
Security Platform Overview

Thursday, 07-May-2020 4:23 PM

The Cyber-Attack lifecycle is a sequence of events that an attacker goes through to infiltrate a network
and exfiltrate data from it.

This Cyber-Attack Lifecycle model illustrates how Palo Alto Networks uses each stage of the lifecycle.

EDU-110 Page 1
Next Generation Firewall Architecture
Thursday, 07-May-2020 5:34 PM

The strength of the Palo Alto Networks firewall is its Single Pass Parallel Processing (SP3) engine. Each content
protection feature in the device (anti-virus, anti-spyware, data filtering and vulnerability protection) uses the same
stream-based signature format, so the SP3 engine can search for all of these risks simultaneously. The advantage of a
stream-based engine is that traffic is scanned as it crosses the box with a minimal amount of buffering; this speed allows
advanced features such as scanning for viruses and malware without slowing firewall performance.

On the higher-end hardware models the data plane contains three types of processors connected by high-speed
1 Gbps buses.

Signature match processors scan traffic and detect vulnerability exploits, intrusions, viruses, spyware and credit card
numbers.

Security processors are multicore processors that handle security tasks such as Secure Sockets Layer (SSL)
decryption.

The network processor is responsible for routing, Network Address Translation (NAT) and network-layer
communication.

On the higher-end hardware models the control plane has its own dual-core processor, RAM and hard drive. This
processor is responsible for tasks such as the management UI, logging and route updates.

Zero Trust Security Model
Friday, 08-May-2020 2:08 PM

The constant cyber attacks against organizations show that perimeter security alone is not effective.

If the IT and network security teams have no true visibility, they cannot control the users and applications traversing the network.

The lack of full visibility means that organizations are vulnerable to attacks both from within the organization and from the
public internet.

In the majority of cases, attackers first infiltrate an end-user device before moving into the data center.

Protection is needed for traffic that enters the network from an external location, where the ingress/egress point is the perimeter;
this is known as north-south traffic.

Protection is also needed for traffic within the network, because that is where lateral movement techniques will take
place; this traffic is called east-west traffic.

The primary issue with perimeter security at both the ingress and egress points of the network is the false assumption that
traffic originating from the internal network can be trusted.

Zero Trust is an alternative security model that addresses the shortcomings of failing perimeter-centric strategies by
removing the assumption of trust.

In Zero Trust there is no default trust for any entity, including users, devices, applications and packets, regardless of what it is
or its location on or relative to the corporate network.

Zero Trust is a promising alternative model for IT security to follow.

It is intended to remedy the deficiencies of perimeter-centric strategies and of the legacy devices and technologies used to
implement them by promoting "never trust, always verify" as the guiding principle. This approach differs substantially from
conventional security models that operate on the basis of "trust but verify".

Thus security policy can be enforced regardless of the point of origin of the communication traffic.

Trust boundaries need to do more than provide initial authorization and access control levels of enforcement; the
concept of "always verify" also requires continuous monitoring and inspection of the associated communications traffic.

Firewall Offerings
Friday, 08-May-2020 6:19 PM

The PA-7050 and PA-7080 are chassis architectures.

The operating system is consistent across all platforms, so the look and feel of the interface is the same.

Each virtual system is an independent, separately managed firewall, with its traffic kept separate from the
traffic of other virtual systems.

Initial Configuration
Friday, 08-May-2020 8:38 PM

You can configure the firewall to allow management traffic over the normal in-band traffic interfaces.

You can also configure the management port of any firewall model to use DHCP.

The serial console is an RJ45 connection on all firewalls. Its default configuration is 9600-8-N-1.

The local password is stored in the firewall XML configuration file, but it is encrypted using the firewall master key.

External systems and applications can execute commands remotely on a Palo Alto Networks firewall.

The XML API reference document is available at paloaltonetworks.com/documentations

XML API integration resources are available at live.paloaltonetworks.com

The PAN-OS web interface is consistently the same across all firewall hardware platforms and virtual
platforms.

A red scribbly line under the name of a tab indicates that there is a value or field on that tab that you have to
populate.

Fields that are required are highlighted in yellow.

Initial System Access
Wednesday, 13-May-2020 2:28 PM

Hostname: max 31 characters; can be a mix of alphanumeric characters, hyphens and underscores.

The factory default name is the firewall model name.

Domain: max 31 characters; can be a mix of alphanumeric characters, hyphens and dots.

The factory default domain is empty.

The hostname is labelled as the device name in reports and logs; you can also filter log entries by device name.

If the management interface is configured by DHCP, then

becomes available.

For the message shown before login.

The information you provide in the latitude and longitude fields enables the geographical placement of the firewall on the ACC
tab source region and destination region maps.

When SSL/TLS is used, the firewall requires a digital certificate that is trusted by the clients.
The firewall and clients must also negotiate the SSL/TLS protocol version to use for communication.

An SSL/TLS Service profile is configured to specify the certificate and the acceptable protocol versions that can be used by clients
when connecting to firewall services.

If Verify Update Server Identity is selected, the firewall verifies the SSL certificate of the update server from which software
or threat database updates are downloaded.

Configuration Management
Wednesday, 13-May-2020 4:31 PM

> At boot time the latest configuration on disk is loaded into the candidate configuration in control plane memory.
> Auto-commit copies the candidate configuration to the running configuration in control plane memory.
> The running configuration in control plane memory is then pushed to data plane memory, where it is used to inspect and
control traffic traversing the firewall.
> Administrators make changes to the candidate configuration; the commit operation writes the changes to the running
configuration in control and data plane memory.
> The firewall creates a date- and time-stamped version of the running configuration whenever you perform a commit.
> To restore a previous version of the running configuration, click Load configuration version.

In versions prior to PAN-OS 8.0 a commit operation committed all changes by all operators.

You must have the necessary privileges to perform Commit All Changes.

You can commit just your own changes, or the changes of a selected group of other admins.

Only changes made by the admin user will be committed; however, if you click the admin user name, the web interface offers
the choice to select additional administrators.

Changes from admin and Zone admin will then be committed to the running configuration.

In every version of PAN-OS, changes made to the current candidate configuration can be saved to a default XML file
on the firewall. This capability enables you to save your current progress and continue your work later without having to
commit a partially completed configuration change.

In every version of PAN-OS you can revert to the last saved configuration in the default XML file on the firewall's disk.
This capability enables you to remove the most recent changes made since the last saved candidate configuration.

- Determines whether the configuration is accurate and complete.
- Displays all errors and warnings.
- Warnings do not prevent a commit, but errors do.
- Warnings include rule shadowing and application dependency warnings.
- Errors include an invalid route destination or a missing account or password.
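Rule shadowing is the warning worth understanding in this list: a later security rule is shadowed when an earlier rule already matches every packet the later rule could match, so the later rule is dead and its intended action (often a deny) never fires. The check below is an added example written for these notes, not the firewall's own validator; it treats a rule as a set of match conditions (zones, pre-NAT addresses, applications, services) and reports a rule as shadowed when an earlier rule covers every one of its conditions. The sample policy is constructed.

```python
"""Rule-shadowing check of the kind commit validation reports as a warning.

Illustration only, not PAN-OS code: a later rule is shadowed when an earlier
rule's match conditions are a superset of the later rule's conditions, so the
later rule can never be hit regardless of its action.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Set, Tuple

ANY = "any"


@dataclass
class Rule:
    name: str
    from_zones: Set[str]
    to_zones: Set[str]
    sources: List[str]        # CIDR strings (pre-NAT)
    destinations: List[str]   # CIDR strings (pre-NAT)
    applications: Set[str]
    services: Set[str]        # e.g. "tcp/80", or ANY
    action: str


def _set_covers(outer: Set[str], inner: Set[str]) -> bool:
    """True when every value accepted by inner is also accepted by outer."""
    if ANY in outer:
        return True
    if ANY in inner:
        return False
    return inner <= outer


def _nets_cover(outer: List[str], inner: List[str]) -> bool:
    """True when every inner network lies inside some outer network."""
    outer_nets = [ip_network(n) for n in outer]
    for cidr in inner:
        net = ip_network(cidr)
        if not any(o.version == net.version and net.subnet_of(o) for o in outer_nets):
            return False
    return True


def shadows(earlier: Rule, later: Rule) -> bool:
    """Does `earlier` match everything `later` matches?"""
    return (_set_covers(earlier.from_zones, later.from_zones)
            and _set_covers(earlier.to_zones, later.to_zones)
            and _nets_cover(earlier.sources, later.sources)
            and _nets_cover(earlier.destinations, later.destinations)
            and _set_covers(earlier.applications, later.applications)
            and _set_covers(earlier.services, later.services))


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed rule, first rule that shadows it) pairs, in policy order."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if shadows(earlier, later):
                findings.append((later.name, earlier.name))
                break
    return findings


# Constructed sample policy: the deny in rule 2 is dead because rule 1 already
# allows web-browsing from all of 10.0.0.0/8 on any service.
SAMPLE_POLICY = [
    Rule("allow-web-out", {"trust"}, {"untrust"}, ["10.0.0.0/8"], ["0.0.0.0/0"],
         {"web-browsing", "ssl"}, {ANY}, "allow"),
    Rule("deny-lab-web", {"trust"}, {"untrust"}, ["10.10.0.0/24"], ["0.0.0.0/0"],
         {"web-browsing"}, {"tcp/80"}, "deny"),
    Rule("allow-dns", {"trust"}, {"untrust", "dmz"}, ["10.0.0.0/8"], ["0.0.0.0/0"],
         {"dns"}, {ANY}, "allow"),
]

if __name__ == "__main__":
    for shadowed, by in find_shadowed(SAMPLE_POLICY):
        print(f"warning: rule '{shadowed}' is shadowed by rule '{by}'")
```

The fix for a finding is to move the more specific rule above the broader one; the real validator also considers users, URL categories and other match fields, which this toy omits.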

The web interface supports multiple administrators. An administrator can choose to take a commit lock, which prevents commit
operations by another administrator, or a config lock, which prevents changes to the candidate configuration.

You can use admin-level commits rather than taking locks.

If you want administrators to automatically acquire a commit lock when they log in, go to

Configure this behavior.

Before you take a lock, display a lock or remove a lock, first open the Locks window, which displays any open locks and
provides the choice to take or remove a lock.

Commit and config locks are released automatically when a commit operation is completed.

Licensing and software updates
Friday, 15-May-2020 2:56 PM

After the new account is verified and registration is complete, you can log in and download the software package that is
needed to install the VM-Series firewall.

Activation of a WildFire subscription requires a commit.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/subscriptions/activate-subscription-licenses

The Palo Alto Networks firewall regularly updates its threat and application databases.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGRCA0

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSgCAK

The management interface can be used to acquire these updates, or an in-band traffic interface can be configured to acquire
them.

A support license is required for downloads.

Software updates require a firewall reboot.

Before you upgrade the firewall software, the firewall must be running the most recent version of the Applications and Threats
updates. The software installation process fails if it does not have a current update, and a prompt indicates that an update to
the Applications and Threats file is required.


Dependencies

Before you upgrade, make sure the firewall is running a version of app + threat (content version) that meets the minimum
requirement of the new PAN-OS (see release notes). We recommend always running the latest version of content to ensure
the most accurate and effective protections are being applied.

PAN-OS UPGRADE PATH FROM 8.0/8.1 TO 9.0


Environment
First, let's understand the PAN-OS version naming:

Release Type   What it offers     How to identify
Major          Features & fixes   8.0.0
Minor          Features & fixes   8.1.0
Maintenance    Fixes              8.1.1
We will address the PAN-OS upgrade from 8.0.X to 9.0.X and also from 8.1.X to 9.0.X, where X is a maintenance release
version that is not 0.

Procedure
From PAN-OS 8.0.X to 9.0.N:
Prerequisite: the firewall is running 8.0.0 or 8.0.X, where X is a maintenance release version that is not 0.
1- Download 8.1.0. (To go from one major/minor release to another major/minor release (e.g. from 8.0.X to 8.1.X) the
firewall must already have the major release base image, i.e. Y.Z.X where X is 0.)
2- Download and install 8.1.n, where n is the latest maintenance release version available; for example, on 5 July
2019 the latest maintenance release was 8.1.9.
Note: It is best practice to go to the latest maintenance release as explained in step 2, but it also works by
downloading and installing 8.1.0 and skipping step 2.
3- Reboot the firewall.
4- Download 9.0.0 as explained in step 1.
5- Download 9.0.N, where N is the targeted maintenance release version.

From PAN-OS 8.1.X to 9.0.N:

Prerequisite: the firewall is running 8.1.0 or 8.1.X, where X is a maintenance release version that is not 0.
1- Download 9.0.0. (To go from one major/minor release to another major/minor release (e.g. from 8.1.X to 9.0.X) the
firewall must already have the major release base image, i.e. Y.Z.X where X is 0.)
2- Download 9.0.N, where N is the targeted maintenance release version.

Additional Information
For PAN-OS upgrade best practice, refer to the article below:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRrCAK
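The two procedures above are instances of one rule: a maintenance release can only be installed on top of its own Y.Z.0 base image, a multi-release jump walks through each intermediate minor release, and every install ends in a reboot. The planner below is an added example for these notes (not Palo Alto Networks tooling) that applies that rule to any pair of releases in a chain; the chain and the "latest maintenance release" table are constructed placeholders, except 8.1.9, which the article quotes for 5 July 2019.

```python
"""Upgrade path planner applying the base-image rule from the article above.

Assumptions (labelled): RELEASE_CHAIN is the ordered list of feature releases
the planner knows about, and LATEST_MAINT is a stand-in for looking up the
newest maintenance release of each; both are constructed for this example.
"""
from typing import Dict, List, Tuple

RELEASE_CHAIN = ["8.0", "8.1", "9.0"]
LATEST_MAINT: Dict[str, int] = {"8.0": 7, "8.1": 9, "9.0": 3}  # placeholders except 8.1.9


def parse_version(version: str) -> Tuple[int, int, int]:
    """'8.1.9' -> (8, 1, 9); rejects anything that is not three integers."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad PAN-OS version {version!r}")
    major, minor, maint = (int(p) for p in parts)
    return major, minor, maint


def feature_release(version: str) -> str:
    """The major.minor part that identifies the base image ('8.1.9' -> '8.1')."""
    major, minor, _ = parse_version(version)
    return f"{major}.{minor}"


def plan_upgrade(current: str, target: str,
                 chain: List[str] = RELEASE_CHAIN,
                 latest: Dict[str, int] = LATEST_MAINT) -> List[str]:
    """Ordered steps to move a firewall from `current` to `target`."""
    cur_feat, tgt_feat = feature_release(current), feature_release(target)
    if cur_feat not in chain or tgt_feat not in chain:
        raise ValueError("release not in the known chain")
    ci, ti = chain.index(cur_feat), chain.index(tgt_feat)
    if (ti, parse_version(target)) < (ci, parse_version(current)):
        raise ValueError("downgrade paths are out of scope")

    # Content (Applications and Threats) must meet the new PAN-OS minimum first.
    steps = ["Check content version meets the new PAN-OS minimum (release notes)"]
    if ti == ci:
        # Same feature release: the base image is already present.
        steps += [f"Download and install {target}", "Reboot the firewall"]
        return steps

    for i in range(ci + 1, ti + 1):
        feat = chain[i]
        if i < ti:
            # Intermediate release: base image, then its latest maintenance release.
            steps.append(f"Download {feat}.0 (base image for the {feat} release)")
            steps.append(f"Download and install {feat}.{latest[feat]} (latest maintenance release)")
        elif parse_version(target)[2] == 0:
            steps.append(f"Download and install {target} (base image)")
        else:
            steps.append(f"Download {feat}.0 (base image for the {feat} release)")
            steps.append(f"Download and install {target}")
        steps.append("Reboot the firewall")
    return steps


if __name__ == "__main__":
    for step in plan_upgrade("8.0.5", "9.0.3"):
        print("-", step)
```

For 8.0.X to 9.0.N the planner reproduces the five steps of the first procedure plus the reboot that any software install requires; for 8.1.X to 9.0.N it collapses to the two-step second procedure.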

Account Administration
Friday, 15-May-2020 11:54 PM

By default only the predefined admin account has access to the firewall.
However, you can add administrator accounts to the firewall for delegation and auditing purposes.
Each additional administrative account you create can have its own set of administrative privileges.

Specify administrative privileges by creating one or more admin role profiles with specific sets of privileges, and then assign an
admin role profile to each administrator account.

PAN-OS provides flexibility when administrative accounts and admin roles are created.

You can create and manage accounts and admin roles locally on the firewall, or incorporate a supported authentication,
authorization and accounting (AAA) service.

No matter which user makes changes to the running configuration, all changes are logged in the firewall configuration log and
the system log.
The system log records the time when an administrator logs in, and the configuration log records any changes that they
make.

Creating an administrator and a local administrator role.

If you need to allow different levels of permission for different firewall administrators in your organization, you can do so in
two ways. You can use the predefined permission sets (DYNAMIC PROFILE) or you can create your own custom role-based
administrator profile (CUSTOM PROFILE).

Creating an administrator account

Device --> Administrators

If the administrator type selected is Dynamic, choose one of the four predefined dynamic roles from the drop-down.

If you need to be more granular with the access you give to different administrators, you can create one or more role-based
administrator profiles.

By default there are three predefined roles available.

If you intend to use the XML API to send or receive information to and from the firewall, including configuration changes,
you create an account or role for the different aspects of XML API configuration.

You can also set different levels of command-line permission for any account placed into this role.

None: no access to the command line.

Having created the account role, now create an account for our intern user.

1) Create a server profile:

2) Then create an authentication profile.

3) Create the administrator account.

Note that there is no need to enter a password, as that information is held in RADIUS itself.

The firewall connects to each external service in turn until either the user account is located or no authentication profiles are left.

If no authentication profiles are left, the login attempt fails.

If the sequence includes an authentication profile that specifies local database authentication, the firewall checks that
profile first regardless of its order in the sequence.

A user is denied access only if authentication fails for all the profiles in the sequence.
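The three rules stated for an authentication sequence (try profiles in order, consult a local-database profile first wherever it sits, deny only when every profile fails) are small enough to model end to end. The code below is an added example written for these notes, not PAN-OS code; each backend (RADIUS, LDAP, local database) is replaced by a constructed in-memory credential store so the sequencing logic can be exercised offline, and the returned trace shows the order in which profiles were consulted.

```python
"""Model of a PAN-OS-style authentication sequence (illustration, not PAN-OS code).

Assumptions: each AuthProfile's `credentials` dict is a constructed stand-in
for the backend it names; a real deployment would query RADIUS/LDAP instead.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AuthProfile:
    name: str
    backend: str                 # "local", "radius", "ldap", ...
    credentials: Dict[str, str]  # constructed user -> password store


def ordered_profiles(sequence: List[AuthProfile]) -> List[AuthProfile]:
    """Local-database profiles are consulted first, then the rest in configured order."""
    local = [p for p in sequence if p.backend == "local"]
    external = [p for p in sequence if p.backend != "local"]
    return local + external


def authenticate(sequence: List[AuthProfile], user: str,
                 password: str) -> Tuple[bool, Optional[str], List[str]]:
    """Return (allowed, name of the profile that authenticated the user, trace)."""
    trace: List[str] = []
    for profile in ordered_profiles(sequence):
        stored = profile.credentials.get(user)
        if stored is None:
            trace.append(f"{profile.name}: user not found")
            continue
        # Constant-time comparison so the toy does not leak via timing either.
        if hmac.compare_digest(stored.encode(), password.encode()):
            trace.append(f"{profile.name}: success")
            return True, profile.name, trace
        trace.append(f"{profile.name}: wrong password")
    # Every profile was tried and none succeeded: access denied.
    trace.append("all profiles failed: access denied")
    return False, None, trace


# Constructed sequence: the local profile is configured LAST but is checked FIRST.
SEQUENCE = [
    AuthProfile("corp-radius", "radius", {"alice": "r4d1us-pw"}),
    AuthProfile("corp-ldap", "ldap", {"bob": "ld4p-pw"}),
    AuthProfile("local-admins", "local", {"bob": "local-pw"}),
]

if __name__ == "__main__":
    for user, pw in [("alice", "r4d1us-pw"), ("bob", "ld4p-pw"), ("carol", "x")]:
        allowed, by, trace = authenticate(SEQUENCE, user, pw)
        print(user, "->", "allowed via " + by if allowed else "denied", trace)
```

Note the consequence of the "local first" rule for the user bob, who exists both locally and in LDAP: a wrong local password does not deny him, because the sequence continues to the LDAP profile, and he is only denied when every profile has failed.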

Viewing and filtering logs
Sunday, 17-May-2020 2:10 PM

You can view details for all firewall logs under the Monitor tab.

It is very easy to create a filter in any of the log screens.

For example, if we need to see logs for a specific source IP:

Click on that address and the interface builds a filter for us.

Then click the Apply Filter button.

We can also manually change the filter details in the field.

We can build more complex filters by clicking several of these fields.

Attributes correspond to the columns at the top of the Monitor tab.

Click Add to add it to the filter.

Click Apply to add it to the filter window.

To export the filter details:

Then download the file.

Frequently used filters can be saved.

When we need to load the filter:

Select filter and apply it.

Interface Configuration
Tuesday, 19-May-2020 11:13 AM

High-level traffic processing logic:

First is the ingress stage, where the packet goes through packet processing, defragmentation and VPN decapsulation.
Next is the session setup phase, often called the slow path. This is where the firewall does the forwarding lookup,
determines the destination zone and applies flood thresholds such as SYN flood and UDP flood. Session setup is a
very important step.

After that comes the fast path, or security processing step, also referred to as the inspection and enforcement stage; this is
where the rubber meets the road for most of the traffic.

Then comes the egress phase, where the firewall does QoS egress shaping, fragmentation (for low-MTU links) and VPN encapsulation.

One thing we won't cover in great detail is session offload, also referred to as hardware offload. Here the firewall takes
certain types of traffic that are not subject to application shift and that cannot be inspected for various types of threats,
and sends them through the network processor inside the data plane for cut-through fast processing. It is important to
understand that this is a feature within the firewall, so when you run these diagnostics you want to turn it off so that
traffic goes through the full series of processing stages for the entire session. (Session offload can be turned off only on
hardware models, and only for troubleshooting, when necessary.)

When traffic arrives, the firewall does a flow key lookup. The flow key is a hash of source IP, source port, destination IP,
destination port and ingress interface; that information is hashed together and compared against the flow lookup table. If
the hash is not found in the flow lookup table, the firewall treats the packet as the first packet of a new session and sends it
through the session setup process.

Since there is no flow lookup match, the firewall infers the source zone from the association the ingress interface has with a
zone, and then applies any zone protection profile thresholds for floods, reconnaissance, denial of service protection and
session exhaustion. After that it does the forwarding lookup: a routing decision for a Layer 3 interface, or a lookup on Layer 2
or vWire interfaces, to decide where this traffic will egress, i.e. the egress interface, which must be associated with an egress
zone. Policy-based forwarding rules can also take action here and override the default forwarding logic of the virtual router
or the other forwarding mechanisms. While determining the destination zone the firewall also checks whether this traffic
will be network address translated, because that affects how the traffic is later compared with the security policy. (You may
have heard the statement "post-NAT destination zone, pre-NAT everything else": the firewall works out the true destination
zone of the traffic after it is NATed and uses that destination zone in the security rule lookup, while every other aspect of the
security policy matches on the pre-NAT values of that traffic.)

The next step is the security policy check, but at this point we haven't done any application labelling or inspection.

What's the deal with this policy check during session setup?

This security policy check is done here to check that the traffic is on an authorized destination port, is not coming from a
blocked source IP and is not going to a blocked destination IP.

Blocked malicious IPs and external dynamic lists are where the deny rule will actually be enforced. We don't need to do
application inspection: we know it is coming from a bad IP.

Protocol, source IP, destination IP, source port and destination port: these five things are checked at this very early stage.

One symptom you can use to tell whether traffic was denied during session setup or in the inspection and enforcement stage: if
you look at the traffic log and the application column says "not-applicable", that is your indicator that the session was killed
during session setup.
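The session-setup decisions in the last few paragraphs (flow key lookup, zone inference from the ingress interface, forwarding lookup, "post-NAT destination zone, pre-NAT everything else", the early 5-tuple policy check and the resulting `not-applicable` traffic log entry) fit in a short simulation. The code below is an added example written for these notes, not PAN-OS code: the interface-to-zone map, route table, destination NAT entry, external dynamic list and policy are all constructed, and the protocol is included in the flow key as an assumption beyond the five fields the notes list.

```python
"""Toy model of session setup (slow path) versus fast path (illustration, not PAN-OS).

Constructed topology: ethernet1/1 faces the internet (untrust), ethernet1/2 the
LAN (trust), ethernet1/3 a DMZ web server reachable via destination NAT.
"""
import hashlib
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

INTERFACE_ZONE = {"ethernet1/1": "untrust", "ethernet1/2": "trust", "ethernet1/3": "dmz"}
ROUTES = [("10.0.0.0/8", "ethernet1/2"), ("172.16.0.0/16", "ethernet1/3"), ("0.0.0.0/0", "ethernet1/1")]
DEST_NAT = {"203.0.113.10": "172.16.0.5"}              # public address -> DMZ server (constructed)
EDL_KNOWN_MALICIOUS = ["198.51.100.0/24"]             # constructed external dynamic list


@dataclass
class Rule:
    name: str
    from_zone: str            # zone name or "any"
    to_zone: str              # matched against the POST-NAT destination zone
    sources: List[str]        # CIDRs, matched on the PRE-NAT source
    dests: List[str]          # CIDRs, matched on the PRE-NAT destination
    ports: Optional[set]      # destination ports; None means any
    action: str


POLICY = [
    Rule("block-edl", "any", "any", EDL_KNOWN_MALICIOUS, ["0.0.0.0/0"], None, "deny"),
    Rule("web-inbound", "untrust", "dmz", ["0.0.0.0/0"], ["203.0.113.10/32"], {80, 443}, "allow"),
    Rule("internet-out", "trust", "untrust", ["10.0.0.0/8"], ["0.0.0.0/0"], None, "allow"),
]


def flow_key(src: str, sport: int, dst: str, dport: int, proto: str, ingress: str) -> str:
    """Hash of the fields that identify a flow (protocol added as an assumption)."""
    raw = f"{proto}|{src}|{sport}|{dst}|{dport}|{ingress}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def forwarding_lookup(dst: str) -> str:
    """Longest-prefix match on the constructed route table; returns the egress interface."""
    addr = ip_address(dst)
    candidates = ((ip_network(n), iface) for n, iface in ROUTES if addr in ip_network(n))
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def _in_any(addr: str, cidrs: List[str]) -> bool:
    return any(ip_address(addr) in ip_network(c) for c in cidrs)


def policy_lookup(src_zone: str, dst_zone: str, src: str, dst: str, dport: int) -> Optional[Rule]:
    """First-match lookup on the 5-tuple plus zones; None means implicit deny."""
    for rule in POLICY:
        if rule.from_zone not in ("any", src_zone) or rule.to_zone not in ("any", dst_zone):
            continue
        if not _in_any(src, rule.sources) or not _in_any(dst, rule.dests):
            continue
        if rule.ports is not None and dport not in rule.ports:
            continue
        return rule
    return None


class Firewall:
    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}
        self.traffic_log: List[dict] = []
        self._next_id = 1

    def process(self, src: str, sport: int, dst: str, dport: int,
                proto: str, ingress: str) -> Tuple[str, Optional[int]]:
        key = flow_key(src, sport, dst, dport, proto, ingress)
        if key in self.sessions:                         # flow found: straight to fast path
            return "fast-path", self.sessions[key]["id"]
        # --- session setup (slow path): no flow entry, so this is a first packet ---
        src_zone = INTERFACE_ZONE[ingress]               # zone inferred from ingress interface
        post_nat_dst = DEST_NAT.get(dst, dst)            # where the packet will really go
        dst_zone = INTERFACE_ZONE[forwarding_lookup(post_nat_dst)]   # post-NAT destination zone
        rule = policy_lookup(src_zone, dst_zone, src, dst, dport)    # pre-NAT for everything else
        if rule is None or rule.action == "deny":
            # Killed before any App-ID work happened, hence application "not-applicable".
            self.traffic_log.append({"src": src, "dst": dst, "dport": dport,
                                     "rule": rule.name if rule else "implicit-deny",
                                     "app": "not-applicable", "action": "deny"})
            return "denied-in-session-setup", None
        sid, self._next_id = self._next_id, self._next_id + 1
        self.sessions[key] = {"id": sid, "rule": rule.name, "from": src_zone, "to": dst_zone}
        return "session-created", sid
```

Running `Firewall().process("192.0.2.7", 51000, "203.0.113.10", 443, "tcp", "ethernet1/1")` creates a session whose destination zone is `dmz` even though the packet is addressed to the public 203.0.113.10, which is exactly the "post-NAT destination zone" behaviour; a second packet with the same tuple skips setup entirely, and a packet from the EDL range is logged with `app: not-applicable` without ever reaching inspection.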

Known malicious IP - surely bad IPs.

High-risk IP - reported as bad by other members of the Cyber Threat Alliance.
Bulletproof IP - IPs often used by malicious actors.


If we pass the security policy check we are assigned a session ID and move on to the inspection and enforcement process.

Now we are in the inspection and enforcement stage, also known as the fast path.

The first inspection step is deep packet inspection: the signature match processor identifies what the application is, and it
identifies any kind of content you don't want (threats, brute-force attacks, URLs).

App-ID can tell the difference between HTTPS traffic and BitTorrent traffic, whereas Content-ID requires the capability to
understand the language being spoken: listening in on a foreign-language conversation and following each word and the
context of the conversation (listening for a threat) is very analogous to Content-ID.

If you look at the data sheet you will see that App-ID has one throughput figure and the content or threat throughput is about
half of that, because it is much more intensive and laborious for the firewall to listen in on the conversation than just to
identify what language is being spoken.

After that inspection there is one more check: the firewall checks whether the traffic is SSH or SSL encrypted, and if it is,
whether you have a decryption policy rule. If you have such a rule and it matches this traffic, decryption is done in the
inspection and enforcement stage, and the traffic is then sent back to inspection again, because the firewall re-inspects it to
see what is really inside and to inspect for threats.

Then we get to the enforcement step. This is done based on the way you have written the security policy and applied
security profiles: if the traffic is allowed by the security policy and security profiles it is allowed out; if the traffic was
denied by the security policy or by security profiles it is dropped or some other action is taken, depending on how the
firewall is configured.

Security policy and security profiles are the enforcement portion of the rule. If we had a file blocking profile with a rule
saying executables are blocked, and Content-ID detected an EXE in the traffic, then the traffic would be blocked from the
enforcement stage.

Never do a packet diagnostic capture without first setting a capture filter, as it is VERY INTENSE FOR THE FIREWALL. You can do it
in the CLI or the web GUI.

debug dataplane packet-diag show setting - Validate that filters are in place and that log capture is turned off.


debug dataplane packet-diag set log feature flow basic

debug dataplane packet-diag show setting


debug dataplane packet-diag set log on

Now generate the traffic, and don't spend too much time, as it is very intensive for the firewall.
show session all filter source 10.0.0.3

Then turn off the log filter: debug dataplane packet-diag set log off

On firewalls with multiple dataplane CPUs, use the command below to merge the per-dataplane logs into a single unified document:
debug dataplane packet-diag aggregate-logs

The logs can be viewed using the following command:

less mp-log pan_packet_diag.log (now take this output from the CLI and paste it into Notepad.)

Troubleshooting Packet Flows (Episode 26) Learning Happy Hour

In tap mode the firewall does not block any traffic.

Security Zones and Interfaces
Saturday, 23-May-2020 5:23 PM

Questions
Sunday, 17-May-2020 3:09 PM
