Configuration Articles

Featured Article
Details

For this example, the rule created blocks downloading the file "wrar39b4.exe".

1. Use a packet capture tool to identify a signature for the custom application.
2. Create the custom application in Objects > Application > New.
3. Define the specifics of the custom application, in particular the transport layer (TCP/80) and the signature (see the screenshot for details).
4. Create a security policy that denies the custom-defined application.
5. Commit.
6. Review the traffic log to confirm that the application is denied.

[Figure: Wireshark packet capture]

To create a Custom Application from the WebGUI, go to Objects > Applications > New. Give the application a name and a description. Edit the properties of the object and assign it an appropriate category, subcategory, technology, risk class and any characteristics that may apply. Choose the correct port (tcp/80 for this example).

In the Signatures tab, create a new signature and add an OR condition. Define the signature context (http-req-uri-path for this example), with a pattern of "wrar39b4.exe" and a qualifier of "http-method" "GET".

Create a security rule to block the application. Monitor the new rule in the traffic log.

owner: panagent
nrice 09-14-2018 10:28 AM
Symptoms

Packet drop is observed after a DoS Protection Rule is applied. Threat logs for DoS Protection are not generated.

This tends to happen when the DoS Protection Rule is created with the Classified setting and "src-dest-ip-both" is selected for the Address setting.

The issue can happen even if the number of active sessions is much lower than the maximum session number the platform supports, and also lower than the "Maximum Concurrent Sessions" setting in the DoS Protection Profile.

During that time, the following global counters are incremented:

    flow_dos_rule_drop             Packets dropped: Rate limited or IP blocked
    flow_dos_rule_drop_classified  Packets dropped: due to classified rate limiting
    flow_dos_no_empty_entp         Unable to find empty classified entry during insertion

Cause

If the counters above show the same value, it indicates that hash insertion into the classification table failed, and the packets were therefore dropped. Hash insertion fails when the classification table is full or when a hash collision happens. With the "src-dest-ip-both" setting, the firewall has to track sessions based on the source IP and destination IP pair, which uses more entries in the classification table. The more entries are created, the more likely a hash collision becomes.

Solution

- Select "source-ip-only" or "destination-ip-only" instead of "src-dest-ip-both" in the Classified setting.
- Use the Aggregate setting instead of Classified.
- The "debug dataplane reset dos classification-table" command can be used as a temporary workaround to clear the classification table. Note: this is not a permanent fix.
- Configure the DoS Protection rule to be more specific; for example, reduce the number of Zones the policy applies to instead of selecting all existing Zones.
ymiyashita 08-21-2018 07:52 AM
Domains

There are a number of domains/SSL certificates that are excluded from SSL Decryption.

Starting with PAN-OS 8.0 and newer, the SSL exclusion is handled inside the Certificates section of the WebUI. To see the full list of domains/SSL certificates that are excluded from SSL Decryption, go to WebGUI > Device > Certificate Management > SSL Decryption Exclusion.

The domains selected with "Exclude from decryption" in this location will not be decrypted by the Palo Alto Networks device. This list of domains is added to the SSL Decryption Exclusion list in each Content load, so that the SSL engine will allow them to pass through rather than trying to decrypt them.

Applications

In PAN-OS 7.1 and older, applications were used instead of domains. These applications are added to an exclude list in each Content load so that the SSL engine will allow them to pass through, rather than trying to decrypt them. The excluded applications are:

adobe-echosign, aerofs, aim, airdroid, amazon-aws-console, anydesk, appguru, apple-game-center, apple-push-notifications, asana, authentic8-silo, bluejeans, cryptocat, daum-mypeople, discord, dnf, efolder, evault, filesanywhere, finch, google-plus-posting, gotoassist, gotomeeting, gotomypc, hbo, hp-virtual-rooms, icloud, informatica-cloud, itunes, itunes-appstore, itunes-mediastore, itwin, jungledisk, kakaotalk, kakaotalk-audio-chat, kakaotalk-file-transfer, lantern, linkedin, live-mesh, logentries, logmein, logmeinrescue, meerkat, megachat, metatrader, minecraft, ms-lync-online, ms-product-activation, ms-spynet, ms-update, naver-line, norton-zone, ntr-support, odrive, office-on-demand, okta, onepagecrm, onlive, opera-vpn, packetix-vpn, paloalto-wildfire-cloud, pando, pathview, periscope, proofhq, puffin, rift, second-life, signal, silent-circle, simplify, sophos-rms, springcm, sugarsync, telex, tigertext, ubuntu-one, ultrasurf, vagrant, via3, vmware-view, vudu, wallcooler-vpn, webroot-secureanywhere, wetransfer, whatsapp, winamax, wiredrive, yunpan360-file-transfer, yuuguu, zoom, zumodrive
nrice 07-27-2018 03:49 PM
Although it is not possible to change the port GlobalProtect uses, it is possible to use another port with the help of a loopback IP address and security rules. Here is how to do that:

1. Create a loopback interface. Make sure the untrust interface can ping the loopback.
2. Assign the loopback as the portal address and the gateway address.
3. In the GlobalProtect Portal > Agent > External tab, set the external gateway address (10.30.6.56:7000 in this example).
4. Create a Destination NAT rule with service:7000 to 10.30.6.56 (Untrust Interface), translating to 10.10.10.1 (loopback) on service:443.
5. Create a security policy with the untrust interface as the destination address and 7000 and 443 as the services.

With this configuration, you will be able to access the GlobalProtect portal page on https://10.30.6.56:7000, which will be translated to https://10.10.10.1. Download and install the GlobalProtect client software. Use the credentials in the username and password fields. In the portal field, use the IP 10.30.6.56:7000 as shown.

owner: mvenkatesan
mvenkatesan 07-19-2018 06:07 AM
How to Allow a Single YouTube Video and Block All Other Videos

In this example we only want to allow this one YouTube video: https://www.youtube.com/watch?v=hHiRb8t2hLM, and block the rest of YouTube. Please follow these steps to accomplish this.

Steps

1. Block streaming-media in your URL Filtering Profile. Get there in the WebGUI > Objects > Security Profiles > URL Filtering, then click on the URL Filtering profile you would like to use.
   [Figure: URL Filtering Profile detail showing Streaming-Media set to Block]
2. Create a Custom URL Category from Objects > Custom Objects > URL Category. Your Custom URL Category must include the following entries:
   *.youtube.com
   *.googlevideo.com
   www.youtube-nocookie.com
   www.youtube.com/yts/jsbin/
   www.youtube.com/yts/cssbin/
   This will make sure that any YouTube page or content you go to is decrypted, so that the full HTTP GET can be read.
3. Add a decryption policy of type SSL Forward Proxy; the decryption policy must be tied to your Custom URL Category in the "Service/URL Category" tab. Please see the following article about configuring SSL Decryption: How to Implement and Test SSL Decryption
4. Go to your URL Filtering profile, and in the Allow list add the following URLs:
   www.youtube.com/watch?v=hHiRb8t2hLM
   *.googlevideo.com
   The first entry is the URL for the container page itself; *.googlevideo.com then allows the media that is fetched from that container page out of Google's content CDN at *.googlevideo.com. Also make sure that the custom URL category you created is "allowed" inside the URL filtering profile.
   [Figure: URL filtering profile detail showing the allowed URL list]
5. Commit and test.

Thanks to Milvaldi for the contribution.

owner: jdelio
07-12-2018 11:51 PM
Ever wonder how to globally block URLs without having to use a URL filtering policy in the rule? The problem when using a URL filtering policy is that URL traffic is either blocked or allowed on a single rule. Because of matching on a single rule, none of the URL traffic is scanned by the rest of the security policy.
04-26-2018 08:23 AM
Overview

PAN-OS can decrypt and inspect inbound and outbound SSL connections going through the Palo Alto Networks firewall. SSL decryption can occur on interfaces in virtual wire, Layer 2 or Layer 3 mode by using the SSL rulebase to configure which traffic to decrypt. In particular, decryption can be based on URL categories, source user, and source/target addresses. Once traffic is decrypted, tunneled applications can be detected and controlled, and the decrypted data can be inspected for threats, URL filtering, file blocking, or data filtering. Decrypted traffic is never sent off the device.

Inbound SSL Decryption

In the case of inbound traffic to an internal web server or device, the administrator imports a copy of the protected server's certificate and key. When the SSL server certificate is loaded on the firewall and an SSL decryption policy is configured for the inbound traffic, the device decrypts and reads the traffic as it forwards it. No changes are made to the packet data, and the secure channel is from the client system to the internal server. The firewall can then detect malicious content and control applications running over this secure channel.

Outbound SSL Decryption (SSL Forward Proxy)

In this case, the firewall proxies outbound SSL connections by intercepting outbound SSL requests and generating a certificate on the fly for the site the user wants to visit. The validity date on the PA-generated certificate is taken from the validity date on the real server certificate. The issuing authority of the PA-generated certificate is the Palo Alto Networks device. If the firewall's certificate is not part of an existing hierarchy, or is not added to a client's browser cache, then the client receives a warning when browsing to a secure site.

If the real server certificate has been issued by an authority not trusted by the Palo Alto Networks firewall, then the decryption certificate is signed with a second "untrusted" Certificate Authority (CA) key, to ensure the user is warned of any subsequent man-in-the-middle attacks.

To configure SSL decryption:
1. Configure the firewall to handle traffic and place it in the network.
2. Make sure the proper Certificate Authority (CA) is on the firewall.
3. Configure SSL decryption rules.
4. Enable the SSL decryption notification page (optional).
5. Commit changes and test decryption.

Steps

1. Configure the firewall to handle traffic and place it in the network

Make sure the Palo Alto Networks firewall is already configured with working Interfaces (Virtual Wire, Layer 2 or Layer 3), Zones and Security Policy, and is already passing traffic.

2. Load or Generate a CA certificate on the Palo Alto Networks firewall

A Certificate Authority (CA) is required to decrypt traffic properly by generating SSL certificates on the fly. Create a self-signed CA on the firewall or import a Subordinate CA (from your own PKI infrastructure). Select "Forward Trust Certificate" and "Forward Untrust Certificate" on one or more certificates to enable the firewall to decrypt traffic.

Note: Because SSL certificate providers like Entrust, Verisign, Digicert, and GoDaddy do not sell CAs, they are not supported in SSL Decryption.

From the firewall GUI, go to Device > Certificates. Load or generate a certificate for either inbound inspection or outbound (forward proxy) inspection.

Generating a Self-Signed Certificate

Using a Self-Signed Certificate is recommended. For information on generating a Self-Signed Certificate, please see: How to Generate a New Self-Signed SSL Certificate

Generating and Importing a Certificate from Microsoft Certificate Server

On the Microsoft Certificate Server for your organization, request an advanced certificate using the certificate template "subordinate CA". Download the cert.

After downloading, export the certificate from the local certificate store. In IE, access the Internet Options dialog, select the Content tab, then click the Certificates button. The new certificate can be exported from the Personal certificates store. Select "Certificate Export Wizard", export the private key, then select the format. Enter a passphrase and a file name and location for the resulting file. The certificate will be in PFX format (PKCS #12).

To extract the certificate, use this OpenSSL command:

    openssl pkcs12 -in pfxfilename.pfx -out cert.pem -nokeys

To extract the key, use this OpenSSL command:

    openssl pkcs12 -in pfxfilename.pfx -out keyfile.pem -nocerts

Import the cert.pem file and keyfile.pem file into the Palo Alto Networks firewall on the Device tab > Certificates screen. In the case of a High Availability (HA) Pair, also load these files into the second Palo Alto Networks firewall, or copy the certificate and key via the High Availability widget on the dashboard.

[Figure: The "Forward Trust" and "Forward Untrust" certificates]

Note: If using a self-signed CA, export the public CA certificate from the firewall and install it as a Trusted Root CA in each machine's browser to avoid Untrusted Certificate error messages. Network administrators usually use GPO to push this certificate out to each workstation.

Examples of browser errors if the self-signed CA certificate is not trusted:
[Figure: Firefox untrusted CA error]
[Figure: Chrome untrusted CA error]
[Figure: Internet Explorer untrusted CA error]

3. Configure SSL Decryption Rules

The network administrator determines what needs to be decrypted. A few suggestions for configuring SSL decryption rules:
- Implement rules in a phased approach. Start with specific rules for decryption, and monitor the typical number of SSL connections being decrypted by the device.
- Avoid decrypting the following URL categories, as users may consider this an invasion of privacy:
  - Financial services
  - Health and medicine
- Do not decrypt applications where the server requires client-side certificates (for identification). You can either block or allow connections requiring client authentication via the decryption profile feature introduced in PAN-OS 5.0.

[Figure: An example of an outbound rulebase following the suggestions for decryption]

4. Enable SSL Decryption Notification web page (optional)

The user can be notified that their SSL connection will be decrypted using the response page found on the Device tab > Response Pages screen. Click "Disabled," check the "Enable SSL Opt-out Page" option and click OK.

The default SSL Opt-out page can be exported, edited in an HTML editor, and imported to provide company-specific information.

5. Test Outbound Decryption

To test outbound decryption:
1. Make sure that in the outbound policy, the action is to alert for any viruses found. Also enable packet capture on that anti-virus security profile.
2. Commit any changes made.
3. On a PC internal to the firewall, go to www.eicar.org. In the top right corner, click "Download anti-malware testfile." In the screen that appears, scroll to the bottom.
4. Download the eicar test virus using HTTP. Any of these four files will be detected.
5. Go to the Monitor tab > Threat log, and look for the log message that detects the eicar file. Click the green arrow in the column on the left to view the captured packets. Click the magnifying glass in the far left column to see the log detail. Scroll to the bottom and look for the field "Decrypted." The session was not decrypted.
6. Go back to the www.eicar.org downloads page. This time use the SSL-enabled protocol HTTPS to download the test virus.
7. Examine the Threat logs. The virus should have been detected, since the SSL connection was decrypted. A log message showing Eicar detected in web-browsing on port 443 will be visible.
8. View the packet capture (optional) by clicking the green arrow. To the left of that log entry, click the magnifying glass. Scroll to the bottom. Under Flags, check that "Decrypted" is checked. The virus was successfully detected in an SSL-encrypted session.

To test the "no-decrypt" rule, first determine what URLs fall into the financial services, shopping, or health and medicine categories. For BrightCloud, go to http://www.brightcloud.com/testasite.aspx. For PAN-DB, use Palo Alto Networks URL Filtering - Test A Site, and enter a URL to see what its category is. Once web sites classified into categories that will not be decrypted are found, use a browser to go to those sites using HTTPS. There should be no certificate error when going to those sites. The web pages will be displayed properly. Traffic logs will show the sessions where application SSL traverses port 443, as expected.

To Test Inbound Decryption:
1. Examine the traffic logs dated before enabling SSL inbound decryption on the firewall. Look at traffic targeted at the internal servers. In those logs, the application detected should be "ssl" going over port 443.
2. From a machine outside of the network, connect via SSL to a server in the DMZ. There will be no certificate errors, as the connection is not being proxied, just inspected.
3. Examine the logs for this inbound connection. The applications will not be "ssl" but the actual applications found inside the SSL tunnel. Click the magnifying glass icon in those log entries to confirm decrypted connections.

Helpful CLI Commands

To see how many existing SSL decryption sessions are going through the device:

    > debug dataplane pool statistics | match proxy

Output from a PA-2050, where the pool size shows 1024 available sessions, of which 1019 are free, i.e. five SSL sessions are currently being decrypted (1024-1019=5):

    admin@test> debug dataplane pool statistics | match proxy
    [18] proxy session            :    1019/1024    0x7f00723f1ee0

To see the active sessions that have been decrypted:

    > show session all filter ssl-decrypt yes state active

Maximum number of concurrent SSL decrypted sessions in PAN-OS 4.1, 5.0, 6.0 and 6.1 (both directions combined):

    Hardware          SSL Decrypted Session Limit
    VM-100            1,024 sessions
    VM-200            1,024 sessions
    VM-300            1,024 sessions
    PA-200            1,024 sessions
    PA-500            1,024 sessions
    PA-2020           1,024 sessions
    PA-2050           1,024 sessions
    PA-3020           7,936 sessions
    PA-3050           15,360 sessions
    PA-3060           15,360 sessions
    PA-4020           7,936 sessions
    PA-4050           23,808 sessions
    PA-4060           23,808 sessions
    PA-5020           15,872 sessions
    PA-5050           47,616 sessions
    PA-5060           90,112 sessions
    PA-7000-20G-NPC   131,072 sessions
    PA-7050           786,432 sessions

If the limit is reached, all new SSL sessions go through as undecrypted SSL. To drop any new SSL sessions beyond the session limit of the device:

    > set deviceconfig setting ssl-decrypt deny-setup-failure yes

To check if there are any sessions hitting the limit of the device:

    > show counter global name proxy_flow_alloc_failure

To view the SSL decryption certificate:

    > show system setting ssl-decrypt certificate
    Certificates for Global SSL Decryption
    CERT global trusted ssl-decryption
    x509 certificate
        version 2
        cert algorithm 4
        valid 150310210236Z -- 210522210236Z
        cert pki 1
        subject: 172.16.77.1
        issuer: 172.16.77.1
        serial number(9)
            00 b6 96 7e c9 99 1f a8  f7                      ...~.... .
        rsa key size 2048 siglen 2048
        basic constraints extension CA 1
    global untrusted ssl-decryption
    x509 certificate
        version 2
        cert algorithm 4
        valid 150310210236Z -- 210522210236Z
        cert pki 1
        subject: 172.16.77.1
        issuer: 172.16.77.1
        serial number(9)
            00 b6 96 7e c9 99 1f a8  f7                      ...~.... .
        rsa key size 2048 siglen 2048
        basic constraints extension CA 1

To view SSL decryption settings:

    > show system setting ssl-decrypt setting
    vsys                             : vsys1
    Forward Proxy Ready              : yes
    Inbound Proxy Ready              : no
    Disable ssl                      : no
    Disable ssl-decrypt              : no
    Notify user                      : no
    Proxy for URL                    : no
    Wait for URL                     : no
    Block revoked Cert               : yes
    Block timeout Cert               : no
    Block unknown Cert               : no
    Cert Status Query Timeout        : 5
    URL Category Query Timeout       : 5
    Fwd proxy server cert's key size : 0
    Use Cert Cache                   : yes
    Verify CRL                       : no
    Verify OCSP                      : no
    CRL Status receive Timeout       : 5
    OCSP Status receive Timeout      : 5
    Block unknown Cert               : no

For a list of resources about SSL Decryption, please refer to the following: SSL Decryption Quick Reference - Resources

For more information on supported cipher suites for SSL Decryption, please refer to the following:
- SSL Decryption Not Working Due to Unsupported Cipher Suites
- Limitations and Recommendations While Implementing SSL Decryption
- How to Identify Root Cause for SSL Decryption Failure Issues

Note: If anything else needs to be added to this document, please comment below.

owner: jdelio
nrice 01-25-2018 02:32 AM
Up to PAN-OS 6.1; for later OS versions, see this article.

Overview

This document describes how to correctly configure group-mapping to avoid inconsistencies in username format for cross-domain users in a multi-domain Active Directory Domain Services (AD DS) forest. When fetching all objects (users or groups) from any other domain in the forest, use an AD server defined as Global Catalog in group-mapping. The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain that is a member of the forest.

Important! If not configured properly, some users in group-mapping can end up formatted as fqdn-domain-name/username (dummy.example.com/username) instead of netbios-domain-name/username (dummydomain/username), leading to inconsistencies with the ip-user-mapping fetched from the User-ID Agent or by the agentless User-ID service.

Steps

1. The AD server configured with the Global Catalog role (usually the root domain) needs to be configured under LDAP server profiles. Connect to this server on port 3268 (or 3269 for SSL).
2. As usual, configure the Domain field to have PAN-OS replace the domain name. Leave it blank otherwise. Note: Be aware that doing this on the Global Catalog will replace the domain name for ALL users and groups fetched from this server, including those from other domains (members of the forest). Only add a domain name into this field if keeping it blank causes problems. For example, if the domain is "acme.local" but "acme" is needed, then enter "acme" in the Domain field.
3. Use this profile to configure the Group-Mapping (and the configured included list if needed).
4. If the Domain Name was not configured manually in step 2, it is mandatory to configure an additional group-mapping using another LDAP server profile, querying the same AD server on the regular port 389 (or 636 for SSL). This operation is mandatory to correctly populate the domain-map used to normalize the user format as netbios_domain_name/username. This profile will only be used to fetch the domain-map; configuring the Domain field is not necessary and may be left blank. The AD server used here can be another Domain Controller of your forest, as the partition container queried for the domain-map is replicated across all Domain Controllers. Please see the note on Step 2.
5. If Active Directory contains a large number of users and groups, you are advised to configure search filters for users and groups in the GM-AD setting. This mitigates the impact of LDAP query results on the Management-Plane resources for this Group-Mapping. As this Group-Mapping is only used to determine the domain-map, getting and handling the results for users and groups is not necessary.

In this example, search filters are configured with a 'Dummy' string that must be contained in the description field of users and groups, to guarantee that the LDAP query returns 0 results.

See Also: LDAP Group Mappings in a Mixed 6.x and 7.x Environment with Panorama

owner: nbilly
nbilly 12-01-2017 03:23 AM
Symptoms

After enabling SSL Decryption and adding 'No-Decrypt' rules, all traffic is still showing as decrypted in the logs. The decryption certificate is being presented for the site(s) in question rather than the site's original certificate.

Running test decryption-policy-match application ssl shows that the correct no-decrypt rule is matched.

Issue

If the site was accessed after creating the SSL-Decryption rule but before the No-decrypt rule was configured, this issue is likely to happen. This is a result of the certificate being found in the SSL-Decryption certificate cache.

Resolution

Clear this cache using the following command:

    > debug dataplane reset ssl-decrypt certificate-cache

owner: ppolizzi
ppolizzi 11-10-2017 05:42 AM
Overview

This document describes the CLI commands for adding URLs to, and removing them from, the ssl-exclude-cert list in order to exclude them from SSL decryption.

Details

For example, if there is a policy to decrypt sessions for the category "shopping", but you wish to exclude and not decrypt sessions to a site categorized as shopping (such as www.amazon.com), the single URL can be excluded by entering the following commands:

    > configure
    # set shared ssl-decrypt ssl-exclude-cert www.amazon.com
    # commit

The result will create an exclude rule for a single URL. The browser may need to be refreshed after adding the exclusion rule so that it recognizes the actual server certificate, as opposed to the self-signed certificate from the Palo Alto Networks device.

The configuration mode command show shared ssl-decrypt will display the entries in the exclude list:

    # show shared ssl-decrypt
    ssl-decrypt {
      ssl-exclude-cert [ www.amazon.com www.yahoo.com];

Note: If traffic is still reflected as decrypted in the traffic logs after making the above changes, it may be required to clear the SSL Decryption certificate cache to enforce the change:

    > debug dataplane reset ssl-decrypt certificate-cache

To revert, run the following commands:

    > configure
    # delete shared ssl-decrypt ssl-exclude-cert www.amazon.com
    # commit

owner: hmistry
nrice 11-10-2017 04:16 AM
PAN-OS 6.0 and later

Overview

Color Coded Tags were introduced in PAN-OS 6.0 and enable many types of objects to be categorized and visually distinguished. Administrators can easily determine whether their policy was created correctly by scanning the policy and confirming that the color coding of the objects follows the desired scheme.

Details

On the Device/Panorama GUI, navigate to the Objects tab. As shown below, the objects tree panel on the left side has a new tree node called "Tags" for color coded tag administration.

A tag object has three fields:
- Name
- Color
- Comments

The Name cannot contain a comma (,), since the comma is used as a separator when assigning tags. The Color value of the tag object can be selected from a palette of 16 predefined colors. The default value is "None," which is no color. Selecting a color is not required when creating a tag.

The following objects in the Palo Alto Networks Device/Panorama can be used with the new tag attribute:
- Objects > Address
- Objects > Address Groups
- Objects > Services
- Objects > Service Groups
- Network > Zones

Note: When using Tags with Zones, the drop-down must be used instead of typing a generic name, because the Tag is not selectable while editing the Zone.

Policies already have tags, but will be changed to use the new tag object. The above objects will all have a new tag column in their top-level grid. Only the first tag in an object may have color.

During the Add/Edit of any of the above objects, the tags attribute can be specified, as shown below. Tags can be selected from existing tags, and tag completion is case-insensitive. If the administrator adds a new tag, it is added as a tag object after "OK." The user can select a tag as the "colored tag" for an object while in the object/rule editor. The "colored tag" is saved as the first tag after "OK."

From policy tables, the user will see rule tags. Only the first tag in a rule may have color.

[Figure: An example of a Security Rulebase with no color tags used]
[Figure: An example of a Security Rulebase with color tags used for Zones and inside the objects]

Notice that the use of Color Tags makes the policy much easier to read.

Additional Details
- Tag name length is limited to 127 characters.
- There are only 16 colors; custom colors cannot be created.
- Multiple tags can use the same color.
- If an item has multiple tags with different colors, the first tag's color will be displayed, so order matters.
- In the CLI the config shows the color as color# (1-16), for example: set tag test1 color color4
- Panorama can push tag color configs. If a pushed tag conflicts with an existing tag on the firewall, the device config should take priority. Likewise, if there is a conflict between a shared and a VSYS-specific object, the VSYS object takes precedence.

Logging

Configuration logs are generated for add/edit/delete of tag objects and for setting tags on other objects.

Feature interaction with infrastructure components:
- High-availability: Tag configuration is synced, similar to other object configurations.
- Virtual system: Tag administration and tag assignment can be done per VSYS.
- Panorama: Tag administration and tag assignment are available on Panorama.

Panorama

The specified objects and zones in Network templates will have configuration for tags. The tag configuration will be pushed to the device groups and devices along with the objects and device templates. If it conflicts with an existing tag on the firewall, the device config should take priority. In the Network template on Panorama, zones can have tags specified, but no completion (drop-down) is available; users can only type tag names.

Tags can belong to a VSYS or be shared in a device and a device group, or be shared in Panorama.

owner: jdelio
10-10-2017 07:46 AM
Note: The following article outlines additional steps required in the event an app-override needs to be enabled for an active FTP connection. It is not required if app-override is not needed in the first place.

Overview
FTP is a TCP based service exclusively. There is no UDP component to FTP. FTP is an unusual service in that it utilizes two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins, however, when we find that depending on the mode, the data port is not always on port 20.

Details
Active FTP:
In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. Then, the client starts listening on port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.
From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:
- FTP server's port 21 from anywhere (Client initiates connection)
- FTP server's port 21 to ports > 1023 (Server responds to client's control port)
- FTP server's port 20 to ports > 1023 (Server initiates data connection to client's data port)
- FTP server's port 20 from ports > 1023 (Client sends ACKs to server's data port)

Passive FTP:
From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:
- FTP server's port 21 from anywhere (Client initiates connection)
- FTP server's port 21 to ports > 1023 (Server responds to client's control port)
- FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
- FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port)

Steps
The Palo Alto Networks firewall supports application overrides and helps with applications that have special requirements. To configure an override for the FTP protocol the following could apply:
- Create a custom application that uses the FTP ports 20 and 21 and the dynamic ports greater than 1024.
- Create an Application Override rule.
- Make sure that there is a Security policy allowing the newly defined traffic (custom-ftp), otherwise traffic for this application will be dropped.
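To make the active/passive port behaviour above concrete, here is an added example (not code from the original article) that derives the FTP data channel from the control-channel messages announcing it, the way a firewall's FTP inspection has to before it can tie a dynamic (> 1023) data port back to its control session. The control-channel lines in the transcript are constructed samples.

```python
"""
Parse the FTP control-channel messages that announce a data connection
(client PORT in active mode, server 227/229 replies in passive mode) and
derive the expected data-channel endpoints.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Active mode, sent by the client: "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# Passive mode, server reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Extended passive mode (RFC 2428), server reply: "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"^229\b.*\(\|\|\|(\d+)\|\)")


@dataclass(frozen=True)
class DataChannel:
    mode: str          # "active" or "passive"
    server_ip: str
    server_port: int   # 20 in active mode, the announced port in passive mode
    client_ip: str
    client_port: int   # the announced port in active mode; 0 = not known yet (passive)


def _decode_hostport(fields) -> Tuple[str, int]:
    """Turn the six comma-separated decimal fields into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("FTP host/port field out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_data_channel(line: str, client_ip: str, server_ip: str) -> Optional[DataChannel]:
    """Return the data channel announced by one control-channel line, else None."""
    m = PORT_RE.match(line)
    if m:
        host, port = _decode_hostport(m.groups())
        if host != client_ip:
            # The client asked the server to open a data connection to a third
            # host; a firewall should not open a pinhole for that.
            raise ValueError("PORT host does not match the control-channel client")
        return DataChannel("active", server_ip, 20, client_ip, port)
    m = PASV_RE.match(line)
    if m:
        host, port = _decode_hostport(m.groups())
        # Keep the announced address even if it differs from the control
        # session's server address, so the mismatch stays visible.
        return DataChannel("passive", host, port, client_ip, 0)
    m = EPSV_RE.match(line)
    if m:
        return DataChannel("passive", server_ip, int(m.group(1)), client_ip, 0)
    return None


def in_expected_range(ch: DataChannel) -> bool:
    """True when the dynamic end of the data channel is an unprivileged port (> 1023)."""
    dynamic_port = ch.client_port if ch.mode == "active" else ch.server_port
    return dynamic_port > 1023


def data_channels(transcript, client_ip: str, server_ip: str) -> List[DataChannel]:
    """Walk a (direction, line) control-channel transcript and collect announced data channels."""
    found = []
    for direction, line in transcript:
        if direction == "c>s" and not line.upper().startswith("PORT "):
            continue
        if direction == "s>c" and line[:3] not in ("227", "229"):
            continue
        ch = parse_data_channel(line, client_ip, server_ip)
        if ch is not None:
            found.append(ch)
    return found


# Constructed sample transcript: one active and one passive transfer on the same control session.
SAMPLE_TRANSCRIPT = [
    ("c>s", "USER anonymous"),
    ("s>c", "230 Login successful."),
    ("c>s", "PORT 192,168,1,10,4,1"),       # client listens on 4*256+1 = 1025
    ("s>c", "200 PORT command successful."),
    ("c>s", "RETR file1.bin"),
    ("c>s", "PASV"),
    ("s>c", "227 Entering Passive Mode (10,0,0,5,195,80)."),  # server listens on 195*256+80 = 50000
    ("c>s", "RETR file2.bin"),
]

if __name__ == "__main__":
    for ch in data_channels(SAMPLE_TRANSCRIPT, "192.168.1.10", "10.0.0.5"):
        print(ch, "dynamic port > 1023:", in_expected_range(ch))
```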
View full article
bbolovan ‎08-24-2017 02:34 AM
30,174 Views
7 Replies
6 Likes
Details
The IPv6 firewalling can be enabled or disabled through the WebUI or the CLI. In PAN-OS 5.0 and greater, this feature is enabled by default.

WebUI
The IPv6 firewalling can be enabled under Device > Setup > Session:
PAN-OS 7.0: (screenshot)
PAN-OS 8 and up: (screenshot)

CLI
> configure
# set deviceconfig setting session ipv6-firewalling [yes|no]
# commit

Interface configuration example:
To enable or disable IPv6 on an interface via CLI:
# set network interface ethernet ethernet1/3 layer3 ipv6 enabled [yes|no]
# commit

owner: sraghunandan
View full article
sraghunandan ‎05-23-2017 07:41 AM
19,305 Views
0 Replies
This article is outdated. Please see the following page with the most accurate information in it: Getting Started: Custom applications and app override

Please feel free to visit this new page for the latest info and to comment on this.
View full article
gsamuels ‎03-28-2017 04:05 PM
71,015 Views
0 Replies
3 Likes
Topology
Main Site: Dual ISPs. Single PAN firewall with dual Virtual Routers and dual VPNs. One ISP is used for all VPN traffic and the other is used for Internet traffic, as well as a backup for the VPN traffic.
Remote Site: Single PAN firewall with a single VR and a single ISP.
tunnel.156 (in VR2) will be the main VPN tunnel. The workstation will ping the remote site from VR1. The PBF rule will route the packet to the interface of tunnel.156 in VR2. When the PBF monitor fails, the packet uses the default route of the VPN network (tunnel.56) in VR1.

VR1 Setup
- Configure an IP address on the tunnel interface for PBF monitoring.
- Set up the static route for VPN/tunnel monitoring traffic.

VR2 Setup
- Configure an IP address for tunnel monitoring.
- Set up the static route for VPN/tunnel monitoring traffic.
- Create a return route for the source (route back to the other VR).

PBF Policy: (screenshot)

Security Policy: (screenshot)

admin@lab-56-PA500(active)> show pbf rule all
Rule       ID Rule State Action  Egress IF/VSYS NextHop        NextHop Status
====       == ========== ======  ============== ============== ==============
VPNtraffic 4  Active     Forward tunnel.156     156.156.156.58 UP

Session Flow:

admin@lab-56-PA500(active)> show session id 29290
Session 29290
  c2s flow:
    source: 192.168.56.30[Trust]
    dst:    192.168.57.1
    proto:  6
    sport:  3045    dport:  443
    state:  ACTIVE  type:  FLOW
    src user: unknown
    dst user: unknown
    pbf rule: VPNtraffic 4
  s2c flow:
    source: 192.168.57.1[vr2-vpn]
    dst:    192.168.56.30
    proto:  6
    sport:  443     dport:  3045
    state:  ACTIVE  type:  FLOW
    src user: unknown
    dst user: unknown
  start time          : Mon Aug 8 10:16:58 2011
  timeout             : 1800 sec
  time to live        : 1767 sec
  total byte count    : 47632
  layer7 packet count : 129
  vsys                : vsys1
  application         : ssl
  rule                : TrafficVPN
  session to be logged at end : True
  session in session ager     : True
  session synced from HA peer : False
  layer7 processing   : completed
  URL filtering enabled: False
  session via syn-cookies: False
  session terminated on host : False
  session traverses tunnel : True
  captive portal session : False
  ingress interface : ethernet1/6
  egress interface : tunnel.156
  session QoS rule : N/A(class 4)

admin@lab-56-PA500(active)> show pbf rule all
Rule       ID Rule State Action  Egress IF/VSYS NextHop        NextHop Status
====       == ========== ======  ============== ============== ==============
VPNtraffic 4  Active     Forward tunnel.156     156.156.156.58 DOWN

admin@lab-56-PA500(active)> show session id 61386
Session 61386
  c2s flow:
    source: 192.168.56.30[Trust]
    dst:    192.168.57.1
    proto:  6
    sport:  512     dport:  55042
    state:  INIT    type:  FLOW
    src user: unknown
    dst user: unknown
  s2c flow:
    source: 192.168.57.1[vpn]
    dst:    192.168.56.30
    proto:  1
    sport:  55042   dport:  512
    state:  INIT    type:  FLOW
    src user: unknown
    dst user: unknown
  start time          : Mon Aug 8 10:49:18 2011
  timeout             : 6 sec
  total byte count    : 74
  layer7 packet count : 1
  vsys                : vsys1
  application         : ping
  rule                : TrafficVPN
  session to be logged at end : True
  session in session ager     : False
  session synced from HA peer : False
  layer7 processing   : enabled
  URL filtering enabled: False
  session via syn-cookies: False
  session terminated on host : False
  session traverses tunnel : True
  captive portal session : False
  ingress interface : ethernet1/6
  egress interface : tunnel.56
  session QoS rule : N/A(class 4)

owner: panagent
View full article
panagent ‎01-27-2017 03:25 AM
28,961 Views
3 Replies
Details
This document describes how to configure the Palo Alto Networks device to serve a URL response page over an HTTPS session without SSL decryption.

Requirements
- Create a URL Filtering profile that blocks the unwanted HTTP and HTTPS websites.
- Create a Security Policy with an action of "allow" and then link the URL Filtering profile to it.
- Response pages must be enabled. This cannot be performed on a VWire interface; VWire requires SSL decryption to be able to serve a response page.
  - Network > Network Profiles > Interface-Mgmt: create an interface management profile with response pages enabled.
  - Network > Interfaces > Ethernet?/? > Advanced > Management Profile: select your management profile.
- A certificate to be used for Forward Trust on the Palo Alto Networks device, where it is one of the following:
  - A self-signed/self-generated certificate with which the box for "Certificate Authority" has been checked. Note: if using a self-signed/self-generated certificate it will be necessary to import this certificate into the client machine's certificate store to avoid unwanted browser certificate errors.
  - An intermediate CA certificate installed on the Palo Alto Networks device which was generated by an organization's internal CA.
- A certificate to be used for Forward Untrust, which is a self-signed/self-generated certificate with which the box for "Certificate Authority" has been checked. This certificate is NOT to be trusted by any client that receives it.

Note: If using dynamic URL filtering with BrightCloud, be sure to enable dynamic URL filtering on all URL filtering profiles as well as dynamic URL filtering globally. From the configure mode on the CLI of the device, enter the following command:
# set deviceconfig setting url dynamic-url yes
The above command will work only if the firewall is licensed for BrightCloud URL Filtering. It does not work for PAN-DB URL filtering.

Once the above requirements have been met, enable the Palo Alto Networks device's ability to inject URL filtering response pages within an HTTPS session with the following configuration command. This command works with either the BrightCloud or the PAN-DB URL filter:
# set deviceconfig setting ssl-decrypt url-proxy yes

Client machines browsing through the Palo Alto Networks device will now be served a URL filtering response within an HTTPS session as dictated by the URL Filtering policy.

Caveats with Continue and Override
Today's websites serve content from many sources. If serving a URL Response Page for an action of type Continue or Override, it is possible that some content on the page may not be rendered properly. This will happen if the content is coming from a site that is in a category for which the action is set to Block, Continue or Override. The firewall will not present the Continue and Override page for each embedded link.

Note: After you replace the certificate to renew its expiration date, restart the dataplane or the device. This removes the expired certificate cache in the dataplane.

owner: bvandivier
View full article
bvandivier ‎10-19-2016 09:15 AM
68,716 Views
24 Replies
4 Likes
Symptoms
A Security Rule has been configured to block the Facebook-Chat application. In the traffic log the firewall appears to have successfully blocked Facebook-Chat; however, the user can continue to use Facebook-chat over the web.

Diagnosis
When we use Facebook-Chat in a web page, the web client opens multiple sessions towards the server. Since Facebook integrated chat and messages into one service, half of the sessions will have a chat structure and the other half will have a mail structure. So in order to successfully and consistently block Facebook chat, you need to block both the facebook-chat and the facebook-mail applications.

Solution
Step 1. Enable decryption. For more information about Decryption, please refer to "How to Implement and Test SSL Decryption".
Step 2. Configure your security rule to block the "facebook-chat" and "facebook-mail" applications.
Step 3. Create another security rule that allows the "facebook-base" application. Add this security rule below the rule created in Step 2 above.

With the above configuration, the user can still browse to Facebook, but will not be able to use Facebook-Chat.
View full article
hsanada ‎09-30-2016 05:05 PM
3,757 Views
0 Replies
There is a newer version of this document here: Getting Started: Preparing the Firewall for Its First Use

See Also
Getting Started: The Series
View full article
Teresa ‎08-30-2016 09:14 AM
37,144 Views
2 Replies
Overview
It is possible to allow access to the Palo Alto Networks firewall using non-default ports on any interface. This document describes how to configure HTTPS and SSH access to the firewall from the Untrust zone, using a loopback interface in the Trust zone.

Steps
- Configure a loopback interface on the firewall and assign an interface Management Profile permitting the desired type of access.
  Note:
  - The management profile permitting access only needs to be on the loopback interface, and not the Untrust interface.
  - The IP assigned to the loopback interface should be unique and not identical to a dataplane or management interface.
- Configure custom services for the non-default ports that will allow access to the firewall. In this example, TCP/7777 is chosen for HTTPS and TCP/7778 for SSH access.
- Configure individual destination NAT policies to translate the custom ports to the default access ports.
- Configure a security policy allowing inbound access to the Untrust interface. Optionally, the specific ports to be allowed in this security policy can be included.
- Commit the changes.

After the commit operation is completed, access to the firewall should be available on its Untrust interface using the custom ports configured to allow access.

owner: tasonibare
View full article
tasonibare ‎08-24-2016 06:33 AM
30,978 Views
10 Replies
This document describes how to create and view NAT rules on the CLI (command line interface).

Use the following command to create a NAT rule on the CLI:
# set rulebase nat rules <NAT Rule Name> description <Description of NAT rule> from <Source Zone> to <Destination Zone> service <Service Type> source <Source IP Address> destination <Destination IP address> source-translation <Type of Source Translation> interface-address interface <Interface Port number>

The example below creates a static NAT translation with dynamic IP and port and uses interface ethernet1/4.
> configure
# set rulebase nat rules StaticNAT description staticNAT from DMZ to L3-Untrust service any source any destination any source-translation dynamic-ip-and-port interface-address interface ethernet1/4
# commit
# exit

Once committed, use the following command to confirm creation of the NAT rule.
> show running nat-policy

StaticNAT {
        from DMZ;
        source any;
        to L3-Untrust;
        to-interface  ;
        destination any;
        service  any/any/any;
        translate-to "src: ethernet1/4 10.46.40.56 (dynamic-ip-and-port) (pool idx: 2)";
        terminal no;
}

owner: rupalekar
View full article
rupalekar ‎07-25-2016 12:26 PM
21,926 Views
10 Replies
Issue
In some instances, File Blocking profile rules are not following a top-down order of operations when applying actions.

Cause
Overlapping File Blocking Profile rules exist with different actions. The File Blocking Profile rulebase does not follow a normal "top-down" approach when applying rule actions. When a file is seen in a traffic flow matching a Security policy with a File Blocking Profile applied, it will be checked against the configured File Blocking policy. When there is a single match, action is taken accordingly. In the case of multiple matches, the highest precedence action will be used. The options to move rules up/down the list are used purely for organization and cosmetic reasons.

Action Precedence
There are five actions that can be applied to File Blocking Profile rules. The order of precedence among the actions in PAN-OS 6.1 and earlier is as follows (highest first):
- continue-forward
- forward
- continue
- block
- alert
For example, if you configure rules with "alert" and "continue-forward", the "continue-forward" action takes precedence and will be the action that is applied.

Having said that, if, for example, an e-mail contains both an email-link and a PNG/JPG file, the email-link will take the continue-and-forward action and the PNG/JPG file will take the alert action, as the firewall can forward only the following file formats to the WildFire cloud:
- apk—Android Application Package (APK)
- email-link—HTTP/HTTPS
- flash—Adobe Flash applets
- jar—Java applets
- ms-office—Microsoft Office files
- pe—Portable Executable (PE) files
- pdf—Portable Document Format

owner: sspringer
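As an added example (not code from the original article), the following resolves the effective File Blocking action when more than one profile rule matches a file, using the PAN-OS 6.1-and-earlier precedence the article lists instead of top-down order. Treating a forward-type action as unavailable for file types WildFire does not accept is an assumption drawn from the article's email-link/PNG example; the rule definitions and sample attachments are constructed.

```python
"""
Effective File Blocking action per file: highest-precedence action among all
matching rules, evaluated per file rather than top-down.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Highest precedence first (PAN-OS 6.1 and earlier, as listed in the article).
PRECEDENCE = ["continue-forward", "forward", "continue", "block", "alert"]
RANK = {action: i for i, action in enumerate(PRECEDENCE)}
FORWARD_ACTIONS = {"continue-forward", "forward"}
# File formats the article says can be forwarded to the WildFire cloud.
WILDFIRE_FORMATS = frozenset({"apk", "email-link", "flash", "jar", "ms-office", "pe", "pdf"})


@dataclass(frozen=True)
class FileBlockingRule:
    name: str
    file_types: FrozenSet[str]     # {"any"} matches every file type
    applications: FrozenSet[str]   # {"any"} matches every application
    action: str

    def matches(self, file_type: str, application: str) -> bool:
        type_ok = "any" in self.file_types or file_type in self.file_types
        app_ok = "any" in self.applications or application in self.applications
        return type_ok and app_ok


def effective_action(rules: Iterable[FileBlockingRule], file_type: str,
                     application: str) -> Optional[str]:
    """Action applied to one file, or None when no rule matches."""
    applicable = []
    for rule in rules:
        if rule.action not in RANK:
            raise ValueError(f"unknown action {rule.action!r} in rule {rule.name}")
        if not rule.matches(file_type, application):
            continue
        if rule.action in FORWARD_ACTIONS and file_type not in WILDFIRE_FORMATS:
            # Assumption: forwarding cannot apply to a format WildFire does not accept,
            # so the next-highest matching action is used for that file.
            continue
        applicable.append(rule.action)
    if not applicable:
        return None
    return min(applicable, key=RANK.__getitem__)


def evaluate_email(rules: Iterable[FileBlockingRule], attachments: Iterable[str],
                   application: str = "smtp") -> List[Tuple[str, Optional[str]]]:
    """Per-file decisions for an e-mail carrying several file types."""
    rules = list(rules)
    return [(ft, effective_action(rules, ft, application)) for ft in attachments]


# Constructed profile: the alert-on-everything rule is listed first, yet it does
# not win for forwardable formats because position in the list does not matter.
SAMPLE_PROFILE = [
    FileBlockingRule("log-all", frozenset({"any"}), frozenset({"any"}), "alert"),
    FileBlockingRule("wildfire", WILDFIRE_FORMATS, frozenset({"any"}), "continue-forward"),
    FileBlockingRule("no-exe-over-web", frozenset({"pe"}), frozenset({"web-browsing"}), "block"),
]

if __name__ == "__main__":
    for ft, action in evaluate_email(SAMPLE_PROFILE, ["email-link", "jpg"]):
        print(f"{ft}: {action}")
    print("pe over web-browsing:", effective_action(SAMPLE_PROFILE, "pe", "web-browsing"))
```

Note that in the constructed profile a PE file over web-browsing matches both the block rule and the continue-forward rule, and under the article's precedence the continue-forward action wins.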
View full article
panagent ‎05-31-2016 02:09 PM
21,738 Views
10 Replies
2 Likes
Overview
This document describes how to enable, configure, and verify the DNS Proxy feature on a Palo Alto Networks firewall.

Steps

On the Web UI:
- Navigate to Network > DNS Proxy. Click Add to bring up the DNS Proxy dialog.
- Select the interfaces on which DNS proxy should be enabled. In the figure below, DNS proxy is enabled on interfaces ethernet 1/2 and 1/3.
- Select the primary and secondary servers to which the firewall should forward DNS queries. The example shows a configuration where DNS proxy is enabled on the ethernet 1/2 and 1/3 interfaces. The primary DNS server is configured as 10.0.0.246.
- Static entries can be added to the DNS proxy. Enter the FQDN and associated address information in the Static Entries tab.
- The Palo Alto Networks firewall can be configured to cache the results obtained from the DNS servers. For information on configuring DNS caching, refer to How to Configure Caching for the DNS Proxy.
  Note: If a DNS entry is not found in the cache, then the domain is matched against the static entries list. If a match occurs, then the corresponding address is served. If there is no match, the DNS request is forwarded to the configured Primary or Secondary DNS servers. The source of the DNS query is the ingress interface of the DNS request which, in this case, would be either ethernet1/2 or ethernet1/3.
- By configuring rules under the DNS Proxy Rules tab, the Palo Alto Networks firewall can forward selected domains to DNS servers different from the configured primary and secondary. The example shows a DNS proxy rule where techcrunch.com is forwarded to a DNS server at 10.0.0.36.
  Note: The Palo Alto Networks firewall can also perform reverse DNS proxy lookups.
- On the client side, configure the DNS server settings on the clients with the IP addresses of the interfaces where DNS proxy is enabled.

On the CLI:
> configure
# set network dns-proxy dnsruletest interface ethernet1/2 enabled yes
# set network dns-proxy dnsruletest default primary 10.0.0.246
# set network dns-proxy dnsruletest static-entries tss domain xyx.com address 1.1.1.1
# set network dns-proxy dnsruletest domain-servers test cacheable no primary 10.0.0.246 domain-name yahoo.com
# commit

Verification
Verify the DNS proxy using the following commands:
> show dns-proxy statistics all

Name: dnsruletest
Interfaces: ethernet1/2 ethernet1/3 ethernet1/4
Counters:
  Queries received from hosts:12
  Responses returned to hosts:12
  Queries forwarded to servers:6
  Responses received from servers:6
  Queries pending:0
    TCP:0
    UDP:0
--------------------------------------

> show dns-proxy cache all

Name: dnsruletest
Cache settings:
  Size:1024 entries
  Timeout:14400 seconds

Domain                 IP/Name                  Type  Class     TTL       Hits
------------------------------------------------------------------------------
2.2.2.4.in-addr.arpa   b.resolvers.level3.net   PTR   IN      60598      1

For more debugging information, look at the dnsproxyd.log:
> tail follow yes mp-log dnsproxyd.log

By default, same-zone traffic is allowed; however, if there is a "deny all" rule set, then a security rule is required to allow traffic. Add a security rule to allow DNS traffic.

Note: DNS proxy rules do not apply to traffic initiated from the firewall's management interface. For example: from the management interface, an attempt to ping something defined in the DNS proxy does not use the DNS proxy rule, but rather the DNS values from the server instead.

See Also
Can Management Interface use DNS Proxy Rules And Static Entries through DNS Proxy Object?
Blocking Suspicious DNS Queries with DNS Proxy Enabled

owner: sdurga
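The lookup order the steps above describe (cache, then static entries, then DNS proxy rules for specific domains, then the default primary/secondary servers) is modelled in this added example, which is not code from the original article. It reuses the article's sample values (primary 10.0.0.246, static entry xyx.com to 1.1.1.1, techcrunch.com forwarded to 10.0.0.36, yahoo.com with cacheable no); suffix matching for proxy-rule domains and the data structures are assumptions of the example.

```python
"""
Model of the DNS proxy decision order: cache -> static entries -> domain rules
-> default servers, with per-rule control over caching of forwarded answers.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class ProxyRule:
    domain: str          # domain the rule applies to (and, by assumption, its subdomains)
    server: str          # DNS server to which queries for this domain are forwarded
    cacheable: bool = True


@dataclass(frozen=True)
class Decision:
    source: str                 # "cache", "static", "rule:<name>" or "default"
    answer: Optional[str]       # address served locally (cache/static), else None
    forward_to: Optional[str]   # server the query is forwarded to, else None
    cacheable: bool = True      # whether the eventual response may be cached


@dataclass
class DnsProxy:
    primary: str
    secondary: Optional[str] = None
    static_entries: Dict[str, str] = field(default_factory=dict)   # fqdn -> address
    rules: Dict[str, ProxyRule] = field(default_factory=dict)      # rule name -> rule
    cache: Dict[str, str] = field(default_factory=dict)            # fqdn -> address

    @staticmethod
    def _norm(fqdn: str) -> str:
        return fqdn.rstrip(".").lower()

    def resolve(self, fqdn: str) -> Decision:
        """Decide where one query is answered from, in the article's order."""
        name = self._norm(fqdn)
        if name in self.cache:
            return Decision("cache", self.cache[name], None)
        if name in self.static_entries:
            return Decision("static", self.static_entries[name], None)
        for rule_name, rule in self.rules.items():
            d = self._norm(rule.domain)
            if name == d or name.endswith("." + d):
                return Decision(f"rule:{rule_name}", None, rule.server, rule.cacheable)
        # No cache hit, static entry or rule: forward to the default servers.
        return Decision("default", None, self.primary)

    def record_response(self, fqdn: str, address: str, decision: Decision) -> bool:
        """Cache a forwarded answer; returns False when the matched rule forbids caching."""
        if decision.forward_to is None or not decision.cacheable:
            return False
        self.cache[self._norm(fqdn)] = address
        return True


def build_article_proxy() -> DnsProxy:
    """The configuration from the article's CLI example, plus its techcrunch.com rule."""
    return DnsProxy(
        primary="10.0.0.246",
        static_entries={"xyx.com": "1.1.1.1"},
        rules={
            "test": ProxyRule("yahoo.com", "10.0.0.246", cacheable=False),
            "techcrunch": ProxyRule("techcrunch.com", "10.0.0.36"),
        },
    )


if __name__ == "__main__":
    proxy = build_article_proxy()
    for q in ("xyx.com", "news.techcrunch.com", "www.yahoo.com", "example.org"):
        print(q, proxy.resolve(q))
```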
View full article
sdurga ‎05-23-2016 06:53 AM
61,827 Views
4 Replies
1 Like
By default, a Palo Alto Networks firewall will not block multicast traffic when configured in VWire Mode. To block multicast packets:
- Configure a VWire with multicast firewalling enabled.
- Configure the ports to use for the VWire and the zones.
- Configure the policies to allow viewing the VWire traffic and block the unwanted multicast. The block policy needs to be above the allow policy. The allow policy will allow the administrator to view the multicast traffic.
- Connect the ports to the VWire: the port from the switch on one port, and the port on the Palo Alto Networks device on the other side of the VWire.
- Commit the changes and confirm that multicast is blocked by looking at the traffic logs.

owner: nayubi
View full article
npare ‎04-20-2016 05:32 AM
4,465 Views
0 Replies
PAN-OS 6.0

Details
This document describes how to set up log forwarding from a Log Collector in logger mode to a Syslog Server. An M-100 log collector is always managed by a Panorama management server. The Panorama management server can either be a VM or an M-100 in Panorama mode.

To access the Panorama Management server, perform the steps outlined below:
- Create a Syslog Profile: go to Panorama > Server Profiles > Syslog, click Add and create a syslog profile, as shown below: (screenshot)
- Add a Collector Group: go to Panorama > Collector Groups and click Add. There are four tabs in the Collector Group window, but for this configuration go to Collector Log Forwarding. For details on adding devices to a Collector Group and adding collectors to the group, please refer to this document: How to Configure an M-100 to Function as Both a Log Collector and Panorama. The Syslog Server profile can also be associated with Config, HIP Match, Traffic, Threat and WildFire.
- After the above step is done, proceed with the commit. First commit the changes to Panorama and then commit to the Collector Group. This is shown in the screenshot below. (screenshot)

owner: sodhegba
View full article
sodhegba ‎04-20-2016 02:17 AM
11,864 Views
4 Replies
2 Likes
Question
How do we allow Googlebot and other web crawlers through the Palo Alto Networks firewall?

What is Googlebot or a Web Crawler?
A web crawler is a program that visits web sites and reads their pages and other information in order to create entries for a search engine index.

Details
When websites are protected by a Palo Alto Networks firewall, allowing port 80 is enough for Google's web crawlers (spiders) or any other web crawler to access the website to index the content and add that to search results, but when using applications as part of the security policy, there are more requirements.

Answer
To allow Googlebot or any other web crawler through the firewall, in addition to the applications already allowed (web-browsing, ping, flash etc.), the 'web-crawler' application needs to be allowed as well. In order for 'web-crawler' to work properly, 'web-browsing' also needs to be allowed. See the 'Depends on Applications:' area in the application screenshot below.
Web-Crawler detail screen from Objects > Applications: (screenshot)
Note: If your security policy needs to restrict web crawling from a specific web crawler, the admin needs to use the source IP in the security policy. At this time, Palo Alto Networks does not have a separate application for "Googlebot".

owner: acamacho
View full article
npare ‎04-19-2016 07:15 PM
9,140 Views
4 Replies
Overview
Yes, but the only way to use URL filtering profiles without licenses is to create custom URL categories and manually assign a list of URLs to the custom category.

Steps
- Go to Objects > Custom Objects > URL Category. Click 'Add' to create a new profile. Manually enter the list of URLs that need to be included.
- Go to Objects > Security Profiles > URL Filtering. Create a URL filtering profile and browse to the custom category (marked with an asterisk). Set the action to block.
- Go to Policies > Security. In the security rule, select the URL profile created in the above steps.
- Commit the configuration.
The URLs that are listed in the custom category will be blocked per the action specified above.

Note: You cannot use the default URL categories listed on the device without licenses. You would get "No valid URL filtering license" warnings when you commit.

Alternate Solution:

Instead of creating a URL profile:
1. Create a custom object under Objects >> Custom Objects >> URL Category.
2. Create an object called  with the string or pattern that you would want to block. Ex: "*.example.com" etc.
3. In the security policy, call the above-created category with action "deny". Example:
T-U-Url {
  from L3-Trust;
  source any;
  source-region none;
  to L3-Untrust;
  destination any;
  destination-region none;
  user any;
  category Example;
  application/service any/any/any/any;
  action deny;
  terminal no;
}
4. With this you would not get the warning message about "No valid URL filtering license".
View full article
ppatel ‎04-19-2016 07:42 AM
12,109 Views
3 Replies
1 Like
PBF monitoring probes are generated by the dataplane to verify connectivity to a target IP address or to the next hop IP address. If the target IP address is reachable, the PBF rule is applied; otherwise the traffic goes through the normal route lookup phase.

Similarly, Tunnel Monitoring probes are a keepalive mechanism for Phase 2 of IPSec tunnels to monitor a remote IP over the tunnel. If the monitored IP is down, then the Phase 2 SA is deleted and renegotiated if the monitor profile is configured as "Fail Over".

Read the following document for the basic use cases of PBF monitoring: Policy Based Forwarding

Read the following document to understand how to select an IP for PBF or Tunnel Monitoring: Selecting an IP Address for PBF or Tunnel Monitoring

Note: PBF does not apply for traffic sourced from the firewall. Read the following document for the same: Policy-based forwarding doesn't work for traffic sourced from the Palo Alto Networks firewall

Tips to remember while using PBF monitoring:
- Probes use ICMP echo requests with the source IP address of the egress interface as configured under the Forwarding tab of the PBF rule.
- Probes do not go through the flow module. Route lookup, policy lookup, NAT lookup etc. do not apply to these probes on the firewall where monitoring is configured.
- Probes are sent out of the same egress interface as configured in the PBF rule, either via the next hop mentioned or, in case of a tunnel interface, via the same tunnel. Further down the network, these probes should be treated as normal ICMP echo requests, and for probes to be successful, proper access lists and routes should be configured.
- Probes are NOT sent out using the interface returned by route lookup, so pinging the monitored target IP address from the dataplane using the CLI is not always a valid test to troubleshoot monitoring probe failures.
- Probes do not create sessions, traffic logs, dataplane debug logs or packet captures on the source firewall, so the most appropriate place to check them is outside the firewall.
- If no IP address is specified for PBF monitoring, then the next hop router is monitored.

See the example of verification of monitoring probes in a case where the egress interface is a tunnel interface:

Topology
PA1 (tunnel.1: 100.1.1.1/32) =========== IPSEC Tunnel ========== (tunnel.1: 100.1.1.2/32) PA2 (eth1/4: 30.1.1.1/24)

In the above scenario, there is a PBF rule on PA1 to forward some traffic via tunnel.1. PBF monitoring is enabled with target IP address 30.1.1.1, which is the ethernet1/4 interface IP on the remote peer.

Tunnel interface configuration on PA1 (must have an IP address): (screenshot)
Forwarding tab configuration on the PBF rule on PA1: (screenshot)
Routing table on PA1 (no explicit route for target IP 30.1.1.1): (screenshot)
Security policy to allow the probes on PA2: (screenshot)
Management profile on ethernet1/4 to allow ping on PA2: (screenshot)
Reverse route for 100.1.1.1/32 (source IP of probes) on PA2: (screenshot)

Verification:

PBF rule status on PA1 when the target is reachable:

admin@PA-200> show pbf rule name Test-pbf

Rule:               Test-pbf(2)
Rule State:         Active        <<<<<<<<<<<<<
Action:             Forward
Symmetric Return:   No
Egress IF/VSYS:     tunnel.1
NextHop:            0.0.0.0
Monitor Slot:       1
Monitor IP:         30.1.1.1
NextHop Status:     UP            <<<<<<<<<<<<<
Monitor:            Action:Monitor, Interval:3, Threshold:5
Stats:              KA sent:1559, KA got:287, Packet Matched:0

Traffic logs on PA2 showing probe traffic as ping (look at the packets sent and received counters): (screenshot)

PBF rule status on PA1 when the target is unreachable:

admin@PA-200> show pbf rule name Test-pbf

Rule:               Test-pbf(2)
Rule State:         Disabled      <<<<<<<<<<<<<
Action:             Forward
Symmetric Return:   No
Egress IF/VSYS:     tunnel.1
NextHop:            0.0.0.0
Monitor Slot:       1
Monitor IP:         30.1.1.1
NextHop Status:     DOWN          <<<<<<<<<<<<<
Monitor:            Action:Monitor, Interval:3, Threshold:5
Stats:              KA sent:1675, KA got:342, Packet Matched:0

Traffic logs still showing on PA2 (look at the packets received counter): (screenshot)

Related Articles:
- Policy Based Forwarding Rule is Not Applied when the Monitoring Host is Unreachable
- PBF Rule is not Working When PBF Monitoring is Enabled for the IP Across the Tunnel
- How to Configure a Palo Alto Networks Firewall with Dual ISPs and Automatic VPN Failover
View full article
abjain ‎04-15-2016 12:41 AM
33,947 Views
3 Replies
2 Likes
For Internal Eyes Only!

Here you can learn how to configure a security policy from the CLI in configuration mode.

set rulebase security rules <name_of_security_policy> rule-type universal description <"Comments should be within quotes"> source <[ip address/subnets]> from <[zone/zones]> to Untrust-L3 destination <[ip address/subnets]> application <[any or specific application/applications]> service <[any or specific service/services]> category <[any or specific category]> action <allow or deny> log-end <yes or no> log-start <yes or no> profile-setting <profiles or groups> <specify profiles or group>

set rulebase security rules <name_of_security_policy> option disable-server-response-inspection <yes or no>

Here is an example:
PA> configure
PA# set rulebase security rules TrustL3_UntrustL3 rule-type universal description "Allow traffic from LAN to Internet" source [ any ] from [ Trust-L3 DMZ-L3 ] to Untrust-L3 destination [ 8.8.8.8 4.2.2.2 ] application [ ping ssl ] service [ service-http service-https ] category [ streaming-media entertainment-and-arts ] action allow log-end yes log-start no profile-setting profiles url-filtering default spyware default vulnerability default virus default

The next step is optional.
PA# set rulebase security rules TrustL3_UntrustL3 option disable-server-response-inspection no
View full article
pankaku ‎02-22-2016 05:47 PM
6,414 Views
0 Replies
Overview
A policy based forwarding (PBF) rule is not applied to a session when the monitoring host is unreachable. If no IP address is specified for monitoring, then the next hop router is monitored.

Details
When a PBF rule is configured with monitoring enabled (the "Monitor" option is checked), the egress interface sends keepalives (KA) to the monitoring IP address or next hop router to ensure that the link is up, as shown below.

> show pbf rule name test_PBF
Rule:               test_PBF(1)
Rule State:         Active
Action:             Forward
Symmetric Return:   No
Egress IF/VSYS:     ethernet1/3
NextHop:            10.66.24.1
Monitor IP:         4.2.2.2
NextHop Status:     UP
Monitor:            Action:Monitor, Interval:3, Threshold:5
Stats:              KA sent:198, KA got:198, Packet Matched:9871

If the keepalives are not received ("KA got"), then the next hop status will show DOWN and the PBF rule is not applied:
> show pbf rule all
Rule       ID   Rule State Action   Egress IF/VSYS NextHop      NextHop Status
---------- ---- ---------- -------- -------------- ------------ --------------
test_PBF   1    Active     Forward  ethernet1/3    10.66.24.1   DOWN

Note: The 'Rule State' will show Disabled if the option "Disable this rule if nexthop/monitor ip is unreachable" is checked in the PBF rule.

For the PBF rule to be applied, always ensure that the monitoring IP address or next hop router is reachable from the forwarding egress interface. If monitoring is disabled in the PBF configuration (the "Monitor" option is unchecked), then the PBF rule should be applied.

owner: gchandrasekaran
View full article
gchandrasekaran ‎01-13-2016 11:28 AM
8,502 Views
5 Replies
Definitions

ISP Load Balancing is used when more than one internet provider is connected to the firewall. Policy-Based Forwarding (PBF) is used to forward traffic based on the source subnet. ISP Redundancy is used when one service provider is down and all traffic needs to be routed to the remaining service provider.

Normally, the firewall uses the destination IP address in a packet to determine the outgoing interface. The firewall uses the routing table associated with the virtual router to which the interface is connected to perform the route lookup. Policy-Based Forwarding (PBF) allows the user to override the routing table and specify the outgoing (egress) interface based on specific parameters such as source or destination IP address, or type of traffic.

The following topology includes:
Two internal subnets
  Subnet1: 192.168.1.0/24
  Subnet2: 172.16.1.0/24
Two ISP gateways
  ISP1: 10.30.6.254
  ISP2: 10.30.1.254

Two important items to remember:
- PBF rules are applied either on the first packet (SYN) or the first response to the first packet (SYN/ACK). Application-specific rules are not recommended for use with PBF.
- Address translation (NAT) rules are not applied unless a security rule matched the connection, which is why security rules need to be in place for the address translation to work.

Configuring Redundancy

Primary ISP configuration:
Create a PBF rule that forwards traffic to the default gateway. Attach a tunnel monitoring profile and set the action as "disable on failure."

Monitoring Profile:
This configuration forces all traffic coming from the 192.168.1.0/24 subnet to egress out of Ethernet 1/3. A Monitor Profile is set up to monitor an IP address. In the test config, the monitor profile "multiple isp" is used to monitor the public DNS server 8.8.8.8.

When the monitor can no longer reach this IP address, the defined action (fail-over) takes place.
The PBF rule is disabled and the firewall falls back to the static route created in the virtual router, as shown below. Path monitoring verifies connectivity to an IP address so the firewall can direct traffic through an alternate route. The firewall uses ICMP pings as heartbeats to verify that the specified IP address is reachable.

A monitoring profile allows specifying the threshold number of heartbeats used to determine whether the IP address is reachable. When the monitored IP address is unreachable, the user can either disable the PBF rule or specify a fail-over or wait-recover action. Disabling the PBF rule allows the virtual router to take over the routing decisions.

Secondary ISP configuration:
Create a static route with a normal metric.

Configuring Load Sharing

Example 1: Load balancing with no backup
In this case, PBF is used to force traffic from different subnets through the respective ISP. In this scenario, all traffic from subnet 192.168.1.0/24 is forwarded out of Ethernet 1/3, and subnet 172.16.1.0/24 is forced out of Ethernet 1/4.

Rules:
- Rule 1: Subnet 192.168.1.0/24 going to 0.0.0.0/0, next hop is ISP 1
- Rule 2: Subnet 172.16.1.0/24 going to 0.0.0.0/0, next hop is ISP 2

Example 2: Load balancing and redundancy
In this case, PBF is used to forward traffic out of a particular interface based on the source, and a backup is configured in case the ISP goes down.

Rules:
- Rule 1: Subnet 192.168.0.0/24 going to 0.0.0.0/0, next hop is ISP 1
- Rule 2: Subnet 172.16.0.0/24 going to 0.0.0.0/0, next hop is ISP 2
- Backup for Rule 1: Subnet 192.168.0.0/24 going to 0.0.0.0/0, next hop is ISP 2
- Backup for Rule 2: Subnet 172.16.0.0/24 going to 0.0.0.0/0, next hop is ISP 1

Rule 1 and Rule 2 perform the same action as in Example 1. The backup rules allow traffic to go through the ISP that still has connectivity in case either ISP fails.
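To make the rule evaluation concrete, here is an added example (not the article's or PAN-OS code) that models how the Example 2 rule table, with "disable on failure" monitoring, picks an egress for a new session. The rule table, the ethernet1/3 and ethernet1/4 assignments and the static default route to ISP2 are constructed from the article's topology; the monitor state (which next hops are UP) is supplied as an input rather than probed.

```python
from ipaddress import ip_address, ip_network

# Constructed rule table for Example 2, using the article's subnets and ISP
# gateways (ISP1 10.30.6.254 via ethernet1/3, ISP2 10.30.1.254 via ethernet1/4).
# Rules are evaluated top-down on the first packet of a session; a rule whose
# monitored next hop is unreachable counts as disabled ("disable on failure"),
# so the backup rule further down matches instead.
PBF_RULES = [
    {"name": "Rule 1", "source": "192.168.0.0/24", "next_hop": "10.30.6.254", "egress": "ethernet1/3"},
    {"name": "Rule 2", "source": "172.16.0.0/24", "next_hop": "10.30.1.254", "egress": "ethernet1/4"},
    {"name": "Backup Rule 1", "source": "192.168.0.0/24", "next_hop": "10.30.1.254", "egress": "ethernet1/4"},
    {"name": "Backup Rule 2", "source": "172.16.0.0/24", "next_hop": "10.30.6.254", "egress": "ethernet1/3"},
]
# Virtual router default route used when no PBF rule applies: the secondary
# ISP static route from the redundancy setup (constructed).
STATIC_DEFAULT = ("10.30.1.254", "ethernet1/4")

def select_egress(src_ip, monitor_up, rules=PBF_RULES, default=STATIC_DEFAULT):
    """Return (decided_by, next_hop, egress_if) for a new session from src_ip.
    monitor_up maps a monitored next hop to True (UP) or False (DOWN); a hop
    with no entry is taken as reachable, like a rule with "Monitor" unchecked."""
    src = ip_address(src_ip)
    for rule in rules:
        if src not in ip_network(rule["source"]):
            continue
        if not monitor_up.get(rule["next_hop"], True):
            continue  # rule disabled while its next hop is DOWN
        return rule["name"], rule["next_hop"], rule["egress"]
    # No active PBF match: the virtual router's route lookup decides.
    return ("static route",) + default
```

Passing only the first rule (`rules=PBF_RULES[:1]`) reproduces the redundancy setup from the first part of the article: when ISP1's monitor fails, traffic falls through to the static route via ISP2.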
If VPNs are configured (IPSec or GlobalProtect), refer to the following documents for information on how to configure the VPNs:
- GlobalProtect Client Issues with Multiple ISPs
- How to Configure Dual VPNs with Dual ISPs from a Single Firewall to a Remote Site
- Administrator Guide: PBF Section
- PBF Step by Step configuration
- Use Case for PBF

owner: dpalani
dpalani 12-28-2015 04:22 PM