Configuration Articles

Featured Article
Issue
There are instances where we want to source-NAT traffic to a pool of addresses (a Dynamic IP pool) without performing IP and port translation (Dynamic IP and Port). Source NAT works fine for the originating sources until the IP pool is exhausted (no more IPs available to use for NAT). After the pool is exhausted, no session for a new originating source can be established, and the new traffic is dropped.

Resolution
PAN-OS has a feature called "Fallback Dynamic IP translation" to resolve this issue. Use this option to create a fallback pool that performs IP and port translation and is used if the primary pool runs out of addresses. Addresses for the pool can be defined with the Translated Address option or with the Interface Address option, which is for interfaces that receive an IP address dynamically. When creating a fallback pool, make sure its addresses do not overlap with addresses in the primary pool.*

Steps
The fallback translation method provides an alternate way to translate the source IP addresses of new originating sources once the pool is exhausted. It is configured under the "Advanced (Dynamic IP/Port Fallback)" setting, as follows:
1. Go to the Translated Packet tab of the NAT policy rule.
2. Either select "Translated Address" in the drop-down under "Advanced (Dynamic IP/Port Fallback)" and configure another address pool for Dynamic IP, or select "Interface Address" in that drop-down and configure interface-based port translation (Dynamic IP and Port).
Note: When creating a fallback pool, make sure addresses do not overlap with addresses in the primary pool.

*Sourced from the Help Guide > Policies and Security Profiles > Table 148. NAT Rule Settings (Translated Packet Tab)

owner: kprakash
kprakash 09-24-2018 02:34 PM
Overview
When configuring BGP Export/Import rules that match on the Next Hop entry from the routing table, the next hop entry cannot be just an IP address. The next hop entry must carry the /32 prefix; a different prefix will not match the rule.

Steps
Export rule. This configuration filters the BGP routes based on the next hop IP address. Routes that have 1.1.1.1 as a next hop are advertised through BGP; other routes are filtered by the Palo Alto Networks device.
A. From the WebGUI, go to Network > Virtual Router and click "default".
B. Select BGP > click the "Export" tab and "Add" to create an export rule.
C. Then go to "Match" and add the next hop IP address as shown below.

Import rule. This configuration filters the BGP routes based on the next hop IP address. Routes with 1.1.1.1 as a next hop are received through BGP; other routes are filtered by the Palo Alto Networks device.
A. From the WebGUI, go to Network > Virtual Router and click "default".
B. Select "BGP" > click the "Import" tab and "Add" to create an import rule.
C. Then go to "Match" and add the next hop IP address as shown below.

owner: aciobanu
aciobanu 09-24-2018 02:11 PM
To configure a Palo Alto Networks firewall as a DHCP server:
1. Open a new WebUI management session.
2. Navigate to Network > DHCP > DHCP Server.
3. Click the Add button at the bottom of the window. The DHCP Server configuration window opens and the DHCP server options are displayed.
Note: The sections shaded in yellow are the minimum fields necessary for a working DHCP deployment; additional options may be configured as needed.
4. Select the interface that will be sourcing DHCP leases.
5. Specify the default gateway and primary DNS.
6. Specify the desired lease range in the 'IP Pools' section. Address ranges may be entered using CIDR notation, or by entering the start and end IP addresses of the range separated by a "-" dash.
7. Click 'OK'.
8. Commit the changes to enable DHCP services.

owner: ggarrison
ggarrison 09-17-2018 09:38 AM
Overview
This document describes how to configure NAT64 on a Palo Alto Networks firewall.

Details
NAT64 enables IPv6 hosts to communicate with IPv4 hosts. A NAT64 equivalent address for an IPv4 destination is formed by combining the 32-bit IPv4 address with the Well-Known Prefix 64:ff9b::/n for NAT64, as outlined in RFC 6052.

This implementation needs a DNS64 server that the IPv6 client can communicate with to synthesize AAAA records from A records. The DNS64 server is responsible for doing an IPv4 lookup for the destination and then returning an equivalent IPv6 address (AAAA) to the client by appending the well-known prefix. The client then sends the packet with:
Src IP = Configured IPv6 address
Dst IP = IPv4-embedded IPv6 address returned by the DNS64 server
When the firewall receives this packet, both the Src IP and Dst IP are translated into IPv4 addresses.

Note: Though this example shows how to implement NAT64 with a DNS64 server, the firewall is capable of performing the translation from IPv6 to IPv4 regardless of whether this was done by a DNS64 server or by some other method, as long as the IPv4 address is embedded in the IPv6 address as described below.

Note: The NAT64 feature supports RFC 6052 compatible prefixes, which cover the Well-Known Prefix and Network-Specific Prefixes (for example, all or a part of the customer's global address prefix). This document explains the scenario of the Well-Known Prefix with a /96 length; it applies to a Network-Specific Prefix as well. The following table is the mapping rule from IPv6 to IPv4. The mapping varies with the length of the prefix:

Steps
The following network topology is used for the configuration example:

1. Bind 9 was used as the DNS64 server for this setup. Add the following configuration to the /etc/bind/named.conf.options file:

options {
    dns64 64:ff9b::/96 { };
    listen-on-v6 { any; };
    allow-query { any; };
};

2. Assign the 64:ff9b::/96 network to the interface assigned to the 'Untrust' zone. This ensures that zone lookups for destination IPs in this network match the Untrust zone.

3. Configure the NAT64 rule as follows:

4. On the client, open a browser and try to navigate to a website. We will use www.w3schools.com as an example site. The website www.w3schools.com resolves to 66.29.212.73. When the PC does an AAAA record lookup for the hostname www.w3schools.com, the DNS64 server returns the IP address 64:ff9b::421d:d449, where 421d:d449 is the hex equivalent of 66.29.212.73.

Verification
Check the sessions on the firewall for the DNS session and the following web-browsing session:

DNS session:

        c2s flow:
                source:      2005:db4:40:0:0:0:0:31 [trust-L3]
                dst:         2005:db4:31:0:0:0:0:200
                proto:       17
                sport:       58674           dport:      53
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source:      2005:db4:31:0:0:0:0:200 [untrust-L3]
                dst:         2005:db4:40:0:0:0:0:31
                proto:       17
                sport:       53              dport:      58674
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                    : Wed Nov 13 13:04:31 2013
        timeout                       : 30 sec
        time to live                  : 15 sec
        total byte count(c2s)         : 100
        total byte count(s2c)         : 524
        layer7 packet count(c2s)      : 1
        layer7 packet count(s2c)      : 1
        vsys                          : vsys1
        application                   : dns
        rule                          : allow_all
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        layer7 processing             : enabled
        URL filtering enabled         : False
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/4
        egress interface              : ethernet1/3
        session QoS rule              : N/A (class 4)

Web Browsing session:

        c2s flow:        ( Notice IPv6 addresses in c2s flow )
                source:      2005:db4:40:0:0:0:0:31 [trust-L3]
                dst:         64:ff9b:0:0:0:0:421d:d449
                proto:       6
                sport:       49381           dport:      80
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:        ( Notice IPv4 addresses in s2c flow )
                source:      66.29.212.73 [untrust-L3]
                dst:         10.66.24.80
                proto:       6
                sport:       80              dport:      65144
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                    : Wed Nov 13 13:04:31 2013
        timeout                       : 3600 sec
        time to live                  : 3568 sec
        total byte count(c2s)         : 758
        total byte count(s2c)         : 5439
        layer7 packet count(c2s)      : 6
        layer7 packet count(s2c)      : 6
        vsys                          : vsys1
        application                   : web-browsing
        rule                          : allow_all
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        address/port translation      : source + destination
        nat-rule                      : nat6_4(vsys1)      <<<< NAT64 rule is applied
        layer7 processing             : enabled
        URL filtering enabled         : False
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/4
        egress interface              : ethernet1/3
        session QoS rule              : N/A (class 4)

Troubleshooting
The following command can be used to view counters for NAT64 at the drop/warn level:

> show counter global filter value all | match nat64

Note: IPv6 firewalling needs to be enabled under Device > Setup > Session > IPv6 Firewalling.

owner: achitwadgi
kadak 05-09-2018 10:21 AM
To configure Multicast L3 with PIM Sparse Mode when the firewall is not the rendezvous point:
1. Go to Network > Virtual Routers and select the desired virtual router.
2. Click Multicast.
3. Enable Multicast globally by checking the box.
3a. Next, add the Remote Rendezvous Point by clicking "Add".
4. Go to Interfaces and click Add. Add the interfaces that will participate in Multicast.
5. Under Group Permissions, add the multicast groups for which the traffic is permitted.
6. Make sure IGMP is enabled on the interface facing the client.
7. Make sure PIM is enabled on the interface connecting to the RP.
8. Configure a security policy to allow the traffic. The destination zone should be 'multicast' and the destination address can be the multicast group addresses.
9. Commit the configuration.

owner: nayubi
npare 04-20-2018 02:24 PM
Overview
This document describes how to configure the Palo Alto Networks firewall to act as an IPSec passthrough between VPN terminating devices.

Details
Configure a security policy to allow the "ipsec" application traffic between the tunnel endpoints. This enables the Palo Alto Networks firewall to act as a VPN passthrough for traffic between the VPN peers.

For example, the screenshot below shows devices 198.51.100.1 and 203.0.113.1 (10.0.0.1 internally) as the VPN peers. The application "ipsec" is specified under the Application column.

The ipsec application contains the following sub-apps:
ike
ipsec-ah
ipsec-esp
ipsec-esp-udp (NAT-T)
These sub-apps are allowed implicitly when the ipsec application is configured as allowed.

owner: saryan
saryan 02-23-2018 03:49 AM
In Virtual Wire mode, the Palo Alto Networks device can pass Cisco Link Aggregation Control Protocol (LACP) traffic through the vwire only when the links are not aggregated on the firewall. If the vwire links are aggregated in an Aggregate Ethernet (AE) group, the firewall could forward the packets out the other ports in the AE group, which prevents LACP from coming up between the peers.

Topology example

Switch 1 Configuration

port-channel load-balance dst-ip
interface Port-channel5
 switchport access vlan 10
 switchport mode access
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 channel-group 5 mode active
!
interface GigabitEthernet0/2
 switchport access vlan 10
 switchport mode access
 channel-group 5 mode active
!
interface GigabitEthernet0/3
 switchport access vlan 10
 switchport mode access
!

Switch 2 Configuration

port-channel load-balance dst-ip
interface Port-channel10
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/13
 switchport access vlan 10
 switchport mode access
 channel-group 10 mode active
!
interface GigabitEthernet0/14
 switchport access vlan 10
 switchport mode access
 channel-group 10 mode active
!
interface GigabitEthernet0/15
 switchport access vlan 10
 switchport mode access
!

Firewall configuration

This is the expected behavior in 7.1.x and 8.0.x.

More information on 802.3ad link aggregation can be found on Wikipedia's Link aggregation page.

owner: mchandrase
migration 02-22-2018 09:57 AM
PAN-OS 6.0 and later

Details
Passive DNS monitoring is an opt-in feature in PAN-OS 6.0 or later. It enables the Palo Alto Networks firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis, in order to improve threat intelligence and threat prevention capabilities.

DNS responses are forwarded only to Palo Alto Networks, and only when the following requirements are met:
- DNS response bit is set
- DNS truncated bit is not set
- DNS recursive bit is not set
- DNS response code is 0 or 3 (NX)
- DNS question count is greater than 0
- DNS Answer RR count is greater than 0, or if it is 0, the response code must be 3 (NX)
- DNS query record type is one of A, NS, CNAME, AAAA, MX

To enable passive DNS monitoring on a Palo Alto Networks firewall (PAN-OS 7.1 and earlier), go to Objects > Security Profiles > Anti-Spyware Profile > DNS Signatures, check the box Enable Passive DNS Monitoring, and commit the changes:

To enable Passive DNS on PAN-OS 8.0 and later, go to Device > Setup > Telemetry.

owner: achalla
achalla 02-09-2018 04:50 AM
Overview
Equal Cost Multipath (ECMP) is a new feature introduced in PAN-OS 7.0. It provides multipath support for "equal cost" routes going to the same destination. A maximum of 4 equal-cost paths is supported.

Without this feature, if there are multiple equal-cost routes to the same destination, the virtual router chooses one of those routes from the routing table and adds it to its forwarding table; it will not use any of the other routes unless there is an outage on the chosen route.

ECMP load balancing is done at the session level, not at the packet level: the firewall chooses an equal-cost path at the start of a new session.

This article focuses on the basic configuration to achieve ECMP on the firewall.

Details
Topology used for this article:

Interface configuration:
Note: ethernet1/1 and ethernet1/11 are ISP interfaces configured in different zones, L3-Untrust and VPN respectively. However, these interfaces can also be configured in the same zone.

Route configuration with both default routes having "equal cost":

NAT policy to be able to route traffic over the Internet:
Note: If both ISP interfaces are in the same zone, the destination interfaces need to be added to the NAT policy, as in the following screenshot:

Security policy configuration to allow the traffic (covers both scenarios, with the interfaces in the same zone or in different zones):

Enabling ECMP on the firewall:
Note:
- Max Path 2 means that only 2 equal-cost paths will be installed in the FIB table. If more than 2 equal-cost paths need to be installed in the FIB table, change the Max Path value. The maximum supported value is 4.
- The load balance method can be selected according to the requirement. For more information about the load balance algorithms, please click here.
- Enable Symmetric Return if the reply packet should be sent out the same interface that the request packet came in on.

Verify ECMP is working:
Monitor > Traffic Logs (with different zones)
Monitor > Traffic Logs (with the same zone)
A route installed for ECMP has an "E" flag:

Note: For detailed information on ECMP, please click here.
hagarwal 01-16-2018 06:08 AM
Issue
When a remote user connects to the corporate network with GlobalProtect, the computer is assigned an IP address from the pool configured on the gateway. It is possible that this IP address overlaps with the subnet the workstation is already in, which causes issues.

For example: a remote employee connects from a hotel room where the locally received IP address is in the 10.0.0.0/8 range, and the IP pool available for GlobalProtect clients is 10.1.1.0/24. This causes issues because the IP pool is part of the local subnet. In this case, the following error is generated in the System logs on the firewall: "Assign Private IP address failed".

Resolution
The recommended solution for this issue is to create a new IP pool in a different subnet and leave that new pool lower on the list. IP pools are used from the top down, but if the client is in a subnet that conflicts with the first IP pool, the firewall automatically assigns an IP address from the second pool.

owner: tpiens
npare 12-20-2017 12:45 AM
Overview
This document describes how to set the default route for IPv6 traffic.

Steps
1. Go to Network > Virtual Router.
2. Add a Virtual Router and go to Static Routes > IPv6.
3. Add a Static Route:
   Set the destination (the IPv6 equivalent of the IPv4 0.0.0.0/0) as ::/0.
   Select the Interface.
   Set the Next Hop IP address.
4. Commit the changes.

Note: Make sure IPv6 is enabled on the firewall. See How to Enable and Disable IPv6 Firewalling.

owner: ukhapre
ukhapre 12-15-2017 08:26 AM
This article can still be used as a reference, but I strongly recommend checking out the newer versions out there, specifically created to cover newer PAN-OS versions:
Basic-GlobalProtect-Configuration-with-Pre-logon

Overview
This document describes how to configure GlobalProtect SSO with the Pre-Logon access method using self-signed certificates.

Steps
The example configuration below is for one portal and one gateway residing on the same Palo Alto Networks device, but it can be expanded to reflect multiple gateways. Local Database authentication is used for this example, but other authentication methods (LDAP, Kerberos, RADIUS, etc.) can be applied.

Generate the root Certificate Authority (CA) certificate on the Palo Alto Networks device. This will be used to sign the server certificates for both the GlobalProtect Portal and Gateway, as well as the machine certificate that will be deployed to the client machines.

Generate the server and machine certificates. Each certificate should be signed by the CA certificate created in Step 1. Device certificates associated with GlobalProtect should appear as follows:

Create a Certificate Profile. This will be used to confirm machine certificate validity when cross-checking with the CA certificate. Make sure to select the CA certificate when adding 'CA Certificates'.

Create your GP Portal as follows:
Under Portal Configuration, configure the network and authentication settings. Select the server certificate generated in Step 3 above. For Certificate Profile, select the profile created in Step 4.
Under Client Configuration, create a config file. This will be pushed to GlobalProtect clients during the initial connection and network rediscovery attempts. Configure the pre-logon client config with the pre-logon access method. Configure another config with 'any' user so that all users, including pre-logon, get the same config. In the Trusted Root CA section, add the root CA created in Step 1. This certificate will be pushed out to the connecting agents.

A sample GlobalProtect Gateway configuration is shown below. Make sure to use the same server certificate and certificate profile used in the GlobalProtect Portal configuration. The image below shows a GlobalProtect Gateway configuration that terminates users on tunnel.1 (L3-Trust zone) and uses the 192.168.200.0/24 scope, with an access route only to the internal Trust network (192.168.144.0/24).

The next step is to export the machine certificate, which will then be added to the trusted certificate store on the local computer. Use the PKCS12 file format and provide a passphrase.

On the client machine, import the previously exported machine certificate. The image below demonstrates the use of the MMC certificate snap-in for the local computer. This launches the Certificate Import Wizard. Follow the steps to complete the import. The certificate for this example was exported in PKCS12 file format. Make sure to confirm that the correct certificate is detected. Install the certificate into the local computer's Personal certificate store and then confirm the installation.

Here, the syslog shows the initial connection with the agent using the user credentials to connect successfully. Subsequently, log off the machine and verify that the machine is still able to connect successfully to both the GlobalProtect Portal and Gateway as a 'pre-logon' user, with the machine certificate validated by the CA certificate.

owner: rkalugdan
gswcowboy 11-22-2017 05:22 AM
Overview
PAN-OS 6.0 introduced a feature to create a copy of decrypted traffic and send it to a mirror port, which enables raw packet captures of the decrypted traffic for archiving and analysis.
Note: This feature is available on the Palo Alto Networks PA-3000 Series and PA-5000 Series devices.

Steps
1. Activate the "Decryption Port Mirror" license. Go to Device > Licenses:
2. Reboot the device.
3. After the reboot completes, choose a free interface under Network > Interfaces to use as the port mirror interface:
4. Create a Decryption Profile. Go to Objects > Decryption Profile. In this profile, specify the interface to which the decrypted traffic needs to be sent:
5. Apply the decryption profile to the SSL Decryption Policy or Policies:
6. Allow forwarding of decrypted content. Go to Device > Setup > Content-ID:
7. Commit the configuration.
All traffic that matches the SSL Decryption Policy will be decrypted and forwarded to the mirror port, which is ethernet1/8 in the above example.

Multi-VSYS Configuration
When creating a new VSYS, select the option "Allow Forwarding of Decrypted Content," shown below. The rest of the configuration is the same as for a single-VSYS environment.

Verification
After the setup is complete, the sessions marked for decryption are forwarded to the designated port.
This can be verified in the session table by filtering all the sessions that are decrypt-mirrored:

> show session all filter decrypt-mirror yes

owner: rvanderveken
rvanderveken 11-09-2017 06:44 AM
PAN-OS 6.0 and later

Overview
Color Coded Tags were introduced in PAN-OS 6.0 and enable many types of objects to be categorized so that they are visually distinguishable. Administrators can easily determine whether a policy was created correctly by scanning it and confirming that the color coding of its objects follows the desired scheme.

Details
On the Device/Panorama GUI, navigate to the Objects tab. As shown below, the objects tree panel on the left side has a new tree node called "Tags" for color-coded tag administration.

A tag object has three fields:
- Name
- Color
- Comments
The Name cannot contain a comma (,) since it is used as the separator character when assigning tags. The Color value of the tag object can be selected from a palette of 16 predefined colors. The default value is "None," which is no color. Selecting a color is not required when creating a tag.

The following objects in the Palo Alto Networks Device/Panorama can be used with the new tag attribute:
- Objects > Address
- Objects > Address Groups
- Objects > Services
- Objects > Service Groups
- Network > Zones
Note: When using Tags with Zones, the drop-down must be used instead of typing a generic name, because the Tag is not selectable while editing the Zone.

Policies already have tags, but will be leveraged to use the new tag object. The above objects will all have a new tag column in their top-level grid. Only the first tag in an object may have color.

During the Add/Edit of any of the above objects, the tags attribute can be specified, as shown below:

Tags can be selected from existing tags. Tag completion is case-insensitive. If the administrator adds a new tag, it is added as a tag object after "OK." The user can select a tag as the "colored tag" for an object while in the object/rule editor. The "colored tag" is saved as the first tag after "OK."

From policy tables, the user will see rule tags. Only the first tag in a rule may have color.

The following is an example of a Security Rulebase with no color tags used:

The following is an example of a Security Rulebase with color tags used for Zones and inside the objects:

Notice that the use of Color Tags makes the policy much easier to read.

Additional Details
- Tag name length is limited to 127 characters.
- There are only 16 colors; custom colors cannot be created.
- Multiple tags can use the same color.
- If an item has multiple tags with different colors, the first tag's color is displayed, so order matters.
- The config shows in the CLI as color# (1-16) (for example, set tag test1 color color4).
- Panorama can push tag color configs. If a pushed tag conflicts with an existing tag on the firewall, the device config should take priority. Likewise, if there is a conflict between a shared and a VSYS-specific object, the VSYS object takes precedence.

Logging
Configuration logs are generated for add/edit/delete of tag objects and for setting tags on other objects.

Feature Interaction with infrastructure components:
- High availability: Tag configuration is synced, similar to other object configurations.
- Virtual system: Tag administration and tag assignment can be done per VSYS.
- Panorama: Tag administration and tag assignment are available on Panorama.

Panorama
The specified objects and zones in Network templates have configuration for tags. The tag configuration is pushed to the device groups and devices along with the objects and device templates. If it conflicts with an existing tag on the firewall, the device config should take priority. In the Network template on Panorama, zones can have tags specified, but no completion (drop-down) is available; users can only type tag names.

Tags can belong to a VSYS or be shared in a device and a device group, or shared in Panorama.

owner: jdelio
10-10-2017 07:46 AM
Overview
Static ARP (Address Resolution Protocol) entries reduce ARP processing and preclude man-in-the-middle attacks for the specified addresses.

Steps
Navigate to the ARP entry configuration:
On the WebGUI, go to Network > Interfaces > Ethernet. Select the appropriate L3 interface. Click Advanced. Click ARP Entries.

From the CLI:

> configure
# set network interface ethernet ethernet1/5 layer3 arp 10.101.10.10 hw-address F0:1F:AF:02:96:36
# commit

Note: It's not possible to change the Palo Alto Networks interface MAC address.

owner: panagent
nrice 07-10-2017 12:58 AM
BGP sessions are established with the peer, and the routes advertised from the peers are present on the BGP local-rib. However, these routes aren’t injected into the global routing table. 
kprakash 06-26-2017 05:46 PM
This article shows how to configure a DNS proxy for GlobalProtect clients. Configuring GlobalProtect itself on the firewall is covered in a separate article and video.

Details
DNS proxy is a role in which the firewall is an intermediary between DNS clients and servers; it acts as a DNS server itself by resolving queries from its DNS proxy cache. If the domain name is not found in the DNS proxy cache, the firewall looks for a match among the entries of the DNS proxy object bound to the interface on which the query arrived, and forwards the query to a DNS server based on the match result. If no rule matches, the default DNS servers of the proxy object are used.

1. Identify the tunnel interface referenced in the GlobalProtect gateway configuration (Network > GlobalProtect > Gateways).

2. Go to Network > Interfaces > Tunnel and add an IP address to the tunnel interface identified in the preceding step.
Note: This can be any otherwise unused IP address; it becomes the source address of the proxied DNS queries, so make sure routing and a security rule are in place to allow communication between this address and the DNS servers.

3. Go to Network > GlobalProtect > Gateways and configure this IP address as the primary DNS server for GlobalProtect clients (the dialog differs slightly between 7.0.x and 7.1.x).

4. In the same gateway configuration, add this IP address to the access routes so that GlobalProtect clients get a route to it through the tunnel.

5. Go to Network > DNS Proxy and configure the tunnel interface to act as a DNS proxy. Configure the primary and secondary DNS servers to be used. DNS proxy rules can be added to send queries for internal domains to the internal DNS server; if a domain is not matched, the default DNS servers are used. (The location is the same in 7.1.)
Note: If a DNS query arrives at the firewall's tunnel interface for, say, paloalto.panvmlab.com, the firewall sends the request to 192.168.243.221. If a request arrives for, say, google.com, the domain does not match the name in the proxy rule, so the firewall sends the request to the default servers 8.8.8.8 or 4.2.2.2.
Similarly, static entries can be created on the firewall so that DNS requests for a given FQDN are answered with a configured static IP address.

6. Configure security policy and NAT rules as required for communication with the internal or external DNS servers. The source IP of the DNS requests is the tunnel interface IP address. In this example the tunnel interface is in the Trust-Wifi zone, the internal DNS server in the Trust zone and the external DNS server in the Untrust zone.

Verification
- testing-proxy.com resolved to 1.1.1.1, which is the static entry configured in the DNS proxy.
- paloalto.panvmlab.com resolved to its internal IP address using the internal DNS server, since the domain name matched the proxy rule.
- google.com resolved to its IP address using the external primary DNS server, since the domain name did not match.
The following are the sessions created for the internal and external DNS queries:

Note: To enable DNS proxy in a multi-vsys environment, read the instructions for PAN-OS 7.0 under Configure Virtual Systems.
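The resolver selection described above (static entry first, then proxy rule by domain, then the default servers), as an added example that is not part of the original article or of PAN-OS. The matching semantics of a rule pattern are an assumption made here; the addresses and names are the ones quoted in the article, assembled into a constructed sample object.

```python
"""Model of how a DNS proxy object picks the answer or forwarding target for a
query: static entries, then proxy rules matched by domain, then default servers.
Added illustration, not PAN-OS code; SAMPLE_PROXY is constructed from the
article's example values."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DnsProxyRule:
    domains: list                  # patterns such as "panvmlab.com" or "*.corp.example"
    primary: str
    secondary: Optional[str] = None


@dataclass
class DnsProxyObject:
    primary: str                   # default servers used when no rule matches
    secondary: str
    static_entries: dict = field(default_factory=dict)   # fqdn -> ip
    rules: list = field(default_factory=list)            # [DnsProxyRule], ordered


def domain_matches(pattern: str, qname: str) -> bool:
    """Match a query name against a rule pattern.

    Assumed semantics (not taken from the article): a plain 'panvmlab.com'
    matches the name itself and every name under it; an explicit
    '*.panvmlab.com' matches names under it only.
    """
    qname = qname.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        return qname.endswith(pattern[1:])            # pattern[1:] == ".panvmlab.com"
    return qname == pattern or qname.endswith("." + pattern)


def select_resolver(proxy: DnsProxyObject, qname: str):
    """Return how the proxy handles a query:
       ("static", ip)                     answered locally from a static entry
       ("rule", (primary, secondary))     forwarded to the matching rule's servers
       ("default", (primary, secondary))  forwarded to the default servers
    """
    name = qname.rstrip(".").lower()
    if name in proxy.static_entries:
        return ("static", proxy.static_entries[name])
    for rule in proxy.rules:                           # first matching rule wins
        if any(domain_matches(p, name) for p in rule.domains):
            return ("rule", (rule.primary, rule.secondary))
    return ("default", (proxy.primary, proxy.secondary))


# Constructed sample mirroring the article: the internal zone is forwarded to
# the internal server, one static host, everything else to the public resolvers.
SAMPLE_PROXY = DnsProxyObject(
    primary="8.8.8.8",
    secondary="4.2.2.2",
    static_entries={"testing-proxy.com": "1.1.1.1"},
    rules=[DnsProxyRule(domains=["panvmlab.com"], primary="192.168.243.221")],
)

if __name__ == "__main__":
    for q in ("testing-proxy.com", "paloalto.panvmlab.com", "google.com"):
        print(q, "->", select_resolver(SAMPLE_PROXY, q))
```

Because the proxy forwards with the tunnel interface address as source, each of the three outcomes above corresponds to a different session (or none, for the static entry) in the verification screenshots, which is why step 6 needs explicit security and NAT rules for both the internal and the external server.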
hagarwal 06-02-2017 03:33 PM
Details
IPv6 firewalling can be enabled or disabled through the WebUI or the CLI. In PAN-OS 5.0 and later, it is enabled by default. The setting is device-wide; IPv6 on an individual interface is enabled separately, as shown at the end of this article.

WebUI
IPv6 firewalling is enabled under Device > Setup > Session (the dialog is shown for PAN-OS 7.0 and for PAN-OS 8.0 and later):

CLI
> configure
# set deviceconfig setting session ipv6-firewalling [yes|no]
# commit

Interface configuration example, to enable or disable IPv6 on an interface via the CLI:
# set network interface ethernet ethernet1/3 layer3 ipv6 enabled [yes|no]
# commit

owner: sraghunandan
sraghunandan 05-23-2017 07:41 AM
In this video tutorial, Ion demonstrates how to configure Cisco ISE 2.1 with RADIUS vendor ID for Palo Alto Networks and its associated VSAs.
Ion.Ermurachi 03-15-2017 08:34 AM
Details
To check for CRC errors across the interfaces on a Palo Alto Networks device, run the following CLI command:
> show system state filter sys.s1.* | match crc

If an interface has seen CRC errors, its bad crc counter appears in the output. The following sample output shows that the s1.p6 (ethernet1/6) interface experienced bad CRC frames:
sys.s1.p6.detail: {'bad crc': 0x6c1, ...

If the command returns no output, none of the interfaces have experienced CRC errors. The counter is cumulative and printed in hexadecimal (0x6c1 is 1729 frames); run the command twice a few minutes apart to see whether the count is still growing, which points to a live cabling, optic or duplex problem on that link rather than old history.

owner: mvenkatesan
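A small parser for that output, as an added example that is not part of the original article or of PAN-OS: it pulls the bad crc counter out of each sys.sN.pM.detail line, maps the port to its ethernetN/M name (following the article's s1.p6 = ethernet1/6), and compares two snapshots so that a growing counter can be told apart from a static one. The two sample outputs are constructed to look like the article's line.

```python
"""Parse 'bad crc' counters from `show system state filter sys.s1.* | match crc`
and compare two snapshots. Added example, not PAN-OS code; SAMPLE_BEFORE and
SAMPLE_AFTER are constructed to resemble the article's output line."""

import re

SAMPLE_BEFORE = """\
sys.s1.p6.detail: { 'bad crc': 0x6c1, 'rx frames': 0x1f4a2, 'tx frames': 0x2a0c, }
sys.s1.p12.detail: { 'bad crc': 0x3, 'rx frames': 0x88, }
"""

SAMPLE_AFTER = """\
sys.s1.p6.detail: { 'bad crc': 0x6d0, 'rx frames': 0x1f8b0, 'tx frames': 0x2a40, }
sys.s1.p12.detail: { 'bad crc': 0x3, 'rx frames': 0x90, }
"""

# sys.s<slot>.p<port>.detail: { ... }
_PORT_RE = re.compile(r"^sys\.s(?P<slot>\d+)\.p(?P<port>\d+)\.detail:\s*\{(?P<body>.*)\}\s*$")
# the counter is printed as 'bad crc' (article) but accept 'bad_crc' too
_CRC_RE = re.compile(r"'bad[ _]crc':\s*(0x[0-9a-fA-F]+|\d+)")


def parse_bad_crc(output: str) -> dict:
    """Return {'ethernet<slot>/<port>': count} for every port line carrying a bad
    crc counter (zero included, so that deltas can be computed later).
    The sys.sN.pM -> ethernetN/M mapping is the one the article shows for s1.p6."""
    counters = {}
    for line in output.splitlines():
        m = _PORT_RE.match(line.strip())
        if not m:
            continue
        c = _CRC_RE.search(m.group("body"))
        if not c:
            continue
        ifname = f"ethernet{m.group('slot')}/{m.group('port')}"
        counters[ifname] = int(c.group(1), 0)      # base 0 handles 0x.. and decimal
    return counters


def crc_delta(before: dict, after: dict) -> dict:
    """Interfaces whose bad crc counter grew between two snapshots, with the increase.
    A large but static counter is old history; one that keeps growing is a live
    link problem (cable, optic, duplex mismatch) worth chasing."""
    return {name: after[name] - before.get(name, 0)
            for name in after if after[name] > before.get(name, 0)}


if __name__ == "__main__":
    print(parse_bad_crc(SAMPLE_BEFORE))
    print(crc_delta(parse_bad_crc(SAMPLE_BEFORE), parse_bad_crc(SAMPLE_AFTER)))
```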
mvenkatesan 03-03-2017 10:05 AM
Overview
By default, the firewall uses the management interface to communicate with various servers, including DNS, email, Palo Alto Networks updates, the User-ID agent, syslog and Panorama. Service routes are used to make this communication between the firewall and the servers go through a dataplane interface instead.

Details
On the Web UI
Go to Device > Setup > Services > Service Route Configuration > Customize and configure the appropriate service routes.

To configure service routes for non-predefined services, the destination addresses can be entered manually in the Destination section. In the example above, the service routes for 192.168.27.33 and 192.168.27.34 are configured to source from 192.168.27.254 on a dataplane interface and from the management interface, respectively.

On the CLI
Run the following to show the options of the command set deviceconfig system route service:

> configure
# set deviceconfig system route service
  autofocus                     AutoFocus Cloud
  crl-status                    CRL servers
  deployments                   Panorama pushed updates
  dns                           DNS server(s)
  edl-updates                   External Dynamic List update server
  email                         SMTP gateway(s)
  http                          HTTP Forwarding server(s)
  kerberos                      Kerberos server
  ldap                          LDAP server
  mdm                           MDM servers
  mfa                           Multi-Factor Authentication
  netflow                       Netflow server(s)
  ntp                           NTP server(s)
  paloalto-networks-services    Palo Alto Networks Services
  panorama                      Panorama server
  proxy                         Proxy server
  radius                        RADIUS server
  scep                          SCEP
  snmp                          SNMP server(s)
  syslog                        Syslog server(s)
  tacplus                       TACACS+ server
  uid-agent                     UID agent(s)
  url-updates                   URL update server
  vmmonitor                     VM monitor
  wildfire-private              WildFire Appliance
  <value>                       Service name

Command to display the available dataplane interfaces that can be used as the source of a service route for Palo Alto Networks updates:
# set deviceconfig system route service paloalto-networks-services source address
  10.0.0.1/24           ip 10.0.0.1/24
  172.16.0.1/24         ip 172.16.0.1/24
  192.168.0.230/24      ip 192.168.0.230/24
  192.168.27.254/24     ip 192.168.27.254/24
  192.168.27.5          mgmt 192.168.27.5
  198.51.100.1/24       ip 198.51.100.1/24
  <value>               Source IP address to use to reach destination

Example command to set a service route for receiving Palo Alto Networks updates using one of the available dataplane interfaces:
# set deviceconfig system route service paloalto-networks-services source address 198.51.100.1/24

Non-predefined service routes can also be configured through the CLI. For example:
# set deviceconfig system route destination 192.168.27.33 source address 192.168.27.254/24

Note: Traffic sent through a service route on a dataplane interface is subject to the security rulebase like any other dataplane traffic, so explicit policies are required to allow (and log) it; traffic sourced from the management interface is not. The server's replies return to the chosen source address, so that address must be reachable from the server.

Owner: pchanda
pchanda 02-01-2017 01:52 AM
Symptoms
This article describes how to block a source IP, or traffic between a particular source and destination IP, for a specific period of time when a port scan or host sweep is detected.

Diagnosis
Using the Reconnaissance Protection settings of a Zone Protection profile, the firewall tracks port scans and host sweeps by source IP, or by the combination of source and destination IP, and can block for a specific period. When a port scan or host sweep is detected for a source IP (or source/destination pair), further traffic from that source (or that pair) is dropped for the specified interval.

Solution
To configure the Block IP action in Reconnaissance Protection:
1. In the WebGUI, go to Network > Network Profiles > Zone Protection, open (or add) a Zone Protection profile and select Reconnaissance Protection.
2. Change the Action from Alert to Block IP and set Track By to Source or Source and Destination, depending on your requirement.
3. Select the block duration in seconds; the minimum is 1 second and the maximum is 3600 seconds.
4. Commit the changes.

When port scan or host sweep protection is triggered, all further traffic from that source IP, or from that source to that destination IP (depending on the Track By option), is blocked for the specified period. The Zone Protection profile only takes effect once it is attached to a zone (Network > Zones). Tracking by Source alone will also block a NAT address or proxy shared by many legitimate users if one of them scans, so Source and Destination is the safer choice for such zones.
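A toy model of the tracking and blocking behaviour just described, as an added example that is not part of the original article or of the firewall's implementation. It keeps a per-key window of distinct ports (port scan) and distinct hosts (host sweep), blocks the key when a threshold is crossed, and lets the block expire after the configured duration; the threshold and interval semantics are assumptions, the 1 to 3600 second limit comes from the article, and SAMPLE_FLOWS is constructed. Running it with both Track By modes shows why the choice matters for a shared source address.

```python
"""Toy model of Reconnaissance Protection: a per-key window counts distinct ports
(port scan) and distinct hosts (host sweep); on reaching the threshold the key is
blocked for block_duration seconds. Added example, not the firewall's code;
threshold/interval semantics are assumptions and SAMPLE_FLOWS is constructed."""


class ReconProtection:
    def __init__(self, track_by="source", interval=2.0, threshold=100,
                 block_duration=300):
        if track_by not in ("source", "source-and-destination"):
            raise ValueError("track_by must be 'source' or 'source-and-destination'")
        if not 1 <= block_duration <= 3600:          # limits stated in the article
            raise ValueError("block duration must be 1..3600 seconds")
        self.track_by = track_by
        self.interval = interval                      # window length in seconds (assumed)
        self.threshold = threshold                    # events per window (assumed)
        self.block_duration = block_duration
        self.windows = {}     # key -> {"start": ts, "ports": set(), "hosts": set()}
        self.blocked = {}     # key -> timestamp at which the block expires

    def _key(self, src, dst):
        return src if self.track_by == "source" else (src, dst)

    def observe(self, ts, src, dst, dport):
        """Process one packet. Returns 'drop' while the key is blocked, 'block' for
        the packet that crosses the threshold, otherwise 'allow'."""
        key = self._key(src, dst)
        expires = self.blocked.get(key)
        if expires is not None:
            if ts < expires:
                return "drop"
            del self.blocked[key]                     # block duration elapsed
        win = self.windows.get(key)
        if win is None or ts - win["start"] >= self.interval:
            win = {"start": ts, "ports": set(), "hosts": set()}
            self.windows[key] = win
        win["ports"].add((dst, dport))                # port scan: distinct ports probed
        win["hosts"].add(dst)                         # host sweep: distinct hosts probed
        if len(win["ports"]) >= self.threshold or len(win["hosts"]) >= self.threshold:
            self.blocked[key] = ts + self.block_duration
            del self.windows[key]
            return "block"
        return "allow"


# Constructed flows: one source probes five ports on one host, then touches a
# second host, then comes back after the block has expired.
SAMPLE_FLOWS = [
    (0.0, "10.0.0.5", "192.0.2.10", 21),
    (0.1, "10.0.0.5", "192.0.2.10", 22),
    (0.2, "10.0.0.5", "192.0.2.10", 23),
    (0.3, "10.0.0.5", "192.0.2.10", 25),
    (0.4, "10.0.0.5", "192.0.2.10", 80),    # fifth distinct port
    (1.0, "10.0.0.5", "192.0.2.11", 443),   # different host, same source
    (12.0, "10.0.0.5", "192.0.2.11", 443),  # after a 10 s block
]


def run(flows, **settings):
    """Return the verdict for each flow under the given profile settings."""
    rp = ReconProtection(**settings)
    return [rp.observe(*flow) for flow in flows]


if __name__ == "__main__":
    for mode in ("source", "source-and-destination"):
        print(mode, run(SAMPLE_FLOWS, track_by=mode, threshold=5, block_duration=10))
```

With Track By set to Source, the packet to 192.0.2.11 at t=1.0 is dropped even though that host was never scanned; with Source and Destination it is allowed, because only the (source, 192.0.2.10) pair is blocked.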
rashobana 01-20-2017 04:11 AM
Steps
The following steps describe how to configure the NetFlow Server Profile:
1. Go to Device > Server Profiles > Netflow.
2. Click Add to bring up the Netflow Server Profile.
3. Add a Name for the NetFlow settings.
4. Click Add and fill in the Name (a name to identify the server) and Server (host name or IP address of the server) fields.
5. The port is automatically populated as 2055 but can be edited if needed, as shown below:

The profile can be assigned to an existing firewall interface so that all traffic flowing over that interface is exported to the specified server.

To assign the profile created above to an interface:
1. Go to Network > Interfaces and open the Ethernet, VLAN, Loopback or Tunnel tab.
2. Select the interface and assign the NetFlow Server Profile created above (Netflow_Profile1) in the Netflow Profile field:
3. Commit the changes.

NetFlow export is plain UDP with no authentication or encryption, so send it to the collector over a trusted path (for example a dedicated management or service-route interface).

Note:
PAN-OS 6.0 and later: NetFlow works with logical sub-interfaces and can be exported per sub-interface.
Prior to PAN-OS 6.0: NetFlow data cannot be exported on a per-sub-interface basis; data can only be exported using the physical ingress and egress interface numbers.

owner: achalla
achalla 01-03-2017 06:50 AM
Overview
The ability to disable the SIP ALG was introduced in PAN-OS 6.0. The SIP ALG performs NAT on the SIP payload (the addresses and ports carried in the SIP headers and the SDP body) and opens dynamic pinholes for the negotiated media ports. This can cause issues for some SIP implementations, for example endpoints or SBCs that already handle NAT traversal themselves and end up with a payload translated twice. This document describes how to disable the SIP ALG.

Note: The option to disable the SIP ALG is available on the Palo Alto Networks firewall and is a device-wide option. This feature is not supported on Panorama.

Steps
Inside of the WebGUI
Disabling this feature prevents the firewall from translating the payload.
1. Go to Objects > Applications and search for the sip application, as shown below:
2. Open the sip application. The ALG setting is in the Options section at the lower right of the display.
3. Click Customize to bring up the settings dialog and check Disable ALG:

On the CLI
Use the following command to disable the SIP ALG (set alg-disabled no to re-enable it):
> configure
# set shared alg-override application sip alg-disabled yes
# commit

With the ALG disabled, the firewall no longer opens media pinholes, so the RTP/RTCP sessions must be allowed (and, where needed, translated) explicitly by security and NAT policy.

If issues still occur with SIP after disabling the ALG, set up packet-capture filters and run the following CLI commands to gather additional information:
> debug dataplane packet-diag set log feature flow basic
> debug dataplane packet-diag set log feature ctd basic

Note: Not all phone system implementations use the sip application. In some cases, vendors such as Cisco use applications such as rtp and rtcp. If the phones are experiencing issues, it may be necessary to perform an application override for the specific phone traffic.

For more information, see: How to Create an Application Override

owner: rvanderveken
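What the ALG does to the payload, as an added example that is not part of the original article or of PAN-OS: for an outbound INVITE crossing a source NAT it rewrites the private address in the transport headers (Via, Contact) and in the SDP (o=, c=), recomputes Content-Length, and derives the RTP/RTCP pinholes from the m= lines. The INVITE, the private address 192.168.1.20 and the NAT address 203.0.113.5 are constructed for the example.

```python
"""Minimal model of a SIP ALG on an outbound INVITE crossing source NAT:
translate the private address in Via/Contact and in the SDP, fix
Content-Length, and open pinholes for the announced media ports. Added
illustration, not PAN-OS code; the message and addresses are constructed."""

import re

INSIDE_IP = "192.168.1.20"      # phone's private address (constructed)
OUTSIDE_IP = "203.0.113.5"      # source NAT address on the untrust side (constructed)

SAMPLE_INVITE = (
    "INVITE sip:bob@sip.example.net SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {INSIDE_IP}:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@sip.example.net>;tag=1928301774\r\n"
    "To: <sip:bob@sip.example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    f"Contact: <sip:alice@{INSIDE_IP}:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"                       # placeholder, recomputed below
    "\r\n"
    "v=0\r\n"
    f"o=alice 2890844526 2890844526 IN IP4 {INSIDE_IP}\r\n"
    "s=-\r\n"
    f"c=IN IP4 {INSIDE_IP}\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)

_MEDIA_RE = re.compile(r"^m=\w+ (\d+) ", re.M)       # m=<media> <port> <proto> ...


def sip_alg_rewrite(msg: str, inside_ip: str, outside_ip: str):
    """Return (translated message, set of (ip, port) media pinholes)."""
    head, sep, body = msg.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        # Only transport-level headers are translated; From/To are logical identities.
        if line.lower().startswith(("via:", "contact:")):
            line = line.replace(inside_ip, outside_ip)
        if line.lower().startswith("content-length:"):
            continue                                  # re-added with the new length
        headers.append(line)
    # The SDP tells the far end where to send media: o= and c= carry the address.
    new_body = "\r\n".join(
        l.replace(inside_ip, outside_ip) if l.startswith(("o=", "c=")) else l
        for l in body.split("\r\n"))
    headers.append(f"Content-Length: {len(new_body.encode())}")
    # Each m= line announces an RTP port; RTCP conventionally uses port + 1.
    pinholes = set()
    for port in _MEDIA_RE.findall(new_body):
        pinholes.add((outside_ip, int(port)))
        pinholes.add((outside_ip, int(port) + 1))
    return "\r\n".join(headers) + sep + new_body, pinholes


if __name__ == "__main__":
    translated, holes = sip_alg_rewrite(SAMPLE_INVITE, INSIDE_IP, OUTSIDE_IP)
    print(translated)
    print("pinholes:", sorted(holes))
```

Disabling the ALG means none of this happens: the payload still advertises 192.168.1.20, so the phone, PBX or SBC has to solve NAT traversal itself, and since no pinholes are opened the RTP/RTCP flows must match a security rule on their own.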
rvanderveken 12-19-2016 01:19 PM
More than two DNS servers can be assigned to DHCP clients with the help of DHCP option 6.

DHCP option 6 carries the IP address(es) of the DNS servers that the client uses for name resolution.

All DNS servers must be added in the DHCP option. If DNS servers are also specified in the Primary DNS and Secondary DNS fields, those are not assigned to the client; whatever is specified in the DHCP option takes preference.

The following screenshot of a DHCP client shows all three DNS servers.
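The wire format of that option, as an added example that is not part of the original article or of PAN-OS: option 6 is a type-length-value with one 4-byte address per server, which is why the single-byte length field admits up to 63 servers and why the client takes them in the order listed. The three server addresses are constructed.

```python
"""Encode and decode DHCP option 6 (Domain Name Server, RFC 2132 section 3.8).
Added example, not PAN-OS code; SAMPLE_SERVERS is constructed."""

import ipaddress

OPTION_DNS_SERVERS = 6


def encode_option6(servers):
    """Return the option as bytes: code 6, length, then 4 bytes per server, in order.
    Clients try the servers in the order given, so list the preferred one first."""
    if not servers:
        raise ValueError("option 6 needs at least one server")
    payload = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    if len(payload) > 255:                  # single-byte length field
        raise ValueError("too many servers for one option (max 63)")
    return bytes([OPTION_DNS_SERVERS, len(payload)]) + payload


def decode_option6(data):
    """Parse one option 6 TLV and return the server addresses as strings.
    Rejects a length that is not a multiple of 4 or that overruns the buffer."""
    if len(data) < 2 or data[0] != OPTION_DNS_SERVERS:
        raise ValueError("not a DHCP option 6")
    length = data[1]
    payload = data[2:2 + length]
    if len(payload) != length or length % 4:
        raise ValueError("malformed option 6 length")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]


SAMPLE_SERVERS = ["10.1.1.10", "10.1.1.11", "10.2.2.10"]   # three servers, as in the article

if __name__ == "__main__":
    raw = encode_option6(SAMPLE_SERVERS)
    print(raw.hex(), decode_option6(raw))
```

Because DHCP is unauthenticated, a rogue server on the segment can hand out its own option 6 and redirect every client's name resolution; DHCP snooping or an equivalent control on the access layer is what protects against that, not the firewall's DHCP server configuration.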
pankaku 12-06-2016 01:46 PM
This article explains important considerations when setting up QoS profiles and the relationship between the different parameters in them.

This article makes the following assumptions:
- Maximum bandwidth of the interface (ethernet1/1) is 1000 Mbps.
- Out of that 1000 Mbps, clear-text traffic should have a guaranteed bandwidth of 980 Mbps.
- The rest should be assigned to tunneled traffic.
- Total number of tunnel interfaces on the device is 16.
- Number of tunnels terminating on the ethernet1/1 interface is 15.

Details
There are 16 gateways, i.e. 16 tunnels/tunnel interfaces, on the device; 15 of these tunnels terminate on interface ethernet1/1 and 1 tunnel on ethernet1/3:

The QoS setting on the egress interface ethernet1/1 is as follows:

1. Egress Max of tunneled traffic + Egress Guaranteed of clear-text (regular) traffic <= Egress Max of the interface

Egress Max of the interface = 1000 Mbps
Egress Guaranteed of clear-text traffic = 980 Mbps
Therefore, Egress Max of tunneled traffic = (1000 - 980) Mbps = 20 Mbps

This means the "ClearText" profile applied to the clear-text traffic of the interface can have Egress Max = 1000 Mbps and Egress Guaranteed = 980 Mbps, and the "Tunnel" profile applied to the tunnel interfaces can have an Egress Max of 20 Mbps at most.

If the Egress Max of the tunnel profile is set above 20 Mbps, the commit fails with the validation error "Tunnel-traffic-group max bandwidth is smaller than tunnel.X (profile Tunnel) max bandwidth". This means tunnel traffic can have a maximum of 20 Mbps, but the "Tunnel" profile specifies more. The error is listed once for each of the 15 tunnel interfaces on ethernet1/1.

Similarly, the tunnel traffic Egress Max cannot be set above 20 Mbps under Network > QoS either; validation gives the error "Max tunnel traffic bandwidth plus guaranteed regular traffic bandwidth cannot exceed interface bandwidth".

2. Tunnel traffic Egress Guaranteed <= Tunnel Egress Max / number of tunnels on the physical interface

Tunnel Egress Max (as calculated above) = 20 Mbps
Number of tunnels/tunnel interfaces terminating on ethernet1/1 = 15
Therefore, in the "Tunnel" profile applied to the tunnel interfaces, Egress Guaranteed <= (20/15) Mbps, i.e. about 1.3 Mbps.

If Egress Guaranteed is set above ~1.3 Mbps, validation gives the error "tunnel-traffic-group max bandwidth is smaller than its guaranteed bandwidth".

3. Sum of Egress Guaranteed bandwidth of the classes in a profile <= Egress Guaranteed of the profile

Egress Guaranteed of the Tunnel profile = 1.3 Mbps (as calculated above)
Sum of Egress Guaranteed bandwidth of all 8 classes in this Tunnel profile <= 1.3 Mbps

If the sum exceeds the Egress Guaranteed of the profile, validation fails with the error "tunnel.X (profile Tunnel) guaranteed bandwidth is smaller than the sum of guaranteed bandwidth of its children". This error is printed for each tunnel interface terminating on the egress physical interface.
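The three relationships above as a pre-commit check, added here as an example that is not part of the original article or of PAN-OS. It derives the tunnel-group maximum and the per-tunnel guarantee cap from the interface numbers and returns the validation messages quoted in the article that would fire; the default case is the article's scenario, with a constructed split of the 1.3 Mbps guarantee across the eight classes.

```python
"""Check the QoS bandwidth relationships for an egress interface and its tunnel
profile, returning the commit errors quoted in the article. Added example, not
PAN-OS code; ARTICLE_CASE holds the article's numbers, with a constructed
per-class split of the tunnel guarantee."""


def check_qos(interface_max, clear_guaranteed, tunnel_max, tunnel_guaranteed,
              tunnel_count, class_guarantees, tol=1e-9):
    """All bandwidths in Mbps. Returns the derived limits and the list of errors."""
    errors = []
    # 1. tunnel max + clear-text guaranteed must fit within the interface max
    tunnel_group_max = interface_max - clear_guaranteed
    if tunnel_max > tunnel_group_max + tol:
        errors.append("Tunnel-traffic-group max bandwidth is smaller than "
                      "tunnel.X (profile Tunnel) max bandwidth")
    # 2. every tunnel on the interface gets the same guarantee, so
    #    tunnel_count * guaranteed must not exceed the tunnel group max
    per_tunnel_cap = tunnel_group_max / tunnel_count
    if tunnel_guaranteed > per_tunnel_cap + tol:
        errors.append("tunnel-traffic-group max bandwidth is smaller than "
                      "its guaranteed bandwidth")
    # 3. the classes of a profile cannot promise more than the profile itself
    if sum(class_guarantees) > tunnel_guaranteed + tol:
        errors.append("tunnel.X (profile Tunnel) guaranteed bandwidth is smaller "
                      "than the sum of guaranteed bandwidth of its children")
    return {"tunnel_group_max": tunnel_group_max,
            "per_tunnel_guaranteed_cap": per_tunnel_cap,
            "errors": errors}


# The article's scenario: 1000 Mbps link, 980 Mbps guaranteed to clear text,
# 15 tunnels on ethernet1/1, eight classes sharing the 1.3 Mbps tunnel guarantee.
ARTICLE_CASE = dict(interface_max=1000, clear_guaranteed=980, tunnel_max=20,
                    tunnel_guaranteed=1.3, tunnel_count=15,
                    class_guarantees=[0.5, 0.2, 0.2, 0.1, 0.1, 0.1, 0.05, 0.05])

if __name__ == "__main__":
    print(check_qos(**ARTICLE_CASE))                              # no errors
    print(check_qos(**{**ARTICLE_CASE, "tunnel_max": 25}))        # rule 1 fails
    print(check_qos(**{**ARTICLE_CASE, "tunnel_guaranteed": 1.5}))  # rule 2 fails
```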
hagarwal 11-22-2016 10:59 AM
  There is a newer version of this document here: Getting Started: Preparing the Firewall for Its First Use   See Also Getting Started: The Series
Teresa 08-30-2016 09:14 AM
Issue
From the WebGUI, under Network > Interfaces > Ethernet, an interface configured as a DHCP client shows its IP address with a /32 mask regardless of the mask handed out by the DHCP server. In the following diagram, ethernet1/3 is acting as a DHCP client:

As shown below, the DHCP server is configured with a /24 mask, but the interface still displays the address as /32:

Resolution
This is a display artifact: when the interface receives its IP address from DHCP, the WebGUI shows the mask as /32 regardless of the actual mask. The subnet learned from DHCP is installed correctly in the routing table, and the only way to view it is the following CLI command:
> show routing route

The following diagram shows the correct /24 subnet installed in the routing table:

owner: hshah
hshah 07-25-2016 07:39 AM
A Palo Alto Networks firewall can establish peer relationships between BGP instances running on separate virtual routers (VRs) within a single device or a cluster. This enables the firewall to advertise prefixes between virtual routers and direct traffic accordingly.

The two BGP instances must have network communication between two interfaces, each on a different virtual router. This can be accomplished by connecting both VRs to the same physical network and ensuring that the interfaces belong to the same IP subnet; communication between the instances then leaves the firewall from an interface on one VR onto the physical network and returns on a different interface on the other VR. Another possibility is to have the communication between the BGP instances occur internally.

Internal communication between virtual routers can be accomplished by configuring a loopback interface with a /32 address on each VR. Then configure a static host route (/32) on each VR to reach the address of the other VR's loopback, choosing Next VR as the next-hop type and the other VR as the next hop. The routes accepted by a BGP peer and installed in the routing table have a next-hop of the other VR's loopback address; since a route exists to reach that next hop through the next VR, the packet is routed into the other VR.

Notes:
- If the loopback interfaces are in different zones, security policies must allow communication between those zones (the BGP session runs over TCP port 179), or the peering will fail.
- For sessions whose first packet is routed from one VR to the other, the destination zone is not determined until the routing decision in the next VR is made and the final destination interface is known.

Snapshots depicting the configuration:

Loopback interfaces (any unused /32 IP address can be used for the loopbacks):

Routing required for BGP to come up:

Security policies required to allow BGP traffic, since the interfaces are in different zones:

Monitor the traffic logs for BGP traffic:
npare 07-11-2016 06:17 PM
Steps
The custom URL category feature allows users to create their own lists of URLs that can be selected in any URL Filtering profile. This document reviews the commands to create a custom URL category from the command line interface, as shown below:

> configure
# set profiles custom-url-category Palo_Test description "How to configure Custom URL Category"
# set profiles custom-url-category Palo_Test list [ example.com example.com/* *.example.com ]
# commit

The example below shows how the category appears on the web interface after the commit. The set command appends hosts/FQDNs/patterns to the list; to remove an entry, use the delete command:
# delete profiles custom-url-category Palo_Test list example.com

owner: asharma
asharma1 06-23-2016 06:29 AM