App-ID
to reduce the aack surface and increase visibility. (Clicking the Apps Seen number or
Compare shows you the applicaons that have matched the rule.)
The firewall updates Apps Seen approximately every hour. However, if there is a
large volume of applicaon traffic or a large number of rules, it may take longer
than an hour to update. Aer you add an applicaon to a rule, wait at least an hour
before running Traffic logs to see the applicaon’s log informaon.
• Days with No New Apps—(Click to sort.) When the applicaons seen on a port-based
rule stabilize, you can be more confident the rule is mature, conversion won’t accidentally
exclude legimate applicaons, and no more new applicaons will match the rule. The
Created and Modified dates help you evaluate a rule’s stability because older rules that
have not been modified recently may also be more stable.
• Hit Count—Displays rules with the most matches over a selected me frame. You can
exclude rules for which you reset the hit counter and specify the exclusion me period in
days. Excluding rules with recently reset hit counters prevents misconcepons about rules
that show fewer hits than you expect because you didn’t know the counter was reset.
You can also use Hit Count to View Policy Rule Usage and help idenfy and
remove unused rules to reduce security risks and keep your rulebase organized.
STEP 3 | Review the Apps Seen on port-based rules, starng with the highest priority rules.
On No Apps Specified, click Compare or the number in Apps Seen to open Applicaons &
Usage, which lists applicaons that matched a port-based rule over a specified Timeframe,
with each applicaon’s Risk, the date it was First Seen, the date it was Last Seen, and the
amount of traffic over the last 30 days.
You can check Applicaons seen on port-based rules over the past 7, 15, or 30 days, or
over the rule’s lifeme (Anyme). For migrang rules, Anyme provides the most complete
assessment of applicaons that matched the rule.
You can search and filter the Apps Seen, but keep in mind that it takes an hour or more to
update Apps Seen. You can also order the Apps Seen by clicking the column headers. For
PAN-OS® Administrator’s Guide Version Version 9.1 743 ©2021 Palo Alto Networks, Inc.
App-ID
example, you can click Traffic (30 days) to bring the applicaons with the most recent traffic to
the top of the list, or click Subcategory to organize the applicaons by subcategory.
The granularity of measurement for First Seen and Last Seen data is one day, so on the
day you define a rule, the dates in these two columns are the same. On the second day
the firewall sees traffic on an applicaon, you’ll see a difference in the dates.
STEP 4 | Clone or add applicaons to the rule to specify the applicaons you want to allow on the
rule.
On Applicaons & Usage, convert a port-based rule to an applicaon-based rule by:
• Cloning the rule—Preserves the original port-based rule and places the cloned applicaon-
based rule directly above it in the rulebase.
• Adding applicaons to the rule—Replaces the original port-based rule with the new
applicaon-based rule and deletes the original rule.
If you have exisng applicaon-based rules and you want to migrate applicaons to
them from port-based rules, you can Add Applicaons to an Exisng Rule.
Some applicaons appear on the network at intervals, for example, for quarterly or
yearly events. These applicaons may not display on the Applicaons & Usage screen
if the history isn’t long enough to capture their latest acvity.
When you clone a rule or add applicaons to a rule, nothing else about the original rule
changes. The original rule’s configuraon remains the same except for the applicaons
you added to the rule. For example, if the original rule’s Service allowed Any applicaon
or specified a parcular service, you need to change the Service to Applicaon-Default
to restrict the allowed applicaons to their default ports on the new rule.
Cloning is the safest way to migrate rules, especially when Applicaons & Usage shows more
than a few well-known applicaons matching the rule (Rule Cloning Migraon Use Case: Web
Browsing and SSL Traffic provides an example of this). Cloning preserves the original port-
based rule and places it below the cloned applicaon-based rule, which eliminates the risk of
losing applicaon availability because traffic that doesn’t match the cloned rule flows through
to the port-based rule. When traffic from legimate applicaons hasn’t hit the port-based rule
for a reasonable period of me, you can remove it to complete that rule’s migraon.
To clone a port-based rule:
1. In Apps Seen, click the check box next to each applicaon you want in the cloned rule. Keep
in mind that it takes an hour or more to update Apps Seen.
2. Click Create Cloned Rule. In the Create Cloned Rule dialog, Name the cloned rule
(“slack” in this example) and add other applicaons in the same container and applicaon
PAN-OS® Administrator’s Guide Version Version 9.1 744 ©2021 Palo Alto Networks, Inc.
App-ID
The green text is the selected applicaon to clone. The container applicaon (slack) is in
the gray row. The applicaons listed in italics are applicaons that have not been seen on
the rule but are in the same container as the selected applicaon. Individual applicaons
that have been seen on the rule are in normal font. All the applicaons are included in the
cloned rule by default (Add Container App, which adds all the applicaons in the container,
is selected by default) to help prevent the rule from breaking in the future.
3. If you want to allow all of the applicaons in the container, leave Add container app
selected. This also “future proofs” the rule because when an applicaon is added to the
container app, it’s automacally added to the rule.
If you want to constrain access to some of the individual applicaons in the container,
uncheck the box next to each individual applicaon you don’t want users to access. This
also unchecks the container app, so if you want to allow new applicaons in the container
later, you have to add those applicaons individually.
If you uncheck the container app, all the apps are unchecked and you manually select the
apps you want to include in the cloned rule.
4. Leave the applicaon dependencies checked, in this example, ssl and web-browsing (these
are applicaons that the selected applicaon requires).
5. Click OK to add the new applicaon-based rule directly above the port-based rule in the
rulebase.
6. Commit the configuraon.
When you clone a rule and Commit the configuraon, the applicaons you select for the
cloned rule are removed from the original port-based rule’s Apps Seen list. For example,
PAN-OS® Administrator’s Guide Version Version 9.1 745 ©2021 Palo Alto Networks, Inc.
App-ID
if a port-based rule has 16 Apps Seen and you select two individual applicaons and one
dependent applicaon for the cloned rule, aer cloning, the port-based rule shows 13 Apps
Seen because the three selected applicaons have been removed from the port-based rule
(16-3 = 13). The cloned rule shows the three added applicaons in Apps on Rule.
Creang a cloned rule with a container app works a bit differently. For example, a port-
based rule has 16 Apps Seen and you select one individual applicaon and a container
app for the cloned rule. The container app has five individual applicaons and has one
dependent applicaon. Aer cloning, the cloned rule shows seven Apps on Rule—the
individual applicaon, the five individual applicaons in the container app, and the dependent
applicaon for the container app. However, in the original port-based rule, Apps Seen shows
13 applicaons because only the individual applicaon, the container app, and the container
app’s dependent applicaon are removed from the port-based rule.
In contrast to cloning, adding applicaons to a port-based rule replaces the rule with the
resulng applicaon-based rule. Adding applicaons to a rule is simpler than cloning, but riskier
because you may inadvertently miss applicaons that should be on the rule, and the original
port-based rule is no longer in the rulebase to catch accidental omissions. However, adding
applicaons to port-based rules that apply to only a few well-known applicaons migrates the
rule quickly to an applicaon-based rule. For example, for a port-based rule that only controls
PAN-OS® Administrator’s Guide Version Version 9.1 746 ©2021 Palo Alto Networks, Inc.
App-ID
traffic to TCP port 22, the only legimate applicaon is SSH, so it’s safe to add applicaons to
the rule.
Adding applicaons using the tradional Security policy rule’s Applicaon tab does
not change Apps Seen or Apps on Rule. To preserve accurate applicaon usage
informaon, when replacing port-based rules with applicaon-based rules, add
applicaons using Add to This Rule or Match Usage (or create a cloned rule or add
applicaons to an exisng applicaon-based rule instead) in Apps Seen.
There are three ways to replace a port-based rule with an applicaon-based rule by adding
applicaons (Add to This Rule and Match Usage in Apps Seen and Add in Apps on Rule):
• Add to This Rule applicaons from Apps Seen (applicaons that matched the rule). Keep in
mind that it takes an hour or more to update Apps Seen.
1. Select applicaons from Apps Seen on the rule.
2. Click Add to Rule. In the Add to Rule dialog, add other applicaons in the same container
app and applicaon dependencies, if required. For example, to add slack-base to a rule:
Similar to the Create Cloned Rule dialog, the green text in Add to This Rule is the
selected applicaon to add to the rule. The container app (slack) is in the gray row. The
applicaons listed in italics are applicaons that have not been seen on the rule but are
in the same container as the selected applicaon. Individual applicaons that have been
seen on the rule are in normal font. All the applicaons are included in the cloned rule by
PAN-OS® Administrator’s Guide Version Version 9.1 747 ©2021 Palo Alto Networks, Inc.
App-ID
default (Add Container App, which adds all the applicaons in the container, is selected
by default) to help prevent the rule from breaking in the future.
3. If you want to allow all of the applicaons in the container, leave Add container app
selected. This also “future proofs” the rule because when an applicaon is added to the
container app, it’s automacally added to the rule.
If you want to constrain access to some of the individual applicaons in the container,
uncheck the box next to each individual applicaon you don’t want users to access.
This also unchecks the container app, so if you want to allow new applicaons in the
container later, you have to add those applicaons individually.
If you uncheck the container app, all the apps are unchecked and you manually select the
apps you want to include in the cloned rule.
4. Leave the applicaon dependencies checked, in this example, ssl and web-browsing
(these are applicaons that the selected applicaon requires).
5. Click OK to replace the port-based rule with the new applicaon-based rule.
When you Add to This Rule and Commit the configuraon, the applicaons you didn’t add
are removed from Apps Seen because the new applicaon-based rule no longer allows
them. For example, if a rule has 16 Apps Seen and you Add to This Rule three applicaons,
the resulng new rule shows only those three added applicaons in Apps Seen.
Add to This Rule with a container app works a bit differently. For example, a port-based
rule has 16 Apps Seen and you select one individual applicaon and a container app to add
to the new rule. The container app has five individual applicaons and has one dependent
applicaon. Aer adding the applicaons to the rule, the new rule shows seven Apps on
Rule—the individual applicaon, the five individual applicaons in the container app, and the
dependent applicaon for the container app. However, Apps Seen shows 13 applicaons
because the individual applicaon, the container app, and the container app’s dependent
applicaon are removed from that list.
• Add all of the Apps Seen on the rule to the rule at one me with one click (Match Usage).
Port-based rules allow any applicaon, so Apps Seen may include unneeded or
unsafe applicaons. Use Match Usage to convert a rule only when the rule has seen
a small number of well-known applicaons with legimate business purposes. A
good example is TCP port 22, which should only allow SSH traffic, so if SSH is the
only applicaon seen on a port-based rule that opens port 22, you can safely Match
Usage.
1. In Apps Seen, click Match Usage. Keep in mind that it takes an hour or more to update
Apps Seen. All the applicaons in Apps Seen are copied to Apps on Rule.
2. Click OK to create the applicaon-based rule and replace the port-based rule.
• If you know the applicaons you want on the rule, you can Add applicaons manually in
Apps on Rule. However, this method is equivalent to using the tradional Security policy
rule Applicaon tab and does not change Apps Seen or Apps on Rule. To preserve accurate
PAN-OS® Administrator’s Guide Version Version 9.1 748 ©2021 Palo Alto Networks, Inc.
App-ID
applicaon usage informaon, convert rules using Add to Rule, Create Cloned Rule, or
Match Usage in Apps Seen.
1. In Apps on Rule, Add (or Browse) and select applicaons to add to the rule. This is
equivalent to adding applicaons on the Applicaon tab.
2. Click OK to add the applicaons to the rule and replace the port-based rule with the new
applicaon-based rule.
If business needs require you to allow applicaons (for example, internal custom
applicaons) on non-standard ports between parcular clients and servers, restrict
the excepon to only the required applicaon, sources, and desnaons. Consider
rewring custom applicaons so they use the applicaon default port.
Rule Cloning Migraon Use Case: Web Browsing and SSL Traffic
A port-based rule that allows web access on TCP ports 80 (HTTP web-browsing) and 443 (HTTPS
SSL) provides no control over which applicaons use those open ports. There are many web
applicaons, so a general rule that allows web traffic allows thousands of applicaons, many of
which you don’t want on your network.
This use case shows how to migrate a port-based policy that allows all web applicaons to an
applicaon-based policy that allows only the applicaons you want, so you can safely enable the
applicaons you choose to allow. For rules that see a lot of applicaons, cloning the original port-
based rule is safer than adding applicaons to the rule because adding replaces the port-based
rule, so if you inadvertently forget to add a crical applicaon, you affect applicaon availability.
And if you Match Usage, which also replaces the port-based rule, you allow all of the applicaons
the rule has seen, which could be dangerous, especially with web browsing traffic.
PAN-OS® Administrator’s Guide Version Version 9.1 749 ©2021 Palo Alto Networks, Inc.
App-ID
Cloning the rule retains the original port-based rule and places the cloned rule directly above
the port-based rule in the rulebase, so you can monitor the rules. Cloning also allows you to split
rules that see a lot of different applicaons—such as a port-based web traffic rule—into mulple
applicaon-based rules so you can treat different groups of applicaons differently. When you’re
sure you’re allowing all the applicaons you need to allow in the cloned rule (or rules), you can
remove the port-based rule.
This example clones a port-based web traffic rule to create an applicaon-based rule for social
networking traffic (a subset of the applicaon traffic seen on the port-based rule).
STEP 1 | Navigate to Policies > Security > Policy Opmizer > No App Specified to view the port-
based rules.
PAN-OS® Administrator’s Guide Version Version 9.1 750 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 3 | Use the sorng opons to review and select the applicaons you want to allow from Apps
Seen.
The number of Apps Seen is updated approximately every hour, so if you don’t see as
many applicaons as you expect, check again aer about an hour. Depending on the
firewall’s load, it may take longer than one hour for these fields to update.
For example, click Subcategory to sort the applicaons, scroll to the social-networking
subcategory, and then select the applicaons you want to allow.
PAN-OS® Administrator’s Guide Version Version 9.1 751 ©2021 Palo Alto Networks, Inc.
App-ID
individual applicaons that have been seen on the rule in normal text font. Scrolling through
Applicaons shows all the container apps and their individual applicaons.
Create Cloned Rule also shows the applicaon dependencies of the selected applicaons.
Because we selected social applicaons but not web-browsing or ssl, web-browsing and ssl are
among the listed applicaon dependencies.
STEP 5 | Name the cloned rule (in this example, the name will be Social Networking Apps).
PAN-OS® Administrator’s Guide Version Version 9.1 752 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 8 | In Policies > Security, the cloned rule (Social Networking Apps) is inserted in the rulebase
above the original port-based rule (Traffic to internet).
STEP 9 | Click the rule name to edit the cloned rule, which inherits the properes of the original port-
based rule.
STEP 10 | On the Service/URL Category tab, delete service-hp and service-hps from Service.
This changes the Service to applicaon-default, which prevents applicaons from using non-
standard ports and further reduces the aack surface.
If business needs require you to allow applicaons (for example, internal custom
applicaons) on non-standard ports between parcular clients and servers, restrict
the excepon to only the required applicaon, sources, and desnaons. Consider
rewring custom applicaons so they use the applicaon default port.
STEP 11 | On the Source, User, and Desnaon tabs, ghten the rule to apply to only the right users in
only the right locaons (zones, subnets).
For example, you may decide to limit social media acvity to certain markeng, public relaons,
sales, and execuve groups.
STEP 14 | Repeat the process for other applicaon categories in the port-based web access rule unl
your applicaon-based rules allow only the applicaons you want to allow on your network.
When traffic you want to allow stops hing the original port-based rule for a sufficient amount
of me to be confident that the port-based rule is no longer needed, you can remove the port-
based rule from the rulebase.
PAN-OS® Administrator’s Guide Version Version 9.1 753 ©2021 Palo Alto Networks, Inc.
App-ID
This example uses file-sharing applicaons to show you how to add applicaons to an exisng
rule.
STEP 1 | You have already taken the following steps to clone an applicaon-based rule from the port-
based internet access rule so you can control file-sharing apps:
1. Clicked Compare (or the number in Apps Seen) in Policies > Security > Policy Opmizer >
No App Specified and filtered the file-sharing applicaons.
PAN-OS® Administrator’s Guide Version Version 9.1 754 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 2 | You check the port-based internet access rule later and discover that more file-sharing
applicaons you need to allow for your business have been seen on the rule.
STEP 3 | Select the file-sharing apps you want to add to the exisng rule.
PAN-OS® Administrator’s Guide Version Version 9.1 755 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 4 | Click Add to Exisng Rule and select the Name of the rule to which you want to add the
applicaons, in this case, file-sharing-apps.
PAN-OS® Administrator’s Guide Version Version 9.1 756 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 6 | The updated rule now controls the original cloned file-sharing applicaons and the
applicaons you just added.
The number of Apps Allowed and Apps Seen are updated approximately every hour,
so if you configure applicaons on a rule and don’t see as many Apps Allowed as you
expect, check again aer about an hour. Depending on the firewall’s load, it may take
longer than one hour for these fields to update.
PAN-OS® Administrator’s Guide Version Version 9.1 757 ©2021 Palo Alto Networks, Inc.
App-ID
was Modified, the more likely the rule is mature. (If Created and Modified are the same, the
rule hasn’t been modified.)
• Hit Count—Displays rules with the most matches over a selected me frame. You can
exclude rules for which you reset the hit counter and specify the exclusion me period in
days. Excluding rules with recently reset hit counters prevents misconcepons about rules
that show fewer hits than you expect because you didn’t know the counter was reset.
You can also use Hit Count to View Policy Rule Usage.
You can also click Traffic (Bytes, 30 days) to sort by the amount of traffic a rule has seen over
the last 30 days. Use this informaon to priorize which rules to modify first. For example, you
can priorize rules with the largest difference between Apps Allowed and Apps Seen and that
also have the most Days with No New Apps, because those rules have the greatest number of
unused applicaons and are the most mature.
• The number next to Apps Seen (12 in this example) is the number of applicaons actually
seen on the rule. Keep in mind that it takes at least one hour to update Apps Seen.
• The number next to Apps on Rule (32 in this example) is how many applicaons are
configured on the rule, which is calculated by counng each applicaon in a container
app (but not the container app itself—if you configure a container app on the rule, the rule
allows the container app’s individual applicaons). However, the Applicaons list shows only
the applicaons manually configured on the rule, so when you configure a container app
on a rule, Applicaons only shows the container app, not the individual applicaons in the
container (unless you also manually configure the individual applicaons on the rule). For
PAN-OS® Administrator’s Guide Version Version 9.1 758 ©2021 Palo Alto Networks, Inc.
App-ID
this reason, the number of Apps on Rule may not be the same as the number of applicaons
in the Applicaons list.
• The pink-shaded Apps on Rule are either:
• Applicaons configured on the rule but no matching traffic has been seen on the rule, so
the applicaon hasn’t been seen on the rule.
• Container apps, even when their individual applicaons have been seen on the rule. For
example, if a rule configured with the container app acve-directory sees traffic from
the acve-directory-base individual applicaon, the container app is shaded pink even
though one of the container app’s individual applicaons was seen on the rule.
• Click the number next to Apps on Rule for a pop-up dialog that shows all of the individual
applicaons on the rule. Because Apps on Rule lists container apps but not the individual
applicaons in those container apps (unless the individual applicaons were manually
configured on the rule), the pop-up dialog may show a different number of applicaons than
the Applicaons list under Apps on Rule.
In the following example, 7 applicaons have been seen on the rule and the rule allows 50
Apps on Rule. The linked in container app is configured on the rule and the rule sees traffic
from the individual applicaons linkedin-apps, linkedin-base, linkedin-eding, linkedin-
intro, linkedin-mail, and linkedin-posng. Apps on Rule shades the container app linkedin
(which is configured on the rule) pink. It does not show the individual applicaons, which
are not specifically configured on the rule. When you click the Apps on Rule number, the
PAN-OS® Administrator’s Guide Version Version 9.1 759 ©2021 Palo Alto Networks, Inc.
App-ID
pop-up dialog expands the container app to display the individual applicaons, but not the
container app itself.
You can clone rules from Policies > Security and from No App Specified to Migrate
Port-Based to App-ID Based Security Policy Rules. You can’t clone a rule starng
from Unused Apps.
PAN-OS® Administrator’s Guide Version Version 9.1 760 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 6 | Monitor updated rules and listen to user feedback to ensure that updated rules allow the
applicaons you want to allow and don’t inadvertently block periodically used applicaons.
The number of Apps Allowed and Apps Seen are updated approximately every hour.
Aer you remove all of the unused applicaons from a rule, the rule remains listed in
Policies > Security > Policy Opmzer > Unused Apps unl the firewall updates the
display. When the firewall updates the display and the number of Apps Allowed is
the same as the number of Apps Seen, the rule no longer displays in the Unused Apps
screen. However, depending on the firewall’s load, it may take longer than one hour for
these fields to update.
PAN-OS® Administrator’s Guide Version Version 9.1 761 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 2 | Select the Policy Applicaon Usage check box to enable the feature and deselect the check
box to disable the feature.
PAN-OS® Administrator’s Guide Version Version 9.1 762 ©2021 Palo Alto Networks, Inc.
App-ID
• H.323 (H.225 and H.248) ALG is not supported in gatekeeper routed mode.
• When the firewall serves as an ALG for the Session Iniaon Protocol (SIP), by default
it performs NAT on the payload and opens dynamic pinholes for media ports. In some
cases, depending on the SIP applicaons in use in your environment, the SIP endpoints
have NAT intelligence embedded in their clients. In such cases, you might need to
disable the SIP ALG funconality to prevent the firewall from modifying the signaling
sessions. When SIP ALG is disabled, if App-ID determines that a session is SIP, the
payload is not translated and dynamic pinholes are not opened. See Disable the SIP
Applicaon-level Gateway (ALG).
When you use Dynamic IP and Port (DIPP) NAT, the Palo Alto Networks firewall ALG
decoder needs a combinaon of IP and Port (Sent-by Address and Sent-by Port) under SIP
headers (Contact and Via fields) to be able to translate the menoned headers and open
predict sessions based on them.
The following table lists IPv4, NAT, IPv6, NPTv6 and NAT64 ALGs and indicates with a check mark
whether the ALG supports each protocol (such as SIP).
SIP — —
SCCP — —
MGCP — — —
FTP —
RTSP —
MySQL — — —
PAN-OS® Administrator’s Guide Version Version 9.1 763 ©2021 Palo Alto Networks, Inc.
App-ID
Oracle/ —
SQLNet/ TNS
RPC — — —
RSH — — —
UNISm — — —
H.225 — — —
H.248 — — —
PAN-OS® Administrator’s Guide Version Version 9.1 764 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 3 | Select Customize... for ALG in the Opons secon of the Applicaon dialog box.
PAN-OS® Administrator’s Guide Version Version 9.1 765 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 4 | Select the Disable ALG check box in the Applicaon - sip dialog box and click OK.
STEP 5 | Close the Applicaon dialog box and Commit the change.
PAN-OS® Administrator’s Guide Version Version 9.1 766 ©2021 Palo Alto Networks, Inc.
App-ID
To understand how to use HTTP headers to manage SaaS applicaons, see the following:
• Understand SaaS Custom Headers
• Domains used by the Predefined SaaS Applicaon Types
• Create HTTP Header Inseron Entries using Predefined Types
• Create Custom HTTP Header Inseron Entries
PAN-OS® Administrator’s Guide Version Version 9.1 767 ©2021 Palo Alto Networks, Inc.
App-ID
The following table lists the headers that you can use for the SaaS applicaons for which Palo
Alto Networks provides predefined support; each header also includes a link to more informaon
specific to that header.
PAN-OS® Administrator’s Guide Version Version 9.1 768 ©2021 Palo Alto Networks, Inc.
App-ID
PAN-OS® Administrator’s Guide Version Version 9.1 769 ©2021 Palo Alto Networks, Inc.
App-ID
Applicaon Domains
Dropbox *.dropbox.com
G Suite *.google.com
gmail.com
YouTube www.youtube.com
m.youtube.com
youtubei.googleapis.com
youtube.googleapis.com
www.youtube-nocookie.com
PAN-OS® Administrator’s Guide Version Version 9.1 770 ©2021 Palo Alto Networks, Inc.
App-ID
If you are configuring SSL decrypon for Dropbox, then you must also configure your
Dropbox clients to allow SSL traffic. These procedures are specific and private to
Dropbox — to obtain these procedures, contact your Dropbox account representave.
1. Add a Custom URL Category for the SaaS applicaon you are managing (Objects >
Custom Objects > URL Category).
2. Specify a Name for the category.
3. Add the domains specific to the SaaS applicaon you are managing or for which you
want to insert the username and domain in the headers. See Domains used by the
Predefined SaaS Applicaon Types for a list of the domains that you use for each of
the predefined SaaS applicaons. See Insert Username in HTTP Headers for more
informaon on configuring the firewall to include the username and domain in the HTTP
headers.
Each domain name can be up to 254 characters and you can idenfy a maximum
of 50 domains for each entry. The domain list supports wildcards (for example,
*.example.com). As a best pracce, do not nest wildcards (for example, *.*.*) and do
not overlap domains within the same URL profile.
4. For SaaS applicaon management, Create a Decrypon Policy Rule and, as you follow
this procedure, configure the following:
• In the Service/URL Category tab, Add the URL Category that you created in the
previous step.
• In the Opons tab, make sure the Acon is set to Decrypt and that the Type is set to
SSL Forward Proxy.
STEP 3 | Select HTTP Header Inseron in the URL Filtering Profile dialog.
PAN-OS® Administrator’s Guide Version Version 9.1 771 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 5 | Add or edit a Security Policy rule (Policies > Security) to include the HTTP header inseron
URL filtering profile.
• For SaaS applicaon management, allow users to access the SaaS applicaon for which you
are configuring this header inseron rule.
• To include the username and domain in the HTTP headers, apply the URL filtering profile to
the security policy rule for HTTP or HTTPS traffic.
1. Choose the URL filtering profile (Acons > URL Filtering) that you edited or created in
Step 2.
2. Click OK to save and then Commit your changes.
STEP 3 | Select HTTP Header Inseron in the URL Filtering Profile dialog.
PAN-OS® Administrator’s Guide Version Version 9.1 772 ©2021 Palo Alto Networks, Inc.
App-ID
HTTP header inseron occurs when a domain in this list matches the domain in
the Host header of the HTTP request.
4. Add headers to the Headers list.
You can add up to 5 headers and each header can have up to 100 characters but cannot
contain any spaces.
5. For each header Value.
6. (Oponal) Select Log to enable logging of inseron acvity for the headers.
7. Click OK to save your changes.
STEP 5 | Add or edit a Security Policy rule (Policies > Security) Security Policythat allows users to
access the SaaS applicaon for which you are configuring this header inseron rule.
1. Choose the URL filtering profile (Acons > URL Filtering) that you edited or created in
Step 2.
2. Click OK to save and then Commit your changes.
STEP 6 | Verify that access to the SaaS applicaon is working in the way you expect. From an endpoint
that is connected to your network:
1. Try to access an account or content that you expect to be able to access. If you cannot
access the SaaS account or content, then the configuraon is not working.
2. Try to access an account or content that you expect will be blocked. If you can access the
SaaS account or content, then the configuraon is not working.
3. If both of the previous steps work as expected, then you can View Logs (if you
configured logging in step 4.6) and you should see the recorded HTTP header inseron
acvity.
PAN-OS® Administrator’s Guide Version Version 9.1 773 ©2021 Palo Alto Networks, Inc.
App-ID
Then add the service object in a policy rule to apply the custom meouts to the applicaon(s) the
rule enforces.
The following steps describe how apply custom meouts to applicaons; to apply custom
meouts to user groups, you can follow the same steps but just make sure to add the service
object to the security policy rule that enforces the users to whom you want the meout to apply.
STEP 1 | Select Objects > Services to add or modify a service object.
You can also create service objects as you are defining match criteria for a security policy rule:
select Policies > Security > Service/URL Category and Add a new Service object to apply to
the applicaon traffic the rule governs.
STEP 2 | Select the protocol for the service to use (TCP or UDP).
STEP 3 | Enter the desnaon port number or a range of port numbers used by the service.
PAN-OS® Administrator’s Guide Version Version 9.1 774 ©2021 Palo Alto Networks, Inc.
App-ID
STEP 5 | If you chose to override the applicaon meout and define a custom session meout,
connue to:
• Enter a TCP Timeout value to set the Maximum length of me in seconds that a TCP
session can remain open aer data transmission has started. When this me expires, the
session closes. The value range is 1 - 604800, and the default value is 3600 seconds.
• Enter a TCP Half Closed value to set the maximum length of me in seconds that a
session remains in the session table between receiving the first FIN packet and receiving
the second FIN packet or RST packet. If the mer expires, the session closes. The value
range is 1 - 604800, and the default value is 120 seconds.
• Enter a TCP Wait Time value to set the maximum length of me in seconds that a session
remains in the session table aer receiving the second FIN packet or a RST packet. When
the mer expires, the session closes. The value range is 1 - 600, and the default value is
15 seconds.
STEP 7 | Select Policies > Security and Add or modify a policy rule to govern the applicaon traffic
you want to control.
STEP 8 | Select Service/URL Category and Add the service object you just created to the security
policy rule.
PAN-OS® Administrator’s Guide Version Version 9.1 775 ©2021 Palo Alto Networks, Inc.
App-ID
PAN-OS® Administrator’s Guide Version Version 9.1 776 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
The Palo Alto Networks® next-generaon firewall protects and defends your network
from commodity threats and advanced persistent threats (APTs). The mul-pronged
detecon mechanisms of the firewall include a signature-based (IPS/Command and
Control/Anvirus) approach, heuriscs-based (bot detecon) approach, sandbox-
based (WildFire) approach, and Layer 7 protocol analysis-based (App-ID) approach.
Commodity threats are exploits that are less sophiscated and more easily detected
and prevented using a combinaon of anvirus, an-spyware, and vulnerability
protecon features along with URL filtering and Applicaon idenficaon capabilies
on the firewall.
Advanced threats are perpetuated by organized cyber adversaries who use
sophiscated aack vectors to target your network, most commonly for intellectual
property the and financial data the. These threats are more evasive and require
intelligent monitoring mechanisms for detailed host and network forensics on
malware. The Palo Alto Networks next-generaon firewall together with WildFire™
and Panorama™ provide a comprehensive soluon that intercepts and breaks the
aack chain and provides visibility to prevent security infringement on your network
infrastructure—both mobile and virtualized.
Aer you implement your threat prevenon configuraons, Export Configuraon Table Data to
create a PDF or CSV report of your configuraons to use for internal review or for auding.
> Best Pracces for Securing Your > Enable Evasion Signatures
Network from Layer 4 and Layer 7 > Prevent Credenal Phishing
Evasions
> Monitor Blocked IP Addresses
> Set Up Anvirus, An-Spyware, and
Vulnerability Protecon > Threat Signature Categories
> DNS Security > Create Threat Excepons
> Use DNS Queries to Idenfy Infected > Custom Signatures
Hosts on the Network > Learn More About and Assess
> Set Up Data Filtering Threats
> Predefined Data Filtering Paerns > Share Threat Intelligence with Palo
Alto Networks
> Create a Data Filtering Profile
> Threat Prevenon Resources
> Set Up File Blocking
> Prevent Brute Force Aacks
> Customize the Acon and Trigger
Condions for a Brute Force
Signature
777
Threat Prevenon
For servers, create Security policy rules to allow only the applicaon(s) that you sancon on
each server. Verify that the standard port for the applicaon matches the listening port on
the server. For example, to ensure that only SMTP traffic is allowed to your email server, set
the Applicaon to smtp and set the Service to applicaon-default. If your server uses only a
subset of the standard ports (for example, if your SMTP server uses only port 587 while the
SMTP applicaon has standard ports defined as 25 and 587), create a new custom service
that includes only port 587 and use that new service in your security policy rule instead
of applicaon-default. Addionally, make sure you restrict access to specific source and
desnaons zones and sets of IP addresses.
PAN-OS® Administrator’s Guide Version Version 9.1 778 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Block all unknown applicaons and traffic using the Security policy. Typically, the only
applicaons classified as unknown traffic are internal or custom applicaons on your network
and potenal threats. Unknown traffic can be either non-compliant applicaons or protocols
that are anomalous or abnormal or it can be known applicaons that are using non-standard
ports, both of which should be blocked. See Manage Custom or Unknown Applicaons.
Set Up File Blocking to block Portable Executable (PE) file types for internet-based SMB (Server
Message Block) traffic from traversing trust to untrust zones (ms-ds-smb applicaons).
Create a Zone Protecon profile that is configured to protect against packet-based aacks
(Network > Network Profiles > Zone Protecon):
• Select the opon to drop Malformed IP packets (Packet Based Aack Protecon > IP Drop).
• Enable the drop Mismatched overlapping TCP segment opon (Packet Based Aack
Protecon > TCP Drop).
By deliberately construcng connecons with overlapping but different data in them,
aackers aempt to cause misinterpretaon of the intent of the connecon and deliberately
induce false posives or false negaves. Aackers also use IP spoofing and sequence
number predicon to intercept a user's connecon and inject their own data into that
connecon. Selecng the Mismatched overlapping TCP segment opon specifies that
PAN-OS discards frames with mismatched and overlapping data. Received segments are
PAN-OS® Administrator’s Guide Version Version 9.1 779 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
discarded when they are contained within another segment, when they overlap with part of
another segment, or when they contain another complete segment.
• Enable the drop TCP SYN with Data and drop TCP SYNACK with Data opons (Packet
Based Aack Protecon > TCP Drop).
Dropping SYN and SYN-ACK packets that contain data in the payload during a three-way
handshake increases security by blocking malware contained in the payload and prevenng
it from extracng unauthorized data before the TCP handshake is completed.
• Strip TCP mestamps from SYN packets before the firewall forwards the packet (Packet
Based Aack Protecon > TCP Drop).
When you enable the Strip TCP Opons - TCP Timestamp opon, the TCP stack on both
ends of the TCP connecon will not support TCP mestamps. This prevents aacks that use
different mestamps on mulple packets for the same sequence number.
If you configure IPv6 addresses on your network hosts, be sure to enable support for IPv6 if
not already enabled (Network > Interfaces > Ethernet > IPv6).
Enabling support for IPv6 allows access to IPv6 hosts and also filters IPv6 packets encapsulated
in IPv4 packets, which prevents IPv6 over IPv4 mulcast addresses from being leveraged for
network reconnaissance.
PAN-OS® Administrator’s Guide Version Version 9.1 780 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Enable support for mulcast traffic so that the firewall can enforce policy on mulcast traffic
(Network > Virtual Router > Mulcast).
Disable the opons to Forward datagrams exceeding UDP content inspecon queue and
Forward segments exceeding TCP content inspecon queue (Device > Setup > Content-ID >
Content-ID Sengs).
By default, when the TCP or UDP content inspecon queues are full, the firewall skips content
inspecon for TCP segments or UDP datagrams that exceed the queue limit of 64. Disabling
this opon ensures content inspecon for all TCP and UDP datagrams that the firewall
allows. Only under specific circumstances—for example, if the firewall plaorm is not sized
appropriately to align with a use case—could disabling this seng impact performance.
Disable the Allow HTTP paral response (Device > Setup > Content-ID > Content-ID
Sengs).
The HTTP paral response opon allows a client to fetch only part of a file. When a next-
generaon firewall in the path of a transfer idenfies and drops a malicious file, it terminates
the TCP session with an RST packet. If the web browser implements the HTTP header range
opon, it can start a new session to fetch only the remaining part of the file, which prevents
the firewall from triggering the same signature again due to the lack of context into the inial
session and, at the same me, allows the web browser to reassemble the file and deliver the
malicious content. Disabling this opon prevents this from happening.
Allow HTTP paral response is enabled on the firewall by default. This provides maximum
availability but increases the risk of a successful cyberaack. For maximum security, disable this
opon to prevent the web browser from starng a new session to fetch the rest of a file aer
the firewall terminates the original session due to malicious acvity. Disabling HTTP paral
response affects HTTP-based data transfers which use the RANGE header, which may cause
service anomalies for certain applicaons. Aer you disable HTTP paral response, validate the
operaon of your business-crical applicaons.
If you experience HTTP data transfer disrupon on a business-crical applicaon, you can
create an Applicaon Override policy for that specific applicaon. Because Applicaon
Override bypasses App-ID (including threat and content inspecon), create an Applicaon
Override policy for only the specific business-crical applicaon, and specify sources and
desnaons to limit the rule (principle of least privilege access). Do not create Applicaon
PAN-OS® Administrator’s Guide Version Version 9.1 781 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Override policy unless you must. For informaon about Applicaon Override policies, refer to
hps://knowledgebase.paloaltonetworks.com/KCSArcleDetail?id=kA10g000000ClVLCA0.
Create a Vulnerability Protecon Profile that blocks protocol anomalies and all vulnerabilies
with low and high severies.
A protocol anomaly occurs when a protocol behavior deviates from standard and compliant
usage. For example, a malformed packet, poorly wrien applicaon, or an applicaon running
on a non-standard port would all be considered protocol anomalies, and could be used as
evasion tools.
If yours is a mission-crical network, where the business’s highest priority is applicaon
availability, you should begin by alerng on protocol anomalies for a period of me to ensure
that no crical internal applicaons are using established protocols in a non-standard way. If
you find that certain crical applicaons trigger protocol anomaly signatures, you can then
exclude those applicaons from protocol anomaly enforcement. To do this, add another rule to
the Vulnerability Protecon Profile that allows protocol anomalies and aach the profile to the
security policy rule that enforces traffic to and from the crical applicaons.
Make sure that Vulnerability Protecon Profile rules and security policy rules that allow
protocol anomalies for crical internal applicaons are listed above rules that block protocol
anomalies. Traffic is evaluated against security policy rules and associated Vulnerability
Protecon Profiles rules from top to boom, and is enforced based on the first matching rule.
• Begin by alerng on protocol anomalies:
Create a Vulnerability Protecon Profile rule with the Acon set to Alert, the Category set
to protocol-anomaly, and the Severity set to Any. Monitor your traffic to determine if any
crical internal applicaons are using established protocols in non-standard ways. If you find
PAN-OS® Administrator’s Guide Version Version 9.1 782 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
this to be true, connue to allow protocol anomalies for those applicaons, and then block
protocol anomalies for all other applicaons.
• Oponally allow protocol anomalies for crical applicaons that use established protocols
in a non-standard way. To do this, create a Vulnerability Protecon Profile rule that allows
protocol anomalies: set the rule Acon to Allow, the Category to protocol-anomaly, and the
PAN-OS® Administrator’s Guide Version Version 9.1 783 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Severity to any. Aach the Vulnerability Protecon Profile rule to the security policy rule
that enforces traffic to and from crical applicaons.
• Add another rule to the Vulnerability Protecon profile to block all vulnerabilies with low
and higher severity. This rule must be listed aer the rule that blocks protocol anomalies.
Connue to aach the following security profiles to your Security policy rules to provide
signature-based protecon:
• An An-Spyware profile to block all spyware with severity low and higher.
• An Anvirus profile to block all content that matches an anvirus signature.
PAN-OS® Administrator’s Guide Version Version 9.1 784 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Palo Alto Networks defines a default acon for all an-spyware and vulnerability
protecon signatures. To see the default acon, select Objects > Security Profiles >
An-Spyware or Objects > Security Profiles > Vulnerability Protecon and then select
a profile. Click the Excepons tab and then click Show all signatures to view the list
of the signatures and the corresponding default Acon. To change the default acon,
create a new profile and specify an Acon, and/or add individual signature excepons to
Excepons in the profile.
PAN-OS® Administrator’s Guide Version Version 9.1 785 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Review the Best Pracces for Applicaons and Threats Content Updates for
important informaon on deploying updates.
1. Select Device > Dynamic Updates and then click Schedule to automacally retrieve
signature updates for Anvirus and Applicaons and Threats.
2. Specify the frequency and ming for the updates:
• download-only—The firewall automacally downloads the latest updates per the
schedule you define but you must manually Install them.
• download-and-install—The firewall automacally downloads and installs the updates
per the schedule you define.
3. Click OK to save the update schedule; a commit is not required.
4. (Oponal) Define a Threshold to indicate the minimum number of hours aer an
update becomes available before the firewall will download it. For example, seng the
Threshold to 10 means the firewall will not download an update unl it is at least 10
hours old regardless of the schedule.
5. (HA only) Decide whether to Sync To Peer, which enables peers to synchronize content
updates aer download and install (the update schedule does not sync across peers; you
must manually configure the schedule on both peers).
There are addional consideraons for deciding if and how to Sync To Peer depending
on your HA deployment:
• Acve/Passive HA—If the firewalls are using the MGT port for content updates, then
schedule both firewalls to download and install updates independently. However,
if the firewalls are using a data port for content updates, then the passive firewall
will not download or install updates unless and unl it becomes acve. To keep the
schedules in sync on both firewalls when using a data port for updates, schedule
updates on both firewalls and then enable Sync To Peer so that whichever firewall is
acve downloads and installs the updates and also pushes the updates to the passive
firewall.
• Acve/Acve HA—If the firewalls are using the MGT interface for content updates,
then select download-and-install on both firewalls but do not enable Sync To Peer.
However, if the firewalls are using a data port, then select download-and-install on
both firewalls and enable Sync To Peer so that if one firewall goes into the acve-
secondary state, the acve-primary firewall will download and install the updates and
push them to the acve-secondary firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 786 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
STEP 4 | (Oponal) Create custom security profiles for anvirus, an-spyware, and vulnerability
protecon.
Alternavely, you can use the predefined default or strict profiles.
Transion safely to best pracce Security profiles for the best security posture.
• To create custom Anvirus Profiles, select Objects > Security Profiles > Anvirus and Add a
new profile. Use the Anvirus profile transion steps to safely reach your goal.
• To create custom An-Spyware Profiles, select Objects > Security Profiles > An-Spyware
and Add a new profile. Use the An-Spyware profile transion steps to safely reach your
goal.
• To create custom Vulnerability Protecon Profiles, select Objects > Security Profiles >
Vulnerability Protecon and Add a new profile. Use the Vulnerability Protecon profile
transion steps to safely reach your goal.
When you configure the firewall with a Security policy rule that uses a Vulnerability
Protecon profile to block connecons, the firewall automacally blocks that traffic in
hardware (see Monitor Blocked IP Addresses).
1. Select Policies > Security and select the rule you want to modify.
2. In the Acons tab, select Profiles as the Profile Type.
3. Select the security profiles you created for Anvirus, An-Spyware, and Vulnerability
Protecon.
PAN-OS® Administrator’s Guide Version Version 9.1 787 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
DNS Security
DNS Security is a connuously evolving threat prevenon service designed to protect and defend
your network from advanced threats using DNS. By leveraging advanced machine learning and
predicve analycs, the service provides real-me DNS request analysis and rapidly produces and
distributes DNS signatures that are specifically designed to defend against malware using DNS for
C2 and data the. Combined with an extensible cloud architecture, it provides access to a scalable
threat intelligence system to keep your network protecons up to date.
• About DNS Security
• Domain Generaon Algorithm (DGA) Detecon
• DNS Tunneling Detecon
• Cloud-Delivered DNS Signatures and Protecons
• Enable DNS Security
PAN-OS® Administrator’s Guide Version Version 9.1 788 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
PAN-OS® Administrator’s Guide Version Version 9.1 789 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
which they can transfer files or remotely access the system. DNS tunnel detecon uses machine
learning to analyze the behavioral qualies of DNS queries, including n-gram frequency analysis
of domains, entropy, query rate, and paerns to determine if the query is consistent with a DNS
tunneling-based aack. Combined with the firewall’s automated policy acons, this allows you to
quickly detect C2 or data the hidden in DNS tunnels and to automacally block it, based on your
defined policy rules.
You can analyze the sinkholed DNS queries by viewing the threat logs (Monitor > Logs, then select
the log type from the list):
PAN-OS® Administrator’s Guide Version Version 9.1 790 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
STEP 2 | Verify that the paloalto-dns-security App-ID in your security policy is configured to enable
traffic from the DNS security cloud security service.
PAN-OS® Administrator’s Guide Version Version 9.1 791 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
STEP 3 | Configure DNS Security signature policy sengs to send malware DNS queries to the
defined sinkhole.
If you use an external dynamic list as a domain allow list, it does not have precedence
over the DNS Security domain policy acons. As a result, when there is a domain
match to an entry in the EDL and a DNS Security domain category, the acon specified
under DNS Security is sll applied, even when the EDL is explicitly configured with an
acon of Allow. If you want to add DNS domain excepons, you can configure an EDL
with an Alert acon.
PAN-OS® Administrator’s Guide Version Version 9.1 792 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
access a Palo Alto Networks server. Palo Alto Networks can automacally refresh this
address through content updates.
If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on
your network or to a loopback address, see Configure the Sinkhole IP Address to a Local
Server on Your Network.
9. Click OK to save the An-Spyware profile.
PAN-OS® Administrator’s Guide Version Version 9.1 793 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
STEP 7 | (Oponal) Add domain signature excepons in cases where false-posives occur.
1. Select Objects > Security Profiles > An-Spyware.
2. Select a profile to modify.
3. Add or modify the An-Spyware profile from which you want to exclude the threat
signature, and select DNS Signatures > Excepons.
4. Search for a DNS signature to exclude by entering the name or FQDN.
5. Select the DNS Threat ID for the DNS signature that you want to exclude from
enforcement.
6. Click OK to save your new or modified An-Spyware profile.
STEP 8 | (Oponal) Configure the DNS signature lookup meout seng. If the firewall is unable
to retrieve a signature verdict in the alloed me due to connecvity issues, the request,
including all subsequent DNS responses, are passed through. You can check the average
latency to verify that the requests fall within the configured period. If the average latency
exceeds the configured period, consider updang the seng to a value that is higher than
the average latency to prevent requests from ming out.
1. In the CLI, issue the following command to view the average latency.
PAN-OS® Administrator’s Guide Version Version 9.1 794 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
.
.
[latency ] :
max 1870 (ms) min 16(ms) avg 27(ms)
50 or less : 47246
100 or less : 113
200 or less : 25
400 or less : 15
else : 21
3. If the average latency is consistency above the default meout value, you can raise the
seng so that the requests fall within a given period. Select Device > Content-ID and
update the Realme Signature Lookup seng.
4. Commit the changes.
PAN-OS® Administrator’s Guide Version Version 9.1 795 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
PAN-OS® Administrator’s Guide Version Version 9.1 796 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
that you define if you choose to Configure DNS Sinkholing for a List of Custom Domains). Infected
hosts can then be easily idenfied in the traffic logs.
PAN-OS® Administrator’s Guide Version Version 9.1 797 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
STEP 4 | Test that the policy acon is enforced by monitoring the acvity on the firewall.
1. Select ACC and add a URL Domain as a global filter to view the Threat Acvity and
Blocked Acvity for the domain you accessed.
2. Select Monitor > Logs > Threat and filter by (action eq sinkhole) to view logs on
sinkholed domains.
PAN-OS® Administrator’s Guide Version Version 9.1 798 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
STEP 1 | Enable DNS sinkholing for the custom list of domains in an external dynamic list.
1. Select Objects > Security Profiles > An-Spyware.
2. Modify an exisng profile, or select one of the exisng default profiles and clone it.
3. Name the profile and select the DNS Signatures tab.
4. Click Add and select External Dynamic Lists in the drop-down.
If you have already created an external dynamic list of type: Domain List, you
can select it from here. The drop-down does not display external dynamic lists of
type URL or IP Address that you may have created.
5. Configure the external dynamic list from the An-Spyware profile (see Configure the
Firewall to Access an External Dynamic List). The Type is preset to Domain List.
6. (Oponal) In the Packet Capture drop-down, select single-packet to capture the first
packet of the session or extended-capture to set between 1-50 packets. You can then
use the packet captures for further analysis.
PAN-OS® Administrator’s Guide Version Version 9.1 799 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
STEP 5 | Verify whether entries in the external dynamic list are ignored or skipped.
Use the following CLI command on the firewall to review the details about the list.
For example:
As an alternave, you can use the firewall interface to Retrieve an External Dynamic
List from the Web Server.
PAN-OS® Administrator’s Guide Version Version 9.1 800 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
sinkhole address must be in a different zone than the client hosts to ensure that when an infected
host aempts to start a session with the sinkhole IP address, it will be routed through the firewall.
The sinkhole addresses must be reserved for this purpose and do not need to be assigned
to a physical host. You can oponally use a honey-pot server as a physical host to further
analyze the malicious traffic.
The configuraon steps that follow use the following example DNS sinkhole addresses:
IPv4 DNS sinkhole address—10.15.0.20
IPv6 DNS sinkhole address—fd97:3dec:4d27:e37c:5:5:5:5
Use a dedicated zone for sinkhole traffic, because the infected host will be sending
traffic to this zone.
1. Select Network > Interfaces and select an interface to configure as your sinkhole
interface.
2. In the Interface Type drop-down, select Layer3.
3. To add an IPv4 address, select the IPv4 tab and select Stac and then click Add. In this
example, add 10.15.0.20 as the IPv4 DNS sinkhole address.
4. Select the IPv6 tab and click Stac and then click Add and enter an IPv6 address and
subnet mask. In this example, enter fd97:3dec:4d27:e37c::/64 as the IPv6 sinkhole
address.
5. Click OK to save.
6. To add a zone for the sinkhole, select Network > Zones and click Add.
7. Enter zone Name.
8. In the Type drop-down select Layer3.
9. In the Interfaces secon, click Add and add the interface you just configured.
10. Click OK.
STEP 3 | Edit the security policy rule that allows traffic from client hosts in the trust zone to the
untrust zone to include the sinkhole zone as a desnaon and aach the An-Spyware
profile.
Eding the Security policy rule(s) that allows traffic from client hosts in the trust zone to
the untrust zone ensures that you are idenfying traffic from infected hosts. By adding the
PAN-OS® Administrator’s Guide Version Version 9.1 801 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
sinkhole zone as a desnaon on the rule, you enable infected clients to send bogus DNS
queries to the DNS sinkhole.
1. Select Policies > Security.
2. Select an exisng rule that allows traffic from the client host zone to the untrust zone.
3. On the Desnaon tab, Add the Sinkhole zone. This allows client host traffic to flow to
the sinkhole zone.
4. On the Acons tab, select the Log at Session Start check box to enable logging. This will
ensure that traffic from client hosts in the Trust zone will be logged when accessing the
Untrust or Sinkhole zones.
5. In the Profile Seng secon, select the An-Spyware profile in which you enabled DNS
sinkholing.
6. Click OK to save the Security policy rule and then Commit.
STEP 4 | To confirm that you will be able to idenfy infected hosts, verify that traffic going from the
client host in the Trust zone to the new Sinkhole zone is being logged.
In this example, the infected client host is 192.168.2.10 and the Sinkhole IPv4 address is
10.15.0.20.
1. From a client host in the trust zone, open a command prompt and run the following
command:
The following example output shows the ping request to the DNS sinkhole address at
10.15.0.2 and the result, which is Request timed out because in this example the
sinkhole IP address is not assigned to a physical host:
C:\>ping 10.15.0.20
Pinging 10.15.0.20 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 10.15.0.20:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
2. On the firewall, select Monitor > Logs > Traffic and find the log entry with the Source
192.168.2.10 and Desnaon 10.15.0.20. This will confirm that the traffic to the
sinkhole IP address is traversing the firewall zones.
You can search and/or filter the logs and only show logs with the desnaon
10.15.0.20. To do this, click the IP address (10.15.0.20) in the Desnaon
column, which will add the filter (addr.dst in 10.15.0.20) to the search field. Click
the Apply Filter icon to the right of the search field to apply the filter.
PAN-OS® Administrator’s Guide Version Version 9.1 802 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
conficker:tbsbana 1
variants: net
C:\>nslookup
track.bidtrk.com
Server: my-local-dns.local
Address: 10.0.0.222
Non-authoritative answer:
Name: track.bidtrk.com.org
Addresses: fd97:3dec:4d27:e37c:5:5:5:510.15.0.20
In the output, note that the NSLOOKUP to the malicious domain has been forged using
the sinkhole IP addresses that we configured (10.15.0.20). Because the domain matched
a malicious DNS signature, the sinkhole acon was performed.
4. Select Monitor > Logs > Threat and locate the corresponding threat log entry to verify
that the correct acon was taken on the NSLOOKUP request.
5. Perform a ping to track.bidtrk.com, which will generate network traffic to the
sinkhole address.
PAN-OS® Administrator’s Guide Version Version 9.1 803 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Configure a custom report to idenfy all client hosts that have sent traffic to the sinkhole IP
address, which is 10.15.0.20 in this example.
In this example, the infected client host performed an NSLOOKUP to a known malicious
domain that is listed in the Palo Alto Networks DNS Signature database. When this occurred,
the query was sent to the local DNS server, which then forwarded the request through
the firewall to an external DNS server. The firewall security policy with the An-Spyware
profile configured matched the query to the DNS Signature database, which then forged the
reply using the sinkhole address of 10.15.0.20 and fd97:3dec:4d27:e37c:5:5:5:5. The client
PAN-OS® Administrator’s Guide Version Version 9.1 804 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
aempts to start a session and the traffic log records the acvity with the source host and the
desnaon address, which is now directed to the forged sinkhole address.
Viewing the traffic log on the firewall allows you to idenfy any client host that is sending
traffic to the sinkhole address. In this example, the logs show that the source address
192.168.2.10 sent the malicious DNS query. The host can then be found and cleaned. Without
the DNS sinkhole opon, the administrator would only see the local DNS server as the system
that performed the query and would not see the client host that is infected. If you aempted
to run a report on the threat log using the acon “Sinkhole”, the log would show the local DNS
server, not the infected host.
1. Select Monitor > Manage Custom Reports.
2. Click Add and Name the report.
3. Define a custom report that captures traffic to the sinkhole address as follows:
• Database—Select Traffic Log.
• Scheduled—Enable Scheduled and the report will run every night.
• Time Frame—30 days
• Selected Columns—Select Source address or Source User (if you have User-ID
configured), which will idenfy the infected client host in the report, and Desnaon
address, which will be the sinkhole address.
• In the secon at the boom of the screen, create a custom query for traffic to the
sinkhole address (10.15.0.20 in this example). You can either enter the desnaon
address in the Query Builder window (addr.dst in 10.15.0.20) or select the following
PAN-OS® Administrator’s Guide Version Version 9.1 805 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
in each column and click Add: Connector = and, Aribute = Desnaon Address,
Operator = in, and Value = 10.15.0.20. Click Add to add the query.
4. Click Run Now to run the report. The report will show all client hosts that have sent
traffic to the sinkhole address, which indicates that they are most likely infected. You can
now track down the hosts and check them for spyware.
5. To view scheduled reports that have run, select Monitor > Reports.
PAN-OS® Administrator’s Guide Version Version 9.1 806 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Data Filtering
Use Data Filtering Profiles to prevent sensive, confidenal, and proprietary informaon from
leaving your network. Predefined paerns, built-in sengs, and customizable opons make it easy
for you to protect files that contain certain file properes (such as a document tle or author),
credit card numbers, regulated informaon from different countries (like social security numbers),
and third-party data loss prevenon (DLP) labels.
• Predefined Data Paerns—Easily filter common paerns, including credit card numbers.
Predefined data filtering paerns also idenfy specific (regulated) informaon from different
countries of the world, such as social security numbers (United States), INSEE Idenficaon
numbers (France), and New Zealand Internal Revenue Department Idenficaon Numbers.
Many of the predefined data filtering paerns enable compliance for standards such as HIPAA,
GDPR, Gramm-Leach-Bliley Act.
• Built-In Support for Azure Informaon Protecon and Titus Data Classificaon—Predefined
file properes allow you to filter content based on Azure Informaon Protecon and Titus
labels. Azure Informaon Protecon labels are stored in metadata, so make sure that you know
the GUID of the Azure Informaon Protect label that you want the firewall to filter.
• Custom Data Paerns for Data Loss Prevenon (DLP) Soluons—If you’re using a third-party,
endpoint DLP soluon that populates file properes to indicate sensive content, you can
create a custom data paern to idenfy the file properes and values tagged by your DLP
soluon and then log or block the files that your Data Filtering profile detects based on that
paern.
PAN-OS® Administrator’s Guide Version Version 9.1 807 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
This selecon is cleared by default, which means administrators can override the sengs
for any device group that inherits the object.
5. (Oponal—Panorama only) Select Data Capture to automacally collect the data that is
blocked by the filter.
Specify a password for Manage Data Protecon on the Sengs page to view
your captured data (Device > Setup > Content-ID > Manage Data Protecon).
6. Set the Paern Type to one of the following:
• Predefined Paern—Filter for credit card, social security numbers, and personally
idenfiable informaon for several compliance standards including HIPAA, GDPR,
Gramm-Leach-Bliley Act.
• Regular Expression—Filter for custom data paerns.
• File Properes—Filter based on file properes and the associated values.
7. Add a new rule to the data paern object.
8. Specify the data paern according to the Paern Type you selected for this object:
• Predefined—Select the Name and choose the predefined data paern on which to
filter.
• Regular Expression—Specify a descripve Name, select the File Type (or types) you
want to scan, and then enter the specific Data Paern you want the firewall to detect.
• File Properes—Specify a descripve Name, select the File Type and File Property
you want to scan, and enter the specific Property Value that you want the firewall to
detect.
• To filter Titus classified documents: Select one of the non-AIP protected file
types, and set the File Property to TITUS GUID. Enter the Titus label GUID as the
Property Value.
• For Azure Informaon Protecon labeled documents: Select any File Type except
Rich Text Format. For the file type you choose, set the File Property to Microso
MIP Label, and enter the Azure Informan Protect label GUID as the Property
Value.
PAN-OS® Administrator’s Guide Version Version 9.1 808 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
The file type you select must be the same file type you defined for the data
paern earlier, or it must be a file type that includes the data paern file type.
For example, you could define both the data paern object and the data filtering
profile to scan all Microso Office documents. Or, you could define the data
paern object to match to only Microso PowerPoint Presentaons while the
data filtering profile scans all Microso Office documents.
If a data paern object is aached to a data filtering profile and the configured file types
do not align between the two, the profile will not correctly filter documents matched to
the data paern object.
5. Set the Alert Threshold to specify the number of mes the data paern must be
detected in a file to trigger an alert.
6. Set the Block Threshold to block files that contain at least this many instances of the
data paern.
7. Set the Log Severity recorded for files that match this rule.
8. Click OK to save the data filtering profile.
STEP 4 | (Recommended) Prevent web browsers from resuming sessions that the firewall has
terminated.
This opon ensures that when the firewall detects and then drops a sensive file, a web
browser cannot resume the session in an aempt to retrieve the file.
1. Select Device > Setup > Content-ID and edit Content-ID Sengs.
2. Clear the Allow HTTP paral response.
3. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 809 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
If the type of informaon you want to protect is not covered in the list of predefined
paerns, you can use regular expressions to create custom paerns.
Paern Descripon
Social Security Numbers (without dash 9-digit social security numbers without dashes
separator)
PAN-OS® Administrator’s Guide Version Version 9.1 810 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Paern Descripon
Codice Fiscale Idenficaon Number Italian Fiscal Tax Code Card Idenficaon
Number
PAN-OS® Administrator’s Guide Version Version 9.1 811 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Paern Descripon
Republic of South Korea Resident Registraon Republic of South Korea Resident Registraon
Number
PAN-OS® Administrator’s Guide Version Version 9.1 812 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
PAN-OS® Administrator’s Guide Version Version 9.1 813 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Only web browsers can display the response page (connue prompt) that allows
users to confirm their Choosing any other applicaon results in blocked traffic
for those applicaons because there is no prompt displayed to allow users to
connue.
4. Select Any or specify one or more specific File Types, such as exe.
5. Specify the Direcon, such as download.
6. Specify the Acon (alert, block, or connue). For example, select connue to prompt
users for confirmaon before they are allowed to download an executable (.exe) file.
Alternavely, you could block the specified files or you could configure the firewall to
simply trigger an alert when a user downloads an executable file.
7. Click OK to save the profile.
STEP 4 | To test your file blocking configuraon, access an endpoint PC in the trust zone of the
firewall and aempt to download an executable file from a website in the untrust zone; a
response page should display. Click Connue to confirm that you can download the file. You
PAN-OS® Administrator’s Guide Version Version 9.1 814 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
can also set other acons, such as alert or block, which do not provide an opon for the user
to connue the download. The following shows the default response page for File Blocking:
STEP 5 | (Oponal) Define custom file blocking response pages (Device > Response Pages). This
allows you to provide more informaon to users when they see a response page. You can
include informaon such as company policy informaon and contact informaon for a
Helpdesk.
When you create a file blocking profile with the connue acon, you can choose only
the web-browsing applicaon. If you choose any other applicaon, traffic that matches
the security policy will not flow through the firewall because users are not prompted
with an opon to connue. Addionally, you need to configure and enable a decrypon
policy for HTTPS websites.
Check your logs to determine the applicaon used when you test this feature. For
example, if you are using Microso SharePoint to download files, even though you are
using a web-browser to access the site, the applicaon is actually sharepoint-
base, or sharepoint-document. (It can help to set the applicaon type to Any for
tesng.)
PAN-OS® Administrator’s Guide Version Version 9.1 815 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
PAN-OS® Administrator’s Guide Version Version 9.1 816 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
To effecvely migate an aack, specify the block-ip address acon instead of the drop or
reset acon for most brute force signatures.
PAN-OS® Administrator’s Guide Version Version 9.1 817 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
STEP 2 | Create a rule that defines the acon for all signatures in a category.
1. On the Rules tab, Add and enter a Rule Name for a new rule.
2. (Oponal) Specify a specific threat name (default is any).
3. Set the Acon. In this example, it is set to Block IP.
If you set a Vulnerability Protecon profile to Block IP, the firewall first uses
hardware to block IP addresses. If aack traffic exceeds the blocking capacity of
the hardware, the firewall then uses soware blocking mechanisms to block the
remaining IP addresses.
4. Set Category to brute-force.
5. (Oponal) If blocking, specify the Host Type on which to block: server or client (default is
any).
6. See Step 3 to customize the acon for a specific signature.
7. See Step 4 to customize the trigger threshold for a parent signature.
PAN-OS® Administrator’s Guide Version Version 9.1 818 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
3. Set the acon: Allow, Alert, Block Ip, or Drop. If you select Block Ip, complete these
addional tasks:
1. Specify the Time period (in seconds) aer which to trigger the acon.
2. Specify whether to Track By and block the IP address using the IP source or the IP
source and desnaon.
4. Click OK.
5. For each modified signature, select the check box in the Enable column.
6. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 819 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
PAN-OS® Administrator’s Guide Version Version 9.1 820 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
STEP 2 | Get the latest Applicaons and Threats content version (at least content version 579 or later).
1. Select Device > Dynamic Updates.
2. Check Now to get the latest Applicaons and Threats content update.
3. Download and Install Applicaons and Threats content version 579 (or later).
STEP 3 | Define how the firewall should enforce traffic matched to evasion signatures.
1. Select Objects > Security Profiles > An-Spyware and Add or modify an An-spyware
profile.
2. Select Excepons and select Show all signatures.
3. Filter signatures based on the keyword evasion.
4. For all evasion signatures, set the Acon to any seng other than allow or the default
acon (the default acon is for evasion signatures is allow). For example, set the Acon
for signature IDs 14978 and 14984 to alert or drop.
5. Click OK to save the updated An-spyware profile.
6. Aach the An-spyware profile to a security policy rule: Select Policies > Security, select
the desired policy to modify and then click the Acons tab. In Profile Sengs, click the
drop-down next to An-Spyware and select the an-spyware profile you just modified to
enforce evasion signatures.
PAN-OS® Administrator’s Guide Version Version 9.1 821 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Group Mapping Group Mapping The firewall checks to determine if the username a
configuraon on user submits to a restricted site matches any valid
the firewall corporate username.
To do this, the firewall matches the submied
username to the list of usernames in its user-to-group
mapping table to detect when users submit corporate
usernames to sites in a restricted category.
This method only checks for corporate username
submissions based on LDAP group membership, which
PAN-OS® Administrator’s Guide Version Version 9.1 822 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
PAN-OS® Administrator’s Guide Version Version 9.1 823 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
The Domain Credenal Filter detecon method is supported with the Windows User-ID
agent only. You cannot use the PAN-OS integrated User-ID agent to configure this method
of credenal detecon.
An RODC is a Microso Windows server that maintains a read-only copy of an Acve Directory
database that a domain controller hosts. When the domain controller is located at a corporate
headquarters, for example, RODCs can be deployed in remote network locaons to provide local
authencaon services. Installing the User-ID agent on an RODC can be useful for a few reasons:
access to the domain controller directory is not required to enable credenal detecon and you
can support credenal detecon for a limited or targeted set of users. Because the directory the
RODC hosts is read-only, the directory contents remain secure on the domain controller.
Because you must install the Windows User-ID agent on the RODC for credenal
detecon, as a best pracce deploy a separate agent for this purpose. Do not use the User-
ID agent installed on the RODC to map IP addresses to users.
Aer you install the User-ID agent on an RODC, the User-ID credenal service runs in the
background and scans the directory for the usernames and password hashes of group members
that are listed in the RODC password replicaon policy (PRP)—you can define who you want to
be on this list. The User-ID credenal service then takes the collected usernames and password
hashes and deconstructs the data into a type of bit mask called a bloom filter. Bloom filters are
compact data structures that provide a secure method to check if an element (a username or
a password hash) is a member of a set of elements (the sets of credenals you have approved
for replicaon to the RODC). The User-ID credenal service forwards the bloom filter to the
Windows User-ID agent; the firewall retrieves the latest bloom filter from the User-ID agent at
regular intervals and uses it to detect usernames and password hash submissions. Depending
on your sengs, the firewall then blocks, alerts, or allows on valid password submissions to web
PAN-OS® Administrator’s Guide Version Version 9.1 824 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
pages, or displays a response page to users warning them of the dangers of phishing, but allowing
them to connue with the submission.
Throughout this process, the User-ID agent does not store or expose any password hashes, nor
does it forward password hashes to the firewall. Once the password hashes are deconstructed into
a bloom filter, there is no way to recover them.
STEP 1 | Configure User Mapping Using the Windows User-ID Agent.
To enable credenal detecon, you must install the Windows User-ID agent on an
RODC. Refer to the Compability Matrix for a list of supported servers. Install a
separate User-ID agent for this purpose.
Important items to remember when seng up User-ID to enable Domain Credenal Filter
detecon:
• Because the effecveness of credenal phishing detecon is dependent on your RODC
setup, make sure that you also review best pracces and recommendaons for RODC
Administraon.
• Download User-ID soware updates:
• User-ID Agent Windows installer—UaInstall-x.x.x-x.msi.
• User-ID Agent Credenal Service Windows installer—UaCredInstall64-x.x.x-x.msi.
• Install the User-ID agent and the User Agent Credenal service on an RODC using an
account that has privileges to read Acve Directory via LDAP (the User-ID agent also
requires this privilege).
• The User-ID Agent Credenal Service requires permission to log on with the local system
account. For more informaon, refer to Create a Dedicated Service Account for the User-
ID Agent.
• The service account must be a member of the local administrator group on the RODC.
For more informaon, refer to the following link.
PAN-OS® Administrator’s Guide Version Version 9.1 825 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
STEP 2 | Enable the User-ID agent and the User Agent Credenal service (which runs in the
background to scan permied credenals) to share informaon.
1. On the RODC server, launch the User-ID Agent.
2. Select Setup and edit the Setup secon.
3. Select the Credenals tab. This tab only displays if you have already installed the User-ID
Agent Credenal Service.
4. Select Import from User-ID Credenal Agent. This enables the User-ID agent to import
the bloom filter that the User-ID credenal agent creates to represent users and the
corresponding password hashes.
5. Click OK, Save your sengs, and Commit.
STEP 3 | In the RODC directory, define the group of users for which you want to support credenal
submission detecon.
• Confirm that the groups that should receive credenal submission enforcement are added
to the Allowed RODC Password Replicaon Group.
• Check that none of the groups in the Allowed RODC Password Replicaon Group are also in
the Denied RODC Password Replicaon Group by default. Groups listed in both will not be
subject to credenal phishing enforcement.
PAN-OS® Administrator’s Guide Version Version 9.1 826 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
STEP 2 | If you have not done so already, configure a best pracce URL Filtering profile to ensure
protecon against URLs that have been observed hosng malware or exploive content.
1. Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering
profile.
2. Block access to all known dangerous URL categories: malware, phishing, dynamic-dns,
unknown, command-and-control, extremism, copyright-infringement, proxy-avoidance-
and-anonymizers, newly-registered-domain, grayware, and parked.
STEP 3 | Add a decrypon policy rule to decrypt the traffic you want to monitor for user credenal
submissions.
PAN-OS® Administrator’s Guide Version Version 9.1 827 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
STEP 4 | Configure the URL Filtering profile to detect corporate credenal submissions to websites
that are in allowed URL categories.
The firewall does not check credenal submissions for trusted sites, even if you enable
the checks for the URL categories for these sites, to provide best performance. The
trusted sites represent sites where Palo Alto Networks has not observed any malicious
or phishing aacks. Updates for this trusted site list are delivered through Applicaon
and Threat content updates. For a list of App-IDs that are exempt from credenal
detecon, see Trusted App-IDs That Skip Credenal Submission Detecon on
live.paloaltonetworks.com.
Confirm that the format for the primary username is the same as the username
format that the User-ID source provides.
• Use IP User Mapping—Checks for valid corporate username submissions and verifies
that the login username maps to the source IP address of the session. To do this, the
firewall matches the submied username and source IP address of the session against
its IP-address-to-username mapping table. To use this method you can use any of the
user mapping methods described in Map IP Addresses to Users.
• Use Domain Credenal Filter—Checks for valid corporate usernames and password
submissions and verifies that the username maps to the IP address of the logged in
user. See Configure Credenal Detecon with the Windows-based User-ID Agent for
instrucons on how to set up User-ID to enable this method.
• Use Group Mapping—Checks for valid username submissions based on the user-
to-group mapping table populated when you configure the firewall to Map Users to
Groups.
With group mapping, you can apply credenal detecon to any part of the directory,
or for specific groups that have access to your most sensive applicaons, such as IT.
PAN-OS® Administrator’s Guide Version Version 9.1 828 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
STEP 6 | Apply the URL Filtering profile with the credenal detecon sengs to your Security policy
rules.
1. Select Policies > Security and Add or modify a Security policy rule.
2. On the Acons tab, set the Profile Type to Profiles.
3. Select the new or updated URL Filtering profile to aach it to the Security policy rule.
4. Select OK to save the Security policy rule.
PAN-OS® Administrator’s Guide Version Version 9.1 829 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Select ACC > Hosts Vising Malicious URLs to see the number of users who have
visited malware and phishing sites.
To display this column, hover over any column header and click the arrow to select the columns
you’d like to display.
Log entry details also indicate credenal submissions:
The output for this command varies depending on the method configured for the firewall
to detect credenal submissions. For example, if the Domain Credenal Filter method is
configured in any URL Filtering profile, a list of User-ID agents that have forwarded a bloom
filter to the firewall is displayed, along with the number of credenals contained in the bloom
filter.
• (Group Mapping method only) Use the following CLI command to view group mapping
informaon, including the number of URL Filtering profiles with Group Mapping credenal
PAN-OS® Administrator’s Guide Version Version 9.1 830 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
detecon enabled and the usernames of group members that have aempted to submit
credenals to a restricted site.
• (Domain Credenal Filter method only) Use the following CLI command to see all Windows-
based User-ID agents that are sending mappings to the firewall:
The command output now displays bloom filter counts that include the number of bloom
filter updates the firewall has received from each agent, if any bloom filter updates failed to
process, and how many seconds have passed since the last bloom filter update.
• (Domain Credenal Filter method only) The Windows-based User-ID agent displays log
messages that reference BF (bloom filter) pushes to the firewall. In the User-ID agent
interface, select Monitoring > Logs.
PAN-OS® Administrator’s Guide Version Version 9.1 831 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
PAN-OS® Administrator’s Guide Version Version 9.1 832 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Delete an entry if you determine the IP address shouldn’t be blocked. Then revise the
policy rule that caused the firewall to block the address.
While hardware IP address blocking is disabled, the firewall sll performs any soware
IP address blocking you have configured.
To conserve CPU and packet buffer resources, leave hardware IP address blocking
enabled unless Palo Alto Networks technical support asks you to disable it, for
example, if they are debugging a traffic flow.
Tune the number of seconds that IP addresses blocked by hardware remain on the block list
(range is 1-3,600; default is 1).
Maintain a shorter duraon for hardware block list entries than soware block list
entries to reduce the likelihood of exceeding the blocking capacity of the hardware.
Change the default website for finding more informaon about an IP address from Network
Soluons Who Is to a different website.
PAN-OS® Administrator’s Guide Version Version 9.1 833 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
View counts of source IP addresses blocked by hardware and soware, for example to see the
rate of an aack.
View the total sum of IP address entries on the hardware block table and block list (blocked by
hardware and soware):
View the count of IP address entries on the hardware block table that were blocked by
hardware:
View the count of IP address entries on the block list that were blocked by soware:
PAN-OS® Administrator’s Guide Version Version 9.1 834 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Anvirus Signatures
dmg Anvirus Malicious Apple disk image (DMG) files, that are used
with Mac OS X.
WildFire or
WildFire Private
PAN-OS® Administrator’s Guide Version Version 9.1 835 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
pkg Anvirus Apple soware installer packages (PKGs), used with Mac
OS X.
Wildfire or
WildFire Private
Spyware Signatures
PAN-OS® Administrator’s Guide Version Version 9.1 836 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
PAN-OS® Administrator’s Guide Version Version 9.1 837 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
hacktool Applicaons and Detects traffic generated by soware tools that are
Threats used by malicious actors to conduct reconnaissance,
aack or gain access to vulnerable systems, exfiltrate
data, or create a command and control channel to
PAN-OS® Administrator’s Guide Version Version 9.1 838 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
webshell Applicaons and Detects web shells and web shell traffic, including
Threats implant detecon and command and control interacon.
Web shells must first be implanted by a malicious actor
onto the compromised host, most oen targeng a
PAN-OS® Administrator’s Guide Version Version 9.1 839 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Vulnerability Signatures
code execuon Applicaons and Detects a code execuon vulnerability that an aacker
Threats can leverage to run code on a system with the privileges
of the logged-in user.
code- Applicaons and Detects code that has been transformed to conceal
obfuscaon Threats certain data while retaining its funcon. Obfuscated
code is difficult or impossible to read, so it’s not
apparent what commands the code is execung or
with which programs its designed to interact. Most
PAN-OS® Administrator’s Guide Version Version 9.1 840 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
exploit-kit Applicaons and Detects an exploit kit landing page. Exploit kit landing
Threats pages oen contain several exploits that target one or
many common vulnerabilies and exposures (CVEs), for
mulple browsers and plugins. Because the targeted
CVEs change quickly, exploit-kit signatures trigger
based on the exploit kit landing page, and not the CVEs.
When a user visits a website with an exploit kit, the
exploit kit scans for the targeted CVEs and aempts
to silently deliver a malicious payload to the vicm’s
computer.
PAN-OS® Administrator’s Guide Version Version 9.1 841 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
PAN-OS® Administrator’s Guide Version Version 9.1 842 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
While you can use an Anvirus profile to exclude anvirus signatures from
enforcement, you cannot change the acon the firewall enforces for a specific anvirus
signature. However, you can define the acon for the firewall to enforce for viruses
found in different types of traffic by eding the Decoders (Objects > Security Profiles >
Anvirus > <anvirus-profile> > Anvirus).
PAN-OS® Administrator’s Guide Version Version 9.1 843 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
STEP 2 | Modify enforcement for vulnerability and spyware signatures (except DNS signatures; skip
to the next opon to modify enforcement for DNS signatures, which are a type of spyware
signature).
1. Select Objects > Security Profiles > An-Spyware or Objects > Security Profiles >
Vulnerability Protecon.
2. Add or modify an exisng An-Spyware or Vulnerability Protecon profile from which
you want to exclude the threat signature and then select Excepons.
3. Show all signatures and then filter to select the signature for which you want to modify
enforcement rules.
4. Check the box under the Enable column for the signature whose enforcement you want
to modify.
5. Select the Acon you want the firewall to enforce for this threat signature.
For signatures that you want to exclude from enforcement because they trigger false
posives, set the Acon to Allow.
6. Click OK to save your new or modified An-Spyware or Vulnerability Protecon profile.
PAN-OS® Administrator’s Guide Version Version 9.1 844 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
PAN-OS® Administrator’s Guide Version Version 9.1 845 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Custom Signatures
You can create custom threat signatures to detect and block very specific traffic. The following
resources will help you get started:
• Creang Custom Threat Signatures from Snort Signatures—This tech note provides guidance
on how to create custom signatures, by demonstrang how to create one based on a Snort
signature (Snort is a free and open source IPS).
• Creang Custom Threat and Applicaon Signatures—Walks through custom signature
examples, and describes how to use regex and contexts to create custom signatures (with
details on each available context).
PAN-OS® Administrator’s Guide Version Version 9.1 846 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Addionally, you can use Threat Signature Categories—which classify types of threat events—to
narrow your view into a certain type of threat acvity or to build custom reports.
• Monitor Acvity and Create Custom Reports Based on Threat Categories
• Learn More About Threat Signatures
• AutoFocus Threat Intelligence for Network Traffic
PAN-OS® Administrator’s Guide Version Version 9.1 847 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
PAN-OS® Administrator’s Guide Version Version 9.1 848 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Create custom reports based on threat categories to receive informaon about specific types of
threats that the firewall has detected.
1. Select Monitor > Manage Custom reports to add a new custom report or modify an
exisngone.
2. Choose the Database to use as the source for the custom report—in this case, select
Threat from either of the two types of database sources, summary databases and
Detailed logs. Summary database data is condensed to allow a faster response me when
generang reports. Detailed logs take longer to generate but provide an itemized and
complete set of data for each log entry.
3. In the Query Builder, add a report filter with the Aribute Threat Category and in the
Value field, select a threat category on which to base your report.
4. To test the new report sengs, click Run Now.
5. Click OK to save the report.
PAN-OS® Administrator’s Guide Version Version 9.1 849 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
top threats on your network. Each event the firewall records includes an ID that idenfies the
associated threat signature.
You can use the threat ID found with a Threat log or ACC entry to:
• Easily check if a threat signature is configured as an excepon to your security policy (Create
Threat Excepons).
• Find the latest Threat Vault informaon about a specific threat. Because the Threat Vault is
integrated with the firewall, you can view threat details directly in the firewall context or launch
a Threat Vault search in a new browser window for a threat the firewall logged.
If a signature has been disabled, the signature UTID might be reused for a new signature.
Review the content update release notes for noficaons regarding new and disabled
signatures. Signatures might disabled in cases where: the acvity the signature detects
has fallen out of use by aackers, the signature generated significant false posives, or
the signature was consolidated with other like signatures into a single signature (signature
opmizaon).
PAN-OS® Administrator’s Guide Version Version 9.1 850 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
STEP 3 | Hover over a Threat Name or the threat ID to open the drop-down, and click Excepon to
review both the threat details and how the firewall is configured to enforce the threat.
For example, find out more about a top threat charted on the ACC:
STEP 4 | Review the latest Threat Details for the threat and launch a Threat Vault search based on the
threat ID.
• Threat details displayed include the latest Threat Vault informaon for the threat, resources
you can use to learn more about the threat, and CVEs associated with the threat.
• Select View in Threat Vault to open a Threat Vault search in a new window and look up the
latest informaon the Palo Alto Networks threat database has for this threat signature.
PAN-OS® Administrator’s Guide Version Version 9.1 851 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
The Used in security rule column does not indicate if the Security policy rule is enabled,
only if the Security policy rule is configured with the threat excepon. Select Policies >
Security to check if an indicated security policy rule is enabled.
STEP 6 | Add an IP address on which to filter the threat excepon or view exisng Exempt IP
Addresses.
Configure an exempt IP address to enforce a threat excepon only when the associated session
has either a matching source or desnaon IP address; for all other sessions, the threat is
enforced based on the default signature acon.
PAN-OS® Administrator’s Guide Version Version 9.1 852 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Analysis Informaon The Analysis Informaon tab displays the following informaon:
• Sessions—The number of sessions logged in your firewall(s) in which
the firewall detected samples associated with the arfact.
• Samples—A comparison of organizaon and global samples
associated with the arfact and grouped by WildFire verdict
(benign, malware, or grayware). Global refers to samples from all
WildFire submissions, while organizaon refers only to samples
submied to WildFire by your organizaon.
• Matching Tags—The AutoFocus tags matched to the arfact.
AutoFocus Tags indicate whether an arfact is linked to malware or
targeted aacks.
Passive DNS The Passive DNS tab displays passive DNS history that includes the
arfact. This passive DNS history is based on global DNS intelligence
in AutoFocus; it is not limited to the DNS acvity in your network.
Passive DNS history consists of:
• The domain request
• The DNS request type
• The IP address or domain to which the DNS request resolved
(private IP addresses are not displayed)
• The number of mes the request was made
• The date and me the request was first seen and last seen
PAN-OS® Administrator’s Guide Version Version 9.1 853 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Matching Hashes The Matching Hashes tab displays the 5 most recently detected
matching samples. Sample informaon includes:
• The SHA256 hash of the sample
• The sample file type
• The date and me that WildFire analyzed a sample and assigned a
WildFire verdict to it
• The WildFire verdict for the sample
• The date and me that WildFire updated the WildFire verdict for
the sample (if applicable)
As a best pracce, set the query meout to the default value of 15 seconds.
AutoFocus queries are opmized to complete within this duraon.
4. Select Enabled to allow the firewall to connect to AutoFocus.
5. Click OK.
6. Commit your changes to retain the AutoFocus sengs upon reboot.
PAN-OS® Administrator’s Guide Version Version 9.1 854 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
PAN-OS® Administrator’s Guide Version Version 9.1 855 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
STEP 3 | Hover over an arfact to open the drop-down, and click AutoFocus.
The AutoFocus Intelligence Summary is only available for the following types of arfacts:
IP address
URL
Domain
User agent
Threat name (only for threats of the subtypes virus and wildfire-virus)
Filename
SHA-256 hash
STEP 4 | Launch an AutoFocus search for the arfact for which you opened the AutoFocus
Intelligence Summary.
Click the Search AutoFocus for... link at the top of the AutoFocus Intelligence Summary
window. The search results include all samples associated with the arfact. Toggle between
the My Samples and All Samples tabs and compare the number of samples to determine the
pervasiveness of the arfact in your organizaon.
STEP 5 | Launch an AutoFocus search for other arfacts in the AutoFocus Intelligence Summary.
Click on the following arfacts to determine their pervasiveness in your organizaon:
• WildFire verdicts in the Analysis Informaon tab
• URLs and IP addresses in the Passive DNS tab
• The SHA256 hashes in the Matching Hashes tab
PAN-OS® Administrator’s Guide Version Version 9.1 856 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
STEP 6 | View the number of sessions associated with the arfact in your organizaon per month.
Hover over the session bars.
STEP 7 | View the number of samples associated with the arfact by scope and WildFire verdict.
Hover over the samples bars.
PAN-OS® Administrator’s Guide Version Version 9.1 857 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
other malware, malicious behavior, threat actors, exploits, or campaigns where the arfact is
commonly detected.
PAN-OS® Administrator’s Guide Version Version 9.1 858 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Seng Descripon
Applicaon Reports The number and size of known applicaons by desnaon port,
unknown applicaons by desnaon port, and unknown applicaons
by desnaon IP address. The firewall generates these reports from
Traffic logs and forwards them every 4 hours.
Threat Prevenon Aacker informaon, the number of threats for each source country
Reports and desnaon port, and the correlaon objects that threat events
triggered.The firewall generates these reports from Threat logs and
forwards them every 4 hours.
URL Reports URLs with the following PAN-DB URL categories: malware, phishing,
dynamic DNS, proxy-avoidance, quesonable, parked, and unknown
PAN-OS® Administrator’s Guide Version Version 9.1 859 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Seng Descripon
(URLs that PAN-DB has not yet categorized). The firewall generates
these reports from URL Filtering logs.
URL Reports also include PAN-DB stascs such as the version of the
URL filtering database on the firewall and on the PAN-DB cloud, the
number of URLs in those databases, and the number of URLs that the
firewall categorized. These stascs are based on the me that the
firewall forwarded the URL Reports.
The firewall forwards URL Reports every 4 hours.
File Type Informaon about files that the firewall has blocked or allowed based
Idenficaon Reports on data filtering and file blocking sengs. The firewall generates these
reports from Data Filtering logs and forwards them every 4 hours.
Threat Prevenon Log data from threat events that triggered signatures that Palo Alto
Data Networks is evaluang for efficacy. Threat Prevenon Data provides
Palo Alto Networks more visibility into your network traffic than other
telemetry sengs. When enabled, the firewall may collect informaon
such as source or vicm IP addresses.
Enabling Threat Prevenon Data also allows unreleased signatures that
Palo Alto Networks is currently tesng to run in the background. These
signatures do not affect your security policy rules and firewall logs, and
have no impact to your firewall performance.
The firewall forwards Threat Prevenon Data every 5 minutes.
Threat Prevenon Packet captures (if you have enabled your firewall to Take a Threat
Packet Captures Packet Capture) of threat events that triggered signatures that Palo
Alto Networks is evaluang for efficacy. Threat Prevenon Packet
Captures provide Palo Alto Networks more visibility into your network
traffic than other telemetry sengs. When enabled, the firewall may
collect informaon such as source or vicm IP addresses.
The firewall forwards Threat Prevenon Packet Captures every 5
minutes.
Product Usage Back traces of firewall processes that have failed, as well as
Stascs informaon about the firewall status. Back traces outline the execuon
history of the failed processes. These reports include details about the
firewall model and the PAN-OS and content release versions installed
on your firewall.
The firewall forwards Product Usage Stascs every 5 minutes.
Passive DNS Domain-to-IP address mappings based on firewall traffic. When you
Monitoring enable Passive DNS Monitoring, the firewall acts as a passive DNS
sensor and send DNS informaon to Palo Alto Networks for analysis.
PAN-OS® Administrator’s Guide Version Version 9.1 860 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
Seng Descripon
The firewall forwards data from Passive DNS Monitoring in 1 MB
batches.
Enable Telemetry
When you enable telemetry, you define what data the firewall collects and shares with Palo Alto
Networks. For some telemetry sengs, you can preview what the data that your firewall sends
will look like before comming. The firewall uses the Palo Alto Networks Services service route
to send the data you share from telemetry to Palo Alto Networks.
STEP 1 | Select Device > Setup > Telemetry, and edit the Telemetry sengs.
PAN-OS® Administrator’s Guide Version Version 9.1 861 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
STEP 2 | Select the telemetry data you want to share with Palo Alto Networks. For more specific
descripons of this data, see What Telemetry Data Does the Firewall Collect? By default, all
telemetry sengs are disabled.
To enable Threat Prevenon Packet Captures, you must also enable Threat Prevenon
Data.
STEP 3 | Open a report sample ( ) to view the type of data that the firewall collects for Applicaon
Reports, Threat Prevenon Reports, URL Reports, and File Type Idenficaon Reports.
The report sample, formaed in XML, is based on your firewall acvity in the first 4 hours since
you first viewed the report sample. A report sample does not display any entries if the firewall
PAN-OS® Administrator’s Guide Version Version 9.1 862 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
did not find any matching traffic for the report. The firewall only collects new informaon for a
report sample when you restart the firewall and open a report sample.
The figure below shows a report sample for Threat Prevenon Reports:
Applicaon Reports, Threat Prevenon Reports, URL Reports, and File Type Idenficaon
Reports each consist of mulple reports. In the report sample, Type describes the name of a
report. Aggregate lists the log fields that the firewall collects for the report (refer to Syslog
Field Descripons to determine the name of the fields as they appear in the firewall logs).
Values indicates the units of measure used in the report (for example, the value count for the
Aackers (threat) report refers to the number of mes the firewall detected a threat associated
with a parcular threat ID).
STEP 4 | View the type of data that the firewall collects for Product Usage Stascs.
Enter the following operaonal CLI command: show system info
STEP 6 | If you enabled Threat Prevenon Data and Threat Prevenon Packet Captures, view the data
that the firewall collected.
1. Edit the Telemetry sengs.
2. Click Download Threat Prevenon Data ( ) to download a tarball file (.tar.gz) with the
most recent 100 folders of data that the firewall collected for Threat Prevenon Data
and Threat Prevenon Packet Captures. If you never enabled these sengs or if you
PAN-OS® Administrator’s Guide Version Version 9.1 863 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
enabled them but no threat events have matched the condions for these sengs, the
firewall does not generate a file and instead returns an error message.
There is currently no way to view the DNS informaon that the firewall collects through
passive DNS monitoring.
PAN-OS® Administrator’s Guide Version Version 9.1 864 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
PAN-OS® Administrator’s Guide Version Version 9.1 865 ©2021 Palo Alto Networks, Inc.
Threat Prevenon
PAN-OS® Administrator’s Guide Version Version 9.1 866 ©2021 Palo Alto Networks, Inc.
Decrypon
Palo Alto Networks firewalls can decrypt and inspect traffic to provide visibility
into threats and to control protocols, cerficate verificaon, and failure handling.
Decrypon can enforce policies on encrypted traffic so that the firewall handles
encrypted traffic according to your configured security sengs. Decrypt traffic to
prevent malicious encrypted content from entering your network and sensive
content from leaving your network concealed as encrypted traffic. Enabling decrypon
can include preparing the keys and cerficates required for decrypon, creang
decrypon profiles and policies, and configuring decrypon port mirroring.
> Decrypon Overview > Decrypon Exclusions
> Decrypon Concepts > Enable Users to Opt Out of SSL
> Prepare to Deploy Decrypon Decrypon
> Configure SSL Forward Proxy > Configure Decrypon Port Mirroring
867
Decrypon
Decrypon Overview
The Secure Sockets Layer (SSL) and Secure Shell (SSH) encrypon protocols secure traffic between
two enes, such as a web server and a client. SSL and SSH encapsulate traffic, encrypng data
so that it is meaningless to enes other than the client and server with the cerficates to affirm
trust between the devices and the keys to decode the data. Decrypt SSL and SSH traffic to:
• Prevent malware concealed as encrypted traffic from being introduced into your network. For
example, an aacker compromises a website that uses SSL encrypon. Employees visit that
website and unknowingly download an exploit or malware. The malware then uses the infected
employee endpoint to move laterally through the network and compromise other systems.
• Prevent sensive informaon from moving outside the network.
• Ensure the appropriate applicaons are running on a secure network.
• Selecvely decrypt traffic; for example, create a Decrypon policy and profile to exclude traffic
for financial or healthcare sites from decrypon.
Palo Alto Networks firewall decrypon is policy-based, and can decrypt, inspect, and control
inbound and outbound SSL and SSH connecons. A Decrypon policy enables you to specify
traffic to decrypt by desnaon, source, service, or URL category, and to block, restrict, or forward
the specified traffic according to the security sengs in the associated Decrypon profile. A
Decrypon profile controls SSL protocols, cerficate verificaon, and failure checks to prevent
traffic that uses weak algorithms or unsupported modes from accessing the network. The firewall
uses cerficates and keys to decrypt traffic to plaintext, and then enforces App-ID and security
sengs on the plaintext traffic, including Decrypon, Anvirus, Vulnerability, An-Spyware, URL
Filtering, WildFire, and File-Blocking profiles. Aer decrypng and inspecng traffic, the firewall
re-encrypts the plaintext traffic as it exits the firewall to ensure privacy and security.
The firewall provides three types of Decrypon policy rules: SSL Forward Proxy to control
outbound SSL traffic, SSL Inbound Inspecon to control inbound SSL traffic, and SSH Proxy to
control tunneled SSH traffic. You can aach a Decrypon profile to a policy rule to apply granular
access sengs to traffic, such as checks for server cerficates, unsupported modes, and failures.
SSL decrypon (both forward proxy and inbound inspecon) requires cerficates to establish the
firewall as a trusted third party, and to establish trust between a client and a server to secure an
SSL/TLS connecon. You can also use cerficates when excluding servers from SSL decrypon for
technical reasons (the site breaks decrypon for reasons such as cerficate pinning, unsupported
ciphers, or mutual authencaon). SSH decrypon does not require cerficates.
Use the Decrypon Best Pracces Checklist to plan, implement, and maintain your
decrypon deployment.
You can integrate a hardware security module (HSM) with a firewall to enable enhanced security
for the private keys used in SSL forward proxy and SSL inbound inspecon decrypon. To learn
more about storing and generang keys using an HSM and integrang an HSM with your firewall,
see Secure Keys with a Hardware Security Module.
You can also use Decrypon Mirroring to forward decrypted traffic as plaintext to a third party
soluon for addional analysis and archiving.
PAN-OS® Administrator’s Guide Version Version 9.1 868 ©2021 Palo Alto Networks, Inc.
Decrypon
If you enable Decrypon mirroring, be aware of local laws and regulaons about what
traffic you can mirror and where and how you can store the traffic, because all mirrored
traffic, including sensive informaon, is forwarded in cleartext.
PAN-OS® Administrator’s Guide Version Version 9.1 869 ©2021 Palo Alto Networks, Inc.
Decrypon
Decrypon Concepts
Review the following topics to learn more about decrypon features and support:
• Keys and Cerficates for Decrypon Policies
• SSL Forward Proxy
• SSL Forward Proxy Decrypon Profile
• SSL Inbound Inspecon
• SSL Inbound Inspecon Decrypon Profile
• SSL Protocol Sengs Decrypon Profile
• SSH Proxy
• SSH Proxy Decrypon Profile
• Decrypon Profile for No Decrypon
• SSL Decrypon for Ellipcal Curve Cryptography (ECC) Cerficates
• Perfect Forward Secrecy (PFS) Support for SSL Decrypon
• SSL Decrypon and Subject Alternave Names (SANs)
• High Availability Support for Decrypted Sessions
• Decrypon Mirroring
• Decrypon Broker
If you have two CAs (Device > Cerficate Management > Device Cerficates) with the
same subject and key, and one CA expires, delete (custom) or disable (predefined) the
expired CA. If you do not delete or disable an expired CA, the firewall can build a chain to
the expired CA if it is enabled in the trusted chain resulng in a Block page.
When you apply a decrypon policy to traffic, a session between the client and the server is
established only if the firewall trusts the CA that signed the server cerficate. In order to establish
PAN-OS® Administrator’s Guide Version Version 9.1 870 ©2021 Palo Alto Networks, Inc.
Decrypon
trust, the firewall must have the server root CA cerficate in its cerficate trust list (CTL) and
use the public key contained in that root CA cerficate to verify the signature. The firewall then
presents a copy of the server cerficate signed by the Forward Trust cerficate for the client
to authencate. You can also configure the firewall to use an enterprise CA as a forward trust
cerficate for SSL Forward Proxy. If the firewall does not have the server root CA cerficate in
its CTL, the firewall will present a copy of the server cerficate signed by the Forward Untrust
cerficate to the client. The Forward Untrust cerficate ensures that clients are prompted with a
cerficate warning when aempng to access sites hosted by a server with untrusted cerficates.
For detailed informaon on cerficates, see Cerficate Management.
To control the trusted CAs that your firewall trusts, use the Device > Cerficate
Management > Cerficates > Default Trusted Cerficate Authories tab on the firewall
web interface.
The following table describes the different cerficates Palo Alto Networks firewalls use for
decrypon.
Forward Trust (Used The cerficate the firewall presents to clients during decrypon if the
for SSL Forward site the client is aempng to connect to has a cerficate signed by a
Proxy decrypon) CA that the firewall trusts. To configure a Forward Trust cerficate on
the firewall to present to clients when the server cerficate is signed
by a trusted CA, see Configure SSL Forward Proxy.
By default, the firewall determines the key size to use for the client
cerficate based on the key size of the desnaon server. However,
you can Configure the Key Size for SSL Proxy Server cerficates. For
added security, consider storing the private key associated with the
Forward Trust cerficate on a hardware security module (see Store
Private Keys on an HSM).
Forward Untrust The cerficate the firewall presents to clients during decrypon if
(Used for SSL the site the client is aempng to connect to has a cerficate that is
Forward Proxy signed by a CA that the firewall does not trust. To configure a Forward
decrypon) Untrust cerficate on the firewall, see Configure SSL Forward Proxy.
PAN-OS® Administrator’s Guide Version Version 9.1 871 ©2021 Palo Alto Networks, Inc.
Decrypon
SSL Inbound The cerficates of the servers on your network for which you want to
Inspecon perform SSL Inbound Inspecon of traffic desned for those servers.
Import the server cerficates onto the firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 872 ©2021 Palo Alto Networks, Inc.
Decrypon
1. The internal client on your network aempts to iniate a TLS session with an external server.
2. The firewall intercepts the client’s SSL cerficate request. For the client, the firewall acts as the
external server, even though the secure session being established is with the firewall, not with
the actual server.
3. The firewall then forwards the client’s SSL cerficate request to the server to iniate a separate
session with the server. To the server, the firewall looks like the client, the server doesn’t know
there’s a man-in-the-middle, and the server verifies the cerficate.
4. The server sends the firewall a signed cerficate intended for the client.
5. The firewall analyzes the server cerficate. If the server cerficate is signed by a CA that the
firewall trusts and meets the policies and profiles you configure, the firewall generates an SSL
Forward Trust copy of the server cerficate and sends it to the client. If the server cerficate
is signed by a CA that the firewall does not trust, the firewall generates an SSL Forward
Untrust copy of the server cerficate and sends it to the client. The cerficate copy the firewall
generates and sends to the client contains extensions from the original server cerficate and is
called an impersonaon cerficate because it is not the server’s actual cerficate. If the firewall
does not trust the server, the client sees a block page warning message that the site they’re
aempng to connect to is not trusted, and if you Enable Users to Opt Out of SSL Decrypon,
the client can choose to proceed or terminate the session.
6. The client verifies the firewall’s impersonaon cerficate. The client then iniates a session
key exchange with the server, which the firewall proxies in the same manner as it proxies the
cerficates. The firewall forwards the client key to the server, and makes an impersonaon
copy of the server key for the client, so that firewall remains an “invisible” proxy, the client and
server believe their session is with each other, but there are sll two separate sessions, one
between the client and the firewall, and the other between the firewall and the server. Now all
pares have the cerficates and keys required and the firewall can decrypt the traffic.
PAN-OS® Administrator’s Guide Version Version 9.1 873 ©2021 Palo Alto Networks, Inc.
Decrypon
7. All SSL session traffic between goes through the firewall transparently between the client
and the server. The firewall decrypts the SSL traffic, applies security policies and profiles and
decrypon profiles to the traffic, re-encrypts the traffic, and then forwards it.
When you configure SSL Forward Proxy, the proxied traffic does not support DSCP code
points or QoS.
PAN-OS® Administrator’s Guide Version Version 9.1 874 ©2021 Palo Alto Networks, Inc.
Decrypon
• Block sessions on cerficate status check meout—Whether to block sessions if the status
check mes out depends on your company’s security compliance stance because it’s a tradeoff
between ghter security and a beer user experience. Cerficate status verificaon examines
the Cerficate Revocaon List (CRL) on a revocaon server or uses Online Cerficate Status
Protocol (OCSP) to find out if the issuing CA has revoked the cerficate and the cerficate
should not be trusted. However, revocaon servers can be slow to respond, which can cause
the session to meout and the firewall to block the session even though the cerficate may
be valid. If you Block sessions on cerficate status check meout and the revocaon server
is slow to respond, you can use Device > Setup > Session > Decrypon Sengs and click
Cerficate Revocaon Checking to change the default meout value of five seconds to
another value. For example, you could increase the meout value to eight seconds, as shown
in the following figure. Enable both CRL and OCSP cerficate revocaon checking because
server cerficates can contain the CRL URL in the CRL Distribuon Point (CDP) extension or
the OCSP URL in the Authority Informaon Access (AIA) cerficate extension.
• Restrict cerficate extensions—Checking this box limits the cerficate extensions in the server
cerficate to key usage and extended key usage and blocks cerficates with other extensions.
However, in certain deployments, some other cerficate extensions may be necessary, so only
check this box if your deployment requires no other cerficate extensions.
• Append cerficate’s CN value to SAN extension—Checking this box ensures that when a
browser requires a server cerficate to use a Subject Alternave Name (SAN) and doesn’t
support cerficate matching based on the Common Name (CN), if the cerficate doesn’t have
a SAN extension, users can sll access the requested web resources because the firewall adds
the SAN extension (based on the CN) to the impersonaon cerficate.
Unsupported Mode Checks. If you don’t block sessions with unsupported modes, users receive
a warning message if they connect with potenally unsafe servers, and they can click through
that message and reach the potenally dangerous site. Blocking these sessions protects you from
servers that use weak, risky protocol versions and algorithms:
• Block sessions with unsupported versions—When you configure the SSL Protocol Sengs
Decrypon Profile, you specify the minimum version of SSL protocol to allow on your network
to reduce the aack surface by blocking weak protocols. Always check this box to block
sessions with the weak SSL protocol versions that you have chosen not to support.
• Block sessions with unsupported cipher suites—Always check this box to block sessions if the
firewall doesn’t support the cipher suite specified in the SSL handshake. You configure which
algorithms the firewall supports on the SSL Protocol Sengs tab of the Decrypon profile.
• Block sessions with client authencaon—If you have no crical applicaons that require
client authencaon, block it because firewall can’t decrypt sessions that require client
PAN-OS® Administrator’s Guide Version Version 9.1 875 ©2021 Palo Alto Networks, Inc.
Decrypon
authencaon. The firewall needs both the client and the server cerficates to perform bi-
direconal decrypon, but the firewall only knows the server cerficate. This breaks decrypon
for client authencaon sessions. When you check this box, the firewall blocks all sessions with
client authencaon except sessions from sites on the SSL Decrypon Exclusion list (Device >
Cerficate Management > SSL Decrypon Exclusion).
If you don’t Block sessions with client authencaon, when the firewall aempts to decrypt
a session that uses client authencaon, the firewall allows the session and adds an entry that
contains the server URL/IP address, the applicaon, and the Decrypon profile to its Local SSL
Decrypon Exclusion Cache. Entries remain in the local cache for 12 hours and then age out.
If the same user or a different user aempts to access the server within 12 hours using client
authencaon, the firewall matches the session to the SSL Decrypon Exclusion Cache entry,
does not aempt to decrypt the traffic, and allows the encrypted session.
If the SSL Decrypon Exclusion Cache becomes full, the firewall purges the oldest entries as
new entries arrive. If you change the Decrypon policy or profile, the firewall flushes the local
exclusion cache because changing the policy or profile can change the classificaon outcome of
the session.
You may need to allow traffic on your network from other sites that use client
authencaon in addion to the Predefined sites on the SSL Decrypon Exclusion list.
Create a Decrypon profile that allows sessions with client authencaon. Add it to a
Decrypon policy rule that applies only to the server(s) that house the applicaon. To
increase security even more, you can require Mul-Factor Authencaon to complete
the user login process.
Failure Checks:
• Block sessions if resources not available—If you don’t block sessions when firewall processing
resources aren’t available, then encrypted traffic that you want to decrypt enters the network
sll encrypted, risking allowing potenally dangerous connecons. However, blocking sessions
when firewall processing resources aren’t available may affect the user experience by making
sites that users normally can reach temporarily unreachable. Whether to implement failure
checks depends on your company’s security compliance stance and the importance to your
business of the user experience, weighed against ghter security. Alternavely, consider using
firewall models with more processing power so that you can decrypt more traffic.
• Block sessions if HSM not available—If you use a Hardware Security Module (HSM) to store
your private keys, whether you use one depends on your compliance rules about where the
private key must come from and how you want to handle encrypted traffic if the HSM isn’t
available. For example, if your company mandates the use of an HSM for private key signing,
then block sessions if the HSM isn’t available. However, if your company is less strict about
this, then you can consider not blocking sessions if the HSM isn’t available. (If the HSM is
down, the firewall can process decrypon for sites for which it has cached the response from
the HSM, but not for other sites.) The best pracce in this case depends on your company’s
policies. If the HSM is crical to your business, run the HSM in a high-availability (HA) pair
(PAN-OS 8.1 supports two members in an HSM HA pair).
PAN-OS® Administrator’s Guide Version Version 9.1 876 ©2021 Palo Alto Networks, Inc.
Decrypon
firewall) and block suspicious sessions. For example, if an employee is remotely connected
to a web server hosted on the company network and is aempng to add restricted internal
documents to his Dropbox folder (which uses SSL for data transmission), SSL Inbound Inspecon
can ensure that the sensive data does not move outside the secure company network by
blocking or restricng the session.
On the firewall, you must install the cerficate and private key for each server for which you want
to perform SSL Inbound Inspecon. You must also install the public key cerficate as well as the
private key on each firewall that performs SSL Inbound Inspecon. The way the firewall performs
SSL Inbound Inspecon depends on the type of key negoated, Rivest, Shamir, Adleman (RSA) or
Perfect Forward Secrecy (PFS).
For RSA keys, the firewall performs SSL Inbound Inspecon without terminang the connecon.
As the encrypted session flows through the firewall, the firewall transparently makes a copy of it
and decrypts it so that the firewall can apply the appropriate policy to the traffic.
When you configure the SSL Protocol Sengs Decrypon Profile for SSL Inbound
Inspecon traffic, create separate profiles for servers with different security capabilies.
For example, if one set of servers supports only RSA, the SSL Protocol Sengs only need
to support RSA. However, the SSL Protocol Sengs for servers that support PFS should
support PFS. Configure SSL Protocol Sengs for the highest level of security that the
server supports, but check performance to ensure that the firewall resources can handle
the higher processing load that higher security protocols and algorithms require.
For PFS keys using the Diffie-Hellman exchange (DHE) or Ellipc Curve Diffie-Hellman exchange
(ECDHE), the firewall acts as a man-in-the-middle proxy between the external client and the
internal server. Because PFS generates a new key with every session, the firewall can’t simply copy
and decrypt the inbound SSL flow as it passes through, the firewall must act as a proxy device.
If you have enabled SSL Inbound Inspecon using PFS key exchange algorithms, you must
upload a cerficate bundle (a single file) to the firewall with your cerficates arranged as
follows:
1. End-enty (leaf) cerficate
2. Intermediate cerficates (in issuing order)
3. (Oponal) Root cerficate
Uploading the file ensures that clients receive the complete cerficate chain during SSL
handshakes, avoiding client-side server cerficate authencaon issues.
The following figure shows how SSL Inbound Inspecon works when the key exchange algorithm
is RSA. When the key exchange algorithm is PFS, the firewall funcons as a proxy (creates a secure
session between the client and the firewall and another secure session between the firewall and
the server) and must generate a new session key for each secure session.
When you configure SSL Inbound Inspecon and use a PFS cipher, session resumpon is
not supported.
See Configure SSL Inbound Inspecon for details on enabling this feature.
PAN-OS® Administrator’s Guide Version Version 9.1 877 ©2021 Palo Alto Networks, Inc.
Decrypon
When you configure SSL Inbound Inspecon, the proxied traffic does not support DSCP
code points or QoS.
Unsupported Mode Checks. If you don’t block sessions with unsupported modes, users receive
a warning message if they connect with potenally unsafe servers, and they can click through
that message and reach the potenally dangerous site. Blocking these sessions protects you from
servers that use weak, risky protocol versions and algorithms:
PAN-OS® Administrator’s Guide Version Version 9.1 878 ©2021 Palo Alto Networks, Inc.
Decrypon
1. Block sessions with unsupported versions—When you configure the SSL Protocol Sengs
Decrypon Profile, you specify the minimum version of SSL protocol to allow on your network
to reduce the aack surface by blocking weak protocols. Always check this box to block
sessions with the weak SSL protocol versions that you have chosen not to support.
2. Block sessions with unsupported cipher suites—Always check this box to block sessions if the
firewall doesn’t support the cipher suite specified in the SSL handshake. You configure which
algorithms the firewall supports on the SSL Protocol Sengs tab of the Decrypon profile.
Failure Checks:
• Block sessions if resources not available—If you don’t block sessions when firewall processing
resources aren’t available, then encrypted traffic that you want to decrypt enters the network
sll encrypted, risking allowing potenally dangerous connecons. However, blocking sessions
when firewall processing resources aren’t available may affect the user experience by making
sites that users normally can reach temporarily unreachable. Whether to implement failure
checks depends on your company’s security compliance stance and the importance to your
business of the user experience, weighed against ghter security. Alternavely, consider using
firewall models with more processing power so that you can decrypt more traffic.
• Block sessions if HSM not available—If you use a Hardware Security Module (HSM) to store
your private keys, whether you use one depends on your compliance rules about where the
private key must come from and how you want to handle encrypted traffic if the HSM isn’t
available. For example, if your company mandates the use of an HSM for private key signing,
then block sessions if the HSM isn’t available. However, if your company is less strict about
this, then you can consider not blocking sessions if the HSM isn’t available. (If the HSM is
down, the firewall can process decrypon for sites for which it has cached the response from
the HSM, but not for other sites.) The best pracce in this case depends on your company’s
policies. If the HSM is crical to your business, run the HSM in a high-availability (HA) pair
(PAN-OS 8.1 supports two members in an HSM HA pair).
When you configure SSL Protocol Sengs for SSL Inbound Inspecon traffic, create
separate profiles for servers with different security capabilies. For example, if one set of
servers supports only RSA, the SSL Protocol Sengs only need to support RSA. However,
the SSL Protocol Sengs for servers that support PFS should support PFS. Configure SSL
Protocol Sengs for the highest level of security that the target server you are protecng
supports, but check performance to ensure that the firewall resources can handle the
higher processing load that higher security protocols and algorithms require.
PAN-OS® Administrator’s Guide Version Version 9.1 879 ©2021 Palo Alto Networks, Inc.
Decrypon
Protocol Versions:
• Set the Min Version to TLSv1.2 to provide the strongest security—business sites that value
security support TLSv1.2. If a site (or a category of sites) only supports weaker ciphers, review
the site and determine if it really houses a legimate business applicaon. If it does, make
an excepon for only that site by configuring a Decrypon profile with a Min Version that
matches the strongest cipher the site supports and then applying the profile to a Decrypon
policy rule that limits allowing the weak cipher to only the site or sites in queson. If the
site doesn’t house a legimate business applicaon, don’t weaken your security posture to
support the site—weak protocols (and ciphers) contain known vulnerabilies that aackers can
exploit. If the site belongs to a category of sites that you don’t need for business purposes,
use URL Filtering to block access to the enre category. Don’t support weak encrypon or
authencaon algorithms unless you must do so to support important legacy sites, and when
you make excepons, create a separate Decrypon profile that allows the weaker protocol just
for those sites. Don’t downgrade the main Decrypon profile that you apply to most sites to
TLSv1.1 just to accommodate a few excepons.
Qualys SSL Labs SSL Pulse web page provides up-to-date stascs on the percentages
of different ciphers and protocols in use on the 150,000 most popular sites in the world
so you can see trends and understand how widespread worldwide support is for more
secure ciphers and protocols.
• Set the Max Version to Max rather than to a parcular version so that as the protocols
improve, the firewall automacally supports the newest and best protocols. Whether you
intend to aach a Decrypon profile to a Decrypon policy rule that governs inbound (SSL
Inbound Inspecon) or outbound (SSL Forward Proxy) traffic, avoid allowing weak algorithms.
Key Exchange Algorithms: Leave all three boxes checked (default) to support both RSA and PFS
(DHE and ECDHE) key exchanges.
To support HTTP/2 traffic, you must leave the ECDHE box checked.
PAN-OS® Administrator’s Guide Version Version 9.1 880 ©2021 Palo Alto Networks, Inc.
Decrypon
Encrypon Algorithms: When you set the protocol version to TLSv1.2, the older, weaker 3DES
and RC4 algorithms are automacally unchecked (blocked). For any traffic for which you must
allow a weaker TLS protocol, create a separate Decrypon profile and apply it only to traffic for
that site, and uncheck the 3DES and RC4 boxes. Do not allow traffic that uses the 3DES or RC4
algorithms. If unchecking the 3DES or RC4 boxes prevents you from accessing a site that you must
use for business, create a separate Decrypon profile for that site. Don’t weaken decrypon for
any other sites.
Authencaon Algorithms: The older, weaker MD5 algorithm is automacally unchecked
(blocked). Do not allow MD5 authencated traffic on your network; SHA1 is the weakest
authencaon algorithm you should allow. If no necessary sites use SHA1, uncheck the box and
block traffic to further reduce the aack surface.
SSH Proxy
In an SSH Proxy configuraon, the firewall resides between a client and a server. SSH Proxy
enables the firewall to decrypt inbound and outbound SSH connecons and ensures that aackers
don’t use SSH to tunnel unwanted applicaons and content. SSH decrypon does not require
cerficates and the firewall automacally generates the key used for SSH decrypon when the
firewall boots up. During the boot up process, the firewall checks if there is an exisng key. If
not, the firewall generates a key. The firewall uses the key to decrypt SSH sessions for all virtual
systems configured on the firewall and all SSH v2 sessions.
SSH allows tunneling, which can hide malicious traffic from decrypon. The firewall can’t decrypt
traffic inside an SSH tunnel. You can block all SSH tunnel traffic by configuring a Security policy
rule for the applicaon ssh-tunnel with the Acon set to Deny (along with a Security policy rule to
allow traffic from the ssh applicaon).
SSH tunneling sessions can tunnel X11 Windows packets and TCP packets. One SSH connecon
may contain mulple channels. When you apply an SSH Decrypon profile to traffic, for each
channel in the connecon, the firewall examines the App-ID of the traffic and idenfies the
channel type. The channel type can be:
• session
• X11
• forwarded-tcpip
• direct-tcpip
When the channel type is session, the firewall idenfies the traffic as allowed SSH traffic such
as SFTP or SCP. When the channel type is X11, forwarded-tcpip, or direct-tcpip, the firewall
idenfies the traffic as SSH tunneling traffic and blocks it.
Limit SSH use to administrators who need to manage network devices, log all SSH traffic,
and consider configuring Mul-Factor Authencaon to help ensure that only legimate
users can use SSH to access devices, which reduces the aack surface.
The following figure shows how SSH Proxy decrypon works. See Configure SSH Proxy for how to
enable SSH Proxy decrypon.
PAN-OS® Administrator’s Guide Version Version 9.1 881 ©2021 Palo Alto Networks, Inc.
Decrypon
When the client sends an SSH request to the server to iniate a session, the firewall intercepts
the request and forwards it to the server. The firewall then intercepts the server response and
forwards it to the client. This establishes two separate SSH tunnels, one between the firewall
and the client and one between the firewall and the server, with firewall funconing as a proxy.
As traffic flows between the client and the server, the firewall checks whether the SSH traffic is
being routed normally or if it is using SSH tunneling (port forwarding). The firewall doesn’t perform
content and threat inspecon on SSH tunnels; however, if the firewall idenfies SSH tunnels, it
blocks the SSH tunneled traffic and restricts the traffic according to configured security policies.
When you configure SSH Proxy, the proxied traffic does not support DSCP code points or
QoS.
The firewall doesn’t perform content and threat inspecon on SSH tunnels (port
forwarding). However, the firewall disnguishes between the SSH applicaon and the SSH-
tunnel applicaon. If the firewall idenfies SSH tunnels, it blocks the SSH tunneled traffic
and restricts the traffic according to configured security policies.
PAN-OS® Administrator’s Guide Version Version 9.1 882 ©2021 Palo Alto Networks, Inc.
Decrypon
Unsupported Mode Checks. The firewall supports SSHv2. If you don’t block sessions with
unsupported modes, users receive a warning message if they connect with potenally unsafe
servers, and they can click through that message and reach the potenally dangerous site.
Blocking these sessions protects you from servers that use weak, risky protocol versions and
algorithms:
1. Block sessions with unsupported versions—The firewall has a set of predefined supported
versions. Checking this box blocks traffic with weak versions. Always check this box to block
sessions with the weak protocol versions to reduce the aack surface.
2. Block sessions with unsupported algorithms—The firewall has a set of predefined supported
algorithms. Checking this box blocks traffic with weak algorithms. Always check this box to
block sessions with unsupported algorithms to reduce the aack surface.
Failure Checks:
• Block sessions on SSH errors—Checking this box terminates the session if SSH errors occur.
• Block sessions if resources not available—If you don’t block sessions when firewall processing
resources aren’t available, then encrypted traffic that you want to decrypt enters the network
sll encrypted, risking allowing potenally dangerous connecons. However, blocking sessions
when firewall processing resources aren’t available may affect the user experience by making
sites that users normally can reach temporarily unreachable. Whether to implement failure
checks depends on your company’s security compliance stance and the importance to your
business of the user experience, weighed against ghter security. Alternavely, consider using
firewall models with more processing power so that you can decrypt more traffic.
PAN-OS® Administrator’s Guide Version Version 9.1 883 ©2021 Palo Alto Networks, Inc.
Decrypon
• Block sessions with expired cerficates—Always check this box to block sessions with servers
that have expired cerficates and prevent access to potenally insecure sites. If you don’t
check this box, users can connect with and transact with potenally malicious sites and see
warning messages when they aempt to connect, but the connecon is not prevented.
• Block sessions with untrusted issuers—Always check this box to block sessions with servers
that have untrusted cerficate issuers. An untrusted issuer may indicate a man-in-the-middle
aack, a replay aack, or other aack.
(Applies to TLSv1.2 and earlier) If you choose to allow sessions with untrusted issuers (not
recommended) and only Block sessions with expired cerficates, there is a scenario in
which a session with a trusted, expired issuer may be blocked inadvertently. When the
firewall’s cerficate store contains a valid, self-signed Trusted CA and the server sends an
expired CA in the cerficate chain, the firewall does not check its cerficate store. Instead,
the firewall blocks the session based on the expired CA when it should find the trusted,
valid alternave trust anchor and allow the session based on that trusted self-signed
cerficate.
To avoid this scenario, in addion to Block sessions with expired cerficates, enable Block
sessions with untrusted issuers. This forces the firewall to check its cerficate store, find
the self-signed Trusted CA, and allow the session.
Decrypon for websites and applicaons using ECC cerficates is not supported for traffic
that is mirrored to the firewall; encrypted traffic using ECC cerficates must pass through
the firewall directly for the firewall to decrypt it.
You can use a hardware security module (HSM) to store the private keys associated with
ECDSA cerficates.
PAN-OS® Administrator’s Guide Version Version 9.1 884 ©2021 Palo Alto Networks, Inc.
Decrypon
If you use the DHE or ECDHE key exchange algorithms to enable PFS support for SSL
decrypon, you can use a hardware security module (HSM) to store the private keys for
SSL Inbound Inspecon.
When you configure SSL Inbound Inspecon and use a PFS cipher, session resumpon is
not supported.
PAN-OS® Administrator’s Guide Version Version 9.1 885 ©2021 Palo Alto Networks, Inc.
Decrypon
support the connecon. End users can connue to access the resources they need, and the
firewall can decrypt the sessions.
To enable SAN support for decrypted SSL traffic, update the decrypon profile aached to the
relevant decrypon policy: select Objects > Decrypon Profile > SSL Decrypon > SSL Forward
Proxy > Append Cerficate’s CN Value to SAN Extension).
PAN-OS® Administrator’s Guide Version Version 9.1 886 ©2021 Palo Alto Networks, Inc.
Decrypon
Decrypon Mirroring
Decrypon mirroring creates a copy of decrypted traffic from a firewall and sends it to a traffic
collecon tool such as NetWitness or Solera, which can receive raw packet captures for archiving
and analysis. Organizaons that require comprehensive data capture for forensic and historical
purposes or for data leak prevenon (DLP) can install a free license to enable the feature.
Aer you install the license, connect the traffic collecon tool directly to an Ethernet interface on
the firewall and set the Interface Type to Decrypt Mirror. The firewall simulates a TCP handshake
with the collecon tool and then sends every data packet through that interface, decrypted (as
cleartext).
Decrypon port mirroring is not available on the VM-Series for public cloud plaorms
(AWS, Azure, Google Cloud Plaorm) and VMware NSX.
Keep in mind that the decrypon, storage, inspecon, and/or use of SSL traffic is governed in
certain countries and user consent might be required in order to use the decrypon mirror feature.
Addionally, use of this feature could enable malicious users with administrave access to the
firewall to harvest usernames, passwords, social security numbers, credit card numbers, or other
sensive informaon submied using an encrypted channel. Palo Alto Networks recommends that
you consult with your corporate counsel before acvang and using this feature in a producon
environment.
The following graphic shows the process for mirroring decrypted traffic and the secon Configure
Decrypon Port Mirroring describes how to license and enable this feature.
PAN-OS® Administrator’s Guide Version Version 9.1 887 ©2021 Palo Alto Networks, Inc.
Decrypon
Migrate from port-based to applicaon-based Security policy rules before you create
and deploy Decrypon policy rules. If you create Decrypon rules based on port-based
Security policy and then migrate to applicaon-based Security policy, the change could
cause the Decrypon rules to block traffic that you intend to allow because Security policy
rules are likely to use applicaon default ports to prevent applicaon traffic from using
non-standard ports. For example, traffic idenfied as web-browsing applicaon traffic
(default port 80) may have underlying applicaons that have different default ports, such
as HTTPS traffic (default port 443). The applicaon-default rule blocks the HTTPS traffic
because it sees the decrypted traffic using a “non-standard” port (443 instead of 80).
Migrang to App-ID based rules before deploying decrypon means that when you test
your decrypon deployment in POCs, you’ll discover Security policy misconfiguraon and
fix it before rolling it out to the general user populaon.
PAN-OS® Administrator’s Guide Version Version 9.1 888 ©2021 Palo Alto Networks, Inc.
Decrypon
Next, idenfy traffic that you can’t decrypt because the traffic breaks decrypon for technical
reasons such as a pinned cerficate, an incomplete cerficate chain, unsupported ciphers, or
mutual authencaon. Decrypng sites that break decrypon technically results in blocking that
traffic. Evaluate the websites that break decrypon technically and ask yourself if you need access
to those sites for business reasons. If you don’t need access to those sites, allow decrypon to
block them. If you need access to any of those sites for business purposes, add them to the SSL
Decrypon Exclusion list to except them from decrypon. The SSL Decrypon Exclusion list is
exclusively for sites that break decrypon technically.
Idenfy sensive traffic that you choose not to decrypt for legal, regulatory, personal, or other
reasons, such as financial, health, or government traffic, or the traffic of certain execuves. This is
not traffic that breaks decrypon technically, so you don’t use the SSL Decrypon Exclusion list
to except this traffic from decrypon. Instead, you Create a Policy-Based Decrypon Exclusion
to idenfy and control traffic you choose not to decrypt and apply the No Decrypon decrypon
profile to the policy to prevent servers with cerficate issues from accessing the network. Policy-
based decrypon exclusions are only for traffic you choose not to decrypt.
When you plan decrypon policy, consider your company’s security compliance rules, computer
usage policy, and your business goals. Extremely strict controls can impact the user experience
by prevenng access to non-business sites the user used to access, but may be required for
government or financial instuons. There is always a tradeoff between usability, management
overhead, and security. The ghter the decrypon policy, the greater the chance that a website
will become unreachable, which may result in user complaints and possibly modifying the
rulebase.
Although a ght decrypon policy may inially cause a few user complaints, those
complaints can draw your aenon to unsanconed or undesirable websites that are
blocked because they use weak algorithms or have cerficate issues. Use complaints as a
tool to beer understand the traffic on your network.
Different groups of users and even individual users may require different decrypon policies, or
you may want to apply the same decrypon policy to all users. For example, execuves may be
exempted from decrypon policies that apply to other employees. And you may want to apply
different decrypon policies to employee groups, contracts, partners, and guests. Prepare updated
legal and HR computer usage policies to distribute to all employees, contractors, partners, guests,
and any other network users so that when you roll out decrypon, users understand their data can
be decrypted and scanned for threats.
PAN-OS® Administrator’s Guide Version Version 9.1 889 ©2021 Palo Alto Networks, Inc.
Decrypon
How you handle guest users depends on the access they require. Isolate guests from the
rest of your network by placing them on a separate VLAN and on a separate SSID for
wireless access. If guests don’t need to access your corporate network, don’t let them on it
and there will be no need to decrypt their traffic. If guests need to access your corporate
network, decrypt their traffic:
• Enterprises don’t control guest devices. Decrypt guest traffic and subject it to your
guest Security policy so the firewall can inspect the traffic and prevent threats. To do
this, redirect guest users through a capve portal, instruct them how to download and
install the CA cerficate, and clearly nofy guests that their traffic will be decrypted.
Include the process in your company’s privacy and computer usage policy.
• Create separate Decrypon policy rules and Security policy rules to ghtly control
guest access so that guests can only access the areas of your network that they need to
access.
Similarly to different groups of users, decide which devices to decrypt and which applicaons
to decrypt. Today’s networks support not only corporate devices, but BYOD, mobile, remote-
user and other devices, including contractor, partner, and guest devices. Today’s users aempt to
access many sites, both sanconed and unsanconed, and you should decide how much of that
traffic you want to decrypt.
Enterprises don’t control BYOD devices. If you allow BYOD devices on your network,
decrypt their traffic and subject it to the same Security policy that you apply to other
network traffic so the firewall can inspect the traffic and prevent threats. To do this,
redirect BYOD users through a capve portal, instruct them how to download and install
the CA cerficate, and clearly nofy users that their traffic will be decrypted. Educate
BYOD users about the process and include it in your company’s privacy and computer
usage policy.
Decide what traffic you want to log and invesgate what traffic you can log. Be aware of local
laws regarding what types of data you can log and store, and where you can log and store the
data. For example, local laws may prevent logging and storing personal informaon such as health
and financial data.
Decide how to handle bad cerficates. For example, will you block or allow sessions for which the
cerficate status is unknown? Understanding how you want to handle bad cerficates determines
how you configure the decrypon profiles that you aach to decrypon policies to control which
sessions you allow based on the server cerficate verificaon status.
PAN-OS® Administrator’s Guide Version Version 9.1 890 ©2021 Palo Alto Networks, Inc.
Decrypon
network devices already trust the Enterprise Root CA, so you avoid any cerficate issues when
you begin the deployment phase. If you don’t have an Enterprise Root CA, consider geng one.
• Generate a self-signed Root CA cerficate on the firewall and create subordinate CA
cerficates on that firewall—If you don’t have an Enterprise Root CA, this method provides a
self-signed Root CA cerficate and the subordinate Forward Trust and Untrust CA cerficates.
With this method, you need to install the self-signed cerficates on all of your network devices
so that those devices recognize the firewall’s self-signed cerficates. Because the cerficates
must be deployed to all devices, this method is beer for small deployments and proof-of-
concept (POC) trials than for large deployments.
Do not export the Forward Untrust cerficate to the Cerficate Trust Lists of your network
devices! This is crical because installing the Untrust cerficate in the Trust List results
in devices trusng websites that the firewall does not trust. In addion, users won’t see
cerficate warnings for untrusted sites, so they won’t know the sites are untrusted and
may access those sites, which could expose your network to threats.
Regardless of whether you generate Forward Trust cerficates from your Enterprise
Root CA or use a self-signed cerficate generated on the firewall, generate a separate
subordinate Forward Trust CA cerficate for each firewall. The flexibility of using separate
subordinate CAs enables you to revoke one cerficate when you decommission a device
(or device pair) without affecng the rest of the deployment and reduces the impact in any
situaon in which you need to revoke a cerficate. Separate Forward Trust CAs on each
firewall also helps troubleshoot issues because the CA error message the user sees includes
informaon about the firewall the traffic is traversing. If you use the same Forward Trust
CA on every firewall, you lose the granularity of that informaon.
There is no benefit to using different Forward Untrust cerficates on different firewalls, so you can
use the same Forward Untrust cerficate on all firewalls. If you need addional security for your
private keys, consider storing them on an HSM.
You may need to make special accommodaons for guest users. If guest users don’t need access
to your corporate network, don’t allow access, and then you won’t have to decrypt their traffic or
create infrastructure to support guest access. If you need to support guest users, discuss with your
legal department whether you can decrypt guest traffic.
If you can decrypt guest traffic, treat guests similarly to the way you treat BYOD devices. Decrypt
guest traffic and subject it to the same Security policy that you apply to other network traffic. Do
this by redirecng guest users through a capve portal, instruct them how to download and install
the CA cerficate, and clearly nofy users that their traffic will be decrypted. Include the process
in your company’s privacy and computer usage policy. In addion, restrict guest traffic to only the
areas guests need to access.
If you can’t decrypt guest traffic for legal reasons, then isolate guest traffic and prevent it from
moving laterally in your network:
• Create a separate zone for guests and restrict guest access to that zone. To prevent lateral
movement, don’t allow guest access to other zones.
• Allow only sanconed applicaons, use URL filtering to prevent access to risky URL categories,
and apply the best pracce Security profiles.
• Apply a No Decrypt decrypon policy and profile to prevent guests from accessing websites
with unknown or expired CAs.
PAN-OS® Administrator’s Guide Version Version 9.1 891 ©2021 Palo Alto Networks, Inc.
Decrypon
All employees, contractors, partners, and other users should use your normal corporate
infrastructure and you should decrypt and inspect their traffic.
The combinaon of the key exchange algorithm and the cerficate authencaon
method affect throughput performance as shown in RSA and ECDSA benchmark tests.
The performance cost of PFS trades off against the higher security that PFS achieves,
but PFS may not be needed for all types of traffic. You can save firewall CPU cycles
by using RSA for traffic that you want to decrypt and inspect for threats but that isn’t
sensive.
• Average transacon sizes. For example, small average transacon sizes consume more
processing power to decrypt. Measure the average transacon size of all traffic, then measure
the average transacon size of traffic on port 443 (the default port for HTTPS encrypted traffic)
to understand the proporon of encrypted traffic going to the firewall in relaon to your total
traffic and the average transacon sizes. Eliminate anomalous outliers such as unusually large
transacons to get a truer measurement of average transacon size.
PAN-OS® Administrator’s Guide Version Version 9.1 892 ©2021 Palo Alto Networks, Inc.
Decrypon
• The firewall model and resources. Newer firewall models have more processing power than
older models.
The combinaon of these factors determines how decrypon consumes firewall processing
resources. To best ulize the firewall’s resources, understand the risks of the data you’re
protecng. If firewall resources are an issue, use stronger decrypon for higher-priority traffic and
use less processor-intensive decrypon to decrypt and inspect lower-priority traffic unl you can
increase the available resources. For example, you could use RSA instead of ECDHE and ECDSA
for traffic that isn’t sensive or high-priority to preserve firewall resources for using PFS-based
decrypon for higher priority, sensive traffic. (You’re sll decrypng and inspecng the lower-
priority traffic, but trading off consuming fewer computaonal resources with using algorithms
that aren’t as secure as PFS.) The key is to understand the risks of different traffic types and treat
them accordingly.
Measure firewall performance so that you understand the currently available resources, which
helps you understand whether you need more firewall resources to decrypt the traffic you want to
decrypt. Measuring firewall performance also sets a baseline for performance comparisons aer
deploying decrypon.
When you size the firewall deployment, base it not only on your current needs, but also on your
future needs. Include headroom for the growth of decrypon traffic because Gartner predicts that
through 2019, more than 80 percent of enterprise web traffic will be encrypted, and more than 50
percent of new malware campaigns will use various forms of encrypon. Work with your Palo Alto
Networks representaves and take advantage of their experience in sizing firewalls to help you
size your firewall decrypon deployment.
PAN-OS® Administrator’s Guide Version Version 9.1 893 ©2021 Palo Alto Networks, Inc.
Decrypon
The interacon between POC users and technical support also allows you to fine-tune policies
and how to communicate with users.
POCs enable you to experiment with priorizing what to decrypt first, so that when you phase
in decrypon in the general populaon, your POC experience helps you understand how to
phase in decrypng different URL Categories. Measure the way decrypon affects firewall
CPU and memory ulizaon to help understand if the firewall sizing is correct or if you need to
upgrade. POCs can also reveal applicaons that break decrypon technically (decrypng them
blocks their traffic) and need to be added to the Decrypon Exclusion list.
When you set up POCs, also set up a user group that can cerfy the operaonal readiness and
procedures prior to the general rollout.
• Educate the user populaon before the general rollout, and plan to educate new users as they
join the company. This is a crical phase of deploying decrypon because the deployment
may affect websites that users previously visited but are not safe, so those sites are no longer
reachable. The POC experience helps idenfy the most important points to communicate.
• Phase in decrypon. You can accomplish this several ways. You can decrypt the highest priority
traffic first (for example, the URL Categories most likely to harbor malicious traffic, such as
gaming) and then decrypt more as you gain experience. Alternavely, you can take a more
conservave approach and decrypt the URL Categories that don’t affect your business first
(so if something goes wrong, no issues occur that affect business), for example, news feeds.
In all cases, the best way to phase in decrypon is to decrypt a few URL Categories, take user
feedback into account, run reports to ensure that decrypon is working as expected, and then
gradually decrypt a few more URL Categories and verify, and so on. Plan to make Decrypon
Exclusions to exclude sites from decrypon if you can’t decrypt them for technical reasons or
because you choose not to decrypt them.
If you Enable Users to Opt Out of SSL Decrypon (users see a response page that allows them
either to opt out of decrypon and end the session without going to the site or to proceed to
the site and agree to have the traffic decrypted), educate them about what it is, why they’re
seeing it, and what their opons are.
• Create realisc deployment schedules that allow me to evaluate each stage of the rollout.
Place firewalls in posions where they can see all of the network traffic so that no
encrypted traffic inadvertently gains access to your network because it bypasses the
firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 894 ©2021 Palo Alto Networks, Inc.
Decrypon
Review the Decrypon deployment best pracces checklist to ensure that you
understand the recommended best pracces.
As a best pracce, you should always block known dangerous URL Filtering categories such
as malware, phishing, dynamic-dns, unknown, command-and-control, proxy-avoidance-and-
anonymizers, copyright-infringement, extremism, newly-registered-domain, grayware, and parked.
If you must allow any of these categories for business reasons, you must decrypt them and apply
strict Security profiles to the traffic.
URL categories that you should always decrypt if you allow them include: online-storage-and-
backup, web-based-email, web-hosng, personal-sites-and-blogs, and content-delivery-networks.
In Security policy, block Quick UDP Internet Connecons (QUIC) protocol unless for
business reasons, you want to allow encrypted browser traffic. Chrome and some other
browsers establish sessions using QUIC instead of TLS, but QUIC uses proprietary
encrypon that the firewall can’t decrypt, so potenally dangerous traffic may enter the
network as encrypted traffic. Blocking QUIC forces the browser to fall back to TLS and
enables the firewall to decrypt the traffic.
Create a Security policy rule to block QUIC on its UDP service ports (80 and 443) and
create a separate rule to block the QUIC applicaon. For the rule that blocks UDP ports
80 and 443, create a Service (Objects > Services) that includes UDP ports 80 and 443:
Use the Service to specify the UDP ports to block for QUIC. In the second rule, block the
QUIC applicaon:
PAN-OS® Administrator’s Guide Version Version 9.1 895 ©2021 Palo Alto Networks, Inc.
Decrypon
Avoid supporng weak protocols or algorithms because they contain known vulnerabilies
that aackers can exploit. If you must allow a weaker protocol or algorithm to support a
key partner or contractor who uses legacy systems with weak protocols, create a separate
Decrypon profile for the excepon and aach it to a Decrypon policy rule that applies
the profile only to the relevant traffic (for example, the source IP address of the partner).
Don’t allow the weak protocol for all traffic.
STEP 2 | (Oponal) Allow the profile rule to be Shared across every virtual system on a firewall or
every Panorama device group.
STEP 3 | (Decrypon Mirroring Only) Enable an Ethernet Interface for the firewall to use to copy and
forward decrypted traffic.
Separate from this task, follow the steps to Configure Decrypon Port Mirroring. Be aware of
local privacy regulaons that may prohibit mirroring or control the type of traffic that you can
mirror. Decrypon port mirroring requires a decrypon port mirror license.
PAN-OS® Administrator’s Guide Version Version 9.1 896 ©2021 Palo Alto Networks, Inc.
Decrypon
STEP 4 | (Oponal) Block and control SSL tunneled and/or inbound traffic:
STEP 5 | (Oponal) Block and control traffic (for example, a URL category) for which you choose to
Create a Policy-Based Decrypon Exclusion.
Although applying a Decrypon profile to traffic that you choose not to decrypt is
oponal, it is a best pracce to always apply a Decrypon profile to the policy rules to
protect your network against sessions with expired cerficates or untrusted issuers.
Select No Decrypon to configure the Decrypon Profile for No Decrypon and check the
Block sessions with expired cerficates and Block sessions with untrusted issuers boxes to
validate cerficates for traffic that is excluded from decrypon. Create policy-based exclusions
only for traffic that you choose not to decrypt. If a server breaks decrypon for technical
reasons, don’t create a policy-based exclusion, add the server to the SSL Decrypon Exclusion
list (Device > Cerficate Management > SSL Decrypon Exclusion).
These seng are acve only when the decrypon profile is aached to a decrypon policy rule
that disables decrypon for certain traffic.
PAN-OS® Administrator’s Guide Version Version 9.1 897 ©2021 Palo Alto Networks, Inc.
Decrypon
STEP 7 | Add the decrypon profile when you Create a Decrypon Policy Rule.
The firewall applies the decrypon profile to and enforces the profile’s sengs on the traffic
that matches the decrypon policy rule.
STEP 2 | Configure the decrypon rule to match to traffic based on network and policy objects:
• Firewall security zones—Select Source and/or Desnaon and match to traffic based on the
Source Zone and/or the Desnaon Zone.
• IP addresses, address objects, and/or address groups—Select Source and/or Desnaon
to match to traffic based on Source Address and/or the Desnaon Address. Alternavely,
select Negate to exclude the source address list from decrypon.
• Users—Select Source and set the Source User for whom to decrypt traffic. You can decrypt
specific user or group traffic, or decrypt traffic for certain types of users, such as unknown
users or pre-logon users (users that are connected to GlobalProtect but are not yet logged
in).
• Ports and protocols—Select Service/URL Category to set the rule to match to traffic based
on service. By default, the policy rule is set to decrypt Any traffic on TCP and UDP ports.
PAN-OS® Administrator’s Guide Version Version 9.1 898 ©2021 Palo Alto Networks, Inc.
Decrypon
You can Add a service or a service group, and oponally set the rule to applicaon-default
to match to applicaons only on the applicaon default ports.
• URLs and URL categories—Select Service/URL Category and decrypt traffic based on:
• An externally-hosted list of URLs that the firewall retrieves for policy-enforcement (see
Objects > External Dynamic Lists).
• Palo Alto Networks predefined URL categories, which make it easy to decrypt enre
categories of allowed traffic. This opon is also useful when you create policy-based
decrypon exclusions because you can exclude sensive sites by category instead of
individually. For example, although you can create a custom URL category to group sites
that you do not want to decrypt, you can also exclude financial or healthcare-related
sites from decrypon based on the predefined Palo Alto Networks URL categories. In
addion, you can block risky URL Categories and create comfort pages to communicate
the reason the sites are blocked or Enable Users to Opt Out of SSL Decrypon.
You can use the predefined high-risk and medium-risk URL categories to create a
Decrypon policy rule that decrypts all high-risk and medium-risk URL traffic. Place the
rule at the boom of the rulebase (all decrypon excepons must be above this rule so
that you don’t decrypt sensive informaon) as a safety net to ensure that you decrypt
and inspect all risky traffic. However, if high-risk or medium-risk sites to which you allow
access contain personally idenfiable informaon (PII) or other sensive informaon
that you don’t want to decrypt, either block those sites to avoid allowing encrypted risky
traffic while also avoiding privacy issues, or create a No Decrypon rule to handle the
sensive traffic.
• Custom URL categories (see Objects > Custom Objects > URL Category). For example,
you can create a custom URL Category to specify a group of sites you need to access for
business purposes but that don’t support the safest protocols and algorithms, and then
apply a customized Decrypon profile to allow the looser protocols and algorithms for
just those sites (that way, you don’t decrease security by downgrading the Decrypon
profile you use for most sites).
PAN-OS® Administrator’s Guide Version Version 9.1 899 ©2021 Palo Alto Networks, Inc.
Decrypon
STEP 3 | Set the rule to either decrypt matching traffic or to exclude matching traffic from decrypon.
Select Opons and set the policy rule Acon:
To decrypt matching traffic:
1. Set the Acon to Decrypt .
2. Set the Type of decrypon for the firewall to perform on matching traffic:
• SSL Forward Proxy
• SSL Inbound Inspecon. If you want to enable SSL Inbound Inspecon, also select the
Cerficate for the desnaon internal server for the inbound SSL traffic.
• SSH Proxy
To exclude matching traffic from decrypon:
Set the Acon to No Decrypt.
STEP 4 | (Oponal) Select a Decrypon Profile to perform addional checks on traffic that matches
the policy rule.
For example, aach a decrypon profile to a policy rule to ensure that server cerficates are
valid and to block sessions using unsupported protocols or ciphers. To Create a Decrypon
Profile, select Objects > Decrypon Profile.
1. Create a decrypon policy rule or open an exisng rule to modify it.
2. Select Opons and select a Decrypon Profile to block and control various aspects of
the traffic matched to the rule.
The profile rule sengs the firewall applies to matching traffic depends on the policy
rule Acon (Decrypt or No Decrypt) and the policy rule Type (SSL Forward Proxy, SSL
Inbound Inspecon, or SSH Proxy). This allows you to use the different decrypon
profiles with different types of decrypon policy rules that apply to different types of
traffic and users.
3. Click OK.
STEP 6 | Choose your next step to fully enable the firewall to decrypt traffic...
• ConfigureSSL Forward Proxy
• ConfigureSSL Inbound Inspecon
• ConfigureSSH Proxy
• Create policy-based Decrypon Exclusions for traffic you choose not to decrypt and add
sites that break decrypon for technical reasons such as pinned cerficates or mutual
authencaon to the SSL Decrypon Exclusion list.
PAN-OS® Administrator’s Guide Version Version 9.1 900 ©2021 Palo Alto Networks, Inc.
Decrypon
Regardless of whether you generate Forward Trust cerficates from your Enterprise
Root CA or use a self-signed cerficate generated on the firewall, generate a separate
subordinate Forward Trust CA cerficate for each firewall. The flexibility of using separate
subordinate CAs enables you to revoke one cerficate when you decommission a device
(or device pair) without affecng the rest of the deployment and reduces the impact in any
situaon in which you need to revoke a cerficate. Separate Forward Trust CAs on each
firewall also helps troubleshoot issues because the CA error message the user sees includes
informaon about the firewall the traffic is traversing. If you use the same Forward Trust
CA on every firewall, you lose the granularity of that informaon.
Aer seng up the Forward Trust and Forward Untrust cerficates required for SSL Forward
Proxy decrypon, create a Decrypon policy rule to define the traffic you want the firewall to
decrypt and create a Decrypon profile to apply SSL controls and checks to the traffic. The
Decrypon policy decrypts SSL tunneled traffic that matches the rule into clear text traffic. The
firewall blocks and restricts traffic based on the Decrypon profile aached to the Decrypon
policy and on the firewall Security policy. The firewall re-encrypts traffic as it exits the firewall.
When you configure SSL Forward Proxy, the proxied traffic does not support DSCP code
points or QoS.
PAN-OS® Administrator’s Guide Version Version 9.1 901 ©2021 Palo Alto Networks, Inc.
Decrypon
STEP 1 | Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer
3 interfaces.
View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface
Type column displays if an interface is configured to be a Virtual Wire or Layer 2, or Layer
3 interface. You can select an interface to modify its configuraon, including what type of
interface it is.
PAN-OS® Administrator’s Guide Version Version 9.1 902 ©2021 Palo Alto Networks, Inc.
Decrypon
STEP 2 | Configure the Forward Trust cerficate for the firewall to present to clients when a trusted
CA has signed the server cerficate. You can use an enterprise CA-signed cerficate or a self-
signed cerficate as the forward trust cerficate.
(Recommended Best Pracce) Use an enterprise CA-signed cerficate as the Forward Trust
cerficate. Create a uniquely named Forward Trust cerficate on each firewall:
1. Generate a Cerficate Signing Request (CSR) for the enterprise CA to sign and validate:
1. Select Device > Cerficate Management > Cerficates and click Generate.
2. Enter a Cerficate Name. Use a unique name for each firewall.
3. In the Signed By drop-down, select External Authority (CSR).
4. (Oponal) If your enterprise CA requires it, add Cerficate Aributes to further idenfy
the firewall details, such as Country or Department.
5. Click Generate to save the CSR. The pending cerficate is now displayed on the Device
Cerficates tab.
2. Export the CSR:
1. Select the pending cerficate displayed on the Device Cerficates tab.
2. Click Export to download and save the cerficate file.
Leave Export private key unselected in order to ensure that the private key
remains securely on the firewall.
3. Click OK.
3. Provide the cerficate file to your enterprise CA. When you receive the enterprise CA-
signed cerficate from your enterprise CA, save the enterprise CA-signed cerficate to
import onto the firewall.
4. Import the enterprise CA-signed cerficate onto the firewall:
1. Select Device > Cerficate Management > Cerficates and click Import.
2. Enter the pending Cerficate Name exactly. The Cerficate Name that you enter must
exactly match the pending cerficate name in order for the pending cerficate to be
validated.
3. Select the signed Cerficate File that you received from your enterprise CA.
4. Click OK. The cerficate is displayed as valid with the Key and CA check boxes selected.
5. Select the validated cerficate to enable it as a Forward Trust Cerficate to be used for SSL
Forward Proxy decrypon.
6. Click OK to save the enterprise CA-signed forward trust cerficate.
Use a self-signed cerficate as the Forward Trust cerficate:
1. Create a self-signed Root CA cerficate.
2. Click the self-signed root CA cerficate (Device > Cerficate Management > Cerficates
> Device Cerficates) to open Cerficate informaon and then click the Trusted Root CA
checkbox.
3. Click OK.
4. Generate new subordinate CA cerficates for each firewall:
1. Select Device > Cerficate Management > Cerficates.
PAN-OS® Administrator’s Guide Version Version 9.1 903 ©2021 Palo Alto Networks, Inc.
Decrypon
STEP 3 | Distribute the forward trust cerficate to client system cerficate stores.
If you are using an enterprise-CA signed cerficate as the forward trust cerficate for SSL
Forward Proxy decrypon, and the client systems already have the enterprise CA installed in
the local trusted root CA list, you can skip this step. (The client systems trust the subordinate
CA cerficates you generate on the firewall because the Enterprise Trusted Root CA has signed
them.)
If you do not install the forward trust cerficate on client systems, users see cerficate
warnings for each SSL site they visit.
This opon is supported with Windows and Mac client OS versions, and requires
GlobalProtect agent 3.0.0 or later to be installed on the client systems.
1. Select Network > GlobalProtect > Portals and then select an exisng portal
configuraon or Add a new one.
2. Select Agent and then select an exisng agent configuraon or Add a new one.
3. Add the self-signed firewall Trusted Root CA cerficate to the Trusted Root CA secon.
Aer GlobalProtect distributes the firewall’s Trusted Root CA cerficate to client
PAN-OS® Administrator’s Guide Version Version 9.1 904 ©2021 Palo Alto Networks, Inc.
Decrypon
systems, the client systems trust the firewall’s subordinate CA cerficates because the
clients trust the firewall’s Root CA cerficate.
4. Install in Local Root Cerficate Store so that the GlobalProtect portal automacally
distributes the cerficate and installs it in the cerficate store on GlobalProtect client
systems.
5. Click OK twice.
Without GlobalProtect:
Export the firewall Trusted Root CA cerficate so that you can import it into client systems.
Highlight the cerficate and click Export at the boom of the window. Choose PEM format.
Do not select the Export private key checkbox! The private key should remain on the
firewall and should not be exported to client systems.
Import the firewall’s Trusted Root CA cerficate into the browser Trusted Root CA list on
the client systems in order for the clients to trust it. When imporng into the client browser,
ensure that you add the cerficate to the Trusted Root Cerficaon Authories cerficate
store. On Windows systems, the default import locaon is the Personal cerficate store. You
can also simplify this process by using a centralized deployment opon, such as an Acve
Directory Group Policy Object (GPO).
STEP 4 | Configure the Forward Untrust cerficate (use the same Forward Untrust cerficate for all
firewalls).
1. Click Generate at the boom of the cerficates page.
2. Enter a Cerficate Name, such as my-ssl-fwd-untrust.
3. Set the Common Name, for example 192.168.2.1. Leave Signed By blank.
4. Click the Cerficate Authority check box to enable the firewall to issue the cerficate.
5. Click Generate to generate the cerficate.
6. Click OK to save.
7. Click the new my-ssl-fwd-untrust cerficate to modify it and enable the Forward Untrust
Cerficate opon.
Do not export the Forward Untrust cerficate to the Cerficate Trust Lists of
your network devices! Do not install the Forward Untrust cerficate on client
systems. This is crical because installing the Untrust cerficate in the Trust List
results in devices trusng websites that the firewall does not trust. In addion,
users won’t see cerficate warnings for untrusted sites, so they won’t know the
sites are untrusted and may access those sites, which could expose your network
to threats.
8. Click OK to save.
STEP 5 | (Oponal) Configure the Key Size for SSL Forward Proxy Server Cerficates that the firewall
presents to clients. By default, the firewall determines the key size to use based on the key
size of the desnaon server cerficate.
PAN-OS® Administrator’s Guide Version Version 9.1 905 ©2021 Palo Alto Networks, Inc.
Decrypon
STEP 6 | Create a Decrypon Policy Rule to define traffic for the firewall to decrypt and Create a
Decrypon Profile to apply SSL controls to the traffic.
1. Select Policies > Decrypon, Add or modify an exisng rule, and define traffic to be
decrypted.
2. Select Opons and:
• Set the rule Acon to Decrypt matching traffic.
• Set the rule Type to SSL Forward Proxy.
• (Oponal but a best pracce) Configure or select an exisng Decrypon Profile
to block and control various aspects of the decrypted traffic (for example, create a
decrypon profile to perform cerficate checks and enforce strong cipher suites and
protocol versions).
3. Click OK to save.
STEP 7 | Enable the firewall to forward decrypted SSL traffic for WildFire analysis.
This opon requires an acve WildFire license and is a WildFire best pracce.
PAN-OS® Administrator’s Guide Version Version 9.1 906 ©2021 Palo Alto Networks, Inc.
Decrypon
When you configure SSL Inbound Inspecon, the proxied traffic does not support DSCP
code points or QoS.
SSL Inbound Inspecon does not support Capve Portal redirect. To use Capve Portal
redirect and decrypon, you must use SSL Forward Proxy.
STEP 1 | Ensure that the appropriate interfaces are configured as either Tap, Virtual Wire, Layer 2, or
Layer 3 interfaces.
You cannot use a Tap mode interface for SSL Inbound inspecon if the negoated
ciphers include PFS key exchange algorithms (DHE and ECDHE).
View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type
column displays if an interface is configured to be a Virtual Wire or Layer 2, or Layer 3
interface. You can select an interface to modify its configuraon, including the interface type.
PAN-OS® Administrator’s Guide Version Version 9.1 907 ©2021 Palo Alto Networks, Inc.
Decrypon
STEP 2 | Ensure that the targeted server cerficate is installed on the firewall.
If you have enabled SSL Inbound Inspecon using PFS key exchange algorithms, you
must upload a cerficate bundle (a single file) to the firewall with your cerficates
arranged as follows:
1. End-enty (leaf) cerficate
2. Intermediate cerficates (in issuing order)
3. (Oponal) Root cerficate
Uploading the file ensures that clients receive the complete cerficate chain during SSL
handshakes, avoiding client-side server cerficate authencaon issues.
On the web interface, select Device > Cerficate Management > Cerficates > Device
Cerficates to view cerficates installed on the firewall.
To import the targeted server cerficate onto the firewall:
1. On the Device Cerficates tab, select Import.
2. Enter a descripve Cerficate Name.
3. Browse for and select the targeted server Cerficate File.
4. Click OK.
STEP 3 | Create a Decrypon Policy Rule to define traffic for the firewall to decrypt and Create a
Decrypon Profile to apply SSL controls to the traffic.
1. Select Policies > Decrypon, Add or modify an exisng rule, and define traffic to be
decrypted.
2. Select Opons and:
• Set the rule Acon to Decrypt matching traffic.
• Set the rule Type to SSL Inbound Inspecon.
• Select the Cerficate for the internal server that is the desnaon of the inbound SSL
traffic.
• (Oponal but a best pracce) Configure or select an exisng Decrypon Profile
to block and control various aspects of the decrypted traffic (for example, create
PAN-OS® Administrator’s Guide Version Version 9.1 908 ©2021 Palo Alto Networks, Inc.
Decrypon
When you configure the SSL Protocol Sengs Decrypon Profile for SSL
Inbound Inspecon traffic, create separate profiles for servers with different
security capabilies. For example, if one set of servers supports only RSA, the
SSL Protocol Sengs only need to support RSA. However, the SSL Protocol
Sengs for servers that support PFS should support PFS. Configure SSL
Protocol Sengs for the highest level of security that the server supports, but
check performance to ensure that the firewall resources can handle the higher
processing load that higher security protocols and algorithms require.
3. Click OK to save.
STEP 4 | Enable the firewall to forward decrypted SSL traffic for WildFire analysis.
This opon requires an acve WildFire license and is a WildFire best pracce.
PAN-OS® Administrator’s Guide Version Version 9.1 909 ©2021 Palo Alto Networks, Inc.
Decrypon
When you configure SSH Proxy, the proxied traffic does not support DSCP code points or
QoS.
STEP 1 | Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer
3 interfaces. Decrypon can only be performed on virtual wire, Layer 2, or Layer 3 interfaces.
View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface
Type column displays if an interface is configured to be a Virtual Wire or Layer 2, or Layer
3 interface. You can select an interface to modify its configuraon, including what type of
interface it is.
STEP 2 | Create a Decrypon Policy Rule to define traffic for the firewall to decrypt and Create a
Decrypon Profile to apply checks to the SSH traffic.
1. Select Policies > Decrypon, Add or modify an exisng rule, and define traffic to be
decrypted.
2. Select Opons and:
• Set the rule Acon to Decrypt matching traffic.
• Set the rule Type to SSH Proxy.
• (Oponal but a best pracce) Configure or select an exisng Decrypon Profile
to block and control various aspects of the decrypted traffic (for example, create a
Decrypon profile to terminate sessions with unsupported versions and unsupported
algorithms).
3. Click OK to save.
STEP 4 | (Oponal) Connue to Decrypon Exclusions to disable decrypon for certain types of
traffic.
PAN-OS® Administrator’s Guide Version Version 9.1 910 ©2021 Palo Alto Networks, Inc.
Decrypon
PAN-OS® Administrator’s Guide Version Version 9.1 911 ©2021 Palo Alto Networks, Inc.
Decrypon
Decrypon Exclusions
You can exclude two types of traffic from decrypon:
• Traffic that breaks decrypon for technical reasons, such as using a pinned cerficate, an
incomplete cerficate chain, unsupported ciphers, or mutual authencaon (decrypng blocks
the traffic). Palo Alto Networks provides a predefined SSL Decrypon Exclusion list (Device
> Cerficate management > SSL Decrypon Exclusion) that excludes hosts with applicaons
and services that are known to break decrypon technically from SSL Decrypon by default.
If you encounter sites that break decrypon technically and are not on the SSL Decrypon
Exclusion list, you can add them to list manually by server hostname. The firewall blocks sites
whose applicaons and services break decrypon technically unless you add them to the SSL
Decrypon Exclusion list.
• Traffic that you choose not to decrypt because of business, regulatory, personal, or other
reasons, such as financial-services, health-and-medicine, or government traffic. You can choose
to exclude traffic based on source, desnaon, URL category, and service.
You can use asterisks (*) as wildcards to create decrypon exclusions for mulple hostnames
associated with a domain. Asterisks behave the same way that carets (^) behave for URL category
excepons—each asterisk controls one variable subdomain (label) in the hostname. This enables
you to create both very specific and very general exclusions. For example:
• mail.*.com matches mail.company.com but does not match mail.company.sso.com.
• *.company.com matches tools.company.com but does not match eng.tools.company.com.
• *.*.company.com matches eng.tools.company.com but does not match eng.company.com.
• *.*.*.company.com matches corp.exec.mail.company.com, but does not match
corp.mail.company.com.
• mail.google.* matches mail.google.com, but does not match mail.google.uk.com.
• mail.google.*.* matches mail.google.co.uk, but does not match mail.google.com.
For example, to use wildcards to exclude video-stats.video.google.com from decrypon but not to
exclude video.google.com from decrypon, exclude *.*.google.com.
Regardless of the number of asterisk wildcards that precede a hostname (without a non-
wildcard label preceding the hostname), the hostname matches the entry. For example,
*.google.com, *.*.google.com, and *.*.*.google.com all match google.com. However,
*.dev.*.google.com does not match google.com because one label (dev) is not a wildcard.
To increase visibility into traffic and reduce the aack surface as much as possible, don’t make
decrypon excepons unless you must.
• Palo Alto Networks Predefined Decrypon Exclusions
• Exclude a Server from Decrypon for Technical Reasons
• Create a Policy-Based Decrypon Exclusion
PAN-OS® Administrator’s Guide Version Version 9.1 912 ©2021 Palo Alto Networks, Inc.
Decrypon
The SSL Decrypon Exclusion list is not for sites that you choose not to decrypt for legal,
regulatory, business, privacy, or other volional reasons, it is only for sites that break
decrypon technically (decrypng these sites blocks their traffic). For traffic such as IP
addresses, users, URL categories, services, and even enre zones that you choose not to
decrypt, Create a Policy-Based Decrypon Exclusion.
Because the traffic of sites on the SSL Decrypon Exclusion list remains encrypted, the firewall
does not inspect or provide further security enforcement the traffic. You can disable a predefined
exclusion. For example, you may choose to disable predefined exclusions to enforce a strict
security policy that allows only applicaons and services that the firewall can inspect and
on which the firewall can enforce Security policy. However, the firewall blocks sites whose
applicaons and services break decrypon technically if they are not enabled on the SSL
Decrypon Exclusion list.
You can view and manage all Palo Alto Networks predefined SSL decrypon exclusions directly on
the firewall (Device > Cerficate Management > SSL Decrypon Exclusions).
The Hostname displays the name of the host that houses the applicaon or service that breaks
decrypon technically. You can also Add hosts to Exclude a Server from Decrypon for Technical
Reasons if it is not on the predfined list.
The Descripon displays the reason the firewall can’t decrypt the site’s traffic, for example,
pinned-cert (a pinned cerficate) or client-cert-auth (client authencaon).
PAN-OS® Administrator’s Guide Version Version 9.1 913 ©2021 Palo Alto Networks, Inc.
Decrypon
The firewall automacally removes enabled predefined SSL decrypon exclusions from the list
when they become obsolete (the firewall removes an applicaon that decrypon previously
caused to break when the applicaon becomes supported with decrypon). Show Obsoletes
checks if any disabled predefined exclusions remain on the list and are no longer needed. The
firewall does not remove disabled predefined decrypon exclusions from the list automacally, but
you can select and Delete obsolete entries.
You can select a hostname’s checkbox and then click Disable to remove predefined sites from
the list. Use the SSL Decrypon Exclusion list only for sites that break decrypon for technical
reasons, don’t use it for sites that you choose not to decrypt.
The SSL Decrypon Exclusion list is not for sites that you choose not to decrypt for legal,
regulatory, business, privacy, or other volional reasons, it is only for sites that break
decrypon technically. For traffic (IP addresses, users, URL categories, services, and
even enre zones) that you choose not to decrypt, Create a Policy-Based Decrypon
Exclusion.
Reasons that sites break decrypon technically include pinned cerficates, mutual authencaon,
incomplete cerficate chains, and unsupported ciphers. For HTTP public key pinning (HPKP), most
browsers that use HPKP permit Forward Proxy decrypon as long as you install the enterprise CA
cerficate (or the cerficate chain) on the client.
If the technical reason for excluding a site from decrypon is an incomplete cerficate
chain, the next-generaon firewall doesn’t automacally fix the chain as a browser would.
If you need to add a site to the SSL Decrypon Exclusion list, manually review the site to
ensure it’s a legimate business site, then download the missing sub-CA cerficates and
load and deploy them onto the firewall.
Aer you add a server to the SSL Decrypon Exclusion list, the firewall compares the server
hostname that you use to define the decrypon exclusion against both the Server Name
Indicaon (SNI) in the client hello message and the Common Name (CN) in the server cerficate. If
either the SNI or CN match the entry in the SSL Decrypon Exclusion list, the firewall excludes the
traffic from decrypon.
STEP 1 | Select Device > Cerficate Management > SSL Decrypon Exclusions.
STEP 2 | Add a new decrypon exclusion, or select an exisng custom entry to modify it.
PAN-OS® Administrator’s Guide Version Version 9.1 914 ©2021 Palo Alto Networks, Inc.
Decrypon
STEP 3 | Enter the hostname of the website or applicaon you want to exclude from decrypon.
You can use wildcards to exclude mulple hostnames associated with a domain. The
firewall excludes all sessions where the server presents a CN that matches the domain from
decrypon.
Make sure that the hostname field is unique for each custom entry. If a predefined exclusion
matches a custom entry, the custom entry takes precedence.
STEP 4 | (Oponal) Select Shared to share the exclusion across all virtual systems in a mulple virtual
system firewall.
STEP 5 | Exclude the applicaon from decrypon. Alternavely, if you are modifying an exisng
decrypon exclusion, you can clear this checkbox to start decrypng an entry that was
previously excluded from decrypon.
PAN-OS® Administrator’s Guide Version Version 9.1 915 ©2021 Palo Alto Networks, Inc.
Decrypon
Create an EDL or a custom URL Category that contains all the categories you choose not
to decrypt so that one Decrypon policy rule governs the encrypted traffic you choose to
allow. Apply a No Decrypon profile to the rule. The ability to add categories to an EDL or
a custom URL Category makes it easy to exclude traffic from decrypon and helps keep
the rulebase clean.
Similar to Security policy rules, the firewall compares incoming traffic to Decrypon policy
rules in the policy rulebase’s sequence. Place Decrypon exclusion rules at the top of
the rulebase to prevent inadvertently decrypng sensive traffic or traffic that laws and
regulaons prevent you from decrypng.
If you create policy-based decrypon exclusions, the best pracce is to place the following
exclusion rules at the top of the decrypon rulebase, in the following order:
1. IP-address based excepons for sensive desnaon servers.
2. Source-user based excepons for execuves and other users or groups.
3. Custom URL or EDL based excepons for desnaon URLs.
4. Sensive predefined URL Category based excepons for desnaon URLs of enre categories
such as financial-services, health-and-medicine, and government.
Place rules that decrypt traffic aer these rules in the decrypon rulebase.
PAN-OS® Administrator’s Guide Version Version 9.1 916 ©2021 Palo Alto Networks, Inc.
Decrypon
STEP 2 | Place the decrypon exclusion rule at the top of your decrypon policy rulebase.
The firewall enforces decrypon rules against incoming traffic in the rulebase sequence and
enforces the first rule that match the traffic.
Select the No-Decrypt-Finance-Health policy (Decrypon > Policies), and click Move Up unl
it appears at the top of the list, or drag and drop the rule.
PAN-OS® Administrator’s Guide Version Version 9.1 917 ©2021 Palo Alto Networks, Inc.
Decrypon
Custom response pages larger than the maximum supported size are not decrypted or
displayed to users. In PAN-OS 8.1.2 and earlier PAN-OS 8.1 releases, custom response
pages on a decrypted site cannot exceed 8,191 bytes; the maximum size is increased to
17,999 bytes in PAN-OS 8.1.3 and later releases.
PAN-OS® Administrator’s Guide Version Version 9.1 918 ©2021 Palo Alto Networks, Inc.
Decrypon
7. Save the edited page with a new filename. Make sure that the page retains its UTF-8
encoding.
8. Back on the firewall, select Device > Response Pages.
9. Select the SSL Decrypon Opt-out Page link.
10. Click Import and then enter the path and filename in the Import File field or Browse to
locate the file.
11. (Oponal) Select the virtual system on which this login page will be used from the
Desnaon drop-down or select shared to make it available to all virtual systems.
12. Click OK to import the file.
13. Select the response page you just imported and click Close.
STEP 3 | Verify that the Opt Out page displays when you aempt to browse to a site.
From a browser, go to an encrypted site that matches your decrypon policy.
Verify that the SSL Decrypon Opt-out response page displays.
PAN-OS® Administrator’s Guide Version Version 9.1 919 ©2021 Palo Alto Networks, Inc.
Decrypon
The command to disable SSL decrypon doesn’t persist in the configuraon aer a reboot.
If you turn off decrypon temporarily and then reboot the firewall, regardless of whether
the issue has been fixed, decrypon is turned on again.
PAN-OS® Administrator’s Guide Version Version 9.1 920 ©2021 Palo Alto Networks, Inc.
Decrypon
PAN-OS® Administrator’s Guide Version Version 9.1 921 ©2021 Palo Alto Networks, Inc.
Decrypon
4. Reboot the firewall (Device > Setup > Operaons). This feature is not available for
configuraon unl PAN-OS reloads.
STEP 3 | Enable the firewall to forward decrypted traffic. Superuser permission is required to perform
this step.
On a firewall with a single virtual system:
1. Select Device > Setup > Content - ID.
2. Select the Allow forwarding of decrypted content check box.
3. Click OK to save.
On a firewall with mulple virtual systems:
1. Select Device > Virtual System.
2. Select a Virtual System to edit or create a new Virtual System by selecng Add.
3. Select the Allow forwarding of decrypted content check box.
4. Click OK to save.
PAN-OS® Administrator’s Guide Version Version 9.1 922 ©2021 Palo Alto Networks, Inc.
Decrypon
forwarding the decrypted traffic to other threat detecon devices, such as a DLP device
or another intrusion prevenon system (IPS).
4. Click OK to save the decrypon profile.
STEP 6 | Aach the decrypon profile rule (with decrypon port mirroring enabled) to a decrypon
policy rule. All traffic decrypted based on the policy rule is mirrored.
1. Select Policies > Decrypon.
2. Click Add to configure a decrypon policy or select an exisng decrypon policy to edit.
3. In the Opons tab, select Decrypt and the Decrypon Profile created in step 4.
4. Click OK to save the policy.
PAN-OS® Administrator’s Guide Version Version 9.1 923 ©2021 Palo Alto Networks, Inc.
Decrypon
Verify Decrypon
Aer you configure a best pracce decrypon profile and apply it to traffic, check the log files
to verify that the firewall is decrypng the traffic that you intend to decrypt and that the firewall
is not decrypng the traffic that you don’t want to decrypt. In addion, follow post-deployment
decrypon best pracces to maintain the deployment.
View Decrypted Traffic Sessions—Filter the Traffic Logs (Monitor > Logs > Traffic) using the
filter ( flags has proxy ).
This filter displays only logs in which the SSL proxy flag is on, meaning only decrypted traffic—
every log entry has the value yes in the Decrypted column.
You can filter the traffic in a more granular fashion by adding more terms to the filter.
For example, you can filter for decrypted traffic going only to the desnaon IP address
172.217.3.206 by adding the filter ( addr.dst in 172.217.3.206 ):
PAN-OS® Administrator’s Guide Version Version 9.1 924 ©2021 Palo Alto Networks, Inc.
Decrypon
View SSL Traffic Sessions That Are Not Decrypted—Filter the Traffic Logs (Monitor > Logs >
Traffic) using the filter ( not flags has proxy ) and ( app eqssl ).
This filter displays only logs in which the SSL proxy flag is off (meaning only encrypted traffic)
and the traffic is SSL traffic; every log entry has the value no in the Decrypted column and the
value ssl in the Applicaon column.
Similar to the example for viewing decrypted traffic logs, you can add terms to filter the traffic
that you don’t decrypt in a more granular fashion.
View The Log for a Parcular Session—To view the decrypon log for a parcular session, filter
on the Session ID.
For example, to see the log for a session with the ID 362370, filter using the term
( sessionid eq 362370 ). You can find the ID number in the Session ID column in the
log output, as shown in the previous screens. If the Session ID column isn’t displayed, add the
column to the output.
PAN-OS® Administrator’s Guide Version Version 9.1 925 ©2021 Palo Alto Networks, Inc.
Decrypon
View All TLS and SSH Traffic—Filter the Traffic Logs (Monitor > Logs > Traffic) to view both
decrypted and undecrypted TLS and SSH traffic, use the filter ( s_encrypted neq 0):
Drill Down Into the Details—To view more informaon about a parcular log entry, click the
magnifying glass to see a detailed log view. For example, for Session ID 362370 (shown in the
previous bullet), the detailed log looks like this:
The box for the Decrypted flag provides a second way to verify if traffic was decrypted.
You can also take upstream and downstream packet captures of decrypted traffic to view
how the firewall processes SSL traffic and takes acons on packets, or perform deep packet
inspecon.
PAN-OS® Administrator’s Guide Version Version 9.1 926 ©2021 Palo Alto Networks, Inc.
Decrypon
Decrypon Broker
Decrypon broker allows you to offload SSL decrypon to the Palo Alto Networks next-
generaon firewall and decrypt traffic only once. A firewall enabled as a decrypon broker
forwards clear text traffic to security chains (sets of inline, third-party appliances) for addional
enforcement.
This allows you to consolidate security funcons on the firewall and to simplify your network
security deployment: decrypon broker eliminates the need for a third-party SSL decrypon
soluon and allows you to reduce the number of third-party devices performing traffic analysis
and enforcement. For networks without a dedicated SSL decrypon appliance, decrypon broker
reduces latency because the traffic flow is decrypted only once.
Decrypon broker is supported for PA-7000 Series, PA-5200 Series, PA-3200 Series devices and
VM-300, VM-500, and VM-700 models. It requires SSL Forward Proxy decrypon to be enabled,
where the firewall is established as a trusted third party (or man-in-the-middle) to session traffic.
A firewall interface cannot be both a decrypon broker and a GRE tunnel endpoint.
PAN-OS® Administrator’s Guide Version Version 9.1 927 ©2021 Palo Alto Networks, Inc.
Decrypon
the security chain either unidireconally or bidireconally based on your analysis needs (see
Decrypon Broker: Security Chain Session Flow to learn more about when to use a unidireconal
or bidireconal flow).
The following figure shows how decrypon broker works.
PAN-OS® Administrator’s Guide Version Version 9.1 928 ©2021 Palo Alto Networks, Inc.
Decrypon
assigned to a brand new virtual router (one that has no configured routes or other interfaces used
to pass dataplane traffic); this ensures that the clear text sessions that the firewall forwards to a
security chain for addional analysis are totally segmented from dataplane traffic.
In a decrypon broker deployment with a Layer 3 Security Chain, a pair of two decrypon
forwarding interfaces can support up to 64 security chains.
A pair of decrypon forwarding interfaces supports a single Transparent Bridge security chains;
however, you can configure mulple decrypon forwarding interface pairs to support mulple
transparent bridge security chains.
PAN-OS® Administrator’s Guide Version Version 9.1 929 ©2021 Palo Alto Networks, Inc.
Decrypon
Alternavely, the following figure shows the same firewall enabled as a decrypon broker
direcng decrypted traffic through a Layer 3 security chain; however, in this example, the firewall
directs all sessions to flow through the security unidireconally. The firewall uses the Primary
Interface dedicated to decrypon forwarding to forward both inbound and outbound sessions to
the first security chain device. The last security chain device forwards both inbound and outbound
sessions back to the firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 930 ©2021 Palo Alto Networks, Inc.
Decrypon
In both Layer 3 security chain deployments (bidireconal and unidireconal), the firewall re-
encrypts the traffic the security chain returns and connues to forward it to its desnaon.
Configure Decrypon Broker with One or More Layer 3 Security Chain to get started with either
of these deployments.
PAN-OS® Administrator’s Guide Version Version 9.1 931 ©2021 Palo Alto Networks, Inc.
Decrypon
PAN-OS® Administrator’s Guide Version Version 9.1 932 ©2021 Palo Alto Networks, Inc.
Decrypon
PAN-OS® Administrator’s Guide Version Version 9.1 933 ©2021 Palo Alto Networks, Inc.
Decrypon
process traffic, you can configure the firewall to distribute clear text sessions to mulple security
chain networks for inspecon. The firewall can distribute sessions among both types of security
chain networks, so that security chains can share the inspecon load; however, the methods to
enable session distribuon varies depending on whether you are using Layer 3 security chains or
Transparent Bridge security chains.A decrypon broker forwarding to mulple Layer 3 Security
Chains can distribute sessions for inspecon using one of four methods:
• IP modulo—The firewall assigns sessions based on the modulo hash of the source and
desnaon IP addresses.
• IP hash—The firewall assigns sessions based on the IP hash of the source and desnaon IP
addresses and port numbers.
• Round robin—The firewall allocates sessions evenly amongst the security chains.
• Lowest latency—The firewall allocates more sessions to the security chain with the lowest
latency.
A decrypon broker forwarding to mulple Transparent Bridge Security Chains must be configured
to perform policy-based session distribuon; traffic matched to a policy rule is forwarded only to
the security chain associated with that rule. For example, specify a different source address range
for each decrypon policy to dedicate a single Transparent Bridge security chain to analyze and
enforce traffic originang from specified IP address ranges.
When configuring mulple security chains, make sure that you’re deploying enough security
chains to provide excess capacity in the event of a security chain failure. If you enable the firewall
to perform Security Chain Health Checks, and a security chain fails, the firewall connues to
distribute decrypted sessions among the healthy security chains. If there are not enough healthy
chains to cover the addional load, that single security chain failure could result in cascading
failures as the remaining healthy security chains are oversubscribed.
The first image below shows a decrypon broker deployment with mulple Layer 3 security
chains. Note that a single pair of Decrypon Forwarding Interfaces can forward decrypted traffic
to mulple Layer 3 security chains (up to 64).
The second image below shows a decrypon broker deployment with mulple Transparent Bridge
security chains; a dedicated pair of decrypon forwarding interfaces is required to forward to each
separate Transparent Bridge security chain.
PAN-OS® Administrator’s Guide Version Version 9.1 934 ©2021 Palo Alto Networks, Inc.
Decrypon
PAN-OS® Administrator’s Guide Version Version 9.1 935 ©2021 Palo Alto Networks, Inc.
Decrypon
PAN-OS® Administrator’s Guide Version Version 9.1 936 ©2021 Palo Alto Networks, Inc.
Decrypon
policy enforcement; however, it does not undergo security chain analysis. This opon is only
supported with Layer 3 security chains. Because session distribuon for Transparent Bridge
security chains is policy-based traffic cannot bypass a failed chain as the traffic matched to a
policy rule is assigned to a specific chain for inspecon.
You might choose if you want the firewall to block sessions or bypass a security chain if a security
chain fails based on your organizaon’s compliance and usability needs.
When configuring mulple security chains, it is a best pracce to deploy enough security chains
to provide excess capacity in the event of a security chain failure. If you enable the firewall
to perform Security Chain Health Checks, and a security chain fails, the firewall connues to
distribute decrypted sessions among the healthy security chains. If there are not enough healthy
chains to cover the addional load, that single security chain failure could result in cascading
failures as the remaining healthy security chains are oversubscribed.
PAN-OS® Administrator’s Guide Version Version 9.1 937 ©2021 Palo Alto Networks, Inc.
Decrypon
• When configuring mulple security chains, it is a best pracce to deploy enough security chains
to provide excess capacity in the event of a security chain failure. If you enable the firewall
to perform Security Chain Health Checks, and a security chain fails, the firewall connues
to distribute decrypted sessions among the healthy security chains. If there are not enough
healthy chains to cover the addional load, that single security chain failure could result in
cascading failures as the remaining healthy security chains are oversubscribed.
STEP 2 | Acvate the free Decrypon Broker license (see Decrypon Licenses).
STEP 3 | Confirm that the firewall is enabled to perform SSL Forward Proxy decrypon.
Select Policies > Decrypon to Add or modify a decrypon policy rule. You can also aach a
decrypon profile to a decrypon policy rule, to perform cerficate checks and to validate SSL
protocols. For example, a decrypon profile allows you to block sessions based on cerficate
status, using unsupported protocols or cipher suits, or if the resources to perform decrypon
are not available.
PAN-OS® Administrator’s Guide Version Version 9.1 938 ©2021 Palo Alto Networks, Inc.
Decrypon
to the decrypon forwarding interfaces to ensure the clear text sessions that the firewall
forwards for addional analysis are totally segmented from dataplane traffic.
3. Connue to assign the interface to a Security Zone. (Assign both interfaces to the same
security zone).
4. On the Advanced tab, select Decrypt Forward.
5. Click OK to save the interface sengs.
6. Repeat these steps for an even number of interfaces, pairing two as you go.
7. Make sure that the interfaces enabled to forward decrypted traffic are not being used to
pass any other type of traffic.
STEP 5 | Create a Decrypon Forwarding profile to define sengs for the firewall to forward
decrypted traffic to a Layer 3 security chain.
1. Select Objects > Decrypon > Forwarding Profile, Add a new Decrypon Forwarding
Profile, and give the profile a descripve Name.
2. On the General tab, set the Security Chain Type to Routed (layer 3) to configure the
firewall to forward decrypted traffic to a security chain with Layer 3 devices.
3. Set the Flow Direcon for decrypted traffic the firewall forwards: Unidireconal or
Bidireconal.
4. Select the Primary Interface and Secondary Interface the firewall uses to communicate
with the security chain.
Together, the primary and secondary interfaces form a pair of decrypon forwarding
interfaces. Only interfaces that you have enabled to be Decrypt Forward interfaces are
displayed here. Your security chain type (Layer 3 or Transparent Bridge) and the traffic
flow direcon (unidireconal or bidireconal) determine which of the two interfaces
forwards allowed, clear text traffic to the security chain, and which interface receives the
traffic back from the security chain aer it has undergone addional enforcement.
5. Click OK to save the decrypon profile.
STEP 7 | (Mulple Security Chains Only) Connue on the Security Chains tab and choose the Session
Distribuon Method for the firewall to use to distribute decrypted sessions amongst security
chains.
Choose for session distribuon to be based on IP Modulo, IP Hash, Round Robin, or Lowest
Latency. The Lowest Latency distribuon method requires you to also enable the firewall to
perform HTTP Latency Monitoring and HTTP Monitoring on the security chain.
PAN-OS® Administrator’s Guide Version Version 9.1 939 ©2021 Palo Alto Networks, Inc.
Decrypon
STEP 8 | Select the Health Monitor tab to enable the firewall to perform Security Chain Health Checks
on security chains.
If a security chain fails a health check, the firewall can then either block traffic unl the security
chain passes a subsequent health check and is able to process it, or the firewall can allow traffic
to bypass a failed security chain.
1. On Health Check Failure, choose for the firewall to either Bypass Security Chain or Block
Session.
2. Define a Health Check Failed Condion as an event where any of the health monitor
condions are met (an OR Condion), or when all of the condions are met (an AND
Condion).
3. Enable Path Monitoring, HTTP Latency Monitoring, and/or HTTP Monitoring. For each
type of monitoring you want to enable, define the periods of me and/or counts that you
want to trigger a health check failure.
Latency and HTTP monitoring are required to effecvely support Lowest Latency session
distribuon (Objects > Decrypon > Forwarding Profile > Security Chains Session
Distribuon Method).
STEP 11 | Monitor the decrypted traffic that the firewalls forwards for addional inspecon.
1. Select Monitor > Logs > Traffic and use the following filter: (flags has decrypt-
forwarded).
2. Check the details for a traffic log entry and look for the Decrypt Forwarded flag.
PAN-OS® Administrator’s Guide Version Version 9.1 940 ©2021 Palo Alto Networks, Inc.
Decrypon
• When configuring mulple security chains, it is a best pracce to deploy enough security chains
to provide excess capacity in the event of a security chain failure. If you enable the firewall
to perform Security Chain Health Checks, and a security chain fails, the firewall connues
to distribute decrypted sessions among the healthy security chains. If there are not enough
healthy chains to cover the addional load, that single security chain failure could result in
cascading failures as the remaining healthy security chains are oversubscribed.
STEP 2 | Acvate the free Decrypon Broker license (see Decrypon Licenses).
STEP 3 | Confirm that the firewall is enabled to perform SSL Forward Proxy decrypon.
Select Policies > Decrypon to Add or modify a decrypon policy rule. You can also aach a
decrypon profile to a decrypon policy rule, to perform cerficate checks and validate SSL
protocols. For example, a decrypon profile allows you to block sessions based on cerficate
status, using unsupported protocols or cipher suits, or if the resources to perform decrypon
are not available.
PAN-OS® Administrator’s Guide Version Version 9.1 941 ©2021 Palo Alto Networks, Inc.
Decrypon
STEP 5 | Create a Decrypon Forwarding profile to define sengs for the firewall to forward
decrypted traffic to a Transparent Bridge security chain.
1. Select Objects > Decrypon > Forwarding Profile, Add a new Decrypon Forwarding
Profile, and give the profile a descripve Name.
2. On the General tab, set the Security Chain Type to Transparent Bridge to configure the
firewall to forward decrypted traffic to a security chain with Transparent Bridge devices.
3. Set the Flow Direcon for decrypted traffic the firewall forwards: Unidireconal or
Bidireconal.
4. Select the Primary Interface and Secondary Interface the firewall uses to forward traffic
to the security chain.
Together, the primary and secondary interfaces form a pair of decrypon forwarding
interfaces. Only interfaces that you have enabled to be Decrypt Forward interfaces are
displayed here.
PAN-OS® Administrator’s Guide Version Version 9.1 942 ©2021 Palo Alto Networks, Inc.
Decrypon
STEP 6 | Select the Health Monitor tab to enable the firewall to perform health checks on a
Transparent Bridge security chain.
1. Set On Health Check Failure to Block Session if you want to drop traffic unl the health
check succeeds or set it to Bypass Security Chain to forward traffic without going
through the security chain.
Transparent Bridge security chain session distribuon is policy-based, so traffic cannot
fail over to a different security chain (as it can in Layer 3 mode) because the traffic
matched to a policy rule is assigned to a specific chain for inspecon.
2. Define a Health Check Failed Condion as an event where any of the health monitor
condions are met (an OR Condion), or when all of the condions are met (an AND
Condion).
3. Enable Path Monitoring, HTTP Latency Monitoring, and/or HTTP Monitoring. For each
type of monitoring you want to enable, define the periods of me and/or counts that you
want to trigger a health check failure.
Latency and HTTP monitoring are required to effecvely support Lowest Latency session
distribuon (Objects > Decrypon > Forwarding Profile > Security Chains > Session
Distribuon Method).
STEP 9 | (Oponal) Connue to Configure Decrypon Broker with Mulple Transparent Bridge
Security Chains.
STEP 10 | Monitor the decrypted traffic that the firewall has forwarded for addional inspecon.
• Select Monitor > Logs > Traffic and add the filter: (flags has decrypt-forwarded).
• Check the details for a traffic log entry and look for the Decrypt Forwarded flag.
PAN-OS® Administrator’s Guide Version Version 9.1 943 ©2021 Palo Alto Networks, Inc.
Decrypon
STEP 2 | Aach each Transparent Bridge Decrypon Forwarding profile to a separate decrypon
policy rule.
In addion to applying the decrypon forwarding sengs to matching traffic, aaching
Transparent Bridge Decrypon Forwarding profiles to decrypon policies rules allows you to
distribute sessions amongst the Transparent Bridge Security chains. Specify a different source
address range for each policy rule to dedicate a single Transparent Bridge security chain to
analyze and enforce traffic originang from that range.
1. Select Policies > Decrypon and select a decrypon policy rule.
2. Select Source and Add a Source Address range, or click New Address to create a new
address objects that idenfies traffic originang from a given IP address range. Only
traffic originang from this IP address range is forwarded to the associated Transparent
Bridge security chain for analysis.
3. Select Opons.
4. Set the Acon to Decrypt and Forward.
5. Select a Transparent Bridge Forwarding Profile to aach to the policy rule.
6. Click OK to save the policy rule and Commit your changes.
STEP 3 | Connue to repeat these steps—associated one Transparent Bridge decrypon forwarding
profile with one decrypon policy—for as many security chains as you want to support.
PAN-OS® Administrator’s Guide Version Version 9.1 944 ©2021 Palo Alto Networks, Inc.
Decrypon
STEP 3 | Find the device on which you want to enable decrypon broker or decrypon port mirroring
and select Acons (the pencil icon).
PAN-OS® Administrator’s Guide Version Version 9.1 945 ©2021 Palo Alto Networks, Inc.
Decrypon
STEP 5 | Select the feature for which you want to acvate a free license: Decrypon Port Mirror or
SSL Decrypon Broker.
STEP 7 | Install the decrypon broker or decrypon mirroring license on the firewall.
1. Select Device > Licenses.
2. Click Retrieve license keys from the license server.
3. Verify that the SSL Decrypon Broker or the Decrypon Port Mirror license is now
acve on the firewall.
4. Restart the firewall (Device > Setup > Operaons). Decrypon port mirroring and
decrypon broker are not available for configuraon unl the firewall reloads.
PAN-OS® Administrator’s Guide Version Version 9.1 946 ©2021 Palo Alto Networks, Inc.
URL Filtering
Palo Alto Networks URL Filtering allows you to monitor and control the sites users can
access, to prevent phishing aacks by controlling the sites to which users can submit
valid corporate credenals, and to enforce safe search for search engines like Google
and Bing.
> About Palo Alto Networks URL > Create a Custom URL Category
Filtering Soluon > URL Category Excepons
> How Advanced URL Filtering Works > Use an External Dynamic List in a
> URL Filtering Use Cases URL Filtering Profile
> URL Categories > Allow Password Access to Certain
> Plan Your URL Filtering Deployment Sites
> Acvate The Advanced URL Filtering > URL Filtering Response Pages
Subscripon > Customize the URL Filtering
> Configure URL Filtering Response Pages
> Monitor Web Acvity > Request to Change the Category for
a URL
> Log Only the Page a User Visits
> Troubleshoot URL Filtering
> PAN-DB Private Cloud
947
URL Filtering
Legacy URL Filtering subscripon holders are able to connue using their URL filtering
deployment unl the end of the license term.
You can create policy rules to limit access to sites based on URL categories, users, and groups.
(See URL Filtering Use Cases for different ways you can leverage your Advanced URL Filtering
subscripon to meet your organizaon’s web security needs.)
With Advanced URL Filtering enabled, URL requests are:
• Compared against the PAN-DB URL database, which contains millions of websites that have
been categorized. You can use these URL categories in URL Filtering profiles or as match
criteria to enforce Security policy. You can also use URL filtering to enforce safe search sengs
for your users and to prevent credenal phishing based on URL category.
• Analyzed in real-me using the cloud-based Advanced URL Filtering detecon modules to
provide protecon against new and unknown threats that do not currently exist in the URL
filtering database.
If the network security requirements in your enterprise prohibit the firewalls from directly
accessing the Internet, Palo Alto Networks provides an offline URL filtering soluon with the
PAN-DB Private Cloud. This allows you to deploy a PAN-DB private cloud on one or more M-600
appliances that funcon as PAN-DB servers within your network.
PAN-OS® Administrator’s Guide Version Version 9.1 948 ©2021 Palo Alto Networks, Inc.
URL Filtering
When a user requests a web page, the firewall queries user-added excepons and PAN-DB for
the site’s risk category. PAN-DB uses URL informaon from Unit 42, WildFire, passive DNS,
Palo Alto Networks telemetry data, data from the Cyber Threat Alliance, and applies various
analyzers to determine the category. If the URL displays risky or malicious characteriscs, it is also
submied to Advanced URL Filtering in the cloud for real-me analysis and generates addional
analysis data. The resulng risk category is then retrieved by the firewall and is used to enforce
the web-access rules based on your policy configuraon. Addionally, the firewall caches site
categorizaon informaon for new entries to enable fast retrieval for subsequent requests, while
it removes URLs that users have not accessed recently so that it accurately reflects the traffic
in your network. Addionally, checks built into PAN-DB cloud queries ensure that the firewall
receives the latest URL categorizaon informaon. If you do not have Internet connecvity or an
acve URL filtering license, no queries are made to PAN-DB.
PAN-OS® Administrator’s Guide Version Version 9.1 949 ©2021 Palo Alto Networks, Inc.
URL Filtering
The firewall determines a website’s URL category by comparing it to entries in 1) custom URL
categories, 2) external dynamic lists (EDLs), and 3) predefined URL categories, in order of
precedence.
Firewalls configured to analyze URLs in real-me using machine learning (PAN-OS 10.0 and later)
on the dataplane provides an addional layer of security against phishing websites and JavaScript
exploits. The inline ML models used to idenfy these URL-based threats extend to currently
unknown as well as future variants of threats that match characteriscs that Palo Alto Networks
has idenfied as malicious. To keep up with the latest changes in the threat landscape, inline ML
models are added or updated via content releases.
When the firewall checks PAN-DB for a URL, it also looks for crical updates, such as URLs that
previously qualified as benign but are now malicious.
If you believe PAN-DB has incorrectly categorized a site, you can submit a URL category change
request in your browser through Test A Site or directly from the firewall logs.
PAN-OS® Administrator’s Guide Version Version 9.1 950 ©2021 Palo Alto Networks, Inc.
URL Filtering
PAN-OS® Administrator’s Guide Version Version 9.1 951 ©2021 Palo Alto Networks, Inc.
URL Filtering
Enforce Security, Decrypon, Authencaon, and QoS policies based on URL category
You can enforce different types of firewall policies based on URL categories. For example, suppose
you have enabled Decrypon, but you want to exclude certain personal informaon from being
decrypted. In this case you could create a Decrypon policy rule that excludes websites that
match the URL categories financial-services and health-and-medicine from decrypon. Another
example would be to use the URL category streaming-media in a QoS policy to apply bandwidth
controls to websites that fall in to this category.
The following table describes the policies that accept URL categories as match criteria:
PAN-OS® Administrator’s Guide Version Version 9.1 952 ©2021 Palo Alto Networks, Inc.
URL Filtering
PAN-OS® Administrator’s Guide Version Version 9.1 953 ©2021 Palo Alto Networks, Inc.
URL Filtering
URL Categories
PAN-DB classifies websites based on site content, features, and safety. A URL can have up to four
categories, including risk categories (high, medium, and low), which indicate how likely it is that
the site will expose you to threats. For a complete list of predefined URL categories, see PAN-DB
URL Filtering Categories.
Visit Test A Site to see how PAN-DB categorizes a URL, and to learn about all available URL
categories. You can also use Test A Site to submit a URL category change request, or you can
submit the request directly in the firewall: select Monitor > Logs and open the details for a log
entry. Under the URL category, you’ll see the opon to submit a change request.
Read on to learn more about URL categories:
• URL Filtering Use Cases
• Security-Focused URL Categories
• Malicious URL Categories
• Verified URL Categories
• Policy Acons You Can Take Based on a URL Category
PAN-OS® Administrator’s Guide Version Version 9.1 954 ©2021 Palo Alto Networks, Inc.
URL Filtering
Low-Risk Sites that are not medium or high risk are considered
low risk. These sites have displayed benign acvity for a
minimum of 90 days.
Default and Recommended Policy Acon: Allow
Newly-Registered Domains Idenfies sites that have been registered within the last
32 days. New domains are frequently used as tools in
malicious campaigns.
Default Policy Acon: Alert
Recommended Policy Acon: Block
PAN-OS® Administrator’s Guide Version Version 9.1 955 ©2021 Palo Alto Networks, Inc.
URL Filtering
• malware—Sites known to host malware or used for command and control (C2) traffic. May also
exhibit Exploit Kits.
• phishing—Known to host credenal phishing pages or phishing for personal idenficaon. This
includes web content that covertly aempts to fool the user in order to harvest informaon,
including login credenals, credit card informaon – voluntarily or involuntarily, account
numbers, PINs, and any informaon considered to be personally idenfiable informaon (PII)
from vicms via social engineering techniques. Technical support scams and scareware are also
included as phishing.
• grayware—Websites and services that do not meet the definion of a virus or pose a direct
security threat but displays obtrusive behavior and influences users to grant remote access
or perform other unauthorized acons. Grayware includes scams, illegal acvies, criminal
acvies, get rich quick sites, adware, and other unwanted or unsolicited applicaons, such as
embedded crypto miners or hijackers that change the elements of the browser. Typosquang
domains that do not exhibit maliciousness and is not owned by the targeted domain will be
categorized as grayware. Prior to Content release version 8206, the firewall placed grayware
in either the malware or quesonable URL category. If you are unsure about whether to block
grayware, start by alerng on grayware, invesgate the alerts, and then decide whether to
block grayware or connue to alert on grayware.
• dynamic-dns—Hosts and domain names for systems with dynamically assigned IP addresses
and which are oenmes used to deliver malware payloads or C2 traffic. Also, dynamic DNS
domains do not go through the same veng process as domains that are registered by a
reputable domain registraon company, and are therefore less trustworthy.
• unknown—Sites that have not yet been idenfied by PAN-DB. If availability is crical to your
business and you must allow the traffic, alert on unknown sites, apply the best pracce Security
profiles to the traffic, and invesgate the alerts.
PAN-DB Real-Time Updates learns unknown sites aer the first aempt to access an
unknown site, so unknown URLs are idenfied quickly and become known URLs that
the firewall can then handle based on the actual URL category.
• newly-registered-domain—Newly registered domains are oen generated purposely or by
domain generaon algorithms and used for malicious acvity.
• copyright-infringement—Domains with illegal content, such as content that allows illegal
download of soware or other intellectual property, which poses a potenal liability risk. This
category was introduced to enable adherence to child protecon laws required in the educaon
industry as well as laws in countries that require internet providers to prevent users from
sharing copyrighted material through their service.
• extremism—Websites promong terrorism, racism, fascism, or other extremist views
discriminang against people or groups of different ethnic backgrounds, religions or other
beliefs. This category was introduced to enable adherence to child protecon laws required in
the educaon industry. In some regions, laws and regulaons may prohibit allowing access to
extremist sites, and allowing access may pose a liability risk.
• proxy-avoidance-and-anonymizers—URLs and services oen used to bypass content filtering
products.
• quesonable— Websites containing tasteless humor, offensive content targeng specific
demographics of individuals, or groups of people.
PAN-OS® Administrator’s Guide Version Version 9.1 956 ©2021 Palo Alto Networks, Inc.
URL Filtering
Malware Block
Phishing
Grayware
For more informaon about current URL categories, refer to: Complete List of PAN-DB
URL Filtering Categories
PAN-OS® Administrator’s Guide Version Version 9.1 957 ©2021 Palo Alto Networks, Inc.
URL Filtering
Learn more about configuring a best pracce URL Filtering profile to ensure protecon
against URLs that have been observed hosng malware or exploitave content.
Acon Descripon
Site Access
alert The website is allowed and a log entry is generated in the URL filtering
log.
Set alert as the Acon for categories of traffic you don’t block
to log and provide visibility into the traffic.
block The website is blocked and the user will see a response page and will
not be able to connue to the website. A log entry is generated in the
URL filtering log.
Blocking site access for a URL category also sets User Credenal
Submissions for that URL category to block.
connue The user will be prompted with a response page indicang that the site
has been blocked due to company policy, but the user is prompted with
the opon to connue to the website. The connue acon is typically
used for categories that are considered benign and is used to improve
the user experience by giving them the opon to connue if they feel
the site is incorrectly categorized. The response page message can be
PAN-OS® Administrator’s Guide Version Version 9.1 958 ©2021 Palo Alto Networks, Inc.
URL Filtering
Acon Descripon
customized to contain details specific to your company. A log entry is
generated in the URL filtering log.
override The user will see a response page indicang that a password is required
to allow access to websites in the given category. With this opon, the
security admin or helpdesk person would provide a password granng
temporary access to all websites in the given category. A log entry
is generated in the URL filtering log. See Allow Password Access to
Certain Sites.
In earlier release versions, URL Filtering category overrides had priority
enforcement ahead of custom URL categories. As part of the upgrade
to PAN-OS 9.0, URL category overrides are converted to custom URL
categories, and no longer receive priority enforcement over other
custom URL categories. Instead of the acon you defined for the
category override in previous release versions, the new custom URL
category is enforced by the Security policy rule with the strictest URL
Filtering profile acon. From most strict to least strict, possible URL
Filtering profile acons are: block, override, connue, alert, and allow.
This means that, if you had URL category overrides with the acon
allow, there’s a possibility the overrides might be blocked aer they are
converted to custom URL category in PAN-OS 9.0.
none The none acon only applies to custom URL categories. Select none to
ensure that if mulple URL profiles exist, the custom category will not
have any impact on other profiles. For example, if you have two URL
profiles and the custom URL category is set to block in one profile, if
you do not want the block acon to apply to the other profile, you must
set the acon to none.
Also, in order to delete a custom URL category, it must be set to none in
any profile where it is used.
PAN-OS® Administrator’s Guide Version Version 9.1 959 ©2021 Palo Alto Networks, Inc.
URL Filtering
Acon Descripon
allow (default) Allow users to submit corporate credenals to websites in this URL
category.
connue Display a response page to users that prompts them to select Connue
to access to access the site. By default, the An Phishing Connue Page
is shown to user when they access sites to which credenal submissions
are discouraged. You can also choose to create a custom response page
to display—for example, if you want to warn users against phishing
aempts or reusing their credenals on other websites.
PAN-OS® Administrator’s Guide Version Version 9.1 960 ©2021 Palo Alto Networks, Inc.
URL Filtering
At that me, you can also reduce URL filtering logs by enabling the Log container page
only opon in the URL Filtering profile so only the main page that matches the category
will be logged, not subsequent pages/categories that may be loaded within the container
page.
STEP 1 | At any me, you can use Test A Site to see how PAN-DB—the URL Filtering cloud database—
categorizes a specific URL, and to learn about all possible URL categories.
You can also use Test A Site to submit a change request, if you disagree with how a specific
URL is categorized.
STEP 2 | Create a passive URL Filtering profile, that alerts on all categories so you have visibility into
web traffic.
1. Select Objects > Security Profiles > URL Filtering .
2. Select the default profile and then click Clone. The new profile will be named default-1.
3. Select the default-1 profile and rename it. For example, rename it to URL-Monitoring.
PAN-OS® Administrator’s Guide Version Version 9.1 961 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 3 | Configure the acon for all categories to alert, except for malware, command-and-control,
and phishing, which should remain blocked.
1. In the secon that lists all URL categories, select all categories.
2. To the right of the Acon column heading, mouse over and select the down arrow and
then select Set Selected Acons and choose alert.
STEP 4 | Apply the URL Filtering profile to the security policy rule(s) that allows web traffic for users.
1. Select Policies > Security and select the appropriate security policy to modify it.
2. Select the Acons tab and in the Profile Seng secon, click the drop-down for URL
Filtering and select the new profile.
3. Click OK to save.
STEP 6 | View the URL filtering logs to see all of the website categories that your users are accessing.
The categories you’ve set to block are also logged.
For informaon on viewing the logs and generang reports, see Monitor Web Acvity.
Select Monitor > Logs > URL Filtering. A log entry will be created for any website that exists in
the URL filtering database that is in a category set to any acon other than allow. URL Filtering
reports give you a view of web acvity in a 24-hour period. ( Monitor > Reports).
PAN-OS® Administrator’s Guide Version Version 9.1 962 ©2021 Palo Alto Networks, Inc.
URL Filtering
recently. For everything that you do not explicitly allow or block, you can use risk categories
to write simple policy based on website safety.
You can take precauonary measures to limit your users’ interacon high-risk sites
especially, as there might be some cases where you want to give your users access to
sites that might also present safety concerns (for example, you might want to allow
your developers to use developer blogs for research, yet blogs are a category known to
commonly host malware).
• Pair URL Filtering with User-ID to control web access based on organizaon or department
and to block corporate credenal submissions to unsanconed sites:
• URL Filtering prevents credenal the by detecng corporate credenal submissions to
sites based on the site category. Block users from subming credenals to malicious and
untrusted sites, warn users against entering corporate credenals on unknown sites or
reusing corporate credenals on non-corporate sites, and explicitly allow users to submit
credenals to corporate sites.
• Add or update a security policy rule with the passive URL Filtering profile so that it
applies to a department user group, for example, Markeng or Engineering ( Policies >
Security > User). Monitor the department acvity, and get feedback from department
members to understand the web resources that are essenal to the work they do.
• Consider all the ways you can use URL Filtering to reduce your aack surface and to control
web usage. For example, if you’re a school, you can use URL Filtering to enforce strict safe
search sengs, where search engines filter out adult images and videos from search results.
Or, if you have a security operaons center, you might give threat analysts password access
to compromised or dangerous sites for research, that you might not want to otherwise open
up to enre organizaons or teams.
• Follow the URL Filtering Best Pracces.
PAN-OS® Administrator’s Guide Version Version 9.1 963 ©2021 Palo Alto Networks, Inc.
URL Filtering
• Prevent credenal the by enabling the firewall to detect corporate credenal submissions to
sites, and then control those submissions based on URL category. Block users from subming
credenals to malicious and untrusted sites, warn users against entering corporate credenals
PAN-OS® Administrator’s Guide Version Version 9.1 964 ©2021 Palo Alto Networks, Inc.
URL Filtering
on unknown sites or reusing corporate credenals on non-corporate sites, and explicitly allow
users to submit credenals to corporate and sanconed sites.
• Decrypt, inspect, and strictly limit how users interact with high-risk and medium-risk content (if
you decided not to block any of the Malicious URL Categories for business reasons, you should
also strictly limit how users interact with those categories).
The web content that you sancon and the malicious URL categories that you block outright
are just one poron of your overall web traffic. The rest of the content your users are accessing
is a combinaon of benign (low-risk) and risky content (high-risk and medium-risk). High-risk
and medium-risk content is not confirmed malicious but is closely associated with malicious
sites. For example, a high-risk URL might be on the same domain as a malicious site, or maybe it
hosted malicious content in the past.
However, many sites that pose a risk to your organizaon also provide valuable resources
and services to your users (cloud storage services are a good example). While these resources
and services are necessary for business, they are also more likely to be used as part of a
cyberaack. Here’s how to control how users interact with this potenally-dangerous content,
while sll providing them a good user experience:
• In a URL Filtering profile, set the high-risk and medium-risk categories to connue to display
a response page that warns users they’re vising a potenally-dangerous site. Advise them
how to take precauons if they decide to connue to the site. If you don’t want to prompt
users with a response page, alert on the high-risk and medium-risk categories instead.
• Decrypt decrypt high-risk and medium-risk sites.
• Follow the An-Spyware, Vulnerability Protecon, and File Blocking best pracces for high-
risk and medium-risk sites. A protecve measure would be to block downloads of dangerous
file types and blocking obfuscated JavaScript.
• Stop credenal the by blocking users from subming their corporate credenals to high-
risk and medium-risk sites.
• Schools or educaonal instuons should use safe search enforcement to make sure
that search engines filter out adult images and videos from search results. You can even
transparently enable safe search for users.
• Enable the firewall to hold an inial web request as it looks up a website’s URL category with
PAN-DB.
When a user visits a website, a firewall with URL filtering enabled checks its local cache of URL
categories to categorize the site. If the firewall doesn’t find the URL’s category in the cache, it
performs a lookup in PAN-DB, the Palo Alto Networks URL database. By default, the firewall
allows the user’s web request during this cloud lookup and enforces policy when the server
responds.
But when you choose to hold web requests, the firewall blocks the request unl it either finds
the URL category or mes out. If the lookup mes out, the firewall considers the URL category
not-resolved.
1. In Device > Setup > Content-ID, check the box for
Hold client request for category lookup.
PAN-OS® Administrator’s Guide Version Version 9.1 965 ©2021 Palo Alto Networks, Inc.
URL Filtering
The Advanced URL Filtering license includes access to PAN-DB; if the license expires,
the firewall ceases to perform all URL filtering funcons, URL category enforcement,
and URL cloud lookups. Addionally, all other cloud based updates will not funcon
unl you install a valid license.
1. Select Device > Licenses and, in the License Management secon, select the license
installaon method:
• Retrieve license keys from license server
• Acvate feature using authorizaon code
2. Aer installing the license, confirm that the Advanced URL Filtering secon, Date
Expires field, displays a valid date.
When you acvate the advanced URL filtering license, your license entlements
for PAN-DB and advanced URL filtering might not display correctly on the
firewall — this is a display anomaly, not a licensing issue, and does not affect
access to the services. You can update the licenses on the firewall to recfy
the display issue by using the following CLI command: request license
fetch.
STEP 2 | Download and install the latest PAN-OS content release. PAN-OS Applicaons and Threats
content release 8390-6607 and later allows firewalls operang PAN-OS 9.x and later to
idenfy URLs that have been categorized using the new real-me-detecon category,
idenfying URLs classified by advanced URL filtering. For more informaon about the
update, refer to the Applicaons and Threat Content Release Notes. You can also review
Content Release Notes for apps and threats on the Palo Alto Networks Support Portal or
directly in the firewall web interface: select Device > Dynamic Updates and open the Release
Note for a specific content release version.
Follow the Best Pracces for Applicaons and Threats Content Updates when
updang to the latest content release version.
PAN-OS® Administrator’s Guide Version Version 9.1 966 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 3 | Schedule the firewall to download dynamic updates for Applicaons and Threats.
You can only schedule dynamic updates if the firewall has direct Internet access.
If updates are already scheduled in a secon, the link text displays the schedule
sengs.
The Applicaons and Threats updates somemes contain updates for URL filtering
related to Safe Search Enforcement.
Next Steps:
1. Configure a URL filtering profile to define your organizaon’s web usage policies.
2. Verify Advanced URL Filtering
PAN-OS® Administrator’s Guide Version Version 9.1 967 ©2021 Palo Alto Networks, Inc.
URL Filtering
If you didn’t already, configure a best pracce URL Filtering profile to ensure
protecon against URLs hosng malware or exploive content.
Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.
STEP 3 | Configure the URL Filtering profile to detect corporate credenal submissions to websites
that are in allowed URL categories.
To ensure the best performance and a low false posive rate, the firewall automacally
skips checking the credenal submissions for any App-ID™ associated with sites that
have never been observed hosng malware or phishing content—even if you enable
checks in the corresponding category. The list of sites for which the firewall skips
credenal checking is automacally updated through Applicaons and Threats content
updates.
PAN-OS® Administrator’s Guide Version Version 9.1 968 ©2021 Palo Alto Networks, Inc.
URL Filtering
address-to-username mapping table. To use this method, you can use any of the user
mapping methods described in Map IP Addresses to Users.
• Use Domain Credenal Filter—Checks for valid corporate usernames and password
submissions and verifies that the username maps to the IP address of the logged-in
user. See Configure User Mapping Using the Windows User-ID Agent for instrucons
on how to set up User-ID to enable this method.
• Use Group Mapping—Checks for valid username submissions based on the user-
to-group mapping table populated when you configure the firewall to map users to
groups.
With group mapping, you can apply credenal detecon to any part of the directory
or to a specific group, such as groups like IT that have access to your most sensive
applicaons.
STEP 4 | Allow or block users from subming corporate credenals to sites based on URL category to
prevent credenal phishing.
To ensure the best performance and a low false posive rate, the firewall automacally
skips checking the credenal submissions for any App-ID associated with sites that
have never been observed hosng malware or phishing content—even if you enable
checks in the corresponding category. The list of sites for which the firewall skips
credenal checking is automacally updated through Applicaons and Threats content
updates.
1. For each URL category to which you allow Site Access, select how you want to treat
User Credenal Submissions:
• alert—Allow users to submit credenals to the website but generate a URL filtering
alert log each me a user submits credenals to sites in this URL category.
• allow (default)—Allow users to submit credenals to the website.
• block—Displays the An Phishing Block Page to block users from subming
credenals to the website.
• connue—Present the An Phishing Connue Page to require users to click Connue
to access the site.
2. Configure the URL Filtering profile to detect corporate credenal submissions to
websites that are in allowed URL categories.
PAN-OS® Administrator’s Guide Version Version 9.1 969 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 5 | Define URL category excepon lists to specify websites that should always be blocked or
allowed, regardless of URL category.
For example, to reduce URL filtering logs, you may want to add your corporate websites to
the allow list so that no logs are generated for those sites or, if there is a website that is being
overly used and is not work-related, you can add that site to the block list.
The policy acons configured for custom URL categories have priority enforcement over
matching URLs in external dynamic lists.
Traffic to websites in the block list is always blocked regardless of the acon for the associated
category and traffic to URLs in the allow list is always allowed.
For more informaon on the proper format and wildcard usage, see URL Category Excepon
Lists.
STEP 8 | Enable HTTP Header Logging for one or more of the supported HTTP header fields.
Select URL Filtering Sengs and select one or more of the following fields to log:
• User-Agent
• Referer
• X-Forwarded-For
STEP 9 | Save the URL Filtering profile and commit your changes.
1. Click OK.
2. Click Commit.
PAN-OS® Administrator’s Guide Version Version 9.1 970 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 11 | Enable Hold client request for category lookup to block client requests while the firewall
performs URL category lookups.
1. Select Device > Setup > Content-ID.
2. Select Hold client request for category lookup.
3. Commit your changes.
STEP 12 | Set the amount of me, in seconds, before a URL category lookup mes out.
1. Select Device > Setup > Content-ID > gear icon.
2. Enter a number in Category lookup meout (sec).
3. Click OK.
4. Commit your changes.
PAN-OS® Administrator’s Guide Version Version 9.1 971 ©2021 Palo Alto Networks, Inc.
URL Filtering
You must enable SSL decrypon for test pages to work over an HTTPS connecon.
Advanced URL filtering test pages contain “real-me-detecon” in the URL and confirm
that firewalls correctly categorize and analyze malicious URLs in real-me. They do not
verify firewall behavior for all other categories.
You can check the classificaon of a specific website using Palo Alto Networks URL
category lookup tool, Test A Site.
PAN-OS® Administrator’s Guide Version Version 9.1 972 ©2021 Palo Alto Networks, Inc.
URL Filtering
Palo Alto Networks recommends seng the real-me-detecon acon seng to alert for
your acve URL filtering profiles. This provides visibility into URLs analyzed in real-me
and will block (or allow, depending on your policy sengs) based on the category sengs
configured for specific web threats.
The firewall enforces the most severe acon of the acons configured for detected URL
categories of a given URL. For example, suppose example.com is categorized as real-me-
detecon, command-and-control, and shopping—categories with an alert, block, and allow
acon configured, respecvely. The firewall will block the URL because block is the most
severe acon from the detected categories.
Verify that URLs are being analyzed and categorized using the Advanced URL Filtering service.
1. Visit each of the following test URLs to verify that the Advanced URL Filtering service is
properly categorizing URLs:
• Malware—urlfiltering.paloaltonetworks.com/test-real-me-detecon-malware
• Phishing—urlfiltering.paloaltonetworks.com/test-real-me-detecon-phishing
• C2—urlfiltering.paloaltonetworks.com/test-real-me-detecon-command-and-control
• Grayware—urlfiltering.paloaltonetworks.com/test-real-me-detecon-grayware
• Benign (unknown)—urlfiltering.paloaltonetworks.com/test-real-me-detecon
2. Monitor the acvity on the firewall to verify that the tested URLs have been properly
categorized as real-me-detecon.
1. Select Monitor > Logs > URL Filtering and filter by (url_category_list
contains real-time-detection) to view logs that have been analyzed using
advanced URL filtering. Addional web page category matches are also displayed and
corresponds to the categories as defined by PAN-DB.
2. Take a detailed look at the logs to verify that each type of web threat is correctly
analyzed and categorized. In the example below, the URL is categorized as having
been analyzed in real-me, and, addionally, as possessing qualies that define it as
command and control. Because C&C has a more severe acon compared to real-me-
PAN-OS® Administrator’s Guide Version Version 9.1 973 ©2021 Palo Alto Networks, Inc.
URL Filtering
detecon (block as opposed to alert), this URL has been categorized as command and
control and has been blocked.
PAN-OS® Administrator’s Guide Version Version 9.1 974 ©2021 Palo Alto Networks, Inc.
URL Filtering
For a quick view of the most common categories users access in your environment, check the
ACC widgets. Most Network Acvity widgets allow you to sort on URLs. For example, in the
Applicaon Usage widget, you can see that the networking category is the most accessed
category, followed by encrypted tunnel, and ssl. You can also view the list of Threat Acvity
and Blocked Acvity sorted on URLs.
PAN-OS® Administrator’s Guide Version Version 9.1 975 ©2021 Palo Alto Networks, Inc.
URL Filtering
From the ACC, you can jump directly to the logs ( ) or select Monitor > Logs > URL Filtering.
The log acon for each entry depends on the Site Access seng you defined for the
corresponding category:
• Alert log—In this example, the computer-and-internet-info category is set to alert.
• Block log—In this example, the insufficient-content category is set to connue. If the
category had been set to block instead, the log Acon would be block-url.
• Alert log on encrypted website—In this example, the category is private-ip-addresses and
the applicaon is web-browsing. This log also indicates that the firewall decrypted this
traffic.
You can also add several other columns to your URL Filtering log view, such as: to and from
zone, content type, and whether or not a packet capture was performed. To modify what
columns to display, click the down arrow in any column and select the aribute to display.
PAN-OS® Administrator’s Guide Version Version 9.1 976 ©2021 Palo Alto Networks, Inc.
URL Filtering
To view the complete log details and/or request a category change for the given URL that was
accessed, click the log details icon in the first column of the log.
Generate predefined URL filtering reports on URL categories, URL users, Websites accessed,
Blocked categories, and more.
Select Monitor > Reports and under the URL Filtering Reports secon, select one of the
reports. The reports cover the 24-hour period of the date you select on the calendar. You can
also export the report to PDF, CSV, or XML.
PAN-OS® Administrator’s Guide Version Version 9.1 977 ©2021 Palo Alto Networks, Inc.
URL Filtering
You must enable User-ID in order to be able to select user or group names. If
User-ID is not configured, you can select the type User and enter the IP address
of the user’s computer.
4. Enter the Username/IP Address for a user report or enter the group name for a user
group report.
5. Select the me period. You can select an exisng me period, or select Custom.
6. Select the Include Detailed Browsing check box, so browsing informaon is included in
the report.
PAN-OS® Administrator’s Guide Version Version 9.1 978 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 3 | View the user acvity report by opening the file that you downloaded. The PDF version of
the report shows the user or group on which you based the report, the report me frame,
and a table of contents:
STEP 4 | Click an item in the table of contents to view the report details. For example, click Traffic
Summary by URL Category to view stascs for the selected user or group.
PAN-OS® Administrator’s Guide Version Version 9.1 979 ©2021 Palo Alto Networks, Inc.
URL Filtering
PAN-OS® Administrator’s Guide Version Version 9.1 980 ©2021 Palo Alto Networks, Inc.
URL Filtering
3. If the firewall is enabled to prevent credenal phishing, select the Aribute Flags, the
Operator has and the Value Credenal Detected to also include events in the report that
record when a user submied a valid corporate credenal to a site.
4. (Oponal) Select a Sort By opon to set the aribute to use to aggregate the report
details. If you do not select an aribute to sort by, the report will return the first N
number of results without any aggregaon. Select a Group By aribute to use as an
anchor for grouping data. The following example shows a report with Group By set to
App Category and Sort By set to a Count of Top 5.
PAN-OS® Administrator’s Guide Version Version 9.1 981 ©2021 Palo Alto Networks, Inc.
URL Filtering
PAN-OS® Administrator’s Guide Version Version 9.1 982 ©2021 Palo Alto Networks, Inc.
URL Filtering
If you have enabled the Log container page only opon, there may not always be a
correlated URL log entry for threats detected by anvirus or vulnerability protecon.
PAN-OS® Administrator’s Guide Version Version 9.1 983 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 2 | Add or modify a custom URL category, and give the category a descripve Name.
STEP 3 | Set the category Type to either Category Match or URL List:
• URL List—Add URLs that you want to enforce differently than the URL category to which
they belong. Use this list type to define excepons for URL category enforcement, or to
define a list of URLs as belonging to a custom category. For details on how to populate
this list, such as guidelines on how to use wildcards, see URL Category Excepons.
• Category Match—Provide targeted enforcement for websites that match a set of
categories. The website or page must match all the categories defined as part of the
custom category.
STEP 5 | Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.
Your new custom category will be listed under the Custom URL Categories drop down:
PAN-OS® Administrator’s Guide Version Version 9.1 984 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 6 | Decide how you want to enforce Site Access and User Credenal Submissions for the
custom URL category. (To control the sites to which users can submit their corporate
credenals, see Prevent Credenal Phishing).
STEP 7 | Aach the URL Filtering Profile to a security policy rule, to enforce traffic that matches that
rule.
Select Policies > Security > Acons and specify for the security policy rule to enforce traffic
based on the URL Filtering profile you just updated. Make sure to Commit your changes.
You can also use custom URL categories as security policy match criteria. In this case,
you do not need to define how the category should be enforced as part of a URL
Filtering Profile. Aer seng up the custom category, go directly to the Security policy
rule to which you want to add the custom URL category (Policies > Security). Select
Service/URL Category to use the custom URL category as match criteria for the rule.
PAN-OS® Administrator’s Guide Version Version 9.1 985 ©2021 Palo Alto Networks, Inc.
URL Filtering
You can also use a custom URL category as match criteria in a Security policy rule
(Policies > Security, and select Service/URL Category). The excepon rule must be
placed above any rules that block or allow the categories to which the URL excepons
belong.
• Use an external dynamic list in a URL Filtering profile or as match criteria in a Security policy
rule. The benefit to using an external dynamic list is that you can update the list without
performing a configuraon change or commit on the firewall.
The following guidelines describe how to populate URL category block and allow lists, or a text file
that you’re using as the source of an external dynamic list for URLs:
• Basic Guidelines For URL Category Excepon Lists
• Wildcard Guidelines for URL Category Excepon Lists
• URL Category Excepon List—Wildcard Examples
PAN-OS® Administrator’s Guide Version Version 9.1 986 ©2021 Palo Alto Networks, Inc.
URL Filtering
Do not create an entry with consecuve asterisk (*) wildcards or more than nine
consecuve caret (^) wildcards—entries like these can affect firewall performance.
For example, do not add an entry like mail.*.*.com; instead, depending on the range
of websites you want to control access to, enter mail.*.com or mail.^.^.com. An
entry like mail.*.com matches to a greater number of sites than mail.^.^.com;
mail.*.com matches to sites with any number of subdomains and mail.^.^.com
matches to sites with exactly two subdomains.
PAN-OS® Administrator’s Guide Version Version 9.1 987 ©2021 Palo Alto Networks, Inc.
URL Filtering
Example Set 1
*.company.com eng.tools.company.com
support.tools.company.com
tools.company.com
docs.company.com
^.company.com tools.company.com
docs.company.com
^.^.company.com eng.tools.company.com
support.tools.company.com
Example Set 2
mail.google.* mail.google.com
mail.google.co.uk
mail.google.example.org
mail.google.^ mail.google.com
mail.google.info
mail.google.^.^ mail.google.co.uk
mail.google.example.info
Example Set 3
site.*.com site.yourname.com
site.abc.xyz.com
site.^.com site.company.com
site.example.com
site.^.^.com site.a.b.com
site.com/* site.com/photos
site.com/blog/latest
any site.com subdirectory
PAN-OS® Administrator’s Guide Version Version 9.1 988 ©2021 Palo Alto Networks, Inc.
URL Filtering
PAN-OS® Administrator’s Guide Version Version 9.1 989 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 4 | Verify whether entries in the external dynamic list were ignored or skipped.
In a list of type URL, the firewall skips non-URL entries as invalid and ignores entries that
exceed the maximum limit for the firewall model.
To check whether you have reached the limit for an external dynamic list type, select
Objects > External Dynamic Lists and click List Capacies.
Use the following CLI command on a firewall to review the details for a list.
For example:
PAN-OS® Administrator’s Guide Version Version 9.1 990 ©2021 Palo Alto Networks, Inc.
URL Filtering
The client browser will display cerficate errors if it does not trust the
cerficate.
• Redirect—The firewall intercepts HTTP or HTTPS traffic to a URL category set to
override and redirects the request to a Layer 3 interface on the firewall using an HTTP
302 redirect in order to prompt for the override password. If you select this opon,
you must provide the Address (IP address or DNS hostname) to which to redirect the
traffic.
7. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 991 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 3 | (Redirect mode only) Create a Layer 3 interface to which to redirect web requests to sites in a
category configured for override.
1. Create a management profile to enable the interface to display the URL Filtering
Connue and Override Page response page:
1. Select Network > Interface Mgmt and click Add.
2. Enter a Name for the profile, select Response Pages, and then click OK.
2. Create the Layer 3 interface. Be sure to aach the management profile you just created
(on the Advanced > Other Info tab of the Ethernet Interface dialog).
STEP 4 | (Redirect mode only) To transparently redirect users without displaying cerficate errors,
install a cerficate that matches the IP address of the interface to which you are redirecng
web requests to a site in a URL category configured for override.You can either generate a
self-signed cerficate or import a cerficate that is signed by an external CA.
To use a self-signed cerficate, you must first create a root CA cerficate and then use that CA
to sign the cerficate you will use for URL admin override as follows:
1. To create a root CA cerficate, select Device > Cerficate Management > Cerficates >
Device Cerficates and then click Generate. Enter a Cerficate Name, such as RootCA.
Do not select a value in the Signed By field (this is what indicates that it is self-signed).
Make sure you select the Cerficate Authority check box and then click Generate the
cerficate.
2. To create the cerficate to use for URL admin override, click Generate. Enter a
Cerficate Name and enter the DNS hostname or IP address of the interface as the
Common Name. In the Signed By field, select the CA you created in the previous step.
Add an IP address aribute and specify the IP address of the Layer 3 interface to which
you will be redirecng web requests to URL categories that have the override acon.
3. Generate the cerficate.
4. To configure clients to trust the cerficate, select the CA cerficate on the Device
Cerficates tab and click Export. You must then import the cerficate as a trusted root
CA into all client browsers, either by manually configuring the browser or by adding the
cerficate to the trusted roots in an Acve Directory Group Policy Object (GPO).
STEP 5 | Specify which URL categories require an override password to enable access.
1. Select Objects > URL Filtering and either select an exisng URL Filtering profile or Add a
new one.
2. On the Categories tab, set the Acon to override for each category that requires a
password.
3. Complete any remaining secons on the URL Filtering profile and then click OK to save
the profile.
STEP 6 | Apply the URL Filtering profile to the Security policy rule(s) that allows access to the sites
requiring password override for access.
1. Select Policies > Security and select the appropriate Security policy to modify it.
2. Select the Acons tab and in the Profile Seng secon, click the drop-down for URL
Filtering and select the profile.
3. Click OK to save.
PAN-OS® Administrator’s Guide Version Version 9.1 992 ©2021 Palo Alto Networks, Inc.
URL Filtering
PAN-OS® Administrator’s Guide Version Version 9.1 993 ©2021 Palo Alto Networks, Inc.
URL Filtering
PAN-OS® Administrator’s Guide Version Version 9.1 994 ©2021 Palo Alto Networks, Inc.
URL Filtering
Yahoo Offers safe search on individual computers only. The Yahoo Search
Preferences includes three SafeSearch sengs: Strict, Moderate, or Off.
When enabled, the seng is stored in a browser cookie as vm= and passed
to the server each me the user performs a Yahoo search.
Appending vm=r to a Yahoo search query URL also enables the strictest
safe search sengs.
PAN-OS® Administrator’s Guide Version Version 9.1 995 ©2021 Palo Alto Networks, Inc.
URL Filtering
Bing Offers safe search on individual computers or through their Bing in the
Classroom program. The Bing Sengs include three SafeSearch sengs:
Strict, Moderate, or Off. When enabled, the seng is stored in a browser
cookie as adtl= and passed to the server each me the user performs a
Bing search.
Appending adlt=strict to a Bing search query URL also enables the
strictest safe search sengs.
The Bing SSL search engine does not enforce the safe search URL
parameters and you should therefore consider blocking Bing over SSL for
full safe search enforcement.
PAN-OS® Administrator’s Guide Version Version 9.1 996 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 2 | Add the URL Filtering profile to the Security policy rule that allows traffic from clients in the
trust zone to the Internet.
1. Select Policies > Security and select a rule to which to apply the URL Filtering profile
that you just enabled for Safe Search Enforcement.
2. On the Acons tab, select the URL Filtering profile.
3. Click OK to save the Security policy rule.
PAN-OS® Administrator’s Guide Version Version 9.1 997 ©2021 Palo Alto Networks, Inc.
URL Filtering
PAN-OS® Administrator’s Guide Version Version 9.1 998 ©2021 Palo Alto Networks, Inc.
URL Filtering
4. Use the link in the block page to go to the search sengs for the search provider and set
the safe search seng back to the strictest seng (Strict in the case of Bing) and then
click Save.
5. Perform a search again from Bing and verify that the filtered search results display
instead of the block page.
PAN-OS® Administrator’s Guide Version Version 9.1 999 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 3 | Add the URL Filtering profile to the Security policy rule that allows traffic from clients in the
trust zone to the Internet.
1. Select Policies > Security and select a rule to which to apply the URL Filtering profile
that you just enabled for Safe Search Enforcement.
2. On the Acons tab, select the URL Filtering profile.
3. Click OK to save the Security policy rule.
PAN-OS® Administrator’s Guide Version Version 9.1 1000 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 5 | Edit the URL Filtering Safe Search Block Page, replacing the exisng code with the JavaScript
for rewring search query URLs to enforce safe search transparently.
1. Select Device > Response Pages > URL Filtering Safe Search Block Page.
2. Select Predefined and then click Export to save the file locally.
3. Use an HTML editor and replace all of the exisng block page text with the following
text and then save the file.
<html>
<head>
<title>Search Blocked</title>
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8">
<meta http-equiv="pragma" content="no-cache">
<meta name="viewport" content="initial-scale=1.0">
<style>
#content {
PAN-OS® Administrator’s Guide Version Version 9.1 1001 ©2021 Palo Alto Networks, Inc.
URL Filtering
border:3px solid#aaa;
background-color:#fff;
margin:1.5em;
padding:1.5em;
font-family:Tahoma,Helvetica,Arial,sans-serif;
font-size:1em;
}
h1 {
font-size:1.3em;
font-weight:bold;
color:#196390;
}
b {
font-weight:normal;
color:#196390;
}
</style>
</head>
<body bgcolor="#e7e8e9">
<div id="content">
<h1>Search Blocked</h1>
<p>
<b>User:</b>
<user/>
</p>
<p>Your search results have been blocked because your
search settings are not in accordance with company policy.
In order to continue, please update your search settings so
that Safe Search is set to the strictest setting. If you are
currently logged into your account, please also lock Safe
Search and try your search again.</p>
<p>
For more information, please refer to:
<a href="<ssurl/>">
<ssurl/>
</a>
</p>
<p id="java_off"> Please enable JavaScript in your
browser.<br></p>
<p><b>Please contact your system administrator if you
believe this message is in error.</b></p>
</div>
</body>
<script>
// Grab the URL that's in the browser.
var s_u = location.href;
//bing
// Matches the forward slashes in the beginning, anything,
then ".bing." then anything followed by a non greedy slash.
Hopefully the first forward slash.
var b_a = /^.*\/\/(.+\.bing\..+?)\//.exec(s_u);
if (b_a) {
s_u = s_u + "&adlt=strict";
window.location.replace(s_u);
document.getElementById("java_off").innerHTML = 'You
are being redirected to a safer search!';
PAN-OS® Administrator’s Guide Version Version 9.1 1002 ©2021 Palo Alto Networks, Inc.
URL Filtering
}
//google
// Matches the forward slashes in the beginning, anything,
then ".google." then anything followed by a non greedy slash.
Hopefully the first forward slash.
var g_a = /^.*\/\/(.+\.google\..+?)\//.exec(s_u);
if (g_a) {
s_u = s_u.replace(/&safe=off/ig,"");
s_u = s_u + "&safe=active";
window.location.replace(s_u);
document.getElementById("java_off").innerHTML = 'You
are being redirected to a safer search!'; }
//yahoo
// Matches the forward slashes in the beginning, anything,
then ".yahoo."" then anything followed by a non greedy slash.
Hopefully the first forward slash.
var y_a = /^.*\/\/(.+\.yahoo\..+?)\//.exec(s_u);
if (y_a) {
s_u = s_u.replace(/&vm=p/ig,"");
s_u = s_u + "&vm=r";
window.location.replace(s_u);
document.getElementById("java_off").innerHTML = 'You
are being redirected to a safer search!';
}
document.getElementById("java_off").innerHTML = ' ';
</script>
</html>
STEP 6 | Import the edited URL Filtering Safe Search Block page onto the firewall.
1. To import the edited block page, select Device > Response Pages > URL Filtering Safe
Search Block Page.
2. Click Import and then enter the path and filename in the Import File field or Browse to
locate the file.
3. (Oponal) Select the virtual system on which this login page will be used from the
Desnaon drop-down or select shared to make it available to all virtual systems.
4. Click OK to import the file.
PAN-OS® Administrator’s Guide Version Version 9.1 1003 ©2021 Palo Alto Networks, Inc.
URL Filtering
PAN-OS® Administrator’s Guide Version Version 9.1 1004 ©2021 Palo Alto Networks, Inc.
URL Filtering
PAN-OS® Administrator’s Guide Version Version 9.1 1005 ©2021 Palo Alto Networks, Inc.
URL Filtering
search is performed using Google, Bing, Yahoo, or Yandex and their browser or search engine
account seng for Safe Search is not set to strict.
PAN-OS® Administrator’s Guide Version Version 9.1 1006 ©2021 Palo Alto Networks, Inc.
URL Filtering
You can either use the predefined pages, or you can customize the URL Filtering response pages
to communicate your specific acceptable use policies and/or corporate branding. In addion, you
can use the URL Filtering response page variables for substuon at the me of the block event
or add one of the supported response page references to external images, sounds, or style sheets.
Variable Usage
<user/> The firewall replaces the variable with the username (if available via
User-ID) or IP address of the user when displaying the response page.
<url/> The firewall replaces the variable with the requested URL when
displaying the response page.
<category/> The firewall replaces the variable with the URL filtering category of the
blocked request.
<pan_form/> HTML code for displaying the Connue buon on the URL Filtering
Connue and Override page.
You can also add code that triggers the firewall to display different messages depending on what
URL category the user is aempng to access. For example, the following code snippet from
a response page specifies to display Message 1 if the URL category is games, Message 2 if the
category is travel, or Message 3 if the category is kids:
Only a single HTML page can be loaded into each virtual system for each type of block page.
However, other resources such as images, sounds, and cascading style sheets (CSS files) can be
loaded from other servers at the me the response page is displayed in the browser. All references
must include a fully qualified URL.
PAN-OS® Administrator’s Guide Version Version 9.1 1007 ©2021 Palo Alto Networks, Inc.
URL Filtering
Image
<img src="http://virginiadot.org/images/Stop-Sign
-gif.gif">
Sound
<embed src="http://simplythebest.net/sounds/WAV/W
AV_files/ movie_WAV_files/ do_not_go.wav" volume=
"100" hidden="true" autostart="true">
Style Sheet
<link href="http://example.com/style.css" rel="st
ylesheet" type="text/css" />
Hyperlink
<a href="http://en.wikipedia.org/wiki/Acceptable_
use_policy">View Corporate
Policy</a>
PAN-OS® Administrator’s Guide Version Version 9.1 1008 ©2021 Palo Alto Networks, Inc.
URL Filtering
Custom response pages larger than the maximum supported size are not decrypted or
displayed to users. In PAN-OS 8.1.2 and earlier PAN-OS 8.1 releases, custom response
pages on a decrypted site cannot exceed 8,191 bytes; the maximum size is increased to
17,999 bytes in PAN-OS 8.1.3 and later releases.
PAN-OS® Administrator’s Guide Version Version 9.1 1009 ©2021 Palo Alto Networks, Inc.
URL Filtering
PAN-OS® Administrator’s Guide Version Version 9.1 1010 ©2021 Palo Alto Networks, Inc.
URL Filtering
You can also use HTTP headers to manage access to SaaS applicaons. You don’t need a
URL Filtering license to do this, but you must use a URL Filtering profile to turn this feature
on.
Aribute Descripon
User-Agent The web browser that the user used to access the URL, for
example, Internet Explorer. This informaon is sent in the
HTTP request to the server.
Referer The URL of the web page that linked the user to another web
page; it is the source that redirected (referred) the user to the
web page that is being requested.
X-Forwarded-For (XFF) The opon in the HTTP request header field that preserves
the IP address of the user who requested the web page. If you
have a proxy server on your network, the XFF allows you to
idenfy the IP address of the user who requested the content,
instead of only recording the proxy server’s IP address as
source IP address that requested the web page.
Headers Inserted The type of header and the text of the header that the firewall
inserts.
PAN-OS® Administrator’s Guide Version Version 9.1 1011 ©2021 Palo Alto Networks, Inc.
URL Filtering
PAN-OS® Administrator’s Guide Version Version 9.1 1012 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 3 | Review the URL categories, and if you don’t think that they’re accurate, select Request
Change.
PAN-OS® Administrator’s Guide Version Version 9.1 1013 ©2021 Palo Alto Networks, Inc.
URL Filtering
From here you can complete the request form, and submit it.
PAN-OS® Administrator’s Guide Version Version 9.1 1014 ©2021 Palo Alto Networks, Inc.
URL Filtering
PAN-OS® Administrator’s Guide Version Version 9.1 1015 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 2 | Verify whether Advanced URL Filtering has been acvated by running the following
command:
show system setting url-database
If the response is paloaltonetworks, PAN-DB, the Palo Alto Networks URL filtering
database, is the acve vendor.
STEP 3 | Verify that the firewall has a valid Advanced URL Filtering license by running the following
command:
request license info
You should see the license entry Feature: Advanced URL Filtering. If the license is
not installed, you will need to obtain and install a license. See Configure URL Filtering.
PAN-OS® Administrator’s Guide Version Version 9.1 1016 ©2021 Palo Alto Networks, Inc.
URL Filtering
If the cloud is not accessible, the expected response is similar to the following:
For example, if your management interface IP address is 10.1.1.5, run the following command:
Is the firewall in an HA configuraon? Verify that the HA state of the firewalls is in the acve,
acve-primary, or acve-secondary state. Access to the PAN-DB cloud will be blocked if the
firewall is in a different state. Run the following command on each firewall in the pair to see the
state:
If you sll have problems with connecvity between the firewall and the PAN-DB cloud, contact
Palo Alto Networks support.
PAN-OS® Administrator’s Guide Version Version 9.1 1017 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 1 | Check the PAN-DB cloud connecon by running the following command:
show url-cloud status
The Cloud connecon: field should show connected. If you see anything other than
connected, any URL that do not exist in the management plane cache will be categorized as
not-resolved. To resolve this issue, see PAN-DB Cloud Connecvity Issues.
STEP 2 | If the cloud connecon status shows connected, check the current ulizaon of the
firewall. If firewall ulizaon is spiking, URL requests may be dropped (may not reach the
management plane), and will be categorized as not-resolved.
To view system resources, run the following command and view the %CPU and %MEM columns:
show system resources
You can also view system resources on the System Resources widget on the Dashboard in the
web interface.
Incorrect Categorizaon
Somemes you may come across a URL that you believe is categorized incorrectly. Use the
following workflow to determine the URL categorizaon for a site and request a category change,
if appropriate.
STEP 1 | Verify the category in the dataplane by running the following command:
For example, to view the category for the Palo Alto Networks website, run the following
command:
If the URL stored in the dataplane cache has the correct category (computer-and-internet-
info in this example), then the categorizaon is correct and no further acon is required. If the
category is not correct, connue to the next step.
PAN-OS® Administrator’s Guide Version Version 9.1 1018 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 2 | Verify if the category in the management plane by running the command:
For example:
If the URL stored in the management plane cache has the correct category, remove the URL
from the dataplane cache by running the following command:
The next me the firewall requests the category for this URL, the request will be forwarded to
the management plane. This will resolve the issue and no further acon is required. If this does
not solve the issue, go to the next step to check the URL category on the cloud systems.
STEP 3 | Verify the category in the cloud by running the following command:
STEP 4 | If the URL stored in the cloud has the correct category, remove the URL from the dataplane
and the management plane caches.
Run the following command to delete a URL from the dataplane cache:
Run the following command to delete a URL from the management plane cache:
The next me the firewall queries for the category of the given URL, the request will be
forwarded to the management plane and then to the cloud. This should resolve the category
lookup issue. If problems persist, see the next step to submit a categorizaon change request.
STEP 5 | To submit a change request from the web interface, go to the URL log and select the log
entry for the URL you would like to have changed.
STEP 6 | Click the Request Categorizaon change link and follow instrucons. You can also request
a category change from the Palo Alto Networks Test A Site website by searching for the
URL and then clicking the Request Change icon. To view a list of all available categories
PAN-OS® Administrator’s Guide Version Version 9.1 1019 ©2021 Palo Alto Networks, Inc.
URL Filtering
PAN-OS® Administrator’s Guide Version Version 9.1 1020 ©2021 Palo Alto Networks, Inc.
URL Filtering
Firewalls running PAN-OS 5.0 or later versions can communicate with the PAN-DB private
cloud.
When you set up the PAN-DB private cloud, you can either configure the M-600 appliance(s) to
have direct internet access or keep it completely offline. Because the M-600 appliance requires
database and content updates to perform URL lookups, if the appliance does not have an acve
internet connecon, you must manually download the updates to a server on your network and
then, import the updates using SCP into each M-600 appliance in the PAN-DB private cloud. In
addion, the appliances must be able to obtain the seed database and any other regular or crical
content updates for the firewalls that it services.
To authencate the firewalls that connect to the PAN-DB private cloud, a set of default server
cerficates are packaged with the appliance; you cannot import or use another server cerficate
for authencang the firewalls. If you change the hostname on the M-600 appliance, the
appliance automacally generates a new set of cerficates to authencate the firewalls.
• M-600 Appliance for PAN-DB Private Cloud
• Set Up the PAN-DB Private Cloud
PAN-OS® Administrator’s Guide Version Version 9.1 1021 ©2021 Palo Alto Networks, Inc.
URL Filtering
Table 4: Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud
Content and Content (regular and crical) updates Content updates and full URL
Database and full database updates are database updates are available once a
Updates published mulple mes during day during the work week.
the day. The PAN-DB public cloud
updates the URL categories malware
and phishing every five minutes. The
firewall checks for crical updates
whenever it queries the cloud
servers for URL lookups.
Unresolved If the firewall cannot resolve a URL If the firewall cannot resolve a query,
URL Queries query, the request is sent to the the request is sent to the M-600
servers in the public cloud. appliance(s) in the PAN-DB private
cloud. If there is no match for the
URL, the PAN-DB private cloud sends
a category unknown response to the
firewall; the request is not sent to
the public cloud unless you have
configured the M-600 appliance to
access the PAN-DB public cloud.
If the M-600 appliance(s) that
constute your PAN-DB private cloud
is configured to be completely offline,
PAN-OS® Administrator’s Guide Version Version 9.1 1022 ©2021 Palo Alto Networks, Inc.
URL Filtering
The M-600 appliance in PAN-DB mode uses two ports- MGT (Eth0) and Eth1; Eth2
is not used in PAN-DB mode. The management port is used for administrave access
to the appliance and for obtaining the latest content updates from the PAN-DB public
cloud. For communicaon between the appliance (PAN-DB server) and the firewalls on
the network, you can use the MGT port or Eth1.
PAN-OS® Administrator’s Guide Version Version 9.1 1023 ©2021 Palo Alto Networks, Inc.
URL Filtering
URL might require changing the IP address on the computer to an address in the
192.168.1.0 network (for example, 192.168.1.2).
2. When prompted, log in to the appliance. Log in using the default username and password
(admin/admin). The appliance will begin to inialize.
3. Configure network access sengs including the IP address for the MGT interface:
where <server-IP> is the IP address you want to assign to the management interface of
the server, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network
gateway, and <DNS-IP> is the IP address of the primary DNS server.
4. Configure network access sengs including the IP address for the Eth1 interface:
where <server-IP> is the IP address you want to assign to the data interface of the server,
<netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway,
and <DNS-IP> is the IP address of the DNS server.
5. Save your changes to the PAN-DB server.
commit
You can switch from Panorama mode to PAN-DB mode and back; and from
Panorama mode to Log Collector mode and back. Switching directly from
PAN-DB mode to Log Collector mode or vice versa is not supported. When
switching operaonal mode, a data reset is triggered. With the excepon of
management access sengs, all exisng configuraon and logs will be deleted on
restart.
2. Use the following command to verify that the mode is changed:
show pan-url-cloud-status
hostname: M-600
ip-address: 1.2.3.4
netmask: 255.255.255.0
default-gateway: 1.2.3.1
ipv6-address: unknown
ipv6-link-local-address: fe80:00/64
ipv6-default-gateway:
mac-address: 00:56:90:e7:f6:8e
PAN-OS® Administrator’s Guide Version Version 9.1 1024 ©2021 Palo Alto Networks, Inc.
URL Filtering
3. Use the following command to check the version of the cloud database on the appliance:
show pan-url-cloud-status
Cloud status: Up
URL database version: 20150417-220
PAN-OS® Administrator’s Guide Version Version 9.1 1025 ©2021 Palo Alto Networks, Inc.
URL Filtering
The appliance only stores the currently running version of the content and one earlier
version.
Pick one of the following methods of installing the content and database updates:
• If the PAN-DB server has direct Internet access use the following commands:
1. To check whether a new version is published use:
request pan-url-db upgrade check
2. To check the version that is currently installed on your server use:
request pan-url-db upgrade info
3. To download and install the latest version:
• request pan-url-db upgrade download latest
• request pan-url-db upgrade install <version latest | file>
• If the PAN-DB server is offline, access the Palo Alto Networks Customer Support web site
to download and save the content updates to an SCP server on your network. You can then
import and install the updates using the following commands:
• scp import pan-url-db remote-port <port-number> from
username@host:path
PAN-OS® Administrator’s Guide Version Version 9.1 1026 ©2021 Palo Alto Networks, Inc.
URL Filtering
The appliance has a default admin account. Any addional administrave users that
you create can either be superusers (with full access) or superusers with read-only
access.
PAN-DB private cloud does not support the use of RADIUS VSAs. If the VSAs used on
the firewall or Panorama are used for enabling access to the PAN-DB private cloud, an
authencaon failure will occur.
• To set up a local administrave user on the PAN-DB server:
1. configure
2. set mgt-config users <username> permissions role-based
<superreader | superuser> yes
4. Enter password:xxxxx
5. Confirm password:xxxxx
6. commit
• To set up an administrave user with RADIUS authencaon:
1. Create RADIUS server profile.
2. Create authencaon-profile.
PAN-OS® Administrator’s Guide Version Version 9.1 1027 ©2021 Palo Alto Networks, Inc.
URL Filtering
role-based {
superuser yes;
}
}
}
admin_user_2 {
permissions {
role-based {
superreader yes;
}
}
authentication-profile RADIUS;
}
}
> configure
Or, in the web interface for each firewall, select Device > Setup > Content-ID, edit the URL
Filtering secon and enter the PAN-DB Server IP address(es) or FQDN(s). The list must be
comma separated.
• To delete the entries for the private PAN-DB servers, use the following command:
When you delete the list of private PAN-DB servers, a re-elecon process is triggered on
the firewall. The firewall first checks for the list of PAN-DB private cloud servers and when
it cannot find one, the firewall accesses the PAN-DB servers in the AWS cloud to download
the list of eligible servers to which it can connect.
PAN-OS® Administrator’s Guide Version Version 9.1 1028 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 3 | To verify that the change is effecve, use the following CLI command on the firewall:
admin@M-600> configure
STEP 3 | Use TFTP or SCP to import the key pair that contains the server cerficate and private key
for the PAN-DB M-600 appliance.
PAN-OS® Administrator’s Guide Version Version 9.1 1029 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 4 | Configure a cerficate profile that includes the root CA and intermediate CA. This cerficate
profile defines the device authencaon between the PAN-DB server and the firewall.
1. In the CLI of the PAN-DB server, enter configuraon mode.
admin@M-600> configure
PAN-OS® Administrator’s Guide Version Version 9.1 1030 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 5 | Configure an SSL/TLS profile for the PAN-DB M-600 appliance. This profile defines the
cerficate and protocol range that PAN-DB and client devices use for SSL/TLS services.
1. Idenfy the SSL/TLS profile.
PAN-OS 8.0 and later releases support TLS 1.2 and later TLS versions only. You
must set the max version to TLS 1.2 or max.
3. Set the disconnect wait me in number of minutes that PAN-DB should wait before
breaking and reestablishing the connecon with its firewall (range is 0 to 44,640).
STEP 7 | Import the CA cerficate to validate the cerficate for the PAN-DB M-600 appliance.
1. Log in to the firewall web interface.
2. Import the CA cerficate.
PAN-OS® Administrator’s Guide Version Version 9.1 1031 ©2021 Palo Alto Networks, Inc.
URL Filtering
STEP 9 | Configure the cerficate profile for the firewall. You can configure this on each firewall
individually or you can push the configuraon from Panorama to the firewalls as part of a
template.
1. Select Device > Cerficate Management > Cerficate Profile for firewalls or Panorama >
Cerficate Management > Cerficate Profile for Panorama.
2. Configure a Cerficate Profile.
STEP 10 | Deploy custom cerficates on each firewall. You can either deploy cerficates centrally from
Panorama or configure them manually on each firewall.
1. Log in to the firewall web interface.
2. Select Device > Setup > Management for a firewall or Panorama > Setup > Management
for Panorama and Edit the Secure Communicaon
3. Select the Cerficate Type, Cerficate, and Cerficate Profile from the respecve drop-
downs.
4. In the Customize Communicaon sengs, select PAN-DB Communicaon.
5. Click OK.
6. Commit your changes.
Aer comming your changes, the firewalls do not terminate their current sessions with
the PAN-DB server unl aer the Disconnect Wait Time. The disconnect wait me begins
counng down aer you enforce the use of custom cerficates in the next step.
STEP 11 | Aer deploying custom cerficates on all firewalls, enforce custom cerficate authencaon.
1. Log in to the CLI on the PAN-DB server and enter configuraon mode.
admin@M-600> configure
Aer comming this change, the disconnect wait me begins counng down (if you
configured seng on PAN-DB). When the wait me ends, PAN-DB and its firewall connect
using only the configured cerficates.
STEP 12 | You have two choices when adding new firewalls or Panorama to your PAN-DB private cloud
deployment.
• If you did not enable Custom Cerficates Only then you can add a new firewall to the PAN-
DB private cloud and then deploy the custom cerficate as described above.
• If you enabled Custom Cerficates Only on the PAN-DB private cloud, then you must
deploy the custom cerficates on the firewalls before connecng them to the PAN-DB
private cloud.
PAN-OS® Administrator’s Guide Version Version 9.1 1032 ©2021 Palo Alto Networks, Inc.
Quality of Service
Quality of Service (QoS) is a set of technologies that work on a network to guarantee
its ability to dependably run high-priority applicaons and traffic under limited
network capacity. QoS technologies accomplish this by providing differenated
handling and capacity allocaon to specific flows in network traffic. This enables the
network administrator to assign the order in which traffic is handled, and the amount
of bandwidth afforded to traffic.
Palo Alto Networks Applicaon Quality of Service (QoS) provides basic QoS applied to
networks and extends it to provide QoS to applicaons and users.
Use the following topics to learn about and configure Palo Alto Networks applicaon-
based QoS:
Use the Palo Alto Networks product comparison tool to view the QoS features
supported on your firewall model. Select two or more product models and click
Compare Now to view QoS feature support for each model (for example, you can
check if your firewall model supports QoS on subinterfaces and if so, the maximum
number of subinterfaces on which QoS can be enabled).
QoS on Aggregate Ethernet (AE) interfaces is supported on PA-7000 Series, PA-5200
Series, and PA-3200 Series firewalls running PAN-OS 7.0 or later release versions.
1033
Quality of Service
QoS Overview
Use QoS to priorize and adjust quality aspects of network traffic. You can assign the order in
which packets are handled and allot bandwidth, ensuring preferred treatment and opmal levels of
performance are afforded to selected traffic, applicaons, and users.
Service quality measurements subject to a QoS implementaon are bandwidth (maximum rate
of transfer), throughput (actual rate of transfer), latency (delay), and jier (variance in latency).
The capability to shape and control these service quality measurements makes QoS of parcular
importance to high-bandwidth, real-me traffic such as voice over IP (VoIP), video conferencing,
and video-on-demand that has a high sensivity to latency and jier. Addionally, use QoS to
achieve outcomes such as the following:
• Priorize network and applicaon traffic, guaranteeing high priority to important traffic or
liming non-essenal traffic.
• Achieve equal bandwidth sharing among different subnets, classes, or users in a network.
• Allocate bandwidth externally or internally or both, applying QoS to both upload and download
traffic or to only upload or download traffic.
• Ensure low latency for customer and revenue-generang traffic in an enterprise environment.
• Perform traffic profiling of applicaons to ensure bandwidth usage.
QoS implementaon on a Palo Alto Networks firewall begins with three primary configuraon
components that support a full QoS soluon: a QoS Profile, a QoS Policy, and seng up the QoS
Egress Interface. Each of these opons in the QoS configuraon task facilitate a broader process
that opmizes and priorizes the traffic flow and allocates and ensures bandwidth according to
configurable parameters.
The figure QoS Traffic Flow shows traffic as it flows from the source, is shaped by the firewall with
QoS enabled, and is ulmately priorized and delivered to its desnaon.
The QoS configuraon opons allow you to control the traffic flow and define it at different points
in the flow. The figure QoS Traffic Flow indicates where the configurable opons define the traffic
flow. A QoS policy rule allows you to define traffic you want to receive QoS treatment and assign
PAN-OS® Administrator’s Guide Version Version 9.1 1034 ©2021 Palo Alto Networks, Inc.
Quality of Service
that traffic a QoS class. The matching traffic is then shaped based on the QoS profile class sengs
as it exits the physical interface.
Each of the QoS configuraon components influence each other and the QoS configuraon
opons can be used to create a full and granular QoS implementaon or can be used sparingly
with minimal administrator acon.
Each firewall model supports a maximum number of ports that can be configured with QoS. Refer
to the spec sheet for your firewall model or use the product comparison tool to view QoS feature
support for two or more firewalls on a single page.
PAN-OS® Administrator’s Guide Version Version 9.1 1035 ©2021 Palo Alto Networks, Inc.
Quality of Service
QoS Concepts
Use the following topics to learn about the different components and mechanisms of a QoS
configuraon on a Palo Alto Networks firewall:
• QoS for Applicaons and Users
• QoS Policy
• QoS Profile
• QoS Classes
• QoS Priority Queuing
• QoS Bandwidth Management
• QoS Egress Interface
• QoS for Clear Text and Tunneled Traffic
QoS Policy
Use a QoS policy rule to define traffic to receive QoS treatment (either preferenal treatment or
bandwidth-liming) and assigns such traffic a QoS class of service.
Define a QoS policy rule to match to traffic based on:
• Applicaons and applicaon groups.
• Source zones, source addresses, and source users.
• Desnaon zones and desnaon addresses.
• Services and service groups limited to specific TCP and/or UDP port numbers.
• URL categories, including custom URL categories.
• Differenated Services Code Point (DSCP) and Type of Service (ToS) values, which are used to
indicate the level of service requested for traffic, such as high priority or best effort delivery.
You cannot apply DSCP code points or QoS to SSL Forward Proxy, SSL Inbound Inspecon,
and SSH Proxy traffic.
Set up mulple QoS policy rules (Policies > QoS) to associate different types of traffic with
different QoS Classes of service.
PAN-OS® Administrator’s Guide Version Version 9.1 1036 ©2021 Palo Alto Networks, Inc.
Quality of Service
Because QoS is enforced on traffic as it egresses the firewall, your QoS policy rule is applied to
traffic aer the firewall has enforced all other security policy rules, including Network Address
Translaon (NAT) rules. If you want to apply QoS treatment to traffic based on source, make
sure to specify the post-NAT source address in a QoS policy rule (do not use the pre-NAT source
address).
QoS Profile
Use a QoS profile rule to define values of up to eight QoS Classes contained within that single
profile rule.
With a QoS profile rule, you can define QoS Priority Queuing and QoS Bandwidth Management
for QoS classes. Each QoS profile rule allows you to configure individual bandwidth and priority
sengs for up eight QoS classes, as well as the total bandwidth alloted for the eight classes
combined. Aach the QoS profile rule (or mulple QoS profile rules) to a physical interface to
apply the defined priority and bandwidth sengs to the traffic exing that interface.
A default QoS profile rule is available on the firewall. The default profile rule and the classes
defined in the profile do not have predefined maximum or guaranteed bandwidth limits.
To define priority and bandwidth sengs for QoS classes, see Step Add a QoS profile rule.
QoS Classes
A QoS class determines the priority and bandwidth for traffic matching a QoS Policy rule. You can
use a QoS Profile rule to define QoS classes. There are up to eight definable QoS classes in a single
QoS profile. Unless otherwise configured, traffic that does not match a QoS class is assigned a
class of 4.
QoS Priority Queuing and QoS Bandwidth Management, the fundamental mechanisms of a QoS
configuraon, are configured within the QoS class definion (see Step Add a QoS profile rule.).
For each QoS class, you can set a priority (real-me, high, medium, and low) and the maximum
and guaranteed bandwidth for matching traffic. QoS priority queuing and bandwidth management
determine the order of traffic and how traffic is handled upon entering or leaving a network.
PAN-OS® Administrator’s Guide Version Version 9.1 1037 ©2021 Palo Alto Networks, Inc.
Quality of Service
PAN-OS® Administrator’s Guide Version Version 9.1 1038 ©2021 Palo Alto Networks, Inc.
Quality of Service
• Egress Guaranteed—The amount of bandwidth guaranteed for matching traffic. When the
egress guaranteed bandwidth is exceeded, the firewall passes traffic on a best-effort basis.
Bandwidth that is guaranteed but is unused connues to remain available for all traffic.
Depending on your QoS configuraon, you can guarantee bandwidth for a single QoS class, for
all or some clear text traffic, and for all or some tunneled traffic.
Example:
Class 1 traffic has 5 Gbps of egress guaranteed bandwidth, which means that 5 Gbps is
available but is not reserved for class 1 traffic. If Class 1 traffic does not use or only parally
uses the guaranteed bandwidth, the remaining bandwidth can be used by other classes of
traffic. However, during high traffic periods, 5 Gbps of bandwidth is absolutely available for
class 1 traffic. During these periods of congeson, any Class 1 traffic that exceeds 5 Gbps is
best effort.
• Egress Max—The overall bandwidth allocaon for matching traffic. The firewall drops traffic
that exceeds the egress max limit that you set. Depending on your QoS configuraon, you can
set a maximum bandwidth limit for a QoS class, for all or some clear text traffic, for all or some
tunneled traffic, and for all traffic exing the QoS interface.
The cumulave guaranteed bandwidth for the QoS profile rules aached to the
interface must not exceed the total bandwidth allocated to the interface.
To define bandwidth sengs for QoS classes, see Step Add a QoS profile rule. To then apply those
bandwidth sengs to clear text and tunneled traffic, and to set the overall bandwidth limit for a
QoS interface, see Step Enable QoS on a physical interface.
PAN-OS® Administrator’s Guide Version Version 9.1 1039 ©2021 Palo Alto Networks, Inc.
Quality of Service
Because QoS is enforced on traffic as it egresses the firewall, your QoS policy rule is applied to
traffic aer the firewall has enforced all other security policy rules, including Network Address
Translaon (NAT) rules. If you want to apply QoS treatment to traffic based on source, you must
specify the post-NAT source address in a QoS policy rule (do not use the pre-NAT source address).
Learn more about how to Idenfy the egress interface for applicaons that you want to receive
QoS treatment.
PAN-OS® Administrator’s Guide Version Version 9.1 1040 ©2021 Palo Alto Networks, Inc.
Quality of Service
Configure QoS
Follow these steps to configure Quality of Service (QoS), which includes creang a QoS profile,
creang a QoS policy, and enabling QoS on an interface.
STEP 1 | Idenfy the traffic you want to manage with QoS.
This example shows how to use QoS to limit web browsing.
Select ACC to view the Applicaon Command Center page. Use the sengs and charts on the
ACC page to view trends and traffic related to Applicaons, URL filtering, Threat Prevenon,
Data Filtering, and HIP Matches.
Click any applicaon name to display detailed applicaon informaon.
PAN-OS® Administrator’s Guide Version Version 9.1 1041 ©2021 Palo Alto Networks, Inc.
Quality of Service
STEP 2 | Idenfy the egress interface for applicaons that you want to receive QoS treatment.
The egress interface for traffic depends on the traffic flow. If you are shaping incoming
traffic, the egress interface is the internal-facing interface. If you are shaping outgoing
traffic, the egress interface is the external-facing interface.
Select Monitor > Logs > Traffic to view the Traffic logs.
To filter and only show logs for a specific applicaon:
• If an entry is displayed for the applicaon, click the underlined link in the Applicaon
column then click the Submit icon.
• If an entry is not displayed for the applicaon, click the Add Log icon and search for the
applicaon.
The Egress I/F in the traffic logs displays each applicaon’s egress interface. To display the
Egress I/F column if it is not displayed by default:
• Click any column header to add a column to the log:
• Click the spyglass icon to the le of any entry to display a detailed log that includes the
applicaon’s egress interface listed in the Desnaon secon:
PAN-OS® Administrator’s Guide Version Version 9.1 1042 ©2021 Palo Alto Networks, Inc.
Quality of Service
Because QoS is enforced on traffic as it egresses the firewall, your QoS policy rule is
applied to traffic aer the firewall has enforced all other security policy rules, including
Network Address Translaon (NAT) rules. If you want to apply QoS treatment to traffic
based on source, you must specify the post-NAT source address in a QoS policy rule (do
not use the pre-NAT source address).
PAN-OS® Administrator’s Guide Version Version 9.1 1043 ©2021 Palo Alto Networks, Inc.
Quality of Service
Any traffic that exceeds the Egress Guaranteed value is best effort and not
guaranteed. Bandwidth that is guaranteed but is unused connues to remain
available for all traffic.
4. In the Classes secon, specify how to treat up to eight individual QoS classes:
1. Add a class to the QoS Profile.
2. Select the Priority for the class: real-me, high, medium, or low.
3. Enter the Egress Max and Egress Guaranteed bandwidth for traffic assigned to each
QoS class.
5. Click OK.
In the following example, the QoS profile rule Limit Web Browsing limits Class 2 traffic to a
maximum bandwidth of 50Mbps and a guaranteed bandwidth of 2Mbps.
PAN-OS® Administrator’s Guide Version Version 9.1 1044 ©2021 Palo Alto Networks, Inc.
Quality of Service
Check if the firewall model you’re using supports enabling QoS on a subinterface by
reviewing a summary of the Product Specificaons.
It is a best pracce to always define the Egress Max value for a QoS interface.
Ensure that the cumulave guaranteed bandwidth for the QoS profile rules
aached to the interface does not exceed the total bandwidth allocated to the
interface.
4. Select Turn on QoS feature on this interface.
5. In the Default Profile secon, select a QoS profile rule to apply to all Clear Text traffic
exing the physical interface.
6. (Oponal) Select a default QoS profile rule to apply to all tunneled traffic exing the
interface.
For example, enable QoS on ethernet 1/1 and apply the bandwidth and priority sengs you
defined for the QoS profile rule Limit Web Browsing (Step 4) to be used as the default sengs
for clear text egress traffic.
1. (Oponal) Connue to define more granular sengs to provide QoS for Clear Text and
Tunneled Traffic. Sengs configured on the Clear Text Traffic tab and the Tunneled
PAN-OS® Administrator’s Guide Version Version 9.1 1045 ©2021 Palo Alto Networks, Inc.
Quality of Service
Traffic tab automacally override the default profile sengs for clear text and tunneled
traffic on the Physical Interface tab.
• Select Clear Text Traffic and:
• Set the Egress Guaranteed and Egress Max bandwidths for clear text traffic.
• Click Add and apply a QoS profile rule to enforce clear text traffic based on source
interface and source subnet.
(PA-3200 Series, PA-5200 Series, PA-7000 Series only) You must also
select a desnaon interface when configuring a QoS policy rule if the rule
is applied to a specific subinterface.
• Select Tunneled Traffic and:
• Set the Egress Guaranteed and Egress Max bandwidths for tunneled traffic.
• Click Add and aach a QoS profile rule to a single tunnel interface.
2. Click OK.
Bandwidth limits shown on the QoS Stascs window include a hardware adjustment
factor.
PAN-OS® Administrator’s Guide Version Version 9.1 1046 ©2021 Palo Alto Networks, Inc.
Quality of Service
Refer to Virtual Systems for informaon on virtual systems and how to configure them.
STEP 1 | Confirm that the appropriate interfaces, virtual routers, and security zones are associated
with each virtual system.
• To view configured interfaces, select Network > Interface.
• To view configured zones, select Network > Zones.
• To view informaon on defined virtual routers, select Network > Virtual Routers.
PAN-OS® Administrator’s Guide Version Version 9.1 1047 ©2021 Palo Alto Networks, Inc.
Quality of Service
PAN-OS® Administrator’s Guide Version Version 9.1 1048 ©2021 Palo Alto Networks, Inc.
Quality of Service
STEP 3 | Idenfy the egress interface for applicaons that you idenfied as needing QoS treatment.
In a virtual system environment, QoS is applied to traffic on the traffic’s egress point on the
virtual system. Depending the configuraon and QoS policy for a virtual system, the egress
point of QoS traffic could be associated with a physical interface or could be a zone.
This example shows how to limit web-browsing traffic on vsys 1.
Select Monitor > Logs > Traffic to view traffic logs. Each entry has the opon to display
columns with informaon necessary to configure QoS in a virtual system environment:
• virtual system
• egress interface
• ingress interface
• source zone
• desnaon zone
To display a column if it is not displayed by default:
• Click any column header to add a column to the log:
• Click the spyglass icon to the le of any entry to display a detailed log that includes the
applicaon’s egress interface, as well as source and desnaon zones, in the Source and
Desnaon secons:
For example, for web-browsing traffic from VSYS 1, the ingress interface is ethernet 1/2, the
egress interface is ethernet 1/1, the source zone is trust and the desnaon zone is untrust.
PAN-OS® Administrator’s Guide Version Version 9.1 1049 ©2021 Palo Alto Networks, Inc.
Quality of Service
Any traffic that exceeds the QoS profile’s egress guaranteed limit is best effort
but is not guaranteed.
5. In the Classes secon of the QoS Profile, specify how to treat up to eight individual QoS
classes:
1. Click Add to add a class to the QoS Profile.
2. Select the Priority for the class.
3. Enter an Egress Max for a class to set the overall bandwidth limit for that individual
class.
4. Enter an Egress Guaranteed for the class to set the guaranteed bandwidth for that
individual class.
6. Click OK to save the QoS profile.
PAN-OS® Administrator’s Guide Version Version 9.1 1050 ©2021 Palo Alto Networks, Inc.
Quality of Service
priorized and shaped only for that virtual system (and not for other virtual systems through
which the traffic might flow).
1. Select Policies > QoS and Add a QoS Policy Rule.
2. Select General and give the QoS Policy Rule a descripve Name.
3. Specify the traffic to which the QoS policy rule will apply. Use the Source, Desnaon,
Applicaon, and Service/URL Category tabs to define matching parameters for
idenfying traffic.
For example, select Applicaon and Add web-browsing to apply the QoS policy rule to
that applicaon:
4. Select Source and Add the source zone of vsys 1 web-browsing traffic.
5. Select Desnaon and Add the desnaon zone of vsys 1 web-browsing traffic.
6. Select Other Sengs and select a QoS Class to assign to the QoS policy rule. For
example, assign Class 2 to web-browsing traffic on vsys 1:
PAN-OS® Administrator’s Guide Version Version 9.1 1051 ©2021 Palo Alto Networks, Inc.
Quality of Service
It is a best pracce to always define the Egress Max value for a QoS interface.
1. Select Network > QoS and click Add to open the QoS Interface dialog.
2. Enable QoS on the physical interface:
1. On the Physical Interface tab, select the Interface Name of the interface to apply the
QoS Profile to.
In this example, ethernet 1/1 is the egress interface for web-browsing traffic on vsys 1
(see Step 2).
PAN-OS® Administrator’s Guide Version Version 9.1 1052 ©2021 Palo Alto Networks, Inc.
Quality of Service
acve sessions of a selected QoS node or class, and acve applicaons for the selected QoS
node or class.
• In a mul-vsys environment, sessions cannot span mulple systems. Mulple sessions are
created for one traffic flow if the traffic passes through more than one virtual system. To
browse sessions running on the firewall and view applied QoS Rules and QoS Classes, select
Monitor > Session Browser.
PAN-OS® Administrator’s Guide Version Version 9.1 1053 ©2021 Palo Alto Networks, Inc.
Quality of Service
You cannot apply DSCP code points or QoS to SSL Forward Proxy, SSL Inbound Inspecon,
and SSH Proxy traffic.
PAN-OS® Administrator’s Guide Version Version 9.1 1054 ©2021 Palo Alto Networks, Inc.
Quality of Service
STEP 2 | Define the traffic to receive QoS treatment based on DSCP value.
1. Select Policies > QoS and Add or modify an exisng QoS rule and populate required
fields.
2. Select DSCP/ToS and select Codepoints.
3. Add DSCP/ToS codepoints for which you want to enforce QoS.
4. Select the Type of DSCP/ToS marking for the QoS rule to match to traffic:
It is a best pracce to use a single DSCP type to manage and priorize your
network traffic.
5. Match the QoS policy to traffic on a more granular scale by specifying the Codepoint
value. For example, with Assured Forwarding (AF) selected as the Type of DSCP value for
the policy to match, further specify an AF Codepoint value such as AF11.
STEP 3 | Define the QoS priority for traffic to receive when it is matched to a QoS rule based the
DSCP marking detected at the beginning of a session.
1. Select Network > Network Profiles > QoS Profile and Add or modify an exisng QoS
profile. For details on profile opons to set priority and bandwidth for traffic, see QoS
Concepts and Configure QoS.
2. Add or modify a profile class. For example, because Step 2 showed steps to classify AF11
traffic as Class 1 traffic, you could add or modify a class1 entry.
3. Select a Priority for the class of traffic, such as high.
4. Click OK to save the QoS Profile.
PAN-OS® Administrator’s Guide Version Version 9.1 1055 ©2021 Palo Alto Networks, Inc.
Quality of Service
PAN-OS® Administrator’s Guide Version Version 9.1 1056 ©2021 Palo Alto Networks, Inc.
Quality of Service
The admin assigns a guaranteed bandwidth (Egress Guaranteed) of 50 Mbps to ensure that the
CEO will have that amount that bandwidth guaranteed to her at all mes (more than she would
need to use), regardless of network congeson.
The admin connues by designang Class 1 traffic as high priority and sets the profile’s
maximum bandwidth usage (Egress Max) to 1000 Mbps, the same maximum bandwidth for the
interface that the admin will enable QoS on. The admin is choosing to not restrict the CEO’s
bandwidth usage in any way.
It is a best pracce to populate the Egress Max field for a QoS profile, even if the max
bandwidth of the profile matches the max bandwidth of the interface. The QoS profile’s
max bandwidth should never exceed the max bandwidth of the interface you are
planning to enable QoS on.
STEP 2 | The admin creates a QoS policy to idenfy the CEO’s traffic (Policies > QoS) and assigns it
the class that he defined in the QoS profile (see prior step). Because User-ID is configured,
the admin uses the Source tab in the QoS policy to singularly idenfy the CEO’s traffic by her
PAN-OS® Administrator’s Guide Version Version 9.1 1057 ©2021 Palo Alto Networks, Inc.
Quality of Service
company network username. (If User-ID is not configured, the administrator could Add the
CEO’s IP address under Source Address. See User-ID.):
The admin associates the CEO’s traffic with Class 1 (Other Sengs tab) and then connues
to populate the remaining required policy fields; the admin gives the policy a descripve
Name (General tab) and selects Any for the Source Zone (Source tab) and Desnaon Zone
(Desnaon tab):
STEP 3 | Now that Class 1 is associated with the CEO’s traffic, the admin enables QoS by checking
Turn on QoS feature on interface and selecng the traffic flow’s egress interface. The egress
interface for the CEO’s traffic flow is the external-facing interface, in this case, ethernet 1/2:
Because the admin wants to ensure that all traffic originang from the CEO is guaranteed by
the QoS profile and associated QoS policy he created, he selects the CEO_traffic to apply to
Clear Text traffic flowing from ethernet 1/2.
STEP 4 | Aer comming the QoS configuraon, the admin navigates to the Network > QoS page to
confirm that the QoS profile CEO_traffic is enabled on the external-facing interface, ethernet
1/2:
PAN-OS® Administrator’s Guide Version Version 9.1 1058 ©2021 Palo Alto Networks, Inc.
Quality of Service
STEP 5 | He clicks Stascs to view how traffic originang with the CEO (Class 1) is being shaped as it
flows from ethernet 1/2:
This case demonstrates how to apply QoS to traffic originang from a single source
user. However, if you also wanted to guarantee or shape traffic to a desnaon user,
you could configure a similar QoS setup. Instead of, or in addion to this work flow,
create a QoS policy that specifies the user’s IP address as the Desnaon Address on
the Policies > QoS page (instead of specifying the user’s source informaon) and then
enable QoS on the network’s internal-facing interface on the Network > QoS page
(instead of the external-facing interface).
PAN-OS® Administrator’s Guide Version Version 9.1 1059 ©2021 Palo Alto Networks, Inc.
Quality of Service
STEP 1 | The admin creates a QoS profile, defining Class 2 so that Class 2 traffic receives real-me
priority and on an interface with a maximum bandwidth of 1000 Mbps, is guaranteed a
bandwidth of 250 Mbps at all mes, including peak periods of network usage.
Real-me priority is typically recommended for applicaons affected by latency, and is
parcularly useful in guaranteeing performance and quality of voice and video applicaons.
On the firewall web interface, the admin selects Network > Network Profiles > Qos Profile
page, clicks Add, enters the Profile Name ensure voip-video traffic and defines Class 2 traffic.
STEP 2 | The admin creates a QoS policy to idenfy voice and video traffic. Because the company
does not have one standard voice and video applicaon, the admin wants to ensure
QoS is applied to a few applicaons that are widely and regularly used by employees to
communicate with other offices, with partners, and with customers. On the Policies > QoS
> QoS Policy Rule > Applicaons tab, the admin clicks Add and opens the Applicaon Filter
window. The admin connues by selecng criteria to filter the applicaons he wants to apply
PAN-OS® Administrator’s Guide Version Version 9.1 1060 ©2021 Palo Alto Networks, Inc.
Quality of Service
QoS to, choosing the Subcategory voip-video, and narrowing that down by specifying only
voip-video applicaons that are both low-risk and widely-used.
The applicaon filter is a dynamic tool that, when used to filter applicaons in the QoS policy,
allows QoS to be applied to all applicaons that meet the criteria of voip-video, low risk, and
widely used at any given me.
The admin names the Applicaon Filter voip-video-low-risk and includes it in the QoS policy:
The admin names the QoS policy Voice-Video and selects Other Sengs to assign all traffic
matched to the policy Class 2. He is going to use the Voice-Video QoS policy for both incoming
and outgoing QoS traffic, so he sets Source and Desnaon informaon to Any:
STEP 3 | Because the admin wants to ensure QoS for both incoming and outgoing voice and video
communicaons, he enables QoS on the network’s external-facing interface (to apply QoS
PAN-OS® Administrator’s Guide Version Version 9.1 1061 ©2021 Palo Alto Networks, Inc.
Quality of Service
to outgoing communicaons) and to the internal-facing interface (to apply QoS to incoming
communicaons).
The admin begins by enabling the QoS profile he created, ensure voice-video traffic (Class 2 in
this profile is associated with policy, Voice-Video) on the external-facing interface, in this case,
ethernet 1/2.
He then enables the same QoS profile ensure voip-video traffic on a second interface, the
internal-facing interface (in this case, ethernet 1/1).
STEP 4 | The admin selects Network > QoS to confirm that QoS is enabled for both incoming and
outgoing voice and video traffic:
The admin has successfully enabled QoS on both the network’s internal- and external-facing
interfaces. Real-me priority is now ensured for voice and video applicaon traffic as it flows
both into and out of the network, ensuring that these communicaons, which are parcularly
sensive to latency and jier, can be used reliably and effecvely to perform both internal and
external business communicaons.
PAN-OS® Administrator’s Guide Version Version 9.1 1062 ©2021 Palo Alto Networks, Inc.
VPNs
Virtual private networks (VPNs) create tunnels that allow users/systems to connect
securely over a public network, as if they were connecng over a local area network
(LAN). To set up a VPN tunnel, you need a pair of devices that can authencate each
other and encrypt the flow of informaon between them. The devices can be a pair
of Palo Alto Networks firewalls, or a Palo Alto Networks firewall along with a VPN-
capable device from another vendor.
1063
VPNs
VPN Deployments
The Palo Alto Networks firewall supports the following VPN deployments:
• Site-to-Site VPN— A simple VPN that connects a central site and a remote site, or a hub and
spoke VPN that connects a central site with mulple remote sites. The firewall uses the IP
Security (IPSec) set of protocols to set up a secure tunnel for the traffic between the two sites.
See Site-to-Site VPN Overview.
• Remote User-to-Site VPN—A soluon that uses the GlobalProtect agent to allow a remote
user to establish a secure connecon through the firewall. This soluon uses SSL and IPSec
to establish a secure connecon between the user and the site. Refer to the GlobalProtect
Administrator’s Guide.
• Large Scale VPN— The Palo Alto Networks GlobalProtect Large Scale VPN (LSVPN) provides
a simplified mechanism to roll out a scalable hub and spoke VPN with up to 1,024 satellite
offices. The soluon requires Palo Alto Networks firewalls to be deployed at the hub and at
every spoke. It uses cerficates for device authencaon, SSL for securing communicaon
between all components, and IPSec to secure data. See Large Scale VPN (LSVPN).
PAN-OS® Administrator’s Guide Version Version 9.1 1064 ©2021 Palo Alto Networks, Inc.
VPNs
PAN-OS® Administrator’s Guide Version Version 9.1 1065 ©2021 Palo Alto Networks, Inc.
VPNs
IKE Gateway
The Palo Alto Networks firewalls or a firewall and another security device that iniate and
terminate VPN connecons across the two networks are called the IKE Gateways. To set up the
VPN tunnel and send traffic between the IKE Gateways, each peer must have an IP address—stac
or dynamic—or FQDN. The VPN peers use preshared keys or cerficates to mutually authencate
each other.
The peers must also negoate the mode—main or aggressive—for seng up the VPN tunnel and
the SA lifeme in IKE Phase 1. Main mode protects the identy of the peers and is more secure
because more packets are exchanged when seng up the tunnel. Main mode is the recommended
mode for IKE negoaon if both peers support it. Aggressive mode uses fewer packets to set up
the VPN tunnel and is hence faster but a less secure opon for seng up the VPN tunnel.
See Set Up an IKE Gateway for configuraon details.
Tunnel Interface
To set up a VPN tunnel, the Layer 3 interface at each end must have a logical tunnel interface
for the firewall to connect to and establish a VPN tunnel. A tunnel interface is a logical (virtual)
interface that is used to deliver traffic between two endpoints. If you configure any proxy IDs, the
proxy ID is counted toward any IPSec tunnel capacity.
The tunnel interface must belong to a security zone to apply policy and it must be assigned to a
virtual router in order to use the exisng roung infrastructure. Ensure that the tunnel interface
and the physical interface are assigned to the same virtual router so that the firewall can perform a
route lookup and determine the appropriate tunnel to use.
Typically, the Layer 3 interface that the tunnel interface is aached to belongs to an external zone,
for example the untrust zone. While the tunnel interface can be in the same security zone as the
physical interface, for added security and beer visibility, you can create a separate zone for the
tunnel interface. If you create a separate zone for the tunnel interface, say a VPN zone, you will
need to create security policies to enable traffic to flow between the VPN zone and the trust
zone.
To route traffic between the sites, a tunnel interface does not require an IP address. An IP address
is only required if you want to enable tunnel monitoring or if you are using a dynamic roung
PAN-OS® Administrator’s Guide Version Version 9.1 1066 ©2021 Palo Alto Networks, Inc.
VPNs
protocol to route traffic across the tunnel. With dynamic roung, the tunnel IP address serves as
the next hop IP address for roung traffic to the VPN tunnel.
If you are configuring the Palo Alto Networks firewall with a VPN peer that performs policy-based
VPN, you must configure a local and remote Proxy ID when seng up the IPSec tunnel. Each peer
compares the Proxy-IDs configured on it with what is actually received in the packet in order to
allow a successful IKE phase 2 negoaon. If mulple tunnels are required, configure unique Proxy
IDs for each tunnel interface; a tunnel interface can have a maximum of 250 Proxy IDs. Each Proxy
ID counts towards the IPSec VPN tunnel capacity of the firewall, and the tunnel capacity varies by
the firewall model.
See Set Up an IPSec Tunnel for configuraon details.
Tunnel Monitoring
For a VPN tunnel, you can check connecvity to a desnaon IP address across the tunnel. The
network monitoring profile on the firewall allows you to verify connecvity (using ICMP) to a
desnaon IP address or a next hop at a specified polling interval, and to specify an acon on
failure to access the monitored IP address.
If the desnaon IP is unreachable, you either configure the firewall to wait for the tunnel to
recover or configure automac failover to another tunnel. In either case, the firewall generates
a system log that alerts you to a tunnel failure and renegoates the IPSec keys to accelerate
recovery.
See Set Up Tunnel Monitoring for configuraon details.
PAN-OS® Administrator’s Guide Version Version 9.1 1067 ©2021 Palo Alto Networks, Inc.
VPNs
IKE Phase 1
In this phase, the firewalls use the parameters defined in the IKE Gateway configuraon and the
IKE Crypto profile to authencate each other and set up a secure control channel. IKE Phase
supports the use of preshared keys or digital cerficates (which use public key infrastructure,
PKI) for mutual authencaon of the VPN peers. Preshared keys are a simple soluon for
securing smaller networks because they do not require the support of a PKI infrastructure. Digital
cerficates can be more convenient for larger networks or implementaons that require stronger
authencaon security.
When using cerficates, make sure that the CA issuing the cerficate is trusted by both gateway
peers and that the maximum length of cerficates in the cerficate chain is 5 or less. With IKE
fragmentaon enabled, the firewall can reassemble IKE messages with up to 5 cerficates in the
cerficate chain and successfully establish a VPN tunnel.
The IKE Crypto profile defines the following opons that are used in the IKE SA negoaon:
• Diffie-Hellman (DH) group for generang symmetrical keys for IKE.
The Diffie-Hellman algorithm uses the private key of one party and the public key of the other
to create a shared secret, which is an encrypted key that both VPN tunnel peers share. The DH
groups supported on the firewall are: Group 1—768 bits, Group 2—1024 bits (default), Group 5
—1536 bits, Group 14—2048 bits, Group 19—256-bit ellipc curve group, and Group 20—384-
bit ellipc curve group.
• Authencaon algorithms—sha1, sha 256, sha 384, sha 512, or md5
• Encrypon algorithms—3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des
IKE Phase 2
Aer the tunnel is secured and authencated, in Phase 2 the channel is further secured for the
transfer of data between the networks. IKE Phase 2 uses the keys that were established in Phase
1 of the process and the IPSec Crypto profile, which defines the IPSec protocols and keys used for
the SA in IKE Phase 2.
The IPSEC uses the following protocols to enable secure communicaon:
PAN-OS® Administrator’s Guide Version Version 9.1 1068 ©2021 Palo Alto Networks, Inc.
VPNs
• Encapsulang Security Payload (ESP)—Allows you to encrypt the enre IP packet, and
authencate the source and verify integrity of the data. While ESP requires that you encrypt
and authencate the packet, you can choose to only encrypt or only authencate by seng
the encrypon opon to Null; using encrypon without authencaon is discouraged.
• Authencaon Header (AH)—Authencates the source of the packet and verifies data integrity.
AH does not encrypt the data payload and is unsuited for deployments where data privacy is
important. AH is commonly used when the main concern is to verify the legimacy of the peer,
and data privacy is not required.
ESP AH
PAN-OS® Administrator’s Guide Version Version 9.1 1069 ©2021 Palo Alto Networks, Inc.
VPNs
ESP AH
• md5 • md5
• sha 1 • sha 1
IKEv2
An IPSec VPN gateway uses IKEv1 or IKEv2 to negoate the IKE security associaon (SA) and
IPSec tunnel. IKEv2 is defined in RFC 5996.
Unlike IKEv1, which uses Phase 1 SA and Phase 2 SA, IKEv2 uses a child SA for Encapsulang
Security Payload (ESP) or Authencaon Header (AH), which is set up with an IKE SA.
NAT traversal (NAT-T) must be enabled on both gateways if you have NAT occurring on a device
that sits between the two gateways. A gateway can see only the public (globally routable) IP
address of the NAT device.
IKEv2 provides the following benefits over IKEv1:
• Tunnel endpoints exchange fewer messages to establish a tunnel. IKEv2 uses four messages;
IKEv1 uses either nine messages (in main mode) or six messages (in aggressive mode).
• Built-in NAT-T funconality improves compability between vendors.
PAN-OS® Administrator’s Guide Version Version 9.1 1070 ©2021 Palo Alto Networks, Inc.
VPNs
• Built-in health check automacally re-establishes a tunnel if it goes down. The liveness check
replaces the Dead Peer Detecon used in IKEv1.
• Supports traffic selectors (one per exchange). The traffic selectors are used in IKE negoaons
to control what traffic can access the tunnel.
• Supports Hash and URL cerficate exchange to reduce fragmentaon.
• Resiliency against DoS aacks with improved peer validaon. An excessive number of half-
open SAs can trigger cookie validaon.
Before configuring IKEv2, you should be familiar with the following concepts:
• Liveness Check
• Cookie Acvaon Threshold and Strict Cookie Validaon
• Traffic Selectors
• Hash and URL Cerficate Exchange
• SA Key Lifeme and Re-Authencaon Interval
Aer you Set Up an IKE Gateway, if you chose IKEv2, perform the following oponal tasks related
to IKEv2 as required by your environment:
• Export a Cerficate for a Peer to Access Using Hash and URL
• Import a Cerficate for IKEv2 Gateway Authencaon
• Change the Key Lifeme or Authencaon Interval for IKEv2
• Change the Cookie Acvaon Threshold for IKEv2
• Configure IKEv2 Traffic Selectors
Liveness Check
The liveness check for IKEv2 is similar to Dead Peer Detecon (DPD), which IKEv1 uses as the
way to determine whether a peer is sll available.
In IKEv2, the liveness check is achieved by any IKEv2 packet transmission or an empty
informaonal message that the gateway sends to the peer at a configurable interval, five seconds
by default. If necessary, the sender aempts the retransmission up to ten mes. If it doesn’t get
a response, the sender closes and deletes the IKE_SA and corresponding CHILD_SAs. The sender
will start over by sending out another IKE_SA_INIT message.
PAN-OS® Administrator’s Guide Version Version 9.1 1071 ©2021 Palo Alto Networks, Inc.
VPNs
validaon is successful, another SA can be iniated. A value of 0 means that cookie validaon is
always on.
The Responder does not maintain a state of the Iniator, nor does it perform a Diffie-Hellman
key exchange, unl the Iniator returns the cookie. IKEv2 cookie validaon migates a DoS
aack that would try to leave numerous connecons half open.
The Cookie Acvaon Threshold must be lower than the Maximum Half Opened SA seng.
If you Change the Cookie Acvaon Threshold for IKEv2 to a very high number (for example,
65534) and the Maximum Half Opened SA seng remained at the default value of 65535,
cookie validaon is essenally disabled.
• You can enable Strict Cookie Validaon if you want cookie validaon performed for every
new IKEv2 SA a gateway receives, regardless of the global threshold. Strict Cookie Validaon
affects only the IKE gateway being configured and is disabled by default. With Strict Cookie
Validaon disabled, the system uses the Cookie Acvaon Threshold to determine whether a
cookie is needed or not.
Traffic Selectors
In IKEv1, a firewall that has a route-based VPN needs to use a local and remote Proxy ID in order
to set up an IPSec tunnel. Each peer compares its Proxy IDs with what it received in the packet in
order to successfully negoate IKE Phase 2. IKE Phase 2 is about negoang the SAs to set up an
IPSec tunnel. (For more informaon on Proxy IDs, see Tunnel Interface.)
In IKEv2, you can Configure IKEv2 Traffic Selectors, which are components of network traffic that
are used during IKE negoaon. Traffic selectors are used during the CHILD_SA (tunnel creaon)
Phase 2 to set up the tunnel and to determine what traffic is allowed through the tunnel. The two
IKE gateway peers must negoate and agree on their traffic selectors; otherwise, one side narrows
its address range to reach agreement. One IKE connecon can have mulple tunnels; for example,
you can assign different tunnels to each department to isolate their traffic. Separaon of traffic
also allows features such as QoS to be implemented.
The IPv4 and IPv6 traffic selectors are:
• Source IP address—A network prefix, address range, specific host, or wildcard.
• Desnaon IP address—A network prefix, address range, specific host, or wildcard.
• Protocol—A transport protocol, such as TCP or UDP.
• Source port—The port where the packet originated.
• Desnaon port—The port the packet is desned for.
During IKE negoaon, there can be mulple traffic selectors for different networks and
protocols. For example, the Iniator might indicate that it wants to send TCP packets from
172.168.0.0/16 through the tunnel to its peer, desned for 198.5.0.0/16. It also wants to send
UDP packets from 172.17.0.0/16 through the same tunnel to the same gateway, desned for
0.0.0.0 (any network). The peer gateway must agree to these traffic selectors so that it knows
what to expect.
It is possible that one gateway will start negoaon using a traffic selector that is a more specific
IP address than the IP address of the other gateway.
• For example, gateway A offers a source IP address of 172.16.0.0/16 and a desnaon IP
address of 192.16.0.0/16. But gateway B is configured with 0.0.0.0 (any source) as the
source IP address and 0.0.0.0 (any desnaon) as the desnaon IP address. Therefore,
PAN-OS® Administrator’s Guide Version Version 9.1 1072 ©2021 Palo Alto Networks, Inc.
VPNs
gateway B narrows down its source IP address to 192.16.0.0/16 and its desnaon address to
172.16.0.0/16. Thus, the narrowing down accommodates the addresses of gateway A and the
traffic selectors of the two gateways are in agreement.
• If gateway B (configured with source IP address 0.0.0.0) is the Iniator instead of the
Responder, gateway A will respond with its more specific IP addresses, and gateway B will
narrow down its addresses to reach agreement.
PAN-OS® Administrator’s Guide Version Version 9.1 1073 ©2021 Palo Alto Networks, Inc.
VPNs
If there is a deny rule at the end of the security rulebase, intra-zone traffic is blocked
unless otherwise allowed. Rules to allow IKE and IPSec applicaons must be explicitly
included above the deny rule.
If your VPN traffic is passing through (not originang or terminang on) a PA-7000
Series or PA-5200 Series firewall, configure bi-direconal Security policy rules to allow
the ESP or AH traffic in both direcons.
When these tasks are complete, the tunnel is ready for use. Traffic desned for the zones/
addresses defined in policy is automacally routed properly based on the desnaon route in the
roung table, and handled as VPN traffic. For a few examples on site-to-site VPN, see Site-to-Site
VPN Quick Configs.
For troubleshoong purposes, you can Enable/Disable, Refresh or Restart an IKE Gateway or
IPSec Tunnel.
PAN-OS® Administrator’s Guide Version Version 9.1 1074 ©2021 Palo Alto Networks, Inc.
VPNs
STEP 3 | Establish the peer at the far end of the tunnel (gateway).
For Peer IP Address Type, select one of the following and enter the corresponding informaon
for the peer:
• IP—Enter a Peer Address that is either an IPv4 or IPv6 address or enter an address object
that is an IPv4 or IPv6 address.
• FQDN—Enter a Peer Address that is an FQDN string or an address object that uses an
FQDN string. If the FQDN or FQDN address object resolves to more than one IP address,
the firewall selects the preferred address from the set of addresses that match the Address
Type (IPv4 or IPv6) of the IKE gateway as follows:
• If no IKE security associaon (SA) is negoated, the preferred address is the IP address
with the smallest value.
• If the IKE gateway uses an address that is in the set of returned addresses, the firewall
selects that address (whether or not it is the smallest address in the set).
• If the IKE gateway uses an address that isn’t in the set of returned addresses, the firewall
selects a new address, and it is the smallest address in the set.
• Dynamic—Select Dynamic if the peer IP address or FQDN value is unknown so that the
peer will iniate the negoaon.
Using an FQDN or FQDN address object reduces issues in environments where the
peer is subject to dynamic IP address changes (and would otherwise require you to
reconfigure this IKE gateway peer address).
PAN-OS® Administrator’s Guide Version Version 9.1 1075 ©2021 Palo Alto Networks, Inc.
VPNs
Generate a key that is difficult to crack with diconary aacks; use a pre-shared
key generator, if necessary.
2. For Local Idenficaon, choose from the following types and enter a value that you
determine: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), and
User FQDN (email address). Local idenficaon defines the format and idenficaon of
the local gateway. If you do not specify a value, the local IP address is used as the local
idenficaon value.
3. For Peer Idenficaon, choose from the following types and enter a value that you
determine: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), and
User FQDN (email address). Peer idenficaon defines the format and idenficaon of
the peer gateway. If you do not specify a value, the peer IP address is used as the peer
idenficaon value.
4. Proceed to Step 7 (Configure advanced opons for the gateway).
PAN-OS® Administrator’s Guide Version Version 9.1 1076 ©2021 Palo Alto Networks, Inc.
VPNs
PAN-OS® Administrator’s Guide Version Version 9.1 1077 ©2021 Palo Alto Networks, Inc.
VPNs
If you do not set the exchange mode to auto, then you must configure both
peers with the same exchange mode to allow each peer to accept negoaon
requests.
• Select an exisng profile or keep the default profile from the IKE Crypto Profile list. If
needed, you can Define IKE Crypto Profiles.
• (Only when using cerficate-based authencaon and when exchange mode is not
set to aggressive mode) Click Enable Fragmentaon to enable the firewall to operate
with IKE Fragmentaon.
• Click Dead Peer Detecon and enter an Interval (range is 2 to 100 seconds). For
Retry, define the me to delay (range is 2 to 100 seconds) before aempng to
re-check availability. Dead peer detecon idenfies inacve or unavailable IKE
peers by sending an IKE phase 1 noficaon payload to the peer and waing for an
acknowledgment.
4. If you configured IKEv2 only mode or IKEv2 preferred mode in Step 1, then on the IKEv2
tab:
• Select an IKE Crypto Profile, which configures IKE Phase 1 opons such, as the DH
group, hash algorithm, and ESP authencaon. For informaon about IKE crypto
profiles, see IKE Phase 1.
• (Oponal) Enable Strict Cookie Validaon Cookie Acvaon Threshold and Strict
Cookie Validaon.
• (Oponal) Enable Liveness Check and enter an Interval (sec) (default is 5) if you
want to have the gateway send a message request to its gateway peer, requesng a
response. If necessary, the Iniator aempts the liveness check as many as 10 mes.
If it doesn’t get a response, the Iniator closes and deletes the IKE_SA and CHILD_SA.
The Iniator will start over by sending out another IKE_SA_INIT.
PAN-OS® Administrator’s Guide Version Version 9.1 1078 ©2021 Palo Alto Networks, Inc.
VPNs
STEP 1 | Select Device > Cerficates, and if your plaorm supports mulple virtual systems, for
Locaon, select the appropriate virtual system.
STEP 2 | On the Device Cerficates tab, select the cerficate to Export to the server.
The status of the cerficate should be valid, not expired. The firewall will not stop you
from exporng an invalid cerficate.
STEP 4 | Leave Export private key clear. Exporng the private key is unnecessary for Hash and URL.
PAN-OS® Administrator’s Guide Version Version 9.1 1079 ©2021 Palo Alto Networks, Inc.
VPNs
PAN-OS® Administrator’s Guide Version Version 9.1 1080 ©2021 Palo Alto Networks, Inc.
VPNs
STEP 3 | Click Add and enter the Name in the Proxy ID field.
STEP 6 | In the Protocol field, select the transport protocol (TCP or UDP).
All IKE gateways configured on the same interface or local IP address must use the same
crypto profile when the IKE gateway’s Peer IP Address Type is configured as Dynamic and
IKEv1 main mode or IKEv2 is applied.
PAN-OS® Administrator’s Guide Version Version 9.1 1081 ©2021 Palo Alto Networks, Inc.
VPNs
STEP 2 | Specify the DH (Diffie–Hellman) Group for key exchange and the Authencaon and
Encrypon algorithms.
Click Add in the corresponding secons (DH Group, Authencaon, and Encrypon) and select
from the menus.
If you are not certain of what the VPN peers support, add mulple groups or algorithms in the
order of most-to-least secure as follows; the peers negoate the strongest supported group or
algorithm to establish the tunnel:
• DH Group—group20, group19, group14, group5, group2, and group1.
• Authencaon—sha512, sha384, sha256, sha1, md5.
• Encrypon—aes-256-cbc, aes-192-cbc, aes-128-cbc, 3des, des.
As a best pracce, choose the strongest authencaon and encrypon algorithms the
peer can support. For the authencaon algorithm, use SHA-256 or higher (SHA-384
or higher preferred for long-lived transacons). Do not use SHA-1 or MD5. For the
encrypon algorithm, use AES; DES and 3DES are weak and vulnerable.
STEP 3 | Specify the duraon for which the key is valid and the re-authencaon interval.
For details, see SA Key Lifeme and Re-Authencaon Interval.
1. In the Key Lifeme fields, specify the period (in seconds, minutes, hours, or days) for
which the key is valid (range is 3 minutes to 365 days; default is 8 hours). When the
key expires, the firewall renegoates a new key. A lifeme is the period between each
renegoaon.
2. For the IKEv2 Authencaon Mulple, specify a value (range is 0-50; default is 0) that is
mulplied by the Key Lifeme to determine the authencaon count. The default value
of 0 disables the re-authencaon feature.
STEP 5 | Aach the IKE Crypto profile to the IKE Gateway configuraon.
See Configure advanced opons for the gateway.
PAN-OS® Administrator’s Guide Version Version 9.1 1082 ©2021 Palo Alto Networks, Inc.
VPNs
STEP 2 | Select the DH Group to use for the IPSec SA negoaons in IKE phase 2.
From DH Group, select the key strength you want to use: group1, group2, group5, group14,
group19, or group20. For highest security, choose the group with the highest number.
If you don’t want to renew the key that the firewall creates during IKE phase 1, select no-
pfs (no perfect forward secrecy); the firewall reuses the current key for the IPSec security
associaon (SA) negoaons.
PAN-OS® Administrator’s Guide Version Version 9.1 1083 ©2021 Palo Alto Networks, Inc.
VPNs
STEP 3 | Select the Tunnel interface on which to set up the IPSec tunnel.
To create a new tunnel interface:
1. Select Tunnel Interface > New Tunnel Interface. (You can also select Network >
Interfaces > Tunnel and click Add.)
2. In the Interface Name field, specify a numeric suffix, such as .2.
3. On the Config tab, select the Security Zone list to define the zone as follows:
Use your trust zone as the terminaon point for the tunnel—Select the zone. Associang the
tunnel interface with the same zone (and virtual router) as the external-facing interface on
which the packets enter the firewall migates the need to create inter-zone roung.
Or:
Create a separate zone for VPN tunnel terminaon (Recommended)—Select New Zone, define
a Name for the new zone (for example vpn-corp), and click OK.
1. For Virtual Router, select default.
2. (Oponal) If you want to assign an IPv4 address to the tunnel interface, select the IPv4
tab, and Add the IP address and network mask, for example 10.31.32.1/32.
3. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1084 ©2021 Palo Alto Networks, Inc.
VPNs
ESP. To route IPv6 traffic to the tunnel, you can use a stac route to the tunnel, or use
OSPFv3, or use a Policy-Based Forwarding (PBF) rule.
3. Enter the 64-bit extended unique Interface ID in hexadecimal format, for example,
00:26:08:FF:FE:DE:4E:29. By default, the firewall will use the EUI-64 generated from the
physical interface’s MAC address.
4. To assign an IPv6 Address to the tunnel interface, Add the IPv6 address and prefix
length, for example 2001:400:f00::1/64. If Prefix is not selected, the IPv6 address
assigned to the interface will be wholly specified in the address text box.
1. Select Use interface ID as host poron to assign an IPv6 address to the interface that
will use the interface ID as the host poron of the address.
2. Select Anycast to include roung through the nearest node.
PAN-OS® Administrator’s Guide Version Version 9.1 1085 ©2021 Palo Alto Networks, Inc.
VPNs
STEP 7 | (Oponal) Preserve the Type of Service header for the priority or treatment of IP packets.
In the Show Advanced Opons secon, select Copy TOS Header. This copies the Type of
Service (TOS) header from the inner IP header to the outer IP header of the encapsulated
packets in order to preserve the original TOS informaon.
If there are mulple sessions inside the tunnel (each with a different TOS value),
copying the TOS header can cause the IPSec packets to arrive out of order.
STEP 8 | (Oponal) Select Add GRE Encapsulaon to enable GRE over IPSec.
Add GRE encapsulaon in cases where the remote endpoint requires traffic to be encapsulated
within a GRE tunnel before IPSec encrypts the traffic. For example, some implementaons
require mulcast traffic to be encapsulated before IPSec encrypts it. Add GRE Encapsulaon
when the GRE packet encapsulated in IPSec has the same source IP address and desnaon IP
address as the encapsulang IPSec tunnel.
To alert the device administrator to tunnel failures and to provide automac failover to another
tunnel interface:
1. Select Tunnel Monitor.
2. Specify a Desnaon IP address on the other side of the tunnel to determine if the
tunnel is working properly.
3. Select a Profile to determine the acon upon tunnel failure. To create a new profile, see
Define a Tunnel Monitoring Profile.
PAN-OS® Administrator’s Guide Version Version 9.1 1086 ©2021 Palo Alto Networks, Inc.
VPNs
STEP 4 | Specify the Interval (sec) and Threshold to trigger the specified acon.
• Threshold specifies the number of heartbeats to wait before taking the specified acon
(range is 2-100; default is 5).
• Interval (sec) specifies the me (in seconds) between heartbeats (range is 2-10; default is 3).
STEP 5 | Aach the monitoring profile to the IPsec Tunnel configuraon. See Enable Tunnel
Monitoring.
PAN-OS® Administrator’s Guide Version Version 9.1 1087 ©2021 Palo Alto Networks, Inc.
VPNs
IKE Updates the onscreen stascs for Restarts the selected IKE gateway.
Gateway the selected IKE gateway.
PAN-OS® Administrator’s Guide Version Version 9.1 1088 ©2021 Palo Alto Networks, Inc.
VPNs
IPSec Updates the onscreen stascs for Restarts the IPSec tunnel.
Tunnel the selected IPSec tunnel.
A restart is disrupve to all exisng
(IKE Phase
Equivalent to issuing a second show sessions.
2)
command in the CLI (aer an inial
Equivalent to issuing a clear, test,
show command).
show command sequence in the CLI.
PAN-OS® Administrator’s Guide Version Version 9.1 1089 ©2021 Palo Alto Networks, Inc.
VPNs
STEP 2 | Enter the following command to test if IKE phase 1 is set up:
In the output, check whether the Security Associaon displays. If it doesn’t, review the system
log messages to interpret the reason for failure.
STEP 3 | Iniate IKE phase 2 by either pinging a host from across the tunnel or using the following CLI
command:
STEP 4 | Enter the following command to test if IKE phase 2 is set up:
In the output, check whether the Security Associaon displays. If it doesn’t, review the system
log messages to interpret the reason for failure.
STEP 5 | To view the VPN traffic flow informaon, use the following command:
PAN-OS® Administrator’s Guide Version Version 9.1 1090 ©2021 Palo Alto Networks, Inc.
VPNs
Received unencrypted notify payload (no Check the IKE Crypto profile
proposal chosen) from IP x.x.x.x[500] to configuraon to verify that the
y.y.y.y[500], ignored... proposals on both sides have a
common encrypon, authencaon,
or and DH Group proposal.
IKE phase-1 negotiation is failed.
Unable to process peer’s SA payload.
IKE phase-2 negotiation failed when The VPN peer on one end is using
processing Proxy ID. Received local id policy-based VPN. You must
x.x.x.x/x type IPv4 address protocol configure a Proxy ID on the Palo
0 port 0, received remote id y.y.y.y/y Alto Networks firewall. See Create a
type IPv4 address protocol 0 port 0. Proxy ID to idenfy the VPN peers..
PAN-OS® Administrator’s Guide Version Version 9.1 1091 ©2021 Palo Alto Networks, Inc.
VPNs
PAN-OS® Administrator’s Guide Version Version 9.1 1092 ©2021 Palo Alto Networks, Inc.
VPNs
PAN-OS® Administrator’s Guide Version Version 9.1 1093 ©2021 Palo Alto Networks, Inc.
VPNs
STEP 2 | Create a tunnel interface and aach it to a virtual router and security zone.
1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, such as .1.
3. On the Config tab, expand the Security Zone to define the zone as follows:
• To use your trust zone as the terminaon point for the tunnel, select the zone.
• (Recommended) To create a separate zone for VPN tunnel terminaon, click New
Zone. In the Zone dialog, define a Name for new zone (for example vpn-tun), and then
click OK.
4. Select the Virtual Router.
5. (Oponal) Assign an IP address to the tunnel interface, select the IPv4 or IPv6 tab,
click Add in the IP secon, and enter the IP address and network mask to assign to the
interface.
With stac routes, the tunnel interface does not require an IP address. For traffic that is
desned to a specified subnet/IP address, the tunnel interface will automacally become
the next hop. Consider adding an IP address if you want to enable tunnel monitoring.
6. To save the interface configuraon, click OK.
In this example, the configuraon for VPN Peer A is:
• Interface—tunnel.10
• Security Zone—vpn_tun
• Virtual Router—default
• IPv4—172.19.9.2/24
The configuraon for VPN Peer B is:
• Interface—tunnel.11
• Security Zone—vpn_tun
• Virtual Router—default
• IPv4—192.168.69.2/24
STEP 3 | Configure a stac route, on the virtual router, to the desnaon subnet.
1. Select Network > Virtual Router and click the router you defined in the prior step.
2. Select Stac Route, click Add, and enter a new route to access the subnet that is at the
other end of the tunnel.
In this example, the configuraon for VPN Peer A is:
• Desnaon—192.168.69.0/24
• Interface—tunnel.10
The configuraon for VPN Peer B is:
• Desnaon—172.19.9.0/24
• Interface—tunnel.11
PAN-OS® Administrator’s Guide Version Version 9.1 1094 ©2021 Palo Alto Networks, Inc.
VPNs
STEP 4 | Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase
2).
Complete this task on both peers and make sure to set idencal values.
1. Select Network > Network Profiles > IKE Crypto. In this example, we use the default
profile.
2. Select Network > Network Profiles > IPSec Crypto. In this example, we use the default
profile.
PAN-OS® Administrator’s Guide Version Version 9.1 1095 ©2021 Palo Alto Networks, Inc.
VPNs
PAN-OS® Administrator’s Guide Version Version 9.1 1096 ©2021 Palo Alto Networks, Inc.
VPNs
PAN-OS® Administrator’s Guide Version Version 9.1 1097 ©2021 Palo Alto Networks, Inc.
VPNs
STEP 2 | Create a tunnel interface and aach it to a virtual router and security zone.
1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, such as, .11.
3. On the Config tab, expand Security Zone to define the zone as follows:
• To use your trust zone as the terminaon point for the tunnel, select the zone.
• (Recommended) To create a separate zone for VPN tunnel terminaon, click New
Zone. In the Zone dialog, define a Name for new zone (for example, vpn-tun), and
then click OK.
4. Select the Virtual Router.
5. Assign an IP address to the tunnel interface, select the IPv4 or IPv6 tab, click Add in the
IP secon, and enter the IP address and network mask/prefix to assign to the interface,
for example, 172.19.9.2/24.
This IP address will be used as the next hop IP address to route traffic to the tunnel and
can also be used to monitor the status of the tunnel.
6. To save the interface configuraon, click OK.
In this example, the configuraon for VPN Peer A is:
• Interface—tunnel.41
• Security Zone—vpn_tun
• Virtual Router—default
• IPv4—2.1.1.141/24
The configuraon for VPN Peer B is:
• Interface—tunnel.40
• Security Zone—vpn_tun
• Virtual Router—default
• IPv4—2.1.1.140/24
STEP 3 | Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase
2).
Complete this task on both peers and make sure to set idencal values.
1. Select Network > Network Profiles > IKE Crypto. In this example, we use the default
profile.
2. Select Network > Network Profiles > IPSec Crypto. In this example, we use the default
profile.
PAN-OS® Administrator’s Guide Version Version 9.1 1098 ©2021 Palo Alto Networks, Inc.
VPNs
STEP 4 | Set up the OSPF configuraon on the virtual router and aach the OSPF areas with the
appropriate interfaces on the firewall.
For more informaon on the OSPF opons that are available on the firewall, see Configure
OSPF.
Use Broadcast as the link type when there are more than two OSPF routers that need to
exchange roung informaon.
1. Select Network > Virtual Routers, and select the default router or add a new router.
2. Select OSPF (for IPv4) or OSPFv3 (for IPv6) and select Enable.
3. In this example, the OSPF configuraon for VPN Peer A is:
• Router ID: 192.168.100.141
• Area ID: 0.0.0.0 that is assigned to the tunnel.1 interface with Link type: p2p
• Area ID: 0.0.0.10 that is assigned to the interface Ethernet1/1 and Link Type:
Broadcast
The OSPF configuraon for VPN Peer B is:
• Router ID: 192.168.100.140
• Area ID: 0.0.0.0 that is assigned to the tunnel.1 interface with Link type: p2p
• Area ID: 0.0.0.20 that is assigned to the interface Ethernet1/15 and Link Type:
Broadcast
PAN-OS® Administrator’s Guide Version Version 9.1 1099 ©2021 Palo Alto Networks, Inc.
VPNs
PAN-OS® Administrator’s Guide Version Version 9.1 1100 ©2021 Palo Alto Networks, Inc.
VPNs
PAN-OS® Administrator’s Guide Version Version 9.1 1101 ©2021 Palo Alto Networks, Inc.
VPNs
PAN-OS® Administrator’s Guide Version Version 9.1 1102 ©2021 Palo Alto Networks, Inc.
VPNs
STEP 2 | Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase
2).
Complete this task on both peers and make sure to set idencal values.
1. Select Network > Network Profiles > IKE Crypto. In this example, we use the default
profile.
2. Select Network > Network Profiles > IPSec Crypto. In this example, we use the default
profile.
PAN-OS® Administrator’s Guide Version Version 9.1 1103 ©2021 Palo Alto Networks, Inc.
VPNs
PAN-OS® Administrator’s Guide Version Version 9.1 1104 ©2021 Palo Alto Networks, Inc.
VPNs
STEP 4 | Create a tunnel interface and aach it to a virtual router and security zone.
1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, say, .41.
3. On the Config tab, expand the Security Zone to define the zone as follows:
• To use your trust zone as the terminaon point for the tunnel, select the zone.
• (Recommended) To create a separate zone for VPN tunnel terminaon, click New
Zone. In the Zone dialog, define a Name for new zone (for example vpn-tun), and then
click OK.
4. Select the Virtual Router.
5. Assign an IP address to the tunnel interface, select the IPv4 or IPv6 tab, click Add in the
IP secon, and enter the IP address and network mask/prefix to assign to the interface,
for example, 172.19.9.2/24.
This IP address will be used to route traffic to the tunnel and to monitor the status of the
tunnel.
6. To save the interface configuraon, click OK.
In this example, the configuraon for VPN Peer A is:
• Interface—tunnel.41
• Security Zone—vpn_tun
• Virtual Router—default
• IPv4—2.1.1.141/24
The configuraon for VPN Peer B is:
• Interface—tunnel.42
• Security Zone—vpn_tun
• Virtual Router—default
• IPv4—2.1.1.140/24
STEP 5 | Specify the interface to route traffic to a desnaon on the 192.168.x.x network.
1. On VPN Peer A, select the virtual router.
2. Select Stac Routes, and Add tunnel.41 as the Interface for roung traffic with a
Desnaon in the 192.168.x.x network.
PAN-OS® Administrator’s Guide Version Version 9.1 1105 ©2021 Palo Alto Networks, Inc.
VPNs
STEP 6 | Set up the stac route and the OSPF configuraon on the virtual router and aach the OSPF
areas with the appropriate interfaces on the firewall.
1. On VPN Peer B, select Network > Virtual Routers, and select the default router or add a
new router.
2. Select Stac Routes and Add the tunnel IP address as the next hop for traffic in the
172.168.x.x. network.
Assign the desired route metric; using a lower the value makes the a higher priority for
route selecon in the forwarding table.
3. Select OSPF (for IPv4) or OSPFv3 (for IPv6) and select Enable.
4. In this example, the OSPF configuraon for VPN Peer B is:
• Router ID: 192.168.100.140
• Area ID: 0.0.0.0 is assigned to the interface Ethernet 1/12 Link type: Broadcast
• Area ID: 0.0.0.10 that is assigned to the interface Ethernet1/1 and Link Type:
Broadcast
• Area ID: 0.0.0.20 is assigned to the interface Ethernet1/15 and Link Type: Broadcast
STEP 7 | Create a redistribuon profile to inject the stac routes into the OSPF autonomous system.
1. Create a redistribuon profile on VPN Peer B.
1. Select Network > Virtual Routers, and select the router you used above.
2. Select Redistribuon Profiles, and click Add.
3. Enter a Name for the profile and select Redist and assign a Priority value. If you have
configured mulple profiles, the profile with the lowest priority value is matched first.
4. Set Source Type as stac, and click OK. The stac route you defined in Step 6 will be
used for the redistribuon.
2. Inject the stac routes in to the OSPF system.
1. Select OSPF > Export Rules (for IPv4) or OSPFv3 > Export Rules (for IPv6).
2. Click Add, and select the redistribuon profile that you just created.
3. Select how the external routes are brought into the OSPF system. The default opon,
Ext2 calculates the total cost of the route using only the external metrics. To use both
internal and external OSPF metrics, use Ext1.
4. Assign a Metric (cost value) for the routes injected into the OSPF system. This opon
allows you to change the metric for the injected route as it comes into the OSPF
system.
5. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1106 ©2021 Palo Alto Networks, Inc.
VPNs
PAN-OS® Administrator’s Guide Version Version 9.1 1107 ©2021 Palo Alto Networks, Inc.
VPNs
PAN-OS® Administrator’s Guide Version Version 9.1 1108 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
The GlobalProtect Large Scale VPN (LSVPN) feature on the Palo Alto Networks next-
generaon firewall simplifies the deployment of tradional hub and spoke VPNs,
enabling you to quickly deploy enterprise networks with several branch offices with a
minimum amount of configuraon required on the remote satellites. This soluon uses
cerficates for firewall authencaon and IPSec to secure data.
LSVPN enables site-to-site VPNs between Palo Alto Networks firewalls. To set up a
site-to-site VPN between a Palo Alto Networks firewall and another device, see VPNs.
The following topics describe the LSVPN components and how to set them up to
enable site-to-site VPN services between Palo Alto Networks firewalls:
1109
Large Scale VPN (LSVPN)
LSVPN Overview
GlobalProtect provides a complete infrastructure for managing secure access to corporate
resources from your remote sites. This infrastructure includes the following components:
• GlobalProtect Portal—Provides the management funcons for your GlobalProtect LSVPN
infrastructure. Every satellite that parcipates in the GlobalProtect LSVPN receives
configuraon informaon from the portal, including configuraon informaon to enable the
satellites (the spokes) to connect to the gateways (the hubs). You configure the portal on an
interface on any Palo Alto Networks next-generaon firewall.
• GlobalProtect Gateways—A Palo Alto Networks firewall that provides the tunnel end point for
satellite connecons. The resources that the satellites access is protected by security policy
on the gateway. It is not required to have a separate portal and gateway; a single firewall can
funcon both as portal and gateway.
• GlobalProtect Satellite—A Palo Alto Networks firewall at a remote site that establishes
IPSec tunnels with the gateway(s) at your corporate office(s) for secure access to centralized
resources. Configuraon on the satellite firewall is minimal, enabling you to quickly and easily
scale your VPN as you add new sites.
The following diagram illustrates how the GlobalProtect LSVPN components work together.
PAN-OS® Administrator’s Guide Version Version 9.1 1110 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
PAN-OS® Administrator’s Guide Version Version 9.1 1111 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
STEP 2 | On the firewall(s) hosng GlobalProtect gateway(s), configure the logical tunnel interface that
will terminate VPN tunnels established by the GlobalProtect satellites.
IP addresses are not required on the tunnel interface unless you plan to use dynamic
roung. However, assigning an IP address to the tunnel interface can be useful for
troubleshoong connecvity issues.
Make sure to enable User-ID in the zone where the VPN tunnels terminate.
STEP 3 | If you created a separate zone for tunnel terminaon of VPN connecons, create a security
policy to enable traffic flow between the VPN zone and your trust zone.
For example, a policy rule enables traffic between the lsvpn-tun zone and the L3-Trust zone.
PAN-OS® Administrator’s Guide Version Version 9.1 1112 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
PAN-OS® Administrator’s Guide Version Version 9.1 1113 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
STEP 1 | On the firewall hosng the GlobalProtect portal, create the root CA cerficate for signing the
cerficates of the GlobalProtect components.
Create a Self-Signed Root CA Cerficate:
1. Select Device > Cerficate Management > Cerficates > Device Cerficates and click
Generate.
2. Enter a Cerficate Name, such as LSVPN_CA.
3. Do not select a value in the Signed By field (this is what indicates that it is self-signed).
4. Select the Cerficate Authority check box and then click OK to generate the cerficate.
STEP 2 | Create SSL/TLS service profiles for the GlobalProtect portal and gateways.
For the portal and each gateway, you must assign an SSL/TLS service profile that references a
unique self-signed server cerficate.
The best pracce is to issue all of the required cerficates on the portal, so that the
signing cerficate (with the private key) doesn’t have to be exported.
If the GlobalProtect portal and gateway are on the same firewall interface, you can use
the same server cerficate for both components.
1. Use the root CA on the portal to Generate a Cerficate for each gateway you will deploy:
1. Select Device > Cerficate Management > Cerficates > Device Cerficates and click
Generate.
2. Enter a Cerficate Name.
3. Enter the FQDN (recommended) or IP address of the interface where you plan to
configure the gateway in the Common Name field.
4. In the Signed By field, select the LSVPN_CA cerficate you just created.
5. In the Cerficate Aributes secon, click Add and define the aributes to uniquely
idenfy the gateway. If you add a Host Name aribute (which populates the SAN field
of the cerficate), it must exactly match the value you defined for the Common Name.
6. Generate the cerficate.
2. Configure an SSL/TLS Service Profile for the portal and each gateway:
1. Select Device > Cerficate Management > SSL/TLS Service Profile and click Add.
2. Enter a Name to idenfy the profile and select the server Cerficate you just created
for the portal or gateway.
3. Define the range of TLS versions (Min Version to Max Version) allowed for
communicang with satellites and click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1114 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
Best Pracces:
• Export the self-signed server cerficates issued by the root CA from the portal and import
them onto the gateways.
• Be sure to issue a unique server cerficate for each gateway.
• The Common Name (CN) and, if applicable, the Subject Alternave Name (SAN) fields of
the cerficate must match the IP address or fully qualified domain name (FQDN) of the
interface where you configure the gateway.
1. On the portal, select Device > Cerficate Management > Cerficates > Device
Cerficates, select the gateway cerficate you want to deploy, and click Export.
2. Select Encrypted Private Key and Cerficate (PKCS12) from the File Format drop-down.
3. Enter (and re-enter) a Passphrase to encrypt the private key associated with the
cerficate and then click OK to download the PKCS12 file to your computer.
4. On the gateway, select Device > Cerficate Management > Cerficates > Device
Cerficates and click Import.
5. Enter a Cerficate Name.
6. Enter the path and name to the Cerficate File you just downloaded from the portal, or
Browse to find the file.
7. Select Encrypted Private Key and Cerficate (PKCS12) as the File Format.
8. Enter the path and name to the PKCS12 file in the Key File field or Browse to find it.
9. Enter and re-enter the Passphrase you used to encrypt the private key when you
exported it from the portal and then click OK to import the cerficate and key.
PAN-OS® Administrator’s Guide Version Version 9.1 1115 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
STEP 4 | Import the root CA cerficate used to issue server cerficates for the LSVPN components.
You must import the root CA cerficate onto all gateways and satellites. For security reasons,
make sure you export the cerficate only, and not the associated private key.
1. Download the root CA cerficate from the portal.
1. Select Device > Cerficate Management > Cerficates > Device Cerficates.
2. Select the root CA cerficate used to issue cerficates for the LSVPN components
and click Export.
3. Select Base64 Encoded Cerficate (PEM) from the File Format drop-down and click
OK to download the cerficate. (Do not export the private key.)
2. On the firewalls hosng the gateways and satellites, import the root CA cerficate.
1. Select Device > Cerficate Management > Cerficates > Device Cerficates and click
Import.
2. Enter a Cerficate Name that idenfies the cerficate as your client CA cerficate.
3. Browse to the Cerficate File you downloaded from the CA.
4. Select Base64 Encoded Cerficate (PEM) as the File Format and then click OK.
5. Select the cerficate you just imported on the Device Cerficates tab to open it.
6. Select Trusted Root CA and then click OK.
7. Commit the changes.
PAN-OS® Administrator’s Guide Version Version 9.1 1116 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
the sengs in the SCEP profile and automacally includes the serial number of the device in the
subject of the client cerficate. Aer receiving the client cerficate from the enterprise PKI, the
portal transparently deploys the client cerficate to the satellite device. The satellite device then
presents the client cerficate to the portal or gateway for authencaon.
STEP 1 | Create a SCEP profile.
1. Select Device > Cerficate Management > SCEP and then Add a new profile.
2. Enter a Name to idenfy the SCEP profile.
3. If this profile is for a firewall with mulple virtual systems capability, select a virtual
system or Shared as the Locaon where the profile is available.
STEP 2 | (Oponal) To make the SCEP-based cerficate generaon more secure, configure a SCEP
challenge-response mechanism between the PKI and portal for each cerficate request.
Aer you configure this mechanism, its operaon is invisible, and no further input from you is
necessary.
To comply with the U.S. Federal Informaon Processing Standard (FIPS), use a Dynamic SCEP
challenge and specify a Server URL that uses HTTPS (see Step 7).
Select one of the following opons:
• None—(Default) The SCEP server does not challenge the portal before it issues a cerficate.
• Fixed—Obtain the enrollment challenge password from the SCEP server (for example,
http://10.200.101.1/CertSrv/mscep_admin/) in the PKI infrastructure and then
copy or enter the password into the Password field.
• Dynamic—Enter the SCEP Server URL where the portal-client submits these credenals (for
example, http://10.200.101.1/CertSrv/mscep_admin/), and a username and OTP
of your choice. The username and password can be the credenals of the PKI administrator.
STEP 3 | Specify the sengs for the connecon between the SCEP server and the portal to enable the
portal to request and receive client cerficates.
To idenfy the satellite, the portal automacally includes the device serial number in the CSR
request to the SCEP server. Because the SCEP profile requires a value in the Subject field, you
can leave the default $USERNAME token even though the value is not used in client cerficates
for LSVPN.
1. Configure the Server URL that the portal uses to reach the SCEP server in the PKI (for
example, http://10.200.101.1/certsrv/mscep/).
2. Enter a string (up to 255 characters in length) in the CA-IDENT Name field to idenfy
the SCEP server.
3. Select the Subject Alternave Name Type:
• RFC 822 Name—Enter the email name in a cerficate’s subject or Subject Alternave
Name extension.
• DNS Name—Enter the DNS name used to evaluate cerficates.
• Uniform Resource Idenfier—Enter the name of the resource from which the client
will obtain the cerficate.
• None—Do not specify aributes for the cerficate.
PAN-OS® Administrator’s Guide Version Version 9.1 1117 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
STEP 5 | (Oponal) Configure the permied uses of the cerficate, either for signing or encrypon.
• To use this cerficate for signing, select the Use as digital signature check box. This enables
the endpoint use the private key in the cerficate to validate a digital signature.
• To use this cerficate for encrypon, select the Use for key encipherment check box. This
enables the client use the private key in the cerficate to encrypt data exchanged over the
HTTPS connecon established with the cerficates issued by the SCEP server.
STEP 6 | (Oponal) To ensure that the portal is connecng to the correct SCEP server, enter the
CA Cerficate Fingerprint. Obtain this fingerprint from the SCEP server interface in the
Thumbprint field.
1. Enter the URL for the SCEP server’s administrave UI (for example, http://
<hostname or IP>/CertSrv/mscep_admin/).
2. Copy the thumbprint and enter it in the CA Cerficate Fingerprint field.
STEP 7 | Enable mutual SSL authencaon between the SCEP server and the GlobalProtect portal.
This is required to comply with the U.S. Federal Informaon Processing Standard (FIPS).
FIPS-CC operaon is indicated on the firewall login page and in its status bar.
Select the SCEP server’s root CA Cerficate. Oponally, you can enable mutual SSL
authencaon between the SCEP server and the GlobalProtect portal by selecng a Client
Cerficate.
STEP 9 | (Oponal) If aer saving the SCEP profile, the portal fails to obtain the cerficate, you can
manually generate a cerficate signing request (CSR) from the portal.
1. Select Device > Cerficate Management > Cerficates > Device Cerficates and then
click Generate.
2. Enter a Cerficate Name. This name cannot contain spaces.
3. Select the SCEP Profile to use to submit a CSR to your enterprise PKI.
4. Click OK to submit the request and generate the cerficate.
PAN-OS® Administrator’s Guide Version Version 9.1 1118 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
The following workflow describes how to set up the portal to authencate satellites against an
exisng authencaon service. GlobalProtect LSVPN supports external authencaon using a
local database, LDAP (including Acve Directory), Kerberos, TACACS+, or RADIUS.
PAN-OS® Administrator’s Guide Version Version 9.1 1119 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
If you use local authencaon, skip this step and instead add a local user for the
satellite administrator: see Add the user account to the local database.
PAN-OS® Administrator’s Guide Version Version 9.1 1120 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
STEP 2 | Specify the network informaon that enables satellite devices to connect to the gateway.
If you haven’t created the network interface for the gateway, see Create Interfaces and Zones
for the LSVPN for instrucons.
1. Select the Interface that satellites will use for ingress access to the gateway.
2. Specify the IP Address Type and IP address for gateway access:
• The IP address type can be IPv4 (only), IPv6 (only), or IPv4 and IPv6. Use IPv4 and
IPv6 if your network supports dual stack configuraons, where IPv4 and IPv6 run at
the same me.
• The IP address must be compable with the IP address type. For example,
172.16.1/0 for IPv4 addresses or 21DA:D3:0:2F3B for IPv6 addresses. For dual
stack configuraons, enter both an IPv4 and IPv6 address.
3. Click OK to save changes.
PAN-OS® Administrator’s Guide Version Version 9.1 1121 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
STEP 3 | Specify how the gateway authencates satellites aempng to establish tunnels. If
you haven’t yet created an SSL/TLS Service profile for the gateway, see Deploy Server
Cerficates to the GlobalProtect LSVPN Components.
If you haven’t set up the authencaon profiles or cerficate profiles, see Configure the Portal
to Authencate Satellites for instrucons.
If you have not yet set up the cerficate profile, see Enable SSL Between GlobalProtect LSVPN
Components for instrucons.
On the GlobalProtect Gateway Configuraon dialog, select Authencaon and then configure
any of the following:
• To secure communicaon between the gateway and the satellites, select the SSL/TLS
Service Profile for the gateway.
• To specify the authencaon profile to use to authencate satellites, Add a Client
Authencaon. Then, enter a Name to idenfy the configuraon, select OS: Satellite to
apply the configuraon to all satellites, and specify the Authencaon Profile to use to
authencate the satellite. You can also select a Cerficate Profile for the gateway to use to
authencate satellite devices aempng to establish tunnels.
If there are mulple sessions inside the tunnel (each with a different TOS value),
copying the TOS header can cause the IPSec packets to arrive out of order.
STEP 6 | Select the IPSec Crypto profile to use when establishing tunnel connecons.
The profile specifies the type of IPSec encrypon and the authencaon method for securing
the data that will traverse the tunnel. Because both tunnel endpoints in an LSVPN are trusted
PAN-OS® Administrator’s Guide Version Version 9.1 1122 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
firewalls within your organizaon, you can typically use the default (predefined) profile, which
uses ESP as the IPSec protocol, group2 for the DH group, AES-128-CBC for encrypon, and
SHA-1 for authencaon.
In the IPSec Crypto Profile drop-down, select default to use the predefined profile or select
New IPSec Crypto Profile to define a new profile. For details on the authencaon and
encrypon opons, see Define IPSec Crypto Profiles.
STEP 7 | Configure the network sengs to assign the satellites during establishment of the IPSec
tunnel.
You can also configure the satellite to push the DNS sengs to its local clients by
configuring a DHCP server on the firewall hosng the satellite. In this configuraon, the
satellite will push DNS sengs it learns from the gateway to the DHCP clients.
1. On the GlobalProtect Gateway Configuraon dialog, select Satellite > Network Sengs.
2. (Oponal) If clients local to the satellite need to resolve FQDNs on the corporate
network, configure the gateway to push DNS sengs to the satellites in one of the
following ways:
• If the gateway has an interface that is configured as a DHCP client, you can set the
Inheritance Source to that interface and assign the same sengs received by the
DHCP client to GlobalProtect satellites. You can also inherit the DNS suffix from the
same source.
• Manually define the Primary DNS, Secondary DNS, and DNS Suffix sengs to push
to the satellites.
3. To specify the IP Pool of addresses to assign the tunnel interface on the satellites when
the VPN is established, click Add and then specify the IP address range(s) to use.
4. To define what desnaon subnets to route through the tunnel click Add in the Access
Route area and then enter the routes as follows:
• If you want to route all traffic from the satellites through the tunnel, leave this field
blank.
In this case, all traffic except traffic desned for the local subnet will be tunneled
to the gateway.
• To route only some traffic through the gateway (called split tunneling), specify the
desnaon subnets that must be tunneled. In this case, the satellite will route traffic
that is not desned for a specified access route using its own roung table. For
example, you may choose to only tunnel traffic desned for your corporate network,
and use the local satellite to safely enable Internet access.
• If you want to enable roung between satellites, enter the summary route for the
network protected by each satellite.
PAN-OS® Administrator’s Guide Version Version 9.1 1123 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
STEP 8 | (Oponal) Define what routes, if any, the gateway will accept from satellites.
By default, the gateway will not add any routes satellites adverse to its roung table. If you do
not want the gateway to accept routes from satellites, you do not need to complete this step.
1. To enable the gateway to accept routes adversed by satellites, select Satellite > Route
Filter.
2. Select the Accept published routes check box.
3. To filter which of the routes adversed by the satellites to add to the gateway roung
table, click Add and then define the subnets to include. For example, if all the satellites
are configured with subnet 192.168.x.0/24 on the LAN side, configuring a permied
route of 192.168.0.0/16 to enable the gateway to only accept routes from the satellite if
it is in the 192.168.0.0/16 subnet.
PAN-OS® Administrator’s Guide Version Version 9.1 1124 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
PAN-OS® Administrator’s Guide Version Version 9.1 1125 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
STEP 2 | Specify the network informaon to enable satellites to connect to the portal.
If you haven’t yet created the network interface for the portal, see Create Interfaces and Zones
for the LSVPN for instrucons.
1. Select the Interface that satellites will use for ingress access to the portal.
2. Specify the IP Address Type and IP address for satellite access to the portal:
• The IP address type can be IPv4 (for IPv4 traffic only), IPv6 (for IPv6 traffic only, or
IPv4 and IPv6. Use IPv4 and IPv6 if your network supports dual stack configuraons,
where IPv4 and IPv6 run at the same me.
• The IP address must be compable with the IP address type. For example,
172.16.1/0 for IPv4 addresses or 21DA:D3:0:2F3B for IPv6 addresses. For dual
stack configuraons, enter both an IPv4 and IPv6 address.
3. Click OK to save changes.
STEP 3 | Specify an SSL/TLS Service profile to use to enable the satellite to establish an SSL/TLS
connecon to the portal.
If you haven’t yet created an SSL/TLS service profile for the portal and issued gateway
cerficates, see Deploy Server Cerficates to the GlobalProtect LSVPN Components.
1. On the GlobalProtect Portal Configuraon dialog, select Authencaon.
2. Select the SSL/TLS Service Profile.
STEP 4 | Specify an authencaon profile and oponal cerficate profile for authencang satellites.
If the portal can’t validate the serial numbers of connecng satellites, it will fall back to
the authencaon profile. Therefore, before you can save the portal configuraon (by
clicking OK), you must Configure an authencaon profile.
Add a Client Authencaon, and then enter a Name to idenfy the configuraon, select OS:
Satellite to apply the configuraon to all satellites, and specify the Authencaon Profile to
use to authencate satellite devices. You can also specify a Cerficate Profile for the portal to
use to authencate satellite devices.
STEP 5 | Connue with defining the configuraons to push to the satellites or, if you have already
created the satellite configuraons, save the portal configuraon.
Click OK to save the portal configuraon or connue to Define the Satellite Configuraons.
PAN-OS® Administrator’s Guide Version Version 9.1 1126 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
from the top of the list. When it finds a match, it delivers the corresponding configuraon to the
satellite.
For example, the following figure shows a network in which some branch offices require VPN
access to the corporate applicaons protected by your perimeter firewalls and another site needs
VPN access to the data center.
PAN-OS® Administrator’s Guide Version Version 9.1 1127 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
will be automacally added when the satellite connects). Repeat this step for each satellite
you want to receive this configuraon.
• Select the Enrollment User/User Group tab, click Add, and then select the user or group
you want to receive this configuraon. Satellites that do not match on serial number will
be required to authencate as a user specified here (either an individual user or group
member).
Before you can restrict the configuraon to specific groups, you must Map Users to
Groups.
STEP 3 | Specify the gateways that satellites with this configuraon can establish VPN tunnels with.
Routes published by the gateway are installed on the satellite as stac routes. The
metric for the stac route is 10x the roung priority. If you have more than one
gateway, make sure to also set the roung priority to ensure that routes adversed
by backup gateways have higher metrics compared to the same routes adversed by
primary gateways. For example, if you set the roung priority for the primary gateway
and backup gateway to 1 and 10 respecvely, the satellite will use 10 as the metric for
the primary gateway and 100 as the metric for the backup gateway.
STEP 5 | Arrange the satellite configuraons so that the proper configuraon is deployed to each
satellite.
• To move a satellite configuraon up on the list of configuraons, select the configuraon
and click Move Up.
• To move a satellite configuraon down on the list of configuraons, select the configuraon
and click Move Down.
STEP 6 | Specify the cerficates required to enable satellites to parcipate in the LSVPN.
1. In the Trusted Root CA field, click Add and then select the CA cerficate used to issue
the gateway server cerficates. The portal will deploy the root CA cerficate you add
PAN-OS® Administrator’s Guide Version Version 9.1 1128 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
here to all satellites as part of the configuraon to enable the satellite to establish an SSL
connecon with the gateways. As a best pracce, all of your gateways should use the
same issuer.
2. Select the method of Client Cerficate distribuon:
• To store the client cerficates on the portal—select Local and select the Root
CA cerficate that the portal will use to issue client cerficates to satellites upon
successfully authencang them from the Issuing Cerficate drop-down.
If the root CA cerficate used to issue your gateway server cerficates is not
on the portal, you can Import it now. See Enable SSL Between GlobalProtect
LSVPN Components for details on how to import a root CA cerficate.
• To enable the portal to act as a SCEP client to dynamically request and issue client
cerficates—select SCEP and then select the SCEP profile used to generate CSRs to
your SCEP server.
If the you have not yet set up the portal to act as a SCEP client, you can add a
New SCEP profile now. See Deploy Client Cerficates to the GlobalProtect
Satellites Using SCEP for details.
PAN-OS® Administrator’s Guide Version Version 9.1 1129 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
STEP 2 | Configure the logical tunnel interface for the tunnel to use to establish VPN tunnels with the
GlobalProtect gateways.
IP addresses are not required on the tunnel interface unless you plan to use dynamic
roung. However, assigning an IP address to the tunnel interface can be useful for
troubleshoong connecvity issues.
PAN-OS® Administrator’s Guide Version Version 9.1 1130 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
STEP 3 | If you generated the portal server cerficate using a Root CA that is not trusted by the
satellites (for example, if you used self-signed cerficates), import the root CA cerficate
used to issue the portal server cerficate.
The root CA cerficate is required to enable the satellite to establish the inial connecon with
the portal to obtain the LSVPN configuraon.
1. Download the CA cerficate that was used to generate the portal server cerficates. If
you are using self-signed cerficates, export the root CA cerficate from the portal as
follows:
1. Select Device > Cerficate Management > Cerficates > Device Cerficates.
2. Select the CA cerficate, and click Export.
3. Select Base64 Encoded Cerficate (PEM) from the File Format drop-down and click
OK to download the cerficate. (You do not need to export the private key.)
2. Import the root CA cerficate you just exported onto each satellite as follows.
1. Select Device > Cerficate Management > Cerficates > Device Cerficates and click
Import.
2. Enter a Cerficate Name that idenfies the cerficate as your client CA cerficate.
3. Browse to the Cerficate File you downloaded from the CA.
4. Select Base64 Encoded Cerficate (PEM) as the File Format and then click OK.
5. Select the cerficate you just imported on the Device Cerficates tab to open it.
6. Select Trusted Root CA and then click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1131 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
STEP 5 | (Oponal) Configure the satellite to publish local routes to the gateway.
Pushing routes to the gateway enables traffic to the subnets local to the satellite via the
gateway. However, you must also configure the gateway to accept the routes as detailed in
Configure GlobalProtect Gateways for LSVPN.
1. To enable the satellite to push routes to the gateway, on the Advanced tab select Publish
all stac and connected routes to Gateway.
If you select this check box, the firewall will forward all stac and connected routes
from the satellite to the gateway. However, to prevent the creaon of roung loops, the
firewall will apply some route filters, such as the following:
• Default routes
• Routes within a virtual router other than the virtual router associated with the tunnel
interface
• Routes using the tunnel interface
• Routes using the physical interface associated with the tunnel interface
2. (Oponal) If you only want to push routes for specific subnets rather than all routes, click
Add in the Subnet secon and specify which subnet routes to publish.
STEP 7 | If required, provide the credenals to allow the satellite to authencate to the portal.
This step is only required if the portal was unable to find a serial number match in its
configuraon or if the serial number didn’t work. In this case, the satellite will not be able to
establish the tunnel with the gateway(s).
1. Select Network > IPSec Tunnels and click the Gateway Info link in the Status column of
the tunnel configuraon you created for the LSVPN.
2. Click the enter credenals link in the Portal Status field and username and password
required to authencate the satellite to the portal.
Aer the portal successfully authencates to the portal, it will receive its signed
cerficate and configuraon, which it will use to connect to the gateway(s). You should
see the tunnel establish and the Status change to Acve.
PAN-OS® Administrator’s Guide Version Version 9.1 1132 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
PAN-OS® Administrator’s Guide Version Version 9.1 1133 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
The following workflow shows the steps for seng up this basic configuraon:
STEP 1 | Configure a Layer 3 interface.
In this example, the Layer 3 interface on the portal/gateway requires the following
configuraon:
• Interface—ethernet1/11
• Security Zone—lsvpn-tun
• IPv4—203.0.113.11/24
STEP 2 | On the firewall(s) hosng GlobalProtect gateway(s), configure the logical tunnel interface that
will terminate VPN tunnels established by the GlobalProtect satellites.
To enable visibility into users and groups connecng over the VPN, enable User-ID in
the zone where the VPN tunnels terminate.
In this example, the Tunnel interface on the portal/gateway requires the following
configuraon:
• Interface—tunnel.1
• Security Zone—lsvpn-tun
PAN-OS® Administrator’s Guide Version Version 9.1 1134 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
STEP 3 | Create the Security policy rule to enable traffic flow between the VPN zone where the tunnel
terminates (lsvpn-tun) and the trust zone where the corporate applicaons reside (L3-Trust).
See Create a Security Policy Rule.
STEP 4 | Assign an SSL/TLS Service profile to the portal/gateway. The profile must reference a self-
signed server cerficate.
The cerficate subject name must match the FQDN or IP address of the Layer 3 interface you
create for the portal/gateway.
1. On the firewall hosng the GlobalProtect portal, create the root CA cerficate for signing
the cerficates of the GlobalProtect components. In this example, the root CA cerficate,
lsvpn-CA, will be used to issue the server cerficate for the portal/gateway. In addion,
the portal will use this root CA cerficate to sign the CSRs from the satellites.
2. Create SSL/TLS service profiles for the GlobalProtect portal and gateways.
Because the portal and gateway are on the same interface in this example, they can
share an SSL/TLS Service profile that uses the same server cerficate. In this example,
the profile is named lsvpnserver.
STEP 6 | Configure an authencaon profile for the portal to use if the satellite serial number is not
available.
1. Create one type of server profile on the portal:
• Add a RADIUS server profile.
PAN-OS® Administrator’s Guide Version Version 9.1 1135 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
PAN-OS® Administrator’s Guide Version Version 9.1 1136 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
PAN-OS® Administrator’s Guide Version Version 9.1 1137 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
For a basic setup of a LSVPN, follow the steps in Basic LSVPN Configuraon with Stac Roung.
You can then complete the steps in the following workflow to extend the configuraon to use
dynamic roung rather than stac roung.
STEP 1 | Add an IP address to the tunnel interface configuraon on each gateway and each satellite.
Complete the following steps on each gateway and each satellite:
1. Select Network > Interfaces > Tunnel and select the tunnel configuraon you created for
the LSVPN to open the Tunnel Interface dialog.
If you have not yet created the tunnel interface, see Step 2 in Create Interfaces and
Zones for the LSVPN.
2. On the IPv4 tab, click Add and then enter an IP address and subnet mask. For example,
to add an IP address for the gateway tunnel interface you would enter 2.2.2.100/24.
3. Click OK to save the configuraon.
PAN-OS® Administrator’s Guide Version Version 9.1 1138 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
STEP 4 | Verify that the gateways and satellites are able to form router adjacencies.
• On each satellite and each gateway, confirm that peer adjacencies have formed and that
roung table entries have been created for the peers (that is, the satellites have routes to
the gateways and the gateways have routes to the satellites). Select Network > Virtual
Router and click the More Runme Stats link for the virtual router you are using for the
LSVPN. On the Roung tab, verify that the LSVPN peer has a route.
• On the OSPF > Interface tab, verify that the Type is p2mp.
• On the OSPF > Neighbor tab, verify that the firewalls hosng your gateways have
established router adjacencies with the firewalls hosng your satellites and vice versa. Also
verify that the Status is Full, indicang that full adjacencies have been established.
PAN-OS® Administrator’s Guide Version Version 9.1 1139 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
center also has two PA-5200s in an acve/passive HA pair acng as the backup LSVPN gateway.
The portal and gateways serve 500 PA-220s deployed as LSVPN satellites in branch offices.
Both data center sites adverse routes but with different metrics. As a result, the satellites prefer
and install the acve data center’s routes. However, the backup routes also exist in the local
roung informaon base (RIB). If the acve data center fails, the routes adversed by that data
center are removed and replaced with routes from the disaster recovery data center’s routes. The
failover me depends on selecon of iBGP mes and roung convergence associated with iBGP.
The following workflow shows the steps for configuring this deployment:
PAN-OS® Administrator’s Guide Version Version 9.1 1140 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
Configure the zones, interfaces, and IP addresses on each satellite. The interface and
local IP address will be different for each satellite. This interface is used for the VPN
connecon to the portal and gateway.
STEP 2 | On the firewall(s) hosng GlobalProtect gateway(s), configure the logical tunnel interface that
will terminate VPN tunnels established by the GlobalProtect satellites.
Primary gateway:
• Interface: tunnel.5
• IPv4: 10.11.15.254/22
• Zone: LSVPN-Tunnel-Primary
Backup gateway:
• Interface: tunnel.1
• IPv4: 10.11.15.245/22
• Zone: LSVPN-Tunnel-Backup
PAN-OS® Administrator’s Guide Version Version 9.1 1141 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
PAN-OS® Administrator’s Guide Version Version 9.1 1142 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
single satellite configuraon is needed. Satellites are matched based on their serial
numbers, so no satellites will need to authencate as a user.
6. On Satellite > Network Sengs, define the pool of IP address to assign to the tunnel
interface on the satellite once the VPN connecon is established. Because this use case
uses dynamic roung, the Access Routes seng remains blank.
7. Repeat steps 1 through 5 on the backup gateway with the following sengs:
• Name: LSVPN-backup
• Gateway interface: ethernet1/5
• Gateway IP: 172.16.22.25/24
• Server cert: LSVPN-backup-GW-cert
• Tunnel interface: tunnel.1
STEP 5 | Configure iBGP on the primary and backup gateways and add a redistribuon profile to allow
the satellites to inject local routes back to the gateways.
Each satellite office manages its own network and firewall, so the redistribuon profile called
ToAllSat is configured to redistribute local routes back to the GlobalProtect gateway.
1. Select Network > Virtual Routers and Add a virtual router.
2. On Router Sengs, add the Name and Interface for the virtual router.
3. On Redistribuon Profile and select Add.
1. Name the redistribuon profile ToAllSat and set the Priority to 1.
2. Set Redistribute to Redist.
3. Add ethernet1/23 from the Interface drop-down.
4. Click OK.
4. Select BGP on the Virtual Router to configure BGP.
1. On BGP > General, select Enable.
2. Enter the gateway IP address as the Router ID (172.16.22.1) and 1000 as the AS
Number.
3. In the Opons secon, select Install Route.
4. On BGP > Peer Group, click Add a peer group with all the satellites that will connect
to the gateway.
5. On BGP > Redist Rules, Add the ToAllSat redistribuon profile you created
previously.
5. Click OK.
6. Repeat steps 1 through 5 on the backup gateway using ethernet1/6 for the
redistribuon profile.
PAN-OS® Administrator’s Guide Version Version 9.1 1143 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
PAN-OS® Administrator’s Guide Version Version 9.1 1144 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
PAN-OS® Administrator’s Guide Version Version 9.1 1145 ©2021 Palo Alto Networks, Inc.
Large Scale VPN (LSVPN)
PAN-OS® Administrator’s Guide Version Version 9.1 1146 ©2021 Palo Alto Networks, Inc.
Networking
All Palo Alto Networks® next-generaon firewalls provide a flexible networking
architecture that includes support for dynamic roung, switching, and VPN
connecvity, and enables you to deploy the firewall into nearly any networking
environment. When configuring the Ethernet ports on your firewall, you can choose
from virtual wire, Layer 2, or Layer 3 interface deployments. In addion, to allow you
to integrate into a variety of network segments, you can configure different types of
interfaces on different ports. Once your network interfaces have been configured, you
can Export Configuraon Table Data as a PDF or CSV for internal review or audits.
The following topics describe networking concepts and how to integrate Palo Alto
Networks next-generaon firewalls into your network.
> Configure Interfaces > DNS
> Virtual Routers > Dynamic DNS Overview
> Service Routes > Configure Dynamic DNS for Firewall
> Stac Routes Interfaces
1147
Networking
Configure Interfaces
A Palo Alto Networks next-generaon firewall can operate in mulple deployments at once
because the deployments occur at the interface level. For example, you can configure some
interfaces for Layer 3 interfaces to integrate the firewall into your dynamic roung environment,
while configuring other interfaces to integrate into your Layer 2 switching network. The following
topics describe each type of interface deployment and how to configure the corresponding
interface types:
• Tap Interfaces
• Virtual Wire Interfaces
• Layer 2 Interfaces
• Layer 3 Interfaces
• Configure an Aggregate Interface Group
• Use Interface Management Profiles to Restrict Access
Tap Interfaces
A network tap is a device that provides a way to access data flowing across a computer network.
Tap mode deployment allows you to passively monitor traffic flows across a network by way of a
switch SPAN or mirror port.
The SPAN or mirror port permits the copying of traffic from other ports on the switch. By
dedicang an interface on the firewall as a tap mode interface and connecng it with a switch
SPAN port, the switch SPAN port provides the firewall with the mirrored traffic. This provides
applicaon visibility within the network without being in the flow of network traffic.
By deploying the firewall in tap mode, you can get visibility into what applicaons are running on
your network without having to make any changes to your network design. In addion, when in
tap mode, the firewall can also idenfy threats on your network. Keep in mind, however, because
the traffic is not running through the firewall when in tap mode it cannot take any acon on the
traffic, such as blocking traffic with threats or applying QoS traffic control.
To configure a tap interface and begin monitoring the applicaons and threats on your network:
STEP 1 | Decide which port you want to use as your tap interface and connect it to a switch
configured with SPAN/RSPAN or port mirroring.
You will send your network traffic from the SPAN desnaon port through the firewall so you
can have visibility into the applicaons and threats on your network.
STEP 2 | From the firewall web interface, configure the interface you want to use as your network tap.
1. Select Network > Interfaces and select the interface that corresponds to the port you
just cabled.
2. Select Tap as the Interface Type.
3. On the Config tab, expand the Security Zone and select New Zone.
4. In the Zone dialog, enter a Name for new zone, for example TapZone, and then click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1148 ©2021 Palo Alto Networks, Inc.
Networking
STEP 4 | Create Security Profiles to scan your network traffic for threats:
1. Select Objects > Security Profiles.
2. For each security profile type, Add a new profile and set the acon to alert.
Because the firewall is not inline with the traffic you cannot use any block or reset
acons. By seng the acon to alert, you will be able to see any threats the firewall
detects in the logs and ACC.
STEP 5 | Create a security policy rule to allow the traffic through the tap interface.
When creang a security policy rule for tap mode, both the source zone and desnaon zone
must be the same.
1. Select Policies > Security and click Add.
2. In the Source tab, set the Source Zone to the TapZone you just created.
3. In the Desnaon tab, set the Desnaon Zone to the TapZone also.
4. Set the all of the rule match criteria (Applicaons, User, Service, Address) to any.
5. In the Acons tab, set the Acon Seng to Allow.
6. Set Profile Type to Profiles and select each of the security profiles you created to alert
you of threats.
7. Verify that Log at Session End is enabled.
8. Click OK.
9. Place the rule at the top of your rulebase.
STEP 7 | Monitor the firewall logs (Monitor > Logs) and the ACC for insight into the applicaons and
threats on your network.
PAN-OS® Administrator’s Guide Version Version 9.1 1149 ©2021 Palo Alto Networks, Inc.
Networking
QoS, zone protecon (with some excepons), non-IP protocol protecon, DoS protecon, packet
buffer protecon, tunnel content inspecon, and NAT.
Each virtual wire interface is directly connected to a Layer 2 or Layer 3 networking device or host.
The virtual wire interfaces have no Layer 2 or Layer 3 addresses. When one of the virtual wire
interfaces receives a frame or packet, it ignores any Layer 2 or Layer 3 addresses for switching or
roung purposes, but applies your security or NAT policy rules before passing an allowed frame or
packet over the virtual wire to the second interface and on to the network device connected to it.
You wouldn’t use a virtual wire deployment for interfaces that need to support switching, VPN
tunnels, or roung because they require a Layer 2 or Layer 3 address. A virtual wire interface
doesn’t use an interface management profile, which controls services such as HTTP and ping and
therefore requires the interface have an IP address.
All firewalls shipped from the factory have two Ethernet ports (ports 1 and 2) preconfigured as
virtual wire interfaces, and these interfaces allow all untagged traffic.
PAN-OS® Administrator’s Guide Version Version 9.1 1150 ©2021 Palo Alto Networks, Inc.
Networking
If you’re using security group tags (SGTs) in a Cisco Trustsec network, it’s a best pracce to
deploy inline firewalls in either Layer 2 or virtual wire mode. Firewalls in Layer 2 or virtual
wire mode can inspect and provide threat prevenon for the tagged traffic.
If you don’t intend to use the preconfigured virtual wire, you must delete that
configuraon to prevent it from interfering with other sengs you configure on the
firewall. See Set Up Network Access for External Services.
PAN-OS® Administrator’s Guide Version Version 9.1 1151 ©2021 Palo Alto Networks, Inc.
Networking
In order for aggregate interface groups to funcon properly, ensure all links belonging to
the same LACP group on the same side of the virtual wire are assigned to the same zone.
PAN-OS® Administrator’s Guide Version Version 9.1 1152 ©2021 Palo Alto Networks, Inc.
Networking
By default, a virtual wire interface forwards all non-IP traffic it receives. However, you can apply a
zone protecon profile with Protocol Protecon to block or allow certain non-IP protocol packets
between security zones on a virtual wire.
VLAN-Tagged Traffic
Virtual wire interfaces by default allow all untagged traffic. You can, however, use a virtual wire to
connect two interfaces and configure either interface to block or allow traffic based on the virtual
LAN (VLAN) tags. VLAN tag 0 indicates untagged traffic.
You can also create mulple subinterfaces, add them into different zones, and then classify traffic
according to a VLAN tag or a combinaon of a VLAN tag with IP classifiers (address, range, or
subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific
source IP address, range, or subnet.
• Configure two Ethernet interfaces as type virtual wire, and assign these interfaces to a
virtual wire.
• Create subinterfaces on the parent Virtual Wire to separate CustomerA and CustomerB
traffic. Make sure that the VLAN tags defined on each pair of subinterfaces that are
configured as virtual wire(s) are idencal. This is essenal because a virtual wire does not
switch VLAN tags.
• Create new subinterfaces and define IP classifiers. This task is oponal and only required if
you wish to add addional subinterfaces with IP classifiers for further managing traffic from
a customer based on the combinaon of VLAN tags and a specific source IP address, range
or subnet.
You can also use IP classifiers for managing untagged traffic. To do so, you must create a sub-
interface with the vlan tag “0”, and define subinterface(s) with IP classifiers for managing
untagged traffic using IP classifiers.
PAN-OS® Administrator’s Guide Version Version 9.1 1153 ©2021 Palo Alto Networks, Inc.
Networking
IP classificaon may only be used on the subinterfaces associated with one side of the
virtual wire. The subinterfaces defined on the corresponding side of the virtual wire must
use the same VLAN tag, but must not include an IP classifier.
Figure 10: Virtual Wire Deployment with Subinterfaces (VLAN Tags only)
Virtual Wire Deployment with Subinterfaces (VLAN Tags only) depicts CustomerA and CustomerB
connected to the firewall through one physical interface, ethernet1/1, configured as a Virtual
Wire; it is the ingress interface. A second physical interface, ethernet1/2, is also part of the Virtual
Wire; it is the egress interface that provides access to the internet.
For CustomerA, you also have subinterfaces ethernet1/1.1 (ingress) and ethernet1/2.1 (egress).
For CustomerB, you have the subinterface ethernet1/1.2 (ingress) and ethernet1/2.2 (egress).
When configuring the subinterfaces, you must assign the appropriate VLAN tag and zone in
order to apply policies for each customer. In this example, the policies for CustomerA are created
between Zone1 and Zone2, and policies for CustomerB are created between Zone3 and Zone4.
When traffic enters the firewall from CustomerA or CustomerB, the VLAN tag on the incoming
packet is first matched against the VLAN tag defined on the ingress subinterfaces. In this example,
a single subinterface matches the VLAN tag on the incoming packet, hence that subinterface is
selected. The policies defined for the zone are evaluated and applied before the packet exits from
the corresponding subinterface.
The same VLAN tag must not be defined on the parent virtual wire interface and the
subinterface. Verify that the VLAN tags defined on the Tag Allowed list of the parent
virtual wire interface (Network > Virtual Wires) are not included on a subinterface.
Virtual Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers) depicts CustomerA
and CustomerB connected to one physical firewall that has two virtual systems (vsys), in addion
to the default virtual system (vsys1). Each virtual system is an independent virtual firewall that
is managed separately for each customer. Each vsys has aached interfaces/subinterfaces and
security zones that are managed independently.
PAN-OS® Administrator’s Guide Version Version 9.1 1154 ©2021 Palo Alto Networks, Inc.
Networking
Figure 11: Virtual Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers)
Vsys1 is set up to use the physical interfaces ethernet1/1 and ethernet1/2 as a virtual wire;
ethernet1/1 is the ingress interface and ethernet1/2 is the egress interface that provides access
to the Internet. This virtual wire is configured to accept all tagged and untagged traffic with the
excepon of VLAN tags 100 and 200 that are assigned to the subinterfaces.
CustomerA is managed on vsys2 and CustomerB is managed on vsys3. On vsys2 and vsys3, the
following vwire subinterfaces are created with the appropriate VLAN tags and zones to enforce
policy measures.
PAN-OS® Administrator’s Guide Version Version 9.1 1155 ©2021 Palo Alto Networks, Inc.
Networking
When traffic enters the firewall from CustomerA or CustomerB, the VLAN tag on the incoming
packet is first matched against the VLAN tag defined on the ingress subinterfaces. In this case,
for CustomerA, there are mulple subinterfaces that use the same VLAN tag. Hence, the firewall
first narrows the classificaon to a subinterface based on the source IP address in the packet.
The policies defined for the zone are evaluated and applied before the packet exits from the
corresponding subinterface.
For return-path traffic, the firewall compares the desnaon IP address as defined in the IP
classifier on the customer-facing subinterface and selects the appropriate virtual wire to route
traffic through the accurate subinterface.
The same VLAN tag must not be defined on the parent virtual wire interface and the
subinterface. Verify that the VLAN tags defined on the Tag Allowed list of the parent
virtual wire interface (Network > Virtual Wires) are not included on a subinterface.
PAN-OS® Administrator’s Guide Version Version 9.1 1156 ©2021 Palo Alto Networks, Inc.
Networking
consistent link state, as if there were no firewall between them. If you don’t select this
opon, link status is not propagated across the virtual wire.
7. Click OK to save the virtual wire object.
STEP 4 | Configure the second virtual wire interface (ethernet1/4 in this example) by repeang the
preceding steps.
When you select the Virtual Wire object you created, the firewall automacally adds the
second virtual wire interface as Interface2.
STEP 5 | Create a separate security zone for each virtual wire interface.
1. Select Network > Zones and Add a zone.
2. Enter the Name of the zone (such as internet).
3. For Locaon, select the virtual system where the zone applies.
4. For Type, select Virtual Wire.
5. Add the Interface that belongs to the zone.
6. Click OK.
STEP 6 | (Oponal) Create security policy rules to allow Layer 3 traffic to pass through.
To allow Layer 3 traffic across the virtual wire, Create a Security Policy Rule to allow traffic
from the user zone to the internet zone, and another to allow traffic from the internet zone to
the user zone, selecng the applicaons you want to allow, such as BGP or OSPF.
STEP 9 | (Oponal) Configure an LLDP profile and apply it to the virtual wire interfaces (see Configure
LLDP).
STEP 10 | (Oponal) Apply non-IP protocol control to the virtual wire zones (see Configure Protocol
Protecon). Otherwise, all non-IP traffic is forwarded over the virtual wire.
PAN-OS® Administrator’s Guide Version Version 9.1 1157 ©2021 Palo Alto Networks, Inc.
Networking
Layer 2 Interfaces
In a Layer 2 deployment, the firewall provides switching between two or more networks. Devices
are connected to a Layer 2 segment; the firewall forwards the frames to the proper port, which
is associated with the MAC address idenfied in the frame. Configure a Layer 2 Interface when
switching is required.
If you’re using security group tags (SGTs) in a Cisco Trustsec network, it’s a best pracce to
deploy inline firewalls in either Layer 2 or virtual wire mode. Firewalls in Layer 2 or virtual
wire mode can inspect and provide threat prevenon for the tagged traffic.
The following topics describe the different types of Layer 2 interfaces you can configure for each
type of deployment you need, including details on using virtual LANs (VLANs) for traffic and policy
separaon among groups. Another topic describes how the firewall rewrites the inbound port
VLAN ID number in a Cisco per-VLAN spanning tree (PVST+) or Rapid PVST+ bridge protocol data
unit (BPDU).
• Layer 2 Interfaces with No VLANs
• Layer 2 Interfaces with VLANs
• Configure a Layer 2 Interface
• Configure a Layer 2 Interface, Subinterface, and VLAN
• Manage Per-VLAN Spanning Tree (PVST+) BPDU Rewrite
PAN-OS® Administrator’s Guide Version Version 9.1 1158 ©2021 Palo Alto Networks, Inc.
Networking
The firewall begins with an empty MAC table. When the host with source address 0A-76-
F2-60-EA-83 sends a frame to the firewall, the firewall doesn’t have desnaon address
0B-68-2D-05-12-76 in its MAC table, so it doesn’t know which interface to forward the frame
to; it broadcasts the frame to all of its Layer 2 interfaces. The firewall puts source address 0A-76-
F2-60-EA-83 and associated Eth1/1 into its MAC table.
The host at 0C-71-D4-E6-13-44 receives the broadcast, but the desnaon MAC address is not
its own MAC address, so it drops the frame.
The receiving interface Ethernet 1/2 forwards the frame to its host. When host
0B-68-2D-05-12-76 responds, it uses the desnaon address 0A-76-F2-60-EA-83, and the
firewall adds to its MAC table Ethernet 1/2 as the interface to reach 0B-68-2D-05-12-76.
PAN-OS® Administrator’s Guide Version Version 9.1 1159 ©2021 Palo Alto Networks, Inc.
Networking
In this example, the host at MAC address 0A-76-F2-60-EA-83 sends a frame with VLAN ID 10
to the firewall, which the firewall broadcasts to its other L2 interfaces. Ethernet interface 1/3
accepts the frame because it’s connected to the host with desnaon 0C-71-D4-E6-13-44 and
its subinterface .1 is assigned VLAN 10. Ethernet interface 1/3 forwards the frame to the Finance
host.
STEP 2 | Commit.
Click OK and Commit.
PAN-OS® Administrator’s Guide Version Version 9.1 1160 ©2021 Palo Alto Networks, Inc.
Networking
STEP 1 | Configure a Layer 2 interface and subinterface and assign a VLAN ID.
1. Select Network > Interfaces > Ethernet and select an interface. The Interface Name is
fixed, such as ethernet1/1.
2. For Interface Type, select Layer2.
3. Select the Config tab.
4. For VLAN, leave the seng None.
5. Assign the interface to a Security Zone or create a New Zone.
6. Click OK.
7. With the Ethernet interface highlighted, click Add Subinterface.
8. The Interface Name remains fixed. Aer the period, enter the subinterface number, in
the range 1-9,999.
9. Enter a VLAN Tag ID in the range 1-4,094.
10. Assign the subinterface to a Security Zone.
11. Click OK.
STEP 2 | Commit.
Click Commit.
STEP 3 | (Oponal) Apply a Zone Protecon profile with protocol protecon to control non-IP
protocol packets between Layer 2 zones (or between interfaces within a Layer 2 zone).
Configure Protocol Protecon.
The Cisco switch must have the loopguard disabled for the PVST+ or Rapid PVST+ BPDU
rewrite to funcon properly on the firewall.
This feature is supported on Layer 2 Ethernet and Aggregated Ethernet (AE) interfaces only. The
firewall supports a PVID range of 1 to 4,094 with a nave VLAN ID of 1 to be compable with the
Cisco nave VLAN implementaon.
To support the PVST+ BPDU rewrite feature, PAN-OS supports the concept of a PVST+ nave
VLAN. Frames sent to and received from a nave VLAN are untagged with a PVID equal to the
nave VLAN. All switches and firewalls in the same Layer 2 deployment must have the same
nave VLAN for PVST+ to funcon properly. Although the Cisco nave VLAN defaults to vlan1,
the VLAN ID could be a number other than 1.
PAN-OS® Administrator’s Guide Version Version 9.1 1161 ©2021 Palo Alto Networks, Inc.
Networking
For example, the firewall is configured with a VLAN object (named VLAN_BRIDGE), which
describes the interfaces and subinterfaces that belong to a switch or broadcast domain. In
this example, the VLAN includes three subinterfaces: ethernet1/21.100 tagged with 100,
ethernet1/22.1000 tagged with 1000, and ethernet1/23.1500 tagged with 1500.
The subinterfaces belonging to VLAN_BRIDGE look like this:
The sequence in which the firewall automacally rewrites the PVST+ BPDU is shown in the
following graphic and explanaon:
1. The Cisco switch port belonging to VLAN 100 sends a PVST+ BPDU—with the PVID and
802.1Q VLAN tag set to 100—to the firewall.
2. The firewall interfaces and subinterfaces are configured as a Layer 2 interface type. The ingress
subinterface on the firewall is tagged with VLAN 100, which matches the PVID and VLAN tag
of the incoming BPDU, so the firewall accepts the BPDU. The firewall floods the PVST+ BPDU
to all other interfaces belonging to the same VLAN object (in this example, ethernet1/22.1000
and ethernet1/23.1500). If the VLAN tags did not match, the firewall would instead drop the
BPDU.
3. When the firewall floods the BPDU out through other interfaces (belonging to the same VLAN
object), the firewall rewrites the PVID and any 802.1Q VLAN tags to match the VLAN tag of
the egress interface. In this example, the firewall rewrites the BPDU PVID from 100 to 1000
for one subinterface and from 100 to 1500 for the second subinterface as the BPDU traverses
the Layer 2 bridge on the firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 1162 ©2021 Palo Alto Networks, Inc.
Networking
4. Each Cisco switch receives the correct PVID and VLAN tag on the incoming BPDU and
processes the PVST+ packet to detect possible loops in the network.
The following CLI operaonal commands allow you to manage PVST+ and Rapid PVST+ BPDUs.
Globally disable or re-enable the PVST+ and Rapid PVST+ BPDU rewrite of the PVID (default is
enabled).
set session rewrite-pvst-pvid <yes|no>
Set the nave VLAN ID for the firewall (range is 1 to 4,094; default is 1).
If the nave VLAN ID on your switch is a value other than 1, you must set the nave
VLAN ID on the firewall to that same number; otherwise, the firewall will drop packets
with that VLAN ID. This applies to trunked and non-trunked interfaces.
Verify whether PVST+BPDU rewrite is enabled, view the PVST nave VLAN ID, and determine
whether the firewall is dropping all STP BPDU packets.
show vlan all
pvst+ tag rewrite: disabled
pvst native vlan id: 5
drop stp: disabled
total vlans shown: 1
name interface virtual interface
bridge ethernet1/1
ethernet1/2
ethernet1/1.1
ethernet1/2.1
PAN-OS® Administrator’s Guide Version Version 9.1 1163 ©2021 Palo Alto Networks, Inc.
Networking
Layer 3 Interfaces
In a Layer 3 deployment, the firewall routes traffic between mulple ports. Before you can
Configure Layer 3 Interfaces, you must configure the Virtual Routers that you want the firewall to
use to route the traffic for each Layer 3 interface.
If you’re using security group tags (SGTs) in a Cisco Trustsec network, it’s a best pracce
to deploy inline firewalls in either Layer 2 or virtual wire mode. However, if you need to
use a Layer 3 firewall in a Cisco Trustsec network, you should deploy the Layer 3 firewall
between two SGT exchange protocol (SXP) peers, and configure the firewall to allow traffic
between the SXP peers.
The following topics describe how to configure Layer 3 interfaces, and how to use Neighbor
Discovery Protocol (NDP) to provision IPv6 hosts and view the IPv6 addresses of devices on the
link local network to quickly locate devices.
• Configure Layer 3 Interfaces
• Manage IPv6 Hosts Using NDP
If you’re using IPv6 routes, you can configure the firewall to provide IPv6 Router Adversements
for DNS Configuraon. The firewall provisions IPv6 DNS clients with Recursive DNS Server
(RDNS) addresses and a DNS Search List so that the client can resolve its IPv6 DNS requests. Thus
the firewall is acng like a DHCPv6 server for you.
PAN-OS® Administrator’s Guide Version Version 9.1 1164 ©2021 Palo Alto Networks, Inc.
Networking
If you’re using a /31 subnet mask for the Layer 3 interface address, the
interface must be configured with the .1/31 address in order for ulies such
as ping to work properly.
PAN-OS® Administrator’s Guide Version Version 9.1 1165 ©2021 Palo Alto Networks, Inc.
Networking
STEP 3 | Configure an interface with Point-to-Point Protocol over Ethernet (PPPoE). See Layer 3
Interfaces.
1. Select Network > Interfaces and either Ethernet, VLAN, loopback, or Tunnel.
2. Select the interface to configure.
3. On the IPv4 tab, set Type to PPPoE.
4. On the General tab, select Enable to acvate the interface for PPPoE terminaon.
5. Enter the Username for the point-to-point connecon.
6. Enter the Password for the username and Confirm Password.
7. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1166 ©2021 Palo Alto Networks, Inc.
Networking
anycast traffic to the node it considers the nearest, based on roung protocol costs and
other factors.
9. (Ethernet interface only) Select Send Router Adversement (RA) to enable the firewall
to send this address in Router Adversements, in which case you must also enable the
global Enable Router Adversement opon on the interface (next step).
10. (Ethernet interface only) Enter the Valid Lifeme (sec), in seconds, that the firewall
considers the address valid. The Valid Lifeme must equal or exceed the Preferred
Lifeme (sec) (default is 2,592,000).
11. (Ethernet interface only) Enter the Preferred Lifeme (sec) (in seconds) that the valid
address is preferred, which means the firewall can use it to send and received traffic.
Aer the Preferred Lifeme expires, the firewall can’t use the address to establish new
connecons, but any exisng connecons are valid unl the Valid Lifeme expires
(default is 604,800).
12. (Ethernet interface only) Select On-link if systems that have addresses within the prefix
are reachable without a router.
13. (Ethernet interface only) Select Autonomous if systems can independently create an IP
address by combining the adversed prefix with an Interface ID.
14. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1167 ©2021 Palo Alto Networks, Inc.
Networking
STEP 6 | (Ethernet or VLAN interface using IPv6 address only) Enable the firewall to send IPv6 Router
Adversements (RAs) from an interface, and oponally tune RA parameters.
Tune RA parameters for either of these reasons: To interoperate with a router/host that
uses different values. To achieve fast convergence when mulple gateways are present.
For example, set lower Min Interval, Max Interval, and Router Lifeme values so the
IPv6 client/host can quickly change the default gateway aer the primary gateway
fails, and start forwarding to another default gateway in the network.
PAN-OS® Administrator’s Guide Version Version 9.1 1168 ©2021 Palo Alto Networks, Inc.
Networking
the RA adverses indicang the relave priority of firewall virtual router relave to other
routers on the segment.
14. Select Managed Configuraon to indicate to the client that addresses are available via
DHCPv6.
15. Select Other Configuraon to indicate to the client that other address informaon (such
as DNS-related sengs) is available via DHCPv6.
16. Select Consistency Check to have the firewall verify that RAs sent from other routers are
adversing consistent informaon on the link. The firewall logs any inconsistencies.
17. Click OK.
STEP 7 | (Ethernet or VLAN interface using IPv6 address only) Specify the Recursive DNS Server
addresses and DNS Search List the firewall will adverse in ND Router Adversements from
this interface.
The RDNS servers and DNS Search List are part of the DNS configuraon for the DNS client so
that the client can resolve IPv6 DNS requests.
1. Select Network > Interfaces and Ethernet or VLAN.
2. Select the interface you are configuring.
3. Select IPv6 > DNS Support.
4. Include DNS informaon in Router Adversement to enable the firewall to send IPv6
DNS informaon.
5. For DNS Server, Add the IPv6 address of a Recursive DNS Server. Add up to eight
Recursive DNS servers. The firewall sends server addresses in an ICMPv6 Router
Adversement in order from top to boom.
6. Specify the Lifeme in seconds, which is the maximum length of me the client can use
the specific RDNS Server to resolve domain names.
• The Lifeme range is any value equal to or between the Max Interval (that you
configured on the Router Adversement tab) and two mes that Max Interval.
For example, if your Max Interval is 600 seconds, the Lifeme range is 600-1,200
seconds.
• The default Lifeme is 1,200 seconds.
7. For DNS Suffix, Add a DNS Suffix (domain name of a maximum of 255 bytes). Add up
to eight DNS suffixes. The firewall sends suffixes in an ICMPv6 Router Adversement in
order from top to boom.
8. Specify the Lifeme in seconds, which is the maximum length of me the client can use
the suffix. The Lifeme has the same range and default value as the Server.
9. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1169 ©2021 Palo Alto Networks, Inc.
Networking
STEP 8 | (Ethernet or VLAN interface) Specify stac ARP entries. Stac ARP entries reduce ARP
processing.
1. Select Network > Interfaces and Ethernet or VLAN.
2. Select the interface you are configuring.
3. Select Advanced > ARP Entries.
4. Add an IP Address and its corresponding MAC Address (hardware or media access
control address). For a VLAN interface, you must also select the Interface.
Stac ARP entries do not me out. Auto learned ARP entries in the cache me
out in 1,800 seconds by default; you can customize the ARP cache meout; see
Configure Session Timeouts.
5. Click OK.
STEP 9 | (Ethernet or VLAN interface) Specify stac Neighbor Discovery Protocol (NDP) entries. NDP
for IPv6 performs funcons similar to those provided by ARP for IPv4.
1. Select Network > Interfaces and Ethernet or VLAN.
2. Select the interface you are configuring.
3. Select Advanced > ND Entries.
4. Add an IPv6 Address and its corresponding MAC Address.
5. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1170 ©2021 Palo Alto Networks, Inc.
Networking
STEP 14 | Configure stac routes and/or a dynamic roung protocol (RIP, OSPF, or BGP) so that the
virtual router can route traffic.
• Configure a Stac Route
• RIP
• OSPF
• BGP
The capability of the firewall to send IPv6 RAs for DNS configuraon allows the firewall to
perform a role similar to DHCP, and is unrelated to the firewall being a DNS proxy, DNS
client or DNS server.
Aer you configure the firewall with the addresses of RDNS servers, the firewall provisions
an IPv6 host (the DNS client) with those addresses. The IPv6 host uses one or more of those
addresses to reach an RDNS server. Recursive DNS refers to a series of DNS requests by an RDNS
Server, as shown with three pairs of queries and responses in the following figure. For example,
PAN-OS® Administrator’s Guide Version Version 9.1 1171 ©2021 Palo Alto Networks, Inc.
Networking
when a user tries to access www.paloaltonetworks.com, the local browser sees that it does not
have the IP address for that domain name in its cache, nor does the client’s operang system have
it. The client’s operang system launches a DNS query to a Recursive DNS Server belonging to the
local ISP.
An IPv6 Router Adversement can contain mulple DNS Recursive Server Address opons, each
with the same or different lifemes. A single DNS Recursive DNS Server Address opon can
contain mulple Recursive DNS Server addresses as long as the addresses have the same lifeme.
A DNS Search List is a list of domain names (suffixes) that the firewall adverses to a DNS client.
The firewall thus provisions the DNS client to use the suffixes in its unqualified DNS queries. The
DNS client appends the suffixes, one at a me, to an unqualified domain name before it enters
the name into a DNS query, thereby using a fully qualified domain name (FQDN) in the DNS
query. For example, if a user (of the DNS client being configured) tries to submit a DNS query
for the name “quality” without a suffix, the router appends a period and the first DNS suffix from
the DNS Search List to the name and transmits a DNS query. If the first DNS suffix on the list is
“company.com”, the resulng DNS query from the router is for the FQDN “quality.company.com”.
If the DNS query fails, the client appends the second DNS suffix from the list to the unqualified
name and transmits a new DNS query. The client uses the DNS suffixes in order unl a DNS
lookup succeeds (ignoring the remaining suffixes) or the router has tried all of the suffixes on the
list.
You configure the firewall with the suffixes that you want to provide to the DNS client router in an
ND DNSSL opon; the DNS client receiving the DNS Search List opon is provisioned to use the
suffixes in its unqualified DNS queries.
To specify RDNS Servers and a DNS Search List, Configure RDNS Servers and DNS Search List for
IPv6 Router Adversements.
Configure RDNS Servers and DNS Search List for IPv6 Router Advertisements
Perform this task to configure IPv6 Router Adversements for DNS Configuraon of IPv6 hosts.
PAN-OS® Administrator’s Guide Version Version 9.1 1172 ©2021 Palo Alto Networks, Inc.
Networking
STEP 1 | Enable the firewall to send IPv6 Router Adversements from an interface.
1. Select Network > Interfaces and Ethernet or VLAN.
2. Select the interface to configure.
3. On the IPv6 tab, select Enable IPv6 on the interface.
4. On the Router Adversement tab, select Enable Router Adversement.
5. Click OK.
STEP 2 | Specify the Recursive DNS Server addresses and DNS Search List the firewall will adverse in
ND Router Adversements from this interface.
The RDNS servers and DNS Search List are part of the DNS configuraon for the DNS client so
that the client can resolve IPv6 DNS requests.
1. Select Network > Interfaces and Ethernet or VLAN.
2. Select the interface you are configuring.
3. Select IPv6 > DNS Support.
4. Include DNS informaon in Router Adversement to enable the firewall to send IPv6
DNS informaon.
5. For DNS Server, Add the IPv6 address of a Recursive DNS Server. Add up to eight
Recursive DNS servers. The firewall sends server addresses in an ICMPv6 Router
Adversement in order from top to boom.
6. Specify the Lifeme in seconds, which is the maximum length of me the client can use
the specific RDNS Server to resolve domain names.
• The Lifeme range is any value equal to or between the Max Interval (that you
configured on the Router Adversement tab) and two mes that Max Interval.
For example, if your Max Interval is 600 seconds, the Lifeme range is 600-1,200
seconds.
• The default Lifeme is 1,200 seconds.
7. For DNS Suffix, Add a DNS Suffix (domain name of a maximum of 255 bytes). Add up
to eight DNS suffixes. The firewall sends suffixes in an ICMPv6 Router Adversement in
order from top to boom.
8. Specify the Lifeme in seconds, which is the maximum length of me the client can use
the suffix. The Lifeme has the same range and default value as the Server.
9. Click OK.
NDP Monitoring
Neighbor Discovery Protocol (NDP) for IPv6 (RFC 4861) performs funcons similar to ARP
funcons for IPv4. The firewall by default runs NDP, which uses ICMPv6 packets to discover and
track the link-layer addresses and status of neighbors on connected links.
Enable NDP Monitoring so you can view the IPv6 addresses of devices on the link local network,
their MAC address, associated username from User-ID (if the user of that device used the
directory service to log in), reachability Status of the address, and Last Reported date and me the
PAN-OS® Administrator’s Guide Version Version 9.1 1173 ©2021 Palo Alto Networks, Inc.
Networking
NDP monitor received a Router Adversement from this IPv6 address. The username is on a best-
case basis; there can be many IPv6 devices on a network with no username, such as printers, fax
machines, servers, etc.
If you want to quickly track a device and user who has violated a security rule, it is very useful to
have the IPv6 address, MAC address and username displayed all in one place. You need the MAC
address that corresponds to the IPv6 address in order to trace the MAC address back to a physical
switch or Access Point.
NDP monitoring is not guaranteed to discover all devices because there could be other
networking devices between the firewall and the client that filter out NDP or Duplicate
Address Detecon (DAD) messages. The firewall can monitor only the devices that it learns
about on the interface.
NDP monitoring also monitors Duplicate Address Detecon (DAD) packets from clients and
neighbors. You can also monitor IPv6 ND logs to make troubleshoong easier.
NDP monitoring is supported for Ethernet interfaces, subinterfaces, Aggregated Ethernet
interfaces, and VLAN interfaces on all PAN-OS models.
Enable NDP Monitoring
Perform this task to enable NDP Monitoring for an interface.
STEP 1 | Enable NDP monitoring.
1. Select Network > Interfaces and Ethernet or VLAN.
2. Select the interface you are configuring.
3. Select IPv6.
4. Select Address Resoluon.
5. Select Enable NDP Monitoring.
Aer you enable or disable NDP monitoring, you must Commit before NDP
monitoring can start or stop.
6. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1174 ©2021 Palo Alto Networks, Inc.
Networking
STEP 3 | Monitor NDP and DAD packets from clients and neighbors.
1. Select Network > Interfaces and Ethernet or VLAN.
2. For the interface where you enabled NDP monitoring, in the Features column, hover over
the NDP Monitoring icon:
The NDP Monitoring summary for the interface displays the list of IPv6 Prefixes that this
interface will send in the Router Adversement (RA) if RA is enabled (they are the IPv6
prefixes of the interface itself).
The summary also indicates whether DAD, Router Adversement, and DNS Support are
enabled; IP addresses of any Recursive DNS Servers configured; and any DNS suffixes
configured on the DNS Search List.
3. Click on the NDP Monitoring icon to display detailed informaon.
Each row of the detailed NDP Monitoring table for the interface displays the IPv6
address of a neighbor the firewall has discovered, the corresponding MAC address,
corresponding User ID (on a best-case basis), reachability Status of the address, and Last
Reported date and me this NDP Monitor received an RA from this IP address. A User ID
will not display for printers or other non-user-based hosts. If the status of the IP address
is Stale, the neighbor is not known to be reachable, per RFC 4861.
At the boom right is the count of Total Devices Detected on the link local network.
• Enter an IPv6 address in the filter field to search for an address to display.
• Select the check boxes to display or not display IPv6 addresses.
• Click the numbers, the right or le arrow, or the vercal scroll bar to advance through
many entries.
• Click Clear All NDP Entries to clear the enre table.
PAN-OS® Administrator’s Guide Version Version 9.1 1175 ©2021 Palo Alto Networks, Inc.
Networking
Before configuring an aggregate group, you must configure its interfaces. Among the interfaces
assigned to any parcular aggregate group, the hardware media can differ (for example, you
can mix fiber opc and copper), but the bandwidth and interface type must be the same. The
bandwidth and interface type opons are:
• Bandwidth—1Gbps, 10Gbps, 40Gbps, or 100Gbps
• Interface type—HA3, virtual wire, Layer 2, or Layer 3.
This procedure describes configuraon steps only for the Palo Alto Networks firewall. You
must also configure the aggregate group on the peer device. Refer to the documentaon of
that device for instrucons.
PAN-OS® Administrator’s Guide Version Version 9.1 1176 ©2021 Palo Alto Networks, Inc.
Networking
As a best pracce, set one LACP peer to acve and the other to passive. LACP
cannot funcon if both peers are passive. The firewall cannot detect the mode of
its peer device.
3. Set the Transmission Rate for LACP query and response exchanges to Slow (every 30
seconds—the default) or Fast (every second). Base your selecon on how much LACP
processing your network supports and how quickly LACP peers must detect and resolve
interface failures.
4. Select Fast Failover if you want to enable failover to a standby interface in less than one
second. By default, the opon is disabled and the firewall uses the IEEE 802.1ax standard
for failover processing, which takes at least three seconds.
As a best pracce, use Fast Failover in deployments where you might lose crical
data during the standard failover interval.
5. Enter the Max Ports (number of interfaces) that are acve (1–8) in the aggregate group.
If the number of interfaces you assign to the group exceeds the Max Ports, the remaining
interfaces will be in standby mode. The firewall uses the LACP Port Priority of each
interface you assign (Step 3) to determine which interfaces are inially acve and to
determine the order in which standby interfaces become acve upon failover. If the
LACP peers have non-matching port priority values, the values of the peer with the
lower System Priority number (default is 32,768; range is 1–65,535) will override the
other peer.
6. (Oponal) For acve/passive firewalls only, select Enable in HA Passive State if you want
to enable LACP pre-negoaon for the passive firewall. LACP pre-negoaon enables
quicker failover to the passive firewall (for details, see LACP and LLDP Pre-Negoaon
for Acve/Passive HA).
If you select this opon, you cannot select Same System MAC Address for
Acve-Passive HA; pre-negoaon requires unique interface MAC addresses on
each HA firewall.
7. (Oponal) For acve/passive firewalls only, select Same System MAC Address for
Acve-Passive HA and specify a single MAC Address for both HA firewalls. This opon
minimizes failover latency if the LACP peers are virtualized (appearing to the network
as a single device). By default, the opon is disabled: each firewall in an HA pair has a
unique MAC address.
If the LACP peers are not virtualized, use unique MAC addresses to minimize
failover latency.
PAN-OS® Administrator’s Guide Version Version 9.1 1177 ©2021 Palo Alto Networks, Inc.
Networking
As a best pracce, set the same link speed and duplex values for every interface
in the group. For non-matching values, the firewall defaults to the higher speed
and full duplex.
5. (Oponal) Enter an LACP Port Priority (default is 32,768; range is 1–65,535) if you
enabled LACP for the aggregate group. If the number of interfaces you assign exceeds
the Max Ports value of the group, the port priories determine which interfaces are
acve or standby. The interfaces with the lower numeric values (higher priories) will be
acve.
6. Click OK.
STEP 4 | If the firewalls have an acve/acve configuraon and you are aggregang HA3 interfaces,
enable packet forwarding for the aggregate group.
1. Select Device > High Availability > Acve/Acve Config and edit the Packet Forwarding
secon.
2. Select the aggregate group you configured for the HA3 Interface and click OK.
STEP 5 | Commit your changes and verify the aggregate group status.
1. Click Commit.
2. Select Network > Interfaces > Ethernet.
3. Verify that the Link State column displays a green icon for the aggregate group,
indicang that all member interfaces are up. If the icon is yellow, at least one member is
down but not all. If the icon is red, all members are down.
4. If you configured LACP, verify that the Features column displays the LACP enabled icon
for the aggregate group.
PAN-OS® Administrator’s Guide Version Version 9.1 1178 ©2021 Palo Alto Networks, Inc.
Networking
The management (MGT) interface does not require an Interface Management profile. You
restrict protocols, services, and IP addresses for the MGT interface when you Perform
Inial Configuraon of the firewall. In case the MGT interface goes down, allowing
management access over another interface enables you to connue managing the firewall.
Don’t enable HTTP or Telnet because those protocols transmit in cleartext and
therefore aren’t secure.
3. Select the services that the interface permits for management traffic:
• Response Pages—Use to enable response pages for:
• Capve Portal—To serve Capve Portal response pages, the firewall leaves ports
open on Layer 3 interfaces: port 6080 for NT LAN Manager (NTLM), 6081 for
Capve Portal in transparent mode, and 6082 for Capve Portal in redirect mode.
For details, see Configure Capve Portal.
• URL Admin Override—For details, see Allow Password Access to Certain Sites.
• User-ID—Use to Redistribute User Mappings and Authencaon Timestamps.
• User-ID Syslog Listener-SSL or User-ID Syslog Listener-UDP—Use to Configure User-
ID to Monitor Syslog Senders for User Mapping over SSL or UDP.
4. (Oponal) Add the Permied IP Addresses that can access the interface. If you don’t add
entries to the list, the interface has no IP address restricons.
5. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1179 ©2021 Palo Alto Networks, Inc.
Networking
Virtual Routers
A virtual router is a funcon of the firewall that parcipates in Layer 3 roung. The firewall uses
virtual routers to obtain routes to other subnets by you manually defining stac routes or through
parcipaon in one or more Layer 3 roung protocols (dynamic routes). The routes that the
firewall obtains through these methods populate the IP roung informaon base (RIB) on the
firewall. When a packet is desned for a different subnet than the one it arrived on, the virtual
router obtains the best route from the RIB, places it in the forwarding informaon base (FIB),
and forwards the packet to the next hop router defined in the FIB. The firewall uses Ethernet
switching to reach other devices on the same IP subnet. (An excepon to one best route going in
the FIB occurs if you are using ECMP, in which case all equal-cost routes go in the FIB.)
The Ethernet, VLAN, and tunnel interfaces defined on the firewall receive and forward Layer 3
packets. The desnaon zone is derived from the outgoing interface based on the forwarding
criteria, and the firewall consults policy rules to idenfy the security policies that it applies to each
packet. In addion to roung to other network devices, virtual routers can route to other virtual
routers within the same firewall if a next hop is specified to point to another virtual router.
You can configure Layer 3 interfaces on a virtual router to parcipate with dynamic roung
protocols (BGP, OSPF, OSPFv3, or RIP) as well as add stac routes. You can also create mulple
virtual routers, each maintaining a separate set of routes that aren’t shared between virtual
routers, enabling you to configure different roung behaviors for different interfaces.
You can configure dynamic roung from one virtual router to another by configuring a loopback
interface in each virtual router, creang a stac route between the two loopback interfaces, and
then configuring a dynamic roung protocol to peer between these two interfaces.
Each Layer 3 Ethernet, loopback, VLAN, and tunnel interface defined on the firewall must be
associated with a virtual router. While each interface can belong to only one virtual router, you
can configure mulple roung protocols and stac routes for a virtual router. Regardless of
the stac routes and dynamic roung protocols you configure for a virtual router, one general
configuraon is required:
STEP 1 | Gather the required informaon from your network administrator.
• Interfaces on the firewall that you want to perform roung.
• Administrave distances for stac, OSPF internal, OSPF external, IBGP, EBGP and RIP.
PAN-OS® Administrator’s Guide Version Version 9.1 1180 ©2021 Palo Alto Networks, Inc.
Networking
See ECMP if you want to leverage having mulple equal-cost paths for forwarding.
PAN-OS® Administrator’s Guide Version Version 9.1 1181 ©2021 Palo Alto Networks, Inc.
Networking
Service Routes
The firewall uses the management (MGT) interface by default to access external services, such as
DNS servers, external authencaon servers, Palo Alto Networks services such as soware, URL
updates, licenses and AutoFocus. An alternave to using the MGT interface is to configure a data
port (a regular interface) to access these services. The path from the interface to the service on a
server is known as a service route. The service packets exit the firewall on the port assigned for the
external service and the server sends its response to the configured source interface and source IP
address.
When set to default sengs, certain services (such as External Dynamic Lists and URL
updates) use service route sengs that are inherited by a parent service (in this case, Palo
Alto Networks Services) if it is explicitly configured with an interface. If the defaults are not
used, Palo Alto Networks recommends configuring each of the services that you use with
an interface to ensure that the proper service route is used.
You can configure service routes globally for the firewall (shown in the following task) or
Customize Service Routes for a Virtual System on a firewall enabled for mulple virtual systems so
that you have the flexibility to use interfaces associated with a virtual system. Any virtual system
that does not have a service route configured for a parcular service inherits the interface and IP
address that are set globally for that service.
The following procedure enables you to change the interface the firewall uses to send requests to
external services.
STEP 1 | Customize service routes.
1. Select Device > Setup > Services > Global (omit Global on a firewall without mulple
virtual system capability), and in the Services Features secon, click Service Route
Configuraon.
To easily use the same source address for mulple services, select the
checkbox for the services, click Set Selected Routes, and proceed to the
next step.
• To limit the list for Source Address, select a Source Interface; then select a Source
Address (from that interface) as the service route. An Address Object can also be
referenced as a Source Address if it is already configured on the selected interface.
Selecng Any Source Interface makes all IP addresses on all interfaces available in
the Source Address list from which you select an address. Selecng Use default
causes the firewall to use the management interface for the service route, unless
the packet desnaon IP address matches the configured Desnaon IP address,
in which case the source IP address is set to the Source Address configured for the
PAN-OS® Administrator’s Guide Version Version 9.1 1182 ©2021 Palo Alto Networks, Inc.
Networking
Desnaon. Selecng MGT causes the firewall to use the MGT interface for the
service route, regardless of any desnaon service route.
The Service Route Source Address does not inherit configuraon changes
from the referenced interface and vice versa. Modificaon of an Interface
IP Address to a different IP address or Address Object will not update a
corresponding Service Route Source Address. This may lead to commit
failure and require you to update the Service Route(s) to a valid Source
Address value.
• Click OK to save the seng.
• Repeat this step if you want to specify both an IPv4 and IPv6 address for a service.
• For a desnaon service route:
• Select Desnaon and Add a Desnaon IP address. In this case, if a packet
arrives with a desnaon IP address that matches this configured Desnaon
address, then the source IP address of the packet will be set to the Source Address
configured in the next step.
• To limit the list for Source Address, select a Source Interface; then select a Source
Address (from that interface) as the service route. Selecng Any Source Interface
makes all IP addresses on all interfaces available in the Source Address list from
which you select an address. Selecng MGT causes the firewall to use the MGT
interface for the service route.
• Click OK to save the seng.
3. Repeat the prior steps for each service route you want to customize.
4. Click OK to save the service route configuraon.
STEP 2 | Commit.
Click Commit.
PAN-OS® Administrator’s Guide Version Version 9.1 1183 ©2021 Palo Alto Networks, Inc.
Networking
Stac Routes
Stac routes are typically used in conjuncon with dynamic roung protocols. You might configure
a stac route for a locaon that a dynamic roung protocol can’t reach. Stac routes require
manual configuraon on every router in the network, rather than the firewall entering dynamic
routes in its route tables; even though stac routes require that configuraon on all routers, they
may be desirable in small networks rather than configuring a roung protocol.
• Stac Route Overview
• Stac Route Removal Based on Path Monitoring
• Configure a Stac Route
• Configure Path Monitoring for a Stac Route
PAN-OS® Administrator’s Guide Version Version 9.1 1184 ©2021 Palo Alto Networks, Inc.
Networking
reroute traffic using alternave routes. The firewall uses path monitoring for stac routes much
like path monitoring for HA or policy-based forwarding (PBF), as follows:
The firewall sends ICMP ping messages (heartbeat messages) to one or more monitored
desnaons that you determine are robust and reflect the availability of the stac route.
If pings to any or all of the monitored desnaons fail, the firewall considers the stac route
down too and removes it from the Roung Informaon Base (RIB) and Forwarding Informaon
Base (FIB). The RIB is the table of stac routes the firewall is configured with and dynamic
routes it has learned from roung protocols. The FIB is the forwarding table of routes the
firewall uses for forwarding packets. The firewall selects an alternave stac route to the same
desnaon (based on the route with the lowest metric) from the RIB and places it in the FIB.
The firewall connues to monitor the failed route. When the route comes back up, and (based
on the Any or All failure condion) the path monitor returns to Up state, the preempve
hold mer begins. The path monitor must remain up for the duraon of the hold mer; then
the firewall considers the stac route stable and reinstates it into the RIB. The firewall then
compares metrics of routes to the same desnaon to decide which route goes in the FIB.
Path monitoring is a desirable mechanism to avoid silently dropping traffic for:
• A stac or default route.
• A stac or default route redistributed into a roung protocol.
• A stac or default route when one peer does not support BFD. (The best pracce is not to
enable both BFD and path monitoring on a single interface.)
• A stac or default route instead of using PBF path monitoring, which doesn’t remove a failed
stac route from the RIB, FIB, or redistribuon policy.
Path monitoring doesn’t apply to stac routes configured between virtual routers.
In the following figure, the firewall is connected to two ISPs for route redundancy to the internet.
The primary default route 0.0.0.0 (metric 10) uses Next Hop 192.0.2.10; the secondary default
route 0.0.0.0 (metric 50) uses Next Hop 198.51.100.1. The customer premises equipment (CPE)
for ISP A keeps the primary physical link acve, even aer internet connecvity goes down. With
the link arficially acve, the firewall can’t detect that the link is down and that it should replace
the failed route with the secondary route in its RIB.
To avoid silently dropping traffic to a failed link, configure path monitoring of 192.0.2.20,
192.0.2.30, and 192.0.2.40 and if all (or any) of the paths to these desnaons fail, the firewall
presumes the path to Next Hop 192.0.2.10 is also down, removes the stac route 0.0.0.0 (that
uses Next Hop 192.0.2.10) from its RIB, and replaces it with the secondary route to the same
desnaon 0.0.0.0 (that uses Next Hop 198.51.100.1), which also accesses the internet.
PAN-OS® Administrator’s Guide Version Version 9.1 1185 ©2021 Palo Alto Networks, Inc.
Networking
When you Configure a Stac Route, one of the required fields is the Next Hop toward that
desnaon. The type of next hop you configure determines the acon the firewall takes during
path monitoring, as follows:
IP Address The firewall uses the source IP address and egress interface of the stac
route as the source address and egress interface in the ICMP ping. It uses
the configured Desnaon IP address of the monitored desnaon as the
PAN-OS® Administrator’s Guide Version Version 9.1 1186 ©2021 Palo Alto Networks, Inc.
Networking
Next VR The firewall uses the source IP address of the stac route as the source
address in the ICMP ping. The egress interface is based on the lookup
result from the next hop’s virtual router. The configured Desnaon IP
address of the monitored desnaon is the ping’s desnaon address.
None The firewall uses the desnaon IP address of the path monitor as the next
hop and sends the ICMP ping to the interface specified in the stac route.
When path monitoring for a stac or default route fails, the firewall logs a crical event (path-
monitor-failure). When the stac or default route recovers, the firewall logs another crical event
(path-monitor-recovery).
Firewalls synchronize path monitoring configuraons for an acve/passive HA deployment, but
the firewall blocks egress ICMP ping packets on a passive HA peer because it is not acvely
processing traffic. The firewall doesn’t synchronize path monitoring configuraons for acve/
acve HA deployments.
PAN-OS® Administrator’s Guide Version Version 9.1 1187 ©2021 Palo Alto Networks, Inc.
Networking
Alternavely, you can create an address object of type IP Netmask. The address
object must have a netmask of /32 for IPv4 or /128 for IPv6.
• Next VR—Select this opon and then select a virtual router if you want to route
internally to a different virtual router on the firewall.
• FQDN—Enter an FQDN or select an address object that uses an FQDN, or create a
new address object of type FQDN.
If you use an FQDN as a stac route next hop, that FQDN must resolve to an
IP address that belongs to the same subnet as the interface you configured
for the stac route; otherwise, the firewall rejects the resoluon and the
FQDN remains unresolved.
The firewall uses only one IP address (from each IPv4 or IPv6 family type)
from the DNS resoluon of the FQDN. If the DNS resoluon returns more
than one address, the firewall uses the preferred IP address that matches
the IP family type (IPv4 or IPv6) configured for the next hop. The preferred
IP address is the first address the DNS server returns in its inial response.
The firewall retains this address as preferred as long as the address appears in
subsequent responses, regardless of its order.
• Discard—Select to drop packets that are addressed to this desnaon.
• None—Select if there is no next hop for the route. For example, a point-to-point
connecon does not require a next hop because there is only one way for packets to
go.
8. Enter an Admin Distance for the route to override the default administrave distance set
for stac routes for this virtual router (range is 10 to 240; default is 10).
9. Enter a Metric for the route (range is 1 to 65,535).
STEP 3 | (Oponal) If your firewall model supports BFD, you can apply a BFD Profile to the stac
route so that if the stac route fails, the firewall removes the route from the RIB and FIB and
uses an alternave route. Default is None.
PAN-OS® Administrator’s Guide Version Version 9.1 1188 ©2021 Palo Alto Networks, Inc.
Networking
STEP 3 | Determine whether path monitoring for the stac route is based on one or all monitored
desnaons, and set the preempve hold me.
1. Select a Failure Condion, whether Any or All of the monitored desnaons for the
stac route must be unreachable by ICMP for the firewall to remove the stac route
PAN-OS® Administrator’s Guide Version Version 9.1 1189 ©2021 Palo Alto Networks, Inc.
Networking
from the RIB and FIB and add the stac route that has the next lowest metric going to
the same desnaon to the FIB.
Select All to avoid the possibility of any single monitored desnaon signaling a
route failure when the desnaon is simply offline for maintenance, for example.
2. (Oponal) Specify the Preempve Hold Time (min), which is the number of minutes a
downed path monitor must remain in Up state before the firewall reinstalls the stac
route into the RIB. The path monitor evaluates all of its monitored desnaons for the
stac route and comes up based on the Any or All failure condion. If a link goes down
or flaps during the hold me, when the link comes back up, the path monitor can come
back up; the mer restarts when the path monitor returns to Up state.
A Preempve Hold Time of zero causes the firewall to reinstall the route into the RIB
immediately upon the path monitor coming up. Range is 0-1,440; default is 2.
3. Click OK.
STEP 4 | Commit.
Click Commit.
PAN-OS® Administrator’s Guide Version Version 9.1 1190 ©2021 Palo Alto Networks, Inc.
Networking
STEP 6 | View the RIB and FIB to verify that the stac route is removed.
1. Select Network > Virtual Routers and in the row of the virtual router you are interested
in, select More Runme Stats.
2. From the Roung tab, select Route Table (RIB) and then the Forwarding Table (FIB) to
view each, respecvely.
3. Select Unicast or Mulcast to view the appropriate route table.
4. For Display Address Family, select IPv4 and IPv6, IPv4 Only, or IPv6 Only.
5. (Oponal) In the filter field, enter the route you are searching for and select the arrow, or
use the scroll bar to move through pages of routes.
6. See if the route is removed or present.
7. Select Refresh periodically to see the latest state of the path monitoring (health check).
To view the events logged for path monitoring, select Monitor > Logs > System.
View the entry for path-monitor-failure, which indicates path monitoring for
a stac route desnaon failed, so the route was removed. View the entry for
path-monitor-recovery, which indicates path monitoring for the stac route
desnaon recovered, so the route was restored.
PAN-OS® Administrator’s Guide Version Version 9.1 1191 ©2021 Palo Alto Networks, Inc.
Networking
RIP
Roung Informaon Protocol (RIP) is an interior gateway protocol (IGP) that was designed for
small IP networks. RIP relies on hop count to determine routes; the best routes have the fewest
number of hops. RIP is based on UDP and uses port 520 for route updates. By liming routes to a
maximum of 15 hops, the protocol helps prevent the development of roung loops, but also limits
the supported network size. If more than 15 hops are required, traffic is not routed. RIP also can
take longer to converge than OSPF and other roung protocols. The firewall supports RIP v2.
Perform the following procedure to configure RIP.
STEP 1 | Configure general virtual router configuraon sengs.
See Virtual Routers for details.
PAN-OS® Administrator’s Guide Version Version 9.1 1192 ©2021 Palo Alto Networks, Inc.
Networking
PAN-OS® Administrator’s Guide Version Version 9.1 1193 ©2021 Palo Alto Networks, Inc.
Networking
OSPF
Open Shortest Path First (OSPF) is an interior gateway protocol (IGP) that is most oen used to
dynamically manage network routes in large enterprise networks. It determines routes dynamically
by obtaining informaon from other routers and adversing routes to other routers by way of
Link State Adversements (LSAs). The informaon gathered from the LSAs is used to construct a
topology map of the network. This topology map is shared across routers in the network and used
to populate the IP roung table with available routes.
Changes in the network topology are detected dynamically and used to generate a new topology
map within seconds. A shortest path tree is computed of each route. Metrics associated with
each roung interface are used to calculate the best route. These can include distance, network
throughput, link availability etc. Addionally, these metrics can be configured stacally to direct
the outcome of the OSPF topology map.
The Palo Alto Networks implementaon of OSPF fully supports the following RFCs:
• RFC 2328 (for IPv4)
• RFC 5340 (for IPv6)
The following topics provide more informaon about the OSPF and procedures for configuring
OSPF on the firewall:
• OSPF Concepts
• Configure OSPF
• Configure OSPFv3
• Configure OSPF Graceful Restart
• Confirm OSPF Operaon
OSPF Concepts
The following topics introduce the OSPF concepts you must understand in order to configure the
firewall to parcipate in an OSPF network:
• OSPFv3
• OSPF Neighbors
• OSPF Areas
• OSPF Router Types
OSPFv3
OSPFv3 provides support for the OSPF roung protocol within an IPv6 network. As such, it
provides support for IPv6 addresses and prefixes. It retains most of the structure and funcons in
OSPFv2 (for IPv4) with some minor changes. The following are some of the addions and changes
to OSPFv3:
• Support for mulple instances per link—With OSPFv3, you can run mulple instances of the
OSPF protocol over a single link. This is accomplished by assigning an OSPFv3 instance ID
number. An interface that is assigned to an instance ID drops packets that contain a different
ID.
PAN-OS® Administrator’s Guide Version Version 9.1 1194 ©2021 Palo Alto Networks, Inc.
Networking
OSPF Neighbors
Two OSPF-enabled routers connected by a common network and in the same OSPF area that
form a relaonship are OSPF neighbors. The connecon between these routers can be through
a common broadcast domain or by a point-to-point connecon. This connecon is made through
the exchange of hello OSPF protocol packets. These neighbor relaonships are used to exchange
roung updates between routers.
OSPF Areas
OSPF operates within a single autonomous system (AS). Networks within this single AS, however,
can be divided into a number of areas. By default, Area 0 is created. Area 0 can either funcon
alone or act as the OSPF backbone for a larger number of areas. Each OSPF area is named using
a 32-bit idenfier which in most cases is wrien in the same doed-decimal notaon as an IP4
address. For example, Area 0 is usually wrien as 0.0.0.0.
The topology of an area is maintained in its own link state database and is hidden from other
areas, which reduces the amount of traffic roung required by OSPF. The topology is then shared
in a summarized form between areas by a connecng router.
Backbone Area The backbone area (Area 0) is the core of an OSPF network. All
other areas are connected to it and all traffic between areas must
traverse it. All roung between areas is distributed through the
backbone area. While all other OSPF areas must connect to the
backbone area, this connecon doesn’t need to be direct and can
be made through a virtual link.
Normal OSPF Area In a normal OSPF area there are no restricons; the area can carry
all types of routes.
Stub OSPF Area A stub area does not receive routes from other autonomous
systems. Roung from the stub area is performed through the
default route to the backbone area.
PAN-OS® Administrator’s Guide Version Version 9.1 1195 ©2021 Palo Alto Networks, Inc.
Networking
NSSA Area The Not So Stubby Area (NSSA) is a type of stub area that can
import external routes, with some limited excepons.
Configure OSPF
OSPF determines routes dynamically by obtaining informaon from other routers and adversing
routes to other routers by way of Link State Adversements (LSAs). The router keeps informaon
about the links between it and the desnaon and can make highly efficient roung decisions. A
cost is assigned to each router interface, and the best routes are determined to be those with the
lowest costs, when summed over all the encountered outbound router interfaces and the interface
receiving the LSA.
Hierarchical techniques are used to limit the number of routes that must be adversed and
the associated LSAs. Because OSPF dynamically processes a considerable amount of route
informaon, it has greater processor and memory requirements than does RIP.
STEP 1 | Configure general virtual router configuraon sengs.
See Virtual Routers for details.
PAN-OS® Administrator’s Guide Version Version 9.1 1196 ©2021 Palo Alto Networks, Inc.
Networking
PAN-OS® Administrator’s Guide Version Version 9.1 1197 ©2021 Palo Alto Networks, Inc.
Networking
manually and Add the neighbor IP addresses for all neighbors that are reachable
through this interface.
• Metric—Enter an OSPF metric for this interface (range is 0-65,535; default is 10).
• Priority—Enter an OSPF priority for this interface. This is the priority for the router
to be elected as a designated router (DR) or as a backup DR (BDR) (range is 0-255;
default is 1). If zero is configured, the router will not be elected as a DR or BDR.
• Auth Profile—Select a previously-defined authencaon profile.
• Timing—Modify the ming sengs if desired (not recommended). For details on these
sengs, refer to the online help.
2. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1198 ©2021 Palo Alto Networks, Inc.
Networking
Configure OSPFv3
OSPF supports both IPv4 and IPv6. You must use OSPFv3 if you are using IPv6.
STEP 1 | Configure general virtual router configuraon sengs.
See Virtual Routers for details.
PAN-OS® Administrator’s Guide Version Version 9.1 1199 ©2021 Palo Alto Networks, Inc.
Networking
PAN-OS® Administrator’s Guide Version Version 9.1 1200 ©2021 Palo Alto Networks, Inc.
Networking
PAN-OS® Administrator’s Guide Version Version 9.1 1201 ©2021 Palo Alto Networks, Inc.
Networking
PAN-OS® Administrator’s Guide Version Version 9.1 1202 ©2021 Palo Alto Networks, Inc.
Networking
resume normal operaon, which will involve reconfiguring the roung table to bypass the
firewall.
• Firewall as a Graceful Restart Helper—If neighboring routers may be down for short periods
of me, the firewall can be configured to operate in Graceful Restart helper mode, in which
case the firewall employs a Max Neighbor Restart Time. When the firewall receives the Grace
LSAs from its OSPF neighbor, it connues to route traffic to the neighbor and adverse routes
through the neighbor unl either the grace period or max neighbor restart me expires. If
neither expires before the neighbor returns to service, traffic forwarding connues as before
without network disrupon. If either period expires before the neighbor returns to service,
the firewall exits helper mode and resumes normal operaon, which involves reconfiguring the
roung table to bypass the neighbor.
STEP 1 | Select Network > Virtual Routers and select the virtual router you want to configure.
STEP 3 | Verify that the following are selected (they are enabled by default):
• Enable Graceful Restart
• Enable Helper Mode
• Enable Strict LSA Checking
These should remain selected unless required by your topology.
PAN-OS® Administrator’s Guide Version Version 9.1 1203 ©2021 Palo Alto Networks, Inc.
Networking
STEP 2 | Select Roung > Route Table and examine the Flags column of the roung table for routes
that were learned by OSPF.
STEP 2 | Select OSPF > Neighbor and examine the Status column to determine if OSPF adjacencies
have been established.
STEP 2 | Select OSPF > Neighbor and examine the Status column to determine if OSPF adjacencies
have been established (are full).
PAN-OS® Administrator’s Guide Version Version 9.1 1204 ©2021 Palo Alto Networks, Inc.
Networking
BGP
Border Gateway Protocol (BGP) is the primary Internet roung protocol. BGP determines network
reachability based on IP prefixes that are available within autonomous systems (AS), where an AS
is a set of IP prefixes that a network provider has designated to be part of a single roung policy.
• BGP Overview
• MP-BGP
• Configure BGP
• Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast
• Configure a BGP Peer with MP-BGP for IPv4 Mulcast
• BGP Confederaons
BGP Overview
BGP funcons between autonomous systems (exterior BGP or eBGP) or within an AS (interior
BGP or iBGP) to exchange roung and reachability informaon with BGP speakers. The firewall
provides a complete BGP implementaon, which includes the following features:
• Specificaon of one BGP roung instance per virtual router.
• BGP sengs per virtual router, which include basic parameters such as local route ID and local
AS, and advanced opons such as path selecon, route reflector, BGP Confederaons, route
flap dampening, and graceful restart.
• Peer group and neighbor sengs, which include neighbor address and remote AS, and
advanced opons such as neighbor aributes and connecons.
• Route policies to control route import, export and adversement; prefix-based filtering; and
address aggregaon.
• IGP-BGP interacon to inject routes to BGP using redistribuon profiles.
• Authencaon profiles, which specify the MD5 authencaon key for BGP connecons.
Authencaon helps prevent route leaking and successful DoS aacks.
• Mulprotocol BGP (MP-BGP) to allow BGP peers to carry IPv6 unicast routes and IPv4
mulcast routes in Update packets, and to allow the firewall and a BGP peer to communicate
with each other using IPv6 addresses.
• Beginning with PAN-OS 9.1.9, BGP supports a maximum of 255 AS numbers in an AS_PATH
list for a prefix.
MP-BGP
BGP supports IPv4 unicast prefixes, but a BGP network that uses IPv4 mulcast routes or IPv6
unicast prefixes needs mulprotocol BGP (MP-BGP) in order to exchange routes of address
types other than IPv4 unicast. MP-BGP allows BGP peers to carry IPv4 mulcast routes and IPv6
unicast routes in Update packets, in addion to the IPv4 unicast routes that BGP peers can carry
without MP-BGP enabled.
In this way, MP-BGP provides IPv6 connecvity to your BGP networks that use either nave
IPv6 or dual stack IPv4 and IPv6. Service providers can offer IPv6 service to their customers,
PAN-OS® Administrator’s Guide Version Version 9.1 1205 ©2021 Palo Alto Networks, Inc.
Networking
and enterprises can use IPv6 service from service providers. The firewall and a BGP peer can
communicate with each other using IPv6 addresses.
In order for BGP to support mulple network-layer protocols (other than BGP for IPv4),
Mulprotocol Extensions for BGP-4 (RFC 4760) use Network Layer Reachability Informaon
(NLRI) in a Mulprotocol Reachable NLRI aribute that the firewall sends and receives in BGP
Update packets. That aribute contains informaon about the desnaon prefix, including these
two idenfiers:
• The Address Family Idenfier (AFI), as defined by the IANA in Address Family Numbers,
indicates that the desnaon prefix is an IPv4 or IPv6 address. (PAN-OS supports IPv4 and
IPv6 AFIs.)
• The Subsequent Address Family Idenfier (SAFI) in PAN-OS indicates that the desnaon
prefix is a unicast or mulcast address (if the AFI is IPv4), or that the desnaon prefix is a
unicast address (if the AFI is IPv6). PAN-OS does not support IPv6 mulcast.
If you enable MP-BGP for IPv4 mulcast or if you configure a mulcast stac route, the firewall
supports separate unicast and mulcast route tables for stac routes. You might want to separate
the unicast and mulcast traffic going to the same desnaon. The mulcast traffic can take a
different path from unicast traffic because, for example, your mulcast traffic is crical, so you
need it to be more efficient by having it take fewer hops or undergo less latency.
You can also exercise more control over how BGP funcons by configuring BGP to use routes
from only the unicast or mulcast route table (or both) when BGP imports or exports routes, sends
condional adversements, or performs route redistribuon or route aggregaon.
You can decide to use a dedicated mulcast RIB (route table) by enabling MP-BGP and selecng
the Address Family of IPv4 and Subsequent Address Family of mulcast or by installing an IPv4
stac route in the mulcast route table. Aer you do either of those methods to use the mulcast
RIB, the firewall uses the mulcast RIB for all mulcast roung and reverse path forwarding (RPF).
If you prefer to use the unicast RIB for all roung (unicast and mulcast), you should not enable
the mulcast RIB by either method.
In the following figure, a stac route to 192.168.10.0/24 is installed in the unicast route table,
and its next hop is 198.51.100.2. However, mulcast traffic can take a different path to a private
MPLS cloud; the same stac route is installed in the mulcast route table with a different next hop
(198.51.100.4) so that its path is different.
PAN-OS® Administrator’s Guide Version Version 9.1 1206 ©2021 Palo Alto Networks, Inc.
Networking
Using separate unicast and mulcast route tables gives you more flexibility and control when you
configure these BGP funcons:
• Install an IPv4 stac route into the unicast or mulcast route table, or both, as described in the
preceding example. (You can install an IPv6 stac route into the unicast route table only).
• Create an Import rule so that any prefixes that match the criteria are imported into the unicast
or mulcast route table, or both.
• Create an Export rule so that prefixes that match the criteria are exported (sent to a peer) from
the unicast or mulcast route table, or both.
• Configure a condional adversement with a Non Exist filter so that the firewall searches the
unicast or mulcast route table (or both) to ensure the route doesn’t exist in that table, and so
the firewall adverses a different route.
• Configure a condional adversement with an Adverse filter so that the firewall adverses
routes matching the criteria from the unicast or mulcast route table, or both.
• Redistribute a route that appears in the unicast or mulcast route table, or both.
• Configure route aggregaon with an adverse filter so that aggregated routes to be adversed
come from the unicast or mulcast route table, or both.
• Conversely, configure route aggregaon with a suppress filter so that aggregated routes that
should be suppressed (not adversed) come from the unicast or mulcast route table, or both.
When you configure a peer with MP-BGP using an Address Family of IPv6, you can use IPv6
addresses in the Address Prefix and Next Hop fields of an Import rule, Export rule, Condional
Adversement (Adverse Filter and Non Exist Filter), and Aggregate rule (Adverse Filter,
Suppress Filter, and Aggregate Route Aribute).
Configure BGP
Perform the following task to configure BGP.
STEP 1 | Configure general virtual router configuraon sengs.
See Virtual Routers for details.
STEP 2 | Enable BGP for the virtual router, assign a router ID, and assign the virtual router to an AS.
1. Select Network > Virtual Routers and select a virtual router.
2. Select BGP.
3. Enable BGP for this virtual router.
4. Assign a Router ID to BGP for the virtual router, which is typically an IPv4 address to
ensure the Router ID is unique.
5. Assign the AS Number—the number of the AS to which the virtual router belongs based
on the router ID (range is 1 to 4,294,967,295).
6. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1207 ©2021 Palo Alto Networks, Inc.
Networking
Runme stats display BGP 4-byte AS numbers using asplain notaon according
to RFC 5396.
8. Enable or disable each of the following sengs for Path Selecon:
• Always Compare MED—Enable this comparison to choose paths from neighbors in
different autonomous systems.
• Determinisc MED Comparison—Enable this comparison to choose between routes
that are adversed by IBGP peers (BGP peers in the same autonomous system).
9. For Auth Profiles, Add an authencaon profile:
• Profile Name—Enter a name to idenfy the profile.
• Secret/Confirm Secret—Enter and confirm a passphrase for BGP peer
communicaons. The Secret is used as a key in MD5 authencaon.
10. Click OK twice.
PAN-OS® Administrator’s Guide Version Version 9.1 1208 ©2021 Palo Alto Networks, Inc.
Networking
PAN-OS® Administrator’s Guide Version Version 9.1 1209 ©2021 Palo Alto Networks, Inc.
Networking
STEP 6 | Configure a BGP peer that belongs to the peer group and specify its addressing.
1. Select Network > Virtual Routers and select a virtual router.
2. Select BGP > Peer Group and select the peer group you created.
3. For Peer, Add a peer by Name.
4. Enable the peer.
5. Enter the Peer AS to which the peer belongs.
6. Select Addressing.
7. For Local Address, select the Interface for which you are configuring BGP. If the interface
has more than one IP address, enter the IP address for that interface to be the BGP peer.
8. For Peer Address, select either IP and enter the IP address or select or create an address
object, or select FQDN and enter the FQDN or address object that is type FQDN.
The firewall uses only one IP address (from each IPv4 or IPv6 family type) from
the DNS resoluon of the FQDN. If the DNS resoluon returns more than one
address, the firewall uses the preferred IP address that matches the IP family
type (IPv4 or IPv6) configured for the BGP peer. The preferred IP address is the
first address the DNS server returns in its inial response. The firewall retains
this address as preferred as long as the address appears in subsequent responses
regardless of its order.
9. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1210 ©2021 Palo Alto Networks, Inc.
Networking
PAN-OS® Administrator’s Guide Version Version 9.1 1211 ©2021 Palo Alto Networks, Inc.
Networking
STEP 8 | Configure the BGP peer with sengs for route reflector client, peering type, maximum
prefixes, and Bidireconal Forwarding Detecon (BFD).
1. Select Network > Virtual Routers and select a virtual router.
2. Select BGP > Peer Group and select the peer group you created.
3. Select the Peer you configured.
4. Select Advanced.
5. For Reflector Client, select one of the following:
• non-client (default)—Peer is not a route reflector client.
• client—Peer is a route reflector client.
• meshed-client
6. For Peering Type, select one of the following:
• Bilateral—The two BGP peers establish a peer connecon.
• Unspecified (default).
7. For Max Prefixes, enter the maximum number of supported IP prefixes (range is 1 to
100,000) or select unlimited.
8. To enable BFD for the peer (and thereby override the BFD seng for BGP, as long as
BFD is not disabled for BGP at the virtual router level), select one of the following:
• default—Peer uses only default BFD sengs.
• Inherit-vr-global-seng (default)—Peer inherits the BFD profile that you selected
globally for BGP for the virtual router.
• A BFD profile you configured—See Create a BFD Profile.
9. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1212 ©2021 Palo Alto Networks, Inc.
Networking
STEP 10 | Configure condional adversing, which allows you to control what route to adverse in the
event that a different route is not available in the local BGP roung table (LocRIB), indicang
a peering or reachability failure.
This is useful in cases where you want to try to force routes to one AS over another, such as
when you have links to the internet through mulple ISPs and you want traffic to be routed to
one provider instead of the other except when there is a loss of connecvity to the preferred
provider.
1. Select Condional Adv and Add a Policy name.
2. Enable the condional adversement.
3. In the Used By secon, Add the peer groups that will use the condional adversement
policy.
4. Select Non Exist Filter and define the network prefixes of the preferred route. This
specifies the route that you want to adverse when it is available in the local BGP
roung table. If a prefix is going to be adversed and matches a Non Exist filter, the
adversement will be suppressed.
5. Select Adverse Filters and define the prefixes of the route in the Local-RIB roung
table that should be adversed in the event that the route in the non-exist filter is
unavailable in the local roung table. If a prefix is going to be adversed and does not
match a Non Exist filter, the adversement will occur.
6. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1213 ©2021 Palo Alto Networks, Inc.
Networking
PAN-OS® Administrator’s Guide Version Version 9.1 1214 ©2021 Palo Alto Networks, Inc.
Networking
STEP 2 | (Oponal) Create a stac route and install it in the unicast route table because you want the
route to be used only for unicast purposes.
1. Select Network > Virtual Routers and select the virtual router you are configuring.
2. Select Stac Routes, select IPv4 or IPv6, and Add a route.
3. Enter a Name for the stac route.
4. Enter the IPv4 or IPv6 Desnaon prefix and netmask, depending on whether you chose
IPv4 or IPv6.
5. Select the egress Interface.
6. Select the Next Hop as IPv6 Address (or IP Address if you chose IPv4) and enter the
address of the next hop to which you want to direct unicast traffic for this stac route.
7. Enter an Admin Distance.
8. Enter a Metric.
9. For Route Table, select Unicast.
10. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1215 ©2021 Palo Alto Networks, Inc.
Networking
2. View the BGP RIB Out table, which shows the routes that the firewall sends to BGP
neighbors.
1. Select Network > Virtual Routers.
2. In the row for the virtual router, click More Runme Stats.
3. Select BGP > RIB Out.
4. For Route Table, select Unicast or Mulcast to display only those routes.
5. For Display Address Family, select IPv4 Only, IPv6 Only, or IPv4 and IPv6 to display
only routes for that address family.
PAN-OS® Administrator’s Guide Version Version 9.1 1216 ©2021 Palo Alto Networks, Inc.
Networking
STEP 2 | (Oponal) Create an IPv4 stac route and install it in the mulcast route table only.
You would do this to direct mulcast traffic for a BGP peer to a specific next hop, as shown in
the topology in MP-BGP.
1. Select Network > Virtual Routers and select the virtual router you are configuring.
2. Select Stac Routes > IPv4 and Add a Name for the route.
3. Enter the IPv4 Desnaon prefix and netmask.
4. Select the egress Interface.
5. Select the Next Hop as IP Address and enter the IP address of the next hop to which you
want to direct mulcast traffic for this stac route.
6. Enter an Admin Distance.
7. Enter a Metric.
8. For Route Table, select Mulcast.
9. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1217 ©2021 Palo Alto Networks, Inc.
Networking
STEP 5 | To view the Forwarding table, BGP Local RIB, or BGP RIB Out table, see Configure a BGP
Peer with MP-BGP for IPv4 or IPv6 Unicast.
BGP Confederaons
BGP confederaons provide a way to divide an autonomous system (AS) into two or more sub-
autonomous systems (sub-AS) to reduce the burden that the full mesh requirement for IBGP
causes. The firewalls (or other roung devices) within a sub-AS must sll have a full iBGP mesh
with the other firewalls in the same sub-AS. You need BGP peering between sub-autonomous
systems for full connecvity within the main AS. The firewalls peering with each other within a
sub-AS form an IBGP confederaon peering. The firewall in one sub-AS peering with a firewall in
a different sub-AS form an EBGP confederaon peering. Two firewalls from different autonomous
systems that connect are EBGP peers.
PAN-OS® Administrator’s Guide Version Version 9.1 1218 ©2021 Palo Alto Networks, Inc.
Networking
figure, the confederaons are AS 65100 and AS 65110. (RFC6996, Autonomous System (AS)
Reservaon for Private Use, indicates that the IANA reserves AS numbers 64512-65534 for
private use.)
The sub-AS confederaons seem like full autonomous systems to each other within the AS.
However, when the firewall sends an AS path to an EBGP peer, only the public AS number appears
in the AS path; no private sub-AS (Confederaon Member AS) numbers are included.
BGP peering occurs between the firewall and R2; the firewall in the figure has these relevant
configuraon sengs:
• AS number—24
• Confederaon Member AS—65100
• Peering Type—EBGP confed
• Peer AS—65110
PAN-OS® Administrator’s Guide Version Version 9.1 1219 ©2021 Palo Alto Networks, Inc.
Networking
• Peer AS—65100
BGP peering occurs between the firewall and R5. The firewall has the following addional
configuraon:
• AS number—24
• Confederaon Member AS—65100
• Peering Type—EBGP
• Peer AS—25
R5 is configured as follows:
• AS—25
• Peering Type—EBGP
• Peer AS—24
Aer the firewall is configured to peer with R1, R2, and R5, its peers are visible on the Peer Group
tab:
PAN-OS® Administrator’s Guide Version Version 9.1 1220 ©2021 Palo Alto Networks, Inc.
Networking
To verify that the routes from the firewall to the peers are established, on the virtual router’s
screen, select More Runme Stats and select the Peer tab.
Select the Local RIB tab to view informaon about the routes stored in the Roung Informaon
Base (RIB).
PAN-OS® Administrator’s Guide Version Version 9.1 1221 ©2021 Palo Alto Networks, Inc.
Networking
PAN-OS® Administrator’s Guide Version Version 9.1 1222 ©2021 Palo Alto Networks, Inc.
Networking
IP Mulcast
IP mulcast is a set of protocols that network appliances use to send mulcast IP datagrams to a
group of interested receivers using one transmission rather than unicasng the traffic to mulple
receivers, thereby saving bandwidth. IP mulcast is suitable for communicaon from one source
(or many sources) to many receivers, such as audio or video streaming, IPTV, video conferencing,
and distribuon of other communicaon, such as news and financial data.
A mulcast address idenfies a group of receivers that want to receive the traffic going to that
address. You should not use the mulcast addresses reserved for special uses, such as the range
224.0.0.0 through 224.0.0.255 or 239.0.0.0 through 239.255.255.255. Mulcast traffic uses UDP,
which does not resend missed packets.
Palo Alto Networks® firewalls support IP mulcast and Protocol Independent Mulcast (PIM) on a
Layer 3 interface that you configure for a virtual router on the firewall.
For mulcast roung, the Layer 3 interface type can be Ethernet, Aggregate Ethernet (AE), VLAN,
loopback, or tunnel. Interface groups allow you to configure more than one firewall interface at a
me with the same Internet Group Management Protocol (IGMP) and PIM parameters, and with
the same group permissions (mulcast groups allowed to accept traffic from any source or from
only a specific source). An interface can belong to only one interface group.
The firewall supports IPv4 mulcast—it does not support IPv6 mulcast. The firewall also does
not support PIM Dense Mode (PIM-DM), IGMP proxy, IGMP stac joins, Anycast RP, GRE, or
mulcast configuraons on a Layer 2 or virtual wire interface type. However, a virtual wire
interface can pass mulcast packets. Also, a Layer 2 interface can switch Layer 3 IPv4 mulcast
packets between different VLANs and the firewall will retag the VLAN ID using the VLAN ID of
the egress interface.
You must enable mulcast for a virtual router and enable PIM for an ingress and an egress
interface in order for the interfaces to receive or forward mulcast packets. In addion to PIM,
you must also enable IGMP on egress interfaces that face receivers. You must configure a Security
policy rule to allow IP mulcast traffic to a predefined Layer 3 desnaon zone named mulcast
or to any desnaon zone.
• IGMP
• PIM
• Configure IP Mulcast
• View IP Mulcast Informaon
IGMP
Internet Group Management Protocol (IGMP) is an IPv4 protocol that a mulcast receiver uses
to communicate with an interface on a Palo Alto Networks® firewall and that the firewall uses
to track the membership of mulcast groups. When a host wants to receive mulcast traffic, its
implementaon of IGMP sends an IGMP Membership report message and the receiving router, in
turn, sends a PIM Join message to the mulcast group address of the group that the host wants to
join. An IGMP-enabled router on the same physical network (such as an Ethernet segment) then
uses PIM to communicate with other PIM-enabled routers to determine a path from the source to
interested receivers.
PAN-OS® Administrator’s Guide Version Version 9.1 1223 ©2021 Palo Alto Networks, Inc.
Networking
Enable IGMP only on interfaces that face a mulcast receiver. The receivers can be only one Layer
3 hop away from the virtual router. IGMP messages are Layer 2 messages that have a TTL value of
one and, therefore, cannot go outside the LAN.
When you Configure IP Mulcast, specify whether an interface uses IGMP Version 1, IGMP
Version 2, or IGMP Version 3. You can enforce the IP Router Alert opon, RFC 2113, so that
incoming IGMP packets that use IGMPv2 or IGMPv3 have the IP Router Alert opon.
By default, an interface accepts IGMP Membership reports for all mulcast groups. You can
configure mulcast group permissions to control the groups for which the virtual router accepts
Membership reports from any source (Any-Source Mulcast, or ASM), which is basically PIM
Sparse Mode (PIM-SM). You can also specify the groups for which the virtual router accepts
Membership reports from a specific source (PIM Source-Specific Mulcast [PIM-SSM]). If you
specify permissions for either ASM or SSM groups, the virtual router denies Membership reports
from other groups. The interface must use IGMPv3 to pass PIM-SSM traffic.
You can specify the maximum number of sources and the maximum number of mulcast groups
that IGMP can process simultaneously for an interface.
The virtual router mulcasts an IGMP Query at regular intervals to all receivers of a mulcast
group. A receiver responds to an IGMP Query with an IGMP Membership report that confirms the
receiver sll wants to receive mulcast traffic for that group. The virtual router maintains a table
of the mulcast groups that have receivers; the virtual router forwards a mulcast packet out the
interface to the next hop only if there is sll a receiver down that mulcast distribuon tree that is
joined to the group. The virtual router does not track exactly which receivers are joined to a group.
Only one router on a subnet responds to IGMP Queries and that is the IGMP Querier—the router
with the lowest IP address.
You can configure an interface with an IGMP Query interval and the amount of me allowed for
a receiver to respond to a query (the Max Query Response Time). When a virtual router receives
an IGMP Leave message from a receiver to leave a group, the virtual router checks that the
interface that received the Leave message is not configured with the Immediate Leave opon.
In the absence of the Immediate Leave opon, the virtual router sends a Query to determine
whether there are sll receiver members for the group. The Last Member Query Interval specifies
how many seconds are allowed for any remaining receivers for that group to respond and confirm
that they sll want mulcast traffic for that group.
An interface supports the IGMP robustness variable, which you can adjust so that the firewall then
tunes the Group Membership Interval, Other Querier Present Interval, Startup Query Count, and
Last Member Query Count. A higher robustness variable can accommodate a subnet that is likely
to drop packets.
View IP Mulcast Informaon to see IGMP-enabled interfaces, the IGMP version, Querier
address, robustness seng, limits on the number of mulcast groups and sources, and whether
the interface is configured for Immediate Leave. You can also see the mulcast groups to which
interfaces belong and other IGMP membership informaon.
PIM
IP mulcast uses the Protocol Independent Mulcast (PIM) roung protocol between routers
to determine the path on the distribuon tree that mulcast packets take from the source to
the receivers (mulcast group members). A Palo Alto Networks® firewall supports PIM Sparse
Mode (PIM-SM) (RFC 4601), PIM Any-Source Mulcast (ASM) (somemes referred to as PIM
PAN-OS® Administrator’s Guide Version Version 9.1 1224 ©2021 Palo Alto Networks, Inc.
Networking
Sparse Mode), and PIM Source-Specific Mulcast (SSM). In PIM-SM, the source does not forward
mulcast traffic unl a receiver (user) belonging to a mulcast group requests that the source send
the traffic. When a host wants to receive mulcast traffic, its implementaon of IGMP sends an
IGMP Membership report message, and the receiving router then sends a PIM Join message to the
mulcast group address of the group it wants to join.
• In ASM, the receiver uses IGMP to request traffic for a mulcast group address; any source
could have originated that traffic. Consequently, the receiver doesn’t necessarily know the
senders, and the receiver could receive mulcast traffic in which it has no interest.
• In SSM (RFC 4607), the receiver uses IGMP to request traffic from one or more specific sources
to a mulcast group address. The receiver knows the IP address of the senders and receives
only the mulcast traffic it wants. SSM requires IGMPv3. You can override the default SSM
address space, which is 232.0.0.0/8.
When you Configure IP Mulcast on a Palo Alto Networks® firewall, you must enable PIM for an
interface to forward mulcast traffic, even on receiver-facing interfaces. This is unlike IGMP, which
you enable only on receiver-facing interfaces.
ASM requires a rendezvous point (RP), which is a router located at the juncture or root of a shared
distribuon tree. The RP for a mulcast domain serves as a single point to which all mulcast
group members send their Join messages. This behavior reduces the likelihood of a roung loop
that would otherwise occur if group members sent their Join messages to mulple routers. (SSM
doesn’t need an RP because source-specific mulcast uses a shortest-path tree and therefore has
no need for an RP.)
In an ASM environment, there are two ways that the virtual router determines which router is the
RP for a mulcast group:
• Stac RP-to-Group Mapping—configures the virtual router on the firewall to act as RP for
mulcast groups. You configure a local RP, either by configuring a stac RP address or by
specifying that the local RP is a candidate RP and the RP is chosen dynamically (based on
lowest priority value). You can also stacally configure one or more external RPs for different
group address ranges not covered by the local RP, which helps you load-balance mulcast
traffic so that one RP is not overloaded.
PAN-OS® Administrator’s Guide Version Version 9.1 1225 ©2021 Palo Alto Networks, Inc.
Networking
• Bootstrap Router (BSR)—(RFC 5059)—defines the role of a BSR. First, candidates for BSR
adverse their priority to each other and then the candidate with the largest priority is elected
BSR, as shown in the following figure:
Next, the BSR discovers RPs when candidate RPs periodically unicast a BSR message to the
BSR containing their IP address and the mulcast group range for which they will act as RP.
You can configure the local virtual router to be a candidate RP, in which case the virtual router
announces its RP candidacy for a specific mulcast group or groups. The BSR sends out RP
informaon to the other RPs in the PIM domain.
When you configure PIM for an interface, you can select BSR Border when the interface on
the firewall is at an enterprise boundary facing away from the enterprise network. The BSR
Border seng prevents the firewall from sending RP candidacy BSR messages outside the LAN.
In the following illustraon, BSR Border is enabled for the interface facing the LAN and that
interface has the highest priority. If the virtual router has both a stac RP and a dynamic RP
(learned from the BSR), you can specify whether the stac RP should override the learned RP
for a group when you configure the local, stac RP.
In order for PIM Sparse Mode to nofy the RP that it has traffic to send down a shared tree, the
RP must be aware of the source. The host nofies the RP that it is sending traffic to a mulcast
PAN-OS® Administrator’s Guide Version Version 9.1 1226 ©2021 Palo Alto Networks, Inc.
Networking
group address when the designated router (DR) encapsulates the first packet from the host in
a PIM Register message and unicasts the packet to the RP on its local network. The DR also
forwards Prune messages from a receiver to the RP. The RP maintains the list of IP addresses
of sources that are sending to a mulcast group and the RP can forward mulcast packets from
sources.
Why do the routers in a PIM domain need a DR? When a router sends a PIM Join message to a
switch, two routers could receive it and forward it to the same RP, causing redundant traffic and
wasng bandwidth. To prevent unnecessary traffic, the PIM routers elect a DR (the router with the
highest IP address), and only the DR forwards the Join message to the RP. Alternavely, you can
assign a DR priority to an interface group, which takes precedence over IP address comparisons.
As a reminder, the DR is forwarding (unicasng) PIM messages; it is not mulcasng IP mulcast
packets.
You can specify the IP addresses of PIM neighbors (routers) that the interface group will allow
to peer with the virtual router. By default, all PIM-enabled routers can be PIM neighbors, but
the opon to limit neighbors provides a step toward securing the virtual router in your PIM
environment.
• Shortest Path Tree (SPT) and Shared Tree
• PIM Assert Mechanism
• Reverse-Path Forwarding
PAN-OS® Administrator’s Guide Version Version 9.1 1227 ©2021 Palo Alto Networks, Inc.
Networking
for example, (192.168.1.1, 225.9.2.6). The following figure illustrates three shortest-path trees
from the source to three receivers.
• A shared tree—A path rooted at the RP, not at the mulcast source. A shared tree is also known
as an RP tree or RPT. Routers forward mulcast packets from various sources to the RP and
the RP forwards the packets down the shared tree. A shared tree is annotated as (*, G), using
a wildcard as the source because all sources belonging to the mulcast group share the same
distribuon tree from the RP. An example shared tree annotaon is (*, 226.3.1.5). The following
figure illustrates a shared tree from the root at the RP to the receivers.
Source-Specific Mulcast (SSM) uses source tree distribuon. When you Configure IP Mulcast
to use Any Source Mulcast (ASM), you can specify which distribuon tree the virtual router on
your Palo Alto Networks® firewall uses to deliver mulcast packets to a group by seng an SPT
threshold for the group:
• By default the virtual router switches mulcast roung from shared tree to SPT when it
receives the first mulcast packet for a group or prefix (the SPT Threshold is set to 0).
PAN-OS® Administrator’s Guide Version Version 9.1 1228 ©2021 Palo Alto Networks, Inc.
Networking
• You can configure the virtual router to switch to SPT when the total number of kilobits in
packets arriving for the specified mulcast group or prefix at any interface over any length of
me reaches a configured number.
• You can configure the virtual router to never switch to SPT for the group or prefix (it connues
to use shared tree).
SPT requires more memory, so choose your seng based on your mulcast traffic level to the
group. If the virtual router switches to SPT, then packets will arrive from the source (rather than
the RP) and the virtual router sends a Prune message to the RP. The source sends subsequent
mulcast packets for that group down the shortest-path tree.
Reverse-Path Forwarding
PIM uses reverse-path forwarding (RPF) to prevent mulcast roung loops by leveraging the
unicast roung table on the virtual router. When the virtual router receives a mulcast packet,
it looks up the source of the mulcast packet in its unicast roung table to see if the outgoing
interface associated with that source IP address is the interface on which that packet arrived. If
the interfaces match, the virtual router duplicates the packet and forwards it out the interfaces
toward the mulcast receivers in the group. If the interfaces don’t match, the virtual router drops
the packet. The unicast roung table is based on the underlying stac routes or the interior
gateway protocol (IGP) your network uses, such as OSPF.
PIM also uses RPF to build a shortest-path tree to a source, one PIM router hop at a me. The
virtual router has the address of the mulcast source, so the virtual router selects as its next hop
back to the source the upstream PIM neighbor that the virtual router would use to forward unicast
packets to the source. The next hop router does the same thing.
PAN-OS® Administrator’s Guide Version Version 9.1 1229 ©2021 Palo Alto Networks, Inc.
Networking
Aer RPF succeeds and the virtual router has a route entry in its mulcast roung informaon
base (mRIB), the virtual router maintains source-based tree entries (S,G) and shared tree entries
(*,G) in its mulcast forwarding informaon base (mulcast forwarding table or mFIB). Each entry
includes the source IP address, mulcast group, incoming interface (RPF interface) and outgoing
interface list. There can be mulple outgoing interfaces for an entry because the shortest path
tree can branch at the router, and the router must forward the packet out mulple interfaces to
reach receivers of the group that are located down different paths. When the virtual router uses
the mFIB to forward a mulcast packet, it matches an (S,G) entry before it aempts to match a
(*,G) entry.
If you are adversing mulcast source prefixes into BGP (you configured MP-BGP with the IPv4
Address Family and the mulcast Subsequent Address Family), then the firewall always performs
the RPF check on the BGP routes that the firewall received under the mulcast Subsequent
Address Family.
View IP Mulcast Informaon to see how to view the mFIB and mRIB entries. Keep in mind that
the mulcast route table (mRIB) is a separate table from the unicast route table (RIB).
Configure IP Mulcast
Configure interfaces on a virtual router of a Palo Alto Networks® firewall to receive and forward
IP mulcast packets. You must enable IP mulcast for the virtual router, configure Protocol
Independent Mulcast (PIM) on the ingress and egress interfaces, and configure Internet Group
Management Protocol (IGMP) on receiver-facing interfaces.
STEP 1 | Enable IP mulcast for a virtual router.
1. Select Network > Virtual Routers and select a virtual router.
2. Select Mulcast and Enable IP mulcast.
PAN-OS® Administrator’s Guide Version Version 9.1 1230 ©2021 Palo Alto Networks, Inc.
Networking
STEP 2 | (ASM only) If the mulcast domain in which the virtual router is located uses Any-Source
Mulcast (ASM), idenfy and configure the local and remote rendezvous points (RPs) for
mulcast groups.
1. Select Rendezvous Point.
2. Select a Local RP Type, which determines how the RP is chosen (the opons are Stac,
Candidate, or None):
• Stac—Establishes a stac mapping of an RP to mulcast groups. Configuring a stac
RP requires you to explicitly configure the same RP on other PIM routers in the PIM
domain.
• Select the RP Interface. Valid interface types are Layer3, virtual wire, loopback,
VLAN, Aggregate Ethernet (AE), and tunnel.
• Select the RP Address. The IP addresses of the RP interface you selected populate
the list.
• Select Override learned RP for the same group so that this stac RP serves as RP
instead of the RP elected for the groups in the Group List.
• Add one or more mulcast Groups for which the RP acts as the RP.
PAN-OS® Administrator’s Guide Version Version 9.1 1231 ©2021 Palo Alto Networks, Inc.
Networking
which one acts as RP for the specified groups; the firewall selects the candidate RP
with the lowest priority value (range is 0 to 255; default is 192).
• (Oponal) Change the Adversement Interval (sec) (range is 1 to 26,214; default is
60).
• Enter a Group List of mulcast groups that communicate with the RP.
• None—Select if this virtual router is not an RP.
3. Add a Remote Rendezvous Point and enter the IP Address of that remote (external) RP.
4. Add the mulcast Group Addresses for which the specified remote RP address acts as
RP.
5. Select Override learned RP for the same group so that the external RP you configured
stacally serves as RP instead of an RP that is dynamically learned (elected) for the
groups in the Group Addresses list.
6. Click OK.
STEP 3 | Specify a group of interfaces that share a mulcast configuraon (IGMP, PIM, and group
permissions).
1. On the Interfaces tab, Add a Name for the interface group.
2. Enter a Descripon.
3. Add an Interface and select one or more Layer 3 interfaces that belong to the interface
group.
STEP 4 | (Oponal) Configure mulcast group permissions for the interface group. By default, the
interface group accepts IGMP membership reports and PIM join messages from all groups.
1. Select Group Permissions.
2. To configure Any-Source Mulcast (ASM) groups for this interface group, in the
Any Source window, Add a Name to idenfy a mulcast group that accepts IGMP
membership reports and PIM join messages from any source.
3. Enter the mulcast Group address or group address and /prefix that can receive
mulcast packets from any source on these interfaces.
4. Select Included to include the ASM Group address in the interface group (default). De-
select Included to easily exclude an ASM group from the interface group, such as during
tesng.
5. Add addional mulcast Groups (for the interface group) that want to receive mulcast
packets from any source.
6. To configure Source-Specific Mulcast (SSM) groups in this interface group, in the Source
Specific window, Add a Name to idenfy a mulcast group and source address pair.
PAN-OS® Administrator’s Guide Version Version 9.1 1232 ©2021 Palo Alto Networks, Inc.
Networking
Don’t use a name that you used for Any Source mulcast. (You must use IGMPv3 to
configure SSM.)
7. Enter the mulcast Group address or group address and /prefix of the group that wants
to receive mulcast packets from the specified source only (and can receive the packets
on these interfaces).
A Source Specific group for which you specify permissions is a group that the
virtual router must treat as source-specific. Configure Source Specific Address
Space (Step 9) that includes the source-specific groups for which you configured
permission.
8. Enter the Source IP address from which this mulcast group can receive mulcast
packets.
9. Select Included to include the SSM Group and source address pair in the interface group
(default). De-select Included to easily exclude the pair from the interface group, such as
during tesng.
10. Add addional mulcast Groups (for the interface group) that receive mulcast packets
from a specific source only.
STEP 5 | Configure IGMP for the interface group if an interface faces mulcast receivers, which must
use IGMP to join a group.
1. On the IGMP tab, Enable IGMP (default).
2. Specify IGMP parameters for interfaces in the interface group:
• IGMP Version—1, 2, or 3 (default).
• Enforce Router-Alert IP Opon (disabled by default)—Select this opon if you require
incoming IGMP packets that use IGMPv2 or IGMPv3 to have the IP Router Alert
Opon, RFC 2113.
• Robustness—A variable that the firewall uses to tune the Group Membership Interval,
Other Querier Present Interval, Startup Query Count, and Last Member Query Count
PAN-OS® Administrator’s Guide Version Version 9.1 1233 ©2021 Palo Alto Networks, Inc.
Networking
(range is 1 to 7; default is 2). Increase the value if the subnet on which this firewall is
located is prone to losing packets.
• Max Sources—Maximum number of sources that IGMP can process simultaneously
for an interface (range is 1 to 65,535; default is unlimited).
• Max Groups—Maximum number of groups that IGMP can process simultaneously for
an interface (range is 1 to 65,535; default is unlimited).
• Query Interval—Number of seconds between IGMP membership Query messages
that the virtual router sends to a receiver to determine whether the receiver sll
wants to receive the mulcast packets for a group (range is 1 to 31,744; default is
125).
• Max Query Response Time (sec)—Maximum number of seconds allowed for a
receiver to respond to an IGMP membership Query message before the virtual router
determines that the receiver no longer wants to receive mulcast packets for the
group (range is 0 to 3,174.4; default is 10).
• Last Member Query Interval (sec)—Number of seconds allowed for a receiver to
respond to a Group-Specific Query that the virtual router sends aer a receiver sends
a Leave Group message (range is 0.1 to 3,174.4; default is 1).
• Immediate Leave (disabled by default)—When there is only one member in a mulcast
group and the virtual router receives an IGMP Leave message for that group, the
Immediate Leave seng causes the virtual router to remove that group and outgoing
interface from the mulcast roung informaon base (mRIB) and mulcast forwarding
informaon base (mFIB) immediately, rather than waing for the Last Member Query
Interval to expire. The Immediate Leave seng saves network resources. You cannot
select Immediate Leave if the interface group uses IGMPv1.
STEP 6 | Configure PIM Sparse Mode (PIM-SM) for the interface group.
1. On the PIM tab, Enable PIM (enabled by default).
2. Specify PIM parameters for the interface group:
• Assert Interval—Number of seconds between PIM Assert messages that the virtual
router sends to other PIM routers on the mulaccess network when they are elecng
a PIM forwarder (range is 0 to 65,534; default is 177).
• Hello Interval—Number of seconds between PIM Hello messages that the virtual
router sends to its PIM neighbors from each interface in the interface group (range is
0 to 18,000; default is 30).
• Join Prune Interval—Number of seconds between PIM Join messages (and between
PIM Prune messages) that the virtual router sends upstream toward a mulcast source
(range is 0 to 18,000; default is 60).
• DR Priority—Designated Router (DR) priority that controls which router in a
mulaccess network forwards PIM Join and Prune messages to the RP (range is
PAN-OS® Administrator’s Guide Version Version 9.1 1234 ©2021 Palo Alto Networks, Inc.
Networking
STEP 8 | (Oponal) Change the Shortest-Path Tree (SPT) threshold, as described in Shortest-Path Tree
(SPT) and Shared Tree.
1. Select SPT Threshold and Add a Mulcast Group/Prefix, the mulcast group or prefix
for which you are specifying the distribuon tree.
2. Specify the Threshold (kb)—The point at which roung to the specified mulcast group
or prefix switches from shared tree (sourced from the RP) to SPT distribuon:
• 0 (switch on first data packet) (default)—The virtual router switches from shared tree
to SPT for the group or prefix when the virtual router receives the first data packet for
the group or prefix.
• never (do not switch to spt)—The virtual router connues to use the shared tree to
forward packets to the group or prefix.
• Enter the total number of kilobits from mulcast packets that can arrive for the
mulcast group or prefix at any interface and over any me period, upon which the
virtual router changes to SPT distribuon for that mulcast group or prefix.
STEP 9 | Idenfy the mulcast groups or groups and prefixes that accept mulcast packets only from a
specific source.
1. Select Source Specific Address Space and Add the Name for the space.
2. Enter the mulcast Group address with prefix length to idenfy the address space that
receives mulcast packets from a specific source. If the virtual router receives a mulcast
packet for an SSM group but the group is not covered by a Source Specific Address
Space, the virtual router drops the packet.
3. Select Included to include the source-specific address space as a mulcast group address
range from which the virtual router will accept mulcast packets that originated from an
PAN-OS® Administrator’s Guide Version Version 9.1 1235 ©2021 Palo Alto Networks, Inc.
Networking
allowed specific source. De-select Included to easily exclude a group address space for
tesng.
4. Add other source-specific address spaces to include all those groups for which you
specified SSM group permission.
STEP 10 | (Oponal) Change the length of me that a mulcast route remains in the mRIB aer the
session ends between a mulcast group and a source.
1. Select the Advanced tab.
2. Specify the Mulcast Route Age Out Time (sec) (range is 210 to 7,200; default is 210).
STEP 12 | Create a Security policy rule to allow mulcast traffic to the desnaon zone.
1. Create a Security Policy Rule and on the Desnaon tab, select mulcast or any for
the Desnaon Zone. The mulcast zone is a predefined Layer 3 zone that matches all
mulcast traffic. The Desnaon Address can be a mulcast group address.
2. Configure the rest of the Security policy rule.
STEP 13 | (Oponal) Enable buffering of mulcast packets before a route is set up.
1. Select Device > Setup > Session and edit Session Sengs.
2. Enable Mulcast Route Setup Buffering (disabled by default). The firewall can preserve
the first packet(s) from a mulcast flow if an entry for the corresponding mulcast group
does not yet exist in the mulcast forwarding table (mFIB). The Buffer Size controls how
many packets the firewall buffers from a flow. Aer the route is installed in the mFIB, the
firewall automacally forwards the buffered first packet(s) to the receiver. (You need to
enable mulcast route setup buffering only if your content servers are directly connected
to the firewall and your mulcast applicaon cannot withstand the first packet of the
flow being dropped.)
3. (Oponal) Change the Buffer Size. Buffer size is the number of packets per mulcast flow
that the firewall can buffer unl the mFIB entry is set up (range is 1 to 2,000; default is
1,000). The firewall can buffer a maximum of 5,000 packets total (for all flows).
4. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1236 ©2021 Palo Alto Networks, Inc.
Networking
STEP 15 | View IP Mulcast Informaon to view mRIB and mFIB entries, IGMP interface sengs, IGMP
group memberships, PIM ASM and SSM modes, group mappings to RPs, DR addresses, PIM
sengs, PIM neighbors, and more.
STEP 16 | If you Configure a Stac Route for mulcast traffic, you can install the route only in the
mulcast roung table (not the unicast roung table) so that the route is used for mulcast
traffic only.
STEP 17 | If you enable IP mulcast, it is not necessary to Configure BGP with MP-BGP for IPv4
Mulcast unless you have a logical mulcast topology separate from a logical unicast
topology. You configure MP-BGP extensions with the IPv4 address family and mulcast
subsequent address family only when you want to adverse mulcast source prefixes into
BGP under mulcast subsequent address family.
Select Network > Virtual Routers and in the row for the virtual router you configured, click
More Runme Stats.
1. Select Roung > Route Table and then the Mulcast radio buon to display only
mulcast routes (desnaon IP mulcast group, the next hop toward that group, and
outgoing interface). This informaon comes from the mRIB.
2. Select Mulcast > FIB to view mulcast route informaon from the mFIB: mulcast
groups to which the virtual router belongs, the corresponding source, incoming
interfaces, and outgoing interfaces toward the receivers.
3. Select Mulcast > IGMP > Interface to view IGMP-enabled interfaces, the associated
IGMP version, IP address of the IGMP Querier, Querier up me and expiry me, the
PAN-OS® Administrator’s Guide Version Version 9.1 1237 ©2021 Palo Alto Networks, Inc.
Networking
robustness seng, limits on numbers of mulcast groups and sources, and whether the
interface is configured for immediate leave.
4. Select Mulcast > IGMP > Membership to see IGMP-enabled interfaces and the
mulcast groups to which they belong, the source, and other IGMP informaon.
5. Select Mulcast > PIM > Group Mapping to view mulcast groups mapped to an RP, the
origin of the RP mapping, the PIM mode for the group (ASM or SSM), and whether the
PAN-OS® Administrator’s Guide Version Version 9.1 1238 ©2021 Palo Alto Networks, Inc.
Networking
group is inacve. Groups in SSM mode don’t use an RP, so the RP address displayed is
0.0.0.0. The default SSM group is 232.0.0.0/8.
6. Select Mulcast > PIM > Interface to view the IP address of the DR for an interface; the
DR priority; the Hello, Join/Prune, and Assert intervals; and whether the interface is a
bootstrap router (BSR).
7. Select Mulcast > PIM > Neighbor to view informaon about routers that are PIM
neighbors to the virtual router.
PAN-OS® Administrator’s Guide Version Version 9.1 1239 ©2021 Palo Alto Networks, Inc.
Networking
Route Redistribuon
Route redistribuon on the firewall is the process of making routes that the firewall learned from
one roung protocol (or a stac or connected route) available to a different roung protocol,
thereby increasing accessibility of network traffic. Without route redistribuon, a router or
virtual router adverses and shares routes only with other routers that run the same roung
protocol. You can redistribute IPv4 or IPv6 BGP, connected, or stac routes into the OSPF RIB and
redistribute OSPFv3, connected, or stac routes into the BGP RIB.
This means, for example, you can make specific networks that were once available only by manual
stac route configuraon on specific routers available to BGP autonomous systems or OSPF
areas. You can also adverse locally connected routes, such as routes to a private lab network, into
BGP autonomous systems or OSPF areas.
You might want to give users on your internal OSPFv3 network access to BGP so they can access
devices on the internet. In this case you would redistribute BGP routes into the OSPFv3 RIB.
Conversely, you might want to give your external users access to some parts of your internal
network, so you make internal OSPFv3 networks available through BGP by redistribung OSPFv3
routes into the BGP RIB.
STEP 1 | Create a redistribuon profile.
1. Select Network > Virtual Routers and select a virtual router.
2. Select Redistribuon Profile and IPv4 or IPv6 and Add a profile.
3. Enter a Name for the profile, which must start with an alphanumeric character and can
contain zero or more underscores (_), hyphens (-), dots (.), or spaces (up to 16 characters).
4. Enter a Priority for the profile in the range 1 to 255. The firewall matches routes to
profiles in order using the profile with the highest priority (lowest priority value) first.
Higher priority rules take precedence over lower priority rules.
5. For Redistribute, select one of the following:
• Redist—Select for redistribuon the routes that match this filter.
• No Redist—Select for redistribuon routes that match the redistribuon profiles
except the routes that match this filter. This selecon treats the profile as a block list
that specifies which routes not to select for redistribuon. For example, if you have
mulple redistribuon profiles for BGP, you can create a No Redist profile to exclude
several prefixes, and then a general redistribuon profile with a lower priority (higher
priority value) aer it. The two profiles combine and the higher priority profile takes
PAN-OS® Administrator’s Guide Version Version 9.1 1240 ©2021 Palo Alto Networks, Inc.
Networking
precedence. You can’t have only No Redist profiles; you would always need at least
one Redist profile to redistribute routes.
6. On the General Filter tab, for Source Type, select one or more types of route to
redistribute:
• bgp—Redistribute BGP routes that match the profile.
• connect—Redistribute connected routes that match the profile.
• ospf (IPv4 only)—Redistribute OSPF routes that match the profile.
• rip (IPv4 only)—Redistribute RIP routes that match the profile.
• ospfv3 (IPv6 only)—Redistribute OSPFv3 routes that match the profile.
• stac—Redistribute stac routes that match the profile.
7. (Oponal) For Interface, Add one or more egress interfaces of associated routes to
match for redistribuon. To remove an entry, click Delete.
8. (Oponal) For Desnaon, Add one or more IPv4 or IPv6 desnaons of routes to
match for redistribuon. To remove an entry, click Delete.
9. (Oponal) For Next Hop, Add one or more next hop IPv4 or IPv6 addresses of routes to
match for redistribuon. To remove an entry, click Delete.
10. Click OK.
STEP 2 | (Oponal—When General Filter includes ospf or ospfv3) Create an OSPF filter to further
specify which OSPF or OSPFv3 routes to redistribute.
1. Select Network > Virtual Routers and select the virtual router.
2. Select Redistribuon Profile and IPv4 or IPv6 and select the profile you created.
3. Select OSPF Filter.
4. For Path Type, select one or more of the following types of OSPF path to redistribute:
ext-1, ext-2, inter-area, or intra-area.
5. To specify an Area from which to redistribute OSPF or OSPFv3 routes, Add an area in IP
address format.
6. To specify a Tag, Add a tag in IP address format.
7. Click OK.
STEP 3 | (Oponal—When General Filter includes bgp) Create a BGP filter to further specify which
BGP routes to redistribute.
1. Select Network > Virtual Routers and select the virtual router.
2. Select Redistribuon Profile and IPv4 or IPv6 and select the profile you created.
3. Select BGP Filter.
4. For Community, Add to select from the list of communies, such as well-known
communies: local-as, no-adverse, no-export, or nopeer. You can also enter a 32-bit
PAN-OS® Administrator’s Guide Version Version 9.1 1241 ©2021 Palo Alto Networks, Inc.
Networking
value in decimal or hexadecimal or in AS:VAL format, where AS and VAL are each in the
range 0 to 65,535. Enter a maximum of 10 entries.
5. For Extended Community, Add an extended community as a 64-bit value in hexadecimal
or in TYPE:AS:VAL or TYPE:IP:VAL format. TYPE is 16 bits; AS or IP is 16 bits; VAL is 32
bits. Enter a maximum of five entries.
6. Click OK.
STEP 4 | Select the protocol into which you are redistribung routes, and set the aributes for those
routes.
This task illustrates redistribung routes into BGP.
1. Select Network > Virtual Routers and select the virtual router.
2. Select BGP > Redist Rules.
3. Select Allow Redistribute Default Route to allow the firewall to redistribute the default
route.
4. Click Add.
5. Select Address Family Type: IPv4 or IPv6 to specify in which route table the
redistributed routes will be put.
6. Select the Name of the Redistribuon profile you created, which selects the routes to
redistribute.
7. Enable the redistribuon rule.
8. (Oponal) Enter any of the following values, which the firewall applies to the routes
being redistributed:
• Metric in the range 1 to 65,535.
• Set Origin—Origin of the route: igp, egp, or incomplete.
• Set MED—MED value in the range 0 to 4,294,967,295.
• Set Local Preference—Local preference value in the range 0 to 4,294,967,295.
• Set AS Path Limit—Maximum number of autonomous systems in the AS_PATH in the
range 1 to 255.
• Set Community—Select or enter a 32-bit value in decimal or hexadecimal, or enter a
value in AS:VAL format, where AS and VAL are each in the range 0 to 65,525. Enter a
maximum of 10 entries.
• Set Extended Community—Select or enter an extended community as a 64-bit value
in hexadecimal or in TYPE:AS:VAL or TYPE:IP:VAL format. TYPE is 16 bits; AS or IP is
16 bits; VAL is 32 bits. Enter a maximum of five entries.
9. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1242 ©2021 Palo Alto Networks, Inc.
Networking
GRE Tunnels
The Generic Roung Encapsulaon (GRE) tunnel protocol is a carrier protocol that encapsulates a
payload protocol. The GRE packet itself is encapsulated in a transport protocol (IPv4 or IPv6).
• GRE Tunnel Overview
• Create a GRE Tunnel
For beer performance and to avoid single points of failure, split mulple connecons to
the firewall among mulple GRE tunnels rather than use a single tunnel. Each GRE tunnel
needs a tunnel interface.
When the firewall allows a packet to pass (based on a policy match) and the packet egresses to
a GRE tunnel interface, the firewall adds GRE encapsulaon; it doesn’t generate a session. The
firewall does not perform a Security policy rule lookup for the GRE-encapsulated traffic, so you
don’t need a Security policy rule for the GRE traffic that the firewall encapsulates. However, when
the firewall receives GRE traffic, it generates a session and applies all policies to the GRE IP header
in addion to the encapsulated traffic. The firewall treats the received GRE packet like any other
packet. Therefore:
PAN-OS® Administrator’s Guide Version Version 9.1 1243 ©2021 Palo Alto Networks, Inc.
Networking
• If the firewall receives the GRE packet on an interface that has the same zone as the tunnel
interface associated with the GRE tunnel (for example, tunnel.1), the source zone is the same
as the desnaon zone. By default, traffic is allowed within a zone (intrazone traffic), so the
ingress GRE traffic is allowed by default.
• However, if you configured your own intrazone Security policy rule to deny such traffic, you
must explicitly allow GRE traffic.
• Likewise, if the zone of the tunnel interface associated with the GRE tunnel (for example,
tunnel.1) is a different zone from that of the ingress interface, you must configure a Security
policy rule to allow the GRE traffic.
Because the firewall encapsulates the tunneled packet in a GRE packet, the addional 24 bytes
of GRE header automacally result in a smaller Maximum Segment Size (MSS) in the maximum
transmission unit (MTU). If you don’t change the IPv4 MSS Adjustment Size for the interface, the
firewall reduces the MTU by 64 bytes by default (40 bytes of IP header + 24 bytes of GRE header).
This means if the default MTU is 1,500 bytes, the MSS will be 1,436 bytes (1,500 - 40 - 24 =
1,436). If you configure an MSS Adjustment Size of 300 bytes, for example, the MSS will be only
1,176 bytes (1,500 - 300 - 24 = 1,176).
The firewall does not support roung a GRE or IPSec tunnel to a GRE tunnel, but you can route a
GRE tunnel to an IPSec tunnel. Addionally:
• A GRE tunnel does not support QoS.
• The firewall does not support a single interface acng as both a GRE tunnel endpoint and a
decrypon broker.
• GRE tunneling does not support NAT between GRE tunnel endpoints.
If you need to connect to another vendor’s network, we recommend you Set Up an IPSec
Tunnel, not a GRE tunnel; you should use a GRE tunnel only if that is the only point-to-
point tunnel mechanism that the vendor supports. You can also enable GRE over IPSec
if the remote endpoint requires that (Add GRE Encapsulaon). Add GRE encapsulaon
in cases where the remote endpoint requires traffic to be encapsulated within a GRE
tunnel before IPSec encrypts the traffic. For example, some implementaons require
mulcast traffic to be encapsulated before IPSec encrypts it. If this is a requirement for
your environment and the GRE tunnel and IPSec tunnel share the same IP address, Add
GRE Encapsulaon when you set up the IPSec tunnel.
If you aren’t planning to terminate a GRE tunnel on the firewall, but you want the ability
to inspect and control traffic passing through the firewall inside a GRE tunnel, don’t create
a GRE tunnel. Instead, perform Tunnel Content Inspecon of GRE traffic. With tunnel
content inspecon, you are inspecng and enforcing policy on GRE traffic passing through
the firewall, not creang a point-to-point, logical link for the purpose of direcng traffic.
PAN-OS® Administrator’s Guide Version Version 9.1 1244 ©2021 Palo Alto Networks, Inc.
Networking
6. Assign an IP address to the tunnel interface. (You must assign an IP address if you want
to route to this tunnel or monitor the tunnel endpoint.) Select IPv4 or IPv6 or configure
both.
This address and the corresponding address of the tunnel interface of the peer
should be on the same subnet because it is a point-to-point, logical link.
• (IPv4 only) On the IPv4 tab, Add an IPv4 address, select an address object, or click
New Address and specify the Type of address and enter it. For example, enter
192.168.2.1.
• (IPv6 only) On the IPv6 tab, Enable IPv6 on the interface.
1. For Interface ID, select EUI-64 (default 64-bit Extended Unique Idenfier).
2. Add a new Address, select an IPv6 address object, or click New Address and
specify an address Name. Enable address on interface and click OK.
3. Select Type of address and enter the IPv6 address or FQDN and click OK to save
the new address.
4. Select Enable address on interface and click OK.
7. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1245 ©2021 Palo Alto Networks, Inc.
Networking
STEP 2 | Create a GRE tunnel to force packets to traverse a specific point-to-point path.
1. Select Network > GRE Tunnels and Add a tunnel by Name.
2. Select the Interface to use as the local GRE tunnel endpoint (source interface), which is
an Ethernet interface or subinterface, an Aggregate Ethernet (AE) interface, a loopback
interface, or a VLAN interface.
3. Select the Local Address to be IP and select the IP address of the interface you just
selected.
4. Enter the Peer Address, which is the IP address of the opposite endpoint of the GRE
tunnel.
5. Select the Tunnel Interface that you created in Step 1. (This idenfies the tunnel when it
is the egress Interface for roung.)
6. Enter the TTL for the IP packet encapsulated in the GRE packet (range is 1 to 255;
default is 64).
7. Select Copy ToS Header to copy the Type of Service (ToS) field from the inner IP
header to the outer IP header of the encapsulated packets to preserve the original ToS
informaon. Select this opon if your network uses QoS and depends on the ToS bits for
enforcing QoS policies.
STEP 3 | (Best Pracce) Enable the Keep Alive funcon for the GRE tunnel.
If Keep Alive is enabled, by default it takes three unreturned keepalive packets (Retries)
at 10-second intervals for the GRE tunnel to go down and it takes five Hold Timer
intervals at 10-second intervals for the GRE tunnel to come back up.
1. Select Keep Alive to enable the keepalive funcon for the GRE tunnel (default is
disabled).
2. (Oponal) Set the Interval (sec) (in seconds) between keepalive packets that the local end
of the GRE tunnel sends to the tunnel peer. This is also the interval that, when mulplied
by the Hold Timer, is the length of me that the firewall must see successful keepalive
packets before the GRE tunnel comes back up (range is 1 to 50; default is 10). Seng an
interval too small will cause many keepalive packets that might be unnecessary in your
environment and will require extra bandwidth and processing. Seng an interval too
large can delay failover because error condions might not be idenfied immediately.
3. (Oponal) Enter the Retry seng, which is the number of intervals that keepalive
packets are not returned before the firewall considers the tunnel peer down (range is 1
to 255; default is 3). When the tunnel is down, the firewall removes routes associated
PAN-OS® Administrator’s Guide Version Version 9.1 1246 ©2021 Palo Alto Networks, Inc.
Networking
with the tunnel from the forwarding table. Configuring a retry seng helps avoid taking
measures on a tunnel that is not really down.
4. (Oponal) Set the Hold Timer, which is the number of Intervals that keepalive packets
are successful, aer which the firewall re-establishes communicaon with the tunnel
peer (range is 1 to 64; default is 5).
STEP 5 | Configure a roung protocol or stac route to route traffic to the desnaon by way of the
GRE tunnel. For example, Configure a Stac Route to the network of the desnaon server
and specify the egress Interface to be the local tunnel endpoint (tunnel.1). Configure the
Next Hop to be the IP address of the tunnel at the opposite end. For example, 192.168.2.3.
STEP 7 | Configure the opposite end of the tunnel with its public IP address, its local and peer IP
addresses (that correspond to the peer and local IP addresses, respecvely, of the GRE tunnel
on the firewall), and its roung protocol or stac route.
STEP 8 | Verify that the firewall can communicate with the tunnel peer over the GRE tunnel.
1. Access the CLI.
2. > ping source 192.168.2.1 host 192.168.2.3
PAN-OS® Administrator’s Guide Version Version 9.1 1247 ©2021 Palo Alto Networks, Inc.
Networking
DHCP
This secon describes Dynamic Host Configuraon Protocol (DHCP) and the tasks required to
configure an interface on a Palo Alto Networks firewall to act as a DHCP server, client, or relay
agent. By assigning these roles to different interfaces, the firewall can perform mulple roles.
• DHCP Overview
• Firewall as a DHCP Server and Client
• DHCP Messages
• DHCP Addressing
• DHCP Opons
• Configure an Interface as a DHCP Server
• Configure an Interface as a DHCP Client
• Configure the Management Interface as a DHCP Client
• Configure an Interface as a DHCP Relay Agent
• Monitor and Troubleshoot DHCP
DHCP Overview
DHCP is a standardized protocol defined in RFC 2131, Dynamic Host Configuraon Protocol.
DHCP has two main purposes: to provide TCP/IP and link-layer configuraon parameters and to
provide network addresses to dynamically configured hosts on a TCP/IP network.
DHCP uses a client-server model of communicaon. This model consists of three roles that the
device can fulfill: DHCP client, DHCP server, and DHCP relay agent.
• A device acng as a DHCP client (host) can request an IP address and other configuraon
sengs from a DHCP server. Users on client devices save configuraon me and effort,
and need not know the network’s addressing plan or other resources and opons they are
inhering from the DHCP server.
• A device acng as a DHCP server can service clients. By using any of three DHCP Addressing
mechanisms, the network administrator saves configuraon me and has the benefit of reusing
a limited number of IP addresses when a client no longer needs network connecvity. The
server can deliver IP addressing and many DHCP opons to many clients.
• A device acng as a DHCP relay agent transmits DHCP messages between DHCP clients and
servers.
DHCP uses User Datagram Protocol (UDP), RFC 768, as its transport protocol. DHCP messages
that a client sends to a server are sent to well-known port 67 (UDP—Bootstrap Protocol and
DHCP). DHCP Messages that a server sends to a client are sent to port 68.
An interface on a Palo Alto Networks firewall can perform the role of a DHCP server, client, or
relay agent. The interface of a DHCP server or relay agent must be a Layer 3 Ethernet, Aggregated
Ethernet, or Layer 3 VLAN interface. You configure the firewall interfaces with the appropriate
sengs for any combinaon of roles. The behavior of each role is summarized in Firewall as a
DHCP Server and Client.
PAN-OS® Administrator’s Guide Version Version 9.1 1248 ©2021 Palo Alto Networks, Inc.
Networking
DHCP Messages
DHCP uses eight standard message types, which are idenfied by an opon type number in
the DHCP message. For example, when a client wants to find a DHCP server, it broadcasts a
DHCPDISCOVER message on its local physical subnetwork. If there is no DHCP server on its
subnet and if DHCP Helper or DHCP Relay is configured properly, the message is forwarded to
DHCP servers on a different physical subnet. Otherwise, the message will go no further than
the subnet on which it originated. One or more DHCP servers will respond with a DHCPOFFER
message that contains an available network address and other configuraon parameters.
When the client needs an IP address, it sends a DHCPREQUEST to one or more servers. Of course
if the client is requesng an IP address, it doesn’t have one yet, so RFC 2131 requires that the
broadcast message the client sends out have a source address of 0 in its IP header.
When a client requests configuraon parameters from a server, it might receive responses from
more than one server. Once a client has received its IP address, it is said that the client has at least
an IP address and possibly other configuraon parameters bound to it. DHCP servers manage such
binding of configuraon parameters to clients.
The following table lists the DHCP messages.
PAN-OS® Administrator’s Guide Version Version 9.1 1249 ©2021 Palo Alto Networks, Inc.
Networking
DHCPRELEASE Client to server message giving up the user of the network address
and canceling the remaining me on the lease.
DHCP Addressing
• DHCP Address Allocaon Methods
• DHCP Leases
PAN-OS® Administrator’s Guide Version Version 9.1 1250 ©2021 Palo Alto Networks, Inc.
Networking
• Stac allocaon—The network administrator chooses the IP address to assign to the client
and the DHCP server sends it to the client. A stac DHCP allocaon is permanent; it is done
by configuring a DHCP server and choosing a Reserved Address to correspond to the MAC
Address of the client device. The DHCP assignment remains in place even if the client logs off,
reboots, has a power outage, etc.
Stac allocaon of an IP address is useful, for example, if you have a printer on a LAN and
you do not want its IP address to keep changing, because it is associated with a printer name
through DNS. Another example is if a client device is used for something crucial and must keep
the same IP address, even if the device is turned off, unplugged, rebooted, or a power outage
occurs, etc.
Keep these points in mind when configuring a Reserved Address:
• It is an address from the IP Pools. You may configure mulple reserved addresses.
• If you configure no Reserved Address, the clients of the server will receive new DHCP
assignments from the pool when their leases expire or if they reboot, etc. (unless you
specified that a Lease is Unlimited).
• If you allocate all of the addresses in the IP Pools as a Reserved Address, there are no
dynamic addresses free to assign to the next DHCP client requesng an address.
• You may configure a Reserved Address without configuring a MAC Address. In this case, the
DHCP server will not assign the Reserved Address to any device. You might reserve a few
addresses from the pool and stacally assign them to a fax and printer, for example, without
using DHCP.
DHCP Leases
A lease is defined as the me period for which a DHCP server allocates a network address to a
client. The lease might be extended (renewed) upon subsequent requests. If the client no longer
needs the address, it can release the address back to the server before the lease is up. The server
is then free to assign that address to a different client if it has run out of unassigned addresses.
The lease period configured for a DHCP server applies to all of the addresses that a single
DHCP server (interface) dynamically assigns to its clients. That is, all of that interface’s addresses
assigned dynamically are of Unlimited duraon or have the same Timeout value. A different
DHCP server configured on the firewall may have a different lease term for its clients. A Reserved
Address is a stac address allocaon and is not subject to the lease terms.
Per the DHCP standard, RFC 2131, a DHCP client does not wait for its lease to expire, because it
risks geng a new address assigned to it. Instead, when a DHCP client reaches the halfway point
of its lease period, it aempts to extend its lease so that it retains the same IP address. Thus, the
lease duraon is like a sliding window.
Typically if an IP address was assigned to a device, the device was subsequently taken off the
network and its lease was not extended, the DHCP server will let that lease run out. Because the
client is gone from the network and no longer needs the address, the lease duraon in the server
is reached and the lease is in “Expired” state.
The firewall has a hold mer that prevents the expired IP address from being reassigned
immediately. This behavior temporarily reserves the address for the device in case it comes back
onto the network. But if the address pool runs out of addresses, the server re-allocates this
expired address before the hold mer expires. Expired addresses are cleared automacally as the
systems needs more addresses or when the hold mer releases them.
PAN-OS® Administrator’s Guide Version Version 9.1 1251 ©2021 Palo Alto Networks, Inc.
Networking
In the CLI, use the show dhcp server lease operaonal command to view lease informaon
about the allocated IP addresses. If you don’t want to wait for expired leases to be released
automacally, you can use the clear dhcp lease interface <interface> expired-
only command to clear expired leases, making those addresses available in the pool again. You
can use the clear dhcp lease interface <interface> ip <ip_address> command
to release a parcular IP address. Use the clear dhcp lease interface <interface>
mac <mac_address> command to release a parcular MAC address.
DHCP Opons
The history of DHCP and DHCP opons traces back to the Bootstrap Protocol (BOOTP). BOOTP
was used by a host to configure itself dynamically during its boong procedure. A host could
receive an IP address and a file from which to download a boot program from a server, along with
the server’s address and the address of an Internet gateway.
Included in the BOOTP packet was a vendor informaon field, which could contain a number of
tagged fields containing various types of informaon, such as the subnet mask, the BOOTP file
size, and many other values. RFC 1497 describes the BOOTP Vendor Informaon Extensions.
DHCP replaces BOOTP; BOOTP is not supported on the firewall.
These extensions eventually expanded with the use of DHCP and DHCP host configuraon
parameters, also known as opons. Similar to vendor extensions, DHCP opons are tagged data
items that provide informaon to a DHCP client. The opons are sent in a variable-length field at
the end of a DHCP message. For example, the DHCP Message Type is opon 53, and a value of 1
indicates the DHCPDISCOVER message. DHCP opons are defined in RFC 2132, DHCP Opons
and BOOTP Vendor Extensions.
A DHCP client can negoate with the server, liming the server to send only those opons that
the client requests.
• Predefined DHCP Opons
• Mulple Values for a DHCP Opon
• DHCP Opons 43, 55, and 60 and Other Customized Opons
51 Lease duraon
3 Gateway
PAN-OS® Administrator’s Guide Version Version 9.1 1252 ©2021 Palo Alto Networks, Inc.
Networking
15 DNS suffix
As menoned, you can also configure vendor-specific and customized opons, which support
a wide variety of office equipment, such as IP phones and wireless infrastructure devices. Each
opon code supports mulple values, which can be IP address, ASCII, or hexadecimal format. With
the firewall enhanced DCHP opon support, branch offices do not need to purchase and manage
their own DHCP servers in order to provide vendor-specific and customized opons to DHCP
clients.
PAN-OS® Administrator’s Guide Version Version 9.1 1253 ©2021 Palo Alto Networks, Inc.
Networking
43 Vendor Specific Sent from server to client. Vendor-specific informaon that the
Informaon DHCP server has been configured to offer to the client. The
informaon is sent to the client only if the server has a Vendor
Class Idenfier (VCI) in its table that matches the VCI in the
client’s DHCPREQUEST.
An Opon 43 packet can contain mulple vendor-specific
pieces of informaon. It can also include encapsulated, vendor-
specific extensions of data.
60 Vendor Class Sent from client to server. Vendor type and configuraon
Idenfier (VCI) of a DHCP client. The DHCP client sends opon code 60
in a DHCPREQUEST to the DHCP server. When the server
receives opon 60, it sees the VCI, finds the matching VCI
in its own table, and then it returns opon 43 with the value
(that corresponds to the VCI), thereby relaying vendor-specific
informaon to the correct client. Both the client and server
have knowledge of the VCI.
You can send custom, vendor-specific opon codes that are not defined in RFC 2132. The opon
codes can be in the range 1-254 and of fixed or variable length.
Custom DHCP opons are not validated by the DHCP Server; you must ensure that you
enter correct values for the opons you create.
For ASCII and hexadecimal DHCP opon types, the opon value can be a maximum of 255 octets.
PAN-OS® Administrator’s Guide Version Version 9.1 1254 ©2021 Palo Alto Networks, Inc.
Networking
• On PA-5220 firewalls, you can configure a maximum of 500 DHCP servers and a maximum of
2,048 DHCP relay agents minus the number of DHCP servers configured. For example, if you
configure 500 DHCP servers, you can configure 1,548 DHCP relay agents.
• On PA-5250, PA-5260, and PA-7000 Series firewalls, you can configure a maximum of 500
DHCP servers, and a maximum of 4,096 DHCP relay agents minus the number of DHCP
servers configured. For example, if you configure 500 DHCP servers, you can configure 3,596
DHCP relay agents.
Perform the following task to configure an interface on the firewall to act as a DHCP server.
STEP 1 | Select an interface to be a DHCP Server.
1. Select Network > DHCP > DHCP Server and Add an Interface name or select one.
2. For Mode, select enabled or auto mode. Auto mode enables the server and disables it
if another DHCP server is detected on the network. The disabled seng disables the
server.
3. (Oponal) Select Ping IP when allocang new IP if you want the server to ping the IP
address before it assigns that address to its client.
If the ping receives a response, that means a different device already has that
address, so it is not available. The server assigns the next address from the pool
instead. This behavior is similar to Opmisc Duplicate Address Detecon
(DAD)forIPv6,RFC 4429.
Aer you set opons and return to the DHCP server tab, the Probe IP column for
the interface indicates if Ping IP when allocang new IP was selected.
STEP 2 | Configure the predefined DHCP Opons that the server sends to its clients.
• In the Opons secon, select a Lease type:
• Unlimited causes the server to dynamically choose IP addresses from the IP Pools and
assign them permanently to clients.
• Timeout determines how long the lease will last. Enter the number of Days and Hours, and
oponally the number of Minutes.
• Inheritance Source—Leave None or select a source DHCP client interface or PPPoE client
interface to propagate various server sengs into the DHCP server. If you specify an
Inheritance Source, select one or more opons below that you want inherited from this
source.
Specifying an inheritance source allows the firewall to quickly add DHCP opons from the
upstream server received by the DHCP client. It also keeps the client opons updated if the
source changes an opon. For example, if the source replaces its NTP server (which had been
PAN-OS® Administrator’s Guide Version Version 9.1 1255 ©2021 Palo Alto Networks, Inc.
Networking
idenfied as the Primary NTP server), the client will automacally inherit the new address as
its Primary NTP server.
When inhering DHCP opon(s) that contain mulple IP addresses, the firewall uses
only the first IP address contained in the opon to conserve cache memory. If you
require mulple IP addresses for a single opon, configure the DHCP opons directly
on that firewall rather than configure inheritance.
• Check inheritance source status—If you selected an Inheritance Source, clicking this link
opens the Dynamic IP Interface Status window, which displays the opons that were
inherited from the DHCP client.
• Gateway—IP address of the network gateway (an interface on the firewall) that is used to
reach any device not on the same LAN as this DHCP server.
• Subnet Mask—Network mask used with the addresses in the IP Pools.
For the following fields, click the down arrow and select None, or inherited, or enter a remote
server’s IP address that your DHCP server will send to clients for accessing that service. If you
select inherited, the DHCP server inherits the values from the source DHCP client specified as
the Inheritance Source.
• Primary DNS, Secondary DNS—IP address of the preferred and alternate Domain Name
System (DNS) servers.
• Primary WINS, Secondary WINS—IP address of the preferred and alternate Windows
Internet Naming Service (WINS) servers.
• Primary NIS, Secondary NIS—IP address of the preferred and alternate Network
Informaon Service (NIS) servers.
• Primary NTP, Secondary NTP—IP address of the available Network Time Protocol servers.
• POP3 Server—IP address of Post Office Protocol (POP3) server.
• SMTP Server—IP address of a Simple Mail Transfer Protocol (SMTP) server.
• DNS Suffix—Suffix for the client to use locally when an unqualified hostname is entered that
it cannot resolve.
STEP 3 | (Oponal) Configure a vendor-specific or custom DHCP opon that the DHCP server sends
to its clients.
1. In the Custom DHCP Opons secon, Add a descripve Name to idenfy the DHCP
opon.
2. Enter the Opon Code you want to configure the server to offer (range is 1-254). (See
RFC 2132 for opon codes.)
3. If the Opon Code is 43, the Vendor Class Idenfier field appears. Enter a VCI, which is
a string or hexadecimal value (with 0x prefix) used as a match against a value that comes
PAN-OS® Administrator’s Guide Version Version 9.1 1256 ©2021 Palo Alto Networks, Inc.
Networking
from the client Request containing opon 60. The server looks up the incoming VCI in its
table, finds it, and returns Opon 43 and the corresponding opon value.
4. Inherit from DHCP server inheritance source—Select it only if you specified an
Inheritance Source for the DHCP Server predefined opons and you want the vendor-
specific and custom opons also to be inherited from this source.
5. Check inheritance source status—If you selected an Inheritance Source, clicking this link
opens Dynamic IP Interface Status, which displays the opons that were inherited from
the DHCP client.
6. If you did not select Inherit from DHCP server inheritance source, select an Opon
Type: IP Address, ASCII, or Hexadecimal. Hexadecimal values must start with the 0x
prefix.
7. Enter the Opon Value you want the DHCP server to offer for that Opon Code. You
can enter mulple values on separate lines.
8. Click OK.
STEP 5 | Idenfy the stateful pool of IP addresses from which the DHCP server chooses an address
and assigns it to a DHCP client.
If you are not the network administrator for your network, ask the network
administrator for a valid pool of IP addresses from the network plan that can be
designated to be assigned by your DHCP server.
1. In the IP Pools field, Add the range of IP addresses from which this server assigns an
address to a client. Enter an IP subnet and subnet mask (for example, 192.168.1.0/24) or
a range of IP addresses (for example, 192.168.1.10-192.168.1.20).
• An IP Pool or a Reserved Address is mandatory for dynamic IP address assignment.
• An IP Pool is oponal for stac IP address assignment as long as the stac IP
addresses that you assign fall into the subnet that the firewall interface services.
2. (Oponal) Repeat this step to specify another IP address pool.
PAN-OS® Administrator’s Guide Version Version 9.1 1257 ©2021 Palo Alto Networks, Inc.
Networking
STEP 6 | (Oponal) Specify an IP address from the IP pools that will not be assigned dynamically. If
you also specify a MAC Address, the Reserved Address is assigned to that device when the
device requests an IP address through DHCP.
PAN-OS® Administrator’s Guide Version Version 9.1 1258 ©2021 Palo Alto Networks, Inc.
Networking
characters, including uppercase and lowercase leers, numbers, period (.), hyphen (-), and
underscore (_).
7. (Oponal) Enter a Default Route Metric (priority level) for the route between the firewall
and the DHCP server (range is 1 to 65,535; default is 10). A route with a lower number
has higher priority during route selecon. For example, a route with a metric of 10 is
used before a route with a metric of 100.
The Default Route Metric for the route between the firewall and the DHCP
server is 10 by default. If the stac default route 0.0.0.0/0 uses the DHCP
interface as its egress interface, that route’s default Metric is also 10. Therefore,
there are two routes with a metric of 10 and the firewall can randomly choose
one of the routes one me and the other route another me.
Suppose you enable the opon to Automacally create default route poinng to
default gateway provided by server, select a virtual router, add a stac route for
a Layer 3 interface, change the Metric (which defaults to 10) to a value greater
than 10 (for this example, 100) and Commit your changes. In the route table, the
route’s metric will not indicate 100. Instead, it will indicate the default value of
10, as expected, because 10 takes precedence over the configured value of 100.
However, if you change the stac route’s Metric to a value less than 10 (such as
6), the route in the route table is updated to indicate the configured metric of 6.
8. (Oponal) Enable the opon to Show DHCP Client Runme Info to see all of the sengs
the client inherited from its DHCP server.
STEP 3 | (Oponal) See which interfaces on the firewall are configured as DHCP clients.
1. Select Network > Interfaces > Ethernet and check the IP Address to see which
interfaces indicate DHCP Client.
2. Select Network > Interfaces > VLAN and check the IP Address to see which interfaces
indicate DHCP Client.
PAN-OS® Administrator’s Guide Version Version 9.1 1259 ©2021 Palo Alto Networks, Inc.
Networking
If you configure the management interface as a DHCP client, the following restricons apply:
• You cannot use the management interface in an HA configuraon for control link (HA1 or HA1
backup), data link (HA2 or HA2 backup), or packet forwarding (HA3) communicaon.
• You cannot select MGT as the Source Interface when you customize service routes (Device >
Setup > Services > Service Route Configuraon > Customize). However, you can select Use
default to route the packets via the management interface.
• You cannot use the dynamic IP address of the management interface to connect to a Hardware
Security Module (HSM). The IP address on the HSM client firewall must be a stac IP address
because HSM authencates the firewall using the IP address, and operaons on HSM would
stop working if the IP address were to change during runme.
A prerequisite for this task is that the management interface must be able to reach a DHCP server.
PAN-OS® Administrator’s Guide Version Version 9.1 1260 ©2021 Palo Alto Networks, Inc.
Networking
STEP 1 | Configure the Management interface as a DHCP client so that it can receive its IP address
(IPv4), netmask (IPv4), and default gateway from a DHCP server.
Oponally, you can also send the hostname and client idenfier of the management interface
to the DHCP server if the orchestraon system you use accepts this informaon.
1. Select Device > Setup > Management and edit Management Interface Sengs.
2. For IP Type, select DHCP Client.
3. (Oponal) Select one or both opons for the firewall to send to the DHCP server in
DHCP Discover or Request messages:
• Send Hostname—Sends the Hostname (as defined in Device > Setup > Management)
as part of DHCP Opon 12.
• Send Client ID—Sends the client idenfier as part of DHCP Opon 61. A client
idenfier uniquely idenfies a DHCP client, and the DHCP Server uses it to index its
configuraon parameter database.
4. Click OK.
STEP 2 | (Oponal) Configure the firewall to accept the host name and domain from the DHCP server.
1. Select Device > Setup > Management and edit General Sengs.
2. Select one or both opons:
• Accept DHCP server provided Hostname—Allows the firewall to accept the hostname
from the DHCP server (if valid). When enabled, the hostname from the DHCP server
overwrites any exisng Hostname specified in Device > Setup > Management. Don’t
select this opon if you want to manually configure a hostname.
• Accept DHCP server provided Domain—Allows the firewall to accept the domain
from the DHCP Server. The domain (DNS suffix) from the DHCP Server overwrites
any exisng Domain specified in Device > Setup > Management. Don’t select this
opon if you want to manually configure a domain.
3. Click OK.
STEP 5 | (Oponal) Renew the DHCP lease with the DHCP server, regardless of the lease term.
This opon is convenient if you are tesng or troubleshoong network issues.
1. Select Device > Setup > Management and edit Management Interface Sengs.
2. Click Show DHCP Client Runme Info.
3. Click Renew.
PAN-OS® Administrator’s Guide Version Version 9.1 1261 ©2021 Palo Alto Networks, Inc.
Networking
STEP 6 | (Oponal) Release the following DHCP opons that came from the DHCP server:
• IP Address
• Netmask
• Default Gateway
• DNS Server (primary and secondary)
• NTP Server (primary and secondary)
• Domain (DNS Suffix)
A release frees the IP address, which drops your network connecon and renders the
firewall unmanageable if no other interface is configured for management access.
PAN-OS® Administrator’s Guide Version Version 9.1 1262 ©2021 Palo Alto Networks, Inc.
Networking
STEP 2 | Specify the IP address of each DHCP server with which the DHCP relay agent will
communicate.
1. In the Interface field, select the interface you want to be the DHCP relay agent.
2. Select either IPv4 or IPv6, indicang the type of DHCP server address you will specify.
3. If you checked IPv4, in the DHCP Server IP Address field, Add the address of the DHCP
server to and from which you will relay DHCP messages.
4. If you checked IPv6, in the DHCP Server IPv6 Address field, Add the address of the
DHCP server to and from which you will relay DHCP messages. If you specify a mulcast
address, also specify an outgoing Interface.
5. (Oponal) Repeat the prior three steps to enter a maximum of eight DHCP server
addresses per IP address family.
View DHCP pool stascs, IP address the DHCP server assigned, MAC address, state and
duraon of lease, and lease start me.
interface: "ethernet1/2"
Allocated IPs: 1, Total number of IPs in pool: 5. 20.0000% used
ip mac state duration
lease_time
192.168.3.11 f0:2f:af:42:70:cf committed 0 Wed Jul
2 08:10:56 2014
admin@PA-220>
PAN-OS® Administrator’s Guide Version Version 9.1 1263 ©2021 Palo Alto Networks, Inc.
Networking
Release expired DHCP Leases of an interface (server), such as ethernet1/2, before the hold
mer releases them automacally. Those addresses will be available in the IP pool again.
PAN-OS® Administrator’s Guide Version Version 9.1 1264 ©2021 Palo Alto Networks, Inc.
Networking
PAN-OS® Administrator’s Guide Version Version 9.1 1265 ©2021 Palo Alto Networks, Inc.
Networking
DNS
Domain Name System (DNS) is a protocol that translates (resolves) a user-friendly domain
name, such as www.paloaltonetworks.com, to an IP address so that users can access computers,
websites, services, or other resources on the internet or private networks.
• DNS Overview
• DNS Proxy Object
• DNS Server Profile
• Mul-Tenant DNS Deployments
• Configure a DNS Proxy Object
• Configure a DNS Server Profile
• Use Case 1: Firewall Requires DNS Resoluon
• Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resoluon for Security Policies,
Reporng, and Services within its Virtual System
• Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
• DNS Proxy Rule and FQDN Matching
DNS Overview
DNS performs a crucial role in enabling user access to network resources so that users need not
remember IP addresses and individual computers need not store a huge volume of domain names
mapped to IP addresses. DNS employs a client/server model; a DNS server resolves a query for a
DNS client by looking up the domain in its cache and if necessary sending queries to other servers
unl it can respond to the client with the corresponding IP address.
The DNS structure of domain names is hierarchical; the top-level domain (TLD) in a domain name
can be a generic TLD (gTLD): com, edu, gov, int, mil, net, or org (gov and mil are for the United
States only) or a country code (ccTLD), such as au (Australia) or us (United States). ccTLDs are
generally reserved for countries and dependent territories.
A fully qualified domain name (FQDN) includes at a minimum a host name, a second-level domain,
and a TLD to completely specify the locaon of the host in the DNS structure. For example,
www.paloaltonetworks.com is an FQDN.
Wherever a Palo Alto Networks firewall uses an FQDN in the user interface or CLI, the firewall
must resolve that FQDN using DNS. Depending on where the FQDN query originates, the firewall
determines which DNS sengs to use to resolve the query.
A DNS record of an FQDN includes a me-to-live (TTL) value, and by default the firewall refreshes
each FQDN in its cache based on that individual TTL provided the DNS server, as long as the TTL
is greater than or equal to the Minimum FQDN Refresh Time you configure on the firewall, or the
default seng of 30 seconds if you don’t configure a minimum. Refreshing an FQDN based on its
TTL value is especially helpful for securing access to cloud plaorm services, which oen require
frequent FQDN refreshes to ensure highly available services. For example, cloud environments
that support autoscaling depend on FQDN resoluons for dynamically scaling services up and
down, and fast resoluons of FQDNs are crical in such me-sensive environments.
PAN-OS® Administrator’s Guide Version Version 9.1 1266 ©2021 Palo Alto Networks, Inc.
Networking
By configuring a minimum FQDN refresh me, you limit how small a TTL value the firewall honors.
If your IP addresses don’t change very oen you may want to set a higher Minimum FQDN
Refresh Time so that the firewall doesn’t refresh entries unnecessarily. The firewall uses the higher
of the DNS TTL me and the configured Minimum FQDN Refresh Time.
For example, two FQDNs have the following TTL values. The Minimum FQDN Refresh Time
overrides smaller (faster) TTL values.
FQDN A 20 26
FQDN B 30 30
The FQDN refresh mer starts when the firewall receives a DNS response from the DNS server or
DNS proxy object that is resolving the FQDN.
Addionally, you can set a stale meout to configure how long the firewall connues to use stale
(expired) FQDN resoluons in the event of an unreachable DNS Server. At the end of the stale
meout period, if the DNS server is sll unreachable, the stale FQDN entries become unresolved
(the firewall removes stale FQDN entries).
The following firewall tasks are related to DNS:
• Configure your firewall with at least one DNS server so it can resolve hostnames. Configure
primary and secondary DNS servers or a DNS Proxy object that specifies such servers, as
shown in Use Case 1: Firewall Requires DNS Resoluon.
• Customize how the firewall handles DNS resoluon iniated by Security policy rules, reporng,
and management services (such as email, Kerberos, SNMP, syslog, and more) for each virtual
system, as shown in Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resoluon for
Security Policies, Reporng, and Services within its Virtual System.
• Configure the firewall to act as a DNS server for a client, as shown in Use Case 3: Firewall Acts
as DNS Proxy Between Client and Server.
• Configure an An-Spyware profile to Use DNS Queries to Idenfy Infected Hosts on the
Network.
• Enable Passive DNS Monitoring, which allows the firewall to automacally share domain-to-
IP address mappings based on your network traffic with Palo Alto Networks. The Palo Alto
Networks threat research team uses this informaon to gain insight into malware propagaon
and evasion techniques that abuse the DNS system.
• Enable Evasion Signatures and then enable evasion signatures for threat prevenon.
• Configure an Interface as a DHCP Server. This enables the firewall to act as a DHCP Server and
sends DNS informaon to its DHCP clients so the provisioned DHCP clients can reach their
respecve DNS servers.
PAN-OS® Administrator’s Guide Version Version 9.1 1267 ©2021 Palo Alto Networks, Inc.
Networking
domain name in its DNS proxy cache, the firewall searches for a match to the domain name among
the entries in the specific DNS proxy object (on the interface on which the DNS query arrived).
The firewall forwards the query to the appropriate DNS server based on the match results. If no
match is found, the firewall uses default DNS servers.
A DNS proxy object is where you configure the sengs that determine how the firewall funcons
as a DNS proxy. You can assign a DNS proxy object to a single virtual system or it can be shared
among all virtual systems.
• If the DNS proxy object is for a virtual system, you can specify a DNS Server Profile, which
specifies the primary and secondary DNS server addresses, along with other informaon. The
DNS server profile simplifies configuraon.
• If the DNS proxy object is shared, you must specify at least the primary address of a DNS
server.
When configuring mulple tenants (ISP subscribers) with DNS services, each tenant
should have its own DNS proxy defined, which keeps the tenant’s DNS service separate
from other tenants’ services.
In the proxy object, you specify the interfaces for which the firewall is acng as DNS proxy. The
DNS proxy for the interface does not use the service route; responses to the DNS requests are
always sent to the interface assigned to the virtual router where the DNS request arrived.
When you Configure a DNS Proxy Object, you can supply the DNS proxy with stac FQDN-to-
address mappings. You can also create DNS proxy rules that control to which DNS server the
domain name queries (that match the proxy rules) are directed. You can configure a maximum of
256 DNS proxy objects on a firewall. You must enable Cache and Cache EDNS Responses (under
Network > DNS Proxy > Advanced) if this DNS proxy object is assigned to Device > Setup >
Services > DNS or Device > Virtual Systems > vsys > General > DNS Proxy. Furthermore, if this
DNS proxy object has DNS proxy rules configured, those rules also need to have cache enabled
(Turn on caching of domains resolved by this mapping).
When the firewall receives an FQDN query (and the domain name is not in the DNS proxy cache),
the firewall compares the domain name from the FQDN query to the domain names in DNS Proxy
rules of the DNS Proxy object. If you specify mulple domain names in a single DNS Proxy rule, a
query that matches any one of the domain names in the rule means the query matches the rule.
DNS Proxy Rule and FQDN Matching describes how the firewall determines whether an FQDN
matches a domain name in a DNS proxy rule. A DNS query that matches a rule is sent to the
primary DNS server configured for the proxy object to be resolved.
PAN-OS® Administrator’s Guide Version Version 9.1 1268 ©2021 Palo Alto Networks, Inc.
Networking
The virtual system report and virtual system server profile send their queries to the DNS server
specified for the virtual system, if there is one. (The DNS server used is defined in Device > Virtual
Systems > General > DNS Proxy.) If there is no DNS server specified for the virtual system, the
DNS server specified for the firewall is queried.
You Configure a DNS Server Profile for a virtual system only; it is not for a global Shared locaon.
PAN-OS® Administrator’s Guide Version Version 9.1 1269 ©2021 Palo Alto Networks, Inc.
Networking
When the firewall is enabled to act as a DNS proxy, evasion signatures that detected
craed HTTP or TLS requests can alert to instances where a client connects to a domain
other than the domains specified in the original DNS query. As a best pracce, Enable
Evasion Signatures aer configuring DNS proxy to trigger an alert if craed requests are
detected.
PAN-OS® Administrator’s Guide Version Version 9.1 1270 ©2021 Palo Alto Networks, Inc.
Networking
STEP 3 | (Oponal) Supply the DNS Proxy with stac FQDN-to-address entries. Stac DNS entries
allow the firewall to resolve the FQDN to an IP address without sending a query to the DNS
server.
1. On the Stac Entries tab, Add a Name.
2. Enter the Fully Qualified Domain Name (FQDN).
3. For Address, Add the IP address to which the FQDN should be mapped.
You can provide addional IP addresses for an entry. The firewall will provide all of the IP
addresses in its DNS response and the client chooses which address to use.
4. Click OK.
STEP 4 | Enable caching and configure other advanced sengs for the DNS Proxy.
1. On the Advanced tab, select TCP Queries to enable DNS queries using TCP.
• Max Pending Requests—Enter the maximum number of concurrent, pending TCP
DNS requests that the firewall will support (range is 64-256; default is 64).
2. For UDP Queries Retries, enter:
• Interval (sec)—The length of me (in seconds) aer which another request is sent if no
response has been received (range is 1-30; default is 2).
• Aempts—The maximum number of UDP query aempts (excluding the first aempt)
aer which the next DNS server is queried (range is 1-30; default is 5.)
3. Select Cache to enable the firewall to cache FQDN-to-address mappings that it learns.
You must enable Cache (enabled by default) if this DNS proxy object is used for queries
PAN-OS® Administrator’s Guide Version Version 9.1 1271 ©2021 Palo Alto Networks, Inc.
Networking
that the firewall generates (that is, under Device > Setup > Services > DNS, or under
Device > Virtual Systems and you select a virtual system and General > DNS Proxy.
• Select Enable TTL to limit the length of me the firewall caches DNS resoluon
entries for the proxy object. Disabled by default.
• Enter Time to Live (sec), the number of seconds aer which all cached entries for
the proxy object are removed. Aer the entries are removed, new DNS requests
must be resolved and cached again. Range is 60-86,400. There is no default TTL;
entries remain unl the firewall runs out of cache memory.
• Cache EDNS Responses—You must enable this seng if this DNS proxy object is
used for queries that the firewall generates (that is, under Device > Setup > Services >
DNS, or under Device > Virtual Systems and you select a virtual system and General
> DNS Proxy.
Keep in mind that if you specify an FQDN instead of an IP address, the DNS for
that FQDN is resolved in Device > Virtual Systems > DNS Proxy.
5. Specify the IP address of the Secondary DNS server, or leave as inherited if you chose an
Inheritance Source.
STEP 2 | Configure the service route that the firewall automacally uses, based on whether the target
DNS Server has an IP address family type of IPv4 or IPv6.
1. Click Service Route IPv4 to enable the subsequent interface and IPv4 address to be used
as the service route, if the target DNS address is an IPv4 address.
2. Specify the Source Interface to select the DNS server’s source IP address that the
service route will use. The firewall determines which virtual router is assigned that
PAN-OS® Administrator’s Guide Version Version 9.1 1272 ©2021 Palo Alto Networks, Inc.
Networking
interface, and then does a route lookup in the virtual router roung table to reach the
desnaon network (based on the Primary DNS address).
3. Specify the IPv4 Source Address from which packets going to the DNS server are
sourced.
4. Click Service Route IPv6 to enable the subsequent interface and IPv6 address to be used
as the service route, if the target DNS address is an IPv6 address.
5. Specify the Source Interface to select the DNS server’s source IP address that the
service route will use. The firewall determines which virtual router is assigned that
interface, and then does a route lookup in the virtual router roung table to reach the
desnaon network (based on the Primary DNS address).
6. Specify the IPv6 Source Address from which packets going to the DNS server are
sourced.
7. Click OK.
STEP 1 | Configure the primary and secondary DNS servers you want the firewall to use for DNS
resoluons.
You must manually configure at least one DNS server on the firewall or it won’t be able
to resolve hostnames; the firewall cannot use DNS server sengs from another source,
such as an ISP.
1. Edit the Services sengs (Device > Setup > Services > Global for firewalls that support
mulple virtual systems; Device > Setup > Services for those that don’t).
2. On the Services tab, for DNS, select Servers and enter the Primary DNS Server address
and Secondary DNS Server address.
3. Proceed to Step 3.
PAN-OS® Administrator’s Guide Version Version 9.1 1273 ©2021 Palo Alto Networks, Inc.
Networking
STEP 2 | Alternavely, you can configure a DNS Proxy Object if you want to configure advanced DNS
funcons such as split DNS, DNS proxy overrides, DNS proxy rules, stac entries, or DNS
inheritance.
1. Edit the Services sengs (Device > Setup > Services > Global for firewalls that support
mulple virtual systems; Device > Setup > Services for those that don’t).
2. On the Services tab, for DNS, select DNS Proxy Object.
3. From the DNS Proxy list, select the DNS proxy that you want to use to configure global
DNS services, or select DNS Proxy to configure a new DNS proxy object as follows:
1. Enable and then enter a Name for the DNS proxy object.
2. On firewalls that support mulple virtual systems, for Locaon, select Shared for
global, firewall-wide DNS proxy services.
Shared DNS proxy objects don’t use DNS server profiles because they don’t
require a specific service route belonging to a tenant virtual system.
3. Enter the Primary DNS server IP address. Oponally enter a Secondary DNS server IP
address.
4. Select the Advanced tab. Ensure that Cache is enabled and Cache EDNS Responses is
enabled (both are enabled by default).
5. Click OK.
STEP 3 | (Oponal) Set a Minimum FQDN Refresh Time (sec) to limit how frequently the firewall
refreshes FQDN cache entries.
By default, the firewall refreshes each FQDN in its cache based on the individual TTL for the
FQDN in a DNS record, as long as the TTL is greater than or equal to this minimum FQDN
refresh seng (or as long as the TTL is greater than or equal to the default seng of 30
seconds if you don’t configure a minimum FQDN refresh me). To set a minimum FQDN
refresh me, enter a value in seconds (range is 0 to 14,400; default is 30). A seng of 0 means
the firewall refreshes FQDNs based on the TTL value in the DNS records; the firewall doesn’t
enforce a minimum FQDN refresh me. The firewall uses the higher of the DNS TTL me and
the minimum FQDN refresh me.
If the TTL for the FQDN in DNS is short, but your FQDN resoluons don’t change
as frequently as the TTL meframe so don’t need a faster refresh, you should set a
Minimum FQDN Refresh Time to avoid making FQDN refresh aempts more oen
than necessary.
STEP 4 | (Oponal) Specify an FQDN Stale Entry Timeout (min), which is the number of minutes that
the firewall connues to use stale FQDN resoluons in the event of an unreachable DNS
server (range is 0 to 10,080; default is 1,440).
A seng of 0 means the firewall does not connue to use a stale FQDN entry.
Make sure the FQDN stale entry meout is short enough not to allow incorrect traffic
forwarding (which can pose a security risk), but long enough to allow traffic connuity
without causing an unplanned network outage.
PAN-OS® Administrator’s Guide Version Version 9.1 1274 ©2021 Palo Alto Networks, Inc.
Networking
Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resoluon
for Security Policies, Reporng, and Services within its Virtual
System
In this use case, mulple tenants (ISP subscribers) are defined on the firewall and each tenant is
allocated a separate virtual system (vsys) and virtual router in order to segment its services and
administrave domains. The following figure illustrates several virtual systems within a firewall.
Each tenant has its own server profiles for Security policy rules, reporng, and management
services (such as email, Kerberos, SNMP, syslog, and more) defined in its own networks.
For the DNS resoluons iniated by these services, each virtual system is configured with its
own DNS Proxy Object to allow each tenant to customize how DNS resoluon is handled within
its virtual system. Any service with a Locaon will use the DNS Proxy object configured for
the virtual system to determine the primary (or secondary) DNS server to resolve FQDNs, as
illustrated in the following figure.
PAN-OS® Administrator’s Guide Version Version 9.1 1275 ©2021 Palo Alto Networks, Inc.
Networking
STEP 1 | For each virtual system, specify the DNS Proxy to use.
1. Select Device > Virtual Systems and Add the ID of the virtual system (range is 1-255),
and an oponal Name, in this example, Corp1 Corporaon.
2. On the General tab, choose a DNS Proxy or create a new one. In this example, Corp1
DNS Proxy is selected as the proxy for Corp1 Corporaon’s virtual system.
3. For Interfaces, click Add. In this example, Ethernet1/20 is dedicated to this tenant.
4. For Virtual Routers, click Add. A virtual router named Corp1 VR is assigned to the virtual
system in order to separate roung funcons.
5. Click OK.
STEP 2 | Configure a DNS Proxy and a server profile to support DNS resoluon for a virtual system.
1. Select Network > DNS Proxy and click Add.
2. Click Enable and enter a Name for the DNS Proxy.
3. For Locaon, select the virtual system of the tenant, in this example, Corp1 Corporaon
(vsys6). (You could choose the Shared DNS Proxy resource instead.)
4. For Server Profile, choose or create a profile to customize DNS servers to use for DNS
resoluons for this tenant’s security policy, reporng, and server profile services.
If the profile is not already configured, in the Server Profile field, click DNS Server Profile
to Configure a DNS Server Profile.
The DNS server profile idenfies the IP addresses of the primary and secondary DNS
server to use for management DNS resoluons for this virtual system.
5. Also for this server profile, oponally configure a Service Route IPv4 and/or a Service
Route IPv6 to instruct the firewall which Source Interface to use in its DNS requests. If
that interface has more than one IP address, configure the Source Address also.
6. Select the Advanced tab. Ensure that Cache is enabled and Cache EDNS Responses is
enabled (both are enabled by default). This is required if the DNS proxy object is used
under Device > Virtual Systems > vsys > General > DNS Proxy.
7. Click OK.
8. Click OK and Commit.
Oponal advanced features such as split DNS can be configured using DNS
Proxy Rules. A separate DNS server profile can be used to redirect DNS
resoluons matching the Domain Name in a DNS Proxy Rule to another set of
DNS servers, if required. Use Case 3 illustrates split DNS.
If you use two separate DNS server profiles in the same DNS Proxy object, one for the
DNS Proxy and one for the DNS proxy rule, the following behaviors occur:
• If a service route is defined in the DNS server profile used by the DNS Proxy, it takes
precedence and is used.
• If a service route is defined in the DNS server profile used in the DNS proxy rules,
it is not used. If the service route differs from the one defined in the DNS server
PAN-OS® Administrator’s Guide Version Version 9.1 1276 ©2021 Palo Alto Networks, Inc.
Networking
profile used by the DNS Proxy, the following warning message is displayed during the
Commit process:
Warning: The DNS service route defined in the DNS proxy object
is different from the DNS proxy rule’s service route. Using
the DNS proxy object’s service route.
• If no service route is defined in any DNS server profile, the global service route is used
if needed.
Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
In this use case, the firewall is located between a DNS client and a DNS server. A DNS Proxy
on the firewall is configured to act as the DNS server for the hosts that reside on the tenant’s
network connected to the firewall interface. In such a scenario, the firewall performs DNS
resoluon on its dataplane.
This scenario happens to use split DNS, a configuraon where DNS Proxy rules are configured
to redirect DNS requests to a set of DNS servers based on a domain name match. If there is no
match, the server profile determines the DNS servers to which to send the request, hence the
two, split DNS resoluon methods.
For dataplane DNS resoluons, the source IP address from the DNS proxy in PAN-OS
to the outside DNS server would be the address of the proxy (the desnaon IP of the
original request). Any service routes defined in the DNS Server Profile are not used. For
example, if the request is from host 172.16.1.1 to the DNS proxy at 192.168.1.1, then
the request to the DNS server (at 10.10.10.10) would use a source of 192.168.1.1 and a
desnaon of 10.10.10.10.
STEP 2 | Click Enable and enter a Name for the DNS Proxy.
STEP 3 | For Locaon, select the virtual system of the tenant, in this example, Corp1 Corporaon
(vsys6).
STEP 4 | For Interface, select the interface that will receive the DNS requests from the tenant’s hosts,
in this example, Ethernet1/20.
STEP 5 | Choose or create a Server Profile to customize DNS servers to resolve DNS requests for this
tenant.
STEP 6 | On the DNS Proxy Rules tab, Add a Name for the rule.
PAN-OS® Administrator’s Guide Version Version 9.1 1277 ©2021 Palo Alto Networks, Inc.
Networking
STEP 8 | Add one or more Domain Name(s), one entry per row. DNS Proxy Rule and FQDN Matching
describes how the firewall matches FQDNs to domain names in a DNS proxy rule.
STEP 9 | For DNS Server profile, select a profile. The firewall compares the domain name in the DNS
request to the domain name(s) defined in the DNS Proxy Rules. If there is a match, the DNS
Server profile defined in the rule is used to determine the DNS server.
STEP 10 | In this example, if the domain in the request matches myweb.corp1.com, the DNS server
defined in the myweb DNS Server Profile is used. If there is no match, the DNS server
defined in the Server Profile (Corp1 DNS Server Profile) is used.
The firewall first tokenizes the FQDNs *.boat.fish.com consists of four tokens: [*]
and the domain names in the DNS [boat][fish][com]
proxy rules. In a domain name, a string
delimited by a period (.) is a token.
PAN-OS® Administrator’s Guide Version Version 9.1 1278 ©2021 Palo Alto Networks, Inc.
Networking
Rule: www.boat.*
FQDN: www.boat.com — Match
FQDN: www.boat.fish.com — Match
PAN-OS® Administrator’s Guide Version Version 9.1 1279 ©2021 Palo Alto Networks, Inc.
Networking
PAN-OS® Administrator’s Guide Version Version 9.1 1280 ©2021 Palo Alto Networks, Inc.
Networking
Best Pracces for Creang DNS Proxy Rules to Avoid Ambiguity and Unexpected Results
PAN-OS® Administrator’s Guide Version Version 9.1 1281 ©2021 Palo Alto Networks, Inc.
Networking
For high availability (HA) configuraons, make sure that content versions on the HA
firewall peers (acve/passive or acve/acve) are in sync because the firewall maintains
the DDNS configuraon based on the current Palo Alto Networks content release version.
Palo Alto Networks can change or deprecate exisng DDNS services through a content
release. Addionally, a DDNS service provider can change the services it provides. A
mismatch in content release versions between the HA peers can cause issues with their
ability to use the DDNS service.
The firewall does not support DDNS over an interface that is a Point-to-Point Protocol
over Ethernet (PPPoE) terminaon point.
In the following example, the firewall is a DDNS client of a DDNS service provider. Inially, the
DHCP server assigns IP address 10.1.1.1 to the Ethernet 1/2 interface. A desnaon NAT policy
translates the public-facing 10.1.1.1 to the real address of Server A (192.168.10.1) behind the
firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 1282 ©2021 Palo Alto Networks, Inc.
Networking
1. When a user aempts to contact www.serverA.companyx.com, the user queries its local DNS
server for the IP address. The www.serverA.companyx.com (set, for example, as a CNAME to
your duckdns.org record: serverA.companyx.duckdns.org) is a domain belonging to the DDNS
provider (DuckDNS in this example). The DNS server checks for the record with the DDNS
provider to resolve the query.
2. The DNS server responds to the user with 10.1.1.1, which is the IP address for
www.serverA.companyx.com.
3. The user packet with desnaon 10.1.1.1 goes to firewall interface Ethernet 1/2.
4. In this example, the firewall performs desnaon NAT and translates 10.1.1.1 to 192.168.10.1
before sending the packet to the desnaon.
Aer some me passes, DHCP assigns a new IP address to the firewall interface, which triggers a
DDNS update, as follows:
PAN-OS® Administrator’s Guide Version Version 9.1 1283 ©2021 Palo Alto Networks, Inc.
Networking
If your firewall is configured for HA acve/passive mode, be aware that the firewall sends
DDNS updates to the DDNS service while the two HA firewall states are converging. Aer
the HA states converge, DDNS is disabled on the passive firewall. For example, when two
HA firewalls first boot up, they both send DDNS updates unl they establish whether
they are in HA acve or passive mode. During this interval, you sll see DDNS updates
in system logs. Aer the HA states converge and each firewall nofies its clients that it is
acve or passive, the passive firewall no longer sends DDNS updates. (In HA acve/acve
mode, each firewall has an independent DDNS configuraon and doesn’t synchronize the
DDNS configuraon.)
PAN-OS® Administrator’s Guide Version Version 9.1 1284 ©2021 Palo Alto Networks, Inc.
Networking
Make sure this hostname matches the hostname you registered with your
DDNS service. You should enter an FQDN for the hostname; the firewall
doesn’t validate the hostname except to confirm that the syntax uses only valid
characters allowed by DNS for a domain name.
6. Select IPv4 and select one or more IPv4 addresses assigned to the interface or Add an
IPv4 address to associate with the hostname (for example, 10.1.1.1). You can select only
as many IPv4 addresses as the DDNS service allows. All selected IPv4 addresses are
registered with the DDNS service. Select at least one IPv4 or one IPv6 address.
7. Select IPv6 and select one or more IPv6 addresses assigned to the interface or Add
an IPv6 address to associate with the hostname. You can select only as many IPv6
addresses as the DDNS service allows. All selected IPv6 addresses are registered with
the DDNS service. Select at least one IPv4 or one IPv6 address.
8. Select or create a new cerficate profile (Cerficate Profile) using the imported SSL
cerficate from the DDNS service to verify the SSL cerficate of the DDNS service
PAN-OS® Administrator’s Guide Version Version 9.1 1285 ©2021 Palo Alto Networks, Inc.
Networking
when the firewall first connects to a DDNS service to register an IP address and at every
update. When the firewall connects to the DDNS service to send updates, the DDNS
service presents the firewall with an SSL cerficate signed by the cerficate authority
(CA) so that the firewall can authencate the DDNS service.
9. Select the Vendor (and version number) you are using for DDNS service.
Palo Alto Networks may change the supported DDNS service providers via a
content update.
10. The vendor choice determines the vendor-specific Name and Value fields below the
Vendor field. Some Value fields are read-only to nofy you of the parameters the firewall
uses to connect to the DDNS service. Configure the remaining Value fields, such as a
password that the DDNS service provides to you and a meout that the firewall uses if it
doesn’t receive an update from the DDNS service.
11. Click OK.
STEP 2 | (Oponal) If you want the firewall to communicate with the DDNS service using an interface
other than the management interface, configure a service route for DDNS (Set Up Network
Access for External Services).
PAN-OS® Administrator’s Guide Version Version 9.1 1286 ©2021 Palo Alto Networks, Inc.
Networking
NAT
This secon describes Network Address Translaon (NAT) and how to configure the firewall
for NAT. NAT allows you to translate private, non-routable IPv4 addresses to one or more
globally-routable IPv4 addresses, thereby conserving an organizaon’s routable IP addresses.
NAT allows you to not disclose the real IP addresses of hosts that need access to public addresses
and to manage traffic by performing port forwarding. You can use NAT to solve network design
challenges, enabling networks with idencal IP subnets to communicate with each other. The
firewall supports NAT on Layer 3 and virtual wire interfaces.
The NAT64 opon translates between IPv6 and IPv4 addresses, providing connecvity between
networks using disparate IP addressing schemes, and therefore a migraon path to IPv6
addressing. IPv6-to-IPv6 Network Prefix Translaon (NPTv6) translates one IPv6 prefix to another
IPv6 prefix. PAN-OS supports all of these funcons.
If you use private IP addresses within your internal networks, you must use NAT to translate
the private addresses to public addresses that can be routed on external networks. In PAN-OS,
you create NAT policy rules that instruct the firewall which packet addresses and ports need
translaon and what the translated addresses and ports are.
• NAT Policy Rules
• Source NAT and Desnaon NAT
• Desnaon NAT with DNS Rewrite Use Cases
• NAT Rule Capacies
• Dynamic IP and Port NAT Oversubscripon
• Dataplane NAT Memory Stascs
• Configure NAT
• NAT Configuraon Examples
PAN-OS® Administrator’s Guide Version Version 9.1 1287 ©2021 Palo Alto Networks, Inc.
Networking
NAT rules provide address translaon, and are different from security policy rules, which allow or
deny packets. It is important to understand the firewall’s flow logic when it applies NAT rules and
security policy rules so that you can determine what rules you need, based on the zones you have
defined. You must configure security policy rules to allow the NAT traffic.
Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress
interface and zone. Then the firewall determines if the packet matches one of the NAT rules that
have been defined, based on source and/or desnaon zone. It then evaluates and applies any
security policies that match the packet based on the original (pre-NAT) source and desnaon
addresses, but the post-NAT zones. Finally, upon egress, for a matching NAT rule, the firewall
translates the source and/or desnaon address and port numbers.
Keep in mind that the translaon of the IP address and port do not occur unl the packet leaves
the firewall. The NAT rules and security policies apply to the original IP address (the pre-NAT
address). A NAT rule is configured based on the zone associated with a pre-NAT IP address.
Security policies differ from NAT rules because security policies examine post-NAT zones to
determine whether the packet is allowed or not. Because the very nature of NAT is to modify
source or desnaon IP addresses, which can result in modifying the packet’s outgoing interface
and zone, security policies are enforced on the post-NAT zone.
A SIP call somemes experiences one-way audio when going through the firewall because
the call manager sends a SIP message on behalf of the phone to set up the connecon.
When the message from the call manager reaches the firewall, the SIP ALG must put the
IP address of the phone through NAT. If the call manager and the phones are not in the
same security zone, the NAT lookup of the IP address of the phone is done using the call
manager zone. The NAT policy should take this into consideraon.
No-NAT rules are configured to allow exclusion of IP addresses defined within the range of NAT
rules defined later in the NAT policy. To define a no-NAT policy, specify all of the match criteria
and select No Source Translaon in the source translaon column.
You can verify the NAT rules processed by selecng Device > Troubleshoong and tesng the
traffic matches for the NAT rule. For example:
PAN-OS® Administrator’s Guide Version Version 9.1 1288 ©2021 Palo Alto Networks, Inc.
Networking
Because both NAT rules and security policy rules use address objects, it is a best pracce
to disnguish between them by naming an address object used for NAT with a prefix, such
as “NAT-name.”
The firewall performs source NAT for a client, translang the source address 10.1.1.1 to the
address in the NAT pool, 192.168.2.2. The translated packet is sent on to a router.
For the return traffic, the router does not know how to reach 192.168.2.2 (because that IP
address is just an address in the NAT address pool), so it sends an ARP request packet to the
firewall.
• If the address pool (192.168.2.2) is in the same subnet as the egress/ingress interface IP
address (192.168.2.3/24), the firewall can send a proxy ARP reply to the router, indicang the
Layer 2 MAC address of the IP address, as shown in the figure above.
• If the address pool (192.168.2.2) is not a subnet of an interface on the firewall, the firewall
will not send a proxy ARP reply to the router. This means that the router must be configured
with the necessary route to know where to send packets desned for 192.168.2.2, in order to
ensure the return traffic is routed back to the firewall, as shown in the figure below.
Source NAT
Source NAT is typically used by internal users to access the Internet; the source address is
translated and thereby kept private. There are three types of source NAT:
• Dynamic IP and Port (DIPP)—Allows mulple hosts to have their source IP addresses translated
to the same public IP address with different port numbers. The dynamic translaon is to the
PAN-OS® Administrator’s Guide Version Version 9.1 1289 ©2021 Palo Alto Networks, Inc.
Networking
next available address in the NAT address pool, which you configure as a Translated Address
pool be to an IP address, range of addresses, a subnet, or a combinaon of these.
As an alternave to using the next address in the NAT address pool, DIPP allows you to specify
the address of the Interface itself. The advantage of specifying the interface in the NAT rule is
that the NAT rule will be automacally updated to use any address subsequently acquired by
the interface. DIPP is somemes referred to as interface-based NAT or network address port
translaon (NAPT).
DIPP has a default NAT oversubscripon rate, which is the number of mes that the same
translated IP address and port pair can be used concurrently. For more informaon, see
Dynamic IP and Port NAT Oversubscripon and Modify the Oversubscripon Rate for DIPP
NAT.
(Affects only PA-7000 Series firewalls that do not use second-generaon PA-7050-
SMC-B or PA-7080-SMC-B Switch Management Cards) When you use Point-to-Point
Tunnel Protocol (PPTP) with DIPP NAT, the firewall is limited to using a translated IP
address-and-port pair for only one connecon; the firewall does not support DIPP
NAT. The workaround is to upgrade the PA-7000 Series firewall to a second-generaon
SMC-B card.
• Dynamic IP—Allows the one-to-one, dynamic translaon of a source IP address only (no
port number) to the next available address in the NAT address pool. The size of the NAT
pool should be equal to the number of internal hosts that require address translaons. By
default, if the source address pool is larger than the NAT address pool and eventually all of the
NAT addresses are allocated, new connecons that need address translaon are dropped. To
override this default behavior, use Advanced (Dynamic IP/Port Fallback) to enable use of DIPP
addresses when necessary. In either event, as sessions terminate and the addresses in the pool
become available, they can be allocated to translate new connecons.
Dynamic IP NAT supports the opon for you to Reserve Dynamic IP NAT Addresses.
• Stac IP—Allows the 1-to-1, stac translaon of a source IP address, but leaves the source
port unchanged. A common scenario for a stac IP translaon is an internal server that must be
available to the Internet.
Desnaon NAT
Desnaon NAT is performed on incoming packets when the firewall translates a desnaon
address to a different desnaon address; for example, it translates a public desnaon address to
a private desnaon address. Desnaon NAT also offers the opon to perform port forwarding
or port translaon.
Desnaon NAT allows stac and dynamic translaon:
• Stac IP—You can configure a one-to-one, stac translaon in several formats. You can specify
that the original packet have a single desnaon IP address, a range of IP addresses, or an IP
netmask, as long as the translated packet is in the same format and specifies the same number
of IP addresses. The firewall stacally translates an original desnaon address to the same
translated desnaon address each me. That is, if there is more than one desnaon address,
the firewall translates the first desnaon address configured for the original packet to the first
desnaon address configured for the translated packet, and translates the second original
PAN-OS® Administrator’s Guide Version Version 9.1 1290 ©2021 Palo Alto Networks, Inc.
Networking
desnaon address configured to the second translated desnaon address configured, and so
on, always using the same translaon.
If you use desnaon NAT to translate a stac IPv4 address, you might also use DNS services
on one side of the firewall to resolve FQDNs for a client on the other side. When the DNS
response containing the IPv4 address traverses the firewall, the DNS server provides an
internal IP address to an external device, or vice versa. Beginning with PAN-OS 9.0.2 and
in later 9.0 releases, you can configure the firewall to rewrite the IP address in the DNS
response (that matches the rule) so that the client receives the appropriate address to reach the
desnaon service. The applicable DNS rewrite use case determines how you configure such a
rewrite.
• Dynamic IP (with session distribuon)—Desnaon NAT allows you to translate the original
desnaon address to a desnaon host or server that has a dynamic IP address, meaning an
address object that uses an FQDN, which can return mulple addresses from DNS. Dynamic IP
(with session distribuon) supports IPv4 addresses only. Desnaon NAT using a dynamic IP
address is especially helpful in cloud deployments that use dynamic IP addressing.
If the translated desnaon address resolves to more than one address, the firewall distributes
incoming NAT sessions among the mulple addresses to provide improved session distribuon.
Distribuon is based on one of several methods: round-robin (the default method), source IP
hash, IP modulo, IP hash, or least sessions. If a DNS server returns more than 32 IPv4 addresses
for an FQDN, the firewall uses the first 32 addresses in the packet.
If the translated address is an address object of type FQDN that resolves to only IPv6
addresses, the desnaon NAT policy rule considers the FQDN as unresolved.
Using Dynamic IP (with session distribuon) allows you to translate mulple pre-NAT
desnaon IP addresses M to mulple post-NAT desnaon IP addresses N. A many-to-many
translaon means there can be M x N desnaon NAT translaons using a single NAT rule.
The following are common examples of desnaon NAT translaons that the firewall allows:
PAN-OS® Administrator’s Guide Version Version 9.1 1291 ©2021 Palo Alto Networks, Inc.
Networking
One common use for desnaon NAT is to configure several NAT rules that map a single public
desnaon address to several private desnaon host addresses assigned to servers or services.
In this case, the desnaon port numbers are used to idenfy the desnaon hosts. For example:
PAN-OS® Administrator’s Guide Version Version 9.1 1292 ©2021 Palo Alto Networks, Inc.
Networking
• Port Forwarding—Can translate a public desnaon address and port number to a private
desnaon address but keeps the same port number.
• Port Translaon—Can translate a public desnaon address and port number to a private
desnaon address and a different port number, thus keeping the actual port number private.
The port translaon is configured by entering a Translated Port on the Translated Packet tab in
the NAT policy rule. See the Desnaon NAT with Port Translaon Example.
If you have an overlapping NAT rule with DNS Rewrite disabled, and a NAT rule below it
that has DNS Rewrite enabled and is included in the overlap, the firewall rewrites the DNS
response according to the overlapped NAT rule (in either reverse or forward seng). The
rewrite takes precedence and the order of the NAT rules is ignored.
PAN-OS® Administrator’s Guide Version Version 9.1 1293 ©2021 Palo Alto Networks, Inc.
Networking
Use case 2 illustrates the DNS client on the internal side of the firewall, while the DNS server
and the ulmate desnaon server are both on the public side. This case requires DNS rewrite
in the reverse direcon. The DNS client queries for the IP address of red.com. Based on the NAT
rule, the firewall translates the query (originally going to internal address 192.168.2.1) to the
public address 1.1.2.1. The DNS server responds that red.com has IP address 1.1.2.10. The rule
includes Enable DNS Rewrite - reverse and the DNS response of 1.1.2.10 matches the desnaon
Translated Address of 1.1.2.0/24 in the rule, so the firewall translates the DNS response using
the reverse translaon that the rule uses. The rule says translate 192.168.2.0/24 to 1.1.2.0/24,
so the firewall rewrites the DNS response 1.1.2.10 to 192.168.2.10. The DNS client receives
PAN-OS® Administrator’s Guide Version Version 9.1 1294 ©2021 Palo Alto Networks, Inc.
Networking
the response and sends to 192.168.2.10, which the rule translates to 1.1.2.10 to reach server
red.com.
Use case 2 summary is the same as Use case 1 summary: DNS client and desnaon server are
on opposite sides of the firewall. The DNS server provides an address that matches the translated
desnaon address in the NAT rule, so translate the DNS response using the reverse translaon
of the NAT rule.
PAN-OS® Administrator’s Guide Version Version 9.1 1295 ©2021 Palo Alto Networks, Inc.
Networking
Use case 4 illustrates the DNS client and the ulmate desnaon server both on the public side
of the firewall, while the DNS server is on the internal side. This case requires DNS Rewrite in
the forward direcon. The DNS client queries for the IP address of red.com. Based on Rule 2,
the firewall translates the query (originally going to public desnaon 1.1.2.1) to 192.168.2.1.
The DNS server responds that red.com has IP address 192.168.2.10. Rule 1 includes Enable
DNS Rewrite - forward and the DNS response of 192.168.2.10 matches the original desnaon
address of 192.168.2.0/24 in Rule 1, so the firewall translates the DNS response using the same
translaon the rule uses. Rule 1 says translate 192.168.2.0/24 to 1.1.2.0/24, so the firewall
rewrites DNS response 192.168.2.10 to 1.1.2.10. The DNS client receives the response and sends
to 1.1.2.10 to reach server red.com.
Use case 4 summary is the same as Use case 3 summary: DNS client and desnaon server are
on the same side of the firewall. The DNS server provides an address that matches the original
desnaon address in the NAT rule, so translate the DNS response using the same (forward)
translaon as the NAT rule.
PAN-OS® Administrator’s Guide Version Version 9.1 1296 ©2021 Palo Alto Networks, Inc.
Networking
PA-220 2
PA-820 2
PA-850 2
PAN-OS® Administrator’s Guide Version Version 9.1 1297 ©2021 Palo Alto Networks, Inc.
Networking
PA-3220 4
PA-3250 4
PA-3260 4
PA-5220 8
PA-5250 8
PA-5260 8
PA-5280 8
PA-7050 8
PA-7080 8
VM-50 2
VM-100 2
VM-200 2
VM-300 2
VM-500 8
VM-700 8
VM-1000-HV 2
The firewall supports a maximum of 256 translated IP addresses per NAT rule, and each
model supports a maximum number of translated IP addresses (for all NAT rules combined).
If oversubscripon causes the maximum translated addresses per rule (256) to be exceeded,
the firewall will automacally reduce the oversubscripon rao in an effort to have the commit
succeed. However, if your NAT rules result in translaons that exceed the maximum translated
addresses for the model, the commit will fail.
PAN-OS® Administrator’s Guide Version Version 9.1 1298 ©2021 Palo Alto Networks, Inc.
Networking
For NAT pool stascs for a virtual system, the show running ippool command has columns
indicang the memory size used per NAT rule and the oversubscripon rao used (for DIPP rules).
The following is sample output for the command.
A field in the output of the show running nat-rule-ippool rule command shows the
memory (bytes) used per NAT rule. The following is sample output for the command, with the
memory usage for the rule encircled.
Configure NAT
Perform the following tasks to configure various aspects of NAT. In addion to the examples
below, there are examples in the secon NAT Configuraon Examples.
• Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
• Enable Clients on the Internal Network to Access your Public Servers (Desnaon U-Turn NAT)
• Enable Bi-Direconal Address Translaon for Your Public-Facing Servers (Stac Source NAT)
• Configure Desnaon NAT with DNS Rewrite
• Configure Desnaon NAT Using Dynamic IP Addresses
• Modify the Oversubscripon Rate for DIPP NAT
• Reserve Dynamic IP NAT Addresses
PAN-OS® Administrator’s Guide Version Version 9.1 1299 ©2021 Palo Alto Networks, Inc.
Networking
Based on this topology, there are three NAT policies we need to create as follows:
• To enable the clients on the internal network to access resources on the Internet, the internal
192.168.1.0 addresses will need to be translated to publicly routable addresses. In this case, we
will configure source NAT (the purple enclosure and arrow above), using the egress interface
address, 203.0.113.100, as the source address in all packets that leave the firewall from the
internal zone. See Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP
NAT) for instrucons.
• To enable clients on the internal network to access the public web server in the DMZ zone,
we must configure a NAT rule that redirects the packet from the external network, where the
original roung table lookup will determine it should go based on the desnaon address of
203.0.113.11 within the packet, to the actual address of the web server on the DMZ network
of 10.1.1.11. To do this you must create a NAT rule from the trust zone (where the source
address in the packet is) to the untrust zone (where the original desnaon address is) to
translate the desnaon address to an address in the DMZ zone. This type of desnaon NAT
is called U-Turn NAT (the yellow enclosure and arrow above). See Enable Clients on the Internal
Network to Access your Public Servers (Desnaon U-Turn NAT) for instrucons.
• To enable the web server—which has both a private IP address on the DMZ network and a
public-facing address for access by external users—to both send and receive requests, the
firewall must translate the incoming packets from the public IP address to the private IP
address and the outgoing packets from the private IP address to the public IP address. On the
firewall, you can accomplish this with a single bi-direconal stac source NAT policy (the green
PAN-OS® Administrator’s Guide Version Version 9.1 1300 ©2021 Palo Alto Networks, Inc.
Networking
enclosure and arrow above). See Enable Bi-Direconal Address Translaon for Your Public-
Facing Servers (Stac Source NAT).
Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
When a client on your internal network sends a request, the source address in the packet contains
the IP address for the client on your internal network. If you use private IP address ranges
internally, the packets from the client will not be able to be routed on the Internet unless you
translate the source IP address in the packets leaving the network into a publicly routable address.
On the firewall you can do this by configuring a source NAT policy that translates the source
address (and oponally the port) into a public address. One way to do this is to translate the
source address for all packets to the egress interface on your firewall, as shown in the following
procedure.
STEP 1 | Create an address object for the external IP address you plan to use.
1. Select Objects > Addresses and Add a Name and oponal Descripon for the object.
2. Select IP Netmask from the Type and then enter the IP address of the external interface
on the firewall, 203.0.113.100 in this example.
3. Click OK.
Although you do not have to use address objects in your policies, it is a best
pracce because it simplifies administraon by allowing you to make updates
in one place rather than having to update every policy where the address is
referenced.
PAN-OS® Administrator’s Guide Version Version 9.1 1301 ©2021 Palo Alto Networks, Inc.
Networking
Enable Clients on the Internal Network to Access your Public Servers (Desnaon U-
Turn NAT)
When a user on the internal network sends a request for access to the corporate web server in
the DMZ, the DNS server will resolve it to the public IP address. When processing the request,
the firewall will use the original desnaon in the packet (the public IP address) and route the
packet to the egress interface for the untrust zone. In order for the firewall to know that it must
translate the public IP address of the web server to an address on the DMZ network when it
receives requests from users on the trust zone, you must create a desnaon NAT rule that will
enable the firewall to send the request to the egress interface for the DMZ zone as follows.
STEP 1 | Create an address object for the web server.
1. Select Objects > Addresses and Add a Name and oponal Descripon for the address
object.
2. For Type, select IP Netmask and enter the public IP address of the web server,
203.0.113.11 in this example.
You can switch the address object type from IP Netmask to FQDN by clicking Resolve,
and when the FQDN appears, click Use this FQDN. Alternavely, for Type, select FQDN
and enter the FQDN to use for the address object. If you enter an FQDN and click
Resolve, the IP address to which the FQDN resolves appears in the field. To switch the
address object Type from an FQDN to an IP Netmask using this IP address, click Use
this address and the Type will switch to IP Netmask with the IP address appearing in the
field.
3. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1302 ©2021 Palo Alto Networks, Inc.
Networking
of these can return mulple addresses from DNS. If the translated desnaon address
resolves to more than one address, the firewall distributes incoming NAT sessions among
the mulple addresses based on one of several methods you can select: Round Robin
(the default method), Source IP Hash, IP Modulo, IP Hash, or Least Sessions.
6. Click OK.
Enable Bi-Direconal Address Translaon for Your Public-Facing Servers (Stac Source
NAT)
When your public-facing servers have private IP addresses assigned on the network segment
where they are physically located, you need a source NAT rule to translate the source address
of the server to the external address upon egress. You create a stac NAT rule to translate the
internal source address, 10.1.1.11, to the external web server address, 203.0.113.11 in our
example.
However, a public-facing server must be able to both send and receive packets. You need a
reciprocal policy that translates the public address (the desnaon IP address in incoming packets
from Internet users) into the private address so that the firewall can route the packet to your DMZ
network. You create a bi-direconal stac NAT rule, as described in the following procedure. Bi-
direconal translaon is an opon for stac NAT only.
STEP 1 | Create an address object for the web server’s internal IP address.
1. Select Objects > Addresses and Add a Name and oponal Descripon for the object.
2. Select IP Netmask from the Type list and enter the IP address of the web server on the
DMZ network, 10.1.1.11 in this example.
3. Click OK.
If you did not already create an address object for the public address of your web
server, you should create that object now.
STEP 3 | Commit.
Click Commit.
PAN-OS® Administrator’s Guide Version Version 9.1 1303 ©2021 Palo Alto Networks, Inc.
Networking
You cannot enable Bi-direconal source address translaon in the same NAT rule where
you enable DNS rewrite.
STEP 1 | Create a desnaon NAT policy rule that specifies the firewall perform stac translaon
of IPv4 addresses that match the rule, and also specifies the firewall rewrite IP addresses
in DNS responses when that IPv4 address (from the A Record) matches the original or
translated desnaon address in the NAT rule.
1. Select Policies > NAT and Add a NAT policy rule.
2. (Oponal) On the General tab, enter a descripve Name for the rule.
3. For NAT Type, select ipv4.
4. On the Original Packet tab, Add a Desnaon Address.
You will also have to select a Source Zone or Any source zone, but DNS rewrite
occurs at the global level; only the Desnaon Address on the Original Packet
tab is matched. DNS Rewrite ignores all other fields on the Original Packet tab.
5. On the Translated Packet tab, for Desnaon Address Translaon, select Translaon
Type to be Stac IP.
6. Select a Translated Address or enter a new address.
7. Enable DNS Rewrite and select a Direcon:
• Select reverse (default) when the IP address in the DNS response requires the
opposite translaon that the NAT rule specifies. If the DNS response matches the
Translated Desnaon Address in the rule, translate the DNS response using the
reverse translaon that the rule uses. For example, if the rule translates IP address
1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 192.168.1.10 to
1.1.1.10.
• Select forward when the IP address in the DNS response requires the same
translaon that the NAT rule specifies. If the DNS response matches the Original
Desnaon Address in the rule, translate the DNS response using the same
translaon the rule uses. For example, if the rule translates IP address 1.1.1.10 to
192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10.
8. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1304 ©2021 Palo Alto Networks, Inc.
Networking
STEP 1 | Create an address object using the FQDN of the server to which you want to translate the
address.
1. Select Objects > Addresses and Add an address object by Name, such as post-NAT-
Internal-ELB.
2. Select FQDN as the Type and enter the FQDN. In this example, the FQDN is
ielb.appweb.com.
3. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1305 ©2021 Palo Alto Networks, Inc.
Networking
The firewall does not remove duplicate IP addresses from the list of desnaon
IP addresses before it distributes sessions among the mulple IP addresses.
The firewall distributes sessions to the duplicate addresses in the same way
it distributes sessions to non-duplicate addresses. (Duplicate addresses in the
translaon pool can occur, for example, if the translated address is an address
group of address objects, and one address object is an FQDN that resolves to
an IP address, while another address object is a range that includes the same IP
address.)
7. Click OK.
STEP 4 | (Oponal) You can configure the frequency at which the firewall refreshes an FQDN (Use
Case 1: Firewall Requires DNS Resoluon).
PAN-OS® Administrator’s Guide Version Version 9.1 1306 ©2021 Palo Alto Networks, Inc.
Networking
The Plaorm Default seng applies the default oversubscripon seng for the
model. If you want no oversubscripon, select 1x.
3. Click OK and Commit the change.
For example, suppose there is a Dynamic IP NAT pool of 30 addresses and there are 20
translaons in progress when the nat reserve-time is set to 28800 seconds (8 hours).
Those 20 translaons are now reserved, so that when the last session (of any applicaon) that
PAN-OS® Administrator’s Guide Version Version 9.1 1307 ©2021 Palo Alto Networks, Inc.
Networking
uses each source IP/translated IP mapping expires, the translated IP address is reserved for
only that source IP address for 8 hours, in case that source IP address needs translaon again.
Addionally, as the 10 remaining translated addresses are allocated, they each are reserved for
their source IP address, each with a mer that begins when the last session for that source IP
address expires.
In this manner, each source IP address can be repeatedly translated to its same NAT address
from the pool; another host will not be assigned a reserved translated IP address from the pool,
even if there are no acve sessions for that translated address.
Suppose a source IP/translated IP mapping has all of its sessions expire, and the reservaon
mer of 8 hours begins. Aer a new session for that translaon begins, the mer stops, and
the sessions connue unl they all end, at which point the reservaon mer starts again,
reserving the translated address.
The reservaon mer remain in effect on the Dynamic IP NAT pool unl you disable it by
entering the set setting nat reserve-ip no command or you change the nat
reserve-time to a different value.
The CLI commands for reservaons do not affect Dynamic IP and Port (DIPP) or Stac IP NAT
pools.
NAT rules are processed in order from the top to the boom, so place the NAT
exempon policy before other NAT policies to ensure it is processed before an address
translaon occurs for the sources you want to exempt.
PAN-OS® Administrator’s Guide Version Version 9.1 1308 ©2021 Palo Alto Networks, Inc.
Networking
Before configuring the NAT rules, consider the sequence of events for this scenario.
Host 192.0.2.250 sends an ARP request for the address 192.0.2.100 (the public address of the
desnaon server).
The firewall receives the ARP request packet for desnaon 192.0.2.100 on the Ethernet1/1
interface and processes the request. The firewall responds to the ARP request with its own
MAC address because of the desnaon NAT rule configured.
The NAT rules are evaluated for a match. For the desnaon IP address to be translated, a
desnaon NAT rule from zone Untrust-L3 to zone Untrust-L3 must be created to translate
the desnaon IP of 192.0.2.100 to 10.1.1.100.
Aer determining the translated address, the firewall performs a route lookup for desnaon
10.1.1.100 to determine the egress interface. In this example, the egress interface is
Ethernet1/2 in zone DMZ.
PAN-OS® Administrator’s Guide Version Version 9.1 1309 ©2021 Palo Alto Networks, Inc.
Networking
The firewall performs a security policy lookup to see if the traffic is permied from zone
Untrust-L3 to DMZ.
The direcon of the policy matches the ingress zone and the zone where the server is
physically located.
The security policy refers to the IP address in the original packet, which has a
desnaon address of 192.0.2.100.
The firewall forwards the packet to the server out egress interface Ethernet1/2. The
desnaon address is changed to 10.1.1.100 as the packet leaves the firewall.
For this example, address objects are configured for webserver-private (10.1.1.100) and
Webserver-public (192.0.2.100). The configured NAT rule would look like this:
The direcon of the NAT rules is based on the result of route lookup.
The configured security policy to provide access to the server from the Untrust-L3 zone would
look like this:
The following NAT and security rules must be configured on the firewall:
Use the show session all CLI command to verify the translaon.
PAN-OS® Administrator’s Guide Version Version 9.1 1310 ©2021 Palo Alto Networks, Inc.
Networking
All HTTP traffic is sent to host 10.1.1.100 and SSH traffic is sent to server 10.1.1.101. The
following address objects are required:
• Address object for the one pre-translated IP address of the server
• Address object for the real IP address of the SSH server
• Address object for the real IP address of the web server
The corresponding address objects are created:
• Servers-public: 192.0.2.100
• SSH-server: 10.1.1.101
• webserver-private: 10.1.1.100
The NAT rules would look like this:
PAN-OS® Administrator’s Guide Version Version 9.1 1311 ©2021 Palo Alto Networks, Inc.
Networking
• Desnaon NAT—The desnaon addresses in the packets from the clients to the server
are translated from the server’s public address (80.80.80.80) to the server’s private address
(10.2.133.15).
To verify the translaons, use the CLI command show session all filter destination
80.80.80.80. A client address 192.168.1.11 and its port number are translated to 10.16.1.103
and a port number. The desnaon address 80.80.80.80 is translated to 10.2.133.15.
PAN-OS® Administrator’s Guide Version Version 9.1 1312 ©2021 Palo Alto Networks, Inc.
Networking
When performing NAT on virtual wire interfaces, it is recommended that you translate the source
address to a different subnet than the one on which the neighboring devices are communicang.
The firewall will not proxy ARP for NAT addresses. Proper roung must be configured on the
upstream and downstream routers in order for the packets to be translated in virtual wire mode.
Neighboring devices will only be able to resolve ARP requests for IP addresses that reside on the
interface of the device on the other end of the virtual wire. See Proxy ARP for NAT Address Pools
for more explanaon about proxy ARP.
In the source NAT example below, security policies (not shown) are configured from the virtual
wire zone named vw-trust to the zone named vw-untrust.
In the following topology, two routers are configured to provide connecvity between subnets
192.0.2.0/24 and 172.16.1.0/24. The link between the routers is configured in subnet
198.51.100.0/30. Stac roung is configured on both routers to establish connecvity between
the networks. Before the firewall is deployed in the environment, the topology and the roung
table for each router look like this:
Route on R1:
172.16.1.0/24 198.51.100.2
Route on R2:
192.0.2.0/24 198.51.100.1
Now the firewall is deployed in virtual wire mode between the two Layer 3 devices. A NAT
IP address pool with range 198.51.100.9 to 198.51.100.14 is configured on the firewall. All
communicaons from clients in subnet 192.0.2.0/24 accessing servers in network 172.16.1.0/24
will arrive at R2 with a translated source address in the range 198.51.100.9 to 198.51.100.14. The
response from servers will be directed to these addresses.
In order for source NAT to work, you must configure proper roung on R2, so that packets
desned for other addresses are not dropped. The roung table below shows the modified roung
table on R2; the route ensures traffic to the desnaons 198.51.100.9-198.51.100.14 (that is,
hosts on subnet 198.51.100.8/29) will be sent back through the firewall to R1.
Route on R2:
PAN-OS® Administrator’s Guide Version Version 9.1 1313 ©2021 Palo Alto Networks, Inc.
Networking
198.51.100.8/29 198.51.100.1
Route on R2:
198.51.100.100/32 198.51.100.1
Route on R2:
198.51.100.100/32 198.51.100.1
PAN-OS® Administrator’s Guide Version Version 9.1 1314 ©2021 Palo Alto Networks, Inc.
Networking
NPTv6
IPv6-to-IPv6 Network Prefix Translaon (NPTv6) performs a stateless, stac translaon of one
IPv6 prefix to another IPv6 prefix (port numbers are not changed). There are four primary benefits
of NPTv6:
• You can prevent the asymmetrical roung problems that result from Provider Independent
addresses being adversed from mulple datacenters.
• NPTv6 allows more specific routes to be adversed so that return traffic arrives at the same
firewall that transmied the traffic.
• Private and public addresses are independent; you can change one without affecng the other.
• You have the ability to translate Unique Local Addresses to globally routable addresses.
This topic builds on a basic understanding of NAT. You should be sure you are familiar with NAT
concepts before configuring NPTv6.
• NPTv6 Overview
• How NPTv6 Works
• NDP Proxy
• NPTv6 and NDP Proxy Example
• Create an NPTv6 Policy
NPTv6 Overview
This secon describes IPv6-to-IPv6 Network Prefix Translaon (NPTv6) and how to configure it.
NPTv6 is defined in RFC 6296. Palo Alto Networks does not implement all funconality defined in
the RFC, but is compliant with the RFC in the funconality it has implemented.
NPTv6 performs stateless translaon of one IPv6 prefix to another IPv6 prefix. It is stateless,
meaning that it does not keep track of ports or sessions on the addresses translated. NPTv6 differs
from NAT66, which is stateful. Palo Alto Networks supports NPTv6 RFC 6296 prefix translaon; it
does not support NAT66.
With the limited addresses in the IPv4 space, NAT was required to translate private, non-routable
IPv4 addresses to one or more globally-routable IPv4 addresses.
For organizaons using IPv6 addressing, there is no need to translate IPv6 addresses to IPv6
addresses due to the abundance of IPv6 addresses. However, there are Reasons to Use NPTv6 to
translate IPv6 prefixes at the firewall.
NPTv6 translates the prefix poron of an IPv6 address but not the host poron or the applicaon
port numbers. The host poron is simply copied, and therefore remains the same on either side of
the firewall. The host poron also remains visible within the packet header.
• NPTv6 Does Not Provide Security
• Model Support for NPTv6
• Unique Local Addresses
• Reasons to Use NPTv6
PAN-OS® Administrator’s Guide Version Version 9.1 1315 ©2021 Palo Alto Networks, Inc.
Networking
PAN-OS® Administrator’s Guide Version Version 9.1 1316 ©2021 Palo Alto Networks, Inc.
Networking
• Reduces exposure to IPv6 prefixes—IPv6 prefixes are less exposed than if you didn’t translate
network prefixes, however, NPTv6 is not a security measure. The interface idenfier poron of
each IPv6 address is not translated; it remains the same on each side of the firewall and visible
to anyone who can see the packet header. Addionally, the prefixes are not secure; they can be
determined by others.
It is important to understand that NPTv6 does not provide security. While you are planning your
NPTv6 NAT policies, remember also to configure security policies in each direcon.
A NAT or NPTv6 policy rule cannot have both the Source Address and the Translated Address set
to Any.
In an environment where you want IPv6 prefix translaon, three firewall features work together:
NPTv6 NAT policies, security policies, and NDP Proxy.
The firewall does not translate the following:
• Addresses that the firewall has in its Neighbor Discovery (ND) cache.
• The subnet 0xFFFF (in accordance with RFC 6296, Appendix B).
• IP mulcast addresses.
• IPv6 addresses with a prefix length of /31 or shorter.
• Link-local addresses. If the firewall is operang in virtual wire mode, there are no IP addresses
to translate, and the firewall does not translate link-local addresses.
• Addresses for TCP sessions that authencate peers using the TCP Authencaon Opon (RFC
5925).
PAN-OS® Administrator’s Guide Version Version 9.1 1317 ©2021 Palo Alto Networks, Inc.
Networking
When using NPTv6, performance for fast path traffic is impacted because NPTv6 is performed in
the slow path.
NPTv6 will work with IPSec IPv6 only if the firewall is originang and terminang the tunnel.
Transit IPSec traffic would fail because the source and/or desnaon IPv6 address would be
modified. A NAT traversal technique that encapsulates the packet would allow IPSec IPv6 to work
with NPTv6.
• Checksum-Neutral Mapping
• Bi-Direconal Translaon
• NPTv6 Applied to a Specific Service
Checksum-Neutral Mapping
The NPTv6 mapping translaons that the firewall performs are checksum-neutral, meaning that
“... they result in IP headers that will generate the same IPv6 pseudo-header checksum when the
checksum is calculated using the standard Internet checksum algorithm [RFC 1071].” See RFC
6296, Secon 2.6, for more informaon about checksum-neutral mapping.
If you are using NPTv6 to perform desnaon NAT, you can provide the internal IPv6 address and
the external prefix/prefix length of the firewall interface in the syntax of the test nptv6 CLI
command. The CLI responds with the checksum-neutral, public IPv6 address to use in your NPTv6
configuraon to reach that desnaon.
Bi-Direconal Translaon
When you Create an NPTv6 Policy, the Bi-direconal opon in the Translated Packet tab provides
a convenient way for you to have the firewall create a corresponding NAT or NPTv6 translaon
in the opposite direcon of the translaon you configured. By default, Bi-direconal translaon is
disabled.
If you enable Bi-direconal translaon, it is very important to make sure you have security
policies in place to control the traffic in both direcons. Without such policies, the Bi-
direconal feature will allow packets to be automacally translated in both direcons,
which you might not want.
NDP Proxy
Neighbor Discovery Protocol (NDP) for IPv6 performs funcons similar to those provided by
Address Resoluon Protocol (ARP) for IPv4. RFC 4861 defines Neighbor Discovery for IP version
6 (IPv6). Hosts, routers, and firewalls use NDP to determine the link-layer addresses of neighbors
on connected links, to keep track of which neighbors are reachable, and to update neighbors’ link-
layer addresses that have changed. Peers adverse their own MAC address and IPv6 address, and
they also solicit addresses from peers.
PAN-OS® Administrator’s Guide Version Version 9.1 1318 ©2021 Palo Alto Networks, Inc.
Networking
NDP also supports the concept of proxy, when a node has a neighboring device that is able to
forward packets on behalf of the node. The device (firewall) performs the role of NDP Proxy.
Palo Alto Networks firewalls support NDP and NDP Proxy on their interfaces. When you
configure the firewall to act as an NDP Proxy for addresses, it allows the firewall to send Neighbor
Discovery (ND) adversements and respond to ND solicitaons from peers that are asking for
MAC addresses of IPv6 prefixes assigned to devices behind the firewall. You can also configure
addresses for which the firewall will not respond to proxy requests (negated addresses).
In fact, NDP is enabled by default, and you need to configure NDP Proxy when you configure
NPTv6, for the following reasons:
• The stateless nature of NPTv6 requires a way to instruct the firewall to respond to ND packets
sent to specified NDP Proxy addresses, and to not respond to negated NDP Proxy addresses.
It is recommended that you negate your neighbors’ addresses in the NDP Proxy
configuraon, because NDP Proxy indicates the firewall will reach those addresses
behind the firewall, but the neighbors are not behind the firewall.
• NDP causes the firewall to save the MAC addresses and IPv6 addresses of neighbors in its ND
cache. (Refer to the figure in NPTv6 and NDP Proxy Example.) The firewall does not perform
NPTv6 translaon for addresses that it finds in its ND cache because doing so could introduce
a conflict. If the host poron of an address in the cache happens to overlap with the host
poron of a neighbor’s address, and the prefix in the cache is translated to the same prefix as
that of the neighbor (because the egress interface on the firewall belongs to the same subnet
as the neighbor), then you would have a translated address that is exactly the same as the
legimate IPv6 address of the neighbor, and a conflict occurs. (If an aempt to perform NPTv6
translaon occurs on an address in the ND cache, an informaonal syslog message logs the
event: NPTv6 Translation Failed.)
When an interface with NDP Proxy enabled receives an ND solicitaon requesng a MAC address
for an IPv6 address, the following sequence occurs:
The firewall searches the ND cache to ensure the IPv6 address from the solicitaon is not
there. If the address is there, the firewall ignores the ND solicitaon.
If the source IPv6 address is 0, that means the packet is a Duplicate Address Detecon packet,
and the firewall ignores the ND solicitaon.
The firewall does a Longest Prefix Match search of the NDP Proxy addresses and finds the best
match to the address in the solicitaon. If the Negate field for the match is checked (in the
NDP Proxy list), the firewall drops the ND solicitaon.
Only if the Longest Prefix Match search matches, and that matched address is not negated,
will the NDP Proxy respond to the ND solicitaon. The firewall responds with an ND packet,
providing its own MAC address as the MAC address of the next hop toward the queried
desnaon.
In order to successfully support NDP, the firewall does not perform NDP Proxy for the following:
• Duplicate Address Detecon (DAD).
• Addresses in the ND cache (because such addresses do not belong to the firewall; they belong
to discovered neighbors).
PAN-OS® Administrator’s Guide Version Version 9.1 1319 ©2021 Palo Alto Networks, Inc.
Networking
PAN-OS® Administrator’s Guide Version Version 9.1 1320 ©2021 Palo Alto Networks, Inc.
Networking
PAN-OS® Administrator’s Guide Version Version 9.1 1321 ©2021 Palo Alto Networks, Inc.
Networking
STEP 2 | Specify the match criteria for incoming packets; packets that match all of the criteria are
subject to the NPTv6 translaon.
Zones are required for both types of translaon.
1. On the Original Packet tab, for Source Zone, leave Any or Add the source zone to which
the policy applies.
2. Enter the Desnaon Zone to which the policy applies.
3. (Oponal) Select a Desnaon Interface.
4. (Oponal) Select a Service to restrict what type of packets are translated.
5. If you are doing source translaon, enter a Source Address or select Any. The address
could be an address object. The following constraints apply to Source Address and
Desnaon Address:
• Prefixes of Source Address and Desnaon Address for the Original Packet and
Translated Packet must be in the format xxxx:xxxx::/yy, although leading zeros in the
prefix can be dropped.
• The IPv6 address cannot have an interface idenfier (host) poron defined.
• The range of supported prefix lengths is /32 to /64.
• The Source Address and Desnaon Address cannot both be set to Any.
6. If you are doing source translaon, you can oponally enter a Desnaon Address.
If you are doing desnaon translaon, the Desnaon Address is required. The
desnaon address (an address object is allowed) must be a netmask, not just an IPv6
address and not a range. The prefix length must be a value from /32 to /64, inclusive. For
example, 2001:db8::/32.
PAN-OS® Administrator’s Guide Version Version 9.1 1322 ©2021 Palo Alto Networks, Inc.
Networking
If the address is a subnet, the NDP Proxy will respond to all addresses in the
subnet, so you should list the neighbors in that subnet with Negate selected, as
described in the next step.
4. (Oponal) Enter one or more addresses for which you do not want NDP Proxy enabled,
and select Negate. For example, from an IP address range or prefix range configured in
the prior step, you could negate a smaller subset of addresses. It is recommended that
you negate the addresses of the neighbors of the firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 1323 ©2021 Palo Alto Networks, Inc.
Networking
NAT64
NAT64 provides a way to transion to IPv6 while you sll need to communicate with IPv4
networks. When you need to communicate from an IPv6-only network to an IPv4 network,
you use NAT64 to translate source and desnaon addresses from IPv6 to IPv4 and vice versa.
NAT64 allows IPv6 clients to access IPv4 servers and allows IPv4 clients to access IPv6 servers.
You should understand NAT before configuring NAT64.
• NAT64 Overview
• IPv4-Embedded IPv6 Address
• DNS64 Server
• Path MTU Discovery
• IPv6-Iniated Communicaon
• Configure NAT64 for IPv6-Iniated Communicaon
• Configure NAT64 for IPv4-Iniated Communicaon
• Configure NAT64 for IPv4-Iniated Communicaon with Port Translaon
NAT64 Overview
You can configure two types of NAT64 translaon on a Palo Alto Networks firewall; each one is
doing a bidireconal translaon between the two IP address families:
• The firewall supports stateful NAT64 for IPv6-Iniated Communicaon, which maps mulple
IPv6 addresses to one IPv4 address, thus preserving IPv4 addresses. (It does not support
stateless NAT64, which maps one IPv6 address to one IPv4 address and therefore does not
preserve IPv4 addresses.) Configure NAT64 for IPv6-Iniated Communicaon.
• The firewall supports IPv4-iniated communicaon with a stac binding that maps an
IPv4 address and port number to an IPv6 address. Configure NAT64 for IPv4-Iniated
Communicaon. It also supports port rewrite, which preserves even more IPv4 addresses by
translang an IPv4 address and port number to an IPv6 address with mulple port numbers.
Configure NAT64 for IPv4-Iniated Communicaon with Port Translaon.
A single IPv4 address can be used for NAT44 and NAT64; you don’t reserve a pool of IPv4
addresses for NAT64 only.
NAT64 operates on Layer 3 interfaces, subinterfaces, and tunnel interfaces. To use NAT64 on a
Palo Alto Networks firewall for IPv6-iniated communicaon, you must have a third-party DNS64
Server or a soluon in place to separate the DNS query funcon from the NAT funcon. The
DNS64 server translates between your IPv6 host and an IPv4 DNS server by encoding the IPv4
address it receives from a public DNS server into an IPv6 address for the IPv6 host.
Palo Alto Networks supports the following NAT64 features:
• Hairpinning (NAT U-Turn); addionally, NAT64 prevents hairpinning loop aacks by dropping
all incoming IPv6 packets that have a source prefix of 64::/n.
• Translaon of TCP/UDP/ICMP packets per RFC 6146 and the firewall makes a best effort to
translate other protocols that don’t use an applicaon-level gateway (ALG). For example, the
firewall can translate a GRE packet. This translaon has the same limitaon as NAT44: if you
PAN-OS® Administrator’s Guide Version Version 9.1 1324 ©2021 Palo Alto Networks, Inc.
Networking
don’t have an ALG for a protocol that can use a separate control and data channel, the firewall
might not understand the return traffic flow.
• Translaon between IPv4 and IPv6 of the ICMP length aribute of the original datagram field,
per RFC 4884.
The firewall supports translaon for /32, /40, /48, /56, /64, and /96 subnets using these prefixes.
A single firewall supports mulple prefixes; each NAT64 rule uses one prefix. The prefix can be
the Well-Known Prefix (64:FF9B::/96) or a Network-Specific Prefix (NSP) that is unique to the
organizaon that controls the address translator (the DNS64 device). An NSP is usually a network
within the organizaon’s IPv6 prefix. The DNS64 device typically sets the u field and suffix to
zeros; the firewall ignores those fields.
DNS64 Server
If you need to use a DNS and you want to perform NAT64 translaon using IPv6-Iniated
Communicaon, you must use a third-party DNS64 server or other DNS64 soluon that is set
up with the Well-Known Prefix or your NSP. When an IPv6 host aempts to access an IPv4 host
or domain on the internet, the DNS64 server queries an authoritave DNS server for the IPv4
address mapped to that host name. The DNS server returns an Address record (A record) to the
DNS64 server containing the IPv4 address for the host name.
The DNS64 server in turn converts the IPv4 address to hexadecimal and encodes it into the
appropriate octets of the IPv6 prefix it is set up to use (the Well-Known Prefix or your NSP) based
on the prefix length, which results in an IPv4-Embedded IPv6 Address. The DNS64 server sends
an AAAA record to the IPv6 host that maps the IPv4-embedded IPv6 address to the IPv4 host
name.
PAN-OS® Administrator’s Guide Version Version 9.1 1325 ©2021 Palo Alto Networks, Inc.
Networking
IPv6-Iniated Communicaon
IPv6-iniated communicaon to the firewall is similar to source NAT for an IPv4 topology.
Configure NAT64 for IPv6-Iniated Communicaon when your IPv6 host needs to communicate
with an IPv4 server.
In the NAT64 policy rule, configure the original source to be an IPv6 host address or Any.
Configure the desnaon IPv6 address as either the Well-Known Prefix or the NSP that the
DNS64 server uses. (You do not configure the full IPv6 desnaon address in the rule.)
If you need to use a DNS, you need to use a DNS64 Server to convert an IPv4 DNS “A” result
into an “AAAA” result merged with the NAT64 prefix. If you don’t use a DNS, you need to create
the address using the IPv4 desnaon address and the NAT64 prefix configured on the firewall,
following RFC 6052 rules.
For environments that use a DNS, the example topology below illustrates communicaon with the
DNS64 server. The DNS64 server must be set up to use the Well-Known Prefix 64:FF9B::/96 or
your Network-Specific Prefix, which must comply with RFC 6052 (/32, /40,/48,/56,/64, or /96).
On the translated side of the firewall, the translaon type must be Dynamic IP and Port in order
to implement stateful NAT64. You configure the source translated address to be the IPv4 address
of the egress interface on the firewall. You do not configure the desnaon translaon field; the
firewall translates the address by first finding the prefix length in the original desnaon address
of the rule and then based on the prefix, extracng the encoded IPv4 address from the original
desnaon IPv6 address in the incoming packet.
Before the firewall looks at the NAT64 rule, the firewall must do a route lookup to find the
desnaon security zone for an incoming packet. You must ensure that the NAT64 prefix can
be reached through the desnaon zone assignment because the NAT64 prefix should not be
routable by the firewall. The firewall would likely assign the NAT64 prefix to the default route or
PAN-OS® Administrator’s Guide Version Version 9.1 1326 ©2021 Palo Alto Networks, Inc.
Networking
drop the NAT64 prefix because there is no route for it. The firewall will not find a desnaon zone
because the NAT64 prefix is not in its roung table, associated with an egress interface and zone.
You must also configure a tunnel interface (with no terminaon point). You apply the NAT64 prefix
to the tunnel and apply the appropriate zone to ensure that IPv6 traffic with the NAT64 prefix
is assigned to the proper desnaon zone. The tunnel also has the advantage of dropping IPv6
traffic with the NAT64 prefix if the traffic does not match the NAT64 rule. Your configured roung
protocol on the firewall looks up the IPv6 prefix in its roung table to find the desnaon zone
and then looks at the NAT64 rule.
The following figure illustrates the role of the DNS64 server in the name resoluon process. In this
example, the DNS64 server is configured to use Well-Known Prefix 64:FF9B::/96.
1. A user at the IPv6 host enters the URL www.abc.com, which generates a name server lookup
(nslookup) to the DNS64 server.
2. The DNS64 Server sends an nslookup to the public DNS server for www.abc.com, requesng
its IPv4 address.
3. The DNS server returns an A record that provides the IPv4 address to the DNS64 server.
4. The DNS64 server sends an AAAA record to the IPv6 user, converng the IPv4 doed
decimal address 198.51.100.1 into C633:6401 hexadecimal and embedding it into its own IPv6
prefix, 64:FF9B::/96. [198 = C6 hex; 51 = 33 hex; 100 = 64 hex; 1 = 01 hex.] The result is IPv4-
Embedded IPv6 Address 64:FF9B::C633:6401.
Keep in mind that in a /96 prefix, the IPv4 address is the last four octets encoded in the IPv6
address. If the DNS64 server uses a /32, /40, /48, /56 or /64 prefix, the IPv4 address is encoded
as shown in RFC 6052.
Upon the transparent name resoluon, the IPv6 host sends a packet to the firewall containing
its IPv6 source address and desnaon IPv6 address 64:FF9B::C633:6401 as determined by the
DNS64 server. The firewall performs the NAT64 translaon based on your NAT64 rule.
PAN-OS® Administrator’s Guide Version Version 9.1 1327 ©2021 Palo Alto Networks, Inc.
Networking
STEP 2 | Create an address object for the IPv6 desnaon address (pre-translaon).
1. Select Objects > Addresses and click Add.
2. Enter a Name for the object, for example, nat64-IPv4 Server.
3. For Type, select IP Netmask and enter the IPv6 prefix with a netmask that is compliant
with RFC 6052 (/32, /40, /48, /56, /64, or /96). This is either the Well-Known Prefix or
your Network-Specific Prefix that is configured on the DNS64 Server.
For this example, enter 64:FF9B::/96.
The source and desnaon must have the same netmask (prefix length).
(You don’t enter a full desnaon address because, based on the prefix length, the
firewall extracts the encoded IPv4 address from the original desnaon IPv6 address in
the incoming packet. In this example, the prefix in the incoming packet is encoded with
C633:6401 in hexadecimal, which is the IPv4 desnaon address 198.51.100.1.)
4. Click OK.
STEP 3 | (Oponal) Create an address object for the IPv6 source address (pre-translaon).
1. Select Objects > Addresses and click Add.
2. Enter a Name for the object.
3. For Type, select IP Netmask and enter the address of the IPv6 host, in this example,
2001:DB8::5/96.
4. Click OK.
STEP 4 | (Oponal) Create an address object for the IPv4 source address (translated).
1. Select Objects > Addresses and click Add.
2. Enter a Name for the object.
3. For Type, select IP Netmask and enter the IPv4 address of the firewall’s egress interface,
in this example, 192.0.2.1.
4. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1328 ©2021 Palo Alto Networks, Inc.
Networking
STEP 8 | Configure a tunnel interface to emulate a loopback interface with a netmask other than 128.
1. Select Network > Interfaces > Tunnel and Add a tunnel.
2. For Interface Name, enter a numeric suffix, such as .2.
3. On the Config tab, select the Virtual Router where you are configuring NAT64.
4. For Security Zone, select the desnaon zone associated with the IPv4 server
desnaon (Trust zone).
5. On the IPv6 tab, select Enable IPv6 on the interface.
6. Click Add and for the Address, select New Address.
7. Enter a Name for the address.
8. (Oponal) Enter a Descripon for the tunnel address.
9. For Type, select IP Netmask and enter your IPv6 prefix and prefix length, in this example,
64:FF9B::/96.
10. Click OK.
11. Select Enable address on interface and click OK.
12. Click OK.
13. Click OK to save the tunnel.
PAN-OS® Administrator’s Guide Version Version 9.1 1329 ©2021 Palo Alto Networks, Inc.
Networking
STEP 9 | Create a security policy to allow NAT traffic from the trust zone.
1. Select Policies > Security and Add a rule Name.
2. Select Source and Add a Source Zone; select Trust.
3. For Source Address, select Any.
4. Select Desnaon and Add a Desnaon Zone; select Untrust.
5. For Applicaon, select Any.
6. For Acons, select Allow.
7. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1330 ©2021 Palo Alto Networks, Inc.
Networking
STEP 2 | (Oponal) When an IPv4 packet has its DF bit set to zero (and because IPv6 does not
fragment packets), ensure the translated IPv6 packet does not exceed the path MTU for the
desnaon IPv6 network.
1. Select Device > Setup > Session and edit Session Sengs.
2. For NAT64 IPv6 Minimum Network MTU, enter the smallest number of bytes into
which the firewall will fragment IPv4 packets for translaon to IPv6 (range is 1280-9216,
default is 1280).
If you don’t want the firewall to fragment an IPv4 packet prior to translaon,
set the MTU to 9216. If the translated IPv6 packet sll exceeds this value, the
firewall drops the packet and issues an ICMP packet indicang desnaon
unreachable - fragmentaon needed.
3. Click OK.
STEP 3 | Create an address object for the IPv4 desnaon address (pre-translaon).
1. Select Objects > Addresses and click Add.
2. Enter a Name for the object, for example, nat64_ip4server.
3. For Type, select IP Netmask and enter the IPv4 address of the firewall interface in the
Untrust zone. The address must use no netmask or a netmask of /32 only. This example
uses 198.51.19.1/32.
4. Click OK.
STEP 4 | Create an address object for the IPv6 source address (translated).
1. Select Objects > Addresses and click Add.
2. Enter a Name for the object, for example, nat64_ip6source.
3. For Type, select IP Netmask and enter the NAT64 IPv6 address with a netmask that is
compliant with RFC 6052 (/32, /40, /48, /56, /64, or /96).
For this example, enter 64:FF9B::/96.
(The firewall encodes the prefix with the IPv4 source address 192.1.2.8, which is
C001:0208 in hexadecimal.)
4. Click OK.
STEP 5 | Create an address object for the IPv6 desnaon address (translated).
1. Select Objects > Addresses and click Add.
2. Enter a Name for the object, for example, nat64_server_2.
3. For Type, select IP Netmask and enter the IPv6 address of the IPv6 server (desnaon).
The address must use no netmask or a netmask of /128 only. This example uses
2001:DB8::2/128.
4. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1331 ©2021 Palo Alto Networks, Inc.
Networking
STEP 9 | Create a security policy to allow the NAT traffic from the Untrust zone.
1. Select Policies > Security and Add a rule Name.
2. Select Source and Add a Source Zone; select Untrust.
3. For Source Address, select Any.
4. Select Desnaon and Add a Desnaon Zone; select DMZ.
5. For Acons, select Allow.
6. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1332 ©2021 Palo Alto Networks, Inc.
Networking
STEP 2 | (Oponal) When an IPv4 packet has its DF bit set to zero (and because IPv6 does not
fragment packets), ensure the translated IPv6 packet does not exceed the path MTU for the
desnaon IPv6 network.
1. Select Device > Setup > Session and edit Session Sengs.
2. For NAT64 IPv6 Minimum Network MTU, enter the smallest number of byes into which
the firewall will fragment IPv4 packets for translaon to IPv6 (range is 1280-9216,
default is 1280).
If you don’t want the firewall to fragment an IPv4 packet prior to translaon,
set the MTU to 9216. If the translated IPv6 packet sll exceeds this value, the
firewall drops the packet and issues an ICMP packet indicang desnaon
unreachable - fragmentaon needed.
3. Click OK.
STEP 3 | Create an address object for the IPv4 desnaon address (pre-translaon).
1. Select Objects > Addresses and click Add.
2. Enter a Name for the object, for example, nat64_ip4server.
3. For Type, select IP Netmask and enter the IPv4 address and netmask of the firewall
interface in the Untrust zone. This example uses 198.51.19.1/24.
4. Click OK.
STEP 4 | Create an address object for the IPv6 source address (translated).
1. Select Objects > Addresses and click Add.
2. Enter a Name for the object, for example, nat64_ip6source.
3. For Type, select IP Netmask and enter the NAT64 IPv6 address with a netmask that is
compliant with RFC 6052 (/32, /40, /48, /56, /64, or /96).
For this example, enter 64:FF9B::/96.
(The firewall encodes the prefix with the IPv4 source address 192.1.2.8, which is
C001:0208 in hexadecimal.)
4. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1333 ©2021 Palo Alto Networks, Inc.
Networking
STEP 5 | Create an address object for the IPv6 desnaon address (translated).
1. Select Objects > Addresses and click Add.
2. Enter a Name for the object, for example, nat64_server_2.
3. For Type, select IP Netmask and enter the IPv6 address of the IPv6 server (desnaon).
This example uses 2001:DB8::2/64.
The source and desnaon must have the same netmask (prefix length).
4. Click OK.
STEP 7 | Specify the original source and desnaon informaon, and create a service to limit the
translaon to a single ingress port number.
1. For the Original Packet, Add the Source Zone, likely an untrust zone.
2. Select the Desnaon Zone, likely a trust or DMZ zone.
3. For Service, select New Service.
4. Enter a Name for the Service, such as Port_8080.
5. Select TCP as the Protocol.
6. For Desnaon Port, enter 8080.
7. Click OK to save the Service.
8. For Source Address, select Anyor Add the address object for the IPv4 host.
9. For Desnaon Address, Add the address object for the IPv4 desnaon, in this
example, nat64_ip4server.
PAN-OS® Administrator’s Guide Version Version 9.1 1334 ©2021 Palo Alto Networks, Inc.
Networking
STEP 9 | Create a security policy to allow the NAT traffic from the Untrust zone.
1. Select Policies > Security and Add a rule Name.
2. Select Source and Add a Source Zone; select Untrust.
3. For Source Address, select Any.
4. Select Desnaon and Add a Desnaon Zone; select DMZ.
5. For Acons, select Allow.
6. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1335 ©2021 Palo Alto Networks, Inc.
Networking
ECMP
Equal Cost Mulple Path (ECMP) processing is a networking feature that enables the firewall
to use up to four equal-cost routes to the same desnaon. Without this feature, if there are
mulple equal-cost routes to the same desnaon, the virtual router chooses one of those routes
from the roung table and adds it to its forwarding table; it will not use any of the other routes
unless there is an outage in the chosen route.
Enabling ECMP funconality on a virtual router allows the firewall to have up to four equal-cost
paths to a desnaon in its forwarding table, allowing the firewall to:
• Load balance flows (sessions) to the same desnaon over mulple equal-cost links.
• Efficiently use all available bandwidth on links to the same desnaon rather than leave some
links unused.
• Dynamically shi traffic to another ECMP member to the same desnaon if a link fails, rather
than having to wait for the roung protocol or RIB table to elect an alternave path/route. This
can help reduce downme when links fail.
For informaon about ECMP path selecon when an HA peer fails, see ECMP in Acve/Acve HA
Mode.
The following secons describe ECMP and how to configure it.
• ECMP Load-Balancing Algorithms
• ECMP Model, Interface, and IP Roung Support
• Configure ECMP on a Virtual Router
• Enable ECMP for Mulple BGP Autonomous Systems
• Verify ECMP
Enabling, disabling, or changing ECMP on an exisng virtual router causes the system to
restart the virtual router, which might cause exisng sessions to be terminated.
PAN-OS® Administrator’s Guide Version Version 9.1 1336 ©2021 Palo Alto Networks, Inc.
Networking
PAN-OS® Administrator’s Guide Version Version 9.1 1337 ©2021 Palo Alto Networks, Inc.
Networking
STEP 3 | Specify the maximum number of equal-cost paths (to a desnaon network) that can be
copied from the Roung Informaon Base (RIB) to the Forwarding Informaon Base (FIB).
For Max Path allowed, enter 2, 3, or 4. Default: 2.
PAN-OS® Administrator’s Guide Version Version 9.1 1338 ©2021 Palo Alto Networks, Inc.
Networking
STEP 4 | Select the load-balancing algorithm for the virtual router. For more informaon on load-
balancing methods and how they differ, see ECMP Load-Balancing Algorithms.
For Load Balance, select one of the following opons from the Method list:
• IP Modulo (default)—Uses a hash of the source and desnaon IP addresses in the packet
header to determine which ECMP route to use.
• IP Hash—There are two IP hash methods that determine which ECMP route to use (select
hash opons in Step 5):
• Use a hash of the source address (available in PAN-OS 8.0.3 and later releases).
• Use a hash of the source and desnaon IP addresses (the default IP hash method).
• Balanced Round Robin—Uses round robin among the ECMP paths and re-balances paths
when the number of paths changes.
• Weighted Round Robin—Uses round robin and a relave weight to select from among
ECMP paths. Specify the weights in Step 6 below.
If you select Use Source Address Only, you shouldn’t push the configuraon from
Panorama to firewalls running PAN-OS 8.0.2, 8.0.1, or 8.0.0.
2. Select Use Source/Desnaon Ports if you want to use source or desnaon port
numbers in the IP Hash calculaon.
Enabling this opon along with Use Source Address Only will randomize path
selecon even for sessions belonging to the same source IP address.
3. Enter a Hash Seed value (an integer with a maximum of nine digits). Specify a Hash Seed
value to further randomize load balancing. Specifying a hash seed value is useful if you
have a large number of sessions with the same tuple informaon.
STEP 6 | (Weighted Round Robin only) Define a weight for each interface in the ECMP group.
If you selected Weighted Round Robin as the Method, define a weight for each of the
interfaces that are the egress points for traffic to be routed to the same desnaons (that is,
PAN-OS® Administrator’s Guide Version Version 9.1 1339 ©2021 Palo Alto Networks, Inc.
Networking
interfaces that are part of an ECMP group, such as the interfaces that provide redundant links
to your ISP or interfaces to the core business applicaons on your corporate network).
The higher the weight, the more oen that equal-cost path will be selected for a new session.
Give higher speed links a higher weight than a slower links so that more of the ECMP
traffic goes over the faster link.
This message displays only if you are modifying an exisng virtual router with
ECMP.
In the following figure, two ECMP paths to a desnaon go through two firewalls belonging to
two different ISPs in different BGP autonomous systems.
PAN-OS® Administrator’s Guide Version Version 9.1 1340 ©2021 Palo Alto Networks, Inc.
Networking
STEP 2 | For BGP roung, enable ECMP over mulple autonomous systems.
1. Select Network > Virtual Routers and select the virtual router on which to enable ECMP
for mulple BGP autonomous systems.
2. Select BGP > Advanced and select ECMP Mulple AS Support.
Verify ECMP
A virtual router configured for ECMP indicates in the Forwarding Informaon Base (FIB) table
which routes are ECMP routes. An ECMP flag (E) for a route indicates that it is parcipang in
ECMP for the egress interface to the next hop for that route. To verify ECMP, use the following
procedure to look at the FIB and confirm that some routes are equal-cost mulple paths.
STEP 1 | Select Network > Virtual Routers.
STEP 2 | In the row of the virtual router for which you enabled ECMP, click More Runme Stats.
In the table, mulple routes to the same Desnaon (out a different Interface) have the
E flag. An asterisk (*) denotes the preferred path for the ECMP group.
PAN-OS® Administrator’s Guide Version Version 9.1 1341 ©2021 Palo Alto Networks, Inc.
Networking
LLDP
Palo Alto Networks firewalls support Link Layer Discovery Protocol (LLDP), which funcons at
the link layer to discover neighboring devices and their capabilies. LLDP allows the firewall and
other network devices to send and receive LLDP data units (LLDPDUs) to and from neighbors. The
receiving device stores the informaon in a MIB, which the Simple Network Management Protocol
(SNMP) can access. LLDP makes troubleshoong easier, especially for virtual wire deployments
where the firewall would typically go undetected by a ping or traceroute.
• LLDP Overview
• Supported TLVs in LLDP
• LLDP Syslog Messages and SNMP Traps
• Configure LLDP
• View LLDP Sengs and Status
• Clear LLDP Stascs
LLDP Overview
LLDP operates at Layer 2 of the OSI model, using MAC addresses. An LLDPDU is a sequence of
type-length-value (TLV) elements encapsulated in an Ethernet frame. The IEEE 802.1AB standard
defines three MAC addresses for LLDPDUs: 01-80-C2-00-00-0E, 01-80-C2-00-00-03, and
01-80-C2-00-00-00.
The Palo Alto Networks firewall supports only one MAC address for transming and receiving
LLDP data units: 01-80-C2-00-00-0E. When transming, the firewall uses 01-80-C2-00-00-0E
as the desnaon MAC address. When receiving, the firewall processes datagrams with 01-80-
C2-00-00-0E as the desnaon MAC address. If the firewall receives either of the other two MAC
addresses for LLDPDUs on its interfaces, the firewall takes the same forwarding acon it took
prior to this feature, as follows:
• If the interface type is vwire, the firewall forwards the datagram to the other port.
• If the interface type is L2, the firewall floods the datagram to the rest of the VLAN.
• If the interface type is L3, the firewall drops the datagrams.
Panorama and the WildFire appliance are not supported.
Interface types that do not support LLDP are TAP, high availability (HA), Decrypt Mirror, virtual
wire/vlan/L3 subinterfaces, and PA-7000 Series Log Processing Card (LPC) interfaces.
An LLDP Ethernet frame has the following format:
PAN-OS® Administrator’s Guide Version Version 9.1 1342 ©2021 Palo Alto Networks, Inc.
Networking
Within the LLDP Ethernet frame, the TLV structure has the following format:
Chassis ID TLV 1 Idenfies the firewall chassis. Each firewall must have exactly one
unique Chassis ID. The Chassis ID subtype is 4 (MAC address) on
Palo Alto Networks models will use the MAC address of Eth0 to
ensure uniqueness.
Port ID TLV 2 Idenfies the port from which the LLDPDU is sent. Each firewall
uses one Port ID for each LLDPDU message transmied. The
Port ID subtype is 5 (interface name) and uniquely idenfies the
transming port. The firewall uses the interface’s ifname as the
Port ID.
End of 0 Indicates the end of the TLVs in the LLDP Ethernet frame.
LLDPDU TLV
The following table lists the oponal TLVs that the Palo Alto Networks firewall supports:
PAN-OS® Administrator’s Guide Version Version 9.1 1343 ©2021 Palo Alto Networks, Inc.
Networking
PAN-OS® Administrator’s Guide Version Version 9.1 1344 ©2021 Palo Alto Networks, Inc.
Networking
Because the LLDP syslog and SNMP trap messages are rate-limited, some LLDP informaon
provided to those processes might not match the current LLDP stascs seen when you View the
LLDP status informaon. This is normal, expected behavior.
A maximum of 5 MIBs can be received per interface (Ethernet or AE). Each different source has
one MIB. If this limit is exceeded, the error message tooManyNeighbors is triggered.
Configure LLDP
To configure LLDP and create an LLDP profile, you must be a superuser or device administrator
(deviceadmin). A firewall interface supports a maximum of five LLDP peers.
STEP 1 | Enable LLDP on the firewall.
Select Network > LLDP and edit the LLDP General secon; select Enable.
PAN-OS® Administrator’s Guide Version Version 9.1 1345 ©2021 Palo Alto Networks, Inc.
Networking
trap and a syslog event as configured in the Device > Log Sengs > System > SNMP
Trap Profile and Syslog Profile.
4. For Oponal TLVs, select the TLVs you want transmied:
• Port Descripon
• System Name
• System Descripon
• System Capabilies
5. (Oponal) Select Management Address to add one or more management addresses and
Add a Name.
6. Select the Interface from which to obtain the management address. At least one
management address is required if Management Address TLV is enabled. If no
management IP address is configured, the system uses the MAC address of the
transming interface as the management address TLV.
7. Select IPv4 or IPv6, and in the adjacent field, select an IP address from the list (which
lists the addresses configured on the selected interface), or enter an address.
8. Click OK.
9. Up to four management addresses are allowed. If you specify more than one
Management Address, they will be sent in the order they are specified, starng at the
top of the list. To change the order of the addresses, select an address and use the Move
Up or Move Down buons.
10. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1346 ©2021 Palo Alto Networks, Inc.
Networking
PAN-OS® Administrator’s Guide Version Version 9.1 1347 ©2021 Palo Alto Networks, Inc.
Networking
STEP 3 | View summary LLDP informaon for each neighbor seen on an interface.
1. Select the Peers tab.
2. (Oponal) Enter a filter to restrict the informaon being displayed.
Local Interface—Interface on the firewall that detected the neighboring device.
Remote Chassis ID—Chassis ID of the peer. The MAC address will be used.
Port ID—Port ID of the peer.
Name—Name of peer.
More info—Provides the following remote peer details, which are based on the
Mandatory and Oponal TLVs:
• Chassis Type: MAC address.
• MAC Address: MAC address of the peer.
• System Name: Name of the peer.
• System Descripon: Descripon of the peer.
• Port Descripon: Port descripon of the peer.
• Port Type: Interface name.
• Port ID: The firewall uses the interface’s ifname.
• System Capabilies: Capabilies of the system. O=Other, P=Repeater, B=Bridge,
W=Wireless-LAN, R=Router, T=Telephone
• Enabled Capabilies: Capabilies enabled on the peer.
• Management Address: Management address of the peer.
PAN-OS® Administrator’s Guide Version Version 9.1 1348 ©2021 Palo Alto Networks, Inc.
Networking
BFD
The firewall supports Bidireconal Forwarding Detecon (BFD) (RFC 5880), a protocol that
recognizes a failure in the bidireconal path between two roung peers. BFD failure detecon is
extremely fast, providing for a faster failover than can be achieved by link monitoring or frequent
dynamic roung health checks, such as Hello packets or heartbeats. Mission-crical data centers
and networks that require high availability and extremely fast failover need the extremely fast
failure detecon that BFD provides.
• BFD Overview
• Configure BFD
• Reference: BFD Details
BFD Overview
When you enable BFD, BFD establishes a session from one endpoint (the firewall) to its BFD peer
at the endpoint of a link using a three-way handshake. Control packets perform the handshake
and negoate the parameters configured in the BFD profile, including the minimum intervals at
which the peers can send and receive control packets. BFD control packets for both IPv4 and IPv6
are transmied over UDP port 3784. BFD control packets for mulhop support are transmied
over UDP port 4784. BFD control packets transmied over either port are encapsulated in the
UDP packets.
Aer the BFD session is established, the Palo Alto Networks implementaon of BFD operates in
asynchronous mode, meaning both endpoints send each other control packets (which funcon
like Hello packets) at the negoated interval. If a peer does not receive a control packet within
the detecon me (calculated as the negoated transmit interval mulplied by a Detecon Time
Mulplier), the peer considers the session down. (The firewall does not support demand mode, in
which control packets are sent only if necessary rather than periodically.)
When you enable BFD for a stac route and a BFD session between the firewall and the BFD
peer fails, the firewall removes the failed route from the RIB and FIB tables and allows an alternate
path with a lower priority to take over. When you enable BFD for a roung protocol, BFD nofies
the roung protocol to switch to an alternate path to the peer. Thus, the firewall and BFD peer
reconverge on a new path.
A BFD profile allows you to Configure BFD sengs and apply them to one or more roung
protocols or stac routes on the firewall. If you enable BFD without configuring a profile, the
firewall uses its default BFD profile (with all of the default sengs). You cannot change the default
BFD profile.
When an interface is running mulple protocols that use different BFD profiles, BFD uses the
profile having the lowest Desired Minimum Tx Interval. See BFD for Dynamic Roung Protocols.
Acve/passive HA peers synchronize BFD configuraons and sessions; acve/acve HA peers do
not.
BFD is standardized in RFC 5880. PAN-OS does not support all components of RFC 5880; see
Non-Supported RFC Components of BFD.
PAN-OS also supports RFC 5881, hp://www.rfc-editor.org/rfc/rfc5881.txt. In this case, BFD
tracks a single hop between two systems that use IPv4 or IPv6, so the two systems are directly
PAN-OS® Administrator’s Guide Version Version 9.1 1349 ©2021 Palo Alto Networks, Inc.
Networking
connected to each other. BFD also tracks mulple hops from peers connected by BGP. PAN-OS
follows BFD encapsulaon as described in RFC 5883, hps://www.rfc-editor.org/rfc/rfc5883.txt.
However, PAN-OS does not support authencaon.
• BFD Model, Interface, and Client Support
• Non-Supported RFC Components of BFD
• BFD for Stac Routes
• BFD for Dynamic Roung Protocols
PAN-OS® Administrator’s Guide Version Version 9.1 1350 ©2021 Palo Alto Networks, Inc.
Networking
You must first enable a DHCP or PPPoE client for the interface, perform a commit, and wait
for the DHCP or PPPoE server to send the firewall the client IP address and default gateway IP
address. Then you can configure the stac route (using the default gateway address of the DHCP
or PPPoE client as the next hop), enable BFD, and perform a second commit.
The Palo Alto Networks implementaon of mulhop BFD follows the encapsulaon
poron of RFC 5883, Bidireconal Forwarding Detecon (BFD) for Mulhop Paths
but does not support authencaon. A workaround is to configure BFD in a VPN tunnel
for BGP. The VPN tunnel can provide authencaon without the duplicaon of BFD
authencaon.
When you enable BFD for OSPFv2 or OSPFv3 broadcast interfaces, OSPF establishes a BFD
session only with its Designated Router (DR) and Backup Designated Router (BDR). On point-to-
point interfaces, OSPF establishes a BFD session with the direct neighbor. On point-to-mulpoint
interfaces, OSPF establishes a BFD session with each peer.
The firewall does not support BFD on an OSPF or OSPFv3 virtual link.
Each roung protocol can have independent BFD sessions on an interface. Alternavely, two or
more roung protocols (BGP, OSPF, and RIP) can share a common BFD session for an interface.
When you enable BFD for mulple protocols on the same interface, and the source IP address
and desnaon IP address for the protocols are also the same, the protocols share a single BFD
session, thus reducing both dataplane overhead (CPU) and traffic load on the interface. If you
configure different BFD profiles for these protocols, only one BFD profile is used: the one that
has the lowest Desired Minimum Tx Interval. If the profiles have the same Desired Minimum Tx
Interval, the profile used by the first created session takes effect. In the case where a stac route
and OSPF share the same session, because a stac session is created right aer a commit, while
OSPF waits unl an adjacency is up, the profile of the stac route takes effect.
The benefit of using a single BFD session in these cases is that this behavior uses resources more
efficiently. The firewall can use the saved resources to support more BFD sessions on different
interfaces or support BFD for different source IP and desnaon IP address pairs.
IPv4 and IPv6 on the same interface always create different BFD sessions, even though they can
use the same BFD profile.
If you implement both BFD for BGP and HA path monitoring, Palo Alto Networks
recommends you not implement BGP Graceful Restart. When the BFD peer’s interface
fails and path monitoring fails, BFD can remove the affected routes from the roung table
and synchronize this change to the passive HA firewall before Graceful Restart can take
effect. If you decide to implement BFD for BGP, Graceful Restart for BGP, and HA path
monitoring, you should configure BFD with a larger Desired Minimum Tx Interval and
larger Detecon Time Mulplier than the default values.
PAN-OS® Administrator’s Guide Version Version 9.1 1351 ©2021 Palo Alto Networks, Inc.
Networking
Configure BFD
Aer you read the BFD Overview, which includes firewall models and interfaces supported,
perform the following before configuring BFD:
• Configure one or more Virtual Routers.
• Configure one or more Stac Routes if you are applying BFD to stac routes.
• Configure a roung protocol (BGP, OSPF, OSPFv3, or RIP) if you are applying BFD to a roung
protocol.
If you change a seng in a BFD profile that an exisng BFD session is using and
you commit the change, before the firewall deletes that BFD session and recreates
it with the new seng, the firewall sends a BFD packet with the local state set to
admin down. The peer device may or may not flap the roung protocol or stac
route, depending on the peer’s implementaon of RFC 5882, Secon 3.2.
1. Select Network > Network Profiles > BFD Profile and Add a Name for the BFD profile.
The name is case-sensive and must be unique on the firewall. Use only leers, numbers,
spaces, hyphens, and underscores.
2. Select the Mode in which BFD operates:
• Acve—BFD iniates sending control packets to peer (default). At least one of the
BFD peers must be Acve; both can be Acve.
• Passive—BFD waits for peer to send control packets and responds as required.
If you have mulple roung protocols that use different BFD profiles on the
same interface, configure the BFD profiles with the same Desired Minimum Tx
Interval.
2. Enter the Required Minimum Rx Interval (ms). This is the minimum interval, in
milliseconds, at which BFD can receive BFD control packets. Minimum on PA-7000
PAN-OS® Administrator’s Guide Version Version 9.1 1352 ©2021 Palo Alto Networks, Inc.
Networking
and PA-5200 Series firewalls is 50; minimum on VM-Series firewall is 200. Maximum is
2,000; default is 1,000.
When configuring a BFD profile, take into consideraon that the firewall is a session-
based device typically at the edge of a network or data center and may have slower
links than a dedicated router. Therefore, the firewall likely needs a longer interval and
a higher mulplier than the fastest sengs allowed. A detecon me that is too short
can cause false failure detecons when the issue is really just traffic congeson.
STEP 5 | (Oponal—For a BGP IPv4 implementaon only) Configure hop-related sengs for the BFD
profile.
1. Select Mulhop to enable BFD over BGP mulhop.
2. Enter the Minimum Rx TTL.This is the minimum Time-to-Live value (number of hops)
BFD will accept (receive) in a BFD control packet when BGP supports mulhop BFD.
(Range is 1-254; there is no default).
The firewall drops the packet if it receives a smaller TTL than its configured Minimum Rx
TTL. For example, if the peer is 5 hops away, and the peer transmits a BFD packet with
a TTL of 100 to the firewall, and if the Minimum Rx TTL for the firewall is set to 96 or
higher, the firewall drops the packet.
PAN-OS® Administrator’s Guide Version Version 9.1 1353 ©2021 Palo Alto Networks, Inc.
Networking
Selecng None (Disable BFD) disables BFD for this stac route.
8. Click OK.
A BFD column on the IPv4 or IPv6 tab indicates the BFD profile configured for the stac route.
PAN-OS® Administrator’s Guide Version Version 9.1 1354 ©2021 Palo Alto Networks, Inc.
Networking
STEP 8 | (Oponal) Enable BFD for all BGP interfaces or for a single BGP peer.
If you enable or disable BFD globally, all interfaces running BGP will be taken down
and brought back up with the BFD funcon. This can disrupt all BGP traffic. When
you enable BFD on the interface, the firewall stops the BGP connecon to the peer to
program BFD on the interface. The peer device sees the BGP connecon drop, which
can result in a reconvergence. Enable BFD for BGP interfaces during an off-peak me
when a reconvergence will not impact producon traffic.
If you implement both BFD for BGP and HA path monitoring, Palo Alto Networks
recommends you not implement BGP Graceful Restart. When the BFD peer’s interface
fails and path monitoring fails, BFD can remove the affected routes from the roung
table and synchronize this change to the passive HA firewall before Graceful Restart
can take effect. If you decide to implement BFD for BGP, Graceful Restart for BGP,
and HA path monitoring, you should configure BFD with a larger Desired Minimum Tx
Interval and larger Detecon Time Mulplier than the default values.
1. Select Network > Virtual Routers and select the virtual router where BGP is configured.
2. Select the BGP tab.
3. (Oponal) To apply BFD to all BGP interfaces on the virtual router, in the BFD list, select
one of the following and click OK:
• default—Uses only default sengs.
• A BFD profile you configured—See Create a BFD profile.
• New BFD Profile—Allows you to Create a BFD profile.
Selecng None (Disable BFD) disables BFD for all BGP interfaces on the virtual
router; you cannot enable BFD for a single BGP interface.
4. (Oponal) To enable BFD for a single BGP peer interface (thereby overriding the BFD
seng for BGP as long as it is not disabled), perform the following tasks:
1. Select the Peer Group tab.
2. Select a peer group.
3. Select a peer.
4. In the BFD list, select one of the following:
default—Uses only default sengs.
Inherit-vr-global-seng (default)—The BGP peer inherits the BFD profile that you
selected globally for BGP for the virtual router.
A BFD profile you configured—See Create a BFD profile.
5. Click OK.
6. Click OK.
A BFD column on the BGP - Peer Group/Peer list indicates the BFD profile configured for the
interface.
PAN-OS® Administrator’s Guide Version Version 9.1 1355 ©2021 Palo Alto Networks, Inc.
Networking
STEP 9 | (Oponal) Enable BFD for OSPF or OSPFv3 globally or for an OSPF interface.
1. Select Network > Virtual Routers and select the virtual router where OSPF or OSPFv3 is
configured.
2. Select the OSPF or OSPFv3 tab.
3. (Oponal) In the BFD list, select one of the following to enable BFD for all OSPF or
OSPFv3 interfaces and click OK:
• default—Uses only default sengs.
• A BFD profile you configured—See Create a BFD profile.
• New BFD Profile—Allows you to Create a BFD profile.
Selecng None (Disable BFD) disables BFD for all OSPF interfaces on the
virtual router; you cannot enable BFD for a single OSPF interface.
4. (Oponal) To enable BFD on a single OSPF peer interface (and thereby override the BFD
seng for OSPF, as long as it is not disabled), perform the following tasks:
1. Select the Areas tab and select an area.
2. On the Interface tab, select an interface.
3. In the BFD list, select one of the following to configure BFD for the specified OSPF
peer:
default—Uses only default sengs.
Inherit-vr-global-seng (default)—OSPF peer inherits the BFD seng for OSPF or
OSPFv3 for the virtual router.
A BFD profile you configured—See Create a BFD profile.
Selecng Disable BFD disables BFD for the OSPF or OSPFv3 interface.
4. Click OK.
5. Click OK.
A BFD column on the OSPF Interface tab indicates the BFD profile configured for the
interface.
PAN-OS® Administrator’s Guide Version Version 9.1 1356 ©2021 Palo Alto Networks, Inc.
Networking
STEP 10 | (Oponal) Enable BFD for RIP globally or for a single RIP interface.
1. Select Network > Virtual Routers and select the virtual router where RIP is configured.
2. Select the RIP tab.
3. (Oponal) In the BFD list, select one of the following to enable BFD for all RIP interfaces
on the virtual router and click OK:
• default—Uses only default sengs.
• A BFD profile you configured—See Create a BFD profile.
• New BFD Profile—Allows you to Create a BFD profile.
Selecng None (Disable BFD) disables BFD for all RIP interfaces on the virtual
router; you cannot enable BFD for a single RIP interface.
4. (Oponal) To enable BFD for a single RIP interface (and thereby override the BFD seng
for RIP, as long as it is not disabled), perform the following tasks:
1. Select the Interfaces tab and select an interface.
2. In the BFD list, select one of the following:
default—Uses only default sengs).
Inherit-vr-global-seng (default)—RIP interface inherits the BFD profile that you
selected for RIP globally for the virtual router.
A BFD profile you configured—See Create a BFD profile.
Selecng None (Disable BFD) disables BFD for the RIP interface.
3. Click OK.
5. Click OK.
The BFD column on the Interface tab indicates the BFD profile configured for the interface.
PAN-OS® Administrator’s Guide Version Version 9.1 1357 ©2021 Palo Alto Networks, Inc.
Networking
STEP 13 | Monitor BFD profiles referenced by a roung configuraon; monitor BFD stascs, status,
and state.
Use the following CLI operaonal commands:
• show routing bfd active-profile [<name>]
• show routing bfd details [interface<name>][local-ip<ip>][multihop]
[peer-ip <ip>][session-id][virtual-router<name>]
• show routing bfd drop-counters session-id <session-id>
• show counter global | match bfd
Protocol STATIC(IPV4) Stac route (IP address family of stac route) and/
OSPF or dynamic roung protocol that is running BFD on
the interface.
BFD Profile default *(This Name of BFD profile applied to the interface.
BFD session
Because the sample interface has both a stac
has mulple
route and OSPF running BFD with different profiles,
BFD profiles.
the firewall uses the profile with the lowest Desired
Lowest ‘Desired
Minimum Tx Interval. In this example, the profile
Minimum Tx
used is the default profile.
Interval (ms)’ is
used to select
PAN-OS® Administrator’s Guide Version Version 9.1 1358 ©2021 Palo Alto Networks, Inc.
Networking
State (local/remote) up/up BFD states of the local and remote BFD peers.
Possible states are admin down, down, init, and up.
Up Time 2h 36m 21s Length of me BFD has been up (hours, minutes,
419ms seconds, and milliseconds).
Discriminator (local/ 1391591427/1 Discriminators for local and remote BFD peers.
remote)
Demand Mode Disabled PAN-OS does not support BFD Demand Mode, so
it is always in Disabled state.
Local Diag Code 0 (No Diagnosc codes indicang the reason for the local
Diagnosc) system’s last change in state:
0—No Diagnosc
1—Control Detecon Time Expired
2—Echo Funcon Failed
3—Neighbor Signaled Session Down
4—Forwarding Plane Reset
5—Path Down
6—Concatenated Path Down
7—Administravely Down
8—Reverse Concatenated Path Down
Last Received 0 (No Diagnosc code last received from BFD peer.
Remote Diag Code Diagnosc)
Transmit Hold Time 0ms Hold me (in milliseconds) aer a link comes up
before BFD transmits BFD control packets. A hold
me of 0ms means to transmit immediately. Range
is 0-120000ms.
PAN-OS® Administrator’s Guide Version Version 9.1 1359 ©2021 Palo Alto Networks, Inc.
Networking
Received Min Rx 1000ms Minimum Rx interval received from the peer; the
Interval interval at which the BFD peer can receive control
packets. Maximum is 2000ms.
Negoated Transmit 1000ms Transmit interval (in milliseconds) that the BFD
Interval peers have agreed to send BFD control packets to
each other. Maximum is 2000ms.
Tx Control Packets 9383 (420ms Number of BFD control packets transmied (and
(last) ago) length of me since BFD transmied the most
recent control packet).
Rx Control Packets 9384 (407ms Number of BFD control packets received (and
(last) ago) length of me since BFD received the most recent
control packet).
Agent Data Plane Slot 1 - DP 0 On PA-7000 Series firewalls, the dataplane CPU
that is assigned to handle packets for this BFD
session.
PAN-OS® Administrator’s Guide Version Version 9.1 1360 ©2021 Palo Alto Networks, Inc.
Networking
Diagnosc Code 0 (No Diagnosc code of last packet causing state change.
Diagnosc)
Required Min Echo 0ms PAN-OS does not support the BFD Echo funcon,
Rx Interval so this will always be 0ms.
PAN-OS® Administrator’s Guide Version Version 9.1 1361 ©2021 Palo Alto Networks, Inc.
Networking
TCP
Transmission Control Protocol (TCP) (RFC 793) is one of the main protocols in the Internet
Protocol (IP) suite, and is so prevalent that it is frequently referenced together with IP as TCP/
IP. TCP is considered a reliable transport protocol because it provides error-checking while
transming and receiving segments, acknowledges segments received, and reorders segments
that arrive in the wrong order. TCP also requests and provides retransmission of segments that
were dropped. TCP is stateful and connecon-oriented, meaning a connecon between the
sender and receiver is established for the duraon of the session. TCP provides flow control of
packets, so it can handle congeson over networks.
TCP performs a handshake during session setup to iniate and acknowledge a session. Aer
the data is transferred, the session is closed in an orderly manner, where each side transmits
a FIN packet and acknowledges it with an ACK packet. The handshake that iniates the TCP
session is oen a three-way handshake (an exchange of three messages) between the iniator
and the listener, or it could be a variaon, such as a four-way or five-way split handshake or a
PAN-OS® Administrator’s Guide Version Version 9.1 1362 ©2021 Palo Alto Networks, Inc.
Networking
simultaneous open. The TCP Split Handshake Drop explains how to Prevent TCP Split Handshake
Session Establishment.
Applicaons that use TCP as their transport protocol include Hypertext Transfer Protocol (HTTP),
HTTP Secure (HTTPS), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Telnet,
Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), and Secure Shell
(SSH).
The following topics describe details of the PAN-OS implementaon of TCP.
• TCP Half Closed and TCP Time Wait Timers
• Unverified RST Timer
• TCP Split Handshake Drop
• Maximum Segment Size (MSS)
You can use Zone Protecon Profiles on the firewall to configure packet-based aack protecon
and thereby drop IP, TCP, and IPv6 packets with undesirable characteriscs or strip undesirable
opons from packets before allowing them into the zone. You can also configure flood protecon,
specifying the rate of SYN connecons per second (not matching an exisng session) that trigger
an alarm, cause the firewall to randomly drop SYN packets or use SYN cookies, and cause the
firewall to drop SYN packets that exceed the maximum rate.
PAN-OS® Administrator’s Guide Version Version 9.1 1363 ©2021 Palo Alto Networks, Inc.
Networking
The TCP Time Wait mer should be set to a value less than the TCP Half Closed mer for the
following reasons:
• The longer me allowed aer the first FIN is seen gives the opposite side of the connecon
me to fully close the session.
• The shorter Time Wait me is because there is no need for the session to remain open for a
long me aer the second FIN or a RST is seen. A shorter Time Wait me frees up resources
sooner, yet sll allows me for the firewall to see the final ACK and possible retransmission of
other datagrams.
If you configure a TCP Time Wait mer to a value greater than the TCP Half Closed mer, the
commit will be accepted, but in pracce the TCP Time Wait mer will not exceed the TCP Half
Closed value.
The mers can be set globally or per applicaon. The global sengs are used for all applicaons
by default. If you configure TCP wait mers at the applicaon level, they override the global
sengs.
PAN-OS® Administrator’s Guide Version Version 9.1 1364 ©2021 Palo Alto Networks, Inc.
Networking
The Split Handshake opon is configured for a Zone Protecon profile that is assigned to a zone.
An interface that is a member of the zone drops any synchronizaon (SYN) packets sent from the
server, prevenng the following variaons of handshakes. The leer A in the figure indicates the
session iniator and B indicates the listener. Each numbered segment of the handshake has an
arrow indicang the direcon of the segment from the sender to the receiver, and each segment
indicates the control bit(s) seng.
PAN-OS® Administrator’s Guide Version Version 9.1 1365 ©2021 Palo Alto Networks, Inc.
Networking
If the DF (don’t fragment) bit is set for a packet, it is especially helpful to have a larger MSS
adjustment size and smaller MSS so that longer headers do not result in a packet length that
exceeds the allowed MTU. If the DF bit were set and the MTU were exceeded, the larger packets
would be dropped.
(PAN-OS 9.1.3 and later 9.1 releases) You can configure the firewall globally to fragment
IPv4 packets that exceed the egress interface MTU, even when the DF bit is set in the
packet. Enable this for Layer 3 physical interfaces and IPSec tunnel interfaces using the CLI
command debug dataplane set ip4-df-ignore yes. Restore the firewall to
the default behavior by using the CLI command debug dataplane set ipv4-df-
ignore no.
The firewall supports a configurable MSS adjustment size for IPv4 and IPv6 addresses on the
following Layer 3 interface types: Ethernet, subinterfaces, Aggregated Ethernet (AE), VLAN, and
loopback. The IPv6 MSS adjustment size applies only if IPv6 is enabled on the interface.
If IPv4 and IPv6 are enabled on an interface and the MSS Adjustment Size differs between
the two IP address formats, the proper MSS value corresponding to the IP type is used for
TCP traffic.
PAN-OS® Administrator’s Guide Version Version 9.1 1366 ©2021 Palo Alto Networks, Inc.
Networking
For IPv4 and IPv6 addresses, the firewall accommodates larger-than-expected TCP header
lengths. In the case where a TCP packet has a larger header length than you planned for, the
firewall chooses as the MSS adjustment size the larger of the following two values:
• The configured MSS adjustment size
• The sum of the length of the TCP header (20) + the length of IP headers in the TCP SYN
This behavior means that the firewall overrides the configured MSS adjustment size if necessary.
For example, if you configure an MSS adjustment size of 42, you expect the MSS to equal 1458
(the default MTU size minus the adjustment size [1500 - 42]). However, the TCP packet has 4
extra bytes of IP opons in the header, so the MSS adjustment size (20+20+4) equals 44, which is
larger than the configured MSS adjustment size of 42. The resulng MSS is 1500-44=1456 bytes,
smaller than you expected.
To configure the MSS adjustment size, in Configure Session Sengs, see 10
UDP
User Datagram Protocol (UDP) (RFC 768) is another main protocol of the IP suite, and is an
alternave to TCP. UDP is stateless and conneconless in that there is no handshake to set up
a session, and no connecon between the sender and receiver; the packets may take different
routes to get to a single desnaon. UDP is considered an unreliable protocol because it does not
provide acknowledgments, error-checking, retransmission, or reordering of datagrams. Without
the overhead required to provide those features, UDP has reduced latency and is faster than TCP.
UDP is referred to as a best-effort protocol because there is no mechanism or guarantee to ensure
that the data will arrive at its desnaon.
A UDP datagram is encapsulated in an IP packet. Although UDP uses a checksum for data
integrity, it performs no error checking at the network interface level. Error checking is assumed to
be unnecessary or is performed by the applicaon rather than UDP itself. UDP has no mechanism
to handle flow control of packets.
UDP is oen used for applicaons that require faster speeds and me-sensive, real-me
delivery, such as Voice over IP (VoIP), streaming audio and video, and online games. UDP is
transacon-oriented, so it is also used for applicaons that respond to small queries from many
clients, such as Domain Name System (DNS) and Trivial File Transfer Protocol (TFTP).
You can use Zone Protecon Profiles on the firewall to configure flood protecon and thereby
specify the rate of UDP connecons per second (not matching an exisng session) that trigger
an alarm, trigger the firewall to randomly drop UDP packets, and cause the firewall to drop UDP
packets that exceed the maximum rate. (Although UDP is conneconless, the firewall tracks UDP
datagrams in IP packets on a session basis; therefore if the UDP packet doesn’t match an exisng
session, it is considered a new session and it counts as a connecon toward the thresholds.)
ICMP
Internet Control Message Protocol (ICMP) (RFC 792) is another one of the main protocols of
the Internet Protocol suite; it operates at the Network layer of the OSI model. ICMP is used for
diagnosc and control purposes, to send error messages about IP operaons, or messages about
requested services or the reachability of a host or router. Network ulies such as traceroute and
ping are implemented by using various ICMP messages.
PAN-OS® Administrator’s Guide Version Version 9.1 1367 ©2021 Palo Alto Networks, Inc.
Networking
ICMP is a conneconless protocol that does not open or maintain actual sessions. However, the
ICMP messages between two devices can be considered a session.
Palo Alto Networks firewalls support ICMPv4 and ICMPv6. You can control ICMPv4 and ICMPv6
packets in several ways:
• Create Security Policy Rules Based on ICMP and ICMPv6 Packets and select the icmp or ipv6-
icmp applicaon in the rule.
• Control ICMPv6 Rate Liming when you Configure Session Sengs.
• Use Zone Protecon Profiles to configure flood protecon, specifying the rate of ICMP or
ICMPv6 connecons per second (not matching an exisng session) that trigger an alarm, trigger
the firewall to randomly drop ICMP or ICMPv6 packets, and cause the firewall to drop ICMP or
ICMPv6 packets that exceed the maximum rate.
• Use Zone Protecon Profiles to configure packet based aack protecon:
• For ICMP, you can drop certain types of packets or suppress the sending of certain packets.
• For ICMPv6 packets (Types 1, 2, 3, 4, and 137), you can specify that the firewall use the
ICMP session key to match a security policy rule, which determines whether the ICMPv6
packet is allowed or not. (The firewall uses the security policy rule, overriding the default
behavior of using the embedded packet to determine a session match.) When the firewall
drops ICMPv6 packets that match a security policy rule, the firewall logs the details in Traffic
logs.
PAN-OS® Administrator’s Guide Version Version 9.1 1368 ©2021 Palo Alto Networks, Inc.
Networking
recognizes as an icmp or ipv6-icmp session), the firewall forwards or drops the packet based on
the security policy rule acon. Security policy counters and traffic logs reflect the acons.
If no security policy rule matches the packet, the firewall applies its default security policy
rules, which allow intrazone traffic and block interzone traffic (logging is disabled by default for
these rules).
Although you can override the default rules to enable logging or change the default
acon, we don’t recommend you change the default behavior for a specific case
because it will impact all traffic that those default rules affect. Instead, create security
policy rules to control and log ICMP or ICMPv6 packets explicitly.
There are two ways to create explicit security policy rules to handle ICMP or ICMPv6 packets
that are not error or redirect packets:
• Create a security policy rule to allow (or deny) all ICMP or ICMPv6 packets—In the security
policy rule, specify the applicaon icmp or ipv6-icmp; the firewall allows (or denies) all
IP packets matching the ICMP protocol number (1) or ICMPv6 protocol number (58),
respecvely, through the firewall.
• Create a custom applicaon and a security policy rule to allow (or deny) packets from or
to that applicaon—This more granular approach allows you to Control Specific ICMP or
ICMPv6 Types and Codes.
PAN-OS® Administrator’s Guide Version Version 9.1 1369 ©2021 Palo Alto Networks, Inc.
Networking
STEP 1 | Create a custom applicaon for ICMP or ICMPv6 message types and codes.
1. Select Object > Applicaons and Add a custom applicaon.
2. On the Configuraon tab, enter a Name for the custom applicaon and a Descripon.
For example, enter the name ping6.
3. For Category, select networking.
4. For Subcategory, select ip-protocol.
5. For Technology, select network-protocol.
6. Click OK.
7. On the Advanced tab, select ICMP Type or ICMPv6 Type.
8. For Type, enter the number (range is 0-255) that designates the ICMP or ICMPv6
message type you want to allow or deny. For example, Echo Request message (ping) is
128.
9. If the Type includes codes, enter the Code number (range is 0-255) that applies to the
Type value you want to allow or deny. Some Type values have Code 0 only.
10. Click OK.
STEP 2 | Create a Security policy rule that allows or denies the custom applicaon you created.
Create a Security Policy Rule. On the Applicaon tab, specify the name of the custom
applicaon you just created.
If you change the TCP or UDP mers at the applicaon level, these mers for predefined
applicaons and shared custom applicaons will be implemented across all virtual
systems. If you need an applicaon’s mers to be different for a virtual system, you
must create a custom applicaon, assign it unique mers, and then assign the custom
applicaon to a unique virtual system.
PAN-OS® Administrator’s Guide Version Version 9.1 1370 ©2021 Palo Alto Networks, Inc.
Networking
Perform the following task if you need to change default values of the global session meout
sengs for TCP, UDP, ICMP, Capve Portal authencaon, or other types of sessions. All values
are in seconds.
The defaults are opmal values. However, you can modify these according to your network
needs. Seng a value too low could cause sensivity to minor network delays and could
result in a failure to establish connecons with the firewall. Seng a value too high could
delay failure detecon.
PAN-OS® Administrator’s Guide Version Version 9.1 1371 ©2021 Palo Alto Networks, Inc.
Networking
PAN-OS® Administrator’s Guide Version Version 9.1 1372 ©2021 Palo Alto Networks, Inc.
Networking
expire according to the TTL and the firewall caches new enres with the larger meout
value.
2. View the ARP cache meout seng with the operaonal CLI command show system
setting arp-cache-timeout.
STEP 2 | Specify whether to apply newly configured Security policy rules to sessions that are in
progress.
Select Rematch all sessions on config policy change to apply newly configured Security policy
rules to sessions that are already in progress. This capability is enabled by default. If you clear
this check box, any policy rule changes you make apply only to sessions iniated aer you
commit the policy change.
For example, if a Telnet session started while an associated policy rule was configured that
allowed Telnet, and you subsequently commied a policy change to deny Telnet, the firewall
applies the revised policy to the current session and blocks it.
PAN-OS® Administrator’s Guide Version Version 9.1 1373 ©2021 Palo Alto Networks, Inc.
Networking
Jumbo Frames can take up to five mes more memory compared to normal
packets and can reduce the number of available packet-buffers by 20%. This
reduces the queue sizes dedicated for out of order, applicaon idenficaon,
and other such packet processing tasks. As of PAN-OS 8.1, if you enable
the jumbo frame global MTU configuraon and reboot your firewall, packet
buffers are then redistributed to process jumbo frames more efficiently.
If you enable jumbo frames and you have interfaces where the MTU is not specifically
configured, those interfaces will automacally inherit the jumbo frame size. Therefore,
before you enable jumbo frames, if you have any interface that you do not want to have
jumbo frames, you must set the MTU for that interface to 1500 bytes or another value.
If you import (Device > Setup > Operaons > Import) and load a configuraon
that has Jumbo Frame enabled, and then commit to a firewall that does not
already have Jumbo Frame enabled, the Enable Jumbo Frame seng is not
commied to the configuraon. You should first Enable Jumbo Frame, reboot,
and then import, load and commit the configuraon.
PAN-OS® Administrator’s Guide Version Version 9.1 1374 ©2021 Palo Alto Networks, Inc.
Networking
Alert events are recorded in the system log. Events for dropped traffic, discarded
sessions, and blocked IP address are recorded in the threat log.
• Block Hold Time (sec): The amount of me a RED-migated session is allowed to
connue before it is discarded. By default, the block hold me is 60 seconds. The
range is 0 to 65,535 seconds. If the value is set to 0, the firewall does not discard
sessions based on packet buffer protecon.
• Block Duraon (sec): This seng defines how long a session is discarded or an
IP address is blocked. The default is 3,600 seconds with a range of 0 seconds to
15,999,999 seconds. If this value is set to 0, the firewall does not discard sessions or
block IP addresses based on packet buffer protecon.
PAN-OS® Administrator’s Guide Version Version 9.1 1375 ©2021 Palo Alto Networks, Inc.
Networking
packet to set up the mulcast route. This is expected behavior for mulcast traffic. You
only need to enable mulcast route setup buffering if your content servers are directly
connected to the firewall and your custom applicaon cannot withstand the first packet
in the session being dropped. This opon is disabled by default.
2. If you enable buffering, you can also tune the Buffer Size, which specifies the buffer size
per flow. The firewall can buffer a maximum of 5,000 packets.
You can also tune the duraon, in seconds, for which a mulcast route remains
in the roung table on the firewall aer the session ends by configuring the
mulcast sengs on the virtual router that handles your virtual router (set the
Mulcast Route Age Out Time (sec) on the Mulcast > Advanced tab in the
virtual router configuraon.
STEP 10 | Tune the Maximum Segment Size (MSS) adjustment size sengs for a Layer 3 interface.
1. Select Network > Interfaces, select Ethernet, VLAN, or Loopback, and select a Layer 3
interface.
2. Select Advanced > Other Info.
3. Select Adjust TCP MSS and enter a value for one or both of the following:
• IPv4 MSS Adjustment Size (range is 40 to 300 bytes; default is 40 bytes).
• IPv6 MSS Adjustment Size (range is 60 to 300 bytes; default is 60 bytes).
4. Click OK.
STEP 12 | Reboot the firewall aer changing the jumbo frame configuraon.
1. Select Device > Setup > Operaons.
2. Click Reboot Device.
PAN-OS® Administrator’s Guide Version Version 9.1 1376 ©2021 Palo Alto Networks, Inc.
Networking
PA-5220 firewall 1
PA-5250 firewall 2
The following topics provide informaon about the available session distribuon policies, how to
change an acve policy, and how to view session distribuon stascs.
• Session Distribuon Policy Descripons
• Change the Session Distribuon Policy and View Stascs
PAN-OS® Administrator’s Guide Version Version 9.1 1377 ©2021 Palo Alto Networks, Inc.
Networking
Ingress-slot (default on PA-7000 (PA-7000 Series firewalls only) New sessions are assigned
Series firewalls) to a DP on the same NPC on which the first packet of
the session arrived. The selecon of the DP is based on
the session-load algorithm but, in this case, sessions are
limited to the DPs on the ingress NPC.
Depending on the traffic and network topology, this policy
generally decreases the odds that traffic will need to
traverse the switch fabric.
Use this policy to reduce latency if both ingress and
egress are on the same NPC. If the firewall has a mix of
NPCs (PA-7000 20G and PA-7000 20GXM for example),
this policy can isolate the increased capacity to the
corresponding NPCs and help to isolate the impact of
NPC failures.
Round-robin (default on PA-5200 The firewall selects the dataplane processor based on
Series firewalls) a round-robin algorithm between acve dataplanes so
that input, output, and security processing funcons are
shared among all dataplanes.
Use this policy in low to medium demand environments
where a simple and predictable load balancing algorithm
will suffice.
In high demand environments, we recommend that you
use the session-load algorithm.
PAN-OS® Administrator’s Guide Version Version 9.1 1378 ©2021 Palo Alto Networks, Inc.
Networking
Task Command
Show the acve Use the show session distribution policy command to
session distribuon view the acve session distribuon policy.
policy.
The following output is from a PA-7080 firewall with four NPCs
installed in slots 2, 10, 11, and 12 with the ingress-slot distribuon
policy enabled:
PAN-OS® Administrator’s Guide Version Version 9.1 1379 ©2021 Palo Alto Networks, Inc.
Networking
Task Command
PAN-OS® Administrator’s Guide Version Version 9.1 1380 ©2021 Palo Alto Networks, Inc.
Networking
STEP 1 | Configure a Zone Protecon profile to prevent TCP sessions that use anything other than a
three-way handshake to establish a session.
1. Select Network > Network Profiles > Zone Protecon and Add a new profile (or select
an exisng profile).
2. If creang a new profile, enter a Name for the profile and an oponal Descripon.
3. Select Packet Based Aack Protecon > TCP Drop and select Split Handshake.
4. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1381 ©2021 Palo Alto Networks, Inc.
Networking
Tunnel content inspecon is for cleartext tunnels, not for VPN or LSVPN tunnels, which
carry encrypted traffic.
You can use tunnel content inspecon to enforce Security, DoS Protecon, and QoS policies on
traffic in these types of tunnels and traffic nested within another cleartext tunnel (for example, a
Null Encrypted IPSec tunnel inside a GRE tunnel). You can view tunnel inspecon logs and tunnel
acvity in the ACC to verify that tunneled traffic complies with your corporate security and usage
policies.
All firewall models support tunnel content inspecon for GRE, non-encrypted IPSec, and VXLAN
protocols. Only firewalls that support GTP security support GTP-U tunnel content inspecon—see
the PAN-OS Releases by Model that Support GTP and SCTP Security in the Compability Matrix.
• Tunnel Content Inspecon Overview
• Configure Tunnel Content Inspecon
• View Inspected Tunnel Acvity
• View Tunnel Informaon in Logs
• Create a Custom Report Based on Tagged Tunnel Traffic
PAN-OS® Administrator’s Guide Version Version 9.1 1382 ©2021 Palo Alto Networks, Inc.
Networking
the firewall can inspect the traffic of any non-encrypted tunnel protocols that tunnel content
inspecon supports.)
Tunnel content inspecon is supported in Layer 3, Layer 2, virtual wire, and tap deployments.
Tunnel content inspecon works on shared gateways and on virtual system-to-virtual system
communicaons.
The preceding figure illustrates the two levels of tunnel inspecon the firewall can perform. When
a firewall configured with Tunnel Inspecon policy rules receives a packet:
• The firewall first performs a Security policy check to determine whether the tunnel protocol
(Applicaon) in the packet is permied or denied. (IPv4 and IPv6 packets are supported
protocols inside the tunnel.)
• If the Security policy allows the packet, the firewall matches the packet to a Tunnel Inspecon
policy rule based on source zone, source address, source user, desnaon zone, and
desnaon address. The Tunnel Inspecon policy rule determines the tunnel protocols that the
firewall inspects, the maximum level of encapsulaon allowed (a single tunnel or a tunnel within
a tunnel), whether to allow packets containing a tunnel protocol that doesn’t pass strict header
inspecon per RFC 2780, and whether to allow packets containing unknown protocols.
• If the packet passes the Tunnel Inspecon policy rule’s match criteria, the firewall inspects the
inner content, which is subject to your Security policy (required) and oponal policies you can
specify. (The supported policy types for the original session are listed in the following table).
• If the firewall instead finds another tunnel, the firewall recursively parses the packet for the
second header and is now at level two of encapsulaon, so the second tunnel inspecon policy
PAN-OS® Administrator’s Guide Version Version 9.1 1383 ©2021 Palo Alto Networks, Inc.
Networking
rule, which matches a tunnel zone, must allow a maximum tunnel inspecon level of two levels
for the firewall to connue processing the packet.
• If your rule allows two levels of inspecon, the firewall performs a Security policy check on
this inner tunnel and then the Tunnel Inspecon policy check. The tunnel protocol you use in
an inner tunnel can differ from the tunnel protocol you use in the outer tunnel.
• If your rule doesn’t allow two levels of inspecon, the firewall bases its acon on whether
you configured it to drop packets that have more levels of encapsulaon than the maximum
tunnel inspecon level you configured.
By default, the content encapsulated in a tunnel belongs to the same security zone as the tunnel,
and is subject to the Security policy rules that protect that zone. However, you can configure a
tunnel zone, which gives you the flexibility to configure Security policy rules for inside content that
differ from the Security policy rules for the tunnel. If you use a different tunnel inspecon policy
for the tunnel zone, it must always have a maximum tunnel inspecon level of two levels because
by definion the firewall is looking at the second level of encapsulaon.
The firewall doesn’t support a Tunnel Inspecon policy rule that matches traffic for a tunnel that
terminates on the firewall; the firewall discards packets that match the inner tunnel session. For
example, when an IPSec tunnel terminates on the firewall, don’t create a Tunnel Inspecon policy
rule that matches the tunnel you terminate. The firewall already inspects the inner tunnel traffic so
no Tunnel Inspecon policy rule is needed.
Although tunnel content inspecon works on shared gateways and on virtual system-
to-virtual system communicaons, you can’t assign tunnel zones to shared gateways or
virtual system-to-virtual system communicaons; they are subject to the same Security
policy rules as the zones to which they belong.
Both the inner tunnel sessions and the outer tunnel sessions count toward the maximum session
capacity for the firewall model.
The following table indicates with a check mark which types of policy you can apply to an outer
tunnel session, an inner tunnel session, and the inside, original session:
App-Override
VXLAN Only
DoS Protecon
NAT
Policy-Based Forwarding
(PBF) and Symmetric Return
PAN-OS® Administrator’s Guide Version Version 9.1 1384 ©2021 Palo Alto Networks, Inc.
Networking
QoS
Security (required)
User-ID
Zone Protecon
VXLAN is different than other protocols. The firewall can use either of two different sets of
session keys to create outer tunnel sessions for VXLAN.
• VXLAN UDP Session—A six-tuple key (zone, source IP, desnaon IP, protocol, source port, and
desnaon port) creates a VXLAN UDP Session.
• VNI Session—A five-tuple key that incorporates the tunnel ID (the VXLAN Network Idenfier,
or VNI) and uses zone, source IP, desnaon IP, protocol, and tunnel ID (VNI) to create a VNI
Session.
You can View Inspected Tunnel Acvity on the ACC or View Tunnel Informaon in Logs. To
facilitate quick viewing, configure a Monitor tag so you can monitor tunnel acvity and filter log
results by that tag.
The ACC tunnel acvity provides data in various views. For the Tunnel ID Usage, Tunnel Monitor
Tag, and Tunnel Applicaon Usage, the data for bytes, sessions, threats, content, and URLs
come from the Traffic Summary database. For the Tunnel User, Tunneled Source IP and Tunneled
Desnaon IP Acvity, data for bytes and sessions come from Traffic Summary database, data for
threats come from the Threat Summary, data for URLs come from the URL Summary, and data for
contents come from the Data database, which is a subset of the Threat logs.
If you enable NetFlow on the interface, NetFlow will capture stascs for the outer tunnel only, to
avoid double-counng (counng bytes of both outer and inner flows).
For the Tunnel Inspecon policy rule and tunnel zone capacies for your firewall model, see the
Product Selecon tool.
The following figure illustrates a corporaon that runs mulple divisions and uses different
Security policies and a Tunnel Inspecon policy. A Central IT team provides connecvity between
regions. A tunnel connects Site A to Site C; another tunnel connects Site A to Site D. Central
IT places a firewall in the path of each tunnel; the firewall in the tunnel between Sites A and
C performs tunnel inspecon; the firewall in the tunnel between Sites A and D has no tunnel
inspecon policy because the traffic is very sensive.
PAN-OS® Administrator’s Guide Version Version 9.1 1385 ©2021 Palo Alto Networks, Inc.
Networking
The firewall can create tunnel inspecon logs at the start of a session, at the end of a
session, or both. When you specify Acons for the Security policy rule, select Log at
Session Start for long-lived tunnel sessions, such as GRE sessions.
STEP 3 | Specify the criteria that determine the source of packets to which the tunnel inspecon
policy rule applies.
1. Select the Source tab.
2. Add a Source Zone from the list of zones (default is Any).
3. (Oponal) Add a Source Address. You can enter an IPv4 or IPv6 address, an address
group, or a Geo Region address object (Any).
4. (Oponal) Select Negate to choose any addresses except those you specify.
5. (Oponal) Add a Source User (default is any). Known-user is a user who has
authencated; an Unknown user has not authencated.
PAN-OS® Administrator’s Guide Version Version 9.1 1386 ©2021 Palo Alto Networks, Inc.
Networking
STEP 4 | Specify the criteria that determine the desnaon of packets to which the tunnel inspecon
policy rule applies.
1. Select the Desnaon tab.
2. Add a Desnaon Zone from the list of zones (default is Any).
3. (Oponal) Add a Desnaon Address. You can enter an IPv4 or IPv6 address, an address
group, or a Geo Region address object (default is Any).
You can also configure a new address or address group.
4. (Oponal) Select Negate to choose any addresses except those you specify.
STEP 5 | Specify the tunnel protocols that the firewall will inspect for this rule.
1. Select the Inspecon tab.
2. Add one or more tunnel Protocols that you want the firewall to inspect:
• GRE—Firewall inspects packets that use Generic Route Encapsulaon (GRE) in the
tunnel.
• GTP-U—Firewall inspects packets that use General Packet Radio Service (GPRS)
Tunneling Protocol for User Data (GTP-U) in the tunnel.
• Non-encrypted IPSec—Firewall inspects packets that use non-encrypted IPSec (Null
EncryVpted IPSec or transport mode AH IPSec) in the tunnel.
• VXLAN—Firewall inspects packets that use the Virtual Extensible Local Area Network
(VXLAN) tunneling protocol in the tunnel.
STEP 6 | Specify how many levels of encapsulaon the firewall inspects and the condions under
which the firewall drops a packet.
1. Select Inspect Opons.
2. Select the Maximum Tunnel Inspecon Levels that the firewall will inspect:
• One Level (default)—Firewall inspects content that is in the outer tunnel only.
For VXLAN, the firewall inspects a VXLAN payload to find the encapsulated content
or applicaons within the tunnel. You must select One Level because VXLAN
inspecon only occurs on the outer tunnel.
• Two Levels (Tunnel In Tunnel)—Firewall inspects content that is in the outer tunnel
and content that is in the inner tunnel.
3. Select any, all, or none of the following to specify whether the firewall drops a packet
under each condion:
• Drop packet if over maximum tunnel inspecon level—Firewall drops a packet that
contains more levels of encapsulaon than are configured for Maximum Tunnel
Inspecon Levels.
• Drop packet if tunnel protocol fails strict header check—Firewall drops a packet that
contains a tunnel protocol that uses a header that is non-compliant with the RFC for
PAN-OS® Administrator’s Guide Version Version 9.1 1387 ©2021 Palo Alto Networks, Inc.
Networking
the protocol. Non-compliant headers can indicate suspicious packets. This opon
causes the firewall to verify GRE headers against RFC 2890.
PAN-OS® Administrator’s Guide Version Version 9.1 1388 ©2021 Palo Alto Networks, Inc.
Networking
STEP 8 | (Oponal) Create a tunnel source zone and tunnel desnaon zone for tunnel content and
configure a Security policy rule for each zone.
The best pracce is to create tunnel zones for your tunnel traffic. Thus, the firewall
creates separate sessions for tunneled and non-tunneled packets that have the same
five-tuple (source IP address and port, desnaon IP address and port, and protocol).
Assigning tunnel zones to tunnel traffic on a PA-5200 Series firewall causes the firewall
to do tunnel inspecon in soware; tunnel inspecon is not offloaded to hardware.
1. If you want tunnel content to be subject to Security policy rules that are different from
the Security policy rules for the zone of the outer tunnel (configured earlier), select
Network > Zones and Add a Name for the Tunnel Source Zone.
2. For Locaon, select the virtual system.
3. For Type, select Tunnel.
4. Click OK.
5. Repeat these substeps to create the Tunnel Desnaon Zone.
6. Configure a Security policy rule for the Tunnel Source Zone.
Because you might not know the originator of the tunnel traffic or the direcon
of the traffic flow and you don’t want to inadvertently prohibit traffic for an
applicaon through the tunnel, specify both tunnel zones as the Source Zone
and both tunnel zones as the Desnaon Zone in your Security policy rule,
or select Any for both the source and desnaon zones; then specify the
Applicaons.
7. Configure a Security policy rule for the Tunnel Desnaon Zone. The p in the previous
step for configuring a Security policy rule for the Tunnel Source Zone applies to the
Tunnel Desnaon Zone, as well.
STEP 9 | (Oponal) Specify the Tunnel Source Zone and Tunnel Desnaon Zone for the inner
content.
1. Specify the Tunnel Source Zone and Tunnel Desnaon Zone (that you just added) for
the inner content. Select Policies > Tunnel Inspecon and on the General tab, select the
Name of the tunnel inspecon policy rule you created.
2. Select Inspecon.
3. Select Security Opons.
4. Enable Security Opons (disabled by default) to cause the inner content source to
belong to the Tunnel Source Zone you specify and to cause the inner content desnaon
to belong to the Tunnel Desnaon Zone you specify.
If you don’t Enable Security Opons, the inner content source belongs to the same
source zone as the outer tunnel source and the inner content desnaon belongs to the
same desnaon zone as the outer tunnel desnaon, which means they are subject to
the same Security policy rules that apply to those outer zones.
5. For Tunnel Source Zone, select the appropriate tunnel zone you created in the previous
step so that the policies associated with that zone apply to the tunnel source zone.
Otherwise, by default, the inner content will use the same source zone that is used in the
PAN-OS® Administrator’s Guide Version Version 9.1 1389 ©2021 Palo Alto Networks, Inc.
Networking
outer tunnel and the policies of the outer tunnel source zone apply to the inner content
source zone, as well.
6. For Tunnel Desnaon Zone, select the appropriate tunnel zone you created in
the previous step so that the policies associated with that zone apply to the tunnel
desnaon zone. Otherwise, by default, the inner content will use the same desnaon
zone that is used in the outer tunnel and the policies of the outer tunnel desnaon zone
apply to the inner content desnaon zone, as well.
If you configure a Tunnel Source Zone and Tunnel Desnaon Zone for the
tunnel inspecon policy rule, you should configure a specific Source Zone (in
Step 3) and a specific Desnaon Zone (in Step 4) in the match criteria of the
tunnel inspecon policy rule, instead of specifying a Source Zone of Any and a
Desnaon Zone of Any. This p ensures the direcon of zone reassignment
corresponds appropriately to the parent zones.
STEP 10 | Set monitoring opons for traffic that matches a tunnel inspecon policy rule.
1. Select Policies > Tunnel Inspecon and select the tunnel inspecon policy rule you
created.
2. Select Inspecon > Monitor Opons.
3. Enter a Monitor Name to group similar traffic together for purposes of logging and
reporng.
4. Enter a Monitor Tag (number) to group similar traffic together for logging and reporng
(range is 1 to 16,777,215). The tag number is globally defined.
This field does not apply to the VXLAN protocol. VXLAN logs automacally use
the VNI ID from the VXLAN header.
If you tag tunnel traffic, you can later filter on the Monitor Tag in the tunnel
inspecon log and use the ACC to view tunnel acvity based on Monitor Tag.
5. Override Security Rule Log Seng to enable logging and log forwarding opons for
sessions that meet the selected tunnel inspecon policy rule. If you don’t select this
seng, tunnel log generaon and log forwarding are determined by the log sengs for
the Security policy rule that applies to the tunnel traffic. You can override log forwarding
sengs in Security policy rules that control traffic logs by configuring tunnel inspecon
log sengs to store tunnel logs separately from traffic logs. The tunnel inspecon logs
PAN-OS® Administrator’s Guide Version Version 9.1 1390 ©2021 Palo Alto Networks, Inc.
Networking
store the outer tunnel (GRE, non-encrypted IPSec, VXLAN, or GTP-U) sessions and the
traffic logs store the inner traffic flows.
6. Select Log at Session Start to log traffic at the start of a session.
The best pracce for Tunnel logs is to log both at session start and session end
because tunnels can stay up for long periods of me. For example, GRE tunnels
can come up when the router boots and never terminate unl the router is
rebooted. If you don’t log at session start, you will never see in the ACC that
there is an acve GRE tunnel.
7. Select Log at Session End to log traffic at the end of a session.
8. Select a Log Forwarding profile that determines where the firewall forwards tunnel logs
for sessions that meet the tunnel inspecon rule. Alternavely, you can create a new Log
Forwarding profile if you Configure Log Forwarding.
9. Click OK.
STEP 11 | (Oponal, VXLAN Only) Configure a VXLAN ID (VNI). By default, all VXLAN network
interfaces (VNIs) are inspected. If you configure one or more VXLAN IDs, the policy inspects
only those VNIs.
Only the VXLAN protocol uses the Tunnel ID tab to specify the VNI.
PAN-OS® Administrator’s Guide Version Version 9.1 1391 ©2021 Palo Alto Networks, Inc.
Networking
STEP 12 | (Oponal) If you enabled Rematch Sessions (Device > Setup > Session), ensure the firewall
doesn’t drop exisng sessions when you create or revise a tunnel inspecon policy by
disabling Reject Non-SYN TCP for the zones that control your tunnel Security policy rules.
The firewall displays the following warning when you:
• Create a tunnel inspecon policy rule.
• Edit a tunnel inspecon policy rule by adding a Protocol or by increasing the Maximum
Tunnel Inspecon Levels from One Level to Two Levels.
• Enable Security Opons in the Security Opons tab by either adding new zones or
changing one zone to another zone.
Warning: Enabling tunnel inspecon policies on exisng tunnel sessions will cause
exisng TCP sessions inside the tunnel to be treated as non-syn-tcp flows. To ensure
exisng sessions are not dropped when the tunnel inspecon policy is enabled, set
the Reject Non-SYN TCP seng for the zone(s) to no using a Zone Protecon profile
and apply it to the zones that control the tunnel’s security policies. Once the exisng
sessions have been recognized by the firewall, you can re-enable the Reject Non-SYN
TCP seng by seng it to yes or global.
1. Select Network > Network Profiles > Zone Protecon and Add a profile.
2. Enter a Name for the profile.
3. Select Packet Based Aack Protecon > TCP Drop.
4. For Reject Non-SYN TCP, select no.
5. Click OK.
6. Select Network > Zones and select the zone that controls your tunnel Security policy
rules.
7. For Zone Protecon Profile, select the Zone Protecon profile you just created.
8. Click OK.
9. Repeat the previous three substeps (12.f, 12.g, and 12.h) to apply the Zone Protecon
profile to addional zones that control your tunnel Security policy rules.
10. Aer the firewall has recognized the exisng sessions, you can re-enable Reject Non-
SYN TCP by seng it to yes or global.
PAN-OS® Administrator’s Guide Version Version 9.1 1392 ©2021 Palo Alto Networks, Inc.
Networking
STEP 3 | Select a Time period to view, such as Last 24 Hrs or Last 30 Days.
STEP 4 | For Global Filters, click the + or - buons to use ACC Filters on tunnel acvity.
STEP 5 | View inspected tunnel acvity; you can display and sort data in each window by bytes,
sessions, threats, content, or URLs. Each window displays a different aspect of tunnel data in
graph and table format:
• Tunnel ID Usage—Each tunnel protocol lists the Tunnel IDs of tunnels using that protocol.
Tables provide totals of Bytes, Sessions, Threats, Content, and URLs for the protocol. Hover
over the tunnel ID to get a breakdown per tunnel ID.
• Tunnel Monitor Tag—Each tunnel protocol lists tunnel monitor tags of tunnels using that
tag. Tables provide totals of Bytes, Sessions, Threats, Content, and URLs for the tag and for
the protocol. Hover over the tunnel monitor tag to get a breakdown per tag.
• Tunneled Applicaon Usage—Applicaon categories graphically display types of
applicaons grouped into media, general interest, collaboraon, and networking, and color-
coded by their risk. The Applicaon tables also include a count of users per applicaon.
• Tunneled User Acvity—Displays a graph of bytes sent and bytes received, for example,
along an x-axis of date and me. Hover over a point on the graph to view data at that point.
The Source User and Desnaon User table provides data per user.
• Tunneled Source IP Acvity—Displays graphs and tables of bytes, sessions, and threats, for
example, from an Aacker at an IP address. Hover over a point on the graph to view data at
that point.
• Tunneled Desnaon IP Acvity—Displays graphs and tables based on desnaon IP
addresses. View threats per Vicm at an IP address, for example. Hover over a point on the
graph to view data at that point.
PAN-OS® Administrator’s Guide Version Version 9.1 1393 ©2021 Palo Alto Networks, Inc.
Networking
• When there is a TCI traffic rule match, VXLAN protocol is logged in the Tunnel Inspecon log
with the Tunnel (VXLAN) log type, the configured Monitor name, and the Tunnel ID (VNI).
In the Traffic log for the inner session, the Tunnel Inspected flag indicates a VNI session. The
Parent Session is the session that was acve when the inner session was created so the ID
might not match the current Session ID.
• When there is no TCI rule match, VNI sessions are logged in Traffic logs with the UDP protocol,
source port 0, and desnaon port 4789 (the default).
STEP 2 | For Database, select the Traffic, Threat, URL, Data Filtering, or WildFire Submissions log.
STEP 3 | For Available Columns, select Flags and Monitor Tag, along with other data you want in the
report.
You can also Generate Custom Reports.
PAN-OS® Administrator’s Guide Version Version 9.1 1394 ©2021 Palo Alto Networks, Inc.
Policy
Policies allow you to enforce rules and take acon. The different types of policy rules
that you can create on the firewall are: Security, NAT, Quality of Service (QoS), Policy
Based Forwarding (PBF), Decrypon, Applicaon Override, Authencaon, Denial of
Service (DoS), and Zone protecon policies. All these different policies work together
to allow, deny, priorize, forward, encrypt, decrypt, make excepons, authencate
access, and reset connecons as needed to help secure your network. The following
topics describe how to work with policy:
> Policy Types > Use an External Dynamic List in
> Security Policy Policy
1395
Policy
Policy Types
The Palo Alto Networks next-generaon firewall supports a variety of policy types that work
together to safely enable applicaons on your network.
For all policy types, when you Enforce Policy Rule Descripon, Tag, and Audit Comment, you
can use the audit comment archive to view how a policy rule changed over me. The archive,
which includes the audit comment history and the configuraon logs, enables you to compare
configuraon versions and review who created or modified and why.
NAT Instruct the firewall which packets need translaon and how to do
the translaon. The firewall supports both source address and/or port
translaon and desnaon address and/or port translaon. For more
details, see NAT.
Policy Based Idenfy traffic that should use a different egress interface than the
Forwarding one that would normally be used based on the roung table. For more
details, see Policy-Based Forwarding.
Decrypon Idenfy encrypted traffic that you want to inspect for visibility, control,
and granular security. For more details, see Decrypon.
Applicaon Override Idenfy sessions that you do not want processed by the App-ID
engine, which is a Layer-7 inspecon. Traffic matching an applicaon
override policy forces the firewall to handle the session as a regular
stateful inspecon firewall at Layer-4. For more details, see Manage
Custom or Unknown Applicaons.
Authencaon Idenfy traffic that requires users to authencate. For more details, see
Authencaon Policy.
DoS Protecon Idenfy potenal denial-of-service (DoS) aacks and take protecve
acon in response to rule matches. For more details, see DoS
Protecon Profiles.
PAN-OS® Administrator’s Guide Version Version 9.1 1396 ©2021 Palo Alto Networks, Inc.
Policy
Security Policy
Security policy protects network assets from threats and disrupons and helps to opmally
allocate network resources for enhancing producvity and efficiency in business processes. On a
Palo Alto Networks firewall, individual Security policy rules determine whether to block or allow
a session based on traffic aributes, such as the source and desnaon security zone, the source
and desnaon IP address, the applicaon, the user, and the service.
To ensure that end users authencate when they try to access your network resources, the
firewall evaluates Authencaon Policy before Security policy.
All traffic passing through the firewall is matched against a session and each session is matched
against a Security policy rule. When a session match occurs, the firewall applies the matching
Security policy rule to bidireconal traffic in that session (client to server and server to client). For
traffic that doesn’t match any defined rules, the default rules apply. The default rules—displayed
at the boom of the security rulebase—are predefined to allow all intrazone traffic (within a zone)
and deny all interzone traffic (between zones). Although these rules are part of the predefined
configuraon and are read-only by default, you can override them and change a limited number of
sengs, including the tags, acon (allow or block), log sengs, and security profiles.
Security policy rules are evaluated le to right and from top to boom. A packet is matched
against the first rule that meets the defined criteria and, aer a match is triggered, subsequent
rules are not evaluated. Therefore, the more specific rules must precede more generic ones in
order to enforce the best match criteria. Traffic that matches a rule generates a log entry at the
end of the session in the traffic log if you enable logging for that rule. The logging opons are
configurable for each rule and can, for example, be configured to log at the start of a session
instead of, or in addion to, logging at the end of a session.
Aer an administrator configures a rule, you can View Policy Rule Usage to determine when
and how many mes traffic matches the Security policy rule to determine its effecveness. As
your rulebase evolves, change and audit informaon get lost over me unless you archived this
informaon at the me the rule is created or modified. You can Enforce Policy Rule Descripon,
Tag, and Audit Comment to ensure that all administrators enter audit comments so that you can
view the audit comment archive and review comments and configuraon log history and can
compare rule configuraon versions for a selected rule. Together, you now have more visibility
into and control over the rulebase.
• Components of a Security Policy Rule
• Security Policy Acons
• Create a Security Policy Rule
PAN-OS® Administrator’s Guide Version Version 9.1 1397 ©2021 Palo Alto Networks, Inc.
Policy
Required/Field Descripon
Oponal
Rule Type Specifies whether the rule applies to traffic within a zone, between
zones, or both:
• universal (default)—Applies the rule to all matching interzone
and intrazone traffic in the specified source and desnaon
zones. For example, if you create a universal rule with source
zones A and B and desnaon zones A and B, the rule would
apply to all traffic within zone A, all traffic within zone B, and all
traffic from zone A to zone B and all traffic from zone B to zone
A.
• intrazone—Applies the rule to all matching traffic within the
specified source zones (you cannot specify a desnaon zone
for intrazone rules). For example, if you set the source zone to
A and B, the rule would apply to all traffic within zone A and all
traffic within zone B, but not to traffic between zones A and B.
• interzone—Applies the rule to all matching traffic between the
specified source and desnaon zones. For example, if you set
the source zone to A, B, and C and the desnaon zone to A
and B, the rule would apply to traffic from zone A to zone B,
from zone B to zone A, from zone C to zone A, and from zone C
to zone B, but not traffic within zones A, B, or C.
Desnaon The zone at which the traffic terminates. If you use NAT, make sure
Zone to always reference the post-NAT zone.
Applicaon The applicaon that you wish to control. The firewall uses App-
ID, the traffic classificaon technology, to idenfy traffic on your
network. App-ID provides applicaon control and visibility in
creang security policies that block unknown applicaons, while
enabling, inspecng, and shaping those that are allowed.
Acon Specifies an Allow or Deny acon for the traffic based on the
criteria you define in the rule. When you configure the firewall
to deny traffic, it either resets the connecon or silently drops
packets. To provide a beer user experience, you can configure
granular opons to deny traffic instead of silently dropping
packets, which can cause some applicaons to break and appear
PAN-OS® Administrator’s Guide Version Version 9.1 1398 ©2021 Palo Alto Networks, Inc.
Policy
Required/Field Descripon
Oponal
unresponsive to the user. For more details, see Security Policy
Acons.
Oponal Tag A keyword or phrase that allows you to filter security rules. This
is handy when you have defined many rules and wish to then
review those that are tagged with a keyword such as IT-sanconed
applicaons or High-risk applicaons.
Source Address Define host IP addresses, subnets, address objects (of type IP
netmask, IP range, FQDN, or IP wildcard mask), address groups, or
country-based enforcement. If you use NAT, make sure to always
refer to the original IP addresses in the packet (i.e. the pre-NAT IP
address).
User The user or group of users for whom the policy applies. You must
have User-ID enabled on the zone. To enable User-ID, see User-ID
Overview.
URL Category Using the URL Category as match criteria allows you to customize
security profiles (Anvirus, An-Spyware, Vulnerability, File-
Blocking, Data Filtering, and DoS) on a per-URL-category basis.
For example, you can prevent.exe file download/upload for URL
categories that represent higher risk while allowing them for other
categories. This funconality also allows you to aach schedules to
specific URL categories (allow social-media websites during lunch
& aer-hours), mark certain URL categories with QoS (financial,
medical, and business), and select different log forwarding profiles
on a per-URL-category-basis.
Although you can manually configure URL categories on your
firewall, to take advantage of the dynamic URL categorizaon
updates available on Palo Alto Networks firewalls, you must
purchase a URL filtering license.
PAN-OS® Administrator’s Guide Version Version 9.1 1399 ©2021 Palo Alto Networks, Inc.
Policy
Required/Field Descripon
Oponal
To block or allow traffic based on URL category, you
must apply a URL Filtering profile to the security policy
rules. Define the URL Category as Any and aach a
URL Filtering profile to the security policy. See Set Up
a Basic Security Policy for informaon on using the
default profiles in your security policy.
Service Allows you to select a Layer 4 (TCP or UDP) port for the
applicaon. You can choose any, specify a port, or use applicaon-
default to permit use of the standards-based port for the
applicaon. For example, for applicaons with well-known port
numbers such as DNS, the applicaon-default opon will match
against DNS traffic only on TCP port 53. You can also add a custom
applicaon and define the ports that the applicaon can use.
HIP Profile (for Allows you to idenfy clients with Host Informaon Profile (HIP)
GlobalProtect) and then enforce access privileges.
Opons Allow you to define logging for the session, log forwarding sengs,
change Quality of Service (QoS) markings for packets that match
the rule, and schedule when (day and me) the security rule should
be in effect.
Acon Descripon
PAN-OS® Administrator’s Guide Version Version 9.1 1400 ©2021 Palo Alto Networks, Inc.
Policy
Acon Descripon
Deny Blocks traffic and enforces the default Deny Acon defined for
the applicaon that is being denied. To view the deny acon
defined by default for an applicaon, view the applicaon details
in Objects > Applicaons or check the applicaon details in
Applipedia.
Drop Silently drops the traffic; for an applicaon, it overrides the default
deny acon. A TCP reset is not sent to the host/applicaon.
For Layer 3 interfaces, to oponally send an ICMP unreachable
response to the client, set Acon: Drop and enable the Send ICMP
Unreachable check box. When enabled, the firewall sends the
ICMP code for communicaon with the desnaon is administravely
prohibited—ICMPv4: Type 3, Code 13; ICMPv6: Type 1, Code 1.
Reset both Sends a TCP reset to both the client-side and server-side devices.
A reset is sent only aer a session is formed. If the session is blocked before a 3-
way handshake is completed, the firewall will not send the reset.
For a TCP session with a reset acon, the firewall does not send an ICMP Unreachable
response.
For a UDP session with a drop or reset acon, if the ICMP Unreachable check box is
selected, the firewall sends an ICMP message to the client.
PAN-OS® Administrator’s Guide Version Version 9.1 1401 ©2021 Palo Alto Networks, Inc.
Policy
STEP 3 | Define the matching criteria for the source fields in the packet.
1. In the Source tab, select a Source Zone.
2. Specify a Source IP Address or leave the value set to any.
If you decide to Negate a region as a Source Address, ensure that all regions
that contain private IP addresses are added to the Source Address to avoid
connecvity loss between those private IP addresses.
3. Specify a Source User or leave the value set to any.
STEP 4 | Define the matching criteria for the desnaon fields in the packet.
1. In the Desnaon tab, set the Desnaon Zone.
2. Specify a Desnaon IP Address or leave the value set to any.
If you decide to Negate a region as the Desnaon Address, ensure that all
regions that contain private IP addresses are added to the Desnaon Address
to avoid connecvity loss between those private IP addresses.
STEP 5 | Specify the applicaon that the rule will allow or block.
As a best pracce, always use applicaon-based security policy rules instead of port-
based rules and always set the Service to applicaon-default unless you are using a
more restricve list of ports than the standard ports for an applicaon.
1. In the Applicaons tab, Add the Applicaon you want to safely enable. You can select
mulple applicaons or you can use applicaon groups or applicaon filters.
2. In the Service/URL Category tab, keep the Service set to applicaon-default to ensure
that any applicaons that the rule allows are allowed only on their standard ports.
STEP 6 | (Oponal) Specify a URL category as match criteria for the rule.
In the Service/URL Category tab, select the URL Category.
If you select a URL category, only web traffic will match the rule and only if the traffic is
desned for that specified category.
STEP 7 | Define what acon you want the firewall to take for traffic that matches the rule.
In the Acons tab, select an Acon. See Security Policy Acons for a descripon of each
acon.
PAN-OS® Administrator’s Guide Version Version 9.1 1402 ©2021 Palo Alto Networks, Inc.
Policy
As a best pracce, do not select the check box to Disable Server Response Inspecon
(DSRI). Selecng this opon prevents the firewall from inspecng packets from the
server to the client. For the best security posture, the firewall must inspect both the
client-to-server flows and the server-to-client flows to detect and prevent threats.
STEP 9 | Aach security profiles to enable the firewall to scan all allowed traffic for threats.
Make sure you create best pracce security profiles that help protect your network
from both known and unknown threats.
In the Acons tab, select Profiles from the Profile Type drop-down and then select the
individual security profiles to aach to the rule.
Alternavely, select Group from the Profile Type drop-down and select a security Group
Profile to aach.
STEP 10 | Click Commit to save the policy rule to the running configuraon on the firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 1403 ©2021 Palo Alto Networks, Inc.
Policy
STEP 11 | To verify that you have set up your basic security policies effecvely, test whether your
security policy rules are being evaluated and determine which security policy rule applies to a
traffic flow.
The output displays the best rule that matches the source and desnaon IP address specified
in the CLI command.
For example, to verify the policy rule that will be applied for a server in the data center with
the IP address 208.90.56.11 when it accesses the Microso update server:
1. Select Device > Troubleshoong, and select Security Policy Match from the Select Test
drop-down.
2. Enter the Source and Desnaon IP addresses.
3. Enter the Protocol.
4. Execute the security policy match test.
STEP 12 | Aer waing long enough to allow traffic to pass through the firewall, View Policy Rule
Usage to monitor the policy rule usage status and determine the effecveness of the policy
rule.
PAN-OS® Administrator’s Guide Version Version 9.1 1404 ©2021 Palo Alto Networks, Inc.
Policy
Policy Objects
A policy object is a single object or a collecve unit that groups discrete idenes such as IP
addresses, URLs, applicaons, or users. With policy objects that are a collecve unit, you can
reference the object in security policy instead of manually selecng mulple objects one at a
me. Typically, when creang a policy object, you group objects that require similar permissions
in policy. For example, if your organizaon uses a set of server IP addresses for authencang
users, you can group the set of server IP addresses as an address group policy object and reference
the address group in the security policy. By grouping objects, you can significantly reduce the
administrave overhead in creang policies.
If you need to export specific parts of the configuraon for internal review or audit, you
can Export Configuraon Table Data as a PDF or CSV file.
User/User Group Allow you to create a list of users from the local database, an external
database, or match criteria and group them.
PAN-OS® Administrator’s Guide Version Version 9.1 1405 ©2021 Palo Alto Networks, Inc.
Policy
Service/Service Allows you to specify the source and desnaon ports and protocol
Groups that a service can use. The firewall includes two pre-defined services
—service-hp and service-hps— that use TCP ports 80 and 8080
for HTTP, and TCP port 443 for HTTPS. You can however, create
any custom service on any TCP/UDP port of your choice to restrict
applicaon usage to specific ports on your network (in other words,
you can define the default port for the applicaon).
PAN-OS® Administrator’s Guide Version Version 9.1 1406 ©2021 Palo Alto Networks, Inc.
Policy
Security Profiles
While security policy rules enable you to allow or block traffic on your network, security profiles
help you define an allow but scan rule, which scans allowed applicaons for threats, such as
viruses, malware, spyware, and DDOS aacks. When traffic matches the allow rule defined in the
security policy, the security profile(s) that are aached to the rule are applied for further content
inspecon rules such as anvirus checks and data filtering.
Security profiles are not used in the match criteria of a traffic flow. The security profile is
applied to scan traffic aer the applicaon or category is allowed by the security policy.
The firewall provides default security profiles that you can use out of the box to begin protecng
your network from threats. See Set Up a Basic Security Policy for informaon on using the default
profiles in your security policy. As you get a beer understanding about the security needs on
your network, see Create Best Pracce Security Profiles for the Internet Gateway to learn how
you can create custom profiles.
For recommendaons on the best-pracce sengs for security profiles, see Create Best
Pracce Security Profiles for the Internet Gateway.
You can add security profiles that are commonly applied together to Create a Security Profile
Group; this set of profiles can be treated as a unit and added to security policies in one step (or
included in security policies by default, if you choose to set up a default security profile group).
Anvirus Profiles Anvirus profiles protect against viruses, worms, and trojans as well
as spyware downloads. Using a stream-based malware prevenon
engine, which inspects traffic the moment the first packet is received,
the Palo Alto Networks anvirus soluon can provide protecon for
clients without significantly impacng the performance of the firewall.
This profile scans for a wide variety of malware in executables, PDF
files, HTML and JavaScript viruses, including support for scanning
inside compressed files and data encoding schemes. If you have
enabled Decrypon on the firewall, the profile also enables scanning of
decrypted content.
The default profile inspects all of the listed protocol decoders for
viruses, and generates alerts for SMTP, IMAP, and POP3 protocols
while blocking for FTP, HTTP, and SMB protocols. You can configure
the acon for a decoder or Anvirus signature and specify how the
firewall responds to a threat event:
• Default—For each threat signature and Anvirus signature that
is defined by Palo Alto Networks, a default acon is specified
internally. Typically, the default acon is an alert or a reset-both.
The default acon is displayed in parenthesis, for example default
(alert) in the threat or Anvirus signature.
PAN-OS® Administrator’s Guide Version Version 9.1 1407 ©2021 Palo Alto Networks, Inc.
Policy
PAN-OS® Administrator’s Guide Version Version 9.1 1408 ©2021 Palo Alto Networks, Inc.
Policy
PAN-OS® Administrator’s Guide Version Version 9.1 1409 ©2021 Palo Alto Networks, Inc.
Policy
URL Filtering Profiles URL Filtering profiles enable you to monitor and control how users
access the web over HTTP and HTTPS. The firewall comes with a
PAN-OS® Administrator’s Guide Version Version 9.1 1410 ©2021 Palo Alto Networks, Inc.
Policy
Data Filtering Profiles Data filtering profiles prevent sensive informaon such as credit
card or social security numbers from leaving a protected network.
The data filtering profile also allows you to filter on key words, such
as a sensive project name or the word confidenal. It is important to
focus your profile on the desired file types to reduce false posives.
For example, you may only want to search Word documents or Excel
spreadsheets. You may also only want to scan web-browsing traffic, or
FTP.
You can create custom data paern objects and aach them to a Data
Filtering profile to define the type of informaon on which you want to
filter. Create data paern objects based on:
• Predefined Paerns—Filter for credit card and social security
numbers (with or without dashes) using predefined paerns.
• Regular Expressions—Filter for a string of characters.
• File Properes—Filter for file properes and values based on file
type.
File Blocking Profiles The firewall uses file blocking profiles to block specified file types
over specified applicaons and in the specified session flow direcon
(inbound/outbound/both). You can set the profile to alert or block on
upload and/or download and you can specify which applicaons will
be subject to the file blocking profile. You can also configure custom
block pages that will appear when a user aempts to download the
specified file type. This allows the user to take a moment to consider
whether or not they want to download a file.
You can define your own custom File Blocking profiles, or choose one
of the following predefined profiles when applying file blocking to a
Security policy rule. The predefined profiles, which are available with
PAN-OS® Administrator’s Guide Version Version 9.1 1411 ©2021 Palo Alto Networks, Inc.
Policy
PAN-OS® Administrator’s Guide Version Version 9.1 1412 ©2021 Palo Alto Networks, Inc.
Policy
DoS Protecon DoS protecon profiles provide detailed control for Denial of Service
Profiles (DoS) protecon policies. DoS policies allow you to control the number
of sessions between interfaces, zones, addresses, and countries based
on aggregate sessions or source and/or desnaon IP addresses. There
are two DoS protecon mechanisms that the Palo Alto Networks
firewalls support.
• Flood Protecon—Detects and prevents aacks where the network
is flooded with packets resulng in too many half-open sessions
and/or services being unable to respond to each request. In this
case the source address of the aack is usually spoofed. See DoS
Protecon Against Flooding of New Sessions.
• Resource Protecon— Detects and prevent session exhauson
aacks. In this type of aack, a large number of hosts (bots) are
used to establish as many fully established sessions as possible to
consume all of a system’s resources.
You can enable both types of protecon mechanisms in a single DoS
protecon profile.
The DoS profile is used to specify the type of acon to take and
details on matching criteria for the DoS policy. The DoS profile defines
sengs for SYN, UDP, and ICMP floods, can enable resource protect
and defines the maximum number of concurrent connecons. Aer
you configure the DoS protecon profile, you then aach it to a DoS
policy.
When configuring DoS protecon, it is important to analyze your
environment in order to set the correct thresholds and due to some of
the complexies of defining DoS protecon policies, this guide will not
go into detailed examples.
PAN-OS® Administrator’s Guide Version Version 9.1 1413 ©2021 Palo Alto Networks, Inc.
Policy
Security Profile A security profile group is a set of security profiles that can be treated
Group as a unit and then easily added to security policies. Profiles that are
oen assigned together can be added to profile groups to simplify
the creaon of security policies. You can also setup a default security
profile group—new security policies will use the sengs defined in
the default profile group to check and control traffic that matches
the security policy. Name a security profile group default to allow
the profiles in that group to be added to new security policies by
default. This allows you to consistently include your organizaon’s
preferred profile sengs in new policies automacally, without having
to manually add security profiles each me you create new rules.
See Create a Security Profile Group and Set Up or Override a Default
Security Profile Group.
If you name the group default, the firewall will automacally aach it to any new
rules you create. This is a me saver if you have a preferred set of security profiles that
you want to make sure get aached to every new rule.
1. Select Objects > Security Profile Groups and Add a new security profile group.
2. Give the profile group a descripve Name, for example, Threats.
3. If the firewall is in Mulple Virtual System Mode, enable the profile to be Shared by all
virtual systems.
4. Add exisng profiles to the group.
PAN-OS® Administrator’s Guide Version Version 9.1 1414 ©2021 Palo Alto Networks, Inc.
Policy
If no default security profile exists, the profile sengs for a new security policy are set to
None by default.
PAN-OS® Administrator’s Guide Version Version 9.1 1415 ©2021 Palo Alto Networks, Inc.
Policy
PAN-OS® Administrator’s Guide Version Version 9.1 1416 ©2021 Palo Alto Networks, Inc.
Policy
By default, the new security policy correctly shows the Profile Type set to Group and
the default Group Profile is selected.
PAN-OS® Administrator’s Guide Version Version 9.1 1417 ©2021 Palo Alto Networks, Inc.
Policy
Rule Numbers
The firewall automacally numbers each rule within a rulebase; when you move or reorder
rules, the numbers change based on the new order. When you filter the list of rules to find rules
that match specific criteria, the firewall display each rule with its number in the context of the
complete set of rules in the rulebase and its place in the evaluaon order.
Panorama independently numbers pre-rules, post-rules, and default rules. When Panorama pushes
rules to a firewall, the rule numbering reflects the hierarchy and evaluaon order of shared rules,
device group pre-rules, firewall rules, device group post-rules, and default rules. You can Preview
Rules in Panorama to display an ordered list of the total number of rules on a firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 1418 ©2021 Palo Alto Networks, Inc.
Policy
Aer you push the rules from Panorama, view the complete list of rules with numbers on the
firewall.
From the web interface on the firewall, select Policies and pick any rulebase under it. For
example, select Policies > Security and view the complete set of numbered rules that the
firewall will evaluate.
Rule UUIDs
The universally unique idenfier (UUID) for a rule is a 32-character string (based on data such as
the network address and the mestamp of creaon) that the firewall or Panorama assigns to the
rule. The UUID uses the format 8-4-4-4-12 (where 8, 4, and 12 represent the number of unique
characters separated by hyphens). UUIDs idenfy rules for all policy rulebases. You can also use
UUIDs to idenfy applicable rules in the following log types: Traffic, Threat, URL Filtering, WildFire
Submission, Data Filtering, GTP, SCTP, Tunnel Inspecon, Configuraon, and Unified.
Using the UUID to search for a rule enables you to locate a specific rule you want to find among
thousands of rules that may have similar or idencal names. UUIDs also simplify automaon and
integraon for rules in third-party systems (such as ckeng or orchestraon) that do not support
names.
In some cases, you may need to generate new UUIDs for exisng rulebases. For example, if you
want to export a configuraon to another firewall, you need to regenerate the UUIDs for the rules
as you import the configuraon to ensure there are no duplicate UUIDs. If you regenerate UUIDs,
you are no longer able to track those rules using their previous UUIDs and the hit data and app
usage data for those rules are reset.
The firewall or Panorama assigns UUIDs when you:
• Create new rules
• Clone exisng rules
• Override the default security rules
• Load a named configuraon and regenerate UUIDs
• Load a named configuraon containing new rules that are not in the running configuraon
• Upgrade the firewall or Panorama to a PAN-OS 9.0 release
PAN-OS® Administrator’s Guide Version Version 9.1 1419 ©2021 Palo Alto Networks, Inc.
Policy
When you load a configuraon that contains rules with UUIDs, the firewall considers rules to be
the same if the rule name, rulebase, and virtual system all match. Panorama considers rules to be
the same if the rule name, rulebase, and the device group all match.
Keep in mind the following important points for UUIDs:
• If you manage firewall policy from Panorama, UUIDs are generated on Panorama and therefore
must be pushed from Panorama. If you do not push the configuraon from Panorama prior to
upgrading the firewalls to PAN-OS 9.0, the firewall upgrade will not succeed because it will not
have the UUIDs.
• In addion, if you are upgrading an HA pair, upon upgrade to PAN-OS 9.0, each peer
independently assigns UUIDs for each policy rule. Because of this, the peers will show as out
of sync unl you sync the configuraon (Dashboard > Widgets > System > High Availability >
Sync to peer).
• If you remove an exisng high availability (HA) configuraon aer upgrading to PAN-OS 9.0,
you must regenerate the UUIDs on one of the peers (Device > Setup > Operaons > Load
named configuraon snapshot > Regenerate UUIDs for the selected named configuraon) and
commit the changes to prevent UUID duplicaon.
• All rules pushed from Panorama will share the same UUID; all rules local to a firewall will
have different UUIDs. If you create a rule locally on the firewall aer you push the rules from
Panorama to the firewalls, the rule you created locally has its own UUID.
• To replace an RMA Panorama, make sure you Retain Rule UUIDs when you load the named
Panorama configuraon snapshot. If you do not select this opon, Panorama removes all
previous rule UUIDs from the configuraon snapshot and assigns new UUIDs to the rules on
Panorama, which means it does not retain informaon associated with the previous UUIDs,
such as the policy rule hit count.
PAN-OS® Administrator’s Guide Version Version 9.1 1420 ©2021 Palo Alto Networks, Inc.
Policy
Display the Rule UUID column for logs and the UUID column for policy rules.
To view the UUIDs, you must display the column, which does not display by default.
• To display the UUID in logs:
1. Select Monitor and then expand the column header ( ).
2. Select Columns.
3. Enable Rule UUID.
PAN-OS® Administrator’s Guide Version Version 9.1 1421 ©2021 Palo Alto Networks, Inc.
Policy
PAN-OS® Administrator’s Guide Version Version 9.1 1422 ©2021 Palo Alto Networks, Inc.
Policy
You can also go to the Policies tab, click the arrow to the right of the rule name, and
Copy UUID.
PAN-OS® Administrator’s Guide Version Version 9.1 1423 ©2021 Palo Alto Networks, Inc.
Policy
STEP 2 | Select Device > Setup > Management and edit the Policy Rulebase Sengs.
STEP 3 | Configure the sengs you want to enforce. In this example, tags and audit comments are
required for all policies.
Enforce audit comments for policy rules to capture the reason an administrator creates
or modifies a rule. Requiring audit comments on policy rules helps maintain an accurate
rule history for auding purposes.
STEP 4 | Configure the Audit Comment Regular Expression to specify the audit comment format.
When administrators create or modify a rule, you can require they enter a comment those
audit comments adhere to a specific format that fits your business and auding needs by
specifying leer and number expressions. For example, you can use this seng to specify
regular expressions that match your ckeng number formats:
• [0-9]{<Number of digits>}—Requires the audit comment to contain a minimum
number of digits that range from 0 to 9. For example, [0-9]{6} requires a minimum of six
digit in a numerical expression with numbers 0 to 9.
• <Letter Expression>—Requires the audit comment to contain a leer expression. For
example, Reason for Change- requires that the administrator begin the audit comment
with this leer expression.
• <Letter Expression>-[0-9]{<Number of digits>}—Requires the audit comment
to contain a predetermined character followed by a minimum number of digits that range
from 0 to 9. For example, SB-[0-9]{6} requires the audit comment format to begin with
SB-, followed by a minimum six digits in a numerical expression with values from 0 to 9. For
example, SB-012345.
• (<Letter Expression>)|(<Letter Expression>)|(<Letter
Expression>)|-[0-9]{<Number of digits>}—Requires the audit comment to
contain a prefix using any one of the predetermined leer expressions with a minimum
number of digits that range from 0 to 9. For example, (SB|XY|PN)-[0-9]{6} requires the
PAN-OS® Administrator’s Guide Version Version 9.1 1424 ©2021 Palo Alto Networks, Inc.
Policy
audit comment format to begin with SB-, XY-, or PN- followed by a minimum of six digits
in a numerical expression with values from 0 to 9. For example, SB-012345, XY-654321,
or PN-012543.
Aer you commit the policy rulebase sengs changes, modify the exisng policy rule
based on the rulebase sengs you decided to enforce.
PAN-OS® Administrator’s Guide Version Version 9.1 1425 ©2021 Palo Alto Networks, Inc.
Policy
STEP 7 | Verify that the firewall is enforcing the new policy rulebase sengs.
1. Select Policies and Add a new rule.
2. Confirm that you must add a tag and enter an audit comment click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1426 ©2021 Palo Alto Networks, Inc.
Policy
When cloning mulple policy rules, the order by which you select the rules will determine
the order they are copied to the device group. For example, if you have rules 1-4 and your
selecon order is 2-1-4-3, the device group where these rules will be cloned will display
the rules in the same order you selected. However, you can reorganize the rules as you see
fit once they have been successfully copied.
STEP 1 | Select the policy type (for example, Policy > Security) or object type (for example, Objects >
Addresses).
STEP 2 | Select the Virtual System and select one or more policy rules or objects.
STEP 4 | In the Desnaon drop-down, select the new virtual system or Shared.
STEP 6 | The Error out on first detected error in validaon check box is selected by default. The
firewall stops performing the checks for the move or clone acon when it finds the first
error, and displays just this error. For example, if an error occurs when the Desnaon vsys
doesn’t have an object that the policy rule you are moving references, the firewall will display
the error and stop any further validaon. When you move or clone mulple items at once,
selecng this check box will allow you to find one error at a me and troubleshoot it. If you
clear the check box, the firewall collects and displays a list of errors. If there are any errors in
validaon, the object is not moved or cloned unl you fix all the errors.
PAN-OS® Administrator’s Guide Version Version 9.1 1427 ©2021 Palo Alto Networks, Inc.
Policy
STEP 7 | Click OK to start the error validaon. If the firewall displays errors, fix them and retry the
move or clone operaon. If the firewall doesn’t find errors, the object is moved or cloned
successfully. Aer the operaon finishes, click Commit.
PAN-OS® Administrator’s Guide Version Version 9.1 1428 ©2021 Palo Alto Networks, Inc.
Policy
Address Objects
An address object is a set of IP addresses that you can manage in one place and then use in
mulple firewall policy rules, filters, and other funcons. There are four types of address objects:
IP Netmask, IP Range, IP Wildcard Mask, and FQDN.
An address object of type IP Netmask, IP Range, or FQDN can specify IPv4 or IPv6 addresses. An
address object of type IP Wildcard Mask can specify only IPv4 addresses.
An address object of type IP Netmask requires you to enter the IP address or network using slash
notaon to indicate the IPv4 network or the IPv6 prefix length. For example, 192.168.18.0/24 or
2001:db8:123:1::/64.
An address object of type IP Range requires you to enter the IPv4 or IPv6 range of addresses
separated by a hyphen.
An address object of type FQDN (for example, paloaltonetworks.com) provides further ease of use
because DNS provides the FQDN resoluon to the IP addresses instead of you needing to know
the IP addresses and manually updang them every me the FQDN resolves to new IP addresses.
An address object of type IP Wildcard Mask is useful if you define private IPv4 addresses to
internal devices and your addressing structure assigns meaning to certain bits in the address. For
example, the IP address of cash register 156 in the northeastern U.S. could be 10.132.1.156 based
on these bit assignments:
An address object of type IP Wildcard Mask specifies which source or desnaon addresses are
subject to a Security policy rule. For example, 10.132.1.1/0.0.2.255. A zero (0) bit in the mask
indicates that the bit being compared must match the bit in the IP address that is covered by
the zero. A one (1) bit in the mask (a wildcard bit) indicates that the bit being compared need
not match the bit in the IP address. The following snippets of an IP address and wildcard mask
illustrate how they yield four matches:
PAN-OS® Administrator’s Guide Version Version 9.1 1429 ©2021 Palo Alto Networks, Inc.
Policy
PAN-OS® Administrator’s Guide Version Version 9.1 1430 ©2021 Palo Alto Networks, Inc.
Policy
firewall or Panorama). To change the address object type from FQDN to IP Netmask,
select an IP Netmask and click Use this address. The Type changes to IP Netmask and
the IP address you select appears in the text field.
3. (Oponal) Enter one or more Use Tags to Group and Visually Disnguish Objects to apply
to the address object.
4. Click OK.
STEP 3 | View logs filtered by address object, address group, or wildcard address.
1. For example, select Monitor > Logs > Traffic to view traffic logs.
2. Select to add a log filter.
3. Select the Address aribute, the in Operator, and enter the name of the address object
for which you want to view logs. Alternavely, enter an address group name or a
wildcard address, such as 10.155.3.4/0.0.240.255.
4. Click Apply.
STEP 5 | Use a filter in the ACC to view network acvity based on a source IP address or desnaon
IP address that uses an address object.
1. Select ACC > Network Acvity.
2. View the Source IP Acvity—For Global Filters, click to add a filter and select one
of the following: Address or Source > Source Address or Desnaon > Desnaon
Address and select an address object.
3. View the Desnaon IP Acvity—For Global Filters, click the to add a filter and select
one of the following: Address or Source > Source Address or Desnaon > Desnaon
Address and select an address object.
PAN-OS® Administrator’s Guide Version Version 9.1 1431 ©2021 Palo Alto Networks, Inc.
Policy
PAN-OS® Administrator’s Guide Version Version 9.1 1432 ©2021 Palo Alto Networks, Inc.
Policy
To tag a zone, you must create a tag with the same name as the zone. When the zone
is aached in policy rules, the tag color automacally displays as the background color
against the zone name.
STEP 3 | Apply tags to an address object, address group, service, or service group.
1. Create the object.
For example, to create a service group, select Objects > Service Groups > Add.
2. Select a tag (Tags) or enter a name in the field to create a new tag.
To edit a tag or add color to the tag, see Modify Tags.
Modify Tags
PAN-OS® Administrator’s Guide Version Version 9.1 1433 ©2021 Palo Alto Networks, Inc.
Policy
Select Objects > Tags to perform any of the following operaons with tags:
• Click the Name to edit the properes of a tag.
• Select a tag in the table and Delete the tag from the firewall.
• Clone a tag to duplicate it with the same properes. A numerical suffix is added to the tag
name (for example, FTP-1).
For details on creang tags, see Create and Apply Tags. For informaon on working with tags,
see View Rules by Tag Group.
STEP 2 | Create and Apply Tags you want to use for grouping rules.
PAN-OS® Administrator’s Guide Version Version 9.1 1434 ©2021 Palo Alto Networks, Inc.
Policy
PAN-OS® Administrator’s Guide Version Version 9.1 1435 ©2021 Palo Alto Networks, Inc.
Policy
PAN-OS® Administrator’s Guide Version Version 9.1 1436 ©2021 Palo Alto Networks, Inc.
Policy
PAN-OS® Administrator’s Guide Version Version 9.1 1437 ©2021 Palo Alto Networks, Inc.
Policy
hoc, you can use an external dynamic list of type IP address as a source or desnaon address
object in policy rules, and configure the firewall to deny or allow access to the IP addresses
(IPv4 and IPv6 address, IP range and IP subnets) included in the list. You can also use an IP
address EDL in the source or desnaon of an SD-WAN policy rule. The firewall treats an
external dynamic list of type IP address as an address object; all the IP addresses included in a
list are handled as one address object.
• Domain—An external dynamic list of type domain allows you to import custom domain names
into the firewall to enforce policy using an An-Spyware profile or SD-WAN policy rule. An
EDL in an An-Spyware profile is very useful if you subscribe to third-party threat intelligence
feeds and want to protect your network from new sources of threat or malware as soon as
you learn of a malicious domain. For each domain you include in the external dynamic list,
the firewall creates a custom DNS-based spyware signature so that you can enable DNS
sinkholing. The DNS-based spyware signature is of type spyware with medium severity and
each signature is named Custom Malicious DNS Query <domain name>. You can
also specify the firewall to include the subdomains of a specifed domain. For example, if
your domain list includes paloaltonetworks.com, all lower level components of the domain
name (e.g., *.paloaltonetworks.com) will also be included as part of the list. When this seng
is enabled, each domain in a given list requires an addional entry, effecvely doubling the
number of entries used by the list. For details on configuring domain lists, see Configure DNS
Sinkholing for a List of Custom Domains.
• URL—An external dynamic list of type URL gives you the agility to protect your network from
new sources of threat or malware. The firewall handles an external dynamic list with URLs like a
custom URL category and you can use this list in two ways:
• As a match criterion in Security policy rules, Decrypon policy rules, and QoS policy rules
to allow, deny, decrypt, not decrypt, or allocate bandwidth for the URLs in the custom
category.
• In a URL Filtering profile where you can define more granular acons, such as connue,
alert, or override, before you aach the profile to a Security policy rule (see Use an External
Dynamic List in a URL Filtering Profile).
On each firewall model, you can add a maximum of 30 custom EDLs with unique sources to a
single policy rule to enforce policy. The external dynamic list limit is not applicable to Panorama.
When using Panorama to manage a firewall that is enabled for mulple virtual systems, if you
exceed the limit for the firewall, a commit error displays on Panorama. A source is a URL that
includes the IP address or hostname, the path, and the filename for the external dynamic list. The
firewall matches the URL (complete string) to determine whether a source is unique.
While the firewall does not impose a limit on the number of lists of a specific type, the following
limits are enforced:
• IP address—The PA-5200 Series and the PA-7000 Series firewalls support a maximum of
150,000 total IP addresses; all other models support a maximum of 50,000 total IP addresses.
No limits are enforced for the number of IP addresses per list. When the maximum supported
IP address limit is reached on the firewall, the firewall generates a syslog message. The IP
addresses in predefined IP address lists do not count toward the limit.
PAN-OS® Administrator’s Guide Version Version 9.1 1438 ©2021 Palo Alto Networks, Inc.
Policy
• URL and domain—The maximum number of URLs and domains supported varies by model.
No limits are enforced for the number of URL or domain entries per list. Refer to the following
table for specifics on your model:
PA-7000
appliances
with mixed
NPCs only
support the
standard
capacies.
List entries only count toward the firewall limits if they belong to an external dynamic list that is
referenced in policy.
PAN-OS® Administrator’s Guide Version Version 9.1 1439 ©2021 Palo Alto Networks, Inc.
Policy
• When parsing the list, the firewall skips entries that do not match the list type, and
ignores entries that exceed the maximum number supported for the model. To ensure
that the entries do not exceed the limit, check the number of entries currently used in
policy. Select Objects > External Dynamic Lists and click List Capacies.
• An external dynamic list should not be empty. If you want to stop using the list, remove
the reference from the policy rule or profile rather than leave the list empty. If the list
is empty the firewall fails to refresh the list and connues to use the last informaon it
retrieved.
• As a best pracce, Palo Alto Networks recommends using shared EDLs when mulple
virtual systems are used. Using individual EDLs with duplicate entries for each virtual
system uses more memory, which might over-ulize firewall resources.
• EDL entry counts on firewalls operang mul-virtual systems take addional factors
into account (such as DAGs, number of vsys, rules bases) to generate a more accurate
capacity consumpon lisng. This might result in a discrepancy in capacity usage aer
upgrading from PAN-OS 8.x releases.
• Depending on the features enabled on the firewall, memory usage limits might be
exceeded before EDL capacity limits are met due to memory allocaon updates. As a
best pracce, Palo Alto Networks recommends reviewing EDL capacies and, when
necessary, removing or consolidang EDLs into shared lists to minimize memory usage.
IP Address List
The external dynamic list can include individual IP addresses, subnet addresses (address/mask),
or range of IP addresses. In addion, the block list can include comments and special characters
such as * , : , ; , #, or /. The syntax for each line in the list is [IP address, IP/Mask, or IP
start range-IP end range] [space] [comment].
Enter each IP address/range/subnet in a new line; URLs or domains are not supported in this list.
A subnet or an IP address range, such as 92.168.20.0/24 or 192.168.20.40-192.168.20.50, count
as one IP address entry and not as mulple IP addresses. If you add comments, the comment must
be on the same line as the IP address/range/subnet. The space at the end of the IP address is the
delimiter that separates a comment from the IP address.
An example IP address list:
192.168.20.10/32
2001:db8:123:1::1 #test IPv6 address
192.168.20.0/24 ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
PAN-OS® Administrator’s Guide Version Version 9.1 1440 ©2021 Palo Alto Networks, Inc.
Policy
192.168.20.40-192.168.20.50
For an IP address that is blocked, you can display a noficaon page only if the protocol is
HTTP.
Domain List
You can use placeholder characters in domain lists to configure a single entry to match against
mulple website subdomains, pages, including enre top-level domains, as well as matches to
specific web pages.
Follow these guidelines when creang domain list entries:
• Enter each domain name in a new line; URLs or IP addresses are not supported in this list.
• Do not prefix the domain name with the protocol, hp:// or hps://.
• You can use an asterisk (*) to indicate a wildcard value.
• You can use a caret (^) to indicate an exact match value.
• The following characters are considered token separators: . / ? & = ; +
Every string separated by one or two of these characters is a token. Use wildcard characters as
token placeholders, indicang that a specific token can contain any value.
• Wildcard characters must be the only character within a token; however, an entry can contain
mulple wildcards.
• Each domain entry can be up to 255 characters in length.
When to use the asterisk (*) wildcard:
Use an asterisk (*) wildcard to indicate one or mulple variable subdomains. For example,
to specify enforcement for Palo Alto Network’s website regardless of the domain extension
used, which might be one or two subdomains depending on locaon, you would add the entry:
*.paloaltonetworks.com. This entry would match to both docs.paloaltonetworks.com and
support.paloaltonetworks.com.
You can also use this wildcard to indicate enre top-level domains. For example, to specify
enforcement of a TLD named .work, you would add the entry *.work. This matches all websites
ending with .work.
*.company.com eng.tools.company.com
support.tools.company.com
tools.company.com
docs.company.com
PAN-OS® Administrator’s Guide Version Version 9.1 1441 ©2021 Palo Alto Networks, Inc.
Policy
^company.com company.com
^eng.company.com eng.company.com
URL List
See URL Category Excepons.
PAN-OS® Administrator’s Guide Version Version 9.1 1442 ©2021 Palo Alto Networks, Inc.
Policy
Configure the Firewall to Access an External Dynamic List) and exclude entries from the list as
needed.
The firewall does not use the External Dynamic Lists service route to retrieve Built-in
External Dynamic Lists; content updates modify or update the contents of those lists
(acve Threat Prevenon license required).
STEP 4 | Click Add and enter a descripve Name for the list.
PAN-OS® Administrator’s Guide Version Version 9.1 1443 ©2021 Palo Alto Networks, Inc.
Policy
STEP 5 | (Oponal) Select Shared to share the list with all virtual systems on a device that is enabled
for mulple virtual systems. By default, the object is created on the virtual system that is
currently selected in the Virtual Systems drop-down.
As a best pracce, Palo Alto Networks recommends using shared EDLs when mulple
virtual systems are used. Using individual EDLs with duplicate entries for each vsys
uses more memory, which might over-ulize firewall resources.
STEP 6 | (Panorama only) Select Disable override to ensure that a firewall administrator cannot
override sengs locally on a firewall that inherits this configuraon through a Device Group
commit from Panorama.
STEP 8 | Enter the Source for the list you just created on the web server. The source must include the
full path to access the list. For example, https://1.2.3.4/EDL_IP_2015.
If you are creang a list of type Predefined IP, select a Palo Alto Networks malicious IP address
feed to use as a source.
STEP 9 | If the list source is secured with SSL (i.e. lists with an HTTPS URL), enable server
authencaon. Select a Cerficate Profile or create a New Cerficate Profile for
authencang the server that hosts the list. The cerficate profile you select must have
root CA (cerficate authority) and intermediate CA cerficates that match the cerficates
installed on the server you are authencang.
Maximize the number of external dynamic lists that you can use to enforce policy. Use
the same cerficate profile to authencate external dynamic lists from the same source
URL. If you assign different cerficate profiles to external dynamic lists from the same
source URL, the firewall counts each list as a unique external dynamic list.
PAN-OS® Administrator’s Guide Version Version 9.1 1444 ©2021 Palo Alto Networks, Inc.
Policy
STEP 10 | Enable client authencaon if the list source has an HTTPS URL and requires basic HTTP
authencaon for list access.
1. Select Client Authencaon.
2. Enter a valid Username to access the list.
3. Enter the Password and Confirm Password.
STEP 11 | (Not available on Panorama) Click Test Source URL to verify that the firewall can connect to
the web server.
The Test Source URL funcon is not available when authencaon is used for EDL
access.
STEP 12 | (Oponal) Specify the Check for updates frequency at which the firewall retrieves the list. By
default, the firewall retrieves the list once every hour and commits the changes.
The interval is relave to the last commit. So, for the five-minute interval, the commit
occurs in 5 minutes if the last commit was an hour ago. To retrieve the list immediately,
see Retrieve an External Dynamic List from the Web Server.
STEP 14 | (Oponal) EDLs are shown top to boom, in order of evaluaon. Use the direconal controls
at the boom of the page to change the list order. This allows you to or order the lists to
make sure the most important EDLs are commied before capacity limits are reached.
You can only change the EDL order when Group By Type is deselected.
PAN-OS® Administrator’s Guide Version Version 9.1 1445 ©2021 Palo Alto Networks, Inc.
Policy
If the server or client authencaon fails, the firewall ceases to enforce policy based on
the last successfully retrieved external dynamic list. Find External Dynamic Lists That
Failed Authencaon and view the reasons for authencaon failure.
PAN-OS® Administrator’s Guide Version Version 9.1 1446 ©2021 Palo Alto Networks, Inc.
Policy
STEP 2 | (Best Pracces) Create a cerficate profile to authencate the EDL Hosng Service.
1. Download the GlobalSign Root R1 cerficate.
2. Convert the GlobalSign Root R1 Cerficate to PEM Format.
3. Launch the firewall web interface.
4. Import the GlobalSign Root R1 cerficate.
1. Select Device > Cerficate Management > Cerficates and Import a new cerficate.
2. For Cerficate Type, select Local.
3. Enter a descripve Cerficate Name.
4. For the Cerficate File, select Browse and select the cerficate you downloaded in
the previous step.
5. For the File Format, select Base64 Encoded Cerficate (PEM).
6. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1447 ©2021 Palo Alto Networks, Inc.
Policy
6. Commit.
PAN-OS® Administrator’s Guide Version Version 9.1 1448 ©2021 Palo Alto Networks, Inc.
Policy
STEP 3 | Create an EDL using a Feed URL from the EDL Hosng Service.
1. Select Objects > External Dynamic Lists and Add a new EDL.
2. Enter a descripve Name for the EDL.
3. Select the EDL Type.
• For an IP-based EDL, select IP List.
• For a URL-based EDL, select URL List.
4. (Oponal) Enter a Descripon for the EDL
5. Enter the Feed URL as the EDL Source.
Enforce all endpoints within a specific Feed URL. Adding an excluding a specific
endpoint from a Feed URL can cause connecvity issues to the SaaS applicaon.
6. (Best Pracces) Select the Cerficate Profile you created in the previous step.
7. Specify the frequency the firewall should Check for updates to match the update
frequency of the Feed URL.
For example, if the Feed URL is updated daily by Palo Alto Networks then configure the
EDL to check for updates Daily.
Palo Alto Networks displays the update frequency for each Feed URL in the EDL Hosng
Service. Feed URLs are automacally updated with any new endpoints.
8. Click Test Source URL to verify that the firewall can access the Feed URL from the EDL
Hosng Service.
9. Click OK.
Leverage App-ID alongside EDLs in a policy rule for addional strict enforcement of
SaaS applicaon traffic.
PAN-OS® Administrator’s Guide Version Version 9.1 1449 ©2021 Palo Alto Networks, Inc.
Policy
PAN-OS® Administrator’s Guide Version Version 9.1 1450 ©2021 Palo Alto Networks, Inc.
Policy
PAN-OS® Administrator’s Guide Version Version 9.1 1451 ©2021 Palo Alto Networks, Inc.
Policy
STEP 1 | To retrieve the list on demand, select Objects > External Dynamic Lists.
STEP 2 | Select the list that you want to refresh, and click Import Now. The job to import the list is
queued.
STEP 3 | To view the status of the job in the Task Manager, see Manage and Monitor Administrave
Tasks.
STEP 4 | (Oponal) Aer the firewall retrieves the list, View External Dynamic List Entries.
PAN-OS® Administrator’s Guide Version Version 9.1 1452 ©2021 Palo Alto Networks, Inc.
Policy
STEP 3 | Click List Entries and Excepons and view the objects that the firewall retrieved from the list.
STEP 4 | Enter an IP address, domain, or URL (depending on the type of list) in the filter field and
Apply Filter ( ) to check if it’s in the list. Exclude Entries from an External Dynamic List
based on which IP addresses, domains, and URLs you need to block or allow.
STEP 5 | (Oponal) View the AutoFocus Intelligence Summary for a list entry. Hover over an entry to
open the drop-down and then click AutoFocus.
PAN-OS® Administrator’s Guide Version Version 9.1 1453 ©2021 Palo Alto Networks, Inc.
Policy
STEP 2 | Select up to 100 entries to exclude from the list and click Submit ( ) or manually Add a list
excepon.
• You cannot save your changes to the external dynamic list if you have duplicate entries
in the Manual Excepons list. To idenfy duplicate entries, look for entries with a red
underline.
• A manual excepon must match a list entry exactly. Addionally, you cannot exclude a
specific IP address from within an IP address range. To exclude a specific IP address from an
IP address range, you must add each IP address in the range as a list entry and then exclude
the desired IP address.
The firewall does not support excluding an individual IP address from an IP address range.
Use an External Dynamic List of Type URL as Match Criteria in a Security Policy Rule.
1. Select Policies > Security.
2. Click Add and enter a descripve Name for the rule.
3. In the Source tab, select the Source Zone.
4. In the Desnaon tab, select the Desnaon Zone.
5. In the Service/URL Category tab, click Add to select the appropriate external dynamic
list from the URL Category list.
6. In the Acons tab, set the Acon Seng to Allow or Deny.
7. Click OK and Commit.
8. Verify whether entries in the external dynamic list were ignored or skipped.
Use the following CLI command on a firewall to review the details for a list.
request
system external-list show type <domain | ip | url>
name_of_list
For example:
request system
PAN-OS® Administrator’s Guide Version Version 9.1 1454 ©2021 Palo Alto Networks, Inc.
Policy
PAN-OS® Administrator’s Guide Version Version 9.1 1455 ©2021 Palo Alto Networks, Inc.
Policy
Create separate external dynamic lists if you want to specify allow and deny
acons for specific IP addresses.
6. Leave all the other opons at the default values.
7. Click OK to save the changes.
8. Commit the changes.
9. Test that the policy acon is enforced.
1. View External Dynamic List Entries for the external dynamic list, and aempt to
access an IP address from the list.
2. Verify that the acon you defined is enforced.
3. Select Monitor > Logs > Traffic and view the log entry for the session.
4. To verify the policy rule that matches a flow, select Device > Troubleshoong, and
execute a Security Policy Match test:
PAN-OS® Administrator’s Guide Version Version 9.1 1456 ©2021 Palo Alto Networks, Inc.
Policy
Tips for enforcing policy on the firewall with external dynamic lists:
• When viewing external dynamic lists on the firewall (Objects > External
Dynamic Lists), click List Capacies to compare how many IP addresses,
domains, and URLs are currently used in policy with the total number of
entries that the firewall supports for each list type.
• Use Global Find to Search the Firewall or Panorama Management
Server for a domain, IP address, or URL that belongs to one or more external
dynamic lists is used in policy. This is useful for determining which external
dynamic list (referenced in a Security policy rule) is causing the firewall to
block or allow a certain domain, IP address, or URL.
• Use the direconal controls at the boom of the page to change the
evaluaon order of EDLs. This allows you to or order the lists to make sure the
most important entries in an EDL are commied before capacity limits are
reached.
You can only change the EDL order when Group By Type is
deselected.
STEP 2 | Construct the following filters to view all messages related to authencaon failure, and
apply the filters. For more informaon, review the complete workflow to Filter Logs.
• Server authencaon failure—(eventid eq tls-edl-auth-failure)
• Client authencaon failure—(eventid eq edl-cli-auth-failure)
STEP 3 | Review the system log messages. The message descripon includes the name of the external
dynamic list, the source URL for the list, and the reason for the authencaon failure.
The server that hosts the external dynamic list fails authencaon if the cerficate is expired. If
you have configured the cerficate profile to check cerficate revocaon status via Cerficate
PAN-OS® Administrator’s Guide Version Version 9.1 1457 ©2021 Palo Alto Networks, Inc.
Policy
Revocaon List (CRL) or Online Cerficate Status Protocol (OCSP), the server may also fail
authencaon if:
• The cerficate is revoked.
• The revocaon status of the cerficate is unknown.
• The connecon mes out as the firewall is aempng to connect to the CRL/OCSP service.
For more informaon on cerficate profile sengs, refer to the steps to Configure a Cerficate
Profile.
Verify that you added the root CA and intermediate CA of the server to the cerficate
profile configured with the external dynamic list. Otherwise, the firewall will not
authencate the list properly.
Client authencaon fails if you have entered the incorrect username and password
combinaon for the external dynamic list.
STEP 4 | (Oponal) Disable Authencaon for an External Dynamic List that failed authencaon as
a stop-gap measure unl the list owner renews the cerficate(s) of the server that hosts the
list.
Disabling server authencaon for an external dynamic list also disables client
authencaon. With client authencaon disabled, the firewall will not be able to connect
to an external dynamic list that requires a username and password for access.
username@hostname> configure
Entering configuration mode
[edit]
username@hostname#
The change from the > to the # symbol indicates that you are now in configuraon mode.
PAN-OS® Administrator’s Guide Version Version 9.1 1458 ©2021 Palo Alto Networks, Inc.
Policy
STEP 2 | Enter the appropriate CLI command for the list type:
• IP Address
• Domain
• URL
STEP 3 | Verify that authencaon is disabled for the external dynamic list.
Trigger a refresh for the list (see Retrieve an External Dynamic List from the Web Server). If the
firewall retrieves the list successfully, server authencaon is disabled.
PAN-OS® Administrator’s Guide Version Version 9.1 1459 ©2021 Palo Alto Networks, Inc.
Policy
PAN-OS® Administrator’s Guide Version Version 9.1 1460 ©2021 Palo Alto Networks, Inc.
Policy
the firewall generates a threat log, you can configure the firewall to tag the source IP address
in the threat log with a specific tag name. For more informaon, refer to Use Auto-Tagging to
Automate Security Acons.
Addionally, you can configure the firewall to dynamically unregister a tag aer a configured
amount of me using a meout. For example, you can configure the meout to be the same
duraon as the DHCP lease meout for the IP address. This allows the IP address-to-tag
mapping to expire at the same me as the DHCP lease so that you don’t unintenonally apply
policy when the IP address is reassigned.
See Forward Logs to an HTTP(S) Desnaon.
For informaon on creang and using Dynamic Address Groups, see Use Dynamic Address Groups
in Policy.
For the CLI commands for registering tags dynamically, see CLI Commands for Dynamic IP
Addresses and Tags.
PAN-OS® Administrator’s Guide Version Version 9.1 1461 ©2021 Palo Alto Networks, Inc.
Policy
To support redistribuon for dynamic user group tags, all firewalls must use PAN-OS 9.1 to
receive the tags from the registraon sources.
The firewall redistributes the tags for the dynamic user group to the next hop and you can
configure log forwarding to send the logs to a specific server. Log forwarding also allows you
to use auto-tagging to automacally add or remove members of dynamic user groups based on
events in the logs.
STEP 1 | Select Objects > Dynamic User Groups and Add a new dynamic user group.
PAN-OS® Administrator’s Guide Version Version 9.1 1462 ©2021 Palo Alto Networks, Inc.
Policy
This tag displays in the Tags column in the Dynamic User Group list and defines
the dynamic group object, not the members in the group.
7. Click OK and Commit your changes.
If you update the user group object filter, you must commit the changes to
update the configuraon.
STEP 3 | Depending on the log informaon that you want to use as match criteria, configure auto-
tagging by creang a log forwarding profile or configuring the log sengs.
• For Authencaon, Data, Threat, Traffic, Tunnel Inspecon, URL, and WildFire logs, create a
log forwarding profile.
• For User-ID, GlobalProtect, and IP-Tag logs, configure the log sengs.
STEP 4 | (Oponal) To return dynamic user group members to their original groups aer a specific
duraon of me, enter a Timeout value in minutes (default is 0, range is 0-43200).
STEP 5 | Use the dynamic user group in a policy to regulate traffic for the members of the group.
You will need to create at least two rules: one to allow inial traffic to populate the dynamic
user group and one to deny traffic for the acvity you want to prevent. To tag users, the rule to
allow traffic must have a higher rule number in your rulebase than the rule that denies traffic.
1. Select the dynamic user group from Step 1 as the Source User.
2. Create the rule where the Acon denies traffic to the dynamic user group members.
3. Create the rule that allows the traffic to populate the dynamic user group members.
4. If you configured a Log Forwarding profile in Step 3, select it to add it to the policy.
5. Commit your changes.
PAN-OS® Administrator’s Guide Version Version 9.1 1463 ©2021 Palo Alto Networks, Inc.
Policy
STEP 6 | (Oponal) Refine the group’s membership and define the registraon source for the user-to-
tag mapping updates.
If the inial user-to-tag mapping retrieves users who should not be members or if it does not
include users who should be, modify the members of the group to include the users for whom
you want to enforce the policy and specify the source for the mappings.
1. In the Users column, select more.
2. Register Users to add them to the group and select the Registraon Source for the tags
and user-to-tag mappings.
• Local (Default)—Register the tags and mappings for the dynamic user group members
locally on the firewall.
• Panorama User-ID Agent—Register the tags and mappings for the dynamic user group
members on a User-ID agent connected to Panorama. If the dynamic user group
originates from Panorama, the row displays in yellow and the group name, descripon,
match criteria, and tags are read-only. However, you can sll register or unregister
users from the group.
• Remote device User-ID Agent—Register the tags and mappings for the dynamic
user group members on a remote User-ID agent. To select this opon, you must first
configure an HTTP server profile.
3. Select the Tags you want to register on the source using the tag(s) you used to configure
the group.
4. (Oponal) To return dynamic user group members to their original groups aer a specific
duraon of me, enter a Timeout value in minutes (default is 0, range is 0-43200).
5. Add or Delete users as necessary.
6. (Oponal) Unregister Users to remove their tags and user-to-tag mappings.
STEP 7 | Verify the firewall correctly populates the users in the dynamic user group.
1. Confirm the Dynamic User Group column in the Traffic, Threat, URL Filtering, WildFire
Submissions, Data Filtering, and Tunnel Inspecon logs displays the dynamic user groups
correctly.
2. Use the show user group list dynamic command to display a list of all dynamic
user groups as well as the total number of dynamic user groups.
3. Use the show object registered-user all command to display a list of users
who are registered members of dynamic user groups.
4. Use the show user group name group-name command to display informaon
about the dynamic user group, such as the source type.
PAN-OS® Administrator’s Guide Version Version 9.1 1464 ©2021 Palo Alto Networks, Inc.
Policy
Dynamic user groups do not support auto-tagging from HIP Match logs.
Redistribute the mappings across your network by registering the IP address-to-tag and user-to-
tag mappings to a PAN-OS integrated User-ID agent on the firewall or Panorama or to a remote
User-ID agent using an HTTP server profile. The firewall can automacally remove (unregister)
a tag associated with an IP address or user when you configure a meout as part of a built-in
acon for a log forwarding profile or as part of log forwarding sengs. For example, if the firewall
detects a user has potenally compromised credenals, you could configure the firewall to require
MFA authencaon for that user for a given period of me, then configure a meout to remove
the user from the MFA requirement group.
STEP 1 | Depending on the type of log you want to use for tagging, create a log forwarding profile or
configure the log sengs to define how you want the firewall or Panorama to handle logs.
• For Authencaon, Data, Threat, Traffic, Tunnel Inspecon, URL, and WildFire logs, create
a log forwarding profile.
• For User-ID, GlobalProtect, and IP-Tag logs, configure the log sengs.
STEP 2 | Define the match list criteria that determine when the firewall or Panorama adds the tag to
the policy object.
For example, you can use a filter to configure a threshold or define a value (such as user eq
“unknown” to idenfy users that the firewall has not yet mapped); when the firewall reaches
that threshold or finds that value, the firewall adds the tag.
• To create a log forwarding profile, Add it and select the Log Type you want to monitor for
match list criteria (Objects > Log Forwarding).
• To configure log sengs, Add the log sengs for the type of log you want to monitor for
match list criteria (Device > Log Sengs).
STEP 3 | Copy and paste a Filter value or use the Filter Builder to define the match criteria for the tag.
PAN-OS® Administrator’s Guide Version Version 9.1 1465 ©2021 Palo Alto Networks, Inc.
Policy
PAN-OS® Administrator’s Guide Version Version 9.1 1466 ©2021 Palo Alto Networks, Inc.
Policy
STEP 5 | (Remote User-ID only) Configure an HTTP server profile to forward logs to a remote User-ID
agent.
1. Select Device > Server Profiles > HTTP.
2. Add a profile and specify a Name for the server profile.
3. (Virtual systems only) Select the Locaon. The profile can be Shared across all virtual
systems or can belong to a specific virtual system.
4. Select Tag Registraon to enable the firewall to register the IP address and tag mapping
with the User-ID agent on a remote firewall. With tag registraon enabled, you cannot
specify the payload format.
5. Add the server connecon details to access the remote User-ID agent and click OK.
6. Select the log forwarding profile you created then select this server profile as the HTTP
server profile for your Remote User-ID tag Registraon.
STEP 6 | Define the policy objects to which you want to apply the tags.
1. Create or select one of the following policy objects: dynamic address groups, Use
Dynamic User Groups in Policy, addresses, address groups, zones, policy rules, services,
or service groups.
2. Enter the tags you want to apply to the object as the Match criteria.
Confirm that the tag is idencal to the tag in Step 4.
STEP 8 | If you configured a log forwarding profile, assign it to your Security policy.
You can assign one log forwarding profile for each policy but you can assign mulple methods
and acons per profile. For an example, refer to Use Dynamic Address Groups in Policy.
PAN-OS® Administrator’s Guide Version Version 9.1 1467 ©2021 Palo Alto Networks, Inc.
Policy
STEP 10 | (Oponal) Configure a meout to remove the tag from the policy object aer the specified
me has elapsed.
Specify the amount of me (in minutes) that passes before the firewall removes the tag from
the policy object. The range is from 0 to 43,200. If you set the meout to zero, the IP address-
to-tag mapping does not meout and must be removed with an explicit acon. If you set the
meout to the maximum of 43,200 minutes, the firewall removes the tag aer 30 days.
Set the IP-tag meout to the same amount of me as the DHCP lease meout
for that IP address. This allows the IP address-to-tag mapping to expire at the
same me as the DHCP lease so that you do not unintenonally apply policy
when the IP address is reassigned.
4. Click OK and Commit your changes.
PAN-OS® Administrator’s Guide Version Version 9.1 1468 ©2021 Palo Alto Networks, Inc.
Policy
PAN-OS® Administrator’s Guide Version Version 9.1 1469 ©2021 Palo Alto Networks, Inc.
Policy
• When monitoring ESXi hosts that are part of the VM-Series NSX edion soluon,
use Dynamic Address Groups instead of using VM Informaon Sources to learn about
changes in the virtual environment. For the VM-Series NSX edion soluon, the NSX
Manager provides Panorama with informaon on the NSX security group to which an
IP address belongs. The informaon from the NSX Manager provides the full context
for defining the match criteria in a Dynamic Address Group because it uses the service
profile ID as a disnguishing aribute and allows you to properly enforce policy when
you have overlapping IP addresses across different NSX security groups. Up to a
maximum of 32 tags (from vCenter server and NSX Manager) that can be registered to
an IP address.
• For monitoring the virtual machines within your Azure deployment, instead of VM
Monitoring Sources, you need to deploy the VM Monitoring script that runs on a
virtual machine within the Azure public cloud. This script collects the IP address-to-
tag mapping informaon for your Azure assets and publishes it to the firewalls and
corresponding virtual systems you specify in the script.
• For Panorama version 8.1.3 and later, you can also use the Panorama plugin for AWS
or Azure to retrieve VM Informaon and register it to the managed firewalls. See
Aributes Monitored on Virtual Machines in Cloud Plaormsfor details.
You can configure up to 10 VM informaon sources for each firewall, or for each virtual
system on a mulple virtual systems capable firewall.
• Add the credenals (Username and Password) to authencate to the server specified
above.
• Use the credenals of an administrave user to enable access.
• Define the Source.
• (Oponal) Modify the Update interval to a value between 5-600 seconds. By default,
the firewall polls every 5 seconds. The API calls are queued and retrieved within
PAN-OS® Administrator’s Guide Version Version 9.1 1470 ©2021 Palo Alto Networks, Inc.
Policy
every 60 seconds, so updates may take up to 60 seconds plus the configured polling
interval.
• (Oponal) Enter the interval in hours when the connecon to the monitored source is
closed, if the host does not respond. (range is 2-10 hours; default is 2).
To change the default value, select the check box to Enable meout when the source
is disconnected and specify the value. When the specified limit is reached or if the
host cannot be accessed or does not respond, the firewall will close the connecon to
the source.
• Click OK, and Commit the changes.
• Verify that the connecon Status displays as connected.
If the connecon status is pending or disconnected, verify that the source is operaonal and
that the firewall is able to access the source. If you use a port other than the MGT port for
communicang with the monitored source, you must change the service route (Device > Setup
> Services, click the Service Route Configuraon link and modify the Source Interface for the
VM Monitor service).
PAN-OS® Administrator’s Guide Version Version 9.1 1471 ©2021 Palo Alto Networks, Inc.
Policy
virtual system if your firewall has mulple virtual system capability), you can configure up to 10
sources.For informaon on how VM Informaon Sources and Dynamic Address Groups work
synchronously and enable you to monitor changes in the virtual environment, refer to the VM-
Series Deployment Guide .If your firewalls are configured in a high availability configuraon:
• In an acve/passive setup, only the acve firewall monitors the VM informaon sources.
• In an acve/acve setup, only the primary firewall monitors the VM informaon sources.
Panorama Plugin—On a Panorama —hardware appliance or virtual appliance running version
8.1.3—you can install the plugin for Microso Azure and AWS. The plugin allows you to connect
Panorama to your Azure public cloud subscripons or AWS VPCs and retrieve the IP address-
to-tag mapping for your virtual machines. Panorama then registers the VM informaon to the
managed Palo Alto Networks® firewall(s) that you have configured for noficaon.
Use the following secons to review the opons supported on each cloud vendor and the virtual
machine aributes that you can monitor to create Dynamic Address Groups:
• VMware ESXi
• Amazon Web Services (AWS)
• Microso Azure
• Google
VMware ESXi
Each VM on a monitored ESXi or vCenter server must have VMware Tools installed and running.
VMware Tools provide the capability to glean the IP address(es) and other values assigned to each
VM.
When monitoring ESXi hosts that are part of the VM-Series NSX edion soluon, use
Dynamic Address Groups (instead of using VM Informaon Sources) to learn about
changes in the virtual environment. For the VM-Series NSX edion soluon, the NSX
Manager provides Panorama with informaon on the NSX security group to which an
IP address belongs. The informaon from the NSX Manager provides the full context for
defining the match criteria in a Dynamic Address Group because it uses the service profile
ID as a disnguishing aribute and allows you to properly enforce policy when you have
overlapping IP addresses across different NSX security groups.
Up to 32 tags (from vCenter server and NSX Manager) can be registered to an IP address.
To collect the values assigned to the monitored VMs, use the VM Informaon Sources on the
firewall to monitor the following predefined set of ESXi aributes:
UUID
Name
Guest OS
PAN-OS® Administrator’s Guide Version Version 9.1 1472 ©2021 Palo Alto Networks, Inc.
Policy
VM State — the power state can be poweredOff, poweredOn, standBy, and unknown.
Annotaon
Version
Container Name —vCenter Name, Data Center Object Name, Resource Pool Name, Cluster
Name, Host, Host IP address.
Architecture Yes No
Guest OS Yes No
Instance ID Yes No
Owner ID No Yes
PAN-OS® Administrator’s Guide Version Version 9.1 1473 ©2021 Palo Alto Networks, Inc.
Policy
Microso Azure
For VM Monitoring on Azure you need to retrieve the IP address-to-tag mapping for your Azure
VMs and make it available as match criteria in dynamic address groups. The Panorama plugin for
Microso Azure allows you to connect Panorama to your Azure public cloud subscripons and
retrieve the IP address-to-tag mapping for your Azure virtual machines. Panorama can retrieve
a total of 26 tags for each virtual machine, 11 predefined tags and up to 15 user-defined tags
and registers the VM informaon to the managed Palo Alto Networks® firewall(s) that you have
configured for noficaon.
With the Panorama plugin for Azure, you can monitor the following set of virtual machine
aributes within your Microso Azure deployment.
PAN-OS® Administrator’s Guide Version Version 9.1 1474 ©2021 Palo Alto Networks, Inc.
Policy
VM Name Yes
VM Size No
OS Type Yes
OS Publisher Yes
OS Offer Yes
OS SKU Yes
Subnet Yes
VNet Yes
Subscripon ID Yes
Google
Using VM Informaon Sources on the next-gen firewall, you can monitor the following predefined
set of Google Compute Engine (GCE) aributes.
Hostname of the VM
Machine type
Project ID
PAN-OS® Administrator’s Guide Version Version 9.1 1475 ©2021 Palo Alto Networks, Inc.
Policy
Status
Subnetwork
VPC Network
PAN-OS® Administrator’s Guide Version Version 9.1 1476 ©2021 Palo Alto Networks, Inc.
Policy
The following example shows how dynamic address groups can simplify network security
enforcement. The example workflow shows how to:
• Enable the VM Monitoring agent on the firewall, to monitor the VMware ESX(i) host or vCenter
Server and register VM IP addresses and the associated tags.
• Create dynamic address groups and define the tags to filter. In this example, two address
groups are created. One that only filters for dynamic tags and another that filters for both stac
and dynamic tags to populate the members of the group.
• Validate that the members of the dynamic address group are populated on the firewall.
• Use dynamic address groups in policy. This example uses two different security policies:
• A security policy for all Linux servers that are deployed as FTP servers; this rule matches on
dynamically registered tags.
• A security policy for all Linux servers that are deployed as web servers; this rule matches on
a dynamic address group that uses stac and dynamic tags.
• Validate that the members of the dynamic address groups are updated as new FTP or web
servers are deployed. This ensure that the security rules are enforced on these new virtual
machines too.
STEP 1 | Enable VM Source Monitoring.
See Enable VM Monitoring to Track Changes on the Virtual Network.
PAN-OS® Administrator’s Guide Version Version 9.1 1477 ©2021 Palo Alto Networks, Inc.
Policy
operator and select the aributes that you would like to filter for or match against. and
then click OK.
6. Click Commit.
STEP 3 | The match criteria for each dynamic address group in this example is as follows:
p_server: matches on the guest operang system “Linux 64-bit” and annotated as
“p” ('guestos.Ubuntu Linux 64-bit' and 'annotaon.p').
web-servers: matches on two criteria—the tag black or if the guest operang system is Linux
64-bit and the name of the server us Web_server_Corp. ('guestos.Ubuntu Linux 64-bit' and
'vmname.WebServer_Corp' or 'black')
PAN-OS® Administrator’s Guide Version Version 9.1 1478 ©2021 Palo Alto Networks, Inc.
Policy
STEP 5 | This example shows how to create two policies: one for all access to FTP servers and the
other for access to web servers.
STEP 6 | Validate that the members of the dynamic address group are populated on the firewall.
1. Select Policies > Security, and select the rule.
2. Select the drop-down arrow next to the address group link, and select Inspect. You can
also verify that the match criteria is accurate.
3. Click the more link and verify that the list of registered IP addresses is displayed.
Policy will be enforced for all IP addresses that belong to this address group, and are
displayed here.
If you want to delete all registered IP addresses, use the CLI command debug
object registered-ip clear all and then reboot the firewall aer clearing
the tags.
PAN-OS® Administrator’s Guide Version Version 9.1 1479 ©2021 Palo Alto Networks, Inc.
Policy
PAN-OS® Administrator’s Guide Version Version 9.1 1480 ©2021 Palo Alto Networks, Inc.
Policy
View all tags registered from a specific • To view tags registered from the CLI:
data source, for example from the VM
Monitoring Agent on the firewall, the show log iptag datasource_type equ
XML API, Windows User-ID Agent or al unknown
the CLI.
PAN-OS® Administrator’s Guide Version Version 9.1 1481 ©2021 Palo Alto Networks, Inc.
Policy
PAN-OS® Administrator’s Guide Version Version 9.1 1482 ©2021 Palo Alto Networks, Inc.
Policy
Enabling the firewall to use the X-Forwarded-For headers to perform user mapping
does not enable the firewall to use the client IP address in the XFF header as the source
address in the logs; the logs sll display the proxy server IP address as the source address.
However, to simplify the debugging and troubleshoong process you can configure the
firewall to Add XFF Values to URL Filtering Logs to display the client IP address from the
XFF header in the URL Filtering logs.
PAN-OS® Administrator’s Guide Version Version 9.1 1483 ©2021 Palo Alto Networks, Inc.
Policy
To ensure that aackers can’t read and exploit the XFF values in web request packets that exit the
firewall to retrieve content from an external server, you can also configure the firewall to strip the
XFF values from outgoing packets.
These opons are not mutually exclusive: if you configure both, the firewall zeroes out XFF values
only aer using them in policy enforcement and logging.
STEP 1 | Enable the firewall to use XFF values in policies and in the source user fields of logs.
1. Select Device > Setup > Content-ID and edit the X-Forwarded-For Headers sengs.
2. Select Use X-Forwarded-For Header in User-ID.
STEP 3 | Verify the firewall is populang the source user fields of logs.
1. Select a log type that has a source user field (for example, Monitor > Logs > Traffic).
2. Verify that the Source User column displays the usernames of users who access web
applicaons.
Enabling the firewall to use the XFF header as the Source address in URL Filtering logs
does not enable user mapping of the source address. To populate the source user fields, see
Use XFF Values for Policies and Logging Source Users.
STEP 1 | Enable the X-Forwarded-For opon within HTTP Header Logging in the URL Filtering profile.
1. Select Objects > Security Profiles > URL Filtering and select the URL Filtering profile you
want to configure, or add a new one.
You can’t enable XFF logging in the default URL Filtering profile.
PAN-OS® Administrator’s Guide Version Version 9.1 1484 ©2021 Palo Alto Networks, Inc.
Policy
STEP 2 | Aach the URL Filtering profile to the security policy rule(s) that enable access to web
applicaons.
1. Select Policies > Security and click the rule.
2. Select the Acons tab, set the Profile Type to Profiles, and select the URL Filtering
profile you just configured for X-Forwarded-For HTTP Header Logging.
3. Click OK and Commit.
STEP 4 | Use the XFF field in the URL Filtering log to troubleshoot a log event in another log type.
Although only the URL Filtering logs display the IP address of the source user in the X-
Forwarded-For column of the logs, if you noce an event associated with HTTP/HTTPS traffic
but that you cannot idenfy the source IP address because it is that of the proxy server, you
can use the X-Forwarded-For value in a correlated URL Filtering log to help you idenfy the
source address associated with the log event. To do this:
1. Find an event you want invesgate in a Traffic, Threat, or WildFire Submissions logs that
is showing the IP address of the proxy server as the source address.
2. Click the spyglass icon for the log to display its details and look for an associated URL
Filtering log at the boom of the Detailed Log Viewer window.
3. Select the header row and then select X-Forwarded-For from the Columns drop-down
to display this value. The IP address in this column of the X-Forwarded-For column
represents the IP address of the source user behind the proxy server. Use this IP address
to track down the device that triggered the event you are invesgang.
PAN-OS® Administrator’s Guide Version Version 9.1 1485 ©2021 Palo Alto Networks, Inc.
Policy
Policy-Based Forwarding
Normally, the firewall uses the desnaon IP address in a packet to determine the outgoing
interface. The firewall uses the roung table associated with the virtual router to which the
interface is connected to perform the route lookup. Policy-Based Forwarding (PBF) allows you
to override the roung table, and specify the outgoing or egress interface based on specific
parameters such as source or desnaon IP address, or type of traffic.
• PBF
• Create a Policy-Based Forwarding Rule
• Use Case: PBF for Outbound Access with Dual ISPs
PBF
PBF rules allow traffic to take an alternave path from the next hop specified in the route table,
and are typically used to specify an egress interface for security or performance reasons. Let's
say your company has two links between the corporate office and the branch office: a cheaper
internet link and a more expensive leased line. The leased line is a high-bandwidth, low-latency
link. For enhanced security, you can use PBF to send applicaons that aren’t encrypted traffic,
such as FTP traffic, over the private leased line and all other traffic over the internet link. Or, for
performance, you can choose to route business-crical applicaons over the leased line while
sending all other traffic, such as web browsing, over the cheaper link.
• Egress Path and Symmetric Return
• Path Monitoring for PBF
• Service Versus Applicaons in PBF
To determine the next hop for symmetric returns, the firewall uses an Address Resoluon
Protocol (ARP) table. The maximum number of entries that this ARP table supports is
limited by the firewall model and the value is not user configurable. To determine the limit
for your model, use the CLI command: show pbf return-mac all.
PAN-OS® Administrator’s Guide Version Version 9.1 1486 ©2021 Palo Alto Networks, Inc.
Policy
Behavior of a session If the rule stays enabled when If rule is disabled when the
on a monitoring failure the monitored IP address is monitored IP address is
unreachable unreachable
PAN-OS® Administrator’s Guide Version Version 9.1 1487 ©2021 Palo Alto Networks, Inc.
Policy
same from the inial session (based on the App-ID cache) and apply the PBF rule. Therefore, a
session that is not an exact match and is not the same applicaon, can be forwarded based on the
PBF rule.
Further, applicaons have dependencies and the identy of the applicaon can change as the
firewall receives more packets. Because PBF makes a roung decision at the start of a session,
the firewall cannot enforce a change in applicaon identy. YouTube, for example, starts as web-
browsing but changes to Flash, RTSP, or YouTube based on the different links and videos included
on the page. However with PBF, because the firewall idenfies the applicaon as web-browsing at
the start of the session, the change in applicaon is not recognized thereaer.
You cannot use custom applicaons, applicaon filters, or applicaon groups in PBF rules.
PAN-OS® Administrator’s Guide Version Version 9.1 1488 ©2021 Palo Alto Networks, Inc.
Policy
You can specify the source and desnaon addresses using an IP address, an address
object, or an FQDN.
1. Select Policies > Policy Based Forwarding and Add a PBF policy rule.
2. Give the rule a descripve name (General).
3. Select Source and configure the following:
1. Select the Type (Zone or Interface) to which you will apply the forwarding policy and
specify the relevant zone or interface. If you want to enforce symmetric return, you
must select a source interface.
Only Layer 3 interfaces support PBF; loopback interfaces do not support PBF.
2. (Oponal) Specify the Source Address to which the PBF rule applies. For example, a
specific IP address or subnet IP address from which you want to forward traffic to the
interface or zone specified in this rule.
Click Negate to exclude one or more Source Addresses from the PBF rule.
For example, if your PBF rule directs all traffic from the specified zone to the
internet, Negate allows you to exclude internal IP addresses from the PBF
rule.
The evaluaon order is top down. A packet is matched against the first rule that meets
the defined criteria; aer a match is triggered, subsequent rules are not evaluated.
3. (Oponal) Add and select the Source User or groups of users to whom the policy
applies.
4. Select Desnaon/Applicaon/Service and configure the following:
1. Desnaon Address—By default, the rule applies to Any IP address. Click Negate to
exclude one or more desnaon IP addresses from the PBF rule.
2. Add any Applicaon and Service that you want to control using PBF.
PAN-OS® Administrator’s Guide Version Version 9.1 1489 ©2021 Palo Alto Networks, Inc.
Policy
If you are configuring PBF in a mul-VSYS environment, you must create separate
PBF rules for each virtual system (and create the appropriate Security policy rules to
enable the traffic).
1. Select Forwarding.
2. Set the Acon to take when matching a packet:
• Forward—Directs the packet to the specified Egress Interface.
• Forward to VSYS (On a firewall enabled for mulple virtual systems)—Select the
virtual system to which to forward the packet.
• Discard—Drops the packet.
• No PBF—Excludes packets that match the criteria for source, desnaon, applicaon,
or service defined in the rule. Matching packets use the route table instead of PBF;
the firewall uses the route table to exclude the matched traffic from the redirected
port.
3. To trigger the specified Acon at a daily, weekly, or non-recurring frequency, create and
aach a Schedule.
4. For Next Hop, select one of the following:
• IP Address—Enter an IP address or select an address object of type IP Netmask to
which the firewall forwards matching packets. An IPv4 address object must have a /32
netmask and an IPv6 address object must have a /128 netmask.
• FQDN—Enter an FQDN (or select or create an address object of type FQDN) to which
the firewall forwards matching packets. The FQDN can resolve to an IPv4 address, an
IPv6 address, or both. If the FQDN resolves to both IPv4 and IPv6 addresses, then the
PBF rule has two next hops: one IPv4 address and one IPv6 address. You can use the
same PBF rule for both IPv4 and IPv6 traffic. IPv4 traffic is forwarded to the IPv4 next
hop; IPv6 traffic is forwarded to the IPv6 next hop.
This FQDN must resolve to an IP address that belongs to the same subnet
as the interface you configured for PBF; otherwise, the firewall rejects the
resoluon and the FQDN remains unresolved.
The firewall uses only one IP address (from each IPv4 or IPv6 family type)
from the DNS resoluon of the FQDN. If the DNS resoluon returns more
than one address, the firewall uses the preferred IP address that matches
the IP family type (IPv4 or IPv6) configured for the next hop. The preferred
IP address is the first address the DNS server returns in its inial response.
The firewall retains this address as preferred as long as the address appears in
subsequent responses, regardless of order.
• None—No next hop mean the desnaon IP address of the packet is used as the next
hop. Forwarding fails if the desnaon IP address is not in the same subnet as the
egress interface.
5. (Oponal) Enable monitoring to verify connecvity to a target IP address or to the Next
Hop IP address if no IP address is specified. Select Monitor and aach a monitoring
PAN-OS® Administrator’s Guide Version Version 9.1 1490 ©2021 Palo Alto Networks, Inc.
Policy
Profile (default or custom) that specifies the acon when the monitored address is
unreachable.
• You can Disable this rule if nexthop/monitor ip is unreachable.
• Enter a target IP Address to monitor.
The Egress Interface can have both IPv4 and IPv6 addresses and the Next Hop FQDN
can resolve to both IPv4 and IPv6 addresses. In this case:
1. If the egress interface has both IPv4 and IPv6 addresses and the next hop FQDN
resolves to only one address family type, the firewall monitors the resolved IP address.
If the FQDN resolves to both IPv4 and IPv6 addresses but the egress interface has
only one address family type address, the firewall monitors the resolved next hop
address that matches the address family of the egress interface.
2. If both the egress interface and next hop FQDN have both IPv4 and IPv6 addresses,
the firewall monitors the IPv4 next hop address.
3. If the egress interface has one address family address and the next hop FQDN
resolves to a different address family address, the firewall does not monitor anything.
6. (Required for asymmetric roung environments; otherwise, oponal) Enforce Symmetric
Return and Add one or more IP addresses in the Next Hop Address List. You can add up
to 8 next-hop IP addresses; tunnel and PPoE interfaces are not available as a next-hop IP
address.
Enabling symmetric return ensures that return traffic (such asfrom the Trust zone on the
LAN to the internet) is forwarded out through the same interface through which traffic
ingresses from the internet.
PAN-OS® Administrator’s Guide Version Version 9.1 1491 ©2021 Palo Alto Networks, Inc.
Policy
STEP 1 | Configure the ingress and the egress interfaces on the firewall.
Egress interfaces can be in the same zone.
1. Select Network > Interfaces and then select the interface you want to configure, for
example, Ethernet1/1 and Ethernet1/3.
The interface configuraon on the firewall used in this example is as follows:
• Ethernet 1/1 connected to the primary ISP:
• Zone: TwoISP
• IP Address: 1.1.1.2/30
• Virtual Router: Default
• Ethernet 1/3 connected to the backup ISP:
• Zone: TwoISP
• IP Address: 2.2.2.2/30
• Virtual Router: Default
• Ethernet 1/2 is the ingress interface, used by the network clients to connect to the
internet:
• Zone: Corporate
• IP Address: 192.168. 54.1/24
• Virtual Router: Default
2. To save the interface configuraon, click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1492 ©2021 Palo Alto Networks, Inc.
Policy
STEP 2 | On the virtual router, add a stac route to the backup ISP.
1. Select Network > Virtual Router and then select the default link to open the Virtual
Router dialog.
2. Select the Stac Routes tab and click Add. Enter a Name for the route and specify the
Desnaon IP address for which you are defining the stac route. In this example, we
use 0.0.0.0/0 for all traffic.
3. Select the IP Address radio buon and set the Next Hop IP address for your router that
connects to the backup internet gateway (you cannot use a domain name for the next
hop). In this example, 2.2.2.1.
4. Specify a cost metric for the route. In this example, we use 10.
PAN-OS® Administrator’s Guide Version Version 9.1 1493 ©2021 Palo Alto Networks, Inc.
Policy
STEP 3 | Create a PBF rule that directs traffic to the interface that is connected to the primary ISP.
Make sure to exclude traffic desned to internal servers/IP addresses from PBF. Define a
negate rule so that traffic desned to internal IP addresses is not routed through the egress
interface defined in the PBF rule.
1. Select Policies > Policy Based Forwarding and click Add.
2. Give the rule a descripve Name in the General tab.
3. In the Source tab, set the Source Zone to Corporate.
4. In the Desnaon/Applicaon/Service tab, set the following:
1. In the Desnaon Address secon, Add the IP addresses or address range for servers
on the internal network or create an address object for your internal servers. Select
Negate to exclude the IP addresses or address object listed above from using this rule.
2. In the Service secon, Add the service-hp and service-hps services to allow HTTP
and HTTPS traffic to use the default ports. For all other traffic that is allowed by
security policy, the default route will be used.
3. Enable Monitor and aach the default monitoring profile to trigger a failover to the
backup ISP. In this example, we do not specify a target IP address to monitor. The firewall
PAN-OS® Administrator’s Guide Version Version 9.1 1494 ©2021 Palo Alto Networks, Inc.
Policy
will monitor the next hop IP address; if this IP address is unreachable, the firewall will
direct traffic to the default route specified on the virtual router.
4. (Required if you have asymmetric routes) Select Enforce Symmetric Return to ensure
that return traffic from the Corporate zone to the internet is forwarded out on the same
interface through which traffic ingressed from the internet.
5. NAT ensures that the traffic from the internet is returned to the correct interface/IP
address on the firewall.
6. Click OK to save the changes.
PAN-OS® Administrator’s Guide Version Version 9.1 1495 ©2021 Palo Alto Networks, Inc.
Policy
STEP 5 | Create NAT rules based on the egress interface and ISP. These rules ensure that the correct
source IP address is used for outbound connecons.
1. Select Policies > NAT and click Add.
2. In this example, the NAT rule we create for each ISP is as follows:
NAT for Primary ISP
In the Original Packet tab,
Source Zone: Corporate
Desnaon Zone: TwoISP
In the Translated Packet tab, under Source Address Translaon
Translaon Type: Dynamic IP and Port
Address Type: Interface Address
Interface: ethernet1/1
IP Address: 1.1.1.2/30
NAT for Backup ISP
In the Original Packet tab,
Source Zone: Corporate
Desnaon Zone: TwoISP
In the Translated Packet tab, under Source Address Translaon
Translaon Type: Dynamic IP and Port
Address Type: Interface Address
Interface: ethernet1/2
IP Address: 2.2.2.2/30
PAN-OS® Administrator’s Guide Version Version 9.1 1496 ©2021 Palo Alto Networks, Inc.
Policy
STEP 8 | Verify that the PBF rule is acve and that the primary ISP is used for internet access.
1. Launch a web browser and access a web server. On the firewall, check the traffic log for
web-browsing acvity.
2. From a client on the network, use the ping ulity to verify connecvity to a web server
on the internet, and check the traffic log on the firewall.
C:\Users\pm-user1>ping 198.51.100.6
Pinging 198.51.100.6 with 32 bytes of data:
Reply from 198.51.100.6: bytes=32 time=34ms TTL=117
Reply from 198.51.100.6: bytes=32 time=13ms TTL=117
Reply from 198.51.100.6: bytes=32 time=25ms TTL=117
Reply from 198.51.100.6: bytes=32 time=3ms TTL=117
Ping statistics for 198.51.100.6:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 3ms, Maximum = 34ms, Average = 18ms
3. To confirm that the PBF rule is acve, use the following CLI command:
PAN-OS® Administrator’s Guide Version Version 9.1 1497 ©2021 Palo Alto Networks, Inc.
Policy
STEP 9 | Verify that the failover to the backup ISP occurs and that the Source NAT is correctly applied.
1. Unplug the connecon to the primary ISP.
2. Confirm that the PBF rule is inacve with the following CLI command:
3. Access a web server, and check the traffic log to verify that traffic is being forwarded
through the backup ISP.
4. View the session details to confirm that the NAT rule is working properly.
5. Obtain the session idenficaon number from the output and view the session details.
The PBF rule is not used and hence is not listed in the output.
PAN-OS® Administrator’s Guide Version Version 9.1 1498 ©2021 Palo Alto Networks, Inc.
Policy
src user:
unknown
dst user:
unknown
start time : Wed Nov5 11:16:10 2014
timeout : 1800 sec
time to live : 1757 sec
total byte count(c2s) : 1918
total byte count(s2c) : 4333
layer7 packet count(c2s) : 10
layer7 packet count(s2c) : 7
vsys : vsys1
application : ssl
rule : Corp2ISP
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
address/port translation : source
nat-rule : NAT-Backup ISP(vsys1)
layer7 processing : enabled
URL filtering enabled : True
URL category : search-engines
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/2
egress interface : ethernet1/3
session QoS rule : N/A (class 4)
PAN-OS® Administrator’s Guide Version Version 9.1 1499 ©2021 Palo Alto Networks, Inc.
Policy
STEP 2 | Select Device > Troubleshoong to perform a policy match or connecvity test.
STEP 3 | Enter the required informaon to perform the policy match test. In this example, we run a
NAT policy match test.
1. Select Test—Select NAT Policy Match.
2. From—Select the zone traffic is originang from.
3. To—Select the target zone of the traffic.
4. Source—Enter the IP address from which traffic originated.
5. Desnaon—Enter the IP address of the target device for the traffic.
6. Desnaon Port—Enter the port used for the traffic. This port varies depending on the
IP protocol used in the following step.
7. Protocol—Enter the IP protocol used for the traffic.
8. If necessary, enter any addional informaon relevant for your NAT policy rule tesng.
STEP 5 | Review the NAT Policy Match Result to see the policy rules that match the test criteria.
PAN-OS® Administrator’s Guide Version Version 9.1 1500 ©2021 Palo Alto Networks, Inc.
Virtual Systems
This topic describes virtual systems, their benefits, typical use cases, and how to
configure them. It also provides links to other topics where virtual systems are
documented as they funcon with other features.
1501
Virtual Systems
A virtual system consists of a set of physical and logical interfaces and subinterfaces (including
VLANs and virtual wires), virtual routers, and security zones. You choose the deployment mode(s)
(any combinaon of virtual wire, Layer 2, or Layer 3) of each virtual system. By using virtual
systems, you can segment any of the following:
• Administrave access
PAN-OS® Administrator’s Guide Version Version 9.1 1502 ©2021 Palo Alto Networks, Inc.
Virtual Systems
• The management of all policies (Security, NAT, QoS, Policy-based Forwarding, Decrypon,
Applicaon Override, Tunnel Inspecon, Authencaon, and DoS protecon)
• All objects (such as address objects, applicaon groups and filters, external dynamic lists,
security profiles, decrypon profiles, custom objects, etc.)
• User-ID
• Cerficate management
• Server profiles
• Logging, reporng, and visibility funcons
Virtual systems affect the security funcons of the firewall, but virtual systems alone do not affect
networking funcons such as stac and dynamic roung. You can segment roung for each virtual
system by creang one or more virtual routers for each virtual system, as in the following use
cases:
• If you have virtual systems for departments of one organizaon, and the network traffic for
all of the departments is within a common network, you can create a single virtual router for
mulple virtual systems.
• If you want roung segmentaon and each virtual system’s traffic must be isolated from other
virtual systems, you can create one or more virtual routers for each virtual system.
• If you want to segment the user mappings so that not all mappings are shared across virtual
systems, you can configure the User-ID sources on a virtual system that is not a User-ID hub.
See Share User-ID Mappings Across Virtual Systems.
PAN-OS® Administrator’s Guide Version Version 9.1 1503 ©2021 Palo Alto Networks, Inc.
Virtual Systems
disabled easily. The firewall’s role-based administraon allows the ISP or MSSP to control each
customer’s access to funconality (such as logging and reporng) while hiding or offering read-
only capabilies for other funcons.
Another common use case is within a large enterprise that requires different firewall instances
because of different technical or confidenality requirements among mulple departments.
Like the above case, different groups can have different levels of access while IT manages the
firewall itself. Services can be tracked and/or billed back to departments to thereby make separate
financial accountability possible within an organizaon.
The default is vsys1. You cannot delete vsys1 because it is relevant to the internal
hierarchy on the firewall; vsys1 appears even on firewall models that don’t support
mulple virtual systems.
You can limit the resource allocaons for sessions, rules and VPN tunnels allowed for a virtual
system, and thereby control firewall resources. Each resource seng displays the valid range of
values, which varies per firewall model. The default seng is 0, which means the limit for the
virtual system is the limit for the firewall model. However, the limit for a specific seng isn’t
replicated for each virtual system. For example, if a firewall has four virtual systems, each virtual
system can’t have the total number of Decrypon Rules allowed per firewall. Aer the total
number of Decrypon Rules for all of the virtual systems reaches the firewall limit, you cannot add
more.
PAN-OS® Administrator’s Guide Version Version 9.1 1504 ©2021 Palo Alto Networks, Inc.
Virtual Systems
A virtual system administrator can view logs of only the virtual systems assigned to that
administrator. A Superuser or Device administrator can view all of the logs, select a virtual system
to view, or configure a virtual system as a User-ID hub.
PAN-OS® Administrator’s Guide Version Version 9.1 1505 ©2021 Palo Alto Networks, Inc.
Virtual Systems
PAN-OS® Administrator’s Guide Version Version 9.1 1506 ©2021 Palo Alto Networks, Inc.
Virtual Systems
External Zone
The communicaon desired in the use case above is achieved by configuring security policies that
point to or from an external zone. An external zone is a security object that is associated with a
specific virtual system that it can reach; the zone is external to the virtual system. A virtual system
can have only one external zone, regardless of how many security zones the virtual system has
within it. External zones are required to allow traffic between zones in different virtual systems,
without the traffic leaving the firewall.
The virtual system administrator configures the security policies needed to allow traffic between
two virtual systems. Unlike security zones, an external zone is not associated with an interface;
it is associated with a virtual system. The security policy allows or denies traffic between the
security (internal) zone and the external zone.
Because external zones do not have interfaces or IP addresses associated with them, some zone
protecon profiles are not supported on external zones.
Remember that each virtual system is a separate instance of a firewall, which means that each
packet moving between virtual systems is inspected for security policy and App-ID evaluaon.
PAN-OS® Administrator’s Guide Version Version 9.1 1507 ©2021 Palo Alto Networks, Inc.
Virtual Systems
To create external zones, the firewall administrator must configure the virtual systems so that they
are visible to each other. External zones do not have security policies between them because their
virtual systems are visible to each other.
To communicate between virtual systems, the ingress and egress interfaces on the firewall are
either assigned to a single virtual router or else they are connected using inter-virtual router
stac routes. The simpler of these two approaches is to assign all virtual systems that must
communicate with each other to a single virtual router.
There might be a reason that the virtual systems need to have their own virtual router, for
example, if the virtual systems use overlapping IP address ranges. Traffic can be routed between
the virtual systems, but each virtual router must have stac routes that point to the other virtual
router(s) as the next hop.
Referring to the scenario in the figure above, we have an enterprise with two administrave
groups: departmentA and departmentB. The departmentA group manages the local network and
the DMZ resources. The departmentB group manages traffic in and out of the sales segment
of the network. All traffic is on a local network, so a single virtual router is used. There are two
external zones configured for communicaon between the two virtual systems. The departmentA
virtual system has three zones used in security policies: deptA-DMZ, deptA-trust, and deptA-
External. The departmentB virtual system also has three zones: deptB-DMZ, deptB-trust, and
deptB-External. Both groups can control the traffic passing through their virtual systems.
In order to allow traffic from deptA-trust to deptB-trust, two security policies are required. In the
following figure, the two vercal arrows indicate where the security policies (described below the
figure) are controlling traffic.
• Security Policy 1: In the preceding figure, traffic is desned for the deptB-trust zone. Traffic
leaves the deptA-trust zone and goes to the deptA-External zone. A security policy must allow
traffic from the source zone (deptA-trust) to the desnaon zone (deptA-External). A virtual
system allows any policy type to be used for this traffic, including NAT.
No policy is needed between external zones because traffic sent to an external zone appears
in and has automac access to the other external zones that are visible to the original external
zone.
• Security Policy 2: In the preceding figure, the traffic from deptB-External is sll desned to the
deptB-trust zone, and a security policy must be configured to allow it. The policy must allow
traffic from the source zone (deptB-External) to the desnaon zone (deptB-trust).
The departmentB virtual system could be configured to block traffic from the departmentA virtual
system, and vice versa. Like traffic from any other zone, traffic from external zones must be
explicitly allowed by policy to reach other zones in a virtual system.
PAN-OS® Administrator’s Guide Version Version 9.1 1508 ©2021 Palo Alto Networks, Inc.
Virtual Systems
In addion to external zones being required for inter-virtual system traffic that does not
leave the firewall, external zones are also required if you configure a Shared Gateway, in
which case the traffic is intended to leave the firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 1509 ©2021 Palo Alto Networks, Inc.
Virtual Systems
Shared Gateway
This topic includes the following informaon about shared gateways:
• External Zones and Shared Gateway
• Networking Consideraons for a Shared Gateway
The shared gateway has one globally-routable IP address used to communicate with the outside
world. Interfaces in the virtual systems have IP addresses too, but they can be private, non-
routable IP addresses.
PAN-OS® Administrator’s Guide Version Version 9.1 1510 ©2021 Palo Alto Networks, Inc.
Virtual Systems
You will recall that an administrator must specify whether a virtual system is visible to other virtual
systems. Unlike a virtual system, a shared gateway is always visible to all of the virtual systems on
the firewall.
A shared gateway ID number appears as sg<ID> on the web interface. It is recommended that you
name your shared gateway with a name that includes its ID number.
When you add objects such as zones or interfaces to a shared gateway, the shared gateway
appears as an available virtual system in the vsys menu.
A shared gateway is a limited version of a virtual system; it supports NAT and policy-based
forwarding (PBF), but does not support Security, DoS policies, QoS, Decrypon, Applicaon
Override, or Authencaon policies.
PAN-OS® Administrator’s Guide Version Version 9.1 1511 ©2021 Palo Alto Networks, Inc.
Virtual Systems
The default is vsys1. You cannot delete vsys1 because it is relevant to the
internal hierarchy on the firewall; vsys1 appears even on firewall models that
don’t support mulple virtual systems.
2. Select Allow forwarding of decrypted content if you want to allow the firewall to
forward decrypted content to an outside service. For example, you must enable this
opon for the firewall to be able to send decrypted content to WildFire for analysis.
3. Enter a descripve Name for the virtual system. A maximum of 31 alphanumeric, space,
and underscore characters is allowed.
PAN-OS® Administrator’s Guide Version Version 9.1 1512 ©2021 Palo Alto Networks, Inc.
Virtual Systems
STEP 4 | (Oponal) Limit the resource allocaons for sessions, rules, and VPN tunnels allowed for the
virtual system. The flexibility of being able to allocate limits per virtual system allows you to
effecvely control firewall resources.
1. On the Resource tab, oponally set limits for a virtual system. Each field displays the
valid range of values, which varies per firewall model. The default seng is 0, which
means the limit for the virtual system is the limit for the firewall model. However, the
limit for a specific seng isn’t replicated for each virtual system. For example, if a firewall
has four virtual systems, each virtual system can’t have the total number of Decrypon
PAN-OS® Administrator’s Guide Version Version 9.1 1513 ©2021 Palo Alto Networks, Inc.
Virtual Systems
Rules allowed per firewall. Aer the total number of Decrypon Rules for all of the
virtual systems reaches the firewall limit, you cannot add more.
• Sessions Limit
If you use the show session meter CLI command, it displays the Maximum
number of sessions allowed per dataplane, the Current number of sessions
being used by the virtual system, and the Throled number of sessions per
virtual system. On a PA-5200 or PA-7000 Series firewall, the Current number
of sessions being used can be greater than the Maximum configured for
Sessions Limit because there are mulple dataplanes per virtual system. The
Sessions Limit you configure on a PA-5200 Series or PA-7000 Series firewall
is per dataplane, and will result in a higher maximum per virtual system.
• Security Rules
• NAT Rules
• Decrypon Rules
• QoS Rules
• Applicaon Override Rules
• Policy Based Forwarding Rules
• Authencaon Rules
• DoS Protecon Rules
• Site to Site VPN Tunnels
• Concurrent SSL VPN Tunnels
2. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1514 ©2021 Palo Alto Networks, Inc.
Virtual Systems
STEP 5 | (Oponal) Configure a virtual system as a User-ID hub to Share User-ID Mappings Across
Virtual Systems.
1. For any exisng virtual systems, transfer the configuraon for the User-ID sources you
want to share (such as monitored servers and User-ID agents) to the virtual system you
will use as a hub.
2. On the Resource tab, select Make this vsys a User-ID data hub.
PAN-OS® Administrator’s Guide Version Version 9.1 1515 ©2021 Palo Alto Networks, Inc.
Virtual Systems
Select the New User-ID hub from the list, or select none to disable the User-ID hub and
stop sharing mappings across virtual systems.
PAN-OS® Administrator’s Guide Version Version 9.1 1516 ©2021 Palo Alto Networks, Inc.
Virtual Systems
STEP 7 | Create at least one virtual router for the virtual system in order to make the virtual system
capable of networking funcons, such as stac and dynamic roung.
Alternavely, your virtual system might use a VLAN or a virtual wire, depending on your
deployment.
1. Select Network > Virtual Routers and Add a virtual router by Name.
2. For Interfaces, click Add and select the interfaces that belong to the virtual router.
3. Click OK.
STEP 8 | Configure a security zone for each interface in the virtual system.
For at least one interface, create a Layer 3 security zone. See Configure Interfaces and Zones.
STEP 9 | Configure the security policy rules that allow or deny traffic to and from the zones in the
virtual system.
See Create a Security Policy Rule.
Aer creang a virtual system, you can use the CLI to commit a configuraon for only a
specific virtual system:
STEP 11 | (Oponal) View the security policies configured for a virtual system.
Open an SSH session to use the CLI. To view the security policies for a virtual system, in
operaonal mode, use the following commands:
set system setting target-vsys <vsys-id>
show running security-policy
PAN-OS® Administrator’s Guide Version Version 9.1 1517 ©2021 Palo Alto Networks, Inc.
Virtual Systems
STEP 2 | Configure the Security policy rules to allow or deny traffic from the internal zones to the
external zone of the virtual system, and vice versa.
• See Create a Security Policy Rule.
• See Inter-VSYS Traffic That Remains Within the Firewall.
PAN-OS® Administrator’s Guide Version Version 9.1 1518 ©2021 Palo Alto Networks, Inc.
Virtual Systems
When adding objects such as zones or interfaces to a shared gateway, the shared
gateway itself will be listed as an available vsys in the VSYS menu.
PAN-OS® Administrator’s Guide Version Version 9.1 1519 ©2021 Palo Alto Networks, Inc.
Virtual Systems
You can select a virtual router for a service route in a virtual system; you cannot select
the egress interface. Aer you select the virtual router and the firewall sends the packet
from the virtual router, the firewall selects the egress interface based on the desnaon
IP address. Therefore, if a virtual system has mulple virtual routers, packets to all of the
servers for a service must egress out of only one virtual router. A packet with an interface
source address may egress a different interface, but the return traffic would be on the
interface that has the source IP address, creang asymmetric traffic.
PAN-OS® Administrator’s Guide Version Version 9.1 1520 ©2021 Palo Alto Networks, Inc.
Virtual Systems
The firewall supports syslog forwarding on a virtual system basis. When mulple virtual
systems on a firewall are connecng to a syslog server using SSL transport, the firewall can
generate only one cerficate for secure communicaon. The firewall does not support each
virtual system having its own cerficate.
To easily use the same source address for mulple services, select the checkbox
for the services, click Set Selected Routes, and connue.
• To limit the list for Source Address, select a Source Interface, then select a Source
Address (from that interface) as the service route. Selecng Any Source Interface
makes all IP addresses on all interfaces for the virtual system available in the Source
Address list from which you select an address. You can select Inherit Global Seng.
• Source Address will indicate Inherited if you selected Inherit Global Seng for the
Source Interface or it will indicate the source address you selected. If you selected
Any for Source Interface, select an IP address or enter an IP address (using the IPv4 or
IPv6 format that matches the tab you chose) to specify the source address that will be
used in packets sent to the external service.
• If you modify an address object and the IP family type (IPv4/IPv6) changes, a Commit
is required to update the service route family to use.
5. Click OK.
6. Repeat the prior steps to configure source addresses for other external services.
7. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1521 ©2021 Palo Alto Networks, Inc.
Virtual Systems
In other Palo Alto Networks models, the dataplane sends logging service route traffic to the
management plane, which sends the traffic to logging servers. In a PA-7000 Series firewall, the
LPC or LFC have only one interface, and dataplanes for mulple virtual systems send logging
server traffic (types menoned above) to the PA-7000 Series firewall logging card. The logging
card is configured with mulple subinterfaces, over which the plaorm sends the logging service
traffic out to a customer’s switch, which can be connected to mulple logging servers.
Each subinterface can be configured with a subinterface name and a doed subinterface number.
The subinterface is assigned to a virtual system, which is configured for logging services. The other
service routes on a PA-7000 Series firewall funcon similarly to service routes on other Palo Alto
Networks plaorms. For informaon about the LPC or LFC, see the PA-7000 Series Hardware
Reference Guide.
• Configure a PA-7000 Series LPC for Logging per Virtual System
• Configure a PA-7000 Series LFC for Logging per Virtual System
PAN-OS® Administrator’s Guide Version Version 9.1 1522 ©2021 Palo Alto Networks, Inc.
Virtual Systems
STEP 2 | Add a subinterface for each tenant on the LPCs physical interface.
1. Highlight the Ethernet interface that is a Log Card interface type and click Add
Subinterface.
2. For Interface Name, aer the period, enter the subinterface assigned to the tenant’s
virtual system.
3. For Tag, enter a VLAN tag value.
Make the tag the same as the subinterface number for ease of use, but it could
be a different number.
4. (Oponal) Enter a Comment.
5. On the Config tab, in the Assign Interface to Virtual System field, select the virtual
system to which the LPC subinterface is assigned. Alternavely, you can click Virtual
Systems to add a new virtual system.
6. Click OK.
STEP 3 | Enter the addresses assigned to the subinterface, and configure the default gateway.
1. Select the Log Card Forwarding tab, and do one or both of the following:
• For the IPv4 secon, enter the IP Address and Netmask assigned to the subinterface.
Enter the Default Gateway (the next hop where packets will be sent that have no
known next hop address in the Roung Informaon Base [RIB]).
• For the IPv6 secon, enter the IPv6 Address assigned to the subinterface. Enter the
IPv6 Default Gateway.
2. Click OK.
STEP 5 | If you haven’t already done so, configure the remaining service routes for the virtual system.
Customize Service Routes for a Virtual System.
You can choose to configure only the physical interface. Because syslog forwarding via
subinterfaces is not yet supported on LFCs, each virtual system uses the single untagged
physical interface.
If you configure an LFC subinterface to forward logs externally, the interfaces will no longer
work as expected.
PAN-OS® Administrator’s Guide Version Version 9.1 1523 ©2021 Palo Alto Networks, Inc.
Virtual Systems
For a PA-7000 Series firewall managed by a Panorama management server, you cannot
override or revert the LFC configuraon locally on the firewall if the LFC configuraon is
pushed from Panorama. To override the LFC configuraon pushed from Panorama, you
must log in to the firewall CLI and delete the Panorama pushed configuraon.
admin> configure
admin# commit
PAN-OS® Administrator’s Guide Version Version 9.1 1524 ©2021 Palo Alto Networks, Inc.
Virtual Systems
Services > Virtual Systems tab. If the Role was specified as Virtual System in the
prior step, Services is the only seng that can be enabled under Device > Setup.
• Content-ID—Allows an admin with this profile to configure sengs on the
Content-ID tab.
• WildFire—Allows an admin with this profile to configure sengs on the WildFire
tab.
• Session—Allows an admin with this profile to configure sengs on the Session tab.
• HSM—Allows an admin with this profile to configure sengs on the HSM tab.
5. Click OK.
6. (Oponal) Repeat the enre step to create another Admin Role profile with different
permissions, as necessary.
PAN-OS® Administrator’s Guide Version Version 9.1 1525 ©2021 Palo Alto Networks, Inc.
Virtual Systems
PAN-OS® Administrator’s Guide Version Version 9.1 1526 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
Segmenng the network into funconal and organizaonal zones reduces the
network’s aack surface—the poron of the network exposed to potenal aackers.
Zone protecon defends network zones against flood aacks, reconnaissance
aempts, packet-based aacks, and aacks that use non-IP protocols. Tailor a Zone
Protecon profile to protect each zone (you can apply the same profile to similar
zones). Denial-of-service (DoS) protecon defends specific crical systems against
flood aacks, especially devices that user access from the internet such as web
servers and database servers, and protects resources from session floods. Tailor DoS
Protecon profiles and policy rules to protect each set of crical devices. Visit the
Best Pracces documentaon portal to get a checklist of Zone Protecon and DoS
Protecon best pracces.
Check and monitor firewall dataplane CPU consumpon to ensure that each firewall is properly
sized to support DoS and Zone Protecon along with any other features that consume CPU cycles,
such as decrypon. If you use Panorama to manage your firewalls, use Device Monitor (Panorama >
Managed Devices > Health) to check and monitor the CPU consumpon of all managed firewalls at
one me.
1527
Zone Protecon and DoS Protecon
PAN-OS® Administrator’s Guide Version Version 9.1 1528 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
Tunnel zones are for non-encrypted tunnels. You can apply different security policy rules
to the tunnel content and to the zone of the outer tunnel, as described in the Tunnel
Content Inspecon Overview.
PAN-OS® Administrator’s Guide Version Version 9.1 1529 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
Zone Defense
Zone Protecon profiles defend zones against flood, reconnaissance, packet-based, and non-
IP-protocol-based aacks. DoS Protecon profiles used in DoS Protecon policy rules defend
specific, crical devices against targeted flood and resource-based aacks. A DoS aack overloads
the network or targeted crical systems with large amounts of unwanted traffic an aempt to
disrupt network services.
Plan to defend your network against different types of DoS aacks:
• Applicaon-Based Aacks—Target weaknesses in a parcular applicaon and try to exhaust its
resources so legimate users can’t use it. An example of this is the Slowloris aack.
• Protocol-Based Aacks—Also known as state-exhauson aacks, these aacks target protocol
weaknesses. A common example is a SYN flood aack.
• Volumetric Aacks—High-volume aacks that aempt to overwhelm the available network
resources, especially bandwidth, and bring down the target to prevent legimate users from
accessing those resources. An example of this is a UDP flood aack.
There are no default Zone Protecon profiles or DoS Protecon profiles and DoS Protecon
policy rules. Configure and apply zone protecon based on each zone’s traffic characteriscs and
configure DoS protecon based on the individual crical systems you want to protect in each
zone.
• Zone Defense Tools
• How Do the Zone Defense Tools Work?
• Firewall Placement for DoS Protecon
• Zone Protecon Profiles
• Packet Buffer Protecon
• DoS Protecon Profiles and Policy Rules
PAN-OS® Administrator’s Guide Version Version 9.1 1530 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
zone. Zone Protecon profiles don’t take individual devices (IP addresses) into account because
the profiles apply to the aggregate traffic entering the zone.
Zone protecon profiles defend the network as a session is formed, before the firewall
performs DoS Protecon policy and Security policy rule lookups, and consume fewer CPU
cycles than a DoS Protecon policy or Security policy rule lookup. If a Zone Protecon profile
denies traffic, the firewall doesn’t spend CPU cycles on policy rule lookups.
Apply Zone Protecon profiles to every zone, both internet-facing and internal.
• DoS Protecon profiles and policy rules defend specific individual endpoints and resources
against flood aacks, especially high-value targets that users access from the internet. While
a Zone Protecon profile defends the zone from flood aacks, a DoS Protecon policy rule
with an appropriate DoS Protecon profile defends crical individual systems in a zone from
targeted flood aacks, providing a granular third layer of defense against DoS aacks.
Because the intent of DoS protecon is to defend crical devices and because it
consumes resources, DoS protecon defends only the devices you specify in a DoS
Protecon policy rule. No other devices are protected.
DoS Protecon profiles set flood protecon thresholds (new CPS limits) for individual devices
or groups of devices, resource protecon thresholds (session limits for specified endpoints and
resources), and whether the profile applies to aggregate or classified traffic. DoS Protecon
policy rules specify match criteria (source, desnaon, service ports), the acon to take when
traffic matches the rule, and the aggregate and classified DoS Protecon profiles associated
with each rule.
Aggregate DoS Protecon policy rules apply the CPS thresholds defined in an aggregate DoS
Protecon profile to the combined traffic of all the devices that meet the DoS Protecon
policy rule match criteria. For example, if you configure the aggregate DoS Protecon profile
to limit the CPS rate to 20,000, the 20,000 CPS limit applies to the aggregate number of
connecons for the enre group. In this case, one device could receive the majority of the
allowed connecons.
Classified DoS Protecon policy rules apply the CPS thresholds defined in a classified DoS
Protecon profile to each individual device that matches the policy rule. For example, if you
configure the classified DoS Protecon profile to limit the CPS rate to 4,000, then no device in
the group can accept more than 4,000 CPS. A DoS Protecon policy can have one aggregate
profile and one classified profile.
Classified profiles can classify connecons by source IP, desnaon IP, or both. For
internet-facing zones, classify by desnaon IP only because the firewall can’t scale to
hold the internet roung table.
Apply DoS Protecon only to crical devices, especially popular aack targets that users access
from the internet, such as web servers and database servers.
• For exisng sessions, Packet Buffer Protecon protects the firewall (and therefore the zone)
against single-session DoS aacks that aempt to overwhelm the firewall’s packet buffer, using
thresholds and mers to migate abusive sessions. You configure Packet Buffer Protecon
sengs globally and apply them per zone.
• Security Policy rules affect both the ingress and egress flows of a session. To establish a
session, incoming traffic must match an exisng Security policy rule. If there is no match, the
PAN-OS® Administrator’s Guide Version Version 9.1 1531 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
firewall discards the packet. A Security policy allows or denies traffic between zones (interzone)
and within zones (intrazone) using criteria including zones, IP addresses, users, applicaons,
services, and URL categories.
Apply the best pracce Vulnerability Protecon profile to each Security policy rule to
help defend against DoS aacks.
The default Security policy rules don’t permit traffic to travel between zones, so you need to
configure a Security policy rule if you want to allow interzone traffic. All intrazone traffic is
allowed by default. You can configure Security policy rules to match and control intrazone,
interzone, or universal (intrazone and interzone) traffic.
Zone Protecon profiles, DoS Protecon profiles and policy rules, and Security policy
rules only affect dataplane traffic on the firewall. Traffic originang on the firewall
management interface does not cross the dataplane, so the firewall does not match
management traffic against these profiles or policy rules.
• You can also search the Palo Alto Networks Threat Vault (requires a valid support account and
login) for threats by hash, CVE, signature ID, domain name, URL, or IP address.
PAN-OS® Administrator’s Guide Version Version 9.1 1532 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
Security policy rule match for the packet, the firewall discards the packet. If the firewall finds a
matching Security policy rule, the firewall applies the rule to the packet. The firewall enforces the
Security policy rule on traffic in both direcons (c2s and s2c) for the life of the session. Apply the
best pracce Vulnerability Protecon profile to all Security policy rules to help defend against DoS
aacks.
The fourth protecon the firewall applies is packet buffer protecon, which you apply globally
to protect the device and can also apply individually to zones to prevent single-session DoS
aacks that aempt to overwhelm the firewall’s packet buffer. For global protecon, the firewall
used Random Early Drop (RED) to drop packets (not sessions) when the level of traffic crosses
protecon thresholds. For per-zone protecon, the firewall blocks the source IP address if it
violates the packet buffer thresholds. Unlike zone and DoS protecon, packet buffer protecon
applies to exisng sessions.
PAN-OS® Administrator’s Guide Version Version 9.1 1533 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
The operaonal CLI command show counter interface displays two mes the
actual CPS value. If you use this command, divide the CPS value by two to derive the
real CPS value.
• For seng appropriate DoS Protecon profile thresholds, work with applicaon teams to
understand the normal and peak CPS to their servers and the maximum CPS those servers can
support.
In addion, you can filter firewall Traffic logs and Threat logs for the desnaon IP addresses of
the crical devices you want to protect to obtain normal and peak session acvity informaon.
• Use third-party tools such as Wireshark or NetFlow to collect and analyze network traffic.
• Use scripts to automate CPS informaon collecon and connuous monitoring, and to mine
informaon from the logs.
• Configure every Security policy rule on the firewall to Log at Session End. If you have no
monitoring tools such as NetFlow or Wireshark, and cannot obtain or develop automated
PAN-OS® Administrator’s Guide Version Version 9.1 1534 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
scripts, Log at Session End captures the number of connecons at the session end. While
this doesn’t provide CPS informaon, it does show you the number of sessions ending in the
selected me duraon and you can make an approximate calculaon of the sessions per second
from that informaon.
To conserve resources, the firewall measures the aggregate CPS at ten-second intervals.
For this reason, measurements you see on the firewall may not catch bursts within the ten-
second interval. Although the average CPS measurements aren’t affected, the peak CPS
measurements may not be precise. For example, if the firewall logs report a 5,000 CPS
average in a ten-second interval, it’s possible that 4,000 CPS came in a one-second burst
and the other 1,000 CPS were spread out over the remaining nine seconds.
To gather historical CPS data over me, if you use an SNMP server, you can use your own
management tools to poll SNMP MIBs. However, it is important to understand that the CPS
measurements in the MIBs show twice the actual CPS value (for example, if the true CPS
measurement is 10,000, the MIBs show 20,000 as the value). You can sll see trends from the
MIBs and you can divide the CPS values by two to derive the true values. The SNMP MIB OIDs
are: PanZoneAcveTcpCps, PanZoneAcveUdpCps, and PanZoneOtherIpCps. Because the firewall
only takes measurements and updates the SNMP server every 10 seconds, poll every 10 seconds.
In addion, create separate log forwarding profiles for flood events so the appropriate
administrator receives emails that contain only flood (potenal DoS aack) events. Set Log
Forwarding for both zone protecon and DoS protecon threshold events.
Aer you implement zone and DoS protecon, use these methods to monitor the
deployment, so as your network evolves and traffic paerns change, you adjust flood
protecon thresholds.
In addion to configuring zone protecon and DoS protecon, apply the best pracce
Vulnerability Protecon profile to each Security policy rule to help defend against DoS
aacks.
• Flood Protecon
• Reconnaissance Protecon
• Packet-Based Aack Protecon
• Protocol Protecon
Flood Protecon
A Zone Protecon profile with flood protecon configured defends an enre ingress zone against
SYN, ICMP, ICMPv6, UDP, and other IP flood aacks. The firewall measures the aggregate amount
of each flood type entering the zone in new connecons-per-second (CPS) and compares the
totals to the thresholds you configure in the Zone Protecon profile. (You protect crical individual
devices within a zone with DoS Protecon profiles and policy rules.)
PAN-OS® Administrator’s Guide Version Version 9.1 1535 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
Measure and monitor firewall dataplane CPU consumpon to ensure that each firewall is
properly sized to support DoS and Zone Protecon and any other features that consume
CPU cycles, such as decrypon. If you use Panorama to manage your firewalls, Device
Monitoring (Panorama > Managed Devices > Health > All Devices) shows you the CPU
and memory consumpon of each managed firewall. It can also show you a 90-day trend
line of CPU average and peak use to help you understand the typical available capacity of
each firewall.
For each flood type, you set three thresholds for new CPS entering the zone, and you can set a
drop Acon for SYN floods. If you know the baseline CPS rates for the zone, use these guidelines
to set the inial thresholds, and then monitor and adjust the thresholds as necessary.
• Alarm Rate—The new CPS threshold to trigger an alarm. Target seng the Alarm Rate to
15-20% above the average CPS rate for the zone so that normal fluctuaons don’t cause alerts.
• Acvate—The new CPS threshold to acvate the flood protecon mechanism and begin
dropping new connecons. For ICMP, ICMPv6, UDP, and other IP floods, the protecon
mechanism is Random Early Drop (RED, also known as Random Early Detecon). For SYN
floods only, you can set the drop Acon to SYN Cookies or RED. Target seng the Acvate
rate to just above the peak CPS rate for the zone to begin migang potenal floods.
• Maximum—The number of connecons-per-second to drop incoming packets when RED is the
protecon mechanism. Target seng the Maximum rate to approximately 80-90% of firewall
capacity, taking into account other features that consume firewall resources.
If you don’t know the baseline CPS rates for the zone, start by seng the Maximum CPS rate
to approximately 80-90% of firewall capacity and use it to derive reasonable flood migaon
alarm and acvaon rates. Set the Alarm Rate and Acvate rate based on the Maximum rate.
For example, you could set the Alarm Rate to half the Maximum rate and adjust it depending on
how many alarms you receive and the firewall resources being consumed. Be careful seng the
Acvate Rate since it begins to drop connecons. Because normal traffic loads experience some
fluctuaon, it’s best not to drop connecons too aggressively. Err on the high side and adjust the
rate if firewall resources are impacted.
SYN Flood Protecon is the only type for which you set the drop Acon. Start by seng
the Acon to SYN Cookies. SYN Cookies treats legimate traffic fairly and only drops
traffic that fails the SYN handshake, while using Random Early Drop drops traffic
randomly, so RED may affect legimate traffic. However, SYN Cookies is more resource-
intensive because the firewall acts as a proxy for the target server and handles the
three-way handshake for the server. The tradeoff is not dropping legimate traffic (SYN
Cookies) versus preserving firewall resources (RED). Monitor the firewall, and if SYN
Cookies consumes too many resources, switch to RED. If you don’t have a dedicated DDoS
prevenon device in front of the firewall, always use RED as the drop mechanism.
When SYN Cookies is acvated, the firewall does not honor the TCP opons that the
server sends because it does not know these values at the me that it proxies the SYN/
ACK. Therefore, values such as the TCP server’s window size and MSS values cannot be
negoated during the TCP handshake and the firewall will use its own default values. In
the scenario where the MSS of the path to the server is smaller than the firewall’s default
MSS value, the packet will need to be fragmented.
The default threshold values are high so that acvang a Zone Protecon profile doesn’t
unexpectedly drop legimate traffic. Adjust the thresholds to values appropriate for your
PAN-OS® Administrator’s Guide Version Version 9.1 1536 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
network’s traffic. The best method for understanding how to set reasonable flood thresholds is
to take baseline measurements of average and peak CPS for each flood type to determine the
normal traffic condions for each zone and to understand the capacity of the firewall, including
the impact of other resource-consuming features such as decrypon. Monitor and adjust the flood
thresholds as needed and as your network evolves.
Firewalls with mulple dataplane processors (DPs) distribute connecons across DPs. In
general, the firewall divides the CPS threshold sengs equally across its DPs. For example,
if a firewall has five DPs and you set the Alarm Rate to 20,000 CPS, each DP has an
Alarm Rate of 4,000 CPS (20,000 / 5 = 4,000), so if the new sessions on a DP exceeds
4,000, it triggers the Alarm Rate threshold for that DP.
Reconnaissance Protecon
Similar to the military definion of reconnaissance, the network security definion of
reconnaissance is when aackers aempt to gain informaon about your network’s vulnerabilies
by secretly probing the network to find weaknesses. Reconnaissance acvies are oen preludes
to a network aack. Enable Reconnaissance Protecon on all zones to defend against port scans and
host sweeps:
• Port scans discover open ports on a network. A port scanning tool sends client requests to a
range of port numbers on a host, with the goal of locang an acve port to exploit in an aack.
Zone Protecon profiles defend against TCP and UDP port scans.
• Host sweeps examine mulple hosts to determine if a specific port is open and vulnerable.
You can use reconnaissance tools for legimate purposes such as pen tesng of network security
or the strength of a firewall. You can specify up to 20 IP addresses or netmask address objects
to exclude from Reconnaissance Protecon so that your internal IT department can conduct pen
tests to find and fix network vulnerabilies.
You can set the acon to take when reconnaissance traffic (excluding pen tesng traffic) exceeds
the configured threshold when you Configure Reconnaissance Protecon. Retain the default
Interval and Threshold to log a few packets for analysis before blocking the reconnaissance
operaon.
PAN-OS® Administrator’s Guide Version Version 9.1 1537 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
• TCP Drop—Retain the default TCP SYN with Data and TCP SYNACK with Data drops, drop
Mismatched overlapping TCP segment and Split Handshake packets, and strip the TCP
Timestamp from packets.
Enabling Rematch Sessions (Device > Setup > Session > Session Sengs) is a best
pracce that applies commied newly configured or edited Security Policy rules to
exisng sessions. However, if you configure Tunnel Content Inspecon on a zone
and Rematch Sessions is enabled, you must also disable Reject Non-SYN TCP (change
the selecon from Global to No), or else when you enable or edit a Tunnel Content
Inspecon policy, the firewall drops all exisng tunnel sessions. Create a separate Zone
Protecon profile to disable Reject Non-SYN TCP only on zones that have Tunnel
Content Inspecon policies and only when you enable Rematch Sessions.
• ICMP Drop—There are no standard best pracce sengs because dropping ICMP packets
depends on how you use ICMP (or if you use ICMP). For example, if you want to block ping
acvity, you can block ICMP Ping ID 0.
• IPv6 Drop—If compliance maers, ensure that the firewall drops packets with non-compliant
roung headers, extensions, etc.
• ICMPv6 Drop—If compliance maers, ensure that the firewall drops certain packets if the
packets don’t match a Security policy rule.
Protocol Protecon
In a Zone Protecon profile, Protocol Protecon defends against non-IP protocol based aacks.
Enable Protocol Protecon to block or allow non-IP protocols between security zones on a
Layer 2 VLAN or on a virtual wire, or between interfaces within a single zone on a Layer 2 VLAN
(Layer 3 interfaces and zones drop non-IP protocols so non-IP Protocol Protecon doesn’t apply).
Configure Protocol Protecon to reduce security risks and facilitate regulatory compliance by
prevenng less secure protocols from entering a zone, or an interface in a zone.
If you don’t configure a Zone Protecon profile that prevents non-IP protocols in the
same zone from going from one Layer 2 interface to another, the firewall allows the
traffic because of the default intrazone allow Security policy rule. You can create a Zone
Protecon profile that blocks protocols such as LLDP within a zone to prevent discovery
of networks reachable through other zone interfaces.
If you need to discover which non-IP protocols are running on your network, use monitoring
tools such as NetFlow, Wireshark, or other third-party tools discover non-IP protocols on your
network. Examples of non-IP protocols you can block or allow are LLDP, NetBEUI, Spanning Tree,
and Supervisory Control and Data Acquision (SCADA) systems such as Generic Object Oriented
Substaon Event (GOOSE), among many others.
Create an Exclude List or an Include List to configure Protocol Protecon for a zone. The Exclude
List is a block list—the firewall blocks all of the protocols you place in the Exclude List and allows
all other protocols. The Include List is an allow list—the firewall allows only the protocols you
specify in the list and blocks all other protocols.
Use include lists for Protocol Protecon instead of exclude lists. Include lists specifically
sancon only the protocols you want to allow and block the protocols you don’t need or
didn’t know were on your network, which reduces the aack surface and blocks unknown
traffic.
PAN-OS® Administrator’s Guide Version Version 9.1 1538 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
A list supports up to 64 Ethertype entries, each idenfied by its IEEE hexadecimal Ethertype code.
Other sources of Ethertype codes are standards.ieee.org/develop/regauth/ethertype/eth.txt
and hp://www.cavebear.com/archive/cavebear/Ethernet/type.html. When you configure zone
protecon for non-IP protocols on zones that have Aggregated Ethernet (AE) interfaces, you can’t
block or allow a non-IP protocol on only one AE interface member because AE interface members
are treated as a group.
Protocol Protecon doesn’t allow blocking IPv4 (Ethertype 0x0800), IPv6 (0x86DD), ARP
(0x0806), or VLAN-tagged frames (0x8100). The firewall always implicitly allows these
four Ethertypes in an Include List even if you don’t explicitly list them and doesn’t permit
you to add them to an Exclude List.
If you don’t enable Packet Buffer Protecon globally, it won’t be acve in zones unl
you enable it globally.
Take baseline measurements of firewall packet buffer ulizaon over a period of me—at least one
business week, but a longer measurement period provides a beer baseline—to understand typical
usage. To see packet buffer ulizaon for a specified period of me (or to see the top five sessions
that use as least 2 percent of the packet buffer), use the operaonal CLI command:
The CLI command provides a snapshot of buffer ulizaon for the specified period of me,
but is neither automated nor connuous. To automate connuous packet buffer ulizaon
PAN-OS® Administrator’s Guide Version Version 9.1 1539 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
measurements so you can monitor changes in behavior and anomalous events, use a script. Your
Palo Alto Networks account team can provide a sample script that you can modify to develop
your own script; however, the script is not officially supported and there is no technical support
available for script usage or modificaon.
If baseline measurements consistently show abnormally high packet buffer ulizaon, then
the firewall’s capacity may be undersized for typical traffic loads. In this case, consider resizing
the firewall deployment. Otherwise, you need to tune the Packet Buffer Protecon thresholds
carefully to prevent impacted buffers from overflowing (and to prevent dropping legimate traffic).
When firewall sizing is correct for the deployment, only an aack should cause a large spike in
buffer usage.
Overrunning the firewall packet buffer negavely impacts the firewall’s packet forwarding
capabilies. When the buffers are full, no packets can enter the firewall on any interface,
not just the interface that experienced the aack.
Network Address Translaon (NAT) (an external source that has translated its internet-
bound traffic using source NAT) can give the appearance of greater packet buffer
ulizaon because of IP address translaon acvity. If this occurs, adjust the thresholds in
a way that penalizes individual sessions but doesn’t penalize the underlying IP addresses
(so other sessions from the same IP address aren’t affected). To do this, reduce the Block
Hold Time so the firewall blocks individual sessions that overulize the buffers faster, and
reduce the Block Duraon so that the underlying IP address is not unduly penalized.
PAN-OS® Administrator’s Guide Version Version 9.1 1540 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
In addion to configuring DoS protecon and zone protecon, apply the best pracce
Vulnerability Protecon profile to each Security policy rule to help defend against DoS
aacks.
PAN-OS® Administrator’s Guide Version Version 9.1 1541 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
way you count address matches affects firewall resource consumpon. You can use classified
DoS protecon to:
• Protect crical individual devices, especially servers that users access from the internet
and are oen aack targets, such as web servers, database servers, and DNS servers. Set
appropriate flood and resource protecon thresholds in a classified DoS Protecon profile.
Create a DoS Protecon policy rule that applies the profile to each server’s IP address by
adding the IP addresses as the rule’s desnaon criteria, and set the Address to desnaon-
ip-only.
The firewall uses more resources to track src-dest-ip-both as the Address than to track
source-IP-only or desnaon-ip-only because the counters consume resources for both
the source and desnaon IP addresses instead of just one of the two.
If you apply both an aggregate and a classified DoS Protecon profile to the same DoS Protecon
policy rule, the firewall applies the aggregate profile first and then applies the classified profile
if needed. For example, we protect a group of five web servers with both types of profiles in a
DoS Protecon policy rule. The aggregate profile configuraon drops new connecons when
the combined total for the group reaches a Max Rate of 25,000 CPS. The classified profile
configuraon drops new connecons to any individual web server in the group when it reaches a
Max Rate of 6,000 CPS. There are three scenarios where new connecon traffic crosses Max Rate
thresholds:
• The new CPS rate exceeds the aggregate Max Rate but doesn’t exceed the classified Max Rate.
In this scenario, the firewall applies the aggregate profile and blocks all new connecons for the
configured Block Duraon.
• The new CPS rate doesn’t exceed the aggregate Max Rate, but the CPS to one of the web
servers exceeds the classified Max Rate. In this scenario, the firewall checks the aggregate
profile and finds that the rate for the group is less than 25,000 CPS, so the firewall doesn’t
block new connecons based on that. Next, the firewall checks the classified profile and finds
that the rate for a parcular server exceeds 6,000 CPS. The firewall applies the classified
profile and blocks new connecons to that parcular server for the configured Block Duraon.
Because the other servers in the group are within the classified profile’s Max Rate, their traffic
is not affected.
PAN-OS® Administrator’s Guide Version Version 9.1 1542 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
• The new CPS rate exceeds the aggregate Max Rate and also exceeds the classified Max Rate
for one of the web servers. In this scenario, the firewall checks the aggregate profile and finds
that the rate for the group exceeds 25,000 CPS, so the firewall blocks new connecons to limit
the group’s total CPS. The firewall then checks the classified profile and finds that the rate for
a parcular server exceeds 6,000 CPS (so the aggregate profile enforced the group’s combined
limit, but that wasn’t enough to protect this parcular server). The firewall applies the classified
profile and blocks new connecons to that parcular server for the configured Block Duraon.
Because the other servers in the group are within the classified profile’s Max Rate, their traffic
is not affected.
If you want both an aggregate and a classified DoS Protecon profile to apply to the same
traffic, you must apply both profiles to the same DoS Protecon policy rule. If you apply
the aggregate profile to one rule and the classified profile to a different rule, even if they
specify exactly the same traffic, the firewall can apply only one profile because when
the traffic matches the first DoS Protecon policy rule, the firewall executes the Acon
specified in that rule and doesn’t compare to the traffic to any subsequent rules, so the
traffic never matches the second rule and the firewall can’t apply its acon. (This is the
same way that Security policy rules work.)
Measure and monitor firewall dataplane CPU consumpon to ensure that each firewall is
properly sized to support DoS and Zone Protecon and any other features that consume
CPU cycles, such as decrypon. If you use Panorama to manage your firewalls, Device
Monitoring (Panorama > Managed Devices > Health > All Devices) shows you the CPU
and memory consumpon of each managed firewall. It can also show you a 90-day trend
line of CPU average and peak use to help you understand the typical available capacity of
each firewall.
For each flood type, you set three thresholds for new CPS to a group of devices (aggregate) or to
individual devices (classified) and a Block Duraon, and you can set a drop Acon for SYN floods:
• Alarm Rate—When new CPS exceeds this threshold, the firewall generates a DoS alarm. For
classified profiles, set the rate to 15-20% above the device’s average CPS rate so that normal
fluctuaons don’t cause alerts. For aggregate profiles, set the rate to 15-20% above the group’s
average CPS rate.
• Acvate Rate—When new CPS exceeds this threshold, the firewall begins to drop new
connecons to migate the flood unl the CPS rate drops below the threshold. For classified
profiles, the Max Rate should be an acceptable CPS rate for the device(s) you’re protecng
PAN-OS® Administrator’s Guide Version Version 9.1 1543 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
(the Max Rate won’t flood the crical device(s)). You can set the Acvate Rate to the same
threshold as the Max Rate so that the firewall doesn’t use RED or SYN Cookies to begin
dropping traffic before it reaches the Max Rate. Set the Acvate Rate lower than the Max Rate
only if you want to drop traffic before it reaches the Max Rate. For aggregate profiles, set the
threshold just above the average peak CPS rate for the group to begin migang floods using
RED (or SYN Cookies for SYN floods).
• Max Rate—When new CPS exceeds this threshold, the firewall blocks (drops) all new
connecons from the offending IP address for the specified Block Duraon me period.
For classified profiles, base the Max Rate threshold on the capacity of the device(s) you’re
protecng so that the CPS rate can’t flood them. For aggregate profiles, set to 80-90% of the
group’s capacity.
• Block Duraon—When new CPS exceeds the Max Rate, the firewall blocks new connecons
from the offending IP address. The Block Duraon specifies the amount of me the
firewall connues to block the IP address’s new connecons. While the firewall blocks new
connecons, it doesn’t count incoming connecons and doesn’t increment the threshold
counters. For classified and aggregate profiles, use the default value (300 seconds) to block the
aacking session without penalizing legimate sessions from the source for too long a period
of me.
SYN Flood Protecon is the only type for which you set the drop Acon. Start by seng
the Acon to SYN Cookies. SYN Cookies treats legimate traffic fairly and only drops
traffic that fails the SYN handshake, while using Random Early Drop drops traffic
randomly, so RED may affect legimate traffic. However, SYN Cookies is more resource-
intensive because the firewall acts as a proxy for the target server and handles the
three-way handshake for the server. The tradeoff is not dropping legimate traffic (SYN
Cookies) versus preserving firewall resources (RED). Monitor the firewall, and if SYN
Cookies consumes too many resources, switch to RED. If you don’t have a dedicated DDoS
prevenon device in front of the firewall, always use RED as the drop mechanism.
The default threshold values are high so that DoS Protecon profiles don’t unexpectedly drop
legimate traffic. Monitor connecon traffic and adjust the thresholds to values appropriate for
your network. Start by taking baseline measurements of average and peak CPS for each flood
type to determine the normal traffic condions for the crical devices you want to protect.
Because normal traffic loads experience some fluctuaon, it’s best not to drop connecons too
aggressively. Monitor and adjust the flood thresholds as needed and as your network evolves.
Another method of seng flood thresholds is to use the baseline measurements to set the
maximum CPS you want to allow and work back from there to derive reasonable flood migaon
alarm and acvaon rates.
Firewalls with mulple dataplane processors (DPs) distribute connecons across DPs. In
general, the firewall divides the CPS threshold sengs equally across its DPs. For example,
if a firewall has five DPs and you set the Alarm Rate to 20,000 CPS, each DP has an
Alarm Rate of 4,000 CPS (20,000 / 5 = 4,000), so if the new sessions on a DP exceeds
4,000, it triggers the Alarm Rate threshold for that DP.
In addion to seng IP flood thresholds, you can also use DoS Protecon profiles to detect and
prevent session exhauson aacks in which a large number of hosts (bots) establish as many
sessions as possible to consume a target’s resources. On the profile’s Resources Protecon tab,
you can set the maximum number of concurrent sessions that the device(s) defined in the DoS
PAN-OS® Administrator’s Guide Version Version 9.1 1544 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
Protecon policy rule to which you apply the profile can receive. When the number of concurrent
sessions reaches its maximum limit, new sessions are dropped.
The maximum number of concurrent sessions to set depends on your network context.
Understand the number of concurrent sessions that the resources you are protecng (defined in
the DoS Protecon policy rule to which you aach the profile) can handle. Set the threshold to
approximately 80% of the resources’ capacity, then monitor and adjust the threshold as needed.
For aggregate profiles, the Resources Protecon threshold applies to all traffic of the devices
defined in the policy rule (source and desnaon). For classified profiles, the Resources Protecon
threshold applies to the traffic based on whether the classified policy rule applies to the source IP
only, to the desnaon IP only, or to both the source and desnaon IPs.
In addion to protecng service ports in use on crical servers, you can also protect
against DoS aacks on the unused service ports of crical servers. For crical systems,
you can do this by creang one DoS Protecon policy rule and profile to protect ports
with services running, and a different DoS Protecon policy rule and profile to protect
ports with no services running. For example, you can protect a web server’s normal
service ports, such as 80 and 443, with one policy/profile, and protect all of the other
service ports with the other policy/profile. Be aware of the firewall’s capacity so that
servicing the DoS counters doesn’t impact performance.
When traffic matches a DoS Protecon policy rule, the firewall takes one of three acons:
• Deny—The firewall denies access and doesn’t apply a DoS Protecon profile. Traffic that
matches the rule is blocked.
• Allow—The firewall permits access and doesn’t apply a DoS Protecon profile. Traffic that
matches the rule is allowed.
• Protect—The firewall protects the devices defined in the DoS Protecon policy rule by applying
the specified DoS Protecon profile or profiles thresholds to traffic that matches the rule. A
rule can have one aggregate DoS Protecon profile and one classified DoS Protecon profile,
and for classified profiles, you can use the source IP, desnaon IP, or both to increment the
flood threshold counters, as described in Classified Versus Aggregate DoS Protecon. Incoming
packets count against both DoS Protecon profile thresholds if the they match the rule.
PAN-OS® Administrator’s Guide Version Version 9.1 1545 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
The firewall applies DoS Protecon profiles only if the Acon is Protect. If the DoS Protecon
policy rule’s Acon is Protect, specify the appropriate aggregate and/or classified DoS Protecon
profiles in the rule so that the firewall applies the DoS Protecon profile’s thresholds to traffic that
matches the rule. Most rules are Protect rules.
The Allow and Deny acons enable you to make excepons within larger groups but do not apply
DoS protecon to the traffic. For example, you can deny the traffic from most of a group but allow
a subset of that traffic. Conversely, you can allow the traffic from most of a group and deny a
subset of that traffic.
You can Schedule when a DoS Protecon policy rule is acve (start and end me, recurrence
period). One use case for scheduling is to apply different flood thresholds at different mes of
the day or week. For example, if your business experiences significantly less traffic at night than
during the day, you may want to apply higher flood thresholds during the day than at night.
Another use case is to schedule special thresholds for special events, providing that the firewall
supports the CPS rates.
For easier management and granular reporng, configure Log Forwarding to separate DoS
protecon logs from other threat logs. Forward DoS threshold violaon events directly to the
administrators via email in addion to forwarding the logs to a server such an SNMP or syslog
server. Providing that the firewalls are appropriately sized, threshold breaches should not be
frequent and will be strong indicators of an aack aempt.
PAN-OS® Administrator’s Guide Version Version 9.1 1546 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
PAN-OS® Administrator’s Guide Version Version 9.1 1547 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
If you have exisng Zone Protecon profiles in place when you upgrade to PAN-OS 8.0,
the three default sengs will apply to each profile and the firewall will act accordingly.
Beginning with PAN-OS 8.1.2 and later releases, you can use a CLI command (Step 4 in this task)
to enable the firewall to generate a Threat log when the firewall receives and drops the following
types of packets, so that you can more easily analyze these occurrences and also fulfill audit and
compliance requirements:
• Teardrop aack
• DoS aack using ping of death
Furthermore, the same CLI command also enables the firewall to generate Threat logs for the
following types of packets if you enable the corresponding Packet Based Aack Protecon:
• Fragmented IP packets
• IP address spoofing
• ICMP packets larger than 1024 bytes
• Packets containing ICMP fragments
• ICMP packets embedded with an error message
• First packets for a TCP session that are not SYN packets
STEP 1 | Create a Zone Protecon profile and configure Packet-Based Aack Protecon sengs.
1. Select Network > Network Profiles > Zone Protecon and Add a new profile.
2. Enter a Name for the profile and an oponal Descripon.
3. Select Packet Based Aack Protecon.
4. On each tab (IP Drop, TCP Drop, ICMP Drop, IPv6 Drop, and ICMPv6 Drop), select the
Packet-Based Aack Protecon sengs you want to enforce to protect a zone.
5. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1548 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
STEP 2 | Apply the Zone Protecon profile to a security zone that is assigned to interfaces you want
to protect.
1. Select Network > Zones and select the zone where you want to assign the Zone
Protecon profile.
2. Add the Interfaces belonging to the zone.
3. For Zone Protecon Profile, select the profile you just created.
4. Click OK.
STEP 4 | (PAN-OS 8.1.2 and later releases) Enable the firewall to generate Threat logs for a teardrop
aack and a DoS aack using ping of death, and also generate Threat logs for the types of
packets listed above if you enable the corresponding packet-based aack protecon (in Step
1). For example, if you enable packet-based aack protecon for Spoofed IP address, using
the following CLI causes the firewall to generate a Threat log when the firewall receives and
drops a packet with a spoofed IP address.
1. Access the CLI.
2. Use the operaonal CLI command set system setting additional-threat-
log on. Default is off.
Use Case: Non-IP Protocol Protecon Between Security Zones on Layer 2 Interfaces
In this use case, the firewall is in a Layer 2 VLAN divided into two subinterfaces. VLAN 100 is
192.168.100.1/24, subinterface .6. VLAN 200 is 192.168.100.1/24, subinterface .7. Non-IP
protocol protecon applies to ingress zones. In this use case, if the Internet zone is the ingress
zone, the firewall blocks the Generic Object Oriented Substaon Event (GOOSE) protocol. If
the User zone is the ingress zone, the firewall allows the GOOSE protocol. The firewall implicitly
allows IPv4, IPv6, ARP, and VLAN-tagged frames in both zones.
PAN-OS® Administrator’s Guide Version Version 9.1 1549 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
STEP 2 | Configure protocol protecon in a Zone Protecon profile to block GOOSE protocol packets.
1. Select Network > Network Profiles > Zone Protecon and Add a profile.
2. Enter the Name Block GOOSE.
3. Select Protocol Protecon.
4. Choose Rule Type of Exclude List.
5. Enter the Protocol Name, GOOSE, to easily idenfy the Ethertype on the list. The
firewall doesn’t verify that the name you enter matches the Ethertype code; it uses only
the Ethertype code to filter.
6. Enter Ethertype code 0x88B8. The Ethertype must be preceded by 0x to indicate a
hexadecimal value. Range is 0x0000 to 0xFFFF.
7. Select Enable to enforce the protocol protecon. You can disable a protocol on the list,
for example, for tesng.
8. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1550 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
When configuring an Include list, include all required non-IP protocols; an incomplete
list can result in legimate non-IP traffic being blocked.
STEP 6 | Commit.
Click Commit.
STEP 7 | View the number of non-IP packets the firewall has dropped based on protocol protecon.
Access the CLI.
Use Case: Non-IP Protocol Protecon Within a Security Zone on Layer 2 Interfaces
If you don’t implement a Zone Protecon profile with non-IP protocol protecon, the firewall
allows non-IP protocols in a single zone to go from one Layer 2 interface to another. In this use
case, blocking LLDP packets ensures that LLDP for one network doesn’t discover a network
reachable through another interface in the zone.
In the following figure, the Layer 2 VLAN named Datacenter is divided into two subinterfaces:
192.168.1.1/24, subinterface .7 and 192.168.1.2/24, subinterface .8. The VLAN belongs to the
User zone. By applying a Zone Protecon profile that blocks LLDP to the User zone:
PAN-OS® Administrator’s Guide Version Version 9.1 1551 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
• Subinterface .7 blocks LLDP from its switch to the firewall at the red X on the le, prevenng
that traffic from reaching subinterface .8.
• Subinterface .8 blocks LLDP from its switch to the firewall at the red X on the right, prevenng
that traffic from reaching subinterface .7.
STEP 3 | Create a VLAN for the Layer2 interface and two subinterfaces.
1. Select Network > VLANs and Add a VLAN.
2. Enter the Name of the VLAN; for this example, enter Datacenter.
3. For VLAN Interface, select None.
4. For Interfaces, click Add and select the Layer 2 interface: ethernet1/1, and two
subinterfaces: ethernet1/1.7 and ethernet1/1.8.
5. Click OK.
PAN-OS® Administrator’s Guide Version Version 9.1 1552 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
STEP 5 | Apply the Zone Protecon profile to the security zone to which Layer 2 VLAN belongs.
1. Select Network > Zones.
2. Add a zone.
3. Enter the Name of the zone, User.
4. For Locaon, select the virtual system where the zone applies.
5. For Type, select Layer2.
6. Add an Interface that belongs to the zone, ethernet1/1.7
7. Add an Interface that belongs to the zone, ethernet1/1.8.
8. For Zone Protecon Profile, select the profile Block LLDP.
9. Click OK.
STEP 6 | Commit.
Click Commit.
STEP 7 | View the number of non-IP packets the firewall has dropped based on protocol protecon.
Access the CLI.
PAN-OS® Administrator’s Guide Version Version 9.1 1553 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
IP address. If one abusive user triggers packet buffer protecon and the ingress zone has packet
buffer protecon enabled, all traffic from that offending source IP address (even from non-abusive
users) can be blocked when the firewall puts the IP address on its block list.
The most effecve way to block DoS aacks against a service behind the firewall is to configure
packet buffer protecon globally and per ingress zone.
You can Enable Packet Buffer Protecon for a zone, but it is not acve unl you enable packet
buffer protecon globally and specify the sengs.
STEP 1 | Enable packet buffer protecon globally.
1. Select Device > Setup > Session and edit the Session Sengs.
2. Select Packet Buffer Protecon.
3. Define the packet buffer protecon behavior:
• Alert (%)—When packet buffer ulizaon exceeds this threshold for more than 10
seconds, the firewall creates a log event every minute. Range s 0% to 99%; default is
50%. If the value is 0%, the firewall does not create a log event.
• Acvate (%)—When packet buffer ulizaon reaches this threshold, the firewall
begins to migate the most abusive sessions by applying random early drop (RED).
Range is 0% to 99%; default is 50%. If the value is 0%, the firewall does not apply
RED. If the abuser is ingressing a zone that has Packet Buffer Protecon enabled, the
firewall can also discard the abusive session or block the offending source IP address.
Start with the default threshold and adjust it if necessary.
The firewall records alert events in the System log, and records events for
dropped traffic, discarded sessions, and blocked IP address in the Threat log.
• Block Hold Time (sec)—Number of seconds a RED-migated session is allowed to
connue before the firewall discards it. Range is 0 to 65,535; default is 60. If the value
is 0, the firewall does not discard sessions based on packet buffer protecon.
• Block Duraon (sec)—Number of seconds a session remains discarded or an IP
address remains blocked. Range is 1 to 15,999,999; default is 3,600.
4. Click OK.
5. Commit your changes.
PAN-OS® Administrator’s Guide Version Version 9.1 1554 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
This feature defends against DoS aacks of new sessions only, that is, traffic that has
not been offloaded to hardware. An offloaded aack is not protected by this feature.
However, this topic describes how you can create a Security policy rule to reset the client;
the aacker reiniates the aack with numerous connecons per second and is blocked by
the defenses illustrated in this topic.
DoS Protecon Profiles and Policy Rules work together to provide protecon against flooding
of many incoming SYN, UDP, ICMP, and ICMPv6 packets, and other types of IP packets. You
determine what thresholds constute flooding. In general, the DoS Protecon profile sets the
thresholds at which the firewall generates a DoS alarm, takes acon such as Random Early Drop,
and drops addional incoming connecons. A DoS Protecon policy rule that is set to protect
(rather than to allow or deny packets) determines the criteria for packets to match (such as source
address) in order to be counted toward the thresholds. This flexibility allows you to block certain
traffic, or allow certain traffic and treat other traffic as DoS traffic. When the incoming rate
exceeds your maximum threshold, the firewall blocks incoming traffic from the source address.
• Mulple-Session DoS Aack
• Single-Session DoS Aack
• Configure DoS Protecon Against Flooding of New Sessions
• End a Single Session DoS Aack
• Idenfy Sessions That Use Too Much of the On-Chip Packet Descriptor
• Discard a Session Without a Commit
PAN-OS® Administrator’s Guide Version Version 9.1 1555 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
PAN-OS® Administrator’s Guide Version Version 9.1 1556 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
The 10,000 new connecons per second exceed the Max Rate
threshold. When all of the following occur:
• the threshold is exceeded,
• a Block Duraon is specified, and
• Classified is set to include source IP address,
the firewall puts the offending source IP address on the block list.
The following figure describes in more detail what happens aer an IP address that matches the
DoS Protecon policy rule is put on the block list. It also describes the Block Duraon mer.
PAN-OS® Administrator’s Guide Version Version 9.1 1557 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
Every one second, the firewall allows the IP address to come off the block list so that the firewall
can test the traffic paerns and determine if the aack is ongoing. The firewall takes the following
acon:
• During this one-second test period, the firewall allows packets that don’t match the DoS
Protecon policy criteria (HTTP traffic in this example) through the DoS Protecon policy rules
to the Security policy for validaon. Very few packets, if any, have me to get through because
the first aack packet that the firewall receives aer the IP address is let off the block list will
match the DoS Protecon policy criteria, quickly causing the IP address to be placed back on
the block list for another second. The firewall repeats this test each second unl the aack
stops.
• The firewall blocks all aack traffic from going past the DoS Protecon policy rules (the address
remains on the block list) unl the Block Duraon expires.
The 1-second checks illustrated in the preceding figure occur on firewall models that have
mulple dataplane CPUs and a hardware network processor. All single dataplane systems
or systems without a hardware network processor perform this migaon in soware and
use a 5-second interval.
When the aack stops, the firewall does not put the IP address back on the block list. The firewall
allows non-aack traffic to proceed through the DoS Protecon policy rules to the Security policy
PAN-OS® Administrator’s Guide Version Version 9.1 1558 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
rules for evaluaon. You must configure a Security policy rule to allow or deny traffic because
without one, an implicit Deny rule denies all traffic.
The block list is based on a source zone and source address combinaon. This behavior allows
duplicate IP addresses to exist as long as they are in different zones belonging to separate virtual
routers.
The Block Duraon seng in a DoS Protecon profile specifies how long the firewall blocks the
[offending] packets that match a DoS Protecon policy rule. The aack traffic remains blocked
unl the Block Duraon expires, aer which the aack traffic must again exceed the Max Rate
threshold to be blocked again.
If the aacker uses mulple sessions or bots that iniate mulple aack sessions, the
sessions count toward the thresholds in the DoS Protecon profile without a Security
policy deny or drop rule in place. Hence, a single-session aack requires a Security policy
deny or drop rule in order for each packet to count toward the thresholds; a mulple-
session aack does not.
Therefore, the DoS protecon against flooding of new sessions allows the firewall to efficiently
defend against a source IP address while aack traffic is ongoing and to permit non-aack traffic
to pass as soon as the aack stops. Pung the offending IP address on the block list allows the
DoS protecon funconality to take advantage of the block list, which is designed to quaranne
all acvity from that source IP address, such as packets with a different applicaon. Quaranning
the IP address from all acvity protects against a modern aacker who aempts a rotang
applicaon aack, in which the aacker simply changes applicaons to start a new aack or uses
a combinaon of different aacks in a hybrid DoS aack. You can Monitor Blocked IP Addresses
to view the block list, remove entries from it, and get addional informaon about an IP address
on the block list.
Beginning with PAN-OS 7.0.2, it is a change in behavior that the firewall places the
aacking source IP address on the block list. When the aack stops, non-aack traffic is
allowed to proceed to Security policy enforcement. The aack traffic that matched the
DoS Protecon profile and DoS Protecon policy rules remains blocked unl the Block
Duraon expires.
PAN-OS® Administrator’s Guide Version Version 9.1 1559 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
that have not triggered the DoS Protecon policy threshold; oponal for mulple-session
aack migaon).
This step is one of the steps typically performed to stop an exisng aack. See End a
Single Session DoS Aack.
Because flood aacks can occur over mulple protocols, as a best pracce, acvate
protecon for all of the flood types in the DoS Protecon profile.
1. Select Objects > Security Profiles > DoS Protecon and Add a profile Name.
2. Select Classified as the Type.
3. For Flood Protecon, select all types of flood protecon:
• SYN Flood
• UDP Flood
• ICMP Flood
• ICMPv6 Flood
• Other IP Flood
4. When you enable SYN Flood, select the Acon that occurs when connecons per
second (cps) exceed the Acvate Rate threshold:
1. Random Early Drop—The firewall uses an algorithm to progressively start dropping
that type of packet. If the aack connues, the higher the incoming cps rate (above
the Acvate Rate) gets, the more packets the firewall drops. The firewall drops
packets unl the incoming cps rate reaches the Max Rate, at which point the firewall
drops all incoming connecons. Random Early Drop (RED) is the default acon for
SYN Flood, and the only acon for UDP Flood, ICMP Flood, ICMPv6 Flood, and
Other IP Flood. RED is more efficient than SYN Cookies and can handles larger
aacks, but doesn’t discern between good and bad traffic.
2. SYN Cookies—Rather than immediately sending the SYN to the server, the firewall
generates a cookie (on behalf of the server) to send in the SYN-ACK to the client. The
client responds with its ACK and the cookie; upon this validaon the firewall then
sends the SYN to the server. The SYN Cookies acon requires more firewall resources
than Random Early Drop; it’s more discerning because it affects bad traffic.
5. (Oponal) On each of the flood tabs, change the following thresholds to suit your
environment:
• Alarm Rate (connecons/s)—Specify the threshold rate (cps) above which a DoS alarm
is generated. (Range is 0-2,000,000; default is 10,000.)
• Acvate Rate (connecons/s)—Specify the threshold rate (cps) above which a DoS
response is acvated. When the Acvate Rate threshold is reached, Random Early
PAN-OS® Administrator’s Guide Version Version 9.1 1560 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
Drop occurs. Range is 0-2,000,000; default is 10,000. (For SYN Flood, you can select
the acon that occurs.)
• Max Rate (connecons/s)—Specify the threshold rate of incoming connecons per
second that the firewall allows. When the threshold is exceeded, new connecons
that arrive are dropped. (Range is 2-2,000,000; default is 40,000.)
The default threshold values in this step are only starng points and might not
be appropriate for your network. You must analyze the behavior of your network
to properly set inial threshold values.
6. On each of the flood tabs, specify the Block Duraon (in seconds), which is the length
of me the firewall blocks packets that match the DoS Protecon policy rule that
references this profile. Specify a value greater than zero. (Range is 1-21,600; default is
300.)
Set a low Block Duraon value if you are concerned that packets you incorrectly
idenfy as aack traffic will be blocked unnecessarily.
Set a high Block Duraon value if you are more concerned about blocking volumetric
aacks than you are about incorrectly blocking packets that aren’t part of an aack.
7. Click OK.
STEP 3 | Configure a DoS Protecon policy rule that specifies the criteria for matching the incoming
traffic.
The firewall resources are finite, so you wouldn’t want to classify using source address
on an internet-facing zone because there can be an enormous number of unique
IP addresses that match the DoS Protecon policy rule. That would require many
counters and the firewall would run out of tracking resources. Instead, define a DoS
Protecon policy rule that classifies using the desnaon address (of the server you are
protecng).
1. Select Policies > DoS Protecon and Add a Name on the General tab. The name is case-
sensive and can be a maximum of 31 characters, including leers, numbers, spaces,
hyphens, and underscores.
2. On the Source tab, choose the Type to be a Zone or Interface, and then Add the zone(s)
or interface(s). Choose zone or interface depending on your deployment and what you
PAN-OS® Administrator’s Guide Version Version 9.1 1561 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
want to protect. For example, if you have only one interface coming into the firewall,
choose Interface.
3. (Oponal) For Source Address, select Any for any incoming IP address to match the rule
or Add an address object such as a geographical region.
4. (Oponal) For Source User, select any or specify a user.
5. (Oponal) Select Negate to match any sources except those you specify.
6. (Oponal) On the Desnaon tab, choose the Type to be a Zone or Interface, and then
Add the desnaon zone(s) or interface(s). For example, enter the security zone you
want to protect.
7. (Oponal) For Desnaon Address, select Any or enter the IP address of the device you
want to protect.
8. (Oponal) On the Opon/Protecon tab, Add a Service. Select a service or click Service
and enter a Name. Select TCP or UDP. Enter a Desnaon Port. Not specifying a
parcular service allows the rule to match a flood of any protocol type without regard to
an applicaon-specific port.
9. On the Opon/Protecon tab, for Acon, select Protect.
10. Select Classified.
11. For Profile, select the name of the DoS Protecon profile you created.
12. For Address, select source-ip-only or src-dest-ip-both, which determines the type of IP
address to which the rule applies. Choose the seng based on how you want the firewall
to idenfy offending traffic:
• Specify source-ip-only if you want the firewall to classify only on the source IP
address. Because aackers oen test the enre network for hosts to aack, source-
ip-only is the typical seng for a wider examinaon.
• Specify src-dest-ip-both if you want to protect against DoS aacks only on the server
that has a specific desnaon address, and you also want to ensure that every source
IP address won’t surpass a specific cps threshold to that server.
13. Click OK.
STEP 4 | Commit.
Click Commit.
PAN-OS® Administrator’s Guide Version Version 9.1 1562 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
STEP 2 | Create a DoS Protecon policy rule that will block the aacker’s IP address aer the aack
thresholds are exceeded.
STEP 3 | Create a Security policy rule to deny the source IP address and its aack traffic.
STEP 4 | End any exisng aacks from the aacking source IP address by execung the clear
session all filter source <ip-address> operaonal command.
Alternavely, if you know the session ID, you can execute the clear session id <value>
command to end that session only.
Aer you end the exisng aack session, any subsequent aempts to form an aack session
are blocked by the Security policy. The DoS Protecon policy counts all connecon aempts
toward the thresholds. When the Max Rate threshold is exceeded, the source IP address is
blocked for the Block Duraon, as described in Mulple-Session DoS Aack.
PAN-OS® Administrator’s Guide Version Version 9.1 1563 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
6 6 trust 192.168.2.35 55653 10.1.8.89 80 ethernet1/21
ethernet1/22 undecided
The command displays a maximum of the top five sessions that each use 2% or more of the on-
chip packet descriptor.
The sample output above indicates that Session 6 is using 92% of the on-chip packet
descriptor with TCP packets (protocol 6) coming from source IP address 192.168.2.35.
• SESS-ID—Indicates the global session ID that is used in all other show session
commands. The global session ID is unique within the firewall.
• GRP-ID—Indicates an internal stage of processing packets.
• COUNT—Indicates how many packets are in that GRP-ID for that session.
• APP—Indicates the App-ID extracted from the Session informaon, which can help you
determine whether the traffic is legimate. For example, if packets use a common TCP or
UDP port but the CLI output indicates an APP of undecided, the packets are possibly
aack traffic. The APP is undecided when Applicaon IP Decoders cannot get enough
informaon to determine the applicaon. An APP of unknown indicates that Applicaon
IP Decoders cannot determine the applicaon; a session of unknown APP that uses a high
percentage of the on-chip packet descriptor is also suspicious.
To restrict the display output:
On a PA-7000 Series model only, you can limit output to a slot, a dataplane, or both. For
example:
On PA-5200 Series and PA-7000 Series models only, you can limit output to a dataplane. For
example:
STEP 2 | Use the command output to determine whether the source at the source IP address using a
high percentage of the on-chip packet descriptor is sending legimate or aack traffic.
In the sample output above, a single-session aack is likely occurring. A single session (Session
ID 6) is using 92% of the on-chip packet descriptor for Slot 1, DP 1, and the applicaon at that
point is undecided.
• If you determine a single user is sending an aack and the traffic is not offloaded, you can
End a Single Session DoS Aack. At a minimum, you can Configure DoS Protecon Against
Flooding of New Sessions.
• On a hardware model that has a field-programmable gate array (FPGA), the firewall offloads
traffic to the FPGA when possible to increase performance. If the traffic is offloaded to
PAN-OS® Administrator’s Guide Version Version 9.1 1564 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
hardware, clearing the session does not help because then it is the soware that must
handle the barrage of packets. You should instead Discard a Session Without a Commit.
To see whether a session is offloaded or not, use the show session id <session-id>
operaonal command in the CLI as shown in the following example. The layer7processing
value indicates completed for sessions offloaded or enabled for sessions not offloaded.
PAN-OS® Administrator’s Guide Version Version 9.1 1565 ©2021 Palo Alto Networks, Inc.
Zone Protecon and DoS Protecon
firewall. One reason why this can occur is because the traffic is denied due to a configured
Security policy rule.
> show session id xxxxxxxxxx
Session xxxxxxxxxx
Bad Key: c2s: ‘c2s’
Bad Key: s2c: ‘s2c’
index(local): : yyyyyyy
PAN-OS® Administrator’s Guide Version Version 9.1 1566 ©2021 Palo Alto Networks, Inc.
Cerficaons
The following topics describe how to configure Palo Alto Networks® firewalls and
appliances to support the Common Criteria and the Federal Informaon Processing
Standard 140-2 (FIPS 140-2), which are security cerficaons that ensure a standard
set of security assurances and funconalies. These cerficaons are oen required
by civilian U.S. government agencies and government contractors.
For details about product cerficaons and third-party validaon, refer to the
Cerficaons page.
1567
Cerficaons
When you enable FIPS-CC mode, the firewall will reset to the factory default sengs; all
configuraon will be removed.
PAN-OS® Administrator’s Guide Version Version 9.1 1568 ©2021 Palo Alto Networks, Inc.
Cerficaons
Access the MRT on hardware firewalls and appliances (such as PA-220 firewalls, PA-7000
Series firewalls, or M-Series appliances).
1. Establish a serial console session to the firewall or appliance.
1. Connect a serial cable from the serial port on your computer to the console port on
the firewall or appliance.
If your computer does not have a 9-pin serial port but does have a USB port,
use a serial-to-USB converter to establish the connecon. If the firewall has a
micro USB console port, connect to the port using a standard Type-A USB
to micro USB cable.
2. Open terminal emulaon soware on your computer and set to 9600-8-N-1 and then
connect to the appropriate COM port.
On a Windows system, you can go to the Control Panel to view the COM port
sengs for Device and Printers to determine which COM port is assigned to
the console.
3. Log in using an administrator account. (The default username/password is admin/
admin.)
2. Enter the following CLI command and press y to confirm:
3. Aer the firewall or appliance boots to the MRT welcome screen (in approximately 2 to 3
minutes), press Enter on Continue to access the MRT main menu.
You can also access the MRT by reboong the firewall or appliance and entering
maint at the maintenance mode prompt. A direct serial console connecon is
required.
Aer the firewall or appliance boots into the MRT, you can access the MRT remotely by
establishing an SSH connecon to the management (MGT) interface IP address. At the
login prompt, enter maint as the username and the firewall or appliance serial number
as the password.
PAN-OS® Administrator’s Guide Version Version 9.1 1569 ©2021 Palo Alto Networks, Inc.
Cerficaons
Access the MRT on VM-Series firewalls deployed in a private cloud (such as on a VMware ESXi
or KVM hypervisor).
1. Establish an SSH session to the management IP address of the firewall and log in using an
administrator account.
2. Enter the following CLI command and press y to confirm:
It will take approximately 2 to 3 minutes for the firewall to boot to the MRT.
During this me, your SSH session will disconnect.
3. Aer the firewall boots to the MRT welcome screen, log in based on the operaonal
mode:
• Normal mode—Establish an SSH session to the management IP address of the firewall
and log in using maint as the username and the firewall or appliance serial number as
the password.
• FIPS-CC mode—Access the virtual machine management ulity (such as the vSphere
client) and connect to the virtual machine console.
4. From the MRT welcome screen, press Enter on Continue to access the MRT main
menu.
Access the MRT on VM-Series firewalls deployed in the public cloud (such as AWS or Azure).
1. Establish an SSH session to the management IP address of the firewall and log in using an
administrator account.
2. Enter the following CLI command and press y to confirm:
It will take approximately 2 to 3 minutes for the firewall to boot to the MRT.
During this me, your SSH session will disconnect.
3. Aer the firewall boots to the MRT welcome screen, log in based on the virtual machine
type:
• AWS—Log in as ec2-user and select the SSH public key associated with the virtual
machine when you deployed it.
• Azure—Enter the credenals you created when you deployed the VM-Series firewall.
• GCP—Log in as gcp-user and select the SSH public key associated with the virtual
machine when you deployed it.
4. From the MRT welcome screen, press Enter on Continue to access the MRT main
menu.
PAN-OS® Administrator’s Guide Version Version 9.1 1570 ©2021 Palo Alto Networks, Inc.
Cerficaons
When the appliance is in FIPS-CC mode, you will not be able to configure any sengs via
the console, including the management interface sengs. Before enabling FIPS-CC mode,
make sure that your network is set up to allow access to the management interface via
SSH or the web interface. The management interface will default to a stac address of
192.168.1.1 if using a PA-Series firewall or to an address retrieved via DHCP if it is a VM-
Series firewall. The WildFire, virtual Panorama, and M-series Panorama appliances will
default to a stac address of 192.168.1.1.
Once FIPS-CC mode is enabled, all configuraons and sengs are erased. If an
administrator has configuraons or sengs they would like to reuse aer FIPS-CC mode is
enabled, the administrator can save and export the configuraon before changing to FIPS-
CC mode. The configuraon can then be imported once the operaonal mode change is
complete. The imported configuraon must be edited per the FIPS-CC Security Funcons
or else the import process will fail.
Keys, passwords, and other crical security parameters cannot be shared across modes.
If you change the operaonal mode of a firewall or Dedicated Log Collector managed by
a Panorama management server to FIPS-CC mode, you must also change the operaonal
mode of Panorama to FIPS-CC mode. This is required to secure password hashes for local
admin passwords pushed from Panorama.
STEP 1 | (Public Cloud VM-Series firewalls or Public Cloud Panorama Virtual Appliances only) Create
an SSH key and log in to the firewall or Panorama.
On some public cloud plaorms, such as Microso Azure, you must have an SSH key to
prevent an authencaon failure aer changing to FIPS-CC mode. Verify that you have
deployed the firewall to authencate using the SSH key. Although on Azure you can deploy
the VM-Series firewall or Panorama and log in using a username and password, you will be
unable to authencate using the username and password aer changing the operaonal mode
to FIPS-CC. Aer reseng to FIPS-CC mode, you must use the SSH key to log in and can then
configure a username and password that you can use for subsequently logging in to the firewall
web interface.
STEP 2 | Connect to the firewall or appliance and Access the Maintenance Recovery Tool (MRT).
STEP 4 | Select Enable FIPS-CC Mode. The mode change operaon starts and a status indicator
shows progress. Aer the mode change is complete, the status shows Success.
All configuraons and sengs are erased and cannot be retrieved once the mode
change is complete.
PAN-OS® Administrator’s Guide Version Version 9.1 1571 ©2021 Palo Alto Networks, Inc.
Cerficaons
If you change the operaonal mode on a VM-Series firewall deployed in the public
cloud and you lose your SSH connecon to the MRT before you are able to Reboot,
you must wait 10-15 minutes for the mode change to complete, log back into the MRT,
and then reboot the firewall to complete the operaon. Aer reseng to FIPS-CC
mode, on some virtual form factors (Panorama or VM-Series) you can only log in using
the SSH key, and if you have not set up authencaon using an SSH key, you can no
longer log in to the firewall on reboot.
Aer you switch to FIPS-CC mode, you see the following status: FIPS-CC mode enabled
successfully.
In addion, the following changes are in effect:
• FIPS-CC displays at all mes in the status bar at the boom of the web interface.
• The default administrator login credenals change to admin/paloalto.
See FIPS-CC Security Funcons for details on the security funcons that are enforced in FIPS-
CC mode.
PAN-OS® Administrator’s Guide Version Version 9.1 1572 ©2021 Palo Alto Networks, Inc.
Cerficaons
You cannot use a hardware security module (HSM) to store the private ECDSA keys
used for SSL Forward Proxy or SSL Inbound Inspecon.
Telnet, TFTP, and HTTP management connecons are not available.
You must enable encrypon for the HA1 control link. You must set automac rekeying
parameters; you must set the data parameter to a value no greater than 1000 MB (you cannot
let it default) and you must set a me interval (you cannot leave it disabled).
The serial console port in FIPS-CC mode funcons as a limited status output port only; CLI
access is not available.
The serial console port on hardware and private-cloud VM-Series firewalls booted into the
MRT provides interacve access to the MRT.
Interacve console access is not supported in the hypervisor environment private-cloud VM-
Series firewalls booted into the MRT; you can access the MRT only using SSH.
You must manually configure a new master key before the old master key expires; Auto Renew
Master Key is not supported in FIPS-CC mode.
If the master key expires, the firewall or Panorama automacally reboots in Maintenance mode.
You must then Reset the Firewall to Factory Default Sengs.
PAN-OS® Administrator’s Guide Version Version 9.1 1573 ©2021 Palo Alto Networks, Inc.
Cerficaons
PAN-OS® Administrator’s Guide Version Version 9.1 1574 ©2021 Palo Alto Networks, Inc.
Cerficaons
If you send a firewall that is managed by Panorama in for repair, see Before Starng RMA
Firewall Replacement.
STEP 4 | Verify that the scrub completed successfully. View the System log and filter on the word
swap. The System log indicates the scrub status for each swap paron (either one or two
parons depending on the model) and also displays a log entry that indicates the overall
status of the scrub. If the scrub completed successfully on all swap parons, the System log
shows Swap space scrub was successful.
If the scrub failed on one or more swap parons, the System log shows Swap space scrub
was unsuccessful. The following screen capture shows the log results for a firewall that
has two parons.
To view the scrub logs using the CLI, run the show log system | match swap
command.
If you iniate the scrub using the shutdown command, the firewall or appliance will
power off aer the scrub completes. Before you can power on the firewall or appliance,
you must first disconnect and reconnect the power source.
PAN-OS® Administrator’s Guide Version Version 9.1 1575 ©2021 Palo Alto Networks, Inc.
Cerficaons
PAN-OS® Administrator’s Guide Version Version 9.1 1576 ©2021 Palo Alto Networks, Inc.