About rkim

Learn best practices and recommendations for securing Palo Alto Networks Panorama and Log Collector communications.   As a general recommendation, management interfaces for Panorama and Log Collectors should not have direct Internet access without a security device such as a Palo Alto Networks firewall inline. It is important to understand what traffic and protocols are expected to and from Panorama and Log Collectors to ensure proper firewalls rules can be applied in order to provide protection bi-directionally and block unexpected traffic. This post outlines what are expected protocols and ports for Panorama and Log Collectors. Expected Communications from Panorama and Log Collectors   It is generally suggested to allow Panorama or Log Collector communication ports and applications to or from specific IP Address(es) if known and deny all else. If certain ports or protocols are not leveraged, then it is not necessary to allow such traffic. Below is a table of all inbound and outbound communication to and from Panorama or Log Collectors. Please note, ports for user-defined services like external authentication and syslog servers are user-controlled. The default ports for these services are listed in the table below. Please review your server profile configurations to determine if non-standard ports are used in your environment.   Destination Port(s) Protocol Inbound/ Outbound Palo Alto Networks App-id Description 22 TCP Inbound and Outbound ssh Used for communication from a client system to the Panorama CLI interface and for SCP outbound. 25, 587 TCP Outbound smtp-base Used when email log alerts are configured from Panorama. Should only allow to trusted mail services. 28 TCP Inbound and Outbound ssh * Used for the HA connectivity and synchronization between Panorama HA peers using encrypted communication (SSH over TCP). Communication can be initiated by either peer. Used for communication between Log Collectors in a Collector Group for log distribution. 49 TCP Outbound tacacs-plus Used when TACACS+ authentication is configured on Panorama. Should only allow to trusted TACACS+ services. 53 UDP Outbound dns Port used for DNS lookups. 80, 443, 444 TCP Outbound paloalto-shared-services Used for all common traffic shared by various services from Palo Alto Network 88 TCP Outbound kerberos Used when Kerberos authentication is configured on Panorama. Should only allow to trusted Kerberos services. 123 UDP Outbound ntp Port used for NTP updates. 161 UDP Inbound snmp-base Port the Panorama listens on for polling requests (GET messages) from the SNMP manager. 162 UDP Outbound snmp-trap Port used to Forward SNMP traps to an SNMP Manager . 389,636 TCP Outbound ldap Used when LDAP authentication is configured on Panorama. Should only allow to trusted LDAP services. 443 TCP Inbound and Outbound ssl paloalto-updates + most ‘paloalto- ‘ applications Used for communication from a client system to the Panorama web interface. Also used for outbound communications from Panorama such as for content updates. 443 TCP Outbound paloalto-zero-touch-provision ZTP service traffic for Palo Alto Networks devices. 444 TCP Outbound paloalto-logging-service Panorama uses port 444 to connect to Cortex Data Lake for other log query and validity checks. 514 514 6514 TCP UDP SSL Outbound syslog Port used to send logs to a syslog server if you Configure Syslog Monitoring , and the ports that the PAN-OS integrated User-ID agent or Windows-based User-ID agent listens on for authentication syslog messages. 1812 UDP Outbound radius Used when RADIUS authentication is configured on Panorama. Should only allow to trusted RADIUS services. 2049 TCP Outbound nfs Used by the Panorama virtual appliance to write logs to the NFS datastore. 3978 TCP Inbound and Outbound panorama Used for communication between Panorama and managed firewalls or managed collectors, as well as for communication among managed collectors in a Collector Group: For communication between Panorama and firewalls. This connection is initiated from the managed firewall to Panorama and facilitates a bi-directional data exchange on which the firewalls forward logs to Panorama and Panorama pushes configuration changes to the firewalls. Context switching commands are sent over the same connection. Log Collectors use this destination port to forward logs to Panorama. For communication with the default Log Collector on an M-Series appliance in Panorama mode and with Dedicated Log Collectors. 10443 SSL Outbound paloalto-autofocus Port that Panorama uses to provide contextual information about a threat or to seamlessly shift your threat investigation to the Threat Vault and AutoFocus. 23000 to 23999 TCP, UDP, SSL Inbound syslog Used for Syslog communication between Panorama and the Traps ESM components. 28270 TCP Inbound and Outbound panorama Used for communication among Log Collectors in a Collector Group for log distribution. 28443 TCP Inbound paloalto-updates panorama Used for managed devices (firewalls and Log Collectors) to retrieve software and content updates from Panorama. 28769 TCP Inbound and Outbound panorama Used for the HA connectivity and synchronization between Panorama HA peers using clear text communication. Communication can be initiated by either peer. 44443 TCP Inbound and Outbound panorama-interconnect Port used for websocket communication between Panorama Controller and Nodes *  If this traffic is passing through Palo Alto Networks Firewall, 'ssh’ App-ID needs to be allowed using Custom Service object in the Security Policy Rule     Example Security Rules Configuration:   Create an application group with Panorama applications. Create rules to allow Panorama/Log Collector applications and a deny rule for all other unexpected applications for Panorama/Log Collector. Note that some communications may not be using application-default ports. The example below is an aggregation of App-IDs for all communication expected from the Panorama/Log Collector system. The next step of best practice would be to define discreet rules wherever possible from the Panorama/Log Collector system to external or untrusted/managed systems.   References:  Ports Used for Management Functions Ports Used for Panorama   What’s Next?  Most malware sneaks onto the network in legitimate applications or services. Therefore, to safely enable applications you must scan all traffic allowed into the network for threats. To do this, attach security profiles to all Security Policy rules that allow traffic so that you can detect threats—both known and unknown—in your network traffic. The following are the recommended best practice settings for each of the Security Profiles that you should attach to every Security Policy rule on your internet gateway policy rulebase. By tuning the rule base and increasing the visibility by following the best practices for Security Profiles you reduce the ability for attackers to easily traverse the environment and compromise additional hosts. Refer to the Best Practice Security Profiles for the Internet Gateway for more information   Security Advisories For available security advisories for Palo Alto Networks products, reference https://security.paloaltonetworks.com/ .   ... View more