Configuration Articles

Featured Article
Enabling SSO on Aperture requires information from your IDP. The following section provides details on how to add Aperture as an application on your IDP and then use information from your IDP to configure SSO on Aperture. Okta is used as the IDP in this example.
View full article
ptarra ‎04-23-2018 08:33 AM
7,152 Views
3 Replies
In PAN-OS 8.0 and later, the security policy rule creation window does not show a legend for each Region Code. We have created the following table for your reference.

Organized by Region Code

Code  Region
A1    Anonymous Proxy
A2    Satellite ISPs

ISO 3166-1 alpha-2 code  Country name
AD  ANDORRA
AE  UNITED ARAB EMIRATES
AF  AFGHANISTAN
AG  ANTIGUA AND BARBUDA
AI  ANGUILLA
AL  ALBANIA
AM  ARMENIA
AO  ANGOLA
AQ  ANTARCTICA
AR  ARGENTINA
AS  AMERICAN SAMOA
AT  AUSTRIA
AU  AUSTRALIA
AW  ARUBA
AX  ALAND ISLANDS
AZ  AZERBAIJAN
BA  BOSNIA AND HERZEGOVINA
BB  BARBADOS
BD  BANGLADESH
BE  BELGIUM
BF  BURKINA FASO
BG  BULGARIA
BH  BAHRAIN
BI  BURUNDI
BJ  BENIN
BL  SAINT BARTHELEMY
BM  BERMUDA
BN  BRUNEI DARUSSALAM
BO  BOLIVIA, PLURINATIONAL STATE OF
BQ  BONAIRE, SAINT EUSTATIUS AND SABA
BR  BRAZIL
BS  BAHAMAS
BT  BHUTAN
BV  BOUVET ISLAND
BW  BOTSWANA
BY  BELARUS
BZ  BELIZE
CA  CANADA
CC  COCOS (KEELING) ISLANDS
CD  CONGO, THE DEMOCRATIC REPUBLIC OF THE
CF  CENTRAL AFRICAN REPUBLIC
CG  CONGO
CH  SWITZERLAND
CI  COTE D'IVOIRE
CK  COOK ISLANDS
CL  CHILE
CM  CAMEROON
CN  CHINA
CO  COLOMBIA
CR  COSTA RICA
CU  CUBA
CV  CAPE VERDE
CW  CURACAO
CX  CHRISTMAS ISLAND
CY  CYPRUS
CZ  CZECH REPUBLIC
DE  GERMANY
DJ  DJIBOUTI
DK  DENMARK
DM  DOMINICA
DO  DOMINICAN REPUBLIC
DZ  ALGERIA
EC  ECUADOR
EE  ESTONIA
EG  EGYPT
EH  WESTERN SAHARA
ER  ERITREA
ES  SPAIN
ET  ETHIOPIA
FI  FINLAND
FJ  FIJI
FK  FALKLAND ISLANDS (MALVINAS)
FM  MICRONESIA, FEDERATED STATES OF
FO  FAROE ISLANDS
FR  FRANCE
GA  GABON
GB  UNITED KINGDOM
GD  GRENADA
GE  GEORGIA
GF  FRENCH GUIANA
GG  GUERNSEY
GH  GHANA
GI  GIBRALTAR
GL  GREENLAND
GM  GAMBIA
GN  GUINEA
GP  GUADELOUPE
GQ  EQUATORIAL GUINEA
GR  GREECE
GS  SOUTH GEORGIA AND THE SOUTH SANDWICH ISLANDS
GT  GUATEMALA
GU  GUAM
GW  GUINEA-BISSAU
GY  GUYANA
HK  HONG KONG
HM  HEARD ISLAND AND MCDONALD ISLANDS
HN  HONDURAS
HR  CROATIA
HT  HAITI
HU  HUNGARY
ID  INDONESIA
IE  IRELAND
IL  ISRAEL
IM  ISLE OF MAN
IN  INDIA
IO  BRITISH INDIAN OCEAN TERRITORY
IQ  IRAQ
IR  IRAN, ISLAMIC REPUBLIC OF
IS  ICELAND
IT  ITALY
JE  JERSEY
JM  JAMAICA
JO  JORDAN
JP  JAPAN
KE  KENYA
KG  KYRGYZSTAN
KH  CAMBODIA
KI  KIRIBATI
KM  COMOROS
KN  SAINT KITTS AND NEVIS
KP  KOREA, DEMOCRATIC PEOPLE'S REPUBLIC OF
KR  KOREA, REPUBLIC OF
KW  KUWAIT
KY  CAYMAN ISLANDS
KZ  KAZAKHSTAN
LA  LAO PEOPLE'S DEMOCRATIC REPUBLIC
LB  LEBANON
LC  SAINT LUCIA
LI  LIECHTENSTEIN
LK  SRI LANKA
LR  LIBERIA
LS  LESOTHO
LT  LITHUANIA
LU  LUXEMBOURG
LV  LATVIA
LY  LIBYAN ARAB JAMAHIRIYA
MA  MOROCCO
MC  MONACO
MD  MOLDOVA, REPUBLIC OF
ME  MONTENEGRO
MF  SAINT MARTIN (FRENCH PART)
MG  MADAGASCAR
MH  MARSHALL ISLANDS
MK  MACEDONIA, THE FORMER YUGOSLAV REPUBLIC OF
ML  MALI
MM  MYANMAR
MN  MONGOLIA
MO  MACAO
MP  NORTHERN MARIANA ISLANDS
MQ  MARTINIQUE
MR  MAURITANIA
MS  MONTSERRAT
MT  MALTA
MU  MAURITIUS
MV  MALDIVES
MW  MALAWI
MX  MEXICO
MY  MALAYSIA
MZ  MOZAMBIQUE
NA  NAMIBIA
NC  NEW CALEDONIA
NE  NIGER
NF  NORFOLK ISLAND
NG  NIGERIA
NI  NICARAGUA
NL  NETHERLANDS
NO  NORWAY
NP  NEPAL
NR  NAURU
NU  NIUE
NZ  NEW ZEALAND
OM  OMAN
PA  PANAMA
PE  PERU
PF  FRENCH POLYNESIA
PG  PAPUA NEW GUINEA
PH  PHILIPPINES
PK  PAKISTAN
PL  POLAND
PM  SAINT PIERRE AND MIQUELON
PN  PITCAIRN
PR  PUERTO RICO
PS  PALESTINIAN TERRITORY, OCCUPIED
PT  PORTUGAL
PW  PALAU
PY  PARAGUAY
QA  QATAR
RE  REUNION
RO  ROMANIA
RS  SERBIA
RU  RUSSIAN FEDERATION
RW  RWANDA
SA  SAUDI ARABIA
SB  SOLOMON ISLANDS
SC  SEYCHELLES
SD  SUDAN
SE  SWEDEN
SG  SINGAPORE
SH  SAINT HELENA, ASCENSION AND TRISTAN DA CUNHA
SI  SLOVENIA
SJ  SVALBARD AND JAN MAYEN
SK  SLOVAKIA
SL  SIERRA LEONE
SM  SAN MARINO
SN  SENEGAL
SO  SOMALIA
SR  SURINAME
ST  SAO TOME AND PRINCIPE
SV  EL SALVADOR
SX  SINT MAARTEN (DUTCH PART)
SY  SYRIAN ARAB REPUBLIC
SZ  SWAZILAND
TC  TURKS AND CAICOS ISLANDS
TD  CHAD
TF  FRENCH SOUTHERN TERRITORIES
TG  TOGO
TH  THAILAND
TJ  TAJIKISTAN
TK  TOKELAU
TL  TIMOR-LESTE
TM  TURKMENISTAN
TN  TUNISIA
TO  TONGA
TR  TURKEY
TT  TRINIDAD AND TOBAGO
TV  TUVALU
TW  TAIWAN, PROVINCE OF CHINA
TZ  TANZANIA, UNITED REPUBLIC OF
UA  UKRAINE
UG  UGANDA
UM  UNITED STATES MINOR OUTLYING ISLANDS
US  UNITED STATES
UY  URUGUAY
UZ  UZBEKISTAN
VA  HOLY SEE (VATICAN CITY STATE)
VA  VATICAN CITY STATE
VC  SAINT VINCENT AND THE GRENADINES
VE  VENEZUELA, BOLIVARIAN REPUBLIC OF
VG  VIRGIN ISLANDS, BRITISH
VI  VIRGIN ISLANDS, U.S.
VN  VIET NAM
VU  VANUATU
WF  WALLIS AND FUTUNA
WS  SAMOA
YE  YEMEN
YT  MAYOTTE
ZA  SOUTH AFRICA
ZM  ZAMBIA
ZW  ZIMBABWE

This reference can also be used to determine the meaning of each code: http://www.ip2country.net/ip2country/country_code.html
View full article
mdensley ‎12-04-2017 05:17 PM
9,933 Views
7 Replies
Overview
PAN-OS 6.0 introduced a feature to create a copy of decrypted traffic and send it to a mirror port, which enables raw packet captures of the decrypted traffic for archiving and analysis.
Note: This feature is available on the Palo Alto Networks PA-3000 Series and PA-5000 Series devices.

Steps
1. Activate the "Decryption Port Mirror" license. Go to Device > Licenses.
2. Reboot the device.
3. After the reboot completes, choose a free interface to use as the port mirror interface. Go to Network > Interfaces.
4. Create a Decryption Profile. Go to Objects > Decryption Profile. In this profile, specify the interface to which the decrypted traffic needs to be sent.
5. Apply the decryption profile to the SSL Decryption Policy or Policies.
6. Allow forwarding of decrypted content. Go to Device > Setup > Content-ID.
7. Commit the configuration.
All traffic that matches the SSL Decryption Policy will be decrypted and forwarded to the mirror port, which is ethernet1/8 in the above example.

Multi-VSYS Configuration
When creating a new VSYS, select the option "Allow Forwarding of Decrypted Content," which is shown below. The rest of the configuration is the same as for a single-VSYS environment.

Verification
After the setup is complete, the sessions that are marked for decryption will be forwarded to the designated port. This can be verified in the session table by filtering all the sessions that are decrypt-mirrored:

    > show session all filter decrypt-mirror yes

    --------------------------------------------------------------------------------
    ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
    Vsys                                          Dst[Dport]/Zone (translated IP[Port])
    --------------------------------------------------------------------------------
    33557112     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55193]/Untrust/6  (10.193.88.91[28832])
    vsys1                                          216.58.209.224[443]/Untrust  (216.58.209.224[443])
    33557161     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55241]/Untrust/6  (10.193.88.91[6770])
    vsys1                                          216.58.209.238[443]/Untrust  (216.58.209.238[443])
    33557106     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55190]/Untrust/6  (10.193.88.91[1490])
    vsys1                                          216.58.209.230[443]/Untrust  (216.58.209.230[443])
    33557131     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55207]/Untrust/6  (10.193.88.91[44665])
    vsys1                                          74.125.71.94[443]/Untrust  (74.125.71.94[443])
    33557084     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55170]/Untrust/6  (10.193.88.91[34083])
    vsys1                                          204.79.197.203[443]/Untrust  (204.79.197.203[443])
    33557166     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55244]/Untrust/6  (10.193.88.91[50576])
    vsys1                                          216.58.209.226[443]/Untrust  (216.58.209.226[443])
    33557086     facebook-social-plugin ACTIVE  FLOW *NS   10.193.91.111[55172]/Untrust/6  (10.193.88.91[55838])
    vsys1                                          31.13.93.3[443]/Untrust  (31.13.93.3[443])
    33557135     youtube-base   ACTIVE  FLOW *NS   10.193.91.111[55210]/Untrust/6  (10.193.88.91[31302])
    vsys1                                          216.58.209.224[443]/Untrust  (216.58.209.224[443])
    33557118     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55195]/Untrust/6  (10.193.88.91[33260])
    vsys1                                          74.125.206.154[443]/Untrust  (74.125.206.154[443])
    33557141     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55215]/Untrust/6  (10.193.88.91[50351])
    vsys1                                          216.58.209.224[443]/Untrust  (216.58.209.224[443])
    33557116     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55194]/Untrust/6  (10.193.88.91[15099])
    vsys1                                          216.58.209.238[443]/Untrust  (216.58.209.238[443])
    33557127     flash          ACTIVE  FLOW *NS   10.193.91.111[55202]/Untrust/6  (10.193.88.91[9829])
    vsys1                                          216.58.209.230[443]/Untrust  (216.58.209.230[443])
    33557091     twitter-base   ACTIVE  FLOW *NS   10.193.91.111[55179]/Untrust/6  (10.193.88.91[28557])
    vsys1                                          199.16.157.105[443]/Untrust  (199.16.157.105[443])
    33557143     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55216]/Untrust/6  (10.193.88.91[54633])
    7316         http-video     ACTIVE  FLOW *NS   10.193.91.111[55238]/Untrust/6  (10.193.88.91[26068])
    vsys1                                          173.194.129.178[443]/Untrust  (173.194.129.178[443])
    7238         web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55184]/Untrust/6  (10.193.88.91[28250])
    vsys1                                          74.125.195.113[443]/Untrust  (74.125.195.113[443])
    7307         web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55233]/Untrust/6  (10.193.88.91[44945])
    vsys1                                          74.125.206.154[443]/Untrust  (74.125.206.154[443])

owner: rvanderveken
View full article
rvanderveken ‎11-09-2017 06:44 AM
31,546 Views
4 Replies
2 Likes
This article shows how to configure DNS proxy for GlobalProtect clients. For information on how to configure GlobalProtect on the firewall, please click here. For the video link, please click here.

Details
DNS proxy is a role in which the firewall is an intermediary between DNS clients and servers; it acts as a DNS server itself by resolving queries from its DNS proxy cache. If the domain name is not found in the DNS proxy cache, the firewall searches for a match to the domain name among the entries in the specific DNS proxy object (on the interface on which the DNS query arrived) and forwards the query to a DNS server based on the match results. If no match is found, the default DNS servers are used.

1. Identify the tunnel interface referred to in the GlobalProtect Gateway configuration. Go to Network > GlobalProtect > Gateways.

2. Navigate to Network > Interfaces > Tunnel and add an IP address to the tunnel interface identified in the preceding step.
Note: This IP address can be any arbitrary IP address. Also, make sure there are a proper route and security rule in place to allow communication between this IP address and the DNS server.

3. Navigate to Network > GlobalProtect > Gateways. Configure this IP address as the Primary DNS server IP for GlobalProtect clients. (Screenshots: 7.0.x, 7.1.x)

4. Navigate to Network > GlobalProtect > Gateways. Configure this IP address in the access route table so that GlobalProtect clients get the route for this IP through the tunnel. (Screenshots: 7.0.x, 7.1.x)

5. Navigate to Network > DNS Proxy. Configure the tunnel interface to act as DNS proxy, and configure the primary and secondary DNS servers to be used. DNS proxy rules can be configured to send a DNS query to the internal DNS server for internal domains. If the domain is not matched, the default DNS servers are used. (There is no change in location in the 7.1 version.) (Screenshot: 7.0.x)
Note: If a DNS query arrives on the firewall tunnel interface for, let's say, paloalto.panvmlab.com, the firewall sends the DNS request to 192.168.243.221. However, if a DNS request arrives for, let's say, google.com, the domain name does not match the name in the proxy rule, so the firewall sends the DNS request to the default servers 8.8.8.8 or 4.2.2.2.
Similarly, static entries can be created on the firewall so that DNS requests for that FQDN are answered with a configured static IP address. (Screenshot: 7.0.x)

6. Configure security policy and NAT rules as required for communication with internal or external DNS servers. The source IP of the DNS requests is the tunnel interface IP address. In this example the tunnel interface is in the Trust-Wifi zone, the internal DNS server is in the Trust zone and the external DNS server is in the Untrust zone.

Verification
Testing-proxy.com resolved to 1.1.1.1, which is the static entry configured in DNS proxy.
paloalto.panvmlab.com resolved to an internal IP address using the internal DNS server, since the domain name matched.
google.com resolved to its IP address using the external primary DNS server, since the domain name did not match.
Following are the sessions created for the internal and external DNS queries.

Note: To enable DNS Proxy in a multi-vsys environment, please read the instructions for PAN-OS 7.0 here: Configure Virtual Systems
View full article
hagarwal ‎06-02-2017 03:33 PM
13,411 Views
0 Replies
Details
In PAN-OS, we can create address objects, which can be further grouped into address groups. The most common method is to use a 'static' type address group. However, the 'dynamic' type address group offers easier management along with scalability.

Review the example below of a list of address objects. Notice the tag on some objects; this will be relevant later. Now, if we were to create a static address group, we'd choose the objects we want to add.

This is perfectly fine for use in policies, but imagine having to manage hundreds (if not thousands) of address objects with constant additions, deletions and so on.

Note: For every address object you add or remove, you would have to include or exclude it in each address group where that address object is used. This can become cumbersome quite easily and makes the configuration prone to (manual) errors.

This is where 'Dynamic' address groups can shine. By tagging the address objects when defining them, we can use a simple match criterion to create an address group. This is much more flexible, since any addition or deletion only requires a change on the address object side; the groups can remain untouched. Let's look at the following demonstration.

Using the same address object list as before, we'll create a Dynamic address group. Commit the changes and then click on 'more' next to the entries in the group: only the objects tagged 'Intranet' were included in this group. This is where the tags become useful. For this implementation of dynamic address groups, make sure to create each address object (or group, if you wish to nest a group within another group) with one or more tags. You can type in a new tag or choose an existing one from the drop-down. Tags can be created on the fly (see the image above) or via Objects > Tags.

Moreover, we can have nested address groups with little to no additional overhead beyond adding, removing or editing the objects themselves.

Hopefully, this document helped you in making a smarter and more efficient configuration design.
View full article
ansharma ‎04-07-2017 06:15 AM
8,673 Views
0 Replies
In order to recognize an application, the Palo Alto Networks firewall needs to capture enough data to match a pattern contained in an application signature. As a compromise between application identification (App-ID) and security, the firewall inspects a limited amount of data before finally deciding whether the application is known or not: it waits for a maximum of 4 packets or 2000 bytes of data in either direction (not including the TCP handshake). In most cases, the application will be recognized before receiving that amount of data. If the application is still not identified at that point, it will appear as "unknown-tcp" or "unknown-udp."
View full article
nbilly ‎12-21-2016 07:51 AM
3,999 Views
0 Replies
5 Likes
This article explains important considerations when setting up a QoS profile and the relationship between the different parameters in QoS profiles.

This article makes the following assumptions:
- The maximum bandwidth of an interface (ethernet1/1) is 1000Mbps.
- Out of 1000Mbps, clear text traffic should have a guaranteed bandwidth of 980Mbps.
- The rest should be assigned to tunneled traffic.
- The total number of tunnel interfaces on the device is 16.
- The number of tunnels terminating on the ethernet1/1 interface is 15.

Details
There are 16 gateways, i.e. 16 tunnels/tunnel interfaces on the device; however, 15 of these tunnels terminate on interface ethernet1/1 and 1 tunnel on ethernet1/3.

The QoS setting on egress interface ethernet1/1 is as follows:

1. Egress Max of Tunneled Traffic + Egress Guaranteed of Clear (Regular) Text Traffic <= Egress Max of Interface

Egress Max of Interface = 1000Mbps
Egress Guaranteed of clear text traffic = 980Mbps
Therefore, Egress Max of Tunneled Traffic = (1000-980)Mbps = 20Mbps

This means the "ClearText" profile applied to the clear text traffic of the interface could have Egress Max = 1000Mbps and Egress Guaranteed = 980Mbps, while the "Tunnel" profile applied to the tunnel interfaces could have Egress Max = 20Mbps only.

We cannot specify the Egress Max of the tunneled traffic profile to be more than 20Mbps now. If we specify it to be more than 20Mbps, there would be a validation error: "Tunnel-traffic-group max bandwidth is smaller than tunnel.X (profile Tunnel) max bandwidth"

This error means the tunnel traffic profile can have a max of 20Mbps, but in the "Tunnel" profile we have specified an Egress Max of more than 20Mbps. This error message would be listed for each of the 15 tunnel interfaces on the ethernet1/1 interface.

Similarly, we cannot specify Tunnel Traffic Egress Max to be more than 20Mbps under Network > QoS either. Validation would give the error "Max tunnel traffic bandwidth plus guaranteed regular traffic bandwidth cannot exceed interface bandwidth"

2. Tunnel Traffic Egress Guaranteed <= Tunnel Egress Max / Number of tunnels on the physical interface

Tunnel Egress Max (as calculated above) = 20Mbps
Number of tunnels/tunnel interfaces that terminate on ethernet1/1 = 15
Therefore, in the "Tunnel" profile applied to the tunnel interfaces, Egress Guaranteed bandwidth <= (20/15)Mbps ~ 1.3Mbps

If we specify Egress Guaranteed to be more than ~1.3Mbps, validation would give the error "tunnel-traffic-group max bandwidth is smaller than its guaranteed bandwidth"

3. Sum of Egress Guaranteed bandwidth of the classes in a profile <= Egress Guaranteed of the profile

Egress Guaranteed of the Tunnel profile = 1.3Mbps (as calculated above)
Sum of Egress Guaranteed bandwidth of all 8 classes in this Tunnel profile <= 1.3Mbps

If the sum is not <= the Egress Guaranteed of the profile, validation would fail with the error "tunnel.X (profile Tunnel) guaranteed bandwidth is smaller than the sum of guaranteed bandwidth of its children"

This error message would be printed for each of the tunnel interfaces terminating on the egress physical interface.
View full article
hagarwal ‎11-22-2016 10:59 AM
7,031 Views
1 Reply
Equal Cost Multipath Routing (ECMP), new in PAN-OS version 7.1, enables the firewall to use up to four equal-cost routes to the same destination. Without this feature, the virtual router uses only one route when there are multiple equal-cost routes to the same destination, unless there is a failure. Learn the benefits of deploying ECMP, and review a basic topology to configure ECMP in your network.
View full article
‎10-21-2016 05:52 PM
5,540 Views
2 Replies
2 Likes
Issue
In some instances, File Blocking profile rules do not follow a top-down order of operations when applying actions.

Cause
Overlapping File Blocking Profile rules exist with different actions. The File Blocking Profile rulebase does not follow a normal "top-down" approach when applying rule actions. When a file is seen in a traffic flow matching a Security policy with a File Blocking Profile applied, it is checked against the configured File Blocking policy. When there is a single match, that rule's action is taken. In the case of multiple matches, the highest-precedence action is used. The options to move rules up and down the list are purely for organization and cosmetic reasons.

Action Precedence
There are five actions that can be applied to File Blocking Profile rules. The order of precedence among the actions in PAN-OS 6.1 and earlier is as follows (highest first):
1. continue-forward
2. forward
3. continue
4. block
5. alert
For example, if you configure rules with "alert" and "continue-forward", the "continue-forward" action takes precedence and will be the action that is applied.

Having said that, if, for example, an e-mail contains both an email-link and a PNG/JPG file, the email-link will take the continue-and-forward action and the PNG/JPG file will take the alert action, as the firewall can forward only the following file formats to the WildFire cloud:
apk—Android Application Package (APK)
email-link—HTTP/HTTPS
flash—Adobe Flash applets
jar—Java applets
ms-office—Microsoft Office files
pe—Portable Executable (PE) files
pdf—Portable Document Format

owner: sspringer
View full article
panagent ‎05-31-2016 02:09 PM
21,737 Views
10 Replies
2 Likes
Overview
The Palo Alto Networks implementation of the Route Reflector (RR) for iBGP is based on RFC 2796/4456; the latter superseded RFC 2796.
http://www.ietf.org/rfc/rfc2796.txt
http://tools.ietf.org/html/rfc4456

Details
The Route Reflector peer types are configured in the web UI to define what the "peer" iBGP router is in relation to the local router. The supported peer types are:
Non-Client: the iBGP peer must be fully meshed. When the Route Reflector sees a route from a Non-Client, it must reflect it to all clients.
Client: the iBGP peer is only connected to the Route Reflector (not fully meshed). A route seen from this client type is reflected to all the Non-Client peers and also to the Client peers.
Meshed-Client: the iBGP peer is a reflector client and is fully meshed with all other reflector clients. Routes received from a meshed client are reflected to all neighbors except other meshed-client iBGP peers.

A fundamental point in Route Reflection is loop avoidance. In RR there are two attributes for this: Originator-ID and Cluster ID. Ensure that both are configured in the BGP tab of the web UI. The Router ID field is for the Originator-ID and the Reflector Cluster ID field is for the Cluster ID.

If the firewall is acting as the Route Reflector, make sure that the peers are defined properly by navigating to Network > Virtual Routers. Then open the intended Virtual Router and go to BGP > Peer Group > Peer > Reflector Client.

owner: rvanderveken
View full article
rvanderveken ‎09-08-2015 05:32 PM
4,943 Views
0 Replies
Pre PAN-OS 7.0
Overview
There are two default rules on the Palo Alto Networks firewall regarding security policies:
1. Deny cross-zone traffic
2. Allow same-zone traffic
By default, traffic that hits the default policies is not logged in the traffic logs. Sometimes troubleshooting is required for traffic that has the same source and destination zone, or to see what traffic is being denied by the default rules before allowing it. To temporarily log the implied block rule, issue the following command:

    > set system setting logging default-policy-logging <value>

(Value is 0-300 seconds)
Note: Beginning in PAN-OS 6.1, the two default policies are displayed with a green background under Policies > Security. A rule now matches intrazone traffic, interzone traffic, or both (called universal). See PAN-OS New Features.

Details
There are a few ways to see the traffic in the traffic logs:
For Same-Zone Traffic: Go to Policies > Security and create security policies that allow traffic sourced from and destined for the same zone, as the example below indicates.
For Cross-Zone Traffic: Go to Policies > Security and create an open rule that allows the crossing of the zones wanted in order to see the traffic.
Important: It may not be desirable to allow all Untrusted traffic into the Trusted zones of the network as the above policies indicate, since the goal is to keep the network secure. Therefore, using a Deny All clean-up rule would log all traffic that is not allowed by the policy as denied, so you can see which rules would need to be specifically created without allowing the traffic initially. The following is an example of a Deny All policy.
Deny All: The example shown below specifically allows only GlobalProtect in from the outside. It allows all Trust and DMZ traffic out and all internally trusted cross traffic, and it allows same-zone traffic when using a Deny All policy. Any traffic that does not match the policies above the Deny All rule is caught by the Deny All policy and logged as denied. Review the denied traffic in the traffic logs to see what would specifically need to be allowed, without allowing anything new into the network and compromising it with unwanted traffic.
Note: Creating a Deny All policy will override the default policy that allows same-zone traffic. For more information, review the following document: Any/Any/Deny Security Rule Changes Default Behavior.

Post PAN-OS 7.0
Starting from PAN-OS 7.0, the intrazone and interzone default security policies are visible in the security policy and can be edited to enable logging.

owner: glasater
View full article
glasater ‎04-21-2014 11:30 AM
29,073 Views
2 Replies
1 Like
This document covers strategies and tactics for deploying User Identification in large and complex environments. It also acts as a primer on the nuances of User-ID design. It is applicable to PAN-OS 5.0 and later. owner: ialeksov
View full article
npiagentini ‎10-01-2013 11:42 AM
113,058 Views
3 Replies
3 Likes
Symptoms
OSPF neighborship stuck in the ExStart state.

Resolution
In the majority of cases, an MTU mismatch is the cause of this issue. Every router participating in the OSPF network needs to be configured with exactly the same MTU value. If a "deny all" rule is part of the firewall's policy, it is also possible that the OSPF unicast packets are dropped by that rule. Examine the logs to determine whether those packets are rejected; if so, add a rule allowing the OSPF protocol. The newer Cisco Nexus switches have the vPC option, which reduces the TTL by one and affects OSPF unicast; this will also cause the firewall to be stuck in the ExStart state.

owner: sraghunandan
View full article
sraghunandan ‎05-25-2012 11:21 AM
7,337 Views
2 Replies
1 Like
This document gives step-by-step instructions for configuring and testing OSPF using Palo Alto Networks devices in both an Active/Passive and an Active/Active scenario. The configuration examples were performed on devices running PAN-OS 4.0. For a similar tech note on BGP, look here: Tech Note: How to Configure BGP owner: tlozano
View full article
Teresa ‎10-17-2011 01:52 PM
59,004 Views
0 Replies
2 Likes
Palo Alto Networks devices are designed and built with security in mind, but as with any network computing device it is important to avoid certain pitfalls when performing configuration tasks. Below are a few guidelines that will assist the administrator in ensuring that their Palo Alto Networks device is properly configured for secure operation.
- Change the default admin password before connecting the firewall to any network.
- Enable admin profiles and groups to limit the access of other administrators.
- Enable a password profile to enforce strong passwords. Change passwords on a regularly scheduled basis.
- Set up notifications for system and configuration log messages that indicate modifications of the firewall's operational parameters (these notifications can be sent via email, syslog and/or SNMP traps).
- Set an SNMP community string that is not easy to guess and is preferably not shared with other network equipment. Only enable SNMP on the internal interfaces where you need it.
- Interface management profiles: do not enable ping, SSH, HTTP/S, etc. on firewall interfaces that don't require these services. Also note that the "response pages" may not be necessary on certain interfaces. These are the pages the firewall uses for URL filtering notifications, virus block messages, SSL VPN and captive portal.
- Set up IP-based access control on all interfaces that have management profiles. Obviously this includes the management interface, but it also includes any other interfaces that have interface management profiles.
- Place the management interface in a management VLAN that limits access to authorized personnel.
- Do not turn on management profiles on interfaces that are accessed by non-authorized personnel.
- Monitor system and configuration logs on a regular basis for unauthorized login attempts or changes to configuration settings.
owner: bpappas
View full article
nrice ‎03-24-2011 01:18 PM
9,889 Views
1 Reply
1 Like
This document gives step-by-step instructions for configuring and testing full-mesh, multi-homed eBGP using Palo Alto Networks devices in both an Active/Passive and an Active/Active scenario. The configuration examples were performed on devices running PAN-OS 4.0. For a similar tech note on OSPF, look here: How to Configure OSPF owner: tlozano
View full article
nrice ‎07-28-2010 10:56 AM
67,283 Views
6 Replies
4 Likes
Steps
Create a management profile (named MAN for this example, allowing SSH, HTTPS and ping):

    > configure
    # set network profiles interface-management-profile man ssh yes
    # set network profiles interface-management-profile man https yes
    # set network profiles interface-management-profile man ping yes

Add the interface management profile "MAN" to an interface (an L3 interface, ethernet1/3 for this example):

    # set network interface ethernet ethernet1/3 layer3 interface-management-profile man
    # commit

owner: panagent
View full article
nrice ‎05-15-2010 05:20 PM
7,860 Views
1 Reply
2 Likes