
PAN-OS Administrator's Guide
Version 7.1

Contact Information

Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-us

About this Guide

This guide takes you through the configuration and maintenance of your Palo Alto Networks next-generation
firewall. For additional information, refer to the following resources:

For information on how to configure other components in the Palo Alto Networks Next-Generation Security
Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or
search the documentation.

For access to the knowledge base and community forums, refer to https://live.paloaltonetworks.com.

For contacting support, for information on support programs, to manage your account or devices, or to open a
support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.

For the most current PAN-OS and Panorama 7.1 release notes, go to
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os-release-notes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.

www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found
at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their
respective companies.

Revision Date: June 7, 2016

2 PAN-OS 7.1 Administrator's Guide Palo Alto Networks, Inc.
Table of Contents

Getting Started ..... 17
  Integrate the Firewall into Your Management Network ..... 18
    Determine Your Management Strategy ..... 18
    Perform Initial Configuration ..... 18
    Set Up Network Access for External Services ..... 22
  Register the Firewall ..... 26
  Activate Licenses and Subscriptions ..... 27
  Install Content and Software Updates ..... 29
  Segment Your Network Using Interfaces and Zones ..... 32
    Network Segmentation for a Reduced Attack Surface ..... 32
    Configure Interfaces and Zones ..... 33
  Set Up a Basic Security Policy ..... 36
  Assess Network Traffic ..... 40
  Enable Basic Threat Prevention Features ..... 42
    Enable Basic WildFire Forwarding ..... 42
    Scan Traffic for Threats ..... 43
    Control Access to Web Content ..... 47
    Enable AutoFocus Threat Intelligence ..... 50
  Best Practices for Completing the Firewall Deployment ..... 52

Firewall Administration ..... 53
  Management Interfaces ..... 54
  Use the Web Interface ..... 55
    Launch the Web Interface ..... 55
    Configure Banners, Message of the Day, and Logos ..... 55
    Use the Administrator Login Activity Indicators to Detect Account Misuse ..... 58
    Manage and Monitor Administrative Tasks ..... 60
    Commit, Validate, and Preview Firewall Configuration Changes ..... 60
    Use Global Find to Search the Firewall or Panorama Management Server ..... 62
    Manage Locks for Restricting Configuration Changes ..... 63
  Manage Configuration Backups ..... 65
    Back Up a Configuration ..... 65
    Restore a Configuration ..... 66
  Manage Firewall Administrators ..... 68
    Administrative Roles ..... 68
    Administrative Authentication ..... 69
    Configure Administrative Accounts and Authentication ..... 70
    Configure an Administrative Account ..... 70
    Configure Kerberos SSO and External or Local Authentication for Administrators ..... 71
    Configure Certificate-Based Administrator Authentication to the Web Interface ..... 72
    Configure SSH Key-Based Administrator Authentication to the CLI ..... 74
    Configure RADIUS Vendor-Specific Attributes for Administrator Authentication ..... 74
  Reference: Web Interface Administrator Access ..... 76
    Web Interface Access Privileges ..... 76
    Panorama Web Interface Access ..... 115
  Reference: Port Number Usage ..... 118
    Ports Used for Management Functions ..... 118
    Ports Used for HA ..... 119
    Ports Used for Panorama ..... 119
    Ports Used for User-ID ..... 120
  Reset the Firewall to Factory Default Settings ..... 122
  Bootstrap the Firewall ..... 123
    USB Flash Drive Support ..... 123
    Sample init-cfg.txt Files ..... 124
    Prepare a USB Flash Drive for Bootstrapping a Firewall ..... 125
    Bootstrap a Firewall Using a USB Flash Drive ..... 128

Authentication ..... 131
  Configure an Authentication Profile and Sequence ..... 132
  Configure Kerberos Single Sign-On ..... 135
  Configure Local Database Authentication ..... 136
  Configure External Authentication ..... 137
    Configure Authentication Server Profiles ..... 137
    Configure a RADIUS Server Profile ..... 137
    RADIUS Vendor-Specific Attributes Support ..... 138
    Configure a TACACS+ Server Profile ..... 139
    Configure an LDAP Server Profile ..... 140
    Configure a Kerberos Server Profile ..... 142
    Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers ..... 142
    Enable External Authentication for Users and Services ..... 143
  Test Authentication Server Connectivity ..... 144
    Run the Test Authentication Command ..... 144
    Test a Local Database Authentication Profile ..... 145
    Test a RADIUS Authentication Profile ..... 146
    Test a TACACS+ Authentication Profile ..... 147
    Test an LDAP Authentication Profile ..... 149
    Test a Kerberos Authentication Profile ..... 150
  Troubleshoot Authentication Issues ..... 152

Certificate Management ..... 153
  Keys and Certificates ..... 154
  Certificate Revocation ..... 156
    Certificate Revocation List (CRL) ..... 156
    Online Certificate Status Protocol (OCSP) ..... 157
  Certificate Deployment ..... 158
  Set Up Verification for Certificate Revocation Status ..... 159
    Configure an OCSP Responder ..... 159
    Configure Revocation Status Verification of Certificates ..... 160
    Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption ..... 160
  Configure the Master Key ..... 162
  Obtain Certificates ..... 163
    Create a Self-Signed Root CA Certificate ..... 163
    Generate a Certificate ..... 164
    Import a Certificate and Private Key ..... 165
    Obtain a Certificate from an External CA ..... 166
  Export a Certificate and Private Key ..... 168
  Configure a Certificate Profile ..... 169
  Configure an SSL/TLS Service Profile ..... 171
  Replace the Certificate for Inbound Management Traffic ..... 172
  Configure the Key Size for SSL Forward Proxy Server Certificates ..... 173
  Revoke and Renew Certificates ..... 174
    Revoke a Certificate ..... 174
    Renew a Certificate ..... 174
  Secure Keys with a Hardware Security Module ..... 175
    Set up Connectivity with an HSM ..... 175
    Encrypt a Master Key Using an HSM ..... 180
    Store Private Keys on an HSM ..... 181
    Manage the HSM Deployment ..... 182

High Availability ..... 183
  HA Overview ..... 184
  HA Concepts ..... 185
    HA Modes ..... 185
    HA Links and Backup Links ..... 186
    Device Priority and Preemption ..... 189
    Failover ..... 189
    LACP and LLDP Pre-Negotiation for Active/Passive HA ..... 190
    Floating IP Address and Virtual MAC Address ..... 190
    ARP Load-Sharing ..... 192
    Route-Based Redundancy ..... 194
    HA Timers ..... 194
    Session Owner ..... 197
    Session Setup ..... 197
    NAT in Active/Active HA Mode ..... 199
    ECMP in Active/Active HA Mode ..... 200
  Set Up Active/Passive HA ..... 201
    Prerequisites for Active/Passive HA ..... 201
    Configuration Guidelines for Active/Passive HA ..... 202
    Configure Active/Passive HA ..... 204
    Define HA Failover Conditions ..... 209
    Verify Failover ..... 209
  Set Up Active/Active HA ..... 211
    Prerequisites for Active/Active HA ..... 211
    Configure Active/Active HA ..... 211
    Use Case: Configure Active/Active HA with Route-Based Redundancy ..... 217
    Use Case: Configure Active/Active HA with Floating IP Addresses ..... 218
    Use Case: Configure Active/Active HA with ARP Load-Sharing ..... 219
    Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall ..... 220
    Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses ..... 224
    Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls ..... 227
    Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT ..... 228
    Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3 ..... 231
  HA Firewall States ..... 234
  Reference: HA Synchronization ..... 236
    What Settings Don't Sync in Active/Passive HA? ..... 236
    What Settings Don't Sync in Active/Active HA? ..... 238
    Synchronization of System Runtime Information ..... 240

Monitoring ..... 243
  Use the Dashboard ..... 244
  Use the Application Command Center ..... 245
    ACC First Look ..... 246
    ACC Tabs ..... 247
    ACC Widgets ..... 248
    Widget Descriptions ..... 249
    ACC Filters ..... 252
    Interact with the ACC ..... 254
    Use Case: ACC Path of Information Discovery ..... 256
  App Scope ..... 263
    Summary Report ..... 264
    Change Monitor Report ..... 265
    Threat Monitor Report ..... 266
    Threat Map Report ..... 267
    Network Monitor Report ..... 268
    Traffic Map Report ..... 269
  Use the Automated Correlation Engine ..... 270
    Automated Correlation Engine Concepts ..... 270
    View the Correlated Objects ..... 271
    Interpret Correlated Events ..... 272
    Use the Compromised Hosts Widget in the ACC ..... 274
  Take Packet Captures ..... 275
    Types of Packet Captures ..... 275
    Disable Hardware Offload ..... 276
    Take a Custom Packet Capture ..... 277
    Take a Threat Packet Capture ..... 281
    Take an Application Packet Capture ..... 282
    Take a Packet Capture on the Management Interface ..... 285
  Monitor Applications and Threats ..... 287
  Monitor and Manage Logs ..... 288
    Log Types and Severity Levels ..... 288
    Work with Logs ..... 292
    Configure Log Storage Quotas and Expiration Periods ..... 298
    Schedule Log Exports to an SCP or FTP Server ..... 298
  Manage Reporting ..... 300
    Report Types ..... 300
    View Reports ..... 301
    Configure the Report Expiration Period ..... 301
    Disable Predefined Reports ..... 302
    Generate Custom Reports ..... 302
    Generate Botnet Reports ..... 307
    Generate the SaaS Application Usage Report ..... 309
    Manage PDF Summary Reports ..... 311
    Generate User/Group Activity Reports ..... 312
    Manage Report Groups ..... 314
    Schedule Reports for Email Delivery ..... 314
  Use External Services for Monitoring ..... 316
  Configure Log Forwarding ..... 317
  Configure Email Alerts ..... 320
  Use Syslog for Monitoring ..... 321
    Configure Syslog Monitoring ..... 321
    Syslog Field Descriptions ..... 323
  SNMP Monitoring and Traps ..... 339
    SNMP Support ..... 339
    Use an SNMP Manager to Explore MIBs and Objects ..... 340
    Enable SNMP Services for Firewall-Secured Network Elements ..... 344
    Monitor Statistics Using SNMP ..... 344
    Forward Traps to an SNMP Manager ..... 346
    Supported MIBs ..... 348
  NetFlow Monitoring ..... 355
    Configure NetFlow Exports ..... 355
    NetFlow Templates ..... 356
  Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors ..... 360

User-ID ..... 363
  User-ID Overview ..... 364
  User-ID Concepts ..... 366
    Group Mapping ..... 366
    User Mapping ..... 366
  Enable User-ID ..... 370
  Map Users to Groups ..... 371
  Map IP Addresses to Users ..... 373
    Configure an Active Directory Account for the User-ID Agent ..... 373
    Configure User Mapping Using the Windows User-ID Agent ..... 375
    Configure User Mapping Using the PAN-OS Integrated User-ID Agent ..... 380
    Configure User-ID to Receive User Mappings from a Syslog Sender ..... 383
    Map IP Addresses to Usernames Using Captive Portal ..... 391
    Configure User Mapping for Terminal Server Users ..... 398
    Send User Mappings to User-ID Using the XML API ..... 404
  Enable User- and Group-Based Policy ..... 405
  Enable Policy for Users with Multiple Accounts ..... 407
  Verify the User-ID Configuration ..... 409
  Deploy User-ID in a Large-Scale Network ..... 411
    Deploy User-ID for Numerous Mapping Information Sources ..... 411
    Configure Firewalls to Redistribute User Mapping Information ..... 415

App-ID ..... 421
  App-ID Overview ..... 422
  Manage Custom or Unknown Applications ..... 423
  Manage New App-IDs Introduced in Content Releases ..... 424
    Review New App-IDs ..... 424
    Review New App-IDs Since Last Content Version ..... 425
    Review New App-ID Impact on Existing Policy Rules ..... 426
    Disable or Enable App-IDs ..... 427
    Prepare Policy Updates For Pending App-IDs ..... 427
  Use Application Objects in Policy ..... 429
    Create an Application Group ..... 429
    Create an Application Filter ..... 430
    Create a Custom Application ..... 431
  Applications with Implicit Support ..... 436
  Application Level Gateways ..... 439
  Disable the SIP Application-level Gateway (ALG) ..... 440

Threat Prevention ..... 441
  Set Up Security Profiles and Policies ..... 442
    Set Up Antivirus, Anti-Spyware, and Vulnerability Protection ..... 442
    Set Up Data Filtering ..... 445
    Set Up File Blocking ..... 448
  Prevent Brute Force Attacks ..... 450
    Customize the Action and Trigger Conditions for a Brute Force Signature ..... 451
  Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions ..... 454
  Enable DNS Proxy ..... 459
  Enable Passive DNS Collection for Improved Threat Intelligence ..... 462
  Use DNS Queries to Identify Infected Hosts on the Network ..... 463
    DNS Sinkholing ..... 463
    Configure DNS Sinkholing for a List of Custom Domains ..... 465
    Configure the Sinkhole IP Address to a Local Server on Your Network ..... 467
    Identify Infected Hosts ..... 471
  Content Delivery Network Infrastructure for Dynamic Updates ..... 473
  Threat Prevention Resources ..... 475
Decryption ..... 477
  Decryption Overview ..... 478
  Decryption Concepts ..... 479
    Keys and Certificates for Decryption Policies ..... 479
    SSL Forward Proxy ..... 480
    SSL Inbound Inspection ..... 481
    SSH Proxy ..... 482
    Decryption Exceptions ..... 483
    Decryption Mirroring ..... 483
  Define Traffic to Decrypt ..... 485
    Create a Decryption Profile ..... 485
    Create a Decryption Policy Rule ..... 487
  Configure SSL Forward Proxy ..... 489
  Configure SSL Inbound Inspection ..... 493
  Configure SSH Proxy ..... 495
  Configure Decryption Exceptions ..... 496
    Exclude Traffic from Decryption ..... 496
    Exclude a Server from Decryption ..... 497
  Enable Users to Opt Out of SSL Decryption ..... 498
  Configure Decryption Port Mirroring ..... 500
  Temporarily Disable SSL Decryption ..... 502

URL Filtering ..... 503
  URL Filtering Overview ..... 504
    URL Filtering Vendors ..... 504
    Interaction Between App-ID and URL Categories ..... 504
    PAN-DB Private Cloud ..... 505
  URL Filtering Concepts ..... 508
    URL Categories ..... 508
    URL Filtering Profile ..... 510
    URL Filtering Profile Actions ..... 510
    Block and Allow Lists ..... 511
    External Dynamic List for URLs ..... 512
    Safe Search Enforcement ..... 512
    Container Pages ..... 513
    HTTP Header Logging ..... 514
    URL Filtering Response Pages ..... 514
    URL Category as Policy Match Criteria ..... 516
  PAN-DB Categorization ..... 518
    PAN-DB URL Categorization Components ..... 518
    PAN-DB URL Categorization Workflow ..... 519
  Enable a URL Filtering Vendor ..... 520
    Enable PAN-DB URL Filtering ..... 520
    Enable BrightCloud URL Filtering ..... 521
  Determine URL Filtering Policy Requirements ..... 524
  Use an External Dynamic List in a URL Filtering Profile ..... 526
  Monitor Web Activity ..... 528
    Monitor Web Activity of Network Users ..... 528
    View the User Activity Report ..... 530
    Configure Custom URL Filtering Reports ..... 532
  Configure URL Filtering ..... 533
  Customize the URL Filtering Response Pages ..... 535
  Configure URL Admin Override ..... 536
  Enable Safe Search Enforcement ..... 538
    Block Search Results that are not Using Strict Safe Search Settings ..... 538
    Enable Transparent Safe Search Enforcement ..... 540
  Set Up the PAN-DB Private Cloud ..... 544
    Set Up the PAN-DB Private Cloud ..... 544
    Configure the Firewalls to Access the PAN-DB Private Cloud ..... 548
  URL Filtering Use Case Examples ..... 549
    Use Case: Control Web Access ..... 549
    Use Case: Use URL Categories for Policy Matching ..... 552
  Troubleshoot URL Filtering ..... 555
    Problems Activating PAN-DB ..... 555
    PAN-DB Cloud Connectivity Issues ..... 555
    URLs Classified as Not-Resolved ..... 557
    Incorrect Categorization ..... 557
    URL Database Out of Date ..... 558

Quality of Service ..... 559
  QoS Overview ..... 560
  QoS Concepts ..... 561
    QoS for Applications and Users ..... 561
    QoS Policy ..... 561
    QoS Profile ..... 562
    QoS Classes ..... 562
    QoS Priority Queuing ..... 562
    QoS Bandwidth Management ..... 563
    QoS Egress Interface ..... 563
    QoS for Clear Text and Tunneled Traffic ..... 564
  Configure QoS ..... 565
  Configure QoS for a Virtual System ..... 570
  Enforce QoS Based on DSCP Classification ..... 575
  QoS Use Cases ..... 578
    Use Case: QoS for a Single User ..... 578
    Use Case: QoS for Voice and Video Applications ..... 580

VPNs ..... 585
  VPN Deployments ..... 586
  Site-to-Site VPN Overview ..... 587
  Site-to-Site VPN Concepts ..... 588
    IKE Gateway ..... 588
    Tunnel Interface ..... 588
    Tunnel Monitoring ..... 589
    Internet Key Exchange (IKE) for VPN ..... 590
    IKEv2 ..... 592
  Set Up Site-to-Site VPN ..... 596
    Set Up an IKE Gateway ..... 596
    Define Cryptographic Profiles ..... 602
    Set Up an IPSec Tunnel ..... 605
    Set Up Tunnel Monitoring ..... 608
    Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel ..... 609
    Test VPN Connectivity ..... 611
    Interpret VPN Error Messages ..... 611
  Site-to-Site VPN Quick Configs ..... 613
    Site-to-Site VPN with Static Routing ..... 613
    Site-to-Site VPN with OSPF ..... 617
    Site-to-Site VPN with Static and Dynamic Routing ..... 622

Large Scale VPN (LSVPN) ..... 629
  LSVPN Overview ..... 630
  Create Interfaces and Zones for the LSVPN ..... 631
  Enable SSL Between GlobalProtect LSVPN Components ..... 633
    About Certificate Deployment ..... 633
    Deploy Server Certificates to the GlobalProtect LSVPN Components ..... 633
    Deploy Client Certificates to the GlobalProtect Satellites Using SCEP ..... 636
  Configure the Portal to Authenticate Satellites ..... 639
  Configure GlobalProtect Gateways for LSVPN ..... 641
    Prerequisite Tasks ..... 641
    Configure the Gateway ..... 641
  Configure the GlobalProtect Portal for LSVPN ..... 644
    Prerequisite Tasks ..... 644
    Configure the Portal ..... 644
    Define the Satellite Configurations ..... 645
  Prepare the Satellite to Join the LSVPN ..... 649
  Verify the LSVPN Configuration ..... 651
  LSVPN Quick Configs ..... 652
    Basic LSVPN Configuration with Static Routing ..... 653
    Advanced LSVPN Configuration with Dynamic Routing ..... 656

Networking ........................................................659
InterfaceDeployments ............................................................ 660
VirtualWireDeployments ..................................................... 660
Layer2Deployments ......................................................... 663
Layer3Deployments ......................................................... 663
TapModeDeployments ....................................................... 664
ConfigureanAggregateInterfaceGroup ............................................ 665

PaloAltoNetworks,Inc. PANOS7.1AdministratorsGuide 11
TableofContents

UseInterfaceManagementProfilestoRestrictAccess.................................668
VirtualRouters...................................................................669
StaticRoutes .....................................................................671
RIP .............................................................................673
OSPF ...........................................................................675
OSPFConcepts ...............................................................675
ConfigureOSPF ..............................................................677
ConfigureOSPFv3............................................................682
ConfigureOSPFGracefulRestart ...............................................684
ConfirmOSPFOperation ......................................................685
BGP.............................................................................687
SessionSettingsandTimeouts .....................................................692
TransportLayerSessions.......................................................692
TCP.........................................................................692
UDP.........................................................................696
ICMP ........................................................................697
ConfigureSessionTimeouts ....................................................697
ConfigureSessionSettings.....................................................699
PreventTCPSplitHandshakeSessionEstablishment ..............................701
DHCP ...........................................................................702
DHCPOverview ..............................................................702
FirewallasaDHCPServerandClient ............................................703
DHCPMessages ..............................................................703
DHCPAddressing .............................................................704
DHCPOptions................................................................705
ConfigureanInterfaceasaDHCPServer ........................................708
ConfigureanInterfaceasaDHCPClient .........................................712
ConfiguretheManagementInterfaceasaDHCPClient ............................713
ConfigureanInterfaceasaDHCPRelayAgent ...................................714
MonitorandTroubleshootDHCP...............................................715
NAT ............................................................................717
NATPolicyRules..............................................................717
SourceNATandDestinationNAT ...............................................719
NATRuleCapacities...........................................................721
DynamicIPandPortNATOversubscription ......................................721
DataplaneNATMemoryStatistics ..............................................723
ConfigureNAT ...............................................................724
NATConfigurationExamples ...................................................730
NPTv6 ..........................................................................739
NPTv6Overview .............................................................739
HowNPTv6Works ...........................................................741
NDPProxy ...................................................................742
NPTv6andNDPProxyExample ................................................744
CreateanNPTv6Policy........................................................745
ECMP ...........................................................................748
ECMPLoadBalancingAlgorithms ...............................................748
ECMPPlatform,Interface,andIPRoutingSupport ................................749
ConfigureECMPonaVirtualRouter ............................................750

12 PANOS7.1AdministratorsGuide PaloAltoNetworks,Inc.
TableofContents

EnableECMPforMultipleBGPAutonomousSystems ............................. 751


VerifyECMP ................................................................. 753
LLDP ........................................................................... 754
LLDPOverview .............................................................. 754
SupportedTLVsinLLDP....................................................... 755
LLDPSyslogMessagesandSNMPTraps......................................... 756
ConfigureLLDP .............................................................. 757
ViewLLDPSettingsandStatus ................................................. 759
ClearLLDPStatistics .......................................................... 760
BFD............................................................................ 761
BFDOverview ............................................................... 761
ConfigureBFD............................................................... 764
Reference:BFDDetails ........................................................... 771

Policy..............................................................775
PolicyTypes ..................................................................... 776
SecurityPolicy................................................................... 777
ComponentsofaSecurityPolicyRule........................................... 777
SecurityPolicyActions........................................................ 780
CreateaSecurityPolicyRule ................................................... 780
PolicyObjects ................................................................... 783
SecurityProfiles.................................................................. 784
AntivirusProfiles ............................................................. 785
AntiSpywareProfiles......................................................... 785
VulnerabilityProtectionProfiles................................................ 786
URLFilteringProfiles.......................................................... 786
DataFilteringProfiles......................................................... 787
FileBlockingProfiles .......................................................... 788
WildFireAnalysisProfiles ...................................................... 788
DoSProtectionProfiles........................................................ 788
ZoneProtectionProfiles ....................................................... 789
SecurityProfileGroup ......................................................... 789
BestPracticeInternetGatewaySecurityPolicy....................................... 793
WhatIsaBestPracticeInternetGatewaySecurityPolicy?......................... 793
WhyDoINeedaBestPracticeInternetGatewaySecurityPolicy?.................. 795
HowDoIDeployaBestPracticeInternetGatewaySecurityPolicy? ................ 796
IdentifyWhitelistApplications.................................................. 797
CreateUserGroupsforAccesstoWhitelistApplications .......................... 799
DecryptTrafficforFullVisibilityandThreatInspection ............................ 800
CreateBestPracticeSecurityProfiles ........................................... 802
DefinetheInitialInternetGatewaySecurityPolicy ................................ 806
MonitorandFineTunethePolicyRulebase...................................... 814
RemovetheTemporaryRules.................................................. 815
MaintaintheRulebase......................................................... 816
EnumerationofRulesWithinaRulebase ............................................ 817
MoveorCloneaPolicyRuleorObjecttoaDifferentVirtualSystem .................... 818
UseTagstoGroupandVisuallyDistinguishObjects .................................. 819

PaloAltoNetworks,Inc. PANOS7.1AdministratorsGuide 13
TableofContents

CreateandApplyTags .........................................................819
ModifyTags ..................................................................820
UsetheTagBrowser..........................................................820
UseanExternalDynamicListinPolicy ..............................................825
ExternalDynamicList .........................................................825
FormattingGuidelinesforanExternalDynamicList ...............................826
EnforcePolicyonEntriesinanExternalDynamicList ..............................827
ViewtheListofEntriesinanExternalDynamicList ...............................830
RetrieveanExternalDynamicListfromtheWebServer ...........................831
RegisterIPAddressesandTagsDynamically .........................................832
MonitorChangesintheVirtualEnvironment .........................................833
EnableVMMonitoringtoTrackChangesontheVirtualNetwork ...................833
AttributesMonitoredintheAWSandVMwareEnvironments ......................835
UseDynamicAddressGroupsinPolicy..........................................836
CLICommandsforDynamicIPAddressesandTags...................................839
IdentifyUsersConnectedthroughaProxyServer.....................................841
UseXFFValuesforPoliciesandLoggingSourceUsers .............................841
AddXFFValuestoURLFilteringLogs ...........................................842
PolicyBasedForwarding ..........................................................843
PBF.........................................................................843
CreateaPolicyBasedForwardingRule..........................................845
UseCase:PBFforOutboundAccesswithDualISPs ...............................847
DoSProtectionAgainstFloodingofNewSessions....................................854
DoSProtectionAgainstFloodingofNewSessions ................................854
ConfigureDoSProtectionAgainstFloodingofNewSessions.......................857
UsetheCLItoEndaSingleAttackingSession ....................................860
IdentifySessionsThatUseanExcessivePercentageofthePacketBuffer ............860
DiscardaSessionWithoutaCommit ............................................863

VirtualSystems.................................................... 865
VirtualSystemsOverview .........................................................866
VirtualSystemComponentsandSegmentation ...................................866
BenefitsofVirtualSystems .....................................................867
UseCasesforVirtualSystems..................................................867
PlatformSupportandLicensingforVirtualSystems ...............................867
AdministrativeRolesforVirtualSystems .........................................868
SharedObjectsforVirtualSystems ..............................................868
CommunicationBetweenVirtualSystems............................................869
InterVSYSTrafficThatMustLeavetheFirewall..................................869
InterVSYSTrafficThatRemainsWithintheFirewall ..............................870
InterVSYSCommunicationUsesTwoSessions ...................................872
SharedGateway ..................................................................873
ExternalZonesandSharedGateway.............................................873
NetworkingConsiderationsforaSharedGateway.................................874
ServiceRoutesforVirtualSystems ..................................................875
UseCasesforServiceRoutesforaVirtualSystem.................................875
PA7000SeriesFirewallLPCSupportforPerVirtualSystemPathstoLoggingServers.876

14 PANOS7.1AdministratorsGuide PaloAltoNetworks,Inc.
TableofContents

DNSProxyObject............................................................ 876
DNSServerProfile............................................................ 877
MultiTenantDNSDeployments................................................ 877
ConfigureVirtualSystems ......................................................... 878
ConfigureInterVirtualSystemCommunicationwithintheFirewall..................... 881
ConfigureaSharedGateway....................................................... 882
CustomizeServiceRoutesforaVirtualSystem ....................................... 883
CustomizeServiceRoutestoServicesforVirtualSystems.......................... 883
ConfigureaPA7000SeriesFirewallforLoggingPerVirtualSystem ................ 884
ConfigureaDNSProxyObject................................................. 885
ConfigureaDNSServerProfile ................................................. 888
ConfigureAdministrativeAccessPerVirtualSystemorFirewall..................... 889
DNSResolutionThreeUseCases ................................................. 891
UseCase1:FirewallRequiresDNSResolutionforManagementPurposes ........... 891
UseCase2:ISPTenantUsesDNSProxytoHandleDNSResolutionforSecurityPolicies,Re
porting,andServiceswithinitsVirtualSystem893
UseCase3:FirewallActsasDNSProxyBetweenClientandServer ................. 895
VirtualSystemFunctionalitywithOtherFeatures .................................... 897

Certifications .......................................................899
EnableFIPSandCommonCriteriaSupport .......................................... 900
FIPSCCSecurityFunctions........................................................ 901

PaloAltoNetworks,Inc. PANOS7.1AdministratorsGuide 15
TableofContents

16 PANOS7.1AdministratorsGuide PaloAltoNetworks,Inc.
Getting Started

The following topics provide detailed steps to help you deploy a new Palo Alto Networks next-generation firewall. They provide details for integrating a new firewall into your network, registering the firewall, activating licenses and subscriptions, and configuring basic security policies and threat prevention features. After you perform the basic configuration steps required to integrate the firewall into your network, you can use the rest of the topics in this guide to help you deploy the comprehensive security platform features as necessary to address your network security needs.

  Integrate the Firewall into Your Management Network
  Register the Firewall
  Activate Licenses and Subscriptions
  Install Content and Software Updates
  Segment Your Network Using Interfaces and Zones
  Set Up a Basic Security Policy
  Assess Network Traffic
  Enable Basic Threat Prevention Features
  Best Practices for Completing the Firewall Deployment

Integrate the Firewall into Your Management Network

All Palo Alto Networks firewalls provide an out-of-band management port (MGT) that you can use to perform the firewall administration functions. By using the MGT port, you separate the management functions of the firewall from the data processing functions, safeguarding access to the firewall and enhancing performance. When using the web interface, you must perform all initial configuration tasks from the MGT port even if you plan to use an in-band data port for managing your firewall going forward.

Some management tasks, such as retrieving licenses and updating the threat and application signatures on the firewall, require access to the Internet. If you do not want to enable external access to your MGT port, you will need to either set up an in-band data port to provide access to required external services (using service routes) or plan to manually upload updates regularly.

The following topics describe how to perform the initial configuration steps that are necessary to integrate a new firewall into the management network and deploy it in a basic security configuration.

  Determine Your Management Strategy
  Perform Initial Configuration
  Set Up Network Access for External Services

Note: The following topics describe how to integrate a single Palo Alto Networks next-generation firewall into your network. However, for redundancy, consider deploying a pair of firewalls in a High Availability configuration.

Determine Your Management Strategy

The Palo Alto Networks firewall can be configured and managed locally or it can be managed centrally using Panorama, the Palo Alto Networks centralized security management system. If you have six or more firewalls deployed in your network, use Panorama to achieve the following benefits:

  - Reduce the complexity and administrative overhead in managing configuration, policies, software and dynamic content updates. Using device groups and templates on Panorama, you can effectively manage firewall-specific configuration locally on a firewall and enforce shared policies across all firewalls or device groups.
  - Aggregate data from all managed firewalls and gain visibility across all the traffic on your network. The Application Command Center (ACC) on Panorama provides a single glass pane for unified reporting across all the firewalls, allowing you to centrally analyze, investigate and report on network traffic, security incidents and administrative modifications.

The procedures that follow describe how to manage the firewall using the local web interface. If you want to use Panorama for centralized management, first Perform Initial Configuration and verify that the firewall can establish a connection to Panorama. From that point on you can use Panorama to configure your firewall centrally.

Perform Initial Configuration

By default, the firewall has an IP address of 192.168.1.1 and a username/password of admin/admin. For security reasons, you must change these settings before continuing with other firewall configuration tasks. You must perform these initial configuration tasks either from the MGT interface, even if you do not plan to use this interface for your firewall management, or using a direct serial connection to the console port on the firewall.

Set Up Network Access to the Firewall

Step 1: Gather the required information from your network administrator.
  - IP address for MGT port
  - Netmask
  - Default gateway
  - DNS server address

Step 2: Connect your computer to the firewall. You can connect to the firewall in one of the following ways:
  - Connect a serial cable from your computer to the Console port and connect to the firewall using terminal emulation software (9600-8-N-1). Wait a few minutes for the boot-up sequence to complete; when the firewall is ready, the prompt changes to the name of the firewall, for example PA-500 login.
  - Connect an RJ-45 Ethernet cable from your computer to the MGT port on the firewall. From a browser, go to https://192.168.1.1. Note that you may need to change the IP address on your computer to an address in the 192.168.1.0/24 network, such as 192.168.1.2, in order to access this URL.

Step 3: When prompted, log in to the firewall. You must log in using the default username and password (admin/admin). The firewall will begin to initialize.

Step 4: Configure the MGT interface.
  1. Select Device > Setup > Management and edit the Management Interface Settings.
  2. Configure the address settings for the MGT interface using one of the following methods:
     - To configure static IP address settings for the MGT interface, set the IP Type to Static and enter the IP Address, Netmask, and Default Gateway.
     - To dynamically configure the MGT interface address settings, set the IP Type to DHCP. To use this method, you must Configure the Management Interface as a DHCP Client.
     Note: To prevent unauthorized access to the management interface, it is a best practice to Add the Permitted IP Addresses from which an administrator can access the MGT interface.
  3. Set the Speed to auto-negotiate.
  4. Select which management services to allow on the interface.
     Note: Make sure Telnet and HTTP are not selected because these services use plaintext and are not as secure as the other services and could compromise administrator credentials.
  5. Click OK.

Step 5: Configure DNS, update server, and proxy server settings.
  Note: You must manually configure at least one DNS server on the firewall or it will not be able to resolve hostnames; it will not use DNS server settings from another source, such as an ISP.
  1. Select Device > Setup > Services.
     - For multi-virtual system platforms, select Global and edit the Services section.
     - For single virtual system platforms, edit the Services section.
  2. On the Services tab, for DNS, click one of the following:
     - Servers: Enter the Primary DNS Server address and Secondary DNS Server address.
     - DNS Proxy Object: From the drop-down, select the DNS Proxy that you want to use to configure global DNS services, or click DNS Proxy to configure a new DNS proxy object.
  3. Click OK.

Step 6: Configure date and time (NTP) settings.
  1. Select Device > Setup > Services.
     - For multi-virtual system platforms, select Global and edit the Services section.
     - For single virtual system platforms, edit the Services section.
  2. On the NTP tab, to use the virtual cluster of time servers on the Internet, enter the hostname pool.ntp.org as the Primary NTP Server or enter the IP address of your primary NTP server.
  3. (Optional) Enter a Secondary NTP Server address.
  4. (Optional) To authenticate time updates from the NTP server(s), for Authentication Type, select one of the following for each server:
     - None (Default): Disables NTP authentication.
     - Symmetric Key: Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
       Key ID: Enter the Key ID (1-65534).
       Algorithm: Select the algorithm to use in NTP authentication (MD5 or SHA1).
     - Autokey: Firewall uses autokey (public key cryptography) to authenticate time updates.
  5. Click OK.
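The symmetric-key option in Step 6 is what lets the firewall reject time updates that were not produced by a server holding the shared secret. The following added example (not code from this guide or from PAN-OS) shows the mechanism as defined in RFC 5905, Appendix A: the server appends a MAC consisting of the 32-bit Key ID followed by an MD5 or SHA-1 digest of the shared key concatenated with the NTP header, and the receiver recomputes that digest with the key it holds for that ID. The key table, key ID and packet fields are constructed for the example; a tampered reply and an unauthenticated reply are both shown being refused.

```python
"""Symmetric-key NTP authentication (RFC 5905, Appendix A), stand-alone
illustration. The MAC is key_id (4 bytes) + digest(shared_key || header);
the digest is a keyed hash, not HMAC. Key table and packets are constructed."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48                   # fixed NTPv4 header, RFC 5905 Figure 8
DIGEST_LEN = {"md5": 16, "sha1": 20}  # the two algorithms the guide offers

# Constructed key table: key ID -> shared secret (PAN-OS Key ID range is 1-65534).
NTP_KEYS = {42: b"example-shared-secret-not-for-production"}


def build_ntp_header(stratum=2, poll=6, precision=-20, ref_id=b"GPS\x00", tx_ts=0):
    """Pack a minimal NTPv4 server reply header (LI=0, VN=4, mode=4)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, stratum, poll, precision,
                       0, 0, ref_id, 0, 0, 0, tx_ts)


def ntp_mac(key_id, key, header, algorithm="md5"):
    """Key ID followed by digest(key || header), as the server would append it."""
    digest = hashlib.new(algorithm, key + header).digest()
    return struct.pack("!I", key_id) + digest


def sign_packet(header, key_id, key, algorithm="md5"):
    return header + ntp_mac(key_id, key, header, algorithm)


def verify_packet(packet, keys):
    """Decide as an authenticating client would; returns (accepted, reason)."""
    if len(packet) < NTP_HEADER_LEN:
        return False, "truncated packet"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if len(mac) not in (4 + DIGEST_LEN["md5"], 4 + DIGEST_LEN["sha1"]):
        # With authentication configured, a reply without a MAC is dropped.
        return False, "no MAC"
    key_id = struct.unpack("!I", mac[:4])[0]
    digest = mac[4:]
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id
    algorithm = "md5" if len(digest) == DIGEST_LEN["md5"] else "sha1"
    expected = hashlib.new(algorithm, key + header).digest()
    if not hmac.compare_digest(expected, digest):   # constant-time comparison
        return False, "bad MAC (packet or key mismatch)"
    return True, "ok"


def demo():
    """Reasons for a good reply, a reply altered in transit, and an unsigned reply."""
    header = build_ntp_header(tx_ts=0xE300000000000000)
    good = sign_packet(header, 42, NTP_KEYS[42])
    # Flip one bit of the transmit timestamp (byte 47): the MAC no longer matches.
    tampered = good[:47] + bytes([good[47] ^ 0x01]) + good[48:]
    return (verify_packet(good, NTP_KEYS)[1],
            verify_packet(tampered, NTP_KEYS)[1],
            verify_packet(header, NTP_KEYS)[1])


if __name__ == "__main__":
    print(demo())
```

Both ends must hold the same Key ID and secret, which is why the guide asks you to enter the Key ID and algorithm per server; a reply that arrives with a Key ID the firewall does not know is refused just like one with a wrong digest.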

Step 7: (Optional) Configure general firewall settings as needed.
  1. Select Device > Setup > Management and edit the General Settings.
  2. Enter a Hostname for the firewall and enter your network Domain name. The domain name is just a label; it will not be used to join the domain.
  3. Enter Login Banner text that informs users who are about to log in that they require authorization to access the firewall management functions.
     Note: As a best practice, avoid using welcoming verbiage. Additionally, you should ask your legal department to review the banner message to ensure it adequately warns that unauthorized access is prohibited.
  4. Enter the Latitude and Longitude to enable accurate placement of the firewall on the world map.
  5. Click OK.

Step 8: Set a secure password for the admin account.
  1. Select Device > Administrators.
  2. Select the admin role.
  3. Enter the current default password and the new password.
  4. Click OK to save your settings.

Step 9: Commit your changes. Click Commit at the top right of the web interface. The firewall can take up to 90 seconds to save your changes.
  Note: When the configuration changes are saved, you lose connectivity to the web interface because the IP address has changed.

Step 10: Connect the firewall to your network.
  1. Disconnect the firewall from your computer.
  2. Connect the MGT port to a switch port on your management network using an RJ-45 Ethernet cable. Make sure that the switch port you cable the firewall to is configured for autonegotiation.

Step 11: Open an SSH management session to the firewall. Using terminal emulation software, such as PuTTY, launch an SSH session to the firewall using the new IP address you assigned to it.

Step 12: Verify network access to external services required for firewall management, such as the Palo Alto Networks Update Server. You can do this in one of the following ways:
  - If you do not want to allow external network access to the MGT interface, you will need to set up a data port to retrieve required service updates. Continue to Set Up Network Access for External Services.
  - If you do plan to allow external network access to the MGT interface, verify that you have connectivity and then proceed to Register the Firewall and Activate Licenses and Subscriptions.

  If you cabled your MGT port for external network access, verify that you have access to and from the firewall by using the ping utility from the CLI. Make sure you have connectivity to the default gateway, DNS server, and the Palo Alto Networks Update Server as shown in the following example:

    admin@PA-200> ping host updates.paloaltonetworks.com
    PING updates.paloaltonetworks.com (67.192.236.252) 56(84) bytes of data.
    64 bytes from 67.192.236.252 : icmp_seq=1 ttl=243 time=40.5 ms
    64 bytes from 67.192.236.252 : icmp_seq=1 ttl=243 time=53.6 ms
    64 bytes from 67.192.236.252 : icmp_seq=1 ttl=243 time=79.5 ms

  After you have verified connectivity, press Ctrl+C to stop the pings.

Set Up Network Access for External Services

By default, the firewall uses the MGT interface to access remote services, such as DNS servers, content updates, and license retrieval. If you do not want to enable external network access to your management network, you must set up an in-band data port to provide access to required external services and set up service routes to instruct the firewall what port to use to access the external services.

Note: This task requires familiarity with firewall interfaces, zones, and policies. For more information on these topics, see Configure Interfaces and Zones and Set Up a Basic Security Policy.

Set Up a Data Port for Access to External Services

Step 1: Decide which port you want to use for access to external services and connect it to your switch or router port. The interface you use must have a static IP address.

Step 2: Log in to the web interface. Using a secure connection (https) from your web browser, log in using the new IP address and password you assigned during initial configuration (https://<IP address>). You will see a certificate warning; that is okay. Continue to the web page.

Step 3: (Optional) The firewall comes preconfigured with a default virtual wire interface between ports Ethernet 1/1 and Ethernet 1/2 (and a corresponding default security policy and zones). If you do not plan to use this virtual wire configuration, you must manually delete the configuration to prevent it from interfering with other interface settings you define. You must delete the configuration in the following order:
  1. To delete the default security policy, select Policies > Security, select the rule, and click Delete.
  2. To delete the default virtual wire, select Network > Virtual Wires, select the virtual wire and click Delete.
  3. To delete the default trust and untrust zones, select Network > Zones, select each zone and click Delete.
  4. To delete the interface configurations, select Network > Interfaces and then select each interface (ethernet1/1 and ethernet1/2) and click Delete.
  5. Commit the changes.

Step 4: Configure the interface you plan to use for external access to management services.
  1. Select Network > Interfaces and select the interface that corresponds to the port you cabled in Step 1.
  2. Select the Interface Type. Although your choice here depends on your network topology, this example shows the steps for Layer3.
  3. On the Config tab, expand the Security Zone drop-down and select New Zone.
  4. In the Zone dialog, enter a Name for the new zone, for example Management, and then click OK.
  5. Select the IPv4 tab, select the Static radio button, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.1.254/24. You must use a static IP address on this interface.
  6. Select Advanced > Other Info, expand the Management Profile drop-down, and select New Management Profile.
  7. Enter a Name for the profile, such as allow_ping, and then select the services you want to allow on the interface. For the purposes of allowing access to the external services, you probably only need to enable Ping and then click OK.
     Note: These services provide management access to the firewall, so only select the services that correspond to the management activities you want to allow on this interface. For example, if you plan to use the MGT interface for firewall configuration tasks through the web interface or CLI, you would not want to enable HTTP, HTTPS, SSH, or Telnet so that you could prevent unauthorized access through this interface (and if you did allow those services, you should limit access to a specific set of Permitted IP Addresses). For details, see Use Interface Management Profiles to Restrict Access.
  8. To save the interface configuration, click OK.
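Step 4 of Perform Initial Configuration (no Telnet or HTTP on MGT, Permitted IP Addresses set) and Step 4 above (an interface management profile that enables only what the data port needs, with Permitted IP Addresses whenever a management service is on) are the kind of settings that drift after the initial build. The following added example, not code from this guide or from PAN-OS, audits an exported XML configuration for exactly those points. The element names (deviceconfig/system/service with disable-telnet and disable-http, deviceconfig/system/permitted-ip, and network/profiles/interface-management-profile entries) mirror the firewall's XML as understood by the author of this example and should be treated as an assumption to check against a real export; the sample configuration is constructed.

```python
"""Audit a PAN-OS style XML export for the management-access points this
chapter calls out. Stand-alone example; element layout is an assumption
modelled on the firewall's exported configuration, sample is constructed."""
import xml.etree.ElementTree as ET

PLAINTEXT = ("telnet", "http")                      # warned against in Step 4
MGMT_SERVICES = ("http", "https", "ssh", "telnet")  # management-plane services

# Constructed sample: weak MGT settings plus three interface management profiles.
SAMPLE_CONFIG = """
<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <service>
        <disable-telnet>no</disable-telnet>
        <disable-http>no</disable-http>
        <disable-https>no</disable-https>
        <disable-ssh>no</disable-ssh>
      </service>
      <permitted-ip/>
    </system></deviceconfig>
    <network><profiles><interface-management-profile>
      <entry name="allow_ping"><ping>yes</ping></entry>
      <entry name="mgmt-on-data-port">
        <https>yes</https><ssh>yes</ssh><telnet>yes</telnet>
      </entry>
      <entry name="locked-down">
        <https>yes</https>
        <permitted-ip><entry name="10.1.1.0/24"/></permitted-ip>
      </entry>
    </interface-management-profile></profiles></network>
  </entry></devices>
</config>
"""


def _is_yes(parent, tag):
    child = parent.find(tag)
    return child is not None and (child.text or "").strip() == "yes"


def audit_mgt_interface(root):
    """Findings for Device > Setup > Management (the MGT port)."""
    findings = []
    system = root.find(".//deviceconfig/system")
    if system is None:
        return ["MGT: no deviceconfig/system section found"]
    service = system.find("service")
    for svc in PLAINTEXT:
        # Assumed layout: a service stays on unless <disable-X>yes</disable-X> is set.
        if service is None or not _is_yes(service, "disable-" + svc):
            findings.append("MGT: %s enabled (plaintext service)" % svc)
    if not system.findall("permitted-ip/entry"):
        findings.append("MGT: no Permitted IP Addresses configured")
    return findings


def audit_interface_profiles(root):
    """Findings for each interface management profile attached to data ports."""
    findings = []
    for prof in root.findall(".//interface-management-profile/entry"):
        name = prof.get("name")
        enabled = [s for s in MGMT_SERVICES if _is_yes(prof, s)]
        for svc in enabled:
            if svc in PLAINTEXT:
                findings.append("profile %s: %s enabled (plaintext service)" % (name, svc))
        if enabled and not prof.findall("permitted-ip/entry"):
            findings.append("profile %s: %s enabled without Permitted IP Addresses"
                            % (name, ", ".join(enabled)))
    return findings


def audit(config_xml):
    """Return all findings; an empty list means the checked settings are in order."""
    root = ET.fromstring(config_xml.strip())
    return audit_mgt_interface(root) + audit_interface_profiles(root)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

A profile such as allow_ping, which enables only Ping, produces no finding, and a profile that enables HTTPS but restricts it with Permitted IP Addresses is also accepted; the findings point at the MGT port and at the profile that turns on HTTPS, SSH and Telnet with no address restriction.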

Step 5: Configure the service routes. By default, the firewall uses the MGT interface to access the external services it requires. To change the interface the firewall uses to send requests to external services, you must edit the service routes.
  Note: This example shows how to set up global service routes. For information on setting up network access to external services on a virtual system basis rather than a global basis, see Per-Virtual System Service Routes.
  1. Select Device > Setup > Services > Global and click Service Route Configuration.
     Note: For the purposes of activating your licenses and getting the most recent content and software updates, you will want to change the service route for DNS, Palo Alto Updates, URL Updates, WildFire, and AutoFocus.
  2. Click the Customize radio button, and select one of the following:
     - For a predefined service, select IPv4 or IPv6 and click the link for the service for which you want to modify the Source Interface and select the interface you just configured. If more than one IP address is configured for the selected interface, the Source Address drop-down allows you to select an IP address.
     - To create a service route for a custom destination, select Destination, and click Add. Enter a Destination name and select a Source Interface. If more than one IP address is configured for the selected interface, the Source Address drop-down allows you to select an IP address.
  3. Click OK to save the settings.
  4. Repeat steps 2-3 above for each service route you want to modify.
  5. Commit your changes.

Step 6: Configure an external-facing interface and an associated zone and then create a security policy rule to allow the firewall to send service requests from the internal zone to the external zone.
  1. Select Network > Interfaces and then select the external-facing interface. Select Layer3 as the Interface Type, Add the IP address (on the IPv4 or IPv6 tab), and create the associated Security Zone (on the Config tab), such as Internet. This interface must have a static IP address; you do not need to set up management services on this interface.
  2. To set up a security rule that allows traffic from your internal network to the Palo Alto Networks update server, select Policies > Security and click Add.
     Note: As a best practice when creating Security policy rules, use application-based rules instead of port-based rules to ensure that you are accurately identifying the underlying application regardless of the port, protocol, evasive tactics, or encryption in use. Always leave the Service set to application-default. In this case, create a security policy rule that allows access to the update server (and other Palo Alto Networks services).

SetUpaDataPortforAccesstoExternalServices(Continued)

Step7 CreateaNATpolicyrule. 1. IfyouareusingaprivateIPaddressontheinternalfacing


interface,youwillneedtocreateasourceNATruleto
translatetheaddresstoapubliclyroutableaddress.Select
Policies > NATandthenclickAdd.Ataminimumyoumust
defineanamefortherule(Generaltab),specifyasourceand
destinationzone,ManagementtoInternetinthiscase
(Original Packettab),anddefinethesourceaddress
translationsettings(Translated Packettab)andthenclickOK.
2. Commityourchanges.

Step 8: Verify that you have connectivity from the data port to the external services, including the default gateway and the Palo Alto Networks Update Server. After you verify you have the required network connectivity, continue to Register the Firewall and Activate Licenses and Subscriptions.
  Launch the CLI and use the ping utility to verify that you have connectivity. Keep in mind that by default pings are sent from the MGT interface, so in this case you must specify the source interface for the ping requests as follows:

    admin@PA-500> ping source 192.168.1.254 host updates.paloaltonetworks.com
    PING updates.paloaltonetworks.com (67.192.236.252) from 192.168.1.254 : 56(84) bytes of data.
    64 bytes from 67.192.236.252: icmp_seq=1 ttl=242 time=56.7 ms
    64 bytes from 67.192.236.252: icmp_seq=2 ttl=242 time=47.7 ms
    64 bytes from 67.192.236.252: icmp_seq=3 ttl=242 time=47.6 ms
    ^C

  After you have verified connectivity, press Ctrl+C to stop the pings.

Register the Firewall

Before you can activate support and other licenses and subscriptions, you must first register the firewall.

If you are registering a VM-Series firewall, refer to the VM-Series Deployment Guide.

Register the Firewall

Step 1: Log in to the web interface.
  Using a secure connection (https) from your web browser, log in using the new IP address and password you assigned during initial configuration (https://<IP address>).

Step 2: Locate your serial number and copy it to the clipboard.
  On the Dashboard, locate your Serial Number in the General Information section of the screen.

Step 3: Go to the Palo Alto Networks Customer Support portal and log in.
  In a new browser tab or window, go to https://www.paloaltonetworks.com/support/tabs/overview.html.

Step 4: Register the firewall.
  You must have a support account to register a firewall. If you do not yet have a support account, click the Register link on the support login page and follow the instructions to get your account set up and register the firewall.
  If you already have a support account, log in and register the hardware-based firewall as follows:
  1. Select Assets > Devices.
  2. Click Register New Device.
  3. Select Register device using Serial Number or Authorization Code and click Submit.
  4. Enter the firewall Serial Number (you can copy and paste it from the firewall Dashboard).
  5. (Optional) Enter the Device Name and Device Tag.
  6. Provide information about where you plan to deploy the firewall, including the City, Postal Code, and Country.
  7. Read the end user license agreement (EULA) and then click Agree and Submit.

Activate Licenses and Subscriptions

Before you can start using your firewall to secure the traffic on your network, you must activate the licenses for each of the services you purchased. Available licenses and subscriptions include the following:
- Threat Prevention: Provides antivirus, anti-spyware, and vulnerability protection.
- Decryption Mirroring: Provides the ability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures, such as NetWitness or Solera, for archiving and analysis.
- URL Filtering: Allows you to create security policy to enforce web access based on dynamic URL categories. You must purchase and install a subscription for one of the supported URL filtering databases: PAN-DB or BrightCloud. With PAN-DB, you can set up access to the PAN-DB public cloud or to the PAN-DB private cloud. For more information about URL filtering, see Control Access to Web Content.
- Virtual Systems: This license is required to enable support for multiple virtual systems on PA-2000 and PA-3000 Series firewalls. In addition, you must purchase a Virtual Systems license if you want to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls (the base number varies by platform). The PA-500, PA-200, and VM-Series firewalls do not support virtual systems.
- WildFire: Although basic WildFire support is included as part of the Threat Prevention license, the WildFire subscription service provides enhanced services for organizations that require immediate coverage for threats, frequent WildFire signature updates, advanced file type forwarding (APK, PDF, Microsoft Office, and Java Applet), as well as the ability to upload files using the WildFire API. A WildFire subscription is also required if your firewalls will be forwarding files to a WF-500 appliance.
- GlobalProtect: Provides mobility solutions and/or large-scale VPN capabilities. By default, you can deploy GlobalProtect portals and gateways (without HIP checks) without a license. If you want to use HIP checks, you will also need gateway licenses (subscription) for each gateway.
- AutoFocus: Provides a graphical analysis of firewall traffic logs and identifies potential risks to your network using threat intelligence from the AutoFocus portal. With an active license, you can also open an AutoFocus search based on logs recorded on the firewall.

Activate Licenses and Subscriptions

Step 1: Locate the activation codes for the licenses you purchased.
  When you purchased your subscriptions you should have received an email from Palo Alto Networks customer service listing the activation code associated with each subscription. If you cannot locate this email, contact Customer Support to obtain your activation codes before you proceed.

Step 2: Activate your Support license.
  You will not be able to update your PAN-OS software if you do not have a valid Support license.
  1. Log in to the web interface and then select Device > Support.
  2. Click Activate support using authorization code.
  3. Enter your Authorization Code and then click OK.

Step 3: Activate each license you purchased.
  Select Device > Licenses and then activate your licenses and subscriptions in one of the following ways:
  - Retrieve license keys from license server: Use this option if you activated your license on the Customer Support portal.
  - Activate feature using authorization code: Use this option to enable purchased subscriptions using an authorization code for licenses that have not been previously activated on the support portal. When prompted, enter the Authorization Code and then click OK.
  - Manually upload license key: Use this option if your firewall does not have connectivity to the Palo Alto Networks Customer Support website. In this case, you must download a license key file from the support site on an Internet-connected computer and then upload it to the firewall.

Step 4: Verify that the license was successfully activated.
  On the Device > Licenses page, verify that the license was successfully activated. For example, after activating the WildFire license, you should see that the license is valid.

Step 5: (WildFire subscriptions only) Perform a commit to complete WildFire subscription activation.
  After activating a WildFire subscription, a commit is required for the firewall to begin forwarding advanced file types. You should either:
  - Commit any pending changes.
  - Check that the WildFire Analysis profile rules include the advanced file types that are now supported with the WildFire subscription. If no change to any of the rules is required, make a minor edit to a rule description and perform a commit.

Install Content and Software Updates

In order to stay ahead of the changing threat and application landscape, Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to Palo Alto Networks firewalls. The firewalls access the web resources in the CDN to perform various App-ID and Content-ID functions. By default, the firewalls use the management port to access the CDN infrastructure for application updates, threat and antivirus signature updates, BrightCloud and PAN-DB database updates and lookups, and access to the Palo Alto Networks WildFire cloud. To ensure that you are always protected from the latest threats (including those that have not yet been discovered), you must ensure that you keep your firewalls up to date with the latest content and software updates published by Palo Alto Networks.
The following content updates are available, depending on which subscriptions you have:

  Although you can manually download and install content updates at any time, as a best practice you should Schedule each content update. Scheduled updates occur automatically.

- Antivirus: Includes new and updated antivirus signatures, including signatures discovered by the WildFire cloud service. You must have a Threat Prevention subscription to get these updates. New antivirus signatures are published daily.
- Applications: Includes new and updated application signatures. This update does not require any additional subscriptions, but it does require a valid maintenance/support contract. New application updates are published weekly. To review the policy impact of new application updates, see Manage New App-IDs Introduced in Content Releases.
- Applications and Threats: Includes new and updated application and threat signatures. This update is available if you have a Threat Prevention subscription (and you get it instead of the Applications update). New Applications and Threats updates are published weekly. To review the policy impact of new application updates, see Manage New App-IDs Introduced in Content Releases.
- GlobalProtect Data File: Contains the vendor-specific information for defining and evaluating host information profile (HIP) data returned by GlobalProtect agents. You must have a GlobalProtect gateway license and create an update schedule in order to receive these updates.
- BrightCloud URL Filtering: Provides updates to the BrightCloud URL Filtering database only. You must have a BrightCloud subscription to get these updates. New BrightCloud URL database updates are published daily. If you have a PAN-DB license, scheduled updates are not required as firewalls remain in sync with the servers automatically.
- WildFire: Provides near-real-time malware and antivirus signatures created as a result of the analysis done by the WildFire cloud service. Without the subscription, you must wait 24 to 48 hours for the signatures to roll into the Applications and Threats update.

Install Content and Software Updates

Step 1: Ensure that the firewall has access to the update server.
  1. By default, the firewall accesses the Update Server at updates.paloaltonetworks.com so that the firewall receives content updates from the server to which it is closest in the CDN infrastructure. If the firewall has restricted access to the Internet, set the update server address to use the hostname staticupdates.paloaltonetworks.com or the IP address 199.167.52.15 instead of dynamically selecting a server from the CDN infrastructure.
  2. (Optional) Click Verify Update Server Identity for an extra level of validation to enable the firewall to check that the server's SSL certificate is signed by a trusted authority.
  3. (Optional) If the firewall needs to use a proxy server to reach Palo Alto Networks update services, in the Proxy Server window, enter:
     - Server: IP address or hostname of the proxy server.
     - Port: Port for the proxy server. Range: 1-65535.
     - User: Username to access the server.
     - Password: Password for the user to access the proxy server. Re-enter the password at Confirm Password.

Step 2: Check for the latest content updates.
  Select Device > Dynamic Updates and click Check Now (located in the lower left-hand corner of the window) to check for the latest updates. The link in the Action column indicates whether an update is available:
  - Download: Indicates that a new update file is available. Click the link to begin downloading the file directly to the firewall. After successful download, the link in the Action column changes from Download to Install.

    You cannot download the antivirus update until you have installed the Applications and Threats update.

  - Upgrade: Indicates that a new version of the BrightCloud database is available. Click the link to begin the download and installation of the database. The database upgrade begins in the background; when completed, a check mark displays in the Currently Installed column. Note that if you are using PAN-DB as your URL filtering database you will not see an upgrade link because the PAN-DB database on the firewall automatically synchronizes with the PAN-DB cloud.

    To check the status of an action, click Tasks (on the lower right-hand corner of the window).

  - Revert: Indicates that a previously installed version of the content or software version is available. You can choose to revert to the previously installed version.

Step 3: Install the content updates.
  Installation can take up to 20 minutes on a PA-200, PA-500, or PA-2000 Series firewall and up to two minutes on a PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7000 Series, or VM-Series firewall.
  Click the Install link in the Action column. When the installation completes, a check mark displays in the Currently Installed column.

Step 4: Schedule each content update.
  Repeat this step for each update you want to schedule.
  Stagger the update schedules because the firewall can only download one update at a time. If you schedule the updates to download during the same time interval, only the first download will succeed.
  1. Set the schedule of each update type by clicking the None link.
  2. Specify how often you want the updates to occur by selecting a value from the Recurrence drop-down. The available values vary by content type (WildFire updates are available Every Minute, Every 15 Minutes, Every 30 minutes, or Every Hour, whereas Applications and Threats updates can be scheduled for Daily or Weekly update and Antivirus updates can be scheduled for Hourly, Daily, or Weekly).
     As new WildFire signatures are made available every five minutes, set the firewall to retrieve WildFire updates Every Minute to get the latest signatures within a minute of availability.
  3. Specify the Time (or, in the case of WildFire, the minutes past the hour) and, if applicable for the Recurrence value you selected, the Day of the week that you want the updates to occur.
  4. Specify whether you want the system to Download Only or, as a best practice, Download And Install the update.
  5. Enter how long after a release to wait before performing a content update in the Threshold (Hours) field. In rare instances, errors in content updates may be found. For this reason, you may want to delay installing new updates until they have been released for a certain number of hours.
  6. Click OK to save the schedule settings.
  7. Click Commit to save the settings to the running configuration.

Step 5: Update PAN-OS.
  Always update content before updating PAN-OS. Every PAN-OS version has a minimum supported content release version.
  1. Review the Release Notes.
  2. Update the PAN-OS software.

Segment Your Network Using Interfaces and Zones

Traffic must pass through the firewall in order for the firewall to manage and control it. Physically, traffic enters and exits the firewall through interfaces. The firewall determines how to act on a packet based on whether the packet matches a Security policy rule. At the most basic level, each Security policy rule must identify where the traffic came from and where it is going. On a Palo Alto Networks next-generation firewall, Security policy rules are applied between zones. A zone is a grouping of interfaces (physical or virtual) that represents a segment of your network that is connected to, and controlled by, the firewall. Because traffic can only flow between zones if there is a Security policy rule to allow it, this is your first line of defense. The more granular the zones you create, the greater control you have over access to sensitive applications and data and the more protection you have against malware moving laterally throughout your network. For example, you might want to segment access to the database servers that store your customer data into a zone called Customer Data. You can then define security policies that only permit certain users or groups of users to access the Customer Data zone, thereby preventing unauthorized internal or external access to the data stored in that segment.
- Network Segmentation for a Reduced Attack Surface
- Configure Interfaces and Zones

Network Segmentation for a Reduced Attack Surface

The following diagram shows a very basic example of how you can create zones to segment your network. The more granular you make your zones (and the corresponding security policy rules that allow traffic between zones), the more you reduce the attack surface on your network. This is because traffic can flow freely within a zone (intrazone traffic), but traffic cannot flow between zones (interzone traffic) until you define a Security policy rule that allows it. Additionally, an interface cannot process traffic until you have assigned it to a zone. Therefore, by segmenting your network into granular zones you have more control over access to sensitive applications or data and you can prevent malicious traffic from establishing a communication channel within your network, thereby reducing the likelihood of a successful attack on your network.

Configure Interfaces and Zones

After you identify how you want to segment your network and the zones you will need to create to achieve the segmentation (as well as the interfaces to map to each zone), you can begin configuring the interfaces and zones on the firewall. Each interface on the firewall supports all Interface Deployments, and the deployment you will use depends on the topology of each part of the network you are connecting to. The following workflow shows how to configure Layer 3 interfaces and assign them to zones. For details on integrating the firewall using a different type of interface deployment (for example, Virtual Wire Deployments or Layer 2 Deployments), see Networking.

  The firewall comes preconfigured with a default virtual wire interface between ports Ethernet 1/1 and Ethernet 1/2 (and a corresponding default security policy and virtual router). If you do not plan to use the default virtual wire, you must manually delete the configuration and commit the change before proceeding to prevent it from interfering with other settings you define. For instructions on how to delete the default virtual wire and its associated security policy and zones, see Step 3 in Set Up a Data Port for Access to External Services.

Set Up Interfaces and Zones

Step 1: Configure a default route to your Internet router.
  1. Select Network > Virtual Router and then select the default link to open the Virtual Router dialog.
  2. Select the Static Routes tab and click Add. Enter a Name for the route and enter the route in the Destination field (for example, 0.0.0.0/0).
  3. Select the IP Address radio button in the Next Hop field and then enter the IP address and netmask for your Internet gateway (for example, 203.0.113.1).
  4. Click OK twice to save the virtual router configuration.

Step 2: Configure the external interface (the interface that connects to the Internet).
  1. Select Network > Interfaces and then select the interface you want to configure. In this example, we are configuring Ethernet 1/16 as the external interface.
  2. Select the Interface Type. Although your choice here depends on interface topology, this example shows the steps for Layer3.
  3. On the Config tab, select New Zone from the Security Zone drop-down. In the Zone dialog, define a Name for the new zone, for example Internet, and then click OK.
  4. In the Virtual Router drop-down, select default.
  5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 203.0.113.23/24.
  6. To enable you to ping the interface, select Advanced > Other Info, expand the Management Profile drop-down, and select New Management Profile. Enter a Name for the profile, select Ping, and then click OK.
  7. To save the interface configuration, click OK.

Step 3: Configure the interface that connects to your internal network.
  In this example, the interface connects to a network segment that uses private IP addresses. Because private IP addresses cannot be routed externally, you will have to configure NAT.
  1. Select Network > Interfaces and select the interface you want to configure. In this example, we are configuring Ethernet 1/15 as the internal interface our users connect to.
  2. Select Layer3 as the Interface Type.
  3. On the Config tab, expand the Security Zone drop-down and select New Zone. In the Zone dialog, define a Name for the new zone, for example Users, and then click OK.
  4. Select the same Virtual Router you used in Step 2, default in this example.
  5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.1.4/24.
  6. To enable you to ping the interface, select the management profile that you created in Step 2-6.
  7. To save the interface configuration, click OK.

Step 4: Configure the interface that connects to your data center applications.
  Although this basic security policy example configuration depicts using a single zone for all of your data center applications, as a best practice you would want to define more granular zones to prevent unauthorized access to sensitive applications or data and eliminate the possibility of malware moving laterally within your data center.
  1. Select the interface you want to configure.
  2. Select Layer3 from the Interface Type drop-down. In this example, we are configuring Ethernet 1/1 as the interface that provides access to your data center applications.
  3. On the Config tab, expand the Security Zone drop-down and select New Zone. In the Zone dialog, define a Name for the new zone, for example Data Center Applications, and then click OK.
  4. Select the Virtual Router you used in Step 2, default in this example.
  5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.1.1.1/24.
  6. To enable you to ping the interface, select the management profile that you created in Step 2-6.
  7. To save the interface configuration, click OK.

Step 5: (Optional) Create tags for each zone.
  Tags allow you to visually scan policy rules.
  1. Select Objects > Tags and Add.
  2. Select a zone Name.
  3. Select a tag Color and click OK.

Step 6: Save the interface configuration.
  Click Commit.

Step 7: Cable the firewall.
  Attach straight-through cables from the interfaces you configured to the corresponding switch or router on each network segment.

Step 8: Verify that the interfaces are active.
  Select Dashboard and verify that the interfaces you configured show as green in the Interfaces widget.

Set Up a Basic Security Policy

Now that you have defined some zones and attached them to interfaces, you are ready to begin creating your Security Policy. The firewall will not allow any traffic to flow from one zone to another unless there is a Security policy rule to allow it. When a packet enters a firewall interface, the firewall matches the attributes in the packet against the Security policy rules to determine whether to block or allow the session based on attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service. The firewall evaluates incoming traffic against the security policy rulebase from left to right and from top to bottom and then takes the action specified in the first security rule that matches (for example, whether to allow, deny, or drop the packet). This means that you must order the rules in your security policy rulebase so that more specific rules are at the top of the rulebase and more general rules are at the bottom to ensure that the firewall is enforcing policy as expected.
The following workflow shows how to set up a very basic Internet gateway security policy that enables access to the network infrastructure, to data center applications, and to the Internet. This will enable you to get the firewall up and running so that you can verify that you have successfully configured the firewall. This policy is not comprehensive enough to protect your network. After you verify that you have successfully configured the firewall and integrated it into your network, proceed to Policy to learn how to create a Best Practice Internet Gateway Security Policy that will safely enable application access while protecting your network from attack.

Define Basic Security Policy Rules

Step 1: (Optional) Delete the default security policy rule.
  By default, the firewall includes a security rule named rule1 that allows all traffic from Trust zone to Untrust zone. You can either delete the rule or modify the rule to reflect your zone-naming conventions.

Step 2: Create the File Blocking profiles you will need to prevent upload/download of malicious files and for drive-by download protection.
  1. Configure a File Blocking profile for general use. You will attach this profile to most of your security profiles to block files known to carry threats or that have no real business use for upload/download.
  2. Configure a File Blocking profile for risky traffic. You will attach this profile to security policy rules that allow general web access to prevent users from unknowingly downloading malicious files from the Internet.

Step 3: Allow access to your network infrastructure resources.
  1. Select Policies > Security and click Add.
  2. Enter a descriptive Name for the rule in the General tab.
  3. In the Source tab, set the Source Zone to Users.
  4. In the Destination tab, set the Destination Zone to IT Infrastructure.
     As a best practice, consider using address objects in the Destination Address field to enable access to specific servers or groups of servers only, particularly for services such as DNS and SMTP that are commonly exploited. By restricting users to specific destination server addresses you can prevent data exfiltration and command-and-control traffic from establishing communication through techniques such as DNS tunneling.
  5. In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select dns, ntp, ocsp, ping, smtp.
  6. In the Service/URL Category tab, keep the Service set to application-default.
  7. In the Actions tab, set the Action Setting to Allow.
  8. Select Profiles as the Profile Type. Select the default profiles for Antivirus and URL Filtering and the strict profiles for Vulnerability Protection and Anti-Spyware, and select the File Blocking profile you configured for general traffic.
  9. Verify that Log at Session End is enabled. Only traffic that matches a security rule will be logged.
  10. Click OK.

Step 4: Enable access to general Internet applications.
  This is a temporary rule that allows you to gather information about the traffic on your network. After you have more insight into what applications your users need access to, you can make informed decisions about what applications to allow and create more granular application-based rules for each user group.
  1. Select Policies > Security and click Add.
  2. Enter a descriptive Name for the rule in the General tab.
  3. In the Source tab, set the Source Zone to Users.
  4. In the Destination tab, set the Destination Zone to Internet.
  5. In the Applications tab, Add an Application Filter and enter a Name. To safely enable access to legitimate web-based applications, set the Category in the application filter to general-internet and then click OK. To enable access to encrypted sites, Add the ssl application.
  6. In the Service/URL Category tab, keep the Service set to application-default.
  7. In the Actions tab, set the Action Setting to Allow.
  8. Select Profiles as the Profile Type. Select the default profiles for Antivirus and URL Filtering and the strict profiles for Vulnerability Protection and Anti-Spyware, and select the File Blocking strict profile you configured for risky traffic.
  9. Verify that Log at Session End is enabled. Only traffic that matches a security rule will be logged.
  10. Click OK.

Step 5: Enable access to data center applications.
  1. Select Policies > Security and click Add.
  2. Enter a descriptive Name for the rule in the General tab.
  3. In the Source tab, set the Source Zone to Users.
  4. In the Destination tab, set the Destination Zone to Data Center Applications.
  5. In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select activesync, imap, kerberos, ldap, ms-exchange, and ms-lync.
  6. In the Service/URL Category tab, keep the Service set to application-default.
  7. In the Actions tab, set the Action Setting to Allow.
  8. Select Profiles as the Profile Type. Select the default profiles for Antivirus and URL Filtering and the strict profiles for Vulnerability Protection and Anti-Spyware, and select the File Blocking profile you configured for general traffic.
  9. Verify that Log at Session End is enabled. Only traffic that matches a security rule will be logged.
  10. Click OK.

Step 6: Save your policies to the running configuration on the firewall.
  Click Commit.

Step 7: To verify that you have set up your basic policies effectively, test whether your security policy rules are being evaluated and determine which security policy rule applies to a traffic flow.
  To verify the policy rule that matches a flow, use the following CLI command:

    test security-policy-match source <IP_address> destination <IP_address> destination port <port_number> application <application_name> protocol <protocol_number>

  The output displays the best rule that matches the source and destination IP address specified in the CLI command.
  For example, to verify the policy rule that will be applied for a client in the user zone with the IP address 10.35.14.150 when it sends a DNS query to the DNS server in the data center:

    admin@PA-3050> test security-policy-match source 10.35.14.150 destination 10.43.2.2 application dns protocol 53

    "Network Infrastructure" {
            from Users;
            source any;
            source-region none;
            to Data_Center;
            destination any;
            destination-region none;
            user any;
            category any;
            application/service dns/any/any/any;
            action allow;
            icmp-unreachable: no
            terminal yes;
    }
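As an added example (not code from the guide or from Palo Alto Networks), the following Python model implements the zone-based, top-to-bottom first-match evaluation described in Set Up a Basic Security Policy and answers the same question as test security-policy-match: which rule a given flow hits. The zone subnets, the IT Infrastructure subnet, the rule names and the application-default port table are assumptions constructed for the example; the three rules mirror Steps 3 to 5.

```python
"""Evaluate a flow against a zone-based security rulebase, first match wins.

Added example; not code from the PAN-OS guide or from Palo Alto Networks.
It models what the guide describes: the flow's zones come from the interface
(subnet) the source sits on and the one the destination is routed to, rules
are evaluated top to bottom and the first match decides, interzone traffic
with no matching rule is denied, intrazone traffic is allowed implicitly,
and a Service of "application-default" only matches an application on its
standard ports. All zones, subnets, rules and ports below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

# Interface subnets from the zone workflow (Steps 2-4); anything not on a
# connected subnet follows the default route 0.0.0.0/0 into the Internet
# zone. IT Infrastructure has no interface in the guide; 10.1.2.0/24 is assumed.
ZONES = {
    "Users": ip_network("192.168.1.0/24"),
    "Data Center Applications": ip_network("10.1.1.0/24"),
    "IT Infrastructure": ip_network("10.1.2.0/24"),
}
DEFAULT_ROUTE_ZONE = "Internet"

# Constructed stand-in for App-ID's application-default port table; it only
# covers the applications exercised below.
APP_DEFAULT_PORTS = {
    "dns": {("udp", 53), ("tcp", 53)},
    "ntp": {("udp", 123)},
    "smtp": {("tcp", 25)},
    "ssl": {("tcp", 443)},
    "kerberos": {("tcp", 88), ("udp", 88)},
    "ldap": {("tcp", 389), ("udp", 389)},
    "web-browsing": {("tcp", 80)},
}
# Constructed membership of the general-internet application filter.
GENERAL_INTERNET = {"web-browsing", "ssl"}


def zone_for(ip: str) -> str:
    """Map an address to the zone of the interface it is reached through."""
    addr = ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return DEFAULT_ROUTE_ZONE


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    applications: Set[str]                 # App-IDs, or {"any"}
    action: str = "allow"
    service: str = "application-default"   # or "any"


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    app: str
    protocol: str
    dst_port: int


def rule_matches(rule: Rule, flow: Flow, src_zone: str, dst_zone: str) -> bool:
    if rule.from_zone not in ("any", src_zone):
        return False
    if rule.to_zone not in ("any", dst_zone):
        return False
    if "any" not in rule.applications and flow.app not in rule.applications:
        return False
    if rule.service == "application-default":
        # The app on a non-standard port does not match: a rule for dns does
        # not let dns through on port 8080, which is why the guide says to
        # leave Service at application-default.
        if (flow.protocol, flow.dst_port) not in APP_DEFAULT_PORTS.get(flow.app, set()):
            return False
    return True


def evaluate(rulebase: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (rule name, action); the implicit defaults apply if no rule hits."""
    src_zone, dst_zone = zone_for(flow.src_ip), zone_for(flow.dst_ip)
    for rule in rulebase:                  # top to bottom; first match is terminal
        if rule_matches(rule, flow, src_zone, dst_zone):
            return rule.name, rule.action
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# The three rules from Steps 3-5, in rulebase order (names constructed).
BASIC_POLICY = [
    Rule("Network Infrastructure", "Users", "IT Infrastructure",
         {"dns", "ntp", "ocsp", "ping", "smtp"}),
    Rule("General Internet", "Users", "Internet", GENERAL_INTERNET | {"ssl"}),
    Rule("Data Center Apps", "Users", "Data Center Applications",
         {"activesync", "imap", "kerberos", "ldap", "ms-exchange", "ms-lync"}),
]

if __name__ == "__main__":
    for f in (Flow("192.168.1.50", "10.1.2.10", "dns", "udp", 53),
              Flow("192.168.1.50", "10.1.2.10", "dns", "udp", 8080),
              Flow("192.168.1.50", "198.51.100.7", "ssl", "tcp", 443),
              Flow("192.168.1.50", "10.1.1.20", "ssh", "tcp", 22),
              Flow("192.168.1.50", "192.168.1.60", "ssh", "tcp", 22)):
        print(f, "->", evaluate(BASIC_POLICY, f))
```

Placing a broad rule above the specific ones changes the verdict for every flow it covers, which is the ordering point the text makes; the second flow shows why application-default matters even when the zones and App-ID match.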

Assess Network Traffic

Now that you have a basic security policy, you can review the statistics and data in the Application Command Center (ACC), traffic logs, and the threat logs to observe trends on your network. Use this information to identify where you need to create more granular security policy rules.

Monitor Network Traffic

Use the Application Command Center and Use the Automated Correlation Engine.
  In the ACC, review the most used applications and the high-risk applications on your network. The ACC graphically summarizes the log information to highlight the applications traversing the network, who is using them (with User-ID enabled), and the potential security impact of the content to help you identify what is happening on the network in real time. You can then use this information to create appropriate security policy rules that block unwanted applications, while allowing and enabling applications in a secure manner.
  The Compromised Hosts widget in ACC > Threat Activity displays potentially compromised hosts on your network and the logs and match evidence that corroborates the events.

Determine what updates/modifications are required for your network security policy rules and implement the changes.
  For example:
  - Evaluate whether to allow web content based on schedule, users, or groups.
  - Allow or control certain applications or functions within an application.
  - Decrypt and inspect content.
  - Allow but scan for threats and exploits.
  For information on refining your security policies and for attaching custom security profiles, see Enable Basic Threat Prevention Features.

Work with Logs.
  Specifically, view the traffic and threat logs (Monitor > Logs).

  Traffic logs are dependent on how your security policies are defined and set up to log traffic. The Application Usage widget in the ACC, however, records applications and statistics regardless of policy configuration; it shows all traffic that is allowed on your network, therefore it includes the interzone traffic that is allowed by policy and the same-zone traffic that is allowed implicitly.

View AutoFocus Threat Data for Logs.
  Review the AutoFocus intelligence summary for artifacts in your logs. An artifact is an item, property, activity, or behavior associated with logged events on the firewall. The intelligence summary reveals the number of sessions and samples in which WildFire detected the artifact. Use WildFire verdict information (benign, grayware, malware) and AutoFocus matching tags to look for potential risks in your network.
  - AutoFocus tags created by Unit 42, the Palo Alto Networks threat intelligence team, call attention to advanced, targeted campaigns and threats in your network.
  - From the AutoFocus intelligence summary, you can start an AutoFocus search for artifacts and assess their pervasiveness within global, industry, and network contexts.

Monitor Web Activity of Network Users.
  Review the URL filtering logs to scan through alerts and denied categories/URLs. URL logs are generated when traffic matches a security rule that has a URL filtering profile attached with an action of alert, continue, override, or block.

Enable Basic Threat Prevention Features

The Palo Alto Networks next-generation firewall has unique threat prevention capabilities that allow it to protect your network from attack despite the use of evasion, tunneling, or circumvention techniques. The threat prevention features on the firewall include the WildFire service, Security Profiles that support Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking and Data Filtering capabilities, the Denial of Service (DoS) and Zone protection functionality, and AutoFocus threat intelligence.
Threat Prevention contains more in-depth information on how to protect your network from threats. For details on how to scan encrypted (SSH or SSL) traffic for threats, see Decryption. Visit Applipedia and Threat Vault to learn more about the applications and threats that Palo Alto Networks products can identify, respectively.

  Before you can apply threat prevention features, you must first configure zones to identify one or more source or destination interfaces and security policy rules. To configure interfaces, zones, and the policies that are needed to apply threat prevention features, see Configure Interfaces and Zones and Set Up a Basic Security Policy.

To begin protecting your network from threats, start here:
- Enable Basic WildFire Forwarding
- Scan Traffic for Threats
- Control Access to Web Content
- Enable AutoFocus Threat Intelligence

Enable Basic WildFire Forwarding

WildFire is a cloud-based virtual environment that analyzes and executes unknown samples (files and email links) and determines the samples to be malicious, grayware, or benign. With WildFire enabled, a Palo Alto Networks firewall can forward unknown samples to WildFire for analysis. For newly discovered malware, WildFire generates a signature to detect the malware and distributes it to all firewalls with active WildFire licenses. This enables global firewalls to detect and prevent malware found by a single firewall.
A basic WildFire service is included as part of the Palo Alto Networks next-generation firewall and does not require a WildFire subscription. With the basic WildFire service, you can enable the firewall to forward portable executable (PE) files. Additionally, if you do not have a WildFire subscription but you do have a Threat Prevention subscription, you can receive signatures for malware WildFire identifies every 24-48 hours (as part of the antivirus updates).
Beyond the basic WildFire service, a WildFire subscription is required for the firewall to:
- Get the latest WildFire signatures every five minutes.
- Forward advanced file types and email links for analysis.
- Use the WildFire API.
- Use a WF-500 appliance to host a WildFire private cloud or a WildFire hybrid cloud.
If you have a WildFire subscription, go ahead and get started with WildFire to get the most out of your subscription. Otherwise, take the following steps to enable basic WildFire forwarding:


Enable Basic WildFire Forwarding

Before You Begin: Confirm that your firewall is registered and that you have a valid support account as well as any subscriptions you require.
   1. Go to the Palo Alto Networks Customer Support website, log in, and select My Devices.
   2. Verify that the firewall is listed. If it is not listed, see Register the Firewall.
   3. (Optional) If you have a Threat Prevention subscription, be sure to Activate Licenses and Subscriptions.

Step 1   Set the WildFire forwarding settings.
   1. Select Device > Setup > WildFire and edit the General Settings.
   2. Set the WildFire Public Cloud field to: wildfire.paloaltonetworks.com.
   3. (Optional) Set the File Size Limit for PEs that the firewall can forward.
   4. Click OK to save your changes.

Step 2   Enable the firewall to forward PEs for analysis.
   1. Select Objects > Security Profiles > WildFire Analysis and Add a new profile rule.
   2. Name the new profile rule.
   3. Click Add to create a forwarding rule and enter a name.
   4. In the File Types column, add pe files to the forwarding rule.
   5. In the Analysis column, select public-cloud to forward PEs to the WildFire public cloud.
   6. Click OK.

Step 3   Apply the new WildFire Analysis profile to traffic that the firewall allows.
   1. Select Policies > Security and either select an existing policy or create a new policy as described in Set Up a Basic Security Policy.
   2. Select Actions and in the Profile Settings section, set the Profile Type to Profiles.
   3. Select the WildFire Analysis profile you created in Step 2 to apply that profile rule to all traffic this policy allows.
   4. Click OK.

Step 4   Click Commit to save your configuration updates.

Step 5   Verify that the firewall is forwarding PE files to the WildFire public cloud.
   Select Monitor > Logs > WildFire Submissions to view log entries for PEs the firewall successfully submitted for WildFire analysis. The Verdict column displays whether WildFire found the PE to be malicious, grayware, or benign.

Step 6   (Threat Prevention subscription only) If you have a Threat Prevention subscription, but do not have a WildFire subscription, you can still receive WildFire signature updates every 24-48 hours.
   1. Select Device > Dynamic Updates.
   2. Check that the firewall is set to retrieve, download, and install Antivirus updates.


Scan Traffic for Threats

Security Profiles provide threat protection in security policies. For example, you can apply an antivirus profile to a security policy and all traffic that matches the security policy will be scanned for viruses.
The following sections provide steps for setting up a basic threat prevention configuration:
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
Set Up File Blocking

Set Up Antivirus, Anti-Spyware, and Vulnerability Protection

Every Palo Alto Networks next-generation firewall comes with predefined Antivirus, Anti-Spyware, and Vulnerability Protection profiles that you can attach to security policies. There is one predefined Antivirus profile, default, which uses the default action for each protocol (block HTTP, FTP, and SMB traffic and alert on SMTP, IMAP, and POP3 traffic). There are two predefined Anti-Spyware and Vulnerability Protection profiles:
• default: Applies the default action to all client and server critical, high, and medium severity spyware/vulnerability protection events. It does not detect low and informational events.
• strict: Applies the block response to all client and server critical, high and medium severity spyware/vulnerability protection events and uses the default action for low and informational events.
To ensure that the traffic entering your network is free from threats, attach the predefined profiles to your basic web access policies. As you monitor the traffic on your network and expand your policy rulebase, you can then design more granular profiles to address your specific security needs.

Set up Antivirus/Anti-Spyware/Vulnerability Protection

Step 1   Verify that you have a Threat Prevention license.
   The Threat Prevention license bundles the Antivirus, Anti-Spyware, and the Vulnerability Protection features in one license.
   Select Device > Licenses to verify that the Threat Prevention license is installed and valid (check the expiration date).

Step 2   Download the latest antivirus threat signatures.
   1. Select Device > Dynamic Updates and click Check Now at the bottom of the page to retrieve the latest signatures.
   2. In the Actions column, click Download to install the latest Antivirus, and Applications and Threats signatures.


Set up Antivirus/Anti-Spyware/Vulnerability Protection (Continued)

Step 3   Schedule signature updates.
   Perform a download-and-install on a daily basis for antivirus updates and weekly for applications and threats updates.
   1. From Device > Dynamic Updates, click the text to the right of Schedule to automatically retrieve signature updates for Antivirus and Applications and Threats.
   2. Specify the frequency and timing for the updates and whether the update will be downloaded and installed or only downloaded. If you select Download Only, you would need to manually go in and click the Install link in the Action column to install the signature. When you click OK, the update is scheduled. No commit is required.
   3. (Optional) You can also enter the number of hours in the Threshold field to indicate the minimum age of a signature before a download will occur. For example, if you entered 10, the signature must be at least 10 hours old before it will be downloaded, regardless of the schedule.
   4. In an HA configuration, you can also click the Sync To Peer option to synchronize the content update with the HA peer after download/install. This will not push the schedule settings to the peer firewall; you need to configure the schedule on each firewall.

   Recommendations for HA Configurations:
   • Active/Passive HA: If the firewalls use the MGT port for content updates, configure a schedule on each firewall so that each firewall downloads and installs content independently. If the firewalls are using a data port for content updates, the passive firewall will not perform downloads while it is in the passive state. In this case set a schedule on each peer and enable Sync To Peer to ensure that content updates on the active peer sync to the passive peer.
   • Active/Active HA: If the firewalls use the MGT port for content updates, configure a schedule on each firewall, but do not enable Sync To Peer. If the firewalls are using a data port for content updates, schedule content updates on each firewall and select Sync To Peer to enable the active-primary firewall to download and install the content updates and then push the content update to the active-secondary peer.


Set up Antivirus/Anti-Spyware/Vulnerability Protection (Continued)

Step 4   Attach the security profiles to a security policy.
   Attach a clone of a predefined security profile to your basic Security policy rules. That way, if you want to customize the profile you can do so without deleting the read-only predefined strict or default profile and attaching a customized profile.
   1. Select Policies > Security, select the desired policy to modify it and then click the Actions tab.
   2. In Profile Settings, click the drop-down next to each security profile you would like to enable. In this example we choose default for Antivirus and WildFire Analysis, and strict for Vulnerability Protection and Anti-Spyware.
      If you don't see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.

Step 5   Save the configuration.
   Click Commit.

Set Up File Blocking

File Blocking Profiles allow you to identify specific file types that you want to block or monitor. For most traffic (including traffic on your internal network) you will want to block files that are known to carry threats or that have no real use case for upload/download. Currently, these include batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files. Additionally, to provide drive-by download protection, allow download/upload of executables and archive files (.zip and .rar), but force users to acknowledge that they are transferring a file so that they will notice that the browser is attempting to download something they were not aware of. For policy rules that allow general web browsing, be more strict with your file blocking because the risk of users unknowingly downloading malicious files is much higher. For this type of traffic you will want to attach a more strict file blocking profile that also blocks portable executable (PE) files.
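As an added illustration (not Palo Alto Networks code, and not a description of how PAN-OS itself classifies files, which this guide does not cover), the following Python identifies the file types named above from file contents rather than from the file name, then applies the block/continue rules of the general and strict profiles described in this section. The `identify`, `decide`, `make_pe` and `make_zip` functions, the two profile tables and all sample bytes are constructed for the example; PE, DLL, jar, zip, rar, WinHelp, shortcut and torrent recognition relies on the published headers of those formats.

```python
import io
import struct
import zipfile

# Hypothetical content-based identifier written for this section. Return values
# use the names a File Blocking profile uses (pe, dll, jar, zip, rar, hlp, lnk,
# torrent); None means "not recognized by signature".

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag that marks a PE as a DLL


def identify(data: bytes):
    """Identify a file type from its bytes, ignoring whatever name it carries."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
        # "PE\0\0" signature, then the 20-byte COFF header; Characteristics sits at +22
        if data[pe_off:pe_off + 4] == b"PE\0\0" and len(data) >= pe_off + 24:
            chars = struct.unpack_from("<H", data, pe_off + 22)[0]
            return "dll" if chars & IMAGE_FILE_DLL else "pe"
        return None
    if data[:4] == b"PK\x03\x04":
        # A jar is a zip archive; only the contents tell the two apart
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip"
        return "jar" if "META-INF/MANIFEST.MF" in names else "zip"
    if data[:7] == b"Rar!\x1a\x07\x00" or data[:8] == b"Rar!\x1a\x07\x01\x00":
        return "rar"
    if data[:4] == b"?_\x03\x00":
        return "hlp"                      # WinHelp file header
    if data[:8] == b"\x4c\x00\x00\x00\x01\x14\x02\x00":
        return "lnk"                      # Shell link: header size 0x4C, then the link CLSID
    if data[:1] == b"d" and b"8:announce" in data[:64]:
        return "torrent"                  # bencoded dictionary carrying an announce key
    return None


# Rule tables mirroring the profiles described in this section: the block rule,
# the continue rule, and fall-through to allow. Constructed for the example.
GENERAL_PROFILE = [
    ("block",    {"bat", "dll", "jar", "hlp", "lnk", "torrent"}),
    ("continue", {"pe", "zip", "rar"}),
]
STRICT_PROFILE = [   # the clone for risky traffic moves pe from continue to block
    ("block",    {"bat", "dll", "jar", "hlp", "lnk", "torrent", "pe"}),
    ("continue", {"zip", "rar"}),
]


def decide(profile, data: bytes) -> str:
    """Return the action (block / continue / allow) a profile yields for a file."""
    ftype = identify(data)
    for action, types in profile:
        if ftype in types:
            return action
    return "allow"


# Constructed sample files (not real artifacts): a minimal PE/DLL and a jar/zip.
def make_pe(is_dll: bool) -> bytes:
    pe_off = 0x40
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", pe_off)
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, chars)
    return bytes(dos) + b"PE\0\0" + coff


def make_zip(with_manifest: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if with_manifest:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("readme.txt", "hello\n")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("setup.exe", make_pe(False)), ("report.pdf", make_pe(False)),
               ("helper.dll", make_pe(True)), ("app.jar", make_zip(True)),
               ("docs.zip", make_zip(False)), ("run.bat", b"@echo off\r\n")]
    for name, blob in samples:
        print(f"{name:12s} type={identify(blob)!s:8s} general={decide(GENERAL_PROFILE, blob):8s} "
              f"strict={decide(STRICT_PROFILE, blob)}")
```

Two points the walk-through relies on show up directly: a PE served as report.pdf still gets continue under the general profile and block under the strict one, and a jar can be told from a plain zip only by looking inside it. Text formats such as batch files carry no signature, so `identify` returns None for them and the policy falls through to allow; that is the limit of signature-based identification and the reason extension-only types deserve conservative handling elsewhere in the rulebase.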


Configure File Blocking

Step 6   Configure a File Blocking profile for general use.
   1. Select Objects > Security Profiles > File Blocking and click Add.
   2. Enter a Name for the file blocking profile, for example general file blocking.
   3. Optionally enter a Description, such as block risky apps. Click Add to define the profile settings.
   4. Enter a Name, such as block risky.
   5. Set File Types to block. For example, Add the following: bat, dll, jar, hlp, lnk, and torrent.
   6. Leave the Direction set to both.
   7. Set the Action to block.
   8. Add a second rule and enter a Name, for example continue exe and archive.
   9. Set File Types to continue. For example, Add the following: PE, zip and rar.
   10. Leave the Direction set to both.
   11. Set the Action to block.
   12. Click OK to save the profile.

Step 7   Configure a File Blocking profile for risky traffic.
   When users are web browsing it is much more likely that they will download a malicious file unintentionally. Therefore, it is important to attach a stricter file blocking policy than you would attach to Security policy rules that allow access to less risk-prone application traffic.
   1. On the Objects > Security Profiles > File Blocking page, select the file blocking profile you just created for general traffic and click Clone. Select the profile to clone and click OK.
   2. Select the cloned profile and give it a new Name, such as strict block risky apps.
   3. Click in the File Types section of the block rule and Add the PE file type.
   4. Click in the File Types section of the continue rule, select PE and click Delete.
   5. Click OK to save the profile.

Step 8   Attach the file blocking profile to the security policies that allow access to content.
   1. Select Policies > Security and either select an existing policy or create a new policy as described in Set Up a Basic Security Policy.
   2. Click the Actions tab within the security policy.
   3. In the Profile Settings section, click the drop-down and select the file blocking profile you created.
      If you don't see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.


Configure File Blocking (Continued)

Step 9   Enable response pages in the management profile for each interface on which you are attaching a file blocking profile with a continue action.
   1. Select Network > Network Profiles > Interface Mgmt and then select an interface profile to edit or click Add to create a new profile.
   2. Select Response Pages, as well as any other management services required on the interface.
   3. Click OK to save the interface management profile.
   4. Select Network > Interfaces and select the interface to which to attach the profile.
   5. On the Advanced > Other Info tab, select the interface management profile you just created.
   6. Click OK to save the interface settings.

Step 10   Save the configuration.
   1. Click Commit.

Step 11   Test the file blocking configuration.
   From a client PC in the trust zone of the firewall, attempt to download an .exe file from a website in the Internet zone. Make sure the file is blocked as expected based on the action you defined in the file blocking profile:
   • If you selected alert as the action, check the data filtering log to make sure you see a log entry for the request.
   • If you selected block as the action, the File Blocking Block Page response page should display.
   • If you selected the continue action, the File Blocking Continue Page response page should display. Click Continue to download the file. The following shows the default File Blocking Continue Page.

Control Access to Web Content

URL Filtering provides visibility and control over web traffic on your network. With URL filtering enabled, the firewall can categorize web traffic into one or more (from approximately 60) categories. You can then create policies that specify whether to allow, block, or log (alert) traffic based on the category to which it belongs. The following workflow shows how to enable PAN-DB for URL filtering, create security profiles, and attach them to security policies to enforce a basic URL filtering policy.


Configure URL Filtering

Step 1   Confirm license information for URL Filtering.
   1. Obtain and install a URL Filtering license. See Activate Licenses and Subscriptions for details.
   2. Select Device > Licenses and verify that the URL Filtering license is valid.

Step 2   Download the seed database and activate the license.
   1. To download the seed database, click Download next to Download Status in the PAN-DB URL Filtering section of the Licenses page.
   2. Choose a region (North America, Europe, APAC, Japan) and then click OK to start the download.
   3. After the download completes, click Activate.

Step 3   Create a URL filtering profile.
   Because the default URL filtering profile blocks risky and threat-prone content, clone this profile when creating a new profile in order to preserve the default settings.
   1. Select Objects > Security Profiles > URL Filtering.
   2. Select the default profile and then click Clone. The new profile will be named default-1.
   3. Select the new profile and rename it.


Configure URL Filtering (Continued)

Step 4   Define how to control access to web content.
   If you are not sure what traffic you want to control, consider setting the categories (except for those blocked by default) to alert. You can then use the visibility tools on the firewall, such as the ACC and AppScope, to determine which web categories to restrict to specific groups or to block entirely. You can then go back and modify the profile to block and allow categories as desired. You can also define specific sites to always allow or always block regardless of category and enable the safe search option to filter search results when defining the URL Filtering profile.
   1. For each category that you want visibility into or control over, select a value from the Action column as follows:
      • If you do not care about traffic to a particular category (that is, you neither want to block it nor log it), select allow.
      • For visibility into traffic to sites in a category, select alert.
      • To present a response page to users attempting to access a particular category to alert them to the fact that the content they are accessing might not be work-appropriate, select continue.
      • To prevent access to traffic that matches the associated policy, select block (this also generates a log entry).
   2. Click OK to save the URL filtering profile.

Step 5   Attach the URL filtering profile to a security policy.
   1. Select Policies > Security.
   2. Select the desired policy to modify it and then click the Actions tab.
   3. If this is the first time you are defining a security profile, select Profiles from the Profile Type drop-down.
   4. In the Profile Settings list, select the profile you just created from the URL Filtering drop-down. (If you don't see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.)
   5. Click OK to save the profile.
   6. Commit the configuration.


Configure URL Filtering (Continued)

Step 6   Enable response pages in the management profile for each interface on which you are filtering web traffic.
   1. Select Network > Network Profiles > Interface Mgmt and then select an interface profile to edit or click Add to create a new profile.
   2. Select Response Pages, as well as any other management services required on the interface.
   3. Click OK to save the interface management profile.
   4. Select Network > Interfaces and select the interface to which to attach the profile.
   5. On the Advanced > Other Info tab, select the interface management profile you just created.
   6. Click OK to save the interface settings.

Step 7   Save the configuration.
   Click Commit.

Step 8   Test the URL filtering configuration.
   Access a client PC in the trust zone of the firewall and attempt to access a site in a blocked category. Make sure URL filtering is applied based on the action you defined in the URL filtering profile:
   • If you selected alert as the action, check the data filtering log to make sure you see a log entry for the request.
   • If you selected the continue action, the URL Filtering Continue and Override Page response page should display. Continue to the site.
   • If you selected block as the action, the URL Filtering and Category Match Block Page response page should display as follows:

Enable AutoFocus Threat Intelligence

With a valid AutoFocus subscription, you can compare the activity on your network with the latest threat data available on the AutoFocus portal. Connecting your firewall and AutoFocus unlocks the following features:
• Ability to view an AutoFocus intelligence summary for session artifacts recorded in the firewall logs.
• Ability to open an AutoFocus search for log artifacts from the firewall.
The AutoFocus intelligence summary reveals the prevalence of an artifact on your network and on a global scale. The WildFire verdicts and AutoFocus tags listed for the artifact indicate whether the artifact poses a security risk.


Enable AutoFocus Threat Intelligence on the Firewall

Step 1   Verify that the AutoFocus license is activated on the firewall.
   1. Select Device > Licenses to verify that the AutoFocus Device License is installed and valid (check the expiration date).
   2. If the firewall doesn't detect the license, see Activate Licenses and Subscriptions.

Step 2   Connect the firewall to AutoFocus.
   1. Select Device > Setup > Management and edit the AutoFocus settings.
   2. Enter the AutoFocus URL: https://autofocus.paloaltonetworks.com:10443
   3. Use the Query Timeout field to set the duration of time for the firewall to attempt to query AutoFocus for threat intelligence data. If the AutoFocus portal does not respond before the end of the specified period, the firewall closes the connection.
      As a best practice, set the query timeout to the default value of 15 seconds. AutoFocus queries are optimized to complete within this duration.
   4. Select Enabled to allow the firewall to connect to AutoFocus.
   5. Click OK.
   6. Commit your changes to retain the AutoFocus settings upon reboot.

Step 3   Connect AutoFocus to the firewall.
   1. Log in to the AutoFocus portal: https://autofocus.paloaltonetworks.com
   2. Select Settings.
   3. Add new remote systems.
   4. Enter a descriptive Name to identify the firewall.
   5. Select PanOS as the System Type.
   6. Enter the firewall IP Address.
   7. Click Save changes to add the remote system.
   8. Click Save changes again on the Settings page to ensure the firewall is successfully added.

Step 4   Test the connection between the firewall and AutoFocus.
   1. On the firewall, select Monitor > Logs > Traffic.
   2. Verify that you can View AutoFocus Threat Data for Logs.


Best Practices for Completing the Firewall Deployment

Now that you have integrated the firewall into your network and enabled the basic security features, you can begin configuring more advanced features. Here are some things to consider next:
• Learn about the different Management Interfaces that are available to you and how to access and use them.
• Replace the Certificate for Inbound Management Traffic. By default, the firewall ships with a default certificate that enables HTTPS access to the web interface over the management (MGT) interface or any other interface that supports HTTPS management traffic. To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.
• Configure a best practice security policy rulebase to safely enable applications and protect your network from attack. See Best Practice Internet Gateway Security Policy for details.
• Set up High Availability: High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration and session tables are synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up a two-firewall cluster provides redundancy and allows you to ensure business continuity.
• Configure the Master Key: Every Palo Alto Networks firewall has a default master key that encrypts all private keys on the firewall used for cryptographic protocols. As a best practice to safeguard the keys, configure the master key on each firewall to be unique.
• Manage Firewall Administrators: Every Palo Alto Networks firewall and appliance is preconfigured with a default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall. As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This allows you to better protect the firewall from unauthorized configuration (or modification) and to enable logging of the actions of each individual administrator.
• Enable User Identification (User-ID): User-ID is a Palo Alto Networks next-generation firewall feature that allows you to create policies and perform reporting based on users and groups rather than individual IP addresses.
• Enable Decryption: Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted or tunneled traffic.
• Enable Passive DNS Collection for Improved Threat Intelligence: Enable this opt-in feature to enable the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and threat prevention capabilities.
• Follow the Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions.

Firewall Administration

Administrators can configure, manage, and monitor Palo Alto Networks firewalls using the web interface, CLI, and API management interface. You can customize role-based administrative access to the management interfaces to delegate specific tasks or permissions to certain administrators.
Management Interfaces
Use the Web Interface
Manage Configuration Backups
Manage Firewall Administrators
Reference: Web Interface Administrator Access
Reference: Port Number Usage
Reset the Firewall to Factory Default Settings
Bootstrap the Firewall


Management Interfaces

You can use the following user interfaces to manage the Palo Alto Networks firewall and Panorama:
• Use the Web Interface to complete administrative tasks and generate reports from the web interface with relative ease. This graphical interface allows you to access the firewall using HTTPS and it is the best way to perform administrative tasks.
• Use the Command Line Interface (CLI) to enter commands in rapid succession to complete a series of tasks. The CLI is a no-frills interface that supports two command modes and each mode has its own hierarchy of commands and statements. When you become familiar with the nesting structure and syntax of the commands, the CLI provides quick response times and administrative efficiency.
• Use the XML API to streamline your operations and integrate with existing, internally developed applications and repositories. The XML API is a web service implemented using HTTP/HTTPS requests and responses.
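To make the last item concrete, here is an added Python example (not Palo Alto Networks' own client or SDK) that builds the three request forms the XML API accepts at /api/ (type=keygen to obtain an API key, type=op for an operational command, type=config with action=get to read configuration by XPath) and parses the <response status="..."> envelope the API returns. The host name fw.example.com, the credentials and the response bodies KEYGEN_OK, KEYGEN_FAIL and SYSINFO are constructed for the example; only the request parameters and the envelope shape are the API's own.

```python
from urllib.parse import urlencode
from urllib.request import urlopen
import xml.etree.ElementTree as ET

# Added example, not project code. Request parameter names are the XML API's;
# host, credentials and every response body below are constructed.


def api_url(host: str, params: dict) -> str:
    """Build a request URL for the XML API, which is served at /api/ over HTTPS."""
    return f"https://{host}/api/?{urlencode(params)}"


def keygen_url(host: str, user: str, password: str) -> str:
    """Exchange credentials for an API key (do this once, then store the key)."""
    return api_url(host, {"type": "keygen", "user": user, "password": password})


def op_url(host: str, key: str, cmd_xml: str) -> str:
    """Operational command; cmd is the XML form of a CLI command."""
    return api_url(host, {"type": "op", "cmd": cmd_xml, "key": key})


def config_get_url(host: str, key: str, xpath: str) -> str:
    """Read the part of the candidate configuration addressed by an XPath."""
    return api_url(host, {"type": "config", "action": "get", "xpath": xpath, "key": key})


def parse_response(xml_text: str) -> ET.Element:
    """Return the <result> element, or raise if the API reported an error."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or root.findtext(".//line") or "unknown error"
        raise RuntimeError(
            f"API error (status={root.get('status')}, code={root.get('code')}): {msg}")
    result = root.find("result")
    if result is None:
        raise RuntimeError("API response carries no <result> element")
    return result


def extract_key(xml_text: str) -> str:
    """Pull the API key out of a keygen response."""
    return parse_response(xml_text).findtext("key")


def system_summary(xml_text: str) -> dict:
    """Pull the fields a content-version check cares about from 'show system info'."""
    system = parse_response(xml_text).find("system")
    fields = ("hostname", "sw-version", "app-version", "av-version",
              "threat-version", "wildfire-version")
    return {f: system.findtext(f) for f in fields}


def fetch(url: str, timeout: int = 15) -> str:
    """Perform the request. urlopen verifies the server certificate by default;
    keep it that way and replace the factory management certificate instead."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses in the API's envelope shape (not captured data).
KEYGEN_OK = ('<response status="success"><result>'
             '<key>EXAMPLE-API-KEY-NOT-REAL</key></result></response>')
KEYGEN_FAIL = ('<response status="error" code="403"><result>'
               '<msg>Invalid Credential</msg></result></response>')
SYSINFO = """<response status="success"><result><system>
<hostname>fw-example-1</hostname><sw-version>7.1.0</sw-version><app-version>0</app-version>
<av-version>0</av-version><threat-version>0</threat-version><wildfire-version>0</wildfire-version>
</system></result></response>"""

SHOW_SYSTEM_INFO = "<show><system><info></info></system></show>"

if __name__ == "__main__":
    # On a real firewall the key would come from fetch(keygen_url(host, user, password)).
    key = extract_key(KEYGEN_OK)
    print(op_url("fw.example.com", key, SHOW_SYSTEM_INFO))
    print(system_summary(SYSINFO))
    try:
        extract_key(KEYGEN_FAIL)
    except RuntimeError as err:
        print("keygen refused:", err)
```

The API key travels in the query string, so treat these URLs as secrets: keep them out of shell history and proxy logs, and give automation its own administrator account with a restricted role rather than the built-in admin. Leaving certificate verification on in `fetch` is only practical once the factory management certificate has been replaced, which the previous chapter lists among the deployment best practices.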


Use the Web Interface

The following topics describe how to use the firewall web interface. For detailed information about specific tabs and fields in the web interface, refer to the Web Interface Reference Guide.
Launch the Web Interface
Configure Banners, Message of the Day, and Logos
Use the Administrator Login Activity Indicators to Detect Account Misuse
Manage and Monitor Administrative Tasks
Commit, Validate, and Preview Firewall Configuration Changes
Use Global Find to Search the Firewall or Panorama Management Server
Manage Locks for Restricting Configuration Changes

Launch the Web Interface

The following web browsers are supported for access to the web interface:
• Internet Explorer 7+
• Firefox 3.6+
• Safari 5+
• Chrome 11+

Launch the Web Interface

Step 1   Launch an Internet browser and enter the IP address of the firewall in the URL field (https://<IP address>).
   By default, the management (MGT) interface allows only HTTPS access to the web interface. To enable other protocols, select Device > Setup > Management and edit the Management Interface Settings.

Step 2   Enter your user Name and Password. If this is your first login session, enter the default admin for both fields.

Step 3   If the login dialog has a banner, read it. If the dialog requires you to acknowledge reading the banner, select I Accept and Acknowledge the Statement Below.

Step 4   Log in to the web interface.

Step 5   Read and Close the messages of the day.
   You can select Do not show again for messages you don't want to see in future login sessions.
   If you want to change the language that the web interface uses, click Language at the bottom of the web interface, select a Language from the drop-down, and click OK.


Configure Banners, Message of the Day, and Logos

A login banner is optional text that you can add to the login page so that administrators will see information they must know before they log in. For example, you could add a message to notify users of restrictions on unauthorized use of the firewall.
You can add colored bands that highlight overlaid text across the top (header banner) and bottom (footer banner) of the web interface to ensure administrators see critical information, such as the classification level for firewall administration.
A message of the day dialog automatically displays after you log in. The dialog displays messages that Palo Alto Networks embeds to highlight important information associated with a software or content release. You can also add one custom message to ensure administrators see information, such as an impending system restart, that might affect their tasks.
You can replace the default logos that appear on the login page and in the header of the web interface with the logos of your organization.

Configure Banners, Message of the Day, and Logos

Step 1   Configure the login banner.
   1. Select Device > Setup > Management and edit the General Settings.
   2. Enter the Login Banner (up to 3,200 characters).
   3. (Optional) Select Force Admins to Acknowledge Login Banner to force administrators to select an I Accept and Acknowledge the Statement Below check box above the banner text to activate the Login button.
   4. Click OK.

Step 2   Set the message of the day.
   1. Select Device > Setup > Management and edit the Banners and Messages settings.
   2. Enable the Message of the Day.
   3. Enter the Message of the Day (up to 3,200 characters).
      After you enter the message and click OK, administrators who subsequently log in, and active administrators who refresh their browsers, see the new or updated message immediately; a commit isn't necessary. This enables you to inform other administrators of an impending commit that might affect their configuration changes. Based on the commit time that your message specifies, the administrators can then decide whether to complete, save, or undo their changes.
   4. (Optional) Select Allow Do Not Display Again (default is disabled) to give administrators the option to suppress a message of the day after the first login session. Each administrator can suppress messages only for his or her own login sessions. In the message of the day dialog, each message will have its own suppression option.
   5. (Optional) Enter a header Title for the message of the day dialog (default is Message of the Day).


Configure Banners, Message of the Day, and Logos (Continued)

Step 3   Configure the header and footer banners.
   A bright background color and contrasting text color can increase the likelihood that administrators will notice and read a banner. You can also use colors that correspond to classification levels in your organization.
   1. Enter the Header Banner (up to 3,200 characters).
   2. (Optional) Clear Same Banner Header and Footer (enabled by default) to use different header and footer banners.
   3. Enter the Footer Banner (up to 3,200 characters) if the header and footer banners differ.
   4. Click OK.

Step 4   Replace the logos on the login page and in the header.
   The maximum size for any logo image is 128 KB.
   1. Select Device > Setup > Operations and click Custom Logos in the Miscellaneous section.
   2. Perform the following steps for both the Login Screen logo and the Main UI (header) logo:
      a. Click upload.
      b. Select a logo image and click Open.
         You can preview the image to see how PAN-OS will crop it to fit.
      c. Click Close.
   3. Commit your changes.

Step 5   Verify that the banners, message of the day, and logos display as expected.
   1. Log out to return to the login page, which displays the new logos you selected.
   2. Enter your login credentials, review the banner, select I Accept and Acknowledge the Statement Below to enable the Login button, and then Login.
      A dialog displays the message of the day. Messages that Palo Alto Networks embedded display on separate pages in the same dialog. To navigate the pages, click the right or left arrows along the sides of the dialog or click a page selector at the bottom of the dialog.
   3. (Optional) You can select Do not show again for the message you configured and for any messages that Palo Alto Networks embedded.
   4. Close the message of the day dialog to access the web interface.
      Header and footer banners display in every web interface page with the text and colors that you configured. The new logo you selected for the web interface displays below the header banner.


Use the Administrator Login Activity Indicators to Detect Account Misuse

The last login time and failed login attempts indicators provide a visual way to detect misuse of your administrator account on a Palo Alto Networks firewall or Panorama management server. Use the last login information to determine if someone else logged in using your credentials and use the failed login attempts indicator to determine if your account is being targeted in a brute-force attack.

Use the Login Activity Indicators to Detect Account Misuse

Step 1   View the login activity indicators to monitor recent activity on your account.
   1. Log in to the web interface on your firewall or Panorama management server.
   2. View the last login details located at the bottom left of the window and verify that the timestamp corresponds to your last login.
   3. Look for a caution symbol to the right of the last login time information for failed login attempts.
      The failed login indicator appears if one or more failed login attempts occurred using your account since the last successful login.
      a. If you see the caution symbol, hover over it to display the number of failed login attempts.
      b. Click the caution symbol to view the failed login attempts summary. Details include the admin account name, the reason for the login failure, the source IP address, and the date and time.
         After you successfully log in and then log out, the failed login counter resets to zero so you will see new failed login details, if any, the next time you log in.


Use the Login Activity Indicators to Detect Account Misuse (Continued)

   4. Locate hosts that are continually attempting to log in to your firewall or Panorama management server.
      a. Click the failed login caution symbol to view the failed login attempts summary.
      b. Locate and record the source IP address of the host that attempted to log in. For example, the following figure shows multiple failed login attempts from the IP address 192.168.2.10.
      c. Work with your network administrator to locate the user and host that is using the IP address that you identified.
         If you cannot locate the system that is performing the brute-force attack, consider renaming the account to prevent future attacks.

Step 2   Take the following actions if you detect an account compromise.
   1. Select Monitor > Logs > Configuration and view the configuration changes and commit history to determine if your account was used to make changes without your knowledge.
   2. Select Device > Config Audit to compare the current configuration and the configuration that was running just prior to the configuration you suspect was changed using your credentials. You can also do this using Panorama.
      If your administrator account was used to create a new account, performing a configuration audit helps you detect changes that are associated with any unauthorized accounts, as well.
   3. Revert the configuration to a known good configuration if you see that logs were deleted or if you have difficulty determining if improper changes were made using your account.
      Before you commit to a previous configuration, review it to ensure that it contains the correct settings. For example, the configuration that you revert to may not contain recent changes, so apply those changes after you commit the backup configuration.

Use the following best practices to help prevent brute-force attacks on privileged accounts.
• Limit the number of failed attempts allowed before the firewall locks a privileged account by setting the number of Failed Attempts and the Lockout Time (min) in the authentication profile or in the Authentication Settings for the Management interface (Device > Setup > Management > Authentication Settings).
• Use Interface Management Profiles to Restrict Access.
• Enforce complex passwords for privileged accounts.


Manage and Monitor Administrative Tasks

The Task Manager displays details about all the operations that you and other administrators initiated (such as manual commits) or that the firewall initiated (such as scheduled report generation) since the last firewall reboot. You can use the Task Manager to troubleshoot failed operations, investigate warnings associated with completed commits, view details about queued commits, or cancel pending commits.

You can also view System Logs to monitor system events on the firewall or view Config Logs to monitor firewall configuration changes.

Manage and Monitor Administrative Tasks

Step 1  Click Tasks at the bottom of the web interface.

Step 2  Show only Running tasks (in progress) or All tasks (default). Optionally, filter the tasks by type:
- Jobs: Administrator-initiated commits, firewall-initiated commits, and software or content downloads and installations.
- Reports: Scheduled reports.
- Log Requests: Log queries that you trigger by accessing the Dashboard or a Monitor page.

Step 3  Perform any of the following actions:
- Display or hide task details: By default, the Task Manager displays the Type, Status, Start Time, and Messages for each task. To see the End Time and Job ID for a task, you must manually configure the display to expose those columns. To display or hide a column, open the drop-down in any column header, select Columns, and select or deselect the column names as needed.
- Investigate warnings or failures: Read the entries in the Messages column for task details. If the column says Too many messages, click the corresponding entry in the Type column to see more information.
- Display a commit description: If an administrator entered a description when configuring a commit, you can click Commit Description in the Messages column to display the description.
- Check the position of a commit in the queue: The Messages column indicates the queue position of commits that are in progress.
- Cancel pending commits: Click Clear Commit Queue to cancel all pending commits (available only to predefined administrative roles). To cancel an individual commit, click x in the Action column for that commit (the commit remains in the queue until the firewall dequeues it). You cannot cancel commits that are in progress.

Commit, Validate, and Preview Firewall Configuration Changes

A commit is the process of activating changes that you made to the firewall configuration. The firewall queues commit operations in the order you and other administrators initiate them. If the queue already has the maximum number of commits (which varies by platform), you must wait for the firewall to process a pending commit before initiating a new commit. To cancel pending commits or view details about commits of any status, see Manage and Monitor Administrative Tasks. To check which changes a commit will activate, you can run a commit preview.

For details on candidate and running configurations, see Manage Configuration Backups. To prevent multiple administrators from making configuration changes during concurrent sessions, see Manage Locks for Restricting Configuration Changes.


When you initiate a commit, the firewall checks the validity of the changes before activating them. The validation output displays conditions that either block the commit (errors) or that are important to know but that do not block the commit (warnings). For example, validation could indicate an invalid route destination that you need to fix for the commit to succeed. To identify and fix configuration errors before initiating a commit, you can validate changes without committing. A pre-commit validation displays the same errors and warnings as a commit, including reference errors, rule shadowing, and application dependency warnings. Pre-commit validations are useful if your organization allows commits only within certain time windows; you can find and fix errors to avoid failures that could cause you to miss a commit window.

Preview, Validate, or Commit Firewall Configuration Changes

Step 1  Configure the commit, validation, or preview options.
1. Click Commit at the top of the web interface.
2. (Optional) Exclude certain types of configuration changes. These options are included (enabled) by default. If dependencies between the configuration changes you included and excluded cause a validation error, perform the commit with all the changes included. For example, if your changes introduce a new Log Forwarding profile (an object) that references a new Syslog server profile (a device setting), the commit must include both the policy and object configuration and the device and network configuration.
   - Include Device and Network configuration
   - Include Policy and Object configuration: This is available only on firewalls for which multiple virtual systems capability is disabled.
   - Include Shared Object configuration: This is available only on firewalls with multiple virtual systems.
   - Include Virtual System configuration: This is available only on firewalls with multiple virtual systems. Select All virtual systems (default) or Select one or more virtual systems in the list.
3. (Optional) Enter a Description for the commit. A brief summary of what changed in the configuration is useful to other administrators who want to know what changes were made without performing a configuration audit.

Step 2  (Optional) Preview the changes that the commit will activate. This can be useful if, for example, you don't remember all your changes and you're not sure you want to activate all of them. The firewall displays the changes in a new window that shows the running and candidate configurations side by side using colors to highlight the differences line by line.
1. Click Preview Changes.
2. Select the Lines of Context, which is the number of lines from the compared configuration files to display before and after each highlighted difference. These additional lines help you correlate the preview output to settings in the web interface. Because the preview results display in a new window, your browser must allow popup windows. If the preview window does not open, refer to your browser documentation for the steps to unblock popup windows.
3. Close the preview window when you finish reviewing the changes.

Step 3  (Optional) Validate the changes before you commit to ensure the commit will succeed.
1. Click Validate Changes. The results display all the errors and warnings that an actual commit would display.
2. Resolve any errors that the validation results identify.


Step 4  Commit your configuration changes.
Click Commit. To view details about commits that are pending (which you can still cancel), in progress, completed, or failed, see Manage and Monitor Administrative Tasks.
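
The following is an added example, not code from the guide or from PAN-OS, that shows the two checks the procedure above describes on a constructed pair of configurations: a reference validation that reproduces the Log Forwarding profile / Syslog server profile case from Step 1 (the error appears only when the commit includes the policy and object part but excludes the device and network part), and a line-by-line preview with a configurable number of context lines, as in Step 2. The XML layout (devices/syslog-servers and objects/log-forwarding) is a simplified stand-in that I constructed for the example; it is not the firewall's schema, and a real export has a different structure.

```python
import difflib
import xml.etree.ElementTree as ET

# Constructed running and candidate configurations in a simplified layout that
# stands in for the firewall's XML (not the PAN-OS schema). The candidate adds a
# new syslog server (a device setting) and a new log-forwarding profile (an
# object) that references it.
RUNNING = """<config>
  <devices>
    <syslog-servers>
      <entry name="soc-syslog"><server>10.1.1.50</server></entry>
    </syslog-servers>
  </devices>
  <objects>
    <log-forwarding>
      <entry name="lf-default"><syslog>soc-syslog</syslog></entry>
    </log-forwarding>
  </objects>
</config>
"""

CANDIDATE = """<config>
  <devices>
    <syslog-servers>
      <entry name="soc-syslog"><server>10.1.1.50</server></entry>
      <entry name="siem-syslog"><server>10.1.1.60</server></entry>
    </syslog-servers>
  </devices>
  <objects>
    <log-forwarding>
      <entry name="lf-default"><syslog>soc-syslog</syslog></entry>
      <entry name="lf-siem"><syslog>siem-syslog</syslog></entry>
    </log-forwarding>
  </objects>
</config>
"""

# Commit scope options from Step 1, mapped onto the top-level parts of the layout.
PARTS = {"device-network": "devices", "policy-object": "objects"}


def effective_config(running, candidate, include):
    """The configuration a commit would activate: the candidate version of each
    included part, the running version of each excluded part."""
    run, cand = ET.fromstring(running), ET.fromstring(candidate)
    merged = ET.Element("config")
    for part, tag in PARTS.items():
        src = cand if part in include else run
        merged.append(src.find(tag))
    return merged


def validate(running, candidate, include=frozenset(PARTS)):
    """Reference check: every log-forwarding profile must name a syslog server
    that exists in the configuration the commit would activate. Returns the list
    of error strings (empty means the commit would pass this check)."""
    cfg = effective_config(running, candidate, include)
    servers = {e.get("name") for e in cfg.iterfind("devices/syslog-servers/entry")}
    errors = []
    for prof in cfg.iterfind("objects/log-forwarding/entry"):
        ref = prof.findtext("syslog")
        if ref not in servers:
            errors.append(f"log-forwarding profile '{prof.get('name')}' "
                          f"references unknown syslog server '{ref}'")
    return errors


def preview(running, candidate, lines_of_context=3):
    """Running versus candidate, line by line, with the requested number of
    unchanged lines around each difference (Lines of Context in Step 2)."""
    return list(difflib.unified_diff(
        running.splitlines(), candidate.splitlines(),
        fromfile="running-config.xml", tofile="candidate",
        lineterm="", n=lines_of_context))


if __name__ == "__main__":
    print("full commit:", validate(RUNNING, CANDIDATE) or "no errors")
    print("policy/object only:", validate(RUNNING, CANDIDATE, {"policy-object"}))
    print("\n".join(preview(RUNNING, CANDIDATE, lines_of_context=1)))
```

With one line of context the preview shows two separate hunks; with the default of three the unchanged lines between the two additions are fewer than the context on either side, so the diff collapses them into a single hunk. That is what the Lines of Context setting trades off: more context makes it easier to locate a change in the web interface, at the cost of a longer preview.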

Use Global Find to Search the Firewall or Panorama Management Server

Global Find enables you to search the candidate configuration on a firewall or on Panorama for a particular string, such as an IP address, object name, policy rule name, threat ID, or application name. The search results are grouped by category and provide links to the configuration location in the web interface, so that you can easily find all of the places where the string is referenced. The search results also help you identify other objects that depend on or make reference to the search term or string. For example, when deprecating a security profile, enter the profile name in Global Find to locate all instances of the profile and then click each instance to navigate to the configuration page and make the necessary change. After all references are removed, you can then delete the profile. You can do this for any configuration item that has dependencies.

Global Find will not search dynamic content (such as logs, address ranges, or allocated DHCP addresses). In the case of DHCP, you can search on a DHCP server attribute, such as the DNS entry, but you cannot search for individual addresses allocated to users. Global Find also does not search for individual user or group names identified by User-ID unless the user/group is defined in a policy. In general, you can only search content that the firewall writes to the configuration.

Use Global Find

Launch Global Find by clicking the Search icon located on the upper right of the web interface.

To access the Global Find from within a configuration area, click the drop-down next to an item and select Global Find:


For example, click Global Find on a zone named l3-vlan-trust to search the candidate configuration for each location where the zone is referenced. The following screen capture shows the search results for the zone l3-vlan-trust:

Search tips:
- If you initiate a search on a firewall that has multiple virtual systems enabled or if custom Administrative Roles are defined, Global Find will only return results for areas of the firewall in which the administrator has permissions. The same applies to Panorama device groups.
- Spaces in search terms are handled as AND operations. For example, if you search on corp policy, the search results include instances where corp and policy exist in the configuration.
- To find an exact phrase, enclose the phrase in quotation marks.
- To rerun a previous search, click Search (located on the upper right of the web interface) to see a list of the last 20 searches. Click an item in the list to rerun that search. Search history is unique to each administrator account.

Manage Locks for Restricting Configuration Changes

Locking the candidate or running configuration prevents other administrators from changing the configuration until you manually remove the lock, a superuser removes the lock, or the firewall automatically removes it (after a commit). Locks ensure that administrators don't make conflicting changes to the same settings or interdependent settings during concurrent login sessions.

The firewall queues commit requests and performs them in the order that administrators initiate the commits. For details, see Commit, Validate, and Preview Firewall Configuration Changes. To view the status of queued commits, see Manage and Monitor Administrative Tasks.

Manage Locks for Restricting Configuration Changes

View details about current locks. For example, you can check whether other administrators have set locks and read comments they entered to explain the locks.
Click the lock icon at the top of the web interface. An adjacent number indicates the number of current locks.

Lock a configuration.
1. Click the lock icon at the top of the web interface. The lock image varies based on whether existing locks are or are not set.
2. Take a Lock and select the lock Type:
   - Config: Blocks other administrators from changing the candidate configuration.
   - Commit: Blocks other administrators from changing the running configuration.
3. (Firewall with multiple virtual systems only) Select a Location to lock the configuration for a specific virtual system or the Shared location.
4. (Optional) As a best practice, enter a Comment so that other administrators will understand the reason for the lock.
5. Click OK and Close.

Unlock a configuration. Only a superuser or the administrator who locked the configuration can manually unlock it. However, the firewall automatically removes a lock after completing the commit operation.
1. Click the lock icon at the top of the web interface.
2. Select the lock entry in the list.
3. Click Remove Lock, OK, and Close.

Configure the firewall to automatically lock the running configuration when you change the candidate configuration. This setting applies to all administrators.
1. Select Device > Setup > Management and edit the General Settings.
2. Select Automatically Acquire Commit Lock and then click OK and Commit.


Manage Configuration Backups

The running configuration comprises all settings you have committed and that are therefore active, such as policy rules that currently block or allow various types of traffic in your network. The candidate configuration is a copy of the running configuration plus any inactive changes that you made after the last commit. Backing up versions of the running or candidate configuration enables you to later restore those versions on the firewall. For example, if a commit validation shows that the current candidate configuration has more errors than you are able or have time to fix, then you can restore a previous candidate configuration or revert to the running configuration.

See Commit, Validate, and Preview Firewall Configuration Changes for related information.

- Back Up a Configuration
- Restore a Configuration

Back Up a Configuration

Creating configuration backups enables you to later Restore a Configuration. This is useful when you want to revert the firewall to all the settings of an earlier configuration because you can perform the restoration as a single operation instead of manually reconfiguring each setting in the current configuration. You can either save backups locally on the firewall or export backups to an external host.

When you commit changes, the firewall automatically saves a new version of the running configuration. If a system event or administrator action causes the firewall to reboot, it automatically reverts to the current version of the running configuration, which the firewall stores in a file named running-config.xml. However, the firewall does not automatically save a backup of the candidate configuration; you must manually save a backup of the candidate configuration as a snapshot file using either the default name (.snapshot.xml) or a custom name.

When you edit a setting and click OK, the firewall updates the candidate configuration but does not save a backup snapshot. Additionally, saving changes does not activate them. To activate changes, perform a commit (see Commit, Validate, and Preview Firewall Configuration Changes).

As a best practice, back up any important configuration to a host external to the firewall.


Back Up a Configuration

Step 1  Save a local backup snapshot of the candidate configuration if it contains changes that you want to preserve in the event the firewall reboots. These are changes you are not ready to commit, for example, changes you cannot finish in the current login session.
Perform one of the following tasks based on whether you want to overwrite the default snapshot (.snapshot.xml) or create a snapshot with a custom name:
- Overwrite the default snapshot: Click Save at the top of the web interface.
- Create a custom-named snapshot:
  a. Select Device > Setup > Operations and Save named configuration snapshot.
  b. Enter a Name for the snapshot or select an existing snapshot to overwrite.
  c. Click OK and Close.

Step 2  Export a candidate configuration, a running configuration, or the firewall state information to a host external to the firewall.
Select Device > Setup > Operations and click an export option:
- Export named configuration snapshot: Export the current running configuration, a named candidate configuration snapshot, or a previously imported configuration (candidate or running). The firewall exports the configuration as an XML file with the Name you specify.
- Export configuration version: Select a Version of the running configuration to export as an XML file. The firewall creates a version whenever you commit configuration changes.
- Export device state: Export the firewall state information as a bundle. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the exported information on the replacement by importing the state bundle.

Restore a Configuration

Restoring a firewall configuration overwrites the current candidate configuration with another configuration. This is useful when you want to revert all firewall settings used in an earlier configuration; you can perform this restoration as a single operation instead of manually reconfiguring each setting in the current configuration.
The firewall automatically saves a new version of the running configuration whenever you commit changes and you can restore any of those versions. However, you must manually save a candidate configuration to later restore it (see Back Up a Configuration).

Restore a Configuration

Restore the current running configuration. This operation undoes all the changes you made to the candidate configuration since the last commit.
1. Select Device > Setup > Operations and Revert to running configuration.
2. Click Yes to confirm the operation.

Restore the default snapshot of the candidate configuration. This is the snapshot that you create or overwrite when you click Save at the top right of the web interface.
1. Select Device > Setup > Operations and Revert to last saved configuration.
2. Click Yes to confirm the operation.
3. (Optional) Click Commit to overwrite the running configuration with the snapshot.

Restore a previous version of the running configuration that is stored on the firewall. The firewall creates a version whenever you commit configuration changes.
1. Select Device > Setup > Operations and Load configuration version.
2. Select a configuration Version and click OK.
3. (Optional) Click Commit to overwrite the running configuration with the version you just restored.

Restore one of the following:
- Current running configuration (named running-config.xml)
- Custom-named version of the running configuration that you previously imported
- Custom-named candidate configuration snapshot (instead of the default snapshot)
1. Select Device > Setup > Operations and click Load named configuration snapshot.
2. Select the snapshot Name and click OK.
3. (Optional) Click Commit to overwrite the running configuration with the snapshot.

Restore a running or candidate configuration that you previously exported to an external host.
1. Select Device > Setup > Operations, click Import named configuration snapshot, Browse to the configuration file on the external host, and click OK.
2. Click Load named configuration snapshot, select the Name of the configuration file you just imported, and click OK.
3. (Optional) Click Commit to overwrite the running configuration with the snapshot you just imported.

Restore state information that you exported from a firewall. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the information on the replacement by importing the state bundle.
Import state information:
1. Select Device > Setup > Operations, click Import device state, Browse to the state bundle, and click OK.
2. (Optional) Click Commit to apply the imported state information to the running configuration.


Manage Firewall Administrators

Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks firewalls. Every Palo Alto Networks firewall has a predefined default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall.

As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This enables you to better protect the firewall from unauthorized configuration and enables logging of the actions of individual administrators.

- Administrative Roles
- Administrative Authentication
- Configure Administrative Accounts and Authentication

Administrative Roles

A role defines the type of access that an administrator has to the firewall.
- Administrative Role Types
- Configure an Admin Role Profile

Administrative Role Types

The role types are:
- Dynamic Roles: These are built-in roles that provide access to the firewall. When new features are added, the firewall automatically updates the definitions of dynamic roles; you never need to manually update them. The following table lists the access privileges associated with dynamic roles.

Dynamic Role | Privileges
Superuser | Full access to the firewall, including defining new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.
Superuser (read-only) | Read-only access to the firewall.
Virtual system administrator | Full access to a selected virtual system (vsys) on the firewall.
Virtual system administrator (read-only) | Read-only access to a selected vsys on the firewall.
Device administrator | Full access to all firewall settings except for defining new accounts or virtual systems.
Device administrator (read-only) | Read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).


- Admin Role Profiles: Custom roles you can configure for more granular access control over the functional areas of the web interface, CLI, and XML API. For example, you can create an Admin Role profile for your operations staff that provides access to the firewall and network configuration areas of the web interface and a separate profile for your security administrators that provides access to security policy definitions, logs, and reports. On a multi-vsys firewall, you can select whether the role defines access for all virtual systems or for a specific vsys. When new features are added to the product, you must update the roles with corresponding access privileges: the firewall does not automatically add new features to custom role definitions. For details on the privileges you can configure for custom administrator roles, see Reference: Web Interface Administrator Access.

Configure an Admin Role Profile

Admin Role profiles enable you to define granular administrative access privileges to ensure protection for sensitive company information and privacy for end users.

As a best practice, create Admin Role profiles that allow administrators to access only the areas of the management interfaces that they need to access to perform their jobs.

Configure an Admin Role Profile

Step 1  Select Device > Admin Roles and click Add.

Step 2  Enter a Name to identify the role.

Step 3  For the scope of the Role, select Device or Virtual System.

Step 4  In the Web UI and XML API tabs, click the icon for each functional area to toggle it to the desired setting: Enable, Read Only, or Disable. For details on the Web UI options, see Web Interface Access Privileges.

Step 5  Select the Command Line tab and select a CLI access option. The Role scope controls the available options:
- Device role: superuser, superreader, deviceadmin, devicereader, or None
- Virtual System role: vsysadmin, vsysreader, or None

Step 6  Click OK to save the profile.

Step 7  Assign the role to an administrator. See Configure an Administrative Account.

Administrative Authentication

You can configure the following types of administrator authentication:

Account Type | Authentication Method | Description
Local | Local (no database) | The administrator account credentials and the authentication mechanisms are local to the firewall. You can further secure local accounts by setting global password complexity and expiration settings for all accounts or by creating a password profile that defines password expiration settings for specific accounts. For details, see Configure an Administrative Account.

Local | Local database | The firewall uses a local database to store the administrator account credentials and to perform authentication. If your network supports Kerberos single sign-on (SSO), you can configure local authentication as a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for Administrators.
Local | SSL-based | The administrator accounts are local to the firewall, but authentication is based on SSH certificates (for CLI access) or client certificates (for web interface access). For details, see Configure SSH Key-Based Administrator Authentication to the CLI and Configure Certificate-Based Administrator Authentication to the Web Interface.
Local | External service | The administrator accounts are local to the firewall, but external services (LDAP, Kerberos, TACACS+, or RADIUS) handle the authentication functions. If your network supports Kerberos single sign-on (SSO), you can configure external authentication as a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for Administrators.
External | External service | An external RADIUS server handles account management and authentication. You must define Vendor-Specific Attributes (VSAs) on your RADIUS server that map to the administrator role, access domain, user group (if applicable), and virtual system (if applicable). For details, see Configure RADIUS Vendor-Specific Attributes for Administrator Authentication.

Configure Administrative Accounts and Authentication

If you have already configured Administrative Roles and external authentication services (if applicable), you can Configure an Administrative Account. Otherwise, perform one of the other procedures listed below to configure administrative accounts for specific types of authentication.

Administrative accounts specify how administrators authenticate to the firewall. To configure how the firewall authenticates to administrators, see Replace the Certificate for Inbound Management Traffic.

- Configure an Administrative Account
- Configure Kerberos SSO and External or Local Authentication for Administrators
- Configure Certificate-Based Administrator Authentication to the Web Interface
- Configure SSH Key-Based Administrator Authentication to the CLI
- Configure RADIUS Vendor-Specific Attributes for Administrator Authentication

Configure an Administrative Account

Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks firewalls.


Configure an Administrative Account

Step 1  (Optional) Define password complexity and expiration settings for administrator accounts that are local to the firewall. These settings can help protect the firewall against unauthorized access by making it harder for attackers to guess passwords. You cannot configure these settings for local accounts that use a local database or external service for authentication.
1. Define global password complexity and expiration settings for all local administrators.
   a. Select Device > Setup > Management and edit the Minimum Password Complexity settings.
   b. Select Enabled.
   c. Define the password settings and click OK.
2. Define a Password Profile if you want certain local administrators to have password expiration settings that override the global settings.
   a. Select Device > Password Profiles and Add a profile.
   b. Enter a Name to identify the profile.
   c. Define the password expiration settings and click OK.

Step 2  Add an administrative account.
1. Select Device > Administrators and Add an administrator.
2. Enter a user Name.
3. Select an Authentication Profile or sequence if you configured either for the user. The default option (None) specifies that the firewall will locally manage and authenticate the account without a local database. In this case, you must enter and confirm a Password.
4. Select the Administrator Type. If you configured a custom role for the user, select Role Based and select the Admin Role Profile. Otherwise, select Dynamic (default) and select a dynamic role. If the dynamic role is virtual system administrator, add one or more virtual systems that the virtual system administrator is allowed to manage.
5. (Optional) Select a Password Profile for local administrators. This option is available only if you set the Authentication Profile to None.
6. Click OK and Commit.
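
The following is an added example, not code from the guide or from PAN-OS, that reviews the administrator accounts in an exported configuration against the best practices in this section: one account per person with a scoped role rather than several superusers, and local-password accounts identified so that the Minimum Password Complexity settings and a password profile are applied to them. The configuration is constructed for the example and the hashes are placeholders; the element names (mgt-config/users/entry with phash, authentication-profile, public-key and permissions/role-based) follow the running-config layout as I recall it, so verify them against your own export before relying on the script. The dynamic role names it recognizes are the CLI access options listed under Configure an Admin Role Profile.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed export of the administrator section. Element names follow the
# running-config layout as I recall it; check them against a real export.
CONFIG = """<config>
  <mgt-config>
    <users>
      <entry name="admin">
        <phash>PLACEHOLDER-HASH</phash>
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="alice">
        <authentication-profile>corp-radius</authentication-profile>
        <permissions><role-based><custom><profile>secops-ro</profile></custom></role-based></permissions>
      </entry>
      <entry name="bob">
        <phash>PLACEHOLDER-HASH</phash>
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
      <entry name="svc-backup">
        <phash>PLACEHOLDER-HASH</phash>
        <public-key>UExBQ0VIT0xERVI=</public-key>
        <permissions><role-based><devicereader>yes</devicereader></role-based></permissions>
      </entry>
    </users>
  </mgt-config>
</config>
"""

# Dynamic roles, as named in the CLI access options of an Admin Role profile.
DYNAMIC_ROLES = ("superuser", "superreader", "deviceadmin", "devicereader",
                 "vsysadmin", "vsysreader")


@dataclass
class Admin:
    name: str
    role: str                     # a dynamic role name, "custom:<profile>", or "unknown"
    auth_profile: Optional[str]   # None means local authentication without a database
    has_local_password: bool
    has_ssh_key: bool


def parse_admins(config_xml: str) -> List[Admin]:
    """Extract each administrator account and how it is authorized and authenticated."""
    root = ET.fromstring(config_xml)
    admins = []
    for user in root.iterfind("mgt-config/users/entry"):
        role = "unknown"
        rb = user.find("permissions/role-based")
        if rb is not None:
            custom = rb.findtext("custom/profile")
            if custom:
                role = f"custom:{custom}"
            else:
                role = next((r for r in DYNAMIC_ROLES if rb.findtext(r) == "yes"), "unknown")
        admins.append(Admin(
            name=user.get("name"),
            role=role,
            auth_profile=user.findtext("authentication-profile"),
            has_local_password=user.find("phash") is not None,
            has_ssh_key=user.find("public-key") is not None,
        ))
    return admins


def findings(admins: List[Admin], max_superusers: int = 1) -> List[str]:
    """Least-privilege and password-policy observations, one string per finding."""
    out = []
    superusers = [a.name for a in admins if a.role == "superuser"]
    if len(superusers) > max_superusers:
        out.append(f"{len(superusers)} superuser accounts ({', '.join(superusers)}); "
                   "keep superuser for the break-glass account and give the others a scoped role")
    for a in admins:
        if a.auth_profile is None and a.has_local_password and not a.has_ssh_key:
            out.append(f"{a.name}: local password only (no authentication profile); "
                       "make sure Minimum Password Complexity and a password profile apply")
        if a.role == "unknown":
            out.append(f"{a.name}: no recognizable role; review the account")
    return out


if __name__ == "__main__":
    accounts = parse_admins(CONFIG)
    for a in accounts:
        print(f"{a.name:12} role={a.role:18} auth={a.auth_profile or 'local'}")
    for f in findings(accounts):
        print("finding:", f)
```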

Configure Kerberos SSO and External or Local Authentication for Administrators

You can configure the firewall to first try Kerberos single sign-on (SSO) authentication and, if that fails, fall back to External service or Local database authentication.

Configure Kerberos SSO and External or Local Authentication for Administrators

Step 1  Configure a Kerberos keytab for the firewall. Required for Kerberos SSO authentication.
Create a Kerberos keytab. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the firewall.

Step 2  Configure a local database or external server profile. Required for local database or external authentication.
- Local database authentication: Perform the following tasks:
  a. Configure the user account.
  b. (Optional) Configure a user group.
- External authentication: Perform one of the following tasks:
  - Configure a RADIUS Server Profile.
  - Configure a TACACS+ Server Profile.
  - Configure an LDAP Server Profile.
  - Configure a Kerberos Server Profile.

Step 3  Configure an authentication profile.
Configure an Authentication Profile and Sequence. If your users are in multiple Kerberos realms, create an authentication profile for each realm and assign all the profiles to an authentication sequence. You can then assign the same authentication sequence to all user accounts (Step 4).

Step 4  Configure an administrator account.
Configure an Administrative Account.
- For local database authentication, specify the Name of the user you defined in Step 2.
- Assign the Authentication Profile or sequence and the Admin Role Profile that you just created.

Configure Certificate-Based Administrator Authentication to the Web Interface

As a more secure alternative to password-based authentication to the web interface of a Palo Alto Networks firewall, you can configure certificate-based authentication for administrator accounts that are local to the firewall. Certificate-based authentication involves the exchange and verification of a digital signature instead of a password.

Configuring certificate-based authentication for any administrator disables the username/password logins for all administrators on the firewall; administrators thereafter require the certificate to log in.

Configure Certificate-Based Administrator Authentication to the Web Interface

Step 1  Generate a certificate authority (CA) certificate on the firewall. You will use this CA certificate to sign the client certificate of each administrator.
Create a Self-Signed Root CA Certificate. Alternatively, Import a Certificate and Private Key from your enterprise CA.

Step 2  Configure a certificate profile for securing access to the web interface.
Configure a Certificate Profile.
- Set the Username Field to Subject.
- In the CA Certificates section, Add the CA Certificate you just created or imported.

Step 3  Configure the firewall to use the certificate profile for authenticating administrators.
1. Select Device > Setup > Management and edit the Authentication Settings.
2. Select the Certificate Profile you created for authenticating administrators and click OK.

Step 4  Configure the administrator accounts to use client certificate authentication.
For each administrator who will access the firewall web interface, Configure an Administrative Account and select Use only client certificate authentication. If you have already deployed client certificates that your enterprise CA generated, skip to Step 8. Otherwise, go to Step 5.

Step 5  Generate a client certificate for each administrator.
Generate a Certificate. In the Signed By drop-down, select a self-signed root CA certificate.

Step 6  Export the client certificate.
1. Export a Certificate and Private Key.
2. Commit your changes. The firewall restarts and terminates your login session. Thereafter, administrators can access the web interface only from client systems that have the client certificate you generated.

Step 7  Import the client certificate into the client system of each administrator who will access the web interface.
Refer to your web browser documentation.

Step 8  Verify that administrators can access the web interface.
1. Open the firewall IP address in a browser on the computer that has the client certificate.
2. When prompted, select the certificate you imported and click OK. The browser displays a certificate warning.
3. Add the certificate to the browser exception list.
4. Click Login. The web interface should appear without prompting you for a username or password.


Configure SSH Key-Based Administrator Authentication to the CLI

For administrators who use Secure Shell (SSH) to access the CLI of a Palo Alto Networks firewall, SSH keys provide a more secure authentication method than passwords. SSH keys almost eliminate the risk of brute-force attacks, provide the option for two-factor authentication (key and passphrase), and don't send passwords over the network. SSH keys also enable automated scripts to access the CLI.

Configure SSH Key-Based Administrator Authentication to the CLI

Step 1: Use an SSH key generation tool to create an asymmetric key pair on the client system of the administrator. The supported key formats are IETF SECSH and OpenSSH. The supported algorithms are DSA (1,024 bits) and RSA (768-4,096 bits).
    For the commands to generate the key pair, refer to your SSH client documentation.
    The public key and private key are separate files. Save both to a location that the firewall can access. For added security, enter a passphrase to encrypt the private key. The firewall prompts the administrator for this passphrase during login.

Step 2: Configure the administrator account to use public key authentication.
    1. Configure an Administrative Account.
       Configure the authentication method to use as a fallback if SSH key authentication fails. If you configured an Authentication Profile for the administrator, select it in the drop-down. If you select None, you must enter a Password and Confirm Password.
       Select Use Public Key Authentication (SSH), then Import Key, Browse to the public key you just generated, and click OK.
    2. Commit your changes.

Step 3: Configure the SSH client to use the private key to authenticate to the firewall.
    Perform this task on the client system of the administrator. For the steps, refer to your SSH client documentation.

Step 4: Verify that the administrator can access the firewall CLI using SSH key authentication.
    1. Use a browser on the client system of the administrator to go to the firewall IP address.
    2. Log in to the firewall CLI as the administrator. After entering a username, you will see the following output (the key value is an example):
       Authenticating with public key dsa-key-20130415
    3. If prompted, enter the passphrase you defined when creating the keys.
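Step 1 states which key types and sizes the firewall accepts. The following added example (not Palo Alto Networks code) parses an OpenSSH-format public key line before you import it and checks that the key type and modulus size fall inside the ranges listed above. The key blobs used for testing are constructed from arbitrary integers and are not real key material; the function `build_test_pubkey` exists only to produce such constructed inputs.

```python
"""Check an OpenSSH-format public key against the key constraints this guide
states for PAN-OS SSH key authentication (RSA 768-4,096 bits, DSA 1,024 bits).

Added example, not Palo Alto Networks code. The key blobs used in the test are
constructed from arbitrary integers for format checking only; they are not
usable key material.
"""
import base64
import struct

# Constraints taken from Step 1 above: (minimum bits, maximum bits).
SUPPORTED = {
    "ssh-rsa": (768, 4096),
    "ssh-dss": (1024, 1024),
}


def _read_string(blob: bytes, offset: int):
    """Read one SSH 'string' (4-byte big-endian length + bytes) from blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string field")
    return blob[start:end], end


def _mpint_bits(raw: bytes) -> int:
    """Bit length of an SSH mpint (big-endian, may carry a leading 0x00 sign byte)."""
    return int.from_bytes(raw, "big").bit_length()


def parse_openssh_pubkey(line: str):
    """Return (key_type, bits, comment) for one '<type> <base64> [comment]' line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    blob_type, off = _read_string(blob, 0)
    if blob_type.decode() != key_type:
        raise ValueError("type prefix does not match type inside blob")
    if key_type == "ssh-rsa":
        _, off = _read_string(blob, off)      # public exponent e
        n, off = _read_string(blob, off)      # modulus n sets the key size
        bits = _mpint_bits(n)
    elif key_type == "ssh-dss":
        p, off = _read_string(blob, off)      # prime p sets the key size
        for _ in range(3):                    # q, g, y
            _, off = _read_string(blob, off)
        bits = _mpint_bits(p)
    else:
        raise ValueError(f"unsupported key type {key_type!r}")
    if off != len(blob):
        raise ValueError("trailing bytes after key fields")
    return key_type, bits, comment


def check_pubkey(line: str):
    """Return (ok, reason); ok is True only for a type and size the guide lists."""
    try:
        key_type, bits, _ = parse_openssh_pubkey(line)
    except ValueError as exc:
        return False, f"unparseable key: {exc}"
    low, high = SUPPORTED[key_type]
    if not low <= bits <= high:
        return False, f"{key_type} key is {bits} bits; supported range is {low}-{high}"
    return True, f"{key_type} {bits}-bit key accepted"


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    # One spare byte keeps the sign bit clear, as the mpint encoding requires.
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def build_test_pubkey(key_type: str, bits: int, comment: str = "constructed") -> str:
    """Build a syntactically valid key line whose size field is `bits` wide.
    The numbers are NOT real key material; constructed for format tests only."""
    top = 1 << (bits - 1)                     # forces an exact bit length
    if key_type == "ssh-rsa":
        fields = [b"ssh-rsa", _mpint(65537), _mpint(top | 1)]
    elif key_type == "ssh-dss":
        fields = [b"ssh-dss", _mpint(top | 1), _mpint((1 << 159) | 1), _mpint(2), _mpint(3)]
    else:
        raise ValueError(key_type)
    blob = _ssh_string(fields[0]) + b"".join(fields[1:])
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"
```

Run `check_pubkey` on the contents of the administrator's `.pub` file; a key in IETF SECSH (RFC 4716) format must first be converted to the OpenSSH one-line form, because only that layout is parsed here.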

Configure RADIUS Vendor-Specific Attributes for Administrator Authentication

The following procedure provides an overview of the tasks required to use RADIUS Vendor-Specific Attributes (VSAs) for administrator authentication to Palo Alto Networks firewalls. For detailed instructions, refer to the following Knowledge Base articles:
- For Windows 2003 Server, Windows 2008 (and later), and Cisco ACS 4.0: RADIUS Vendor-Specific Attributes (VSAs)
- For Cisco ACS 5.2: Configuring Cisco ACS 5.2 for use with Palo Alto VSA


Before starting this procedure, you must:
- Create the administrative accounts in the directory service that your network uses (for example, Active Directory).
- Set up a RADIUS server that can communicate with that directory service.

Use RADIUS Vendor-Specific Attributes for Account Authentication

Step 1: Configure the firewall.
    1. Configure an Admin Role Profile if the administrator will use a custom role.
    2. Configure an access domain if the firewall has more than one virtual system (vsys):
       a. Select Device > Access Domain, Add an access domain, and enter a Name to identify the access domain.
       b. Add each vsys that the administrator will access, and then click OK.
    3. Configure a RADIUS Server Profile.
    4. Configure an authentication profile. Set the authentication Type to RADIUS and assign the RADIUS Server Profile.
    5. Configure the firewall to use the authentication profile for administrator access: Select Device > Setup > Management, edit the Authentication Settings, and select the Authentication Profile.
    6. Click OK and Commit.

Step 2: Configure the RADIUS server.
    1. Add the firewall IP address or hostname as the RADIUS client.
    2. Define the VSAs for administrator authentication. You must specify the vendor code (25461 for Palo Alto Networks firewalls) and the VSA name, number, and value: see RADIUS Vendor-Specific Attributes Support.
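When a RADIUS login does not map to the expected role, the quickest check is whether the Access-Accept actually carried a Vendor-Specific attribute with vendor code 25461. The following added example (not Palo Alto Networks code) encodes and decodes the RFC 2865 Vendor-Specific attribute layout (attribute type 26) so you can build a reference packet or decode one captured from your RADIUS server. The vendor attribute number `1` and the value `ops-role` in the test are constructed placeholders; take the real VSA name, number and value from the RADIUS Vendor-Specific Attributes Support reference and the Knowledge Base articles cited above.

```python
"""Encode and decode RADIUS Vendor-Specific Attributes (RFC 2865 section 5.26,
attribute type 26) carrying the Palo Alto Networks vendor code 25461.

Added example, not Palo Alto Networks code. The vendor attribute number and
value used in the test are constructed placeholders; the real VSA name,
number and value come from the RADIUS Vendor-Specific Attributes Support
reference.
"""
import struct

PALO_ALTO_VENDOR_ID = 25461   # vendor code stated in Step 2 above
ATTR_VENDOR_SPECIFIC = 26     # RADIUS attribute type for VSAs
ATTR_USER_NAME = 1            # standard RADIUS User-Name attribute


def encode_vsa(vendor_type: int, value: bytes, vendor_id: int = PALO_ALTO_VENDOR_ID) -> bytes:
    """Build one VSA in the RFC 2865 layout:
    Type(26) | Length | Vendor-Id(4) | Vendor-Type(1) | Vendor-Length(1) | Value
    """
    if not 0 <= vendor_type <= 255:
        raise ValueError("vendor type must fit in one byte")
    vendor_len = 2 + len(value)                 # sub-attribute header + value
    if vendor_len > 255 - 6:                    # outer Length is one byte too
        raise ValueError("value too long for a single VSA")
    inner = struct.pack(">BB", vendor_type, vendor_len) + value
    return struct.pack(">BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Build a plain (non-vendor) RADIUS attribute: Type | Length | Value."""
    return struct.pack(">BB", attr_type, 2 + len(value)) + value


def decode_vsas(attrs: bytes):
    """Walk a RADIUS attribute list and return [(vendor_id, vendor_type, value), ...]
    for every well-formed Vendor-Specific attribute; other attributes are skipped.
    Malformed length fields raise ValueError rather than being silently accepted.
    """
    out = []
    off = 0
    while off < len(attrs):
        if off + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[off + 2:off + alen]
        off += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(body) < 6:
            continue
        (vendor_id,) = struct.unpack(">I", body[:4])
        vend = body[4:]
        while len(vend) >= 2:                   # a VSA may carry several sub-attributes
            vtype, vlen = vend[0], vend[1]
            if vlen < 2 or vlen > len(vend):
                raise ValueError("bad vendor sub-attribute length")
            out.append((vendor_id, vtype, vend[2:vlen]))
            vend = vend[vlen:]
    return out


def palo_alto_vsas(attrs: bytes):
    """Only the sub-attributes the firewall will consider: vendor ID 25461."""
    return [(t, v) for vid, t, v in decode_vsas(attrs) if vid == PALO_ALTO_VENDOR_ID]


# Constructed sample attribute list: a User-Name, a VSA from an unrelated
# vendor (ID 99999, placeholder), and a Palo Alto VSA with placeholder
# attribute number 1 and value b"ops-role".
SAMPLE_ATTRS = (
    encode_attr(ATTR_USER_NAME, b"admin")
    + encode_vsa(7, b"x", vendor_id=99999)
    + encode_vsa(1, b"ops-role")
)
```

`decode_vsas` takes the attribute region of a RADIUS packet (everything after the 20-byte header), so it can be pointed at the payload of a captured Access-Accept; `palo_alto_vsas` then shows exactly which vendor sub-attributes the firewall would see.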


Reference: Web Interface Administrator Access

You can configure privileges for an entire firewall or for one or more virtual systems (on platforms that support multiple virtual systems). Within that Device or Virtual System designation, you can configure privileges for custom administrator roles, which are more granular than the fixed privileges associated with a dynamic administrator role.

Configuring privileges at a granular level ensures that lower-level administrators cannot access certain information. You can create custom roles for firewall administrators (see Configure an Administrative Account), Panorama administrators, or Device Group and Template administrators (refer to the Panorama Administrator's Guide). You apply the admin role to a custom role-based administrator account where you can assign one or more virtual systems. The following topics describe the privileges you can configure for custom administrator roles.
- Web Interface Access Privileges
- Panorama Web Interface Access

Web Interface Access Privileges

If you want to prevent a role-based administrator from accessing specific tabs on the web interface, you can disable the tab and the administrator will not even see it when logging in using the associated role-based administrative account. For example, you could create an Admin Role Profile for your operations staff that provides access to the Device and Network tabs only and a separate profile for your security administrators that provides access to the Object, Policy, and Monitor tabs.

An admin role can apply at the Device level or Virtual System level; the choice is made in the Admin Role Profile by clicking the Device or Virtual System radio button. If the Virtual System button is selected, the admin assigned this profile is restricted to the virtual system(s) he or she is assigned to. Furthermore, only the Device > Setup > Services > Virtual Systems tab is available to that admin, not the Global tab.

The following table describes the tab-level access privileges you can assign to the admin role profile at the Device level. It also provides cross-references to additional tables that detail granular privileges within a tab.

You can also configure an Admin Role profile to:
- Define User Privacy Settings in the Administrator Role Profile
- Restrict Administrator Access to Commit Functions
- Restrict Administrator Access to Validate Functions
- Provide Granular Access to Global Settings

Access Level | Description | Enable | Read Only | Disable

Dashboard
    Enable: Yes | Read Only: No | Disable: Yes
    Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the tab and will not have access to any of the Dashboard widgets.


ACC
    Enable: Yes | Read Only: No | Disable: Yes
    Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab will not display in the web interface. Keep in mind that if you want to protect the privacy of your users while still providing access to the ACC, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option.

Monitor
    Enable: Yes | Read Only: No | Disable: Yes
    Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the Monitor tab and will not have access to any of the logs, packet captures, session information, reports or to App Scope. For more granular control over what monitoring information the administrator can see, leave the Monitor option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Monitor Tab.

Policies
    Enable: Yes | Read Only: No | Disable: Yes
    Controls access to the Policies tab. If you disable this privilege, the administrator will not see the Policies tab and will not have access to any policy information. For more granular control over what policy information the administrator can see, for example to enable access to a specific type of policy or to enable read-only access to policy information, leave the Policies option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Policy Tab.

Objects
    Enable: Yes | Read Only: No | Disable: Yes
    Controls access to the Objects tab. If you disable this privilege, the administrator will not see the Objects tab and will not have access to any objects, security profiles, log forwarding profiles, decryption profiles, or schedules. For more granular control over what objects the administrator can see, leave the Objects option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Objects Tab.

Network
    Enable: Yes | Read Only: No | Disable: Yes
    Controls access to the Network tab. If you disable this privilege, the administrator will not see the Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information or to the network profiles. For more granular control over what objects the administrator can see, leave the Network option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Network Tab.


Device
    Enable: Yes | Read Only: No | Disable: Yes
    Controls access to the Device tab. If you disable this privilege, the administrator will not see the Device tab and will not have access to any firewall-wide configuration information, such as User-ID, high availability, server profile or certificate configuration information. For more granular control over what objects the administrator can see, leave the Device option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Device Tab.
    Note: You cannot enable access to the Admin Roles or Administrators nodes for a role-based administrator even if you enable full access to the Device tab.

Provide Granular Access to the Monitor Tab

In some cases you might want to enable the administrator to view some but not all areas of the Monitor tab. For example, you might want to restrict operations administrators to the Config and System logs only, because they do not contain sensitive user data. Although this section of the administrator role definition specifies what areas of the Monitor tab the administrator can see, you can also couple privileges in this section with privacy privileges, such as disabling the ability to see user names in logs and reports. One thing to keep in mind, however, is that any system-generated reports will still show user names and IP addresses even if you disable that functionality in the role. For this reason, if you do not want the administrator to see any of the private user information, disable access to the specific reports as detailed in the following table.

The following table lists the Monitor tab access levels and the administrator roles for which they are available.

Note: Device Group and Template roles can see log data only for the device groups that are within the access domains assigned to those roles.

Access Level | Description | Administrator Role Availability | Enable | Read Only | Disable

Monitor
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Enables or disables access to the Monitor tab. If disabled, the administrator will not see this tab or any of the associated logs or reports.

Logs
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Enables or disables access to all log files. You can also leave this privilege enabled and then disable specific logs that you do not want the administrator to see. Keep in mind that if you want to protect the privacy of your users while still providing access to one or more of the logs, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option.

Traffic
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can see the traffic logs.

Threat
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can see the threat logs.

URL Filtering
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can see the URL filtering logs.

WildFire Submissions
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can see the WildFire logs. These logs are only available if you have a WildFire subscription.

Data Filtering
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can see the data filtering logs.

HIP Match
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can see the HIP Match logs. HIP Match logs are only available if you have a GlobalProtect portal license and gateway subscription.

Configuration
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: No
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can see the configuration logs.

System
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: No
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can see the system logs.

Alarms
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can see system-generated alarms.

Automated Correlation Engine
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Enables or disables access to the correlation objects and correlated event logs generated on the firewall.

Correlation Objects
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can view and enable/disable the correlation objects.

Correlated Events
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator


Packet Capture
    Availability: Firewall: Yes; Panorama: No; Device Group/Template: No
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can see packet captures (pcaps) from the Monitor tab. Keep in mind that packet captures are raw flow data and as such may contain user IP addresses. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in the pcap and you should therefore disable the Packet Capture privilege if you are concerned about user privacy.

App Scope
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can see the App Scope visibility and analysis tools. Enabling App Scope enables access to all of the App Scope charts.

Session Browser
    Availability: Firewall: Yes; Panorama: No; Device Group/Template: No
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can browse and filter current running sessions on the firewall. Keep in mind that the session browser shows raw flow data and as such may contain user IP addresses. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in the session browser and you should therefore disable the Session Browser privilege if you are concerned about user privacy.

Botnet
    Availability: Firewall: Yes; Panorama: No; Device Group/Template: No
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can generate and view botnet analysis reports or view botnet reports in read-only mode. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in scheduled botnet reports and you should therefore disable the Botnet privilege if you are concerned about user privacy.

PDF Reports
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Enables or disables access to all PDF reports. You can also leave this privilege enabled and then disable specific PDF reports that you do not want the administrator to see. Keep in mind that if you want to protect the privacy of your users while still providing access to one or more of the reports, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option.


Manage PDF Summary
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add or delete PDF summary report definitions. With read-only access, the administrator can see PDF summary report definitions, but not add or delete them. If you disable this option, the administrator can neither view the report definitions nor add/delete them.

PDF Summary Reports
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can see the generated PDF Summary reports in Monitor > Reports. If you disable this option, the PDF Summary Reports category will not display in the Reports node.

User Activity Report
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add or delete User Activity report definitions and download the reports. With read-only access, the administrator can see User Activity report definitions, but not add, delete, or download them. If you disable this option, the administrator cannot see this category of PDF report.

SaaS Application Usage Report
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add or delete a SaaS application usage report. With read-only access, the administrator can see the SaaS application usage report definitions, but cannot add or delete them. If you disable this option, the administrator can neither view the report definitions nor add or delete them.

Report Groups
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add or delete report group definitions. With read-only access, the administrator can see report group definitions, but not add or delete them. If you disable this option, the administrator cannot see this category of PDF report.

Email Scheduler
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can schedule report groups for email. Because the generated reports that get emailed may contain sensitive user data that is not removed by disabling the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports options, and because they may also show log data to which the administrator does not have access, you should disable the Email Scheduler option if you have user privacy requirements.


Manage Custom Reports
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Enables or disables access to all custom report functionality. You can also leave this privilege enabled and then disable specific custom report categories that you do not want the administrator to be able to access. Keep in mind that if you want to protect the privacy of your users while still providing access to one or more of the reports, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option.
    Note: Reports that are scheduled to run rather than run on demand will show IP address and user information. In this case, be sure to restrict access to the corresponding report areas. In addition, the custom report feature does not restrict the ability to generate reports that contain log data contained in logs that are excluded from the administrator role.

Application Statistics
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can create a custom report that includes data from the application statistics database.

Data Filtering Log
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can create a custom report that includes data from the Data Filtering logs.

Threat Log
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can create a custom report that includes data from the Threat logs.

Threat Summary
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can create a custom report that includes data from the Threat Summary database.

Traffic Log
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can create a custom report that includes data from the Traffic logs.

Traffic Summary
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can create a custom report that includes data from the Traffic Summary database.

URL Log
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can create a custom report that includes data from the URL Filtering logs.


Hipmatch
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can create a custom report that includes data from the HIP Match logs.

WildFire Log
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can create a custom report that includes data from the WildFire logs.

View Scheduled Custom Reports
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can view a custom report that has been scheduled to generate.

View Predefined Application Reports
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can view Application Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements.

View Predefined Threat Reports
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can view Threat Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements.

View Predefined URL Filtering Reports
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can view URL Filtering Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements.

View Predefined Traffic Reports
    Availability: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can view Traffic Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements.

Provide Granular Access to the Policy Tab

If you enable the Policy option in the Admin Role profile, you can then enable, disable, or provide read-only access to specific nodes within the tab as necessary for the role you are defining. By enabling access to a specific policy type, you enable the ability to view, add, or delete policy rules. By enabling read-only access to a specific policy, you enable the administrator to view the corresponding policy rulebase, but not add or delete rules. Disabling access to a specific type of policy prevents the administrator from seeing the policy rulebase.


Because policy that is based on specific users (by username or IP address) must be explicitly defined, privacy settings that disable the ability to see full IP addresses or user names do not apply to the Policy tab. Therefore, you should only allow access to the Policy tab to administrators that are excluded from user privacy restrictions.

Access Level | Description | Enable | Read Only | Disable

Security
    Enable: Yes | Read Only: Yes | Disable: Yes
    Enable this privilege to allow the administrator to view, add, and/or delete security rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the security rulebase, disable this privilege.

NAT
    Enable: Yes | Read Only: Yes | Disable: Yes
    Enable this privilege to allow the administrator to view, add, and/or delete NAT rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the NAT rulebase, disable this privilege.

QoS
    Enable: Yes | Read Only: Yes | Disable: Yes
    Enable this privilege to allow the administrator to view, add, and/or delete QoS rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the QoS rulebase, disable this privilege.

Policy Based Forwarding
    Enable: Yes | Read Only: Yes | Disable: Yes
    Enable this privilege to allow the administrator to view, add, and/or delete Policy Based Forwarding (PBF) rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the PBF rulebase, disable this privilege.

Decryption
    Enable: Yes | Read Only: Yes | Disable: Yes
    Enable this privilege to allow the administrator to view, add, and/or delete decryption rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the decryption rulebase, disable this privilege.

Application Override
    Enable: Yes | Read Only: Yes | Disable: Yes
    Enable this privilege to allow the administrator to view, add, and/or delete application override policy rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the application override rulebase, disable this privilege.

Captive Portal
    Enable: Yes | Read Only: Yes | Disable: Yes
    Enable this privilege to allow the administrator to view, add, and/or delete Captive Portal rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the Captive Portal rulebase, disable this privilege.


DoS Protection
    Enable: Yes | Read Only: Yes | Disable: Yes
    Enable this privilege to allow the administrator to view, add, and/or delete DoS protection rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the DoS protection rulebase, disable this privilege.
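The Monitor tab table and the Policy tab introduction above list several places where the Privacy > Show Full IP Addresses and Show User Names In Logs And Reports privileges do not hide user data (packet captures, the session browser, botnet and predefined reports, emailed reports, and the Policy tab itself), plus two hard constraints (tab-level privileges take no read-only state, and the Admin Roles and Administrators nodes can never be enabled for a role-based administrator). The following added example (not Palo Alto Networks code, and not the firewall's own validation) lints a proposed Admin Role profile against exactly those statements before you build it in the web interface. The profile is a plain dict constructed for illustration; the access-level names mirror the tables above and the `OPS_ROLE` sample is constructed.

```python
"""Lint a custom Admin Role profile against the privilege constraints and
user-privacy caveats stated in this reference (Monitor and Policies tabs).

Added example, not Palo Alto Networks code and not the firewall's own
validation. The profile is a plain dict constructed for illustration; the
option names mirror the access levels named in the tables above.
"""

ENABLE, READ_ONLY, DISABLE = "enable", "read-only", "disable"

# Tab-level privileges that the reference lists with "Read Only: No".
NO_READ_ONLY = {"Dashboard", "ACC", "Monitor", "Policies", "Objects", "Network", "Device"}

# Monitor-tab areas whose output still exposes IP addresses or user names even
# when the Privacy > Show Full IP Addresses / Show User Names In Logs And
# Reports privileges are disabled, per the table notes above.
PRIVACY_LEAKS = {
    "Packet Capture", "Session Browser", "Botnet", "Email Scheduler",
    "View Predefined Application Reports", "View Predefined Threat Reports",
    "View Predefined URL Filtering Reports", "View Predefined Traffic Reports",
}

# Device-tab nodes that cannot be enabled for a role-based administrator.
NEVER_ENABLED = {"Admin Roles", "Administrators"}


def privacy_restricted(profile: dict) -> bool:
    """The role is privacy-restricted when either privacy privilege is disabled."""
    privacy = profile.get("privacy", {})
    return (privacy.get("Show Full IP Addresses") == DISABLE
            or privacy.get("Show User Names In Logs And Reports") == DISABLE)


def lint_admin_role(profile: dict) -> list:
    """Return a list of findings (strings); an empty list means no issue found."""
    findings = []
    privs = profile.get("privileges", {})
    for name, state in privs.items():
        if state not in (ENABLE, READ_ONLY, DISABLE):
            findings.append(f"{name}: unknown state {state!r}")
        if name in NO_READ_ONLY and state == READ_ONLY:
            findings.append(f"{name}: read-only is not supported at the tab level")
        if name in NEVER_ENABLED and state != DISABLE:
            findings.append(f"{name}: cannot be enabled for a role-based administrator")
    if privacy_restricted(profile):
        for name in sorted(PRIVACY_LEAKS):
            if privs.get(name) in (ENABLE, READ_ONLY):
                findings.append(f"{name}: exposes user IPs/names despite privacy settings; disable it")
        if privs.get("Policies") == ENABLE:
            findings.append("Policies: privacy settings do not apply to the Policies tab; "
                            "grant it only to admins excluded from privacy restrictions")
    return findings


# Constructed sample: an operations role meant to see only Config and System logs.
OPS_ROLE = {
    "privacy": {
        "Show Full IP Addresses": DISABLE,
        "Show User Names In Logs And Reports": DISABLE,
    },
    "privileges": {
        "Dashboard": ENABLE,
        "Monitor": ENABLE,
        "Traffic": DISABLE,
        "Configuration": ENABLE,
        "System": ENABLE,
        "Packet Capture": ENABLE,     # a leak: pcaps carry raw IP addresses
        "Session Browser": DISABLE,
        "Policies": READ_ONLY,        # not a supported tab-level state
        "Device": ENABLE,
        "Administrators": ENABLE,     # never allowed for a role-based admin
    },
}

if __name__ == "__main__":
    for finding in lint_admin_role(OPS_ROLE):
        print(finding)
```

Running it on `OPS_ROLE` reports the packet-capture leak, the unsupported read-only state on the Policies tab, and the Administrators node; fixing those three is what the tables above require before the role meets its privacy intent.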

Provide Granular Access to the Objects Tab

An object is a container that groups specific policy filter values such as IP addresses, URLs, applications, or services for simplified rule definition. For example, an address object might contain specific IP address definitions for the web and application servers in your DMZ zone.

When deciding whether to allow access to the Objects tab as a whole, determine whether the administrator will have policy definition responsibilities. If not, the administrator probably does not need access to the tab. If, however, the administrator will need to create policy, you can enable access to the tab and then provide granular access privileges at the node level.

By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the corresponding object type. Giving read-only access allows the administrator to view the already-defined objects, but not create or delete any. Disabling a node prevents the administrator from seeing the node in the web interface.

Access Level | Description | Enable | Read Only | Disable

Addresses
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete address objects for use in security policy.

Address Groups
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete address group objects for use in security policy.

Regions
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete regions objects for use in security, decryption, or DoS policy.

Applications
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete application objects for use in policy.

Application Groups
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete application group objects for use in policy.

Application Filters
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete application filters for simplification of repeated searches.

Services
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete service objects for use in creating policy rules that limit the port numbers an application can use.

Service Groups
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete service group objects for use in security policy.

Tags
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete tags that have been defined on the firewall.


GlobalProtect
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can view, add, or delete HIP objects and profiles. You can restrict access to both types of objects at the GlobalProtect level, or provide more granular control by enabling the GlobalProtect privilege and restricting HIP Object or HIP Profile access.

HIP Objects
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete HIP objects, which are used to define HIP profiles. HIP Objects also generate HIP Match logs.

HIP Profiles
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete HIP Profiles for use in security policy and/or for generating HIP Match logs.

Dynamic Block Lists
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete dynamic block lists for use in security policy.

Custom Objects
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can see the custom spyware and vulnerability signatures. You can restrict access to either enable or disable access to all custom signatures at this level, or provide more granular control by enabling the Custom Objects privilege and then restricting access to each type of signature.

Data Patterns
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete custom data pattern signatures for use in creating custom Vulnerability Protection profiles.

Spyware
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete custom spyware signatures for use in creating custom Vulnerability Protection profiles.

Vulnerability
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete custom vulnerability signatures for use in creating custom Vulnerability Protection profiles.

URL Category
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete custom URL categories for use in policy.

Security Profiles
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can see security profiles. You can restrict access to either enable or disable access to all security profiles at this level, or provide more granular control by enabling the Security Profiles privilege and then restricting access to each type of profile.

Antivirus
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete antivirus profiles.

Anti-Spyware
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete Anti-Spyware profiles.

Vulnerability Protection
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete Vulnerability Protection profiles.


URL Filtering
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete URL filtering profiles.

File Blocking
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete file blocking profiles.

Data Filtering
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete data filtering profiles.

DoS Protection
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete DoS protection profiles.

Security Profile Groups
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete security profile groups.

Log Forwarding
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete log forwarding profiles.

Decryption Profile
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete decryption profiles.

Schedules
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete schedules for limiting a security policy to a specific date and/or time range.

Provide Granular Access to the Network Tab

When deciding whether to allow access to the Network tab as a whole, determine whether the administrator will have network administration responsibilities, including GlobalProtect administration. If not, the administrator probably does not need access to the tab.

You can also define access to the Network tab at the node level. By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the corresponding network configurations. Giving read-only access allows the administrator to view the already-defined configuration, but not create or delete any. Disabling a node prevents the administrator from seeing the node in the web interface.

Access Level | Description | Enable | Read Only | Disable

Interfaces
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete interface configurations.

Zones
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete zones.

VLANs
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete VLANs.

Virtual Wires
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, or delete virtual wires.

Virtual Routers
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, modify, or delete virtual routers.

IPSec Tunnels
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, modify, or delete IPSec Tunnel configurations.


DHCP
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, modify, or delete DHCP server and DHCP relay configurations.

DNS Proxy
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, modify, or delete DNS proxy configurations.

GlobalProtect
    Enable: Yes | Read Only: No | Disable: Yes
    Specifies whether the administrator can view, add, or modify GlobalProtect portal and gateway configurations. You can disable access to the GlobalProtect functions entirely, or you can enable the GlobalProtect privilege and then restrict the role to either the portal or gateway configuration areas.

Portals
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, modify, or delete GlobalProtect portal configurations.

Gateways
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, modify, or delete GlobalProtect gateway configurations.

MDM
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, modify, or delete GlobalProtect MDM server configurations.

Device Block List
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, modify, or delete device block lists.

QoS
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, modify, or delete QoS configurations.

LLDP
    Enable: Yes | Read Only: Yes | Disable: Yes
    Specifies whether the administrator can view, add, modify, or delete LLDP configurations.

Network Profiles
    Enable: Yes | Read Only: No | Disable: Yes
    Sets the default state to enable or disable for all of the Network settings described below.

IKE Gateways
    Enable: Yes | Read Only: Yes | Disable: Yes
    Controls access to the Network Profiles > IKE Gateways node. If you disable this privilege, the administrator will not see the IKE Gateways node or define gateways that include the configuration information necessary to perform IKE protocol negotiation with a peer gateway.
    If the privilege state is set to read-only, you can view the currently configured IKE Gateways but cannot add or edit gateways.

GlobalProtect IPSec Crypto
    Enable: Yes | Read Only: Yes | Disable: Yes
    Controls access to the Network Profiles > GlobalProtect IPSec Crypto node.
    If you disable this privilege, the administrator will not see that node, or configure algorithms for authentication and encryption in VPN tunnels between a GlobalProtect gateway and clients.
    If you set the privilege to read-only, the administrator can view existing GlobalProtect IPSec Crypto profiles but cannot add or edit them.

| IPSec Crypto | Controls access to the Network Profiles > IPSec Crypto node. If you disable this privilege, the administrator will not see the Network Profiles > IPSec Crypto node or specify protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPSec SA negotiation. If the privilege state is set to read-only, you can view the currently configured IPSec Crypto configuration but cannot add or edit a configuration. | Yes | Yes | Yes |
| IKE Crypto | Controls how devices exchange information to ensure secure communication. Specify the protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPsec SA negotiation (IKEv1 Phase 1). | Yes | Yes | Yes |
| Monitor | Controls access to the Network Profiles > Monitor node. If you disable this privilege, the administrator will not see the Network Profiles > Monitor node or be able to create or edit a monitor profile that is used to monitor IPSec tunnels and monitor a next-hop device for policy-based forwarding (PBF) rules. If the privilege state is set to read-only, you can view the currently configured monitor profile configuration but cannot add or edit a configuration. | Yes | Yes | Yes |
| Interface Mgmt | Controls access to the Network Profiles > Interface Mgmt node. If you disable this privilege, the administrator will not see the Network Profiles > Interface Mgmt node or be able to specify the protocols that are used to manage the firewall. If the privilege state is set to read-only, you can view the currently configured Interface Management profile configuration but cannot add or edit a configuration. | Yes | Yes | Yes |
| Zone Protection | Controls access to the Network Profiles > Zone Protection node. If you disable this privilege, the administrator will not see the Network Profiles > Zone Protection node or be able to configure a profile that determines how the firewall responds to attacks from specified security zones. If the privilege state is set to read-only, you can view the currently configured Zone Protection profile configuration but cannot add or edit a configuration. | Yes | Yes | Yes |
| QoS Profile | Controls access to the Network Profiles > QoS node. If you disable this privilege, the administrator will not see the Network Profiles > QoS node or be able to configure a QoS profile that determines how QoS traffic classes are treated. If the privilege state is set to read-only, you can view the currently configured QoS profile configuration but cannot add or edit a configuration. | Yes | Yes | Yes |
| LLDP Profile | Controls access to the Network Profiles > LLDP node. If you disable this privilege, the administrator will not see the Network Profiles > LLDP node or be able to configure an LLDP profile that controls whether the interfaces on the firewall can participate in the Link Layer Discovery Protocol. If the privilege state is set to read-only, you can view the currently configured LLDP profile configuration but cannot add or edit a configuration. | Yes | Yes | Yes |
| BFD Profile | Controls access to the Network Profiles > BFD Profile node. If you disable this privilege, the administrator will not see the Network Profiles > BFD Profile node or be able to configure a BFD profile. A Bidirectional Forwarding Detection (BFD) profile allows you to configure BFD settings to apply to one or more static routes or routing protocols. Thus, BFD detects a failed link or BFD peer and allows an extremely fast failover. If the privilege state is set to read-only, you can view the currently configured BFD profile but cannot add or edit a BFD profile. | Yes | Yes | Yes |

Provide Granular Access to the Device Tab

| Access Level | Description | Enable | Read Only | Disable |
|---|---|---|---|---|
| Setup | Controls access to the Setup node. If you disable this privilege, the administrator will not see the Setup node or have access to firewall-wide setup configuration information, such as Management, Operations, Service, Content-ID, WildFire or Session setup information. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes |
| Management | Controls access to the Management node. If you disable this privilege, the administrator will not be able to configure settings such as the hostname, domain, time zone, authentication, logging and reporting, Panorama, management interface, banner, message, and password complexity settings, and more. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes |
| Operations | Controls access to the Operations node. If you disable this privilege, the administrator will not be able to manage configuration files, or reboot or shut down the firewall, among other things. | Yes | Yes | Yes |
| Services | Controls access to the Services node. If you disable this privilege, the administrator will not be able to configure services for DNS servers, an update server, proxy server, or NTP servers, or set up service routes. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes |
| Content-ID | Controls access to the Content-ID node. If you disable this privilege, the administrator will not be able to configure URL filtering or Content-ID. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes |
| WildFire | Controls access to the WildFire node. If you disable this privilege, the administrator will not be able to configure WildFire settings. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes |
| Session | Controls access to the Session node. If you disable this privilege, the administrator will not be able to configure session settings or timeouts for TCP, UDP or ICMP, or configure decryption or VPN session settings. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes |
| HSM | Controls access to the HSM node. If you disable this privilege, the administrator will not be able to configure a Hardware Security Module. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes |
| Config Audit | Controls access to the Config Audit node. If you disable this privilege, the administrator will not see the Config Audit node or have access to any firewall-wide configuration information. | Yes | No | Yes |
| Admin Roles | Controls access to the Admin Roles node. This function can only be allowed for read-only access. If you disable this privilege, the administrator will not see the Admin Roles node or have access to any firewall-wide information concerning Admin Role profiles configuration. If you set this privilege to read-only, you can view the configuration information for all administrator roles configured on the firewall. | No | Yes | Yes |
| Administrators | Controls access to the Administrators node. This function can only be allowed for read-only access. If you disable this privilege, the administrator will not see the Administrators node or have access to information about their own administrator account. If you set this privilege to read-only, the administrator can view the configuration information for their own administrator account. They will not see any information about other administrator accounts configured on the firewall. | No | Yes | Yes |
| Virtual Systems | Controls access to the Virtual Systems node. If you disable this privilege, the administrator will not see or be able to configure virtual systems. If the privilege state is set to read-only, you can view the currently configured virtual systems but cannot add or edit a configuration. | Yes | Yes | Yes |
| Shared Gateways | Controls access to the Shared Gateways node. Shared gateways allow virtual systems to share a common interface for external communications. If you disable this privilege, the administrator will not see or be able to configure shared gateways. If the privilege state is set to read-only, you can view the currently configured shared gateways but cannot add or edit a configuration. | Yes | Yes | Yes |
| User Identification | Controls access to the User Identification node. If you disable this privilege, the administrator will not see the User Identification node or have access to firewall-wide User Identification configuration information, such as User Mapping, User-ID Agents, Service, Terminal Services Agents, Group Mappings Settings or Captive Portal Settings. If you set this privilege to read-only, the administrator can view configuration information for the firewall but is not allowed to perform any configuration procedures. | Yes | Yes | Yes |
| VM Information Source | Controls access to the VM Information Source node that allows you to configure the firewall/Windows User-ID agent to collect VM inventory automatically. If you disable this privilege, the administrator will not see the VM Information Source node. If you set this privilege to read-only, the administrator can view the VM information sources configured but cannot add, edit, or delete any sources. This privilege is not available to Device Group and Template administrators. | Yes | Yes | Yes |
| High Availability | Controls access to the High Availability node. If you disable this privilege, the administrator will not see the High Availability node or have access to firewall-wide high availability configuration information such as General setup information or Link and Path Monitoring. If you set this privilege to read-only, the administrator can view High Availability configuration information for the firewall but is not allowed to perform any configuration procedures. | Yes | Yes | Yes |
| Certificate Management | Sets the default state to enable or disable for all of the Certificate settings described below. | Yes | No | Yes |
| Certificates | Controls access to the Certificates node. If you disable this privilege, the administrator will not see the Certificates node or be able to configure or access information regarding Device Certificates or Default Trusted Certificate Authorities. If you set this privilege to read-only, the administrator can view Certificate configuration information for the firewall but is not allowed to perform any configuration procedures. | Yes | Yes | Yes |
| Certificate Profile | Controls access to the Certificate Profile node. If you disable this privilege, the administrator will not see the Certificate Profile node or be able to create certificate profiles. If you set this privilege to read-only, the administrator can view Certificate Profiles that are currently configured for the firewall but is not allowed to create or edit a certificate profile. | Yes | Yes | Yes |
| OCSP Responder | Controls access to the OCSP Responder node. If you disable this privilege, the administrator will not see the OCSP Responder node or be able to define a server that will be used to verify the revocation status of certificates issued by the firewall. If you set this privilege to read-only, the administrator can view the OCSP Responder configuration for the firewall but is not allowed to create or edit an OCSP responder configuration. | Yes | Yes | Yes |
| SSL/TLS Service Profile | Controls access to the SSL/TLS Service Profile node. If you disable this privilege, the administrator will not see the node or configure a profile that specifies a certificate and a protocol version or range of versions for firewall services that use SSL/TLS. If you set this privilege to read-only, the administrator can view existing SSL/TLS Service profiles but cannot create or edit them. | Yes | Yes | Yes |
| SCEP | Controls access to the SCEP node. If you disable this privilege, the administrator will not see the node or be able to define a profile that specifies Simple Certificate Enrollment Protocol (SCEP) settings for issuing unique device certificates. If you set this privilege to read-only, the administrator can view existing SCEP profiles but cannot create or edit them. | Yes | Yes | Yes |
| Response Pages | Controls access to the Response Pages node. If you disable this privilege, the administrator will not see the Response Page node or be able to define a custom HTML message that is downloaded and displayed instead of a requested web page or file. If you set this privilege to read-only, the administrator can view the Response Page configuration for the firewall but is not allowed to create or edit a response page configuration. | Yes | Yes | Yes |
| Log Settings | Sets the default state to enable or disable for all of the Log settings described below. | Yes | No | Yes |
| System | Controls access to the Log Settings > System node. If you disable this privilege, the administrator will not see the Log Settings > System node or be able to specify the severity levels of the system log entries that are logged remotely with Panorama and sent as SNMP traps, syslog messages, and/or email notifications. If you set this privilege to read-only, the administrator can view the Log Settings > System configuration for the firewall but is not allowed to create or edit a configuration. | Yes | Yes | Yes |
| Config | Controls access to the Log Settings > Config node. If you disable this privilege, the administrator will not see the Log Settings > Config node or be able to specify the configuration log entries that are logged remotely with Panorama, and sent as syslog messages and/or email notification. If you set this privilege to read-only, the administrator can view the Log Settings > Config configuration for the firewall but is not allowed to create or edit a configuration. | Yes | Yes | Yes |
| HIP Match | Controls access to the Log Settings > HIP Match node. If you disable this privilege, the administrator will not see the Log Settings > HIP Match node or be able to specify the Host Information Profile (HIP) match log settings that are used to provide information on security rules that apply to GlobalProtect clients. If you set this privilege to read-only, the administrator can view the Log Settings > HIP configuration for the firewall but is not allowed to create or edit a configuration. | Yes | Yes | Yes |
| Alarms | Controls access to the Log Settings > Alarms node. If you disable this privilege, the administrator will not see the Log Settings > Alarms node or be able to configure notifications that are generated when a security rule (or group of rules) has been hit repeatedly in a set period of time. If you set this privilege to read-only, the administrator can view the Log Settings > Alarms configuration for the firewall but is not allowed to create or edit a configuration. | Yes | Yes | Yes |
| Manage Logs | Controls access to the Log Settings > Manage Logs node. If you disable this privilege, the administrator will not see the Log Settings > Manage Logs node or be able to clear the indicated logs. If you set this privilege to read-only, the administrator can view the Log Settings > Manage Logs information but cannot clear any of the logs. | Yes | Yes | Yes |
| Server Profiles | Sets the default state to enable or disable for all of the Server Profiles settings described below. | Yes | No | Yes |
| SNMP Trap | Controls access to the Server Profiles > SNMP Trap node. If you disable this privilege, the administrator will not see the Server Profiles > SNMP Trap node or be able to specify one or more SNMP trap destinations to be used for system log entries. If you set this privilege to read-only, the administrator can view the Server Profiles > SNMP Trap Logs information but cannot specify SNMP trap destinations. | Yes | Yes | Yes |
| Syslog | Controls access to the Server Profiles > Syslog node. If you disable this privilege, the administrator will not see the Server Profiles > Syslog node or be able to specify one or more syslog servers. If you set this privilege to read-only, the administrator can view the Server Profiles > Syslog information but cannot specify syslog servers. | Yes | Yes | Yes |
| Email | Controls access to the Server Profiles > Email node. If you disable this privilege, the administrator will not see the Server Profiles > Email node or be able to configure an email profile that can be used to enable email notification for system and configuration log entries. If you set this privilege to read-only, the administrator can view the Server Profiles > Email information but cannot configure an email profile. | Yes | Yes | Yes |
| Netflow | Controls access to the Server Profiles > Netflow node. If you disable this privilege, the administrator will not see the Server Profiles > Netflow node or be able to define a NetFlow server profile, which specifies the frequency of the export along with the NetFlow servers that will receive the exported data. If you set this privilege to read-only, the administrator can view the Server Profiles > Netflow information but cannot define a Netflow profile. | Yes | Yes | Yes |
| RADIUS | Controls access to the Server Profiles > RADIUS node. If you disable this privilege, the administrator will not see the Server Profiles > RADIUS node or be able to configure settings for the RADIUS servers that are identified in authentication profiles. If you set this privilege to read-only, the administrator can view the Server Profiles > RADIUS information but cannot configure settings for the RADIUS servers. | Yes | Yes | Yes |
| TACACS+ | Controls access to the Server Profiles > TACACS+ node. If you disable this privilege, the administrator will not see the node or configure settings for the TACACS+ servers that authentication profiles reference. If you set this privilege to read-only, the administrator can view existing TACACS+ server profiles but cannot add or edit them. | Yes | Yes | Yes |
| LDAP | Controls access to the Server Profiles > LDAP node. If you disable this privilege, the administrator will not see the Server Profiles > LDAP node or be able to configure settings for the LDAP servers to use for authentication by way of authentication profiles. If you set this privilege to read-only, the administrator can view the Server Profiles > LDAP information but cannot configure settings for the LDAP servers. | Yes | Yes | Yes |
| Kerberos | Controls access to the Server Profiles > Kerberos node. If you disable this privilege, the administrator will not see the Server Profiles > Kerberos node or configure a Kerberos server that allows users to authenticate natively to a domain controller. If you set this privilege to read-only, the administrator can view the Server Profiles > Kerberos information but cannot configure settings for Kerberos servers. | Yes | Yes | Yes |
| Local User Database | Sets the default state to enable or disable for all of the Local User Database settings described below. | Yes | No | Yes |
| Users | Controls access to the Local User Database > Users node. If you disable this privilege, the administrator will not see the Local User Database > Users node or set up a local database on the firewall to store authentication information for remote access users, firewall administrators, and captive portal users. If you set this privilege to read-only, the administrator can view the Local User Database > Users information but cannot set up a local database on the firewall to store authentication information. | Yes | Yes | Yes |
| User Groups | Controls access to the Local User Database > Users node. If you disable this privilege, the administrator will not see the Local User Database > Users node or be able to add user group information to the local database. If you set this privilege to read-only, the administrator can view the Local User Database > Users information but cannot add user group information to the local database. | Yes | Yes | Yes |
| Authentication Profile | Controls access to the Authentication Profile node. If you disable this privilege, the administrator will not see the Authentication Profile node or be able to create or edit authentication profiles that specify local database, RADIUS, TACACS+, LDAP, or Kerberos settings that can be assigned to administrator accounts. If you set this privilege to read-only, the administrator can view the Authentication Profile information but cannot create or edit an authentication profile. | Yes | Yes | Yes |
| Authentication Sequence | Controls access to the Authentication Sequence node. If you disable this privilege, the administrator will not see the Authentication Sequence node or be able to create or edit an authentication sequence. If you set this privilege to read-only, the administrator can view the Authentication Profile information but cannot create or edit an authentication sequence. | Yes | Yes | Yes |
| Access Domain | Controls access to the Access Domain node. If you disable this privilege, the administrator will not see the Access Domain node or be able to create or edit an access domain. If you set this privilege to read-only, the administrator can view the Access Domain information but cannot create or edit an access domain. | Yes | Yes | Yes |
| Scheduled Log Export | Controls access to the Scheduled Log Export node. If you disable this privilege, the administrator will not see the Scheduled Log Export node or be able to schedule exports of logs and save them to a File Transfer Protocol (FTP) server in CSV format or use Secure Copy (SCP) to securely transfer data between the firewall and a remote host. If you set this privilege to read-only, the administrator can view the Scheduled Log Export Profile information but cannot schedule the export of logs. | Yes | No | Yes |
| Software | Controls access to the Software node. If you disable this privilege, the administrator will not see the Software node or view the latest versions of the PAN-OS software available from Palo Alto Networks, read the release notes for each version, and select a release to download and install. If you set this privilege to read-only, the administrator can view the Software information but cannot download or install software. | Yes | Yes | Yes |
| GlobalProtect Client | Controls access to the GlobalProtect Client node. If you disable this privilege, the administrator will not see the GlobalProtect Client node or view available GlobalProtect releases, download the code or activate the GlobalProtect agent. If you set this privilege to read-only, the administrator can view the available GlobalProtect Client releases but cannot download or install the agent software. | Yes | Yes | Yes |
| Dynamic Updates | Controls access to the Dynamic Updates node. If you disable this privilege, the administrator will not see the Dynamic Updates node or be able to view the latest updates, read the release notes for each update, or select an update to upload and install. If you set this privilege to read-only, the administrator can view the available Dynamic Updates releases and read the release notes but cannot upload or install the software. | Yes | Yes | Yes |
| Licenses | Controls access to the Licenses node. If you disable this privilege, the administrator will not see the Licenses node or be able to view the licenses installed or activate licenses. If you set this privilege to read-only, the administrator can view the installed Licenses, but cannot perform license management functions. | Yes | Yes | Yes |
| Support | Controls access to the Support node. If you disable this privilege, the administrator will not see the Support node or be able to access product and security alerts from Palo Alto Networks or generate tech support or stats dump files. If you set this privilege to read-only, the administrator can view the Support node and access product and security alerts but cannot generate tech support or stats dump files. | Yes | Yes | Yes |
| Master Key and Diagnostics | Controls access to the Master Key and Diagnostics node. If you disable this privilege, the administrator will not see the Master Key and Diagnostics node or be able to specify a master key to encrypt private keys on the firewall. If you set this privilege to read-only, the administrator can view the Master Key and Diagnostics node and view information about master keys that have been specified but cannot add or edit a new master key configuration. | Yes | Yes | Yes |

Define User Privacy Settings in the Administrator Role Profile

| Access Level | Description | Enable | Read Only | Disable |
|---|---|---|---|---|
| Privacy | Sets the default state to enable or disable for all of the privacy settings described below. | Yes | N/A | Yes |
| Show Full IP addresses | When disabled, full IP addresses obtained by traffic running through the Palo Alto firewall are not shown in logs or reports. In place of the IP addresses that are normally displayed, the relevant subnet is displayed. Scheduled reports that are displayed in the interface through Monitor > Reports and reports that are sent via scheduled emails will still display full IP addresses. Because of this exception, we recommend that the following settings within the Monitor tab be set to disable: Custom Reports, Application Reports, Threat Reports, URL Filtering Reports, Traffic Reports and Email Scheduler. | Yes | N/A | Yes |
| Show User Names in Logs and Reports | When disabled, user names obtained by traffic running through the Palo Alto Networks firewall are not shown in logs or reports. Columns where the user names would normally be displayed are empty. Scheduled reports that are displayed in the interface through Monitor > Reports or reports that are sent via the email scheduler will still display user names. Because of this exception, we recommend that the following settings within the Monitor tab be set to disable: Custom Reports, Application Reports, Threat Reports, URL Filtering Reports, Traffic Reports and Email Scheduler. | Yes | N/A | Yes |
| View PCAP Files | When disabled, packet capture files that are normally available within the Traffic, Threat and Data Filtering logs are not displayed. | Yes | N/A | Yes |

Restrict Administrator Access to Commit Functions

| Access Level | Description | Enable | Read Only | Disable |
|---|---|---|---|---|
| Commit | When disabled, an administrator cannot commit any changes to a configuration. | Yes | N/A | Yes |

Restrict Administrator Access to Validate Functions

| Access Level | Description | Enable | Read Only | Disable |
|---|---|---|---|---|
| Validate | When disabled, an administrator cannot validate a configuration. | Yes | N/A | Yes |

Provide Granular Access to Global Settings

| Access Level | Description | Enable | Read Only | Disable |
|---|---|---|---|---|
| Global | Sets the default state to enable or disable for all of the global settings described below. In effect, this setting is only for System Alarms at this time. | Yes | N/A | Yes |
| System Alarms | When disabled, an administrator cannot view or acknowledge alarms that are generated. | Yes | N/A | Yes |
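The per-node rules in the tables above (which states each node permits, parent nodes that set the default for the nodes beneath them, and the privacy caveat that scheduled and emailed reports still show full IP addresses and user names) can be checked mechanically before a custom role is committed. This is an added example, not Palo Alto Networks code: the dict layout, the enable default for unset nodes, and treating an enabled child under a disabled parent as inconsistent are assumptions of the example; node names follow the tables in this section.

```python
"""Check a custom administrator role against the privilege rules in this section's
PAN-OS 7.1 access tables. Added example, not Palo Alto Networks code: a role is a
constructed dict of node name -> "enable" | "read-only" | "disable"; the PAN-OS
configuration format itself is not modelled."""
from typing import Dict, List

ENABLE, READ_ONLY, DISABLE = "enable", "read-only", "disable"
ALL = frozenset({ENABLE, READ_ONLY, DISABLE})
NO_READ_ONLY = frozenset({ENABLE, DISABLE})  # read-only column is "No" or "N/A"

# Permitted states per node (a subset of the tables above).
ALLOWED: Dict[str, frozenset] = {
    # Network tab
    "Interfaces": ALL, "Zones": ALL, "IPSec Tunnels": ALL, "GlobalProtect": NO_READ_ONLY,
    "Portals": ALL, "Gateways": ALL, "MDM": ALL, "Network Profiles": NO_READ_ONLY,
    "IKE Gateways": ALL, "IPSec Crypto": ALL, "IKE Crypto": ALL, "Zone Protection": ALL,
    # Device tab
    "Setup": ALL, "Operations": ALL, "Config Audit": NO_READ_ONLY,
    "Admin Roles": frozenset({READ_ONLY, DISABLE}),
    "Administrators": frozenset({READ_ONLY, DISABLE}),
    "Certificate Management": NO_READ_ONLY, "Certificates": ALL, "Certificate Profile": ALL,
    "Log Settings": NO_READ_ONLY, "System": ALL, "Config": ALL,
    "Server Profiles": NO_READ_ONLY, "Syslog": ALL, "Scheduled Log Export": NO_READ_ONLY,
    # Privacy, commit and validate settings
    "Privacy": NO_READ_ONLY, "Show Full IP addresses": NO_READ_ONLY,
    "Show User Names in Logs and Reports": NO_READ_ONLY, "View PCAP Files": NO_READ_ONLY,
    "Commit": NO_READ_ONLY, "Validate": NO_READ_ONLY,
}

# Nodes whose parent "sets the default state" for them when they are not set.
PARENT: Dict[str, str] = {
    "Portals": "GlobalProtect", "Gateways": "GlobalProtect", "MDM": "GlobalProtect",
    "IKE Gateways": "Network Profiles", "IPSec Crypto": "Network Profiles",
    "IKE Crypto": "Network Profiles", "Zone Protection": "Network Profiles",
    "Certificates": "Certificate Management", "Certificate Profile": "Certificate Management",
    "System": "Log Settings", "Config": "Log Settings", "Syslog": "Server Profiles",
    "Show Full IP addresses": "Privacy", "Show User Names in Logs and Reports": "Privacy",
    "View PCAP Files": "Privacy",
}

# Monitor-tab report privileges the privacy table says to disable as well, because
# scheduled and emailed reports still show full IP addresses and user names. Their
# own permitted states are in the Monitor tab table and are not modelled here.
REPORT_NODES = ("Custom Reports", "Application Reports", "Threat Reports",
                "URL Filtering Reports", "Traffic Reports", "Email Scheduler")
PRIVACY_NODES = ("Show Full IP addresses", "Show User Names in Logs and Reports")


def effective_state(role: Dict[str, str], node: str) -> str:
    """Explicit state, else the parent's effective state. A node with neither is
    treated as enabled; that fallback is this example's assumption, not the tables'."""
    if node in role:
        return role[node]
    parent = PARENT.get(node)
    return effective_state(role, parent) if parent else ENABLE


def privacy_gaps(role: Dict[str, str]) -> Dict[str, List[str]]:
    """Report nodes not disabled while a privacy setting is, mapped to what they bypass."""
    hidden = [p for p in PRIVACY_NODES if effective_state(role, p) == DISABLE]
    if not hidden:
        return {}
    return {r: hidden for r in REPORT_NODES if effective_state(role, r) != DISABLE}


def validate_role(role: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the role is consistent."""
    findings: List[str] = []
    for node, state in role.items():
        if node in REPORT_NODES:
            continue
        if node not in ALLOWED:
            findings.append(f"{node}: unknown node")
            continue
        if state not in ALLOWED[node]:
            findings.append(f"{node}: '{state}' not permitted (allowed: "
                            + ", ".join(sorted(ALLOWED[node])) + ")")
        parent = PARENT.get(node)
        # Disabling a parent removes the whole group (GlobalProtect "entirely"), so a
        # child left enabled under it is flagged; that reading is this example's.
        if parent and state != DISABLE and effective_state(role, parent) == DISABLE:
            findings.append(f"{node}: '{state}' under disabled parent {parent}")
    for report, bypassed in privacy_gaps(role).items():
        findings.append(f"{report}: scheduled and emailed reports still show data "
                        "hidden by " + " and ".join(bypassed))
    return findings


# Constructed sample role with three deliberate problems.
EXAMPLE_ROLE: Dict[str, str] = {
    "Admin Roles": ENABLE,      # only read-only or disable is permitted
    "GlobalProtect": DISABLE,
    "Portals": ENABLE,          # enabled under a disabled parent
    "Privacy": DISABLE,         # both privacy settings inherit disable
    "Traffic Reports": ENABLE,  # left enabled, so reports still reveal IPs and users
    "Commit": DISABLE,
    **{r: DISABLE for r in REPORT_NODES if r != "Traffic Reports"},
}

if __name__ == "__main__":
    for finding in validate_role(EXAMPLE_ROLE):
        print(finding)
```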


Provide Granular Access to the Panorama Tab

The following table lists the Panorama tab access levels and the custom Panorama administrator roles for which they are available. Firewall administrators cannot access any of these privileges.

| Access Level | Description | Administrator Role Availability | Enable | Read Only | Disable |
|---|---|---|---|---|---|
| Setup | Specifies whether the administrator can view or edit Panorama setup information, such as Management, Operations, Services, WildFire, or HSM. If you set the privilege to read-only, the administrator can see the information but cannot edit it. If you disable this privilege, the administrator cannot see or edit the information. | Panorama: Yes. Device Group/Template: No | Yes | Yes | Yes |
| High Availability | Specifies whether the administrator can view and manage high availability (HA) settings for the Panorama management server. If you set this privilege to read-only, the administrator can view HA configuration information for the Panorama management server but can't manage the configuration. If you disable this privilege, the administrator can't see or manage HA configuration settings for the Panorama management server. | Panorama: Yes. Device Group/Template: No | Yes | Yes | Yes |
| Config Audit | Specifies whether the administrator can run Panorama configuration audits. If you disable this privilege, the administrator can't run Panorama configuration audits. | Panorama: Yes. Device Group/Template: No | Yes | No | Yes |
| Administrators | Specifies whether the administrator can view Panorama administrator account details. You can't enable full access to this function: just read-only access. (Only Panorama administrators with a dynamic role can add, edit, or delete Panorama administrators.) With read-only access, the administrator can see information about his or her own account but no other Panorama administrator accounts. If you disable this privilege, the administrator can't see information about any Panorama administrator account, including his or her own. | Panorama: Yes. Device Group/Template: No | No | Yes | Yes |
| Admin Roles | Specifies whether the administrator can view Panorama administrator roles. You can't enable full access to this function: just read-only access. (Only Panorama administrators with a dynamic role can add, edit, or delete custom Panorama roles.) With read-only access, the administrator can see Panorama administrator role configurations but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama administrator roles. | Panorama: Yes. Device Group/Template: No | No | Yes | Yes |
| Access Domain | Specifies whether the administrator can view, add, edit, delete, or clone access domain configurations for Panorama administrators. (This privilege controls access only to the configuration of access domains, not access to the device groups, templates, and firewall contexts that are assigned to access domains.) If you set this privilege to read-only, the administrator can view Panorama access domain configurations but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama access domain configurations. | Panorama: Yes. Device Group/Template: No. You assign access domains to Device Group and Template administrators so they can access the configuration and monitoring data within the device groups, templates, and firewall contexts that are assigned to those access domains. | Yes | Yes | Yes |
| Authentication Profile | Specifies whether the administrator can view, add, edit, delete, or clone authentication profiles for Panorama administrators. If you set this privilege to read-only, the administrator can view Panorama authentication profiles but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama authentication profiles. | Panorama: Yes. Device Group/Template: No | Yes | Yes | Yes |
| Authentication Sequence | Specifies whether the administrator can view, add, edit, delete, or clone authentication sequences for Panorama administrators. If you set this privilege to read-only, the administrator can view Panorama authentication sequences but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama authentication sequences. | Panorama: Yes. Device Group/Template: No | Yes | Yes | Yes |
| Managed Devices | Specifies whether the administrator can view, add, edit, tag, or delete firewalls as managed devices, and install software or content updates on them. If you set this privilege to read-only, the administrator can see managed firewalls but can't add, delete, tag, or install updates on them. If you disable this privilege, the administrator can't view, add, edit, tag, delete, or install updates on managed firewalls. This privilege applies only to the Panorama > Managed Devices page. An administrator with Device Deployment privileges can still use the Panorama > Device Deployment pages to install updates on managed firewalls. | Panorama: Yes. Device Group/Template: Yes | Yes | Yes (No for Device Group and Template roles) | Yes |

Templates
    Description: Specifies whether the administrator can view, edit, add, or delete templates and template stacks. If you set the privilege to read-only, the administrator can see template and stack configurations but can't manage them. If you disable this privilege, the administrator can't see or manage template and stack configurations.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes (Device Group and Template administrators can see only the templates and stacks that are within the access domains assigned to those administrators)
    Enable: Yes  |  Read Only: Yes (No for Device Group and Template admins)  |  Disable: Yes

Device Groups
    Description: Specifies whether the administrator can view, edit, add, or delete device groups. If you set this privilege to read-only, the administrator can see device group configurations but can't manage them. If you disable this privilege, the administrator can't see or manage device group configurations.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes (Device Group and Template administrators can access only the device groups that are within the access domains assigned to those administrators)
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

Managed Collectors
    Description: Specifies whether the administrator can view, edit, add, or delete managed collectors. If you set this privilege to read-only, the administrator can see managed collector configurations but can't manage them. If you disable this privilege, the administrator can't view, edit, add, or delete managed collector configurations.
    Note: This privilege applies only to the Panorama > Managed Collectors page. An administrator with Device Deployment privileges can still use the Panorama > Device Deployment pages to install updates on managed collectors.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

Collector Groups
    Description: Specifies whether the administrator can view, edit, add, or delete Collector Groups. If you set this privilege to read-only, the administrator can see Collector Groups but can't manage them. If you disable this privilege, the administrator can't see or manage Collector Groups.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes


VMware Service Manager
    Description: Specifies whether the administrator can view and edit VMware Service Manager settings. If you set this privilege to read-only, the administrator can see the settings but can't perform any related configuration or operational procedures. If you disable this privilege, the administrator can't see the settings or perform any related configuration or operational procedures.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

Certificate Management
    Description: Sets the default state, enabled or disabled, for all of the Panorama certificate management privileges.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: No  |  Disable: Yes

Certificates
    Description: Specifies whether the administrator can view, edit, generate, delete, revoke, renew, or export certificates. This privilege also specifies whether the administrator can import or export HA keys. If you set this privilege to read-only, the administrator can see Panorama certificates but can't manage the certificates or HA keys. If you disable this privilege, the administrator can't see or manage Panorama certificates or HA keys.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

Certificate Profile
    Description: Specifies whether the administrator can view, add, edit, delete, or clone Panorama certificate profiles. If you set this privilege to read-only, the administrator can see Panorama certificate profiles but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama certificate profiles.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

SSL/TLS Service Profile
    Description: Specifies whether the administrator can view, add, edit, delete, or clone SSL/TLS Service profiles. If you set this privilege to read-only, the administrator can see SSL/TLS Service profiles but can't manage them. If you disable this privilege, the administrator can't see or manage SSL/TLS Service profiles.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes


Log Settings
    Description: Sets the default state, enabled or disabled, for all the log setting privileges.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: No  |  Disable: Yes

System
    Description: Specifies whether the administrator can see and configure the settings that control the forwarding of System logs to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the System log forwarding settings but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
    Note: On a Panorama M-Series appliance, this privilege pertains only to System logs that Panorama generates. On a Panorama virtual appliance, this privilege applies to System logs that Panorama generates and to System logs that Panorama collects from firewalls. The Panorama > Collector Groups page controls the forwarding of System logs that an M-Series appliance collects from firewalls. The Device > Log Settings page controls the forwarding of System logs directly from firewalls to external services (without aggregation on Panorama).
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes


Config
    Description: Specifies whether the administrator can see and configure the settings that control the forwarding of Config logs to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the Config log forwarding settings but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
    Note: On a Panorama M-Series appliance, this privilege pertains only to Config logs that Panorama generates. On a Panorama virtual appliance, this privilege applies to Config logs that Panorama generates and to Config logs that Panorama collects from firewalls. The Panorama > Collector Groups page controls the forwarding of Config logs that an M-Series appliance collects from firewalls. The Device > Log Settings page controls the forwarding of Config logs directly from firewalls to external services (without aggregation on Panorama).
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes


HIP Match
    Description: Specifies whether the administrator can see and configure the settings that control the forwarding of HIP Match logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of HIP Match logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
    Note: The Panorama > Collector Groups page controls the forwarding of HIP Match logs from a Panorama M-Series appliance. The Device > Log Settings page controls the forwarding of HIP Match logs directly from firewalls to external services (without aggregation on Panorama).
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

Correlation
    Description: Specifies whether the administrator can see and configure the settings that control the forwarding of Correlation logs to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the Correlation log forwarding settings but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
    Note: The Panorama > Collector Groups page controls the forwarding of Correlation logs from a Panorama M-Series appliance. The Device > Log Settings page controls the forwarding of Correlation logs directly from firewalls to external services (without aggregation on Panorama).
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes


Traffic
    Description: Specifies whether the administrator can see and configure the settings that control the forwarding of Traffic logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of Traffic logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
    Note: The Panorama > Collector Groups page controls the forwarding of Traffic logs from a Panorama M-Series appliance. The Objects > Log Forwarding page controls the forwarding of Traffic logs directly from firewalls to external services (without aggregation on Panorama).
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

Threat
    Description: Specifies whether the administrator can see and configure the settings that control the forwarding of Threat logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of Threat logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
    Note: The Panorama > Collector Groups page controls the forwarding of Threat logs from a Panorama M-Series appliance. The Objects > Log Forwarding page controls the forwarding of Threat logs directly from firewalls to external services (without aggregation on Panorama).
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes


WildFire
    Description: Specifies whether the administrator can see and configure the settings that control the forwarding of WildFire logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of WildFire logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
    Note: The Panorama > Collector Groups page controls the forwarding of WildFire logs from a Panorama M-Series appliance. The Objects > Log Forwarding page controls the forwarding of WildFire logs directly from firewalls to external services (without aggregation on Panorama).
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

Server Profiles
    Description: Sets the default state, enabled or disabled, for all the server profile privileges.
    Note: These privileges pertain only to the server profiles that are used for forwarding logs that Panorama generates or collects from firewalls and the server profiles that are used for authenticating Panorama administrators. The Device > Server Profiles pages control the server profiles that are used for forwarding logs directly from firewalls to external services (without aggregation on Panorama) and for authenticating firewall administrators.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: No  |  Disable: Yes

SNMP Trap
    Description: Specifies whether the administrator can see and configure SNMP trap server profiles. If you set this privilege to read-only, the administrator can see SNMP trap server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage SNMP trap server profiles.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes


Syslog
    Description: Specifies whether the administrator can see and configure Syslog server profiles. If you set this privilege to read-only, the administrator can see Syslog server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage Syslog server profiles.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

Email
    Description: Specifies whether the administrator can see and configure email server profiles. If you set this privilege to read-only, the administrator can see email server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage email server profiles.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

RADIUS
    Description: Specifies whether the administrator can see and configure the RADIUS server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can see the RADIUS server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage the RADIUS server profiles.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

TACACS+
    Description: Specifies whether the administrator can see and configure the TACACS+ server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can view existing TACACS+ server profiles but can't add or edit them. If you disable this privilege, the administrator can't see the node or configure settings for the TACACS+ servers that authentication profiles reference.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes


LDAP
    Description: Specifies whether the administrator can see and configure the LDAP server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can see the LDAP server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage the LDAP server profiles.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

Kerberos
    Description: Specifies whether the administrator can see and configure the Kerberos server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can see the Kerberos server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage the Kerberos server profiles.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

Scheduled Config Export
    Description: Specifies whether the administrator can view, add, edit, delete, or clone scheduled Panorama configuration exports. If you set this privilege to read-only, the administrator can view the scheduled exports but can't manage them. If you disable this privilege, the administrator can't see or manage the scheduled exports.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: No  |  Disable: Yes


Software
    Description: Specifies whether the administrator can: view information about Panorama software updates; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can view information about Panorama software updates and view the associated release notes but can't perform any related operations. If you disable this privilege, the administrator can't see Panorama software updates, see the associated release notes, or perform any related operations.
    Note: This privilege pertains only to software installed on a Panorama management server. The Panorama > Device Deployment > Software page controls access to PAN-OS software deployed on firewalls and Panorama software deployed on Dedicated Log Collectors.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

Dynamic Updates
    Description: Specifies whether the administrator can: view information about Panorama content updates (for example, WildFire updates); download, upload, install, or revert the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can view information about Panorama content updates and view the associated release notes but can't perform any related operations. If you disable this privilege, the administrator can't see Panorama content updates, see the associated release notes, or perform any related operations.
    Note: This privilege pertains only to content updates installed on a Panorama management server. The Panorama > Device Deployment > Dynamic Updates page controls access to content updates deployed on firewalls and Dedicated Log Collectors.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes


Support
    Description: Specifies whether the administrator can: view Panorama support license information, product alerts, and security alerts; activate a support license; generate Tech Support files; and manage cases. If you set this privilege to read-only, the administrator can view Panorama support information, product alerts, and security alerts, but can't activate a support license, generate Tech Support files, or manage cases. If you disable this privilege, the administrator can't see Panorama support information, product alerts, or security alerts, and can't activate a support license, generate Tech Support files, or manage cases.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

Device Deployment
    Description: Sets the default state, enabled or disabled, for all the device deployment privileges.
    Note: These privileges pertain only to software and content updates that Panorama administrators deploy on firewalls and Dedicated Log Collectors. The Panorama > Software and Panorama > Dynamic Updates pages control the software and content updates installed on a Panorama management server.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
    Enable: Yes  |  Read Only: No  |  Disable: Yes

Software
    Description: Specifies whether the administrator can: view information about the software updates installed on firewalls and Log Collectors; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about the software updates and view the associated release notes but can't deploy the updates to firewalls or Dedicated Log Collectors. If you disable this privilege, the administrator can't see information about the software updates, see the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes


SSL VPN Client
    Description: Specifies whether the administrator can: view information about SSL VPN client software updates on firewalls; download, upload, or activate the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about SSL VPN client software updates and view the associated release notes but can't activate the updates on firewalls. If you disable this privilege, the administrator can't see information about SSL VPN client software updates, see the associated release notes, or activate the updates on firewalls.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

GlobalProtect Client
    Description: Specifies whether the administrator can: view information about GlobalProtect agent/app software updates on firewalls; download, upload, or activate the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about GlobalProtect agent/app software updates and view the associated release notes but can't activate the updates on firewalls. If you disable this privilege, the administrator can't see information about GlobalProtect agent/app software updates, see the associated release notes, or activate the updates on firewalls.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes


Dynamic Updates
    Description: Specifies whether the administrator can: view information about the content updates (for example, Applications updates) installed on firewalls and Dedicated Log Collectors; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about the content updates and view the associated release notes but can't deploy the updates to firewalls or Dedicated Log Collectors. If you disable this privilege, the administrator can't see information about the content updates, see the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

Licenses
    Description: Specifies whether the administrator can view, refresh, and activate firewall licenses. If you set this privilege to read-only, the administrator can view firewall licenses but can't refresh or activate those licenses. If you disable this privilege, the administrator can't view, refresh, or activate firewall licenses.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

Master Key and Diagnostics
    Description: Specifies whether the administrator can view and configure a master key by which to encrypt private keys on Panorama. If you set this privilege to read-only, the administrator can view the Panorama master key configuration but can't change it. If you disable this privilege, the administrator can't see or edit the Panorama master key configuration.
    Administrator Role Availability: Panorama: Yes; Device Group/Template: No
    Enable: Yes  |  Read Only: Yes  |  Disable: Yes

Panorama Web Interface Access

Custom Panorama administrator roles let you define access to the options on Panorama, or restrict an administrator to Device Groups and Templates only (the Policies, Objects, Network, and Device tabs).


The administrator roles you can create are Panorama and Device Group and Template. You can't assign CLI access privileges to a Device Group and Template Admin Role profile. If you assign superuser privileges for the CLI to a Panorama Admin Role profile, administrators with that role can access all features regardless of the web interface privileges you assign.
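Two caveats on this page are easy to miss in a least-privilege review: the Managed Devices and Managed Collectors notes in the table above say that Device Deployment privileges still let an administrator install updates even when those nodes are read-only or disabled, and the paragraph above says CLI superuser on a Panorama role overrides every web-interface restriction. The Python script below is an added example, not code from the guide or from Palo Alto Networks: it models the privilege tree the table describes (parent nodes setting child defaults, Panorama-only nodes, nodes that offer no read-only state to Device Group and Template roles) and flags roles whose effective capability is wider than the node-by-node settings suggest. The privilege keys, the assumption that unspecified nodes default to enabled, and the sample roles are all constructed for the example; the guide defines no machine-readable role format.

```python
"""Least-privilege audit of Panorama custom Admin Role profiles.

Added example, not from the PAN-OS guide. It encodes the privilege
semantics the reference table describes: parent nodes set the default for
their children, Device Deployment pages bypass a read-only/disabled
Managed Devices or Managed Collectors node, CLI superuser overrides all web
privileges, and Device Group and Template roles get neither CLI access nor
the Panorama-only nodes. Privilege keys and sample roles are constructed.
"""
from __future__ import annotations

ENABLE, READ_ONLY, DISABLE = "enable", "read-only", "disable"

# Parent node -> children whose default state it sets (parents have no Read Only).
PARENTS: dict[str, list[str]] = {
    "certificate-management": ["certificates", "certificate-profile", "ssl-tls-service-profile"],
    "log-settings": ["system", "config", "hip-match", "correlation", "traffic", "threat", "wildfire"],
    "server-profiles": ["snmp-trap", "syslog", "email", "radius", "tacacs+", "ldap", "kerberos"],
    "device-deployment": ["deploy-software", "deploy-ssl-vpn-client",
                          "deploy-globalprotect-client", "deploy-dynamic-updates", "licenses"],
}

# Nodes whose availability is "Device Group/Template: No".
PANORAMA_ONLY = {
    "authentication-profile", "authentication-sequence", "managed-collectors", "collector-groups",
    "vmware-service-manager", "scheduled-config-export", "software", "dynamic-updates", "support",
    "master-key-and-diagnostics", "certificate-management", "log-settings", "server-profiles",
} | set(PARENTS["certificate-management"] + PARENTS["log-settings"] + PARENTS["server-profiles"])

# Nodes where Read Only is "No for Device Group and Template" roles.
NO_READ_ONLY_FOR_DGT = {"managed-devices", "templates"}

# Device Deployment pages that install updates regardless of the Managed
# Devices (firewalls) or Managed Collectors (Log Collectors) setting.
FIREWALL_UPDATE_PATHS = {"deploy-software", "deploy-dynamic-updates"}
COLLECTOR_UPDATE_PATHS = {"deploy-software"}


def resolve(role_type: str, privileges: dict[str, str]) -> dict[str, str]:
    """Expand a sparse privilege map: children inherit their parent's state
    unless set explicitly (unspecified parents assumed enabled); Panorama-only
    nodes are treated as disabled for Device Group and Template roles."""
    resolved: dict[str, str] = {}
    for parent, children in PARENTS.items():
        state = privileges.get(parent, ENABLE)
        resolved[parent] = DISABLE if state == DISABLE else ENABLE
        for child in children:
            resolved[child] = privileges.get(child, resolved[parent])
    for name, state in privileges.items():
        resolved.setdefault(name, state)
    if role_type == "device-group-template":
        for name in PANORAMA_ONLY:
            resolved[name] = DISABLE
    return resolved


def audit(name: str, role_type: str, privileges: dict[str, str], cli: str = "none") -> list[str]:
    """Return findings where effective capability exceeds the visible setting."""
    p = resolve(role_type, privileges)
    findings: list[str] = []

    if role_type == "device-group-template" and cli != "none":
        findings.append(f"{name}: CLI access cannot be assigned to a Device Group and Template role")
    if role_type == "panorama" and cli == "superuser":
        findings.append(f"{name}: CLI superuser overrides every web-interface restriction in this role")
    if role_type == "device-group-template":
        for node in sorted(NO_READ_ONLY_FOR_DGT):
            if p.get(node) == READ_ONLY:
                findings.append(f"{name}: read-only is not offered for '{node}' on this role type")

    md = p.get("managed-devices")
    if md in (READ_ONLY, DISABLE):
        paths = sorted(x for x in FIREWALL_UPDATE_PATHS if p.get(x) == ENABLE)
        if paths:
            findings.append(f"{name}: managed-devices is {md}, but updates can still be installed "
                            f"on firewalls via Device Deployment: {', '.join(paths)}")
    mc = p.get("managed-collectors")
    if mc in (READ_ONLY, DISABLE):
        paths = sorted(x for x in COLLECTOR_UPDATE_PATHS if p.get(x) == ENABLE)
        if paths:
            findings.append(f"{name}: managed-collectors is {mc}, but software can still be "
                            f"installed on Log Collectors via Device Deployment: {', '.join(paths)}")
    return findings


# Constructed sample roles: (role type, CLI privilege, explicit node states).
SAMPLE_ROLES = {
    "noc-viewer": ("panorama", "none", {"managed-devices": READ_ONLY, "device-deployment": ENABLE}),
    "helpdesk": ("panorama", "superuser", {"managed-devices": DISABLE, "device-deployment": DISABLE}),
    "branch-dgt": ("device-group-template", "none",
                   {"managed-devices": READ_ONLY, "device-deployment": DISABLE}),
    "patcher": ("panorama", "none", {"managed-devices": ENABLE, "managed-collectors": ENABLE,
                                     "device-deployment": ENABLE}),
    "cert-ops": ("panorama", "none", {"certificate-management": DISABLE, "certificates": ENABLE,
                                      "managed-devices": ENABLE, "device-deployment": DISABLE}),
}


def audit_all(roles=SAMPLE_ROLES) -> dict[str, list[str]]:
    return {n: audit(n, rt, privs, cli) for n, (rt, cli, privs) in roles.items()}


if __name__ == "__main__":
    for role_name, found in audit_all().items():
        print(role_name, "->", found or ["no findings"])
```

Feed it the node states you see under Panorama > Admin Roles; a finding means the restriction visible on one page is not the restriction the administrator actually has. The noc-viewer role in the sample is the typical trap: Managed Devices read-only looks like a viewer, but Device Deployment left enabled still lets it push software and content to every managed firewall.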

Access Level | Description | Enable | Read Only | Disable

Dashboard
    Description: Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the tab and will not have access to any of the Dashboard widgets.
    Enable: Yes  |  Read Only: No  |  Disable: Yes

ACC
    Description: Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab will not display in the web interface. Keep in mind that if you want to protect the privacy of your users while still providing access to the ACC, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option.
    Enable: Yes  |  Read Only: No  |  Disable: Yes

Monitor
    Description: Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the Monitor tab and will not have access to any of the logs, packet captures, session information, reports, or to App Scope. For more granular control over what monitoring information the administrator can see, leave the Monitor option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Monitor Tab.
    Enable: Yes  |  Read Only: No  |  Disable: Yes

Policies
    Description: Controls access to the Policies tab. If you disable this privilege, the administrator will not see the Policies tab and will not have access to any policy information. For more granular control over what policy information the administrator can see, for example to enable access to a specific type of policy or to enable read-only access to policy information, leave the Policies option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Policy Tab.
    Enable: Yes  |  Read Only: No  |  Disable: Yes

Objects
    Description: Controls access to the Objects tab. If you disable this privilege, the administrator will not see the Objects tab and will not have access to any objects, security profiles, log forwarding profiles, decryption profiles, or schedules. For more granular control over what objects the administrator can see, leave the Objects option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Objects Tab.
    Enable: Yes  |  Read Only: No  |  Disable: Yes


Network
    Description: Controls access to the Network tab. If you disable this privilege, the administrator will not see the Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information or to the network profiles. For more granular control over what objects the administrator can see, leave the Network option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Network Tab.
    Enable: Yes  |  Read Only: No  |  Disable: Yes

Device
    Description: Controls access to the Device tab. If you disable this privilege, the administrator will not see the Device tab and will not have access to any firewall-wide configuration information, such as User-ID, High Availability, server profile, or certificate configuration information. For more granular control over what objects the administrator can see, leave the Device option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Device Tab.
    Note: You can't enable access to the Admin Roles or Administrators nodes for a role-based administrator even if you enable full access to the Device tab.
    Enable: Yes  |  Read Only: No  |  Disable: Yes

Panorama
    Description: Controls access to the Panorama tab. If you disable this privilege, the administrator will not see the Panorama tab and will not have access to any Panorama-wide configuration information, such as Managed Devices, Managed Collectors, or Collector Groups. For more granular control over what objects the administrator can see, leave the Panorama option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Panorama Tab.
    Enable: Yes  |  Read Only: No  |  Disable: Yes

Privacy
    Description: Controls access to the privacy settings described in Define User Privacy Settings in the Administrator Role Profile.
    Enable: Yes  |  Read Only: No  |  Disable: Yes

Validate
    Description: When disabled, an administrator cannot validate a configuration.
    Enable: Yes  |  Read Only: No  |  Disable: Yes

Commit
    Description: Sets the default state (enabled or disabled) for all the commit settings described below (Panorama, Device Groups, Templates, Force Template Values, Collector Groups).
    Enable: Yes  |  Read Only: No  |  Disable: Yes

Commit > Panorama
    Description: When disabled, an administrator cannot commit changes to the Panorama configuration.
    Enable: Yes  |  Read Only: No  |  Disable: Yes

Commit > Device Groups
    Description: When disabled, an administrator cannot commit changes to device groups.
    Enable: Yes  |  Read Only: No  |  Disable: Yes


Commit > Templates
    Description: When disabled, an administrator cannot commit changes to templates.
    Enable: Yes  |  Read Only: No  |  Disable: Yes

Commit > Force Template Values
    Description: This privilege controls access to the Force Template Values option in the Commit dialog. When disabled, an administrator cannot replace overridden settings in local firewall configurations with settings that Panorama pushes from a template.
    Enable: Yes  |  Read Only: No  |  Disable: Yes

Commit > Collector Groups
    Description: When disabled, an administrator cannot commit changes to Collector Groups.
    Enable: Yes  |  Read Only: No  |  Disable: Yes

Global
    Description: Controls access to the global settings (system alarms) described in Provide Granular Access to Global Settings.
    Enable: Yes  |  Read Only: No  |  Disable: Yes



Reference: Port Number Usage    Firewall Administration

Reference: Port Number Usage

The following tables list the ports that firewalls and Panorama use to communicate with each other, or with other services on the network.
    Ports Used for Management Functions
    Ports Used for HA
    Ports Used for Panorama
    Ports Used for User-ID

Ports Used for Management Functions

Destination Port      Protocol          Description
22                    TCP               Used for communication from a client system to the firewall CLI interface.
80                    TCP               The port the firewall listens on for Online Certificate Status Protocol (OCSP) updates when acting as an OCSP responder.
123                   UDP               Port the firewall uses for NTP updates.
443                   TCP               Used for communication from a client system to the firewall web interface. This is also the port the firewall and User-ID agent listen on for VM Information source updates. For monitoring an AWS environment, this is the only port that is used. For monitoring a VMware vCenter/ESXi environment, the listening port defaults to 443, but it is configurable.
162                   UDP               Port the firewall, Panorama, or a Log Collector uses to forward traps to an SNMP manager. Note: This port doesn't need to be open on the Palo Alto Networks firewall. You must configure the Simple Network Management Protocol (SNMP) manager to listen on this port. For details, refer to the documentation of your SNMP management software.
161                   UDP               Port the firewall listens on for polling requests (GET messages) from the SNMP manager.
514 / 514 / 6514      TCP / UDP / SSL   Port that the firewall, Panorama, or a Log Collector uses to send logs to a syslog server if you Configure Syslog Monitoring, and the ports that the PAN-OS integrated User-ID agent or Windows-based User-ID agent listens on for authentication syslog messages if you Configure User-ID to Receive User Mappings from a Syslog Sender.
2055                  UDP               Default port the firewall uses to send NetFlow records to a NetFlow collector if you Configure NetFlow Exports, but this is configurable.


5008                  TCP               Port the GlobalProtect Mobile Security Manager listens on for HIP requests from the GlobalProtect gateways. If you are using a third-party MDM system, you can configure the gateway to use a different port as required by the MDM vendor.
6080 / 6081 / 6082    TCP               Ports used for Captive Portal: 6080 for NT LAN Manager (NTLM) authentication, 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode.

Ports Used for HA

Firewalls configured as High Availability (HA) peers must be able to communicate with each other to maintain state information (HA1 control link) and synchronize data (HA2 data link). In Active/Active HA deployments the peer firewalls must also forward packets to the HA peer that owns the session. The HA3 link is a Layer 2 (MAC-in-MAC) link and it does not support Layer 3 addressing or encryption.

Destination Port      Protocol    Description
28769 / 28260         TCP         Used for the HA1 control link for clear text communication between the HA peer firewalls. The HA1 link is a Layer 3 link and requires an IP address.
28                    TCP         Used for the HA1 control link for encrypted communication (SSH over TCP) between the HA peer firewalls.
28770                 TCP         Listening port for HA1 backup links.
28771                 TCP         Used for heartbeat backups. Palo Alto Networks recommends enabling heartbeat backup on the MGT interface if you use an in-band port for the HA1 or the HA1 backup links.
99 / 29281            IP / UDP    Used for the HA2 link to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active firewall (Active/Passive) or active-primary (Active/Active) to the passive firewall (Active/Passive) or active-secondary (Active/Active). The HA2 link is a Layer 2 link, and it uses ethertype 0x7261 by default. The HA data link can also be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.

Ports Used for Panorama

Destination Port               Protocol    Description
22                             TCP         Used for communication from a client system to the Panorama CLI interface.
443                            TCP         Used for communication from a client system to the Panorama web interface.


3978                           TCP         Used for communication between Panorama and managed firewalls or managed collectors, as well as for communication among managed collectors in a Collector Group. For communication between Panorama and firewalls, this is a bidirectional connection on which the firewalls forward logs to Panorama and Panorama pushes configuration changes to the firewalls; context switching commands are sent over the same connection. Log Collectors use this destination port to forward logs to Panorama. It is also used for communication with the default Log Collector on an M-Series appliance in Panorama mode and with Dedicated Log Collectors (M-Series appliances in Log Collector mode).
28769 (5.1 and later)          TCP         Used for the HA connectivity and synchronization between Panorama HA peers using clear text communication. Communication can be initiated by either peer.
28260 (5.0 and later)          TCP         (same as above)
49160 (5.0 and earlier)        TCP         (same as above)
28                             TCP         Used for the HA connectivity and synchronization between Panorama HA peers using encrypted communication (SSH over TCP). Communication can be initiated by either peer.
28270 (6.0 and later)          TCP         Used for communication among Log Collectors in a Collector Group for log distribution.
49190 (5.1 and earlier)        TCP         (same as above)
2049                           TCP         Used by the Panorama virtual appliance to write logs to the NFS datastore.
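A practical use of the three port tables above is to check that a device's management interface exposes only what its role needs, and that nothing else has been stood up on it. The Python script below is an added example, not code from the guide or from Palo Alto Networks. It parses nmap-style port lines for a management interface (the scan output is constructed), compares them with the listener ports the tables list for a firewall or for Panorama, and separates unexpected listeners from ports that the tables list only as destinations the device sends to (NTP, SNMP traps, NetFlow, the NFS datastore), which should never be open on the device itself. Which listeners are required versus feature-dependent (HA1 on MGT, the OCSP responder, the User-ID syslog listener, SNMP polling) is this example's assumption, as is treating port 161 as applicable to Panorama, which the table lists only for the firewall.

```python
"""Management-interface exposure check against the PAN-OS port tables.

Added example, not from the PAN-OS guide. Expected listeners per role come
from the Management, HA and Panorama port tables; which of them are
required vs. feature-dependent is an assumption of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    port: int
    proto: str
    purpose: str
    optional: bool = False  # True: only present when the feature is configured


_COMMON = (
    Listener(22, "tcp", "CLI (SSH)"),
    Listener(443, "tcp", "web interface / XML API"),
    # The table lists 161/udp for the firewall; assumed to apply to Panorama too.
    Listener(161, "udp", "SNMP GET polling", optional=True),
)
_HA1 = (
    Listener(28769, "tcp", "HA1 clear text", optional=True),
    Listener(28260, "tcp", "HA1 clear text", optional=True),
    Listener(28, "tcp", "HA1 encrypted (SSH over TCP)", optional=True),
)
FIREWALL = _COMMON + _HA1 + (
    Listener(80, "tcp", "OCSP responder", optional=True),
    Listener(5007, "tcp", "User-ID / Terminal Services agent mappings", optional=True),
    Listener(514, "tcp", "User-ID syslog listener", optional=True),
    Listener(514, "udp", "User-ID syslog listener", optional=True),
    Listener(6514, "tcp", "User-ID syslog listener (SSL)", optional=True),
    Listener(28770, "tcp", "HA1 backup", optional=True),
    Listener(28771, "tcp", "HA heartbeat backup", optional=True),
)
PANORAMA = _COMMON + _HA1 + (
    Listener(3978, "tcp", "managed firewalls and Log Collectors"),
    Listener(28270, "tcp", "Collector Group log distribution", optional=True),
)
ROLES = {"firewall": FIREWALL, "panorama": PANORAMA}

# Ports the tables list only as destinations the device *sends to*. If one of
# these is open on the device itself, something other than PAN-OS is listening.
OUTBOUND_ONLY = {
    (123, "udp"): "NTP server",
    (162, "udp"): "SNMP trap receiver",
    (2055, "udp"): "NetFlow collector",
    (2049, "tcp"): "NFS datastore",
}

# nmap "normal" output lines: "22/tcp  open  ssh", "161/udp  open|filtered  snmp"
_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+open(?:\|filtered)?\b")


def parse_scan(text: str) -> set[tuple[int, str]]:
    """Return {(port, proto)} for every port nmap reported open."""
    found: set[tuple[int, str]] = set()
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            found.add((int(m.group(1)), m.group(2)))
    return found


def check(role: str, open_ports: set[tuple[int, str]]) -> dict[str, list[str]]:
    """Classify observed listeners against the expected set for `role`."""
    expected = {(lsn.port, lsn.proto): lsn for lsn in ROLES[role]}
    report: dict[str, list[str]] = {
        "unexpected": [], "outbound_only_exposed": [], "confirm_optional": [], "missing": []}
    for port, proto in sorted(open_ports):
        key = (port, proto)
        if key in OUTBOUND_ONLY:
            report["outbound_only_exposed"].append(f"{port}/{proto} ({OUTBOUND_ONLY[key]})")
        elif key not in expected:
            report["unexpected"].append(f"{port}/{proto}")
        elif expected[key].optional:
            report["confirm_optional"].append(f"{port}/{proto} ({expected[key].purpose})")
    for key, lsn in expected.items():
        if not lsn.optional and key not in open_ports:
            report["missing"].append(f"{key[0]}/{key[1]} ({lsn.purpose})")
    return report


# Constructed sample: what a scan of a firewall's MGT interface might show.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
PORT      STATE         SERVICE
22/tcp    open          ssh
80/tcp    open          http
443/tcp   open          https
3978/tcp  open          unknown
8080/tcp  open          http-proxy
161/udp   open|filtered snmp
162/udp   open|filtered snmptrap
"""

if __name__ == "__main__":
    for role in ROLES:
        print(role, check(role, parse_scan(SAMPLE_SCAN)))
```

Run against a real scan, the interesting buckets are "unexpected" (a firewall answering on 3978 or 8080 is not PAN-OS behaviour the tables describe) and "outbound_only_exposed" (162/udp open on the device means a trap receiver, not the firewall, is listening there). Entries under "confirm_optional" are legitimate only if the corresponding feature is actually configured; an OCSP responder or User-ID syslog listener nobody set up is still attack surface.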

Ports Used for User-ID

User-ID is a feature that enables mapping of user IP addresses to usernames and group memberships, enabling user- or group-based policy and visibility into user activity on your network (for example, to be able to quickly track down a user who may be the victim of a threat). To perform this mapping, the firewall, the User-ID agent (either installed on a Windows-based system or the PAN-OS integrated agent running on the firewall), and/or the Terminal Services agent must be able to connect to directory services on your network to perform Group Mapping and User Mapping. Additionally, if the agents are running on systems external to the firewall, they must be able to connect to the firewall to communicate the IP address to username mappings to the firewall. The following table lists the communication requirements for User-ID along with the port numbers required to establish connections.

Destination Port      Protocol          Description
389                   TCP               Port the firewall uses to connect to an LDAP server (plaintext or Start Transport Layer Security (StartTLS)) to Map Users to Groups.
3268                  TCP               Port the firewall uses to connect to an Active Directory global catalog server (plaintext or StartTLS) to Map Users to Groups.
636                   TCP               Port the firewall uses for LDAP over SSL connections with an LDAP server to Map Users to Groups.

122 PANOS7.1AdministratorsGuide PaloAltoNetworks,Inc.


FirewallAdministration Reference:PortNumberUsage

DestinationPort Protocol Description

3269 TCP PortthefirewallusesforLDAPoverSSLconnectionswithanActiveDirectory


globalcatalogservertoMapUserstoGroups.

514 TCP PortthePANOSintegratedUserIDagentorWindowsbasedUserIDagent


514 UDP listensonforauthenticationsyslogmessagesifyouConfigureUserIDtoReceive
UserMappingsfromaSyslogSender.
6514 SSL

5007 TCP PortthefirewalllistensonforusermappinginformationfromtheUserIDor


TerminalServicesagent.TheagentsendstheIPaddressandusernamemapping
alongwithatimestampwheneveritlearnsofaneworupdatedmapping.In
addition,itconnectstothefirewallatregularintervalstorefreshknown
mappings.

5006 TCP PorttheUserIDagentlistensonforPANOSXMLAPIrequests.Thesourcefor


thiscommunicationistypicallythesystemrunningascriptthatinvokestheAPI.

88 UDP/TCP PorttheUserIDagentusestoauthenticatetoaKerberosserver.Thefirewall
triesUDPfirstandfallsbacktoTCP.

1812 UDP PorttheUserIDagentusestoauthenticatetoaRADIUSserver.

49 TCP PorttheUserIDagentusestoauthenticatetoaTACACS+server.

135 TCP PorttheUserIDagentusestoestablishTCPbasedWMIconnectionswiththe


MicrosoftRemoteProcedureCall(RPC)EndpointMapper.TheEndpointMapper
thenassignstheagentarandomlyassignedportinthe4915265535portrange.
TheagentusesthisconnectiontomakeRPCqueriesforExchangeServerorAD
serversecuritylogs,sessiontables.ThisisalsotheportusedtoaccessTerminal
Services.
TheUserIDagentalsousesthisporttoconnecttoclientsystemstoperform
WindowsManagementInstrumentation(WMI)probing.

139 TCP PorttheUserIDagentusestoestablishTCPbasedNetBIOSconnectionstothe


ADserversothatitcansendRPCqueriesforsecuritylogsandsession
information.
TheUserIDagentalsousesthisporttoconnecttoclientsystemsforNetBIOS
probing(supportedontheWindowsbasedUserIDagentonly).

445 TCP PorttheUserIDagentusestoconnecttotheActiveDirectory(AD)using


TCPbasedSMBconnectionstotheADserverforaccesstouserlogon
information(printspoolerandNetLogon).


Reset the Firewall to Factory Default Settings

Resetting the firewall to factory defaults will result in the loss of all configuration settings and logs.

Reset the Firewall to Factory Default Settings

Step 1  Set up a console connection to the firewall.
  1. Connect a serial cable from your computer to the Console port and connect to the firewall using terminal emulation software (9600-8-N-1).
     If your computer does not have a 9-pin serial port, use a USB-to-serial port connector.
  2. Enter your login credentials.
  3. Enter the following CLI command:
       debug system maintenance-mode
     The firewall will reboot in maintenance mode.

Step 2  Reset the system to factory default settings.
  1. When the firewall reboots, press Enter to continue to the maintenance mode menu.
  2. Select Factory Reset and press Enter.
  3. Select Factory Reset and press Enter again.
     The firewall will reboot without any configuration settings. The default username and password to log in to the firewall is admin/admin.
     To perform initial configuration on the firewall and to set up network connectivity, see Integrate the Firewall into Your Management Network.


Bootstrap the Firewall

Bootstrapping speeds up the process of configuring and licensing the firewall to make it operational on the network with or without Internet access. Bootstrapping allows you to choose whether to configure the firewall with a basic configuration file (init-cfg.txt) so that it can connect to Panorama and obtain the complete configuration, or to fully configure the firewall with the basic configuration and the optional bootstrap.xml file.
  USB Flash Drive Support
  Sample init-cfg.txt Files
  Prepare a USB Flash Drive for Bootstrapping a Firewall
  Bootstrap a Firewall Using a USB Flash Drive

USB Flash Drive Support

The USB flash drive that bootstraps a hardware-based Palo Alto Networks firewall must support one of the following:
  File Allocation Table 32 (FAT32)
  Third Extended File System (ext3)
The firewall can bootstrap from the following flash drives with USB 2.0 or USB 3.0 connectivity:

USB Flash Drives Supported

Kingston
  Kingston SE9 8GB (2.0)
  Kingston SE9 16GB (3.0)
  Kingston SE9 32GB (3.0)

SanDisk
  SanDisk Cruzer Fit CZ33 8GB (2.0)
  SanDisk Cruzer Fit CZ33 16GB (2.0)
  SanDisk Cruzer CZ36 16GB (2.0)
  SanDisk Cruzer CZ36 32GB (2.0)
  SanDisk Extreme CZ80 32GB (3.0)

Silicon Power
  Silicon Power Jewel 32GB (3.0)
  Silicon Power Blaze 16GB (3.0)

PNY
  PNY Attache 16GB (2.0)
  PNY Turbo 32GB (3.0)


Sample init-cfg.txt Files

An init-cfg.txt file is required for the bootstrap process; this file is a basic configuration file that you create using a text editor. You create this file in Step 5 in Prepare a USB Flash Drive for Bootstrapping a Firewall. The following sample init-cfg.txt files show the parameters that are supported in the file. The parameters that you must provide are type and, for a static address, either ip-address, default-gateway and netmask or ipv6-address and ipv6-default-gateway; the rest are optional.

Sample init-cfg.txt (Static IP Address)

  type=static
  ip-address=10.5.107.19
  default-gateway=10.5.107.1
  netmask=255.255.255.0
  ipv6-address=2001:400:f00::1/64
  ipv6-default-gateway=2001:400:f00::2
  hostname=Ca-FW-DC1
  panorama-server=10.5.107.20
  panorama-server-2=10.5.107.21
  tplname=FINANCE_TG4
  dgname=finance_dg
  dns-primary=10.5.6.6
  dns-secondary=10.5.6.7
  op-command-modes=multi-vsys,jumbo-frame
  dhcp-send-hostname=no
  dhcp-send-client-id=no
  dhcp-accept-server-hostname=no
  dhcp-accept-server-domain=no

Sample init-cfg.txt (DHCP Client)

  type=dhcp-client
  ip-address=
  default-gateway=
  netmask=
  ipv6-address=
  ipv6-default-gateway=
  hostname=Ca-FW-DC1
  panorama-server=10.5.107.20
  panorama-server-2=10.5.107.21
  tplname=FINANCE_TG4
  dgname=finance_dg
  dns-primary=10.5.6.6
  dns-secondary=10.5.6.7
  op-command-modes=multi-vsys,jumbo-frame
  dhcp-send-hostname=yes
  dhcp-send-client-id=yes
  dhcp-accept-server-hostname=yes
  dhcp-accept-server-domain=yes

The following table describes the fields in the init-cfg.txt file. The type is required; if the type is static, the IP address, default gateway and netmask are required, or the IPv6 address and IPv6 default gateway are required.

Fields in the init-cfg.txt File

type
    (Required) Type of management IP address: static or dhcp-client.

ip-address
    (Required for IPv4 static management address) IPv4 address. The firewall ignores this field if the type is dhcp-client.

default-gateway
    (Required for IPv4 static management address) IPv4 default gateway for the management interface. The firewall ignores this field if the type is dhcp-client.

netmask
    (Required for IPv4 static management address) IPv4 netmask. The firewall ignores this field if the type is dhcp-client.

ipv6-address
    (Required for IPv6 static management address) IPv6 address and /prefix length of the management interface. The firewall ignores this field if the type is dhcp-client.

ipv6-default-gateway
    (Required for IPv6 static management address) IPv6 default gateway for the management interface. The firewall ignores this field if the type is dhcp-client.

hostname
    (Optional) Hostname for the firewall.


panorama-server
    (Recommended) IPv4 or IPv6 address of the primary Panorama server.

panorama-server-2
    (Optional) IPv4 or IPv6 address of the secondary Panorama server.

tplname
    (Recommended) Panorama template name.

dgname
    (Recommended) Panorama device group name.

dns-primary
    (Optional) IPv4 or IPv6 address of the primary DNS server.

dns-secondary
    (Optional) IPv4 or IPv6 address of the secondary DNS server.

vm-auth-key
    (VM-Series firewalls only) Virtual machine authentication key.

op-command-modes
    (Optional) Enter multi-vsys, jumbo-frame, or both separated by a comma only. Enables multiple virtual systems and jumbo frames while bootstrapping.

dhcp-send-hostname
    (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall sends its hostname to the DHCP server.

dhcp-send-client-id
    (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall sends its client ID to the DHCP server.

dhcp-accept-server-hostname
    (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall accepts its hostname from the DHCP server.

dhcp-accept-server-domain
    (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall accepts its DNS server from the DHCP server.
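A bootstrap that fails because of a malformed init-cfg.txt leaves the firewall booting with the default configuration, so it is worth checking the file before it leaves your desk. The following is an added example, not code from the PAN-OS guide: a small parser and validator that applies the rules documented above (exact key=value lines with no surrounding whitespace, a required type, the static-address requirements for IPv4 or IPv6, yes/no DHCP flags, and the two permitted op-command-modes values). The key names are taken from the field table; the sample files embedded in the block are constructed.

```python
# Added example (not from the PAN-OS guide): a parser and validator that applies the
# rules this section documents for init-cfg.txt. Key names come from the field table;
# the sample files below are constructed.
KNOWN_KEYS = {
    "type", "ip-address", "default-gateway", "netmask",
    "ipv6-address", "ipv6-default-gateway", "hostname",
    "panorama-server", "panorama-server-2", "tplname", "dgname",
    "dns-primary", "dns-secondary", "vm-auth-key", "op-command-modes",
    "dhcp-send-hostname", "dhcp-send-client-id",
    "dhcp-accept-server-hostname", "dhcp-accept-server-domain",
}
DHCP_KEYS = {k for k in KNOWN_KEYS if k.startswith("dhcp-")}
OP_COMMAND_MODES = {"multi-vsys", "jumbo-frame"}
IPV4_STATIC = ("ip-address", "default-gateway", "netmask")
IPV6_STATIC = ("ipv6-address", "ipv6-default-gateway")


def parse_init_cfg(text):
    """Return {key: value}. Reject what the guide says breaks parsing on the
    management server: whitespace around the key or value, and lines without '='."""
    fields = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value")
        key, value = line.split("=", 1)
        if key != key.strip() or value != value.strip():
            raise ValueError(f"line {lineno}: no spaces are allowed around key or value")
        if key in fields:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        fields[key] = value
    return fields


def validate_init_cfg(fields):
    """Return a list of problems (an empty list means the file satisfies the documented rules)."""
    problems = []
    unknown = sorted(set(fields) - KNOWN_KEYS)
    if unknown:
        problems.append("unknown keys: " + ", ".join(unknown))
    cfg_type = fields.get("type")
    if cfg_type not in ("static", "dhcp-client"):
        problems.append("type is required and must be static or dhcp-client")
        return problems
    if cfg_type == "static":
        have_v4 = all(fields.get(k) for k in IPV4_STATIC)
        have_v6 = all(fields.get(k) for k in IPV6_STATIC)
        if not (have_v4 or have_v6):
            problems.append("static type requires ip-address, default-gateway and netmask, "
                            "or ipv6-address and ipv6-default-gateway")
        if have_v6 and "/" not in fields["ipv6-address"]:
            problems.append("ipv6-address must carry a /prefix-length")
    else:
        # DHCP-only flags are yes/no; the address fields are ignored for dhcp-client.
        for key in sorted(DHCP_KEYS):
            if fields.get(key, "") not in ("", "yes", "no"):
                problems.append(f"{key} must be yes or no")
    modes = [m for m in fields.get("op-command-modes", "").split(",") if m]
    bad_modes = sorted(set(modes) - OP_COMMAND_MODES)
    if bad_modes:
        problems.append("op-command-modes accepts only multi-vsys and jumbo-frame, "
                        "comma-separated: " + ", ".join(bad_modes))
    return problems


def check_init_cfg(text):
    """Parse and validate; a parse error is reported as a problem instead of raised."""
    try:
        fields = parse_init_cfg(text)
    except ValueError as err:
        return [str(err)]
    return validate_init_cfg(fields)


# Constructed samples: a valid static file and one with the space-after-'=' mistake.
STATIC_OK = """type=static
ip-address=10.5.107.19
default-gateway=10.5.107.1
netmask=255.255.255.0
hostname=Ca-FW-DC1
panorama-server=10.5.107.20
tplname=FINANCE_TG4
dgname=finance_dg
op-command-modes=multi-vsys,jumbo-frame
"""
STATIC_BAD_SPACING = "type=static\nip-address= 10.5.107.19\n"

if __name__ == "__main__":
    print(check_init_cfg(STATIC_OK))           # []
    print(check_init_cfg(STATIC_BAD_SPACING))  # ['line 2: no spaces are allowed around key or value']
```

The validator deliberately treats an unknown key as a problem rather than ignoring it, because a misspelled panorama-server or dgname does not fail the bootstrap; it silently produces a firewall that never registers with Panorama.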

Prepare a USB Flash Drive for Bootstrapping a Firewall

You can use a USB flash drive to bootstrap a physical firewall. However, to do so you must upgrade to PAN-OS 7.1 and Reset the Firewall to Factory Default Settings. For security reasons, you can bootstrap a firewall only when it is in factory default state or has all private data deleted.

Prepare a USB Flash Drive for Bootstrapping a Firewall

Step 1  Obtain serial numbers (S/Ns) and auth codes for support subscriptions from your order fulfillment email.

Step 2  Register S/Ns of new firewalls on the Customer Support portal.
  1. Go to support.paloaltonetworks.com, log in, and select Assets > Register New Device > Register device using Serial Number or Authorization Code.
  2. Follow the steps to Register the Firewall.
  3. Click Submit.


Step 3  Activate authorization codes on the Customer Support portal, which creates license keys.
  1. Go to support.paloaltonetworks.com, log in, and select the Assets tab.
  2. For each S/N you just registered, click the Action link.
  3. Select Activate Auth-Code.
  4. Enter the Authorization code and click Agree and Submit.

Step 4  Add the S/Ns in Panorama.
  Complete Step 1 in Add a Firewall as a Managed Device in the Panorama Administrator's Guide.

Step 5  Create the init-cfg.txt file.
  Create the init-cfg.txt file, a mandatory file that provides bootstrap parameters. The fields are described in Sample init-cfg.txt Files.
  If the init-cfg.txt file is missing, the bootstrap process will fail and the firewall will boot up with the default configuration in the normal boot-up sequence.
  There are no spaces between the key and value in each field; do not add spaces because they cause failures during parsing on the management server side.
  You can have multiple init-cfg.txt files, one each for different remote sites, by prepending the S/N to the filename. For example:
    0008C200105-init-cfg.txt
    0008C200107-init-cfg.txt
  If no prepended filename is present, the firewall uses the init-cfg.txt file and proceeds with bootstrapping.

Step 6  (Optional) Create the bootstrap.xml file.
  The optional bootstrap.xml file is a complete firewall configuration that you can export from an existing production firewall.
  1. Select Device > Setup > Operations > Export named configuration snapshot.
  2. Select the Name of the saved or the running configuration.
  3. Click OK.
  4. Rename the file as bootstrap.xml.


Step 7  Create and download the bootstrap bundle from the Customer Support portal.
  For a physical firewall, the bootstrap bundle requires only the /license and /config directories.
  Use one of the following methods to create and download the bootstrap bundle:
    Use Method 1 to create a bootstrap bundle specific to a remote site (you have only one init-cfg.txt file).
    Use Method 2 to create one bootstrap bundle for multiple sites.
  Method 1
  1. On your local system, go to support.paloaltonetworks.com and log in.
  2. Select Assets.
  3. Select the S/N of the firewall you want to bootstrap.
  4. Select Bootstrap Container.
  5. Click Select.
  6. Upload and Open the init-cfg.txt file you created in Step 5.
  7. (Optional) Select the bootstrap.xml file you created in Step 6 and Upload Files.
     You must use a bootstrap.xml file from a firewall of the same model and PAN-OS version.
  8. Select Bootstrap Container Download to download a tar.gz file named bootstrap_<S/N>_<date>.tar.gz to your local system. This bootstrap container includes the license keys associated with the S/N of the firewall.
  Method 2
  Create a tar.gz file on your local system with two top-level directories: /license and /config. Include all licenses and all init-cfg.txt files with S/Ns prepended to the filenames as described in Step 5.
  The license key files you download from the Customer Support portal have the S/N in the license filename. PAN-OS checks the S/N in the filename against the firewall S/N while executing the bootstrap process.

Step 8  Import the tar.gz file (that you created in Step 7) to a PAN-OS 7.1 firewall using Secure Copy (SCP) or TFTP.
  Access the CLI and enter one of the following commands:
    tftp import bootstrap-bundle file <path and filename> from <host IP address>
  For example:
    tftp import bootstrap-bundle file /home/userx/bootstrap/devices/pa5000.tar.gz from 10.1.2.3
    scp import bootstrap-bundle from <user>@<host>:<path to file>
  For example:
    scp import bootstrap-bundle from userx@10.1.2.3:/home/userx/bootstrap/devices/pa200_bootstrap_bundle.tar.gz
  TFTP carries the bundle without authentication or encryption, so prefer SCP whenever the transfer crosses a network you do not fully control.


Step 9  Prepare the USB flash drive.
  1. Insert the USB flash drive into the firewall that you used in Step 8.
  2. Enter the following CLI operational command, using your tar.gz filename in place of pa5000.tar.gz. This command formats the USB flash drive, unzips the file, and validates the USB flash drive:
       request system bootstrap-usb prepare from pa5000.tar.gz
  3. Press y to continue. The following message displays when the USB drive is ready:
       USB prepare completed successfully.
  4. Remove the USB flash drive from the firewall.
  5. You can prepare as many USB flash drives as needed.

Step 10  Deliver the USB flash drive to your remote site.
  If you used Method 2 to create the bootstrap bundle, you can use the same USB flash drive content for bootstrapping firewalls at multiple remote sites. You can translate the content into multiple USB flash drives or a single USB flash drive used multiple times.
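Method 2 bundles are assembled by hand, and the two rules that decide what a given firewall picks up (the S/N-prefixed init-cfg.txt from Step 5 winning over the plain file, and a license key file only applying when the S/N in its name matches) are easy to get wrong across several sites. The following added example, not code from the PAN-OS guide, builds such a bundle in memory with Python's tarfile module and answers, for any serial number, which init-cfg.txt and which license files that firewall would use. The serial numbers and license file names are constructed.

```python
# Added example (not from the PAN-OS guide): build a Method 2 bootstrap bundle in memory
# and check which files a given firewall would use. The tar.gz layout (top-level /config
# and /license) and the S/N-prefixed init-cfg.txt naming come from Steps 5 and 7; the
# serial numbers and license file names below are constructed.
import io
import tarfile


def build_bundle(init_cfgs, licenses):
    """init_cfgs / licenses: {filename: text}. Returns tar.gz bytes containing
    config/<name> and license/<name> entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for folder, files in (("config", init_cfgs), ("license", licenses)):
            for name, text in files.items():
                data = text.encode()
                info = tarfile.TarInfo(name=f"{folder}/{name}")
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def files_for_serial(bundle, serial):
    """Return (init_cfg_name, [license_names]) for the firewall with this S/N, applying
    the documented rules: '<S/N>-init-cfg.txt' wins over plain init-cfg.txt, and a
    license key file is only usable if its name carries the firewall's S/N."""
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        names = [m.name for m in tar.getmembers() if m.isfile()]
    config = {n[len("config/"):] for n in names if n.startswith("config/")}
    licenses = sorted(n[len("license/"):] for n in names if n.startswith("license/"))
    if not config or not licenses:
        raise ValueError("bundle must contain both a config/ and a license/ directory")
    if f"{serial}-init-cfg.txt" in config:
        init_cfg = f"{serial}-init-cfg.txt"
    elif "init-cfg.txt" in config:
        init_cfg = "init-cfg.txt"
    else:
        raise ValueError(f"no init-cfg.txt applies to S/N {serial}; bootstrap would fail")
    mine = [n for n in licenses if serial in n]
    if not mine:
        raise ValueError(f"no license key file is tagged with S/N {serial}")
    return init_cfg, mine


# Constructed two-site bundle: a site-specific file for one S/N plus the generic fallback.
DEMO_BUNDLE = build_bundle(
    {
        "0008C200105-init-cfg.txt": "type=static\nip-address=10.5.107.19\n"
                                    "default-gateway=10.5.107.1\nnetmask=255.255.255.0\n",
        "init-cfg.txt": "type=dhcp-client\n",
    },
    {
        "0008C200105_threat-prevention.key": "<constructed license key>",
        "0008C200107_threat-prevention.key": "<constructed license key>",
    },
)

if __name__ == "__main__":
    print(files_for_serial(DEMO_BUNDLE, "0008C200105"))
    print(files_for_serial(DEMO_BUNDLE, "0008C200107"))
```

Write DEMO_BUNDLE to disk and it is exactly the tar.gz that Step 8 imports; running files_for_serial for every S/N you plan to ship catches a missing license or a typo in a prefix before a drive is in the post.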

Bootstrap a Firewall Using a USB Flash Drive

After you receive a new Palo Alto Networks firewall and a USB flash drive loaded with bootstrap files, you can bootstrap the firewall.

Microsoft Windows and Apple Mac operating systems are unable to read the bootstrap USB flash drive because the drive is formatted using an ext4 file system. You must install third-party software or use a Linux system to read the USB drive.

Bootstrap a Firewall Using a USB Flash Drive

Step 1  The firewall must be in a factory default state or must have all private data deleted.

Step 2  To ensure connectivity with your corporate headquarters, cable the firewall by connecting the management interface (MGT) using an Ethernet cable to one of the following:
  An upstream modem
  A port on the switch or router
  An Ethernet jack in the wall

Step 3  Insert the USB flash drive into the USB port on the firewall and power on the firewall. The factory default firewall bootstraps itself from the USB flash drive.
  The firewall Status light turns from yellow to green when the firewall is configured; autocommit is successful.


Step 4  Verify bootstrap completion. You can see basic status logs on the console during the bootstrap and you can verify that the process is complete.
  1. If you included Panorama values (panorama-server, tplname, and dgname) in your init-cfg.txt file, check Panorama managed devices, device group, and template name.
  2. Verify the general system settings and configuration by accessing the web interface and selecting Dashboard > Widgets > System or by using the CLI operational commands show system info and show config running.
  3. Verify the license installation by selecting Device > Licenses or by using the CLI operational command request license info.
  4. If you have Panorama configured, manage the content versions and software versions from Panorama. If you do not have Panorama configured, use the web interface to manage content versions and software versions.



Authentication

Many of the services that Palo Alto Networks firewalls and Panorama provide require authentication, including administrator access to the web interface and end user access to Captive Portal, GlobalProtect portals, and GlobalProtect gateways. The authentication methods that you can configure vary by service, and can include Kerberos single sign-on (SSO), external authentication services, certificates and certificate profiles, local database accounts, RADIUS Vendor-Specific Attributes (VSAs), and NT LAN Manager (NTLM). The following topics describe authentication methods that are common to most firewall and Panorama services, procedures to configure them, how to test authentication profiles, and how to troubleshoot authentication issues:
  Configure an Authentication Profile and Sequence
  Configure Kerberos Single Sign-On
  Configure Local Database Authentication
  Configure External Authentication
  Test Authentication Server Connectivity
  Troubleshoot Authentication Issues


Configure an Authentication Profile and Sequence

An authentication profile defines the authentication service that validates the login credentials of an administrator account that is local to the firewall or Panorama. The authentication service can be a local database (firewalls only), an external service (RADIUS, TACACS+, LDAP, or Kerberos server), or Kerberos single sign-on (SSO).
Some networks have multiple databases for different users and user groups. To authenticate to multiple authentication sources (for example, local database and LDAP), configure an authentication sequence. An authentication sequence is a ranked order of authentication profiles that the firewall or Panorama matches an administrator against during login. The firewall or Panorama checks against each profile in sequence until one successfully authenticates the administrator (the firewall always checks the local database first if the sequence includes one). An administrator is denied access only if an authentication failure occurs for all the profiles in the authentication sequence.

Configure an Authentication Profile and Sequence

Step 1  Create a Kerberos keytab.
  Required if the firewall or Panorama will use Kerberos SSO authentication.
  Create a Kerberos keytab. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the firewall or Panorama.

Step 2  Configure a local database (firewall only) or external server profile (firewall or Panorama).
  Required for local database or external authentication.
  Local database authentication: Perform the following tasks:
    a. Configure the user account.
    b. (Optional) Configure a user group.
  External authentication: Perform one of the following tasks:
    Configure a RADIUS Server Profile.
    Configure a TACACS+ Server Profile.
    Configure an LDAP Server Profile.
    Configure a Kerberos Server Profile.


Step 3  Configure an authentication profile.
  Define one or both of the following:
    Kerberos SSO: The firewall or Panorama first tries SSO authentication. If that fails, it falls back to authentication of the Type specified in the profile.
    Local database or external authentication: The firewall or Panorama prompts the user to enter login credentials, and uses its local database (firewalls only) or an external service to authenticate the user.
  1. Select Device > Authentication Profile and Add the authentication profile.
  2. Enter a Name to identify the authentication profile.
  3. If the firewall has more than one virtual system (vsys), select a Location (a vsys or Shared) where the profile is available.
  4. Select the authentication Type. If you select RADIUS, TACACS+, LDAP, or Kerberos, select the authentication Server Profile from the drop-down.
     If the Type is LDAP, define the Login Attribute. For Active Directory, enter sAMAccountName as the value.
  5. (Optional) Select the User Domain and Username Modifier options as follows to modify the domain/username string that the user will enter during login. This is useful when the authentication service requires the string in a particular format and you don't want to rely on users to correctly enter the domain.
       To send only the unmodified user input, leave the User Domain blank (the default) and set the Username Modifier to the variable %USERINPUT% (the default).
       To prepend a domain to the user input, enter a User Domain and set the Username Modifier to %USERDOMAIN%\%USERINPUT%.
       To append a domain to the user input, enter a User Domain and set the Username Modifier to %USERINPUT%@%USERDOMAIN%.
  6. If you want to enable Kerberos SSO, enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is UPPERCASE) and Import the Kerberos Keytab that you created for the firewall or Panorama.
  7. Select Advanced and Add the users and groups that can authenticate with this profile. You can select users and groups from the local database or, if you configured an LDAP server profile, from an LDAP-based directory service such as Active Directory. Selecting all allows every user to authenticate. By default, the list is empty, meaning no users can authenticate.
     You can also create and allow custom groups based on LDAP filters: see Map Users to Groups.
  8. Enter the number of Failed Attempts (0-10) to log in that the firewall or Panorama allows before locking out the user. The default value 0 means there is no limit.
  9. Enter the Lockout Time (0-60), which is the number of minutes for which the firewall or Panorama locks out the user after reaching the Failed Attempts limit. The default value 0 means the lockout applies until an administrator unlocks the user account.
  10. Click OK to save the authentication profile.


Step 4  Configure an authentication sequence.
  Required if you want the firewall or Panorama to try multiple authentication profiles to authenticate users. The firewall or Panorama evaluates the profiles in top-to-bottom order, applying the Kerberos SSO, authentication service, allow list, and account lockout values for each until one profile successfully authenticates the user. The firewall or Panorama denies access only if all the profiles in the sequence fail to authenticate.
  1. Select Device > Authentication Sequence and Add the authentication sequence.
  2. Enter a Name to identify the authentication sequence.
  3. If the firewall has more than one virtual system (vsys), select a Location (a vsys or Shared) where the sequence is available.
     To expedite the authentication process, the best practice is to Use domain to determine authentication profile: the firewall or Panorama will match the domain name that a user enters during login with the User Domain or Kerberos Realm of an authentication profile in the sequence, and then use that profile to authenticate the user. If the firewall or Panorama doesn't find a match, or if you clear the check box, it tries the profiles in the top-to-bottom sequence.
  4. Add each authentication profile. To change the evaluation order of the profiles, select a profile and Move Up or Move Down.
  5. Click OK to save the authentication sequence.

Step 5  Assign the authentication profile or sequence.
  Assign the authentication profile or sequence to an administrator account or to a firewall or Panorama service.
  Test Authentication Server Connectivity to verify that an authentication profile can communicate with the backend authentication server and that the authentication request succeeded.
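The interaction between the Username Modifier, the per-profile allow list, the Failed Attempts / Lockout Time counters and the domain-based profile selection in a sequence is where most "why was this login rejected" tickets come from. The following added example, not PAN-OS code, is a small executable model of the rules described in Steps 3 and 4 so those interactions can be exercised offline: it expands %USERINPUT% and %USERDOMAIN%, enforces the allow list, counts failures and locks the account (for Lockout Time minutes, or until a manual unlock when Lockout Time is 0), and routes a DOMAIN\user or user@DOMAIN login to the profile whose User Domain matches before falling back to top-to-bottom evaluation. The credential "backends" are constructed dictionaries standing in for a local database or an external server, and one assumption is stated in the code: the model passes the bare user name (domain stripped) to the selected profile, which then applies its own modifier.

```python
# Added example (not PAN-OS code): a small model of the evaluation rules this section
# describes, so the username modifier, per-profile allow list, failed-attempt lockout
# and "Use domain to determine authentication profile" can be exercised offline. The
# credential "backends" are constructed dictionaries standing in for a local database
# or an external server.
from dataclasses import dataclass, field


def apply_username_modifier(user_input, user_domain="", modifier="%USERINPUT%"):
    """Expand the two variables the profile supports."""
    return modifier.replace("%USERDOMAIN%", user_domain).replace("%USERINPUT%", user_input)


def split_domain(user_input):
    """'DOMAIN\\user' or 'user@DOMAIN' -> (domain, user); otherwise ('', user)."""
    if "\\" in user_input:
        domain, user = user_input.split("\\", 1)
        return domain, user
    if "@" in user_input:
        user, domain = user_input.rsplit("@", 1)
        return domain, user
    return "", user_input


@dataclass
class AuthProfile:
    name: str
    backend: dict                      # constructed {login: password} stand-in for the service
    user_domain: str = ""              # User Domain field
    username_modifier: str = "%USERINPUT%"
    allow_list: set = field(default_factory=set)   # {"all"} or user names; empty = nobody
    failed_attempts: int = 0           # 0-10; 0 means no limit
    lockout_minutes: int = 0           # 0-60; 0 means locked until an admin unlocks
    failures: dict = field(default_factory=dict)
    locked: dict = field(default_factory=dict)     # user -> unlock time (seconds); None = manual

    def authenticate(self, user, password, now=0.0):
        if not (self.allow_list == {"all"} or user in self.allow_list):
            return False
        if user in self.locked:
            until = self.locked[user]
            if until is None or now < until:
                return False
            del self.locked[user]          # lockout expired
            self.failures[user] = 0
        login = apply_username_modifier(user, self.user_domain, self.username_modifier)
        if self.backend.get(login) == password:
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failed_attempts and self.failures[user] >= self.failed_attempts:
            self.locked[user] = now + 60 * self.lockout_minutes if self.lockout_minutes else None
        return False


def authenticate_with_sequence(profiles, user_input, password, use_domain=True, now=0.0):
    """Return the name of the profile that authenticated the user, or None.
    Assumption in this model: the bare user name (domain stripped) is what each
    profile then runs through its own Username Modifier."""
    domain, user = split_domain(user_input)
    if use_domain and domain:
        for p in profiles:
            if p.user_domain.lower() == domain.lower():
                return p.name if p.authenticate(user, password, now) else None
    for p in profiles:                 # no match, or check box cleared: top to bottom
        if p.authenticate(user, password, now):
            return p.name
    return None


def build_demo_sequence():
    """Fresh profiles so lockout state does not leak between runs (constructed data)."""
    local = AuthProfile("local-db", backend={"admin": "Local#1"}, allow_list={"all"})
    corp = AuthProfile("corp-ldap", backend={"alice@corp.example": "S3cret!"},
                       user_domain="corp.example",
                       username_modifier="%USERINPUT%@%USERDOMAIN%",
                       allow_list={"alice"}, failed_attempts=3, lockout_minutes=15)
    return [local, corp]


if __name__ == "__main__":
    seq = build_demo_sequence()
    print(authenticate_with_sequence(seq, "alice", "S3cret!"))                 # corp-ldap
    print(authenticate_with_sequence(seq, "corp.example\\alice", "S3cret!"))   # corp-ldap
    for _ in range(3):
        authenticate_with_sequence(seq, "alice", "wrong")
    print(authenticate_with_sequence(seq, "alice", "S3cret!", now=60))         # None (locked)
    print(authenticate_with_sequence(seq, "alice", "S3cret!", now=900))        # corp-ldap
```

Note the design consequence that the model makes visible: the three wrong passwords also increment the counter on the local-db profile, but because that profile keeps the default Failed Attempts of 0 it never locks, so an attacker can keep hammering a local account through a sequence unless every profile in it has a limit.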


Configure Kerberos Single Sign-On

Palo Alto Networks firewalls and Panorama support Kerberos V5 single sign-on (SSO) to authenticate administrators to the web interface and end users to Captive Portal. A network that supports Kerberos SSO prompts a user to log in only for initial access to the network (for example, logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network (for example, the firewall web interface) without having to log in again until the SSO session expires. (Your Kerberos administrator sets the duration of SSO sessions.) If you enable both Kerberos SSO and external authentication services (for example, a RADIUS server), the firewall or Panorama first tries SSO and, only if that fails, falls back to the external service for authentication.
To support Kerberos SSO, your network requires:
  A Kerberos infrastructure, including a key distribution center (KDC) with an authentication server (AS) and ticket-granting service (TGS).
  A Kerberos account for the firewall or Panorama that will authenticate users. An account is required to create a Kerberos keytab, which is a file that contains the principal name and hashed password of the firewall or Panorama. The SSO process requires the keytab.

Configure Kerberos Single Sign-On

Step 1  Create a Kerberos keytab.
  1. Log in to the KDC and open a command prompt.
  2. Enter the following command, where <principal_name>, <password>, and <algorithm> are variables. The Kerberos principal name and password are of the firewall or Panorama, not the user.
       ktpass /princ <principal_name> /pass <password> /crypto <algorithm> /ptype KRB5_NT_PRINCIPAL /out <file_name>.keytab
     If the firewall is in FIPS/CC mode, the algorithm must be aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96. Otherwise, you can also use des3-cbc-sha1 or arcfour-hmac. To use an Advanced Encryption Standard (AES) algorithm, the functional level of the KDC must be Windows Server 2008 or later and you must enable AES encryption for the firewall or Panorama account.
     The algorithm in the keytab must match the algorithm in the service ticket that the TGS issues to clients. Your Kerberos administrator determines which algorithms the service tickets use.
     The keytab holds the equivalent of the account's password: transfer it only over an authenticated channel and delete working copies once it is imported.

Step 2  Import the keytab into an authentication profile.
  Configure an Authentication Profile and Sequence:
  1. Enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is uppercase).
  2. Import the Kerberos Keytab that you created for the firewall or Panorama.

Step 3  Assign the authentication profile to the administrator account or to the Captive Portal settings.
  Configure an administrator account.
  Configure Captive Portal.


Configure Local Database Authentication

You can use a local firewall database instead of an external service to manage user account credentials and authentication. For example, you might create a local database of users and user groups for specialized purposes if you don't have permission to add them to the directory servers that your organization uses to manage regular accounts and groups. Local database authentication is available for firewall administrators and for Captive Portal and GlobalProtect end users.

If your network supports Kerberos single sign-on (SSO), you can configure local authentication as a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for Administrators.
You can also Configure an Administrative Account to use local account management and authentication without a local database, but only for firewall administrators.

Configure Local Database Authentication

Step 1  Configure the user account.
  1. Select Device > Local User Database > Users and click Add.
  2. Enter a user Name for the administrator.
  3. Enter a Password and Confirm Password or enter a Password Hash.
  4. Enable the account (enabled by default) and click OK.

Step 2  Configure a user group.
  Required if your users require group membership.
  1. Select Device > Local User Database > User Groups and click Add.
  2. Enter a Name to identify the group.
  3. Add each user who is a member of the group and click OK.

Step 3  Configure an authentication profile.
  Set the authentication Type to Local Database.

Step 4  Assign the authentication profile to an administrator account or firewall service.
  Administrators: Configure an Administrative Account:
    Specify the Name of a user you defined in Step 1.
    Assign the Authentication Profile that you configured for the account.
  End users: For all services, you must assign the Authentication Profile that you configured for the accounts:
    Configure Captive Portal.
    Configure the GlobalProtect portal.
    Configure the GlobalProtect gateway.

Step 5  Verify that the firewall can communicate with the authentication server.
  Test a Local Database Authentication Profile.


Configure External Authentication

Palo Alto Networks firewalls and Panorama can use external servers for many services that require authentication, including administrator access to the web interface and end user access to Captive Portal, GlobalProtect portals and GlobalProtect gateways. The server protocols that firewalls and Panorama support include Lightweight Directory Access Protocol (LDAP), Kerberos, Terminal Access Controller Access-Control System Plus (TACACS+), and Remote Authentication Dial-In User Service (RADIUS). If you enable both external authentication and Kerberos single sign-on (SSO), the firewall or Panorama first tries SSO and, only if that fails, falls back to the external server for authentication. To configure external authentication, you create an authentication server profile, assign it to an authentication profile, and then enable authentication for an administrator account or firewall/Panorama service by assigning the authentication profile to it.
  Configure Authentication Server Profiles
  Enable External Authentication for Users and Services

Configure Authentication Server Profiles

  Configure a RADIUS Server Profile
  RADIUS Vendor-Specific Attributes Support
  Configure a TACACS+ Server Profile
  Configure an LDAP Server Profile
  Configure a Kerberos Server Profile
  Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers

Configure a RADIUS Server Profile

You can configure the firewall or Panorama to use a RADIUS server for managing administrator accounts (if they are not local). You can also configure the firewall to use a RADIUS server for authenticating end users and collecting RADIUS Vendor-Specific Attributes (VSAs) from GlobalProtect clients. To use a RADIUS server for managing administrator accounts or collecting GlobalProtect client VSAs, you must define VSAs on the RADIUS server. For details, see the list of supported VSAs in RADIUS Vendor-Specific Attributes Support.

By default, when authenticating to the RADIUS server, the firewall or Panorama first tries Challenge-Handshake Authentication Protocol (CHAP) and falls back to Password Authentication Protocol (PAP) under certain conditions. Optionally, you can override this automatic protocol selection and configure the firewall or Panorama to always use a specific protocol. For details, see Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers.
When sending authentication requests to a RADIUS server, the firewall and Panorama use the authentication profile name as the network access server (NAS) identifier, even if the profile is assigned to an authentication sequence for the service that initiates the authentication process.


Configure a RADIUS Server Profile

Step 1  Add a RADIUS server profile.
  1. Select Device > Server Profiles > RADIUS and click Add.
  2. Enter a Profile Name to identify the server profile.
  3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
  4. For the Timeout, enter an interval in seconds after which an authentication request times out (range is 1-30, default is 3).
  5. Enter the number of automatic Retries following a Timeout before the request fails (range is 1-5, default is 3).
  6. For each RADIUS server, click Add and enter a Name (to identify the server), server IP address or FQDN (RADIUS Server field), Secret/Confirm Secret (a key to encrypt passwords), and server Port for authentication requests (default is 1812).
  7. Click OK.

Step 2  Implement the RADIUS server profile.
  1. Assign the RADIUS server profile to an authentication profile or sequence.
  2. Test a RADIUS Authentication Profile to verify that the firewall or Panorama can connect to the RADIUS server.
  3. Assign the authentication profile or sequence to an administrator account or to a firewall or Panorama service.
  4. Commit your changes.

RADIUS Vendor-Specific Attributes Support

Palo Alto Networks firewalls and Panorama support the following RADIUS Vendor-Specific Attributes (VSAs). To define VSAs on a RADIUS server, you must specify the vendor code (25461 for Palo Alto Networks firewalls or Panorama) and the VSA name and number. Some VSAs also require a value.

Name / Number / Value

VSAs for administrator account management and authentication

PaloAlto-Admin-Role (1)
    A default (dynamic) administrative role name or a custom administrative role name on the firewall.

PaloAlto-Admin-Access-Domain (2)
    The name of an access domain for firewall administrators (configured in the Device > Access Domains page). Define this VSA if the firewall has multiple virtual systems.

PaloAlto-Panorama-Admin-Role (3)
    A default (dynamic) administrative role name or a custom administrative role name on Panorama.

PaloAlto-Panorama-Admin-Access-Domain (4)
    The name of an access domain for Device Group and Template administrators (configured in the Panorama > Access Domains page).

PaloAlto-User-Group (5)
    The name of a user group that an authentication profile references.


VSAs forwarded from GlobalProtect clients to the RADIUS server

PaloAlto-User-Domain (6)
PaloAlto-Client-Source-IP (7)
PaloAlto-Client-OS (8)
PaloAlto-Client-Hostname (9)
PaloAlto-GlobalProtect-Client-Version (10)
    Don't specify a value when you define these VSAs.
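On the wire, every entry in this table travels inside the RFC 2865 Vendor-Specific attribute (type 26): a four-octet vendor ID of 25461 followed by one or more vendor sub-attributes, each carrying the number from the table, a length, and the value. The following added example, not PAN-OS code, encodes and decodes that format for the names and numbers listed above, which is useful when checking a packet capture against what the RADIUS server was supposed to return (for instance, to confirm that PaloAlto-Admin-Role actually arrived in the Access-Accept). The role and group values are constructed.

```python
# Added example (not PAN-OS code): encode/decode Palo Alto Networks RADIUS VSAs in the
# RFC 2865 Vendor-Specific attribute format. Vendor code and VSA numbers are from the
# table above; the att values used at the bottom are constructed.
import struct

PALO_ALTO_VENDOR_ID = 25461
ATTR_VENDOR_SPECIFIC = 26
VSA_NAMES = {
    1: "PaloAlto-Admin-Role",
    2: "PaloAlto-Admin-Access-Domain",
    3: "PaloAlto-Panorama-Admin-Role",
    4: "PaloAlto-Panorama-Admin-Access-Domain",
    5: "PaloAlto-User-Group",
    6: "PaloAlto-User-Domain",
    7: "PaloAlto-Client-Source-IP",
    8: "PaloAlto-Client-OS",
    9: "PaloAlto-Client-Hostname",
    10: "PaloAlto-GlobalProtect-Client-Version",
}
VSA_NUMBERS = {name: number for number, name in VSA_NAMES.items()}


def encode_vsa(name, value):
    """Return one Vendor-Specific attribute (type 26) carrying a single Palo Alto VSA.
    Layout: type(1) length(1) vendor-id(4) | vendor-type(1) vendor-length(1) value."""
    number = VSA_NUMBERS[name]
    data = value.encode("utf-8")
    if len(data) > 255 - 2 - 4 - 2:          # outer header, vendor id, inner header
        raise ValueError("VSA value too long for one attribute")
    inner = struct.pack("!BB", number, 2 + len(data)) + data
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner), PALO_ALTO_VENDOR_ID) + inner


def decode_attributes(blob):
    """Walk a RADIUS attribute list and return [(name, value)] for Palo Alto VSAs,
    skipping non-VSA attributes and other vendors' VSAs. Raises on malformed lengths."""
    out = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        body = blob[i + 2:i + alen]
        i += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != PALO_ALTO_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(body):
            vtype, vlen = body[j], body[j + 1]
            if vlen < 2 or j + vlen > len(body):
                raise ValueError("bad vendor sub-attribute length")
            name = VSA_NAMES.get(vtype, f"PaloAlto-Unknown-{vtype}")
            out.append((name, body[j + 2:j + vlen].decode("utf-8", "replace")))
            j += vlen
    return out


def demo_access_accept_attributes():
    """Constructed attribute list as a RADIUS server might return for an admin login:
    a standard User-Name (type 1) followed by two Palo Alto VSAs."""
    user_name = struct.pack("!BB", 1, 2 + 5) + b"alice"
    return user_name + encode_vsa("PaloAlto-Admin-Role", "superuser") \
                     + encode_vsa("PaloAlto-User-Group", "fw-admins")

if __name__ == "__main__":
    print(decode_attributes(demo_access_accept_attributes()))
```

The length checks in decode_attributes are not decoration: a RADIUS attribute list is parsed from an unauthenticated UDP datagram in the general case, so a decoder that trusts the length octets walks off the end of the buffer on the first hostile packet.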

Configure a TACACS+ Server Profile

Terminal Access Controller Access-Control System Plus (TACACS+) protocol provides better authentication security than RADIUS because it obfuscates the entire packet body, including user names and any authorization arguments, where RADIUS hides only the password; it is also more reliable (it uses TCP instead of UDP). Note that the TACACS+ protection is an MD5-keyed obfuscation rather than modern encryption, so the link between the firewall and the TACACS+ server should still run on a trusted management network.

By default, when authenticating to the TACACS+ server, the firewall or Panorama first tries Challenge-Handshake Authentication Protocol (CHAP) and falls back to Password Authentication Protocol (PAP) under certain conditions. Optionally, you can override this automatic protocol selection and configure the firewall or Panorama to always use a specific protocol. For details, see Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers.

ConfigureaTACACS+ServerProfile

Step1 AddaTACACS+serverprofile. 1. SelectDevice > Server Profiles > TACACS+andclickAdd.


2. EnteraProfile Nametoidentifytheserverprofile.
3. Forafirewallwithmorethanonevirtualsystem(vsys),select
theLocation(vsysorShared)wheretheprofileisavailable.
4. FortheTimeout,enteranintervalinsecondsafterwhichan
authenticationrequesttimesout(rangeis120,defaultis3).
5. SelecttheUse single connection for all authenticationcheck
boxtousethesameTCPsessionforallauthenticationsthat
usethisprofile.Thisoptionimprovesperformancebyavoiding
theneedtostartandendaseparateTCPsessionforeach
authentication.Thecheckboxisclearedbydefault.
6. ForeachTACACS+server,clickAddandenteraName(to
identifytheserver),serverIPaddressorFQDN(TACACS+
Serverfield),Secret/Confirm Secret(akeytoencrypt
usernamesandpasswords),andserverPortforauthentication
requests(defaultis49).
7. ClickOK.

PaloAltoNetworks,Inc. PANOS7.1AdministratorsGuide 139


ConfigureExternalAuthentication Authentication

ConfigureaTACACS+ServerProfile(Continued)

Step2 ImplementtheTACACS+serverprofile. 1. AssigntheTACACS+serverprofiletoanauthentication


profileorsequence.
2. TestaTACACS+AuthenticationProfiletoverifythatthe
firewallorPanoramacanconnecttotheTACACS+server.
3. Assigntheauthenticationprofileorsequencetoan
administratoraccountortoafirewallorPanoramaservice.
4. Commityourchanges.

Configure an LDAP Server Profile

An LDAP server profile enables you to:
• Authenticate administrators and end users of Palo Alto Networks firewalls and Panorama.
• Define security rules based on user or user group. The LDAP server profile instructs the firewall how to connect and authenticate to the server and how to search the directory for user and group information. You must also configure User-ID to Map Users to Groups. Then you can select users or groups when defining policy rules.

Configure an LDAP Server Profile

Step 1  Add an LDAP server profile.
1. Select Device > Server Profiles > LDAP and click Add.
2. Enter a Profile Name to identify the server profile.
3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
4. For each LDAP server (up to four), click Add and enter a Name (to identify the server), server IP address (LDAP Server field), and server Port (default 389).
5. Select the server Type from the drop-down: active-directory, e-directory, sun, or other.
6. If you want the firewall or Panorama to use SSL or TLS for a more secure connection with the directory server, select the Require SSL/TLS secured connection check box (it is selected by default). The protocol that the firewall or Panorama uses depends on the server Port:
   • 389 (default): TLS. Specifically, the firewall or Panorama uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.
   • 636: SSL.
   • Any other port: the firewall or Panorama first tries to use TLS. If the directory server doesn't support TLS, the firewall or Panorama falls back to SSL.
7. To improve security, you can select the Verify Server Certificate for SSL sessions check box (it is cleared by default) so that the firewall or Panorama verifies the certificate that the directory server presents for SSL/TLS connections. If the verification fails, the connection fails. To enable verification, you must also select the Require SSL/TLS secured connection check box. The firewall or Panorama verifies the certificate in two respects:
   • The certificate is trusted and valid. For the firewall or Panorama to trust the certificate, its root certificate authority (CA) and any intermediate certificates must be in the certificate store under Device > Certificate Management > Certificates > Device Certificates. Import the certificate if necessary: see Import a Certificate and Private Key.
   • The certificate name must match the hostname of the LDAP server. The firewall or Panorama first checks the certificate attribute SubjectAltName for matching, then tries the attribute SubjectDN. If the certificate uses the FQDN of the directory server, you must enter that FQDN in the LDAP Server field for the name matching to succeed.
8. Click OK.

Step 2  Implement the LDAP server profile.
1. Assign the LDAP server profile to an authentication profile or sequence.
2. Test an LDAP Authentication Profile to verify that the firewall or Panorama can connect to the LDAP server.
3. Assign the authentication profile or sequence to an administrator account or to a firewall or Panorama service.
4. Commit your changes.

Configure a Kerberos Server Profile

A Kerberos server profile enables users to natively authenticate to an Active Directory domain controller or a Kerberos V5-compliant authentication server. This authentication method is interactive, requiring users to enter usernames and passwords, in contrast with Kerberos single sign-on (SSO), which involves transparent authentication.

To use a Kerberos server for authentication, the server must be accessible over an IPv4 address. IPv6 addresses are not supported.

Configure a Kerberos Server Profile

Step 1  Add a Kerberos server profile.
1. Select Device > Server Profiles > Kerberos and click Add.
2. Enter a Profile Name to identify the server profile.
3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
4. For each Kerberos server, click Add and enter a Name (to identify the server), server IPv4 address or FQDN (Kerberos Server field), and an optional Port number for communication with the server (default 88).
5. Click OK.

Step 2  Implement the Kerberos server profile.
1. Assign the Kerberos server profile to an authentication profile or sequence.
2. Test a Kerberos Authentication Profile to verify that the firewall or Panorama can connect to the Kerberos server.
3. Assign the authentication profile or sequence to an administrator account or to a firewall or Panorama service.
4. Commit your changes.

Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers

When you configure a Palo Alto Networks firewall or Panorama to use RADIUS or TACACS+ server authentication for a particular service (such as Captive Portal), it first tries to authenticate to the server using Challenge-Handshake Authentication Protocol (CHAP). The firewall or Panorama falls back to Password Authentication Protocol (PAP) if the server rejects the CHAP request. This will happen if, for example, the server doesn't support CHAP or isn't configured for CHAP. CHAP is the preferred protocol because it is more secure than PAP. After the firewall or Panorama falls back to PAP for a particular RADIUS or TACACS+ server, it uses only PAP in subsequent attempts to authenticate to that server. PAN-OS records a fallback to PAP as a medium-severity event in the System logs. If you modify any fields in the RADIUS or TACACS+ server profile and then commit the changes, the firewall or Panorama reverts to first trying CHAP for that server.

If you want the firewall or Panorama to always use a specific protocol for authenticating to the RADIUS or TACACS+ server, enter the following operational CLI command (the auto option reverts to the default automatic selection):

set authentication radius-auth-type [ auto | chap | pap ]

When configuring a RADIUS or TACACS+ server for CHAP, you must define user accounts with reversibly encrypted passwords. Otherwise, CHAP authentication will fail.
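The following added example (not from the guide or from Palo Alto Networks) models the behaviour described above on both sides: a CHAP response per RFC 1994 (MD5 over identifier, password and challenge), a server store that can answer it only if it holds a recoverable password, and a client that tries CHAP first, falls back to PAP per server, logs the fallback, and forgets it when the profile is committed again. The store classes, `AuthClient` and the server names are constructed for illustration and are not PAN-OS internals.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(Identifier || secret || Challenge).
    The server must recompute exactly this value, so it needs the plaintext."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


class ReversibleStore:
    """Account store from which the plaintext can be recovered (the page's
    'reversibly encrypted passwords'). Kept in the clear here for the demo."""

    def __init__(self) -> None:
        self._plain: Dict[str, str] = {}

    def add(self, user: str, password: str) -> None:
        self._plain[user] = password

    def verify_chap(self, user: str, chap_id: int, challenge: bytes, response: bytes) -> bool:
        pw = self._plain.get(user)
        return pw is not None and hmac.compare_digest(chap_response(chap_id, pw, challenge), response)

    def verify_pap(self, user: str, password: str) -> bool:
        pw = self._plain.get(user)
        return pw is not None and hmac.compare_digest(pw.encode(), password.encode())


class HashedStore:
    """One-way salted store: can answer PAP but must reject every CHAP
    request, because the plaintext needed for the CHAP digest is gone."""

    def __init__(self) -> None:
        self._hashed: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._hashed[user] = (salt, self._kdf(password, salt))

    def verify_chap(self, user: str, chap_id: int, challenge: bytes, response: bytes) -> bool:
        return False  # cannot recompute MD5 over a plaintext it does not hold

    def verify_pap(self, user: str, password: str) -> bool:
        rec = self._hashed.get(user)
        return rec is not None and hmac.compare_digest(self._kdf(password, rec[0]), rec[1])


class AuthClient:
    """Models the firewall side: CHAP first, PAP after a rejection, remembered
    per server until that server profile is changed and committed."""

    def __init__(self, mode: str = "auto") -> None:
        self.mode = mode                 # like radius-auth-type: auto | chap | pap
        self.pap_only: Set[str] = set()  # servers that have rejected CHAP
        self.syslog: List[str] = []      # stands in for the System log

    def commit_profile_change(self, server: str) -> None:
        """Editing and committing the server profile reverts to trying CHAP first."""
        self.pap_only.discard(server)

    def authenticate(self, server: str, store, user: str, password: str) -> Tuple[bool, str]:
        try_chap = self.mode == "chap" or (self.mode == "auto" and server not in self.pap_only)
        if try_chap:
            chap_id, challenge = 1, os.urandom(16)
            resp = chap_response(chap_id, password, challenge)
            if store.verify_chap(user, chap_id, challenge, resp):
                return True, "CHAP"
            if self.mode == "chap":
                return False, "CHAP"  # pinned to CHAP: no fallback
            # Server rejected CHAP: fall back to PAP and stay on PAP for this server.
            self.pap_only.add(server)
            self.syslog.append(f"medium: CHAP rejected by {server}, falling back to PAP")
        return store.verify_pap(user, password), "PAP"


if __name__ == "__main__":
    # Constructed sample: the same user on a reversible and on a hashed store.
    reversible, hashed = ReversibleStore(), HashedStore()
    reversible.add("bsimpson", "s3cret")
    hashed.add("bsimpson", "s3cret")
    client = AuthClient()
    print(client.authenticate("radius-a", reversible, "bsimpson", "s3cret"))  # (True, 'CHAP')
    print(client.authenticate("radius-b", hashed, "bsimpson", "s3cret"))      # (True, 'PAP')
    print(client.syslog)
```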

Enable External Authentication for Users and Services

Palo Alto Networks firewalls and Panorama can use external services to authenticate administrators, end users, and other devices.

Enable External Authentication

Step 1  Configure an external server profile.
• Configure a RADIUS Server Profile.
• Configure a TACACS+ Server Profile.
• Configure an LDAP Server Profile.
• Configure a Kerberos Server Profile.

Step 2  Assign the server profile to an authentication profile. Optionally, you can assign multiple authentication profiles to an authentication sequence.
1. Configure an Authentication Profile and Sequence.
2. Test Authentication Server Connectivity.

Step 3  Assign the authentication profile or sequence to an administrator account or to a firewall or Panorama service.
• Administrators: Configure an Administrative Account.
• End users:
   • Configure Captive Portal.
   • Configure the GlobalProtect portal.
   • Configure the GlobalProtect gateway.
• Firewall/Panorama services:
   • Configure Routing Information Protocol (RIP).
   • Configure Open Shortest Path First (OSPF).
   • Configure Border Gateway Protocol (BGP).

Test Authentication Server Connectivity

After you configure an authentication profile on a Palo Alto Networks firewall or Panorama, you can use the test authentication feature to determine if it can communicate with the back-end authentication server and if the authentication request succeeded. You can additionally test authentication profiles used for GlobalProtect and Captive Portal authentication. You can perform authentication tests on the candidate configuration, so that you know the configuration is correct before committing.
Authentication server connectivity testing is supported for local database, RADIUS, TACACS+, LDAP, and Kerberos authentication.
The following topics describe how to use the test authentication command and provide examples:
• Run the Test Authentication Command
• Test a Local Database Authentication Profile
• Test a RADIUS Authentication Profile
• Test a TACACS+ Authentication Profile
• Test an LDAP Authentication Profile
• Test a Kerberos Authentication Profile

Run the Test Authentication Command

Run the Test Authentication Command

Step 1  On the PAN-OS firewall or Panorama server, Configure an authentication profile. You do not need to commit the authentication or server profile configuration prior to testing.

Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsysname>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.

Step 4  Test an authentication profile by entering the following command:
admin@PA-3060> test authentication authentication-profile <authentication-profile-name> username <username> password
For example, to test an authentication profile named myprofile for a user named bsimpson, run the following command:
admin@PA-3060> test authentication authentication-profile myprofile username bsimpson password
When entering authentication profile names and server profile names in the test command, the names are case-sensitive. Also, if the authentication profile has a username modifier defined, you must enter the modifier with the username. For example, if you add the username modifier %USERINPUT%@%USERDOMAIN% for a user named bsimpson and the domain name is mydomain.com, enter bsimpson@mydomain.com as the username. This will ensure that the correct credentials are sent to the authentication server. In this example, mydomain.com is the domain that you define in the User Domain field in the Authentication profile.

Step 5  View the output of the test results.
If the authentication profile is configured correctly, the output displays Authentication succeeded. If there is a configuration issue, the output displays information to help you troubleshoot the configuration.
For example use cases on the supported authentication profile types, see Test Authentication Server Connectivity.
The output results vary based on several factors related to the authentication type that you are testing as well as the type of issue. For example, RADIUS and TACACS+ use different underlying libraries, so the same issue that exists for both of these types will produce different errors. Also, if there is a network problem, such as using an incorrect port or IP address in the authentication server profile, the output error is not specific. This is because the test command cannot perform the initial handshake between the firewall and the authentication server to determine details about the issue.

Test a Local Database Authentication Profile

The following example shows how to test a Local Database authentication profile named LocalDB-Profile for a user named User1-LocalDB and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.

Local Database Authentication Profile Test Example

Step 1  On the PAN-OS firewall, ensure that you have an administrator configured with the type Local Database. For information on administrator accounts, refer to Manage Firewall Administrators.

Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsysname>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.

Step 4  Run the following CLI command:
admin@PA-3060> test authentication authentication-profile LocalDB-Profile username User1-LocalDB password

Step 5  When prompted, enter the password for the User1-LocalDB account. The following output shows that the test failed:
Allow list check error:
Do allow list check before sending out authentication request...
User User1-LocalDB is not allowed with authentication profile LocalDB-Profile
In this case, the last line of the output shows that the user is not allowed, which indicates a configuration problem in the authentication profile.

Step 6  To resolve this issue, modify the authentication profile and add the user to the Allow List.
1. On the firewall, select Device > Authentication Profile and modify the profile named LocalDB-Profile.
2. Click the Advanced tab and add User1-LocalDB to the Allow List.
3. Click OK to save the change.

Step 7  Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User1-LocalDB" has an exact match in allow list
Authentication by Local User Database for user "User1-LocalDB"
Authentication succeeded for Local User Database user "User1-LocalDB"

Test a RADIUS Authentication Profile

The following example shows how to test a RADIUS profile named RADIUS-Profile for a user named User2-RADIUS and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.

RADIUS Authentication Profile Test Example

Step 1  On the PAN-OS firewall, Configure a RADIUS Server Profile and Configure an authentication profile. In the authentication profile, you select the new RADIUS server profile in the Server Profile drop-down.

Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsysname>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.

Step 4  Run the following CLI command:
admin@PA-3060> test authentication authentication-profile RADIUS-Profile username User2-RADIUS password

Step 5  When prompted, enter the password for the User2-RADIUS account. The following output shows that the test failed:
Do allow list check before sending out authentication request...
name "User2-RADIUS" is in group "all"
Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Egress: 10.5.104.98
Authentication type: CHAP
Now send request to remote server ...
RADIUS error: Invalid RADIUS response received - Bad MD5
Authentication failed against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
In this case, the output shows Bad MD5, which indicates that there may be an issue with the secret defined in the RADIUS server profile.

Step 6  To resolve this issue, modify the RADIUS server profile and ensure that the secret defined on the RADIUS server matches the secret in the server profile.
1. On the firewall, select Device > Server Profiles > RADIUS and modify the profile named RADIUS-Profile.
2. In the Servers section, locate the RADIUS server and modify the Secret field.
3. Type in the correct secret and then retype to confirm.
4. Click OK to save the change.

Step 7  Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User2-RADIUS" is in group "all"
Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Egress: 10.5.104.98
Authentication type: CHAP
Now send request to remote server ...
RADIUS CHAP auth request is NOT accepted, try PAP next
Authentication type: PAP
Now send request to remote server ...
Authentication succeeded against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Authentication succeeded for user "User2-RADIUS"

Test a TACACS+ Authentication Profile

The following example shows how to test a TACACS+ profile named TACACS-Profile for a user named User3-TACACS and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.

TACACS+ Authentication Profile Test Example

Step 1  On the PAN-OS firewall, Configure a TACACS+ Server Profile and Configure an authentication profile. In the authentication profile, you select the new TACACS+ server profile in the Server Profile drop-down.

Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsysname>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.

Step 4  Run the following CLI command:
admin@PA-3060> test authentication authentication-profile TACACS-Profile username User3-TACACS password

Step 5  When prompted, enter the password for the User3-TACACS account. The following output shows that the test failed:
Do allow list check before sending out authentication request...
name "User2-TACACS" is in group "all"
Authentication to TACACS+ server at '10.5.196.62' for user 'User2-TACACS'
Server port: 49, timeout: 30, flag: 0
Egress: 10.5.104.98
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
Failed to send CHAP authentication request: Network read timed out
Attempting PAP authentication ...
PAP authentication request is created
Failed to send PAP authentication request: Network read timed out
Returned status: -1
Authentication failed against TACACS+ server at 10.5.196.62:49 for user User2-TACACS
Authentication failed for user "User2-TACACS"
The output shows the error Network read timed out, which indicates that the TACACS+ server could not decrypt the authentication request. In this case, there may be an issue with the secret defined in the TACACS+ server profile.

Step 6  To resolve this issue, modify the TACACS+ server profile and ensure that the secret defined on the TACACS+ server matches the secret in the server profile.
1. On the firewall, select Device > Server Profiles > TACACS+ and modify the profile named TACACS-Profile.
2. In the Servers section, locate the TACACS+ server and modify the Secret field.
3. Type in the correct secret and then retype to confirm.
4. Click OK to save the change.

Step 7  Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User2-TACACS" is in group "all"
Authentication to TACACS+ server at '10.5.196.62' for user 'User2-TACACS'
Server port: 49, timeout: 30, flag: 0
Egress: 10.5.104.98
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
CHAP authentication request is sent
Authentication succeeded!
Authentication succeeded for user "User2-TACACS"

Test an LDAP Authentication Profile

The following example shows how to test an LDAP authentication profile named LDAP-Profile for a user named User4-LDAP and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.

LDAP Authentication Profile Test Example

Step 1  On the PAN-OS firewall, Configure an LDAP Server Profile and Configure an authentication profile. In the authentication profile, you select the new LDAP server profile in the Server Profile drop-down.

Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsysname>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.

Step 4  Run the following CLI command:
admin@PA-3060> test authentication authentication-profile LDAP-Profile username User4-LDAP password

Step 5  When prompted, enter the password for the User4-LDAP account. The following output shows that the test failed:
Do allow list check before sending out authentication request...
name "User4-LDAP" is in group "all"
Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
Egress: 10.5.104.98
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
parse error of dn and attributes for user "User4-LDAP"
Authentication failed against LDAP server at 10.5.104.99:389 for user "User4-LDAP"
Authentication failed for user "User4-LDAP"
The output shows parse error of dn and attributes for user User4-LDAP, which indicates a Bind DN value issue in the LDAP server profile. In this case, a Domain Component (DC) value is incorrect.

Step 6  To resolve this issue, modify the LDAP server profile and ensure that the Bind DN DC value is correct by comparing the DC value with the DC value of the LDAP server.
1. On the firewall, select Device > Server Profiles > LDAP and modify the profile named LDAP-Profile.
2. In the Server settings section, enter the correct value for the DC in the Bind DN field. In this case, the correct value for the DC is MGMT-GROUP.
3. Click OK to save the change.

Step 7  Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User4-LDAP" is in group "all"
Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
Egress: 10.5.104.98
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
DN sent to LDAP server: CN=User4-LDAP,CN=Users,DC=MGMT-GROUP,DC=local
User expires in days: never
Authentication succeeded for user "User4-LDAP"

Test a Kerberos Authentication Profile

The following example shows how to test a Kerberos profile named Kerberos-Profile for a user named User5-Kerberos and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.

Kerberos Authentication Profile Test Example

Step 1  On the PAN-OS firewall, Configure a Kerberos Server Profile and Configure an authentication profile. In the authentication profile, you select the new Kerberos server profile in the Server Profile drop-down.

Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsysname>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.

Step 4  Run the following CLI command:
admin@PA-3060> test authentication authentication-profile Kerberos-Profile username User5-Kerberos password

Step 5  When prompted, enter the password for the User5-Kerberos account. The following output shows that the test failed:
Do allow list check before sending out authentication request...
name "User5-Kerberos" is in group "all"
Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
Realm: 'Bad-MGMT-GROUP.LOCAL'
Egress: 10.5.104.98
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication failure: Wrong realm: 'Bad-MGMT-GROUP.LOCAL' (code: -1765328316)
Authentication failed against KERBEROS server at 10.5.104.99:88 for user "User5-Kerberos"
Authentication failed for user "User5-Kerberos"
In this case, the output shows Wrong realm, which indicates that the Kerberos realm has an incorrect value.

Step 6  To resolve this issue, modify the Kerberos server profile and ensure that the Realm value is correct by comparing it with the realm name on the Kerberos server.
1. On the firewall, select Device > Authentication Profiles and modify the profile named Kerberos-Profile.
2. In the Kerberos Realm field, enter the correct value. In this case, the correct realm is mgmt-group.local.
3. Click OK to save the change.

Step 7  Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User5-Kerberos" is in group "all"
Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
Realm: 'MGMT-GROUP.LOCAL'
Egress: 10.5.104.98
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication succeeded!
Authentication succeeded for user "User5-Kerberos"
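The five test examples above (local database, RADIUS, TACACS+, LDAP and Kerberos) each turn on one diagnostic line in the command output. The following added example (not from the guide or from Palo Alto Networks) is a small triage script that maps those lines to the outcome and the remediation each example reached, and pulls the server address and port out of the transcript; the signature table, hints and sample transcripts are constructed from the output shown on this page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Each entry: (regex over one output line, outcome class, remediation hint).
# Order matters: the first line/pattern that matches decides the verdict.
SIGNATURES: List[Tuple[re.Pattern, str, str]] = [
    (re.compile(r"is not allowed with authentication profile (\S+)"),
     "allow-list",
     "Add the user to the Allow List (Advanced tab) of authentication profile {0}"),
    (re.compile(r"Bad MD5"),
     "radius-secret",
     "RADIUS shared secret mismatch: re-enter the Secret in the RADIUS server profile"),
    (re.compile(r"Network read timed out"),
     "tacacs-secret",
     "TACACS+ server could not decrypt the request: check the Secret in the TACACS+ server profile"),
    (re.compile(r"parse error of dn and attributes"),
     "ldap-bind-dn",
     "Bind DN in the LDAP server profile is wrong: compare each DC= component with the directory"),
    (re.compile(r"Wrong realm: '([^']+)'"),
     "kerberos-realm",
     "Realm {0} is wrong: correct the Kerberos Realm in the authentication profile"),
    (re.compile(r'^Authentication succeeded for (?:Local User Database )?user "([^"]+)"'),
     "ok",
     "Authentication succeeded for {0}; no action needed"),
]

# "Authentication to RADIUS server at 10.5.104.99:1812 ..." and
# "Authentication failed against TACACS+ server at '10.5.196.62' ..." forms.
SERVER_LINE = re.compile(
    r"(?:Authentication to|against) (RADIUS|TACACS\+|LDAP|KERBEROS) server at "
    r"'?(\d{1,3}(?:\.\d{1,3}){3})'?(?::(\d+))?")


def server_info(output: str) -> Optional[Dict[str, Optional[str]]]:
    """Return protocol, address and (when printed) port of the server the test
    talked to, preferring a line that includes the port."""
    found = None
    for line in output.splitlines():
        m = SERVER_LINE.search(line)
        if m:
            info = {"protocol": m.group(1), "address": m.group(2), "port": m.group(3)}
            if info["port"] is not None:
                return info
            found = found or info
    return found


def triage(output: str) -> Dict[str, Optional[str]]:
    """Classify one test-authentication transcript: outcome class, the line
    that decided it, and the remediation the page's example applied."""
    for raw in output.splitlines():
        line = raw.strip()
        for pattern, kind, hint in SIGNATURES:
            m = pattern.search(line)
            if m:
                return {"kind": kind, "line": line, "hint": hint.format(*m.groups())}
    # A failure with no known signature: the page notes that network errors
    # (wrong IP or port in the server profile) produce non-specific output.
    failed = any(l.startswith("Authentication failed") for l in output.splitlines())
    return {"kind": "unknown-failure" if failed else "unknown", "line": None,
            "hint": "No known signature; check the server IP/port and read the full output"}


# Sample transcripts, copied from the failing runs shown on this page.
RADIUS_FAIL = """Do allow list check before sending out authentication request...
name "User2-RADIUS" is in group "all"
Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Egress: 10.5.104.98
Authentication type: CHAP
Now send request to remote server ...
RADIUS error: Invalid RADIUS response received - Bad MD5
Authentication failed against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
"""

LDAP_FAIL = """Do allow list check before sending out authentication request...
name "User4-LDAP" is in group "all"
Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
Egress: 10.5.104.98
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
parse error of dn and attributes for user "User4-LDAP"
Authentication failed against LDAP server at 10.5.104.99:389 for user "User4-LDAP"
Authentication failed for user "User4-LDAP"
"""

if __name__ == "__main__":
    for name, transcript in (("RADIUS", RADIUS_FAIL), ("LDAP", LDAP_FAIL)):
        print(name, server_info(transcript), triage(transcript)["hint"])
```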

Troubleshoot Authentication Issues

When users fail to authenticate to a Palo Alto Networks firewall or Panorama, or the authentication process takes longer than expected, analyzing authentication-related information can help you determine whether the failure or delay resulted from:
• User behavior. For example, users are locked out after entering the wrong credentials, or a high volume of users are simultaneously attempting access.
• System or network issues. For example, an authentication server is inaccessible.
• Configuration issues. For example, the Allow List of an authentication profile doesn't have all the users it should have.
The following CLI commands display information that can help you troubleshoot these issues:

Task | Command

Display the number of locked user accounts associated with the authentication profile (auth-profile), authentication sequence (is-seq), or virtual system (vsys).
To unlock users, use the following operational command:
request authentication [unlock-admin | unlock-user]

    show authentication locked-users
    {
      vsys <value> |
      auth-profile <value> |
      is-seq {yes | no} {auth-profile | vsys} <value>
    }

Use the debug authentication command to troubleshoot authentication events.
Use the show options to display authentication request statistics and the current debugging level:
• show displays the current debugging level for the authentication service (authd).
• show-active-requests displays the number of active checks for authentication requests, allow lists, and locked user accounts.
• show-pending-requests displays the number of pending checks for authentication requests, allow lists, and locked user accounts.
• connection-show displays authentication request and response statistics for all authentication servers or for a specific protocol type.
Use the connection-debug options to enable or disable authentication debugging:
• Use the on option to enable or the off option to disable debugging for authd.
• Use the connection-debug-on option to enable or the connection-debug-off option to disable debugging for all authentication servers or for a specific protocol type.

    debug authentication
    {
      on {debug | dump | error | info | warn} |
      show |
      show-active-requests |
      show-pending-requests |
      connection-show
      {
        connection-id |
        protocol-type
        {
          Kerberos connection-id <value> |
          LDAP connection-id <value> |
          RADIUS connection-id <value> |
          TACACS+ connection-id <value>
        }
      } |
      connection-debug-on
      {
        connection-id |
        debug-prefix |
        protocol-type
        {
          Kerberos connection-id <value> |
          LDAP connection-id <value> |
          RADIUS connection-id <value> |
          TACACS+ connection-id <value>
        }
      } |
      connection-debug-off
      {
        connection-id |
        protocol-type
        {
          Kerberos connection-id <value> |
          LDAP connection-id <value> |
          RADIUS connection-id <value> |
          TACACS+ connection-id <value>
        }
      } |
      connection-debug-on
    }

Certificate Management

The following topics describe the different keys and certificates that Palo Alto Networks firewalls and Panorama use, and how to obtain and manage them:
• Keys and Certificates
• Certificate Revocation
• Certificate Deployment
• Set Up Verification for Certificate Revocation Status
• Configure the Master Key
• Obtain Certificates
• Export a Certificate and Private Key
• Configure a Certificate Profile
• Configure an SSL/TLS Service Profile
• Replace the Certificate for Inbound Management Traffic
• Configure the Key Size for SSL Forward Proxy Server Certificates
• Revoke and Renew Certificates
• Secure Keys with a Hardware Security Module

Keys and Certificates

To ensure trust between parties in a secure communication session, Palo Alto Networks firewalls and Panorama use digital certificates. Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext. Each certificate also includes a digital signature to authenticate the identity of the issuer. The issuer must be in the list of trusted certificate authorities (CAs) of the authenticating party. Optionally, the authenticating party verifies that the issuer did not revoke the certificate (see Certificate Revocation).
Palo Alto Networks firewalls and Panorama use certificates in the following applications:
• User authentication for Captive Portal, GlobalProtect, Mobile Security Manager, and web interface access to a firewall or Panorama.
• Device authentication for GlobalProtect VPN (remote user-to-site or large scale).
• Device authentication for IPSec site-to-site VPN with Internet Key Exchange (IKE).
• Decrypting inbound and outbound SSL traffic.
  A firewall decrypts the traffic to apply policy rules, then re-encrypts it before forwarding the traffic to the final destination. For outbound traffic, the firewall acts as a forward proxy server, establishing an SSL/TLS connection to the destination server. To secure a connection between itself and the client, the firewall uses a signing certificate to automatically generate a copy of the destination server certificate.
The following table describes the keys and certificates that Palo Alto Networks firewalls and Panorama use. As a best practice, use different keys and certificates for each usage.

Table: Palo Alto Networks Device Keys/Certificates (Key/Certificate Usage: Description)

Administrative Access: Secure access to firewall or Panorama administration interfaces (HTTPS access to the web interface) requires a server certificate for the MGT interface (or a designated interface on the dataplane if the firewall or Panorama does not use MGT) and, optionally, a certificate to authenticate the administrator.

Captive Portal: In deployments where Captive Portal identifies users who access HTTPS resources, designate a server certificate for the Captive Portal interface. If you configure Captive Portal to use certificates (instead of, or in addition to, username/password credentials) for user identification, designate a user certificate also. For more information on Captive Portal, see Map IP Addresses to Usernames Using Captive Portal.

Forward Trust: For outbound SSL/TLS traffic, if a firewall acting as a forward proxy trusts the CA that signed the certificate of the destination server, the firewall uses the forward trust CA certificate to generate a copy of the destination server certificate to present to the client. To set the private key size, see Configure the Key Size for SSL Forward Proxy Server Certificates. For added security, store the key on a hardware security module (for details, see Secure Keys with a Hardware Security Module).

Forward Untrust: For outbound SSL/TLS traffic, if a firewall acting as a forward proxy does not trust the CA that signed the certificate of the destination server, the firewall uses the forward untrust CA certificate to generate a copy of the destination server certificate to present to the client.

SSL Inbound Inspection: The keys that decrypt inbound SSL/TLS traffic for inspection and policy enforcement. For this application, import onto the firewall a private key for each server that is subject to SSL/TLS inbound inspection. See Configure SSL Inbound Inspection.

SSL Exclude Certificate: Certificates for servers to exclude from SSL/TLS decryption. For example, if you enable SSL decryption but your network includes servers for which the firewall should not decrypt traffic (for example, web services for your HR systems), import the corresponding certificates onto the firewall and configure them as SSL Exclude Certificates. See Configure Decryption Exceptions.

GlobalProtect: All interaction among GlobalProtect components occurs over SSL/TLS connections. Therefore, as part of the GlobalProtect deployment, deploy server certificates for all GlobalProtect portals, gateways, and Mobile Security Managers. Optionally, deploy certificates for authenticating users also. Note that the GlobalProtect Large Scale VPN (LSVPN) feature requires a CA signing certificate.

Site-to-Site VPNs (IKE): In a site-to-site IPSec VPN deployment, peer devices use Internet Key Exchange (IKE) gateways to establish a secure channel. IKE gateways use certificates or preshared keys to authenticate the peers to each other. You configure and assign the certificates or keys when defining an IKE gateway on a firewall. See Site-to-Site VPN Overview.

Master Key: The firewall uses a master key to encrypt all private keys and passwords. If your network requires a secure location for storing private keys, you can use an encryption (wrapping) key stored on a hardware security module (HSM) to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.

Secure Syslog: The certificate to enable secure connections between the firewall and a syslog server. See Syslog Field Descriptions.

Trusted Root CA: The designation for a root certificate issued by a CA that the firewall trusts. The firewall can use a self-signed root CA certificate to automatically issue certificates for other applications (for example, SSL Forward Proxy). Also, if a firewall must establish secure connections with other firewalls, the root CA that issues their certificates must be in the list of trusted root CAs on the firewall.

Certificate Revocation

Palo Alto Networks firewalls and Panorama use digital certificates to ensure trust between parties in a secure communication session. Configuring a firewall or Panorama to check the revocation status of certificates provides additional security. A party that presents a revoked certificate is not trustworthy. When a certificate is part of a chain, the firewall or Panorama checks the status of every certificate in the chain except the root CA certificate, for which it cannot verify revocation status.

Various circumstances can invalidate a certificate before the expiration date. Some examples are a change of name, change of association between subject and certificate authority (for example, an employee terminates employment), and compromise (known or suspected) of the private key. Under such circumstances, the certificate authority that issued the certificate must revoke it.

The firewall and Panorama support the following methods for verifying certificate revocation status. If you configure both methods, the firewall or Panorama first tries the OCSP method; if the OCSP server is unavailable, it uses the CRL method.
- Certificate Revocation List (CRL)
- Online Certificate Status Protocol (OCSP)

In PAN-OS, certificate revocation status verification is an optional feature. It is a best practice to enable it for certificate profiles, which define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall or Panorama.

Certificate Revocation List (CRL)

Each certificate authority (CA) periodically issues a certificate revocation list (CRL) to a public repository. The CRL identifies revoked certificates by serial number. After the CA revokes a certificate, the next CRL update will include the serial number of that certificate.

The Palo Alto Networks firewall downloads and caches the last-issued CRL for every CA listed in the trusted CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a certificate, the firewall cache does not store the CRL for the issuing CA. Also, the cache only stores a CRL until it expires.

The firewall supports CRLs only in Distinguished Encoding Rules (DER) format. If the firewall downloads a CRL in any other format (for example, Privacy Enhanced Mail (PEM) format), any revocation verification process that uses that CRL will fail when a user performs an activity that triggers the process (for example, sending outbound SSL data). The firewall will generate a system log for the verification failure. If the verification was for an SSL certificate, the firewall will also display the SSL Certificate Errors Notify response page to the user.

To use CRLs for verifying the revocation status of certificates used for the decryption of inbound and outbound SSL/TLS traffic, see Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption.

To use CRLs for verifying the revocation status of certificates that authenticate users and devices, configure a certificate profile and assign it to the interfaces that are specific to the application: Captive Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, or web interface access to Palo Alto Networks firewalls or Panorama. For details, see Configure Revocation Status Verification of Certificates.

Online Certificate Status Protocol (OCSP)

When establishing an SSL/TLS session, clients can use Online Certificate Status Protocol (OCSP) to check the revocation status of the authentication certificate. The authenticating client sends a request containing the serial number of the certificate to the OCSP responder (server). The responder searches the database of the certificate authority (CA) that issued the certificate and returns a response containing the status (good, revoked, or unknown) to the client. The advantage of the OCSP method is that it can verify status in real time, instead of depending on the issue frequency (hourly, daily, or weekly) of CRLs.

The Palo Alto Networks firewall downloads and caches OCSP status information for every CA listed in the trusted CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a certificate, the firewall cache does not store the OCSP information for the issuing CA. If your enterprise has its own public key infrastructure (PKI), you can configure the firewall as an OCSP responder (see Configure an OCSP Responder).

To use OCSP for verifying the revocation status of certificates when the firewall functions as an SSL forward proxy, perform the steps under Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption.

The following applications use certificates to authenticate users and/or devices: Captive Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, and web interface access to Palo Alto Networks firewalls or Panorama. To use OCSP for verifying the revocation status of the certificates:
1. Configure an OCSP responder.
2. Enable the HTTP OCSP service on the firewall.
3. Create or obtain a certificate for each application.
4. Configure a certificate profile for each application.
5. Assign the certificate profile to the relevant application.

To cover situations where the OCSP responder is unavailable, configure CRL as a fallback method. For details, see Configure Revocation Status Verification of Certificates.

Certificate Deployment

The basic approaches to deploy certificates for Palo Alto Networks firewalls or Panorama are:
- Obtain certificates from a trusted third-party CA: The benefit of obtaining a certificate from a trusted third-party certificate authority (CA) such as VeriSign or GoDaddy is that end clients will already trust the certificate because common browsers include root CA certificates from well-known CAs in their trusted root certificate stores. Therefore, for applications that require end clients to establish secure connections with the firewall or Panorama, purchase a certificate from a CA that the end clients trust to avoid having to pre-deploy root CA certificates to the end clients. (Some such applications are a GlobalProtect portal or GlobalProtect Mobile Security Manager.) However, note that most third-party CAs cannot issue signing certificates. Therefore, this type of certificate is not appropriate for applications (for example, SSL/TLS decryption and large-scale VPN) that require the firewall to issue certificates. See Obtain a Certificate from an External CA.
- Obtain certificates from an enterprise CA: Enterprises that have their own internal CA can use it to issue certificates for firewall applications and import them onto the firewall. The benefit is that end clients probably already trust the enterprise CA. You can either generate the needed certificates and import them onto the firewall, or generate a certificate signing request (CSR) on the firewall and send it to the enterprise CA for signing. The benefit of this method is that the private key does not leave the firewall. An enterprise CA can also issue a signing certificate, which the firewall uses to automatically generate certificates (for example, for GlobalProtect large-scale VPN or sites requiring SSL/TLS decryption). See Import a Certificate and Private Key.
- Generate self-signed certificates: You can Create a Self-Signed Root CA Certificate on the firewall and use it to automatically issue certificates for other firewall applications. Note that if you use this method to generate certificates for an application that requires an end client to trust the certificate, end users will see a certificate error because the root CA certificate is not in their trusted root certificate store. To prevent this, deploy the self-signed root CA certificate to all end user systems. You can deploy the certificates manually or use a centralized deployment method such as an Active Directory Group Policy Object (GPO).

Set Up Verification for Certificate Revocation Status

To verify the revocation status of certificates, the firewall uses Online Certificate Status Protocol (OCSP) and/or certificate revocation lists (CRLs). For details on these methods, see Certificate Revocation. If you configure both methods, the firewall first tries OCSP and only falls back to the CRL method if the OCSP responder is unavailable. If your enterprise has its own public key infrastructure (PKI), you can configure the firewall to function as the OCSP responder.

The following topics describe how to configure the firewall to verify certificate revocation status:
- Configure an OCSP Responder
- Configure Revocation Status Verification of Certificates
- Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Configure an OCSP Responder

To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of certificates, you must configure the firewall to access an OCSP responder (server). The entity that manages the OCSP responder can be a third-party certificate authority (CA) or, if your enterprise has its own public key infrastructure (PKI), the firewall itself. For details on OCSP, see Certificate Revocation.

Configure an OCSP Responder

Step 1  Define an OCSP responder.
  1. Select Device > Certificate Management > OCSP Responder and click Add.
  2. Enter a Name to identify the responder (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores.
  3. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
  4. In the Host Name field, enter the host name (recommended) or IP address of the OCSP responder. From this value, PAN-OS automatically derives a URL and adds it to the certificate being verified. If you configure the firewall itself as an OCSP responder, the host name must resolve to an IP address in the interface that the firewall uses for OCSP services (specified in Step 3).
  5. Click OK.

Step 2  Enable OCSP communication on the firewall.
  1. Select Device > Setup > Management.
  2. In the Management Interface Settings section, edit to select the HTTP OCSP check box, then click OK.

Step 3  (Optional) To configure the firewall itself as an OCSP responder, add an Interface Management Profile to the interface used for OCSP services.
  1. Select Network > Network Profiles > Interface Mgmt.
  2. Click Add to create a new profile or click the name of an existing profile.
  3. Select the HTTP OCSP check box and click OK.
  4. Select Network > Interfaces and click the name of the interface that the firewall will use for OCSP services. The OCSP Host Name specified in Step 1 must resolve to an IP address in this interface.
  5. Select Advanced > Other info and select the Interface Management Profile you configured.
  6. Click OK and Commit.

Configure Revocation Status Verification of Certificates

The firewall and Panorama use certificates to authenticate users and devices for such applications as Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall/Panorama. To improve security, it is a best practice to configure the firewall or Panorama to verify the revocation status of certificates that it uses for device/user authentication.

Configure Revocation Status Verification of Certificates

Step 1  Configure a Certificate Profile for each application.
  Assign one or more root CA certificates to the profile and select how the firewall verifies certificate revocation status. The common name (FQDN or IP address) of a certificate must match an interface to which you apply the profile in Step 2. For details on the certificates that various applications use, see Keys and Certificates.

Step 2  Assign the certificate profiles to the relevant applications.
  The steps to assign a certificate profile depend on the application that requires it.

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

The firewall decrypts inbound and outbound SSL/TLS traffic to apply security rules, then re-encrypts the traffic before forwarding it. (For details, see SSL Inbound Inspection and SSL Forward Proxy.) You can configure the firewall to verify the revocation status of certificates used for decryption as follows.

Enabling revocation status verification for SSL/TLS decryption certificates will add time to the process of establishing the session. The first attempt to access a site might fail if the verification does not finish before the session times out. For these reasons, verification is disabled by default.

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Step 1  Define the service-specific timeout intervals for revocation status requests.
  1. Select Device > Setup > Session and, in the Session Features section, select Decryption Certificate Revocation Settings.
  2. Perform one or both of the following steps, depending on whether the firewall will use Online Certificate Status Protocol (OCSP) or the Certificate Revocation List (CRL) method to verify the revocation status of certificates. If the firewall will use both, it first tries OCSP; if the OCSP responder is unavailable, the firewall then tries the CRL method.
     - In the CRL section, select the Enable check box and enter the Receive Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the CRL service.
     - In the OCSP section, select the Enable check box and enter the Receive Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the OCSP responder.
     Depending on the Certificate Status Timeout value you specify in Step 2, the firewall might register a timeout before either or both of the Receive Timeout intervals pass.

Step 2  Define the total timeout interval for revocation status requests.
  Enter the Certificate Status Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies the session-blocking logic you optionally define in Step 3. The Certificate Status Timeout relates to the OCSP/CRL Receive Timeout as follows:
  - If you enable both OCSP and CRL: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the aggregate of the two Receive Timeout values.
  - If you enable only OCSP: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the OCSP Receive Timeout value.
  - If you enable only CRL: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the CRL Receive Timeout value.

Step 3  Define the blocking behavior for unknown certificate status or a revocation status request timeout.
  If you want the firewall to block SSL/TLS sessions when the OCSP or CRL service returns a certificate revocation status of unknown, select the Block Session With Unknown Certificate Status check box. Otherwise, the firewall proceeds with the session.
  If you want the firewall to block SSL/TLS sessions after it registers a request timeout, select the Block Session On Certificate Status Check Timeout check box. Otherwise, the firewall proceeds with the session.

Step 4  Save and apply your entries. Click OK and Commit.
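The timeout rules in Steps 1 through 3, combined with the OCSP-first, CRL-fallback order stated under Certificate Revocation, are easy to misjudge when choosing values. The following Go program is an added model of that documented decision logic; it is not PAN-OS code and does not query any firewall. It computes the point at which a request timeout is registered (the lesser of the Certificate Status Timeout and the sum of the enabled Receive Timeouts) and walks a simulated OCSP and CRL exchange to the allow/block result implied by the two Block Session check boxes. The type and function names, the simulated replies, and the treatment of a revoked status as a block are this example's assumptions; the procedure itself only defines behaviour for an unknown status and for a timeout.

```go
package main

import "fmt"

// RevocationSettings models the Decryption Certificate Revocation Settings the procedure
// above configures (Device > Setup > Session). Timeouts are seconds in the 1-60 range. This
// is an illustrative model of the documented behaviour, not PAN-OS code.
type RevocationSettings struct {
	CRLEnabled, OCSPEnabled               bool
	CRLReceiveTimeout, OCSPReceiveTimeout int
	CertStatusTimeout                     int
	BlockUnknown, BlockOnTimeout          bool
}

// Reply is a simulated answer from one status service: Status is "good", "revoked" or
// "unknown"; Latency is the seconds it took. A Latency beyond the service's Receive
// Timeout stands for a responder that never answers.
type Reply struct {
	Status  string
	Latency int
}

// EffectiveTimeout is when the firewall registers a request timeout: the lesser of the
// Certificate Status Timeout and the sum of the enabled Receive Timeouts (Step 2).
func EffectiveTimeout(s RevocationSettings) int {
	sum := 0
	if s.OCSPEnabled {
		sum += s.OCSPReceiveTimeout
	}
	if s.CRLEnabled {
		sum += s.CRLReceiveTimeout
	}
	if sum < s.CertStatusTimeout {
		return sum
	}
	return s.CertStatusTimeout
}

// Decide walks the documented order: OCSP first, CRL only if OCSP gave no answer, and a
// request timeout once the elapsed wait exceeds EffectiveTimeout. It returns the action
// ("allow" or "block") and the reason ("good", "revoked", "unknown", "timeout", "disabled").
func Decide(s RevocationSettings, ocsp, crl Reply) (action, reason string) {
	if !s.OCSPEnabled && !s.CRLEnabled {
		return "allow", "disabled" // verification off, the default the guide describes
	}
	limit, elapsed := EffectiveTimeout(s), 0
	// ask queries one service; a reply later than its Receive Timeout counts as no reply,
	// after the firewall has waited the full Receive Timeout for it.
	ask := func(enabled bool, r Reply, recvTimeout int) (string, bool) {
		if !enabled {
			return "", false
		}
		if r.Latency > recvTimeout {
			elapsed += recvTimeout
			return "", false
		}
		elapsed += r.Latency
		return r.Status, true
	}
	status, ok := ask(s.OCSPEnabled, ocsp, s.OCSPReceiveTimeout) // OCSP first
	if !ok && elapsed < limit {                                    // CRL only as fallback
		status, ok = ask(s.CRLEnabled, crl, s.CRLReceiveTimeout)
	}
	if !ok || elapsed > limit {
		if s.BlockOnTimeout {
			return "block", "timeout"
		}
		return "allow", "timeout"
	}
	switch status {
	case "revoked":
		return "block", "revoked" // assumption: a revoked certificate is never proceeded with
	case "unknown":
		if s.BlockUnknown {
			return "block", "unknown"
		}
		return "allow", "unknown"
	}
	return "allow", "good"
}

func main() {
	s := RevocationSettings{CRLEnabled: true, OCSPEnabled: true, CRLReceiveTimeout: 10,
		OCSPReceiveTimeout: 10, CertStatusTimeout: 15, BlockUnknown: true, BlockOnTimeout: true}
	down := Reply{Latency: 99} // a responder that never answers
	fmt.Println("effective timeout:", EffectiveTimeout(s))
	fmt.Println(Decide(s, Reply{"good", 2}, down))    // allow good: OCSP answered
	fmt.Println(Decide(s, down, Reply{"good", 3}))    // allow good: CRL fallback within 15 s
	fmt.Println(Decide(s, down, Reply{"good", 6}))    // block timeout: 10 + 6 exceeds 15 s
	fmt.Println(Decide(s, Reply{"unknown", 1}, down)) // block unknown
}
```

The third call in main shows the interaction the guide warns about in Step 1: with both methods enabled and a 15-second Certificate Status Timeout, an unreachable OCSP responder consumes its full 10-second Receive Timeout, so the CRL service has only 5 seconds left before the session is treated as timed out, regardless of its own 10-second Receive Timeout.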

Configure the Master Key

Every firewall and Panorama management server has a default master key that encrypts private keys and other secrets (such as passwords and shared keys). The private keys authenticate users when they access administrative interfaces on the firewall. As a best practice to safeguard the keys, configure the master key on each firewall to be unique and periodically change it. For added security, use a wrapping key stored on a hardware security module (HSM) to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.

In a high availability (HA) configuration, ensure both firewalls or Panorama management servers in the pair use the same master key to encrypt private keys and certificates. If the master keys differ, HA configuration synchronization will not work properly.

When you export a firewall or Panorama configuration, the master key encrypts the passwords of users managed on external servers. For locally managed users, the firewall or Panorama hashes the passwords but the master key does not encrypt them.

Configure a Master Key

Step 1  Select Device > Master Key and Diagnostics and edit the Master Key section.
Step 2  Enter the Current Master Key if one exists.
Step 3  Define a New Master Key and then Confirm New Master Key. The key must contain exactly 16 characters.
Step 4  (Optional) To specify the master key Life Time, enter the number of Days and/or Hours after which the key will expire. If you set a lifetime, create a new master key before the old key expires.
Step 5  (Optional) If you set a key lifetime, enter a Time for Reminder that specifies the number of Days and Hours preceding master key expiration when the firewall emails you a reminder.
Step 6  (Optional) Select whether to use an HSM to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.
Step 7  Click OK and Commit.

Obtain Certificates

- Create a Self-Signed Root CA Certificate
- Generate a Certificate
- Import a Certificate and Private Key
- Obtain a Certificate from an External CA

Create a Self-Signed Root CA Certificate

A self-signed root certificate authority (CA) certificate is the topmost certificate in a certificate chain. A firewall can use this certificate to automatically issue certificates for other uses. For example, the firewall issues certificates for SSL/TLS decryption and for satellites in a GlobalProtect large-scale VPN.

When establishing a secure connection with the firewall, the remote client must trust the root CA that issued the certificate. Otherwise, the client browser will display a warning that the certificate is invalid and might (depending on security settings) block the connection. To prevent this, after generating the self-signed root CA certificate, import it into the client systems.

On a Palo Alto Networks firewall or Panorama, you can generate self-signed certificates only if they are CA certificates.

Generate a Self-Signed Root CA Certificate

Step 1  Select Device > Certificate Management > Certificates > Device Certificates.
Step 2  If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 3  Click Generate.
Step 4  Enter a Certificate Name, such as GlobalProtect_CA. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
Step 5  In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
Step 6  If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
Step 7  Leave the Signed By field blank to designate the certificate as self-signed.
Step 8  (Required) Select the Certificate Authority check box.
Step 9  Leave the OCSP Responder field blank; revocation status verification doesn't apply to root CA certificates.
Step 10  Click Generate and Commit.

Generate a Certificate

Palo Alto Networks firewalls and Panorama use certificates to authenticate clients, servers, users, and devices in several applications, including SSL/TLS decryption, Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall/Panorama. Generate certificates for each usage; for details, see Keys and Certificates.

To generate a certificate, you must first Create a Self-Signed Root CA Certificate or import one (Import a Certificate and Private Key) to sign it. To use Online Certificate Status Protocol (OCSP) for verifying certificate revocation status, Configure an OCSP Responder before generating the certificate.

Generate a Certificate

Step 1  Select Device > Certificate Management > Certificates > Device Certificates.
Step 2  If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 3  Click Generate.
Step 4  Select Local (default) as the Certificate Type unless you want to deploy SCEP certificates to GlobalProtect clients.
Step 5  Enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
Step 6  In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
Step 7  If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
Step 8  In the Signed By field, select the root CA certificate that will issue the certificate.
Step 9  (Optional) Select an OCSP Responder.
Step 10  For the key generation Algorithm, select RSA (default) or Elliptical Curve DSA (ECDSA). ECDSA is recommended for client browsers and operating systems that support it.
  Firewalls that run PAN-OS 6.1 and earlier releases will delete any ECDSA certificates that you push from Panorama, and any RSA certificates signed by an ECDSA certificate authority (CA) will be invalid on those firewalls.
Step 11  Select the Number of Bits to define the certificate key length. Higher numbers are more secure but require more processing time.
Step 12  Select the Digest algorithm. From most to least secure, the options are: sha512, sha384, sha256 (default), sha1, and md5.
Step 13  For the Expiration, enter the number of days (default is 365) for which the certificate is valid.
Step 14  (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the certificate. If you add a Host Name (DNS name) attribute, it is a best practice for it to match the Common Name. The host name populates the Subject Alternative Name field of the certificate.
Step 15  Click Generate and, in the Device Certificates page, click the certificate Name.
  Regardless of the time zone on the firewall, it always displays the corresponding Greenwich Mean Time (GMT) for certificate validity and expiration dates/times.

Step 16  Select the check boxes that correspond to the intended use of the certificate on the firewall. For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog check box.
Step 17  Click OK and Commit.

Import a Certificate and Private Key

If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into the firewall from your enterprise certificate authority (CA). Enterprise CA certificates (unlike most certificates purchased from a trusted, third-party CA) can automatically issue CA certificates for applications such as SSL/TLS decryption or large-scale VPN.

On a Palo Alto Networks firewall or Panorama, you can import self-signed certificates only if they are CA certificates.

Instead of importing a self-signed root CA certificate into all the client systems, it is a best practice to import a certificate from the enterprise CA because the clients will already have a trust relationship with the enterprise CA, which simplifies the deployment.

If the certificate you will import is part of a certificate chain, it is a best practice to import the entire chain.

Import a Certificate and Private Key

Step 1  From the enterprise CA, export the certificate and private key that the firewall will use for authentication. When exporting a private key, you must enter a passphrase to encrypt the key for transport. Ensure the management system can access the certificate and key files. When importing the key onto the firewall, you must enter the same passphrase to decrypt it.
Step 2  Select Device > Certificate Management > Certificates > Device Certificates.
Step 3  If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 4  Click Import and enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
Step 5  To make the certificate available to all virtual systems, select the Shared check box. This check box appears only if the firewall supports multiple virtual systems.
Step 6  Enter the path and name of the Certificate File received from the CA, or Browse to find the file.
Step 7  Select a File Format:
  - Encrypted Private Key and Certificate (PKCS12): This is the default and most common format, in which the key and certificate are in a single container (Certificate File). If a hardware security module (HSM) will store the private key for this certificate, select the Private key resides on Hardware Security Module check box.
  - Base64 Encoded Certificate (PEM): You must import the key separately from the certificate. If a hardware security module (HSM) stores the private key for this certificate, select the Private key resides on Hardware Security Module check box and skip Step 8. Otherwise, select the Import Private Key check box, enter the Key File or Browse to it, then perform Step 8.
Step 8  Enter and re-enter (confirm) the Passphrase used to encrypt the private key.

Step 9  Click OK. The Device Certificates page displays the imported certificate.

Obtain a Certificate from an External CA

The advantage of obtaining a certificate from an external certificate authority (CA) is that the private key does not leave the firewall. To obtain a certificate from an external CA, generate a certificate signing request (CSR) and submit it to the CA. After the CA issues a certificate with the specified attributes, import it onto the firewall. The CA can be a well-known, public CA or an enterprise CA.

To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of the certificate, Configure an OCSP Responder before generating the CSR.

Obtain a Certificate from an External CA

Step 1  Request the certificate from an external CA.
  1. Select Device > Certificate Management > Certificates > Device Certificates.
  2. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
  3. Click Generate.
  4. Enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
  5. In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
  6. If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
  7. In the Signed By field, select External Authority (CSR).
  8. If applicable, select an OCSP Responder.
  9. (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the certificate. If you add a Host Name attribute, it is a best practice for it to match the Common Name (this is mandatory for GlobalProtect). The host name populates the Subject Alternative Name field of the certificate.
  10. Click Generate. The Device Certificates tab displays the CSR with a Status of pending.

Step 2  Submit the CSR to the CA.
  1. Select the CSR and click Export to save the .csr file to a local computer.
  2. Upload the .csr file to the CA.

Step 3  Import the certificate.
  1. After the CA sends a signed certificate in response to the CSR, return to the Device Certificates tab and click Import.
  2. Enter the Certificate Name used to generate the CSR in Step 1 (item 4).
  3. Enter the path and name of the PEM Certificate File that the CA sent, or Browse to it.
  4. Click OK. The Device Certificates tab displays the certificate with a Status of valid.

Step 4  Configure the certificate.
  1. Click the certificate Name.
  2. Select the check boxes that correspond to the intended use of the certificate on the firewall. For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog check box.
  3. Click OK and Commit.
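The procedures in Obtain Certificates describe, through the web interface, a private PKI: a self-signed root CA (Create a Self-Signed Root CA Certificate), certificates it issues (Generate a Certificate), a CSR signed externally so that the private key never leaves the firewall (Obtain a Certificate from an External CA), and, under Certificate Revocation, a CRL that lists revoked serial numbers and that the firewall accepts only in DER format. The following Go program is an added illustration of those same steps with the standard library's crypto/x509; it is not PAN-OS code and does not talk to a firewall. The CA name, the host name, the serial numbers and the function names are constructed example values, and the 365-day validity mirrors the default Expiration in Generate a Certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewRootCA mirrors "Create a Self-Signed Root CA Certificate": the template signs
// itself (Signed By blank), Certificate Authority is set, and the key may sign CRLs.
func NewRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// RequestAndIssue plays both sides of "Obtain a Certificate from an External CA": the
// requester makes a key and a CSR whose Host Name SAN equals the Common Name; the CA checks
// the CSR signature and issues for 365 days. Only csrDER crosses between the two sides.
func RequestAndIssue(fqdn string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // never leaves the requester
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: fqdn}, DNSNames: []string{fqdn}}
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, req, key))
	csr := must(x509.ParseCertificateRequest(csrDER)) // CA side from here on
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// ClientTrusts is the browser's check: is the issuing root in the client's trusted root store
// and does the certificate cover this host? A nil root is the undeployed-root case.
func ClientTrusts(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	if root != nil {
		pool.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// PublishCRL is the CA's next CRL update: a signed, DER-encoded list of revoked serials.
func PublishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*big.Int) []byte {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), RevokedCertificates: entries,
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour)}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
}

// IsRevoked is the consumer side: a PEM download is converted to DER (the only encoding the
// firewall accepts), the CRL signature is verified against the CA, and the serial looked up.
func IsRevoked(crl []byte, ca *x509.Certificate, serial *big.Int) bool {
	if block, _ := pem.Decode(crl); block != nil && block.Type == "X509 CRL" {
		crl = block.Bytes // strip the PEM wrapper the firewall would reject as-is
	}
	rl := must(x509.ParseRevocationList(crl))
	if err := rl.CheckSignatureFrom(ca); err != nil {
		panic(err)
	}
	for _, e := range rl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true
		}
	}
	return false
}

func main() {
	ca, caKey := NewRootCA("Example-Root-CA") // constructed example names
	leaf := RequestAndIssue("gp-portal.example.test", 1001, ca, caKey)
	fmt.Println(ClientTrusts(leaf, ca, "gp-portal.example.test"), ClientTrusts(leaf, nil, "gp-portal.example.test"), IsRevoked(PublishCRL(ca, caKey, leaf.SerialNumber), ca, leaf.SerialNumber))
}
```

ClientTrusts with a nil root reproduces the browser warning that Certificate Deployment and Create a Self-Signed Root CA Certificate describe for a root CA that was never deployed to the client; with the root supplied, the same certificate verifies. IsRevoked unwraps a PEM CRL before parsing, which is the conversion an operator has to perform on a CRL distributed in PEM format before the firewall, which accepts only DER, can use it.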

Export a Certificate and Private Key

Palo Alto Networks recommends that you use your enterprise public key infrastructure (PKI) to distribute a certificate and private key in your organization. However, if necessary, you can also export a certificate and private key from the firewall or Panorama. You can use an exported certificate and private key in the following cases:
- Configure Certificate-Based Administrator Authentication to the Web Interface
- GlobalProtect agent/app authentication to portals and gateways
- SSL Forward Proxy decryption
- Obtain a Certificate from an External CA

Export a Certificate and Private Key

Step 1  Select Device > Certificate Management > Certificates > Device Certificates.
Step 2  If the firewall has more than one virtual system (vsys), select a Location (a specific vsys or Shared) for the certificate.
Step 3  Select the certificate, click Export, and select a File Format:
  - Base64 Encoded Certificate (PEM): This is the default format. It is the most common and has the broadest support on the Internet. If you want the exported file to include the private key, select the Export Private Key check box.
  - Encrypted Private Key and Certificate (PKCS12): This format is more secure than PEM but is not as common or as broadly supported. The exported file will automatically include the private key.
  - Binary Encoded Certificate (DER): More operating system types support this format than the others. You can export only the certificate, not the key: ignore the Export Private Key check box and passphrase fields.
Step 4  Enter a Passphrase and Confirm Passphrase to encrypt the private key if the File Format is PKCS12 or if it is PEM and you selected the Export Private Key check box. You will use this passphrase when importing the certificate and key into client systems.
Step 5  Click OK and save the certificate/key file to your computer.

Configure a Certificate Profile

Certificate profiles define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, Mobile Security Manager, and web interface access to Palo Alto Networks firewalls or Panorama. The profiles specify which certificates to use, how to verify certificate revocation status, and how that status constrains access. Configure a certificate profile for each application.

It is a best practice to enable Online Certificate Status Protocol (OCSP) and/or Certificate Revocation List (CRL) status verification for certificate profiles. For details on these methods, see Certificate Revocation.

Configure a Certificate Profile

Step 1  Obtain the certificate authority (CA) certificates you will assign.
  Perform one of the following steps to obtain the CA certificates you will assign to the profile. You must assign at least one.
  - Generate a Certificate.
  - Export a certificate from your enterprise CA and then import it onto the firewall (see Step 3).

Step 2  Identify the certificate profile.
  1. Select Device > Certificate Management > Certificate Profile and click Add.
  2. Enter a Name to identify the profile. The name is case-sensitive, must be unique, and can use up to 31 characters that include only letters, numbers, spaces, hyphens, and underscores.
  3. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 3  Assign one or more certificates.
  Perform the following steps for each CA certificate:
  1. In the CA Certificates table, click Add.
  2. Select a CA Certificate. Alternatively, to import a certificate, click Import, enter a Certificate Name, Browse to the Certificate File you exported from your enterprise CA, and click OK.
  3. (Optional) If the firewall uses OCSP to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments, these fields do not apply.
     - By default, the firewall uses the OCSP responder URL that you set in the procedure Configure an OCSP Responder. To override that setting, enter a Default OCSP URL (starting with http:// or https://).
     - By default, the firewall uses the certificate selected in the CA Certificate field to validate OCSP responses. To use a different certificate for validation, select it in the OCSP Verify CA Certificate field.
  4. Click OK. The CA Certificates table displays the assigned certificate.

PaloAltoNetworks,Inc. PANOS7.1AdministratorsGuide 169


ConfigureaCertificateProfile CertificateManagement

ConfigureaCertificateProfile

Step4 Definethemethodsforverifying 1. SelectUse CRLand/orUse OCSP.Ifyouselectboth,the


certificaterevocationstatusandthe firewallfirsttriesOCSPandfallsbacktotheCRLmethodonly
associatedblockingbehavior. iftheOCSPresponderisunavailable.
2. Dependingontheverificationmethod,entertheCRL Receive
Timeoutand/orOCSP Receive Timeout.Thesearethe
intervals(160seconds)afterwhichthefirewallstopswaiting
foraresponsefromtheCRL/OCSPservice.
3. EntertheCertificate Status Timeout.Thisistheinterval(160
seconds)afterwhichthefirewallstopswaitingforaresponse
fromanycertificatestatusserviceandappliesany
sessionblockinglogicyoudefine.TheCertificate Status
TimeoutrelatestotheOCSP/CRLReceive Timeoutas
follows:
IfyouenablebothOCSPandCRLThefirewallregistersa
requesttimeoutafterthelesseroftwointervalspasses:the
Certificate Status Timeoutvalueortheaggregateofthe
twoReceive Timeoutvalues.
IfyouenableonlyOCSPThefirewallregistersarequest
timeoutafterthelesseroftwointervalspasses:the
Certificate Status TimeoutvalueortheOCSPReceive
Timeoutvalue.
IfyouenableonlyCRLThefirewallregistersarequest
timeoutafterthelesseroftwointervalspasses:the
Certificate Status TimeoutvalueortheCRLReceive
Timeoutvalue.
4. IfyouwantthefirewalltoblocksessionswhentheOCSPor
CRLservicereturnsacertificaterevocationstatusofunknown,
selecttheBlock session if certificate status is unknown
checkbox.Otherwise,thefirewallproceedswiththesession.
5. Ifyouwantthefirewalltoblocksessionsafteritregistersan
OCSPorCRLrequesttimeout,selecttheBlock session if
certificate status cannot be retrieved within timeoutcheck
box.Otherwise,thefirewallproceedswiththesession.

Step5 Saveandapplyyourentries. ClickOKandCommit.

170 PANOS7.1AdministratorsGuide PaloAltoNetworks,Inc.
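The timeout and blocking rules in Step 4 interact in a way that is easy to misjudge: the effective wait is the smaller of the Certificate Status Timeout and the applicable Receive Timeout budget, and a session that times out or gets an unknown status is allowed unless the matching block option is set. The following added example (not PAN-OS code) models those rules in Python so the outcome of a given profile can be checked before it is committed. The field names mirror the web interface; CertificateProfile, effective_timeout(), decide_session() and the simulated responder results are assumptions made for this illustration, as is treating a status of revoked as a block.

```python
"""Model of the revocation-check timeout and blocking rules of a certificate
profile (Step 4 of Configure a Certificate Profile).

Added example, not PAN-OS code. Responder results are simulated.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CertificateProfile:
    use_ocsp: bool
    use_crl: bool
    ocsp_receive_timeout: int = 5          # seconds, 1-60
    crl_receive_timeout: int = 5           # seconds, 1-60
    certificate_status_timeout: int = 5    # seconds, 1-60
    block_if_unknown: bool = False         # "Block session if certificate status is unknown"
    block_if_timeout: bool = False         # "Block session if certificate status cannot be retrieved within timeout"

    def __post_init__(self):
        for field in ("ocsp_receive_timeout", "crl_receive_timeout", "certificate_status_timeout"):
            if not 1 <= getattr(self, field) <= 60:
                raise ValueError(f"{field} must be 1-60 seconds")
        if not (self.use_ocsp or self.use_crl):
            raise ValueError("select Use CRL and/or Use OCSP")


def effective_timeout(profile: CertificateProfile) -> int:
    """Seconds after which the firewall registers a request timeout.

    Mirrors item 3 of Step 4: the lesser of the Certificate Status Timeout and
    the Receive Timeout budget (the sum of both when OCSP and CRL are enabled,
    because CRL is only tried after OCSP fails).
    """
    if profile.use_ocsp and profile.use_crl:
        receive_budget = profile.ocsp_receive_timeout + profile.crl_receive_timeout
    elif profile.use_ocsp:
        receive_budget = profile.ocsp_receive_timeout
    else:
        receive_budget = profile.crl_receive_timeout
    return min(profile.certificate_status_timeout, receive_budget)


def decide_session(profile: CertificateProfile, status: Optional[str], elapsed: float) -> str:
    """Return "allow" or "block" for one session.

    status is the revocation result obtained: "good", "revoked", "unknown",
    or None when no responder answered. elapsed is the time spent waiting.
    """
    # Items 5: timed out (or never got an answer) -> block only if configured.
    if status is None or elapsed >= effective_timeout(profile):
        return "block" if profile.block_if_timeout else "allow"
    if status == "revoked":               # assumption: a revoked certificate is rejected
        return "block"
    if status == "unknown":               # item 4
        return "block" if profile.block_if_unknown else "allow"
    return "allow"


if __name__ == "__main__":
    lenient = CertificateProfile(use_ocsp=True, use_crl=True,
                                 ocsp_receive_timeout=4, crl_receive_timeout=4,
                                 certificate_status_timeout=15)
    strict = CertificateProfile(use_ocsp=True, use_crl=True,
                                block_if_unknown=True, block_if_timeout=True)
    print("lenient effective timeout:", effective_timeout(lenient), "s")
    print("lenient, unknown status:", decide_session(lenient, "unknown", 2))
    print("strict, unknown status:", decide_session(strict, "unknown", 2))
    print("strict, no response:", decide_session(strict, None, 6))
```

Note the lenient profile: with both methods enabled and 4-second receive timeouts, the 15-second Certificate Status Timeout never takes effect, because the 8-second receive budget is reached first; the two block options are what turn a silent or undecided responder into a denied session.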


Configure an SSL/TLS Service Profile

Palo Alto Networks firewalls and Panorama use SSL/TLS service profiles to specify a certificate and the allowed protocol versions for SSL/TLS services. The firewall and Panorama use SSL/TLS for Captive Portal, GlobalProtect portals and gateways, inbound traffic on the management (MGT) interface, the URL Admin Override feature, and the User-ID syslog listening service. By defining the protocol versions, you can use a profile to restrict the cipher suites that are available for securing communication with the clients requesting the services. This improves network security by enabling the firewall or Panorama to avoid SSL/TLS versions that have known weaknesses. If a service request involves a protocol version that is outside the specified range, the firewall or Panorama downgrades or upgrades the connection to a supported version.

Configure an SSL/TLS Service Profile

Step 1 For each desired service, generate or import a certificate on the firewall (see Obtain Certificates). Use only signed certificates, not certificate authority (CA) certificates, for SSL/TLS services.

Step 2 Select Device > Certificate Management > SSL/TLS Service Profile.

Step 3 If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.

Step 4 Click Add and enter a Name to identify the profile.

Step 5 Select the Certificate you just obtained.

Step 6 Define the range of protocols that the service can use:
• For the Min Version, select the earliest allowed TLS version: TLSv1.0 (default), TLSv1.1, or TLSv1.2.
• For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or Max (latest available version). The default is Max.

Step 7 Click OK and Commit.
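The Min Version and Max Version range in Step 6 is the whole of what the profile controls about protocol negotiation. The following added example (not PAN-OS code) expresses that range with Python's ssl module, which applies the same kind of minimum/maximum bound to a server context, and adds a small model of which version a client ends up with given the versions it supports. The version names are the four choices the profile offers; ORDER, LATEST_AVAILABLE (taken as TLSv1.2, the highest explicit choice the 7.1 profile lists), valid_range(), service_profile_context() and negotiated_version() are assumptions made for this illustration.

```python
"""Model of an SSL/TLS service profile's Min Version / Max Version range,
built as a Python ssl server context.

Added example, not PAN-OS code.
"""
import ssl

# Version order used for range checks. "Max" means the latest version the
# platform supports; this model assumes TLSv1.2 (LATEST_AVAILABLE), the
# highest explicit choice the 7.1 profile lists.
ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LATEST_AVAILABLE = "TLSv1.2"    # assumption, see above

# The profile's choices mapped onto ssl.TLSVersion.
PROFILE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "Max": ssl.TLSVersion.MAXIMUM_SUPPORTED,
}


def _resolve(version: str) -> str:
    """Turn the profile's 'Max' into a concrete version name."""
    return LATEST_AVAILABLE if version == "Max" else version


def valid_range(min_version: str, max_version: str) -> bool:
    """True when both names are profile choices and min does not exceed max."""
    if min_version not in PROFILE_VERSIONS or max_version not in PROFILE_VERSIONS:
        return False
    if min_version == "Max":              # Min Version never offers 'Max'
        return False
    return ORDER.index(min_version) <= ORDER.index(_resolve(max_version))


def service_profile_context(min_version: str = "TLSv1.0",
                            max_version: str = "Max") -> ssl.SSLContext:
    """Server-side SSLContext limited to the profile's protocol range.

    Defaults mirror the profile defaults (Min TLSv1.0, Max = latest). Raising
    the minimum also drops the cipher suites that only the excluded versions
    use, which is the effect the guide describes.
    """
    if not valid_range(min_version, max_version):
        raise ValueError(f"invalid range {min_version}..{max_version}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = PROFILE_VERSIONS[min_version]
    ctx.maximum_version = PROFILE_VERSIONS[max_version]
    return ctx


def negotiated_version(min_version: str, max_version: str, client_versions):
    """Highest version the client supports that lies inside the profile range.

    Returns None when the client and the profile share no version; such a
    client cannot establish a session with the service.
    """
    lo = ORDER.index(min_version)
    hi = ORDER.index(_resolve(max_version))
    inside = [v for v in client_versions if v in ORDER and lo <= ORDER.index(v) <= hi]
    return max(inside, key=ORDER.index) if inside else None


if __name__ == "__main__":
    # Min Version TLSv1.1 is what the guide recommends for inbound management traffic.
    ctx = service_profile_context("TLSv1.1", "Max")
    print("context range:", ctx.minimum_version.name, "..", ctx.maximum_version.name)
    print("client offering 1.0-1.2 gets:", negotiated_version("TLSv1.1", "Max", ["TLSv1.0", "TLSv1.1", "TLSv1.2"]))
    print("client offering only 1.0 gets:", negotiated_version("TLSv1.1", "Max", ["TLSv1.0"]))
```

The second negotiation call is the case to plan for when raising Min Version on a profile that serves Captive Portal or GlobalProtect: any client limited to TLSv1.0 stops being able to connect, so inventory client versions before committing the change.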


Replace the Certificate for Inbound Management Traffic

When you first boot up the firewall or Panorama, it automatically generates a default certificate that enables HTTPS access to the web interface and XML API over the management (MGT) interface and (on the firewall only) over any other interface that supports HTTPS management traffic (for details, see Use Interface Management Profiles to Restrict Access). To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.

You cannot view, modify, or delete the default certificate.
Securing management traffic also involves configuring how administrators authenticate to the firewall or to Panorama.

Replace the Certificate for Inbound Management Traffic

Step 1 Obtain the certificate that will authenticate the firewall or Panorama to the client systems of administrators.
You can simplify your Certificate Deployment by using a certificate that the client systems already trust. Therefore, we recommend that you Import a Certificate and Private Key from your enterprise certificate authority (CA) or Obtain a Certificate from an External CA; the trusted root certificate store of the client systems is likely to already have the associated root CA certificate that ensures trust.
If you Generate a Certificate on the firewall or Panorama, administrators will see a certificate error because the root CA certificate is not in the trusted root certificate store of client systems. To prevent this, deploy the self-signed root CA certificate to all client systems.
Regardless of how you obtain the certificate, we recommend a Digest algorithm of sha256 or higher for enhanced security.

Step 2 Configure an SSL/TLS Service Profile.
Select the Certificate you just obtained.
For enhanced security, we recommend that you set the Min Version (earliest allowed TLS version) to TLSv1.1 for inbound management traffic. We also recommend that you use a different SSL/TLS Service Profile for each firewall or Panorama service instead of reusing this profile for all services.

Step 3 Apply the SSL/TLS Service Profile to inbound management traffic.
1. Select Device > Setup > Management and edit the General Settings.
2. Select the SSL/TLS Service Profile you just configured.
3. Click OK and Commit.


Configure the Key Size for SSL Forward Proxy Server Certificates

When responding to a client in an SSL Forward Proxy session, the firewall creates a copy of the certificate that the destination server presents and uses the copy to establish a connection with the client. By default, the firewall generates certificates with the same key size as the certificate that the destination server presented. However, you can change the key size for the firewall-generated certificate as follows:

Configure the Key Size for SSL Forward Proxy Server Certificates

Step 1 Select Device > Setup > Session and, in the Decryption Settings section, click SSL Forward Proxy Settings.

Step 2 Select a Key Size:
• Defined by destination host: The firewall determines the key size for the certificates it generates to establish SSL proxy sessions with clients based on the key size of the destination server certificate. If the destination server uses a 1024-bit RSA key, the firewall generates a certificate with that key size and an SHA1 hashing algorithm. If the destination server uses a key size larger than 1,024 bits (for example, 2,048 bits or 4,096 bits), the firewall generates a certificate that uses a 2,048-bit RSA key and SHA256 algorithm. This is the default setting.
• 1024-bit RSA: The firewall generates certificates that use a 1,024-bit RSA key and SHA1 hashing algorithm regardless of the key size of the destination server certificates. As of December 31, 2013, public certificate authorities (CAs) and popular browsers have limited support for X.509 certificates that use keys of fewer than 2,048 bits. In the future, depending on security settings, when presented with such keys the browser might warn the user or block the SSL/TLS session entirely.
• 2048-bit RSA: The firewall generates certificates that use a 2,048-bit RSA key and SHA256 hashing algorithm regardless of the key size of the destination server certificates. Public CAs and popular browsers support 2,048-bit keys, which provide better security than the 1,024-bit keys.
Changing the key size setting clears the current certificate cache.

Step 3 Click OK and Commit.


Revoke and Renew Certificates

• Revoke a Certificate
• Renew a Certificate

Revoke a Certificate

Various circumstances can invalidate a certificate before the expiration date. Some examples are a change of name, change of association between subject and certificate authority (for example, an employee terminates employment), and compromise (known or suspected) of the private key. Under such circumstances, the certificate authority (CA) that issued the certificate must revoke it. The following task describes how to revoke a certificate for which the firewall is the CA.

Revoke a Certificate

Step 1 Select Device > Certificate Management > Certificates > Device Certificates.

Step 2 If the firewall supports multiple virtual systems, the tab displays a Location drop-down. Select the virtual system to which the certificate belongs.

Step 3 Select the certificate to revoke.

Step 4 Click Revoke. PAN-OS immediately sets the status of the certificate to revoked and adds the serial number to the Online Certificate Status Protocol (OCSP) responder cache or certificate revocation list (CRL). You need not perform a commit.

Renew a Certificate

If a certificate expires, or soon will, you can reset the validity period. If an external certificate authority (CA) signed the certificate and the firewall uses the Online Certificate Status Protocol (OCSP) to verify certificate revocation status, the firewall uses the OCSP responder information to update the certificate status (see Configure an OCSP Responder). If the firewall is the CA that issued the certificate, the firewall replaces it with a new certificate that has a different serial number but the same attributes as the old certificate.

Renew a Certificate

Step 1 Select Device > Certificate Management > Certificates > Device Certificates.

Step 2 If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 3 Select a certificate to renew and click Renew.

Step 4 Enter a New Expiration Interval (in days).

Step 5 Click OK and Commit.


Secure Keys with a Hardware Security Module

A hardware security module (HSM) is a physical device that manages digital keys. An HSM provides secure storage and generation of digital keys. It provides both logical and physical protection of these materials from non-authorized use and potential adversaries.
HSM clients integrated with Palo Alto Networks firewalls or Panorama enable enhanced security for the private keys used in SSL/TLS decryption (both SSL forward proxy and SSL inbound inspection). In addition, you can use the HSM to encrypt master keys.
The following topics describe how to integrate an HSM with your firewall or Panorama:
• Set up Connectivity with an HSM
• Encrypt a Master Key Using an HSM
• Store Private Keys on an HSM
• Manage the HSM Deployment

Set up Connectivity with an HSM

HSM clients are integrated with PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7000 Series, and VM-Series firewalls and on Panorama (virtual appliance and M-Series appliance) for use with the following HSMs:
• SafeNet Network 5.2.1 or later
• Thales nShield Connect 11.62 or later

The HSM server version must be compatible with these client versions. Refer to the HSM vendor documentation for the client-server version compatibility matrix.

The IP address on the HSM client firewall must be a static IP address, not a dynamic address assigned by DHCP. The HSM authenticates the firewall using the IP address before the HSM connection comes up. Operations on the HSM would stop working if the IP address were to change during runtime.
The following topics describe how to set up connectivity to one of the supported HSMs:
• Set Up Connectivity with a SafeNet Network HSM
• Set Up Connectivity with a Thales nShield Connect HSM

Set Up Connectivity with a SafeNet Network HSM

To set up connectivity between the Palo Alto Networks firewall and a SafeNet Network HSM, you must specify the address of the HSM server and the password for connecting to it in the firewall configuration. In addition, you must register the firewall with the HSM server. Before starting the configuration, make sure you have created a partition for the Palo Alto Networks firewalls on the HSM server.


HSM configuration is not synced between high availability firewall peers. Consequently, you must configure the HSM module separately on each of the peers.
In active/passive HA deployments, you must manually perform one failover to configure and authenticate each HA peer individually to the HSM. After this manual failover has been performed, user interaction is not required for the failover function.

Set Up Connectivity with a SafeNet Network HSM

Step 1 Configure the firewall to communicate with the SafeNet Network HSM.
1. Log in to the firewall web interface and select Device > Setup > HSM.
2. Edit the Hardware Security Module Provider section and select Safenet Luna SA (SafeNet Network) as the Provider Configured.
3. Click Add and enter a Module Name. This can be any ASCII string up to 31 characters in length.
4. Enter the IPv4 address of the HSM module as the Server Address.
   If you are configuring a high availability HSM configuration, enter module names and IP addresses for the additional HSM devices.
5. (Optional) If configuring a high availability HSM configuration, select the High Availability check box and add the following: a value for Auto Recovery Retry and a High Availability Group Name.
   If two HSM servers are configured, you should configure high availability. Otherwise the second HSM server is not used.
6. Click OK and Commit.

Step 2 (Optional) Configure a service route to enable the firewall to connect to the HSM.
By default, the firewall uses the Management Interface to communicate with the HSM. To use a different interface, you must configure a service route.
1. Select Device > Setup > Services.
2. Select Service Route Configuration from the Services Features area.
3. Select Customize from the Service Route Configuration area.
4. Select the IPv4 tab.
5. Select HSM from the Service column.
6. Select an interface to use for HSM from the Source Interface drop-down.
   If you select a dataplane-connected port for HSM, issuing the clear session all CLI command will clear all existing HSM sessions, causing all HSM states to be brought down and then up. During the several seconds required for the HSM to recover, all SSL/TLS operations will fail.
7. Click OK and Commit.

Step 3 Configure the firewall to authenticate to the HSM.
1. Select Device > Setup > HSM.
2. Select Setup Hardware Security Module in the Hardware Security Operations area.
3. Select the HSM Server Name from the drop-down.
4. Enter the Administrator Password to authenticate the firewall to the HSM.
5. Click OK.
   The firewall attempts to perform an authentication with the HSM and displays a status message.
6. Click OK.


Step 4 Register the firewall (the HSM client) with the HSM and assign it to a partition on the HSM.
1. Log in to the HSM from a remote system.
2. Register the firewall using the following command:
   client register -c <cl-name> -ip <fw-ip-addr>
   where <cl-name> is a name that you assign to the firewall for use on the HSM and <fw-ip-addr> is the IP address of the firewall that is being configured as an HSM client. It must be a static IP address, not an address assigned by DHCP.
3. Assign a partition to the firewall using the following command:
   client assignpartition -c <cl-name> -p <partition-name>
   where <cl-name> is the name assigned to the firewall in the client register command and <partition-name> is the name of a previously configured partition that you want to assign to the firewall.
If the HSM already has a firewall with the same <cl-name> registered, you must remove the duplicate registration using the following command before registration will succeed:
   client delete -client <cl-name>
where <cl-name> is the name of the client (firewall) registration you want to delete.

Step 5 Configure the firewall to connect to the HSM partition.
1. Select Device > Setup > HSM.
2. Click the Refresh icon.
3. Select Setup HSM Partition in the Hardware Security Operations area.
4. Enter the Partition Password to authenticate the firewall to the partition on the HSM.
5. Click OK.

Step 6 (Optional) Configure an additional HSM for high availability (HA).
1. Follow Step 1 through Step 5 to add an additional HSM for high availability (HA).
   This process adds a new HSM to the existing HA group.
2. If you remove an HSM from your configuration, repeat Step 5.
   This will remove the deleted HSM from the HA group.

Step 7 Verify connectivity with the HSM.
1. Select Device > Setup > HSM.
2. Check the Status of the HSM connection:
   • Green: HSM is authenticated and connected.
   • Red: HSM was not authenticated or network connectivity to the HSM is down.
3. View the following columns in the Hardware Security Module Status area to determine authentication status:
   • Serial Number: The serial number of the HSM partition if the HSM was successfully authenticated.
   • Partition: The partition name on the HSM that was assigned on the firewall.
   • Module State: The current operating state of the HSM. It always has the value Authenticated if the HSM is displayed in this table.


Set Up Connectivity with a Thales nShield Connect HSM

The following workflow describes how to configure the firewall to communicate with a Thales nShield Connect HSM. This configuration requires that you set up a remote file system (RFS) to use as a hub to sync key data for all firewalls in your organization that are using the HSM.

HSM configuration is not synced between high availability firewall peers. Consequently, you must configure the HSM module separately on each of the peers.
If the firewall is in an active/passive high availability configuration, you must manually perform one failover to configure and authenticate each HA peer individually to the HSM. After you perform this initial manual failover, no further user interaction is required for the failover function.

Set Up Connectivity with a Thales nShield Connect HSM

Step 1 Configure the Thales nShield Connect server as the firewall's HSM provider.
1. From the firewall web interface, select Device > Setup > HSM and edit the Hardware Security Module Provider section.
2. Select Thales Nshield Connect as the Provider Configured.
3. Click Add and enter a Module Name. This can be any ASCII string up to 31 characters in length.
4. Enter the IPv4 address as the Server Address of the HSM module.
   If you are configuring a high availability HSM configuration, enter module names and IP addresses for the additional HSM devices.
5. Enter the IPv4 address of the Remote Filesystem Address.
6. Click OK and Commit.

Step 2 (Optional) Configure a service route to enable the firewall to connect to the HSM.
By default, the firewall uses the Management Interface to communicate with the HSM. To use a different interface, you must configure a service route.
1. Select Device > Setup > Services.
2. Select Service Route Configuration from the Services Features area.
3. Select Customize from the Service Route Configuration area.
4. Select the IPv4 tab.
5. Select HSM from the Service column.
6. Select an interface to use for HSM from the Source Interface drop-down.
   If you select a dataplane-connected port for HSM, issuing the clear session all CLI command will clear all existing HSM sessions, causing all HSM states to be brought down and then up. During the several seconds required for the HSM to recover, all SSL/TLS operations will fail.
7. Click OK and Commit.

Step 3 Register the firewall (the HSM client) with the HSM server.
This step briefly describes the procedure for using the front panel interface of the Thales nShield Connect HSM. For more details, consult the Thales documentation.
1. Log in to the front panel display of the Thales nShield Connect HSM unit.
2. On the unit front panel, use the right-hand navigation button to select System > System configuration > Client config > New client.
3. Enter the IP address of the firewall. It must be a static IP address, not an address assigned by DHCP.
4. Select System > System configuration > Client config > Remote file system and enter the IP address of the client computer where you set up the remote file system.


Step 4 Set up the remote file system to accept connections from the firewall.
1. Log in to the remote file system (RFS) from a Linux client.
2. Obtain the electronic serial number (ESN) and the hash of the KNETI key. The KNETI key authenticates the module to clients:
   anonkneti <ip-address>
   where <ip-address> is the IP address of the HSM.
   The following is an example:
   anonkneti 192.0.2.1
   B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
   In this example, B1E2-2D4C-E6A2 is the ESN and 5a2e5107e70d525615a903f6391ad72b1c03352c is the hash of the KNETI key.
3. Use the following command from a superuser account to perform the remote file system setup:
   rfs-setup --force <ip-address> <ESN> <hash-Kneti-key>
   where <ip-address> is the IP address of the HSM, <ESN> is the electronic serial number (ESN) and <hash-Kneti-key> is the hash of the KNETI key.
   The following example uses the values obtained in this procedure:
   rfs-setup --force 192.0.2.1 B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
4. Use the following command to permit client submit on the Remote Filesystem:
   rfs-setup --gang-client --write-noauth <FW-IPaddress>
   where <FW-IPaddress> is the IP address of the firewall.

Step 5 Configure the firewall to authenticate to the HSM.
1. From the firewall web interface, select Device > Setup > HSM.
2. Select Setup Hardware Security Module in the Hardware Security Operations area.
3. Click OK.
   The firewall attempts to perform an authentication with the HSM and displays a status message.
4. Click OK.

Step 6 Synchronize the firewall with the remote file system.
1. Select Device > Setup > HSM.
2. Select Synchronize with Remote Filesystem in the Hardware Security Operations section.

Step 7 Verify that the firewall can connect to the HSM.
1. Select Device > Setup > HSM.
2. Check the Status indicator to verify that the firewall is connected to the HSM:
   • Green: HSM is authenticated and connected.
   • Red: HSM was not authenticated or network connectivity to the HSM is down.
3. View the following columns in the Hardware Security Module Status section to determine authentication status:
   • Name: The name of the HSM attempting to be authenticated.
   • IP address: The IP address of the HSM that was assigned on the firewall.
   • Module State: The current operating state of the HSM: Authenticated or Not Authenticated.


Encrypt a Master Key Using an HSM

A master key is configured on a Palo Alto Networks firewall to encrypt all private keys and passwords. If you have security requirements to store your private keys in a secure location, you can encrypt the master key using an encryption key that is stored on an HSM. The firewall then requests the HSM to decrypt the master key whenever it is required to decrypt a password or private key on the firewall. Typically, the HSM is located in a highly secure location that is separate from the firewall for greater security.
The HSM encrypts the master key using a wrapping key. To maintain security, this encryption key must occasionally be changed. For this reason, a command is provided on the firewall to rotate the wrapping key, which changes the master key encryption. The frequency of this wrapping key rotation depends on your application.

Master key encryption using an HSM is not supported on firewalls configured in FIPS/CC mode.

The following topics describe how to encrypt the master key initially and how to refresh the master key encryption:
• Encrypt the Master Key
• Refresh the Master Key Encryption

Encrypt the Master Key

If you have not previously encrypted the master key on a firewall, use the following procedure to encrypt it. Use this procedure for first-time encryption of a key, or if you define a new master key and you want to encrypt it. If you want to refresh the encryption on a previously encrypted key, see Refresh the Master Key Encryption.

Encrypt a Master Key Using an HSM

Step 1 Select Device > Master Key and Diagnostics.

Step 2 Specify the key that is currently used to encrypt all of the private keys and passwords on the firewall in the Master Key field.

Step 3 If changing the master key, enter the new master key and confirm.

Step 4 Select the HSM check box.
• Life Time: The number of days and hours after which the master key expires (range 1-730 days).
• Time for Reminder: The number of days and hours before expiration when the user is notified of the impending expiration (range 1-365 days).

Step 5 Click OK.


Refresh the Master Key Encryption

As a best practice, refresh the master key encryption on a regular basis by rotating the master key wrapping key on the HSM. This command is the same for both the SafeNet Network and Thales nShield Connect HSMs.

Refresh the Master Key Encryption

Step 1 Use the following CLI command to rotate the wrapping key for the master key on an HSM:
> request hsm mkey-wrapping-key-rotation
If the master key is encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM and encrypt the master key with the new wrapping key.
If the master key is not encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM for future use.
The old wrapping key is not deleted by this command.

Store Private Keys on an HSM

For added security, you can use an HSM to secure the private keys used in SSL/TLS decryption for:
• SSL forward proxy: The HSM can store the private key of the CA certificate that is used to sign certificates in SSL/TLS forward proxy operations. The firewall will then send the certificates that it generates during such operations to the HSM for signing before forwarding them to the client.
• SSL inbound inspection: The HSM can store the private keys for the internal servers for which you are performing SSL/TLS inbound inspection.

Store Private Keys on an HSM

Step 1 On the HSM, import or generate the private key used in your SSL forward proxy or SSL inbound inspection deployment.
For instructions on importing or generating a private key on the HSM, refer to your HSM documentation.

Step 2 (Thales nShield Connect only) Synchronize the key data from the HSM remote file system to the firewall.
1. Access the firewall web interface and select Device > Setup > HSM.
2. Select Synchronize with Remote Filesystem in the Hardware Security Operations section.

Step 3 Import the certificate that corresponds to the HSM-stored key onto the firewall.
1. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
2. Enter the Certificate Name.
3. Enter the file name of the Certificate File you imported to the HSM.
4. Select a File Format.
5. Select the Private Key resides on Hardware Security Module check box.
6. Click OK and Commit.


Step 4 (Forward trust certificates only) Enable the certificate for use in SSL/TLS Forward Proxy.
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Open the certificate you imported in Step 3 for editing.
3. Select the Forward Trust Certificate check box.
4. Click OK and Commit.

Step 5 Verify that you successfully imported the certificate onto the firewall.
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Locate the certificate you imported in Step 3 and check the icon in the Key column:
   • Lock icon: The private key for the certificate is on the HSM.
   • Error icon: The private key is not on the HSM or the HSM is not properly authenticated or connected.

Manage the HSM Deployment

Manage HSM

View the HSM configuration settings.
Select Device > Setup > HSM.

Display detailed HSM information.
Select Show Detailed Information from the Hardware Security Operations section.
Information regarding the HSM servers, HSM HA status, and HSM hardware is displayed.

Export Support file.
Select Export Support File from the Hardware Security Operations section.
A test file is created to help customer support when addressing a problem with an HSM configuration on the firewall.

Reset HSM configuration.
Select Reset HSM Configuration from the Hardware Security Operations section.
Selecting this option removes all HSM connections. All authentication procedures must be repeated after using this option.


High Availability

High availability (HA) is a deployment in which two firewalls are placed in a group and their configuration is synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up two firewalls in an HA pair provides redundancy and allows you to ensure business continuity.
Palo Alto Networks firewalls support stateful active/passive or active/active high availability with session and configuration synchronization, with a few exceptions:
• The PA-200 firewall supports HA Lite only.
• The VM-Series firewall in AWS supports active/passive HA only; if it is deployed with Amazon Elastic Load Balancing (ELB), it does not support HA (in this case ELB provides the failover capabilities).
• The VM-Series firewall in Microsoft Azure does not support HA.
The following topics provide more information about high availability and how to configure it in your environment.
• HA Overview
• HA Concepts
• Set Up Active/Passive HA
• Set Up Active/Active HA
• HA Firewall States
• Reference: HA Synchronization


HA Overview

You can set up two Palo Alto Networks firewalls as an HA pair. HA allows you to minimize downtime by making sure that an alternate firewall is available in the event that the peer firewall fails. The firewalls in an HA pair use dedicated or in-band HA ports on the firewall to synchronize data (network, object, and policy configurations) and to maintain state information. Firewall-specific configuration such as management interface IP address or administrator profiles, HA-specific configuration, log data, and the Application Command Center (ACC) information is not shared between peers. For a consolidated application and log view across the HA pair, you must use Panorama, the Palo Alto Networks centralized management system.
When a failure occurs on a firewall in an HA pair and the peer firewall takes over the task of securing traffic, the event is called a Failover. The conditions that trigger a failover are:
• One or more of the monitored interfaces fail. (Link Monitoring)
• One or more of the destinations specified on the firewall cannot be reached. (Path Monitoring)
• The firewall does not respond to heartbeat polls. (Heartbeat Polling and Hello messages)
• A critical chip or software component fails, known as packet path health monitoring.
You can use Panorama to manage HA firewalls. See Context Switch: Firewall or Panorama in the Panorama Administrator's Guide.
After you understand the HA Concepts, proceed to Set Up Active/Passive HA or Set Up Active/Active HA.


HighAvailability HAConcepts

HAConcepts

ThefollowingtopicsprovideconceptualinformationabouthowHAworksonaPaloAltoNetworksfirewall:
HAModes
HALinksandBackupLinks
DevicePriorityandPreemption
Failover
LACPandLLDPPreNegotiationforActive/PassiveHA
FloatingIPAddressandVirtualMACAddress
ARPLoadSharing
RouteBasedRedundancy
HATimers
SessionOwner
SessionSetup
NATinActive/ActiveHAMode
ECMPinActive/ActiveHAMode

HA Modes

You can set up the firewalls for HA in one of two modes:
Active/Passive: One firewall actively manages traffic while the other is synchronized and ready to transition to the active state, should a failure occur. In this mode, both firewalls share the same configuration settings, and one actively manages traffic until a path, link, system, or network failure occurs. When the active firewall fails, the passive firewall transitions to the active state and takes over seamlessly and enforces the same policies to maintain network security. Active/passive HA is supported in the virtual wire, Layer 2, and Layer 3 deployments.

The PA-200 firewall supports HA Lite only.
HA Lite is an active/passive deployment that provides configuration synchronization and some runtime data synchronization such as IPSec security associations. It does not support any session synchronization (HA2), and therefore does not offer stateful failover.

Active/Active: Both firewalls in the pair are active and processing traffic and work synchronously to handle session setup and session ownership. Both firewalls individually maintain session tables and routing tables and synchronize to each other. Active/active HA is supported in virtual wire and Layer 3 deployments.

An active/active configuration does not load-balance traffic. Although you can load share by sending traffic to the peer, no load balancing occurs. Ways to load share sessions to both firewalls include using ECMP, multiple ISPs, and load balancers.

In active/active HA mode, the firewall does not support DHCP client. Furthermore, only the active-primary firewall can function as a DHCP Relay. If the active-secondary firewall receives DHCP broadcast packets, it drops them.
When deciding whether to use active/passive or active/active mode, consider the following differences:
Active/passive mode has simplicity of design; it is significantly easier to troubleshoot routing and traffic flow issues in active/passive mode. Active/passive mode supports a Layer 2 deployment; active/active mode does not.
Active/active mode requires advanced design concepts that can result in more complex networks. Depending on how you implement active/active HA, it might require additional configuration such as activating networking protocols on both firewalls, replicating NAT pools, and deploying floating IP addresses to provide proper failover. Because both firewalls are actively processing traffic, the firewalls use additional concepts of session owner and session setup to perform Layer 7 content inspection. Active/active mode is recommended if each firewall needs its own routing instances and you require full, real-time redundancy out of both firewalls all the time. Active/active mode has faster failover and can handle peak traffic flows better than active/passive mode because both firewalls are actively processing traffic.

In active/active mode, the HA pair can be used to temporarily process more traffic than what one firewall can normally handle. However, this should not be the norm because a failure of one firewall causes all traffic to be redirected to the remaining firewall in the HA pair.
Your design must allow the remaining firewall to process the maximum capacity of your traffic loads with content inspection enabled. If the design oversubscribes the capacity of the remaining firewall, high latency and/or application failure can occur.

For information on setting up your firewalls in active/passive mode, see Set Up Active/Passive HA. For information on setting up your firewalls in active/active mode, see Set Up Active/Active HA.

HA Links and Backup Links

The firewalls in an HA pair use HA links to synchronize data and maintain state information. Some models of the firewall have dedicated HA ports, Control link (HA1) and Data link (HA2), while others require you to use the in-band ports as HA links.
On firewalls with dedicated HA ports such as the PA-3000 Series, PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls (see HA Ports on the PA-7000 Series Firewall), use the dedicated HA ports to manage communication and synchronization between the firewalls. For firewalls without dedicated HA ports such as the PA-200, PA-500, and PA-2000 Series firewalls, as a best practice use the management port for the HA1 link to allow for a direct connection between the management planes on the firewalls, and an in-band port for the HA2 link.

The HA1 and HA2 links provide synchronization for functions that reside on the management plane. Using the dedicated HA interfaces on the management plane is more efficient than using the in-band ports as this eliminates the need to pass the synchronization packets over the dataplane.

HA Links and Backup Links: Description

Control Link: The HA1 link is used to exchange hellos, heartbeats, and HA state information, and management plane sync for routing, and User-ID information. The firewalls also use this link to synchronize configuration changes with their peer. The HA1 link is a Layer 3 link and requires an IP address.
Ports used for HA1: TCP port 28769 and 28260 for clear text communication; port 28 for encrypted communication (SSH over TCP).

Data Link: The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active or active-primary firewall to the passive or active-secondary firewall. The HA2 link is a Layer 2 link, and it uses ethertype 0x7261 by default.
Ports used for HA2: The HA data link can be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.

Backup Links: Provide redundancy for the HA1 and the HA2 links. In-band ports are used as backup links for both HA1 and HA2. Consider the following guidelines when configuring backup HA links:
The IP addresses of the primary and backup HA links must not overlap each other.
HA backup links must be on a different subnet from the primary HA links.
HA1 backup and HA2 backup ports must be configured on separate physical ports. The HA1 backup link uses port 28770 and 28260.
Palo Alto Networks recommends enabling heartbeat backup (uses port 28771 on the MGT interface) if you use an in-band port for the HA1 or the HA1 backup links.

Packet-Forwarding Link: In addition to HA1 and HA2 links, an active/active deployment also requires a dedicated HA3 link. The firewalls use this link for forwarding packets to the peer during session setup and asymmetric traffic flow. The HA3 link is a Layer 2 link that uses MAC-in-MAC encapsulation. It does not support Layer 3 addressing or encryption. PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one. On PA-3000 Series, PA-4000 Series, and PA-5000 Series firewalls, you can configure aggregate interfaces as an HA3 link. The aggregate interfaces can also provide redundancy for the HA3 link; you cannot configure backup links for the HA3 link. On PA-7000 Series firewalls, the dedicated HSCI ports support the HA3 link. The firewall adds a proprietary packet header to packets traversing the HA3 link, so the MTU over this link must be greater than the maximum packet length forwarded.

HA Ports on the PA-7000 Series Firewall

HA connectivity on the PA-7000 Series mandates the use of specific ports on the Switch Management Card (SMC) for certain functions; for other functions, you can use the ports on the Network Processing Card (NPC). PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one.
The following table describes the SMC ports that are designed for HA connectivity:

HA Links and Backup Links (Ports on the SMC): Description

Control Link (HA1-A; speed: Ethernet 10/100/1000): Used for HA control and synchronization in both HA Modes. Connect this port directly from the HA1-A port on the first firewall to the HA1-A on the second firewall in the pair, or connect them together through a switch or router.
HA1 cannot be configured on NPC data ports or the MGT port.

Control Link Backup (HA1-B; speed: Ethernet 10/100/1000 port): Used for HA control and synchronization as a backup for HA1-A in both HA Modes. Connect this port directly from the HA1-B port on the first firewall to the HA1-B on the second firewall in the pair, or connect them together through a switch or router.
HA1 Backup cannot be configured on NPC data ports or the MGT port.

Data Link (HSCI-A) and Data Link Backup (HSCI-B): The High Speed Chassis Interconnect (HSCI) ports are Quad Port SFP (QSFP) interfaces which are used to connect two PA-7000 Series firewalls in an HA configuration. Each port is comprised of four 10 gigabit links internally for a combined speed of 40 gigabits.
The HSCI ports are not routable and must be connected directly to each other. The HSCI-A on the first chassis connects directly to HSCI-A on the second chassis and HSCI-B on the first chassis connects to HSCI-B on the second chassis. This will provide full 80 gigabit transfer rates. In software, both ports (HSCI-A and HSCI-B) are treated as one HA interface.
Palo Alto Networks recommends using the dedicated HSCI ports for the HA2 link; the HA3 link, required for packet forwarding in an active/active deployment, must use the HSCI port.
If the firewalls are deployed in:
an active/active configuration, the HA3 link must use the HSCI port. The HA2 link and HA2 backup links can use the HSCI port or data ports on the NPC.
an active/passive configuration, you can configure a data port on the NPC for the HA2 link or the HA2 backup link, if needed.

Device Priority and Preemption

The firewalls in an HA pair can be assigned a device priority value to indicate a preference for which firewall should assume the active or active-primary role. If you need to use a specific firewall in the HA pair for actively securing traffic, you must enable the preemptive behavior on both the firewalls and assign a device priority value for each firewall. The firewall with the lower numerical value, and therefore higher priority, is designated as active or active-primary. The other firewall is the active-secondary or passive firewall.
By default, preemption is disabled on the firewalls and must be enabled on both firewalls. When enabled, the preemptive behavior allows the firewall with the higher priority (lower numerical value) to resume as active or active-primary after it recovers from a failure. When preemption occurs, the event is logged in the system logs.

Failover

When a failure occurs on one firewall and the peer takes over the task of securing traffic, the event is called a failover. A failover is triggered, for example, when a monitored metric on a firewall in the HA pair fails. The metrics that are monitored for detecting a firewall failure are:
Heartbeat Polling and Hello messages
The firewalls use hello messages and heartbeats to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the firewalls are connected and responsive. For details on the HA timers that trigger a failover, see HA Timers.
Link Monitoring
The physical interfaces to be monitored are grouped into a link group and their state (link up or link down) is monitored. A link group can contain one or more physical interfaces. A firewall failure is triggered when any or all of the interfaces in the group fail. By default, the failure of any one link in the link group causes the firewall to change the HA state to non-functional (or to tentative state in active/active mode) to indicate a failure of a monitored object.
Path Monitoring
Monitors the full path through the network to mission-critical IP addresses. ICMP pings are used to verify reachability of the IP address. The default interval for pings is 200 ms. An IP address is considered unreachable when 10 consecutive pings (the default value) fail, and a firewall failure is triggered when any or all of the IP addresses monitored become unreachable. By default, any one of the IP addresses becoming unreachable causes the firewall to change the HA state to non-functional (or to tentative state in active/active mode) to indicate a failure of a monitored object.
In addition to the failover triggers listed above, a failover also occurs when the administrator suspends the firewall or when preemption occurs.
On the PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls, a failover can occur when an internal health check fails. This health check is not configurable and is enabled to monitor the critical components, such as the FPGA and CPUs. Additionally, general health checks that occur on any platform can cause a failover.

LACP and LLDP Pre-Negotiation for Active/Passive HA

If a firewall uses LACP or LLDP, negotiation of those protocols upon failover prevents sub-second failover. However, you can enable an interface on a passive firewall to negotiate LACP and LLDP prior to failover. Thus, a firewall in Passive or Non-functional HA state can communicate with neighboring devices using LACP or LLDP. Such pre-negotiation speeds up failover.
The PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls support a pre-negotiation configuration depending on whether the Ethernet or AE interface is in a Layer 2, Layer 3, or virtual wire deployment. An HA passive firewall handles LACP and LLDP packets in one of two ways:
Active: The firewall has LACP or LLDP configured on the interface and actively participates in LACP or LLDP pre-negotiation, respectively.
Passive: LACP or LLDP is not configured on the interface and the firewall does not participate in the protocol, but allows the peers on either side of the firewall to pre-negotiate LACP or LLDP, respectively.
Pre-negotiation is not supported on subinterfaces or tunnel interfaces.
To configure LACP or LLDP pre-negotiation, see Step 14 of Configure Active/Passive HA.

Floating IP Address and Virtual MAC Address

In a Layer 3 deployment of HA active/active mode, you can assign floating IP addresses, which move from one HA firewall to the other if a link or firewall fails. The interface on the firewall that owns the floating IP address responds to ARP requests with a virtual MAC address.
Floating IP addresses are recommended when you need functionality such as Virtual Router Redundancy Protocol (VRRP). Floating IP addresses can also be used to implement VPNs and source NAT, allowing for persistent connections when a firewall offering those services fails.
As shown in the figure below, each HA firewall interface has its own IP address and floating IP address. The interface IP address remains local to the firewall, but the floating IP address moves between the firewalls upon firewall failure. You configure the end hosts to use a floating IP address as their default gateway, allowing you to load balance traffic to the two HA peers. You can also use external load balancers to load balance traffic.
If a link or firewall fails or a path monitoring event causes a failover, the floating IP address and virtual MAC address move over to the functional firewall. (In the figure below, each firewall has two floating IP addresses and virtual MAC addresses; they all move over if the firewall fails.) The functioning firewall sends a gratuitous ARP to update the MAC tables of the connected switches to inform them of the change in floating IP address and MAC address ownership to redirect traffic to itself.
After the failed firewall recovers, by default the floating IP address and virtual MAC address move back to the firewall with the Device ID [0 or 1] to which the floating IP address is bound. More specifically, after the failed firewall recovers, it comes online. The currently active firewall determines that the firewall is back online and checks whether the floating IP address it is handling belongs natively to itself or the other firewall. If the floating IP address was originally bound to the other Device ID, the firewall automatically gives it back. (For an alternative to this default behavior, see Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.)

Each firewall in the HA pair creates a virtual MAC address for each of its interfaces that has a floating IP address or ARP Load-Sharing IP address.
The format of the virtual MAC address (on firewalls other than PA-7000 Series firewalls) is 00-1B-17-00-xx-yy, where 00-1B-17 is the vendor ID (of Palo Alto Networks in this case), 00 is fixed, xx indicates the Device ID and Group ID as shown in the following figure, and yy is the Interface ID:

The format of the virtual MAC address on PA-7000 Series firewalls is 00-1B-17-xx-xx-xx, where 00-1B-17 is the vendor ID (of Palo Alto Networks in this case), and the next 24 bits indicate the Device ID, Group ID and Interface ID as follows:

When a new active firewall takes over, it sends gratuitous ARPs from each of its connected interfaces to inform the connected Layer 2 switches of the new location of the virtual MAC address. To configure floating IP addresses, see Use Case: Configure Active/Active HA with Floating IP Addresses.

ARP Load-Sharing

In a Layer 3 interface deployment and active/active HA configuration, ARP load-sharing allows the firewalls to share an IP address and provide gateway services. Use ARP load-sharing only when no Layer 3 device exists between the firewall and end hosts, that is, when end hosts use the firewall as their default gateway.

In such a scenario, all hosts are configured with a single gateway IP address. One of the firewalls responds to ARP requests for the gateway IP address with its virtual MAC address. Each firewall has a unique virtual MAC address generated for the shared IP address. The load-sharing algorithm that controls which firewall will respond to the ARP request is configurable; it is determined by computing the hash or modulo of the source IP address of the ARP request.
After the end host receives the ARP response from the gateway, it caches the MAC address and all traffic from the host is routed via the firewall that responded with the virtual MAC address for the lifetime of the ARP cache. The lifetime of the ARP cache depends on the end host operating system.
If a link or firewall fails, the floating IP address and virtual MAC address move over to the functional firewall. The functional firewall sends gratuitous ARPs to update the MAC table of the connected switches to redirect traffic from the failed firewall to itself. See Use Case: Configure Active/Active HA with ARP Load-Sharing.
You can configure interfaces on the WAN side of the HA firewalls with floating IP addresses, and configure interfaces on the LAN side of the HA firewalls with a shared IP address for ARP load-sharing. For example, the figure below illustrates floating IP addresses for the upstream WAN edge routers and an ARP load-sharing address for the hosts on the LAN segment.

Route-Based Redundancy

In a Layer 3 interface deployment and active/active HA configuration, the firewalls are connected to routers, not switches. The firewalls use dynamic routing protocols to determine the best path (asymmetric route) and to load share between the HA pair. In such a scenario, no floating IP addresses are necessary. If a link, monitored path, or firewall fails, or if Bidirectional Forwarding Detection (BFD) detects a link failure, the routing protocol (RIP, OSPF, or BGP) handles the rerouting of traffic to the functioning firewall. You configure each firewall interface with a unique IP address. The IP addresses remain local to the firewall where they are configured; they do not move between devices when a firewall fails. See Use Case: Configure Active/Active HA with Route-Based Redundancy.

HA Timers

High availability (HA) timers enable a firewall to detect a firewall failure and trigger a failover. To reduce the complexity in configuring HA timers, you can select from three profiles: Recommended, Aggressive and Advanced. These profiles auto-populate the optimum HA timer values for the specific firewall platform to enable a speedier HA deployment.
Use the Recommended profile for typical failover timer settings and the Aggressive profile for faster failover timer settings. The Advanced profile allows you to customize the timer values to suit your network requirements.
The following table describes each timer included in the profiles and the current preset values across the different hardware models; these values are for current reference only and can change in a subsequent release.

Timers table columns: Timer | Description | PA-7000 Series, PA-5000 Series, PA-4000 Series, PA-3000 Series, VM-Series | PA-2000 Series, PA-500 Series, PA-200 Series | Panorama Virtual Appliance, Panorama M-Series

Monitor fail hold up time
Description: Interval during which the firewall will remain active following a path monitor or link monitor failure. This setting is recommended to avoid an HA failover due to the occasional flapping of neighboring devices.
PA-7000/PA-5000/PA-4000/PA-3000 Series, VM-Series: 0/0
PA-2000/PA-500/PA-200 Series: 0/0
Panorama Virtual Appliance, Panorama M-Series: 0/0

Preemption hold time
Description: Time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall.
PA-7000/PA-5000/PA-4000/PA-3000 Series, VM-Series: 1/1
PA-2000/PA-500/PA-200 Series: 1/1
Panorama Virtual Appliance, Panorama M-Series: 1/1

Heartbeat interval
Description: Frequency at which the HA peers exchange heartbeat messages in the form of an ICMP (ping).
PA-7000/PA-5000/PA-4000/PA-3000 Series, VM-Series: 1000/1000; 2000/1000 (only for VM-Series in AWS)
PA-2000/PA-500/PA-200 Series: 2000/1000
Panorama Virtual Appliance, Panorama M-Series: 2000/1000

Promotion hold time
Description: Time that the passive firewall (in active/passive mode) or the active-secondary firewall (in active/active mode) will wait before taking over as the active or active-primary firewall after communications with the HA peer have been lost. This hold time will begin only after the peer failure declaration has been made.
PA-7000/PA-5000/PA-4000/PA-3000 Series, VM-Series: 2000/500
PA-2000/PA-500/PA-200 Series: 2000/500
Panorama Virtual Appliance, Panorama M-Series: 2000/500
Additional master hold up time
Description: Time interval that is applied to the same event as Monitor Fail Hold Up Time (range 0-60000 ms, default 500 ms). The additional time interval is applied only to the active firewall in active/passive mode and to the active-primary firewall in active/active mode. This timer is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously.
PA-7000/PA-5000/PA-4000/PA-3000 Series, VM-Series: 500/500
PA-2000/PA-500/PA-200 Series: 500/500
Panorama Virtual Appliance, Panorama M-Series: 7000/5000

Hello interval
Description: Interval in milliseconds between hello packets that are sent to verify that the HA functionality on the other firewall is operational. The range is 8000-60000 ms with a default of 8000 ms for all platforms.
PA-7000/PA-5000/PA-4000/PA-3000 Series, VM-Series: 8000/8000
PA-2000/PA-500/PA-200 Series: 8000/8000
Panorama Virtual Appliance, Panorama M-Series: 8000/8000

Maximum no. of flaps
Description: A flap is counted when the firewall leaves the active state within 15 minutes after it last left the active state. This value indicates the maximum number of flaps that are permitted before the firewall is determined to be suspended and the passive firewall takes over (range 0-16; default 3).
PA-7000/PA-5000/PA-4000/PA-3000 Series, VM-Series: 3/3
PA-2000/PA-500/PA-200 Series: 3/3
Panorama Virtual Appliance, Panorama M-Series: Not Applicable
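The failure-detection rules from the Failover section and the flap limit from the timer table above, as an added example that is not part of the guide or Palo Alto Networks code. The thresholds are the defaults the guide states; the ping samples, link states and timestamps are constructed, and the flap-limit arithmetic (suspend once the count exceeds the maximum) is an assumption.

```python
"""Added example, not from the PAN-OS guide or Palo Alto Networks: a small
model of the failover detection rules described above (path monitoring,
link-group failure conditions, the flap limit and device priority)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PING_INTERVAL_MS = 200   # default path-monitoring ping interval (guide)
PING_FAIL_COUNT = 10     # default consecutive failed pings before "unreachable" (guide)
FLAP_WINDOW_S = 15 * 60  # a flap counts if the active state is left again within 15 min
MAX_FLAPS = 3            # default maximum number of flaps (range 0-16)


def path_unreachable(ping_results: List[bool], fail_count: int = PING_FAIL_COUNT) -> bool:
    """True once `fail_count` consecutive pings to a monitored IP have failed.
    ping_results is oldest-first; True means a reply was received."""
    streak = 0
    for ok in ping_results:
        streak = 0 if ok else streak + 1
        if streak >= fail_count:
            return True
    return False


def detection_time_ms(fail_count: int = PING_FAIL_COUNT,
                      interval_ms: int = PING_INTERVAL_MS) -> int:
    """Time to declare an IP unreachable at the given settings (2000 ms by default)."""
    return fail_count * interval_ms


def group_failed(states: Dict[str, bool], condition: str = "any") -> bool:
    """Evaluate a link group or path-monitor group. `states` maps each interface
    or IP to True when up/reachable. `condition` is 'any' (the default: one
    failure trips the group) or 'all' (every member must fail)."""
    if condition not in ("any", "all"):
        raise ValueError("condition must be 'any' or 'all'")
    failures = [not up for up in states.values()]
    if not failures:
        return False
    return any(failures) if condition == "any" else all(failures)


def state_after_monitor_failure(ha_mode: str) -> str:
    """A monitored-object failure moves the firewall to non-functional, or to
    tentative state in active/active mode."""
    return "tentative" if ha_mode == "active/active" else "non-functional"


@dataclass
class FlapCounter:
    """Counts departures from the active state that fall within FLAP_WINDOW_S of
    the previous departure; exceeding max_flaps suspends the firewall
    (constructed interpretation of the 'maximum number of flaps' timer)."""
    max_flaps: int = MAX_FLAPS
    flaps: int = 0
    last_left_active_s: Optional[float] = None

    def leave_active(self, now_s: float) -> str:
        if (self.last_left_active_s is not None
                and now_s - self.last_left_active_s <= FLAP_WINDOW_S):
            self.flaps += 1
        self.last_left_active_s = now_s
        return "suspended" if self.flaps > self.max_flaps else "ok"


def preferred_active(priority_a: int, priority_b: int) -> str:
    """With preemption enabled on both peers, the lower device priority value
    (higher priority) is designated active; equal values are reported as a tie."""
    if priority_a == priority_b:
        return "tie"
    return "A" if priority_a < priority_b else "B"


if __name__ == "__main__":
    # Constructed sample: 9 failed pings, one reply, then 10 failed pings.
    samples = [False] * 9 + [True] + [False] * 10
    print("path unreachable:", path_unreachable(samples))
    print("detect after ms:", detection_time_ms())
    print("link group (all):", group_failed({"ethernet1/1": True, "ethernet1/2": False}, "all"))
    print("state:", state_after_monitor_failure("active/passive"))
    counter = FlapCounter()
    print([counter.leave_active(t) for t in (0, 60, 120, 180, 240)])
    print("preferred:", preferred_active(100, 110))
```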

Session Owner

In an HA active/active configuration, both firewalls are active simultaneously, which means packets can be distributed between them. Such distribution requires the firewalls to fulfill two functions: session ownership and session setup. Typically, each firewall of the pair performs one of these functions, thereby avoiding race conditions that can occur in asymmetrically routed environments.
You configure the session owner of sessions to be either the firewall that receives the First Packet of a new session from the end host or the firewall that is in active-primary state (the Primary device). If Primary device is configured, but the firewall that receives the first packet is not in active-primary state, the firewall forwards the packet to the peer firewall (the session owner) over the HA3 link.
The session owner performs all Layer 7 processing, such as App-ID, Content-ID, and threat scanning for the session. The session owner also generates all traffic logs for the session.
If the session owner fails, the peer firewall becomes the session owner. The existing sessions fail over to the functioning firewall and no Layer 7 processing is available for those sessions. When a firewall recovers from a failure, by default, all sessions it owned before the failure revert back to that original firewall; Layer 7 processing does not resume.
If you configure session ownership to be Primary device, the session setup defaults to Primary device also.

Palo Alto Networks recommends setting the Session Owner to First Packet and the Session Setup to IP Modulo unless otherwise indicated in a specific use case.

Setting Session Owner and Session Setup to Primary Device causes the active-primary firewall to perform all traffic processing. You might want to configure this for one of these reasons:
You are troubleshooting and capturing logs and pcaps, so that packet processing is not split between the firewalls.
You want to force the active/active HA pair to function like an active/passive HA pair. See Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.

Session Setup

The session setup firewall performs the Layer 2 through Layer 4 processing necessary to set up a new session. The session setup firewall also performs NAT using the NAT pool of the session owner. You determine the session setup firewall in an active/active configuration by selecting one of the following session setup load-sharing options.

Session Setup Option: Description

IP Modulo: The firewall distributes the session setup load based on parity of the source IP address. This is a deterministic method of sharing the session setup.

IP Hash: The firewall uses a hash of the source and destination IP addresses to distribute session setup responsibilities.

Primary Device: The active-primary firewall always sets up the session; only one firewall performs all session setup responsibilities.

First Packet: The firewall that receives the first packet of a session performs session setup.

If you want to load share the session owner and session setup responsibilities, set session owner to First Packet and session setup to IP modulo. These are the recommended settings.
If you want to do troubleshooting or capture logs or pcaps, or if you want an active/active HA pair to function like an active/passive HA pair, set both the session owner and session setup to Primary device so that the active-primary device performs all traffic processing. See Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.

The firewall uses the HA3 link to send packets to its peer for session setup if necessary. The following figure and text describe the path of a packet that firewall FW1 receives for a new session. The red dotted lines indicate FW1 forwarding the packet to FW2 and FW2 forwarding the packet back to FW1 over the HA3 link.

The end host sends a packet to FW1.
FW1 examines the contents of the packet to match it to an existing session. If there is no session match, FW1 determines that it has received the first packet for a new session and therefore becomes the session owner (assuming Session Owner Selection is set to First Packet).
FW1 uses the configured session setup load-sharing option to identify the session setup firewall. In this example, FW2 is configured to perform session setup.
FW1 uses the HA3 link to send the first packet to FW2.
FW2 sets up the session and returns the packet to FW1 for Layer 7 processing, if any.
FW1 then forwards the packet out the egress interface to the destination.

The following figure and text describe the path of a packet that matches an existing session:

The end host sends a packet to FW1.
FW1 examines the contents of the packet to match it to an existing session. If the session matches an existing session, FW1 processes the packet and sends the packet out the egress interface to the destination.
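The session owner and session setup selection described in the two sections above, the HA3 hops of the FW1/FW2 walk-through, and the ARP load-sharing choice from the ARP Load-Sharing section, as an added example that is not part of the guide or Palo Alto Networks code. The guide names IP Modulo and IP Hash but not their exact arithmetic, so the parity and SHA-256 based functions here are assumptions, as is the mapping of the result 0 or 1 to a Device ID; all addresses are constructed.

```python
"""Added example, not from the PAN-OS guide or Palo Alto Networks: a model of
how an active/active pair picks the session owner and session setup firewall,
the HA3 hops a new session's first packet takes, and which peer answers an ARP
request under ARP load-sharing."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class HaPair:
    primary_id: int   # Device ID (0 or 1) of the active-primary firewall
    owner_mode: str   # "first-packet" or "primary-device"
    setup_mode: str   # "ip-modulo", "ip-hash", "primary-device" or "first-packet"
                      # (the guide: owner = Primary device defaults setup to Primary device)


def ip_modulo(src: str) -> int:
    """IP Modulo: parity of the source IP address (assumed: lowest address bit)."""
    return int(ipaddress.ip_address(src)) % 2


def ip_hash(src: str, dst: str) -> int:
    """IP Hash: a hash over source and destination IPs (assumed: SHA-256 low bit)."""
    return hashlib.sha256(f"{src}->{dst}".encode()).digest()[-1] % 2


def session_owner(pair: HaPair, receiver_id: int) -> int:
    """First Packet: the firewall that received the packet owns the session.
    Primary device: the active-primary firewall owns it."""
    return pair.primary_id if pair.owner_mode == "primary-device" else receiver_id


def session_setup(pair: HaPair, receiver_id: int, src: str, dst: str) -> int:
    """Device ID that performs the Layer 2 through Layer 4 session setup."""
    if pair.setup_mode == "primary-device":
        return pair.primary_id
    if pair.setup_mode == "first-packet":
        return receiver_id
    if pair.setup_mode == "ip-modulo":
        return ip_modulo(src)
    if pair.setup_mode == "ip-hash":
        return ip_hash(src, dst)
    raise ValueError(f"unknown session setup option: {pair.setup_mode}")


def first_packet_path(pair: HaPair, receiver_id: int, src: str, dst: str) -> List[str]:
    """Hops taken by the first packet of a new session that FW<receiver_id>
    receives, including HA3 forwarding for ownership and for session setup."""
    owner = session_owner(pair, receiver_id)
    setup = session_setup(pair, receiver_id, src, dst)
    hops = [f"FW{receiver_id} receives first packet"]
    if owner != receiver_id:
        hops.append(f"FW{receiver_id} forwards to owner FW{owner} over HA3")
    if setup != owner:
        hops.append(f"FW{owner} sends packet to FW{setup} over HA3 for session setup")
        hops.append(f"FW{setup} sets up session and returns packet to FW{owner} over HA3")
    else:
        hops.append(f"FW{owner} sets up session")
    hops.append(f"FW{owner} performs Layer 7 processing and forwards out egress")
    return hops


def arp_responder(requester_ip: str, method: str = "modulo") -> int:
    """ARP load-sharing: the Device ID that answers the ARP request for the
    shared gateway IP, chosen by modulo or hash of the request's source IP."""
    if method == "modulo":
        return ip_modulo(requester_ip)
    if method == "hash":
        return hashlib.sha256(requester_ip.encode()).digest()[-1] % 2
    raise ValueError(f"unknown ARP load-sharing method: {method}")


if __name__ == "__main__":
    # Recommended settings: owner = First Packet, setup = IP Modulo.
    pair = HaPair(primary_id=0, owner_mode="first-packet", setup_mode="ip-modulo")
    for hop in first_packet_path(pair, 0, "10.1.1.3", "192.0.2.10"):
        print(hop)
    print("ARP responder for 10.1.1.3:", arp_responder("10.1.1.3"))
```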

NAT in Active/Active HA Mode

In an active/active HA configuration:
You must bind each Dynamic IP (DIP) NAT rule and Dynamic IP and Port (DIPP) NAT rule to either Device ID 0 or Device ID 1.
You must bind each static NAT rule to either Device ID 0, Device ID 1, both Device IDs, or the firewall in active-primary state.
Thus, when one of the firewalls creates a new session, the Device ID 0 or Device ID 1 binding determines which NAT rules match the firewall. The device binding must include the session owner firewall to produce a match.
The session setup firewall performs the NAT policy match, but the NAT rules are evaluated based on the session owner. That is, the session is translated according to NAT rules that are bound to the session owner firewall. While performing NAT policy matching, a firewall skips all NAT rules that are not bound to the session owner firewall.
For example, suppose the firewall with Device ID 1 is the session owner and session setup firewall. When the firewall with Device ID 1 tries to match a session to a NAT rule, it skips all rules bound to Device ID 0. The firewall performs the NAT translation only if the session owner and the Device ID in the NAT rule match.
You will typically create device-specific NAT rules when the peer firewalls use different IP addresses for translation.
If one of the peer firewalls fails, the active firewall continues to process traffic for synchronized sessions from the failed firewall, including NAT traffic. In a source NAT configuration, when one firewall fails:

The floating IP address that is used as the Translated IP address of the NAT rule transfers to the surviving firewall. Hence, the existing sessions that fail over will still use this IP address.
All new sessions will use the device-specific NAT rules that the surviving firewall naturally owns. That is, the surviving firewall translates new sessions using only the NAT rules that match its Device ID; it ignores any NAT rules bound to the failed Device ID.
If you want the firewalls to perform dynamic NAT using the same IP address simultaneously, a best practice is to create a duplicate NAT rule that is bound to the peer firewall also. The result is two NAT rules with the same translation IP addresses, one bound to Device ID 0 and one bound to Device ID 1. Thus, the configuration allows the current firewall to perform new session setup and perform NAT policy matching for NAT rules that are bound to its Device ID. Without the duplicate NAT rule, the firewall will not find its own device-specific rules and will skip all NAT rules that are not bound to its Device ID when it attempts to match a NAT policy.
For examples of active/active HA with NAT, see:
Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT
Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3
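The Device ID binding rules for NAT in active/active mode, including the duplicate-rule best practice, as an added example that is not part of the guide or Palo Alto Networks code. The rule fields, zone names and addresses are constructed and are a simplification of a real NAT policy.

```python
"""Added example, not from the PAN-OS guide or Palo Alto Networks: a model of
NAT rule matching in an active/active pair, where each DIP/DIPP rule is bound
to Device ID 0 or 1 and a firewall skips rules not bound to the session owner.
It also shows why a shared translated address needs one rule per Device ID."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

PRIMARY = "primary"  # static rules may be bound to the active-primary firewall


@dataclass(frozen=True)
class NatRule:
    name: str
    src_zone: str
    dst_zone: str
    translated_ip: str
    bound_to: FrozenSet[str]  # {"0"}, {"1"}, {"0", "1"} or {PRIMARY}


def match_nat(rules: List[NatRule], owner_id: int, primary_id: int,
              src_zone: str, dst_zone: str) -> Optional[NatRule]:
    """The session setup firewall evaluates the policy, but relative to the
    session owner: a rule is a candidate only when its binding includes the
    owner's Device ID (or the owner is active-primary for a PRIMARY binding)."""
    for rule in rules:
        bound_to_owner = (str(owner_id) in rule.bound_to
                          or (PRIMARY in rule.bound_to and owner_id == primary_id))
        if not bound_to_owner:
            continue  # skipped, as the guide describes
        if rule.src_zone == src_zone and rule.dst_zone == dst_zone:
            return rule
    return None


def uncovered_owners(rules: List[NatRule], src_zone: str, dst_zone: str,
                     primary_id: int = 0) -> List[int]:
    """Device IDs that would find no matching rule for new sessions they own.
    After a peer failure the survivor owns every new session, so a non-empty
    result means new sessions would go untranslated once that peer is alone."""
    return [owner for owner in (0, 1)
            if match_nat(rules, owner, primary_id, src_zone, dst_zone) is None]


# Constructed policies (zones and addresses are sample values).
SEPARATE_POOLS = [  # each peer translates with its own address
    NatRule("snat-dev0", "trust", "untrust", "203.0.113.10", frozenset({"0"})),
    NatRule("snat-dev1", "trust", "untrust", "203.0.113.11", frozenset({"1"})),
]
SHARED_IP_DUPLICATED = [  # best practice: same translated IP, one rule per Device ID
    NatRule("snat-shared-dev0", "trust", "untrust", "203.0.113.20", frozenset({"0"})),
    NatRule("snat-shared-dev1", "trust", "untrust", "203.0.113.20", frozenset({"1"})),
]
SHARED_IP_SINGLE = [  # missing duplicate: Device ID 1 skips the only rule
    NatRule("snat-shared-dev0", "trust", "untrust", "203.0.113.20", frozenset({"0"})),
]
STATIC_PRIMARY = [  # static rule bound to whichever firewall is active-primary
    NatRule("static-web", "untrust", "dmz", "10.0.0.80", frozenset({PRIMARY})),
]


if __name__ == "__main__":
    print(match_nat(SEPARATE_POOLS, 1, 0, "trust", "untrust").name)
    print("uncovered (single rule):", uncovered_owners(SHARED_IP_SINGLE, "trust", "untrust"))
    print("uncovered (duplicated):", uncovered_owners(SHARED_IP_DUPLICATED, "trust", "untrust"))
    print(match_nat(STATIC_PRIMARY, 1, 0, "untrust", "dmz"))
```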

ECMP in Active/Active HA Mode

When an active/active HA peer fails, its sessions transfer to the new active-primary firewall, which tries to use the same egress interface that the failed firewall was using. If the firewall finds that interface among the ECMP paths, the transferred sessions will take the same egress interface and path. This behavior occurs regardless of the ECMP algorithm in use; using the same interface is desirable.
Only if no ECMP path matches the original egress interface will the active-primary firewall select a new ECMP path.
If you did not configure the same interfaces on the active/active peers, upon failover the active-primary firewall selects the next best path from the FIB table. Consequently, the existing sessions might not be distributed according to the ECMP algorithm.

Set Up Active/Passive HA

Prerequisites for Active/Passive HA
Configuration Guidelines for Active/Passive HA
Configure Active/Passive HA
Define HA Failover Conditions
Verify Failover

Prerequisites for Active/Passive HA

To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls that meet the following requirements:
The same model: Both the firewalls in the pair must be of the same hardware model or virtual machine model.
The same PAN-OS version: Both the firewalls should be running the same PAN-OS version and must each be up-to-date on the application, URL, and threat databases.
The same multi virtual system capability: Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses.
The same type of interfaces: Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.
Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for both peers must be on the same subnet if they are directly connected or are connected to the same switch.
For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.
The same set of licenses: Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.

As a best practice, if you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration, Reset the Firewall to Factory Default Settings on the new firewall. This ensures that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean configuration.

Configuration Guidelines for Active/Passive HA

To set up an active (Peer A) passive (Peer B) pair in HA, you must configure some options identically on both firewalls and some independently (non-matching) on each firewall. These HA settings are not synchronized between the firewalls. For details on what is/is not synchronized, see Reference: HA Synchronization.
The following table lists the settings that you must configure identically on both firewalls:

Identical Configuration Settings

HA must be enabled on both firewalls.
Both firewalls must have the same Group ID value. The Group ID value is used to create a virtual MAC address for all the configured interfaces. See Floating IP Address and Virtual MAC Address for information about virtual MAC addresses.
When a new active firewall takes over, Gratuitous ARP messages are sent from each of the connected interfaces of the new active member to inform the connected Layer 2 switches of the virtual MAC address's new location.
If using in-band ports, the interfaces for the HA1 and HA2 links must be set to type HA.
The HA Mode must be set to Active Passive.
If required, preemption must be enabled on both firewalls. The device priority value, however, must not be identical.
If required, configure encryption on the HA1 link (for communication between the HA peers) on both firewalls.
Based on the combination of HA1 and HA1 Backup ports you are using, use the following recommendations to decide whether you should enable heartbeat backup:
HA functionality (HA1 and HA1 backup) is not supported on the management interface if it's configured for DHCP addressing (IP Type set to DHCP Client), except for AWS.
HA1: Dedicated HA1 port; HA1 Backup: In-band port. Recommendation: Enable Heartbeat Backup.
HA1: Dedicated HA1 port; HA1 Backup: Management port. Recommendation: Do not enable Heartbeat Backup.
HA1: In-band port; HA1 Backup: In-band port. Recommendation: Enable Heartbeat Backup.
HA1: Management port; HA1 Backup: In-band port. Recommendation: Do not enable Heartbeat Backup.
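The prerequisites and identical-settings rules above (same model, version, licenses and Group ID, Active Passive mode, preemption with differing priorities, HA1 encryption, HA1 and HA2 addressing, and the heartbeat backup recommendation per port combination) turned into a pre-commit check of two peer configurations, as an added example that is not part of the guide or Palo Alto Networks code. The dictionary layout and sample values are constructed for the example and are not the PAN-OS configuration schema.

```python
"""Added example, not from the PAN-OS guide or Palo Alto Networks: checks a pair
of constructed peer configurations against the active/passive HA rules."""
import ipaddress
from typing import Dict, List

# Heartbeat backup recommendation per (HA1 port, HA1 backup port), from the guide.
HEARTBEAT_BACKUP = {
    ("dedicated", "inband"): True,
    ("dedicated", "management"): False,
    ("inband", "inband"): True,
    ("management", "inband"): False,
}


def heartbeat_backup_recommended(ha1_port: str, ha1_backup_port: str) -> bool:
    return HEARTBEAT_BACKUP[(ha1_port, ha1_backup_port)]


def check_peer(name: str, cfg: Dict) -> List[str]:
    """Rules that apply to one peer on its own."""
    problems = []
    if not cfg["ha_enabled"]:
        problems.append(f"{name}: HA must be enabled")
    if cfg["mode"] != "active-passive":
        problems.append(f"{name}: HA Mode must be Active Passive")
    want = heartbeat_backup_recommended(cfg["ha1_port"], cfg["ha1_backup_port"])
    if cfg["heartbeat_backup"] != want:
        problems.append(f"{name}: heartbeat backup should be {'enabled' if want else 'disabled'}")
    uses_mgmt = "management" in (cfg["ha1_port"], cfg["ha1_backup_port"])
    if uses_mgmt and cfg["mgmt_ip_type"] == "dhcp" and not cfg.get("aws", False):
        problems.append(f"{name}: HA1/HA1 backup unsupported on a DHCP-addressed MGT port")
    if cfg.get("ha2_ip"):  # Layer 3 HA2: must not overlap HA1 or any data-port subnet
        ha2 = ipaddress.ip_interface(cfg["ha2_ip"]).network
        others = [ipaddress.ip_interface(cfg["ha1_ip"]).network]
        others += [ipaddress.ip_network(n) for n in cfg.get("data_subnets", [])]
        if any(ha2.overlaps(n) for n in others):
            problems.append(f"{name}: HA2 subnet overlaps HA1 or a data-port subnet")
    return problems


def check_pair(a: Dict, b: Dict) -> List[str]:
    """Rules that compare the two peers; returns findings, empty when clean."""
    problems = check_peer("peer A", a) + check_peer("peer B", b)
    for key in ("model", "panos_version", "multi_vsys", "licenses", "group_id", "ha1_encryption"):
        if a[key] != b[key]:
            problems.append(f"{key} must be identical on both peers")
    if a["preemptive"] != b["preemptive"]:
        problems.append("preemption must be enabled on both peers or neither")
    elif a["preemptive"] and a["device_priority"] == b["device_priority"]:
        problems.append("device priority must differ when preemption is enabled")
    ha1_a = ipaddress.ip_interface(a["ha1_ip"])
    ha1_b = ipaddress.ip_interface(b["ha1_ip"])
    if a["ha1_direct"] and ha1_a.network != ha1_b.network:
        problems.append("HA1 addresses must share a subnet when directly connected or on one switch")
    return problems


# Constructed sample pair: Peer A active (priority 100), Peer B passive (110).
PEER_A = {
    "model": "PA-3000 Series", "panos_version": "7.1", "multi_vsys": False,
    "licenses": frozenset({"threat", "url"}), "group_id": 7, "ha_enabled": True,
    "mode": "active-passive", "preemptive": True, "device_priority": 100,
    "ha1_encryption": True, "ha1_port": "dedicated", "ha1_backup_port": "inband",
    "heartbeat_backup": True, "mgmt_ip_type": "static", "ha1_direct": True,
    "ha1_ip": "10.255.0.1/30", "ha2_ip": "10.255.1.1/30",
    "data_subnets": ["192.168.10.0/24"],
}
PEER_B = dict(PEER_A, device_priority=110, ha1_ip="10.255.0.2/30", ha2_ip="10.255.1.2/30")

if __name__ == "__main__":
    for finding in check_pair(PEER_A, PEER_B) or ["no findings"]:
        print(finding)
```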

The following table lists the HA settings that you must configure independently on each firewall. See Reference: HA Synchronization for more information about other configuration settings that are not automatically synchronized between peers.

Independent Configuration Settings: Peer A / Peer B

Control Link
Peer A: IP address of the HA1 link configured on this firewall (Peer A).
Peer B: IP address of the HA1 link configured on this firewall (Peer B).
For firewalls without dedicated HA ports, use the management port IP address for the control link.

202 PANOS7.1AdministratorsGuide PaloAltoNetworks,Inc.


HighAvailability SetUpActive/PassiveHA

Independent PeerA PeerB


ConfigurationSettings

DataLink Bydefault,theHA2linkusesEthernet/Layer2. Bydefault,theHA2linkuses


Thedatalink IfusingaLayer3connection,configuretheIP Ethernet/Layer2.
informationis addressforthedatalinkonthisfirewall(PeerA). IfusingaLayer3connection,configure
synchronizedbetween theIPaddressforthedatalinkonthis
thefirewallsafterHA firewall(PeerB).
isenabledandthe
controllinkis
establishedbetween
thefirewalls.

DevicePriority Thefirewallyouplantomakeactivemusthavea IfPeerBispassive,setthedevicepriority


(required,if lowernumericalvaluethanitspeer.So,ifPeerA valuetoanumberlargerthanthesetting
preemptionisenabled) istofunctionastheactivefirewall,keepthe onPeerA.Forexample,setthevalueto
defaultvalueof100andincrementthevalueon 110.
PeerB.
Ifthefirewallshavethesamedevicepriority
value,theyusetheMACaddressoftheirHA1as
thetiebreaker.

LinkMonitoring Selectthephysicalinterfacesonthefirewallthat Pickasimilarsetofphysicalinterfacesthat


Monitoroneormore youwouldliketomonitoranddefinethefailure youwouldliketomonitoronthisfirewall
physicalinterfaces condition(allorany)totriggerafailover. anddefinethefailurecondition(allorany)
thathandlevitaltraffic totriggerafailover.
onthisfirewalland
definethefailure
condition.

PathMonitoring Definethefailurecondition(allorany),ping Pickasimilarsetofdevicesordestination


Monitoroneormore intervalandthepingcount.Thisisparticularly IPaddressesthatcanbemonitoredfor
destinationIP usefulformonitoringtheavailabilityofother determiningthefailovertriggerforPeerB.
addressesthatthe interconnectednetworkingdevices.Forexample, Definethefailurecondition(allorany),
firewallcanuseICMP monitortheavailabilityofarouterthatconnects pingintervalandthepingcount.
pingstoascertain toaserver,connectivitytotheserveritself,or
responsiveness. someothervitaldevicethatisintheflowof
traffic.
Makesurethatthenode/devicethatyouare
monitoringisnotlikelytobeunresponsive,
especiallywhenitcomesunderload,asthiscould
causeaapathmonitoringfailureandtriggera
failover.


Configure Active/Passive HA

The following procedure shows how to configure a pair of firewalls in an active/passive deployment as
depicted in the example topology for this section.

Connect and Configure the Firewalls

Step 1  Connect the HA ports to set up a physical connection between the firewalls.
        - For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and
          the HA2 ports on the peers. Use a crossover cable if the peers are directly connected to each other.
        - For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup
          HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls.
          Use the management port for the HA1 link and ensure that the management ports can connect to each
          other across your network.

Pick a firewall in the pair and complete the following steps:

Step 2  Enable ping on the management port. Enabling ping allows the management port to exchange heartbeat
        backup information.
        1. Select Device > Setup > Management and edit the Management Interface Settings.
        2. Select Ping as a service that is permitted on the interface. Permit only the services the
           management interface actually needs; Ping alone is sufficient for heartbeat backup.

Step 3  If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports. For
        firewalls with dedicated HA ports, continue to the next step.
        1. Select Network > Interfaces.
        2. Confirm that the link is up on the ports that you want to use.
        3. Select the interface and set Interface Type to HA.
        4. Set the Link Speed and Link Duplex settings, as appropriate.

Step 4  Set the HA mode and group ID.
        1. Select Device > High Availability > General and edit the Setup section.
        2. Set a Group ID and optionally a Description for the pair. The Group ID uniquely identifies each HA
           pair on your network. If you have multiple HA pairs that share the same broadcast domain you must
           set a unique Group ID for each pair, because the virtual MAC address is derived from it.
        3. Set the mode to Active Passive.

Step 5  Set up the control link connection. This example shows an in-band port that is set to interface type
        HA. For firewalls that use the management port as the control link, the IP address information is
        automatically pre-populated.
        1. In Device > High Availability > General, edit the Control Link (HA1) section.
        2. Select the Port that you have cabled for use as the HA1 link.
        3. Set the IPv4/IPv6 Address and Netmask.
           If the HA1 interfaces are on separate subnets, enter the IP address of the Gateway. Do not add a
           gateway address if the firewalls are directly connected.

Step 6  (Optional) Enable encryption for the control link connection. This is typically used to secure the
        link if the two firewalls are not directly connected, that is, if the ports are connected to a switch
        or a router.
        1. Export the HA key from one firewall and import it into the peer firewall.
           a. Select Device > Certificate Management > Certificates.
           b. Select Export HA key. Save the HA key to a network location that the peer can access.
           c. On the peer firewall, select Device > Certificate Management > Certificates, and select Import
              HA key to browse to the location that you saved the key and import it into the peer.
           The exported HA key is secret material: restrict access to the location you save it to and remove
           the file once the peer has imported it.
        2. Select Device > High Availability > General and edit the Control Link (HA1) section.
        3. Select Encryption Enabled.

Step 7  Set up the backup control link connection.
        1. In Device > High Availability > General, edit the Control Link (HA1 Backup) section.
        2. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.

Step 8  Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.
        1. In Device > High Availability > General, edit the Data Link (HA2) section.
        2. Select the Port to use for the data link connection.
        3. Select the Transport method. The default is ethernet, and will work when the HA pair is connected
           directly or through a switch. If you need to route the data link traffic through the network,
           select IP or UDP as the transport mode.
        4. If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.
        5. Verify that Enable Session Synchronization is selected.
        6. Select HA2 Keep-alive to enable monitoring on the HA2 data link between the HA peers. If a failure
           occurs based on the threshold that is set (default is 10000 ms), the defined action will occur. For
           an active/passive configuration, a critical system log message is generated when an HA2 keep-alive
           failure occurs.
           You can configure the HA2 keep-alive option on both firewalls, or on just one firewall in the HA
           pair. If the option is only enabled on one firewall, only that firewall will send the keep-alive
           messages. The other firewall will be notified if a failure occurs.
        7. Edit the Data Link (HA2 Backup) section, select the interface, and add the IPv4/IPv6 Address and
           Netmask.
        The HA1 encryption from Step 6 does not cover HA2. The session synchronization traffic on HA2 is not
        encrypted, so keep the HA2 link on a directly cabled or dedicated segment rather than routing it
        across shared infrastructure.

Step 9  Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port. You do not
        need to enable heartbeat backup if you are using the management port for the control link.
        1. In Device > High Availability > General, edit the Election Settings.
        2. Select Heartbeat Backup.
           To allow the heartbeats to be transmitted between the firewalls, you must verify that the
           management ports on both peers can route to each other.
           Enabling heartbeat backup also allows you to prevent a split-brain situation. Split brain occurs
           when the HA1 link goes down, causing the firewall to miss heartbeats although the peer is still
           functioning. In such a situation, each peer believes that the other is down and attempts to start
           the services that are running, thereby causing a split brain. When the heartbeat backup link is
           enabled, split brain is prevented because redundant heartbeats and hello messages are transmitted
           over the management port.

Step 10  Set the device priority and enable preemption. This setting is only required if you wish to make sure
         that a specific firewall is the preferred active firewall. For information, see Device Priority and
         Preemption.
         1. In Device > High Availability > General, edit the Election Settings.
         2. Set the numerical value in Device Priority. Make sure to set a lower numerical value on the firewall
            that you want to assign a higher priority to.
            If both firewalls have the same device priority value, the firewall with the lowest MAC address on
            the HA1 control link will become the active firewall.
         3. Select Preemptive. You must enable Preemptive on both the active firewall and the passive firewall.

Step 11  (Optional) Modify the HA Timers. By default, the HA timer profile is set to the Recommended profile
         and is suited for most HA deployments.
         1. In Device > High Availability > General, edit the Election Settings.
         2. Select the Aggressive profile for triggering failover faster; select Advanced to define custom
            values for triggering failover in your setup.
            To view the preset value for an individual timer included in a profile, select Advanced and click
            Load Recommended or Load Aggressive. The preset values for your hardware model will be displayed
            on screen.

Step 12  (Optional, only configured on the passive firewall) Modify the link state of the data ports on the
         passive firewall. The passive link state is shutdown by default. After you enable HA, the link state
         for the ports on the active firewall will be green and those on the passive firewall will be down and
         display as red.
         Setting the link state to Auto reduces the amount of time it takes for the passive firewall to take
         over when a failover occurs and allows you to monitor the link state. To enable the link status on
         the passive firewall to stay up and reflect the cabling status on the physical interface:
         1. In Device > High Availability > General, edit the Active Passive Settings.
         2. Set the Passive Link State to Auto. The auto option decreases the amount of time it takes for the
            passive firewall to take over when a failover occurs.
            Although the interface displays green (as cabled and up), it continues to discard all traffic
            until a failover is triggered.
            When you modify the passive link state, make sure that the adjacent devices do not forward traffic
            to the passive firewall based only on the link status of the firewall.

Step 13  Enable HA.
         1. Select Device > High Availability > General and edit the Setup section.
         2. Select Enable HA.
         3. Select Enable Config Sync. This setting enables the synchronization of the configuration settings
            between the active and the passive firewall.
         4. Enter the IP address assigned to the control link of the peer in Peer HA1 IP Address.
            For firewalls without dedicated HA ports, if the peer uses the management port for the HA1 link,
            enter the management port IP address of the peer.
         5. Enter the Backup HA1 IP Address.

Step 14  (Optional) Enable LACP and LLDP Pre-Negotiation for Active/Passive HA for faster failover if your
         network uses LACP or LLDP.
         Enable LACP and LLDP before configuring HA pre-negotiation for the protocol if you want
         pre-negotiation to function in active mode.
         1. Ensure that in Step 12 you set the link state to Auto.
         2. Select Network > Interfaces > Ethernet.
         3. To enable LACP active pre-negotiation:
            a. Select an AE interface in a Layer 2 or Layer 3 deployment.
            b. Select the LACP tab.
            c. Select Enable in HA Passive State.
            d. Click OK.
            You cannot also select Same System MAC Address for Active-Passive HA, because pre-negotiation
            requires unique interface MAC addresses on the active and passive firewalls.
         4. To enable LACP passive pre-negotiation:
            a. Select an Ethernet interface in a virtual wire deployment.
            b. Select the Advanced tab.
            c. Select the LACP tab.
            d. Select Enable in HA Passive State.
            e. Click OK.
         5. To enable LLDP active pre-negotiation:
            a. Select an Ethernet interface in a Layer 2, Layer 3, or virtual wire deployment.
            b. Select the Advanced tab.
            c. Select the LLDP tab.
            d. Select Enable in HA Passive State.
            e. Click OK.
            If you want to allow LLDP passive pre-negotiation for a virtual wire deployment, perform Step 5
            but do not enable LLDP itself.

Step 15  Save your configuration changes. Click Commit.

Step 16  Complete Step 2 through Step 15 on the other firewall in the HA pair.

Step 17  After you finish configuring both firewalls, verify that the firewalls are paired in active/passive HA.
         1. Access the Dashboard on both firewalls, and view the High Availability widget.
         2. On the active firewall, click the Sync to peer link.
         3. Confirm that the firewalls are paired and synced:
            - On the passive firewall: the state of the local firewall should display passive and the Running
              Config should show as synchronized.
            - On the active firewall: the state of the local firewall should display active and the Running
              Config should show as synchronized.

Define HA Failover Conditions

Configure the Failover Triggers

Step 1  To configure link monitoring, define the interfaces you want to monitor. A change in the link state of
        these interfaces will trigger a failover.
        1. Select Device > High Availability > Link and Path Monitoring and Add a Link Group.
        2. Name the Link Group, Add the interfaces to monitor, and select the Failure Condition for the group.
           The Link Group you define is added to the Link Group section.

Step 2  (Optional) Modify the failure condition for the Link Groups that you configured (in the preceding step)
        on the firewall. By default, the firewall will trigger a failover when any monitored link fails.
        1. Select the Link Monitoring section.
        2. Set the Failure Condition to All. The default setting is Any.

Step 3  To configure path monitoring, define the destination IP addresses that the firewall should ping to
        verify network connectivity.
        1. In the Path Group section of the Device > High Availability > Link and Path Monitoring tab, pick the
           Add option for your setup: Virtual Wire, VLAN, or Virtual Router.
        2. Select the appropriate item from the drop-down for the Name and Add the IP addresses (source and/or
           destination, as prompted) that you wish to monitor. Then select the Failure Condition for the group.
           The Path Group you define is added to the Path Group section.

Step 4  (Optional) Modify the failure condition for all Path Groups configured on the firewall. By default, the
        firewall will trigger a failover when any monitored path fails.
        Set the Failure Condition to All. The default setting is Any.

Step 5  Save your changes. Click Commit.

If you are using SNMPv3 to monitor the firewalls, note that the SNMPv3 Engine ID is unique to each firewall;
the Engine ID is not synchronized between the HA pair and, therefore, allows you to independently monitor each
firewall in the HA pair. For information on setting up SNMP, see Forward Traps to an SNMP Manager.
Because the Engine ID is generated using the firewall serial number, on the VM-Series firewall you must apply
a valid license in order to obtain a unique Engine ID for each firewall.

Verify Failover

To test that your HA configuration works properly, trigger a manual failover and verify that the firewalls
transition states successfully.

Step 1  Suspend the active firewall. Select Device > High Availability > Operational Commands and click the
        Suspend local device link.

Step 2  Verify that the passive firewall has taken over as active. On the Dashboard, verify that the state of
        the passive firewall changes to active in the High Availability widget.

Step 3  Restore the suspended firewall to a functional state. Wait for a couple of minutes, and then verify
        that preemption has occurred, if Preemptive is enabled.
        1. On the firewall you previously suspended, select Device > High Availability > Operational Commands
           and click the Make local device functional link.
        2. In the High Availability widget on the Dashboard, confirm that the firewall has taken over as the
           active firewall and that the peer is now in a passive state.
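The Dashboard check in Step 17 and the failover test above can be scripted against the XML API so the same verification runs after every change rather than only at install time. The Python below is added here as an example and is not Palo Alto Networks code: `op_state_url()` builds the real `type=op` API call for `show high-availability state`, and the rest parses the reply and applies the checks from the procedure (one active and one passive peer, running configuration synchronized, peers agreeing about each other's state, and the preferred peer active when preemption is on). The element names used in the parser (`enabled`, `group/mode`, `local-info/state`, `peer-info/state`, `running-sync`, ...) are the author's recollection of the firewall's output and should be treated as assumptions; the sample documents are constructed so the block runs offline.

```python
"""Verify active/passive HA state from the XML API, before and after a failover.
Added example, not Palo Alto Networks code; element names are assumptions."""
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlencode

OP_CMD = "<show><high-availability><state/></high-availability></show>"


def op_state_url(host: str, api_key: str) -> str:
    """URL of the XML API operational call that returns the HA state."""
    return f"https://{host}/api/?" + urlencode({"type": "op", "cmd": OP_CMD, "key": api_key})


def sample_state_xml(local: str, peer: str, priority: int, preemptive: bool,
                     running_sync: str = "synchronized") -> str:
    """Constructed response document used here in place of a live firewall."""
    return f"""<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <mode>Active-Passive</mode>
    <local-info><state>{local}</state><priority>{priority}</priority>
      <preemptive>{"yes" if preemptive else "no"}</preemptive></local-info>
    <peer-info><state>{peer}</state></peer-info>
    <running-sync>{running_sync}</running-sync>
  </group>
</result></response>"""


def parse_state(xml_text: str) -> Dict[str, object]:
    """Extract the fields the checks need. ElementTree is acceptable because the
    input comes from a firewall you administer over an authenticated API call."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call did not succeed")
    group = root.find("./result/group")
    return {
        "enabled": root.findtext("./result/enabled"),
        "mode": group.findtext("mode"),
        "local_state": group.findtext("local-info/state"),
        "peer_state": group.findtext("peer-info/state"),
        "priority": int(group.findtext("local-info/priority")),
        "preemptive": group.findtext("local-info/preemptive") == "yes",
        "running_sync": group.findtext("running-sync"),
    }


def check_pair(a: Dict[str, object], b: Dict[str, object]) -> List[str]:
    """Conditions a healthy active/passive pair must satisfy (Step 17 above)."""
    problems: List[str] = []
    for name, s in (("peer A", a), ("peer B", b)):
        if s["enabled"] != "yes":
            problems.append(f"{name}: HA not enabled")
        if s["mode"] != "Active-Passive":
            problems.append(f"{name}: mode is {s['mode']}")
        if s["running_sync"] != "synchronized":
            problems.append(f"{name}: running config not synchronized")
    states = {a["local_state"], b["local_state"]}
    if states != {"active", "passive"}:
        problems.append(f"expected one active and one passive peer, got {sorted(states)}")
    # Each peer's view of the other must match that peer's own view. Two peers
    # that both claim "active" is the split-brain case heartbeat backup guards against.
    if a["peer_state"] != b["local_state"] or b["peer_state"] != a["local_state"]:
        problems.append("peers disagree about each other's state (possible split brain)")
    # With preemption on both sides, the lower priority value must hold the active role.
    if a["preemptive"] and b["preemptive"] and a["priority"] != b["priority"]:
        preferred = a if a["priority"] < b["priority"] else b
        if preferred["local_state"] != "active":
            problems.append("preemption enabled but the preferred peer is not active")
    return problems


def failover_occurred(before: Dict[str, object], after: Dict[str, object]) -> bool:
    """True when the peer that was passive before the test is active after it."""
    return before["local_state"] == "passive" and after["local_state"] == "active"


if __name__ == "__main__":
    fw_a = parse_state(sample_state_xml("active", "passive", 100, True))
    fw_b = parse_state(sample_state_xml("passive", "active", 110, True))
    print("healthy pair problems:", check_pair(fw_a, fw_b) or "none")
    fw_b_after = parse_state(sample_state_xml("active", "suspended", 110, True))
    print("peer B took over:", failover_occurred(fw_b, fw_b_after))
```

In a live run, fetch `op_state_url()` from each peer with an API key of a read-only administrator, feed the two bodies to `parse_state()`, and fail the change window if `check_pair()` returns anything. While one peer is suspended during the failover test the pair is expected to report as degraded; `failover_occurred()` is the check that matters at that point.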

Set Up Active/Active HA

- Prerequisites for Active/Active HA
- Configure Active/Active HA

Prerequisites for Active/Active HA

To set up active/active HA on your firewalls, you need a pair of firewalls that meet the following
requirements:
- The same model: The firewalls in the pair must be of the same hardware model.
- The same PAN-OS version: The firewalls should be running the same PAN-OS version and must each be up to
  date on the application, URL, and threat databases.
- The same multi virtual system capability: Both firewalls must have Multi Virtual System Capability either
  enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses.
- The same type of interfaces: Dedicated HA links, or a combination of the management port and in-band ports
  that are set to interface type HA.
  - The HA interfaces must be configured with static IP addresses only, not IP addresses obtained from DHCP
    (except that AWS can use DHCP addresses). Determine the IP address for the HA1 (control) connection
    between the HA peers. The HA1 IP addresses of the peers must be on the same subnet if they are directly
    connected or are connected to the same switch.
  - For firewalls without dedicated HA ports, you can use the management port for the control connection.
    Using the management port provides a direct communication link between the management planes on both
    firewalls. However, because the management ports will not be directly cabled between the peers, make
    sure that you have a route that connects these two interfaces across your network.
  - If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for
    the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP
    subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned
    to the data ports on the firewall.
  - Each firewall needs a dedicated interface for the HA3 link. PA-7000 Series firewalls use the HSCI port.
    On the remaining platforms, you can configure aggregate interfaces as the HA3 link for redundancy.
- The same set of licenses: Licenses are unique to each firewall and cannot be shared between the firewalls.
  Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of
  licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.

If you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has
an existing configuration, it is recommended that you Reset the Firewall to Factory Default Settings on the
new firewall. This will ensure that the new firewall has a clean configuration. After HA is configured, you
will then sync the configuration on the primary firewall to the newly introduced firewall with the clean
config. You will also have to configure local IP addresses.

Configure Active/Active HA

Determine which type of use case you have and then select the corresponding procedure to configure
active/active HA. If you are using Route-Based Redundancy, Floating IP Address and Virtual MAC Address, or
ARP Load-Sharing, select the corresponding procedure:
- Use Case: Configure Active/Active HA with Route-Based Redundancy
- Use Case: Configure Active/Active HA with Floating IP Addresses
- Use Case: Configure Active/Active HA with ARP Load-Sharing
If you want a Layer 3 active/active HA deployment that behaves like an active/passive deployment, select the
following procedure:
- Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
If you are configuring NAT in Active/Active HA Mode, see the following procedures:
- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3

Configure Active/Active HA

Step 1  Connect the HA ports to set up a physical connection between the firewalls.
        For each use case, the firewalls could be any hardware platform; choose the HA3 step that corresponds
        with your platform.
        - For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and
          the HA2 ports on the peers. Use a crossover cable if the peers are directly connected to each other.
        - For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup
          HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls.
          Use the management port for the HA1 link and ensure that the management ports can connect to each
          other across your network.
        - For HA3:
          - On PA-7000 Series firewalls, connect the High Speed Chassis Interconnect (HSCI-A) on the first
            chassis to the HSCI-A on the second chassis, and the HSCI-B on the first chassis to the HSCI-B on
            the second chassis.
          - On any other hardware platform, use dataplane interfaces for HA3.

Pick a firewall in the pair and complete the following steps:

Step 2  Enable ping on the management port. Enabling ping allows the management port to exchange heartbeat
        backup information.
        1. In Device > Setup > Management, edit the Management Interface Settings.
        2. Select Ping as a service that is permitted on the interface.

Step 3  If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports. For
        firewalls with dedicated HA ports, continue to the next step.
        1. Select Network > Interfaces.
        2. Confirm that the link is up on the ports that you want to use.
        3. Select the interface and set Interface Type to HA.
        4. Set the Link Speed and Link Duplex settings, as appropriate.

Step 4  Enable active/active HA and set the group ID.
        1. In Device > High Availability > General, edit Setup.
        2. Select Enable HA.
        3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to
           calculate the virtual MAC address (range is 1-63).
        4. (Optional) Enter a Description.
        5. For Mode, select Active Active.

Step 5  Set the Device ID, enable synchronization, and identify the control link on the peer firewall.
        1. In Device > High Availability > General, edit Setup.
        2. Select Device ID to be 0.
        3. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations
           (enabled by default).
        4. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer
           firewall.
        5. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link
           on the peer firewall.
        6. Click OK.

Step 6  Determine whether or not the firewall with the lower Device ID preempts the active-primary firewall
        upon recovery from a failure.
        1. In Device > High Availability > General, edit Election Settings.
        2. Select Preemptive to cause the firewall with the lower Device ID to automatically resume
           active-primary operation after either firewall recovers from a failure. Both firewalls must have
           Preemptive selected for preemption to occur.
           Leave Preemptive unselected if you want the active-primary role to remain with the current firewall
           until you manually make the recovered firewall the active-primary firewall.

Step 7  Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port. You need not
        enable heartbeat backup if you are using the management port for the control link.
        1. In Device > High Availability > General, edit Election Settings.
        2. Select Heartbeat Backup.
           To allow the heartbeats to be transmitted between the firewalls, you must verify that the
           management ports on both peers can route to each other.
           Enabling heartbeat backup allows you to prevent a split-brain situation. Split brain occurs when the
           HA1 link goes down, causing the firewall to miss heartbeats although the peer is still functioning.
           In such a situation, each peer believes the other is down and attempts to start the services that
           are running, thereby causing a split brain. Enabling heartbeat backup prevents split brain because
           redundant heartbeats and hello messages are transmitted over the management port.

Step 8  (Optional) Modify the HA Timers. By default, the HA timer profile is set to the Recommended profile and
        is suited for most HA deployments.
        1. In Device > High Availability > General, edit Election Settings.
        2. Select Aggressive to trigger faster failover. Select Advanced to define custom values for triggering
           failover in your setup.
           To view the preset value for an individual timer included in a profile, select Advanced and click
           Load Recommended or Load Aggressive. The preset values for your hardware model will be displayed on
           screen.

Step 9  Set up the control link connection. This example uses an in-band port that is set to interface type HA.
        For firewalls that use the management port as the control link, the IP address information is
        automatically pre-populated.
        1. In Device > High Availability > General, edit Control Link (HA1).
        2. Select the Port that you have cabled for use as the HA1 link.
        3. Set the IPv4/IPv6 Address and Netmask.
           If the HA1 interfaces are on separate subnets, enter the IP address of the Gateway. Do not add a
           gateway address if the firewalls are directly connected.

Step 10  (Optional) Enable encryption for the control link connection. This is typically used to secure the
         link if the two firewalls are not directly connected, that is, if the ports are connected to a switch
         or a router.
         1. Export the HA key from one firewall and import it into the peer firewall.
            a. Select Device > Certificate Management > Certificates.
            b. Select Export HA key. Save the HA key to a network location that the peer can access.
            c. On the peer firewall, select Device > Certificate Management > Certificates, and select Import
               HA key to browse to the location that you saved the key and import it into the peer.
         2. In Device > High Availability > General, edit the Control Link (HA1).
         3. Select Encryption Enabled.

Step 11  Set up the backup control link connection.
         1. In Device > High Availability > General, edit Control Link (HA1 Backup).
         2. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.

Step 12  Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.
         1. In Device > High Availability > General, edit Data Link (HA2).
         2. Select the Port to use for the data link connection.
         3. Select the Transport method. The default is ethernet, and will work when the HA pair is connected
            directly or through a switch. If you need to route the data link traffic through the network,
            select IP or UDP as the transport mode.
         4. If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.
         5. Verify that Enable Session Synchronization is selected.
         6. Select HA2 Keep-alive to enable monitoring on the HA2 data link between the HA peers. If a failure
            occurs based on the threshold that is set (default is 10000 ms), the defined action will occur. For
            an active/passive configuration, a critical system log message is generated when an HA2 keep-alive
            failure occurs.
            You can configure the HA2 keep-alive option on both firewalls, or on just one firewall in the HA
            pair. If the option is only enabled on one firewall, only that firewall will send the keep-alive
            messages. The other firewall will be notified if a failure occurs.
         7. Edit the Data Link (HA2 Backup) section, select the interface, and add the IPv4/IPv6 Address and
            Netmask.
         8. Click OK.

Step 13  Configure the HA3 link for packet forwarding.
         1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
         2. For HA3 Interface, select the interface you want to use to forward packets between active/active HA
            peers. It must be a dedicated interface capable of Layer 2 transport and set to Interface Type HA.
         3. Select VR Sync to force synchronization of all virtual routers configured on the HA peers. Select
            this when the virtual router is not configured for dynamic routing protocols. Both peers must be
            connected to the same next-hop router through a switched network and must use static routing only.
         4. Select QoS Sync to synchronize the QoS profile selection on all physical interfaces. Select this
            when both peers have similar link speeds and require the same QoS profiles on all physical
            interfaces. This setting affects the synchronization of QoS settings on the Network tab. QoS policy
            is synchronized regardless of this setting.

Step 14  (Optional) Modify the Tentative Hold time.
         1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
         2. For Tentative Hold Time (sec), enter the number of seconds that a firewall stays in Tentative state
            after it fails (range is 10-600, default is 60).

Step 15  Configure Session Owner and Session Setup.
         1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
         2. For Session Owner Selection, select one of the following:
            - First Packet: The firewall that receives the first packet of a new session is the session owner
              (recommended setting). This setting minimizes traffic across HA3 and load-shares traffic across
              the peers.
            - Primary Device: The firewall that is in active-primary state is the session owner.
         3. For Session Setup, select one of the following:
            - IP Modulo: Distributes session setup load based on the parity of the source IP address
              (recommended setting).
            - Primary Device: The active-primary firewall sets up all sessions.
            - First Packet: The firewall that receives the first packet of a new session performs session
              setup.
            - IP Hash: The firewall uses a hash of either the source IP address or a combination of the source
              and destination IP addresses to distribute session setup responsibilities.
         4. Click OK.

Step 16  Configure an HA virtual address. You need a virtual address to use a Floating IP Address and Virtual
         MAC Address or ARP Load-Sharing.
         1. In Device > High Availability > Active/Active Config, Add a Virtual Address.
         2. Enter or select an Interface.
         3. Select the IPv4 or IPv6 tab and click Add.
         4. Enter an IPv4 Address or IPv6 Address.
         5. For Type:
            - Select Floating to configure the virtual IP address to be a floating IP address.
            - Select ARP Load Sharing to configure the virtual IP address to be a shared IP address and proceed
              to Step 18.

Step 17  Configure the floating IP address.
         1. Do not select Floating IP bound to the Active-Primary device unless you want the active/active HA
            pair to behave like an active/passive HA pair.
         2. For Device 0 Priority and Device 1 Priority, enter a priority for the firewall configured with
            Device ID 0 and Device ID 1, respectively. The relative priorities determine which peer owns the
            floating IP address you just configured (range is 0-255). The firewall with the lowest priority
            value (highest priority) owns the floating IP address.
         3. Select Failover address if link state is down to cause the firewall to use the failover address
            when the link state on the interface is down.
         4. Click OK.

Step 18  Configure ARP Load-Sharing. The device selection algorithm determines which HA firewall responds to
         the ARP requests to provide load sharing.
         1. For Device Selection Algorithm, select one of the following:
            - IP Modulo: The firewall that will respond to ARP requests is based on the parity of the ARP
              requester's IP address.
            - IP Hash: The firewall that will respond to ARP requests is based on a hash of the ARP requester's
              IP address.
         2. Click OK.

Step 19  Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Switch ports that connect the
         HA3 link must support jumbo frames to handle the overhead associated with the MAC-in-MAC
         encapsulation on the HA3 link.
         The jumbo frame packet size on the firewall must match the setting on the switch.
         1. Select Device > Setup > Session.
         2. In the Session Settings section, select Enable Jumbo Frames.
         3. Click OK.
         4. Repeat on any intermediary networking devices.

Step 20  Define HA failover conditions. See Define HA Failover Conditions.

Step 21  Save the configuration. Click Commit.

Step 22  Configure the peer firewall in the same way, except in Step 5: if you selected Device ID 0 for the
         first firewall, select Device ID 1 for the peer firewall.
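Steps 15 through 18 describe three decisions the pair makes per packet or per address: which peer performs session setup under IP Modulo, which peer owns a floating IP given the Device 0 / Device 1 priorities, and which peer answers an ARP request for a shared (ARP load-sharing) address. Modelling them makes it obvious how traffic will actually split before the pair goes live. The Python below is added here as an example and is not Palo Alto Networks code; it also serves the ARP Load-Sharing use case later in this section. Assumptions: "parity" of an address is taken to be the low-order bit of its integer form, since the guide does not define it further; equal floating-IP priorities are resolved in favour of Device 0 here because the page does not state a tie-breaker; a failed peer's share of ARP replies is assumed to move to the surviving peer; the IP Hash option is not modelled because its hash is not specified on the page. Client addresses are constructed.

```python
"""Active/active decisions from Steps 15-18: IP Modulo session setup, floating
IP ownership by priority, and the ARP load-sharing responder.
Added example, not Palo Alto Networks code; see the lead-in for assumptions."""
import ipaddress
from collections import Counter
from typing import Dict, Iterable


def ip_modulo(ip: str) -> int:
    """Device ID (0 or 1) chosen by IP Modulo: the parity of the address (assumed
    to be the low-order bit of its integer form)."""
    return int(ipaddress.ip_address(ip)) % 2


def session_setup_device(src_ip: str, method: str, first_packet_device: int,
                         active_primary: int) -> int:
    """Step 15, Session Setup: which peer performs setup for a new session."""
    if method == "ip-modulo":
        return ip_modulo(src_ip)
    if method == "primary-device":
        return active_primary
    if method == "first-packet":
        return first_packet_device
    raise ValueError(f"unsupported session setup method {method!r}")


def setup_distribution(src_ips: Iterable[str]) -> Dict[int, int]:
    """Count how IP Modulo spreads session setup over the two peers."""
    return dict(Counter(ip_modulo(ip) for ip in src_ips))


def floating_ip_owner(dev0_priority: int, dev1_priority: int,
                      dev0_functional: bool, dev1_functional: bool,
                      bound_to_active_primary: bool = False,
                      active_primary: int = 0) -> int:
    """Step 17: the functional peer with the lowest priority value (highest
    priority) owns the floating IP; a failed peer's address moves to its peer."""
    for p in (dev0_priority, dev1_priority):
        if not 0 <= p <= 255:
            raise ValueError("floating IP priorities must be within 0-255")
    functional = [i for i, up in enumerate((dev0_functional, dev1_functional)) if up]
    if not functional:
        raise RuntimeError("neither peer is functional")
    if bound_to_active_primary:
        # Behaves like active/passive: the active-primary peer owns the address.
        return active_primary if active_primary in functional else functional[0]
    priorities = (dev0_priority, dev1_priority)
    # Ordering by (priority, device id) resolves a tie toward Device 0 (assumption).
    return min(functional, key=lambda i: (priorities[i], i))


def arp_responder(requester_ip: str, dev0_functional: bool, dev1_functional: bool,
                  algorithm: str = "ip-modulo") -> int:
    """Step 18: which peer answers an ARP request for the shared address."""
    if algorithm != "ip-modulo":
        raise NotImplementedError("IP Hash is not modelled; its hash is not documented here")
    chosen = ip_modulo(requester_ip)
    functional = (dev0_functional, dev1_functional)
    if not functional[chosen]:
        # Assumption: when a peer fails, the surviving peer answers for both.
        chosen = 1 - chosen
    if not functional[chosen]:
        raise RuntimeError("neither peer is functional")
    return chosen


if __name__ == "__main__":
    hosts = [f"192.0.2.{i}" for i in range(10, 30)]   # constructed client addresses
    print("IP Modulo session setup split:", setup_distribution(hosts))
    print("floating IP owner:", floating_ip_owner(100, 110, True, True))
    print("after Device 0 fails:", floating_ip_owner(100, 110, False, True))
    print("ARP responder for 192.0.2.11:", arp_responder("192.0.2.11", True, True))
```

Feeding `setup_distribution()` a sample of real client addresses (for example, the source addresses from a day of traffic logs) tells you whether IP Modulo will balance your population or whether a NAT device in front of the pair collapses it onto one parity, in which case IP Hash or First Packet is the better Session Setup choice.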

Use Case: Configure Active/Active HA with Route-Based Redundancy

The following Layer 3 topology illustrates two PA-7050 firewalls in an active/active HA environment that use
Route-Based Redundancy. The firewalls belong to an OSPF area. When a link or firewall fails, OSPF handles the
redundancy by redirecting traffic to the functioning firewall.

Configure Active/Active HA with Route-Based Redundancy

Step 1  Perform Step 1 through Step 15 of Configure Active/Active HA.

Step 2  Configure OSPF. See OSPF.

Step 3  Define HA failover conditions. See Define HA Failover Conditions.

Step 4  Save the configuration. Click Commit.

Step 5  Configure the peer firewall in the same way, except in Step 5: if you selected Device ID 0 for the first
        firewall, select Device ID 1 for the peer firewall.

Use Case: Configure Active/Active HA with Floating IP Addresses

InthisLayer3interfaceexample,theHAfirewallsconnecttoswitchesandusefloatingIPaddressesto
handlelinkorfirewallfailures.Theendhostsareeachconfiguredwithagateway,whichisthefloatingIP
addressofoneoftheHAfirewalls.SeeFloatingIPAddressandVirtualMACAddress.

ConfigureActive/ActiveHAwithFloatingIPAddresses

Step1 PerformStep 1throughStep 15of


ConfigureActive/ActiveHA.

Step2 ConfigureanHAvirtualaddress. 1. InDevice > High Availability > Active/Active Config,Adda


Youneedavirtualaddresstousea VirtualAddress.
FloatingIPAddressandVirtualMAC 2. EnterorselectanInterface.
Address.
3. SelecttheIPv4orIPv6tabandclickAdd.
4. EnteranIPv4 Address orIPv6 Address.
5. ForType,selectFloatingtoconfigurethevirtualIPaddressto
beafloatingIPaddress.

Step3 ConfigurethefloatingIPaddress. 1. DonotselectFloating IP bound to the Active-Primary device.


2. ForDevice 0 Priority andDevice 1 Priority,enterapriorityfor
thefirewallconfiguredwithDeviceID0andDeviceID1,
respectively.Therelativeprioritiesdeterminewhichpeer
ownsthefloatingIPaddressyoujustconfigured(rangeis
0255).Thefirewallwiththelowestpriorityvalue(highest
priority)ownsthefloatingIPaddress.
3. SelectFailover address if link state is downtocausethe
firewalltousethefailoveraddresswhenthelinkstateonthe
interfaceisdown.
4. ClickOK.

PaloAltoNetworks,Inc. PANOS7.1AdministratorsGuide 219


SetUpActive/ActiveHA HighAvailability

ConfigureActive/ActiveHAwithFloatingIPAddresses(Continued)

Step4 Enablejumboframesonfirewallsother PerformStep 19ofConfigureActive/ActiveHA.


thanPA7000Seriesfirewalls.

Step5 DefineHAfailoverconditions. DefineHAFailoverConditions.

Step6 Savetheconfiguration. ClickCommit.

Step7 Configurethepeerfirewallinthesame
way,exceptinStep 5,ifyouselected
DeviceID0forthefirstfirewall,select
DeviceID1forthepeerfirewall.

Use Case: Configure Active/Active HA with ARP Load-Sharing

In this example, hosts in a Layer 3 deployment need gateway services from the HA firewalls. The firewalls are configured with a single shared IP address, which allows ARP Load-Sharing. The end hosts are configured with the same gateway, which is the shared IP address of the HA firewalls.

Configure Active/Active HA with ARP Load-Sharing

Step 1  Perform Step 1 through Step 15 of Configure Active/Active HA.

Step 2  Configure an HA virtual address. The virtual address is the shared IP address that allows ARP Load-Sharing.
  1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  2. Enter or select an Interface.
  3. Select the IPv4 or IPv6 tab and click Add.
  4. Enter an IPv4 Address or IPv6 Address.
  5. For Type, select ARP Load Sharing, which allows both peers to use the virtual IP address for ARP Load-Sharing.

Step 3  Configure ARP Load-Sharing. The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
  1. For Device Selection Algorithm, select one of the following:
     - IP Modulo: The firewall that will respond to ARP requests is based on the parity of the ARP requester's IP address.
     - IP Hash: The firewall that will respond to ARP requests is based on a hash of the ARP requester's IP address.
  2. Click OK.

Step 4  Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Perform Step 19 of Configure Active/Active HA.

Step 5  Define HA failover conditions. See Define HA Failover Conditions.

Step 6  Save the configuration. Click Commit.

Step 7  Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.

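The Device Selection Algorithm choices in Step 3 decide which peer answers an ARP request for the shared address, and the surviving peer answers for both when one is down. The following model is an added example for this section, not PAN-OS code: the function names are hypothetical, the even/odd mapping of "parity" to Device ID 0/1 is an assumption, and because the guide does not document the hash function behind IP Hash, CRC32 is used here only as a stand-in. The sample host list is constructed.

```python
import ipaddress
import zlib
from collections import Counter


def ip_modulo_device(requester_ip):
    """IP Modulo: the parity of the requester's IP address selects the responder.
    Even addresses map to Device ID 0 and odd addresses to Device ID 1 (the
    even/odd assignment is an assumption of this model; the guide says 'parity')."""
    return int(ipaddress.ip_address(requester_ip)) % 2


def ip_hash_device(requester_ip, target_ip=None):
    """IP Hash: a hash of the requester's IP (plus the destination IP in the
    Layer 3 use case) selects the responder. The real hash function is not
    documented on this page; CRC32 is an assumed stand-in for illustration."""
    key = ipaddress.ip_address(requester_ip).packed
    if target_ip is not None:
        key += ipaddress.ip_address(target_ip).packed
    return zlib.crc32(key) % 2


def arp_responder(requester_ip, algorithm, peers_up=(True, True), target_ip=None):
    """Device ID that answers the ARP request for the shared IP, or None when
    neither peer is up. If the selected peer is down, the other peer answers."""
    if algorithm == "IP Modulo":
        chosen = ip_modulo_device(requester_ip)
    elif algorithm == "IP Hash":
        chosen = ip_hash_device(requester_ip, target_ip)
    else:
        raise ValueError(f"unknown Device Selection Algorithm {algorithm!r}")
    if peers_up[chosen]:
        return chosen
    other = 1 - chosen
    return other if peers_up[other] else None


def responder_distribution(hosts, algorithm, peers_up=(True, True), target_ip=None):
    """Count how many of the given requester addresses each Device ID serves."""
    return dict(Counter(arp_responder(h, algorithm, peers_up, target_ip) for h in hosts))


# Constructed sample: every host in 10.1.1.0/24 that uses the shared gateway address.
SAMPLE_HOSTS = [str(ip) for ip in ipaddress.ip_network("10.1.1.0/24").hosts()]

if __name__ == "__main__":
    print("IP Modulo, both peers up:", responder_distribution(SAMPLE_HOSTS, "IP Modulo"))
    print("IP Modulo, Device ID 1 down:", responder_distribution(SAMPLE_HOSTS, "IP Modulo", (True, False)))
    print("IP Hash, both peers up:", responder_distribution(SAMPLE_HOSTS, "IP Hash"))
```

Running it over the /24 shows that IP Modulo splits a contiguous host range exactly in half, while a hash spreads hosts by address value rather than by position, which matters when DHCP hands out addresses in blocks.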
Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

In mission-critical data centers, you may want both Layer 3 HA firewalls to participate in path monitoring so that they can detect path failures upstream from both firewalls. Additionally, you prefer to control if and when the floating IP address returns to the recovered firewall after it comes back up, rather than the floating IP address returning to the device ID to which it is bound. (That default behavior is described in Floating IP Address and Virtual MAC Address.)

In this use case, you control when the floating IP address, and therefore the active-primary role, moves back to a recovered HA peer. The active/active HA firewalls share a single floating IP address that you bind to whichever firewall is in the active-primary state. With only one floating IP address, network traffic flows predominantly to a single firewall, so this active/active deployment functions like an active/passive deployment.

In this use case, Cisco Nexus 7010 switches with virtual PortChannels (vPCs) operating in Layer 3 connect to the firewalls. You must configure the Layer 3 switches (router peers) north and south of the firewalls with a route preference to the floating IP address. That is, you must design your network so the route tables of the router peers have the best path to the floating IP address. This example uses static routes with the proper metrics so that the route to the floating IP address uses a lower metric (the route to the floating IP address is preferred) and receives the traffic. An alternative to using static routes would be to design the network to redistribute the floating IP address into the OSPF routing protocol (if you are using OSPF).

The following topology illustrates the floating IP address bound to the active-primary firewall, which is initially Peer A, the firewall on the left.

Upon a failover, when the active-primary firewall (Peer A) goes down and the active-secondary firewall (Peer B) takes over as the active-primary peer, the floating IP address moves to Peer B (shown in the following figure). Peer B remains the active-primary firewall and traffic continues to go to Peer B, even when Peer A recovers and becomes the active-secondary firewall. You decide if and when to make Peer A the active-primary firewall again.

Binding the floating IP address to the active-primary firewall provides you with more control over how the firewalls determine floating IP address ownership as they move between various HA Firewall States. The following advantages result:

- You can have an active/active HA configuration for path monitoring out of both firewalls, but have the firewalls function like an active/passive HA configuration because traffic directed to the floating IP address always goes to the active-primary firewall.
- When you disable preemption on both firewalls, you have the following additional benefits:
  - The floating IP address does not move back and forth between HA firewalls if the active-secondary firewall flaps up and down.
  - You can review the functionality of the recovered firewall and the adjacent components before manually directing traffic to it again, which you can do at a convenient downtime.
  - You have control over which firewall owns the floating IP address so that you keep all flows of new and existing sessions on the active-primary firewall, thereby minimizing traffic on the HA3 link.

We strongly recommend you configure HA link monitoring on the interface(s) that support the floating IP address(es) to allow each HA peer to quickly detect a link failure and fail over to its peer. Both HA peers must have link monitoring for it to function.

We strongly recommend you configure HA path monitoring to notify each HA peer when a path has failed so a firewall can fail over to its peer. Because the floating IP address is always bound to the active-primary firewall, the firewall cannot automatically fail over to the peer when a path goes down and path monitoring is not enabled.

You cannot configure NAT for a floating IP address that is bound to an active-primary firewall.

Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

Step 1  Perform Step 1 through Step 5 of Configure Active/Active HA.

Step 2  (Optional) Disable preemption. Disabling preemption allows you full control over when the recovered firewall becomes the active-primary firewall.
  1. In Device > High Availability > General, edit the Election Settings.
  2. Clear Preemptive if it is enabled.
  3. Click OK.

Step 3  Perform Step 7 through Step 14 of Configure Active/Active HA.

Step 4  Configure Session Owner and Session Setup.
  1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
  2. For Session Owner Selection, we recommend you select Primary Device. The firewall that is in active-primary state is the session owner.
     Alternatively, for Session Owner Selection you can select First Packet and then for Session Setup, select Primary Device or First Packet.
  3. For Session Setup, select Primary Device: the active-primary firewall sets up all sessions. This is the recommended setting if you want your active/active configuration to behave like an active/passive configuration because it keeps all activity on the active-primary firewall.
     You must also engineer your network to eliminate the possibility of asymmetric traffic going to the HA pair. If you don't do so and traffic goes to the active-secondary firewall, setting Session Owner Selection and Session Setup to Primary Device causes the traffic to traverse HA3 to get to the active-primary firewall for session ownership and session setup.
  4. Click OK.

Step 5  Configure an HA virtual address.
  1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  2. Enter or select an Interface.
  3. Select the IPv4 or IPv6 tab and Add an IPv4 Address or IPv6 Address.
  4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.
  5. Click OK.

Step 6  Bind the floating IP address to the active-primary firewall.
  1. Select Floating IP bound to the Active-Primary device.
  2. Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
  3. Click OK.

Step 7  Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Perform Step 19 of Configure Active/Active HA.

Step 8  Save the configuration. Click Commit.

Step 9  Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.

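The two floating IP use cases above differ only in who owns the address after a failover and recovery: a priority-owned floating IP returns to the peer with the lowest Device Priority value, while a floating IP bound to the active-primary device follows the active-primary role, which with preemption disabled stays where it landed until an administrator moves it. The model below traces both through the same fail/recover sequence. It is an added example for readers of this section, not PAN-OS code; the class and function names are hypothetical, and it simplifies by using one per-peer priority value both for floating IP ownership and for the active-primary election, which PAN-OS configures as separate settings.

```python
from dataclasses import dataclass

ACTIVE_PRIMARY = "active-primary"
ACTIVE_SECONDARY = "active-secondary"
DOWN = "down"


@dataclass
class Peer:
    device_id: int
    priority: int                 # Device 0/1 Priority, range 0-255; lowest value wins
    state: str = ACTIVE_SECONDARY


@dataclass
class FloatingIP:
    address: str
    bound_to_active_primary: bool = False   # the "Floating IP bound to the Active-Primary device" option


class HAPair:
    """Two active/active peers (hypothetical model; one priority per peer is an assumption)."""

    def __init__(self, peers, preemptive=True):
        self.peers = {p.device_id: p for p in peers}
        if set(self.peers) != {0, 1}:
            raise ValueError("an HA pair needs exactly Device ID 0 and Device ID 1")
        for p in peers:
            if not 0 <= p.priority <= 255:
                raise ValueError("Device Priority must be in the range 0-255")
        self.preemptive = preemptive
        # Initial election: the peer with the lowest priority value is active-primary.
        self._promote(min(peers, key=lambda p: p.priority).device_id)

    def _promote(self, device_id):
        for p in self.peers.values():
            if p.state != DOWN:
                p.state = ACTIVE_SECONDARY
        self.peers[device_id].state = ACTIVE_PRIMARY

    def state_of(self, device_id):
        return self.peers[device_id].state

    def fail(self, device_id):
        """Peer goes down; a surviving active-secondary peer takes the active-primary role."""
        peer, other = self.peers[device_id], self.peers[1 - device_id]
        was_primary = peer.state == ACTIVE_PRIMARY
        peer.state = DOWN
        if was_primary and other.state != DOWN:
            other.state = ACTIVE_PRIMARY

    def recover(self, device_id):
        """Peer comes back. With preemption it retakes active-primary only if its
        priority value is lower; otherwise it joins as active-secondary and stays
        there until an administrator moves the role (the 'you decide if and when' step)."""
        peer, other = self.peers[device_id], self.peers[1 - device_id]
        if other.state == DOWN:
            peer.state = ACTIVE_PRIMARY
        elif self.preemptive and peer.priority < other.priority:
            self._promote(device_id)
        else:
            peer.state = ACTIVE_SECONDARY

    def make_active_primary(self, device_id):
        """Administrator-initiated move of the active-primary role."""
        if self.peers[device_id].state == DOWN:
            raise ValueError("cannot promote a peer that is down")
        self._promote(device_id)

    def owner(self, fip):
        """Device ID that currently owns the floating IP, or None if both peers are down."""
        up = [p for p in self.peers.values() if p.state != DOWN]
        if not up:
            return None
        if fip.bound_to_active_primary:
            return next(p.device_id for p in up if p.state == ACTIVE_PRIMARY)
        # Default behaviour: the peer with the lowest priority value owns the address
        # whenever it is up, so the address returns to it as soon as it recovers.
        return min(up, key=lambda p: p.priority).device_id


def failover_trace(preemptive):
    """Fail and recover Device ID 0; return (event, owner of plain FIP, owner of bound FIP)."""
    pair = HAPair([Peer(0, priority=0), Peer(1, priority=255)], preemptive=preemptive)
    plain = FloatingIP("10.1.1.100")                               # constructed sample addresses
    bound = FloatingIP("10.1.1.200", bound_to_active_primary=True)
    trace = []

    def snapshot(event):
        trace.append((event, pair.owner(plain), pair.owner(bound)))

    snapshot("start")
    pair.fail(0)
    snapshot("peer 0 fails")
    pair.recover(0)
    snapshot("peer 0 recovers")
    pair.make_active_primary(0)
    snapshot("admin moves role back")
    return trace


if __name__ == "__main__":
    for preemptive in (False, True):
        print(f"preemptive={preemptive}:")
        for event, plain_owner, bound_owner in failover_trace(preemptive):
            print(f"  {event:24s} plain FIP -> Device ID {plain_owner}, bound FIP -> Device ID {bound_owner}")
```

With preemption disabled the bound address stays on Device ID 1 after Device ID 0 recovers, exactly the "review before you move traffic back" behaviour the use case is after; with preemption enabled the recovered, higher-priority peer takes both the role and the address back immediately.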
Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses

This Layer 3 interface example uses source NAT in Active/Active HA Mode. The Layer 2 switches create broadcast domains to ensure users can reach everything north and south of the firewalls.

PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1. In this use case, NAT translates the source IP address and port number to the floating IP address configured on the egress interface. Each host is configured with a default gateway address, which is the floating IP address on Ethernet1/1 of each firewall. The configuration requires two source NAT rules, one bound to each Device ID, although you configure both NAT rules on a single firewall and they are synchronized to the peer firewall.

Configure Active/Active HA with Source DIPP NAT Using Floating IP Address

On PA-3050-2 (Device ID 1), complete the following steps:

Step 1  Perform Step 1 through Step 3 of Configure Active/Active HA.

Step 2  Enable active/active HA.
  1. In Device > High Availability > General, edit Setup.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. For Mode, select Active Active.
  5. Select Device ID 1.
  6. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
  7. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
  8. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
  9. Click OK.

Step 3  Perform Step 6 through Step 14 of Configure Active/Active HA.

Step 4  Configure Session Owner and Session Setup.
  1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
  2. For Session Owner Selection, select First Packet: the firewall that receives the first packet of a new session is the session owner.
  3. For Session Setup, select IP Modulo: distributes session setup load based on parity of the source IP address.
  4. Click OK.

Step 5  Configure an HA virtual address.
  1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  2. Select Interface eth1/1.
  3. Select IPv4 and Add an IPv4 Address of 10.1.1.101.
  4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.

Step 6  Configure the floating IP address.
  1. Do not select Floating IP bound to the Active-Primary device.
  2. Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
  3. Click OK.

Step 7  Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Perform Step 19 of Configure Active/Active HA.

Step 8  Define HA failover conditions. See Define HA Failover Conditions.

Step 9  Save the configuration. Click Commit.

Step 10  Configure the peer firewall, PA-3050-1, with the same settings, except for the following changes:
  - Select Device ID 0.
  - Configure an HA virtual address of 10.1.1.100.
  - For Device 1 Priority, enter 255. For Device 0 Priority, enter 0. In this example, Device ID 0 has a lower priority value, so a higher priority; therefore, the firewall with Device ID 0 (PA-3050-1) owns the floating IP address 10.1.1.100.

Step 11  Still on PA-3050-1, create the source NAT rule for Device ID 0.
  1. Select Policies > NAT and click Add.
  2. Enter a Name for the rule that in this example identifies it as a source NAT rule for Device ID 0.
  3. For NAT Type, select ipv4 (default).
  4. On the Original Packet, for Source Zone, select Any.
  5. For Destination Zone, select the zone you created for the external network.
  6. Allow Destination Interface, Service, Source Address, and Destination Address to remain set to Any.
  7. For the Translated Packet, select Dynamic IP And Port for Translation Type.
  8. For Address Type, select Interface Address, in which case the translated address will be the IP address of the interface. Select an Interface (eth1/1 in this example) and an IP Address of the floating IP address 10.1.1.100.
  9. On the Active/Active HA Binding tab, for Active/Active HA Binding, select 0 to bind the NAT rule to Device ID 0.
  10. Click OK.

Step 12  Create the source NAT rule for Device ID 1.
  1. Select Policies > NAT and click Add.
  2. Enter a Name for the policy rule that in this example helps identify it as a source NAT rule for Device ID 1.
  3. For NAT Type, select ipv4 (default).
  4. On the Original Packet, for Source Zone, select Any. For Destination Zone, select the zone you created for the external network.
  5. Allow Destination Interface, Service, Source Address, and Destination Address to remain set to Any.
  6. For the Translated Packet, select Dynamic IP And Port for Translation Type.
  7. For Address Type, select Interface Address, in which case the translated address will be the IP address of the interface. Select an Interface (eth1/1 in this example) and an IP Address of the floating IP address 10.1.1.101.
  8. On the Active/Active HA Binding tab, for the Active/Active HA Binding, select 0 to bind the NAT rule to Device ID 1.
  9. Click OK.

Step 13  Save the configuration. Click Commit.

Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls

If you want to use IP address pools for source NAT in Active/Active HA Mode, each firewall must have its own pool, which you then bind to a Device ID in a NAT rule.

Address objects and NAT rules are synchronized (in both active/passive and active/active mode), so they need to be configured on only one of the firewalls in the HA pair.

This example configures an address object named DynIPPooldev0 containing the IP address pool 10.1.1.140-10.1.1.150. It also configures an address object named DynIPPooldev1 containing the IP address pool 10.1.1.160-10.1.1.170. The first address object is bound to Device ID 0; the second address object is bound to Device ID 1.

Create Address Objects for IP Address Pools for Source NAT in an Active/Active HA Configuration

Step 1  On one HA firewall, create address objects.
  1. Select Objects > Addresses and Add an address object Name, in this example, DynIPPooldev0.
  2. For Type, select IP Range and enter the range 10.1.1.140-10.1.1.150.
  3. Click OK.
  4. Repeat this step to configure another address object named DynIPPooldev1 with the IP Range of 10.1.1.160-10.1.1.170.

Step 2  Create the source NAT rule for Device ID 0.
  1. Select Policies > NAT and Add a NAT policy rule with a Name, for example, SrcNATdev0.
  2. For Original Packet, for Source Zone, select Any.
  3. For Destination Zone, select the destination zone for which you want to translate the source address, such as Untrust.
  4. For Translated Packet, for Translation Type, select Dynamic IP and Port.
  5. For Translated Address, Add the address object you created for the pool of addresses belonging to Device ID 0: DynIPPooldev0.
  6. For Active/Active HA Binding, select 0 to bind the NAT rule to Device ID 0.
  7. Click OK.

Step 3  Create the source NAT rule for Device ID 1.
  1. Select Policies > NAT and Add a NAT policy rule with a Name, for example, SrcNATdev1.
  2. For Original Packet, for Source Zone, select Any.
  3. For Destination Zone, select the destination zone for which you want to translate the source address, such as Untrust.
  4. For Translated Packet, for Translation Type, select Dynamic IP and Port.
  5. For Translated Address, Add the address object you created for the pool of addresses belonging to Device ID 1: DynIPPooldev1.
  6. For Active/Active HA Binding, select 1 to bind the NAT rule to Device ID 1.
  7. Click OK.

Step 4  Save the configuration. Select Commit.

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT

This Layer 3 interface example uses NAT in Active/Active HA Mode and ARP Load-Sharing with destination NAT. Both HA firewalls respond to an ARP request for the destination NAT address with the ingress interface MAC address. Destination NAT translates the public, shared IP address (in this example, 10.1.1.200) to the private IP address of the server (in this example, 192.168.2.200).

When the HA firewalls receive traffic for the destination 10.1.1.200, both firewalls could possibly respond to the ARP request, which could cause network instability. To avoid the potential issue, configure the firewall that is in active-primary state to respond to the ARP request by binding the destination NAT rule to the active-primary firewall.

Configure Active/Active HA for ARP Load-Sharing with Destination NAT

On PA-3050-2 (Device ID 1), complete the following steps:

Step 1  Perform Step 1 through Step 3 of Configure Active/Active HA.

Step 2  Enable active/active HA.
  1. In Device > High Availability > General, edit Setup.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. (Optional) Enter a Description.
  5. For Mode, select Active Active.
  6. Select Device ID to be 1.
  7. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
  8. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
  9. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
  10. Click OK.

Step 3  Perform Step 6 through Step 15 in Configure Active/Active HA.

Step 4  Configure an HA virtual address.
  1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  2. Select Interface eth1/1.
  3. Select IPv4 and Add an IPv4 Address of 10.1.1.200.
  4. For Type, select ARP Load Sharing, which configures the virtual IP address to be for both peers to use for ARP Load-Sharing.

Step 5  Configure ARP Load-Sharing. The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
  1. For Device Selection Algorithm, select IP Modulo. The firewall that will respond to ARP requests is based on the parity of the ARP requester's IP address.
  2. Click OK.

Step 6  Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Perform Step 19 of Configure Active/Active HA.

Step 7  Define HA failover conditions. See Define HA Failover Conditions.

Step 8  Save the configuration. Click Commit.

Step 9  Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except in Step 2 select Device ID 0.

Step 10  Still on PA-3050-1 (Device ID 0), create the destination NAT rule so that the active-primary firewall responds to ARP requests.
  1. Select Policies > NAT and click Add.
  2. Enter a Name for the rule that, in this example, identifies it as a destination NAT rule for Layer 2 ARP.
  3. For NAT Type, select ipv4 (default).
  4. On the Original Packet, for Source Zone, select Any.
  5. For Destination Zone, select the Untrust zone you created for the external network.
  6. Allow Destination Interface, Service, and Source Address to remain set to Any.
  7. For Destination Address, specify 10.1.1.200.
  8. For the Translated Packet, Source Address Translation remains None.
  9. For Destination Address Translation, enter the private IP address of the destination server, in this example, 192.168.1.200.
  10. On the Active/Active HA Binding tab, for Active/Active HA Binding, select primary to bind the NAT rule to the firewall in active-primary state.
  11. Click OK.

Step 11  Save the configuration. Click Commit.
Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3

This Layer 3 interface example uses NAT in Active/Active HA Mode and ARP Load-Sharing. PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1.

In this use case, both of the HA firewalls must respond to an ARP request for the destination NAT address. Traffic can arrive at either firewall from either WAN router in the untrust zone. Destination NAT translates the public-facing, shared IP address to the private IP address of the server. The configuration requires one destination NAT rule bound to both Device IDs so that both firewalls can respond to ARP requests.

Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3

On PA-3050-2 (Device ID 1), complete the following steps:

Step 1  Perform Step 1 through Step 3 of Configure Active/Active HA.

Step 2  Enable active/active HA.
  1. Select Device > High Availability > General > Setup and edit.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. (Optional) Enter a Description.
  5. For Mode, select Active Active.
  6. Select Device ID to be 1.
  7. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
  8. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
  9. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
  10. Click OK.

Step 3  Perform Step 6 through Step 15 in Configure Active/Active HA.

Step 4  Configure an HA virtual address.
  1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  2. Select Interface eth1/2.
  3. Select IPv4 and Add an IPv4 Address of 10.1.1.200.
  4. For Type, select ARP Load Sharing, which configures the virtual IP address to be for both peers to use for ARP Load-Sharing.

Step 5  Configure ARP Load-Sharing. The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
  1. For Device Selection Algorithm, select one of the following:
     - IP Modulo: The firewall that will respond to ARP requests is based on the parity of the ARP requester's IP address.
     - IP Hash: The firewall that will respond to ARP requests is based on a hash of the ARP requester's source IP address and destination IP address.
  2. Click OK.

Step 6  Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Perform Step 19 of Configure Active/Active HA.

Step 7  Define HA failover conditions. See Define HA Failover Conditions.

Step 8  Save the configuration. Click Commit.

Step 9  Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except in Step 2 select Device ID 0.

Step 10  Still on PA-3050-1 (Device ID 0), create the destination NAT rule for both Device ID 0 and Device ID 1.
  1. Select Policies > NAT and click Add.
  2. Enter a Name for the rule that in this example identifies it as a destination NAT rule for Layer 3 ARP.
  3. For NAT Type, select ipv4 (default).
  4. On the Original Packet, for Source Zone, select Any.
  5. For Destination Zone, select the Untrust zone you created for the external network.
  6. Allow Destination Interface, Service, and Source Address to remain set to Any.
  7. For Destination Address, specify 10.1.1.200.
  8. For the Translated Packet, Source Address Translation remains None.
  9. For Destination Address Translation, enter the private IP address of the destination server, in this example 192.168.1.200.
  10. On the Active/Active HA Binding tab, for Active/Active HA Binding, select both to bind the NAT rule to both Device ID 0 and Device ID 1.
  11. Click OK.

Step 11  Save the configuration. Click Commit.

HA Firewall States

An HA firewall can be in one of the following states:

Initial (occurs in A/P or A/A)
  Transient state of a firewall when it joins the HA pair. The firewall remains in this state after boot-up until it discovers a peer and negotiation begins. After a timeout, the firewall becomes active if HA negotiation has not started.

Active (occurs in A/P)
  State of the active firewall in an active/passive configuration.

Passive (occurs in A/P)
  State of the passive firewall in an active/passive configuration. The passive firewall is ready to become the active firewall with no disruption to the network. Although the passive firewall is not processing other traffic:
  - If passive link state auto is configured, the passive firewall is running routing protocols, monitoring link and path state, and the passive firewall will pre-negotiate LACP and LLDP if LACP and LLDP pre-negotiation are configured, respectively.
  - The passive firewall is synchronizing flow state, runtime objects, and configuration.
  - The passive firewall is monitoring the status of the active firewall using the hello protocol.

Active-Primary (occurs in A/A)
  In an active/active configuration, state of the firewall that connects to User-ID agents, runs DHCP server and DHCP relay, and matches NAT and PBF rules with the Device ID of the active-primary firewall. A firewall in this state can own sessions and set up sessions.

Active-Secondary (occurs in A/A)
  In an active/active configuration, state of the firewall that connects to User-ID agents, runs DHCP server, and matches NAT and PBF rules with the Device ID of the active-secondary firewall. A firewall in active-secondary state does not support DHCP relay. A firewall in this state can own sessions and set up sessions.

Tentative (occurs in A/A)
  State of a firewall (in an active/active configuration) caused by one of the following:
  - Failure of a firewall.
  - Failure of a monitored object (a link or path).
  - The firewall leaves suspended or non-functional state.
  A firewall in tentative state synchronizes sessions and configurations from the peer.
  In a virtual wire deployment, when a firewall enters tentative state due to a path failure and receives a packet to forward, it sends the packet to the peer firewall over the HA3 link for processing. The peer firewall processes the packet and sends it back over the HA3 link to the firewall to be sent out the egress interface. This behavior preserves the forwarding path in a virtual wire deployment.
  In a Layer 3 deployment, when a firewall in tentative state receives a packet, it sends that packet over the HA3 link for the peer firewall to own or set up the session. Depending on the network topology, this firewall either sends the packet out to the destination or sends it back to the peer in tentative state for forwarding.
  After the failed path or link clears or as a failed firewall transitions from tentative state to active-secondary state, the Tentative Hold Time is triggered and routing convergence occurs. The firewall attempts to build routing adjacencies and populate its route table before processing any packets. Without this timer, the recovering firewall would enter active-secondary state immediately and would black hole packets because it would not have the necessary routes.
  When a firewall leaves suspended state, it goes into tentative state for the Tentative Hold Time after links are up and able to process incoming packets.
  Tentative Hold Time range (sec) can be disabled (which is 0 seconds) or in the range 10-600; default is 60.

Non-functional (occurs in A/P or A/A)
  Error state due to a dataplane failure or a configuration mismatch, such as only one firewall configured for packet forwarding, VR sync or QoS sync.
  In active/passive mode, all of the causes listed for Tentative state cause non-functional state.

Suspended (occurs in A/P or A/A)
  Administratively disabled state. In this state, an HA firewall cannot participate in the HA election process.

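The active/active transitions described for the Tentative state (entered on a firewall or monitored-object failure or on leaving suspended/non-functional, held for the Tentative Hold Time once the fault clears, then active-secondary) can be followed in the small state machine below. It is an added example for this section, not PAN-OS code; the class, method and function names are hypothetical, and it models only the active/active states and events the table lists, with the Tentative Hold Time validated to the documented range (0 to disable, otherwise 10-600 seconds, default 60).

```python
from enum import Enum


class HAState(Enum):
    INITIAL = "initial"
    ACTIVE_PRIMARY = "active-primary"
    ACTIVE_SECONDARY = "active-secondary"
    TENTATIVE = "tentative"
    NON_FUNCTIONAL = "non-functional"
    SUSPENDED = "suspended"


def is_valid_tentative_hold_time(seconds):
    """0 disables the timer; any other value must be within 10-600 seconds."""
    return seconds == 0 or 10 <= seconds <= 600


class ActiveActivePeer:
    """One firewall of an active/active pair (hypothetical model of the states table)."""

    def __init__(self, tentative_hold_time=60):
        if not is_valid_tentative_hold_time(tentative_hold_time):
            raise ValueError("Tentative Hold Time must be 0 (disabled) or 10-600 seconds")
        self.hold_time = tentative_hold_time
        self.state = HAState.INITIAL
        self.fault_present = False
        self.hold_remaining = 0

    def join(self, elected_primary):
        """Initial -> active-primary/active-secondary once a peer is found and negotiation ends."""
        if self.state is not HAState.INITIAL:
            raise RuntimeError("join() applies only in Initial state")
        self.state = HAState.ACTIVE_PRIMARY if elected_primary else HAState.ACTIVE_SECONDARY

    def fault(self):
        """Failure of the firewall or of a monitored link/path puts the peer in Tentative."""
        self.fault_present = True
        self.state = HAState.TENTATIVE
        self.hold_remaining = 0

    def dataplane_failure(self):
        self.state = HAState.NON_FUNCTIONAL

    def suspend(self):
        """Administratively disabled: takes no part in the HA election."""
        self.state = HAState.SUSPENDED

    def _start_hold_timer(self):
        # Stay Tentative for the hold time while routing adjacencies rebuild; with the
        # timer disabled (0) the firewall becomes active-secondary immediately, which
        # is exactly the black-hole risk the table warns about.
        self.state = HAState.TENTATIVE
        self.hold_remaining = self.hold_time
        if self.hold_time == 0:
            self.state = HAState.ACTIVE_SECONDARY

    def clear_fault(self):
        """The failed path/link recovers: run the Tentative Hold Time, then active-secondary."""
        self.fault_present = False
        if self.state is HAState.TENTATIVE:
            self._start_hold_timer()

    def leave_suspended_or_nonfunctional(self):
        """Leaving suspended or non-functional passes through Tentative for the hold time."""
        if self.state not in (HAState.SUSPENDED, HAState.NON_FUNCTIONAL):
            raise RuntimeError("peer is not suspended or non-functional")
        self.fault_present = False
        self._start_hold_timer()

    def tick(self, seconds):
        """Advance time; Tentative ends only once the fault is gone and the timer expires."""
        if self.state is HAState.TENTATIVE and not self.fault_present:
            self.hold_remaining -= seconds
            if self.hold_remaining <= 0:
                self.state = HAState.ACTIVE_SECONDARY
        return self.state

    def forwards_locally(self):
        """In Tentative state packets are handed to the peer over HA3 instead of being handled here."""
        return self.state in (HAState.ACTIVE_PRIMARY, HAState.ACTIVE_SECONDARY)


def recovery_trace(hold_time=60):
    """Walk one active-secondary peer through a fault and recovery; return the states seen."""
    peer = ActiveActivePeer(hold_time)
    peer.join(elected_primary=False)
    trace = [peer.state.value]
    peer.fault();                  trace.append(peer.state.value)
    peer.tick(120);                trace.append(peer.state.value)   # fault still present: timer idle
    peer.clear_fault();            trace.append(peer.state.value)
    peer.tick(hold_time // 2);     trace.append(peer.state.value)
    peer.tick(hold_time);          trace.append(peer.state.value)
    return trace


if __name__ == "__main__":
    print("hold time 60s:", " -> ".join(recovery_trace(60)))
    print("timer disabled:", " -> ".join(recovery_trace(0)))
```

The trace with the timer disabled shows the peer jumping straight to active-secondary on the same event that, with the default 60 seconds, leaves it Tentative until the hold time has elapsed.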
Reference: HA Synchronization

If you have enabled configuration synchronization on both peers in an HA pair, most of the configuration settings you configure on one peer will automatically sync to the other peer upon commit. To avoid configuration conflicts, always make configuration changes on the active (active/passive) or active-primary (active/active) peer and wait for the changes to sync to the peer before making any additional configuration changes.

Only committed configurations synchronize between HA peers. Any configuration in the commit queue at the time of an HA sync will not be synchronized.

The following topics identify which configuration settings you must configure on each firewall independently (these settings are not synchronized from the HA peer).
- What Settings Don't Sync in Active/Passive HA?
- What Settings Don't Sync in Active/Active HA?
- Synchronization of System Runtime Information

What Settings Don't Sync in Active/Passive HA?

You must configure the following settings on each firewall in an HA pair in an active/passive deployment. These settings do not sync from one peer to another.

Configuration Item: What Doesn't Sync in Active/Passive?

Management Interface Settings
  All management configuration settings must be configured individually on each firewall, including:
  - Device > Setup > Management > General Settings: Hostname, Domain, Login Banner, SSL/TLS Service Profile, Time Zone, Locale, Date, Time, Latitude, Longitude.
    The configuration for the associated SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile) and the associated certificates (Device > Certificate Management > Certificates) is synchronized. It is just the setting of which SSL/TLS Service Profile to use on the Management interface that does not sync.
  - Device > Setup > Management > Management Interface Settings: IP Type, IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP)

Multi-vsys Capability
  To enable multi-vsys, you must activate the Virtual Systems license (required to enable support for multiple virtual systems on PA-2000 Series and PA-3000 Series firewalls or to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls) on each firewall in the pair.
  You must also enable Multi Virtual System Capability on each firewall (Device > Setup > Management > General Settings).

Administrator Authentication Settings
  You must define the authentication profile and certificate profile for administrative access to the firewall locally on each firewall (Device > Setup > Management > Authentication).

Panorama Settings
  Set the following Panorama settings on each firewall (Device > Setup > Management > Panorama Settings).
  - Panorama Servers
  - Disable Panorama Policy and Objects and Disable Device and Network Template

SNMP
  Device > Setup > Operations > SNMP Setup

Statistics Collection
  Device > Setup > Operations > Statistics Service Setup

Services
  Device > Setup > Services

Global Service Routes
  Device > Setup > Services > Service Route Configuration

Data Protection
  Device > Setup > Content-ID > Manage Data Protection

Jumbo Frames
  Device > Setup > Session > Session Settings > Enable Jumbo Frame

Forward Proxy Server Certificate Settings
  Device > Setup > Session > Decryption Settings > SSL Forward Proxy Settings

Master Key Secured by HSM
  Device > Setup > HSM > Hardware Security Module Provider > Master Key Secured by HSM

Log Export Settings
  Device > Scheduled Log Export

Software Updates
  With software updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
  Device > Software

GlobalProtect Agent Package
  With GlobalProtect client updates, you can either download and install them separately on each firewall, or download them to one peer and sync the update to the other peer. You must activate separately on each peer.
  Device > GlobalProtect Client

Content Updates
  With content updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
  Device > Dynamic Updates

Licenses/Subscriptions
  Device > Licenses

Support Subscription
  Device > Support

Master Key
  The master key must be identical on each firewall in the HA pair, but you must manually enter it on each firewall (Device > Master Key and Diagnostics).
  Before changing the master key, you must disable config sync on both peers (Device > High Availability > General > Setup and clear the Enable Config Sync checkbox) and then re-enable it after you change the keys.

Reports, logs, and Dashboard Settings
  Log data, reports, and Dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.

HA settings
  Device > High Availability

238 PANOS7.1AdministratorsGuide PaloAltoNetworks,Inc.


HighAvailability Reference:HASynchronization

What Settings Don't Sync in Active/Active HA?

You must configure the following settings on each firewall in an HA pair in an active/active deployment. These settings do not sync from one peer to another.

Configuration Item: What Doesn't Sync in Active/Active?

Management Interface Settings: You must configure all management settings individually on each firewall, including:
  - Device > Setup > Management > General Settings: Hostname, Domain, Login Banner, SSL/TLS Service Profile, Time Zone, Locale, Date, Time, Latitude, Longitude.
    The configuration for the associated SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile) and the associated certificates (Device > Certificate Management > Certificates) is synchronized. It is just the setting of which SSL/TLS Service Profile to use on the Management interface that does not sync.
  - Device > Setup > Management > Management Interface Settings: IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP)

Multi-vsys Capability: To enable multi-vsys, you must activate the Virtual Systems license (required to enable support for multiple virtual systems on PA-2000 Series and PA-3000 Series firewalls, or to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls) on each firewall in the pair. You must also enable Multi Virtual System Capability on each firewall (Device > Setup > Management > General Settings).

Administrator Authentication Settings: You must define the authentication profile and certificate profile for administrative access to the firewall locally on each firewall (Device > Setup > Management > Authentication).

Panorama Settings: Set the following Panorama settings on each firewall (Device > Setup > Management > Panorama Settings).
  - Panorama Servers
  - Disable Panorama Policy and Objects and Disable Device and Network Template

SNMP: Device > Setup > Operations > SNMP Setup

Statistics Collection: Device > Setup > Operations > Statistics Service Setup

Services: Device > Setup > Services

Global Service Routes: Device > Setup > Services > Service Route Configuration

Data Protection: Device > Setup > Content-ID > Manage Data Protection

Jumbo Frames: Device > Setup > Session > Session Settings > Enable Jumbo Frame

Forward Proxy Server Certificate Settings: Device > Setup > Session > Decryption Settings > SSL Forward Proxy Settings

HSM Configuration: Device > Setup > HSM

Log Export Settings: Device > Scheduled Log Export


Software Updates: With software updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer. (Device > Software)

GlobalProtect Agent Package: With GlobalProtect client updates, you can either download and install them separately on each firewall, or download them to one peer and sync the update to the other peer. You must activate separately on each peer. (Device > GlobalProtect Client)

Content Updates: With content updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer. (Device > Dynamic Updates)

Licenses/Subscriptions: Device > Licenses

Support Subscription: Device > Support

Ethernet Interface IP Addresses: All Ethernet interface configuration settings sync except for the IP address (Network > Interface > Ethernet).

Loopback Interface IP Addresses: All Loopback interface configuration settings sync except for the IP address (Network > Interface > Loopback).

Tunnel Interface IP Addresses: All Tunnel interface configuration settings sync except for the IP address (Network > Interface > Tunnel).

LACP System Priority: Each peer must have a unique LACP System ID in an active/active deployment (Network > Interface > Ethernet > Add Aggregate Group > System Priority).

VLAN Interface IP Address: All VLAN interface configuration settings sync except for the IP address (Network > Interface > VLAN).

Virtual Routers: Virtual router configuration synchronizes only if you have enabled VR Sync (Device > High Availability > Active/Active Config > Packet Forwarding). Whether or not to do this depends on your network design, including whether you have asymmetric routing.

IPSec Tunnels: IPSec tunnel configuration synchronization is dependent on whether you have configured the Virtual Addresses to use Floating IP addresses (Device > High Availability > Active/Active Config > Virtual Address). If you have configured a floating IP address, these settings sync automatically. Otherwise, you must configure these settings independently on each peer.

GlobalProtect Portal Configuration: GlobalProtect portal configuration synchronization is dependent on whether you have configured the Virtual Addresses to use Floating IP addresses (Network > GlobalProtect > Portals). If you have configured a floating IP address, the GlobalProtect portal configuration settings sync automatically. Otherwise, you must configure the portal settings independently on each peer.

GlobalProtect Gateway Configuration: GlobalProtect gateway configuration synchronization is dependent on whether you have configured the Virtual Addresses to use Floating IP addresses (Network > GlobalProtect > Gateways). If you have configured a floating IP address, the GlobalProtect gateway configuration settings sync automatically. Otherwise, you must configure the gateway settings independently on each peer.


QoS: QoS configuration synchronizes only if you have enabled QoS Sync (Device > High Availability > Active/Active Config > Packet Forwarding). You might choose not to sync QoS settings if, for example, you have different bandwidth on each link or different latency through your service providers.

LLDP: No LLDP state or individual firewall data is synchronized in an active/active configuration (Network > Network Profiles > LLDP).

BFD: No BFD configuration or BFD session data is synchronized in an active/active configuration (Network > Network Profiles > BFD Profile).

IKE Gateways: IKE gateway configuration synchronization is dependent on whether you have configured the Virtual Addresses to use floating IP addresses (Network > IKE Gateways). If you have configured a floating IP address, the IKE gateway configuration settings sync automatically. Otherwise, you must configure the IKE gateway settings independently on each peer.

Master Key: The master key must be identical on each firewall in the HA pair, but you must manually enter it on each firewall (Device > Master Key and Diagnostics). Before changing the master key, you must disable config sync on both peers (Device > High Availability > General > Setup, and clear the Enable Config Sync check box) and then re-enable it after you change the keys.

Reports, logs, and Dashboard Settings: Log data, reports, and dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.

HA settings: Device > High Availability (The exception is Device > High Availability > Active/Active Configuration > Virtual Addresses, which do sync.)
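Both tables above (the active/passive list and the active/active list) are settings an operator has to keep in step by hand, and a peer that drifts on one of them (Panorama servers, multi-vsys, jumbo frames, SNMP) changes the firewall's posture the moment it takes over. The drift check below is an added example and not code from the guide or from Palo Alto Networks; it compares two saved running configurations as XML text. Every XPath in CHECKS is an assumption drawn from the PAN-OS 7.x config layout and must be verified against `show config running` on your own firewalls; the sample configs are constructed.

```python
"""Drift check for HA-pair settings that PAN-OS does not synchronize.

Added example (not from the PAN-OS guide). It compares two saved running
configurations, one per peer, as XML text. The XPaths below are ASSUMED
from the PAN-OS 7.x config layout; verify each against `show config running`
on your own firewalls before relying on it.
"""
import xml.etree.ElementTree as ET

# Path prefix shared by device-level settings in an exported config (assumed).
_DEV = "./devices/entry[@name='localhost.localdomain']/deviceconfig"

# Non-synced items from the HA reference tables and where they live (assumed
# XPaths, relative to <config>). `must_match` says whether the peers should
# agree: management identity must differ, everything else should be identical
# or a failover changes the firewall's security posture (Panorama control,
# vsys isolation, jumbo-frame handling, SNMP exposure).
CHECKS = {
    "hostname":           (_DEV + "/system/hostname", False),
    "mgmt ip-address":    (_DEV + "/system/ip-address", False),
    "panorama-server":    (_DEV + "/system/panorama-server", True),
    "multi-vsys":         (_DEV + "/system/multi-vsys", True),
    "jumbo-frame mtu":    (_DEV + "/setting/jumbo-frame/mtu", True),
    "snmp v2c community": (_DEV + "/system/snmp-setting/access-setting/version/v2c/snmp-community-string", True),
}

def _value(root, xpath):
    node = root.find(xpath)
    return None if node is None else (node.text or "").strip()

def ha_drift(peer_a_xml, peer_b_xml):
    """Return {item: (a_value, b_value, status)}.

    status: "ok"                   values agree where they must, differ where they must
            "MISMATCH"             a must-match item differs (or is set on one peer only)
            "SAME-BUT-MUST-DIFFER" hostname / mgmt IP identical on both peers
    The master key is not stored in the config, so it cannot be checked this way.
    """
    a, b = ET.fromstring(peer_a_xml), ET.fromstring(peer_b_xml)
    report = {}
    for item, (xpath, must_match) in CHECKS.items():
        va, vb = _value(a, xpath), _value(b, xpath)
        if must_match:
            status = "ok" if va == vb else "MISMATCH"
        else:
            status = "SAME-BUT-MUST-DIFFER" if va == vb else "ok"
        report[item] = (va, vb, status)
    return report

# Constructed sample configs, trimmed to the elements the checks read.
PEER_A = """<config><devices><entry name="localhost.localdomain"><deviceconfig>
  <system><hostname>fw-a</hostname><ip-address>10.0.0.11</ip-address>
    <panorama-server>10.0.0.5</panorama-server><multi-vsys>on</multi-vsys>
    <snmp-setting><access-setting><version><v2c>
      <snmp-community-string>public</snmp-community-string>
    </v2c></version></access-setting></snmp-setting>
  </system>
  <setting><jumbo-frame><mtu>9192</mtu></jumbo-frame></setting>
</deviceconfig></entry></devices></config>"""

PEER_B = """<config><devices><entry name="localhost.localdomain"><deviceconfig>
  <system><hostname>fw-a</hostname><ip-address>10.0.0.12</ip-address>
    <panorama-server>10.0.0.5</panorama-server><multi-vsys>off</multi-vsys>
  </system>
</deviceconfig></entry></devices></config>"""

if __name__ == "__main__":
    for item, (va, vb, status) in ha_drift(PEER_A, PEER_B).items():
        print(f"{item:20} A={va!s:12} B={vb!s:12} {status}")
```

Run it after every commit on either peer, or from Panorama's scheduled config exports. A "MISMATCH" on a must-match row is the finding; a "SAME-BUT-MUST-DIFFER" on hostname or management IP usually means a config was copied wholesale from one peer to the other.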

Synchronization of System Runtime Information

Runtime Information                     Synced A/P   Synced A/A   HA Link   Details
----------------------------------------------------------------------------------

Management Plane
User to Group Mappings                  Yes          Yes          HA1
DHCP Lease (as server)                  Yes          Yes          HA1
DNS Cache                               No           No           N/A
FQDN Refresh                            No           No           N/A
IKE Keys (phase 2)                      Yes          Yes          HA1
BrightCloud URL Database                No           No           N/A
BrightCloud URL Cache                   No           No           N/A       This feature is disabled by default and must be enabled separately on each HA peer.


BrightCloud Bloom Filter                No           No           N/A       This feature is disabled by default and must be enabled separately on each HA peer.
PAN-DB URL Cache                        Yes          No           HA1       This is synchronized upon database backup to disk (every eight hours, when the URL database version updates), or when the firewall reboots.
Content (manual sync)                   Yes          Yes          HA1
PPPoE, PPPoE Lease                      Yes          Yes          HA1
DHCP Client Settings and Lease          Yes          Yes          HA1
SSL VPN Logged in User List             Yes          Yes          HA1
Forward Information Base (FIB)          Yes          Yes          HA1

Dataplane
Session Table                           Yes          Yes          HA2       Active/passive peers do not sync ICMP or host session information. Active/active peers do not sync host session, multicast session, or BFD session information.
ARP Table                               Yes          No           HA2       Upon upgrade to PAN-OS 7.1, the ARP table capacity automatically increases. To avoid a mismatch, upgrade both peers within a short period of time. As a best practice, clear the ARP cache (clear arp) on both peers prior to upgrading to PAN-OS 7.1.
Neighbor Discovery (ND) Table           Yes          No           HA2
MAC Table                               Yes          No           HA2
IPSec Sequence Number (anti-replay)     Yes          Yes          HA2
DoS Protection                          Yes          Yes          HA2
User to IP Address Mappings             Yes          Yes          HA2
Virtual MAC                             Yes          Yes          HA2



Monitoring

In order to forestall potential issues, and accelerate incident response when needed, the firewall provides intelligence on traffic and user patterns and customizable and informative reports. The dashboard, Application Command Center (ACC), reports, and logs on the firewall allow you to monitor activity on your network. You can monitor the logs and filter the information to generate reports with predefined or customized views. You can, for example, use the predefined templates to generate reports on user activities, or analyze the reports and logs to interpret unusual behavior on your network and generate a custom report on the traffic pattern. For a visually engaging presentation of network activity, the dashboard and the ACC include widgets, charts, and tables that you can interact with to find information that you care about. In addition, you can configure the firewall to forward monitored information as email notifications, syslog messages, SNMP traps, and NetFlow records to external services.

  Use the Dashboard
  Use the Application Command Center
  App Scope
  Use the Automated Correlation Engine
  Take Packet Captures
  Monitor Applications and Threats
  Monitor and Manage Logs
  Manage Reporting
  Use External Services for Monitoring
  Configure Log Forwarding
  Configure Email Alerts
  Use Syslog for Monitoring
  SNMP Monitoring and Traps
  NetFlow Monitoring


Use the Dashboard

The Dashboard tab widgets show general firewall information, such as the software version, the operational status of each interface, resource utilization, and up to 10 of the most recent entries in the threat, configuration, and system logs. All of the available widgets are displayed by default, but each administrator can remove and add individual widgets, as needed. Click the refresh icon to update the dashboard or an individual widget. To change the automatic refresh interval, select an interval from the drop-down (1 min, 2 mins, 5 mins, or Manual). To add a widget to the dashboard, click the widget drop-down, select a category and then the widget name. To delete a widget, click the icon in the title bar. The following table describes the dashboard widgets.

Dashboard Charts: Descriptions

Top Applications: Displays the applications with the most sessions. The block size indicates the relative number of sessions (mouse over the block to view the number), and the color indicates the security risk from green (lowest) to red (highest). Click an application to view its application profile.

Top High Risk Applications: Similar to Top Applications, except that it displays the highest-risk applications with the most sessions.

General Information: Displays the firewall name, model, PAN-OS software version, the application, threat, and URL filtering definition versions, the current date and time, and the length of time since the last restart.

Interface Status: Indicates whether each interface is up (green), down (red), or in an unknown state (gray).

Threat Logs: Displays the threat ID, application, and date and time for the last 10 entries in the Threat log. The threat ID is a malware description or a URL that violates the URL filtering profile.

Config Logs: Displays the administrator username, client (Web or CLI), and date and time for the last 10 entries in the Configuration log.

Data Filtering Logs: Displays the description and date and time for the last 60 minutes in the Data Filtering log.

URL Filtering Logs: Displays the description and date and time for the last 60 minutes in the URL Filtering log.

System Logs: Displays the description and date and time for the last 10 entries in the System log. A "Config installed" entry indicates configuration changes were committed successfully.

System Resources: Displays the Management CPU usage, Data Plane usage, and the Session Count, which displays the number of sessions established through the firewall.

Logged In Admins: Displays the source IP address, session type (Web or CLI), and session start time for each administrator who is currently logged in.

ACC Risk Factor: Displays the average risk factor (1 to 5) for the network traffic processed over the past week. Higher values indicate higher risk.

High Availability: If high availability (HA) is enabled, indicates the HA status of the local and peer firewall: green (active), yellow (passive), or black (other). For more information about HA, see High Availability.

Locks: Shows configuration locks taken by administrators.


Use the Application Command Center

The Application Command Center (ACC) is an interactive, graphical summary of the applications, users, URLs, threats, and content traversing your network. The ACC uses the firewall logs to provide visibility into traffic patterns and actionable information on threats. The ACC layout includes a tabbed view of network activity, threat activity, and blocked activity, and each tab includes pertinent widgets for better visualization of network traffic. The graphical representation allows you to interact with the data and visualize the relationships between events on the network, so that you can uncover anomalies or find ways to enhance your network security rules. For a personalized view of your network, you can also add a custom tab and include widgets that allow you to drill down into the information that is most important to you.

  ACC First Look
  ACC Tabs
  ACC Widgets (Widget Descriptions)
  ACC Filters
  Interact with the ACC
  Use Case: ACC Path of Information Discovery


ACC First Look

Take a quick tour of the ACC.

Tabs: The ACC includes three predefined tabs that provide visibility into network traffic, threat activity, and blocked activity. For information on each tab, see ACC Tabs.

Widgets: Each tab includes a default set of widgets that best represent the events/trends associated with the tab. The widgets allow you to survey the data using the following filters:
  - bytes (in and out)
  - sessions
  - content (files and data)
  - URL categories
  - threats (and count)
  For information on each widget, see ACC Widgets.


Time: The charts or graphs in each widget provide a summary and historic view. You can choose a custom range or use the predefined time periods that range from the last 15 minutes up to the last 30 days or last 30 calendar days. The selected time period applies across all tabs in the ACC. The time period used to render data, by default, is the Last Hour, updated in 15-minute intervals. The date and time interval are displayed on screen; for example, at 11:40 the time range is 01/12 10:30:00 to 01/12 11:29:59.

Global Filters: The Global Filters allow you to set the filter across all widgets and all tabs. The charts/graphs apply the selected filters before rendering the data. For information on using the filters, see ACC Filters.

Risk Factor: The risk factor (1 = lowest to 5 = highest) indicates the relative risk based on the applications used on your network. The risk factor uses a variety of factors to assess the associated risk levels, such as whether the application can share files, is prone to misuse, or tries to evade firewalls. It also factors in the threat activity and malware as seen through the number of blocked threats, compromised hosts, or traffic to malware hosts/domains.

Source: The data segment used for the display. The options vary on the firewall and on Panorama. On the firewall, if enabled for multiple virtual systems, you can use the Virtual System drop-down to change the ACC display to include all virtual systems or just a selected virtual system. On Panorama, you can select the Device Group drop-down to change the ACC display to include all device groups or just a selected device group. Additionally, on Panorama, you can change the Data Source to Panorama data or Remote Device Data. Remote Device Data is only available when all the managed firewalls are on PAN-OS 7.0.0 or later. When you filter the display for a specific device group, Panorama data is used as the data source.

Export: You can export the widgets displayed in the currently selected tab as a PDF. The PDF is downloaded and saved to the downloads folder associated with your web browser, on your computer.

ACC Tabs

The ACC includes the following predefined tabs for viewing network activity, threat activity, and blocked activity.

Tab: Description

Network Activity: Displays an overview of traffic and user activity on your network, including:
  - Top applications in use
  - Top users who generate traffic (with a drill-down into the bytes, content, threats, or URLs accessed by the user)
  - Most used security rules against which traffic matches occur
  In addition, you can also view network activity by source or destination zone, region, or IP address, ingress or egress interfaces, and GlobalProtect host information such as the operating systems of the devices most commonly used on the network.


Threat Activity: Displays an overview of the threats on the network, focusing on the top threats: vulnerabilities, spyware, viruses, hosts visiting malicious domains or URLs, top WildFire submissions by file type and application, and applications that use non-standard ports. The Compromised Hosts widget in this tab (the widget is supported on some platforms only) supplements detection with better visualization techniques; it uses the information from the correlated events tab (Automated Correlation Engine > Correlated Events) to present an aggregated view of compromised hosts on your network by source users/IP addresses, sorted by severity.

Blocked Activity: Focuses on traffic that was prevented from coming into the network. The widgets in this tab allow you to view activity denied by application name, user name, threat name, and blocked content (files and data that were blocked by a file blocking profile). It also lists the top security rules that were matched on to block threats, content, and URLs.

You can also Interact with the ACC to create customized tabs with a custom layout and widgets that meet your network monitoring needs.

ACC Widgets

The widgets on each tab are interactive; you can set the ACC Filters and drill down into the details for each table or graph, or customize the widgets included in the tab to focus on the information you need. For details on what each widget displays, see Widget Descriptions.


Widgets

View: You can sort the data by bytes, sessions, threats, count, content, URLs, malicious, benign, files, data, profiles, objects. The available options vary by widget.

Graph: The graphical display options are treemap, line graph, horizontal bar graph, stacked area graph, stacked bar graph, and map. The available options vary by widget; the interaction experience also varies with each graph type. For example, the widget for Applications using Non Standard Ports allows you to choose between a treemap and a line graph. To drill down into the display, click into the graph. The area you click into becomes a filter and allows you to zoom in to the selection and view more granular information on the selection.

Table: The detailed view of the data used to render the graph is provided in a table below the graph. You can interact with the table in several ways:
  - Click and set a local filter for an attribute in the table. The graph is updated and the table is sorted using the local filter. The information displayed in the graph and the table are always synchronized.
  - Hover over the attribute in the table and use the options available in the drop-down.

Actions:
  - Maximize view: Allows you to enlarge the widget and view the table in a larger screen space and with more viewable information.
  - Set up local filters: Allows you to add ACC Filters to refine the display within the widget. Use these filters to customize the widgets; these customizations are retained between logins.
  - Jump to logs: Allows you to directly navigate to the logs (Monitor > Logs > Log type tab). The logs are filtered using the time period for which the graph is rendered. If you have set local and global filters, the log query concatenates the time period and the filters and only displays logs that match the combined filter set.
  - Export: Allows you to export the graph as a PDF. The PDF is downloaded and saved on your computer. It is saved in the Downloads folder associated with your web browser.
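The window rule described under Time in ACC First Look (Last Hour, advanced in 15-minute steps, so that at 11:40 the range is 10:30:00 to 11:29:59) and the concatenation that Jump to logs performs are easy to get wrong when you reproduce an ACC view from a script. The following is an added example, not code from the guide or from Palo Alto Networks. It builds the same window and a Monitor > Logs query string from it; the field names in the sample call (user.src, app) stand in for whatever your global and widget filters carried, and the firewall's log filter syntax (receive_time geq/leq, field eq/neq 'value') is the syntax assumed here.

```python
"""ACC default time window and the "Jump to logs" query it produces.

Added example (not from the PAN-OS guide). acc_window() reproduces the rule
described under "Time" (Last Hour, advanced in 15-minute steps); the filter
builder emits Monitor > Logs query syntax. The field names in the sample call
(user.src, app) are placeholders for whatever the global and widget filters
carried.
"""
from datetime import datetime, timedelta

def acc_window(now, hours=1, step_minutes=15):
    """Window for the default ACC view: the last `hours` ending at the latest
    `step_minutes` boundary at or before `now`. At 11:40 the guide shows
    01/12 10:30:00 to 01/12 11:29:59."""
    boundary = now.replace(second=0, microsecond=0)
    boundary -= timedelta(minutes=boundary.minute % step_minutes)
    return boundary - timedelta(hours=hours), boundary - timedelta(seconds=1)

def _term(field, op, value):
    # Values are single-quoted in the log query; refuse anything that could
    # terminate the quote and splice extra conditions into the query.
    value = str(value)
    if "'" in value or "\n" in value:
        raise ValueError(f"unsafe filter value for {field}: {value!r}")
    return f"({field} {op} '{value}')"

def jump_to_logs_filter(start, end, global_filters=(), widget_filters=(), negated=()):
    """Concatenate the time window with the global and widget (local) filters,
    as the Jump to logs action does. Filters are (field, value) pairs; pairs
    listed in `negated` are emitted with 'neq' (a negated widget filter)."""
    fmt = "%Y/%m/%d %H:%M:%S"
    terms = [_term("receive_time", "geq", start.strftime(fmt)),
             _term("receive_time", "leq", end.strftime(fmt))]
    for pair in list(global_filters) + list(widget_filters):
        field, value = pair
        terms.append(_term(field, "neq" if pair in negated else "eq", value))
    return " and ".join(terms)

if __name__ == "__main__":
    start, end = acc_window(datetime(2016, 1, 12, 11, 40))
    print(jump_to_logs_filter(start, end, [("user.src", "alice")], [("app", "dns")]))
```

The quote check in `_term` matters when filter values come from outside the firewall UI (a ticket, a SIEM pivot): a value containing a single quote would otherwise close the term early and let the caller append conditions of their own to the query.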

Widget Descriptions

Each tab on the ACC includes a different set of widgets.

Widget: Description

Network Activity: Displays an overview of traffic and user activity on your network.


Application Usage: The table displays the top ten applications used on your network; all the remaining applications used on the network are aggregated and displayed as "other". The graph displays all applications by application category, subcategory, and application. Use this widget to scan for applications being used on the network; it informs you about the predominant applications using bandwidth, session count, file transfers, triggering the most threats, and accessing URLs.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: treemap, area, column, line (the charts vary by the sort-by attribute selected)

User Activity: Displays the top ten most active users on the network who have generated the largest volume of traffic and consumed network resources to obtain content. Use this widget to monitor top users on usage sorted on bytes, sessions, threats, content (files and patterns), and URLs visited.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: area, column, line (the charts vary by the sort-by attribute selected)

Source IP Activity: Displays the top ten IP addresses or hostnames of the devices that have initiated activity on the network. All other devices are aggregated and displayed as "other".
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: area, column, line (the charts vary by the sort-by attribute selected)

Destination IP Activity: Displays the IP addresses or hostnames of the top ten destinations that were accessed by users on the network.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: area, column, line (the charts vary by the sort-by attribute selected)

Source Regions: Displays the top ten regions (built-in or custom-defined regions) around the world from where users initiated activity on your network.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: map, bar

Destination Regions: Displays the top ten destination regions (built-in or custom-defined regions) on the world map from where content is being accessed by users on the network.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: map, bar

GlobalProtect Host Information: Displays information on the state of the hosts on which the GlobalProtect agent is running; the host system is a GlobalProtect client. This information is sourced from entries in the HIP Match log that are generated when the data submitted by the GlobalProtect agent matches a HIP object or a HIP profile you have defined on the firewall. If you do not have HIP Match logs, this widget is blank. To learn how to create HIP objects and HIP profiles and use them as policy match criteria, see Configure HIP-Based Policy Enforcement.
  Sort attributes: profiles, objects, operating systems
  Charts available: bar

Rule Usage: Displays the top ten rules that have allowed the most traffic on the network. Use this widget to view the most commonly used rules, monitor the usage patterns, and assess whether the rules are effective in securing your network.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: line


Ingress Interfaces: Displays the firewall interfaces that are most used for allowing traffic into the network.
  Sort attributes: bytes, bytes sent, bytes received
  Charts available: line

Egress Interfaces: Displays the firewall interfaces that are most used by traffic exiting the network.
  Sort attributes: bytes, bytes sent, bytes received
  Charts available: line

Source Zones: Displays the zones that are most used for allowing traffic into the network.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: line

Destination Zones: Displays the zones that are most used by traffic going outside the network.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: line

Threat Activity: Displays an overview of the threats on the network.

Compromised Hosts: Displays the hosts that are likely compromised on your network. This widget summarizes the events from the correlation logs. For each source user/IP address, it includes the correlation object that triggered the match and the match count, which is aggregated from the match evidence collated in the correlated events logs. For details see Use the Automated Correlation Engine. Available on the PA-3000 Series, PA-5000 Series, PA-7000 Series, and Panorama.
  Sort attributes: severity (by default)

Hosts Visiting Malicious URLs: Displays the frequency with which hosts (IP address/hostnames) on your network have accessed malicious URLs. These URLs are known to be malware based on categorization in PAN-DB.
  Sort attributes: count
  Charts available: line

Hosts Resolving Malicious Domains: Displays the top hosts matching DNS signatures; hosts on the network that are attempting to resolve the hostname or domain of a malicious URL. This information is gathered from an analysis of the DNS activity on your network. It utilizes passive DNS monitoring, DNS traffic generated on the network, activity seen in the sandbox if you have configured DNS sinkhole on the firewall, and DNS reports on malicious DNS sources that are available to Palo Alto Networks customers.
  Sort attributes: count
  Charts available: line

Threat Activity: Displays the threats seen on your network. This information is based on signature matches in Antivirus, Anti-Spyware, and Vulnerability Protection profiles and viruses reported by WildFire.
  Sort attributes: threats
  Charts available: bar, area, column

WildFire Activity by Application: Displays the applications that generated the most WildFire submissions. This widget uses the malicious and benign verdict from the WildFire Submissions log.
  Sort attributes: malicious, benign
  Charts available: bar, line


WildFire Activity by File Type: Displays the threat vector by file type. This widget displays the file types that generated the most WildFire submissions and uses the malicious and benign verdict from the WildFire Submissions log. If this data is unavailable, the widget is empty.
  Sort attributes: malicious, benign
  Charts available: bar, line

Applications using Non Standard Ports: Displays the applications that are entering your network on non-standard ports. If you have migrated your firewall rules from a port-based firewall, use this information to craft policy rules that allow traffic only on the default port for the application. Where needed, make an exception to allow traffic on a non-standard port or create a custom application.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: treemap, line

Rules Allowing Applications On Non Standard Ports: Displays the security policy rules that allow applications on non-default ports. The graph displays all the rules, while the table displays the top ten rules and aggregates the data from the remaining rules as "other". This information helps you identify gaps in network security by allowing you to assess whether an application is hopping ports or sneaking into your network. For example, you can validate whether you have a rule that allows traffic on any port except the default port for the application. Say, for example, you have a rule that allows DNS traffic on its application-default port (port 53 is the standard port for DNS). This widget will display any rule that allows DNS traffic into your network on any port except port 53.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: treemap, line

Blocked Activity: Focuses on traffic that was prevented from coming into the network.

Blocked Application Activity: Displays the applications that were denied on your network, and allows you to view the threats, content, and URLs that you kept out of your network.
  Sort attributes: threats, content, URLs
  Charts available: treemap, area, column

Blocked User Activity: Displays user requests that were blocked by a match on an Antivirus, Anti-Spyware, File Blocking, or URL Filtering profile attached to security policy.
  Sort attributes: threats, content, URLs
  Charts available: bar, area, column

Blocked Threats: Displays the threats that were successfully denied on your network. These threats were matched on antivirus signatures, vulnerability signatures, and DNS signatures available through the dynamic content updates on the firewall.
  Sort attributes: threats
  Charts available: bar, area, column

Blocked Content: Displays the files and data that were blocked from entering the network. The content was blocked because security policy denied access based on criteria defined in a File Blocking security profile or a Data Filtering security profile.
  Sort attributes: files, data
  Charts available: bar, area, column


Security Policies Blocking Activity: Displays the security policy rules that blocked or restricted traffic into your network. Because this widget displays the threats, content, and URLs that were denied access into your network, you can use it to assess the effectiveness of your policy rules. This widget does not display traffic that was blocked because of deny rules that you have defined in policy.
  Sort attributes: threats, content, URLs
  Charts available: bar, area, column
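The two Threat Activity widgets above that deal with non-standard ports (Applications using Non Standard Ports, and Rules Allowing Applications On Non Standard Ports) reduce to one question per allowed session: is this application on a port App-ID considers its default, and if not, which rule let it through? The script below is an added example, not code from the guide or from Palo Alto Networks, that answers that question over constructed traffic-log rows and renders the same top-ten-plus-"other" table the widgets show. DEFAULT_PORTS is an assumed, abbreviated stand-in for App-ID's per-application default ports; the log rows are constructed.

```python
"""Applications on non-standard ports, and the rules that let them through.

Added example (not from the PAN-OS guide). It re-creates, over constructed
traffic-log rows, what the "Applications using Non Standard Ports" and
"Rules Allowing Applications On Non Standard Ports" widgets summarize.
DEFAULT_PORTS is an assumed, abbreviated stand-in for App-ID's per-application
default ports; only apps present in it can be judged.
"""
from collections import Counter, defaultdict

# Assumed default (protocol, port) pairs for the sample's applications.
DEFAULT_PORTS = {
    "dns": {("udp", 53), ("tcp", 53)},
    "ssl": {("tcp", 443)},
    "web-browsing": {("tcp", 80)},
    "ssh": {("tcp", 22)},
}

# Constructed traffic-log rows: (app, proto, dport, rule, action, bytes).
SAMPLE_TRAFFIC = [
    ("dns", "udp", 53, "allow-dns", "allow", 120),
    ("dns", "tcp", 5353, "allow-any-internal", "allow", 4096),     # DNS off-port
    ("ssh", "tcp", 2222, "allow-any-internal", "allow", 90000),    # SSH off-port
    ("ssl", "tcp", 443, "allow-web", "allow", 1500000),
    ("web-browsing", "tcp", 8080, "allow-web", "allow", 32000),    # HTTP off-port
    ("ssh", "tcp", 2222, "deny-all", "deny", 0),                   # already blocked
]

def is_non_standard(app, proto, dport):
    """True when the app's default ports are known and this one is not among them."""
    defaults = DEFAULT_PORTS.get(app)
    return defaults is not None and (proto, dport) not in defaults

def apps_on_non_standard_ports(rows, sort_by="sessions"):
    """Counter of allowed off-port traffic per application, by sessions or bytes."""
    counts = Counter()
    for app, proto, dport, _rule, action, nbytes in rows:
        if action == "allow" and is_non_standard(app, proto, dport):
            counts[app] += nbytes if sort_by == "bytes" else 1
    return counts

def rules_allowing_non_standard(rows):
    """{rule: {app: sessions}} for allowed off-port traffic: these are the rules
    to tighten to application-default ports, as the widget description advises."""
    by_rule = defaultdict(Counter)
    for app, proto, dport, rule, action, _nbytes in rows:
        if action == "allow" and is_non_standard(app, proto, dport):
            by_rule[rule][app] += 1
    return {rule: dict(apps) for rule, apps in by_rule.items()}

def top_n_with_other(counter, n=10):
    """Top-n entries plus an aggregated 'other' row, as the ACC table shows."""
    ranked = counter.most_common()
    top, rest = ranked[:n], ranked[n:]
    if rest:
        top.append(("other", sum(v for _, v in rest)))
    return top

if __name__ == "__main__":
    print(top_n_with_other(apps_on_non_standard_ports(SAMPLE_TRAFFIC, "bytes")))
    print(rules_allowing_non_standard(SAMPLE_TRAFFIC))
```

Denied sessions are deliberately excluded: the widgets describe traffic that entered the network, and a rule that already blocks ssh on 2222 is not a gap. In the sample the finding is "allow-any-internal", which let both dns/5353 and ssh/2222 through; the fix the guide recommends is to restrict that rule's service to application-default and add an explicit exception or custom application only where the off-port use is legitimate.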

ACC Filters

The graphs and tables on the ACC widgets allow you to use filters to narrow the scope of data that is displayed, so that you can isolate specific attributes and analyze information you want to view in greater detail. The ACC supports the simultaneous use of widget and global filters.

  - Widget Filters: Apply a widget filter, which is a filter that is local to a specific widget. A widget filter allows you to interact with the graph and customize the display so that you can drill down into the details and access the information you want to monitor on a specific widget. To create a widget filter that is persistent across reboots, you must use the Set Local Filter option.

  - Global filters: Apply global filters across all the tabs in the ACC. A global filter allows you to pivot the display around the details you care about right now and exclude the unrelated information from the current display. For example, to view all events relating to a specific user and application, you can apply the username and the application as a global filter and view only information pertaining to the user and the application through all the tabs and widgets on the ACC. Global filters are not persistent.


You can apply global filters in three ways:
  - Set a global filter from a table: Select an attribute from a table in any widget and apply the attribute as a global filter.
  - Add a widget filter to a global filter: Hover over the attribute and click the arrow icon to the right of the attribute. This option allows you to elevate a local filter used in a widget, and apply the attribute globally to update the display across all the tabs on the ACC.
  - Define a global filter: Define a filter using the Global Filters pane on the ACC.
See Interact with the ACC for details on using these filters.

Interact with the ACC

To customize and refine the ACC display, you can add and delete tabs, add and delete widgets, set local and global filters, and interact with the widgets.

Work with the Tabs and Widgets

Add a tab.
  1. Select the icon along the list of tabs.
  2. Add a View Name. This name will be used as the name for the tab. You can add up to five tabs.

Edit a tab.
  Select the tab, and click the pencil icon next to the tab name, to edit the tab.
  Editing a tab allows you to add, delete, or reset the widgets that are displayed in the tab. You can also change the widget layout in the tab.

See what widgets are included in a tab.
  1. Select the tab, and click on the pencil icon to edit it.
  2. Select the Add Widget drop-down and verify the widgets that have the check boxes selected.


Add a widget or a widget group.
  1. Add a new tab or edit a predefined tab.
  2. Select Add Widget, and then select the check box that corresponds to the widget you want to add. You can select up to a maximum of 12 widgets.
  3. (Optional) To create a 2-column layout, select Add Widget Group. You can drag and drop widgets into the 2-column display. As you drag the widget into the layout, a placeholder will display for you to drop the widget. You cannot name a widget group.

Delete a tab or a widget group/widget.
  1. To delete a custom tab, select the tab and click the X icon. You cannot delete a predefined tab.
  2. To delete a widget group/widget, edit the tab and, in the workspace section, click the [X] icon on the right. You cannot undo a deletion.

Reset the default widgets in a tab.
  On a predefined tab, such as the Blocked Activity tab, you can delete one or more widgets. If you want to reset the layout to include the default set of widgets for the tab, edit the tab and click Reset View.

Zoom in on the details in an area, column, or line graph.
  Click and drag an area in the graph to zoom in. For example, when you zoom in to a line graph, it triggers a re-query and the firewall fetches the data for the selected time period. It is not a mere magnification.

Use the table drop-down to find more information on an attribute.
  1. Hover over an attribute in a table to see the drop-down.
  2. Click into the drop-down to view the available options.
     - Global Find: Use Global Find to search the firewall or Panorama management server for references to the attribute (username/IP address, object name, policy rule name, threat ID, or application name) anywhere in the candidate configuration.
     - Value: Displays the details of the threat ID, application name, or address object.
     - Who Is: Performs a domain name (WHOIS) lookup for the IP address. The lookup queries databases that store the registered users or assignees of an Internet resource.
     - Search HIP Report: Uses the username or IP address to find matches in a HIP Match report.

Set a widget filter.
  1. Select a widget and click the icon that opens the Setup Local Filters dialog.
  2. Click the icon to add the filters you want to apply.
  3. Click Apply. These filters are persistent across reboots.
  You can also click an attribute in the table (below the graph) to apply it as a widget filter. The active widget filters are indicated next to the widget name.


Negate a widget filter.
1. Click the icon to display the Setup Local Filters dialog.
2. Add a filter, and then click the negate icon.

Set a global filter from a table.
Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute.

Set a global filter using the Global Filters pane.
1. Locate the Global Filters pane on the left side of the ACC.
2. Click the icon to view the list of filters you can apply.

Promote a widget filter to a global filter.
1. On any table in a widget, click the link for an attribute. This sets the attribute as a widget filter.
2. To promote the filter to be a global filter, select the arrow to the right of the filter.

Remove a filter.
Click the icon to remove a filter.
For global filters: It is located in the Global Filters pane.
For widget filters: Click the icon to display the Setup Local Filters dialog, then select the filter, and click the icon.

Clear all filters.
For global filters: Click the Clear All button under Global Filters.
For widget filters: Select a widget and click the icon. Then click the Clear All button in the Setup Local Filters dialog.


See what filters are in use.
For global filters: The number of global filters applied is displayed on the left pane under Global Filters.
For widget filters: The number of widget filters applied on a widget is displayed next to the widget name. To view the filters, click the icon.

Reset the display on a widget.
If you set a widget filter or drill into a graph, click the Home link to reset the display in the widget.

Use Case: ACC Path of Information Discovery

The ACC has a wealth of information that you can use as a starting point for analyzing network traffic. Let's look at an example of using the ACC to uncover events of interest. This example illustrates how you can use the ACC to ensure that legitimate users can be held accountable for their actions, detect and track unauthorized activity, and detect and diagnose compromised hosts and vulnerable systems on your network. The widgets and filters in the ACC give you the capability to analyze the data and filter the views based on events of interest or concern. You can trace events that pique your interest, directly export a PDF of a tab, access the raw logs, and save a personalized view of the activity that you want to track. These capabilities make it possible for you to monitor activity and develop policies and countermeasures for fortifying your network against malicious activity. In this section, you will interact with the ACC widgets across different tabs, drill down using widget filters, pivot the ACC views using global filters, and export a PDF for sharing with incident response or IT teams.
At first glance, you see the Application Usage and User Activity widgets in the ACC > Network Activity tab. The User Activity widget shows that user Marsha Wirth has transferred 718 Megabytes of data during the last hour. This volume is nearly six times more than any other user on the network. To see the trend over the past few hours, expand the Time period to the Last 6 Hrs, and now Marsha's activity has been 6.5 Gigabytes over 891 sessions and has triggered 38 threat signatures.


Because Marsha has transferred a large volume of data, apply her user name as a global filter (ACC Filters) and pivot all the views in the ACC to Marsha's traffic activity.

The Application Usage tab now shows that the top application that Marsha used was rapidshare, a Swiss-owned file hosting site that belongs to the file-sharing URL category. For further investigation, add rapidshare as a global filter, and view Marsha's activity in the context of rapidshare.

Consider whether you want to sanction rapidshare for company use. Should you allow uploads to this site and do you need a QoS policy to limit bandwidth?

To view which IP addresses Marsha has communicated with, check the Destination IP Activity widget, and view the data by bytes and by URLs.


To know which countries Marsha communicated with, sort on sessions in the Destination Regions widget.

From this data, you can confirm that Marsha, a user on your network, has established sessions in Korea and the European Union, and she logged 19 threats in her sessions within the United States.
To look at Marsha's activity from a threat perspective, remove the global filter for rapidshare. In the Threat Activity widget on the Threat Activity tab, view the threats. The widget displays that her activity had triggered a match for 26 vulnerabilities in the overflow, DoS and code execution threat category. Several of these vulnerabilities are of critical severity.


To further drill down into each vulnerability, click into the graph and narrow the scope of your investigation. Each click automatically applies a local filter on the widget.

To investigate each threat by name, you can create a global filter for, say, Microsoft Works File Converter Field Length Remote Code Execution Vulnerability. Then, view the User Activity widget in the Network Activity tab. The tab is automatically filtered to display threat activity for Marsha (notice the global filters in the screenshot).


Notice that this Microsoft code execution vulnerability was triggered over email, by the imap application. You can now establish that Marsha has IE vulnerabilities and email attachment vulnerabilities, and perhaps her computer needs to be patched. You can now either navigate to the Blocked Threats widget in the Blocked Activity tab to check how many of these vulnerabilities were blocked, or you can check the Rule Usage widget on the Network Activity tab to discover how many vulnerabilities made it into your network and which security rule allowed this traffic, and navigate directly to the security rule using the Global Find capability.

Then, drill into why imap used a non-standard port 43206 instead of port 143, which is the default port for the application. Consider modifying the security policy rule to allow applications to only use the default port for the application, or assess whether this port should be an exception on your network.
To review if any threats were logged over imap, check Marsha's activity in the WildFire Activity by Application widget in the Threat Activity tab. You can confirm that Marsha had no malicious activity, but to verify that no other user was compromised by the imap application, negate Marsha as a global filter and look for other users who triggered threats over imap.


Click into the bar for imap in the graph and drill into the inbound threats associated with the application. To find out who an IP address is registered to, hover over the attacker IP address and select the Who Is link in the drop-down.

Because the session count from this IP address is high, check the Blocked Content and Blocked Threats widgets in the Blocked Activity tab for events related to this IP address. The Blocked Activity tab allows you to validate whether or not your policy rules are effective in blocking content or threats when a host on your network is compromised.
Use the Export PDF capability on the ACC to export the current view (create a snapshot of the data) and send it to an incident response team. To view the threat logs directly from the widget, you can also click the icon to jump to the logs; the query is generated automatically and only the relevant logs are displayed on screen (for example in Monitor > Logs > Threat Logs).


You have now used the ACC to review network data/trends to find which applications or users are generating the most traffic, and how many applications are responsible for the threats seen on the network. You were able to identify which application(s) and user(s) generated the traffic, determine whether the application was on the default port and which policy rule(s) allowed the traffic into the network, and determine whether the threat is spreading laterally on the network. You also identified the destination IP addresses and geolocations with which hosts on the network are communicating. Use the conclusions from your investigation to craft goal-oriented policies that can secure users and your network.
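The path of discovery walked through above, expressed as queries over session records so the reasoning behind each ACC pivot is visible. This is an added example and not code from the guide or from the firewall: the record layout, user names, byte counts and the DEFAULT_PORTS table are constructed for illustration (the firewall's real data lives in its traffic and threat logs, and the standard-port table is App-ID's, not this one). It goes slightly beyond the walkthrough by letting any attribute be negated, not only the user.

```python
"""Added example (not from the PAN-OS guide): the ACC use case as code over
constructed session records. Layout, names, byte counts and DEFAULT_PORTS
are illustrative assumptions."""
from collections import defaultdict

# Constructed session records: (user, app, dst_ip, dst_port, bytes, threat_hits)
SESSIONS = [
    ("marsha.wirth", "rapidshare",   "203.0.113.7",   443,   500_000_000,  0),
    ("marsha.wirth", "rapidshare",   "203.0.113.7",   443,   150_000_000,  0),
    ("marsha.wirth", "imap",         "198.51.100.20", 43206,  60_000_000, 26),
    ("marsha.wirth", "web-browsing", "192.0.2.9",     80,      8_000_000, 12),
    ("bob.lee",      "web-browsing", "192.0.2.10",    80,    100_000_000,  0),
    ("bob.lee",      "imap",         "198.51.100.20", 143,    20_000_000,  0),
    ("ann.kim",      "ssl",          "203.0.113.50",  443,    70_000_000,  0),
]
FIELD = {"user": 0, "app": 1, "dst_ip": 2, "dst_port": 3}

# Illustrative standard ports per application (assumption, not App-ID's table)
DEFAULT_PORTS = {"imap": {143, 993}, "web-browsing": {80}, "ssl": {443},
                 "rapidshare": {80, 443}}


def global_filter(sessions, negate=False, **attrs):
    """Keep sessions whose fields equal every given attribute (user=, app=, ...).
    With negate=True keep the sessions that do NOT match, like a negated ACC filter."""
    def hit(s):
        return all(s[FIELD[k]] == v for k, v in attrs.items())
    return [s for s in sessions if hit(s) != negate]


def bytes_by_user(sessions):
    """User Activity widget sorted by bytes, highest first."""
    totals = defaultdict(int)
    for s in sessions:
        totals[s[FIELD["user"]]] += s[4]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def top_talker_ratio(sessions):
    """Bytes of the top user divided by the runner-up's (None if fewer than two users)."""
    ranked = bytes_by_user(sessions)
    if len(ranked) < 2 or ranked[1][1] == 0:
        return None
    return ranked[0][1] / ranked[1][1]


def non_default_port_sessions(sessions):
    """Sessions where the identified application runs on a port outside its standard set."""
    return [s for s in sessions
            if s[1] in DEFAULT_PORTS and s[3] not in DEFAULT_PORTS[s[1]]]


def investigate(sessions, user):
    """Walk the guide's path for one user: pivot on the user, find the top
    application, look for non-standard ports, then negate the user to see
    whether anyone else was hit over the same application."""
    mine = global_filter(sessions, user=user)
    per_app = defaultdict(int)
    for s in mine:
        per_app[s[1]] += s[4]
    odd_ports = non_default_port_sessions(mine)
    others_hit = []
    if odd_ports:
        others = global_filter(sessions, negate=True, user=user)
        others_hit = [s for s in global_filter(others, app=odd_ports[0][1]) if s[5] > 0]
    return {
        "user": user,
        "bytes": sum(s[4] for s in mine),
        "threats": sum(s[5] for s in mine),
        "top_app": max(per_app, key=per_app.get) if per_app else None,
        "non_default_ports": [(s[1], s[3]) for s in odd_ports],
        "other_users_hit_over_same_app": sorted({s[0] for s in others_hit}),
    }


if __name__ == "__main__":
    print(bytes_by_user(SESSIONS))
    print(investigate(SESSIONS, "marsha.wirth"))
```

On the constructed data the top user moves about six times the runner-up's bytes and has 38 threat hits, the only non-standard-port session is imap on 43206, and negating the user shows nobody else triggered threats over imap, which is the state the walkthrough reaches before it turns to the Blocked Activity tab.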


App Scope

The App Scope reports provide visibility and analysis tools to help pinpoint problematic behavior, helping you understand changes in application usage and user activity, users and applications that take up most of the network bandwidth, and identify network threats.
With the App Scope reports, you can quickly see if any behavior is unusual or unexpected. Each report provides a dynamic, user-customizable window into the network; hovering the mouse over and clicking either the lines or bars on the charts opens detailed information about the specific application, application category, user, or source on the ACC. The App Scope charts on Monitor > App Scope give you the ability to:
Toggle the attributes in the legend to only view chart details that you want to review. The ability to include or exclude data from the chart allows you to change the scale and review details more closely.
Click into an attribute in a bar chart and drill down to the related sessions in the ACC. Click into an Application name, Application Category, Threat Name, Threat Category, Source IP address or Destination IP address on any bar chart to filter on the attribute and view the related sessions in the ACC.
Export a chart or map to PDF or as an image. For portability and offline viewing, you can Export charts and maps as PDFs or PNG images.
The following App Scope reports are available:
Summary Report
Change Monitor Report
Threat Monitor Report
Threat Map Report
Network Monitor Report
Traffic Map Report


Summary Report

The App Scope Summary report (Monitor > App Scope > Summary) displays charts for the top five gainers, losers, and bandwidth consuming applications, application categories, users, and sources.


Change Monitor Report

The App Scope Change Monitor report (Monitor > App Scope > Change Monitor) displays changes over a specified time period. For example, the following chart displays the top applications that gained in use over the last hour as compared with the last 24-hour period. The top applications are determined by session count and sorted by percent.

The Change Monitor Report contains the following buttons and options.

Button / Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Application: Determines the type of item reported: Application, Application Category, Source, or Destination.
Gainers: Displays measurements of items that have increased over the measured period.
Losers: Displays measurements of items that have decreased over the measured period.
New: Displays measurements of items that were added over the measured period.
Dropped: Displays measurements of items that were discontinued over the measured period.


Filter: Applies a filter to display only the selected item. None displays all entries.
(icon): Determines whether to display session or byte information.
Sort: Determines whether to sort entries by percentage or raw growth.
Export: Exports the graph as a .png image or as a PDF.
Compare: Specifies the period over which the change measurements are taken.

Threat Monitor Report

The App Scope Threat Monitor report (Monitor > App Scope > Threat Monitor) displays a count of the top threats over the selected time period. For example, the following figure shows the top 10 threat types over the last 6 hours.

Each threat type is color-coded as indicated in the legend below the chart. The Threat Monitor report contains the following buttons and options.

Button / Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Threats: Determines the type of item measured: Threat, Threat Category, Source, or Destination.


Filter: Applies a filter to display only the selected type of items.
(icon): Determines whether the information is presented in a stacked column chart or a stacked area chart.
Export: Exports the graph as a .png image or as a PDF.
(icon): Specifies the period over which the measurements are taken.

Threat Map Report

The App Scope Threat Map report (Monitor > App Scope > Threat Map) shows a geographical view of threats, including severity. Each threat type is color-coded as indicated in the legend below the chart.
The firewall uses geolocation for creating threat maps. The firewall is placed at the bottom of the threat map screen if you have not specified the geolocation coordinates (Device > Setup > Management, General Settings section) on the firewall.

The Threat Map report contains the following buttons and options.

Button / Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Incoming threats: Displays incoming threats.
Outgoing threats: Displays outgoing threats.
Filter: Applies a filter to display only the selected type of items.
Zoom In and Zoom Out: Zoom in and zoom out of the map.
Export: Exports the graph as a .png image or as a PDF.
(icon): Indicates the period over which the measurements are taken.


Network Monitor Report

The App Scope Network Monitor report (Monitor > App Scope > Network Monitor) displays the bandwidth dedicated to different network functions over the specified period of time. Each network function is color-coded as indicated in the legend below the chart. For example, the image below shows application bandwidth for the past 7 days based on session information.

The Network Monitor report contains the following buttons and options.

Button / Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Application: Determines the type of item reported: Application, Application Category, Source, or Destination.
Filter: Applies a filter to display only the selected item. None displays all entries.
(icon): Determines whether to display session or byte information.
Export: Exports the graph as a .png image or as a PDF.
(icon): Determines whether the information is presented in a stacked column chart or a stacked area chart.
(icon): Indicates the period over which the change measurements are taken.


Traffic Map Report

The App Scope Traffic Map report (Monitor > App Scope > Traffic Map) shows a geographical view of traffic flows according to sessions or flows.
The firewall uses geolocation for creating traffic maps. The firewall is placed at the bottom of the traffic map screen if you have not specified the geolocation coordinates (Device > Setup > Management, General Settings section) on the firewall.

Each traffic type is color-coded as indicated in the legend below the chart. The Traffic Map report contains the following buttons and options.

Buttons / Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Incoming threats: Displays incoming threats.
Outgoing threats: Displays outgoing threats.
(icon): Determines whether to display session or byte information.
Zoom In and Zoom Out: Zoom in and zoom out of the map.
Export: Exports the graph as a .png image or as a PDF.
(icon): Indicates the period over which the change measurements are taken.


Use the Automated Correlation Engine

The automated correlation engine is an analytics tool that uses the logs on the firewall to detect actionable events on your network. The engine correlates a series of related threat events that, when combined, indicate a likely compromised host on your network or some other higher-level conclusion. It pinpoints areas of risk, such as compromised hosts on the network, and allows you to assess the risk and take action to prevent exploitation of network resources. The automated correlation engine uses correlation objects to analyze the logs for patterns and when a match occurs, it generates a correlated event.

The automated correlation engine is supported on the following platforms:
Panorama M-Series appliance and the virtual appliance
PA-7000 Series firewall
PA-5000 Series firewall
PA-3000 Series firewall

Automated Correlation Engine Concepts
View the Correlated Objects
Interpret Correlated Events
Use the Compromised Hosts Widget in the ACC

Automated Correlation Engine Concepts

The automated correlation engine uses correlation objects to analyze the logs for patterns and when a match occurs, it generates a correlated event.
Correlation Object
Correlated Events

Correlation Object

A correlation object is a definition file that specifies patterns to match against, the data sources to use for the lookups, and the time period within which to look for these patterns. A pattern is a boolean structure of conditions that queries the following data sources (or logs) on the firewall: application statistics, traffic, traffic summary, threat summary, threat, data filtering, and URL filtering. Each pattern has a severity rating, and a threshold for the number of times the pattern match must occur within a defined time limit to indicate malicious activity. When the match conditions are met, a correlated event is logged.
A correlation object can connect isolated network events and look for patterns that indicate a more significant event. These objects identify suspicious traffic patterns and network anomalies, including suspicious IP activity, known command-and-control activity, known vulnerability exploits, or botnet activity that, when correlated, indicate with a high probability that a host on the network has been compromised.
Correlation objects are defined and developed by the Palo Alto Networks Threat Research team, and are delivered with the weekly dynamic updates to the firewall and Panorama. To obtain new correlation objects, the firewall must have a Threat Prevention license. Panorama requires a support license to get the updates.


The patterns defined in a correlation object can be static or dynamic. Correlated objects that include patterns observed in WildFire are dynamic, and can correlate malware patterns detected by WildFire with command-and-control activity initiated by a host that was targeted with the malware on your network. For example, when a host submits a file to the WildFire cloud and the verdict is malicious, the correlation object looks for other hosts or clients on the network that exhibit the same behavior seen in the cloud. If the malware sample had performed a DNS query and browsed to a malware domain, the correlation object will parse the logs for a similar event. When the activity on a host matches the analysis in the cloud, a high severity correlated event is logged.
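The mechanics described above (a pattern over one log source, a threshold that must be reached within a time limit, an ordered sequence of patterns, a severity on the resulting event, and a match time that is later refreshed as an update time) are easy to misread from prose alone, so here they are as a minimal engine run over constructed log records. This is an added example, not code from the guide and not the firewall's implementation: the correlation object, its id, the record layout and the thresholds are assumptions, and real correlation objects are content delivered by Palo Alto Networks whose internals this guide does not document.

```python
"""Added example (not from the PAN-OS guide): a toy correlation engine.
The object definition, log layout and thresholds are illustrative assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample logs: (timestamp, log type, source host, matched fields)
LOGS = [
    ("2016-06-07 10:00:05", "threat", "10.1.1.20", {"category": "scan"}),
    ("2016-06-07 10:02:10", "threat", "10.1.1.20", {"category": "scan"}),
    ("2016-06-07 10:04:00", "threat", "10.1.1.20", {"category": "scan"}),
    ("2016-06-07 10:30:00", "url",    "10.1.1.20", {"category": "malware"}),
    ("2016-06-07 10:31:00", "url",    "10.1.1.20", {"category": "malware"}),
    ("2016-06-07 10:33:00", "url",    "10.1.1.20", {"category": "malware"}),
    ("2016-06-07 11:00:00", "url",    "10.1.1.44", {"category": "malware"}),
    ("2016-06-07 15:00:00", "url",    "10.1.1.44", {"category": "malware"}),
    ("2016-06-07 15:05:00", "url",    "10.1.1.44", {"category": "malware"}),
]

# Illustrative correlation object (placeholder id in the 6000 series): each
# pattern names a data source, a condition, a threshold and a time window,
# and the patterns must fire in order for the event to be logged.
CORRELATION_OBJECT = {
    "id": 6999,
    "title": "Example: scanning followed by repeated malware-domain contact",
    "severity": "medium",
    "patterns": [
        {"source": "threat", "match": {"category": "scan"},
         "threshold": 3, "window": timedelta(minutes=10)},
        {"source": "url", "match": {"category": "malware"},
         "threshold": 3, "window": timedelta(minutes=10)},
    ],
}


def _matches(fields, condition):
    return all(fields.get(k) == v for k, v in condition.items())


def pattern_hits(logs, pattern):
    """Return {host: (match_time, update_time)} for hosts on which the pattern's
    threshold is reached inside a sliding window of the configured length."""
    per_host = defaultdict(list)
    for ts, source, host, fields in logs:
        if source == pattern["source"] and _matches(fields, pattern["match"]):
            per_host[host].append(datetime.strptime(ts, FMT))
    hits = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # drop matches from the left until the window fits the time limit
            while t - times[start] > pattern["window"]:
                start += 1
            if end - start + 1 >= pattern["threshold"]:
                hits[host] = (times[start], t)   # first evidence, latest evidence
                break
    return hits


def correlate(logs, obj):
    """Emit one correlated event per host on which every pattern fired, in order
    (a later pattern's first evidence must not precede an earlier pattern's)."""
    hits = [pattern_hits(logs, p) for p in obj["patterns"]]
    if not hits:
        return []
    events = []
    for host in sorted(set.intersection(*(set(h) for h in hits))):
        first = [h[host][0] for h in hits]
        if any(later < earlier for earlier, later in zip(first, first[1:])):
            continue   # evidence present but out of sequence: no escalation
        events.append({
            "object": obj["title"], "severity": obj["severity"], "source": host,
            "match_time": first[0].strftime(FMT),
            "update_time": max(h[host][1] for h in hits).strftime(FMT),
        })
    return events


if __name__ == "__main__":
    for event in correlate(LOGS, CORRELATION_OBJECT):
        print(event)
```

Host 10.1.1.44 visits malware domains three times but never three times inside ten minutes, so it produces no event; 10.1.1.20 reaches both thresholds in sequence and gets one medium-severity event whose match time is the first scan and whose update time is the last malware-domain visit, the same two timestamps the Correlated Events table below calls Match Time and Update Time.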

Correlated Events

A correlated event is logged when the patterns and thresholds defined in a correlation object match the traffic patterns on your network. To Interpret Correlated Events and to view a graphical display of the events, see Use the Compromised Hosts Widget in the ACC.

View the Correlated Objects

View the Correlation Objects Available on the Firewall

Step 1 To view the correlation objects that are currently available, select Monitor > Automated Correlation Engine > Correlation Objects. All the objects in the list are enabled by default.


Step 2 View the details on each correlation object. Each object provides the following information:
Name and Title: The name and title indicate the type of activity that the correlation object detects. The name column is hidden from view, by default. To view the definition of the object, unhide the column and click the name link.
ID: A unique number that identifies the correlation object; this column is also hidden by default. The IDs are in the 6000 series.
Category: A classification of the kind of threat or harm posed to the network, user, or host. For now, all the objects identify compromised hosts on the network.
State: Indicates whether the correlation object is enabled (active) or disabled (inactive). All the objects in the list are enabled by default, and are hence active. Because these objects are based on threat intelligence data and are defined by the Palo Alto Networks Threat Research team, keep the objects active in order to track and detect malicious activity on your network.
Description: Specifies the match conditions for which the firewall or Panorama will analyze logs. It describes the sequence of conditions that are matched on to identify acceleration or escalation of malicious activity or suspicious host behavior. For example, the Compromise Lifecycle object detects a host involved in a complete attack lifecycle in a three-step escalation that starts with scanning or probing activity, progressing to exploitation, and concluding with network contact to a known malicious domain.

For more information, see Automated Correlation Engine Concepts and Use the Automated Correlation Engine.

Interpret Correlated Events

You can view and analyze the logs generated for each correlated event in the Monitor > Automated Correlation Engine > Correlated Events tab.

Correlated Events includes the following details:

Field / Description
Match Time: The time the correlation object triggered a match.
Update Time: The time when the event was last updated with evidence on the match. As the firewall collects evidence on the pattern or sequence of events defined in a correlation object, the timestamp on the correlated event log is updated.
Object Name: The name of the correlation object that triggered the match.
Source Address: The IP address of the user/device on your network from which the traffic originated.
Source User: The user and user group information from the directory server, if User-ID is enabled.


Severity: A rating that indicates the urgency and impact of the match. The severity level indicates the extent of damage or escalation pattern, and the frequency of occurrence. Because correlation objects are primarily for detecting threats, the correlated events typically relate to identifying compromised hosts on the network and the severity implies the following:
Critical: Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.
High: Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity generated by a particular host.
Medium: Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs, which suggests a scripted command-and-control activity.
Low: Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.
Informational: Detects an event that may be useful in aggregate for identifying suspicious activity, but the event is not necessarily significant on its own.

To configure the firewall or Panorama to send alerts using email, SNMP or syslog messages for a desired severity level, see Use External Services for Monitoring.

Summary: A description that summarizes the evidence gathered on the correlated event.

Click the icon to see the detailed log view, which includes all the evidence on a match:


Tab / Description
Match Information: Object Details presents information on the Correlation Object that triggered the match. Match Details is a summary of the match details that includes the match time, last update time on the match evidence, severity of the event, and an event summary.
Match Evidence: Presents all the evidence that corroborates the correlated event. It lists detailed information on the evidence collected for each session.

Use the Compromised Hosts Widget in the ACC

The compromised hosts widget on ACC > Threat Activity aggregates the Correlated Events and sorts them by severity. It displays the source IP address/user who triggered the event, the correlation object that was matched and the number of times the object was matched. Use the match count link to jump to the match evidence details.

For more details, see Use the Automated Correlation Engine and Use the Application Command Center.


Take Packet Captures

All Palo Alto Networks firewalls allow you to take packet captures (pcaps) of traffic that traverses the management interface and network interfaces on the firewall. When taking packet captures on the dataplane, you may need to Disable Hardware Offload to ensure that the firewall captures all traffic.

Packet capture can be very CPU intensive and can degrade firewall performance. Only use this feature when necessary and make sure you turn it off after you have collected the required packets.

Types of Packet Captures
Disable Hardware Offload
Take a Custom Packet Capture
Take a Threat Packet Capture
Take an Application Packet Capture
Take a Packet Capture on the Management Interface

Types of Packet Captures

There are four different types of packet captures you can enable, depending on what you need to do:
Custom Packet Capture: The firewall captures packets for all traffic or for specific traffic based on filters that you define. For example, you can configure the firewall to only capture packets to and from a specific source and destination IP address or port. You then use the packet captures for troubleshooting network-related issues or for gathering application attributes to enable you to write custom application signatures or to request an application signature from Palo Alto Networks. See Take a Custom Packet Capture.
Threat Packet Capture: The firewall captures packets when it detects a virus, spyware, or vulnerability. You enable this feature in Antivirus, Anti-Spyware, and Vulnerability Protection security profiles. A link to view or export the packet captures will appear in the second column of the Threat log. These packet captures provide context around a threat to help you determine if an attack is successful or to learn more about the methods used by an attacker. You can also submit this type of pcap to Palo Alto Networks to have a threat reanalyzed if you feel it's a false positive or false negative. See Take a Threat Packet Capture.
Application Packet Capture: The firewall captures packets based on a specific application and filters that you define. A link to view or export the packet captures will appear in the second column of the Traffic logs for traffic that matches the packet capture rule. See Take an Application Packet Capture.
Management Interface Packet Capture: The firewall captures packets on the management interface (MGT). The packet captures are useful when troubleshooting services that traverse the interface, such as firewall management authentication to external servers (LDAP and RADIUS for example), software and content updates, log forwarding, communication with SNMP servers, and authentication requests for GlobalProtect and Captive Portal. See Take a Packet Capture on the Management Interface.


Disable Hardware Offload

Packet captures on a Palo Alto Networks firewall are performed in the dataplane CPU, unless you configure the firewall to Take a Packet Capture on the Management Interface, in which case the packet capture is performed on the management plane. When a packet capture is performed on the dataplane, during the ingress stage, the firewall performs packet parsing checks and discards any packets that do not match the packet capture filter. Any traffic that is offloaded to the field-programmable gate array (FPGA) offload processor is also excluded, unless you turn off hardware offload. For example, encrypted traffic (SSL/SSH), network protocols (OSPF, BGP, RIP), application overrides, and terminating applications can be offloaded to the FPGA and therefore are excluded from packet captures by default. Some types of sessions will never be offloaded, such as ARP, all non-IP traffic, IPSec, VPN sessions, SYN, FIN, and RST packets.

Hardware offload is supported on the following firewalls: PA-2000 Series, PA-3050, PA-4000 Series, PA-5000 Series, and PA-7000 Series firewall.

Disabling hardware offload increases the dataplane CPU usage. If dataplane CPU usage is already high, you may want to schedule a maintenance window before disabling hardware offload.

Enable/Disable Hardware Offload

Step 1 Disable hardware offload by running the following CLI command:
admin@PA-7050> set session offload no

Step 2 After the firewall captures the required traffic, enable hardware offload by running the following CLI command:
admin@PA-7050> set session offload yes


Take a Custom Packet Capture

Custom packet captures allow you to define the traffic that the firewall will capture. To ensure that you capture all traffic, you may need to Disable Hardware Offload.

Take a Custom Packet Capture

Step 1 Before you start a packet capture, identify the attributes of the traffic that you want to capture.
For example, to determine the source IP address, source NAT IP address, and the destination IP address for traffic between two systems, perform a ping from the source system to the destination system. After the ping is complete, go to Monitor > Traffic and locate the traffic log for the two systems. Click the Detailed Log View icon located in the first column of the log and note the source address, source NAT IP, and the destination address.

In the example that follows, we will use a packet capture to troubleshoot a Telnet connectivity issue from a user in the Trust zone to a server in the DMZ zone.


Step 2 Set packet capture filters, so the firewall only captures traffic you are interested in.
Filters will make it easier for you to locate the information you need in the packet capture and will reduce the processing power required by the firewall to take the packet capture. To capture all traffic, do not define filters and leave the filter option off.
For example, if you configured NAT on the firewall, you will need to apply two filters. The first one filters on the pre-NAT source IP address to the destination IP address and the second one filters traffic from the destination server to the source NAT IP address.
1. Select Monitor > Packet Capture.
2. Click Clear All Settings at the bottom of the window to clear any existing capture settings.
3. Click Manage Filters and click Add.
4. Select Id 1 and in the Source field enter the source IP address you are interested in and in the Destination field enter a destination IP address.
For example, enter the source IP address 192.168.2.10 and the destination IP address 10.43.14.55. To further filter the capture, set Non-IP to exclude non-IP traffic, such as broadcast traffic.
5. Add the second filter and select Id 2.
For example, in the Source field enter 10.43.14.55 and in the Destination field enter 10.43.14.25. In the Non-IP drop-down menu select exclude.
6. Click OK.

Step 3 Set Filtering to On.


Step 4 Specify the traffic stage(s) that trigger the packet capture and the file name(s) to use to store the captured content. For a definition of each stage, click the Help icon on the packet capture page.
For example, to configure all packet capture stages and define a file name for each stage, perform the following procedure:
1. Add a Stage to the packet capture configuration and define a Filename for the resulting packet capture. For example, select receive as the Stage and set the Filename to telnet-test-received.
2. Continue to Add each Stage you want to capture (receive, firewall, transmit, and drop) and set a unique Filename for each stage.

Step 5 Set Packet Capture to ON.
Note the warning that system performance can be degraded and then click OK. If you define filters, the packet capture should have little impact on performance, but you should always turn Off packet capture after the firewall captures the data that you want to analyze.

Step 6 Generate traffic that matches the filters that you defined.
For this example, generate traffic from the source system to the Telnet-enabled server by running the following command from the source system (192.168.2.10):
telnet 10.43.14.55


Step 7 Turn packet capture OFF and then click the refresh icon to see the packet capture files.
Notice that in this case there were no dropped packets, so the firewall did not create a file for the drop stage.

Step 8 Download the packet captures by clicking the file name in the File Name column.

Step 9 View the packet capture files using a network packet analyzer.
In this example, the receive-stage capture (received.pcap) shows a failed Telnet session from the source system at 192.168.2.10 to the Telnet-enabled server at 10.43.14.55. The source system sent the Telnet request (a TCP SYN to port 23) to the server, but the server did not respond. In this example, the server may not have Telnet enabled, so check the server.

Step 10 Enable the Telnet service on the destination server (10.43.14.55) and turn on packet capture to take a new packet capture.

Step 11 Generate traffic that will trigger the packet capture.
Run the Telnet session again from the source system to the Telnet-enabled server:
telnet 10.43.14.55

Step 12 Download and open the received.pcap file and view it using a network packet analyzer.
The packet capture now shows a successful Telnet session from the host at 192.168.2.10 to the Telnet-enabled server at 10.43.14.55. Note that you also see the NAT address 10.43.14.25: when the server responds, it does so to the NAT address. You can see that the session is successful, as indicated by the three-way handshake between the host and the server, followed by Telnet data.
Because Telnet is unencrypted, the capture contains anything typed into the session, including any credentials. Treat the pcap files as sensitive, and delete them from the firewall when you have finished analyzing them.
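The handshake check in Steps 9 and 12 can be automated instead of read by eye in a packet analyzer. The following Python script is an added example, not code from the PAN-OS guide or from Palo Alto Networks: it builds two small pcap files in memory that mirror the captures above (the bytes are constructed here, not a real capture), parses the Ethernet/IPv4/TCP headers, and reports each session as half-open (a SYN with no answer) or established. The NAT mapping from 10.43.14.25 back to 192.168.2.10, and the assumption that the NAT rule keeps the source port unchanged, are this example's, not the page's.

```python
"""Classify TCP sessions in a packet capture as established or half-open.

Added example; not code from the PAN-OS guide. The pcap bytes are constructed
in memory (checksums zeroed) to mirror the two receive-stage captures in the
text: a Telnet attempt from 192.168.2.10 that gets no reply, and a second
attempt in which the server answers the NAT address 10.43.14.25 and the
three-way handshake completes. Assumes the NAT rule preserves the source port.
"""
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08

def tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame; sufficient for header parsing."""
    ip_src = bytes(int(o) for o in src_ip.split('.'))
    ip_dst = bytes(int(o) for o in dst_ip.split('.'))
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip_src, ip_dst)
    return b'\x00' * 12 + b'\x08\x00' + ip + tcp

def build_pcap(frames):
    """Little-endian pcap: 24-byte global header (LINKTYPE_ETHERNET) plus records."""
    out = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack('<IIII', i, 0, len(frame), len(frame)) + frame
    return out

def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags) for every IPv4/TCP frame in the pcap."""
    endian = '<' if struct.unpack('<I', pcap[:4])[0] == 0xA1B2C3D4 else '>'
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + 'IIII', pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b'\x08\x00':          # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                           # not TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]
        src = '.'.join(map(str, ip[12:16]))
        dst = '.'.join(map(str, ip[16:20]))
        sport, dport = struct.unpack('!HH', tcp[:4])
        yield src, dst, sport, dport, tcp[13]

def classify_sessions(pcap, nat=None):
    """Map (client, server, sport, dport) -> 'half-open' | 'syn-received' | 'established'.

    `nat` maps a translated address back to the original client address, so a
    SYN-ACK sent to the NAT address is credited to the session the client opened.
    """
    nat = nat or {}
    state = {}
    for src, dst, sport, dport, flags in iter_tcp(pcap):
        if flags & SYN and not flags & ACK:              # client SYN (or a retransmit)
            state.setdefault((src, dst, sport, dport), 'syn-sent')
        elif flags & SYN and flags & ACK:                # server SYN-ACK, sent to the NAT address
            key = (nat.get(dst, dst), src, dport, sport)
            if state.get(key) == 'syn-sent':
                state[key] = 'syn-received'
        elif flags & ACK:                                # client's final ACK (or data)
            key = (src, dst, sport, dport)
            if state.get(key) == 'syn-received':
                state[key] = 'established'
    return {k: 'half-open' if v == 'syn-sent' else v for k, v in state.items()}

# Constructed sample captures (not real traffic).
NAT_MAP = {'10.43.14.25': '192.168.2.10'}
FAILED_ATTEMPT = build_pcap([
    tcp_frame('192.168.2.10', '10.43.14.55', 40001, 23, SYN),
    tcp_frame('192.168.2.10', '10.43.14.55', 40001, 23, SYN),       # retransmitted SYN, no reply
])
SUCCESSFUL_ATTEMPT = build_pcap([
    tcp_frame('192.168.2.10', '10.43.14.55', 40002, 23, SYN),
    tcp_frame('10.43.14.55', '10.43.14.25', 23, 40002, SYN | ACK),  # reply goes to the NAT address
    tcp_frame('192.168.2.10', '10.43.14.55', 40002, 23, ACK),
    tcp_frame('192.168.2.10', '10.43.14.55', 40002, 23, PSH | ACK), # first Telnet bytes
])

if __name__ == '__main__':
    for name, cap in (('first attempt', FAILED_ATTEMPT), ('second attempt', SUCCESSFUL_ATTEMPT)):
        for (c, s, cp, sp), st in classify_sessions(cap, NAT_MAP).items():
            print(f'{name}: {c}:{cp} -> {s}:{sp} is {st}')
```

Running classify_sessions on the second capture without the NAT map reports the session as half-open, because the SYN-ACK addressed to 10.43.14.25 is never matched to the SYN from 192.168.2.10; that is the same mismatch you would see reading a receive-stage capture by hand if you forgot that replies arrive for the translated address.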

Take a Threat Packet Capture

To configure the firewall to take a packet capture (pcap) when it detects a threat, enable packet capture on Antivirus, Anti-Spyware, and Vulnerability Protection security profiles.

Take a Threat Packet Capture

Step 1 Enable the packet capture option in the security profile.
Some security profiles allow you to define a single packet capture or an extended capture. If you choose extended capture, define the capture length. This allows the firewall to capture more packets to provide additional context related to the threat. The firewall can only capture packets if the action for a given threat is set to allow or alert.
1. Select Objects > Security Profiles and enable the packet capture option for the supported profiles as follows:
Antivirus: Select a custom antivirus profile and, in the Antivirus tab, select the Packet Capture check box.
Anti-Spyware: Select a custom Anti-Spyware profile, click the DNS Signatures tab and, in the Packet Capture drop-down, select single-packet or extended-capture.
Vulnerability Protection: Select a custom Vulnerability Protection profile and, in the Rules tab, click Add to add a new rule, or select an existing rule. Set Packet Capture to single-packet or extended-capture. Note that if the profile has signature exceptions defined, click the Exceptions tab and, in the Packet Capture column for a signature, set single-packet or extended-capture.
2. (Optional) If you selected extended-capture for any of the profiles, define the extended packet capture length.
a. Select Device > Setup > Content-ID and edit the Content-ID Settings.
b. In the Extended Packet Capture Length (packets) section, specify the number of packets that the firewall will capture (range is 1-50; default is 5).
c. Click OK.

Step 2 Add the security profile (with packet capture enabled) to a Security Policy rule.
1. Select Policies > Security and select a rule.
2. Select the Actions tab.
3. In the Profile Settings section, select a profile that has packet capture enabled.
For example, click the Antivirus drop-down and select a profile that has packet capture enabled.

Step 3 View/export the packet capture from the Threat logs.
1. Select Monitor > Logs > Threat.
2. In the log entry that you are interested in, click the green packet capture icon in the second column. View the packet capture directly or Export it to your system.

Take an Application Packet Capture

The following topics describe two ways that you can configure the firewall to take application packet captures:
Take a Packet Capture for Unknown Applications
Take a Custom Application Packet Capture

Take a Packet Capture for Unknown Applications

Palo Alto Networks firewalls automatically generate a packet capture for sessions that contain an application that the firewall cannot identify. Typically, the only applications that are classified as unknown traffic (unknown-tcp, unknown-udp, or non-syn-tcp) are commercially available applications that do not yet have App-ID signatures, internal or custom applications on your network, or potential threats. You can use these packet captures to gather more context related to the unknown application, or use the information to analyze the traffic for potential threats. You can also Manage Custom or Unknown Applications by controlling them through security policy or by writing a custom application signature and creating a security rule based on the custom signature. If the application is a commercial application, you can submit the packet capture to Palo Alto Networks to have an App-ID signature created.

Identify Unknown Applications in Traffic Logs and View Packet Captures

Step 1 Verify that unknown application packet capture is enabled. This option is on by default.
1. To view the unknown application capture setting, run the following CLI command:
admin@PA-200> show running application setting | match Unknown capture
2. If the unknown capture setting option is off, enable it:
admin@PA-200> set application dump-unknown yes

Step 2 Locate unknown applications by filtering the Traffic logs.
1. Select Monitor > Logs > Traffic.
2. Click Add Filter and select the filters to use; for example, filter on the application name so that only unknown-tcp, unknown-udp, and non-syn-tcp entries are displayed.
3. Click Add and Apply Filter.

Step 3 Click the packet capture icon to view the packet capture or Export it to your local system.

Take a Custom Application Packet Capture

You can configure a Palo Alto Networks firewall to take a packet capture based on an application name and filters that you define. You can then use the packet capture to troubleshoot issues with controlling an application. When configuring an application packet capture, you must use the application name as defined in the App-ID database. You can view a list of all App-ID applications using Applipedia or from the web interface on the firewall in Objects > Applications.

Take a Custom Application Packet Capture

Step 1 Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 2 Turn on the application packet capture and define filters.
admin@PA-200> set application dump on application <application-name> rule <rule-name>
For example, to capture packets for the facebook-base application that match the security rule named rule1, run the following CLI command:
admin@PA-200> set application dump on application facebook-base rule rule1
You can also apply other filters, such as source IP address and destination IP address.

Step 3 View the output of the packet capture settings to ensure that the correct filters are applied. The output appears after you enable the packet capture.
In the following output, you see that application filtering is now on for the facebook-base application, for traffic that matches rule1:
Application setting:
Application cache : yes
Supernode : yes
Heuristics : yes
Cache Threshold : 16
Bypass when exceeds queue limit: no
Traceroute appid : yes
Traceroute TTL threshold : 30
Use cache for appid : no
Unknown capture : on
Max. unknown sessions : 5000
Current unknown sessions : 0
Application capture : on
Max. application sessions : 5000
Current application sessions : 0
Application filter setting:
Rule : rule1
From : any
To : any
Source : any
Destination : any
Protocol : any
Source Port : any
Dest. Port : any
Application : facebook-base
Current APPID Signature
Signature Usage : 21 MB (Max. 32 MB)
TCP 1 C2S : 15503 states
TCP 1 S2C : 5070 states
TCP 2 C2S : 2426 states
TCP 2 S2C : 702 states
UDP 1 C2S : 11379 states
UDP 1 S2C : 2967 states
UDP 2 C2S : 755 states
UDP 2 S2C : 224 states

Step 4 Access Facebook.com from a web browser to generate Facebook traffic, and then turn off application packet capture by running the following CLI command:
admin@PA-200> set application dump off

Step 5 View/export the packet capture.
1. Log in to the web interface on the firewall and select Monitor > Logs > Traffic.
2. In the log entry that you are interested in, click the green packet capture icon in the second column.
3. View the packet capture directly or Export it to your computer. The log entry for the facebook-base session carries the resulting packet capture.

Take a Packet Capture on the Management Interface

The tcpdump CLI command enables you to capture packets that traverse the management interface (MGT) on a Palo Alto Networks firewall.

Each platform has a default number of bytes that tcpdump captures from each packet. The PA-200, PA-500, and PA-2000 Series firewalls capture 68 bytes of data from each packet and anything over that is truncated. The PA-3000, PA-4000, and PA-5000 Series, the PA-7000 Series firewalls, and VM-Series firewalls capture 96 bytes of data from each packet. To define the number of bytes that tcpdump captures from each packet, use the snaplen (snap length) option (range is 0-65535). Setting the snaplen to 0 causes the firewall to use the maximum length required to capture whole packets. At the default snap lengths only the headers and the first few bytes of payload survive, so set snaplen to 0 whenever you need to inspect the payload (for example, the attributes in a RADIUS request).

Take a Management Interface Packet Capture

Step 1 Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 2 To start a packet capture on the MGT interface, run the following command:
admin@PA-200> tcpdump filter <filter-option> <IP-address> snaplen <length>
For example, to capture the traffic that is generated when an administrator authenticates to the firewall using RADIUS, filter on the destination IP address of the RADIUS server (10.5.104.99 in this example):
admin@PA-200> tcpdump filter dst 10.5.104.99 snaplen 0
You can also filter on src (source IP address), host, and net, and you can exclude content. For example, to filter on a subnet and exclude all SCP, SFTP, and SSH traffic (which uses port 22), run the following command:
admin@PA-200> tcpdump filter net 10.5.104.0/24 and not port 22 snaplen 0
Each time tcpdump takes a packet capture, it stores the content in a file named mgmt.pcap. This file is overwritten each time you run tcpdump, so export a capture you want to keep before you start the next one.

Step 3 After the traffic you are interested in has traversed the MGT interface, press Ctrl+C to stop the capture.

Step 4 View the packet capture by running the following command:
admin@PA-200> view-pcap mgmt-pcap mgmt.pcap
The following output shows the packet capture from the MGT port (10.5.104.98) to the RADIUS server (10.5.104.99):
09:55:29.139394 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 89
09:55:29.144354 arp reply 10.5.104.98 is-at 00:25:90:23:94:98 (oui Unknown)
09:55:29.379290 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 70
09:55:34.379262 arp who-has 10.5.104.99 tell 10.5.104.98
In this output the firewall sends the Access-Request twice with the same identifier (0x00) and then ARPs for the server again, and no Access-Accept or Access-Reject appears: the RADIUS server is not answering, which is the first thing to check before looking at credentials or shared secrets.

Step 5 (Optional) Export the packet capture from the firewall using SCP (or TFTP). For example, to export the packet capture using SCP, run the following command:
admin@PA-200> scp export mgmt-pcap from mgmt.pcap to <username@host:path>
For example, to export the pcap to an SCP-enabled server at 10.5.5.20, into a temp folder named temp-SCP, run the following CLI command:
admin@PA-200> scp export mgmt-pcap from mgmt.pcap to admin@10.5.5.20:c:/temp-SCP
Enter the login name and password for the account on the SCP server to enable the firewall to copy the packet capture to the c:\temp-SCP folder on the SCP-enabled server.

Step 6 You can now view the packet capture files using a network packet analyzer, such as Wireshark.
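To turn the output in Step 4 into a check rather than a manual read, the following Python script is an added example (not code from the PAN-OS guide or from Palo Alto Networks): it parses lines in the format that view-pcap prints, groups RADIUS packets by client, server, and identifier, and flags Access-Requests that never received an Access-Accept, Access-Reject, or Access-Challenge. The sample lines are constructed from the output above plus one invented exchange (id 0x01) that does get an answer; the RADIUS code numbers 1, 2, 3, and 11 are the values from RFC 2865, not from the page.

```python
"""Spot unanswered RADIUS requests in tcpdump text output.

Added example; not code from the PAN-OS guide. Parses lines in the format
that `view-pcap mgmt-pcap mgmt.pcap` prints, groups RADIUS packets by
(client, server, identifier) and reports exchanges that never got a reply.
"""
import re
from collections import defaultdict
from datetime import datetime

RADIUS_LINE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP '
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\w+) > '
    r'(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\w+): RADIUS, '
    r'(?P<code>[A-Za-z]+[ -][A-Za-z]+) \((?P<codenum>\d+)\), '
    r'id: (?P<id>0x[0-9a-fA-F]+) length: (?P<len>\d+)'
)
ACCESS_REQUEST = 1                  # RFC 2865 code values
RESPONSE_CODES = {2, 3, 11}         # Access-Accept, Access-Reject, Access-Challenge

def parse_radius(lines):
    """Yield one dict per RADIUS line; ARP and other non-RADIUS lines are skipped."""
    for line in lines:
        m = RADIUS_LINE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt['ts'] = datetime.strptime(pkt['ts'], '%H:%M:%S.%f')
            pkt['codenum'] = int(pkt['codenum'])
            yield pkt

def radius_exchanges(lines):
    """Group packets into exchanges keyed by (client, server, id)."""
    exchanges = defaultdict(lambda: {'requests': [], 'responses': []})
    for p in parse_radius(lines):
        if p['codenum'] == ACCESS_REQUEST:
            exchanges[(p['src'], p['dst'], p['id'])]['requests'].append(p['ts'])
        elif p['codenum'] in RESPONSE_CODES:   # replies flow server -> client
            exchanges[(p['dst'], p['src'], p['id'])]['responses'].append(p['ts'])
    return dict(exchanges)

def unanswered(lines):
    """[(client, server, id, request_count, seconds_between_retries)] for exchanges with no reply."""
    result = []
    for (client, server, rid), ex in radius_exchanges(lines).items():
        if ex['requests'] and not ex['responses']:
            reqs = ex['requests']
            gaps = [(b - a).total_seconds() for a, b in zip(reqs, reqs[1:])]
            result.append((client, server, rid, len(reqs), gaps))
    return result

# Constructed sample: the four lines from the guide's output plus one invented,
# answered exchange (id 0x01) so that the two cases can be told apart.
SAMPLE_TCPDUMP = """\
09:55:29.139394 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 89
09:55:29.144354 arp reply 10.5.104.98 is-at 00:25:90:23:94:98 (oui Unknown)
09:55:29.379290 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 70
09:55:34.379262 arp who-has 10.5.104.99 tell 10.5.104.98
09:56:02.001000 IP 10.5.104.98.43064 > 10.5.104.99.radius: RADIUS, Access-Request (1), id: 0x01 length: 89
09:56:02.011000 IP 10.5.104.99.radius > 10.5.104.98.43064: RADIUS, Access-Accept (2), id: 0x01 length: 20
""".splitlines()

if __name__ == '__main__':
    for client, server, rid, n, gaps in unanswered(SAMPLE_TCPDUMP):
        print(f'{client} -> {server} id {rid}: {n} request(s), no reply; retry gaps {gaps}')
```

The regular expression accepts both "Access Request" (as the extracted page prints it) and "Access-Request" (as tcpdump actually prints it). A request that is retried with the same identifier and never answered, as in the output above, points at reachability or a server-side problem rather than a bad password; a prompt Access-Reject would point the other way.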

Monitor Applications and Threats

All Palo Alto Networks next-generation firewalls come equipped with App-ID technology, which identifies the applications traversing your network, irrespective of protocol, encryption, or evasive tactic. You can then Use the Application Command Center to monitor the applications. The ACC graphically summarizes the data from a variety of log databases to highlight the applications traversing your network, who is using them, and their potential security impact. ACC is dynamically updated, using the continuous traffic classification that App-ID performs; if an application changes ports or behavior, App-ID continues to see the traffic, displaying the results in ACC. Additional visibility into URL categories, threats, and data provides a complete and well-rounded picture of network activity. With ACC, you can very quickly learn more about the traffic traversing the network and then translate that information into a more informed security policy.
You can also Use the Dashboard to monitor the network.

View AutoFocus Threat Data for Logs to check whether logged events on the firewall pose a security risk. The AutoFocus intelligence summary shows the prevalence of properties, activities, or behaviors associated with logs in your network and on a global scale, as well as the WildFire verdict and AutoFocus tags linked to them. With an active AutoFocus subscription, you can use this information to create customized AutoFocus Alerts that track specific threats on your network.

Monitor and Manage Logs

A log is an automatically generated, time-stamped file that provides an audit trail for system events on the firewall or network traffic events that the firewall monitors. Log entries contain artifacts, which are properties, activities, or behaviors associated with the logged event, such as the application type or the IP address of an attacker. Each log type records information for a separate event type. For example, the firewall generates a Threat log to record traffic that matches a spyware, vulnerability, or virus signature, or a DoS attack that matches the thresholds configured for port scan or host sweep activity on the firewall.
Log Types and Severity Levels
Work with Logs
Configure Log Storage Quotas and Expiration Periods
Schedule Log Exports to an SCP or FTP Server

Log Types and Severity Levels

You can see the following log types in the Monitor > Logs pages.

Traffic Logs
Threat Logs
URL Filtering Logs
WildFire Submissions Logs
Data Filtering Logs
Correlation Logs
Config Logs
System Logs
HIP Match Logs
Alarms Logs
Unified Logs

Traffic Logs

Traffic logs display an entry for the start and end of each session. Each entry includes the following information: date and time; source and destination zones, addresses, and ports; application name; security rule applied to the traffic flow; rule action (allow, deny, or drop); ingress and egress interface; number of bytes; and session end reason.
The Type column indicates whether the entry is for the start or end of the session. The Action column indicates whether the firewall allowed, denied, or dropped the session. A drop indicates that the security rule that blocked the traffic specified any application, while a deny indicates that the rule identified a specific application. If the firewall drops traffic before identifying the application, such as when a rule drops all traffic for a specific service, the Application column displays not-applicable.

Click the spyglass icon beside an entry to view additional details about the session, such as whether an ICMP entry aggregates multiple sessions between the same source and destination (in which case the Count column value is greater than one).

Threat Logs

Threat logs display entries when traffic matches one of the Security Profiles attached to a security rule on the firewall. Each entry includes the following information: date and time; type of threat (such as virus or spyware); threat description or URL (Name column); source and destination zones, addresses, and ports; application name; alarm action (such as allow or block); and severity level.
To see more details on individual Threat log entries:
Click the spyglass icon beside a threat entry to view details such as whether the entry aggregates multiple threats of the same type between the same source and destination (in which case the Count column value is greater than one).
If you configured the firewall to Take Packet Captures, click the packet capture icon beside an entry to access the captured packets.
The following table summarizes the Threat severity levels:

Severity       Description
Critical       Serious threats, such as those that affect default installations of widely deployed software, result in root compromise of servers, and for which exploit code is widely available to attackers. The attacker usually does not need any special authentication credentials or knowledge about the individual victims, and the target does not need to be manipulated into performing any special functions.
High           Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool.
Medium         Minor threats in which impact is minimized, such as DoS attacks that do not compromise the target, or exploits that require an attacker to reside on the same LAN as the victim, affect only non-standard configurations or obscure applications, or provide very limited access. In addition, WildFire Submissions log entries with a malware verdict are logged as Medium.
Low            Warning-level threats that have very little impact on an organization's infrastructure. They usually require local or physical system access and may often result in victim privacy or DoS issues and information leakage. Data Filtering profile matches are logged as Low.
Informational  Suspicious events that do not pose an immediate threat, but that are reported to call attention to deeper problems that could possibly exist. URL Filtering log entries and WildFire Submissions log entries with a benign verdict are logged as Informational.

URL Filtering Logs

URL Filtering logs display entries for traffic that matches URL Filtering Profiles attached to security rules. For example, the firewall generates a log if a rule blocks access to specific web sites and web site categories, or if you configured a rule to generate an alert when a user accesses a web site.

WildFire Submissions Logs

The firewall forwards samples (files and email links) to the WildFire cloud for analysis based on WildFire Analysis profile settings (Objects > Security Profiles > WildFire Analysis). The firewall generates a WildFire Submissions log entry for each sample it forwards, after WildFire completes static and dynamic analysis of the sample. WildFire Submissions log entries include the WildFire verdict for the submitted sample.
The following table summarizes the WildFire verdicts:

Verdict    Description
Benign     Indicates that the entry received a WildFire analysis verdict of benign. Files categorized as benign are safe and do not exhibit malicious behavior.
Grayware   Indicates that the entry received a WildFire analysis verdict of grayware. Files categorized as grayware do not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware can include adware, spyware, and Browser Helper Objects (BHOs).
Malicious  Indicates that the entry received a WildFire analysis verdict of malicious. Samples categorized as malicious can pose a security threat. Malware can include viruses, worms, Trojans, Remote Access Tools (RATs), rootkits, and botnets. For samples that are identified as malware, the WildFire cloud generates and distributes a signature to prevent future exposure.

Data Filtering Logs

Data Filtering logs display entries for the security rules that help prevent sensitive information, such as credit card numbers, from leaving the area that the firewall protects. See Set Up Data Filtering for information on defining Data Filtering profiles.
This log type also shows information for File Blocking Profiles. For example, if a rule blocks .exe files, the log shows the blocked files.

Correlation Logs

The firewall logs a correlated event when the patterns and thresholds defined in a Correlation Object match the traffic patterns on your network. To Interpret Correlated Events and view a graphical display of the events, see Use the Compromised Hosts Widget in the ACC.
The following table summarizes the Correlation log severity levels:

Severity       Description
Critical       Confirms that a host has been compromised, based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict from WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.
High           Indicates that a host is very likely compromised, based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity being generated from a particular host.

Medium         Indicates that a host is likely compromised, based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs that suggest scripted command-and-control activity.
Low            Indicates that a host is possibly compromised, based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.
Informational  Detects an event that may be useful in aggregate for identifying suspicious activity; each event is not necessarily significant on its own.

Config Logs

Config logs display entries for changes to the firewall configuration. Each entry includes the date and time, the administrator username, the IP address from where the administrator made the change, the type of client (Web, CLI, or Panorama), the type of command executed, the command status (succeeded or failed), the configuration path, and the values before and after the change.

System Logs

System logs display entries for each system event on the firewall. Each entry includes the date and time, event severity, and event description. The following table summarizes the System log severity levels. For a partial list of System log messages and their corresponding severity levels, refer to System Log Events.

Severity       Description
Critical       Hardware failures, including high availability (HA) failover and link failures.
High           Serious issues, including dropped connections with external devices, such as LDAP and RADIUS servers.
Medium         Mid-level notifications, such as antivirus package upgrades.
Low            Minor severity notifications, such as user password changes.
Informational  Login/logoff, administrator name or password change, any configuration change, and all other events not covered by the other severity levels.

HIP Match Logs

The GlobalProtect Host Information Profile (HIP) feature enables you to collect information about the security status of the end devices accessing your network (such as whether they have disk encryption enabled). The firewall can allow or deny access to a specific host based on adherence to the HIP-based security rules you define. HIP Match logs display traffic flows that match a HIP Object or HIP Profile that you configured for the rules.

Alarms Logs

An alarm is a firewall-generated message indicating that the number of events of a particular type (for example, encryption and decryption failures) has exceeded the threshold configured for that event type. To enable alarms and configure alarm thresholds, select Device > Log Settings and edit the Alarm Settings.
When generating an alarm, the firewall creates an Alarm log and opens the System Alarms dialog to display the alarm. After you Close the dialog, you can reopen it at any time by clicking Alarms at the bottom of the web interface. To prevent the firewall from automatically opening the dialog for a particular alarm, select the alarm in the Unacknowledged Alarms list and Acknowledge the alarm.

Unified Logs

Unified logs are entries from the Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering logs displayed in a single view. Unified log view enables you to investigate and filter the latest entries from different log types in one place, instead of searching through each log type separately. Click Effective Queries in the filter area to select which log types will display entries in Unified log view.
The Unified log view displays only entries from logs that you have permission to see. For example, an administrator who does not have permission to view WildFire Submissions logs will not see WildFire Submissions log entries when viewing Unified logs. Administrative Roles define these permissions.

When you Set Up Remote Search in AutoFocus to perform a targeted search on the firewall, the search results are displayed in Unified log view.

Work with Logs

View Logs
Filter Logs
Export Logs
View AutoFocus Threat Data for Logs

View Logs

You can view the different log types on the firewall in a tabular format. The firewall locally stores all log files and automatically generates Configuration and System logs by default. To learn more about the security rules that trigger the creation of entries for the other types of logs, see Log Types and Severity Levels.
To configure the firewall to forward logs as syslog messages, email notifications, or Simple Network Management Protocol (SNMP) traps, Use External Services for Monitoring.

ViewLogs

Step1 Selectalogtypetoview. 1. SelectMonitor > Logs.


2. Selectalogtypefromthelist.
Thefirewalldisplaysonlythelogsyouhavepermission
tosee.Forexample,ifyouradministrativeaccount
doesnothavepermissiontoviewWildFire
Submissionslogs,thefirewalldoesnotdisplaythatlog
typewhenyouaccessthelogspages.Administrative
Rolesdefinethepermissions.

Step2 (Optional)Customizethelogcolumn 1. Clickthearrowtotherightofanycolumnheader,andselect


display. Columns.
2. Selectcolumnstodisplayfromthelist.Thelogupdates
automaticallytomatchyourselections.

Step3 Viewadditionaldetailsaboutlogentries. Clickthespyglass( )foraspecificlogentry.TheDetailedLog


Viewhasmoreinformationaboutthesourceanddestinationof
thesession,aswellasalistofsessionsrelatedtothelogentry.
(Threatlogonly)Click nexttoanentrytoaccesslocalpacket
capturesofthethreat.Toenablelocalpacketcaptures,seeTake
PacketCaptures.

Next Steps... FilterLogs.


ExportLogs.
ViewAutoFocusThreatDataforLogs.
ConfigureLogStorageQuotasandExpirationPeriods.

Filter Logs

Each log has a filter area that allows you to set criteria for which log entries to display. The ability to filter logs is useful for focusing on events on your firewall that possess particular properties or attributes. Filter logs by artifacts that are associated with individual log entries.

Filter Logs

Step 1 (Unified log only) Select the log types to include in the Unified log display.
1. Click Effective Queries.
2. Select one or more log types from the list (traffic, threat, url, data, and wildfire).
3. Click OK. The Unified log updates to show only entries from the log types you have selected.

Step 2 Add a filter to the filter field.
Click one or more artifacts (such as the application type associated with traffic and the IP address of an attacker) in a log entry. For example, click the Source 10.0.0.25 and Application web-browsing of a log entry to display only entries that contain both artifacts (AND search).
To specify artifacts to add to the filter field, click Add Filter. To add a previously saved filter, click Load Filter.
If the value of the artifact matches an operator (such as has or in), enclose the value in quotation marks to avoid a syntax error. For example, if you filter by destination country and use IN as the value to specify India, enter the filter as ( dstloc eq "IN" ).

Step 3 Apply the filter to the log.
Click Apply Filter. The log refreshes to display only log entries that match the current filter.

Step 4 (Optional) Save frequently used filters.
1. Click Save Filter.
2. Enter a Name for the filter.
3. Click OK. You can view your saved filters by clicking Load Filter.

Next Steps...
View Logs.
Export Logs.
View AutoFocus Threat Data for Logs.
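The quoting rule in Step 2 is easier to see with a parser in hand. The following Python module is an added example, not part of the PAN-OS guide or of Palo Alto Networks' code; it also serves the unknown-application filter from the Take a Packet Capture for Unknown Applications section. It tokenizes and evaluates filter queries of the form ( field op value ), joined by and/or, against a few constructed Traffic log rows, and it rejects an unquoted value such as IN that collides with an operator. The supported operator set, the precedence (and binds tighter than or), and the in/notin semantics are assumptions of this example, not the firewall's documented behavior.

```python
"""Evaluate PAN-OS-style log filter queries against log entries.

Added example; not code from the PAN-OS guide. Supports ( field op value )
conditions with eq/neq/in/notin/geq/leq/contains, joined by and/or and grouped
with parentheses. Precedence (and before or) and the in/notin semantics (CIDR
match for addresses, substring match otherwise) are assumptions of this example.
"""
import ipaddress
import re

def _in(actual, wanted):
    """CIDR membership for IP fields, substring match for everything else."""
    try:
        return ipaddress.ip_address(str(actual)) in ipaddress.ip_network(wanted, strict=False)
    except ValueError:
        return wanted in str(actual)

def _cmp(a, b, ge):
    """Numeric comparison when both sides parse as numbers, string comparison otherwise."""
    try:
        a, b = float(a), float(b)
    except (TypeError, ValueError):
        a, b = str(a), str(b)
    return a >= b if ge else a <= b

OPS = {
    'eq': lambda a, b: str(a) == b,
    'neq': lambda a, b: str(a) != b,
    'geq': lambda a, b: _cmp(a, b, True),
    'leq': lambda a, b: _cmp(a, b, False),
    'contains': lambda a, b: b in str(a),
    'in': _in,
    'notin': lambda a, b: not _in(a, b),
}
KEYWORDS = set(OPS) | {'and', 'or'}
TOKEN = re.compile(r"""\(|\)|"[^"]*"|'[^']*'|[^\s()"']+""")

def tokenize(query):
    """(text, was_quoted) pairs; quoting protects values that look like keywords."""
    return [(t[1:-1], True) if t[0] in '"\'' else (t, False) for t in TOKEN.findall(query)]

class Parser:
    """Recursive descent producing ('cond', field, op, value) and ('and'|'or', l, r) nodes."""
    def __init__(self, query):
        self.toks, self.i = tokenize(query), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, False)
    def take(self, expect=None):
        tok = self.peek()
        if expect is not None and tok != (expect, False):
            raise SyntaxError(f"expected {expect!r}, got {tok[0]!r}")
        self.i += 1
        return tok
    def parse(self):
        node = self.or_expr()
        if self.peek()[0] is not None:
            raise SyntaxError(f"unexpected token {self.peek()[0]!r}")
        return node
    def or_expr(self):
        node = self.and_expr()
        while self.peek() == ('or', False):
            self.take()
            node = ('or', node, self.and_expr())
        return node
    def and_expr(self):
        node = self.term()
        while self.peek() == ('and', False):
            self.take()
            node = ('and', node, self.term())
        return node
    def term(self):
        self.take('(')
        if self.peek() == ('(', False):        # nested group
            node = self.or_expr()
        else:
            field, op, (value, quoted) = self.take()[0], self.take()[0], self.take()
            if op not in OPS:
                raise SyntaxError(f"unknown operator {op!r}")
            if not quoted and str(value).lower() in KEYWORDS:   # e.g. ( dstloc eq IN )
                raise SyntaxError(f"value {value!r} clashes with an operator; enclose it in quotes")
            node = ('cond', field, op, value)
        self.take(')')
        return node

def evaluate(node, entry):
    if node[0] == 'cond':
        _, field, op, value = node
        return field in entry and OPS[op](entry[field], value)
    if node[0] == 'and':
        return evaluate(node[1], entry) and evaluate(node[2], entry)
    return evaluate(node[1], entry) or evaluate(node[2], entry)

def filter_entries(query, entries):
    """Entries matching the query; raises SyntaxError for a malformed query."""
    ast = Parser(query).parse()
    return [e for e in entries if evaluate(ast, e)]

SAMPLE_LOG = [  # constructed Traffic log rows, keyed by the field names the filter field uses
    {'app': 'web-browsing', 'addr.src': '10.0.0.25', 'addr.dst': '203.0.113.7', 'dstloc': 'IN', 'action': 'allow', 'bytes': 5120},
    {'app': 'unknown-tcp', 'addr.src': '10.0.0.31', 'addr.dst': '198.51.100.9', 'dstloc': 'US', 'action': 'deny', 'bytes': 120},
    {'app': 'ssl', 'addr.src': '192.168.2.10', 'addr.dst': '203.0.113.7', 'dstloc': 'IN', 'action': 'allow', 'bytes': 900},
]
```

Calling filter_entries('( dstloc eq IN )', SAMPLE_LOG) raises SyntaxError, because the bare value IN is read as the in operator; filter_entries('( dstloc eq "IN" )', SAMPLE_LOG) returns the two entries for India. The same evaluator applied to ( app eq unknown-tcp ) or ( app eq unknown-udp ) or ( app eq non-syn-tcp ) picks out the sessions whose packet captures the unknown-application section describes.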

Export Logs

You can export the contents of a log type to a comma-separated value (CSV) formatted report. By default, the report contains up to 2,000 rows of log entries.

Export Logs

Step 1 Set the number of rows to include in the report.
1. Select Device > Setup > Management, then edit the Logging and Reporting Settings.
2. Click the Log Export and Reporting tab.
3. Edit the number of Max Rows in CSV Export (up to 100,000 rows).
4. Click OK.

Step 2 Download the log.
1. Click Export to CSV. A progress bar showing the status of the download appears.
2. When the download is complete, click Download file to save a copy of the log to your local folder. For descriptions of the column headers in a downloaded log, refer to Syslog Field Descriptions.

Next Step... Schedule Log Exports to an SCP or FTP Server.

View AutoFocus Threat Data for Logs

Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Unified logs include AutoFocus threat intelligence data to provide context for the following artifacts found in the log entries:
IP address
URL
User agent
Threat name
Filename
SHA256 hash
You can also open an AutoFocus search for log artifacts.

View AutoFocus Threat Data for Logs

Step 1 Connect the firewall to AutoFocus to Enable AutoFocus Threat Intelligence.
Enable AutoFocus in Panorama to view AutoFocus threat data for all Panorama log entries, including those from firewalls that are not connected to AutoFocus and/or are running PAN-OS 7.0 and earlier release versions (Panorama > Setup > Management > AutoFocus).

Step 2 Select a log type to view.
1. Select Monitor > Logs.
2. Select one of the following log types: Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, or Unified.

Step 3 Open the AutoFocus Intelligence Summary for an artifact.
1. Click the drop-down for an IP address, URL, user agent, threat name, filename, or SHA256 hash in any log entry.
2. Click AutoFocus.

Step 4 Review the logs and statistics in the AutoFocus Intelligence Summary to assess the pervasiveness and risk of the artifact:
View recent passive DNS history for IP address, domain, and URL artifacts.
Review the matching tags for the artifact. AutoFocus Tags indicate whether an artifact is linked to malware or targeted attacks.
Create AutoFocus Alerts for tags issued by Unit 42, the Palo Alto Networks threat research team. Alerts for Unit 42 tags help you detect advanced security threats and campaigns as they occur on your network.
View the number of sessions logged in your firewall(s) where samples associated with the artifact were detected.
Compare the WildFire verdicts (benign, malware, grayware) for global and private samples that contain the artifact. Global refers to samples from all WildFire submissions, while private refers only to samples submitted to WildFire by your organization.
View the latest private samples in which WildFire found the artifact. Artifacts found with the samples include the SHA256 hash, the file type, the date that the sample was first analyzed by WildFire, the WildFire verdict for the sample, and the date that the WildFire verdict was updated (if applicable).

Step 5 Add artifacts from the firewall to an AutoFocus Search.
Click the link for the log artifact. The AutoFocus search editor opens in a new browser tab, with the log artifact added as a search condition.
Click any linked artifact in the tables or charts to add it as a search condition to an AutoFocus search.

Next Step... Learn more about AutoFocus Search.

Configure Log Storage Quotas and Expiration Periods

The firewall automatically deletes logs that exceed the expiration period. When the firewall reaches the storage quota for a log type, it automatically deletes older logs of that type to create space, even if you don't set an expiration period. Because quota overflow silently discards the oldest entries, forward logs to an external collector (see Use External Services for Monitoring) if you need retention beyond what local storage holds.

If you want to manually delete logs, select Device > Log Settings and, in the Manage Logs section, click the links to clear logs by type.

Configure Log Storage Quotas and Expiration Periods

Step 1 Select Device > Setup > Management and edit the Logging and Reporting Settings.

Step 2 Select Log Storage and enter a Quota (%) for each log type. When you change a percentage value, the dialog refreshes to display the corresponding absolute value (Quota GB/MB column).

Step 3 Enter the Max Days (expiration period) for each log type (range is 1-2,000). The fields are blank by default, which means the logs never expire.
The firewall synchronizes expiration periods across high availability (HA) pairs. Because only the active HA peer generates logs, the passive peer has no logs to delete unless failover occurs and it starts generating logs.

Step 4 Click OK and Commit.

Schedule Log Exports to an SCP or FTP Server

You can schedule exports of Traffic, Threat, URL Filtering, Data Filtering, HIP Match, and WildFire Submissions logs to a Secure Copy (SCP) server or File Transfer Protocol (FTP) server. Perform this task for each log type you want to export.

You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another firewall. Because the log database is too large for an export or import to be practical on the following platforms, they do not support these options: PA-7000 Series firewalls (all PAN-OS releases), the Panorama virtual appliance running Panorama 6.0 or later releases, and Panorama M-Series appliances (all Panorama releases).

Schedule Log Exports to an SCP or FTP Server

Step 1 Select Device > Scheduled Log Export and click Add.

Step 2 Enter a Name for the scheduled log export and Enable it.

Step 3 Select the Log Type to export.
PaloAltoNetworks,Inc. PANOS7.1AdministratorsGuide 299


MonitorandManageLogs Monitoring

ScheduleLogExportstoanSCPorFTPServer

Step 4 Select the daily Scheduled Export Start Time. The options are in 15-minute increments on a 24-hour clock (00:00-23:59).

Step 5 Select the Protocol to export the logs: SCP (secure) or FTP.

Step 6 Enter the Hostname or IP address of the server.

Step 7 Enter the Port number. By default, FTP uses port 21 and SCP uses port 22.

Step 8 Enter the Path or directory in which to save the exported logs.

Step 9 Enter the Username and, if necessary, the Password (and Confirm Password) to access the server. Use a dedicated account that has write access to the export directory only.

Step 10 (FTP only) Select Enable FTP Passive Mode if you want to use FTP passive mode, in which the firewall initiates the data connection to the FTP server. By default, the firewall uses FTP active mode, in which the FTP server initiates the data connection to the firewall. Choose the mode based on what your FTP server supports and on your network requirements (active mode requires that an inbound connection from the server can reach the firewall).

Step 11 (SCP only) Click Test SCP server connection. Before establishing a connection, the firewall must accept the host key for the SCP server. This is a trust-on-first-use decision: compare the host key the firewall asks you to accept against a fingerprint obtained from the server's administrator out of band before accepting it, because accepting an attacker's key would let a man-in-the-middle receive every exported log.
If you use a Panorama template to configure the log export schedule, you must commit the template configuration to the firewalls and then log in to each firewall and click Test SCP server connection.

Step 12 Click OK and Commit.
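The host-key check that Step 11 leaves to the administrator, as an added example (this is not code from the PAN-OS guide or from Palo Alto Networks): it parses a host key in the `known_hosts`/`ssh-keyscan` line format, computes the `SHA256:` fingerprint that `ssh-keygen -lf` prints, and compares it with a fingerprint obtained out of band. The hostname `scp.example.net` and the 32-byte key material are constructed for the example; the ed25519 key-blob layout (type string followed by the raw key, each length-prefixed) is the standard SSH wire format.

```python
"""Verify an SCP server's SSH host key against an out-of-band fingerprint.

Added example, not part of the PAN-OS guide. The firewall accepts the
server's host key when you click "Test SCP server connection"; this shows
how to compute the SHA256 fingerprint (the form ssh-keygen -lf prints) of a
key line produced by `ssh-keyscan -t ed25519 <host>` on a trusted machine,
so the key the firewall shows can be compared with what the server's
administrator reports.
"""
import base64
import hashlib
import struct


def parse_host_key_line(line: str) -> tuple[str, bytes]:
    """Parse one known_hosts / ssh-keyscan line: '<host> <keytype> <base64 blob>'.
    Returns (keytype, raw blob). The blob's embedded type string (RFC 4253)
    must agree with the declared type, otherwise the line is malformed."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected '<host> <type> <base64>'")
    key_type, blob_b64 = parts[1], parts[2]
    blob = base64.b64decode(blob_b64, validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length].decode() != key_type:
        raise ValueError("key type mismatch inside blob")
    return key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(scanned_line: str, expected_fingerprint: str) -> bool:
    """True only if the key in scanned_line has the expected fingerprint."""
    _, blob = parse_host_key_line(scanned_line)
    return sha256_fingerprint(blob) == expected_fingerprint


def build_ed25519_key_line(host: str, raw_public_key: bytes) -> str:
    """Build a known_hosts-format line for a 32-byte ed25519 public key.
    Used here only to construct deterministic sample input (a real line
    comes from ssh-keyscan)."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", len(raw_public_key)) + raw_public_key)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    # Constructed sample: a fake 32-byte key for the hypothetical host.
    sample = build_ed25519_key_line("scp.example.net", bytes(range(32)))
    fp = sha256_fingerprint(parse_host_key_line(sample)[1])
    print(sample)
    print(fp)
    print("matches:", host_key_matches(sample, fp))
```

Run `ssh-keyscan -t ed25519 <scp-server>` from a host that reaches the server over a trusted path, feed its output line to `host_key_matches` together with the fingerprint the server administrator gave you, and only then click Test SCP server connection and accept the key the firewall displays.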


Manage Reporting

The reporting capabilities on the firewall allow you to keep a pulse on your network, validate your policies, and focus your efforts on maintaining network security for keeping your users safe and productive.
Report Types
View Reports
Configure the Report Expiration Period
Disable Predefined Reports
Generate Custom Reports
Generate Botnet Reports
Generate the SaaS Application Usage Report
Manage PDF Summary Reports
Generate User/Group Activity Reports
Manage Report Groups
Schedule Reports for Email Delivery

Report Types

The firewall includes predefined reports that you can use as-is, you can build custom reports that meet your needs for specific data and actionable tasks, or you can combine predefined and custom reports to compile the information you need. The firewall provides the following types of reports:
Predefined Reports: Allow you to view a quick summary of the traffic on your network. A suite of predefined reports is available in four categories: Applications, Traffic, Threat, and URL Filtering. See View Reports.
User or Group Activity Reports: Allow you to schedule or create an on-demand report on the application use and URL activity for a specific user or for a user group. The report includes the URL categories and an estimated browse time calculation for individual users. See Generate User/Group Activity Reports.
Custom Reports: Create and schedule custom reports that show exactly the information you want to see by filtering on conditions and columns to include. You can also include query builders for more specific drill-down on report data. See Generate Custom Reports.
PDF Summary Reports: Aggregate up to 18 predefined or custom reports/graphs from the Threat, Application, Trend, Traffic, and URL Filtering categories into one PDF document. See Manage PDF Summary Reports.
Botnet Reports: Allow you to use behavior-based mechanisms to identify potential botnet-infected hosts in the network. See Generate Botnet Reports.
Report Groups: Combine custom and predefined reports into report groups and compile a single PDF that is emailed to one or more recipients. See Manage Report Groups.
Reports can be generated on demand or on a recurring schedule, and can be scheduled for email delivery.


View Reports

The firewall provides an assortment of over 40 predefined reports that it generates every day. You can view these reports directly on the firewall. You can also view custom reports and summary reports.
About 200 MB of storage is allocated for saving reports on the firewall. You can't configure this limit, but you can Configure the Report Expiration Period: the firewall automatically deletes reports that exceed the period. Keep in mind that when the firewall reaches its storage limit, it automatically deletes older reports to create space even if you don't set an expiration period. Another way to conserve system resources on the firewall is to Disable Predefined Reports. For long-term retention of reports, export the reports (as described below) or Schedule Reports for Email Delivery.

Unlike other reports, you can't save User/Group Activity reports on the firewall. You must Generate User/Group Activity Reports on demand or schedule them for email delivery.

View Reports

Step 1 Select Monitor > Reports.
The reports are grouped into sections (types) on the right-hand side of the page: Custom Reports, Application Reports, Traffic Reports, Threat Reports, URL Filtering Reports, and PDF Summary Reports.

Step 2 Select a report to view. The reports page then displays the report for the previous day.
To view reports for other days, select a date in the calendar at the bottom right of the page and select a report. If you select a report in another section, the date selection resets to the current date.

Step 3 To view a report offline, you can export the report to PDF, CSV, or XML format. Click Export to PDF, Export to CSV, or Export to XML at the bottom of the page, then print or save the file.

Configure the Report Expiration Period

When you set the Report Expiration Period, it applies to all Report Types. The firewall automatically deletes reports that exceed the period.

Configure Report Expiration Periods

Step 1 Select Device > Setup > Management, edit the Logging and Reporting Settings, and select the Log Export and Reporting tab.

Step 2 Enter the Report Expiration Period in days (range is 1-2,000; the default is no expiration).
You can't change the storage that the firewall allocates for saving reports: it is predefined at about 200 MB. When the firewall reaches the storage maximum, it automatically deletes older reports to create space even if you don't set a Report Expiration Period.

Step 3 Click OK and Commit.


Disable Predefined Reports

The firewall includes about 40 predefined reports that it automatically generates daily. If you do not use some or all of these, you can disable selected reports to conserve system resources on the firewall.
Make sure that no report group or PDF summary report includes the predefined reports you will disable. Otherwise, the firewall will render the PDF summary report or report group without any data.

Disable Predefined Reports

Step 1 Select Device > Setup > Management and edit the Logging and Reporting Settings.

Step 2 Select the Pre-Defined Reports tab and clear the check box for each report you want to disable. To disable all predefined reports, click Deselect All.

Step 3 Click OK and Commit.

Generate Custom Reports

In order to create purposeful custom reports, you must consider the attributes or key pieces of information that you want to retrieve and analyze. This consideration guides you in making the following selections in a custom report:

Data Source: The data file that is used to generate the report. The firewall offers two types of data sources: Summary databases and Detailed logs.
Summary databases are available for traffic, threat, and application statistics. The firewall aggregates the detailed logs on traffic, application, and threat at 15-minute intervals. The data is condensed: duplicate sessions are grouped together and incremented with a repeat counter, and some attributes (or columns) are not included in the summary, to allow faster response time when generating reports.
Detailed logs are itemized and are a complete listing of all the attributes (or columns) that pertain to the log entry. Reports based on detailed logs take much longer to run and are not recommended unless absolutely necessary.

Attributes: The columns that you want to use as the match criteria. The attributes are the columns that are available for selection in a report. From the list of Available Columns, you add the selection criteria for matching data and for aggregating the details (the Selected Columns).

Sort By/Group By: The Sort By and the Group By criteria allow you to organize and segment the data in the report; the sorting and grouping attributes available vary based on the selected data source.
The Sort By option specifies the attribute that is used for aggregation. If you do not select an attribute to sort by, the report returns the first N results without any aggregation.
The Group By option allows you to select an attribute and use it as an anchor for grouping data; all the data in the report is then presented in a set of top 5, 10, 25, or 50 groups. For example, when you select Hour as the Group By selection and want the top 25 groups for a 24-hour time period, the results of the report are generated on an hourly basis over a 24-hour period. The first column in the report will be the hour, and the next set of columns will be the rest of your selected report columns.


The following example illustrates how the Selected Columns and Sort By/Group By criteria work together when generating reports (the annotated screenshot from the original is not reproduced here):
The columns circled in red in the figure are the selected columns, which are the attributes that you match against for generating the report. Each log entry from the data source is parsed and these columns are matched on. If multiple sessions have the same values for the selected columns, the sessions are aggregated and the repeat count (or sessions) is incremented.
The column circled in blue indicates the chosen sort order. When the sort order (Sort By) is specified, the data is sorted (and aggregated) by the selected attribute.
The column circled in green indicates the Group By selection, which serves as an anchor for the report. The Group By column is used as a match criterion to filter for the top N groups. Then, for each of the top N groups, the report enumerates the values for all the other selected columns.


For example, consider a report that groups by Day with 5 Groups, sorts by Sessions with Top 5, uses the Last 7 Days time frame, and selects the columns App Category, App Subcategory, and Risk (the screenshots of the settings and of the output are not reproduced here).
The report is anchored by Day and sorted by Sessions. It lists the 5 days (5 Groups) with the most traffic in the Last 7 Days time frame. The data is enumerated by the Top 5 sessions for each day for the selected columns App Category, App Subcategory, and Risk.

Time Period: The date range for which you want to analyze data. You can define a custom range or select a time period ranging from the last 15 minutes to the last 30 days. The reports can be run on demand or scheduled to run at a daily or weekly cadence.

Query Builder: The query builder allows you to define specific queries to further refine the selected attributes. It lets you see just what you want in your report using and/or operators and match criteria, and then include or exclude data that matches or negates the query. Queries enable you to generate a more focused collation of information in a report.


Generate Custom Reports

Step 1 Select Monitor > Manage Custom Reports.

Step 2 Click Add and then enter a Name for the report.
To base a report on a predefined template, click Load Template and choose the template. You can then edit the template and save it as a custom report.

Step 3 Select the Database to use for the report.
Each time you create a custom report, a log view report is automatically created. This report shows the logs that were used to build the custom report. The log view report uses the same name as the custom report but appends the phrase (Log View) to the report name.
When creating a report group, you can include the log view report with the custom report. For more information, see Manage Report Groups.

Step 4 Select the Scheduled check box to run the report each night. The report is then available for viewing in the Reports column on the side.

Step 5 Define the filtering criteria. Select the Time Frame, the Sort By order, and the Group By preference, and select the columns that must display in the report.

Step 6 (Optional) Select the Query Builder attributes if you want to further refine the selection criteria. To build a report query, specify the following and click Add. Repeat as needed to construct the full query.
Connector: Choose the connector (and/or) to precede the expression you are adding.
Negate: Select the check box to interpret the expression as a negation. If, for example, you build a query for entries that are in the last 24 hours and/or originate from the untrust zone, the negate option instead matches entries that are not in the past 24 hours and/or are not from the untrust zone.
Attribute: Choose a data element. The available options depend on the choice of database.
Operator: Choose the criterion that determines whether the attribute applies (such as =). The available options depend on the choice of database.
Value: Specify the attribute value to match.
For example, against the Traffic Log database, a query built from two expressions joined with and, one matching a receive time in the past 24 hours and one matching the source zone untrust, matches only Traffic log entries received in the past 24 hours from the untrust zone (the screenshot from the original is not reproduced here).

Step 7 To test the report settings, select Run Now. Modify the settings as required to change the information that is displayed in the report.

Step 8 Click OK to save the custom report.


Examples of Custom Reports
To set up a simple report that uses the traffic summary database for the last 30 days, sorts the data by the top 10 sessions, and groups those sessions into 5 groups by day of the week, you would configure the custom report with the Database set to the traffic summary, the Time Frame set to Last 30 Days, Sort By set to Sessions with Top 10, and Group By set to Day with 5 Groups (the screenshot of the settings and the PDF output are not reproduced here).


To use the query builder to generate a custom report that represents the top consumers of network resources within a user group, you would add a query that restricts the entries to that user group and sort by bytes (the screenshot is not reproduced here). The report then displays the top users in the product management user group sorted by bytes.
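The report semantics described above (Selected Columns condensed with a repeat counter, Sort By with Top N, Group By with top groups) and the Query Builder rows of Step 6 (connector, negate, attribute, operator, value), worked over constructed traffic records as an added example. This is not code from the PAN-OS guide or from Palo Alto Networks and does not reproduce the firewall's implementation: the field names, the fixed set of operators, and the left-to-right evaluation of connectors are assumptions made for the example, and the records are constructed.

```python
"""Custom-report semantics (Selected Columns, Sort By, Group By, Query
Builder) modelled over constructed traffic records.

Added example, not part of the PAN-OS guide. It models what the text
describes: duplicate sessions collapsed into one row with a 'sessions'
repeat counter, top-N sorting, top-G groups anchored on a Group By column,
and and/or/negate query rows. Field names, the operator set and the
left-to-right connector evaluation are assumptions of this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from operator import eq, ne, ge, le

# Constructed sample traffic records (not real firewall logs).
NOW = datetime(2016, 6, 7, 12, 0)
RECORDS = [
    {"receive_time": NOW - timedelta(hours=h), "zone_src": z, "user": u,
     "app": a, "app_category": c, "bytes": b}
    for h, z, u, a, c, b in [
        (1, "untrust", "alice", "web-browsing", "general-internet", 1200),
        (2, "untrust", "alice", "web-browsing", "general-internet", 800),
        (3, "trust", "bob", "ssl", "general-internet", 5000),
        (30, "untrust", "carol", "dns", "networking", 100),
        (30, "untrust", "carol", "dns", "networking", 100),
        (50, "trust", "bob", "ssl", "general-internet", 7000),
        (70, "untrust", "dave", "smtp", "collaboration", 30000),
    ]
]

OPERATORS = {"eq": eq, "neq": ne, "ge": ge, "le": le, "in": lambda v, s: v in s}

# Query Builder rows: (connector, negate, attribute, operator, value).
LAST_24H_UNTRUST = [("and", False, "receive_time", "ge", NOW - timedelta(hours=24)),
                    ("and", False, "zone_src", "eq", "untrust")]
NOT_UNTRUST = [("and", True, "zone_src", "eq", "untrust")]


def matches(record, query):
    """Evaluate query rows left to right. The first row's connector is
    ignored; Negate inverts only the row it is set on. Empty query matches."""
    result = None
    for connector, negate, attribute, op, value in query:
        clause = OPERATORS[op](record[attribute], value)
        if negate:
            clause = not clause
        if result is None:
            result = clause
        elif connector == "and":
            result = result and clause
        elif connector == "or":
            result = result or clause
        else:
            raise ValueError(f"unknown connector {connector!r}")
    return True if result is None else result


def summarize(records, columns):
    """Condense records that share the selected columns into one row with a
    'sessions' repeat counter and summed bytes (the summary-database step)."""
    rows = {}
    for r in records:
        key = tuple(r[c] for c in columns)
        row = rows.setdefault(key, {**dict(zip(columns, key)), "sessions": 0, "bytes": 0})
        row["sessions"] += 1
        row["bytes"] += r["bytes"]
    return list(rows.values())


def report(records, columns, sort_by, top_n, group_by=None, groups=5, query=()):
    """Apply the query, condense on the selected columns, then return either
    the top_n rows by sort_by, or a dict of the top `groups` group_by values
    (ranked by the summed sort_by attribute), each with its own top_n rows."""
    filtered = [r for r in records if matches(r, query)]
    if group_by is None:
        rows = summarize(filtered, columns)
        return sorted(rows, key=lambda x: x[sort_by], reverse=True)[:top_n]
    rows = summarize(filtered, [group_by] + list(columns))
    totals = defaultdict(int)
    for row in rows:
        totals[row[group_by]] += row[sort_by]
    top_groups = sorted(totals, key=totals.get, reverse=True)[:groups]
    return {g: sorted((r for r in rows if r[group_by] == g),
                      key=lambda x: x[sort_by], reverse=True)[:top_n]
            for g in top_groups}


def add_day(records):
    """Derive a 'day' column so Group By Day works like the guide's example."""
    return [{**r, "day": r["receive_time"].date().isoformat()} for r in records]


if __name__ == "__main__":
    print(report(RECORDS, ["user", "app"], "bytes", 10, query=LAST_24H_UNTRUST))
    print(report(add_day(RECORDS), ["app_category"], "sessions", 5, group_by="day"))
```

The second call reproduces the "anchored by Day, sorted by Sessions" report from the text: the days are ranked by total sessions and each day lists its own top rows for the selected columns.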

Generate Botnet Reports

The botnet report enables you to use heuristic and behavior-based mechanisms to identify potential malware- or botnet-infected hosts in your network. To evaluate botnet activity and infected hosts, the firewall correlates user and network activity data in the Threat, URL, and Data Filtering logs with the list of malware URLs in PAN-DB, known dynamic DNS domain providers, and domains registered within the last 30 days. You can configure the report to identify hosts that visited those sites, as well as hosts that communicated with Internet Relay Chat (IRC) servers or that used unknown applications. Malware often uses dynamic DNS to avoid IP blacklisting, and IRC is a long-standing botnet command-and-control channel.

The firewall requires Threat Prevention and URL Filtering licenses to use the botnet report.
You can Use the Automated Correlation Engine to monitor suspicious activities based on additional indicators besides those that the botnet report uses. However, the botnet report is the only tool that uses newly registered domains as an indicator.

Configure a Botnet Report
Interpret Botnet Report Output

Configure a Botnet Report

You can schedule a botnet report or run it on demand. The firewall generates scheduled botnet reports every 24 hours because behavior-based detection requires correlating traffic across multiple logs over that timeframe.


Step 1 Define the types of traffic that indicate possible botnet activity.
1. Select Monitor > Botnet and click Configuration on the right side of the page.
2. Enable and define the Count for each type of HTTP Traffic that the report will include.
The Count values represent the minimum number of events of each traffic type that must occur for the report to list the associated host with a higher confidence score (higher likelihood of botnet infection). If the number of events is less than the Count, the report will display a lower confidence score or (for certain traffic types) won't display an entry for the host. For example, if you set the Count to three for Malware URL visit, then hosts that visit three or more known malware URLs will have higher scores than hosts that visit fewer than three. For details, see Interpret Botnet Report Output.
3. Define the thresholds that determine whether the report will include hosts associated with traffic involving Unknown TCP or Unknown UDP applications.
4. Select the IRC check box to include traffic involving IRC servers.
5. Click OK to save the report configuration.

Step 2 Schedule the report or run it on demand.
1. Click Report Setting on the right side of the page.
2. Select a time interval for the report in the Test Run Time Frame drop-down.
3. Select the No. of Rows to include in the report.
4. (Optional) Add queries to the Query Builder to filter the report output by attributes such as source/destination IP addresses, users, or zones.
For example, if you know in advance that traffic initiated from the IP address 10.3.3.15 contains no potential botnet activity, you can add not (addr.src in 10.3.3.15) as a query to exclude that host from the report output. For details, see Interpret Botnet Report Output. Use such exclusions sparingly and review them periodically: an excluded host that is later compromised will never appear in the report.
5. Select Scheduled to run the report daily or click Run Now to run the report immediately.
6. Click OK and Commit.

Interpret Botnet Report Output

The botnet report displays a line for each host that is associated with traffic you defined as suspicious when configuring the report. For each host, the report displays a confidence score of 1 to 5 to indicate the likelihood of botnet infection, where 5 indicates the highest likelihood. The scores correspond to threat severity levels: 1 is informational, 2 is low, 3 is medium, 4 is high, and 5 is critical. The firewall bases the scores on:
Traffic type: Certain HTTP traffic types are more likely to involve botnet activity. For example, the report assigns a higher confidence to hosts that visit known malware URLs than to hosts that browse to IP domains instead of URLs, assuming you defined both those activities as suspicious.


Number of events: Hosts that are associated with a higher number of suspicious events will have higher confidence scores, based on the thresholds (Count values) you define when you Configure a Botnet Report.
Executable downloads: The report assigns a higher confidence to hosts that download executable files. Executable files are a part of many infections and, when combined with the other types of suspicious traffic, can help you prioritize your investigations of compromised hosts.
When reviewing the report output, you might find that the sources the firewall uses to evaluate botnet activity (for example, the list of malware URLs in PAN-DB) have gaps. You might also find that these sources identify traffic that you consider safe. To compensate in both cases, you can add query filters when you Configure a Botnet Report.
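A simplified model of the scoring rules laid out in Configure a Botnet Report and Interpret Botnet Report Output, as an added example. This is not code from the PAN-OS guide or from Palo Alto Networks and is not the firewall's algorithm: the per-type weights, the one-point penalty for traffic types below their Count threshold, the registration-date table that stands in for the firewall's newly-registered-domain data, and the event records are all constructed for the example. It shows the rules the text does state: malware-URL visits outrank bare-IP browsing, Count thresholds gate the higher score, executable downloads raise it, domains registered in the last 30 days count as an indicator, and a query can exclude a host such as 10.3.3.15.

```python
"""Simplified model of the botnet report's per-host confidence scoring.

Added example, not part of the PAN-OS guide and not the firewall's
algorithm. WEIGHTS, the below-threshold penalty, the registration table
and the events are assumptions constructed for the example.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Assumed relative weight per suspicious traffic type (higher = more suspicious).
WEIGHTS = {"malware-url": 4, "dynamic-dns": 3, "new-domain": 3, "irc": 3,
           "ip-domain": 2, "unknown-tcp": 2, "unknown-udp": 2}
NEW_DOMAIN_WINDOW = timedelta(days=30)


def is_newly_registered(domain, registrations, today):
    """True if the domain's registration date (from a constructed lookup table
    standing in for the firewall's data source) lies within the last 30 days."""
    registered = registrations.get(domain)
    return registered is not None and today - registered <= NEW_DOMAIN_WINDOW


def classify(event, registrations, today):
    """Map one constructed event to a botnet traffic type, or None."""
    kind = event["kind"]
    if kind == "url":
        if event.get("category") == "malware":
            return "malware-url"
        if event.get("dynamic_dns"):
            return "dynamic-dns"
        host = event["host"]
        try:
            ip_address(host)
            return "ip-domain"            # browsing to a bare IP instead of a name
        except ValueError:
            pass
        if is_newly_registered(host, registrations, today):
            return "new-domain"
        return None
    if kind == "app":
        return {"irc": "irc", "unknown-tcp": "unknown-tcp",
                "unknown-udp": "unknown-udp"}.get(event["app"])
    return None


def score_hosts(events, thresholds, registrations, today, exclude=()):
    """Return {src_ip: (confidence 1..5, per-type counts)} for hosts with
    suspicious traffic. A type that has not reached its Count threshold
    scores one point less than its weight; an executable download adds one;
    the result is clamped to 1..5. Hosts matching `exclude` (the query
    'not (addr.src in ...)') are dropped before counting."""
    excluded = [ip_network(n) for n in exclude]
    counts = defaultdict(Counter)
    exe = set()
    for ev in events:
        src = ip_address(ev["src"])
        if any(src in n for n in excluded):
            continue
        if ev["kind"] == "file" and ev.get("file_type") == "pe":
            exe.add(src)
            continue
        t = classify(ev, registrations, today)
        if t:
            counts[src][t] += 1
    result = {}
    for src, c in counts.items():
        best = 0
        for t, n in c.items():
            w = WEIGHTS[t] if n >= thresholds.get(t, 1) else WEIGHTS[t] - 1
            best = max(best, w)
        if src in exe:
            best += 1
        result[str(src)] = (max(1, min(5, best)), dict(c))
    return result


# Constructed sample data (not real logs or real domains).
TODAY = date(2016, 6, 7)
REGISTRATIONS = {"fresh-loot.test": date(2016, 5, 20), "old-news.test": date(2009, 1, 1)}
EVENTS = [
    {"src": "10.1.1.5", "kind": "url", "host": "evil.test", "category": "malware"},
    {"src": "10.1.1.5", "kind": "url", "host": "evil2.test", "category": "malware"},
    {"src": "10.1.1.5", "kind": "url", "host": "evil3.test", "category": "malware"},
    {"src": "10.1.1.5", "kind": "file", "file_type": "pe"},
    {"src": "10.1.1.6", "kind": "url", "host": "203.0.113.9", "category": "unknown"},
    {"src": "10.1.1.7", "kind": "url", "host": "fresh-loot.test", "category": "unknown"},
    {"src": "10.1.1.8", "kind": "app", "app": "irc"},
    {"src": "10.3.3.15", "kind": "url", "host": "evil.test", "category": "malware"},
]
THRESHOLDS = {"malware-url": 3, "ip-domain": 2, "irc": 1}   # the Count values

if __name__ == "__main__":
    for host, (conf, c) in score_hosts(EVENTS, THRESHOLDS, REGISTRATIONS, TODAY,
                                       exclude=["10.3.3.15"]).items():
        print(host, conf, c)
```

With these inputs 10.1.1.5 reaches the Malware URL visit Count of three and also downloaded an executable, so it lands at 5; 10.1.1.6 browsed to a bare IP only once against a Count of two, so it stays at 1; and 10.3.3.15 never appears because of the exclusion query.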

Generate the SaaS Application Usage Report

The SaaS Application Usage PDF report is a two-part report that is based on the notion of sanctioned and unsanctioned applications. A sanctioned application is an application that you formally approve for use on your network. A SaaS application is an application that has the characteristic SaaS=yes on the application details page in Objects > Applications; all other applications are considered non-SaaS. To indicate that you have sanctioned a SaaS or non-SaaS application, you must tag it with the new predefined tag named Sanctioned. The firewall and Panorama consider any application without this predefined tag as unsanctioned for use on the network.
The first part of the report (8 pages) focuses on the SaaS applications used on your network during the reporting period. It presents a comparison of sanctioned versus unsanctioned SaaS applications by total number of applications used on your network, bandwidth consumed by these applications, and the number of users using these applications. This first part of the report also highlights the top SaaS application subcategories, listed in order by maximum number of applications used, the number of users, and the amount of data (bytes) transferred in each application subcategory.
The second part of the report focuses on the detailed browsing information for SaaS and non-SaaS applications for each application subcategory listed in the first part of the report. For each application in a subcategory, it also includes information about the top users who transferred data, the top blocked or alerted file types, and the top threats for each application. In addition, this section of the report tallies the samples for each application that the firewall submitted for WildFire analysis, and the number of samples determined to be benign and malicious.
Use the insights from this report to consolidate the list of business-critical and approved SaaS applications and to enforce policies for controlling unsanctioned applications that pose an unnecessary risk of malware propagation and data leaks.

The predefined SaaS application usage report introduced in PAN-OS 7.0 is still available as a daily report that lists the top 100 SaaS applications (with the SaaS application characteristic, SaaS=yes) running on your network on a given day.

Generate the SaaS Application Usage Report

Step 1 Tag applications that you approve for use on your network as Sanctioned.
The accuracy of the report depends on whether you have tagged an application as Sanctioned. You can tag both SaaS and non-SaaS applications as Sanctioned; the detailed browsing section of the SaaS Application Usage report displays whether the application is SaaS and whether it is sanctioned.
1. Select Objects > Applications.
2. Click the application Name to edit an application and select Edit in the Tag section.
3. Select Sanctioned from the Tags drop-down.
You must use the predefined Sanctioned tag (with the azure-colored background). If you use any other tag to indicate that you sanctioned an application, the firewall will fail to recognize the tag and the report will be inaccurate.
4. Click OK and Close to exit all open dialogs.

Step 2 Configure the SaaS Application Usage report.
1. Select Monitor > PDF Reports > SaaS Application Usage.
2. Click Add, enter a Name, and select a Time Period for the report (default is Last 7 Days).
By default, the report includes detailed information on the top SaaS and non-SaaS application subcategories, which can make the report large by page count and file size. Clear the Include detailed application category information in report check box if you want to reduce the file size and restrict the page count to eight pages.
3. To generate the report on demand, click Run Now. Make sure that the pop-up blocker is disabled in your browser because the report opens in a new tab.
4. Click OK to save your changes.

Step 3 Schedule Reports for Email Delivery.
On the PA-200, PA-500, and PA-2000 Series firewalls, the SaaS Application Usage report is not sent as a PDF attachment in the email. Instead, the email includes a link that you must click to open the report in a web browser.


Manage PDF Summary Reports

PDF summary reports contain information compiled from existing reports, based on data for the top 5 in each category (instead of the top 50). They also contain trend charts that are not available in other reports.

Generate PDF Summary Reports

Step 1 Set up a PDF Summary Report.
1. Select Monitor > PDF Reports > Manage PDF Summary.
2. Click Add and then enter a Name for the report.
3. Use the drop-down for each report group and select one or more of the elements to design the PDF Summary Report. You can include a maximum of 18 report elements.
To remove an element from the report, click the x icon or clear the selection from the drop-down for the appropriate report group.
To rearrange the reports, drag and drop the element icons to another area of the report.
4. Click OK to save the report.
5. Commit the changes.


Step 2 View the report.
To download and view the PDF Summary Report, see View Reports.

Generate User/Group Activity Reports

User/Group Activity reports summarize the web activity of individual users or user groups. Both reports include the same information except for the Browsing Summary by URL Category and Browse time calculations, which only the User Activity report includes.
You must configure User-ID on the firewall to access the list of users and user groups.

Generate User/Group Activity Reports

Step 1 Configure the browse times and number of logs for User/Group Activity reports. Required only if you want to change the default values.
1. Select Device > Setup > Management, edit the Logging and Reporting Settings, and select the Log Export and Reporting tab.
2. For the Max Rows in User Activity Report, enter the maximum number of rows that the detailed user activity report supports (range is 1-1,048,576; default is 5,000). This determines the number of logs that the report analyzes.
3. Enter the Average Browse Time in seconds that you estimate users should take to browse a web page (range is 0-300; default is 60). Any request made after the average browse time elapses is considered a new browsing activity. The calculation uses Container Pages (logged in the URL Filtering logs) as the basis and ignores any new web pages that are loaded between the time of the first request (start time) and the average browse time. For example, if you set the Average Browse Time to two minutes and a user opens a web page and views that page for five minutes, the browse time for that page will still be two minutes. This is done because the firewall can't determine how long a user views a given page. The average browse time calculation ignores sites categorized as web advertisements and content delivery networks.
4. For the Page Load Threshold, enter the estimated time in seconds for page elements to load on the page (default is 20). Any requests that occur between the first page load and the page load threshold are assumed to be elements of the page. Any requests that occur outside of the page load threshold are assumed to be the user clicking a link within the page.
5. Click OK to save your changes.

Step 2 Generate the User/Group Activity report.
1. Select Monitor > PDF Reports > User Activity Report.
2. Click Add and then enter a Name for the report.
3. Create the report:
User Activity Report: Select User and enter the Username or IP address (IPv4 or IPv6) of the user.
Group Activity Report: Select Group and select the Group Name of the user group.
4. Select the Time Period for the report.
5. Optionally, select the Include Detailed Browsing check box (default is cleared) to include detailed URL logs in the report. The detailed browsing information can include a large volume of logs (thousands of logs) for the selected user or user group and can make the report very large.
6. To run the report on demand, click Run Now.
7. To save the report configuration, click OK. You can't save the output of User/Group Activity reports on the firewall. To schedule the report for email delivery, see Schedule Reports for Email Delivery.


Manage Report Groups

Report groups allow you to create sets of reports that the system can compile and send as a single aggregate PDF report with an optional title page and all the constituent reports included.

Set up Report Groups

Step 1 Set up report groups. You must set up a Report Group to email reports.
1. Create an Email server profile.
2. Define the Report Group. A report group can compile predefined reports, PDF Summary reports, custom reports, and Log View reports into a single PDF.
a. Select Monitor > Report Group.
b. Click Add and then enter a Name for the report group.
c. (Optional) Select Title Page and add a Title for the PDF output.
d. Select reports from the left column and click Add to move each report to the report group on the right.
The Log View report is a report type that is automatically created each time you create a custom report and uses the same name as the custom report. This report shows the logs that were used to build the contents of the custom report.
To include the log view data when creating a report group, add your custom report under the Custom Reports list and then add the log view report by selecting the matching report name from the Log View list. The report will include the custom report data and the log data that was used to create the custom report.
e. Click OK to save the settings.
f. To use the report group, see Schedule Reports for Email Delivery.


Schedule Reports for Email Delivery

Reports can be scheduled for daily delivery or delivered weekly on a specified day. Scheduled reports are executed starting at 2:00 AM, and email delivery starts after all scheduled reports have been generated.

Schedule Reports for Email Delivery

Step 1 Select Monitor > PDF Reports > Email Scheduler and click Add.

Step 2 Enter a Name to identify the schedule.

Step 3 Select the Report Group for email delivery. To set up a report group, see Manage Report Groups.

Step 4 For the Email Profile, select an Email server profile to use for delivering the reports, or click the Email Profile link to Create an Email server profile.

Step 5 Select the frequency at which to generate and send the report in Recurrence.

Step 6 The Override Email Addresses field allows you to send this report exclusively to the specified recipients. When you add recipients to the field, the firewall does not send the report to the recipients configured in the Email server profile. Use this option for those occasions when the report is for the attention of someone other than the administrators or recipients defined in the Email server profile. Keep in mind that these reports can contain usernames, internal addresses, and visited URLs, so send them only to recipients who are cleared to see that data.

Step 7 Click OK and Commit.


Use External Services for Monitoring

Using an external service to monitor the firewall enables you to receive alerts for important events, archive monitored information on systems with dedicated long-term storage, and integrate with third-party security monitoring tools. The following are some common scenarios for using external services:
For immediate notification about important system events or threats, you can Monitor Statistics Using SNMP, Forward Traps to an SNMP Manager, or Configure Email Alerts.
For long-term log storage and centralized firewall monitoring, you can Configure Syslog Monitoring to send log data to a syslog server. This enables integration with third-party security monitoring tools such as Splunk or ArcSight.
For monitoring statistics on the IP traffic that traverses firewall interfaces, you can Configure NetFlow Exports to view the statistics in a NetFlow collector.
You can Configure Log Forwarding from the firewalls directly to external services, or from the firewalls to Panorama and then configure Panorama to forward logs to the servers. Refer to Log Forwarding Options for the factors to consider when deciding where to forward logs.

You can't aggregate NetFlow records on Panorama; you must send them directly from the firewalls to a NetFlow collector.


Configure Log Forwarding

To use Panorama or Use External Services for Monitoring the firewall, you must configure the firewall to forward its logs. Before forwarding to external services, the firewall automatically converts the logs to the necessary format: syslog messages, SNMP traps, or email notifications. Before starting this procedure, ensure that Panorama or the external server that will receive the log data is already set up.

The PA-7000 Series firewall can't forward logs to Panorama, only to external services. However, when you use Panorama to monitor logs or generate reports for a device group that includes a PA-7000 Series firewall, Panorama queries the PA-7000 Series firewall in real time to display its log data.
You can forward logs from the firewalls directly to external services, or from the firewalls to Panorama and then configure Panorama to forward logs to the servers. Refer to Log Forwarding Options for the factors to consider when deciding where to forward logs.
You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another firewall. Because the log database is too large for an export or import to be practical on the PA-7000 Series firewall, it does not support these options. You can also use the web interface on all platforms to Schedule Log Exports to an SCP or FTP Server, but only on a per-log-type basis, not for the entire log database.

Configure Log Forwarding

Step 1 Configure a server profile for each external service that will receive log data. You can use separate profiles to send each log type to a different server. To increase availability, define multiple servers in a single profile.
Create an Email server profile.
Configure an SNMP Trap server profile. To enable the SNMP manager (trap server) to interpret firewall traps, you must load the Palo Alto Networks Supported MIBs into the SNMP manager and, if necessary, compile them. For details, refer to your SNMP management software documentation.
Configure a Syslog server profile. If the syslog server requires client authentication, you must also Create a certificate to secure syslog communication over SSL. Prefer SSL transport where the server supports it: syslog over plain UDP or TCP carries usernames, URLs, and threat details across the network in cleartext.

Step 2 Create a log forwarding profile. The profile defines the destinations for Traffic, Threat, and WildFire Submission logs. (Threat logs include URL Filtering and Data Filtering logs.)
1. Select Objects > Log Forwarding and click Add.
2. Enter a Name to identify the profile. If you want the firewall to automatically assign the profile to new security rules and zones, enter default. If you don't want a default profile, or you want to override an existing default profile, enter a Name that will help you identify the profile when assigning it to security rules and zones.
If no log forwarding profile named default exists, the profile selection is set to None by default in new security rules (Log Forwarding field) and new security zones (Log Setting field), although you can change the selection.
3. Perform the following steps for each log type and each severity level or WildFire verdict:
a. Select the Panorama check box if you want to aggregate firewall logs on Panorama. (You can then configure Panorama to forward the logs to external services.)
b. Select the SNMP Trap, Email, or Syslog server profile you configured for this log type, and click OK.


Step3 Assignthelogforwardingprofileto Performthefollowingstepsforeachrulethatwilltriggerlog


securityrules. forwarding:
Totriggerloggenerationandforwarding, 1. SelectPolicies > Securityandclicktherule.
therulesrequirecertainSecurityProfiles
2. SelecttheActionstabandselecttheLog Forwardingprofile
accordingtologtype:
youjustcreated.
TrafficlogsNosecurityprofileis
necessary;thetrafficonlyneedsto 3. IntheProfile Typedropdown,selectProfilesorGroup,and
matchaspecificsecurityrule. thenselectthesecurityprofilesorGroup Profilerequiredto
triggerloggenerationandforwarding.
ThreatlogsThetrafficmustmatch
anysecurityprofileassignedtoa 4. ForTrafficlogs,selectoneorbothoftheLog At Session Start
securityrule. andLog At Session Endcheckboxes,andclickOK.
WildFirelogsThetrafficmustmatch
aWildFireAnalysisprofileassignedto
asecurityrule.

Step4 ConfigurethedestinationsforSystem, 1. SelectDevice > Log Settings.


Config,HIPMatch,andCorrelationlogs. 2. Performthefollowingstepsforeachlogtype.ForSystemand
Correlationlogs,startbyclickingtheSeveritylevel.ForConfig
andHIPMatchlogs,startbyeditingthesection.
a. SelectthePanoramacheckboxifyouwanttoaggregate
System,Config,andHIPMatchlogsonPanorama.
Optionally,youcanthenconfigurePanoramatoforward
thelogstotheexternalservices.
PanoramageneratesCorrelationlogsbasedonthe
firewalllogsitreceives,ratherthanaggregating
Correlationlogsfromfirewalls.
b. SelecttheSNMP Trap,Email,orSyslogserverprofileyou
configuredforthislogtypeandclickOK.

Step 5: (PA-7000 Series firewalls only) Configure a log card interface to perform log forwarding.

1. Select Network > Interfaces > Ethernet and click Add Interface.
2. Select the Slot and Interface Name.
3. For the Interface Type, select Log Card.
4. Enter the IP Address, Default Gateway, and (for IPv4 only) Netmask.
5. Select Advanced and specify the Link Speed, Link Duplex, and Link State.
   These fields default to auto, which specifies that the firewall automatically determines the values based on the connection. However, the minimum recommended Link Speed for any connection is 1000 (Mbps).
6. Click OK to save your changes.


Step 6: Commit and verify your changes.

1. Click Commit to complete the log forwarding configuration.
2. Verify the log destinations you configured are receiving firewall logs:
   - Panorama: If the firewall forwards logs to an M-Series appliance, you must configure a Collector Group before Panorama will receive the logs. You can then verify log forwarding.
   - Email server: Verify that the specified recipients are receiving logs as email notifications.
   - Syslog server: Refer to the documentation for your syslog server to verify it is receiving logs as syslog messages.
   - SNMP manager: Use an SNMP Manager to Explore MIBs and Objects to verify it is receiving logs as SNMP traps.


Configure Email Alerts

You can configure email alerts for System, Config, HIP Match, Correlation, Threat, WildFire Submission, and Traffic logs.

Step 1: Create an Email server profile.

You can use separate profiles to send email notifications for each log type to a different server. To increase availability, define multiple servers (up to four) in a single profile.

1. Select Device > Server Profiles > Email.
2. Click Add and then enter a Name for the profile.
3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
4. For each Simple Mail Transport Protocol (SMTP) server (email server), click Add and define the following information:
   - Name: Name to identify the SMTP server (1-31 characters). This field is just a label and doesn't have to be the hostname of an existing email server.
   - Email Display Name: The name to show in the From field of the email.
   - From: The email address from which the firewall sends emails.
   - To: The email address to which the firewall sends emails.
   - Additional Recipient: If you want to send emails to a second account, enter the address here. You can add only one additional recipient. For multiple recipients, add the email address of a distribution list.
   - Email Gateway: The IP address or hostname of the SMTP gateway to use for sending emails.
5. (Optional) Select the Custom Log Format tab and customize the format of the email messages. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
6. Click OK to save the Email server profile.

Step 2: Configure email alerts for Traffic, Threat, and WildFire Submission logs.

1. Create a log forwarding profile.
   a. Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
   b. For each log type and each severity level or WildFire verdict, select the Email server profile and click OK.
2. Assign the log forwarding profile to security rules.

Step 3: Configure email alerts for System, Config, HIP Match, and Correlation logs.

1. Select Device > Log Settings.
2. For System and Correlation logs, click each Severity level, select the Email server profile, and click OK.
3. For Config and HIP Match logs, edit the section, select the Email server profile, and click OK.
4. Click Commit.


Use Syslog for Monitoring

Syslog is a standard log transport mechanism that enables the aggregation of log data from different network devices (such as routers, firewalls, and printers) from different vendors into a central repository for archiving, analysis, and reporting. Palo Alto Networks firewalls can forward every type of log they generate to an external syslog server. You can use TCP or SSL for reliable and secure log forwarding, or UDP for non-secure forwarding.

- Configure Syslog Monitoring
- Syslog Field Descriptions

Configure Syslog Monitoring

To Use Syslog for Monitoring a Palo Alto Networks firewall, create a Syslog server profile and assign it to the log settings for each log type. Optionally, you can configure the header format used in syslog messages and enable client authentication for syslog over SSL.

Step 1: Configure a Syslog server profile.

You can use separate profiles to send syslogs for each log type to a different server. To increase availability, define multiple servers (up to four) in a single profile.

1. Select Device > Server Profiles > Syslog.
2. Click Add and enter a Name for the profile.
3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
4. For each syslog server, click Add and enter the information that the firewall requires to connect to it:
   - Name: Unique name for the server profile.
   - Syslog Server: IP address or fully qualified domain name (FQDN) of the syslog server.
   - Transport: Select TCP, UDP, or SSL as the method of communication with the syslog server.
   - Port: The port number on which to send syslog messages (default is UDP on port 514); you must use the same port number on the firewall and the syslog server.
   - Format: Select the syslog message format to use: BSD (the default) or IETF. Traditionally, BSD format is over UDP and IETF format is over TCP or SSL.
   - Facility: Select a syslog standard value (default is LOG_USER) to calculate the priority (PRI) field in your syslog server implementation. Select the value that maps to how you use the PRI field to manage your syslog messages.
5. (Optional) To customize the format of the syslog messages that the firewall sends, select the Custom Log Format tab. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
6. Click OK to save the server profile.


Step 2: Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs.

1. Create a log forwarding profile.
   a. Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
   b. For each log type and each severity level or WildFire verdict, select the Syslog server profile and click OK.
2. Assign the log forwarding profile to security rules.

Step 3: Configure syslog forwarding for System, Config, HIP Match, and Correlation logs.

1. Select Device > Log Settings.
2. For System and Correlation logs, click each Severity level, select the Syslog server profile, and click OK.
3. For Config, HIP Match, and Correlation logs, edit the section, select the Syslog server profile, and click OK.

Step 4: (Optional) Configure the header format of syslog messages.

The log data includes the unique identifier of the firewall that generated the log. Choosing the header format provides more flexibility in filtering and reporting on the log data for some Security Information and Event Management (SIEM) servers.

This is a global setting and applies to all syslog server profiles configured on the firewall.

1. Select Device > Setup > Management and edit the Logging and Reporting Settings.
2. Select the Log Export and Reporting tab and select the Syslog HOSTNAME Format:
   - FQDN (default): Concatenates the hostname and domain name defined on the sending firewall.
   - hostname: Uses the hostname defined on the sending firewall.
   - ipv4-address: Uses the IPv4 address of the firewall interface used to send logs. By default, this is the MGT interface.
   - ipv6-address: Uses the IPv6 address of the firewall interface used to send logs. By default, this is the MGT interface.
   - none: Leaves the hostname field unconfigured on the firewall. There is no identifier for the firewall that sent the logs.
3. Click OK to save your changes.
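The Facility and Format settings in Step 1 and the Syslog HOSTNAME Format in Step 4 decide what the receiving server sees in front of the comma-separated log record. The following Python is an added example, not Palo Alto Networks code, showing how a collector decodes that envelope: it splits the PRI value into facility and severity (PRI = facility * 8 + severity), recognises both the BSD (RFC 3164) and IETF (RFC 5424) headers, and reports whether the HOSTNAME field identifies the sending firewall. The hostnames, timestamps and serial number are constructed, and treating the RFC 5424 nil value "-" as the result of the none setting is an assumption.

```python
"""Added example: decode the syslog envelope that a PAN-OS firewall wraps
around each forwarded log line (PRI, BSD or IETF header, HOSTNAME field).
Not Palo Alto Networks code; the sample lines below are constructed."""
import re
from dataclasses import dataclass

# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss HOSTNAME payload
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# RFC 5424 (IETF) header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD payload
IETF_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) (?P<msg>.*)$"
)

# Standard syslog facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class Envelope:
    fmt: str        # "BSD" or "IETF"
    facility: str
    severity: str
    hostname: str   # the Syslog HOSTNAME Format field; "-" is the RFC 5424 nil value
    payload: str    # the PAN-OS CSV record, left uninterpreted here


def split_pri(pri: int):
    """Split a PRI value into (facility, severity) names; rejects values > 191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    return FACILITIES.get(pri >> 3, f"facility{pri >> 3}"), SEVERITIES[pri & 7]


def pri_for(facility: str, severity: str) -> int:
    """Inverse of split_pri: the PRI a sender emits for the given names."""
    fac = {v: k for k, v in FACILITIES.items()}[facility]
    return fac * 8 + SEVERITIES.index(severity)


def parse_envelope(line: str) -> Envelope:
    """Try IETF first (its '1 ' version marker is unambiguous), then BSD."""
    m, fmt = IETF_RE.match(line), "IETF"
    if m is None:
        m, fmt = BSD_RE.match(line), "BSD"
    if m is None:
        raise ValueError("line is neither a BSD nor an IETF syslog message")
    facility, severity = split_pri(int(m.group("pri")))
    return Envelope(fmt, facility, severity, m.group("host"), m.group("msg"))


def sender_identified(env: Envelope) -> bool:
    """False when the HOSTNAME field carries no firewall identifier (the 'none'
    setting); assumption: such messages arrive with the nil value '-'."""
    return env.hostname not in ("", "-")


# Constructed samples. PRI 14 = user(1)*8 + info(6), the LOG_USER default;
# PRI 134 = local0(16)*8 + info(6). The payload is truncated with "...".
BSD_SAMPLE = ("<14>Jun  7 12:00:05 fw-edge-01 "
              "1,2016/06/07 12:00:05,0001A1B2C3D4,TRAFFIC,end,...")
IETF_SAMPLE = ("<134>1 2016-06-07T12:00:05.000Z fw-edge-01.example.com - - - - "
               "1,2016/06/07 12:00:05,0001A1B2C3D4,TRAFFIC,end,...")
IETF_NO_HOST = ("<134>1 2016-06-07T12:00:05.000Z - - - - - "
                "1,2016/06/07 12:00:05,0001A1B2C3D4,TRAFFIC,end,...")

if __name__ == "__main__":
    for sample in (BSD_SAMPLE, IETF_SAMPLE, IETF_NO_HOST):
        env = parse_envelope(sample)
        print(env.fmt, env.facility, env.severity, env.hostname, sender_identified(env))
```

A collector that drops or flags records for which sender_identified() is false catches the case the none setting creates: a log line that cannot be attributed to any firewall, which matters when several firewalls forward to the same server.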


Step 5: Create a certificate to secure syslog communication over SSL.

Required only if the syslog server uses client authentication. The syslog server uses the certificate to verify that the firewall is authorized to communicate with the syslog server.

Ensure the following conditions are met:
- The private key must be available on the sending firewall; the keys can't reside on a Hardware Security Module (HSM).
- The subject and the issuer for the certificate must not be identical.
- The syslog server and the sending firewall must have certificates that the same trusted certificate authority (CA) signed. Alternatively, you can generate a self-signed certificate on the firewall, export the certificate from the firewall, and import it into the syslog server.

1. Select Device > Certificate Management > Certificates > Device Certificates and click Generate.
2. Enter a Name for the certificate.
3. In the Common Name field, enter the IP address of the firewall sending logs to the syslog server.
4. In Signed by, select the trusted CA or the self-signed CA that the syslog server and the sending firewall both trust.
   The certificate can't be a Certificate Authority nor an External Authority (certificate signing request [CSR]).
5. Click Generate. The firewall generates the certificate and key pair.
6. Click the certificate Name to edit it, select the Certificate for Secure Syslog check box, and click OK.

Step 6: Commit your changes and review the logs on the syslog server.

1. Click Commit.
2. To review the logs, refer to the documentation of your syslog management software. You can also review the Syslog Field Descriptions.

Syslog Field Descriptions

The following topics list the standard fields of each log type that Palo Alto Networks firewalls can forward to an external server, as well as the severity levels, custom formats, and escape sequences. To facilitate parsing, the delimiter is a comma: each field is a comma-separated value (CSV) string. The FUTURE_USE tag applies to fields that the firewalls do not currently implement.

WildFire Submission logs are a subtype of Threat log and use the same syslog format.

- Traffic Logs
- Threat Logs
- HIP Match Logs
- Config Logs
- System Logs
- Correlated Events (Logs)
- Custom Log/Event Format
- Escape Sequences

Traffic Logs

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source

Field Name (syslog key): Description

Receive Time (receive_time): Time the log was received at the management plane

Serial Number (serial): Serial number of the firewall that generated the log

Type (type): Specifies type of log; values are traffic, threat, config, system and hip-match

Subtype (subtype): Subtype of traffic log; values are start, end, drop, and deny
   - start: session started
   - end: session ended
   - drop: session dropped before the application is identified and there is no rule that allows the session.
   - deny: session dropped after the application is identified and there is a rule to block or no rule that allows the session.

Generated Time (time_generated): Time the log was generated on the dataplane

Source IP (src): Original session source IP address

Destination IP (dst): Original session destination IP address

NAT Source IP (natsrc): If Source NAT performed, the post-NAT Source IP address

NAT Destination IP (natdst): If Destination NAT performed, the post-NAT Destination IP address

Rule Name (rule): Name of the rule that the session matched

Source User (srcuser): Username of the user who initiated the session

Destination User (dstuser): Username of the user to which the session was destined

Application (app): Application associated with the session

Virtual System (vsys): Virtual System associated with the session

Source Zone (from): Zone the session was sourced from

Destination Zone (to): Zone the session was destined to

Ingress Interface (inbound_if): Interface that the session was sourced from

Egress Interface (outbound_if): Interface that the session was destined to


Log Forwarding Profile (logset): Log Forwarding Profile that was applied to the session

Session ID (sessionid): An internal numerical identifier applied to each session

Repeat Count (repeatcnt): Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only

Source Port (sport): Source port utilized by the session

Destination Port (dport): Destination port utilized by the session

NAT Source Port (natsport): Post-NAT source port

NAT Destination Port (natdport): Post-NAT destination port

Flags (flags): 32-bit field that provides details on session; this field can be decoded by AND-ing the values with the logged value:
   - 0x80000000: session has a packet capture (PCAP)
   - 0x02000000: IPv6 session
   - 0x01000000: SSL session was decrypted (SSL Proxy)
   - 0x00800000: session was denied via URL filtering
   - 0x00400000: session has a NAT translation performed (NAT)
   - 0x00200000: user information for the session was captured via the captive portal (Captive Portal)
   - 0x00080000: X-Forwarded-For value from a proxy is in the source user field
   - 0x00040000: log corresponds to a transaction within a http proxy session (Proxy Transaction)
   - 0x00008000: session is a container page access (Container Page)
   - 0x00002000: session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above.
   - 0x00000800: symmetric return was used to forward traffic for this session

Protocol (proto): IP protocol associated with the session

Action (action): Action taken for the session; possible values are:
   - allow: session was allowed by policy
   - deny: session was denied by policy
   - drop: session was dropped silently
   - drop-icmp: session was silently dropped with an ICMP unreachable message to the host or application
   - reset-both: session was terminated and a TCP reset is sent to both the sides of the connection
   - reset-client: session was terminated and a TCP reset is sent to the client
   - reset-server: session was terminated and a TCP reset is sent to the server

Bytes (bytes): Number of total bytes (transmit and receive) for the session

Bytes Sent (bytes_sent): Number of bytes in the client-to-server direction of the session. Available on all models except the PA-4000 Series

Bytes Received (bytes_received): Number of bytes in the server-to-client direction of the session. Available on all models except the PA-4000 Series


Packets (packets): Number of total packets (transmit and receive) for the session

Start Time (start): Time of session start

Elapsed Time (elapsed): Elapsed time of the session

Category (category): URL category associated with the session (if applicable)

Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama

Source Location (srcloc): Source country or Internal region for private addresses; maximum length is 32 bytes

Destination Location (dstloc): Destination country or Internal region for private addresses. Maximum length is 32 bytes

Packets Sent (pkts_sent): Number of client-to-server packets for the session. Available on all models except the PA-4000 Series

Packets Received (pkts_received): Number of server-to-client packets for the session. Available on all models except the PA-4000 Series


Session End Reason (session_end_reason): The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible session end reason values are as follows, in order of priority (where the first is highest):
   - threat: The firewall detected a threat associated with a reset, drop, or block (IP address) action.
   - policy-deny: The session matched a security rule with a deny or drop action.
   - decrypt-cert-validation: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses client authentication or when the session uses a server certificate with any of the following conditions: expired, untrusted issuer, unknown status, or status verification time-out. This session end reason also displays when the server certificate produces a fatal error alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied, or no_certificate_RESERVED (SSLv3 only).
   - decrypt-unsupport-param: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses an unsupported protocol version, cipher, or SSH algorithm. This session end reason displays when the session produces a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.
   - decrypt-error: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when firewall resources or the hardware security module (HSM) were unavailable. This session end reason is also displayed when you configured the firewall to block SSL traffic that has SSH errors or that produced any fatal error alert other than those listed for the decrypt-cert-validation and decrypt-unsupport-param end reasons.
   - tcp-rst-from-client: The client sent a TCP reset to the server.
   - tcp-rst-from-server: The server sent a TCP reset to the client.
   - resources-unavailable: The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.
   - tcp-fin: One host or both hosts in the connection sent a TCP FIN message to close the session.
   - tcp-reuse: A session is reused and the firewall closes the previous session.
   - decoder: The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.
   - aged-out: The session aged out.
   - unknown: This value applies in the following situations:
      - Session terminations that the preceding reasons do not cover (for example, a clear session all command).
      - For logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), the value will be unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall.
      - In Panorama, logs received from firewalls for which the PAN-OS version does not support session end reasons will have a value of unknown.
   - n/a: This value applies when the traffic log type is not end.


Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
   If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
   - CLI command in configure mode: show readonly dg-meta-data
   - API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name (device_name): The hostname of the firewall on which the session was logged.

Action Source (action_source): Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset-server, reset-client or reset-both for the session.

Threat Logs

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Miscellaneous, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_id, File digest, Cloud, URL Index, User Agent, File Type, X-Forwarded-For, Referer, Sender, Subject, Recipient, Report ID, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, FUTURE_USE

Field Name (syslog key): Description

Receive Time (receive_time): Time the log was received at the management plane

Serial Number (serial): Serial number of the firewall that generated the log

Type (type): Specifies type of log; values are traffic, threat, config, system and hip-match


Subtype (subtype): Subtype of threat log. Values include the following:
   - data: Data pattern matching a Data Filtering profile.
   - file: File type matching a File Blocking profile.
   - flood: Flood detected via a Zone Protection profile.
   - packet: Packet-based attack protection triggered by a Zone Protection profile.
   - scan: Scan detected via a Zone Protection profile.
   - spyware: Spyware detected via an Anti-Spyware profile.
   - url: URL filtering log.
   - virus: Virus detected via an Antivirus profile.
   - vulnerability: Vulnerability exploit detected via a Vulnerability Protection profile.
   - wildfire: A WildFire verdict generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malicious, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log.
   - wildfire-virus: Virus detected via an Antivirus profile.

Generated Time (time_generated): Time the log was generated on the dataplane

Source IP (src): Original session source IP address

Destination IP (dst): Original session destination IP address

NAT Source IP (natsrc): If source NAT performed, the post-NAT source IP address

NAT Destination IP (natdst): If destination NAT performed, the post-NAT destination IP address

Rule Name (rule): Name of the rule that the session matched

Source User (srcuser): Username of the user who initiated the session

Destination User (dstuser): Username of the user to which the session was destined

Application (app): Application associated with the session

Virtual System (vsys): Virtual System associated with the session

Source Zone (from): Zone the session was sourced from

Destination Zone (to): Zone the session was destined to

Ingress Interface (inbound_if): Interface that the session was sourced from

Egress Interface (outbound_if): Interface that the session was destined to

Log Forwarding Profile (logset): Log Forwarding Profile that was applied to the session

Session ID (sessionid): An internal numerical identifier applied to each session

Repeat Count (repeatcnt): Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only

Source Port (sport): Source port utilized by the session

Destination Port (dport): Destination port utilized by the session


NAT Source Port (natsport): Post-NAT source port

NAT Destination Port (natdport): Post-NAT destination port

Flags (flags): 32-bit field that provides details on session; this field can be decoded by AND-ing the values with the logged value:
   - 0x80000000: session has a packet capture (PCAP)
   - 0x02000000: IPv6 session
   - 0x01000000: SSL session was decrypted (SSL Proxy)
   - 0x00800000: session was denied via URL filtering
   - 0x00400000: session has a NAT translation performed (NAT)
   - 0x00200000: user information for the session was captured via the captive portal (Captive Portal)
   - 0x00080000: X-Forwarded-For value from a proxy is in the source user field
   - 0x00040000: log corresponds to a transaction within a http proxy session (Proxy Transaction)
   - 0x00008000: session is a container page access (Container Page)
   - 0x00002000: session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above
   - 0x00000800: symmetric return was used to forward traffic for this session

Protocol (proto): IP protocol associated with the session

Action (action): Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url.
   - alert: threat or URL detected but not blocked
   - allow: flood detection alert
   - deny: flood detection mechanism activated and deny traffic based on configuration
   - drop: threat detected and associated session was dropped
   - drop-all-packets: threat detected and session remains, but drops all packets
   - reset-client: threat detected and a TCP RST is sent to the client
   - reset-server: threat detected and a TCP RST is sent to the server
   - reset-both: threat detected and a TCP RST is sent to both the client and the server
   - block-url: URL request was blocked because it matched a URL category that was set to be blocked

Miscellaneous (misc): Field with variable length with a maximum of 1023 characters
   - The actual URI when the subtype is URL
   - File name or file type when the subtype is file
   - File name when the subtype is virus
   - File name when the subtype is WildFire


Threat ID (threatid): Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some Subtypes:
   - 8000-8099: scan detection
   - 8500-8599: flood detection
   - 9999: URL filtering log
   - 10000-19999: spyware phone home detection
   - 20000-29999: spyware download detection
   - 30000-44999: vulnerability exploit detection
   - 52000-52999: file type detection
   - 60000-69999: data filtering detection
   - 100000-2999999: virus detection
   - 3000000-3999999: WildFire signature feed
   - 4000000-4999999: DNS Botnet signatures

Category (category): For URL Subtype, it is the URL Category; for WildFire subtype, it is the verdict on the file and is either malicious, grayware, or benign; for other subtypes, the value is any.

Severity (severity): Severity associated with the threat; values are informational, low, medium, high, critical

Direction (direction): Indicates the direction of the attack, client-to-server or server-to-client:
   - 0: direction of the threat is client to server
   - 1: direction of the threat is server to client

Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama.

Source Location (srcloc): Source country or Internal region for private addresses. Maximum length is 32 bytes.

Destination Location (dstloc): Destination country or Internal region for private addresses. Maximum length is 32 bytes.

Content Type (contenttype): Applicable only when Subtype is URL. Content type of the HTTP response data. Maximum length 32 bytes.

PCAP ID (pcap_id): The packet capture (pcap) ID is a 64-bit unsigned integral denoting an ID to correlate threat pcap files with extended pcaps taken as a part of that flow. All threat logs will contain either a pcap_id of 0 (no associated pcap), or an ID referencing the extended pcap file.

File Digest (filedigest): Only for WildFire subtype; all other types do not use this field. The file digest string shows the binary hash of the file sent to be analyzed by the WildFire service.

Cloud (cloud): Only for WildFire subtype; all other types do not use this field. The cloud string displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis.


URL Index (url_idx): Used in URL Filtering and WildFire subtypes. When an application uses TCP keepalives to keep a connection open for a length of time, all the log entries for that session have a single session ID. In such cases, when you have a single threat log (and session ID) that includes multiple URL entries, the url_idx is a counter that allows you to correlate the order of each log entry within the single session.
   For example, to learn the URL of a file that the firewall forwarded to WildFire for analysis, locate the session ID and the url_idx from the WildFire Submissions log and search for the same session ID and url_idx in your URL filtering logs. The log entry that matches the session ID and url_idx will contain the URL of the file that was forwarded to WildFire.

User Agent (user_agent): Only for the URL Filtering subtype; all other types do not use this field. The User Agent field specifies the web browser that the user used to access the URL, for example Internet Explorer. This information is sent in the HTTP request to the server.

File Type (filetype): Only for WildFire subtype; all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis.

X-Forwarded-For (xff): Only for the URL Filtering subtype; all other types do not use this field. The X-Forwarded-For field in the HTTP header contains the IP address of the user who requested the web page. It allows you to identify the IP address of the user, which is useful particularly if you have a proxy server on your network that replaces the user IP address with its own address in the source IP address field of the packet header.

Referer (referer): Only for the URL Filtering subtype; all other types do not use this field. The Referer field in the HTTP header contains the URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested.

Sender (sender): Only for WildFire subtype; all other types do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.

Subject (subject): Only for WildFire subtype; all other types do not use this field. Specifies the subject of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.

Recipient (recipient): Only for WildFire subtype; all other types do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.

Report ID (reportid): Only for WildFire subtype; all other types do not use this field. Identifies the analysis request on the WildFire cloud or the WildFire appliance.


Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
   If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
   - CLI command in configure mode: show readonly dg-meta-data
   - API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name (device_name): The hostname of the firewall on which the session was logged.
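The Traffic Logs and Threat Logs tables above give the column order, the Flags bit values and the Threat ID number spaces that a SIEM or collector needs in order to make sense of a forwarded record. The following Python is an added example, not Palo Alto Networks code, that ties those three pieces together: it maps a CSV record to field names according to the Type column (rejecting records with the wrong column count rather than silently misaligning fields), decodes the Flags value into the names the tables assign to each bit, classifies a Threat ID by its numeric range, and reads the device group ancestry. The two sample records, the serial number, hostnames, users and addresses are constructed; the quoted misc field and the textual direction value are assumptions about how a record arrives, and the Type column is assumed to be upper-case as in the sample.

```python
"""Added example: parse the Traffic and Threat CSV records documented above,
decode the Flags bit field, and classify a Threat ID by its numeric range.
Not Palo Alto Networks code; the sample records are constructed."""
import csv
import re

# Field order as given in the Format lines above. FUTURE_USE positions are
# kept so that the column count is checked, then dropped from the result.
COMMON = ("FUTURE_USE receive_time serial type subtype FUTURE_USE time_generated "
          "src dst natsrc natdst rule srcuser dstuser app vsys from to inbound_if "
          "outbound_if logset FUTURE_USE sessionid repeatcnt sport dport natsport "
          "natdport flags proto action").split()
TRAFFIC_FIELDS = COMMON + (
    "bytes bytes_sent bytes_received packets start elapsed category FUTURE_USE "
    "seqno actionflags srcloc dstloc FUTURE_USE pkts_sent pkts_received "
    "session_end_reason dg_hier_level_1 dg_hier_level_2 dg_hier_level_3 "
    "dg_hier_level_4 vsys_name device_name action_source").split()
THREAT_FIELDS = COMMON + (
    "misc threatid category severity direction seqno actionflags srcloc dstloc "
    "FUTURE_USE contenttype pcap_id filedigest cloud url_idx user_agent filetype "
    "xff referer sender subject recipient reportid dg_hier_level_1 dg_hier_level_2 "
    "dg_hier_level_3 dg_hier_level_4 vsys_name device_name FUTURE_USE").split()
SCHEMAS = {"TRAFFIC": TRAFFIC_FIELDS, "THREAT": THREAT_FIELDS}

# Flags bit values and the meaning the table assigns to each, highest bit first.
FLAG_BITS = [
    (0x80000000, "pcap"), (0x02000000, "ipv6"), (0x01000000, "ssl-decrypted"),
    (0x00800000, "url-denied"), (0x00400000, "nat"), (0x00200000, "captive-portal"),
    (0x00080000, "x-forwarded-for"), (0x00040000, "proxy-transaction"),
    (0x00008000, "container-page"), (0x00002000, "implicit-app-dependency"),
    (0x00000800, "symmetric-return"),
]

# Threat ID number spaces from the Threat ID row of the Threat Logs table.
THREAT_ID_RANGES = [
    (8000, 8099, "scan"), (8500, 8599, "flood"), (9999, 9999, "url-filtering"),
    (10000, 19999, "spyware-phone-home"), (20000, 29999, "spyware-download"),
    (30000, 44999, "vulnerability"), (52000, 52999, "file-type"),
    (60000, 69999, "data-filtering"), (100000, 2999999, "virus"),
    (3000000, 3999999, "wildfire-signature"), (4000000, 4999999, "dns-botnet"),
]


def parse_log(line: str) -> dict:
    """Map one CSV record to field names, selecting the schema from the Type column."""
    values = next(csv.reader([line]))
    if len(values) < 4 or values[3] not in SCHEMAS:
        raise ValueError("unsupported or malformed record")
    fields = SCHEMAS[values[3]]
    if len(values) != len(fields):
        raise ValueError(f"{values[3]} record has {len(values)} fields, expected {len(fields)}")
    return {k: v for k, v in zip(fields, values) if k != "FUTURE_USE"}


def decode_flags(flags: str) -> list:
    """Names of the flag bits set in a hex Flags value such as '0x01400000'."""
    value = int(flags, 16)
    return [name for bit, name in FLAG_BITS if value & bit]


def threat_id_class(threatid: str) -> str:
    """Classify 'description(number)' by the documented number spaces."""
    m = re.search(r"\((\d+)\)\s*$", threatid)
    if not m:
        return "n/a"
    n = int(m.group(1))
    for lo, hi, name in THREAT_ID_RANGES:
        if lo <= n <= hi:
            return name
    return "unknown"


def device_group_path(rec: dict) -> list:
    """Ancestor device-group IDs, innermost last; level 0 (shared) is not logged."""
    ids = [int(rec[f"dg_hier_level_{i}"]) for i in range(1, 5)]
    return [i for i in ids if i != 0]


# Constructed sample records (one Traffic, one Threat) using documentation addresses.
TRAFFIC_SAMPLE = (
    "1,2016/06/07 12:00:05,0001A1B2C3D4,TRAFFIC,end,1,2016/06/07 12:00:05,"
    "10.1.1.25,93.184.216.34,203.0.113.7,93.184.216.34,allow-web,example\\jdoe,,"
    "ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,fwd-to-siem,1,40231,1,"
    "51234,443,17003,443,0x01400000,tcp,allow,48231,3120,45111,72,"
    "2016/06/07 11:59:50,15,computer-and-internet-info,1,9876543210,0x0,US,US,1,"
    "30,42,tcp-fin,12,34,45,0,vsys1,fw-edge-01,from-policy")
THREAT_SAMPLE = (
    "1,2016/06/07 12:01:10,0001A1B2C3D4,THREAT,url,1,2016/06/07 12:01:10,"
    "10.1.1.25,198.51.100.80,203.0.113.7,198.51.100.80,allow-web,example\\jdoe,,"
    "web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,fwd-to-siem,1,40377,1,"
    "51300,80,17010,80,0x00800000,tcp,block-url,\"blocked.example/dl/sample.bin\","
    "URL-filtering(9999),malware,informational,client-to-server,9876543300,0x0,US,US,"
    "1,,0,,,1,Mozilla/5.0,,,,,,,,12,34,45,0,vsys1,fw-edge-01,0")

if __name__ == "__main__":
    for sample in (TRAFFIC_SAMPLE, THREAT_SAMPLE):
        rec = parse_log(sample)
        print(rec["type"], rec["subtype"], rec["action"], decode_flags(rec["flags"]),
              device_group_path(rec), threat_id_class(rec.get("threatid", "")))
```

Checking the column count before mapping is the important defensive step: a custom log format or a record from a different PAN-OS release shifts every later column, and a parser that zips names to values without that check attributes the wrong value to fields such as session_end_reason or threatid.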

HIP Match Logs

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source User, Virtual System, Machine name, OS, Source Address, HIP, Repeat Count, HIP Type, FUTURE_USE, FUTURE_USE, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Field Name (syslog key): Description

Receive Time (receive_time): Time the log was received at the management plane

Serial Number (serial): Serial number of the firewall that generated the log

Type (type): Type of log; values are traffic, threat, config, system and hip-match

Subtype (subtype): Subtype of HIP match log; unused

Generated Time (time_generated): Time the log was generated on the dataplane

Source User (srcuser): Username of the user who initiated the session

Virtual System (vsys): Virtual System associated with the HIP match log

Machine Name (machinename): Name of the user's machine

OS: The operating system installed on the user's machine or device (or on the client system)

Source Address (src): IP address of the source user

HIP (matchname): Name of the HIP object or profile

Repeat Count (repeatcnt): Number of times the HIP profile matched

HIP Type (matchtype): Whether the hip field represents a HIP object or a HIP profile


Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
   If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
   - CLI command in configure mode: show readonly dg-meta-data
   - API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name (device_name): The hostname of the firewall on which the session was logged.

Config Logs

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Host, Virtual System, Command, Admin, Client, Result, Configuration Path, Sequence Number, Action Flags, Before Change Detail, After Change Detail, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Field Name (syslog key): Description

Receive Time (receive_time): Time the log was received at the management plane

Serial Number (serial): Serial number of the device that generated the log

Type (type): Type of log; values are traffic, threat, config, system and hip-match

Subtype (subtype): Subtype of configuration log; unused

Generated Time (time_generated): Time the log was generated on the dataplane

Host (host): Hostname or IP address of the client machine

Virtual System (vsys): Virtual System associated with the configuration log

Command (cmd): Command performed by the Admin; values are add, clone, commit, delete, edit, move, rename, set.

Admin (admin): Username of the Administrator performing the configuration

Client (client): Client used by the Administrator; values are Web and CLI

PaloAltoNetworks,Inc. PANOS7.1AdministratorsGuide 335


UseSyslogforMonitoring Monitoring

FieldName Description

Result(result) Resultoftheconfigurationaction;valuesareSubmitted,Succeeded,Failed,and
Unauthorized

ConfigurationPath(path) Thepathoftheconfigurationcommandissued;upto512bytesinlength

SequenceNumber(seqno) A64bitlogentryidentifierincrementedsequentially;eachlogtypehasauniquenumber
space.ThisfieldisnotsupportedonPA7000Seriesfirewalls.

ActionFlags(actionflags) AbitfieldindicatingifthelogwasforwardedtoPanorama.

BeforeChangeDetail Thisfieldisincustomlogsonly;itisnotinthedefaultformat.
(before_change_detail) Itcontainsthefullxpathbeforetheconfigurationchange.

AfterChangeDetail Thisfieldisincustomlogsonly;itisnotinthedefaultformat.
(after_change_detail) Itcontainsthefullxpathaftertheconfigurationchange.

DeviceGroupHierarchy Asequenceofidentificationnumbersthatindicatethedevicegroupslocationwithina
(dg_hier_level_1to devicegrouphierarchy.Thefirewall(orvirtualsystem)generatingthelogincludesthe
dg_hier_level_4) identificationnumberofeachancestorinitsdevicegrouphierarchy.Theshareddevice
group(level0)isnotincludedinthisstructure.
Ifthelogvaluesare12,34,45,0,itmeansthatthelogwasgeneratedbyafirewall(or
virtualsystem)thatbelongstodevicegroup45,anditsancestorsare34,and12.Toview
thedevicegroupnamesthatcorrespondtothevalue12,34or45,useoneofthefollowing
methods:
CLIcommandinconfiguremode:show readonly dg-meta-data
APIquery:
/api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

VirtualSystemName Thenameofthevirtualsystemassociatedwiththesession;onlyvalidonfirewallsenabled
(vsys_name) formultiplevirtualsystems.

DeviceName Thehostnameofthefirewallonwhichthesessionwaslogged.
(device_name)

System Logs

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Field Name | Description
Receive Time (receive_time) | Time the log was received at the management plane
Serial Number (serial) | Serial number of the firewall that generated the log
Type (type) | Type of log; values are traffic, threat, config, system and hip-match
Subtype (subtype) | Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, globalprotect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn
Generated Time (time_generated) | Time the log was generated on the dataplane
Virtual System (vsys) | Virtual System associated with the configuration log
Event ID (eventid) | String showing the name of the event
Object (object) | Name of the object associated with the system event
Module (module) | This field is valid only when the value of the Subtype field is general. It provides additional information about the subsystem generating the log; values are general, management, auth, ha, upgrade, chassis
Severity (severity) | Severity associated with the event; values are informational, low, medium, high, critical
Description (opaque) | Detailed description of the event, up to a maximum of 512 bytes
Sequence Number (seqno) | A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags) | A bit field indicating if the log was forwarded to Panorama
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods: CLI command in configure mode: show readonly dg-meta-data; API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name) | The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name) | The hostname of the firewall on which the session was logged.

Correlated Events (Logs)

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Field Name | Description
Log ID (logid) | Time the log was received at the management plane
ID (id) | Serial number of the device that generated the log
Match OID (match_oid) | Type of log; values are traffic, threat, config, system and hip-match
Object ID (objectid) | Name of the object associated with the system event
Version (version) | The version of the Correlation object's content update, as pushed by Palo Alto Networks.
Virtual System (vsys) | Virtual System associated with the configuration log
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods: CLI command in configure mode: show readonly dg-meta-data; API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Window (window) |
Source User (srcuser) | Username of the user who initiated the event.
Source (src) | IP address of the user who initiated the event.
Last Update Time (last_update_time) | The last time the events in the correlated event were updated with more information.
Severity (severity) | Severity associated with the event; values are informational, low, medium, high, critical
Match Time (match_time) | The time that the event match was recorded.
Object Name (objectname) | Name of the correlation object that was matched on
Summary (summary) | A summary statement that indicates how many times the host has matched against the conditions defined in the correlation object. For example, Host visited known malware URL (19 times).

Syslog Severity

The syslog severity is set based on the log type and contents.

Log Type / Severity | Syslog Severity
Traffic | Info
Config | Info
Threat/System Informational | Info
Threat/System Low | Notice
Threat/System Medium | Warning
Threat/System High | Error
Threat/System Critical | Critical


Custom Log/Event Format

To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key:Value attribute pairs. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format. To achieve ArcSight Common Event Format (CEF) compliant log formatting, refer to the CEF Configuration Guide.

Escape Sequences

Any field that contains a comma or a double-quote is enclosed in double quotes. Furthermore, if a double-quote appears inside a field it is escaped by preceding it with another double-quote. To maintain backward compatibility, the Misc field in threat log is always enclosed in double quotes.
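The Config log field order, the escape rules above, the dg_hier_level_1 to dg_hier_level_4 interpretation and the Syslog Severity table, worked through in an added Python example (not code from this guide or from Palo Alto Networks). The sample Config log body, serial number, host, hostnames and device group numbers are constructed for illustration, and the parser takes the comma-separated message body that follows the syslog header.

```python
# Added example: parse a PAN-OS 7.1 Config log body using the field order and
# escape rules from the guide, then interpret dg_hier_level_* and map the log
# type/severity to the guide's syslog severity table.

# Config log field order from the guide; FUTURE_USE placeholders are dropped.
CONFIG_LOG_FIELDS = [
    "FUTURE_USE", "receive_time", "serial", "type", "subtype", "FUTURE_USE",
    "time_generated", "host", "vsys", "cmd", "admin", "client", "result",
    "path", "seqno", "actionflags", "before_change_detail",
    "after_change_detail", "dg_hier_level_1", "dg_hier_level_2",
    "dg_hier_level_3", "dg_hier_level_4", "vsys_name", "device_name",
]

# Syslog severity table from the guide for threat and system logs;
# traffic and config logs are always Info.
THREAT_SYSTEM_SEVERITY = {
    "informational": "Info", "low": "Notice", "medium": "Warning",
    "high": "Error", "critical": "Critical",
}


def split_fields(body):
    """Split a comma-separated log body using the guide's escape sequences:
    a field holding a comma or double quote is wrapped in double quotes, and
    a double quote inside such a field is written as two double quotes."""
    fields, buf, quoted, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if quoted:
            if ch == '"' and body[i + 1:i + 2] == '"':
                buf.append('"')          # doubled quote -> literal quote
                i += 1
            elif ch == '"':
                quoted = False           # closing quote of the field
            else:
                buf.append(ch)
        elif ch == '"' and not buf:
            quoted = True                # opening quote at start of a field
        elif ch == ",":
            fields.append("".join(buf))  # unquoted comma ends the field
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_config_log(body):
    """Map a Config log body onto the guide's field names (minus FUTURE_USE)."""
    values = split_fields(body)
    if len(values) != len(CONFIG_LOG_FIELDS):
        raise ValueError(f"expected {len(CONFIG_LOG_FIELDS)} fields, got {len(values)}")
    return {name: value for name, value in zip(CONFIG_LOG_FIELDS, values)
            if name != "FUTURE_USE"}


def device_group_chain(record):
    """Return (device group, ancestors root-first) from dg_hier_level_1..4.
    Per the guide, 12,34,45,0 means device group 45 with ancestors 34 and 12;
    the shared group (level 0) never appears and trailing 0s are unused."""
    levels = [int(record[f"dg_hier_level_{n}"]) for n in range(1, 5)]
    chain = [lvl for lvl in levels if lvl != 0]
    if not chain:
        return None, []                  # log came from an unmanaged firewall
    return chain[-1], chain[:-1]


def syslog_severity(log_type, severity=None):
    """Syslog severity the firewall assigns, from the guide's table."""
    log_type = log_type.lower()
    if log_type in ("traffic", "config"):
        return "Info"
    if log_type in ("threat", "system"):
        return THREAT_SYSTEM_SEVERITY[severity.lower()]
    raise ValueError(f"no syslog severity mapping for log type {log_type!r}")


# Constructed sample Config log body (not a real firewall message): the path
# field contains a comma and an embedded quote, so it is quoted and escaped.
SAMPLE_CONFIG_LOG = (
    "1,2016/06/07 10:15:32,001234567890,config,0,0,2016/06/07 10:15:32,"
    "192.0.2.10,vsys1,set,admin,Web,Succeeded,"
    '"vsys vsys1 rulebase security rules allow-snmp description '
    '""SNMP polling, read-only""",'
    "1234,0x0,,,12,34,45,0,vsys1,fw-edge-01"
)

if __name__ == "__main__":
    record = parse_config_log(SAMPLE_CONFIG_LOG)
    group, ancestors = device_group_chain(record)
    print(f"{record['admin']} via {record['client']}: {record['cmd']} {record['path']}")
    print(f"device group {group}, ancestors {ancestors}")
    print("syslog severity:", syslog_severity(record["type"]))
```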


SNMP Monitoring and Traps

The following topics describe how Palo Alto Networks firewalls, Panorama, and WF-500 appliances implement Simple Network Management Protocol (SNMP), and the procedures to configure SNMP monitoring and trap delivery.
SNMP Support
Use an SNMP Manager to Explore MIBs and Objects
Enable SNMP Services for Firewall-Secured Network Elements
Monitor Statistics Using SNMP
Forward Traps to an SNMP Manager
Supported MIBs

SNMP Support

You can use a Simple Network Management Protocol (SNMP) manager to monitor event-driven alerts and operational statistics for the firewall, Panorama, or WF-500 appliance and for the traffic they process. The statistics and traps can help you identify resource limitations, system changes or failures, and malware attacks. You configure alerts by forwarding log data as traps, and enable the delivery of statistics in response to GET messages (requests) from your SNMP manager. Each trap and statistic has an object identifier (OID). Related OIDs are organized hierarchically within the Management Information Bases (MIBs) that you load into the SNMP manager to enable monitoring.

When an event triggers SNMP trap generation (for example, an interface goes down), the firewall, Panorama virtual appliance, M-Series appliance, and WF-500 appliance respond by updating the corresponding SNMP object (for example, the interfaces MIB) instead of waiting for the periodic update of all objects that occurs every ten seconds. This ensures that your SNMP manager displays the latest information when polling an object to confirm an event.

The firewall, Panorama, and WF-500 appliance support SNMP Version 2c and Version 3. Decide which to use based on the version that other devices in your network support and on your network security requirements. SNMPv3 is more secure and enables more granular access control for system statistics than SNMPv2c. The following table summarizes the security features of each version. You select the version and configure the security features when you Monitor Statistics Using SNMP and Forward Traps to an SNMP Manager.

SNMP Version | Authentication | Message Privacy | Message Integrity | MIB Access Granularity
SNMPv2c | Community string | No (cleartext) | No | SNMP community access for all MIBs on a device
SNMPv3 | EngineID, username, and authentication password (SHA hashing for the password) | Privacy password for AES-128 encryption of SNMP messages | Yes | User access based on views that include or exclude specific OIDs


Figure: SNMP Implementation illustrates a deployment in which firewalls forward traps to an SNMP manager while also forwarding logs to Log Collectors. Alternatively, you could configure the Log Collectors to forward the firewall traps to the SNMP manager. For details on these deployments, refer to Log Forwarding Options. In all deployments, the SNMP manager gets statistics directly from the firewall, Panorama, or WF-500 appliance. In this example, a single SNMP manager collects both traps and statistics, though you can use separate managers for these functions if that better suits your network.

Figure: SNMP Implementation

Use an SNMP Manager to Explore MIBs and Objects

To use SNMP for monitoring Palo Alto Networks firewalls, Panorama, or WF-500 appliances, you must first load the Supported MIBs into your SNMP manager and determine which object identifiers (OIDs) correspond to the system statistics and traps you want to monitor. The following topics provide an overview of how to find OIDs and MIBs in an SNMP manager. For the specific steps to perform these tasks, refer to your SNMP management software.
Identify a MIB Containing a Known OID
Walk a MIB
Identify the OID for a System Statistic or Trap

Identify a MIB Containing a Known OID

If you already know the OID for a particular SNMP object (statistic or trap) and want to know the OIDs of similar objects so you can monitor them, you can explore the MIB that contains the known OID.


Identify a MIB Containing a Known OID

Step 1 Load all the Supported MIBs into your SNMP manager.

Step 2 Search the entire MIB tree for the known OID. The search result displays the MIB path for the OID, as well as information about the OID (for example, name, status, and description). You can then select other OIDs in the same MIB to see information about them.

Step 3 Optionally, Walk a MIB to display all its objects.

Walk a MIB

If you want to see which SNMP objects (system statistics and traps) are available for monitoring, displaying all the objects of a particular MIB can be useful. To do this, load the Supported MIBs into your SNMP manager and perform a walk on the desired MIB. To list the traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support, walk the panCommonEventEventsV2 MIB. In the following example, walking the PAN-COMMON-MIB.my displays the following list of OIDs and their values for certain statistics:


Identify the OID for a System Statistic or Trap

To use an SNMP manager for monitoring Palo Alto Networks firewalls, Panorama, or WF-500 appliances, you must know the OIDs of the system statistics and traps you want to monitor.

Identify the OID for a Statistic or Trap

Step 1 Review the Supported MIBs to determine which one contains the type of statistic you want. For example, the PAN-COMMON-MIB.my contains hardware version information. The panCommonEventEventsV2 MIB contains all the traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support.

Step 2 Open the MIB in a text editor and perform a keyword search. For example, using Hardware version as a search string in PAN-COMMON-MIB identifies the panSysHwVersion object:
panSysHwVersion OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..128))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Hardware version of the unit."
    ::= {panSys 2}


Identify the OID for a Statistic or Trap (Continued)

Step 3 In a MIB browser, search the MIB tree for the identified object name to display its OID. For example, the panSysHwVersion object has an OID of 1.3.6.1.4.1.25461.2.1.2.1.2.


Enable SNMP Services for Firewall-Secured Network Elements

If you will use Simple Network Management Protocol (SNMP) to monitor or manage network elements (for example, switches and routers) that are within the security zones of Palo Alto Networks firewalls, you must create a security rule that allows SNMP services for those elements.

You don't need a security rule to enable SNMP monitoring of Palo Alto Networks firewalls, Panorama, or WF-500 appliances. For details, see Monitor Statistics Using SNMP.

Enable SNMP Services for Firewall-Secured Network Elements

Step 1 Create an application group.
1. Select Objects > Application Group and click Add.
2. Enter a Name to identify the application group.
3. Click Add, type snmp, and select snmp and snmp-trap from the drop-down.
4. Click OK to save the application group.

Step 2 Create a security rule to allow SNMP services.
1. Select Policies > Security and click Add.
2. In the General tab, enter a Name for the rule.
3. In the Source and Destination tabs, click Add and enter a Source Zone and a Destination Zone for the traffic.
4. In the Applications tab, click Add, type the name of the application group you just created, and select it from the drop-down.
5. In the Actions tab, verify that the Action is set to Allow, and then click OK and Commit.

Monitor Statistics Using SNMP

The statistics that a Simple Network Management Protocol (SNMP) manager collects from Palo Alto Networks firewalls can help you gauge the health of your network (systems and connections), identify resource limitations, and monitor traffic or processing loads. The statistics include information such as interface states (up or down), active user sessions, concurrent sessions, session utilization, temperature, and system uptime.

You can't configure an SNMP manager to control Palo Alto Networks firewalls (using SET messages), only to collect statistics from them (using GET messages).
For details on how SNMP is implemented for Palo Alto Networks firewalls, see SNMP Support.


Monitor Statistics Using SNMP

Step 1 Configure the SNMP Manager to get statistics from firewalls.
The following steps provide an overview of the tasks you perform on the SNMP manager. For the specific steps, refer to the documentation of your SNMP manager.
1. To enable the SNMP manager to interpret firewall statistics, load the Supported MIBs for Palo Alto Networks firewalls and, if necessary, compile them.
2. For each firewall that the SNMP manager will monitor, define the connection settings (IP address and port) and authentication settings (SNMPv2c community string or SNMPv3 EngineID/username/password) for the firewall. Note that all Palo Alto Networks firewalls use port 161. The SNMP manager can use the same or different connection and authentication settings for multiple firewalls. The settings must match those you define when you configure SNMP on the firewall (see Step 3). For example, if you use SNMPv2c, the community string you define when configuring the firewall must match the community string you define in the SNMP manager for that firewall.
3. Determine the object identifiers (OIDs) of the statistics you want to monitor. For example, to monitor the session utilization percentage of a firewall, a MIB browser shows that this statistic corresponds to OID 1.3.6.1.4.1.25461.2.1.2.3.1.0 in PAN-COMMON-MIB.my. For details, see Use an SNMP Manager to Explore MIBs and Objects.
4. Configure the SNMP manager to monitor the desired OIDs.

Step 2 Enable SNMP traffic on a firewall interface. This is the interface that will receive statistics requests from the SNMP manager.
PAN-OS doesn't synchronize management (MGT) interface settings for firewalls in a high availability (HA) configuration. You must configure the interface for each HA peer.
Perform this step in the firewall web interface.
To enable SNMP traffic on the MGT interface, select Device > Setup > Management, edit the Management Interface Settings, select SNMP, and then click OK and Commit.
To enable SNMP traffic on any other interface, create an interface management profile for SNMP services and assign the profile to the interface that will receive the SNMP requests. The interface type must be Layer 3 Ethernet.


Monitor Statistics Using SNMP (Continued)

Step 3 Configure the firewall to respond to statistics requests from an SNMP manager.
PAN-OS doesn't synchronize SNMP response settings for firewalls in a high availability (HA) configuration. You must configure these settings for each HA peer.
1. Select Device > Setup > Operations and, in the Miscellaneous section, click SNMP Setup.
2. Select the SNMP Version and configure the authentication values as follows. For version details, see SNMP Support.
V2c: Enter the SNMP Community String, which identifies a community of SNMP managers and monitored devices, and serves as a password to authenticate the community members to each other.
As a best practice, don't use the default community string public; it's well known and therefore not secure.
V3: Create at least one SNMP view group and one user. User accounts and views provide authentication, privacy, and access control when firewalls forward traps and SNMP managers get firewall statistics.
Views: Each view is a paired OID and bitwise mask: the OID specifies a MIB and the mask (in hexadecimal format) specifies which objects are accessible within (include matching) or outside (exclude matching) that MIB. Click Add in the first list and enter a Name for the group of views. For each view in the group, click Add and configure the view Name, OID, matching Option (include or exclude), and Mask.
Users: Click Add in the second list, enter a username under Users, select the View group from the drop-down, enter the authentication password (Auth Password) used to authenticate to the SNMP manager, and enter the privacy password (Priv Password) used to encrypt SNMP messages to the SNMP manager.
3. Click OK and Commit.

Step 4 Monitor the firewall statistics in an SNMP manager.
Refer to the documentation of your SNMP manager.
When monitoring statistics related to firewall interfaces, you must match the interface indexes in the SNMP manager with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.
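How the OID, Mask and include/exclude Option of the views in Step 3 decide which objects an SNMPv3 user can read, as an added Python example (not code from this guide or from PAN-OS). It implements the RFC 3415 view-based access control rules for OID-plus-mask view families and assumes that PAN-OS evaluates its hexadecimal Mask field with those same semantics; the view group below (the panSys exclusion and the ifIndex 3 wildcard) is constructed for illustration, while the two OIDs from this guide, 1.3.6.1.4.1.25461.2.1.2.1.2 (panSysHwVersion) and 1.3.6.1.4.1.25461.2.1.2.3.1.0 (session utilization), are used as the objects being polled.

```python
# Added example: evaluate SNMPv3 view groups (OID + hexadecimal mask +
# include/exclude) as RFC 3415 VACM "families of view subtrees", the model
# the guide's Views description corresponds to. Assumption: PAN-OS applies
# the Mask field with these RFC 3415 semantics.


def parse_oid(text):
    """'1.3.6.1.4.1.25461' -> (1, 3, 6, 1, 4, 1, 25461)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask_hex, length):
    """Expand a hex mask such as 'ff' or 'ffa0' into one bit per sub-identifier.
    Bit 1 means the sub-identifier must match exactly, 0 means wildcard; a mask
    shorter than the subtree is extended with 1s (RFC 3415), so '' or 'ff'
    means the whole subtree must match. Accepts '0x', '.' and ':' separators."""
    cleaned = mask_hex.lower().replace("0x", "").replace(".", "").replace(":", "")
    bits = []
    for octet in bytes.fromhex(cleaned):          # raises on odd-length hex
        bits.extend((octet >> (7 - n)) & 1 for n in range(8))
    return (bits + [1] * length)[:length]


def in_family(oid, subtree, mask_hex):
    """True if oid belongs to the family of subtrees defined by (subtree, mask)."""
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask_hex, len(subtree))
    return all(bit == 0 or o == s for o, s, bit in zip(oid, subtree, bits))


def is_accessible(oid_text, views):
    """Decide whether a user bound to this view group may read oid_text.
    views: iterable of (subtree OID text, mask hex, 'include' | 'exclude').
    Of all matching entries the one with the most sub-identifiers wins, ties
    going to the lexicographically greatest subtree (RFC 3415 section 3.5);
    an OID matched by no entry is not accessible."""
    oid = parse_oid(oid_text)
    best = None
    for subtree_text, mask_hex, option in views:
        subtree = parse_oid(subtree_text)
        if in_family(oid, subtree, mask_hex):
            rank = (len(subtree), subtree)
            if best is None or rank > best[0]:
                best = (rank, option.lower())
    return best is not None and best[1] == "include"


# Constructed view group (illustration only, not a recommended configuration):
# read the whole Palo Alto Networks enterprise tree, but hide panSys
# 1.3.6.1.4.1.25461.2.1.2.1 (the branch holding panSysHwVersion), and expose
# every ifTable column for ifIndex 3 only, by wildcarding the column
# sub-identifier (bit 10) with mask ffa0 = 1111 1111 1010 0000.
MONITORING_VIEWS = [
    ("1.3.6.1.4.1.25461", "ff", "include"),
    ("1.3.6.1.4.1.25461.2.1.2.1", "ffe0", "exclude"),
    ("1.3.6.1.2.1.2.2.1.1.3", "ffa0", "include"),
]

if __name__ == "__main__":
    for name, oid in [
        ("session utilization", "1.3.6.1.4.1.25461.2.1.2.3.1.0"),
        ("panSysHwVersion", "1.3.6.1.4.1.25461.2.1.2.1.2"),
        ("ifInOctets.3", "1.3.6.1.2.1.2.2.1.10.3"),
        ("ifInOctets.4", "1.3.6.1.2.1.2.2.1.10.4"),
    ]:
        verdict = "readable" if is_accessible(oid, MONITORING_VIEWS) else "denied"
        print(f"{name:20} {oid:32} {verdict}")
```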

Forward Traps to an SNMP Manager

Simple Network Management Protocol (SNMP) traps can alert you to system events (failures or changes in hardware or software of Palo Alto Networks firewalls) or to threats (traffic that matches a firewall security rule) that require immediate attention.

To see the list of traps that Palo Alto Networks firewalls support, use your SNMP Manager to access the panCommonEventEventsV2 MIB. For details, see Use an SNMP Manager to Explore MIBs and Objects.
For details on how Palo Alto Networks firewalls implement SNMP, see SNMP Support.


Forward Firewall Traps to an SNMP Manager

Step 1 Enable the SNMP manager to interpret the traps it receives.
Load the Supported MIBs for Palo Alto Networks firewalls and, if necessary, compile them. For the specific steps, refer to the documentation of your SNMP manager.

Step 2 Configure an SNMP Trap server profile. The profile defines how the firewall accesses the SNMP managers (trap servers). You can define up to four SNMP managers for each profile.
Optionally, configure separate SNMP Trap server profiles for different log types, severity levels, and WildFire verdicts.
1. Log in to the firewall web interface.
2. Select Device > Server Profiles > SNMP Trap.
3. Click Add and enter a Name for the profile.
4. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
5. Select the SNMP Version and configure the authentication values as follows. For version details, see SNMP Support.
V2c: For each server, click Add and enter the server Name, IP address (SNMP Manager), and Community String. The community string identifies a community of SNMP managers and monitored devices, and serves as a password to authenticate the community members to each other.
As a best practice, don't use the default community string public; it's well known and therefore not secure.
V3: For each server, click Add and enter the server Name, IP address (SNMP Manager), SNMP User account (this must match a username defined in the SNMP manager), EngineID used to uniquely identify the firewall (you can leave the field blank to use the firewall serial number), authentication password (Auth Password) used to authenticate to the server, and privacy password (Priv Password) used to encrypt SNMP messages to the server.
6. Click OK to save the server profile.

Step 3 Configure log forwarding.
1. Configure the destinations of Traffic, Threat, and WildFire traps:
a. Create a log forwarding profile. For each log type and each severity level or WildFire verdict, select the SNMP Trap server profile.
b. Assign the log forwarding profile to security rules. The rules will trigger trap generation and forwarding.
2. Configure the destinations for System, Config, HIP Match, and Correlation logs. For each log (trap) type and severity level, select the SNMP Trap server profile.
3. Click Commit.

Step 4 Monitor the traps in an SNMP manager.
Refer to the documentation of your SNMP manager.
When monitoring traps related to firewall interfaces, you must match the interface indexes in the SNMP manager with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.


Supported MIBs

The following table lists the Simple Network Management Protocol (SNMP) management information bases (MIBs) that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support. You must load these MIBs into your SNMP manager to monitor the objects (system statistics and traps) that are defined in the MIBs. For details, see Use an SNMP Manager to Explore MIBs and Objects.

MIB Type | Supported MIBs
Standard. The Internet Engineering Task Force (IETF) maintains most standard MIBs. You can download the MIBs from the IETF website. Palo Alto Networks firewalls, Panorama, and WF-500 appliances don't support every object (OID) in every one of these MIBs. See the Supported MIBs links for an overview of the supported OIDs. | MIB-II, IF-MIB, HOST-RESOURCES-MIB, ENTITY-MIB, ENTITY-SENSOR-MIB, ENTITY-STATE-MIB, IEEE 802.3 LAG MIB, LLDP-V2-MIB.my, BFD-STD-MIB
Enterprise. You can download the enterprise MIBs from the Palo Alto Networks Technical Documentation site. | PAN-COMMON-MIB.my, PAN-GLOBAL-REG-MIB.my, PAN-GLOBAL-TC-MIB.my, PAN-LC-MIB.my, PAN-PRODUCT-MIB.my, PAN-ENTITY-EXT-MIB.my, PAN-TRAPS.my

MIB-II

MIB-II provides object identifiers (OIDs) for network management protocols in TCP/IP-based networks. Use this MIB to monitor general information about systems and interfaces. For example, you can analyze trends in bandwidth usage by interface type (ifType object) to determine if the firewall needs more interfaces of that type to accommodate spikes in traffic volume.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only the following object groups:

Object Group | Description
system | Provides system information such as the hardware model, system uptime, FQDN, and physical location.
interfaces | Provides statistics for physical and logical interfaces such as type, current bandwidth (speed), operational status (for example, up or down), and discarded packets. Logical interface support includes VPN tunnels, aggregate groups, Layer 2 subinterfaces, Layer 3 subinterfaces, loopback interfaces, and VLAN interfaces.

RFC 1213 defines this MIB.


IF-MIB

IF-MIB supports interface types (physical and logical) and larger counters (64K) beyond those defined in MIB-II. Use this MIB to monitor interface statistics in addition to those that MIB-II provides. For example, to monitor the current bandwidth of high-speed interfaces (greater than 2.2 Gbps) such as the 10G interfaces of the PA-5000 Series firewalls, you must check the ifHighSpeed object in IF-MIB instead of the ifSpeed object in MIB-II. IF-MIB statistics can be useful when evaluating the capacity of your network.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only the ifXTable in IF-MIB, which provides interface information such as the number of multicast and broadcast packets transmitted and received, whether an interface is in promiscuous mode, and whether an interface has a physical connector.
RFC 2863 defines this MIB.

HOST-RESOURCES-MIB

HOST-RESOURCES-MIB provides information for host computer resources. Use this MIB to monitor CPU and memory usage statistics. For example, checking the current CPU load (hrProcessorLoad object) can help you troubleshoot performance issues on the firewall.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support portions of the following object groups:

Object Group | Description
hrDevice | Provides information such as CPU load, storage capacity, and partition size. The hrProcessorLoad OIDs provide an average of the cores that process packets. For the PA-5060 firewall, which has multiple dataplanes (DPs), the average is of the cores across all three DPs that process packets.
hrSystem | Provides information such as system uptime, number of current user sessions, and number of current processes.
hrStorage | Provides information such as the amount of used storage.

RFC 2790 defines this MIB.

ENTITY-MIB

ENTITY-MIB provides OIDs for multiple logical and physical components. Use this MIB to determine what physical components are loaded on a system (for example, fans and temperature sensors) and see related information such as models and serial numbers. You can also use the index numbers for these components to determine their operational status in the ENTITY-SENSOR-MIB and ENTITY-STATE-MIB.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only portions of the entPhysicalTable group:

Object | Description
entPhysicalIndex | A single namespace that includes disk slots and disk drives.
entPhysicalDescr | The component description.
entPhysicalVendorType | The sysObjectID (see PAN-PRODUCT-MIB.my) when it is available (chassis and module objects).
entPhysicalContainedIn | The value of entPhysicalIndex for the component that contains this component.
entPhysicalClass | Chassis (3), container (5) for a slot, power supply (6), fan (7), sensor (8) for each temperature or other environmental sensor, and module (9) for each line card.
entPhysicalParentRelPos | The relative position of this child component among its sibling components. Sibling components are defined as entPhysicalEntry components that share the same instance values of each of the entPhysicalContainedIn and entPhysicalClass objects.
entPhysicalName | Supported only if the management (MGT) interface allows for naming the line card.
entPhysicalHardwareRev | The vendor-specific hardware revision of the component.
entPhysicalFirmwareRev | The vendor-specific firmware revision of the component.
entPhysicalSoftwareRev | The vendor-specific software revision of the component.
entPhysicalSerialNum | The vendor-specific serial number of the component.
entPhysicalMfgName | The name of the manufacturer of the component.
entPhysicalMfgDate | The date when the component was manufactured.
entPhysicalModelName | The disk model number.
entPhysicalAlias | An alias that the network manager specified for the component.
entPhysicalAssetID | A user-assigned asset tracking identifier that the network manager specified for the component.
entPhysicalIsFRU | Indicates whether the component is a field replaceable unit (FRU).
entPhysicalUris | The Common Language Equipment Identifier (CLEI) number of the component (for example, URN:CLEI:CNME120ARA).

RFC 4133 defines this MIB.

ENTITY-SENSOR-MIB

ENTITY-SENSOR-MIB adds support for physical sensors of networking equipment beyond what ENTITY-MIB defines. Use this MIB in tandem with the ENTITY-MIB to monitor the operational status of the physical components of a system (for example, fans and temperature sensors). For example, to troubleshoot issues that might result from environmental conditions, you can map the entity indexes from the ENTITY-MIB (entPhysicalDescr object) to operational status values (entPhySensorOperStatus object) in the ENTITY-SENSOR-MIB. In the following example, all the fans and temperature sensors for a PA-3020 firewall are working:

The same OID might refer to different sensors on different platforms. Use the ENTITY-MIB for the targeted platform to match the value to the description.

Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only portions of the entPhySensorTable group. The supported portions vary by platform and include only thermal (temperature in Celsius) and fan (in RPM) sensors.
RFC 3433 defines the ENTITY-SENSOR-MIB.

ENTITY-STATE-MIB

ENTITY-STATE-MIB provides information about the state of physical components beyond what ENTITY-MIB defines, including the administrative and operational state of components in chassis-based platforms. Use this MIB in tandem with the ENTITY-MIB to monitor the operational state of the components of a PA-7000 Series firewall (for example, line cards, fan trays, and power supplies). For example, to troubleshoot log forwarding issues for Threat logs, you can map the log processing card (LPC) indexes from the ENTITY-MIB (entPhysicalDescr object) to operational state values (entStateOper object) in the ENTITY-STATE-MIB. The operational state values use numbers to indicate state: 1 for unknown, 2 for disabled, 3 for enabled, and 4 for testing. The PA-7000 Series firewall is the only Palo Alto Networks firewall that supports this MIB.
RFC 4268 defines the ENTITY-STATE-MIB.

IEEE802.3LAGMIB

UsetheIEEE802.3LAGMIBtomonitorthestatusofaggregategroupsthathaveLinkAggregationControl
Protocol(ECMP)enabled.WhenthefirewalllogsLACPevents,italsogeneratestrapsthatareusefulfor
troubleshooting.Forexample,thetrapscantellyouwhethertrafficinterruptionsbetweenthefirewalland
anLACPpeerresultedfromlostconnectivityorfrommismatchedinterfacespeedandduplexvalues.
PANOSimplementsthefollowingSNMPtablesforLACP.Notethatthedot3adTablesLastChangedobject
indicatesthetimeofthemostrecentchangetodot3adAggTable,dot3adAggPortListTable,and
dot3adAggPortTable.

352 PANOS7.1AdministratorsGuide PaloAltoNetworks,Inc.


Monitoring SNMPMonitoringandTraps

Aggregator Configuration Table (dot3adAggTable)
    This table contains information about every aggregate group that is associated with a firewall. Each
    aggregate group has one entry.
    Some table objects have restrictions, which the dot3adAggIndex object describes. This index is the
    unique identifier that the local system assigns to the aggregate group. It identifies an aggregate group
    instance among the subordinate managed objects of the containing object. The identifier is read-only.
    The ifTable MIB (a list of interface entries) does not support logical interfaces and therefore does not
    have an entry for the aggregate group.

Aggregation Port List Table (dot3adAggPortListTable)
    This table lists the ports associated with each aggregate group in a firewall. Each aggregate group has
    one entry.
    The dot3adAggPortListPorts attribute lists the complete set of ports associated with an aggregate group.
    Each bit set in the list represents a port member. For non-chassis platforms, this is a 64-bit value. For
    chassis platforms, the value is an array of eight 64-bit entries.

Aggregation Port Table (dot3adAggPortTable)
    This table contains LACP configuration information about every port associated with an aggregate group
    in a firewall. Each port has one entry. The table has no entries for ports that are not associated with
    an aggregate group.

LACP Statistics Table (dot3adAggPortStatsTable)
    This table contains link aggregation information about every port associated with an aggregate group in
    a firewall. Each port has one row. The table has no entries for ports that are not associated with an
    aggregate group.

The IEEE 802.3 LAG MIB includes the following LACP-related traps:

Trap Name                    Description

panLACPLostConnectivityTrap  The peer lost connectivity to the firewall.
panLACPUnresponsiveTrap      The peer does not respond to the firewall.
panLACPNegoFailTrap          LACP negotiation with the peer failed.
panLACPSpeedDuplexTrap       The link speed and duplex settings on the firewall and peer do not match.
panLACPLinkDownTrap          An interface in the aggregate group is down.
panLACPLacpDownTrap          An interface was removed from the aggregate group.
panLACPLacpUpTrap            An interface was added to the aggregate group.

For the MIB definitions, refer to IEEE 802.3 LAG MIB.

LLDP-V2-MIB.my

Use the LLDP-V2-MIB to monitor Link Layer Discovery Protocol (LLDP) events. For example, you can check
the lldpV2StatsRxPortFramesDiscardedTotal object to see the number of LLDP frames that were discarded
for any reason. The Palo Alto Networks firewall uses LLDP to discover neighboring devices and their
capabilities. LLDP makes troubleshooting easier, especially for virtual wire deployments where the ping or
traceroute utilities won't detect the firewall.
Palo Alto Networks firewalls support all the LLDP-V2-MIB objects except:

The following lldpV2Statistics objects:
    lldpV2StatsRemTablesLastChangeTime
    lldpV2StatsRemTablesInserts
    lldpV2StatsRemTablesDeletes
    lldpV2StatsRemTablesDrops
    lldpV2StatsRemTablesAgeouts
The following lldpV2RemoteSystemsData objects:
    The lldpV2RemOrgDefInfoTable table
    In the lldpV2RemTable table: lldpV2RemTimeMark
RFC 4957 defines this MIB.

BFD-STD-MIB

Use the Bidirectional Forwarding Detection (BFD) MIB to monitor and receive failure alerts for the
bidirectional path between two forwarding engines, such as interfaces, data links, or the actual engines. For
example, you can check the bfdSessState object to see the state of a BFD session between forwarding
engines. In the Palo Alto Networks implementation, one of the forwarding engines is a firewall interface and
the other is an adjacent configured BFD peer.
RFC 7331 defines this MIB.

PAN-COMMON-MIB.my

Use the PAN-COMMON-MIB to monitor the following information for Palo Alto Networks firewalls,
Panorama, and WF-500 appliances:

panSys
    Contains such objects as system software/hardware versions, dynamic content versions, serial number,
    HA mode/state, and global counters.
    The global counters include those related to Denial of Service (DoS), IP fragmentation, TCP state, and
    dropped packets. Tracking these counters enables you to monitor traffic irregularities that result from
    DoS attacks, system or connection faults, or resource limitations. PAN-COMMON-MIB supports global
    counters for firewalls but not for Panorama.

panChassis
    Chassis type and M-Series appliance mode (Panorama or Log Collector).

panSession
    Session utilization information. For example, the total number of active sessions on the firewall or a
    specific virtual system.

panMgmt
    Status of the connection from the firewall to the Panorama management server.

panGlobalProtect
    GlobalProtect gateway utilization as a percentage, maximum tunnels allowed, and number of active
    tunnels.

panLogCollector
    Log Collector information such as the logging rate, log database storage duration (in days), and RAID
    disk usage.

PAN-GLOBAL-REG-MIB.my

PAN-GLOBAL-REG-MIB.my contains global, top-level OID definitions for various sub-trees of Palo Alto
Networks enterprise MIB modules. This MIB doesn't contain objects for you to monitor; it is required only
for referencing by other MIBs.

PAN-GLOBAL-TC-MIB.my

PAN-GLOBAL-TC-MIB.my defines conventions (for example, character length and allowed characters) for
the text values of objects in Palo Alto Networks enterprise MIB modules. All Palo Alto Networks products
use these conventions. This MIB doesn't contain objects for you to monitor; it is required only for
referencing by other MIBs.

PAN-LC-MIB.my

PAN-LC-MIB.my contains definitions of managed objects that Log Collectors (M-Series appliances in Log
Collector mode) implement. Use this MIB to monitor the logging rate, log database storage duration (in days),
and disk usage (in MB) of each logical disk (up to four) on a Log Collector. For example, you can use this
information to determine whether you should add more Log Collectors or forward logs to an external server
(for example, a syslog server) for archiving.

PAN-PRODUCT-MIB.my

PAN-PRODUCT-MIB.my defines sysObjectID OIDs for all Palo Alto Networks products. This MIB doesn't
contain objects for you to monitor; it is required only for referencing by other MIBs.

PAN-ENTITY-EXT-MIB.my

Use PAN-ENTITY-EXT-MIB.my in tandem with the ENTITY-MIB to monitor power usage for the physical
components of a PA-7000 Series firewall (for example, fan trays and power supplies), which is the only Palo
Alto Networks firewall that supports this MIB. For example, when troubleshooting log forwarding issues, you
might want to check the power usage of the log processing cards (LPCs): you can map the LPC indexes from
the ENTITY-MIB (entPhysicalDescr object) to values in the PAN-ENTITY-EXT-MIB
(panEntryFRUModelPowerUsed object).

PAN-TRAPS.my

Use PAN-TRAPS.my to see a complete listing of all the generated traps and information about them (for
example, a description). For a list of traps that Palo Alto Networks firewalls, Panorama, and WF-500
appliances support, refer to the PAN-COMMON-MIB.my > panCommonEvents > panCommonEventsEvents >
panCommonEventEventsV2 object.

NetFlow Monitoring

NetFlow is an industry-standard protocol that the firewall can use to export statistics about the IP traffic that
traverses its interfaces. The firewall exports the statistics as NetFlow fields to a NetFlow collector. The
NetFlow collector is a server you use to analyze network traffic for security, administration, accounting and
troubleshooting. All Palo Alto Networks firewalls support NetFlow (Version 9) except the PA-4000 Series
and PA-7000 Series firewalls. The firewalls support only unidirectional NetFlow, not bidirectional. You can
enable NetFlow exports on all interface types except HA, log card, or decrypt mirror. To identify firewall
interfaces in a NetFlow collector, see Firewall Interface Identifiers in SNMP Managers and NetFlow
Collectors. The firewall supports standard and enterprise (PAN-OS specific) NetFlow templates.
    Configure NetFlow Exports
    NetFlow Templates

Configure NetFlow Exports

Step 1  Create a NetFlow server profile.
    1. Select Device > Server Profiles > NetFlow and click Add.
    2. Enter a Name for the profile.
    3. Specify the frequency at which the firewall refreshes NetFlow Templates in Minutes (default is 30) or
       Packets (default is 20), according to the requirements of your NetFlow collector.
    4. For the Active Timeout, specify the frequency in minutes at which the firewall exports records
       (default is 5).
    5. Select the PAN-OS Field Types check box if you want the firewall to export App-ID and User-ID fields.
    6. For each NetFlow collector (up to two per profile) that will receive fields, click Add and enter an
       identifying server Name, hostname or IP address (NetFlow Server), and access Port (default is 2055).
    7. Click OK to save the profile.

Step 2  Assign the NetFlow server profile to the interfaces that carry the traffic you want to analyze.
        In this example, you assign the profile to an existing Ethernet interface.
    1. Select Network > Interfaces > Ethernet and click an interface name to edit it.
    2. In the NetFlow Profile drop-down, select the NetFlow server profile and click OK.
    3. Click Commit.

Step 3  Monitor the firewall traffic in a NetFlow collector.
    Refer to the documentation for your NetFlow collector.
    When monitoring statistics, you must match the interface indexes in the NetFlow collector with interface
    names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and
    NetFlow Collectors.

NetFlow Templates

NetFlow collectors use templates to decipher the fields that the firewall exports. The firewall selects a
template based on the type of exported data: IPv4 or IPv6 traffic, with or without NAT, and with standard
or enterprise-specific (PAN-OS specific) fields. The firewall periodically refreshes templates to re-evaluate
which one to use (in case the type of exported data changes) and to apply any changes to the fields in the
selected template. When you Configure NetFlow Exports, you set the refresh frequency according to the
requirements of your NetFlow collector.
The Palo Alto Networks firewall supports the following NetFlow templates:

Template                     ID

IPv4 Standard                256
IPv4 Enterprise              257
IPv6 Standard                258
IPv6 Enterprise              259
IPv4 with NAT Standard       260
IPv4 with NAT Enterprise     261
IPv6 with NAT Standard       262
IPv6 with NAT Enterprise     263

The following table lists the NetFlow fields that the firewall can send (value and field name), along with a
description and the templates that define them:

1  IN_BYTES
    Incoming counter with length N*8 bits for the number of bytes associated with an IP flow. By default,
    N is 4.
    Templates: All templates

2  IN_PKTS
    Incoming counter with length N*8 bits for the number of packets associated with an IP flow. By
    default, N is 4.
    Templates: All templates

4  PROTOCOL
    IP protocol byte.
    Templates: All templates

5  TOS
    Type of Service byte setting when entering the ingress interface.
    Templates: All templates

6  TCP_FLAGS
    Total of all the TCP flags in this flow.
    Templates: All templates

7  L4_SRC_PORT
    TCP/UDP source port number (for example, FTP, Telnet, or equivalent).
    Templates: All templates

8  IPV4_SRC_ADDR
    IPv4 source address.
    Templates: IPv4 standard, IPv4 enterprise, IPv4 with NAT standard, IPv4 with NAT enterprise

10  INPUT_SNMP
    Input interface index. The value length is 2 bytes by default, but higher values are possible. For
    details on how Palo Alto Networks firewalls generate interface indexes, see Firewall Interface
    Identifiers in SNMP Managers and NetFlow Collectors.
    Templates: All templates

11  L4_DST_PORT
    TCP/UDP destination port number (for example, FTP, Telnet, or equivalent).
    Templates: All templates

12  IPV4_DST_ADDR
    IPv4 destination address.
    Templates: IPv4 standard, IPv4 enterprise, IPv4 with NAT standard, IPv4 with NAT enterprise

14  OUTPUT_SNMP
    Output interface index. The value length is 2 bytes by default, but higher values are possible. For
    details on how Palo Alto Networks firewalls generate interface indexes, see Firewall Interface
    Identifiers in SNMP Managers and NetFlow Collectors.
    Templates: All templates

21  LAST_SWITCHED
    System uptime in milliseconds when the last packet of this flow was switched.
    Templates: All templates

22  FIRST_SWITCHED
    System uptime in milliseconds when the first packet of this flow was switched.
    Templates: All templates

27  IPV6_SRC_ADDR
    IPv6 source address.
    Templates: IPv6 standard, IPv6 enterprise, IPv6 with NAT standard, IPv6 with NAT enterprise

28  IPV6_DST_ADDR
    IPv6 destination address.
    Templates: IPv6 standard, IPv6 enterprise, IPv6 with NAT standard, IPv6 with NAT enterprise

32  ICMP_TYPE
    Internet Control Message Protocol (ICMP) packet type. This is reported as:
    ICMP Type * 256 + ICMP code
    Templates: All templates

61  DIRECTION
    Flow direction:
    0 = ingress
    1 = egress
    Templates: All templates

148  flowId
    An identifier of a flow that is unique within an observation domain. You can use this information
    element to distinguish between different flows if flow keys such as IP addresses and port numbers are
    not reported or are reported in separate records. The flow ID corresponds to the session ID field in
    Traffic and Threat logs.
    Templates: All templates

233  firewallEvent
    Indicates a firewall event:
    0 = Ignore (invalid)
    1 = Flow created
    2 = Flow deleted
    3 = Flow denied
    4 = Flow alert
    5 = Flow update (the session state changed from active to deny)
    Templates: All templates

225  postNATSourceIPv4Address
    The definition of this information element is identical to that of sourceIPv4Address, except that it
    reports a modified value that the firewall produced during network address translation after the packet
    traversed the interface.
    Templates: IPv4 with NAT standard, IPv4 with NAT enterprise

226  postNATDestinationIPv4Address
    The definition of this information element is identical to that of destinationIPv4Address, except that
    it reports a modified value that the firewall produced during network address translation after the
    packet traversed the interface.
    Templates: IPv4 with NAT standard, IPv4 with NAT enterprise

227  postNAPTSourceTransportPort
    The definition of this information element is identical to that of sourceTransportPort, except that it
    reports a modified value that the firewall produced during network address port translation after the
    packet traversed the interface.
    Templates: IPv4 with NAT standard, IPv4 with NAT enterprise

228  postNAPTDestinationTransportPort
    The definition of this information element is identical to that of destinationTransportPort, except
    that it reports a modified value that the firewall produced during network address port translation
    after the packet traversed the interface.
    Templates: IPv4 with NAT standard, IPv4 with NAT enterprise

281  postNATSourceIPv6Address
    The definition of this information element is identical to the definition of information element
    sourceIPv6Address, except that it reports a modified value that the firewall produced during NAT64
    network address translation after the packet traversed the interface. See RFC 2460 for the definition
    of the source address field in the IPv6 header. See RFC 6146 for the NAT64 specification.
    Templates: IPv6 with NAT standard, IPv6 with NAT enterprise

282  postNATDestinationIPv6Address
    The definition of this information element is identical to the definition of information element
    destinationIPv6Address, except that it reports a modified value that the firewall produced during
    NAT64 network address translation after the packet traversed the interface. See RFC 2460 for the
    definition of the destination address field in the IPv6 header. See RFC 6146 for the NAT64
    specification.
    Templates: IPv6 with NAT standard, IPv6 with NAT enterprise

346  privateEnterpriseNumber
    This is a unique private enterprise number that identifies Palo Alto Networks: 25461.
    Templates: IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise

56701  AppID
    The name of an application that App-ID identified. The name can be up to 32 bytes.
    Templates: IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise

56702  UserID
    A username that User-ID identified. The name can be up to 64 bytes.
    Templates: IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise
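The following is an added example, not PAN-OS or collector code: it builds a constructed NetFlow v9 export carrying the IPv4 Enterprise template (ID 257) and one record, then decodes the record using the template and field IDs from the tables above, including the PAN-OS fields 56701 and 56702, the ICMP_TYPE encoding and the firewallEvent codes. The field lengths the tables do not state, the sample flow values and the function names are this example's assumptions.

```python
"""NetFlow v9 decoder for the PAN-OS templates described above. Added example,
not PAN-OS or collector code: builds a constructed v9 export carrying the IPv4
Enterprise template (ID 257) and one record, then decodes it, including the PAN-OS
fields 56701 (App-ID) and 56702 (User-ID), ICMP_TYPE (type * 256 + code) and firewallEvent."""
import ipaddress, struct

FIELD_NAMES = {  # field type -> name, from the field table in this section
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR",
    10: "INPUT_SNMP", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP",
    21: "LAST_SWITCHED", 22: "FIRST_SWITCHED", 32: "ICMP_TYPE", 61: "DIRECTION",
    148: "flowId", 233: "firewallEvent", 346: "privateEnterpriseNumber",
    56701: "AppID", 56702: "UserID"}
FIREWALL_EVENTS = {0: "Ignore", 1: "Flow created", 2: "Flow deleted",
                   3: "Flow denied", 4: "Flow alert", 5: "Flow update"}
IPV4_FIELDS, STRING_FIELDS = {8, 12}, {56701, 56702}

# IPv4 Enterprise template (ID 257). Field lengths are this example's assumption except
# where the guide states them (4-byte counters, 2-byte ifIndexes, 32/64-byte strings).
IPV4_ENTERPRISE = [(1, 4), (2, 4), (4, 1), (7, 2), (8, 4), (10, 2), (11, 2),
                   (12, 4), (14, 2), (21, 4), (22, 4), (32, 2), (61, 1),
                   (148, 8), (233, 1), (346, 4), (56701, 32), (56702, 64)]
SAMPLE_RECORD = {  # constructed sample flow: denied ICMP, type 3 code 3 -> 3*256+3 = 771
    1: 1500, 2: 10, 4: 1, 7: 0, 8: "10.1.1.25", 10: 6, 11: 0,
    12: "203.0.113.10", 14: 7, 21: 120000, 22: 118000, 32: 771,
    61: 0, 148: 987654, 233: 3, 346: 25461, 56701: "icmp", 56702: "acme\\jdoe"}

def encode_field(ftype, length, value):
    if ftype in IPV4_FIELDS:
        return ipaddress.IPv4Address(value).packed
    if ftype in STRING_FIELDS:  # fixed width, NUL padded
        return value.encode()[:length].ljust(length, b"\0")
    return int(value).to_bytes(length, "big")

def build_packet(template_id, fields, record, include_template=True):
    # 20-byte header, optional template FlowSet (ID 0), one data FlowSet padded to 4 bytes
    sets = b""
    if include_template:
        body = struct.pack("!HH", template_id, len(fields))
        body += b"".join(struct.pack("!HH", t, n) for t, n in fields)
        sets += struct.pack("!HH", 0, 4 + len(body)) + body
    data = b"".join(encode_field(t, n, record[t]) for t, n in fields)
    pad = (-len(data)) % 4
    sets += struct.pack("!HH", template_id, 4 + len(data) + pad) + data + b"\0" * pad
    # version, FlowSet count, sysUptime, unix secs, sequence, source id
    return struct.pack("!HHIIII", 9, 1 + include_template, 123456, 1465300000, 1, 0) + sets

def decode_value(ftype, raw):
    if ftype in IPV4_FIELDS:
        return str(ipaddress.IPv4Address(raw))
    if ftype in STRING_FIELDS:
        return raw.rstrip(b"\0").decode(errors="replace")
    return int.from_bytes(raw, "big")

def interpret(rec):  # encodings the field table documents
    if "ICMP_TYPE" in rec:
        rec["icmp_type"], rec["icmp_code"] = divmod(rec["ICMP_TYPE"], 256)
    if "firewallEvent" in rec:
        rec["firewallEvent"] = FIREWALL_EVENTS.get(rec["firewallEvent"], "Unknown")
    return rec

def parse_packet(packet, templates=None):
    """Return (templates, records). Templates are keyed by (source_id, id) and carried
    across calls: data arriving before its template (the firewall resends templates only
    at the configured refresh interval) is skipped rather than mis-decoded."""
    templates = dict(templates or {})
    version, _, _, _, _, source_id = struct.unpack_from("!HHIIII", packet)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, offset = [], 20
    while offset + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, offset)
        if set_len < 4 or offset + set_len > len(packet):
            raise ValueError("malformed FlowSet length")
        body = packet[offset + 4:offset + set_len]
        if set_id == 0:  # template FlowSet: (template id, field count, (type, len)...)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif set_id >= 256 and (source_id, set_id) in templates:
            fields = templates[(source_id, set_id)]
            rec_len, pos = sum(n for _, n in fields), 0
            while rec_len and pos + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, ftype)] = decode_value(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(interpret(rec))
        offset += set_len
    return templates, records

def demo():  # decode with template; then a data-only packet without and with the template cache
    templates, records = parse_packet(build_packet(257, IPV4_ENTERPRISE, SAMPLE_RECORD))
    data_only = build_packet(257, IPV4_ENTERPRISE, SAMPLE_RECORD, include_template=False)
    return records[0], len(parse_packet(data_only)[1]), len(parse_packet(data_only, templates)[1])

if __name__ == "__main__":
    print(demo())
```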

Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors

When you use a NetFlow collector (see NetFlow Monitoring) or SNMP manager (see SNMP Monitoring and
Traps) to monitor the Palo Alto Networks firewall, an interface index (SNMP ifindex object) identifies the
interface that carried a particular flow (see Figure: Interface Indexes in an SNMP Manager). In contrast, the
firewall web interface uses interface names as identifiers (for example, ethernet1/1), not indexes. To
understand which statistics that you see in a NetFlow collector or SNMP manager apply to which firewall
interface, you must be able to match the interface indexes with interface names.

Figure: Interface Indexes in an SNMP Manager

You can match the indexes with names by understanding the formulas that the firewall uses to calculate
indexes. The formulas vary by platform and interface type: physical or logical.
Physical interface indexes have a range of 1-9999, which the firewall calculates as follows:

Non-chassis based: VM-Series, PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series,
PA-5000 Series
    (The PA-4000 Series platform supports SNMP but not NetFlow.)
    Calculation: MGT port + physical port offset
        MGT port: This is a constant that depends on the platform:
            2 for hardware-based firewalls (for example, the PA-5000 Series firewall)
            1 for the VM-Series firewall
        Physical port offset: This is the physical port number.
    Example interface index: PA-5000 Series firewall, Eth1/4 = 2 (MGT port) + 4 (physical port) = 6

Chassis based: PA-7000 Series firewalls
    (This platform supports SNMP but not NetFlow.)
    Calculation: (Max. ports * slot) + physical port offset + MGT port
        Maximum ports: This is a constant of 64.
        Slot: This is the chassis slot number of the network interface card.
        Physical port offset: This is the physical port number.
        MGT port: This is a constant of 5 for PA-7000 Series firewalls.
    Example interface index: PA-7000 Series firewall, Eth3/9 = [64 (max. ports) * 3 (slot)] + 9 (physical
    port) + 5 (MGT port) = 206

Logical interface indexes for all platforms are nine-digit numbers that the firewall calculates as follows.
Digit 9 is the interface type, digits 7-8 the interface slot, digits 5-6 the interface port (or AE suffix),
and digits 1-4 the subinterface suffix:

Layer 3 subinterface
    Range: 101010001-199999999
    Digit 9 (type): 1
    Digits 7-8 (interface slot): 1-9 (01-09)
    Digits 5-6 (interface port): 1-9 (01-09)
    Digits 1-4 (subinterface suffix): 1-9999 (0001-9999)
    Example: Eth1/5.22 = 100000000 (type) + 100000 (slot) + 50000 (port) + 22 (suffix) = 101050022

Layer 2 subinterface
    Range: 101010001-199999999
    Digit 9 (type): 1
    Digits 7-8 (interface slot): 1-9 (01-09)
    Digits 5-6 (interface port): 1-9 (01-09)
    Digits 1-4 (subinterface suffix): 1-9999 (0001-9999)
    Example: Eth2/3.6 = 100000000 (type) + 200000 (slot) + 30000 (port) + 6 (suffix) = 102030006

Vwire subinterface
    Range: 101010001-199999999
    Digit 9 (type): 1
    Digits 7-8 (interface slot): 1-9 (01-09)
    Digits 5-6 (interface port): 1-9 (01-09)
    Digits 1-4 (subinterface suffix): 1-9999 (0001-9999)
    Example: Eth4/2.312 = 100000000 (type) + 400000 (slot) + 20000 (port) + 312 (suffix) = 104020312

VLAN
    Range: 200000001-200009999
    Digit 9 (type): 2
    Digits 7-8: 00
    Digits 5-6: 00
    Digits 1-4 (VLAN suffix): 1-9999 (0001-9999)
    Example: VLAN.55 = 200000000 (type) + 55 (suffix) = 200000055

Loopback
    Range: 300000001-300009999
    Digit 9 (type): 3
    Digits 7-8: 00
    Digits 5-6: 00
    Digits 1-4 (loopback suffix): 1-9999 (0001-9999)
    Example: Loopback.55 = 300000000 (type) + 55 (suffix) = 300000055

Tunnel
    Range: 400000001-400009999
    Digit 9 (type): 4
    Digits 7-8: 00
    Digits 5-6: 00
    Digits 1-4 (tunnel suffix): 1-9999 (0001-9999)
    Example: Tunnel.55 = 400000000 (type) + 55 (suffix) = 400000055

Aggregate group
    Range: 500010001-500089999
    Digit 9 (type): 5
    Digits 7-8: 00
    Digits 5-6 (AE suffix): 1-8 (01-08)
    Digits 1-4 (subinterface su fix): 1-9999 (0001-9999)
    Example: AE5.99 = 500000000 (type) + 50000 (AE suffix) + 99 (suffix) = 500050099
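As an added example (not Palo Alto Networks code), the formulas from the two tables above in Python: it encodes interface names to the indexes an SNMP manager or NetFlow collector reports and decodes indexes back to web-interface names, so the two views can be matched. It uses the MGT-port and maximum-port constants the tables state; the platform labels ("hardware", "vm-series", "pa-7000") and the function names are this example's assumptions.

```python
"""Interface index (ifIndex) calculator for the PAN-OS 7.1 formulas above.
Added example, not Palo Alto Networks code: encodes firewall interface names
to the indexes an SNMP manager or NetFlow collector reports, and decodes
indexes back to names, so the two views can be matched. The MGT-port and
max-port constants are the ones the tables state; platform labels are assumed."""
import re

MGT_PORT = {"vm-series": 1, "hardware": 2, "pa-7000": 5}  # per platform (assumed labels)
MAX_PORTS_PER_SLOT = 64                                     # PA-7000 Series constant
TYPE_DIGIT = {"subinterface": 1, "vlan": 2, "loopback": 3, "tunnel": 4, "ae": 5}


def physical_ifindex(slot, port, platform="hardware"):
    """Physical index (1-9999). Non-chassis platforms ignore the slot (always 1);
    the PA-7000 Series adds 64 * slot to the port and MGT constant."""
    if platform == "pa-7000":
        return MAX_PORTS_PER_SLOT * slot + port + MGT_PORT[platform]
    return MGT_PORT[platform] + port


def logical_ifindex(name):
    """Nine-digit logical index: digit 9 = type, digits 7-8 = slot,
    digits 5-6 = port (or AE number), digits 1-4 = suffix. Accepts both the
    web-interface form (ethernet1/5.22) and the table's short form (Eth1/5.22)."""
    name = name.lower()
    m = re.fullmatch(r"(?:ethernet|eth)(\d)/(\d{1,2})\.(\d{1,4})", name)
    if m:  # Layer 3, Layer 2 and vwire subinterfaces all carry type digit 1
        slot, port, suffix = map(int, m.groups())
        return TYPE_DIGIT["subinterface"] * 10**8 + slot * 10**6 + port * 10**4 + suffix
    m = re.fullmatch(r"ae(\d)\.(\d{1,4})", name)
    if m:
        ae, suffix = map(int, m.groups())
        return TYPE_DIGIT["ae"] * 10**8 + ae * 10**4 + suffix
    m = re.fullmatch(r"(vlan|loopback|tunnel)\.(\d{1,4})", name)
    if m:
        return TYPE_DIGIT[m.group(1)] * 10**8 + int(m.group(2))
    raise ValueError(f"unrecognised logical interface name: {name}")


def decode_ifindex(index, platform="hardware"):
    """Inverse mapping. Physical indexes need the platform to strip the MGT
    constant; logical indexes are self-describing through their type digit."""
    if index < 10**8:
        rem = index - MGT_PORT[platform]
        if platform == "pa-7000":
            return f"ethernet{rem // MAX_PORTS_PER_SLOT}/{rem % MAX_PORTS_PER_SLOT}"
        return f"ethernet1/{rem}"
    kind, rest = divmod(index, 10**8)
    slot, rest = divmod(rest, 10**6)
    port, suffix = divmod(rest, 10**4)
    if kind == TYPE_DIGIT["subinterface"]:
        return f"ethernet{slot}/{port}.{suffix}"
    if kind == TYPE_DIGIT["ae"]:
        return f"ae{port}.{suffix}"
    for kind_name, digit in TYPE_DIGIT.items():
        if digit == kind:
            return f"{kind_name}.{suffix}"
    raise ValueError(f"unknown interface type digit {kind} in index {index}")


def match_collector_indexes(indexes, platform="hardware"):
    """Map the ifIndex values a collector or SNMP manager shows to firewall names."""
    return {i: decode_ifindex(i, platform) for i in indexes}


if __name__ == "__main__":
    # Constructed list of indexes as a NetFlow collector might report them.
    for idx, name in match_collector_indexes([6, 101050022, 200000055, 500050099]).items():
        print(f"{idx:>10}  {name}")
```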

User-ID

User Identification (User-ID) of the Palo Alto Networks firewall enables you to create policies and perform
reporting based on users and groups rather than individual IP addresses.
    User-ID Overview
    User-ID Concepts
    Enable User-ID
    Map Users to Groups
    Map IP Addresses to Users
    Enable User- and Group-Based Policy
    Enable Policy for Users with Multiple Accounts
    Verify the User-ID Configuration
    Deploy User-ID in a Large-Scale Network

User-ID Overview

User-ID seamlessly integrates Palo Alto Networks firewalls with a range of enterprise directory and terminal
services offerings, enabling you to tie application activity and policy rules to users and groups, not just IP
addresses. Furthermore, with User-ID enabled, the Application Command Center (ACC), App Scope, reports,
and logs all include usernames in addition to user IP addresses.
Palo Alto Networks firewalls support monitoring of the following enterprise services:
    Microsoft Active Directory
    Lightweight Directory Access Protocol (LDAP)
    Novell eDirectory
    Citrix Metaframe Presentation Server or XenApp
    Microsoft Terminal Services
For user- and group-based policies, the firewall requires a list of all available users and their corresponding
group mappings that you can select when defining your policies. The firewall collects Group Mapping
information by connecting directly to your LDAP directory server.
To enforce user- and group-based policies, the firewall must be able to map the IP addresses in the packets
it receives to usernames. User-ID provides many mechanisms to collect this User Mapping information. For
example, the User-ID agent monitors server logs for login events, probes clients, and listens for syslog
messages from authenticating services. To identify mappings for IP addresses that the agent didn't map, you
can configure the firewall to redirect HTTP requests to a Captive Portal login. You can tailor the user
mapping mechanisms to suit your environment, and even use different mechanisms at different sites.

User-ID does not work in environments where the source IP addresses of users are subject to
NAT translation before the firewall maps the IP addresses to usernames.

Figure: User-ID

See User-ID Concepts for information on how User-ID works and Enable User-ID for instructions on setting
up User-ID.

User-ID Concepts

    Group Mapping
    User Mapping

Group Mapping

To define policy rules based on user or group, first you create an LDAP server profile that defines how the
firewall connects and authenticates to your directory server. The firewall supports a variety of directory
servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server. The
server profile also defines how the firewall searches the directory to retrieve the list of groups and the
corresponding list of members. Next you create a group mapping configuration to Map Users to Groups.
Then you can Enable User- and Group-Based Policy.
Defining policy rules based on group membership rather than on individual users simplifies administration
because you don't have to update the rules whenever new users are added to a group. When configuring
group mapping, you can limit which groups will be available in policy rules. You can specify groups that
already exist in your directory service or define custom groups based on LDAP filters. Defining custom
groups can be quicker than creating new groups or changing existing ones on an LDAP server, and doesn't
require an LDAP administrator to intervene. User-ID maps all the LDAP directory users who match the filter
to the custom group. For example, you might want a security policy that allows contractors in the Marketing
Department to access social networking sites. If no Active Directory group exists for that department, you
can configure an LDAP filter that matches users for whom the LDAP attribute Department is set to
Marketing. Log queries and reports that are based on user groups will include custom groups.

User Mapping

Having the names of the users and groups is only one piece of the puzzle. The firewall also needs to know
which IP addresses map to which users so that security rules can be enforced appropriately. Figure: User-ID
illustrates the different methods that are used to identify users and groups on your network and shows how
user mapping and group mapping work together to enable user- and group-based security enforcement and
visibility.
The following topics describe the different methods of user mapping:
    Server Monitoring
    Client Probing
    Port Mapping
    Syslog
    Captive Portal
    GlobalProtect
    PAN-OS XML API

Server Monitoring

With server monitoring, a User-ID agent (either a Windows-based agent running on a domain server in your
network, or the integrated PAN-OS User-ID agent running on the firewall) monitors the security event logs
for specified Microsoft Exchange Servers, domain controllers, or Novell eDirectory servers for login events.
For example, in an AD environment, you can configure the User-ID agent to monitor the security logs for
Kerberos ticket grants or renewals, Exchange server access (if configured), and file and print service
connections. Note that for these events to be recorded in the security log, the AD domain must be
configured to log successful account login events. In addition, because users can log in to any of the servers
in the domain, you must set up server monitoring for all servers to capture all user login events.
Because server monitoring requires very little overhead and because the majority of users can generally be
mapped using this method, it is recommended as the base user mapping method for most User-ID
deployments. See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping
Using the PAN-OS Integrated User-ID Agent for details.

Client Probing

In a Microsoft Windows environment, you can configure the User-ID agent to probe client systems using
Windows Management Instrumentation (WMI). The Windows-based User-ID agent can also perform
NetBIOS probing (not supported on the PAN-OS integrated User-ID agent). Probing is particularly useful in
environments with a high IP address turnover because changes will be reflected on the firewall more quickly,
enabling more accurate enforcement of user-based policies. However, if the correlation between IP
addresses and users is fairly static, you probably do not need to enable client probing. Because probing can
generate a large amount of network traffic (based on the total number of mapped IP addresses), the agent
that will be initiating the probes should be located as close as possible to the end clients.
If probing is enabled, the agent will probe each learned IP address periodically (every 20 minutes by default,
but this is configurable) to verify that the same user is still logged in. In addition, when the firewall encounters
an IP address for which it has no user mapping, it will send the address to the agent for an immediate probe.
See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the
PAN-OS Integrated User-ID Agent for details.

Port Mapping

In environments with multi-user systems (such as Microsoft Terminal Server or Citrix environments), many
users share the same IP address. In this case, the user-to-IP address mapping process requires knowledge of
the source port of each client. To perform this type of mapping, you must install the Palo Alto Networks
Terminal Services Agent on the Windows/Citrix terminal server itself to intermediate the assignment of
source ports to the various user processes. For terminal servers that do not support the Terminal Services
agent, such as Linux terminal servers, you can use the XML API to send user mapping information from login
and logout events to User-ID. See Configure User Mapping for Terminal Server Users for configuration
details.

Syslog

In environments with existing network services that authenticate users (such as wireless controllers, 802.1x
devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms),
the firewall User-ID agent (either the Windows agent or the PAN-OS integrated agent on the firewall) can
listen for authentication syslog messages from those services. Syslog filters, which are provided by a content
update (integrated User-ID agent only) or configured manually, allow the User-ID agent to parse and extract
usernames and IP addresses from authentication syslog events generated by the external service, and add
the information to the User-ID IP address-to-username mappings maintained by the firewall. See Configure
User-ID to Receive User Mappings from a Syslog Sender for configuration details.

Figure: User-ID Integration with Syslog

Captive Portal

If the firewall or the User-ID agent can't map an IP address to a username (for example, if the user isn't
logged in or uses an operating system such as Linux that your domain servers don't support), you can
configure Captive Portal. Any web traffic (HTTP or HTTPS) that matches a Captive Portal policy rule requires
user authentication. You can base the authentication on a transparent browser challenge (Kerberos Single
Sign-On (SSO) or NT LAN Manager (NTLM) authentication), web form (for RADIUS, TACACS+, LDAP,
Kerberos, or local database authentication), or client certificates. For details, see Map IP Addresses to
Usernames Using Captive Portal.

GlobalProtect

For mobile or roaming users, the GlobalProtect client provides the user mapping information to the firewall
directly. In this case, every GlobalProtect user has an agent or app running on the client that requires the
user to enter login credentials for VPN access to the firewall. This login information is then added to the
User-ID user mapping table on the firewall for visibility and user-based security policy enforcement. Because
GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping
is explicitly known. This is the best solution in sensitive environments where you must be certain of who a
user is in order to allow access to an application or service. For more information on setting up GlobalProtect,
refer to the GlobalProtect Administrator's Guide.

PAN-OS XML API

Captive Portal and the other standard user mapping methods might not work for certain types of user access.
For example, the standard methods cannot add mappings of users connecting from a third-party VPN
solution or users connecting to an 802.1x-enabled wireless network. For such cases, you can use the PAN-OS
XML API to capture login events and send them to the User-ID agent or directly to the firewall. See Send
User Mappings to User-ID Using the XML API for details.

Enable User-ID

You must complete the following tasks to set up the firewall to use users and groups in policy enforcement,
logging, and reporting:
    Map Users to Groups
    Map IP Addresses to Users
    Enable User- and Group-Based Policy
    Verify the User-ID Configuration

Map Users to Groups

Defining policy rules based on user group membership rather than individual users simplifies administration
because you don't have to update the rules whenever group membership changes. Use the following
procedure to enable the firewall to connect to your LDAP directory and retrieve Group Mapping
information. You can then Enable User- and Group-Based Policy.

The following are best practices for group mapping in an Active Directory (AD) environment:
    If you have a single domain, you need only one LDAP server profile that connects the firewall to the
    domain controller with the best connectivity. You can add additional domain controllers for fault
    tolerance.
    If you have multiple domains and/or multiple forests, you must create a server profile to connect to a
    domain server in each domain/forest. Take steps to ensure unique usernames in separate forests.
    If you have Universal Groups, create a server profile to connect to the Global Catalog server.

Step 1  Add an LDAP server profile.
        The profile defines how the firewall connects to the directory servers from which it collects group
        mapping information. You can add up to four servers to the profile but they must be the same Type.
    Configure an LDAP Server Profile:
    1. Select Device > Server Profiles > LDAP, click Add, and enter a Profile Name.
    2. For each LDAP server, click Add and enter the server Name, IP address (LDAP Server), and Port
       (default is 389).
    3. Based on your Type selection (for example, active-directory), the firewall automatically populates the
       correct LDAP attributes in the group mapping settings. However, if you customized your LDAP schema,
       you might need to modify the default settings.
    4. In the Base DN field, enter the Distinguished Name (DN) of the LDAP tree location where you want the
       firewall to begin its search for user and group information.
    5. Enter the authentication credentials for binding to the LDAP tree in the Bind DN, Password, and
       Confirm Password fields. The Bind DN can be a fully qualified LDAP name (for example,
       cn=administrator,cn=users,dc=acme,dc=local) or a user principal name (for example,
       administrator@acme.local).
    6. Click OK to save the profile.

Step 2  Configure the server settings in a group mapping configuration.
    1. Select Device > User Identification > Group Mapping Settings.
    2. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for this
       configuration.
    3. Click Add and enter a unique Name to identify the group mapping configuration.
    4. Select the LDAP Server Profile you just created.
    5. (Optional) By default, the User Domain field is blank: the firewall automatically detects the domain
       names for Active Directory (AD) servers. If you enter a value, it overrides any domain names that the
       firewall retrieves from the LDAP source. Your entry must be the NetBIOS domain name.
    6. (Optional) To filter the groups that the firewall tracks for group mapping, in the Group Objects
       section, enter a Search Filter (LDAP query), Object Class (group definition), Group Name, and Group
       Member.
    7. (Optional) To filter the users that the firewall tracks for group mapping, in the User Objects section,
       enter a Search Filter (LDAP query), Object Class (user definition), and User Name.
    8. (Optional) To match User-ID information with email header information identified in the links and
       attachments of emails forwarded to WildFire, enter the list of email domains in your organization in
       the Mail Domains section, Domain List field. Use commas to separate multiple domains (up to 256
       characters). After you click OK, PAN-OS automatically populates the Mail Attributes field based on
       your LDAP server type (Sun/RFC, Active Directory, or Novell). When a match occurs, the username in
       the WildFire log email header section will contain a link that opens the ACC tab, filtered by user or
       user group.
    9. Make sure the Enabled check box is selected.

MapUserstoGroups(Continued)

Step 3   Limit which groups will be available in policy rules.
Required only if you want to limit policy rules to specific groups. By default, if you don't specify groups, all groups are available in policy rules.
Note: Any custom groups you create will also be available in the Allow List of authentication profiles.
1. Add existing groups from the directory service:
   a. Select the Group Include List tab.
   b. In the Available Groups list, select the groups you want to appear in policy rules and click the Add icon.
2. If you want to base policy rules on user attributes that don't match existing user groups, create custom groups based on LDAP filters:
   a. Select the Custom Group tab and click Add.
   b. Enter a group Name that is unique in the group mapping configuration for the current firewall or virtual system. If the Name has the same value as the Distinguished Name (DN) of an existing AD group domain, the firewall uses the custom group in all references to that name (for example, in policies and logs).
   c. Specify an LDAP Filter of up to 2,048 UTF-8 characters and click OK. The firewall doesn't validate LDAP filters, so it's up to you to ensure they are accurate.
      Note: To minimize the performance impact on the LDAP directory server, use only indexed attributes in the filter.
3. Click OK and Commit. A commit is necessary before custom groups will be available in policies and objects.
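
Because the firewall does not validate the LDAP Filter of a custom group, it helps to check the filter string before committing it. The following Python script is an added example written for this guide, not PAN-OS or User-ID agent code: it parses the RFC 4515 string form (AND, OR, NOT, the comparison operators, presence and substring values, \XX escapes, and the extensible-match syntax that Active Directory filters often use) and enforces the 2,048-character limit stated above. The sample filters used with it are constructed, and the group and OU names in them are placeholders. A filter that passes this check can still name attributes that do not exist or are not indexed on your directory server; the check cannot see that.

```python
"""Syntax check for the LDAP Filter of a User-ID custom group.

Added example, not PAN-OS code: the firewall does not validate custom group
LDAP filters, so this checks the RFC 4515 string form and the 2,048-character
limit before the filter is pasted into the web interface. It cannot tell you
whether an attribute exists or is indexed on your directory server.
"""
import re

MAX_FILTER_CHARS = 2048   # limit stated for a custom group's LDAP Filter

# Attribute description: a keystring or numeric OID, with optional ";options".
_ATTR = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(?:;[A-Za-z0-9-]+)*")
# Extensible-match tail such as ":1.2.840.113556.1.4.803:=" (common in AD filters).
_EXT = re.compile(r"(?::dn)?(?::[A-Za-z0-9.-]+)?:=")
# RFC 4515 allows only backslash escapes of the form \XX (two hex digits).
_ESC = re.compile(r"\\[0-9A-Fa-f]{2}")


class FilterSyntaxError(ValueError):
    pass


class _Parser:
    def __init__(self, text):
        self.s, self.i = text, 0

    def peek(self):
        return self.s[self.i] if self.i < len(self.s) else ""

    def expect(self, ch):
        if self.peek() != ch:
            raise FilterSyntaxError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def parse_filter(self):
        self.expect("(")
        c = self.peek()
        if c in ("&", "|"):                 # AND / OR: one or more nested filters
            self.i += 1
            count = 0
            while self.peek() == "(":
                self.parse_filter()
                count += 1
            if count == 0:                  # RFC 4526's empty (&) is rejected on purpose
                raise FilterSyntaxError(f"{c!r} needs at least one operand at offset {self.i}")
        elif c == "!":                      # NOT: exactly one nested filter
            self.i += 1
            self.parse_filter()
        else:
            self.parse_item()
        self.expect(")")

    def parse_item(self):
        m = _ATTR.match(self.s, self.i)
        if not m:
            raise FilterSyntaxError(f"expected attribute name at offset {self.i}")
        self.i = m.end()
        ext = _EXT.match(self.s, self.i)
        if ext:
            self.i = ext.end()
            return self.parse_value(allow_star=False)
        for op in (">=", "<=", "~=", "="):
            if self.s.startswith(op, self.i):
                self.i += len(op)
                # "*" (presence or substring match) is legal only after a plain "="
                return self.parse_value(allow_star=(op == "="))
        raise FilterSyntaxError(f"expected comparison operator at offset {self.i}")

    def parse_value(self, allow_star):
        while self.i < len(self.s) and self.s[self.i] not in "()":
            ch = self.s[self.i]
            if ch == "\\":
                if not _ESC.match(self.s, self.i):
                    raise FilterSyntaxError(f"bad escape at offset {self.i}; use the \\XX hex form")
                self.i += 3
                continue
            if ch == "*" and not allow_star:
                raise FilterSyntaxError(f"'*' is not allowed with this operator at offset {self.i}")
            self.i += 1


def check_ldap_filter(text):
    """Return None if `text` is a syntactically valid filter, otherwise a message."""
    if len(text) > MAX_FILTER_CHARS:
        return f"filter is {len(text)} characters; the limit is {MAX_FILTER_CHARS}"
    parser = _Parser(text)
    try:
        parser.parse_filter()
    except FilterSyntaxError as err:
        return str(err)
    if parser.i != len(text):
        return f"unexpected trailing text at offset {parser.i}"
    return None
```

Run check_ldap_filter() on the exact string you intend to paste into the LDAP Filter field; it returns None for a syntactically valid filter, or a message giving the offset of the first problem. It deliberately rejects the empty (&) and (|) forms from RFC 4526, which not every directory server accepts.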

Map IP Addresses to Users

The tasks you perform to map IP addresses to usernames depend on the type and location of the client systems on your network. Complete as many of the following tasks as necessary to enable mapping of your client systems:
- To map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients, first you must Configure an Active Directory Account for the User-ID Agent. Then you must configure the User-ID agent to monitor server logs and probe client systems. You can either Configure User Mapping Using the PAN-OS Integrated User-ID Agent or Configure User Mapping Using the Windows User-ID Agent. The Windows-based User-ID agent is a standalone agent that you install on one or more member servers in the domain that contains the servers and clients that the agent will monitor. For guidance on which agent is appropriate for your network and the required number and placement of agents, refer to Architecting User Identification Deployments.
- If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal Server or Citrix Metaframe Presentation Server or XenApp, Configure the Palo Alto Networks Terminal Services Agent for User Mapping. For a multi-user system that doesn't run on Windows, you can Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API.
- To obtain user mappings from existing network services that authenticate users (such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms), Configure User-ID to Receive User Mappings from a Syslog Sender. You can use either the Windows agent or the agentless user mapping feature on the firewall to listen for authentication syslog messages from the network services.
- If you have users with client systems that aren't logged in to your domain servers (for example, users running Linux clients that don't log in to the domain), you can Map IP Addresses to Usernames Using Captive Portal.
- For other clients that you can't map using the preceding methods, you can Send User Mappings to User-ID Using the XML API.
- A large-scale network can have hundreds of information sources that firewalls query for user and group mapping and can have numerous firewalls that enforce policies based on the mapping information. You can simplify User-ID administration for such a network by aggregating the mapping information before the User-ID agents collect it. You can also reduce the resources that the firewalls and information sources use in the querying process by configuring some firewalls to redistribute the mapping information. For details, see Deploy User-ID in a Large-Scale Network.

Configure an Active Directory Account for the User-ID Agent

To enable a User-ID agent to access the services and hosts it will monitor for collecting user mapping information, add an Active Directory (AD) service account for the agent. Perform this task on one domain controller in each domain where the monitored services and hosts reside.

Configure an Active Directory account for the User-ID Agent

Step 1   Create an AD account for the User-ID agent.
The User-ID agent requires an account on one domain controller in each domain where the agent will collect user mappings.
1. Log in to the domain controller.
2. Right-click the Windows icon, Search for Active Directory Users and Computers, and launch the application.
3. In the navigation pane, open the domain tree, right-click Managed Service Accounts and select New > User.
4. Enter the First Name, Last Name, and User logon name of the user and click Next.
5. Enter the Password and Confirm Password, and then click Next and Finish.

Step 2   Add the account to the Builtin groups that have privileges for accessing the services and hosts the User-ID agent will monitor.
1. Right-click the service account you just added and Add to a group.
2. Enter the object names to select as follows to assign the account to groups. Separate each entry with a semicolon.
   - Event Log Readers, or a custom group that has privileges for reading Security log events. These privileges are required if the User-ID agent will collect mapping information by monitoring Security logs.
   - (PAN-OS integrated User-ID agent only) Distributed COM Users group, which has privileges for launching, activating, and using Distributed Component Object Model (DCOM) objects.
   - Server Operators group, which has privileges for opening sessions. The account requires these privileges if the User-ID agent must refresh existing mapping information by monitoring user sessions.
     Note: Because this group also has privileges for shutting down and restarting servers, assign the account to it only if monitoring user sessions is very important.
   - (PAN-OS integrated User-ID agent only) Enter the name of a group that has administrative privileges to join the domain, write to the validated service principal name, and create a computer object within the computers organization unit (ou=computers). The account requires these privileges if the User-ID agent will use NT LAN Manager (NTLM) for Captive Portal authentication.
     Note: We recommend using Kerberos SSO instead of NTLM for Captive Portal authentication.
     For a firewall with multiple virtual systems, only vsys1 can join the domain because of AD restrictions on virtual systems running on the same host.
3. Check Names to validate your entries and click OK twice.

Step 3   (WMI probing only) Enable the account to read the CIMV2 namespace on the client systems.
By default, accounts in the Server Operators group have this permission.
Perform this task on each client system that the User-ID agent will probe for user mapping information:
1. Right-click the Windows icon, Search for wmimgmt.msc, and launch the WMI Management Console.
2. In the console tree, right-click WMI Control and select Properties.
3. Select Security, select Root > CIMV2, and click Security.
4. Add the name of the service account you created, Check Names to verify your entry, and click OK.
   Note: You might have to change the Locations or click Advanced to query for account names. See the dialog help for details.
5. In the Permissions for <Username> section, Allow the Enable Account and Read Security permissions.
6. Click OK twice.

Step 4   Next steps...
You are now ready to:
- Configure User Mapping Using the Windows User-ID Agent.
- Configure User Mapping Using the PAN-OS Integrated User-ID Agent.

Configure User Mapping Using the Windows User-ID Agent

In most cases, the majority of your network users will have logins to your monitored domain services. For these users, the Palo Alto Networks User-ID agent monitors the servers for login events and performs the IP address to username mapping. The way you configure the User-ID agent depends on the size of your environment and the location of your domain servers. As a best practice, you should locate your User-ID agents near your monitored servers (that is, the monitored servers and the Windows User-ID agent should not be across a WAN link from each other). This is because most of the traffic for user mapping occurs between the agent and the monitored server, with only a small amount of traffic (the delta of IP address mappings since the last update) from the agent to the firewall.
The following topics describe how to install and configure the User-ID Agent and how to configure the firewall to retrieve user mapping information from the agent:
- Install the User-ID Agent
- Configure the User-ID Agent for User Mapping

Install the User-ID Agent

The following procedure shows how to install the User-ID agent on a member server in the domain and set up the service account with the required permissions. If you are upgrading, the installer will automatically remove the older version; however, it is a good idea to back up the config.xml file before running the installer.

Note: For information about the system requirements for installing the Windows-based User-ID agent and for information on supported server OS versions, refer to Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.

Install the Windows User-ID Agent

Step 1   Add an Active Directory account for the User-ID agent to access the services and hosts it will monitor for collecting user mapping information.
Configure an Active Directory Account for the User-ID Agent.

Step 1   Decide where to install the User-ID agent.
The User-ID agent queries the Domain Controller and Exchange server logs using Microsoft Remote Procedure Calls (MSRPCs), which require a complete transfer of the entire log at each query. Therefore, always install one or more User-ID agents at each site that has servers to be monitored.
Note: For more detailed information on where to install User-ID agents, refer to Architecting User Identification (User-ID) Deployments.
- You must install the User-ID agent on a system running one of the supported OS versions; see Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.
- Make sure the system that will host the User-ID agent is a member of the same domain as the servers it will monitor.
- As a best practice, install the User-ID agent close to the servers it will be monitoring (there is more traffic between the User-ID agent and the monitored servers than there is between the User-ID agent and the firewall, so locating the agent close to the monitored servers optimizes bandwidth usage).
- To ensure the most comprehensive mapping of users, you must monitor all servers that contain user login information. You might need to install multiple User-ID agents to efficiently monitor all of your resources.

Step 2   Download the User-ID agent installer.
As a best practice, install the User-ID agent version that is the same as the PAN-OS version running on the firewalls.
1. Log in to the Palo Alto Networks Customer Support website.
2. Select Software Updates from the Manage Devices section.
3. Scroll to the User Identification Agent section of the screen and Download the version of the User-ID agent you want to install.
4. Save the UaInstall-x.x.x-xx.msi file on the system(s) where you plan to install the agent.

Step 3   Run the installer as an administrator.
1. Open the Windows Start menu, right-click the Command Prompt program, and select Run as administrator.
2. From the command line, run the .msi file you downloaded. For example, if you saved the .msi file to the Desktop you would enter the following:
   C:\Users\administrator.acme>cd Desktop
   C:\Users\administrator.acme\Desktop>UaInstall-6.0.0-1.msi
3. Follow the setup prompts to install the agent using the default settings. By default, the agent gets installed to the C:\Program Files (x86)\Palo Alto Networks\User-ID Agent folder, but you can Browse to a different location.
4. When the installation completes, Close the setup window.

Step 4   Launch the User-ID Agent application.
Open the Windows Start menu and select User-ID Agent.

Step 5   (Optional) Change the service account that the User-ID agent uses to log in.
By default, the agent uses the administrator account used to install the .msi file. However, you may want to switch this to a restricted account as follows:
1. Select User Identification > Setup and click Edit.
2. Select the Authentication tab and enter the service account name that you want the User-ID agent to use in the User name for Active Directory field.
3. Enter the Password for the specified account.

Step 6   (Optional) Assign account permissions to the installation folder.
You only need to perform this step if the service account you configured for the User-ID agent is not a member of the administrators group for the domain or a member of both the Server Operators and the Event Log Readers groups.
1. Give the service account permissions to the installation folder:
   a. From the Windows Explorer, navigate to C:\Program Files\Palo Alto Networks, right-click the folder, and select Properties.
   b. On the Security tab, Add the User-ID agent service account and assign it permissions to Modify, Read & execute, List folder contents, and Read, and then click OK to save the account settings.
2. Give the service account permissions to the User-ID Agent registry subtree:
   a. Run regedit32 and navigate to the Palo Alto Networks subtree in one of the following locations:
      - 32-bit systems: HKEY_LOCAL_MACHINE\Software\Palo Alto Networks
      - 64-bit systems: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks
   b. Right-click the Palo Alto Networks node and select Permissions.
   c. Assign the User-ID service account Full Control and then click OK to save the setting.
3. On the domain controller, add the service account to the builtin groups to enable privileges to read the security log events (Event Log Reader group) and open sessions (Server Operator group):
   a. Run the MMC and Launch the Active Directory Users and Computers snap-in.
   b. Navigate to the Builtin folder for the domain and then right-click each group you need to edit (Event Log Reader and Server Operator) and select Add to Group to open the properties dialog.
   c. Click Add and enter the name of the service account that you configured the User-ID service to use and then click Check Names to validate that you have the proper object name.
   d. Click OK twice to save the settings.

Configure the User-ID Agent for User Mapping

The Palo Alto Networks User-ID agent is a Windows service that connects to servers on your network (for example, Active Directory servers, Microsoft Exchange servers, and Novell eDirectory servers) and monitors the logs for login events. The agent uses this information to map IP addresses to usernames. Palo Alto Networks firewalls connect to the User-ID agent to retrieve this user mapping information, enabling visibility into user activity by username rather than IP address and enabling user- and group-based security enforcement.

Note: For information about the server OS versions supported by the User-ID agent, refer to Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.

Map IP Addresses to Users Using the Windows-based User-ID Agent

Step 1   Define the servers the User-ID agent will monitor to collect IP address to user mapping information.
The User-ID agent can monitor up to 100 servers, of which up to 50 can be syslog senders.
Note: To collect all of the required mappings, the User-ID agent must connect to all servers that your users log in to in order to monitor the security log files on all servers that contain login events.
1. Open the Windows Start menu and select User-ID Agent.
2. Select User Identification > Discovery.
3. In the Servers section of the screen, click Add.
4. Enter a Name and Server Address for the server to be monitored. The network address can be a FQDN or an IP address.
5. Select the Server Type (Microsoft Active Directory, Microsoft Exchange, Novell eDirectory, or Syslog Sender) and then click OK to save the server entry. Repeat this step for each server to be monitored.
6. (Optional) To enable the firewall to automatically discover domain controllers on your network using DNS lookups, click Auto Discover.
   Note: The auto-discovery locates domain controllers in the local domain only; you must manually add Exchange servers, eDirectory servers, and syslog senders.
7. (Optional) To tune the frequency at which the firewall polls configured servers for mapping information, select User Identification > Setup and Edit the Setup section. On the Server Monitor tab, modify the value in the Server Log Monitor Frequency (seconds) field. As a best practice, you should increase the value in this field to 5 seconds in environments with older Domain Controllers or high-latency links. Click OK to save the changes.

Step 2   (Optional) If you configured the agent to connect to a Novell eDirectory server, you must specify how the agent should search the directory.
1. Select User Identification > Setup and click Edit in the Setup section of the window.
2. Select the eDirectory tab and then complete the following fields:
   - Search Base: The starting point or root context for agent queries, for example: dc=domain1, dc=example, dc=com.
   - Bind Distinguished Name: The account to use to bind to the directory, for example: cn=admin, ou=IT, dc=domain1, dc=example, dc=com.
   - Bind Password: The bind account password. The agent saves the encrypted password in the configuration file.
   - Search Filter: The search query for user entries (default is objectClass=Person).
   - Server Domain Prefix: A prefix to uniquely identify the user. This is only required if there are overlapping name spaces, such as different users with the same name from two different directories.
   - Use SSL: Select the check box to use SSL for eDirectory binding.
   - Verify Server Certificate: Select the check box to verify the eDirectory server certificate when using SSL.

Step 3   (Optional) Enable client probing.
Client probing is useful in environments where IP addresses are not tightly bound to users because it ensures that previously mapped addresses are still valid. However, as the total number of learned IP addresses grows, so does the amount of traffic generated. As a best practice, enable probing only on network segments where IP address turnover is high.
For more details on the placement of User-ID agents using client probing, refer to Architecting User Identification (User-ID) Deployments.
1. On the Client Probing tab, select the Enable WMI Probing check box and/or the Enable NetBIOS Probing check box.
   Note: By default, WMI probing excludes client systems with public IPv4 addresses. (Public IPv4 addresses are those outside the scope of RFC 1918 and RFC 3927.) To enable WMI probing for such addresses, you must explicitly include them as follows. However, note that if you explicitly include specific subnetworks, the firewall implicitly excludes all other subnetworks. Therefore, if you add subnetworks for public IPv4 addresses, you must also add all the other subnetworks that WMI probing should include.
   a. Select User Identification > Discovery.
   b. Add each subnetwork of public IPv4 addresses to the Include/Exclude list of configured networks list.
   c. Set the discovery option to Include specified network.
   d. Enter a Name to identify the subnetwork.
   e. Enter the IP address range of the subnetwork in the Network Address field.
   f. Click OK.
2. Make sure the Windows firewall will allow client probing by adding a remote administration exception to the Windows firewall for each probed client.
   Note: For NetBIOS probing to work effectively, each probed client PC must allow port 139 in the Windows firewall and must also have file and printer sharing services enabled. WMI probing is always preferred over NetBIOS whenever possible.

Step 4   Save the configuration.
Click OK to save the User-ID agent setup settings and then click Commit to restart the User-ID agent and load the new settings.

Step 5   (Optional) Define the set of users for which you do not need to provide IP address to username mappings, such as kiosk accounts.
Note: You can also use the ignore-user list to identify users whom you want to force to authenticate using Captive Portal.
Create an ignore_user_list.txt file and save it to the User-ID Agent folder on the domain server where the agent is installed. List the user accounts to ignore; there is no limit to the number of accounts you can add to the list. Each user account name must be on a separate line. For example:
   SPAdmin
   SPInstall
   TFSReport
You can use an asterisk as a wildcard character to match multiple usernames, but only as the last character in the entry. For example, corpdomain\itadmin* would match all administrators in the corpdomain domain whose usernames start with the string itadmin.

Step 6   Configure the firewalls to connect to the User-ID agent.
Complete the following steps on each firewall you want to connect to the User-ID agent to receive user mappings:
1. Select Device > User Identification > User-ID Agents and click Add.
2. Enter a Name for the User-ID agent.
3. Enter the IP address of the Windows Host on which the User-ID Agent is installed.
4. Enter the Port number (1-65535) on which the agent will listen for user mapping requests. This value must match the value configured on the User-ID agent. By default, the port is set to 5007 on the firewall and on newer versions of the User-ID agent. However, some older User-ID agent versions use port 2010 as the default.
5. Make sure that the configuration is Enabled, then click OK.
6. Commit the changes.
7. Verify that the Connected status displays as connected (a green light).

Step 7   Verify that the User-ID agent is successfully mapping IP addresses to usernames and that the firewalls can connect to the agent.
1. Launch the User-ID agent and select User Identification.
2. Verify that the agent status shows Agent is running. If the Agent is not running, click Start.
3. To verify that the User-ID agent can connect to monitored servers, make sure the Status for each Server is Connected.
4. To verify that the firewalls can connect to the User-ID agent, make sure the Status for each of the Connected Devices is Connected.
5. To verify that the User-ID agent is mapping IP addresses to usernames, select Monitoring and make sure that the mapping table is populated. You can also Search for specific users, or Delete user mappings from the list.

Configure User Mapping Using the PAN-OS Integrated User-ID Agent

The following procedure shows how to configure the PAN-OS integrated User-ID agent on the firewall for IP address to username mapping. The integrated User-ID agent performs the same tasks as the Windows-based agent with the exception of NetBIOS client probing (WMI probing is supported).

Map IP Addresses to Users Using the Integrated User-ID Agent

Step 1   Add an Active Directory account for the User-ID agent to access the services and hosts it will monitor for collecting user mapping information.
- Windows 2008 or later domain servers: Add the account to the Event Log Readers group. If you are using the PAN-OS integrated User-ID agent, the account must also be a member of the Distributed COM Users Group.
- WMI probing: Make sure the account has rights to read the CIMV2 namespace; by default, Domain Administrator and Server Operator accounts have this permission.
- NTLM authentication: Because the firewall must join the domain if you are using Captive Portal NTLM authentication with a PAN-OS integrated User-ID agent, the Windows account you create for NTLM access must have administrative privileges. Note that due to AD restrictions on virtual systems running on the same host, if the firewall has multiple virtual systems, only vsys1 will be able to join the domain.
Configure an Active Directory Account for the User-ID Agent.

Step 2   Define the servers that the firewall will monitor to collect user mapping information.
Within the total maximum of 100 monitored servers per firewall, you can define no more than 50 syslog senders for any single virtual system.
Note: To collect all the required mappings, the firewall must connect to all servers that your users log in to so it can monitor the Security log files on all servers that contain login events.
1. Select Device > User Identification > User Mapping.
2. Click Add in the Server Monitoring section.
3. Enter a Name to identify the server.
4. Select the Type of server.
5. Enter the Network Address (an FQDN or IP address) of the server.
6. Make sure the server profile is Enabled and click OK.
7. (Optional) Click Discover if you want the firewall to automatically discover domain controllers on your network using DNS lookups.
   Note: The auto-discovery feature is for domain controllers only; you must manually add any Exchange servers or eDirectory servers you want to monitor.
8. Specify the methods that the firewall uses to collect user mapping information from the monitored servers:
   a. Edit the Palo Alto Networks User ID Agent Setup.
   b. Select the Server Monitor tab and then Enable Security Log monitoring and/or Enable Session monitoring.
      Note: For the privileges that these methods require, see Configure an Active Directory Account for the User-ID Agent.
9. (Optional) Specify the frequency at which the firewall polls Windows servers for mapping information. This is the interval between the end of the last query and the start of the next query.
   Note: If the query load is high, the observed delay between queries might significantly exceed the specified frequency.
   a. Edit the Palo Alto Networks User ID Agent Setup.
   b. Select the Server Monitor tab and specify the Server Log Monitor Frequency in seconds (default is 2, range is 1-3600).
      Note: As a best practice, increase the value in this field to 5 seconds in environments with older domain controllers or high-latency links.
   c. Click OK to save the changes.

Step 3   Set the domain credentials for the account the firewall will use to access Windows resources. This is required for monitoring Exchange servers and domain controllers as well as for WMI probing.
1. Edit the Palo Alto Networks User-ID Agent Setup.
2. Select the WMI Authentication tab and enter the User Name and Password for the account that the User-ID agent will use to probe the clients and monitor servers. Enter the user name using the domain\username syntax.

Step 4   (Optional) Enable WMI probing.
Note: The PAN-OS integrated User-ID agent does not support NetBIOS probing; only the Windows-based User-ID agent supports it.
1. Select the Client Probing tab and select the Enable Probing check box.
2. (Optional) Modify the Probe Interval (in minutes) if necessary to ensure it is long enough for the User-ID agent to probe all the learned IP addresses (default is 20, range is 1-1440). This is the interval between the end of the last probe request and the start of the next request.
   Note: If the request load is high, the observed delay between requests might significantly exceed the specified interval.
3. (Optional) Enable WMI probing for public IPv4 addresses if desired. (Public IPv4 addresses are those outside the scope of RFC 1918 and RFC 3927.) By default, WMI probing excludes client systems with public IPv4 addresses.
   Note: If you include any subnetworks in the Include/Exclude Networks list, the firewall implicitly excludes all subnetworks that are not in the list. Therefore, if you add subnetworks for public IPv4 addresses, you must also add all the other subnetworks that WMI probing should include.
   a. Select Device > User Identification > User Mapping.
   b. Add each subnetwork of public IPv4 addresses to the Include/Exclude Networks list.
   c. Enter a Name to identify the subnetwork.
   d. Set the Discovery option to Include.
   e. Enter the IP address range of the subnetwork in the Network Address field.
   f. Ensure the subnetwork is Enabled and click OK.
4. Make sure the Windows firewall will allow client probing by adding a remote administration exception to the Windows firewall for each probed client.
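
The include/exclude rules above (and the same rules for the Windows-based agent in Step 3 of the preceding procedure) are easy to get wrong: adding one public subnetwork silently stops probing of every private subnetwork you did not also add. The following Python script is an added example, not PAN-OS code, that models the two stated rules so you can check a candidate Include/Exclude Networks list against the client ranges you expect to be probed before committing it. The 203.0.113.0/24 range is a constructed stand-in for a public client subnetwork. Two points the guide leaves open are labelled as assumptions in the code: an exclude entry wins over an overlapping include, and IPv6 addresses are reported as not probed.

```python
"""Model which client IPv4 addresses WMI probing targets.

Added example, not PAN-OS code. It applies the two rules the guide states:
with an empty Include/Exclude Networks list, probing skips public IPv4
addresses (anything outside RFC 1918 and RFC 3927); once any subnetwork is
explicitly included, every subnetwork not in the list is implicitly excluded.
Assumptions (not stated in the guide): an explicit exclude wins over an
overlapping include, and non-IPv4 addresses are reported as not probed.
"""
import ipaddress

# Non-public IPv4 space as the guide defines it: RFC 1918 private ranges plus
# RFC 3927 link-local. Probing covers these when no networks are listed.
DEFAULT_PROBE_RANGES = [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def will_probe(ip, includes=(), excludes=()):
    """Return True if WMI probing would target `ip` under the given lists.

    includes/excludes are the CIDR strings of Include/Exclude Networks entries.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:                       # assumption: IPv6 is not modelled
        return False
    inc = [ipaddress.ip_network(n) for n in includes]
    exc = [ipaddress.ip_network(n) for n in excludes]
    if any(addr in n for n in exc):             # assumption: exclude wins on overlap
        return False
    if inc:                                     # explicit includes exclude everything else
        return any(addr in n for n in inc)
    return any(addr in n for n in DEFAULT_PROBE_RANGES)


def uncovered_ranges(includes, expected_client_ranges):
    """Return the expected client ranges an include list would silently drop.

    Run this before committing a list that adds public subnetworks: every
    range returned here must also be added, or its clients stop being probed.
    """
    inc = [ipaddress.ip_network(n) for n in includes]
    dropped = []
    for r in expected_client_ranges:
        net = ipaddress.ip_network(r)
        if not any(net.subnet_of(i) for i in inc):
            dropped.append(r)
    return dropped


if __name__ == "__main__":
    # Constructed lists: 203.0.113.0/24 stands in for a public client subnetwork.
    includes = ["203.0.113.0/24"]
    print(will_probe("203.0.113.7", includes))      # True
    print(will_probe("192.168.10.5", includes))     # False: implicitly excluded
    print(uncovered_ranges(includes, ["192.168.0.0/16", "203.0.113.0/24"]))   # ['192.168.0.0/16']
```

The usual mistake is the second call: once 203.0.113.0/24 is the only include entry, a client on 192.168.10.5 is no longer probed even though it was probed by default before the change. uncovered_ranges() lists exactly the ranges you still need to add.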

Step 5   (Optional) Define the set of users for which you don't require IP address to username mappings, such as kiosk accounts.
Note: You can also use the ignore user list to identify users whom you want to force to authenticate using Captive Portal.
Select the Ignore User List tab and Add each username to exclude from user mapping. You can use an asterisk as a wildcard character to match multiple usernames, but only as the last character in the entry. For example, corpdomain\it-admin* would match all administrators in the corpdomain domain whose usernames start with the string it-admin. You can add up to 5,000 entries to exclude from user mapping.
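
The following Python script is an added example, not code from PAN-OS or the Windows User-ID agent, that applies the ignore-list rules stated here and in Step 5 of the Windows-based agent procedure (one account per line in ignore_user_list.txt, an asterisk only as the last character of an entry, and the 5,000-entry limit of the Ignore User List tab) to a constructed list and constructed mappings. Two behaviours are assumptions that this page does not document: matching is case-insensitive, and an entry with an asterisk anywhere but the end is rejected rather than treated as a literal.

```python
"""Apply a User-ID ignore list to IP-address-to-username mappings.

Added example, not code from PAN-OS or the Windows User-ID agent. It encodes
the rules the guide states for ignore_user_list.txt and the Ignore User List
tab: one account per line, and "*" is a wildcard only as the last character
of an entry. Two assumptions are added and labelled: the comparison is
case-insensitive (Windows logon names are), and an entry with "*" elsewhere
is rejected rather than silently treated as a literal.
"""

MAX_IGNORE_ENTRIES = 5000   # limit the guide states for the integrated agent's tab

# Constructed ignore_user_list.txt content: the guide's three examples plus a
# domain-qualified wildcard entry.
SAMPLE_IGNORE_LIST = "SPAdmin\nSPInstall\nTFSReport\ncorpdomain\\itadmin*\n"


def parse_ignore_list(text):
    """Return the ignore entries in `text`, validating the wildcard rule."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        if "*" in entry[:-1]:   # assumption: reject rather than treat as a literal
            raise ValueError(f"line {lineno}: '*' is only allowed as the last character: {entry!r}")
        entries.append(entry)
    if len(entries) > MAX_IGNORE_ENTRIES:
        raise ValueError(f"{len(entries)} entries exceeds the limit of {MAX_IGNORE_ENTRIES}")
    return entries


def is_ignored(username, entries):
    """True if `username` matches an entry exactly or by trailing-wildcard prefix."""
    name = username.lower()                  # assumption: case-insensitive match
    for entry in entries:
        pattern = entry.lower()
        if pattern.endswith("*"):
            if name.startswith(pattern[:-1]):
                return True
        elif name == pattern:
            return True
    return False


def filter_mappings(mappings, entries):
    """Drop (ip, username) pairs whose user is on the ignore list."""
    return [(ip, user) for ip, user in mappings if not is_ignored(user, entries)]


if __name__ == "__main__":
    entries = parse_ignore_list(SAMPLE_IGNORE_LIST)
    # Constructed mappings, as the agent would learn them from Security logs.
    learned = [("10.1.1.20", "corpdomain\\jdoe"),
               ("10.1.1.21", "SPAdmin"),
               ("10.1.1.22", "corpdomain\\itadmin-jane")]
    print(filter_mappings(learned, entries))   # [('10.1.1.20', 'corpdomain\\jdoe')]
```

Note that the wildcard entry is domain-qualified, so a bare itadmin-jane without the corpdomain\ prefix is not matched; write the entry in the same form the agent reports usernames in.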

Step 6   Activate your configuration changes.
Click OK and Commit.

Step 7   Verify the configuration.
1. Access the firewall CLI.
2. Enter the following operational command:
   > show user server-monitor state all
3. On the Device > User Identification > User Mapping tab in the web interface, verify that the Status of each server you configured for server monitoring is Connected.

Configure User-ID to Receive User Mappings from a Syslog Sender

The following topics describe how to configure the PAN-OS integrated User-ID agent or Windows-based User-ID agent as a Syslog listener:
- Configure the Integrated User-ID Agent as a Syslog Listener
- Configure the Windows User-ID Agent as a Syslog Listener

Configure the Integrated User-ID Agent as a Syslog Listener

The following workflow describes how to configure the PAN-OS integrated User-ID agent to receive syslog messages from authenticating services.

Note: The PAN-OS integrated User-ID agent accepts syslogs over SSL and UDP only. However, you must use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, always use SSL to listen for syslog messages. However, if you must use UDP, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending UDP traffic to the firewall.

Collect User Mappings from Syslog Senders

Step 1   Determine whether there is a predefined syslog filter for your particular syslog senders.
Palo Alto Networks provides several predefined syslog filters, which are delivered as Application content updates and are therefore updated dynamically as new filters are developed. The predefined filters are global to the firewall, whereas manually defined filters apply to a single virtual system only.
Note: Any new syslog filters in a given content release will be documented in the corresponding release note along with the specific regex used to define the filter.
1. Verify that your Application or Application and Threat database is up to date:
   a. Select Device > Dynamic Updates.
   b. Click Check Now (located in the lower left-hand corner of the window) to check for the latest updates.
   c. If a new update is available, Download and Install it.
2. Check to see what predefined filters are available:
   a. Select Device > User Identification > User Mapping.
   b. In the Server Monitoring section of the screen, click Add.
   c. Select Syslog Sender as the server Type.
   d. Select the Filter drop-down and check to see if there is a filter for the manufacturer and product you plan to forward syslogs from. If the filter you need is available, skip to Step 5 for instructions on defining the servers. If the filter you need is not available, continue to Step 2.

Step 2   Manually define syslog filters for extracting the User-ID IP address to username mapping information from syslog messages.
In order to be parsed by the User-ID agent, syslog messages must meet the following criteria:
- Each syslog message must be a single-line text string. Line breaks are delimited by a carriage return and a newline (\r\n) or a newline (\n).
- The maximum allowed size of an individual syslog message is 2048 bytes.
- Syslog messages sent over UDP must be contained in a single packet; messages sent over SSL can span multiple packets.
- A single packet may contain multiple syslog messages.
1. Review the syslogs generated by the authenticating service to identify the syntax of the login events. This enables you to create the matching patterns that will allow the firewall to identify and extract the authentication events from the syslogs.
   Note: While reviewing the syslogs, also determine whether the domain name is included in the log entries. If the authentication logs do not contain domain information, consider defining a default domain name when adding the syslog sender to the monitored servers list in Step 5.
2. Select Device > User Identification > User Mapping and edit the Palo Alto Networks User-ID Agent Setup section.
3. Select the Syslog Filters tab and Add a Syslog Parse profile.
4. Enter a name for the Syslog Parse Profile.
5. Specify the Type of parsing to use to filter out the user mapping information:
   - Regex Identifier: With this type of parsing, you specify regular expressions to describe search patterns for identifying and extracting user mapping information from syslog messages. Continue to Step 3 for instructions on creating the regex identifiers.
   - Field Identifier: With this type of parsing, you specify a string to match the authentication event, and prefix and suffix strings to identify the user mapping information in the syslogs. Continue to Step 4 for instructions on creating the field identifiers.

CollectUserMappingsfromSyslogSenders(Continued)

Step3 IfyouselectedRegex Identifierasthe 1. Specifyhowtomatchsuccessfulauthenticationeventsinthe


parsingType,createtheregexmatching syslogsbyenteringamatchingpatternintheEvent Regex
patternsforidentifyingthe field.Forexample,whenmatchedagainsttheexamplesyslog
authenticationeventsandextractingthe message,thefollowingregexinstructsthefirewalltoextract
usermappinginformation. thefirst{1}instanceofthestringauthentication success.
Thisexampleshowshowtoconfigurea Thebackslashbeforethespaceisastandardregexescape
SyslogParseprofileformatchingsyslog characterthatinstructstheregexenginenottotreatthespace
messageswiththefollowingformat: asaspecialcharacter:(authentication\ success){1}.
[Tue Jul 5 13:15:04 2005 CDT] Administrator 2. Entertheregexforidentifyingthebeginningoftheusername
authentication success User:johndoe1
Source:192.168.3.212 intheauthenticationsuccessmessagesintheUsername
Ifthesyslogcontainsa Regexfield.Forexample,theregex
standalonespaceortabasa User:([a-zA-Z0-9\\\._]+)wouldmatchthestring
delimiter,youmustusean\s(for User:johndoe1intheexamplemessageandextract
aspace)anda\t(foratab)for acme\johndoe1astheUserID.
theagenttoparsethesyslog. Ifthesyslogsdonotcontaindomaininformationand
yourequiredomainnamesinyourusermappings,be
suretoentertheDefault Domain Namewhendefining
themonitoredserverentryinStep 5.
3. EntertheregexforidentifyingtheIPaddressportionofthe
authenticationsuccessmessagesintheAddress Regexfield.
Forexample,thefollowingregularexpressionSource:([0-9]
{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})would
matchanIPv4address(Source:192.168.0.212 inthe
examplesyslog).
4. ClickOK.

Step 4  If you selected Field Identifier as the parsing Type, define the string matching patterns for identifying the authentication events and extracting the user mapping information.

This example shows how to configure a Syslog Parse profile for matching syslog messages with the following format:
[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212

If the syslog contains a standalone space and/or tab as a delimiter, you must use an \s (for a space) and/or \t (for a tab) in order for the agent to parse the syslog.

1. Specify how to match successful authentication events in the syslogs by entering a matching pattern in the Event String field. For example, when matched against the sample syslog message, you would enter the string authentication success to identify authentication events in the syslog.
2. Enter the matching string for identifying the beginning of the username field within the authentication syslog message in the Username Prefix field. For example, the string User: identifies the beginning of the username field in the sample syslog.
3. Enter the Username Delimiter to mark the end of the username field within an authentication syslog message. For example, if the username is followed by a space, you would enter \s to indicate that the username field is delimited by a standalone space in the sample log.
4. Enter the matching string for identifying the beginning of the IP address field within the authentication event log in the Address Prefix field. For example, the string Source: identifies the beginning of the address field in the example log.
5. Enter the Address Delimiter to mark the end of the IP address field within the authentication success message. For example, if the address is followed by a line break, you would enter \n to indicate that the address field is delimited by a newline.
6. Click OK.
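To make the two profile types concrete, the following Python is an added example (it is not part of this guide and not Palo Alto Networks code). It applies the Regex Identifier patterns from Step 3 and the Field Identifier prefix/delimiter settings from Step 4 to the sample syslog message shown above, and appends a Default Domain Name the way Step 5 describes when the message carries no domain. The message string (terminated with a newline), the domain value acme, the dictionaries and the function names are constructed for illustration.

```python
import re

# Constructed sample in the format the guide shows; the trailing newline is the
# line terminator that the Address Delimiter (\n) in Step 4 refers to.
SAMPLE_SYSLOG = ("[Tue Jul 5 13:15:04 2005 CDT] Administrator "
                 "authentication success User:johndoe1 Source:192.168.3.212\n")

# Regex Identifier profile: the three patterns given in Step 3.
REGEX_PROFILE = {
    "event_regex": r"(authentication\ success){1}",
    "username_regex": r"User:([a-zA-Z0-9\\\._]+)",
    "address_regex": r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",
}

# Field Identifier profile: the event string and prefix/delimiter pairs from
# Step 4. The GUI's \s and \n are written here as the characters they denote.
FIELD_PROFILE = {
    "event_string": "authentication success",
    "username_prefix": "User:",
    "username_delimiter": " ",
    "address_prefix": "Source:",
    "address_delimiter": "\n",
}


def qualify(user, default_domain):
    """Prepend the Default Domain Name only when the log carried no domain."""
    if default_domain and "\\" not in user:
        return f"{default_domain}\\{user}"
    return user


def parse_regex(message, profile, default_domain=None):
    """Regex Identifier parsing. Returns (ip, user) for an authentication
    event, or None when the message is not one (or a field is missing)."""
    if not re.search(profile["event_regex"], message):
        return None
    user_m = re.search(profile["username_regex"], message)
    addr_m = re.search(profile["address_regex"], message)
    if not (user_m and addr_m):
        return None
    return addr_m.group(1), qualify(user_m.group(1), default_domain)


def extract_field(message, prefix, delimiter):
    """Take the text after `prefix` up to `delimiter` (or end of message)."""
    start = message.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = message.find(delimiter, start)
    return message[start:] if end < 0 else message[start:end]


def parse_field(message, profile, default_domain=None):
    """Field Identifier parsing with the same return contract as parse_regex."""
    if profile["event_string"] not in message:
        return None
    user = extract_field(message, profile["username_prefix"], profile["username_delimiter"])
    addr = extract_field(message, profile["address_prefix"], profile["address_delimiter"])
    if not user or not addr:
        return None
    return addr, qualify(user, default_domain)


if __name__ == "__main__":
    print(parse_regex(SAMPLE_SYSLOG, REGEX_PROFILE, default_domain="acme"))
    print(parse_field(SAMPLE_SYSLOG, FIELD_PROFILE, default_domain="acme"))
```

Both parsers yield the mapping 192.168.3.212 to acme\johndoe1 for the sample; a message that says "authentication failure" instead is ignored by both, and a username that already contains a domain (acme\johndoe1) is left alone rather than double-qualified.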


Step 5  Define the servers that will send syslog messages to the firewall for user mapping purposes.

Within the total maximum of 100 monitored servers per firewall, you can define no more than 50 syslog senders for any single virtual system.
The firewall will discard any syslog messages received from servers that are not on this list.

1. Select Device > User Identification > User Mapping and, in the Server Monitoring section, click Add.
2. Enter a Name to identify the server.
3. Make sure the server profile is Enabled (default).
4. Select Syslog Sender as the server Type.
5. Enter the Network Address of the syslog server (IP address or FQDN).
6. Select the Syslog Parse profile you configured as a Filter.
7. Select UDP or SSL (default) as the Connection Type.
   Use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, always use SSL to listen for syslog messages when using agentless User Mapping on a firewall. However, if you must use UDP, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending UDP traffic to the firewall.
   A Syslog sender using SSL to connect will only show a Status of Connected when there is an active SSL connection. Syslog senders using UDP will not show a Status value.
8. (Optional) If the syslogs that the authenticating firewall sends do not include domain information in the login event logs, enter the Default Domain Name to append to the user mappings.
9. Click OK to save the settings.


Step 6  Enable syslog listener services in the management profile associated with the interface used for user mapping.

1. Select Network > Network Profiles > Interface Mgmt and edit an existing Interface Management profile or Add a new profile.
2. Select User-ID Syslog Listener-SSL and/or User-ID Syslog Listener-UDP, depending on the protocols you defined for the syslog senders in the Server Monitoring list.
   On the Windows User-ID agent, the default listening port for syslog over UDP or TCP is 514, but the port value is configurable. For the agentless User Mapping feature on the firewall, only syslog over UDP and SSL are supported and the listening ports (514 for UDP and 6514 for SSL) are not configurable; they are enabled through the management service only.
3. Click OK to save the interface management profile.
   Even after enabling the User-ID Syslog Listener service on the interface, the interface will only accept syslog connections from servers that have a corresponding entry in the User-ID monitored servers configuration. The firewall discards connections or messages from servers that are not on the list.
4. If you created a new Interface Management profile, assign it to the interface used for user mapping:
   a. Select Network > Interfaces and edit the interface.
   b. Select Advanced > Other info, select the Interface Management Profile you just added, and click OK.

Step 7  Save the configuration. Click Commit to save the configuration.


Step 8  Verify the configuration by opening an SSH connection to the firewall and then running the following CLI commands:

To see the status of a particular syslog sender:
admin@PA-5050> show user server-monitor state Syslog2
UDP Syslog Listener Service is enabled
SSL Syslog Listener Service is enabled

Proxy: Syslog2(vsys: vsys1) Host: Syslog2(10.5.204.41)
number of log messages : 1000
number of auth. success messages : 1000
number of active connections : 0
total connections made : 4

To see how many log messages came in from syslog senders and how many entries were successfully mapped:
admin@PA-5050> show user server-monitor statistics

Directory Servers:
Name      TYPE  Host          Vsys   Status
-----------------------------------------------------------------------------
AD        AD    10.2.204.43   vsys1  Connected

Syslog Servers:
Name      Connection  Host          Vsys   Status
-----------------------------------------------------------------------------
Syslog1   UDP         10.5.204.40   vsys1  N/A
Syslog2   SSL         10.5.204.41   vsys1  Not connected

To see how many user mappings were discovered through syslog senders:
admin@PA-5050> show user ip-user-mapping all type SYSLOG

IP               Vsys    From     User                              IdleTimeout(s)  MaxTimeout(s)
---------------  ------  -------  --------------------------------  --------------  -------------
192.168.3.8      vsys1   SYSLOG   acme\jreddick                     2476            2476
192.168.5.39     vsys1   SYSLOG   acme\jdonaldson                   2480            2480
192.168.2.147    vsys1   SYSLOG   acme\ccrisp                       2476            2476
192.168.2.175    vsys1   SYSLOG   acme\jjaso                        2476            2476
192.168.4.196    vsys1   SYSLOG   acme\jblevins                     2480            2480
192.168.4.103    vsys1   SYSLOG   acme\bmoss                        2480            2480
192.168.2.193    vsys1   SYSLOG   acme\esogard                      2476            2476
192.168.2.119    vsys1   SYSLOG   acme\acallaspo                    2476            2476
192.168.3.176    vsys1   SYSLOG   acme\jlowrie                      2478            2478

Total: 9 users

Configure the Windows User-ID Agent as a Syslog Listener

The following workflow describes how to configure a Windows-based User-ID agent to listen for syslogs from authenticating services.

The Windows User-ID agent accepts syslogs over TCP and UDP only. However, you must use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, use TCP instead of UDP. In either case, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending syslogs to the User-ID agent.

Configure the Windows User-ID Agent to Collect User Mappings from Syslog Senders

Step 1  Manually define syslog filter(s) for extracting the User-ID IP address-to-username mapping information from syslog messages.

In order to be parsed by the User-ID agent, syslog messages must meet the following criteria:
- Each syslog message must be a single-line text string. Line breaks are delimited by a carriage return and a newline (\r\n) or a newline (\n).
- The maximum allowed size of an individual syslog message is 2048 bytes.
- Syslog messages sent over UDP must be contained in a single packet; messages sent over SSL can span multiple packets.
- A single packet may contain multiple syslog messages.

1. Open the Windows Start menu and select User-ID Agent.
2. Review the syslogs generated by the authenticating service to identify the syntax of the login events. This enables you to create the matching patterns that will allow the firewall to identify and extract the authentication events from the syslogs.
   While reviewing the syslogs, also determine whether the domain name is included in the log entries. If the authentication logs do not contain domain information, consider defining a default domain name when adding the syslog sender to the monitored servers list in Step 5.
3. Select User Identification > Setup and click Edit in the Setup section of the dialog.
4. On the Syslog tab, Add a Syslog Parse profile.
5. Enter a Profile Name and Description.
6. Specify the Type of parsing to use to filter out the user mapping information by selecting one of the following options:
   - Regex: With this type of parsing, you specify regular expressions to describe search patterns for identifying and extracting user mapping information from syslog messages. Continue to Step 3 for instructions on creating the regex identifiers.
   - Field: With this type of parsing, you specify a string to match the authentication event, and prefix and suffix strings to identify the user mapping information in the syslogs. Continue to Step 4 for instructions on creating the field identifiers.
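The acceptance criteria listed above can be enforced before any parse profile is applied. The following Python is an added illustration, not the agent's own code: it frames individual messages out of a UDP datagram (where every message must be complete inside that one datagram, and a datagram may carry several) and out of an SSL byte stream (where one message may span several packets), then applies the single-line and 2048-byte rules to each message. The function and class names and the sample payloads in the usage section are constructed.

```python
import re

MAX_SYSLOG_BYTES = 2048  # largest individual message the agent accepts, per the guide


def check_message(raw: bytes):
    """Apply the per-message criteria to one framed message.
    Returns the decoded text, or None if the message must be discarded."""
    if not raw or len(raw) > MAX_SYSLOG_BYTES:
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Framing already removed the terminator; a leftover carriage return or
    # newline means the sender broke the single-line rule, so reject it.
    if re.search(r"[\r\n]", text):
        return None
    return text


def _frame(data: bytes):
    """Split on the guide's terminators (\\r\\n or \\n).
    Returns (complete_messages, unterminated_tail)."""
    *complete, tail = data.replace(b"\r\n", b"\n").split(b"\n")
    return complete, tail


def split_udp_datagram(datagram: bytes):
    """UDP transport: each message must lie wholly inside this datagram, and a
    datagram may hold several. A final message without a terminator is still
    complete because the datagram boundary ends it.
    Returns (accepted_messages, rejected_count)."""
    complete, tail = _frame(datagram)
    if tail:
        complete.append(tail)
    results = [check_message(m) for m in complete]
    accepted = [m for m in results if m is not None]
    return accepted, len(results) - len(accepted)


class SslStreamReassembler:
    """SSL transport: a message may span packets, so keep the unterminated
    tail until the rest arrives. The tail is capped at MAX_SYSLOG_BYTES so a
    sender that never sends a terminator cannot grow the buffer without bound."""

    def __init__(self):
        self._tail = b""

    def feed(self, chunk: bytes):
        """Consume one received chunk; return (accepted_messages, rejected_count)."""
        complete, self._tail = _frame(self._tail + chunk)
        rejected = 0
        if len(self._tail) > MAX_SYSLOG_BYTES:
            self._tail = b""  # oversize partial message: discard it
            rejected += 1
        results = [check_message(m) for m in complete]
        accepted = [m for m in results if m is not None]
        return accepted, rejected + len(results) - len(accepted)


if __name__ == "__main__":
    # Constructed payloads: two messages in one UDP datagram, and one message
    # arriving over SSL in two chunks.
    print(split_udp_datagram(b"first login event\r\nsecond login event\n"))
    stream = SslStreamReassembler()
    print(stream.feed(b"[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:john"))
    print(stream.feed(b"doe1 Source:192.168.3.212\n"))
```

The two transports differ only in what happens to an unterminated tail: the UDP path treats it as a complete message because nothing more can arrive for that datagram, while the SSL path holds it for the next chunk. The oversize check applies in both places, so a single over-long line is dropped rather than truncated into something a parse profile might mis-read.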


Step 2  If you selected Regex as the parsing Type, create the regex matching patterns for identifying the authentication events and extracting the user mapping information.

This example shows how to configure a Syslog Parse profile for matching syslog messages with the following format:
[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212

If the syslog contains a standalone space or tab as a delimiter, you must use an \s (for a space) and \t (for a tab) for the agent to parse the syslog.

1. Specify how to match successful authentication events in the syslogs by entering a matching pattern in the Event Regex field. For example, when matched against the example syslog message, the following regex instructs the firewall to extract the first {1} instance of the string authentication success. The backslash before the space is a standard regex escape character that instructs the regex engine not to treat the space as a special character: (authentication\ success){1}.
2. Enter the regex for identifying the beginning of the username in the authentication success messages in the Username Regex field. For example, the regex User:([a-zA-Z0-9\\\._]+) would match the string User:johndoe1 in the example message and extract acme\johndoe1 as the User-ID.
   If the syslogs do not contain domain information and you require domain names in your user mappings, be sure to enter the Default Domain Name when defining the monitored server entry in Step 5.
3. Enter the regex for identifying the IP address portion of the authentication success messages in the Address Regex field. For example, the following regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) would match an IPv4 address (Source:192.168.0.212 in the example syslog).
4. Click OK to save the profile.

Step 3  If you selected Field Identifier as the parsing Type, define the string matching patterns for identifying the authentication events and extracting the user mapping information.

This example shows how to configure a Syslog Parse profile for matching syslog messages with the following format:
[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212

If the syslog contains a standalone space or tab as a delimiter, you must use an \s (for a space) and \t (for a tab) for the agent to parse the syslog.

1. Specify how to match successful authentication events in the syslogs by entering a matching pattern in the Event String field. For example, when matched against the sample syslog message, you would enter the string authentication success to identify authentication events in the syslog.
2. Enter the matching string for identifying the beginning of the username field within the authentication syslog message in the Username Prefix field. For example, the string User: identifies the beginning of the username field in the sample syslog.
3. Enter the Username Delimiter to mark the end of the username field within an authentication syslog message. For example, if the username is followed by a space, you would enter \s to indicate that the username field is delimited by a standalone space in the sample log.
4. Enter the matching string for identifying the beginning of the IP address field within the authentication event log in the Address Prefix field. For example, the string Source: identifies the beginning of the address field in the example log.
5. Enter the Address Delimiter to mark the end of the IP address field within the authentication success message. For example, if the address is followed by a line break, you would enter \n to indicate that the address field is delimited by a newline.
6. Click OK to save the profile.


Step 4  Enable the syslog listening service on the agent.

As a best practice, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending syslogs to the User-ID agent.

1. Select the Enable Syslog Service check box.
2. (Optional) Modify the Syslog Service Port number to match the port number used by the syslog sender (default = 514).
3. To save the agent syslog configuration, click OK.

Step 5  Define the servers that will send syslog messages to the User-ID agent.

Within the total maximum of 100 servers of all types that the User-ID agent can monitor, up to 50 can be syslog senders.
The User-ID agent will discard any syslog messages received from servers that are not on this list.

1. Select User Identification > Discovery.
2. In the Servers section of the screen, click Add.
3. Enter a Name and Server Address for the server that will send syslogs to the agent.
4. Select Syslog Sender as the Server Type.
5. Select a Filter you defined in Step 1.
6. (Optional) If the syslogs that the authenticating firewall sends do not include domain information in the login event logs, enter the Default Domain Name to append to the user mappings.
7. Click OK to save the settings.

Step 6  Save the configuration. Click Commit to save the configuration.


Step 7  Verify the configuration by opening an SSH connection to the firewall and then running the following CLI commands:

To see the status of a particular syslog sender:
admin@PA-5050> show user server-monitor state Syslog2
UDP Syslog Listener Service is enabled
SSL Syslog Listener Service is enabled

Proxy: Syslog2(vsys: vsys1) Host: Syslog2(10.5.204.41)
number of log messages : 1000
number of auth. success messages : 1000
number of active connections : 0
total connections made : 4

To see how many log messages came in from syslog senders and how many entries were successfully mapped:
admin@PA-5050> show user server-monitor statistics

Directory Servers:
Name      TYPE  Host          Vsys   Status
-----------------------------------------------------------------------------
AD        AD    10.2.204.43   vsys1  Connected

Syslog Servers:
Name      Connection  Host          Vsys   Status
-----------------------------------------------------------------------------
Syslog1   UDP         10.5.204.40   vsys1  N/A
Syslog2   SSL         10.5.204.41   vsys1  Not connected

To see how many user mappings were discovered through syslog senders:
admin@PA-5050> show user ip-user-mapping all type SYSLOG

IP               Vsys    From     User                              IdleTimeout(s)  MaxTimeout(s)
---------------  ------  -------  --------------------------------  --------------  -------------
192.168.3.8      vsys1   SYSLOG   acme\jreddick                     2476            2476
192.168.5.39     vsys1   SYSLOG   acme\jdonaldson                   2480            2480
192.168.2.147    vsys1   SYSLOG   acme\ccrisp                       2476            2476
192.168.2.175    vsys1   SYSLOG   acme\jjaso                        2476            2476
192.168.4.196    vsys1   SYSLOG   acme\jblevins                     2480            2480
192.168.4.103    vsys1   SYSLOG   acme\bmoss                        2480            2480
192.168.2.193    vsys1   SYSLOG   acme\esogard                      2476            2476
192.168.2.119    vsys1   SYSLOG   acme\acallaspo                    2476            2476
192.168.3.176    vsys1   SYSLOG   acme\jlowrie                      2478            2478

Total: 9 users

Map IP Addresses to Usernames Using Captive Portal

If the firewall receives a request from a security zone that has User-ID enabled and the source IP address does not have any user data associated with it yet, the firewall checks its Captive Portal policy rules for a match to determine whether to perform authentication. This is useful in environments where you have clients that are not logged in to your domain servers, such as Linux clients. The firewall triggers this user mapping method only for web traffic (HTTP or HTTPS) that matches a Captive Portal rule but has not been mapped using a different method.

- Captive Portal Authentication Methods
- Captive Portal Modes
- Configure Captive Portal

Captive Portal Authentication Methods

Captive Portal uses the following methods to obtain user information from the client when a web request matches a Captive Portal rule:

Kerberos SSO
The firewall uses Kerberos Single Sign-On (SSO) to transparently obtain user credentials. To use this method, your network requires a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service. The firewall must have a Kerberos account, including a principal name and password.
If Kerberos SSO authentication fails, the firewall falls back to NT LAN Manager (NTLM) authentication. If you don't configure NTLM, or NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Captive Portal configuration.

NT LAN Manager (NTLM)
The firewall uses an encrypted challenge-response mechanism to obtain the user credentials from the browser. When configured properly, the browser will transparently provide the credentials to the firewall without prompting the user, but will prompt for credentials if necessary.
If you use the Windows-based User-ID agent, NTLM responses go directly to the domain controller where you installed the agent.
If you configure Kerberos SSO authentication, the firewall tries that method first before falling back to NTLM authentication. If the browser can't perform NTLM or if NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Captive Portal configuration.
Microsoft Internet Explorer supports NTLM by default. You can configure Mozilla Firefox and Google Chrome to also use NTLM but you can't use NTLM to authenticate non-Windows clients.

Web Form
The firewall redirects web requests to a web form for authentication. You can configure Captive Portal to use a local user database, RADIUS server, TACACS+ server, LDAP server, or Kerberos server to authenticate users. Although the firewall always prompts users for credentials, this method works with all browsers and operating systems.

Client Certificate Authentication
The firewall prompts the browser to present a valid client certificate to authenticate the user. To use this method, you must provision client certificates on each user system and install the trusted certificate authority (CA) certificate used to issue those certificates on the firewall.

Captive Portal Modes

The Captive Portal mode defines how the firewall captures web requests for authentication:

Transparent
The firewall intercepts the browser traffic per the Captive Portal rule and impersonates the original destination URL, issuing an HTTP 401 to invoke authentication. However, because the firewall does not have the real certificate for the destination URL, the browser displays a certificate error to users attempting to access a secure site. Therefore, you should only use this mode when absolutely necessary, such as in Layer 2 or virtual wire deployments.

Redirect
The firewall intercepts unknown HTTP or HTTPS sessions and redirects them to a Layer 3 interface on the firewall using an HTTP 302 redirect to perform authentication. This is the preferred mode because it provides a better end-user experience (no certificate errors). However, it does require additional Layer 3 configuration. Another benefit of the Redirect mode is that it provides for the use of session cookies, which enable the user to continue browsing to authenticated sites without requiring re-mapping each time the timeouts expire. This is especially useful for users who roam from one IP address to another (for example, from the corporate LAN to the wireless network) because they won't need to re-authenticate when the IP address changes as long as the session stays open.
If you use Kerberos SSO or NTLM authentication, you must use Redirect mode because the browser will provide credentials only to trusted sites.

Configure Captive Portal

The following procedure shows how to configure Captive Portal using the PAN-OS integrated User-ID agent to redirect web requests that match a Captive Portal rule to a redirect host. A redirect host is the intranet hostname (a hostname with no period in its name) that resolves to the IP address of the Layer 3 interface on the firewall to which the firewall will redirect requests.

If you use Captive Portal without the other User-ID functions (user mapping and group mapping), you don't need to configure a User-ID agent.

Configure Captive Portal Using the PAN-OS Integrated User-ID Agent

Step 1  Configure the interfaces that the firewall will use for redirecting web requests, authenticating users, and communicating with directory servers to map usernames to IP addresses.

The firewall uses the management (MGT) interface for all these functions by default, but you can configure other interfaces. In redirect mode, you must use a Layer 3 interface for redirecting requests.

1. (MGT interface only) Select Device > Setup > Management, edit the Management Interface Settings, select the User-ID check box, and click OK.
2. (Non-MGT interface only) Assign an Interface Management profile to the Layer 3 interface that the firewall will use to redirect web requests and communicate with directory servers. You must enable Response Pages and User-ID in the Interface Management profile.
3. (Non-MGT interface only) Configure a service route for the interface that the firewall will use to authenticate users. If the firewall has more than one virtual system (vsys), the service route can be global or vsys-specific. The services must include LDAP and potentially the following:
   - Kerberos, RADIUS, or TACACS+: Configure a service route for one of these services only if you will use it for external authentication.
   - UID Agent: Configure this service only if you will enable NT LAN Manager (NTLM) authentication or if you will Enable User- and Group-Based Policy.
4. (Redirect mode only) Create a DNS address (A) record that maps the IP address on the Layer 3 interface to the redirect host. If you will use Kerberos SSO, you must also add a DNS pointer (PTR) record that performs the same mapping.

If your network doesn't support access to the directory servers from any firewall interface, you must Configure User Mapping Using the Windows User-ID Agent.

Step 2  Make sure Domain Name System (DNS) is configured to resolve your domain controller addresses. To verify proper resolution, ping the server FQDN. For example:
admin@PA-200> ping host dc1.acme.com

Step 3  Create a Kerberos keytab for the redirect host. Required for Kerberos SSO authentication.

Create a Kerberos keytab. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the redirect host (the firewall). To support Kerberos SSO, your network must have a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service.


Step 4  Configure clients to trust Captive Portal certificates. Required for redirect mode to transparently redirect users without displaying certificate errors. You can generate a self-signed certificate or import a certificate that an external certificate authority (CA) signed.

To use a self-signed certificate, create a root CA certificate and use it to sign the certificate you will use for Captive Portal:
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Create a Self-Signed Root CA Certificate or import a CA certificate (see Import a Certificate and Private Key).
3. Generate a Certificate to use for Captive Portal. Be sure to configure the following fields:
   - Common Name: Enter the DNS name of the intranet host for the Layer 3 interface.
   - Signed By: Select the CA certificate you just created or imported.
   - Certificate Attributes: Click Add, for the Type select IP and, for the Value, enter the IP address of the Layer 3 interface to which the firewall will redirect requests.
4. Configure an SSL/TLS Service Profile. Assign the Captive Portal certificate you just created to the profile.
5. Configure clients to trust the certificate:
   a. Export the CA certificate you created or imported.
   b. Import the certificate as a trusted root CA into all client browsers, either by manually configuring the browser or by adding the certificate to the trusted roots in an Active Directory (AD) Group Policy Object (GPO).

Step 5  Configure an authentication server profile. Required for external authentication. If you enable Kerberos SSO or NTLM authentication, the firewall uses the external service only if those methods fail.

- Configure a RADIUS Server Profile.
- Configure a TACACS+ Server Profile.
- Configure an LDAP Server Profile.
- Configure a Kerberos Server Profile.

The PAN-OS web server timeout (default is 3 seconds) must be the same as or greater than the server profile timeout multiplied by the number of servers in the profile. For RADIUS and TACACS+, the default server profile Timeout is 3 seconds. For LDAP, the timeout is the total of the Bind Timeout (default is 30 seconds) and Search Timeout (default is 30 seconds) for each server. For Kerberos, the non-configurable timeout can take up to 17 seconds for each server. Also, the Captive Portal session timeout (default is 30 seconds) must be greater than the web server timeout.
To change the web server timeout, enter the following firewall CLI command, where <value> is 3-30 seconds:
set deviceconfig setting l3-service timeout <value>
To change the Captive Portal session timeout, select Device > Setup > Session, edit the Session Timeouts, and enter a new Captive Portal value in seconds (range is 1-1,599,999).
Keep in mind that the more you raise the web server and Captive Portal session timeouts, the slower Captive Portal will respond to users.


Step 6  Add the users and user groups to the local database on the firewall. Required for local database authentication. If you enable Kerberos SSO and/or NTLM authentication, the firewall uses the local database only if those methods fail.

1. Configure the user account.
2. (Optional) Configure a user group.

Step 7  Add an authentication profile. The profile defines the authentication methods to use (Kerberos SSO, external service, or local database) when a Captive Portal rule invokes Web Form authentication. Even if you enable NTLM, you must define a secondary authentication method in case NTLM authentication fails or the User-ID agent doesn't support NTLM.

If you set the authentication Type to RADIUS, specify a RADIUS User Domain in case users don't enter the domain at login.

Configure an authentication profile:
1. If the authentication Type is an external service (RADIUS, TACACS+, LDAP, or Kerberos), select the authentication Server Profile you created.
2. If you use Kerberos SSO, enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is uppercase), and import the Kerberos Keytab you created.
3. Select Advanced and Add the users and user groups that can authenticate using this profile. If the authentication Type is Local Database, add the Captive Portal users or user groups you created. You can select all to allow every user to authenticate. After completing the Allow List, click OK.
   If your users are in multiple domains or Kerberos realms, you can create an authentication profile for each domain or realm, assign all the profiles to the authentication sequence (Step 8), and assign the sequence to the Captive Portal configuration.

Step 8  (Optional) Add an authentication sequence.

If the firewall is configured to use multiple authentication profiles in the sequence for any one user (for example, if some directory server connections are unreliable), then the PAN-OS web server timeout must be the same as or greater than the timeout for the sequence, which is the total of the timeouts for all its authentication profiles. Also, the session timeout for Captive Portal must be greater than the web server timeout. To change these timeouts, see the note in Step 5.

Configure an authentication sequence:
1. Select Device > Authentication Sequence, Add the authentication sequence, and enter a Name to identify it.
2. Select Use domain to determine authentication profile. The firewall will match the domain name that a user enters during login with the User Domain or Kerberos Realm of an authentication profile in the sequence, and then use that profile to authenticate the user.
3. Add each authentication profile.
4. Click OK to save the authentication sequence.
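The timeout rule in Step 5 and its extension to authentication sequences in Step 8 are arithmetic, and a misconfiguration shows up only as slow or failing Captive Portal logins, so it is worth checking before committing. The following Python is an added example (not the firewall's code): it computes the worst-case authentication time for a set of authentication profiles using the defaults stated in Step 5, and reports where the web server timeout (3 to 30 seconds) and the Captive Portal session timeout (1 to 1,599,999 seconds) fail the rules. The profile dictionaries, their keys and the function names are assumptions made for the example.

```python
WEB_SERVER_TIMEOUT_RANGE = (3, 30)             # l3-service timeout, seconds
CAPTIVE_PORTAL_SESSION_RANGE = (1, 1_599_999)  # Captive Portal session timeout, seconds
KERBEROS_PER_SERVER_TIMEOUT = 17               # not configurable, per the guide


def profile_timeout(profile):
    """Worst-case seconds one authentication profile can take: the per-server
    timeout of its server profile multiplied by the number of servers.
    `profile` is an assumed dict such as {"type": "radius", "servers": 2}."""
    kind, servers = profile["type"], profile["servers"]
    if kind in ("radius", "tacacs+"):
        per_server = profile.get("timeout", 3)                  # default Timeout 3 s
    elif kind == "ldap":
        per_server = (profile.get("bind_timeout", 30)           # default 30 s
                      + profile.get("search_timeout", 30))      # default 30 s
    elif kind == "kerberos":
        per_server = KERBEROS_PER_SERVER_TIMEOUT
    else:
        raise ValueError(f"unknown server profile type: {kind!r}")
    return per_server * servers


def sequence_timeout(profiles):
    """An authentication sequence tries its profiles in turn, so its worst case
    is the sum of the member profiles' timeouts (a single profile is the
    degenerate one-member case)."""
    return sum(profile_timeout(p) for p in profiles)


def check_timeouts(profiles, web_server_timeout, captive_portal_session_timeout):
    """Return a list of findings; an empty list means the values satisfy the
    rules in Steps 5 and 8."""
    findings = []
    needed = sequence_timeout(profiles)
    ws_lo, ws_hi = WEB_SERVER_TIMEOUT_RANGE
    cp_lo, cp_hi = CAPTIVE_PORTAL_SESSION_RANGE
    if not ws_lo <= web_server_timeout <= ws_hi:
        findings.append(f"web server timeout {web_server_timeout}s is outside {ws_lo}-{ws_hi}s")
    if web_server_timeout < needed:
        findings.append(f"web server timeout {web_server_timeout}s is below the {needed}s "
                        "the authentication profile(s) may take")
    if needed > ws_hi:
        findings.append(f"{needed}s exceeds the maximum web server timeout of {ws_hi}s; "
                        "reduce the number of servers or the per-server timeouts")
    if not cp_lo <= captive_portal_session_timeout <= cp_hi:
        findings.append(f"Captive Portal session timeout {captive_portal_session_timeout}s "
                        f"is outside {cp_lo}-{cp_hi}s")
    if captive_portal_session_timeout <= web_server_timeout:
        findings.append("Captive Portal session timeout must be greater than the web server timeout")
    return findings


def web_server_timeout_command(seconds):
    """The CLI command from Step 5, for a value inside the allowed range."""
    lo, hi = WEB_SERVER_TIMEOUT_RANGE
    if not lo <= seconds <= hi:
        raise ValueError(f"web server timeout must be {lo}-{hi} seconds")
    return f"set deviceconfig setting l3-service timeout {seconds}"


if __name__ == "__main__":
    # Constructed configuration: one RADIUS profile with two servers at the
    # default 3 s timeout, left at the default web server timeout of 3 s and
    # the default Captive Portal session timeout of 30 s.
    profiles = [{"type": "radius", "servers": 2}]
    for finding in check_timeouts(profiles, 3, 30):
        print("finding:", finding)
    print(web_server_timeout_command(sequence_timeout(profiles)))
```

The constructed case shows the common pitfall: adding a second RADIUS server doubles the worst case to 6 seconds, which the default 3-second web server timeout no longer covers. An LDAP profile at its defaults (60 seconds per server) cannot be covered at all within the 30-second maximum, so the bind and search timeouts must be lowered rather than the web server timeout raised.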


Step 9  Configure Client Certificate Authentication. Required if Captive Portal will use this authentication method.

You don't need an authentication profile or sequence for client certificate authentication. If you configure both an authentication profile/sequence and certificate authentication, users must authenticate using both.

1. Use a root CA certificate to generate a client certificate for each user who will authenticate to Captive Portal. The CA in this case is usually your enterprise CA, not the firewall.
2. Export the CA certificate in PEM format to a system that the firewall can access.
3. Import the CA certificate onto the firewall: see Import a Certificate and Private Key. After the import, click the imported certificate, select Trusted Root CA, and click OK.
4. Configure a Certificate Profile.
   - In the Username Field drop-down, select the certificate field that contains the user identity information.
   - In the CA Certificates list, click Add and select the CA certificate you just imported.

Step 10  Enable NT LAN Manager (NTLM) authentication. Required for NTLM authentication.

When using the PAN-OS integrated User-ID agent, the firewall must successfully resolve the DNS name of your domain controller to join the domain (using the credentials you enter in this step).

1. If you haven't already done so, create an Active Directory (AD) account for the User-ID agent.
2. Select Device > User Identification > User Mapping and edit the Palo Alto Networks User-ID Agent Setup section.
3. On the NTLM tab, select the Enable NTLM authentication processing check box.
4. Enter the NTLM Domain against which the User-ID agent on the firewall will check NTLM credentials.
5. In the Admin User Name, Password, and Confirm Password fields, enter the username and password of the Active Directory account you created for the User-ID agent.
   Do not include the domain in the Admin User Name field. Otherwise, the firewall will fail to join the domain.
   Palo Alto Networks recommends that you use a User-ID agent account that is separate from your firewall administrator account.
6. You don't need to configure any other settings for the User-ID agent: click OK.


Step 11  Configure the Captive Portal settings.

1. Select Device > User Identification > Captive Portal Settings and edit the settings.
2. Make sure the Enable Captive Portal check box is selected.
3. Select the SSL/TLS Service Profile you created for redirect requests over TLS.
4. Select the Mode (in this example, Redirect).
5. (Redirect mode only) Specify the Redirect Host name that resolves to the IP address of the Layer 3 interface for redirected requests.
6. Select the authentication method to use if NTLM fails (or if you don't use NTLM):
   - To use Kerberos SSO, an external server, or the local database, select the Authentication Profile or authentication sequence you created.
   - To use client certificate authentication, select the Certificate Profile you created.
7. Click OK and Commit to save the Captive Portal configuration.

Configure User Mapping for Terminal Server Users

Individual terminal server users appear to have the same IP address and therefore an IP address-to-username mapping is not sufficient to identify a specific user. To enable identification of specific users on Windows-based terminal servers, the Palo Alto Networks Terminal Services agent (TS agent) allocates a port range to each user. It then notifies every connected firewall about the allocated port range, which allows the firewall to create an IP address-port-user mapping table and enable user- and group-based security policy enforcement. For non-Windows terminal servers, you can configure the PAN-OS XML API to extract user mapping information.

The following sections describe how to configure user mapping for terminal server users:
- Configure the Palo Alto Networks Terminal Services Agent for User Mapping
- Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

Configure the Palo Alto Networks Terminal Services Agent for User Mapping

Use the following procedure to install and configure the TS agent on the terminal server. To map all your users, you must install the TS agent on all terminal servers that your users log in to.

For information about the terminal servers supported by the TS Agent, refer to Operating System (OS) Compatibility TS Agent in the Terminal Services Agent Release Notes.

Configure the Palo Alto Networks Terminal Services Agent for User Mapping

Step 1  Download the TS agent installer.

1. Log in to the Palo Alto Networks Customer Support website.
2. Select Software Updates from the Manage Devices section.
3. Scroll to the Terminal Services Agent section and Download the version of the agent you want to install.
4. Save the TaInstall64.x64-x.x.x-xx.msi or TaInstall-x.x.x-xx.msi file (be sure to select the appropriate version based on whether the Windows system is running a 32-bit OS or a 64-bit OS) on the systems where you plan to install the agent.

Step 2  Run the installer as an administrator.

1. Open the Windows Start menu, right-click the Command Prompt program, and select Run as administrator.
2. From the command line, run the .msi file you downloaded. For example, if you saved the .msi file to the Desktop you would enter the following:
C:\Users\administrator.acme>cd Desktop
C:\Users\administrator.acme\Desktop>TaInstall-6.0.0-1.msi
3. Follow the setup prompts to install the agent using the default settings. By default, the agent gets installed to the C:\Program Files (x86)\Palo Alto Networks\Terminal Server Agent folder, but you can Browse to a different location.
4. When the installation completes, Close the setup window.
   If you are upgrading to a TS Agent version that has a newer driver than the existing installation, the installation wizard prompts you to reboot the system after upgrading in order to use the new driver.

402 PANOS7.1AdministratorsGuide PaloAltoNetworks,Inc.


UserID MapIPAddressestoUsers

ConfigurethePaloAltoNetworksTerminalServicesAgentforUserMapping(Continued)

Step3 Definetherangeofportsforthe 1. OpentheWindowsStartmenuandselectTerminal Server


TS Agenttoallocatetoendusers. AgenttolaunchtheTerminalServicesagentapplication.
TheSystem Source Port 2. SelectConfigureinthesidemenu.
Allocation RangeandSystem
3. EntertheSource Port Allocation Range(default
Reserved Source Portsfields
2000039999).Thisisthefullrangeofportnumbersthatthe
specifytherangeofportsthat
TSagentwillallocateforusermapping.Theportrangeyou
willbeallocatedtononuser
specifycannotoverlapwiththeSystem Source Port
sessions.Makesurethevalues
Allocation Range.
specifiedinthesefieldsdonot
overlapwiththeportsyou 4. (Optional)Ifthereareports/portrangeswithinthesourceport
designateforusertraffic.These allocationthatyoudonotwanttheTSAgenttoallocateto
valuescanonlybechangedby usersessions,specifythemasReserved Source Ports.To
editingthecorresponding includemultipleranges,usecommaswithnospaces,for
Windowsregistrysettings. example:2000-3000,3500,4000-5000.
5. Specifythenumberofportstoallocatetoeachindividualuser
uponlogintotheterminalserverinthePort Allocation Start
Size Per User field(default200).
6. SpecifythePort Allocation Maximum Size Per User,whichis
themaximumnumberofportstheTerminalServicesagent
canallocatetoanindividualuser.
7. Specifywhethertocontinueprocessingtrafficfromtheuserif
theuserrunsoutofallocatedports.Bydefault,theFail port
binding when available ports are used upisselected,which
indicatesthattheapplicationwillfailtosendtrafficwhenall
portsareused.Toenableuserstocontinueusingapplications
whentheyrunoutofports,clearthischeckbox.Keepinmind
thatthistrafficmaynotbeidentifiedwithUserID.

Step4 Configurethefirewallstoconnecttothe Completethefollowingstepsoneachfirewallyouwanttoconnect


TerminalServicesagent. totheTerminalServicesagenttoreceiveusermappings:
1. SelectDevice > User Identification > Terminal Server Agents
andclickAdd.
2. EnteraNamefortheTerminalServicesagent.
3. EntertheIPaddressoftheWindowsHostonwhichthe
TerminalServicesagentisinstalled.
4. EnterthePortnumberonwhichtheagentwilllistenforuser
mappingrequests.Thisvaluemustmatchthevalueconfigured
ontheTerminalServicesagent.Bydefault,theportissetto
5009onthefirewallandontheagent.Ifyouchangeithere,
youmustalsochangetheListening PortfieldontheTerminal
ServicesagentConfigurescreen.
5. MakesurethattheconfigurationisEnabledandthenclickOK.
6. Committhechanges.
7. VerifythattheConnected status displaysasconnected(a
greenlight).

Step 5  Verify that the Terminal Services agent is successfully mapping IP addresses to usernames and that the firewalls can connect to the agent.
  1. Open the Windows Start menu and select Terminal Server Agent.
  2. Verify that the firewalls can connect by making sure the Connection Status of each firewall in the Connection List is Connected.
  3. Verify that the Terminal Services agent is successfully mapping port ranges to usernames by selecting Monitor in the side menu and making sure that the mapping table is populated.

Step 6  (Windows 2012 R2 servers only) Disable Enhanced Protected Mode in Microsoft Internet Explorer for each user who uses that browser.
  This task is not necessary for other browsers such as Google Chrome or Mozilla Firefox. To disable Enhanced Protected Mode for all users, use Local Security Policy.
  Perform these steps on the Windows Server:
  1. Start Internet Explorer.
  2. Select Internet options > Advanced and scroll down to the Security section.
  3. Clear Enable Enhanced Protected Mode.
  4. Click OK.
  In Internet Explorer, Palo Alto Networks recommends that you do not disable Protected Mode, which differs from Enhanced Protected Mode.

Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

The PAN-OS XML API is a RESTful API that uses standard HTTP requests to send and receive data. API calls can be made directly from command-line utilities such as cURL or using any scripting or application framework that supports RESTful services.
To enable a non-Windows terminal server to send user mapping information directly to the firewall, create scripts that extract the user login and logout events and use them as input to the PAN-OS XML API request format. Then define the mechanism for submitting the XML API request(s) to the firewall using cURL or wget, supplying the firewall's API key to authenticate each request. Always send the requests over HTTPS: the key carries the privileges of the administrator account that generated it. Creating user mappings from multi-user systems such as terminal servers requires use of the following API messages:
- <multiusersystem>: Sets up the configuration for an XML API Multi-user System on the firewall. This message allows for definition of the terminal server IP address (this will be the source address for all users on that terminal server). In addition, the <multiusersystem> setup message specifies the range of source port numbers to allocate for user mapping and the number of ports to allocate to each individual user upon login (called the block size). If you want to use the default source port allocation range (1025-65534) and block size (200), you do not need to send a <multiusersystem> setup event to the firewall. Instead, the firewall will automatically generate the XML API Multi-user System configuration with the default settings upon receipt of the first user login event message.
- blockstart: An attribute of the <entry> element in <login> and <logout> messages that indicates the starting source port number allocated to the user. The firewall then uses the block size to determine the actual range of port numbers to map to the IP address and username in the login message. For example, if the blockstart value is 13200 and the block size configured for the multi-user system is 300, the actual source port range allocated to the user is 13200 through 13499. Each connection initiated by the user should use a unique source port number within the allocated range, enabling the firewall to identify the user based on its IP-address-port-user mappings for enforcement of user- and group-based security rules. When a user exhausts all the ports allocated, the terminal server must send a new <login> message allocating a new port range for the user so that the firewall can update the IP-address-port-user mapping. In addition, a single username can have multiple blocks of ports mapped simultaneously. When the firewall receives a <logout> message that includes a blockstart attribute, it removes the corresponding IP-address-port-user mapping from its mapping table. When the firewall receives a <logout> message with a username and IP address, but no blockstart, it removes the user from its table. And, if the firewall receives a <logout> message with an IP address only, it removes the multi-user system and all mappings associated with it.

The XML files that the terminal server sends to the firewall can contain multiple message types and the messages do not need to be in any particular order within the file. However, upon receiving an XML file that contains multiple message types, the firewall will process them in the following order: multiusersystem requests first, followed by logins, then logouts.
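
To make these rules concrete, the following Python script simulates the firewall side of the exchange. It is added here as an example; it is not Palo Alto Networks code and does not contact a firewall. It creates a multi-user system with the default range and block size when the first login arrives without a setup message, rejects a blockstart that is not on a block boundary, resolves a packet's source IP address and port to a username, applies the three logout forms, and processes a combined message in the documented order (multiusersystem, then logins, then logouts). The limits (block size up to 4000, up to 1000 blocks per system), the addresses and the usernames come from this section; the message MIXED_ORDER_MSG is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Documented defaults and limits for an XML API multi-user system.
DEFAULT_STARTPORT, DEFAULT_ENDPORT, DEFAULT_BLOCKSIZE = 1025, 65534, 200
MAX_BLOCKSIZE = 4000
MAX_BLOCKS_PER_SYSTEM = 1000


def range_problems(startport, endport, blocksize):
    """Return the documented constraints a custom setup violates ([] if none).

    Checks: block size within 1-4000, the range divides evenly into blocks so
    no ports at the top go unused, and at most 1000 blocks per system.
    """
    if startport > endport:
        return [f"startport {startport} is above endport {endport}"]
    if not 1 <= blocksize <= MAX_BLOCKSIZE:
        return [f"blocksize {blocksize} outside 1-{MAX_BLOCKSIZE}"]
    span = endport - startport + 1
    problems = []
    if span % blocksize:
        problems.append(f"{span % blocksize} ports at the top of {startport}-{endport} "
                        f"would never be allocated with blocksize {blocksize}")
    if span // blocksize > MAX_BLOCKS_PER_SYSTEM:
        problems.append(f"{span // blocksize} blocks exceed {MAX_BLOCKS_PER_SYSTEM}")
    return problems


def aligned(startport, endport, blocksize, blockstart):
    """True when blockstart sits on a block boundary and the whole block fits."""
    return (startport <= blockstart <= endport - blocksize + 1
            and (blockstart - startport) % blocksize == 0)


class FirewallMappingTable:
    """Simulated IP-address-port-user table for XML API multi-user systems."""

    def __init__(self):
        self.systems = {}  # terminal server IP -> {startport, endport, blocksize, blocks}

    def _system(self, ip):
        # No setup message seen: the first login creates the system with the defaults.
        return self.systems.setdefault(ip, {
            "startport": DEFAULT_STARTPORT, "endport": DEFAULT_ENDPORT,
            "blocksize": DEFAULT_BLOCKSIZE, "blocks": {}})

    def setup(self, ip, startport, endport, blocksize):
        problems = range_problems(startport, endport, blocksize)
        if problems:
            raise ValueError("; ".join(problems))
        self.systems[ip] = {"startport": startport, "endport": endport,
                            "blocksize": blocksize, "blocks": {}}

    def login(self, name, ip, blockstart):
        s = self._system(ip)
        if not aligned(s["startport"], s["endport"], s["blocksize"], blockstart):
            raise ValueError(f"blockstart {blockstart} is not on a block boundary for {ip}")
        if blockstart not in s["blocks"] and len(s["blocks"]) >= MAX_BLOCKS_PER_SYSTEM:
            raise ValueError(f"{ip} already has {MAX_BLOCKS_PER_SYSTEM} blocks mapped")
        s["blocks"][blockstart] = name  # one user may hold several blocks at once

    def logout(self, ip, name=None, blockstart=None):
        s = self.systems.get(ip)
        if s is None:
            return
        if blockstart is not None:      # ip + name + blockstart: drop that one block
            s["blocks"].pop(blockstart, None)
        elif name is not None:          # ip + name: drop every block of that user
            s["blocks"] = {b: u for b, u in s["blocks"].items() if u != name}
        else:                           # ip only: drop the whole multi-user system
            del self.systems[ip]

    def lookup(self, ip, port):
        """Map a packet's source IP:port to a username, or None if unmapped."""
        s = self.systems.get(ip)
        if s is None or not s["startport"] <= port <= s["endport"]:
            return None
        blockstart = s["startport"] + (port - s["startport"]) // s["blocksize"] * s["blocksize"]
        return s["blocks"].get(blockstart)

    def process(self, uid_message):
        """Apply one uid-message in the firewall's order: setup, logins, logouts."""
        payload = ET.fromstring(uid_message).find("payload")
        for e in payload.findall("multiusersystem/entry"):
            self.setup(e.get("ip"), int(e.get("startport")),
                       int(e.get("endport")), int(e.get("blocksize")))
        for e in payload.findall("login/entry"):
            self.login(e.get("name"), e.get("ip"), int(e.get("blockstart")))
        for e in payload.findall("logout/entry"):
            bs = e.get("blockstart")
            self.logout(e.get("ip"), e.get("name"), None if bs is None else int(bs))


# Constructed sample message: the logout for jjaso is listed before the login,
# but logins are processed before logouts, so jjaso ends up unmapped.
MIXED_ORDER_MSG = """<uid-message><type>update</type><version>1.0</version><payload>
<multiusersystem><entry ip="10.1.1.23" startport="20000" endport="39999" blocksize="100"/></multiusersystem>
<logout><entry name="acme\\jjaso" ip="10.1.1.23" blockstart="20000"/></logout>
<login><entry name="acme\\jjaso" ip="10.1.1.23" blockstart="20000"/>
<entry name="acme\\jparker" ip="10.1.1.23" blockstart="20100"/></login>
</payload></uid-message>"""


def demo():
    """Return who 10.1.1.23:20050 and 10.1.1.23:20101 map to after MIXED_ORDER_MSG."""
    table = FirewallMappingTable()
    table.process(MIXED_ORDER_MSG)
    return table.lookup("10.1.1.23", 20050), table.lookup("10.1.1.23", 20101)


if __name__ == "__main__":
    print(demo())
```

Note that the documented defaults (1025-65534 with a block size of 200) do not themselves divide evenly: 64,510 ports leave 110 unallocated at the top of the range. The script therefore applies range_problems() only to explicit setup messages, which is where the guide requires a range with no unused ports.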

The following workflow provides an example of how to use the PAN-OS XML API to send user mappings from a non-Windows terminal server to the firewall.

Use the PAN-OS XML API to Map Non-Windows Terminal Services Users

Step 1  Generate the API key that will be used to authenticate the API communication between the firewall and the terminal server.
  To generate the key you must provide login credentials for an administrative account; the API is available to all administrators (including role-based administrators with XML API privileges enabled). Any special characters in the password must be URL (percent) encoded.
  From a browser, log in to the firewall. Then, to generate the API key for the firewall, open a new browser window and enter the following URL:
  https://<Firewall-IPaddress>/api/?type=keygen&user=<username>&password=<password>
  Where <Firewall-IPaddress> is the IP address or FQDN of the firewall and <username> and <password> are the credentials for the administrative user account on the firewall. For example:
  https://10.1.2.5/api/?type=keygen&user=admin&password=admin
  The firewall responds with a message containing the key, for example:
  <response status="success">
    <result>
      <key>k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg=</key>
    </result>
  </response>
  Because the credentials travel in the URL, they end up in the browser history and in the logs of any proxy on the path; generate the key from a trusted host and clear the history afterwards. Protect the key itself like a password, since it carries the full privileges of the account that generated it, and prefer a role-based administrator account with only the XML API privileges the scripts need over the superuser account shown in the example.

Step 2  (Optional) Generate a setup message that the terminal server will send to specify the port range and block size of ports per user that your terminal services agent uses.
  If the terminal services agent does not send a setup message, the firewall will automatically create a Terminal Services agent configuration using the following default settings upon receipt of the first login message:
  - Default port range: 1025 to 65534
  - Per-user block size: 200
  - Maximum number of multi-user systems: 1,000
  The following shows a sample setup message:
  <uid-message>
    <payload>
      <multiusersystem>
        <entry ip="10.1.1.23" startport="20000" endport="39999" blocksize="100"/>
      </multiusersystem>
    </payload>
    <type>update</type>
    <version>1.0</version>
  </uid-message>
  where entry ip specifies the IP address assigned to terminal server users, startport and endport specify the port range to use when assigning ports to individual users, and blocksize specifies the number of ports to assign to each user. The maximum block size is 4000 and each multi-user system can allocate a maximum of 1000 blocks.
  If you define a custom block size and/or port range, keep in mind that you must configure the values such that every port in the range gets allocated and that there are no gaps or unused ports. For example, if you set the port range to 1000-1499, you could set the block size to 100, but not to 200. This is because if you set it to 200, there would be unused ports at the end of the range.

Step 3  Create a script that will extract the login events and create the XML input file to send to the firewall.
  Make sure the script enforces assignment of port number ranges at fixed boundaries with no port overlaps. For example, if the port range is 1000-1999 and the block size is 200, acceptable blockstart values would be 1000, 1200, 1400, 1600, or 1800. Blockstart values of 1001, 1300, or 1850 would be unacceptable because some of the port numbers in the range would be left unused.
  The login event payload that the terminal server sends to the firewall can contain multiple login events.
  The following shows the input file format for a PAN-OS XML login event:
  <uid-message>
    <payload>
      <login>
        <entry name="acme\jjaso" ip="10.1.1.23" blockstart="20000"/>
        <entry name="acme\jparker" ip="10.1.1.23" blockstart="20100"/>
        <entry name="acme\ccrisp" ip="10.1.1.23" blockstart="21000"/>
      </login>
    </payload>
    <type>update</type>
    <version>1.0</version>
  </uid-message>
  The firewall uses this information to populate its user mapping table. Based on the mappings extracted from the example above (with the block size of 100 from the setup message in Step 2), if the firewall received a packet with a source address and port of 10.1.1.23:20101, it would map the request to user jparker for policy enforcement.
  Each multi-user system can allocate a maximum of 1,000 port blocks.

Step 4  Create a script that will extract the logout events and create the XML input file to send to the firewall.
  Upon receipt of a logout event message with a blockstart attribute, the firewall removes the corresponding IP-address-port-user mapping. If the logout message contains a username and IP address, but no blockstart attribute, the firewall removes all mappings for the user. If the logout message contains an IP address only, the firewall removes the multi-user system and all associated mappings.
  The following shows the input file format for a PAN-OS XML logout event:
  <uid-message>
    <payload>
      <logout>
        <entry name="acme\jjaso" ip="10.1.1.23" blockstart="20000"/>
        <entry name="acme\ccrisp" ip="10.1.1.23"/>
        <entry ip="10.2.5.4"/>
      </logout>
    </payload>
    <type>update</type>
    <version>1.0</version>
  </uid-message>
  You can also clear the multi-user system entry from the firewall using the following CLI command: clear xml-api multiusersystem

Step 5  Make sure that the scripts you create include a way to dynamically enforce that the port block range allocated using the XML API matches the actual source port assigned to the user on the terminal server and that the mapping is removed when the user logs out or the port allocation changes.
  One way to do this would be to use netfilter NAT rules to hide user sessions behind the specific port ranges allocated via the XML API based on the uid. For example, to ensure that a user with the user ID jjaso is mapped to a source network address translation (SNAT) value of 10.1.1.23:20000-20099, the script you create should include the following:
  [root@ts1 ~]# iptables -t nat -A POSTROUTING -m owner --uid-owner jjaso -p tcp -j SNAT --to-source 10.1.1.23:20000-20099
  Similarly, the scripts you create should also ensure that the iptables configuration dynamically removes the SNAT mapping when the user logs out or the port allocation changes. Delete the rule by repeating its full specification rather than by position, so that the script removes exactly the rule it added even if other NAT rules have been inserted in the meantime:
  [root@ts1 ~]# iptables -t nat -D POSTROUTING -m owner --uid-owner jjaso -p tcp -j SNAT --to-source 10.1.1.23:20000-20099
  (The positional form, iptables -t nat -D POSTROUTING 1, deletes whichever rule currently happens to be first in the chain.)

Step 6  Define how to package the XML input files containing the setup, login, and logout events into wget or cURL messages for transmission to the firewall.
  Because the URL contains & characters, quote it in the shell. To apply the files to the firewall using wget:
  > wget --post-file=<filename> 'https://<Firewall-IPaddress>/api/?type=user-id&key=<key>&file-name=<input_filename.xml>&client=wget&vsys=<VSYS_name>'
  For example, the syntax for sending an input file named login.xml to the firewall at 10.2.5.11 using key k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg using wget would look as follows:
  > wget --post-file=login.xml 'https://10.2.5.11/api/?type=user-id&key=k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg&file-name=login.xml&client=wget&vsys=vsys1'
  To apply the file to the firewall using cURL:
  > curl --form file=@<filename> 'https://<Firewall-IPaddress>/api/?type=user-id&key=<key>&vsys=<VSYS_name>'
  For example, the syntax for sending an input file named login.xml to the firewall at 10.2.5.11 using key k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg using cURL would look as follows:
  > curl --form file=@login.xml 'https://10.2.5.11/api/?type=user-id&key=k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg&vsys=vsys1'
  Both tools verify the firewall's TLS certificate by default. Install the certificate of the CA that issued the firewall's management certificate on the terminal server rather than disabling that check (--no-check-certificate in wget, -k in cURL), because every request carries the API key and would otherwise be exposed to any host that can intercept the connection.

Step 7  Verify that the firewall is successfully receiving login events from the terminal servers.
  Verify the configuration by opening an SSH connection to the firewall and then running the following CLI commands:
  To verify that the terminal server is connecting to the firewall over XML:
  admin@PA-5050> show user xml-api multiusersystem
  Host             Vsys   Users  Blocks
  ----------------------------------------
  10.5.204.43      vsys1  5      2
  To verify that the firewall is receiving mappings from a terminal server over XML:
  admin@PA-5050> show user ip-port-user-mapping all

  Global max host index 1, host hash count 1

  XML API Multi-user System 10.5.204.43
          Vsys 1, Flag 3
          Port range: 20000 - 39999
          Port size: start 200; max 2000
          Block count 100, port count 20000
          20000-20199: acme\administrator

  Total host: 1
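
The scripts that Steps 3 through 5 ask you to write can be organised as in the following Python module, added here as an example. It is not Palo Alto Networks code; it does not execute iptables or contact the firewall, and it simply returns the uid-message texts and the iptables argument lists for the caller to submit (with the wget or cURL command from Step 6) and run. The address 10.1.1.23, the range 20000-39999, the block size 100 and the user jjaso come from the steps above; the lowest-free-block allocation policy and the local account name passed to --uid-owner are assumptions of the example.

```python
import xml.etree.ElementTree as ET

MAX_BLOCKS_PER_SYSTEM = 1000  # documented per-system limit


class PortBlockAllocator:
    """Hand out aligned, non-overlapping source port blocks to terminal server
    users and build the uid-message payloads and SNAT rules that go with them."""

    def __init__(self, ip, startport=20000, endport=39999, blocksize=100):
        span = endport - startport + 1
        if span % blocksize:
            raise ValueError("range must divide evenly into blocks (no unused ports)")
        if span // blocksize > MAX_BLOCKS_PER_SYSTEM:
            raise ValueError(f"more than {MAX_BLOCKS_PER_SYSTEM} blocks in range")
        self.ip, self.blocksize = ip, blocksize
        self.startport, self.endport = startport, endport
        # Every legal blockstart, lowest first: only block boundaries are ever issued.
        self.free = list(range(startport, endport + 1, blocksize))
        self.owned = {}  # user name -> list of blockstarts currently held

    def allocate(self, user):
        """Reserve the lowest free block for user (first login, or ports exhausted)."""
        if not self.free:
            raise RuntimeError(f"no free port blocks left on {self.ip}")
        blockstart = self.free.pop(0)
        self.owned.setdefault(user, []).append(blockstart)
        return blockstart

    def release(self, user, blockstart=None):
        """Return one block (or all of the user's blocks) to the pool; list what was freed."""
        held = self.owned.get(user, [])
        if blockstart is None:
            released = held[:]
        else:
            released = [blockstart] if blockstart in held else []
        for b in released:
            held.remove(b)
        if not held:
            self.owned.pop(user, None)
        self.free = sorted(self.free + released)
        return released

    def _message(self, kind, entries):
        # Assemble <uid-message><type/><version/><payload><kind><entry .../></kind></payload>.
        root = ET.Element("uid-message")
        ET.SubElement(root, "type").text = "update"
        ET.SubElement(root, "version").text = "1.0"
        section = ET.SubElement(ET.SubElement(root, "payload"), kind)
        for attrs in entries:
            ET.SubElement(section, "entry", {k: str(v) for k, v in attrs.items()})
        return ET.tostring(root, encoding="unicode")

    def setup_message(self):
        return self._message("multiusersystem", [{
            "ip": self.ip, "startport": self.startport,
            "endport": self.endport, "blocksize": self.blocksize}])

    def login_message(self, user, blockstart):
        return self._message("login", [{"name": user, "ip": self.ip, "blockstart": blockstart}])

    def logout_message(self, user, blockstart=None):
        attrs = {"name": user, "ip": self.ip}
        if blockstart is not None:
            attrs["blockstart"] = blockstart
        return self._message("logout", [attrs])

    def snat_rule(self, uid, blockstart, delete=False):
        """iptables argv pinning the local account's TCP sessions to its port block.
        The delete form repeats the full specification so it removes exactly this rule."""
        last = blockstart + self.blocksize - 1
        return ["iptables", "-t", "nat", "-D" if delete else "-A", "POSTROUTING",
                "-m", "owner", "--uid-owner", uid, "-p", "tcp",
                "-j", "SNAT", "--to-source", f"{self.ip}:{blockstart}-{last}"]


def session_lifecycle(name="acme\\jjaso", uid="jjaso"):
    """Walk one user through login, port exhaustion and logout; return the artefacts."""
    alloc = PortBlockAllocator("10.1.1.23")
    first = alloc.allocate(name)      # login: block 20000-20099
    second = alloc.allocate(name)     # block used up: next block and a new login message
    artefacts = {
        "setup": alloc.setup_message(),
        "logins": [alloc.login_message(name, b) for b in (first, second)],
        "add_rules": [alloc.snat_rule(uid, b) for b in (first, second)],
    }
    artefacts["released"] = alloc.release(name)       # logout with no blockstart
    artefacts["logout"] = alloc.logout_message(name)
    artefacts["del_rules"] = [alloc.snat_rule(uid, b, delete=True)
                              for b in artefacts["released"]]
    return artefacts
```

Because the allocator only ever issues blockstarts from range(startport, endport + 1, blocksize), every block satisfies the boundary rule in Step 3, and the constructor refuses a range that would leave unused ports (Step 2). A second allocate() call for a user whose block is exhausted yields the next block and a fresh login message, which is what the firewall expects; a logout without a blockstart releases all of that user's blocks, matching the firewall's handling of that message form, and the corresponding -D rules repeat the full rule specification as recommended in Step 5.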

Send User Mappings to User-ID Using the XML API

User-ID provides many out-of-the-box methods for obtaining user mapping information. However, you might have applications or devices that capture user information but cannot natively integrate with User-ID. For example, you might have a custom, internally developed application or a device that no standard user mapping method supports. In such cases, you can use the PAN-OS XML API to create custom scripts that send the information to the User-ID agent or directly to the firewall. The PAN-OS XML API uses standard HTTP requests to send and receive data. API calls can be made directly from command-line utilities such as cURL or using any scripting or application framework that supports POST and GET requests.
To enable an external system to send user mapping information to the User-ID agent or directly to the firewall, you can create scripts that extract user login and logout events and use the events as input to the PAN-OS XML API request. Then define the mechanism for submitting the XML API requests to the firewall (using cURL, for example) and authenticate them with the firewall's API key, sent over HTTPS. For more details, refer to the PAN-OS XML API Usage Guide.

Enable User- and Group-Based Policy

To enable security policy based on users and user groups, you must enable User-ID for each zone that contains users you want to identify. You can then define policy rules that allow or deny traffic based on username or group membership. Additionally, you can create Captive Portal rules to enable identification for IP addresses that don't yet have any user data associated with them.
PA-5060 and PA-7000 Series firewalls that have the multiple virtual systems capability disabled can base policies on up to 3,200 distinct user groups. If these platforms have multiple virtual systems, the limit is 640 groups. All other firewall platforms support up to 640 groups per virtual system or per firewall (if it doesn't have multiple virtual systems).

For users with multiple usernames, see Enable Policy for Users with Multiple Accounts.

Enable User- and Group-Based Policy

Step 1  Enable User-ID on the source zones that contain the users who will send requests that require user-based access controls.
  1. Select Network > Zones and click the Name of the zone.
  2. Select the Enable User Identification check box and click OK.

Step 2  (Optional) Configure the firewall to read the IP addresses of users from the X-Forwarded-For (XFF) header in client requests for web services when the firewall is between the Internet and a proxy server that would otherwise hide the user IP addresses.
  The firewall matches the IP addresses with usernames that your policy rules reference so that those rules can control and log access for the associated users and groups. For details, see Identify Users Connected through a Proxy Server.
  1. Select Device > Setup > Content-ID and edit the X-Forwarded-For Headers settings.
  2. Select the X-Forwarded-For Header in User-ID check box.
     Selecting the Strip-X-Forwarded-For Header check box doesn't disable the use of XFF headers for user attribution; the firewall zeroes out the XFF value only after using it for user attribution.
     Enable this option only where every request that reaches the firewall from that direction has passed through your proxy. The XFF header is written by whoever sends the request, so a client that can reach the firewall without traversing the proxy can insert an arbitrary XFF value and have its traffic attributed to the user mapped to that address.
  3. Click OK to save your changes.

Step 3  Create security rules based on user and user group.
  As a best practice, create rules based on group rather than user whenever possible. This prevents you from having to continually update your rules (which requires a commit) whenever your user base changes.
  1. After configuring User-ID, you will be able to choose a username or group name when defining the source or destination of a security rule:
     a. Select Policies > Security and click Add to create a new rule or click an existing rule name.
     b. Select the User tab and specify which users and groups to match in the rule in one of the following ways:
        - If you want to select specific users/groups as matching criteria, click the Add button in the Source User section to display a list of users and groups discovered by the firewall group mapping function. Select the users and/or groups to add to the rule.
        - If you want to match any user who has or has not authenticated and you don't need to know the specific user or group name, select known-user or unknown from the drop-down above the Source User list.
  2. Configure the rest of the rule as appropriate and then click OK to save it. For details on other fields in the security rule, see Set Up a Basic Security Policy.

Step 4  Create your Captive Portal rules.
  1. Select Policies > Captive Portal.
  2. Click Add and enter a Name for the rule.
  3. Define the matching criteria for the rule by completing the Source, Destination, and Service/URL Category tabs as appropriate to match the traffic you want to authenticate. The matching criteria on these tabs are the same as the criteria you define when creating a security rule. See Set Up a Basic Security Policy for details.
  4. Define the Action to take on traffic that matches the rule:
     - no-captive-portal: Allow traffic to pass without presenting a Captive Portal page for authentication.
     - web-form: Present a Captive Portal page for the user to explicitly enter authentication credentials or use client certificate authentication.
     - browser-challenge: Transparently obtain user authentication credentials. If you select this action, you must enable Kerberos Single Sign-On (SSO) or NT LAN Manager (NTLM) authentication when you Configure Captive Portal. If Kerberos SSO authentication fails, the firewall falls back to NTLM authentication. If you didn't configure NTLM, or NTLM authentication fails, the firewall falls back to web-form authentication.
  5. Click OK and Commit.

Enable Policy for Users with Multiple Accounts

If a user in your organization has multiple responsibilities, that user might have multiple usernames (accounts), each with distinct privileges for accessing a particular set of services, but with all the usernames sharing the same IP address (the client system of the user). However, the User-ID agent can map any one IP address (or IP address and port range for terminal server users) to only one username for enforcing policy, and you can't predict which username the agent will map. To control access for all the usernames of a user, you must make adjustments to the rules, user groups, and User-ID agent.
For example, say the firewall has a rule that allows username corp_user to access email and a rule that allows username admin_user to access a MySQL server. The user logs in with either username from the same client IP address. If the User-ID agent maps the IP address to corp_user, then whether the user logs in as corp_user or admin_user, the firewall identifies that user as corp_user and allows access to email but not the MySQL server. On the other hand, if the User-ID agent maps the IP address to admin_user, the firewall always identifies the user as admin_user regardless of login and allows access to the MySQL server but not email.
The following steps describe how to enforce both rules in this example.

Enable Policy for a User with Multiple Accounts

Step 1  Configure a user group for each service that requires distinct access privileges.
  In this example, each group is for a single service (email or MySQL server). However, it is common to configure each group for a set of services that require the same privileges (for example, one group for all basic user services and one group for all administrative services).
  If your organization already has user groups that can access the services that the user requires, simply add the username that is used for less restricted services to those groups. In this example, the email server requires less restricted access than the MySQL server, and corp_user is the username for accessing email. Therefore, you add corp_user to a group that can access email (corp_employees) and to a group that can access the MySQL server (network_services).
  If adding a username to a particular existing group would violate your organizational practices, you can create a custom group based on an LDAP filter. For this example, say network_services is a custom group, which you configure as follows:
  1. Select Device > User Identification > Group Mapping Settings and Add a group mapping configuration with a unique Name.
  2. Select an LDAP Server Profile and ensure the Enabled check box is selected.
  3. Select the Custom Group tab and Add a custom group with network_services as a Name.
  4. Specify an LDAP Filter that matches an LDAP attribute of corp_user and click OK.
  5. Click OK and Commit.
  Later, if other users that are in the group for less restricted services are given additional usernames that access more restricted services, you can add those usernames to the group for more restricted services. This scenario is more common than the inverse; a user with access to more restricted services usually already has access to less restricted services.

Step 2  Configure the rules that control user access based on the groups you just configured.
  Enable User- and Group-Based Policy:
  1. Configure a security rule that allows the corp_employees group to access email.
  2. Configure a security rule that allows the network_services group to access the MySQL server.

Step 3  Configure the ignore list of the User-ID agent.
  This ensures that the User-ID agent maps the client IP address only to the username that is a member of the groups assigned to the rules you just configured. The ignore list must contain all the usernames of the user that are not members of those groups.
  In this example, you add admin_user to the ignore list of the Windows-based User-ID agent to ensure that it maps the client IP address to corp_user. This guarantees that, whether the user logs in as corp_user or admin_user, the firewall identifies the user as corp_user and applies both rules that you configured because corp_user is a member of the groups that the rules reference.
  1. Create an ignore_user_list.txt file.
  2. Open the file and add admin_user.
     If you later add more usernames, each must be on a separate line.
  3. Save the file to the User-ID agent folder on the domain server where the agent is installed.
  If you use the PAN-OS integrated User-ID agent, perform Step 5 under Configure User Mapping Using the PAN-OS Integrated User-ID Agent to configure the ignore list.

Step 4  Configure endpoint authentication for the restricted services.
  This enables the endpoint to verify the credentials of the user and preserves the ability to enable access for users with multiple usernames.
  In this example, you have configured a firewall rule that allows corp_user, as a member of the network_services group, to send a service request to the MySQL server. You must now configure the MySQL server to respond to any unauthorized username (such as corp_user) by prompting the user to enter the login credentials of an authorized username (admin_user). Because the firewall rule now opens the network path to the MySQL server for the corp_user identity, the server's own authentication is the control that decides who actually logs in, so make sure it is enforced.
  If the user logs in to the network as admin_user, the user can then access the MySQL server without it prompting for the admin_user credentials again.
  In this example, both corp_user and admin_user have email accounts, so the email server won't prompt for additional credentials regardless of which username the user entered when logging in to the network.
  The firewall is now ready to enforce rules for a user with multiple usernames.

Verify the User-ID Configuration

After you configure group mapping and user mapping and enable User-ID on your security rules and Captive Portal rules, you should verify that it is working properly.

Verify the User-ID Configuration

Step 1  Verify that group mapping is working.
  From the CLI, enter the following operational command:
  > show user group-mapping statistics

Step 2  Verify that user mapping is working.
  If you are using the PAN-OS integrated User-ID agent, you can verify this from the CLI using the following command:
  > show user ip-user-mapping-mp all
  IP               Vsys   From   User                 Timeout (sec)
  ------------------------------------------------------
  192.168.201.1    vsys1  UIA    acme\george          210
  192.168.201.11   vsys1  UIA    acme\duane           210
  192.168.201.50   vsys1  UIA    acme\betsy           210
  192.168.201.10   vsys1  UIA    acme\administrator   210
  192.168.201.100  vsys1  AD     acme\administrator   748
  Total: 5 users
  *: WMI probe succeeded

Step 3  Test your security rule.
  From a machine in the zone where User-ID is enabled, attempt to access sites and applications to test the rules you defined in your policy and ensure that traffic is allowed and denied as expected.
  You can also use the test security-policy-match operational command to determine whether the policy is configured correctly. For example, suppose you have a rule that blocks user duane from playing World of Warcraft; you could test the policy as follows:
  > test security-policy-match application worldofwarcraft source-user acme\duane source any destination any destination-port any protocol 6
  "deny worldofwarcraft" {
          from corporate;
          source any;
          source-region any;
          to internet;
          destination any;
          destination-region any;
          user acme\duane;
          category any;
          application/service worldofwarcraft;
          action deny;
          terminal no;
  }

Step 4  Test your Captive Portal configuration.
  1. From the same zone, go to a machine that is not a member of your directory, such as a Mac OS system, and try to ping a system external to the zone. The ping should work without requiring authentication, because Captive Portal intercepts only HTTP and HTTPS requests.
  2. From the same machine, open a browser and navigate to a website in a destination zone that matches a Captive Portal rule you defined. The Captive Portal web form should display and prompt you for login credentials.
  3. Log in using the correct credentials and confirm that you are redirected to the requested page.
  4. You can also test your Captive Portal policy using the test cp-policy-match operational command as follows:
     > test cp-policy-match from corporate to internet source 192.168.201.10 destination 8.8.8.8
     Matched rule: 'captive portal' action: web-form

Step 5  Verify that the log files display usernames.
  Select a logs page (for example, Monitor > Logs > Traffic) and verify that the Source User column displays usernames.

Step 6  Verify that reports display usernames.
  1. Select Monitor > Reports.
  2. Select a report type that includes usernames. For example, the Denied Applications report, Source User column, should display a list of the users who attempted to access the applications.

Deploy User-ID in a Large-Scale Network

A large-scale network can have hundreds of information sources that firewalls query to map IP addresses to usernames and to map usernames to user groups. You can simplify User-ID administration for such a network by aggregating the user mapping and group mapping information before the User-ID agents collect it, thereby reducing the number of required agents.
A large-scale network can also have numerous firewalls that use the mapping information to enforce policies. You can reduce the resources that the firewalls and information sources use in the querying process by configuring some firewalls to acquire mapping information through redistribution instead of direct querying. Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for authentication (for example, regional directory services) but need access to remote resources (for example, global data center applications).
- Deploy User-ID for Numerous Mapping Information Sources
- Configure Firewalls to Redistribute User Mapping Information

Deploy User-ID for Numerous Mapping Information Sources

You can use Windows Log Forwarding and Global Catalog servers to simplify user mapping and group mapping in a large-scale network of Microsoft Active Directory (AD) domain controllers or Exchange servers. These methods simplify User-ID administration by aggregating the mapping information before the User-ID agents collect it, thereby reducing the number of required agents.
- Windows Log Forwarding and Global Catalog Servers
- Plan a Large-Scale User-ID Deployment
- Configure Windows Log Forwarding
- Configure User-ID for Numerous Mapping Information Sources

Windows Log Forwarding and Global Catalog Servers

Because each User-ID agent can monitor up to 100 servers, the firewall needs multiple User-ID agents to monitor a network with hundreds of AD domain controllers or Exchange servers. Creating and managing numerous User-ID agents involves considerable administrative overhead, especially in expanding networks where tracking new domain controllers is difficult. Windows Log Forwarding enables you to minimize the administrative overhead by reducing the number of servers to monitor and thereby reducing the number of User-ID agents to manage. When you configure Windows Log Forwarding, multiple domain controllers export their login events to a single domain member from which a User-ID agent collects the user mapping information.

You can configure Windows Log Forwarding for Windows Server versions 2003, 2008, 2008 R2, 2012, and 2012 R2. Windows Log Forwarding is not available for non-Microsoft servers.

To collect group mapping information in a large-scale network, you can configure the firewall to query a Global Catalog server that receives account information from the domain controllers.

The following figure illustrates user mapping and group mapping for a large-scale network in which the firewall uses a Windows-based User-ID agent. See Plan a Large-Scale User-ID Deployment to determine if this deployment suits your network.

Plan a Large-Scale User-ID Deployment

When deciding whether to use Windows Log Forwarding and Global Catalog servers for your User-ID implementation, consult your system administrator to determine:
- Bandwidth required for domain controllers to forward login events to member servers. The bandwidth is a multiple of the login rate (number of logins per minute) of the domain controllers and the byte size of each login event.
  Note that domain controllers won't forward their entire security logs; they forward only the events that the user mapping process requires per login: three events for Windows Server 2003 or four events for Windows Server 2008/2012 and MS Exchange.
- Whether the following network elements support the required bandwidth:
  - Domain controllers: They must support the processing load associated with forwarding the events.
  - Member servers: They must support the processing load associated with receiving the events.
  - Connections: The geographic distribution (local or remote) of the domain controllers, member servers, and Global Catalog servers is a factor. Generally, a remote distribution supports less bandwidth.


Configure Windows Log Forwarding

To configure Windows Log Forwarding, you need administrative privileges for configuring group policies on Windows servers. Configure Windows Log Forwarding on every member server that will collect login events from domain controllers. The following is an overview of the tasks; consult your Windows Server documentation for the specific steps.

Configure Windows Log Forwarding

Step 1  On every member server that will collect security events, enable event collection, add the domain controllers as event sources, and configure the event collection query (subscription). The events you specify in the subscription vary by domain controller platform:
  - Windows Server 2003: The event IDs for the required events are 672 (Authentication Ticket Granted), 673 (Service Ticket Granted), and 674 (Ticket Granted Renewed).
  - Windows Server 2008/2012 (including R2) or MS Exchange: The event IDs for the required events are 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and 4624 (Logon Success).
  You must forward events to the security logs location on the member servers, not to the default forwarded logs location.
  To forward events as quickly as possible, select the Minimize Latency option when configuring the subscription.

Step 2  Configure a group policy to enable Windows Remote Management (WinRM) on the domain controllers.

Step 3  Configure a group policy to enable Windows Event Forwarding on the domain controllers.
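The following is an added example, not part of the guide, of how the Step 1 subscription can be expressed on a member server as a collector-initiated Windows Event Forwarding subscription created with wecutil. The domain controller names, subscription name and forest domain are assumed placeholders; Steps 2 and 3 (WinRM and forwarding enabled on the domain controllers) are assumed done.

```powershell
# Added example (not from the PAN-OS guide): a collector-initiated WEF subscription
# on a member server that meets the guide's Step 1 requirements:
#   - only the four logon-related event IDs for Windows Server 2008/2012 DCs
#   - delivered into the collector's Security log (not ForwardedEvents)
#   - Minimize Latency delivery mode
# Assumptions (constructed placeholders): DCs dc01/dc02 in acbdomain.com,
# subscription name "UserID-Logons". Run in an elevated PowerShell on the member server.

$subscriptionName  = "UserID-Logons"
$domainControllers = @("dc01.acbdomain.com", "dc02.acbdomain.com")   # constructed
$eventIds          = 4768, 4769, 4770, 4624   # Windows Server 2008/2012 or Exchange (Step 1)

# Build the XPath select: *[System[(EventID=4768 or EventID=4769 or ...)]]
$idFilter = ($eventIds | ForEach-Object { "EventID=$_" }) -join " or "
$query = "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[($idFilter)]]</Select></Query></QueryList>"

# One <EventSource> per domain controller; the collector's machine account is used to pull.
$sources = ($domainControllers | ForEach-Object {
    "<EventSource Enabled='true'><Address>$_</Address></EventSource>"
}) -join ""

$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/WindowsEventCollector/Subscription.xsd">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon events from domain controllers for the User-ID agent</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>Security</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>$sources</EventSources>
</Subscription>
"@

$path = Join-Path $env:TEMP "$subscriptionName.xml"
Set-Content -Path $path -Value $xml -Encoding UTF8

# Ensure the Windows Event Collector service is configured and running, then create the subscription.
wecutil qc /q
wecutil cs $path

# Verify: subscription settings, per-source runtime status (each DC should be Active),
# and the newest forwarded logon events landing in the local Security log.
wecutil gs $subscriptionName
wecutil gr $subscriptionName
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $eventIds } -MaxEvents 5 |
    Select-Object TimeCreated, Id, MachineName
```

The MachineName column of the last command should show the domain controllers, not the collector itself, which is the quickest confirmation that events are arriving in the Security log the User-ID agent reads.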

Configure User-ID for Numerous Mapping Information Sources

Configure User-ID for Numerous Mapping Information Sources

Step 1  Configure Windows Log Forwarding on the member servers that will collect login events.
  Configure Windows Log Forwarding. This step requires administrative privileges for configuring group policies on Windows servers.

Step 2  Install the Windows-based User-ID agent.
  Install the User-ID Agent on a Windows server that can access the member servers. The Windows server can be inside or outside the Active Directory forest; it doesn't need to be a member server itself.

Step 3  Configure the User-ID agent to collect user mapping information from the member servers.
  1. Start the Windows-based User-ID agent.
  2. Select User Identification > Discovery and perform the following steps for each member server that will receive events from domain controllers:
     a. In the Servers section, click Add and enter a Name to identify the member server.
     b. In the Server Address field, enter the FQDN or IP address of the member server.
     c. For the Server Type, select Microsoft Active Directory.
     d. Click OK to save the server entry.
  3. Configure the remaining User-ID agent settings: see Configure the User-ID Agent for User Mapping.

Step 4  Configure an LDAP server profile to specify how the firewall connects to the Global Catalog servers (up to four) for group mapping information.
  To improve availability, use at least two Global Catalog servers for redundancy.
  You can collect group mapping information only for universal groups, not local domain groups (subdomains).
  1. Select Device > Server Profiles > LDAP, click Add, and enter a Name for the profile.
  2. In the Servers section, for each Global Catalog, click Add and enter the server Name, IP address (LDAP Server), and Port. For a plaintext or Start Transport Layer Security (StartTLS) connection, use Port 3268. For an LDAP over SSL connection, use Port 3269. If the connection will use StartTLS or LDAP over SSL, select the Require SSL/TLS secured connection check box.
  3. In the Base DN field, enter the Distinguished Name (DN) of the point in the Global Catalog server where the firewall will start searching for group mapping information (for example, DC=acbdomain,DC=com).
  4. For the Type, select active-directory.
  5. Configure the remaining fields as necessary: see Add an LDAP server profile.

Step 5  Configure an LDAP server profile to specify how the firewall connects to the servers (up to four) that contain domain mapping information.
  User-ID uses this information to map DNS domain names to NetBIOS domain names. This mapping ensures consistent domain/username references in policy rules.
  To improve availability, use at least two servers for redundancy.
  The steps are the same as for the LDAP server profile you created for Global Catalogs in Step 4, except for the following fields:
  - LDAP Server: Enter the IP address of the domain controller that contains the domain mapping information.
  - Port: For a plaintext or StartTLS connection, use Port 389. For an LDAP over SSL connection, use Port 636. If the connection will use StartTLS or LDAP over SSL, select the Require SSL/TLS secured connection check box.
  - Base DN: Select the DN of the point in the domain controller where the firewall will start searching for domain mapping information. The value must start with the string: cn=partitions,cn=configuration (for example, cn=partitions,cn=configuration,DC=acbdomain,DC=com).

Step 6  Create a group mapping configuration for each LDAP server profile you created.
  1. Select Device > User Identification > Group Mapping Settings.
  2. Click Add and enter a Name to identify the group mapping configuration.
  3. Select the LDAP Server Profile and ensure the Enabled check box is selected.
  4. Configure the remaining fields as necessary: see Map Users to Groups.
     If the Global Catalog and domain mapping servers reference more groups than your security rules require, configure the Group Include List and/or Custom Group list to limit the groups for which User-ID performs mapping.
  5. Click OK and Commit.
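The following is an added example, not part of the guide, of pre-flight checks for the two LDAP server profiles in Steps 4 and 5, run from a domain-joined Windows host before the profiles are committed. The server names, forest DN and the choice of LDAP over SSL are assumed placeholders; it also verifies the page's two structural claims, that GC group mapping covers universal groups and that the cn=partitions,cn=configuration Base DN holds the DNS-to-NetBIOS domain name pairs.

```powershell
# Added example (not from the PAN-OS guide): checks run from a domain-joined
# Windows host before building the Step 4 (Global Catalog) and Step 5
# (domain mapping) LDAP server profiles. It confirms that the servers answer on
# the ports the profiles will use, that a GC search from the Base DN returns
# universal groups (the only group scope the guide says GC group mapping covers),
# and that the Base DN the guide prescribes for domain mapping holds crossRef
# objects carrying the dnsRoot -> nETBIOSName pairs User-ID reads.
# Assumptions (constructed placeholders): gc01/dc01 in acbdomain.com.

$forestDn = "DC=acbdomain,DC=com"      # same example DN the guide uses
$gcHost   = "gc01.acbdomain.com"       # Global Catalog server (Step 4)
$dcHost   = "dc01.acbdomain.com"       # domain controller for domain mapping (Step 5)
$useSsl   = $true                      # $true -> 3269/636, $false -> 3268/389

$gcPort = if ($useSsl) { 3269 } else { 3268 }   # GC ports from Step 4
$dcPort = if ($useSsl) { 636 }  else { 389 }    # DC ports from Step 5

# Bind with the current user's Kerberos credentials; add the SSL flag for LDAPS.
$authType = [System.DirectoryServices.AuthenticationTypes]::Secure
if ($useSsl) {
    $authType = $authType -bor [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
}

function Test-LdapPort {
    param([string]$ComputerName, [int]$Port)
    # TCP reachability only; the binds below exercise the actual LDAP/TLS exchange.
    $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Host = $ComputerName; Port = $Port; Reachable = $r.TcpTestSucceeded }
}

function Search-Directory {
    param([string]$Path, [string]$Filter, [string[]]$Attributes)
    $root     = New-Object System.DirectoryServices.DirectoryEntry($Path, $null, $null, $authType)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Attributes)
    $searcher.PageSize = 500          # paged results so large forests are not truncated at 1000
    $searcher.FindAll()
}

Test-LdapPort -ComputerName $gcHost -Port $gcPort
Test-LdapPort -ComputerName $dcHost -Port $dcPort

# Step 4: universal groups (groupType bit 0x8, matched with the LDAP bitwise-AND rule)
# visible through the Global Catalog below the profile's Base DN.
$gcPath    = "GC://{0}:{1}/{2}" -f $gcHost, $gcPort, $forestDn
$universal = Search-Directory -Path $gcPath `
    -Filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=8))" `
    -Attributes @("sAMAccountName")
"Universal groups visible through {0}: {1}" -f $gcHost, $universal.Count

# Step 5: the Partitions container must start the Base DN; each crossRef there maps
# a DNS domain name (dnsRoot) to its NetBIOS name (nETBIOSName).
$partitionsDn = "cn=partitions,cn=configuration,$forestDn"
$dcPath       = "LDAP://{0}:{1}/{2}" -f $dcHost, $dcPort, $partitionsDn
Search-Directory -Path $dcPath -Filter "(&(objectClass=crossRef)(nETBIOSName=*))" `
    -Attributes @("dnsRoot", "nETBIOSName") | ForEach-Object {
    [pscustomobject]@{
        DnsDomain     = [string]$_.Properties["dnsroot"][0]
        NetBiosDomain = [string]$_.Properties["netbiosname"][0]
    }
}
```

An empty crossRef list or a failed SSL bind here reproduces exactly what the firewall would see with the same Base DN, port and Require SSL/TLS setting, so it is worth fixing before creating the profiles.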


Configure Firewalls to Redistribute User Mapping Information

Every firewall that enforces user-based policy requires user mapping information. However, a large-scale network where numerous firewalls directly query the mapping information sources requires both the firewalls and sources to use considerable resources. To improve resource efficiency, you can configure some firewalls to acquire mapping information through redistribution instead of direct querying. Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for authentication (for example, regional directory services) but need access to remote resources (for example, global data center applications).
- Firewall Deployment for User-ID Redistribution
- Configure User-ID Redistribution

Firewall Deployment for User-ID Redistribution

You can organize the redistribution sequence in layers, where each layer has one or more firewalls. In the bottom layer, PAN-OS integrated User-ID agents running on firewalls and Windows-based User-ID agents running on Windows servers perform the IP address-to-username mapping. Each higher layer has firewalls that receive the mapping information from up to 100 User-ID agents in the layer beneath it. The top-layer firewalls aggregate the mapping information from all layers. This deployment provides the option to configure global policies for all users (in top-layer firewalls) and region- or function-specific policies for a subset of users in the corresponding domains (in lower-layer firewalls).

Figure: User-ID Redistribution shows a deployment with three layers of firewalls that redistribute mapping information from local information sources (directory servers, in this example) to regional offices and then to a global data center. The data center firewall that aggregates all the mapping information shares it with other data center firewalls so that they can all enforce global policy. Only the bottom-layer firewalls use PAN-OS integrated User-ID agents and Windows-based User-ID agents to query the directory servers.

The information sources from which User-ID agents collect mapping information do not count towards the maximum of ten hops in the sequence. However, Windows-based User-ID agents that forward mapping information to firewalls do count. Therefore, in this example, redistribution from the European region to all the data center firewalls requires only three hops, while redistribution from the North American region requires four hops. Also in this example, the top layer has two hops: the first to aggregate mapping information in one data center firewall and the second to share the information with other data center firewalls.


Figure: User-ID Redistribution

Configure User-ID Redistribution

Configure User-ID Redistribution

Step 1  Plan the redistribution architecture.
  Decide which User-ID agents and methods to use for mapping IP addresses to usernames. You can redistribute user mapping information collected through any method except Terminal Services (TS) agents. You cannot redistribute Group Mapping or HIP match information.
  Determine the most efficient Firewall Deployment for User-ID Redistribution. Some factors to consider are:
  - Which firewalls will enforce global policies for all users and which firewalls will enforce region- or function-specific policies for a subset of users?
  - How many hops does the redistribution sequence require to aggregate mapping information for firewalls in different functional or regional layers to enforce policy?
  - How can you minimize the number of firewalls that query the information sources? The fewer the number of querying firewalls, the lower the processing load is on both the firewalls and sources.


Step 2  Configure the User-ID agents to perform the user mapping.
  - Configure User Mapping Using the PAN-OS Integrated User-ID Agent.
  - Configure User Mapping Using the Windows User-ID Agent.

Step 3  Enable each bottom-layer firewall to forward mapping information to firewalls in the layer above.
  1. Configure the firewall to function as a User-ID agent.
     a. Select Device > User Identification > User Mapping.
     b. (Firewalls with multiple virtual systems only) Select the Location. You must configure the User-ID settings for each virtual system.
        You can redistribute mapping information among virtual systems on different firewalls or on the same firewall. In both cases, each virtual system counts as one hop in the redistribution sequence.
     c. Edit the Palo Alto Networks User-ID Agent Setup and select Redistribution.
     d. Enter a Collector Name to identify this firewall as a User-ID agent.
     e. Enter and confirm a Pre-Shared Key to secure communication between this firewall and the higher-layer firewalls. On a multi-vsys firewall, each vsys requires a unique pre-shared key.
     f. Click OK.
  2. Configure an Interface Management profile with the User-ID service enabled and assign the profile to the interface you want the firewall to use when responding to mapping information queries from firewalls in the layer above.
  3. (Optional) Configure policies that are specific to the user accounts for which you want this firewall to collect mapping information.
  4. Commit your changes.


Step 4  Enable each middle-layer firewall to receive mapping information from the layer below and forward it to the layer above.
  You must also perform this task for any firewall that redistributes mapping information to other firewalls in the same layer. For example, Figure: User-ID Redistribution shows one data center firewall that redistributes to other data center firewalls.
  Each firewall can receive mapping information from up to 100 User-ID agents.
  Figure: User-ID Redistribution shows only one middle layer of firewalls but you can deploy as many layers as the redistribution limit of ten hops allows.
  1. Configure the firewall to receive mapping information from firewalls acting as User-ID agents in the layer below.
     a. Select Device > User Identification > User-ID Agents and click Add.
     b. Enter a Name to identify the lower-layer firewall.
     c. Enter the Host name or IP address of the interface that you configured on the lower-layer firewall to respond to mapping information queries.
     d. Enter the Port number (default is 5007) on which the lower-layer firewall will listen for User-ID queries.
     e. Enter the Collector Name you specified when configuring the lower-layer firewall to act as a User-ID agent.
     f. Enter and confirm the Collector Pre-Shared Key you specified on the lower-layer firewall.
     g. Ensure the configuration is Enabled (default) and click OK.
     h. Check the Connected column to confirm the firewall you just added as a User-ID agent is connected.
  2. Configure a service route for the firewall to use for sending mapping information queries to firewalls in the layer below.
     a. Select Device > Setup > Services.
     b. (Firewalls with multiple virtual systems only) Select Global (for a firewall-wide service route) or Virtual Systems (for a virtual system-specific service route). For details, refer to Customize Service Routes to Services for Virtual Systems.
     c. Click Service Route Configuration, select Customize, and select IPv4 or IPv6 depending on your network protocols. Configure the service route for both protocols if your network uses both.
     d. Select UID Agent and then select the Source Interface and Source Address.
     e. Click OK twice to save the service route.
  3. Enable the firewall to forward the mapping information to firewalls in the layer above.
     a. Configure the firewall to function as a User-ID agent.
     b. Configure an Interface Management profile with the User-ID service enabled and assign the profile to the interface you want the firewall to use when responding to mapping information queries from firewalls in the layer above.
  4. (Optional) Configure policies specific to user accounts for which you want this firewall to aggregate mapping information from lower layers.
  5. Commit your changes.


Step 5  Enable each top-layer firewall to receive mapping information from all other layers.
  You must also perform this task for any firewall that is an endpoint in the redistribution sequence within a layer. In the example of Figure: User-ID Redistribution, you would perform this task for the two data center firewalls that receive mapping information from another data center firewall.
  1. Configure the firewall to receive mapping information from firewalls acting as User-ID agents in the layer below.
  2. Configure a service route for the firewall to use for sending mapping information queries to firewalls in the layer below.
  3. (Optional) Configure policies that are global to all user accounts.
  4. Commit your changes.

Step 6  Verify that the top-layer firewalls are aggregating mapping information from all other layers.
  This step samples a single user mapping that is collected in a bottom-layer firewall and forwarded to a top-layer firewall. Repeat the step for several user mappings and several firewalls to ensure your configuration is successful.
  1. Access the CLI of a bottom-layer firewall and run the following operational command:
     > show user ip-user-mapping all
  2. Record the IP address associated with any username.
  3. Access the CLI of a top-layer firewall and run the following command, where <address> is the IP address you recorded in the previous step:
     > show user ip-user-mapping ip <address>
     If the firewall successfully received the user mapping from the bottom-layer firewall, it displays output similar to the following and displays the same username as you recorded in the bottom-layer firewall.
     IP address: 192.0.2.0 (vsys1)
     User: corpdomain\username1
     From: AD
     Idle Timeout: 2643s
     Max. TTL: 2643s
     Groups that the user belongs to (used in policy)



App-ID

To safely enable applications on your network, the Palo Alto Networks next-generation firewalls provide both an application and web perspective, App-ID and URL Filtering, to protect against a full spectrum of legal, regulatory, productivity, and resource utilization risks.

App-ID enables visibility into the applications on the network, so you can learn how they work and understand their behavioral characteristics and their relative risk. This application knowledge allows you to create and enforce security policy rules to enable, inspect, and shape desired applications and block unwanted applications. When you define policy rules to allow traffic, App-ID begins to classify traffic without any additional configuration.
- App-ID Overview
- Manage Custom or Unknown Applications
- Manage New App-IDs Introduced in Content Releases
- Use Application Objects in Policy
- Applications with Implicit Support
- Application Level Gateways
- Disable the SIP Application-level Gateway (ALG)


App-ID Overview

App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls, determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. It applies multiple classification mechanisms (application signatures, application protocol decoding, and heuristics) to your network traffic stream to accurately identify applications.

Here's how App-ID identifies applications traversing your network:
- Traffic is matched against policy to check whether it is allowed on the network.
- Signatures are then applied to allowed traffic to identify the application based on unique application properties and related transaction characteristics. The signature also determines if the application is being used on its default port or it is using a non-standard port. If the traffic is allowed by policy, the traffic is then scanned for threats and further analyzed for identifying the application more granularly.
- If App-ID determines that encryption (SSL or SSH) is in use, and a Decryption policy rule is in place, the session is decrypted and application signatures are applied again on the decrypted flow.
- Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (for example, Yahoo! Instant Messenger used across HTTP). Decoders validate that the traffic conforms to the protocol specification and provide support for NAT traversal and opening dynamic pinholes for applications such as SIP and FTP.
- For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.

When the application is identified, the policy check determines how to treat the application, for example block, or allow and scan for threats, inspect for unauthorized file transfer and data patterns, or shape using QoS.


Manage Custom or Unknown Applications

Palo Alto Networks provides weekly application updates to identify new App-ID signatures. By default, App-ID is always enabled on the firewall, and you don't need to enable a series of signatures to identify well-known applications. Typically, the only applications that are classified as unknown traffic (tcp, udp or non-syn-tcp) in the ACC and the traffic logs are commercially available applications that have not yet been added to App-ID, internal or custom applications on your network, or potential threats.

On occasion, the firewall may report an application as unknown for the following reasons:
- Incomplete data: A handshake took place, but no data packets were sent prior to the timeout.
- Insufficient data: A handshake took place followed by one or more data packets; however, not enough data packets were exchanged to identify the application.

The following choices are available to handle unknown applications:
- Create security policies to control unknown applications by unknown TCP, unknown UDP or by a combination of source zone, destination zone, and IP addresses.
- Request an App-ID from Palo Alto Networks: If you would like to inspect and control the applications that traverse your network, for any unknown traffic, you can record a packet capture. If the packet capture reveals that the application is a commercial application, you can submit this packet capture to Palo Alto Networks for App-ID development. If it is an internal application, you can create a custom App-ID and/or define an application override policy.
- Create a Custom Application with a signature and attach it to a security policy, or create a custom application and define an application override policy: A custom application allows you to customize the definition of the internal application (its characteristics, category and subcategory, risk, port, timeout) and exercise granular policy control in order to minimize the range of unidentified traffic on your network. Creating a custom application also allows you to correctly identify the application in the ACC and traffic logs and is useful in auditing/reporting on the applications on your network. For a custom application you can specify a signature and a pattern that uniquely identifies the application and attach it to a security policy that allows or denies the application.
  Alternatively, if you would like the firewall to process the custom application using fast path (Layer 4 inspection instead of using App-ID for Layer 7 inspection), you can reference the custom application in an application override policy rule. An application override with a custom application will prevent the session from being processed by the App-ID engine, which is a Layer 7 inspection. Instead it forces the firewall to handle the session as a regular stateful inspection firewall at Layer 4, and thereby saves application processing time.
  For example, if you build a custom application that triggers on a host header www.mywebsite.com, the packets are first identified as web-browsing and then are matched as your custom application (whose parent application is web-browsing). Because the parent application is web-browsing, the custom application is inspected at Layer 7 and scanned for content and vulnerabilities.
  If you define an application override, the firewall stops processing at Layer 4. The custom application name is assigned to the session to help identify it in the logs, and the traffic is not scanned for threats.


Manage New App-IDs Introduced in Content Releases

Installing new App-IDs included in a content release version can sometimes cause a change in policy enforcement for the now uniquely identified application. Before installing a new content release, review the policy impact for new App-IDs and stage any necessary policy updates. Assess the treatment an application receives both before and after the new content is installed. You can then modify existing security policy rules using the new App-IDs contained in a downloaded content release (prior to installing the App-IDs). This enables you to simultaneously update your security policies and install new content, and allows for a seamless shift in policy enforcement. Alternatively, you can also choose to disable new App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare any policy changes.

The following options enable you to assess the impact of new App-IDs on existing policy enforcement, disable (and enable) App-IDs, and seamlessly update policy rules to secure and enforce newly identified applications:
- Review New App-IDs
- Disable or Enable App-IDs
- Prepare Policy Updates For Pending App-IDs

Review New App-IDs

Review new App-ID signatures introduced in an Applications and/or Threats content update. For each new application signature introduced, you can preview the App-ID details, including a description of the application identified by the App-ID, other existing App-IDs that the new signature is dependent on (such as SSL or HTTP), and the category the application traffic received before the introduction of the new App-ID (for example, an application might be classified as web-browsing traffic before an App-ID signature is introduced that uniquely identifies the traffic). After reviewing the description and details for a new App-ID signature, review the App-ID signature impact on existing policy enforcement. When new application signatures are introduced, the newly identified application traffic might no longer match to policies that previously enforced the application. Reviewing the policy impact for new application signatures enables you to identify the policies that will no longer enforce the application when the new App-ID is installed.

After downloading a new content release version, review the new App-IDs included in the content version and assess the impact of the new App-IDs on existing policy rules:
- Review New App-IDs Since Last Content Version
- Review New App-ID Impact on Existing Policy Rules


Review New App-IDs Since Last Content Version

Review New App-IDs Available Since the Last Installed Content Release Version

Step 1  Select Device > Dynamic Updates and select Check Now to refresh the list of available content updates.

Step 2  Download the latest Applications and Threats content update. When the content update is downloaded, an Apps link will appear in the Features column for that content update.

Step 3  Click the Apps link in the Features column to view details on newly identified applications:
  A list of App-IDs shows all new App-IDs introduced from the content version installed on the firewall, to the selected Content Version.
  App-ID details that you can use to assess possible impact to policy enforcement include:
  - Depends on: Lists the application signatures that this App-ID relies on to uniquely identify the application. If one of the application signatures listed in the Depends On field is disabled, the dependent App-ID is also disabled.
  - Previously Identified As: Lists the App-IDs that matched to the application before the new App-ID was installed to uniquely identify the application.
  - App-ID Enabled: All App-IDs display as enabled when a content release is downloaded, unless you choose to manually disable the App-ID signature before installing the content update (see Disable or Enable App-IDs).
  Multi-vsys firewalls display App-ID status as vsys-specific. This is because the status is not applied across virtual systems and must be individually enabled or disabled for each virtual system. To view the App-ID status for a specific virtual system, select Objects > Applications, select a Virtual System, and select the App-ID.

Next Steps...
  - Disable or Enable App-IDs.
  - Prepare Policy Updates For Pending App-IDs.


Review New App-ID Impact on Existing Policy Rules

Review the Impact of New App-ID Signatures on Existing Policy Rules

Step 1  Select Device > Dynamic Updates.

Step 2  You can review the policy impact of new content release versions that are downloaded to the firewall. Download a new content release version, and click Review Policies in the Action column. The Policy review based on candidate configuration dialog allows you to filter by Content Version and view App-IDs introduced in a specific release (you can also filter the policy impact of new App-IDs according to Rulebase and Virtual System).

Step 3  Select a new App-ID from the Application drop-down to view policy rules that currently enforce the application. The rules displayed are based on the application signatures that match to the application before the new App-ID is installed (view application details to see the list of application signatures that an application was Previously Identified As before the new App-ID).

Step 4  Use the detail provided in the policy review to plan policy rule updates to take effect when the App-ID is installed and enabled to uniquely identify the application.
  You can continue to Prepare Policy Updates For Pending App-IDs, or you can directly add the new App-ID to policy rules that the application was previously matched to by continuing to use the policy review dialog.
  In the following example, the new App-ID adobe-cloud is introduced in a content release. Adobe-cloud traffic is currently identified as SSL and web-browsing traffic. Policy rules configured to enforce SSL or web-browsing traffic are listed to show what policy rules will be affected when the new App-ID is installed. In this example, the rule AllowSSLApp currently enforces SSL traffic. To continue to allow adobe-cloud traffic when it is uniquely identified, and no longer identified as SSL traffic:
  Add the new App-ID to existing policy rules, to allow the application traffic to continue to be enforced according to your existing security requirements when the App-ID is installed.
  In this example, to continue to allow adobe-cloud traffic when it is uniquely identified by the new App-ID, and no longer identified as SSL traffic, add the new App-ID to the security policy rule AllowSSLApp.
  The policy rule updates take effect only when the application updates are installed.

Next Steps...
  - Disable or Enable App-IDs.
  - Prepare Policy Updates For Pending App-IDs.


Disable or Enable App-IDs

Disable new App-IDs included in a content release to immediately benefit from protection against the latest threats while continuing to have the flexibility to later enable App-IDs after preparing necessary policy updates. You can disable all App-IDs introduced in a content release, set scheduled content updates to automatically disable new App-IDs, or disable App-IDs for specific applications.

Policy rules referencing App-IDs only match to and enforce traffic based on enabled App-IDs.

Certain App-IDs cannot be disabled and only allow a status of enabled. App-IDs that cannot be disabled include some application signatures implicitly used by other App-IDs (such as unknown-tcp). Disabling a base App-ID could cause App-IDs which depend on the base App-ID to also be disabled. For example, disabling facebook-base will disable all other Facebook App-IDs.

Disable and Enable App-IDs

Disable all App-IDs in a content release or for scheduled content updates.
  To disable all new App-IDs introduced in a content release, select Device > Dynamic Updates and Install an Application and Threats content release. When prompted, select Disable new apps in content update. Select the check box to disable apps and continue installing the content update; this allows you to be protected against threats, and gives you the option to enable the apps at a later time.
  On the Device > Dynamic Updates page, select Schedule. Choose to Disable new apps in content update for downloads and installations of content releases.

Disable App-IDs for one application or multiple applications at a single time.
  To quickly disable a single application or multiple applications at the same time, click Objects > Applications. Select one or more application check boxes and click Disable.
  To review details for a single application, and then disable the App-ID for that application, select Objects > Applications and Disable App-ID. You can use this step to disable both pending App-IDs (where the content release including the App-ID is downloaded to the firewall but not installed) or installed App-IDs.

Enable App-IDs.
  Enable App-IDs that you previously disabled by selecting Objects > Applications. Select one or more application check boxes and click Enable, or open the details for a specific application and click Enable App-ID.

Prepare Policy Updates For Pending App-IDs

You can now stage seamless policy updates for new App-IDs. Release versions prior to PAN-OS 7.0 required you to install new App-IDs (as part of a content release) and then make necessary policy updates. This allowed for a period during which the newly identified application traffic was not enforced, either by existing rules (that the traffic had matched to before being uniquely identified) or by rules that had yet to be created or modified to use the new App-ID.


Pending App-IDs can now be added to policy rules to prevent gaps in policy enforcement that could occur during the period between installing a content release and updating security policy. Pending App-IDs include App-IDs that have been manually disabled, or App-IDs that are downloaded to the firewall but not installed. Pending App-IDs can be used to update policies both before and after installing a new content release. Though they can be added to policy rules, pending App-IDs are not enforced until the App-IDs are both installed and enabled on the firewall.

The names of App-IDs that have been manually disabled display as gray and italicized, to indicate the disabled status:
- Disabled App-ID listed on the Objects > Applications page:
- Disabled App-ID included in a security policy rule:

App-IDs that are included in a downloaded content release version might have an App-ID status of enabled, but App-IDs are not enforced until the corresponding content release version is installed.


Perform Seamless Policy Updates for New App-IDs

To install the content release version now and then update policies:
  Do this to benefit from new threat signatures immediately, while you review new application signatures and update your policies.
  1. Select Device > Dynamic Updates and Download the latest content release version.
  2. Review the Impact of New App-ID Signatures on Existing Policy Rules to assess the policy impact of new App-IDs.
  3. Install the latest content release version. Before the content release is installed, you are prompted to Disable new apps in content update. Select the check box and continue to install the content release. Threat signatures included in the content release will be installed and effective, while new or updated App-IDs are disabled.
  4. Select Policies and update Security, QoS, and Policy Based Forwarding rules to match to and enforce the now uniquely identified application traffic, using the pending App-IDs.
  5. Select Objects > Applications and select one or multiple disabled App-IDs and click Enable.
  6. Commit your changes to seamlessly update policy enforcement for new App-IDs.

To update policies now and then install the content release version:
  1. Select Device > Dynamic Updates and Download the latest content release version.
  2. Review the Impact of New App-ID Signatures on Existing Policy Rules to assess the policy impact of new App-IDs.
  3. While reviewing the policy impact for new App-IDs, you can use the Policy Review based on candidate configuration to add a new App-ID to existing policy rules.
  4. The new App-ID is added to the existing rules as a disabled App-ID.
  5. Continue to review the policy impact for all App-IDs included in the latest content release version by selecting App-IDs in the Applications drop-down. Add the new App-IDs to existing policies as needed. Click OK to save your changes.
  6. Install the latest content release version.
  7. Commit your changes to seamlessly update policy enforcement for new App-IDs.


Use Application Objects in Policy

Create an Application Group
Create an Application Filter
Create a Custom Application

Create an Application Group

An application group is an object that contains applications that you want to treat similarly in policy.
Application groups are useful for enabling access to applications that you explicitly sanction for use within
your organization. Grouping sanctioned applications simplifies administration of your rule bases: instead of
having to update individual policy rules when there is a change in the applications you support, you
update only the affected application groups.
When deciding how to group applications, consider how you plan to enforce access to your sanctioned
applications and create an application group that aligns with each of your policy goals. For example, you
might have some applications that you will only allow your IT administrators to access, and other applications
that you want to make available for any known user in your organization. In this case, you would create
separate application groups for each of these policy goals. Although you generally want to enable access to
applications on the default port only, you may want to group applications that are an exception to this and
enforce access to those applications in a separate rule.

Create an Application Group
Step 1 Select Objects > Application Groups.

Step 2 Add a group and give it a descriptive Name.

Step 3 (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama
or for use across all virtual systems in a multiple virtual system firewall.

Step 4 Add the applications you want in the group and then click OK.

Step 5 Commit the configuration.


Create an Application Filter

An application filter is an object that dynamically groups applications based on application attributes that you
define, including category, subcategory, technology, risk factor, and characteristic. This is useful when you
want to safely enable access to applications that you do not explicitly sanction, but that you want users to
be able to access. For example, you may want to enable employees to choose their own office programs
(such as Evernote, Google Docs, or Microsoft Office 365) for business use. To safely enable these types of
applications, you could create an application filter that matches on the Category business-systems and the
Subcategory office-programs. As new office-program applications emerge and new App-IDs get created,
these new applications will automatically match the filter you defined; you will not have to make any
additional changes to your policy rulebase to safely enable any application that matches the attributes you
defined for the filter.

Create an Application Filter
Step 1 Select Objects > Application Filters.

Step 2 Add a filter and give it a descriptive Name.

Step 3 (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama
or for use across all virtual systems in a multiple virtual system firewall.

Step 4 Define the filter by selecting attribute values from the Category, Subcategory, Technology, Risk, and
Characteristic sections. As you select values, notice that the list of matching applications at the bottom of the
dialog narrows. When you have adjusted the filter attributes to match the types of applications you want to
safely enable, click OK.

Step 5 Commit the configuration.


Create a Custom Application

To safely enable applications you must classify all traffic, across all ports, all the time. With App-ID, the only
applications that are typically classified as unknown traffic (tcp, udp, or non-syn-tcp) in the ACC and the
Traffic logs are commercially available applications that have not yet been added to App-ID, internal or
custom applications on your network, or potential threats.

If you are seeing unknown traffic for a commercial application that does not yet have an App-ID,
you can submit a request for a new App-ID here:
http://researchcenter.paloaltonetworks.com/submitanapplication/.

To ensure that your internal custom applications do not show up as unknown traffic, create a custom
application. You can then exercise granular policy control over these applications in order to minimize the
range of unidentified traffic on your network, thereby reducing the attack surface. Creating a custom
application also allows you to correctly identify the application in the ACC and Traffic logs, which enables
you to audit/report on the applications on your network.
To create a custom application, you must define the application attributes: its characteristics, category and
subcategory, risk, port, and timeout. In addition, you must define patterns or values that the firewall can use to
match to the traffic flows themselves (the signature). Finally, you can attach the custom application to a
security policy that allows or denies the application (or add it to an application group or match it to an
application filter). You can also create custom applications to identify ephemeral applications with topical
interest, such as ESPN3 Video for World Cup soccer or March Madness.

In order to collect the right data to create a custom application signature, you'll need a good
understanding of packet captures and how datagrams are formed. If the signature is created too
broadly, you might inadvertently include other similar traffic; if it is defined too narrowly, the
traffic will evade detection if it does not strictly match the pattern.
Custom applications are stored in a separate database on the firewall and this database is not
impacted by the weekly App-ID updates.
The supported application protocol decoders that enable the firewall to detect applications that
may be tunneling inside of the protocol include the following as of content update 424: HTTP,
HTTPS, DNS, FTP, IMAP, SMTP, Telnet, IRC (Internet Relay Chat), Oracle, RTMP, RTSP, SSH,
GNU Debugger, GIOP (Global Inter-ORB Protocol), Microsoft RPC, Microsoft SMB (also known
as CIFS).

The following is a basic example of how to create a custom application.


Create a Custom Application

Step 1 Gather information about the application that you will be able to use to write custom signatures.
To do this, you must have an understanding of the application and how you want to control access to it. For
example, you may want to limit what operations users can perform within the application (such as uploading,
downloading, or live streaming). Or you may want to allow the application, but enforce QoS policing.
Capture application packets so that you can find unique characteristics about the application on which to base
your custom application signature. One way to do this is to run a protocol analyzer, such as Wireshark, on the
client system to capture the packets between the client and the server. Perform different actions in the
application, such as uploading and downloading, so that you will be able to locate each type of session in the
resulting packet captures (PCAPs).
Because the firewall by default takes packet captures for all unknown traffic, if the firewall is between the
client and the server you can view the packet capture for the unknown traffic directly from the Traffic log.
Use the packet captures to find patterns or values in the packet contexts that you can use to create signatures
that will uniquely match the application traffic. For example, look for string patterns in HTTP response or
request headers, URI paths, or hostnames. For information on the different string contexts you can use to
create application signatures and where you can find the corresponding values in the packet, refer to Creating
Custom Threat Signatures.

Step 2 Add the custom application.
1. Select Objects > Applications and click Add.
2. On the Configuration tab, enter a Name and a Description for the custom application that will help other
administrators understand why you created the application.
3. (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama
or for use across all virtual systems in a multiple virtual system firewall.
4. Define the application Properties and Characteristics.


Step 3 Define details about the application, such as the underlying protocol, the port number the application
runs on, the timeout values, and any types of scanning you want to be able to perform on the traffic.
On the Advanced tab, define settings that will allow the firewall to identify the application protocol:
Specify the default ports or protocol that the application uses.
Specify the session timeout values. If you don't specify timeout values, the default timeout values will be used.
Indicate any type of additional scanning you plan to perform on the application traffic.
For example, to create a custom TCP-based application that runs over SSL, but uses port 4443 (instead of the
default port for SSL, 443), you would specify the port number. By adding the port number for a custom
application, you can create policy rules that use the default port for the application rather than opening up
additional ports on the firewall. This improves your security posture.


Step 4 Define the criteria that the firewall will use to match the traffic to the new application.
You will use the information you gathered from the packet captures to specify unique string context values
that the firewall can use to match patterns in the application traffic.
1. On the Signatures tab, click Add and define a Signature Name and optionally a Comment to provide
information about how you intend to use this signature.
2. Specify the Scope of the signature: whether it matches to a full Session or a single Transaction.
3. Specify conditions to define signatures by clicking Add And Condition or Add Or Condition.
4. Select an Operator to define the type of match conditions you will use: Pattern Match or Equal To.
If you selected Pattern Match, select the Context and then use a regular expression to define the Pattern to
match the selected context. Optionally, click Add to define a qualifier/value pair. The Qualifier list is specific
to the Context you chose.
If you selected Equal To, select the Context and then use a regular expression to define the Position of the
bytes in the packet header to use to match the selected context. Choose from first-4bytes or second-4bytes.
Define the 4-byte hex value for the Mask (for example, 0xffffff00) and Value (for example, 0xaabbccdd).
For example, if you are creating a custom application for one of your internal applications, you could use the
ssl-rsp-certificate Context to define a pattern match for the certificate response message of an SSL
negotiation from the server and create a Pattern to match the commonName of the server in the message as
shown here:

5. Repeat steps 3 and 4 for each matching condition.
6. If the order in which the firewall attempts to match the signature definitions is important, make sure the
Ordered Condition Match check box is selected and then order the conditions so that they are evaluated in
the appropriate order. Select a condition or a group and click Move Up or Move Down. You cannot move
conditions from one group to another.
7. Click OK to save the signature definition.


Step 5 Save the application.
1. Click OK to save the custom application definition.
2. Click Commit.

Step 6 Validate that traffic matches the custom application as expected.
1. Select Policies > Security and Add a security policy rule to allow the new application.
2. Run the application from a client system that is between the firewall and the application and then check the
Traffic logs (Monitor > Traffic) to make sure that you see traffic matching the new application (and that it is
being handled per your policy rule).
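The signature semantics of Step 4 (Pattern Match with a regular expression on a context such as ssl-rsp-certificate, Equal To with a 4-byte Mask and Value, And/Or condition groups, and Ordered Condition Match) can be checked offline before a signature is committed. The following Python program is an added example, not code from the guide or from PAN-OS: it evaluates signatures of that shape against two constructed sessions and shows the caveat given above, that a signature built only on masked header bytes matches both sessions, while adding the certificate commonName condition narrows it to the internal application. The context name tcp-first-4-bytes, the sample sessions, and the certificate subjects are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple, Union

# One decoded session is modelled as the ordered list of (context, value)
# pairs the firewall would extract from it.  "ssl-rsp-certificate" is the
# context named in this procedure; "tcp-first-4-bytes" is a hypothetical
# name standing in for the first-4bytes Position of the Equal To operator.
Event = Tuple[str, Union[str, bytes]]

# Constructed sample sessions (not real captures).
INTERNAL_APP: List[Event] = [
    ("tcp-first-4-bytes", bytes.fromhex("aabbccdd")),
    ("ssl-rsp-certificate", "CN=intranet.corp.example,O=Example Corp"),
]
OTHER_APP: List[Event] = [
    ("tcp-first-4-bytes", bytes.fromhex("aabbcc11")),
    ("ssl-rsp-certificate", "CN=mail.corp.example,O=Example Corp"),
]


@dataclass
class PatternMatch:
    """Operator Pattern Match: a regular expression applied to a string context."""
    context: str
    pattern: str

    def find(self, events: Sequence[Event], start: int) -> Optional[int]:
        """Index of the first matching event at or after 'start', else None."""
        for i in range(start, len(events)):
            ctx, val = events[i]
            if ctx == self.context and isinstance(val, str) and re.search(self.pattern, val):
                return i
        return None


@dataclass
class EqualTo:
    """Operator Equal To: 4 header bytes compared under a Mask, as in the
    Mask 0xffffff00 / Value 0xaabbccdd example in Step 4."""
    context: str
    mask: int
    value: int

    def find(self, events: Sequence[Event], start: int) -> Optional[int]:
        for i in range(start, len(events)):
            ctx, val = events[i]
            if ctx == self.context and isinstance(val, bytes) and len(val) == 4:
                if (int.from_bytes(val, "big") & self.mask) == (self.value & self.mask):
                    return i
        return None


@dataclass
class Signature:
    """Or-groups of And-conditions; ordered=True models Ordered Condition Match."""
    name: str
    or_groups: List[List[Union[PatternMatch, EqualTo]]]
    ordered: bool = False

    def matches(self, events: Sequence[Event]) -> bool:
        for group in self.or_groups:
            cursor = 0
            satisfied = True
            for cond in group:          # every condition in a group must match (And)
                idx = cond.find(events, cursor)
                if idx is None:
                    satisfied = False
                    break
                if self.ordered:        # the next condition must match later data
                    cursor = idx + 1
            if satisfied:               # any satisfied group is enough (Or)
                return True
        return False


HEADER_ONLY = EqualTo("tcp-first-4-bytes", mask=0xFFFFFF00, value=0xAABBCCDD)
INTRANET_CN = PatternMatch("ssl-rsp-certificate", r"CN=intranet\.corp\.example")

# Too broad: only the masked header bytes, which both sessions share.
BROAD = Signature("hdr-only", [[HEADER_ONLY]])
# Narrowed with the certificate commonName: matches the internal app only.
NARROW = Signature("hdr-and-cn", [[HEADER_ONLY, INTRANET_CN]])
# Ordered variants: the header bytes arrive before the certificate.
ORDERED_OK = Signature("hdr-then-cn", [[HEADER_ONLY, INTRANET_CN]], ordered=True)
ORDERED_WRONG = Signature("cn-then-hdr", [[INTRANET_CN, HEADER_ONLY]], ordered=True)
ALL_SIGNATURES = [BROAD, NARROW, ORDERED_OK, ORDERED_WRONG]


def classify(events: Sequence[Event], signatures=ALL_SIGNATURES) -> List[str]:
    """Names of the signatures that match one session."""
    return [s.name for s in signatures if s.matches(events)]


if __name__ == "__main__":
    print("internal-app:", classify(INTERNAL_APP))   # hdr-only, hdr-and-cn, hdr-then-cn
    print("other-app:   ", classify(OTHER_APP))      # hdr-only
```

Run against the two sessions, the header-only signature matches both, which is the "too broad" failure the note above warns about; the And-combined signature matches only the internal application, and the ordered variant with the conditions in the wrong sequence matches nothing, which is the effect of Ordered Condition Match when the data does not arrive in the order the conditions expect.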


Applications with Implicit Support

When creating a policy to allow specific applications, you must also be sure that you are allowing any other
applications on which the application depends. In many cases, you do not have to explicitly allow access to
the dependent applications in order for the traffic to flow because the firewall is able to determine the
dependencies and allow them implicitly. This implicit support also applies to custom applications that are
based on HTTP, SSL, MS-RPC, or RTSP. Applications for which the firewall cannot determine dependent
applications in time will require that you explicitly allow the dependent applications when defining your
policies. You can determine application dependencies in Applipedia.
The following table lists the applications for which the firewall has implicit support (as of Content Update
557).

Table: Applications with Implicit Support
Application                 Implicitly Supports

360-safeguard-update        http
apple-update                http
apt-get                     http
as2                         http
avg-update                  http
avira-antivir-update        http, ssl
blokus                      rtmp
bugzilla                    http
clubcooee                   http
corba                       http
cubby                       http, ssl
dropbox                     ssl
esignal                     http
evernote                    http, ssl
ezhelp                      http
facebook                    http, ssl
facebook-chat               jabber
facebook-social-plugin      http
fastviewer                  http, ssl
forticlient-update          http
good-for-enterprise         http, ssl
google-cloud-print          http, ssl, jabber
google-desktop              http
google-talk                 jabber
google-update               http
gotomypc-desktop-sharing    citrix-jedi
gotomypc-file-transfer      citrix-jedi
gotomypc-printing           citrix-jedi
hipchat                     http
iheartradio                 ssl, http, rtmp
infront                     http
instagram                   http, ssl
issuu                       http, ssl
java-update                 http
jepptech-updates            http
kerberos                    rpc
kik                         http, ssl
lastpass                    http, ssl
logmein                     http, ssl
mcafee-update               http
megaupload                  http
metatrader                  http
mocha-rdp                   t_120
mount                       rpc
ms-frs                      msrpc
ms-rdp                      t_120
ms-scheduler                msrpc
ms-service-controller       msrpc
nfs                         rpc
oovoo                       http, ssl
paloalto-updates            ssl
panos-global-protect        http
panos-web-interface         http
pastebin                    http
pastebin-posting            http
pinterest                   http, ssl
portmapper                  rpc
prezi                       http, ssl
rdp2tcp                     t_120
renren-im                   jabber
roboform                    http, ssl
salesforce                  http
stumbleupon                 http
supremo                     http
symantec-av-update          http
trendmicro                  http
trillian                    http, ssl
twitter                     http
whatsapp                    http, ssl
xm-radio                    rtsp


Application Level Gateways

The Palo Alto Networks firewall does not classify traffic by port and protocol; instead it identifies the
application based on its unique properties and transaction characteristics using the App-ID technology.
Some applications, however, require the firewall to dynamically open pinholes to establish the connection,
determine the parameters for the session and negotiate the ports that will be used for the transfer of data;
these applications use the application layer payload to communicate the dynamic TCP or UDP ports on
which the application opens data connections. For such applications, the firewall serves as an Application
Level Gateway (ALG), and it opens a pinhole for a limited time and for exclusively transferring data or control
traffic. The firewall also performs a NAT rewrite of the payload when necessary.
As of Content Release version 504, the Palo Alto Networks firewall provides NAT ALG support for the
following protocols: FTP, H.225, H.248, MGCP, MySQL, Oracle/SQLNet/TNS, RPC, RTSP, SCCP, SIP, and
UNIStim.

When the firewall serves as an ALG for the Session Initiation Protocol (SIP), by default it performs
NAT on the payload and opens dynamic pinholes for media ports. In some cases, depending on
the SIP applications in use in your environment, the SIP endpoints have NAT intelligence
embedded in their clients. In such cases, you might need to disable the SIP ALG functionality to
prevent the firewall from modifying the signaling sessions. When SIP ALG is disabled, if App-ID
determines that a session is SIP, the payload is not translated and dynamic pinholes are not
opened. See Disable the SIP Application-level Gateway (ALG).

The firewall provides IPv6-to-IPv6 Network Prefix Translation (NPTv6) ALG support for the following
protocols: FTP, Oracle, and RTSP. The SIP ALG is not supported for NPTv6 or NAT64.


Disable the SIP Application-level Gateway (ALG)

The Palo Alto Networks firewall uses the Session Initiation Protocol (SIP) application-level gateway (ALG) to
open dynamic pinholes in the firewall where NAT is enabled. However, some applications such as VoIP
have NAT intelligence embedded in the client application. In these cases, the SIP ALG on the firewall can
interfere with the signaling sessions and cause the client application to stop working.
One solution to this problem is to define an Application Override Policy for SIP, but using this approach
disables the App-ID and threat detection functionality. A better approach is to disable the SIP ALG, which
does not disable App-ID or threat detection.
The following procedure describes how to disable the SIP ALG.

Disable the SIP ALG

Step 1 Select Objects > Applications.

Step 2 Select the sip application.
You can type sip in the Search box to help find the sip application.

Step 3 Select Customize... for ALG in the Options section of the Application dialog box.

Step 4 Select the Disable ALG check box in the Application sip dialog box and click OK.

Step 5 Close the Application dialog box and Commit the change.



Threat Prevention
The Palo Alto Networks next-generation firewall protects and defends your network from commodity
threats and advanced persistent threats (APTs). The firewall's multi-pronged detection mechanisms include
a signature-based (IPS/Command and Control/Antivirus) approach, heuristics-based (bot detection)
approach, sandbox-based (WildFire) approach, and Layer 7 protocol analysis-based (App-ID) approach.
Commodity threats are exploits that are less sophisticated and more easily detected and prevented using a
combination of the antivirus, anti-spyware, vulnerability protection and the URL filtering/Application
identification capabilities on the firewall.
Advanced threats are perpetrated by organized cyber criminals or malicious groups that use sophisticated
attack vectors to target your network, most commonly for intellectual property theft and financial data theft.
These threats are more evasive and require intelligent monitoring mechanisms for detailed host and network
forensics on malware. The Palo Alto Networks next-generation firewall in conjunction with WildFire and
Panorama provides a comprehensive solution that intercepts and breaks the attack chain and provides
visibility to prevent security infringement on your network including mobile and virtualized infrastructure.
Set Up Security Profiles and Policies
Prevent Brute Force Attacks
Customize the Action and Trigger Conditions for a Brute Force Signature
Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions
Enable DNS Proxy
Enable Passive DNS Collection for Improved Threat Intelligence
Use DNS Queries to Identify Infected Hosts on the Network
Content Delivery Network Infrastructure for Dynamic Updates
Threat Prevention Resources


Set Up Security Profiles and Policies

The following sections provide basic threat prevention configuration examples:
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
Set Up Data Filtering
Set Up File Blocking
For information on controlling web access as part of your threat prevention strategy, see URL Filtering.

Set Up Antivirus, Anti-Spyware, and Vulnerability Protection

The following describes the steps needed to set up the default Antivirus, Anti-Spyware, and Vulnerability
Protection Security Profiles.

All anti-spyware and vulnerability protection signatures have a default action defined by Palo Alto
Networks. You can view the default action by navigating to Objects > Security Profiles >
Anti-Spyware or Objects > Security Profiles > Vulnerability Protection and then
selecting a profile. Click the Exceptions tab and then click Show all signatures and you will
see a list of the signatures with the default action in the Action column. To change the default
action, you must create a new profile and then create rules with a non-default action, and/or add
individual signature exceptions to Exceptions in the profile.

Set up Antivirus/Anti-Spyware/Vulnerability Protection

Step 1 Verify that you have a Threat Prevention license.
The Threat Prevention subscription bundles the antivirus, anti-spyware, and the vulnerability protection
features in one license. To verify that you have an active Threat Prevention subscription, select Device >
Licenses to verify that the Threat Prevention license is installed and check the expiration date.

Step 2 Download the latest antivirus threat signatures.
1. Select Device > Dynamic Updates and click Check Now at the bottom of the page to retrieve the latest
signatures.
2. In the Actions column, click Download to install the latest Antivirus and Applications and Threats
signatures.


Step 3 Schedule signature updates.
1. From Device > Dynamic Updates, click the text to the right of Schedule to automatically retrieve signature
updates for Antivirus and Applications and Threats.
2. Specify the frequency and timing for the updates and whether the update will be downloaded and installed
or only downloaded. If you select Download Only, you would need to manually go in and click the Install link
in the Action column to install the signature. When you click OK, the update is scheduled. No commit is
required.
3. (Optional) You can also enter the number of hours in the Threshold field to indicate the minimum age of a
signature before a download will occur. For example, if you entered 10, the signature must be at least 10
hours old before it will be downloaded, regardless of the schedule.
4. In an HA configuration, you can also click the Sync To Peer option to synchronize the content update with
the HA peer after download/install. This will not push the schedule settings to the peer firewall; you need to
configure the schedule on each firewall.

Best Practices for Antivirus Schedules

The general recommendation for antivirus signature update schedules is to perform a download-and-install on a
daily basis for antivirus and weekly for applications and vulnerabilities.
Recommendations for HA Configurations:
Active/Passive HA: If the MGT port is used for antivirus signature downloads, you should configure a schedule
on both firewalls and both firewalls will download/install independently. If you are using a data port for
downloads, the passive firewall will not perform downloads while it is in the passive state. In this case you would
set a schedule on both firewalls and then select the Sync To Peer option. This will ensure that whichever firewall
is active, the updates will occur and will then push to the passive firewall.
Active/Active HA: If the MGT port is used for antivirus signature downloads on both firewalls, then schedule the
download/install on both firewalls, but do not select the Sync To Peer option. If you are using a data port,
schedule the signature downloads on both firewalls and select Sync To Peer. This will ensure that if one firewall
in the active/active configuration goes into the active-secondary state, the active firewall will download/install
the signature and will then push it to the active-secondary firewall.


Step 4 Attach the security profiles to a security policy.
1. Select Policies > Security, select the desired policy to modify it and then click the Actions tab.
2. In Profile Settings, click the drop-down next to each security profile you would like to enable. In this
example we choose default for Antivirus, Vulnerability Protection, and Anti-Spyware. The default
Anti-Spyware rule enables DNS Sinkholing.
If no security profiles have been previously defined, select Profiles from the Profile Type drop-down. You
will then see the list of options to select the security profiles.

Step 5 Save the configuration. Click Commit.


Set Up Data Filtering

The following describes the steps needed to configure a data filtering profile that will detect Social Security
Numbers and a custom pattern identified in .doc and .docx documents.

Data Filtering Configuration Example

Step 1 Create a Data Filtering security profile.
1. Select Objects > Security Profiles > Data Filtering and click Add.
2. Enter a Name and a Description for the profile. In this example the name is DF_Profile1 with the description
Detect Social Security Numbers.
3. (Optional) If you want to collect data that is blocked by the filter, select the Data Capture check box.
You must set a password as described in Step 2 if you are using the data capture feature.

Step 2 (Optional) Secure access to the data filtering logs to prevent other administrators from viewing sensitive
data.
When you enable this option, you will be prompted for the password when you view logs in Monitor > Logs >
Data Filtering.
1. Select Device > Setup > Content-ID.
2. Click Manage Data Protection in the Content-ID Features section.
3. Set the password that will be required to view the data filtering logs.


Step 3 Define the data pattern that will be used in the Data Filtering Profile.
In this example, we will use the keyword confidential and will set the option to search for SSN numbers with
dashes (Example 9876544320).
It is helpful to set the appropriate thresholds and define keywords within documents to reduce false
positives.
1. From the Data Filtering Profile page click Add and select New from the Data Pattern drop-down. You can
also configure data patterns from Objects > Custom Signatures > Data Patterns.
2. For this example, name the Data Pattern signature Detect SS Numbers and add the description Data Pattern
to detect Social Security numbers.
3. In the Weight section for SSN# enter 3. See Weight and Threshold Values for more details.
4. (Optional) You can also set Custom Patterns that will be subject to this profile. In this case, you specify a
pattern in the custom patterns Regex field and set a weight. You can add multiple match expressions to the
same data pattern profile. In this example, we will create a Custom Pattern named SSN_Custom with a custom
pattern of confidential (the pattern is case sensitive) and use a weight of 20. The reason we use the term
confidential in this example is because we know that our social security Word docs contain this term, so we
define that specifically.

Step 4 Specify which applications to filter and set the file types.
1. Set Applications to Any. This will detect any supported application such as: web-browsing, FTP, or SMTP.
If you want to narrow down the application, you can select it from the list. For applications such as Microsoft
Outlook Web App that use SSL, you will need to enable decryption. Also make sure you understand the
naming for each application. For example, Outlook Web App, which is the Microsoft name for this
application, is identified as the application outlook-web in the PAN-OS list of applications. You can check the
logs for a given application to identify the name defined in PAN-OS.
2. Set File Types to doc and docx to only scan doc and docx files.


Step 5 Specify the direction of traffic to filter and the threshold values.
1. Set the Direction to Both. Files that are uploaded or downloaded will be scanned.
2. Set the Alert Threshold to 35. In this case, an alert will be triggered if 5 instances of Social Security Numbers
exist and 1 instance of the term confidential exists. The formula is 5 SSN instances with a weight of 3 = 15
plus 1 instance of the term confidential with a weight of 20 = 35.
3. Set the Block Threshold to 50. The file will be blocked if the combined weight of the SSN instances and/or
the term confidential in the file reaches the threshold of 50. In this case, if the doc contained 1 instance of
the word confidential with a weight of 20 that equals 20 toward the threshold, and the doc has 15 Social
Security Numbers with a weight of 3 that equals 45. Add 20 and 45 and you have 65, which will exceed the
block threshold of 50.

Step 6 Attach the Data Filtering profile to the security rule.
1. Select Policies > Security and select the security policy rule to which to apply the profile.
2. Click the security policy rule to modify it and then click the Actions tab. In the Data Filtering drop-down,
select the new data filtering profile you created and then click OK to save. In this example, the data filtering
profile name is DF_Profile1.

Step 7 Commit the configuration.


Step 8 Test the data filtering configuration.
If you have problems getting Data Filtering to work, you can check the Data Filtering log or the Traffic log to
verify the application that you are testing with and make sure your test document has the appropriate number
of unique Social Security Number instances. For example, an application such as Microsoft Outlook Web App
may seem to be identified as web-browsing, but if you look at the logs, the application is outlook-web. Also
increase the number of SSNs, or your custom pattern to make sure you are hitting the thresholds.
When testing, you must use real Social Security Numbers and each number must be unique. Also, when defining
Custom Patterns as we did in this example with the word confidential, the pattern is case sensitive. To keep your
test simple, you may want to just test using a data pattern first, then test the SSNs.
1. Access a client PC in the trust zone of the firewall and send an HTTP request to upload a .doc or .docx file
that contains the exact information you defined for filtering.
2. Create a Microsoft Word document with one instance of the term confidential and five Social Security
numbers with dashes.
3. Upload the file to a website. Use an HTTP site unless you have decryption configured, in which case you can
use HTTPS.
4. Select Monitoring > Logs > Data Filtering logs.
5. Locate the log that corresponds to the file you just uploaded. To help filter the logs, use the source of your
client PC and the destination of the web server. The action column in the log will show reset-both. You can
now increase the number of Social Security Numbers in the document to test the block threshold.
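The weighted-threshold arithmetic of Step 5 can be reproduced in a few lines, which is a convenient way to predict what a test document from Step 8 should trigger before uploading it. The following Python program is an added example, not code from the guide or from PAN-OS: it scores a document with the weights and thresholds of this example (SSN# weight 3, custom pattern confidential weight 20, Alert Threshold 35, Block Threshold 50), counts only unique dashed SSNs and only case-sensitive occurrences of the keyword, as Step 8 notes, and maps the score to allow, alert, or block. The sample texts and SSN values are constructed for the example and are not real numbers; treating a score equal to the threshold as reaching it is an assumption consistent with the 5 SSN + 1 keyword = 35 case the guide calls an alert.

```python
import re

# Weights and thresholds used in this Data Filtering example.
WEIGHT_SSN = 3
WEIGHT_CUSTOM = 20
ALERT_THRESHOLD = 35
BLOCK_THRESHOLD = 50
CUSTOM_PATTERN = "confidential"      # the custom pattern; case sensitive

# SSN written with dashes, the format the example data pattern looks for.
# This is a format check only; the firewall's own detector may apply
# further validity rules (the guide asks for real, unique numbers in tests).
SSN_WITH_DASHES = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def score_document(text: str):
    """Return (unique SSN count, keyword count, weighted score) for a document."""
    unique_ssns = set(SSN_WITH_DASHES.findall(text))   # duplicates count once
    keyword_hits = text.count(CUSTOM_PATTERN)          # "Confidential" does not match
    score = len(unique_ssns) * WEIGHT_SSN + keyword_hits * WEIGHT_CUSTOM
    return len(unique_ssns), keyword_hits, score


def decide(text: str) -> str:
    """Map the weighted score to the profile action.  Reaching a threshold
    (>=) is assumed to trigger it, matching the 35-point alert case above."""
    _, _, score = score_document(text)
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= ALERT_THRESHOLD:
        return "alert"
    return "allow"


def constructed_doc(n_ssn: int, n_keyword: int, keyword: str = CUSTOM_PATTERN) -> str:
    """Build sample text with n_ssn distinct dashed SSNs (constructed values,
    not real numbers) and n_keyword copies of the keyword."""
    ssns = " ".join(f"987-65-{4320 + i:04d}" for i in range(n_ssn))
    return " ".join([keyword] * n_keyword + [ssns])


if __name__ == "__main__":
    cases = [
        ("5 SSNs + 1 keyword", constructed_doc(5, 1)),                       # 15 + 20 = 35 -> alert
        ("15 SSNs + 1 keyword", constructed_doc(15, 1)),                     # 45 + 20 = 65 -> block
        ("5 SSNs, no keyword", constructed_doc(5, 0)),                       # 15 -> allow
        ("5 SSNs + Confidential", constructed_doc(5, 1, "Confidential")),    # 15 -> allow (case)
        ("same SSN 5 times + keyword", "confidential " + "987-65-4320 " * 5),  # 3 + 20 = 23 -> allow
    ]
    for label, doc in cases:
        print(f"{label}: score={score_document(doc)[2]} action={decide(doc)}")
```

The last two cases show why a test document can silently miss the thresholds: a capitalised keyword contributes nothing because the custom pattern is case sensitive, and a repeated SSN counts once because each number must be unique.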

Set Up File Blocking

This example will describe the basic steps needed to set up file blocking. In this configuration, we will
configure the options needed to prompt users to continue before downloading .exe files from websites.
When testing this example, be aware that you may have other systems between you and the source that may
be blocking content.

Configure File Blocking

Step 1 Create the file blocking profile.
1. Select Objects > Security Profiles > File Blocking and click Add.
2. Enter a Name for the file blocking profile, for example Block_EXE. Optionally enter a Description, such as
Block users from downloading exe files from websites.

Step 2 Configure the file blocking options.
1. Click Add to define the profile settings.
2. Enter a Name, such as BlockEXE.
3. Set the Applications for filtering, for example web-browsing.
4. Set File Types to exe.
5. Set the Direction to download.
6. Set the Action to continue. By choosing the continue option, users will be prompted with a response page
prompting them to click continue before the file will be downloaded.
7. Click OK to save the profile.

Step 3 Apply the file blocking profile to a security policy.
1. Select Policies > Security and either select an existing policy or create a new policy as described in Set Up a
Basic Security Policy.
2. Click the Actions tab within the policy rule.
3. In the Profile Settings section, click the drop-down and select the file blocking profile you configured. In this
case, the profile name is Block_EXE.
4. Commit the configuration.
If no security profiles have been previously defined, select the Profile Type drop-down and select Profiles.
You will then see the list of options to select the security profiles.

Step 4 To test your file blocking configuration, access a client PC in the trust zone of the firewall and attempt to
download an .exe file from a website in the untrust zone. A response page should display. Click Continue to
download the file. You can also set other actions, such as alert or block, which will not provide a continue page
to the user. The following shows the default response page for File Blocking:

Example: Default File Blocking Response Page

Step 5 (Optional) Define custom file blocking response pages (Device > Response Pages). This allows you to provide
more information to users when they see a response page. You can include information such as company
policy information and contact information for a Helpdesk.
When you create a file blocking profile with the action continue, you can only choose the application
web-browsing. If you choose any other application, traffic that matches the security policy will not flow
through the firewall due to the fact that the users will not be prompted with a continue page. Also, if
the website uses HTTPS, you will need to have a decryption policy in place.
You may want to check your logs to confirm what application is being used when testing this feature.
For example, if you are using Microsoft SharePoint to download files, even though you are using a
web browser to access the site, the application is actually sharepoint-base, or
sharepoint-document. You may want to set the application type to Any for testing.


Prevent Brute Force Attacks

A brute force attack uses a large volume of requests/responses from the same source or destination IP
address to break into a system. The attacker employs a trial and error method to guess the response to a
challenge or a request.
The Vulnerability Protection profile on the firewall includes signatures to protect you from brute force
attacks. Each signature has an ID, Threat Name, and Severity and is triggered when a pattern is recorded. The
pattern specifies the conditions and interval at which the traffic is identified as a brute force attack; some
signatures are associated with another child signature that is of a lower severity and specifies the pattern to
match against. When a pattern matches against the signature or child signature, it triggers the default action
for the signature.
To enforce protection:
Attach the vulnerability profile to a security rule. See Set Up Antivirus, Anti-Spyware, and Vulnerability
Protection.
Install content updates that include new signatures to protect against emerging threats. See Install
Content and Software Updates.

Customize the Action and Trigger Conditions for a Brute Force Signature

The firewall includes two types of predefined brute force signatures: parent signature and child signature. A child signature is a single occurrence of a traffic pattern that matches the signature. A parent signature is associated with a child signature and is triggered when multiple events occur within a time interval and match the traffic pattern defined in the child signature.
Typically, a child signature has the default action allow because a single event is not indicative of an attack. In most cases, the action for a child signature is set to allow so that legitimate traffic is not blocked and threat logs are not generated for non-noteworthy events. Therefore, Palo Alto Networks recommends that you only change the default action after careful consideration.
In most cases, the brute force signature is a noteworthy event because of its recurrent pattern. If you would like to customize the action for a brute force signature, you can do one of the following:
- Create a rule to modify the default action for all signatures in the brute force category. You can define the action to allow, alert, block, reset, or drop the traffic.
- Define an exception for a specific signature. For example, you can search for a CVE and define an exception for it.
For a parent signature, you can modify both the trigger conditions and the action; for a child signature you can modify the action only.

Note: To effectively mitigate an attack, the block-ip action is recommended over the drop or reset action for most brute force signatures.

Customize the Threshold and Action for a Signature

Step 1: Create a new Vulnerability Protection profile.
1. Select Objects > Security Profiles > Vulnerability Protection.
2. Click Add and enter a Name for the Vulnerability Protection profile.

Step 2: Create a rule that defines the action for all signatures in a category.
1. Select Rules, click Add and enter a Name for the rule.
2. Set the Action. In this example, it is set to Block IP.
3. Set Category to brute-force.
4. (Optional) If blocking, specify whether to block based on Host Type: server or client; the default is any.
5. See Step 3 to customize the action for a specific signature.
6. See Step 4 to customize the trigger threshold for a parent signature.
7. Click OK to save the rule and the profile.

Step 3: (Optional) Customize the action for a specific signature.
1. Select Exceptions and click Show all signatures to find the signature you want to modify.
To view all the signatures in the brute force category, search for (category contains 'brute-force').
2. To edit a specific signature, click the predefined default action in the Action column.
3. Set the action to allow, alert or block-ip.
4. If you select block-ip, complete these additional tasks:
a. Specify the Time period (in seconds) after which to trigger the action.
b. In the Track By field, define whether to block the IP address by IP source or by IP source and destination.
5. Click OK.
6. For each modified signature, select the check box in the Enable column.
7. Click OK.

Step 4: Customize the trigger conditions for a parent signature.
A parent signature that can be edited is marked with an edit icon. In this example, the search criteria was brute force category and CVE-2008-1447.
1. Click the edit icon to edit the time attribute and the aggregation criteria for the signature.
2. To modify the trigger threshold, specify the Number of Hits per x seconds.
3. Specify whether to aggregate the number of hits by source, destination, or by source and destination.
4. Click OK.

Step 5: Attach this new profile to a security rule.
1. Select Policies > Security.
2. Modify an existing security policy rule or Add a new rule.
3. Select Actions.
4. In the Profile Setting section, set the Profile Type to Profiles.
5. Select the newly created Vulnerability Protection profile.
6. Click OK to save changes to the security policy rule.

Step 6: Save your changes.
1. Click Commit.
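The parent/child threshold logic from this section, as an added Python example that is not PAN-OS code: a child signature match is a single event whose default action is allow, and the parent signature fires once the Number of Hits is reached within x seconds for the chosen aggregation key (source, destination, or source and destination), after which block-ip stays in force for the configured time period. The class and function names, the 300-second default block period and the event data are assumptions made for illustration.

```python
"""Sliding-window brute force detector modelled on the parent/child signature
scheme described in the guide.

Added example, not PAN-OS code: a child signature match is one event (default
action allow); the parent signature triggers when `hits` matches are seen
within `seconds`, aggregated by the Track By key, and then applies its action
for `block_seconds`. All names and the sample events are constructed."""
from collections import deque
from dataclasses import dataclass


@dataclass
class ParentSignature:
    name: str
    hits: int                    # "Number of Hits" ...
    seconds: float               # ... "per x seconds"
    track_by: str                # "source", "destination" or "source-and-destination"
    action: str = "block-ip"
    block_seconds: float = 300.0  # assumed default for how long block-ip stays in force


class BruteForceDetector:
    def __init__(self, sig: ParentSignature):
        self.sig = sig
        self._windows = {}   # aggregation key -> deque of hit timestamps
        self._blocked = {}   # aggregation key -> timestamp at which the block expires

    def _key(self, src, dst):
        if self.sig.track_by == "source":
            return (src,)
        if self.sig.track_by == "destination":
            return (dst,)
        return (src, dst)

    def child_match(self, ts, src, dst):
        """Record one child-signature match and return the action to enforce."""
        key = self._key(src, dst)
        expiry = self._blocked.get(key)
        if expiry is not None:
            if ts < expiry:
                return self.sig.action          # still inside the block period
            del self._blocked[key]              # block period over, start counting again
        window = self._windows.setdefault(key, deque())
        window.append(ts)
        while window and ts - window[0] > self.sig.seconds:   # expire hits outside the window
            window.popleft()
        if len(window) >= self.sig.hits:        # parent signature triggers
            self._blocked[key] = ts + self.sig.block_seconds
            window.clear()
            return self.sig.action
        return "allow"                          # a single event: child default action


def run(sig, events):
    """events: iterable of (timestamp, src_ip, dst_ip) in time order; returns one action per event."""
    det = BruteForceDetector(sig)
    return [det.child_match(ts, src, dst) for ts, src, dst in events]


if __name__ == "__main__":
    # constructed: five failed logins from one client inside 60 seconds
    sig = ParentSignature("example-parent", hits=5, seconds=60, track_by="source")
    evts = [(t, "10.0.0.5", "192.0.2.10") for t in (0, 10, 20, 30, 40)]
    print(run(sig, evts))
```

Aggregating by source and destination (the IP source and destination choice in Step 3) makes the same five events spread over five servers stay below the threshold, which is why the Track By field matters as much as the hit count.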

Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions

To monitor and protect your network from most Layer 4 and Layer 7 attacks, here are a few recommendations.
- Upgrade to the most current PAN-OS software version and content release version to ensure that you have the latest security updates. For evasion prevention, upgrade to PAN-OS 7.1.1 and Applications and Threats content release version 579. See Install Content and Software Updates.
- Set up the firewall to act as a DNS proxy and enable evasion signatures:
  - Enable DNS Proxy. When acting as a DNS proxy, the firewall resolves DNS requests and caches hostname-to-IP address mappings in order to quickly and efficiently resolve future DNS queries.
  - Enable evasion signatures. Evasion signatures that detect crafted HTTP or TLS requests can alert when a client connects to a domain other than the domain specified in the original DNS request. Make sure that DNS proxy is configured if you choose to enable evasion signatures. Without DNS proxy enabled, evasion signatures can trigger when a DNS server in a DNS load balancing configuration returns different IP addresses (for servers hosting identical resources) to the firewall and client in response to the same DNS request.
- For servers, create Security policy rules to only allow the application(s) that you sanction on each server. Verify that the standard port for the application matches the listening port on the server. For example, to ensure that only SMTP traffic is allowed to your email server, set the Application to smtp and set the Service to application-default. If your server uses only a subset of the standard ports (for example, if your SMTP server uses only port 587 while the SMTP application has standard ports defined as 25 and 587), you should create a new custom service that only includes port 587 and use that new service in your security policy rule instead of using application-default. Additionally, make sure to restrict access to specific source and destination zones and sets of IP addresses.
- Attach the following security profiles to your Security policy rules to provide signature-based protection.
  - Create a Vulnerability Protection profile to block all vulnerabilities with severity low and higher.
  - Create an Anti-Spyware profile to block all spyware with severity low and higher.
  - Create an Antivirus profile to block all content that matches an antivirus signature.
- Block all unknown applications/traffic using Security policy. Typically, the only applications that are classified as unknown traffic are internal or custom applications on your network, or potential threats. Because unknown traffic can be a non-compliant application or protocol that is anomalous or abnormal, or a known application that is using non-standard ports, unknown traffic should be blocked. See Manage Custom or Unknown Applications.
- Create a File Blocking profile that blocks Portable Executable (PE) file types for Internet-based SMB (Server Message Block) traffic from traversing the trust to untrust zones (ms-ds-smb applications).
- Create a Zone Protection profile that is configured to protect against packet-based attacks (Network > Network Profiles > Zone Protection):
  - Select the option to drop Malformed IP packets (Packet Based Attack Protection > IP Drop).
  - Remove TCP timestamps on SYN packets before the firewall forwards the packet. When you select the Remove TCP Timestamp option in a SYN packet, the TCP stack on both ends of the TCP connection will not support TCP timestamps. Therefore, by disabling the TCP timestamp for a SYN packet, you can prevent an attack that uses different timestamps on multiple packets for the same sequence number (Packet Based Attack Protection > TCP Drop).
  - Select the option to drop Mismatched overlapping TCP segment. By deliberately constructing connections with overlapping but different data in them, attackers can attempt to cause misinterpretation of the intent of the connection. This can be used to deliberately induce false positives or false negatives. An attacker can use IP spoofing and sequence number prediction to intercept a user's connection and inject his/her own data into the connection. Selecting this option causes PAN-OS to discard such frames with mismatched and overlapping data. The scenarios where the received segment will be discarded are when the segment received is contained within another segment, the segment received overlaps with part of another segment, or the segment completely contains another segment.
- Verify that support for IPv6 is enabled, if you have configured IPv6 addresses on your network hosts (Network > Interfaces > Ethernet > IPv6). This allows access to IPv6 hosts and filters IPv6 packets that are encapsulated in IPv4 packets. Enabling support for IPv6 prevents IPv6 over IPv4 multicast addresses from being leveraged for network reconnaissance.
- Enable support for multicast traffic so that the firewall can enforce policy on multicast traffic (Network > Virtual Router > Multicast).
- Configure the firewall to Clear the Urgent Data Flag in the TCP header (Device > Setup > Session > TCP Settings). Many hosts use the urgent data flag in the TCP header to promote a packet for immediate processing, removing it from the processing queue and expediting it through the TCP/IP stack. This process is called out-of-band processing. However, the implementation of the urgent data flag varies from host to host. Configuring the firewall to clear this flag eliminates ambiguity in how the packet is processed on the firewall and the host, so that the firewall sees the same stream in the protocol stack as the host for which the packet is destined. When the firewall clears this flag, it includes it in the payload and prevents the packet from being processed urgently.
- Enable the Drop segments without flag option (Device > Setup > Session > TCP Settings). Illegal TCP segments without any flags set can be used to evade content inspection. When you enable this option, the firewall will drop packets that have no flags set in the TCP header.
- Enable the Drop segments with null timestamp option (Device > Setup > Session > TCP Settings). The TCP timestamp records when the segment was sent and allows the firewall to verify that the timestamp is valid for that session, preventing TCP sequence number wrapping. The TCP timestamp is also used to calculate round trip time. When a TCP Timestamp is set to 0 (null) it could confuse either end of the connection, resulting in an evasion. The firewall drops packets with null timestamps with this setting enabled.
- Disable the Forward segments exceeding TCP out-of-order queue option (Device > Setup > Session > TCP Settings). By default, the firewall forwards segments that exceed the TCP out-of-order queue limit of 64 per session. By disabling this option, the firewall instead drops segments that exceed the out-of-order queue limit.
- Disable the Forward segments exceeding TCP App-ID inspection queue option (Device > Setup > Content-ID > Content-ID Settings). By default, when the App-ID inspection queue is full the firewall skips App-ID inspection, classifying the application as unknown-tcp and forwarding the segments. By disabling this option, the firewall instead drops segments when the App-ID inspection queue is full.
- Disable the Forward datagrams exceeding UDP content inspection queue and Forward segments exceeding TCP content inspection queue options (Device > Setup > Content-ID > Content-ID Settings). By default, when the TCP or UDP content inspection queue is full the firewall skips Content-ID inspection for TCP segments or UDP datagrams that exceed the queue limit of 64. By disabling these options, the firewall instead drops TCP segments and UDP datagrams when the corresponding TCP or UDP content inspection queue is full.
- Disable the Allow HTTP Header Range Option (Device > Setup > Content-ID > Content-ID Settings). The HTTP Range option allows a client to fetch part of a file only. When a next-generation firewall in the path of a transfer identifies and drops a malicious file, it terminates the TCP session with a RST packet. If the web browser implements the HTTP Range option, it can start a new session to fetch only the remaining part of the file. This prevents the firewall from triggering the same signature again due to the lack of context into the initial session, while at the same time allowing the web browser to reassemble the file and deliver the malicious content. Disabling this option prevents this from happening.
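To make the three overlap scenarios in the Zone Protection recommendation concrete, here is an added Python example (not PAN-OS code) that classifies each received TCP segment against the segments already queued for the session and flags it only when the bytes claimed for the same sequence range disagree, so that a consistent retransmission still passes. Sequence-number wrap-around is ignored for brevity, and the class name and all segment data are constructed.

```python
"""Mismatched-overlap classifier for TCP segments within one session.

Added example, not PAN-OS code. Mirrors the three drop scenarios the guide
lists for 'Mismatched overlapping TCP segment': the new segment is contained
within an earlier one, overlaps part of it, or completely contains it. A
segment is dropped only when the overlapping bytes differ; 32-bit sequence
wrap-around is ignored and all sample data is constructed."""


def overlap_relation(new_seq, new_len, old_seq, old_len):
    """Relation of the new segment [new_seq, new_seq+new_len) to a queued one."""
    new_end, old_end = new_seq + new_len, old_seq + old_len
    if new_end <= old_seq or old_end <= new_seq:
        return "none"
    if old_seq <= new_seq and new_end <= old_end:
        return "contained"          # new segment lies inside the old one
    if new_seq <= old_seq and old_end <= new_end:
        return "contains"           # new segment covers the whole old one
    return "partial"                # overlaps one end of the old one


def overlap_mismatch(new_seq, new_data, old_seq, old_data):
    """True when both segments carry different bytes for the same sequence range."""
    start = max(new_seq, old_seq)
    end = min(new_seq + len(new_data), old_seq + len(old_data))
    return new_data[start - new_seq:end - new_seq] != old_data[start - old_seq:end - old_seq]


class OverlapGuard:
    """Per-session check for the 'drop Mismatched overlapping TCP segment' option."""

    def __init__(self):
        self.segments = []          # (seq, data) accepted so far

    def receive(self, seq, data):
        for old_seq, old_data in self.segments:
            rel = overlap_relation(seq, len(data), old_seq, len(old_data))
            if rel != "none" and overlap_mismatch(seq, data, old_seq, old_data):
                return "drop:" + rel    # same range, different content: ambiguous stream
        self.segments.append((seq, data))
        return "accept"             # disjoint, or a retransmission with identical bytes


def run(segments):
    """segments: iterable of (seq, bytes); returns the verdict for each in order."""
    guard = OverlapGuard()
    return [guard.receive(seq, data) for seq, data in segments]


if __name__ == "__main__":
    # constructed: a clean segment, its retransmission, then a conflicting insert
    print(run([(1000, b"GET /index"), (1000, b"GET /index"), (1004, b"/evil")]))
```

The point of comparing content rather than just ranges is that normal TCP stacks retransmit identical data all the time; only a segment that rewrites bytes the firewall has already inspected leaves the firewall and the destination host with different views of the stream.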

Enable DNS Proxy

Domain name system (DNS) servers translate user-friendly domains to the associated IP addresses which locate and identify the corresponding resources. A Palo Alto Networks firewall intermediate to clients and servers can act as a DNS proxy to resolve domain name queries.
The DNS proxy feature enables the firewall to:
- Quickly, efficiently, and locally resolve domain name queries based on static and cached DNS entries.
- Reach out to specific DNS servers to resolve certain types of DNS requests (for example, the firewall can resolve corporate domains based on a corporate DNS server's hostname-to-IP address mappings, and resolve other domains using a public or ISP DNS server).

Enable the Firewall to Act as a DNS Proxy

Step 1: Specify the interfaces on which you want the firewall to listen for DNS requests.
1. Select Network > DNS Proxy and Add a new object.
2. Verify that Enable is selected and Name the object.
3. Add one or more Interface on which the firewall listens for DNS requests.
4. (Virtual Systems Only) Allow the DNS proxy object to be shared across all virtual systems, or set the Location to apply the DNS proxy object settings to a specific virtual system.

Step 2: Define the DNS server with which the firewall should communicate to resolve DNS requests.
If you are enabling DNS proxy on a virtual system, you must select New in the Server Profile drop-down first, and then continue with either of the following options.
Specify DNS Servers
1. Set Inheritance Source to none.
2. Enter the Primary DNS server IP address or address object.
3. Enter the Secondary DNS server IP address or address object.
Use Inherited DNS Servers
Select an Inheritance Source from which the firewall can use existing DNS server settings for the DNS proxy object.
Note: Only interfaces configured to be DHCP client interfaces and PPPoE client interfaces are available as inheritance sources for DNS server settings. In this case, the DNS server settings the client interface dynamically receives from a DHCP server are also used to populate the Primary and Secondary DNS server settings (just continue to set both of these fields to inherited).

Step 3: Enable the firewall to reach out to certain DNS servers to resolve specific domains. For example, the firewall can forward corporate domains to a corporate DNS server for domain name resolution.
1. Select DNS Proxy Rules, Add a rule, and give the rule a descriptive Name.
2. Turn on caching of domains resolved by this mapping to enable the firewall to save recently resolved DNS queries in order to quickly resolve future matching queries.
3. Add one or more Domain Name.
4. Enter the IP addresses or address objects for the Primary and Secondary DNS servers. The firewall communicates with these servers to resolve DNS requests for the listed domain names.
Note: If you are enabling DNS proxy on a virtual system, you can instead configure a DNS Server Profile to define DNS settings for the virtual system, including the primary and secondary DNS server.

Step 4: Set up static FQDN-to-IP address entries that the firewall can resolve locally, without having to reach out to a DNS server.
1. Select Static Entries.
2. Add and Name a new static mapping entry.
3. Enter the FQDN that you want the firewall to resolve.
4. Add one or more IP Address to map to the domain you entered in the last step.

Step 5: Enable caching for resolved hostname-to-IP address mappings, and customize additional DNS settings.
Select Advanced and configure settings to:
- Store recently resolved hostname-to-IP address mappings. Select Cache and continue to specify the number of entries for the cache to hold and the number of hours after which all cached DNS entries are removed.
- Enable DNS queries using TCP.
- Specify settings for UDP query retries.

Step 6: Enable evasion signatures.
When DNS proxy is enabled, evasion signatures that detect crafted HTTP or TLS requests can alert to instances where a client connects to a domain other than the domain specified in the original DNS query.
1. Install the Applications and Threats content version 579 or later:
a. Select Device > Dynamic Updates.
b. Check Now to get the latest Applications and Threats content update.
c. Download and Install Applications and Threats content version 579.
2. Define how traffic matched to evasion signatures should be enforced:
a. Select Objects > Security Profiles > Anti-Spyware and Add or modify an Anti-Spyware profile.
b. Select Exceptions and select Show all signatures.
c. Filter signatures based on the keyword evasion.
d. For all evasion signatures, set the Action to any setting other than allow or the default action (the default action for evasion signatures is allow). For example, set the action to alert or block.
e. Click OK to save the updated Anti-Spyware profile.
f. Attach the Anti-Spyware profile to a security policy rule: Select Policies > Security, select the desired policy to modify and then click the Actions tab. In Profile Settings, click the drop-down next to Anti-Spyware and select the Anti-Spyware profile you just modified to enforce evasion signatures.

Step 7: Commit your changes.

Learn more about DNS features:
- Use DNS queries to identify infected hosts on the network.
- Enable passive DNS collection for better threat intelligence.
- To work with DNS features and virtual systems, see these DNS use cases for virtual systems and learn how to configure a DNS proxy object and DNS server profiles for virtual systems.
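The resolution order this procedure configures (static entries, cache, per-domain proxy rules, then the default servers) and the correlation that the evasion signatures in Step 6 depend on, as an added Python example; this is not PAN-OS code, and the class layout, the order in which the lookup steps are tried, the callables standing in for upstream DNS servers, and every name and address are constructed assumptions.

```python
"""DNS proxy resolution order plus the DNS/connection correlation behind the
evasion signatures.

Added example, not PAN-OS code. The proxy answers from static entries, then
its cache, then a per-domain rule (Step 3), else the default servers (Step 2),
and remembers every answer it handed out. check_connection() then compares an
HTTP Host / TLS SNI plus destination IP against those answers: 'mismatch' is
the condition the evasion signatures alert on. Lookup order, names and data
are assumptions; upstream servers are simple callables here."""
import time


class DnsProxy:
    def __init__(self, default_resolver, cache_ttl=3600.0, clock=time.time):
        self.default_resolver = default_resolver  # callable(fqdn) -> list of IPs
        self.rules = []       # (domain suffix, resolver, cache_enabled): DNS Proxy Rules
        self.static = {}      # fqdn -> [ip, ...]: Static Entries
        self.cache = {}       # fqdn -> (expiry, [ip, ...])
        self.answered = {}    # fqdn -> set of IPs this proxy has returned to clients
        self.cache_ttl = cache_ttl
        self.clock = clock

    @staticmethod
    def _norm(name):
        return name.lower().strip(".")

    def add_rule(self, domain, resolver, cache=True):
        self.rules.append((self._norm(domain), resolver, cache))

    def add_static(self, fqdn, ips):
        self.static[self._norm(fqdn)] = list(ips)

    def _match_rule(self, name):
        """The most specific (longest) matching Domain Name wins."""
        best = None
        for domain, resolver, cache in self.rules:
            if name == domain or name.endswith("." + domain):
                if best is None or len(domain) > len(best[0]):
                    best = (domain, resolver, cache)
        return best

    def resolve(self, name):
        """Return (ips, source) where source names the step that answered."""
        name = self._norm(name)
        now = self.clock()
        if name in self.static:
            ips, source = list(self.static[name]), "static"
        elif name in self.cache and self.cache[name][0] > now:
            ips, source = list(self.cache[name][1]), "cache"
        else:
            rule = self._match_rule(name)
            if rule:
                resolver, cacheable, source = rule[1], rule[2], "rule:" + rule[0]
            else:
                resolver, cacheable, source = self.default_resolver, True, "default"
            ips = list(resolver(name))
            if cacheable and ips:
                self.cache[name] = (now + self.cache_ttl, ips)
        self.answered.setdefault(name, set()).update(ips)
        return ips, source

    def check_connection(self, server_name, dst_ip):
        """Correlate a connection's server name with the answer the proxy gave.
        A name the proxy never answered cannot be judged, which is the DNS
        load-balancing caveat in the guide: without the proxy in the path the
        client and the firewall may legitimately hold different answers."""
        known = self.answered.get(self._norm(server_name))
        if not known:
            return "unanswered"
        return "ok" if dst_ip in known else "mismatch"


if __name__ == "__main__":
    # constructed resolvers and names
    corp = lambda n: {"intranet.corp.example": ["10.1.2.3"]}.get(n, [])
    public = lambda n: {"www.example.net": ["203.0.113.10"]}.get(n, [])
    proxy = DnsProxy(public)
    proxy.add_rule("corp.example", corp)
    print(proxy.resolve("intranet.corp.example"), proxy.resolve("www.example.net"))
    print(proxy.check_connection("www.example.net", "198.51.100.7"))
```

Because the proxy records what it told the client, a later HTTP or TLS connection that names www.example.net but goes to an address never returned for that name is a mismatch regardless of what any other resolver would say; that is the property the guide asks you to secure by enabling DNS proxy before enabling evasion signatures.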

Enable Passive DNS Collection for Improved Threat Intelligence

Passive DNS is an opt-in feature that enables the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and threat prevention capabilities. The data collected includes non-recursive (i.e. originating from the local recursive resolver, not individual clients) DNS query and response packet payloads. Data submitted via the Passive DNS Monitoring feature consists solely of mappings of domain names to IP addresses. Palo Alto Networks retains no record of the source of this data and does not have the ability to associate it with the submitter at a future date.
The Palo Alto Networks threat research team uses this information to gain insight into malware propagation and evasion techniques that abuse the DNS system. Information gathered through this data collection is used to improve accuracy and malware detection abilities within PAN-DB URL filtering, DNS-based command-and-control signatures, and WildFire.
DNS responses are forwarded to Palo Alto Networks only when all of the following requirements are met:
- DNS response bit is set
- DNS truncated bit is not set
- DNS recursive bit is not set
- DNS response code is 0 or 3 (NX)
- DNS question count is bigger than 0
- DNS Answer RR count is bigger than 0, or if it is 0, the response code needs to be 3 (NX)
- DNS query record type is A, NS, CNAME, AAAA, or MX
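An added Python example (not PAN-OS code) that applies the seven criteria above to a raw DNS message, so you can see which responses on the wire would qualify. It reads the RFC 1035 header and question section; the guide's "recursive bit" is taken here to be the RD flag, which is an assumption, the helper names are invented, and make_response() builds constructed test packets rather than anything captured from a firewall.

```python
"""Passive DNS eligibility check over a raw DNS message.

Added example, not PAN-OS code. Applies the guide's criteria in order: QR set,
TC clear, RD clear (assumed to be the "recursive bit"), rcode 0 or 3, at least
one question, at least one answer unless NXDOMAIN, and a collected query type.
make_response() produces constructed test packets."""
import struct

COLLECTED_QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}


def _read_name(packet, offset):
    """Decode a (possibly compressed) name; return (name, offset after the name)."""
    labels = []
    end = None                       # position just past the name where it first appeared
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:    # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if end is None:
                end = offset
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def passive_dns_eligible(packet):
    """Return (eligible, reason) for one DNS message."""
    if len(packet) < 12:
        return False, "short header"
    _ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    qr = (flags >> 15) & 1
    tc = (flags >> 9) & 1
    rd = (flags >> 8) & 1
    rcode = flags & 0xF
    if not qr:
        return False, "QR not set: a query, not a response"
    if tc:
        return False, "TC set: truncated response"
    if rd:
        return False, "RD set: recursive query from a client, not the resolver"
    if rcode not in (0, 3):
        return False, "rcode %d is neither NOERROR nor NXDOMAIN" % rcode
    if qdcount == 0:
        return False, "question count is 0"
    if ancount == 0 and rcode != 3:
        return False, "no answer records and not NXDOMAIN"
    qname, off = _read_name(packet, 12)
    qtype = struct.unpack("!H", packet[off:off + 2])[0]
    if qtype not in COLLECTED_QTYPES:
        return False, "qtype %d is not collected" % qtype
    return True, "%s %s" % (COLLECTED_QTYPES[qtype], qname)


def _encode_name(name):
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.strip(".").split("."))
    return out + b"\x00"


def make_response(qname, qtype, rcode=0, rd=0, tc=0, answers=()):
    """Constructed test data: one question plus one A record per address in
    `answers` (the answer RR type does not matter to the check above)."""
    flags = 0x8000 | (tc << 9) | (rd << 8) | rcode
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)
    rrs = b""
    for ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + rrs


if __name__ == "__main__":
    print(passive_dns_eligible(make_response("www.example.com", 1, answers=["203.0.113.5"])))
    print(passive_dns_eligible(make_response("www.example.com", 1, rd=1, answers=["203.0.113.5"])))
```

The RD test is what keeps individual clients' queries out of the data set: a stub resolver sets RD on its query and the answer echoes it, whereas the local recursive resolver's own iterative lookups carry RD clear.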
Passive DNS monitoring is disabled by default, but it is recommended that you enable it to facilitate enhanced threat intelligence. Use the following procedure to enable Passive DNS:

Enable Passive DNS

Step 1: Select Objects > Security Profiles > Anti-Spyware.

Step 2: Select an existing profile to modify it or configure a new profile.
Note: The Anti-Spyware profile must be attached to a security policy that governs your DNS server's external DNS traffic.

Step 3: Select the DNS Signatures tab and click the Enable Passive DNS Monitoring check box.

Step 4: Click OK and then Commit.

Use DNS Queries to Identify Infected Hosts on the Network

The DNS sinkhole action in Anti-Spyware profiles enables the firewall to forge a response to a DNS query for a known malicious domain or to a custom domain, so that you can identify hosts on your network that have been infected with malware. By default, DNS queries to any domain included in the Palo Alto Networks DNS signatures list are sinkholed to a Palo Alto Networks server IP address. The following topics provide details on how to enable DNS sinkholing for custom domains and how to identify infected hosts.
- DNS Sinkholing
- Configure DNS Sinkholing for a List of Custom Domains
- Configure the Sinkhole IP Address to a Local Server on Your Network
- Identify Infected Hosts

DNS Sinkholing

DNS sinkholing helps you to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query (that is, the firewall cannot see the originator of the DNS query). In a typical deployment where the firewall is north of the local DNS server, the threat log will identify the local DNS resolver as the source of the traffic rather than the actual infected host. Sinkholing malware DNS queries solves this visibility problem by forging responses to the client host queries directed at malicious domains, so that clients attempting to connect to malicious domains (for command-and-control, for example) will instead attempt to connect to a default Palo Alto Networks sinkhole IP address, or to a user-defined IP address as illustrated in Configure DNS Sinkholing for a List of Custom Domains. Infected hosts can then be easily identified in the traffic logs because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.
If you want to enable DNS sinkholing for Palo Alto Networks DNS signatures, attach the default Anti-Spyware profile to a security policy rule (see Set Up Antivirus, Anti-Spyware, and Vulnerability Protection). DNS queries to any domain included in the Palo Alto Networks DNS signatures will be resolved to the default Palo Alto Networks sinkhole IP address. The IP addresses currently are IPv4 71.19.152.112 and the IPv6 loopback address ::1. These addresses are subject to change and can be updated with content updates.

Figure: DNS Sinkholing Example

Configure DNS Sinkholing for a List of Custom Domains

To enable DNS Sinkholing for a custom list of domains, you must create an external dynamic list that includes the domains, enable the sinkhole action in an Anti-Spyware profile and attach the profile to a security policy rule. When a client attempts to access a malicious domain in the list, the firewall forges the destination IP address in the packet to the default Palo Alto Networks server or to a user-defined IP address for sinkholing.
For each custom domain included in the external dynamic list, the firewall generates DNS-based spyware signatures. The signature is named Custom Malicious DNS Query <domain name>, and is of type spyware with medium severity; each signature is a 24-byte hash of the domain name.
Each firewall platform supports a maximum of 50,000 domain names total in one or more External Dynamic Lists, but no maximum limit is enforced for any one list.

Configure DNS Sinkholing for a Custom List of Domains

Step 1: Enable DNS sinkholing for the custom list of domains in an external dynamic list.
1. Select Objects > Security Profiles > Anti-Spyware.
2. Modify an existing profile, or select one of the existing default profiles and clone it.
3. Name the profile and select the DNS Signatures tab.
4. Click Add and select External Dynamic Lists in the drop-down.
When you configure the external dynamic list from the Anti-Spyware profile, the Type is preset to Domain List.
Note: If you have already created an external dynamic list of type Domain List, you can select it from here. The drop-down does not display external dynamic lists of type URL or IP Address that you may have created.
5. Configure access to the External Dynamic List.
a. Enter a descriptive Name for the list.
b. Enter the Source for the list you just created on the web server. The source must include the full path to access the list. For example, https://1.2.3.4/EDL_IP_2015.
c. Populate the list with domain names. See Formatting Guidelines for an External Dynamic List.
d. Click Test Source URL to verify that the firewall can connect to the list on the web server.
Note: If the web server is unreachable after the connection is established, the firewall or Panorama uses the last successfully retrieved list for enforcing policy until the connection is restored with the web server.
e. (Optional) Specify the Repeat frequency at which the firewall retrieves the list. By default, the list is retrieved once every hour.
f. Click OK.
6. (Optional) In the Packet Capture drop-down, select single-packet to capture the first packet of the session or extended-capture to set between 1-50 packets. You can then use the packet captures for further analysis.

Step 2: Verify the sinkholing settings on the Anti-Spyware profile.
7. On the DNS Signatures tab, verify that the Action on DNS Queries is sinkhole.
8. In the Sinkhole section, verify that Sinkhole is enabled. For your convenience, the default Sinkhole IP address is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this IP address through content updates.
If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
9. Click OK to save the Anti-Spyware profile.

Step 3: Attach the Anti-Spyware profile to a Security policy rule.
1. Select Policies > Security.
2. On the Actions tab, select the Log at Session Start check box to enable logging.
3. In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From the Anti-Spyware drop-down, select the new profile.
4. Click OK to save the policy rule.

Step 4: Test that the policy action is enforced.
1. Access a domain in the external dynamic list.
2. To monitor the activity on the firewall:
a. Select ACC and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
b. Select Monitor > Logs > Threat and filter by (action eq sinkhole) to view logs on sinkholed domains.

Step 5: Verify whether entries in the external dynamic list are ignored or skipped.
Note: In a list of type URL, the firewall skips entries that are not URLs as invalid and ignores entries that exceed the maximum limit for the platform.
Use the following CLI command on the firewall to review the details about the list.
request system external-list show type domain name <list_name>
For example:
request system external-list show type domain name My_List_of_Domains_2015
vsys1/EBLDomain:
Next update at : Thu May 21 10:15:39 2015
Source :https://1.2.3.4/My_List_of_Domains_2015
Referenced : Yes
Valid : Yes
Number of entries : 3
domains:
www.example.com
baddomain.com
qqq.abcedfg.com

Step 6: (Optional) Retrieve the external dynamic list on demand.
To force the firewall to retrieve the updated list on demand instead of at the next refresh interval (the Repeat frequency you defined for the external dynamic list), use the following CLI command:
request system external-list refresh type domain name <list_name>

Configure the Sinkhole IP Address to a Local Server on Your Network

By default, sinkholing is enabled for all Palo Alto Networks DNS signatures, and the sinkhole IP address is set to access a Palo Alto Networks server. Use the instructions in this section if you want to set the sinkhole IP address to a local server on your network.
You must obtain both an IPv4 and IPv6 address to use as the sinkhole IP addresses because malicious software may perform DNS queries using one or both of these protocols. The DNS sinkhole address must be in a different zone than the client hosts to ensure that when an infected host attempts to start a session with the sinkhole IP address, it will be routed through the firewall.

Note: The sinkhole addresses must be reserved for this purpose and do not need to be assigned to a physical host. You can optionally use a honeypot server as a physical host to further analyze the malicious traffic.

The configuration steps that follow use the following example DNS sinkhole addresses:
- IPv4 DNS sinkhole address: 10.15.0.20
- IPv6 DNS sinkhole address: fd97:3dec:4d27:e37c:5:5:5:5

Configure Sinkholing to a Local Server on Your Network

Step 1: Configure the sinkhole interface and zone.
Traffic from the zone where the client hosts reside must route to the zone where the sinkhole IP address is defined, so traffic will be logged.
Note: Use a dedicated zone for sinkhole traffic, because the infected host will be sending traffic to this zone.
1. Select Network > Interfaces and select an interface to configure as your sinkhole interface.
2. In the Interface Type drop-down, select Layer3.
3. To add an IPv4 address, select the IPv4 tab, select Static, and then click Add. In this example, add 10.15.0.20 as the IPv4 DNS sinkhole address.
4. Select the IPv6 tab, click Static, and then click Add and enter an IPv6 address and subnet mask. In this example, enter fd97:3dec:4d27:e37c::/64 as the IPv6 sinkhole address.
5. Click OK to save.
6. To add a zone for the sinkhole, select Network > Zones and click Add.
7. Enter a zone Name.
8. In the Type drop-down, select Layer3.
9. In the Interfaces section, click Add and add the interface you just configured.
10. Click OK.

Step 2: Enable DNS sinkholing.
By default, sinkholing is enabled for all Palo Alto Networks DNS signatures. To change the sinkhole address to your local server, see step 8 in Configure DNS Sinkholing for a List of Custom Domains.

Step 3: Edit the security policy rule that allows traffic from client hosts in the trust zone to the untrust zone to include the sinkhole zone as a destination and attach the Anti-Spyware profile.
Editing the security rule(s) that allows traffic from client hosts in the trust zone to the untrust zone ensures that you are identifying traffic from infected hosts. By adding the sinkhole zone as a destination on the rule, you enable infected clients to send bogus DNS queries to the DNS sinkhole.
1. Select Policies > Security.
2. Select an existing rule that allows traffic from the client host zone to the untrust zone.
3. On the Destination tab, Add the Sinkhole zone. This allows client host traffic to flow to the sinkhole zone.
4. On the Actions tab, select the Log at Session Start check box to enable logging. This will ensure that traffic from client hosts in the Trust zone will be logged when accessing the Untrust or Sinkhole zones.
5. In the Profile Setting section, select the Anti-Spyware profile in which you enabled DNS sinkholing.
6. Click OK to save the security rule and then Commit.

Step 4: To confirm that you will be able to identify infected hosts, verify that traffic going from the client host in the Trust zone to the new Sinkhole zone is being logged.
In this example, the infected client host is 192.168.2.10 and the Sinkhole IPv4 address is 10.15.0.20.
1. From a client host in the trust zone, open a command prompt and run the following command:
C:\>ping <sinkhole address>
The following example output shows the ping request to the DNS sinkhole address at 10.15.0.20 and the result, which is Request timed out because in this example the sinkhole IP address is not assigned to a physical host:
C:\>ping 10.15.0.20
Pinging 10.15.0.20 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 10.15.0.20:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
2. On the firewall, select Monitor > Logs > Traffic and find the log entry with the Source 192.168.2.10 and Destination 10.15.0.20. This will confirm that the traffic to the sinkhole IP address is traversing the firewall zones.
Note: You can search and/or filter the logs and only show logs with the destination 10.15.0.20. To do this, click the IP address (10.15.0.20) in the Destination column, which will add the filter (addr.dst in 10.15.0.20) to the search field. Click the Apply Filter icon to the right of the search field to apply the filter.

Step 5: Test that DNS sinkholing is configured properly.
You are simulating the action that an infected client host would perform when a malicious application attempts to call home.
1. Find a malicious domain that is included in the firewall's current Antivirus signature database to test sinkholing.
a. Select Device > Dynamic Updates and in the Antivirus section click the Release Notes link for the currently installed antivirus database. You can also find the antivirus release notes that list the incremental signature updates under Dynamic Updates on the Palo Alto Networks support site.
b. In the second column of the release note, locate a line item with a domain extension (for example, .com, .edu, or .net). The left column will display the domain name. For example, Antivirus release 1117-1560 includes an item in the left column named "tbsbana" and the right column lists "net". The following shows the content in the release note for this line item:
conficker:tbsbana1 variants: net
2. From the client host, open a command prompt.
3. Perform an NSLOOKUP to a URL that you identified as a known malicious domain.
For example, using the URL track.bidtrk.com:
C:\>nslookup track.bidtrk.com
Server: my-local-dns.local
Address: 10.0.0.222
Non-authoritative answer:
Name: track.bidtrk.com.org
Addresses: fd97:3dec:4d27:e37c:5:5:5:5
10.15.0.20
In the output, note that the NSLOOKUP to the malicious domain has been forged using the sinkhole IP addresses that we configured (10.15.0.20). Because the domain matched a malicious DNS signature, the sinkhole action was performed.
4. Select Monitor > Logs > Threat and locate the corresponding threat log entry to verify that the correct action was taken on the NSLOOKUP request.
5. Perform a ping to track.bidtrk.com, which will generate network traffic to the sinkhole address.


Identify Infected Hosts

After you have configured DNS sinkholing and verified that traffic to a malicious domain goes to the sinkhole address, you should regularly monitor traffic to the sinkhole address, so that you can track down the infected hosts and eliminate the threat.

DNS Sinkhole Verification and Reporting

Use App Scope to identify infected client hosts.
        1. Select Monitor > App Scope and select Threat Monitor.
        2. Click the Show spyware button along the top of the display page.
        3. Select a time range.
           The following screenshot shows three instances of Suspicious DNS queries, which were generated when the test client host performed an NSLOOKUP on a known malicious domain. Click the graph to see more details about the event.


Configure a custom report to identify all client hosts that have sent traffic to the sinkhole IP address, which is 10.15.0.20 in this example.
        Forward to an SNMP manager, Syslog server and/or Panorama to enable alerts on these events.
        In this example, the infected client host performed an NSLOOKUP to a known malicious domain that is listed in the Palo Alto Networks DNS Signature database. When this occurred, the query was sent to the local DNS server, which then forwarded the request through the firewall to an external DNS server. The firewall security policy with the Anti-Spyware profile configured matched the query to the DNS Signature database, which then forged the reply using the sinkhole address of 10.15.0.20 and fd97:3dec:4d27:e37c:5:5:5:5. The client attempts to start a session and the traffic log records the activity with the source host and the destination address, which is now directed to the forged sinkhole address.
        Viewing the traffic log on the firewall allows you to identify any client host that is sending traffic to the sinkhole address. In this example, the logs show that the source address 192.168.2.10 sent the malicious DNS query. The host can then be found and cleaned. Without the DNS sinkhole option, the administrator would only see the local DNS server as the system that performed the query and would not see the client host that is infected. If you attempted to run a report on the threat log using the action Sinkhole, the log would show the local DNS server, not the infected host.
        1. Select Monitor > Manage Custom Reports.
        2. Click Add and Name the report.
        3. Define a custom report that captures traffic to the sinkhole address as follows:
           Database - Select Traffic Log.
           Scheduled - Enable Scheduled and the report will run every night.
           Time Frame - 30 days
           Selected Columns - Select Source address or Source User (if you have User-ID configured), which will identify the infected client host in the report, and Destination address, which will be the sinkhole address.
           In the section at the bottom of the screen, create a custom query for traffic to the sinkhole address (10.15.0.20 in this example). You can either enter the destination address in the Query Builder window (addr.dst in 10.15.0.20) or select the following in each column and click Add: Connector = and, Attribute = Destination Address, Operator = in, and Value = 10.15.0.20. Click Add to add the query.
        4. Click Run Now to run the report. The report will show all client hosts that have sent traffic to the sinkhole address, which indicates that they are most likely infected. You can now track down the hosts and check them for spyware.
        5. To view scheduled reports that have run, select Monitor > Reports.
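The two checks this section relies on, recognising a forged (sinkholed) DNS answer in Step 5 and pulling the hosts that talked to the sinkhole out of the traffic log as the custom report does, can be reproduced offline. The Go program below is an added example and is not Palo Alto Networks code or a firewall export format: the CSV columns (src, dst, app) and the log rows are constructed for the example, the function names are the example's own, and the sinkhole addresses are the ones used in this chapter (10.15.0.20 and fd97:3dec:4d27:e37c:5:5:5:5). InfectedHosts applies the same predicate as the report query addr.dst in 10.15.0.20 and aggregates by source address; IsSinkholed performs the Step 5 check on an NSLOOKUP answer set.

```go
package main

import (
	"encoding/csv"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: a CSV export of the traffic log reduced to the columns the
// custom report selects (source address, destination address) plus the
// application. These rows are made up for the example; they are not real logs.
const sampleTrafficLog = `src,dst,app
192.168.2.10,10.15.0.20,ping
192.168.2.10,10.0.0.222,dns
192.168.2.77,10.15.0.20,web-browsing
10.0.0.222,8.8.8.8,dns
192.168.2.10,10.15.0.20,ping
`

// sinkholeAddrs are the IPv4 and IPv6 sinkhole addresses used in this chapter.
var sinkholeAddrs = []string{"10.15.0.20", "fd97:3dec:4d27:e37c:5:5:5:5"}

// IsSinkholed reports whether a DNS answer set (the addresses NSLOOKUP returned)
// contains a configured sinkhole address, meaning the firewall forged the reply
// because the queried domain matched a malicious DNS signature.
func IsSinkholed(answers, sinkholes []string) bool {
	for _, a := range answers {
		for _, s := range sinkholes {
			if strings.EqualFold(strings.TrimSpace(a), s) {
				return true
			}
		}
	}
	return false
}

// InfectedHosts applies the report query "addr.dst in <sinkhole>" to a traffic log
// export and returns the distinct source addresses that sent traffic to the
// sinkhole (sorted) together with a per-host session count.
func InfectedHosts(logCSV string, sinkholes []string) ([]string, map[string]int, error) {
	r := csv.NewReader(strings.NewReader(logCSV))
	r.FieldsPerRecord = -1 // tolerate ragged rows; they are skipped below
	rows, err := r.ReadAll()
	if err != nil {
		return nil, nil, err
	}
	if len(rows) == 0 {
		return nil, nil, errors.New("empty traffic log")
	}
	// Locate columns by header name so the export's column order does not matter.
	col := map[string]int{}
	for i, h := range rows[0] {
		col[strings.ToLower(strings.TrimSpace(h))] = i
	}
	srcIdx, okSrc := col["src"]
	dstIdx, okDst := col["dst"]
	if !okSrc || !okDst {
		return nil, nil, errors.New("traffic log lacks src/dst columns")
	}
	counts := map[string]int{}
	for _, row := range rows[1:] {
		if len(row) <= srcIdx || len(row) <= dstIdx {
			continue
		}
		if IsSinkholed([]string{row[dstIdx]}, sinkholes) {
			counts[row[srcIdx]]++
		}
	}
	hosts := make([]string, 0, len(counts))
	for h := range counts {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	return hosts, counts, nil
}

func main() {
	// The answer set from the Step 5 NSLOOKUP of the test domain.
	answers := []string{"fd97:3dec:4d27:e37c:5:5:5:5", "10.15.0.20"}
	fmt.Println("DNS answer forged to the sinkhole:", IsSinkholed(answers, sinkholeAddrs))

	hosts, counts, err := InfectedHosts(sampleTrafficLog, sinkholeAddrs)
	if err != nil {
		panic(err)
	}
	for _, h := range hosts {
		fmt.Printf("%-16s %d session(s) to the sinkhole\n", h, counts[h])
	}
}
```

Against the sample rows the program lists 192.168.2.10 (two sessions) and 192.168.2.77 (one session); the local DNS server 10.0.0.222 never appears because, as the text explains, it is the client's forged-answer follow-up traffic and not the resolver's forwarded query that reaches the sinkhole.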


Content Delivery Network Infrastructure for Dynamic Updates

Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to the Palo Alto Networks firewalls. The firewalls access the web resources in the CDN to perform various App-ID and Content-ID functions. For enabling and scheduling the content updates, see Install Content and Software Updates.
The following table lists the web resources that the firewall accesses for a feature or application:

Resource: Application Database
  URL: updates.paloaltonetworks.com:443
  Static Addresses (if a static server is required): staticupdates.paloaltonetworks.com or the IP address 199.167.52.15

Resource: Threat/Antivirus Database
  URL: updates.paloaltonetworks.com:443
       downloads.paloaltonetworks.com:443
       As a best practice, set the update server to updates.paloaltonetworks.com. This allows the Palo Alto Networks firewall to receive content updates from the server closest to it in the CDN infrastructure.
  Static Addresses (if a static server is required): staticupdates.paloaltonetworks.com or the IP address 199.167.52.15

Resource: PAN-DB URL Filtering
  URL: *.urlcloud.paloaltonetworks.com
       Resolves to the primary URL s0000.urlcloud.paloaltonetworks.com and is then redirected to the regional server that is closest:
       s0100.urlcloud.paloaltonetworks.com
       s0200.urlcloud.paloaltonetworks.com
       s0300.urlcloud.paloaltonetworks.com
       s0500.urlcloud.paloaltonetworks.com
  Static Addresses (if a static server is required): Static IP addresses are not available. However, you can manually resolve a URL to an IP address and allow access to the regional server IP address.

Resource: BrightCloud URL Filtering
  URL: database.brightcloud.com:443/80
       service.brightcloud.com:80
  Static Addresses (if a static server is required): Contact BrightCloud Customer Support.

Resource: WildFire
  URL: beta.wildfire.paloaltonetworks.com:443/80
       betas1.wildfire.paloaltonetworks.com:443/80
       Beta sites are only accessed by a firewall running a Beta release version.
       mail.wildfire.paloaltonetworks.com:25
       wildfire.paloaltonetworks.com:443/80
  Static Addresses (if a static server is required):
       mail.wildfire.paloaltonetworks.com:25 or the IP address 54.241.16.83
       wildfire.paloaltonetworks.com:443/80 or 54.241.8.199
       The regional URL/IP addresses are as follows:
       cas1.wildfire.paloaltonetworks.com:443 or 54.241.34.71
       vas1.wildfire.paloaltonetworks.com:443 or 174.129.24.252
       eus1.wildfire.paloaltonetworks.com:443 or 54.246.95.247
       sgs1.wildfire.paloaltonetworks.com:443 or 54.251.33.241
       jps1.wildfire.paloaltonetworks.com:443 or 54.238.53.161
       portal3.wildfire.paloaltonetworks.com:443/80 or 54.241.8.199
       cas3.wildfire.paloaltonetworks.com:443 or 54.241.34.71
       vas3.wildfire.paloaltonetworks.com:443 or 23.21.208.35
       eus3.wildfire.paloaltonetworks.com:443 or 54.246.95.247
       sgs3.wildfire.paloaltonetworks.com:443 or 54.251.33.241
       jps3.wildfire.paloaltonetworks.com:443 or 54.238.53.161
       wildfire.paloaltonetworks.com.jp:443/80 or 180.37.183.53
       wf1.wildfire.paloaltonetworks.jp:443 or 180.37.180.37
       wf2.wildfire.paloaltonetworks.jp:443 or 180.37.181.18
       portal3.wildfire.paloaltonetworks.jp:443/80 or 180.37.183.53


Threat Prevention Resources

For more information on Threat Prevention, refer to the following sources:
• Creating Custom Threat Signatures
• Threat Prevention Deployment
• Understanding DoS Protection
To view a list of Threats and Applications that Palo Alto Networks products can identify, use the following links:
• Applipedia - Provides details on the applications that Palo Alto Networks can identify.
• Threat Vault - Lists threats that Palo Alto Networks products can identify. You can search by Vulnerability, Spyware, or Virus. Click the Details icon next to the ID number for more information about a threat.



Decryption

Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Decryption on a Palo Alto Networks firewall includes the capability to enforce security policies on encrypted traffic, where otherwise the encrypted traffic might not be blocked and shaped according to your configured security settings. Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted traffic. Enabling decryption on a Palo Alto Networks firewall can include preparing the keys and certificates required for decryption, creating a decryption policy, and configuring decryption port mirroring. See the following topics to learn about and configure decryption:
• Decryption Overview
• Decryption Concepts
• Define Traffic to Decrypt
• Configure SSL Forward Proxy
• Configure SSL Inbound Inspection
• Configure SSH Proxy
• Configure Decryption Exceptions
• Enable Users to Opt Out of SSL Decryption
• Configure Decryption Port Mirroring
• Temporarily Disable SSL Decryption


Decryption Overview

Secure Sockets Layer (SSL) and Secure Shell (SSH) are encryption protocols used to secure traffic between two entities, such as a web server and a client. SSL and SSH encapsulate traffic, encrypting data so that it is meaningless to entities other than the client and server with the keys to decode the data and the certificates to affirm trust between the devices. Traffic that has been encrypted using the protocols SSL and SSH can be decrypted to ensure that these protocols are being used for the intended purposes only, and not to conceal unwanted activity or malicious content.

Palo Alto Networks firewalls decrypt encrypted traffic by using keys to transform strings (passwords and shared secrets) from ciphertext to plaintext (decryption) and from plaintext back to ciphertext (re-encrypting traffic as it exits the firewall). Certificates are used to establish the firewall as a trusted third party and to create a secure connection. SSL decryption (both forward proxy and inbound inspection) requires certificates to establish trust between two entities in order to secure an SSL/TLS connection. Certificates can also be used when excluding servers from SSL decryption. You can integrate a hardware security module (HSM) with a firewall to enable enhanced security for the private keys used in SSL forward proxy and SSL inbound inspection decryption. To learn more about storing and generating keys using an HSM and integrating an HSM with your firewall, see Secure Keys with a Hardware Security Module. SSH decryption does not require certificates.

Palo Alto Networks firewall decryption is policy-based, and can be used to decrypt, inspect, and control both inbound and outbound SSL and SSH connections. Decryption policies allow you to specify traffic for decryption according to destination, source, or URL category and in order to block or restrict the specified traffic according to your security settings. The firewall uses certificates and keys to decrypt the traffic specified by the policy to plaintext, and then enforces App-ID and security settings on the plaintext traffic, including Decryption, Antivirus, Vulnerability, Anti-Spyware, URL Filtering, WildFire Submissions, and File Blocking profiles. After traffic is decrypted and inspected on the firewall, the plaintext traffic is re-encrypted as it exits the firewall to ensure privacy and security. Use policy-based decryption on the firewall to:
• Prevent malware concealed as encrypted traffic from being introduced into a corporate network.
• Prevent sensitive corporate information from moving outside the corporate network.
• Ensure the appropriate applications are running on a secure network.
• Selectively decrypt traffic; for example, exclude traffic for financial or health care sites from decryption by configuring a decryption exception.

The three decryption policies offered on the firewall, SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy, all provide methods to specifically target and inspect SSL outbound traffic, SSL inbound traffic, and SSH traffic, respectively. The decryption policies provide the settings for you to specify what traffic to decrypt, and you can attach a decryption profile to a policy rule to apply more granular security settings to decrypted traffic, such as checks for server certificates, unsupported modes, and failures. This policy-based decryption on the firewall gives you visibility into and control of SSL and SSH encrypted traffic according to configurable parameters.

You can also choose to extend a decryption configuration on the firewall to include Decryption Mirroring, which allows for decrypted traffic to be forwarded as plaintext to a third-party solution for additional analysis and archiving.


Decryption Concepts

To learn about keys and certificates for decryption, decryption policies, and decryption port mirroring, see the following topics:
• Keys and Certificates for Decryption Policies
• SSL Forward Proxy
• SSL Inbound Inspection
• SSH Proxy
• Decryption Exceptions
• Decryption Mirroring

Keys and Certificates for Decryption Policies

Keys are strings of numbers that are typically generated using a mathematical operation involving random numbers and large primes. Keys are used to transform other strings such as passwords and shared secrets from plaintext to ciphertext (called encryption) and from ciphertext to plaintext (called decryption). Keys can be symmetric (the same key is used to encrypt and decrypt) or asymmetric (one key is used for encryption and a mathematically related key is used for decryption). Any system can generate a key.

X.509 certificates are used to establish trust between a client and a server in order to establish an SSL connection. A client attempting to authenticate a server (or a server authenticating a client) knows the structure of the X.509 certificate and therefore knows how to extract identifying information about the server from fields within the certificate, such as its FQDN or IP address (called a common name or CN within the certificate) or the name of the organization, department, or user to which the certificate was issued. All certificates must be issued by a certificate authority (CA). After the CA verifies a client or server, the CA issues the certificate and signs it with a private key.

With a decryption policy configured, a session between the client and the server is established only if the firewall trusts the CA that signed the server certificate. In order to establish trust, the firewall must have the server root CA certificate in its certificate trust list (CTL) and use the public key contained in that root CA certificate to verify the signature. The firewall then presents a copy of the server certificate signed by the Forward Trust certificate for the client to authenticate. You can also configure the firewall to use an enterprise CA as a forward trust certificate for SSL Forward Proxy. If the firewall does not have the server root CA certificate in its CTL, the firewall will present a copy of the server certificate signed by the Forward Untrust certificate to the client. The Forward Untrust certificate ensures that clients are prompted with a certificate warning when attempting to access sites hosted by a server with untrusted certificates.

For detailed information on certificates, see Certificate Management.

        To control the CAs that your firewall trusts, use the Device > Certificate Management > Certificates > Default Trusted Certificate Authorities tab on the firewall web interface.

Table: Palo Alto Networks Firewall Keys and Certificates describes the different keys and certificates used by Palo Alto Networks firewalls for decryption. As a best practice, use different keys and certificates for each usage.


Table: Palo Alto Networks Firewall Keys and Certificates

Key/Certificate Usage: Forward Trust
Description: The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate that is signed by a CA that the firewall trusts. To configure a Forward Trust certificate on the firewall, see Step 2 in the Configure SSL Forward Proxy task. By default, the firewall determines the key size to use for the client certificate based on the key size of the destination server. However, you can also set a specific key size for the firewall to use. See Configure the Key Size for SSL Forward Proxy Server Certificates. For added security, store the forward trust certificate on a Hardware Security Module (HSM); see Store Private Keys on an HSM.

Key/Certificate Usage: Forward Untrust
Description: The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate that is signed by a CA that the firewall does not trust. To configure a Forward Untrust certificate on the firewall, see Step 4 in the Configure SSL Forward Proxy task.

Key/Certificate Usage: SSL Exclude Certificate
Description: Certificates for servers that you want to exclude from SSL decryption. For example, if you have SSL decryption enabled, but have certain servers that you do not want included in SSL decryption, such as the web services for your HR systems, you would import the corresponding certificates onto the firewall and configure them as SSL Exclude Certificates. See Exclude a Server from Decryption.

Key/Certificate Usage: SSL Inbound Inspection
Description: The certificate used to decrypt inbound SSL traffic for inspection and policy enforcement. For this application, you would import the server certificate for the servers for which you are performing SSL inbound inspection, or store them on an HSM (see Store Private Keys on an HSM).

SSL Forward Proxy

Use an SSL Forward Proxy decryption policy to decrypt and inspect SSL/TLS traffic from internal users to the web. SSL Forward Proxy decryption prevents malware concealed as SSL encrypted traffic from being introduced to your corporate network.

With SSL Forward Proxy decryption, the firewall resides between the internal client and outside server. The firewall uses certificates to establish itself as a trusted third party to the session between the client and the server (for details on certificates, see Keys and Certificates for Decryption Policies). When the client initiates an SSL session with the server, the firewall intercepts the client SSL request and forwards the SSL request to the server. The server returns a certificate intended for the client that is intercepted by the firewall. If the server certificate is signed by a CA that the firewall trusts, the firewall creates a copy of the server certificate, signs it with the firewall Forward Trust certificate, and sends the certificate to the client. If the server certificate is signed by a CA that the firewall does not trust, the firewall creates a copy of the server certificate, signs it with the Forward Untrust certificate, and sends it to the client. In this case, the client sees a block page warning that the site they're attempting to connect to is not trusted and the client can choose to proceed or terminate the session. When the client authenticates the certificate, the SSL session is established with the firewall functioning as a trusted forward proxy to the site that the client is accessing. As the firewall continues to receive SSL traffic from the server that is destined for the client, it decrypts the SSL traffic into clear text traffic and applies decryption and security profiles to the traffic. The traffic is then re-encrypted on the firewall and the firewall forwards the encrypted traffic to the client.
Figure: SSL Forward Proxy shows this process in detail.


Figure: SSL Forward Proxy

See Configure SSL Forward Proxy for details on configuring SSL Forward Proxy.
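The certificate handling described in Keys and Certificates for Decryption Policies and in SSL Forward Proxy above can be walked through end to end with Go's standard crypto/x509 package. The program below is an added example, not PAN-OS code: the CA names (Public Root CA, Unknown CA, Firewall Forward Trust CA, Firewall Forward Untrust CA), the hostnames, and the function names (template, mint, newCA, forwardProxyCert, clientAccepts, proxyOutcome) are the example's own. It builds a CTL holding one public root, issues a server certificate from that root and another from a CA the CTL does not contain, re-issues each the way the text describes (a copy of the subject and SANs under the firewall's own key, signed by Forward Trust when the chain verifies against the CTL and by Forward Untrust when it does not), and finally verifies each copy as a client that trusts only the Forward Trust CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca is a signing authority: its certificate and the private key behind it.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// template builds a certificate template that is either a CA or a server leaf.
func template(subject pkix.Name, dnsNames []string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      subject,
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mint generates a fresh P-256 key, has parent sign tmpl for it and parses the result;
// a nil parent makes the certificate self-signed. Failures are fatal in this demo.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA creates a self-signed CA (a public root for the CTL, a CA outside it, or the
// firewall's own Forward Trust / Forward Untrust CA).
func newCA(cn string) *ca {
	cert, key := mint(template(pkix.Name{CommonName: cn}, nil, true), nil, nil)
	return &ca{cert, key}
}

// forwardProxyCert models the firewall's decision in SSL Forward Proxy: verify the real
// server certificate against the CTL, then present the client a copy with the same
// subject and SANs, signed by Forward Trust if the chain verified and by Forward Untrust
// otherwise. The copy carries the firewall's own key pair, never the server's.
func forwardProxyCert(server *x509.Certificate, ctl *x509.CertPool, trust, untrust *ca) (*x509.Certificate, string) {
	signer, label := trust, "Forward Trust"
	if _, err := server.Verify(x509.VerifyOptions{Roots: ctl, DNSName: server.DNSNames[0]}); err != nil {
		signer, label = untrust, "Forward Untrust"
	}
	cert, _ := mint(template(server.Subject, server.DNSNames, false), signer.cert, signer.key)
	return cert, label
}

// clientAccepts models an enterprise client that trusts the Forward Trust CA but not
// Forward Untrust, so an Untrust-signed copy produces a certificate warning.
func clientAccepts(presented *x509.Certificate, trust *ca, dnsName string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(trust.cert)
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err == nil
}

// proxyOutcome runs one site (real certificate issued by siteCA) through the proxy and
// reports which firewall CA signed the copy and whether the client accepted it.
func proxyOutcome(siteCA *ca, host string, ctl *x509.CertPool, trust, untrust *ca) (string, bool) {
	server, _ := mint(template(pkix.Name{CommonName: host}, []string{host}, false), siteCA.cert, siteCA.key)
	copyCert, label := forwardProxyCert(server, ctl, trust, untrust)
	return label, clientAccepts(copyCert, trust, host)
}

func main() {
	publicCA, unknownCA := newCA("Public Root CA"), newCA("Unknown CA")
	trust, untrust := newCA("Firewall Forward Trust CA"), newCA("Firewall Forward Untrust CA")
	ctl := x509.NewCertPool() // the firewall's CTL holds only the public root
	ctl.AddCert(publicCA.cert)
	label, ok := proxyOutcome(publicCA, "www.example.com", ctl, trust, untrust)
	fmt.Println("trusted site:   copy signed by", label, "- client accepts:", ok)
	label, ok = proxyOutcome(unknownCA, "selfsigned.example.net", ctl, trust, untrust)
	fmt.Println("untrusted site: copy signed by", label, "- client accepts:", ok)
}
```

Running it shows the trusted site's copy signed by Forward Trust and accepted, and the unknown-CA site's copy signed by Forward Untrust and rejected by the client, which is the certificate warning the text describes. The example uses a fixed 24-hour validity window and P-256 keys for brevity; the key-size behaviour of the real Forward Trust certificate is described in Table: Palo Alto Networks Firewall Keys and Certificates.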

SSL Inbound Inspection

Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic from a client to a targeted server (any server you have the certificate for and can import it onto the firewall). For example, if an employee is remotely connected to a web server hosted on the company network and is attempting to add restricted internal documents to his Dropbox folder (which uses SSL for data transmission), SSL Inbound Inspection can be used to ensure that the sensitive data does not move outside the secure company network by blocking or restricting the session.

Configuring SSL Inbound Inspection includes importing the targeted server certificate and key onto the firewall. Because the targeted server certificate and key are imported on the firewall, the firewall is able to access the SSL session between the server and the client and decrypt and inspect traffic transparently, rather than functioning as a proxy. The firewall is able to apply security policies to the decrypted traffic, detecting malicious content and controlling applications running over this secure channel.
Figure: SSL Inbound Inspection shows this process in detail.


Figure: SSL Inbound Inspection

See Configure SSL Inbound Inspection for details on configuring SSL Inbound Inspection.

SSH Proxy

SSH Proxy provides the capability for the firewall to decrypt inbound and outbound SSH connections passing through the firewall, in order to ensure that SSH is not being used to tunnel unwanted applications and content. SSH decryption does not require any certificates and the key used for SSH decryption is automatically generated when the firewall boots up. During the boot up process, the firewall checks to see if there is an existing key. If not, a key is generated. This key is used for decrypting SSH sessions for all virtual systems configured on the firewall. The same key is also used for decrypting all SSHv2 sessions.

In an SSH Proxy configuration, the firewall resides between a client and a server. When the client sends an SSH request to the server, the firewall intercepts the request and forwards the SSH request to the server. The firewall then intercepts the server response and forwards the response to the client, establishing an SSH tunnel between the firewall and the client and an SSH tunnel between the firewall and the server, with the firewall functioning as a proxy. As traffic flows between the client and the server, the firewall is able to distinguish whether the SSH traffic is being routed normally or if it is using SSH tunneling (port forwarding). Content and threat inspections are not performed on SSH tunnels; however, if SSH tunnels are identified by the firewall, the SSH tunneled traffic is blocked and restricted according to configured security policies.
Figure: SSH Proxy Decryption shows this process in detail.


Figure: SSH Proxy Decryption

See Configure SSH Proxy for details on configuring an SSH Proxy policy.

Decryption Exceptions

Applications that do not function properly when the firewall decrypts them are automatically excluded from SSL decryption. For a current list of applications the firewall excludes from SSL decryption by default, see List of Applications Excluded from SSL Decryption.
You can also Configure Decryption Exceptions to exclude applications, URL categories, and targeted server traffic from decryption:
• Exclude certain URL categories or applications that either do not work properly with decryption enabled or for any other reason, including for legal or privacy purposes. You can use a decryption policy to exclude traffic from decryption based on source, destination, URL category, service (port or protocol), and TCP port numbers. For example, with SSL decryption enabled, you can choose URL categories to exclude traffic that is categorized as financial or health related from decryption.
• Exclude server traffic from SSL decryption based on the Common Name (CN) in the server certificate. For example, if you have SSL decryption enabled but have certain servers for which you do not want to decrypt traffic, such as the web services for your HR systems, exclude those servers from decryption by importing the server certificate onto the firewall and modifying the certificate to be an SSL Exclude Certificate.


Decryption Mirroring

The decryption mirroring feature provides the capability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures, such as NetWitness or Solera, for archiving and analysis. This feature is necessary for organizations that require comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality. Decryption mirroring is available on PA-7000 Series, PA-5000 Series and PA-3000 Series platforms only and requires that a free license be installed to enable this feature.
Keep in mind that the decryption, storage, inspection, and/or use of SSL traffic is governed in certain countries and user consent might be required in order to use the decryption mirror feature. Additionally, use of this feature could enable malicious users with administrative access to the firewall to harvest usernames, passwords, social security numbers, credit card numbers, or other sensitive information submitted using an encrypted channel. Palo Alto Networks recommends that you consult with your corporate counsel before activating and using this feature in a production environment.
Figure: Decryption Port Mirroring shows the process for mirroring decrypted traffic and the section Configure Decryption Port Mirroring describes how to license and enable this feature.

Figure: Decryption Port Mirroring


Define Traffic to Decrypt

A decryption policy rule allows you to define traffic that you want the firewall to decrypt, or to define traffic that you want the firewall to exclude from decryption. You can attach a decryption profile rule to a decryption policy rule to more granularly control matching traffic.
• Create a Decryption Profile
• Create a Decryption Policy Rule

Create a Decryption Profile

A decryption profile allows you to perform checks on both decrypted traffic and traffic that you have excluded from decryption. Create a decryption profile to:
• Block sessions using unsupported protocols or cipher suites, or sessions that require client authentication.
• Block sessions based on certificate status, where the certificate is expired, is signed by an untrusted CA, has extensions restricting the certificate use, has an unknown certificate status, or the certificate status can't be retrieved during a configured timeout period.
• Block sessions if the resources to perform decryption are not available or if a hardware security module is not available to sign certificates.
After you create a decryption profile, you can attach it to a decryption policy rule; the firewall then enforces the decryption profile settings on traffic matched to the decryption policy rule.
Palo Alto Networks firewalls include a default decryption profile that you can use to enforce the basic recommended protocol versions and cipher suites for decrypted traffic.

Configure a Decryption Profile Rule

Step 1  Select Objects > Decryption Profile, Add or modify a decryption profile rule, and give the rule a descriptive Name.

Step 2  (Optional) Allow the profile rule to be Shared across every virtual system on a firewall or every Panorama device group.

Step 3  (Decryption Mirroring Only) To Configure Decryption Port Mirroring, enable an Ethernet Interface for the firewall to use to copy and forward decrypted traffic.
        Decryption mirroring requires a decryption port mirror license.


Step 4  (Optional) Block and control SSL tunneled and/or inbound traffic undergoing SSL Forward Proxy decryption or SSL Inbound Inspection.
        Select SSL Decryption:
        • Select SSL Forward Proxy to configure settings to verify certificates, enforce protocol versions and cipher suites, and perform failure checks on SSL decrypted traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Forward Proxy decryption.
        • Select SSL Inbound Inspection to configure settings to enforce protocol versions and cipher suites and to perform failure checks on inbound SSL traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Inbound Inspection.
        • Select SSL Protocol Settings to configure minimum and maximum protocol versions and key exchange, encryption, and authentication algorithms to enforce for SSL traffic. These settings are active when this profile is attached to decryption policy rules that are set to perform either SSL Forward Proxy decryption or SSL Inbound Inspection.

Step 5  (Optional) Block and control traffic (for example, a URL category) for which you have disabled decryption.
        Select No Decryption and configure settings to validate certificates for traffic that is excluded from decryption.
        These settings are active only when the decryption profile is attached to a decryption policy rule that disables decryption for certain traffic.

Step 6  (Optional) Block and control SSH traffic undergoing SSH Proxy decryption.
        Select SSH Proxy and configure settings to enforce supported protocol versions and
        These settings are active only when the decryption profile is attached to a decryption policy rule that decrypts SSH traffic.

Step 7  Add the decryption profile rule to a decryption policy rule.
        Traffic that the policy rule matches to is enforced based on the additional profile rule settings.
        1. Select Policies > Decryption and Create a Decryption Policy Rule or modify an existing rule.
        2. Select Options and select a Decryption Profile to block and control various aspects of the traffic matched to the rule.
           The profile rule settings that are applied to matching traffic depend on the policy rule Action (Decrypt or No Decrypt) and the policy rule Type (SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy). This allows you to use the default decryption profile, or a standard decryption profile customized for your organization, with different types of decryption policy rules.
        3. Click OK.

Step 8  Commit the configuration.
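The checks a decryption profile performs in Steps 4 through 6 (protocol version bounds, allowed key exchange, encryption and authentication algorithms, and the certificate expiry, issuer trust, status and client-authentication checks listed under Create a Decryption Profile) amount to a policy evaluated against the parameters of a decrypted handshake. The Go program below is an added example of that evaluation and is not PAN-OS code: the Profile and Session types and their field names, the splitSuite, Evaluate and sampleProfile functions, and the sample profile's values are the example's own, and the two sessions are constructed inputs. Cipher suites are parsed from their IANA names, so the same logic covers suites beyond the two shown.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
	"time"
)

// Profile is this example's model of a decryption profile: the SSL Protocol Settings
// (version bounds, allowed algorithms) plus the certificate and failure checks. The
// field names are the example's own, not firewall configuration keys.
type Profile struct {
	MinVersion, MaxVersion uint16          // crypto/tls version constants
	KeyExchange            map[string]bool // RSA, DHE, ECDHE
	Encryption             map[string]bool // e.g. AES_128_GCM, 3DES_EDE_CBC, RC4_128
	Authentication         map[string]bool // SHA (SHA-1), SHA256, SHA384, MD5
	BlockExpiredCert       bool
	BlockUntrustedIssuer   bool
	BlockUnknownStatus     bool
	BlockClientAuth        bool
}

// Session is what a proxying firewall learns from the handshake it terminates.
type Session struct {
	Version       uint16
	CipherSuite   string    // IANA name, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	CertNotAfter  time.Time // server certificate expiry
	IssuerTrusted bool      // issuing CA is in the firewall's CTL
	StatusKnown   bool      // revocation status was retrieved within the timeout
	ClientAuth    bool      // server requested a client certificate
}

// splitSuite breaks an IANA cipher-suite name into key exchange, bulk cipher and
// MAC/PRF. TLS 1.3 names (TLS_AES_128_GCM_SHA256) have no key-exchange part, for
// which "TLS13" is returned.
func splitSuite(name string) (kx, enc, auth string, err error) {
	body := strings.TrimPrefix(name, "TLS_")
	kx = "TLS13"
	if i := strings.Index(body, "_WITH_"); i >= 0 {
		kx = strings.SplitN(body[:i], "_", 2)[0] // "ECDHE_RSA" -> ECDHE; "_RSA" is server auth
		body = body[i+len("_WITH_"):]
	}
	j := strings.LastIndex(body, "_")
	if !strings.HasPrefix(name, "TLS_") || j <= 0 || j == len(body)-1 {
		return "", "", "", fmt.Errorf("unrecognised cipher suite %q", name)
	}
	return kx, body[:j], body[j+1:], nil
}

// Evaluate returns the reasons the profile would block the session; an empty result
// means the session is allowed.
func Evaluate(p Profile, s Session, now time.Time) []string {
	var reasons []string
	block := func(cond bool, why string) {
		if cond {
			reasons = append(reasons, why)
		}
	}
	block(s.Version < p.MinVersion || s.Version > p.MaxVersion,
		fmt.Sprintf("protocol version 0x%04x outside the allowed range", s.Version))
	if kx, enc, auth, err := splitSuite(s.CipherSuite); err != nil {
		block(true, err.Error())
	} else {
		block(!p.KeyExchange[kx], "key exchange "+kx+" not allowed")
		block(!p.Encryption[enc], "encryption algorithm "+enc+" not allowed")
		block(!p.Authentication[auth], "authentication algorithm "+auth+" not allowed")
	}
	block(p.BlockExpiredCert && now.After(s.CertNotAfter), "server certificate expired")
	block(p.BlockUntrustedIssuer && !s.IssuerTrusted, "server certificate issued by untrusted CA")
	block(p.BlockUnknownStatus && !s.StatusKnown, "certificate status could not be retrieved")
	block(p.BlockClientAuth && s.ClientAuth, "session requires client authentication")
	return reasons
}

// sampleProfile is a constructed profile (not the firewall's default): TLS 1.1 to 1.2,
// no RC4 or MD5, block expired and untrusted certificates and client-auth sessions.
func sampleProfile() Profile {
	return Profile{
		MinVersion:           tls.VersionTLS11,
		MaxVersion:           tls.VersionTLS12,
		KeyExchange:          map[string]bool{"RSA": true, "DHE": true, "ECDHE": true},
		Encryption:           map[string]bool{"3DES_EDE_CBC": true, "AES_128_CBC": true, "AES_256_CBC": true, "AES_128_GCM": true, "AES_256_GCM": true},
		Authentication:       map[string]bool{"SHA": true, "SHA256": true, "SHA384": true},
		BlockExpiredCert:     true,
		BlockUntrustedIssuer: true,
		BlockClientAuth:      true,
	}
}

func main() {
	now := time.Now() // constructed sessions: one current and compliant, one weak and expired
	for _, s := range []Session{
		{tls.VersionTLS12, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", now.Add(24 * time.Hour), true, true, false},
		{tls.VersionTLS10, "TLS_RSA_WITH_RC4_128_SHA", now.Add(-time.Hour), false, true, false},
	} {
		fmt.Printf("%-40s block reasons: %v\n", s.CipherSuite, Evaluate(sampleProfile(), s, now))
	}
}
```

For the compliant session the reason list is empty (allowed); the TLS 1.0 RC4 session with an expired certificate from an untrusted CA collects four separate reasons, which is the kind of detail a practitioner wants when a decryption profile starts blocking a site unexpectedly.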


Create a Decryption Policy Rule

Create a decryption policy rule to define traffic for the firewall to decrypt and the type of decryption you want the firewall to perform: SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy decryption. You can also use a decryption policy rule to define Decryption Exceptions.

Configure a Decryption Policy Rule

Step 1  Select Policies > Decryption and Add a new decryption policy rule.

Step 2  Give the policy rule a descriptive Name.

Step 3  Configure the decryption rule to match to traffic based on network and policy objects:
        • Firewall security zones - Select Source and/or Destination and match to traffic based on the Source Zone and/or the Destination Zone.
        • IP addresses, address objects, and/or address groups - Select Source and/or Destination to match to traffic based on Source Address and/or the Destination Address. Alternatively, select Negate to exclude the source address list from decryption.
        • Users - Select Source and set the Source User for whom to decrypt traffic. You can decrypt specific user or group traffic, or decrypt traffic for certain types of users, such as unknown users or pre-logon users (users that are connected to GlobalProtect but are not yet logged in).
        • Ports and protocols - Select Service/URL Category to set the rule to match to traffic based on service. By default, the policy rule is set to decrypt Any traffic on TCP and UDP ports. You can Add a service or a service group, and optionally set the rule to application-default to match to applications only on the application default ports.
          The application-default setting is useful to Configure Decryption Exceptions. You can exclude applications running on their default ports from decryption, while continuing to decrypt the same applications when they are detected on non-standard ports.
        • URLs and URL categories - Select Service/URL Category and decrypt traffic based on:
          - An externally hosted list of URLs that the firewall retrieves for policy enforcement (see Objects > External Dynamic Lists).
          - Custom URL categories (see Objects > Custom Objects > URL Category).
          - Palo Alto Networks URL categories. This option is useful to Configure Decryption Exceptions. For example, you could create a custom URL category to group sites that you do not want to decrypt, or you could exclude financial or health care related sites from decryption based on the Palo Alto Networks URL categories.

Step 4  Set the action the policy rule enforces on matching traffic: the rule can either decrypt matching traffic or exclude matching traffic from decryption.
        Select Options and set the policy rule Action:
        Decrypt matching traffic:
        1. Select Decrypt.
        2. Set the Type of decryption for the firewall to perform on matching traffic:
           • SSL Forward Proxy
           • SSH Proxy
           • SSL Inbound Inspection. If you want to enable SSL Inbound Inspection, also select the Certificate for the destination internal server for the inbound SSL traffic.
        Exclude matching traffic from decryption:
        Select No Decrypt.

Step 5  (Optional) Select a Decryption Profile to apply the profile settings to decrypted traffic. (To Create a Decryption Profile, select Objects > Decryption Profile.)


Step 6  Click OK to save the policy.

Next Steps...  Fully enable the firewall to decrypt traffic:
        • Configure SSL Forward Proxy
        • Configure SSL Inbound Inspection
        • Configure SSH Proxy
        • Configure Decryption Exceptions


Configure SSL Forward Proxy

To enable the firewall to perform SSL Forward Proxy decryption, you must set up the certificates required to establish the firewall as a trusted third party to the session between the client and the server. The firewall can use self-signed certificates or certificates signed by an enterprise certificate authority (CA) as forward trust certificates to authenticate the SSL session with the client.
• (Recommended) Enterprise CA-signed Certificates
  An enterprise CA can issue a signing certificate which the firewall can use to sign the certificates for sites requiring SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can then send a copy of the destination server certificate to the client signed by the enterprise CA.
• Self-signed Certificates
  When a client connects to a server with a certificate that is signed by a CA that the firewall trusts, the firewall can sign a copy of the server certificate to present to the client and establish the SSL session. You can use self-signed certificates for SSL Forward Proxy decryption if your organization does not have an enterprise CA or if you intend to only perform decryption for a limited number of clients.
Additionally, set up a forward untrust certificate for the firewall to present to clients when the server certificate is signed by a CA that the firewall does not trust. This ensures that clients are prompted with a certificate warning when attempting to access sites with untrusted certificates.
After setting up the forward trust and forward untrust certificates required for SSL Forward Proxy decryption, add a decryption policy rule to define the traffic you want the firewall to decrypt. SSL tunneled traffic matched to the decryption policy rule is decrypted to clear text traffic. The clear text traffic is blocked and restricted based on the decryption profile attached to the policy and the firewall security policy. Traffic is re-encrypted as it exits the firewall.

Configure SSL Forward Proxy

Step 1  Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
        View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column displays if an interface is configured to be a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.

Step 2  Configure the forward trust certificate for the firewall to present to clients when the server certificate is signed by a trusted CA:
        • (Recommended) Use an enterprise CA-signed certificate as the forward trust certificate.
        • Use a self-signed certificate as the forward trust certificate.


        (Recommended) Use an enterprise CA-signed certificate as the forward trust certificate.
        1. Generate a Certificate Signing Request (CSR) for the enterprise CA to sign and validate:
           a. Select Device > Certificate Management > Certificates and click Generate.
           b. Enter a Certificate Name, such as myfwdproxy.
           c. In the Signed By drop-down, select External Authority (CSR).
           d. (Optional) If your enterprise CA requires it, add Certificate Attributes to further identify the firewall details, such as Country or Department.
           e. Click OK to save the CSR. The pending certificate is now displayed on the Device Certificates tab.
        2. Export the CSR:
           a. Select the pending certificate displayed on the Device Certificates tab.
           b. Click Export to download and save the certificate file. Leave Export private key unselected in order to ensure that the private key remains securely on the firewall.
           c. Click OK.
        3. Provide the certificate file to your enterprise CA. When you receive the enterprise CA-signed certificate from your enterprise CA, save the enterprise CA-signed certificate for import onto the firewall.
        4. Import the enterprise CA-signed certificate onto the firewall:
           a. Select Device > Certificate Management > Certificates and click Import.
           b. Enter the pending Certificate Name exactly (in this case, myfwdtrust). The Certificate Name that you enter must exactly match the pending certificate name in order for the pending certificate to be validated.
           c. Select the signed Certificate File that you received from your enterprise CA.
           d. Click OK. The certificate is displayed as valid with the Key and CA check boxes selected.
        5. Select the validated certificate, in this case, myfwdproxy, to enable it as a Forward Trust Certificate to be used for SSL Forward Proxy decryption.
        6. Click OK to save the enterprise CA-signed forward trust certificate.


        Use a self-signed certificate as the forward trust certificate.
        1. Generate a new certificate:
           a. Select Device > Certificate Management > Certificates.
           b. Click Generate at the bottom of the window.
           c. Enter a Certificate Name, such as myfwdtrust.
           d. Enter a Common Name, such as 192.168.2.1. This should be the IP or FQDN that will appear in the certificate. In this case, we are using the IP of the trust interface. Avoid using spaces in this field.
           e. Leave the Signed By field blank.
           f. Click the Certificate Authority check box to enable the firewall to issue the certificate. Selecting this check box creates a certificate authority (CA) on the firewall that is imported to the client browsers, so clients trust the firewall as a CA.
           g. Generate the certificate.
        2. Click the new certificate myfwdtrust to modify it and enable the certificate to be a Forward Trust Certificate.
        3. Click OK to save the self-signed forward trust certificate.

Step 3  Distribute the forward trust certificate to client system certificate stores. If you do not install the forward trust certificate on client systems, users will see certificate warnings for each SSL site they visit. If you are using an enterprise CA-signed certificate as the forward trust certificate for SSL Forward Proxy decryption, and the client systems already have the enterprise CA added to the local trusted root CA list, you can skip this step.
        On a firewall configured as a GlobalProtect portal:
        This option is supported with Windows and Mac client OS versions, and requires GlobalProtect agent 3.0.0 or later to be installed on the client systems.
        1. Select Network > GlobalProtect > Portals and then select an existing portal configuration or Add a new one.
        2. Select Agent and then select an existing agent configuration or Add a new one.
        3. Add the SSL Forward Proxy forward trust certificate to the Trusted Root CA section.
        4. Select Install in Local Root Certificate Store so that the GlobalProtect portal automatically distributes the certificate and installs it in the certificate store on GlobalProtect client systems.
        5. Click OK twice.
        Without GlobalProtect:
        Export the forward trust certificate for import into client systems by highlighting the certificate and clicking Export at the bottom of the window. Choose PEM format, and do not select the Export private key option. Import it into the browser trusted root CA list on the client systems in order for the clients to trust it. When importing to the client browser, ensure the certificate is added to the Trusted Root Certification Authorities certificate store. On Windows systems, the default import location is the Personal certificate store. You can also simplify this process by using a centralized deployment, such as an Active Directory Group Policy Object (GPO).


Step 4  Configure the forward untrust certificate.
        1. Click Generate at the bottom of the certificates page.
        2. Enter a Certificate Name, such as myfwduntrust.
        3. Set the Common Name, for example 192.168.2.1. Leave Signed By blank.
        4. Click the Certificate Authority check box to enable the firewall to issue the certificate.
        5. Click Generate to generate the certificate.
        6. Click OK to save.
        7. Click the new mysslfwuntrust certificate to modify it and enable the Forward Untrust Certificate option.
           Do not export the forward untrust certificate for import into client systems. If the forward untrust certificate is imported on client systems, the users will not see certificate warnings for SSL sites with untrusted certificates.
        8. Click OK to save.
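An added client-side check (not code from this guide or from Palo Alto Networks) for the state Steps 2 to 4 should leave clients in: the forward trust CA present in the client trust store, the forward untrust CA absent, and live HTTPS sessions re-signed by the forward trust CA. The CA common names are assumed values that follow the sample certificate names used above.

```python
"""Client-side checks for SSL Forward Proxy certificate distribution.

Added example; not code from the PAN-OS guide or from Palo Alto Networks.
The CA common names below are assumed values matching the guide's sample
certificate names; substitute your own.
"""
import socket
import ssl

FORWARD_TRUST_CN = "myfwdtrust"      # assumed: CN of the forward trust CA
FORWARD_UNTRUST_CN = "myfwduntrust"  # assumed: CN of the forward untrust CA


def common_name(name):
    """Pull the CN out of a getpeercert()-style name: a tuple of RDNs,
    each RDN a tuple of (attribute, value) pairs."""
    for rdn in name:
        for attribute, value in rdn:
            if attribute == "commonName":
                return value
    return None


def audit_trust_store(ca_certs, trust_cn=FORWARD_TRUST_CN,
                      untrust_cn=FORWARD_UNTRUST_CN):
    """ca_certs: list of certificate dicts as returned by
    SSLContext.get_ca_certs(). Reports which firewall CAs are installed."""
    subjects = {common_name(cert.get("subject", ())) for cert in ca_certs}
    return {
        "forward_trust_installed": trust_cn in subjects,
        # Must stay False: a distributed untrust CA silences the warnings
        # it exists to produce.
        "forward_untrust_installed": untrust_cn in subjects,
    }


def classify_issuer(cert, trust_cn=FORWARD_TRUST_CN,
                    untrust_cn=FORWARD_UNTRUST_CN):
    """Decide what a client is seeing for one session from the leaf
    certificate it was presented (a getpeercert() dict)."""
    issuer = common_name(cert.get("issuer", ()))
    if issuer == trust_cn:
        return "decrypted-trusted"    # firewall re-signed; no warning expected
    if issuer == untrust_cn:
        return "decrypted-untrusted"  # origin CA not trusted by the firewall
    return "not-decrypted"            # origin (or some other) CA issued it


def system_ca_certs():
    """Load the platform trust store the way a client TLS stack does."""
    return ssl.create_default_context().get_ca_certs()


def presented_cert(host, port=443, cafile=None):
    """Complete a verified handshake and return the leaf certificate.
    Pass cafile=<forward trust CA PEM> while the CA is not yet in the
    system store; a certificate from any other CA raises
    ssl.SSLCertVerificationError, which is the signal that the session
    is not being re-signed by the forward trust CA."""
    context = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    print(audit_trust_store(system_ca_certs()))
    if len(sys.argv) > 1:
        host = sys.argv[1]
        try:
            print(host, classify_issuer(presented_cert(host)))
        except ssl.SSLCertVerificationError as err:
            print(host, "handshake failed:", err.verify_message)
```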

Step 5  (Optional) Set the key size of the SSL Forward Proxy certificates that the firewall presents to clients. By default, the firewall determines the key size to use based on the key size of the destination server certificate.
        Configure the Key Size for SSL Forward Proxy Server Certificates.

Step 6  Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
        1. Select Policies > Decryption, Add or modify an existing rule, and define traffic to be decrypted.
        2. Select Options and:
           • Set the rule Action to Decrypt matching traffic.
           • Set the rule Type to SSL Forward Proxy.
           • (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to perform certificate checks and enforce strong cipher suites and protocol versions).
        3. Click OK to save.

Step 7  (Optional) Allow the firewall to forward decrypted traffic for WildFire analysis. This option requires an active WildFire license. Get started with WildFire to decide what WildFire deployment works for you and to enable file forwarding and signature protection.
        On a single firewall:
        1. Select Device > Setup > Content-ID.
        2. Edit the URL Filtering options to Allow Forwarding of Decrypted Content.
        3. Click OK.
        On a firewall with virtual systems configured:
        1. Select Device > Virtual Systems.
        2. Click the virtual system you want to modify, and select Allow Forwarding of Decrypted Content.
        3. Click OK.

Step 8  Commit the configuration.


Next Steps...  • Enable Users to Opt Out of SSL Decryption.
               • Configure Decryption Exceptions to disable decryption for certain types of traffic.


Configure SSL Inbound Inspection

Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic destined for a network server (you can perform SSL Inbound Inspection for any server if you have the server certificate). With an SSL Inbound Inspection decryption policy enabled, all SSL traffic identified by the policy is decrypted to clear text traffic and inspected. The clear text traffic is blocked and restricted based on the decryption profile attached to the policy and any configured Antivirus, Vulnerability, Anti-Spyware, URL Filtering and File Blocking profiles. You can also enable the firewall to forward decrypted, unknown files for WildFire analysis and signature generation. Traffic is re-encrypted as it exits the firewall.
Configuring SSL Inbound Inspection includes installing the targeted server certificate on the firewall and creating an SSL Inbound Inspection decryption policy.

Configure SSL Inbound Inspection

Step 1  Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
        View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column displays if an interface is configured to be a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.

Step 2  Ensure that the targeted server certificate is installed on the firewall.
        On the web interface, select Device > Certificate Management > Certificates > Device Certificates to view certificates installed on the firewall.
        To import the targeted server certificate onto the firewall:
        1. On the Device Certificates tab, select Import.
        2. Enter a descriptive Certificate Name.
        3. Browse for and select the targeted server Certificate File.
        4. Click OK.

Step 3  Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
        1. Select Policies > Decryption, Add or modify an existing rule, and define traffic to be decrypted.
        2. Select Options and:
           • Set the rule Action to Decrypt matching traffic.
           • Set the rule Type to SSL Inbound Inspection.
           • Select the Certificate for the internal server that is the destination of the inbound SSL traffic.
           • (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to terminate sessions if system resources are not available to process decryption).
        3. Click OK to save.


Step 4  (Optional) Allow the firewall to forward decrypted traffic for WildFire analysis. This option requires an active WildFire license. Get started with WildFire to decide what WildFire deployment works for you and to enable file forwarding and signature protection.
        On a single firewall:
        1. Select Device > Setup > Content-ID.
        2. Edit the URL Filtering options to Allow Forwarding of Decrypted Content.
        3. Click OK.
        On a firewall with virtual systems configured:
        1. Select Device > Virtual Systems.
        2. Click the virtual system you want to modify, and select Allow Forwarding of Decrypted Content.
        3. Click OK.

Step 5  Commit the configuration.

Next Steps...  • Enable Users to Opt Out of SSL Decryption.
               • Configure Decryption Exceptions to disable decryption for certain types of traffic.


Configure SSH Proxy

Configuring SSH Proxy does not require certificates, and the key used to decrypt SSH sessions is generated automatically on the firewall during boot-up.
With SSH decryption enabled, all SSH traffic identified by the policy is decrypted and identified as either regular SSH traffic or as SSH-tunneled traffic. SSH-tunneled traffic is blocked and restricted according to the profiles configured on the firewall. Traffic is re-encrypted as it exits the firewall.

Configure SSH Proxy Decryption

Step 1  Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces. Decryption can only be performed on virtual wire, Layer 2, or Layer 3 interfaces.
        View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column displays if an interface is configured to be a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.

Step 2  Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
        1. Select Policies > Decryption, Add or modify an existing rule, and define traffic to be decrypted.
        2. Select Options and:
           • Set the rule Action to Decrypt matching traffic.
           • Set the rule Type to SSH Proxy.
           • (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to terminate sessions if system resources are not available to process decryption).
        3. Click OK to save.

Step 3  (Optional) Allow the firewall to forward decrypted traffic for WildFire analysis. This option requires an active WildFire license. Get started with WildFire to decide what WildFire deployment works for you and to enable file forwarding and signature protection.
        On a single firewall:
        1. Select Device > Setup > Content-ID.
        2. Edit the URL Filtering options to Allow Forwarding of Decrypted Content.
        3. Click OK.
        On a firewall with virtual systems configured:
        1. Select Device > Virtual Systems.
        2. Click the virtual system you want to modify, and select Allow Forwarding of Decrypted Content.
        3. Click OK.

Step 4  Commit the configuration.

Next Step...  Configure Decryption Exceptions to disable decryption for certain types of traffic.


Configure Decryption Exceptions

You can purposefully exclude traffic from decryption based on source, destination, URL category, and service (ports and protocols). You can also exclude a specific server from decryption. See the following topics to configure Decryption Exceptions:
• Exclude Traffic from Decryption
• Exclude a Server from Decryption

Exclude Traffic from Decryption

To exclude traffic from decryption, create a decryption policy rule and set the policy action to No Decrypt. Exclude traffic from decryption based on application, source, destination, URL category, and service (ports and protocols). Because policy rules are compared against incoming traffic in sequence, make sure that a decryption exclusion rule is listed first in your decryption policy.

Exclude Traffic from a Decryption Policy

Step 1  Exclude traffic from decryption based on match criteria. This example shows how to exclude traffic categorized as financial- or health-related from SSL Forward Proxy decryption.
        1. Select Policies > Decryption and modify or Create a Decryption Policy rule.
        2. Define the traffic that you want to exclude from decryption. In this example:
           a. Give the rule a descriptive Name, such as NoDecryptFinanceHealth.
           b. Set the Source and Destination to Any to apply the NoDecryptFinanceHealth rule to all SSL traffic destined for an external server.
           c. Select URL Category and Add the URL categories financial-services and health-and-medicine.
        3. Select Options and set the rule to No Decrypt.
        4. (Optional) You can still use a decryption profile to validate certificates for sessions the firewall does not decrypt. Attach a decryption profile to the rule that is set to Block sessions with expired certificates and/or Block sessions with untrusted issuers.
        5. Click OK to save the NoDecryptFinanceHealth decryption rule.

Step 2  Place the decryption exclusion rule at the top of your decryption policy. Decryption rules are enforced against incoming traffic in sequence, and the first rule to match the traffic is enforced; moving the No Decrypt rule to the top of the rule list ensures that the traffic matched to the rule remains encrypted, even if the traffic is later matched to other decryption rules.
        On the Decryption > Policies page, select the policy NoDecryptFinanceHealth, and click Move Up until it appears at the top of the list (or you can drag and drop the rule).


Step 3  Commit the configuration.

Exclude a Server from Decryption

You can exclude server traffic from SSL decryption based on the common name (CN) in the server certificate. For example, if you have SSL decryption enabled, you could configure a decryption exception for the server on your corporate network that hosts the web services for your HR systems.

Exclude a Server from Decryption

Step 1  Import the targeted server certificate onto the firewall:
        1. On the Device > Certificate Management > Certificates > Device Certificates tab, select Import.
        2. Enter a descriptive Certificate Name.
        3. Browse for and select the targeted server Certificate File.
        4. Click OK.

Step 2  Select the targeted server certificate on the Device Certificates tab and enable it to be an SSL Exclude Certificate.
        When the targeted server certificate is designated as an SSL Exclude Certificate, the firewall does not decrypt the server traffic even if the traffic matches a decryption policy rule.
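An added model (not code from this guide or from Palo Alto Networks) of the two behaviours the exclusion procedures above rely on: decryption rules are compared in sequence and the first match wins, so a No Decrypt rule only protects traffic when it sits above the Decrypt rules; and a server whose certificate is marked as an SSL Exclude Certificate is never decrypted whatever the rulebase says. Zone names, categories, rule names and server CNs are constructed sample values.

```python
"""Ordered decryption policy evaluation with SSL Exclude Certificates.

Added example; not code from the PAN-OS guide or from Palo Alto Networks.
Rules, zones, categories and certificate CNs are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    url_category: str
    server_cn: str  # common name from the server's certificate


@dataclass
class DecryptionRule:
    name: str
    action: str  # "decrypt" or "no-decrypt"
    source: frozenset = frozenset({"any"})
    destination: frozenset = frozenset({"any"})
    url_categories: frozenset = frozenset({"any"})

    @staticmethod
    def _hit(criterion, value):
        return "any" in criterion or value in criterion

    def matches(self, s):
        return (self._hit(self.source, s.src_zone)
                and self._hit(self.destination, s.dst_zone)
                and self._hit(self.url_categories, s.url_category))


def evaluate(rules, session, ssl_exclude_cns=frozenset()):
    """Return (decided_by, action).

    The SSL Exclude Certificate check is applied before the rulebase, so
    an excluded server wins over any Decrypt rule. Rules are then tried
    in order and the first match decides; traffic that matches no rule
    is left encrypted."""
    if session.server_cn in ssl_exclude_cns:
        return ("ssl-exclude-certificate", "no-decrypt")
    for rule in rules:
        if rule.matches(session):
            return (rule.name, rule.action)
    return (None, "no-decrypt")


# Constructed rulebase mirroring the guide's example: the exclusion rule
# first, then a broad outbound SSL Forward Proxy rule.
NO_DECRYPT_FINANCE_HEALTH = DecryptionRule(
    name="NoDecryptFinanceHealth", action="no-decrypt",
    url_categories=frozenset({"financial-services", "health-and-medicine"}))
DECRYPT_OUTBOUND = DecryptionRule(
    name="DecryptOutbound", action="decrypt",
    source=frozenset({"trust"}), destination=frozenset({"untrust"}))
RULEBASE = [NO_DECRYPT_FINANCE_HEALTH, DECRYPT_OUTBOUND]

# Constructed: the HR web server's certificate marked as SSL Exclude.
SSL_EXCLUDE_CNS = frozenset({"hr.corp.example"})

BANK = Session("trust", "untrust", "financial-services", "bank.example")
SOCIAL = Session("trust", "untrust", "social-networking", "social.example")
HR = Session("trust", "untrust", "business-and-economy", "hr.corp.example")

if __name__ == "__main__":
    for s in (BANK, SOCIAL, HR):
        print(s.server_cn, evaluate(RULEBASE, s, SSL_EXCLUDE_CNS))
    # The same bank session with the exclusion rule placed below the
    # Decrypt rule: the ordering mistake Step 2 above guards against.
    print("misordered:", evaluate(RULEBASE[::-1], BANK, SSL_EXCLUDE_CNS))
```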


Enable Users to Opt Out of SSL Decryption

In some cases, you might need to alert your users to the fact that the firewall is decrypting certain web traffic and allow them to terminate sessions that they do not want inspected. With SSL Opt Out enabled, the first time a user attempts to browse to an HTTPS site or application that matches your decryption policy, the firewall displays a response page notifying the user that it will decrypt the session. Users can either click Yes to allow decryption and continue to the site or click No to opt out of decryption and terminate the session. The choice to allow decryption applies to all HTTPS sites that users try to access for the next 24 hours, after which the firewall redisplays the response page. Users who opt out of SSL decryption cannot access the requested web page, or any other HTTPS site, for the next minute. After the minute elapses, the firewall redisplays the response page the next time the users attempt to access an HTTPS site.
The firewall includes a predefined SSL Decryption Opt-out Page that you can enable. You can optionally customize the page with your own text and/or images.

Enable Users to Opt Out of SSL Decryption

Step 1  (Optional) Customize the SSL Decryption Opt-out Page.
        1. Select Device > Response Pages.
        2. Select the SSL Decryption Opt-out Page link.
        3. Select the Predefined page and click Export.
        4. Using the HTML text editor of your choice, edit the page.
        5. If you want to add an image, host the image on a web server that is accessible from your end user systems.
        6. Add a line to the HTML to point to the image. For example:
           <img src="http://cdn.slidesharecdn.com/Acme-logo-96x96.jpg?1382722588"/>
        7. Save the edited page with a new filename. Make sure that the page retains its UTF-8 encoding.
        8. Back on the firewall, select Device > Response Pages.
        9. Select the SSL Decryption Opt-out Page link.
        10. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
        11. (Optional) Select the virtual system on which this login page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
        12. Click OK to import the file.
        13. Select the response page you just imported and click Close.

Step 2  Enable SSL Decryption Opt Out.
        1. On the Device > Response Pages page, click the Disabled link.
        2. Select the Enable SSL Opt-out Page and click OK.
        3. Commit the changes.


Step 3  Verify that the Opt Out page displays when you attempt to browse to a site.
        From a browser, go to an encrypted site that matches your decryption policy.
        Verify that the SSL Decryption Opt-out response page displays.


Configure Decryption Port Mirroring

Before you can enable Decryption Mirroring, you must obtain and install a Decryption Port Mirror license. The license is free of charge and can be activated through the support portal as described in the following procedure. After you install the Decryption Port Mirror license and reboot the firewall, you can enable decryption port mirroring.

Configure Decryption Port Mirroring

Step 1  Request a license for each firewall on which you want to enable decryption port mirroring.
        1. Log in to the Palo Alto Networks Customer Support website and navigate to the Assets tab.
        2. Select the entry for the firewall you want to license and select Actions.
        3. Select Decryption Port Mirror. A legal notice displays.
        4. If you are clear about the potential legal implications and requirements, click I understand and wish to proceed.
        5. Click Activate.

Step 2  Install the Decryption Port Mirror license on the firewall.
        1. From the firewall web interface, select Device > Licenses.
        2. Click Retrieve license keys from license server.
        3. Verify that the license has been activated on the firewall.
        4. Reboot the firewall (Device > Setup > Operations). This feature is not available for configuration until PAN-OS reloads.


Step 3  Enable the firewall to forward decrypted traffic. Superuser permission is required to perform this step.
        On a firewall with a single virtual system:
        1. Select Device > Setup > Content-ID.
        2. Select the Allow forwarding of decrypted content check box.
        3. Click OK to save.
        On a firewall with multiple virtual systems:
        1. Select Device > Virtual System.
        2. Select a Virtual System to edit or create a new Virtual System by selecting Add.
        3. Select the Allow forwarding of decrypted content check box.
        4. Click OK to save.

Step 4  Enable an Ethernet interface to be used for decryption mirroring.
        1. Select Network > Interfaces > Ethernet.
        2. Select the Ethernet interface that you want to configure for decryption port mirroring.
        3. Select Decrypt Mirror as the Interface Type.
           This interface type will appear only if the Decryption Port Mirror license is installed.
        4. Click OK to save.

Step 5  Enable mirroring of decrypted traffic.
        1. Select Objects > Decryption Profile.
        2. Select an Interface to be used for Decryption Mirroring.
           The Interface drop-down contains all Ethernet interfaces that have been defined as the type: Decrypt Mirror.
        3. Specify whether to mirror decrypted traffic before or after policy enforcement.
           By default, the firewall will mirror all decrypted traffic to the interface before security policies lookup, which allows you to replay events and analyze traffic that generates a threat or triggers a drop action. If you want to only mirror decrypted traffic after security policy enforcement, select the Forwarded Only check box. With this option, only traffic that is forwarded through the firewall is mirrored. This option is useful if you are forwarding the decrypted traffic to other threat detection devices, such as a DLP device or another intrusion prevention system (IPS).
        4. Click OK to save the decryption profile.

Step 6  Attach the decryption profile rule (with decryption port mirroring enabled) to a decryption policy rule. All traffic decrypted based on the policy rule is mirrored.
        1. Select Policies > Decryption.
        2. Click Add to configure a decryption policy or select an existing decryption policy to edit.
        3. In the Options tab, select Decrypt and the Decryption Profile created in Step 4.
        4. Click OK to save the policy.

Step 7  Save the configuration.
        Click Commit.


Temporarily Disable SSL Decryption

In some cases you may want to temporarily disable SSL decryption. For example, if your users are having problems accessing an encrypted site or application, you may want to disable SSL decryption in order to troubleshoot the issue. Although you could disable the associated decryption policies, modifying the policies is a configuration change that requires a Commit. Instead, use the following command to temporarily disable SSL decryption and then re-enable it after you finish troubleshooting. This command does not require a commit and it does not persist in your configuration after a reboot.

Temporarily Disable SSL Decryption

Disable SSL Decryption:      set system setting ssl-decrypt skip-ssl-decrypt yes

Re-enable SSL Decryption:    set system setting ssl-decrypt skip-ssl-decrypt no



URL Filtering

The Palo Alto Networks URL filtering solution allows you to monitor and control how users access the web over HTTP and HTTPS.
• URL Filtering Overview
• URL Filtering Concepts
• PAN-DB Categorization
• Enable a URL Filtering Vendor
• Determine URL Filtering Policy Requirements
• Use an External Dynamic List in a URL Filtering Profile
• Monitor Web Activity
• Configure URL Filtering
• Customize the URL Filtering Response Pages
• Configure URL Admin Override
• Enable Safe Search Enforcement
• Set Up the PAN-DB Private Cloud
• URL Filtering Use Case Examples
• Troubleshoot URL Filtering


URL Filtering Overview

The Palo Alto Networks URL filtering solution complements App-ID by enabling you to configure the firewall to identify and control access to web (HTTP and HTTPS) traffic and to protect your network from attack. With URL Filtering enabled, all web traffic is compared against the URL filtering database, which contains a listing of millions of websites that have been categorized into approximately 60-80 categories. You can use these URL categories as a match criteria in policies (Captive Portal, Decryption, Security, and QoS) or attach them as URL filtering profiles in security policy, to safely enable web access and control the traffic that traverses your network.
Although the Palo Alto Networks URL filtering solution supports both BrightCloud and PAN-DB, only the PAN-DB URL filtering solution allows you to choose between the PAN-DB Public Cloud and the PAN-DB Private Cloud. Use the public cloud solution if the Palo Alto Networks next-generation firewalls on your network can directly access the Internet. If the network security requirements in your enterprise prohibit the firewalls from directly accessing the Internet, you can deploy a PAN-DB private cloud on one or more M-500 appliances that function as PAN-DB servers within your network.
• URL Filtering Vendors
• Interaction Between App-ID and URL Categories
• PAN-DB Private Cloud

URL Filtering Vendors

Palo Alto Networks firewalls support two URL filtering vendors:
• PAN-DB: A Palo Alto Networks-developed URL filtering database that is tightly integrated into PAN-OS and the Palo Alto Networks threat intelligence cloud. PAN-DB provides high-performance local caching for maximum inline performance on URL lookups, and offers coverage against malicious URLs and IP addresses. As WildFire, which is a part of the Palo Alto Networks threat intelligence cloud, identifies unknown malware, zero-day exploits, and advanced persistent threats (APTs), the PAN-DB database is updated with information on malicious URLs so that you can block malware downloads, and disable Command and Control (C&C) communications to protect your network from cyber threats.
  To view a list of PAN-DB URL filtering categories, refer to https://urlfiltering.paloaltonetworks.com/CategoryList.aspx.
• BrightCloud: A third-party URL database that is owned by Webroot, Inc. and is integrated into PAN-OS firewalls. For information on the BrightCloud URL database, visit http://brightcloud.com.
For instructions on configuring the firewall to use one of the supported URL Filtering vendors, see Enable a URL Filtering Vendor.


Interaction Between App-ID and URL Categories

The Palo Alto Networks URL filtering solution in combination with App-ID provides unprecedented protection against a full spectrum of cyber attacks, legal, regulatory, productivity, and resource utilization risks. While App-ID gives you control over what applications users can access, URL filtering provides control over related web activity. When combined with User-ID, you can enforce controls based on users and groups.
With today's application landscape and the way many applications use HTTP and HTTPS, you will need to use App-ID, URL filtering, or both in order to define comprehensive web access policies. App-ID signatures are granular and they allow you to identify shifts from one web-based application to another; URL filtering allows you to enforce actions based on a specific website or URL category. For example, while you can use URL filtering to control access to Facebook and/or LinkedIn, URL filtering cannot block the use of related applications such as email, chat, or any other new applications that are introduced after you implement policy. When combined with App-ID, you can control the use of related applications because of the granular application signatures that can identify each application and regulate access to Facebook while blocking access to Facebook chat, when defined in policy.
You can also use URL categories as a match criteria in policies. Instead of creating policies limited to either allow-all or block-all behavior, URL as a match criteria permits exception-based behavior and gives you more granular policy enforcement capabilities. For example, deny access to malware and hacking sites for all users, but allow access to users that belong to the IT security group.
For some examples, see URL Filtering Use Case Examples.

PAN-DB Private Cloud

The PAN-DB private cloud is an on-premise solution that is suitable for organizations that prohibit or restrict the use of the PAN-DB public cloud service. With this on-premise solution, you can deploy one or more M-500 appliances as PAN-DB servers within your network or data center. The firewalls query the PAN-DB private cloud to perform URL lookups, instead of accessing the PAN-DB public cloud.
The process for performing URL lookups, in both the private and the public cloud, is the same for the firewalls on the network. By default, the firewall is configured to access the public PAN-DB cloud. If you deploy a PAN-DB private cloud, you must configure the firewalls with a list of IP addresses or FQDNs to access the server(s) in the private cloud.

Firewalls running PAN-OS 5.0 or later versions can communicate with the PAN-DB private cloud.

When you Set Up the PAN-DB Private Cloud, you can either configure the M-500 appliance(s) to have direct Internet access or keep it completely offline. Because the M-500 appliance requires database and content updates to perform URL lookups, if the appliance does not have an active Internet connection, you must manually download the updates to a server on your network and then import the updates using SCP into each M-500 appliance in the PAN-DB private cloud. In addition, the appliances must be able to obtain the seed database and any other regular or critical content updates for the firewalls that it services.
To authenticate the firewalls that connect to the PAN-DB private cloud, a set of default server certificates are packaged with the appliance; you cannot import or use another server certificate for authenticating the firewalls. If you change the hostname on the M-500 appliance, the appliance automatically generates a new set of certificates to authenticate the firewalls.


• M-500 Appliance for PAN-DB Private Cloud
• Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud

M-500 Appliance for PAN-DB Private Cloud

To deploy a PAN-DB private cloud, you need one or more M-500 appliances. The M-500 appliance ships in Panorama mode, and to be deployed as a PAN-DB private cloud you must set it up to operate in PAN-URL-DB mode. In the PAN-URL-DB mode, the appliance provides URL categorization services for enterprises that do not want to use the PAN-DB public cloud.
The M-500 appliance when deployed as a PAN-DB private cloud uses two ports: MGT (Eth0) and Eth1; Eth2 is not available for use. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud or from a server on your network. For communication between the PAN-DB private cloud and the firewalls on the network, you can use the MGT port or Eth1.

The M-100 appliance cannot be deployed as a PAN-DB private cloud.

The M-500 appliance in PAN-URL-DB mode:
• Does not have a web interface; it only supports a command line interface (CLI).
• Cannot be managed by Panorama.
• Cannot be deployed in a high availability pair.
• Does not require a URL Filtering license. The firewalls must have a valid PAN-DB URL Filtering license to connect with and query the PAN-DB private cloud.
• Ships with a set of default server certificates that are used to authenticate the firewalls that connect to the PAN-DB private cloud. You cannot import or use another server certificate for authenticating the firewalls. If you change the hostname on the M-500 appliance, the appliance automatically generates a new set of certificates to authenticate the firewalls that it services.
• Can be reset to Panorama mode only. If you want to deploy the appliance as a dedicated Log Collector, switch to Panorama mode and then set it in log collector mode.

DifferencesBetweenthePANDBPublicCloudandPANDBPrivateCloud

Differences PANDBPublicCloud PANDBPrivateCloud

Content and Content(regularandcritical)updatesandfull ContentupdatesandfullURLdatabaseupdates


Database databaseupdatesarepublishedmultipletimes areavailableonceadayduringtheworkweek.
Updates duringtheday.Thefirewallchecksforcritical
updateswheneveritqueriesthecloudservers
forURLlookups.


URL Categorization Requests
    PAN-DB Public Cloud: Submit URL categorization change requests using the following options:
    - Palo Alto Networks Test A Site website.
    - URL filtering profile setup page on the firewall.
    - URL filtering log on the firewall.
    PAN-DB Private Cloud: Submit URL categorization change requests only using the Palo Alto Networks Test A Site website.

Unresolved URL Queries
    PAN-DB Public Cloud: If the firewall cannot resolve a URL query, the request is sent to the servers in the public cloud.
    PAN-DB Private Cloud: If the firewall cannot resolve a query, the request is sent to the M-500 appliance(s) in the PAN-DB private cloud. If there is no match for the URL, the PAN-DB private cloud sends a category unknown response to the firewall; the request is not sent to the public cloud unless you have configured the M-500 appliance to access the PAN-DB public cloud.
    If the M-500 appliance(s) that constitute your PAN-DB private cloud are configured to be completely offline, they do not send any data or analytics to the public cloud.


URL Filtering Concepts

URL Categories
URL Filtering Profile
URL Filtering Profile Actions
Block and Allow Lists
External Dynamic List for URLs
Safe Search Enforcement
Container Pages
HTTP Header Logging
URL Filtering Response Pages
URL Category as Policy Match Criteria

URL Categories

Each website defined in the URL filtering database is assigned one of approximately 60 different URL categories. There are two ways to make use of URL categorization on the firewall:
- Block or allow traffic based on URL category: You can create a URL Filtering profile that specifies an action for each URL category and attach the profile to a policy. Traffic that matches the policy would then be subject to the URL filtering settings in the profile. For example, to block all gaming websites you would set the block action for the URL category games in the URL profile and attach it to the security policy rule(s) that allow web access. See Configure URL Filtering for more information.
- Match traffic based on URL category for policy enforcement: If you want a specific policy rule to apply only to web traffic to sites in a specific category, you would add the category as match criteria when you create the policy rule. For example, you could use the URL category streaming-media in a QoS policy to apply bandwidth controls to all websites that are categorized as streaming media. See URL Category as Policy Match Criteria for more information.
Grouping websites into categories makes it easy to define actions based on certain types of websites.
In addition to the standard URL categories, there are three additional categories:


Category    Description

not-resolved
    Indicates that the website was not found in the local URL filtering database and the firewall was unable to connect to the cloud database to check the category. When a URL category lookup is performed, the firewall first checks the dataplane cache for the URL; if no match is found, it checks the management plane cache, and if no match is found there, it queries the URL database in the cloud. In the case of the PAN-DB private cloud, the URL database in the cloud is not used for queries.
    Setting the action to block for traffic that is categorized as not-resolved may be very disruptive to users. You could set the action to continue, so that you can notify users that they are accessing a site that is blocked by company policy and provide the option to read the disclaimer and continue to the website.
    For more information on troubleshooting lookup issues, see Troubleshoot URL Filtering.

private-ip-addresses
    Indicates that the website is a single domain (no subdomains), the IP address is in the private IP range, or the URL root domain is unknown to the cloud.

unknown
    The website has not yet been categorized, so it does not exist in the URL filtering database on the firewall or in the URL cloud database.
    When deciding on what action to take for traffic categorized as unknown, be aware that setting the action to block may be very disruptive to users because there could be a lot of valid sites that are not in the URL database yet. If you do want a very strict policy, you could block this category, so websites that do not exist in the URL database cannot be accessed.
    Palo Alto Networks collects the list of URLs from the unknown category and processes them to determine the URL category. These URLs are processed automatically, every day, provided the websites have machine-readable content that is in a supported format and language. Upon categorization, the updated category information is made available to all PAN-DB customers.
    See Configure URL Filtering.

Change Request Process

Palo Alto Networks customers can submit URL categorization change requests using the Palo Alto Networks dedicated web portal (Test A Site), the URL filtering profile setup page on the firewall, or the URL filtering log on the firewall. Each change request is automatically processed every day, provided the website provides machine-readable content that is in a supported format and language. Sometimes, the categorization change requires a member of the Palo Alto Networks engineering staff to perform a manual review. In such cases, the process may take a little longer.


URL Filtering Profile

A URL filtering profile is a collection of URL filtering controls that are applied to individual security policy rules to enforce your web access policy. The firewall comes with a default profile that is configured to block threat-prone categories, such as malware, phishing, and adult. You can use the default profile in a security policy, clone it to be used as a starting point for new URL filtering profiles, or add a new URL filtering profile that will have all categories set to allow for visibility into the traffic on your network. You can then customize the newly added URL profiles and add lists of specific websites that should always be blocked or allowed for more granular control over URL categories. For example, you may want to block social networking sites, but allow some websites that are part of the social networking category.
URL Filtering Profile Actions
Block and Allow Lists
External Dynamic List for URLs
Safe Search Enforcement
Container Pages
HTTP Header Logging

URL Filtering Profile Actions

The URL Filtering profile specifies an action for each URL category. By default, all URL categories are set to allow when you create a new URL Filtering profile. This means that users will be able to browse to all sites freely and the traffic will not be logged. The firewall also comes with a predefined default URL filtering profile that allows access to all categories except the following threat-prone categories, which it blocks: abused-drugs, adult, gambling, hacking, malware, phishing, questionable, and weapons.

As a best practice, if you want to create a custom URL Filtering category, clone the default URL filtering profile and change the action in all allow categories to either alert or continue so that you have visibility into the traffic. It is also a best practice to set the proxy-avoidance-and-anonymizers category to block.

Action    Description

alert
    The website is allowed and a log entry is generated in the URL filtering log.

allow
    The website is allowed and no log entry is generated.

block
    The website is blocked and the user will see a response page and will not be able to continue to the website. A log entry is generated in the URL filtering log.

continue
    The user will be prompted with a response page indicating that the site has been blocked due to company policy, but the user is prompted with the option to continue to the website. The continue action is typically used for categories that are considered benign and is used to improve the user experience by giving them the option to continue if they feel the site is incorrectly categorized. The response page message can be customized to contain details specific to your company. A log entry is generated in the URL filtering log.
    The Continue page will not be displayed properly on client machines that are configured to use a proxy server.


override
    The user will see a response page indicating that a password is required to allow access to websites in the given category. With this option, the security admin or help desk person would provide a password granting temporary access to all websites in the given category. A log entry is generated in the URL filtering log. See Configure URL Admin Override.
    The Override page does not display properly on client machines that are configured to use a proxy server.

none
    The none action only applies to custom URL categories. Select none to ensure that if multiple URL profiles exist, the custom category will not have any impact on other profiles. For example, if you have two URL profiles and the custom URL category is set to block in one profile, if you do not want the block action to apply to the other profile, you must set the action to none.
    Also, in order to delete a custom URL category, it must be set to none in any profile where it is used.

Block and Allow Lists

In some cases you might want to block a category, but allow a few specific sites in that category. Alternatively, you might want to allow some categories, but block individual sites in the category. You do this by adding the IP addresses or URLs of these sites in the Block list and Allow list sections of the URL Filtering profile to define websites that should always be blocked or allowed.
When entering URLs in the Block List or Allow List or External Dynamic List for URLs, enter each URL or IP address in a new row separated by a new line. When using wildcards in the URLs, follow these rules:
- Do not include HTTP and HTTPS when defining URLs. For example, enter www.paloaltonetworks.com or paloaltonetworks.com instead of https://www.paloaltonetworks.com.
- Entries in the block list must be an exact match and are case insensitive.
  For example: If you want to prevent a user from accessing any website within the domain paloaltonetworks.com, you would also add *.paloaltonetworks.com, so whatever domain prefix (http://, www, or a subdomain prefix such as mail.paloaltonetworks.com) is added to the address, the specified action will be taken. The same applies to the subdomain suffix; if you want to block paloaltonetworks.com/en/US, you would need to add paloaltonetworks.com/* as well.
  Further, if you want to limit access to a domain suffix such as paloaltonetworks.com.au, you must add a /, so that the match restricts a dot that follows .com. In this case, you need to add the entry as *.paloaltonetworks.com/
- The lists support wildcard patterns. The following characters are considered separators:
  .  /  ?  &  =  ;  +


  Every substring that is separated by the characters listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or *. For example, the following patterns are valid:
  *.yahoo.com (tokens are: "*", "yahoo" and "com")
  www.*.com (tokens are: "www", "*" and "com")
  www.yahoo.com/search=* (tokens are: "www", "yahoo", "com", "search", "*")
  The following patterns are invalid because the character * is not the only character in the token:
  ww*.yahoo.com
  www.y*.com
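To make the tokenization rules concrete, here is an added example (not code from this guide or from Palo Alto Networks) that tokenizes list entries with the separator set above, rejects entries where * is not a whole token or that carry a scheme, and lists the companion entries the guide recommends beside a bare domain. Its match_entry() is a simplified model built from the guide's own examples (exact token match, * standing for one or more tokens); it is not the firewall's matching engine and does not model the trailing / rule.

```python
"""Lint PAN-OS URL Filtering block/allow list entries.

Added example, not code from the PAN-OS guide. The separator set and the
"'*' must be the only character in its token" rule are the ones the guide
states; match_entry() is a simplified model constructed from the guide's
examples and is not the firewall's implementation.
"""
import re

SEPARATORS = ".", "/", "?", "&", "=", ";", "+"
# The capturing group keeps the separators, so split() yields [token, sep, token, ...]
_SPLIT_RE = re.compile("([" + re.escape("".join(SEPARATORS)) + "])")


def parts(entry):
    """Alternating [token, separator, token, ...] sequence; entries are case-insensitive."""
    return _SPLIT_RE.split(entry.lower())


def tokens(entry):
    """Only the tokens, the way the guide lists them ('*' is itself a token)."""
    return [t for t in parts(entry)[::2] if t]


def validate_entry(entry):
    """Return the problems found in one entry; an empty list means it is acceptable."""
    if not entry.strip():
        return ["empty entry"]
    problems = []
    if re.match(r"https?://", entry, re.IGNORECASE):
        problems.append("do not include http:// or https:// in an entry")
    for token in parts(entry)[::2]:
        if "*" in token and token != "*":
            problems.append("'*' must be the only character in its token: %r" % token)
        if not token.isascii():
            problems.append("token is not ASCII: %r" % token)
    return problems


def match_entry(entry, url):
    """Simplified model: tokens and separators must match exactly, in order,
    except that a '*' token stands for one or more consecutive URL tokens."""
    pat, tgt = parts(entry), parts(url)

    def walk(i, j):
        if i == len(pat):
            return j == len(tgt)
        if j >= len(tgt):
            return False
        if i % 2 == 0 and pat[i] == "*":
            # Consume token j alone, or token j plus any number of (sep, token) pairs.
            return any(walk(i + 1, k) for k in range(j + 1, len(tgt) + 1, 2))
        return pat[i] == tgt[j] and walk(i + 1, j + 1)

    return walk(0, 0)


def companion_entries(entry):
    """For a bare domain, the two extra entries the guide says to add so that
    subdomains (*.domain) and paths (domain/*) are covered as well."""
    if validate_entry(entry) or "*" in entry or "/" in entry:
        return []
    return ["*." + entry, entry + "/*"]


def lint(entries):
    """Map each entry to its problems, for a quick review of a whole list."""
    return {entry: validate_entry(entry) for entry in entries}


if __name__ == "__main__":
    # Constructed sample list mixing the guide's valid and invalid patterns.
    sample = ["*.yahoo.com", "www.*.com", "www.yahoo.com/search=*",
              "ww*.yahoo.com", "www.y*.com", "https://www.paloaltonetworks.com"]
    for entry, problems in lint(sample).items():
        print(entry, "->", problems or "ok", tokens(entry))
    print(companion_entries("paloaltonetworks.com"))
```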

External Dynamic List for URLs

To protect your network from new sources of threat or malware, you can use an External Dynamic List in URL Filtering profiles to block or allow, or to define granular actions such as continue, alert, or override for URLs, before you attach the profile to a Security policy rule. Unlike the allow list, block list, or a custom URL category on the firewall, an external dynamic list gives you the ability to update the list without a configuration change or commit on the firewall. The firewall dynamically imports the list at the configured interval and enforces policy for the URLs (IP addresses or domains will be ignored) in the list. For URL formatting guidelines, see Block and Allow Lists.

Safe Search Enforcement

Many search engines have a safe search setting that filters out adult images and videos in search query return traffic. On the firewall, you can Enable Safe Search Enforcement so that the firewall will block search results if the end user is not using the strictest safe search settings in the search query. The firewall can enforce safe search for the following search providers: Google, Yahoo, Bing, Yandex, and YouTube. This is a best-effort setting and is not guaranteed by the search providers to work with every website.
To use this feature you must enable the Safe Search Enforcement option in a URL filtering profile and attach it to a security policy rule. The firewall will then block any matching search query return traffic that is not using the strictest safe search settings. There are two methods for blocking the search results:
- Block Search Results that are not Using Strict Safe Search Settings: When an end user attempts to perform a search without first enabling the strictest safe search settings, the firewall blocks the search query results and displays the URL Filtering Safe Search Block Page. By default, this page will provide a URL to the search provider settings for configuring safe search.
- Enable Transparent Safe Search Enforcement: When an end user attempts to perform a search without first enabling the strict safe search settings, the firewall blocks the search results with an HTTP 503 status code and redirects the search query to a URL that includes the safe search parameters. You enable this functionality by importing a new URL Filtering Safe Search Block Page containing the JavaScript for rewriting the search URL to include the strict safe search parameters. In this configuration, users will not see the block page, but will instead be automatically redirected to a search query that enforces the strictest safe search options. This safe search enforcement method requires content release version 475 or later and is only supported for Google, Yahoo, and Bing searches.


Also, because most search providers now use SSL to return search results, you must also configure a Decryption policy rule for the search traffic to enable the firewall to inspect the search traffic and enforce safe search.

Safe search enforcement enhancements and support for new search providers are periodically added in content releases. This information is detailed in the Application and Threat Content Release Notes. How sites are judged to be safe or unsafe is determined by each search provider, not by Palo Alto Networks.

Safe search settings differ by search provider as detailed in Table: Search Provider Safe Search Settings.

Table: Search Provider Safe Search Settings
Search Provider    Safe Search Setting Description

Google/YouTube
    Offers safe search on individual computers or network-wide through Google's safe search virtual IP address:
    Safe Search Enforcement for Google Searches on Individual Computers
    In the Google Search Settings, the Filter explicit results setting enables safe search functionality. When enabled, the setting is stored in a browser cookie as FF= and passed to the server each time the user performs a Google search.
    Appending safe=active to a Google search query URL also enables the strictest safe search settings.
    Safe Search Enforcement for Google and YouTube Searches using a Virtual IP Address
    Google provides servers that Lock SafeSearch (forcesafesearch.google.com) settings in every Google and YouTube search. By adding a DNS entry for www.google.com and www.youtube.com (and other relevant Google and YouTube country subdomains) that includes a CNAME record pointing to forcesafesearch.google.com to your DNS server configuration, you can ensure that all users on your network are using strict safe search settings every time they perform a Google or YouTube search. Keep in mind, however, that this solution is not compatible with Safe Search Enforcement on the firewall. Therefore, if you are using this option to force safe search on Google, the best practice is to block access to other search engines on the firewall by creating custom URL categories and adding them to the block list in the URL filtering profile.
    If you plan to use the Google Lock SafeSearch solution, consider configuring DNS Proxy (Network > DNS Proxy) and setting the inheritance source as the Layer 3 interface on which the firewall receives DNS settings from the service provider via DHCP. You would configure the DNS proxy with Static Entries for www.google.com and www.youtube.com, using the local IP address for the forcesafesearch.google.com server.

Yahoo
    Offers safe search on individual computers only. The Yahoo Search Preferences include three SafeSearch settings: Strict, Moderate, or Off. When enabled, the setting is stored in a browser cookie as vm= and passed to the server each time the user performs a Yahoo search.
    Appending vm=r to a Yahoo search query URL also enables the strictest safe search settings.
    When performing a search on Yahoo Japan (yahoo.co.jp) while logged into a Yahoo account, end users must also enable the SafeSearch Lock option.


Bing
    Offers safe search on individual computers or through their Bing in the Classroom program. The Bing Settings include three SafeSearch settings: Strict, Moderate, or Off. When enabled, the setting is stored in a browser cookie as adlt= and passed to the server each time the user performs a Bing search.
    Appending adlt=strict to a Bing search query URL also enables the strictest safe search settings.
    The Bing SSL search engine does not enforce the safe search URL parameters and you should therefore consider blocking Bing over SSL for full safe search enforcement.
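The URL parameters in the table above are what the transparent enforcement method rewrites a search query to carry. The following is an added example, not code from this guide or from the firewall's block page JavaScript, that checks a search query URL for the strictest parameter of its provider and produces the rewritten URL; the host-name markers it uses to recognise a provider are an assumption of the example, not something the guide specifies.

```python
"""Check a search query URL for the strictest safe search parameter and
rewrite it the way transparent Safe Search Enforcement redirects it.

Added example, not code from the PAN-OS guide or the firewall's block
page JavaScript. The parameter names and values come from the guide's
Search Provider Safe Search Settings table (safe=active, vm=r,
adlt=strict); the host-name markers used to recognise a provider are an
assumption for this example.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Provider -> (query parameter, value that selects the strictest setting), per the guide.
STRICT_PARAMS = {
    "google": ("safe", "active"),
    "yahoo": ("vm", "r"),
    "bing": ("adlt", "strict"),
}

# Assumed host-name markers (not from the guide); they also cover country domains
# such as yahoo.co.jp, but not every search front end a provider operates.
PROVIDER_MARKERS = {
    "google": ("google.",),
    "yahoo": ("yahoo.",),
    "bing": ("bing.",),
}


def provider_for(host):
    """Name of the search provider a host belongs to, or None."""
    host = (host or "").lower()
    for provider, markers in PROVIDER_MARKERS.items():
        if any(marker in host for marker in markers):
            return provider
    return None


def safe_search_status(url):
    """Return (provider, strict): strict is True only when the query string carries
    the provider's strictest safe search parameter; provider is None if unrecognised."""
    split = urlsplit(url)
    provider = provider_for(split.hostname)
    if provider is None:
        return None, False
    param, value = STRICT_PARAMS[provider]
    query = dict(parse_qsl(split.query, keep_blank_values=True))
    return provider, query.get(param) == value


def enforce_strict(url):
    """Return the URL a transparent enforcement page would redirect to: the same
    query with any existing safe search parameter replaced by the strict value.
    Unrecognised or already strict URLs are returned unchanged."""
    provider, strict = safe_search_status(url)
    if provider is None or strict:
        return url
    param, value = STRICT_PARAMS[provider]
    split = urlsplit(url)
    pairs = [(k, v) for k, v in parse_qsl(split.query, keep_blank_values=True) if k != param]
    pairs.append((param, value))
    return urlunsplit(split._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    # Constructed sample searches; only the host and query string matter here.
    for sample in ("https://www.google.com/search?q=kittens",
                   "https://search.yahoo.com/search?p=kittens",
                   "https://www.bing.com/search?q=kittens&adlt=strict",
                   "https://example.com/?q=kittens"):
        print(safe_search_status(sample), "->", enforce_strict(sample))
```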

Container Pages

A container page is the main page that a user accesses when visiting a website, but additional websites may be loaded within the main page. If the Log Container page only option is enabled in the URL filtering profile, only the main container page will be logged, not subsequent pages that may be loaded within the container page. Because URL filtering can potentially generate a lot of log entries, you may want to turn on this option, so log entries will only contain those URIs where the requested page file name matches the specific mime types. The default set includes the following mime types:
- application/pdf
- application/soap+xml
- application/xhtml+xml
- text/html
- text/plain
- text/xml

If you have enabled the Log container page only option, there may not always be a correlated URL log entry for threats detected by antivirus or vulnerability protection.

HTTP Header Logging

URL filtering provides visibility and control over web traffic on your network. For improved visibility into web content, you can configure the URL Filtering profile to log HTTP header attributes included in a web request. When a client requests a web page, the HTTP header includes the user agent, referer, and x-forwarded-for fields as attribute-value pairs and forwards them to the web server. When enabled for logging HTTP headers, the firewall logs the following attribute-value pairs in the URL Filtering logs:

Attribute    Description

User-Agent
    The web browser that the user used to access the URL, for example, Internet Explorer. This information is sent in the HTTP request to the server.

Referer
    The URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested.


X-Forwarded-For (XFF)
    The option in the HTTP request header field that preserves the IP address of the user who requested the web page. If you have a proxy server on your network, the XFF allows you to identify the IP address of the user who requested the content, instead of only recording the proxy server's IP address as the source IP address that requested the web page.

URL Filtering Response Pages

The firewall provides three predefined response pages that display by default when a user attempts to browse to a site in a category that is configured with one of the block actions in the URL Filtering Profile (block, continue, or override) or when Safe Search Enforcement is enabled:
- URL Filtering and Category Match Block Page: Access blocked by a URL Filtering Profile or because the URL category is blocked by a security policy.
- URL Filtering Continue and Override Page: Page with initial block policy that allows users to bypass the block by clicking Continue. With URL Admin Override enabled (Configure URL Admin Override), after clicking Continue, the user must supply a password to override the policy that blocks the URL.
- URL Filtering Safe Search Block Page: Access blocked by a security policy with a URL filtering profile that has the Safe Search Enforcement option enabled (see Enable Safe Search Enforcement). The user will see this page if a search is performed using Google, Bing, Yahoo, or Yandex and their browser or search engine account setting for Safe Search is not set to strict.


You can either use the predefined pages, or you can Customize the URL Filtering Response Pages to communicate your specific acceptable use policies and/or corporate branding. In addition, you can use the URL Filtering Response Page Variables for substitution at the time of the block event or add one of the supported Response Page References to external images, sounds, or style sheets.

URL Filtering Response Page Variables
Variable    Usage

<user/>
    The firewall replaces the variable with the user name (if available via User-ID) or IP address of the user when displaying the response page.

<url/>
    The firewall replaces the variable with the requested URL when displaying the response page.

<category/>
    The firewall replaces the variable with the URL filtering category of the blocked request.

<pan_form/>
    HTML code for displaying the Continue button on the URL Filtering Continue and Override page.

You can also add code that triggers the firewall to display different messages depending on what URL category the user is attempting to access. For example, the following code snippet from a response page specifies to display Message 1 if the URL category is games, Message 2 if the category is travel, or Message 3 if the category is kids:

    // The firewall substitutes the category of the blocked request for
    // <category/> before the page is sent to the browser.
    var cat = "<category/>";
    switch (cat)
    {
        case 'games':
            document.getElementById("warningText").innerHTML = "Message 1";
            break;
        case 'travel':
            document.getElementById("warningText").innerHTML = "Message 2";
            break;
        case 'kids':
            document.getElementById("warningText").innerHTML = "Message 3";
            break;
    }

Only a single HTML page can be loaded into each virtual system for each type of block page. However, other resources such as images, sounds, and cascading style sheets (CSS files) can be loaded from other servers at the time the response page is displayed in the browser. All references must include a fully qualified URL.


Response Page References
Reference Type    Example HTML Code

Image
    <img src="http://virginiadot.org/images/Stop-Sign-gif.gif">

Sound
    <embed src="http://simplythebest.net/sounds/WAV/WAV_files/movie_WAV_files/do_not_go.wav" volume="100" hidden="true" autostart="true">

Style Sheet
    <link href="http://example.com/style.css" rel="stylesheet" type="text/css" />

Hyperlink
    <a href="http://en.wikipedia.org/wiki/Acceptable_use_policy">View Corporate Policy</a>

URL Category as Policy Match Criteria

Use URL categories as match criteria in a policy rule for more granular enforcement. For example, suppose you have configured Decryption, but you want to exclude traffic to certain types of websites (for example, health care or financial services) from being decrypted. In this case you could create a decryption policy rule that matches those categories and set the action to no-decrypt. By placing this rule above the rule to decrypt all traffic, you can ensure that web traffic with URL categories that match the no-decrypt rule is not decrypted, and all other traffic would match the subsequent rule.
The following table describes the policy types that accept URL category as match criteria:

Policy Type    Description

Captive Portal
    To ensure that users authenticate before being allowed access to a specific category, you can attach a URL category as a match criterion for the Captive Portal policy.

Decryption
    Decryption policies can use URL categories as match criteria to determine if specified websites should be decrypted or not. For example, if you have a decryption policy with the action decrypt for all traffic between two zones, there may be specific website categories, such as financial-services and/or health-and-medicine, that should not be decrypted. In this case, you would create a new decryption policy with the action of no-decrypt that precedes the decrypt policy and then define a list of URL categories as match criteria for the policy. By doing this, each URL category that is part of the no-decrypt policy will not be decrypted. You could also configure a custom URL category to define your own list of URLs that can then be used in the no-decrypt policy.

QoS
    QoS policies can use URL categories to allocate throughput levels for specific website categories. For example, you may want to allow the streaming-media category, but limit throughput by adding the URL category as match criteria to the QoS policy.


Security
    In security policies you can use URL categories both as a match criteria in the Service/URL Category tab, and in URL filtering profiles that are attached in the Actions tab.
    If, for example, the IT security group in your company needs access to the hacking category, while all other users are denied access to the category, you must create the following rules:
    - A security rule that allows the IT Security group to access content categorized as hacking. The security rule references the hacking category in the Services/URL Category tab and the IT Security group in the Users tab.
    - Another security rule that allows general web access for all users. To this rule you attach a URL filtering profile that blocks the hacking category.
    The policy that allows access to hacking must be listed before the policy that blocks hacking. This is because security policy rules are evaluated top-down, so when a user who is part of the security group attempts to access a hacking site, the policy rule that allows access is evaluated first and will allow the user access to the hacking sites. Users from all other groups are evaluated against the general web access rule, which blocks access to the hacking sites.
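The rule-ordering point above, as an added example that is not PAN-OS code: a minimal first-match model in which a rule matches on user group and URL category and the URL filtering profile attached to the matching rule decides whether allowed traffic is still blocked. The group and category names are the guide's; the rule names, the second user group and the default deny are constructed for the example.

```python
"""First-match evaluation of the two Security policy rules the guide
describes for the hacking category.

Added example, not PAN-OS code: a minimal model in which a rule matches on
user group and URL category, and the URL filtering profile attached to the
matching rule decides whether allowed traffic is still blocked. Group and
category names are the guide's; rule names are constructed.
"""


class Rule:
    def __init__(self, name, groups=None, categories=None, profile=None):
        self.name = name
        self.groups = groups            # None: any user (Users tab left at any)
        self.categories = categories    # None: any category (Service/URL Category tab at any)
        self.profile = profile or {}    # attached URL filtering profile: category -> action

    def matches(self, group, category):
        return ((self.groups is None or group in self.groups)
                and (self.categories is None or category in self.categories))

    def action(self, category):
        """Traffic the rule allows is still subject to the attached profile."""
        return self.profile.get(category, "allow")


def evaluate(rules, group, category):
    """Security policy is evaluated top-down; the first matching rule decides."""
    for rule in rules:
        if rule.matches(group, category):
            return rule.name, rule.action(category)
    return None, "deny"                 # no rule matched: deny in this model


IT_SECURITY_RULE = Rule("allow-hacking-it-security",
                        groups={"IT Security"}, categories={"hacking"})
GENERAL_WEB_RULE = Rule("general-web-access", profile={"hacking": "block"})


def correct_order():
    """The allow rule sits above the general rule, as the guide requires."""
    return [IT_SECURITY_RULE, GENERAL_WEB_RULE]


def wrong_order():
    """General rule first: it matches everyone, so IT Security is blocked too."""
    return [GENERAL_WEB_RULE, IT_SECURITY_RULE]


if __name__ == "__main__":
    for order in (correct_order, wrong_order):
        for group in ("IT Security", "Sales"):     # "Sales" is a constructed group
            print(order.__name__, group, evaluate(order(), group, "hacking"))
```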


PAN-DB Categorization

PAN-DB URL Categorization Components
PAN-DB URL Categorization Workflow

PAN-DB URL Categorization Components

The following table describes the PAN-DB components in detail. The BrightCloud system works similarly, but does not use an initial seed database.

Component    Description

URL Filtering Seed Database
    The initial seed database downloaded to the firewall is a small subset of the database that is maintained on the Palo Alto Networks URL cloud servers. This is done because the full database contains millions of URLs and many of these URLs may never be accessed by your users. When downloading the initial seed database, you select a region (North America, Europe, APAC, Japan). Each region contains a subset of the URLs most accessed for the given region. This allows the firewall to store a much smaller URL database for better URL lookup performance. If a user accesses a website that is not in the local URL database, the firewall queries the full cloud database and then adds the new URL to the local database. This way the local database on the firewall is continually populated/customized based on actual user activity.
    Note that re-downloading the PAN-DB seed database or switching the URL database vendor from PAN-DB to BrightCloud will clear the local database.

Cloud Service
(See Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud for information on the private cloud.)
    The PAN-DB cloud service is implemented using Amazon Web Services (AWS). AWS provides a distributed, high-performance, and stable environment for seed database downloads and URL lookups for Palo Alto Networks firewalls, and communication is performed over SSL. The AWS cloud systems hold the entire PAN-DB and are updated as new URLs are identified. The PAN-DB cloud service supports an automated mechanism to update the firewall's local URL database if the version does not match. Each time the firewall queries the cloud servers for URL lookups, it will also check for critical updates. If there have been no queries to the cloud servers for more than 30 minutes, the firewall will check for updates on the cloud systems.
    The cloud system also provides a mechanism to submit URL category change requests. This is performed through the test-a-site service and is available directly from the firewall (URL filtering profile setup) and from the Palo Alto Networks Test A Site website. You can also submit a URL categorization change request directly from the URL filtering log on the firewall in the log details section.


Management Plane (MP) URL Cache
    When you activate PAN-DB on the firewall, the firewall downloads a seed database from one of the PAN-DB cloud servers to initially populate the local cache for improved lookup performance. Each regional seed database contains the top URLs for the region, and the size of the seed database (number of URL entries) also depends on the platform. The URL MP cache is automatically written to the firewall's local drive every eight hours, before the firewall is rebooted, or when the cloud upgrades the URL database version on the firewall. After rebooting the firewall, the file that was saved to the local drive will be loaded to the MP cache. A least recently used (LRU) mechanism is also implemented in the URL MP cache in case the cache is full. If the cache becomes full, the URLs that have been accessed the least will be replaced by the newer URLs.

Dataplane (DP) URL Cache
    This is a subset of the MP cache and is a customized, dynamic URL database that is stored in the dataplane (DP) and is used to improve URL lookup performance. The URL DP cache is cleared at each firewall reboot. The number of URLs that are stored in the URL DP cache varies by hardware platform and the current URLs stored in the TRIE (data structure). A least recently used (LRU) mechanism is implemented in the DP cache in case the cache is full. If the cache becomes full, the URLs that have been accessed the least will be replaced by the newer URLs. Entries in the URL DP cache expire after a specified period of time and the expiration period cannot be changed by the administrator.

PAN-DB URL Categorization Workflow

When a user attempts to access a URL and the URL category needs to be determined, the firewall will compare the URL with the following components (in order) until a match has been found:

If a URL query matches an expired entry in the URL DP cache, the cache responds with the expired category, but also sends a URL categorization query to the management plane. This is done to avoid unnecessary delays in the DP, assuming that the frequency of changing categories is low. Similarly, in the URL MP cache, if a URL query from the DP matches an expired entry in the MP, the MP responds to the DP with the expired category and will also send a URL categorization request to the cloud service. Upon getting the response from the cloud, the firewall will resend the updated response to the DP.


As new URLs and categories are defined or if critical updates are needed, the cloud database will be updated. Each time the firewall queries the cloud for a URL lookup, or if no cloud lookups have occurred for 30 minutes, the database versions on the firewall are compared and, if they do not match, an incremental update will be performed.
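The lookup chain that the not-resolved entry of the category table and this workflow describe (dataplane cache, then management plane cache, then the cloud, with an expired entry answered from its stale value while a refresh is requested) as an added example that is not PAN-OS code. Cache capacities, expiry periods, URLs and categories are constructed values; the firewall's own DP expiry period is fixed and not configurable, and a cloud that cannot be reached yields not-resolved as the category table describes.

```python
"""Model of the PAN-DB lookup chain: DP cache -> MP cache -> cloud.
Added example, not PAN-OS code. Capacities, expiry periods, URLs and
categories are constructed values; the firewall's real DP expiry period
is fixed and cannot be changed by the administrator.
"""
from collections import OrderedDict


class LruCache:
    """LRU cache whose entries can expire but still answer (stale)."""
    def __init__(self, capacity, ttl):
        self.capacity, self.ttl = capacity, ttl
        self.entries = OrderedDict()   # url -> (category, inserted_at)

    def get(self, url, now):
        """Return (category, expired) or None; a hit becomes most recently used."""
        if url not in self.entries:
            return None
        category, inserted = self.entries.pop(url)
        self.entries[url] = (category, inserted)
        return category, now - inserted >= self.ttl

    def put(self, url, category, now):
        if url in self.entries:
            self.entries.pop(url)
        elif len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)   # evict the least recently used URL
        self.entries[url] = (category, now)


class Cloud:
    """Stand-in for the PAN-DB cloud; URLs it does not know are 'unknown'."""
    def __init__(self, database, reachable=True):
        self.database, self.reachable, self.queries = database, reachable, 0

    def lookup(self, url):
        self.queries += 1
        return self.database.get(url, "unknown") if self.reachable else None


class Firewall:
    def __init__(self, cloud, dp_capacity, mp_capacity, dp_ttl, mp_ttl):
        self.cloud = cloud
        self.dp = LruCache(dp_capacity, dp_ttl)
        self.mp = LruCache(mp_capacity, mp_ttl)
        self.trace = []   # where each answer came from

    def lookup(self, url, now):
        hit = self.dp.get(url, now)
        if hit is not None and not hit[1]:
            self.trace.append("dp")
            return hit[0]
        fresh = self._from_mp(url, now)   # miss or expired: ask the management plane
        if hit is not None:
            self.trace.append("dp-expired")
            return hit[0]   # stale answer now; the DP entry has already been refreshed
        return fresh

    def _from_mp(self, url, now):
        hit = self.mp.get(url, now)
        if hit is not None and not hit[1]:
            self.trace.append("mp")
            category = hit[0]
        else:
            category = self.cloud.lookup(url)
            if category is None:   # cloud unreachable
                self.trace.append("cloud-unreachable")
                if hit is None:
                    return "not-resolved"   # nothing to fall back on; not cached
                category = hit[0]   # the expired MP entry still answers
            else:
                self.trace.append("cloud")
                self.mp.put(url, category, now)
        self.dp.put(url, category, now)
        return category

    def reboot(self):
        """The DP cache is cleared on reboot; the MP cache is saved to disk and survives."""
        self.dp = LruCache(self.dp.capacity, self.dp.ttl)


def demo():
    """Walk the chain with constructed values; returns (answers, trace, cloud queries)."""
    cloud = Cloud({"games.example": "games"})
    fw = Firewall(cloud, dp_capacity=2, mp_capacity=4, dp_ttl=10, mp_ttl=12)
    answers = [fw.lookup("games.example", now=0),    # cloud
               fw.lookup("games.example", now=1),    # dp
               fw.lookup("new.example", now=2),      # cloud -> unknown
               fw.lookup("third.example", now=3),    # cloud; evicts games.example from the DP
               fw.lookup("games.example", now=4)]    # mp
    cloud.database["games.example"] = "recategorized"   # constructed change in the cloud
    answers.append(fw.lookup("games.example", now=15))  # DP and MP entries expired: stale answer
    answers.append(fw.lookup("games.example", now=16))  # refreshed category now in the DP
    fw.reboot()
    answers.append(fw.lookup("games.example", now=17))  # DP cleared, MP survived
    cloud.reachable = False
    answers.append(fw.lookup("offline.example", now=18))  # not-resolved
    return answers, fw.trace, cloud.queries
```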


Enable a URL Filtering Vendor

To enable URL filtering on a firewall, you must purchase and activate a URL Filtering license for one of the supported URL Filtering Vendors and then install the database for the vendor you selected.

Starting with PAN-OS 6.0, firewalls managed by Panorama do not need to be running the same URL filtering vendor that is configured on Panorama. For firewalls running PAN-OS 6.0 or later, when a mismatch is detected between the vendor enabled on the firewalls and what is enabled on Panorama, the firewalls can automatically migrate URL categories and/or URL profiles to (one or more) categories that align with those of the vendor enabled on the firewall. For guidance on how to configure URL Filtering on Panorama if you are managing firewalls running different PAN-OS versions, refer to the Panorama Administrator's Guide.

If you have valid licenses for both PAN-DB and BrightCloud, activating the PAN-DB license automatically deactivates the BrightCloud license (and vice versa). Only one URL filtering license can be active on a firewall at a time.
Enable PAN-DB URL Filtering
Enable BrightCloud URL Filtering

Enable PAN-DB URL Filtering

Step 1: Obtain and install a PAN-DB URL filtering license and confirm that it is installed.
    1. Select Device > Licenses and, in the License Management section, select the license installation method:
       - Retrieve license keys from license server
       - Activate feature using authorization code
       - Manually upload license key
    2. After installing the license, confirm that the PAN-DB URL Filtering section, Date Expires field, displays a valid date.
    If the license expires, PAN-DB URL Filtering continues to work based on the URL category information that exists in the dataplane and management plane caches. However, URL cloud lookups and other cloud-based updates will not function until you install a valid license.


Step 2: Download the initial seed database and activate PAN-DB URL Filtering.
    The firewall must have Internet access; you cannot manually upload the PAN-DB seed database.
    1. In the PAN-DB URL Filtering section, Download Status field, click Download Now.
    2. Choose a region (North America, Europe, APAC, Japan) and then click OK to start the download.
    3. After the download completes, click Activate.
    If PAN-DB is already the active URL filtering vendor and you click Re-Download, this will re-activate PAN-DB by clearing the dataplane and management plane caches and replacing them with the contents of the new seed database. You should avoid doing this unless it is necessary, as you will lose your cache, which is customized based on the web traffic that has previously passed through the firewall based on user activity.

Step 3: Schedule the firewall to download dynamic updates for Applications and Threats.
    A Threat Prevention license is required to receive content updates, which covers Antivirus and Applications and Threats.
    1. Select Device > Dynamic Updates.
    2. In the Schedule field in the Applications and Threats section, click the None link to schedule periodic updates.
    You can only schedule dynamic updates if the firewall has direct Internet access. If updates are already scheduled in a section, the link text displays the schedule settings.
    The Applications and Threats updates sometimes contain updates for URL filtering related to the Safe Search Enforcement option in the URL filtering profile (Objects > Security Profiles > URL Filtering). For example, if Palo Alto Networks adds support for a new search provider vendor or if the method used to detect the Safe Search setting for an existing vendor changes, the Application and Threats updates will include that update.

Enable BrightCloud URL Filtering

Enable BrightCloud URL Filtering

Step 1  Obtain and install a BrightCloud URL filtering license and confirm that it is installed.
  BrightCloud has an option in the URL filtering profile (Objects > Security Profiles > URL Filtering) to either allow all categories or block all categories if the license expires.
  1. Select Device > Licenses and, in the License Management section, select the license installation method:
     - Activate feature using authorization code
     - Retrieve license keys from license server
     - Manually upload license key
  2. After installing the license, confirm that the BrightCloud URL Filtering section, Date Expires field, displays a valid date.


Step 2  Install the BrightCloud database.
  The way you do this depends on whether or not the firewall has direct Internet access.
  Firewall with Direct Internet Access
  Select Device > Licenses and in the BrightCloud URL Filtering section, Active field, click the Activate link to install the BrightCloud database. This operation automatically initiates a system reset.
  Firewall without Direct Internet Access
  1. Download the BrightCloud database to a host that has Internet access. The firewall must have access to the host:
     a. On a host with Internet access, go to the Palo Alto Networks Customer Support website, www.paloaltonetworks.com/support/tabs/overview.html, and log in.
     b. In the Resources section, click Dynamic Updates.
     c. In the BrightCloud Database section, click Download and save the file to the host.
  2. Upload the database to the firewall:
     a. Log in to the firewall, select Device > Dynamic Updates and click Upload.
     b. For the Type, select URL Filtering.
     c. Enter the path to the File on the host or click Browse to find it, then click OK. When the Status is Completed, click Close.
  3. Install the database:
     a. Select Device > Dynamic Updates and click Install From File.
     b. For the Type, select URL Filtering. The firewall automatically selects the file you just uploaded.
     c. Click OK and, when the Result is Succeeded, click Close.

Step 3  Enable cloud lookups for dynamically categorizing a URL if the category is not available on the local BrightCloud database.
  1. Access the PAN-OS CLI.
  2. Enter the following commands to enable dynamic URL filtering:
       configure
       set deviceconfig setting url dynamic-url yes
       commit


Step 4  Schedule the firewall to download dynamic updates for Applications and Threats signatures and URL filtering.
  You can only schedule dynamic updates if the firewall has direct Internet access.
  The Applications and Threats updates might contain updates for URL filtering related to the Safe Search Enforcement option in the URL filtering profile. For example, if Palo Alto Networks adds support for a new search provider vendor or if the method used to detect the Safe Search setting for an existing vendor changes, the Applications and Threats updates will include that update.
  BrightCloud updates include a database of approximately 20 million websites that are stored locally on the firewall. You must schedule URL filtering updates to receive BrightCloud database updates.
  A Threat Prevention license is required to receive Antivirus and Applications and Threats updates.
  1. Select Device > Dynamic Updates.
  2. In the Applications and Threats section, Schedule field, click the None link to schedule periodic updates.
  3. In the URL Filtering section, Schedule field, click the None link to schedule periodic updates.
     If updates are already scheduled in a section, the link text displays the schedule settings.

Determine URL Filtering Policy Requirements

The recommended practice for deploying URL filtering in your organization is to first start with a passive URL filtering profile that will alert on most categories. After setting the alert action, you can then monitor user web activity for a few days to determine patterns in web traffic. After doing so, you can then make decisions on the websites and website categories that should be controlled.
In the procedure that follows, threat-prone sites will be set to block and the other categories will be set to alert, which will cause all website traffic to be logged. This may potentially create a large amount of log files, so it is best to do this for initial monitoring purposes to determine the types of websites your users are accessing. After determining the categories that your company approves of, those categories should then be set to allow, which will not generate logs. You can also reduce URL filtering logs by enabling the Log container page only option in the URL Filtering profile, so only the main page that matches the category will be logged, not subsequent pages/categories that may be loaded within the container page.
If you subscribe to third-party URL feeds and want to secure your users from emerging threats, see Use an External Dynamic List in a URL Filtering Profile.

Configure and Apply a Passive URL Filtering Profile

Step 1  Create a new URL Filtering profile.
  1. Select Objects > Security Profiles > URL Filtering.
  2. Select the default profile and then click Clone. The new profile will be named default-1.
  3. Select the default-1 profile and rename it. For example, rename it to URL Monitoring.

Step 2  Configure the action for all categories to alert, except for threat-prone categories, which should remain blocked.
  To select all items in the category list from a Windows system, click the first category, then hold down the shift key and click the last category; this will select all categories. Hold the control key (ctrl) down and click items that should be deselected. On a Mac, do the same using the shift and command keys. You could also just set all categories to alert and manually change the recommended categories back to block.
  1. In the section that lists all URL categories, select all categories.
  2. To the right of the Action column heading, mouse over and select the down arrow and then select Set Selected Actions and choose alert.
  3. To ensure that you block access to threat-prone sites, select the following categories and then set the action to block: abused-drugs, adult, gambling, hacking, malware, phishing, questionable, weapons.
  4. Click OK to save the profile.

Step 3  Apply the URL Filtering profile to the security policy rule(s) that allows web traffic for users.
  1. Select Policies > Security and select the appropriate security policy to modify it.
  2. Select the Actions tab and in the Profile Setting section, click the drop-down for URL Filtering and select the new profile.
  3. Click OK to save.


Step 4  Save the configuration.
  Click Commit.

Step 5  View the URL filtering logs to determine all of the website categories that your users are accessing. In this example, some categories are set to block, so those categories will also appear in the logs.
  For information on viewing the logs and generating reports, see Monitor Web Activity.
  Select Monitor > Logs > URL Filtering. A log entry will be created for any website that exists in the URL filtering database that is in a category that is set to any action other than allow.
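To turn the alert logs collected during this monitoring period into a decision, the following added Python script (not part of this guide or of PAN-OS) tallies a URL Filtering log export by category and action and estimates how much log volume would disappear if a chosen set of approved categories were switched to allow. The CSV column names and the log rows are constructed for the example; a real export should be checked against the columns shown in Monitor > Logs > URL Filtering.

```python
"""Summarize URL Filtering log exports collected under a passive (alert) profile."""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a URL Filtering log export. The column names and rows
# are illustrative assumptions, not a real PAN-OS 7.1 export.
SAMPLE_CSV = """Receive Time,Source User,Category,URL,Action
2016/06/01 09:00:01,acme\\alice,computer-and-internet-info,news.example.test/,alert
2016/06/01 09:00:07,acme\\bob,business-and-economy,intranet.example.test/,alert
2016/06/01 09:01:15,acme\\alice,business-and-economy,intranet.example.test/portal,alert
2016/06/01 09:02:30,acme\\carol,malware,bad.example.test/dl.exe,block-url
2016/06/01 09:03:02,acme\\bob,shopping,shop.example.test/cart,alert
2016/06/01 09:03:40,acme\\dave,business-and-economy,intranet.example.test/hr,alert
2016/06/01 09:04:11,acme\\carol,hacking,tools.example.test/,block-url
2016/06/01 09:05:55,acme\\alice,business-and-economy,intranet.example.test/,alert
"""


def parse_url_log(text):
    """Return the rows of a CSV export as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def category_summary(rows):
    """Map each category to a Counter of the actions the firewall took."""
    summary = defaultdict(Counter)
    for row in rows:
        summary[row["Category"]][row["Action"]] += 1
    return summary


def top_urls(rows, category, n=3):
    """Most-visited URLs in one category, to help decide whether to approve it."""
    urls = Counter(row["URL"] for row in rows if row["Category"] == category)
    return urls.most_common(n)


def log_reduction(rows, approved):
    """Fraction of log entries that would disappear if the approved categories
    were set to allow. Only alert entries count: the categories blocked in
    Step 2 are not candidates for approval and stay in the logs regardless."""
    if not rows:
        return 0.0
    removed = sum(1 for r in rows
                  if r["Category"] in approved and r["Action"] == "alert")
    return removed / len(rows)


if __name__ == "__main__":
    rows = parse_url_log(SAMPLE_CSV)
    for category, actions in sorted(category_summary(rows).items()):
        print("%-28s %s" % (category, dict(actions)))
        for url, hits in top_urls(rows, category):
            print("    %4d  %s" % (hits, url))
    approved = {"business-and-economy"}
    print("setting %s to allow removes %.0f%% of entries"
          % (sorted(approved), 100 * log_reduction(rows, approved)))
```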

Use an External Dynamic List in a URL Filtering Profile

An External Dynamic List is a text file that is hosted on an external web server. You can use this list to import URLs and enforce policy on these URLs. When you update the list on the web server, the firewall retrieves the changes and applies policy to the modified list without requiring a commit on the firewall.
For more information, see External Dynamic List and Enforce Policy on Entries in an External Dynamic List.

Use an External Dynamic List with URLs in a URL Filtering Profile

Step 1  Create the external dynamic list for URLs and host it on a web server.
  Create a text file and enter the URLs in the file; each URL must be on a separate line. For example:
    financialtimes.co.in
    www.wallaby.au/joey
    www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx
    *.example.com/*
    abc?*/abc.com
    *&*.net
  See Block and Allow Lists for formatting guidelines.

Step 2  Configure the firewall to access the external dynamic list.
  1. Select Objects > External Dynamic Lists.
  2. Click Add and enter a descriptive Name for the list.
  3. (Optional) Select Shared to share the list with all virtual systems on a device that is enabled for multiple virtual systems. By default, the object is created on the virtual system that is currently selected in the Virtual Systems drop-down.
  4. In the Type drop-down, select URL List. Ensure that the list does not include IP addresses or domain names; the firewall skips non-URL entries.
  5. Enter the Source for the list you just created on the web server. The source must include the full path to access the list. For example, https://1.2.3.4/EDL_IP_2016.
  6. Click Test Source URL to verify that the firewall can connect to the web server.
     If the web server is unreachable after the connection is established, the firewall uses the last successfully retrieved list for enforcing policy until the connection is restored with the web server.
  7. (Optional) Specify the Repeat frequency at which the firewall retrieves the list. By default, the firewall retrieves the list once every hour.
  8. Click OK.


Step 3  Use the external dynamic list in a URL Filtering profile.
  1. Select Objects > Security Profiles > URL Filtering.
  2. Add or modify an existing URL Filtering profile.
  3. Name the profile and, in the Categories tab, select the external dynamic list from the Category list.
  4. Click Action to select a more granular action for the URLs in the external dynamic list.
     If a URL that is included in an external dynamic list is also included in a custom URL category, or Block and Allow Lists, the action specified in the custom category or the block and allow list will take precedence over the external dynamic list.
  5. Click OK.
  6. Attach the URL Filtering profile to a Security policy rule.
     a. Select Policies > Security.
     b. Select the Actions tab and, in the Profile Setting section, select the new profile in the URL Filtering drop-down.
     c. Click OK and Commit.

Step 4  Test that the policy action is enforced.
  1. Attempt to access a URL that is included in the external dynamic list.
  2. Verify that the action you defined is enforced in the browser.
  3. To monitor the activity on the firewall:
     a. Select ACC and add a URL Domain as a global filter to view the Network Activity and Blocked Activity for the URL you accessed.
     b. Select Monitor > Logs > URL Filtering to access the detailed log view.

Step 5  Verify whether entries in the external dynamic list were ignored or skipped.
  In a list of type URL, the firewall skips non-URL entries as invalid and ignores entries that exceed the maximum limit for the platform.
  Use the following CLI command on a firewall to review the details for a list.
    request system external-list show type url list_name
  For example:
    request system external-list show type url EBL_ISAC_Alert_List

Monitor Web Activity

The ACC, URL filtering logs and reports show all user web activity for URL categories that are set to alert, block, continue, or override. By monitoring the logs, you can gain a better understanding of the web activity of your user base to determine a web access policy.
The following topics describe how to monitor web activity:
- Monitor Web Activity of Network Users
- View the User Activity Report
- Configure Custom URL Filtering Reports

Monitor Web Activity of Network Users

You can use the ACC, and the URL filtering reports and logs that are generated on the firewall, to track user activity.
For a quick view of the most common categories users access in your environment, check the ACC widgets. Most widgets in the Network Activity tab allow you to sort on URLs. For example, in the Application Usage widget, you can see that the networking category is the most accessed category, followed by encrypted-tunnel, and ssl. You can also view the list of Threat Activity and Blocked Activity sorted on URLs.

From the ACC, you can directly Jump to the Logs or you can navigate to Monitor > Logs > URL Filtering to view the URL filtering logs. The following bullet points show examples of the URL filtering logs.
- Alert log: In this log, the category is shopping and the action is alert.
- Block log: In this log, the category malware was set to block, so the action is block-url and the user will see a response page indicating that the website was blocked.
- Alert log on encrypted website: In this example, the category is social-networking and the application is facebook-base, which is required to access the Facebook website and other Facebook applications. Because facebook.com is always encrypted using SSL, the traffic was decrypted by the firewall, which allows the website to be recognized and controlled if needed.

You can also add several other columns to your URL Filtering log view, such as: to and from zone, content type, and whether or not a packet capture was performed. To modify what columns to display, click the down arrow in any column and select the attribute to display.

To view the complete log details and/or request a category change for the given URL that was accessed, click the log details icon in the first column of the log.

To generate a predefined URL filtering report on URL categories, URL users, websites accessed, blocked categories, and more, select Monitor > Reports and under the URL Filtering Reports section, select one of the reports. The reports are based on a 24-hour period and the day is selected by choosing a day in the calendar section. You can also export the report to PDF, CSV, or XML.

View the User Activity Report

This report provides a quick method of viewing user or group activity and also provides an option to view browse time activity.

Generate a User Activity Report

Step 1  Configure a User Activity Report.
  1. Select Monitor > PDF Reports > User Activity Report.
  2. Enter a report Name and select the report type. Select User to generate a report for one person, or select Group for a group of users.
     You must Enable User-ID in order to be able to select user or group names. If User-ID is not configured, you can select the type User and enter the IP address of the user's computer.
  3. Enter the Username/IP address for a user report or enter the group name for a user group report.
  4. Select the time period. You can select an existing time period, or select Custom.
  5. Select the Include Detailed Browsing check box, so browsing information is included in the report.


Step 2  Run the user activity report and then download the report.
  1. Click Run Now.
  2. After the report is generated, click the Download User Activity Report link.
  3. After the report is downloaded, click Cancel and then click OK to save the report.

Step 3  View the user activity report by opening the PDF file that was downloaded. The top of the report will contain a table of contents similar to the following:

Step 4  Click an item in the table of contents to view details. For example, click Traffic Summary by URL Category to view statistics for the selected user or group.

Configure Custom URL Filtering Reports

To generate a detailed report that can also be scheduled, you can configure a custom report and select from a list of all available URL filtering log fields.

Configure a Custom URL Filtering Report

Step 1  Add a new custom report.
  1. Select Monitor > Manage Custom Reports and click Add.
  2. Enter a report Name, for example, My URL Custom Report.
  3. From the Database drop-down, select URL Log.

Step 2  Configure report options.
  1. Select the Time Frame drop-down and select a range.
  2. (Optional) To customize how the report is sorted and grouped, select Sort By and choose the number of items to display (top 25 for example) and then select Group By and select an option such as Category, and then select how many groups will be defined.
  3. In the Available Columns list, select the fields to include in the report. The following columns are typically used for a URL report:
     - Action
     - Category
     - Destination Country
     - Source User
     - URL

Step 3  Run the report to check the results. If the results are satisfactory, set a schedule to run the report automatically.
  1. Click the Run Now icon to immediately generate the report that will appear in a new tab.
  2. (Optional) Click the Schedule check box to run the report once per day. This will generate a daily report that details web activity over the last 24 hours. To access the report, select Monitor > Reports and then expand Custom Reports on the right column and select the report.

Step 4  Save the configuration.
  Click Commit.

Configure URL Filtering

After you Determine URL Filtering Policy Requirements, you should have a basic understanding of what types of websites and website categories your users are accessing. With this information, you are now ready to create custom URL filtering profiles and attach them to the security policy rule(s) that allow web access.

Configure Website Controls

Step 1  Create a URL Filtering profile or select an existing one.
  Because the default URL filtering profile blocks risky and threat-prone content, it is a best practice to clone this profile to preserve these default settings, rather than creating a new profile.
  1. Select Objects > Security Profiles > URL Filtering. Select the default profile and then click Clone. The new profile will be named default-1.
  2. Select the new profile and rename it.

Step 2  Define how to control access to web content.
  In the Categories tab, for each category that you want visibility into or control over, select a value from the Action column as follows:
  - If you do not care about traffic to a particular category (that is, you neither want to block it nor log it), select allow.
  - For visibility into traffic to sites in a category, select alert.
  - To deny access to traffic that matches the category and to enable logging of the blocked traffic, select block.
  - To require users to click Continue to proceed to a questionable site, select continue.
  - To only allow access if users provide a configured password, select override. For more details on this setting, see Configure URL Admin Override.

Step 3  Define websites that should always be blocked or allowed.
  For example, to reduce URL filtering logs, you may want to add your corporate websites to the allow list, so no logs will be generated for those sites. Or, if there is a website that is being overly used and is not work related in any way, you can add it to the block list.
  Items in the block list will always be blocked regardless of the action for the associated category, and URLs in the allow list will always be allowed.
  For more information on the proper format and wildcard usage, see Block and Allow Lists.
  1. In the URL filtering profile, enter URLs or IP addresses in the Block List and select an action:
     - block: Block the URL.
     - continue: Prompt users to click Continue to proceed to the web page.
     - override: The user will be prompted for a password to continue to the website.
     - alert: Allow the user to access the website and add an alert log entry in the URL log.
  2. For the Allow List, enter IP addresses or URLs that should always be allowed. Each row must be separated by a new line.
  3. (Optional) Enable Safe Search Enforcement.


Step 4  Modify the setting to log container pages only.
  The Log container page only option is enabled by default so that only the main page that matches the category is logged, not subsequent pages/categories that may be loaded within the container page. To enable logging for all pages/categories, clear the Log container page only check box.

Step 5  Enable HTTP Header Logging for one or more of the supported HTTP header fields.
  To log an HTTP header field, select one or more of the following fields to log:
  - User-Agent
  - Referer
  - X-Forwarded-For

Step 6  Save the URL filtering profile.
  1. Click OK.
  2. (Optional) Customize the URL Filtering Response Pages.
  3. Click Commit.
  To test the URL filtering configuration, simply access a website in a category that is set to block or continue to see if the appropriate action is performed.

Customize the URL Filtering Response Pages

The firewall provides three predefined URL Filtering Response Pages that display by default when a user attempts to browse to a site in a category that is configured with one of the block actions in the URL Filtering Profile (block, continue, or override) or when Safe Search Enforcement blocks a search attempt. However, you can create your own custom response pages with your corporate branding, acceptable use policies, and links to your internal resources as follows:

Customize the URL Filtering Response Pages

Step 1  Export the default response page(s).
  1. Select Device > Response Pages.
  2. Select the link for the URL filtering response page you want to modify.
  3. Click the response page (predefined or shared) and then click the Export link and save the file to your desktop.

Step 2  Edit the exported page.
  1. Using the HTML text editor of your choice, edit the page:
     - If you want the response page to display custom information about the specific user, URL, or category that was blocked, add one or more of the supported URL Filtering Response Page Variables.
     - If you want to include custom images (such as your corporate logo), a sound, or style sheet, or link to another URL, for example to a document detailing your acceptable web use policy, include one or more of the supported Response Page References.
  2. Save the edited page with a new filename. Make sure that the page retains its UTF-8 encoding. For example, in Notepad you would select UTF-8 from the Encoding drop-down in the Save As dialog.

Step 3  Import the customized response page.
  1. Select Device > Response Pages.
  2. Select the link that corresponds to the URL Filtering response page you edited.
  3. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
  4. (Optional) Select the virtual system on which this response page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
  5. Click OK to import the file.

Step 4  Save the new response page(s).
  Commit the changes.

Step 5  Verify that the new response page displays.
  From a browser, go to the URL that will trigger the response page. For example, to see a modified URL Filtering and Category Match response page, browse to a URL that your URL filtering policy is set to block.

Configure URL Admin Override

In some cases there may be URL categories that you want to block, but allow certain individuals to browse to on occasion. In this case, you would set the category action to override and define a URL admin override password in the firewall Content-ID configuration. When users attempt to browse to the category, they will be required to provide the override password before they are allowed access to the site. Use the following procedure to configure URL admin override:

Configure URL Admin Override

Step 1  Set the URL admin override password.
  1. Select Device > Setup > Content-ID.
  2. In the URL Admin Override section, click Add.
  3. In the Location field, select the virtual system to which this password applies.
  4. Enter the Password and Confirm Password.
  5. Select an SSL/TLS Service Profile. The profile specifies the certificate that the firewall presents to the user if the site with the override is an HTTPS site. For details, see Configure an SSL/TLS Service Profile.
  6. Select the Mode for prompting the user for the password:
     - Transparent: The firewall intercepts the browser traffic destined for a site in a URL category you have set to override and impersonates the original destination URL, issuing an HTTP 401 to prompt for the password. Note that the client browser will display certificate errors if it does not trust the certificate.
     - Redirect: The firewall intercepts HTTP or HTTPS traffic to a URL category set to override and redirects the request to a Layer 3 interface on the firewall using an HTTP 302 redirect in order to prompt for the override password. If you select this option, you must provide the Address (IP address or DNS hostname) to which to redirect the traffic.
  7. Click OK.

Step 2  (Optional) Set a custom override period.
  1. Edit the URL Filtering section.
  2. To change the amount of time users can browse to a site in a category for which they have successfully entered the override password, enter a new value in the URL Admin Override Timeout field. By default, users can access sites within the category for 15 minutes without re-entering the password.
  3. To change the amount of time users are blocked from accessing a site set to override after three failed attempts to enter the override password, enter a new value in the URL Admin Lockout Timeout field. By default, users are blocked for 30 minutes.
  4. Click OK.


Step 3  (Redirect mode only) Create a Layer 3 interface to which to redirect web requests to sites in a category configured for override.
  1. Create a management profile to enable the interface to display the URL Filtering Continue and Override Page response page:
     a. Select Network > Interface Mgmt and click Add.
     b. Enter a Name for the profile, select Response Pages, and then click OK.
  2. Create the Layer 3 interface. Be sure to attach the management profile you just created (on the Advanced > Other Info tab of the Ethernet Interface dialog).

Step 4  (Redirect mode only) To transparently redirect users without displaying certificate errors, install a certificate that matches the IP address of the interface to which you are redirecting web requests to a site in a URL category configured for override. You can either generate a self-signed certificate or import a certificate that is signed by an external CA.
  To use a self-signed certificate, you must first create a root CA certificate and then use that CA to sign the certificate you will use for URL admin override as follows:
  1. To create a root CA certificate, select Device > Certificate Management > Certificates > Device Certificates and then click Generate. Enter a Certificate Name, such as RootCA. Do not select a value in the Signed By field (this is what indicates that it is self-signed). Make sure you select the Certificate Authority check box and then click Generate the certificate.
  2. To create the certificate to use for URL admin override, click Generate. Enter a Certificate Name and enter the DNS hostname or IP address of the interface as the Common Name. In the Signed By field, select the CA you created in the previous step. Add an IP address attribute and specify the IP address of the Layer 3 interface to which you will be redirecting web requests to URL categories that have the override action.
  3. Generate the certificate.
  4. To configure clients to trust the certificate, select the CA certificate on the Device Certificates tab and click Export. You must then import the certificate as a trusted root CA into all client browsers, either by manually configuring the browser or by adding the certificate to the trusted roots in an Active Directory Group Policy Object (GPO).

Step 5  Specify which URL categories require an override password to enable access.
  1. Select Objects > URL Filtering and either select an existing URL filtering profile or Add a new one.
  2. On the Categories tab, set the Action to override for each category that requires a password.
  3. Complete any remaining sections on the URL filtering profile and then click OK to save the profile.

Step 6  Apply the URL Filtering profile to the security policy rule(s) that allows access to the sites requiring password override for access.
  1. Select Policies > Security and select the appropriate security policy to modify it.
  2. Select the Actions tab and in the Profile Setting section, click the drop-down for URL Filtering and select the profile.
  3. Click OK to save.

Step 7  Save the configuration.
  Click Commit.

Enable Safe Search Enforcement

Many search engines have a safe search setting that filters out adult images and videos for search query return traffic. You can configure Safe Search Enforcement on the Palo Alto Networks next-generation firewall to prevent search requests that do not have the strictest safe search settings enabled.

The Safe Search Enforcement for Google and YouTube Searches using a Virtual IP Address is not compatible with Safe Search Enforcement on the firewall.

There are two ways to enforce Safe Search on the firewall:
- Block Search Results that are not Using Strict Safe Search Settings
- Enable Transparent Safe Search Enforcement

Block Search Results that are not Using Strict Safe Search Settings

By default, when you enable safe search enforcement, when a user attempts to perform a search without using the strictest safe search settings, the firewall will block the search query results and display the URL Filtering Safe Search Block Page. This page provides a link to the search settings page for the corresponding search provider so that the end user can enable the safe search settings. If you plan to use this default method for enforcing safe search, you should communicate the policy to your end users prior to deploying the policy. See Table: Search Provider Safe Search Settings for details on how each search provider implements safe search. The default URL Filtering Safe Search Block Page provides a link to the search settings for the corresponding search provider. You can optionally Customize the URL Filtering Response Pages.
Alternatively, to enable safe search enforcement so that it is transparent to your end users, configure the firewall to Enable Transparent Safe Search Enforcement.

Enable Safe Search Enforcement

Step 1  Enable Safe Search Enforcement in the URL Filtering profile.
  1. Select Objects > Security Profiles > URL Filtering.
  2. Select an existing profile to modify, or clone the default profile to create a new profile.
  3. On the Settings tab, select the Safe Search Enforcement check box to enable it.
  4. (Optional) Restrict users to specific search engines:
     a. On the Categories tab, set the search-engines category to block.
     b. For each search engine that you want end users to be able to access, enter the web address in the Allow List text box. For example, to allow users access to Google and Bing searches only, you would enter the following:
          www.google.com
          www.bing.com
  5. Configure other settings as necessary to:
     - Define how to control access to web content.
     - Define websites that should always be blocked or allowed.
  6. Click OK to save the profile.

Step 2  Add the URL Filtering profile to the security policy rule that allows traffic from clients in the trust zone to the Internet.
  1. Select Policies > Security and select a rule to which to apply the URL filtering profile that you just enabled for Safe Search Enforcement.
  2. On the Actions tab, select the URL Filtering profile.
  3. Click OK to save the security policy rule.

Step 3  Enable SSL Forward Proxy decryption.
  Because most search engines encrypt their search results, you must enable SSL forward proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.
  1. Add a custom URL category for the search sites:
     a. Select Objects > Custom Objects > URL Category and Add a custom category.
     b. Enter a Name for the category, such as SearchEngineDecryption.
     c. Add the following to the Sites list:
          www.bing.*
          www.google.*
          search.yahoo.*
     d. Click OK to save the custom URL category object.
  2. Follow the steps to Configure SSL Forward Proxy.
  3. On the Service/URL Category tab in the Decryption policy rule, Add the custom URL category you just created and then click OK.


Step 4  (Optional, but recommended) Block Bing search traffic running over SSL.
  Because the Bing SSL search engine does not adhere to the safe search settings, for full safe search enforcement, you must deny all Bing sessions that run over SSL.
  1. Add a custom URL category for Bing:
     a. Select Objects > Custom Objects > URL Category and Add a custom category.
     b. Enter a Name for the category, such as EnableBingSafeSearch.
     c. Add the following to the Sites list:
          www.bing.com/images/*
          www.bing.com/videos/*
     d. Click OK to save the custom URL category object.
  2. Create another URL filtering profile to block the custom category you just created:
     a. Select Objects > Security Profiles > URL Filtering.
     b. Add a new profile and give it a descriptive Name.
     c. Locate the custom category in the Category list and set it to block.
     d. Click OK to save the URL filtering profile.
  3. Add a security policy rule to block Bing SSL traffic:
     a. Select Policies > Security and Add a policy rule that allows traffic from your trust zone to the Internet.
     b. On the Actions tab, attach the URL filtering profile you just created to block the custom Bing category.
     c. On the Service/URL Category tab Add a New Service and give it a descriptive Name, such as bingssl.
     d. Select TCP as the Protocol and set the Destination Port to 443.
     e. Click OK to save the rule.
     f. Use the Move options to ensure that this rule is below the rule that has the URL filtering profile with safe search enforcement enabled.

Step 5  Save the configuration.
  Click Commit.


Step 6  Verify the Safe Search Enforcement configuration.
  This verification step only works if you are using block pages to enforce safe search. If you are using transparent safe search enforcement, the firewall block page will invoke a URL rewrite with the safe search parameters in the query string.
  1. From a computer that is behind the firewall, disable the strict search settings for one of the supported search providers. For example, on bing.com, click the Preferences icon on the Bing menu bar.
  2. Set the SafeSearch option to Moderate or Off and click Save.
  3. Perform a Bing search and verify that the URL Filtering Safe Search Block page displays instead of the search results.
  4. Use the link in the block page to go to the search settings for the search provider and set the safe search setting back to the strictest setting (Strict in the case of Bing) and then click Save.
  5. Perform a search again from Bing and verify that the filtered search results display instead of the block page.

Enable Transparent Safe Search Enforcement

If you want to enforce filtering of search query results with the strictest safe search filters, but you don't want your end users to have to manually configure the settings, you can enable transparent safe search enforcement as follows. This functionality is supported on the Google, Yahoo, and Bing search engines only and requires Content Release version 475 or later.

Enable Transparent Safe Search Enforcement

Step 1  Make sure the firewall is running Content Release version 475 or later.
        1. Select Device > Dynamic Updates.
        2. Check the Applications and Threats section to determine what update is currently running.
        3. If the firewall is not running the required update or later, click Check Now to retrieve a list of available updates.
        4. Locate the required update and click Download.
        5. After the download completes, click Install.

Step 2  Enable Safe Search Enforcement in the URL Filtering profile.
        1. Select Objects > Security Profiles > URL Filtering.
        2. Select an existing profile to modify, or clone the default profile to create a new one.
        3. On the Settings tab, select the Safe Search Enforcement check box to enable it.
        4. (Optional) Allow access to specific search engines only:
           a. On the Categories tab, set the search-engines category to block.
           b. For each search engine that you want end users to be able to access, enter the web address in the Allow List text box. For example, to allow users access to Google and Bing searches only, you would enter the following:
              www.google.com
              www.bing.com
        5. Configure other settings as necessary to:
           - Define how to control access to web content.
           - Define websites that should always be blocked or allowed.
        6. Click OK to save the profile.

Step 3  Add the URL Filtering profile to the security policy rule that allows traffic from clients in the trust zone to the Internet.
        1. Select Policies > Security and select a rule to which to apply the URL filtering profile that you just enabled for Safe Search Enforcement.
        2. On the Actions tab, select the URL Filtering profile.
        3. Click OK to save the security policy rule.

Step 4  (Optional, but recommended) Block Bing search traffic running over SSL.
        Because the Bing SSL search engine does not adhere to the safe search settings, for full safe search enforcement you must deny all Bing sessions that run over SSL.
        1. Add a custom URL category for Bing:
           a. Select Objects > Custom Objects > URL Category and Add a custom category.
           b. Enter a Name for the category, such as EnableBingSafeSearch.
           c. Add the following to the Sites list:
              www.bing.com/images/*
              www.bing.com/videos/*
           d. Click OK to save the custom URL category object.
        2. Create another URL filtering profile to block the custom category you just created:
           a. Select Objects > Security Profiles > URL Filtering.
           b. Add a new profile and give it a descriptive Name.
           c. Locate the custom category you just created in the Category list and set it to block.
           d. Click OK to save the URL filtering profile.
        3. Add a security policy rule to block Bing SSL traffic:
           a. Select Policies > Security and Add a policy rule that allows traffic from your trust zone to the Internet.
           b. On the Actions tab, attach the URL filtering profile you just created to block the custom Bing category.
           c. On the Service/URL Category tab, Add a New Service and give it a descriptive Name, such as bingssl.
           d. Select TCP as the Protocol and set the Destination Port to 443.
           e. Click OK to save the rule.
           f. Use the Move options to ensure that this rule is below the rule that has the URL filtering profile with safe search enforcement enabled.

Step 5  Edit the URL Filtering Safe Search Block Page, replacing the existing code with the JavaScript for rewriting search query URLs to enforce safe search transparently.
        1. Select Device > Response Pages > URL Filtering Safe Search Block Page.
        2. Select Predefined and then click Export to save the file locally.
        3. Use an HTML editor to replace all of the existing block page text with the transparent safe search script, and then save the file.
           Copy the transparent safe search script and paste it into the HTML editor, replacing the entire block page.

Step 6  Import the edited URL Filtering Safe Search Block page onto the firewall.
        1. To import the edited block page, select Device > Response Pages > URL Filtering Safe Search Block Page.
        2. Click Import and then enter the path and file name in the Import File field, or Browse to locate the file.
        3. (Optional) Select the virtual system on which this block page will be used from the Destination drop-down, or select shared to make it available to all virtual systems.
        4. Click OK to import the file.

Step 7  Enable SSL Forward Proxy decryption.
        Because most search engines encrypt their search results, you must enable SSL forward proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings. Without decryption the firewall cannot see the query string, so neither the block page nor the transparent rewrite can be applied to HTTPS searches.
        1. Add a custom URL category for the search sites:
           a. Select Objects > Custom Objects > URL Category and Add a custom category.
           b. Enter a Name for the category, such as SearchEngineDecryption.
           c. Add the following to the Sites list:
              www.bing.*
              www.google.*
              search.yahoo.*
           d. Click OK to save the custom URL category object.
        2. Follow the steps to Configure SSL Forward Proxy.
        3. On the Service/URL Category tab in the Decryption policy rule, Add the custom URL category you just created and then click OK.

Step 8  Save the configuration.
        Click Commit.
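The procedure above relies on a block-page script that rewrites a search query URL so that the provider's strictest safe search parameter is present. The following is an added example that models that check and rewrite in Python so the logic can be tested offline; it is not the Palo Alto Networks block-page script and does not reproduce it. The host prefixes follow the SearchEngineDecryption custom category in the procedure (www.google.*, www.bing.*, search.yahoo.*). The query parameter names and strict values (google safe=active, bing adlt=strict, yahoo vm=r) are the commonly documented provider settings and are an assumption of this example, not something the guide states.

```python
"""Check and rewrite search-engine query URLs for strict safe search.

Added example for the transparent safe search procedure. Not PAN-OS code and
not the Palo Alto Networks block-page script. Provider parameter names and
values below are assumptions of this example.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# provider -> (query parameter, value that selects strict safe search). ASSUMED.
STRICT_PARAMS = {
    "google": ("safe", "active"),
    "bing": ("adlt", "strict"),
    "yahoo": ("vm", "r"),
}

# Host prefixes mirroring the SearchEngineDecryption custom URL category sites.
HOST_PREFIXES = (
    ("www.google.", "google"),
    ("www.bing.", "bing"),
    ("search.yahoo.", "yahoo"),
)


def provider_for(url):
    """Return the search provider for a URL, or None if it is not one we know."""
    host = (urlsplit(url).hostname or "").lower()
    for prefix, name in HOST_PREFIXES:
        if host.startswith(prefix):
            return name
    return None


def safe_search_state(url):
    """Classify a URL as 'strict', 'not-strict' or 'n/a'.

    'n/a' means the URL is not a query (no query string) on a known provider.
    'not-strict' is the case that, on a decrypted session, makes the firewall
    serve the block page or, with transparent enforcement, rewrite the URL.
    """
    provider = provider_for(url)
    parts = urlsplit(url)
    if provider is None or not parts.query:
        return "n/a"
    param, strict_value = STRICT_PARAMS[provider]
    values = [v for k, v in parse_qsl(parts.query, keep_blank_values=True) if k == param]
    if values and all(v == strict_value for v in values):
        return "strict"
    return "not-strict"


def enforce_safe_search(url):
    """Return the URL with the provider's strict parameter set.

    A weaker value already present (for example adlt=off) is replaced in
    place; a missing parameter is appended. Any duplicate of the parameter is
    dropped so a client cannot smuggle a second, weaker value. URLs that are
    'strict' or 'n/a' are returned unchanged.
    """
    if safe_search_state(url) != "not-strict":
        return url
    parts = urlsplit(url)
    param, strict_value = STRICT_PARAMS[provider_for(url)]
    pairs = []
    replaced = False
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == param:
            if not replaced:
                pairs.append((key, strict_value))
                replaced = True
            continue  # drop duplicates of the safe search parameter
        pairs.append((key, value))
    if not replaced:
        pairs.append((param, strict_value))
    return urlunsplit(parts._replace(query=urlencode(pairs)))
```

Because the check operates on the query string, it can only be applied to traffic the firewall has decrypted, which is why the procedure requires SSL Forward Proxy for the search sites. The rewrite also cannot help where the provider ignores the parameter: that is why the procedure blocks Bing image and video search over SSL outright instead of rewriting it.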


Set Up the PAN-DB Private Cloud

To deploy one or more M-500 appliances as a PAN-DB private cloud within your network or data center, you must complete the following tasks:
- Set Up the PAN-DB Private Cloud
- Configure the Firewalls to Access the PAN-DB Private Cloud

Set Up the PAN-DB Private Cloud

Set up the PAN-DB Private Cloud

Step 1  Rack mount the M-500 appliance.
        Refer to the M-500 Hardware Reference Guide for instructions.

Step 2  Register the M-500 appliance.
        For instructions on registering the M-500 appliance, see Register the Firewall.

Step 3  Perform Initial Configuration of the M-500 Appliance.
        The M-500 appliance in PAN-DB mode uses two ports, MGT (Eth0) and Eth1; Eth2 is not used in PAN-DB mode. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud. For communication between the appliance (PAN-DB server) and the firewalls on the network, you can use the MGT port or Eth1.
        1. Connect to the M-500 appliance in one of the following ways:
           - Attach a serial cable from a computer to the Console port on the M-500 appliance and connect using terminal emulation software (9600-8-N-1).
           - Attach an RJ-45 Ethernet cable from a computer to the MGT port on the M-500 appliance. From a browser, go to https://192.168.1.1. Enabling access to this URL might require changing the IP address on the computer to an address in the 192.168.1.0 network (for example, 192.168.1.2).
        2. When prompted, log in to the appliance using the default username and password (admin/admin). The appliance will begin to initialize. Change the default admin password before you connect the management interface to a production network.
        3. Configure the network access settings, including the IP address for the MGT interface:
           set deviceconfig system ip-address <server-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
           where <server-IP> is the IP address you want to assign to the management interface of the server, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the primary DNS server.
        4. Configure the network access settings, including the IP address for the Eth1 interface:
           set deviceconfig system eth1 ip-address <server-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
           where <server-IP> is the IP address you want to assign to the data interface of the server, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the DNS server.
        5. Save your changes to the PAN-DB server:
           commit


Step 4  Switch to PAN-DB private cloud mode.
        1. To switch to PAN-DB mode, use the CLI command:
           request system system-mode pan-url-db
           You can switch from Panorama mode to PAN-DB mode and back, and from Panorama mode to Log Collector mode and back. Switching directly from PAN-DB mode to Log Collector mode, or vice versa, is not supported. When switching operational mode, a data reset is triggered. With the exception of management access settings, all existing configuration and logs are deleted on restart.
        2. Use the following command to verify that the mode has changed; the system-mode field must read Pan-URL-DB:
           show system info
           hostname: M-500
           ip-address: 1.2.3.4
           netmask: 255.255.255.0
           default-gateway: 1.2.3.1
           ipv6-address: unknown
           ipv6-link-local-address: fe80:00/64
           ipv6-default-gateway:
           mac-address: 00:56:90:e7:f6:8e
           time: Mon Apr 27 13:43:59 2015
           uptime: 10 days, 1:51:28
           family: m
           model: M-500
           serial: 0073010000xxx
           sw-version: 7.0.0
           app-version: 492-2638
           app-release-date: 2015/03/19 20:05:33
           av-version: 0
           av-release-date: unknown
           wf-private-version: 0
           wf-private-release-date: unknown
           logdb-version: 7.0.9
           platform-family: m
           pan-url-db: 20150417-220
           system-mode: Pan-URL-DB
           operational-mode: normal
        3. Use the following command to check the version of the cloud database on the appliance:
           show pan-url-cloud-status
           Cloud status: Up
           URL database version: 20150417-220


Step 5  Install content and database updates.
        The appliance only stores the currently running version of the content and one earlier version.
        Pick one of the following methods of installing the content and database updates:
        - If the PAN-DB server has direct Internet access, use the following commands:
          a. To check whether a new version is published, use:
             request pan-url-db upgrade check
          b. To check the version that is currently installed on your server, use:
             request pan-url-db upgrade info
          c. To download and install the latest version:
             request pan-url-db upgrade download latest
             request pan-url-db upgrade install <version latest | file>
          d. To schedule the M-500 appliance to automatically check for updates:
             set deviceconfig system update-schedule pan-url-db recurring weekly action download-and-install day-of-week <day of week> at <hr:min>
        - If the PAN-DB server is offline, access the Palo Alto Networks Customer Support website to download and save the content updates to an SCP server on your network. You can then import and install the updates using the following commands:
             scp import pan-url-db remote-port <port-number> from username@host:path
             request pan-url-db upgrade install file <filename>


Step 6  Set up administrative access to the PAN-DB private cloud.
        The appliance has a default admin account. Any additional administrative users that you create can either be superusers (with full access) or superusers with read-only access.
        The PAN-DB private cloud does not support the use of RADIUS VSAs. If the VSAs used on the firewall or Panorama are used for enabling access to the PAN-DB private cloud, an authentication failure will occur.
        To set up a local administrative user on the PAN-DB server:
          a. configure
          b. set mgt-config users <username> permissions role-based <superreader | superuser> yes
          c. set mgt-config users <username> password
             Enter password: xxxxx
             Confirm password: xxxxx
          d. commit
        To set up an administrative user with RADIUS authentication:
          a. Create a RADIUS server profile.
             set shared server-profile radius <server_profile_name> server <server_name> ip-address <ip_address> port <port_no> secret <shared_password>
          b. Create an authentication profile.
             set shared authentication-profile <auth_profile_name> user-domain <domain_name_for_authentication> allow-list <all> method radius server-profile <server_profile_name>
          c. Attach the authentication profile to the user.
             set mgt-config users <username> authentication-profile <auth_profile_name>
          d. Commit the changes.
             commit
        To view the list of users:
          show mgt-config users
          users {
            admin {
              phash fnRL/G5lXVMug;
              permissions {
                role-based {
                  superuser yes;
                }
              }
            }
            admin_user_2 {
              permissions {
                role-based {
                  superreader yes;
                }
              }
              authentication-profile RADIUS;
            }
          }

Step 7  Configure the Firewalls to Access the PAN-DB Private Cloud.


Configure the Firewalls to Access the PAN-DB Private Cloud

When using the PAN-DB public cloud, each firewall accesses the PAN-DB servers in the AWS cloud to download the list of eligible servers to which it can connect for URL lookups. With the PAN-DB private cloud, you must configure the firewalls with a (static) list of your PAN-DB private cloud servers that will be used for URL lookups. The list can contain up to 20 entries; IPv4 addresses, IPv6 addresses, and FQDNs are supported. Each entry on the list (IP address or FQDN) must be assigned to the management port and/or eth1 of the PAN-DB server.

Configure the Firewalls to Access the PAN-DB Private Cloud

Step 1  Pick one of the following options based on the PAN-OS version on the firewall.
        a. For firewalls running PAN-OS 7.0 or later, access the PAN-OS CLI or the web interface on the firewall.
           Use the following CLI command to configure access to the private cloud:
           set deviceconfig setting pan-url-db cloud-static-list <IP addresses> enable
           Or, in the web interface for each firewall:
           1. Select Device > Setup > Content-ID and edit the URL Filtering section.
           2. Enter the PAN-DB Server IP address(es) or FQDN(s). The list must be comma-separated.
        b. For firewalls running PAN-OS 5.0, 6.0, or 6.1, use the following CLI command to configure access to the private cloud:
           debug device-server pan-url-db cloud-static-list-enable <IP addresses> enable

        To delete the entries for the private PAN-DB servers and allow the firewalls to connect to the PAN-DB public cloud, use the command:
        set deviceconfig setting pan-url-db cloud-static-list <IP addresses> disable
        When you delete the list of private PAN-DB servers, a re-election process is triggered on the firewall. The firewall first checks for the list of PAN-DB private cloud servers and, when it cannot find one, accesses the PAN-DB servers in the AWS cloud to download the list of eligible servers to which it can connect.

Step 2  Commit your changes.

Step 3  To verify that the change is effective, use the following CLI command on the firewall:
        show url-cloud-status
        Cloud status: Up
        URL database version: 20150417-220


URL Filtering Use Case Examples

The following use cases show how to use App-ID to control a specific set of web-based applications and how to use URL categories as match criteria in a policy. When working with App-ID, it is important to understand that each App-ID signature may have dependencies that are required to fully control an application. For example, with Facebook applications, the App-ID facebook-base is required to access the Facebook website and to control other Facebook applications, so to configure the firewall to control Facebook email you would have to allow the App-IDs facebook-base and facebook-mail. As another example, if you search Applipedia (the App-ID database) for LinkedIn, you will see that in order to control LinkedIn mail, you need to apply the same action to both App-IDs: linkedin-base and linkedin-mail. To determine application dependencies for App-ID signatures, visit Applipedia, search for the given application, and then click the application for details.

The User-ID feature is required to implement policies based on users and groups, and a Decryption policy is required to identify and control websites that are encrypted using SSL/TLS.

This section includes two use cases:
- Use Case: Control Web Access
- Use Case: Use URL Categories for Policy Matching

Use Case: Control Web Access

When using URL filtering to control user website access, there may be instances where granular control is required for a given website. In this use case, a URL filtering profile is applied to the security policy rule that allows web access for your users; the social-networking URL category is set to block, but the allow list in the URL profile is configured to allow the social networking site Facebook. To further control Facebook, the company policy also states that only marketing has full access to Facebook, and all other users within the company can only read Facebook posts and cannot use any other Facebook applications, such as email, posting, chat, and file sharing. To accomplish this requirement, App-ID must be used to provide granular control over Facebook.

The first security rule will allow marketing to access the Facebook website as well as all Facebook applications. Because this allow rule will also allow access to the Internet, threat prevention profiles are applied to the rule, so traffic that matches the policy will be scanned for threats. This is important because the allow rule is terminal: the firewall does not continue to check other rules once a session matches it.

Control Web Access

Step 1  Confirm that URL filtering is licensed.
        1. Select Device > Licenses and confirm that a valid date appears for the URL filtering database that will be used. This will be either PAN-DB or BrightCloud.
        2. If a valid license is not installed, see Enable PAN-DB URL Filtering.


Step 2  Confirm that User-ID is working. User-ID is required to create policies based on users and groups.
        1. To check Group Mapping from the CLI, enter the following command:
           show user group-mapping statistics
        2. To check User Mapping from the CLI, enter the following command:
           show user ip-user-mapping-mp all
        3. If statistics do not appear and/or IP-address-to-user mapping information is not displayed, see User-ID.

Step 3  Set up a URL filtering profile by cloning the default profile.
        1. Select Objects > Security Profiles > URL Filtering and select the default profile.
        2. Click the Clone icon. A new profile should appear named default-1.
        3. Select the new profile and rename it.

Step 4  Configure the URL filtering profile to block social-networking and allow Facebook.
        1. Modify the new URL filtering profile: in the Category list scroll to social-networking and, in the Action column, click on allow and change the action to block.
        2. In the Allow List, enter facebook.com, press Enter to start a new line, and then type *.facebook.com. Both of these formats are required so that all URL variants a user may use will be identified, such as facebook.com, www.facebook.com, and https://facebook.com.
        3. Click OK to save the profile.

Step 5  Apply the new URL filtering profile to the security policy rule that allows web access from the user network to the Internet.
        1. Select Policies > Security and click on the policy rule that allows web access.
        2. On the Actions tab, select the URL profile you just created from the URL Filtering drop-down.
        3. Click OK to save.


Step 6  Create the security policy rule that will allow marketing to access the Facebook website and all Facebook applications.
        This rule must precede other rules because:
        - It is a specific rule. More specific rules must precede other rules.
        - An allow rule terminates rule evaluation when a traffic match occurs.
        1. Select Policies > Security and click Add.
        2. Enter a Name and optionally a Description and Tag(s).
        3. On the Source tab, add the zone where the users are connected.
        4. On the User tab, in the Source User section, click Add.
        5. Select the directory group that contains your marketing users.
        6. On the Destination tab, select the zone that is connected to the Internet.
        7. On the Applications tab, click Add and add the facebook App-ID signature.
        8. On the Actions tab, add the default profiles for Antivirus, Vulnerability Protection, and Anti-Spyware.
        9. Click OK to save the security policy rule.
        The facebook App-ID signature used in this policy rule encompasses all Facebook applications, such as facebook-base, facebook-chat, and facebook-mail, so this is the only App-ID signature required in this rule.
        With this rule in place, when a marketing employee attempts to access the Facebook website or any Facebook application, the rule matches based on the user being part of the marketing group. For traffic from any user outside of marketing, the rule is skipped because there is no traffic match, and rule processing continues.


Step 7  Configure the security policy to block all other users from using any Facebook applications other than simple web browsing. The easiest way to do this is to clone the marketing allow policy and then modify it.
        1. From Policies > Security, click the marketing Facebook allow policy you created earlier to highlight it and then click the Clone icon.
        2. Enter a Name and optionally enter a Description and Tag(s).
        3. On the User tab, highlight the marketing group and delete it, and in the drop-down select any.
        4. On the Applications tab, click the facebook App-ID signature and delete it.
        5. Click Add and add the following App-ID signatures:
           facebook-apps
           facebook-chat
           facebook-file-sharing
           facebook-mail
           facebook-posting
           facebook-social-plugin
        6. On the Actions tab, in the Action Setting section, select Deny. The profile settings should already be correct because this rule was cloned.
        7. Click OK to save the security policy rule.
        8. Ensure that this new deny rule is listed after the marketing allow rule, so that rule processing occurs in the correct order: marketing users are allowed first, and all other users are then denied/limited.
        9. Click Commit to save the configuration.

With these security policy rules in place, any user who is part of the marketing group will have full access to all Facebook applications, and any user that is not part of the marketing group will only have read-only access to the Facebook website and will not be able to use Facebook applications such as post, chat, email, and file sharing.


Use Case: Use URL Categories for Policy Matching

URL categories can also be used as match criteria in the following policy types: Captive Portal, Decryption, Security, and QoS. In this use case, URL categories are used in Decryption policy rules to control which web categories should be decrypted or not decrypted. The first rule is a no-decrypt rule that will not decrypt user traffic if the website category is financial-services or health-and-medicine, and the second rule will decrypt all other traffic. The decryption policy type is ssl-forward-proxy, which is used for controlling decryption for all outbound connections performed by users.

Configure a Decryption Policy Based on URL Category

Step 1  Create the no-decrypt rule that will be listed first in the decryption policies list. This will prevent any website that is in the financial-services or health-and-medicine URL categories from being decrypted.
        1. Select Policies > Decryption and click Add.
        2. Enter a Name and optionally enter a Description and Tag(s).
        3. On the Source tab, add the zone where the users are connected.
        4. On the Destination tab, enter the zone that is connected to the Internet.
        5. On the URL Category tab, click Add and select the financial-services and health-and-medicine URL categories.
        6. On the Options tab, set the action to No Decrypt.
        7. (Optional) Although the firewall does not decrypt and inspect the traffic for the session, you can attach a Decryption profile if you want to enforce checks on the server certificates used during the session. The decryption profile allows you to configure the firewall to terminate the SSL connection either when the server certificates are expired or when the server certificates are issued by an untrusted issuer.
        8. Click OK to save the policy rule.


Step 2  Create the decryption policy rule that will decrypt all other traffic.
        1. Select the no-decrypt policy you created previously and then click Clone.
        2. Enter a Name and optionally enter a Description and Tag(s).
        3. On the URL Category tab, select financial-services and health-and-medicine and then click the Delete icon.
        4. On the Options tab, set the action to Decrypt and the Type to SSL Forward Proxy.
        5. (Optional) Attach a Decryption profile to specify the server certificate verification, unsupported mode checks, and failure checks for the SSL traffic. See Configure SSL Forward Proxy for more details.
        6. Ensure that this new decryption rule is listed after the no-decrypt rule so that rule processing occurs in the correct order and websites in the financial-services and health-and-medicine categories are not decrypted.
        7. Click OK to save the policy rule.

Step 3  (BrightCloud only) Enable cloud lookups for dynamically categorizing a URL when the category is not available in the local database on the firewall.
        1. Access the CLI on the firewall.
        2. Enter the following commands to enable Dynamic URL Filtering:
           a. configure
           b. set deviceconfig setting url dynamic-url yes
           c. commit

Step 4  Save the configuration.
        Click Commit.

With these two decryption policies in place, any traffic destined for the financial-services or health-and-medicine URL categories will not be decrypted. All other traffic will be decrypted.

Now that you have a basic understanding of the features of URL filtering, App-ID, and User-ID, you can apply similar policies to your firewall to control any application in the Palo Alto Networks App-ID signature database and control any website contained in the URL filtering database.

For help in troubleshooting URL filtering issues, see Troubleshoot URL Filtering.
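Both use cases above depend on the same property: the firewall evaluates rules top-down and stops at the first match, so an allow or deny that sits above a more specific rule shadows it. The following added example models that first-match evaluation in Python for the Facebook security rules (Control Web Access) and the URL-category decryption rules (Use URL Categories for Policy Matching) and shows what happens when the order is reversed. It is a model written for this page, not PAN-OS code; the rule and session objects, and the treatment of the facebook-* App-IDs as children of the facebook container App-ID (which the guide says encompasses them), are simplifications assumed by the example.

```python
"""First-match policy model for the two URL filtering use cases.

Added example; not PAN-OS code. Rule and Session fields are a simplification
of the real policy match criteria, and APP_PARENT is an assumed model of the
guide's statement that the facebook App-ID encompasses the facebook-* apps.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

ANY = None  # a rule field set to ANY matches every session

# Sub-applications covered by the facebook container App-ID (assumed model).
APP_PARENT = {
    "facebook-base": "facebook",
    "facebook-apps": "facebook",
    "facebook-chat": "facebook",
    "facebook-file-sharing": "facebook",
    "facebook-mail": "facebook",
    "facebook-posting": "facebook",
    "facebook-social-plugin": "facebook",
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # allow/deny or decrypt/no-decrypt
    source_groups: Optional[FrozenSet[str]] = ANY  # User-ID groups
    applications: Optional[FrozenSet[str]] = ANY   # App-ID names
    url_categories: Optional[FrozenSet[str]] = ANY  # URL categories


@dataclass(frozen=True)
class Session:
    user_groups: FrozenSet[str]
    application: str = "web-browsing"
    url_category: str = "unknown"


def matches(rule, session):
    """True if every non-ANY field of the rule matches the session."""
    if rule.source_groups is not ANY and not (rule.source_groups & session.user_groups):
        return False
    if rule.applications is not ANY:
        app_and_parent = {session.application, APP_PARENT.get(session.application)}
        if not (rule.applications & app_and_parent):
            return False
    if rule.url_categories is not ANY and session.url_category not in rule.url_categories:
        return False
    return True


def first_match(rules, session):
    """Top-down evaluation: the first matching rule wins, whatever its action."""
    for rule in rules:
        if matches(rule, session):
            return rule
    return None


def decide(rules, session):
    """(rule name, action) of the first match, or (None, None) if nothing matched."""
    rule = first_match(rules, session)
    return (rule.name, rule.action) if rule else (None, None)


# The Control Web Access rulebase in the order the guide prescribes.
SECURITY_RULES = [
    Rule("marketing-facebook-allow", "allow",
         source_groups=frozenset({"marketing"}), applications=frozenset({"facebook"})),
    Rule("facebook-apps-deny", "deny",
         applications=frozenset({"facebook-apps", "facebook-chat", "facebook-file-sharing",
                                 "facebook-mail", "facebook-posting", "facebook-social-plugin"})),
    # The pre-existing web access rule that carries the URL filtering profile
    # (social-networking blocked, facebook.com on the allow list).
    Rule("web-access-allow", "allow"),
]

# The decryption rulebase: no-decrypt for the two categories, decrypt the rest.
DECRYPTION_RULES = [
    Rule("no-decrypt-finance-health", "no-decrypt",
         url_categories=frozenset({"financial-services", "health-and-medicine"})),
    Rule("decrypt-everything-else", "decrypt"),
]
```

Reordering either list is what the guide's "ensure that this rule is listed after" steps guard against: with the any-user deny rule above the marketing allow rule, marketing's Facebook chat is denied; with the decrypt-all rule above the no-decrypt rule, banking traffic is decrypted.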


Troubleshoot URL Filtering

The following topics provide troubleshooting guidelines for diagnosing and resolving common URL filtering problems.
- Problems Activating PAN-DB
- PAN-DB Cloud Connectivity Issues
- URLs Classified as Not-Resolved
- Incorrect Categorization
- URL Database Out of Date

Problems Activating PAN-DB

The following table describes procedures that you can use to resolve issues with activating PAN-DB.

Troubleshoot PAN-DB Activation Issues

Step 1  Access the PAN-OS CLI.

Step 2  Verify whether PAN-DB has been activated by running the following command:
        admin@PA-200> show system setting url-database
        If the response is paloaltonetworks, then PAN-DB is the active vendor.

Step 3  Verify that the firewall has a valid PAN-DB license by running the following command:
        admin@PA-200> request license info
        You should see the license entry Feature: PAN_DB URL Filtering. If the license is not installed, you will need to obtain and install a license. See Configure URL Filtering.

Step 4  After the license is installed, download a new PAN-DB seed database by running the following command:
        admin@PA-200> request url-filtering download paloaltonetworks region <region>

Step 5  Check the download status by running the following command:
        admin@PA-200> request url-filtering download status vendor paloaltonetworks
        If the message is different from PAN-DB download: Finished successfully, stop here; there may be a problem connecting to the cloud. Attempt to solve the connectivity issue by performing basic network troubleshooting between the firewall and the Internet. For more information, see PAN-DB Cloud Connectivity Issues.
        If the message is PAN-DB download: Finished successfully, the firewall successfully downloaded the URL seed database. Try to enable PAN-DB again by running the following command:
        admin@PA-200> set system setting url-database paloaltonetworks

Step 6  If the problem persists, contact Palo Alto Networks Customer Support.

PAN-DB Cloud Connectivity Issues

To check cloud connectivity, run the following command:
admin@PA-200> show url-cloud status
If the cloud is accessible, the expected response is similar to the following:
admin@PA-200> show url-cloud status
PAN-DB URL Filtering
License : valid
Current cloud server : s0000.urlcloud.paloaltonetworks.com
Cloud connection : connected
URL database version - device : 2013.11.18.000
URL database version - cloud : 2013.11.18.000 ( last update time 2013/11/19 13:20:51 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible
If the cloud is not accessible, the expected response is similar to the following:
admin@PA-200> show url-cloud status
PAN-DB URL Filtering
License : valid
Cloud connection : not connected
URL database version - device : 2013.11.18.000
URL database version - cloud : 2013.11.18.000 ( last update time 2013/11/19 13:20:51 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible


The following table describes procedures that you can use to resolve issues based on the output of the show url-cloud status command, how to ping the URL cloud servers, and what to check if the firewall is in a High Availability (HA) configuration.

Troubleshoot Cloud Connectivity Issues

- PAN-DB URL Filtering License field shows invalid: obtain and install a valid PAN-DB license.
- URL database status is out-of-date: download a new seed database by running the following command:
  admin@PA-200> request url-filtering download paloaltonetworks region <region>
- URL protocol version shows not compatible: upgrade PAN-OS to the latest version.
- Attempt to ping the PAN-DB cloud server from the firewall by running the following command:
  admin@PA-200> ping source <ip-address> host s0000.urlcloud.paloaltonetworks.com
  For example, if your management interface IP address is 10.1.1.5, run the following command:
  admin@PA-200> ping source 10.1.1.5 host s0000.urlcloud.paloaltonetworks.com
- If the firewall is in an HA configuration, verify that the HA state of the firewalls supports connectivity to the cloud systems. You can determine the HA state by running the following command:
  admin@PA-200> show high-availability state
  Connection to the cloud will be blocked if the firewall is not in one of the following states:
  active
  active-primary
  active-secondary
- If the problem persists, contact Palo Alto Networks support.
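The table above is a decision list over the fields of show url-cloud status, which makes it a natural thing to script when you monitor many firewalls. The following added example parses that output and returns the remediation the table prescribes for each field; it is written for this page and is not PAN-OS code. The first two sample outputs are constructed from the guide's connected and not-connected examples; the third is constructed to exercise the stale-database and protocol-mismatch rows and uses the literal values out-of-date and not compatible, which is an assumption about the exact wording the firewall prints.

```python
"""Health check over the output of 'show url-cloud status'.

Added example for the PAN-DB Cloud Connectivity Issues section; not PAN-OS
code. The samples are constructed from the guide's output; the values
'out-of-date' and 'not compatible' in SAMPLE_STALE are assumed wording.
"""
import re

# "Key : value" lines. The key may contain " - "; the value may contain ":".
_FIELD = re.compile(r"^\s*(.+?)\s*:\s+(.*?)\s*$")

CLOUD_HOST = "s0000.urlcloud.paloaltonetworks.com"
HA_STATES_WITH_CLOUD_ACCESS = {"active", "active-primary", "active-secondary"}

SAMPLE_CONNECTED = """\
PAN-DB URL Filtering
License : valid
Current cloud server : s0000.urlcloud.paloaltonetworks.com
Cloud connection : connected
URL database version - device : 2013.11.18.000
URL database version - cloud : 2013.11.18.000 ( last update time 2013/11/19 13:20:51 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible
"""

# Constructed from the guide's not-connected example.
SAMPLE_NOT_CONNECTED = SAMPLE_CONNECTED.replace(
    "Current cloud server : s0000.urlcloud.paloaltonetworks.com\n", ""
).replace("Cloud connection : connected", "Cloud connection : not connected")

# Constructed to exercise the other two table rows (field wording assumed).
SAMPLE_STALE = SAMPLE_CONNECTED.replace(
    "URL database status : good", "URL database status : out-of-date"
).replace("Protocol compatibility status : compatible",
          "Protocol compatibility status : not compatible")


def parse_url_cloud_status(text):
    """Return the 'Key : value' fields of the command output as a dict."""
    fields = {}
    for line in text.splitlines():
        match = _FIELD.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def diagnose(fields, mgmt_ip="<ip-address>", ha_state=None):
    """Map parsed fields to (code, action) pairs, in the table's order.

    ha_state is the value from 'show high-availability state' for an HA
    member, or None for a standalone firewall.
    """
    findings = []
    if fields.get("License") != "valid":
        findings.append(("license-invalid",
                         "Obtain and install a valid PAN-DB license."))
    if fields.get("URL database status") != "good":
        findings.append(("database-stale",
                         "request url-filtering download paloaltonetworks region <region>"))
    if fields.get("Protocol compatibility status") != "compatible":
        findings.append(("protocol-incompatible",
                         "Upgrade PAN-OS to the latest version."))
    if fields.get("Cloud connection") != "connected":
        # While disconnected, any URL absent from the management plane cache
        # is categorized not-resolved (see URLs Classified as Not-Resolved).
        findings.append(("cloud-unreachable",
                         "ping source %s host %s" % (mgmt_ip, CLOUD_HOST)))
        if ha_state is not None and ha_state not in HA_STATES_WITH_CLOUD_ACCESS:
            findings.append(("ha-state-blocks-cloud",
                             "HA state '%s' blocks cloud access; expected active, "
                             "active-primary or active-secondary." % ha_state))
    return findings


def codes(findings):
    """Only the short codes, for comparison or alerting."""
    return [code for code, _ in findings]
```

Feed the function the text captured from the CLI (or from the API's op command) and alert on any non-empty result; a cloud-unreachable finding is worth treating as a policy incident rather than just an availability one, because while it persists the not-resolved category action in each URL filtering profile decides whether unknown sites are allowed.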

URLs Classified as Not-Resolved

The following table describes procedures you can use to resolve issues where some or all of the URLs being identified by PAN-DB are classified as not-resolved. Note that the action the firewall applies to such sessions is whatever is configured for the not-resolved category in the URL filtering profile, so a lookup failure relaxes enforcement unless that category is set to block.

Troubleshoot URLs Classified as Not-Resolved

Step 1  Check the PAN-DB cloud connection by running the following command:
        admin@PA-200> show url-cloud status
        The Cloud connection: field should show connected. If you see anything other than connected, any URL that does not exist in the management plane cache will be categorized as not-resolved. To resolve this issue, see PAN-DB Cloud Connectivity Issues.

Step 2  If the cloud connection status shows connected, check the current utilization of the firewall. If firewall utilization is spiking, URL requests may be dropped (they may not reach the management plane) and will be categorized as not-resolved.
        To view system resources, run the following command and view the %CPU and %MEM columns:
        admin@PA-200> show system resources
        You can also view system resources from the firewall's web interface by clicking the Dashboard tab and viewing the System Resources section.

Step 3  If the problem persists, contact Palo Alto Networks support.


IncorrectCategorization

ThefollowingstepsdescribetheproceduresyoucanuseifyouidentifyaURLthatdoesnothavethecorrect
categorization.Forexample,iftheURLpaloaltonetworks.comwascategorizedasalcoholandtobacco,the
categorizationisnotcorrect;thecategoryshouldbecomputerandinternetinfo.

TroubleshootIncorrectCategorizationIssues

Step1 Verifythecategoryinthedataplanebyrunningthefollowingcommand:
admin@PA-200> show running url <URL>
Forexample,toviewthecategoryforthePaloAltoNetworkswebsite,runthefollowingcommand:
admin@PA-200> show running url paloaltonetworks.com
IftheURLstoredinthedataplanecachehasthecorrectcategory(computerandinternetinfointhis
example), then the categorization is correct and no further action is required. If the category is not correct,
continue to the next step.

Step 2 Verify the category in the management plane by running the command:
admin@PA-200> test url-info-host <URL>
For example:
admin@PA-200> test url-info-host paloaltonetworks.com
If the URL stored in the management plane cache has the correct category, remove the URL from the
dataplane cache by running the following command:
admin@PA-200> clear url-cache url <URL>
The next time the firewall requests the category for this URL, the request will be forwarded to the
management plane. This will resolve the issue and no further action is required. If this does not solve the issue,
go to the next step to check the URL category on the cloud systems.

Step 3 Verify the category in the cloud by running the following command:
admin@PA-200> test url-info-cloud <URL>

Step 4 If the URL stored in the cloud has the correct category, remove the URL from the dataplane and the
management plane caches.
Run the following command to delete a URL from the dataplane cache:
admin@PA-200> clear url-cache url <URL>
Run the following command to delete a URL from the management plane cache:
admin@PA-200> delete url-database url <URL>
The next time the firewall queries for the category of the given URL, the request will be forwarded to the
management plane and then to the cloud. This should resolve the category lookup issue. If problems persist,
see the next step to submit a categorization change request.

Step 5 To submit a change request from the web interface, go to the URL log and select the log entry for the URL
you would like to have changed.

Step 6 Click the Request Categorization change link and follow the instructions. You can also request a category change
from the Palo Alto Networks Test A Site website by searching for the URL and then clicking the Request
Change icon. To view a list of all available categories with descriptions of each category, refer to
https://urlfiltering.paloaltonetworks.com/CategoryList.aspx.
If your change request is approved, you will receive an email notification. You then have two options to ensure
that the URL category is updated on the firewall:
• Wait until the URL in the cache expires; the next time the URL is accessed by a user, the new
categorization will be put in the cache.
• Run the following command to force an update in the cache:
admin@PA-200> request url-filtering update url <URL>
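The steps above depend on the order in which the firewall consults its caches: the dataplane cache first, the management plane cache second, and the PAN-DB cloud last. The following model is an added illustration (not PAN-OS code) that reproduces that lookup order and the effect of the three CLI commands in the procedure, so you can see why clearing the dataplane cache alone is enough when the management plane cache is already correct (Step 2), and why both caches must be cleared when only the cloud is correct (Step 4). The URL and category strings are constructed sample values.

```python
"""Model of the two-tier URL category lookup behind the troubleshooting steps.

Added illustration, not PAN-OS code. Lookups are answered from the dataplane
(DP) cache, then the management plane (MP) cache, then the PAN-DB cloud; the
method names mirror the CLI commands used in the procedure.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class UrlCategoryLookup:
    cloud: Dict[str, str]                                # authoritative PAN-DB answers (constructed)
    mp_cache: Dict[str, str] = field(default_factory=dict)
    dp_cache: Dict[str, str] = field(default_factory=dict)
    trace: List[str] = field(default_factory=list)       # which tier answered each lookup

    def lookup(self, url: str) -> str:
        """Category as the dataplane sees it; misses are filled from the tier above."""
        if url in self.dp_cache:
            self.trace.append("dataplane")
            return self.dp_cache[url]
        if url in self.mp_cache:
            self.trace.append("management-plane")
            category = self.mp_cache[url]
        else:
            self.trace.append("cloud")
            category = self.cloud.get(url, "unknown")
            self.mp_cache[url] = category
        self.dp_cache[url] = category
        return category

    # Modelled equivalents of the CLI commands in the procedure.
    def test_url_info_host(self, url: str) -> Optional[str]:   # test url-info-host <URL>
        return self.mp_cache.get(url)

    def test_url_info_cloud(self, url: str) -> Optional[str]:  # test url-info-cloud <URL>
        return self.cloud.get(url)

    def clear_url_cache(self, url: str) -> None:               # clear url-cache url <URL>
        self.dp_cache.pop(url, None)

    def delete_url_database(self, url: str) -> None:           # delete url-database url <URL>
        self.mp_cache.pop(url, None)


def repair_stale_category(fw: UrlCategoryLookup, url: str, correct_category: str) -> str:
    """Apply Steps 2-5 of the procedure and report what had to be done.

    "dataplane": only the DP copy was stale (Step 2).
    "dataplane+management-plane": both caches were stale (Step 4).
    "change-request": the cloud itself disagrees; no cache flush can fix that (Step 5).
    """
    if fw.test_url_info_cloud(url) != correct_category:
        return "change-request"
    if fw.test_url_info_host(url) == correct_category:
        fw.clear_url_cache(url)
        return "dataplane"
    fw.clear_url_cache(url)
    fw.delete_url_database(url)
    return "dataplane+management-plane"


def demo() -> List[str]:
    """Walk the three scenarios and return the repair action taken in each."""
    url = "www.example.test"            # constructed sample URL
    good, stale = "computer-and-internet-info", "malware"
    results = []

    fw = UrlCategoryLookup(cloud={url: good}, mp_cache={url: good}, dp_cache={url: stale})
    results.append(repair_stale_category(fw, url, good))       # only DP stale
    assert fw.lookup(url) == good and fw.trace[-1] == "management-plane"

    fw = UrlCategoryLookup(cloud={url: good}, mp_cache={url: stale}, dp_cache={url: stale})
    results.append(repair_stale_category(fw, url, good))       # both caches stale
    assert fw.lookup(url) == good and fw.trace[-1] == "cloud"

    fw = UrlCategoryLookup(cloud={url: stale}, mp_cache={url: stale}, dp_cache={url: stale})
    results.append(repair_stale_category(fw, url, good))       # cloud wrong too
    return results


if __name__ == "__main__":
    print(demo())
```

The `trace` list records which tier served the next lookup after a repair; it shows that after Step 2 the next request is answered by the management plane and after Step 4 by the cloud, exactly as the text describes.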


URL Database Out of Date

If you have observed through the syslog or the CLI that PAN-DB is out of date, it means that the connection
from the firewall to the URL cloud is blocked. This usually occurs when the URL database on the firewall is
too old (the version difference is more than three months) and the cloud cannot update the firewall
automatically. To resolve this issue, you will need to re-download an initial seed database from the
cloud (this operation is not blocked). This will result in an automatic reactivation of PAN-DB.
To manually update the database, perform one of the following steps:
• From the web interface, select Device > Licenses and in the PAN-DB URL Filtering section click the
Re-Download link.
• From the CLI, run the following command:
admin@PA-200> request url-filtering download paloaltonetworks region <region_name>

Re-downloading the seed database causes the URL cache in the management plane and dataplane
to be purged. The management plane cache will then be repopulated with the contents of the
new seed database.


Quality of Service

Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to dependably
run high-priority applications and traffic under limited network capacity. QoS technologies accomplish this
by providing differentiated handling and capacity allocation to specific flows in network traffic. This enables
the network administrator to assign the order in which traffic is handled, and the amount of bandwidth
afforded to traffic.
Palo Alto Networks Application Quality of Service (QoS) provides basic QoS applied to networks and
extends it to provide QoS to applications and users.
Use the following topics to learn about and configure Palo Alto Networks application-based QoS:
• QoS Overview
• QoS Concepts
• Configure QoS
• Configure QoS for a Virtual System
• Enforce QoS Based on DSCP Classification
• QoS Use Cases
Use the Palo Alto Networks product comparison tool to view the QoS features supported on
your firewall platform. Select two or more product platforms and click Compare Now to view
QoS feature support for each platform (for example, you can check if your firewall platform
supports QoS on subinterfaces and, if so, the maximum number of subinterfaces on which QoS
can be enabled).
QoS on Aggregate Ethernet (AE) interfaces is supported on PA-7000 Series, PA-5000 Series,
PA-3000 Series, and PA-2000 Series firewalls running PAN-OS 7.0 or later release versions.


QoS Overview

Use QoS to prioritize and adjust quality aspects of network traffic. You can assign the order in which packets
are handled and allot bandwidth, ensuring preferred treatment and optimal levels of performance are
afforded to selected traffic, applications, and users.
Service quality measurements subject to a QoS implementation are bandwidth (maximum rate of transfer),
throughput (actual rate of transfer), latency (delay), and jitter (variance in latency). The capability to shape
and control these service quality measurements makes QoS of particular importance to high-bandwidth,
real-time traffic such as voice over IP (VoIP), video conferencing, and video on demand, which has a high
sensitivity to latency and jitter. Additionally, use QoS to achieve outcomes such as the following:
• Prioritize network and application traffic, guaranteeing high priority to important traffic or limiting
non-essential traffic.
• Achieve equal bandwidth sharing among different subnets, classes, or users in a network.
• Allocate bandwidth externally or internally or both, applying QoS to both upload and download traffic or
to only upload or download traffic.
• Ensure low latency for customer and revenue-generating traffic in an enterprise environment.
• Perform traffic profiling of applications to ensure bandwidth usage.
QoS implementation on a Palo Alto Networks firewall begins with three primary configuration components
that support a full QoS solution: a QoS profile, a QoS policy, and setting up the QoS egress interface. Each
of these options in the QoS configuration task facilitates a broader process that optimizes and prioritizes the
traffic flow and allocates and ensures bandwidth according to configurable parameters.
The figure QoS Traffic Flow shows traffic as it flows from the source, is shaped by the firewall with QoS
enabled, and is ultimately prioritized and delivered to its destination.

QoS Traffic Flow

The QoS configuration options allow you to control the traffic flow and define it at different points in the
flow. The QoS Traffic Flow figure indicates where the configurable options define the traffic flow. A QoS policy
rule allows you to define traffic you want to receive QoS treatment and assign that traffic a QoS class. The
matching traffic is then shaped based on the QoS profile class settings as it exits the physical interface.
Each of the QoS configuration components influences the others, and the QoS configuration options can be
used to create a full and granular QoS implementation or can be used sparingly with minimal administrator
action.


Each firewall model supports a maximum number of ports that can be configured with QoS. Refer to the spec
sheet for your firewall model or use the product comparison tool to view QoS feature support for two or
more firewalls on a single page.


QoS Concepts

Use the following topics to learn about the different components and mechanisms of a QoS configuration
on a Palo Alto Networks firewall:
• QoS for Applications and Users
• QoS Policy
• QoS Profile
• QoS Classes
• QoS Priority Queuing
• QoS Bandwidth Management
• QoS Egress Interface
• QoS for Clear Text and Tunneled Traffic

QoS for Applications and Users

A Palo Alto Networks firewall provides basic QoS, controlling traffic leaving the firewall according to
network or subnet, and extends the power of QoS to also classify and shape traffic according to application
and user. The Palo Alto Networks firewall provides this capability by integrating the features App-ID and
User-ID with the QoS configuration. App-ID and User-ID entries that exist to identify specific applications
and users in your network are available in the QoS configuration so that you can easily specify applications
and users for which you want to manage and/or guarantee bandwidth.

QoS Policy

Use a QoS policy rule to define traffic to receive QoS treatment (either preferential treatment or
bandwidth limiting) and assign such traffic a QoS class of service.
Define a QoS policy rule to match traffic based on:
• Applications and application groups.
• Source zones, source addresses, and source users.
• Destination zones and destination addresses.
• Services and service groups limited to specific TCP and/or UDP port numbers.
• URL categories, including custom URL categories.
• Differentiated Services Code Point (DSCP) and Type of Service (ToS) values, which are used to indicate
the level of service requested for traffic, such as high priority or best-effort delivery.
Set up multiple QoS policy rules (Policies > QoS) to associate different types of traffic with different QoS
classes of service.

QoS Profile

Use a QoS profile rule to define values of up to eight QoS classes contained within that single profile rule.
With a QoS profile rule, you can define QoS priority queuing and QoS bandwidth management for QoS
classes. Each QoS profile rule allows you to configure individual bandwidth and priority settings for up to eight
QoS classes, as well as the total bandwidth allotted for the eight classes combined. Attach the QoS profile
rule (or multiple QoS profile rules) to a physical interface to apply the defined priority and bandwidth settings
to the traffic exiting that interface.
A default QoS profile rule is available on the firewall. The default profile rule and the classes defined in the
profile do not have predefined maximum or guaranteed bandwidth limits.
To define priority and bandwidth settings for QoS classes, Add a QoS profile rule.

QoS Classes

A QoS class determines the priority and bandwidth for traffic matching a QoS policy rule. You can use a QoS
profile rule to define QoS classes. There are up to eight definable QoS classes in a single QoS profile. Unless
otherwise configured, traffic that does not match a QoS class is assigned a class of 4.
QoS priority queuing and QoS bandwidth management, the fundamental mechanisms of a QoS
configuration, are configured within the QoS class definition (see Step 4). For each QoS class, you can set a
priority (real-time, high, medium, and low) and the maximum and guaranteed bandwidth for matching traffic.
QoS priority queuing and bandwidth management determine the order of traffic and how traffic is handled
upon entering or leaving a network.

QoS Priority Queuing

One of four priorities can be enforced for a QoS class: real-time, high, medium, and low. Traffic matching a
QoS policy rule is assigned the QoS class associated with that rule, and the firewall treats the matching traffic
based on the QoS class priority. Packets in the outgoing traffic flow are queued based on their priority until
the network is ready to process the packets. Priority queuing allows you to ensure that important traffic,
applications, and users take precedence. Real-time priority is typically used for applications that are
particularly sensitive to latency, such as voice and video applications.

QoS Bandwidth Management

QoS bandwidth management allows you to control traffic flows on a network so that traffic does not exceed
network capacity (resulting in network congestion) and also allows you to allocate bandwidth for certain
types of traffic and for applications and users. With QoS, you can enforce bandwidth for traffic on a narrow
or a broad scale. A QoS profile rule allows you to set bandwidth limits for individual QoS classes and the total
combined bandwidth for all eight QoS classes. As part of the steps to Configure QoS, you can attach the QoS
profile rule to a physical interface to enforce bandwidth settings on the traffic exiting that interface: the
individual QoS class settings are enforced for traffic matching that QoS class (QoS classes are assigned to
traffic matching QoS policy rules), and the overall bandwidth limit for the profile can be applied to all clear
text traffic, specific clear text traffic originating from source interfaces and source subnets, all tunneled
traffic, and individual tunnel interfaces. You can add multiple profile rules to a single QoS interface to apply
varying bandwidth settings to the traffic exiting that interface.
The following fields support QoS bandwidth settings:
• Egress Guaranteed: The amount of bandwidth guaranteed for matching traffic. When the egress
guaranteed bandwidth is exceeded, the firewall passes traffic on a best-effort basis. Bandwidth that is
guaranteed but is unused continues to remain available for all traffic. Depending on your QoS
configuration, you can guarantee bandwidth for a single QoS class, for all or some clear text traffic, and
for all or some tunneled traffic.
Example:
Class 1 traffic has 5 Gbps of egress guaranteed bandwidth, which means that 5 Gbps is available but is
not reserved for class 1 traffic. If class 1 traffic does not use or only partially uses the guaranteed
bandwidth, the remaining bandwidth can be used by other classes of traffic. However, during high traffic
periods, 5 Gbps of bandwidth is absolutely available for class 1 traffic. During these periods of
congestion, any class 1 traffic that exceeds 5 Gbps is best effort.
• Egress Max: The overall bandwidth allocation for matching traffic. The firewall drops traffic that exceeds
the egress max limit that you set. Depending on your QoS configuration, you can set a maximum
bandwidth limit for a QoS class, for all or some clear text traffic, for all or some tunneled traffic, and for
all traffic exiting the QoS interface.

The cumulative guaranteed bandwidth for the QoS profile rules attached to the interface must not exceed the
total bandwidth allocated to the interface.

To define bandwidth settings for QoS classes, Add a QoS profile rule. To then apply those bandwidth settings
to clear text and tunneled traffic, and to set the overall bandwidth limit for a QoS interface, enable QoS on
a physical interface.


QoS Egress Interface

Enabling a QoS profile rule on the egress interface of the traffic identified for QoS treatment completes a
QoS configuration. The ingress interface for QoS traffic is the interface on which the traffic enters the
firewall. The egress interface for QoS traffic is the interface that traffic leaves the firewall from. QoS is
always enabled and enforced on the egress interface for a traffic flow. The egress interface in a QoS
configuration can be either the external-facing or the internal-facing interface of the firewall, depending on the flow
of the traffic receiving QoS treatment.
For example, in an enterprise network, if you are limiting employees' download traffic from a specific
website, the egress interface in the QoS configuration is the firewall's internal interface, as the traffic flow is
from the Internet, through the firewall, and to your company network. Alternatively, when limiting
employees' upload traffic to the same website, the egress interface in the QoS configuration is the firewall's
external interface, as the traffic you are limiting flows from your company network, through the firewall, and
then to the Internet.

See Step 3 to learn how to identify the egress interface for applications that you want to receive QoS
treatment.

QoS for Clear Text and Tunneled Traffic

At a minimum, enabling a QoS interface requires you to select a default QoS profile rule that defines
bandwidth and priority settings for clear text traffic egressing the interface. However, when setting up or
modifying a QoS interface, you can apply granular QoS settings to outgoing clear text traffic and tunneled
traffic. QoS preferential treatment and bandwidth limiting can be enforced for tunneled traffic, for individual
tunnel interfaces, and/or for clear text traffic originating from different source interfaces and source
subnets. On Palo Alto Networks firewalls, tunneled traffic refers to tunnel interface traffic, specifically IPSec
traffic in tunnel mode.


Configure QoS

Follow these steps to configure Quality of Service (QoS), which includes creating a QoS profile, creating a
QoS policy, and enabling QoS on an interface.

Configure QoS

Step 1 Identify the traffic you want to manage with QoS.
This example shows how to use QoS to limit web-browsing.
Select ACC to view the Application Command Center page. Use the
settings and charts on the ACC page to view trends and traffic
related to Applications, URL filtering, Threat Prevention, Data
Filtering, and HIP Matches.
Click any application name to display detailed application
information.

Step 2 Identify the egress interface for applications that you want to receive QoS treatment.
The egress interface for traffic depends on the traffic flow. If you are shaping incoming traffic, the
egress interface is the internal-facing interface. If you are shaping outgoing traffic, the egress interface is the
external-facing interface.
Select Monitor > Logs > Traffic to view the Traffic logs.
To filter and only show logs for a specific application:
• If an entry is displayed for the application, click the underlined
link in the Application column, then click the Submit icon.
• If an entry is not displayed for the application, click the Add Log
icon and search for the application.
The Egress I/F column in the traffic logs displays each application's egress
interface. To display the Egress I/F column if it is not displayed by
default:
• Click any column header to add a column to the log.
• Click the spyglass icon to the left of any entry to display a
detailed log that includes the application's egress interface listed
in the Destination section.


Step 3 Add a QoS policy rule.
A QoS policy rule defines the traffic to receive QoS treatment. The firewall assigns a QoS class of service to the
traffic matched to the policy rule.
1. Select Policies > QoS and Add a new policy rule.
2. On the General tab, give the QoS policy rule a descriptive Name.
3. Specify traffic to receive QoS treatment based on Source, Destination, Application, Service/URL Category, and
DSCP/ToS values (the DSCP/ToS settings allow you to Enforce QoS Based on DSCP Classification).
For example, select Application, click Add, and select web-browsing to apply QoS to web-browsing traffic.
4. (Optional) Continue to define additional parameters. For example, select Source and Add a source user to provide QoS
for a specific user's web traffic.
5. Select Other Settings and assign a QoS Class to traffic matching the policy rule. For example, assign Class 2 to
user1's web traffic.
6. Click OK.


Step 4 Add a QoS profile rule.
A QoS profile rule allows you to define the eight classes of service that traffic can receive, including priority, and
enables QoS bandwidth management.
You can edit any existing QoS profile, including the default, by clicking the QoS profile name.
1. Select Network > Network Profiles > QoS Profile and Add a new profile.
2. Enter a descriptive Profile Name.
3. Set the overall bandwidth limits for the QoS profile rule:
• Enter an Egress Max value to set the overall bandwidth allocation for the QoS profile rule.
• Enter an Egress Guaranteed value to set the guaranteed bandwidth for the QoS profile.
Any traffic that exceeds the Egress Guaranteed value is best effort and not guaranteed. Bandwidth
that is guaranteed but is unused continues to remain available for all traffic.
4. In the Classes section, specify how to treat up to eight individual QoS classes:
a. Add a class to the QoS profile.
b. Select the Priority for the class: real-time, high, medium, or low.
c. Enter the Egress Max and Egress Guaranteed bandwidth for traffic assigned to each QoS class.
5. Click OK.
In the following example, the QoS profile rule LimitWebBrowsing limits Class 2 traffic to a maximum bandwidth of 50 Mbps and a
guaranteed bandwidth of 2 Mbps.


Step 5 Enable QoS on a physical interface.
Part of this step includes the option to select clear text and tunneled traffic for unique QoS treatment.
Check if the platform you're using supports enabling QoS on a subinterface by reviewing a summary of the Product
Specifications.
1. Select Network > QoS and Add a QoS interface.
2. Select Physical Interface and choose the Interface Name of the interface on which to enable QoS.
In the example, ethernet1/1 is the egress interface for web-browsing traffic (see Step 2).
3. Set the Egress Max bandwidth for all traffic exiting this interface.
It is a best practice to always define the Egress Max value for a QoS interface. Ensure that the cumulative
guaranteed bandwidth for the QoS profile rules attached to the interface does not exceed the total
bandwidth allocated to the interface.
4. Select Turn on QoS feature on this interface.
5. In the Default Profile section, select a QoS profile rule to apply to all Clear Text traffic exiting the physical interface.
6. (Optional) Select a default QoS profile rule to apply to all tunneled traffic exiting the interface.
For example, enable QoS on ethernet1/1 and apply the bandwidth and priority settings you defined for the QoS profile rule
LimitWebBrowsing (Step 4) to be used as the default settings for clear text egress traffic.
7. (Optional) Continue to define more granular settings to provide QoS for Clear Text and Tunneled Traffic. Settings
configured on the Clear Text Traffic tab and the Tunneled Traffic tab automatically override the default profile settings
for clear text and tunneled traffic on the Physical Interface tab.
Select Clear Text Traffic and:
• Set the Egress Guaranteed and Egress Max bandwidths for clear text traffic.
• Click Add and apply a QoS profile rule to enforce clear text traffic based on source interface and source subnet.
Select Tunneled Traffic and:
• Set the Egress Guaranteed and Egress Max bandwidths for tunneled traffic.
• Click Add and attach a QoS profile rule to a single tunnel interface.
8. Click OK.

Step 6 Commit the configuration.


Step 7 Verify a QoS configuration.
Select Network > QoS and then Statistics to view QoS bandwidth, active sessions of a selected QoS class, and active
applications for the selected QoS class.
For example, see the statistics for ethernet1/1 with QoS enabled:
Class 2 traffic is limited to 2 Mbps of guaranteed bandwidth and a maximum bandwidth of 50 Mbps.
Continue to click the tabs to display further information regarding applications, source users, destination users, security
rules, and QoS rules.
Bandwidth limits shown on the QoS Statistics window include a hardware adjustment factor.
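The QoS Bandwidth Management section and Step 5 above state the rules a profile must obey: traffic above a class's Egress Max is dropped, up to the Egress Guaranteed rate is served even under congestion, unused guarantee is shared with other traffic, and the cumulative guaranteed bandwidth of the profiles on an interface must not exceed the interface's Egress Max. The following model is an added illustration (not PAN-OS code) that encodes those rules so you can check a profile such as LimitWebBrowsing against an interface before committing, and see what each class actually receives in a congested interval. Serving best-effort excess strictly in priority order (real-time, high, medium, low) is this model's simplification of the firewall's queuing; the extra real-time class, the interface rate and the offered loads are constructed sample values, and the two per-class consistency checks in `validate_interface` are this model's assumptions rather than documented limits.

```python
"""Bandwidth model for a QoS interface: Egress Guaranteed / Egress Max semantics
under congestion plus the pre-commit cumulative-guarantee check.

Added illustration, not PAN-OS code. Best-effort excess is drained in strict
priority order, a simplification of the firewall's priority queuing.
"""
from dataclasses import dataclass
from typing import Dict, List

PRIORITY_ORDER = {"real-time": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class QosClass:
    name: str
    priority: str
    egress_max_mbps: float          # traffic above this rate is dropped
    egress_guaranteed_mbps: float   # served even when the interface is congested


@dataclass(frozen=True)
class QosProfile:
    name: str
    classes: List[QosClass]

    def total_guaranteed(self) -> float:
        return sum(c.egress_guaranteed_mbps for c in self.classes)


def validate_interface(interface_egress_max_mbps: float, profiles: List[QosProfile]) -> List[str]:
    """Problems to fix before committing: the guide's cumulative-guarantee rule plus
    two consistency checks that are assumptions of this model."""
    problems: List[str] = []
    total = sum(p.total_guaranteed() for p in profiles)
    if total > interface_egress_max_mbps:
        problems.append(f"cumulative guaranteed {total} Mbps exceeds interface egress max "
                        f"{interface_egress_max_mbps} Mbps")
    for p in profiles:
        for c in p.classes:
            if c.egress_guaranteed_mbps > c.egress_max_mbps:
                problems.append(f"{p.name}/{c.name}: guaranteed exceeds class egress max")
            if c.egress_max_mbps > interface_egress_max_mbps:
                problems.append(f"{p.name}/{c.name}: class egress max exceeds interface egress max")
    return problems


def shape(interface_egress_max_mbps: float, profile: QosProfile,
          offered_mbps: Dict[str, float]) -> Dict[str, float]:
    """Bandwidth each class receives in one interval; offered minus result is dropped."""
    # 1. Cap each class at its egress max (anything above is dropped).
    demand = {c.name: min(offered_mbps.get(c.name, 0.0), c.egress_max_mbps) for c in profile.classes}
    # 2. Serve the guaranteed share first; unused guarantee stays in the pool.
    served = {c.name: min(demand[c.name], c.egress_guaranteed_mbps) for c in profile.classes}
    remaining = interface_egress_max_mbps - sum(served.values())
    # 3. Hand out the rest as best effort, higher priority classes first.
    for c in sorted(profile.classes, key=lambda k: PRIORITY_ORDER[k.priority]):
        extra = min(demand[c.name] - served[c.name], max(remaining, 0.0))
        served[c.name] += extra
        remaining -= extra
    return served


# Constructed sample: the LimitWebBrowsing class 2 settings from Step 4 plus a real-time class.
LIMIT_WEB_BROWSING = QosProfile("LimitWebBrowsing", [
    QosClass("class1", "real-time", egress_max_mbps=1000, egress_guaranteed_mbps=100),
    QosClass("class2", "medium", egress_max_mbps=50, egress_guaranteed_mbps=2),
])


if __name__ == "__main__":
    print(validate_interface(1000, [LIMIT_WEB_BROWSING]))
    # Congested interval: class 2 keeps its 2 Mbps guarantee plus whatever class 1 leaves.
    print(shape(1000, LIMIT_WEB_BROWSING, {"class1": 980, "class2": 80}))
```

In the congested run, class 1 demands 980 Mbps and class 2 80 Mbps; class 2 is first capped at its 50 Mbps Egress Max, then receives its 2 Mbps guarantee plus the 18 Mbps that class 1 does not consume. In an uncongested interval the same class 2 gets the full 50 Mbps and the remaining 30 Mbps of its offered load is dropped, which is the behaviour the Statistics page reflects.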


Configure QoS for a Virtual System

QoS can be configured for a single virtual system or for several virtual systems configured on a Palo Alto Networks firewall.
Because a virtual system is an independent firewall, QoS must be configured independently for a single
virtual system.
Configuring QoS for a virtual system is similar to configuring QoS on a physical firewall, with the exception
that configuring QoS for a virtual system requires specifying the source and destination of traffic. Because
a virtual system exists without set physical boundaries and because traffic in a virtual environment spans
more than one virtual system, specifying source and destination zones and interfaces for traffic is necessary
to control and shape traffic for a single virtual system.
The example below shows two virtual systems configured on a firewall. VSYS1 (purple) and VSYS2 (red) each
have QoS configured to prioritize or limit two distinct traffic flows, indicated by their corresponding purple
(VSYS1) and red (VSYS2) lines. The QoS nodes indicate the points at which traffic is matched to a QoS policy and
assigned a QoS class of service, and then later indicate the point at which traffic is shaped as it egresses the
firewall.

Refer to the Virtual Systems (VSYS) tech note for information on virtual systems and how to configure them.

Configure QoS in a Virtual System Environment

Step 1 Confirm that the appropriate interfaces, virtual routers, and security zones are associated with each virtual system.
• To view configured interfaces, select Network > Interface.
• To view configured zones, select Network > Zones.
• To view information on defined virtual routers, select Network > Virtual Routers.


Step 2 Identify traffic to apply QoS to.
Select ACC to view the Application Command Center page. Use the
settings and charts on the ACC page to view trends and traffic
related to Applications, URL filtering, Threat Prevention, Data
Filtering, and HIP Matches.
To view information for a specific virtual system, select the virtual
system from the Virtual System drop-down.
Click any application name to display detailed application
information.

Step 3 Identify the egress interface for applications that you identified as needing QoS treatment.
In a virtual system environment, QoS is applied to traffic at the traffic's egress point on the virtual system. Depending on
the configuration and QoS policy for a virtual system, the egress point of QoS traffic could be associated with a
physical interface or could be a zone.
This example shows how to limit web-browsing traffic on vsys1.
Select Monitor > Logs > Traffic to view traffic logs. Each entry has the option to display columns with information necessary to
configure QoS in a virtual system environment:
• virtual system
• egress interface
• ingress interface
• source zone
• destination zone
To display a column if it is not displayed by default:
• Click any column header to add a column to the log.
• Click the spyglass icon to the left of any entry to display a detailed log that includes the application's egress interface, as
well as source and destination zones, in the Source and Destination sections.
For example, for web-browsing traffic from VSYS1, the ingress interface is ethernet1/2, the egress interface is ethernet1/1, the
source zone is trust and the destination zone is untrust.


Step 4 Create a QoS profile.
You can edit any existing QoS profile, including the default, by clicking the profile name.
1. Select Network > Network Profiles > QoS Profile and click Add to open the QoS Profile dialog.
2. Enter a descriptive Profile Name.
3. Enter an Egress Max to set the overall bandwidth allocation for the QoS profile.
4. Enter an Egress Guaranteed to set the guaranteed bandwidth for the QoS profile.
Any traffic that exceeds the QoS profile's egress guaranteed limit is best effort but is not guaranteed.
5. In the Classes section of the QoS Profile, specify how to treat up to eight individual QoS classes:
a. Click Add to add a class to the QoS profile.
b. Select the Priority for the class.
c. Enter an Egress Max for a class to set the overall bandwidth limit for that individual class.
d. Enter an Egress Guaranteed for the class to set the guaranteed bandwidth for that individual class.
6. Click OK to save the QoS profile.


Step 5 Create a QoS policy.
In an environment with multiple virtual systems, traffic spans more than one virtual system. Because of this, when you
are enabling QoS for a virtual system, you must define traffic to receive QoS treatment based on source and
destination zones. This ensures that the traffic is prioritized and shaped only for that virtual system (and not for other
virtual systems through which the traffic might flow).
1. Select Policies > QoS and Add a QoS policy rule.
2. Select General and give the QoS policy rule a descriptive Name.
3. Specify the traffic to which the QoS policy rule will apply. Use the Source, Destination, Application, and Service/URL
Category tabs to define matching parameters for identifying traffic.
For example, select Application and Add web-browsing to apply the QoS policy rule to that application.
4. Select Source and Add the source zone of vsys1 web-browsing traffic.
5. Select Destination and Add the destination zone of vsys1 web-browsing traffic.
6. Select Other Settings and select a QoS Class to assign to the QoS policy rule. For example, assign Class 2 to web-browsing
traffic on vsys1.
7. Click OK to save the QoS policy rule.


Step 6 Enable the QoS profile on a physical interface.
It is a best practice to always define the Egress Max value for a QoS interface.
1. Select Network > QoS and click Add to open the QoS Interface dialog.
2. Enable QoS on the physical interface:
a. On the Physical Interface tab, select the Interface Name of the interface to apply the QoS profile to.
In this example, ethernet1/1 is the egress interface for web-browsing traffic on vsys1 (see Step 2).
b. Select Turn on QoS feature on this interface.
3. On the Physical Interface tab, select the default QoS profile to apply to all Clear Text traffic.
(Optional) Use the Tunnel Interface field to apply a default QoS profile to all tunneled traffic.
4. (Optional) On the Clear Text Traffic tab, configure additional QoS settings for clear text traffic:
• Set the Egress Guaranteed and Egress Max bandwidths for clear text traffic.
• Click Add to apply a QoS profile to selected clear text traffic, further selecting the traffic for QoS treatment according to
source interface and source subnet (creating a QoS node).
5. (Optional) On the Tunneled Traffic tab, configure additional QoS settings for tunnel interfaces:
• Set the Egress Guaranteed and Egress Max bandwidths for tunneled traffic.
• Click Add to associate a selected tunnel interface with a QoS profile.
6. Click OK to save changes.
7. Commit the changes.

Step 7 Verify the QoS configuration.
Select Network > QoS to view the QoS Policies page. The QoS Policies page verifies that QoS is enabled and includes a
Statistics link. Click the Statistics link to view QoS bandwidth, active sessions of a selected QoS node or class, and active
applications for the selected QoS node or class.
In a multi-vsys environment, sessions cannot span multiple virtual systems. Multiple sessions are created for one traffic flow if the
traffic passes through more than one virtual system. To browse sessions running on the firewall and view applied QoS rules and
QoS classes, select Monitor > Session Browser.


Enforce QoS Based on DSCP Classification

A Differentiated Services Code Point (DSCP) is a packet header value that can be used to request (for
example) high-priority or best-effort delivery for traffic. Session-based DSCP classification allows you to
both honor DSCP values for incoming traffic and to mark a session with a DSCP value as session traffic exits
the firewall. This enables all inbound and outbound traffic for a session to receive continuous QoS
treatment as it flows through your network. For example, inbound return traffic from an external server can
now be treated with the same QoS priority that the firewall initially enforced for the outbound flow based
on the DSCP value the firewall detected at the beginning of the session. Network devices between the
firewall and end user will also then enforce the same priority for the return traffic (and any other outbound
or inbound traffic for the session).
Different types of DSCP markings indicate different levels of service:
• Expedited Forwarding (EF): Can be used to request low loss, low latency and guaranteed bandwidth for
traffic. Packets with EF codepoints are typically guaranteed highest priority delivery.
• Assured Forwarding (AF): Can be used to provide reliable delivery for applications. Packets with an AF
codepoint indicate a request for the traffic to receive higher priority treatment than best-effort service
provides (though packets with an EF codepoint will continue to take precedence over those with an AF
codepoint).
• Class Selector (CS): Can be used to provide backward compatibility with network devices that use the IP
precedence field to mark priority traffic.
• IP Precedence (ToS): Can be used by legacy network devices to mark priority traffic (the IP Precedence
header field was used to indicate the priority for a packet before the introduction of the DSCP
classification).
• Custom Codepoint: Create a custom codepoint to match to traffic by entering a Codepoint Name and Binary
Value.
For example, select Assured Forwarding (AF) to ensure traffic marked with an AF codepoint value has
higher priority for reliable delivery over applications marked to receive lower priority. Use the following steps
to enable session-based DSCP classification. Start by configuring QoS based on the DSCP marking detected at
the beginning of a session. You can then continue to enable the firewall to mark the return flow for a session
with the same DSCP value used to enforce QoS for the initial outbound flow.


Apply QoS Based on DSCP/ToS Marking

Before You Begin: Make sure that you have performed the preliminary steps to Configure QoS.

Step 1 Define the traffic to receive QoS treatment based on DSCP value.
1. Select Policies > QoS and Add or modify an existing QoS rule and populate the required fields.
2. Select DSCP/ToS and select Codepoints.
3. Add the DSCP/ToS codepoints for which you want to enforce QoS.
4. Select the Type of DSCP/ToS marking for the QoS rule to match to traffic.
It is a best practice to use a single DSCP type to manage and prioritize your network traffic.
5. Match the QoS policy to traffic on a more granular scale by specifying the Codepoint value. For example, with Assured
Forwarding (AF) selected as the Type of DSCP value for the policy to match, further specify an AF Codepoint value such as
AF11.
When Expedited Forwarding (EF) is selected as the Type of DSCP marking, a granular Codepoint value cannot be
specified. The QoS policy rule matches traffic marked with any EF codepoint value.
6. Select Other Settings and assign a QoS Class to traffic matched to the QoS rule. In this example, assign Class 1 to
sessions where a DSCP marking of AF11 is detected for the first packet in the session.
7. Click OK to save the QoS rule.

Step 2 Define the QoS priority for traffic to receive when it is matched to a QoS rule based on the DSCP marking detected at the
beginning of a session.
1. Select Network > Network Profiles > QoS Profile and Add or modify an existing QoS profile. For details on profile options
to set priority and bandwidth for traffic, see QoS Concepts and Configure QoS.
2. Add or modify a profile class. For example, because Step 1 showed steps to classify AF11 traffic as Class 1 traffic, you
could add or modify a class 1 entry.
3. Select a Priority for the class of traffic, such as high.
4. Click OK to save the QoS profile.

Step 3 Enable QoS on an interface.
Select Network > QoS and Add or modify an existing interface and Turn on QoS feature on this interface.
In this example, traffic with an AF11 DSCP marking is matched to the QoS rule and assigned Class 1. The QoS profile enabled on the
interface enforces high-priority treatment for Class 1 traffic as it egresses the firewall (the session's outbound traffic).


Step 4 Enable DSCP marking.
Mark return traffic with a DSCP value, enabling the inbound flow for a session to be marked with the same DSCP value
detected for the outbound flow.
1. Select Policies > Security and Add or modify a security policy.
2. Select Actions and in the QoS Marking drop-down, choose Follow-Client-to-Server-Flow.
3. Click OK to save your changes.
Completing this step enables the firewall to mark traffic with the same DSCP value that was detected at the beginning of a session
(in this example, the firewall would mark return traffic with the DSCP AF11 value). While configuring QoS allows you to shape
traffic as it egresses the firewall, enabling this option in a security rule allows the other network devices intermediate to the firewall
and the client to continue to enforce priority for DSCP-marked traffic.

Step 5 Save the configuration. Commit your changes.
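The procedure above combines three mechanisms: reading the DSCP value from the first packet of a session, matching it against a QoS rule of the form "Type = AF, Codepoint = AF11, Class 1", and, with Follow-Client-to-Server-Flow, writing the same DSCP onto the return flow. The following model is an added illustration (not PAN-OS code) that carries those three pieces through in working code: it decodes the DSCP field from an IPv4 ToS/DS byte (upper six bits, RFC 2474), names the codepoint using the EF, AF and CS conventions (RFC 3246, RFC 2597) or falls back to legacy IP precedence, evaluates a small constructed rulebase, and shows the ToS byte a marked reply would carry. The rule names, packet values and the `Session` object are constructed for illustration; the guide's restriction that an EF rule cannot carry a granular codepoint is enforced in the rule constructor.

```python
"""DSCP decoding, QoS rule matching and return-flow marking.

Added illustration, not PAN-OS code. Codepoint arithmetic follows RFC 2474
(DSCP = upper 6 bits of the ToS/DS byte), RFC 2597 (AFxy = 8*x + 2*y) and
RFC 3246 (EF = 46); the rulebase and packet values are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EF_DSCP = 46                       # 101110b
AF_CLASSES = (1, 2, 3, 4)          # AFxy: x = class, y = drop precedence
DEFAULT_QOS_CLASS = 4              # unmatched traffic is assigned class 4 (see QoS Classes)


def dscp_from_tos(tos: int) -> int:
    """DSCP is the upper 6 bits of the ToS/DS byte; the low 2 bits carry ECN."""
    return (tos >> 2) & 0x3F


def classify_dscp(dscp: int) -> Tuple[str, str]:
    """Map a 6-bit DSCP to (marking type, codepoint name), e.g. ('AF', 'AF11')."""
    if dscp == EF_DSCP:
        return "EF", "EF"
    high, low = dscp >> 3, dscp & 0x7
    if high in AF_CLASSES and low in (2, 4, 6):
        return "AF", f"AF{high}{low // 2}"
    if low == 0:                                   # CSn = 8*n, same bits as IP precedence n
        return "CS", f"CS{high}"
    return "ToS", f"precedence-{high}"             # anything else: only the legacy precedence bits


@dataclass(frozen=True)
class QosRule:
    name: str
    dscp_type: str                 # "EF", "AF", "CS" or "ToS"
    codepoint: Optional[str]       # e.g. "AF11"; None matches any codepoint of the type
    qos_class: int

    def __post_init__(self) -> None:
        # Guide: when the Type is EF, a granular Codepoint value cannot be specified.
        if self.dscp_type == "EF" and self.codepoint is not None:
            raise ValueError("EF rules match any EF codepoint; no codepoint value allowed")

    def matches(self, dscp: int) -> bool:
        kind, name = classify_dscp(dscp)
        return kind == self.dscp_type and (self.codepoint is None or self.codepoint == name)


def assign_qos_class(rules: List[QosRule], first_packet_tos: int) -> int:
    """First matching rule wins, as in a policy rulebase; otherwise the default class."""
    dscp = dscp_from_tos(first_packet_tos)
    for rule in rules:
        if rule.matches(dscp):
            return rule.qos_class
    return DEFAULT_QOS_CLASS


@dataclass
class Session:
    client_to_server_dscp: int     # detected on the first packet of the session
    qos_class: int


def open_session(rules: List[QosRule], first_packet_tos: int) -> Session:
    return Session(dscp_from_tos(first_packet_tos), assign_qos_class(rules, first_packet_tos))


def mark_return_packet(session: Session, server_tos: int, follow_client_to_server: bool) -> int:
    """ToS byte forwarded toward the client. With Follow-Client-to-Server-Flow the
    server's DSCP is replaced by the client's; the two ECN bits are left untouched."""
    if not follow_client_to_server:
        return server_tos
    return (session.client_to_server_dscp << 2) | (server_tos & 0x3)


# Constructed rulebase: AF11 -> Class 1 as in Step 1, plus any EF codepoint -> Class 2.
RULES = [
    QosRule("af11-to-class1", "AF", "AF11", qos_class=1),
    QosRule("ef-any", "EF", None, qos_class=2),
]

if __name__ == "__main__":
    s = open_session(RULES, first_packet_tos=0x28)     # 0x28: DSCP 10 (AF11), ECN 00
    print(s.qos_class, hex(mark_return_packet(s, server_tos=0x01, follow_client_to_server=True)))
```

With the sample first packet (ToS 0x28, that is DSCP 10 = AF11) the session lands in Class 1; an unmarked reply from the server (ToS 0x01, DSCP 0 with an ECN bit set) leaves the firewall as 0x29, carrying AF11 toward the client while the ECN bits survive. A first packet marked AF12 falls through to the default class because the rule names AF11 specifically, which is the granularity Step 1 item 5 describes.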


QoSUseCases

ThefollowingusecasesdemonstratehowtouseQoSincommonscenarios:
UseCase:QoSforaSingleUser
UseCase:QoSforVoiceandVideoApplications

Use Case: QoS for a Single User

ACEOfindsthatduringperiodsofhighnetworkusage,sheisunabletoaccessenterpriseapplicationsto
respondeffectivelytocriticalbusinesscommunications.TheITadminwantstoensurethatalltraffictoand
fromtheCEOreceivespreferentialtreatmentoverotheremployeetrafficsothatsheisguaranteednotonly
accessto,buthighperformanceof,criticalnetworkresources.

ApplyQoStoaSingleUser

Step1 TheadmincreatestheQoSprofileCEO_traffictodefinehowtrafficoriginatingfromtheCEOwillbetreated
andshapedasitflowsoutofthecompanynetwork:

Theadminassignsaguaranteedbandwidth(Egress Guaranteed)of50MbpstoensurethattheCEOwillhave
thatamountthatbandwidthguaranteedtoheratalltimes(morethanshewouldneedtouse),regardlessof
networkcongestion.
TheadmincontinuesbydesignatingClass1trafficashighpriorityandsetstheprofilesmaximumbandwidth
usage(Egress Max)to1000Mbps,thesamemaximumbandwidthfortheinterfacethattheadminwillenable
QoSon.TheadminischoosingtonotrestricttheCEOsbandwidthusageinanyway.
ItisabestpracticetopopulatetheEgress MaxfieldforaQoSprofile,evenifthemaxbandwidthof
theprofilematchesthemaxbandwidthoftheinterface.TheQoSprofilesmaxbandwidthshouldnever
exceedthemaxbandwidthoftheinterfaceyouareplanningtoenableQoSon.

Step 2. The admin creates a QoS policy to identify the CEO's traffic (Policies > QoS) and assigns it the class that he defined in the QoS profile (see Step 1). Because User-ID is configured, the admin uses the Source tab in the QoS policy to singularly identify the CEO's traffic by her company network username. (If User-ID is not configured, the administrator could Add the CEO's IP address under Source Address. See User-ID.)
   The admin associates the CEO's traffic with Class 1 (Other Settings tab) and then continues to populate the remaining required policy fields; the admin gives the policy a descriptive Name (General tab) and selects Any for the Source Zone (Source tab) and Destination Zone (Destination tab).

Step 3. Now that Class 1 is associated with the CEO's traffic, the admin enables QoS by checking Turn on QoS feature on interface and selecting the traffic flow's egress interface. The egress interface for the CEO's traffic flow is the external-facing interface, in this case, ethernet1/2.
   Because the admin wants to ensure that all traffic originating from the CEO is guaranteed by the QoS profile and associated QoS policy he created, he selects the CEO_traffic profile to apply to Clear Text traffic flowing from ethernet1/2.

Step 4. After committing the QoS configuration, the admin navigates to the Network > QoS page to confirm that the QoS profile CEO_traffic is enabled on the external-facing interface, ethernet1/2.
   He clicks Statistics to view how traffic originating with the CEO (Class 1) is being shaped as it flows from ethernet1/2.

This case demonstrates how to apply QoS to traffic originating from a single source user. However, if you also wanted to guarantee or shape traffic to a destination user, you could configure a similar QoS setup. Instead of, or in addition to, this workflow, create a QoS policy that specifies the user's IP address as the Destination Address on the Policies > QoS page (instead of specifying the user's source information, as shown in Step 2) and then enable QoS on the network's internal-facing interface on the Network > QoS page (instead of the external-facing interface, as shown in Step 3).

Use Case: QoS for Voice and Video Applications

Voice and video traffic is particularly sensitive to the measurements that the QoS feature shapes and controls, especially latency and jitter. For voice and video transmissions to be audible and clear, voice and video packets cannot be dropped, delayed, or delivered inconsistently. A best practice for voice and video applications, in addition to guaranteeing bandwidth, is to guarantee priority to voice and video traffic.

In this example, employees at a company branch office are experiencing difficulties and unreliability in using video conferencing and Voice over IP (VoIP) technologies to conduct business communications with other branch offices, with partners, and with customers. An IT admin intends to implement QoS in order to address these issues and ensure effective and reliable business communication for the branch employees. Because the admin wants to guarantee QoS to both incoming and outgoing network traffic, he will enable QoS on both the firewall's internal- and external-facing interfaces.

Ensure Quality for Voice and Video Applications

Step 1. The admin creates a QoS profile, defining Class 2 so that Class 2 traffic receives real-time priority and, on an interface with a maximum bandwidth of 1000 Mbps, is guaranteed a bandwidth of 250 Mbps at all times, including peak periods of network usage.
   Real-time priority is typically recommended for applications affected by latency, and is particularly useful in guaranteeing performance and quality of voice and video applications.
   On the firewall web interface, the admin selects the Network > Network Profiles > QoS Profile page, clicks Add, enters the Profile Name ensure voip-video traffic and defines Class 2 traffic.

Step 2. The admin creates a QoS policy to identify voice and video traffic. Because the company does not have one standard voice and video application, the admin wants to ensure QoS is applied to a few applications that are widely and regularly used by employees to communicate with other offices, with partners, and with customers.
   On the Policies > QoS > QoS Policy Rule > Applications tab, the admin clicks Add and opens the Application Filter window. The admin continues by selecting criteria to filter the applications he wants to apply QoS to, choosing the Subcategory voip-video, and narrowing that down by specifying only voip-video applications that are both low risk and widely used.
   The application filter is a dynamic tool that, when used to filter applications in the QoS policy, allows QoS to be applied to all applications that meet the criteria of voip-video, low risk, and widely used at any given time.
   The admin names the Application Filter voip-video-low-risk and includes it in the QoS policy.
   The admin names the QoS policy VoiceVideo and selects Other Settings to assign all traffic matched to the policy Class 2. He is going to use the VoiceVideo QoS policy for both incoming and outgoing QoS traffic, so he sets Source and Destination information to Any.

Step 3. Because the admin wants to ensure QoS for both incoming and outgoing voice and video communications, he enables QoS on the network's external-facing interface (to apply QoS to outgoing communications) and on the internal-facing interface (to apply QoS to incoming communications).
   The admin begins by enabling the QoS profile he created in Step 1, ensure voice video traffic (Class 2 in this profile is associated with the policy created in Step 2, VoiceVideo), on the external-facing interface, in this case, ethernet1/2.
   He then enables the same QoS profile ensure voip-video traffic on a second interface, the internal-facing interface (in this case, ethernet1/1).

Step 4. The admin selects Network > QoS to confirm that QoS is enabled for both incoming and outgoing voice and video traffic.

The admin has successfully enabled QoS on both the network's internal- and external-facing interfaces. Real-time priority is now ensured for voice and video application traffic as it flows both into and out of the network, ensuring that these communications, which are particularly sensitive to latency and jitter, can be used reliably and effectively to perform both internal and external business communications.

VPNs

Virtual private networks (VPNs) create tunnels that allow users/systems to connect securely over a public network, as if they were connecting over a local area network (LAN). To set up a VPN tunnel, you need a pair of devices that can authenticate each other and encrypt the flow of information between them. The devices can be a pair of Palo Alto Networks firewalls, or a Palo Alto Networks firewall along with a VPN-capable device from another vendor.
   VPN Deployments
   Site-to-Site VPN Overview
   Site-to-Site VPN Concepts
   Set Up Site-to-Site VPN
   Site-to-Site VPN Quick Configs

VPN Deployments

The Palo Alto Networks firewall supports the following VPN deployments:
   Site-to-Site VPN: A simple VPN that connects a central site and a remote site, or a hub and spoke VPN that connects a central site with multiple remote sites. The firewall uses the IP Security (IPSec) set of protocols to set up a secure tunnel for the traffic between the two sites. See Site-to-Site VPN Overview.
   Remote User-to-Site VPN: A solution that uses the GlobalProtect agent to allow a remote user to establish a secure connection through the firewall. This solution uses SSL and IPSec to establish a secure connection between the user and the site. Refer to the GlobalProtect Administrator's Guide.
   Large Scale VPN: The Palo Alto Networks GlobalProtect Large Scale VPN (LSVPN) provides a simplified mechanism to roll out a scalable hub and spoke VPN with up to 1,024 satellite offices. The solution requires Palo Alto Networks firewalls to be deployed at the hub and at every spoke. It uses certificates for device authentication, SSL for securing communication between all components, and IPSec to secure data. See Large Scale VPN (LSVPN).

Figure: VPN Deployments


Site-to-Site VPN Overview

A VPN connection that allows you to connect two Local Area Networks (LANs) is called a site-to-site VPN. You can configure route-based VPNs to connect Palo Alto Networks firewalls located at two sites or to connect a Palo Alto Networks firewall with a third-party security device at another location. The firewall can also interoperate with third-party policy-based VPN devices; the Palo Alto Networks firewall supports route-based VPN.

The Palo Alto Networks firewall sets up a route-based VPN, where the firewall makes a routing decision based on the destination IP address. If traffic is routed to a specific destination through a VPN tunnel, then it is handled as VPN traffic.

The IP Security (IPSec) set of protocols is used to set up a secure tunnel for the VPN traffic, and the information in the TCP/IP packet is secured (and encrypted if the tunnel type is ESP). The IP packet (header and payload) is embedded in another IP payload, and a new header is applied and then sent through the IPSec tunnel. The source IP address in the new header is that of the local VPN peer and the destination IP address is that of the VPN peer on the far end of the tunnel. When the packet reaches the remote VPN peer (the firewall at the far end of the tunnel), the outer header is removed and the original packet is sent to its destination.

In order to set up the VPN tunnel, first the peers need to be authenticated. After successful authentication, the peers negotiate the encryption mechanism and algorithms to secure the communication. The Internet Key Exchange (IKE) process is used to authenticate the VPN peers, and IPSec Security Associations (SAs) are defined at each end of the tunnel to secure the VPN communication. IKE uses digital certificates or pre-shared keys, and the Diffie-Hellman keys, to set up the SAs for the IPSec tunnel. The SAs specify all of the parameters that are required for secure transmission, including the security parameter index (SPI), security protocol, cryptographic keys, and the destination IP address, for encryption, data authentication, data integrity, and endpoint authentication.

The following figure shows a VPN tunnel between two sites. When a client that is secured by VPN Peer A needs content from a server located at the other site, VPN Peer A initiates a connection request to VPN Peer B. If the security policy permits the connection, VPN Peer A uses the IKE Crypto profile parameters (IKE phase 1) to establish a secure connection and authenticate VPN Peer B. Then, VPN Peer A establishes the VPN tunnel using the IPSec Crypto profile, which defines the IKE phase 2 parameters to allow the secure transfer of data between the two sites.

Figure: Site-to-Site VPN


Site-to-Site VPN Concepts

A VPN connection provides secure access to information between two or more sites. In order to provide secure access to resources and reliable connectivity, a VPN connection needs the following components:
   IKE Gateway
   Tunnel Interface
   Tunnel Monitoring
   Internet Key Exchange (IKE) for VPN
   IKEv2

IKE Gateway

The Palo Alto Networks firewalls, or a firewall and another security device, that initiate and terminate VPN connections across the two networks are called the IKE Gateways. To set up the VPN tunnel and send traffic between the IKE Gateways, each peer must have an IP address (static or dynamic) or FQDN. The VPN peers use pre-shared keys or certificates to mutually authenticate each other.

The peers must also negotiate the mode (main or aggressive) for setting up the VPN tunnel and the SA lifetime in IKE Phase 1. Main mode protects the identity of the peers and is more secure because more packets are exchanged when setting up the tunnel. Main mode is the recommended mode for IKE negotiation if both peers support it. Aggressive mode uses fewer packets to set up the VPN tunnel and is hence faster but a less secure option for setting up the VPN tunnel.

See Set Up an IKE Gateway for configuration details.

Tunnel Interface

To set up a VPN tunnel, the Layer 3 interface at each end must have a logical tunnel interface for the firewall to connect to and establish a VPN tunnel. A tunnel interface is a logical (virtual) interface that is used to deliver traffic between two endpoints. Each tunnel interface can have a maximum of 10 IPSec tunnels; this means that up to 10 networks can be associated with the same tunnel interface on the firewall.

The tunnel interface must belong to a security zone to apply policy and it must be assigned to a virtual router in order to use the existing routing infrastructure. Ensure that the tunnel interface and the physical interface are assigned to the same virtual router so that the firewall can perform a route lookup and determine the appropriate tunnel to use.

Typically, the Layer 3 interface that the tunnel interface is attached to belongs to an external zone, for example the untrust zone. While the tunnel interface can be in the same security zone as the physical interface, for added security and better visibility, you can create a separate zone for the tunnel interface. If you create a separate zone for the tunnel interface, say a VPN zone, you will need to create security policies to enable traffic to flow between the VPN zone and the trust zone.

To route traffic between the sites, a tunnel interface does not require an IP address. An IP address is only required if you want to enable tunnel monitoring or if you are using a dynamic routing protocol to route traffic across the tunnel. With dynamic routing, the tunnel IP address serves as the next-hop IP address for routing traffic to the VPN tunnel.

If you are configuring the Palo Alto Networks firewall with a VPN peer that performs policy-based VPN, you must configure a local and remote Proxy ID when setting up the IPSec tunnel. Each peer compares the Proxy IDs configured on it with what is actually received in the packet in order to allow a successful IKE phase 2 negotiation. If multiple tunnels are required, configure unique Proxy IDs for each tunnel interface; a tunnel interface can have a maximum of 250 Proxy IDs. Each Proxy ID counts towards the IPSec VPN tunnel capacity of the firewall, and the tunnel capacity varies by the firewall model.

See Set Up an IPSec Tunnel for configuration details.

Tunnel Monitoring

For a VPN tunnel, you can check connectivity to a destination IP address across the tunnel. The network monitoring profile on the firewall allows you to verify connectivity (using ICMP) to a destination IP address or a next hop at a specified polling interval, and to specify an action on failure to access the monitored IP address.

If the destination IP is unreachable, you either configure the firewall to wait for the tunnel to recover or configure automatic failover to another tunnel. In either case, the firewall generates a system log that alerts you to a tunnel failure and renegotiates the IPSec keys to accelerate recovery.

The default monitoring profile is configured to wait for the tunnel to recover; the polling interval is 3 seconds and the failure threshold is 5.

See Set Up Tunnel Monitoring for configuration details.
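As an added illustration (not code from the guide or from PAN-OS), the simulation below models the monitoring behaviour just described: a probe every interval seconds, the action firing after threshold consecutive failures, and the two actions (wait-recover keeps traffic on the tunnel and waits; fail-over moves it to a backup tunnel). The defaults match the guide (3 seconds, 5 failures); the probe results, tunnel names and the choice to move traffic back to the primary tunnel on recovery are assumptions made for the example.

```python
"""Added example, not part of the PAN-OS guide: a model of tunnel monitoring
with a polling interval, a consecutive-failure threshold and a failure action."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class MonitorProfile:
    interval: int = 3             # seconds between ICMP probes (guide default)
    threshold: int = 5            # consecutive failures before the action (guide default)
    action: str = "wait-recover"  # "wait-recover" or "fail-over"


@dataclass
class TunnelMonitor:
    tunnel: str
    profile: MonitorProfile
    backup: Optional[str] = None  # only used when action == "fail-over"
    failures: int = 0
    status: str = "up"
    active_path: str = ""
    events: List[str] = field(default_factory=list)  # stands in for the system log

    def __post_init__(self) -> None:
        if self.profile.action == "fail-over" and not self.backup:
            raise ValueError("fail-over requires a backup tunnel")
        self.active_path = self.tunnel

    def observe(self, reply_received: bool, t: int) -> None:
        """Feed one probe result taken at time t (seconds)."""
        if reply_received:
            if self.status == "down":
                self.status = "up"
                self.active_path = self.tunnel  # assumption: revert to primary on recovery
                self.events.append(f"t={t}s {self.tunnel} monitor recovered")
            self.failures = 0
            return
        self.failures += 1
        if self.status == "up" and self.failures >= self.profile.threshold:
            self.status = "down"
            self.events.append(
                f"t={t}s {self.tunnel} monitor failed after {self.failures} probes; "
                f"action={self.profile.action}; IPSec keys renegotiated")
            if self.profile.action == "fail-over":
                self.active_path = self.backup


def simulate(profile: MonitorProfile, probes: List[bool],
             tunnel: str = "tunnel.1", backup: Optional[str] = None) -> TunnelMonitor:
    """Run a constructed sequence of probe outcomes (True = reply received)."""
    mon = TunnelMonitor(tunnel, profile, backup)
    for i, ok in enumerate(probes):
        mon.observe(ok, t=i * profile.interval)
    return mon


if __name__ == "__main__":
    outcome = simulate(MonitorProfile(), [True] + [False] * 6 + [True])
    print(outcome.status, outcome.active_path, *outcome.events, sep="\n")
```

With the defaults, a failed tunnel is detected 15 seconds after the first missed reply (5 probes x 3 seconds); shortening either value detects faster at the cost of more false alarms on a lossy link.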

Internet Key Exchange (IKE) for VPN

The IKE process allows the VPN peers at both ends of the tunnel to encrypt and decrypt packets using mutually agreed-upon keys or certificates and method of encryption. The IKE process occurs in two phases: IKE Phase 1 and IKE Phase 2. Each of these phases uses keys and encryption algorithms that are defined using cryptographic profiles (the IKE crypto profile and the IPSec crypto profile), and the result of the IKE negotiation is a Security Association (SA). An SA is a set of mutually agreed-upon keys and algorithms that are used by both VPN peers to allow the flow of data across the VPN tunnel. The following illustration depicts the key exchange process for setting up the VPN tunnel:

IKE Phase 1

In this phase, the firewalls use the parameters defined in the IKE Gateway configuration and the IKE Crypto profile to authenticate each other and set up a secure control channel. IKE Phase 1 supports the use of pre-shared keys or digital certificates (which use public key infrastructure, PKI) for mutual authentication of the VPN peers. Pre-shared keys are a simple solution for securing smaller networks because they do not require the support of a PKI infrastructure. Digital certificates can be more convenient for larger networks or implementations that require stronger authentication security.

When using certificates, make sure that the CA issuing the certificate is trusted by both gateway peers and that the maximum length of certificates in the certificate chain is 5 or less. With IKE fragmentation enabled, the firewall can reassemble IKE messages with up to 5 certificates in the certificate chain and successfully establish a VPN tunnel.

The IKE Crypto profile defines the following options that are used in the IKE SA negotiation:
   Diffie-Hellman (DH) group for generating symmetrical keys for IKE. The Diffie-Hellman algorithm uses the private key of one party and the public key of the other to create a shared secret, which is an encrypted key that both VPN tunnel peers share. The DH groups supported on the firewall are: Group 1 (768 bits), Group 2 (1024 bits, the default), Group 5 (1536 bits), Group 14 (2048 bits), Group 19 (256-bit elliptic curve group), and Group 20 (384-bit elliptic curve group).
   Authentication algorithms: sha1, sha256, sha384, sha512, or md5.
   Encryption algorithms: 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des.


IKE Phase 2

After the tunnel is secured and authenticated, in Phase 2 the channel is further secured for the transfer of data between the networks. IKE Phase 2 uses the keys that were established in Phase 1 of the process and the IPSec Crypto profile, which defines the IPSec protocols and keys used for the SA in IKE Phase 2.

IPSec uses the following protocols to enable secure communication:
   Encapsulating Security Payload (ESP): Allows you to encrypt the entire IP packet, and authenticate the source and verify integrity of the data. While ESP requires that you encrypt and authenticate the packet, you can choose to only encrypt or only authenticate by setting the encryption option to Null; using encryption without authentication is discouraged.
   Authentication Header (AH): Authenticates the source of the packet and verifies data integrity. AH does not encrypt the data payload and is unsuited for deployments where data privacy is important. AH is commonly used when the main concern is to verify the legitimacy of the peer, and data privacy is not required.

Table: Algorithms Supported for IPSec Authentication and Encryption

Diffie-Hellman (DH) exchange options supported (ESP and AH):
   Group 1: 768 bits
   Group 2: 1024 bits (the default)
   Group 5: 1536 bits
   Group 14: 2048 bits
   Group 19: 256-bit elliptic curve group
   Group 20: 384-bit elliptic curve group
   no-pfs: By default, perfect forward secrecy (PFS) is enabled, which means a new DH key is generated in IKE phase 2 using one of the groups listed above. This key is independent of the keys exchanged in IKE phase 1 and provides better data transfer security. If you select no-pfs, the DH key created at phase 1 is not renewed and a single key is used for the IPSec SA negotiations. Both VPN peers must be enabled or disabled for PFS.

Encryption algorithms supported (ESP only; AH provides no encryption):
   3des: Triple Data Encryption Standard (3DES) with a security strength of 112 bits
   aes-128-cbc: Advanced Encryption Standard (AES) using cipher block chaining (CBC) with a security strength of 128 bits
   aes-192-cbc: AES using CBC with a security strength of 192 bits
   aes-256-cbc: AES using CBC with a security strength of 256 bits
   aes-128-ccm: AES using Counter with CBC-MAC (CCM) with a security strength of 128 bits
   aes-128-gcm: AES using Galois/Counter Mode (GCM) with a security strength of 128 bits
   aes-256-gcm: AES using GCM with a security strength of 256 bits
   des: Data Encryption Standard (DES) with a security strength of 56 bits

Authentication algorithms supported (ESP and AH): md5, sha1, sha256, sha384, sha512

Methods of Securing IPSec VPN Tunnels (IKE Phase 2)

IPSec VPN tunnels can be secured using manual keys or auto keys. In addition, IPSec configuration options include Diffie-Hellman Group for key agreement, and/or an encryption algorithm and a hash for message authentication.
   Manual Key: Manual key is typically used if the Palo Alto Networks firewall is establishing a VPN tunnel with a legacy device, or if you want to reduce the overhead of generating session keys. If using manual keys, the same key must be configured on both peers.
   Manual keys are not recommended for establishing a VPN tunnel because the session keys can be compromised when relaying the key information between the peers; if the keys are compromised, the data transfer is no longer secure.
   Auto Key: Auto Key allows you to automatically generate keys for setting up and maintaining the IPSec tunnel based on the algorithms defined in the IPSec Crypto profile.

IKEv2

An IPSec VPN gateway uses IKEv1 or IKEv2 to negotiate the IKE security association (SA) and IPSec tunnel. IKEv2 is defined in RFC 5996.

Unlike IKEv1, which uses Phase 1 SA and Phase 2 SA, IKEv2 uses a child SA for Encapsulating Security Payload (ESP) or Authentication Header (AH), which is set up with an IKE SA.

NAT traversal (NAT-T) must be enabled on both gateways if you have NAT occurring on a device that sits between the two gateways. A gateway can see only the public (globally routable) IP address of the NAT device.

IKEv2 provides the following benefits over IKEv1:
   Tunnel endpoints exchange fewer messages to establish a tunnel. IKEv2 uses four messages; IKEv1 uses either nine messages (in main mode) or six messages (in aggressive mode).
   Built-in NAT-T functionality improves compatibility between vendors.
   Built-in health check automatically re-establishes a tunnel if it goes down. The liveness check replaces the Dead Peer Detection used in IKEv1.
   Supports traffic selectors (one per exchange). The traffic selectors are used in IKE negotiations to control what traffic can access the tunnel.
   Supports Hash and URL certificate exchange to reduce fragmentation.
   Resiliency against DoS attacks with improved peer validation. An excessive number of half-open SAs can trigger cookie validation.

Before configuring IKEv2, you should be familiar with the following concepts:
   Liveness Check
   Cookie Activation Threshold and Strict Cookie Validation
   Traffic Selectors
   Hash and URL Certificate Exchange
   SA Key Lifetime and Re-Authentication Interval

After you Set Up an IKE Gateway, if you chose IKEv2, perform the following optional tasks related to IKEv2 as required by your environment:
   Export a Certificate for a Peer to Access Using Hash and URL
   Import a Certificate for IKEv2 Gateway Authentication
   Change the Key Lifetime or Authentication Interval for IKEv2
   Change the Cookie Activation Threshold for IKEv2
   Configure IKEv2 Traffic Selectors

Liveness Check

The liveness check for IKEv2 is similar to Dead Peer Detection (DPD), which IKEv1 uses as the way to determine whether a peer is still available.

In IKEv2, the liveness check is achieved by any IKEv2 packet transmission or an empty informational message that the gateway sends to the peer at a configurable interval, five seconds by default. If necessary, the sender attempts the retransmission up to ten times. If it doesn't get a response, the sender closes and deletes the IKE_SA and corresponding CHILD_SAs. The sender will start over by sending out another IKE_SA_INIT message.

Cookie Activation Threshold and Strict Cookie Validation

Cookie validation is always enabled for IKEv2; it helps protect against half-SA DoS attacks. You can configure the global threshold number of half-open SAs that will trigger cookie validation. You can also configure individual IKE gateways to enforce cookie validation for every new IKEv2 SA.

The Cookie Activation Threshold is a global VPN session setting that limits the number of simultaneous half-opened IKE SAs (default is 500). When the number of half-opened IKE SAs exceeds the Cookie Activation Threshold, the Responder will request a cookie, and the Initiator must respond with an IKE_SA_INIT containing a cookie to validate the connection. If the cookie validation is successful, another SA can be initiated. A value of 0 means that cookie validation is always on.

The Responder does not maintain a state of the Initiator, nor does it perform a Diffie-Hellman key exchange, until the Initiator returns the cookie. IKEv2 cookie validation mitigates a DoS attack that would try to leave numerous connections half open.

The Cookie Activation Threshold must be lower than the Maximum Half Opened SA setting. If you Change the Cookie Activation Threshold for IKEv2 to a very high number (for example, 65534) and the Maximum Half Opened SA setting remained at the default value of 65535, cookie validation is essentially disabled.

You can enable Strict Cookie Validation if you want cookie validation performed for every new IKEv2 SA a gateway receives, regardless of the global threshold. Strict Cookie Validation affects only the IKE gateway being configured and is disabled by default. If Strict Cookie Validation is disabled, the system uses the Cookie Activation Threshold to determine whether a cookie is needed or not.
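To make the interaction between the threshold, strict validation and the responder's statelessness concrete, here is an added model of an IKEv2 responder; it is not PAN-OS code and makes two assumptions the guide does not state: the cookie is an HMAC over the initiator's address and SPI under a responder secret (RFC 7296 leaves the construction to the implementer), and the threshold comparison is "at or above" so that a value of 0 means always on, as the guide describes. Addresses, SPIs and the secret are constructed.

```python
"""Added example, not PAN-OS code: IKEv2 cookie validation on a responder.
Below the Cookie Activation Threshold, IKE_SA_INIT is answered directly and a
half-open SA is recorded. At or above it (or always, with strict validation)
the responder returns a stateless cookie first and keeps no state, and does
no Diffie-Hellman work, until the initiator echoes the cookie back."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple


class IkeV2Responder:
    def __init__(self, cookie_threshold: int = 500, max_half_open: int = 65535,
                 strict: bool = False, secret: bytes = b"constructed-responder-secret"):
        if cookie_threshold >= max_half_open:
            # Mirrors the guide's caveat: a threshold at or above the maximum
            # number of half-open SAs effectively disables cookie validation.
            raise ValueError("Cookie Activation Threshold must be lower than Maximum Half Opened SA")
        self.threshold = cookie_threshold
        self.max_half_open = max_half_open
        self.strict = strict            # Strict Cookie Validation (per gateway)
        self._secret = secret
        self.half_open: Dict[bytes, str] = {}   # initiator SPI -> peer address
        self.dh_exchanges = 0                   # DH computations actually performed

    def _cookie(self, peer: str, spi: bytes) -> bytes:
        # Assumption: stateless cookie = HMAC(secret, peer || SPI), truncated to 16 bytes.
        return hmac.new(self._secret, peer.encode() + spi, hashlib.sha256).digest()[:16]

    def handle_sa_init(self, peer: str, spi: bytes,
                       cookie: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        """Process one IKE_SA_INIT. Returns ("COOKIE", cookie_to_echo),
        ("SA_INIT_RESPONSE", None) or ("DROP", None)."""
        if self.strict or len(self.half_open) >= self.threshold:
            expected = self._cookie(peer, spi)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return ("COOKIE", expected)   # no state kept, no DH performed
        if len(self.half_open) >= self.max_half_open:
            return ("DROP", None)
        self.half_open[spi] = peer
        self.dh_exchanges += 1
        return ("SA_INIT_RESPONSE", None)

    def complete_auth(self, spi: bytes) -> None:
        """IKE_AUTH succeeded: the SA is no longer half open."""
        self.half_open.pop(spi, None)


if __name__ == "__main__":
    r = IkeV2Responder(cookie_threshold=2)
    for n in range(1, 4):   # constructed peers; the third one crosses the threshold
        print(n, r.handle_sa_init(f"198.51.100.{n}", bytes([n]) * 8)[0])
```

The point the model makes is where the cost lands: an initiator that never echoes the cookie costs the responder one HMAC and no memory, while the legitimate peer pays one extra round trip only while the half-open count is high (or always, if strict validation is on for that gateway).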

Traffic Selectors

In IKEv1, a firewall that has a route-based VPN needs to use a local and remote Proxy ID in order to set up an IPSec tunnel. Each peer compares its Proxy IDs with what it received in the packet in order to successfully negotiate IKE Phase 2. IKE Phase 2 is about negotiating the SAs to set up an IPSec tunnel. (For more information on Proxy IDs, see Tunnel Interface.)

In IKEv2, you can Configure IKEv2 Traffic Selectors, which are components of network traffic that are used during IKE negotiation. Traffic selectors are used during the CHILD_SA (tunnel creation) Phase 2 to set up the tunnel and to determine what traffic is allowed through the tunnel. The two IKE gateway peers must negotiate and agree on their traffic selectors; otherwise, one side narrows its address range to reach agreement. One IKE connection can have multiple tunnels; for example, you can assign different tunnels to each department to isolate their traffic. Separation of traffic also allows features such as QoS to be implemented.

The IPv4 and IPv6 traffic selectors are:
   Source IP address: A network prefix, address range, specific host, or wildcard.
   Destination IP address: A network prefix, address range, specific host, or wildcard.
   Protocol: A transport protocol, such as TCP or UDP.
   Source port: The port where the packet originated.
   Destination port: The port the packet is destined for.

During IKE negotiation, there can be multiple traffic selectors for different networks and protocols. For example, the Initiator might indicate that it wants to send TCP packets from 172.168.0.0/16 through the tunnel to its peer, destined for 198.5.0.0/16. It also wants to send UDP packets from 172.17.0.0/16 through the same tunnel to the same gateway, destined for 0.0.0.0 (any network). The peer gateway must agree to these traffic selectors so that it knows what to expect.

It is possible that one gateway will start negotiation using a traffic selector that is a more specific IP address than the IP address of the other gateway.
   For example, gateway A offers a source IP address of 172.16.0.0/16 and a destination IP address of 192.16.0.0/16. But gateway B is configured with 0.0.0.0 (any source) as the source IP address and 0.0.0.0 (any destination) as the destination IP address. Therefore, gateway B narrows down its source IP address to 192.16.0.0/16 and its destination address to 172.16.0.0/16. Thus, the narrowing down accommodates the addresses of gateway A and the traffic selectors of the two gateways are in agreement.
   If gateway B (configured with source IP address 0.0.0.0) is the Initiator instead of the Responder, gateway A will respond with its more specific IP addresses, and gateway B will narrow down its addresses to reach agreement.
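The narrowing the guide describes is an intersection of selectors, and the example below (added here; not PAN-OS code) implements it for IPv4 selectors: protocol, address range and port range, with the responder matching the initiator's source selector against its own remote selector and the initiator's destination against its local one. It reproduces the gateway A / gateway B case from the text, with the 0.0.0.0 wildcard modelled as 0.0.0.0/0, and also shows the failure mode the text implies: selectors that do not overlap (or disagree on protocol) produce no agreement.

```python
"""Added example, not part of the PAN-OS guide: IKEv2 traffic-selector
narrowing as an intersection of protocol, IPv4 range and port range."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class TrafficSelector:
    proto: int                          # IP protocol number; 0 = any
    ip_start: ipaddress.IPv4Address
    ip_end: ipaddress.IPv4Address
    port_start: int = 0
    port_end: int = 65535

    @classmethod
    def from_cidr(cls, cidr: str, proto: int = 0, ports=(0, 65535)) -> "TrafficSelector":
        """Build a selector from a prefix; 0.0.0.0/0 plays the guide's 0.0.0.0 wildcard."""
        net = ipaddress.ip_network(cidr, strict=False)
        return cls(proto, net[0], net[-1], ports[0], ports[1])

    def __str__(self) -> str:
        return (f"proto={self.proto or 'any'} {self.ip_start}-{self.ip_end} "
                f"ports {self.port_start}-{self.port_end}")


def narrow(a: TrafficSelector, b: TrafficSelector) -> Optional[TrafficSelector]:
    """Intersection of two selectors, or None when the peers cannot agree."""
    if a.proto and b.proto and a.proto != b.proto:
        return None
    lo, hi = max(a.ip_start, b.ip_start), min(a.ip_end, b.ip_end)
    plo, phi = max(a.port_start, b.port_start), min(a.port_end, b.port_end)
    if lo > hi or plo > phi:
        return None
    return TrafficSelector(a.proto or b.proto, lo, hi, plo, phi)


def negotiate(init_src: TrafficSelector, init_dst: TrafficSelector,
              resp_local: TrafficSelector, resp_remote: TrafficSelector
              ) -> Optional[Tuple[TrafficSelector, TrafficSelector]]:
    """The initiator proposes TSi (its source) and TSr (its destination); the
    responder narrows TSi against its remote selector and TSr against its
    local selector. Returns the agreed (TSi, TSr) from the initiator's view,
    or None if either side of the pair has no overlap."""
    tsi = narrow(init_src, resp_remote)
    tsr = narrow(init_dst, resp_local)
    if tsi is None or tsr is None:
        return None
    return tsi, tsr


if __name__ == "__main__":
    # Gateway A (initiator) is specific, gateway B (responder) is configured any/any.
    a_src = TrafficSelector.from_cidr("172.16.0.0/16")
    a_dst = TrafficSelector.from_cidr("192.16.0.0/16")
    b_any = TrafficSelector.from_cidr("0.0.0.0/0")
    agreed = negotiate(a_src, a_dst, b_any, b_any)
    print("agreed TSi:", agreed[0])
    print("agreed TSr:", agreed[1])
```

Seen from gateway B, the agreed TSr is B's "source" narrowed to 192.16.0.0/16 and the agreed TSi is B's "destination" narrowed to 172.16.0.0/16, which is exactly the outcome the paragraph above describes.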

Hash and URL Certificate Exchange

IKEv2 supports Hash and URL Certificate Exchange, which is used during an IKEv2 negotiation of an SA. You store the certificate on an HTTP server, which is specified by a URL. The peer fetches the certificate from the server based on receiving the URL to the server. The hash is used to check whether the content of the certificate is valid or not. Thus, the two peers exchange certificates with the HTTP CA rather than with each other.

The hash part of Hash and URL reduces the message size and thus Hash and URL is a way to reduce the likelihood of packet fragmentation during IKE negotiation. The peer receives the certificate and hash that it expects, and thus IKE Phase 1 has validated the peer. Reducing fragmentation occurrences helps protect against DoS attacks.

You can enable the Hash and URL certificate exchange when configuring an IKE gateway by selecting HTTP Certificate Exchange and entering the Certificate URL. The peer must also use Hash and URL certificate exchange in order for the exchange to be successful. If the peer cannot use Hash and URL, X.509 certificates are exchanged similarly to how they are exchanged in IKEv1.

If you enable the Hash and URL certificate exchange, you must export your certificate to the certificate server if it is not already there. When you export the certificate, the file format should be Binary Encoded Certificate (DER). See Export a Certificate for a Peer to Access Using Hash and URL.

SA Key Lifetime and Re-Authentication Interval

In IKEv2, two IKE crypto profile values, Key Lifetime and IKEv2 Authentication Multiple, control the establishment of IKEv2 IKE SAs. The key lifetime is the length of time that a negotiated IKE SA key is effective. Before the key lifetime expires, the SA must be re-keyed; otherwise, upon expiration, the SA must begin a new IKEv2 IKE SA re-key. The default value is 8 hours.

The re-authentication interval is derived by multiplying the Key Lifetime by the IKEv2 Authentication Multiple. The authentication multiple defaults to 0, which disables the re-authentication feature.

The range of the authentication multiple is 0-50. So, if you were to configure an authentication multiple of 20, for example, the system would perform re-authentication every 20 re-keys, which is every 160 hours. That means the gateway could perform Child SA creation for 160 hours before the gateway must re-authenticate with IKE to recreate the IKE SA from scratch.

In IKEv2, the Initiator and Responder gateways have their own key lifetime value, and the gateway with the shorter key lifetime is the one that will request that the SA be re-keyed.


Set Up Site-to-Site VPN

To set up site-to-site VPN:
   Make sure that your Ethernet interfaces, virtual routers, and zones are configured properly. For more information, see Configure Interfaces and Zones.
   Create your tunnel interfaces. Ideally, put the tunnel interfaces in a separate zone, so that tunneled traffic can use different policies.
   Set up static routes or assign routing protocols to redirect traffic to the VPN tunnels. To support dynamic routing (OSPF, BGP, RIP are supported), you must assign an IP address to the tunnel interface.
   Define IKE gateways for establishing communication between the peers across each end of the VPN tunnel; also define the cryptographic profile that specifies the protocols and algorithms for identification, authentication, and encryption to be used for setting up VPN tunnels in IKEv1 Phase 1. See Set Up an IKE Gateway and Define IKE Crypto Profiles.
   Configure the parameters that are needed to establish the IPSec connection for transfer of data across the VPN tunnel; see Set Up an IPSec Tunnel. For IKEv1 Phase 2, see Define IPSec Crypto Profiles.
   (Optional) Specify how the firewall will monitor the IPSec tunnels. See Set Up Tunnel Monitoring.
   Define security policies to filter and inspect the traffic.

   If there is a deny rule at the end of the security rulebase, intra-zone traffic is blocked unless otherwise allowed. Rules to allow IKE and IPSec applications must be explicitly included above the deny rule.

When these tasks are complete, the tunnel is ready for use. Traffic destined for the zones/addresses defined in policy is automatically routed properly based on the destination route in the routing table, and handled as VPN traffic. For a few examples on site-to-site VPN, see Site-to-Site VPN Quick Configs.

For troubleshooting purposes, you can Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel.

Set Up an IKE Gateway

To set up a VPN tunnel, the VPN peers or gateways must authenticate each other, using pre-shared keys or digital certificates, and establish a secure channel in which to negotiate the IPSec security association (SA) that will be used to secure traffic between the hosts on each side.

Set Up an IKE Gateway

Step 1. Define the IKE Gateway.
   1. Select Network > Network Profiles > IKE Gateways, click Add, and on the General tab, enter the Name of the gateway.
   2. For Version, select IKEv1 only mode, IKEv2 only mode, or IKEv2 preferred mode. The IKE gateway begins its negotiation with its peer in the mode specified here. If you select IKEv2 preferred mode, the two peers will use IKEv2 if the remote peer supports it; otherwise they will use IKEv1. (The Version selection also determines which options are available on the Advanced Options tab.)

Step 2. Establish the local endpoint of the tunnel (gateway).
   1. For Address Type, click IPv4 or IPv6.
   2. Select the physical, outgoing Interface on the firewall where the local gateway resides.
   3. From the Local IP Address drop-down, select the IP address that will be used as the endpoint for the VPN connection. This is the external-facing interface with a publicly routable IP address on the firewall.

Step 3. Establish the peer at the far end of the tunnel (gateway).
   1. Select the Peer IP Type to be a Static or Dynamic address assignment.
   2. If the Peer IP Address is static, enter the IP address of the peer.

Step 4. Specify how the peer is authenticated.
   Select the Authentication method: Pre-Shared Key or Certificate. If you choose Pre-Shared Key, proceed to Step 5. If you choose Certificate, proceed to Step 6.

Step 5. Configure a pre-shared key.
   1. Enter a Pre-shared Key, which is the security key to use for authentication across the tunnel. Re-enter the value to Confirm Pre-shared Key. Generate a key that is difficult to crack with dictionary attacks; use a pre-shared key generator, if necessary.
   2. For Local Identification, choose from the following types and enter a value that you determine: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), User FQDN (email address). Local identification defines the format and identification of the local gateway. If no value is specified, the local IP address will be used as the local identification value.
   3. For Peer Identification, choose from the following types and enter the value: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), User FQDN (email address). Peer identification defines the format and identification of the peer gateway. If no value is specified, the peer IP address will be used as the peer identification value.
   4. Proceed to Step 7 and continue from there.


Step 6: Configure certificate-based authentication. Perform the remaining steps in this procedure if you selected Certificate as the method of authenticating the peer gateway at the opposite end of the tunnel.
1. Select a Local Certificate that is already on the firewall from the drop-down, or Import a certificate, or Generate to create a new certificate.
If you want to Import a certificate, Import a Certificate for IKEv2 Gateway Authentication and then return to this task.
If you want to Generate a new certificate, generate a certificate on the firewall and then return to this task.
2. Click the HTTP Certificate Exchange check box if you want to configure Hash and URL (IKEv2 only). For an HTTP certificate exchange, enter the Certificate URL. For more information, see Hash and URL Certificate Exchange.
3. Select the Local Identification type from the following: Distinguished Name (Subject), FQDN (hostname), IP address, User FQDN (email address), and enter the value. Local identification defines the format and identification of the local gateway.
4. Select the Peer Identification type from the following: Distinguished Name (Subject), FQDN (hostname), IP address, User FQDN (email address), and enter the value. Peer identification defines the format and identification of the peer gateway.
5. Select one type of Peer ID Check:
- Exact: Check this to ensure that the local setting and the peer IKE ID payload match exactly.
- Wildcard: Check this to allow the peer identification to match as long as every character before the wildcard (*) matches. The characters after the wildcard need not match.
6. Click Permit peer identification and certificate payload identification mismatch if you want to allow a successful IKE SA even when the peer identification does not match the peer identification in the certificate.
7. Choose a Certificate Profile from the drop-down. A certificate profile contains information about how to authenticate the peer gateway.
8. Click Enable strict validation of peer's extended key use if you want to strictly control how the key can be used.


Step 7: Configure advanced options for the gateway.
1. Select the Advanced Options tab.
2. In the Common Options section, Enable Passive Mode if you want the firewall to only respond to IKE connection requests and never initiate them.
3. Enable NAT Traversal if you have a device performing NAT between the gateways, to have UDP encapsulation used on IKE and UDP protocols, enabling them to pass through intermediate NAT devices.
4. If you chose IKEv1 only mode earlier, on the IKEv1 tab:
- Choose auto, aggressive, or main for the Exchange Mode. When a device is set to use auto exchange mode, it can accept both main mode and aggressive mode negotiation requests; however, whenever possible, it initiates negotiation and allows exchanges in main mode.
If the exchange mode is not set to auto, you must configure both peers with the same exchange mode to allow each peer to accept negotiation requests.
- Select an existing profile or keep the default profile from the IKE Crypto Profile drop-down. For details on defining an IKE Crypto profile, see Define IKE Crypto Profiles.
- (Only if using certificate-based authentication and the exchange mode is not set to aggressive mode) Click Enable Fragmentation to enable the firewall to operate with IKE Fragmentation.
- Click Dead Peer Detection and enter an Interval (range is 2-100 seconds). For Retry, define the time to delay (range is 2-100 seconds) before attempting to re-check availability. Dead peer detection identifies inactive or unavailable IKE peers by sending an IKE phase 1 notification payload to the peer and waiting for an acknowledgment.
5. If you chose IKEv2 only mode or IKEv2 preferred mode in Step 1, on the IKEv2 tab:
- Select an IKE Crypto Profile from the drop-down, which configures IKE Phase 1 options such as the DH group, hash algorithm, and ESP authentication. For information about IKE crypto profiles, see IKE Phase 1.
- Enable Strict Cookie Validation if you want to always enforce cookie validation on IKEv2 SAs for this gateway. See Cookie Activation Threshold and Strict Cookie Validation.
- Enable Liveness Check and enter an Interval (sec) (default is 5) if you want to have the gateway send a message request to its gateway peer, requesting a response. If necessary, the Initiator attempts the liveness check up to 10 times. If it doesn't get a response, the Initiator closes and deletes the IKE_SA and CHILD_SA. The Initiator will start over by sending out another IKE_SA_INIT.

Step 8: Save the changes.
Click OK and Commit.


Export a Certificate for a Peer to Access Using Hash and URL

IKEv2 supports Hash and URL Certificate Exchange as a method of having the peer at the remote end of the tunnel fetch the certificate from a server where you have exported the certificate. Perform this task to export your certificate to that server. You must have already created a certificate using Device > Certificate Management.

Export a Certificate for Hash and URL

Export a certificate for a peer to access using Hash and URL certificate exchange.
1. Select Device > Certificates, and if your platform supports multiple virtual systems, for Location, select the appropriate virtual system.
2. On the Device Certificates tab, select the certificate to Export to the server.
The status of the certificate should be valid, not expired. The firewall will not stop you from exporting an invalid certificate.
3. For File Format, select Binary Encoded Certificate (DER).
4. Leave Export private key clear. Exporting the private key is unnecessary for Hash and URL.
5. Click OK.

Import a Certificate for IKEv2 Gateway Authentication

Perform this task if you are authenticating a peer for an IKEv2 gateway and you did not use a local certificate already on the firewall; you want to import a certificate from elsewhere.
This task presumes that you selected Network > IKE Gateways, added a gateway, and for Local Certificate, you clicked Import.


Import a Certificate for IKEv2 Gateway Authentication

Step 1: Import a certificate.
1. Select Network > IKE Gateways, Add a gateway, and on the General tab, for Authentication, select Certificate. For Local Certificate, click Import.
2. In the Import Certificate window, enter a Certificate Name for the certificate you are importing.
3. Select Shared if this certificate is to be shared among multiple virtual systems.
4. For Certificate File, Browse to the certificate file. Click on the file name and click Open, which populates the Certificate File field.
5. For File Format, select one of the following:
- Base64 Encoded Certificate (PEM): Contains the certificate, but not the key. It is clear text.
- Encrypted Private Key and Certificate (PKCS12): Contains both the certificate and the key.
6. Select Import private key if the key is in a different file from the certificate file. The key is optional, with the following exception: you must import a key if you set the File Format to PEM.
- Enter a Key file by clicking Browse and navigating to the key file to import.
- Enter a Passphrase and Confirm Passphrase.
7. Click OK.

Step 2: After you perform this task, return to Configure an IKEv2 Gateway and resume Step 6.

Change the Key Lifetime or Authentication Interval for IKEv2

This task is optional; the default setting of the IKEv2 IKE SA rekey lifetime is 8 hours. The default setting of the IKEv2 Authentication Multiple is 0, meaning the re-authentication feature is disabled. For more information, see SA Key Lifetime and Re-Authentication Interval.
To change the default values, perform the following task. A prerequisite is that an IKE crypto profile already exists.

Change the SA Key Lifetime or Authentication Interval

Step 1: Change the SA key lifetime or authentication interval for an IKE Crypto profile.
1. Select Network > Network Profiles > IKE Crypto and select the IKE Crypto profile that applies to the local gateway.
2. For the Key Lifetime, select a unit (Seconds, Minutes, Hours, or Days) and enter a value. The minimum is three minutes.
3. For IKE Authentication Multiple, enter a value, which is multiplied by the lifetime to determine the re-authentication interval.

Step 2: Save the configuration.
Click OK and Commit.


Change the Cookie Activation Threshold for IKEv2

Perform the following task if you want a firewall to have a threshold different from the default setting of 500 half-opened SA sessions before cookie validation is required. For more information about cookie validation, see Cookie Activation Threshold and Strict Cookie Validation.

Change the Cookie Activation Threshold

Step 1: Change the Cookie Activation Threshold.
1. Select Device > Setup > Session and edit the VPN Session Settings. For Cookie Activation Threshold, enter the maximum number of half-opened SAs that are allowed before the responder requests a cookie from the initiator (range is 0-65535; default is 500).
2. Click OK.

Step 2: Save the configuration.
Click OK and Commit.

Configure IKEv2 Traffic Selectors

Configure Traffic Selectors for IKEv2

Step 1: Configure Traffic Selectors.
1. Select Network > IPSec Tunnels > Proxy IDs.
2. Select the IPv4 or IPv6 tab.
3. Click Add and enter the Name in the Proxy ID field.
4. In the Local field, enter the Source IP Address.
5. In the Remote field, enter the Destination IP Address.
6. In the Protocol field, select the transport protocol (TCP or UDP) from the drop-down.
7. Click OK.

Define Cryptographic Profiles

A cryptographic profile specifies the ciphers used for authentication and/or encryption between two IKE peers, and the lifetime of the key. The time period between each renegotiation is known as the lifetime; when the specified time expires, the firewall renegotiates a new set of keys.
For securing communication across the VPN tunnel, the firewall requires IKE and IPSec cryptographic profiles for completing IKE phase 1 and phase 2 negotiations, respectively. The firewall includes a default IKE crypto profile and a default IPSec crypto profile that are ready for use.
- Define IKE Crypto Profiles
- Define IPSec Crypto Profiles


Define IKE Crypto Profiles

The IKE crypto profile is used to set up the encryption and authentication algorithms used for the key exchange process in IKE Phase 1, and the lifetime of the keys, which specifies how long the keys are valid. To invoke the profile, you must attach it to the IKE Gateway configuration.

All IKE gateways configured on the same interface or local IP address must use the same crypto profile.

Define an IKE Crypto Profile

Step 1: Create a new IKE profile.
1. Select Network > Network Profiles > IKE Crypto and select Add.
2. Enter a Name for the new profile.

Step 2: Specify the DH Group (Diffie-Hellman group) for key exchange, and the Authentication and Encryption algorithms.
Click Add in the corresponding sections (DH Group, Authentication, and Encryption) and select from the drop-downs.
If you are not certain of what the VPN peers support, add multiple groups or algorithms in the order of most to least secure as follows; the peers negotiate the strongest supported group or algorithm to establish the tunnel:
- DH Group: group20, group19, group14, group5, group2, and group1.
- Authentication: sha512, sha384, sha256, sha1, md5.
- Encryption: aes-256-cbc, aes-192-cbc, aes-128-cbc, 3des, des.
DES is available to provide backward compatibility with legacy devices that do not support stronger encryption, but as a best practice always use a stronger encryption algorithm, such as 3DES or AES, if the peer can support it.

Step 3: Specify the duration for which the key is valid and the re-authentication interval. For details, see SA Key Lifetime and Re-Authentication Interval.
1. In the Key Lifetime fields, specify the period (in seconds, minutes, hours, or days) for which the key is valid. (Range is 3 minutes to 365 days; default is 8 hours.) When the key expires, the firewall renegotiates a new key. A lifetime is the period between each renegotiation.
2. For the IKEv2 Authentication Multiple, specify a value (range is 0-50) that is multiplied by the Key Lifetime to determine the authentication count. The default value of 0 disables the re-authentication feature.

Step 4: Save your IKE Crypto profile.
Click OK and click Commit.

Step 5: Attach the IKE Crypto profile to the IKE Gateway configuration.
See Step 7 in Set Up an IKE Gateway.


Define IPSec Crypto Profiles

The IPSec crypto profile is invoked in IKE Phase 2. It specifies how the data is secured within the tunnel when Auto Key IKE is used to automatically generate keys for the IKE SAs.

Define the IPSec Crypto Profile

Step 1: Create a new IPSec profile.
1. Select Network > Network Profiles > IPSec Crypto and select Add.
2. Enter a Name for the new profile.
3. Select the IPSec Protocol, ESP or AH, that you want to apply to secure the data as it traverses the tunnel.
4. Click Add and select the Authentication and Encryption algorithms for ESP, and the Authentication algorithms for AH, so that the IKE peers can negotiate the keys for the secure transfer of data across the tunnel.
If you are not certain of what the IKE peers support, add multiple algorithms in the order of most to least secure as follows; the peers negotiate the strongest supported algorithm to establish the tunnel:
- Encryption: aes-256-gcm, aes-256-cbc, aes-192-cbc, aes-128-gcm, aes-128-ccm (the VM-Series firewall doesn't support this option), aes-128-cbc, 3des, des.
DES is available to provide backward compatibility with legacy devices that do not support stronger encryption, but as a best practice always use a stronger encryption algorithm, such as 3DES or AES, if the peer can support it.
- Authentication: sha512, sha384, sha256, sha1, md5.

Step 2: Select the DH Group to use for the IPSec SA negotiations in IKE phase 2.
Select the key strength that you want to use from the DH Group drop-down.
If you are not certain of what the VPN peers support, add multiple groups in the order of most to least secure as follows; the peers negotiate the strongest supported group to establish the tunnel: group20, group19, group14, group5, group2, and group1.
Select no-pfs if you do not want to renew the key that was created at phase 1; the current key is reused for the IPSec SA negotiations.

Step 3: Specify the duration of the key time and volume of traffic.
Using a combination of time and traffic volume allows you to ensure the safety of data.
Select the Lifetime, or time period, for which the key is valid in seconds, minutes, hours, or days (range is 3 minutes to 365 days). When the specified time expires, the firewall will renegotiate a new set of keys.
Select the Lifesize, or volume of data, after which the keys must be renegotiated.

Step 4: Save your IPSec profile.
Click OK and click Commit.

Step 5: Attach the IPSec Profile to an IPSec tunnel configuration.
See Step 4 in Set Up an IPSec Tunnel.
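The ordered proposal lists in Define IKE Crypto Profiles and Define IPSec Crypto Profiles are negotiated as the guide describes: the strongest entry both peers offer wins, and a category with nothing in common fails the negotiation. The following Python model is an added example, not PAN-OS code or code from the guide; it checks two constructed profiles for a common proposal, validates the lifetime and Authentication Multiple ranges given above, computes the re-authentication interval (lifetime times multiple), and detects a one-sided no-pfs setting. Profile names and values are constructed.

```python
"""Negotiation model for ordered IKE/IPSec crypto proposals.

Added example, not PAN-OS code. It models the behaviour described in Define IKE
Crypto Profiles and Define IPSec Crypto Profiles: each side offers an ordered
list per category, the strongest mutually supported entry is used, and a
category with no common entry fails the negotiation. It also validates the
lifetime and IKEv2 Authentication Multiple ranges the guide gives and flags the
legacy algorithms the guide says to keep only for old peers.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Strongest-first orders exactly as the guide lists them.
DH_ORDER = ["group20", "group19", "group14", "group5", "group2", "group1"]
AUTH_ORDER = ["sha512", "sha384", "sha256", "sha1", "md5"]
ENC_ORDER = {
    "ike": ["aes-256-cbc", "aes-192-cbc", "aes-128-cbc", "3des", "des"],
    "ipsec": ["aes-256-gcm", "aes-256-cbc", "aes-192-cbc", "aes-128-gcm",
              "aes-128-ccm", "aes-128-cbc", "3des", "des"],
}
LEGACY = {"des", "md5", "group1"}        # backward compatibility only
MIN_LIFETIME = 3 * 60                     # 3 minutes
MAX_LIFETIME = 365 * 24 * 3600            # 365 days


@dataclass
class CryptoProfile:
    name: str
    dh_group: List[str]                   # IPSec profiles may contain "no-pfs"
    authentication: List[str]
    encryption: List[str]
    lifetime_seconds: int = 8 * 3600      # default lifetime: 8 hours
    auth_multiple: int = 0                # default 0: re-authentication disabled


def validate_profile(p: CryptoProfile) -> List[str]:
    """Return the problems found; an empty list means the profile is acceptable."""
    issues = []
    if not MIN_LIFETIME <= p.lifetime_seconds <= MAX_LIFETIME:
        issues.append(f"{p.name}: lifetime {p.lifetime_seconds}s outside 3 min to 365 days")
    if not 0 <= p.auth_multiple <= 50:
        issues.append(f"{p.name}: authentication multiple {p.auth_multiple} outside 0 to 50")
    for cat in ("dh_group", "authentication", "encryption"):
        for alg in getattr(p, cat):
            if alg in LEGACY:
                issues.append(f"{p.name}: {cat} still offers legacy algorithm {alg}")
    return issues


def reauth_interval(p: CryptoProfile) -> Optional[int]:
    """Re-authentication interval in seconds (lifetime x multiple), None when disabled."""
    return p.lifetime_seconds * p.auth_multiple if p.auth_multiple else None


def pfs_mismatch(local: CryptoProfile, peer: CryptoProfile) -> bool:
    """True when only one side selects no-pfs: the guide's 'pfs group mismatched' case."""
    return ("no-pfs" in local.dh_group) != ("no-pfs" in peer.dh_group)


def negotiate(local: CryptoProfile, peer: CryptoProfile,
              phase: str = "ike") -> Dict[str, Optional[str]]:
    """Pick, per category, the strongest entry both sides offer.

    Unknown names rank after every listed algorithm. None in any category is
    the situation behind the guide's "no proposal chosen" and "No suitable
    proposal found in peer's SA payload" log messages.
    """
    orders = {"dh_group": DH_ORDER, "authentication": AUTH_ORDER,
              "encryption": ENC_ORDER[phase]}
    chosen: Dict[str, Optional[str]] = {}
    for cat, order in orders.items():
        common = set(getattr(local, cat)) & set(getattr(peer, cat))
        rank = lambda alg, o=order: o.index(alg) if alg in o else len(o)
        chosen[cat] = min(common, key=rank) if common else None
    return chosen


if __name__ == "__main__":
    # Constructed profiles for two peers; not taken from a real deployment.
    hq = CryptoProfile("hq", ["group20", "group19", "group14"],
                       ["sha512", "sha256"], ["aes-256-cbc", "aes-128-cbc"])
    branch = CryptoProfile("branch", ["group14", "group5"], ["sha256", "sha1"],
                           ["aes-128-cbc", "3des"], lifetime_seconds=3600, auth_multiple=8)
    print(negotiate(hq, branch))    # group14 / sha256 / aes-128-cbc
    print(reauth_interval(branch))  # 28800
```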


Set Up an IPSec Tunnel

The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses the tunnel.
If you are setting up the Palo Alto Networks firewall to work with a peer that supports policy-based VPN, you must define Proxy IDs. Devices that support policy-based VPN use specific security rules/policies or access lists (source addresses, destination addresses and ports) for permitting interesting traffic through an IPSec tunnel. These rules are referenced during quick mode/IKE phase 2 negotiation, and are exchanged as Proxy IDs in the first or the second message of the process. So, if you are configuring the Palo Alto Networks firewall to work with a policy-based VPN peer, for a successful phase 2 negotiation you must define the Proxy ID so that the setting on both peers is identical. If the Proxy ID is not configured, because the Palo Alto Networks firewall supports route-based VPN, the default values used as the Proxy ID are source ip: 0.0.0.0/0, destination ip: 0.0.0.0/0 and application: any; and when these values are exchanged with the peer, it results in a failure to set up the VPN connection.
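The Proxy ID exchange described above (and the traffic selectors in Configure IKEv2 Traffic Selectors) can be checked before committing. The following Python is an added example, not PAN-OS code: it models a Proxy ID as local subnet, remote subnet, protocol and ports, treats "identical on both peers" as mirrored (our local is the peer's remote and vice versa, the reading this example assumes), shows why the route-based defaults fail against a policy-based peer, and derives the selector to configure from a constructed log line in the format the guide's error table lists.

```python
"""Proxy ID (traffic selector) consistency check.

Added example, not PAN-OS code. It models the phase 2 behaviour described in
Set Up an IPSec Tunnel and Configure IKEv2 Traffic Selectors: each peer sends
a Proxy ID made of a local subnet, a remote subnet, a protocol and ports, and a
policy-based peer accepts it only when our local matches its remote and our
remote matches its local (the mirrored reading of "identical" assumed here).
Without a configured Proxy ID the firewall sends the route-based defaults
0.0.0.0/0 to 0.0.0.0/0, application any, which such a peer rejects.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProxyID:
    local: str                # CIDR as configured on this side
    remote: str
    protocol: int = 0         # IP protocol number; 0 = any (as in the log lines)
    local_port: int = 0       # 0 = any port
    remote_port: int = 0


# What the firewall offers when no Proxy ID is configured (route-based VPN).
ROUTE_BASED_DEFAULT = ProxyID("0.0.0.0/0", "0.0.0.0/0")


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def mismatch_reasons(ours: ProxyID, theirs: ProxyID) -> List[str]:
    """Explain why two selectors fail to mirror each other; empty list = match."""
    reasons = []
    if _net(ours.local) != _net(theirs.remote):
        reasons.append(f"our local {ours.local} != peer remote {theirs.remote}")
    if _net(ours.remote) != _net(theirs.local):
        reasons.append(f"our remote {ours.remote} != peer local {theirs.local}")
    if ours.protocol != theirs.protocol:
        reasons.append(f"protocol {ours.protocol} != peer protocol {theirs.protocol}")
    if ours.local_port != theirs.remote_port or ours.remote_port != theirs.local_port:
        reasons.append("port numbers do not mirror")
    return reasons


# Shape of the message the guide lists under Interpret VPN Error Messages.
_LOG_RE = re.compile(
    r"Received local id (?P<l>\S+) type IPv4 address protocol (?P<lp>\d+) port (?P<lport>\d+), "
    r"received remote id (?P<r>\S+) type IPv4 address protocol (?P<rp>\d+) port (?P<rport>\d+)"
)


def proxy_id_from_log(line: str) -> Optional[ProxyID]:
    """Parse the peer's selector out of the phase 2 Proxy ID failure message.

    The ids in the message are the ones the peer sent, so they are returned as
    the peer's ProxyID (its local, its remote). None if the line is unrelated.
    """
    m = _LOG_RE.search(line)
    if not m:
        return None
    return ProxyID(m["l"], m["r"], int(m["lp"]), int(m["lport"]), int(m["rport"]))


def mirrored(theirs: ProxyID) -> ProxyID:
    """The Proxy ID this firewall must configure to match a policy-based peer."""
    return ProxyID(theirs.remote, theirs.local, theirs.protocol,
                   theirs.remote_port, theirs.local_port)


if __name__ == "__main__":
    # Constructed log line in the format shown in the guide's error table.
    log = ("IKE phase-2 negotiation failed when processing Proxy ID. "
           "Received local id 192.168.69.0/24 type IPv4 address protocol 0 port 0, "
           "received remote id 172.19.9.0/24 type IPv4 address protocol 0 port 0.")
    peer = proxy_id_from_log(log)
    print(mismatch_reasons(ROUTE_BASED_DEFAULT, peer))   # why the defaults fail
    print(mirrored(peer))                                 # what to configure
```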

Set Up an IPSec Tunnel

Step 1: Select Network > IPSec Tunnels > General and enter a Name for the new tunnel.

Step 2: Select the Tunnel interface that will be used to set up the IPSec tunnel.
To create a new tunnel interface:
1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, such as .2.
3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
- To use your trust zone as the termination point for the tunnel, select the zone from the drop-down. Associating the tunnel interface with the same zone (and virtual router) as the external-facing interface on which the packets enter the firewall mitigates the need to create inter-zone routing.
- (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpn-corp), and click OK.
4. In the Virtual Router drop-down, select default.
5. (Optional) If you want to assign an IPv4 address to the tunnel interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.31.32.1/32.
6. If you want to assign an IPv6 address to the tunnel interface, see Step 3.
7. To save the interface configuration, click OK.


Step 3: (Optional) Enable IPv6 on the tunnel interface.
1. Select the IPv6 tab on Network > Interfaces > Tunnel > IPv6.
2. Select the check box to Enable IPv6 on the interface.
This option allows you to route IPv6 traffic over an IPv4 IPSec tunnel and will provide confidentiality between IPv6 networks. The IPv6 traffic is encapsulated by IPv4 and then ESP. To route IPv6 traffic to the tunnel, you can use a static route to the tunnel, or use OSPFv3, or use a Policy-Based Forwarding (PBF) rule to direct traffic to the tunnel.
3. Enter the 64-bit extended unique Interface ID in hexadecimal format, for example, 00:26:08:FF:FE:DE:4E:29. By default, the firewall will use the EUI-64 generated from the physical interface's MAC address.
4. To enter an IPv6 Address, click Add and enter an IPv6 address and prefix length, for example 2001:400:f00::1/64. If Prefix is not selected, the IPv6 address assigned to the interface will be wholly specified in the address text box.
a. Select Use interface ID as host portion to assign an IPv6 address to the interface that will use the interface ID as the host portion of the address.
b. Select Anycast to include routing through the nearest node.

Step 4: Select the type of key that will be used to secure the IPSec tunnel.
Continue to one of the following steps, depending on what type of key exchange you are using:
- Set up Auto Key exchange.
- Set up a Manual Key exchange.

Set up Auto Key exchange.
1. Select the IKE Gateway. To set up an IKE gateway, see Set Up an IKE Gateway.
2. (Optional) Select the default IPSec Crypto Profile. To create a new IPSec Profile, see Define IPSec Crypto Profiles.

Set up a Manual Key exchange.
1. Set up the parameters for the local firewall:
a. Specify the SPI for the local firewall. The SPI is a 32-bit hexadecimal index that is added to the header for IPSec tunneling to assist in differentiating between IPSec traffic flows; it is used to create the SA required for establishing a VPN tunnel.
b. Select the Interface that will be the tunnel endpoint, and optionally select the IP address for the local interface that is the endpoint of the tunnel.
c. Select the protocol to be used: AH or ESP.
d. For AH, select the Authentication method from the drop-down and enter a Key and then Confirm Key.
e. For ESP, select the Authentication method from the drop-down and enter a Key and then Confirm Key. Then, select the Encryption method and enter a Key and then Confirm Key, if needed.
2. Set up the parameters that pertain to the remote VPN peer.
a. Specify the SPI for the remote peer.
b. Enter the Remote Address, the IP address of the remote peer.


Step 5: Protect against a replay attack. A replay attack occurs when a packet is maliciously intercepted and retransmitted by the interceptor.
Select the Show Advanced Options check box, then select Enable Replay Protection to detect and neutralize replay attacks.

Step 6: (Optional) Preserve the Type of Service header for the priority or treatment of IP packets.
In the Show Advanced Options section, select Copy TOS Header. This copies the Type of Service (TOS) header from the inner IP header to the outer IP header of the encapsulated packets in order to preserve the original TOS information.
If there are multiple sessions inside the tunnel (each with a different TOS value), copying the TOS header can cause the IPSec packets to arrive out of order.

Step 7: Enable Tunnel Monitoring.
You need to assign an IP address to the tunnel interface for monitoring.
To alert the device administrator to tunnel failures and to provide automatic failover to another tunnel interface:
1. Specify a Destination IP address on the other side of the tunnel to determine if the tunnel is working properly.
2. Select a Profile to determine the action on tunnel failure. To create a new profile, see Define a Tunnel Monitoring Profile.

Step 8: (Required only if the VPN peer uses policy-based VPN.) Create a Proxy ID to identify the VPN peers.
1. Select Network > IPSec Tunnels and click Add.
2. Select the Proxy IDs tab.
3. Select the IPv4 or IPv6 tab.
4. Click Add and enter the Proxy ID name.
5. Enter the Local IP address or subnet for the VPN gateway.
6. Enter the Remote address for the VPN gateway.
7. Select the Protocol from the drop-down:
- Number: Specify the protocol number (used for interoperability with third-party devices).
- Any: Allows TCP and/or UDP traffic.
- TCP: Specify the Local Port and Remote Port numbers.
- UDP: Specify the Local Port and Remote Port numbers.
8. Click OK.

Step 9: Save your changes.
Click OK and Commit.


Set Up Tunnel Monitoring

To provide uninterrupted VPN service, you can use the Dead Peer Detection capability along with the tunnel monitoring capability on the firewall. You can also monitor the status of the tunnel. These monitoring tasks are described in the following sections:
- Define a Tunnel Monitoring Profile
- View the Status of the Tunnels

Define a Tunnel Monitoring Profile

A tunnel monitoring profile allows you to verify connectivity between the VPN peers; you can configure the tunnel interface to ping a destination IP address at a specified interval and specify the action if the communication across the tunnel is broken.

Define a Tunnel Monitoring Profile

Step 1: Select Network > Network Profiles > Monitor. A default tunnel monitoring profile is available for use.

Step 2: Click Add, and enter a Name for the profile.

Step 3: Select the Action if the destination IP address is unreachable.
- Wait Recover: The firewall waits for the tunnel to recover. It continues to use the tunnel interface in routing decisions as if the tunnel were still active.
- Fail Over: Forces traffic to a backup path if one is available. The firewall disables the tunnel interface, and thereby disables any routes in the routing table that use the interface.
In either case, the firewall attempts to accelerate the recovery by negotiating new IPSec keys.

Step 4: Specify the Interval and Threshold to trigger the specified action.
The Threshold specifies the number of heartbeats to wait before taking the specified action. The range is 2-100 and the default is 5.
The Interval measures the time between heartbeats. The range is 2-10 and the default is 3 seconds.

Step 5: Attach the monitoring profile to the IPSec Tunnel configuration. See Enable Tunnel Monitoring.
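The profile defined in the steps above can be reasoned about before it is deployed: how long connectivity must be lost before the action fires, and what each action does to the routing table. The following Python simulation is an added example, not PAN-OS code; the tunnel, its routes and the heartbeat results are constructed, and re-enabling the interface when heartbeats resume is a simplifying assumption of the model, not a behaviour the guide states.

```python
"""Tunnel monitor behaviour model.

Added example, not PAN-OS code. It simulates the profile described in Define a
Tunnel Monitoring Profile: one heartbeat to the Destination IP every Interval
seconds, and after Threshold consecutive missed heartbeats the chosen Action
runs. Wait Recover keeps the tunnel interface in routing decisions; Fail Over
disables the interface and with it every route that uses it. Ranges are the
guide's (Interval 2 to 10 seconds, Threshold 2 to 100). Re-enabling the
interface when heartbeats resume is an assumption of this model.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class MonitorProfile:
    action: str            # "wait-recover" or "fail-over"
    interval: int = 3      # seconds between heartbeats (default 3)
    threshold: int = 5     # missed heartbeats before acting (default 5)

    def validate(self) -> List[str]:
        """Problems with the profile against the guide's ranges; empty = OK."""
        issues = []
        if self.action not in ("wait-recover", "fail-over"):
            issues.append(f"unknown action {self.action!r}")
        if not 2 <= self.interval <= 10:
            issues.append(f"interval {self.interval} outside 2 to 10 seconds")
        if not 2 <= self.threshold <= 100:
            issues.append(f"threshold {self.threshold} outside 2 to 100")
        return issues

    def detection_time(self) -> int:
        """Seconds of lost connectivity before the action fires."""
        return self.interval * self.threshold


@dataclass
class Tunnel:
    interface: str                       # constructed, e.g. tunnel.11
    routes: Dict[str, str]               # destination -> egress interface (constructed)
    enabled: bool = True
    missed: int = 0
    events: List[str] = field(default_factory=list)

    def usable_routes(self) -> Dict[str, str]:
        """Routes the virtual router may still use: a disabled interface loses its routes."""
        return {dst: ifc for dst, ifc in self.routes.items()
                if ifc != self.interface or self.enabled}


def run_monitor(profile: MonitorProfile, tunnel: Tunnel, heartbeats: List[bool]) -> Tunnel:
    """Feed heartbeat results (True = reply received) through the monitor."""
    for n, ok in enumerate(heartbeats, start=1):
        t = n * profile.interval
        if ok:
            if tunnel.missed >= profile.threshold and not tunnel.enabled:
                tunnel.enabled = True   # model assumption: recovery re-enables the interface
                tunnel.events.append(f"t={t}s {tunnel.interface} re-enabled")
            tunnel.missed = 0
            continue
        tunnel.missed += 1
        if tunnel.missed == profile.threshold:
            # Both actions: the firewall renegotiates IPSec keys to speed recovery.
            tunnel.events.append(f"t={t}s threshold reached, renegotiating IPSec keys")
            if profile.action == "fail-over":
                tunnel.enabled = False
                tunnel.events.append(f"t={t}s fail-over: {tunnel.interface} disabled, routes withdrawn")
            else:
                tunnel.events.append(f"t={t}s wait-recover: {tunnel.interface} kept in routing")
    return tunnel


if __name__ == "__main__":
    profile = MonitorProfile("fail-over")            # defaults: 3 s x 5 = 15 s
    tun = Tunnel("tunnel.11", {"192.168.69.0/24": "tunnel.11", "10.0.0.0/8": "ethernet1/1"})
    run_monitor(profile, tun, [True, False, False, False, False, False])
    print(profile.detection_time(), tun.usable_routes(), tun.events, sep="\n")
```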


View the Status of the Tunnels

The status of the tunnel informs you about whether or not valid IKE phase 1 and phase 2 SAs have been established, and whether the tunnel interface is up and available for passing traffic.
Because the tunnel interface is a logical interface, it cannot indicate a physical link status. Therefore, you must enable tunnel monitoring so that the tunnel interface can verify connectivity to an IP address and determine if the path is still usable. If the IP address is unreachable, the firewall will either wait for the tunnel to recover or fail over. When a failover occurs, the existing tunnel is torn down and routing changes are triggered to set up a new tunnel and redirect traffic.

View Tunnel Status

Step 1: Select Network > IPSec Tunnels.

Step 2: View the Tunnel Status.
- Green indicates a valid IPSec SA tunnel.
- Red indicates that the IPSec SA is not available or has expired.

Step 3: View the IKE Gateway Status.
- Green indicates a valid IKE phase 1 SA.
- Red indicates that the IKE phase 1 SA is not available or has expired.

Step 4: View the Tunnel Interface Status.
- Green indicates that the tunnel interface is up.
- Red indicates that the tunnel interface is down, because tunnel monitoring is enabled and the status is down.

To troubleshoot a VPN tunnel that is not yet up, see Interpret VPN Error Messages.

Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel

You can enable, disable, refresh or restart an IKE gateway or VPN tunnel to make troubleshooting easier.

Enable or Disable an IKE Gateway or Tunnel

Enable or disable an IKE gateway.
1. Select Network > Network Profiles > IKE Gateways and select the gateway you want to enable or disable.
2. At the bottom of the screen, click Enable or Disable.

Enable or disable an IPSec tunnel.
1. Select Network > IPSec Tunnels and select the tunnel you want to enable or disable.
2. At the bottom of the screen, click Enable or Disable.


The refresh and restart behaviors for an IKE gateway and IPSec tunnel are as follows:

Phase: IKE Gateway (IKE Phase 1)
Refresh: Updates the onscreen statistics for the selected IKE gateway. Equivalent to issuing a second show command in the CLI (after an initial show command).
Restart: Restarts the selected IKE gateway.
- IKEv2: Also restarts any associated child IPSec security associations (SAs).
- IKEv1: Does not restart the associated IPSec SAs.
A restart is disruptive to all existing sessions. Equivalent to issuing a clear, test, show command sequence in the CLI.

Phase: IPSec Tunnel (IKE Phase 2)
Refresh: Updates the onscreen statistics for the selected IPSec tunnel. Equivalent to issuing a second show command in the CLI (after an initial show command).
Restart: Restarts the IPSec tunnel. A restart is disruptive to all existing sessions. Equivalent to issuing a clear, test, show command sequence in the CLI.

As the table above indicates, restarting an IKEv2 gateway has a result different from restarting an IKEv1 gateway.

Refresh or Restart an IKE Gateway or IPSec Tunnel

Refresh or restart an IKE gateway.
1. Select Network > IPSec Tunnels and select the tunnel for the gateway you want to refresh or restart.
2. In the row for that tunnel, under the Status column, click IKE Info.
3. At the bottom of the IKE Info screen, click the action you want:
- Refresh: Updates the statistics on the screen.
- Restart: Clears the SAs, so traffic is dropped until the IKE negotiation starts over and the tunnel is recreated.

Refresh or restart an IPSec tunnel.
You might determine that the tunnel needs to be refreshed or restarted because you use the tunnel monitor to monitor the tunnel status, or you use an external network monitor to monitor network connectivity through the IPSec tunnel.
1. Select Network > IPSec Tunnels and select the tunnel you want to refresh or restart.
2. In the row for that tunnel, under the Status column, click Tunnel Info.
3. At the bottom of the Tunnel Info screen, click the action you want:
- Refresh: Updates the onscreen statistics.
- Restart: Clears the SAs, so traffic is dropped until the IKE negotiation starts over and the tunnel is recreated.


Test VPN Connectivity

Test Connectivity

Initiate IKE phase 1 by either pinging a host across the tunnel or using the following CLI command:
    test vpn ike-sa gateway <gateway_name>
Then enter the following command to test if IKE phase 1 is set up:
    show vpn ike-sa gateway <gateway_name>
In the output, check if the Security Association displays. If it does not, review the system log messages to interpret the reason for failure.
Initiate IKE phase 2 by either pinging a host from across the tunnel or using the following CLI command:
    test vpn ipsec-sa tunnel <tunnel_name>
Then enter the following command to test if IKE phase 2 is set up:
    show vpn ipsec-sa tunnel <tunnel_name>
In the output, check if the Security Association displays. If it does not, review the system log messages to interpret the reason for failure.
To view the VPN traffic flow information, use the following command:
    show vpn flow

admin@PA-500> show vpn flow
total tunnels configured: 1
filter - type IPSec, state any
total IPSec tunnel configured: 1
total IPSec tunnel shown: 1

name            id    state    local-ip     peer-ip      tunnel-i/f
-----------------------------------------------------------------------------
vpn-to-siteB    5     active   100.1.1.1    200.1.1.1    tunnel.41

Interpret VPN Error Messages

The following table lists some of the common VPN error messages that are logged in the system log.

Table: Syslog Error Messages for VPN Issues

If error is this:
    IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: x.x.x.x[500]-y.y.y.y[500] cookie:84222f276c2fa2e9:0000000000000000 due to timeout.
    or
    IKE phase 1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP x.x.x.x[1929]
Try this:
    Verify that the public IP address for each VPN peer is accurate in the IKE Gateway configuration.
    Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure.


If error is this:
    Received unencrypted notify payload (no proposal chosen) from IP x.x.x.x[500] to y.y.y.y[500], ignored...
    or
    IKE phase-1 negotiation is failed. Unable to process peer's SA payload.
Try this:
    Check the IKE Crypto profile configuration to verify that the proposals on both sides have a common encryption, authentication, and DH Group proposal.

If error is this:
    pfs group mismatched: my: 2 peer: 0
    or
    IKE phase-2 negotiation failed when processing SA payload. No suitable proposal found in peer's SA payload.
Try this:
    Check the IPSec Crypto profile configuration to verify that:
    - pfs is either enabled or disabled on both VPN peers
    - the DH Groups proposed by each peer have at least one DH Group in common

If error is this:
    IKE phase-2 negotiation failed when processing Proxy ID. Received local id x.x.x.x/x type IPv4 address protocol 0 port 0, received remote id y.y.y.y/y type IPv4 address protocol 0 port 0.
Try this:
    The VPN peer on one end is using policy-based VPN. You must configure a Proxy ID on the Palo Alto Networks firewall. See Step 8.
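The table above pairs each message shape with a check to run. The following Python triage is an added example, not PAN-OS code: it classifies system-log lines into the table's four cases, attaches the corresponding check, and extracts the ip[port] endpoints the phase 1 messages carry, so a batch of lines reduces to "which check, against which peer". The sample lines are constructed in the table's format with documentation addresses.

```python
"""Triage of VPN messages from the system log.

Added example, not PAN-OS code. It maps the message shapes listed in the
Interpret VPN Error Messages table to the corrective check the guide gives
for each, and extracts the ip[port] endpoints the phase 1 messages carry.
The sample lines below are constructed in the table's format.
"""
import re
from typing import Dict, List, Optional

# (category, pattern, advice) in the order the guide's table presents them.
RULES = [
    ("phase1-peer-unreachable",
     re.compile(r"phase[- ]?1 negotiation is failed.*?(due to timeout|Couldn't find configuration)", re.I),
     "Verify the peers' public IP addresses in the IKE Gateway configuration, "
     "then confirm they can be pinged and routing is not causing the failure."),
    ("phase1-no-common-proposal",
     re.compile(r"no proposal chosen|Unable to process peer's SA payload", re.I),
     "Check the IKE Crypto profiles: both sides need a common encryption, "
     "authentication and DH Group proposal."),
    ("phase2-pfs-or-proposal",
     re.compile(r"pfs group mismatched|No suitable proposal found in peer's SA payload", re.I),
     "Check the IPSec Crypto profiles: PFS enabled or disabled on both peers, "
     "and at least one DH Group in common."),
    ("phase2-proxy-id",
     re.compile(r"failed when processing Proxy ID", re.I),
     "The peer uses policy-based VPN: configure a matching Proxy ID on the firewall."),
]

# IPv4 endpoints appear as address[port] in the phase 1 messages.
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\[(\d+)\]")


def triage(line: str) -> Optional[Dict[str, object]]:
    """Classify one log line; None when it is not one of the known VPN errors."""
    for category, pattern, advice in RULES:
        if pattern.search(line):
            endpoints = [(ip, int(port)) for ip, port in ENDPOINT_RE.findall(line)]
            return {"category": category, "advice": advice, "endpoints": endpoints}
    return None


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count known VPN errors per category across a batch of log lines."""
    counts: Dict[str, int] = {}
    for line in lines:
        hit = triage(line)
        if hit:
            category = str(hit["category"])
            counts[category] = counts.get(category, 0) + 1
    return counts


SAMPLE_LOG = [  # constructed lines following the table's message formats
    "IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: "
    "203.0.113.10[500]-198.51.100.20[500] cookie:84222f276c2fa2e9:0000000000000000 due to timeout.",
    "Received unencrypted notify payload (no proposal chosen) from IP "
    "198.51.100.20[500] to 203.0.113.10[500], ignored...",
    "pfs group mismatched: my: 2 peer: 0",
    "IKE phase-2 negotiation failed when processing Proxy ID. Received local id "
    "192.168.69.0/24 type IPv4 address protocol 0 port 0, received remote id "
    "172.19.9.0/24 type IPv4 address protocol 0 port 0.",
    "User admin logged in via Web from 10.0.0.5 using https",   # unrelated line
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry))
    print(summarize(SAMPLE_LOG))
```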


Site-to-Site VPN Quick Configs

The following sections provide instructions for configuring some common VPN deployments:
- Site-to-Site VPN with Static Routing
- Site-to-Site VPN with OSPF
- Site-to-Site VPN with Static and Dynamic Routing

Site-to-Site VPN with Static Routing

The following example shows a VPN connection between two sites that use static routes. Without dynamic routing, the tunnel interfaces on VPN Peer A and VPN Peer B do not require an IP address because the firewall automatically uses the tunnel interface as the next hop for routing traffic across the sites. However, to enable tunnel monitoring, a static IP address has been assigned to each tunnel interface.


Quick Config: Site-to-Site VPN with Static Routing

Step 1: Configure a Layer 3 interface. This interface is used for the IKE phase 1 tunnel.
1. Select Network > Interfaces > Ethernet and then select the interface you want to configure for VPN.
2. Select Layer3 from the Interface Type drop-down.
3. On the Config tab, select the Security Zone to which the interface belongs:
- The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
- If you have not yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone and then click OK.
4. Select the Virtual Router to use.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.210.26/24.
6. To save the interface configuration, click OK.
In this example, the configuration for VPN Peer A is:
- Interface: ethernet1/7
- Security Zone: untrust
- Virtual Router: default
- IPv4: 192.168.210.26/24
The configuration for VPN Peer B is:
- Interface: ethernet1/11
- Security Zone: untrust
- Virtual Router: default
- IPv4: 192.168.210.120/24


Step 2: Create a tunnel interface and attach it to a virtual router and security zone.
1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, such as .1.
3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
- To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
- (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpn-tun), and then click OK.
4. Select the Virtual Router.
5. (Optional) To assign an IP address to the tunnel interface, select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface.
With static routes, the tunnel interface does not require an IP address. For traffic that is destined to a specified subnet/IP address, the tunnel interface will automatically become the next hop. Consider adding an IP address if you want to enable tunnel monitoring.
6. To save the interface configuration, click OK.
In this example, the configuration for VPN Peer A is:
- Interface: tunnel.11
- Security Zone: vpn_tun
- Virtual Router: default
- IPv4: 172.19.9.2/24
The configuration for VPN Peer B is:
- Interface: tunnel.12
- Security Zone: vpn_tun
- Virtual Router: default
- IPv4: 192.168.69.2/24

Step 3: Configure a static route, on the virtual router, to the destination subnet.
1. Select Network > Virtual Router and click the router you defined in the prior step.
2. Select Static Route, click Add, and enter a new route to access the subnet that is at the other end of the tunnel.
In this example, the configuration for VPN Peer A is:
- Destination: 192.168.69.0/24
- Interface: tunnel.11
The configuration for VPN Peer B is:
- Destination: 172.19.9.0/24
- Interface: tunnel.12

Step 4: Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2). Complete this task on both peers and make sure to set identical values.
1. Select Network > Network Profiles > IKE Crypto. In this example, we use the default profile.
2. Select Network > Network Profiles > IPSec Crypto. In this example, we use the default profile.

Step 5  Set up the IKE Gateway.
  1. Select Network > Network Profiles > IKE Gateway.
  2. Click Add and configure the options in the General tab.
  In this example, the configuration for VPN Peer A is:
     Interface: ethernet1/7
     Local IP address: 192.168.210.26/24
     Peer IP type/address: static/192.168.210.120
     Pre-shared keys: enter a value
     Local identification: None; this means that the local IP address will be used as the local identification value.
  The configuration for VPN Peer B is:
     Interface: ethernet1/11
     Local IP address: 192.168.210.120/24
     Peer IP type/address: static/192.168.210.26
     Pre-shared keys: enter the same value as on Peer A
     Local identification: None
  3. Select Advanced Phase 1 Options and select the IKE Crypto profile you created earlier to use for IKE phase 1.

Step 6  Set up the IPSec Tunnel.
  1. Select Network > IPSec Tunnels.
  2. Click Add and configure the options in the General tab.
  In this example, the configuration for VPN Peer A is:
     Tunnel Interface: tunnel.11
     Type: Auto Key
     IKE Gateway: Select the IKE Gateway defined above.
     IPSec Crypto Profile: Select the IPSec Crypto profile defined in Step 4.
  The configuration for VPN Peer B is:
     Tunnel Interface: tunnel.12
     Type: Auto Key
     IKE Gateway: Select the IKE Gateway defined above.
     IPSec Crypto Profile: Select the IPSec Crypto profile defined in Step 4.
  3. (Optional) Select Show Advanced Options, select Tunnel Monitor, and specify a Destination IP address to ping for verifying connectivity. Typically, the tunnel interface IP address of the VPN peer is used.
  4. (Optional) To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.

Step 7  Create policies to allow traffic between the sites (subnets).
  1. Select Policies > Security.
  2. Create rules to allow traffic between the untrust and the vpn-tun zone and the vpn-tun and the untrust zone for traffic originating from specified source and destination IP addresses.

Step 8  Save any pending configuration changes.
  Click Commit.

Step 9  Test VPN connectivity.
  See View the Status of the Tunnels.
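The following is an added example, not part of this guide and not PAN-OS code: a Python script that models the settings the two peers receive in Steps 1 through 6 and checks that the two halves agree before you commit. The addresses, interface names and route destinations are the ones used in this quick config; the pre-shared key value and the "Peer A" / "Peer B" labels are constructed. Beyond the IKE address and pre-shared key symmetry, it checks that each peer's static route carries the remote tunnel address out of its own tunnel interface and flags the case the note in Step 2 warns about, tunnel monitoring enabled on a tunnel interface that has no IP address.

```python
"""Consistency check for a pair of site-to-site VPN peer configurations.

Added example, not PAN-OS code. It models only the fields the quick config
sets on each peer and reports where the two halves disagree.
"""
import ipaddress
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional


@dataclass
class PeerConfig:
    name: str
    local_ip: str                     # IKE gateway Local IP address (with prefix length)
    peer_ip: str                      # IKE gateway Peer IP address (static)
    psk: str                          # pre-shared key
    ike_crypto: str                   # IKE Crypto profile name
    ipsec_crypto: str                 # IPSec Crypto profile name
    tunnel_if: str                    # tunnel interface bound to the IPSec tunnel
    tunnel_ip: Optional[str]          # tunnel interface address, optional with static routes
    static_routes: Dict[str, str] = field(default_factory=dict)  # destination -> interface
    tunnel_monitor_dst: Optional[str] = None  # Tunnel Monitor destination IP, if enabled


def egress_interface(peer: PeerConfig, dst: str) -> Optional[str]:
    """Longest-prefix match of dst against the peer's static routes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in peer.static_routes.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def check_pair(a: PeerConfig, b: PeerConfig) -> List[str]:
    """Return the list of mismatches; an empty list means the peers agree."""
    problems: List[str] = []
    # IKE phase 1: each side's peer address must be the other side's local address.
    for local, remote in ((a, b), (b, a)):
        if ipaddress.ip_address(local.peer_ip) != ipaddress.ip_interface(remote.local_ip).ip:
            problems.append(f"{local.name}: peer IP {local.peer_ip} is not {remote.name}'s local IP")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    if a.ike_crypto != b.ike_crypto:
        problems.append("IKE Crypto profiles differ")
    if a.ipsec_crypto != b.ipsec_crypto:
        problems.append("IPSec Crypto profiles differ")
    # Routing and monitoring: traffic for the remote tunnel address must use the local tunnel.
    for local, remote in ((a, b), (b, a)):
        remote_addr = None if remote.tunnel_ip is None else str(ipaddress.ip_interface(remote.tunnel_ip).ip)
        if remote_addr is not None and egress_interface(local, remote_addr) != local.tunnel_if:
            problems.append(f"{local.name}: no static route sends {remote_addr} via {local.tunnel_if}")
        if local.tunnel_monitor_dst is not None:
            if local.tunnel_ip is None:
                problems.append(f"{local.name}: tunnel monitoring needs an IP address on {local.tunnel_if}")
            if local.tunnel_monitor_dst != remote_addr:
                problems.append(f"{local.name}: tunnel monitor destination is not {remote.name}'s tunnel IP")
    return problems


# Values from the quick config; the key is a constructed placeholder.
SHARED_SECRET = "example-psk-replace-me"
PEER_A = PeerConfig("Peer A", "192.168.210.26/24", "192.168.210.120", SHARED_SECRET,
                    "default", "default", "tunnel.11", "172.19.9.2/24",
                    {"192.168.69.0/24": "tunnel.11"}, tunnel_monitor_dst="192.168.69.2")
PEER_B = PeerConfig("Peer B", "192.168.210.120/24", "192.168.210.26", SHARED_SECRET,
                    "default", "default", "tunnel.12", "192.168.69.2/24",
                    {"172.19.9.0/24": "tunnel.12"}, tunnel_monitor_dst="172.19.9.2")

# Two constructed misconfigurations to show what the check reports.
BROKEN_PSK_B = replace(PEER_B, psk="typo-on-peer-b")
NO_ROUTE_B = replace(PEER_B, static_routes={})

if __name__ == "__main__":
    for label, b in (("as configured", PEER_B), ("bad PSK", BROKEN_PSK_B), ("no route", NO_ROUTE_B)):
        print(label, "->", check_pair(PEER_A, b) or "consistent")
```

The same check_pair function accepts any two peer definitions, so it can be reused for other static-routing site-to-site pairs; only the sample constants are specific to this quick config.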

Site-to-Site VPN with OSPF

In this example, each site uses OSPF for dynamic routing of traffic. The tunnel IP address on each VPN peer is statically assigned and serves as the next hop for routing traffic between the two sites.

Quick Config: Site-to-Site VPN with Dynamic Routing using OSPF

Step 1  Configure the Layer 3 interfaces on each firewall.
  1. Select Network > Interfaces > Ethernet and then select the interface you want to configure for VPN.
  2. Select Layer3 from the Interface Type drop-down.
  3. On the Config tab, select the Security Zone to which the interface belongs:
     - The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
     - If you have not yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone and then click OK.
  4. Select the Virtual Router to use.
  5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.210.26/24.
  6. To save the interface configuration, click OK.
  In this example, the configuration for VPN Peer A is:
     Interface: ethernet1/7
     Security Zone: untrust
     Virtual Router: default
     IPv4: 100.1.1.1/24
  The configuration for VPN Peer B is:
     Interface: ethernet1/11
     Security Zone: untrust
     Virtual Router: default
     IPv4: 200.1.1.1/24

Step 2  Create a tunnel interface and attach it to a virtual router and security zone.
  1. Select Network > Interfaces > Tunnel and click Add.
  2. In the Interface Name field, specify a numeric suffix, say, .11.
  3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
     - To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
     - (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpn-tun), and then click OK.
  4. Select the Virtual Router.
  5. Assign an IP address to the tunnel interface: select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask/prefix to assign to the interface, for example, 172.19.9.2/24.
     This IP address will be used as the next hop IP address to route traffic to the tunnel and can also be used to monitor the status of the tunnel.
  6. To save the interface configuration, click OK.
  In this example, the configuration for VPN Peer A is:
     Interface: tunnel.41
     Security Zone: vpn_tun
     Virtual Router: default
     IPv4: 2.1.1.141/24
  The configuration for VPN Peer B is:
     Interface: tunnel.40
     Security Zone: vpn_tun
     Virtual Router: default
     IPv4: 2.1.1.140/24

Step 3  Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2).
Complete this task on both peers and make sure to set identical values.
  1. Select Network > Network Profiles > IKE Crypto. In this example, we use the default profile.
  2. Select Network > Network Profiles > IPSec Crypto. In this example, we use the default profile.

Step 4  Set up the OSPF configuration on the virtual router and attach the OSPF areas with the appropriate interfaces on the firewall.
For more information on the OSPF options that are available on the firewall, see Configure OSPF.
Use Broadcast as the link type when there are more than two OSPF routers that need to exchange routing information.
  1. Select Network > Virtual Routers, and select the default router or add a new router.
  2. Select OSPF (for IPv4) or OSPFv3 (for IPv6) and select Enable.
  3. In this example, the OSPF configuration for VPN Peer A is:
     Router ID: 192.168.100.141
     Area ID: 0.0.0.0, assigned to the tunnel.1 interface with Link type: p2p
     Area ID: 0.0.0.10, assigned to the interface Ethernet1/1 with Link Type: Broadcast
  The OSPF configuration for VPN Peer B is:
     Router ID: 192.168.100.140
     Area ID: 0.0.0.0, assigned to the tunnel.1 interface with Link type: p2p
     Area ID: 0.0.0.20, assigned to the interface Ethernet1/15 with Link Type: Broadcast

Step 5  Set up the IKE Gateway.
This example uses static IP addresses for both VPN peers. Typically, the corporate office uses a statically configured IP address, and the branch side can be a dynamic IP address; dynamic IP addresses are not best suited for configuring stable services such as VPN.
  1. Select Network > Network Profiles > IKE Gateway.
  2. Click Add and configure the options in the General tab.
  In this example, the configuration for VPN Peer A is:
     Interface: ethernet1/7
     Local IP address: 100.1.1.1/24
     Peer IP address: 200.1.1.1/24
     Pre-shared keys: enter a value
  The configuration for VPN Peer B is:
     Interface: ethernet1/11
     Local IP address: 200.1.1.1/24
     Peer IP address: 100.1.1.1/24
     Pre-shared keys: enter the same value as on Peer A
  3. Select the IKE Crypto profile you created earlier to use for IKE phase 1.

Step 6  Set up the IPSec Tunnel.
  1. Select Network > IPSec Tunnels.
  2. Click Add and configure the options in the General tab.
  In this example, the configuration for VPN Peer A is:
     Tunnel Interface: tunnel.41
     Type: Auto Key
     IKE Gateway: Select the IKE Gateway defined above.
     IPSec Crypto Profile: Select the IPSec Crypto profile defined in Step 3.
  The configuration for VPN Peer B is:
     Tunnel Interface: tunnel.40
     Type: Auto Key
     IKE Gateway: Select the IKE Gateway defined above.
     IPSec Crypto Profile: Select the IPSec Crypto profile defined in Step 3.
  3. Select Show Advanced Options, select Tunnel Monitor, and specify a Destination IP address to ping for verifying connectivity.
  4. To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.

Step 7  Create policies to allow traffic between the sites (subnets).
  1. Select Policies > Security.
  2. Create rules to allow traffic between the untrust and the vpn-tun zone and the vpn-tun and the untrust zone for traffic originating from specified source and destination IP addresses.

Step 8  Verify OSPF adjacencies and routes from the CLI.
  Verify that both firewalls can see each other as neighbors with Full status. Also confirm the IP address of the VPN peer's tunnel interface and the OSPF Router ID. Use the following CLI commands on each VPN peer:
     show routing protocol ospf neighbor
     show routing route type ospf

Step 9  Test VPN connectivity.
  See Set Up Tunnel Monitoring and View the Status of the Tunnels.

Site-to-Site VPN with Static and Dynamic Routing

In this example, one site uses static routes and the other site uses OSPF. When the routing protocol is not the same between the locations, the tunnel interface on each firewall must be configured with a static IP address. Then, to allow the exchange of routing information, the firewall that participates in both the static and dynamic routing process must be configured with a Redistribution profile. Configuring the redistribution profile enables the virtual router to redistribute and filter routes between protocols (static routes, connected routes, and hosts) from the static autonomous system to the OSPF autonomous system. Without this redistribution profile, each protocol functions on its own and does not exchange any route information with other protocols running on the same virtual router.

In this example, the satellite office has static routes and all traffic destined to the 192.168.x.x network is routed to tunnel.41. The virtual router on VPN Peer B participates in both the static and the dynamic routing process and is configured with a redistribution profile in order to propagate (export) the static routes to the OSPF autonomous system.

Quick Config: Site-to-Site VPN with Static and Dynamic Routing

Step 1  Configure the Layer 3 interfaces on each firewall.
  1. Select Network > Interfaces > Ethernet and then select the interface you want to configure for VPN.
  2. Select Layer3 from the Interface Type drop-down.
  3. On the Config tab, select the Security Zone to which the interface belongs:
     - The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
     - If you have not yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone and then click OK.
  4. Select the Virtual Router to use.
  5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.210.26/24.
  6. To save the interface configuration, click OK.
  In this example, the configuration for VPN Peer A is:
     Interface: ethernet1/7
     Security Zone: untrust
     Virtual Router: default
     IPv4: 100.1.1.1/24
  The configuration for VPN Peer B is:
     Interface: ethernet1/11
     Security Zone: untrust
     Virtual Router: default
     IPv4: 200.1.1.1/24

Step 2  Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2).
Complete this task on both peers and make sure to set identical values.
  1. Select Network > Network Profiles > IKE Crypto. In this example, we use the default profile.
  2. Select Network > Network Profiles > IPSec Crypto. In this example, we use the default profile.

Step 3  Set up the IKE Gateway.
With pre-shared keys, to add authentication scrutiny when setting up the IKE phase 1 tunnel, you can set up Local and Peer Identification attributes and a corresponding value that is matched in the IKE negotiation process.
  1. Select Network > Network Profiles > IKE Gateway.
  2. Click Add and configure the options in the General tab.
  In this example, the configuration for VPN Peer A is:
     Interface: ethernet1/7
     Local IP address: 100.1.1.1/24
     Peer IP type: dynamic
     Pre-shared keys: enter a value
     Local identification: select FQDN (hostname) and enter the value for VPN Peer A.
     Peer identification: select FQDN (hostname) and enter the value for VPN Peer B.
  The configuration for VPN Peer B is:
     Interface: ethernet1/11
     Local IP address: 200.1.1.1/24
     Peer IP address: dynamic
     Pre-shared keys: enter the same value as on Peer A
     Local identification: select FQDN (hostname) and enter the value for VPN Peer B.
     Peer identification: select FQDN (hostname) and enter the value for VPN Peer A.
  3. Select the IKE Crypto profile you created earlier to use for IKE phase 1.

Step 4  Create a tunnel interface and attach it to a virtual router and security zone.
  1. Select Network > Interfaces > Tunnel and click Add.
  2. In the Interface Name field, specify a numeric suffix, say, .41.
  3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
     - To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
     - (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpn-tun), and then click OK.
  4. Select the Virtual Router.
  5. Assign an IP address to the tunnel interface: select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask/prefix to assign to the interface, for example, 172.19.9.2/24.
     This IP address will be used to route traffic to the tunnel and to monitor the status of the tunnel.
  6. To save the interface configuration, click OK.
  In this example, the configuration for VPN Peer A is:
     Interface: tunnel.41
     Security Zone: vpn_tun
     Virtual Router: default
     IPv4: 2.1.1.141/24
  The configuration for VPN Peer B is:
     Interface: tunnel.42
     Security Zone: vpn_tun
     Virtual Router: default
     IPv4: 2.1.1.140/24

Step 5  Specify the interface to route traffic to a destination on the 192.168.x.x network.
  1. On VPN Peer A, select the virtual router.
  2. Select Static Routes, and Add tunnel.41 as the Interface for routing traffic with a Destination in the 192.168.x.x network.

Step 6  Set up the static route and the OSPF configuration on the virtual router and attach the OSPF areas with the appropriate interfaces on the firewall.
  1. On VPN Peer B, select Network > Virtual Routers, and select the default router or add a new router.
  2. Select Static Routes and Add the tunnel IP address as the next hop for traffic in the 172.168.x.x network.
     Assign the desired route metric; a lower value gives the route a higher priority for route selection in the forwarding table.
  3. Select OSPF (for IPv4) or OSPFv3 (for IPv6) and select Enable.
  4. In this example, the OSPF configuration for VPN Peer B is:
     Router ID: 192.168.100.140
     Area ID: 0.0.0.0, assigned to the interface Ethernet1/12 with Link type: Broadcast
     Area ID: 0.0.0.10, assigned to the interface Ethernet1/1 with Link Type: Broadcast
     Area ID: 0.0.0.20, assigned to the interface Ethernet1/15 with Link Type: Broadcast

Step 7  Create a redistribution profile to inject the static routes into the OSPF autonomous system.
  1. Create a redistribution profile on VPN Peer B.
     a. Select Network > Virtual Routers, and select the router you used above.
     b. Select Redistribution Profiles, and click Add.
     c. Enter a Name for the profile, select Redist and assign a Priority value. If you have configured multiple profiles, the profile with the lowest priority value is matched first.
     d. Set Source Type as static, and click OK. The static route defined in Step 6-2 will be used for the redistribution.
  2. Inject the static routes into the OSPF system.
     a. Select OSPF > Export Rules (for IPv4) or OSPFv3 > Export Rules (for IPv6).
     b. Click Add, and select the redistribution profile that you just created.
     c. Select how the external routes are brought into the OSPF system. The default option, Ext2, calculates the total cost of the route using only the external metrics. To use both internal and external OSPF metrics, use Ext1.
     d. Assign a Metric (cost value) for the routes injected into the OSPF system. This option allows you to change the metric for the injected route as it comes into the OSPF system.
     e. Click OK to save the changes.
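To see what the Ext1/Ext2 choice in item 2c changes for the routers that receive the redistributed prefix, here is an added example (not part of this guide and not PAN-OS code). It computes the cost of an external route the way RFC 2328 section 16.4 specifies: a type 1 (Ext1) external costs the internal path to the advertising router plus the external metric, while a type 2 (Ext2) external costs the external metric alone, with the internal path cost used only as a tie-breaker. The external metric is the Metric you assign in item 2d; the advertising-router names and cost values are constructed.

```python
"""Cost of redistributed (external) OSPF routes under Ext1 versus Ext2.

Added example, not PAN-OS code. Candidate paths are described as
(advertising ASBR, internal cost to reach it, external metric it advertises).
"""
from typing import Dict, List, Tuple

Candidate = Tuple[str, int, int]


def path_cost(route_type: str, internal_cost: int, external_metric: int) -> Tuple[int, int]:
    """Comparable cost tuple; the lower tuple wins (RFC 2328 section 16.4)."""
    if route_type == "ext1":
        # Type 1: internal and external costs are added together.
        return (internal_cost + external_metric, 0)
    if route_type == "ext2":
        # Type 2: external metric dominates; internal cost only breaks ties.
        return (external_metric, internal_cost)
    raise ValueError(f"unknown route type {route_type!r}")


def best_asbr(route_type: str, candidates: List[Candidate]) -> str:
    """Name of the ASBR whose advertisement gives the lowest cost for the prefix."""
    return min(candidates, key=lambda c: path_cost(route_type, c[1], c[2]))[0]


# Constructed scenario: two hub firewalls redistribute the same static prefix.
# hub-near is cheap to reach (10) but exports with metric 20; hub-far is far
# away (100) but exports with metric 15.
CANDIDATES: List[Candidate] = [
    ("hub-near", 10, 20),
    ("hub-far", 100, 15),
]


def compare_rule_types(candidates: List[Candidate] = CANDIDATES) -> Dict[str, str]:
    """Which ASBR an area router would prefer under each export rule type."""
    return {rt: best_asbr(rt, candidates) for rt in ("ext1", "ext2")}


if __name__ == "__main__":
    for rt, asbr in compare_rule_types().items():
        print(f"{rt}: routers prefer the path via {asbr}")
```

With Ext2 (the default) the distant hub wins because only the exported metric counts, so a branch may be steered across the slower path; Ext1 accounts for the intra-area distance and prefers the nearby hub. Choose Ext1 when several firewalls redistribute the same prefix and topology should matter.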

Step 8  Set up the IPSec Tunnel.
  1. Select Network > IPSec Tunnels.
  2. Click Add and configure the options in the General tab.
  In this example, the configuration for VPN Peer A is:
     Tunnel Interface: tunnel.41
     Type: Auto Key
     IKE Gateway: Select the IKE Gateway defined above.
     IPSec Crypto Profile: Select the IPSec Crypto profile defined in Step 2.
  The configuration for VPN Peer B is:
     Tunnel Interface: tunnel.40
     Type: Auto Key
     IKE Gateway: Select the IKE Gateway defined above.
     IPSec Crypto Profile: Select the IPSec Crypto profile defined in Step 2.
  3. Select Show Advanced Options, select Tunnel Monitor, and specify a Destination IP address to ping for verifying connectivity.
  4. To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.

Step 9  Create policies to allow traffic between the sites (subnets).
  1. Select Policies > Security.
  2. Create rules to allow traffic between the untrust and the vpn-tun zone and the vpn-tun and the untrust zone for traffic originating from specified source and destination IP addresses.

Step 10  Verify OSPF adjacencies and routes from the CLI.
  Verify that both firewalls can see each other as neighbors with Full status. Also confirm the IP address of the VPN peer's tunnel interface and the OSPF Router ID. Use the following CLI commands on each VPN peer:
     show routing protocol ospf neighbor
     show routing route
  The following is an example of the output on each VPN peer.

Step 11  Test VPN connectivity.
  See Set Up Tunnel Monitoring and View the Status of the Tunnels.

Large Scale VPN (LSVPN)

The GlobalProtect Large Scale VPN (LSVPN) feature on the Palo Alto Networks next-generation firewall simplifies the deployment of traditional hub and spoke VPNs, enabling you to quickly deploy enterprise networks with several branch offices with a minimum amount of configuration required on the remote satellites. This solution uses certificates for firewall authentication and IPSec to secure data.

LSVPN enables site-to-site VPNs between Palo Alto Networks firewalls. To set up a site-to-site VPN between a Palo Alto Networks firewall and another device, see VPNs.

The following topics describe the LSVPN components and how to set them up to enable site-to-site VPN services between Palo Alto Networks firewalls:
  LSVPN Overview
  Create Interfaces and Zones for the LSVPN
  Enable SSL Between GlobalProtect LSVPN Components
  Configure the Portal to Authenticate Satellites
  Configure GlobalProtect Gateways for LSVPN
  Configure the GlobalProtect Portal for LSVPN
  Prepare the Satellite to Join the LSVPN
  Verify the LSVPN Configuration
  LSVPN Quick Configs

LSVPN Overview

GlobalProtect provides a complete infrastructure for managing secure access to corporate resources from your remote sites. This infrastructure includes the following components:
  GlobalProtect Portal: Provides the management functions for your GlobalProtect LSVPN infrastructure. Every satellite that participates in the GlobalProtect LSVPN receives configuration information from the portal, including configuration information to enable the satellites (the spokes) to connect to the gateways (the hubs). You configure the portal on an interface on any Palo Alto Networks next-generation firewall.
  GlobalProtect Gateways: A Palo Alto Networks firewall that provides the tunnel endpoint for satellite connections. The resources that the satellites access are protected by security policy on the gateway. It is not required to have a separate portal and gateway; a single firewall can function both as portal and gateway.
  GlobalProtect Satellite: A Palo Alto Networks firewall at a remote site that establishes IPSec tunnels with the gateway(s) at your corporate office(s) for secure access to centralized resources. Configuration on the satellite firewall is minimal, enabling you to quickly and easily scale your VPN as you add new sites.
The following diagram illustrates how the GlobalProtect LSVPN components work together.

Create Interfaces and Zones for the LSVPN

You must configure the following interfaces and zones for your LSVPN infrastructure:
  GlobalProtect portal: Requires a Layer 3 interface for GlobalProtect satellites to connect to. If the portal and gateway are on the same firewall, they can use the same interface. The portal must be in a zone that is accessible from your branch offices.
  GlobalProtect gateways: Requires three interfaces: a Layer 3 interface in the zone that is reachable by the remote satellites, an internal interface in the trust zone that connects to the protected resources, and a logical tunnel interface for terminating the VPN tunnels from the satellites. Unlike other site-to-site VPN solutions, the GlobalProtect gateway only requires a single tunnel interface, which it will use for tunnel connections with all of your remote satellites (point-to-multipoint). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface.
  GlobalProtect satellites: Requires a single tunnel interface for establishing a VPN with the remote gateways (up to a maximum of 25 gateways). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface.
For more information about portals, gateways, and satellites see LSVPN Overview.

Set Up Interfaces and Zones for the GlobalProtect LSVPN

Step 1  Configure a Layer 3 interface.
The portal and each gateway and satellite all require a Layer 3 interface to enable traffic to be routed between sites.
If the gateway and portal are on the same firewall, you can use a single interface for both components.
IPv6 addresses are not supported with LSVPN.
  1. Select Network > Interfaces > Ethernet and then select the interface you want to configure for GlobalProtect LSVPN.
  2. Select Layer3 from the Interface Type drop-down.
  3. On the Config tab, select the Security Zone to which the interface belongs:
     - The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
     - If you have not yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone and then click OK.
  4. Select the Virtual Router to use.
  5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 203.0.11.100/24.
  6. To save the interface configuration, click OK.

Step 2  On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect satellites.
IP addresses are not required on the tunnel interface unless you plan to use dynamic routing. However, assigning an IP address to the tunnel interface can be useful for troubleshooting connectivity issues.
Make sure to enable User-ID in the zone where the VPN tunnels terminate.
  1. Select Network > Interfaces > Tunnel and click Add.
  2. In the Interface Name field, specify a numeric suffix, such as .2.
  3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
     - To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
     - (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example lsvpn-tun), select the Enable User Identification check box, and then click OK.
  4. Select the Virtual Router.
  5. (Optional) If you want to assign an IP address to the tunnel interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 203.0.11.33/24.
  6. To save the interface configuration, click OK.

Step 3  If you created a separate zone for tunnel termination of VPN connections, create a security policy to enable traffic flow between the VPN zone and your trust zone.
  For example, a policy rule enables traffic between the lsvpn-tun zone and the L3-Trust zone.

Step 4  Save the configuration.
  Click Commit.

Enable SSL Between GlobalProtect LSVPN Components

All interaction between the GlobalProtect components occurs over an SSL/TLS connection. Therefore, you must generate and/or install the required certificates before configuring each component so that you can reference the appropriate certificate(s) and/or certificate profiles in the configurations for each component. The following sections describe the supported methods of certificate deployment, give descriptions and best practice guidelines for the various GlobalProtect certificates, and provide instructions for generating and deploying the required certificates:
  About Certificate Deployment
  Deploy Server Certificates to the GlobalProtect LSVPN Components
  Deploy Client Certificates to the GlobalProtect Satellites Using SCEP

About Certificate Deployment

There are two basic approaches to deploying certificates for GlobalProtect LSVPN:
  Enterprise Certificate Authority: If you already have your own enterprise certificate authority, you can use this internal CA to issue an intermediate CA certificate for the GlobalProtect portal to enable it to issue certificates to the GlobalProtect gateways and satellites. You can also configure the GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to issue client certificates to GlobalProtect satellites.
  Self-Signed Certificates: You can generate a self-signed root CA certificate on the firewall and use it to issue server certificates for the portal, gateway(s), and satellite(s). As a best practice, create a self-signed root CA certificate on the portal and use it to issue server certificates for the gateways and satellites. This way, the private key used for certificate signing stays on the portal.

Deploy Server Certificates to the GlobalProtect LSVPN Components

The GlobalProtect LSVPN components use SSL/TLS to mutually authenticate. Before deploying the LSVPN, you must assign an SSL/TLS service profile to each portal and gateway. The profile specifies the server certificate and allowed TLS versions for communication with satellites. You don't need to create SSL/TLS service profiles for the satellites because the portal will issue a server certificate for each satellite during the first connection as part of the satellite registration process.

In addition, you must import the root certificate authority (CA) certificate used to issue the server certificates onto each firewall that you plan to host as a gateway or satellite. Finally, on each gateway and satellite participating in the LSVPN, you must configure a certificate profile that will enable them to establish an SSL/TLS connection using mutual authentication.

The following workflow shows the best practice steps for deploying SSL certificates to the GlobalProtect LSVPN components:

Deploy SSL Server Certificates to the GlobalProtect Components

Step 1  On the firewall hosting the GlobalProtect portal, create the root CA certificate for signing the certificates of the GlobalProtect components.
  Create a Self-Signed Root CA Certificate:
  1. Select Device > Certificate Management > Certificates > Device Certificates and click Generate.
  2. Enter a Certificate Name, such as LSVPN_CA.
  3. Do not select a value in the Signed By field (this is what indicates that it is self-signed).
  4. Select the Certificate Authority check box and then click OK to generate the certificate.

Step 2  Create SSL/TLS service profiles for the GlobalProtect portal and gateways.
For the portal and each gateway, you must assign an SSL/TLS service profile that references a unique self-signed server certificate.
The best practice is to issue all of the required certificates on the portal, so that the signing certificate (with the private key) doesn't have to be exported.
If the GlobalProtect portal and gateway are on the same firewall interface, you can use the same server certificate for both components.
  1. Use the root CA on the portal to Generate a Certificate for each gateway you will deploy:
     a. Select Device > Certificate Management > Certificates > Device Certificates and click Generate.
     b. Enter a Certificate Name.
     c. Enter the FQDN (recommended) or IP address of the interface where you plan to configure the gateway in the Common Name field.
     d. In the Signed By field, select the LSVPN_CA certificate you just created.
     e. In the Certificate Attributes section, click Add and define the attributes to uniquely identify the gateway. If you add a Host Name attribute (which populates the SAN field of the certificate), it must exactly match the value you defined for the Common Name.
     f. Generate the certificate.
  2. Configure an SSL/TLS Service Profile for the portal and each gateway:
     a. Select Device > Certificate Management > SSL/TLS Service Profile and click Add.
     b. Enter a Name to identify the profile and select the server Certificate you just created for the portal or gateway.
     c. Define the range of TLS versions (Min Version to Max Version) allowed for communicating with satellites and click OK.

Step 3  Deploy the self-signed server certificates to the gateways.
Best Practices:
  - Export the self-signed server certificates issued by the root CA from the portal and import them onto the gateways.
  - Be sure to issue a unique server certificate for each gateway.
  - The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate must match the IP address or fully qualified domain name (FQDN) of the interface where you configure the gateway.
  1. On the portal, select Device > Certificate Management > Certificates > Device Certificates, select the gateway certificate you want to deploy, and click Export.
  2. Select Encrypted Private Key and Certificate (PKCS12) from the File Format drop-down.
  3. Enter (and re-enter) a Passphrase to encrypt the private key associated with the certificate and then click OK to download the PKCS12 file to your computer.
  4. On the gateway, select Device > Certificate Management > Certificates > Device Certificates and click Import.
  5. Enter a Certificate Name.
  6. Enter the path and name to the Certificate File you just downloaded from the portal, or Browse to find the file.
  7. Select Encrypted Private Key and Certificate (PKCS12) as the File Format.
  8. Enter the path and name to the PKCS12 file in the Key File field or Browse to find it.
  9. Enter and re-enter the Passphrase you used to encrypt the private key when you exported it from the portal and then click OK to import the certificate and key.

Step 4  Import the root CA certificate used to issue server certificates for the LSVPN components.
You must import the root CA certificate onto all gateways and satellites. For security reasons, make sure you export the certificate only, and not the associated private key.
  1. Download the root CA certificate from the portal.
     a. Select Device > Certificate Management > Certificates > Device Certificates.
     b. Select the root CA certificate used to issue certificates for the LSVPN components and click Export.
     c. Select Base64 Encoded Certificate (PEM) from the File Format drop-down and click OK to download the certificate. (Do not export the private key.)
  2. On the firewalls hosting the gateways and satellites, import the root CA certificate.
     a. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
     b. Enter a Certificate Name that identifies the certificate as your client CA certificate.
     c. Browse to the Certificate File you downloaded from the CA.
     d. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
     e. Select the certificate you just imported on the Device Certificates tab to open it.
     f. Select Trusted Root CA and then click OK.
     g. Commit the changes.

Step 5 Create a certificate profile.
The GlobalProtect LSVPN portal and each gateway require a certificate profile that specifies which certificate to use to authenticate the satellites.
1. Select Device > Certificate Management > Certificate Profile, click Add, and enter a profile Name.
2. Make sure Username Field is set to None.
3. In the CA Certificates field, click Add and select the Trusted Root CA certificate you imported in Step 4.
4. (Optional, but recommended) Enable use of CRL and/or OCSP to enable certificate status verification. Without revocation checking, a satellite certificate that you revoke remains usable until it expires.
5. Click OK to save the profile.

Step 6 Save the configuration.
Click Commit.

Deploy Client Certificates to the GlobalProtect Satellites Using SCEP

As an alternative method for deploying client certificates to satellites, you can configure your GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to a SCEP server in your enterprise PKI. SCEP operation is dynamic in that the enterprise PKI generates a certificate when the portal requests it and sends the certificate to the portal.
When the satellite device requests a connection to the portal or gateway, it also includes its serial number with the connection request. The portal submits a CSR to the SCEP server using the settings in the SCEP profile and automatically includes the serial number of the device in the subject of the client certificate. After receiving the client certificate from the enterprise PKI, the portal transparently deploys the client certificate to the satellite device. The satellite device then presents the client certificate to the portal or gateway for authentication.

Deploy Client Certificates to the GlobalProtect Satellites Using SCEP

Step 1 Create a SCEP profile.
1. Select Device > Certificate Management > SCEP and then Add a new profile.
2. Enter a Name to identify the SCEP profile.
3. If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.

Step 2 (Optional) To make the SCEP-based certificate generation more secure, configure a SCEP challenge-response mechanism between the PKI and portal for each certificate request.
After you configure this mechanism, its operation is invisible, and no further input from you is necessary.
To comply with the U.S. Federal Information Processing Standard (FIPS), use a Dynamic SCEP challenge and specify a Server URL that uses HTTPS (see Step 7).
Select one of the following options:
• None (Default): The SCEP server does not challenge the portal before it issues a certificate.
• Fixed: Obtain the enrollment challenge password from the SCEP server (for example, http://10.200.101.1/CertSrv/mscep_admin/) in the PKI infrastructure and then copy or enter the password into the Password field.
• Dynamic: Enter the SCEP Server URL where the portal client submits these credentials (for example, http://10.200.101.1/CertSrv/mscep_admin/), and a username and OTP of your choice. The username and password can be the credentials of the PKI administrator.
With the Dynamic option the portal submits the username and OTP to this URL on every request, so use an https:// URL rather than the plain http:// form shown in the examples; otherwise the credentials cross the network in the clear.


Step 3 Specify the settings for the connection between the SCEP server and the portal to enable the portal to request and receive client certificates.
To identify the satellite, the portal automatically includes the device serial number in the CSR request to the SCEP server. Because the SCEP profile requires a value in the Subject field, you can leave the default $USERNAME token even though the value is not used in client certificates for LSVPN.
1. Configure the Server URL that the portal uses to reach the SCEP server in the PKI (for example, http://10.200.101.1/certsrv/mscep/).
2. Enter a string (up to 255 characters in length) in the CA-IDENT Name field to identify the SCEP server.
3. Select the Subject Alternative Name Type:
• RFC 822 Name: Enter the email name in a certificate's subject or Subject Alternative Name extension.
• DNS Name: Enter the DNS name used to evaluate certificates.
• Uniform Resource Identifier: Enter the name of the resource from which the client will obtain the certificate.
• None: Do not specify attributes for the certificate.

Step 4 (Optional) Configure cryptographic settings for the certificate.
Select the key length (Number of Bits) for the certificate. If the firewall is in FIPS-CC mode and the key generation algorithm is RSA, the RSA keys must be 2048 bits or larger.
Select the Digest for CSR, which indicates the digest algorithm for the certificate signing request (CSR): SHA1, SHA256, SHA384, or SHA512. Prefer SHA256 or stronger; SHA1 is deprecated for certificate signatures and many CAs no longer accept it.

Step 5 (Optional) Configure the permitted uses of the certificate, either for signing or encryption.
To use this certificate for signing, select the Use as digital signature check box. This sets the digital signature key usage, so the endpoint can use the private key to produce signatures that the peer validates with the public key in the certificate.
To use this certificate for encryption, select the Use for key encipherment check box. This enables the client to use the private key in the certificate to protect data exchanged over the HTTPS connection established with the certificates issued by the SCEP server.

Step 6 (Optional) To ensure that the portal is connecting to the correct SCEP server, enter the CA Certificate Fingerprint.
Obtain this fingerprint from the SCEP server interface in the Thumbprint field.
1. Browse to the URL for the SCEP server's administrative UI (for example, http://<hostname or IP>/CertSrv/mscep_admin/).
2. Copy the thumbprint and enter it in the CA Certificate Fingerprint field.

Step 7 Enable mutual SSL authentication between the SCEP server and the GlobalProtect portal.
This is required to comply with the U.S. Federal Information Processing Standard (FIPS). FIPS-CC operation is indicated on the firewall login page and in its status bar.
Select the SCEP server's root CA Certificate. Optionally, you can enable mutual SSL authentication between the SCEP server and the GlobalProtect portal by selecting a Client Certificate.

Step 8 Save and commit the configuration.
1. Click OK to save the settings and close the SCEP configuration.
2. Commit the configuration.
The portal attempts to request a CA certificate using the settings in the SCEP profile and saves it to the firewall hosting the portal. If successful, the CA certificate is shown in Device > Certificate Management > Certificates.


Step 9 (Optional) If, after saving the SCEP profile, the portal fails to obtain the certificate, you can manually generate a certificate signing request (CSR) from the portal.
1. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
2. Enter a Certificate Name. This name cannot contain spaces.
3. Select the SCEP Profile to use to submit a CSR to your enterprise PKI.
4. Click OK to submit the request and generate the certificate.

Configure the Portal to Authenticate Satellites

In order to register with the LSVPN, each satellite must establish an SSL/TLS connection with the portal. After establishing the connection, the portal authenticates the satellite to ensure that it is authorized to join the LSVPN. After successfully authenticating the satellite, the portal issues a certificate for the satellite and pushes the LSVPN configuration, which specifies the gateways to which the satellite can connect and the root CA certificate required to establish an SSL connection with the gateways.
There are two ways that the satellite can authenticate to the portal during its initial connection:
• Serial number: You can configure the portal with the serial numbers of the satellite firewalls that are authorized to join the LSVPN. During the initial satellite connection to the portal, the satellite presents its serial number to the portal and, if the portal has the serial number in its configuration, the satellite is successfully authenticated. You add the serial numbers of authorized satellites when you configure the portal. See Configure the Portal.
• Username and password: If you would rather provision your satellites without manually entering the serial numbers of the satellites into the portal configuration, you can instead require the satellite administrator to authenticate when establishing the initial connection to the portal. Although the portal always looks for the serial number in the initial request from the satellite, if it cannot identify the serial number, the satellite administrator must provide a username and password to authenticate to the portal. Because the portal always falls back to this form of authentication, you must create an authentication profile in order to commit the portal configuration. This means you must set up an authentication profile for the portal LSVPN configuration even if you plan to authenticate satellites using the serial number.

The following workflow describes how to set up the portal to authenticate satellites against an existing authentication service. GlobalProtect LSVPN supports authentication against a local database or against an external LDAP (including Active Directory), Kerberos, TACACS+, or RADIUS service.

Set Up Satellite Authentication

Step 1 (External authentication only) Create a server profile on the portal.
The server profile defines how the firewall connects to an external authentication service to validate the authentication credentials that the satellite administrator enters.
If you use local authentication, skip this step and instead add a local user for the satellite administrator: see Configure the user account.
Configure a server profile for the authentication service type:
• Configure a RADIUS Server Profile.
• Configure a TACACS+ Server Profile.
• Configure an LDAP Server Profile. If you use LDAP to connect to Active Directory (AD), create a separate LDAP server profile for every AD domain.
• Configure a Kerberos Server Profile.

Step 2 Configure an authentication profile.
The authentication profile defines which server profile to use to authenticate satellites.
1. Select Device > Authentication Profile and click Add.
2. Enter a Name for the profile and then select the authentication Type. If the Type is an external service, select the Server Profile you created in Step 1. If you added a local user instead, set the Type to Local Database.
3. Click OK and Commit.

Configure GlobalProtect Gateways for LSVPN

Because the GlobalProtect configuration that the portal delivers to the satellites includes the list of gateways the satellite can connect to, it is a good idea to configure the gateways before configuring the portal.
Prerequisite Tasks
Configure the Gateway

Prerequisite Tasks

Before you can configure the GlobalProtect gateway, you must complete the following tasks:
• Create Interfaces and Zones for the LSVPN on the interface where you will configure each gateway. You must configure both the physical interface and the virtual tunnel interface.
• Enable SSL Between GlobalProtect LSVPN Components by configuring the gateway server certificates, SSL/TLS service profiles, and certificate profile required to establish a mutual SSL/TLS connection from the GlobalProtect satellites to the gateway.

Configure the Gateway

After you have completed the Prerequisite Tasks, configure each GlobalProtect gateway to participate in the LSVPN as follows:

Configure the Gateway for LSVPN

Step 1 Add a gateway.
1. Select Network > GlobalProtect > Gateways and click Add.
2. In the General screen, enter a Name for the gateway. The gateway name should have no spaces and, as a best practice, should include the location or other descriptive information to help users and administrators identify the gateway.
3. (Optional) Select the virtual system to which this gateway belongs from the Location field.

Step 2 Specify the network information that enables satellite devices to connect to the gateway.
If you haven't created the network interface for the gateway, see Create Interfaces and Zones for the LSVPN for instructions.
1. Select the Interface that satellites will use for ingress access to the gateway.
2. Select the IP Address for gateway access.
3. Click OK to save changes.


Step 3 Specify how the gateway authenticates satellites attempting to establish tunnels.
If you haven't yet created an SSL/TLS Service profile for the gateway, see Deploy Server Certificates to the GlobalProtect LSVPN Components. If you haven't set up the authentication profiles, see Configure the Portal to Authenticate Satellites for instructions. If you have not yet set up the certificate profile, see Enable SSL Between GlobalProtect LSVPN Components for instructions.
On the GlobalProtect Gateway Configuration dialog, select Authentication and then configure any of the following:
• To secure communication between the gateway and the satellites, select the SSL/TLS Service Profile for the gateway.
• To specify the authentication profile to use to authenticate satellites, Add a Client Authentication. Then, enter a Name to identify the configuration, select OS: Satellite to apply the configuration to all satellites, and specify the Authentication Profile to use to authenticate the satellite. You can also select a Certificate Profile for the gateway to use to authenticate satellite devices attempting to establish tunnels.

Step 4 Configure the tunnel parameters and enable tunneling.
1. On the GlobalProtect Gateway Configuration dialog, select Satellite > Tunnel Settings.
2. Select the Tunnel Configuration check box to enable tunneling.
3. Select the Tunnel Interface you defined in Step 2 in Create Interfaces and Zones for the LSVPN.
4. (Optional) If you want to preserve the Type of Service (ToS) information in the encapsulated packets, select Copy TOS.
   If there are multiple sessions inside the tunnel (each with a different ToS value), copying the ToS header can cause the IPSec packets to arrive out of order.

Step 5 (Optional) Enable tunnel monitoring.
Tunnel monitoring enables a satellite to monitor its gateway tunnel connection, allowing it to fail over to a backup gateway if the connection fails. Failover to another gateway is the only type of tunnel monitoring profile supported with LSVPN.
1. Select the Tunnel Monitoring check box.
2. Specify the Destination IP address the satellites should use to determine if the gateway is active. Alternatively, if you configured an IP address for the tunnel interface, you can leave this field blank and the tunnel monitor will instead use the tunnel interface to determine if the connection is active.
3. Select Failover from the Tunnel Monitor Profile drop-down (this is the only supported tunnel monitor profile for LSVPN).

Step 6 Select the IPSec Crypto profile to use when establishing tunnel connections.
The profile specifies the type of IPSec encryption and the authentication method for securing the data that will traverse the tunnel. Because both tunnel endpoints in an LSVPN are trusted firewalls within your organization, you can typically use the default (predefined) profile, which uses ESP as the IPSec protocol, group2 for the DH group, AES-128-CBC for encryption, and SHA1 for authentication.
In the IPSec Crypto Profile drop-down, select default to use the predefined profile or select New IPSec Crypto Profile to define a new profile. For details on the authentication and encryption options, see Define IPSec Crypto Profiles.
Note that DH group 2 (1024-bit MODP) and SHA1 fall short of current cryptographic guidance. If your policy requires stronger parameters, define a new profile with a larger DH group and a SHA-2 hash, and select that same profile on every gateway the satellites can reach.


Step 7 Configure the network settings to assign to the satellites during establishment of the IPSec tunnel.
You can also configure the satellite to push the DNS settings to its local clients by configuring a DHCP server on the firewall hosting the satellite. In this configuration, the satellite will push DNS settings it learns from the gateway to the DHCP clients.
1. On the GlobalProtect Gateway Configuration dialog, select Satellite > Network Settings.
2. (Optional) If clients local to the satellite need to resolve FQDNs on the corporate network, configure the gateway to push DNS settings to the satellites in one of the following ways:
• If the gateway has an interface that is configured as a DHCP client, you can set the Inheritance Source to that interface and assign the same settings received by the DHCP client to GlobalProtect satellites. You can also inherit the DNS suffix from the same source.
• Manually define the Primary DNS, Secondary DNS, and DNS Suffix settings to push to the satellites.
3. To specify the IP Pool of addresses to assign to the tunnel interface on the satellites when the VPN is established, click Add and then specify the IP address range(s) to use.
4. To define what destination subnets to route through the tunnel, click Add in the Access Route area and then enter the routes as follows:
• If you want to route all traffic from the satellites through the tunnel, leave this field blank. Note that in this case, all traffic except traffic destined for the local subnet will be tunneled to the gateway.
• To route only some traffic through the gateway (called split tunneling), specify the destination subnets that must be tunneled. In this case, the satellite will route traffic that is not destined for a specified access route using its own routing table. For example, you may choose to only tunnel traffic destined for your corporate network, and use the local satellite to safely enable Internet access.
• If you want to enable routing between satellites, enter the summary route for the network protected by each satellite.

Step 8 (Optional) Define what routes, if any, the gateway will accept from satellites.
By default, the gateway will not add any routes satellites advertise to its routing table. If you do not want the gateway to accept routes from satellites, you do not need to complete this step.
1. To enable the gateway to accept routes advertised by satellites, select Satellite > Route Filter.
2. Select the Accept published routes check box.
3. To filter which of the routes advertised by the satellites to add to the gateway routing table, click Add and then define the subnets to include. For example, if all the satellites are configured with a subnet of the form 192.168.x.0/24 on the LAN side, configure a permitted route of 192.168.0.0/16 so that the gateway accepts a route from a satellite only if it falls within 192.168.0.0/16.
Without a filter, a misconfigured or compromised satellite can inject arbitrary prefixes into the gateway's routing table and draw traffic toward itself, so restrict accepted routes to the prefixes you expect the satellites to own.

Step 9 Save the gateway configuration.
1. Click OK to save the settings and close the GlobalProtect Gateway Configuration dialog.
2. Commit the configuration.

Configure the GlobalProtect Portal for LSVPN

The GlobalProtect portal provides the management functions for your GlobalProtect LSVPN. Every satellite system that participates in the LSVPN receives configuration information from the portal, including information about available gateways as well as the certificate it needs in order to connect to the gateways.
The following sections provide procedures for setting up the portal:
Prerequisite Tasks
Configure the Portal
Define the Satellite Configurations

Prerequisite Tasks

Before configuring the GlobalProtect portal, you must complete the following tasks:
• Create Interfaces and Zones for the LSVPN on the interface where you will configure the portal.
• Enable SSL Between GlobalProtect LSVPN Components by creating an SSL/TLS service profile for the portal server certificate, issuing gateway server certificates, and configuring the portal to issue certificates for the GlobalProtect satellites.
• Configure the Portal to Authenticate Satellites by defining the authentication profile that the portal will use to authenticate satellites if the serial number is not available.
• Configure GlobalProtect Gateways for LSVPN.

Configure the Portal

After you have completed the Prerequisite Tasks, configure the GlobalProtect portal as follows:

Configure the Portal for LSVPN

Step 1 Add the portal.
1. Select Network > GlobalProtect > Portals and click Add.
2. On the General tab, enter a Name for the portal. The portal name should not contain any spaces.
3. (Optional) Select the virtual system to which this portal belongs from the Location field.

Step 2 Specify the network information to enable satellites to connect to the portal.
If you haven't yet created the network interface for the portal, see Create Interfaces and Zones for the LSVPN for instructions.
1. Select the Interface that satellites will use for ingress access to the portal.
2. Select the IP Address for satellite access to the portal.


Step 3 Specify an SSL/TLS Service profile to use to enable the satellite to establish an SSL/TLS connection to the portal.
If you haven't yet created an SSL/TLS service profile for the portal and issued gateway certificates, see Deploy Server Certificates to the GlobalProtect LSVPN Components.
1. On the GlobalProtect Portal Configuration dialog, select Authentication.
2. Select the SSL/TLS Service Profile.

Step 4 Specify an authentication profile and optional certificate profile for authenticating satellites.
If the portal can't validate the serial numbers of connecting satellites, it will fall back to the authentication profile. Therefore, before you can save the portal configuration (by clicking OK), you must Configure an authentication profile.
Add a Client Authentication, and then enter a Name to identify the configuration, select OS: Satellite to apply the configuration to all satellites, and specify the Authentication Profile to use to authenticate satellite devices. You can also specify a Certificate Profile for the portal to use to authenticate satellite devices.

Step 5 Continue with defining the configurations to push to the satellites or, if you have already created the satellite configurations, save the portal configuration.
Click OK to save the portal configuration or continue to Define the Satellite Configurations.

Define the Satellite Configurations

When a GlobalProtect satellite connects and successfully authenticates to the GlobalProtect portal, the portal delivers a satellite configuration, which specifies what gateways the satellite can connect to. If all your satellites will use the same gateway and certificate configurations, you can create a single satellite configuration to deliver to all satellites upon successful authentication. However, if you require different satellite configurations (for example, if you want one group of satellites to connect to one gateway and another group of satellites to connect to a different gateway), you can create a separate satellite configuration for each. The portal will then use the enrollment username/group name or the serial number of the satellite to determine which satellite configuration to deploy. As with security rule evaluation, the portal looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the satellite.
For example, the following figure shows a network in which some branch offices require VPN access to the corporate applications protected by your perimeter firewalls and another site needs VPN access to the data center.

Use the following procedure to create one or more satellite configurations.

Create a GlobalProtect Satellite Configuration

Step 1 Add a satellite configuration.
The satellite configuration specifies the GlobalProtect LSVPN configuration settings to deploy to the connecting satellites. You must define at least one satellite configuration.
1. Select Network > GlobalProtect > Portals, select the portal configuration for which you want to add a satellite configuration, and then select the Satellite tab.
2. In the Satellite section, click Add.
3. Enter a Name for the configuration. If you plan to create multiple configurations, make sure the name you define for each is descriptive enough to allow you to distinguish them.
4. To change how often a satellite should check the portal for configuration updates, specify a value in the Configuration Refresh Interval (hours) field (range is 1-48; default is 24).

Step 2 Specify the satellites to which to deploy this configuration.
The portal uses the Enrollment User/User Group settings and/or Devices serial numbers to match a satellite to a configuration. Therefore, if you have multiple configurations, be sure to order them properly. As soon as the portal finds a match, it will deliver the configuration. Therefore, more specific configurations must precede more general ones. See Step 5 for instructions on ordering the list of satellite configurations.
Specify the match criteria for the satellite configuration as follows:
• To restrict this configuration to satellites with specific serial numbers, select the Devices tab, click Add, and enter the serial number (you do not need to enter the satellite hostname; it will be automatically added when the satellite connects). Repeat this step for each satellite you want to receive this configuration.
• Select the Enrollment User/User Group tab, click Add, and then select the user or group you want to receive this configuration. Satellites that do not match on serial number will be required to authenticate as a user specified here (either an individual user or group member).
Before you can restrict the configuration to specific groups, you must Map Users to Groups.


Step 3 Specify the gateways that satellites with this configuration can establish VPN tunnels with.
Routes published by the gateway are installed on the satellite as static routes. The metric for the static route is 10 times the routing priority. If you have more than one gateway, make sure to also set the routing priority to ensure that routes advertised by backup gateways have higher metrics compared to the same routes advertised by primary gateways. For example, if you set the routing priority for the primary gateway and backup gateway to 1 and 10 respectively, the satellite will use 10 as the metric for the primary gateway and 100 as the metric for the backup gateway.
1. On the Gateways tab, click Add.
2. Enter a descriptive Name for the gateway. The name you enter here should match the name you defined when you configured the gateway and should be descriptive enough to identify the location of the gateway.
3. Enter the FQDN or IP address of the interface where the gateway is configured in the Gateways field. The address you specify must exactly match the Common Name (CN) in the gateway server certificate.
4. (Optional) If you are adding two or more gateways to the configuration, the Routing Priority helps the satellite pick the preferred gateway. Enter a value in the range of 1-25, with lower numbers having the higher priority (that is, the gateway the satellite will connect to if all gateways are available). The satellite will multiply the routing priority by 10 to determine the routing metric.

Step 4 Save the satellite configuration.
1. Click OK to save the satellite configuration.
2. If you want to add another satellite configuration, repeat Step 1 through Step 4.

Step 5 Arrange the satellite configurations so that the proper configuration is deployed to each satellite.
• To move a satellite configuration up on the list of configurations, select the configuration and click Move Up.
• To move a satellite configuration down on the list of configurations, select the configuration and click Move Down.


Step 6 Specify the certificates required to enable satellites to participate in the LSVPN.
1. In the Trusted Root CA field, click Add and then select the CA certificate used to issue the gateway server certificates. The portal will deploy the root CA certificate you add here to all satellites as part of the configuration to enable the satellite to establish an SSL connection with the gateways. As a best practice, all of your gateways should use the same issuer.
2. Select the method of Client Certificate distribution:
• To store the client certificates on the portal, select Local and, from the Issuing Certificate drop-down, select the root CA certificate that the portal will use to issue client certificates to satellites upon successfully authenticating them.
  If the root CA certificate used to issue your gateway server certificates is not on the portal, you can Import it now. See Enable SSL Between GlobalProtect LSVPN Components for details on how to import a root CA certificate.
• To enable the portal to act as a SCEP client to dynamically request and issue client certificates, select SCEP and then select the SCEP profile used to generate CSRs to your SCEP server.
  If you have not yet set up the portal to act as a SCEP client, you can add a New SCEP profile now. See Deploy Client Certificates to the GlobalProtect Satellites Using SCEP for details.

Step 7 Save the portal configuration.
1. Click OK to save the settings and close the GlobalProtect Portal Configuration dialog.
2. Commit your changes.
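The following Python model, added here as an illustration and not PAN-OS code, puts together the admission flow from Configure the Portal to Authenticate Satellites and the top-down configuration matching from Define the Satellite Configurations: the serial number is checked first, the authentication profile is the fallback, and the ordered satellite list is scanned until the first match. The serial numbers, account names, group names, the local user database and the configuration list are constructed for the example; a real portal reads them from its committed configuration and from User-ID group mapping.

```python
"""Added example (not PAN-OS code): how the portal admits a satellite and
chooses which satellite configuration to push. Every identifier below is a
constructed stand-in for data the portal would hold in its configuration."""

from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class SatelliteConfig:
    name: str
    # "Devices" tab: serial numbers that select this configuration
    serials: FrozenSet[str] = frozenset()
    # "Enrollment User/User Group" tab: users and groups that select it
    users: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()


# Constructed stand-in for the authentication profile's local database.
LOCAL_USERS = {"dc-admin": "example-password-1", "branch-admin": "example-password-2"}
# Constructed stand-in for User-ID group mapping (user -> groups).
GROUP_MAP = {"dc-admin": {"cn=vpn-admins"}, "branch-admin": {"cn=vpn-admins"}}

# Ordered like the portal's Satellite list: the specific configuration
# (one serial, one named user) precedes the general group-based one.
CONFIGS = (
    SatelliteConfig("dc-site", serials=frozenset({"001606000001"}),
                    users=frozenset({"dc-admin"})),
    SatelliteConfig("branch-offices", groups=frozenset({"cn=vpn-admins"})),
)


def authenticate(username: str, password: str) -> bool:
    """Stand-in for the authentication profile (a local database here)."""
    return LOCAL_USERS.get(username) == password


def portal_connect(configs, serial, credentials=None):
    """Return (configuration name, match type) for a connecting satellite.

    The portal always looks at the serial number first. Only when no
    configuration lists that serial does it fall back to the authentication
    profile, which is why that profile must exist even in serial-only
    deployments. Both passes scan the ordered list top-down and stop at the
    first match, as with security rule evaluation."""
    for cfg in configs:
        if serial in cfg.serials:
            return cfg.name, "serial"
    if credentials is None:
        # On the satellite this shows up as the "enter credentials" link
        # under Network > IPSec Tunnels > Gateway Info.
        raise PermissionError("serial number not in portal config; credentials required")
    username, password = credentials
    if not authenticate(username, password):
        raise PermissionError("authentication failed")
    user_groups = GROUP_MAP.get(username, set())
    for cfg in configs:
        if username in cfg.users or user_groups & cfg.groups:
            return cfg.name, "user"
    raise PermissionError("authenticated, but no satellite configuration matches")
```

Reversing CONFIGS shows the ordering pitfall from Step 2: dc-admin is also a member of cn=vpn-admins, so with the general group-based configuration on top the data-center satellite would receive the branch-office gateway list.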

Prepare the Satellite to Join the LSVPN

To participate in the LSVPN, the satellites require a minimal amount of configuration. Because the required configuration is minimal, you can preconfigure the satellites before shipping them to your branch offices for installation.

Prepare the Satellite to Join the GlobalProtect LSVPN

Step 1 Configure a Layer 3 interface.
This is the physical interface the satellite will use to connect to the portal and the gateway. This interface must be in a zone that allows access outside of the local trust network. As a best practice, create a dedicated zone for VPN connections for visibility and control over traffic destined for the corporate gateways.

Step 2 Configure the logical tunnel interface for the tunnel to use to establish VPN tunnels with the GlobalProtect gateways.
IP addresses are not required on the tunnel interface unless you plan to use dynamic routing. However, assigning an IP address to the tunnel interface can be useful for troubleshooting connectivity issues.
1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, such as .2.
3. On the Config tab, expand the Security Zone drop-down and select an existing zone or create a separate zone for VPN tunnel traffic by clicking New Zone and defining a Name for the new zone (for example, lsvpn-sat).
4. In the Virtual Router drop-down, select default.
5. (Optional) If you want to assign an IP address to the tunnel interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 2.2.2.11/24.
6. To save the interface configuration, click OK.

Step 3 If you generated the portal server certificate using a root CA that is not trusted by the satellites (for example, if you used self-signed certificates), import the root CA certificate used to issue the portal server certificate.
The root CA certificate is required to enable the satellite to establish the initial connection with the portal to obtain the LSVPN configuration.
1. Download the CA certificate that was used to generate the portal server certificates. If you are using self-signed certificates, export the root CA certificate from the portal as follows:
   a. Select Device > Certificate Management > Certificates > Device Certificates.
   b. Select the CA certificate and click Export.
   c. Select Base64 Encoded Certificate (PEM) from the File Format drop-down and click OK to download the certificate. (You do not need to export the private key.)
2. Import the root CA certificate you just exported onto each satellite as follows:
   a. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
   b. Enter a Certificate Name that identifies the certificate as your client CA certificate.
   c. Browse to the Certificate File you downloaded from the CA.
   d. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
   e. Select the certificate you just imported on the Device Certificates tab to open it.
   f. Select Trusted Root CA and then click OK.


Step 4 Configure the IPSec tunnel configuration.
1. Select Network > IPSec Tunnels and click Add.
2. On the General tab, enter a descriptive Name for the IPSec configuration.
3. Select the Tunnel Interface you created for the satellite.
4. Select GlobalProtect Satellite as the Type.
5. Enter the IP address or FQDN of the portal as the Portal Address.
6. Select the Layer 3 Interface you configured for the satellite.
7. Select the Local IP Address to use on the selected interface.

Step 5 (Optional) Configure the satellite to publish local routes to the gateway.
Pushing routes to the gateway enables traffic to the subnets local to the satellite via the gateway. However, you must also configure the gateway to accept the routes as detailed in Step 8 in Configure the Gateway.
1. To enable the satellite to push routes to the gateway, on the Advanced tab select Publish all static and connected routes to Gateway.
If you select this check box, the firewall will forward all static and connected routes from the satellite to the gateway. However, to prevent the creation of routing loops, the firewall will apply some route filters, such as the following:
• Default routes
• Routes within a virtual router other than the virtual router associated with the tunnel interface
• Routes using the tunnel interface
• Routes using the physical interface associated with the tunnel interface
2. (Optional) If you only want to push routes for specific subnets rather than all routes, click Add in the Subnet section and specify which subnet routes to publish.
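The following Python model, added here as an illustration and not PAN-OS code, traces the LSVPN route exchange from both ends: the loop-prevention filters and optional Subnet list the satellite applies in Step 5 above, the Route Filter the gateway applies in Step 8 of Configure the Gateway, and the static routes the satellite installs for each gateway's access routes with a metric of 10 times the routing priority (Step 3 of Create a GlobalProtect Satellite Configuration). The satellite routing table, interface names and prefixes are constructed for the example.

```python
"""Added example (not PAN-OS code): satellite route publication, the gateway
route filter, and the satellite's installed gateway routes. The routing
table and interface names below are constructed for this illustration."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str        # destination prefix, e.g. "192.168.1.0/24"
    interface: str     # egress interface on the satellite
    vr: str = "default"


# Constructed satellite routing table: WAN on ethernet1/1, tunnel on tunnel.2.
SATELLITE_ROUTES = (
    Route("0.0.0.0/0", "ethernet1/1"),                 # default route
    Route("203.0.113.0/24", "ethernet1/1"),            # connected WAN subnet
    Route("192.168.1.0/24", "ethernet1/2"),            # branch LAN
    Route("192.168.2.0/24", "ethernet1/3"),            # branch LAN
    Route("10.50.0.0/16", "ethernet1/2"),              # static route outside 192.168/16
    Route("172.16.0.0/12", "tunnel.2"),                # already points into the tunnel
    Route("10.9.0.0/16", "ethernet1/4", vr="guest"),   # lives in another virtual router
)


def published_routes(routes, tunnel_if, phys_if, tunnel_vr="default", subnets=()):
    """Satellite side: drop default routes, routes in other virtual routers,
    and routes via the tunnel or its physical interface; then, if a Subnet
    list is configured, publish only prefixes contained in it."""
    allowed = [ipaddress.ip_network(s) for s in subnets]
    out = []
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if net.prefixlen == 0:                       # default route
            continue
        if r.vr != tunnel_vr:                        # other virtual router
            continue
        if r.interface in (tunnel_if, phys_if):      # tunnel or underlying physical
            continue
        if allowed and not any(net.subnet_of(a) for a in allowed):
            continue
        out.append(net)
    return out


def accepted_routes(published, accept_published, permitted=()):
    """Gateway side (Satellite > Route Filter): nothing is installed unless
    Accept published routes is set; with a filter, only prefixes contained in
    a permitted subnet (for example 192.168.0.0/16) are installed."""
    if not accept_published:
        return []
    perm = [ipaddress.ip_network(p) for p in permitted]
    if not perm:
        return list(published)
    return [n for n in published if any(n.subnet_of(p) for p in perm)]


def satellite_static_routes(gateways, access_routes):
    """Satellite side: install every gateway's access routes as static routes
    with metric = 10 x routing priority (priority 1-25, lower preferred).
    An empty Access Route list means 'tunnel everything', modeled here as a
    default route via the gateway."""
    prefixes = list(access_routes) or ["0.0.0.0/0"]
    table = []
    for gw_name, priority in gateways:
        if not 1 <= priority <= 25:
            raise ValueError("routing priority must be in the range 1-25")
        for p in prefixes:
            table.append((str(ipaddress.ip_network(p)), gw_name, priority * 10))
    # Per prefix, lowest metric first, which is the route the satellite uses.
    return sorted(table, key=lambda t: (t[0], t[2]))
```

Running published_routes over SATELLITE_ROUTES leaves the two branch LANs and 10.50.0.0/16; the gateway filter of 192.168.0.0/16 then strips 10.50.0.0/16, which is the same effect the permitted-route example in Step 8 of Configure the Gateway describes. With a primary gateway at priority 1 and a backup at priority 10, the satellite carries the same prefix at metrics 10 and 100.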

Step 6 Save the satellite configuration.
1. Click OK to save the IPSec tunnel settings.
2. Click Commit.

Step 7 If required, provide the credentials to allow the satellite to authenticate to the portal.
This step is only required if the portal was unable to find a serial number match in its configuration or if the serial number didn't work. In this case, the satellite will not be able to establish the tunnel with the gateway(s).
1. Select Network > IPSec Tunnels and click the Gateway Info link in the Status column of the tunnel configuration you created for the LSVPN.
2. Click the enter credentials link in the Portal Status field and enter the username and password required to authenticate the satellite to the portal.
After the satellite successfully authenticates to the portal, it will receive its signed certificate and configuration, which it will use to connect to the gateway(s). You should see the tunnel establish and the Status change to Active.

Verify the LSVPN Configuration

Afterconfiguringtheportal,gateways,andsatellites,verifythatthesatellitesareabletoconnecttothe
portalandgatewayandestablishVPNtunnelswiththegateway(s).

Verify the LSVPN Configuration

Step 1  Verify satellite connectivity with the portal.
        From the firewall hosting the portal, verify that satellites are successfully connecting by selecting Network > GlobalProtect > Portal and clicking Satellite Info in the Info column of the portal configuration entry.

Step 2  Verify satellite connectivity with the gateway(s).
        On each firewall hosting a gateway, verify that satellites are able to establish VPN tunnels by selecting Network > GlobalProtect > Gateways and clicking Satellite Info in the Info column of the gateway configuration entry. Satellites that have successfully established tunnels with the gateway will display on the Active Satellites tab.

Step 3  Verify LSVPN tunnel status on the satellite.
        On each firewall hosting a satellite, verify the tunnel status by selecting Network > IPSec Tunnels and verifying active Status as indicated by a green icon.


LSVPN Quick Configs

The following sections provide step-by-step instructions for configuring some common GlobalProtect LSVPN deployments:
- Basic LSVPN Configuration with Static Routing
- Advanced LSVPN Configuration with Dynamic Routing


Basic LSVPN Configuration with Static Routing

This quick config shows the fastest way to get up and running with LSVPN. In this example, a single firewall at the corporate headquarters site is configured as both a portal and a gateway. Satellites can be quickly and easily deployed with minimal configuration for optimized scalability.

The following workflow shows the steps for setting up this basic configuration:

Quick Config: Basic LSVPN with Static Routing

Step 1  Configure a Layer 3 interface.
        In this example, the Layer 3 interface on the portal/gateway requires the following configuration:
        - Interface: ethernet1/11
        - Security Zone: lsvpnunt
        - IPv4: 203.0.113.11/24

Step 2  On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect satellites.
        To enable visibility into users and groups connecting over the VPN, enable User-ID in the zone where the VPN tunnels terminate.
        In this example, the Tunnel interface on the portal/gateway requires the following configuration:
        - Interface: tunnel.1
        - Security Zone: lsvpntun

Step 3  Create the security policy rule to enable traffic flow between the VPN zone where the tunnel terminates (lsvpntun) and the trust zone where the corporate applications reside (L3Trust).


Step 4  Assign an SSL/TLS Service profile to the portal/gateway. The profile must reference a self-signed server certificate. The certificate subject name must match the FQDN or IP address of the Layer 3 interface you create for the portal/gateway.
        1. On the firewall hosting the GlobalProtect portal, create the root CA certificate for signing the certificates of the GlobalProtect components. In this example, the root CA certificate, lsvpn-CA, will be used to issue the server certificate for the portal/gateway. In addition, the portal will use this root CA certificate to sign the CSRs from the satellites.
        2. Create SSL/TLS service profiles for the GlobalProtect portal and gateways.
           Because the portal and gateway are on the same interface in this example, they can share an SSL/TLS Service profile that uses the same server certificate. In this example, the profile is named lsvpnserver.

Step 5  Create a certificate profile.
        In this example, the certificate profile lsvpn-profile references the root CA certificate lsvpn-CA. The gateway will use this certificate profile to authenticate satellites attempting to establish VPN tunnels.

Step 6  Configure an authentication profile for the portal to use if the satellite serial number is not available.
        1. Create one type of server profile on the portal:
           - Configure a RADIUS Server Profile.
           - Configure a TACACS+ Server Profile.
           - Configure an LDAP Server Profile. If you use LDAP to connect to Active Directory (AD), create a separate LDAP server profile for every AD domain.
           - Configure a Kerberos Server Profile.
        2. Configure an authentication profile. In this example, the profile lsvpn-sat is used to authenticate satellites.

Step 7  Configure the Gateway for LSVPN.
        Select Network > GlobalProtect > Gateways and Add a configuration. This example requires the following gateway configuration:
        - Interface: ethernet1/11
        - IP Address: 203.0.113.11/24
        - SSL/TLS Server Profile: lsvpnserver
        - Certificate Profile: lsvpn-profile
        - Tunnel Interface: tunnel.1
        - Primary DNS/Secondary DNS: 4.2.2.1/4.2.2.2
        - IP Pool: 2.2.2.111-2.2.2.120
        - Access Route: 10.2.10.0/24

Step 8  Configure the Portal for LSVPN.
        Select Network > GlobalProtect > Portal and Add a configuration. This example requires the following portal configuration:
        - Interface: ethernet1/11
        - IP Address: 203.0.113.11/24
        - SSL/TLS Server Profile: lsvpnserver
        - Authentication Profile: lsvpn-sat


Step 9  Create a GlobalProtect Satellite Configuration.
        On the Satellite tab in the portal configuration, Add a Satellite configuration and a Trusted Root CA and specify the CA the portal will use to issue certificates for the satellites. In this example the required settings are as follows:
        - Gateway: 203.0.113.11
        - Issuing Certificate: lsvpn-CA
        - Trusted Root CA: lsvpn-CA

Step 10 Prepare the Satellite to Join the LSVPN.
        The satellite configuration in this example requires the following settings:
        Interface Configuration
        - Layer 3 interface: ethernet1/1, 203.0.113.13/24
        - Tunnel interface: tunnel.2
        - Zone: lsvpn-sat
        Root CA Certificate from Portal
        - lsvpn-CA
        IPSec Tunnel Configuration
        - Tunnel Interface: tunnel.2
        - Portal Address: 203.0.113.11
        - Interface: ethernet1/1
        - Local IP Address: 203.0.113.13/24
        - Publish all static and connected routes to Gateway: enabled


Advanced LSVPN Configuration with Dynamic Routing

In larger LSVPN deployments with multiple gateways and many satellites, investing a little more time in the initial configuration to set up dynamic routing will simplify the maintenance of gateway configurations because access routes will update dynamically. The following example configuration shows how to extend the basic LSVPN configuration to configure OSPF as the dynamic routing protocol.
Setting up an LSVPN to use OSPF for dynamic routing requires the following additional steps on the gateways and the satellites:
- Manual assignment of IP addresses to tunnel interfaces on all gateways and satellites.
- Configuration of OSPF point-to-multipoint (P2MP) on the virtual router on all gateways and satellites. In addition, as part of the OSPF configuration on each gateway, you must manually define the tunnel IP address of each satellite as an OSPF neighbor. Similarly, on each satellite, you must manually define the tunnel IP address of each gateway as an OSPF neighbor.
Although dynamic routing requires additional setup during the initial configuration of the LSVPN, it reduces the maintenance tasks associated with keeping routes up to date as topology changes occur on your network.
The following figure shows an LSVPN dynamic routing configuration. This example shows how to configure OSPF as the dynamic routing protocol for the VPN.

For a basic setup of an LSVPN, follow the steps in Basic LSVPN Configuration with Static Routing. You can then complete the steps in the following workflow to extend the configuration to use dynamic routing rather than static routing.


Quick Config: LSVPN with Dynamic Routing

Step 1  Add an IP address to the tunnel interface configuration on each gateway and each satellite.
        Complete the following steps on each gateway and each satellite:
        1. Select Network > Interfaces > Tunnel and select the tunnel configuration you created for the LSVPN to open the Tunnel Interface dialog.
           If you have not yet created the tunnel interface, see Step 2 in Quick Config: Basic LSVPN with Static Routing.
        2. On the IPv4 tab, click Add and then enter an IP address and subnet mask. For example, to add an IP address for the gateway tunnel interface you would enter 2.2.2.100/24.
        3. Click OK to save the configuration.

Step 2  Configure the dynamic routing protocol on the gateway.
        To configure OSPF on the gateway:
        1. Select Network > Virtual Routers and select the virtual router associated with your VPN interfaces.
        2. On the Areas tab, click Add to create the backbone area, or, if it is already configured, click on the area ID to edit it.
        3. If you are creating a new area, enter an Area ID on the Type tab.
        4. On the Interface tab, click Add and select the tunnel Interface you created for the LSVPN.
        5. Select p2mp as the Link Type.
        6. Click Add in the Neighbors section and enter the IP address of the tunnel interface of each satellite, for example 2.2.2.111.
        7. Click OK twice to save the virtual router configuration and then Commit the changes on the gateway.
        8. Repeat this step each time you add a new satellite to the LSVPN.

Step 3  Configure the dynamic routing protocol on the satellite.
        To configure OSPF on the satellite:
        1. Select Network > Virtual Routers and select the virtual router associated with your VPN interfaces.
        2. On the Areas tab, click Add to create the backbone area, or, if it is already configured, click on the area ID to edit it.
        3. If you are creating a new area, enter an Area ID on the Type tab.
        4. On the Interface tab, click Add and select the tunnel Interface you created for the LSVPN.
        5. Select p2mp as the Link Type.
        6. Click Add in the Neighbors section and enter the IP address of the tunnel interface of each GlobalProtect gateway, for example 2.2.2.100.
        7. Click OK twice to save the virtual router configuration and then Commit the changes on the satellite.
        8. Repeat this step each time you add a new gateway.


Step 4  Verify that the gateways and satellites are able to form router adjacencies.
        On each satellite and each gateway, confirm that peer adjacencies have formed and that routing table entries have been created for the peers (that is, the satellites have routes to the gateways and the gateways have routes to the satellites). Select Network > Virtual Router and click the More Runtime Stats link for the virtual router you are using for the LSVPN. On the Routing tab, verify that the LSVPN peer has a route.
        - On the OSPF > Interface tab, verify that the Type is p2mp.
        - On the OSPF > Neighbor tab, verify that the firewalls hosting your gateways have established router adjacencies with the firewalls hosting your satellites and vice versa. Also verify that the Status is Full, indicating that full adjacencies have been established.

Networking

All Palo Alto Networks next-generation firewalls provide a flexible networking architecture that includes support for dynamic routing, switching, and VPN connectivity, and enables you to deploy the firewall into nearly any networking environment. When configuring the Ethernet ports on your firewall, you can choose from virtual wire, Layer 2, or Layer 3 interface deployments. In addition, to allow you to integrate into a variety of network segments, you can configure different types of interfaces on different ports. The Interface Deployments section provides basic information on each type of deployment. For more detailed deployment information, refer to Designing Networks with Palo Alto Networks Firewalls.
The following topics describe networking concepts and how to integrate Palo Alto Networks next-generation firewalls into your network.
- Interface Deployments
- Configure an Aggregate Interface Group
- Use Interface Management Profiles to Restrict Access
- Virtual Routers
- Static Routes
- RIP
- OSPF
- BGP
- Session Settings and Timeouts
- DHCP
- NAT
- NPTv6
- ECMP
- LLDP
- BFD
For information on route distribution, refer to Understanding Route Redistribution and Filtering.


Interface Deployments

A Palo Alto Networks firewall can operate in multiple deployments at once because the deployments occur at the interface level. The following sections describe the supported deployments.
- Virtual Wire Deployments
- Layer 2 Deployments
- Layer 3 Deployments
- Tap Mode Deployments

Virtual Wire Deployments

In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two ports together and should be used only when no switching or routing is needed.
A virtual wire deployment allows the following conveniences:
- Simplifies installation and configuration.
- Does not require any configuration changes to surrounding or adjacent network devices.
The virtual wire deployment shipped as the factory default configuration (default-vwire) binds together Ethernet ports 1 and 2 and allows all untagged traffic. You can, however, use a virtual wire to connect any two ports and configure it to block or allow traffic based on the virtual LAN (VLAN) tags; the VLAN tag 0 indicates untagged traffic. You can also create multiple subinterfaces, add them into different zones and then classify traffic according to a VLAN tag, or a combination of a VLAN tag with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet.

Figure: Virtual Wire Deployment

Virtual Wire Subinterfaces

Virtual wire subinterfaces provide flexibility in enforcing distinct policies when you need to manage traffic from multiple customer networks. They allow you to separate and classify traffic into different zones (the zones can belong to separate virtual systems, if required) using the following criteria:
- VLAN tags: The example in Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only) shows an Internet Service Provider (ISP) using virtual wire subinterfaces with VLAN tags to separate traffic for two different customers.


- VLAN tags in conjunction with IP classifiers (address, range, or subnet): The following example shows an ISP with two separate virtual systems on a firewall that manages traffic from two different customers. On each virtual system, the example illustrates how virtual wire subinterfaces with VLAN tags and IP classifiers are used to classify traffic into separate zones and apply relevant policy for customers from each network.

Virtual Wire Subinterface Workflow

Step 1  Configure two Ethernet interfaces as type virtual wire, and assign these interfaces to a virtual wire.

Step 2  Create subinterfaces on the parent Virtual Wire to separate Customer A and Customer B traffic. Make sure that the VLAN tags defined on each pair of subinterfaces that are configured as virtual wire(s) are identical. This is essential because a virtual wire does not switch VLAN tags.

Step 3  Create new subinterfaces and define IP classifiers. This task is optional and only required if you wish to add additional subinterfaces with IP classifiers for further managing traffic from a customer based on the combination of VLAN tags and a specific source IP address, range or subnet.
        You can also use IP classifiers for managing untagged traffic. To do so, you must create a subinterface with the VLAN tag 0, and define subinterface(s) with IP classifiers for managing untagged traffic using IP classifiers.

        IP classification may only be used on the subinterfaces associated with one side of the virtual wire. The subinterfaces defined on the corresponding side of the virtual wire must use the same VLAN tag, but must not include an IP classifier.

Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only)

Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only) depicts Customer A and Customer B connected to the firewall through one physical interface, ethernet1/1, configured as a Virtual Wire; it is the ingress interface. A second physical interface, ethernet1/2, is also part of the Virtual Wire; it is the egress interface that provides access to the Internet. For Customer A, you also have subinterfaces ethernet1/1.1 (ingress) and ethernet1/2.1 (egress). For Customer B, you have the subinterface ethernet1/1.2 (ingress) and ethernet1/2.2 (egress). When configuring the subinterfaces, you must assign the appropriate VLAN tag and zone in order to apply policies for each customer. In this example, the policies for Customer A are created between Zone1 and Zone2, and policies for Customer B are created between Zone3 and Zone4.
When traffic enters the firewall from Customer A or Customer B, the VLAN tag on the incoming packet is first matched against the VLAN tag defined on the ingress subinterfaces. In this example, a single subinterface matches the VLAN tag on the incoming packet, hence that subinterface is selected. The policies defined for the zone are evaluated and applied before the packet exits from the corresponding subinterface.

The same VLAN tag must not be defined on the parent virtual wire interface and the subinterface. Verify that the VLAN tags defined on the Tag Allowed list of the parent virtual wire interface (Network > Virtual Wires) are not included on a subinterface.


Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers) depicts Customer A and Customer B connected to one physical firewall that has two virtual systems (vsys), in addition to the default virtual system (vsys1). Each virtual system is an independent virtual firewall that is managed separately for each customer. Each vsys has attached interfaces/subinterfaces and security zones that are managed independently.

Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers)

Vsys1 is set up to use the physical interfaces ethernet1/1 and ethernet1/2 as a virtual wire; ethernet1/1 is the ingress interface and ethernet1/2 is the egress interface that provides access to the Internet. This virtual wire is configured to accept all tagged and untagged traffic with the exception of VLAN tags 100 and 200 that are assigned to the subinterfaces.
Customer A is managed on vsys2 and Customer B is managed on vsys3. On vsys2 and vsys3, the following vwire subinterfaces are created with the appropriate VLAN tags and zones to enforce policy measures.

Customer  Vsys  Vwire Subinterfaces  Zone    VLAN Tag  IP Classifier
A         2     e1/1.1 (ingress)     Zone3   100       None
                e1/2.1 (egress)      Zone4   100
          2     e1/1.2 (ingress)     Zone5   100       IP subnet 192.1.0.0/16
                e1/2.2 (egress)      Zone6   100
          2     e1/1.3 (ingress)     Zone7   100       IP subnet 192.2.0.0/16
                e1/2.3 (egress)      Zone8   100
B         3     e1/1.4 (ingress)     Zone9   200       None
                e1/2.4 (egress)      Zone10  200

When traffic enters the firewall from Customer A or Customer B, the VLAN tag on the incoming packet is first matched against the VLAN tag defined on the ingress subinterfaces. In this case, for Customer A, there are multiple subinterfaces that use the same VLAN tag. Hence, the firewall first narrows the classification to a subinterface based on the source IP address in the packet. The policies defined for the zone are evaluated and applied before the packet exits from the corresponding subinterface.


For return path traffic, the firewall compares the destination IP address as defined in the IP classifier on the customer-facing subinterface and selects the appropriate virtual wire to route traffic through the correct subinterface.

The same VLAN tag must not be defined on the parent virtual wire interface and the subinterface. Verify that the VLAN tags defined on the Tag Allowed list of the parent virtual wire interface (Network > Virtual Wires) are not included on a subinterface.
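The classification order described for the Customer A / Customer B table (VLAN tag first, then source IP classifier) and the three configuration rules stated in this section, written up as an added Python example. This is not PAN-OS code: the topology is constructed from the table above, the parent wire is modelled as passing only the tags on its Tag Allowed list, subinterface pairs are matched by their numeric suffix, and the tie-break "most specific classifier wins, otherwise the tag-only subinterface" is an assumption of this model.

```python
"""Added illustration (not PAN-OS code) of how a virtual wire picks an ingress
subinterface by VLAN tag and source-IP classifier, with a validator for the
configuration rules the guide states. Topology constructed from the guide's
Customer A / Customer B table; the classifier tie-break is an assumption."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Subif:
    name: str
    vsys: str
    zone: str
    vlan_tag: int
    side: str                                             # "ingress" or "egress"
    classifiers: List[str] = field(default_factory=list)  # source subnets


@dataclass
class VirtualWire:
    parent_ingress: str
    parent_egress: str
    tag_allowed: List[int]        # tags the parent wire itself passes through
    subifs: List[Subif]


def classify_ingress(vw: VirtualWire, vlan_tag: int, src_ip: str) -> Optional[Subif]:
    """Match the VLAN tag first; when several ingress subinterfaces share the
    tag, narrow by the source IP classifier (most specific match wins, then
    the tag-only subinterface)."""
    same_tag = [s for s in vw.subifs if s.side == "ingress" and s.vlan_tag == vlan_tag]
    if not same_tag:
        return None                                # parent wire handles the frame
    addr = ip_address(src_ip)
    best, best_len = None, -1
    for s in same_tag:
        for c in s.classifiers:
            net = ip_network(c, strict=False)
            if addr in net and net.prefixlen > best_len:
                best, best_len = s, net.prefixlen
    if best is not None:
        return best
    tag_only = [s for s in same_tag if not s.classifiers]
    return tag_only[0] if tag_only else None


def validate(vw: VirtualWire) -> List[str]:
    """Check the rules the guide states for virtual wire subinterfaces."""
    problems = []
    for s in vw.subifs:                            # no tag shared with the parent
        if s.vlan_tag in vw.tag_allowed:
            problems.append(f"{s.name}: VLAN {s.vlan_tag} is also on the parent Tag Allowed list")
    sides = {s.side for s in vw.subifs if s.classifiers}
    if len(sides) > 1:                             # classifiers on one side only
        problems.append("IP classifiers are configured on both sides of the virtual wire")
    by_suffix = {}                                 # paired subinterfaces share a tag
    for s in vw.subifs:
        by_suffix.setdefault(s.name.rsplit(".", 1)[-1], []).append(s)
    for suffix, pair in by_suffix.items():
        if len({s.vlan_tag for s in pair}) > 1:
            problems.append(f"subinterface pair .{suffix}: VLAN tags differ")
    return problems


# Constructed sample: the guide's table. The parent wire is modelled as
# passing untagged (0) and VLAN 300 traffic, neither of which is on a subif.
VW = VirtualWire("ethernet1/1", "ethernet1/2", tag_allowed=[0, 300], subifs=[
    Subif("e1/1.1", "vsys2", "Zone3", 100, "ingress"),
    Subif("e1/2.1", "vsys2", "Zone4", 100, "egress"),
    Subif("e1/1.2", "vsys2", "Zone5", 100, "ingress", ["192.1.0.0/16"]),
    Subif("e1/2.2", "vsys2", "Zone6", 100, "egress"),
    Subif("e1/1.3", "vsys2", "Zone7", 100, "ingress", ["192.2.0.0/16"]),
    Subif("e1/2.3", "vsys2", "Zone8", 100, "egress"),
    Subif("e1/1.4", "vsys3", "Zone9", 200, "ingress"),
    Subif("e1/2.4", "vsys3", "Zone10", 200, "egress"),
])

if __name__ == "__main__":
    for tag, src in [(100, "192.1.5.5"), (100, "10.0.0.1"), (200, "192.1.5.5")]:
        hit = classify_ingress(VW, tag, src)
        print(tag, src, "->", hit.name if hit else "parent wire", validate(VW))
```

Running the validator against a proposed change before committing it catches the two mistakes this section warns about (a subinterface tag that is also on the parent's Tag Allowed list, and classifiers on the egress side), both of which would otherwise only show up as traffic landing in the wrong zone.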

Layer 2 Deployments

In a Layer 2 deployment, the firewall provides switching between two or more networks. You must assign a group of interfaces to a VLAN object in order for the firewall to switch between them. The firewall performs VLAN tag switching when Layer 2 subinterfaces are attached to a common VLAN object. Choose this option when switching is required.

Figure: Layer 2 Deployment

In a Layer 2 deployment, the firewall rewrites the inbound Port VLAN ID (PVID) number in a Cisco per-VLAN spanning tree (PVST+) or Rapid PVST+ bridge protocol data unit (BPDU) to the proper outbound VLAN ID number and forwards it out. The firewall rewrites such BPDUs on Layer 2 Ethernet and Aggregated Ethernet (AE) interfaces only.

The Cisco switch must have the loop guard disabled for the PVST+ or Rapid PVST+ BPDU rewrite to function properly on the firewall.

Layer 3 Deployments

In a Layer 3 deployment, the firewall routes traffic between multiple ports. This deployment requires that you assign an IP address to each interface and configure Virtual Routers to route the traffic. Choose this option when routing is required.

Figure: Layer 3 Deployment


The following Layer 3 interface deployments are also supported:
- Point-to-Point Protocol over Ethernet Support
- DHCP Client

Point-to-Point Protocol over Ethernet Support

You can configure the firewall to be a Point-to-Point Protocol over Ethernet (PPPoE) termination point to support connectivity in a Digital Subscriber Line (DSL) environment where there is a DSL modem but no other PPPoE device to terminate the connection.
You can choose the PPPoE option and configure the associated settings when an interface is defined as a Layer 3 interface.

PPPoE is not supported in HA active/active mode.

DHCP Client

You can configure the firewall interface to act as a DHCP client and receive a dynamically assigned IP address. The firewall also provides the capability to propagate settings received by the DHCP client interface into a DHCP server operating on the firewall. This is most commonly used to propagate DNS server settings from an Internet service provider to client machines operating on the network protected by the firewall.

DHCP client is not supported in HA active/active mode.

For more information, see DHCP.

Tap Mode Deployments

A network tap is a device that provides a way to access data flowing across a computer network. Tap mode deployment allows you to passively monitor traffic flows across a network by way of a switch SPAN or mirror port.


The SPAN or mirror port permits the copying of traffic from other ports on the switch. By dedicating an interface on the firewall as a tap mode interface and connecting it with a switch SPAN port, the switch SPAN port provides the firewall with the mirrored traffic. This provides application visibility within the network without being in the flow of network traffic.

When deployed in tap mode, the firewall is not able to take action, such as block traffic or apply QoS traffic control.


Configure an Aggregate Interface Group

An aggregate interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that connects the firewall to another network device or another firewall. An aggregate group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy; when one interface fails, the remaining interfaces continue supporting traffic.
By default, interface failure detection is automatic only at the physical layer between directly connected peers. However, if you enable Link Aggregation Control Protocol (LACP), failure detection is automatic at the physical and data link layers regardless of whether the peers are directly connected. LACP also enables automatic failover to standby interfaces if you configured hot spares. All Palo Alto Networks firewalls except the PA-200 and VM-Series platforms support aggregate groups. You can add up to eight aggregate groups per firewall and each group can have up to eight interfaces.
Before configuring an aggregate group, you must configure its interfaces. All the interfaces in an aggregate group must be the same with respect to bandwidth and interface type. The options are:
- Bandwidth: 1Gbps or 10Gbps
- Interface type: HA3, virtual wire, Layer 2, or Layer 3. You can aggregate the HA3 (packet forwarding) interfaces in an active/active high availability (HA) deployment but only for PA-500, PA-3000 Series, PA-4000 Series, and PA-5000 Series firewalls.

This procedure describes configuration steps only for the Palo Alto Networks firewall. You must also configure the aggregate group on the peer device. Refer to the documentation of that device for instructions.

Configure an Aggregate Interface Group

Step 1  Configure the general interface group parameters.
        1. Select Network > Interfaces > Ethernet and Add Aggregate Group.
        2. In the field adjacent to the read-only Interface Name, enter a number (1-8) to identify the aggregate group.
        3. For the Interface Type, select HA, Virtual Wire, Layer2, or Layer3.
        4. Configure the remaining parameters for the Interface Type you selected.


Step 2  Configure the LACP settings.
        Perform this step only if you want to enable LACP for the aggregate group. You cannot enable LACP for virtual wire interfaces.
        1. Select the LACP tab and Enable LACP.
        2. Set the Mode for LACP status queries to Passive (the firewall just responds; the default) or Active (the firewall queries peer devices).
           As a best practice, set one LACP peer to active and the other to passive. LACP cannot function if both peers are passive. The firewall cannot detect the mode of its peer device.
        3. Set the Transmission Rate for LACP query and response exchanges to Slow (every 30 seconds; the default) or Fast (every second). Base your selection on how much LACP processing your network supports and how quickly LACP peers must detect and resolve interface failures.
        4. Select Fast Failover if you want to enable failover to a standby interface in less than one second. By default, the option is disabled and the firewall uses the IEEE 802.1ax standard for failover processing, which takes at least three seconds.
           As a best practice, use Fast Failover in deployments where you might lose critical data during the standard failover interval.
        5. Enter the Max Ports (number of interfaces) that are active (1-8) in the aggregate group. If the number of interfaces you assign to the group exceeds the Max Ports, the remaining interfaces will be in standby mode. The firewall uses the LACP Port Priority of each interface you assign (Step 3) to determine which interfaces are initially active and to determine the order in which standby interfaces become active upon failover. If the LACP peers have non-matching port priority values, the values of the peer with the lower System Priority number (default is 32,768; range is 1-65,535) will override the other peer.
        6. (Optional) For active/passive firewalls only, select Enable in HA Passive State if you want to enable LACP pre-negotiation for the passive firewall. LACP pre-negotiation enables quicker failover to the passive firewall (for details, see LACP and LLDP Pre-Negotiation for Active/Passive HA).
           If you select this option, you cannot select Same System MAC Address for Active-Passive HA; pre-negotiation requires unique interface MAC addresses on each HA firewall.
        7. (Optional) For active/passive firewalls only, select Same System MAC Address for Active-Passive HA and specify a single MAC Address for both HA firewalls. This option minimizes failover latency if the LACP peers are virtualized (appearing to the network as a single device). By default, the option is disabled: each firewall in an HA pair has a unique MAC address.
           If the LACP peers are not virtualized, use unique MAC addresses to minimize failover latency.


Step 3  Assign interfaces to the aggregate group.
        Perform the following steps for each interface (1-8) that will be a member of the aggregate group.
        1. Select Network > Interfaces > Ethernet and click the interface name to edit it.
        2. Set the Interface Type to Aggregate Ethernet.
        3. Select the Aggregate Group you just defined.
        4. Select the Link Speed, Link Duplex, and Link State.
           As a best practice, set the same link speed and duplex values for every interface in the group. For non-matching values, the firewall defaults to the higher speed and full duplex.
        5. (Optional) Enter an LACP Port Priority (default is 32,768; range is 1-65,535) if you enabled LACP for the aggregate group. If the number of interfaces you assign exceeds the Max Ports value of the group, the port priorities determine which interfaces are active or standby. The interfaces with the lower numeric values (higher priorities) will be active.
        6. Click OK.

Step 4  If the firewalls have an active/active configuration and you are aggregating HA3 interfaces, enable packet forwarding for the aggregate group.
        1. Select Device > High Availability > Active/Active Config and edit the Packet Forwarding section.
        2. Select the aggregate group you configured for the HA3 Interface and click OK.

Step 5  Commit your changes and verify the aggregate group status.
        1. Click Commit.
        2. Select Network > Interfaces > Ethernet.
        3. Verify that the Link State column displays a green icon for the aggregate group, indicating that all member interfaces are up. If the icon is yellow, at least one member is down but not all. If the icon is red, all members are down.
        4. If you configured LACP, verify that the Features column displays the LACP enabled icon for the aggregate group.
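The interaction between Max Ports, LACP Port Priority and System Priority described in Step 2 item 5 and Step 3 item 5, modelled as an added Python example (not PAN-OS code). It follows the rules the procedure states: lower Port Priority values are active first, Max Ports caps the active set, and when the two peers disagree on port priorities the peer with the lower System Priority number prevails. The interface names and priority values are constructed, and resolving a System Priority tie in favour of the local values is an assumption of this model.

```python
"""Added illustration (not PAN-OS code) of LACP active/standby selection in
an aggregate group, following the rules the guide states. Member names and
priorities are constructed; the System Priority tie-break is an assumption."""
from typing import Dict, List, Optional, Tuple

DEFAULT_PRIORITY = 32768          # default System Priority and Port Priority
PRIORITY_RANGE = range(1, 65536)  # 1-65,535
MAX_PORTS_RANGE = range(1, 9)     # Max Ports is 1-8


def effective_port_priorities(local_ports: Dict[str, int], local_system_priority: int,
                              peer_ports: Optional[Dict[str, int]] = None,
                              peer_system_priority: int = DEFAULT_PRIORITY) -> Dict[str, int]:
    """Port priorities actually used: our own, unless the peer has the lower
    System Priority number, in which case its values override ours."""
    for p in list(local_ports.values()) + [local_system_priority, peer_system_priority]:
        if p not in PRIORITY_RANGE:
            raise ValueError(f"priority {p} outside 1-65535")
    if peer_ports is None or local_system_priority <= peer_system_priority:
        return dict(local_ports)                  # tie goes to local (assumption)
    return {iface: peer_ports.get(iface, prio) for iface, prio in local_ports.items()}


def select_active(local_ports: Dict[str, int], max_ports: int,
                  local_system_priority: int = DEFAULT_PRIORITY,
                  peer_ports: Optional[Dict[str, int]] = None,
                  peer_system_priority: int = DEFAULT_PRIORITY) -> Tuple[List[str], List[str]]:
    """Return (active, standby). standby[0] is the next member promoted on failover."""
    if max_ports not in MAX_PORTS_RANGE:
        raise ValueError("Max Ports must be 1-8")
    if len(local_ports) > 8:
        raise ValueError("an aggregate group holds at most eight interfaces")
    prios = effective_port_priorities(local_ports, local_system_priority,
                                      peer_ports, peer_system_priority)
    # lower numeric value = higher priority; interface name breaks exact ties
    order = sorted(prios, key=lambda i: (prios[i], i))
    return order[:max_ports], order[max_ports:]


def failover(active: List[str], standby: List[str], failed: str) -> Tuple[List[str], List[str]]:
    """Drop a failed member and promote the highest-priority standby, if any."""
    new_active = [i for i in active if i != failed]
    new_standby = [i for i in standby if i != failed]
    if len(new_active) < len(active) and new_standby:
        new_active.append(new_standby.pop(0))
    return new_active, new_standby


# Constructed sample: four members, two allowed active, one hot spare pair
MEMBERS = {"ethernet1/1": 100, "ethernet1/2": 200,
           "ethernet1/3": DEFAULT_PRIORITY, "ethernet1/4": 50}

if __name__ == "__main__":
    active, standby = select_active(MEMBERS, max_ports=2)
    print("active", active, "standby", standby)
    print("after ethernet1/1 fails:", failover(active, standby, "ethernet1/1"))
```

With Max Ports 2, ethernet1/4 (priority 50) and ethernet1/1 (100) are active and ethernet1/2 is first in line for failover. If the peer switch has the lower System Priority and advertises a high priority for ethernet1/4, its values win and ethernet1/4 drops to standby, which is the situation the guide's note about non-matching port priorities describes; when the active set after a commit is not what you expected, that is the first thing to compare.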


Use Interface Management Profiles to Restrict Access

An Interface Management profile protects the firewall from unauthorized access by defining the protocols, services, and IP addresses that a firewall interface permits for management traffic. For example, you might want to prevent users from accessing the firewall web interface over the ethernet1/1 interface but allow that interface to receive SNMP queries from your network monitoring system. In this case, you would enable SNMP and disable HTTP/HTTPS in an Interface Management profile and assign the profile to ethernet1/1.
You can assign an Interface Management profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical interfaces (aggregate group, VLAN, loopback, and tunnel interfaces). If you do not assign an Interface Management profile to an interface, it denies access for all IP addresses, protocols, and services by default.

The management (MGT) interface does not require an Interface Management profile. You restrict protocols, services, and IP addresses for the MGT interface when you Perform Initial Configuration of the firewall. In case the MGT interface goes down, allowing management access over another interface enables you to continue managing the firewall. However, as a best practice, use additional methods besides Interface Management profiles to prevent unauthorized access over that interface. These methods include role-based access control and access restrictions based on VLANs, virtual routers, or virtual systems.

Configure and Assign an Interface Management Profile

Step 1  Configure the Interface Management profile.
        1. Select Network > Network Profiles > Interface Mgmt and click Add.
        2. Select the protocols that the interface permits for management traffic: Ping, Telnet, SSH, HTTP, HTTP OCSP, HTTPS, or SNMP.
        3. Select the services that the interface permits for management traffic:
           - Response Pages: Use to enable response pages for:
             - Captive Portal: To serve Captive Portal response pages, the firewall leaves ports open on Layer 3 interfaces: port 6080 for NT LAN Manager (NTLM), 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode. For details, see Configure Captive Portal.
             - URL Admin Override: For details, see Configure URL Admin Override.
           - User-ID: Use to Configure Firewalls to Redistribute User Mapping Information.
           - User-ID Syslog Listener-SSL or User-ID Syslog Listener-UDP: Use to Configure User-ID to Receive User Mappings from a Syslog Sender over SSL or UDP.
        4. (Optional) Add the Permitted IP Addresses that can access the interface. If you don't add entries to the list, the interface has no IP address restrictions.
        5. Click OK.


Step 2  Assign the Interface Management profile to an interface.
        1. Select Network > Interfaces, select the type of interface (Ethernet, VLAN, Loopback, or Tunnel), and select the interface.
        2. Select Advanced > Other Info and select the Interface Management Profile you just added.
        3. Click OK and Commit.
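The access decision that an Interface Management profile expresses, written out as an added Python example (not PAN-OS code) so the three cases in this section can be checked side by side: an interface with no profile denies all management traffic, an enabled protocol is reachable from any source when the Permitted IP list is empty, and otherwise the source must be on the list. The `audit` helper is this example's own review check, not a firewall feature; the profile, interface assignments and addresses are constructed, with the SNMP-only profile mirroring the ethernet1/1 scenario above.

```python
"""Added illustration (not PAN-OS code) of the management-access decision an
Interface Management profile expresses, plus a small review check. Profile
contents, interface assignments and addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Names as they appear in the profile dialog described in Step 1
PROTOCOLS = {"Ping", "Telnet", "SSH", "HTTP", "HTTP OCSP", "HTTPS", "SNMP"}
SERVICES = {"Response Pages", "User-ID",
            "User-ID Syslog Listener-SSL", "User-ID Syslog Listener-UDP"}
CLEARTEXT = {"Telnet", "HTTP"}   # flagged by audit(); this is the example's own check


@dataclass
class InterfaceMgmtProfile:
    name: str
    protocols: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    permitted_ips: List[str] = field(default_factory=list)   # empty = no IP restriction

    def __post_init__(self):
        unknown = (self.protocols - PROTOCOLS) | (self.services - SERVICES)
        if unknown:
            raise ValueError(f"unknown profile entries: {sorted(unknown)}")


def is_mgmt_allowed(profile: Optional[InterfaceMgmtProfile], protocol: str, src_ip: str) -> bool:
    """Decide whether management traffic of `protocol` from `src_ip` is accepted
    on an interface carrying `profile` (None = no profile assigned)."""
    if profile is None:
        return False                              # no profile: deny everything
    if protocol not in profile.protocols:
        return False                              # protocol not enabled
    if not profile.permitted_ips:
        return True                               # no list: any source address
    addr = ip_address(src_ip)
    return any(addr in ip_network(p, strict=False) for p in profile.permitted_ips)


def audit(profile: InterfaceMgmtProfile) -> List[str]:
    """Review findings for a profile: cleartext protocols, and management
    protocols open to any source because no Permitted IP list is set."""
    findings = []
    for p in sorted(profile.protocols & CLEARTEXT):
        findings.append(f"{profile.name}: cleartext protocol {p} enabled")
    if (profile.protocols - {"Ping"}) and not profile.permitted_ips:
        findings.append(f"{profile.name}: management protocols enabled with no Permitted IP list")
    return findings


# Constructed sample: SNMP only on ethernet1/1, reachable from the monitoring
# subnet; ethernet1/2 has no profile assigned at all.
SNMP_ONLY = InterfaceMgmtProfile("snmp-from-nms", {"SNMP"}, permitted_ips=["10.10.5.0/24"])
ASSIGNMENTS = {"ethernet1/1": SNMP_ONLY, "ethernet1/2": None}


def check_request(interface: str, protocol: str, src_ip: str) -> bool:
    """Apply the profile assigned to `interface` (missing key = no profile)."""
    return is_mgmt_allowed(ASSIGNMENTS.get(interface), protocol, src_ip)


if __name__ == "__main__":
    for req in [("ethernet1/1", "SNMP", "10.10.5.7"), ("ethernet1/1", "HTTPS", "10.10.5.7"),
                ("ethernet1/2", "SSH", "10.10.5.7")]:
        print(req, "->", "allow" if check_request(*req) else "deny")
    print(audit(InterfaceMgmtProfile("weak", {"Telnet", "HTTP", "HTTPS"})))
```

The audit output for a profile that enables Telnet and HTTP with no Permitted IP list is what a reviewer would want to see before such a profile is attached to a Layer 3 interface; the same shape of check can be run over an exported configuration.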


Virtual Routers

The firewall uses virtual routers to obtain routes to other subnets by manually defining a route (static routes) or through participation in Layer 3 routing protocols (dynamic routes). The best routes obtained through these methods are used to populate the firewall's IP route table. When a packet is destined for a different subnet, the Virtual Router obtains the best route from this IP route table and forwards the packet to the next hop router defined in the table.
The Ethernet interfaces and VLAN interfaces defined on the firewall receive and forward the Layer 3 traffic. The destination zone is derived from the outgoing interface based on the forwarding criteria, and policy rules are consulted to identify the security policies to be applied. In addition to routing to other network devices, virtual routers can route to other virtual routers within the same firewall if a next hop is specified to point to another virtual router.
You can configure the virtual router to participate with dynamic routing protocols (BGP, OSPF, or RIP) as well as adding static routes. You can also create multiple virtual routers, each maintaining a separate set of routes that are not shared between virtual routers, enabling you to configure different routing behaviors for different interfaces.
Each Layer 3 interface, loopback interface, and VLAN interface defined on the firewall must be associated with a virtual router. While each interface can belong to only one virtual router, multiple routing protocols and static routes can be configured for a virtual router. Regardless of the static routes and dynamic routing protocols configured for a virtual router, a common general configuration is required. The firewall uses Ethernet switching to reach other devices on the same IP subnet.
The following Layer 3 routing protocols are supported from Virtual Routers:
- RIP
- OSPF
- OSPFv3
- BGP

Define a Virtual Router General Configuration

Step 1  Gather the required information from your network administrator.
        - Interfaces that you want to route
        - Administrative distances for static, OSPF internal, OSPF external, IBGP, EBGP and RIP

Step 2  Create the virtual router and name it.
        1. Select Network > Virtual Routers.
        2. Click Add and enter a name for the virtual router.
        3. Select interfaces to apply to the virtual router.
        4. Click OK.

Step3 Selectinterfacestoapplytothevirtual 1. ClickAddintheInterfacesbox.


router. 2. Selectanalreadydefinedinterfacefromthedropdown.
3. RepeatStep2forallinterfacesthatyouwanttoaddtothe
virtualrouter.


Step 4  Set Administrative Distances for static and dynamic routing.
        Set Administrative Distances as required.
        - Static: Range is 10-240; default is 10.
        - OSPF Internal: Range is 10-240; default is 30.
        - OSPF External: Range is 10-240; default is 110.
        - IBGP: Range is 10-240; default is 200.
        - EBGP: Range is 10-240; default is 20.
        - RIP: Range is 10-240; default is 120.

Step 5  Save virtual router general settings.
        Click OK to save your settings.

Step 6  Commit your changes.
        Click Commit. The firewall can take up to 90 seconds to save your changes.


Static Routes

The following procedure shows how to integrate the firewall into the network using static routing.

Set Up Interfaces and Zones

Step 1  Configure a default route to your Internet router.
        1. Select Network > Virtual Routers and then select the default link to open the Virtual Router dialog.
        2. Select the Static Routes tab and click Add. Enter a Name for the route and enter the route in the Destination field (for example, 0.0.0.0/0).
        3. Select the IP Address radio button in the Next Hop field and then enter the IP address and netmask for your Internet gateway (for example, 208.80.56.1).
        4. Click OK twice to save the virtual router configuration.

Step 2  Configure the external interface (the interface that connects to the Internet).
        1. Select Network > Interfaces and then select the interface you want to configure. In this example, we are configuring Ethernet1/3 as the external interface.
        2. Select the Interface Type. Although your choice here depends on your network topology, this example shows the steps for Layer3.
        3. In the Virtual Router drop-down, select default.
        4. On the Config tab, select New Zone from the Security Zone drop-down. In the Zone dialog, define a Name for the new zone, for example Untrust, and then click OK.
        5. To assign an IP address to the interface, select the IPv4 tab and the Static radio button. Click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 208.80.56.100/24.
        6. To enable you to ping the interface, select Advanced > Other Info, expand the Management Profile drop-down, and select New Management Profile. Enter a Name for the profile, select Ping and then click OK.
        7. To save the interface configuration, click OK.


Step 3  Configure the interface that connects to your internal network.
        In this example, the interface connects to a network segment that uses private IP addresses. Because private IP addresses cannot be routed externally, you will have to configure NAT. See Configure NAT for details.
        1. Select Network > Interfaces and select the interface you want to configure. In this example, we are configuring Ethernet1/4 as the internal interface.
        2. Select Layer3 from the Interface Type drop-down.
        3. On the Config tab, expand the Security Zone drop-down and select New Zone. In the Zone dialog, define a Name for the new zone, for example Trust, and then click OK.
        4. Select the same Virtual Router you used in Step 2, default in this example.
        5. To assign an IP address to the interface, select the IPv4 tab and the Static radio button, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.1.4/24.
        6. To enable you to ping the interface, select the management profile that you created in Step 2-6.
        7. To save the interface configuration, click OK.

Step 4  Configure the interface that connects to the DMZ.
        1. Select the interface you want to configure.
        2. Select Layer3 from the Interface Type drop-down. In this example, we are configuring Ethernet1/13 as the DMZ interface.
        3. On the Config tab, expand the Security Zone drop-down and select New Zone. In the Zone dialog, define a Name for the new zone, for example DMZ, and then click OK.
        4. Select the Virtual Router you used in Step 2, default in this example.
        5. To assign an IP address to the interface, select the IPv4 tab and the Static radio button, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.1.1.1/24.
        6. To enable you to ping the interface, select the management profile that you created in Step 2-6.
        7. To save the interface configuration, click OK.

Step 5  Save the interface configuration.
        Click Commit.

Step 6  Cable the firewall.
        Attach straight-through cables from the interfaces you configured to the corresponding switch or router on each network segment.

Step 7  Verify that the interfaces are active.
        From the web interface, select Network > Interfaces and verify that the icon in the Link State column is green. You can also monitor link state from the Interfaces widget on the Dashboard.
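The route selection described under Virtual Routers (longest match, then the administrative distances from Step 4 of the general configuration) can be traced with the following added example, which is not PAN-OS code or part of the guide. It reuses the default route and the three interfaces from the Static Routes procedure above and adds constructed RIP and OSPF routes for the same prefix; treating connected subnets as distance 0 and breaking the remaining tie on metric are assumptions of the example.

```python
"""Next-hop selection in a virtual router: longest prefix match, then
administrative distance, then protocol metric.

Added illustration (not PAN-OS code, not from the guide). The administrative
distances are the defaults listed in the Virtual Router procedure; the sample
table reuses the interfaces and default route from the Static Routes procedure
and adds constructed RIP and OSPF routes so that the tie-breaking can be seen.
Treating directly connected subnets as distance 0 and breaking remaining ties
by metric are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default administrative distances from the virtual router dialog (lower wins).
ADMIN_DISTANCE = {
    "connected": 0,   # assumption: a directly attached subnet is always preferred
    "static": 10,
    "ebgp": 20,
    "ospf-int": 30,
    "ospf-ext": 110,
    "rip": 120,
    "ibgp": 200,
}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]  # None for a connected route
    interface: str
    source: str                                 # key into ADMIN_DISTANCE
    metric: int = 0

    @property
    def admin_distance(self) -> int:
        return ADMIN_DISTANCE[self.source]


def route(prefix: str, next_hop: Optional[str], interface: str,
          source: str, metric: int = 0) -> Route:
    return Route(ipaddress.IPv4Network(prefix),
                 ipaddress.IPv4Address(next_hop) if next_hop else None,
                 interface, source, metric)


# Constructed route table. The first four entries mirror the Static Routes
# example (default route via 208.80.56.1; Untrust, Trust and DMZ interfaces).
ROUTE_TABLE: List[Route] = [
    route("0.0.0.0/0", "208.80.56.1", "ethernet1/3", "static"),
    route("208.80.56.0/24", None, "ethernet1/3", "connected"),
    route("192.168.1.0/24", None, "ethernet1/4", "connected"),
    route("10.1.1.0/24", None, "ethernet1/13", "connected"),
    # Same prefix learned three times: RIP with a small hop count loses to
    # OSPF internal on administrative distance (120 vs 30); the two OSPF
    # routes are then separated by metric.
    route("10.2.0.0/16", "10.1.1.2", "ethernet1/13", "rip", metric=3),
    route("10.2.0.0/16", "10.1.1.3", "ethernet1/13", "ospf-int", metric=20),
    route("10.2.0.0/16", "10.1.1.4", "ethernet1/13", "ospf-int", metric=15),
]


def best_route(table: List[Route], destination: str) -> Optional[Route]:
    """Pick the route a virtual router would use for `destination`."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None  # no route at all: the packet is dropped
    # Longest prefix first, then lowest administrative distance, then metric.
    return min(candidates,
               key=lambda r: (-r.prefix.prefixlen, r.admin_distance, r.metric))


def forwarding_decision(table: List[Route],
                        destination: str) -> Optional[Tuple[str, str]]:
    """Return (egress interface, next hop). For a connected route the next hop
    is the destination host itself, reached by Ethernet switching on that subnet."""
    r = best_route(table, destination)
    if r is None:
        return None
    hop = r.next_hop if r.next_hop is not None else ipaddress.IPv4Address(destination)
    return r.interface, str(hop)


def without_default_route(table: List[Route]) -> List[Route]:
    """The table as it looks when no default route is present (for example,
    Reject Default Route is set for every protocol and none is configured)."""
    return [r for r in table if r.prefix.prefixlen > 0]
```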


RIP

Routing Information Protocol (RIP) is an interior gateway protocol (IGP) that was designed for small IP networks. RIP relies on hop count to determine routes; the best routes have the fewest hops. RIP is based on UDP and uses port 520 for route updates. By limiting routes to a maximum of 15 hops, the protocol helps prevent the development of routing loops, but also limits the supported network size. If more than 15 hops are required, traffic is not routed. RIP also can take longer to converge than OSPF and other routing protocols. The firewall supports RIPv2.

Perform the following procedure to configure RIP.

Configure RIP

Step 1  Configure general virtual router configuration settings.
        See Virtual Routers for details.

Step 2  Configure general RIP configuration settings.
        1. Select the RIP tab.
        2. Select Enable to enable the RIP protocol.
        3. Select Reject Default Route if you do not want to learn any default routes through RIP. This is the recommended default setting.
        4. Deselect Reject Default Route if you want to permit redistribution of default routes through RIP.

Step 3  Configure interfaces for the RIP protocol.
        1. On the Interfaces tab, select an interface from the drop-down in the Interface configuration section.
        2. Select an already defined interface.
        3. Select Enable.
        4. Select Advertise to advertise a default route to RIP peers with the specified metric value.
        5. (Optional) Select a profile from the Auth Profile drop-down. See Step 5 for details.
        6. Select normal, passive or send-only from the Mode drop-down.
        7. Click OK.

Step 4  Configure RIP timers.
        1. On the Timers tab, enter a value for Interval Seconds (sec). This setting defines the length of the following RIP timer intervals in seconds (range is 1-60; default is 1).
        2. Specify the Update Intervals to define the number of intervals between route update announcements (range is 1-3600; default is 30).
        3. Specify the Delete Intervals to define the number of intervals between the time that the route expires to its deletion (range is 1-3600; default is 180).
        4. Specify the Expire Intervals to define the number of intervals between the time that the route was last updated to its expiration (range is 1-3600; default is 120).


Step 5  (Optional) Configure Auth Profiles.
        By default, the firewall does not use RIP authentication for the exchange between RIP neighbors. Optionally, you can configure RIP authentication between RIP neighbors using either a simple password or MD5 authentication.
        Simple Password RIP authentication
        1. Select Auth Profiles and click Add.
        2. Enter a name for the authentication profile to authenticate RIP messages.
        3. Select Simple Password as the Password Type.
        4. Enter a simple password and then confirm.
        MD5 RIP authentication
        1. Select Auth Profiles and click Add.
        2. Enter a name for the authentication profile to authenticate RIP messages.
        3. Select MD5 as the Password Type.
        4. Click Add.
        5. Enter one or more password entries, including:
           - Key-ID (range is 0-255)
           - Key
        6. (Optional) Select Preferred status.
        7. Click OK to specify the key to be used to authenticate outgoing messages.
        8. Click OK again in the Virtual Router - RIP Auth Profile dialog box.


OSPF

Open Shortest Path First (OSPF) is an interior gateway protocol (IGP) that is most often used to dynamically manage network routes in large enterprise networks. It determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The information gathered from the LSAs is used to construct a topology map of the network. This topology map is shared across routers in the network and used to populate the IP routing table with available routes.

Changes in the network topology are detected dynamically and used to generate a new topology map within seconds. A shortest path tree is computed for each route. Metrics associated with each routing interface are used to calculate the best route. These can include distance, network throughput, link availability, etc. Additionally, these metrics can be configured statically to direct the outcome of the OSPF topology map.

The Palo Alto Networks implementation of OSPF fully supports the following RFCs:
- RFC 2328 (for IPv4)
- RFC 5340 (for IPv6)

The following topics provide more information about OSPF and procedures for configuring OSPF on the firewall:
- OSPF Concepts
- Configure OSPF
- Configure OSPFv3
- Configure OSPF Graceful Restart
- Confirm OSPF Operation

Also refer to the How to Configure OSPF TechNote.

OSPF Concepts

The following topics introduce the OSPF concepts you will need to understand in order to configure the firewall to participate in an OSPF network:
- OSPFv3
- OSPF Neighbors
- OSPF Areas
- OSPF Router Types


OSPFv3

OSPFv3 provides support for the OSPF routing protocol within an IPv6 network. As such, it provides support for IPv6 addresses and prefixes. It retains most of the structure and functions in OSPFv2 (for IPv4) with some minor changes. The following are some of the additions and changes to OSPFv3:
- Support for multiple instances per link: With OSPFv3, you can run multiple instances of the OSPF protocol over a single link. This is accomplished by assigning an OSPFv3 instance ID number. An interface that is assigned to an instance ID drops packets that contain a different ID.
- Protocol processing per link: OSPFv3 operates per link instead of per IP subnet as on OSPFv2.
- Changes to addressing: IPv6 addresses are not present in OSPFv3 packets, except for LSA payloads within link state update packets. Neighboring routers are identified by the Router ID.
- Authentication changes: OSPFv3 doesn't include any authentication capabilities. Configuring OSPFv3 on a firewall requires an authentication profile that specifies Encapsulating Security Payload (ESP) or IPv6 Authentication Header (AH). The re-keying procedure specified in RFC 4552 is not supported in this release.
- Support for multiple instances per link: Each instance corresponds to an instance ID contained in the OSPFv3 packet header.
- New LSA types: OSPFv3 supports two new LSA types: Link LSA and Intra Area Prefix LSA.
All additional changes are described in detail in RFC 5340.

OSPF Neighbors

Two OSPF-enabled routers connected by a common network and in the same OSPF area that form a relationship are OSPF neighbors. The connection between these routers can be through a common broadcast domain or by a point-to-point connection. This connection is made through the exchange of hello OSPF protocol packets. These neighbor relationships are used to exchange routing updates between routers.

OSPF Areas

OSPF operates within a single autonomous system (AS). Networks within this single AS, however, can be divided into a number of areas. By default, Area 0 is created. Area 0 can either function alone or act as the OSPF backbone for a larger number of areas. Each OSPF area is named using a 32-bit identifier which in most cases is written in the same dotted decimal notation as an IPv4 address. For example, Area 0 is usually written as 0.0.0.0.

The topology of an area is maintained in its own link state database and is hidden from other areas, which reduces the amount of traffic routing required by OSPF. The topology is then shared in a summarized form between areas by a connecting router.

OSPF Area Type     Description

Backbone Area      The backbone area (Area 0) is the core of an OSPF network. All other areas are connected to it and all traffic between areas must traverse it. All routing between areas is distributed through the backbone area. While all other OSPF areas must connect to the backbone area, this connection doesn't need to be direct and can be made through a virtual link.

Normal OSPF Area   In a normal OSPF area there are no restrictions; the area can carry all types of routes.

Stub OSPF Area     A stub area does not receive routes from other autonomous systems. Routing from the stub area is performed through the default route to the backbone area.

NSSA Area          The Not-So-Stubby Area (NSSA) is a type of stub area that can import external routes, with some limited exceptions.

OSPF Router Types

Within an OSPF area, routers are divided into the following categories.
- Internal Router: A router that has OSPF neighbor relationships only with devices in the same area.
- Area Border Router (ABR): A router that has OSPF neighbor relationships with devices in multiple areas. ABRs gather topology information from their attached areas and distribute it to the backbone area.
- Backbone Router: A backbone router is any OSPF router that is attached to the OSPF backbone. Since ABRs are always connected to the backbone, they are always classified as backbone routers.
- Autonomous System Boundary Router (ASBR): An ASBR is a router that attaches to more than one routing protocol and exchanges routing information between them.

Configure OSPF

OSPF determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The router keeps information about the links between it and the destination and can make highly efficient routing decisions. A cost is assigned to each router interface, and the best routes are determined to be those with the lowest costs, when summed over all the encountered outbound router interfaces and the interface receiving the LSA.

Hierarchical techniques are used to limit the number of routes that must be advertised and the associated LSAs. Because OSPF dynamically processes a considerable amount of route information, it has greater processor and memory requirements than does RIP.

Configure OSPF

Step 1  Configure general virtual router configuration settings.
        See Virtual Routers for details.

Step 2  Enable OSPF.
        1. Select the OSPF tab.
        2. Select Enable to enable the OSPF protocol.
        3. (Optional) Enter the Router ID.
        4. Select Reject Default Route if you do not want to learn any default routes through OSPF. This is the recommended default setting.
           Deselect Reject Default Route if you want to permit redistribution of default routes through OSPF.


Step 3  Configure Areas - Type for the OSPF protocol.
        1. On the Areas tab, click Add.
        2. Enter an Area ID for the area in x.x.x.x format. This is the identifier that each neighbor must accept to be part of the same area.
        3. On the Type tab, select one of the following from the area Type drop-down:
           - Normal: There are no restrictions; the area can carry all types of routes.
           - Stub: There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, configure the following:
             - Accept Summary: Link state advertisements (LSA) are accepted from other areas. If this option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
             - Advertise Default Route: Default route LSAs will be included in advertisements to the stub area along with a configured metric value in the configured range 1-255.
           - NSSA (Not-So-Stubby Area): The firewall can leave the area only by routes other than OSPF routes. If selected, configure Accept Summary and Advertise Default Route as described for Stub. If you select this option, configure the following:
             - Type: Select either Ext 1 or Ext 2 route type to advertise the default LSA.
             - Ext Ranges: Click Add in the section to enter ranges of external routes that you want to enable or suppress advertising for.
        4. Priority: Enter the OSPF priority for this interface (0-255). This is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) according to the OSPF protocol. When the value is zero, the router will not be elected as a DR or BDR.
           - Auth Profile: Select a previously defined authentication profile.
           - Timing: It is recommended that you keep the default timing settings.
           - Neighbors: For p2mp interfaces, enter the neighbor IP address for all neighbors that are reachable through this interface.
        5. Select normal, passive or send-only as the Mode.
        6. Click OK.

Step 4  Configure Areas - Range for the OSPF protocol.
        1. On the Range tab, click Add to aggregate LSA destination addresses in the area into subnets.
        2. Advertise or Suppress advertising LSAs that match the subnet, and click OK. Repeat to add additional ranges.


Step 5  Configure Areas - Interfaces for the OSPF protocol.
        1. On the Interface tab, click Add and enter the following information for each interface to be included in the area:
           - Interface: Select an interface from the drop-down.
           - Enable: Selecting this option causes the OSPF interface settings to take effect.
           - Passive: Select if you do not want the OSPF interface to send or receive OSPF packets. Although OSPF packets are not sent or received if you choose this option, the interface is included in the LSA database.
           - Link type: Choose Broadcast if you want all neighbors that are accessible through the interface to be discovered automatically by multicasting OSPF hello messages, such as an Ethernet interface. Choose p2p (point-to-point) to automatically discover the neighbor. Choose p2mp (point-to-multipoint) when neighbors must be defined manually. Defining neighbors manually is allowed only for p2mp mode.
           - Metric: Enter an OSPF metric for this interface (range is 0-65535; default is 10).
           - Priority: Enter an OSPF priority for this interface. This is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) (range is 0-255; default is 1). If zero is configured, the router will not be elected as a DR or BDR.
           - Auth Profile: Select a previously defined authentication profile.
           - Timing: The following OSPF timing settings can be set. Palo Alto Networks recommends that you retain the default timing settings.
             - Hello Interval (sec): Interval (in seconds) at which the OSPF process sends hello packets to its directly connected neighbors (range is 0-3600; default is 10).
             - Dead Counts: Number of times the hello interval can occur for a neighbor without OSPF receiving a hello packet from the neighbor, before OSPF considers that neighbor down (range is 3-20; default is 4). The Hello Interval multiplied by the Dead Counts equals the value of the dead timer.
             - Retransmit Interval (sec): Length of time (in seconds) that OSPF waits to receive a link state advertisement (LSA) from a neighbor before OSPF retransmits the LSA (range is 0-3600; default is 10).
             - Transit Delay (sec): Length of time (in seconds) that an LSA is delayed before it is sent out of an interface (range is 0-3600; default is 1).


             - Graceful Restart Hello Delay (sec): Applies to an OSPF interface when Active/Passive High Availability is configured. Graceful Restart Hello Delay is the length of time (in seconds) during which the firewall sends Grace LSA packets at 1-second intervals (range is 1-10; default is 10). During this time, no hello packets are sent from the restarting firewall. During the restart, the dead timer (which is the Hello Interval multiplied by the Dead Counts) is also counting down. If the dead timer is too short, the adjacency will go down during the graceful restart because of the hello delay. Therefore, it is recommended that the dead timer be at least four times the value of the Graceful Restart Hello Delay. For example, a Hello Interval of 10 seconds and a Dead Counts of 4 yield a dead timer of 40 seconds. If the Graceful Restart Hello Delay is set to 10 seconds, that 10-second delay of hello packets is comfortably within the 40-second dead timer, so the adjacency will not time out during a graceful restart.
           - If p2mp is selected for Link Type interfaces, enter the neighbor IP addresses for all neighbors that are reachable through this interface.
        2. Click OK.

Step 6  Configure Areas - Virtual Links.
        1. On the Virtual Link tab, click Add and enter the following information for each virtual link to be included in the backbone area:
           - Name: Enter a name for the virtual link.
           - Neighbor ID: Enter the router ID of the router (neighbor) on the other side of the virtual link.
           - Transit Area: Enter the area ID of the transit area that physically contains the virtual link.
           - Enable: Select to enable the virtual link.
           - Timing: It is recommended that you keep the default timing settings.
           - Auth Profile: Select a previously defined authentication profile.
        2. Click OK.


Step 7  (Optional) Configure Auth Profiles.
        By default, the firewall does not use OSPF authentication for the exchange between OSPF neighbors. Optionally, you can configure OSPF authentication between OSPF neighbors using either a simple password or MD5 authentication.
        Simple Password OSPF authentication
        1. On the Auth Profiles tab, click Add.
        2. Enter a name for the authentication profile to authenticate OSPF messages.
        3. Select Simple Password as the Password Type.
        4. Enter a simple password and then confirm.
        MD5 OSPF authentication
        1. On the Auth Profiles tab, click Add.
        2. Enter a name for the authentication profile to authenticate OSPF messages.
        3. Select MD5 as the Password Type.
        4. Click Add.
        5. Enter one or more password entries, including:
           - Key-ID (range is 0-255)
           - Key
           Select the Preferred option to specify that the key be used to authenticate outgoing messages.
        6. Click OK.
        7. Click OK again in the Virtual Router - OSPF Auth Profile dialog box.
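The MD5 Auth Profiles in this step and in Step 5 of the RIP procedure both work from a list of Key-ID/Key entries with one entry marked Preferred for outgoing messages. The following added example (not PAN-OS code and not from the guide) shows that keyed-MD5 scheme in outline, following the construction of RFC 2328 Appendix D (OSPFv2) and RFC 2082 (RIPv2): the key is zero-padded to 16 bytes, appended to the message and digested, and only the digest travels with the message. The one-byte Key-ID framing, the omitted header fields and sequence number, and the sample keys and update text are simplifying assumptions.

```python
"""Keyed-MD5 authentication of routing messages, in outline.

Added illustration (not PAN-OS code, not from the guide). It follows the
cryptographic authentication of RFC 2328 Appendix D (OSPFv2) and RFC 2082
(RIPv2) in shape only: the shared key, named by a Key-ID, is zero-padded to
16 bytes and appended to the message, and the MD5 digest of that is carried
with the message. Packet header layout and the anti-replay sequence number
are left out (simplifying assumption).
"""
import hashlib
import hmac
from typing import Dict, Optional

KEY_LEN = 16  # RFC 2082 / RFC 2328 App. D: key is padded or truncated to 16 bytes


def _pad_key(key: bytes) -> bytes:
    return key[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def digest(message: bytes, key: bytes) -> bytes:
    """MD5 over message || padded key. The key itself is never transmitted,
    unlike the Simple Password type, which carries the password in the clear."""
    return hashlib.md5(message + _pad_key(key)).digest()


def sign(message: bytes, key_id: int, key: bytes) -> bytes:
    """Frame = Key-ID (1 byte) || message || 16-byte digest (constructed framing)."""
    if not 0 <= key_id <= 255:  # Key-ID range from the Auth Profile dialog
        raise ValueError("Key-ID must be in 0-255")
    return bytes([key_id]) + message + digest(message, key)


def verify(frame: bytes, keyring: Dict[int, bytes]) -> Optional[bytes]:
    """Return the message if its digest verifies under the key the frame names,
    else None. `keyring` holds the profile's password entries (Key-ID -> key):
    a receiver accepts any listed key, which is what lets two neighbors roll
    to a new key without an outage (add the new entry on both sides first,
    then mark it Preferred so it is used for outgoing messages)."""
    if len(frame) < 1 + KEY_LEN:
        return None
    key_id, body, tag = frame[0], frame[1:-KEY_LEN], frame[-KEY_LEN:]
    key = keyring.get(key_id)
    if key is None:
        return None  # unknown Key-ID: neighbor is not configured for this key
    # Constant-time compare; a plain == would leak timing on the tag.
    if not hmac.compare_digest(tag, digest(body, key)):
        return None
    return body


def preferred_key(keyring: Dict[int, bytes], preferred_id: Optional[int]) -> int:
    """Pick the Key-ID used for outgoing messages: the entry marked Preferred,
    or else the lowest Key-ID (assumption about the fallback order)."""
    if preferred_id is not None and preferred_id in keyring:
        return preferred_id
    return min(keyring)


# Constructed demonstration keyrings: one neighbor still has only the old key.
OLD_KEYRING = {1: b"old-shared-secret"}
NEW_KEYRING = {1: b"old-shared-secret", 2: b"new-shared-secret"}


def demo() -> Dict[str, bool]:
    update = b"RIPv2 update: 10.2.0.0/16 metric 3"  # constructed message
    kid = preferred_key(NEW_KEYRING, preferred_id=2)
    frame = sign(update, kid, NEW_KEYRING[kid])
    # Flip one byte inside the body to show the digest catches modification.
    tampered = frame[:-KEY_LEN - 4] + b"9" + frame[-KEY_LEN - 3:]
    return {
        "accepted_by_updated_peer": verify(frame, NEW_KEYRING) == update,
        "rejected_by_stale_peer": verify(frame, OLD_KEYRING) is None,
        "tampered_rejected": verify(tampered, NEW_KEYRING) is None,
        "wrong_key_same_id": verify(frame, {2: b"guess"}) is None,
    }
```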

Step 8  Configure Advanced OSPF options.
        1. On the Advanced tab, select RFC 1583 Compatibility to ensure compatibility with RFC 1583.
        2. Configure a value for the SPF Calculation Delay (sec) timer. This timer allows you to tune the delay time between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF re-convergence. Routers peering with the firewall should be tuned in a similar manner to optimize convergence times.
        3. Configure a value for the LSA Interval (sec) time. This timer specifies the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce re-convergence times when topology changes occur.


Configure OSPFv3

Configure OSPFv3

Step 1  Configure general virtual router configuration settings.
        See Virtual Routers for details.

Step 2  Configure general OSPF configuration settings.
        1. Select the OSPF tab.
        2. Select Enable to enable the OSPF protocol.
        3. Select Reject Default Route if you do not want to learn any default routes through OSPF. This is the recommended default setting.
        4. Clear Reject Default Route if you want to permit redistribution of default routes through OSPF.

Step 3  Configure general OSPFv3 configuration settings.
        1. Select the OSPFv3 tab.
        2. Select Enable to enable the OSPFv3 protocol.
        3. Select Reject Default Route if you do not want to learn any default routes through OSPFv3. This is the recommended default setting.
           Deselect Reject Default Route if you want to permit redistribution of default routes through OSPFv3.

Step 4  Configure Auth Profile for the OSPFv3 protocol.
        While OSPFv3 doesn't include any authentication capabilities of its own, it relies entirely on IPsec to secure communications between neighbors.
        When configuring an authentication profile, you must use Encapsulating Security Payload (ESP) or IPv6 Authentication Header (AH).
        ESP OSPFv3 authentication
        1. On the Auth Profiles tab, click Add.
        2. Enter a name for the authentication profile to authenticate OSPFv3 messages.
        3. Specify a Security Policy Index (SPI). The SPI must match between both ends of the OSPFv3 adjacency. The SPI number must be a hexadecimal value between 00000000 and FFFFFFFF.
        4. Select ESP for Protocol.
        5. Select a Crypto Algorithm from the drop-down. You can enter none or one of the following algorithms: SHA1, SHA256, SHA384, SHA512 or MD5.
        6. If a Crypto Algorithm other than none was selected, enter a value for Key and then confirm.


        AH OSPFv3 authentication
        1. On the Auth Profiles tab, click Add.
        2. Enter a name for the authentication profile to authenticate OSPFv3 messages.
        3. Specify a Security Policy Index (SPI). The SPI must match between both ends of the OSPFv3 adjacency. The SPI number must be a hexadecimal value between 00000000 and FFFFFFFF.
        4. Select AH for Protocol.
        5. Select a Crypto Algorithm from the drop-down. You must enter one of the following algorithms: SHA1, SHA256, SHA384, SHA512 or MD5.
        6. Enter a value for Key and then confirm.
        7. Click OK.
        8. Click OK again in the Virtual Router - OSPF Auth Profile dialog.

Step 5  Configure Areas - Type for the OSPF protocol.
        1. On the Areas tab, click Add.
        2. Enter an Area ID. This is the identifier that each neighbor must accept to be part of the same area.
        3. On the General tab, select one of the following from the area Type drop-down:
           - Normal: There are no restrictions; the area can carry all types of routes.
           - Stub: There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, configure the following:
             - Accept Summary: Link state advertisements (LSA) are accepted from other areas. If this option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
             - Advertise Default Route: Default route LSAs will be included in advertisements to the stub area along with a configured metric value in the configured range 1-255.
           - NSSA (Not-So-Stubby Area): The firewall can only leave the area by routes other than OSPF routes. If selected, configure Accept Summary and Advertise Default Route as described for Stub. If you select this option, configure the following:
             - Type: Select either Ext 1 or Ext 2 route type to advertise the default LSA.
             - Ext Ranges: Click Add in the section to enter ranges of external routes that you want to enable or suppress advertising for.


Step 6  Associate an OSPFv3 authentication profile to an area or an interface.
        To an Area
        1. On the Areas tab, select an existing area from the table.
        2. On the General tab, select a previously defined Authentication Profile from the Authentication drop-down.
        3. Click OK.
        To an Interface
        1. On the Areas tab, select an existing area from the table.
        2. Select the Interface tab and click Add.
        3. Select the authentication profile you want to associate with the OSPF interface from the Auth Profile drop-down.

Step 7  (Optional) Configure Export Rules.
        1. On the Export tab, click Add.
        2. Select Allow Redistribute Default Route to permit redistribution of default routes through OSPFv3.
        3. Select the name of a redistribution profile. The value must be an IP subnet or valid redistribution profile name.
        4. Select a metric to apply for New Path Type.
        5. Specify a New Tag for the matched route that has a 32-bit value.
        6. Assign a metric for the new rule (range is 1-65535).
        7. Click OK.

Step 8  Configure Advanced OSPFv3 options.
        1. On the Advanced tab, select Disable Transit Routing for SPF Calculation if you want the firewall to participate in OSPF topology distribution without being used to forward transit traffic.
        2. Configure a value for the SPF Calculation Delay (sec) timer. This timer allows you to tune the delay time between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF re-convergence. Routers peering with the firewall should be tuned in a similar manner to optimize convergence times.
        3. Configure a value for the LSA Interval (sec) time. This timer specifies the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce re-convergence times when topology changes occur.
        4. (Optional) Configure OSPF Graceful Restart.

Configure OSPF Graceful Restart

OSPF Graceful Restart directs OSPF neighbors to continue using routes through a device during a short transition when it is out of service. This behavior increases network stability by reducing the frequency of routing table reconfiguration and the related route flapping that can occur during short periodic downtimes.


For a Palo Alto Networks firewall, OSPF Graceful Restart involves the following operations:
- Firewall as a restarting device: In a situation where the firewall will be down for a short period of time or is unavailable for short intervals, it sends Grace LSAs to its OSPF neighbors. The neighbors must be configured to run in Graceful Restart Helper mode. In Helper Mode, the neighbors receive the Grace LSAs that inform them that the firewall will perform a graceful restart within a specified period of time defined as the Grace Period. During the grace period, the neighbor continues to forward routes through the firewall and to send LSAs that announce routes through the firewall. If the firewall resumes operation before expiration of the grace period, traffic forwarding will continue as before without network disruption. If the firewall does not resume operation after the grace period has expired, the neighbors will exit helper mode and resume normal operation, which will involve reconfiguring the routing table to bypass the firewall.
- Firewall as a Graceful Restart Helper: In a situation where neighboring routers may be down for short periods of time, the firewall can be configured to operate in Graceful Restart Helper mode. If configured in this mode, the firewall will be configured with a Max Neighbor Restart Time. When the firewall receives the Grace LSAs from its OSPF neighbor, it will continue to route traffic to the neighbor and advertise routes through the neighbor until either the grace period or max neighbor restart time expires. If neither expires before the neighbor returns to service, traffic forwarding continues as before without network disruption. If either period expires before the neighbor returns to service, the firewall will exit helper mode and resume normal operation, which will involve reconfiguring the routing table to bypass the neighbor.

Configure OSPF Graceful Restart

1. Select Network > Virtual Routers and select the virtual router you want to configure.
2. Select OSPF > Advanced.
3. Verify that the following are selected (they are enabled by default):
   - Enable Graceful Restart
   - Enable Helper Mode
   - Enable Strict LSA checking
   These should remain selected unless required by your topology.
4. Configure a Grace Period in seconds.
5. Configure a Max Neighbor Restart Time in seconds.

Confirm OSPF Operation

Once an OSPF configuration has been committed, you can use any of the following operations to confirm that OSPF is operating:
- View the Routing Table
- Confirm OSPF Adjacencies
- Confirm that OSPF Connections are Established


View the Routing Table

By viewing the routing table, you can see whether OSPF routes have been established. The routing table is accessible from either the web interface or the CLI. If you are using the CLI, use the following commands:
    show routing route
    show routing fib
The following procedure describes how to use the web interface to view the routing table.

View the Routing Table

1. Select Network > Virtual Routers and in the same row as the virtual router you are interested in, click the More Runtime Stats link.
2. Select Routing > Route Table and examine the Flags column of the routing table for routes that were learned by OSPF.

Confirm OSPF Adjacencies

By viewing the Neighbor tab as described in the following procedure, you can confirm that OSPF adjacencies have been established.

View the Neighbor Tab to Confirm OSPF Adjacencies

1. Select Network > Virtual Routers and in the same row as the virtual router you are interested in, click the More Runtime Stats link.
2. Select OSPF > Neighbor and examine the Status column to determine if OSPF adjacencies have been established.

Confirm that OSPF Connections are Established

By viewing the system log, you can confirm that OSPF connections have been established, as described in the following procedure:

Examine the System Log

1. Select Monitor > System and look for messages to confirm that OSPF adjacencies have been established.
2. Select OSPF > Neighbor and examine the Status column to determine if OSPF adjacencies have been established (are full).


BGP

Border Gateway Protocol (BGP) is the primary Internet routing protocol. BGP determines network reachability based on IP prefixes that are available within autonomous systems (AS), where an AS is a set of IP prefixes that a network provider has designated to be part of a single routing policy.

In the routing process, connections are established between BGP peers (or neighbors). If a route is permitted by the policy, it is stored in the routing information base (RIB). Each time the local firewall RIB is updated, the firewall determines the optimal routes and sends an update to the external RIB, if export is enabled.

Conditional advertisement is used to control how BGP routes are advertised. The BGP routes must satisfy conditional advertisement rules before being advertised to peers.

BGP supports the specification of aggregates, which combine multiple routes into a single route. During the aggregation process, the first step is to find the corresponding aggregation rule by performing a longest match that compares the incoming route with the prefix values for other aggregation rules.

For more information on BGP, refer to the How to Configure BGP TechNote.

The firewall provides a complete BGP implementation, which includes the following features:
- Specification of one BGP routing instance per virtual router.
- Routing policies based on route map to control import, export and advertisement, prefix-based filtering, and address aggregation.
- Advanced BGP features that include route reflector, AS confederation, route flap dampening, and graceful restart.
- IGP-BGP interaction to inject routes to BGP using redistribution profiles.

BGP configuration consists of the following elements:
- Per-routing-instance settings, which include basic parameters such as local route ID and local AS and advanced options such as path selection, route reflector, AS confederation, route flap, and dampening profiles.
- Authentication profiles, which specify the MD5 authentication key for BGP connections.
- Peer group and neighbor settings, which include neighbor address and remote AS and advanced options such as neighbor attributes and connections.
- Routing policy, which specifies rule sets that peer groups and peers use to implement imports, exports, conditional advertisements, and address aggregation controls.

Perform the following procedure to configure BGP.

Configure BGP

Step 1: Configure general virtual router configuration settings.
  See Virtual Routers for details.

Step 2: Configure standard BGP configuration settings.
  1. Select the BGP tab.
  2. Select Enable to enable the BGP protocol.
  3. For Router ID, assign an IP address to the virtual router.
  4. For AS Number, enter the number of the AS to which the virtual router belongs, based on the router ID. Range is 1-4294967295.


Step 3: Configure general BGP configuration settings.
  1. Select BGP > General.
  2. Select Reject Default Route to ignore any default routes that are advertised by BGP peers.
  3. Select Install Route to install BGP routes in the global routing table.
  4. Select Aggregate MED to enable route aggregation even when routes have different Multi-Exit Discriminator (MED) values.
  5. Enter a value for the Default Local Preference that specifies a value that can be used to determine preferences among different paths.
  6. Select one of the following values for the AS Format for interoperability purposes:
     - 2 Byte (default value)
     - 4 Byte
  7. Enable or disable each of the following values for Path Selection:
     - Always Compare MED: Enable this comparison to choose paths from neighbors in different autonomous systems.
     - Deterministic MED Comparison: Enable this comparison to choose between routes that are advertised by IBGP peers (BGP peers in the same autonomous system).
  8. Click Add to include a new authentication profile and configure the following settings:
     - Profile Name: Enter a name to identify the profile.
     - Secret/Confirm Secret: Enter and confirm a passphrase for BGP peer communications.


Step 4: (Optional) Configure BGP Advanced settings.
  1. On the Advanced tab, select Graceful Restart and configure the following timers:
     - Stale Route Time (sec): Specifies the length of time in seconds that a route can stay in the stale state (range is 1-3600; default is 120).
     - Local Restart Time (sec): Specifies the length of time in seconds that the local device waits to restart. This value is advertised to peers (range is 1-3600; default is 120).
     - Max Peer Restart Time (sec): Specifies the maximum length of time in seconds that the local device accepts as a grace period restart time for peer devices (range is 1-3600; default is 120).
  2. Specify an IPv4 identifier to represent the reflector cluster in the Reflector Cluster ID box.
  3. Specify the identifier for the AS confederation to be presented as a single AS to external BGP peers in the Confederation Member AS box.
  4. Click Add and enter the following information for each Dampening Profile that you want to configure, select Enable, and click OK:
     - Profile Name: Enter a name to identify the profile.
     - Cutoff: Specify a route withdrawal threshold above which a route advertisement is suppressed (range is 0.0-1000.0; default is 1.25).
     - Reuse: Specify a route withdrawal threshold below which a suppressed route is used again (range is 0.0-1000.0; default is 5).
     - Max Hold Time (sec): Specify the maximum length of time in seconds that a route can be suppressed, regardless of how unstable it has been (range is 0-3600 seconds; default is 900).
     - Decay Half Life Reachable (sec): Specify the length of time in seconds after which a route's stability metric is halved if the route is considered reachable (range is 0-3600 seconds; default is 300).
     - Decay Half Life Unreachable (sec): Specify the length of time in seconds after which a route's stability metric is halved if the route is considered unreachable (range is 0-3600; default is 300).
  5. Click OK.


Step 5: Configure the BGP peer group.
  1. Select the Peer Group tab and click Add.
  2. Enter a Name for the peer group and select Enable.
  3. Select Aggregated Confed AS Path to include a path to the configured aggregated confederation AS.
  4. Select Soft Reset with Stored Info to perform a soft reset of the firewall after updating the peer settings.
  5. Specify the type of peer or group from the Type drop-down and configure the associated settings (see below in this table for descriptions of Import Next Hop and Export Next Hop).
     - IBGP: Export Next Hop: Specify Original or Use self.
     - EBGP Confed: Export Next Hop: Specify Original or Use self.
     - IBGP Confed: Export Next Hop: Specify Original or Use self.
     - EBGP: Import Next Hop: Specify Original or Use self; Export Next Hop: Specify Resolve or Use self. Select Remove Private AS if you want to force BGP to remove private AS numbers.
  6. Click OK to save.

Step 6: Configure Import and Export rules.
  The import/export rules are used to import/export routes from/to other routers, for example, importing the default route from your Internet Service Provider.
  1. Select the Import tab, then click Add, enter a name in the Rules field, and select Enable.
  2. Click Add and select the Peer Group from which the routes will be imported.
  3. Click the Match tab and define the options used to filter routing information. You can also define the Multi-Exit Discriminator (MED) value and a next hop value to routers or subnets for route filtering. The MED option is an external metric that lets neighbors know about the preferred path into an AS. A lower value is preferred over a higher value.
  4. Click the Action tab and define the action that should occur (allow/deny) based on the filtering options defined in the Match tab. If Deny is selected, no further options need to be defined. If the Allow action is selected, define the other attributes.
  5. Click the Export tab and define export attributes, which are similar to the Import settings, but are used to control route information that is exported from the firewall to neighbors.
  6. Click OK to save.


Step 7: Configure conditional advertising, which allows you to control what route to advertise in the event that a different route is not available in the local BGP routing table (LocRIB), indicating a peering or reachability failure.
  This is useful in cases where you want to try to force routes to one AS over another, for example if you have links to the Internet through multiple ISPs and you want traffic to be routed to one provider instead of the other unless there is a loss of connectivity to the preferred provider.
  1. Select the Conditional Adv tab, click Add and enter a name in the Policy field.
  2. Select Enable.
  3. Click Add and in the Used By section enter the peer group(s) that will use the conditional advertisement policy.
  4. Select the Non Exist Filter tab and define the network prefix(es) of the preferred route. This specifies the route that you want to advertise, if it is available in the local BGP routing table. If a prefix is going to be advertised and matches a Non Exist filter, the advertisement will be suppressed.
  5. Select the Advertise Filters tab and define the prefix(es) of the route in the Local RIB routing table that should be advertised in the event that the route in the non-exist filter is not available in the local routing table. If a prefix is going to be advertised and does not match a Non Exist filter, the advertisement will occur.

Step 8: Configure aggregate options to summarize routes in the BGP configuration.
  BGP route aggregation is used to control how BGP aggregates addresses. Each entry in the table results in one aggregate address being created. This will result in an aggregate entry in the routing table when at least one or more specific route matching the address specified is learned.
  1. Select the Aggregate tab, click Add and enter a name for the aggregate address.
  2. In the Prefix field, enter the network prefix that will be the primary prefix for the aggregated prefixes.
  3. Select the Suppress Filters tab and define the attributes that will cause the matched routes to be suppressed.
  4. Select the Advertise Filters tab and define the attributes that will cause the matched routes to always be advertised to peers.

Step 9: Configure redistribution rules.
  This rule is used to redistribute host routes and unknown routes that are not on the local RIB to the peer routers.
  1. Select the Redist Rules tab and click Add.
  2. In the Name field, enter an IP subnet or select a redistribution profile. You can also configure a new redistribution profile from the drop-down if needed.
  3. Click Enable to enable the rule.
  4. In the Metric field, enter the route metric that will be used for the rule.
  5. In the Set Origin drop-down, select incomplete, igp, or egp.
  6. (Optional) Set MED, local preference, AS path limit and community values.
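The following is an added example, not code from the PAN-OS guide or from the firewall's BGP implementation. It models the two policy behaviours configured in Step 7 and Step 8: conditional advertisement (Non Exist Filter / Advertise Filters) and route aggregation, where an incoming route is matched to the aggregation rule with the longest-matching prefix and then checked against that rule's Suppress and Advertise filters. The Loc-RIB contents, rule names and prefixes are constructed; where both a Suppress and an Advertise filter match, the model lets Advertise win, following the guide's wording that such routes are always advertised.

```python
"""Model of BGP conditional advertisement and route aggregation as described
in the Configure BGP procedure (Step 7 and Step 8).

Added example, not code from the PAN-OS guide. Loc-RIB contents, rule names
and prefixes below are constructed sample data.
"""
from ipaddress import ip_network


def matches_any(prefix, filters):
    """True when prefix equals or lies inside any filter prefix."""
    net = ip_network(prefix)
    return any(net.subnet_of(ip_network(f)) for f in filters)


def conditional_advertise(loc_rib, non_exist, advertise):
    """Prefixes one Conditional Adv policy advertises for the given Loc-RIB.

    If any Non Exist prefix is present in the Loc-RIB (the preferred route is
    reachable), the policy advertises nothing. Otherwise every Loc-RIB prefix
    that matches an Advertise filter is advertised.
    """
    if any(matches_any(p, non_exist) for p in loc_rib):
        return []
    return [p for p in loc_rib if matches_any(p, advertise)]


def longest_match_rule(route, rules):
    """Name of the aggregation rule whose prefix is the longest match, or None."""
    net = ip_network(route)
    best, best_len = None, -1
    for name, rule in rules.items():
        agg = ip_network(rule["prefix"])
        if net.subnet_of(agg) and agg.prefixlen > best_len:
            best, best_len = name, agg.prefixlen
    return best


def aggregate(loc_rib, rules):
    """Apply aggregation rules; return (advertised, suppressed) prefix lists.

    rules: {name: {"prefix": str, "suppress": [str, ...], "advertise": [str, ...]}}
    An aggregate prefix is created once at least one more-specific route
    matching it is learned. Routes matching no rule are advertised unchanged.
    Assumption of this model: an Advertise filter match overrides Suppress.
    """
    advertised, suppressed, aggregates = [], [], set()
    for route in loc_rib:
        name = longest_match_rule(route, rules)
        if name is None:
            advertised.append(route)
            continue
        rule = rules[name]
        aggregates.add(rule["prefix"])            # aggregate entry now exists
        if matches_any(route, rule["advertise"]):
            advertised.append(route)              # Advertise filter: always sent
        elif matches_any(route, rule["suppress"]):
            suppressed.append(route)              # Suppress filter: withheld
        else:
            advertised.append(route)
    advertised.extend(sorted(aggregates))
    return advertised, suppressed


# Constructed sample data: 192.0.2.0/24 is learned from the preferred provider;
# 10.0.0.0/8 is the space that may be announced to the backup provider.
LOC_RIB = ["10.1.0.0/24", "10.1.1.0/24", "10.2.0.0/24", "10.3.0.0/24", "192.0.2.0/24"]
RULES = {
    "agg-10": {"prefix": "10.0.0.0/8", "suppress": ["10.0.0.0/8"], "advertise": ["10.2.0.0/16"]},
    "agg-10-1": {"prefix": "10.1.0.0/16", "suppress": [], "advertise": []},
}

if __name__ == "__main__":
    print(conditional_advertise(LOC_RIB, ["192.0.2.0/24"], ["10.0.0.0/8"]))
    backup_only = [p for p in LOC_RIB if p != "192.0.2.0/24"]
    print(conditional_advertise(backup_only, ["192.0.2.0/24"], ["10.0.0.0/8"]))
    print(aggregate(LOC_RIB, RULES))
```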


Session Settings and Timeouts

This section describes the global settings that affect TCP, UDP, and ICMPv6 sessions, in addition to IPv6, NAT64, NAT oversubscription, jumbo frame size, MTU, accelerated aging, and captive portal authentication. There is also a setting (Rematch Sessions) that allows you to apply newly configured security policies to sessions that are already in progress.

The first few topics below provide brief summaries of the Transport Layer of the OSI model, TCP, UDP, and ICMP. For more information about the protocols, refer to their respective RFCs. The remaining topics describe the session timeouts and settings.
- Transport Layer Sessions
- TCP
- UDP
- ICMP
- Configure Session Timeouts
- Configure Session Settings
- Prevent TCP Split Handshake Session Establishment

Transport Layer Sessions

A network session is an exchange of messages that occurs between two or more communication devices, lasting for some period of time. A session is established and is torn down when the session ends. Different types of sessions occur at three layers of the OSI model: the Transport layer, the Session layer, and the Application layer.

The Transport Layer operates at Layer 4 of the OSI model, providing reliable or unreliable, end-to-end delivery and flow control of data. Internet protocols that implement sessions at the Transport layer include Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

TCP

Transmission Control Protocol (TCP) (RFC 793) is one of the main protocols in the Internet Protocol (IP) suite, and is so prevalent that it is frequently referenced together with IP as TCP/IP. TCP is considered a reliable transport protocol because it provides error checking while transmitting and receiving segments, acknowledges segments received, and reorders segments that arrive in the wrong order. TCP also requests and provides retransmission of segments that were dropped. TCP is stateful and connection-oriented, meaning a connection between the sender and receiver is established for the duration of the session. TCP provides flow control of packets, so it can handle congestion over networks.

TCP performs a handshake during session setup to initiate and acknowledge a session. After the data is transferred, the session is closed in an orderly manner, where each side transmits a FIN packet and acknowledges it with an ACK packet. The handshake that initiates the TCP session is often a three-way handshake (an exchange of three messages) between the initiator and the listener, or it could be a variation, such as a four-way or five-way split handshake or a simultaneous open. The TCP Split Handshake Drop topic explains how to Prevent TCP Split Handshake Session Establishment.

Applications that use TCP as their transport protocol include Hypertext Transfer Protocol (HTTP), HTTP Secure (HTTPS), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Telnet, Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), and Secure Shell (SSH).

The following topics describe details of the PAN-OS implementation of TCP.
- TCP Half Closed and TCP Time Wait Timers
- Unverified RST Timer
- TCP Split Handshake Drop
- Maximum Segment Size (MSS)

TCP Half Closed and TCP Time Wait Timers

The TCP connection termination procedure uses a TCP Half Closed timer, which is triggered by the first FIN the firewall sees for a session. The timer is named TCP Half Closed because only one side of the connection has sent a FIN. A second timer, TCP Time Wait, is triggered by the second FIN or a RST.

If the firewall were to have only one timer triggered by the first FIN, a setting that was too short could prematurely close the half-closed sessions. Conversely, a setting that was too long would make the session table grow too much and possibly use up all of the sessions. Two timers allow you to have a relatively long TCP Half Closed timer and a short TCP Time Wait timer, thereby quickly aging fully closed sessions and controlling the size of the session table.

The following figure illustrates when the firewall's two timers are triggered during the TCP connection termination procedure.

The TCP Time Wait timer should be set to a value less than the TCP Half Closed timer for the following reasons:
- The longer time allowed after the first FIN is seen gives the opposite side of the connection time to fully close the session.
- The shorter Time Wait time is because there is no need for the session to remain open for a long time after the second FIN or a RST is seen. A shorter Time Wait time frees up resources sooner, yet still allows time for the firewall to see the final ACK and possible retransmission of other datagrams.

If you configure a TCP Time Wait timer to a value greater than the TCP Half Closed timer, the commit will be accepted, but in practice the TCP Time Wait timer will not exceed the TCP Half Closed value.

The timers can be set globally or per application. The global settings are used for all applications by default. If you configure TCP wait timers at the application level, they override the global settings.

Unverified RST Timer

If the firewall receives a Reset (RST) packet that cannot be verified (because it has an unexpected sequence number within the TCP window or it is from an asymmetric path), the Unverified RST timer controls the aging out of the session. It defaults to 30 seconds; the range is 1-600 seconds. The Unverified RST timer provides an additional security measure, explained in the second bullet below.

A RST packet will have one of three possible outcomes:
- A RST packet that falls outside the TCP window is dropped.
- A RST packet that falls inside the TCP window but does not have the exact expected sequence number is unverified and subject to the Unverified RST timer setting. This behavior helps prevent denial-of-service (DoS) attacks where the attacker tries to disrupt existing sessions by sending random RST packets to the firewall.
- A RST packet that falls within the TCP window and has the exact expected sequence number is subject to the TCP Time Wait timer setting.

TCP Split Handshake Drop

The Split Handshake option in a Zone Protection profile will prevent a TCP session from being established if the session establishment procedure does not use the well-known three-way handshake, but instead uses a variation, such as a four-way or five-way split handshake or a simultaneous open.

The Palo Alto Networks next-generation firewall correctly handles sessions and all Layer 7 processes for split handshake and simultaneous open session establishment without enabling the Split Handshake option. Nevertheless, the Split Handshake option (which causes a TCP split handshake drop) is made available. When the Split Handshake option is configured for a Zone Protection profile and that profile is applied to a zone, TCP sessions for interfaces in that zone must be established using the standard three-way handshake; variations are not allowed.

The Split Handshake option is disabled by default.

The following illustrates the standard three-way handshake used to establish a TCP session with a PAN-OS firewall between the initiator (typically a client) and the listener (typically a server).

The Split Handshake option is configured for a Zone Protection profile that is assigned to a zone. An interface that is a member of the zone drops any synchronization (SYN) packets sent from the server, preventing the following variations of handshakes. The letter A in the figure indicates the session initiator and B indicates the listener. Each numbered segment of the handshake has an arrow indicating the direction of the segment from the sender to the receiver, and each segment indicates the control bit(s) setting.

You can Prevent TCP Split Handshake Session Establishment.

Maximum Segment Size (MSS)

The maximum transmission unit (MTU) is a value indicating the largest number of bytes that can be transmitted in a single TCP packet. The MTU includes the length of headers, so the MTU minus the number of bytes in the headers equals the maximum segment size (MSS), which is the maximum number of data bytes that can be transmitted in a single packet.

A configurable MSS adjustment size (shown below) allows your firewall to pass traffic that has longer headers than the default setting allows. Encapsulation adds length to headers, so you would increase the MSS adjustment size to allow bytes, for example, to accommodate an MPLS header or tunneled traffic that has a VLAN tag.

If the DF (don't fragment) bit is set for a packet, it is especially helpful to have a larger MSS adjustment size and smaller MSS so that longer headers do not result in a packet length that exceeds the allowed MTU. If the DF bit were set and the MTU were exceeded, the larger packets would be dropped.

The firewall supports a configurable MSS adjustment size for IPv4 and IPv6 addresses on the following Layer 3 interface types: Ethernet, subinterfaces, Aggregated Ethernet (AE), VLAN, and loopback. The IPv6 MSS adjustment size applies only if IPv6 is enabled on the interface.

If IPv4 and IPv6 are enabled on an interface and the MSS Adjustment Size differs between the two IP address formats, the proper MSS value corresponding to the IP type is used for TCP traffic.

For IPv4 and IPv6 addresses, the firewall accommodates larger-than-expected TCP header lengths. In the case where a TCP packet has a larger header length than you planned for, the firewall chooses as the MSS adjustment size the larger of the following two values:
- The configured MSS adjustment size
- The sum of the length of the TCP header (20) + the length of IP headers in the TCP SYN

This behavior means that the firewall overrides the configured MSS adjustment size if necessary. For example, if you configure an MSS adjustment size of 42, you expect the MSS to equal 1458 (the default MTU size minus the adjustment size [1500-42]). However, the TCP packet has 4 extra bytes of IP options in the header, so the MSS adjustment size (20+20+4) equals 44, which is larger than the configured MSS adjustment size of 42. The resulting MSS is 1500-44=1456 bytes, smaller than you expected.

To configure the MSS adjustment size, see Step 8 in Configure Session Settings.
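The following is an added example, not code from the PAN-OS guide. It reads the actual header lengths (IPv4 IHL, TCP data offset) out of a constructed TCP SYN and applies the rule above: the adjustment used is the larger of the configured value and the sum of the TCP and IP header lengths in the SYN, and the MSS is the MTU minus that adjustment. The 1500-byte MTU and the default adjustments (40 for IPv4, 60 for IPv6) are the guide's values; the constructed packets, addresses and the assumption that an IPv6 header is followed directly by TCP (no extension headers) are this example's own.

```python
"""Effective TCP MSS under the PAN-OS MSS adjustment rule.

Added example, not code from the PAN-OS guide. Packets built here are
constructed sample data with zeroed checksums; IPv6 extension headers are
not walked (assumption of this example).
"""
import struct

DEFAULT_MTU = 1500
IPV4_DEFAULT_ADJUST = 40   # range 40-300 bytes
IPV6_DEFAULT_ADJUST = 60   # range 60-300 bytes


def header_lengths(packet):
    """Return (ip_header_len, tcp_header_len) in bytes for an IPv4/IPv6 TCP SYN."""
    version = packet[0] >> 4
    if version == 4:
        ip_len = (packet[0] & 0x0F) * 4          # IHL counts 32-bit words
    elif version == 6:
        ip_len = 40                              # fixed header, no extensions
    else:
        raise ValueError("not an IPv4 or IPv6 packet")
    tcp_len = (packet[ip_len + 12] >> 4) * 4     # TCP data offset, 32-bit words
    return ip_len, tcp_len


def effective_adjustment(configured, ip_len, tcp_len):
    """The firewall uses the larger of the configured size and the measured headers."""
    return max(configured, ip_len + tcp_len)


def effective_mss(packet, configured, mtu=DEFAULT_MTU):
    """MSS that results for this SYN: MTU minus the effective adjustment."""
    ip_len, tcp_len = header_lengths(packet)
    return mtu - effective_adjustment(configured, ip_len, tcp_len)


def _tcp_syn(tcp_options):
    """20-byte TCP header with SYN set, followed by any options."""
    assert len(tcp_options) % 4 == 0, "TCP options must pad to 32-bit words"
    data_offset = 5 + len(tcp_options) // 4
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                       data_offset << 4, 0x02, 65535, 0, 0) + tcp_options


def build_ipv4_syn(ip_options=b"", tcp_options=b""):
    """Constructed IPv4 SYN with DF set; ip_options grows the IHL beyond 20 bytes."""
    assert len(ip_options) % 4 == 0, "IP options must pad to 32-bit words"
    tcp = _tcp_syn(tcp_options)
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp),
                     0, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + ip_options + tcp


def build_ipv6_syn(tcp_options=b""):
    """Constructed IPv6 SYN: 40-byte fixed header followed directly by TCP."""
    tcp = _tcp_syn(tcp_options)
    src = bytes([0x20, 0x01, 0x0D, 0xB8] + [0] * 11 + [1])
    dst = bytes([0x20, 0x01, 0x0D, 0xB8] + [0] * 11 + [2])
    ip = struct.pack("!IHBB16s16s", 6 << 28, len(tcp), 6, 64, src, dst)
    return ip + tcp


if __name__ == "__main__":
    # The guide's worked case: configured 42, 4 bytes of IP options -> MSS 1456.
    syn = build_ipv4_syn(ip_options=b"\x01\x01\x01\x00")
    print(header_lengths(syn), effective_mss(syn, 42))
```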

UDP

User Datagram Protocol (UDP) (RFC 768) is another main protocol of the IP suite, and is an alternative to TCP. UDP is stateless and connectionless in that there is no handshake to set up a session, and no connection between the sender and receiver; the packets may take different routes to get to a single destination. UDP is considered an unreliable protocol because it does not provide acknowledgments, error checking, retransmission, or reordering of datagrams. Without the overhead required to provide those features, UDP has reduced latency and is faster than TCP. UDP is referred to as a best-effort protocol because there is no mechanism or guarantee to ensure that the data will arrive at its destination.

Although UDP uses a checksum for data integrity, it performs no error checking at the network interface level. Error checking is assumed to be unnecessary or is performed by the application rather than UDP itself. UDP has no mechanism to handle flow control of packets.

UDP is often used for applications that require faster speeds and time-sensitive, real-time delivery, such as Voice over IP (VoIP), streaming audio and video, and online games. UDP is transaction-oriented, so it is also used for applications that respond to small queries from many clients, such as Domain Name System (DNS) and Trivial File Transfer Protocol (TFTP).

ICMP

Internet Control Message Protocol (ICMP) (RFC 792) is another one of the main protocols of the Internet Protocol suite; it operates at the Network layer of the OSI model. ICMP is used for diagnostic and control purposes, to send error messages about IP operations, or messages about requested services or the reachability of a host or router. Network utilities such as traceroute and ping are implemented by using various ICMP messages.

ICMP is a connectionless protocol that does not open or maintain actual sessions. However, the ICMP messages between two devices can be considered a session.

Palo Alto Networks firewalls support ICMPv4 and ICMPv6. ICMPv4 and ICMPv6 error packets can be controlled by configuring a security policy for a zone, and selecting the icmp or ipv6-icmp application in the policy. Additionally, the ICMPv6 error packet rate can be controlled through the session settings, as described in the section Configure Session Settings.

ICMPv6 Rate Limiting

ICMPv6 rate limiting is a throttling mechanism to prevent flooding and DDoS attempts. The implementation employs an error packet rate and a token bucket, which work together to enable throttling and ensure that ICMP packets do not flood the network segments protected by the firewall.

First, the global ICMPv6 error packet rate controls the rate at which ICMP error packets are allowed through the firewall; the default is 100 packets per second; the range is 10 to 65535 packets per second. If the firewall reaches the ICMP error packet rate, then the token bucket comes into play and throttling occurs, as follows.

The concept of a logical token bucket controls the rate at which ICMP messages can be transmitted. The number of tokens in the bucket is configurable, and each token represents an ICMP message that can be sent. The token count is decremented each time an ICMP message is sent; when the bucket reaches zero tokens, no more ICMP messages can be sent until another token is added to the bucket. The default size of the token bucket is 100 tokens (packets); the range is 10 to 65535 tokens.

To change the default token bucket size or error packet rate, see the section Configure Session Settings.
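The following is an added example, not code from the PAN-OS guide, that models the two ICMPv6 rate-limiting knobs described above as a token bucket: the ICMPv6 Error Packet Rate is the number of tokens replenished per second (default 100, range 10-65535) and the ICMPv6 Token Bucket Size is the burst the bucket can hold (default 100, range 10-65535). The message timestamps are constructed sample data, and the continuous-refill strategy is this example's assumption; the guide documents the behaviour, not the firewall's internal implementation.

```python
"""Token-bucket model of PAN-OS ICMPv6 rate limiting.

Added example, not code from the PAN-OS guide. Refill strategy (continuous,
proportional to elapsed time) and the timestamps fed in are assumptions of
this model.
"""
from dataclasses import dataclass, field


@dataclass
class Icmpv6RateLimiter:
    error_packet_rate: int = 100     # ICMPv6 Error Packet Rate (per sec)
    bucket_size: int = 100           # ICMPv6 Token Bucket Size
    tokens: float = field(init=False, default=0.0)
    last_ts: float = field(init=False, default=0.0)

    def __post_init__(self):
        for name in ("error_packet_rate", "bucket_size"):
            if not 10 <= getattr(self, name) <= 65535:
                raise ValueError(f"{name} must be within 10-65535")
        self.tokens = float(self.bucket_size)   # bucket starts full

    def allow(self, ts):
        """Return True if an ICMPv6 error message at time ts (seconds) may be sent."""
        if ts < self.last_ts:
            raise ValueError("timestamps must be non-decreasing")
        refill = (ts - self.last_ts) * self.error_packet_rate
        self.tokens = min(float(self.bucket_size), self.tokens + refill)
        self.last_ts = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0              # one token consumed per message sent
            return True
        return False                        # bucket empty: message is throttled


def throttle(limiter, timestamps):
    """Feed message timestamps through the limiter; return (sent, throttled)."""
    sent = throttled = 0
    for ts in timestamps:
        if limiter.allow(ts):
            sent += 1
        else:
            throttled += 1
    return sent, throttled


if __name__ == "__main__":
    # Constructed burst: 150 error messages in the same instant, then 120 a second later.
    lim = Icmpv6RateLimiter()
    print(throttle(lim, [0.0] * 150))   # (100, 50): the bucket drains after 100
    print(throttle(lim, [1.0] * 120))   # (100, 20): one second refilled 100 tokens
```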

Configure Session Timeouts

A session timeout defines the duration of time for which PAN-OS maintains a session on the firewall after inactivity in the session. By default, when the session timeout for the protocol expires, PAN-OS closes the session.

On the firewall, you can define a number of timeouts for TCP, UDP, and ICMP sessions in particular. The Default timeout applies to any other type of session. All of these timeouts are global, meaning they apply to all of the sessions of that type on the firewall.

In addition to the global settings, you have the flexibility to define timeouts for an individual application in the Objects > Applications tab. The firewall applies application timeouts to an application that is in established state. When configured, timeouts for an application override the global TCP or UDP session timeouts.

Returning to the global settings, perform the optional tasks below if you need to change default values of the global session timeout settings for TCP, UDP, ICMP, Captive Portal authentication, or other types of sessions. All values are in seconds.

The defaults are optimal values. However, you can modify these according to your network needs. Setting a value too low could cause sensitivity to minor network delays and could result in a failure to establish connections with the firewall. Setting a value too high could delay failure detection.

Change Session Timeouts

Step 1: Access the Session Settings.
  Select Device > Setup > Session and edit the Session Timeouts.

Step 2: (Optional) Change miscellaneous timeouts.
  - Default: Maximum length of time that a non-TCP/UDP or non-ICMP session can be open without a response (range is 1-15999999; default is 30).
  - Discard Default: Maximum length of time that a non-TCP/UDP session remains open after PAN-OS denies a session based on security policies configured on the firewall (range is 1-15999999; default is 60).
  - Scan: Maximum length of time that any session remains open after it is considered inactive; an application is regarded as inactive when it exceeds the application trickling threshold defined for the application (range is 5-30; default is 10).
  - Captive Portal: Authentication session timeout for the Captive Portal web form. To access the requested content, the user must enter the authentication credentials in this form and be successfully authenticated (range is 1-15999999; default is 30).
    To define other Captive Portal timeouts, such as the idle timer and the expiration time before the user must be re-authenticated, select Device > User Identification > Captive Portal Settings. See Configure Captive Portal in User-ID.

Step 3: (Optional) Change TCP timeouts.
  - Discard TCP: Maximum length of time that a TCP session remains open after it is denied based on a security policy configured on the firewall. Default: 90. Range: 1-15999999.
  - TCP: Maximum length of time that a TCP session remains open without a response, after a TCP session is in the Established state (after the handshake is complete and/or data is being transmitted). Default: 3600. Range: 1-15999999.
  - TCP Handshake: Maximum length of time permitted between receiving the SYN-ACK and the subsequent ACK to fully establish the session. Default: 10. Range: 1-60.
  - TCP init: Maximum length of time permitted between receiving the SYN and SYN-ACK prior to starting the TCP handshake timer. Default: 5. Range: 1-60.
  - TCP Half Closed: Maximum length of time between receiving the first FIN and receiving the second FIN or a RST. Default: 120. Range: 1-604800.
  - TCP Time Wait: Maximum length of time after receiving the second FIN or a RST. Default: 15. Range: 1-600.
  - Unverified RST: Maximum length of time after receiving a RST that cannot be verified (the RST is within the TCP window but has an unexpected sequence number, or the RST is from an asymmetric path). Default: 30. Range: 1-600.
  See also the Scan timeout in the section (Optional) Change miscellaneous timeouts.

Step 4: (Optional) Change UDP timeouts.
  - Discard UDP: Maximum length of time that a UDP session remains open after it is denied based on a security policy configured on the firewall. Default: 60. Range: 1-15999999.
  - UDP: Maximum length of time that a UDP session remains open without a UDP response. Default: 30. Range: 1-15999999.
  See also the Scan timeout in the section (Optional) Change miscellaneous timeouts.

Step 5: (Optional) Change ICMP timeouts.
  - ICMP: Maximum length of time that an ICMP session can be open without an ICMP response. Default: 6. Range: 1-15999999.
  See also the Discard Default and Scan timeouts in the section (Optional) Change miscellaneous timeouts.

Step 6: Commit the changes.
  Click OK and Commit the changes.
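The following is an added example, not code from the PAN-OS guide, that models the TCP teardown timers described in TCP Half Closed and TCP Time Wait Timers and in Unverified RST Timer, using the defaults listed in Step 3 above (TCP Half Closed 120, TCP Time Wait 15, Unverified RST 30). It also applies the documented rule that a Time Wait value greater than Half Closed is accepted at commit but never exceeds Half Closed in practice. The segments and sequence numbers are constructed, and only one direction's expected sequence number and window is tracked, which is a simplification of this example.

```python
"""Model of PAN-OS TCP teardown timers: Half Closed, Time Wait, Unverified RST.

Added example, not code from the PAN-OS guide. Segments are constructed;
tracking a single direction's expected sequence number and window is a
simplification. age_out is the idle time after which the session ages out.
"""
from dataclasses import dataclass


@dataclass
class Timeouts:
    tcp_half_closed: int = 120   # seconds, range 1-604800
    tcp_time_wait: int = 15      # seconds, range 1-600
    unverified_rst: int = 30     # seconds, range 1-600

    def __post_init__(self):
        if not 1 <= self.tcp_half_closed <= 604800:
            raise ValueError("TCP Half Closed out of range")
        if not 1 <= self.tcp_time_wait <= 600:
            raise ValueError("TCP Time Wait out of range")
        if not 1 <= self.unverified_rst <= 600:
            raise ValueError("Unverified RST out of range")

    def effective_time_wait(self):
        """Commit accepts Time Wait > Half Closed, but it never exceeds Half Closed."""
        return min(self.tcp_time_wait, self.tcp_half_closed)


@dataclass
class Segment:
    flags: str   # control bits, e.g. "FIN/ACK", "RST", "ACK"
    seq: int


class Session:
    """Tracks which teardown timer governs an established session."""

    def __init__(self, timeouts, expected_seq, window):
        self.t = timeouts
        self.expected_seq = expected_seq    # exact sequence number expected next
        self.window = window                # receive window the firewall tracks
        self.fins_seen = 0
        self.state = "ESTABLISHED"
        self.age_out = None                 # seconds until the session is aged out

    def in_window(self, seq):
        return self.expected_seq <= seq < self.expected_seq + self.window

    def receive(self, seg):
        """Apply one segment; return the resulting state ("DROPPED" if discarded)."""
        bits = set(seg.flags.split("/"))
        if "RST" in bits:
            if not self.in_window(seg.seq):
                return "DROPPED"                              # outside window: discarded
            if seg.seq != self.expected_seq:
                self.state, self.age_out = "UNVERIFIED_RST", self.t.unverified_rst
            else:
                self.state, self.age_out = "TIME_WAIT", self.t.effective_time_wait()
        elif "FIN" in bits:
            self.fins_seen += 1
            if self.fins_seen == 1:
                self.state, self.age_out = "HALF_CLOSED", self.t.tcp_half_closed
            else:
                self.state, self.age_out = "TIME_WAIT", self.t.effective_time_wait()
        return self.state


def teardown_trace(timeouts, expected_seq, window, segments):
    """Run segments through one session; return [(state, age_out), ...]."""
    s = Session(timeouts, expected_seq, window)
    out = []
    for seg in segments:
        state = s.receive(seg)
        out.append((state, s.age_out if state != "DROPPED" else None))
    return out


if __name__ == "__main__":
    t = Timeouts()
    # Constructed orderly close: FIN, its ACK, then the second FIN.
    print(teardown_trace(t, 1000, 65535,
                         [Segment("FIN/ACK", 1000), Segment("ACK", 1001), Segment("FIN/ACK", 1001)]))
    # Constructed RSTs: out of window, in window but inexact, exact.
    print(teardown_trace(t, 1000, 65535,
                         [Segment("RST", 999), Segment("RST", 5000), Segment("RST", 1000)]))
```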

Configure Session Settings

This topic describes various settings for sessions other than timeout values. Perform these tasks if you need to change the default settings.

Configure Session Settings

Step 1: Change the session settings.
  Select Device > Setup > Session and edit the Session Settings.

Step 2: Specify whether to apply newly configured Security policy rules to sessions that are in progress.
  Select Rematch all sessions on config policy change to apply newly configured Security policy rules to sessions that are already in progress. This capability is enabled by default. If you clear this check box, any policy rule changes you make apply only to sessions initiated after you commit the policy change.
  For example, if a Telnet session started while an associated policy rule was configured that allowed Telnet, and you subsequently committed a policy change to deny Telnet, the firewall applies the revised policy to the current session and blocks it.

Step 3: Configure IPv6 settings.
  - ICMPv6 Token Bucket Size: Default: 100 tokens. See the section ICMPv6 Rate Limiting.
  - ICMPv6 Error Packet Rate (per sec): Default: 100. See the section ICMPv6 Rate Limiting.
  - Enable IPv6 Firewalling: Enables firewall capabilities for IPv6. All IPv6-based configurations are ignored if IPv6 is not enabled. Even if IPv6 is enabled for an interface, the IPv6 Firewalling setting must also be enabled for IPv6 to function.

Step 4: Enable jumbo frames and set the MTU.
  1. Select Enable Jumbo Frame to enable jumbo frame support on Ethernet interfaces. Jumbo frames have a maximum transmission unit (MTU) of 9216 bytes and are available on certain platforms.
  2. Set the Global MTU, depending on whether or not you enabled jumbo frames:
     - If you did not enable jumbo frames, the Global MTU defaults to 1500 bytes; the range is 576 to 1500 bytes.
     - If you enabled jumbo frames, the Global MTU defaults to 9192 bytes; the range is 9192 to 9216 bytes.
     If you enable jumbo frames and you have interfaces where the MTU is not specifically configured, those interfaces will automatically inherit the jumbo frame size. Therefore, before you enable jumbo frames, if you have any interface that you do not want to have jumbo frames, you must set the MTU for that interface to 1500 bytes or another value.

Step 5: Tune NAT session settings.
  - NAT64 IPv6 Minimum Network MTU: Sets the global MTU for IPv6 translated traffic. The default of 1280 bytes is based on the standard minimum MTU for IPv6 traffic.
  - NAT Oversubscription Rate: If NAT is configured to be Dynamic IP and Port (DIPP) translation, an oversubscription rate can be configured to multiply the number of times that the same translated IP address and port pair can be used concurrently. The rate is 1, 2, 4, or 8. The default setting is based on the firewall platform.
    - A rate of 1 means no oversubscription; each translated IP address and port pair can be used only once at a time.
    - If the setting is Platform Default, user configuration of the rate is disabled and the default oversubscription rate for the platform applies.
    Reducing the oversubscription rate decreases the number of source device translations, but provides higher NAT rule capacities.

Step 6: Tune accelerated aging settings.
  Select Accelerated Aging to enable faster aging-out of idle sessions. You can also change the threshold (%) and scaling factor:
  - Accelerated Aging Threshold: Percentage of the session table that is full when accelerated aging begins. The default is 80%. When the session table reaches this threshold (% full), PAN-OS applies the Accelerated Aging Scaling Factor to the aging calculations for all sessions.
  - Accelerated Aging Scaling Factor: Scaling factor used in the accelerated aging calculations. The default scaling factor is 2, meaning that the accelerated aging occurs at a rate twice as fast as the configured idle time. The configured idle time divided by 2 results in a faster timeout of one-half the time. To calculate the session's accelerated aging, PAN-OS divides the configured idle time (for that type of session) by the scaling factor to determine a shorter timeout. For example, if the scaling factor is 10, a session that would normally time out after 3600 seconds would time out 10 times faster (in 1/10 of the time), which is 360 seconds.
  Click OK.

Step 7: Enable buffering of multicast route setup packets.
  1. Select Multicast Route Setup Buffering to enable the firewall to preserve the first packet in a multicast session when the multicast route or forwarding information base (FIB) entry does not yet exist for the corresponding multicast group. By default, the firewall does not buffer the first multicast packet in a new session; instead, it uses the first packet to set up the multicast route. This is expected behavior for multicast traffic. You only need to enable multicast route setup buffering if your content servers are directly connected to the firewall and your custom application cannot withstand the first packet in the session being dropped. This option is disabled by default.
  2. If you enable buffering, you can also tune the Buffer Size, which specifies the buffer size per flow. The firewall can buffer a maximum of 5,000 packets.
     You can also tune the duration, in seconds, for which a multicast route remains in the routing table on the firewall after the session ends by configuring the multicast settings on the virtual router that handles the multicast traffic (set the Multicast Route Age Out Time (sec) on the Multicast > Advanced tab in the virtual router configuration).

Step 8: Tune the Maximum Segment Size (MSS) adjustment size settings for a Layer 3 interface.
  1. Select Network > Interfaces, select Ethernet, VLAN, or Loopback, and select a Layer 3 interface.
  2. Select Advanced.
  3. Select Other Info.
  4. Select Adjust TCP MSS and enter a value for one or both of the following:
     - IPv4 MSS Adjustment Size (range is 40-300 bytes; default is 40 bytes).
     - IPv6 MSS Adjustment Size (range is 60-300 bytes; default is 60 bytes).
  5. Click OK.

Step 9: Save the changes.
  Click Commit.

Prevent TCP Split Handshake Session Establishment

You can configure a TCP Split Handshake Drop in a Zone Protection profile to prevent TCP sessions from being established unless they use the standard three-way handshake. This task assumes that you assigned a security zone for the interface where you want to prevent TCP split handshakes from establishing a session.

Configure a Zone Protection Profile to Prevent TCP Split Handshake Sessions

Step 1: Configure a Zone Protection profile to prevent TCP sessions that use anything other than a three-way handshake to establish a session.
  1. Select Network > Network Profiles > Zone Protection and click Add to create a new profile (or select an existing profile).
  2. If creating a new profile, enter a Name for the profile and an optional Description.
  3. Select Packet Based Attack Protection > TCP Drop and select Split Handshake.
  4. Click OK.

Step 2: Apply the profile to one or more security zones.
  1. Select Network > Zones and select the zone where you want to assign the zone protection profile.
  2. In the Zone window, from the Zone Protection Profile drop-down, select the profile you configured in Step 1. Alternatively, you could start creating a new profile here by clicking Zone Protection Profile, in which case you would continue accordingly.
  3. Click OK.
  4. (Optional) Repeat steps 1-3 to apply the profile to additional zones.

Step 3: Save the configuration.
  Click OK and Commit.
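The following is an added example, not code from the PAN-OS guide, that models what the Split Handshake option enabled by this procedure does, as described in TCP Split Handshake Drop: the first SYN names the initiator (A), and any later SYN without ACK that comes from the listener (B) is dropped, so four-way and five-way split handshakes and simultaneous opens cannot complete while the standard three-way handshake passes unchanged. The handshake traces are constructed, only the SYN and ACK control bits are modelled, and how the endpoints would react to the dropped segment is not simulated.

```python
"""Model of the Zone Protection "Split Handshake" drop.

Added example, not code from the PAN-OS guide. Handshake traces are
constructed sample data; each segment is (sender, receiver, control bits)
with A as the initiator and B as the listener.
"""

THREE_WAY = [("A", "B", "SYN"), ("B", "A", "SYN/ACK"), ("A", "B", "ACK")]
FOUR_WAY_SPLIT = [("A", "B", "SYN"), ("B", "A", "SYN"),
                  ("A", "B", "SYN/ACK"), ("B", "A", "ACK")]
FIVE_WAY_SPLIT = [("A", "B", "SYN"), ("B", "A", "ACK"), ("B", "A", "SYN"),
                  ("A", "B", "SYN/ACK"), ("B", "A", "ACK")]
SIMULTANEOUS_OPEN = [("A", "B", "SYN"), ("B", "A", "SYN"),
                     ("A", "B", "SYN/ACK"), ("B", "A", "SYN/ACK")]


def zone_forward(segments, split_handshake_drop):
    """Segments the zone forwards; with the option off, everything passes."""
    if not split_handshake_drop:
        return list(segments)
    initiator, forwarded = None, []
    for sender, receiver, flags in segments:
        bits = set(flags.split("/"))
        if initiator is None and "SYN" in bits:
            initiator = sender                   # the first SYN identifies A
        if sender != initiator and "SYN" in bits and "ACK" not in bits:
            continue                             # SYN from the listener: dropped
        forwarded.append((sender, receiver, flags))
    return forwarded


def session_established(forwarded):
    """True once each side's SYN has been acknowledged by a later segment from its peer."""
    syn_index = {}          # side -> position of its first forwarded SYN
    acked = set()
    for i, (sender, receiver, flags) in enumerate(forwarded):
        bits = set(flags.split("/"))
        if "SYN" in bits and sender not in syn_index:
            syn_index[sender] = i
        if "ACK" in bits and receiver in syn_index and syn_index[receiver] < i:
            acked.add(receiver)
    return len(acked) == 2


def handshake_outcome(segments, split_handshake_drop):
    """Does this handshake establish a session through the zone?"""
    return session_established(zone_forward(segments, split_handshake_drop))


if __name__ == "__main__":
    for name, trace in (("three-way", THREE_WAY), ("four-way split", FOUR_WAY_SPLIT),
                        ("five-way split", FIVE_WAY_SPLIT), ("simultaneous open", SIMULTANEOUS_OPEN)):
        print(f"{name:18} option off: {handshake_outcome(trace, False)}  "
              f"option on: {handshake_outcome(trace, True)}")
```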


DHCP

This section describes Dynamic Host Configuration Protocol (DHCP) and the tasks required to configure an interface on a Palo Alto Networks firewall to act as a DHCP server, client, or relay agent. By assigning these roles to different interfaces, the firewall can perform multiple roles.
- DHCP Overview
- Firewall as a DHCP Server and Client
- DHCP Messages
- DHCP Addressing
- DHCP Options
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCP Client
- Configure the Management Interface as a DHCP Client
- Configure an Interface as a DHCP Relay Agent
- Monitor and Troubleshoot DHCP

DHCP Overview

DHCP is a standardized protocol defined in RFC 2131, Dynamic Host Configuration Protocol. DHCP has two main purposes: to provide TCP/IP and link-layer configuration parameters and to provide network addresses to dynamically configured hosts on a TCP/IP network.
DHCP uses a client-server model of communication. This model consists of three roles that the device can fulfill: DHCP client, DHCP server, and DHCP relay agent.
- A device acting as a DHCP client (host) can request an IP address and other configuration settings from a DHCP server. Users on client devices save configuration time and effort, and need not know the network's addressing plan or other resources and options they are inheriting from the DHCP server.
- A device acting as a DHCP server can service clients. By using any of three DHCP Addressing mechanisms, the network administrator saves configuration time and has the benefit of reusing a limited number of IP addresses when a client no longer needs network connectivity. The server can deliver IP addressing and many DHCP options to many clients.
- A device acting as a DHCP relay agent transmits DHCP messages between DHCP clients and servers.
DHCP uses User Datagram Protocol (UDP), RFC 768, as its transport protocol. DHCP messages that a client sends to a server are sent to well-known port 67 (UDP Bootstrap Protocol and DHCP). DHCP messages that a server sends to a client are sent to port 68.
An interface on a Palo Alto Networks firewall can perform the role of a DHCP server, client, or relay agent. The interface of a DHCP server or relay agent must be a Layer 3 Ethernet, Aggregated Ethernet, or Layer 3 VLAN interface. You configure the firewall's interfaces with the appropriate settings for any combination of roles. The behavior of each role is summarized in Firewall as a DHCP Server and Client.
The firewall supports DHCPv4 Server and DHCPv6 Relay. However, a single interface cannot support both DHCPv4 Server and DHCPv6 Relay.


The Palo Alto Networks implementations of DHCP server and DHCP client support IPv4 addresses only. Its DHCP relay implementation supports IPv4 and IPv6. DHCP client is not supported in High Availability active/active mode.

Firewall as a DHCP Server and Client

The firewall can function as a DHCP server and as a DHCP client. Dynamic Host Configuration Protocol, RFC 2131, is designed to support IPv4 and IPv6 addresses. The Palo Alto Networks implementation of DHCP server supports IPv4 addresses only.
The firewall DHCP server operates in the following manner:
- When the DHCP server receives a DHCPDISCOVER message from a client, the server replies with a DHCPOFFER message containing all of the predefined and user-defined options in the order they appear in the configuration. The client selects the options it needs and responds with a DHCPREQUEST message.
- When the server receives a DHCPREQUEST message from a client, the server replies with its DHCPACK message containing only the options specified in the request.
The firewall DHCP Client operates in the following manner:
- When the DHCP client receives a DHCPOFFER from the server, the client automatically caches all of the options offered for future use, regardless of which options it had sent in its DHCPREQUEST.
- By default and to save memory consumption, the client caches only the first value of each option code if it receives multiple values for a code.
- There is no maximum length for DHCP messages unless the DHCP client specifies a maximum in option 57 in its DHCPDISCOVER or DHCPREQUEST messages.

DHCP Messages

DHCP uses eight standard message types, which are identified by an option type number in the DHCP message. For example, when a client wants to find a DHCP server, it broadcasts a DHCPDISCOVER message on its local physical subnetwork. If there is no DHCP server on its subnet and if DHCP Helper or DHCP Relay is configured properly, the message is forwarded to DHCP servers on a different physical subnet. Otherwise, the message will go no further than the subnet on which it originated. One or more DHCP servers will respond with a DHCPOFFER message that contains an available network address and other configuration parameters.
When the client needs an IP address, it sends a DHCPREQUEST to one or more servers. Of course if the client is requesting an IP address, it doesn't have one yet, so RFC 2131 requires that the broadcast message the client sends out have a source address of 0 in its IP header.
When a client requests configuration parameters from a server, it might receive responses from more than one server. Once a client has received its IP address, it is said that the client has at least an IP address and possibly other configuration parameters bound to it. DHCP servers manage such binding of configuration parameters to clients.
The following table lists the DHCP messages.


DHCP Message    Description

DHCPDISCOVER    Client broadcast to find available DHCP servers.

DHCPOFFER       Server response to client's DHCPDISCOVER, offering configuration parameters.

DHCPREQUEST     Client message to one or more servers to do any of the following:
                - Request parameters from one server and implicitly decline offers from other servers.
                - Confirm that a previously allocated address is correct after, for example, a system reboot.
                - Extend the lease of a network address.

DHCPACK         Server-to-client acknowledgment message containing configuration parameters, including a confirmed network address.

DHCPNAK         Server-to-client negative acknowledgment indicating the client's understanding of the network address is incorrect (for example, if the client has moved to a new subnet), or a client's lease has expired.

DHCPDECLINE     Client-to-server message indicating the network address is already being used.

DHCPRELEASE     Client-to-server message giving up the use of the network address and canceling the remaining time on the lease.

DHCPINFORM      Client-to-server message requesting only local configuration parameters; client has an externally configured network address.

DHCP Addressing

- DHCP Address Allocation Methods
- DHCP Leases

DHCP Address Allocation Methods

There are three ways that a DHCP server either assigns or sends an IP address to a client:
- Automatic allocation - The DHCP server assigns a permanent IP address to a client from its IP Pools. On the firewall, a Lease specified as Unlimited means the allocation is permanent.
- Dynamic allocation - The DHCP server assigns a reusable IP address from IP Pools of addresses to a client for a maximum period of time, known as a lease. This method of address allocation is useful when the customer has a limited number of IP addresses; they can be assigned to clients who need only temporary access to the network. See the DHCP Leases section.
- Static allocation - The network administrator chooses the IP address to assign to the client and the DHCP server sends it to the client. A static DHCP allocation is permanent; it is done by configuring a DHCP server and choosing a Reserved Address to correspond to the MAC Address of the client device. The DHCP assignment remains in place even if the client logs off, reboots, has a power outage, etc.


  Static allocation of an IP address is useful, for example, if you have a printer on a LAN and you do not want its IP address to keep changing, because it is associated with a printer name through DNS. Another example is if a client device is used for something crucial and must keep the same IP address, even if the device is turned off, unplugged, rebooted, or a power outage occurs, etc.
  Keep these points in mind when configuring a Reserved Address:
  - It is an address from the IP Pools. You may configure multiple reserved addresses.
  - If you configure no Reserved Address, the clients of the server will receive new DHCP assignments from the pool when their leases expire or if they reboot, etc. (unless you specified that a Lease is Unlimited).
  - If you allocate all of the addresses in the IP Pools as a Reserved Address, there are no dynamic addresses free to assign to the next DHCP client requesting an address.
  - You may configure a Reserved Address without configuring a MAC Address. In this case, the DHCP server will not assign the Reserved Address to any device. You might reserve a few addresses from the pool and statically assign them to a fax and printer, for example, without using DHCP.

DHCP Leases

A lease is defined as the time period for which a DHCP server allocates a network address to a client. The lease might be extended (renewed) upon subsequent requests. If the client no longer needs the address, it can release the address back to the server before the lease is up. The server is then free to assign that address to a different client if it has run out of unassigned addresses.
The lease period configured for a DHCP server applies to all of the addresses that a single DHCP server (interface) dynamically assigns to its clients. That is, all of that interface's addresses assigned dynamically are of Unlimited duration or have the same Timeout value. A different DHCP server configured on the firewall may have a different lease term for its clients. A Reserved Address is a static address allocation and is not subject to the lease terms.
Per the DHCP standard, RFC 2131, a DHCP client does not wait for its lease to expire, because it risks getting a new address assigned to it. Instead, when a DHCP client reaches the halfway point of its lease period, it attempts to extend its lease so that it retains the same IP address. Thus, the lease duration is like a sliding window.
Typically if an IP address was assigned to a device, the device was subsequently taken off the network and its lease was not extended, the DHCP server will let that lease run out. Because the client is gone from the network and no longer needs the address, the lease duration in the server is reached and the lease is in Expired state.
The firewall has a hold timer that prevents the expired IP address from being reassigned immediately. This behavior temporarily reserves the address for the device in case it comes back onto the network. But if the address pool runs out of addresses, the server reallocates this expired address before the hold timer expires. Expired addresses are cleared automatically as the system needs more addresses or when the hold timer releases them.
In the CLI, use the show dhcp server lease operational command to view lease information about the allocated IP addresses. If you do not want to wait for expired leases to be released automatically, you can use the clear dhcp lease interface <value> expired-only command to clear expired leases, making those addresses available in the pool again. You can use the clear dhcp lease interface <value> ip <ip> command to release a particular IP address. Use the clear dhcp lease interface <value> mac <mac_address> command to release a particular MAC address.
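A simulation of the lease lifecycle described in this section and in DHCP Address Allocation Methods, as an added Python example that is not PAN-OS code: dynamic and Unlimited leases, Reserved Addresses with and without a MAC, the optional ping before allocation, client renewal at the halfway point, the Expired state with a hold timer, reallocation of an expired address when the pool is exhausted, and an expired-only clear. Pool addresses, MAC addresses and timer values are constructed; the firewall's real data structures are not known and the ones here are an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

UNLIMITED = None   # Lease type "Unlimited": the allocation is permanent


def expand_range(spec: str) -> List[str]:
    """Expand an IP Pools range such as '192.168.1.10-192.168.1.20'."""
    lo, hi = (ipaddress.IPv4Address(p) for p in spec.split("-"))
    return [str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1)]


@dataclass
class Lease:
    ip: str
    mac: str
    start: int                     # seconds, supplied by the caller (deterministic)
    timeout: Optional[int]         # None = Unlimited
    state: str = "committed"       # committed | expired | reserved

    def expires_at(self) -> Optional[int]:
        return None if self.timeout is UNLIMITED else self.start + self.timeout


class DhcpServerInterface:
    """One DHCP server (interface): a single lease Timeout applies to every
    address it assigns dynamically; Reserved Addresses are static."""

    def __init__(self, pool: List[str], timeout: Optional[int], hold_timer: int,
                 reserved: Optional[Dict[str, Optional[str]]] = None,
                 ping: Optional[Callable[[str], bool]] = None):
        self.pool = list(pool)
        self.timeout = timeout
        self.hold_timer = hold_timer
        # Reserved Address -> MAC. With no MAC the address is never handed out.
        self.reserved = dict(reserved or {})
        # "Ping IP when allocating new IP": True means another device answered.
        self.ping = ping or (lambda ip: False)
        self.leases: Dict[str, Lease] = {}

    def _refresh(self, now: int) -> None:
        for lease in self.leases.values():
            exp = lease.expires_at()
            if lease.state == "committed" and exp is not None and now >= exp:
                lease.state = "expired"     # kept for the hold timer, not freed yet

    def request(self, mac: str, now: int) -> Optional[str]:
        """DHCPREQUEST from `mac`: returns the address granted, or None."""
        self._refresh(now)
        for ip, r_mac in self.reserved.items():       # static allocation
            if r_mac == mac:
                self.leases[ip] = Lease(ip, mac, now, UNLIMITED, "reserved")
                return ip
        for lease in self.leases.values():             # renewal, or return within hold
            if lease.mac == mac and lease.state in ("committed", "expired"):
                lease.start, lease.state = now, "committed"
                return lease.ip
        held: List[str] = []
        for ip in self.pool:                           # dynamic allocation
            if ip in self.reserved:
                continue
            lease = self.leases.get(ip)
            if lease is not None and lease.state != "expired":
                continue
            if lease is not None and now < lease.expires_at() + self.hold_timer:
                held.append(ip)                        # expired but inside hold timer
                continue
            if self.ping(ip):
                continue                               # in use by a different device
            self.leases[ip] = Lease(ip, mac, now, self.timeout)
            return ip
        # Pool exhausted: reallocate an expired address before its hold timer ends.
        for ip in held:
            if not self.ping(ip):
                self.leases[ip] = Lease(ip, mac, now, self.timeout)
                return ip
        return None

    def should_renew(self, mac: str, now: int) -> bool:
        """RFC 2131 client side: renew once the halfway point of the lease is reached."""
        for lease in self.leases.values():
            if lease.mac == mac and lease.state == "committed" and lease.timeout is not UNLIMITED:
                return now >= lease.start + lease.timeout // 2
        return False

    def clear_expired(self, now: int) -> int:
        """Like 'clear dhcp lease interface <name> expired-only': free expired addresses now."""
        self._refresh(now)
        expired = [ip for ip, lease in self.leases.items() if lease.state == "expired"]
        for ip in expired:
            del self.leases[ip]
        return len(expired)
```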


DHCP Options

The history of DHCP and DHCP options traces back to the Bootstrap Protocol (BOOTP). BOOTP was used by a host to configure itself dynamically during its booting procedure. A host could receive an IP address and a file from which to download a boot program from a server, along with the server's address and the address of an Internet gateway.
Included in the BOOTP packet was a vendor information field, which could contain a number of tagged fields containing various types of information, such as the subnet mask, the BOOTP file size, and many other values. RFC 1497 describes the BOOTP Vendor Information Extensions. DHCP replaces BOOTP; BOOTP is not supported on the firewall.
These extensions eventually expanded with the use of DHCP and DHCP host configuration parameters, also known as options. Similar to vendor extensions, DHCP options are tagged data items that provide information to a DHCP client. The options are sent in a variable-length field at the end of a DHCP message. For example, the DHCP Message Type is option 53, and a value of 1 indicates the DHCPDISCOVER message. DHCP options are defined in RFC 2132, DHCP Options and BOOTP Vendor Extensions.
A DHCP client can negotiate with the server, limiting the server to send only those options that the client requests.
- Predefined DHCP Options
- Multiple Values for a DHCP Option
- DHCP Options 43, 55, and 60 and Other Customized Options

Predefined DHCP Options

Palo Alto Networks firewalls support user-defined and predefined DHCP options in the DHCP server implementation. Such options are configured on the DHCP server and sent to the clients that sent a DHCPREQUEST to the server. The clients are said to inherit and implement the options that they are programmed to accept.
The firewall supports the following predefined options on its DHCP servers, shown in the order in which they appear on the DHCP Server configuration screen:

DHCP Option    DHCP Option Name

51             Lease duration

3              Gateway

1              IP Pool Subnet (mask)

6              Domain Name System (DNS) server address (primary and secondary)

44             Windows Internet Name Service (WINS) server address (primary and secondary)

41             Network Information Service (NIS) server address (primary and secondary)

42             Network Time Protocol (NTP) server address (primary and secondary)

70             Post Office Protocol Version 3 (POP3) server address

69             Simple Mail Transfer Protocol (SMTP) server address

15             DNS suffix

As mentioned, you can also configure vendor-specific and customized options, which support a wide variety of office equipment, such as IP phones and wireless infrastructure devices. Each option code supports multiple values, which can be IP address, ASCII, or hexadecimal format. With the firewall's enhanced DHCP option support, branch offices do not need to purchase and manage their own DHCP servers in order to provide vendor-specific and customized options to DHCP clients.

Multiple Values for a DHCP Option

You can enter multiple option values for an Option Code with the same Option Name, but all values for a particular code and name combination must be the same type (IP address, ASCII, or hexadecimal). If one type is inherited or entered, and later a different type is entered for the same code and name combination, the second type will overwrite the first type.
You can enter an Option Code more than once by using a different Option Name. In this case, the Option Type for the Option Code can differ among the multiple option names. For example, if option CoastalServer (option code 6) is configured with IP address type, option ServerXYZ (option code 6) with ASCII type is also allowed.
The firewall sends multiple values for an option (strung together) to a client in order from top to bottom. Therefore, when entering multiple values for an option, enter the values in the order of preference, or else move the options to achieve your preferred order in the list. The order of options in the firewall configuration determines the order that the options appear in DHCPOFFER and DHCPACK messages.
You can enter an option code that already exists as a predefined option code, and the customized option code will override the predefined DHCP option; the firewall issues a warning.

DHCP Options 43, 55, and 60 and Other Customized Options

The following table describes the option behavior for several options described in RFC 2132.

Option Code   Option Name                      Option Description/Behavior

43            Vendor-Specific Information      Sent from server to client. Vendor-specific information that the DHCP server has been configured to offer to the client. The information is sent to the client only if the server has a Vendor Class Identifier (VCI) in its table that matches the VCI in the client's DHCPREQUEST.
                                               An Option 43 packet can contain multiple vendor-specific pieces of information. It can also include encapsulated, vendor-specific extensions of data.

55            Parameter Request List           Sent from client to server. List of configuration parameters (option codes) that a DHCP client is requesting, possibly in order of the client's preference. The server tries to respond with options in the same order.


60            Vendor Class Identifier (VCI)    Sent from client to server. Vendor type and configuration of a DHCP client. The DHCP client sends option code 60 in a DHCPREQUEST to the DHCP server. When the server receives option 60, it sees the VCI, finds the matching VCI in its own table, and then it returns option 43 with the value (that corresponds to the VCI), thereby relaying vendor-specific information to the correct client. Both the client and server have knowledge of the VCI.

You can send custom, vendor-specific option codes that are not defined in RFC 2132. The option codes can be in the range 1-254 and of fixed or variable length.

Custom DHCP options are not validated by the DHCP Server; you must ensure that you enter correct values for the options you create.

For ASCII and hexadecimal DHCP option types, the option value can be a maximum of 255 octets.
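The option handling described in DHCP Options, Multiple Values for a DHCP Option and the table above, as an added Python example that is not Palo Alto Networks code: the tagged option field of RFC 2132 with its one-octet length (hence the 255-octet limit), several values of one option strung together in configured order, a DHCPACK built only from the codes the client listed in option 55 and in that order, and option 43 returned only when the client's option 60 VCI matches a configured one. The server options, the VCI string and the requested codes are constructed sample data.

```python
from typing import Dict, List, Tuple

MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that opens the options field
PAD, END = 0, 255             # RFC 2132 single-octet options with no length
MAX_OPTION_LEN = 255          # one-octet length field: the 255-octet limit above

MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
                 4: "DHCPDECLINE", 5: "DHCPACK", 6: "DHCPNAK",
                 7: "DHCPRELEASE", 8: "DHCPINFORM"}


def encode_value(opt_type: str, values: List[str]) -> bytes:
    """Serialize the values entered for one option (IP Address, ASCII or
    Hexadecimal, all of one type), strung together in the order given."""
    if opt_type == "IP Address":
        data = b"".join(bytes(int(o) for o in v.split(".")) for v in values)
    elif opt_type == "ASCII":
        data = "".join(values).encode("ascii")
    elif opt_type == "Hexadecimal":
        # Hexadecimal values carry the 0x prefix in the configuration.
        data = b"".join(bytes.fromhex(v[2:] if v.startswith("0x") else v) for v in values)
    else:
        raise ValueError(f"unknown option type {opt_type!r}")
    if len(data) > MAX_OPTION_LEN:
        raise ValueError(f"option value is {len(data)} octets; maximum is {MAX_OPTION_LEN}")
    return data


def encode_options(options: List[Tuple[int, bytes]]) -> bytes:
    """Build the tagged options field: cookie, code/length/data triples, END."""
    out = bytearray(MAGIC)
    for code, data in options:
        if not 1 <= code <= 254:
            raise ValueError(f"option code {code} outside 1-254")
        if len(data) > MAX_OPTION_LEN:
            raise ValueError(f"option {code} too long")
        out += bytes([code, len(data)]) + data
    out.append(END)
    return bytes(out)


def decode_options(buf: bytes) -> List[Tuple[int, bytes]]:
    """Parse the options field; skips PAD, stops at END and rejects a
    length octet that points past the end of the message."""
    if not buf.startswith(MAGIC):
        raise ValueError("missing DHCP magic cookie")
    i, opts = len(MAGIC), []
    while i < len(buf):
        code = buf[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        data = buf[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code}: length {length} runs past the message")
        opts.append((code, data))
        i += 2 + length
    return opts


def build_ack_options(server_options: Dict[int, bytes], vci_table: Dict[bytes, bytes],
                      request: bytes) -> Tuple[str, List[Tuple[int, bytes]]]:
    """Pick the options for the DHCPACK: only the codes the client listed in
    option 55, in the client's order, plus option 43 when its option 60 VCI
    matches a configured VCI."""
    req = dict(decode_options(request))
    msg_type = MESSAGE_TYPES.get(req.get(53, b"\0")[0], "unknown")
    reply = [(53, bytes([5]))]                   # DHCPACK
    for code in req.get(55, b""):                # parameter request list
        if code in server_options:
            reply.append((code, server_options[code]))
    vci = req.get(60)
    if vci is not None and vci in vci_table:
        reply.append((43, vci_table[vci]))
    return msg_type, reply


# Constructed server configuration (not a real site): predefined options
# plus one option 43 value keyed by the VCI it is offered to.
SERVER_OPTIONS = {
    1: encode_value("IP Address", ["255.255.255.0"]),
    3: encode_value("IP Address", ["192.168.1.1"]),
    6: encode_value("IP Address", ["10.43.2.10", "10.44.2.10"]),  # two values strung together
    15: encode_value("ASCII", ["example.test"]),
}
VCI_TABLE = {b"ExamplePhone": encode_value("Hexadecimal", ["0x0104c0a80105"])}

if __name__ == "__main__":
    request = encode_options([(53, bytes([3])), (55, bytes([6, 3, 1, 42])), (60, b"ExamplePhone")])
    print(build_ack_options(SERVER_OPTIONS, VCI_TABLE, request))
```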

Configure an Interface as a DHCP Server

The prerequisites for this task are:
- Configure a Layer 3 Ethernet or Layer 3 VLAN interface.
- Assign the interface to a virtual router and a zone.
- Determine a valid pool of IP addresses from your network plan that you can designate to be assigned by your DHCP server to clients.
- Collect the DHCP options, values, and Vendor Class Identifiers you plan to configure.
Perform the following task to configure an interface on the firewall to act as a DHCP server. You can configure multiple DHCP servers.

Configure an Interface as a DHCP Server

Step 1  Select an interface to be a DHCP Server.
    1. Select Network > DHCP > DHCP Server and click Add.
    2. Enter an Interface name or select one from the drop-down.
    3. For Mode, select enabled or auto mode. Auto mode enables the server and disables it if another DHCP server is detected on the network. The disabled setting disables the server.
    4. (Optional) Select Ping IP when allocating new IP if you want the server to ping the IP address before it assigns that address to its client.
       If the ping receives a response, that means a different device already has that address, so it is not available. The server assigns the next address from the pool instead. This behavior is similar to Optimistic Duplicate Address Detection (DAD) for IPv6, RFC 4429.
       After you set options and return to the DHCP server tab, the Probe IP column for the interface indicates if Ping IP when allocating new IP was selected.


Step 2  Configure the predefined DHCP Options that the server sends to its clients.
    In the Options section, select a Lease type:
    - Unlimited causes the server to dynamically choose IP addresses from the IP Pools and assign them permanently to clients.
    - Timeout determines how long the lease will last. Enter the number of Days and Hours, and optionally the number of Minutes.
    Inheritance Source - Leave None or select a source DHCP client interface or PPPoE client interface to propagate various server settings into the DHCP server. If you specify an Inheritance Source, select one or more options below that you want inherited from this source.
    Specifying an inheritance source allows the firewall to quickly add DHCP options from the upstream server received by the DHCP client. It also keeps the client options updated if the source changes an option. For example, if the source replaces its NTP server (which had been identified as the Primary NTP server), the client will automatically inherit the new address as its Primary NTP server.
    When inheriting DHCP option(s) that contain multiple IP addresses, the firewall uses only the first IP address contained in the option to conserve cache memory. If you require multiple IP addresses for a single option, configure the DHCP options directly on that firewall rather than configure inheritance.
    Check inheritance source status - If you selected an Inheritance Source, clicking this link opens the Dynamic IP Interface Status window, which displays the options that were inherited from the DHCP client.
    Gateway - IP address of the network gateway (an interface on the firewall) that is used to reach any device not on the same LAN as this DHCP server.
    Subnet Mask - Network mask used with the addresses in the IP Pools.


    For the following fields, click the down arrow and select None, or inherited, or enter a remote server's IP address that your DHCP server will send to clients for accessing that service. If you select inherited, the DHCP server inherits the values from the source DHCP client specified as the Inheritance Source.
    - Primary DNS, Secondary DNS - IP address of the preferred and alternate Domain Name System (DNS) servers.
    - Primary WINS, Secondary WINS - IP address of the preferred and alternate Windows Internet Naming Service (WINS) servers.
    - Primary NIS, Secondary NIS - IP address of the preferred and alternate Network Information Service (NIS) servers.
    - Primary NTP, Secondary NTP - IP address of the available Network Time Protocol servers.
    - POP3 Server - IP address of a Post Office Protocol (POP3) server.
    - SMTP Server - IP address of a Simple Mail Transfer Protocol (SMTP) server.
    - DNS Suffix - Suffix for the client to use locally when an unqualified hostname is entered that it cannot resolve.

Step 3  (Optional) Configure a vendor-specific or custom DHCP option that the DHCP server sends to its clients.
    1. In the Custom DHCP Options section, click Add and enter a descriptive Name to identify the DHCP option.
    2. Enter the Option Code you want to configure the server to offer (range is 1-254). (See RFC 2132 for option codes.)
    3. If the Option Code is 43, the Vendor Class Identifier field appears. Enter a VCI, which is a string or hexadecimal value (with 0x prefix) used as a match against a value that comes from the client Request containing option 60. The server looks up the incoming VCI in its table, finds it, and returns Option 43 and the corresponding option value.
    4. Inherit from DHCP server inheritance source - Select it only if you specified an Inheritance Source for the DHCP Server predefined options and you want the vendor-specific and custom options also to be inherited from this source.
    5. Check inheritance source status - If you selected an Inheritance Source, clicking this link opens Dynamic IP Interface Status, which displays the options that were inherited from the DHCP client.
    6. If you did not select Inherit from DHCP server inheritance source, select an Option Type: IP Address, ASCII, or Hexadecimal. Hexadecimal values must start with the 0x prefix.
    7. Enter the Option Value you want the DHCP server to offer for that Option Code. You can enter multiple values on separate lines.
    8. Click OK.


Step 4  (Optional) Add another vendor-specific or custom DHCP option.
    1. Repeat Step 3 to enter another custom DHCP Option.
       - You can enter multiple option values for an Option Code with the same Option Name, but all values for an Option Code must be the same type (IP Address, ASCII, or Hexadecimal). If one type is inherited or entered and a different type is entered for the same Option Code and the same Option Name, the second type will overwrite the first type.
       - When entering multiple values for an option, enter the values in the order of preference, or else move the Custom DHCP Options to achieve the preferred order in the list. Select an option and click Move Up or Move Down.
       - You can enter an Option Code more than once by using a different Option Name. In this case, the Option Type for the Option Code can differ among the multiple option names.
    2. Click OK.

Step 5  Identify the stateful pool of IP addresses from which the DHCP server chooses an address and assigns it to a DHCP client.
    If you are not the network administrator for your network, ask the network administrator for a valid pool of IP addresses from the network plan that can be designated to be assigned by your DHCP server.
    1. In the IP Pools field, click Add and enter the range of IP addresses from which this server assigns an address to a client. Enter an IP subnet and subnet mask (for example, 192.168.1.0/24) or a range of IP addresses (for example, 192.168.1.10-192.168.1.20).
       - An IP Pool or a Reserved Address is mandatory for dynamic IP address assignment.
       - An IP Pool is optional for static IP address assignment as long as the static IP addresses that you assign fall into the subnet that the firewall interface services.
    2. (Optional) Repeat Step 1 to specify another IP address pool.

Step 6  (Optional) Specify an IP address from the IP pools that will not be assigned dynamically. If you also specify a MAC Address, the Reserved Address is assigned to that device when the device requests an IP address through DHCP.
    See the DHCP Addressing section for an explanation of allocation of a Reserved Address.
    1. In the Reserved Address field, click Add.
    2. Enter an IP address from the IP Pools (format x.x.x.x) that you do not want to be assigned dynamically by the DHCP server.
    3. (Optional) Specify the MAC Address (format xx:xx:xx:xx:xx:xx) of the device to which you want to permanently assign the IP address specified in Step 2.
    4. (Optional) Repeat Step 2 and Step 3 to reserve another address.

Step 7  Save the configuration.
    Click OK and Commit the change.


Configure an Interface as a DHCP Client

Before configuring a firewall interface as a DHCP Client, make sure you have configured a Layer 3 Ethernet or Layer 3 VLAN interface, and the interface is assigned to a virtual router and a zone. Perform this task if you need to use DHCP to request an IPv4 address for an interface on your firewall.
To configure the management interface as a DHCP client, see Configure the Management Interface as a DHCP Client.

Configure an Interface as a DHCP Client

Step 1  Configure an interface as a DHCP client.
    1. Select Network > Interfaces.
    2. On the Ethernet tab or the VLAN tab, click Add and enter an interface, or click a configured interface, that you want to be a DHCP client.
    3. Click the IPv4 tab; for Type, select DHCP Client.
    4. Select Enable.
    5. (Optional) Select Automatically create default route pointing to default gateway provided by server. This causes the firewall to create a static route to a default gateway that will be useful when clients are trying to access many destinations that do not need to have routes maintained in a routing table on the firewall.
    6. (Optional) Enter a Default Route Metric (priority level) for the route between the firewall and the DHCP server (range is 1-65535; there is no default metric). A route with a lower number has higher priority during route selection. For example, a route with a metric of 10 is used before a route with a metric of 100.
    7. (Optional) Select Show DHCP Client Runtime Info to see all of the settings the client has inherited from its DHCP server.

Step 2  Save the configuration.
    Click OK and Commit the change.
    Now the Ethernet interface indicates Dynamic-DHCP Client in its IP Address field on the Ethernet tab.

Step 3  (Optional) See which interfaces on the firewall are configured as DHCP clients.
    1. Select Network > Interfaces > Ethernet and look in the IP Address field to see which interfaces indicate DHCP Client.
    2. Select Network > Interfaces > VLAN and look in the IP Address field to see which interfaces indicate DHCP Client.


Configure the Management Interface as a DHCP Client

The management interface on the firewall supports DHCP client for IPv4, which allows the management interface to receive its IPv4 address from a DHCP server. The management interface also supports DHCP Option 12 and Option 61, which allow the firewall to send its hostname and client identifier, respectively, to DHCP servers.
By default, VM-Series firewalls deployed in AWS and Azure use the management interface as a DHCP client to obtain its IP address, rather than a static IP address, because cloud deployments require the automation this feature provides. DHCP on the management interface is turned off by default for the VM-Series firewall except for the VM-Series firewall in AWS and Azure. The management interfaces on WildFire and Panorama platforms do not support this DHCP functionality.

For hardware-based firewall platforms (not VM-Series), configure the management interface with a static IP address when possible.
If the firewall acquires a management interface address through DHCP, assign a MAC address reservation on the DHCP server that serves that firewall. The reservation ensures that the firewall retains its management IP address after a restart. If the DHCP server is a Palo Alto Networks firewall, see Step 6 of Configure an Interface as a DHCP Server for reserving an address.

If you configure the management interface as a DHCP client, the following restrictions apply:
- You cannot use the management interface in an HA configuration for control link (HA1 or HA1 backup), data link (HA2 or HA2 backup), or packet forwarding (HA3) communication.
- You cannot select MGT as the Source Interface when you customize service routes (Device > Setup > Services > Service Route Configuration > Customize). However, you can select Use default to route the packets via the management interface.
- You cannot use the dynamic IP address of the management interface to connect to a Hardware Security Module (HSM). The IP address on the HSM client firewall must be a static IP address because HSM authenticates the firewall using the IP address, and operations on HSM would stop working if the IP address were to change during runtime.
A prerequisite for this task is that the management interface must be able to reach a DHCP server.

Configure the Management Interface as a DHCP Client

Step 1  Configure the Management interface as a DHCP client so that it can receive its IP address (IPv4), netmask (IPv4), and default gateway from a DHCP server.
    Optionally, you can also send the hostname and client identifier of the management interface to the DHCP server if the orchestration system you use accepts this information.
    1. Select Device > Setup > Management and edit Management Interface Settings.
    2. For IP Type, select DHCP Client.
    3. (Optional) Select one or both options for the firewall to send to the DHCP server in DHCP Discover or Request messages:
       - Send Hostname - Sends the Hostname (as defined in Device > Setup > Management) as part of DHCP Option 12.
       - Send Client ID - Sends the client identifier as part of DHCP Option 61. A client identifier uniquely identifies a DHCP client, and the DHCP Server uses it to index its configuration parameter database.
    4. Click OK.


Step 2  (Optional) Configure the firewall to accept the hostname and domain from the DHCP server.
    1. Select Device > Setup > Management and edit General Settings.
    2. Select one or both options:
       - Accept DHCP server provided Hostname - Allows the firewall to accept the hostname from the DHCP server (if valid). When enabled, the hostname from the DHCP server overwrites any existing Hostname specified in Device > Setup > Management. Do not select this option if you want to manually configure a hostname.
       - Accept DHCP server provided Domain - Allows the firewall to accept the domain from the DHCP Server. The domain (DNS suffix) from the DHCP Server overwrites any existing Domain specified in Device > Setup > Management. Do not select this option if you want to manually configure a domain.
    3. Click OK.

Step 3  Save the configuration.
    Click Commit.

Step 4  View DHCP client information.
    1. Select Device > Setup > Management and Management Interface Settings.
    2. Click Show DHCP Client Runtime Info.

Step 5  (Optional) Renew the DHCP lease with the DHCP server, regardless of the lease term.
    This option is convenient if you are testing or troubleshooting network issues.
    1. Select Device > Setup > Management and edit Management Interface Settings.
    2. Click Show DHCP Client Runtime Info.
    3. Click Renew.

Step 6  (Optional) Release the following DHCP options that came from the DHCP server:
    - IP Address
    - Netmask
    - Default Gateway
    - DNS Server (primary and secondary)
    - NTP Server (primary and secondary)
    - Domain (DNS Suffix)
    A release frees the IP address, which drops your network connection and renders the firewall unmanageable if no other interface is configured for management access.
    Use the CLI operational command request dhcp client management-interface release.


Configure an Interface as a DHCP Relay Agent

To enable a firewall interface to transmit DHCP messages between clients and servers, you must configure the firewall as a DHCP relay agent. The interface can forward messages to a maximum of eight external IPv4 DHCP servers and eight external IPv6 DHCP servers. A client DHCPDISCOVER message is sent to all configured servers, and the DHCPOFFER message of the first server that responds is relayed back to the requesting client. Before configuring a DHCP relay agent, make sure you have configured a Layer 3 Ethernet or Layer 3 VLAN interface, and the interface is assigned to a virtual router and a zone.

Configure an Interface as a DHCP Relay Agent

Step 1  Select DHCP Relay.
    Select Network > DHCP > DHCP Relay.

Step 2  Specify the IP address of each DHCP server with which the DHCP relay agent will communicate.
    1. In the Interface field, select from the drop-down the interface you want to be the DHCP relay agent.
    2. Select either IPv4 or IPv6, indicating the type of DHCP server address you will specify.
    3. If you checked IPv4, in the DHCP Server IP Address field, click Add. Enter the address of the DHCP server to and from which you will relay DHCP messages.
    4. If you checked IPv6, in the DHCP Server IPv6 Address field, click Add. Enter the address of the DHCP server to and from which you will relay DHCP messages. If you specify a multicast address, also specify an outgoing Interface.
    5. (Optional) Repeat Steps 2-4 to enter a maximum of eight DHCP server addresses per IP address family.

Step 3  Save the configuration.
    Click OK and Commit the change.

Monitor and Troubleshoot DHCP

You can view the status of dynamic address leases that your DHCP server has assigned or that your DHCP client has been assigned by issuing commands from the CLI. You can also clear leases before they time out and are released automatically.
- View DHCP Server Information
- Clear Leases Before They Expire Automatically
- View DHCP Client Information
- Gather Debug Output about DHCP

View DHCP Server Information

To view DHCP pool statistics, IP addresses the server has assigned, the corresponding MAC address, state and duration of the lease, and time the lease began, use the following command. If the address was configured as a Reserved Address, the state column indicates reserved and there is no duration or lease_time. If the lease was configured as Unlimited, the duration column displays a value of 0.
admin@PA-200> show dhcp server lease all


interface: "ethernet1/2"
Allocated IPs: 1, Total number of IPs in pool: 5. 20.0000% used
ip mac state duration lease_time
192.168.3.11 f0:2f:af:42:70:cf committed 0 Wed Jul 2 08:10:56 2014
admin@PA-200>
To view the options that a DHCP server has assigned to clients, use the following command:
admin@PA-200> show dhcp server settings all
Interface GW DNS1 DNS2 DNS-Suffix Inherit source
-------------------------------------------------------------------------------------
ethernet1/2 192.168.3.1 10.43.2.10 10.44.2.10 ethernet1/3
admin@PA-200>

ClearLeasesBeforeTheyExpireAutomatically

ThefollowingexampleshowshowtoreleaseexpiredDHCPLeasesofaninterface(server)beforethehold
timerreleasesthemautomatically.ThoseaddresseswillbeavailableintheIPpoolagain.
admin@PA-200> clear dhcp lease interface ethernet1/2 expired-only
ThefollowingexampleshowshowtoreleasetheleaseofaparticularIPaddress:
admin@PA-200> clear dhcp lease interface ethernet1/2 ip 192.168.3.1
ThefollowingexampleshowshowtoreleasetheleaseofaparticularMACaddress:
admin@PA-200> clear dhcp lease interface ethernet1/2 mac f0:2c:ae:29:71:34

ViewDHCPClientInformation

ToviewthestatusofIPaddressleasessenttothefirewallwhenitisactingasaDHCPclient,usetheshow
dhcp client state interface_namecommandorthefollowingcommand:
admin@PA-200> show dhcp client state all
Interface State IP Gateway Leased-until
---------------------------------------------------------------------------
ethernet1/1 Bound 10.43.14.80 10.43.14.1 70315
admin@PA-200>

GatherDebugOutputaboutDHCP

TogatherdebugoutputaboutDHCP,useoneofthefollowingcommands:
admin@PA-200> debug dhcpd
admin@PA-200> debug management-server dhcpd

NAT

This section describes Network Address Translation (NAT) and how to configure the firewall for NAT. NAT allows you to translate private, non-routable IPv4 addresses to one or more globally routable IPv4 addresses, thereby conserving an organization's routable IP addresses. NAT allows you to not disclose the real IP addresses of hosts that need access to public addresses and to manage traffic by performing port forwarding. You can use NAT to solve network design challenges, enabling networks with identical IP subnets to communicate with each other. The firewall supports NAT on Layer 3 and virtual wire interfaces.
The NAT64 option translates between IPv6 and IPv4 addresses, providing connectivity between networks using disparate IP addressing schemes, and therefore a migration path to IPv6 addressing. IPv6-to-IPv6 Network Prefix Translation (NPTv6) translates one IPv6 prefix to another IPv6 prefix. PAN-OS supports all of these functions.
If you use private IP addresses within your internal networks, you must use NAT to translate the private addresses to public addresses that can be routed on external networks. In PAN-OS, you create NAT policy rules that instruct the firewall which packet addresses and ports need translation and what the translated addresses and ports are.
  NAT Policy Rules
  Source NAT and Destination NAT
  NAT Rule Capacities
  Dynamic IP and Port NAT Oversubscription
  Dataplane NAT Memory Statistics
  Configure NAT
  NAT Configuration Examples

NAT Policy Rules

  NAT Policy Overview
  NAT Address Pools Identified as Address Objects
  Proxy ARP for NAT Address Pools

NAT Policy Overview

You configure a NAT rule to match a packet's source zone and destination zone, at a minimum. In addition to zones, you can configure matching criteria based on the packet's destination interface, source and destination address, and service. You can configure multiple NAT rules. The firewall evaluates the rules in order from the top down. Once a packet matches the criteria of a single NAT rule, the packet is not subjected to additional NAT rules. Therefore, your list of NAT rules should be in order from most specific to least specific so that packets are subjected to the most specific rule you created for them.
Static NAT rules do not have precedence over other forms of NAT. Therefore, for static NAT to work, the static NAT rules must be above all other NAT rules in the list on the firewall.

NAT rules provide address translation, and are different from security policy rules, which allow or deny packets. It is important to understand the firewall's flow logic when it applies NAT rules and security policy rules so that you can determine what rules you need, based on the zones you have defined. You must configure security policy rules to allow the NAT traffic.
Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones. Finally, upon egress, for a matching NAT rule, the firewall translates the source and/or destination address and port numbers.
Keep in mind that the translation of the IP address and port does not occur until the packet leaves the firewall. The NAT rules and security policies apply to the original IP address (the pre-NAT address). A NAT rule is configured based on the zone associated with a pre-NAT IP address.
Security policies differ from NAT rules because security policies examine post-NAT zones to determine whether the packet is allowed or not. Because the very nature of NAT is to modify source or destination IP addresses, which can result in modifying the packet's outgoing interface and zone, security policies are enforced on the post-NAT zone.

A SIP call sometimes experiences one-way audio when going through the firewall because the call manager sends a SIP message on behalf of the phone to set up the connection. When the message from the call manager reaches the firewall, the SIP ALG must put the IP address of the phone through NAT. If the call manager and the phones are not in the same security zone, the NAT lookup of the IP address of the phone is done using the call manager zone. The NAT policy should take this into consideration.

No-NAT rules are configured to allow exclusion of IP addresses defined within the range of NAT rules defined later in the NAT policy. To define a no-NAT policy, specify all of the match criteria and select No Source Translation in the source translation column.
You can verify the NAT rules processed by using the CLI test nat-policy-match command in operational mode. For example:
user@device1> test nat-policy-match ?
+ destination         Destination IP address
+ destination-port    Destination port
+ from                From zone
+ ha-device-id        HA Active/Active device ID
+ protocol            IP protocol value
+ source              Source IP address
+ source-port         Source port
+ to                  To Zone
+ to-interface        Egress interface to use
|                     Pipe through a command
<Enter>               Finish input
user@device1> test nat-policy-match from l3-untrust source 10.1.1.1 destination 66.151.149.20 destination-port 443 protocol 6
Destination-NAT: Rule matched: CA2-DEMO
66.151.149.20:443 => 192.168.100.15:443

NAT Address Pools Identified as Address Objects

When configuring a Dynamic IP or Dynamic IP and Port NAT address pool in a NAT policy rule, it is typical to configure the pool of translated addresses with address objects. Each address object can be a host IP address, IP address range, or IP subnet.

Because both NAT rules and security policy rules use address objects, it is a best practice to distinguish between them by naming an address object used for NAT with a prefix, such as NAT-name.

Proxy ARP for NAT Address Pools

NAT address pools are not bound to any interfaces. The following figure illustrates the behavior of the firewall when it is performing proxy ARP for an address in a NAT address pool.

The firewall performs source NAT for a client, translating the source address 1.1.1.1 to the address in the NAT pool, 2.2.2.2. The translated packet is sent on to a router.
For the return traffic, the router does not know how to reach 2.2.2.2 (because the IP address 2.2.2.2 is just an address in the NAT address pool), so it sends an ARP request packet to the firewall.
If the address pool (2.2.2.2) is in the same subnet as the egress/ingress interface IP address (2.2.2.3/24), the firewall can send a proxy ARP reply to the router, indicating the Layer 2 MAC address of the IP address, as shown in the figure above.
If the address pool (2.2.2.2) is not a subnet of an interface on the firewall, the firewall will not send a proxy ARP reply to the router. This means that the router must be configured with the necessary route to know where to send packets destined for 2.2.2.2, in order to ensure the return traffic is routed back to the firewall, as shown in the figure below.
Source NAT and Destination NAT

The firewall supports both source address and/or port translation and destination address and/or port translation.

Source NAT

Source NAT is typically used by internal users to access the Internet; the source address is translated and thereby kept private. There are three types of source NAT:
  Dynamic IP and Port (DIPP): Allows multiple hosts to have their source IP addresses translated to the same public IP address with different port numbers. The dynamic translation is to the next available address in the NAT address pool, which you configure as a Translated Address pool to be an IP address, range of addresses, a subnet, or a combination of these.
  As an alternative to using the next address in the NAT address pool, DIPP allows you to specify the address of the Interface itself. The advantage of specifying the interface in the NAT rule is that the NAT rule will be automatically updated to use any address subsequently acquired by the interface. DIPP is sometimes referred to as interface-based NAT or network address port translation (NAPT).
  DIPP has a default NAT oversubscription rate, which is the number of times that the same translated IP address and port pair can be used concurrently. For more information, see Dynamic IP and Port NAT Oversubscription and Modify the Oversubscription Rate for DIPP NAT.
  Dynamic IP: Allows the one-to-one, dynamic translation of a source IP address only (no port number) to the next available address in the NAT address pool. The size of the NAT pool should be equal to the number of internal hosts that require address translations. By default, if the source address pool is larger than the NAT address pool and eventually all of the NAT addresses are allocated, new connections that need address translation are dropped. To override this default behavior, use Advanced (Dynamic IP/Port Fallback) to enable use of DIPP addresses when necessary. In either event, as sessions terminate and the addresses in the pool become available, they can be allocated to translate new connections.
  Dynamic IP NAT supports the option for you to Reserve Dynamic IP NAT Addresses.
  Static IP: Allows the 1-to-1, static translation of a source IP address, but leaves the source port unchanged. A common scenario for a static IP translation is an internal server that must be available to the Internet.

Destination NAT

Destination NAT is performed on incoming packets, when the firewall translates a public destination address to a private address. Destination NAT does not use address pools or ranges. It is a 1-to-1, static translation with the option to perform port forwarding or port translation.
  Static IP: Allows the 1-to-1, static translation of a destination IP address and optionally the port number. One common use of destination NAT is to configure several NAT rules that map a single public destination address to several private destination host addresses assigned to servers or services. In this case, the destination port numbers are used to identify the destination hosts. For example:
    Port Forwarding: Can translate a public destination address and port number to a private destination address, but keeps the same port number.
    Port Translation: Can translate a public destination address and port number to a private destination address and a different port number, thus keeping the real port number private. It is configured by entering a Translated Port on the Translated Packet tab in the NAT policy rule. See the Destination NAT with Port Translation Example.
NAT Rule Capacities

The number of NAT rules allowed is based on the firewall platform. Individual rule limits are set for static, Dynamic IP (DIP), and Dynamic IP and Port (DIPP) NAT. The sum of the number of rules used for these NAT types cannot exceed the total NAT rule capacity. For DIPP, the rule limit is based on the oversubscription setting (8, 4, 2, or 1) of the firewall and the assumption of one translated IP address per rule. To see platform-specific NAT rule limits and translated IP address limits, use the Compare Firewalls tool.
Consider the following when working with NAT rules:
  If you run out of pool resources, you cannot create more NAT rules, even if the platform's maximum rule count has not been reached.
  If you consolidate NAT rules, the logging and reporting will also be consolidated. The statistics are provided per the rule, not per all of the addresses within the rule. If you need granular logging and reporting, do not combine the rules.
Dynamic IP and Port NAT Oversubscription

Dynamic IP and Port (DIPP) NAT allows you to use each translated IP address and port pair multiple times (8, 4, or 2 times) in concurrent sessions. This reusability of an IP address and port (known as oversubscription) provides scalability for customers who have too few public IP addresses. The design is based on the assumption that hosts are connecting to different destinations, therefore sessions can be uniquely identified and collisions are unlikely. The oversubscription rate in effect multiplies the original size of the address/port pool to 8, 4, or 2 times the size. For example, the default limit of 64K concurrent sessions allowed, when multiplied by an oversubscription rate of 8, results in 512K concurrent sessions allowed.
The oversubscription rates that are allowed vary based on the platform. The oversubscription rate is global; it applies to the firewall. This oversubscription rate is set by default and consumes memory, even if you have enough public IP addresses available to make oversubscription unnecessary. You can reduce the rate from the default setting to a lower setting or even 1 (which means no oversubscription). By configuring a reduced rate, you decrease the number of source device translations possible, but increase the DIP and DIPP NAT rule capacities. To change the default rate, see Modify the Oversubscription Rate for DIPP NAT.
If you select Platform Default, your explicit configuration of oversubscription is turned off and the default oversubscription rate for the platform applies, as shown in the table below. The Platform Default setting allows for an upgrade or downgrade of a software release.
The following table lists the default (highest) oversubscription rate for each platform.

Platform      Default Oversubscription Rate
PA-200        2
PA-500        2
PA-2020       2
PA-2050       2
PA-3020       2
PA-3050       2
PA-3060       2
PA-4020       4
PA-4050       8
PA-4060       8
PA-5020       4
PA-5050       8
PA-5060       8
PA-7050       8
PA-7080       8
VM-100        1
VM-200        1
VM-300        2
VM-1000-HV    2

The firewall supports a maximum of 256 translated IP addresses per NAT rule, and each platform supports a maximum number of translated IP addresses (for all NAT rules combined). If oversubscription causes the maximum translated addresses per rule (256) to be exceeded, the firewall will automatically reduce the oversubscription ratio in an effort to have the commit succeed. However, if your NAT rules result in translations that exceed the maximum translated addresses for the platform, the commit will fail.
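The following is an added example, not PAN-OS code, that models what the oversubscription rate means for a DIPP pool: a translated IP address and port pair can carry up to the ratio's number of concurrent sessions, but only when those sessions go to different destinations, because the return packet's 5-tuple must still identify exactly one session. The pool size, port range, ratio and the constructed destinations are assumptions chosen for illustration; a firewall's real port allocator is not published and is not reproduced here.

```python
from typing import Dict, Optional, Set, Tuple

Dest = Tuple[str, int]          # (destination IP, destination port)
Translated = Tuple[str, int]    # (translated source IP, translated source port)


class DippPool:
    """Translated-address pool for Dynamic IP and Port NAT with oversubscription.

    A translated (ip, port) pair may carry up to `ratio` concurrent sessions, but
    only if they go to different destinations: two sessions to the same destination
    can never share a translated port, or the firewall could not tell their return
    traffic apart. (Model for illustration; not the firewall's own allocator.)
    """

    def __init__(self, translated_ip: str, ports: range, ratio: int) -> None:
        if ratio not in (1, 2, 4, 8):
            raise ValueError("oversubscription ratio must be 1, 2, 4 or 8")
        self.translated_ip = translated_ip
        self.ratio = ratio
        # translated port -> destinations whose sessions currently use that port
        self.in_use: Dict[int, Set[Dest]] = {p: set() for p in ports}
        self.drops = 0

    def capacity(self) -> int:
        """Concurrent sessions the pool can hold if destinations are all distinct:
        pool size times the oversubscription ratio (64K x 8 = 512K in the text)."""
        return len(self.in_use) * self.ratio

    def active(self) -> int:
        return sum(len(d) for d in self.in_use.values())

    def allocate(self, dest: Dest) -> Optional[Translated]:
        """Pick the first translated port that has spare capacity and is not already
        used for a session to the same destination. None means the session is dropped."""
        for port, dests in self.in_use.items():
            if len(dests) < self.ratio and dest not in dests:
                dests.add(dest)
                return (self.translated_ip, port)
        self.drops += 1
        return None

    def release(self, translated: Translated, dest: Dest) -> None:
        """Session ended: free the (port, destination) slot for reuse."""
        self.in_use[translated[1]].discard(dest)


def fill(pool: DippPool, dests) -> int:
    """Open one session per destination in `dests`; return how many were allocated."""
    return sum(1 for d in dests if pool.allocate(d) is not None)


if __name__ == "__main__":
    # Constructed scenario: 4 translated ports, ratio 2 -> 8 sessions if destinations differ.
    pool = DippPool("203.0.113.100", range(1025, 1029), ratio=2)
    distinct = [("198.51.100.%d" % i, 443) for i in range(8)]
    print("distinct destinations:", fill(pool, distinct), "of", pool.capacity())
    # Every session to the same destination: only one session per port, so 4 of 8 succeed.
    pool2 = DippPool("203.0.113.100", range(1025, 1029), ratio=2)
    print("same destination:", fill(pool2, [("198.51.100.1", 443)] * 8), "of", pool2.capacity())
```

The second scenario is the caveat behind "collisions are unlikely": if many internal hosts talk to the same destination (a single SaaS endpoint, a proxy, a DNS resolver), the effective capacity falls back toward the un-oversubscribed port count, and the drop counter, not the headline 8x figure, is what to watch.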

Dataplane NAT Memory Statistics

The show running global-ippool command displays statistics related to NAT memory consumption for a pool. The Size column displays the number of bytes of memory that the resource pool is using. The Ratio column displays the oversubscription ratio (for DIPP pools only). The lines of pool and memory statistics are explained in the following sample output:

For NAT pool statistics for a virtual system, the show running ippool command has columns indicating the memory size used per NAT rule and the oversubscription ratio used (for DIPP rules). The following is sample output for the command.

A field in the output of the show running nat-rule-ippool rule command shows the memory (bytes) used per NAT rule. The following is sample output for the command, with the memory usage for the rule encircled.
Configure NAT

Perform the following tasks to configure various aspects of NAT. In addition to the examples below, there are examples in the section NAT Configuration Examples.
  Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
  Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
  Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
  Modify the Oversubscription Rate for DIPP NAT
  Disable NAT for a Specific Host or Interface
  Reserve Dynamic IP NAT Addresses
The NAT example in this section is based on the following topology, which was also used in Getting Started for setting up interfaces and zones:

Based on the topology initially used in Getting Started to create the interfaces and zones, there are three NAT policies we need to create as follows:
  To enable the clients on the internal network to access resources on the Internet, the internal 192.168.1.0 addresses will need to be translated to publicly routable addresses. In this case, we will configure source NAT (the purple enclosure and arrow above), using the egress interface address, 203.0.113.100, as the source address in all packets that leave the firewall from the internal zone. See Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT) for instructions.
  To enable clients on the internal network to access the public web server in the DMZ zone, we must configure a NAT rule that redirects the packet from the external network, where the original routing table lookup will determine it should go based on the destination address of 203.0.113.11 within the packet, to the actual address of the web server on the DMZ network of 10.1.1.11. To do this you must create a NAT rule from the trust zone (where the source address in the packet is) to the untrust zone (where the original destination address is) to translate the destination address to an address in the DMZ zone. This type of destination NAT is called U-Turn NAT (the yellow enclosure and arrow above). See Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT) for instructions.
  To enable the web server, which has both a private IP address on the DMZ network and a public-facing address for access by external users, to both send and receive requests, the firewall must translate the incoming packets from the public IP address to the private IP address and the outgoing packets from the private IP address to the public IP address. On the firewall, you can accomplish this with a single bi-directional static source NAT policy (the green enclosure and arrow above). See Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT).

Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)

When a client on your internal network sends a request, the source address in the packet contains the IP address for the client on your internal network. If you use private IP address ranges internally, the packets from the client will not be able to be routed on the Internet unless you translate the source IP address in the packets leaving the network into a publicly routable address.
On the firewall you can do this by configuring a source NAT policy that translates the source address (and optionally the port) into a public address. One way to do this is to translate the source address for all packets to the egress interface on your firewall, as shown in the following procedure.

Configure Source NAT

Step 1  Create an address object for the external IP address you plan to use.
  1. Select Objects > Addresses and then click Add.
  2. Enter a Name and optional Description for the object.
  3. Select IP Netmask from the Type drop-down and then enter the IP address of the external interface on the firewall, 203.0.113.100 in this example.
  4. To save the address object, click OK.
  Although you do not have to use address objects in your policies, it is a best practice because it simplifies administration by allowing you to make updates in one place rather than having to update every policy where the address is referenced.

Step 2  Create the NAT policy.
  1. Select Policies > NAT and click Add.
  2. On the General tab, enter a descriptive Name for the policy.
  3. (Optional) Enter a tag, which is a keyword or phrase that allows you to sort or filter policies.
  4. For NAT Type, select ipv4 (default).
  5. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
  6. On the Translated Packet tab, select Dynamic IP And Port from the Translation Type drop-down in the Source Address Translation section of the screen.
  7. For Address Type, there are two choices. You could select Translated Address and then click Add. Select the address object you just created.
     An alternative Address Type is Interface Address, in which case the translated address will be the IP address of the interface. For this choice, you would select an Interface and optionally an IP Address if the interface has more than one IP address.
  8. Click OK to save the NAT policy.

Step 3  Save the configuration. Click Commit.

Step 4  (Optional) Access the CLI to verify the translation.
  1. Use the show session all command to view the session table, where you can verify the source IP address and port and the corresponding translated IP address and port.
  2. Use the show session id <id_number> command to view more details about a session.
  3. If you configured Dynamic IP NAT, use the show counter global filter aspect session severity drop | match nat command to see if any sessions failed due to NAT IP allocation. If all of the addresses in the Dynamic IP NAT pool are allocated when a new connection is supposed to be translated, the packet will be dropped.

Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)

When a user on the internal network sends a request for access to the corporate web server in the DMZ, the DNS server will resolve it to the public IP address. When processing the request, the firewall will use the original destination in the packet (the public IP address) and route the packet to the egress interface for the untrust zone. In order for the firewall to know that it must translate the public IP address of the web server to an address on the DMZ network when it receives requests from users on the trust zone, you must create a destination NAT rule that will enable the firewall to send the request to the egress interface for the DMZ zone as follows.

Configure U-Turn NAT

Step 1  Create an address object for the web server.
  1. Select Objects > Addresses and click Add.
  2. Enter a Name and optional Description for the object.
  3. Select IP Netmask from the Type drop-down and enter the public IP address of the web server, 203.0.113.11 in this example.
  4. Click OK.

Step 2  Create the NAT policy.
  1. Select Policies > NAT and click Add.
  2. On the General tab, enter a descriptive Name for the NAT rule.
  3. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
  4. In the Destination Address section, click Add and select the address object you created for your public web server.
  5. On the Translated Packet tab, select Destination Address Translation and then enter the IP address that is assigned to the web server interface on the DMZ network, 10.1.1.11 in this example.
  6. Click OK to save the NAT policy.

Step 3  Save the configuration. Click Commit.

Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)

When your public-facing servers have private IP addresses assigned on the network segment where they are physically located, you need a source NAT rule to translate the source address of the server to the external address upon egress. You create a static NAT rule to translate the internal source address, 10.1.1.11, to the external web server address, 203.0.113.11 in our example.
However, a public-facing server must be able to both send and receive packets. You need a reciprocal policy that translates the public address (the destination IP address in incoming packets from Internet users) into the private address so that the firewall can route the packet to your DMZ network. You create a bi-directional static NAT rule, as described in the following procedure. Bi-directional translation is an option for static NAT only.

Configure Bi-Directional NAT

Step 1  Create an address object for the web server's internal IP address.
  1. Select Objects > Addresses and click Add.
  2. Enter a Name and optional Description for the object.
  3. Select IP Netmask from the Type drop-down and enter the IP address of the web server on the DMZ network, 10.1.1.11 in this example.
  4. Click OK.
  If you did not already create an address object for the public address of your web server, you should create that object now.

Step 2  Create the NAT policy.
  1. Select Policies > NAT and click Add.
  2. On the General tab, enter a descriptive Name for the NAT rule.
  3. On the Original Packet tab, select the zone you created for your DMZ in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
  4. In the Source Address section, click Add and select the address object you created for your internal web server address.
  5. On the Translated Packet tab, select Static IP from the Translation Type drop-down in the Source Address Translation section and then select the address object you created for your external web server address from the Translated Address drop-down.
  6. In the Bi-directional field, select Yes.
  7. Click OK to save the NAT policy.

Step 3  Save the configuration. Click Commit.
Modify the Oversubscription Rate for DIPP NAT

If you have enough public IP addresses that you do not need to use DIPP NAT oversubscription, you can reduce the oversubscription rate and thereby gain more DIP and DIPP NAT rules allowed.

Set NAT Oversubscription

Step 1  View the DIPP NAT oversubscription rate.
  1. Select Device > Setup > Session > Session Settings. View the NAT Oversubscription Rate setting.

Step 2  Set the DIPP NAT oversubscription rate.
  1. Edit the Session Settings section.
  2. In the NAT Oversubscription Rate drop-down, select 1x, 2x, 4x, or 8x, depending on which ratio you want.
     The Platform Default setting applies the default oversubscription setting for the platform. If you want no oversubscription, select 1x.
  3. Click OK and Commit the change.

Disable NAT for a Specific Host or Interface

Both source NAT and destination NAT rules can be configured to disable address translation. You may have exceptions where you do not want NAT to occur for a certain host in a subnet or for traffic exiting a specific interface. The following procedure shows how to disable source NAT for a host.

Create a Source NAT Exemption

Step 1  Create the NAT policy.
  1. Select Policies > NAT and click Add.
  2. Enter a descriptive Name for the policy.
  3. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
  4. For Source Address, click Add and enter the host address. Click OK.
  5. On the Translated Packet tab, select None from the Translation Type drop-down in the Source Address Translation section of the screen.
  6. Click OK to save the NAT policy.

Step 2  Save the configuration. Click Commit.

NAT rules are processed in order from the top to the bottom, so place the NAT exemption policy before other NAT policies to ensure it is processed before an address translation occurs for the sources you want to exempt.
Reserve Dynamic IP NAT Addresses

You can reserve Dynamic IP NAT addresses (for a configurable period of time) to prevent them from being allocated as translated addresses to a different source IP address that needs translation. When configured, the reservation applies to all of the translated Dynamic IP addresses in progress and any new translations. For both translations in progress and new translations, when a source IP address is translated to an available translated IP address, that pairing is retained even after all sessions related to that specific source IP are expired. The reservation timer for each source IP address begins after all sessions that use that source IP address translation expire. Dynamic IP NAT is a one-to-one translation; one source IP address translates to one translated IP address that is chosen dynamically from those addresses available in the configured pool. Therefore, a translated IP address that is reserved is not available for any other source IP address until the reservation expires, which happens only if no new session for that source IP address starts before the timer runs out. The timer is reset each time a new session for a source IP/translated IP mapping begins after a period when no sessions were active.
By default, no addresses are reserved. You can reserve Dynamic IP NAT addresses for the firewall or for a virtual system.

Reserve Dynamic IP NAT Addresses for a Firewall

Step 1  user@device1# set setting nat reserve-ip yes

Step 2  user@device1# set setting nat reserve-time <1-604800 secs>

Reserve Dynamic IP NAT Addresses for a Virtual System

Step 1  user@device1# set vsys <vsysid> setting nat reserve-ip yes

Step 2  user@device1# set vsys <vsysid> setting nat reserve-time <1-604800 secs>

For example, suppose there is a Dynamic IP NAT pool of 30 addresses and there are 20 translations in progress when the nat reserve-time is set to 28800 seconds (8 hours). Those 20 translations are now reserved, so that when the last session (of any application) that uses each source IP/translated IP mapping expires, the translated IP address is reserved for only that source IP address for 8 hours, in case that source IP address needs translation again. Additionally, as the 10 remaining translated addresses are allocated, they each are reserved for their source IP address, each with a timer that begins when the last session for that source IP address expires.
In this manner, each source IP address can be repeatedly translated to its same NAT address from the pool; another host will not be assigned a reserved translated IP address from the pool, even if there are no active sessions for that translated address.
Suppose a source IP/translated IP mapping has all of its sessions expire, and the reservation timer of 8 hours begins. After a new session for that translation begins, the timer stops, and the sessions continue until they all end, at which point the reservation timer starts again, reserving the translated address.
The reservation timer remains in effect on the Dynamic IP NAT pool until you disable it by entering the set setting nat reserve-ip no command or you change the nat reserve-time to a different value.
The CLI commands for reservations do not affect Dynamic IP and Port (DIPP) or Static IP NAT pools.
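The following is an added example, not PAN-OS code, that models the Dynamic IP pool behavior described in this section and in Source NAT above: one-to-one allocation from a pool, the drop that occurs when the pool is exhausted, the Advanced (Dynamic IP/Port Fallback) option, and the nat reserve-time timer that keeps a source/translated pairing after its last session ends and is cancelled when a new session for that source begins. The pool addresses, source hosts, the integer clock and the fallback interface address 203.0.113.100 are assumptions for the scenario; the firewall's internal allocator is not published and is not reproduced here.

```python
from typing import Dict, List, Optional


class DynamicIpPool:
    """One-to-one Dynamic IP NAT pool with optional address reservation (model).

    - Without `reserve_time`, a translated address returns to the free list as soon
      as the last session for its source IP ends.
    - With `reserve_time` (seconds, on an integer clock), the source -> translated
      pairing is kept that long after the last session ends; a new session for the
      same source reuses it and cancels the timer, and no other source can take the
      address until the timer runs out.
    - `dipp_fallback` models Advanced (Dynamic IP/Port Fallback): when the pool is
      empty, new sources are translated with DIPP to a hypothetical interface
      address instead of being dropped (port allocation for that path is not modelled).
    """

    FALLBACK_ADDRESS = "203.0.113.100"   # hypothetical egress interface address

    def __init__(self, addresses: List[str], reserve_time: Optional[int] = None,
                 dipp_fallback: bool = False) -> None:
        self.free: List[str] = list(addresses)
        self.mapping: Dict[str, str] = {}         # source IP -> translated IP
        self.sessions: Dict[str, int] = {}        # source IP -> active session count
        self.reserved_until: Dict[str, int] = {}  # source IP -> clock time reservation ends
        self.reserve_time = reserve_time
        self.dipp_fallback = dipp_fallback
        self.dropped = 0

    def _expire_reservations(self, now: int) -> None:
        for src, until in list(self.reserved_until.items()):
            if now >= until:
                del self.reserved_until[src]
                self.free.append(self.mapping.pop(src))

    def new_session(self, src: str, now: int) -> Optional[str]:
        """Return the translated source address for a new session, or None if dropped."""
        self._expire_reservations(now)
        if src in self.mapping:
            # Existing or reserved pairing: reuse it; the new session stops the timer.
            self.reserved_until.pop(src, None)
        elif self.free:
            self.mapping[src] = self.free.pop(0)
        elif self.dipp_fallback:
            return self.FALLBACK_ADDRESS
        else:
            self.dropped += 1     # the NAT IP allocation failure the drop counters report
            return None
        self.sessions[src] = self.sessions.get(src, 0) + 1
        return self.mapping[src]

    def end_session(self, src: str, now: int) -> None:
        if src not in self.mapping:
            return                 # fallback (DIPP) sessions are not tracked by this pool
        self.sessions[src] -= 1
        if self.sessions[src] == 0:
            if self.reserve_time is None:
                self.free.append(self.mapping.pop(src))
            else:
                # The timer starts only after the last session for this source ends.
                self.reserved_until[src] = now + self.reserve_time


def scenario(reserve_time: Optional[int], dipp_fallback: bool = False) -> List[Optional[str]]:
    """Constructed run on a two-address pool; returns what each new session was translated to."""
    pool = DynamicIpPool(["192.0.2.1", "192.0.2.2"], reserve_time, dipp_fallback)
    results = [pool.new_session("10.0.0.1", now=0),        # takes 192.0.2.1
               pool.new_session("10.0.0.2", now=0)]        # takes 192.0.2.2
    pool.end_session("10.0.0.1", now=100)                  # reservation timer (if any) starts
    results.append(pool.new_session("10.0.0.3", now=200))  # pool full: reused, dropped or fallback?
    results.append(pool.new_session("10.0.0.1", now=300))  # original host comes back
    pool.end_session("10.0.0.1", now=400)
    results.append(pool.new_session("10.0.0.3", now=400 + (reserve_time or 0) + 1))
    return results


if __name__ == "__main__":
    print("reserve-time 28800:", scenario(28800))
    print("no reservation:   ", scenario(None))
    print("with DIPP fallback:", scenario(28800, dipp_fallback=True))
```

With a reservation, the third host is dropped at t=200 even though 192.0.2.1 has no active sessions, the returning first host gets its previous address back, and the third host only obtains the address once the timer has run out; without a reservation the third host takes 192.0.2.1 immediately and it is the returning first host that is dropped.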

NAT Configuration Examples

  Destination NAT Example: One-to-One Mapping
  Destination NAT with Port Translation Example
  Destination NAT Example: One-to-Many Mapping
  Source and Destination NAT Example
  Virtual Wire Source NAT Example
  Virtual Wire Static NAT Example
  Virtual Wire Destination NAT Example

Destination NAT Example: One-to-One Mapping

The most common mistakes when configuring NAT and security rules are the references to the zones and address objects. The addresses used in destination NAT rules always refer to the original IP address in the packet (that is, the pre-translated address). The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address).
The addresses in the security policy also refer to the IP address in the original packet (that is, the pre-NAT address). However, the destination zone is the zone where the end host is physically connected. In other words, the destination zone in the security rule is determined after the route lookup of the post-NAT destination IP address.
In the following example of a one-to-one destination NAT mapping, users from the zone named Untrust-L3 access the server 10.1.1.100 in the zone named DMZ using the IP address 1.1.1.100.

Before configuring the NAT rules, consider the sequence of events for this scenario.
  Host 1.1.1.250 sends an ARP request for the address 1.1.1.100 (the public address of the destination server).
  The firewall receives the ARP request packet for destination 1.1.1.100 on the Ethernet1/1 interface and processes the request. The firewall responds to the ARP request with its own MAC address because of the destination NAT rule configured.
  The NAT rules are evaluated for a match. For the destination IP address to be translated, a destination NAT rule from zone Untrust-L3 to zone Untrust-L3 must be created to translate the destination IP of 1.1.1.100 to 10.1.1.100.
  After determining the translated address, the firewall performs a route lookup for destination 10.1.1.100 to determine the egress interface. In this example, the egress interface is Ethernet1/2 in zone DMZ.
  The firewall performs a security policy lookup to see if the traffic is permitted from zone Untrust-L3 to DMZ.
    The direction of the policy matches the ingress zone and the zone where the server is physically located.
    The security policy refers to the IP address in the original packet, which has a destination address of 1.1.1.100.
  The firewall forwards the packet to the server out egress interface Ethernet1/2. The destination address is changed to 10.1.1.100 as the packet leaves the firewall.
For this example, address objects are configured for webserver-private (10.1.1.100) and Webserver-public (1.1.1.100). The configured NAT rule would look like this:

The direction of the NAT rules is based on the result of route lookup.
The configured security policy to provide access to the server from the Untrust-L3 zone would look like this:
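The rule screenshots are not reproduced here, so the following added example (not PAN-OS code) models the sequence of events above and the flow logic from NAT Policy Overview: route lookup on the original destination, first-match NAT rule evaluation from the top down, a security policy lookup that matches the pre-NAT destination address but the post-NAT destination zone, and translation only on egress. The routing table, the rule names, the Trust-L3 U-turn variant from Configure NAT and the client addresses are assumptions; the two "wrong" security rules show the common mistakes the text warns about (pre-NAT zone, or post-NAT address, in the security rule) and why they silently deny the traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed routing table: prefix -> zone of the egress interface.
ROUTES: Dict[str, str] = {
    "1.1.1.0/24": "Untrust-L3",   # ethernet1/1
    "10.1.1.0/24": "DMZ",         # ethernet1/2
    "0.0.0.0/0": "Untrust-L3",    # default route
}


def egress_zone(ip: str) -> str:
    """Route lookup (longest prefix match) returning the zone of the egress interface."""
    addr = ipaddress.ip_address(ip)
    matching = [ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)]
    return ROUTES[str(max(matching, key=lambda n: n.prefixlen))]


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str                         # zone from the route lookup of the ORIGINAL destination
    dst: Optional[str] = None            # original (pre-NAT) destination; None matches any
    translated_dst: Optional[str] = None
    translated_src: Optional[str] = None


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str                         # POST-NAT destination zone (where the host really is)
    dst: Optional[str] = None            # still matched on the PRE-NAT destination address
    action: str = "allow"


def process(pkt: Dict[str, str], nat_rules: List[NatRule], sec_rules: List[SecurityRule]) -> dict:
    """Order of operations modelled from the text: route lookup, first-match NAT rule,
    security lookup on pre-NAT addresses with post-NAT zones, translation on egress."""
    pre_nat_dst_zone = egress_zone(pkt["dst"])
    nat = next((r for r in nat_rules                      # top-down, first match wins
                if r.from_zone == pkt["from_zone"] and r.to_zone == pre_nat_dst_zone
                and r.dst in (None, pkt["dst"])), None)
    new_dst = nat.translated_dst if nat and nat.translated_dst else pkt["dst"]
    new_src = nat.translated_src if nat and nat.translated_src else pkt["src"]
    post_nat_dst_zone = egress_zone(new_dst)              # second route lookup, translated address
    sec = next((r for r in sec_rules
                if r.from_zone == pkt["from_zone"] and r.to_zone == post_nat_dst_zone
                and r.dst in (None, pkt["dst"])), None)   # pre-NAT address, post-NAT zone
    action = sec.action if sec else "deny"                # no match: implicit interzone deny
    return {"nat_rule": nat.name if nat else None,
            "security_rule": sec.name if sec else None,
            "post_nat_dst_zone": post_nat_dst_zone,
            "action": action,
            "egress_packet": (new_src, new_dst) if action == "allow" else None}


# Rules for the one-to-one example plus the U-turn case (rule names are hypothetical).
NAT_RULES = [
    NatRule("dnat-webserver", "Untrust-L3", "Untrust-L3", dst="1.1.1.100", translated_dst="10.1.1.100"),
    NatRule("uturn-webserver", "Trust-L3", "Untrust-L3", dst="1.1.1.100", translated_dst="10.1.1.100"),
]
SEC_RULES_OK = [
    SecurityRule("allow-web-from-untrust", "Untrust-L3", "DMZ", dst="1.1.1.100"),
    SecurityRule("allow-web-from-trust", "Trust-L3", "DMZ", dst="1.1.1.100"),
]
# The two common mistakes: the pre-NAT zone, or the post-NAT address, in the security rule.
SEC_WRONG_ZONE = [SecurityRule("allow-web", "Untrust-L3", "Untrust-L3", dst="1.1.1.100")]
SEC_WRONG_ADDR = [SecurityRule("allow-web", "Untrust-L3", "DMZ", dst="10.1.1.100")]

EXTERNAL_CLIENT = {"from_zone": "Untrust-L3", "src": "1.1.1.250", "dst": "1.1.1.100"}
INTERNAL_CLIENT = {"from_zone": "Trust-L3", "src": "192.168.1.10", "dst": "1.1.1.100"}

if __name__ == "__main__":
    print(process(EXTERNAL_CLIENT, NAT_RULES, SEC_RULES_OK))
    print(process(INTERNAL_CLIENT, NAT_RULES, SEC_RULES_OK))
    print("wrong zone:", process(EXTERNAL_CLIENT, NAT_RULES, SEC_WRONG_ZONE)["action"])
    print("wrong addr:", process(EXTERNAL_CLIENT, NAT_RULES, SEC_WRONG_ADDR)["action"])
```

The same check on a live firewall is test nat-policy-match for the NAT side and test security-policy-match for the security side; the point of the model is that both lookups see the packet as it arrived, and only the zone in the security lookup reflects where the translated destination actually lives.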

736 PANOS7.1AdministratorsGuide PaloAltoNetworks,Inc.


Networking NAT

DestinationNATwithPortTranslationExample

Inthisexample,thewebserverisconfiguredtolistenforHTTPtrafficonport8080.Theclientsaccessthe
webserverusingtheIPaddress1.1.1.100andTCPPort80.ThedestinationNATruleisconfiguredto
translatebothIPaddressandportto10.1.1.100andTCPport8080.Addressobjectsareconfiguredfor
webserverprivate(10.1.1.100)andServerspublic(1.1.1.100).

ThefollowingNATandsecurityrulesmustbeconfiguredonthefirewall:

Usetheshow session allCLIcommandtoverifythetranslation.

PaloAltoNetworks,Inc. PANOS7.1AdministratorsGuide 737


NAT Networking

Destination NAT Example: One-to-Many Mapping

In this example, one IP address maps to two different internal hosts. The firewall uses the application to
identify the internal host to which the firewall forwards the traffic.

All HTTP traffic is sent to host 10.1.1.100 and SSH traffic is sent to server 10.1.1.101. The following address
objects are required:
- Address object for the one pre-translated IP address of the server
- Address object for the real IP address of the SSH server
- Address object for the real IP address of the web server
The corresponding address objects are created:
- Servers-public: 1.1.1.100
- SSH-server: 10.1.1.101
- webserver-private: 10.1.1.100
The NAT rules would look like this:

The security rules would look like this:


Source and Destination NAT Example

In this example, NAT rules translate both the source and destination IP address of packets between the
clients and the server.
- Source NAT: The source addresses in the packets from the clients in the Trust-L3 zone to the server in
the Untrust-L3 zone are translated from the private addresses in the network 192.168.1.0/24 to the IP
address of the egress interface on the firewall (10.16.1.103). Dynamic IP and Port translation causes the
port numbers to be translated also.
- Destination NAT: The destination addresses in the packets from the clients to the server are translated
from the server's public address (80.80.80.80) to the server's private address (10.2.133.15).

The following address objects are created for destination NAT:
- Server-PreNAT: 80.80.80.80
- Server-postNAT: 10.2.133.15
The following screenshots illustrate how to configure the source and destination NAT policies for the
example.


To verify the translations, use the CLI command show session all filter destination 80.80.80.80. Note
that a client address 192.168.1.11 and its port number are translated to 10.16.1.103 and a port number. The
destination address 80.80.80.80 is translated to 10.2.133.15.
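The lookup order that the NAT examples above rely on (NAT rule matched on the ingress zone and the zone the original destination routes to; route lookup on the translated destination to find the egress zone; security policy matched on that post-NAT zone but on the pre-NAT addresses) is easy to get wrong when writing security rules. The following Python model is an added example, not Palo Alto Networks code, that walks a packet through those three lookups for the destination NAT with port translation, the one-to-many (service-based) mapping, and the combined source (Dynamic IP and Port) and destination NAT cases. The interface names, zones and addresses are taken from the examples; the routing table, the ethernet1/3 ingress interface for 192.168.1.0/24, the rule names and the client address 203.0.113.5 are constructed for this example.

```python
import ipaddress
import itertools
from dataclasses import dataclass

# Constructed topology. Interface names, zone names and the addresses that appear
# in the guide's examples are reused; the routing table, the ethernet1/3 ingress
# interface for 192.168.1.0/24 and the rule names are assumptions for this example.
ROUTES = [  # (prefix, egress interface, zone) - the most specific prefix wins
    ("10.1.1.0/24", "ethernet1/2", "DMZ"),
    ("192.168.1.0/24", "ethernet1/3", "Trust-L3"),
    ("0.0.0.0/0", "ethernet1/1", "Untrust-L3"),
]
INTERFACE_IP = {"ethernet1/1": "10.16.1.103"}  # address used for Dynamic IP and Port

NAT_RULES = [  # evaluated top down, first match wins
    {"name": "web-dnat", "from": "Untrust-L3", "to": "Untrust-L3", "dst": "1.1.1.100/32",
     "service": ("tcp", 80), "translated_dst": "10.1.1.100", "translated_dport": 8080},
    {"name": "ssh-dnat", "from": "Untrust-L3", "to": "Untrust-L3", "dst": "1.1.1.100/32",
     "service": ("tcp", 22), "translated_dst": "10.1.1.101"},
    {"name": "server-dnat-dipp", "from": "Trust-L3", "to": "Untrust-L3",
     "src": "192.168.1.0/24", "dst": "80.80.80.80/32", "service": None,
     "translated_dst": "10.2.133.15", "dipp_interface": "ethernet1/1"},
]
SECURITY_RULES = [  # note: destination is the PRE-NAT address, zone is the POST-NAT zone
    {"name": "allow-public-server", "from": "Untrust-L3", "to": "DMZ",
     "dst": "1.1.1.100/32", "action": "allow"},
    {"name": "allow-outbound", "from": "Trust-L3", "to": "Untrust-L3",
     "src": "192.168.1.0/24", "dst": "80.80.80.80/32", "action": "allow"},
]
_dipp_ports = itertools.count(1025)  # stand-in for the firewall's source-port pool


@dataclass
class Packet:
    from_zone: str
    src: str
    dst: str
    dport: int
    sport: int = 51000
    proto: str = "tcp"


def in_net(ip, cidr):
    """True when cidr is unset (Any) or contains ip."""
    return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def route_lookup(ip):
    """Longest-prefix match over ROUTES; returns (egress interface, zone)."""
    _, iface, zone = max((r for r in ROUTES if in_net(ip, r[0])),
                         key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return iface, zone


def evaluate(pkt, nat_rules=NAT_RULES, security_rules=SECURITY_RULES):
    """Walk a packet through NAT lookup, route lookup and security policy lookup."""
    # 1. NAT rule match: ingress zone + zone that the ORIGINAL destination routes to.
    _, pre_nat_zone = route_lookup(pkt.dst)
    nat = next((r for r in nat_rules
                if r["from"] == pkt.from_zone and r["to"] == pre_nat_zone
                and in_net(pkt.src, r.get("src")) and in_net(pkt.dst, r.get("dst"))
                and (r["service"] is None or r["service"] == (pkt.proto, pkt.dport))), None)
    src, sport, dst, dport = pkt.src, pkt.sport, pkt.dst, pkt.dport
    if nat and "translated_dst" in nat:
        dst = nat["translated_dst"]
        dport = nat.get("translated_dport") or pkt.dport
    # 2. Route lookup on the TRANSLATED destination decides egress interface and zone.
    egress_if, egress_zone = route_lookup(dst)
    if nat and "dipp_interface" in nat:
        src, sport = INTERFACE_IP[nat["dipp_interface"]], next(_dipp_ports)
    # 3. Security policy: ingress zone + post-NAT egress zone, but PRE-NAT addresses.
    sec = next((r for r in security_rules
                if r["from"] == pkt.from_zone and r["to"] == egress_zone
                and in_net(pkt.src, r.get("src")) and in_net(pkt.dst, r.get("dst"))), None)
    return {
        "nat_rule": nat["name"] if nat else None,
        "egress": egress_if, "to_zone": egress_zone,
        "translated": (src, sport, dst, dport),
        "security_rule": sec["name"] if sec else None,
        "action": sec["action"] if sec else "deny (no security rule matched)",
    }


if __name__ == "__main__":
    for p in (Packet("Untrust-L3", "203.0.113.5", "1.1.1.100", 80),
              Packet("Untrust-L3", "203.0.113.5", "1.1.1.100", 22),
              Packet("Trust-L3", "192.168.1.11", "80.80.80.80", 443)):
        print(p, "->", evaluate(p))
```

Passing a security rule written against the post-NAT address (10.1.1.100) instead of 1.1.1.100 makes the third lookup fail, which is the mismatch the "security policy refers to the IP address in the original packet" note is warning about; the model returns "deny" in that case because no rule matched.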

Virtual Wire Source NAT Example

Virtual wire deployment of a Palo Alto Networks firewall includes the benefit of providing security
transparently to the end devices. It is possible to configure NAT for interfaces configured in a virtual wire.
All of the NAT types are allowed: source NAT (Dynamic IP, Dynamic IP and Port, static) and destination NAT.
Because interfaces in a virtual wire do not have an IP address assigned, it is not possible to translate an IP
address to an interface IP address. You must configure an IP address pool.
When performing NAT on virtual wire interfaces, it is recommended that you translate the source address
to a different subnet than the one on which the neighboring devices are communicating. The firewall will not
proxy ARP for NAT addresses. Proper routing must be configured on the upstream and downstream routers
in order for the packets to be translated in virtual wire mode. Neighboring devices will only be able to resolve
ARP requests for IP addresses that reside on the interface of the device on the other end of the virtual wire.
See Proxy ARP for NAT Address Pools for more explanation about proxy ARP.
In the source NAT and static NAT examples below, security policies (not shown) are configured from the
virtual wire zone named vw-trust to the zone named vw-untrust.
In the following topology, two routers are configured to provide connectivity between subnets 1.1.1.0/24
and 3.1.1.0/24. The link between the routers is configured in subnet 2.1.1.0/30. Static routing is configured
on both routers to establish connectivity between the networks. Before the firewall is deployed in the
environment, the topology and the routing table for each router look like this:

Route on R1:

Destination    Next Hop
3.1.1.0/24     2.1.1.2


Route on R2:

Destination    Next Hop
1.1.1.0/24     2.1.1.1

Now the firewall is deployed in virtual wire mode between the two Layer 3 devices. All communications from
clients in network 1.1.1.0/24 accessing servers in network 3.1.1.0/24 are translated to an IP address in the
range 2.1.1.9 to 2.1.1.14. A NAT IP address pool with range 2.1.1.9 to 2.1.1.14 is configured on the firewall.

All connections from the clients in subnet 1.1.1.0/24 will arrive at router R2 with a translated source address
in the range 2.1.1.9 to 2.1.1.14. The response from servers will be directed to these addresses. In order for
source NAT to work, you must configure proper routing on router R2, so that packets destined for other
addresses are not dropped. The routing table below shows the modified routing table on router R2. The
route ensures the traffic to the destinations 2.1.1.9 to 2.1.1.14 (that is, hosts on subnet 2.1.1.8/29) will be sent
back through the firewall to router R1.
Route on R2:

Destination    Next Hop
2.1.1.8/29     2.1.1.1

Virtual Wire Static NAT Example

In this example, security policies are configured from the virtual wire zone named Trust to the virtual wire
zone named Untrust. Host 1.1.1.100 is statically translated to address 2.1.1.100. With the Bi-directional
option enabled, the firewall generates a NAT policy from the Untrust zone to the Trust zone. Clients on the
Untrust zone access the server using the IP address 2.1.1.100, which the firewall translates to 1.1.1.100. Any
connections initiated by the server at 1.1.1.100 are translated to source IP address 2.1.1.100.

Route on R2:

Destination    Next Hop
2.1.1.100/32   2.1.1.1


Virtual Wire Destination NAT Example

Clients in the Untrust zone access the server using the IP address 2.1.1.100, which the firewall translates to
1.1.1.100. Both the NAT and security policies must be configured from the Untrust zone to the Trust zone.

Route on R2:

Destination    Next Hop
2.1.1.100/32   2.1.1.1


NPTv6

IPv6-to-IPv6 Network Prefix Translation (NPTv6) performs a stateless, static translation of one IPv6 prefix
to another IPv6 prefix (port numbers are not changed). There are four primary benefits of NPTv6:
- You can prevent the asymmetrical routing problems that result from Provider Independent addresses
being advertised from multiple data centers.
- NPTv6 allows more specific routes to be advertised so that return traffic arrives at the same firewall that
transmitted the traffic.
- Private and public addresses are independent; you can change one without affecting the other.
- You have the ability to translate Unique Local Addresses to globally routable addresses.
This topic builds on a basic understanding of NAT. You should be sure you are familiar with NAT concepts
before configuring NPTv6.
- NPTv6 Overview
- How NPTv6 Works
- NDP Proxy
- NPTv6 and NDP Proxy Example
- Create an NPTv6 Policy

NPTv6 Overview

This section describes IPv6-to-IPv6 Network Prefix Translation (NPTv6) and how to configure it. NPTv6 is
defined in RFC 6296. Palo Alto Networks does not implement all functionality defined in the RFC, but is
compliant with the RFC in the functionality it has implemented.
NPTv6 performs stateless translation of one IPv6 prefix to another IPv6 prefix. It is stateless, meaning that
it does not keep track of ports or sessions on the addresses translated. NPTv6 differs from NAT66, which is
stateful. Palo Alto Networks supports NPTv6 RFC 6296 prefix translation; it does not support NAT66.
With the limited addresses in the IPv4 space, NAT was required to translate private, non-routable IPv4
addresses to one or more globally routable IPv4 addresses.
For organizations using IPv6 addressing, there is no need to translate IPv6 addresses to IPv6 addresses due
to the abundance of IPv6 addresses. However, there are Reasons to Use NPTv6 to translate IPv6 prefixes
at the firewall.
NPTv6 translates the prefix portion of an IPv6 address but not the host portion or the application port
numbers. The host portion is simply copied, and therefore remains the same on either side of the firewall.
The host portion also remains visible within the packet header.
- NPTv6 Does Not Provide Security
- Platform Support for NPTv6
- Unique Local Addresses
- Reasons to Use NPTv6


NPTv6 Does Not Provide Security

It is important to understand that NPTv6 does not provide security. In general, stateless network address
translation does not provide any security; it provides an address translation function. NPTv6 does not hide
or translate port numbers. You must set up firewall security policies correctly in each direction to ensure that
traffic is controlled as you intended.

Platform Support for NPTv6

NPTv6 is supported on the following platforms (NPTv6 with hardware lookup but packets go through the
CPU): PA-7000 Series, PA-5000 Series, PA-4000 Series, PA-3060 firewall, PA-3050 firewall, and PA-2000
Series. Platforms supported with no ability to have hardware perform a session lookup: PA-3020 firewall,
PA-500 firewall, PA-200 firewall, and VM-Series.

Unique Local Addresses

RFC 4193, Unique Local IPv6 Unicast Addresses, defines unique local addresses (ULAs), which are IPv6
unicast addresses. They can be considered IPv6 equivalents of the private IPv4 addresses identified in RFC
1918, Address Allocation for Private Internets, which cannot be routed globally.
A ULA is globally unique, but not expected to be globally routable. It is intended for local communications
and to be routable in a limited area such as a site or among a small number of sites. Palo Alto Networks does
not recommend that you assign ULAs, but a firewall configured with NPTv6 will translate prefixes sent to it,
including ULAs.

Reasons to Use NPTv6

Although there is no shortage of public, globally routable IPv6 addresses, there are reasons you might want
to translate IPv6 addresses. NPTv6:
- Prevents asymmetrical routing: Asymmetric routing can occur if a Provider Independent address space
(/48, for example) is advertised by multiple data centers to the global Internet. By using NPTv6, you can
advertise more specific routes from regional firewalls, and the return traffic will arrive at the same firewall
where the source IP address was translated by the translator.
- Provides address independence: You need not change the IPv6 prefixes used inside your local network
if the global prefixes are changed (for example, by an ISP or as a result of merging organizations).
Conversely, you can change the inside addresses at will without disrupting the addresses that are used
to access services in the private network from the Internet. In either case, you update a NAT rule rather
than reassign network addresses.
- Translates ULAs for routing: You can have Unique Local Addresses assigned within your private
network, and have the firewall translate them to globally routable addresses. Thus, you have the
convenience of private addressing and the functionality of translated, routable addresses.
- Reduces exposure to IPv6 prefixes: IPv6 prefixes are less exposed than if you didn't translate network
prefixes; however, NPTv6 is not a security measure. The interface identifier portion of each IPv6 address
is not translated; it remains the same on each side of the firewall and visible to anyone who can see the
packet header. Additionally, the prefixes are not secure; they can be determined by others.


How NPTv6 Works

When you configure a policy for NPTv6, the Palo Alto Networks firewall performs a static, one-to-one IPv6
translation in both directions. The translation is based on the algorithm described in RFC 6296.
In one use case, the firewall performing NPTv6 is located between an internal network and an external
network (such as the Internet) that uses globally routable prefixes. When datagrams are going in the
outbound direction, the internal source prefix is replaced with the external prefix; this is known as source
translation.
In another use case, when datagrams are going in the inbound direction, the destination prefix is replaced
with the internal prefix (known as destination translation). The figure below illustrates destination translation
and a characteristic of NPTv6: only the prefix portion of an IPv6 address is translated. The host portion of
the address is not translated and remains the same on either side of the firewall. In the figure below, the host
identifier is 111::55 on both sides of the firewall.

It is important to understand that NPTv6 does not provide security. While you are planning your NPTv6 NAT
policies, remember also to configure security policies in each direction.
A NAT or NPTv6 policy rule cannot have both the Source Address and the Translated Address set to Any.
In an environment where you want IPv6 prefix translation, three firewall features work together: NPTv6
NAT policies, security policies, and NDP Proxy.
The firewall does not translate the following:
- Addresses that the firewall has in its Neighbor Discovery (ND) cache.
- The subnet 0xFFFF (in accordance with RFC 6296, Appendix B).
- IP multicast addresses.
- IPv6 addresses with a prefix length of /31 or shorter.
- Link-local addresses. If the firewall is operating in virtual wire mode, there are no IP addresses to
translate, and the firewall does not translate link-local addresses.
- Addresses for TCP sessions that authenticate peers using the TCP Authentication Option (RFC 5925).
When using NPTv6, performance for fast-path traffic is impacted because NPTv6 is performed in the slow
path.
NPTv6 will work with IPSec IPv6 only if the firewall is originating and terminating the tunnel. Transit IPSec
traffic would fail because the source and/or destination IPv6 address would be modified. A NAT traversal
technique that encapsulates the packet would allow IPSec IPv6 to work with NPTv6.
- Checksum-Neutral Mapping
- Bi-Directional Translation
- NPTv6 Applied to a Specific Service

Checksum-Neutral Mapping

The NPTv6 mapping translations that the firewall performs are checksum-neutral, meaning that "...they
result in IP headers that will generate the same IPv6 pseudo-header checksum when the checksum is
calculated using the standard Internet checksum algorithm [RFC 1071]." See RFC 6296, Section 2.6, for more
information about checksum-neutral mapping.
If you are using NPTv6 to perform destination NAT, you can provide the internal IPv6 address and the
external prefix/prefix length of the firewall interface in the syntax of the test nptv6 CLI command. The CLI
responds with the checksum-neutral, public IPv6 address to use in your NPTv6 configuration to reach that
destination.
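The following Python is an added example (not Palo Alto Networks code) of the RFC 6296 checksum-neutral mapping described above, that is, the computation the test nptv6 command performs for you. It enforces the constraints listed under Create an NPTv6 Policy (prefix lengths /32 to /64, no interface identifier in the prefix) and refuses the 0xFFFF subnet in accordance with RFC 6296, Appendix B. The prefixes FDD4:7A3E::/48 and 2001:DB8::/48 are taken from the NPTv6 and NDP Proxy Example; the /48 length and the second pair of /64 prefixes used in the tests are assumptions, since the guide does not state them.

```python
import ipaddress

# Added example, not Palo Alto Networks code: RFC 6296 checksum-neutral prefix
# translation. Prefix-length bounds follow the NPTv6 policy constraints in the guide;
# the 0xFFFF subnet exclusion is RFC 6296 Appendix B.


def _words(n):
    """Split a 128-bit integer into eight 16-bit words, most significant first."""
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def _from_words(words):
    n = 0
    for w in words:
        n = (n << 16) | (w & 0xFFFF)
    return n


def oc_add(a, b):
    """One's complement 16-bit addition with end-around carry (RFC 1071 arithmetic)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def oc_sum(words):
    total = 0
    for w in words:
        total = oc_add(total, w)
    return total


def oc_sub(a, b):
    """One's complement subtraction: a + (~b)."""
    return oc_add(a, (~b) & 0xFFFF)


def pseudo_header_word_sum(addr):
    """Contribution of one IPv6 address to the TCP/UDP pseudo-header checksum,
    normalized so the two one's complement zeros (0x0000 and 0xFFFF) compare equal."""
    s = oc_sum(_words(int(ipaddress.IPv6Address(addr))))
    return 0 if s == 0xFFFF else s


def nptv6_translate(addr, from_prefix, to_prefix):
    """Rewrite the prefix of addr from from_prefix to to_prefix checksum-neutrally.

    The same routine serves both directions: swap the two prefixes to undo a mapping.
    """
    src = ipaddress.IPv6Network(from_prefix, strict=False)
    dst = ipaddress.IPv6Network(to_prefix, strict=False)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("original and translated prefixes must have the same length")
    if not 32 <= src.prefixlen <= 64:
        raise ValueError("supported prefix lengths are /32 to /64")
    ip = ipaddress.IPv6Address(addr)
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    orig = _words(int(ip))
    if src.prefixlen <= 48 and orig[3] == 0xFFFF:
        raise ValueError("subnet 0xFFFF is never translated (RFC 6296, Appendix B)")
    # 1. Replace the prefix bits; the host bits are copied through unchanged.
    host_mask = ((1 << 128) - 1) ^ int(src.netmask)
    new = _words((int(ip) & host_mask) | int(dst.network_address))
    # 2. adjustment = sum(old prefix words) - sum(new prefix words); adding it to one
    #    word of the address keeps the address's one's complement sum unchanged.
    adj = oc_sub(oc_sum(_words(int(src.network_address))),
                 oc_sum(_words(int(dst.network_address))))
    # 3. Prefixes of /48 or shorter absorb the adjustment in the subnet word (bits 48-63);
    #    longer prefixes use the first interface-identifier word that is not 0xFFFF.
    idx = 3 if src.prefixlen <= 48 else next(i for i in range(4, 8) if new[i] != 0xFFFF)
    new[idx] = oc_add(new[idx], adj)
    if new[idx] == 0xFFFF:  # 0xFFFF and 0x0000 are the same value; keep the canonical form
        new[idx] = 0
    return str(ipaddress.IPv6Address(_from_words(new)))


if __name__ == "__main__":
    inside, outside = "FDD4:7A3E::/48", "2001:DB8::/48"
    public = nptv6_translate("FDD4:7A3E::100", inside, outside)
    print(public, nptv6_translate(public, outside, inside))
```

Two things the example makes visible: with a /48 policy the interface identifier (::100) is unchanged, as the guide states, but the subnet word is not zero after translation (FDD4:7A3E::100 maps to 2001:db8:0:4a5a::100), so the public address to publish in DNS or in the NDP Proxy table is the one test nptv6 reports rather than a naive prefix swap; and reversing the prefixes returns the original address, which is what makes Bi-directional translation possible without per-session state.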

Bi-Directional Translation

When you Create an NPTv6 Policy, the Bi-directional option in the Translated Packet tab provides a
convenient way for you to have the firewall create a corresponding NAT or NPTv6 translation in the
opposite direction of the translation you configured. By default, Bi-directional translation is disabled.

If you enable Bi-directional translation, it is very important to make sure you have security
policies in place to control the traffic in both directions. Without such policies, the
Bi-directional feature will allow packets to be automatically translated in both directions, which
you might not want.

NPTv6 Applied to a Specific Service

The Palo Alto Networks implementation of NPTv6 offers the ability to filter packets to limit which packets
are subject to translation. Keep in mind that NPTv6 does not perform port translation. There is no concept
of Dynamic IP and Port (DIPP) translation because NPTv6 translates IPv6 prefixes only. However, you can
specify that only packets for a certain service port undergo NPTv6 translation. To do so, Create an NPTv6
Policy that specifies a Service in the Original Packet.

NDP Proxy

Neighbor Discovery Protocol (NDP) for IPv6 performs functions similar to those provided by Address
Resolution Protocol (ARP) for IPv4. RFC 4861 defines Neighbor Discovery for IP version 6 (IPv6). Hosts,
routers, and firewalls use NDP to determine the link-layer addresses of neighbors on connected links, to
keep track of which neighbors are reachable, and to update neighbors' link-layer addresses that have
changed. Peers advertise their own MAC address and IPv6 address, and they also solicit addresses from
peers.
NDP also supports the concept of proxy, when a node has a neighboring device that is able to forward
packets on behalf of the node. The device (firewall) performs the role of NDP Proxy.


Palo Alto Networks firewalls support NDP and NDP Proxy on their interfaces. When you configure the
firewall to act as an NDP Proxy for addresses, it allows the firewall to send Neighbor Discovery (ND)
advertisements and respond to ND solicitations from peers that are asking for MAC addresses of IPv6
prefixes assigned to devices behind the firewall. You can also configure addresses for which the firewall will
not respond to proxy requests (negated addresses).
In fact, NDP is enabled by default, and you need to configure NDP Proxy when you configure NPTv6, for
the following reasons:
- The stateless nature of NPTv6 requires a way to instruct the firewall to respond to ND packets sent to
specified NDP Proxy addresses, and to not respond to negated NDP Proxy addresses.

It is recommended that you negate your neighbors' addresses in the NDP Proxy configuration,
because NDP Proxy indicates the firewall will reach those addresses behind the firewall, but the
neighbors are not behind the firewall.

- NDP causes the firewall to save the MAC addresses and IPv6 addresses of neighbors in its ND cache.
(Refer to the figure in NPTv6 and NDP Proxy Example.) The firewall does not perform NPTv6 translation
for addresses that it finds in its ND cache because doing so could introduce a conflict. If the host portion
of an address in the cache happens to overlap with the host portion of a neighbor's address, and the prefix
in the cache is translated to the same prefix as that of the neighbor (because the egress interface on the
firewall belongs to the same subnet as the neighbor), then you would have a translated address that is
exactly the same as the legitimate IPv6 address of the neighbor, and a conflict occurs. (If an attempt to
perform NPTv6 translation occurs on an address in the ND cache, an informational syslog message logs
the event: NPTv6 Translation Failed.)
When an interface with NDP Proxy enabled receives an ND solicitation requesting a MAC address for an
IPv6 address, the following sequence occurs:
- The firewall searches the ND cache to ensure the IPv6 address from the solicitation is not there. If the
address is there, the firewall ignores the ND solicitation.
- If the source IPv6 address is 0, that means the packet is a Duplicate Address Detection packet, and the
firewall ignores the ND solicitation.
- The firewall does a Longest Prefix Match search of the NDP Proxy addresses and finds the best match
to the address in the solicitation. If the Negate field for the match is checked (in the NDP Proxy list), the
firewall drops the ND solicitation.
- Only if the Longest Prefix Match search matches, and that matched address is not negated, will the NDP
Proxy respond to the ND solicitation. The firewall responds with an ND packet, providing its own MAC
address as the MAC address of the next hop toward the queried destination.
In order to successfully support NDP, the firewall does not perform NDP Proxy for the following:
- Duplicate Address Detection (DAD).
- Addresses in the ND cache (because such addresses do not belong to the firewall; they belong to
discovered neighbors).
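The decision sequence above (ND cache check, DAD check, Longest Prefix Match with Negate) is small enough to write down, and doing so shows why the guide recommends negating neighbor addresses. The following Python is an added example, not Palo Alto Networks code, of that sequence applied to the addresses of the NPTv6 and NDP Proxy Example; the /64 length on the 2001:DB8:: proxy entry and the constructed target 2001:DB8::50 are assumptions.

```python
import ipaddress

# Added example, not Palo Alto Networks code: the NDP Proxy response decision
# as the guide describes it, checked in the same order.
UNSPECIFIED = ipaddress.IPv6Address("::")  # source of a Duplicate Address Detection probe


def ndp_proxy_decision(target, source, nd_cache, proxy_entries):
    """Decide whether an interface with NDP Proxy enabled answers a Neighbor Solicitation.

    target        - IPv6 address asked for in the solicitation
    source        - IPv6 source address of the solicitation
    nd_cache      - addresses of neighbors the firewall has already discovered
    proxy_entries - list of (address or prefix, negate) from the NDP Proxy table
    Returns (respond, reason).
    """
    target = ipaddress.IPv6Address(target)
    # 1. A discovered neighbor owns the address; answering for it would conflict.
    if target in {ipaddress.IPv6Address(a) for a in nd_cache}:
        return False, "target is in the ND cache (a real neighbor answers)"
    # 2. Unspecified source = DAD probe; the proxy never claims those.
    if ipaddress.IPv6Address(source) == UNSPECIFIED:
        return False, "Duplicate Address Detection probe is ignored"
    # 3. Longest Prefix Match over the proxy table; a negated best match drops the NS.
    best = None
    for entry, negate in proxy_entries:
        net = ipaddress.IPv6Network(entry, strict=False)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negate)
    if best is None:
        return False, "no NDP Proxy entry covers the target"
    if best[1]:
        return False, f"best match {best[0]} is negated"
    # 4. Respond, advertising the firewall's own MAC as the next hop toward the target.
    return True, f"best match {best[0]}: advertise the firewall's MAC"


# Constructed data mirroring the guide's example: the untrust-side neighbors are in
# the ND cache and, as recommended, negated; the /64 on 2001:DB8:: is an assumption.
ND_CACHE = ["2001:DB8::1", "2001:DB8::2", "2001:DB8::3"]
PROXY_TABLE = [("2001:DB8::/64", False)] + [(a, True) for a in ND_CACHE]

if __name__ == "__main__":
    for tgt, src in (("2001:DB8::100", "2001:DB8::1"),
                     ("2001:DB8::1", "2001:DB8::2"),
                     ("2001:DB8::100", "::")):
        print(tgt, "from", src, "->", ndp_proxy_decision(tgt, src, ND_CACHE, PROXY_TABLE))
```

Without the negated entries, a neighbor that had aged out of the ND cache would be matched by the /64 proxy entry and the firewall would answer for an address it does not reach, which is the conflict the recommendation is meant to prevent; the last assertion in the test exercises exactly that case.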


NPTv6 and NDP Proxy Example

The following figure and text illustrate how NPTv6 and NDP Proxy function together.

The ND Cache in NPTv6 Example

In the above example, multiple peers connect to the firewall through a switch, with ND occurring between
the peers and the switch, between the switch and the firewall, and between the firewall and the devices on
the trust side.
As the firewall learns of peers, it saves their addresses to its ND cache. Trusted peers FDDA:7A3E::1,
FDDA:7A3E::2, and FDDA:7A3E::3 are connected to the firewall on the trust side. FDDA:7A3E::99 is the
untranslated address of the firewall itself; its public-facing address is 2001:DB8::99. The addresses of the
peers on the untrust side have been discovered and appear in the ND cache: 2001:DB8::1, 2001:DB8::2, and
2001:DB8::3.

The NDP Proxy in NPTv6 Example

In our scenario, we want the firewall to act as NDP Proxy for the prefixes on devices behind the firewall.
When the firewall is NDP Proxy for a specified set of addresses/ranges/prefixes, and it sees an address from
this range in an ND solicitation or advertisement, the firewall will respond as long as a device with that
specific address doesn't respond first, the address is not negated in the NDP Proxy configuration, and the
address is not in the ND cache. The firewall does the prefix translation (described below) and sends the
packet to the trust side, where that address might or might not be assigned to a device.
In this example, the ND Proxy table contains the network address 2001:DB8::0. When the interface sees an
ND for 2001:DB8::100, no other devices on the L2 switch claim the packet, so the proxy range causes the
firewall to claim it, and after translation to FDD4:7A3E::100, the firewall sends it out to the trust side.


The NPTv6 Translation in NPTv6 Example

In this example, the Original Packet is configured with a Source Address of FDD4:7A3E::0 and a Destination of
Any. The Translated Packet is configured with the Translated Address of 2001:DB8::0.
Therefore, outgoing packets with a source of FDD4:7A3E::0 are translated to 2001:DB8::0. Incoming
packets with a destination prefix in the network 2001:DB8::0 are translated to FDD4:7A3E::0.

Neighbors in the ND Cache are Not Translated

In our example, there are hosts behind the firewall with host identifiers :1, :2, and :3. If the prefixes of those
hosts are translated to a prefix that exists beyond the firewall, and if those devices also have host identifiers
:1, :2, and :3, because the host identifier portion of the address remains unchanged, the resulting translated
address would belong to the existing device, and an addressing conflict would result. In order to avoid a
conflict with overlapping host identifiers, NPTv6 does not translate addresses that it finds in its ND cache.

Create an NPTv6 Policy

Perform this task when you want to configure a NAT NPTv6 policy to translate one IPv6 prefix to another
IPv6 prefix. The prerequisites for this task are:
- Enable IPv6. Select Device > Setup > Session. Click Edit and select IPv6 Firewalling.
- Configure a Layer 3 Ethernet interface with a valid IPv6 address and with IPv6 enabled. Select Network >
Interfaces > Ethernet, select an interface, and on the IPv6 tab, select Enable IPv6 on the interface.
- Create network security policies, because NPTv6 does not provide security.
- Decide whether you want source translation, destination translation, or both.
- Identify the zones to which you want to apply the NPTv6 policy.
- Identify your original and translated IPv6 prefixes.

Configure an NPTv6 Policy

Step 1: Create a new NPTv6 policy.
1. Select Policies > NAT and click Add.
2. On the General tab, enter a descriptive Name for the NPTv6 policy rule.
3. (Optional) Enter a Description and Tag.
4. For NAT Type, select NPTv6.



Step 2: Specify the match criteria for incoming packets; packets that match all of the criteria are subject to
the NPTv6 translation. Zones are required for both types of translation.
1. On the Original Packet tab, for Source Zone, leave Any or click Add to enter the source zone to which
the policy applies.
2. Enter the Destination Zone to which the policy applies.
3. (Optional) Select a Destination Interface.
4. (Optional) Select a Service to restrict what type of packets are translated.
5. If you are doing source translation, enter a Source Address or select Any. The address could be an
address object. The following constraints apply to Source Address and Destination Address:
   - Prefixes of Source Address and Destination Address for the Original Packet and Translated Packet
   must be in the format xxxx:xxxx::/yy, although leading zeros in the prefix can be dropped.
   - The IPv6 address cannot have an interface identifier (host) portion defined.
   - The range of supported prefix lengths is /32 to /64.
   - The Source Address and Destination Address cannot both be set to Any.
6. If you are doing source translation, you can optionally enter a Destination Address. If you are doing
destination translation, the Destination Address is required. See the constraints listed in the prior step.

Step 3: Specify the translated packet.
1. On the Translated Packet tab, if you want to do source translation, in the Source Address Translation
section, for Translation Type, select Static IP. If you do not want to do source translation, select None.
2. If you chose Static IP, the Translated Address field appears. Enter the translated IPv6 prefix or address
object. See the constraints listed in Step 5.
   It is a best practice to configure your Translated Address to be the prefix of the untrust interface
   address of your firewall. For example, if your untrust interface has the address 2001:1a:1b:1::99/64,
   make your Translated Address 2001:1a:1b:1::0/64.
3. (Optional) Select Bi-directional if you want the firewall to create a corresponding NPTv6 translation in
the opposite direction of the translation you configure.
   If you enable Bi-directional translation, it is very important to make sure you have Security policy
   rules in place to control the traffic in both directions. Without such policy rules, Bi-directional
   translation allows packets to be automatically translated in both directions, which you might not want.
4. If you want to do destination translation, select Destination Address Translation. In the Translated
Address field, choose an address object from the drop-down or enter your internal destination address.
5. Click OK.



Step 4: Configure NDP Proxy. When you configure the firewall to act as an NDP Proxy for addresses, it
allows the firewall to send Neighbor Discovery (ND) advertisements and respond to ND solicitations from
peers that are asking for MAC addresses of IPv6 prefixes assigned to devices behind the firewall.
1. Select Network > Interfaces > Ethernet and select an interface.
2. On the Advanced > NDP Proxy tab, select Enable NDP Proxy and click Add.
3. Enter the IP Address(es) for which NDP Proxy is enabled. It can be an address, a range of addresses, or
a prefix and prefix length. The order of IP addresses does not matter. These addresses are ideally the
same as the Translated Addresses that you configured in an NPTv6 policy.
   If the address is a subnet, the NDP Proxy will respond to all addresses in the subnet, so you should
   list the neighbors in that subnet with Negate selected, as described in the next step.
4. (Optional) Enter one or more addresses for which you do not want NDP Proxy enabled, and select
Negate. For example, from an IP address range or prefix range configured in the prior step, you could
negate a smaller subset of addresses. It is recommended that you negate the addresses of the neighbors
of the firewall.

Step 5: Save the configuration. Click OK and Commit.


ECMP

Equal Cost Multiple Path (ECMP) processing is a networking feature that enables the firewall to use up to
four equal-cost routes to the same destination. Without this feature, if there are multiple equal-cost routes
to the same destination, the virtual router chooses one of those routes from the routing table and adds it to
its forwarding table; it will not use any of the other routes unless there is an outage in the chosen route.
Enabling ECMP functionality on a virtual router allows the firewall to have up to four equal-cost paths to a
destination in its forwarding table, allowing the firewall to:
- Load balance flows (sessions) to the same destination over multiple equal-cost links.
- Efficiently use all available bandwidth on links to the same destination rather than leave some links
unused.
- Dynamically shift traffic to another ECMP member to the same destination if a link fails, rather than
having to wait for the routing protocol or RIB table to elect an alternative path/route. This can help
reduce downtime when links fail.
For information about ECMP path selection when an HA peer fails, see ECMP in Active/Active HA Mode.
The following sections describe ECMP and how to configure it.
- ECMP Load-Balancing Algorithms
- ECMP Platform, Interface, and IP Routing Support
- Configure ECMP on a Virtual Router
- Enable ECMP for Multiple BGP Autonomous Systems
- Verify ECMP

ECMP Load-Balancing Algorithms

Let's suppose the Routing Information Base (RIB) of the firewall has multiple equal-cost paths to a single
destination. The maximum number of equal-cost paths defaults to 2. ECMP chooses the best two equal-cost
paths from the RIB to copy to the Forwarding Information Base (FIB). ECMP then determines, based on the
load-balancing method, which of the two paths in the FIB the firewall will use for the destination during
this session.
ECMP load balancing is done at the session level, not at the packet level; the start of a new session is when
the firewall (ECMP) chooses an equal-cost path. The equal-cost paths to a single destination are considered
ECMP path members or ECMP group members. ECMP determines which one of the multiple paths to a
destination in the FIB to use for an ECMP flow, based on which load-balancing algorithm you set. A virtual
router can use only one load-balancing algorithm.

Enabling, disabling, or changing ECMP on an existing virtual router causes the system to restart
the virtual router, which might cause existing sessions to be terminated.

The four algorithm choices emphasize different priorities, as follows:
- Hash-based algorithms prioritize session stickiness: The IP Modulo and IP Hash algorithms use hashes
based on information in the packet header, such as source and destination address. Because the header
of each flow in a given session contains the same source and destination information, these options
prioritize session stickiness. If you choose the IP Hash algorithm, you can optionally set a Hash Seed value
to further randomize load balancing if you have a large number of sessions to the same destination and
they're not being distributed evenly over the ECMP links.
- Balanced algorithm prioritizes load balancing: The Balanced Round Robin algorithm distributes incoming
sessions equally across the links, favoring load balancing over session stickiness. (Round robin indicates
a sequence in which the least recently chosen item is chosen.) In addition, if new routes are added or
removed from an ECMP group (for example if a path in the group goes down), the virtual router will
rebalance the sessions across links in the group. Additionally, if the flows in a session have to switch
routes due to an outage, when the original route associated with the session becomes available again, the
flows in the session will revert to the original route when the virtual router once again rebalances the
load.
- Weighted algorithm prioritizes link capacity and/or speed: As an extension to the ECMP protocol
standard, the Palo Alto Networks implementation provides for a Weighted Round Robin load-balancing
option that takes into account differing link capacities and speeds on the egress interfaces of the firewall.
With this option, you can assign ECMP Weights (range is 1-255; default is 100) to the interfaces based on
link performance using factors such as link capacity, speed, and latency to ensure that loads are balanced
to fully leverage the available links.
For example, suppose the firewall has redundant links to an ISP: ethernet1/1 (100 Mbps) and
ethernet1/8 (200 Mbps). Although these are equal-cost paths, the link via ethernet1/8 provides greater
bandwidth and therefore can handle a greater load than the ethernet1/1 link. Therefore, to ensure that
the load-balancing functionality takes into account link capacity and speed, you might assign ethernet1/8
a weight of 200 and ethernet1/1 a weight of 100. The 2:1 weight ratio causes the virtual router to send
twice as many sessions to ethernet1/8 as it sends to ethernet1/1. However, because the ECMP protocol
is inherently session-based, when using the Weighted Round Robin algorithm, the firewall will be able to
load balance across the ECMP links only on a best-effort basis.

Assign lower-speed or lower-capacity links with a lower weight. Assign higher-speed or
higher-capacity links with a higher weight. In this manner, the firewall can distribute sessions
based on these ratios, rather than overdrive a low-capacity link that is one of the equal-cost paths.

Keep in mind that ECMP weights are assigned to interfaces to determine load balancing (to influence
which equal-cost path is chosen), not for route selection (a route choice from routes that could have
different costs).
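The difference between the four Method choices is easiest to see by feeding the same set of new sessions through each selector. The following Python is an added example, not Palo Alto Networks code: it implements a hash-based selector (IP Modulo, and IP Hash with the optional Use Source/Destination Ports and Hash Seed inputs), Balanced Round Robin with a rebalance when the member set changes, and Weighted Round Robin using the smooth weighted round-robin scheme, then counts how the sessions land. CRC32 stands in for the firewall's own hash function, whose details the guide does not publish; the interface names and the 200:100 weights come from the ethernet1/8 and ethernet1/1 example above, and the client sessions are constructed from documentation address space.

```python
import zlib

# Added example, not Palo Alto Networks code: ECMP path selection per session.
MAX_PATHS = 4  # Max Path in PAN-OS 7.1 ECMP is 2, 3 or 4


def _check_paths(paths):
    if not 1 <= len(paths) <= MAX_PATHS:
        raise ValueError("an ECMP group holds at most 4 equal-cost paths")
    return list(paths)


class IpHash:
    """IP Modulo / IP Hash: hash the header tuple, take it modulo the path count.
    Every flow of a session carries the same tuple, so the session sticks to one
    link; the load may be uneven if many sessions share a tuple."""

    def __init__(self, paths, use_ports=False, seed=0):
        self.paths = _check_paths(paths)
        self.use_ports, self.seed = use_ports, seed

    def pick(self, src, dst, sport=0, dport=0):
        key = f"{src}|{dst}" + (f"|{sport}|{dport}" if self.use_ports else "")
        # CRC32 seeded with the Hash Seed stands in for the firewall's (unpublished) hash
        return self.paths[zlib.crc32(key.encode(), self.seed) % len(self.paths)]


class BalancedRoundRobin:
    """Hand each new session to the least recently used path; when the member set
    changes (a path goes down or returns) the rotation restarts over the new set."""

    def __init__(self, paths):
        self.rebalance(paths)

    def rebalance(self, paths):
        self.paths, self._next = _check_paths(paths), 0

    def pick(self, *_):
        path = self.paths[self._next]
        self._next = (self._next + 1) % len(self.paths)
        return path


class WeightedRoundRobin:
    """Smooth weighted round robin: over a full cycle each path receives new
    sessions in proportion to its ECMP Weight (range 1-255, default 100)."""

    def __init__(self, weights):
        _check_paths(weights)
        if not all(1 <= w <= 255 for w in weights.values()):
            raise ValueError("ECMP Weight must be in the range 1-255")
        self.weights = dict(weights)
        self._credit = {p: 0 for p in weights}

    def pick(self, *_):
        for p, w in self.weights.items():
            self._credit[p] += w
        path = max(self._credit, key=self._credit.get)
        self._credit[path] -= sum(self.weights.values())
        return path


def distribute(selector, sessions):
    """Count how many of the (src, dst, sport, dport) sessions each path receives."""
    counts = {}
    for s in sessions:
        path = selector.pick(*s)
        counts[path] = counts.get(path, 0) + 1
    return counts


def sample_sessions(n):
    """Constructed sessions from clients in 192.0.2.0/24 to one server (documentation space)."""
    return [(f"192.0.2.{i % 254 + 1}", "198.51.100.10", 40000 + i, 443) for i in range(n)]


if __name__ == "__main__":
    links = ["ethernet1/1", "ethernet1/8"]
    print("IP Modulo      ", distribute(IpHash(links), sample_sessions(300)))
    print("IP Hash + ports", distribute(IpHash(links, use_ports=True, seed=7), sample_sessions(300)))
    print("Balanced RR    ", distribute(BalancedRoundRobin(links), sample_sessions(300)))
    print("Weighted RR    ", distribute(WeightedRoundRobin({"ethernet1/8": 200, "ethernet1/1": 100}),
                                        sample_sessions(300)))
```

The hash-based selectors give the same answer for the same tuple every time, which is the stickiness property, while the round-robin selectors ignore the tuple entirely; the weighted selector reproduces the 2:1 split the example describes exactly over a whole cycle, which is as close to the firewall's "best effort" balancing as a session-based scheme can get.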

ECMP Platform, Interface, and IP Routing Support

ECMP is supported on all Palo Alto Networks firewall platforms, with hardware forwarding support on the
PA-7000 Series, PA-5000 Series, PA-3060 firewalls, and PA-3050 firewalls. PA-3020 firewalls, PA-500
firewalls, PA-200 firewalls, and VM-Series firewalls support ECMP through software only. Performance is
affected for sessions that cannot be hardware offloaded.
ECMP is supported on Layer 3, Layer 3 subinterface, VLAN, tunnel, and Aggregated Ethernet interfaces.
ECMP can be configured for static routes and any of the dynamic routing protocols the firewall supports.
ECMP affects the route table capacity because the capacity is based on the number of paths, so an ECMP
route with four paths will consume four entries of route table capacity. ECMP implementation might slightly
decrease the route table capacity because more memory is being used by session-based tags to map traffic
flows to particular interfaces.


ECMP has the following restrictions:
- PA-2000 Series firewalls and PA-4000 Series firewalls with ECMP enabled might not be able to offload
sessions to hardware for forwarding. Packets matching ECMP routes will be sent to software, while
packets matching non-ECMP routes can still be forwarded by hardware.
- For the PA-4000 Series firewalls, packets to be forwarded by ECMP routes will be sent to software for
route lookup and forwarding, even though the session is in offloaded state.
- Virtual router-to-virtual router routing using static routes does not support ECMP.

Configure ECMP on a Virtual Router

Use the following procedure to enable ECMP on a virtual router. The prerequisites are to:
- Specify the interfaces that belong to a virtual router (Network > Virtual Routers > Router Settings >
General).
- Specify the IP routing protocol.
Enabling, disabling, or changing ECMP for an existing virtual router causes the system to restart the virtual
router, which might cause sessions to be terminated.

Configure ECMP on a Virtual Router

Step 1: Enable ECMP for a virtual router.
1. Select Network > Virtual Routers and select the virtual router on which to enable ECMP.
2. Select Router Settings > ECMP and select Enable.

Step 2: (Optional) Enable symmetric return of packets from server to client.
(Optional) Select Symmetric Return to cause return packets to egress out the same interface on which the
associated ingress packets arrived. That is, the firewall will use the ingress interface on which to send
return packets, rather than use the ECMP interface. The Symmetric Return setting overrides load balancing.
This behavior occurs only for traffic flows from the server to the client.

Step 3: Specify the maximum number of equal-cost paths (to a destination network) that can be copied
from the Routing Information Base (RIB) to the Forwarding Information Base (FIB).
For Max Path allowed, enter 2, 3, or 4. Default: 2.

Step 4: Select the load-balancing algorithm for the virtual router. For more information on load-balancing
methods and how they differ, see ECMP Load-Balancing Algorithms.
For Load Balance, select one of the following options from the Method drop-down:
- IP Modulo (default): Uses a hash of the source and destination IP addresses in the packet header to
determine which ECMP route to use.
- IP Hash: Uses a hash of the source and destination IP addresses and optionally the source and
destination port numbers in the packet header to determine which ECMP route to use. Specify options in
Step 5 below.
- Balanced Round Robin: Uses round robin among the ECMP paths and rebalances paths when the number
of paths changes.
- Weighted Round Robin: Uses round robin and a relative weight to select from among ECMP paths.
Specify the weights in Step 6 below.


ConfigureECMPonaVirtualRouter(Continued)

Step 5  (IP Hash only) Configure IP Hash options.
    If you selected IP Hash as the Method:
    1. Select Use Source/Destination Ports if you want to use source or destination port numbers in the IP Hash calculation.
    2. Enter a Hash Seed value (an integer with a maximum of nine digits). Specify a Hash Seed value to further randomize load balancing. Specifying a hash seed value is useful if you have a large number of sessions with the same tuple information.

Step 6  (Weighted Round Robin only) Define a weight for each interface in the ECMP group.
    If you selected Weighted Round Robin as the Method, define a weight for each of the interfaces that are the egress points for traffic to be routed to the same destinations (that is, interfaces that are part of an ECMP group, such as the interfaces that provide redundant links to your ISP or interfaces to the core business applications on your corporate network).
    The higher the weight, the more often that equal-cost path will be selected for a new session.
    Give higher-speed links a higher weight than slower links so that more of the ECMP traffic goes over the faster link.
    1. Create an ECMP group by clicking Add and selecting an Interface from the drop-down.
    2. Add the other interfaces in the ECMP group.
    3. Click on Weight and specify the relative weight for each interface (range is 1-255; default is 100).

Step 7  Save the configuration.
    1. Click OK.
    2. At the ECMP Configuration Change prompt, click Yes to restart the virtual router. Restarting the virtual router might cause existing sessions to be terminated.
       This message displays only if you are modifying an existing virtual router with ECMP.

Step 8  Save the configuration.
    Commit the configuration.
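The four Load Balance methods from Step 4, with the IP Hash options of Step 5 and the weights of Step 6, modelled as an added Python example (not Palo Alto Networks code). The hash function itself is an assumption (CRC-32 over the fields the text names; the firewall's real hash is not documented here); only the hash inputs, the Max Path limit, the Hash Seed and Weight ranges, and the per-session round-robin behaviour follow the procedure above.

```python
import ipaddress
import zlib


class EcmpGroup:
    """Equal-cost paths to one destination, selected with the chosen Load
    Balance method. Added example; hash function is assumed, not the firewall's."""

    def __init__(self, paths, method="ip-modulo", max_path=2,
                 use_ports=False, hash_seed=0, weights=None):
        if max_path not in (2, 3, 4):
            raise ValueError("Max Path must be 2, 3, or 4")
        if len(paths) > max_path:
            raise ValueError("only Max Path equal-cost routes are copied from the RIB to the FIB")
        if not 0 <= hash_seed <= 999_999_999:
            raise ValueError("Hash Seed is an integer of at most nine digits")
        self.method, self.use_ports, self.hash_seed = method, use_ports, hash_seed
        self.weights = weights or {}
        for weight in self.weights.values():
            if not 1 <= weight <= 255:
                raise ValueError("Weight range is 1-255")
        self.sessions = {}   # flow tuple -> egress interface; ECMP chooses per new session
        self.set_paths(paths)

    def set_paths(self, paths):
        """(Re)install the ECMP group. Round-robin state restarts so that the
        group is rebalanced when the number of paths changes."""
        self.paths = list(paths)
        self._rr = 0
        self._credit = {p: self.weights.get(p, 100) for p in self.paths}   # default weight 100

    @staticmethod
    def _hash(*fields):
        # Assumed hash: CRC-32 over the packed fields (IP addresses in binary
        # form, ports and the Hash Seed as 32-bit big-endian integers).
        packed = b"".join(
            ipaddress.ip_address(f).packed if isinstance(f, str) else int(f).to_bytes(4, "big")
            for f in fields)
        return zlib.crc32(packed)

    def _pick(self, src, dst, sport, dport):
        n = len(self.paths)
        if self.method == "ip-modulo":            # source and destination IP only
            return self.paths[self._hash(src, dst) % n]
        if self.method == "ip-hash":              # IPs, optionally ports, plus the seed
            fields = [src, dst] + ([sport, dport] if self.use_ports else []) + [self.hash_seed]
            return self.paths[self._hash(*fields) % n]
        if self.method == "balanced-round-robin":
            chosen = self.paths[self._rr % n]
            self._rr += 1
            return chosen
        if self.method == "weighted-round-robin":
            # Cycle through the paths, spending one unit of a path's weight per
            # new session; once every path is spent, refill from the weights.
            for _ in range(n):
                candidate = self.paths[self._rr % n]
                self._rr += 1
                if self._credit[candidate] > 0:
                    self._credit[candidate] -= 1
                    return candidate
            self._credit = {p: self.weights.get(p, 100) for p in self.paths}
            return self._pick(src, dst, sport, dport)
        raise ValueError(f"unknown Load Balance method {self.method!r}")

    def new_session(self, src, dst, sport=0, dport=0):
        """Egress interface for a flow; an existing session keeps its path."""
        key = (src, dst, sport, dport)
        if key not in self.sessions:
            self.sessions[key] = self._pick(src, dst, sport, dport)
        return self.sessions[key]


def distribution(group, flows):
    """Count how many new sessions each path receives for a list of
    (src, dst, sport, dport) flows (constructed sample input)."""
    counts = {p: 0 for p in group.paths}
    for src, dst, sport, dport in flows:
        counts[group.new_session(src, dst, sport, dport)] += 1
    return counts
```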

Enable ECMP for Multiple BGP Autonomous Systems

Perform the following task if you have BGP configured, and you want to enable ECMP over multiple autonomous systems. This task presumes that BGP is already configured. In the following figure, two ECMP paths to a destination go through two firewalls belonging to a single ISP in a single BGP autonomous system.


In the following figure, two ECMP paths to a destination go through two firewalls belonging to two different ISPs in different BGP autonomous systems.

Enable ECMP for BGP Autonomous Systems

Step 1  Configure ECMP.
    See Configure ECMP on a Virtual Router.


Step 2  For BGP routing, enable ECMP over multiple autonomous systems.
    1. Select Network > Virtual Routers and select the virtual router on which to enable ECMP for multiple BGP autonomous systems.
    2. Select BGP > Advanced and select ECMP Multiple AS Support.

Step 3  Save the configuration.
    Click OK and Commit the configuration.

Verify ECMP

A virtual router configured for ECMP indicates in the Forwarding Information Base (FIB) table which routes are ECMP routes. An ECMP flag (E) for a route indicates that it is participating in ECMP for the egress interface to the next hop for that route.

Confirm That Routes Are Equal-Cost Multiple Paths

Look at the FIB and confirm that some routes are equal-cost multiple paths.
    1. Select Network > Virtual Routers.
    2. In the row of the virtual router for which you enabled ECMP, click More Runtime Stats.
    3. Select Routing > Forwarding Table to see the FIB. In the table, note that multiple routes to the same Destination (out a different Interface) have the E flag.
       An asterisk (*) denotes the preferred path for the ECMP group.


LLDP

Palo Alto Networks firewalls support Link Layer Discovery Protocol (LLDP), which functions at the link layer to discover neighboring devices and their capabilities. LLDP allows the firewall and other network devices to send and receive LLDP data units (LLDPDUs) to and from neighbors. The receiving device stores the information in a MIB, which the Simple Network Management Protocol (SNMP) can access. LLDP makes troubleshooting easier, especially for virtual wire deployments where the firewall would typically go undetected by a ping or traceroute.
- LLDP Overview
- Supported TLVs in LLDP
- LLDP Syslog Messages and SNMP Traps
- Configure LLDP
- View LLDP Settings and Status
- Clear LLDP Statistics

LLDP Overview

LLDP operates at Layer 2 of the OSI model, using MAC addresses. An LLDPDU is a sequence of type-length-value (TLV) elements encapsulated in an Ethernet frame. The IEEE 802.1AB standard defines three MAC addresses for LLDPDUs: 01-80-C2-00-00-0E, 01-80-C2-00-00-03, and 01-80-C2-00-00-00.
The Palo Alto Networks firewall supports only one MAC address for transmitting and receiving LLDP data units: 01-80-C2-00-00-0E. When transmitting, the firewall uses 01-80-C2-00-00-0E as the destination MAC address. When receiving, the firewall processes datagrams with 01-80-C2-00-00-0E as the destination MAC address. If the firewall receives either of the other two MAC addresses for LLDPDUs on its interfaces, the firewall takes the same forwarding action it took prior to this feature, as follows:
- If the interface type is vwire, the firewall forwards the datagram to the other port.
- If the interface type is L2, the firewall floods the datagram to the rest of the VLAN.
- If the interface type is L3, the firewall drops the datagrams.
The PA-2000 Series platform is not supported due to the hardware limitation of how Aggregated Ethernet interfaces function. Panorama, the GlobalProtect Mobile Security Manager, and the WildFire appliance are also not supported.
Interface types that do not support LLDP are TAP, high availability (HA), Decrypt Mirror, virtual wire/vlan/L3 subinterfaces, and PA-7000 Series Log Processing Card (LPC) interfaces.
An LLDP Ethernet frame has the following format:


Within the LLDP Ethernet frame, the TLV structure has the following format:

Supported TLVs in LLDP

LLDPDUs include mandatory and optional TLVs. The following table lists the mandatory TLVs that the firewall supports:

Mandatory TLVs | TLV Type | Description
Chassis ID TLV | 1 | Identifies the firewall chassis. Each firewall must have exactly one unique Chassis ID. The Chassis ID subtype is 4 (MAC address); Palo Alto Networks platforms use the MAC address of Eth0 to ensure uniqueness.
Port ID TLV | 2 | Identifies the port from which the LLDPDU is sent. Each firewall uses one Port ID for each LLDPDU message transmitted. The Port ID subtype is 5 (interface name) and uniquely identifies the transmitting port. The firewall uses the interface's ifname as the Port ID.
Time-to-live (TTL) TLV | 3 | Specifies how long (in seconds) LLDPDU information received from the peer is retained as valid in the local firewall (range is 0-65535). The value is a multiple of the LLDP Hold Time Multiplier. When the TTL value is 0, the information associated with the device is no longer valid and the firewall removes that entry from the MIB.
End of LLDPDU TLV | 0 | Indicates the end of the TLVs in the LLDP Ethernet frame.


The following table lists the optional TLVs that the Palo Alto Networks firewall supports:

Optional TLVs | TLV Type | Purpose and Notes Regarding Firewall Implementation
Port Description TLV | 4 | Describes the port of the firewall in alphanumeric format. The ifAlias object is used.
System Name TLV | 5 | Configured name of the firewall in alphanumeric format. The sysName object is used.
System Description TLV | 6 | Describes the firewall in alphanumeric format. The sysDescr object is used.
System Capabilities | 7 | Describes the deployment mode of the interface, as follows:
    - An L3 interface is advertised with router (bit 6) capability and the other bit (bit 1).
    - An L2 interface is advertised with MAC Bridge (bit 3) capability and the other bit (bit 1).
    - A virtual wire interface is advertised with Repeater (bit 2) capability and the other bit (bit 1).
Management Address | 8 | One or more IP addresses used for firewall management, as follows:
    - IP address of the management (MGT) interface
    - IPv4 and/or IPv6 address of the interface
    - Loopback address
    - User-defined address entered in the management address field
    If no management IP address is provided, the default is the MAC address of the transmitting interface.
    Included is the interface number of the management address specified. Also included is the OID of the hardware interface with the management address specified (if applicable).
    If more than one management address is specified, they will be sent in the order they are specified, starting at the top of the list. A maximum of four Management Addresses are supported.
    This is an optional parameter and can be left disabled.
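An LLDPDU builder and parser with a small receive table, added here as an example (not Palo Alto Networks code) to show the TLVs above in use: Chassis ID subtype 4, Port ID subtype 5, TTL as Transmit Interval times Hold Time Multiple capped at 65535, the five-neighbor limit per interface, TTL 0 removal from the MIB, and TTL ageing. The 7-bit type / 9-bit length TLV header comes from IEEE 802.1AB; the MAC addresses, interface names and timestamps are constructed.

```python
import struct

LLDP_MAC = bytes.fromhex("0180c200000e")   # the one destination MAC the firewall uses
MAX_PEERS_PER_INTERFACE = 5                 # a sixth source triggers tooManyNeighbors
CHASSIS_ID, PORT_ID, TTL, END, SYSTEM_NAME = 1, 2, 3, 0, 5


def tlv(tlv_type, value):
    """IEEE 802.1AB TLV: 7-bit type, 9-bit length, then the value bytes."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type is 7 bits and length is 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac, port_name, tx_interval, hold_multiple, system_name=None):
    """Mandatory TLVs in the required order, optional System Name, then End."""
    ttl = min(tx_interval * hold_multiple, 65535)      # TTL Hold Time caps at 65535 s
    pdu = tlv(CHASSIS_ID, b"\x04" + chassis_mac)        # subtype 4 = MAC address
    pdu += tlv(PORT_ID, b"\x05" + port_name.encode())   # subtype 5 = interface name
    pdu += tlv(TTL, struct.pack("!H", ttl))
    if system_name:
        pdu += tlv(SYSTEM_NAME, system_name.encode())
    return pdu + tlv(END, b"")


def parse_lldpdu(data):
    """Return (info, errors, unrecognized). `errors` mirrors the Errors counter
    (mandatory TLV missing or out of order, out-of-range value, length error);
    `unrecognized` counts TLV types in the 802.1AB reserved range 9-126."""
    tlvs, errors, unrecognized, off = [], [], 0, 0
    while off + 2 <= len(data):
        header, = struct.unpack_from("!H", data, off)
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[off + 2:off + 2 + length]
        off += 2 + length
        if len(value) != length:
            errors.append("length error")
            break
        if tlv_type == END:
            break
        if 9 <= tlv_type <= 126:
            unrecognized += 1
            continue
        tlvs.append((tlv_type, value))
    if [t for t, _ in tlvs][:3] != [CHASSIS_ID, PORT_ID, TTL]:
        errors.append("mandatory TLVs missing or out of order")
        return None, errors, unrecognized
    chassis, port, ttl_value = tlvs[0][1], tlvs[1][1], tlvs[2][1]
    if (len(ttl_value) != 2 or len(chassis) < 2 or not 1 <= chassis[0] <= 7
            or len(port) < 2 or not 1 <= port[0] <= 7):    # subtypes 1-7 per 802.1AB
        errors.append("out-of-range value")
        return None, errors, unrecognized
    info = {"chassis_id": chassis[1:].hex(":"), "port_id": port[1:].decode(errors="replace"),
            "ttl": struct.unpack("!H", ttl_value)[0]}
    for tlv_type, value in tlvs[3:]:
        if tlv_type == SYSTEM_NAME:
            info["system_name"] = value.decode(errors="replace")
    return info, errors, unrecognized


class NeighborTable:
    """Receive MIB of one firewall: per-interface peers with TTL ageing."""

    def __init__(self):
        self.peers = {}   # (interface, chassis_id, port_id) -> (system_name, expires_at)
        self.counters = {"errors": 0, "unrecognized": 0, "aged_out": 0, "too_many_neighbors": 0}

    def receive(self, interface, frame, now):
        info, errors, unrecognized = parse_lldpdu(frame)
        self.counters["errors"] += len(errors)
        self.counters["unrecognized"] += unrecognized
        if info is None:
            return False
        key = (interface, info["chassis_id"], info["port_id"])
        if info["ttl"] == 0:          # TTL 0: the entry is no longer valid, remove it
            self.peers.pop(key, None)
            return True
        on_interface = sum(1 for k in self.peers if k[0] == interface)
        if key not in self.peers and on_interface >= MAX_PEERS_PER_INTERFACE:
            self.counters["too_many_neighbors"] += 1
            return False
        self.peers[key] = (info.get("system_name", ""), now + info["ttl"])
        return True

    def age(self, now):
        """Delete entries whose TTL expired; counted as Aged Out."""
        expired = [k for k, (_, expires) in self.peers.items() if expires <= now]
        for k in expired:
            del self.peers[k]
        self.counters["aged_out"] += len(expired)
        return len(expired)
```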

LLDP Syslog Messages and SNMP Traps

The firewall stores LLDP information in MIBs, which an SNMP Manager can monitor. If you want the firewall to send SNMP trap notifications and syslog messages about LLDP events, you must enable SNMP Syslog Notification in an LLDP profile.
Per RFC 5424, The Syslog Protocol, and RFC 1157, A Simple Network Management Protocol, LLDP sends syslog and SNMP trap messages when MIB changes occur. These messages are rate limited by the Notification Interval, an LLDP global setting that defaults to 5 seconds and is configurable.
Because the LLDP syslog and SNMP trap messages are rate limited, some LLDP information provided to those processes might not match the current LLDP statistics seen when you View the LLDP status information. This is normal, expected behavior.
A maximum of 5 MIBs can be received per interface (Ethernet or AE). Each different source has one MIB. If this limit is exceeded, the error message tooManyNeighbors is triggered.


Configure LLDP

To configure LLDP, and create an LLDP profile, you must be a superuser or device administrator (deviceadmin). A firewall interface supports a maximum of five LLDP peers.

Configure LLDP

Step 1  Enable LLDP on the firewall.
    Select Network > LLDP and edit the LLDP General section; select Enable.

Step 2  (Optional) Change LLDP global settings.
    1. For Transmit Interval (sec), specify the interval (in seconds) at which LLDPDUs are transmitted. Default: 30 seconds. Range: 1-3600 seconds.
    2. For Transmit Delay (sec), specify the delay time (in seconds) between LLDP transmissions sent after a change is made in a TLV element. The delay helps to prevent flooding the segment with LLDPDUs if many network changes spike the number of LLDP changes, or if the interface flaps. The Transmit Delay must be less than the Transmit Interval. Default: 2 seconds. Range: 1-600 seconds.
    3. For Hold Time Multiple, specify a value that is multiplied by the Transmit Interval to determine the total TTL Hold Time. Default: 4. Range: 1-100. The maximum TTL Hold Time is 65535 seconds, regardless of the multiplier value.
    4. For Notification Interval, specify the interval (in seconds) at which LLDP Syslog Messages and SNMP Traps are transmitted when MIB changes occur. Default: 5 seconds. Range: 1-3600 seconds.
    5. Click OK.


Step 3  Create an LLDP profile.
        For descriptions of the optional TLVs, see Supported TLVs in LLDP.
    1. Select Network > Network Profiles > LLDP Profile and click Add.
    2. Enter a Name for the LLDP profile.
    3. For Mode, select transmit-receive (default), transmit-only, or receive-only.
    4. Select SNMP Syslog Notification to enable SNMP notifications and syslog messages. If enabled, the global Notification Interval is used. The firewall will send both an SNMP trap and a syslog event as configured in the Device > Log Settings > System > SNMP Trap Profile and Syslog Profile.
    5. For Optional TLVs, select the TLVs you want transmitted:
       - Port Description
       - System Name
       - System Description
       - System Capabilities
    6. (Optional) Select Management Address to add one or more management addresses and Add a Name.
    7. Select the Interface from which to obtain the management address. At least one management address is required if the Management Address TLV is enabled. If no management IP address is configured, the system uses the MAC address of the transmitting interface as the management address TLV.
    8. Select IPv4 or IPv6, and in the adjacent field, select an IP address from the drop-down (which lists the addresses configured on the selected interface), or enter an address.
    9. Click OK.
    10. Up to four management addresses are allowed. If you specify more than one Management Address, they will be sent in the order they are specified, starting at the top of the list. To change the order of the addresses, select an address and use the Move Up or Move Down buttons.
    11. Click OK.

Step 4  Assign an LLDP profile to an interface.
    1. Select Network > Interfaces and select the interface where you will assign an LLDP profile.
    2. Select Advanced > LLDP.
    3. Select Enable LLDP to assign an LLDP profile to the interface.
    4. For Profile, select the profile you created. Selecting None enables LLDP with basic functionality: sends the three mandatory TLVs and enables transmit-receive mode.
       If you want to create a new profile, click LLDP Profile and follow the instructions in Step 4.
    5. Click OK.

Step 5  Save the configuration.
    Click Commit.


View LLDP Settings and Status

Perform the following procedure to view LLDP settings and status.

View LLDP Settings and Status

Step 1  View LLDP global settings.
    1. Select Network > LLDP.
       - On the LLDP General screen, Enable indicates whether LLDP is enabled or not.
       - If LLDP is enabled, the configured global settings (Transmit Interval, Transmit Delay, Hold Time Multiple, and Notification Interval) are displayed.
       - If LLDP is not enabled, the default values of the global settings are displayed.
       For descriptions of these values, see (Optional) Change LLDP global settings.

Step 2  View the LLDP status information.
    1. Select the Status tab.
    2. (Optional) Enter a filter to restrict the information that is displayed.
       Interface Information:
       - Interface: Name of the interfaces that have LLDP profiles assigned to them.
       - LLDP: LLDP status: enabled or disabled.
       - Mode: LLDP mode of the interface: Tx/Rx, Tx Only, or Rx Only.
       - Profile: Name of the profile assigned to the interface.
       Transmission Information:
       - Total Transmitted: Count of LLDPDUs transmitted out the interface.
       - Dropped Transmit: Count of LLDPDUs that were not transmitted out the interface because of an error. For example, a length error when the system is constructing an LLDPDU for transmission.
       Received Information:
       - Total Received: Count of LLDP frames received on the interface.
       - Dropped TLV: Count of LLDP frames discarded upon receipt.
       - Errors: Count of TLVs that were received on the interface and contained errors. Types of TLV errors include: one or more mandatory TLVs missing, out of order, containing out-of-range information, or length error.
       - Unrecognized: Count of TLVs received on the interface that are not recognized by the LLDP local agent. For example, the TLV type is in the reserved TLV range.
       - Aged Out: Count of items deleted from the Receive MIB due to proper TTL expiration.


Step 3  View summary LLDP information for each neighbor seen on an interface.
    1. Select the Peers tab.
    2. (Optional) Enter a filter to restrict the information being displayed.
       - Local Interface: Interface on the firewall that detected the neighboring device.
       - Remote Chassis ID: Chassis ID of the peer. The MAC address will be used.
       - Port ID: Port ID of the peer.
       - Name: Name of peer.
       - More info: Provides the following remote peer details, which are based on the Mandatory and Optional TLVs:
         - Chassis Type: MAC address.
         - MAC Address: MAC address of the peer.
         - System Name: Name of the peer.
         - System Description: Description of the peer.
         - Port Description: Port description of the peer.
         - Port Type: Interface name.
         - Port ID: The firewall uses the interface's ifname.
         - System Capabilities: Capabilities of the system. O=Other, P=Repeater, B=Bridge, W=Wireless LAN, R=Router, T=Telephone
         - Enabled Capabilities: Capabilities enabled on the peer.
         - Management Address: Management address of the peer.

Clear LLDP Statistics

You can clear LLDP statistics for specific interfaces.

Clear LLDP Statistics

Step 1  Clear LLDP statistics for specific interfaces.
    1. Select Network > LLDP > Status and in the left-hand column, select one or more interfaces for which you want to clear LLDP statistics.
    2. Click Clear LLDP Statistics at the bottom of the screen.


BFD

The firewall supports Bidirectional Forwarding Detection (BFD), a protocol that recognizes a failure in the bidirectional path between two routing peers. BFD failure detection is extremely fast, providing for a faster failover than can be achieved by link monitoring or frequent dynamic routing health checks, such as Hello packets or heartbeats. Mission-critical data centers and networks that require high availability and extremely fast failover need the extremely fast failure detection that BFD provides.
- BFD Overview
- Configure BFD
- Reference: BFD Details

BFD Overview

When you enable BFD, BFD establishes a session from one endpoint (the firewall) to its BFD peer at the endpoint of a link using a three-way handshake. Control packets perform the handshake and negotiate the parameters configured in the BFD profile, including the minimum intervals at which the peers can send and receive control packets. BFD control packets for both IPv4 and IPv6 are transmitted over UDP port 3784. BFD control packets for multihop support are transmitted over UDP port 4784. BFD control packets transmitted over either port are encapsulated in the UDP packets.
After the BFD session is established, the Palo Alto Networks implementation of BFD operates in asynchronous mode, meaning both endpoints send each other control packets (which function like Hello packets) at the negotiated interval. If a peer does not receive a control packet within the detection time (calculated as the negotiated transmit interval multiplied by a Detection Time Multiplier), the peer considers the session down. (The firewall does not support demand mode, in which control packets are sent only if necessary rather than periodically.)
When you enable BFD for a static route and a BFD session between the firewall and the BFD peer fails, the firewall removes the failed route from the RIB and FIB tables and allows an alternate path with a lower priority to take over. When you enable BFD for a routing protocol, BFD notifies the routing protocol to switch to an alternate path to the peer. Thus, the firewall and BFD peer reconverge on a new path.
A BFD profile allows you to Configure BFD settings and apply them to one or more routing protocols or static routes on the firewall. If you enable BFD without configuring a profile, the firewall uses its default BFD profile (with all of the default settings). You cannot change the default BFD profile.
When an interface is running multiple protocols that use different BFD profiles, BFD uses the profile having the lowest Desired Minimum Tx Interval. See BFD for Dynamic Routing Protocols.
Active/passive HA peers synchronize BFD configurations and sessions; active/active HA peers do not.
BFD is standardized in RFC 5880. PAN-OS does not support all components of RFC 5880; see Non-Supported RFC Components of BFD.
PAN-OS also supports RFC 5881, Bidirectional Forwarding Detection (BFD) for IPv4 and IPv6 (Single Hop). In this case, BFD tracks a single hop between two systems that use IPv4 or IPv6, so the two systems are directly connected to each other. BFD also tracks multiple hops from peers connected by BGP. PAN-OS follows BFD encapsulation as described in RFC 5883, Bidirectional Forwarding Detection (BFD) for Multihop Paths. However, PAN-OS does not support authentication.
- BFD Platform, Interface, and Client Support


- Non-Supported RFC Components of BFD
- BFD for Static Routes
- BFD for Dynamic Routing Protocols

BFD Platform, Interface, and Client Support

PAN-OS supports BFD on PA-3000 Series, PA-5000 Series, PA-7000 Series, and VM-Series firewalls. Each platform supports a maximum number of BFD sessions, as listed in the Product Selection tool.
BFD runs on physical Ethernet, Aggregated Ethernet (AE), VLAN, and tunnel interfaces (site-to-site VPN and LSVPN), and on Layer 3 subinterfaces.
Supported BFD clients are:
- Static routes (IPv4 and IPv6) consisting of a single hop
- OSPFv2 and OSPFv3 (interface types include broadcast, point-to-point, and point-to-multipoint)
- BGP IPv4 (IBGP, EBGP) consisting of a single hop or multiple hops
- RIP (single hop)

Non-Supported RFC Components of BFD

- Demand mode
- Authentication
- Sending or receiving Echo packets; however, the firewall will pass Echo packets that arrive on a virtual wire or tap interface. (BFD Echo packets have the same IP address for the source and destination.)
- Poll sequences
- Congestion control

BFD for Static Routes

To use BFD on a static route, both the firewall and the peer at the opposite end of the static route must support BFD sessions. A static route can have a BFD profile only if the Next Hop type is IP Address.
If an interface is configured with more than one static route to a peer (the BFD session has the same source IP address and same destination IP address), a single BFD session automatically handles the multiple static routes. This behavior reduces BFD sessions. If the static routes have different BFD profiles, the profile with the smallest Desired Minimum Tx Interval takes effect.
In a deployment where you want to configure BFD for a static route on a DHCP or PPPoE client interface, you must perform two commits. Enabling BFD for a static route requires that the Next Hop type be IP Address. But at the time of a DHCP or PPPoE interface commit, the interface IP address and next hop IP address (default gateway) are unknown.
You must first enable a DHCP or PPPoE client for the interface, perform a commit, and wait for the DHCP or PPPoE server to send the firewall the client IP address and default gateway IP address. Then you can configure the static route (using the default gateway address of the DHCP or PPPoE client as the next hop), enable BFD, and perform a second commit.


BFD for Dynamic Routing Protocols

In addition to BFD for static routes, the firewall supports BFD for the BGP, OSPF, and RIP routing protocols.

The Palo Alto Networks implementation of multihop BFD follows the encapsulation portion of RFC 5883, Bidirectional Forwarding Detection (BFD) for Multihop Paths, but does not support authentication. A workaround is to configure BFD in a VPN tunnel for BGP. The VPN tunnel can provide authentication without the duplication of BFD authentication.

When you enable BFD for OSPFv2 or OSPFv3 broadcast interfaces, OSPF establishes a BFD session only with its Designated Router (DR) and Backup Designated Router (BDR). On point-to-point interfaces, OSPF establishes a BFD session with the direct neighbor. On point-to-multipoint interfaces, OSPF establishes a BFD session with each peer.
The firewall does not support BFD on an OSPF or OSPFv3 virtual link.
Each routing protocol can have independent BFD sessions on an interface. Alternatively, two or more routing protocols (BGP, OSPF, and RIP) can share a common BFD session for an interface.
When you enable BFD for multiple protocols on the same interface, and the source IP address and destination IP address for the protocols are also the same, the protocols share a single BFD session, thus reducing both dataplane overhead (CPU) and traffic load on the interface. If you configure different BFD profiles for these protocols, only one BFD profile is used: the one that has the lowest Desired Minimum Tx Interval. If the profiles have the same Desired Minimum Tx Interval, the profile used by the first created session takes effect. In the case where a static route and OSPF share the same session, because a static session is created right after a commit, while OSPF waits until an adjacency is up, the profile of the static route takes effect.
The benefit of using a single BFD session in these cases is that this behavior uses resources more efficiently. The firewall can use the saved resources to support more BFD sessions on different interfaces or support BFD for different source IP and destination IP address pairs.
IPv4 and IPv6 on the same interface always create different BFD sessions, even though they can use the same BFD profile.


Configure BFD

This task assumes you have performed the following prerequisites:
- Configured a virtual router.
- Configured one or more static routes if you are applying BFD to static routes.
- Configured a routing protocol (BGP, OSPF, OSPFv3, or RIP) if you are applying BFD to a routing protocol.

The effectiveness of your BFD implementation depends on a variety of factors, such as traffic loads, network conditions, how aggressive your BFD settings are, and how busy the dataplane is.


Configure BFD

Step 1  Create a BFD profile.
        If you change a setting in a BFD profile that an existing BFD session is using and you commit the change, before the firewall deletes that BFD session and recreates it with the new setting, the firewall sends a BFD packet with the local state set to admin down. The peer device may or may not flap the routing protocol or static route, depending on the peer's implementation of RFC 5882, Section 3.2.
    1. Select Network > Network Profiles > BFD Profile and Add a Name for the BFD profile. The name is case-sensitive and must be unique on the firewall. Use only letters, numbers, spaces, hyphens, and underscores.
    2. Select the Mode in which BFD operates:
       - Active: BFD initiates sending control packets to peer (default). At least one of the BFD peers must be Active; both can be Active.
       - Passive: BFD waits for peer to send control packets and responds as required.
    3. Enter the Desired Minimum Tx Interval (ms). This is the minimum interval, in milliseconds, at which you want the BFD protocol (referred to as BFD) to send BFD control packets; you are thus negotiating the transmit interval with the peer. Minimum on PA-7000 and PA-5000 Series firewalls is 50; minimum on PA-3000 Series firewall is 100; minimum on VM-Series firewall is 200. Maximum is 2000; default is 1000.
       If you have multiple routing protocols that use different BFD profiles on the same interface, configure the BFD profiles with the same Desired Minimum Tx Interval.
    4. Enter the Required Minimum Rx Interval (ms). This is the minimum interval, in milliseconds, at which BFD can receive BFD control packets. Minimum on PA-7000 and PA-5000 Series firewalls is 50; minimum on PA-3000 Series firewall is 100; minimum on VM-Series firewall is 200. Maximum is 2000; default is 1000.
    5. Enter the Detection Time Multiplier. The transmit interval (negotiated from the Desired Minimum Tx Interval) multiplied by the Detection Time Multiplier equals the detection time. If BFD does not receive a BFD control packet from its peer before the detection time expires, a failure has occurred. Range is 2-50; default is 3.
       For example, a transmit interval of 300 ms x 3 (Detection Time Multiplier) = 900 ms detection time.
       When configuring a BFD profile, take into consideration that the firewall is a session-based device typically at the edge of a network or data center and may have slower links than a dedicated router. Therefore, the firewall likely needs a longer interval and a higher multiplier than the fastest settings allowed. A detection time that is too short can cause false failure detections when the issue is really just traffic congestion.


    6. Enter the Hold Time (ms). This is the delay, in milliseconds, after a link comes up before BFD transmits BFD control packets. Hold Time applies to BFD Active mode only. If BFD receives BFD control packets during the Hold Time, it ignores them. Range is 0-120000. The default is 0, which means no transmit Hold Time is used; BFD sends and receives BFD control packets immediately after the link is established.
    7. (Optional) For a BGP IPv4 implementation only, configure hop-related settings for the BFD profile:
       - Select Multihop to enable BFD over BGP multihop.
       - Enter the Minimum Rx TTL. This is the minimum Time-to-Live value (number of hops) BFD will accept (receive) in a BFD control packet when BGP supports multihop BFD. (Range is 1-254; there is no default). The firewall drops the packet if it receives a smaller TTL than its configured Minimum Rx TTL. For example, if the peer is 5 hops away, and the peer transmits a BFD packet with a TTL of 100 to the firewall, and if the Minimum Rx TTL for the firewall is set to 96 or higher, the firewall drops the packet.
    8. Click OK.

Step 2  (Optional) Enable BFD for a static route.
        Both the firewall and the peer at the opposite end of the static route must support BFD sessions.
    1. Select Network > Virtual Routers and select the virtual router where the static route is configured.
    2. Select the Static Routes tab.
    3. Select the IPv4 or IPv6 tab.
    4. Select the static route where you want to apply BFD.
    5. Select an Interface (even if you are using a DHCP address). The Interface setting cannot be None.
    6. For Next Hop, select IP Address and enter the IP address if not already specified.
    7. For BFD Profile, select one of the following:
       - default: Uses only default settings.
       - A BFD profile you configured: See Create a BFD profile.
       - New BFD Profile: Allows you to Create a BFD profile.
       Selecting None (Disable BFD) disables BFD for this static route.
    8. Click OK.
       A BFD column on the IPv4 or IPv6 tab indicates the BFD profile configured for the static route.


Step 3  (Optional) Enable BFD for all BGP interfaces or for a single BGP peer.
        If you enable or disable BFD globally, all interfaces running BGP will be taken down and brought back up with the BFD function. This can disrupt all BGP traffic. When you enable BFD on the interface, the firewall stops the BGP connection to the peer to program BFD on the interface. The peer device sees the BGP connection drop, which can result in a reconvergence. Enable BFD for BGP interfaces during an off-peak time when a reconvergence will not impact production traffic.
    1. Select Network > Virtual Routers and select the virtual router where BGP is configured.
    2. Select the BGP tab.
    3. (Optional) To apply BFD to all BGP interfaces on the virtual router, in the BFD drop-down, select one of the following and click OK:
       - default: Uses only default settings.
       - A BFD profile you configured: See Create a BFD profile.
       - New BFD Profile: Allows you to Create a BFD profile.
       Selecting None (Disable BFD) disables BFD for all BGP interfaces on the virtual router; you cannot enable BFD for a single BGP interface.
    4. (Optional) To enable BFD for a single BGP peer interface (thereby overriding the BFD setting for BGP as long as it is not disabled), perform the following tasks:
       a. Select the Peer Group tab.
       b. Select a peer group.
       c. Select a peer.
       d. In the BFD drop-down, select one of the following:
          - default: Uses only default settings.
          - Inherit-vr-global-setting (default): The BGP peer inherits the BFD profile that you selected globally for BGP for the virtual router.
          - A BFD profile you configured: See Create a BFD profile.
          Selecting Disable BFD disables BFD for the BGP peer.
       e. Click OK.
    5. Click OK.
       A BFD column on the BGP Peer Group/Peer list indicates the BFD profile configured for the interface.


Step 4  (Optional) Enable BFD for OSPF or OSPFv3 globally or for an OSPF interface.
    1. Select Network > Virtual Routers and select the virtual router where OSPF or OSPFv3 is configured.
    2. Select the OSPF or OSPFv3 tab.
    3. (Optional) In the BFD drop-down, select one of the following to enable BFD for all OSPF or OSPFv3 interfaces and click OK:
       - default: Uses only default settings.
       - A BFD profile you configured: See Create a BFD profile.
       - New BFD Profile: Allows you to Create a BFD profile.
       Selecting None (Disable BFD) disables BFD for all OSPF interfaces on the virtual router; you cannot enable BFD for a single OSPF interface.
    4. (Optional) To enable BFD on a single OSPF peer interface (and thereby override the BFD setting for OSPF, as long as it is not disabled), perform the following tasks:
       a. Select the Areas tab and select an area.
       b. On the Interface tab, select an interface.
       c. In the BFD drop-down, select one of the following to configure BFD for the specified OSPF peer:
          - default: Uses only default settings.
          - Inherit-vr-global-setting (default): OSPF peer inherits the BFD setting for OSPF or OSPFv3 for the virtual router.
          - A BFD profile you configured: See Create a BFD profile.
          Selecting Disable BFD disables BFD for the OSPF or OSPFv3 interface.
       d. Click OK.
    5. Click OK.
       A BFD column on the OSPF Interface tab indicates the BFD profile configured for the interface.


Step 5  (Optional) Enable BFD for RIP globally or for a single RIP interface.
    1. Select Network > Virtual Routers and select the virtual router where RIP is configured.
    2. Select the RIP tab.
    3. (Optional) In the BFD drop-down, select one of the following to enable BFD for all RIP interfaces on the virtual router and click OK:
       - default: Uses only default settings.
       - A BFD profile you configured: See Create a BFD profile.
       - New BFD Profile: Allows you to Create a BFD profile.
       Selecting None (Disable BFD) disables BFD for all RIP interfaces on the virtual router; you cannot enable BFD for a single RIP interface.
    4. (Optional) To enable BFD for a single RIP interface (and thereby override the BFD setting for RIP, as long as it is not disabled), perform the following tasks:
       a. Select the Interfaces tab and select an interface.
       b. In the BFD drop-down, select one of the following:
          - default: Uses only default settings.
          - Inherit-vr-global-setting (default): RIP interface inherits the BFD profile that you selected for RIP globally for the virtual router.
          - A BFD profile you configured: See Create a BFD profile.
          Selecting None (Disable BFD) disables BFD for the RIP interface.
       c. Click OK.
    5. Click OK.
       The BFD column on the Interface tab indicates the BFD profile configured for the interface.

Step 6  Save the configuration.
    Click Commit.

Step 7  View BFD summary and details.
    1. Select Network > Virtual Routers, find the virtual router you are interested in, and click More Runtime Stats.
    2. Select the BFD Summary Information tab to see summary information, such as BFD state and runtime statistics.
    3. (Optional) Select details in the row of the interface you are interested in to view Reference: BFD Details.

Step 8  Monitor BFD profiles referenced by a routing configuration; monitor BFD statistics, status, and state.
    Use the following CLI operational commands:
      show routing bfd active-profile [<name>]
      show routing bfd details [interface <name>] [local-ip <ip>] [multihop] [peer-ip <ip>] [session-id] [virtual-router <name>]
      show routing bfd drop-counters session-id <session-id>
      show counter global | match bfd

Step 9  (Optional) Clear BFD transmit, receive, and drop counters.
      clear routing bfd counters session-id all | <1-1024>


Step 10  (Optional) Clear BFD sessions for debugging.
      clear routing bfd session-state session-id all | <1-1024>


Reference: BFD Details

To see the following information for a virtual router, you can View BFD summary and details.

Name | Value (Example) | Description
Session ID | 1 | ID number of the BFD session.
Interface | ethernet1/12 | Interface you selected where BFD is running.
Protocol | STATIC(IPV4) OSPF | Static route (IP address family of static route) and/or dynamic routing protocol that is running BFD on the interface.
Local IP Address | 10.55.55.2 | IP address of interface.
Neighbor IP Address | 10.55.55.1 | IP address of BFD neighbor.
BFD Profile | default* (This BFD session has multiple BFD profiles. Lowest Desired Minimum Tx Interval (ms) is used to select the effective profile.) | Name of BFD profile applied to the interface. Because the sample interface has both a static route and OSPF running BFD with different profiles, the firewall uses the profile with the lowest Desired Minimum Tx Interval. In this example, the profile used is the default profile.
State (local/remote) | up/up | BFD states of the local and remote BFD peers. Possible states are admin down, down, init, and up.
Up Time | 2h 36m 21s 419ms | Length of time BFD has been up (hours, minutes, seconds, and milliseconds).
Discriminator (local/remote) | 1391591427/1 | Discriminators for local and remote BFD peers.
Mode | Active | Mode in which BFD is configured on the interface: Active or Passive.
Demand Mode | Disabled | PAN-OS does not support BFD Demand Mode, so it is always in Disabled state.
Multihop | Disabled | BFD multihop: Enabled or Disabled.
Multihop TTL | (empty) | TTL of multihop; range is 1-254. Field is empty if Multihop is disabled.
Local Diag Code | 0 (No Diagnostic) | Diagnostic codes indicating the reason for the local system's last change in state:
    0 No Diagnostic
    1 Control Detection Time Expired
    2 Echo Function Failed
    3 Neighbor Signaled Session Down
    4 Forwarding Plane Reset
    5 Path Down
    6 Concatenated Path Down
    7 Administratively Down
    8 Reverse Concatenated Path Down

PaloAltoNetworks,Inc. PANOS7.1AdministratorsGuide 775


Reference:BFDDetails Networking

Name Value(Example) Description

LastReceivedRemoteDiag 0(NoDiagnostic) DiagnosticcodelastreceivedfromBFDpeer.


Code

TransmitHoldTime 0ms Holdtime(inmilliseconds)afteralinkcomesupbeforeBFD


transmitsBFDcontrolpackets.Aholdtimeof0msmeansto
transmitimmediately.Rangeis0120000ms.

ReceivedMinRxInterval 1000ms MinimumRxintervalreceivedfromthepeer;theintervalat


whichtheBFDpeercanreceivecontrolpackets.Maximumis
2000ms.

NegotiatedTransmit 1000ms Transmitinterval(inmilliseconds)thattheBFDpeershave


Interval agreedtosendBFDcontrolpacketstoeachother.Maximumis
2000ms.

ReceivedMultiplier 3 DetectiontimemultipliervaluereceivedfromtheBFDpeer.The
TransmitTimemultipliedbytheMultiplierequalsthedetection
time.IfBFDdoesnotreceiveaBFDcontrolpacketfromitspeer
beforethedetectiontimeexpires,afailurehasoccurred.Range
is250.

DetectTime(exceeded) 3000ms(0) Calculateddetectiontime(NegotiatedTransmitInterval


multipliedbyMultiplier)andthenumberofmillisecondsthe
detectiontimeisexceeded.

TxControlPackets(last) 9383(420msago) NumberofBFDcontrolpacketstransmitted(andlengthoftime


sinceBFDtransmittedthemostrecentcontrolpacket).

RxControlPackets(last) 9384(407msago) NumberofBFDcontrolpacketsreceived(andlengthoftime


sinceBFDreceivedthemostrecentcontrolpacket).

AgentDataPlane Slot1DP0 OnPA7000Seriesfirewalls,thedataplaneCPUthatisassigned


tohandlepacketsforthisBFDsession.

Errors 0 NumberofBFDerrors.

Last Packet Causing State Change

Version 1 BFDversion.

PollBit 0 BFDpollbit;0indicatesnotset.

DesiredMinTxInterval 1000ms Desiredminimumtransmitintervaloflastpacketcausingstate


change.

RequiredMinRxInterval 1000ms Requiredminimumreceiveintervaloflastpacketcausingstate


change.

DetectMultiplier 3 DetectMultiplieroflastpacketcausingstatechange.

MyDiscriminator 1 Remotediscriminator.Adiscriminatorisaunique,nonzerovalue
thepeersusetodistinguishmultipleBFDsessionsbetween
them.

YourDiscriminator 1391591427 Localdiscriminator.Adiscriminatorisaunique,nonzerovalue


thepeersusetodistinguishmultipleBFDsessionsbetween
them.

DiagnosticCode 0(NoDiagnostic) Diagnosticcodeoflastpacketcausingstatechange.

776 PANOS7.1AdministratorsGuide PaloAltoNetworks,Inc.


Networking Reference:BFDDetails

Name Value(Example) Description

Length 24 LengthofBFDcontrolpacketinbytes.

DemandBit 0 PANOSdoesnotsupportBFDDemandmode,soDemandBitis
alwayssetto0(disabled).

FinalBit 0 PANOSdoesnotsupportthePollSequence,soFinalBitis
alwayssetto0(disabled).

MultipointBit 0 Thisbitisreservedforfuturepointtomultipointextensionsto
BFD.Itmustbezeroonbothtransmitandreceipt.

ControlPlaneIndependent 1 Ifsetto1,thetransmittingsystemsBFDimplementationdoes
Bit notsharefatewithitscontrolplane(i.e.,BFDisimplemented
intheforwardingplaneandcancontinuetofunctionthrough
disruptionsinthecontrolplane).InPANOS,thisbitisalways
setto1.
Ifsetto0,thetransmittingsystemsBFDimplementation
sharesfatewithitscontrolplane.

AuthenticationPresentBit 0 PANOSdoesnotsupportBFDAuthentication,sothe
AuthenticationPresentBitisalwayssetto0.

RequiredMinEchoRx 0ms PANOSdoesnotsupporttheBFDEchofunction,sothiswill


Interval alwaysbe0ms.

PaloAltoNetworks,Inc. PANOS7.1AdministratorsGuide 777
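The fields under Last Packet Causing State Change are the header of a BFD control packet as laid out in RFC 5880. The following Python script is an added example, not part of this guide and not PAN-OS code: it decodes the 24-byte header from a constructed packet that carries the table's example values, applies the RFC 5880 receive-side checks a BFD implementation performs before accepting a packet (note that with the Authentication Present bit at 0, as the table states for PAN-OS, nothing in the packet itself authenticates the peer), and derives the Detect Time shown in the table from the negotiated interval and the received multiplier. The sample bytes, the function names and the check list are this example's own.

```python
import struct

# RFC 5880 diagnostic codes, the same list the Local Diag Code row shows.
DIAG_CODES = {
    0: "No Diagnostic",
    1: "Control Detection Time Expired",
    2: "Echo Function Failed",
    3: "Neighbor Signaled Session Down",
    4: "Forwarding Plane Reset",
    5: "Path Down",
    6: "Concatenated Path Down",
    7: "Administratively Down",
    8: "Reverse Concatenated Path Down",
}
# RFC 5880 session states, as named in the State (local/remote) row.
STATES = {0: "admin down", 1: "down", 2: "init", 3: "up"}

# Constructed sample (not a capture): the packet the peer with discriminator 1
# sends to the local session whose discriminator is 1391591427, carrying the
# example values from the table above.
#   byte 0: version 1 (3 bits) | diag 0 (5 bits)          -> 0x20
#   byte 1: state up (3) | P=0 F=0 C=1 A=0 D=0 M=0         -> 0xC8
#   byte 2: detect multiplier 3; byte 3: length 24
#   then five big-endian 32-bit fields; intervals are microseconds on the wire
SAMPLE_PACKET = bytes([0x20, 0xC8, 0x03, 0x18]) + struct.pack(
    ">IIIII", 1, 1391591427, 1_000_000, 1_000_000, 0
)


def parse_bfd_control(pkt: bytes) -> dict:
    """Decode the mandatory 24-byte BFD control header (RFC 5880 section 4.1)."""
    if len(pkt) < 24:
        raise ValueError("BFD control packet shorter than the 24-byte header")
    b0, b1, detect_mult, length = pkt[0], pkt[1], pkt[2], pkt[3]
    my_disc, your_disc, des_min_tx, req_min_rx, req_min_echo = struct.unpack(
        ">IIIII", pkt[4:24]
    )
    fields = {
        "version": b0 >> 5,
        "diag_code": b0 & 0x1F,
        "state": STATES[b1 >> 6],
        "poll": bool(b1 & 0x20),
        "final": bool(b1 & 0x10),
        "control_plane_independent": bool(b1 & 0x08),
        "auth_present": bool(b1 & 0x04),
        "demand": bool(b1 & 0x02),
        "multipoint": bool(b1 & 0x01),
        "detect_mult": detect_mult,
        "length": length,
        "my_discriminator": my_disc,
        "your_discriminator": your_disc,
        # The BFD Details table reports the intervals in milliseconds.
        "desired_min_tx_ms": des_min_tx // 1000,
        "required_min_rx_ms": req_min_rx // 1000,
        "required_min_echo_rx_ms": req_min_echo // 1000,
    }
    fields["diag_text"] = DIAG_CODES.get(fields["diag_code"], "Unknown")
    return fields


def header_problems(fields: dict) -> list:
    """RFC 5880 section 6.8.6 reception checks that make a receiver discard the packet."""
    problems = []
    if fields["version"] != 1:
        problems.append("version is not 1")
    # An unauthenticated header is 24 bytes; with the A bit set an auth section follows.
    if fields["length"] < (26 if fields["auth_present"] else 24):
        problems.append("length field too small for the header it claims to carry")
    if fields["detect_mult"] == 0:
        problems.append("detect multiplier is zero")
    if fields["multipoint"]:
        problems.append("multipoint bit set")
    if fields["my_discriminator"] == 0:
        problems.append("my discriminator is zero")
    return problems


def negotiated_tx_interval_ms(local_desired_min_tx_ms, remote_required_min_rx_ms):
    """Interval actually used to transmit: the slower of what we want and what the peer accepts."""
    return max(local_desired_min_tx_ms, remote_required_min_rx_ms)


def detection_time_ms(remote_detect_mult, local_required_min_rx_ms, remote_desired_min_tx_ms):
    """Detect Time as the table defines it: the negotiated receive interval times the received multiplier."""
    return remote_detect_mult * max(local_required_min_rx_ms, remote_desired_min_tx_ms)


if __name__ == "__main__":
    f = parse_bfd_control(SAMPLE_PACKET)
    for name, value in f.items():
        print(f"{name:>28}: {value}")
    print("receive checks:", header_problems(f) or "none failed")
    print("detect time (ms):", detection_time_ms(f["detect_mult"], 1000, f["desired_min_tx_ms"]))
```

Run stand-alone, the script prints each header field next to the name the table uses, reports that the sample passes the RFC reception checks, and computes the 3000 ms Detect Time (1000 ms negotiated interval times the received multiplier of 3). Because PAN-OS never sets the Authentication Present bit, the discriminator pair is the only thing tying a received packet to a session, which is why BFD peers belong on directly connected, trusted links.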


Policy

Policies allow you to enforce rules and take action. The different types of policy rules that you can create on the firewall are: Security, NAT, Quality of Service (QoS), Policy Based Forwarding (PBF), Decryption, Application Override, Captive Portal, Denial of Service (DoS), and Zone protection policies. All these different policies work together to allow, deny, prioritize, forward, encrypt, decrypt, make exceptions, authenticate access, and reset connections as needed to help secure your network. The following topics describe how to work with policy:
• Policy Types
• Security Policy
• Policy Objects
• Security Profiles
• Best Practice Internet Gateway Security Policy
• Enumeration of Rules Within a Rulebase
• Move or Clone a Policy Rule or Object to a Different Virtual System
• Use Tags to Group and Visually Distinguish Objects
• Use an External Dynamic List in Policy
• Register IP Addresses and Tags Dynamically
• Monitor Changes in the Virtual Environment
• CLI Commands for Dynamic IP Addresses and Tags
• Identify Users Connected through a Proxy Server
• Policy Based Forwarding
• DoS Protection Against Flooding of New Sessions

Policy Types

The Palo Alto Networks next-generation firewall supports a variety of policy types that work together to safely enable applications on your network.

Policy Type
    Description

Security
    Determine whether to block or allow a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service. For more details, see Security Policy.
NAT
    Instruct the firewall which packets need translation and how to do the translation. The firewall supports both source address and/or port translation and destination address and/or port translation. For more details, see NAT.
QoS
    Identify traffic requiring QoS treatment (either preferential treatment or bandwidth limiting) using a defined parameter or multiple parameters and assign it a class. For more details, see Quality of Service.
Policy Based Forwarding
    Identify traffic that should use a different egress interface than the one that would normally be used based on the routing table. For details, see Policy Based Forwarding.
Decryption
    Identify encrypted traffic that you want to inspect for visibility, control, and granular security. For more details, see Decryption.
Application Override
    Identify sessions that you do not want processed by the App-ID engine, which is a Layer 7 inspection. Traffic matching an application override policy forces the firewall to handle the session as a regular stateful inspection firewall at Layer 4. For more details, see Manage Custom or Unknown Applications.
Captive Portal
    Identify traffic that requires the user to be known. The captive portal policy is only triggered if other User-ID mechanisms did not identify a user to associate with the source IP address. For more details, see Captive Portal.
DoS Protection
    Identify potential denial-of-service (DoS) attacks and take protective action in response to rule matches. See DoS Protection Profiles.


Security Policy

Security policy protects network assets from threats and disruptions and aids in optimally allocating network resources for enhancing productivity and efficiency in business processes. On the Palo Alto Networks firewall, individual security policy rules determine whether to block or allow a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service.

All traffic passing through the firewall is matched against a session and each session is matched against a security policy. When a session match occurs, the security policy is applied to bidirectional traffic (client to server and server to client) in that session. For traffic that doesn't match any defined rules, the default rules apply. The default rules, displayed at the bottom of the security rulebase, are predefined to allow all intrazone (within the zone) traffic and deny all interzone (between zones) traffic. Although these rules are part of the predefined configuration and are read-only by default, you can override them and change a limited number of settings, including the tags, action (allow or block), log settings, and security profiles.

Security policies are evaluated left to right and from top to bottom. A packet is matched against the first rule that meets the defined criteria; after a match is triggered the subsequent rules are not evaluated. Therefore, the more specific rules must precede more generic ones in order to enforce the best match criteria. Traffic that matches a rule generates a log entry at the end of the session in the traffic log, if logging is enabled for that rule. The logging options are configurable for each rule, and can for example be configured to log at the start of a session instead of, or in addition to, logging at the end of a session.
• Components of a Security Policy Rule
• Security Policy Actions
• Create a Security Policy Rule

Components of a Security Policy Rule

The security policy rule construct permits a combination of the required and optional fields as detailed in the following tables:
• Required Fields
• Optional Fields

Required Fields

Required Field
    Description

Name
    A label that supports up to 31 characters, used to identify the rule.
Rule Type
    Specifies whether the rule applies to traffic within a zone, between zones, or both:
    • universal (default): Applies the rule to all matching interzone and intrazone traffic in the specified source and destination zones. For example, if you create a universal rule with source zones A and B and destination zones A and B, the rule would apply to all traffic within zone A, all traffic within zone B, and all traffic from zone A to zone B and all traffic from zone B to zone A.
    • intrazone: Applies the rule to all matching traffic within the specified source zones (you cannot specify a destination zone for intrazone rules). For example, if you set the source zone to A and B, the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic between zones A and B.
    • interzone: Applies the rule to all matching traffic between the specified source and destination zones. For example, if you set the source zone to A, B, and C and the destination zone to A and B, the rule would apply to traffic from zone A to zone B, from zone B to zone A, from zone C to zone A, and from zone C to zone B, but not traffic within zones A, B, or C.
Source Zone
    The zone from which the traffic originates.
Destination Zone
    The zone at which the traffic terminates. If you use NAT, make sure to always reference the post-NAT zone.
Application
    The application which you wish to control. The firewall uses App-ID, the traffic classification technology, to identify traffic on your network. App-ID provides application control and visibility in creating security policies that block unknown applications, while enabling, inspecting, and shaping those that are allowed.
Action
    Specifies an Allow or Block action for the traffic based on the criteria you define in the rule. When you configure the firewall to block traffic, it either resets the connection or silently drops packets. To provide a better user experience, you can configure granular options to block traffic instead of silently dropping packets, which can cause some applications to break and appear unresponsive to the user. For more details, see Security Policy Actions.

Optional Fields

Optional Field
    Description

Tag
    A keyword or phrase that allows you to filter security rules. This is handy when you have defined many rules and wish to then review those that are tagged with a keyword such as IT-sanctioned applications or High-risk applications.
Description
    A text field, up to 255 characters, used to describe the rule.
Source IP Address
    Define host IP or FQDN, subnet, named groups, or country-based enforcement. If you use NAT, make sure to always refer to the original IP addresses in the packet (i.e. the pre-NAT IP address).
Destination IP Address
    The location or destination for the traffic. If you use NAT, make sure to always refer to the original IP addresses in the packet (i.e. the pre-NAT IP address).
User
    The user or group of users for whom the policy applies. You must have User-ID enabled on the zone. To enable User-ID, see User-ID Overview.
URL Category
    Using the URL Category as match criteria allows you to customize security profiles (Antivirus, Anti-Spyware, Vulnerability, File Blocking, Data Filtering, and DoS) on a per-URL-category basis. For example, you can prevent .exe file download/upload for URL categories that represent higher risk while allowing them for other categories. This functionality also allows you to attach schedules to specific URL categories (allow social-media websites during lunch & after hours), mark certain URL categories with QoS (financial, medical, and business), and select different log forwarding profiles on a per-URL-category basis.
    Although you can manually configure URL categories on your firewall, to take advantage of the dynamic URL categorization updates available on the Palo Alto Networks firewalls, you must purchase a URL filtering license.
    To block or allow traffic based on URL category, you must apply a URL Filtering profile to the security policy rules. Define the URL Category as Any and attach a URL Filtering profile to the security policy. See Define Basic Security Policy Rules for information on using the default profiles in your security policy and see Control Access to Web Content for more details.
Service
    Allows you to select a Layer 4 (TCP or UDP) port for the application. You can choose any, specify a port, or use application-default to permit use of the standards-based port for the application. For example, for applications with well-known port numbers such as DNS, the application-default option will match against DNS traffic only on TCP port 53. You can also add a custom application and define the ports that the application can use.
    For inbound allow rules (for example, from untrust to trust), using application-default prevents applications from running on unusual ports and protocols. Application-default is the default option; while the firewall still checks for all applications on all ports, with this configuration, applications are only allowed on their standard ports/protocols.
Security Profiles
    Provide additional protection from threats, vulnerabilities, and data leaks. Security profiles are only evaluated for rules that have an allow action.
HIP Profile (for GlobalProtect)
    Allows you to identify clients with Host Information Profile (HIP) and then enforce access privileges.
Options
    Allow you to define logging for the session, log forwarding settings, change Quality of Service (QoS) markings for packets that match the rule, and schedule when (day and time) the security rule should be in effect.


Security Policy Actions

For traffic that matches the attributes defined in a security policy, you can apply the following actions:

Action
    Description

Allow (default action)
    Allows the traffic.
Deny
    Blocks traffic and enforces the default Deny Action defined for the application that is being denied. To view the deny action defined by default for an application, view the application details in Objects > Applications or check the application details in Applipedia.
Drop
    Silently drops the traffic; for an application, it overrides the default deny action. A TCP reset is not sent to the host/application.
    For Layer 3 interfaces, to optionally send an ICMP unreachable response to the client, set Action: Drop and enable the Send ICMP Unreachable check box. When enabled, the firewall sends the ICMP code for communication with the destination is administratively prohibited (ICMPv4: Type 3, Code 13; ICMPv6: Type 1, Code 1).
Reset client
    Sends a TCP reset to the client-side device.
Reset server
    Sends a TCP reset to the server-side device.
Reset both
    Sends a TCP reset to both the client-side and server-side devices.

A reset is sent only after a session is formed. If the session is blocked before a 3-way handshake is completed, the firewall will not send the reset.
For a TCP session with a reset action, the firewall does not send an ICMP Unreachable response.
For a UDP session with a drop or reset action, if the ICMP Unreachable check box is selected, the firewall sends an ICMP message to the client.
Create a Security Policy Rule

Step 1  (Optional) Delete the default security policy rule.
    By default, the firewall includes a security rule named rule1 that allows all traffic from Trust zone to Untrust zone. You can either delete the rule or modify the rule to reflect your zone-naming conventions.

Step 2  Add a rule.
    1. Select Policies > Security and click Add.
    2. Enter a descriptive Name for the rule in the General tab.
    3. Select a Rule Type.

Step 3  Define the matching criteria for the source fields in the packet.
    1. In the Source tab, select a Source Zone.
    2. Specify a Source IP Address or leave the value set to any.
    3. Specify a Source User or leave the value set to any.

Step 4  Define the matching criteria for the destination fields in the packet.
    4. In the Destination tab, set the Destination Zone.
    5. Specify a Destination IP Address or leave the value set to any.
    As a best practice, consider using address objects in the Destination Address field to enable access to specific servers or groups of servers only, particularly for services such as DNS and SMTP that are commonly exploited. By restricting users to specific destination server addresses you can prevent data exfiltration and command-and-control traffic from establishing communication through techniques such as DNS tunneling.

Step 5  Specify the application the rule will allow or block.
    As a best practice, always use application-based security policy rules instead of port-based rules and always set the Service to application-default unless you are using a more restrictive list of ports than the standard ports for an application.
    1. In the Applications tab, Add the Application to safely enable. You can select multiple applications, or use application groups or application filters.
    2. In the Service/URL Category tab, keep the Service set to application-default to ensure that any applications the rule allows are only allowed on their standard ports.

Step 6  (Optional) Specify a URL category as match criteria for the rule.
    In the Service/URL Category tab, select the URL Category. If you select a URL category, only web traffic will match the rule and only if the traffic is to the specified category.

Step 7  Define what action you want the firewall to take for traffic that matches the rule.
    In the Actions tab, select an Action. See Security Policy Actions for a description of each action.

Step 8  Configure the log settings.
    By default, the rule is set to Log at Session End. You can clear this setting if you don't want any logs generated when traffic matches this rule, or select Log at Session Start for more detailed logging.
    Select a Log Forwarding profile.

Step 9  Attach security profiles to enable the firewall to scan all allowed traffic for threats.
    See Create Best Practice Security Profiles to learn how to create security profiles that protect your network from both known and unknown threats.
    In the Actions tab, select Profiles from the Profile Type drop-down and then select the individual security profiles to attach to the rule. Alternatively, select Group from the Profile Type drop-down and select a security Group Profile to attach.

Step 10  Save the policy rule to the running configuration on the firewall.
    Click Commit.

Step 11  To verify that you have set up your basic policies effectively, test whether your security policy rules are being evaluated and determine which security policy rule applies to a traffic flow.
    To verify the policy rule that matches a flow, use the following CLI command:
        test security-policy-match source <IP_address> destination <IP_address> destination-port <port_number> protocol <protocol_number>
    The output displays the best rule that matches the source and destination IP address specified in the CLI command.
    For example, to verify the policy rule that will be applied for a server in the data center with the IP address 208.90.56.11 when it accesses the Microsoft update server:
        test security-policy-match source 208.80.56.11 destination 176.9.45.70 destination-port 80 protocol 6

        "Updates-DC to Internet" {
            from data_center_applications;
            source any;
            source-region any;
            to untrust;
            destination any;
            destination-region any;
            user any;
            category any;
            application/service[dns/tcp/any/53 dns/udp/any/53 dns/udp/any/5353 ms-update/tcp/any/80 ms-update/tcp/any/443];
            action allow;
            terminal yes;
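To make the Rule Type semantics, the application-default service setting and the first-match ordering concrete, here is an added Python model. It is this example's own code, not the PAN-OS policy engine and not what test security-policy-match runs: it evaluates a constructed rulebase top to bottom, applies the universal, intrazone and interzone zone tests exactly as the Rule Type row defines them, limits an application under application-default to the standard port/protocol pairs the command output above lists (dns on tcp/53, udp/53 and udp/5353; ms-update on tcp/80 and tcp/443), and lets unmatched traffic fall through to the predefined intrazone-allow and interzone-deny defaults. The zone names A, B, C, data_center and untrust, the rule names other than "Updates-DC to Internet", and the ftp rule are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Standard ports for the two applications shown in the guide's
# test security-policy-match output; used here to model application-default.
APP_DEFAULT_PORTS = {
    "dns": {("tcp", 53), ("udp", 53), ("udp", 5353)},
    "ms-update": {("tcp", 80), ("tcp", 443)},
}


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    app: str
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    rule_type: str = "universal"        # universal | intrazone | interzone
    src_zones: set = field(default_factory=lambda: {"any"})
    dst_zones: set = field(default_factory=lambda: {"any"})
    apps: set = field(default_factory=lambda: {"any"})
    service: str = "application-default"  # or "any"

    @staticmethod
    def _in(allowed: set, value: str) -> bool:
        return "any" in allowed or value in allowed

    def matches(self, f: Flow) -> bool:
        src_ok = self._in(self.src_zones, f.src_zone)
        dst_ok = self._in(self.dst_zones, f.dst_zone)
        same_zone = f.src_zone == f.dst_zone
        if self.rule_type == "intrazone":
            # No destination zone on intrazone rules: traffic stays inside a listed source zone.
            zone_ok = same_zone and src_ok
        elif self.rule_type == "interzone":
            zone_ok = (not same_zone) and src_ok and dst_ok
        else:  # universal: both intrazone and interzone traffic between the listed zones
            zone_ok = src_ok and dst_ok
        if not zone_ok or not self._in(self.apps, f.app):
            return False
        if self.service == "application-default":
            # Only the application's standard port/protocol pairs match.
            return (f.proto, f.dport) in APP_DEFAULT_PORTS.get(f.app, set())
        return True


def evaluate(rules: list, f: Flow) -> tuple:
    """First matching rule wins; unmatched traffic falls to the predefined default rules."""
    for r in rules:
        if r.matches(f):
            return r.name, r.action
    if f.src_zone == f.dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# Constructed rulebase in evaluation order: the narrow deny sits above the broad allow.
RULES = [
    Rule("Updates-DC to Internet", "allow", "universal",
         src_zones={"data_center"}, dst_zones={"untrust"}, apps={"dns", "ms-update"}),
    Rule("Lab-intrazone", "allow", "intrazone", src_zones={"A", "B"}, service="any"),
    Rule("Lab-block-ftp-A-to-B", "deny", "interzone",
         src_zones={"A"}, dst_zones={"B"}, apps={"ftp"}, service="any"),
    Rule("Lab-interzone", "allow", "interzone",
         src_zones={"A", "B", "C"}, dst_zones={"A", "B"}, service="any"),
]


if __name__ == "__main__":
    for flow in [Flow("data_center", "untrust", "ms-update", "tcp", 443),
                 Flow("data_center", "untrust", "dns", "tcp", 8053),
                 Flow("A", "B", "ftp", "tcp", 21),
                 Flow("C", "C", "web-browsing", "tcp", 80)]:
        print(flow, "->", evaluate(RULES, flow))
```

The dns flow on tcp/8053 shows the point of application-default: the allow rule lists dns, but the nonstandard port fails the service test, so the flow keeps falling through and ends at the interzone default deny. Swapping the order of the two interzone lab rules turns the ftp deny into an allow, which is the first-match behaviour the section warns about.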


Policy Objects

A policy object is a single object or a collective unit that groups discrete identities such as IP addresses, URLs, applications, or users. With policy objects that are a collective unit, you can reference the object in security policy instead of manually selecting multiple objects one at a time. Typically, when creating a policy object, you group objects that require similar permissions in policy. For example, if your organization uses a set of server IP addresses for authenticating users, you can group the set of server IP addresses as an address group policy object and reference the address group in the security policy. By grouping objects, you can significantly reduce the administrative overhead in creating policies.

You can create the following policy objects on the firewall:

Policy Object
    Description

Address/Address Group, Region
    Allow you to group specific source or destination addresses that require the same policy enforcement. The address object can include an IPv4 or IPv6 address (single IP, range, subnet) or the FQDN. Alternatively, a region can be defined by the latitude and longitude coordinates or you can select a country and define an IP address or IP range. You can then group a collection of address objects to create an address group object.
    You can also use dynamic address groups to dynamically update IP addresses in environments where host IP addresses change frequently.
User/User Group
    Allow you to create a list of users from the local database or an external database and group them.
Application Group and Application Filter
    An Application Filter allows you to filter applications dynamically. It allows you to filter, and save a group of applications using the attributes defined in the application database on the firewall. For example, you can Create an Application Filter by one or more attributes: category, subcategory, technology, risk, characteristics. With an application filter, when a content update occurs, any new applications that match your filter criteria are automatically added to your saved application filter.
    An Application Group allows you to create a static group of specific applications that you want to group together for a group of users or for a particular service, or to achieve a particular policy goal. See Create an Application Group.
Service/Service Groups
    Allows you to specify the source and destination ports and protocol that a service can use. The firewall includes two predefined services, service-http and service-https, that use TCP ports 80 and 8080 for HTTP, and TCP port 443 for HTTPS. You can however, create any custom service on any TCP/UDP port of your choice to restrict application usage to specific ports on your network (in other words, you can define the default port for the application).
    To view the standard ports used by an application, in Objects > Applications search for the application and click the link. A succinct description displays.


Security Profiles

While security policy rules enable you to allow or block traffic on your network, security profiles help you define an allow but scan rule, which scans allowed applications for threats, such as viruses, malware, spyware, and DDOS attacks. When traffic matches the allow rule defined in the security policy, the security profile(s) that are attached to the rule are applied for further content inspection rules such as antivirus checks and data filtering.

Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy.

The firewall provides default security profiles that you can use out of the box to begin protecting your network from threats. See Set Up a Basic Security Policy for information on using the default profiles in your security policy. As you get a better understanding about the security needs on your network, you can create custom profiles. See Scan Traffic for Threats for more information.

For recommendations on the best-practice settings for security profiles, see Create Best Practice Security Profiles.

You can add security profiles that are commonly applied together to a Security Profile Group; this set of profiles can be treated as a unit and added to security policies in one step (or included in security policies by default, if you choose to set up a default security profile group).

The following topics provide more detailed information about each type of security profile and how to set up a security profile group:
• Antivirus Profiles
• Anti-Spyware Profiles
• Vulnerability Protection Profiles
• URL Filtering Profiles
• Data Filtering Profiles
• File Blocking Profiles
• WildFire Analysis Profiles
• DoS Protection Profiles
• Zone Protection Profiles
• Security Profile Group


Antivirus Profiles

Antivirus profiles protect against viruses, worms, and trojans as well as spyware downloads. Using a stream-based malware prevention engine, which inspects traffic the moment the first packet is received, the Palo Alto Networks antivirus solution can provide protection for clients without significantly impacting the performance of the firewall. This profile scans for a wide variety of malware in executables, PDF files, HTML and JavaScript viruses, including support for scanning inside compressed files and data encoding schemes. If you have enabled Decryption on the firewall, the profile also enables scanning of decrypted content.

The default profile inspects all of the listed protocol decoders for viruses, and generates alerts for SMTP, IMAP, and POP3 protocols while blocking for FTP, HTTP, and SMB protocols. You can configure the action for a decoder or Antivirus signature and specify how the firewall responds to a threat event:

Action
    Description

Default
    For each threat signature and Antivirus signature that is defined by Palo Alto Networks, a default action is specified internally. Typically, the default action is an alert or a reset-both. The default action is displayed in parenthesis, for example default (alert) in the threat or Antivirus signature.
Allow
    Permits the application traffic.
Alert
    Generates an alert for each application traffic flow. The alert is saved in the threat log.
Drop
    Drops the application traffic.
Reset Client
    For TCP, resets the client-side connection. For UDP, drops the connection.
Reset Server
    For TCP, resets the server-side connection. For UDP, drops the connection.
Reset Both
    For TCP, resets the connection on both client and server ends. For UDP, drops the connection.

Customized profiles can be used to minimize antivirus inspection for traffic between trusted security zones, and to maximize the inspection of traffic received from untrusted zones, such as the internet, as well as the traffic sent to highly sensitive destinations, such as server farms.

The Palo Alto Networks WildFire system also provides signatures for persistent threats that are more evasive and have not yet been discovered by other antivirus solutions. As threats are discovered by WildFire, signatures are quickly created and then integrated into the standard Antivirus signatures that can be downloaded by Threat Prevention subscribers on a daily basis (sub-hourly for WildFire subscribers).

Anti-Spyware Profiles

Anti-Spyware profiles block spyware on compromised hosts from trying to phone home or beacon out to external command-and-control (C2) servers, allowing you to detect malicious traffic leaving the network from infected clients. You can apply various levels of protection between zones. For example, you may want to have custom Anti-Spyware profiles that minimize inspection between trusted zones, while maximizing inspection on traffic received from an untrusted zone, such as internet-facing zones.

You can define your own custom Anti-Spyware profiles, or choose one of the following predefined profiles when applying Anti-Spyware to a Security policy rule:
• Default: Uses the default action for every signature, as specified by Palo Alto Networks when the signature is created.
• Strict: Overrides the default action of critical, high, and medium severity threats to the block action, regardless of the action defined in the signature file. This profile still uses the default action for medium and informational severity signatures.

When the firewall detects a threat event, you can configure the following actions in an Anti-Spyware profile:
• Default: For each threat signature and Anti-Spyware signature that is defined by Palo Alto Networks, a default action is specified internally. Typically the default action is an alert or a reset-both. The default action is displayed in parenthesis, for example default (alert) in the threat or Antivirus signature.
• Allow: Permits the application traffic.
• Alert: Generates an alert for each application traffic flow. The alert is saved in the threat log.
• Drop: Drops the application traffic.
• Reset Client: For TCP, resets the client-side connection. For UDP, drops the connection.
• Reset Server: For TCP, resets the server-side connection. For UDP, drops the connection.
• Reset Both: For TCP, resets the connection on both client and server ends. For UDP, drops the connection.
• Block IP: This action blocks traffic from either a source or a source-destination pair. It is configurable for a specified period of time.

In addition, you can enable the DNS Sinkholing action in Anti-Spyware profiles to enable the firewall to forge a response to a DNS query for a known malicious domain, causing the malicious domain name to resolve to an IP address that you define. This feature helps to identify infected hosts on the protected network using DNS traffic. Infected hosts can then be easily identified in the traffic and threat logs because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.

Anti-Spyware and Vulnerability Protection profiles are configured similarly.
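Turning the sinkhole into a list of hosts to remediate is a log question. The following Python is an added example, not a PAN-OS feature and not its log format: it scans constructed, simplified traffic-log lines for sessions whose destination is the configured sinkhole address and counts them per source. The sinkhole address 203.0.113.10 (documentation range) and the log lines are constructed for the example.

```python
from collections import Counter
import csv
import io

# Constructed sinkhole address (documentation range). In a deployment this is the
# address configured as the DNS Sinkhole target in the Anti-Spyware profile.
SINKHOLE_IP = "203.0.113.10"

# Constructed, simplified log lines (not the PAN-OS traffic log format):
# time, source, destination, destination port, application, action
SAMPLE_LOG = """\
2016/06/07 10:01:02,10.1.1.15,203.0.113.10,80,web-browsing,allow
2016/06/07 10:01:05,10.1.1.15,203.0.113.10,443,ssl,allow
2016/06/07 10:02:11,10.1.1.42,198.51.100.7,443,ssl,allow
2016/06/07 10:03:40,10.1.2.9,203.0.113.10,8080,unknown-tcp,allow
2016/06/07 10:04:00,10.1.1.15,203.0.113.10,80,web-browsing,allow
"""


def sinkhole_hits(log_text: str, sinkhole_ip: str = SINKHOLE_IP) -> Counter:
    """Count sessions to the sinkhole address per source IP."""
    hits = Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 6:
            continue  # skip blank or malformed lines
        _time, src, dst, _port, _app, _action = row[:6]
        if dst == sinkhole_ip:
            hits[src] += 1
    return hits


def suspect_hosts(log_text: str, sinkhole_ip: str = SINKHOLE_IP, min_hits: int = 1) -> list:
    """Sources with at least min_hits sinkhole sessions, most active first."""
    counts = sinkhole_hits(log_text, sinkhole_ip)
    return [src for src, n in counts.most_common() if n >= min_hits]


if __name__ == "__main__":
    for src, n in sinkhole_hits(SAMPLE_LOG).most_common():
        print(f"{src:<12} {n} session(s) to sinkhole {SINKHOLE_IP}")
    print("hosts to investigate:", suspect_hosts(SAMPLE_LOG))
```

The reason to read the traffic log rather than only the DNS threat log is the one the section gives: the DNS query usually arrives from the internal resolver, whereas the follow-on connection to the sinkhole address comes from the infected client itself, so the source address in these sessions is the host to investigate.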

Vulnerability Protection Profiles

Vulnerability Protection profiles stop attempts to exploit system flaws or gain unauthorized access to systems. While Anti-Spyware profiles help identify infected hosts as traffic leaves the network, Vulnerability Protection profiles protect against threats entering the network. For example, Vulnerability Protection profiles help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default Vulnerability Protection profile protects clients and servers from all known critical, high, and medium-severity threats. You can also create exceptions, which allow you to change the response to a specific signature.

To configure how the firewall responds to a threat, see Anti-Spyware Profiles for a list of supported actions.

URL Filtering Profiles

URL Filtering profiles enable you to monitor and control how users access the web over HTTP and HTTPS. The firewall comes with a default profile that is configured to block websites such as known malware sites, phishing sites, and adult content sites. You can use the default profile in a security policy, clone it to be used as a starting point for new URL filtering profiles, or add a new URL profile that will have all categories set to allow for visibility into the traffic on your network. You can then customize the newly added URL profiles and add lists of specific websites that should always be blocked or allowed, which provides more granular control over URL categories.


Policy SecurityProfiles

Data Filtering Profiles

Data filtering profiles prevent sensitive information such as credit card or social security numbers from leaving a protected network. The data filtering profile also allows you to filter on keywords, such as a sensitive project name or the word confidential. It is important to focus your profile on the desired file types to reduce false positives. For example, you may only want to search Word documents or Excel spreadsheets. You may also only want to scan web-browsing traffic, or FTP.
You can use default profiles, or create custom data patterns. There are two default profiles:
- CC# (Credit Card): Identifies credit card numbers using a hash algorithm. The content must match the hash algorithm in order for data to be detected as a credit card number. This method reduces false positives.
- SSN# (Social Security Number): Uses an algorithm to detect nine-digit numbers, regardless of format. There are two fields: SSN# and SSN# (no dash).

Weight and Threshold Values

It is important to understand how the weight of an object (SSN, CC#, pattern) is calculated in order to set the appropriate threshold for a condition you are trying to filter. Each occurrence is multiplied by the weight value, and the results are added together in order to reach an action threshold (alert or block).

Example: Filter for Social Security Numbers Only

For simplicity, if you only want to filter files with Social Security Numbers (SSN) and you define a weight of 3 for SSN#, you would use the following formula: each instance of an SSN x weight = threshold increment. In this case, if a Word document has 10 social security numbers you multiply that by the weight of 3, so 10 x 3 = 30. In order to take action for a file that contains 10 social security numbers you would set the threshold to 30. You may want to set an alert at 30 and then block at 60. You may also want to set a weight in the field SSN# (no dash) for Social Security Numbers that do not contain dashes. If multiple settings are used, they accumulate to reach a given threshold.

Example: Filter for Social Security Numbers and a Custom Pattern

In this example, we will filter on files that contain Social Security Numbers and the custom pattern confidential. In other words, if a file has Social Security Numbers in addition to the word confidential and the combined instances of those items hit the threshold, the file will trigger an alert or block, depending on the action setting.
- SSN# weight = 3
- Custom Pattern confidential weight = 20
The custom pattern is case-sensitive.
If the file contains 20 Social Security Numbers and a weight of 3 is configured, that is 20 x 3 = 60. If the file also contains one instance of the term confidential and a weight of 20 is configured, that is 1 x 20 = 20, for a total of 80. If your threshold for block is set to 80, this scenario would block the file. The alert or block action is triggered as soon as the threshold is hit.
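The weight and threshold arithmetic of the two examples above, as an added Python model that is not part of the original guide: it scores constructed sample documents with the weights from the examples (SSN# = 3, custom pattern confidential = 20) and returns the resulting action, and it reports the offset at which the running score first hits a threshold. The regular expressions stand in for the firewall's own SSN detection, which the guide does not describe, and the class, function and field names are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Simplified stand-ins for the two SSN# fields (assumption: the guide does not
# describe the firewall's actual nine-digit detection algorithm).
SSN_SCANNERS = {
    "SSN#": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),  # 123-45-6789
    "SSN# (no dash)": re.compile(r"(?<!\d)\d{9}(?!\d)"),    # 123456789
}


@dataclass
class DataFilteringProfile:
    """Per-object weights and the two action thresholds (field names are mine)."""
    weights: Dict[str, int]        # object name -> weight; absent means not scanned
    alert_threshold: int
    block_threshold: int
    custom_patterns: Dict[str, str] = field(default_factory=dict)  # name -> literal


def find_hits(profile: DataFilteringProfile, content: str) -> List[Tuple[int, str]]:
    """Return (offset, object name) for each detected object, in document order."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in SSN_SCANNERS.items():
        if profile.weights.get(name):
            hits += [(m.start(), name) for m in pattern.finditer(content)]
    for name, literal in profile.custom_patterns.items():
        # Custom patterns are case-sensitive: "Confidential" is not "confidential".
        hits += [(m.start(), name) for m in re.finditer(re.escape(literal), content)]
    return sorted(hits)


def evaluate(profile: DataFilteringProfile, content: str) -> Tuple[str, int, Dict[str, int]]:
    """Sum occurrences x weight over all objects and map the total to an action."""
    counts: Dict[str, int] = {}
    for _, name in find_hits(profile, content):
        counts[name] = counts.get(name, 0) + 1
    total = sum(n * profile.weights.get(name, 0) for name, n in counts.items())
    if total >= profile.block_threshold:
        action = "block"
    elif total >= profile.alert_threshold:
        action = "alert"
    else:
        action = "none"
    return action, total, counts


def trigger_offset(profile: DataFilteringProfile, content: str, threshold: int) -> Optional[int]:
    """Offset at which the running score first reaches the threshold (the guide
    notes that the action fires as soon as the threshold is hit), or None."""
    running = 0
    for start, name in find_hits(profile, content):
        running += profile.weights.get(name, 0)
        if running >= threshold:
            return start
    return None


# Profiles from the guide's two examples (the alert value of the second is assumed).
SSN_ONLY_PROFILE = DataFilteringProfile(
    weights={"SSN#": 3, "SSN# (no dash)": 3}, alert_threshold=30, block_threshold=60)
SSN_AND_PATTERN_PROFILE = DataFilteringProfile(
    weights={"SSN#": 3, "confidential": 20}, alert_threshold=30, block_threshold=80,
    custom_patterns={"confidential": "confidential"})


# Constructed sample documents built from obviously fake SSN-shaped values.
def _dashed(i: int) -> str:
    return f"123-45-{6000 + i:04d}"


def _no_dash(i: int) -> str:
    return f"12345{6000 + i:04d}"


TEN_SSNS = " ".join(_dashed(i) for i in range(10))                      # 10 x 3 = 30
MIXED_SSNS = " ".join([_dashed(i) for i in range(5)] + [_no_dash(i) for i in range(5)])
TWENTY_SSNS_CONFIDENTIAL = (" ".join(_dashed(i) for i in range(20))
                            + "\nConfidential draft, marked confidential\n")  # 60 + 20 = 80
TWENTY_SSNS_CAPITALIZED = " ".join(_dashed(i) for i in range(20)) + "\nConfidential\n"


if __name__ == "__main__":
    for label, profile, doc in [
        ("10 SSNs, SSN-only profile", SSN_ONLY_PROFILE, TEN_SSNS),
        ("5 dashed + 5 no-dash SSNs", SSN_ONLY_PROFILE, MIXED_SSNS),
        ("20 SSNs + 'confidential'", SSN_AND_PATTERN_PROFILE, TWENTY_SSNS_CONFIDENTIAL),
        ("20 SSNs + 'Confidential' only", SSN_AND_PATTERN_PROFILE, TWENTY_SSNS_CAPITALIZED),
    ]:
        action, total, counts = evaluate(profile, doc)
        print(f"{label}: score={total} counts={counts} -> {action}")
```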


File Blocking Profiles

The firewall uses file blocking profiles to block specified file types over specified applications and in the specified session flow direction (inbound/outbound/both). You can set the profile to alert or block on upload and/or download and you can specify which applications will be subject to the file blocking profile. You can also configure custom block pages that will appear when a user attempts to download the specified file type. This allows the user to take a moment to consider whether or not they want to download a file.
Configure a file blocking profile with the following actions:
- Alert: When the specified file type is detected, a log is generated in the data filtering log.
- Block: When the specified file type is detected, the file is blocked and a customizable block page is presented to the user. A log is also generated in the data filtering log.
- Continue: When the specified file type is detected, a customizable response page is presented to the user. The user can click through the page to download the file. A log is also generated in the data filtering log. Because this type of forwarding action requires user interaction, it is only applicable for web traffic.

WildFire Analysis Profiles

Use a WildFire analysis profile to enable the firewall to forward unknown files or email links for WildFire analysis. Specify files to be forwarded for analysis based on application, file type, and transmission direction (upload or download). Files or email links matched to the profile rule are forwarded to either the WildFire public cloud or the WildFire private cloud (hosted with a WF-500 appliance), depending on the analysis location defined for the rule.
You can also use WildFire analysis profiles to set up a WildFire hybrid cloud deployment. If you are using a WildFire appliance to analyze sensitive files locally (such as PDFs), you can specify that less sensitive file types (such as PE files) or file types that are not supported for WildFire appliance analysis (such as APKs) be analyzed by the WildFire public cloud. Using both the WildFire appliance and the WildFire cloud for analysis allows you to benefit from a prompt verdict for files that have already been processed by the cloud, and for files that are not supported for appliance analysis, and frees up the appliance capacity to process sensitive content.

DoS Protection Profiles

DoS protection profiles provide detailed control for Denial of Service (DoS) protection policies. DoS policies allow you to control the number of sessions between interfaces, zones, addresses, and countries based on aggregate sessions or source and/or destination IP addresses. There are two DoS protection mechanisms that the Palo Alto Networks firewalls support.
- Flood Protection: Detects and prevents attacks where the network is flooded with packets, resulting in too many half-open sessions and/or services being unable to respond to each request. In this case the source address of the attack is usually spoofed. See DoS Protection Against Flooding of New Sessions.
- Resource Protection: Detects and prevents session exhaustion attacks. In this type of attack, a large number of hosts (bots) are used to establish as many fully established sessions as possible to consume all of a system's resources.
You can enable both types of protection mechanisms in a single DoS protection profile.

The DoS profile is used to specify the type of action to take and details on matching criteria for the DoS policy. The DoS profile defines settings for SYN, UDP, and ICMP floods, can enable resource protection, and defines the maximum number of concurrent connections. After you configure the DoS protection profile, you then attach it to a DoS policy.
When configuring DoS protection, it is important to analyze your environment in order to set the correct thresholds, and due to some of the complexities of defining DoS protection policies, this guide will not go into detailed examples. For more information, refer to the Threat Prevention Tech Note.

Zone Protection Profiles

Zone protection profiles provide additional protection between specific network zones in order to protect the zones against attack. The profile must be applied to the entire zone, so it is important to carefully test the profiles in order to prevent issues that may arise with the normal traffic traversing the zones. When defining packets per second (pps) threshold limits for zone protection profiles, the threshold is based on the packets per second that do not match a previously established session. For more information, refer to the Threat Prevention Tech Note.

Security Profile Group

A security profile group is a set of security profiles that can be treated as a unit and then easily added to security policies. Profiles that are often assigned together can be added to profile groups to simplify the creation of security policies. You can also set up a default security profile group: new security policies will use the settings defined in the default profile group to check and control traffic that matches the security policy. Name a security profile group default to allow the profiles in that group to be added to new security policies by default. This allows you to consistently include your organization's preferred profile settings in new policies automatically, without having to manually add security profiles each time you create new rules.

For recommendations on the best practice settings for security profiles, see Create Best Practice Security Profiles.

The following sections show how to create a security profile group and how to enable a profile group to be used by default in new security policies:
- Create a Security Profile Group
- Set Up or Override a Default Security Profile Group


Create a Security Profile Group

Use the following steps to create a security profile group and add it to a security policy.

Step 1  Create a security profile group.
    If you name the group default, the firewall will automatically attach it to any new rules you create. This is a time saver if you have a preferred set of security profiles that you want to make sure get attached to every new rule.
    1. Select Objects > Security Profile Groups and Add a new security profile group.
    2. Give the profile group a descriptive Name, for example, Threats.
    3. If the firewall is in Multiple Virtual System Mode, enable the profile to be Shared by all virtual systems.
    4. Add existing profiles to the group.
    5. Click OK to save the profile group.

Step 2  Add a security profile group to a security policy.
    1. Select Policies > Security and Add or modify a security policy rule.
    2. Select the Actions tab.
    3. In the Profile Setting section, select Group for the Profile Type.
    4. In the Group Profile drop-down, select the group you created (for example, select the best practice group).
    5. Click OK to save the policy and Commit your changes.

Step 3  Save your changes. Click Commit.


Set Up or Override a Default Security Profile Group

Use the following options to set up a default security profile group to be used in new security policies, or to override an existing default group. When an administrator creates a new security policy, the default profile group will be automatically selected as the policy's profile settings, and traffic matching the policy will be checked according to the settings defined in the profile group (the administrator can choose to manually select different profile settings if desired).

If no default security profile group exists, the profile settings for a new security policy are set to None by default.

Create a security profile group.
    1. Select Objects > Security Profile Groups and Add a new security profile group.
    2. Give the profile group a descriptive Name, for example, Threats.
    3. If the firewall is in Multiple Virtual System Mode, enable the profile to be Shared by all virtual systems.
    4. Add existing profiles to the group. For details on creating profiles, see Security Profiles.
    5. Click OK to save the profile group.
    6. Add the security profile group to a security policy.
    7. Add or modify a security policy rule and select the Actions tab.
    8. Select Group for the Profile Type.
    9. In the Group Profile drop-down, select the group you created (for example, select the Threats group).
    10. Click OK to save the policy and Commit your changes.

Set up a default security profile group.
    1. Select Objects > Security Profile Groups and add a new security profile group or modify an existing security profile group.
    2. Name the security profile group default.
    3. Click OK and Commit.
    4. Confirm that the default security profile group is included in new security policies by default:
       a. Select Policies > Security and Add a new security policy.
       b. Select the Actions tab and view the Profile Setting fields.
    By default, the new security policy correctly shows the Profile Type set to Group and the default Group Profile selected.

Override a default security profile group.
    If you have an existing default security profile group, and you do not want that set of profiles to be attached to a new security policy, you can continue to modify the Profile Setting fields according to your preference. Begin by selecting a different Profile Type for your policy (Policies > Security > Security Policy Rule > Actions).


Best Practice Internet Gateway Security Policy

One of the cheapest and easiest ways for an attacker to gain access to your network is through users accessing the internet. By successfully exploiting an endpoint, an attacker can take hold in your network and begin to move laterally towards the end goal, whether that is to steal your source code, exfiltrate your customer data, or take down your infrastructure. To protect your network from cyberattack and improve your overall security posture, implement a best practice internet gateway security policy. A best practice policy allows you to safely enable applications, users, and content by classifying all traffic, across all ports, all the time.
The following topics describe the overall process for deploying a best practice internet gateway security policy and provide detailed instructions for creating it.
- What Is a Best Practice Internet Gateway Security Policy?
- Why Do I Need a Best Practice Internet Gateway Security Policy?
- How Do I Deploy a Best Practice Internet Gateway Security Policy?
- Identify Whitelist Applications
- Create User Groups for Access to Whitelist Applications
- Decrypt Traffic for Full Visibility and Threat Inspection
- Create Best Practice Security Profiles
- Define the Initial Internet Gateway Security Policy
- Monitor and Fine Tune the Policy Rulebase
- Remove the Temporary Rules
- Maintain the Rulebase

What Is a Best Practice Internet Gateway Security Policy?

A best practice internet gateway security policy has two main security goals:
- Minimize the chance of a successful intrusion: Unlike legacy port-based security policies that either block everything in the interest of network security, or enable everything in the interest of your business, a best practice security policy leverages App-ID, User-ID, and Content-ID to ensure safe enablement of applications across all ports, for all users, all the time, while simultaneously scanning all traffic for both known and unknown threats.
- Identify the presence of an attacker: A best practice internet gateway security policy provides built-in mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats on your network.
To achieve these goals, the best practice internet gateway security policy uses application-based rules to allow access to whitelisted applications by user, while scanning all traffic to detect and block all known threats, and sending unknown files to WildFire to identify new threats and generate signatures to block them.


The best practice policy is based on the following methodologies. The best practice methodologies ensure detection and prevention at multiple stages of the attack lifecycle. For each methodology, the entry explains why it is important.

Inspect All Traffic for Visibility: Because you cannot protect against threats you cannot see, you must make sure you have full visibility into all traffic across all users and applications all the time. To accomplish this:
    - Deploy GlobalProtect to extend the next-generation security platform to users and devices no matter where they are located.
    - Enable SSL decryption so the firewall can inspect encrypted traffic (SSL/TLS traffic flows account for 40% or more of the total traffic on a typical network today).
    - Enable User-ID to map application traffic and associated threats to users/devices.
    The firewall can then inspect all traffic, inclusive of applications, threats, and content, and tie it to the user, regardless of location or device type, port, encryption, or evasive techniques employed, using the native App-ID, Content-ID, and User-ID technologies.
    Complete visibility into the applications, the content, and the users on your network is the first step toward informed policy control.

Reduce the Attack Surface: After you have context into the traffic on your network (applications, their associated content, and the users who are accessing them), create application-based Security policy rules to allow those applications that are critical to your business and additional rules to block all high-risk applications that have no legitimate use case. To further reduce your attack surface, attach File Blocking and URL Filtering profiles to all rules that allow application traffic to prevent users from visiting threat-prone websites and prevent them from uploading or downloading dangerous file types (either knowingly or unknowingly).

Prevent Known Threats: Enable the firewall to scan all allowed traffic for known threats by attaching security profiles to all allow rules to detect and block network- and application-layer vulnerability exploits, buffer overflows, DoS attacks, and port scans, and known malware variants (including those hidden within compressed files or compressed HTTP/HTTPS traffic). To enable inspection of encrypted traffic, enable SSL decryption.

Detect Unknown Threats: Forward all unknown files to WildFire for analysis. WildFire identifies unknown or targeted malware (also called advanced persistent threats or APTs) hidden within files by directly observing and executing unknown files in a virtualized sandbox environment in the cloud or on the WF-500 appliance. WildFire monitors more than 250 malicious behaviors and, if malware is found, it automatically develops a signature and delivers it to you in as little as 5 minutes (and now that unknown threat is a known threat).

Why Do I Need a Best Practice Internet Gateway Security Policy?

Unlike legacy port-based security policies that either block everything in the interest of network security, or enable everything in the interest of your business, a best practice security policy allows you to safely enable applications by classifying all traffic, across all ports, all the time, including encrypted traffic. By determining the business use case for each application, you can create security policy rules to allow and protect access to relevant applications. Simply put, a best practice security policy is a policy that leverages the next-generation technologies (App-ID, Content-ID, and User-ID) on the Palo Alto Networks enterprise security platform to:
- Identify applications regardless of port, protocol, evasive tactic or encryption
- Identify and control users regardless of IP address, location, or device
- Protect against known and unknown application-borne threats
- Provide fine-grained visibility and policy control over application access and functionality
A best practice security policy uses a layered approach to ensure that you not only safely enable sanctioned applications, but also block applications with no legitimate use case. To mitigate the risk of breaking applications when moving from port-based enforcement to application-based enforcement, the best practice rulebase provides built-in mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats on your network. These temporary best practice rules ensure that applications your users are counting on don't break, while allowing you to monitor application usage and craft appropriate rules. You may find that some of the applications that were being allowed through existing port-based policy rules are not necessarily applications that you want to continue to allow, or that you want to limit to a more granular set of users.
Unlike a port-based policy, a best practice security policy is easy to administer and maintain because each rule meets a specific goal of allowing an application or group of applications to a specific user group based on your business needs. Therefore, you can easily understand what traffic the rule enforces by looking at the match criteria. Additionally, a best practice security policy rulebase leverages tags and objects to make the rulebase more scannable and easier to keep synchronized with your changing environment.


How Do I Deploy a Best Practice Internet Gateway Security Policy?

Moving from a port-based security policy to an application-based security policy may seem like a daunting task. However, the security risks of sticking with a port-based policy far outweigh the effort required to implement an application-based policy. And, while legacy port-based security policies may have hundreds, if not thousands, of rules (many of which nobody in the organization knows the purpose of), a best practice policy has a streamlined set of rules that align with your business goals, simplifying administration and reducing the chance of error. Because the rules in an application-based policy align with your business goals and acceptable use policies, you can quickly scan the policy to understand the reason for each and every rule.
As with any technology, there is usually a gradual approach to a complete implementation, consisting of carefully planned deployment phases to make the transition as smooth as possible, with minimal impact to your end users. Generally, the workflow for implementing a best practice internet gateway security policy is:
- Assess your business and identify what you need to protect: The first step in deploying a security architecture is to assess your business and identify what your most valuable assets are as well as what the biggest threats to those assets are. For example, if you are a technology company, your intellectual property is your most valuable asset. In this case, one of your biggest threats would be source code theft.
- Segment Your Network Using Interfaces and Zones: Traffic cannot flow between zones unless there is a security policy rule to allow it. One of the easiest defenses against lateral movement of an attacker that has made its way into your network is to define granular zones and only allow access to the specific user groups who need to access an application or resource in each zone. By segmenting your network into granular zones, you can prevent an attacker from establishing a communication channel within your network (either via malware or by exploiting legitimate applications), thereby reducing the likelihood of a successful attack on your network.
- Identify Whitelist Applications: Before you can create an internet gateway best practice security policy, you must have an inventory of the applications you want to allow on your network, and distinguish between those applications you administer and officially sanction and those that you simply want users to be able to use safely. After you identify the applications (including general types of applications) you want to allow, you can map them to specific best practice rules.
- Create User Groups for Access to Whitelist Applications: After you identify the applications you plan to allow, you must identify the user groups that require access to each one. Because compromising an end user's system is one of the cheapest and easiest ways for an attacker to gain access to your network, you can greatly reduce your attack surface by only allowing access to applications to the user groups that have a legitimate business need.
- Decrypt Traffic for Full Visibility and Threat Inspection: You can't inspect traffic for threats if you can't see it. And today SSL/TLS traffic flows account for 40% or more of the total traffic on a typical network. This is precisely why encrypted traffic is a common way for attackers to deliver threats. For example, an attacker may use a web application such as Gmail, which uses SSL encryption, to email an exploit or malware to employees accessing that application on the corporate network. Or, an attacker may compromise a website that uses SSL encryption to silently download an exploit or malware to site visitors. If you are not decrypting traffic for visibility and threat inspection, you are leaving a very large surface open for attack.
- Create Best Practice Security Profiles: Command-and-control traffic, CVEs, drive-by downloads of malicious content, and APTs are all delivered via legitimate applications. To protect against known and unknown threats, you must attach stringent security profiles to all Security policy allow rules.
- Define the Initial Internet Gateway Security Policy: Using the application and user group inventory you conducted, you can define an initial policy that allows access to all of the applications you want to whitelist by user or user group. The initial policy rulebase you create must also include temporary rules to prevent other applications you might not have known about from breaking and to identify policy gaps and security holes in your existing design.
- Monitor and Fine Tune the Policy Rulebase: After the temporary rules are in place, you can begin monitoring traffic that matches them so that you can fine tune your policy. Because the temporary rules are designed to uncover unexpected traffic on the network, such as traffic running on non-default ports or traffic from unknown users, you must assess the traffic matching these rules and adjust your application allow rules accordingly.
- Remove the Temporary Rules: After a monitoring period of several months, you should see less and less traffic hitting the temporary rules. When you reach the point where traffic no longer hits the temporary rules, you can remove them to complete your best practice internet gateway security policy.
- Maintain the Rulebase: Due to the dynamic nature of applications, you must continually monitor your application whitelist and adapt your rules to accommodate new applications that you decide to sanction, as well as to determine how new or modified App-IDs impact your policy. Because the rules in a best practice rulebase align with your business goals and leverage policy objects for simplified administration, adding support for a new sanctioned application or a new or modified App-ID is often as simple as adding or removing an application from an application group or modifying an application filter.

Identify Whitelist Applications

The application whitelist includes not only the applications you provision and administer for business and infrastructure purposes, but also other applications that your users may need to use in order to get their jobs done, and applications you may choose to allow for personal use. Before you can begin creating your best practice internet gateway security policy, you must create an inventory of the applications you want to whitelist.
- Map Applications to Business Goals for a Simplified Rulebase
- Use Temporary Rules to Tune the Whitelist
- Application Whitelist Example

Map Applications to Business Goals for a Simplified Rulebase

As you inventory the applications on your network, consider your business goals and acceptable use policies and identify the applications that correspond to each. This will allow you to create a goal-driven rulebase. For example, one goal might be to allow all users on your network to access data center applications. Another goal might be to allow the sales and support groups access to your customer database. You can then create a whitelist rule that corresponds to each goal you identify and group all of the applications that align with the goal into a single rule. This approach allows you to create a rulebase with a smaller number of individual rules, each with a clear purpose.
In addition, because the individual rules you create align with your business goals, you can use application objects to group the whitelist to further simplify administration of the best practice rulebase:
- Create application groups for sanctioned applications: Because you will know exactly what applications you require and sanction for official use, create application groups that explicitly include only those applications. Using application groups also simplifies the administration of your policy because it allows you to add and remove sanctioned applications without requiring you to modify individual policy rules. Generally, if the applications that map to the same goal have the same requirements for enabling access (for example, they all have a destination address that points to your data center address group, they all allow access to any known user, and you want to enable them on their default ports only) you would add them to the same application group.
- Create application filters to allow general types of applications: Besides the applications you officially sanction, you will also need to decide what additional applications you will want to allow your users to access. Application filters allow you to safely enable certain categories of applications (based on category, subcategory, technology, risk factor, or characteristic). Separate the different types of applications based on business and personal use. Create separate filters for each type of application to make it easier to understand each policy rule at a glance.

Use Temporary Rules to Tune the Whitelist

Although the end goal of a best practice application-based policy is to use positive enforcement to safely enable your whitelist applications, the initial rulebase requires some additional rules designed to ensure that you have full visibility into all the applications in use on your network so that you can properly tune it. The initial rulebase you create will have the following types of rules:
- Whitelist rules for the applications you officially sanction and deploy.
- Whitelist rules for safely enabling access to general types of applications you want to allow per your acceptable use policy.
- Blacklist rules that block applications that have no legitimate use case. You need these rules so that the temporary rules that catch applications that haven't yet been accounted for in your policy don't let anything bad onto your network.
- Temporary allow rules to give you visibility into all of the applications running on your network so that you can tune the rulebase.
The temporary rules are a very important part of the initial best practice rulebase. Not only will they give you visibility into applications you weren't aware were running on your network (and prevent legitimate applications you didn't know about from breaking), but they will also help you identify things such as unknown users and applications running on non-standard ports. Because attackers commonly use standard applications on non-standard ports as an evasion technique, allowing applications on any port opens the door for malicious content. Therefore, you must identify any legitimate applications running on non-standard ports (for example, internally developed applications) so that you can either modify what ports are used or create custom applications to enable them.

Application Whitelist Example

Keep in mind that you do not need to capture every application that might be in use on your network in your initial inventory. Instead you should focus here on the applications (and general types of applications) that you want to allow. Temporary rules in the best practice rulebase will catch any additional applications that may be in use on your network so that you are not inundated with complaints of broken applications during your transition to application-based policy. The following is an example application whitelist for an enterprise gateway deployment.


For each application type, the entry describes the best practice for securing it.

Sanctioned Applications: These are the applications that your IT department administers specifically for business use within your organization or to provide infrastructure for your network and applications. For example, in an internet gateway deployment these applications fall into the following categories:
    - Infrastructure Applications: These are the applications that you must allow to enable networking and security, such as ping, NTP, SMTP, and DNS.
    - IT Sanctioned Applications: These are the applications that you provision and administer for your users. These fall into two categories:
        - IT Sanctioned On-Premise Applications: These are the applications you install and host in your data center for business use. With IT sanctioned on-premise applications, the application infrastructure and the data reside on enterprise-owned equipment. Examples include Microsoft Exchange and activesync, as well as authentication tools such as Kerberos and LDAP.
        - IT Sanctioned SaaS Applications: SaaS applications are those where the software and infrastructure are owned and managed by the application service provider, but where you retain full control of the data, including who can create, access, share, and transfer it (for example, Salesforce, Box, and GitHub).
    - Administrative Applications: These are applications that only a specific group of administrative users should have access to in order to administer applications and support users (for example, remote desktop applications).

General Types of Applications: Besides the applications you officially sanction and deploy, you will also want to allow your users to safely use other types of applications:
    - General Business Applications: For example, allow access to software updates, and web services, such as WebEx, Adobe online services, and Evernote.
    - Personal Applications: For example, you may want to allow your users to browse the web or safely use web-based mail, instant messaging, or social networking applications.
    The recommended approach here is to begin with wide application filters so you can gain an understanding of what applications are in use on your network. You can then decide how much risk you are willing to assume and begin to pare down the application whitelist. For example, suppose you find that Box, Dropbox, and Office 365 file sharing applications are all in use on your network. Each of these applications has an inherent risk associated with it, from data leakage to risks associated with transfer of malware-infected files. The best approach would be to officially sanction a single file sharing application and then begin to phase out the others by slowly transitioning from an allow policy to an alert policy, and finally, after giving users ample warning, a block policy for all file sharing applications except the one you choose to sanction. In this case, you might also choose to enable a small group of users to continue using an additional file sharing application as needed to perform job functions with partners.

Custom Applications Specific to Your Environment: If you have proprietary applications on your network or applications that you run on non-standard ports, it is a best practice to create custom applications for them. This way you can allow the application as a sanctioned application and lock it down to its default port. Otherwise you would either have to open up additional ports (for applications running on non-standard ports), or allow unknown traffic (for proprietary applications), neither of which is recommended in a best practice Security policy.


Create User Groups for Access to Whitelist Applications

Safely enabling applications means not only defining the list of applications you want to allow, but also enabling access only for those users who have a legitimate business need. For example, some applications, such as SaaS applications that enable access to Human Resources services (such as Workday or ServiceNow), must be available to any known user on your network. However, for more sensitive applications you can reduce your attack surface by ensuring that only users who need these applications can access them. For example, while IT support personnel may legitimately need access to remote desktop applications, the majority of your users do not. Limiting user access to applications prevents potential security holes for an attacker to gain access to and control over systems in your network.
To enable user-based access to applications:
- Enable User-ID in zones from which your users initiate traffic.
- For each application whitelist rule you define, identify the user groups that have a legitimate business need for the applications allowed by the rule. Keep in mind that because the best practice approach is to map the application whitelist rules to your business goals (which includes considering which users have a business need for a particular type of application), you will have a much smaller number of rules to manage than if you were trying to map individual port-based rules to users.
- If you don't have an existing group on your AD server, you can alternatively create custom LDAP groups to match the list of users who need access to a particular application.

Decrypt Traffic for Full Visibility and Threat Inspection

The best practice security policy dictates that you decrypt all traffic except sensitive categories, which include Health, Finance, Government, Military, and Shopping.
Use decryption exceptions only where required, and be precise to ensure that you are limiting the exception to a specific application or user based on need only:
- If decryption breaks an important application, create an exception for the specific IP address, domain, or common name in the certificate associated with the application.
- If a specific user needs to be excluded for regulatory or legal reasons, create an exception for just that user.
- To ensure that certificates presented during SSL decryption are valid, configure the firewall to perform CRL/OCSP checks.
Best practice Decryption policy rules include a strict Decryption Profile. Before you configure SSL Forward Proxy, create a best practice Decryption Profile (Objects > Decryption Profile) to attach to your Decryption policy rules:


Best Practice Decryption Profile

Configure the SSL Decryption > SSL Forward Proxy settings to block exceptions during SSL negotiation and
block sessions that can't be decrypted:

Configure the SSL Decryption > SSL Protocol Settings to block use of vulnerable SSL/TLS versions (TLS 1.0
and SSLv3) and to avoid weak algorithms (MD5, RC4, and 3DES):

For traffic that you are not decrypting, configure the No Decryption settings to block encrypted sessions
to sites with expired certificates or untrusted issuers:

Create Best Practice Security Profiles

Most malware sneaks onto the network in legitimate applications or services. Therefore, to safely enable
applications you must scan all traffic allowed into the network for threats. To do this, attach security profiles
to all Security policy rules that allow traffic so that you can detect threats, both known and unknown, in
your network traffic. The following are the recommended best practice settings for each of the security
profiles that you should attach to every Security policy rule.

Consider adding the best practice security profiles to a default security profile group so that it will automatically
attach to any new Security policy rules you create.

Security Profile  Best Practice Settings

File Blocking
Create a File Blocking profile that blocks files that are commonly included in malware attack
campaigns or that have no real use case for upload/download. Currently, these include batch
files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files as well as
Windows Portable Executable (PE) files, which include .exe, .cpl, .dll, .ocx, .sys, .scr, .drv, .efi, .fon,
and .pif files. You can allow download/upload of executables and archive files (.zip and .rar), but
force users to click continue before transferring a file to give them pause. Finally, alert on all
other file types for visibility into what other file transfers are happening so that you can
determine if you need to make policy changes.

Why do I need this profile?
There are many ways for attackers to deliver malicious files: as attachments or links in corporate
email or in webmail, links or IMs in social media, Exploit Kits, through file sharing applications
(such as FTP, Google Drive, or Dropbox), or on USB drives. Attaching a File Blocking profile
reduces your attack surface by preventing these types of attacks.

What if I can't block all of the recommended file types?
If you cannot block all PE files per the recommendation, make sure you send all unknown files
to WildFire for analysis. Additionally, set the Action to continue to prevent drive-by downloads.
A drive-by download is when an end user downloads content that installs malicious files, such
as Java applets or executables, without knowing they are doing it. Drive-by downloads can
occur when users visit websites, view email messages, or click into pop-up windows meant to
deceive them. Educate your users that if they are prompted to continue with a file transfer they
didn't knowingly initiate, they may be subject to a malicious download.

Antivirus
Attach an Antivirus profile to all allowed traffic to detect and prevent viruses and malware from
being transferred over the HTTP, SMTP, IMAP, POP3, FTP, and SMB protocols. The best
practice Antivirus profile uses the default action when it detects traffic that matches either an
Antivirus signature or a WildFire signature. The default action differs for each protocol and
follows the most up-to-date recommendation from Palo Alto Networks for how to best prevent
malware in each type of protocol from propagating.
By default, the firewall alerts on viruses found in SMTP traffic. However, if you don't have a
dedicated Antivirus gateway solution in place for your SMTP traffic, define a stricter action for
this protocol to protect against infected email content. Use the reset-both action to return a 541
response to the sending SMTP server to prevent it from resending the blocked message.

Why do I need this profile?
By attaching Antivirus profiles to all Security rules you can block known malicious files (malware,
ransomware bots, and viruses) as they are coming into the network. Common ways for users to
receive malicious files include malicious attachments in email, links to download malicious files,
or silent compromise with Exploit Kits that exploit a vulnerability and then automatically deliver
malicious payloads to the end user.

Vulnerability Protection
Attach a Vulnerability Protection profile to all allowed traffic to protect against buffer
overflows, illegal code execution, and other attempts to exploit client- and server-side
vulnerabilities. The best practice profile is a clone of the predefined Strict profile, with packet
capture settings enabled to help you track down the source of any potential attacks.

Why do I need this profile?
Without strict vulnerability protection, attackers can leverage client- and server-side
vulnerabilities to compromise end users. For example, an attacker could leverage a vulnerability
to install malicious code on client systems or use an Exploit Kit (Angler, Nuclear, Fiesta, KaiXin)
to automatically deliver malicious payloads to the end user. Vulnerability Protection profiles also
prevent an attacker from using vulnerabilities on internal hosts to move laterally within your
network.

Anti-Spyware
Attach an Anti-Spyware profile to all allowed traffic to detect command and control traffic (C2)
initiated from spyware installed on a server or endpoint and prevent compromised systems
from establishing an outbound connection from your network. The best practice Anti-Spyware
profile resets the connection when the firewall detects a medium, high, or critical severity threat
and blocks or sinkholes any DNS queries for known malicious domains.

To create this profile, clone the predefined strict profile and make sure to enable DNS
sinkhole and packet capture to help you track down the endpoint that attempted to
resolve the malicious domain. For the best possible protection, enable passive DNS
monitoring, which enables the firewall to act as a passive DNS sensor and send select
DNS information to Palo Alto Networks for analysis in order to improve threat
intelligence and threat prevention capabilities.

URL Filtering
As a best practice, use PAN-DB URL filtering to prevent access to web content that is at
high risk for being malicious. Attach a URL Filtering profile to all rules that allow access to
web-based applications to protect against URLs that have been observed hosting malware or
exploitive content.
The best practice URL Filtering profile sets all known dangerous URL categories to block. These
include malware, phishing, dynamic-dns, unknown, proxy-avoidance-and-anonymizers,
questionable, and parked. Failure to block these dangerous categories puts you at risk for
exploit infiltration, malware download, command and control activity, and data exfiltration.
In addition to blocking known bad categories, you should also alert on all other categories so
that you have visibility into the sites your users are visiting. If you need to phase in a block policy,
set categories to continue and create a custom response page to educate users on your
acceptable use policies and alert them to the fact that they are visiting a site that may pose a
threat. This will pave the way for you to outright block the categories after a monitoring period.

What if I can't block all of the recommended categories?
If you find that users need access to sites in the blocked categories, consider creating an allow
list for just the specific sites, if you feel the risk is justified. Allowing traffic to a recommended
block category poses the following risks:
• malware: Sites known to host malware or used for command and control (C2) traffic. May
also exhibit Exploit Kits.
• phishing: Known to host credential phishing pages or phishing for personal identification.
• dynamic-dns: Hosts and domain names for systems with dynamically assigned IP addresses
and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS
domains do not go through the same vetting process as domains that are registered by a
reputable domain registration company, and are therefore less trustworthy.
• unknown: Sites that have not yet been identified by PAN-DB, perhaps because they were
just registered. However, oftentimes these are sites that are generated by domain generation
algorithms and are later found to exhibit malicious behavior.
• proxy-avoidance-and-anonymizers: URLs and services often used to bypass content
filtering products.
• questionable: Domains with illegal content, such as content that infringes on copyrights or
that allows illegal download of software or other intellectual property.
• parked: Domains registered by individuals, oftentimes later found to be used for credential
phishing. These domains may be similar to legitimate domains, for example,
pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identity
information. Or, they may be domains that an individual purchases rights to in hopes that it
may be valuable someday, such as panw.net.

WildFire Analysis
While the rest of the best practice security profiles significantly reduce the attack surface on
your network by detecting and blocking known threats, the threat landscape is ever changing
and the risk of unknown threats lurking in the files we use daily (PDFs, Microsoft Office
documents such as .doc and .xls files) is ever growing. And, because these unknown threats are
increasingly sophisticated and targeted, they often go undetected until long after a successful
attack. To protect your network from unknown threats, you must configure the firewall to
forward files to WildFire for analysis. Without this protection, attackers have free rein to
infiltrate your network and exploit vulnerabilities in the applications your employees use
every day. Because WildFire protects against unknown threats, it is your greatest defense
against advanced persistent threats (APTs).
The best practice WildFire Analysis profile sends all files in both directions (upload and
download) to WildFire for analysis. Specifically, make sure you are sending all PE files (if you're
not blocking them per the file blocking best practice), Adobe Flash and Reader files (PDF, SWF),
Microsoft Office files (PowerPoint, Excel, Word, RTF), Java files (Java, .CLASS), and Android files
(.APK).

Define the Initial Internet Gateway Security Policy

The overall goal of a best practice internet gateway security policy is to use positive enforcement of whitelist
applications. However, it takes some time to identify exactly what applications are running on your network,
which of these applications are critical to your business, and who the users are that need access to each one.
The best way to accomplish the end goal of a policy rulebase that includes only application allow rules is to
create an initial policy rulebase that liberally allows both the applications you officially provision for your
users as well as other general business and, if appropriate, personal applications. This initial policy also
includes additional rules that explicitly block bad applications as well as some temporary allow rules that are
designed to help you refine your policy and prevent applications your users may need from breaking while
you transition to the best practices.
The following topics describe how to create the initial rulebase and describe why each rule is necessary and
what the risks are of not following the best practice recommendation:
• Step 1: Create the Application Whitelist Rules
• Step 2: Create the Application Block Rules
• Step 3: Create the Temporary Tuning Rules
• Step 4: Enable Logging for Traffic that Doesn't Match Any Rules

Step 1: Create the Application Whitelist Rules

After you Identify Whitelist Applications you are ready to create the first part of the best practice internet
gateway security policy rulebase: the application whitelist rules. Every whitelist rule you create must allow
traffic based on application (not port) and, with the exception of certain infrastructure applications that
require user access before the firewall can identify the user, must only allow access to known users.
Whenever possible, Create User Groups for Access to Whitelist Applications so that you can limit user
access to the specific users or user groups who have a business need to access the application.
When creating the application whitelist rules, make sure to place more specific rules above more general
rules. For example, the rules for all of your sanctioned and infrastructure applications would come before the
rules that allow general access to certain types of business and personal applications. This first part of the
rulebase includes the allow rules for the applications you identified as part of your application whitelist:
• Sanctioned applications you provision and administer for business and infrastructure purposes
• General business applications that your users may need to use in order to get their jobs done
• General applications you may choose to allow for personal use
Every application whitelist rule also requires that you attach the best practice security profiles to ensure that
you are scanning all allowed traffic for known and unknown threats. If you have not yet created these
profiles, see Create Best Practice Security Profiles. And, because you can't inspect what you can't see, you
must also make sure you have configured the firewall to Decrypt Traffic for Full Visibility and Threat
Inspection.

Create the Application Whitelist Rules

Step 1  Allow access to your corporate DNS servers.

Why do I need this rule?
Access to DNS is required to provide network infrastructure services, but it is commonly exploited by
attackers. Allowing access only on your internal DNS server reduces your attack surface.

Rule Highlights
• Because this rule is very specific, place it at the top of the rulebase.
• Create an address object to use for the destination address to ensure that users only access the DNS
server in your data center.
• Because users will need access to these services before they are logged in, you must allow access to any
user.

Step 2  Allow access to other required IT infrastructure resources.

Why do I need this rule?
Enable the applications that provide your network infrastructure and management functions, such as NTP,
OCSP, STUN, and ping.
While DNS traffic allowed in the preceding rule is restricted to the destination address in the data center,
these applications may not reside in your data center and therefore require a separate rule.

Rule Highlights
• Because these applications run on the default port, allow access to any user (users may not yet be a known
user because of when these services are needed), and all have a destination address of any, contain them in
a single application group and create a single rule to enable access to all of them.
• Users may not have logged in yet at the time they need access to the infrastructure applications, so make
sure this rule allows access to any user.

Step 3  Allow access to IT-sanctioned SaaS applications.

Why do I need this rule?
With SaaS applications, your proprietary data is in the cloud. This rule ensures that only your known users
have access to these applications (and the underlying data). Scan allowed SaaS traffic for threats.

Rule Highlights
• Group all sanctioned SaaS applications in an application group.
• SaaS applications should always run on the application-default port.
• Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.

Step 4  Allow access to IT-provisioned on-premise applications.

Why do I need this rule?
Business critical data center applications are often leveraged in attacks during the exfiltration stage, using
applications such as FTP, or in the lateral movement stage by exploiting application vulnerabilities.
Many data center applications use multiple ports; setting the Service to application-default safely enables the
applications on their standard ports. You should not allow applications on non-standard ports because it is
often associated with evasive behavior.

Rule Highlights
• Group all data center applications in an application group.
• Create an address group for your data center server addresses.
• Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.

Step 5  Allow access to applications your administrative users need.

Why do I need this rule?
To reduce your attack surface, Create User Groups for Access to Whitelist Applications. Because
administrators often need access to sensitive account data and remote access to other systems (for example
RDP), you can greatly reduce your attack surface by only allowing access to the administrators who have a
business need.

Rule Highlights
• This rule restricts access to users in the IT_admins group.
• Create custom applications for internal applications or applications that run on non-standard ports so that
you can enforce them on their default ports rather than opening additional ports on your network.
• If you have different user groups for different applications, create separate rules for granular control.

Step 6  Allow access to general business applications.

Why do I need this rule?
Beyond the applications you sanction for use and administer for your users, there are a variety of applications
that users may commonly use for business purposes, for example to interact with partners, such as WebEx,
Adobe online services, or Evernote, but which you may not officially sanction.
Because malware often sneaks in with legitimate web-based applications, this rule allows you to safely allow
web browsing while still scanning for threats. See Create Best Practice Security Profiles.

Rule Highlights
• Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.
• For visibility, create separate application filters for each type of application you want to allow.
• Attach the best practice security profiles to ensure that all traffic is free of known and unknown threats.
See Create Best Practice Security Profiles.

Step 7  (Optional) Allow access to personal applications.

Why do I need this rule?
As the lines blur between work and personal devices, you want to ensure that all applications your users
access are safely enabled and free of threats.
By using application filters, you can safely enable access to personal applications when you create this initial
rulebase. After you assess what applications are in use, you can use the information to decide whether to
remove the filter and allow a smaller subset of personal applications appropriate for your acceptable use
policies.

Rule Highlights
• Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.
• For visibility, create separate application filters for each type of application you want to allow.
• Scan all traffic for threats by attaching your best practice security profile group. See Create Best Practice
Security Profiles.

Step 8  Allow general web browsing.

Why do I need this rule?
While the previous rule allowed access to personal applications (many of them browser-based), this rule
allows general web browsing.
General web browsing is more risk prone than other types of application traffic. You must Create Best
Practice Security Profiles and attach them to this rule in order to safely enable web browsing.
Because threats often hide in encrypted traffic, you must Decrypt Traffic for Full Visibility and Threat
Inspection if you want to safely enable web browsing.

Rule Highlights
• This rule uses the same best practice security profiles as the rest of the rules, except for the File Blocking
profile, which is more stringent because general web browsing traffic is more vulnerable to threats.
• This rule allows only known users to prevent devices with malware or embedded devices from reaching the
internet.
• Use application filters to allow access to general types of applications.
• Make sure you also explicitly allow SSL as an application here if you want to allow users to be able to
browse to HTTPS sites that are excluded from decryption.

Step 2: Create the Application Block Rules

Although the overall goal of your security policy is to safely enable applications using application whitelist
rules (also known as positive enforcement), the initial best practice rulebase must also include rules to help
you find gaps in your policy and identify possible attacks. Because these rules are designed to catch things
you didn't know were running on your network, they allow traffic that could also pose security risks on your
network. Therefore, before you can create the temporary rules, you must create rules that explicitly blacklist
applications designed to evade or bypass security or that are commonly exploited by attackers, such as
public DNS and SMTP, encrypted tunnels, remote access, and non-sanctioned file sharing applications.

Each of the tuning rules you will define in Step 3: Create the Temporary Tuning Rules is designed to identify a
specific gap in your initial policy. Therefore some of these rules will need to go above the application block rules
and some will need to go after.

Create the Application Block Rules

Step 1  Block applications that do not have a legitimate use case.

Why do I need this rule?
Block nefarious applications such as encrypted tunnels and peer-to-peer file sharing, as well as web-based file
sharing applications that are not IT sanctioned.
Because the tuning rules that follow are designed to allow traffic with malicious intent or legitimate traffic
that is not matching your policy rules as expected, these rules could also allow risky or malicious traffic into
your network. This rule prevents that by blocking traffic that has no legitimate use case and that could be
used by an attacker or a negligent user.

Rule Highlights
• Use the Drop Action to silently drop the traffic without sending a signal to the client or the server.
• Enable logging for traffic matching this rule so that you can investigate misuse of applications and potential
threats on your network.
• Because this rule is intended to catch malicious traffic, it matches to traffic from any user running on any
port.

Step 2  Block public DNS and SMTP applications.

Why do I need this rule?
Block public DNS/SMTP applications to avoid DNS tunneling, command and control traffic, and remote
administration.

Rule Highlights
• Use the Reset both client and server Action to send a TCP reset message to both the client-side and
server-side devices.
• Enable logging for traffic matching this rule so that you can investigate a potential threat on your network.

Step 3: Create the Temporary Tuning Rules

The temporary tuning rules are explicitly designed to help you monitor the initial best practice rulebase for
gaps and alert you to alarming behavior. For example, you will create temporary rules to identify traffic that
is coming from unknown users or applications running on unexpected ports. By monitoring the traffic
matching on the temporary rules you can also gain a full understanding of all of the applications in use on
your network (and prevent applications from breaking while you transition to a best practice rulebase). You
can use this information to help you fine tune your whitelist, either by adding new whitelist rules to allow
applications you weren't aware were needed or to narrow your whitelist rules to remove application filters
and instead allow only specific applications in a particular category. When traffic is no longer hitting these
rules you can Remove the Temporary Rules.

Some of the temporary tuning rules must go above the rules to block bad applications and some must go after to
ensure that targeted traffic hits the appropriate rule, while still ensuring that bad traffic is not allowed onto your
network.

Create Temporary Tuning Rules

Step 1  Allow web-browsing and SSL on non-standard ports for known users to determine if there are any
legitimate applications running on non-standard ports.

Why do I need this rule?
This rule helps you determine if you have any gaps in your policy where users are unable to access legitimate
applications because they are running on non-standard ports.
You must monitor all traffic that matches this rule. For any traffic that is legitimate, you should tune the
appropriate allow rule to include the application, perhaps creating a custom application where appropriate.

Rule Highlights
• Unlike the whitelist rules that allow applications on the default port only, this rule allows web-browsing and
SSL traffic on any port so that you can find gaps in your whitelist.
• Because this rule is intended to find gaps in policy, limit it to known users on your network. See Create User
Groups for Access to Whitelist Applications.
• Make sure you also explicitly allow SSL as an application here if you want to allow users to be able to
browse to HTTPS sites that aren't decrypted (such as financial services and health care sites).
• You must add this rule above the application block rules or no traffic will hit this rule.

Step 2  Allow web-browsing and SSL traffic on non-standard ports from unknown users to highlight all unknown
users regardless of port.

Why do I need this rule?
This rule helps you determine whether you have gaps in your User-ID coverage.
This rule also helps you identify compromised or embedded devices that are trying to reach the internet.
It is important to block non-standard port usage, even for web-browsing traffic, because it is usually an
evasion technique.

Rule Highlights
• While the majority of the application whitelist rules apply to known users or specific user groups, this rule
explicitly matches traffic from unknown users.
• Note that this rule must go above the application block rules or traffic will never hit it.
• Because it is an allow rule, you must attach the best practice security profiles to scan for threats.

Step 3  Allow all applications on the application-default port to identify unexpected applications.

Why do I need this rule?
This rule provides visibility into applications that you weren't aware were running on your network so that
you can fine tune your application whitelist.
Monitor all traffic matching this rule to determine whether it represents a potential threat, or whether you
need to modify your whitelist rules to allow the traffic.

Rule Highlights
• Because this rule allows all applications, you must add it after the application block rules to prevent bad
applications from running on your network.
• If you are running PAN-OS 7.0.x or earlier, to appropriately identify unexpected applications, you must use
an application filter that includes all applications, instead of setting the rule to allow any application.


Step 4  Allow any application on any port to identify applications running where they shouldn't be.

Why do I need this rule?
This rule helps you identify legitimate, known applications running on unknown ports.
This rule also helps you identify unknown applications for which you need to create a custom application to
add to your application whitelist.
Any traffic matching this rule is actionable and requires that you track down the source of the traffic and
ensure that you are not allowing any unknown tcp, udp or non-syn-tcp traffic.

Rule Highlights
• Because this is a very general rule that allows any application from any user on any port, it must come at
the end of your rulebase.
• Enable logging for traffic matching this rule so that you can investigate for misuse of applications and
potential threats on your network or identify legitimate applications that require a custom application.
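As an added example (not Palo Alto Networks code, and not part of this guide), the following Python models top-down first-match evaluation of the rulebase built in Steps 1 through 3 and checks the placement constraints stated in the Rule Highlights above. Apart from the four tuning rule names taken from the guide's report queries, the rule names, the IT_admins group, the App-ID names and the sessions are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

ANY = "any"


@dataclass
class Rule:
    name: str
    action: str                   # allow, drop, reset-both, or deny
    apps: Set[str] = field(default_factory=lambda: {ANY})
    users: str = ANY              # any, known-user, unknown-user, or a user group name
    service: str = ANY            # any or application-default
    dst: str = ANY                # an address object name, or any


@dataclass
class Session:
    app: str                      # the App-ID the firewall identified
    user: Optional[str]           # None when User-ID has no mapping for the source IP
    groups: Set[str] = field(default_factory=set)
    dst: str = "internet"         # constructed destination label
    on_default_port: bool = True  # does the port match the App-ID's standard port?


def matches(rule: Rule, s: Session) -> bool:
    """Match on application (never the port alone), user, service and destination."""
    if ANY not in rule.apps and s.app not in rule.apps:
        return False
    if rule.users == "known-user" and s.user is None:
        return False
    if rule.users == "unknown-user" and s.user is not None:
        return False
    if rule.users not in (ANY, "known-user", "unknown-user") and rule.users not in s.groups:
        return False
    if rule.service == "application-default" and not s.on_default_port:
        return False
    return rule.dst in (ANY, s.dst)


INTERZONE_DEFAULT = Rule("interzone-default", "deny")


def first_match(rules: List[Rule], s: Session) -> Rule:
    """Top-down, first-match evaluation; unmatched traffic falls to interzone-default."""
    return next((r for r in rules if matches(r, s)), INTERZONE_DEFAULT)


# Constructed rulebase in the order the guide prescribes (names and App-IDs are illustrative;
# only the four tuning rule names come from the guide's report queries).
BEST_PRACTICE = [
    Rule("Corporate DNS", "allow", {"dns"}, ANY, "application-default", "dc-dns"),
    Rule("Infrastructure Apps", "allow", {"ntp", "ocsp", "stun", "ping"}, ANY, "application-default"),
    Rule("Sanctioned SaaS", "allow", {"salesforce", "workday"}, "known-user", "application-default"),
    Rule("Data Center Apps", "allow", {"mssql-db", "ftp"}, "known-user", "application-default", "dc-servers"),
    Rule("IT Admin Apps", "allow", {"ms-rdp", "ssh"}, "IT_admins", "application-default"),
    Rule("General Business Apps", "allow", {"webex-meeting", "evernote"}, "known-user", "application-default"),
    Rule("General Web Browsing", "allow", {"web-browsing", "ssl"}, "known-user", "application-default"),
    # temporary tuning rules that must sit ABOVE the block rules
    Rule("Unexpected Port SSL and Web", "allow", {"web-browsing", "ssl"}, "known-user", ANY),
    Rule("Unknown User SSL and Web", "allow", {"web-browsing", "ssl"}, "unknown-user", ANY),
    # application block rules: any user, any port
    Rule("Block Bad Apps", "drop", {"bittorrent", "tor", "ultrasurf"}, ANY, ANY),
    Rule("Block Public DNS SMTP", "reset-both", {"dns", "smtp"}, ANY, ANY),
    # temporary tuning rules that must sit BELOW the block rules
    Rule("Unexpected Traffic", "allow", {ANY}, ANY, "application-default"),
    Rule("Unexpected Port Usage", "allow", {ANY}, ANY, ANY),
]

TUNING_ABOVE_BLOCK = {"Unexpected Port SSL and Web", "Unknown User SSL and Web"}
TUNING_BELOW_BLOCK = {"Unexpected Traffic", "Unexpected Port Usage"}


def ordering_violations(rules: List[Rule]) -> List[str]:
    """Check the placement constraints stated in the Rule Highlights above."""
    pos = {r.name: i for i, r in enumerate(rules)}
    block = [i for i, r in enumerate(rules) if r.action in ("drop", "reset-both")]
    problems = []
    for name in sorted(TUNING_ABOVE_BLOCK):
        if name in pos and block and pos[name] > min(block):
            problems.append(f"{name} sits below a block rule; no traffic will ever hit it")
    for name in sorted(TUNING_BELOW_BLOCK):
        if name in pos and block and pos[name] < max(block):
            problems.append(f"{name} sits above a block rule; bad applications would be allowed")
    if rules and rules[-1].name != "Unexpected Port Usage":
        problems.append("Unexpected Port Usage must be the last rule")
    if rules and rules[0].name != "Corporate DNS":
        problems.append("Corporate DNS must be the first rule")
    return problems


def misordered() -> List[Rule]:
    """The same rulebase with 'Unexpected Traffic' mistakenly placed above the block rules."""
    rules = [r for r in BEST_PRACTICE if r.name != "Unexpected Traffic"]
    tuning = next(r for r in BEST_PRACTICE if r.name == "Unexpected Traffic")
    rules.insert([r.name for r in rules].index("Block Bad Apps"), tuning)
    return rules
```

With the misordered rulebase, a public SMTP session from a known user is allowed by Unexpected Traffic instead of being reset by the block rule, which is exactly the gap the placement rule in Step 3 guards against.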

Step 4: Enable Logging for Traffic that Doesn't Match Any Rules

Traffic that does not match any of the rules you defined will match the predefined interzone-default rule at
the bottom of the rulebase and be denied. For visibility into the traffic that is not matching any of the rules
you created, enable logging on the interzone-default rule:

Enable Logging for Traffic That Doesn't Match Any Rules

Step 1  Select the interzone-default row in the rulebase and click Override to enable editing on this rule.

Step 2  Select the interzone-default rule name to open the rule for editing.

Step 3  On the Actions tab, select Log at Session End and click OK.

Step 4  Create a custom report to monitor traffic that hits this rule.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descriptive Name.
3. Set the Database to Traffic Summary.
4. Select the Scheduled check box.
5. Add the following to the Selected Columns list: Rule, Application, Bytes, Sessions.
6. Set the desired Time Frame, Sort By and Group By fields.
7. Define the query to match traffic hitting the interzone-default rule:
(rule eq 'interzone-default')

Step 5  Commit the changes you made to the rulebase.

Monitor and Fine Tune the Policy Rulebase

A best practice security policy is iterative. It is a tool for safely enabling applications, users, and content by
classifying all traffic, across all ports, all the time. As soon as you Define the Initial Internet Gateway Security
Policy, you must begin to monitor the traffic that matches the temporary rules designed to identify policy
gaps and alarming behavior and tune your policy accordingly. By monitoring traffic hitting these rules, you
can make appropriate adjustments to your rules to either make sure all traffic is hitting your whitelist
application allow rules or assess whether particular applications should be allowed. As you tune your
rulebase, you should see less and less traffic hitting these rules. When you no longer see traffic hitting these
rules, it means that your positive enforcement whitelist rules are complete and you can Remove the
Temporary Rules.

Because new App-IDs are added in weekly content releases, you should review the impact the changes in
App-IDs have on your policy.

Identify Policy Gaps

Step 1  Create custom reports that let you monitor traffic that hits the rules designed to identify policy gaps.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descriptive Name that indicates the particular policy gap you are investigating,
such as Best Practice Policy Tuning.
3. Set the Database to Traffic Summary.
4. Select the Scheduled check box.
5. Add the following to the Selected Columns list: Rule, Application, Bytes, Sessions.
6. Set the desired Time Frame, Sort By and Group By fields.
7. Define the query to match traffic hitting the rules designed to find policy gaps and alarming behavior. You
can create a single report that details traffic hitting any of the rules (using the or operator), or create
individual reports to monitor each rule. Using the rule names defined in the example policy, you would
enter the corresponding queries:
(rule eq 'Unexpected Port SSL and Web')
(rule eq 'Unknown User SSL and Web')
(rule eq 'Unexpected Traffic')
(rule eq 'Unexpected Port Usage')

Step 2  Review the report regularly to make sure you understand why traffic is hitting each of the best practice policy
tuning rules and either update your policy to include legitimate applications and users, or use the information
in the report to assess the risk of that application usage and implement policy reforms.
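Added example, not from this guide and not PAN-OS code: a small evaluator for the eq/neq/and/or subset of the report query syntax shown above, run over constructed Traffic Summary rows and grouped by Rule and Application with Bytes and Sessions summed. The rows and the app column name are assumptions; only the rule names and the (rule eq '...') form come from the guide.

```python
import re
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Constructed Traffic Summary rows (not real firewall output); "app" is the assumed column name.
SAMPLE_ROWS = [
    {"rule": "General Web Browsing", "app": "web-browsing", "bytes": 480000, "sessions": 120},
    {"rule": "Unexpected Port SSL and Web", "app": "ssl", "bytes": 9100, "sessions": 3},
    {"rule": "Unknown User SSL and Web", "app": "web-browsing", "bytes": 2200, "sessions": 7},
    {"rule": "Unexpected Traffic", "app": "ms-rdp", "bytes": 15000, "sessions": 2},
    {"rule": "Unexpected Port Usage", "app": "unknown-tcp", "bytes": 640, "sessions": 5},
    {"rule": "Unexpected Port Usage", "app": "unknown-tcp", "bytes": 1280, "sessions": 4},
    {"rule": "interzone-default", "app": "smtp", "bytes": 300, "sessions": 9},
]

Row = Dict[str, object]
Matcher = Callable[[Row], bool]
TOKEN = re.compile(r"\s*(?:(\()|(\))|'([^']*)'|([A-Za-z_][A-Za-z0-9_-]*))")
KEYWORDS = ("and", "or", "eq", "neq")


def tokenize(query: str) -> List[Tuple[str, str]]:
    """Split a filter such as (rule eq 'X') or (rule eq 'Y') into (kind, text) tokens."""
    query, pos, tokens = query.strip(), 0, []
    while pos < len(query):
        m = TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"bad query near {query[pos:]!r}")
        pos = m.end()
        if m.group(1) or m.group(2):
            paren = m.group(1) or m.group(2)
            tokens.append((paren, paren))
        elif m.group(3) is not None:
            tokens.append(("str", m.group(3)))        # quoted value, may contain spaces
        else:
            word = m.group(4)
            tokens.append((word.lower(), word) if word.lower() in KEYWORDS else ("id", word))
    return tokens


class Parser:
    # expr := term ('or' term)* ; term := factor ('and' factor)* ; factor := '(' expr ')' | id (eq|neq) 'str'
    def __init__(self, query: str):
        self.toks, self.i = tokenize(query), 0

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def take(self, kind=None) -> Tuple[str, str]:
        if self.i >= len(self.toks) or (kind and self.toks[self.i][0] != kind):
            raise ValueError(f"expected {kind or 'a token'} at position {self.i}")
        self.i += 1
        return self.toks[self.i - 1]

    def expr(self) -> Matcher:
        left = self.term()
        while self.peek() == "or":
            self.take("or")
            left = (lambda l, r: lambda row: l(row) or r(row))(left, self.term())
        return left

    def term(self) -> Matcher:
        left = self.factor()
        while self.peek() == "and":
            self.take("and")
            left = (lambda l, r: lambda row: l(row) and r(row))(left, self.factor())
        return left

    def factor(self) -> Matcher:
        if self.peek() == "(":
            self.take("(")
            inner = self.expr()
            self.take(")")
            return inner
        field, op, value = self.take("id")[1], self.take()[0], self.take("str")[1]
        if op not in ("eq", "neq"):
            raise ValueError(f"unsupported operator {op!r}")
        return (lambda row: row.get(field) == value) if op == "eq" else (lambda row: row.get(field) != value)


def compile_query(query: str) -> Matcher:
    parser = Parser(query)
    matcher = parser.expr()
    if parser.peek() is not None:
        raise ValueError("unexpected trailing tokens")
    return matcher


def run_report(rows: List[Row], query: str) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Rows matching the query, grouped by Rule and Application with Bytes and Sessions summed,
    sorted by Bytes descending (the Sort By choice assumed for this example)."""
    matcher = compile_query(query)
    totals = defaultdict(lambda: [0, 0])
    for row in rows:
        if matcher(row):
            totals[(row["rule"], row["app"])][0] += row["bytes"]
            totals[(row["rule"], row["app"])][1] += row["sessions"]
    return {key: (b, s) for key, (b, s) in sorted(totals.items(), key=lambda kv: -kv[1][0])}
```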

Remove the Temporary Rules

After several months of monitoring your initial internet gateway best practice security policy, you should see
less and less traffic hitting the temporary rules as you make adjustments to the rulebase. When you no longer
see any traffic hitting these rules, you have achieved your goal of transitioning to a fully application-based
Security policy rulebase. At this point, you can finalize your policy rulebase by removing the temporary rules,
which includes the rules you created to block bad applications and the rules you created for tuning the
rulebase.

Remove the Temporary Rules

Step 1  Select Policies > Security.

Step 2  Select the rule and click Delete.
Alternatively, Disable the rules for a period of time before deleting them. This would allow you to Enable
them again if traffic logs show traffic matching the interzone-default rule.

Step 3  Commit the changes.

Maintain the Rulebase

Because applications are always evolving, your application whitelist will need to evolve also. Each time you
make a change in what applications you sanction, you must make a corresponding policy change. As you do
this, instead of just adding a new rule like you would do with a port-based policy, identify and modify the rule
that aligns with the business use case for the application. Because the best practice rules leverage policy
objects for simplified administration, adding support for a new application or removing an application from
your whitelist typically means modifying the corresponding application group or application filter
accordingly.
Additionally, installing new App-IDs included in a content release version can sometimes cause a change in
policy enforcement for applications with new or modified App-IDs. Therefore, before installing a new
content release, review the policy impact for new App-IDs and stage any necessary policy updates. Assess
the treatment an application receives both before and after the new content is installed. You can then
modify existing Security policy rules using the new App-IDs contained in a downloaded content release
(prior to installing the App-IDs). This enables you to simultaneously update your security policy rules and
install new content, and allows for a seamless shift in policy enforcement. Alternatively, you can choose to
disable new App-IDs when installing a new content release version; this enables protection against the latest
threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare
any policy changes.

Maintain the Best Practice Rulebase

Step 1  Before installing a new content release version, review the new App-IDs to determine if there is policy
impact.

Step 2  Disable new App-IDs introduced in a content release, in order to immediately benefit from protection against
the latest threats while continuing to have the flexibility to later enable App-IDs after preparing necessary
policy updates. You can disable all App-IDs introduced in a content release, set scheduled content updates to
automatically disable new App-IDs, or disable App-IDs for specific applications.

Step 3  Tune security policy rules to account for App-ID changes included in a content release or to add new
sanctioned applications to or remove applications from your application whitelist rules.

816 PANOS7.1AdministratorsGuide PaloAltoNetworks,Inc.


Policy EnumerationofRulesWithinaRulebase

Enumeration of Rules Within a Rulebase

Each rule within a rulebase is automatically numbered, and the ordering adjusts as rules are moved or reordered. When you filter rules to find those that match the specified filter(s), each rule is listed with its number in the context of the complete set of rules in the rulebase and its place in the evaluation order.

On Panorama, pre-rules, post-rules, and default rules are independently numbered. When Panorama pushes rules to a firewall, the rule numbering reflects the hierarchy and evaluation order of shared pre-rules, device group pre-rules, local firewall rules, device group post-rules, shared post-rules, and default rules. The Preview Rules option in Panorama displays an ordered list view of the total number of rules on a firewall.

View the Ordered List of Rules Within a Rulebase

View the numbered list of rules on the firewall.
Select Policies and any rulebase under it. For example, Policies > Security. The leftmost column in the table displays the rule number.

View the numbered list of rules on Panorama.
Select Policies and any rulebase under it. For example, Policies > Security > Pre-rules.

After you push the rules from Panorama, view the complete list of rules with numbers on the firewall.
From the web interface of the firewall, select Policies and pick any rulebase under it. For example, select Policies > Security and view the complete set of numbered rules that the firewall will evaluate.


Move or Clone a Policy Rule or Object to a Different Virtual System

On a firewall that has more than one virtual system (vsys), you can move or clone policy rules and objects to a different vsys or to the Shared location. Moving and cloning save you the effort of deleting, recreating, or renaming rules and objects. If the policy rule or object that you will move or clone from a vsys has references to objects in that vsys, move or clone the referenced objects also. If the references are to shared objects, you do not have to include those when moving or cloning. You can Use Global Find to Search the Firewall or Panorama Management Server for references.

Move or Clone a Policy Rule or Object to a Virtual System

Step 1 Select the policy type (for example, Policy > Security) or object type (for example, Objects > Addresses).

Step 2 Select the Virtual System and select one or more policy rules or objects.

Step 3 Perform one of the following steps:
Select Move > Move to other vsys (for policy rules).
Click Move (for objects).
Click Clone (for policy rules or objects).

Step 4 In the Destination drop-down, select the new virtual system or Shared. The default is the Virtual System selected in Step 2.

Step 5 (Policy rules only) Select the Rule order:
Move top (default): The rule will come before all other rules.
Move bottom: The rule will come after all other rules.
Before rule: In the adjacent drop-down, select the rule that comes after the Selected Rules.
After rule: In the adjacent drop-down, select the rule that comes before the Selected Rules.

Step 6 The Error out on first detected error in validation check box is selected by default. The firewall stops performing the checks for the move or clone action when it finds the first error, and displays just this error. For example, if an error occurs because the Destination vsys does not have an object that the policy rule you are moving references, the firewall displays the error and stops any further validation. When you move or clone multiple items at once, selecting this check box lets you find and troubleshoot one error at a time. If you clear the check box, the firewall collects and displays a list of all errors. If there are any errors in validation, the object is not moved or cloned until you fix all the errors.

Step 7 Click OK to start the error validation. If the firewall displays errors, fix them and retry the move or clone operation. If the firewall does not find errors, the object is moved or cloned successfully. After the operation finishes, click Commit.
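The validation in Step 6 and Step 7, modelled in Python as an added example (this is not PAN-OS code and not part of the guide): a rule moved from one vsys to another must find every object it references either in the destination vsys or in Shared, and the error-out-on-first-error setting decides whether validation stops at the first missing reference or reports all of them. The two-vsys layout, the object names and the rule names are constructed for the example.

```python
"""Reference validation for moving or cloning a policy rule to another vsys,
as described in Step 6 and Step 7 above.  Example code added to this page;
it is not PAN-OS code.  The vsys/object/rule model is a simplification."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Rule:
    name: str
    refs: Set[str]            # names of address/service objects the rule uses


@dataclass
class Vsys:
    name: str
    objects: Set[str] = field(default_factory=set)
    rules: List[Rule] = field(default_factory=list)


class Firewall:
    def __init__(self) -> None:
        self.shared: Set[str] = set()          # objects in the Shared location
        self.vsys: Dict[str, Vsys] = {}

    def validate_rule_move(self, rule: Rule, destination: str,
                           error_out_on_first: bool = True) -> List[str]:
        """Return the validation errors for placing `rule` in `destination`.
        With error_out_on_first=True (the web interface default) the check
        stops at the first missing reference; otherwise every missing
        reference is reported so they can all be fixed before retrying."""
        available = self.shared | self.vsys[destination].objects
        errors: List[str] = []
        for ref in sorted(rule.refs):
            if ref in available:
                continue
            errors.append(f"rule '{rule.name}': {destination} has no object '{ref}'")
            if error_out_on_first:
                break
        return errors

    def move_rule(self, rule_name: str, source: str, destination: str,
                  rule_order: str = "top", error_out_on_first: bool = True) -> List[str]:
        """Move a rule; nothing changes unless validation returns no errors."""
        rule = next(r for r in self.vsys[source].rules if r.name == rule_name)
        errors = self.validate_rule_move(rule, destination, error_out_on_first)
        if errors:
            return errors
        self.vsys[source].rules.remove(rule)
        target = self.vsys[destination].rules
        if rule_order == "top":
            target.insert(0, rule)
        else:
            target.append(rule)
        return []

    def clone_object(self, name: str, source: str, destination: str) -> None:
        """Clone an object to another vsys, or to Shared when destination is 'shared'."""
        if name not in self.vsys[source].objects:
            raise KeyError(f"{name} is not defined in {source}")
        if destination == "shared":
            self.shared.add(name)
        else:
            self.vsys[destination].objects.add(name)


def build_sample_firewall() -> Firewall:
    """Constructed layout: vsys1 owns the objects its rule references, vsys2
    has none of them, and one referenced object lives in Shared."""
    fw = Firewall()
    fw.shared.add("dns-servers")
    fw.vsys["vsys1"] = Vsys("vsys1", {"web-servers", "svc-https"},
                            [Rule("allow-web", {"web-servers", "svc-https", "dns-servers"})])
    fw.vsys["vsys2"] = Vsys("vsys2", set(), [Rule("vsys2-existing", set())])
    return fw


if __name__ == "__main__":
    fw = build_sample_firewall()
    print(fw.move_rule("allow-web", "vsys1", "vsys2"))                             # first error only
    print(fw.move_rule("allow-web", "vsys1", "vsys2", error_out_on_first=False))   # both errors
    for obj in ("svc-https", "web-servers"):
        fw.clone_object(obj, "vsys1", "vsys2")
    print(fw.move_rule("allow-web", "vsys1", "vsys2"))                             # [] -> moved
    print([r.name for r in fw.vsys["vsys2"].rules])
```

Cloning the two missing objects into vsys2 first, as the intro paragraph advises, is what makes the final move succeed; the shared object needs no copy.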


Use Tags to Group and Visually Distinguish Objects

You can tag objects to group related items and add color to the tag in order to visually distinguish them for easy scanning. You can create tags for the following objects: address objects, address groups, zones, service groups, and policy rules.

The firewall and Panorama support both static tags and dynamic tags. Dynamic tags are registered from a variety of sources and are not displayed with the static tags because dynamic tags are not part of the firewall/Panorama configuration. See Register IP Addresses and Tags Dynamically for information on registering tags dynamically. The tags discussed in this section are statically added and are part of the configuration.

You can apply one or more tags to objects and to policy rules, up to a maximum of 64 tags per object. Panorama supports a maximum of 10,000 tags, which you can apportion across Panorama (shared and device groups) and the managed firewalls (including firewalls with multiple virtual systems).

Create and Apply Tags
Modify Tags
Use the Tag Browser

Create and Apply Tags

Step 1 Create tags.
1. Select Objects > Tags.
2. On Panorama or a multiple virtual system firewall, select the Device Group or the Virtual System in which to make the tag available.
3. Click Add and enter a Name to identify the tag, or select a zone name from the drop-down to create a tag for a zone. The maximum length is 127 characters.
To tag a zone, you must create a tag with the same name as the zone. When the zone is attached in policy rules, the tag color automatically displays as the background color against the zone name.
4. (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.
5. (Optional) Assign one of the 17 predefined colors to the tag. By default, Color is None.
6. Click OK and Commit to save the changes.


Step 2 Apply tags to policy.
1. Select Policies and any rulebase under it.
2. Click Add to create a policy rule and use the tagged objects you created in Step 1.
3. Verify that the tags are in use.

Step 3 Apply tags to an address object, address group, service, or service group.
1. Create the object. For example, to create a service group, select Objects > Service Groups > Add.
2. Select a tag from the Tags drop-down or enter a name in the field to create a new tag.
To edit a tag or add color to the tag, see Modify Tags.

Modify Tags

Select Objects > Tags to perform any of the following operations with tags:
Click the link in the Name column to edit the properties of a tag.
Select a tag in the table, and click Delete to remove the tag from the firewall.
Click Clone to create a duplicate tag with the same properties. A numerical suffix is added to the tag name. For example, FTP-1.

For details on creating tags, see Create and Apply Tags. For information on working with tags, see Use the Tag Browser.

Use the Tag Browser

The tag browser provides a way to view all the tags used within a rulebase. In rulebases with a large number of rules, the tag browser simplifies the display by presenting the tags, the color code, and the rule numbers in which the tags are used.

It also allows you to group rules using the first tag applied to the rule. As a best practice, use the first tag to identify the primary purpose of a rule. For example, the first tag can identify a rule by a high-level function such as best practice, internet access, IT-sanctioned applications, or high-risk applications. In the tag browser, when you Filter by first tag in rule, you can easily identify gaps in coverage and move rules or add new rules within the rulebase. All the changes are saved to the candidate configuration until you commit the changes on the firewall and make them a part of the running configuration.

For firewalls that are managed by Panorama, the tags applied to pre-rules and post-rules that have been pushed from Panorama display on a green background and are demarcated with green lines so that you can distinguish these tags from the local tags on the firewall.


Use the Tag Browser

Explore the tag browser.
1. Access the Tag Browser in the left pane of the Policies tab. The tag browser displays the tags that have been used in the rules for the selected rulebase, for example Policies > Security.
2. Tag (#): Displays the label and the rule number or range of numbers in which the tag is used contiguously. Hover over the label to see the location where the rule was defined; it can be inherited from a shared location, a device group, or a virtual system.
3. Rule: Lists the rule number or range of numbers associated with the tags.
4. Sort the tags.
Filter by first tag in rule: Sorts rules using the first tag applied to each rule in the rulebase. This view is particularly useful if you want to narrow the list and view related rules that might be spread around the rulebase. For example, if the first tag in each rule denotes its function (best practices, administration, web access, data center access, proxy), you can narrow the result and scan the rules based on function.
Rule Order: Sorts the tags in the order of appearance within the selected rulebase. When displayed in order of appearance, tags used in contiguous rules are grouped. The rule number with which the tag is associated is displayed along with the tag name.
Alphabetical: Sorts the tags in alphabetical order within the selected rulebase. The display lists the tag name and color (if a color is assigned) and the number of times it is used within the rulebase.
The label None represents rules without any tags; it does not display rule numbers for untagged rules. When you select None, the right pane is filtered to display rules that have no tags assigned to them.
5. Clear: Clears the filter on the currently selected tags in the search bar.
6. Search bar: To search for a tag, enter the term and click the green arrow icon to apply the filter. It also displays the total number of tags in the rulebase and the number of selected tags.
7. Expand or collapse the tag browser.


Tag a rule.
1. Select a rule in the right pane.
2. Do one of the following:
Select a tag in the tag browser and select Apply the Tag to the Selection(s) from the drop-down.
Drag and drop tag(s) from the tag browser onto the Tags column of the rule. When you drop a tag, a confirmation dialog displays.
3. Commit the changes.

View rules that match the selected tags. You can filter rules based on tags with an AND or an OR operator.
OR filter: To view rules that have specific tags, select one or more tags in the tag browser; the right pane only displays the rules that include any of the currently selected tags.
AND filter: To view rules that have all the selected tags, hover over the number associated with the tag in the Rule column of the tag browser and select Filter. Repeat to add more tags. Click the apply filter icon in the search bar on the right pane. The results are displayed using an AND operator.

View the currently selected tags. To view the currently selected tags, hover over the Clear label in the tag browser.

Untag a rule. Hover over the rule number associated with a tag in the Rule column of the tag browser and select Untag Rule(s). Confirm that you want to remove the selected tag from the rule. Commit the changes.


Reorder rules using tags. Select one or more tags, hover over the rule number in the Rule column of the tag browser, and select Move Rule(s). Select a tag from the drop-down in the move rule window and select whether you want to Move Before or Move After the tag selected in the drop-down. Commit the changes.

Add a new rule that applies the selected tags. Select one or more tags, hover over the rule number in the Rule column of the tag browser, and select Add New Rule. Define the rule and Commit the changes.
The numerical order of the new rule varies by whether you selected a rule in the right pane. If you did not select a rule in the right pane, the new rule is added after the rule to which the selected tag(s) belong. Otherwise, the new rule is added after the selected rule.

Search for a tag. In the tag browser, enter the first few letters of the tag name you want to search for and click the Apply Filter icon. The tags that match your input will display.


Use an External Dynamic List in Policy

An external dynamic list (formerly called dynamic block list) is a text file that you host on an external web server so that the firewall can import objects (IP addresses, URLs, domains) and enforce policy on the entries in the list. As you update the list, the firewall dynamically imports the list at the configured interval and enforces policy without the need to make a configuration change or a commit on the firewall.

External Dynamic List
Formatting Guidelines for an External Dynamic List
Enforce Policy on Entries in an External Dynamic List
View the List of Entries in an External Dynamic List
Retrieve an External Dynamic List from the Web Server

External Dynamic List

An External Dynamic List is a text file that is hosted on an external web server so that the firewall can import the objects (IP addresses, URLs, domains) included in the list and enforce policy. To enforce policy on the entries included in the external dynamic list, you must reference the list in a supported policy rule or profile. As you modify the list, the firewall dynamically imports the list at the configured interval and enforces policy without the need to make a configuration change or a commit on the firewall. If the web server is unreachable, the firewall uses the last successfully retrieved list for enforcing policy until the connection with the web server is restored. To retrieve the external dynamic list, the firewall uses the interface attached to the service route that it uses to access the Palo Alto Updates service.

The firewall supports three types of external dynamic lists:

IP Address: The firewall typically enforces policy for a source or destination IP address that is defined as a static object on the firewall. If you need agility in enforcing policy for a list of source or destination IP addresses that emerge ad hoc, you can use an external dynamic list of type IP address as a source or destination address object in policy rules, and configure the firewall to deny or allow access to the IP addresses (IPv4 and IPv6 addresses, IP ranges, and IP subnets) included in the list. The firewall treats an external dynamic list of type IP address as an address object; all the IP addresses included in a list are handled as one address object.

URL: An external dynamic list of type URL gives you the agility to protect your network from new sources of threat or malware. The firewall handles an external dynamic list with URLs like a custom URL category, and you can use this list in two ways:
As match criteria in Security policy rules, Decryption policy rules, and QoS policy rules to allow, deny, decrypt, not decrypt, or allocate bandwidth for the URLs in the custom category.
In a URL Filtering profile, where you can define more granular actions, such as continue, alert, or override, before you attach the profile to a Security policy rule.

Domain: An external dynamic list of type domain allows you to import custom domain names into the firewall to enforce policy using an Anti-Spyware profile. This capability is very useful if you subscribe to third-party threat intelligence and want to protect your network from new sources of threat or malware as soon as you learn of a malicious domain. For each domain you include in the external dynamic list, the firewall creates a custom DNS-based spyware signature so that you can enable DNS sinkholing. The DNS-based spyware signature is of type spyware with medium severity, and each signature is named Custom Malicious DNS Query <domain name>. For details, see Configure DNS Sinkholing for a List of Custom Domains.

On each firewall platform, you can configure a maximum of 30 unique sources for external dynamic lists; these limits are not applicable to Panorama. When using Panorama to manage a firewall that is enabled for multiple virtual systems, if you exceed the limit for the firewall, a commit error displays on Panorama. A source is a URL that includes the IP address or hostname, the path, and the filename for the external dynamic list. The firewall matches the URL (complete string) to determine whether a source is unique.

While the firewall does not impose a limit on the number of lists of a specific type, the following limits are enforced:
IP address: The PA-5000 Series and the PA-7000 Series firewalls support a maximum of 150,000 total IP addresses; all other platforms support a maximum of 50,000 total IP addresses. No limits are enforced for the number of IP addresses per list. When the maximum supported IP address limit is reached on the firewall, the firewall generates a syslog message.
URL and domain: A maximum of 50,000 URLs and 50,000 domains are supported on each platform, with no limits enforced on the number of entries per list.

When parsing the list, the firewall skips entries that do not match the list type, and ignores entries that exceed the maximum number supported for the platform.

Formatting Guidelines for an External Dynamic List

An external dynamic list of one type (IP address, URL, or Domain) must include entries of that type only.
IP Address List
Domain List
URL List

IP Address List

The external dynamic list can include individual IP addresses, subnet addresses (address/mask), or ranges of IP addresses. In addition, the list can include comments and special characters such as *, :, ;, #, or /. The syntax for each line in the list is:

    [IP address, IP/Mask, or IP start range-IP end range] [space] [comment]

Enter each IP address/range/subnet on a new line; URLs or domains are not supported in this list. If you add comments, the comment must be on the same line as the IP address/range/subnet. The space at the end of the IP address is the delimiter that separates a comment from the IP address.

An example IP address list:

    192.168.20.10/32
    2001:db8:123:1::1 #test IPv6 address
    192.168.20.0/24 ; test internal subnet
    2001:db8:123:1::/64 test internal IPv6 range
    192.168.20.40-192.168.20.50

For an IP address that is blocked, you can display a notification page only if the protocol is HTTP.


Domain List

Enter each domain name on a new line; URLs or IP addresses are not supported in this list. Do not prefix the domain name with the protocol, http:// or https://. Wildcards are not supported.

An example list of domains:

    www.example.com
    baddomain.com
    qqq.abcedfg.au

URL List

See Block and Allow Lists.
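An added example, not part of the guide and not PAN-OS code, that parses an IP address list and a domain list the way the formatting guidelines above describe the firewall doing it: the first space ends an IP entry and starts its comment, entries of the wrong type are skipped, and entries beyond the platform maximum are ignored. Two things are assumptions rather than documented behaviour: treating ';' and '#' directly after an address as comment starters (the guide's own sample output under View the List of Entries shows such lines) and the way the 150,000/50,000 limits are keyed by platform name. The sample list is constructed from the guide's examples plus two lines the firewall would skip.

```python
"""Parser for external dynamic lists of type IP address and type domain,
following the formatting guidelines above.  Example code added to this page,
not PAN-OS code: the firewall's real parser is not public, so ';' and '#' as
comment starters and the per-platform limit lookup are assumptions."""
import ipaddress
import re
from typing import List, Optional, Tuple

IP_LIMIT_BY_PLATFORM = {"PA-5000": 150_000, "PA-7000": 150_000}   # from the guide
DEFAULT_IP_LIMIT = 50_000
DOMAIN_LIMIT = 50_000

# Bare hostname: dot-separated labels of letters, digits and hyphens; no
# scheme, no path, no wildcard.  A trailing dot is tolerated.
_DOMAIN_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+\.?$")

# Constructed sample: the guide's IP list plus two lines the firewall would
# skip, a domain (wrong type) and a reversed range.
SAMPLE_IP_LIST = """192.168.20.10/32
2001:db8:123:1::1 #test IPv6 address
192.168.20.0/24 ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
192.168.20.40-192.168.20.50
192.168.255.0; test internal
www.example.com
192.168.20.60-192.168.20.55
"""


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _parse_ip_entry(token: str) -> Optional[str]:
    """Normalise one entry: address, address/mask or start-end range; None if invalid."""
    if "-" in token:                                   # range: both ends, same IP version
        start, _, end = token.partition("-")
        try:
            a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
        except ValueError:
            return None
        if a.version != b.version or a > b:
            return None
        return f"{a}-{b}"
    try:
        if "/" in token:
            return str(ipaddress.ip_network(token, strict=False))
        return str(ipaddress.ip_address(token))
    except ValueError:
        return None


def parse_ip_list(text: str, platform: str = "PA-3000",
                  limit: Optional[int] = None) -> Tuple[List[str], List[str]]:
    """Return (accepted, skipped) for an EDL of type IP address.

    The first whitespace (or ';' / '#') ends the entry and starts the comment.
    Entries that are not an IP, subnet or range are skipped as wrong type;
    entries past the platform limit are ignored (this is where the firewall
    generates its syslog message)."""
    if limit is None:
        limit = IP_LIMIT_BY_PLATFORM.get(platform, DEFAULT_IP_LIMIT)
    accepted: List[str] = []
    skipped: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        token = re.split(r"[\s;#]", line, maxsplit=1)[0]
        entry = _parse_ip_entry(token)
        if entry is None or len(accepted) >= limit:
            skipped.append(raw)
        else:
            accepted.append(entry)
    return accepted, skipped


def parse_domain_list(text: str, limit: int = DOMAIN_LIMIT) -> Tuple[List[str], List[str]]:
    """Return (accepted, skipped) for an EDL of type domain: one bare FQDN per
    line; scheme prefixes, wildcards, URLs and IP addresses are skipped."""
    accepted: List[str] = []
    skipped: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if len(accepted) >= limit or _is_ip(line) or not _DOMAIN_RE.match(line):
            skipped.append(raw)
        else:
            accepted.append(line.lower().rstrip("."))
    return accepted, skipped


if __name__ == "__main__":
    ok, bad = parse_ip_list(SAMPLE_IP_LIST)
    print("accepted:", ok)
    print("skipped :", bad)
```

Running the parser over a list before you publish it on the web server catches the wrong-type and malformed lines that the firewall would otherwise silently skip; the `skipped` list is what to look for in the CLI output described later under Verify whether entries in the external dynamic list were ignored or skipped.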

Enforce Policy on Entries in an External Dynamic List

Step 1 Create the external dynamic list and host it on a web server so that the firewall can retrieve the list for policy evaluation.
Create a text file and enter the URLs, domains, or IP addresses in the file.
To prevent commit errors and invalid entries, do not prefix http:// or https:// to any of the entries. See Formatting Guidelines for an External Dynamic List.


Step 2 Configure the firewall to access the external dynamic list.
1. Select Objects > External Dynamic Lists.
2. Click Add and enter a descriptive Name for the list.
3. (Optional) Select Shared to share the list with all virtual systems on a device that is enabled for multiple virtual systems. By default, the object is created on the virtual system that is currently selected in the Virtual Systems drop-down.
4. (Panorama only) Select Disable override to ensure that a firewall administrator cannot override settings locally on a firewall that inherits this configuration through a Device Group commit from Panorama.
5. In the Type drop-down, select the list type, for example, URL List. Ensure that the list only includes entries for the list type. See Verify whether entries in the external dynamic list were ignored or skipped.
6. Enter the Source for the list you just created on the web server. The source must include the full path to access the list. For example, https://1.2.3.4/EDL_IP_2015.
7. Click Test Source URL to verify that the firewall can connect to the web server (this option is not available on Panorama).
If the web server becomes unreachable after the connection is established, the firewall uses the last successfully retrieved list for enforcing policy until the connection with the web server is restored.
8. (Optional) Specify the Repeat frequency at which the firewall retrieves the list. By default, the firewall retrieves the list once every hour and commits the changes.
The interval is relative to the last commit. So, for the five-minute interval, the commit occurs in 5 minutes if the last commit was an hour ago. To retrieve the list immediately, see Retrieve an External Dynamic List from the Web Server.
9. Click OK.
10. Use the external dynamic list in a security profile or directly in a policy rule, as supported. See the following:
Use an External Dynamic List in a URL Filtering Profile.
Configure DNS Sinkholing for a List of Custom Domains.
Use an External Dynamic List of Type URL as Match Criteria in a Security Policy Rule.
Use an External Dynamic List of Type IP as a Source or Destination Address Object in a Security Policy Rule.


Use an External Dynamic List of Type URL as Match Criteria in a Security Policy Rule.
You can also Use an External Dynamic List in a URL Filtering Profile.
1. Select Policies > Security.
2. Click Add and enter a descriptive Name for the rule.
3. In the Source tab, select the Source Zone.
4. In the Destination tab, select the Destination Zone.
5. In the Service/URL Category tab, click Add to select the appropriate external dynamic list from the URL Category list.
6. In the Actions tab, set the Action Setting to Allow or Deny.
7. Click OK and Commit.
8. Verify whether entries in the external dynamic list were ignored or skipped.
Use the following CLI command on a firewall to review the details for a list:

    request system external-list show type <domain | ip | url> name <name_of_list>

For example:

    request system external-list show type url name EBL_ISAC_Alert_List

9. Test that the policy action is enforced.
a. Attempt to access a URL that is included in the external dynamic list.
b. Verify that the action you defined is enforced in the browser.
c. To monitor the activity on the firewall:
Select ACC and add a URL Domain as a global filter to view the Network Activity and Blocked Activity for the URL you accessed.
Select Monitor > Logs > URL Filtering to access the detailed log view.


Use an External Dynamic List of Type IP as a Source or Destination Address Object in a Security Policy Rule.
This capability is useful if you deploy new servers and want to allow access to the newly deployed servers without requiring a firewall commit.
1. Select Policies > Security.
2. Click Add and give the rule a descriptive name in the General tab.
3. In the Source tab, select the Source Zone and optionally select the external dynamic list as the Source Address.
4. In the Destination tab, select the Destination Zone and optionally select the external dynamic list as the Destination Address.
5. In the Service/URL Category tab, make sure the Service is set to application-default.
6. In the Actions tab, set the Action Setting to Allow or Deny.
Create separate external dynamic lists if you want to specify allow and deny actions for specific IP addresses.
7. Leave all the other options at the default values.
8. Click OK to save the changes.
9. Commit the changes.
10. Test that the policy action is enforced.
a. Access an IP address that is included in the external dynamic list and verify that the action you defined is enforced.
b. Select Monitor > Logs > Traffic and view the log entry for the session.
c. To verify the policy rule that matches a flow, use the following CLI command:

    test security-policy-match source <IP_address> destination <IP_address> destination-port <port_number> protocol <protocol_number>

View the List of Entries in an External Dynamic List

To view the list of entries that the firewall has retrieved from the web server, enter the following CLI command:

    request system external-list show type <domain | ip | url> name <name>

For example, for a list named DBL_2014 of type IP address, the output is:

    vsys1/DBL_2014:
    Next update at: Wed Aug 27 16:00:00 2014
    IPs:
    1.1.1.1
    1.2.2.2/20 #test China
    192.168.255.0; test internal
    192.168.254.0/24 test internal range


Retrieve an External Dynamic List from the Web Server

You can configure the firewall to retrieve the External Dynamic List from the web server every five minutes or on an hourly, daily, weekly, or monthly basis. If you have added or deleted entries on the list and need to trigger an immediate refresh, use the following process:

Retrieve an External Dynamic List

1. To retrieve the list on demand, select Objects > External Dynamic Lists.
2. Select the list that you want to refresh, and click Import Now. The job to import the list is added to the queue. To view the status of the job in the Task Manager, see Manage and Monitor Administrative Tasks.


Register IP Addresses and Tags Dynamically

To mitigate the challenges of scale, lack of flexibility, and performance, the architecture in networks today allows for clients, servers, and applications to be provisioned, changed, and deleted on demand. This agility poses a challenge for security administrators because they have limited visibility into the IP addresses of the dynamically provisioned clients and servers, and the plethora of applications that can be enabled on these virtual resources.

The firewall (hardware-based platforms and the VM-Series) supports the ability to register IP addresses and tags dynamically. The IP addresses and tags can be registered on the firewall directly or registered on the firewall through Panorama. This dynamic registration process can be enabled using any of the following options:

User-ID agent for Windows: In an environment where you have deployed the User-ID agent, you can enable the User-ID agent to monitor up to 100 VMware ESXi and/or vCenter Servers. As you provision or modify virtual machines on these VMware servers, the agent can retrieve the IP address changes and share them with the firewall.

VM Information Sources: Allows you to monitor VMware ESXi and vCenter Server, and the AWS VPC, to retrieve IP address changes when you provision or modify virtual machines on these sources. VM Information Sources polls for a predefined set of attributes and does not require external scripts to register the IP addresses through the XML API. See Monitor Changes in the Virtual Environment.

VMware Service Manager (only available for the integrated NSX solution): The integrated NSX solution is designed for automated provisioning and distribution of Palo Alto Networks next-generation security services and the delivery of dynamic, context-based security policies using Panorama. The NSX Manager updates Panorama with the latest information on the IP addresses and tags associated with the virtual machines deployed in this integrated solution. For information on this solution, see Set Up a VM-Series NSX Edition Firewall.

XML API: The firewall and Panorama support an XML API that uses standard HTTP requests to send and receive data. You can use this API to register IP addresses and tags with the firewall or Panorama. API calls can be made directly from command-line utilities such as cURL or using any scripting or application framework that supports REST-based services. Refer to the PAN-OS XML API Usage Guide for details.

For information on creating and using Dynamic Address Groups, see Use Dynamic Address Groups in Policy. For the CLI commands for registering tags dynamically, see CLI Commands for Dynamic IP Addresses and Tags.


Monitor Changes in the Virtual Environment

To secure applications and prevent threats in an environment where new users and servers are constantly emerging, your security policy must be nimble. To be nimble, the firewall must be able to learn about new or modified IP addresses and consistently apply policy without requiring configuration changes on the firewall. This capability is provided by the coordination between the VM Information Sources and Dynamic Address Groups features on the firewall. The firewall and Panorama provide an automated way to gather information on the virtual machine (or guest) inventory on each monitored source and create policy objects that stay in sync with the dynamic changes on the network.

Enable VM Monitoring to Track Changes on the Virtual Network
Attributes Monitored in the AWS and VMware Environments
Use Dynamic Address Groups in Policy

Enable VM Monitoring to Track Changes on the Virtual Network

VM Information Sources provides an automated way to gather information on the virtual machine (VM) inventory on each monitored source (host); the firewall can monitor the VMware ESXi and vCenter Server, and the AWS VPC. As virtual machines (guests) are deployed or moved, the firewall collects a predefined set of attributes (or metadata elements) as tags; these tags can then be used to define Dynamic Address Groups (see Use Dynamic Address Groups in Policy) and matched against in policy.

Up to 10 VM information sources can be configured on the firewall or pushed using Panorama templates. By default, the traffic between the firewall and the monitored sources uses the management (MGT) port on the firewall.

VM Information Sources offers easy configuration and enables you to monitor a predefined set of 16 metadata elements or attributes. See Attributes Monitored in the AWS and VMware Environments for the list.

When monitoring ESXi hosts that are part of the VM-Series NSX edition solution, use Dynamic Address Groups instead of VM Information Sources to learn about changes in the virtual environment. For the VM-Series NSX edition solution, the NSX Manager provides Panorama with information on the NSX security group to which an IP address belongs. The information from the NSX Manager provides the full context for defining the match criteria in a Dynamic Address Group because it uses the service profile ID as a distinguishing attribute and allows you to properly enforce policy when you have overlapping IP addresses across different NSX security groups. Up to a maximum of 32 tags (from vCenter Server and NSX Manager) can be registered to an IP address.


Set up the VM Monitoring Agent

Step 1 Enable the VM Monitoring Agent.
You can configure up to 10 VM information sources for each firewall, or for each virtual system on a firewall capable of multiple virtual systems.
If your firewalls are configured in a high availability configuration:
In an active/passive setup, only the active firewall monitors the VM sources.
In an active/active setup, only the firewall with the priority value of primary monitors the VM sources.
1. Select Device > VM Information Sources.
2. Click Add and enter the following information:
A Name to identify the VMware ESX(i) or vCenter Server that you want to monitor.
Enter the Host information for the server (hostname or IP address) and the Port on which it is listening.
Select the Type to indicate whether the source is a VMware ESX(i) server or a VMware vCenter Server.
Add the credentials (Username and Password) to authenticate to the server specified above. Use the credentials of an administrative user to enable access.
(Optional) Modify the Update interval to a value between 5 and 600 seconds. By default, the firewall polls every 5 seconds. The API calls are queued and retrieved within every 60 seconds, so updates may take up to 60 seconds plus the configured polling interval.
(Optional) Enter the interval in hours after which the connection to the monitored source is closed if the host does not respond (default: 2 hours, range 2-10 hours). To change the default value, select the check box to Enable timeout when the source is disconnected and specify the value. When the specified limit is reached or if the host cannot be accessed or does not respond, the firewall closes the connection to the source.
Click OK, and Commit the changes.
Verify that the connection Status displays as connected.


Step 2 Verify the connection status.
Verify that the connection Status displays as connected.
If the connection status is pending or disconnected, verify that the source is operational and that the firewall is able to access the source. If you use a port other than the MGT port for communicating with the monitored source, you must change the service route (Device > Setup > Services, click the Service Route Configuration link and modify the Source Interface for the VM Monitor service).

Attributes Monitored in the AWS and VMware Environments

Each VM on a monitored ESXi or vCenter server must have VMware Tools installed and running. VMware Tools provide the capability to glean the IP address(es) and other values assigned to each VM.

In order to collect the values assigned to the monitored VMs, the firewall monitors the following predefined set of attributes:

Attributes Monitored on a VMware Source:
UUID
Name
Guest OS
VM State (the power state can be poweredOff, poweredOn, standBy, and unknown)
Annotation
Version
Network: Virtual Switch Name, Port Group Name, and VLAN ID
Container Name: vCenter Name, Data Center Object Name, Resource Pool Name, Cluster Name, Host, Host IP address

Attributes Monitored on the AWS VPC:
Architecture
Guest OS
Image ID
Instance ID
Instance State
Instance Type
Key Name
Placement: Tenancy, Group Name, Availability Zone
Private DNS Name
Public DNS Name
Subnet ID
Tag (key, value) (up to 5 tags supported per instance)
VPC ID


Use Dynamic Address Groups in Policy

Dynamic address groups are used in policy. They allow you to create policy that automatically adapts to changes (adds, moves, or deletions) of servers. They also enable the flexibility to apply different rules to the same server based on tags that define its role on the network, the operating system, or the different kinds of traffic it processes.

A dynamic address group uses tags as filtering criteria to determine its members. The filter uses the logical and and or operators. All IP addresses or address groups that match the filtering criteria become members of the dynamic address group. Tags can be defined statically on the firewall and/or registered (dynamically) to the firewall. The difference between static and dynamic tags is that static tags are part of the configuration on the firewall, and dynamic tags are part of the runtime configuration. This implies that a commit is not required to update dynamic tags; the tags must however be used by Dynamic Address Groups that are referenced in policy, and the policy must be committed on the firewall.

To dynamically register tags, you can use the XML API or the VM Monitoring agent on the firewall or on the User-ID agent. Each tag is a metadata element or attribute-value pair that is registered on the firewall or Panorama. For example, IP1 {tag1, tag2, ..... tag32}, where the IP address and the associated tags are maintained as a list; each registered IP address can have up to 32 tags such as the operating system, the data center, or the virtual switch to which it belongs. Within 60 seconds of the API call, the firewall registers the IP address and associated tags, and automatically updates the membership information for the dynamic address group(s).
ThemaximumnumberofIPaddressesthatcanberegisteredforeachplatformisdifferent.Usethefollowing
tableforspecificsonyourplatform:

Platform                                                 Maximum number of dynamically registered IP addresses
PA-7000 Series, PA-5060, VM-1000-HV                      100,000
PA-5050                                                  50,000
PA-5020                                                  25,000
PA-4000 Series, PA-3000 Series                           5,000
PA-2000 Series, PA-500, PA-200, VM-300, VM-200, VM-100   1,000

The following example shows how dynamic address groups can simplify network security enforcement. The example workflow shows how to:
- Enable the VM Monitoring agent on the firewall, to monitor the VMware ESX(i) host or vCenter Server and register VM IP addresses and the associated tags.
- Create dynamic address groups and define the tags to filter. In this example, two address groups are created: one that only filters for dynamic tags and another that filters for both static and dynamic tags to populate the members of the group.
- Validate that the members of the dynamic address group are populated on the firewall.
- Use dynamic address groups in policy. This example uses two different security policies:
  - A security policy for all Linux servers that are deployed as FTP servers; this rule matches on dynamically registered tags.
  - A security policy for all Linux servers that are deployed as web servers; this rule matches on a dynamic address group that uses static and dynamic tags.
- Validate that the members of the dynamic address groups are updated as new FTP or web servers are deployed. This ensures that the security rules are enforced on these new virtual machines too.

Use Dynamic Address Groups in Policy

Step 1 Enable VM Source Monitoring. See Enable VM Monitoring to Track Changes on the Virtual Network.

Step 2 Create dynamic address groups on the firewall.
1. Log in to the web interface of the firewall.
2. Select Objects > Address Groups.
3. Click Add and enter a Name and a Description for the address group.
4. Select Type as Dynamic.
5. Define the match criteria. You can select dynamic and static tags as the match criteria to populate the members of the group. Click Add Match Criteria, select the And or Or operator, select the attributes that you would like to filter for or match against, and then click OK.
6. Click Commit.

The match criteria for each dynamic address group in this example is as follows:
- ftp_server: matches on the guest operating system Linux 64-bit and annotated as ftp ('guestos.Ubuntu Linux 64-bit' and 'annotation.ftp').
- web-servers: matches on two criteria: the tag black, or the guest operating system is Linux 64-bit and the name of the server is WebServer_Corp ('guestos.Ubuntu Linux 64-bit' and 'vmname.WebServer_Corp' or 'black').
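Two passages above can be exercised offline: registering tags through the XML API (an IP with up to 32 tags, picked up within 60 seconds and without a commit) and the match criteria of the ftp_server and web-servers groups. The following Python is an added example written for this guide, not Palo Alto Networks code. It builds the User-ID API <uid-message> payload, applies it to a local model of the registered-IP table, and evaluates the two example criteria, including the static tag 'black' that a committed address object would carry. The IPs and tags are constructed; the HTTPS call to https://<firewall>/api/ and the API key are yours to supply, and the criteria evaluator handles and/or without parentheses, with and binding tighter than or, which is how the guide reads the web-servers example.

```python
"""Register tags over the PAN-OS User-ID XML API and evaluate dynamic address
group match criteria against a local copy of the registered-IP table.

Added example for this guide, not Palo Alto Networks code. The <uid-message>
payload is the documented User-ID API format; the table model, the criteria
evaluator (and/or without parentheses, and binding tighter than or) and all
IPs and tags below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

MAX_TAGS_PER_IP = 32  # limit stated in the guide


def build_uid_message(register, unregister=None):
    """<uid-message> XML for /api/?type=user-id; both arguments map ip -> [tags]."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for action, mapping in (("register", register), ("unregister", unregister or {})):
        if not mapping:
            continue
        section = ET.SubElement(payload, action)
        for ip, tags in mapping.items():
            if len(tags) > MAX_TAGS_PER_IP:
                raise ValueError(f"{ip}: at most {MAX_TAGS_PER_IP} tags per IP")
            tag_el = ET.SubElement(ET.SubElement(section, "entry", ip=ip), "tag")
            for tag in tags:
                ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def user_id_request_body(api_key, uid_message):
    """Form body to POST to https://<firewall>/api/ (POST keeps the key out of URL logs)."""
    return urlencode({"type": "user-id", "key": api_key, "cmd": uid_message})


def apply_uid_message(table, uid_message):
    """Update a {ip: set(tags)} table the way the firewall updates its registered
    IPs (simplified: an IP whose last tag is unregistered disappears)."""
    root = ET.fromstring(uid_message)
    for entry in root.iterfind("./payload/register/entry"):
        tags = {m.text for m in entry.iterfind("./tag/member")}
        table.setdefault(entry.get("ip"), set()).update(tags)
    for entry in root.iterfind("./payload/unregister/entry"):
        ip = entry.get("ip")
        table.get(ip, set()).difference_update(m.text for m in entry.iterfind("./tag/member"))
        if not table.get(ip):
            table.pop(ip, None)
    return table


_TOKEN = re.compile(r"\s*(?:'([^']*)'|(and|or)\b)", re.IGNORECASE)


def parse_criteria(criteria):
    """'a' and 'b' or 'c'  ->  [{'a', 'b'}, {'c'}]: and-groups joined by or."""
    groups, pos, expect_tag = [set()], 0, True
    while pos < len(criteria.rstrip()):
        m = _TOKEN.match(criteria, pos)
        if not m or (m.group(1) is None) == expect_tag:
            raise ValueError(f"bad match criteria near {criteria[pos:]!r}")
        pos = m.end()
        if m.group(1) is not None:
            groups[-1].add(m.group(1))
        elif m.group(2).lower() == "or":
            groups.append(set())
        expect_tag = not expect_tag
    if expect_tag:
        raise ValueError("match criteria ends with an operator")
    return groups


def matches(groups, tags):
    return any(group <= tags for group in groups)


def dag_members(table, criteria, static_tags=None):
    """IPs whose registered tags, plus static tags of address objects covering
    the IP ({ip: set(tags)}), satisfy the criteria."""
    groups, static_tags = parse_criteria(criteria), static_tags or {}
    return sorted(ip for ip, tags in table.items()
                  if matches(groups, tags | static_tags.get(ip, set())))


# Constructed sample: three VMs as the VM Monitoring agent might register them.
SAMPLE_REGISTRATION = {
    "10.1.22.100": ["guestos.Ubuntu Linux 64-bit", "annotation.ftp", "state.poweredOn"],
    "10.1.22.105": ["guestos.Ubuntu Linux 64-bit", "vmname.WebServer_Corp", "state.poweredOn"],
    "192.168.1.102": ["guestos.Microsoft Windows Server 2008 32-bit", "state.poweredOn"],
}
STATIC_TAGS = {"192.168.1.102": {"black"}}  # static tag on an address object (needs a commit)
FTP_CRITERIA = "'guestos.Ubuntu Linux 64-bit' and 'annotation.ftp'"
WEB_CRITERIA = "'guestos.Ubuntu Linux 64-bit' and 'vmname.WebServer_Corp' or 'black'"


def demo():
    table = apply_uid_message({}, build_uid_message(SAMPLE_REGISTRATION))
    before = (dag_members(table, FTP_CRITERIA), dag_members(table, WEB_CRITERIA, STATIC_TAGS))
    # Unregister the ftp role: the group shrinks at runtime, no commit involved.
    apply_uid_message(table, build_uid_message({}, {"10.1.22.100": ["annotation.ftp"]}))
    return before, dag_members(table, FTP_CRITERIA)
```

demo() returns the FTP and web-server members before the unregister call and the FTP members after it; the second value is empty, which is the behaviour the firewall shows when a registered tag is removed and the policy that references the group keeps working without a commit.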


Step 3 Use dynamic address groups in policy.
1. Select Policies > Security.
2. Click Add and enter a Name and a Description for the policy.
3. Add the Source Zone to specify the zone from which the traffic originates.
4. Add the Destination Zone at which the traffic is terminating.
5. For the Destination Address, select the dynamic address group you created in Step 2 above.
6. Specify the action (Allow or Deny) for the traffic, and optionally attach the default security profiles to the rule.
7. Repeat steps 1 through 6 above to create another policy rule.
8. Click Commit.

This example shows how to create two policies: one for all access to FTP servers and the other for access to web servers.

Step 4 Validate that the members of the dynamic address group are populated on the firewall.
1. Select Policies > Security, and select the rule.
2. Select the drop-down arrow next to the address group link, and select Inspect. You can also verify that the match criteria is accurate.
3. Click the more link and verify that the list of registered IP addresses is displayed.

Policy will be enforced for all IP addresses that belong to this address group and are displayed here.


CLI Commands for Dynamic IP Addresses and Tags

The command line interface on the firewall and Panorama gives you a detailed view into the different sources from which tags and IP addresses are dynamically registered. It also allows you to audit registered and unregistered tags. The following examples illustrate the capabilities in the CLI.

View all registered IP addresses that match the tag state.poweredOn, or that are not tagged as vSwitch0:
  show log iptag tag_name equal state.poweredOn
  show log iptag tag_name not-equal vswitch.vSwitch0

View all dynamically registered IP addresses that were sourced by the VM Information Source with name vmware1 and tagged as poweredOn:
  show vm-monitor source source-name vmware1 tag state.poweredOn registered-ip all

  registered IP                          Tags
  -----------------------------          -----------------
  fe80::20c:29ff:fe69:2f76               "state.poweredOn"
  10.1.22.100                            "state.poweredOn"
  2001:1890:12f2:11:20c:29ff:fe69:2f76   "state.poweredOn"
  fe80::20c:29ff:fe69:2f80               "state.poweredOn"
  192.168.1.102                          "state.poweredOn"
  10.1.22.105                            "state.poweredOn"
  2001:1890:12f2:11:2cf8:77a9:5435:c0d   "state.poweredOn"
  fe80::2cf8:77a9:5435:c0d               "state.poweredOn"

Clear all IP addresses and tags learned from a specific VM Monitoring source without disconnecting the source:
  debug vm-monitor clear source-name <name>

Display IP addresses registered from all sources:
  show object registered-ip all

Display the count for IP addresses registered from all sources:
  show object registered-ip all option count

Clear IP addresses registered from all sources:
  debug object registered-ip clear all

Add or delete tags for a given IP address that was registered using the XML API:
  debug object test registered-ip [<register/unregister>] <ip/netmask> <tag>


View all tags registered from a specific information source:
  show vm-monitor source source-name vmware1 tag all
  vlanId.4095
  vswitch.vSwitch1
  host-ip.10.1.5.22
  portgroup.TOBEUSED
  hostname.panserver22
  portgroup.VM Network 2
  datacenter.ha-datacenter
  vlanId.0
  state.poweredOn
  vswitch.vSwitch0
  vmname.Ubuntu22-100
  vmname.win2k8-22-105
  resource-pool.Resources
  vswitch.vSwitch2
  guestos.Ubuntu Linux 32-bit
  guestos.Microsoft Windows Server 2008 32-bit
  annotation.
  version.vmx-08
  portgroup.VM Network
  vm-info-source.vmware1
  uuid.564d362c-11cd-b27f-271f-c361604dfad7
  uuid.564dd337-677a-eb8d-47db-293bd6692f76
  Total: 22

View all tags registered from a specific data source, for example from the VM Monitoring agent on the firewall, the XML API, the Windows User-ID agent, or the CLI:
  To view tags registered from the CLI:
    show log iptag datasource_type equal unknown
  To view tags registered from the XML API:
    show log iptag datasource_type equal xml-api
  To view tags registered from VM Information sources:
    show log iptag datasource_type equal vm-monitor
  To view tags registered from the Windows User-ID agent:
    show log iptag datasource_type equal xml-api datasource_subtype equal user-id-agent

View all tags that are registered for a specific IP address (across all sources):
  debug object registered-ip show tag-source ip <ip_address> tag all


Identify Users Connected through a Proxy Server

If you have a proxy server deployed between the users on your network and the firewall, in HTTP/HTTPS requests the firewall might see the proxy server IP address as the source IP address in the traffic that the proxy forwards, rather than the IP address of the client that requested the content. In many cases, the proxy server adds an X-Forwarded-For (XFF) header to the request that includes the actual IPv4 or IPv6 address of the client that requested the content or from whom the request originated. In such cases, you can configure the firewall to read the XFF header values and determine the IP addresses of the clients who requested the content. The firewall matches the XFF IP addresses with usernames that your policy rules reference so that those rules can control access for the associated users and groups. The firewall also uses the XFF-derived usernames to populate the source user fields of logs so you can monitor user access to web services.
You can also configure the firewall to add XFF values to URL Filtering logs. In these logs, an XFF value can be the client IP address, client username (if available), the IP address of the last proxy server traversed in a proxy chain, or any string of up to 128 characters that the XFF header stores.
XFF user identification applies only to HTTP or HTTPS traffic, and only if the proxy server supports the XFF header. If the header has an invalid IP address, the firewall uses that IP address as a username for group mapping references in policies. If the XFF header has multiple IP addresses, the firewall uses the first entry from the left. Keep in mind that the leftmost entry is whatever the first hop put there: a client can send its own X-Forwarded-For header, so rely on this mapping only where your proxy overwrites or validates the header before forwarding the request.
- Use XFF Values for Policies and Logging Source Users
- Add XFF Values to URL Filtering Logs

Use XFF Values for Policies and Logging Source Users

You can configure the firewall to use XFF values in user-based policies and in the source user fields of logs. To use XFF values in policies, you must also Map IP Addresses to Users, Map Users to Groups (if you have group-based policies), and configure policies based on users or groups.

Logging XFF values doesn't populate the source IP address values of logs. When you view the logs, the source field displays the IP address of the proxy server if one is deployed between the user clients and the firewall. However, you can configure the firewall to Add XFF Values to URL Filtering Logs so that you can see user IP addresses in those logs.

To ensure that attackers can't read and exploit the XFF values in web request packets that exit the firewall to retrieve content from an external server, you can also configure the firewall to strip the XFF values from outgoing packets.
These options are not mutually exclusive: if you configure both, the firewall zeroes out XFF values only after using them in policies and logs.

Use XFF Values for Policies and Logging Source Users

Step 1 Enable the firewall to use XFF values in policies and in the source user fields of logs.
1. Select Device > Setup > Content-ID and edit the X-Forwarded-For Headers settings.
2. Select the Use X-Forwarded-For Header in User-ID check box.


Step 2 Remove XFF values from outgoing web requests.
1. Select the Strip X-Forwarded-For Header check box.
2. Click OK and Commit.

Step 3 Verify the firewall is populating the source user fields of logs.
1. Select a log type that has a source user field (for example, Monitor > Logs > Traffic).
2. Verify that the Source User column displays the usernames of users who access the web.
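The procedure above makes the firewall read the leftmost X-Forwarded-For entry for user mapping and strip the header on the way out. The following Python is an added example, not PAN-OS code: it models both behaviours next to the check a practitioner adds before trusting the header, walking the chain from the right past proxies you operate so that a client-supplied entry cannot pick the identity. The header values, the peer addresses and the trusted-proxy list are constructed.

```python
"""X-Forwarded-For handling: the firewall's leftmost-entry rule, a trusted-proxy
walk, header stripping and the 128-character log limit from the guide.

Added example, not PAN-OS code. Every header value, peer address and the
trusted-proxy set are constructed samples for illustration.
"""
import ipaddress

MAX_LOGGED_XFF = 128  # URL Filtering logs store up to 128 characters of the header


def parse_xff(value):
    """Entries of an XFF header, left (claimed origin) to right (last proxy that appended)."""
    return [e.strip() for e in value.split(",") if e.strip()]


def is_ip(entry):
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False


def firewall_user_id_key(value):
    """What PAN-OS keys the user mapping on: the leftmost entry, even when it is
    not a valid IP (the guide says such a value is then used as a username)."""
    entries = parse_xff(value)
    return entries[0] if entries else None


def client_ip_behind_trusted_proxies(value, peer_ip, trusted_proxies):
    """Safer rule: only honour XFF when the connecting peer is one of our proxies,
    then walk from the right past proxies we operate and take the first address
    we did not add ourselves. The leftmost entry is attacker-controlled unless
    the first proxy overwrites it, so it is never trusted on its own."""
    if peer_ip not in trusted_proxies:
        return peer_ip  # did not come through our proxy: ignore the header entirely
    for entry in reversed(parse_xff(value)):
        if entry not in trusted_proxies:
            return entry if is_ip(entry) else None
    return peer_ip


def strip_xff(headers):
    """Drop X-Forwarded-For (any letter case) before the request leaves the network."""
    return {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}


def xff_for_url_log(value):
    """The XFF string as the URL Filtering log would keep it."""
    return value[:MAX_LOGGED_XFF]


# Constructed sample: the client sent a forged entry, proxy 10.0.0.5 appended the
# real client 203.0.113.7 and then opened the connection the firewall sees.
FORGED = "198.51.100.99, 203.0.113.7"
TRUSTED_PROXIES = {"10.0.0.5"}


def demo():
    return {
        "firewall_leftmost": firewall_user_id_key(FORGED),
        "trusted_walk": client_ip_behind_trusted_proxies(FORGED, "10.0.0.5", TRUSTED_PROXIES),
        "direct_client": client_ip_behind_trusted_proxies(FORGED, "203.0.113.8", TRUSTED_PROXIES),
        "stripped": strip_xff({"Host": "example.com", "x-forwarded-for": FORGED}),
    }
```

demo() shows the difference in one place: the leftmost rule yields the forged 198.51.100.99, the trusted-proxy walk yields 203.0.113.7, and a request that never passed through the proxy is attributed to its own source address.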

Add XFF Values to URL Filtering Logs

You can configure the firewall to add the XFF values from web requests to URL Filtering logs. The XFF values that the logs display can be client IP addresses, usernames if available, or any values of up to 128 characters that the XFF fields store.

This method of logging XFF values doesn't add usernames to the source user fields in URL Filtering logs. To populate the source user fields, see Use XFF Values for Policies and Logging Source Users.

Add XFF Values to URL Filtering Logs

Step 1 Configure a URL Filtering profile.
1. Select Objects > Security Profiles > URL Filtering.
2. Select an existing profile or Add a new profile and enter a descriptive Name.
   You can't enable XFF logging in the default URL Filtering profile.
3. In the Categories tab, define how to control access to web content.
4. Select the Settings tab and select the X-Forwarded-For check box.
5. Click OK to save the profile.

Step 2 Attach the URL Filtering profile to a policy rule.
1. Select Policies > Security and click the rule.
2. Select the Actions tab, set the Profile Type to Profiles, and select the URL Filtering profile you just created.
3. Click OK and Commit.

Step 3 Verify the firewall is logging XFF values.
1. Select Monitor > Logs > URL Filtering.
2. Display the XFF values in one of the following ways:
   - To display the XFF value for a single log, click the details icon for the log. The HTTP Headers section displays the X-Forwarded-For value.
   - To display the XFF values for all logs, open the drop-down in any column header, select Columns, and select the X-Forwarded-For check box. The page then displays an X-Forwarded-For column.


Policy-Based Forwarding

Normally, the firewall uses the destination IP address in a packet to determine the outgoing interface. The firewall uses the routing table associated with the virtual router to which the interface is connected to perform the route lookup. Policy-Based Forwarding (PBF) allows you to override the routing table, and specify the outgoing or egress interface based on specific parameters such as source or destination IP address, or type of traffic.
- PBF
- Create a Policy-Based Forwarding Rule
- Use Case: PBF for Outbound Access with Dual ISPs

PBF

PBF rules allow traffic to take an alternative path from the next hop specified in the route table, and are typically used to specify an egress interface for security or performance reasons. Let's say your company has two links between the corporate office and the branch office: a cheaper internet link and a more expensive leased line. The leased line is a high-bandwidth, low-latency link. For enhanced security, you can use PBF to send applications whose traffic isn't encrypted, such as FTP, over the private leased line and all other traffic over the internet link. Or, for performance, you can choose to route business-critical applications over the leased line while sending all other traffic, such as web browsing, over the cheaper link.

Egress Path and Symmetric Return

Using PBF, you can direct traffic to a specific interface on the firewall, drop the traffic, or direct traffic to another virtual system (on systems enabled for multiple virtual systems).
In networks with asymmetric routes, such as in a dual ISP environment, connectivity issues occur when traffic arrives at one interface on the firewall and leaves from another interface. If the route is asymmetrical, where the forward (SYN packet) and return (SYN/ACK) paths are different, the firewall is unable to track the state of the entire session and this causes a connection failure. To ensure that the traffic uses a symmetrical path, which means that the traffic arrives at and leaves from the same interface on which the session was created, you can enable the Symmetric Return option.
With symmetric return, the virtual router overrides a routing lookup for return traffic and instead directs the flow back to the MAC address from which it received the SYN packet (or first packet). However, if the destination IP address is on the same subnet as the ingress/egress interface's IP address, a route lookup is performed and symmetric return is not enforced. This behavior prevents traffic from being black-holed.

To determine the next hop for symmetric returns, the firewall uses an Address Resolution Protocol (ARP) table. The maximum number of entries that this ARP table supports is limited by the firewall model and the value is not user-configurable. To determine the limit for your model, use the CLI command: show pbf return-mac all.


Path Monitoring for PBF

Path monitoring allows you to verify connectivity to an IP address so that the firewall can direct traffic through an alternate route, when needed. The firewall uses ICMP pings as heartbeats to verify that the specified IP address is reachable.
A monitoring profile allows you to specify the threshold number of heartbeats to determine whether the IP address is reachable. When the monitored IP address is unreachable, you can either disable the PBF rule or specify a fail-over or wait-recover action. Disabling the PBF rule allows the virtual router to take over the routing decisions. When the fail-over or wait-recover action is taken, the monitoring profile continues to monitor whether the target IP address is reachable, and when it comes back up, the firewall reverts back to using the original route.
The following table lists the difference in behavior for a path monitoring failure on a new session versus an established session.

Behavior of a session on a monitoring failure

For an established session:
  If the rule stays enabled when the monitored IP address is unreachable:
    wait-recover: continue to use the egress interface specified in the PBF rule
    fail-over: use the path determined by the routing table (no PBF)
  If the rule is disabled when the monitored IP address is unreachable:
    wait-recover: continue to use the egress interface specified in the PBF rule
    fail-over: use the path determined by the routing table (no PBF)

For a new session:
  If the rule stays enabled when the monitored IP address is unreachable:
    wait-recover: use the path determined by the routing table (no PBF)
    fail-over: use the path determined by the routing table (no PBF)
  If the rule is disabled when the monitored IP address is unreachable:
    wait-recover: check the remaining PBF rules; if no match, use the routing table
    fail-over: check the remaining PBF rules; if no match, use the routing table

Service Versus Applications in PBF

PBF rules are applied either on the first packet (SYN) or the first response to the first packet (SYN/ACK). This means that a PBF rule may be applied before the firewall has enough information to determine the application. Therefore, application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application.
However, if you specify an application in a PBF rule, the firewall performs App-ID caching. When an application passes through the firewall for the first time, the firewall does not have enough information to identify the application and therefore cannot enforce the PBF rule. As more packets arrive, the firewall determines the application and creates an entry in the App-ID cache and retains this App-ID for the session. When a new session is created with the same destination IP address, destination port, and protocol ID, the firewall could identify the application as the same from the initial session (based on the App-ID cache) and apply the PBF rule. Therefore, a session that is not an exact match and is not the same application can be forwarded based on the PBF rule.
Further, applications have dependencies and the identity of the application can change as the firewall receives more packets. Because PBF makes a routing decision at the start of a session, the firewall cannot enforce a change in application identity. YouTube, for example, starts as web-browsing but changes to Flash, RTSP, or YouTube based on the different links and videos included on the page. However with PBF, because the firewall identifies the application as web-browsing at the start of the session, the change in application is not recognized thereafter.

You cannot use custom applications, application filters or application groups in PBF rules.


Create a Policy-Based Forwarding Rule

Use a PBF rule to direct traffic to a specific egress interface on the firewall, and override the default path for the traffic.

Create a PBF Rule

Step 1 Create a PBF rule.
When creating a PBF rule you must specify a name for the rule, a source zone or interface, and an egress interface. All other components are either optional or have a default value provided.
You can specify the source and destination addresses using an IP address, an address object, or an FQDN. For the next hop, however, you must specify an IP address.
1. Select Policies > Policy Based Forwarding and click Add.
2. Give the rule a descriptive name in the General tab.
3. In the Source tab, select the following:
   a. Select the Type (Zone or Interface) to which the forwarding policy will be applied, and the relevant zone or interface.
      PBF is only supported on Layer 3 interfaces.
   b. (Optional) Specify the Source Address to which PBF will apply. For example, a specific IP address or subnet IP address from which you want to forward traffic to the interface or zone specified in this rule.
      Use the Negate option to exclude one or more source IP addresses from the PBF rule. For example, if your PBF rule directs all traffic from the specified zone to the internet, Negate allows you to exclude internal IP addresses from the PBF rule.
      The evaluation order is top down. A packet is matched against the first rule that meets the defined criteria; after a match is triggered the subsequent rules are not evaluated.
   c. (Optional) Add and select the Source User or groups of users to whom the policy applies.
4. In the Destination/Application/Service tab, select the following:
   a. Destination Address. By default the rule applies to Any IP address. Use the Negate option to exclude one or more destination IP addresses from the PBF rule.
   b. Select the Application(s) or Service(s) that you want to control using PBF.
      Application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application. For more details, see Service Versus Applications in PBF.


Step 2 Specify how to forward traffic that matches the rule.
If you are configuring PBF in a multi-VSYS environment, you must create separate PBF rules for each virtual system (and create the appropriate Security policy rules to enable the traffic).
1. In the Forwarding tab, select the following:
   a. Set the Action. The options are as follows:
      - Forward: directs the packet to a specific Egress Interface. Enter the Next Hop IP address for the packet (you cannot use a domain name for the next hop).
      - Forward To VSYS: (on a firewall enabled for multiple virtual systems) select the virtual system to which to forward the packet.
      - Discard: drop the packet.
      - No PBF: exclude the packets that match the criteria for source/destination/application/service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.
      To trigger the specified action at a daily, weekly or non-recurring frequency, create and attach a Schedule.
      (Optional) Enable Monitoring to verify connectivity to a target IP address or to the next hop IP address. Select Monitor and attach a monitoring Profile (default or custom) that specifies the action when the IP address is unreachable.
   b. (Optional, required for asymmetric routing environments) Select Enforce Symmetric Return and enter one or more IP addresses in the Next Hop Address List.
      Enabling symmetric return ensures that return traffic (say, from the Trust zone on the LAN to the internet) is forwarded out through the same interface through which traffic ingresses from the internet.

Step 3 Save the policies to the running configuration on the firewall.
Click Commit. The PBF rule is in effect.


Use Case: PBF for Outbound Access with Dual ISPs

In this use case, the branch office has a dual ISP configuration and implements PBF for redundant internet access. The backup ISP is the default route for traffic from the client to the web servers. In order to enable redundant internet access without using an internetwork protocol such as BGP, we use PBF with destination interface-based source NAT and static routes, and configure the firewall as follows:
- Enable a PBF rule that routes traffic through the primary ISP, and attach a monitoring profile to the rule. The monitoring profile triggers the firewall to use the default route through the backup ISP when the primary ISP is unavailable.
- Define Source NAT rules for both the primary and backup ISP that instruct the firewall to use the source IP address associated with the egress interface for the corresponding ISP. This ensures that the outbound traffic has the correct source IP address.
- Add a static route to the backup ISP, so that when the primary ISP is unavailable, the default route comes into effect and the traffic is directed through the backup ISP.


PBF for Outbound Access with Dual ISPs

Step 1 Configure the ingress and the egress interfaces on the firewall.
Egress interfaces can be in the same zone. In this example we assign the egress interfaces to different zones.
1. Select Network > Interfaces and then select the interface you want to configure, for example, Ethernet1/1 and Ethernet1/3. The interface configuration on the firewall used in this example is as follows (the zone names match the NAT rules in Step 4 and the session output in Step 8):
   Ethernet1/1, connected to the primary ISP:
     Zone: ISP-West
     IP Address: 1.1.1.2/30
     Virtual Router: Default
   Ethernet1/3, connected to the backup ISP:
     Zone: ISP-East
     IP Address: 2.2.2.2/30
     Virtual Router: Default
   Ethernet1/2, the ingress interface used by the network clients to connect to the internet:
     Zone: Trust
     IP Address: 192.168.54.1/24
     Virtual Router: Default
2. To save the interface configuration, click OK.

Step 2 On the virtual router, add a static route to the backup ISP.
1. Select Network > Virtual Router and then select the default link to open the Virtual Router dialog.
2. Select the Static Routes tab and click Add. Enter a Name for the route and specify the Destination IP address for which you are defining the static route. In this example, we use 0.0.0.0/0 for all traffic.
3. Select the IP Address radio button and set the Next Hop IP address for your router that connects to the backup internet gateway (you cannot use a domain name for the next hop). In this example, 2.2.2.1.
4. Specify a cost metric for the route. In this example, we use 10.
5. Click OK twice to save the virtual router configuration.


Step 3 Create a PBF rule that directs traffic to the interface that is connected to the primary ISP.
Make sure to exclude traffic destined to internal servers/IP addresses from PBF. Define a negate rule so that traffic destined to internal IP addresses is not routed through the egress interface defined in the PBF rule.
1. Select Policies > Policy Based Forwarding and click Add.
2. Give the rule a descriptive Name in the General tab.
3. In the Source tab, set the Source Zone to Trust.
4. In the Destination/Application/Service tab, set the following:
   a. In the Destination Address section, Add the IP addresses or address range for servers on the internal network, or create an address object for your internal servers. Select Negate to exclude the IP addresses or address object listed above from using this rule.
   b. In the Service section, Add the service-http and service-https services to allow HTTP and HTTPS traffic to use the default ports. For all other traffic that is allowed by security policy, the default route will be used.
      To forward all traffic using PBF, set the Service to Any.
5. In the Forwarding tab, specify the interface to which you want to forward traffic and enable path monitoring.
   a. To forward traffic, set the Action to Forward, select the Egress Interface and specify the Next Hop. In this example, the egress interface is ethernet1/1, and the next hop IP address is 1.1.1.1 (you cannot use an FQDN for the next hop).


   b. Enable Monitor and attach the default monitoring profile, to trigger a failover to the backup ISP. In this example, we do not specify a target IP address to monitor. The firewall will monitor the next hop IP address; if this IP address is unreachable the firewall will direct traffic to the default route specified on the virtual router.
   c. (Required if you have asymmetric routes) Select Enforce Symmetric Return to ensure that return traffic from the Trust zone to the internet is forwarded out on the same interface through which traffic ingressed from the internet. NAT ensures that the traffic from the internet is returned to the correct interface/IP address on the firewall.
   d. Click OK to save the changes.

Step 4 Create NAT rules based on the egress interface and ISP. These rules ensure that the correct source IP address is used for outbound connections.
1. Select Policies > NAT and click Add.
2. In this example, the NAT rule we create for each ISP is as follows. In each rule the Destination Zone is the zone of that ISP's interface and the translated address is that same interface (the assignments from Step 1), so traffic leaving through an ISP link always carries that link's address:
   NAT for Primary ISP
     In the Original Packet tab:
       Source Zone: Trust
       Destination Zone: ISP-West
     In the Translated Packet tab, under Source Address Translation:
       Translation Type: Dynamic IP And Port
       Address Type: Interface Address
       Interface: ethernet1/1
       IP Address: 1.1.1.2/30
   NAT for Backup ISP
     In the Original Packet tab:
       Source Zone: Trust
       Destination Zone: ISP-East
     In the Translated Packet tab, under Source Address Translation:
       Translation Type: Dynamic IP And Port
       Address Type: Interface Address
       Interface: ethernet1/3
       IP Address: 2.2.2.2/30


Step 5 Create a security policy to allow outbound access to the internet.
To safely enable applications, create a simple rule that allows access to the internet and attach the security profiles available on the firewall.
1. Select Policies > Security and click Add.
2. Give the rule a descriptive Name in the General tab.
3. In the Source tab, set the Source Zone to Trust.
4. In the Destination tab, set the Destination Zone to ISP-East and ISP-West.
5. In the Service/URL Category tab, leave the default application-default.
6. In the Actions tab, complete these tasks:
   a. Set the Action Setting to Allow.
   b. Attach the default profiles for Antivirus, Anti-Spyware, Vulnerability Protection and URL Filtering, under Profile Setting.
7. Under Options, verify that logging is enabled at the end of a session. Only traffic that matches a security rule is logged.

Step 6 Save the policies to the running configuration on the firewall.
Click Commit.


Step 7 Verify that the PBF rule is active and that the primary ISP is used for internet access.
1. Launch a web browser and access a web server. On the firewall, check the traffic log for web-browsing activity.
2. From a client on the network, use the ping utility to verify connectivity to a web server on the internet, and check the traffic log on the firewall.
   C:\Users\pm-user1>ping 4.2.2.1
   Pinging 4.2.2.1 with 32 bytes of data:
   Reply from 4.2.2.1: bytes=32 time=34ms TTL=117
   Reply from 4.2.2.1: bytes=32 time=13ms TTL=117
   Reply from 4.2.2.1: bytes=32 time=25ms TTL=117
   Reply from 4.2.2.1: bytes=32 time=3ms TTL=117
   Ping statistics for 4.2.2.1:
   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
   Approximate round trip times in milli-seconds:
   Minimum = 3ms, Maximum = 34ms, Average = 18ms
3. To confirm that the PBF rule is active, use the CLI command show pbf rule all:
   admin@PA-NGFW> show pbf rule all
   Rule       ID  Rule State  Action   Egress IF/VSYS  NextHop
   ========== === ========== ======== ============== =======
   Use ISP-Pr 1   Active     Forward  ethernet1/1    1.1.1.1

Step 8 Verify that the failover to the backup ISP occurs and that the Source NAT is correctly applied.
1. Unplug the connection to the primary ISP.
2. Confirm that the PBF rule is inactive with the CLI command show pbf rule all:
   admin@PA-NGFW> show pbf rule all
   Rule       ID  Rule State  Action   Egress IF/VSYS  NextHop
   ========== === ========== ======== ============== =======
   Use ISP-Pr 1   Disabled   Forward  ethernet1/1    1.1.1.1
3. Access a web server, and check the traffic log to verify that traffic is being forwarded through the backup ISP.


4. View the session details to confirm that the NAT rule is working properly.
   admin@PA-NGFW> show session all
   ---------------------------------------------------------
   ID  Application  State  Type  Flag  Src[Sport]/Zone/Proto (translated IP[Port])
   Vsys  Dst[Dport]/Zone (translated IP[Port])
   ---------------------------------------------------------
   87212  ssl  ACTIVE  FLOW  NS  192.168.54.56[53236]/Trust/6 (2.2.2.2[12896])
   vsys1  204.79.197.200[443]/ISP-East (204.79.197.200[443])
5. Obtain the session identification number from the output and view the session details. Note that the PBF rule is not used and hence is not listed in the output; the nat-rule and egress interface fields show that the session left through the backup ISP interface with the backup ISP's address as the translated source.
   admin@PA-NGFW> show session id 87212

   Session 87212

   c2s flow:
   source: 192.168.54.56 [Trust]
   dst: 204.79.197.200
   proto: 6
   sport: 53236 dport: 443
   state: ACTIVE type: FLOW
   src user: unknown
   dst user: unknown

   s2c flow:
   source: 204.79.197.200 [ISP-East]
   dst: 2.2.2.2
   proto: 6
   sport: 443 dport: 12896
   state: ACTIVE type: FLOW
   src user: unknown
   dst user: unknown
   start time : Wed Nov 5 11:16:10 2014
   timeout : 1800 sec
   time to live : 1757 sec
   total byte count(c2s) : 1918
   total byte count(s2c) : 4333
   layer7 packet count(c2s) : 10
   layer7 packet count(s2c) : 7
   vsys : vsys1
   application : ssl
   rule : Trust2ISP
   session to be logged at end : True
   session in session ager : True
   session synced from HA peer : False
   address/port translation : source
   nat-rule : NAT-Backup ISP(vsys1)
   layer7 processing : enabled
   URL filtering enabled : True
   URL category : search-engines
   session via syn-cookies : False
   session terminated on host : False
   session traverses tunnel : False
   captive portal session : False
   ingress interface : ethernet1/2
   egress interface : ethernet1/3
   session QoS rule : N/A (class 4)
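Steps 7 and 8 are checks worth repeating from a monitoring job rather than by hand. The following Python is an added example, not Palo Alto Networks code: it parses the two CLI outputs shown above (re-embedded as strings, the session detail trimmed to the fields the check needs) and decides whether the failover to the backup ISP really happened. The XML form of the op command is the usual CLI-to-XML mapping (confirm it for your release with debug cli on in the CLI); the HTTPS call to the API is left out so the example runs offline, and the rule and interface names are the ones from this use case.

```python
"""Check the dual-ISP failover from PAN-OS CLI output: the primary PBF rule must
be Disabled and a session must show the backup NAT rule and egress interface.

Added example, not Palo Alto Networks code. The captures are the ones printed
in the use case, embedded as strings (session detail trimmed); the op-command
XML is the standard CLI-to-XML mapping and the API call itself is not made.
"""
from urllib.parse import urlencode

PBF_ACTIVE = """\
admin@PA-NGFW> show pbf rule all
Rule ID Rule State Action Egress IF/VSYS NextHop
========== === ========== ====== ============== =======
Use ISP-Pr 1 Active Forward ethernet1/1 1.1.1.1
"""
PBF_DISABLED = PBF_ACTIVE.replace(" Active ", " Disabled ")
SESSION_DETAIL = """\
admin@PA-NGFW> show session id 87212
Session 87212
c2s flow:
source: 192.168.54.56 [Trust]
dst: 204.79.197.200
s2c flow:
source: 204.79.197.200 [ISP-East]
dst: 2.2.2.2
application : ssl
rule : Trust2ISP
address/port translation : source
nat-rule : NAT-Backup ISP(vsys1)
ingress interface : ethernet1/2
egress interface : ethernet1/3
"""


def op_command_query(api_key, cli="show pbf rule all"):
    """Form body for POST /api/ with type=op: each CLI word becomes a nested element."""
    words = cli.split()
    xml = ("".join(f"<{w}>" for w in words[:-1]) + words[-1]
           + "".join(f"</{w}>" for w in reversed(words[:-1])))
    return urlencode({"type": "op", "key": api_key, "cmd": xml})


def parse_pbf_rules(text):
    """Rows of the 'show pbf rule all' table. Rule names may contain spaces, so
    the five trailing one-word columns are taken from the right (assumes the
    Forward action with a next hop, which is what this use case prints)."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("====="):
            in_table = True
            continue
        parts = line.split()
        if not in_table or len(parts) < 6:
            continue
        rows.append({"name": " ".join(parts[:-5]), "id": parts[-5], "state": parts[-4],
                     "action": parts[-3], "egress": parts[-2], "nexthop": parts[-1]})
    return rows


def rule_state(text, name_prefix):
    """State of the first rule whose (possibly truncated) name starts with name_prefix."""
    for row in parse_pbf_rules(text):
        if row["name"].startswith(name_prefix):
            return row["state"]
    return None


def parse_session_detail(text):
    """'key : value' lines of 'show session id' into a dict; the first colon splits,
    so timestamps survive. Repeated keys (source/dst per flow) keep the last value."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("admin@"):
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def failover_verified(pbf_text, session_text, pbf_rule="Use ISP-Pr",
                      backup_nat_rule="NAT-Backup ISP", backup_interface="ethernet1/3"):
    """True when Step 8 succeeded: primary PBF rule down, session on the backup path."""
    s = parse_session_detail(session_text)
    return (rule_state(pbf_text, pbf_rule) == "Disabled"
            and s.get("nat-rule", "").startswith(backup_nat_rule)
            and s.get("egress interface") == backup_interface)
```

Run against the two captures, failover_verified is False while the rule is Active and True once it is Disabled and the session carries nat-rule NAT-Backup ISP with egress ethernet1/3; a job that polls show pbf rule all and alerts on the Active to Disabled transition gives you the ISP outage notification the path monitor itself does not send anywhere.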


DoSProtectionAgainstFloodingofNewSessions

ThefollowingtopicsdescribehowtoconfigureDoSprotectiontobetterblockIPaddressesinorderto
handlehighvolumeattacksmoreefficiently.
DoSProtectionAgainstFloodingofNewSessions
ConfigureDoSProtectionAgainstFloodingofNewSessions
UsetheCLItoEndaSingleAttackingSession
IdentifySessionsThatUseanExcessivePercentageofthePacketBuffer
DiscardaSessionWithoutaCommit

DoS Protection Against Flooding of New Sessions

DoS protection against flooding of new sessions is beneficial against high-volume single-session and multiple-session attacks. In a single-session attack, an attacker uses a single session to target a device behind the firewall. If a Security rule allows the traffic, the session is established and the attacker initiates an attack by sending packets at a very high rate with the same source IP address and port number, destination IP address and port number, and protocol, trying to overwhelm the target. In a multiple-session attack, an attacker uses multiple sessions (or connections per second [cps]) from a single host to launch a DoS attack.

This feature defends only against DoS attacks of new sessions, that is, traffic that has not been offloaded to hardware. An offloaded attack is not protected by this feature. However, this topic describes how you can create a Security policy rule to reset the client; the attacker re-initiates the attack with numerous connections per second and is blocked by the defenses illustrated in this topic.

- Multiple-Session DoS Attack
- Single-Session DoS Attack

Multiple-Session DoS Attack

Configure DoS Protection Against Flooding of New Sessions by configuring a DoS Protection policy rule, which determines the criteria that, when matched by incoming packets, trigger the protect action. The DoS Protection profile counts each new connection toward the Alarm Rate, Activate Rate, and Max Rate thresholds. When the incoming new connections per second exceed the Max Rate allowed, the firewall takes the action specified in the DoS Protection policy rule.
The following figure and table describe how the Security policy rules, DoS Protection policy rules and profile work together in an example.


Sequence of Events as Firewall Quarantines an IP Address

In this example, an attacker launches a DoS attack at a rate of 10,000 new connections per second to UDP port 53. The attacker also sends 10 new connections per second to HTTP port 80.

The new connections match criteria in the DoS Protection policy rule, such as a source zone or interface, source IP address, destination zone or interface, destination IP address, or a service, among other settings. In this example, the policy rule specifies UDP.
The DoS rule also specifies the Protect action and Classified, two settings that dynamically put the DoS Protection profile settings into effect. The DoS Protection profile specifies that a Max Rate of 3,000 packets per second is allowed. When incoming packets match the DoS rule, new connections per second are counted toward the Alarm, Activate, and Max Rate thresholds.
You can also use a Security policy rule to block all traffic from the source IP address if you deem that address to be malicious all the time.

The 10,000 new connections per second exceed the Max Rate threshold. When all of the following occur:
- the threshold is exceeded,
- a Block Duration is specified, and
- Classified is set to include the source IP address,
the firewall puts the offending source IP address on the block list.

An IP address on the block list is in quarantine, meaning all traffic from that IP address is blocked. The firewall blocks the offending source IP address before additional attack packets reach the Security policy.

The following figure describes in more detail what happens after an IP address that matches the DoS Protection policy rule is put on the block list. It also describes the Block Duration timer.


Every one second, the firewall allows the IP address to come off the block list so that the firewall can test the traffic patterns and determine whether the attack is ongoing. The firewall takes the following action:
- During this one-second test period, the firewall allows packets that do not match the DoS Protection policy criteria (HTTP traffic in this example) through the DoS Protection policy rules to the Security policy for validation. Very few packets, if any, have time to get through, because the first attack packet that the firewall receives after the IP address is let off the block list will match the DoS Protection policy criteria, quickly causing the IP address to be placed back on the block list for another second. The firewall repeats this test each second until the attack stops.
- The firewall blocks all attack traffic from going past the DoS Protection policy rules until the Block Duration expires.
- When the attack stops, the firewall does not put the IP address back on the block list. The firewall allows non-attack traffic to proceed through the DoS Protection policy rules to the Security policy rules for validation. You must configure a Security policy rule because without one, an implicit deny rule denies all traffic.
- The block list is based on a source zone and source address combination. This behavior allows duplicate IP addresses to exist as long as they are in different zones belonging to separate virtual routers.
- The Block Duration setting in a DoS Protection profile specifies how long the firewall blocks the [offending] packets that exactly match a DoS Protection policy rule. The attack traffic remains blocked until the Block Duration expires, after which the attack traffic must again exceed the Max Rate threshold to be blocked again.


If the attacker uses multiple sessions or bots that initiate multiple attack sessions, the sessions count toward the thresholds in the DoS Protection profile without a Security policy deny rule in place. Hence, a single-session attack requires a Security policy deny rule in order for each packet to count toward the thresholds; a multiple-session attack does not.

Therefore, the DoS protection against flooding of new sessions allows the firewall to efficiently defend against a source IP address while attack traffic is ongoing and to permit non-attack traffic to pass as soon as the attack stops. Putting the offending IP address on the block list allows the DoS protection functionality to take advantage of the block list, which is designed to quarantine all activity. Quarantining the IP address from all activity protects against a modern attacker who attempts a rotating application attack, in which the attacker simply changes applications to start a new attack or uses a combination of different attacks in a hybrid DoS attack.

Beginning with PAN-OS 7.0.2, it is a change in behavior that the firewall places the attacking source IP address on the block list. When the attack stops, non-attack traffic is allowed to proceed to the Security policy rules. The attack traffic that matched the DoS Protection profile and DoS Protection policy rules remains blocked until the Block Duration expires.

Single-Session DoS Attack

A single-session DoS attack typically will not trigger Zone or DoS Protection profiles because these attacks are formed after the session is created. These attacks are allowed by the Security policy because a session is allowed to be created, and after the session is created, the attack drives up the packet volume and takes down the target device.
Configure DoS Protection Against Flooding of New Sessions to protect against flooding of new sessions (single-session and multiple-session flooding). In the event of a single-session attack that is underway, additionally Use the CLI to End a Single Attacking Session.

Configure DoS Protection Against Flooding of New Sessions

Configure DoS Protection Against Flooding of New Sessions

Step 1 (Required for single-session attack mitigation or attacks that have not triggered the DoS Protection policy threshold; optional for multiple-session attack mitigation) Configure Security policy rules to deny traffic from the attacker's IP address and allow other traffic based on your network needs. You can specify any of the match criteria in a Security policy rule, such as source IP address.
  See Components of a Security Policy Rule and Create a Security Policy Rule.
  This step is one of the steps typically performed to stop an existing attack. See Use the CLI to End a Single Attacking Session.


Step 2 Configure a DoS Protection profile for flood protection.
  Because flood attacks can occur over multiple protocols, as a best practice, activate protection for all of the flood types in the DoS Protection profile.
  1. Select Objects > Security Profiles > DoS Protection and Add a profile Name.
  2. Select Classified as the Type.
  3. For Flood Protection, select all types of flood protection:
     - SYN Flood
     - UDP Flood
     - ICMP Flood
     - ICMPv6 Flood
     - Other IP Flood
  4. (Optional) On each of the flood tabs, change the following thresholds to suit your environment:
     - Alarm Rate (packets/s): Specify the threshold rate (packets per second [pps]) above which a DoS alarm is generated. (Range is 0-2,000,000; default is 10,000.)
     - Activate Rate (packets/s): Specify the threshold rate (pps) above which a DoS response is activated. The DoS response is configured in the Action field of the DoS policy rule where this profile is referenced. When the Activate Rate threshold is reached, Random Early Drop occurs. (Range is 0-2,000,000; default is 10,000.)
     - Max Rate (packets/s): Specify the threshold rate of incoming packets per second that the firewall allows. When the threshold is exceeded, new packets that arrive are dropped and the Action specified in the DoS policy rule is triggered. (Range is 2-2,000,000; default is 40,000.)
     The web interface labels these rates in packets per second; for protection against flooding of new sessions, each new connection is what the firewall counts toward them (see DoS Protection Against Flooding of New Sessions).
     The default threshold values in this step are only starting points and might not be appropriate for your network. You must analyze the behavior of your network to properly set initial threshold values.
  5. On each of the flood tabs, specify the Block Duration (in seconds), which is the length of time the firewall blocks packets that match the DoS Protection policy rule that references this profile. Specify a value greater than zero. (Range is 1-21,600; default is 300.)
     Set a low Block Duration value if you are concerned that packets you incorrectly identified as attack traffic will be blocked unnecessarily.
     Set a high Block Duration value if you are more concerned about blocking volumetric attacks than you are about incorrectly blocking packets that are not part of an attack.
  6. Click OK.


Step 3 Configure a DoS Protection policy rule that specifies the criteria for matching the incoming traffic.
  1. Select Policies > DoS Protection and Add a Name on the General tab. The name is case-sensitive and can be a maximum of 31 characters, including letters, numbers, spaces, hyphens, and underscores.
  2. On the Source tab, choose the Type to be a Zone or Interface, and then Add the zone(s) or interface(s).
  3. (Optional) For Source Address, select Any for any incoming IP address to match the rule, or Add an address object such as a geographical region.
  4. (Optional) For Source User, select any or specify a user.
  5. (Optional) Select Negate to match any sources except those you specify.
  6. (Optional) On the Destination tab, choose the Type to be a Zone or Interface, and then Add the destination zone(s) or interface(s). For example, enter the security zone you want to protect.
  7. (Optional) For Destination Address, select Any or enter the IP address of the device you want to protect.
  8. (Optional) On the Option/Protection tab, Add a Service. Select a service or click Service and enter a Name. Select TCP or UDP. Enter a Destination Port. Not specifying a particular service allows the rule to match a flood of any protocol type without regard to an application-specific port.
  9. On the Option/Protection tab, for Action, select Protect.
  10. Select Classified.
  11. For Profile, select the name of the DoS Protection profile you created.
  12. For Address, select source-ip-only or src-dest-ip-both, which determines the type of IP address to which the rule applies. Choose the setting based on how you want the firewall to identify offending traffic.
     - Specify source-ip-only if you want the firewall to classify only on the source IP address. Because attackers often test the entire network for hosts to attack, source-ip-only is the typical setting for a wider examination.
     - Specify src-dest-ip-both if you want to protect only against DoS attacks on the server that has a specific destination address and also ensure that every source IP address will not surpass a specific connections-per-second threshold to that server.
  13. Click OK.

Step 4 Save the configuration. Click Commit.
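The following Python model is an added example and is not PAN-OS code. It replays the behavior described in Sequence of Events as Firewall Quarantines an IP Address using the profile thresholds from Step 2 and the classification choice from Step 3: new connections are counted per second per classification key (source zone plus source address, or plus destination address for src-dest-ip-both), the Alarm, Activate and Max Rate thresholds fire in order, and a key that exceeds Max Rate goes on the block list for the Block Duration. While quarantined, matching attack packets are dropped and re-arm the one-second test window, so non-matching traffic from the same host only gets through in a second with no attack packets. The attacker address, the per-second timing and the simplified rate accounting are assumptions made for the simulation; a real dataplane measures these rates differently.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class DoSProfile:
    """Classified DoS Protection profile thresholds (defaults from Step 2)."""
    alarm_rate: int = 10_000      # new connections/s above which an alarm is raised
    activate_rate: int = 10_000   # above which Random Early Drop (RED) starts
    max_rate: int = 40_000        # above which new connections are dropped and the rule action fires
    block_duration: int = 300     # seconds the classified key stays on the block list


@dataclass
class DoSRule:
    """DoS Protection policy rule: service match plus classification key (Step 3)."""
    protocol: str                        # service the rule matches, e.g. "udp"
    classify: str = "source-ip-only"     # or "src-dest-ip-both"
    profile: DoSProfile = field(default_factory=DoSProfile)

    def key(self, pkt):
        # The block list is keyed by source zone + source address; src-dest-ip-both
        # adds the destination so each protected server gets its own per-source counter.
        if self.classify == "src-dest-ip-both":
            return (pkt["src_zone"], pkt["src"], pkt["dst"])
        return (pkt["src_zone"], pkt["src"])


class DoSEngine:
    """Counts new connections per second per key and enforces the block list."""

    def __init__(self, rule):
        self.rule = rule
        self.cps = defaultdict(int)     # (key, second) -> matching new connections seen
        self.blocked_until = {}         # key -> time at which the Block Duration expires
        self.events = []                # ("alarm" | "block", key, second)

    def new_connection(self, pkt, now):
        """Verdict for one new-session packet: allow, red, drop or blocked."""
        key, sec, p = self.rule.key(pkt), int(now), self.rule.profile
        matches = pkt["proto"] == self.rule.protocol
        exp = self.blocked_until.get(key)
        if exp is not None and now < exp:
            # Quarantined: attack packets are dropped before the Security policy and
            # re-arm the one-second test window; non-matching traffic gets through only
            # in a second in which no attack packet from this key has arrived.
            if matches:
                self.cps[(key, sec)] += 1
                return "blocked"
            return "allow" if self.cps[(key, sec)] == 0 else "blocked"
        if exp is not None:
            del self.blocked_until[key]        # Block Duration expired; must exceed Max Rate again
        if not matches:
            return "allow"                     # not this rule's traffic; the Security policy decides
        self.cps[(key, sec)] += 1
        n = self.cps[(key, sec)]
        if n == p.alarm_rate + 1:
            self.events.append(("alarm", key, sec))
        if n > p.max_rate:
            self.blocked_until[key] = now + p.block_duration
            self.events.append(("block", key, sec))
            return "drop"
        if n > p.activate_rate:
            return "red"
        return "allow"


def simulate_example():
    """Replay the text's scenario: 10,000 UDP/53 plus 10 HTTP new connections per
    second from one host for three seconds, then HTTP only for two more seconds.
    Returns ({(traffic, second, verdict): count}, engine)."""
    profile = DoSProfile(alarm_rate=1_000, activate_rate=2_000, max_rate=3_000, block_duration=300)
    eng = DoSEngine(DoSRule(protocol="udp", profile=profile))
    host = {"src_zone": "untrust", "src": "198.51.100.7"}   # constructed attacker address
    tally = defaultdict(int)
    for sec in range(5):
        if sec < 3:
            for i in range(10_000):
                v = eng.new_connection(dict(host, dst="10.0.0.53", proto="udp"), sec + i / 10_000)
                tally[("udp", sec, v)] += 1
        for i in range(10):
            v = eng.new_connection(dict(host, dst="10.0.0.80", proto="tcp"), sec + 0.5 + i / 100)
            tally[("http", sec, v)] += 1
    return dict(tally), eng


if __name__ == "__main__":
    tally, eng = simulate_example()
    for k in sorted(tally):
        print(k, tally[k])
    print(eng.events)
```

Running it shows the sequence the text describes: in the first second the UDP flood passes the alarm and RED thresholds, the 3,001st connection puts the key on the block list, the rest of the flood and the HTTP traffic in seconds 0 to 2 are blocked, and once the flood stops the HTTP connections in seconds 3 and 4 are allowed through to the Security policy even though the UDP traffic stays blocked for the full Block Duration.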


Use the CLI to End a Single Attacking Session

To mitigate a single-session DoS attack, you would still Configure DoS Protection Against Flooding of New Sessions in advance. At some point after you configure the feature, a session might be established before you realize a DoS attack (from the IP address of that session) is underway. When you see a single-session DoS attack, perform the following task to end the session, so that subsequent connection attempts from that IP address trigger the DoS protection against flooding of new sessions.

Use the CLI to End a Single Attacking Session

Step 1 Identify the source IP address that is causing the attack.
For example, use the firewall Packet Capture feature with a destination filter to collect a sample of the traffic going to the destination IP address. Alternatively, in PAN-OS 7.0 and later, you can use ACC to filter on destination address to view the activity to the target host being attacked.

Step 2 Create a DoS Protection policy rule that will block the attacker's IP address after the attack thresholds are exceeded.

Step 3 Create a Security policy rule to deny the source IP address and its attack traffic.

Step 4 End any existing attacks from the attacking source IP address by executing the clear session all filter source <ip-address> operational command.
Alternatively, if you know the session ID, you can execute the clear session id <value> command to end that session only.
If you use the clear session all filter source <ip-address> command, all sessions matching the source IP address are discarded, which can include both good and bad sessions.

After you end the existing attack session, any subsequent attempts to form an attack session are blocked by the Security policy. The DoS Protection policy counts all connection attempts toward the thresholds. When the Max Rate threshold is exceeded, the source IP address is blocked for the Block Duration, as described in Sequence of Events as Firewall Quarantines an IP Address.

Identify Sessions That Use an Excessive Percentage of the Packet Buffer

When a firewall exhibits signs of resource depletion, it might be experiencing an attack that is sending an overwhelming number of packets. In such events, the firewall starts buffering inbound packets. You can quickly identify the sessions that are using an excessive percentage of the packet buffer and mitigate their impact by discarding them.
Perform the following task on any hardware-based firewall platform (not a VM-Series firewall) to identify, for each slot and dataplane, the packet buffer percentage used, the top five sessions using more than two percent of the packet buffer, and the source IP addresses associated with those sessions. Having that information allows you to take appropriate action.


View Firewall Resource Usage, Top Sessions, and Session Details

Step 1 View firewall resource usage, top sessions, and session details. Execute the following operational command in the CLI (sample output from the command follows):
admin@PA-7050> show running resource-monitor ingress-backlogs
-- SLOT:s1, DP:dp1 --
USAGE - ATOMIC: 92% TOTAL: 93%
TOP SESSIONS:
SESS-ID  PCT  GRP-ID  COUNT
6        92%  1       156
              7 1732
SESSION DETAILS
SESS-ID  PROTO  SZONE  SRC           SPORT  DST        DPORT  IGR-IF        EGR-IF        APP
6        6      trust  192.168.2.35  55653  10.1.8.89  80     ethernet1/21  ethernet1/22  undecided
The command displays a maximum of the top five sessions that each use 2% or more of the packet buffer. The sample output above indicates that Session 6 is using 92% of the packet buffer with TCP packets (protocol 6) coming from source IP address 192.168.2.35.
- SESS-ID: Indicates the global session ID that is used in all other show session commands. The global session ID is unique within the firewall.
- GRP-ID: Indicates an internal stage of processing packets.
- COUNT: Indicates how many packets are in that GRP-ID for that session.
- APP: Indicates the App-ID extracted from the session information, which can help you determine whether the traffic is legitimate. For example, if packets use a common TCP or UDP port but the CLI output indicates an APP of undecided, the packets are possibly attack traffic. The APP is undecided when Application IP Decoders cannot get enough information to determine the application. An APP of unknown indicates that Application IP Decoders cannot determine the application; a session of unknown APP that uses a high percentage of the packet buffer is also suspicious.
To restrict the display output:
- On a PA-7000 Series platform, you can limit output to a slot, a dataplane, or both. For example:
  admin@PA-7050> show running resource-monitor ingress-backlogs slot s1
  admin@PA-7050> show running resource-monitor ingress-backlogs slot s1 dp dp1
- On a PA-5000 Series platform, you can limit output to a dataplane. For example:
  admin@PA-5060> show running resource-monitor ingress-backlogs dp dp1


Step 2 Use the command output to determine whether the source at the source IP address using a high percentage of the packet buffer is sending legitimate or attack traffic.
In the sample output above, a single-session attack is likely occurring. A single session (Session ID 6) is using 92% of the packet buffer for Slot 1, DP 1, and the application at that point is undecided.
If you determine a single user is sending an attack and the traffic is not offloaded, you can Use the CLI to End a Single Attacking Session. At a minimum, you can Configure DoS Protection Against Flooding of New Sessions.
On a hardware platform that has a field-programmable gate array (FPGA), the firewall offloads traffic to the FPGA when possible to increase performance. If the traffic is offloaded to hardware, clearing the session does not help because then it is the software that must handle the barrage of packets. You should instead Discard a Session Without a Commit.
To see whether a session is offloaded or not, use the show session id <session-id> operational command in the CLI as shown in the following example. The layer7 processing value indicates completed for sessions that are offloaded or enabled for sessions that are not offloaded.


Discard a Session Without a Commit

Perform this task to permanently discard a session, such as a session that is overloading the packet buffer. No commit is required; the session is discarded immediately after executing the command. The commands apply to both offloaded and non-offloaded sessions.

Discard a Session Without a Commit

Step 1 In the CLI, execute the following operational command on any hardware platform:
admin@PA-7050> request session discard [timeout <seconds>] [reason <reason-string>] id <session-id>
The default timeout is 3600 seconds.

Step 2 Verify that sessions have been discarded.
admin@PA-7050> show session all filter state discard
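The following triage helper is an added example, not a PAN-OS tool, and covers both Identify Sessions That Use an Excessive Percentage of the Packet Buffer and Discard a Session Without a Commit. It parses captured output of show running resource-monitor ingress-backlogs (the sample below is constructed from the page's own example), flags sessions that hold a large share of the packet buffer while App-ID reports undecided or unknown, reads the layer7 processing value from a show session id capture to decide whether the session is offloaded, and prints the follow-up commands from this chapter: clear session id for a session that is not offloaded, request session discard for one that is. The 50% threshold, the reason string passed to request session discard, and the verification filters are assumptions for the example; nothing here talks to a firewall.

```python
import re
from dataclasses import dataclass

# Constructed sample: the page's example output for one slot/dataplane.
SAMPLE_BACKLOGS = """\
-- SLOT:s1, DP:dp1 --
USAGE - ATOMIC: 92% TOTAL: 93%
TOP SESSIONS:
SESS-ID PCT GRP-ID COUNT
6 92% 1 156
SESSION DETAILS
SESS-ID PROTO SZONE SRC SPORT DST DPORT IGR-IF EGR-IF APP
6 6 trust 192.168.2.35 55653 10.1.8.89 80 ethernet1/21 ethernet1/22 undecided
"""


@dataclass
class BacklogSession:
    slot: str
    dp: str
    sess_id: int
    pct: int          # share of the packet buffer, from the TOP SESSIONS block
    proto: int
    szone: str
    src: str
    sport: int
    dst: str
    dport: int
    app: str


def parse_ingress_backlogs(text):
    """Parse 'show running resource-monitor ingress-backlogs' output into sessions."""
    sessions, pct_by_id, section = [], {}, None
    slot = dp = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"-- SLOT:(\S+), DP:(\S+) --", line)
        if m:
            slot, dp = m.groups()              # new slot/DP block: reset per-block state
            pct_by_id, section = {}, None
        elif line.startswith("TOP SESSIONS"):
            section = "top"
        elif line.startswith("SESSION DETAILS"):
            section = "details"
        elif section == "top":
            m = re.match(r"(\d+)\s+(\d+)%\s+\d+\s+\d+$", line)   # SESS-ID PCT GRP-ID COUNT
            if m:
                pct_by_id[int(m.group(1))] = int(m.group(2))
        elif section == "details":
            f = line.split()
            if len(f) == 10 and f[0].isdigit():                   # skip the column header
                sid = int(f[0])
                sessions.append(BacklogSession(slot, dp, sid, pct_by_id.get(sid, 0), int(f[1]),
                                               f[2], f[3], int(f[4]), f[5], int(f[6]), f[9]))
    return sessions


def triage(sessions, pct_threshold=50):
    """Sessions the text calls suspicious: a large buffer share and an APP of
    undecided or unknown, i.e. App-ID could not identify the application."""
    return [s for s in sessions
            if s.pct >= pct_threshold and (s.app == "undecided" or s.app.startswith("unknown"))]


def is_offloaded(show_session_output):
    """Per the text, 'layer7 processing : completed' means the session is offloaded to hardware."""
    m = re.search(r"layer7 processing\s*:\s*(\w+)", show_session_output)
    return bool(m) and m.group(1) == "completed"


def remediation_commands(session, offloaded):
    """Operational commands from this chapter. An offloaded session must be
    discarded (no commit needed); otherwise clearing it is enough. The last
    command verifies the result."""
    cmds = [f"show session id {session.sess_id}"]
    if offloaded:
        cmds.append(f"request session discard reason packet-buffer-{session.pct}pct id {session.sess_id}")
        cmds.append("show session all filter state discard")
    else:
        cmds.append(f"clear session id {session.sess_id}")
        cmds.append(f"show session all filter source {session.src}")
    return cmds


if __name__ == "__main__":
    for s in triage(parse_ingress_backlogs(SAMPLE_BACKLOGS)):
        print(f"slot {s.slot} {s.dp}: session {s.sess_id} {s.pct}% proto {s.proto} "
              f"{s.src}:{s.sport} -> {s.dst}:{s.dport} app={s.app}")
        for cmd in remediation_commands(s, offloaded=False):
            print("   ", cmd)
```

In practice you would paste the output of the two show commands into the parser and into is_offloaded, then run the printed commands by hand; the order matters, because clearing an offloaded session does nothing useful, as Step 2 above explains.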

Virtual Systems
This topic describes virtual systems, their benefits, typical use cases, and how to configure them. It also provides links to other topics where virtual systems are documented as they function with other features.
- Virtual Systems Overview
- Communication Between Virtual Systems
- Shared Gateway
- Configure Virtual Systems
- Configure Inter-Virtual System Communication within the Firewall
- Configure a Shared Gateway
- Service Routes for Virtual Systems
- Customize Service Routes for a Virtual System
- DNS Resolution: Three Use Cases
- Virtual System Functionality with Other Features


Virtual Systems Overview

Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple firewalls, managed service providers and enterprises can use a single pair of firewalls (for high availability) and enable virtual systems on them. Each virtual system (vsys) is an independent, separately managed firewall with its traffic kept separate from the traffic of other virtual systems.
This topic includes the following:
- Virtual System Components and Segmentation
- Benefits of Virtual Systems
- Use Cases for Virtual Systems
- Platform Support and Licensing for Virtual Systems
- Administrative Roles for Virtual Systems
- Shared Objects for Virtual Systems

Virtual System Components and Segmentation

A virtual system is an object that creates an administrative boundary, as shown in the following figure.

A virtual system consists of a set of physical and logical interfaces and subinterfaces (including VLANs and virtual wires), virtual routers, and security zones. You choose the deployment mode(s) (any combination of virtual wire, Layer 2, or Layer 3) of each virtual system. By using virtual systems, you can segment any of the following:
- Administrative access
- The management of all policies (security, NAT, QoS, policy-based forwarding, decryption, application override, captive portal, and DoS protection)
- All objects (such as address objects, application groups and filters, dynamic block lists, security profiles, decryption profiles, custom objects, etc.)
- User-ID
- Certificate management

- Server profiles
- Logging, reporting, and visibility functions
Virtual systems affect the security functions of the firewall, but virtual systems alone do not affect networking functions such as static and dynamic routing. You can segment routing for each virtual system by creating one or more virtual routers for each virtual system, as in the following use cases:
- If you have virtual systems for departments of one organization, and the network traffic for all of the departments is within a common network, you can create a single virtual router for multiple virtual systems.
- If you want routing segmentation and each virtual system's traffic must be isolated from other virtual systems, you can create one or more virtual routers for each virtual system.

Benefits of Virtual Systems

Virtual systems provide the same basic functions as a physical firewall, along with additional benefits:
- Segmented administration: Different organizations (or customers or business units) can control (and monitor) a separate firewall instance, so that they have control over their own traffic without interfering with the traffic or policies of another firewall instance on the same physical firewall.
- Scalability: After the physical firewall is configured, adding or removing customers or business units can be done efficiently. An ISP, managed security service provider, or enterprise can provide different security services to each customer.
- Reduced capital and operational expenses: Virtual systems eliminate the need to have multiple physical firewalls at one location because virtual systems co-exist on one firewall. By not having to purchase multiple firewalls, an organization can save on the hardware expense, electric bills, and rack space, and can reduce maintenance and management expenses.

Use Cases for Virtual Systems

There are many ways to use virtual systems in a network. One common use case is for an ISP or a managed security service provider (MSSP) to deliver services to multiple customers with a single firewall. Customers can choose from a wide array of services that can be enabled or disabled easily. The firewall's role-based administration allows the ISP or MSSP to control each customer's access to functionality (such as logging and reporting) while hiding or offering read-only capabilities for other functions.
Another common use case is within a large enterprise that requires different firewall instances because of different technical or confidentiality requirements among multiple departments. Like the above case, different groups can have different levels of access while IT manages the firewall itself. Services can be tracked and/or billed back to departments, thereby making separate financial accountability possible within an organization.


Platform Support and Licensing for Virtual Systems

Virtual systems are supported on the PA-2000, PA-3000, PA-4000, PA-5000, and PA-7000 Series firewalls. Each firewall series supports a base number of virtual systems; the number varies by platform. A Virtual Systems license is required in the following cases:
- To support multiple virtual systems on PA-2000 or PA-3000 Series firewalls.
- To create more than the base number of virtual systems supported on a platform.
For license information, see Activate Licenses and Subscriptions. For the base and maximum number of virtual systems supported, see the Compare Firewalls tool.
Multiple virtual systems are not supported on the PA-200, PA-500 or VM-Series firewalls.

Administrative Roles for Virtual Systems

A superuser administrator can create virtual systems and add a Device Administrator, vsysadmin, or vsysreader. A Device Administrator can access all virtual systems, but cannot add administrators. The two types of virtual system administrative roles are:
- vsysadmin: Grants full access to a virtual system.
- vsysreader: Grants read-only access to a virtual system.
A virtual system administrator can view logs of only the virtual systems assigned to that administrator. Someone with superuser or Device Admin permission can view all of the logs or select a virtual system to view. Persons with vsysadmin permission can commit configurations for only the virtual systems assigned to them.

Shared Objects for Virtual Systems

If your administrator account extends to multiple virtual systems, you can choose to configure objects (such as an address object) and policies for a specific virtual system or as shared objects, which apply to all of the virtual systems on the firewall. If you try to create a shared object with the same name and type as an existing object in a virtual system, the virtual system object is used.


Communication Between Virtual Systems

There are two typical scenarios where communication between virtual systems (inter-vsys traffic) is desirable. In a multi-tenancy environment, communication between virtual systems can occur by having traffic leave the firewall, go through the Internet, and re-enter the firewall. In a single-organization environment, communication between virtual systems can remain within the firewall. This section discusses both scenarios.
- Inter-VSYS Traffic That Must Leave the Firewall
- Inter-VSYS Traffic That Remains Within the Firewall
- Inter-VSYS Communication Uses Two Sessions

Inter-VSYS Traffic That Must Leave the Firewall

An ISP that has multiple customers on a firewall (known as multi-tenancy) can use a virtual system for each customer, and thereby give each customer control over its virtual system configuration. The ISP grants vsysadmin permission to customers. Each customer's traffic and management are isolated from the others. Each virtual system must be configured with its own IP address and one or more virtual routers in order to manage traffic and its own connection to the Internet.
If the virtual systems need to communicate with each other, that traffic goes out the firewall to another Layer 3 routing device and back to the firewall, even though the virtual systems exist on the same physical firewall, as shown in the following figure.


Inter-VSYS Traffic That Remains Within the Firewall

Unlike the preceding multi-tenancy scenario, virtual systems on a firewall can be under the control of a single organization. The organization wants to both isolate traffic between virtual systems and allow communications between virtual systems. This common use case arises when the organization wants to provide departmental separation and still have the departments be able to communicate with each other or connect to the same network(s). In this scenario, the inter-vsys traffic remains within the firewall, as described in the following topics:
- External Zone
- External Zones and Security Policies For Traffic Within a Firewall

External Zone

The communication desired in the use case above is achieved by configuring security policies that point to or from an external zone. An external zone is a security object that is associated with a specific virtual system that it can reach; the zone is external to the virtual system. A virtual system can have only one external zone, regardless of how many security zones the virtual system has within it. External zones are required to allow traffic between zones in different virtual systems without the traffic leaving the firewall.
The virtual system administrator configures the security policies needed to allow traffic between two virtual systems. Unlike security zones, an external zone is not associated with an interface; it is associated with a virtual system. The security policy allows or denies traffic between the security (internal) zone and the external zone.
Because external zones do not have interfaces or IP addresses associated with them, some zone protection profiles are not supported on external zones.
Remember that each virtual system is a separate instance of a firewall, which means that each packet moving between virtual systems is inspected for security policy and App-ID evaluation.


External Zones and Security Policies For Traffic Within a Firewall

In the following example, an enterprise has two separate administrative groups: the department A and department B virtual systems. The following figure shows the external zone associated with each virtual system, and traffic flowing from one trust zone, out an external zone, into an external zone of another virtual system, and into its trust zone.

To create external zones, the firewall administrator must configure the virtual systems so that they are visible to each other. External zones do not have security policies between them because their virtual systems are visible to each other.
To communicate between virtual systems, the ingress and egress interfaces on the firewall are either assigned to a single virtual router or else they are connected using inter-virtual router static routes. The simpler of these two approaches is to assign all virtual systems that must communicate with each other to a single virtual router.
There might be a reason that the virtual systems need to have their own virtual router, for example, if the virtual systems use overlapping IP address ranges. Traffic can be routed between the virtual systems, but each virtual router must have static routes that point to the other virtual router(s) as the next hop.
Referring to the scenario in the figure above, we have an enterprise with two administrative groups: department A and department B. The department A group manages the local network and the DMZ resources. The department B group manages traffic in and out of the sales segment of the network. All traffic is on a local network, so a single virtual router is used. There are two external zones configured for communication between the two virtual systems. The department A virtual system has three zones used in security policies: deptA-DMZ, deptA-trust, and deptA-External. The department B virtual system also has three zones: deptB-DMZ, deptB-trust, and deptB-External. Both groups can control the traffic passing through their virtual systems.
In order to allow traffic from deptA-trust to deptB-trust, two security policies are required. In the following figure, the two vertical arrows indicate where the security policies (described below the figure) are controlling traffic.


- Security Policy 1: In the preceding figure, traffic is destined for the deptB-trust zone. Traffic leaves the deptA-trust zone and goes to the deptA-External zone. A security policy must allow traffic from the source zone (deptA-trust) to the destination zone (deptA-External). A virtual system allows any policy type to be used for this traffic, including NAT.
  No policy is needed between external zones because traffic sent to an external zone appears in, and has automatic access to, the other external zones that are visible to the original external zone.
- Security Policy 2: In the preceding figure, the traffic from deptB-External is still destined to the deptB-trust zone, and a security policy must be configured to allow it. The policy must allow traffic from the source zone (deptB-External) to the destination zone (deptB-trust).
The department B virtual system could be configured to block traffic from the department A virtual system, and vice versa. Like traffic from any other zone, traffic from external zones must be explicitly allowed by policy to reach other zones in a virtual system.

In addition to external zones being required for inter-virtual system traffic that does not leave the firewall, external zones are also required if you configure a Shared Gateway, in which case the traffic is intended to leave the firewall.

Inter-VSYS Communication Uses Two Sessions

It is helpful to understand that communication between two virtual systems uses two sessions, unlike the one session used for a single virtual system. Let's compare the scenarios.
- Scenario 1: Vsys1 has two zones: trust1 and untrust1. A host in the trust1 zone initiates traffic when it needs to communicate with a device in the untrust1 zone. The host sends traffic to the firewall, and the firewall creates a new session for source zone trust1 to destination zone untrust1. Only one session is needed for this traffic.
- Scenario 2: A host from vsys1 needs to access a server on vsys2. A host in the trust1 zone initiates traffic to the firewall, and the firewall creates the first session: source zone trust1 to destination zone untrust1. Traffic is routed to vsys2, either internally or externally. Then the firewall creates a second session: source zone untrust2 to destination zone trust2. Two sessions are needed for this inter-vsys traffic.
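The following Python model is an added example, not firewall code, and illustrates the two-session evaluation described in External Zones and Security Policies For Traffic Within a Firewall and in Inter-VSYS Communication Uses Two Sessions. Each virtual system carries its own rulebase with an implicit deny, exactly one external zone, and a visibility set. A flow inside one vsys is one session; a flow between two vsys is evaluated as session 1 (source zone to the source vsys's external zone), a hand-off between mutually visible external zones that involves no policy, and session 2 (the destination vsys's external zone to the destination zone). The deptA/deptB rule names, the application set on Policy 2 and the first-match semantics are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One Security policy rule inside a virtual system."""
    name: str
    from_zone: str
    to_zone: str
    action: str                      # "allow" or "deny"
    apps: frozenset = frozenset({"any"})

    def matches(self, src_zone, dst_zone, app):
        return (self.from_zone == src_zone and self.to_zone == dst_zone
                and ("any" in self.apps or app in self.apps))


@dataclass
class Vsys:
    name: str
    external_zone: str                             # exactly one external zone per vsys
    visible_to: set = field(default_factory=set)   # names of the vsys this one is visible to
    rules: list = field(default_factory=list)

    def evaluate(self, src_zone, dst_zone, app):
        """First matching rule wins; traffic that matches nothing hits the implicit deny."""
        for r in self.rules:
            if r.matches(src_zone, dst_zone, app):
                return r.action, r.name
        return "deny", "implicit-deny"


def flow(src_vsys, src_zone, dst_vsys, dst_zone, app):
    """Decisions the firewall makes for one flow, as (step, vsys, from, to, action, reason).
    Same vsys: one session (Scenario 1). Different vsys: session 1 into the source
    vsys's external zone, a policy-free hand-off between mutually visible external
    zones, then session 2 out of the destination vsys's external zone (Scenario 2)."""
    if src_vsys is dst_vsys:
        action, rule = src_vsys.evaluate(src_zone, dst_zone, app)
        return [("session1", src_vsys.name, src_zone, dst_zone, action, rule)]
    out = []
    action, rule = src_vsys.evaluate(src_zone, src_vsys.external_zone, app)
    out.append(("session1", src_vsys.name, src_zone, src_vsys.external_zone, action, rule))
    if action != "allow":
        return out                      # never reaches the other vsys
    visible = dst_vsys.name in src_vsys.visible_to and src_vsys.name in dst_vsys.visible_to
    out.append(("handoff", "both", src_vsys.external_zone, dst_vsys.external_zone,
                "allow" if visible else "drop",
                "no-policy-between-external-zones" if visible else "vsys-not-visible"))
    if not visible:
        return out
    # Session 2 is inspected again by the destination vsys: App-ID and its own rulebase.
    action, rule = dst_vsys.evaluate(dst_vsys.external_zone, dst_zone, app)
    out.append(("session2", dst_vsys.name, dst_vsys.external_zone, dst_zone, action, rule))
    return out


def build_example():
    """The department A / department B layout from the text (constructed rules)."""
    dept_a = Vsys("deptA", "deptA-External", visible_to={"deptB"}, rules=[
        Rule("Policy1-trust-to-external", "deptA-trust", "deptA-External", "allow"),
    ])
    dept_b = Vsys("deptB", "deptB-External", visible_to={"deptA"}, rules=[
        Rule("Policy2-external-to-trust", "deptB-External", "deptB-trust", "allow",
             frozenset({"web-browsing", "ssl"})),
    ])
    return dept_a, dept_b


if __name__ == "__main__":
    a, b = build_example()
    for step in flow(a, "deptA-trust", b, "deptB-trust", "ssl"):
        print(step)
    for step in flow(a, "deptA-trust", b, "deptB-trust", "ssh"):
        print(step)
```

The second run shows the point the text makes about department B: even though Policy 1 in deptA allows the traffic out and the external zones see each other, deptB's own rulebase (here limited to web-browsing and ssl) still decides what enters deptB-trust, and anything it does not allow falls to its implicit deny.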


Shared Gateway

This topic includes the following information about shared gateways:
- External Zones and Shared Gateway
- Networking Considerations for a Shared Gateway

External Zones and Shared Gateway

A shared gateway is an interface that multiple virtual systems share in order to communicate over the Internet. Each virtual system requires an External Zone, which acts as an intermediary, for configuring security policies that allow or deny traffic from the virtual system's internal zone to the shared gateway. The shared gateway uses a single virtual router to route traffic for all virtual systems. A shared gateway is used in cases when an interface does not need a full administrative boundary around it, or when multiple virtual systems must share a single Internet connection. This second case arises if an ISP provides an organization with only one IP address (interface), but multiple virtual systems need external communication.
Unlike the behavior between virtual systems, security policy and App-ID evaluations are not performed between a virtual system and a shared gateway. That is why using a shared gateway to access the Internet involves less overhead than creating another virtual system to do so.
In the following figure, three customers share a firewall, but there is only one interface accessible to the Internet. Creating another virtual system would add the overhead of App-ID and security policy evaluation for traffic being sent to the interface through the added virtual system. To avoid adding another virtual system, the solution is to configure a shared gateway, as shown in the following diagram.

The shared gateway has one globally routable IP address used to communicate with the outside world. Interfaces in the virtual systems have IP addresses too, but they can be private, non-routable IP addresses.
You will recall that an administrator must specify whether a virtual system is visible to other virtual systems. Unlike a virtual system, a shared gateway is always visible to all of the virtual systems on the firewall.


A shared gateway ID number appears as sg<ID> on the web interface. It is recommended that you name your shared gateway with a name that includes its ID number.

When you add objects such as zones or interfaces to a shared gateway, the shared gateway appears as an available virtual system in the vsys drop-down menu.

A shared gateway is a limited version of a virtual system; it supports NAT and policy-based forwarding (PBF), but does not support security, DoS, QoS, decryption, application override, or captive portal policies.

Networking Considerations for a Shared Gateway

Keep the following in mind while you are configuring a shared gateway.
- The virtual systems in a shared gateway scenario access the Internet through the shared gateway's physical interface, using a single IP address. If the IP addresses of the virtual systems are not globally routable, configure source NAT to translate those addresses to globally routable IP addresses.
- A virtual router routes the traffic for all of the virtual systems through the shared gateway.
- The default route for the virtual systems should point to the shared gateway.
- Security policies must be configured for each virtual system to allow the traffic between the internal zone and the external zone, which is visible to the shared gateway.
- A firewall administrator should control the virtual router, so that no member of a virtual system can affect the traffic of other virtual systems.
- Within a Palo Alto Networks firewall, a packet may hop from one virtual system to another virtual system or a shared gateway. A packet may not traverse more than two virtual systems or shared gateways. For example, a packet cannot go from one virtual system to a shared gateway to a second virtual system within the firewall.

To save configuration time and effort, consider the following advantages of a shared gateway:
- Rather than configure NAT for multiple virtual systems associated with a shared gateway, you can configure NAT for the shared gateway.
- Rather than configure policy-based forwarding (PBF) for multiple virtual systems associated with a shared gateway, you can configure PBF for the shared gateway.


Service Routes for Virtual Systems

The firewall uses the MGT interface (by default) to access external services, such as DNS servers, software updates, and software licenses. An alternative to using the MGT interface is to configure a data port (a regular interface) to access these services. The path from the interface to the service on a server is known as a service route. Service routes can be configured for the firewall or for individual virtual systems. Each service allows redirection of management services to the respective virtual system owner through one of the interfaces associated with that virtual system.

The ability to configure service routes per virtual system provides the flexibility to customize service routes for numerous tenants or departments on a single firewall. The service packets exit the firewall on a port that is assigned to a specific virtual system, and the server sends its response to the configured source interface and source IP address. Any virtual system that does not have a service route configured for a particular service inherits the interface and IP address that are set globally for that service.

- Use Cases for Service Routes for a Virtual System
- PA-7000 Series Firewall LPC Support for Per-Virtual System Paths to Logging Servers
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments

To configure service routes for a virtual system, see Customize Service Routes for a Virtual System.

Use Cases for Service Routes for a Virtual System

One use case for configuring service routes at the virtual system level is when a large customer (such as an ISP) needs to support multiple individual tenants on a single Palo Alto Networks firewall. The ISP has configured virtual systems on the firewall, and wants to have separate service routes for each virtual system, rather than service routes configured at the global level. Each tenant requires service route capabilities so that it can customize service route parameters for DNS, email, Kerberos, LDAP, NetFlow, RADIUS, SNMP trap, syslog, TACACS+, User-ID Agent, and VM Monitor.

Another use case is an IT organization that wants to provide full autonomy to groups that set up servers for services. Each group can have a virtual system and define its own service routes.

If Multi Virtual System Capability is enabled, any virtual system that does not have specific service routes configured inherits the global service and service route settings for the firewall.

An organization can have multiple virtual systems, but use a global service route for a service rather than different service routes for each virtual system. For example, the firewall can use a shared email server to originate email alerts to its virtual systems.

A firewall with multiple virtual systems must have interfaces and subinterfaces with non-overlapping IP addresses.

A per-virtual system service route for SNMP traps or for Kerberos is for IPv4 only.

You can select a virtual router for a service route in a virtual system; you cannot select the egress interface. After you select the virtual router and the firewall sends the packet from the virtual router, the firewall selects the egress interface based on the destination IP address. Therefore:


- If a virtual system has multiple virtual routers, packets to all of the servers for a service must egress out of only one virtual router.
- A packet with an interface source address may egress a different interface, but the return traffic would be on the interface that has the source IP address, creating asymmetric traffic.

PA-7000 Series Firewall LPC Support for Per-Virtual System Paths to Logging Servers

For Traffic, HIP Match, Threat, and WildFire log types, the PA-7000 Series firewall does not use service routes for SNMP Trap, syslog and email services. Instead, the PA-7000 Series firewall Log Processing Card (LPC) supports virtual system-specific paths from LPC subinterfaces to an on-premises switch to the respective service on a server. For System and Config logs, the PA-7000 Series firewall uses global service routes, and not the LPC.

In other Palo Alto Networks platforms, the dataplane sends logging service route traffic to the management plane, which sends the traffic to logging servers. In the PA-7000 Series firewall, each LPC has only one interface, and dataplanes for multiple virtual systems send logging server traffic (types mentioned above) to the PA-7000 Series firewall LPC. The LPC is configured with multiple subinterfaces, over which the platform sends the logging service traffic out to a customer's switch, which can be connected to multiple logging servers.

Each LPC subinterface can be configured with a subinterface name and a dotted subinterface number. The subinterface is assigned to a virtual system, which is configured for logging services. The other service routes on a PA-7000 Series firewall function similarly to service routes on other Palo Alto Networks platforms.

To configure the LPC for per-virtual system logging services, see Configure a PA-7000 Series Firewall for Logging Per Virtual System. For information about the LPC itself, see the PA-7000 Series Hardware Reference Guide.

DNS Proxy Object

Domain Name System (DNS) servers perform the service of resolving a domain name to an IP address, and vice versa. DNS proxy is a role in which the firewall is an intermediary between DNS clients and servers; it acts as a DNS server itself by resolving queries from its DNS proxy cache. If the domain name is not found in the DNS proxy cache, the firewall searches for a match to the domain name among the entries in the specific DNS proxy object (on the interface on which the DNS query arrived), and forwards the query to a DNS server based on the match results. If no match is found, the default DNS servers are used.

A DNS proxy object is where you configure the settings that determine how the firewall functions as a DNS proxy. You can assign a DNS proxy object to a single virtual system or it can be shared among all virtual systems.

If the DNS proxy object is for a virtual system, you can specify a DNS Server Profile, which specifies the primary and secondary DNS server addresses, along with other information. The DNS server profile simplifies configuration.

If the DNS proxy object is shared, you must specify at least the primary address of a DNS server.

When configuring tenants with DNS services, each tenant should have its own DNS proxy defined, which keeps the tenant's DNS service separate from other tenants' services: one tenant's proxy rules, static entries and cached answers are then never used to answer another tenant's queries.


In the proxy object, you specify the interfaces for which the firewall is acting as DNS proxy. The DNS proxy for the interface does not use the service route; responses to the DNS requests are always sent to the interface assigned to the virtual router where the DNS request arrived.

You can supply the DNS proxy with static FQDN-to-address mappings. You can create DNS proxy rules that control to which DNS server the specified domain name queries are directed. A DNS proxy has other options; to configure a DNS proxy, see Configure a DNS Proxy Object. A maximum of 256 DNS proxy objects can be configured on a firewall.

DNS Server Profile

To simplify configuration for a virtual system, a DNS server profile allows you to specify the virtual system that is being configured, an inheritance source or the primary and secondary IP addresses for DNS servers, and a source interface and source address (service route) that will be used in packets sent to the DNS server.

The source interface determines the virtual router, which has a route table. The destination IP address is looked up in the routing table of the virtual router where the source interface is assigned. It is possible that the egress interface found for the destination IP address differs from the source interface. The packet would egress out of the egress interface determined by the route table lookup, but the source IP address would be the address configured. The source address is used as the destination address in the reply from the DNS server, so the reply arrives on the interface that owns that address.

The virtual system report and virtual system server profile send their queries to the DNS server specified for the virtual system, if there is one. (The DNS server used is defined in Device > Virtual Systems > General > DNS Proxy.) If there is no DNS server specified for the virtual system, the DNS server specified for the firewall is queried.

A DNS server profile is for a virtual system only; it is not for a global Shared location. To configure a DNS server profile, see Configure a DNS Server Profile.

For more information on DNS server profiles, see DNS Resolution: Three Use Cases.

Multi-Tenant DNS Deployments

There are three use cases for multi-tenant DNS deployments:
- Global Management DNS Resolution: The firewall needs DNS resolution for its own purposes, for example, when the request is coming from the management plane to resolve an FQDN in a security policy. The firewall uses the service route to get to a DNS server because there is no incoming virtual router. The DNS server is configured in Device > Setup > Services > Global, and Servers are configured by entering a primary and secondary DNS server.
- Policy and Report FQDN Resolution for a Virtual System: For DNS queries that need to be resolved from a security policy or a report, you can specify a set of DNS servers specific to the virtual system (tenant) or you can default to the global DNS servers. If your use case requires a different set of DNS servers per virtual system, the DNS server is configured in Device > Virtual Systems > General > DNS Proxy. The DNS proxy object is configured in Network > DNS Proxy. The resolution is specific to the virtual system to which the DNS proxy is assigned. If you don't have specific DNS servers applicable to this virtual system and want to use the global DNS setting, the global DNS servers are used.
- Dataplane DNS Resolution for a Virtual System: This method is also known as a Network Request for DNS Resolution. The tenant's virtual system can be configured so that specified domain names are resolved on the tenant's DNS server in its network. This method supports split DNS, meaning that the


tenant can also use its own ISP DNS servers for the remaining DNS queries not resolved on its own server. DNS Proxy rules control the split DNS; the tenant's domain redirects DNS requests to its DNS servers, which are configured in a DNS server profile. The DNS server profile has primary and secondary DNS servers designated, and also DNS service routes for IPv4 and IPv6, which override the default DNS settings.

For more information on DNS deployments, see DNS Resolution: Three Use Cases.
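The two caveats above (a service route packet may egress an interface other than its source interface, and the reply always comes back to the configured source address) are easy to overlook until the asymmetric path shows up in a packet capture. The following is an added example, not PAN-OS code or configuration: it is a small Python model of the lookup the guide describes for a DNS server profile service route. The virtual router name, interface names, prefixes, addresses and the routing table are constructed sample data.

```python
"""Model of how a per-vsys service route chooses its egress interface.

Added example (not PAN-OS code). The configured source interface selects the
virtual router, the destination is looked up in that router's table, and the
packet may leave through a different interface while keeping the configured
source address, so the server's reply returns on the interface that owns
that address (asymmetric traffic). All names and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VirtualRouter:
    name: str
    # interface name -> list of connected prefixes (address/len); constructed data
    interfaces: dict
    # static routes as (prefix, next_hop, egress interface)
    static_routes: list = field(default_factory=list)

    def lookup(self, dst):
        """Longest-prefix match over connected and static routes.

        Returns (prefix, egress_interface, next_hop) or None. A connected
        route wins a tie against a static route of the same length.
        """
        best = None
        for ifname, prefixes in self.interfaces.items():
            for prefix in prefixes:
                net = ipaddress.ip_network(prefix, strict=False)
                if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                    best = (net, ifname, None)
        for prefix, next_hop, ifname in self.static_routes:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifname, next_hop)
        return best


@dataclass
class ServiceRoute:
    service: str
    source_interface: str
    source_address: str


def resolve_service_route(route, routers, server_ip):
    """Work out how a packet for `route.service` to `server_ip` leaves the firewall."""
    dst = ipaddress.ip_address(server_ip)
    vr = next((r for r in routers if route.source_interface in r.interfaces), None)
    if vr is None:
        raise ValueError(f"{route.source_interface} is not assigned to any virtual router")
    hit = vr.lookup(dst)
    if hit is None:
        raise ValueError(f"no route to {server_ip} in virtual router {vr.name}")
    _, egress, next_hop = hit
    return {
        "virtual_router": vr.name,
        "egress_interface": egress,
        "next_hop": next_hop,
        "source_address": route.source_address,  # unchanged even when egress differs
        # the reply is addressed to source_address, so it arrives on source_interface
        "asymmetric": egress != route.source_interface,
    }


# Constructed sample: a tenant vsys with a LAN subinterface and an uplink in one virtual router.
TENANT_VR = VirtualRouter(
    name="vr-tenant1",
    interfaces={
        "ethernet1/3.10": ["10.10.0.1/24"],  # tenant LAN; the DNS service route is sourced here
        "ethernet1/4": ["192.0.2.1/30"],     # uplink
    },
    static_routes=[("0.0.0.0/0", "192.0.2.2", "ethernet1/4")],
)
ROUTERS = [TENANT_VR]

# Sample values of the kind entered under Device > Setup > Services > Virtual Systems.
DNS_ROUTE = ServiceRoute(service="dns", source_interface="ethernet1/3.10", source_address="10.10.0.1")


if __name__ == "__main__":
    for server in ("10.10.0.53", "198.51.100.53"):
        print(server, resolve_service_route(DNS_ROUTE, ROUTERS, server))
```

A DNS server on the tenant LAN (10.10.0.53) is reached and answered on ethernet1/3.10, so the path is symmetric. A server on the Internet (198.51.100.53) leaves through the uplink via the default route but is answered to 10.10.0.1, which is on ethernet1/3.10; that is the asymmetric case the guide warns about, and it is the reason to source a service route from the interface that the route lookup will actually use, or to keep all servers for a service behind one virtual router.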


Configure Virtual Systems

Creating a virtual system requires that you have the following:
- A superuser administrative role.
- An interface configured.
- A Virtual Systems license if you are configuring a PA-2000 or PA-3000 Series firewall, or if you are creating more than the base number of virtual systems supported on the platform. See Platform Support and Licensing for Virtual Systems.

Configure a Virtual System

Step 1. Enable virtual systems.
  1. Select Device > Setup > Management and edit the General Settings.
  2. Select the Multi Virtual System Capability check box and click OK. This action triggers a commit if you approve it.
  Only after enabling virtual systems will the Device tab display the Virtual Systems and Shared Gateways options.

Step 2. Create a virtual system.
  1. Select Device > Virtual Systems, click Add and enter a virtual system ID, which is appended to "vsys" (range is 1-255).
  The default ID is 1, which makes the default virtual system vsys1. This default appears even on platforms that do not support multiple virtual systems.
  2. Check the Allow forwarding of decrypted content check box if you want to allow the firewall to forward decrypted content to an outside service. For example, you must enable this option for the firewall to be able to send decrypted content to WildFire for analysis.
  3. Enter a descriptive Name for the virtual system. A maximum of 31 alphanumeric, space, and underscore characters is allowed.


Configure a Virtual System (Continued)

Step 3. Assign interfaces to the virtual system.
  The virtual routers, virtual wires, or VLANs can either be configured already or you can configure them later, at which point you specify the virtual system associated with each. The procedure to configure a virtual router, for example, is in Step 6 below.
  1. On the General tab, select a DNS Proxy object if you want to apply DNS proxy rules to the interface.
  2. In the Interfaces field, click Add to enter the interfaces or subinterfaces to assign to the virtual system. An interface can belong to only one virtual system.
  3. Do any of the following, based on the deployment type(s) you need in the virtual system:
     - In the VLANs field, click Add to enter the VLAN(s) to assign to the vsys.
     - In the Virtual Wires field, click Add to enter the virtual wire(s) to assign to the vsys.
     - In the Virtual Routers field, click Add to enter the virtual router(s) to assign to the vsys.
  4. In the Visible Virtual System field, check all virtual systems that should be made visible to the virtual system being configured. This is required for virtual systems that need to communicate with each other. In a multi-tenancy scenario where strict administrative boundaries are required, no virtual systems would be checked.
  5. Click OK.

Step 4. (Optional) Limit the resource allocations for sessions, rules, and VPN tunnels allowed for the virtual system.
  The flexibility of being able to allocate limits per virtual system allows you to effectively control firewall resources. In a multi-tenant deployment, a Sessions Limit also keeps one tenant from consuming the session table at the expense of the others.
  1. On the Resource tab, optionally set limits for a virtual system. There are no default values.
     - Sessions Limit: range is 1-262144.
     - Security Rules: range is 0-2500.
     - NAT Rules: range is 0-3000.
     - Decryption Rules: range is 0-250.
     - QoS Rules: range is 0-1000.
     - Application Override Rules: range is 0-250.
     - Policy Based Forwarding Rules: range is 0-500.
     - Captive Portal Rules: range is 0-1000.
     - DoS Protection Rules: range is 0-1000.
     - Site to Site VPN Tunnels: range is 0-1024.
     - Concurrent SSL VPN Tunnels: range is 0-1024.
  2. Click OK.

Step 5. Save the configuration.
  Click Commit and OK. The virtual system is now an object accessible from the Objects tab.

Step 6. Create at least one virtual router for the virtual system in order to make the virtual system capable of networking functions, such as static and dynamic routing.
  Alternatively, your virtual system might use a VLAN or a virtual wire, depending on your deployment.
  1. Select Network > Virtual Routers and Add a virtual router by Name.
  2. For Interfaces, click Add and from the drop-down, select the interfaces that belong to the virtual router.
  3. Click OK.

Step 7. Configure a security zone for each interface in the virtual system.
  For at least one interface, create a Layer 3 security zone. See Configure Interfaces and Zones.


Configure a Virtual System (Continued)

Step 8. Configure the security policies allowing or denying traffic to and from the zones in the virtual system.
  See Set Up Basic Security Policies.

Step 9. Save the configuration.
  Click Commit and OK.
  After creating a virtual system, you can use the CLI to commit a configuration for only a specific virtual system:
  commit partial vsys vsys<id>

Step 10. (Optional) View the security policies configured for a virtual system.
  Open an SSH session to use the CLI. To view the security policies for a virtual system, in operational mode, use the following commands:
  set system setting target-vsys <vsys-id>
  show running security-policy


Configure Inter-Virtual System Communication within the Firewall

Perform this task if you have a use case, perhaps within a single enterprise, where you want the virtual systems to be able to communicate with each other within the firewall. Such a scenario is described in Inter-VSYS Traffic That Remains Within the Firewall. This task presumes:
- You completed the task, Configure Virtual Systems.
- When configuring the virtual systems, in the Visible Virtual System field, you checked the boxes of all virtual systems that must communicate with each other to be visible to each other.

Configure Inter-Virtual System Communication within the Firewall

Step 1. Configure an external zone for each virtual system.
  1. Select Network > Zones and Add a new zone by Name.
  2. For Location, select the virtual system for which you are creating an external zone.
  3. For Type, select External.
  4. For Virtual Systems, click Add and enter the virtual system that the external zone can reach.
  5. Zone Protection Profile: Optionally select a zone protection profile (or configure one later) that provides flood, reconnaissance, or packet-based attack protection.
  6. Log Setting: Optionally select a log forwarding profile for forwarding zone protection logs to an external system.
  7. Optionally select the Enable User Identification check box to enable User-ID for the external zone.
  8. Click OK.

Step 2. Configure the security policies allowing or denying traffic from the internal zones to the external zone of the virtual system, and vice versa.
  See Set Up Basic Security Policies.
  See Inter-VSYS Traffic That Remains Within the Firewall.

Step 3. Save the configuration.
  Click Commit.
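The procedure above, together with the Inter-VSYS Communication Uses Two Sessions discussion earlier in this chapter, amounts to a set of checks that are easy to get half right: both virtual systems must be visible to each other, each must have an external zone that reaches the other, and the flow is two sessions, each subject to its own virtual system's security policy. The following is an added example, not PAN-OS code: a Python model of those checks, with constructed virtual systems, zones and rules, that also encodes the hop limit (a packet may not traverse more than two virtual systems or shared gateways).

```python
"""Model of how inter-vsys traffic inside one firewall is evaluated.

Added example (not PAN-OS code). A flow between two virtual systems is two
sessions, one per vsys, so it has to be allowed by the policy of both; the
destination vsys must be visible from the source vsys and reached through an
External zone; and a packet may cross at most two vsys/shared gateways.
All names, zones and rules below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    action: str  # "allow" or "deny"


@dataclass
class Vsys:
    name: str
    zones: dict                                          # zone name -> "layer3" | "external"
    visible: set = field(default_factory=set)            # Visible Virtual System setting
    external_reach: dict = field(default_factory=dict)   # external zone -> set of vsys it reaches
    rules: list = field(default_factory=list)

    def evaluate(self, from_zone, to_zone):
        """First-match security policy lookup; interzone traffic is denied by default."""
        for r in self.rules:
            if r.from_zone in (from_zone, "any") and r.to_zone in (to_zone, "any"):
                return r.name, r.action
        return "implicit-deny", "deny"


def evaluate_inter_vsys_flow(src, src_zone, dst, dst_zone):
    """Return both session decisions for a flow that stays inside the firewall.

    Session 1 is evaluated in `src` (src_zone -> src's external zone reaching dst);
    session 2 is evaluated in `dst` (dst's external zone reaching src -> dst_zone).
    """
    if dst.name not in src.visible:
        raise ValueError(f"{dst.name} is not visible from {src.name}")
    ext_out = next((z for z, reach in src.external_reach.items() if dst.name in reach), None)
    ext_in = next((z for z, reach in dst.external_reach.items() if src.name in reach), None)
    if ext_out is None or ext_in is None:
        raise ValueError("each virtual system needs an External zone that reaches the other")
    if src.zones.get(ext_out) != "external" or dst.zones.get(ext_in) != "external":
        raise ValueError("zones used between virtual systems must be of type External")
    s1 = src.evaluate(src_zone, ext_out)
    s2 = dst.evaluate(ext_in, dst_zone)
    return {
        "session1": (src.name, src_zone, ext_out, *s1),
        "session2": (dst.name, ext_in, dst_zone, *s2),
        "allowed": s1[1] == "allow" and s2[1] == "allow",  # both policies must allow
    }


def path_is_supported(hops):
    """A packet may traverse at most two virtual systems or shared gateways."""
    return 1 <= len(hops) <= 2


# Constructed sample: two mutually visible virtual systems, each with an External zone.
VSYS1 = Vsys(
    name="vsys1",
    zones={"trust1": "layer3", "ext1": "external"},
    visible={"vsys2"},
    external_reach={"ext1": {"vsys2"}},
    rules=[Rule("to-vsys2", "trust1", "ext1", "allow")],
)
VSYS2 = Vsys(
    name="vsys2",
    zones={"trust2": "layer3", "ext2": "external"},
    visible={"vsys1"},
    external_reach={"ext2": {"vsys1"}},
    rules=[Rule("from-vsys1", "ext2", "trust2", "allow")],
)


if __name__ == "__main__":
    print(evaluate_inter_vsys_flow(VSYS1, "trust1", VSYS2, "trust2"))
    print(evaluate_inter_vsys_flow(VSYS2, "trust2", VSYS1, "trust1"))
```

In the sample, trust1 to trust2 is allowed because both vsys1 (trust1 to ext1) and vsys2 (ext2 to trust2) have an allow rule, while the reverse direction hits the implicit deny in both; adding an allow rule in only one of the two virtual systems would still leave the flow blocked.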


Configure a Shared Gateway

Perform this task if you need multiple virtual systems to share an interface (a Shared Gateway) to the Internet. This task presumes:
- You configured an interface with a globally routable IP address, which will be the shared gateway.
- You completed the prior task, Configure Virtual Systems. For the interface, you chose the external-facing interface with the globally routable IP address.
- When configuring the virtual systems, in the Visible Virtual System field, you checked the boxes of all virtual systems that must communicate to be visible to each other.

Configure a Shared Gateway

Step 1. Configure a Shared Gateway.
  1. Select Device > Shared Gateway, click Add and enter an ID.
  2. Enter a helpful Name, preferably including the ID of the gateway.
  3. In the DNS Proxy field, select a DNS proxy object if you want to apply DNS proxy rules to the interface.
  4. Add an Interface that connects to the outside world.
  5. Click OK.

Step 2. Configure the zone for the shared gateway.
  When adding objects such as zones or interfaces to a shared gateway, the shared gateway itself will be listed as an available vsys in the VSYS drop-down menu.
  1. Select Network > Zones and Add a new zone by Name.
  2. For Location, select the shared gateway for which you are creating a zone.
  3. For Type, select Layer3.
  4. Zone Protection Profile: Optionally select a zone protection profile (or configure one later) that provides flood, reconnaissance, or packet-based attack protection.
  5. Log Setting: Optionally select a log forwarding profile for forwarding zone protection logs to an external system.
  6. Optionally select the Enable User Identification check box to enable User-ID for the shared gateway.
  7. Click OK.

Step 3. Save the configuration.
  Click Commit.


Customize Service Routes for a Virtual System

- Customize Service Routes to Services for Virtual Systems
- Configure a PA-7000 Series Firewall for Logging Per Virtual System
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Configure Administrative Access Per Virtual System or Firewall

Customize Service Routes to Services for Virtual Systems

Prior to performing this task, in order to see the Global and Virtual Systems tabs, you must enable Multi Virtual System Capability.

If Multi Virtual System Capability is enabled, any virtual system that does not have specific service routes configured inherits the global service and service route settings for the firewall.

The firewall supports syslog forwarding on a virtual system basis. When multiple virtual systems on a firewall are connecting to a syslog server using SSL transport, the firewall can generate only one certificate for secure communication. The firewall does not support each virtual system having its own certificate.

In the following use case, you are configuring individual service routes for a firewall with multiple virtual systems.


Customize Service Routes to Services Per Virtual System

Step 1. Customize service routes for a virtual system.
  1. Select Device > Setup > Services > Virtual Systems, and select the virtual system you want to configure.
  2. Click the Service Route Configuration link.
  3. Select one of the radio buttons:
     - Inherit Global Service Route Configuration: Causes the virtual system to inherit the global service route settings relevant to a virtual system. If you choose this option, skip down to step 7.
     - Customize: Allows you to specify a source interface and source address for each service.
  4. If you chose Customize, select the IPv4 or IPv6 tab, depending on what type of addressing the server offering the service uses. You can specify both IPv4 and IPv6 addresses for a service. Click the check box(es) for the services for which you want to specify the same source information. (Only services that are relevant to a virtual system are available.) Click Set Selected Service Routes.
     - For Source Interface, select Any, Inherit Global Setting, or an interface from the drop-down to specify the source interface that will be used in packets sent to the external service(s). Hence, the server's response will be sent to that source interface. In our example deployment, you would set the source interface to be the subinterface of the tenant.
     - Source Address will indicate Inherited if you selected Inherit Global Setting for the Source Interface, or it will indicate the source address of the Source Interface you selected. If you selected Any for Source Interface, select an IP address from the drop-down, or enter an IP address (using the IPv4 or IPv6 format that matches the tab you chose) to specify the source address that will be used in packets sent to the external service.
     If you modify an address object and the IP family type (IPv4/IPv6) changes, a Commit is required to update the service route family to use.
  5. Click OK.
  6. Repeat steps 4 and 5 to configure source addresses for other external services.
  7. Click OK.

Step 2. Save the configuration.
  Click Commit and OK.

If you are configuring per-virtual system service routes for logging services for a PA-7000 Series firewall, continue to the task Configure a PA-7000 Series Firewall for Logging Per Virtual System.


Configure a PA-7000 Series Firewall for Logging Per Virtual System

You must have enabled Multi Virtual System Capability (Device > Setup > Management) in order to access the LPC subinterface configuration.

Perform this task on your PA-7000 Series firewall to configure logging for different virtual systems. For more information, see PA-7000 Series Firewall LPC Support for Per-Virtual System Paths to Logging Servers.

Configure a PA-7000 Series Firewall Subinterface for Service Routes per Virtual System

Step 1. Create a Log Card interface.
  1. Select Network > Interfaces > Ethernet and select the interface that will be the Log Card interface.
  2. Enter the Interface Name.
  3. For Interface Type, select Log Card from the drop-down.
  4. Click OK.

Step 2. Add a subinterface for each tenant on the LPC's physical interface.
  1. Highlight the Ethernet interface that is a Log Card interface type and click Add Subinterface.
  2. For Interface Name, after the period, enter the subinterface number assigned to the tenant's virtual system.
  3. For Tag, enter a VLAN tag value. Make the tag the same as the subinterface number for ease of use, but it could be a different number.
  4. (Optional) Enter a Comment.
  5. On the Config tab, in the Assign Interface to Virtual System field, select the virtual system to which the LPC subinterface is assigned (from the drop-down). Alternatively, you can click Virtual Systems to add a new virtual system.
  6. Click OK.

Step 3. Enter the addresses assigned to the subinterface, and configure the default gateway.
  1. Select the Log Card Forwarding tab, and do one or both of the following:
     - For the IPv4 section, enter the IP Address and Netmask assigned to the subinterface. Enter the Default Gateway (the next hop where packets will be sent that have no known next hop address in the Routing Information Base [RIB]).
     - For the IPv6 section, enter the IPv6 Address assigned to the subinterface. Enter the IPv6 Default Gateway.
  2. Click OK.

Step 4. Save the configuration.
  Click OK and Commit.

Step 5. If you haven't already done so, configure the remaining service routes for the virtual system.
  See Customize Service Routes for a Virtual System.


Configure a DNS Proxy Object

If your firewall is to act as a DNS proxy for a virtual system, perform this task to configure a DNS Proxy Object. The proxy object can either be shared among all virtual systems or applied to a specific virtual system.

Configure a DNS Proxy Object

Step 1. Configure the basic settings for a DNS Proxy object.
  1. Select Network > DNS Proxy and Add a new object.
  2. Verify that Enable is selected.
  3. Enter a Name for the object.
  4. For Location, select the virtual system to which the object applies. If you select Shared, you must specify at least a Primary DNS server address, and optionally a Secondary address.
  5. If you selected a virtual system, for Server Profile, select a DNS Server profile, or else click DNS Server Profile to configure a new profile; see Configure a DNS Server Profile.
  6. For Interface, click Add and specify the interfaces to which the DNS Proxy object applies.
     - If you use the DNS Proxy object for performing DNS lookups, an interface is required. The firewall will listen for DNS requests on this interface, and then proxy them.
     - If you use the DNS Proxy object for a service route, the interface is optional.

Step 2. (Optional) Specify DNS Proxy rules.
  1. On the DNS Proxy Rules tab, click Add and enter a Name for the rule.
  2. Select Turn on caching of domains resolved by this mapping if you want the firewall to cache the resolved domains.
  3. For Domain Name, click Add and enter one or more domains, one entry per row. Each domain name can contain * as a wildcard. The number of tokens in a wildcard string must match the number of tokens in the requested domain. For example, *.engineering.local will not match engineering.local. Both entries must be specified if you want both.
  4. Depending on the Location you chose in item 4 of Step 1:
     - If you chose a virtual system, select a DNS Server profile here.
     - If you chose Shared, enter a Primary address here.
  5. Click OK.

Step 3. (Optional) Supply the DNS Proxy with static FQDN-to-address entries.
  Static DNS entries allow the firewall to resolve the FQDN to an IP address without going out to the DNS server.
  1. On the Static Entries tab, click Add and enter a Name.
  2. Enter the Fully Qualified Domain Name (FQDN).
  3. For Address, click Add and enter the IP address to which the FQDN should be mapped.
  4. Repeat steps 1-3 to provide additional static entries.
  5. Click OK.


Configure a DNS Proxy Object (Continued)

Step 4. (Optional) Enable caching and configure other advanced settings for the DNS Proxy.
  1. On the Advanced tab, click Cache to enable the firewall to cache FQDN-to-address mappings that the firewall learns.
     - Size: Enter the maximum number of entries the firewall can cache (range is 1024-10240; default is 1024).
     - Timeout: Enter the number of hours after which all cached entries are removed (range is 4-24; default is 4). A record's DNS time-to-live (TTL) value removes its cache entry earlier when the TTL expires before the configured timeout. After a timeout, new DNS requests must be resolved and cached again.
  2. Select TCP Queries to enable DNS queries using TCP.
     - Max Pending Requests: Enter the maximum number of concurrent, pending TCP DNS requests that the firewall will support (range is 64-256; default is 64).
  3. For UDP Queries Retries, enter the following:
     - Interval: Enter the length of time (in seconds) after which another request is sent if no response has been received (range is 1-30; default is 2).
     - Attempts: Enter the maximum number of UDP query attempts (excluding the first attempt) after which the next DNS server is queried (range is 1-30; default is 5).

Step 5. Save the configuration.
  Click OK and Commit.
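The DNS Proxy Object topic earlier in this chapter gives the order in which a query is answered (proxy cache, then the proxy object's entries, then the default servers), and the procedure above adds the details that matter when a tenant's split DNS misbehaves: the token-wise wildcard match in proxy rules, per-rule caching, and cache entries that expire on the record TTL or the configured timeout, whichever is first. The following is an added example, not PAN-OS code: a Python model of that lookup order, with a constructed proxy configuration for one tenant and a stand-in for the forwarded query.

```python
"""Model of the DNS proxy lookup order described in this chapter.

Added example (not PAN-OS code). Order: proxy cache, static entries, the
first matching DNS proxy rule (token-wise wildcard match, so
'*.engineering.local' does not match 'engineering.local'), then the default
primary/secondary servers. A cached answer expires at min(record TTL,
configured timeout). Domains, addresses and servers are constructed;
`upstream` stands in for the forwarded query.
"""
import time


def domain_matches(pattern, name):
    """'*' stands for exactly one label and the label counts must be equal."""
    pat = pattern.lower().rstrip(".").split(".")
    labels = name.lower().rstrip(".").split(".")
    if len(pat) != len(labels):
        return False
    return all(p == "*" or p == lab for p, lab in zip(pat, labels))


class DnsProxy:
    def __init__(self, default_servers, rules, static_entries,
                 cache_enabled=True, cache_size=1024, cache_timeout_hours=4):
        self.default_servers = list(default_servers)
        # rules: (rule name, [domain patterns], [servers], cache resolved domains?)
        self.rules = list(rules)
        self.static = {k.lower(): v for k, v in static_entries.items()}
        self.cache_enabled = cache_enabled
        self.cache_size = cache_size
        self.timeout = cache_timeout_hours * 3600
        self.cache = {}  # name -> (address, expiry time)

    def select_servers(self, name):
        """First matching proxy rule wins; otherwise the default servers are used."""
        for rule_name, patterns, servers, cache_it in self.rules:
            if any(domain_matches(p, name) for p in patterns):
                return rule_name, servers, cache_it
        return "default", self.default_servers, True

    def _cache_get(self, name, now):
        entry = self.cache.get(name)
        if entry and entry[1] > now:
            return entry[0]
        self.cache.pop(name, None)  # expired by TTL or by the cache timeout
        return None

    def _cache_put(self, name, address, ttl, now):
        if len(self.cache) >= self.cache_size:  # evict the entry closest to expiry
            del self.cache[min(self.cache, key=lambda k: self.cache[k][1])]
        self.cache[name] = (address, now + min(ttl, self.timeout))

    def resolve(self, name, upstream, now=None):
        """Return (address, source); source names the stage that answered."""
        now = time.time() if now is None else now
        name = name.lower().rstrip(".")
        cached = self._cache_get(name, now)
        if cached is not None:
            return cached, "cache"
        if name in self.static:
            return self.static[name], "static"
        rule_name, servers, cache_it = self.select_servers(name)
        address, ttl = upstream(servers, name)  # forward to the chosen servers
        if self.cache_enabled and cache_it:
            self._cache_put(name, address, ttl, now)
        return address, rule_name


# Constructed sample configuration for one tenant's DNS proxy object.
PROXY = DnsProxy(
    default_servers=["198.51.100.53"],  # the tenant's ISP resolver (sample)
    rules=[
        ("tenant-internal", ["engineering.local", "*.engineering.local"], ["10.10.0.53"], True),
        ("lab-no-cache", ["*.lab.example"], ["10.10.0.54"], False),
    ],
    static_entries={"portal.engineering.local": "10.10.5.10"},
)


def fake_upstream(servers, name):
    """Constructed stand-in for the forwarded query: records the servers chosen
    and returns a made-up answer with a 60-second TTL."""
    fake_upstream.calls.append((tuple(servers), name))
    return f"192.0.2.{len(fake_upstream.calls)}", 60


fake_upstream.calls = []


if __name__ == "__main__":
    for q in ("portal.engineering.local", "www.engineering.local", "engineering.local", "box.lab.example", "www.example.com"):
        print(q, PROXY.resolve(q, fake_upstream, now=0))
```

Note that both engineering.local and *.engineering.local are listed in the rule, as the procedure requires; with only the wildcard, a query for the bare domain would fall through to the ISP resolver, leaking an internal name to the default servers.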


Configure a DNS Server Profile

Perform this task to configure a DNS Server Profile, which simplifies configuration of a virtual system. The Primary DNS or Secondary DNS address is used to create the DNS request that the virtual system sends to the DNS server.

Configure a DNS Server Profile

Step 1. Name the DNS server profile, select the virtual system to which it applies, and specify the primary and secondary DNS server addresses.
  1. Select Device > Server Profiles > DNS and click Add.
  2. Enter a Name for the DNS server profile.
  3. For Location, select the virtual system to which the profile applies.
  4. For Inheritance Source, from the drop-down, select None if the DNS server addresses are not inherited. Otherwise, specify the DNS server from which the profile should inherit settings. If you choose a DNS server, click Check inheritance source status to see that information.
  5. Specify the IP address of the Primary DNS server, or leave as inherited if you chose an Inheritance Source.
     Keep in mind that if you specify an FQDN instead of an IP address, the DNS for that FQDN is resolved in Device > Virtual Systems > DNS Proxy.
  6. Specify the IP address of the Secondary DNS server, or leave as inherited if you chose an Inheritance Source.

Step 2. Configure the service route that the firewall automatically uses, based on whether the target DNS Server has an IP address family type of IPv4 or IPv6.
  1. Click Service Route IPv4 to enable the subsequent interface and IPv4 address to be used as the service route, if the target DNS address is an IPv4 address.
  2. Specify the Source Interface to select the source IP address that the service route will use for the DNS server. The firewall determines which virtual router is assigned that interface, and then does a route lookup in the virtual router routing table to reach the destination network (based on the Primary DNS address).
  3. Specify the IPv4 Source Address from which packets going to the DNS server are sourced.
  4. Click Service Route IPv6 to enable the subsequent interface and IPv6 address to be used as the service route, if the target DNS address is an IPv6 address.
  5. Specify the Source Interface to select the source IP address that the service route will use for the DNS server. The firewall determines which virtual router is assigned that interface, and then does a route lookup in the virtual router routing table to reach the destination network (based on the Primary DNS address).
  6. Specify the IPv6 Source Address from which packets going to the DNS server are sourced.
  7. Click OK.

Step 3. Save the configuration.
  Click OK and Commit.


Configure Administrative Access Per Virtual System or Firewall

If you have a superuser administrative account, you now have the ability to create and configure more granular permissions for a vsys admin or device admin role.

Create an Admin Role Profile Per Virtual System or Firewall

Step 1. Create an Admin Role Profile that grants or disables permission for an Administrator to configure, or only read, various areas of the web interface.
  1. Select Device > Admin Roles and Add an Admin Role Profile.
  2. Enter a Name and optional Description of the profile.
  3. For Role, specify which level of control the profile affects:
     - Device: The profile allows the management of the global settings and any virtual systems.
     - Virtual System: The profile allows the management of only the virtual system(s) assigned to the administrator(s) who have this profile. (The administrator will be able to access Device > Setup > Services > Virtual Systems, but not the Global tab.)
  4. On the Web UI tab for the Admin Role Profile, scroll down to Device, and leave the green check mark (Enable). Under Device, enable Setup. Under Setup, enable only the areas to which this profile will grant configuration permission to the administrator, as listed below. (The Read Only lock icon appears in the Enable/Disable rotation if Read Only is allowed for that setting.)
     - Management: Allows an admin with this profile to configure settings on the Management tab.
     - Operations: Allows an admin with this profile to configure settings on the Operations tab.
     - Services: Allows an admin with this profile to configure settings on the Services tab. An admin must have Services enabled in order to access the Device > Setup > Services > Virtual Systems tab. If the Role was specified as Virtual System in the prior step, Services is the only setting that can be enabled under Device > Setup.
     - Content-ID: Allows an admin with this profile to configure settings on the Content-ID tab.
     - WildFire: Allows an admin with this profile to configure settings on the WildFire tab.
     - Session: Allows an admin with this profile to configure settings on the Session tab.
     - HSM: Allows an admin with this profile to configure settings on the HSM tab.
  5. Click OK.
  6. (Optional) Repeat the entire step to create another Admin Role profile with different permissions, as necessary.


Step 2  Apply the Admin Role profile to an administrator.
    1. Select Device > Administrators, click Add and enter the Name of the administrator to add.
    2. (Optional) Select an Authentication Profile.
    3. (Optional) Select Use only client certificate authentication (Web) for bidirectional authentication, so that the firewall (the server side) also authenticates the client by its certificate.
    4. Enter a Password and Confirm Password.
    5. (Optional) Select Use Public Key Authentication (SSH) if you want to use a much stronger, key-based authentication method using an SSH public key rather than just a password.
    6. For Administrator Type, select Role Based.
    7. For Profile, select the profile that you just created.
    8. (Optional) Select a Password Profile.
    9. Click OK.

Step 3  Save the configuration.
    Click Commit and OK.


DNS Resolution: Three Use Cases

The firewall determines how to handle DNS requests based on where the request originated. This section illustrates three types of DNS resolution, which are listed in the following table. The binding location determines which DNS proxy object is used for the resolution. For illustration purposes, the use cases show how a service provider might configure DNS settings to provide DNS services for resolving DNS queries required on the firewall and for tenant (subscriber) virtual systems.

Resolution type: Firewall DNS resolution, performed by the management plane
    Location Shared:        Binding: Global. Illustrated in Use Case 1.
    Location Specific vsys: N/A

Resolution type: Security profile, reporting, and server profile resolution, performed by the management plane
    Location Shared:        Binding: Global. Same behavior as Use Case 1.
    Location Specific vsys: Binding: Specific vsys. Illustrated in Use Case 2.

Resolution type: DNS proxy resolution for DNS client hosts connected to an interface on the firewall, going through the firewall to a DNS server, performed by the dataplane
    Location Shared or Specific vsys: Binding: Interface. Service Route: the interface and IP address on which the DNS request was received. Illustrated in Use Case 3.

- Use Case 1: Firewall Requires DNS Resolution for Management Purposes
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server

Use Case 1: Firewall Requires DNS Resolution for Management Purposes

In this use case, the firewall is the client requesting DNS resolutions of FQDNs for management events such as software update services, dynamic software updates, or WildFire. The shared, global DNS services perform the DNS resolution for the management plane functions.

Configure DNS Services for the Firewall

Step 1  Configure the primary and secondary DNS servers you want the firewall to use for its management DNS resolutions.
    You must manually configure at least one DNS server on the firewall or it will not be able to resolve hostnames; it will not use DNS server settings from another source, such as an ISP.
    1. Select Device > Setup > Services > Global and Edit. (For firewalls that do not support multiple virtual systems, there is no Global tab; simply edit the Services.)
    2. On the Services tab, for DNS, click Servers and enter the Primary DNS Server address and Secondary DNS Server address.
    3. Click OK and Commit.

Step 2  Alternatively, you can configure a DNS Proxy Object if you want to configure advanced DNS functions such as split DNS, DNS proxy overrides, DNS proxy rules, static entries, or DNS inheritance.
    1. On the Services tab, for DNS, click DNS Proxy Object.
    2. From the DNS Proxy drop-down, select the DNS proxy that you want to use to configure global DNS services, or click DNS Proxy to configure a new DNS proxy object, as shown in the subsequent steps.
    3. To create a new proxy object, click Enable and enter a Name for the DNS proxy object.
    4. For Location, select Shared for global, firewall-wide DNS proxy services.
       Shared DNS proxy objects do not use DNS server profiles because they do not require a specific service route belonging to a tenant virtual system.
    5. For Primary, enter the primary DNS server IP address. Optionally enter a Secondary DNS server IP address. In the ISP example, the DNS proxy defines the primary and secondary DNS servers that are used to resolve the firewall management services.
    6. Click OK and Commit.


Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System

In this use case, multiple tenants (ISP subscribers) are defined on the firewall and each tenant is allocated a separate virtual system (vsys) and virtual router in order to segment its services and administrative domains. The following figure illustrates several virtual systems within a firewall.

Each tenant has its own server profiles for Security policy rules, reporting, and management services (such as email, Kerberos, SNMP, syslog, and more) defined in its own networks. For the DNS resolutions initiated by these services, each virtual system is configured with its own DNS Proxy object to allow each tenant to customize how DNS resolution is handled within its virtual system. Any service whose Location is that virtual system will use the DNS Proxy object configured for the virtual system to determine the primary (or secondary) DNS server to resolve FQDNs, as illustrated in the following figure.


Configure a DNS Proxy for a Virtual System

Step 1  For each virtual system, specify the DNS Proxy to use.
    1. Select Device > Virtual Systems and click Add.
    2. Enter the ID of the virtual system (range is 1-255) and an optional Name; in this example, Corp1 Corporation.
    3. On the General tab, choose a DNS Proxy or create a new one. In this example, Corp1 DNS Proxy is selected as the proxy for Corp1 Corporation's virtual system. (If you need to create a new DNS Proxy, Step 2 below shows how to create a DNS Proxy and a Server Profile.)
    4. For Interfaces, click Add. In this example, Ethernet1/20 is dedicated to this tenant.
    5. For Virtual Routers, click Add. A virtual router named Corp1 VR is assigned to the virtual system in order to separate routing functions.
    6. Click OK to save the configuration.

Step 2  Configure a DNS Proxy and a server profile to support DNS resolution for a virtual system.
    1. Select Network > DNS Proxy and click Add.
    2. Click Enable and enter a Name for the DNS Proxy.
    3. For Location, select the virtual system of the tenant; in this example, Corp1 Corporation (vsys6). (You could choose the Shared DNS Proxy resource instead.)
    4. For Server Profile, choose or create a profile to customize the DNS servers to use for DNS resolutions for this tenant's security policy, reporting, and server profile services. If the profile is not already configured, in the Server Profile field, click DNS Server Profile to Configure a DNS Server Profile. The DNS server profile identifies the IP addresses of the primary and secondary DNS server to use for management DNS resolutions for this virtual system.
    5. Also for this server profile, optionally configure a Service Route IPv4 and/or a Service Route IPv6 to instruct the firewall which Source Interface to use in its DNS requests. If that interface has more than one IP address, configure the Source Address also.
    6. Click OK to save the DNS Server Profile.
    7. Click OK and Commit to save the DNS Proxy.

Optional advanced features such as split DNS can be configured using DNS Proxy Rules. A separate DNS server profile can be used to redirect DNS resolutions matching the Domain Name in a DNS Proxy Rule to another set of DNS servers, if required. Use Case 3 illustrates split DNS.

If you use two separate DNS server profiles in the same DNS Proxy object, one for the DNS Proxy and one for the DNS proxy rule, the following behaviors occur:
- If a service route is defined in the DNS server profile used by the DNS Proxy, it takes precedence and is used.
- If a service route is defined in the DNS server profile used in the DNS proxy rules, it is not used. If that service route differs from the one defined in the DNS server profile used by the DNS Proxy, the following warning message is displayed during the Commit process:
  Warning: The DNS service route defined in the DNS proxy object is different from the DNS proxy rule's service route. Using the DNS proxy object's service route.
- If no service route is defined in any DNS server profile, the global service route is used if needed.

Use Case 3: Firewall Acts as DNS Proxy Between Client and Server

In this use case, the firewall is located between a DNS client and a DNS server. A DNS Proxy on the firewall is configured to act as the DNS server for the hosts that reside on the tenant's network connected to the firewall interface. In such a scenario, the firewall performs DNS resolution on its dataplane.

This scenario happens to use split DNS, a configuration where DNS Proxy Rules are configured to redirect DNS requests to a set of DNS servers based on a domain name match. If there is no match, the Server Profile determines the DNS servers to which the request is sent; hence the two, split DNS resolution methods.

For dataplane DNS resolutions, the source IP address from the DNS proxy in PAN-OS to the outside DNS server is the address of the proxy (the destination IP of the original request). Any service routes defined in the DNS Server Profile are not used. For example, if the request is from host 1.1.1.1 to the DNS proxy at 2.2.2.2, then the request to the DNS server (at 3.3.3.3) uses a source of 2.2.2.2 and a destination of 3.3.3.3.


Configure a DNS Proxy and DNS Proxy Rules

Step 1  Configure a DNS Proxy and DNS proxy rules.
    1. Select Network > DNS Proxy and click Add.
    2. Click Enable and enter a Name for the DNS Proxy.
    3. For Location, select the virtual system of the tenant; in this example, Corp1 Corporation (vsys6).
    4. For Interface, select the interface that will receive the DNS requests from the tenant's hosts; in this example, Ethernet1/20.
    5. Choose or create a Server Profile to customize the DNS servers that resolve DNS requests for this tenant.
    6. On the DNS Proxy Rules tab, click Add and enter a Name for the rule.
    7. Optionally select Turn on caching of domains resolved by this mapping.
    8. Click Add and enter one or more Domain Name(s), one entry per row.
       Each domain name can contain * as a wildcard. The wildcard stands for a single token (a dot-separated label), so the number of tokens in a wildcard string must equal the number of tokens in the requested domain for it to match. For example, *.engineering.local does not match engineering.local. Both domain names must be specified in order for both to be matched.
    9. For DNS Server profile, select a profile from the drop-down. The firewall compares the domain name in the DNS request to the domain name(s) defined in the DNS Proxy Rules. If there is a match, the DNS Server profile defined in the rule is used to determine the DNS server.
       In this example, if the domain in the request matches myweb.corp1.com, the DNS server defined in the myweb DNS Server Profile is used. If there is no match, the DNS server defined in the Server Profile (Corp1 DNS Server Profile) is used.
    10. Click OK to save the rule.
    11. Click OK to save the DNS Proxy.
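The two selection rules described in Use Case 2 (service-route precedence between the DNS Proxy's server profile and a rule's server profile) and Use Case 3 (split DNS: token-wise domain matching against DNS Proxy Rules with the Server Profile as fallback) are small enough to model directly. The following Python is an added example, not Palo Alto Networks code; the profile names, addresses and interfaces are constructed to mirror the Corp1 tenant in the text, and the service-route function applies only to management-plane resolutions, since dataplane proxying (Use Case 3) ignores service routes as the text notes.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DNSServerProfile:
    name: str
    primary: str
    secondary: Optional[str] = None
    service_route: Optional[str] = None  # source interface of the profile's service route, if any


@dataclass
class DNSProxyRule:
    name: str
    domains: List[str]  # Domain Name entries; "*" stands for exactly one token (label)
    server_profile: DNSServerProfile
    cache: bool = False  # "Turn on caching of domains resolved by this mapping"


@dataclass
class DNSProxy:
    name: str
    location: str  # "shared" or the tenant's vsys
    server_profile: DNSServerProfile  # Server Profile used when no rule matches
    rules: List[DNSProxyRule] = field(default_factory=list)


def _tokens(name):
    return name.rstrip(".").lower().split(".")


def domain_matches(pattern, query):
    """Token-wise match: * matches exactly one token, so token counts must be equal
    (*.engineering.local matches www.engineering.local but not engineering.local)."""
    p, q = _tokens(pattern), _tokens(query)
    if len(p) != len(q):
        return False
    return all(pt == "*" or pt == qt for pt, qt in zip(p, q))


def select_server_profile(proxy, query):
    """Return (profile, rule name): the first matching rule wins, else the proxy's Server Profile."""
    for rule in proxy.rules:
        if any(domain_matches(d, query) for d in rule.domains):
            return rule.server_profile, rule.name
    return proxy.server_profile, None


def effective_service_route(proxy, rule_profile, global_route):
    """Management-plane precedence from the text: the proxy profile's service route wins;
    a rule profile's service route is never used (with a commit-time warning when it
    differs); if no profile defines a route, the global service route applies."""
    proxy_route = proxy.server_profile.service_route
    if proxy_route is not None:
        warning = None
        if rule_profile.service_route not in (None, proxy_route):
            warning = ("DNS service route in the DNS proxy object differs from the "
                       "DNS proxy rule's service route; using the DNS proxy object's route")
        return proxy_route, warning
    return global_route, None


def resolve_request(proxy, query, global_route="management"):
    profile, rule_name = select_server_profile(proxy, query)
    route, warning = effective_service_route(proxy, profile, global_route)
    return {"rule": rule_name, "server": profile.primary, "service_route": route, "warning": warning}


# Constructed tenant configuration (assumed addresses and interfaces, modelled on Corp1 in the text).
MYWEB_PROFILE = DNSServerProfile("myweb", "10.6.0.53", service_route="ethernet1/21")
CORP1_PROFILE = DNSServerProfile("Corp1 DNS Server Profile", "10.6.0.10", "10.6.0.11",
                                 service_route="ethernet1/20")
CORP1_PROXY = DNSProxy("Corp1 DNS Proxy", "vsys6", CORP1_PROFILE, rules=[
    DNSProxyRule("myweb", ["myweb.corp1.com", "*.myweb.corp1.com"], MYWEB_PROFILE, cache=True),
])

if __name__ == "__main__":
    for q in ("myweb.corp1.com", "app.myweb.corp1.com", "a.b.myweb.corp1.com", "mail.corp1.com"):
        print(q, resolve_request(CORP1_PROXY, q))
```

Running it shows why the text tells you to list both the bare domain and the wildcard form: a.b.myweb.corp1.com has five tokens and matches neither entry, so it falls through to the Corp1 DNS Server Profile, and the rule profile's service route (ethernet1/21) is reported as unused with a warning whenever the rule does match.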


Virtual System Functionality with Other Features

Many of the firewall's features and functionality are capable of being configured, viewed, logged, or reported per virtual system. Therefore, virtual systems are mentioned in other relevant locations in the documentation and that information is not repeated here. Some of the specific chapters are the following:
- If you are configuring Active/Passive HA, the two firewalls must have the same virtual system capability (single or multiple virtual system capability). See High Availability.
- To configure QoS for virtual systems, see Configure QoS for a Virtual System.
- For information about configuring a firewall with virtual systems in a virtual wire deployment that uses subinterfaces (and VLAN tags), see Virtual Wire Subinterfaces in Interface Deployments.

Certifications

The following topics describe how to configure the firewall to support the Common Criteria and the Federal Information Processing Standard 140-2 (FIPS 140-2), which are security certifications that ensure a standard set of security assurances and functionalities. These certifications are often required by civilian U.S. government agencies and government contractors.
- Enable FIPS and Common Criteria Support
- FIPS-CC Security Functions


Enable FIPS and Common Criteria Support

Use the following procedure to enable FIPS-CC mode on a software version that supports Common Criteria and the Federal Information Processing Standards 140-2 (FIPS 140-2). When you enable FIPS-CC mode, all FIPS and CC functionality is included.

When you enable FIPS-CC mode, the firewall will reset to the factory default settings; all configuration will be removed. Export a copy of the configuration before you begin if you will need it afterward.

Enable FIPS-CC Mode

Step 1  Boot the firewall into maintenance mode as follows:
    1. Establish a serial connection to the console port on the firewall.
    2. Enter the following CLI command:
       debug system maintenance-mode
    3. Press Enter to continue.
    You can also reboot the firewall and enter maint at the maintenance mode prompt.

Step 2  Select Set FIPS-CC Mode from the menu.

Step 3  Select Enable FIPS-CC Mode from the menu.

Step 4  When prompted, select Reboot.
    After successfully switching to FIPS-CC mode, the following status displays: FIPS-CC mode enabled successfully. In addition, the following changes will take place:
    - FIPS-CC will display at all times in the status bar at the bottom of the web interface.
    - The console port functions as a status output port only.
    - The default admin login credentials change to admin/paloalto.


FIPS-CC Security Functions

When FIPS-CC mode is enabled, the following security functions are enforced:
- To log in to the firewall, the browser must be TLS 1.0 (or later) compatible. On a WF-500 appliance, you manage the appliance using the CLI only and you must connect using an SSHv2-compatible client application.
- All passwords on the firewall must be at least six characters.
- You must enforce a Failed Attempts and Lockout Time (min) value that is greater than 0 in authentication settings. If an administrator reaches the Failed Attempts threshold, the administrator is locked out for the duration defined in the Lockout Time (min) field.
- You must enforce an Idle Timeout value greater than 0 in authentication settings. If a login session is idle for more than the specified value, the account is automatically logged out.
- The firewall automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
- Unapproved FIPS/CC algorithms are not decrypted and are thus ignored during decryption.
- When configuring an IPSec VPN, the administrator must select a cipher suite option presented to them during the IPSec setup.
- Self-generated and imported certificates must contain public keys that are either RSA 2048 bits (or more) or ECDSA 256 bits (or more), and you must use a digest of SHA-256 or greater.
- The serial console port is only available as a status output port when FIPS-CC mode is enabled.
- Telnet, TFTP, and HTTP management connections are unavailable.
- High availability (HA) port encryption is required.
