Configuration Articles

Featured Article
QRADAR LEEF syntax for your Syslog needs in PAN-OS 8.0
View full article
taddair ‎09-11-2018 01:14 AM
6,943 Views
2 Replies
1 Like
In PAN-OS 8.0 and later, the security policy rule creation window will not show a legend for each Region Code. We have created the following table for your reference, organized by Region Code.

Special codes:
A1 Anonymous Proxy; A2 Satellite ISPs

ISO 3166-1-alpha-2 code / Country name:
AD ANDORRA; AE UNITED ARAB EMIRATES; AF AFGHANISTAN; AG ANTIGUA AND BARBUDA; AI ANGUILLA; AL ALBANIA; AM ARMENIA; AO ANGOLA; AQ ANTARCTICA; AR ARGENTINA; AS AMERICAN SAMOA; AT AUSTRIA; AU AUSTRALIA; AW ARUBA; AX ALAND ISLANDS; AZ AZERBAIJAN
BA BOSNIA AND HERZEGOVINA; BB BARBADOS; BD BANGLADESH; BE BELGIUM; BF BURKINA FASO; BG BULGARIA; BH BAHRAIN; BI BURUNDI; BJ BENIN; BL SAINT BARTHELEMY; BM BERMUDA; BN BRUNEI DARUSSALAM; BO BOLIVIA, PLURINATIONAL STATE OF; BQ BONAIRE, SAINT EUSTATIUS AND SABA; BR BRAZIL; BS BAHAMAS; BT BHUTAN; BV BOUVET ISLAND; BW BOTSWANA; BY BELARUS; BZ BELIZE
CA CANADA; CC COCOS (KEELING) ISLANDS; CD CONGO, THE DEMOCRATIC REPUBLIC OF THE; CF CENTRAL AFRICAN REPUBLIC; CG CONGO; CH SWITZERLAND; CI COTE D'IVOIRE; CK COOK ISLANDS; CL CHILE; CM CAMEROON; CN CHINA; CO COLOMBIA; CR COSTA RICA; CU CUBA; CV CAPE VERDE; CW CURACAO; CX CHRISTMAS ISLAND; CY CYPRUS; CZ CZECH REPUBLIC
DE GERMANY; DJ DJIBOUTI; DK DENMARK; DM DOMINICA; DO DOMINICAN REPUBLIC; DZ ALGERIA
EC ECUADOR; EE ESTONIA; EG EGYPT; EH WESTERN SAHARA; ER ERITREA; ES SPAIN; ET ETHIOPIA
FI FINLAND; FJ FIJI; FK FALKLAND ISLANDS (MALVINAS); FM MICRONESIA, FEDERATED STATES OF; FO FAROE ISLANDS; FR FRANCE
GA GABON; GB UNITED KINGDOM; GD GRENADA; GE GEORGIA; GF FRENCH GUIANA; GG GUERNSEY; GH GHANA; GI GIBRALTAR; GL GREENLAND; GM GAMBIA; GN GUINEA; GP GUADELOUPE; GQ EQUATORIAL GUINEA; GR GREECE; GS SOUTH GEORGIA AND THE SOUTH SANDWICH ISLANDS; GT GUATEMALA; GU GUAM; GW GUINEA-BISSAU; GY GUYANA
HK HONG KONG; HM HEARD ISLAND AND MCDONALD ISLANDS; HN HONDURAS; HR CROATIA; HT HAITI; HU HUNGARY
ID INDONESIA; IE IRELAND; IL ISRAEL; IM ISLE OF MAN; IN INDIA; IO BRITISH INDIAN OCEAN TERRITORY; IQ IRAQ; IR IRAN, ISLAMIC REPUBLIC OF; IS ICELAND; IT ITALY
JE JERSEY; JM JAMAICA; JO JORDAN; JP JAPAN
KE KENYA; KG KYRGYZSTAN; KH CAMBODIA; KI KIRIBATI; KM COMOROS; KN SAINT KITTS AND NEVIS; KP KOREA, DEMOCRATIC PEOPLE'S REPUBLIC OF; KR KOREA, REPUBLIC OF; KW KUWAIT; KY CAYMAN ISLANDS; KZ KAZAKHSTAN
LA LAO PEOPLE'S DEMOCRATIC REPUBLIC; LB LEBANON; LC SAINT LUCIA; LI LIECHTENSTEIN; LK SRI LANKA; LR LIBERIA; LS LESOTHO; LT LITHUANIA; LU LUXEMBOURG; LV LATVIA; LY LIBYAN ARAB JAMAHIRIYA
MA MOROCCO; MC MONACO; MD MOLDOVA, REPUBLIC OF; ME MONTENEGRO; MF SAINT MARTIN (FRENCH PART); MG MADAGASCAR; MH MARSHALL ISLANDS; MK MACEDONIA, THE FORMER YUGOSLAV REPUBLIC OF; ML MALI; MM MYANMAR; MN MONGOLIA; MO MACAO; MP NORTHERN MARIANA ISLANDS; MQ MARTINIQUE; MR MAURITANIA; MS MONTSERRAT; MT MALTA; MU MAURITIUS; MV MALDIVES; MW MALAWI; MX MEXICO; MY MALAYSIA; MZ MOZAMBIQUE
NA NAMIBIA; NC NEW CALEDONIA; NE NIGER; NF NORFOLK ISLAND; NG NIGERIA; NI NICARAGUA; NL NETHERLANDS; NO NORWAY; NP NEPAL; NR NAURU; NU NIUE; NZ NEW ZEALAND
OM OMAN
PA PANAMA; PE PERU; PF FRENCH POLYNESIA; PG PAPUA NEW GUINEA; PH PHILIPPINES; PK PAKISTAN; PL POLAND; PM SAINT PIERRE AND MIQUELON; PN PITCAIRN; PR PUERTO RICO; PS PALESTINIAN TERRITORY, OCCUPIED; PT PORTUGAL; PW PALAU; PY PARAGUAY
QA QATAR
RE REUNION; RO ROMANIA; RS SERBIA; RU RUSSIAN FEDERATION; RW RWANDA
SA SAUDI ARABIA; SB SOLOMON ISLANDS; SC SEYCHELLES; SD SUDAN; SE SWEDEN; SG SINGAPORE; SH SAINT HELENA, ASCENSION AND TRISTAN DA CUNHA; SI SLOVENIA; SJ SVALBARD AND JAN MAYEN; SK SLOVAKIA; SL SIERRA LEONE; SM SAN MARINO; SN SENEGAL; SO SOMALIA; SR SURINAME; ST SAO TOME AND PRINCIPE; SV EL SALVADOR; SX SINT MAARTEN (DUTCH PART); SY SYRIAN ARAB REPUBLIC; SZ SWAZILAND
TC TURKS AND CAICOS ISLANDS; TD CHAD; TF FRENCH SOUTHERN TERRITORIES; TG TOGO; TH THAILAND; TJ TAJIKISTAN; TK TOKELAU; TL TIMOR-LESTE; TM TURKMENISTAN; TN TUNISIA; TO TONGA; TR TURKEY; TT TRINIDAD AND TOBAGO; TV TUVALU; TW TAIWAN, PROVINCE OF CHINA; TZ TANZANIA, UNITED REPUBLIC OF
UA UKRAINE; UG UGANDA; UM UNITED STATES MINOR OUTLYING ISLANDS; US UNITED STATES; UY URUGUAY; UZ UZBEKISTAN
VA HOLY SEE (VATICAN CITY STATE); VA VATICAN CITY STATE; VC SAINT VINCENT AND THE GRENADINES; VE VENEZUELA, BOLIVARIAN REPUBLIC OF; VG VIRGIN ISLANDS, BRITISH; VI VIRGIN ISLANDS, U.S.; VN VIET NAM; VU VANUATU
WF WALLIS AND FUTUNA; WS SAMOA
YE YEMEN; YT MAYOTTE
ZA SOUTH AFRICA; ZM ZAMBIA; ZW ZIMBABWE

This reference can also be used to determine the meaning of each code: http://www.ip2country.net/ip2country/country_code.html
View full article
mdensley ‎12-04-2017 05:17 PM
9,933 Views
7 Replies
Symptoms
Captive Portal will not work if an Authentication Sequence is referenced as the Authentication Profile in an Authentication Enforcement object, as shown below:

Diagnosis
Authentication Enforcement objects do not support Authentication Sequences. Only Authentication Profiles with additional factors can be used. If an auth-sequence is added to the Authentication Enforcement object, it is treated as no-captive-portal behaviour.

Solution
An Authentication Sequence CAN be used if a default web-form Authentication Enforcement object is used in an Authentication policy and the Authentication Sequence is referenced in Captive Portal Settings under Device -> User Identification, as seen below:
View full article
nkajgana ‎11-07-2017 12:49 AM
2,507 Views
1 Reply
1 Like
The following list of supported ciphers for PAN-OS 7.1 includes ciphers for FIPS and non-FIPS mode, with supported curves and limitations.
View full article
‎10-05-2017 10:56 PM
43,565 Views
10 Replies
7 Likes
Pre-requisites
You should have a working knowledge of:
Active Directory
The User-ID feature on the Palo Alto Networks firewall

Components Used
The information in this document is based on these software and hardware versions:
Palo Alto Networks VM firewall running PAN-OS 7.1
Active Directory Services running on a Microsoft 2012 R2 server, configured as a Domain Controller
The information in this document was created from the devices in a specific lab environment. If your network is live, make sure that you understand the potential impact of any command.

Background
The Palo Alto Networks firewall uses the domain map to store the fully qualified Active Directory domain name (FQDN) and its equivalent NetBIOS domain name. It is used to normalize, or convert, usernames and group names from FQDN format to their corresponding NetBIOS domain name format. For example, if the FQDN is 'paloaltonetworks.com', its equivalent NetBIOS domain name is 'paloaltonetworks'. In an Active Directory environment, a user who is a member of this domain will have the username paloaltonetworks\username.

Details
Let us take a deeper look at how the firewall retrieves the NetBIOS domain name from Active Directory domain controllers, populates the domain map and then uses it to convert FQDNs to NetBIOS names. For simplicity and ease of illustration we'll break the workflow into three phases.

PHASE 1: Retrieving the NetBIOS domain name
The firewall requests the NetBIOS domain name as part of the LDAP partition query sent during an LDAP refresh, populates its domain map and writes the entry into the dnsnetbios.map file.
Fetched through the 389/636 LDAP connection (not the Global Catalog ports 3268 or 3269); all Domain Controllers should have this information.
Location: LDAP://CN=Partitions,CN=Configuration,DC=<DomainName>,DC=<local|com>
ADSI Edit (Active Directory Service Interfaces): connect to "Configuration".
Here's the LDAP partition query response from the Active Directory domain controller to the firewall, showing:
Target of the query: CN=Partitions,CN=Configuration,DC=test,DC=kunaldc,DC=com
FQDN: 'test.kunaldc.com'
NetBIOS domain name: 'test'

PHASE 2: Storing the NetBIOS domain name
The 'dnsnetbios.map' file, which contains the FQDN and its NetBIOS domain name, is stored internally in the Linux-based directory structure on the firewall. You can view the domain map from the firewall command line using 'debug user-id dump domain-map'. The domain map persists across a device reload, even when you have deleted the group mapping profile for the respective domain. Any NetBIOS domain name once learnt by the firewall continues to persist unless explicitly removed with the CLI command 'debug user-id clear domain-map'.

PHASE 3: Applying the NetBIOS domain name to user groups and their members
The objective of the NetBIOS name is to:
1. Convert 'fqdn\username' formats to the NetBIOS domain name format, i.e. 'netbios\username'. Eg: the user 'testuser' is a member of the Active Directory domain 'test.kunaldc.com', so its FQDN name format is 'test.kunaldc.com\testuser'. Once the firewall learns the NetBIOS name of the Active Directory domain, it converts all FQDN-format usernames to NetBIOS format; hence 'test.kunaldc.com\testuser' is converted to 'test\testuser'.
2. Normalize groups from full DN to short-name format. In the absence of the domain map, all AD groups are recognized in their full domain name format. A group named sme_group whose full DN is 'cn=sme_group, ou=tier2,ou=networking,ou=apac,ou=tac2,dc=test,dc=kunaldc.com,dc=com' is converted into 'test\sme_group'. Similarly, the user who is a member of sme_group and of the Active Directory domain 'test.kunaldc.com' is also transformed from 'test.kunaldc.com\testuser' to 'test\testuser'.

NOTE
1. The PAN firewall applies the normalization to users retrieved through IP-user mapping mechanisms (User-ID agent, agentless, syslog, XML API, etc.) as well as to users retrieved from Active Directory domain controllers via LDAP.
2. The domain map is not synchronized between the active and passive firewalls in an Active-Passive HA setup. The passive device must at some point serve as the active device in the HA pair in order to connect to the Active Directory server and fetch the NetBIOS domain name via the LDAP partition query.
View full article
kbiswas ‎05-08-2017 05:11 AM
20,420 Views
1 Reply
5 Likes
Details
In PAN-OS, we can create address objects which can be further grouped into address groups. The most common method is to use a 'static' address group. However, the 'dynamic' address group type allows for easier management along with scalability.

Review the example below of a list of address objects. Notice the tag on some objects; this will be relevant later. Now, if we were to create a static address group, we'd choose the objects we want to add. This is perfectly fine for use in policies, but imagine having to manage hundreds (if not thousands) of address objects with constant additions, deletions, etc.

Note: For every address object you add or remove, you would have to include or exclude it in each address group where that address object is used. This quickly becomes cumbersome and makes the configuration prone to (manual) errors.

This is where 'Dynamic' address groups shine. By using tags when defining the address objects, we can define a simple match criterion for the address group. This is much more flexible, since any addition or deletion only requires a change on the address object side; the groups can remain untouched! Let's look at the following demonstration.

Using the same address object list as before, we'll create a Dynamic address group. Commit the changes and then click on 'more' to see the entries in the group: only the objects tagged 'Intranet' were included in this group. This is where the tags become useful. For this implementation of dynamic address groups, make sure to create each address object (or address group, if you wish to nest a group within another group) with one or more tags. You can type in a new tag or choose an existing one from the drop-down. You can create tags on the fly (see above image) or via Objects -> Tags. Moreover, we can have nested address groups with little to no additional overhead, other than adding, removing or editing the objects themselves.

Hopefully, this document helped you in making a smarter and more efficient configuration design.
View full article
ansharma ‎04-07-2017 06:15 AM
8,673 Views
0 Replies
Starting from PAN-OS 8.0, we have an option for secure communication, with the help of certificates, between the firewall and the User-ID Agent. NOTE: This requires the firewall to be on PAN-OS 8.0 (or later) as well as the User-ID Agent to be on 8.0 (or later).

In this process, the UIA (User-ID Agent) presents a certificate to the firewall for validation. The firewall checks this certificate against the configured certificate profile. If it passes all the checks in the certificate profile, the firewall accepts the connection from the UIA. This protects against "rogue" UIAs.

Here's a step-by-step walkthrough to configure this:
1. Launch the UIA; you should see a new option called 'Server Certificate'.
2. Create a new CSR for the UIA and get it signed by an external CA, an in-house CA, or a self-signed CA certificate present on the firewall. (Note: the CA certificate needs to be present on the firewall so it can be used in the Certificate Profile to validate the UIA's certificate.)
3. Once we have a certificate, import it into the UIA along with its private key. Make sure to commit the configuration.
4. Create a new certificate profile and use the CA that signed the UIA's CSR.
5. You should see a new tab under Device > User Identification, called 'Connection Security'.
6. Choose the certificate profile created in step 4.
7. If the commit goes well, you should see the UIA connected successfully to the firewall.

Failure Scenario
If an incorrect certificate, or no certificate, is present on the UIA while Connection Security is enabled on the firewall, you will see the following log entry in the System (and User-ID) logs: For the same failure, on the agent, you would see the following logs (under Monitoring -> Logs):

Hope this helped. Stay safe!
View full article
ansharma ‎03-13-2017 05:02 AM
5,145 Views
1 Reply