PAN-OS

Administrator's Guide
Version 8.0

Contact Information

Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contactus

About this Guide

This guide takes you through the configuration and maintenance of your Palo Alto Networks next-generation firewall. For additional information, refer to the following resources:

For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or search the documentation.

For access to the knowledge base and community forums, refer to https://live.paloaltonetworks.com.

For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.

For the most current PAN-OS and Panorama 8.0 release notes, go to https://www.paloaltonetworks.com/documentation/80/panos/panosreleasenotes.html.

To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Revision Date: March 30, 2017

2 PAN-OS 8.0 Administrator's Guide Palo Alto Networks, Inc.
Table of Contents

Getting Started ..... 19
  Integrate the Firewall into Your Management Network ..... 20
    Determine Your Management Strategy ..... 20
    Perform Initial Configuration ..... 21
    Set Up Network Access for External Services ..... 25
  Register the Firewall ..... 29
  Activate Licenses and Subscriptions ..... 30
  Install Content and Software Updates ..... 32
  Segment Your Network Using Interfaces and Zones ..... 36
    Network Segmentation for a Reduced Attack Surface ..... 36
    Configure Interfaces and Zones ..... 37
  Set Up a Basic Security Policy ..... 40
  Assess Network Traffic ..... 45
  Enable Basic WildFire Forwarding ..... 47
  Control Access to Web Content ..... 49
  Enable AutoFocus Threat Intelligence ..... 52
  Best Practices for Completing the Firewall Deployment ..... 54

Firewall Administration ..... 55
  Management Interfaces ..... 56
  Use the Web Interface ..... 57
    Launch the Web Interface ..... 57
    Configure Banners, Message of the Day, and Logos ..... 58
    Use the Administrator Login Activity Indicators to Detect Account Misuse ..... 60
    Manage and Monitor Administrative Tasks ..... 62
    Commit, Validate, and Preview Firewall Configuration Changes ..... 62
    Use Global Find to Search the Firewall or Panorama Management Server ..... 64
    Manage Locks for Restricting Configuration Changes ..... 66
  Manage Configuration Backups ..... 67
    Save and Export Firewall Configurations ..... 67
    Revert Firewall Configuration Changes ..... 69
  Manage Firewall Administrators ..... 71
    Administrative Roles ..... 71
    Administrative Authentication ..... 72
    Configure Administrative Accounts and Authentication ..... 73
    Configure a Firewall Administrator Account ..... 74
    Configure Local or External Authentication for Firewall Administrators ..... 74
    Configure Certificate-Based Administrator Authentication to the Web Interface ..... 76
    Configure SSH Key-Based Administrator Authentication to the CLI ..... 78
  Reference: Web Interface Administrator Access ..... 79
    Web Interface Access Privileges ..... 79


    Panorama Web Interface Access Privileges ..... 123
  Reference: Port Number Usage ..... 126
    Ports Used for Management Functions ..... 126
    Ports Used for HA ..... 127
    Ports Used for Panorama ..... 127
    Ports Used for GlobalProtect ..... 128
    Ports Used for User-ID ..... 129
  Reset the Firewall to Factory Default Settings ..... 131
  Bootstrap the Firewall ..... 132
    USB Flash Drive Support ..... 132
    Sample init-cfg.txt Files ..... 133
    Prepare a USB Flash Drive for Bootstrapping a Firewall ..... 134
    Bootstrap a Firewall Using a USB Flash Drive ..... 137

Authentication ..... 139
  Authentication Types ..... 140
    External Authentication Services ..... 140
    Multi-Factor Authentication ..... 140
    SAML ..... 141
    Kerberos ..... 142
    TACACS+ ..... 143
    RADIUS ..... 144
    LDAP ..... 145
    Local Authentication ..... 145
  Plan Your Authentication Deployment ..... 147
  Configure Multi-Factor Authentication ..... 148
  Configure SAML Authentication ..... 152
  Configure Kerberos Single Sign-On ..... 157
  Configure Kerberos Server Authentication ..... 158
  Configure TACACS+ Authentication ..... 159
  Configure RADIUS Authentication ..... 161
  Configure LDAP Authentication ..... 164
  Configure Local Database Authentication ..... 165
  Configure an Authentication Profile and Sequence ..... 166
  Test Authentication Server Connectivity ..... 169
  Authentication Policy ..... 170
    Authentication Timestamps ..... 170
    Configure Authentication Policy ..... 171
  Troubleshoot Authentication Issues ..... 174

Certificate Management ..... 177
  Keys and Certificates ..... 178
  Certificate Revocation ..... 180
    Certificate Revocation List (CRL) ..... 180


    Online Certificate Status Protocol (OCSP) ..... 181
  Certificate Deployment ..... 182
  Set Up Verification for Certificate Revocation Status ..... 183
    Configure an OCSP Responder ..... 183
    Configure Revocation Status Verification of Certificates ..... 184
    Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption ..... 184
  Configure the Master Key ..... 186
  Obtain Certificates ..... 187
    Create a Self-Signed Root CA Certificate ..... 187
    Generate a Certificate ..... 188
    Import a Certificate and Private Key ..... 189
    Obtain a Certificate from an External CA ..... 190
  Export a Certificate and Private Key ..... 192
  Configure a Certificate Profile ..... 193
  Configure an SSL/TLS Service Profile ..... 195
  Replace the Certificate for Inbound Management Traffic ..... 196
  Configure the Key Size for SSL Forward Proxy Server Certificates ..... 197
  Revoke and Renew Certificates ..... 198
    Revoke a Certificate ..... 198
    Renew a Certificate ..... 198
  Secure Keys with a Hardware Security Module ..... 199
    Set up Connectivity with an HSM ..... 199
    Encrypt a Master Key Using an HSM ..... 204
    Store Private Keys on an HSM ..... 205
    Manage the HSM Deployment ..... 206

High Availability ..... 207
  HA Overview ..... 208
  HA Concepts ..... 209
    HA Modes ..... 209
    HA Links and Backup Links ..... 210
    Device Priority and Preemption ..... 213
    Failover ..... 213
    LACP and LLDP Pre-Negotiation for Active/Passive HA ..... 214
    Floating IP Address and Virtual MAC Address ..... 214
    ARP Load-Sharing ..... 216
    Route-Based Redundancy ..... 218
    HA Timers ..... 218
    Session Owner ..... 221
    Session Setup ..... 221
    NAT in Active/Active HA Mode ..... 223
    ECMP in Active/Active HA Mode ..... 224
  Set Up Active/Passive HA ..... 225
    Prerequisites for Active/Passive HA ..... 225
    Configuration Guidelines for Active/Passive HA ..... 226
    Configure Active/Passive HA ..... 228


    Define HA Failover Conditions ..... 233
    Verify Failover ..... 233
  Set Up Active/Active HA ..... 235
    Prerequisites for Active/Active HA ..... 235
    Configure Active/Active HA ..... 236
    Determine Your Active/Active Use Case ..... 241
    Use Case: Configure Active/Active HA with Route-Based Redundancy ..... 242
    Use Case: Configure Active/Active HA with Floating IP Addresses ..... 243
    Use Case: Configure Active/Active HA with ARP Load-Sharing ..... 244
    Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall ..... 245
    Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses ..... 249
    Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls ..... 252
    Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT ..... 253
    Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3 ..... 256
  HA Firewall States ..... 259
  Reference: HA Synchronization ..... 261
    What Settings Don't Sync in Active/Passive HA? ..... 261
    What Settings Don't Sync in Active/Active HA? ..... 263
    Synchronization of System Runtime Information ..... 265

Monitoring ..... 269
  Use the Dashboard ..... 270
  Use the Application Command Center ..... 271
    ACC First Look ..... 272
    ACC Tabs ..... 273
    ACC Widgets ..... 274
    Widget Descriptions ..... 276
    ACC Filters ..... 279
    Interact with the ACC ..... 280
    Use Case: ACC Path of Information Discovery ..... 284
  Use the App Scope Reports ..... 290
    Summary Report ..... 291
    Change Monitor Report ..... 292
    Threat Monitor Report ..... 293
    Threat Map Report ..... 294
    Network Monitor Report ..... 295
    Traffic Map Report ..... 296
  Use the Automated Correlation Engine ..... 297
    Automated Correlation Engine Concepts ..... 297
    View the Correlated Objects ..... 298
    Interpret Correlated Events ..... 299
    Use the Compromised Hosts Widget in the ACC ..... 301
  Take Packet Captures ..... 302
    Types of Packet Captures ..... 302


    Disable Hardware Offload ..... 303
    Take a Custom Packet Capture ..... 304
    Take a Threat Packet Capture ..... 308
    Take an Application Packet Capture ..... 309
    Take a Packet Capture on the Management Interface ..... 312
  Monitor Applications and Threats ..... 314
  View and Manage Logs ..... 315
    Log Types and Severity Levels ..... 315
    View Logs ..... 320
    Filter Logs ..... 321
    Export Logs ..... 322
    Configure Log Storage Quotas and Expiration Periods ..... 323
    Schedule Log Exports to an SCP or FTP Server ..... 323
  Monitor Block List ..... 325
  View and Manage Reports ..... 326
    Report Types ..... 326
    View Reports ..... 327
    Configure the Expiration Period and Run Time for Reports ..... 327
    Disable Predefined Reports ..... 328
    Custom Reports ..... 328
    Generate Custom Reports ..... 331
    Generate Botnet Reports ..... 333
    Generate the SaaS Application Usage Report ..... 335
    Manage PDF Summary Reports ..... 338
    Generate User/Group Activity Reports ..... 340
    Manage Report Groups ..... 341
    Schedule Reports for Email Delivery ..... 342
  Use External Services for Monitoring ..... 344
  Configure Log Forwarding ..... 345
  Configure Email Alerts ..... 348
  Use Syslog for Monitoring ..... 349
    Configure Syslog Monitoring ..... 349
    Syslog Field Descriptions ..... 351
  SNMP Monitoring and Traps ..... 376
    SNMP Support ..... 376
    Use an SNMP Manager to Explore MIBs and Objects ..... 377
    Enable SNMP Services for Firewall-Secured Network Elements ..... 381
    Monitor Statistics Using SNMP ..... 381
    Forward Traps to an SNMP Manager ..... 383
    Supported MIBs ..... 385
  Forward Logs to an HTTP(S) Destination ..... 393
  NetFlow Monitoring ..... 397
    Configure NetFlow Exports ..... 397
    NetFlow Templates ..... 398
  Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors ..... 403

User-ID ..... 405


  User-ID Overview ..... 406
  User-ID Concepts ..... 408
    Group Mapping ..... 408
    User Mapping ..... 408
  Enable User-ID ..... 413
  Map Users to Groups ..... 417
  Map IP Addresses to Users ..... 420
    Create a Dedicated Service Account for the User-ID Agent ..... 421
    Configure User Mapping Using the Windows User-ID Agent ..... 424
    Configure User Mapping Using the PAN-OS Integrated User-ID Agent ..... 432
    Configure User-ID to Monitor Syslog Senders for User Mapping ..... 434
    Map IP Addresses to Usernames Using Captive Portal ..... 444
    Configure User Mapping for Terminal Server Users ..... 451
    Send User Mappings to User-ID Using the XML API ..... 459
  Enable User- and Group-Based Policy ..... 460
  Enable Policy for Users with Multiple Accounts ..... 461
  Verify the User-ID Configuration ..... 463
  Deploy User-ID in a Large-Scale Network ..... 465
    Deploy User-ID for Numerous Mapping Information Sources ..... 465
    Redistribute User Mappings and Authentication Timestamps ..... 469

App-ID ..... 473
  App-ID Overview ..... 474
  Manage Custom or Unknown Applications ..... 475
  Manage New App-IDs Introduced in Content Releases ..... 476
    Review New App-IDs ..... 476
    Review New App-IDs Since Last Content Version ..... 477
    Review New App-ID Impact on Existing Policy Rules ..... 478
    Disable or Enable App-IDs ..... 479
    Prepare Policy Updates for Pending App-IDs ..... 480
  Use Application Objects in Policy ..... 482
    Create an Application Group ..... 482
    Create an Application Filter ..... 483
    Create a Custom Application ..... 484
  Applications with Implicit Support ..... 489
  Application Level Gateways ..... 492
  Disable the SIP Application-level Gateway (ALG) ..... 494

Threat Prevention ..... 495
  Set Up Antivirus, Anti-Spyware, and Vulnerability Protection ..... 496
  Create Threat Exceptions ..... 499
  Set Up Data Filtering ..... 501
  Set Up File Blocking ..... 504
  Prevent Brute Force Attacks ..... 507


    Customize the Action and Trigger Conditions for a Brute Force Signature ..... 508
  Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions ..... 511
  Enable Evasion Signatures ..... 516
  Prevent Credential Phishing ..... 517
    Methods to Check for Corporate Credential Submissions ..... 517
    Configure Credential Detection with the Windows-based User-ID Agent ..... 518
    Set Up Credential Phishing Prevention ..... 521
  Share Threat Intelligence with Palo Alto Networks ..... 525
    What Telemetry Data Does the Firewall Collect? ..... 525
    Passive DNS Monitoring ..... 526
    Enable Telemetry ..... 527
  Use DNS Queries to Identify Infected Hosts on the Network ..... 530
    DNS Sinkholing ..... 530
    Configure DNS Sinkholing for a List of Custom Domains ..... 532
    Configure the Sinkhole IP Address to a Local Server on Your Network ..... 534
    Identify Infected Hosts ..... 538
  Monitor Blocked IP Addresses ..... 540
  Learn More About and Assess Threats ..... 542
    Assess Firewall Artifacts with AutoFocus ..... 542
    Learn More About Threat Signatures ..... 546
    Monitor Activity and Create Custom Reports Based on Threat Categories ..... 549
  Content Delivery Network Infrastructure for Dynamic Updates ..... 551
  Threat Prevention Resources ..... 553

Decryption ..... 555
  Decryption Overview ..... 556
  Decryption Concepts ..... 557
    Keys and Certificates for Decryption Policies ..... 557
    SSL Forward Proxy ..... 558
    SSL Inbound Inspection ..... 560
    SSH Proxy ..... 561
    Decryption Mirroring ..... 562
    SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates ..... 562
    Perfect Forward Secrecy (PFS) Support for SSL Decryption ..... 563
  Define Traffic to Decrypt ..... 564
    Create a Decryption Profile ..... 564
    Create a Decryption Policy Rule ..... 566
  Configure SSL Forward Proxy ..... 568
  Configure SSL Inbound Inspection ..... 572
  Configure SSH Proxy ..... 574
  Decryption Exclusions ..... 575
    Palo Alto Networks Predefined Decryption Exclusions ..... 575
    Exclude a Server from Decryption ..... 576
    Create a Policy-Based Decryption Exclusion ..... 576
  Enable Users to Opt Out of SSL Decryption ..... 578


  Configure Decryption Port Mirroring ..... 580
  Temporarily Disable SSL Decryption ..... 582

URL Filtering ..... 583
  URL Filtering Overview ..... 584
    URL Filtering Vendors ..... 584
    Interaction Between App-ID and URL Categories ..... 585
    PAN-DB Private Cloud ..... 585
  URL Filtering Concepts ..... 588
    URL Categories ..... 588
    URL Filtering Profile ..... 590
    URL Filtering Profile Actions ..... 590
    Block and Allow Lists ..... 591
    External Dynamic List for URLs ..... 592
    Container Pages ..... 593
    HTTP Header Logging ..... 593
    URL Filtering Response Pages ..... 594
    URL Category as Policy Match Criteria ..... 596
  PAN-DB Categorization ..... 598
  Enable a URL Filtering Vendor ..... 600
    Enable PAN-DB URL Filtering ..... 600
    Enable BrightCloud URL Filtering ..... 601
  Determine URL Filtering Policy Requirements ..... 604
  Configure URL Filtering ..... 606
  Use an External Dynamic List in a URL Filtering Profile ..... 609
  Customize the URL Filtering Response Pages ..... 611
  Allow Password Access to Certain Sites ..... 612
  Safe Search Enforcement ..... 614
    Safe Search Settings for Search Providers ..... 614
    Block Search Results when Strict Safe Search is not Enabled ..... 615
    Transparently Enable Safe Search for Users ..... 618
  Monitor Web Activity ..... 622
    Monitor Web Activity of Network Users ..... 622
    View the User Activity Report ..... 625
    Configure Custom URL Filtering Reports ..... 627
  Set Up the PAN-DB Private Cloud ..... 630
    Configure the PAN-DB Private Cloud ..... 630
    Configure the Firewalls to Access the PAN-DB Private Cloud ..... 635
  URL Filtering Use Cases ..... 636
    Use Case: Control Web Access ..... 636
    Use Case: Use URL Categories for Policy Matching ..... 640
  Troubleshoot URL Filtering ..... 642
    Problems Activating PAN-DB ..... 642
    PAN-DB Cloud Connectivity Issues ..... 643
    URLs Classified as Not-Resolved ..... 644
    Incorrect Categorization ..... 644


    URL Database Out of Date ..... 645

Quality of Service ..... 647
  QoS Overview ..... 648
  QoS Concepts ..... 650
    QoS for Applications and Users ..... 650
    QoS Policy ..... 650
    QoS Profile ..... 651
    QoS Classes ..... 651
    QoS Priority Queuing ..... 652
    QoS Bandwidth Management ..... 652
    QoS Egress Interface ..... 653
    QoS for Clear Text and Tunneled Traffic ..... 653
  Configure QoS ..... 654
  Configure QoS for a Virtual System ..... 659
  Enforce QoS Based on DSCP Classification ..... 664
  QoS Use Cases ..... 667
    Use Case: QoS for a Single User ..... 667
    Use Case: QoS for Voice and Video Applications ..... 669

VPNs ..... 673
  VPN Deployments ..... 674
  Site-to-Site VPN Overview ..... 675
  Site-to-Site VPN Concepts ..... 676
    IKE Gateway ..... 676
    Tunnel Interface ..... 676
    Tunnel Monitoring ..... 677
    Internet Key Exchange (IKE) for VPN ..... 678
    IKEv2 ..... 680
  Set Up Site-to-Site VPN ..... 684
    Set Up an IKE Gateway ..... 684
    Define Cryptographic Profiles ..... 690
    Set Up an IPSec Tunnel ..... 693
    Set Up Tunnel Monitoring ..... 696
    Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel ..... 697
    Test VPN Connectivity ..... 699
    Interpret VPN Error Messages ..... 700
  Site-to-Site VPN Quick Configs ..... 701
    Site-to-Site VPN with Static Routing ..... 701
    Site-to-Site VPN with OSPF ..... 705
    Site-to-Site VPN with Static and Dynamic Routing ..... 711

Large Scale VPN (LSVPN) ..... 717
  LSVPN Overview ..... 718
  Create Interfaces and Zones for the LSVPN ..... 719
  Enable SSL Between GlobalProtect LSVPN Components ............................... 721
    About Certificate Deployment .................................................. 721
    Deploy Server Certificates to the GlobalProtect LSVPN Components ................ 721
    Deploy Client Certificates to the GlobalProtect Satellites Using SCEP ................ 724
  Configure the Portal to Authenticate Satellites ....................................... 727
  Configure GlobalProtect Gateways for LSVPN ........................................ 729
  Configure the GlobalProtect Portal for LSVPN ........................................ 732
    GlobalProtect Portal for LSVPN Prerequisite Tasks ................................ 732
    Configure the Portal ........................................................... 732
    Define the Satellite Configurations .............................................. 733
  Prepare the Satellite to Join the LSVPN .............................................. 737
  Verify the LSVPN Configuration .................................................... 740
  LSVPN Quick Configs ............................................................. 741
  Basic LSVPN Configuration with Static Routing ....................................... 742
  Advanced LSVPN Configuration with Dynamic Routing ................................ 745
  Advanced LSVPN Configuration with iBGP ........................................... 748

Networking ....................................................... 753
  Configure Interfaces .............................................................. 754
    Tap Interfaces ................................................................ 754
    Virtual Wire Interfaces ......................................................... 754
    Layer 2 Interfaces ............................................................. 758
    Layer 3 Interfaces ............................................................. 762
    Configure Layer 3 Interfaces ................................................... 762
    Manage IPv6 Hosts Using NDP ................................................. 768
    Configure an Aggregate Interface Group ......................................... 772
    Use Interface Management Profiles to Restrict Access ............................. 775
  Virtual Routers ................................................................... 777
  Service Routes ................................................................... 779
  Static Routes ..................................................................... 780
    Static Route Overview ......................................................... 780
    Static Route Removal Based on Path Monitoring .................................. 781
    Configure a Static Route ....................................................... 782
    Configure Path Monitoring for a Static Route ..................................... 784
  RIP ............................................................................. 788
  OSPF ........................................................................... 790
    OSPF Concepts ............................................................... 790
    Configure OSPF .............................................................. 792
    Configure OSPFv3 ............................................................ 796
    Configure OSPF Graceful Restart ............................................... 799
    Confirm OSPF Operation ...................................................... 800
  BGP ............................................................................. 802
    BGP Overview ................................................................ 802
    MP-BGP ..................................................................... 802
    Configure BGP ............................................................... 804
    Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast ....................... 810
    Configure a BGP Peer with MP-BGP for IPv4 Multicast ............................ 813
  Route Redistribution .............................................................. 815
  DHCP ........................................................................... 818
    DHCP Overview .............................................................. 818
    Firewall as a DHCP Server and Client ............................................ 819
    DHCP Messages .............................................................. 819
    DHCP Addressing ............................................................ 820
    DHCP Options ............................................................... 822
    Configure an Interface as a DHCP Server ........................................ 824
    Configure an Interface as a DHCP Client ......................................... 828
    Configure the Management Interface as a DHCP Client ........................... 829
    Configure an Interface as a DHCP Relay Agent ................................... 831
    Monitor and Troubleshoot DHCP ............................................... 831
  DNS ............................................................................ 833
    DNS Overview ............................................................... 833
    DNS Proxy Object ............................................................ 834
    DNS Server Profile ............................................................ 835
    Multi-Tenant DNS Deployments ................................................ 835
    Configure a DNS Proxy Object ................................................. 836
    Configure a DNS Server Profile ................................................. 838
    Use Case 1: Firewall Requires DNS Resolution for Management Purposes ........... 839
    Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System ........... 841
    Use Case 3: Firewall Acts as DNS Proxy Between Client and Server ................. 843
    Reference: DNS Proxy Rule and FQDN Matching ................................. 844
  NAT ............................................................................ 848
    NAT Policy Rules ............................................................. 848
    Source NAT and Destination NAT .............................................. 851
    NAT Rule Capacities .......................................................... 852
    Dynamic IP and Port NAT Oversubscription ...................................... 852
    Dataplane NAT Memory Statistics .............................................. 854
    Configure NAT ............................................................... 855
    NAT Configuration Examples ................................................... 862
  NPTv6 .......................................................................... 870
    NPTv6 Overview ............................................................. 870
    How NPTv6 Works ........................................................... 872
    NDP Proxy ................................................................... 873
    NPTv6 and NDP Proxy Example ................................................ 875
    Create an NPTv6 Policy ....................................................... 876
  NAT64 .......................................................................... 879
    NAT64 Overview ............................................................. 879
    IPv4-Embedded IPv6 Address .................................................. 880
    DNS64 Server ................................................................ 880
    Path MTU Discovery .......................................................... 881
    IPv6-Initiated Communication .................................................. 881
    Configure NAT64 for IPv6-Initiated Communication .............................. 883
    Configure NAT64 for IPv4-Initiated Communication .............................. 885
    Configure NAT64 for IPv4-Initiated Communication with Port Translation ........... 887
  ECMP ........................................................................... 891
    ECMP Load Balancing Algorithms ............................................... 891
    ECMP Model, Interface, and IP Routing Support .................................. 892
    Configure ECMP on a Virtual Router ............................................ 893
    Enable ECMP for Multiple BGP Autonomous Systems ............................. 894
    Verify ECMP ................................................................. 896
  LLDP ............................................................................ 897
    LLDP Overview ............................................................... 897
    Supported TLVs in LLDP ....................................................... 898
    LLDP Syslog Messages and SNMP Traps ......................................... 899
    Configure LLDP ............................................................... 900
    View LLDP Settings and Status ................................................. 902
    Clear LLDP Statistics .......................................................... 903
  BFD ............................................................................. 904
    BFD Overview ................................................................ 904
    Configure BFD ............................................................... 907
  Session Settings and Timeouts ..................................................... 914
    Transport Layer Sessions ....................................................... 914
    TCP ......................................................................... 914
    UDP ......................................................................... 919
    ICMP ........................................................................ 919
    Control Specific ICMP or ICMPv6 Types and Codes ............................... 921
    Configure Session Timeouts .................................................... 922
    Configure Session Settings ..................................................... 923
    Prevent TCP Split Handshake Session Establishment .............................. 926
  Tunnel Content Inspection ......................................................... 928
    Tunnel Content Inspection Overview ............................................ 928
    Configure Tunnel Content Inspection ............................................ 931
    View Inspected Tunnel Activity ................................................. 937
    View Tunnel Information in Logs ................................................ 938
    Create a Custom Report Based on Tagged Tunnel Traffic .......................... 939
  Reference: BFD Details ............................................................ 940

Policy ............................................................. 943
  Policy Types ..................................................................... 944
  Security Policy ................................................................... 945
    Components of a Security Policy Rule ........................................... 945
    Security Policy Actions ........................................................ 948
    Create a Security Policy Rule ................................................... 948
  Policy Objects .................................................................... 951
  Security Profiles .................................................................. 952
    Antivirus Profiles .............................................................. 953
    Anti-Spyware Profiles ......................................................... 953
    Vulnerability Protection Profiles ................................................ 954
    URL Filtering Profiles .......................................................... 954
    Data Filtering Profiles ......................................................... 955
    File Blocking Profiles .......................................................... 955
    WildFire Analysis Profiles ...................................................... 956
    DoS Protection Profiles ........................................................ 956
    Zone Protection Profiles ....................................................... 957
    Security Profile Group ......................................................... 957
  Best Practice Internet Gateway Security Policy ....................................... 962
    What Is a Best Practice Internet Gateway Security Policy? ......................... 962
    Why Do I Need a Best Practice Internet Gateway Security Policy? .................. 964
    How Do I Deploy a Best Practice Internet Gateway Security Policy? ................ 966
    Identify Whitelist Applications .................................................. 967
    Create User Groups for Access to Whitelist Applications .......................... 970
    Decrypt Traffic for Full Visibility and Threat Inspection ............................ 970
    Create Best Practice Security Profiles ........................................... 972
    Define the Initial Internet Gateway Security Policy ................................ 977
    Monitor and Fine-Tune the Policy Rulebase ...................................... 986
    Remove the Temporary Rules .................................................. 988
    Maintain the Rulebase ......................................................... 989
  Enumeration of Rules Within a Rulebase ............................................ 990
  Move or Clone a Policy Rule or Object to a Different Virtual System .................... 992
  Use Tags to Group and Visually Distinguish Objects .................................. 993
    Create and Apply Tags ........................................................ 993
    Modify Tags ................................................................. 994
    Use the Tag Browser .......................................................... 995
  Use an External Dynamic List in Policy .............................................. 999
    External Dynamic List ......................................................... 999
    Formatting Guidelines for an External Dynamic List .............................. 1000
    Palo Alto Networks Malicious IP Address Feeds ................................. 1001
    Configure the Firewall to Access an External Dynamic List ........................ 1002
    Retrieve an External Dynamic List from the Web Server .......................... 1004
    View External Dynamic List Entries ............................................ 1004
    Exclude Entries from an External Dynamic List .................................. 1005
    Enforce Policy on an External Dynamic List ..................................... 1006
    Find External Dynamic Lists That Failed Authentication ........................... 1008
    Disable Authentication for an External Dynamic List ............................. 1009
  Register IP Addresses and Tags Dynamically ........................................ 1011
  Monitor Changes in the Virtual Environment ........................................ 1012
    Enable VM Monitoring to Track Changes on the Virtual Network .................. 1012
    Attributes Monitored in the AWS and VMware Environments ..................... 1014
    Use Dynamic Address Groups in Policy ......................................... 1015
  CLI Commands for Dynamic IP Addresses and Tags .................................. 1018
  Identify Users Connected through a Proxy Server ................................... 1020
    Use XFF Values for Policies and Logging Source Users ........................... 1020
    Add XFF Values to URL Filtering Logs .......................................... 1021
  Policy-Based Forwarding ......................................................... 1022
    PBF ........................................................................ 1022
    Create a Policy-Based Forwarding Rule ......................................... 1024
    Use Case: PBF for Outbound Access with Dual ISPs .............................. 1026

Virtual Systems ................................................... 1033
  Virtual Systems Overview ........................................................ 1034
    Virtual System Components and Segmentation ................................. 1034
    Benefits of Virtual Systems ................................................... 1035
    Use Cases for Virtual Systems ................................................ 1035
    Platform Support and Licensing for Virtual Systems ............................. 1036
    Administrative Roles for Virtual Systems ....................................... 1036
    Shared Objects for Virtual Systems ............................................ 1036
  Communication Between Virtual Systems .......................................... 1037
    Inter-VSYS Traffic That Must Leave the Firewall ................................ 1037
    Inter-VSYS Traffic That Remains Within the Firewall ............................ 1038
    Inter-VSYS Communication Uses Two Sessions ................................. 1040
  Shared Gateway ................................................................ 1041
    External Zones and Shared Gateway ........................................... 1041
    Networking Considerations for a Shared Gateway ............................... 1042
  Configure Virtual Systems ....................................................... 1043
  Configure Inter-Virtual System Communication within the Firewall ................... 1046
  Configure a Shared Gateway ..................................................... 1047
  Customize Service Routes for a Virtual System ..................................... 1048
    Customize Service Routes to Services for Virtual Systems ........................ 1048
    Configure a PA-7000 Series Firewall for Logging Per Virtual System ............... 1050
    Configure Administrative Access Per Virtual System or Firewall ................... 1051
  Virtual System Functionality with Other Features ................................... 1054

Zone Protection and DoS Protection ................................ 1055
  Network Segmentation Using Zones .............................................. 1056
  How Do Zones Protect the Network? ............................................. 1057
  Zone Defense .................................................................. 1058
    Zone Defense Tools ......................................................... 1058
    How Do the Zone Defense Tools Work? ....................................... 1059
    Zone Protection Profiles ..................................................... 1060
    Packet Buffer Protection ..................................................... 1062
    DoS Protection Profiles and Policy Rules ....................................... 1063
  Configure Zone Protection to Increase Network Security ............................ 1066
    Configure Reconnaissance Protection ......................................... 1066
    Configure Packet-Based Attack Protection ..................................... 1067
    Configure Protocol Protection ................................................ 1067
    Configure Packet Buffer Protection ........................................... 1071
  DoS Protection Against Flooding of New Sessions .................................. 1073
    Multiple-Session DoS Attack ................................................. 1074
    Single-Session DoS Attack ................................................... 1076
    Configure DoS Protection Against Flooding of New Sessions ..................... 1077
    End a Single-Session DoS Attack .............................................. 1081
    Identify Sessions That Use an Excessive Percentage of the Packet Buffer .......... 1082
    Discard a Session Without a Commit .......................................... 1084

Certifications ..................................................... 1085
  Enable FIPS and Common Criteria Support ......................................... 1085
    Access the Maintenance Recovery Tool (MRT) .................................. 1086
    Change the Operational Mode to FIPS-CC Mode ................................ 1088
  FIPS-CC Security Functions ....................................................... 1089
Getting Started

The following topics provide detailed steps to help you deploy a new Palo Alto Networks next-generation firewall. They provide details for integrating a new firewall into your network, registering the firewall, activating licenses and subscriptions, and configuring basic security policies and threat prevention features.

After you perform the basic configuration steps required to integrate the firewall into your network, you can use the rest of the topics in this guide to help you deploy the comprehensive security platform features as necessary to address your network security needs.

- Integrate the Firewall into Your Management Network
- Register the Firewall
- Activate Licenses and Subscriptions
- Install Content and Software Updates
- Segment Your Network Using Interfaces and Zones
- Set Up a Basic Security Policy
- Assess Network Traffic
- Enable Basic WildFire Forwarding
- Control Access to Web Content
- Enable AutoFocus Threat Intelligence
- Best Practices for Completing the Firewall Deployment


Integrate the Firewall into Your Management Network

All Palo Alto Networks firewalls provide an out-of-band management port (MGT) that you can use to perform the firewall administration functions. By using the MGT port, you separate the management functions of the firewall from the data processing functions, safeguarding access to the firewall and enhancing performance. When using the web interface, you must perform all initial configuration tasks from the MGT port even if you plan to use an in-band data port for managing your firewall going forward.

Some management tasks, such as retrieving licenses and updating the threat and application signatures on the firewall, require access to the Internet. If you do not want to enable external access to your MGT port, you will need to either set up an in-band data port to provide access to required external services (using service routes) or plan to manually upload updates regularly.

The following topics describe how to perform the initial configuration steps that are necessary to integrate a new firewall into the management network and deploy it in a basic security configuration.

- Determine Your Management Strategy
- Perform Initial Configuration
- Set Up Network Access for External Services

NOTE: The following topics describe how to integrate a single Palo Alto Networks next-generation firewall into your network. However, for redundancy, consider deploying a pair of firewalls in a High Availability configuration.

Determine Your Management Strategy

The Palo Alto Networks firewall can be configured and managed locally or it can be managed centrally using Panorama, the Palo Alto Networks centralized security management system. If you have six or more firewalls deployed in your network, use Panorama to achieve the following benefits:

- Reduce the complexity and administrative overhead in managing configuration, policies, software and dynamic content updates. Using device groups and templates on Panorama, you can effectively manage firewall-specific configuration locally on a firewall and enforce shared policies across all firewalls or device groups.
- Aggregate data from all managed firewalls and gain visibility across all the traffic on your network. The Application Command Center (ACC) on Panorama provides a single glass pane for unified reporting across all the firewalls, allowing you to centrally analyze, investigate and report on network traffic, security incidents and administrative modifications.

The procedures that follow describe how to manage the firewall using the local web interface. If you want to use Panorama for centralized management, first Perform Initial Configuration and verify that the firewall can establish a connection to Panorama. From that point on you can use Panorama to configure your firewall centrally.


Perform Initial Configuration

By default, the firewall has an IP address of 192.168.1.1 and a username/password of admin/admin. For security reasons, you must change these settings before continuing with other firewall configuration tasks. You must perform these initial configuration tasks either from the MGT interface, even if you do not plan to use this interface for your firewall management, or using a direct serial connection to the console port on the firewall.

Set Up Network Access to the Firewall

Step 1: Gather the required information from your network administrator.
  - IP address for MGT port
  - Netmask
  - Default gateway
  - DNS server address

Step 2: Connect your computer to the firewall.
  You can connect to the firewall in one of the following ways:
  - Connect a serial cable from your computer to the Console port and connect to the firewall using terminal emulation software (9600-8-N-1). Wait a few minutes for the boot-up sequence to complete; when the firewall is ready, the prompt changes to the name of the firewall, for example PA-500 login.
  - Connect an RJ-45 Ethernet cable from your computer to the MGT port on the firewall. From a browser, go to https://192.168.1.1. Note that you may need to change the IP address on your computer to an address in the 192.168.1.0/24 network, such as 192.168.1.2, in order to access this URL.

Step 3: When prompted, log in to the firewall.
  You must log in using the default username and password (admin/admin). The firewall will begin to initialize.

Step 4: Configure the MGT interface.
  1. Select Device > Setup > Interfaces and edit the Management interface.
  2. Configure the address settings for the MGT interface using one of the following methods:
     - To configure static IP address settings for the MGT interface, set the IP Type to Static and enter the IP Address, Netmask, and Default Gateway.
     - To dynamically configure the MGT interface address settings, set the IP Type to DHCP Client. To use this method, you must Configure the Management Interface as a DHCP Client.
     To prevent unauthorized access to the management interface, it is a best practice to Add the Permitted IP Addresses from which an administrator can access the MGT interface.
  3. Set the Speed to auto-negotiate.
  4. Select which management services to allow on the interface.
     Make sure Telnet and HTTP are not selected because these services use plaintext and are not as secure as the other services and could compromise administrator credentials.
  5. Click OK.


Step 5: Configure DNS, update server, and proxy server settings.
  NOTE: You must manually configure at least one DNS server on the firewall or it will not be able to resolve hostnames; it will not use DNS server settings from another source, such as an ISP.
  1. Select Device > Setup > Services.
     - For multi-virtual system platforms, select Global and edit the Services section.
     - For single virtual system platforms, edit the Services section.
  2. On the Services tab, for DNS, click one of the following:
     - Servers: Enter the Primary DNS Server address and Secondary DNS Server address.
     - DNS Proxy Object: From the drop-down, select the DNS Proxy that you want to use to configure global DNS services, or click DNS Proxy to configure a new DNS proxy object.
  3. Click OK.

Step 6: Configure date and time (NTP) settings.
  1. Select Device > Setup > Services.
     - For multi-virtual system platforms, select Global and edit the Services section.
     - For single virtual system platforms, edit the Services section.
  2. On the NTP tab, to use the virtual cluster of time servers on the Internet, enter the hostname pool.ntp.org as the Primary NTP Server or enter the IP address of your primary NTP server.
  3. (Optional) Enter a Secondary NTP Server address.
  4. (Optional) To authenticate time updates from the NTP server(s), for Authentication Type, select one of the following for each server:
     - None (Default): Disables NTP authentication.
     - Symmetric Key: Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
       - Key ID: Enter the Key ID (1-65534).
       - Algorithm: Select the algorithm to use in NTP authentication (MD5 or SHA1).
     - Autokey: Firewall uses autokey (public key cryptography) to authenticate time updates.
  5. Click OK.


Step 7: (Optional) Configure general firewall settings as needed.
  1. Select Device > Setup > Management and edit the General Settings.
  2. Enter a Hostname for the firewall and enter your network Domain name. The domain name is just a label; it will not be used to join the domain.
  3. Enter Login Banner text that informs users who are about to log in that they require authorization to access the firewall management functions.
     As a best practice, avoid using welcoming verbiage. Additionally, you should ask your legal department to review the banner message to ensure it adequately warns that unauthorized access is prohibited.
  4. Enter the Latitude and Longitude to enable accurate placement of the firewall on the world map.
  5. Click OK.

Step 8: Set a secure password for the admin account.
  1. Select Device > Administrators.
  2. Select the admin role.
  3. Enter the current default password and the new password.
  4. Click OK to save your settings.

Step 9: Commit your changes.
  Click Commit at the top right of the web interface. The firewall can take up to 90 seconds to save your changes.
  NOTE: When the configuration changes are saved, you lose connectivity to the web interface because the IP address has changed.

Step 10: Connect the firewall to your network.
  1. Disconnect the firewall from your computer.
  2. Connect the MGT port to a switch port on your management network using an RJ-45 Ethernet cable. Make sure that the switch port you cable the firewall to is configured for autonegotiation.

Step 11: Open an SSH management session to the firewall.
  Using terminal emulation software, such as PuTTY, launch an SSH session to the firewall using the new IP address you assigned to it.


Step 12: Verify network access to external services required for firewall management, such as the Palo Alto Networks Update Server.
  You can do this in one of the following ways:
  - If you do not want to allow external network access to the MGT interface, you will need to set up a data port to retrieve required service updates. Continue to Set Up Network Access for External Services.
  - If you do plan to allow external network access to the MGT interface, verify that you have connectivity and then proceed to Register the Firewall and Activate Licenses and Subscriptions.
  1. Use the ping utility to verify network connectivity to the Palo Alto Networks Update server as shown in the following example. Verify that DNS resolution occurs and the response includes the IP address for the Update server; the update server does not respond to a ping request.
       admin@PA-200 > ping host updates.paloaltonetworks.com
       PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.
       From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
       From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
       From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
       From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
     NOTE: After verifying DNS resolution, press Ctrl+C to stop the ping request.
  2. Use the following CLI command to retrieve information on the support entitlement for the firewall from the Palo Alto Networks update server:
       request support check
     If you have connectivity, the update server will respond with the support status for your firewall. Because your firewall is not registered, the update server will return the following message:
       Contact Us
       https://www.paloaltonetworks.com/company/contact-us.html
       Support Home
       https://www.paloaltonetworks.com/support/tabs/overview.html
       Device not found on this update server
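One way to read the results of Step 12 from captured CLI output, added here as an example and not Palo Alto Networks code: it treats a resolved PING header as success even though every probe comes back Destination Host Unreachable, and treats the "Device not found" reply as proof that the update server was reached. The sample outputs are constructed to mirror the transcript above; the "unknown host" wording used for the DNS-failure sample is an assumption.

```python
"""Decide the outcome of Step 12 ("Verify network access to external services")
from captured CLI output.

The Palo Alto Networks update server does not answer ICMP, so a stream of
"Destination Host Unreachable" lines is not by itself a failure: the check
passes when the PING header shows the hostname resolved to an IP address.
Similarly, the "Device not found on this update server" reply to
`request support check` proves the server was reached; it only means the
firewall is not registered yet.

Added example, not Palo Alto Networks code. Sample outputs are constructed.
"""
import re

UPDATE_SERVER = "updates.paloaltonetworks.com"

# Constructed sample: DNS works, but nothing answers ICMP (the expected result).
PING_RESOLVED = """\
PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
"""

# Constructed sample: Step 5 (DNS servers) was skipped, so the name never
# resolves. The exact wording is an assumption.
PING_NO_DNS = "ping: unknown host updates.paloaltonetworks.com\n"

# Constructed sample: the reply the guide shows for an unregistered firewall.
SUPPORT_UNREGISTERED = """\
Contact Us
https://www.paloaltonetworks.com/company/contact-us.html
Support Home
https://www.paloaltonetworks.com/support/tabs/overview.html
Device not found on this update server
"""

# "PING <host> (<dotted quad>) ..." is printed only after resolution succeeds.
_PING_HEADER = re.compile(
    r"^PING\s+(?P<host>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
)
# "64 bytes from <ip>: icmp_seq=N ..." is a real echo reply; "From <ip>
# icmp_seq=N Destination Host Unreachable" is not and must not be counted.
_ECHO_REPLY = re.compile(r"\bbytes from\b.*\bicmp_seq=\d+")


def dns_resolution(ping_output, host=UPDATE_SERVER):
    """Report whether `ping host <host>` resolved the name and how many
    real echo replies arrived (expected: 0 for the update server)."""
    result = {"resolved": False, "ip": None, "echo_replies": 0}
    for line in ping_output.splitlines():
        m = _PING_HEADER.match(line)
        if m and m.group("host") == host:
            result["resolved"] = True
            result["ip"] = m.group("ip")
        elif _ECHO_REPLY.search(line):
            result["echo_replies"] += 1
    return result


def support_check_status(output):
    """Classify the reply to `request support check`."""
    text = output.strip().lower()
    if not text:
        return "no_response"      # nothing came back: no path to the server
    if "device not found on this update server" in text:
        return "unregistered"     # server reached; register the firewall next
    return "responded"            # server reached and returned a support status


def step12_verdict(ping_output, support_output):
    """Combine both checks into the next action the procedure calls for."""
    if not dns_resolution(ping_output)["resolved"]:
        return "fix_dns"                # revisit Step 5: DNS server settings
    status = support_check_status(support_output)
    if status == "no_response":
        return "no_update_server_path"  # set up a data port / service route
    if status == "unregistered":
        return "register_firewall"      # continue with Register the Firewall
    return "ok"


if __name__ == "__main__":
    print(dns_resolution(PING_RESOLVED))
    print(step12_verdict(PING_RESOLVED, SUPPORT_UNREGISTERED))
```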


Set Up Network Access for External Services

By default, the firewall uses the MGT interface to access remote services, such as DNS servers, content updates, and license retrieval. If you do not want to enable external network access to your management network, you must set up an in-band data port to provide access to required external services and set up service routes to instruct the firewall what port to use to access the external services.

NOTE: This task requires familiarity with firewall interfaces, zones, and policies. For more information on these topics, see Configure Interfaces and Zones and Set Up a Basic Security Policy.

Set Up a Data Port for Access to External Services

Step 1  Decide which port you want to use for access to external services and connect it to your switch or router port.
        The interface you use must have a static IP address.

Step 2  Log in to the web interface.
        Using a secure connection (https) from your web browser, log in using the new IP address and password you assigned during initial configuration (https://<IP address>). You will see a certificate warning; that is okay. Continue to the web page.

Step 3  (Optional) The firewall comes preconfigured with a default virtual wire interface between ports Ethernet 1/1 and Ethernet 1/2 (and a corresponding default security policy and zones). If you do not plan to use this virtual wire configuration, you must manually delete the configuration to prevent it from interfering with other interface settings you define.
        You must delete the configuration in the following order:
    1. To delete the default security policy, select Policies > Security, select the rule, and click Delete.
    2. To delete the default virtual wire, select Network > Virtual Wires, select the virtual wire and click Delete.
    3. To delete the default trust and untrust zones, select Network > Zones, select each zone and click Delete.
    4. To delete the interface configurations, select Network > Interfaces and then select each interface (ethernet1/1 and ethernet1/2) and click Delete.
    5. Commit the changes.


Step 4  Configure the interface you plan to use for external access to management services.
    1. Select Network > Interfaces and select the interface that corresponds to the port you cabled in Step 1.
    2. Select the Interface Type. Although your choice here depends on your network topology, this example shows the steps for Layer3.
    3. On the Config tab, expand the Security Zone drop-down and select New Zone.
    4. In the Zone dialog, enter a Name for the new zone, for example Management, and then click OK.
    5. Select the IPv4 tab, select the Static radio button, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.1.254/24. You must use a static IP address on this interface.
    6. Select Advanced > Other Info, expand the Management Profile drop-down, and select New Management Profile.
    7. Enter a Name for the profile, such as allow_ping, and then select the services you want to allow on the interface. For the purposes of allowing access to the external services, you probably only need to enable Ping and then click OK.
       These services provide management access to the firewall, so only select the services that correspond to the management activities you want to allow on this interface. For example, if you plan to use the MGT interface for firewall configuration tasks through the web interface or CLI, you would not want to enable HTTP, HTTPS, SSH, or Telnet, so that you could prevent unauthorized access through this interface (and if you did allow those services, you should limit access to a specific set of Permitted IP Addresses). For details, see Use Interface Management Profiles to Restrict Access.
    8. To save the interface configuration, click OK.
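The advice in sub-step 7 (enable only Ping on a data port, and never a management service without Permitted IP Addresses) can be turned into a repeatable check. The following is an added example, not code from the guide or from PAN-OS: it models a management profile as plain data and reports the exposures the step warns about. The profile names, the class and function names, and the permitted-IP ranges are all constructed for the example.

```python
"""Audit interface management profiles for the exposures Step 4.7 warns about.

Added example (not from the PAN-OS guide): a management profile is modelled
as the set of services it enables plus its Permitted IP Addresses list.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network

# Services the guide says give management access to the firewall itself; a
# data port that exists only to reach external update services needs none of them.
MANAGEMENT_SERVICES = {"http", "https", "ssh", "telnet"}
# Cleartext protocols: flagged even when the permitted-IP list is narrow.
CLEARTEXT_SERVICES = {"http", "telnet"}


@dataclass
class ManagementProfile:
    name: str
    services: set = field(default_factory=set)         # e.g. {"ping"}
    permitted_ips: list = field(default_factory=list)  # CIDR strings; empty means any source


def audit_profile(profile: ManagementProfile) -> list:
    """Return a list of findings; an empty list means the profile is as tight as the step describes."""
    findings = []
    services = {s.lower() for s in profile.services}
    exposed = services & MANAGEMENT_SERVICES
    for svc in sorted(exposed & CLEARTEXT_SERVICES):
        findings.append(f"{profile.name}: {svc} is a cleartext management protocol; disable it")
    if exposed and not profile.permitted_ips:
        findings.append(
            f"{profile.name}: {', '.join(sorted(exposed))} enabled with no Permitted IP Addresses")
    for cidr in profile.permitted_ips:
        # A /0 entry is the same as leaving the list empty.
        if ip_network(cidr, strict=False).prefixlen == 0:
            findings.append(f"{profile.name}: permitted IP {cidr} matches every source; narrow it")
    return findings


def audit_all(profiles) -> dict:
    """Map each profile name to its findings."""
    return {p.name: audit_profile(p) for p in profiles}


# Constructed sample profiles (hypothetical names; only allow_ping follows the guide's example).
SAMPLE_PROFILES = [
    ManagementProfile("allow_ping", {"ping"}),
    ManagementProfile("mgmt_open", {"ping", "https", "ssh", "telnet"}),
    ManagementProfile("mgmt_restricted", {"ping", "https", "ssh"}, ["10.0.0.0/24"]),
    ManagementProfile("mgmt_any", {"ssh"}, ["0.0.0.0/0"]),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PROFILES).items():
        print(name, "->", findings or "ok")
```

The check reads the profile in the same terms the web interface presents it (enabled services, permitted addresses), so it can be applied to an exported configuration before commit; a data-port profile should come back with no findings at all.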


Step 5  Configure the Service Routes.
        By default, the firewall uses the MGT interface to access the external services it requires. To change the interface the firewall uses to send requests to external services, you must edit the service routes.
        NOTE: This example shows how to set up global service routes. For information on setting up network access to external services on a virtual system basis rather than a global basis, see Customize Service Routes to Services for Virtual Systems.
    1. Select Device > Setup > Services > Global and click Service Route Configuration.
       NOTE: For the purposes of activating your licenses and getting the most recent content and software updates, you will want to change the service route for DNS, Palo Alto Networks Services, URL Updates, and AutoFocus.
    2. Click the Customize radio button, and select one of the following:
       - For a predefined service, select IPv4 or IPv6 and click the link for the service for which you want to modify the Source Interface and select the interface you just configured.
         If more than one IP address is configured for the selected interface, the Source Address drop-down allows you to select an IP address.
       - To create a service route for a custom destination, select Destination, and click Add. Enter a Destination name and select a Source Interface. If more than one IP address is configured for the selected interface, the Source Address drop-down allows you to select an IP address.
    3. Click OK to save the settings.
    4. Repeat steps 2 and 3 above for each service route you want to modify.
    5. Commit your changes.

Step 6  Configure an external-facing interface and an associated zone and then create a security policy rule to allow the firewall to send service requests from the internal zone to the external zone.
    1. Select Network > Interfaces and then select the external-facing interface. Select Layer3 as the Interface Type, Add the IP address (on the IPv4 or IPv6 tab), and create the associated Security Zone (on the Config tab), such as Internet. This interface must have a static IP address; you do not need to set up management services on this interface.
    2. To set up a security rule that allows traffic from your internal network to the Palo Alto Networks update server, select Policies > Security and click Add.
       As a best practice when creating Security policy rules, use application-based rules instead of port-based rules to ensure that you are accurately identifying the underlying application regardless of the port, protocol, evasive tactics, or encryption in use. Always leave the Service set to application-default. In this case, create a security policy rule that allows access to the update server (and other Palo Alto Networks services).


Step 7  Create a NAT policy rule.
    1. If you are using a private IP address on the internal-facing interface, you will need to create a source NAT rule to translate the address to a publicly routable address. Select Policies > NAT and then click Add. At a minimum you must define a name for the rule (General tab), specify a source and destination zone, Management to Internet in this case (Original Packet tab), and define the source address translation settings (Translated Packet tab) and then click OK.
    2. Commit your changes.

Step 8  Verify that you have connectivity from the data port to the external services, including the default gateway, and the Palo Alto Networks Update Server.
        After you verify you have the required network connectivity, continue to Register the Firewall and Activate Licenses and Subscriptions.
    1. Use the ping utility to verify network connectivity to the Palo Alto Networks Update server as shown in the following example. Verify that DNS resolution occurs and the response includes the IP address for the Update server; the update server does not respond to a ping request.

       admin@PA-200 > ping host updates.paloaltonetworks.com
       PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.
       From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
       From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
       From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
       From 192.168.1.1 icmp_seq=4 Destination Host Unreachable

       NOTE: After verifying DNS resolution, press Ctrl+C to stop the ping request.
    2. Use the following CLI command to retrieve information on the support entitlement for the firewall from the Palo Alto Networks update server:

       request support check

       If you have connectivity, the update server will respond with the support status for your firewall. Because your firewall is not registered, the update server will return the following message:

       Contact Us
       https://www.paloaltonetworks.com/company/contact-us.html
       Support Home
       https://www.paloaltonetworks.com/support/tabs/overview.html
       Device not found on this update server
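The two checks in Step 8 (and the identical checks at the end of Perform Initial Configuration) are easy to misread: "Destination Host Unreachable" looks like a failure, but the guide's point is that the resolved address in the PING line is what matters, and the "Device not found" reply is the expected answer from a reachable update server before registration. The following added example, not from the guide or from PAN-OS, encodes that reading as a classifier over captured CLI output. The sample outputs are constructed from the text shown above plus one constructed DNS failure; the function names are mine.

```python
"""Classify the Step 8 connectivity checks (ping host, request support check)
from their CLI output.

Added example, not from the PAN-OS guide. Sample outputs are constructed
from the text the guide shows; function names are mine.
"""
import re

# "PING <name> (<ip>)": the resolved address the guide tells you to look for.
PING_RESOLVED = re.compile(r"^PING\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)", re.M)
# Resolver failure strings (constructed; exact wording varies by platform).
PING_UNRESOLVED = re.compile(r"unknown host|Name or service not known", re.I)
# The exact text the guide says an unregistered firewall gets back.
UNREGISTERED_MSG = "Device not found on this update server"


def check_ping(output: str) -> dict:
    """Summarise ping output.

    dns_resolved is the pass/fail the guide cares about: the update server does
    not answer ICMP, so 'Destination Host Unreachable' after a resolved address
    still means name resolution works through the configured service route.
    """
    m = PING_RESOLVED.search(output)
    return {
        "dns_resolved": m is not None and PING_UNRESOLVED.search(output) is None,
        "address": m.group(2) if m else None,
        "replies": len(re.findall(r"^\d+ bytes from ", output, re.M)),
        "unreachable": len(re.findall(r"Destination Host Unreachable", output)),
    }


def classify_support_check(output: str) -> str:
    """'unregistered': the server answered with the guide's not-found message,
    so connectivity is fine and registration is the next step.
    'no_output': nothing came back, which points at a routing or service-route problem.
    'other': some other reply; inspect it by hand (the support-status format is not modelled)."""
    if UNREGISTERED_MSG in output:
        return "unregistered"
    if not output.strip():
        return "no_output"
    return "other"


def ready_to_register(ping_output: str, support_output: str) -> bool:
    """True when both Step 8 checks show what the guide expects before registration."""
    return (check_ping(ping_output)["dns_resolved"]
            and classify_support_check(support_output) == "unregistered")


# Sample output constructed from the guide's Step 8 example.
PING_OUTPUT = """PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
"""
SUPPORT_OUTPUT = """Contact Us
https://www.paloaltonetworks.com/company/contact-us.html
Support Home
https://www.paloaltonetworks.com/support/tabs/overview.html
Device not found on this update server
"""
# Constructed failure case: the DNS service route still points at an unreachable resolver.
PING_DNS_FAILURE = "ping: unknown host updates.paloaltonetworks.com\n"

if __name__ == "__main__":
    print(check_ping(PING_OUTPUT))
    print(classify_support_check(SUPPORT_OUTPUT))
    print("ready to register:", ready_to_register(PING_OUTPUT, SUPPORT_OUTPUT))
```

If `dns_resolved` is false, revisit the DNS service route in Step 5 before anything else; if the ping resolves but `request support check` returns nothing, the Palo Alto Networks Services route, the Step 6 security rule, or the Step 7 NAT rule is the usual cause.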


Register the Firewall

Before you can activate support and other licenses and subscriptions, you must first register the firewall.

If you are registering a VM-Series firewall, refer to the VM-Series Deployment Guide.

Register the Firewall

Step 1  Log in to the web interface.
        Using a secure connection (https) from your web browser, log in using the new IP address and password you assigned during initial configuration (https://<IP address>).

Step 2  Locate your serial number and copy it to the clipboard.
        On the Dashboard, locate your Serial Number in the General Information section of the screen.

Step 3  Go to the Palo Alto Networks Customer Support portal and log in.
        In a new browser tab or window, go to https://www.paloaltonetworks.com/support/tabs/overview.html.

Step 4  Register the firewall.
        You must have a support account to register a firewall. If you do not yet have a support account, click the Register link on the support login page and follow the instructions to get your account set up and register the firewall.
        If you already have a support account, log in and register the hardware-based firewall as follows:
    1. Select Assets > Devices.
    2. Click Register New Device.
    3. Select Register device using Serial Number or Authorization Code and click Submit.
    4. Enter the firewall Serial Number (you can copy and paste it from the firewall Dashboard).
    5. (Optional) Enter the Device Name and Device Tag.
    6. Provide information about where you plan to deploy the firewall, including the City, Postal Code, and Country.
    7. Read the end user license agreement (EULA) and then click Agree and Submit.


Activate Licenses and Subscriptions

Before you can start using your firewall to secure the traffic on your network, you must activate the licenses for each of the services you purchased. Available licenses and subscriptions include the following:
- Threat Prevention: Provides antivirus, anti-spyware, and vulnerability protection.
- Decryption Mirroring: Provides the ability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures, such as NetWitness or Solera, for archiving and analysis.
- URL Filtering: Provides the ability to create security policy that allows or blocks access to the web based on dynamic URL categories. You must purchase and install a subscription for one of the supported URL filtering databases: PAN-DB or BrightCloud. With PAN-DB, you can set up access to the PAN-DB public cloud or to the PAN-DB private cloud. For more information about URL filtering, see Control Access to Web Content.
- Virtual Systems: This license is required to enable support for multiple virtual systems on PA-3000 Series firewalls. In addition, you must purchase a Virtual Systems license if you want to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls (the base number varies by platform). The PA-800 Series, PA-500, PA-200, PA-220, and VM-Series firewalls do not support virtual systems.
- WildFire: Although basic WildFire support is included as part of the Threat Prevention license, the WildFire subscription service provides enhanced services for organizations that require immediate coverage for threats, frequent WildFire signature updates, advanced file type forwarding (APK, PDF, Microsoft Office, and Java Applet), as well as the ability to upload files using the WildFire API. A WildFire subscription is also required if your firewalls will be forwarding files to an on-premise WF-500 appliance.
- GlobalProtect: Provides mobility solutions and/or large-scale VPN capabilities. By default, you can deploy GlobalProtect portals and gateways (without HIP checks) without a license. If you want to use advanced GlobalProtect features (HIP checks and related content updates, the GlobalProtect Mobile App, IPv6 connections, or a GlobalProtect Clientless VPN) you will need a GlobalProtect license (subscription) for each gateway.
- AutoFocus: Provides a graphical analysis of firewall traffic logs and identifies potential risks to your network using threat intelligence from the AutoFocus portal. With an active license, you can also open an AutoFocus search based on logs recorded on the firewall.

Activate Licenses and Subscriptions

Step 1  Locate the activation codes for the licenses you purchased.
        When you purchased your subscriptions you should have received an email from Palo Alto Networks customer service listing the activation code associated with each subscription. If you cannot locate this email, contact Customer Support to obtain your activation codes before you proceed.

Step 2  Activate your Support license.
        You will not be able to update your PAN-OS software if you do not have a valid Support license.
    1. Log in to the web interface and then select Device > Support.
    2. Click Activate support using authorization code.
    3. Enter your Authorization Code and then click OK.


Step 3  Activate each license you purchased.
        Select Device > Licenses and then activate your licenses and subscriptions in one of the following ways:
        - Retrieve license keys from license server: Use this option if you activated your license on the Customer Support portal.
        - Activate feature using authorization code: Use this option to enable purchased subscriptions using an authorization code for licenses that have not been previously activated on the support portal. When prompted, enter the Authorization Code and then click OK.
        - Manually upload license key: Use this option if your firewall does not have connectivity to the Palo Alto Networks Customer Support website. In this case, you must download a license key file from the support site on an Internet-connected computer and then upload it to the firewall.

Step 4  Verify that the license was successfully activated.
        On the Device > Licenses page, verify that the license was successfully activated. For example, after activating the WildFire license, you should see that the license is valid.

Step 5  (WildFire subscriptions only) Perform a commit to complete WildFire subscription activation.
        After activating a WildFire subscription, a commit is required for the firewall to begin forwarding advanced file types. You should either:
        - Commit any pending changes.
        - Check that the WildFire Analysis profile rules include the advanced file types that are now supported with the WildFire subscription. If no change to any of the rules is required, make a minor edit to a rule description and perform a commit.


Install Content and Software Updates

In order to stay ahead of the changing threat and application landscape, Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to Palo Alto Networks firewalls. The firewalls access the web resources in the CDN to perform various App-ID and Content-ID functions. By default, the firewalls use the management port to access the CDN infrastructure for application updates, threat and antivirus signature updates, BrightCloud and PAN-DB database updates and lookups, and access to the Palo Alto Networks WildFire cloud. To ensure that you are always protected from the latest threats (including those that have not yet been discovered), you must keep your firewalls up to date with the latest content and software updates published by Palo Alto Networks.
The following content updates are available, depending on which subscriptions you have:

        Although you can manually download and install content updates at any time, as a best practice you should Schedule each content update. Scheduled updates occur automatically.

- Antivirus: Includes new and updated antivirus signatures, including WildFire signatures and automatically generated command-and-control (C2) signatures. WildFire signatures detect malware first seen by firewalls from around the world. Automatically generated C2 signatures detect certain patterns in C2 traffic (instead of the C2 server sending malicious commands to a compromised system); these signatures enable the firewall to detect C2 activity even when the C2 host is unknown or changes rapidly. You must have a Threat Prevention subscription to get these updates. New antivirus signatures are published daily.
- Applications: Includes new and updated application signatures. This update does not require any additional subscriptions, but it does require a valid maintenance/support contract. New application updates are published weekly. To review the policy impact of new application updates, see Manage New App-IDs Introduced in Content Releases.
- Applications and Threats: Includes new and updated application and threat signatures, including those that detect spyware and vulnerabilities. This update is available if you have a Threat Prevention subscription (and you get it instead of the Applications update). New Applications and Threats updates are published weekly, and the firewall can retrieve the latest update within 30 minutes of availability. To review the policy impact of new application updates, see Manage New App-IDs Introduced in Content Releases.
- GlobalProtect Data File: Contains the vendor-specific information for defining and evaluating host information profile (HIP) data returned by GlobalProtect agents. You must have a GlobalProtect license (subscription) and create an update schedule in order to receive these updates.
- GlobalProtect Clientless VPN: Contains new and updated application signatures to enable Clientless VPN access to common web applications from the GlobalProtect portal. You must have a GlobalProtect license (subscription) and create an update schedule in order to receive these updates and enable Clientless VPN to function.
- BrightCloud URL Filtering: Provides updates to the BrightCloud URL Filtering database only. You must have a BrightCloud subscription to get these updates. New BrightCloud URL database updates are published daily. If you have a PAN-DB license, scheduled updates are not required as firewalls remain in sync with the servers automatically.
- WildFire: Provides near-real-time malware and antivirus signatures created as a result of the analysis done by the WildFire cloud service. Without the subscription, you must wait 24 to 48 hours for the signatures to roll into the antivirus update.
- WF-Private: Provides malware signatures generated by an on-premise WildFire appliance.


Install Content and Software Updates

Step 1  Ensure that the firewall has access to the update server.
    1. By default, the firewall accesses the Update Server at updates.paloaltonetworks.com so that the firewall receives content updates from the server to which it is closest in the CDN infrastructure. If the firewall has restricted access to the Internet, set the update server address to use the hostname staticupdates.paloaltonetworks.com or the IP address 199.167.52.15 instead of dynamically selecting a server from the CDN infrastructure.
    2. (Optional) Click Verify Update Server Identity for an extra level of validation to enable the firewall to check that the server's SSL certificate is signed by a trusted authority. This is enabled by default.
    3. (Optional) If the firewall needs to use a proxy server to reach Palo Alto Networks update services, in the Proxy Server window, enter:
       - Server: IP address or hostname of the proxy server.
       - Port: Port for the proxy server. Range: 1-65535.
       - User: Username to access the server.
       - Password: Password for the user to access the proxy server. Re-enter the password at Confirm Password.


Step 2  Check for the latest content updates.
        Select Device > Dynamic Updates and click Check Now (located in the lower left-hand corner of the window) to check for the latest updates. The link in the Action column indicates whether an update is available:
        - Download: Indicates that a new update file is available. Click the link to begin downloading the file directly to the firewall. After successful download, the link in the Action column changes from Download to Install.
          NOTE: You cannot download the antivirus update until you have installed the Application and Threats update.
        - Upgrade: Indicates that a new version of the BrightCloud database is available. Click the link to begin the download and installation of the database. The database upgrade begins in the background; when completed, a check mark displays in the Currently Installed column. Note that if you are using PAN-DB as your URL filtering database you will not see an upgrade link because the PAN-DB database on the firewall automatically synchronizes with the PAN-DB cloud.
          To check the status of an action, click Tasks (on the lower right-hand corner of the window).
        - Revert: Indicates that a previously installed version of the content or software version is available. You can choose to revert to the previously installed version.

Step 3  Install the content updates.
        NOTE: Installation can take up to 20 minutes on a PA-200 or PA-500 firewall and up to two minutes on a PA-5000 Series, PA-7000 Series, or VM-Series firewall.
        Click the Install link in the Action column. When the installation completes, a check mark displays in the Currently Installed column.


Step 4  Schedule each content update.
        Repeat this step for each update you want to schedule.
        Stagger the update schedules because the firewall can only download one update at a time. If you schedule the updates to download during the same time interval, only the first download will succeed.
    1. Set the schedule of each update type by clicking the None link.
    2. Specify how often you want the updates to occur by selecting a value from the Recurrence drop-down. The available values vary by content type (WildFire updates are available Every Minute, Every 15 Minutes, Every 30 minutes, or Every Hour, whereas Applications and Threats updates can be scheduled for Weekly, Daily, Hourly, or Every 30 Minutes and Antivirus updates can be scheduled for Hourly, Daily, or Weekly).
       As new WildFire signatures are made available every five minutes, set the firewall to retrieve WildFire updates Every Minute to get the latest signatures within a minute of availability.
    3. Specify the Time (or, in the case of WildFire, the minutes past the hour) and, if applicable for the Recurrence value you selected, the Day of the week on which you want the updates to occur.
    4. Specify whether you want the system to Download Only or, as a best practice, Download And Install the update.
    5. Enter how long after a release to wait before performing a content update in the Threshold (Hours) field. In rare instances, errors in content updates may be found. For this reason, you may want to delay installing new updates until they have been released for a certain number of hours.
    6. Click OK to save the schedule settings.
    7. Click Commit to save the settings to the running configuration.
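The stagger rule in Step 4 (one download at a time, so overlapping schedules lose all but the first) and the Threshold (Hours) delay in sub-step 5 are both easy to check before committing. The following added example, not from the guide or from PAN-OS, models each schedule as the Recurrence, Time and Threshold values the dialog asks for and reports pairs that would start in the same minute. The class and function names and the sample schedules are mine.

```python
"""Stagger check for content update schedules (Step 4) and the Threshold
(Hours) delay (Step 4.5).

Added example, not from the PAN-OS guide. Schedules are modelled as plain
data the way the Recurrence, Time and Threshold fields describe them; the
class and function names and the sample schedules are mine.
"""
from dataclasses import dataclass
from itertools import combinations

WEEK_MINUTES = 7 * 24 * 60


@dataclass(frozen=True)
class UpdateSchedule:
    update_type: str          # e.g. "antivirus", "apps-and-threats", "wildfire"
    recurrence: str           # weekly | daily | hourly | every-30-minutes | every-15-minutes | every-minute
    time: str = "00:00"       # "HH:MM" for weekly/daily; "MM" (minutes past the hour) for hourly
    day: int = 0              # weekly only: 0 = Monday ... 6 = Sunday
    threshold_hours: int = 0  # Threshold (Hours): wait this long after release before installing


def start_minutes(s: UpdateSchedule) -> set:
    """Minute offsets within one week at which the schedule starts a download."""
    if s.recurrence in ("weekly", "daily"):
        h, m = (int(x) for x in s.time.split(":"))
        days = [s.day] if s.recurrence == "weekly" else range(7)
        return {d * 1440 + h * 60 + m for d in days}
    if s.recurrence == "hourly":
        return {h * 60 + int(s.time) for h in range(7 * 24)}
    step = {"every-30-minutes": 30, "every-15-minutes": 15, "every-minute": 1}[s.recurrence]
    return set(range(0, WEEK_MINUTES, step))


def find_collisions(schedules) -> list:
    """Pairs of update types that start in the same minute.

    The guide: the firewall downloads one update at a time, so of two downloads
    scheduled for the same interval only the first succeeds. Every-minute
    schedules (what the guide recommends for WildFire) are left out of the
    pairwise check because they overlap everything by design; that exclusion is
    my simplification, not something the guide states.
    """
    checked = [s for s in schedules if s.recurrence != "every-minute"]
    starts = {s.update_type: start_minutes(s) for s in checked}
    return [(a.update_type, b.update_type)
            for a, b in combinations(checked, 2)
            if starts[a.update_type] & starts[b.update_type]]


def eligible_for_install(s: UpdateSchedule, hours_since_release: float) -> bool:
    """Apply the Threshold (Hours) delay: a release younger than the threshold is skipped."""
    return hours_since_release >= s.threshold_hours


# Constructed sample: antivirus hourly on the hour collides with the 01:00 daily
# Applications and Threats download; moving antivirus to :30 resolves it.
CLASHING = [
    UpdateSchedule("antivirus", "hourly", "00"),
    UpdateSchedule("apps-and-threats", "daily", "01:00", threshold_hours=6),
    UpdateSchedule("wildfire", "every-minute"),
]
STAGGERED = [
    UpdateSchedule("antivirus", "hourly", "30"),
    UpdateSchedule("apps-and-threats", "daily", "01:00", threshold_hours=6),
    UpdateSchedule("wildfire", "every-minute"),
]

if __name__ == "__main__":
    print("clashing:", find_collisions(CLASHING))
    print("staggered:", find_collisions(STAGGERED))
    print("install 5h after release:", eligible_for_install(CLASHING[1], 5))
```

Same-minute starts are the strictest reading of the guide's warning; if downloads on your platform take longer than a minute, widen the comparison window accordingly.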

Step 5  Update PAN-OS.
        Always update content before updating PAN-OS. Every PAN-OS version has a minimum supported content release version.
    1. Review the Release Notes.
    2. Update the PAN-OS software.


Segment Your Network Using Interfaces and Zones

Traffic must pass through the firewall in order for the firewall to manage and control it. Physically, traffic enters and exits the firewall through interfaces. The firewall determines how to act on a packet based on whether the packet matches a Security policy rule. At the most basic level, each Security policy rule must identify where the traffic came from and where it is going. On a Palo Alto Networks next-generation firewall, Security policy rules are applied between zones. A zone is a grouping of interfaces (physical or virtual) that represents a segment of your network that is connected to, and controlled by, the firewall. Because traffic can only flow between zones if there is a Security policy rule to allow it, this is your first line of defense. The more granular the zones you create, the greater control you have over access to sensitive applications and data and the more protection you have against malware moving laterally throughout your network. For example, you might want to segment access to the database servers that store your customer data into a zone called Customer Data. You can then define security policies that only permit certain users or groups of users to access the Customer Data zone, thereby preventing unauthorized internal or external access to the data stored in that segment.
- Network Segmentation for a Reduced Attack Surface
- Configure Interfaces and Zones

Network Segmentation for a Reduced Attack Surface

The following diagram shows a very basic example of Network Segmentation Using Zones. The more granular you make your zones (and the corresponding security policy rules that allow traffic between zones), the more you reduce the attack surface on your network. This is because traffic can flow freely within a zone (intrazone traffic), but traffic cannot flow between zones (interzone traffic) until you define a Security policy rule that allows it. Additionally, an interface cannot process traffic until you have assigned it to a zone. Therefore, by segmenting your network into granular zones you have more control over access to sensitive applications or data and you can prevent malicious traffic from establishing a communication channel within your network, thereby reducing the likelihood of a successful attack on your network.


Configure Interfaces and Zones

After you identify how you want to segment your network and the zones you will need to create to achieve the segmentation (as well as the interfaces to map to each zone), you can begin configuring the interfaces and zones on the firewall. Configure interfaces on the firewall to support the topology of each part of the network you are connecting to. The following workflow shows how to configure Layer 3 interfaces and assign them to zones. For details on integrating the firewall using a different type of interface deployment (for example as Virtual Wire Interfaces or as Layer 2 Interfaces), see Networking.

        The firewall comes preconfigured with a default virtual wire interface between ports Ethernet 1/1 and Ethernet 1/2 (and a corresponding default security policy and virtual router). If you do not plan to use the default virtual wire, you must manually delete the configuration and commit the change before proceeding to prevent it from interfering with other settings you define. For instructions on how to delete the default virtual wire and its associated security policy and zones, see Step 3 in Set Up a Data Port for Access to External Services.

Set Up Interfaces and Zones

Step 1  Configure a default route to your Internet router.
    1. Select Network > Virtual Router and then select the default link to open the Virtual Router dialog.
    2. Select the Static Routes tab and click Add. Enter a Name for the route and enter the route in the Destination field (for example, 0.0.0.0/0).
    3. Select the IP Address radio button in the Next Hop field and then enter the IP address and netmask for your Internet gateway (for example, 203.0.113.1).
    4. Click OK twice to save the virtual router configuration.

Step 2  Configure the external interface (the interface that connects to the Internet).
    1. Select Network > Interfaces and then select the interface you want to configure. In this example, we are configuring Ethernet 1/16 as the external interface.
    2. Select the Interface Type. Although your choice here depends on interface topology, this example shows the steps for Layer3.
    3. On the Config tab, select New Zone from the Security Zone drop-down. In the Zone dialog, define a Name for the new zone, for example Internet, and then click OK.
    4. In the Virtual Router drop-down, select default.
    5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 203.0.113.23/24.
    6. To enable you to ping the interface, select Advanced > Other Info, expand the Management Profile drop-down, and select New Management Profile. Enter a Name for the profile, select Ping and then click OK.
    7. To save the interface configuration, click OK.


Step 3  Configure the interface that connects to your internal network.
        NOTE: In this example, the interface connects to a network segment that uses private IP addresses. Because private IP addresses cannot be routed externally, you will have to configure NAT.
    1. Select Network > Interfaces and select the interface you want to configure. In this example, we are configuring Ethernet 1/15 as the internal interface our users connect to.
    2. Select Layer3 as the Interface Type.
    3. On the Config tab, expand the Security Zone drop-down and select New Zone. In the Zone dialog, define a Name for the new zone, for example Users, and then click OK.
    4. Select the same Virtual Router you used previously, default in this example.
    5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.1.4/24.
    6. To enable you to ping the interface, select the management profile that you just created.
    7. To save the interface configuration, click OK.

Step 4  Configure the interface that connects to your data center applications.
        Although this basic security policy example configuration depicts using a single zone for all of your data center applications, as a best practice you would want to define more granular zones to prevent unauthorized access to sensitive applications or data and eliminate the possibility of malware moving laterally within your data center.
    1. Select the interface you want to configure.
    2. Select Layer3 from the Interface Type drop-down. In this example, we are configuring Ethernet 1/1 as the interface that provides access to your data center applications.
    3. On the Config tab, expand the Security Zone drop-down and select New Zone. In the Zone dialog, define a Name for the new zone, for example DataCenterApplications, and then click OK.
    4. Select the same Virtual Router you used previously, default in this example.
    5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.1.1.1/24.
    6. To enable you to ping the interface, select the management profile that you created.
    7. To save the interface configuration, click OK.

Step 5  (Optional) Create tags for each zone.
        Tags allow you to visually scan policy rules.
    1. Select Objects > Tags and Add.
    2. Select a zone Name.
    3. Select a tag Color and click OK.

Step 6  Save the interface configuration.
        Click Commit.


Step 7  Cable the firewall.
        Attach straight-through cables from the interfaces you configured to the corresponding switch or router on each network segment.

Step 8  Verify that the interfaces are active.
        Select Dashboard and verify that the interfaces you configured show as green in the Interfaces widget.


Set Up a Basic Security Policy

Now that you have defined some zones and attached them to interfaces, you are ready to begin creating your Security Policy. The firewall will not allow any traffic to flow from one zone to another unless there is a Security policy rule to allow it. When a packet enters a firewall interface, the firewall matches the attributes in the packet against the Security policy rules to determine whether to block or allow the session based on attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service. The firewall evaluates incoming traffic against the security policy rulebase from left to right and from top to bottom and then takes the action specified in the first security rule that matches (for example, whether to allow, deny, or drop the packet). This means that you must order the rules in your security policy rulebase so that more specific rules are at the top of the rulebase and more general rules are at the bottom to ensure that the firewall is enforcing policy as expected.
Even though a security policy rule allows a packet, this does not mean that the traffic is free of threats. To enable the firewall to scan the traffic that it allows based on a security policy rule, you must also attach Security Profiles, including URL Filtering, Antivirus, Anti-Spyware, File Blocking, and WildFire Analysis, to each rule (note that the profiles you can use depend on what subscriptions you have purchased). When creating your basic security policy, use the predefined security profiles to ensure that the traffic you allow into your network is being scanned for threats. You can customize these profiles later as needed for your environment.
Use the following workflow to set up a very basic security policy that enables access to the network infrastructure, to data center applications, and to the Internet. This will enable you to get the firewall up and running so that you can verify that you have successfully configured the firewall. This policy is not comprehensive enough to protect your network. After you verify that you have successfully configured the firewall and integrated it into your network, proceed with creating a Best Practice Internet Gateway Security Policy that will safely enable application access while protecting your network from attack.
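Two points in this section and in Network Segmentation for a Reduced Attack Surface are worth seeing in executable form: traffic inside a zone flows by default while traffic between zones needs an explicit rule, and the rulebase is walked top to bottom with the first match deciding, so a broad rule placed above a specific one silently shadows it. The following is an added example, not the guide's text and not PAN-OS's own matching logic. It models the rule fields the section names (source and destination zone, destination address, application, user, service, action) as plain data. The sample rules follow this section's Users, ITInfrastructure and Internet examples; the rule names, the enumerated applications standing in for the guide's application filter, and the DNS server address 10.10.0.53 are constructed for the example.

```python
"""First-match evaluation of a security policy rulebase, with the zone
defaults and a shadowed-rule check.

Added example, not from the PAN-OS guide and not PAN-OS's own matching
code. Rule fields follow the ones the guide names; sample rules, names and
the address 10.10.0.53 are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: frozenset
    dst_zones: frozenset
    apps: frozenset                     # App-IDs; the guide's application filter is enumerated here
    action: str                         # "allow" or "deny"
    dst_addrs: tuple = (ANY,)           # CIDR strings, or "any"
    users: frozenset = frozenset({ANY})
    service: str = "application-default"


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    app: str
    dst_ip: str
    user: str = "unknown"


def _in_set(values, value) -> bool:
    return ANY in values or value in values


def _addr_match(dst_addrs, ip: str) -> bool:
    return ANY in dst_addrs or any(ip_address(ip) in ip_network(c, strict=False) for c in dst_addrs)


def rule_matches(rule: Rule, s: Session) -> bool:
    return (_in_set(rule.src_zones, s.src_zone) and _in_set(rule.dst_zones, s.dst_zone)
            and _in_set(rule.apps, s.app) and _in_set(rule.users, s.user)
            and _addr_match(rule.dst_addrs, s.dst_ip))


def evaluate(rulebase, s: Session) -> tuple:
    """Top to bottom, first match wins. With no match, traffic inside a zone is
    allowed and traffic between zones is denied, the defaults the guide describes."""
    for rule in rulebase:
        if rule_matches(rule, s):
            return rule.action, rule.name
    if s.src_zone == s.dst_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"


def _covers(earlier, later) -> bool:
    """True when every value `later` accepts, `earlier` accepts too."""
    return ANY in earlier or (ANY not in later and set(later) <= set(earlier))


def shadowed_rules(rulebase) -> list:
    """(later, earlier) pairs where an earlier rule matches everything the later
    rule would, so the later rule never fires: the ordering mistake the text warns about."""
    found = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if all(_covers(getattr(earlier, f), getattr(later, f))
                   for f in ("src_zones", "dst_zones", "apps", "users", "dst_addrs")):
                found.append((later.name, earlier.name))
                break
    return found


# Sample rules following the guide's workflow (names and the DNS server address are mine).
INFRA = Rule("allow-infrastructure", frozenset({"Users"}), frozenset({"ITInfrastructure"}),
             frozenset({"dns", "ntp", "ocsp", "ping", "smtp"}), "allow", dst_addrs=("10.10.0.53/32",))
GENERAL = Rule("allow-general-internet", frozenset({"Users"}), frozenset({"Internet"}),
               frozenset({"web-browsing", "ssl"}), "allow")
BROAD = Rule("allow-any-internet", frozenset({"Users"}), frozenset({"Internet"}), frozenset({ANY}), "allow")

SAMPLE_RULEBASE = [INFRA, GENERAL]             # specific first, as the guide instructs
MISORDERED_RULEBASE = [BROAD, INFRA, GENERAL]  # a broad rule on top shadows the general-internet rule

if __name__ == "__main__":
    for sess in (Session("Users", "ITInfrastructure", "dns", "10.10.0.53"),
                 Session("Users", "ITInfrastructure", "dns", "10.10.0.99"),
                 Session("Users", "Internet", "ssh", "203.0.113.5"),
                 Session("Users", "Users", "smb", "192.168.1.9")):
        print(sess, "->", evaluate(SAMPLE_RULEBASE, sess))
    print("shadowed:", shadowed_rules(MISORDERED_RULEBASE))
```

The second session shows the effect of the address-object advice in the Define Basic Security Policy Rules steps: DNS to any host other than the listed server in the ITInfrastructure zone falls through to the interzone default and is denied, which is what closes the door on DNS tunneling to an attacker-controlled resolver.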

Define Basic Security Policy Rules

Step 1  (Optional) Delete the default security policy rule.
        By default, the firewall includes a security rule named rule1 that allows all traffic from Trust zone to Untrust zone. You can either delete the rule or modify the rule to reflect your zone naming conventions.


Step 1  Allow access to your network infrastructure resources.
    1. Select Policies > Security and click Add.
    2. Enter a descriptive Name for the rule in the General tab.
    3. In the Source tab, set the Source Zone to Users.
    4. In the Destination tab, set the Destination Zone to ITInfrastructure.
       As a best practice, consider using address objects in the Destination Address field to enable access to specific servers or groups of servers only, particularly for services such as DNS and SMTP that are commonly exploited. By restricting users to specific destination server addresses you can prevent data exfiltration and command-and-control traffic from establishing communication through techniques such as DNS tunneling.
    5. In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select dns, ntp, ocsp, ping, smtp.
    6. In the Service/URL Category tab, keep the Service set to application-default.
    7. In the Actions tab, set the Action Setting to Allow.
    8. Set Profile Type to Profiles and select the following security profiles to attach to the policy rule:
       - For Antivirus select default
       - For Vulnerability Protection select strict
       - For Anti-Spyware select strict
       - For URL Filtering select default
       - For File Blocking select basic file blocking
       - For WildFire Analysis select default
    9. Verify that Log at Session End is enabled. Only traffic that matches a security policy rule will be logged.
    10. Click OK.


Step 2 Enable access to general Internet applications.
This is a temporary rule that allows you to gather information about the traffic on your network. After you have more insight into what applications your users need access to, you can make informed decisions about what applications to allow and create more granular application-based rules for each user group.
1. Select Policies > Security and click Add.
2. Enter a descriptive Name for the rule in the General tab.
3. In the Source tab, set the Source Zone to Users.
4. In the Destination tab, set the Destination Zone to Internet.
5. In the Applications tab, Add an Application Filter and enter a Name. To safely enable access to legitimate web-based applications, set the Category in the application filter to general-internet and then click OK. To enable access to encrypted sites, Add the ssl application.
6. In the Service/URL Category tab, keep the Service set to application-default.
7. In the Actions tab, set the Action Setting to Allow.
8. Set Profile Type to Profiles and select the following security profiles to attach to the policy rule:
• For Antivirus select default
• For Vulnerability Protection select strict
• For Anti-Spyware select strict
• For URL Filtering select default
• For File Blocking select strict file blocking
• For WildFire Analysis select default
9. Verify that Log at Session End is enabled. Only traffic that matches a security rule will be logged.
10. Click OK.


Step 3 Enable access to data center applications.
1. Select Policies > Security and click Add.
2. Enter a descriptive Name for the rule in the General tab.
3. In the Source tab, set the Source Zone to Users.
4. In the Destination tab, set the Destination Zone to Data Center Applications.
5. In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select activesync, imap, kerberos, ldap, ms-exchange, and ms-lync.
6. In the Service/URL Category tab, keep the Service set to application-default.
7. In the Actions tab, set the Action Setting to Allow.
8. Set Profile Type to Profiles and select the following security profiles to attach to the policy rule:
• For Antivirus select default
• For Vulnerability Protection select strict
• For Anti-Spyware select strict
• For URL Filtering select default
• For File Blocking select basic file blocking
• For WildFire Analysis select default
9. Verify that Log at Session End is enabled. Only traffic that matches a security rule will be logged.
10. Click OK.

Step 4 Save your policies to the running configuration on the firewall.
Click Commit.


Step 5 To verify that you have set up your basic policies effectively, test whether your security policy rules are being evaluated and determine which security policy rule applies to a traffic flow.
To verify the policy rule that matches a flow, use the following CLI command:

    test security-policy-match source <IP_address> destination <IP_address> destination port <port_number> application <application_name> protocol <protocol_number>

The output displays the best rule that matches the source and destination IP address specified in the CLI command.
For example, to verify the policy rule that will be applied for a client in the user zone with the IP address 10.35.14.150 when it sends a DNS query to the DNS server in the data center:

    test security-policy-match source 10.35.14.150 destination 10.43.2.2 application dns protocol 53

    "Network Infrastructure" {
        from Users;
        source any;
        source-region none;
        to Data_Center;
        destination any;
        destination-region none;
        user any;
        category any;
        application/service dns/any/any/any;
        action allow;
        icmp-unreachable: no
        terminal yes;
    }
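To see what the CLI check above is reporting, here is an added example (not code from the PAN-OS guide) that simulates top-down first-match evaluation of the three rules built in Steps 1 to 3, including the predefined intrazone-default (allow) and interzone-default (deny) rules that apply when nothing matches. The rule names, the subnet-to-zone table and the application-category table are constructed sample data, not the App-ID database or a PAN-OS API.

```python
"""Added example (not code from the PAN-OS guide): a first-match simulator for the
three basic rules built in the steps above, plus the predefined default rules the
guide describes (same-zone traffic is allowed implicitly; interzone traffic is
denied unless a rule allows it).  Zone, application and profile names are the
ones used in the steps; the rule names, the subnet-to-zone table and the
application-category table are constructed sample data, not the App-ID database
or a PAN-OS API."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample of App-ID categories, so the Internet rule's application
# filter (Category = general-internet) can be evaluated.
APP_CATEGORY = {
    "web-browsing": "general-internet", "bittorrent": "general-internet",
    "ssl": "networking", "dns": "networking", "ntp": "networking",
    "ocsp": "networking", "ping": "networking", "kerberos": "networking",
    "ldap": "networking", "smtp": "collaboration", "imap": "collaboration",
    "activesync": "collaboration", "ms-exchange": "collaboration",
    "ms-lync": "collaboration",
}

# Constructed subnet-to-zone table.  10.35.14.150 is the guide's example client in
# the Users zone; 10.43.2.2 is its DNS server, placed here in IT Infrastructure so
# the example reproduces the guide's "Network Infrastructure" match.
ZONE_OF_SUBNET = {
    ipaddress.ip_network("10.35.14.0/24"): "Users",
    ipaddress.ip_network("10.43.2.0/24"): "IT Infrastructure",
    ipaddress.ip_network("10.50.0.0/16"): "Data Center Applications",
    ipaddress.ip_network("0.0.0.0/0"): "Internet",   # everything else
}


def zone_of(ip: str) -> str:
    """Longest-prefix lookup of the zone an address belongs to."""
    addr = ipaddress.ip_address(ip)
    candidates = [(net.prefixlen, zone) for net, zone in ZONE_OF_SUBNET.items()
                  if addr in net]
    return max(candidates)[1]


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    applications: frozenset = frozenset()           # explicit App-IDs
    app_filter_categories: frozenset = frozenset()  # application filter by category
    action: str = "allow"
    profiles: dict = field(default_factory=dict)    # attached security profiles

    def matches(self, src_zone: str, dst_zone: str, app: str) -> bool:
        if (self.from_zone, self.to_zone) != (src_zone, dst_zone):
            return False
        return (app in self.applications
                or APP_CATEGORY.get(app) in self.app_filter_categories)


# Profiles attached in step 8 of each rule; only File Blocking differs per rule.
BASE_PROFILES = {"antivirus": "default", "vulnerability-protection": "strict",
                 "anti-spyware": "strict", "url-filtering": "default",
                 "wildfire-analysis": "default"}

# The rulebase in evaluation order (rule names are constructed placeholders).
BASIC_RULEBASE = [
    Rule("Network Infrastructure", "Users", "IT Infrastructure",
         applications=frozenset({"dns", "ntp", "ocsp", "ping", "smtp"}),
         profiles={**BASE_PROFILES, "file-blocking": "basic file blocking"}),
    Rule("General Internet", "Users", "Internet",
         applications=frozenset({"ssl"}),
         app_filter_categories=frozenset({"general-internet"}),
         profiles={**BASE_PROFILES, "file-blocking": "strict file blocking"}),
    Rule("Data Center Applications", "Users", "Data Center Applications",
         applications=frozenset({"activesync", "imap", "kerberos", "ldap",
                                 "ms-exchange", "ms-lync"}),
         profiles={**BASE_PROFILES, "file-blocking": "basic file blocking"}),
]


def security_policy_match(rules, src_zone, dst_zone, app):
    """Top-down first match, as 'test security-policy-match' reports it.  With no
    match, the predefined intrazone-default (allow) or interzone-default (deny)
    rule applies; neither carries security profiles."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, app):
            return {"rule": rule.name, "action": rule.action,
                    "profiles": dict(rule.profiles)}
    if src_zone == dst_zone:
        return {"rule": "intrazone-default", "action": "allow", "profiles": {}}
    return {"rule": "interzone-default", "action": "deny", "profiles": {}}


def policy_match_for_addresses(src_ip, dst_ip, app, rules=BASIC_RULEBASE):
    """Address-based front end mirroring the CLI command's source/destination arguments."""
    return security_policy_match(rules, zone_of(src_ip), zone_of(dst_ip), app)


if __name__ == "__main__":
    for src, dst, app in [("10.35.14.150", "10.43.2.2", "dns"),
                          ("10.35.14.150", "93.184.216.34", "web-browsing"),
                          ("10.35.14.150", "10.43.2.2", "ssh"),
                          ("10.35.14.150", "10.35.14.7", "ssh")]:
        print(f"{src} -> {dst} {app}: {policy_match_for_addresses(src, dst, app)}")
```

The third case shows why the order and scope of the rules matter: ssh from Users to the infrastructure zone matches no rule and falls to interzone-default, which denies it and attaches no profiles.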


Assess Network Traffic

Now that you have a basic security policy, you can review the statistics and data in the Application Command Center (ACC), traffic logs, and the threat logs to observe trends on your network. Use this information to identify where you need to create more granular security policy rules.

Monitor Network Traffic

Use the Application Command Center and Use the Automated Correlation Engine.
In the ACC, review the most used applications and the high-risk applications on your network. The ACC graphically summarizes the log information to highlight the applications traversing the network, who is using them (with User-ID enabled), and the potential security impact of the content to help you identify what is happening on the network in real time. You can then use this information to create appropriate security policy rules that block unwanted applications, while allowing and enabling applications in a secure manner.
The Compromised Hosts widget in ACC > Threat Activity displays potentially compromised hosts on your network and the logs and match evidence that corroborates the events.

Determine what updates/modifications are required for your network security policy rules and implement the changes.
For example:
• Evaluate whether to allow web content based on schedule, users, or groups.
• Allow or control certain applications or functions within an application.
• Decrypt and inspect content.
• Allow but scan for threats and exploits.
For information on refining your security policies and for attaching custom security profiles, see Create a Security Policy Rule and Security Profiles.

View Logs.
Specifically, view the traffic and threat logs (Monitor > Logs).
NOTE: Traffic logs are dependent on how your security policies are defined and set up to log traffic. The Application Usage widget in the ACC, however, records applications and statistics regardless of policy configuration; it shows all traffic that is allowed on your network, therefore it includes the interzone traffic that is allowed by policy and the same-zone traffic that is allowed implicitly.


Configure Log Storage Quotas and Expiration Periods.
Review the AutoFocus intelligence summary for artifacts in your logs. An artifact is an item, property, activity, or behavior associated with logged events on the firewall. The intelligence summary reveals the number of sessions and samples in which WildFire detected the artifact. Use WildFire verdict information (benign, grayware, malware) and AutoFocus matching tags to look for potential risks in your network.
• AutoFocus tags created by Unit 42, the Palo Alto Networks threat intelligence team, call attention to advanced, targeted campaigns and threats in your network.
• From the AutoFocus intelligence summary, you can start an AutoFocus search for artifacts and assess their pervasiveness within global, industry, and network contexts.

Monitor Web Activity of Network Users.
Review the URL filtering logs to scan through alerts and denied categories/URLs. URL logs are generated when traffic matches a security rule that has a URL filtering profile attached with an action of alert, continue, override or block.


Enable Basic WildFire Forwarding

WildFire is a cloud-based virtual environment that analyzes and executes unknown samples (files and email links) and determines the samples to be malicious, phishing, grayware, or benign. With WildFire enabled, a Palo Alto Networks firewall can forward unknown samples to WildFire for analysis. For newly discovered malware, WildFire generates a signature to detect the malware and distributes it to all firewalls with an active WildFire subscription within minutes. This enables all Palo Alto next-generation firewalls worldwide to detect and prevent malware found by a single firewall. When you enable WildFire forwarding, the firewall also forwards files that were blocked by Antivirus signatures, in addition to unknown samples. Malware signatures often match multiple variants of the same malware family, and as such, block new malware variants that the firewall has never seen before. The Palo Alto Networks threat research team uses the threat intelligence gathered from malware variants to block malicious IP addresses, domains, and URLs.

A basic WildFire service is included as part of the Palo Alto Networks next-generation firewall and does not require a WildFire subscription. With the basic WildFire service, you can enable the firewall to forward portable executable (PE) files. Additionally, if you do not have a WildFire subscription, but you do have a Threat Prevention subscription, you can receive signatures for malware WildFire identifies every 24-48 hours (as part of the Antivirus updates).

Beyond the basic WildFire service, a WildFire subscription is required for the firewall to:
• Get the latest WildFire signatures every five minutes.
• Forward advanced file types and email links for analysis.
• Use the WildFire API.
• Use a WF-500 appliance to host a WildFire private cloud or a WildFire hybrid cloud.

If you have a WildFire subscription, go ahead and get started with WildFire to get the most out of your subscription. Otherwise, take the following steps to enable basic WildFire forwarding:

Enable Basic WildFire Forwarding

Step 1 Confirm that your firewall is registered and that you have a valid support account as well as any subscriptions you require.
1. Go to the Palo Alto Networks Customer Support website, log in, and select My Devices.
2. Verify that the firewall is listed. If it is not listed, see Register the Firewall.
3. (Optional) If you have a Threat Prevention subscription, be sure to Activate Licenses and Subscriptions.

Step 2 Configure WildFire forwarding settings.
1. Select Device > Setup > WildFire and edit the General Settings.
2. Set the WildFire Public Cloud field to forward files to the WildFire global cloud at: wildfire.paloaltonetworks.com.
You can also forward files to a regional cloud or a private cloud based on your location and your organizational requirements.
3. Review the File Size Limits for PEs the firewall forwards for WildFire analysis.
As a WildFire best practice, set the Size Limit for PEs to the maximum available limit of 10 MB.
4. Click OK to save your changes.


Step 3 Enable the firewall to forward PEs for analysis.
1. Select Objects > Security Profiles > WildFire Analysis and Add a new profile rule.
2. Name the new profile rule.
3. Add a forwarding rule and enter a Name for it.
4. In the File Types column, add pe files to the forwarding rule.
5. In the Analysis column, select public-cloud to forward PEs to the WildFire public cloud.
6. Click OK.

Step 4 Apply the new WildFire Analysis profile to traffic that the firewall allows.
1. Select Policies > Security and either select an existing policy rule or create a new policy rule as described in Set Up a Basic Security Policy.
2. Select Actions and in the Profile Settings section, set the Profile Type to Profiles.
3. Select the WildFire Analysis profile you just created to apply that profile rule to all traffic this policy rule allows.
4. Click OK.

Step 5 Enable the firewall to forward decrypted SSL traffic for WildFire analysis.

Step 6 Review and implement WildFire best practices to ensure that you are getting the most of WildFire detection and prevention capabilities.

Step 7 Commit your configuration updates.

Step 8 Verify that the firewall is forwarding PE files to the WildFire public cloud.
Select Monitor > Logs > WildFire Submissions to view log entries for PEs the firewall successfully submitted for WildFire analysis. The Verdict column displays whether WildFire found the PE to be malicious, grayware, or benign. (WildFire only assigns the phishing verdict to email links.)

Step 9 (Threat Prevention subscription only) If you have a Threat Prevention subscription, but do not have a WildFire subscription, you can still receive WildFire signature updates every 24-48 hours.
1. Select Device > Dynamic Updates.
2. Check that the firewall is scheduled to download and install Antivirus updates.


Control Access to Web Content

URL Filtering provides visibility and control over web traffic on your network. With URL filtering enabled, the firewall can categorize web traffic into one or more URL categories. You can then create policies that specify whether to allow, block, or log (alert) traffic based on the category to which it belongs. Together with User-ID, you can also use URL Filtering to Prevent Credential Phishing based on URL category.

The following workflow shows how to enable PAN-DB for URL filtering, create security profiles, and attach them to Security policy rules to enforce a basic URL filtering policy.

Configure URL Filtering

Step 1 Confirm that you have a URL Filtering license.
1. Obtain and install a URL Filtering license. See Activate Licenses and Subscriptions for details.
2. Select Device > Licenses and verify that the URL Filtering license is valid.

Step 2 Download the seed database and activate the license.
1. To download the seed database, click Download next to Download Status in the PAN-DB URL Filtering section of the Licenses page.
2. Choose a region (APAC, Europe, Japan, Latin America, North America, or Russia) and then click OK to start the download.
3. After the download completes, click Activate. The Active field now shows that PAN-DB is active.


Step 3 Configure URL Filtering.
Configure a best practice URL Filtering profile to ensure protection against URLs that have been observed hosting malware or exploitive content.
• Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.
• Select Categories to allow, alert, continue, or block access to. If you are not sure what sites or categories you want to control access to, consider setting the categories (except for those blocked by default) to alert. You can then use the visibility tools on the firewall, such as the ACC and App Scope, to determine which web categories to restrict to specific groups or to block entirely. See URL Filtering Profile Actions for details on the site access settings you can enforce for each URL category.
• Select Categories to Prevent Credential Phishing based on URL category.
• Select Overrides to Allow Password Access to Certain Sites.
• Enable Safe Search Enforcement to ensure that user search results are based on search engine safe search settings.

Step 4 Attach the URL filtering profile to a Security policy rule.
1. Select Policies > Security.
2. Select a Security policy rule that allows web access to edit it and select the Actions tab.
3. In the Profile Settings list, select the URL Filtering profile you just created. (If you don't see drop-downs for selecting profiles, set the Profile Type to Profiles.)
4. Click OK to save the profile.

Step 5 Enable response pages in the management profile for each interface on which you are filtering web traffic.
1. Select Network > Network Profiles > Interface Mgmt and then select an interface profile to edit or click Add to create a new profile.
2. Select Response Pages, as well as any other management services required on the interface.
3. Click OK to save the interface management profile.
4. Select Network > Interfaces and select the interface to which to attach the profile.
5. On the Advanced > Other Info tab, select the interface management profile you just created.
6. Click OK to save the interface settings.

Step 6 Commit the configuration.


Step 7 Test the URL filtering configuration.
From an endpoint in a trusted zone, attempt to access sites in various categories and make sure you see the expected result based on the corresponding Site Access setting you selected:
• If you set Site Access to alert for the category, check the URL Filtering log to make sure you see a log entry for the request.
• If you set Site Access to continue for the category, verify that the URL Filtering Continue and Override Page response page displays. Continue to the site.
• If you set Site Access to block for the category, verify that the URL Filtering and Category Match Block Page response page displays.


Enable AutoFocus Threat Intelligence

With a valid AutoFocus subscription, you can compare the activity on your network with the latest threat data available on the AutoFocus portal. Connecting your firewall and AutoFocus unlocks the following features:
• Ability to view an AutoFocus intelligence summary for session artifacts recorded in the firewall logs.
• Ability to open an AutoFocus search for log artifacts from the firewall.

The AutoFocus intelligence summary reveals the prevalence of an artifact on your network and on a global scale. The WildFire verdicts and AutoFocus tags listed for the artifact indicate whether the artifact poses a security risk.

Enable AutoFocus Threat Intelligence on the Firewall

Step 1 Verify that the AutoFocus license is activated on the firewall.
1. Select Device > Licenses to verify that the AutoFocus Device License is installed and valid (check the expiration date).
2. If the firewall doesn't detect the license, see Activate Licenses and Subscriptions.

Step 2 Connect the firewall to AutoFocus.
1. Select Device > Setup > Management and edit the AutoFocus settings.
2. Enter the AutoFocus URL: https://autofocus.paloaltonetworks.com:10443
3. Use the Query Timeout field to set the duration of time for the firewall to attempt to query AutoFocus for threat intelligence data. If the AutoFocus portal does not respond before the end of the specified period, the firewall closes the connection.
As a best practice, set the query timeout to the default value of 15 seconds. AutoFocus queries are optimized to complete within this duration.
4. Select Enabled to allow the firewall to connect to AutoFocus.
5. Click OK.
6. Commit your changes to retain the AutoFocus settings upon reboot.


Step 3 Connect AutoFocus to the firewall.
1. Log in to the AutoFocus portal: https://autofocus.paloaltonetworks.com
2. Select Settings.
3. Add new remote systems.
4. Enter a descriptive Name to identify the firewall.
5. Select PanOS as the System Type.
6. Enter the firewall IP Address.
7. Click Save changes to add the remote system.
8. Click Save changes again on the Settings page to ensure the firewall is successfully added.

Step 4 Test the connection between the firewall and AutoFocus.
1. On the firewall, select Monitor > Logs > Traffic.
2. Verify that you can Configure Log Storage Quotas and Expiration Periods.


Best Practices for Completing the Firewall Deployment

Now that you have integrated the firewall into your network and enabled the basic security features, you can begin configuring more advanced features. Here are some things to consider next:
• Learn about the different Management Interfaces that are available to you and how to access and use them.
• Replace the Certificate for Inbound Management Traffic. By default, the firewall ships with a default certificate that enables HTTPS access to the web interface over the management (MGT) interface or any other interface that supports HTTPS management traffic. To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.
• Configure a best practice security policy rulebase to safely enable applications and protect your network from attack. See Best Practice Internet Gateway Security Policy for details.
• Set up High Availability. High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration and session tables are synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up a two-firewall cluster provides redundancy and allows you to ensure business continuity.
• Configure the Master Key. Every Palo Alto Networks firewall has a default master key that encrypts all private keys on the firewall used for cryptographic protocols. As a best practice to safeguard the keys, configure the master key on each firewall to be unique. However, if you use Panorama, you must use the same master key on Panorama and all managed firewalls. Otherwise, Panorama cannot push configurations to the firewalls.
• Manage Firewall Administrators. Every Palo Alto Networks firewall and appliance is preconfigured with a default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall. As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This allows you to better protect the firewall from unauthorized configuration (or modification) and to enable logging of the actions of each individual administrator.
• Enable User Identification (User-ID). User-ID is a Palo Alto Networks next-generation firewall feature that allows you to create policies and perform reporting based on users and groups rather than individual IP addresses.
• Enable Decryption. Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted or tunneled traffic.
• Follow the Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions.
• Share Threat Intelligence with Palo Alto Networks. Permit the firewall to periodically collect and send information about applications, threats, and device health to Palo Alto Networks. Telemetry includes options to enable passive DNS monitoring and to allow experimental test signatures to run in the background with no impact to your security policy rules, firewall logs, or firewall performance. All Palo Alto Networks customers benefit from the intelligence gathered from telemetry, which Palo Alto Networks uses to improve the threat prevention capabilities of the firewall.

Firewall Administration

Administrators can configure, manage, and monitor Palo Alto Networks firewalls using the web interface, CLI, and API management interface. You can customize role-based administrative access to the management interfaces to delegate specific tasks or permissions to certain administrators.
• Management Interfaces
• Use the Web Interface
• Manage Configuration Backups
• Manage Firewall Administrators
• Reference: Web Interface Administrator Access
• Reference: Port Number Usage
• Reset the Firewall to Factory Default Settings
• Bootstrap the Firewall


Management Interfaces

You can use the following user interfaces to manage the Palo Alto Networks firewall:
• Use the Web Interface to perform configuration and monitoring tasks with relative ease. This graphical interface allows you to access the firewall using HTTPS (recommended) or HTTP and it is the best way to perform administrative tasks.
• Use the Command Line Interface (CLI) to perform a series of tasks by entering commands in rapid succession over SSH (recommended), Telnet, or the console port. The CLI is a no-frills interface that supports two command modes, operational and configure, each with a distinct hierarchy of commands and statements. When you become familiar with the nesting structure and syntax of the commands, the CLI provides quick response times and administrative efficiency.
• Use the XML API to streamline your operations and integrate with existing, internally developed applications and repositories. The XML API is a web service implemented using HTTP/HTTPS requests and responses.
• Use Panorama to perform web-based management, reporting, and log collection for multiple firewalls. The Panorama web interface resembles the firewall web interface but with additional functions for centralized management.


Use the Web Interface

The following topics describe how to use the firewall web interface. For detailed information about specific tabs and fields in the web interface, refer to the Web Interface Reference Guide.
• Launch the Web Interface
• Configure Banners, Message of the Day, and Logos
• Use the Administrator Login Activity Indicators to Detect Account Misuse
• Manage and Monitor Administrative Tasks
• Commit, Validate, and Preview Firewall Configuration Changes
• Use Global Find to Search the Firewall or Panorama Management Server
• Manage Locks for Restricting Configuration Changes

Launch the Web Interface

The following web browsers are supported for access to the web interface:
• Internet Explorer 7+
• Firefox 3.6+
• Safari 5+
• Chrome 11+

Launch the Web Interface

Step 1 Launch an Internet browser and enter the IP address of the firewall in the URL field (https://<IP address>).
By default, the management (MGT) interface allows only HTTPS access to the web interface. To enable other protocols, select Device > Setup > Interfaces and edit the Management interface.

Step 2 Log in to the firewall according to the type of authentication used for your account. If logging in to the firewall for the first time, use the default value admin for your username and password.
• SAML: Click Use Single Sign-On (SSO). If the firewall performs authorization (role assignment) for administrators, enter your Username and Continue. If the SAML identity provider (IdP) performs authorization, Continue without entering a Username. In both cases, the firewall redirects you to the IdP, which prompts you to enter a username and password. After you authenticate to the IdP, the firewall web interface displays.
• Any other type of authentication: Enter your user Name and Password. Read the login banner and select I Accept and Acknowledge the Statement Below if the login page has the banner and checkbox. Then click Login.

Step 3 Read and Close the messages of the day.


Configure Banners, Message of the Day, and Logos

A login banner is optional text that you can add to the login page so that administrators will see information they must know before they log in. For example, you could add a message to notify users of restrictions on unauthorized use of the firewall.

You can add colored bands that highlight overlaid text across the top (header banner) and bottom (footer banner) of the web interface to ensure administrators see critical information, such as the classification level for firewall administration.

A message of the day dialog automatically displays after you log in. The dialog displays messages that Palo Alto Networks embeds to highlight important information associated with a software or content release. You can also add one custom message to ensure administrators see information, such as an impending system restart, that might affect their tasks.

You can replace the default logos that appear on the login page and in the header of the web interface with the logos of your organization.

Configure Banners, Message of the Day, and Logos

Step 1 Configure the login banner.
1. Select Device > Setup > Management and edit the General Settings.
2. Enter the Login Banner (up to 3,200 characters).
3. (Optional) Select Force Admins to Acknowledge Login Banner to force administrators to select an I Accept and Acknowledge the Statement Below checkbox above the banner text to activate the Login button.
4. Click OK.

Step 2 Set the message of the day.
1. Select Device > Setup > Management and edit the Banners and Messages settings.
2. Enable the Message of the Day.
3. Enter the Message of the Day (up to 3,200 characters).
After you enter the message and click OK, administrators who subsequently log in, and active administrators who refresh their browsers, see the new or updated message immediately; a commit isn't necessary. This enables you to inform other administrators of an impending commit that might affect their configuration changes. Based on the commit time that your message specifies, the administrators can then decide whether to complete, save, or undo their changes.
4. (Optional) Select Allow Do Not Display Again (default is disabled) to give administrators the option to suppress a message of the day after the first login session. Each administrator can suppress messages only for his or her own login sessions. In the message of the day dialog, each message will have its own suppression option.
5. (Optional) Enter a header Title for the message of the day dialog (default is Message of the Day).


Step 3 Configure the header and footer banners.
A bright background color and contrasting text color can increase the likelihood that administrators will notice and read a banner. You can also use colors that correspond to classification levels in your organization.
1. Enter the Header Banner (up to 3,200 characters).
2. (Optional) Clear Same Banner Header and Footer (enabled by default) to use different header and footer banners.
3. Enter the Footer Banner (up to 3,200 characters) if the header and footer banners differ.
4. Click OK.

Step 4 Replace the logos on the login page and in the header.
NOTE: The maximum size for any logo image is 128 KB.
1. Select Device > Setup > Operations and click Custom Logos in the Miscellaneous section.
2. Perform the following steps for both the Login Screen logo and the Main UI (header) logo:
a. Click upload.
b. Select a logo image and click Open.
You can preview the image to see how PAN-OS will crop it to fit by clicking the magnifying glass icon.
c. Click Close.
3. Commit your changes.

Step 5 Verify that the banners, message of the day, and logos display as expected.
1. Log out to return to the login page, which displays the new logos you selected.
2. Enter your login credentials, review the banner, select I Accept and Acknowledge the Statement Below to enable the Login button, and then Login.
A dialog displays the message of the day. Messages that Palo Alto Networks embedded display on separate pages in the same dialog. To navigate the pages, click the right or left arrows along the sides of the dialog or click a page selector at the bottom of the dialog.
3. (Optional) You can select Do not show again for the message you configured and for any messages that Palo Alto Networks embedded.
4. Close the message of the day dialog to access the web interface.
Header and footer banners display in every web interface page with the text and colors that you configured. The new logo you selected for the web interface displays below the header banner.


Use the Administrator Login Activity Indicators to Detect Account Misuse

The last login time and failed login attempts indicators provide a visual way to detect misuse of your administrator account on a Palo Alto Networks firewall or Panorama management server. Use the last login information to determine if someone else logged in using your credentials and use the failed login attempts indicator to determine if your account is being targeted in a brute-force attack.

Use the Login Activity Indicators to Detect Account Misuse

Step 1 View the login activity indicators to monitor recent activity on your account.
1. Log in to the web interface on your firewall or Panorama management server.
2. View the last login details located at the bottom left of the window and verify that the timestamp corresponds to your last login.
3. Look for a caution symbol to the right of the last login time information for failed login attempts.
The failed login indicator appears if one or more failed login attempts occurred using your account since the last successful login.
a. If you see the caution symbol, hover over it to display the number of failed login attempts.
b. Click the caution symbol to view the failed login attempts summary. Details include the admin account name, the reason for the login failure, the source IP address, and the date and time.
NOTE: After you successfully log in and then log out, the failed login counter resets to zero so you will see new failed login details, if any, the next time you log in.


Step2 Locatehoststhatarecontinually 1. Clickthefailedlogincautionsymboltoviewthefailedlogin


attemptingtologintoyourfirewallor attemptssummary.
Panoramamanagementserver. 2. LocateandrecordthesourceIPaddressofthehostthat
attemptedtologin.Forexample,thefollowingfigureshows
multiplefailedloginattemptsfromtheIPaddress
192.168.2.10.

3. Workwithyournetworkadministratortolocatetheuserand
hostthatisusingtheIPaddressthatyouidentified.
Ifyoucannotlocatethesystemthatisperformingthe
bruteforceattack,considerrenamingtheaccounttoprevent
futureattacks.

Step 3: Take the following actions if you detect an account compromise.
1. Select Monitor > Logs > Configuration and view the configuration changes and commit history to determine if your account was used to make changes without your knowledge.
2. Select Device > Config Audit to compare the current configuration and the configuration that was running just prior to the configuration you suspect was changed using your credentials. You can also do this using Panorama.
NOTE: If your administrator account was used to create a new account, performing a configuration audit helps you detect changes that are associated with any unauthorized accounts, as well.
3. Revert the configuration to a known good configuration if you see that logs were deleted or if you have difficulty determining if improper changes were made using your account. Also change the password of the compromised account before you resume normal use.
NOTE: Before you commit to a previous configuration, review it to ensure that it contains the correct settings. For example, the configuration that you revert to may not contain recent changes, so apply those changes after you commit the backup configuration.

Use the following best practices to help prevent brute-force attacks on privileged accounts:
- Limit the number of failed attempts allowed before the firewall locks a privileged account by setting the number of Failed Attempts and the Lockout Time (min) in the authentication profile or in the Authentication Settings for the Management interface (Device > Setup > Management > Authentication Settings).
- Use Interface Management Profiles to Restrict Access.
- Enforce complex passwords for privileged accounts.
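The caution symbol shows you only your own account's failures. To find the hosts that are hammering every account, pull the system log and apply the same Failed Attempts / Lockout Time policy offline. The following is an added example, not code from the PAN-OS guide or from Palo Alto Networks: it parses the entries an XML API system-log query returns (type=log&log-type=system, then type=log&action=get&job-id=<id>), counts failures per source address and per account, and models the lockout. The log text is constructed; the element names (time_generated, eventid, opaque), the message wording, and the use of the lockout time as the counting window are assumptions.

```python
"""Detect brute-force login attempts from PAN-OS system log entries.

Added example (not from the PAN-OS Administrator's Guide). The XML below is
CONSTRUCTED; element names and message wording follow the real system log
as I recall it and are an assumption.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: four failures from one host, a successful login, then one
# failure against a different account.
SAMPLE_LOG = """<response status="success"><result><log><logs count="6">
<entry logid="1"><time_generated>2017/03/30 09:00:00</time_generated><eventid>auth-fail</eventid>
 <opaque>failed authentication for user 'admin'. Reason: Invalid username/password From: 192.168.2.10.</opaque></entry>
<entry logid="2"><time_generated>2017/03/30 09:00:05</time_generated><eventid>auth-fail</eventid>
 <opaque>failed authentication for user 'admin'. Reason: Invalid username/password From: 192.168.2.10.</opaque></entry>
<entry logid="3"><time_generated>2017/03/30 09:00:09</time_generated><eventid>auth-fail</eventid>
 <opaque>failed authentication for user 'admin'. Reason: Invalid username/password From: 192.168.2.10.</opaque></entry>
<entry logid="4"><time_generated>2017/03/30 09:00:15</time_generated><eventid>auth-fail</eventid>
 <opaque>failed authentication for user 'admin'. Reason: Invalid username/password From: 192.168.2.10.</opaque></entry>
<entry logid="5"><time_generated>2017/03/30 09:45:00</time_generated><eventid>auth-success</eventid>
 <opaque>User admin logged in via Web from 10.0.0.5 using https</opaque></entry>
<entry logid="6"><time_generated>2017/03/30 09:46:00</time_generated><eventid>auth-fail</eventid>
 <opaque>failed authentication for user 'auditor'. Reason: Invalid username/password From: 10.0.0.7.</opaque></entry>
</logs></log></result></response>"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"          # IPv4 only; extend for IPv6 management addresses
FAIL_RE = re.compile(r"failed authentication for user '(?P<user>[^']+)'.*?From: (?P<src>" + IPV4 + ")")
OK_RE = re.compile(r"User (?P<user>\S+) logged in via \S+ from (?P<src>" + IPV4 + ")")


def parse_events(xml_text):
    """Return sorted (time, kind, user, src) tuples; kind is 'fail' or 'ok'."""
    events = []
    for entry in ET.fromstring(xml_text).iter("entry"):
        when = datetime.strptime(entry.findtext("time_generated"), "%Y/%m/%d %H:%M:%S")
        text = entry.findtext("opaque") or ""
        m = FAIL_RE.search(text)
        if m:
            events.append((when, "fail", m["user"], m["src"]))
            continue
        m = OK_RE.search(text)
        if m:
            events.append((when, "ok", m["user"], m["src"]))
    return sorted(events)


def analyze(events, failed_attempts=5, lockout_minutes=30):
    """Replay the guide's lockout policy and count failures per source address.

    Assumption: lockout_minutes is also the window in which failures accumulate.
    The counter resets on a successful login, as the guide states for the UI."""
    window = timedelta(minutes=lockout_minutes)
    recent = defaultdict(list)      # user -> timestamps of recent failures
    locked_until = {}               # user -> time the lock expires
    by_source = defaultdict(int)
    locks, while_locked = [], 0
    for when, kind, user, src in events:
        if kind == "ok":
            recent[user].clear()
            locked_until.pop(user, None)
            continue
        by_source[src] += 1
        if user in locked_until and when < locked_until[user]:
            while_locked += 1      # attempt against an already locked account
            continue
        recent[user] = [t for t in recent[user] if when - t <= window] + [when]
        if len(recent[user]) >= failed_attempts:
            locked_until[user] = when + window
            locks.append((user, src, when))
            recent[user].clear()
    return {"failures_by_source": dict(by_source), "locks": locks,
            "attempts_while_locked": while_locked}
```

Run it against a real export and the `failures_by_source` map is the list of hosts to hand to your network team; a non-zero `attempts_while_locked` tells you the lockout is doing its job but the source is still active.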

Manage and Monitor Administrative Tasks

The Task Manager displays details about all the operations that you and other administrators initiated (such as manual commits) or that the firewall initiated (such as scheduled report generation) since the last firewall reboot. You can use the Task Manager to troubleshoot failed operations, investigate warnings associated with completed commits, view details about queued commits, or cancel pending commits.

You can also view System Logs to monitor system events on the firewall or view Config Logs to monitor firewall configuration changes.

Step 1: Click Tasks at the bottom of the web interface.

Step 2: Show only Running tasks (in progress) or All tasks (default). Optionally, filter the tasks by type:
- Jobs: Administrator-initiated commits, firewall-initiated commits, and software or content downloads and installations.
- Reports: Scheduled reports.
- Log Requests: Log queries that you trigger by accessing the Dashboard or a Monitor page.

Step 3: Perform any of the following actions:
- Display or hide task details: By default, the Task Manager displays the Type, Status, Start Time, and Messages for each task. To see the End Time and Job ID for a task, you must manually configure the display to expose those columns. To display or hide a column, open the drop-down in any column header, select Columns, and select or deselect the column names as needed.
- Investigate warnings or failures: Read the entries in the Messages column for task details. If the column says Too many messages, click the corresponding entry in the Type column to see more information.
- Display a commit description: If an administrator entered a description when configuring a commit, you can click Commit Description in the Messages column to display the description.
- Check the position of a commit in the queue: The Messages column indicates the queue position of commits that are in progress.
- Cancel pending commits: Click Clear Commit Queue to cancel all pending commits (available only to predefined administrative roles). To cancel an individual commit, click x in the Action column for that commit (the commit remains in the queue until the firewall dequeues it). You cannot cancel commits that are in progress.
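The same job records are available outside the web interface, which matters when you want to alert on failed commits or on a queue that never drains. The following is an added example, not from the guide or from Palo Alto Networks: on a live firewall the data comes from GET https://<firewall>/api/?type=op&cmd=<show><jobs><all></all></jobs></show>&key=<api-key> (the operational command show jobs all is real); the response below is constructed, and its element names, status codes (PEND, ACT, FIN) and job type strings follow what I recall of real output, so treat them as assumptions.

```python
"""Triage the commit queue from the XML API, as the Task Manager does.

Added example (not from the PAN-OS guide). SAMPLE_JOBS is CONSTRUCTED and
its element names are an assumption about the real 'show jobs all' output.
"""
import xml.etree.ElementTree as ET

SAMPLE_JOBS = """<response status="success"><result>
<job><tenq>2017/03/30 10:00:00</tenq><id>41</id><user>admin</user><type>Commit</type>
 <status>FIN</status><result>OK</result><tfin>10:00:52</tfin><progress>100</progress>
 <description>add dmz rules</description>
 <warnings><line>Rule 'allow-dmz' has no security profile group</line></warnings><details/></job>
<job><tenq>2017/03/30 10:05:00</tenq><id>42</id><user>ops</user><type>Commit</type>
 <status>FIN</status><result>FAIL</result><tfin>10:05:03</tfin><progress>100</progress>
 <description/><warnings/>
 <details><line>Validation Error: rulebase -> security -> rules -> allow-dns: 'dmz2' is not a valid reference</line></details></job>
<job><tenq>2017/03/30 10:06:00</tenq><id>43</id><user>admin</user><type>Commit</type>
 <status>PEND</status><result>PEND</result><progress>0</progress><positionInQ>1</positionInQ>
 <description>rollback dns rule</description><warnings/><details/></job>
<job><tenq>2017/03/30 10:06:10</tenq><id>44</id><user/><type>Downld</type>
 <status>ACT</status><result>PEND</result><progress>40</progress><positionInQ>0</positionInQ>
 <description/><warnings/><details/></job>
</result></response>"""


def parse_jobs(xml_text):
    """Turn each <job> into a dict with the fields the Task Manager columns show."""
    jobs = []
    for j in ET.fromstring(xml_text).iter("job"):
        jobs.append({
            "id": int(j.findtext("id")),
            "user": j.findtext("user") or "",          # empty for firewall-initiated jobs
            "type": j.findtext("type") or "",
            "status": j.findtext("status") or "",
            "result": j.findtext("result") or "",
            "progress": int(j.findtext("progress") or 0),
            "queue_position": int(j.findtext("positionInQ") or 0),
            "description": j.findtext("description") or "",
            "warnings": [w.text for w in j.iterfind("warnings/line") if w.text],
            "details": [d.text for d in j.iterfind("details/line") if d.text],
        })
    return jobs


def triage(jobs):
    """Split jobs into the buckets you act on: failed, finished with warnings, queued, running."""
    return {
        "failed": [j for j in jobs if j["status"] == "FIN" and j["result"] != "OK"],
        "warned": [j for j in jobs if j["status"] == "FIN" and j["result"] == "OK" and j["warnings"]],
        "pending": sorted((j for j in jobs if j["status"] == "PEND"), key=lambda j: j["queue_position"]),
        "active": [j for j in jobs if j["status"] == "ACT"],
    }


def cancellable_ids(jobs):
    """Only queued commits can be cancelled (the 'x' in the Action column); running ones cannot."""
    return [j["id"] for j in jobs if j["status"] == "PEND" and j["type"] == "Commit"]


def summary_lines(jobs):
    """One line per job in Task Manager style: id, type, user, status, message."""
    lines = []
    for j in jobs:
        if j["status"] == "PEND":
            msg = "queued at position %d" % j["queue_position"]
        elif j["status"] == "ACT":
            msg = "%d%% complete" % j["progress"]
        elif j["result"] != "OK":
            msg = "; ".join(j["details"]) or "failed"
        else:
            msg = "; ".join(j["warnings"]) or "OK"
        lines.append("#%d %s %s %s: %s" % (j["id"], j["type"], j["user"] or "<firewall>", j["status"], msg))
    return lines
```

Polling this on a schedule and alerting on anything in `failed`, or on a `pending` entry older than your commit window, catches the cases the guide tells you to look for in the Messages column.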

Commit, Validate, and Preview Firewall Configuration Changes

A commit is the process of activating pending changes to the firewall configuration. You can filter pending changes by administrator or location and then preview, validate, or commit only those changes. The locations can be specific virtual systems, shared policies and objects, or shared device and network settings.
The firewall queues commit requests so that you can initiate a new commit while a previous commit is in progress. The firewall performs the commits in the order they are initiated but prioritizes auto-commits that are initiated by the firewall (such as FQDN refreshes). However, if the queue already has the maximum number of administrator-initiated commits, you must wait for the firewall to finish processing a pending commit before initiating a new one. To cancel pending commits or view details about commits of any status, see Manage and Monitor Administrative Tasks.

When you initiate a commit, the firewall checks the validity of the changes before activating them. The validation output displays conditions that either block the commit (errors) or that are important to know (warnings). For example, validation could indicate an invalid route destination that you need to fix for the commit to succeed. The validation process enables you to find and fix errors before you commit (it makes no changes to the running configuration). This is useful if you have a fixed commit window and want to be sure the commit will succeed without errors.

The commit, validate, preview, save, and revert operations apply only to changes made after the last commit. To restore configurations to the state they were in before the last commit, you must load a previously backed-up configuration.
To prevent multiple administrators from making configuration changes during concurrent sessions, see Manage Locks for Restricting Configuration Changes.

Preview, Validate, or Commit Firewall Configuration Changes

Step 1: Configure the scope of configuration changes that you will commit, validate, or preview.
1. Click Commit at the top of the web interface.
2. Select one of the following options:
- Commit All Changes (default): Applies the commit to all changes for which you have administrative privileges. You cannot manually filter the commit scope when you select this option. Instead, the administrator role assigned to the account you used to log in determines the commit scope.
- Commit Changes Made By: Enables you to filter the commit scope by administrator or location. The administrative role assigned to the account you used to log in determines which changes you can filter.
NOTE: To commit the changes of other administrators, the account you used to log in must be assigned the Superuser role or an Admin Role profile with the Commit For Other Admins privilege enabled.
3. (Optional) To filter the commit scope by administrator, select Commit Changes Made By, click the adjacent link, select the administrators, and click OK.
4. (Optional) To filter by location, select Commit Changes Made By and clear any changes that you want to exclude from the Commit Scope.
If dependencies between the configuration changes you included and excluded cause a validation error, perform the commit with all the changes included. For example, when you commit changes to a virtual system, you must include the changes of all administrators who added, deleted, or repositioned rules for the same rulebase in that virtual system.

Step 2: Preview the changes that the commit will activate. This can be useful if, for example, you don't remember all your changes and you're not sure you want to activate all of them. The firewall compares the configurations you selected in the Commit Scope to the running configuration. The preview window displays the configurations side by side and uses color coding to indicate which changes are additions (green), modifications (yellow), or deletions (red).
Click Preview Changes and select the Lines of Context, which is the number of lines from the compared configuration files to display before and after each highlighted difference. These additional lines help you correlate the preview output to settings in the web interface. Close the preview window when you finish reviewing the changes.
Because the preview results display in a new browser window, your browser must allow pop-ups. If the preview window does not open, refer to your browser documentation for the steps to allow pop-ups.

Step 3: Preview the individual settings for which you are committing changes. This can be useful if you want to know details about the changes, such as the types of settings and who changed them.
1. Click Change Summary.
2. (Optional) Group By a column name (such as the Type of setting).
3. Close the Change Summary dialog when you finish reviewing the changes.

Step 4: Validate the changes before you commit to ensure the commit will succeed.
1. Click Validate Changes. The results display all the errors and warnings that an actual commit would display.
2. Resolve any errors that the validation results identify.

Step 5: Commit your configuration changes. Click Commit to validate and activate your changes.
To view details about commits that are pending (which you can still cancel), in progress, completed, or failed, see Manage and Monitor Administrative Tasks.
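Preview Changes, Change Summary and Device > Config Audit (used in the account-compromise procedure above) all answer the same question: which leaves differ between two configuration documents? The following is an added example, not from the guide or from Palo Alto Networks, that performs that comparison on two exported XML documents: it keys every leaf by an XPath-like location, buckets the differences into additions, deletions and modifications as the colour-coded preview does, and groups them by the named object that changed as Change Summary does. Both documents are constructed to resemble the running-config.xml layout; the location naming (entries by their name attribute, repeated unnamed elements by position) is my own convention. Run it before reverting to an older snapshot to see exactly what you are about to lose.

```python
"""Diff two PAN-OS configuration documents by XPath.

Added example (not from the PAN-OS guide). RUNNING and CANDIDATE are
CONSTRUCTED; the path convention is mine, not the firewall's.
"""
import re
import xml.etree.ElementTree as ET

RUNNING = """<config version="8.0.0">
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
 <zone><entry name="trust"/><entry name="dmz"/></zone>
 <rulebase><security><rules>
  <entry name="allow-web"><from><member>trust</member></from><to><member>dmz</member></to>
   <action>allow</action><log-end>yes</log-end></entry>
  <entry name="old-rule"><from><member>trust</member></from><to><member>dmz</member></to>
   <action>deny</action></entry>
 </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

CANDIDATE = """<config version="8.0.0">
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
 <zone><entry name="trust"/><entry name="dmz"/><entry name="untrust"/></zone>
 <rulebase><security><rules>
  <entry name="allow-web"><from><member>trust</member></from><to><member>dmz</member></to>
   <action>allow</action><log-end>no</log-end></entry>
  <entry name="allow-dns"><from><member>trust</member></from><to><member>untrust</member></to>
   <action>allow</action><log-end>yes</log-end></entry>
 </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def flatten(xml_text):
    """Map every leaf element to its text, keyed by an XPath-like location."""
    leaves = {}

    def walk(elem, path):
        total = {}
        for child in elem:
            total[child.tag] = total.get(child.tag, 0) + 1
        seen = {}
        for child in elem:
            seen[child.tag] = seen.get(child.tag, 0) + 1
            if child.tag == "entry" and "name" in child.attrib:
                step = "entry[@name='%s']" % child.attrib["name"]
            elif total[child.tag] > 1:
                step = "%s[%d]" % (child.tag, seen[child.tag])   # e.g. member[2]
            else:
                step = child.tag
            child_path = path + "/" + step
            if len(child):
                walk(child, child_path)
            else:
                leaves[child_path] = (child.text or "").strip()

    root = ET.fromstring(xml_text)
    walk(root, "/" + root.tag)
    return leaves


def diff_config(running_xml, candidate_xml):
    """What a commit of candidate_xml would change relative to running_xml."""
    before, after = flatten(running_xml), flatten(candidate_xml)
    return {
        "added": {p: after[p] for p in after if p not in before},
        "removed": {p: before[p] for p in before if p not in after},
        "changed": {p: (before[p], after[p]) for p in before if p in after and before[p] != after[p]},
    }


ENTRY_RE = re.compile(r"/([^/]+)/entry\[@name='([^']+)'\]")


def change_summary(diff):
    """Group leaf differences by the innermost named object: {(type, name): kind}."""
    summary = {}
    for kind, leaves in (("added", diff["added"]), ("deleted", diff["removed"]), ("modified", diff["changed"])):
        for path in leaves:
            matches = list(ENTRY_RE.finditer(path))
            if not matches:
                continue
            key = (matches[-1].group(1), matches[-1].group(2))
            summary[key] = "modified" if key in summary and summary[key] != kind else kind
    return summary


def as_lines(diff):
    """Render like the preview window: + addition, - deletion, ~ modification."""
    lines = ["+ %s = %s" % (p, v) for p, v in sorted(diff["added"].items())]
    lines += ["- %s = %s" % (p, v) for p, v in sorted(diff["removed"].items())]
    lines += ["~ %s: %s -> %s" % (p, old, new) for p, (old, new) in sorted(diff["changed"].items())]
    return lines
```

Feed it the two files you would export with Export named configuration snapshot (or a configuration version and the current running configuration) and the `change_summary` output is the list of objects to review rule by rule.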

Use Global Find to Search the Firewall or Panorama Management Server

Global Find enables you to search the candidate configuration on a firewall or on Panorama for a particular string, such as an IP address, object name, policy rule name, threat ID, or application name. In addition to searching for configuration objects and settings, you can search by job ID or job type for manual commits that administrators performed or auto-commits that the firewall or Panorama performed. The search results are grouped by category and provide links to the configuration location in the web interface, so that you can easily find all of the places where the string is referenced. The search results also help you identify other objects that depend on or make reference to the search term or string. For example, when deprecating a security profile, enter the profile name in Global Find to locate all instances of the profile and then click each instance to navigate to the configuration page and make the necessary change. After all references are removed, you can then delete the profile. You can do this for any configuration item that has dependencies.

Global Find will not search dynamic content (such as logs, address ranges, or allocated DHCP addresses). In the case of DHCP, you can search on a DHCP server attribute, such as the DNS entry, but you cannot search for individual addresses allocated to users. Global Find also does not search for individual user or group names identified by User-ID unless the user/group is defined in a policy. In general, you can only search content that the firewall writes to the configuration.

Use Global Find

- Launch Global Find by clicking the Search icon located on the upper right of the web interface.
- To access Global Find from within a configuration area, click the drop-down next to an item and select Global Find.
For example, click Global Find on a zone named l3-vlan-trust to search the candidate configuration for each location where the zone is referenced. (The original guide shows a screen capture of the search results for the zone l3-vlan-trust.)

Search tips:
- If you initiate a search on a firewall that has multiple virtual systems enabled or if custom Administrative Roles are defined, Global Find will only return results for areas of the firewall in which the administrator has permissions. The same applies to Panorama device groups.
- Spaces in search terms are handled as AND operations. For example, if you search on corp policy, the search results include instances where corp and policy exist in the configuration.
- To find an exact phrase, enclose the phrase in quotation marks.
- To rerun a previous search, click Search (located on the upper right of the web interface) to see a list of the last 20 searches. Click an item in the list to rerun that search. Search history is unique to each administrator account.
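The search rules above (terms ANDed, quoted phrase matched exactly, results grouped by category, only what is written to the configuration is searchable) are easy to apply to an exported candidate configuration when you need to check dependencies in bulk, for instance before deleting dozens of objects. The following is an added example, not from the guide or from Palo Alto Networks: a miniature Global Find over a constructed configuration. It treats every named entry as one searchable item, reports the category as the entry's parent element, and reproduces the l3-vlan-trust and corp policy searches from the text; the simplified document layout (no devices wrapper) and the location strings are my own.

```python
"""A miniature Global Find over a PAN-OS candidate configuration.

Added example (not from the PAN-OS guide). CONFIG is CONSTRUCTED and
simplified; the category/location conventions are mine.
"""
import shlex
import xml.etree.ElementTree as ET

CONFIG = """<config>
 <network>
  <interface><ethernet>
   <entry name="ethernet1/1"><layer3><ip><entry name="10.1.1.1/24"/></ip></layer3></entry>
   <entry name="ethernet1/2"><layer3><ip><entry name="203.0.113.2/30"/></ip></layer3></entry>
  </ethernet></interface>
  <virtual-router><entry name="default"><interface><member>ethernet1/1</member><member>ethernet1/2</member></interface></entry></virtual-router>
 </network>
 <vsys><entry name="vsys1">
  <zone>
   <entry name="l3-vlan-trust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
   <entry name="l3-untrust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
  </zone>
  <address><entry name="corp-web"><ip-netmask>10.1.1.10/32</ip-netmask><description>corp policy host</description></entry></address>
  <rulebase><security><rules>
   <entry name="corp-outbound"><from><member>l3-vlan-trust</member></from><to><member>l3-untrust</member></to>
    <source><member>corp-web</member></source><action>allow</action><description>corp internet policy</description></entry>
   <entry name="deny-all"><from><member>any</member></from><to><member>any</member></to><action>deny</action></entry>
  </rules></security></rulebase>
 </entry></vsys>
</config>"""


def parse_query(query):
    """Space-separated terms are ANDed; a double-quoted phrase must match exactly."""
    return [term.lower() for term in shlex.split(query) if term]


def _own_text(elem):
    """Searchable text of one item: its attributes and text, recursing into unnamed
    children but not into nested named entries (those are items of their own)."""
    parts = list(elem.attrib.values()) + [elem.text or ""]
    for child in elem:
        if child.tag == "entry" and "name" in child.attrib:
            continue
        parts.append(_own_text(child))
    return " ".join(parts)


def global_find(xml_text, query, exclude_name=None):
    """Return {category: [location, ...]} for every named entry matching all terms."""
    terms = parse_query(query)
    results = {}

    def walk(elem, location):
        for child in elem:
            if child.tag == "entry" and "name" in child.attrib:
                name = child.attrib["name"]
                here = location + [name]
                blob = _own_text(child).lower()
                if terms and name != exclude_name and all(t in blob for t in terms):
                    results.setdefault(elem.tag, []).append(" > ".join(here))
                walk(child, here)
            else:
                walk(child, location)

    walk(ET.fromstring(xml_text), [])
    return results


def references_to(xml_text, name):
    """Dependency check before deleting an object: every other item that names it."""
    return global_find(xml_text, '"%s"' % name, exclude_name=name)
```

`references_to` is the deprecation workflow from the text in one call: an empty result means the object can be deleted; anything else is the list of places to edit first.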

Manage Locks for Restricting Configuration Changes

You can use configuration locks to prevent other administrators from changing the candidate configuration or from committing configuration changes until you manually remove the lock or the firewall automatically removes it (after a commit). Locks ensure that administrators don't make conflicting changes to the same settings or interdependent settings during concurrent login sessions.

The firewall queues commit requests and performs them in the order that administrators initiate the commits. For details, see Commit, Validate, and Preview Firewall Configuration Changes. To view the status of queued commits, see Manage and Monitor Administrative Tasks.

View details about current locks. For example, you can check whether other administrators have set locks and read comments they entered to explain the locks.
Click the lock icon at the top of the web interface. An adjacent number indicates the number of current locks.

Lock a configuration.
1. Click the lock icon at the top of the web interface.
NOTE: The lock image varies based on whether existing locks are or are not set.
2. Click Take a Lock and select the lock Type:
- Config: Blocks other administrators from changing the candidate configuration.
- Commit: Blocks other administrators from committing changes made to the candidate configuration.
3. (Firewall with multiple virtual systems only) Select a Location to lock the configuration for a specific virtual system or the Shared location.
4. (Optional) As a best practice, enter a Comment so that other administrators will understand the reason for the lock.
5. Click OK and Close.

Unlock a configuration. Only a superuser or the administrator who locked the configuration can manually unlock it. However, the firewall automatically removes a lock after completing the commit operation.
1. Click the lock icon at the top of the web interface.
2. Select the lock entry in the list.
3. Click Remove Lock, OK, and Close.

Configure the firewall to automatically apply a commit lock when you change the candidate configuration. This setting applies to all administrators.
1. Select Device > Setup > Management and edit the General Settings.
2. Select Automatically Acquire Commit Lock and then click OK and Commit.

Manage Configuration Backups

The running configuration on the firewall comprises all settings you have committed and that are therefore active, such as policy rules that currently block or allow various types of traffic in your network. The candidate configuration is a copy of the running configuration plus any inactive changes that you made after the last commit. Saving backup versions of the running or candidate configuration enables you to later restore those versions. For example, if a commit validation shows that the current candidate configuration has more errors than you want to fix, you can restore a previous candidate configuration. You can also revert to the current running configuration without saving a backup first.

See Commit, Validate, and Preview Firewall Configuration Changes for details about commit operations.

- Save and Export Firewall Configurations
- Revert Firewall Configuration Changes

Save and Export Firewall Configurations

Saving a backup of the candidate configuration to persistent storage on the firewall enables you to later revert to that backup (see Revert Firewall Configuration Changes). This is useful for preserving changes that would otherwise be lost if a system event or administrator action causes the firewall to reboot. After rebooting, PAN-OS automatically reverts to the current version of the running configuration, which the firewall stores in a file named running-config.xml. Saving backups is also useful if you want to revert to a firewall configuration that is earlier than the current running configuration. The firewall does not automatically save the candidate configuration to persistent storage. You must manually save the candidate configuration as a default snapshot file (.snapshot.xml) or as a custom-named snapshot file. The firewall stores the snapshot file locally, but you can export it to an external host.

You don't have to save a configuration backup to revert the changes made since the last commit or reboot; just select Config > Revert Changes (see Revert Firewall Configuration Changes).
When you edit a setting and click OK, the firewall updates the candidate configuration but does not save a backup snapshot.
Additionally, saving changes does not activate them. To activate changes, perform a commit (see Commit, Validate, and Preview Firewall Configuration Changes).
Palo Alto Networks recommends that you back up any important configuration to a host external to the firewall.

Save and Export Firewall Configurations

Step 1: Save a local backup snapshot of the candidate configuration if it contains changes that you want to preserve in the event the firewall reboots. These are changes you are not ready to commit, for example, changes you cannot finish in the current login session.
To overwrite the default snapshot file (.snapshot.xml) with all the changes that all administrators made, perform one of the following steps:
- Select Device > Setup > Operations and Save candidate configuration.
- Log in to the firewall with an administrative account that is assigned the Superuser role or an Admin Role profile with the Save For Other Admins privilege enabled. Then select Config > Save Changes at the top of the web interface, select Save All Changes and Save.
To create a snapshot that includes all the changes that all administrators made but without overwriting the default snapshot file:
a. Select Device > Setup > Operations and Save named configuration snapshot.
b. Specify the Name of a new or existing configuration file.
c. Click OK and Close.
To save only specific changes to the candidate configuration without overwriting any part of the default snapshot file:
a. Log in to the firewall with an administrative account that has the role privileges required to save the desired changes.
b. Select Config > Save Changes at the top of the web interface.
c. Select Save Changes Made By.
d. To filter the Save Scope by administrator, click <administrator-name>, select the administrators, and click OK.
e. To filter the Save Scope by location, clear any locations that you want to exclude. The locations can be specific virtual systems, shared policies and objects, or shared device and network settings.
f. Click Save, specify the Name of a new or existing configuration file, and click OK.

Step 2: Export a candidate configuration, a running configuration, or the firewall state information to a host external to the firewall.
Select Device > Setup > Operations and click an export option:
- Export named configuration snapshot: Export the current running configuration, a named candidate configuration snapshot, or a previously imported configuration (candidate or running). The firewall exports the configuration as an XML file with the Name you specify.
- Export configuration version: Select a Version of the running configuration to export as an XML file. The firewall creates a version whenever you commit configuration changes.
- Export device state: Export the firewall state information as a bundle. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the exported information on the replacement by importing the state bundle.
Exported configurations and state bundles contain administrator password hashes and other secrets, so protect the exported files as carefully as the firewall itself.
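The recommendation to keep backups on an external host is only useful if you can trust the copy you restore from. The following is an added example, not from the guide or from Palo Alto Networks, of the receiving side of a scheduled export: it builds the query parameters for the XML API export calls (type=export with category=configuration for the running configuration or category=device-state for the state bundle, both real), refuses to archive a response that is not a configuration document (a login page or a truncated download), names each file by host, category and UTC timestamp, writes a sha256sum-compatible sidecar so tampering or corruption is detected before a restore, and applies a retention limit. The storage conventions are my own, API-key authentication is an assumption, and the payloads are constructed; nothing here contacts a firewall.

```python
"""Store exported PAN-OS configurations on an external host, verifiably.

Added example (not from the PAN-OS guide). Export parameters target the
real XML API; file naming, sidecar and retention are my conventions.
"""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed stand-in for what GET /api/?type=export&category=configuration returns.
SAMPLE_CONFIG = b'<config version="8.0.0"><mgt-config><users><entry name="admin"/></users></mgt-config></config>'


def export_params(category, api_key):
    """Query parameters for GET https://<firewall>/api/ (assumption: API-key auth)."""
    if category not in ("configuration", "device-state"):
        raise ValueError("unsupported export category: %s" % category)
    return {"type": "export", "category": category, "key": api_key}


def looks_like_config(payload):
    """Reject an error page or truncated download before it is archived as a backup."""
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return False
    return root.tag == "config" and "version" in root.attrib


def store_backup(directory, hostname, category, payload, when=None):
    """Write the payload plus a sidecar hash; return (path, sha256 hex digest)."""
    if category == "configuration" and not looks_like_config(payload):
        raise ValueError("payload is not a PAN-OS configuration document")
    when = when or datetime.now(timezone.utc)
    ext = "xml" if category == "configuration" else "tgz"
    name = "%s-%s-%s.%s" % (hostname, category, when.strftime("%Y%m%dT%H%M%SZ"), ext)
    path = os.path.join(directory, name)
    digest = hashlib.sha256(payload).hexdigest()
    with open(path, "wb") as fh:
        fh.write(payload)
    with open(path + ".sha256", "w") as fh:
        fh.write("%s  %s\n" % (digest, name))        # 'sha256sum -c' compatible
    return path, digest


def verify_backup(path):
    """True only if the file still matches the digest recorded when it was stored."""
    with open(path, "rb") as fh:
        actual = hashlib.sha256(fh.read()).hexdigest()
    with open(path + ".sha256") as fh:
        expected = fh.read().split()[0]
    return actual == expected


def prune(directory, hostname, category, keep):
    """Delete all but the newest `keep` backups; the timestamped names sort chronologically."""
    prefix = "%s-%s-" % (hostname, category)
    names = sorted(n for n in os.listdir(directory)
                   if n.startswith(prefix) and not n.endswith(".sha256"))
    doomed = names[:-keep] if keep else names
    for n in doomed:
        for victim in (n, n + ".sha256"):
            p = os.path.join(directory, victim)
            if os.path.exists(p):
                os.remove(p)
    return doomed


def demo():
    """Round trip in a temporary directory: store, verify, detect tampering, prune."""
    d = tempfile.mkdtemp()
    results = {}
    times = [datetime(2017, 3, 28 + i, 2, 0, tzinfo=timezone.utc) for i in range(3)]
    paths = [store_backup(d, "fw1", "configuration", SAMPLE_CONFIG, when=t)[0] for t in times]
    results["verified"] = all(verify_backup(p) for p in paths)
    with open(paths[0], "ab") as fh:           # simulate corruption in transit
        fh.write(b"<!-- tampered -->")
    results["tampered_detected"] = not verify_backup(paths[0])
    results["pruned"] = prune(d, "fw1", "configuration", keep=2) == [os.path.basename(paths[0])]
    results["rejects_garbage"] = not looks_like_config(b"<html>login</html>")
    results["params"] = export_params("device-state", "KEY")
    return results
```

Restrict the backup directory to the account that runs the export: the files carry password hashes and pre-shared keys.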

Revert Firewall Configuration Changes

Revert operations replace settings in the current candidate configuration with settings from another configuration. Reverting changes is useful when you want to undo changes to multiple settings as a single operation instead of manually reconfiguring each setting.
You can revert pending changes that were made to the firewall configuration since the last commit. The firewall provides the option to filter the pending changes by administrator or location. The locations can be specific virtual systems, shared policies and objects, or shared device and network settings. If you saved a snapshot file for a candidate configuration that is earlier than the current running configuration (see Save and Export Firewall Configurations), you can also revert to that snapshot. Reverting to a snapshot enables you to restore a candidate configuration that existed before the last commit. The firewall automatically saves a new version of the running configuration whenever you commit changes, and you can restore any of those versions.

Revert to the current running configuration (file named running-config.xml). This operation undoes changes you made to the candidate configuration since the last commit.
To revert all the changes that all administrators made, perform one of the following steps:
- Select Device > Setup > Operations, Revert to running configuration, and click Yes to confirm the operation.
- Log in to the firewall with an administrative account that is assigned the Superuser role or an Admin Role profile with the Commit For Other Admins privilege enabled. Then select Config > Revert Changes at the top of the web interface, select Revert All Changes and Revert.
To revert only specific changes to the candidate configuration:
a. Log in to the firewall with an administrative account that has the role privileges required to revert the desired changes.
NOTE: The privileges that control commit operations also control revert operations.
b. Select Config > Revert Changes at the top of the web interface.
c. Select Revert Changes Made By.
d. To filter the Revert Scope by administrator, click <administrator-name>, select the administrators, and click OK.
e. To filter the Revert Scope by location, clear any locations that you want to exclude.
f. Revert the changes.

Revert to the default snapshot of the candidate configuration. This is the snapshot that you create or overwrite when you click Config > Save Changes at the top of the web interface.
1. Select Device > Setup > Operations and Revert to last saved configuration.
2. Click Yes to confirm the operation.
3. (Optional) Click Commit to overwrite the running configuration with the snapshot.

Revert to a previous version of the running configuration that is stored on the firewall. The firewall creates a version whenever you commit configuration changes.
1. Select Device > Setup > Operations and Load configuration version.
2. Select a configuration Version and click OK.
3. (Optional) Click Commit to overwrite the running configuration with the version you just restored.
Revert to one of the following: a custom-named version of the running configuration that you previously imported, or a custom-named candidate configuration snapshot (instead of the default snapshot).
1. Select Device > Setup > Operations and click Load named configuration snapshot.
2. Select the snapshot Name and click OK.
3. (Optional) Click Commit to overwrite the running configuration with the snapshot.

Revert to a running or candidate configuration that you previously exported to an external host.
1. Select Device > Setup > Operations, click Import named configuration snapshot, Browse to the configuration file on the external host, and click OK.
2. Click Load named configuration snapshot, select the Name of the configuration file you just imported, and click OK.
3. (Optional) Click Commit to overwrite the running configuration with the snapshot you just imported.

Restore state information that you exported from a firewall. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the information on the replacement by importing the state bundle.
Import state information:
1. Select Device > Setup > Operations, click Import device state, Browse to the state bundle, and click OK.
2. (Optional) Click Commit to apply the imported state information to the running configuration.

Manage Firewall Administrators

Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks firewalls. Every Palo Alto Networks firewall has a predefined default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall.

As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This enables you to better protect the firewall from unauthorized configuration and enables logging of the actions of individual administrators.

- Administrative Roles
- Administrative Authentication
- Configure Administrative Accounts and Authentication

Administrative Roles

A role defines the type of access that an administrator has to the firewall.
- Administrative Role Types
- Configure an Admin Role Profile

Administrative Role Types

The role types are:
- Admin Role Profiles: Custom roles you can configure for more granular access control over the functional areas of the web interface, CLI, and XML API. For example, you can create an Admin Role profile for your operations staff that provides access to the firewall and network configuration areas of the web interface and a separate profile for your security administrators that provides access to security policy definitions, logs, and reports. On a firewall with multiple virtual systems, you can select whether the role defines access for all virtual systems or specific virtual systems. When new features are added to the product, you must update the roles with corresponding access privileges: the firewall does not automatically add new features to custom role definitions. For details on the privileges you can configure for custom administrator roles, see Reference: Web Interface Administrator Access.
- Dynamic Roles: These are built-in roles that provide access to the firewall. When new features are added, the firewall automatically updates the definitions of dynamic roles; you never need to manually update them. The following table lists the access privileges associated with dynamic roles.

Dynamic Role: Privileges
Superuser: Full access to the firewall, including defining new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.
Superuser (read-only): Read-only access to the firewall.

Virtual system administrator: Full access to a selected virtual system (vsys) on the firewall.
Virtual system administrator (read-only): Read-only access to a selected vsys on the firewall.
Device administrator: Full access to all firewall settings except for defining new accounts or virtual systems.
Device administrator (read-only): Read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).

Configure an Admin Role Profile

Admin Role profiles enable you to define granular administrative access privileges to ensure protection for sensitive company information and privacy for end users.

As a best practice, create Admin Role profiles that allow administrators to access only the areas of the management interfaces that they need to access to perform their jobs.

Step 1: Select Device > Admin Roles and click Add.
Step 2: Enter a Name to identify the role.
Step 3: For the scope of the Role, select Device or Virtual System.
Step 4: In the Web UI and XML API tabs, click the icon for each functional area to toggle it to the desired setting: Enable, Read Only, or Disable. For details on the Web UI options, see Web Interface Access Privileges.
Step 5: Select the Command Line tab and select a CLI access option. The Role scope controls the available options:
- Device role: superuser, superreader, deviceadmin, devicereader, or None
- Virtual System role: vsysadmin, vsysreader, or None
Step 6: Click OK to save the profile.
Step 7: Assign the role to an administrator. See Configure a Firewall Administrator Account.

Administrative Authentication

You can configure the following types of authentication and authorization (role and access domain assignment) for firewall administrators:

Authentication method: Local. Authorization method: Local.
The administrative account credentials and authentication mechanisms are local to the firewall. You can define the accounts with or without a user database that is local to the firewall; see Local Authentication for the advantages and disadvantages of using a local database. You use the firewall to manage role assignments, but access domains are not supported. For details, see Configure Local or External Authentication for Firewall Administrators.

Authentication method: SSH keys. Authorization method: Local.
The administrative accounts are local to the firewall, but authentication to the CLI is based on SSH keys. You use the firewall to manage role assignments, but access domains are not supported. For details, see Configure SSH Key-Based Administrator Authentication to the CLI.

Authentication method: Certificates. Authorization method: Local.
The administrative accounts are local to the firewall, but authentication to the web interface is based on client certificates. You use the firewall to manage role assignments, but access domains are not supported. For details, see Configure Certificate-Based Administrator Authentication to the Web Interface.

Authentication method: External service. Authorization method: Local.
The administrative accounts you define locally on the firewall serve as references to the accounts defined on an external Multi-Factor Authentication, SAML, Kerberos, TACACS+, RADIUS, or LDAP server. The external server performs authentication. You use the firewall to manage role assignments, but access domains are not supported. For details, see Configure Local or External Authentication for Firewall Administrators.

Authentication method: External service. Authorization method: External service.
The administrative accounts are defined only on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall. For details, see:
- Configure SAML Authentication
- Configure TACACS+ Authentication
- Configure RADIUS Authentication

Configure Administrative Accounts and Authentication

If you have already configured an authentication profile (see Configure an Authentication Profile and Sequence) or you don't require one to authenticate administrators, you are ready to Configure a Firewall Administrator Account. Otherwise, perform one of the other procedures listed below to configure administrative accounts for specific types of authentication.
- Configure a Firewall Administrator Account
- Configure Local or External Authentication for Firewall Administrators
- Configure Certificate-Based Administrator Authentication to the Web Interface
- Configure SSH Key-Based Administrator Authentication to the CLI

Configure a Firewall Administrator Account

Administrative accounts specify roles and authentication methods for firewall administrators. The service that you use to assign roles and perform authentication determines whether you add the accounts on the firewall, on an external server, or both (see Administrative Authentication). If the authentication method relies on a local firewall database or an external service, you must configure an authentication profile before adding an administrative account (see Configure Administrative Accounts and Authentication). If you already configured the authentication profile or you will use Local Authentication without a firewall database, perform the following steps to add an administrative account on the firewall.

Step 1: Select Device > Administrators and Add an account.
Step 2: Enter a user Name. If the firewall uses a local user database to authenticate the account, enter the name that you specified for the account in the database (see Add the user account to the local database).
Step 3: Select an Authentication Profile or sequence if you configured either for the administrator. If the firewall uses Local Authentication without a local user database for the account, select None (default) and enter a Password.
Step 4: Select the Administrator Type. If you configured a custom role for the user, select Role Based and select the Admin Role Profile. Otherwise, select Dynamic (default) and select a dynamic role. If the dynamic role is virtual system administrator, add one or more virtual systems that the virtual system administrator is allowed to manage.
Step 5: (Optional) Select a Password Profile for administrators that the firewall authenticates locally without a local user database. For details, see Define a Password Profile.
Step 6: Click OK and Commit.

Configure Local or External Authentication for Firewall Administrators

You can use Local Authentication or External Authentication Services to authenticate administrators who access the firewall. These authentication methods prompt administrators to respond to one or more authentication challenges, such as a login page for entering a username and password.

If you use an external service to manage both authentication and authorization (role and access domain assignments), see:
- Configure SAML Authentication
- Configure TACACS+ Authentication
- Configure RADIUS Authentication
To authenticate administrators without a challenge-response mechanism, you can Configure Certificate-Based Administrator Authentication to the Web Interface and Configure SSH Key-Based Administrator Authentication to the CLI.

Configure Local or External Authentication for Firewall Administrators

Step 1: (External authentication only) Enable the firewall to connect to an external server for authenticating administrators. Configure a server profile:
- Add a RADIUS server profile. If the firewall integrates with a Multi-Factor Authentication (MFA) service through RADIUS, you must add a RADIUS server profile. In this case, the MFA service provides all the authentication factors (challenges). If the firewall integrates with an MFA service through a vendor API, you can still use a RADIUS server profile for the first factor, but MFA server profiles are required for additional factors.
- Add an MFA server profile.
- Add a TACACS+ server profile.
- Add a SAML IdP server profile. You cannot combine Kerberos single sign-on (SSO) with SAML SSO; you can use only one type of SSO service.
- Add a Kerberos server profile.
- Add an LDAP server profile.

Step 2: (Local database authentication only) Configure a user database that is local to the firewall.
1. Add the user account to the local database.
2. (Optional) Add the user group to the local database.

Step 3: (Local authentication only) Define password complexity and expiration settings. These settings help protect the firewall against unauthorized access by making it harder for attackers to guess passwords.
1. Define global password complexity and expiration settings for all local administrators. The settings don't apply to local database accounts for which you specified a password hash instead of a password (see Local Authentication).
a. Select Device > Setup > Management and edit the Minimum Password Complexity settings.
b. Select Enabled.
c. Define the password settings and click OK.
2. Define a Password Profile. You assign the profile to administrator accounts for which you want to override the global password expiration settings. The profiles are available only to accounts that are not associated with a local database (see Local Authentication).
a. Select Device > Password Profiles and Add a profile.
b. Enter a Name to identify the profile.
c. Define the password expiration settings and click OK.

Step 4: (Kerberos SSO only) Create a Kerberos keytab. A keytab is a file that contains Kerberos account information for the firewall. To support Kerberos SSO, your network must have a Kerberos infrastructure.

Step 5: Configure an authentication profile. Configure an Authentication Profile and Sequence. In the authentication profile, specify the Type of authentication service and related settings:
- External service: Select the Type of external service and select the Server Profile you created for it.
- Local database authentication: Set the Type to Local Database.
- Local authentication without a database: Set the Type to None.
- Kerberos SSO: Specify the Kerberos Realm and Import the Kerberos Keytab.
If your administrative accounts are stored across multiple types of servers, you can create an authentication profile for each type and add all the profiles to an authentication sequence.

PaloAltoNetworks,Inc. PANOS8.0AdministratorsGuide 75
ManageFirewallAdministrators FirewallAdministration

ConfigureLocalorExternalAuthenticationforFirewallAdministrators(Continued)

Step6 Assigntheauthenticationprofileor 1. ConfigureaFirewallAdministratorAccount.


sequencetoanadministratoraccount. AssigntheAuthentication Profileorsequencethatyou
configured.
(Localdatabaseauthenticationonly)SpecifytheNameof
theuseraccountyouaddedtothelocaldatabase.
2. Commityourchanges.
3. (Optional)TestAuthenticationServerConnectivitytoverify
thatthefirewallcanusetheauthenticationprofileto
authenticateadministrators.
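The complexity and expiration settings in Step 3 are enforced by the firewall itself. The following Python is an added example (not from this guide and not Palo Alto Networks code) that implements the same kind of checks so you can test a proposed policy against candidate passwords before you enable it on the firewall. The policy field names, the SHA-256 password history, and the sample passwords are assumptions made for the example; the firewall's own configuration keys may differ.

```python
"""Added example: a local model of Minimum Password Complexity checks.
Field names are assumptions modelled on the Device > Setup > Management settings."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class PasswordPolicy:
    minimum_length: int = 12
    minimum_uppercase: int = 1
    minimum_lowercase: int = 1
    minimum_numeric: int = 1
    minimum_special: int = 1
    block_repeated_characters: int = 2   # 0 = off; otherwise the longest allowed run of one character
    block_username_inclusion: bool = True
    new_password_differs_by: int = 3      # characters that must change relative to the old password
    prevent_reuse_limit: int = 5          # how many previous password hashes to compare against


def password_hash(password: str) -> str:
    """History is kept as hashes so old passwords are never stored in clear text (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _longest_run(s: str) -> int:
    """Length of the longest run of one repeated character."""
    longest = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        longest = max(longest, run)
    return longest


def _chars_differing(new: str, old: str) -> int:
    """Positional differences plus any length change: a conservative count."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


def check_password(candidate: str, username: str, policy: PasswordPolicy,
                   old_password: Optional[str] = None,
                   history_hashes: Sequence[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    violations = []
    if len(candidate) < policy.minimum_length:
        violations.append("length")
    classes = {
        "uppercase": sum(c.isupper() for c in candidate),
        "lowercase": sum(c.islower() for c in candidate),
        "numeric": sum(c.isdigit() for c in candidate),
        "special": sum((not c.isalnum()) and (not c.isspace()) for c in candidate),
    }
    for name, count in classes.items():
        if count < getattr(policy, f"minimum_{name}"):
            violations.append(name)
    if policy.block_repeated_characters and _longest_run(candidate) > policy.block_repeated_characters:
        violations.append("repeated_characters")
    if policy.block_username_inclusion and username and username.lower() in candidate.lower():
        violations.append("username_inclusion")
    # The old password is only available at change time, when the administrator supplies it.
    if old_password is not None and _chars_differing(candidate, old_password) < policy.new_password_differs_by:
        violations.append("too_similar_to_old")
    recent = list(history_hashes)[-policy.prevent_reuse_limit:] if policy.prevent_reuse_limit else []
    if password_hash(candidate) in recent:
        violations.append("reuse")
    return violations


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample passwords for a hypothetical "admin" account.
    print(check_password("Correct-Horse-7", "admin", policy))   # []
    print(check_password("adminadmin111!", "admin", policy))    # ['uppercase', 'repeated_characters', 'username_inclusion']
```

The "differs by N characters" rule can only be evaluated when the old password is presented in clear at change time, which is why the example takes `old_password` separately while the reuse history holds only hashes.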

Configure Certificate-Based Administrator Authentication to the Web Interface

As a more secure alternative to password-based authentication to the firewall web interface, you can
configure certificate-based authentication for administrator accounts that are local to the firewall.
Certificate-based authentication involves the exchange and verification of a digital signature instead of a
password.

Configuring certificate-based authentication for any administrator disables the username/password
logins for all administrators on the firewall; administrators thereafter require the certificate to log in.
Before you commit the change, make sure at least one administrator's client certificate is already
installed in a browser you control: the commit restarts the firewall and ends your session (Step 6), and
afterwards the web interface accepts logins only from client systems that hold a valid client certificate.

Step 1  Generate a certificate authority (CA) certificate on the firewall. You will use this CA certificate
        to sign the client certificate of each administrator.
        Create a Self-Signed Root CA Certificate. Alternatively, Import a Certificate and Private Key from
        your enterprise CA or a third-party CA.

Step 2  Configure a certificate profile for securing access to the web interface.
        Configure a Certificate Profile.
        - Set the Username Field to Subject.
        - In the CA Certificates section, Add the CA Certificate you just created or imported.

Step 3  Configure the firewall to use the certificate profile for authenticating administrators.
        1. Select Device > Setup > Management and edit the Authentication Settings.
        2. Select the Certificate Profile you created for authenticating administrators and click OK.

Step 4  Configure the administrator accounts to use client certificate authentication.
        For each administrator who will access the firewall web interface, Configure a Firewall
        Administrator Account and select Use only client certificate authentication.
        If you have already deployed client certificates that your enterprise CA generated, skip to
        Step 8. Otherwise, go to Step 5.

Step 5  Generate a client certificate for each administrator.
        Generate a Certificate. In the Signed By drop-down, select the self-signed root CA certificate
        from Step 1. Because the certificate profile takes the username from the Subject field, set the
        certificate's Common Name to the administrator's account name exactly.

Step 6  Export the client certificate.
        1. Export a Certificate and Private Key.
        2. Commit your changes. The firewall restarts and terminates your login session. Thereafter,
           administrators can access the web interface only from client systems that have the client
           certificate you generated.

Step 7  Import the client certificate into the client system of each administrator who will access the
        web interface.
        Refer to your web browser documentation.

Step 8  Verify that administrators can access the web interface.
        1. Open the firewall IP address in a browser on the computer that has the client certificate.
        2. When prompted, select the certificate you imported and click OK. The browser displays a
           certificate warning (typically because the firewall's own management certificate is not
           issued by a CA the browser trusts).
        3. Add the certificate to the browser exception list.
        4. Click Login. The web interface should appear without prompting you for a username or
           password.

Configure SSH Key-Based Administrator Authentication to the CLI

For administrators who use Secure Shell (SSH) to access the CLI of a Palo Alto Networks firewall, SSH keys
provide a more secure authentication method than passwords. SSH keys almost eliminate the risk of
brute-force attacks, provide the option for two-factor authentication (key and passphrase), and don't send
passwords over the network. SSH keys also enable automated scripts to access the CLI.

Step 1  Use an SSH key generation tool to create an asymmetric key pair on the client system of the
        administrator.
        The supported key formats are IETF SECSH and OpenSSH. The supported algorithms are DSA
        (1,024 bits) and RSA (768-4,096 bits). Prefer RSA keys of at least 2,048 bits: 1,024-bit DSA and
        RSA keys shorter than 2,048 bits are weak by current standards, and current OpenSSH clients
        disable the ssh-dss algorithm by default, so a DSA key may never be offered to the firewall.
        For the commands to generate the key pair, refer to your SSH client documentation.
        The public key and private key are separate files. Save the public key where you can upload it
        to the firewall; the private key stays on the administrator's client system and is never copied
        to the firewall. For added security, enter a passphrase to encrypt the private key. The SSH
        client prompts the administrator for this passphrase to unlock the private key during login.

Step 2  Configure the administrator account to use public key authentication.
        1. Configure a Firewall Administrator Account.
           - Configure the authentication method to use as a fallback if SSH key authentication fails.
             If you configured an Authentication Profile for the administrator, select it in the
             drop-down. If you select None, you must enter a Password and Confirm Password.
             The fallback remains a valid way to log in, so the account is only as strong as that
             fallback; apply the password complexity settings or an MFA-backed authentication profile
             to it.
           - Select Use Public Key Authentication (SSH), then Import Key, Browse to the public key you
             just generated, and click OK.
        2. Commit your changes.

Step 3  Configure the SSH client to use the private key to authenticate to the firewall.
        Perform this task on the client system of the administrator. For the steps, refer to your SSH
        client documentation.

Step 4  Verify that the administrator can access the firewall CLI using SSH key authentication.
        1. Use the SSH client on the client system of the administrator to connect to the firewall IP
           address.
        2. Log in to the firewall CLI as the administrator. After entering a username, you will see output
           like the following (the key name is an example; the exact wording depends on the SSH client):
           Authenticating with public key dsa-key-20130415
        3. If prompted, enter the passphrase you defined when creating the keys.
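The key you import in Step 2 must be in one of the two formats and within the sizes listed in Step 1. The following Python is an added example (not from the guide and not Palo Alto Networks code) that parses an OpenSSH public key line, reports algorithm and size, checks both against the guide's supported ranges and against current practice, and re-wraps the key as an IETF SECSH (RFC 4716) file. The `make_openssh_rsa_line` helper builds a format-correct line around a pseudo-random modulus so the example runs offline; it is constructed test data, not a usable key, and a real key still comes from ssh-keygen or your SSH client.

```python
"""Added example: pre-import checks and format conversion for an SSH public key."""
import base64
import random
import struct
import textwrap

# Sizes the guide lists as supported; 2,048 bits is an added recommendation, not a firewall limit.
SUPPORTED = {"ssh-rsa": (768, 4096), "ssh-dss": (1024, 1024)}
MINIMUM_RECOMMENDED_RSA = 2048


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH 'mpint': minimal big-endian two's complement (a leading 0x00 keeps it positive)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, offset: int):
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def make_openssh_rsa_line(bits: int, comment: str, seed: int = 1) -> str:
    """Constructed test data: an ssh-rsa line around a pseudo-random modulus, not a real key."""
    rng = random.Random(seed)
    modulus = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force exact bit length, odd
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_openssh_public_key(line: str):
    """Return (algorithm, key_bits, comment) for an OpenSSH one-line public key."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner_type, off = _read_string(blob, 0)
    if inner_type != key_type.encode():
        raise ValueError("key type inside the blob does not match the prefix")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)        # public exponent
        n, off = _read_string(blob, off)         # modulus: its bit length is the key size
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type == "ssh-dss":
        p, off = _read_string(blob, off)         # p sets the key size; q, g, y follow
        for _ in range(3):
            _, off = _read_string(blob, off)
        bits = int.from_bytes(p, "big").bit_length()
    else:
        raise ValueError(f"unsupported key type {key_type}")
    if off != len(blob):
        raise ValueError("trailing data after the key blob")
    return key_type, bits, comment


def assess_key(line: str):
    """Return (accepted_by_firewall, warnings) for the key on this line."""
    key_type, bits, _comment = parse_openssh_public_key(line)
    low, high = SUPPORTED[key_type]
    warnings = []
    if key_type == "ssh-dss":
        warnings.append("DSA is limited to 1,024 bits and is disabled by default in current OpenSSH clients")
    elif bits < MINIMUM_RECOMMENDED_RSA:
        warnings.append(f"RSA modulus of {bits} bits is below the {MINIMUM_RECOMMENDED_RSA}-bit minimum recommended today")
    return low <= bits <= high, warnings


def to_rfc4716(line: str) -> str:
    """Re-wrap an OpenSSH line as an IETF SECSH (RFC 4716) public key file."""
    _type, b64, *rest = line.strip().split(None, 2)
    header = f'Comment: "{rest[0]}"\n' if rest else ""
    body = textwrap.fill(b64, 70)                 # RFC 4716 lines must not exceed 72 characters
    return f"---- BEGIN SSH2 PUBLIC KEY ----\n{header}{body}\n---- END SSH2 PUBLIC KEY ----\n"


if __name__ == "__main__":
    line = make_openssh_rsa_line(2048, "admin@example.invalid")   # hypothetical comment
    print(parse_openssh_public_key(line)[:2])
    print(assess_key(line), assess_key(make_openssh_rsa_line(1024, "legacy")))
    print(to_rfc4716(line))
```

To check a real key, pass the contents of the `.pub` file your client produced to `assess_key` and `to_rfc4716`; the helper is only there so the example has input without a key generator.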

Reference: Web Interface Administrator Access

You can configure privileges for an entire firewall or for one or more virtual systems (on platforms that
support multiple virtual systems). Within that Device or Virtual System designation, you can configure
privileges for custom administrator roles, which are more granular than the fixed privileges associated with
a dynamic administrator role.

Configuring privileges at a granular level ensures that lower-level administrators cannot access certain
information. You can create custom roles for firewall administrators (see Configure a Firewall Administrator
Account), Panorama administrators, or Device Group and Template administrators (refer to the Panorama
Administrator's Guide). You apply the admin role to a custom role-based administrator account where you
can assign one or more virtual systems. The following topics describe the privileges you can configure for
custom administrator roles.
- Web Interface Access Privileges
- Panorama Web Interface Access Privileges

Web Interface Access Privileges

If you want to prevent a role-based administrator from accessing specific tabs on the web interface, you can
disable the tab and the administrator will not even see it when logging in using the associated role-based
administrative account. For example, you could create an Admin Role Profile for your operations staff that
provides access to the Device and Network tabs only and a separate profile for your security administrators
that provides access to the Object, Policy, and Monitor tabs.

An admin role can apply at the Device level or Virtual System level as defined by the Device or Virtual System
radio button. If you select Virtual System, the admin assigned this profile is restricted to the virtual system(s)
he or she is assigned to. Furthermore, only the Device > Setup > Services > Virtual Systems tab is available to
that admin, not the Global tab.

The following topics describe how to set admin role privileges to the different parts of the web interface:
- Define Access to the Web Interface Tabs
- Provide Granular Access to the Monitor Tab
- Provide Granular Access to the Policy Tab
- Provide Granular Access to the Objects Tab
- Provide Granular Access to the Network Tab
- Provide Granular Access to the Device Tab
- Define User Privacy Settings in the Admin Role Profile
- Restrict Administrator Access to Commit and Validate Functions
- Provide Granular Access to Global Settings

Define Access to the Web Interface Tabs

The following table describes the top-level access privileges you can assign to an admin role profile (Device
> Admin Roles). You can enable, disable, or define read-only access privileges at the top-level tabs in the web
interface. Every top-level tab supports Enable and Disable but not Read Only (Enable: Yes, Read Only: No,
Disable: Yes for each row below); read-only access is granted per node within a tab.

Dashboard
    Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the tab
    and will not have access to any of the Dashboard widgets.

ACC
    Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab will
    not display in the web interface. Keep in mind that if you want to protect the privacy of your users while
    still providing access to the ACC, you can disable the Privacy > Show Full IP Addresses option and/or the
    Show User Names In Logs And Reports option.

Monitor
    Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the
    Monitor tab and will not have access to any of the logs, packet captures, session information, reports,
    or App Scope. For more granular control over what monitoring information the administrator can see,
    leave the Monitor option enabled and then enable or disable specific nodes on the tab as described in
    Provide Granular Access to the Monitor Tab.

Policies
    Controls access to the Policies tab. If you disable this privilege, the administrator will not see the
    Policies tab and will not have access to any policy information. For more granular control over what
    policy information the administrator can see, for example to enable access to a specific type of policy
    or to enable read-only access to policy information, leave the Policies option enabled and then enable
    or disable specific nodes on the tab as described in Provide Granular Access to the Policy Tab.

Objects
    Controls access to the Objects tab. If you disable this privilege, the administrator will not see the
    Objects tab and will not have access to any objects, security profiles, log forwarding profiles,
    decryption profiles, or schedules. For more granular control over what objects the administrator can
    see, leave the Objects option enabled and then enable or disable specific nodes on the tab as described
    in Provide Granular Access to the Objects Tab.

Network
    Controls access to the Network tab. If you disable this privilege, the administrator will not see the
    Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec
    tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information or to the network profiles.
    For more granular control over what the administrator can see, leave the Network option enabled and
    then enable or disable specific nodes on the tab as described in Provide Granular Access to the Network
    Tab.

Device
    Controls access to the Device tab. If you disable this privilege, the administrator will not see the
    Device tab and will not have access to any firewall-wide configuration information, such as User-ID,
    high availability, server profile, or certificate configuration information. For more granular control
    over what the administrator can see, leave the Device option enabled and then enable or disable
    specific nodes on the tab as described in Provide Granular Access to the Device Tab.
    NOTE: You cannot enable access to the Admin Roles or Administrators nodes for a role-based
    administrator even if you enable full access to the Device tab.

Provide Granular Access to the Monitor Tab

In some cases you might want to enable the administrator to view some but not all areas of the Monitor tab.
For example, you might want to restrict operations administrators to the Config and System logs only,
because they do not contain sensitive user data. Although this section of the administrator role definition
specifies what areas of the Monitor tab the administrator can see, you can also couple privileges in this
section with privacy privileges, such as disabling the ability to see user names in logs and reports. One thing
to keep in mind, however, is that any system-generated reports will still show user names and IP addresses
even if you disable that functionality in the role. For this reason, if you do not want the administrator to see
any of the private user information, disable access to the specific reports as detailed in the following table.

The following table lists the Monitor tab access levels and the administrator roles for which they are
available. Each entry shows, in brackets, the roles that can use the privilege (Firewall; Panorama; Device
Group/Template) and then the levels it supports (Enable; Read Only; Disable).

Device Group and Template roles can see log data only for the device groups that are within the access
domains assigned to those roles.

Monitor  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Enables or disables access to the Monitor tab. If disabled, the administrator will not see this tab or any
    of the associated logs or reports.

Logs  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Enables or disables access to all log files. You can also leave this privilege enabled and then disable
    specific logs that you do not want the administrator to see. Keep in mind that if you want to protect the
    privacy of your users while still providing access to one or more of the logs, you can disable the
    Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option.

Traffic  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can see the traffic logs.

Threat  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can see the threat logs.

URL Filtering  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can see the URL filtering logs.

WildFire Submissions  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can see the WildFire logs. These logs are only available if you have
    a WildFire subscription.

Data Filtering  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can see the data filtering logs.

HIP Match  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can see the HIP Match logs. HIP Match logs are only available if
    you have a GlobalProtect portal license and gateway subscription.

User-ID  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can see the User-ID logs.

Tunnel Inspection  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can see the Tunnel Inspection logs.

Configuration  [Firewall: Yes; Panorama: Yes; Device Group/Template: No]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can see the configuration logs.

System  [Firewall: Yes; Panorama: Yes; Device Group/Template: No]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can see the system logs.

Alarms  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can see system-generated alarms.

Authentication  [Firewall: Yes; Panorama: Yes; Device Group/Template: No]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can see the Authentication logs.

Automated Correlation Engine  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Enables or disables access to the correlation objects and correlated event logs generated on the
    firewall.

Correlation Objects  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can view and enable/disable the correlation objects.

Correlated Events  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator

Packet Capture  [Firewall: Yes; Panorama: No; Device Group/Template: No]  [Enable: Yes; Read Only: Yes; Disable: Yes]
    Specifies whether the administrator can see packet captures (pcaps) from the Monitor tab. Keep in mind
    that packet captures are raw flow data and as such may contain user IP addresses. Disabling the Show
    Full IP Addresses privilege will not obfuscate the IP address in the pcap, and you should therefore
    disable the Packet Capture privilege if you are concerned about user privacy.

App Scope  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can see the App Scope visibility and analysis tools. Enabling App
    Scope enables access to all of the App Scope charts.

Session Browser  [Firewall: Yes; Panorama: No; Device Group/Template: No]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can browse and filter currently running sessions on the firewall.
    Keep in mind that the session browser shows raw flow data and as such may contain user IP addresses.
    Disabling the Show Full IP Addresses privilege will not obfuscate the IP address in the session browser,
    and you should therefore disable the Session Browser privilege if you are concerned about user privacy.

Block IP List  [Firewall: Yes; Panorama (under Context Switch UI): Yes; Template: Yes]  [Enable: Yes; Read Only: Yes; Disable: Yes]
    Specifies whether the administrator can view the block list (Enable or Read Only) and delete entries
    from the list (Enable). If you disable the setting, the administrator won't be able to view or delete
    entries from the block list.

Botnet  [Firewall: Yes; Panorama: No; Device Group/Template: No]  [Enable: Yes; Read Only: Yes; Disable: Yes]
    Specifies whether the administrator can generate and view botnet analysis reports or view botnet
    reports in read-only mode. Disabling the Show Full IP Addresses privilege will not obfuscate the IP
    address in scheduled botnet reports, and you should therefore disable the Botnet privilege if you are
    concerned about user privacy.

PDF Reports  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Enables or disables access to all PDF reports. You can also leave this privilege enabled and then disable
    specific PDF reports that you do not want the administrator to see. Keep in mind that if you want to
    protect the privacy of your users while still providing access to one or more of the reports, you can
    disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports
    option.

Manage PDF Summary  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: Yes; Disable: Yes]
    Specifies whether the administrator can view, add, or delete PDF summary report definitions. With
    read-only access, the administrator can see PDF summary report definitions, but not add or delete them.
    If you disable this option, the administrator can neither view the report definitions nor add/delete
    them.

PDF Summary Reports  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can see the generated PDF Summary reports in Monitor > Reports.
    If you disable this option, the PDF Summary Reports category will not display in the Reports node.

User Activity Report  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: Yes; Disable: Yes]
    Specifies whether the administrator can view, add, or delete User Activity report definitions and
    download the reports. With read-only access, the administrator can see User Activity report
    definitions, but not add, delete, or download them. If you disable this option, the administrator cannot
    see this category of PDF report.

SaaS Application Usage Report  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: Yes; Disable: Yes]
    Specifies whether the administrator can view, add, or delete a SaaS application usage report. With
    read-only access, the administrator can see the SaaS application usage report definitions, but cannot
    add or delete them. If you disable this option, the administrator can neither view the report definitions
    nor add or delete them.

Report Groups  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: Yes; Disable: Yes]
    Specifies whether the administrator can view, add, or delete report group definitions. With read-only
    access, the administrator can see report group definitions, but not add or delete them. If you disable
    this option, the administrator cannot see this category of PDF report.

Email Scheduler  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: Yes; Disable: Yes]
    Specifies whether the administrator can schedule report groups for email. Because the generated
    reports that get emailed may contain sensitive user data that is not removed by disabling the Privacy >
    Show Full IP Addresses option and/or the Show User Names In Logs And Reports options, and because
    they may also show log data to which the administrator does not have access, you should disable the
    Email Scheduler option if you have user privacy requirements.

Manage Custom Reports  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Enables or disables access to all custom report functionality. You can also leave this privilege enabled
    and then disable specific custom report categories that you do not want the administrator to be able to
    access. Keep in mind that if you want to protect the privacy of your users while still providing access
    to one or more of the reports, you can disable the Privacy > Show Full IP Addresses option and/or the
    Show User Names In Logs And Reports option.
    NOTE: Reports that are scheduled to run rather than run on demand will show IP address and user
    information. In this case, be sure to restrict access to the corresponding report areas. In addition, the
    custom report feature does not restrict the ability to generate reports that contain log data contained
    in logs that are excluded from the administrator role.

Application Statistics  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can create a custom report that includes data from the application
    statistics database.

Data Filtering Log  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can create a custom report that includes data from the Data
    Filtering logs.

Threat Log  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can create a custom report that includes data from the Threat logs.

Threat Summary  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can create a custom report that includes data from the Threat
    Summary database.

Traffic Log  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can create a custom report that includes data from the Traffic logs.

Traffic Summary  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can create a custom report that includes data from the Traffic
    Summary database.

URL Log  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can create a custom report that includes data from the URL
    Filtering logs.

Hipmatch  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can create a custom report that includes data from the HIP Match
    logs.

WildFire Log  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can create a custom report that includes data from the WildFire
    logs.

Userid  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can create a custom report that includes data from the User-ID
    logs.

Auth  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can create a custom report that includes data from the
    Authentication logs.

View Scheduled Custom Reports  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can view a custom report that has been scheduled to generate.

View Predefined Application Reports  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can view Application Reports. Privacy privileges do not impact
    reports available on the Monitor > Reports node, and you should therefore disable access to the reports
    if you have user privacy requirements.

View Predefined Threat Reports  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can view Threat Reports. Privacy privileges do not impact reports
    available on the Monitor > Reports node, and you should therefore disable access to the reports if you
    have user privacy requirements.

View Predefined URL Filtering Reports  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can view URL Filtering Reports. Privacy privileges do not impact
    reports available on the Monitor > Reports node, and you should therefore disable access to the reports
    if you have user privacy requirements.

View Predefined Traffic Reports  [Firewall: Yes; Panorama: Yes; Device Group/Template: Yes]  [Enable: Yes; Read Only: No; Disable: Yes]
    Specifies whether the administrator can view Traffic Reports. Privacy privileges do not impact reports
    available on the Monitor > Reports node, and you should therefore disable access to the reports if you
    have user privacy requirements.

Provide Granular Access to the Policy Tab

If you enable the Policy option in the Admin Role profile, you can then enable, disable, or provide read-only
access to specific nodes within the tab as necessary for the role you are defining. By enabling access to a
specific policy type, you enable the ability to view, add, or delete policy rules. By enabling read-only access
to a specific policy, you enable the administrator to view the corresponding policy rulebase, but not add or
delete rules. Disabling access to a specific type of policy prevents the administrator from seeing the policy
rulebase.

Because policy that is based on specific users (by username or IP address) must be explicitly defined, privacy
settings that disable the ability to see full IP addresses or usernames do not apply to the Policy tab.
Therefore, you should only allow access to the Policy tab to administrators that are excluded from user
privacy restrictions.

Every rulebase below supports all three levels (Enable: Yes, Read Only: Yes, Disable: Yes), with the same
meaning in each case: Enable allows the administrator to view, add, and/or delete the rules; Read Only lets
the administrator see the rules but not modify them; Disable prevents the administrator from seeing the
rulebase at all.

Access Level              Rulebase controlled
Security                  Security rules
NAT                       NAT rules
QoS                       QoS rules
Policy Based Forwarding   Policy Based Forwarding (PBF) rules
Decryption                Decryption rules
Tunnel Inspection         Tunnel Inspection rules
Application Override      Application override policy rules
Authentication            Authentication policy rules
DoS Protection            DoS protection rules
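To see how the tab, node, and privacy settings in the tables above combine, the following Python is an added example (not from the guide and not Palo Alto Networks code) that models a custom admin role, answers whether the administrator can view or change a given tab or node, and audits which enabled privileges still expose user IP addresses or user names when the role's Privacy settings hide them: packet captures, the session browser, botnet reports, the email scheduler, scheduled and predefined reports, and the Policies tab, as the Monitor and Policy sections note. The role structure, the rule that an unlisted node inherits its tab's level, and the sample roles are assumptions; the node names and the privacy caveats come from the tables.

```python
"""Added example: evaluate a custom admin role against the reference tables above."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Level(Enum):
    ENABLE = "enable"
    READ_ONLY = "read-only"
    DISABLE = "disable"


ENABLE, READ_ONLY, DISABLE = Level.ENABLE, Level.READ_ONLY, Level.DISABLE

# Top-level tabs and a subset of their nodes taken from the tables (not every node is listed).
TABS = {"Dashboard", "ACC", "Monitor", "Policies", "Objects", "Network", "Device"}
NODE_PARENT: Dict[str, str] = {
    **{n: "Monitor" for n in (
        "Traffic", "Threat", "URL Filtering", "Configuration", "System", "Authentication",
        "Packet Capture", "Session Browser", "Botnet", "Email Scheduler",
        "View Scheduled Custom Reports", "View Predefined Application Reports",
        "View Predefined Threat Reports", "View Predefined URL Filtering Reports",
        "View Predefined Traffic Reports")},
    **{n: "Policies" for n in ("Security", "NAT", "QoS", "Decryption", "DoS Protection")},
    **{n: "Device" for n in ("Setup", "Admin Roles", "Administrators")},
}
# Device tab NOTE: never available to a role-based administrator, whatever the profile says.
NEVER_FOR_ROLE_BASED = {"Admin Roles", "Administrators"}
# Privileges where disabling Show Full IP Addresses / Show User Names does not hide user data.
PRIVACY_BYPASS = {
    "Packet Capture": "pcaps are raw flow data; IP addresses are not obfuscated",
    "Session Browser": "raw flow data; IP addresses are not obfuscated",
    "Botnet": "scheduled botnet reports show full IP addresses",
    "Email Scheduler": "emailed reports keep user data and may include logs the role cannot see",
    "View Scheduled Custom Reports": "scheduled reports show IP address and user information",
    "View Predefined Application Reports": "privacy privileges do not affect Monitor > Reports",
    "View Predefined Threat Reports": "privacy privileges do not affect Monitor > Reports",
    "View Predefined URL Filtering Reports": "privacy privileges do not affect Monitor > Reports",
    "View Predefined Traffic Reports": "privacy privileges do not affect Monitor > Reports",
    "Policies": "user- and IP-based rules are explicit; privacy settings do not apply to this tab",
}


@dataclass
class AdminRole:
    name: str
    tabs: Dict[str, Level] = field(default_factory=dict)    # unlisted tab = Disable
    nodes: Dict[str, Level] = field(default_factory=dict)   # unlisted node inherits its tab (assumption)
    show_full_ip_addresses: bool = True
    show_user_names: bool = True


def effective_level(role: AdminRole, item: str) -> Level:
    """Resolve a tab or node name to the level that actually applies to this role."""
    if item in NEVER_FOR_ROLE_BASED:
        return DISABLE
    if item in TABS:
        return role.tabs.get(item, DISABLE)
    tab_level = role.tabs.get(NODE_PARENT[item], DISABLE)
    if tab_level is DISABLE:            # a hidden tab hides every node beneath it
        return DISABLE
    return role.nodes.get(item, tab_level)


def can(role: AdminRole, item: str, action: str) -> bool:
    """action is 'view' (Enable or Read Only) or 'modify' (add/delete, which needs Enable)."""
    level = effective_level(role, item)
    if action == "view":
        return level is not DISABLE
    if action == "modify":
        return level is ENABLE
    raise ValueError(f"unknown action {action!r}")


def privacy_leaks(role: AdminRole) -> List[str]:
    """Visible privileges that still expose user IPs or names despite the role's privacy settings."""
    if role.show_full_ip_addresses and role.show_user_names:
        return []                       # nothing is hidden, so there is nothing to bypass
    return sorted(item for item in PRIVACY_BYPASS if can(role, item, "view"))


def ops_role() -> AdminRole:
    """Sample operations role (assumption): Config and System logs only, user data hidden."""
    monitor_nodes = {n: DISABLE for n, tab in NODE_PARENT.items() if tab == "Monitor"}
    monitor_nodes.update({"Configuration": ENABLE, "System": ENABLE})
    return AdminRole("ops", tabs={"Dashboard": ENABLE, "Monitor": ENABLE, "Network": ENABLE, "Device": ENABLE},
                     nodes=monitor_nodes, show_full_ip_addresses=False, show_user_names=False)


if __name__ == "__main__":
    ops = ops_role()
    print(can(ops, "System", "view"), can(ops, "Traffic", "view"), can(ops, "Administrators", "view"))
    print(privacy_leaks(ops))
    sec = AdminRole("sec", tabs={"Monitor": ENABLE, "Policies": ENABLE}, show_full_ip_addresses=False)
    print(privacy_leaks(sec))
```

Run `privacy_leaks` over each role you intend to combine with the privacy settings; the second sample role shows how a Monitor and Policies profile with full IP addresses hidden still exposes them through every entry in `PRIVACY_BYPASS`.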

88 PANOS8.0AdministratorsGuide PaloAltoNetworks,Inc.
FirewallAdministration Reference:WebInterfaceAdministratorAccess

ProvideGranularAccesstotheObjectsTab

AnobjectisacontainerthatgroupsspecificpolicyfiltervaluessuchasIPaddresses,URLs,applications,or
servicesforsimplifiedruledefinition.Forexample,anaddressobjectmightcontainspecificIPaddress
definitionsforthewebandapplicationserversinyourDMZzone.
Whendecidingwhethertoallowaccesstotheobjectstabasawhole,determinewhethertheadministrator
willhavepolicydefinitionresponsibilities.Ifnot,theadministratorprobablydoesnotneedaccesstothetab.
If,however,theadministratorwillneedtocreatepolicy,youcanenableaccesstothetabandthenprovide
granularaccessprivilegesatthenodelevel.
Byenablingaccesstoaspecificnode,yougivetheadministratortheprivilegetoview,add,anddeletethe
correspondingobjecttype.Givingreadonlyaccessallowstheadministratortoviewthealreadydefined
objects,butnotcreateordeleteany.Disablinganodepreventstheadministratorfromseeingthenodein
thewebinterface.

Access Level [Enable / Read Only / Disable]
    Description

Addresses [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete address objects for use in security policy.

Address Groups [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete address group objects for use in security policy.

Regions [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete region objects for use in security, decryption, or DoS policy.

Applications [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete application objects for use in policy.

Application Groups [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete application group objects for use in policy.

Application Filters [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete application filters for simplification of repeated searches.

Services [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete service objects for use in creating policy rules that limit the port numbers an application can use.

Service Groups [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete service group objects for use in security policy.

Tags [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete tags that have been defined on the firewall.

GlobalProtect [Yes / No / Yes]
    Specifies whether the administrator can view, add, or delete HIP objects and profiles. You can restrict access to both types of objects at the GlobalProtect level, or provide more granular control by enabling the GlobalProtect privilege and restricting HIP Object or HIP Profile access.

HIP Objects [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete HIP objects, which are used to define HIP profiles. HIP objects also generate HIP Match logs.

Clientless Apps [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, modify, or delete GlobalProtect VPN Clientless applications.

Clientless App Groups [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, modify, or delete GlobalProtect VPN Clientless application groups.

HIP Profiles [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete HIP profiles for use in security policy and/or for generating HIP Match logs.

Dynamic Block Lists [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete dynamic block lists for use in security policy.

Custom Objects [Yes / No / Yes]
    Specifies whether the administrator can see the custom spyware and vulnerability signatures. You can either enable or disable access to all custom signatures at this level, or provide more granular control by enabling the Custom Objects privilege and then restricting access to each type of signature.

Data Patterns [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete custom data pattern signatures for use in creating custom Vulnerability Protection profiles.

Spyware [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete custom spyware signatures for use in creating custom Vulnerability Protection profiles.

Vulnerability [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete custom vulnerability signatures for use in creating custom Vulnerability Protection profiles.

URL Category [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete custom URL categories for use in policy.

Security Profiles [Yes / No / Yes]
    Specifies whether the administrator can see security profiles. You can either enable or disable access to all security profiles at this level, or provide more granular control by enabling the Security Profiles privilege and then restricting access to each type of profile.

Antivirus [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete antivirus profiles.

Anti-Spyware [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete Anti-Spyware profiles.

Vulnerability Protection [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete Vulnerability Protection profiles.

URL Filtering [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete URL filtering profiles.

File Blocking [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete file blocking profiles.

Data Filtering [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete data filtering profiles.

DoS Protection [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete DoS protection profiles.

Security Profile Groups [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete security profile groups.

Log Forwarding [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete log forwarding profiles.

Authentication [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete authentication enforcement objects.

Decryption Profile [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete decryption profiles.

Schedules [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete schedules for limiting a security policy to a specific date and/or time range.

Provide Granular Access to the Network Tab

When deciding whether to allow access to the Network tab as a whole, determine whether the administrator will have network administration responsibilities, including GlobalProtect administration. If not, the administrator probably does not need access to the tab.
You can also define access to the Network tab at the node level. By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the corresponding network configurations. Giving read-only access allows the administrator to view the already defined configuration, but not create or delete any. Disabling a node prevents the administrator from seeing the node in the web interface.
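The Enable / Read Only / Disable semantics described above for the Objects and Network tabs, including a parent node that sets the default for the nodes beneath it, as an added Python example that is not part of this guide and not PAN-OS code: the node paths, SAMPLE_ROLE and the functions are this example's own constructions, and only the Enable / Read Only columns are copied from the tables on this page.

```python
"""Constructed model of PAN-OS admin role node privileges (not PAN-OS code).

It applies the Enable / Read Only / Disable semantics from the access-level
tables: Enable grants view, add and delete; Read Only grants view only;
Disable hides the node. A parent node such as Objects > GlobalProtect or
Network > Network Profiles "sets the default state" for the nodes beneath it,
so here a disabled parent hides every child whatever the child's own setting.
"""
from typing import Dict, FrozenSet, List, Tuple

ENABLE, READ_ONLY, DISABLE = "enable", "read-only", "disable"

# Whether each node offers the Enable and Read Only columns, copied from the
# tables on this page (Disable is always offered). Node paths are this
# example's own naming, not PAN-OS identifiers; only a subset is modeled.
ALLOWED: Dict[str, Tuple[bool, bool]] = {
    "objects/addresses": (True, True),
    "objects/globalprotect": (True, False),
    "objects/globalprotect/hip-objects": (True, True),
    "objects/globalprotect/hip-profiles": (True, True),
    "objects/custom-objects": (True, False),
    "objects/custom-objects/spyware": (True, True),
    "objects/custom-objects/vulnerability": (True, True),
    "network/network-profiles": (True, False),
    "network/network-profiles/ike-gateways": (True, True),
    "device/admin-roles": (False, True),
    "device/administrators": (False, True),
    "device/config-audit": (True, False),
    "device/log-settings": (True, False),
    "device/log-settings/manage-logs": (True, True),
}

RIGHTS: Dict[str, FrozenSet[str]] = {
    ENABLE: frozenset({"view", "add", "delete"}),
    READ_ONLY: frozenset({"view"}),
    DISABLE: frozenset(),
}

# Constructed role for a log-settings operator. The HIP Objects entry is
# ineffective because its parent (Objects > GlobalProtect) is disabled, and
# Custom Objects is left enabled, which the least-privilege review flags.
SAMPLE_ROLE: Dict[str, str] = {
    "objects/addresses": READ_ONLY,
    "objects/globalprotect": DISABLE,
    "objects/globalprotect/hip-objects": ENABLE,
    "objects/custom-objects": ENABLE,
    "objects/custom-objects/spyware": READ_ONLY,
    "network/network-profiles": DISABLE,
    "device/admin-roles": READ_ONLY,
    "device/administrators": READ_ONLY,
    "device/config-audit": DISABLE,
    "device/log-settings": ENABLE,
    "device/log-settings/manage-logs": READ_ONLY,
}


def validate_role(role: Dict[str, str]) -> List[str]:
    """Return problems with a role definition; an empty list means it is consistent."""
    problems = []
    for node, state in role.items():
        if node not in ALLOWED:
            problems.append(f"{node}: unknown node")
            continue
        if state not in RIGHTS:
            problems.append(f"{node}: unknown state {state!r}")
            continue
        enable_ok, read_only_ok = ALLOWED[node]
        if state == ENABLE and not enable_ok:
            problems.append(f"{node}: Enable is not offered (read-only only)")
        elif state == READ_ONLY and not read_only_ok:
            problems.append(f"{node}: Read Only is not offered for this node")
    return problems


def effective_rights(role: Dict[str, str], node: str) -> FrozenSet[str]:
    """Rights an administrator holding `role` gets on `node`.

    Nodes absent from the role inherit the nearest configured ancestor's
    state; a disabled ancestor hides the node. Nodes with no configured
    ancestor are treated as enabled (the tab itself is assumed enabled).
    """
    parts = node.split("/")
    state = ENABLE
    for depth in range(2, len(parts) + 1):
        ancestor = "/".join(parts[:depth])
        if ancestor in role:
            if role[ancestor] == DISABLE:
                return RIGHTS[DISABLE]
            state = role[ancestor]
    return RIGHTS[state]


def writable_nodes(role: Dict[str, str]) -> List[str]:
    """Least-privilege review: every modeled node the role can add to or delete from."""
    return sorted(n for n in ALLOWED if "add" in effective_rights(role, n))


if __name__ == "__main__":
    for problem in validate_role(SAMPLE_ROLE):
        print("invalid:", problem)
    print("write access on:", writable_nodes(SAMPLE_ROLE))
```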

Access Level [Enable / Read Only / Disable]
    Description

Interfaces [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete interface configurations.

Zones [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete zones.

VLANs [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete VLANs.

Virtual Wires [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, or delete virtual wires.

Virtual Routers [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, modify, or delete virtual routers.

IPSec Tunnels [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, modify, or delete IPSec tunnel configurations.

DHCP [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, modify, or delete DHCP server and DHCP relay configurations.

DNS Proxy [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, modify, or delete DNS proxy configurations.

GlobalProtect [Yes / No / Yes]
    Specifies whether the administrator can view, add, or modify GlobalProtect portal and gateway configurations. You can disable access to the GlobalProtect functions entirely, or you can enable the GlobalProtect privilege and then restrict the role to either the portal or gateway configuration areas.

Portals [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, modify, or delete GlobalProtect portal configurations.

Gateways [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, modify, or delete GlobalProtect gateway configurations.

MDM [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, modify, or delete GlobalProtect MDM server configurations.

Device Block List [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, modify, or delete device block lists.

Clientless Apps [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, modify, or delete GlobalProtect Clientless VPN applications.

Clientless App Groups [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, modify, or delete GlobalProtect Clientless VPN application groups.

QoS [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, modify, or delete QoS configurations.

LLDP [Yes / Yes / Yes]
    Specifies whether the administrator can view, add, modify, or delete LLDP configurations.

Network Profiles [Yes / No / Yes]
    Sets the default state to enable or disable for all of the Network settings described below.

IKE Gateways [Yes / Yes / Yes]
    Controls access to the Network Profiles > IKE Gateways node. If you disable this privilege, the administrator will not see the IKE Gateways node or define gateways that include the configuration information necessary to perform IKE protocol negotiation with a peer gateway.
    If the privilege state is set to read only, you can view the currently configured IKE gateways but cannot add or edit gateways.

GlobalProtect IPSec Crypto [Yes / Yes / Yes]
    Controls access to the Network Profiles > GlobalProtect IPSec Crypto node. If you disable this privilege, the administrator will not see that node, or configure algorithms for authentication and encryption in VPN tunnels between a GlobalProtect gateway and clients.
    If you set the privilege to read only, the administrator can view existing GlobalProtect IPSec Crypto profiles but cannot add or edit them.

IPSec Crypto [Yes / Yes / Yes]
    Controls access to the Network Profiles > IPSec Crypto node. If you disable this privilege, the administrator will not see the Network Profiles > IPSec Crypto node or specify protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPSec SA negotiation.
    If the privilege state is set to read only, you can view the currently configured IPSec Crypto configuration but cannot add or edit a configuration.

IKE Crypto [Yes / Yes / Yes]
    Controls how devices exchange information to ensure secure communication. Specify the protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPsec SA negotiation (IKEv1 Phase 1).

Monitor [Yes / Yes / Yes]
    Controls access to the Network Profiles > Monitor node. If you disable this privilege, the administrator will not see the Network Profiles > Monitor node or be able to create or edit a monitor profile that is used to monitor IPSec tunnels and monitor a next-hop device for policy-based forwarding (PBF) rules.
    If the privilege state is set to read only, you can view the currently configured monitor profile configuration but cannot add or edit a configuration.

Interface Mgmt [Yes / Yes / Yes]
    Controls access to the Network Profiles > Interface Mgmt node. If you disable this privilege, the administrator will not see the Network Profiles > Interface Mgmt node or be able to specify the protocols that are used to manage the firewall.
    If the privilege state is set to read only, you can view the currently configured interface management profile configuration but cannot add or edit a configuration.

Zone Protection [Yes / Yes / Yes]
    Controls access to the Network Profiles > Zone Protection node. If you disable this privilege, the administrator will not see the Network Profiles > Zone Protection node or be able to configure a profile that determines how the firewall responds to attacks from specified security zones.
    If the privilege state is set to read only, you can view the currently configured Zone Protection profile configuration but cannot add or edit a configuration.

QoS Profile [Yes / Yes / Yes]
    Controls access to the Network Profiles > QoS node. If you disable this privilege, the administrator will not see the Network Profiles > QoS node or be able to configure a QoS profile that determines how QoS traffic classes are treated.
    If the privilege state is set to read only, you can view the currently configured QoS profile configuration but cannot add or edit a configuration.

LLDP Profile [Yes / Yes / Yes]
    Controls access to the Network Profiles > LLDP node. If you disable this privilege, the administrator will not see the Network Profiles > LLDP node or be able to configure an LLDP profile that controls whether the interfaces on the firewall can participate in the Link Layer Discovery Protocol.
    If the privilege state is set to read only, you can view the currently configured LLDP profile configuration but cannot add or edit a configuration.

BFD Profile [Yes / Yes / Yes]
    Controls access to the Network Profiles > BFD Profile node. If you disable this privilege, the administrator will not see the Network Profiles > BFD Profile node or be able to configure a BFD profile. A Bidirectional Forwarding Detection (BFD) profile allows you to configure BFD settings to apply to one or more static routes or routing protocols. Thus, BFD detects a failed link or BFD peer and allows an extremely fast failover.
    If the privilege state is set to read only, you can view the currently configured BFD profile but cannot add or edit a BFD profile.

Provide Granular Access to the Device Tab

To define granular access privileges for the Device tab, when creating or editing an admin role profile (Device > Admin Roles), scroll down to the Device node on the WebUI tab.

Access Level [Enable / Read Only / Disable]
    Description

Setup [Yes / Yes / Yes]
    Controls access to the Setup node. If you disable this privilege, the administrator will not see the Setup node or have access to firewall-wide setup configuration information, such as Management, Operations, Service, Content-ID, WildFire, or Session setup information.
    If the privilege state is set to read only, you can view the current configuration but cannot make any changes.

Management [Yes / Yes / Yes]
    Controls access to the Management node. If you disable this privilege, the administrator will not be able to configure settings such as the hostname, domain, time zone, authentication, logging and reporting, Panorama connections, banner, message, and password complexity settings, and more.
    If the privilege state is set to read only, you can view the current configuration but cannot make any changes.

Operations [Yes / Yes / Yes]
    Controls access to the Operations and Telemetry and Threat Intelligence nodes. If you disable this privilege, the administrator cannot:
    - Load firewall configurations.
    - Save or revert the firewall configuration.
      NOTE: This privilege applies only to the Device > Operations options. The Save and Commit privileges control whether the administrator can save or revert configurations through the Config > Save and Config > Revert options.
    - Create custom logos.
    - Configure SNMP monitoring of firewall settings.
    - Configure the Statistics Service feature.
    - Configure Telemetry and Threat Intelligence settings.
    NOTE: Only administrators with the predefined Superuser role can export or import firewall configurations and shut down the firewall.
    Only administrators with the predefined Superuser or Device Administrator role can reboot the firewall or restart the data plane.
    Administrators with a role that allows access only to specific virtual systems cannot load, save, or revert firewall configurations through the Device > Operations options.

Services [Yes / Yes / Yes]
    Controls access to the Services node. If you disable this privilege, the administrator will not be able to configure services for DNS servers, an update server, proxy server, or NTP servers, or set up service routes.
    If the privilege state is set to read only, you can view the current configuration but cannot make any changes.

Content-ID [Yes / Yes / Yes]
    Controls access to the Content-ID node. If you disable this privilege, the administrator will not be able to configure URL filtering or Content-ID.
    If the privilege state is set to read only, you can view the current configuration but cannot make any changes.

WildFire [Yes / Yes / Yes]
    Controls access to the WildFire node. If you disable this privilege, the administrator will not be able to configure WildFire settings.
    If the privilege state is set to read only, you can view the current configuration but cannot make any changes.

Session [Yes / Yes / Yes]
    Controls access to the Session node. If you disable this privilege, the administrator will not be able to configure session settings or timeouts for TCP, UDP, or ICMP, or configure decryption or VPN session settings.
    If the privilege state is set to read only, you can view the current configuration but cannot make any changes.

HSM [Yes / Yes / Yes]
    Controls access to the HSM node. If you disable this privilege, the administrator will not be able to configure a Hardware Security Module.
    If the privilege state is set to read only, you can view the current configuration but cannot make any changes.

Config Audit [Yes / No / Yes]
    Controls access to the Config Audit node. If you disable this privilege, the administrator will not see the Config Audit node or have access to any firewall-wide configuration information.

Admin Roles [No / Yes / Yes]
    Controls access to the Admin Roles node. This function can only be allowed for read-only access.
    If you disable this privilege, the administrator will not see the Admin Roles node or have access to any firewall-wide information concerning Admin Role profile configuration.
    If you set this privilege to read only, you can view the configuration information for all administrator roles configured on the firewall.

Administrators [No / Yes / Yes]
    Controls access to the Administrators node. This function can only be allowed for read-only access.
    If you disable this privilege, the administrator will not see the Administrators node or have access to information about their own administrator account.
    If you set this privilege to read only, the administrator can view the configuration information for their own administrator account. They will not see any information about other administrator accounts configured on the firewall.

Virtual Systems [Yes / Yes / Yes]
    Controls access to the Virtual Systems node. If you disable this privilege, the administrator will not see or be able to configure virtual systems.
    If the privilege state is set to read only, you can view the currently configured virtual systems but cannot add or edit a configuration.

Shared Gateways [Yes / Yes / Yes]
    Controls access to the Shared Gateways node. Shared gateways allow virtual systems to share a common interface for external communications.
    If you disable this privilege, the administrator will not see or be able to configure shared gateways.
    If the privilege state is set to read only, you can view the currently configured shared gateways but cannot add or edit a configuration.

User Identification [Yes / Yes / Yes]
    Controls access to the User Identification node. If you disable this privilege, the administrator will not see the User Identification node or have access to firewall-wide User Identification configuration information, such as User Mapping, Connection Security, User-ID Agents, Terminal Services Agents, Group Mapping Settings, or Captive Portal Settings.
    If you set this privilege to read only, the administrator can view configuration information for the firewall but is not allowed to perform any configuration procedures.

VM Information Source [Yes / Yes / Yes]
    Controls access to the VM Information Source node that allows you to configure the firewall/Windows User-ID agent to collect VM inventory automatically.
    If you disable this privilege, the administrator will not see the VM Information Source node.
    If you set this privilege to read only, the administrator can view the VM information sources configured but cannot add, edit, or delete any sources.
    NOTE: This privilege is not available to Device Group and Template administrators.

High Availability [Yes / Yes / Yes]
    Controls access to the High Availability node. If you disable this privilege, the administrator will not see the High Availability node or have access to firewall-wide high availability configuration information such as General setup information or Link and Path Monitoring.
    If you set this privilege to read only, the administrator can view High Availability configuration information for the firewall but is not allowed to perform any configuration procedures.

Certificate Management [Yes / No / Yes]
    Sets the default state to enable or disable for all of the Certificate settings described below.

Certificates [Yes / Yes / Yes]
    Controls access to the Certificates node. If you disable this privilege, the administrator will not see the Certificates node or be able to configure or access information regarding Device Certificates or Default Trusted Certificate Authorities.
    If you set this privilege to read only, the administrator can view certificate configuration information for the firewall but is not allowed to perform any configuration procedures.

Certificate Profile [Yes / Yes / Yes]
    Controls access to the Certificate Profile node. If you disable this privilege, the administrator will not see the Certificate Profile node or be able to create certificate profiles.
    If you set this privilege to read only, the administrator can view certificate profiles that are currently configured for the firewall but is not allowed to create or edit a certificate profile.

OCSP Responder [Yes / Yes / Yes]
    Controls access to the OCSP Responder node. If you disable this privilege, the administrator will not see the OCSP Responder node or be able to define a server that will be used to verify the revocation status of certificates issued by the firewall.
    If you set this privilege to read only, the administrator can view the OCSP Responder configuration for the firewall but is not allowed to create or edit an OCSP responder configuration.

SSL/TLS Service Profile [Yes / Yes / Yes]
    Controls access to the SSL/TLS Service Profile node. If you disable this privilege, the administrator will not see the node or configure a profile that specifies a certificate and a protocol version or range of versions for firewall services that use SSL/TLS.
    If you set this privilege to read only, the administrator can view existing SSL/TLS Service profiles but cannot create or edit them.

SCEP [Yes / Yes / Yes]
    Controls access to the SCEP node. If you disable this privilege, the administrator will not see the node or be able to define a profile that specifies Simple Certificate Enrollment Protocol (SCEP) settings for issuing unique device certificates.
    If you set this privilege to read only, the administrator can view existing SCEP profiles but cannot create or edit them.

SSL Decryption Exclusion [Yes / Yes / Yes]
    Controls access to the SSL Decryption Exclusion node. If you disable this privilege, the administrator will not see the node or be able to see the SSL decryption exclusions or add custom exclusions.
    If you set this privilege to read only, the administrator can view existing SSL decryption exceptions but cannot create or edit them.

Response Pages [Yes / Yes / Yes]
    Controls access to the Response Pages node. If you disable this privilege, the administrator will not see the Response Pages node or be able to define a custom HTML message that is downloaded and displayed instead of a requested web page or file.
    If you set this privilege to read only, the administrator can view the Response Pages configuration for the firewall but is not allowed to create or edit a response page configuration.

Log Settings [Yes / No / Yes]
    Sets the default state to enable or disable for all of the Log settings described below.

System [Yes / Yes / Yes]
    Controls access to the Log Settings > System node. If you disable this privilege, the administrator cannot see the Log Settings > System node or specify which System logs the firewall forwards to Panorama or external services (such as a syslog server).
    If you set this privilege to read only, the administrator can view the Log Settings > System settings for the firewall but cannot add, edit, or delete the settings.

Config [Yes / Yes / Yes]
    Controls access to the Log Settings > Config node. If you disable this privilege, the administrator cannot see the Log Settings > Config node or specify which Configuration logs the firewall forwards to Panorama or external services (such as a syslog server).
    If you set this privilege to read only, the administrator can view the Log Settings > Config settings for the firewall but cannot add, edit, or delete the settings.

User-ID [Yes / Yes / Yes]
    Controls access to the Log Settings > User-ID node. If you disable this privilege, the administrator cannot see the Log Settings > User-ID node or specify which User-ID logs the firewall forwards to Panorama or external services (such as a syslog server).
    If you set this privilege to read only, the administrator can view the Log Settings > User-ID settings for the firewall but cannot add, edit, or delete the settings.

HIP Match [Yes / Yes / Yes]
    Controls access to the Log Settings > HIP Match node. If you disable this privilege, the administrator cannot see the Log Settings > HIP Match node or specify which Host Information Profile (HIP) match logs the firewall forwards to Panorama or external services (such as a syslog server). HIP match logs provide information on Security policy rules that apply to GlobalProtect clients.
    If you set this privilege to read only, the administrator can view the Log Settings > HIP settings for the firewall but cannot add, edit, or delete the settings.

Correlation [Yes / Yes / Yes]
    Controls access to the Log Settings > Correlation node. If you disable this privilege, the administrator cannot see the Log Settings > Correlation node or add, delete, or modify correlation log forwarding settings or tag source or destination IP addresses.
    If you set this privilege to read only, the administrator can view the Log Settings > Correlation settings for the firewall but cannot add, edit, or delete the settings.

Alarms [Yes / Yes / Yes]
    Controls access to the Log Settings > Alarms node. If you disable this privilege, the administrator cannot see the Log Settings > Alarms node or configure notifications that the firewall generates when a Security policy rule (or group of rules) is hit repeatedly within a configurable time period.
    If you set this privilege to read only, the administrator can view the Log Settings > Alarms settings for the firewall but cannot edit the settings.

Manage Logs [Yes / Yes / Yes]
    Controls access to the Log Settings > Manage Logs node. If you disable this privilege, the administrator cannot see the Log Settings > Manage Logs node or clear the indicated logs.
    If you set this privilege to read only, the administrator can view the Log Settings > Manage Logs information but cannot clear any of the logs.

Server Profiles [Yes / No / Yes]
    Sets the default state to enable or disable for all of the Server Profiles settings described below.

SNMP Trap [Yes / Yes / Yes]
    Controls access to the Server Profiles > SNMP Trap node. If you disable this privilege, the administrator will not see the Server Profiles > SNMP Trap node or be able to specify one or more SNMP trap destinations to be used for system log entries.
    If you set this privilege to read only, the administrator can view the Server Profiles > SNMP Trap Logs information but cannot specify SNMP trap destinations.

Syslog [Yes / Yes / Yes]
    Controls access to the Server Profiles > Syslog node. If you disable this privilege, the administrator will not see the Server Profiles > Syslog node or be able to specify one or more syslog servers.
    If you set this privilege to read only, the administrator can view the Server Profiles > Syslog information but cannot specify syslog servers.

Email [Yes / Yes / Yes]
    Controls access to the Server Profiles > Email node. If you disable this privilege, the administrator will not see the Server Profiles > Email node or be able to configure an email profile that can be used to enable email notification for system and configuration log entries.
    If you set this privilege to read only, the administrator can view the Server Profiles > Email information but cannot configure an email server profile.

HTTP [Yes / Yes / Yes]
    Controls access to the Server Profiles > HTTP node. If you disable this privilege, the administrator will not see the Server Profiles > HTTP node or be able to configure an HTTP server profile that can be used to enable forwarding of any log entries to HTTP destinations.
    If you set this privilege to read only, the administrator can view the Server Profiles > HTTP information but cannot configure an HTTP server profile.

Netflow [Yes / Yes / Yes]
    Controls access to the Server Profiles > Netflow node. If you disable this privilege, the administrator will not see the Server Profiles > Netflow node or be able to define a NetFlow server profile, which specifies the frequency of the export along with the NetFlow servers that will receive the exported data.
    If you set this privilege to read only, the administrator can view the Server Profiles > Netflow information but cannot define a NetFlow profile.

RADIUS [Yes / Yes / Yes]
    Controls access to the Server Profiles > RADIUS node. If you disable this privilege, the administrator will not see the Server Profiles > RADIUS node or be able to configure settings for the RADIUS servers that are identified in authentication profiles.
    If you set this privilege to read only, the administrator can view the Server Profiles > RADIUS information but cannot configure settings for the RADIUS servers.

TACACS+ [Yes / Yes / Yes]
    Controls access to the Server Profiles > TACACS+ node. If you disable this privilege, the administrator will not see the node or configure settings for the TACACS+ servers that authentication profiles reference.
    If you set this privilege to read only, the administrator can view existing TACACS+ server profiles but cannot add or edit them.

LDAP [Yes / Yes / Yes]
    Controls access to the Server Profiles > LDAP node. If you disable this privilege, the administrator will not see the Server Profiles > LDAP node or be able to configure settings for the LDAP servers to use for authentication by way of authentication profiles.
    If you set this privilege to read only, the administrator can view the Server Profiles > LDAP information but cannot configure settings for the LDAP servers.

Kerberos [Yes / Yes / Yes]
    Controls access to the Server Profiles > Kerberos node. If you disable this privilege, the administrator will not see the Server Profiles > Kerberos node or configure a Kerberos server that allows users to authenticate natively to a domain controller.
    If you set this privilege to read only, the administrator can view the Server Profiles > Kerberos information but cannot configure settings for Kerberos servers.

SAML Identity Provider [Yes / Yes / Yes]
    Controls access to the Server Profiles > SAML Identity Provider node. If you disable this privilege, the administrator cannot see the node or configure SAML identity provider (IdP) server profiles.
    If you set this privilege to read only, the administrator can view the Server Profiles > SAML Identity Provider information but cannot configure SAML IdP server profiles.

Multi Factor Authentication [ / / ]
    Controls access to the Server Profiles > Multi Factor Authentication node. If you disable this privilege, the administrator cannot see the node or configure multi-factor authentication (MFA) server profiles.
    If you set this privilege to read only, the administrator can view the Server Profiles > Multi Factor Authentication information but cannot configure MFA server profiles.

Local User Database [Yes / No / Yes]
    Sets the default state to enable or disable for all of the Local User Database settings described below.

Users [Yes / Yes / Yes]
    Controls access to the Local User Database > Users node. If you disable this privilege, the administrator will not see the Local User Database > Users node or set up a local database on the firewall to store authentication information for remote access users, firewall administrators, and Captive Portal users.
    If you set this privilege to read only, the administrator can view the Local User Database > Users information but cannot set up a local database on the firewall to store authentication information.

User Groups [Yes / Yes / Yes]
    Controls access to the Local User Database > User Groups node. If you disable this privilege, the administrator will not see the Local User Database > User Groups node or be able to add user group information to the local database.
    If you set this privilege to read only, the administrator can view the Local User Database > User Groups information but cannot add user group information to the local database.

Authentication Profile [Yes / Yes / Yes]
    Controls access to the Authentication Profile node. If you disable this privilege, the administrator will not see the Authentication Profile node or be able to create or edit authentication profiles that specify RADIUS, TACACS+, LDAP, Kerberos, SAML, multi-factor authentication (MFA), or local database authentication settings. PAN-OS uses authentication profiles to authenticate firewall administrators and Captive Portal or GlobalProtect end users.
    If you set this privilege to read only, the administrator can view the Authentication Profile information but cannot create or edit authentication profiles.

Authentication Sequence [Yes / Yes / Yes]
    Controls access to the Authentication Sequence node. If you disable this privilege, the administrator will not see the Authentication Sequence node or be able to create or edit an authentication sequence.
    If you set this privilege to read only, the administrator can view the Authentication Sequence information but cannot create or edit an authentication sequence.

Access Domain [Yes / Yes / Yes]
    Controls access to the Access Domain node. If you disable this privilege, the administrator will not see the Access Domain node or be able to create or edit an access domain.
    If you set this privilege to read only, the administrator can view the Access Domain information but cannot create or edit an access domain.

Scheduled Log Export [Yes / No / Yes]
    Controls access to the Scheduled Log Export node. If you disable this privilege, the administrator will not see the Scheduled Log Export node or be able to schedule exports of logs and save them to a File Transfer Protocol (FTP) server in CSV format or use Secure Copy (SCP) to securely transfer data between the firewall and a remote host.
    If you set this privilege to read only, the administrator can view the Scheduled Log Export profile information but cannot schedule the export of logs.

Software [Yes / Yes / Yes]
    Controls access to the Software node. If you disable this privilege, the administrator will not see the Software node or view the latest versions of the PAN-OS software available from Palo Alto Networks, read the release notes for each version, and select a release to download and install.
    If you set this privilege to read only, the administrator can view the Software information but cannot download or install software.

GlobalProtect Client [Yes / Yes / Yes]
    Controls access to the GlobalProtect Client node. If you disable this privilege, the administrator will not see the GlobalProtect Client node or view available GlobalProtect releases, download the code, or activate the GlobalProtect agent.
    If you set this privilege to read only, the administrator can view the available GlobalProtect Client releases but cannot download or install the agent software.

Dynamic Updates [Yes / Yes / Yes]
    Controls access to the Dynamic Updates node. If you disable this privilege, the administrator will not see the Dynamic Updates node or be able to view the latest updates, read the release notes for each update, or select an update to upload and install.
    If you set this privilege to read only, the administrator can view the available Dynamic Updates releases and read the release notes but cannot upload or install the software.

Licenses [Yes / Yes / Yes]
    Controls access to the Licenses node. If you disable this privilege, the administrator will not see the Licenses node or be able to view the licenses installed or activate licenses.
    If you set this privilege to read only, the administrator can view the installed licenses but cannot perform license management functions.

Support [Enable: Yes | Read Only: Yes | Disable: Yes]:
Controls access to the Support node. If you disable this privilege, the administrator will not see the Support node or be able to access product and security alerts from Palo Alto Networks or generate tech support or stats dump files.
If you set this privilege to read-only, the administrator can view the Support node and access product and security alerts but cannot generate tech support or stats dump files.

Master Key and Diagnostics [Enable: Yes | Read Only: Yes | Disable: Yes]:
Controls access to the Master Key and Diagnostics node. If you disable this privilege, the administrator will not see the Master Key and Diagnostics node or be able to specify a master key to encrypt private keys on the firewall.
If you set this privilege to read-only, the administrator can view the Master Key and Diagnostics node and view information about master keys that have been specified but cannot add or edit a new master key configuration.

Define User Privacy Settings in the Admin Role Profile

To define what private end user data an administrator has access to, when creating or editing an admin role profile (Device > Admin Roles), scroll down to the Privacy option on the WebUI tab.

Access Level [Enable | Read Only | Disable]: Description

Privacy [Enable: Yes | Read Only: N/A | Disable: Yes]:
Sets the default state to enable or disable for all of the privacy settings described below.

Show Full IP addresses [Enable: Yes | Read Only: N/A | Disable: Yes]:
When disabled, full IP addresses obtained by traffic running through the Palo Alto firewall are not shown in logs or reports. In place of the IP addresses that are normally displayed, the relevant subnet is displayed.
NOTE: Scheduled reports that are displayed in the interface through Monitor > Reports and reports that are sent via scheduled emails will still display full IP addresses. Because of this exception, we recommend that the following settings within the Monitor tab be set to disable: Custom Reports, Application Reports, Threat Reports, URL Filtering Reports, Traffic Reports and Email Scheduler.

Show User Names in Logs and Reports [Enable: Yes | Read Only: N/A | Disable: Yes]:
When disabled, user names obtained by traffic running through the Palo Alto Networks firewall are not shown in logs or reports. Columns where the user names would normally be displayed are empty.
NOTE: Scheduled reports that are displayed in the interface through Monitor > Reports or reports that are sent via the email scheduler will still display user names. Because of this exception, we recommend that the following settings within the Monitor tab be set to disable: Custom Reports, Application Reports, Threat Reports, URL Filtering Reports, Traffic Reports and Email Scheduler.

View PCAP Files [Enable: Yes | Read Only: N/A | Disable: Yes]:
When disabled, packet capture files that are normally available within the Traffic, Threat and Data Filtering logs are not displayed.
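The two privacy NOTEs above describe a gap worth checking for: disabling Show Full IP addresses or Show User Names does not redact scheduled or e-mailed reports, so the report nodes under the Monitor tab must be disabled as well. The following Python example is added here and is not Palo Alto Networks code; it audits role profiles for that inconsistency, honouring the section-level default state the guide describes. The dict layout it reads is a constructed stand-in for your own Admin Role profile export; only the node names come from this guide.

```python
"""Audit PAN-OS admin role profiles for the privacy-versus-reports gap noted above.

Added example, not Palo Alto Networks code. The profile layout read here (a dict of
WebUI tab -> {node name: "enable" | "disable"}) is a constructed stand-in for
whatever form your Admin Role profile export takes; only the node names and the
default-state behaviour come from the guide.
"""

from dataclasses import dataclass

# Monitor-tab nodes the guide recommends disabling whenever a privacy option is
# disabled: scheduled and e-mailed reports still show full IP addresses and user names.
REPORT_NODES = (
    "Custom Reports",
    "Application Reports",
    "Threat Reports",
    "URL Filtering Reports",
    "Traffic Reports",
    "Email Scheduler",
)

PRIVACY_OPTIONS = (
    "Show Full IP addresses",
    "Show User Names in Logs and Reports",
)


@dataclass(frozen=True)
class Finding:
    role: str
    privacy_option: str
    report_node: str

    def __str__(self) -> str:
        return (
            f"[{self.role}] '{self.privacy_option}' is disabled but Monitor > "
            f"'{self.report_node}' is enabled: reports can still expose that data"
        )


def effective_state(section: dict, node: str, section_key: str) -> str:
    """Resolve a node's state. The section-level entry ("Privacy", "Monitor") sets the
    default for any node the profile does not set explicitly."""
    default = section.get(section_key, "enable")
    return section.get(node, default)


def audit_role(name: str, profile: dict) -> list:
    """Return one Finding per (disabled privacy option, still-enabled report node)."""
    privacy = profile.get("Privacy", {})
    monitor = profile.get("Monitor", {})
    # No Monitor tab at all means no reports are reachable, so nothing can leak there.
    if monitor.get("Monitor", "enable") == "disable":
        return []
    findings = []
    for option in PRIVACY_OPTIONS:
        if effective_state(privacy, option, "Privacy") != "disable":
            continue  # this data is shown anyway; reports add no extra exposure
        for node in REPORT_NODES:
            if effective_state(monitor, node, "Monitor") != "disable":
                findings.append(Finding(name, option, node))
    return findings


def audit_profiles(profiles: dict) -> list:
    """Audit every role profile in a {role name: profile} mapping."""
    return [f for name, prof in profiles.items() for f in audit_role(name, prof)]


# Constructed sample profiles; not taken from any real deployment.
SAMPLE_PROFILES = {
    # Both privacy options disabled, but only Custom Reports was disabled under
    # Monitor; the other five report nodes inherit the Monitor default (enable).
    "soc-analyst": {
        "Privacy": {
            "Show Full IP addresses": "disable",
            "Show User Names in Logs and Reports": "disable",
        },
        "Monitor": {"Monitor": "enable", "Custom Reports": "disable"},
    },
    # Section-level Privacy default disables both options; all report nodes disabled.
    "helpdesk": {
        "Privacy": {"Privacy": "disable"},
        "Monitor": {"Monitor": "enable", **{node: "disable" for node in REPORT_NODES}},
    },
    # Whole Monitor tab disabled, so no report can be reached: no finding.
    "config-auditor": {
        "Privacy": {"Privacy": "disable"},
        "Monitor": {"Monitor": "disable"},
    },
}

if __name__ == "__main__":
    for finding in audit_profiles(SAMPLE_PROFILES):
        print(finding)
```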

Restrict Administrator Access to Commit and Validate Functions

To restrict access to commit (and revert), save, and validate functions when creating or editing an Admin Role profile (Device > Admin Roles), scroll down to the Commit, Save, and Validate options on the WebUI tab.

Access Level [Enable | Read Only | Disable]: Description

Commit [Enable: Yes | Read Only: N/A | Disable: Yes]:
Sets the default state to enabled or disabled for all of the commit and revert privileges described below.

Device [Enable: Yes | Read Only: N/A | Disable: Yes]:
When disabled, an administrator cannot commit or revert changes that any administrator made to the firewall configuration, including his or her own changes.

Commit For Other Admins [Enable: Yes | Read Only: N/A | Disable: Yes]:
When disabled, an administrator cannot commit or revert changes that other administrators made to the firewall configuration.

Save [Enable: Yes | Read Only: N/A | Disable: Yes]:
Sets the default state to enabled or disabled for all of the save operation privileges described below.

Partial save [Enable: Yes | Read Only: N/A | Disable: Yes]:
When disabled, an administrator cannot save changes that any administrator made to the firewall configuration, including his or her own changes.

Save For Other Admins [Enable: Yes | Read Only: N/A | Disable: Yes]:
When disabled, an administrator cannot save changes that other administrators made to the firewall configuration.

Validate [Enable: Yes | Read Only: N/A | Disable: Yes]:
When disabled, an administrator cannot validate a configuration.

Provide Granular Access to Global Settings

To define what global settings an administrator has access to, when creating or editing an admin role profile (Device > Admin Roles), scroll down to the Global option on the WebUI tab.

Access Level [Enable | Read Only | Disable]: Description

Global [Enable: Yes | Read Only: N/A | Disable: Yes]:
Sets the default state to enable or disable for all of the global settings described below. In effect, this setting is only for System Alarms at this time.

System Alarms [Enable: Yes | Read Only: N/A | Disable: Yes]:
When disabled, an administrator cannot view or acknowledge alarms that are generated.

Provide Granular Access to the Panorama Tab

The following table lists the Panorama tab access levels and the custom Panorama administrator roles for which they are available. Firewall administrators cannot access any of these privileges.

Access Level [Administrator Role Availability] [Enable | Read Only | Disable]: Description

Setup [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can view or edit Panorama setup information, including Management, Operations and Telemetry, Services, Content-ID, WildFire, Session, or HSM.
If you set the privilege to read-only, the administrator can see the information but cannot edit it.
If you disable this privilege, the administrator cannot see or edit the information.

High Availability [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can view and manage high availability (HA) settings for the Panorama management server.
If you set this privilege to read-only, the administrator can view HA configuration information for the Panorama management server but can't manage the configuration.
If you disable this privilege, the administrator can't see or manage HA configuration settings for the Panorama management server.

Config Audit [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: No | Disable: Yes]:
Specifies whether the administrator can run Panorama configuration audits. If you disable this privilege, the administrator can't run Panorama configuration audits.

Administrators [Panorama: Yes; Device Group/Template: No] [Enable: No | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can view Panorama administrator account details.
You can't enable full access to this function: just read-only access. (Only Panorama administrators with a dynamic role can add, edit, or delete Panorama administrators.) With read-only access, the administrator can see information about his or her own account but no other Panorama administrator accounts.
If you disable this privilege, the administrator can't see information about any Panorama administrator account, including his or her own.

Admin Roles [Panorama: Yes; Device Group/Template: No] [Enable: No | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can view Panorama administrator roles.
You can't enable full access to this function: just read-only access. (Only Panorama administrators with a dynamic role can add, edit, or delete custom Panorama roles.) With read-only access, the administrator can see Panorama administrator role configurations but can't manage them.
If you disable this privilege, the administrator can't see or manage Panorama administrator roles.

Access Domain [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can view, add, edit, delete, or clone access domain configurations for Panorama administrators. (This privilege controls access only to the configuration of access domains, not access to the device groups, templates, and firewall contexts that are assigned to access domains.)
If you set this privilege to read-only, the administrator can view Panorama access domain configurations but can't manage them.
If you disable this privilege, the administrator can't see or manage Panorama access domain configurations.
NOTE: You assign access domains to Device Group and Template administrators so they can access the configuration and monitoring data within the device groups, templates, and firewall contexts that are assigned to those access domains.

Authentication Profile [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can view, add, edit, delete, or clone authentication profiles for Panorama administrators.
If you set this privilege to read-only, the administrator can view Panorama authentication profiles but can't manage them.
If you disable this privilege, the administrator can't see or manage Panorama authentication profiles.

Authentication Sequence [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can view, add, edit, delete, or clone authentication sequences for Panorama administrators.
If you set this privilege to read-only, the administrator can view Panorama authentication sequences but can't manage them.
If you disable this privilege, the administrator can't see or manage Panorama authentication sequences.

User Identification [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can configure User-ID connection security and view, add, edit, or delete User-ID redistribution points (such as User-ID agents).
If you set this privilege to read-only, the administrator can view settings for User-ID connection security and redistribution points but can't manage the settings.
If you disable this privilege, the administrator can't see or manage settings for User-ID connection security or redistribution points.

Managed Devices [Panorama: Yes; Device Group/Template: Yes] [Enable: Yes | Read Only: Yes (No for Device Group and Template roles) | Disable: Yes]:
Specifies whether the administrator can view, add, edit, or delete firewalls as managed devices, and install software or content updates on them.
If you set this privilege to read-only, the administrator can see managed firewalls but can't add, delete, tag, or install updates on them.
If you disable this privilege, the administrator can't view, add, edit, tag, delete, or install updates on managed firewalls.
NOTE: An administrator with Device Deployment privileges can still select Panorama > Device Deployment to install updates on managed firewalls.

Templates [Panorama: Yes; Device Group/Template: Yes] [Enable: Yes | Read Only: Yes (No for Device Group and Template admins) | Disable: Yes]:
Specifies whether the administrator can view, edit, add, or delete templates and template stacks.
If you set the privilege to read-only, the administrator can see template and stack configurations but can't manage them.
If you disable this privilege, the administrator can't see or manage template and stack configurations.
NOTE: Device Group and Template administrators can see only the templates and stacks that are within the access domains assigned to those administrators.

Device Groups [Panorama: Yes; Device Group/Template: Yes] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can view, edit, add, or delete device groups.
If you set this privilege to read-only, the administrator can see device group configurations but can't manage them.
If you disable this privilege, the administrator can't see or manage device group configurations.
NOTE: Device Group and Template administrators can access only the device groups that are within the access domains assigned to those administrators.

Managed Collectors [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can view, edit, add, or delete managed collectors.
If you set this privilege to read-only, the administrator can see managed collector configurations but can't manage them.
If you disable this privilege, the administrator can't view, edit, add, or delete managed collector configurations.
NOTE: An administrator with Device Deployment privileges can still use the Panorama > Device Deployment options to install updates on managed collectors.

Collector Groups [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can view, edit, add, or delete Collector Groups.
If you set this privilege to read-only, the administrator can see Collector Groups but can't manage them.
If you disable this privilege, the administrator can't see or manage Collector Groups.

VMware Service Manager [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can view and edit VMware Service Manager settings.
If you set this privilege to read-only, the administrator can see the settings but can't perform any related configuration or operational procedures.
If you disable this privilege, the administrator can't see the settings or perform any related configuration or operational procedures.

Certificate Management [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: No | Disable: Yes]:
Sets the default state, enabled or disabled, for all of the Panorama certificate management privileges.

Certificates [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can view, edit, generate, delete, revoke, renew, or export certificates. This privilege also specifies whether the administrator can import or export HA keys.
If you set this privilege to read-only, the administrator can see Panorama certificates but can't manage the certificates or HA keys.
If you disable this privilege, the administrator can't see or manage Panorama certificates or HA keys.

Certificate Profile [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can view, add, edit, delete or clone Panorama certificate profiles.
If you set this privilege to read-only, the administrator can see Panorama certificate profiles but can't manage them.
If you disable this privilege, the administrator can't see or manage Panorama certificate profiles.

SSL/TLS Service Profile [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can view, add, edit, delete or clone SSL/TLS Service profiles.
If you set this privilege to read-only, the administrator can see SSL/TLS Service profiles but can't manage them.
If you disable this privilege, the administrator can't see or manage SSL/TLS Service profiles.

Log Settings [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: No | Disable: Yes]:
Sets the default state, enabled or disabled, for all the log setting privileges.

System [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can see and configure the settings that control the forwarding of System logs to external services (syslog, email, SNMP trap, or HTTP servers).
If you set this privilege to read-only, the administrator can see the System log forwarding settings but can't manage them.
If you disable this privilege, the administrator can't see or manage the settings.
NOTE: This privilege pertains only to System logs that Panorama and Log Collectors generate. The Collector Groups privilege (Panorama > Collector Groups) controls forwarding for System logs that Log Collectors receive from firewalls. The Device > Log Settings > System privilege controls log forwarding from firewalls directly to external services (without aggregation on Log Collectors).

Config [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can see and configure the settings that control the forwarding of Config logs to external services (syslog, email, SNMP trap, or HTTP servers).
If you set this privilege to read-only, the administrator can see the Config log forwarding settings but can't manage them.
If you disable this privilege, the administrator can't see or manage the settings.
NOTE: This privilege pertains only to Config logs that Panorama and Log Collectors generate. The Collector Groups privilege (Panorama > Collector Groups) controls forwarding for Config logs that Log Collectors receive from firewalls. The Device > Log Settings > Config privilege controls log forwarding from firewalls directly to external services (without aggregation on Log Collectors).

User-ID [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can see and configure the settings that control the forwarding of User-ID logs to external services (syslog, email, SNMP trap, or HTTP servers).
If you set this privilege to read-only, the administrator can see the Config log forwarding settings but can't manage them.
If you disable this privilege, the administrator can't see or manage the settings.
NOTE: This privilege pertains only to User-ID logs that Panorama generates. The Collector Groups privilege (Panorama > Collector Groups) controls forwarding for User-ID logs that Log Collectors receive from firewalls. The Device > Log Settings > User-ID privilege controls log forwarding from firewalls directly to external services (without aggregation on Log Collectors).

HIP Match [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can see and configure the settings that control the forwarding of HIP Match logs from a Panorama virtual appliance in Legacy mode to external services (syslog, email, SNMP trap, or HTTP servers).
If you set this privilege to read-only, the administrator can see the forwarding settings of HIP Match logs but can't manage them.
If you disable this privilege, the administrator can't see or manage the settings.
NOTE: The Collector Groups privilege (Panorama > Collector Groups) controls forwarding for HIP Match logs that Log Collectors receive from firewalls. The Device > Log Settings > HIP Match privilege controls log forwarding from firewalls directly to external services (without aggregation on Log Collectors).

Correlation [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can see and configure the settings that control the forwarding of Correlation logs from a Panorama virtual appliance in Legacy mode to external services (syslog, email, SNMP trap, or HTTP servers).
If you set this privilege to read-only, the administrator can see the Correlation log forwarding settings but can't manage them.
If you disable this privilege, the administrator can't see or manage the settings.
NOTE: The Collector Groups privilege (Panorama > Collector Groups) controls forwarding of Correlation logs from a Panorama M-Series appliance or Panorama virtual appliance in Panorama mode.

Traffic [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can see and configure the settings that control the forwarding of Traffic logs from a Panorama virtual appliance in Legacy mode to external services (syslog, email, SNMP trap, or HTTP servers).
If you set this privilege to read-only, the administrator can see the forwarding settings of Traffic logs but can't manage them.
If you disable this privilege, the administrator can't see or manage the settings.
NOTE: The Collector Groups privilege (Panorama > Collector Groups) controls forwarding for Traffic logs that Log Collectors receive from firewalls. The Log Forwarding privilege (Objects > Log Forwarding) controls forwarding from firewalls directly to external services (without aggregation on Log Collectors).

Threat [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can see and configure the settings that control the forwarding of Threat logs from a Panorama virtual appliance in Legacy mode to external services (syslog, email, SNMP trap, or HTTP servers).
If you set this privilege to read-only, the administrator can see the forwarding settings of Threat logs but can't manage them.
If you disable this privilege, the administrator can't see or manage the settings.
NOTE: The Collector Groups privilege (Panorama > Collector Groups) controls forwarding for Threat logs that Log Collectors receive from firewalls. The Log Forwarding privilege (Objects > Log Forwarding) controls forwarding from firewalls directly to external services (without aggregation on Log Collectors).

WildFire [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can see and configure the settings that control the forwarding of WildFire logs from a Panorama virtual appliance in Legacy mode to external services (syslog, email, SNMP trap, or HTTP servers).
If you set this privilege to read-only, the administrator can see the forwarding settings of WildFire logs but can't manage them.
If you disable this privilege, the administrator can't see or manage the settings.
NOTE: The Collector Groups privilege (Panorama > Collector Groups) controls the forwarding for WildFire logs that Log Collectors receive from firewalls. The Log Forwarding privilege (Objects > Log Forwarding) controls forwarding from firewalls directly to external services (without aggregation on Log Collectors).

Server Profiles [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: No | Disable: Yes]:
Sets the default state, enabled or disabled, for all the server profile privileges.
NOTE: These privileges pertain only to the server profiles that are used for forwarding logs from Panorama or Log Collectors and the server profiles that are used for authenticating Panorama administrators. The Device > Server Profiles privileges control access to the server profiles that are used for forwarding logs directly from firewalls to external services and for authenticating firewall administrators.

SNMP Trap [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can see and configure SNMP trap server profiles.
If you set this privilege to read-only, the administrator can see SNMP trap server profiles but can't manage them.
If you disable this privilege, the administrator can't see or manage SNMP trap server profiles.

Syslog [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can see and configure Syslog server profiles.
If you set this privilege to read-only, the administrator can see Syslog server profiles but can't manage them.
If you disable this privilege, the administrator can't see or manage Syslog server profiles.

Email [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can see and configure email server profiles.
If you set this privilege to read-only, the administrator can see email server profiles but can't manage them.
If you disable this privilege, the administrator can't see or manage email server profiles.

RADIUS [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can see and configure the RADIUS server profiles that are used to authenticate Panorama administrators.
If you set this privilege to read-only, the administrator can see the RADIUS server profiles but can't manage them.
If you disable this privilege, the administrator can't see or manage the RADIUS server profiles.

TACACS+ [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can see and configure the TACACS+ server profiles that are used to authenticate Panorama administrators.
If you disable this privilege, the administrator can't see the node or configure settings for the TACACS+ servers that authentication profiles reference.
If you set this privilege to read-only, the administrator can view existing TACACS+ server profiles but can't add or edit them.

LDAP [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can see and configure the LDAP server profiles that are used to authenticate Panorama administrators.
If you set this privilege to read-only, the administrator can see the LDAP server profiles but can't manage them.
If you disable this privilege, the administrator can't see or manage the LDAP server profiles.

Kerberos [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can see and configure the Kerberos server profiles that are used to authenticate Panorama administrators.
If you set this privilege to read-only, the administrator can see the Kerberos server profiles but can't manage them.
If you disable this privilege, the administrator can't see or manage the Kerberos server profiles.

SAML Identity Provider [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can see and configure the SAML Identity Provider (IdP) server profiles that are used to authenticate Panorama administrators.
If you set this privilege to read-only, the administrator can see the SAML IdP server profiles but can't manage them.
If you disable this privilege, the administrator can't see or manage the SAML IdP server profiles.

Scheduled Config Export [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: No | Disable: Yes]:
Specifies whether the administrator can view, add, edit, delete, or clone scheduled Panorama configuration exports.
If you set this privilege to read-only, the administrator can view the scheduled exports but can't manage them.
If you disable this privilege, the administrator can't see or manage the scheduled exports.

Software [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can: view information about software updates installed on the Panorama management server; download, upload, or install the updates; and view the associated release notes.
If you set this privilege to read-only, the administrator can view information about Panorama software updates and view the associated release notes but can't perform any related operations.
If you disable this privilege, the administrator can't see Panorama software updates, see the associated release notes, or perform any related operations.
NOTE: The Panorama > Device Deployment > Software privilege controls access to PAN-OS software deployed on firewalls and Panorama software deployed on Dedicated Log Collectors.

Dynamic Updates [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can: view information about content updates installed on the Panorama management server (for example, WildFire updates); download, upload, install, or revert the updates; and view the associated release notes.
If you set this privilege to read-only, the administrator can view information about Panorama content updates and view the associated release notes but can't perform any related operations.
If you disable this privilege, the administrator can't see Panorama content updates, see the associated release notes, or perform any related operations.
NOTE: The Panorama > Device Deployment > Dynamic Updates privilege controls access to content updates deployed on firewalls and Dedicated Log Collectors.

Support [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can: view Panorama support license information, product alerts, and security alerts; activate a support license, generate Tech Support files, and manage cases.
If you set this privilege to read-only, the administrator can view Panorama support information, product alerts, and security alerts, but can't activate a support license, generate Tech Support files, or manage cases.
If you disable this privilege, the administrator can't: see Panorama support information, product alerts, or security alerts; activate a support license, generate Tech Support files, or manage cases.

Device Deployment [Panorama: Yes; Device Group/Template: Yes] [Enable: Yes | Read Only: No | Disable: Yes]:
Sets the default state, enabled or disabled, for all the privileges associated with deploying licenses and software or content updates to firewalls and Log Collectors.
NOTE: The Panorama > Software and Panorama > Dynamic Updates privileges control the software and content updates installed on a Panorama management server.

Software [Panorama: Yes; Device Group/Template: Yes] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can: view information about the software updates installed on firewalls and Log Collectors; download, upload, or install the updates; and view the associated release notes.
If you set this privilege to read-only, the administrator can see information about the software updates and view the associated release notes but can't deploy the updates to firewalls or Dedicated Log Collectors.
If you disable this privilege, the administrator can't see information about the software updates, see the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors.

GlobalProtect Client [Panorama: Yes; Device Group/Template: Yes] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can: view information about GlobalProtect agent/app software updates on firewalls; download, upload, or activate the updates; and view the associated release notes.
If you set this privilege to read-only, the administrator can see information about GlobalProtect agent/app software updates and view the associated release notes but can't activate the updates on firewalls.
If you disable this privilege, the administrator can't see information about GlobalProtect agent/app software updates, see the associated release notes, or activate the updates on firewalls.

Dynamic Updates [Panorama: Yes; Device Group/Template: Yes] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can: view information about the content updates (for example, Applications updates) installed on firewalls and Dedicated Log Collectors; download, upload, or install the updates; and view the associated release notes.
If you set this privilege to read-only, the administrator can see information about the content updates and view the associated release notes but can't deploy the updates to firewalls or Dedicated Log Collectors.
If you disable this privilege, the administrator can't see information about the content updates, see the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors.

Licenses [Panorama: Yes; Device Group/Template: Yes] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can view, refresh, and activate firewall licenses.
If you set this privilege to read-only, the administrator can view firewall licenses but can't refresh or activate those licenses.
If you disable this privilege, the administrator can't view, refresh, or activate firewall licenses.

Master Key and Diagnostics [Panorama: Yes; Device Group/Template: No] [Enable: Yes | Read Only: Yes | Disable: Yes]:
Specifies whether the administrator can view and configure a master key by which to encrypt private keys on Panorama.
If you set this privilege to read-only, the administrator can view the Panorama master key configuration but can't change it.
If you disable this privilege, the administrator can't see or edit the Panorama master key configuration.

Panorama Web Interface Access Privileges

The custom Panorama administrator roles allow you to define access to the options on Panorama and the ability to only allow access to Device Groups and Templates (Policies, Objects, Network, Device tabs). The administrator roles you can create are Panorama and Device Group and Template. You can't assign CLI access privileges to a Device Group and Template Admin Role profile. If you assign superuser privileges for the CLI to a Panorama Admin Role profile, administrators with that role can access all features regardless of the web interface privileges you assign.

Access Level [Enable | Read Only | Disable]: Description

Dashboard [Enable: Yes | Read Only: No | Disable: Yes]:
Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the tab and will not have access to any of the Dashboard widgets.

ACC [Enable: Yes | Read Only: No | Disable: Yes]:
Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab will not display in the web interface. Keep in mind that if you want to protect the privacy of your users while still providing access to the ACC, you can disable the Privacy > Show Full Ip Addresses option and/or the Show User Names In Logs And Reports option.

Monitor [Enable: Yes | Read Only: No | Disable: Yes]:
Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the Monitor tab and will not have access to any of the logs, packet captures, session information, reports or to App Scope. For more granular control over what monitoring information the administrator can see, leave the Monitor option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Monitor Tab.

Policies [Enable: Yes | Read Only: No | Disable: Yes]:
Controls access to the Policies tab. If you disable this privilege, the administrator will not see the Policies tab and will not have access to any policy information. For more granular control over what policy information the administrator can see, for example to enable access to a specific type of policy or to enable read-only access to policy information, leave the Policies option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Policy Tab.

Objects [Enable: Yes | Read Only: No | Disable: Yes]:
Controls access to the Objects tab. If you disable this privilege, the administrator will not see the Objects tab and will not have access to any objects, security profiles, log forwarding profiles, decryption profiles, or schedules. For more granular control over what objects the administrator can see, leave the Objects option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Objects Tab.


Network (Enable: Yes; Read Only: No; Disable: Yes)
  Controls access to the Network tab. If you disable this privilege, the administrator will not see the Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information or to the network profiles. For more granular control over what objects the administrator can see, leave the Network option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Network Tab.

Device (Enable: Yes; Read Only: No; Disable: Yes)
  Controls access to the Device tab. If you disable this privilege, the administrator will not see the Device tab and will not have access to any firewall-wide configuration information, such as User-ID, High Availability, server profile or certificate configuration information. For more granular control over what objects the administrator can see, leave the Device option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Device Tab.
  NOTE: You can't enable access to the Admin Roles or Administrators nodes for a role-based administrator even if you enable full access to the Device tab.

Panorama (Enable: Yes; Read Only: No; Disable: Yes)
  Controls access to the Panorama tab. If you disable this privilege, the administrator will not see the Panorama tab and will not have access to any Panorama-wide configuration information, such as Managed Devices, Managed Collectors, or Collector Groups.
  For more granular control over what objects the administrator can see, leave the Panorama option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Panorama Tab.

Privacy (Enable: Yes; Read Only: No; Disable: Yes)
  Controls access to the privacy settings described in Define User Privacy Settings in the Admin Role Profile.

Validate (Enable: Yes; Read Only: No; Disable: Yes)
  When disabled, an administrator cannot validate a configuration.

Save (Enable: Yes; Read Only: No; Disable: Yes)
  Sets the default state (enabled or disabled) for all the save privileges described below (Partial Save and Save For Other Admins).

Partial Save (Enable: Yes; Read Only: No; Disable: Yes)
  When disabled, an administrator cannot save changes that any administrator made to the Panorama configuration.

Save For Other Admins (Enable: Yes; Read Only: No; Disable: Yes)
  When disabled, an administrator cannot save changes that other administrators made to the Panorama configuration.


Commit (Enable: Yes; Read Only: No; Disable: Yes)
  Sets the default state (enabled or disabled) for all the commit, push, and revert privileges described below (Panorama, Device Groups, Templates, Force Template Values, Collector Groups, WildFire Appliance Clusters).

Panorama (Enable: Yes; Read Only: No; Disable: Yes)
  When disabled, an administrator cannot commit or revert configuration changes that any administrators made, including his or her own changes.

Commit for Other Admins (Enable: Yes; Read Only: No; Disable: Yes)
  When disabled, an administrator cannot commit or revert configuration changes that other administrators made.

Device Groups (Enable: Yes; Read Only: No; Disable: Yes)
  When disabled, an administrator cannot push changes to device groups.

Templates (Enable: Yes; Read Only: No; Disable: Yes)
  When disabled, an administrator cannot push changes to templates.

Force Template Values (Enable: Yes; Read Only: No; Disable: Yes)
  This privilege controls access to the Force Template Values option in the Push Scope Selection dialog. When disabled, an administrator cannot replace overridden settings in local firewall configurations with settings that Panorama pushes from a template.

Collector Groups (Enable: Yes; Read Only: No; Disable: Yes)
  When disabled, an administrator cannot push changes to Collector Groups.

WildFire Appliance Clusters (Enable: Yes; Read Only: No; Disable: Yes)
  When disabled, an administrator cannot push changes to WildFire appliance clusters.

Tasks (Enable: Yes; Read Only: No; Disable: Yes)
  When disabled, an administrator cannot access the Task Manager.

Global (Enable: Yes; Read Only: No; Disable: Yes)
  Controls access to the global settings (system alarms) described in Provide Granular Access to Global Settings.


Reference: Port Number Usage

The following tables list the ports that firewalls and Panorama use to communicate with each other, or with other services on the network.
- Ports Used for Management Functions
- Ports Used for HA
- Ports Used for Panorama
- Ports Used for GlobalProtect
- Ports Used for User-ID

Ports Used for Management Functions

The firewall and Panorama use the following ports for management functions.

Destination Port/Protocol: Description

22/TCP
  Used for communication from a client system to the firewall CLI interface.

80/TCP
  The port the firewall listens on for Online Certificate Status Protocol (OCSP) updates when acting as an OCSP responder.

123/UDP
  Port the firewall uses for NTP updates.

443/TCP
  Used for communication from a client system to the firewall web interface. This is also the port the firewall and User-ID agent listens on for VM Information source updates.
  For monitoring an AWS environment, this is the only port that is used.
  For monitoring a VMware vCenter/ESXi environment, the listening port defaults to 443, but it is configurable.

162/UDP
  Port the firewall, Panorama, or a Log Collector uses to Forward Traps to an SNMP Manager.
  NOTE: This port doesn't need to be open on the Palo Alto Networks firewall. You must configure the Simple Network Management Protocol (SNMP) manager to listen on this port. For details, refer to the documentation of your SNMP management software.

161/UDP
  Port the firewall listens on for polling requests (GET messages) from the SNMP manager.

514/TCP, 514/UDP, 6514/SSL
  Port that the firewall, Panorama, or a Log Collector uses to send logs to a syslog server if you Configure Syslog Monitoring, and the ports that the PAN-OS integrated User-ID agent or Windows-based User-ID agent listens on for authentication syslog messages.

2055/UDP
  Default port the firewall uses to send NetFlow records to a NetFlow collector if you Configure NetFlow Exports, but this is configurable.


5008/TCP
  Port the GlobalProtect Mobile Security Manager listens on for HIP requests from the GlobalProtect gateways.
  If you are using a third-party MDM system, you can configure the gateway to use a different port as required by the MDM vendor.

6080/TCP, 6081/TCP, 6082/TCP
  Ports used for User-ID Captive Portal: 6080 for NT LAN Manager (NTLM) authentication, 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode.

Ports Used for HA

Firewalls configured as High Availability (HA) peers must be able to communicate with each other to maintain state information (HA1 control link) and synchronize data (HA2 data link). In Active/Active HA deployments the peer firewalls must also forward packets to the HA peer that owns the session. The HA3 link is a Layer 2 (MAC-in-MAC) link and it does not support Layer 3 addressing or encryption.

Destination Port/Protocol: Description

28769/TCP, 28260/TCP
  Used for the HA1 control link for clear text communication between the HA peer firewalls. The HA1 link is a Layer 3 link and requires an IP address.

28/TCP
  Used for the HA1 control link for encrypted communication (SSH over TCP) between the HA peer firewalls.

28770/TCP
  Listening port for HA1 backup links.

28771/TCP
  Used for heartbeat backups. Palo Alto Networks recommends enabling heartbeat backup on the MGT interface if you use an in-band port for the HA1 or the HA1 backup links.

99/IP, 29281/UDP
  Used for the HA2 link to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active firewall (Active/Passive) or active-primary (Active/Active) to the passive firewall (Active/Passive) or active-secondary (Active/Active). The HA2 link is a Layer 2 link, and it uses ethertype 0x7261 by default.
  The HA data link can also be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.

Ports Used for Panorama

Panorama uses the following ports.

Destination Port/Protocol: Description

22/TCP
  Used for communication from a client system to the Panorama CLI interface.


443/TCP
  Used for communication from a client system to the Panorama web interface.

3978/TCP
  Used for communication between Panorama and managed firewalls or managed collectors, as well as for communication among managed collectors in a Collector Group:
  - For communication between Panorama and firewalls, this is a bidirectional connection on which the firewalls forward logs to Panorama and Panorama pushes configuration changes to the firewalls. Context switching commands are sent over the same connection.
  - Log Collectors use this destination port to forward logs to Panorama.
  - For communication with the default Log Collector on an M-Series appliance in Panorama mode and with Dedicated Log Collectors.

28443/TCP
  Used for managed devices (firewalls and Log Collectors) to retrieve software and content updates from Panorama.
  NOTE: Only devices that run PAN-OS 8.x and later releases retrieve updates from Panorama over this port. For devices running earlier releases, Panorama pushes the update packages over port 3978.

28769/TCP (5.1 and later), 28260/TCP (5.0 and later), 49160/TCP (5.0 and earlier)
  Used for the HA connectivity and synchronization between Panorama HA peers using clear text communication. Communication can be initiated by either peer.

28/TCP
  Used for the HA connectivity and synchronization between Panorama HA peers using encrypted communication (SSH over TCP). Communication can be initiated by either peer.

28270/TCP (6.0 and later), 49190/TCP (5.1 and earlier)
  Used for communication among Log Collectors in a Collector Group for log distribution.

2049/TCP
  Used by the Panorama virtual appliance to write logs to the NFS datastore.

Ports Used for GlobalProtect

GlobalProtect uses the following ports.

Destination Port/Protocol: Description

443/TCP
  Used for communication between GlobalProtect agents and portals, or GlobalProtect agents and gateways and for SSL tunnel connections.
  GlobalProtect gateways also use this port to collect host information from GlobalProtect agents and perform host information profile (HIP) checks.

4501/UDP
  Used for IPSec tunnel connections between GlobalProtect agents and gateways.

For tips on how to use a loopback interface to provide access to GlobalProtect on different ports and addresses, refer to Can GlobalProtect Portal Page be Configured to be Accessed on any Port?.


Ports Used for User-ID

User-ID is a feature that enables mapping of user IP addresses to usernames and group memberships, enabling user- or group-based policy and visibility into user activity on your network (for example, to be able to quickly track down a user who may be the victim of a threat). To perform this mapping, the firewall, the User-ID agent (either installed on a Windows-based system or the PAN-OS integrated agent running on the firewall), and/or the Terminal Services agent must be able to connect to directory services on your network to perform Group Mapping and User Mapping. Additionally, if the agents are running on systems external to the firewall, they must be able to connect to the firewall to communicate the IP address-to-username mappings to the firewall. The following table lists the communication requirements for User-ID along with the port numbers required to establish connections.

Destination Port/Protocol: Description

389/TCP
  Port the firewall uses to connect to an LDAP server (plaintext or Start Transport Layer Security (StartTLS)) to Map Users to Groups.

3268/TCP
  Port the firewall uses to connect to an Active Directory global catalog server (plaintext or StartTLS) to Map Users to Groups.

636/TCP
  Port the firewall uses for LDAP over SSL connections with an LDAP server to Map Users to Groups.

3269/TCP
  Port the firewall uses for LDAP over SSL connections with an Active Directory global catalog server to Map Users to Groups.

514, 6514 (TCP, UDP, SSL)
  Port the User-ID agent listens on for authentication syslog messages if you Configure User-ID to Monitor Syslog Senders for User Mapping. The port depends on the type of agent and protocol:
  - PAN-OS integrated User-ID agent: Port 6514 for SSL and port 514 for UDP.
  - Windows-based User-ID agent: Port 514 for both TCP and UDP.

5007/TCP
  Port the firewall listens on for user mapping information from the User-ID or Terminal Services agent. The agent sends the IP address and username mapping along with a timestamp whenever it learns of a new or updated mapping. In addition, it connects to the firewall at regular intervals to refresh known mappings.

5006/TCP
  Port the User-ID agent listens on for XML API requests. The source for this communication is typically the system running a script that invokes the API.

88/UDP, TCP
  Port the User-ID agent uses to authenticate to a Kerberos server. The firewall tries UDP first and falls back to TCP.

1812/UDP
  Port the User-ID agent uses to authenticate to a RADIUS server.

49/TCP
  Port the User-ID agent uses to authenticate to a TACACS+ server.

135/TCP
  Port the User-ID agent uses to establish TCP-based WMI connections with the Microsoft Remote Procedure Call (RPC) Endpoint Mapper. The Endpoint Mapper then assigns the agent a randomly assigned port in the 49152-65535 port range. The agent uses this connection to make RPC queries for Exchange Server or AD server security logs, session tables. This is also the port used to access Terminal Services.
  The User-ID agent also uses this port to connect to client systems to perform Windows Management Instrumentation (WMI) probing.


139/TCP
  Port the User-ID agent uses to establish TCP-based NetBIOS connections to the AD server so that it can send RPC queries for security logs and session information.
  The User-ID agent also uses this port to connect to client systems for NetBIOS probing (supported on the Windows-based User-ID agent only).

445/TCP
  Port the User-ID agent uses to connect to the Active Directory (AD) using TCP-based SMB connections to the AD server for access to user logon information (print spooler and Net Logon).


Reset the Firewall to Factory Default Settings

Resetting the firewall to factory defaults will result in the loss of all configuration settings and logs.

Reset the Firewall to Factory Default Settings

Step 1: Set up a console connection to the firewall.
  1. Connect a serial cable from your computer to the Console port and connect to the firewall using terminal emulation software (9600-8-N-1).
     NOTE: If your computer does not have a 9-pin serial port, use a USB-to-serial port connector.
  2. Enter your login credentials.
  3. Enter the following CLI command:
       debug system maintenance-mode
     The firewall will reboot in the maintenance mode.

Step 2: Reset the system to factory default settings.
  1. When the firewall reboots, press Enter to continue to the maintenance mode menu.
  2. Select Factory Reset and press Enter.
  3. Select Factory Reset and press Enter again.
     The firewall will reboot without any configuration settings. The default username and password to log in to the firewall is admin/admin.
     To perform initial configuration on the firewall and to set up network connectivity, see Integrate the Firewall into Your Management Network.


Bootstrap the Firewall

Bootstrapping speeds up the process of configuring and licensing the firewall to make it operational on the network with or without Internet access. Bootstrapping allows you to choose whether to configure the firewall with a basic configuration file (init-cfg.txt) so that it can connect to Panorama and obtain the complete configuration or to fully configure the firewall with the basic configuration and the optional bootstrap.xml file.
- USB Flash Drive Support
- Sample init-cfg.txt Files
- Prepare a USB Flash Drive for Bootstrapping a Firewall
- Bootstrap a Firewall Using a USB Flash Drive

USB Flash Drive Support

The USB flash drive that bootstraps a hardware-based Palo Alto Networks firewall must support one of the following:
- File Allocation Table 32 (FAT32)
- Third Extended File System (ext3)
The firewall can bootstrap from the following flash drives with USB 2.0 or USB 3.0 connectivity:

USB Flash Drives Supported

Kingston: Kingston SE9 8GB (2.0); Kingston SE9 16GB (3.0); Kingston SE9 32GB (3.0)
SanDisk: SanDisk Cruzer Fit CZ33 8GB (2.0); SanDisk Cruzer Fit CZ33 16GB (2.0); SanDisk Cruzer CZ36 16GB (2.0); SanDisk Cruzer CZ36 32GB (2.0); SanDisk Extreme CZ80 32GB (3.0)
Silicon Power: Silicon Power Jewel 32GB (3.0); Silicon Power Blaze 16GB (3.0)
PNY: PNY Attache 16GB (2.0); PNY Turbo 32GB (3.0)


Sample init-cfg.txt Files

An init-cfg.txt file is required for the bootstrap process; this file is a basic configuration file that you create using a text editor. You create this file in Step 5 in Prepare a USB Flash Drive for Bootstrapping a Firewall. The following sample init-cfg.txt files show the parameters that are supported in the file; the parameters that you must provide are the ones marked (Required) in the field table that follows.

Sample init-cfg.txt (Static IP Address):
  type=static
  ip-address=10.5.107.19
  default-gateway=10.5.107.1
  netmask=255.255.255.0
  ipv6-address=2001:400:f00::1/64
  ipv6-default-gateway=2001:400:f00::2
  hostname=Ca-FW-DC1
  panorama-server=10.5.107.20
  panorama-server-2=10.5.107.21
  tplname=FINANCE_TG4
  dgname=finance_dg
  dns-primary=10.5.6.6
  dns-secondary=10.5.6.7
  op-command-modes=multi-vsys,jumbo-frame
  dhcp-send-hostname=no
  dhcp-send-client-id=no
  dhcp-accept-server-hostname=no
  dhcp-accept-server-domain=no

Sample init-cfg.txt (DHCP Client):
  type=dhcp-client
  ip-address=
  default-gateway=
  netmask=
  ipv6-address=
  ipv6-default-gateway=
  hostname=Ca-FW-DC1
  panorama-server=10.5.107.20
  panorama-server-2=10.5.107.21
  tplname=FINANCE_TG4
  dgname=finance_dg
  dns-primary=10.5.6.6
  dns-secondary=10.5.6.7
  op-command-modes=multi-vsys,jumbo-frame
  dhcp-send-hostname=yes
  dhcp-send-client-id=yes
  dhcp-accept-server-hostname=yes
  dhcp-accept-server-domain=yes

The following table describes the fields in the init-cfg.txt file. The type is required; if the type is static, the IP address, default gateway and netmask are required, or the IPv6 address and IPv6 default gateway are required.

Fields in the init-cfg.txt File

type: (Required) Type of management IP address: static or dhcp-client.

ip-address: (Required for IPv4 static management address) IPv4 address. The firewall ignores this field if the type is dhcp-client.

default-gateway: (Required for IPv4 static management address) IPv4 default gateway for the management interface. The firewall ignores this field if the type is dhcp-client.

netmask: (Required for IPv4 static management address) IPv4 netmask. The firewall ignores this field if the type is dhcp-client.

ipv6-address: (Required for IPv6 static management address) IPv6 address and /prefix length of the management interface. The firewall ignores this field if the type is dhcp-client.

ipv6-default-gateway: (Required for IPv6 static management address) IPv6 default gateway for the management interface. The firewall ignores this field if the type is dhcp-client.

hostname: (Optional) Hostname for the firewall.


panorama-server: (Recommended) IPv4 or IPv6 address of the primary Panorama server.

panorama-server-2: (Optional) IPv4 or IPv6 address of the secondary Panorama server.

tplname: (Recommended) Panorama template name.

dgname: (Recommended) Panorama device group name.

dns-primary: (Optional) IPv4 or IPv6 address of the primary DNS server.

dns-secondary: (Optional) IPv4 or IPv6 address of the secondary DNS server.

vm-auth-key: (VM-Series firewalls only) Virtual machine authentication key.

op-command-modes: (Optional) Enter multi-vsys, jumbo-frame, or both separated by a comma only. Enables multiple virtual systems and jumbo frames while bootstrapping.

dhcp-send-hostname: (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall sends its hostname to the DHCP server.

dhcp-send-client-id: (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall sends its client ID to the DHCP server.

dhcp-accept-server-hostname: (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall accepts its hostname from the DHCP server.

dhcp-accept-server-domain: (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall accepts its DNS server from the DHCP server.

Prepare a USB Flash Drive for Bootstrapping a Firewall

You can use a USB flash drive to bootstrap a physical firewall. However, to do so you must upgrade to PAN-OS 7.1 and Reset the Firewall to Factory Default Settings. For security reasons, you can bootstrap a firewall only when it is in factory default state or has all private data deleted.

Prepare a USB Flash Drive for Bootstrapping a Firewall

Step 1: Obtain serial numbers (S/Ns) and auth codes for support subscriptions from your order fulfillment email.

Step 2: Register S/Ns of new firewalls on the Customer Support portal.
  1. Go to support.paloaltonetworks.com, log in, and select Assets > Register New Device > Register device using Serial Number or Authorization Code.
  2. Follow the steps to Register the Firewall.
  3. Click Submit.

Step 3: Activate authorization codes on the Customer Support portal, which creates license keys.
  1. Go to support.paloaltonetworks.com, log in, and select the Assets tab.
  2. For each S/N you just registered, click the Action link.
  3. Select Activate Auth-Code.
  4. Enter the Authorization code and click Agree and Submit.


Step 4: Add the S/Ns in Panorama.
  Complete Step 1 in Add a Firewall as a Managed Device in the Panorama Administrator's Guide.

Step 5: Create the init-cfg.txt file.
  Create the init-cfg.txt file, a mandatory file that provides bootstrap parameters. The fields are described in Sample init-cfg.txt Files.
  NOTE: If the init-cfg.txt file is missing, the bootstrap process will fail and the firewall will boot up with the default configuration in the normal boot-up sequence.
  There are no spaces between the key and value in each field; do not add spaces because they cause failures during parsing on the management server side.
  You can have multiple init-cfg.txt files, one each for different remote sites, by prepending the S/N to the filename. For example:
    0008C200105-init-cfg.txt
    0008C200107-init-cfg.txt
  If no prepended filename is present, the firewall uses the init-cfg.txt file and proceeds with bootstrapping.

Step 6: (Optional) Create the bootstrap.xml file.
  The optional bootstrap.xml file is a complete firewall configuration that you can export from an existing production firewall.
  1. Select Device > Setup > Operations > Export named configuration snapshot.
  2. Select the Name of the saved or the running configuration.
  3. Click OK.
  4. Rename the file as bootstrap.xml.


Step 7: Create and download the bootstrap bundle from the Customer Support portal.
  For a physical firewall, the bootstrap bundle requires only the /license and /config directories.
  Use one of the following methods to create and download the bootstrap bundle:
  - Use Method 1 to create a bootstrap bundle specific to a remote site (you have only one init-cfg.txt file).
  - Use Method 2 to create one bootstrap bundle for multiple sites.

  Method 1
  1. On your local system, go to support.paloaltonetworks.com and log in.
  2. Select Assets.
  3. Select the S/N of the firewall you want to bootstrap.
  4. Select Bootstrap Container.
  5. Click Select.
  6. Upload and Open the init-cfg.txt file you created.
  7. (Optional) Select the bootstrap.xml file you created and Upload Files.
     You must use a bootstrap.xml file from a firewall of the same model and PAN-OS version.
  8. Select Bootstrap Container Download to download a tar.gz file named bootstrap_<S/N>_<date>.tar.gz to your local system. This bootstrap container includes the license keys associated with the S/N of the firewall.

  Method 2
  Create a tar.gz file on your local system with two top-level directories: /license and /config. Include all licenses and all init-cfg.txt files with S/Ns prepended to the filenames.
  The license key files you download from the Customer Support portal have the S/N in the license filename. PAN-OS checks the S/N in the filename against the firewall S/N while executing the bootstrap process.

Step 8: Import the tar.gz file you created to a PAN-OS 7.1 firewall using Secure Copy (SCP) or TFTP.
  Access the CLI and enter one of the following commands:
    tftp import bootstrap-bundle file <path and filename> from <host IP address>
  For example:
    tftp import bootstrap-bundle file /home/userx/bootstrap/devices/pa5000.tar.gz from 10.1.2.3
    scp import bootstrap-bundle from <<user>@<host>:<path to file>>
  For example:
    scp import bootstrap-bundle from userx@10.1.2.3:/home/userx/bootstrap/devices/pa200_bootstrap_bundle.tar.gz


Step 9: Prepare the USB flash drive.
  1. Insert the USB flash drive into the firewall that you used in Step 8.
  2. Enter the following CLI operational command, using your tar.gz filename in place of pa5000.tar.gz. This command formats the USB flash drive, unzips the file, and validates the USB flash drive:
       request system bootstrap-usb prepare from pa5000.tar.gz
  3. Press y to continue. The following message displays when the USB drive is ready:
       USB prepare completed successfully.
  4. Remove the USB flash drive from the firewall.
  5. You can prepare as many USB flash drives as needed.

Step 10: Deliver the USB flash drive to your remote site.
  If you used Method 2 to create the bootstrap bundle, you can use the same USB flash drive content for bootstrapping firewalls at multiple remote sites. You can translate the content into multiple USB flash drives or a single USB flash drive used multiple times.
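Before you build the bundle in Step 7, it is worth checking each init-cfg.txt file against the field rules in Sample init-cfg.txt Files and the Step 5 naming convention, because a parse failure on the firewall means it boots with the default configuration instead. The validator below is an added example, not Palo Alto Networks code: it rejects whitespace, enforces the type, static IPv4/IPv6 and DHCP-only field rules and the op-command-modes values, and models the <S/N>-init-cfg.txt lookup; the function names are mine and the sample file contents and serial numbers are constructed.

```python
"""Validate PAN-OS bootstrap init-cfg.txt files (added example, not vendor code).

Field names and the <S/N>-init-cfg.txt naming follow the guide; the sample
contents and serial numbers below are constructed for the example.
"""
from typing import Dict, Iterable, List, Optional, Tuple

IPV4_STATIC = ("ip-address", "default-gateway", "netmask")
IPV6_STATIC = ("ipv6-address", "ipv6-default-gateway")
DHCP_ONLY = ("dhcp-send-hostname", "dhcp-send-client-id",
             "dhcp-accept-server-hostname", "dhcp-accept-server-domain")
RECOMMENDED = ("panorama-server", "tplname", "dgname")
KNOWN = set(IPV4_STATIC + IPV6_STATIC + DHCP_ONLY + RECOMMENDED) | {
    "type", "hostname", "panorama-server-2", "dns-primary", "dns-secondary",
    "vm-auth-key", "op-command-modes"}
OP_MODES = {"multi-vsys", "jumbo-frame"}


def parse_init_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines. Any whitespace on a line is rejected, because the
    guide warns that spaces make parsing fail on the management server."""
    fields: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        if any(ch.isspace() for ch in line):
            raise ValueError(f"line {lineno}: whitespace is not allowed in init-cfg.txt")
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value")
        key, value = line.split("=", 1)
        if key in fields:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        fields[key] = value
    return fields


def validate_init_cfg(fields: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors break the bootstrap or leave the
    management interface unreachable; warnings cover recommended fields."""
    errors: List[str] = []
    warnings: List[str] = []
    for key in fields:
        if key not in KNOWN:
            errors.append(f"unknown field {key!r}")
    cfg_type = fields.get("type", "")
    if cfg_type == "static":
        # Either the full IPv4 triple or the IPv6 pair must be present and non-empty.
        v4 = all(fields.get(k) for k in IPV4_STATIC)
        v6 = all(fields.get(k) for k in IPV6_STATIC)
        if not (v4 or v6):
            errors.append("type=static needs ip-address, default-gateway and netmask, "
                          "or ipv6-address and ipv6-default-gateway")
        for key in DHCP_ONLY:
            if fields.get(key):
                warnings.append(f"{key} is a DHCP-client-only field and is ignored")
    elif cfg_type == "dhcp-client":
        # IP fields are ignored for dhcp-client; the dhcp-* flags must be yes or no.
        for key in DHCP_ONLY:
            if fields.get(key, "") not in ("", "yes", "no"):
                errors.append(f"{key} must be yes or no")
    else:
        errors.append("type is required and must be static or dhcp-client")
    modes = fields.get("op-command-modes", "")
    if modes:
        bad = [m for m in modes.split(",") if m not in OP_MODES]
        if bad:
            errors.append(f"op-command-modes: unknown value(s) {bad}")
    for key in RECOMMENDED:
        if not fields.get(key):
            warnings.append(f"{key} is recommended so the firewall can join Panorama")
    return errors, warnings


def select_init_cfg(filenames: Iterable[str], serial: str) -> Optional[str]:
    """Model the lookup the guide describes: <S/N>-init-cfg.txt wins, otherwise
    the plain init-cfg.txt is used, otherwise bootstrapping fails (None)."""
    names = set(filenames)
    if f"{serial}-init-cfg.txt" in names:
        return f"{serial}-init-cfg.txt"
    if "init-cfg.txt" in names:
        return "init-cfg.txt"
    return None


# Constructed sample files (addresses, names and serials are placeholders).
STATIC_CFG = "\n".join([
    "type=static", "ip-address=10.5.107.19", "default-gateway=10.5.107.1",
    "netmask=255.255.255.0", "hostname=Ca-FW-DC1", "panorama-server=10.5.107.20",
    "tplname=FINANCE_TG4", "dgname=finance_dg", "op-command-modes=multi-vsys,jumbo-frame",
])
BROKEN_CFG = "type=static\nhostname=branch-fw\nop-command-modes=multi-vsys, jumbo-frame"

if __name__ == "__main__":
    errs, warns = validate_init_cfg(parse_init_cfg(STATIC_CFG))
    print("static sample:", errs or "OK", warns)
    try:
        parse_init_cfg(BROKEN_CFG)
    except ValueError as exc:
        print("broken sample rejected:", exc)
    print(select_init_cfg(["0008C200105-init-cfg.txt", "init-cfg.txt"], "0008C200105"))
```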

Bootstrap a Firewall Using a USB Flash Drive

After you receive a new Palo Alto Networks firewall and a USB flash drive loaded with bootstrap files, you can bootstrap the firewall.

Microsoft Windows and Apple Mac operating systems are unable to read the bootstrap USB flash drive because the drive is formatted using an ext4 file system. You must install third-party software or use a Linux system to read the USB drive.

Bootstrap a Firewall Using a USB Flash Drive

Step 1: The firewall must be in a factory default state or must have all private data deleted.

Step 2: To ensure connectivity with your corporate headquarters, cable the firewall by connecting the management interface (MGT) using an Ethernet cable to one of the following:
  - An upstream modem
  - A port on the switch or router
  - An Ethernet jack in the wall

Step 3: Insert the USB flash drive into the USB port on the firewall and power on the firewall. The factory default firewall bootstraps itself from the USB flash drive.
  The firewall Status light turns from yellow to green when the firewall is configured; autocommit is successful.


Step 4: Verify bootstrap completion. You can see basic status logs on the console during the bootstrap and you can verify that the process is complete.
  1. If you included Panorama values (panorama-server, tplname, and dgname) in your init-cfg.txt file, check Panorama managed devices, device group, and template name.
  2. Verify the general system settings and configuration by accessing the web interface and selecting Dashboard > Widgets > System or by using the CLI operational commands show system info and show config running.
  3. Verify the license installation by selecting Device > Licenses or by using the CLI operational command request license info.
  4. If you have Panorama configured, manage the content versions and software versions from Panorama. If you do not have Panorama configured, use the web interface to manage content versions and software versions.

Authentication

Authentication is a method for protecting services and applications by verifying the identities of users so that only legitimate users have access. Several firewall and Panorama features require authentication. Administrators authenticate to access the web interface, CLI, or XML API of the firewall and Panorama. End users authenticate through Captive Portal or GlobalProtect to access various services and applications. You can choose from several authentication services to protect your network and to accommodate your existing security infrastructure while ensuring a smooth user experience.
If you have a public key infrastructure, you can deploy certificates to enable authentication without users having to manually respond to login challenges (see Certificate Management). Alternatively, or in addition to certificates, you can implement interactive authentication, which requires users to authenticate using one or more methods. The following topics describe how to implement, test, and troubleshoot the different types of interactive authentication:
- Authentication Types
- Plan Your Authentication Deployment
- Configure Multi-Factor Authentication
- Configure SAML Authentication
- Configure Kerberos Single Sign-On
- Configure Kerberos Server Authentication
- Configure TACACS+ Authentication
- Configure RADIUS Authentication
- Configure LDAP Authentication
- Configure Local Database Authentication
- Configure an Authentication Profile and Sequence
- Test Authentication Server Connectivity
- Authentication Policy
- Troubleshoot Authentication Issues


Authentication Types

- External Authentication Services
- Multi-Factor Authentication
- SAML
- Kerberos
- TACACS+
- RADIUS
- LDAP
- Local Authentication

External Authentication Services

The firewall and Panorama can use external servers to control administrative access to the web interface and end user access to services or applications through Captive Portal and GlobalProtect. In this context, any authentication service that is not local to the firewall or Panorama is considered external, regardless of whether the service is internal (such as Kerberos) or external (such as a SAML identity provider) relative to your network. The server types that the firewall and Panorama can integrate with include Multi-Factor Authentication (MFA), SAML, Kerberos, TACACS+, RADIUS, and LDAP. Although you can also use the Local Authentication services that the firewall and Panorama support, usually external services are preferable because they provide:
- Central management of all user accounts in an external identity store. All the supported external services provide this option for end users and administrators.
- Central management of account authorization (role and access domain assignments). SAML, TACACS+, and RADIUS support this option for administrators.
- Single sign-on (SSO), which enables users to authenticate only once for access to multiple services and applications. SAML and Kerberos support SSO.
- Multiple authentication challenges of different types (factors) to protect your most sensitive services and applications. MFA services support this option.
Authentication through an external service requires a server profile that defines how the firewall connects to the service. You assign the server profile to authentication profiles, which define settings that you customize for each application and set of users. For example, you can configure one authentication profile for administrators who access the web interface and another profile for end users who access a GlobalProtect portal. For details, see Configure an Authentication Profile and Sequence.

Multi-Factor Authentication

You can Configure Multi-Factor Authentication (MFA) to ensure that each user authenticates using multiple methods (factors) when accessing highly sensitive services and applications. For example, you can force users to enter a login password and then enter a verification code that they receive by phone before allowing access to important financial documents. This approach helps to prevent attackers from accessing every service and application in your network just by stealing passwords. Of course, not every service and application requires the same degree of protection, and MFA might not be necessary for less sensitive services and applications that users access frequently. To accommodate a variety of security needs, you can Configure Authentication Policy rules that trigger MFA or a single authentication factor (such as login credentials or certificates) based on specific services, applications, and end users.
When choosing how many and which types of authentication factors to enforce, it's important to understand how policy evaluation affects the user experience. When a user requests a service or application, the firewall first evaluates Authentication policy. If the request matches an Authentication policy rule with MFA enabled, the firewall displays a Captive Portal web form so that users can authenticate for the first factor. If authentication succeeds, the firewall displays an MFA login page for each additional factor. Some MFA services prompt the user to choose one factor out of two to four, which is useful when some factors are unavailable. If authentication succeeds for all factors, the firewall evaluates Security policy for the requested service or application.

To reduce the frequency of authentication challenges that interrupt the user workflow, you can configure the first factor to use Kerberos or SAML single sign-on (SSO) but not NT LAN Manager (NTLM) authentication. To implement MFA for GlobalProtect, refer to Configure GlobalProtect to Display Multi-Factor Authentication Notifications.
You cannot use MFA authentication profiles in authentication sequences.

The firewall makes it easy to implement MFA in your network by integrating directly with several MFA platforms (Duo v2, Okta Adaptive, and PingID) and integrating through RADIUS with all other MFA platforms. The firewall supports the following MFA factors:

Factor  Description

Push
    An endpoint device (such as a phone or tablet) prompts the user to allow or deny authentication.
Short message service (SMS)
    An SMS message on the endpoint device prompts the user to allow or deny authentication. In some cases, the endpoint device provides a code that the user must enter in the MFA login page.
Voice
    An automated phone call prompts the user to authenticate by pressing a key on the phone or entering a code in the MFA login page.
One-time password (OTP)
    An endpoint device provides an automatically generated alphanumeric string, which the user enters in the MFA login page to enable authentication for a single transaction or session.

SAML

You can use Security Assertion Markup Language (SAML) 2.0 to authenticate administrators who access the firewall or Panorama web interface and end users who access web applications that are internal or external to your organization. In environments where each user accesses many applications and authenticating for each one would impede user productivity, you can configure SAML single sign-on (SSO) to enable one login to access multiple applications. Likewise, SAML single logout (SLO) enables a user to end sessions for multiple applications by logging out of just one session. SSO is available to administrators who access the web interface and to end users who access applications through GlobalProtect or Captive Portal. SLO is available to administrators and GlobalProtect end users, but not to Captive Portal end users. When you configure SAML authentication on the firewall or on Panorama, you can specify SAML attributes for administrator authorization. SAML attributes enable you to quickly change the roles, access domains, and user groups of administrators through your directory service, which is often easier than reconfiguring settings on the firewall or Panorama.

Administrators cannot use SAML to authenticate to the firewall or Panorama CLI.
You cannot use SAML authentication profiles in authentication sequences.

SAML authentication requires a service provider (the firewall or Panorama), which controls access to applications, and an identity provider (IdP) such as PingFederate, which authenticates users. When a user requests a service or application, the firewall or Panorama intercepts the request and redirects the user to the IdP for authentication. The IdP then authenticates the user and returns a SAML assertion, which indicates authentication succeeded or failed. Figure: SAML Authentication for Captive Portal End Users illustrates SAML authentication for an end user who accesses applications through Captive Portal.

Figure: SAML Authentication for Captive Portal End Users

Kerberos

Kerberos is an authentication protocol that enables a secure exchange of information between parties over an insecure network using unique keys (called tickets) to identify the parties. The firewall and Panorama support two types of Kerberos authentication for administrators and end users:
- Kerberos server authentication: A Kerberos server profile enables users to natively authenticate to an Active Directory domain controller or a Kerberos V5-compliant authentication server. This authentication method is interactive, requiring users to enter usernames and passwords. For the configuration steps, see Configure Kerberos Server Authentication.
- Kerberos single sign-on (SSO): A network that supports Kerberos V5 SSO prompts a user to log in only for initial access to the network (such as logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network (such as the firewall web interface) without having to log in again until the SSO session expires. (Your Kerberos administrator sets the duration of SSO sessions.) If you enable both Kerberos SSO and another external authentication service (such as a TACACS+ server), the firewall first tries SSO and, only if that fails, falls back to the external service for authentication. To support Kerberos SSO, your network requires:
  - A Kerberos infrastructure, including a key distribution center (KDC) with an authentication server (AS) and ticket-granting service (TGS).
  - A Kerberos account for the firewall or Panorama that will authenticate users. An account is required to create a Kerberos keytab, which is a file that contains the principal name and hashed password of the firewall or Panorama. The SSO process requires the keytab.
  For the configuration steps, see Configure Kerberos Single Sign-On.

Kerberos SSO is available only for services and applications that are internal to your Kerberos environment. To enable SSO for external services and applications, use SAML.

TACACS+

Terminal Access Controller Access-Control System Plus (TACACS+) is a family of protocols that enable authentication and authorization through a centralized server. TACACS+ encrypts usernames and passwords, making it more secure than RADIUS, which encrypts only passwords. TACACS+ is also more reliable because it uses TCP, whereas RADIUS uses UDP. You can configure TACACS+ authentication for end users or administrators on the firewall and for administrators on Panorama. Optionally, you can use TACACS+ Vendor-Specific Attributes (VSAs) to manage administrator authorization. TACACS+ VSAs enable you to quickly change the roles, access domains, and user groups of administrators through your directory service instead of reconfiguring settings on the firewall and Panorama.

If you use TACACS+ to manage administrator authorization, you cannot have administrative accounts that are local to the firewall or Panorama; you must define the accounts only on the TACACS+ server.

The firewall and Panorama support the following TACACS+ attributes and VSAs. Refer to your TACACS+ server documentation for the steps to define these VSAs on the TACACS+ server.

Name  Value

service
    This attribute is required to identify the VSAs as specific to Palo Alto Networks. You must set the value to paloalto.
protocol
    This attribute is required to identify the VSAs as specific to Palo Alto Networks devices. You must set the value to firewall.
PaloAltoAdminRole
    A default (dynamic) administrative role name or a custom administrative role name on the firewall.
PaloAltoAdminAccessDomain
    The name of an access domain for firewall administrators (configured in the Device > Access Domains page). Define this VSA if the firewall has multiple virtual systems.
PaloAltoPanoramaAdminRole
    A default (dynamic) administrative role name or a custom administrative role name on Panorama.
PaloAltoPanoramaAdminAccessDomain
    The name of an access domain for Device Group and Template administrators (configured in the Panorama > Access Domains page).
PaloAltoUserGroup
    The name of a user group in the Allow List of an authentication profile.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a broadly supported networking protocol that provides centralized authentication and authorization. You can configure RADIUS authentication for end users or administrators on the firewall and for administrators on Panorama. Optionally, you can use RADIUS Vendor-Specific Attributes (VSAs) to manage administrator authorization. RADIUS VSAs enable you to quickly change the roles, access domains, and user groups of administrators through your directory service instead of reconfiguring settings on the firewall and Panorama. You can also configure the firewall to use a RADIUS server for:
- Collecting VSAs from GlobalProtect clients.
- Implementing Multi-Factor Authentication.

When sending authentication requests to a RADIUS server, the firewall and Panorama use the authentication profile name as the network access server (NAS) identifier, even if the profile is assigned to an authentication sequence for the service (such as administrative access to the web interface) that initiates the authentication process.
The firewall and Panorama support the following RADIUS VSAs. To define VSAs on a RADIUS server, you must specify the vendor code (25461 for Palo Alto Networks firewalls or Panorama) and the VSA name and number. Some VSAs also require a value. Refer to your RADIUS server documentation for the steps to define these VSAs.

If you use RADIUS to manage administrator authorization, you cannot have administrative accounts that are local to the firewall or Panorama; you must define the accounts only on the RADIUS server.
When configuring the advanced vendor options on a Cisco Secure Access Control Server (ACS), you must set both the Vendor Length Field Size and Vendor Type Field Size to 1. Otherwise, authentication will fail.

Name  Number  Value

VSAs for administrator account management and authentication

PaloAltoAdminRole  1
    A default (dynamic) administrative role name or a custom administrative role name on the firewall.
PaloAltoAdminAccessDomain  2
    The name of an access domain for firewall administrators (configured in the Device > Access Domains page). Define this VSA if the firewall has multiple virtual systems.
PaloAltoPanoramaAdminRole  3
    A default (dynamic) administrative role name or a custom administrative role name on Panorama.
PaloAltoPanoramaAdminAccessDomain  4
    The name of an access domain for Device Group and Template administrators (configured in the Panorama > Access Domains page).
PaloAltoUserGroup  5
    The name of a user group that an authentication profile references.

VSAs forwarded from GlobalProtect clients to the RADIUS server

PaloAltoUserDomain  6
PaloAltoClientSourceIP  7
PaloAltoClientOS  8
PaloAltoClientHostname  9
PaloAltoGlobalProtectClientVersion  10
    Don't specify a value when you define these VSAs.
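The following is an added example, not code from this guide or from Palo Alto Networks, that shows what the RADIUS points above look like on the wire: an Access-Request carrying User-Name, a User-Password hidden per RFC 2865, the authentication profile name as NAS-Identifier and a GlobalProtect client VSA (number 8), followed by an Access-Accept that returns PaloAltoAdminRole (number 1) under vendor code 25461 with the 1-byte vendor type and length fields the Cisco ACS note requires. It also makes the TACACS+ comparison concrete: only the password is obfuscated, the username is cleartext. The shared secret, authenticators and user values are constructed sample data.

```python
"""RADIUS exchange with Palo Alto Networks VSAs (RFC 2865 framing).

Added example, not code from the PAN-OS guide or Palo Alto Networks.
Vendor code 25461 and the VSA numbers come from the guide's table; the
shared secret, authenticators and user values are constructed sample data.
"""
import hashlib
import struct

PAN_VENDOR_ID = 25461
VSA_ADMIN_ROLE = 1          # returned by the server for administrators
VSA_CLIENT_OS = 8           # forwarded from GlobalProtect clients
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC, NAS_IDENTIFIER = 1, 2, 26, 32


def _xor_chain(data, secret, authenticator, hiding):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block).
    Reversible obfuscation keyed by the shared secret, not encryption: User-Name
    and every other attribute travel in cleartext."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if hiding else block   # chain on the ciphertext block
    return out


def hide_password(password, secret, authenticator):
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, hiding=True)


def reveal_password(hidden, secret, authenticator):
    return _xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


def attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def pan_vsa(number, value):
    # Vendor-Id (4 bytes), then 1-byte vendor type and 1-byte vendor length
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", PAN_VENDOR_ID, number, 2 + len(value)) + value)


def packet(code, identifier, authenticator, attrs):
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def access_request(identifier, authenticator, secret, username, password, profile_name, client_vsas):
    """NAS-Identifier is the authentication profile name, as the guide states."""
    attrs = attr(USER_NAME, username.encode())
    attrs += attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    attrs += attr(NAS_IDENTIFIER, profile_name.encode())
    for number, value in client_vsas:
        attrs += pan_vsa(number, value.encode())
    return packet(ACCESS_REQUEST, identifier, authenticator, attrs)


def access_accept(request, secret, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    identifier, request_auth = request[1], request[4:20]
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def parse(pkt, secret, request_auth=None):
    """Decode a packet; for a reply, verify the Response Authenticator first."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    authenticator, attrs = pkt[4:20], pkt[20:]
    if request_auth is not None:
        if hashlib.md5(pkt[:4] + request_auth + attrs + secret).digest() != authenticator:
            raise ValueError("Response Authenticator mismatch: reply not made with the shared secret")
    out, pos = {"code": code, "id": identifier, "vsas": {}}, 0
    while pos < len(attrs):
        t, l = attrs[pos], attrs[pos + 1]
        if l < 2 or pos + l > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[pos + 2:pos + l]
        if t == USER_NAME:
            out["username"] = value.decode()
        elif t == USER_PASSWORD:
            out["password"] = reveal_password(value, secret, authenticator).decode()
        elif t == NAS_IDENTIFIER:
            out["nas_identifier"] = value.decode()
        elif t == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == PAN_VENDOR_ID:
            vt, vl = value[4], value[5]
            out["vsas"][vt] = value[6:4 + vl].decode()
        pos += l
    return out


def demo():
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))      # constructed; a real NAS uses 16 random bytes
    req = access_request(7, req_auth, secret, "alice", "Sample#Pass1",
                         "admin-radius-profile", [(VSA_CLIENT_OS, "Windows 10")])
    reply = access_accept(req, secret, pan_vsa(VSA_ADMIN_ROLE, b"superuser"))
    return parse(req, secret), parse(reply, secret, request_auth=req_auth)
```

Call demo() to see both decoded packets; note that parse() rejects a reply whose Response Authenticator does not verify against the request, which is the check that keeps a spoofed Access-Accept from granting a role.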

LDAP

Lightweight Directory Access Protocol (LDAP) is a standard protocol for accessing information directories. You can Configure LDAP Authentication for end users and for firewall and Panorama administrators. Configuring the firewall to connect to an LDAP server also enables you to define policy rules based on users and user groups instead of just IP addresses. For the steps, see Map Users to Groups and Enable User- and Group-Based Policy.

Local Authentication

Although the firewall and Panorama provide local authentication for administrators and end users, External Authentication Services are preferable in most cases because they provide central account management. However, you might require special user accounts that you don't manage through the directory servers that your organization reserves for regular accounts. For example, you might define a superuser account that is local to the firewall so that you can access the firewall even if the directory server is down. In such cases, you can use the following local authentication methods:
- (Firewall only) Local database authentication: To Configure Local Database Authentication, you create a database that runs locally on the firewall and contains user accounts (usernames and passwords or hashed passwords) and user groups. This type of authentication is useful for creating user accounts that reuse the credentials of existing Unix accounts in cases where you know only the hashed passwords, not the plaintext passwords. Because local database authentication is associated with authentication profiles, you can accommodate deployments where different sets of users require different authentication settings, such as Kerberos single sign-on (SSO) or Multi-Factor Authentication (MFA). (For details, see Configure an Authentication Profile and Sequence.) For accounts that use plaintext passwords, you can also (Local authentication only) Define password complexity and expiration settings. This authentication method is available to administrators who access the firewall (but not Panorama) and end users who access services and applications through Captive Portal or GlobalProtect.
- Local authentication without a database: You can configure firewall administrative accounts or Panorama administrative accounts without creating a database of users and user groups that runs locally on the firewall or Panorama. Because this method is not associated with authentication profiles, you cannot combine it with Kerberos SSO or MFA. However, this is the only authentication method that allows password profiles, which enable you to associate individual accounts with password expiration settings that differ from the global settings. (For details, see (Local authentication only) Define password complexity and expiration settings.)

Plan Your Authentication Deployment

The following are key questions to consider before you implement an authentication solution for administrators who access the firewall and end users who access services and applications through Captive Portal.

For both end users and administrators, consider:
- How can you leverage your existing security infrastructure? Usually, integrating the firewall with an existing infrastructure is faster and cheaper than setting up a new, separate solution just for firewall services. The firewall can integrate with Multi-Factor Authentication, SAML, Kerberos, TACACS+, RADIUS, and LDAP servers. If your users access services and applications that are external to your network, you can use SAML to integrate the firewall with an identity provider (IdP) that controls access to both external and internal services and applications.
- How can you optimize the user experience? If you don't want users to authenticate manually and you have a public key infrastructure, you can implement certificate authentication. Another option is to implement Kerberos or SAML single sign-on (SSO) so that users can access multiple services and applications after logging in to just one. If your network requires additional security, you can combine certificate authentication with interactive (challenge-response) authentication.
- Do you require special user accounts that you don't manage through the directory servers that your organization reserves for regular accounts? For example, you might define a superuser account that is local to the firewall so that you can access the firewall even if the directory server is down. You can configure Local Authentication for these special-purpose accounts.

External Authentication Services are usually preferable to local authentication because they provide central account management.

For end users only, consider:
- Which services and applications are more sensitive than others? For example, you might want stronger authentication for key financial documents than for search engines. To protect your most sensitive services and applications, you can configure Multi-Factor Authentication (MFA) to ensure that each user authenticates using multiple methods (factors) when accessing those services and applications. To accommodate a variety of security needs, Configure Authentication Policy rules that trigger MFA or single-factor authentication (such as login credentials or certificates) based on specific services, applications, and end users. Other ways to reduce your attack surface include network segmentation and user groups for whitelist applications.

For administrators only, consider:
- Do you use an external server to centrally manage authorization for all administrative accounts? By defining Vendor-Specific Attributes (VSAs) on the external server, you can quickly change administrative role assignments through your directory service instead of reconfiguring settings on the firewall. VSAs also enable you to specify access domains for administrators of firewalls with multiple virtual systems. SAML, TACACS+, and RADIUS support external authorization.

If you use RADIUS or TACACS+ to manage administrator authorization, you cannot have administrative accounts that are local to the firewall; you must define the accounts only on the RADIUS or TACACS+ server. SAML authorization allows both local and external accounts.

Configure Multi-Factor Authentication

To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Captive Portal to display a web form for the first authentication factor and to record Authentication Timestamps. The firewall uses the timestamps to evaluate the timeouts for Authentication Policy rules. To enable additional authentication factors, you can integrate the firewall with MFA vendors through RADIUS or vendor APIs. After evaluating Authentication policy, the firewall evaluates Security policy, so you must configure rules for both policy types.

Palo Alto Networks provides support for MFA vendors through Applications content updates. This means that if you use Panorama to push device group configurations to firewalls, you must install the same Applications updates on the firewalls as on Panorama to avoid mismatches in vendor support.

Configure Multi-Factor Authentication

Step 1: Configure Captive Portal to display a web form for the first authentication factor and to record authentication timestamps.
Configure Captive Portal in Redirect mode so that the firewall can record authentication timestamps and update user mappings.

Step 2: Configure a server profile that defines how the firewall will connect to the service that authenticates users for the first authentication factor.
Perform one of the following steps:
- Add a RADIUS server profile. This is required if the firewall integrates with an MFA vendor through RADIUS. In this case, the MFA vendor provides the first and all additional authentication factors, so you can skip the next step (configuring an MFA server profile). If the firewall integrates with an MFA vendor through an API, you can still use a RADIUS server profile for the first factor but MFA server profiles are required for the additional factors.
- Add a SAML IdP server profile.
- Add a Kerberos server profile.
- Add a TACACS+ server profile.
- Add an LDAP server profile.
In most cases, an external service is recommended for the first authentication factor. However, you can Configure Local Database Authentication as an alternative.

Step 3: Add an MFA server profile. The profile defines how the firewall connects to the MFA server. Add a separate profile for each authentication factor after the first factor. The firewall integrates with these MFA servers through vendor APIs. You can specify up to three additional factors. Each MFA vendor provides one factor, though some vendors let users choose one factor out of several.
1. Select Device > Server Profiles > Multi Factor Authentication and Add a profile.
2. Enter a Name to identify the MFA server.
3. Select the Certificate Profile that the firewall will use to validate the MFA server certificate when establishing a secure connection to the MFA server.
4. Set the Type to the MFA vendor you deployed.
5. Configure the Value of each vendor attribute. The attributes define how the firewall connects to the MFA server. Each vendor Type requires different attributes and values; refer to your vendor documentation for details.
6. Click OK to save the profile.

Step 4: Configure an authentication profile. The profile defines the order of the authentication factors that users must respond to.
1. Select Device > Authentication Profile and Add a profile.
2. Enter a Name to identify the authentication profile.
3. Select the Type for the first authentication factor and select the corresponding Server Profile.
4. Select Factors, Enable Additional Authentication Factors, and Add the MFA server profiles you configured. The firewall will invoke each MFA service in the listed order, from top to bottom.
5. Click OK to save the authentication profile.

Step 5: Configure an authentication enforcement object. The object associates each authentication profile with a Captive Portal method. The method determines whether the first authentication challenge (factor) is transparent or requires a user response.
Select the Authentication Profile you configured and enter a Message that tells users how to authenticate for the first factor. The message displays in the Captive Portal web form.
If you set the Authentication Method to browser-challenge, the Captive Portal web form displays only if Kerberos SSO authentication fails. Otherwise, authentication for the first factor is automatic; users won't see the web form.

Step 6: Configure an Authentication policy rule. The rule must match the services and applications you want to protect and the users who must authenticate.
1. Select Policies > Authentication and Add a rule.
2. Enter a Name to identify the rule.
3. Select Source and Add specific zones and IP addresses or select Any zones or IP addresses. The rule applies only to traffic coming from the specified IP addresses or from interfaces in the specified zones.
4. Select User and select or Add the source users and user groups to which the rule applies (default is any).
5. Select Destination and Add specific zones and IP addresses or select any zones or IP addresses. The IP addresses can be resources (such as servers) for which you want to control access.
6. Select Service/URL Category and select or Add the services and service groups for which the rule controls access (default is service-http).
7. Select or Add the URL Categories for which the rule controls access (default is any). For example, you can create a custom URL category that specifies your most sensitive internal sites.
8. Select Actions and select the Authentication Enforcement object you created.
9. Specify the Timeout period in minutes (default 60) during which the firewall prompts the user to authenticate only once for repeated access to services and applications.
10. Click OK to save the rule.

Step 7: Customize the MFA login page. The firewall displays this page to tell users how to authenticate for MFA factors and to indicate the authentication status (in progress, succeeded, or failed).
1. Select Device > Response Pages and select MFA Login Page.
2. Select the Predefined response page and Export the page to your client system.
3. On your client system, use an HTML editor to customize the downloaded response page and save it with a unique filename.
4. Return to the MFA Login Page dialog on the firewall, Import your customized page, Browse to select the Import File, select the Destination (virtual system or shared location), click OK, and click Close.

Step 8: Configure a Security policy rule that allows users to access the services and applications that require authentication.
1. Create a Security Policy Rule.
2. Commit your changes.
The automated correlation engine on the firewall uses several correlation objects to detect events on your network that could indicate credential abuse relating to MFA. To review the events, select Monitor > Automated Correlation Engine > Correlated Events.

Step 9: Verify that the firewall enforces MFA.
1. Log in to your network as one of the source users specified in the Authentication rule.
2. Request a service or application that matches one of the services or applications specified in the rule. The firewall displays the Captive Portal web form for the first authentication factor. The page contains the message you entered in the authentication enforcement object.
3. Enter your user credentials for the first authentication challenge. The firewall then displays an MFA login page for the next authentication factor. For example, the MFA service might prompt you to select the Voice, SMS, push, or PIN code (OTP) authentication method. If you select push, your phone prompts you to approve the authentication.
4. Authenticate for the next factor. The firewall displays an authentication success or failure message. If authentication succeeded, the firewall displays an MFA login page for the next authentication factor, if any. Repeat this step for each MFA factor. After you authenticate for all the factors, the firewall evaluates Security policy to determine whether to allow access to the service or application.
5. End the session for the service or application you just accessed.
6. Start a new session for the same service or application. Be sure to perform this step within the Timeout period you configured in the Authentication rule. The firewall allows access without reauthenticating.
7. Wait until the Timeout period expires and request the same service or application. The firewall prompts you to reauthenticate.

Configure SAML Authentication

To configure SAML single sign-on (SSO) and single logout (SLO), you must register the firewall and the IdP with each other to enable communication between them. If the IdP provides a metadata file containing registration information, you can import it onto the firewall to register the IdP and to create an IdP server profile. The server profile defines how to connect to the IdP and specifies the certificate that the IdP uses to sign SAML messages. You can also use a certificate for the firewall to sign SAML messages. Using certificates is optional but recommended to secure communications between the firewall and the IdP.
The following procedure describes how to configure SAML authentication for end users and firewall administrators. You can also configure SAML authentication for Panorama administrators.

SSO is available to administrators and to GlobalProtect and Captive Portal end users. SLO is available to administrators and GlobalProtect end users, but not to Captive Portal end users.
Administrators can use SAML to authenticate to the firewall web interface, but not to the CLI.

Configure SAML Authentication

Step 1: (Recommended) Obtain the certificates that the IdP and firewall will use to sign SAML messages.
If the certificates don't specify key usage attributes, all usages are allowed by default, including signing messages. In this case, you can Obtain Certificates by any method.
If the certificates do specify key usage attributes, one of the attributes must be Digital Signature, which is not available on certificates that you generate on the firewall or Panorama. In this case, you must import the certificates:
- Certificate the firewall uses to sign SAML messages: Import the certificate from your enterprise certificate authority (CA) or a third-party CA.
- Certificate the IdP uses to sign SAML messages: Import a metadata file containing the certificate from the IdP (see the next step). The IdP certificate is limited to the following algorithms:
  - Public key algorithms: RSA (1,024 bits or larger) and ECDSA (all sizes). A firewall in FIPS/CC mode supports RSA (2,048 bits or larger) and ECDSA (all sizes).
  - Signature algorithms: SHA1, SHA256, SHA384, and SHA512. A firewall in FIPS/CC mode supports SHA256, SHA384, and SHA512.

Step 2: Add a SAML IdP server profile. The server profile registers the IdP with the firewall and defines how they connect.
In this example, you import a SAML metadata file from the IdP so that the firewall can automatically create a server profile and populate the connection, registration, and IdP certificate information.
If the IdP doesn't provide a metadata file, select Device > Server Profiles > SAML Identity Provider, Add the server profile, and manually enter the information (consult your IdP administrator for the values).
1. Export the SAML metadata file from the IdP to a client system that the firewall can access. The certificate specified in the file must meet the requirements listed in the preceding step. Refer to your IdP documentation for instructions on exporting the file.
2. Select Device > Server Profiles > SAML Identity Provider and Import the metadata file onto the firewall.
3. Enter a Profile Name to identify the server profile.
4. Browse to the Identity Provider Metadata file.
5. (Recommended) Select Validate Identity Provider Certificate (default) to have the firewall validate the Identity Provider Certificate. Validation occurs only after you assign the server profile to an authentication profile and Commit. The firewall uses the Certificate Profile in the authentication profile to validate the certificate. Validating the certificate is a best practice for improved security.
6. Enter the Maximum Clock Skew, which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1 to 900). If the difference exceeds this value, authentication fails.
7. Click OK to save the server profile.
8. Click the server profile Name to display the profile settings. Verify that the imported information is correct and edit it if necessary.
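To make the Maximum Clock Skew setting in substep 6 concrete, here is an added example (not code from this guide or from Palo Alto Networks) that checks the NotBefore and NotOnOrAfter conditions of a SAML assertion against the verifier's clock while tolerating up to the configured number of seconds of skew, using the guide's default of 60 and its 1 to 900 range. The assertion, issuer, audience and timestamps are constructed sample values; signature verification is a separate step that this example does not model.

```python
"""Validity-window check for a SAML 2.0 assertion with a clock-skew allowance.

Added example, not code from the PAN-OS guide or Palo Alto Networks. The
assertion below is a constructed, unsigned sample; checking the signature is
a separate step not shown here.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_SKEW = 60      # guide default; allowed range is 1..900 seconds
SAMPLE_AUDIENCE = "https://fw.example.test/SAML20/SP"   # constructed SP entity ID

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" IssueInstant="2017-03-30T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2017-03-30T12:00:00Z" NotOnOrAfter="2017-03-30T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://fw.example.test/SAML20/SP</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing Z; fractional seconds are allowed."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC with a trailing Z")
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, max_skew=DEFAULT_SKEW, audience=None):
    """Return (ok, reason). `now` is the verifier's clock, `max_skew` is in seconds.

    The skew is applied in the IdP's favour on both edges: an assertion is
    accepted if it would be valid on a clock at most `max_skew` seconds away
    from ours. Anything further apart fails, exactly as the guide describes."""
    if not 1 <= max_skew <= 900:
        raise ValueError("max_skew must be between 1 and 900 seconds")
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    skew = timedelta(seconds=max_skew)
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid (IdP clock ahead by more than max_skew)"
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired (or IdP clock behind by more than max_skew)"
    if audience is not None:
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if audience not in audiences:
            return False, "audience mismatch: assertion was issued for another service provider"
    return True, "ok"


def verify_sample(now_utc, max_skew=DEFAULT_SKEW, audience=SAMPLE_AUDIENCE):
    """Check the constructed assertion at a given UTC time string such as 2017-03-30T12:02:00Z."""
    return check_conditions(SAMPLE_ASSERTION, parse_saml_time(now_utc), max_skew, audience)
```

A skew that is too large widens the window in which a captured assertion can be replayed, so keep the value close to the observed drift between the IdP and the firewall rather than at the top of the range.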

Step 3: Configure an authentication profile. The profile defines authentication settings that are common to a set of users.
1. Select Device > Authentication Profile and Add a profile.
2. Enter a Name to identify the profile.
3. Set the Type to SAML.
4. Select the IdP Server Profile you configured.
5. Select the Certificate for Signing Requests. The firewall uses this certificate to sign messages it sends to the IdP.
6. (Optional) Enable Single Logout (disabled by default).
7. Select the Certificate Profile that the firewall will use to validate the Identity Provider Certificate.
8. Enter the Username Attribute that IdP messages use to identify users (default username). NOTE: If you manage administrator authorization in the IdP identity store, specify the Admin Role Attribute and Access Domain Attribute also.
9. Select Advanced and Add the users and user groups that are allowed to authenticate with this authentication profile.
10. Click OK to save the authentication profile.

Step 4: Assign the authentication profile to firewall applications that require authentication.
1. Assign the authentication profile to:
   - Administrator accounts that you manage locally on the firewall. In this example, Configure a Firewall Administrator Account before you verify the SAML configuration later in this procedure.
   - Administrator accounts that you manage externally in the IdP identity store. Select Device > Setup > Management, edit the Authentication Settings, and select the Authentication Profile you configured.
   - Authentication policy rules that secure the services and applications that end users access through Captive Portal. See Configure Authentication Policy.
   - GlobalProtect portals and gateways that end users access.
2. Commit your changes. The firewall validates the Identity Provider Certificate that you assigned to the SAML IdP server profile.

Step 5: Create a SAML metadata file to register the firewall application (management access, Captive Portal, or GlobalProtect) on the IdP.
1. Select Device > Authentication Profile and, in the Authentication column for the authentication profile you configured, click Metadata.
2. In the Commands drop-down, select the application you want to register:
   - management (default): Administrative access to the web interface.
   - captive-portal: End user access to services and applications through Captive Portal.
   - global-protect: End user access to services and applications through GlobalProtect.
3. (Captive Portal or GlobalProtect only) For the Vsysname Combo, select the virtual system in which the Captive Portal settings or GlobalProtect portal are defined.
4. Enter the interface, IP address, or hostname based on the application you will register:
   - management: For the Management Choice, select Interface (default) and select an interface that is enabled for management access to the web interface. The default selection is the IP address of the MGT interface.
   - captive-portal: For the IP Hostname, enter the IP address or hostname of the Redirect Host (see Device > User Identification > Captive Portal Settings).
   - global-protect: For the IP Hostname, enter the hostname or IP address of the GlobalProtect portal or gateway.
5. Click OK and save the metadata file to your client system.
6. Import the metadata file into the IdP server to register the firewall application. Refer to your IdP documentation for instructions.

Step 6: Verify that users can authenticate using SAML SSO.
For example, to verify that SAML is working for access to the web interface using a local administrator account:
1. Go to the URL of the firewall web interface.
2. Click Use Single Sign-On.
3. Enter the username of the administrator.
4. Click Continue. The firewall redirects you to authenticate to the IdP, which displays a login page.
5. Log in using your SSO username and password. After you successfully authenticate on the IdP, it redirects you back to the firewall, which displays the web interface.
6. Use your firewall administrator account to request access to another SSO application. Successful access indicates SAML SSO authentication succeeded.

Configure Kerberos Single Sign-On

Palo Alto Networks firewalls and Panorama support Kerberos V5 single sign-on (SSO) to authenticate administrators to the web interface and end users to Captive Portal. With Kerberos SSO enabled, the user needs to log in only for initial access to your network (such as logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network (such as the firewall web interface) without having to log in again until the SSO session expires.

ConfigureKerberosSingleSignOn

Step1 CreateaKerberoskeytab. 1. CreateKerberosaccountforthefirewall.Refertoyour


Thekeytabisafilethatcontainsthe Kerberosdocumentationforthesteps.
principalnameandpasswordofthe 2. LogintotheKDCandopenacommandprompt.
firewall,andisrequiredfortheSSO
3. Enterthefollowingcommand,where<principal_name>,
process.
<password>,and<algorithm>arevariables.
ktpass /princ <principal_name> /pass
<password> /crypto <algorithm> /ptype
KRB5_NT_PRINCIPAL /out <file_name>.keytab
IfthefirewallisinFIPS/CCmode,thealgorithmmustbe
aes128-cts-hmac-sha1-96or
aes256-cts-hmac-sha1-96.Otherwise,youcanalsouse
des3-cbc-sha1orarcfour-hmac.TouseanAdvanced
EncryptionStandard(AES)algorithm,thefunctionallevelof
theKDCmustbeWindowsServer2008orlaterandyou
mustenableAESencryptionforthefirewallaccount.
Thealgorithminthekeytabmustmatchthealgorithmin
theserviceticketthattheTGSissuestoclients.Your
Kerberosadministratordetermineswhichalgorithmsthe
serviceticketsuse.

Step2 Configureanauthenticationprofile. ConfigureanAuthenticationProfileandSequence:


TheprofiledefinesKerberossettingsand EntertheKerberos Realm(usuallytheDNSdomainofthe
otherauthenticationoptionsthatare users,exceptthattherealmisuppercase).
commontoasetofusers. ImporttheKerberos Keytabthatyoucreatedforthefirewall.

Step3 Assigntheauthenticationprofiletothe AdministrativeaccesstothewebinterfaceConfigureaFirewall


firewallapplicationthatrequires AdministratorAccountandassigntheauthenticationprofileyou
authentication. configured.
EnduseraccesstoservicesandapplicationsAssignthe
authenticationprofileyouconfiguredtoanauthentication
enforcementobject.Whenconfiguringtheobject,setthe
Authentication Methodtobrowser-challenge.Assigntheobject
toAuthenticationpolicyrules.Forthefullproceduretoconfigure
authenticationforendusers,seeConfigureAuthentication
Policy.
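To check a keytab before importing it in Step 2, here is an added example (not Palo Alto Networks code): it builds a constructed single-entry keytab in the MIT file format, parses it back, and applies the constraints above (which algorithms are permitted in FIPS/CC versus normal mode, and that the realm is uppercase). The principal, realm and key bytes are constructed test values, and the builder only stands in for the file that ktpass would write.

```python
import struct

# Kerberos encryption-type numbers (RFC 3961/3962 registry) for the algorithms
# named on this page.
ENCTYPES = {
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
FIPS_CC_ALLOWED = {17, 18}                 # only AES when the firewall is in FIPS/CC mode
NORMAL_ALLOWED = FIPS_CC_ALLOWED | {16, 23}  # plus des3-cbc-sha1 and arcfour-hmac otherwise


def build_keytab(principal, realm, enctype, key, kvno=1, timestamp=0):
    """Build a one-entry keytab in the MIT 0x0502 format.

    This is a constructed fixture standing in for the <file_name>.keytab that
    ktpass produces; it is not ktpass output.
    """
    components = principal.split("/")
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">I", 1)                  # name type KRB5_NT_PRINCIPAL
    body += struct.pack(">I", timestamp)
    body += struct.pack(">B", kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


class _Reader:
    """Minimal big-endian cursor over the keytab bytes."""

    def __init__(self, data, pos):
        self.data, self.pos = data, pos

    def take(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals if len(vals) > 1 else vals[0]

    def raw(self, n):
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk


def parse_keytab(data):
    """Return [(principal, realm, enctype, kvno, key_length), ...]."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    r, entries = _Reader(data, 2), []
    while r.pos + 4 <= len(data):
        size = r.take(">i")
        if size <= 0:                  # negative size marks a deleted slot
            r.pos += -size
            continue
        end = r.pos + size
        ncomp = r.take(">H")
        realm = r.raw(r.take(">H")).decode()
        comps = [r.raw(r.take(">H")).decode() for _ in range(ncomp)]
        r.take(">I")                   # name type
        r.take(">I")                   # timestamp
        kvno = r.take(">B")
        enctype, klen = r.take(">HH")
        r.raw(klen)                    # the key bytes are not needed for the check
        if end - r.pos >= 4:           # optional 32-bit kvno overrides the 8-bit one
            kvno = r.take(">I")
        r.pos = end
        entries.append(("/".join(comps), realm, enctype, kvno, klen))
    return entries


def check_keytab(data, fips_cc_mode):
    """Apply this page's constraints; returns (ok, list_of_reasons)."""
    allowed = FIPS_CC_ALLOWED if fips_cc_mode else NORMAL_ALLOWED
    reasons = []
    for principal, realm, enctype, _kvno, _klen in parse_keytab(data):
        name = ENCTYPES.get(enctype, "enctype %d" % enctype)
        if enctype not in allowed:
            reasons.append("%s@%s: %s is not permitted in this mode" % (principal, realm, name))
        if realm != realm.upper():
            reasons.append("%s@%s: realm must be uppercase" % (principal, realm))
    return (not reasons, reasons)
```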




Configure Kerberos Server Authentication

You can use Kerberos to natively authenticate end users and firewall or Panorama administrators to an Active Directory domain controller or a Kerberos V5-compliant authentication server. This authentication method is interactive, requiring users to enter usernames and passwords.

To use a Kerberos server for authentication, the server must be accessible over an IPv4 address. IPv6 addresses are not supported.

Configure Kerberos Authentication

Step 1 Add a Kerberos server profile.
The profile defines how the firewall connects to the Kerberos server.
1. Select Device > Server Profiles > Kerberos and Add a server profile.
2. Enter a Profile Name to identify the server profile.
3. Add each server and specify a Name (to identify the server), the IPv4 address or FQDN of the Kerberos Server, and an optional Port number for communication with the server (default 88).
4. Click OK to save your changes to the profile.

Step 2 Assign the server profile to an authentication profile.
The authentication profile defines authentication settings that are common to a set of users.
Configure an Authentication Profile and Sequence.

Step 3 Assign the authentication profile to the firewall application that requires authentication.
- Administrative access to the web interface: Configure a Firewall Administrator Account and assign the authentication profile you configured.
- End user access to services and applications: Assign the authentication profile you configured to an authentication enforcement object and assign the object to Authentication policy rules. For the full procedure to configure authentication for end users, see Configure Authentication Policy.

Step 4 Verify that the firewall can connect to the Kerberos server to authenticate users.
Test Authentication Server Connectivity.




Configure TACACS+ Authentication

You can configure TACACS+ authentication for end users and firewall or Panorama administrators. You can also use a TACACS+ server to manage administrator authorization (role and access domain assignments) by defining Vendor-Specific Attributes (VSAs). For all users, you must configure a TACACS+ server profile that defines how the firewall or Panorama connects to the server (Step 1 below). You then assign the server profile to an authentication profile for each set of users who require common authentication settings (Step 2 below). What you do with the authentication profile depends on which users the TACACS+ server authenticates:
- End users: Assign the authentication profile to an authentication enforcement object and assign the object to Authentication policy rules. For the full procedure, see Configure Authentication Policy.
- Administrative accounts with authorization managed locally on the firewall or Panorama: Assign the authentication profile to firewall administrator or Panorama administrator accounts.
- Administrative accounts with authorization managed on the TACACS+ server: The following procedure describes how to configure TACACS+ authentication and authorization for firewall administrators. For Panorama administrators, refer to Configure TACACS+ Authentication for Panorama Administrators.

Configure TACACS+ Authentication and Authorization for Administrators

Step 1 Add a TACACS+ server profile.
The profile defines how the firewall connects to the TACACS+ server.
1. Select Device > Server Profiles > TACACS+ and Add a profile.
2. Enter a Profile Name to identify the server profile.
3. Enter a Timeout interval in seconds after which an authentication request times out (default is 3; range is 1-20).
4. Select the Authentication Protocol (default is CHAP) that the firewall uses to authenticate to the TACACS+ server.
   Select CHAP if the TACACS+ server supports that protocol; it is more secure than PAP.
5. Add each TACACS+ server and enter the following:
   - Name to identify the server
   - TACACS+ Server IP address or FQDN
   - Secret/Confirm Secret (a key to encrypt usernames and passwords)
   - Server Port for authentication requests (default is 49)
6. Click OK to save the server profile.

Step 2 Assign the TACACS+ server profile to an authentication profile.
The authentication profile defines authentication settings that are common to a set of users.
1. Select Device > Authentication Profile and Add a profile.
2. Enter a Name to identify the profile.
3. Set the Type to TACACS+.
4. Select the Server Profile you configured.
5. Select Retrieve user group from TACACS+ to collect user group information from VSAs defined on the TACACS+ server.
   The firewall matches the group information against the groups you specify in the Allow List of the authentication profile.
6. Select Advanced and, in the Allow List, Add the users and groups that are allowed to authenticate with this authentication profile.
7. Click OK to save the authentication profile.


Step 3 Configure the firewall to use the authentication profile for all administrators.
1. Select Device > Setup > Management and edit the Authentication Settings.
2. Select the Authentication Profile you configured and click OK.

Step 4 Configure the roles and access domains that define authorization settings for administrators.
If you already defined TACACS+ VSAs on the TACACS+ server, the names you specify for roles and access domains on the firewall must match the VSA values.
1. Configure an Admin Role Profile if the administrator will use a custom role instead of a predefined (dynamic) role.
2. Configure an access domain if the firewall has more than one virtual system:
   a. Select Device > Access Domain, Add an access domain, and enter a Name to identify the access domain.
   b. Add each virtual system that the administrator will access, and then click OK.

Step 5 Commit your changes.
Commit your changes to activate them on the firewall.

Step 6 Configure the TACACS+ server to authenticate and authorize administrators.
Refer to your TACACS+ server documentation for the specific instructions to perform these steps:
1. Add the firewall IP address or hostname as the TACACS+ client.
2. Add the administrator accounts.
   If you selected CHAP as the Authentication Protocol, you must define accounts with reversibly encrypted passwords. Otherwise, CHAP authentication will fail.
3. Define TACACS+ VSAs for the role, access domain, and user group of each administrator.

Step 7 Verify that the TACACS+ server performs authentication and authorization for administrators.
1. Log in to the firewall web interface using an administrator account that you added to the TACACS+ server.
2. Verify that you can access only the web interface pages that are allowed for the role you associated with the administrator.
3. In the Monitor, Policies, and Objects tabs, verify that you can access only the virtual systems that are allowed for the access domain you associated with the administrator.




Configure RADIUS Authentication

You can configure RADIUS authentication for end users and firewall or Panorama administrators. For administrators, you can use RADIUS to manage authorization (role and access domain assignments) by defining Vendor-Specific Attributes (VSAs). You can also use RADIUS to implement Multi-Factor Authentication (MFA) for administrators and end users. To enable RADIUS authentication, you must configure a RADIUS server profile that defines how the firewall or Panorama connects to the server (Step 1 below). You then assign the server profile to an authentication profile for each set of users who require common authentication settings (Step 2 below). What you do with the authentication profile depends on which users the RADIUS server authenticates:
- End users: Assign the authentication profile to an authentication enforcement object and assign the object to Authentication policy rules. For the full procedure, see Configure Authentication Policy.
  NOTE: You can also configure client systems to send RADIUS Vendor-Specific Attributes (VSAs) to the RADIUS server by assigning the authentication profile to a GlobalProtect portal or gateway. RADIUS administrators can then perform administrative tasks based on those VSAs.
- Administrative accounts with authorization managed locally on the firewall or Panorama: Assign the authentication profile to firewall administrator or Panorama administrator accounts.
- Administrative accounts with authorization managed on the RADIUS server: The following procedure describes how to configure RADIUS authentication and authorization for firewall administrators. For Panorama administrators, refer to Configure RADIUS Authentication for Panorama Administrators.

Configure RADIUS Authentication and Authorization for Administrators

Step 1 Add a RADIUS server profile.
The profile defines how the firewall connects to the RADIUS server.
1. Select Device > Server Profiles > RADIUS and Add a profile.
2. Enter a Profile Name to identify the server profile.
3. Enter a Timeout interval in seconds after which an authentication request times out (default is 3; range is 1-20).
   If you use the server profile to integrate the firewall with an MFA service, enter an interval that gives users enough time to authenticate. For example, if the MFA service prompts for a one-time password (OTP), users need time to see the OTP on their endpoint device and then enter the OTP in the MFA login page.
4. Select the Authentication Protocol (default is CHAP) that the firewall uses to authenticate to the RADIUS server.
   Select CHAP if the RADIUS server supports that protocol; it is more secure than PAP.
5. Add each RADIUS server and enter the following:
   - Name to identify the server
   - RADIUS Server IP address or FQDN
   - Secret/Confirm Secret (a key to encrypt usernames and passwords)
   - Server Port for authentication requests (default is 1812)
6. Click OK to save the server profile.


Step 2 Assign the RADIUS server profile to an authentication profile.
The authentication profile defines authentication settings that are common to a set of users.
1. Select Device > Authentication Profile and Add a profile.
2. Enter a Name to identify the authentication profile.
3. Set the Type to RADIUS.
4. Select the Server Profile you configured.
5. Select Retrieve user group from RADIUS to collect user group information from VSAs defined on the RADIUS server.
   The firewall matches the group information against the groups you specify in the Allow List of the authentication profile.
6. Select Advanced and, in the Allow List, Add the users and groups that are allowed to authenticate with this authentication profile.
7. Click OK to save the authentication profile.

Step 3 Configure the firewall to use the authentication profile for all administrators.
1. Select Device > Setup > Management and edit the Authentication Settings.
2. Select the Authentication Profile you configured and click OK.

Step 4 Configure the roles and access domains that define authorization settings for administrators.
If you already defined RADIUS VSAs on the RADIUS server, the names you specify for roles and access domains on the firewall must match the VSA values.
1. Configure an Admin Role Profile if the administrator uses a custom role instead of a predefined (dynamic) role.
2. Configure an access domain if the firewall has more than one virtual system:
   a. Select Device > Access Domain, Add an access domain, and enter a Name to identify the access domain.
   b. Add each virtual system that the administrator will access, and then click OK.

Step 5 Commit your changes.
Commit your changes to activate them on the firewall.

Step 6 Configure the RADIUS server to authenticate and authorize administrators.
Refer to your RADIUS server documentation for the specific instructions to perform these steps:
1. Add the firewall IP address or hostname as the RADIUS client.
2. Add the administrator accounts.
   If the RADIUS server profile specifies CHAP as the Authentication Protocol, you must define accounts with reversibly encrypted passwords. Otherwise, CHAP authentication will fail.
3. Define the vendor code for the firewall (25461) and define the RADIUS VSAs for the role, access domain, and user group of each administrator.
   For detailed instructions, refer to the following Knowledge Base articles:
   - For Windows 2003 Server, Windows 2008 (and later), and Cisco Secure Access Control Server (ACS) 4.0: RADIUS Vendor-Specific Attributes (VSAs)
   - For Cisco ACS 5.2: Configuring Cisco ACS 5.2 for use with Palo Alto VSA
   When configuring the advanced vendor options on the ACS, you must set both the Vendor Length Field Size and Vendor Type Field Size to 1. Otherwise, authentication will fail.


Step 7 Verify that the RADIUS server performs authentication and authorization for administrators.
1. Log in to the firewall web interface using an administrator account that you added to the RADIUS server.
2. Verify that you can access only the web interface pages that are allowed for the role you associated with the administrator.
3. In the Monitor, Policies, and Objects tabs, verify that you can access only the virtual systems that are allowed for the access domain you associated with the administrator.
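As an added example (not Palo Alto Networks code) of the Vendor-Specific Attribute layout that Step 6 relies on: it encodes VSAs for vendor 25461 with 1-byte vendor type and vendor length fields (the sizes the ACS note requires), decodes them out of a RADIUS attribute list while skipping other vendors, and applies the Step 4 rule that the role and access domain names carried in the VSAs must exist on the firewall. The vendor-type numbers are an assumption taken from the Palo Alto RADIUS dictionary rather than from this page; the role and access domain names are constructed.

```python
import struct

PALO_ALTO_VENDOR_ID = 25461   # vendor code given in Step 6
VENDOR_SPECIFIC = 26          # RADIUS attribute type for Vendor-Specific (RFC 2865)

# Assumed vendor-type numbers (from the Palo Alto RADIUS dictionary); confirm
# them against the Knowledge Base articles cited in Step 6.
ADMIN_ROLE = 1
ADMIN_ACCESS_DOMAIN = 2
USER_GROUP = 5


def encode_vsa(vendor_type, value):
    """Encode one Vendor-Specific attribute whose vendor type and vendor
    length fields are each 1 byte wide (Vendor Type/Length Field Size = 1)."""
    if isinstance(value, str):
        value = value.encode()
    sub = struct.pack(">BB", vendor_type, 2 + len(value)) + value
    length = 2 + 4 + len(sub)          # type, length, vendor-id, sub-attribute
    if length > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack(">BBI", VENDOR_SPECIFIC, length, PALO_ALTO_VENDOR_ID) + sub


def decode_palo_alto_vsas(attributes):
    """Walk a RADIUS attribute list and return {vendor_type: value} for the
    Palo Alto vendor; attributes of other types or vendors are skipped."""
    found, pos = {}, 0
    while pos < len(attributes):
        if pos + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        atype, alen = attributes[pos], attributes[pos + 1]
        if alen < 2 or pos + alen > len(attributes):
            raise ValueError("malformed attribute length")
        body = attributes[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(body) < 6:
            continue
        if struct.unpack_from(">I", body, 0)[0] != PALO_ALTO_VENDOR_ID:
            continue
        sub, spos = body[4:], 0
        while spos < len(sub):
            if spos + 2 > len(sub):
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute length")
            found[vtype] = sub[spos + 2:spos + vlen].decode()
            spos += vlen
    return found


def authorize_admin(vsas, local_roles, local_access_domains):
    """Step 4's matching rule: the role and access domain named by the VSAs
    must exist under the same names on the firewall. Returns
    (role, access_domain) or None when no authorization can be granted."""
    role = vsas.get(ADMIN_ROLE)
    domain = vsas.get(ADMIN_ACCESS_DOMAIN)
    if role is None or role not in local_roles:
        return None
    if domain is not None and domain not in local_access_domains:
        return None
    return role, domain
```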




Configure LDAP Authentication

You can use LDAP to authenticate end users who access applications or services through Captive Portal and to authenticate firewall or Panorama administrators who access the web interface.

You can also connect to an LDAP server to define policy rules based on user groups. For details, see Map Users to Groups.

Configure LDAP Authentication

Step 1 Add an LDAP server profile.
The profile defines how the firewall connects to the LDAP server.
1. Select Device > Server Profiles > LDAP and Add a server profile.
2. Enter a Profile Name to identify the server profile.
3. Add the LDAP servers (up to four). For each server, enter a Name (to identify the server), the LDAP Server IP address or FQDN, and the server Port (default 389).
4. Select the server Type.
5. Enter the Bind Timeout and Search Timeout in seconds (default is 30 for both).
6. Click OK to save the server profile.

Step 2 Assign the server profile to an authentication profile to define various authentication settings.
Configure an Authentication Profile and Sequence.

Step 3 Assign the authentication profile to the firewall application that requires authentication.
- Administrative access to the web interface: Configure a Firewall Administrator Account and assign the authentication profile you configured.
- End user access to services and applications: For the full procedure to configure authentication for end users, see Configure Authentication Policy.

Step 4 Verify that the firewall can connect to the LDAP server to authenticate users.
Test Authentication Server Connectivity.




Configure Local Database Authentication

You can configure a user database that is local to the firewall to authenticate administrators who access the firewall web interface and to authenticate end users who access applications through Captive Portal or GlobalProtect. Perform the following steps to configure Local Authentication with a local database.

NOTE: External Authentication Services are usually preferable to local authentication because they provide the benefit of central account management.
You can also configure local authentication without a database, but only for firewall or Panorama administrators.

Configure Local Database Authentication

Step 1 Add the user account to the local database.
1. Select Device > Local User Database > Users and click Add.
2. Enter a user Name for the administrator.
3. Enter a Password and Confirm Password, or enter a Password Hash.
4. Enable the account (enabled by default) and click OK.

Step 2 Add the user group to the local database.
Required if your users require group membership.
1. Select Device > Local User Database > User Groups and click Add.
2. Enter a Name to identify the group.
3. Add each user who is a member of the group and click OK.

Step 3 Configure an authentication profile.
The authentication profile defines authentication settings that are common to a set of users.
Set the authentication Type to Local Database.

Step 4 Assign the authentication profile to an administrator account or to an Authentication policy rule for end users.
- Administrators: Configure a Firewall Administrator Account:
  - Specify the Name of a user you defined earlier in this procedure.
  - Assign the Authentication Profile that you configured for the account.
- End users: For the full procedure to configure authentication for end users, see Configure Authentication Policy.

Step 5 Verify that the firewall can use its local database to authenticate users.
Test Authentication Server Connectivity.




Configure an Authentication Profile and Sequence

An authentication profile defines the authentication service that validates the login credentials of administrators who access the firewall web interface and end users who access applications through Captive Portal or GlobalProtect. The service can be Local Authentication that the firewall provides or External Authentication Services. The authentication profile also defines options such as Kerberos single sign-on (SSO).
Some networks have multiple databases (such as TACACS+ and LDAP) for different users and user groups. To authenticate users in such cases, configure an authentication sequence: a ranked order of authentication profiles that the firewall matches a user against during login. The firewall checks against each profile in sequence until one successfully authenticates the user. If the sequence includes an authentication profile that specifies local database authentication, the firewall always checks that profile first regardless of the order in the sequence. A user is denied access only if authentication fails for all the profiles in the sequence. The sequence can specify authentication profiles that are based on any authentication service that the firewall supports except Multi-Factor Authentication (MFA) and SAML.

Configure an Authentication Profile and Sequence

Step 1 (External service only) Enable the firewall to connect to an external server for authenticating users:
1. Set up the external server. Refer to your server documentation for instructions.
2. Configure a server profile for the type of authentication service you use.
   - Add a RADIUS server profile.
     NOTE: If the firewall integrates with an MFA service through RADIUS, you must add a RADIUS server profile. In this case, the MFA service provides all the authentication factors. If the firewall integrates with an MFA service through a vendor API, you can still use a RADIUS server profile for the first factor but MFA server profiles are required for additional factors.
   - Add an MFA server profile.
   - Add a SAML IdP server profile.
   - Add a Kerberos server profile.
   - Add a TACACS+ server profile.
   - Add an LDAP server profile.

Step 2 (Local database authentication only) Configure a user database that is local to the firewall.
Perform these steps for each user and user group for which you want to configure Local Authentication based on a user identity store that is local to the firewall:
1. Add the user account to the local database.
2. (Optional) Add the user group to the local database.

Step 3 (Kerberos SSO only) Create a Kerberos keytab for the firewall if Kerberos single sign-on (SSO) is the primary authentication service.
Create a Kerberos keytab. A keytab is a file that contains Kerberos account information for the firewall. To support Kerberos SSO, your network must have a Kerberos infrastructure.


Step 4 Configure an authentication profile.
Define one or both of the following:
- Kerberos SSO: The firewall first tries SSO authentication. If that fails, it falls back to the specified authentication Type.
- External authentication or local database authentication: The firewall prompts the user to enter login credentials, and uses an external service or local database to authenticate the user.
1. Select Device > Authentication Profile and Add the authentication profile.
2. Enter a Name to identify the authentication profile.
3. Select the Type of authentication service.
   If you use Multi-Factor Authentication, the selected type applies only to the first authentication factor. You select services for additional MFA factors in the Factors tab.
   If you select RADIUS, TACACS+, LDAP, or Kerberos, select the Server Profile.
   If you select LDAP, select the Server Profile and define the Login Attribute. For Active Directory, enter sAMAccountName as the value.
   If you select SAML, select the IdP Server Profile.
4. If you want to enable Kerberos SSO, enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is UPPERCASE) and Import the Kerberos Keytab that you created for the firewall or Panorama.
5. (MFA only) Select Factors, Enable Additional Authentication Factors, and Add the MFA server profiles you configured. The firewall will invoke each MFA service in the listed order, from top to bottom.
6. Select Advanced and Add the users and groups that can authenticate with this profile.
   You can select users and groups from the local database or, if you configured the firewall to Map Users to Groups, from an LDAP-based directory service such as Active Directory. By default, the list is empty, meaning no users can authenticate. You can also select custom groups defined in a group mapping configuration.
7. Click OK to save the authentication profile.

Step 5 Configure an authentication sequence.
Required if you want the firewall to try multiple authentication profiles to authenticate users. The firewall evaluates the profiles in top-to-bottom order until one profile successfully authenticates the user.
1. Select Device > Authentication Sequence and Add the authentication sequence.
2. Enter a Name to identify the authentication sequence.
   To expedite the authentication process, select Use domain to determine authentication profile: the firewall matches the domain name that a user enters during login with the User Domain or Kerberos Realm of an authentication profile in the sequence, and then uses that profile to authenticate the user. If the firewall does not find a match, or if you disable the option, the firewall tries the profiles in the top-to-bottom sequence.
3. Add each authentication profile. To change the evaluation order of the profiles, select a profile and Move Up or Move Down.
4. Click OK to save the authentication sequence.
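As an added model (not Palo Alto Networks code) of how the sequence in Step 5 is evaluated: local-database profiles are moved to the front regardless of their position, the Use domain to determine authentication profile option selects the profile whose User Domain or Kerberos Realm matches the domain the user typed, and otherwise the profiles are tried top to bottom until one succeeds, with the empty-by-default Allow List gating each profile. Profile names, Allow List contents and the dictionary-backed stand-ins for the real services are constructed; treating a domain match as final (no fallback to the rest of the sequence when that profile fails) is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuthProfile:
    name: str
    service: str                 # "local-database", "ldap", "tacacs+", "radius", "kerberos"
    user_domain: str             # User Domain or Kerberos Realm; "" when not set
    allow_list: frozenset        # users (or groups) allowed to authenticate with the profile
    backend: Callable[[str, str], bool]   # constructed stand-in for the real service


def dict_backend(credentials: Dict[str, str]) -> Callable[[str, str], bool]:
    """Constructed stand-in for an external service or the local database."""
    return lambda user, password: credentials.get(user) == password


def split_domain(login: str) -> Tuple[str, str]:
    """Split 'user@domain' or 'DOMAIN\\user' into (user, domain); domain may be ''."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return user, domain
    if "@" in login:
        user, domain = login.rsplit("@", 1)
        return user, domain
    return login, ""


def order_for_evaluation(sequence: List[AuthProfile]) -> List[AuthProfile]:
    """A local-database profile is always checked first, whatever its position."""
    local = [p for p in sequence if p.service == "local-database"]
    others = [p for p in sequence if p.service != "local-database"]
    return local + others


def evaluate_sequence(sequence: List[AuthProfile], login: str, password: str,
                      use_domain: bool = True) -> Optional[str]:
    """Return the name of the profile that authenticated the user, or None
    when every candidate profile fails (the user is denied access)."""
    user, domain = split_domain(login)
    candidates = None
    if use_domain and domain:
        matched = [p for p in sequence
                   if p.user_domain and p.user_domain.lower() == domain.lower()]
        if matched:
            candidates = matched[:1]   # assumption: a domain match is final
    if candidates is None:
        candidates = order_for_evaluation(sequence)
    for profile in candidates:
        if user not in profile.allow_list:
            continue                   # empty Allow List means nobody can authenticate
        if profile.backend(user, password):
            return profile.name
    return None
```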


Step 6 Assign the authentication profile or sequence to an administrative account for firewall administrators or to Authentication policy for end users.
- Administrators: Assign the authentication profile based on how you manage administrator authorization:
  - Authorization managed locally on the firewall: Configure a Firewall Administrator Account.
  - Authorization managed on a SAML, TACACS+, or RADIUS server: Select Device > Setup > Management, edit the Authentication Settings, and select the Authentication Profile.
- End users: For the full procedure to configure authentication for end users, see Configure Authentication Policy.

Step 7 Verify that the firewall can use the authentication profile or sequence to authenticate users.
Test Authentication Server Connectivity.




Test Authentication Server Connectivity

The test authentication feature enables you to verify whether the firewall or Panorama can communicate with the authentication server specified in an authentication profile and whether an authentication request succeeds for a specific user. You can test authentication profiles that authenticate administrators who access the web interface or that authenticate end users who access applications through GlobalProtect or Captive Portal. You can perform authentication tests on the candidate configuration to verify the configuration is correct before committing.

Test Authentication Server Connectivity

Step 1 Configure an authentication profile. You do not need to commit the authentication profile or server profile configuration before testing.

Step 2 Log in to the firewall CLI.

Step 3 (Firewalls with multiple virtual systems) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems so that the test authentication command can locate the user you will test.
Define the target virtual system by entering:
admin@PA-3060> set system setting target-vsys <vsys-name>
For example, if the user is defined in vsys2, enter:
admin@PA-3060> set system setting target-vsys vsys2
NOTE: The target-vsys option is per login session; the firewall clears the option when you log off.

Step 4 Test the authentication profile by entering the following command:
admin@PA-3060> test authentication authentication-profile <authentication-profile-name> username <username> password
For example, to test an authentication profile named my-profile for a user named bsimpson, enter:
admin@PA-3060> test authentication authentication-profile my-profile username bsimpson password

NOTE: When running the test command, the names of authentication profiles and server profiles are case-sensitive. Also, if an authentication profile has a username modifier defined, you must enter the modifier with the username. For example, if you add the username modifier %USERINPUT%@%USERDOMAIN% for a user named bsimpson and the domain name is mydomain.com, enter bsimpson@mydomain.com as the username. This ensures that the firewall sends the correct credentials to the authentication server. In this example, mydomain.com is the domain that you define in the User Domain field in the authentication profile.

Step 5 View the test output.
If the authentication profile is configured correctly, the output displays Authentication succeeded. If there is a configuration issue, the output displays information to help you troubleshoot the configuration.
NOTE: The output results vary based on several factors related to the authentication type that you are testing as well as the type of issue. For example, RADIUS and TACACS+ use different underlying libraries, so the same issue that exists for both of these types will produce different errors. Also, if there is a network problem, such as using an incorrect port or IP address in the authentication server profile, the output error is not specific. This is because the test command cannot perform the initial handshake between the firewall and the authentication server to determine details about the issue.




Authentication Policy

Authentication policy enables you to authenticate end users before they can access services and applications. Whenever a user requests a service or application (such as by visiting a web page), the firewall evaluates Authentication policy. Based on the matching Authentication policy rule, the firewall then prompts the user to authenticate using one or more methods (factors), such as login and password, Voice, SMS, Push, or One-time Password (OTP) authentication. For the first factor, users authenticate through a Captive Portal web form. For any additional factors, users authenticate through a Multi-Factor Authentication (MFA) login page.

To implement Authentication policy for GlobalProtect, refer to Authentication Policy and Multi-Factor Authentication for GlobalProtect.

After the user authenticates for all factors, the firewall evaluates Security Policy to determine whether to allow access to the service or application.
To reduce the frequency of authentication challenges that interrupt the user workflow, you can specify a timeout period during which a user authenticates only for initial access to services and applications, not for subsequent access. Authentication policy integrates with Captive Portal to record the timestamps used to evaluate the timeout and to enable user-based policies and reports.
Based on user information that the firewall collects during authentication, User-ID creates a new IP address-to-username mapping or updates the existing mapping for that user (if the mapping information has changed). The firewall generates User-ID logs to record the additions and updates. The firewall also generates an Authentication log for each request that matches an Authentication rule. If you favor centralized monitoring, you can configure reports based on User-ID or Authentication logs and forward the logs to Panorama or external services as you would for any other log types.
- Authentication Timestamps
- Configure Authentication Policy

Authentication Timestamps

When configuring an Authentication policy rule, you can specify a timeout period during which a user authenticates only for initial access to services and applications, not for subsequent access. Your goal is to specify a timeout that strikes a balance between the need to secure services and applications and the need to minimize interruptions to the user workflow. When a user authenticates, the firewall records a timestamp for the first authentication challenge (factor) and a timestamp for any additional Multi-Factor Authentication (MFA) factors. When the user subsequently requests services and applications that match an Authentication rule, the firewall evaluates the timeout specified in the rule relative to each timestamp. This means the firewall re-issues authentication challenges on a per-factor basis when timeouts expire. If you Redistribute User Mappings and Authentication Timestamps, all your firewalls will enforce Authentication policy timeouts consistently for all users.

The firewall records a separate timestamp for each MFA vendor. For example, if you use Duo v2 and PingID servers to issue challenges for MFA factors, the firewall records one timestamp for the response to the Duo factor and one timestamp for the response to the PingID factor.




Within the timeout period, a user who successfully authenticates for one Authentication rule can access services or applications that other rules protect. However, this portability applies only to rules that trigger the same authentication factors. For example, a user who successfully authenticates for a rule that triggers TACACS+ authentication must authenticate again for a rule that triggers SAML authentication, even if the access requests are within the timeout period for both rules.
When evaluating the timeout in each Authentication rule and the global timer defined in the Captive Portal settings (see Configure Captive Portal), the firewall prompts the user to re-authenticate for whichever setting expires first. Upon re-authenticating, the firewall records new authentication timestamps for the rules and resets the time count for the Captive Portal timer. Therefore, to enable different timeout periods for different Authentication rules, set the Captive Portal timer to a value that is the same as or higher than the timeout in any rule.
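As an added illustration (not Palo Alto Networks code) of the timestamp behaviour described above, the following model keeps one timestamp per factor (including one per MFA vendor), evaluates each against the rule timeout and the global Captive Portal timer, and re-issues only the factors that have expired, so a TACACS+ success never satisfies a SAML rule. Rule names, vendor names and times are constructed; treating an expired Captive Portal timer as requiring every factor of the rule again is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuthRule:
    name: str
    factors: Tuple[str, ...]   # first factor, then the MFA vendors the rule triggers
    timeout_min: int           # Timeout configured in the Authentication rule


@dataclass
class UserAuthState:
    # Epoch seconds of the last successful response, keyed by factor or MFA vendor.
    factor_ts: Dict[str, float] = field(default_factory=dict)
    # Epoch seconds when the Captive Portal timer last started for this user.
    portal_ts: Optional[float] = None


def record_success(state: UserAuthState, factors: Tuple[str, ...], now: float) -> None:
    """Record new timestamps for the factors just answered and reset the
    Captive Portal time count, as happens on (re-)authentication."""
    for factor in factors:
        state.factor_ts[factor] = now
    state.portal_ts = now


def factors_to_challenge(rule: AuthRule, state: UserAuthState, now: float,
                         portal_timer_min: int) -> List[str]:
    """Return the factors the firewall must re-issue for a request matching rule.

    Each factor's own timestamp is compared with the rule timeout, so factors
    expire independently. The Captive Portal timer is evaluated alongside and
    whichever expires first wins; an expired portal timer is modelled here
    (assumption) as requiring every factor of the rule again.
    """
    portal_expired = (state.portal_ts is None
                      or now - state.portal_ts > portal_timer_min * 60)
    due = []
    for factor in rule.factors:
        ts = state.factor_ts.get(factor)
        if portal_expired or ts is None or now - ts > rule.timeout_min * 60:
            due.append(factor)
    return due


def portal_timer_covers_rules(rules: List[AuthRule], portal_timer_min: int) -> bool:
    """The page's guidance: for different rules to keep different timeouts, the
    Captive Portal timer must be the same as or higher than any rule timeout."""
    return all(rule.timeout_min <= portal_timer_min for rule in rules)
```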

Configure Authentication Policy

Perform the following steps to configure Authentication policy for end users who access services through Captive Portal. Before starting, ensure that your Security Policy allows users to access the services and URL categories that require authentication.

Configure Authentication Policy

Step 1 Configure Captive Portal.
Configure Captive Portal. If you use Multi-Factor Authentication (MFA) services to authenticate users, you must set the Mode to Redirect.

Step 2 Configure the services that authenticate users.
Configure the firewall to use one of the following authentication services.
- External Authentication Services: Configure a server profile to define how the firewall connects to the service.
- Local database authentication: Add each user account to the local user database on the firewall.
- Kerberos single sign-on (SSO): Create a Kerberos keytab for the firewall. Optionally, you can configure the firewall to use Kerberos SSO as the primary authentication service and, if SSO failures occur, fall back to an external service or local database authentication.

Step 3 Configure an authentication profile.
Create a profile for each set of users and Authentication policy rules that require the same authentication services and settings.
Configure an Authentication Profile and Sequence. In the authentication profile, select the Type of authentication service and related settings:
- External service: Select the Type of external server and select the Server Profile you created for it.
- Local database authentication: Set the Type to Local Database. In the Advanced settings, Add the Captive Portal users and user groups you created.
- Kerberos SSO: Specify the Kerberos Realm and Import the Kerberos Keytab.

PaloAltoNetworks,Inc. PANOS8.0AdministratorsGuide 171


AuthenticationPolicy Authentication

ConfigureAuthenticationPolicy(Continued)

Step4 Configureanauthentication 1. SelectObjects > AuthenticationandAddanobject.


enforcementobject. 2. EnteraNametoidentifytheobject.
Theobjectassociateseach
3. SelectanAuthentication Methodfortheauthenticationservice
authenticationprofilewitha
Typeyouspecifiedintheauthenticationprofile:
CaptivePortalmethod.The
methoddetermineswhetherthe browser-challengeSelectthismethodifyouwanttheclient
firstauthenticationchallenge browsertorespondtothefirstauthenticationfactorinsteadof
(factor)istransparentorrequiresa havingtheuserenterlogincredentials.Forthismethod,youmust
userresponse. haveconfiguredKerberosSSOintheauthenticationprofileor
NTLANManager(NTLM)authenticationintheCaptivePortal
settings.Ifthebrowserchallengefails,thefirewallfallsbackto
theweb-formmethod.
web-formSelectthismethodifyouwantthefirewalltodisplay
aCaptivePortalwebformforuserstoenterlogincredentials.
4. SelecttheAuthentication Profileyouconfigured.
5. EntertheMessagethattheCaptivePortalwebformwilldisplayto
tellusershowtoauthenticateforthefirstauthenticationfactor.
6. ClickOKtosavetheobject.

Step5 ConfigureanAuthenticationpolicy 1. SelectPolicies > AuthenticationandAddarule.


rule. 2. EnteraNametoidentifytherule.
Createaruleforeachsetofusers,
3. SelectSourceandAddspecificzonesandIPaddressesorselectAny
services,andURLcategoriesthat
zonesorIPaddresses.
requirethesameauthentication
servicesandsettings. TheruleappliesonlytotrafficcomingfromthespecifiedIP
addressesorfrominterfacesinthespecifiedzones.
4. SelectUserandselectorAddthesourceusersandusergroupsto
whichtheruleapplies(defaultisany).
5. SelectorAddtheHostInformationProfilestowhichtheruleapplies
(defaultisany).
6. SelectDestinationandAddspecificzonesandIPaddressesorselect
anyzonesorIPaddresses.
TheIPaddressescanberesources(suchasservers)forwhichyou
wanttocontrolaccess.
7. SelectService/URL CategoryandselectorAddtheservicesand
servicegroupsforwhichtherulecontrolsaccess(defaultis
service-http).
8. SelectorAddtheURLCategoriesforwhichtherulecontrolsaccess
(defaultisany).Forexample,youcancreateacustomURLcategory
thatspecifiesyourmostsensitiveinternalsites.
9. SelectActionsandselecttheAuthentication Enforcementobject
youcreated.
10. SpecifytheTimeoutperiodinminutes(default60)duringwhichthe
firewallpromptstheusertoauthenticateonlyonceforrepeated
accesstoservicesandapplications.
11. ClickOKtosavetherule.

Step6 (MFAonly)CustomizetheMFA Configuretheloginpagewhereusesauthenticateforanyadditional


loginpage. MFAfactors.

172 PANOS8.0AdministratorsGuide PaloAltoNetworks,Inc.


Authentication AuthenticationPolicy

ConfigureAuthenticationPolicy(Continued)

Step7 Verifythatthefirewallenforces 1. Logintoyournetworkasoneofthesourceusersspecifiedinan


Authenticationpolicy. Authenticationpolicyrule.
2. RequestaserviceorURLcategorythatmatchesonespecifiedinthe
rule.
ThefirewalldisplaystheCaptivePortalwebformforthefirst
authenticationfactor.Forexample:

NOTE:IfyouconfiguredthefirewalltouseoneormoreMFA
services,authenticatefortheadditionalauthenticationfactors.
3. EndthesessionfortheserviceorURLyoujustaccessed.
4. Startanewsessionforthesameserviceorapplication.Besureto
performthisstepwithintheTimeoutperiodyouconfiguredinthe
Authenticationrule.
Thefirewallallowsaccesswithoutreauthenticating.
5. WaituntiltheTimeoutperiodexpiresandrequestthesameservice
orapplication.
Thefirewallpromptsyoutoreauthenticate.

Step8 (Optional)RedistributeUser Youcanredistributeauthenticationtimestampstootherfirewallsthat


MappingsandAuthentication enforceAuthenticationpolicytoensuretheyallapplythetimeouts
Timestamps. consistentlyforallusers.


Troubleshoot Authentication Issues

When users fail to authenticate to a Palo Alto Networks firewall or Panorama, or the authentication process
takes longer than expected, analyzing authentication-related information can help you determine whether
the failure or delay resulted from:
- User behavior: For example, users are locked out after entering the wrong credentials, or a high volume
  of users are simultaneously attempting access.
- System or network issues: For example, an authentication server is inaccessible.
- Configuration issues: For example, the Allow List of an authentication profile doesn't have all the users
  it should have.
The following CLI commands display information that can help you troubleshoot these issues:

Task
    Display the number of locked user accounts associated with the authentication profile (auth-profile),
    authentication sequence (is-seq), or virtual system (vsys).
    To unlock users, use the following operational command:
        request authentication [unlock-admin | unlock-user] {auth-profile | vsys} <value>
Command
    show authentication locked-users
    {
      vsys <value> |
      auth-profile <value> |
      is-seq {yes | no}
    }

Task
    Use the debug authentication command to troubleshoot authentication events.
    Use the show options to display authentication request statistics and the current debugging level:
    - show displays the current debugging level for the authentication service (authd).
    - show-active-requests displays the number of active checks for authentication requests, allow lists,
      locked user accounts, and Multi-Factor Authentication (MFA) requests.
    - show-pending-requests displays the number of pending checks for authentication requests, allow lists,
      locked user accounts, and MFA requests.
    - connection-show displays authentication request and response statistics for all authentication
      servers or for a specific protocol type.
    Use the connection-debug options to enable or disable authentication debugging:
    - Use the on option to enable or the off option to disable debugging for authd.
    - Use the connection-debug-on option to enable or the connection-debug-off option to disable
      debugging for all authentication servers or for a specific protocol type.
Command
    debug authentication
    {
      on {debug | dump | error | info | warn} |
      show |
      show-active-requests |
      show-pending-requests |
      connection-show
      {
        connection-id |
        protocol-type
        {
          Kerberos connection-id <value> |
          LDAP connection-id <value> |
          RADIUS connection-id <value> |
          TACACS+ connection-id <value>
        }
      } |
      connection-debug-on
      {
        connection-id |
        debug-prefix |
        protocol-type
        {
          Kerberos connection-id <value> |
          LDAP connection-id <value> |
          RADIUS connection-id <value> |
          TACACS+ connection-id <value>
        }
      } |
      connection-debug-off
      {
        connection-id |
        protocol-type
        {
          Kerberos connection-id <value> |
          LDAP connection-id <value> |
          RADIUS connection-id <value> |
          TACACS+ connection-id <value>
        }
      }
    }


Certificate Management

The following topics describe the different keys and certificates that Palo Alto Networks firewalls and
Panorama use, and how to obtain and manage them:
- Keys and Certificates
- Certificate Revocation
- Certificate Deployment
- Set Up Verification for Certificate Revocation Status
- Configure the Master Key
- Obtain Certificates
- Export a Certificate and Private Key
- Configure a Certificate Profile
- Configure an SSL/TLS Service Profile
- Replace the Certificate for Inbound Management Traffic
- Configure the Key Size for SSL Forward Proxy Server Certificates
- Revoke and Renew Certificates
- Secure Keys with a Hardware Security Module


Keys and Certificates

To ensure trust between parties in a secure communication session, Palo Alto Networks firewalls and
Panorama use digital certificates. Each certificate contains a cryptographic key to encrypt plaintext or
decrypt ciphertext. Each certificate also includes a digital signature to authenticate the identity of the issuer.
The issuer must be in the list of trusted certificate authorities (CAs) of the authenticating party. Optionally,
the authenticating party verifies that the issuer did not revoke the certificate (see Certificate Revocation).
Palo Alto Networks firewalls and Panorama use certificates in the following applications:
- User authentication for Captive Portal, GlobalProtect, Mobile Security Manager, and web interface
  access to a firewall or Panorama.
- Device authentication for GlobalProtect VPN (remote user-to-site or large scale).
- Device authentication for IPSec site-to-site VPN with Internet Key Exchange (IKE).
- Decrypting inbound and outbound SSL traffic.
  A firewall decrypts the traffic to apply policy rules, then re-encrypts it before forwarding the traffic to the
  final destination. For outbound traffic, the firewall acts as a forward proxy server, establishing an SSL/TLS
  connection to the destination server. To secure a connection between itself and the client, the firewall
  uses a signing certificate to automatically generate a copy of the destination server certificate.
The following table describes the keys and certificates that Palo Alto Networks firewalls and Panorama use.
As a best practice, use different keys and certificates for each usage.

Table: Palo Alto Networks Device Keys/Certificates

Key/Certificate Usage    Description

Administrative Access
    Secure access to firewall or Panorama administration interfaces (HTTPS access to the web interface)
    requires a server certificate for the MGT interface (or a designated interface on the dataplane if the
    firewall or Panorama does not use MGT) and, optionally, a certificate to authenticate the administrator.

Captive Portal
    In deployments where Authentication policy identifies users who access HTTPS resources, designate a
    server certificate for the Captive Portal interface. If you configure Captive Portal to use certificates for
    identifying users (instead of, or in addition to, interactive authentication), deploy client certificates
    also. For more information on Captive Portal, see Map IP Addresses to Usernames Using Captive Portal.

Forward Trust
    For outbound SSL/TLS traffic, if a firewall acting as a forward proxy trusts the CA that signed the
    certificate of the destination server, the firewall uses the forward trust CA certificate to generate a copy
    of the destination server certificate to present to the client. To set the private key size, see Configure
    the Key Size for SSL Forward Proxy Server Certificates. For added security, store the key on a hardware
    security module (for details, see Secure Keys with a Hardware Security Module).

Forward Untrust
    For outbound SSL/TLS traffic, if a firewall acting as a forward proxy does not trust the CA that signed
    the certificate of the destination server, the firewall uses the forward untrust CA certificate to generate
    a copy of the destination server certificate to present to the client.

SSL Inbound Inspection
    The keys that decrypt inbound SSL/TLS traffic for inspection and policy enforcement. For this
    application, import onto the firewall a private key for each server that is subject to SSL/TLS inbound
    inspection. See Configure SSL Inbound Inspection.

SSL Exclude Certificate
    Certificates for servers to exclude from SSL/TLS decryption. For example, if you enable SSL decryption
    but your network includes servers for which the firewall should not decrypt traffic (for example, web
    services for your HR systems), import the corresponding certificates onto the firewall and configure them
    as SSL Exclude Certificates. See Decryption Exclusions.

GlobalProtect
    All interaction among GlobalProtect components occurs over SSL/TLS connections. Therefore, as part of
    the GlobalProtect deployment, deploy server certificates for all GlobalProtect portals, gateways, and
    Mobile Security Managers. Optionally, deploy certificates for authenticating users also.
    Note that the GlobalProtect Large Scale VPN (LSVPN) feature requires a CA signing certificate.

Site-to-Site VPNs (IKE)
    In a site-to-site IPSec VPN deployment, peer devices use Internet Key Exchange (IKE) gateways to
    establish a secure channel. IKE gateways use certificates or preshared keys to authenticate the peers to
    each other. You configure and assign the certificates or keys when defining an IKE gateway on a firewall.
    See Site-to-Site VPN Overview.

Master Key
    The firewall uses a master key to encrypt all private keys and passwords. If your network requires a
    secure location for storing private keys, you can use an encryption (wrapping) key stored on a hardware
    security module (HSM) to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.

Secure Syslog
    The certificate to enable secure connections between the firewall and a syslog server. See Syslog Field
    Descriptions.

Trusted Root CA
    The designation for a root certificate issued by a CA that the firewall trusts. The firewall can use a
    self-signed root CA certificate to automatically issue certificates for other applications (for example,
    SSL Forward Proxy).
    Also, if a firewall must establish secure connections with other firewalls, the root CA that issues their
    certificates must be in the list of trusted root CAs on the firewall.

Inter-Device Communication
    By default, Panorama, firewalls, and Log Collectors use a set of predefined certificates for the SSL/TLS
    connections used for management and log forwarding. However, you can enhance these connections by
    deploying custom certificates to the devices in your deployment. These certificates can also be used to
    secure the SSL/TLS connection between Panorama HA peers.


Certificate Revocation

Palo Alto Networks firewalls and Panorama use digital certificates to ensure trust between parties in a secure
communication session. Configuring a firewall or Panorama to check the revocation status of certificates
provides additional security. A party that presents a revoked certificate is not trustworthy. When a
certificate is part of a chain, the firewall or Panorama checks the status of every certificate in the chain
except the root CA certificate, for which it cannot verify revocation status.
Various circumstances can invalidate a certificate before the expiration date. Some examples are a change
of name, change of association between subject and certificate authority (for example, an employee
terminates employment), and compromise (known or suspected) of the private key. Under such
circumstances, the certificate authority that issued the certificate must revoke it.
The firewall and Panorama support the following methods for verifying certificate revocation status. If you
configure both methods, the firewall or Panorama first tries the OCSP method; if the OCSP server is
unavailable, it uses the CRL method.
- Certificate Revocation List (CRL)
- Online Certificate Status Protocol (OCSP)

In PAN-OS, certificate revocation status verification is an optional feature. It is a best practice to
enable it for certificate profiles, which define user and device authentication for Captive Portal,
GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall or Panorama.

Certificate Revocation List (CRL)

Each certificate authority (CA) periodically issues a certificate revocation list (CRL) to a public repository. The
CRL identifies revoked certificates by serial number. After the CA revokes a certificate, the next CRL update
will include the serial number of that certificate.
The Palo Alto Networks firewall downloads and caches the last-issued CRL for every CA listed in the trusted
CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a certificate,
the firewall cache does not store the CRL for the issuing CA. Also, the cache only stores a CRL until it expires.
The firewall supports CRLs only in Distinguished Encoding Rules (DER) format. If the firewall downloads a
CRL in any other format (for example, Privacy Enhanced Mail (PEM) format), any revocation verification
process that uses that CRL will fail when a user performs an activity that triggers the process (for example,
sending outbound SSL data). The firewall will generate a system log for the verification failure. If the
verification was for an SSL certificate, the firewall will also display the SSL Certificate Errors Notify response
page to the user.
To use CRLs for verifying the revocation status of certificates used for the decryption of inbound and
outbound SSL/TLS traffic, see Configure Revocation Status Verification of Certificates Used for SSL/TLS
Decryption.
To use CRLs for verifying the revocation status of certificates that authenticate users and devices, configure
a certificate profile and assign it to the interfaces that are specific to the application: Captive Portal,
GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, or web interface access to Palo
Alto Networks firewalls or Panorama. For details, see Configure Revocation Status Verification of
Certificates.
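Because a PEM-encoded CRL silently breaks revocation checks on the firewall, it is worth checking the encoding of a CRL file before it is published to the distribution point the firewall fetches from. The following added example (not from the guide, and not PAN-OS code) classifies a CRL file as DER or PEM using only the standard library, converts PEM to DER, and verifies that the result is one complete DER SEQUENCE; the sample CRL bytes are a constructed minimal SEQUENCE rather than a real CRL.

```python
"""Added example (not from the PAN-OS guide): check whether a CRL file is in
the DER format the firewall requires, and convert a PEM-encoded CRL to DER
before importing or publishing it. Uses only the standard library; the sample
CRL bytes below are a constructed minimal DER SEQUENCE, not a real CRL."""
import base64
import re

PEM_CRL_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.DOTALL)


def der_sequence_length(data: bytes) -> int:
    """Return the total encoded length of the outer DER SEQUENCE in `data`,
    or -1 if the data does not start with a well-formed SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:   # 0x30 = SEQUENCE tag
        return -1
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    length = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + length


def crl_format(data: bytes) -> str:
    """Classify raw file bytes as 'DER', 'PEM' or 'unknown'."""
    if PEM_CRL_RE.search(data):
        return "PEM"
    if der_sequence_length(data) == len(data):
        return "DER"
    return "unknown"


def to_der(data: bytes) -> bytes:
    """Return the CRL as DER bytes, decoding the PEM armour if present.
    Raises ValueError if the result is not one complete DER SEQUENCE, which
    is the case the firewall would fail on."""
    match = PEM_CRL_RE.search(data)
    if match:
        body = b"".join(match.group(1).split())   # drop line breaks
        data = base64.b64decode(body, validate=True)
    if der_sequence_length(data) != len(data):
        raise ValueError("not a complete DER-encoded CRL")
    return data


def is_importable(data: bytes) -> bool:
    """True if the bytes are, or can be converted to, a complete DER CRL."""
    try:
        to_der(data)
        return True
    except ValueError:
        return False


# Constructed sample: SEQUENCE { INTEGER 5 } stands in for a real CRL body.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END X509 CRL-----\n")

if __name__ == "__main__":
    for label, blob in (("DER file", SAMPLE_DER), ("PEM file", SAMPLE_PEM),
                        ("truncated", SAMPLE_DER[:-1])):
        print(label, crl_format(blob), "importable" if is_importable(blob) else "reject")
```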


Online Certificate Status Protocol (OCSP)

When establishing an SSL/TLS session, clients can use Online Certificate Status Protocol (OCSP) to check
the revocation status of the authentication certificate. The authenticating client sends a request containing
the serial number of the certificate to the OCSP responder (server). The responder searches the database of
the certificate authority (CA) that issued the certificate and returns a response containing the status (good,
revoked, or unknown) to the client. The advantage of the OCSP method is that it can verify status in real time,
instead of depending on the issue frequency (hourly, daily, or weekly) of CRLs.
The Palo Alto Networks firewall downloads and caches OCSP status information for every CA listed in the
trusted CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a
certificate, the firewall cache does not store the OCSP information for the issuing CA. If your enterprise has
its own public key infrastructure (PKI), you can configure the firewall as an OCSP responder (see Configure
an OCSP Responder).
To use OCSP for verifying the revocation status of certificates when the firewall functions as an SSL forward
proxy, perform the steps under Configure Revocation Status Verification of Certificates Used for SSL/TLS
Decryption.
The following applications use certificates to authenticate users and/or devices: Captive Portal,
GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, and web interface access to Palo
Alto Networks firewalls or Panorama. To use OCSP for verifying the revocation status of the certificates:
- Configure an OCSP responder.
- Enable the HTTP OCSP service on the firewall.
- Create or obtain a certificate for each application.
- Configure a certificate profile for each application.
- Assign the certificate profile to the relevant application.
To cover situations where the OCSP responder is unavailable, configure CRL as a fallback method. For
details, see Configure Revocation Status Verification of Certificates.


Certificate Deployment

The basic approaches to deploy certificates for Palo Alto Networks firewalls or Panorama are:
- Obtain certificates from a trusted third-party CA: The benefit of obtaining a certificate from a trusted
  third-party certificate authority (CA) such as VeriSign or GoDaddy is that end clients will already trust the
  certificate because common browsers include root CA certificates from well-known CAs in their trusted
  root certificate stores. Therefore, for applications that require end clients to establish secure connections
  with the firewall or Panorama, purchase a certificate from a CA that the end clients trust to avoid having
  to pre-deploy root CA certificates to the end clients. (Some such applications are a GlobalProtect portal
  or GlobalProtect Mobile Security Manager.) However, note that most third-party CAs cannot issue
  signing certificates. Therefore, this type of certificate is not appropriate for applications (for example,
  SSL/TLS decryption and large scale VPN) that require the firewall to issue certificates. See Obtain a
  Certificate from an External CA.
- Obtain certificates from an enterprise CA: Enterprises that have their own internal CA can use it to issue
  certificates for firewall applications and import them onto the firewall. The benefit is that end clients
  probably already trust the enterprise CA. You can either generate the needed certificates and import
  them onto the firewall, or generate a certificate signing request (CSR) on the firewall and send it to the
  enterprise CA for signing. The benefit of this method is that the private key does not leave the firewall.
  An enterprise CA can also issue a signing certificate, which the firewall uses to automatically generate
  certificates (for example, for GlobalProtect large scale VPN or sites requiring SSL/TLS decryption). See
  Import a Certificate and Private Key.
- Generate self-signed certificates: You can Create a Self-Signed Root CA Certificate on the firewall and
  use it to automatically issue certificates for other firewall applications. Note that if you use this method
  to generate certificates for an application that requires an end client to trust the certificate, end users will
  see a certificate error because the root CA certificate is not in their trusted root certificate store. To
  prevent this, deploy the self-signed root CA certificate to all end user systems. You can deploy the
  certificates manually or use a centralized deployment method such as an Active Directory Group Policy
  Object (GPO).


Set Up Verification for Certificate Revocation Status

To verify the revocation status of certificates, the firewall uses Online Certificate Status Protocol (OCSP)
and/or certificate revocation lists (CRLs). For details on these methods, see Certificate Revocation. If you
configure both methods, the firewall first tries OCSP and only falls back to the CRL method if the OCSP
responder is unavailable. If your enterprise has its own public key infrastructure (PKI), you can configure the
firewall to function as the OCSP responder.
The following topics describe how to configure the firewall to verify certificate revocation status:
- Configure an OCSP Responder
- Configure Revocation Status Verification of Certificates
- Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Configure an OCSP Responder

To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of certificates, you must
configure the firewall to access an OCSP responder (server). The entity that manages the OCSP responder
can be a third-party certificate authority (CA) or, if your enterprise has its own public key infrastructure (PKI),
the firewall itself. For details on OCSP, see Certificate Revocation.

Configure an OCSP Responder

Step 1  Define an OCSP responder.
        1. Select Device > Certificate Management > OCSP Responder and click Add.
        2. Enter a Name to identify the responder (up to 31 characters). The name is case-sensitive. It must be
           unique and use only letters, numbers, spaces, hyphens, and underscores.
        3. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the
           certificate.
        4. In the Host Name field, enter the host name (recommended) or IP address of the OCSP responder.
           You can enter an IPv4 or IPv6 address. From this value, PAN-OS automatically derives a URL and
           adds it to the certificate being verified.
           If you configure the firewall itself as an OCSP responder, the host name must resolve to an IP
           address in the interface that the firewall uses for OCSP services.
        5. Click OK.

Step 2  Enable OCSP communication on the firewall.
        1. Select Device > Setup > Management.
        2. In the Management Interface Settings section, edit to select the HTTP OCSP check box, then
           click OK.

Step 3  (Optional) To configure the firewall itself as an OCSP responder, add an Interface Management
        Profile to the interface used for OCSP services.
        1. Select Network > Network Profiles > Interface Mgmt.
        2. Click Add to create a new profile or click the name of an existing profile.
        3. Select the HTTP OCSP check box and click OK.
        4. Select Network > Interfaces and click the name of the interface that the firewall will use for OCSP
           services. The OCSP Host Name specified in Step 1 must resolve to an IP address in this interface.
        5. Select Advanced > Other info and select the Interface Management Profile you configured.
        6. Click OK and Commit.

Configure Revocation Status Verification of Certificates

The firewall and Panorama use certificates to authenticate users and devices for such applications as Captive
Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall/Panorama. To
improve security, it is a best practice to configure the firewall or Panorama to verify the revocation status of
certificates that it uses for device/user authentication.

Configure Revocation Status Verification of Certificates

Step 1  Configure a Certificate Profile for each application.
        Assign one or more root CA certificates to the profile and select how the firewall verifies certificate
        revocation status. The common name (FQDN or IP address) of a certificate must match an interface
        to which you apply the profile in Step 2.
        For details on the certificates that various applications use, see Keys and Certificates.

Step 2  Assign the certificate profiles to the relevant applications.
        The steps to assign a certificate profile depend on the application that requires it.

Configure Revocation Status Verification of Certificates Used for SSL/TLS
Decryption

The firewall decrypts inbound and outbound SSL/TLS traffic to apply Security policy rules, then
re-encrypts the traffic before forwarding it. (For details, see SSL Inbound Inspection and SSL Forward Proxy.)
You can configure the firewall to verify the revocation status of certificates used for decryption as follows.

Enabling revocation status verification for SSL/TLS decryption certificates will add time to the
process of establishing the session. The first attempt to access a site might fail if the verification
does not finish before the session times out. For these reasons, verification is disabled by default.

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Step 1  Define the service-specific timeout intervals for revocation status requests.
        1. Select Device > Setup > Session and, in the Session Features section, select Decryption Certificate
           Revocation Settings.
        2. Perform one or both of the following steps, depending on whether the firewall will use Online
           Certificate Status Protocol (OCSP) or the Certificate Revocation List (CRL) method to verify the
           revocation status of certificates. If the firewall will use both, it first tries OCSP; if the OCSP responder
           is unavailable, the firewall then tries the CRL method.
           - In the CRL section, select the Enable check box and enter the Receive Timeout. This is the interval
             (1-60 seconds) after which the firewall stops waiting for a response from the CRL service.
           - In the OCSP section, select the Enable check box and enter the Receive Timeout. This is the
             interval (1-60 seconds) after which the firewall stops waiting for a response from the OCSP
             responder.
           Depending on the Certificate Status Timeout value you specify in Step 2, the firewall might register
           a timeout before either or both of the Receive Timeout intervals pass.

Step 2  Define the total timeout interval for revocation status requests.
        Enter the Certificate Status Timeout. This is the interval (1-60 seconds) after which the firewall stops
        waiting for a response from any certificate status service and applies the session-blocking logic you
        optionally define in Step 3. The Certificate Status Timeout relates to the OCSP/CRL Receive Timeout
        as follows:
        - If you enable both OCSP and CRL: The firewall registers a request timeout after the lesser of two
          intervals passes: the Certificate Status Timeout value or the aggregate of the two Receive Timeout
          values.
        - If you enable only OCSP: The firewall registers a request timeout after the lesser of two intervals
          passes: the Certificate Status Timeout value or the OCSP Receive Timeout value.
        - If you enable only CRL: The firewall registers a request timeout after the lesser of two intervals
          passes: the Certificate Status Timeout value or the CRL Receive Timeout value.

Step 3  Define the blocking behavior for unknown certificate status or a revocation status request timeout.
        If you want the firewall to block SSL/TLS sessions when the OCSP or CRL service returns a certificate
        revocation status of unknown, select the Block Session With Unknown Certificate Status check box.
        Otherwise, the firewall proceeds with the session.
        If you want the firewall to block SSL/TLS sessions after it registers a request timeout, select the Block
        Session On Certificate Status Check Timeout check box. Otherwise, the firewall proceeds with the
        session.

Step 4  Save and apply your entries.
        Click OK and Commit.


Configure the Master Key

Every firewall and Panorama management server has a default master key that encrypts all the private keys
and passwords in the configuration to secure them (such as the private key used for SSL Forward Proxy
Decryption). For the best security posture, configure a new master key and change it periodically.
In a high availability (HA) configuration, you must use the same master key on both firewalls or Panorama in
the pair. Otherwise, HA synchronization will not work properly.
Additionally, if you are using Panorama to manage your firewalls, you must use the same master key on
Panorama and all managed firewalls so that Panorama can push configurations to the firewalls.

For added security, Encrypt a Master Key Using an HSM.

Be sure to store the master key in a safe location. You cannot recover the master key, and the only way to
restore the default master key is to Reset the Firewall to Factory Default Settings.

Configure a Master Key

Step 1  Select Device > Master Key and Diagnostics and edit the Master Key section.

Step 2  Enter the Current Master Key if one exists.

Step 3  Define a new New Master Key and then Confirm New Master Key. The key must contain exactly 16
        characters.

Step 4  To specify the master key Life Time, enter the number of Days and/or Hours after which the key will expire.
        You must configure a new master key before the current key expires. If the master key expires, the
        firewall or Panorama automatically reboots in Maintenance mode. You must then Reset the Firewall
        to Factory Default Settings.

Step 5  Enter a Time for Reminder that specifies the number of Days and Hours before the master key expires when
        the firewall generates an expiration alarm. The firewall automatically opens the System Alarms dialog to
        display the alarm.
        To ensure the expiration alarm displays, select Device > Log Settings, edit the Alarm Settings, and
        Enable Alarms.

Step 6  (Optional) Select whether to use an HSM to encrypt the master key. For details, see Encrypt a Master Key
        Using an HSM.

Step 7  Click OK and Commit.


Obtain Certificates

- Create a Self-Signed Root CA Certificate
- Generate a Certificate
- Import a Certificate and Private Key
- Obtain a Certificate from an External CA

Create a Self-Signed Root CA Certificate

A self-signed root certificate authority (CA) certificate is the topmost certificate in a certificate chain. A
firewall can use this certificate to automatically issue certificates for other uses. For example, the firewall
issues certificates for SSL/TLS decryption and for satellites in a GlobalProtect large-scale VPN.
When establishing a secure connection with the firewall, the remote client must trust the root CA that issued
the certificate. Otherwise, the client browser will display a warning that the certificate is invalid and might
(depending on security settings) block the connection. To prevent this, after generating the self-signed root
CA certificate, import it into the client systems.

On a Palo Alto Networks firewall or Panorama, you can generate self-signed certificates only if
they are CA certificates.

Generate a Self-signed Root CA Certificate

Step 1  Select Device > Certificate Management > Certificates > Device Certificates.

Step 2  If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 3  Click Generate.

Step 4  Enter a Certificate Name, such as GlobalProtect_CA. The name is case-sensitive and can have up to 31
        characters. It must be unique and use only letters, numbers, hyphens, and underscores.

Step 5  In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will
        configure the service that will use this certificate.

Step 6  If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the
        Shared check box.

Step 7  Leave the Signed By field blank to designate the certificate as self-signed.

Step 8  (Required) Select the Certificate Authority check box.

Step 9  Leave the OCSP Responder field blank; revocation status verification doesn't apply to root CA certificates.

Step 10 Click Generate and Commit.

Generate a Certificate

Palo Alto Networks firewalls and Panorama use certificates to authenticate clients, servers, users, and
devices in several applications, including SSL/TLS decryption, Captive Portal, GlobalProtect, site-to-site
IPSec VPN, and web interface access to the firewall/Panorama. Generate certificates for each usage: for
details, see Keys and Certificates.
To generate a certificate, you must first Create a Self-Signed Root CA Certificate or import one (Import a
Certificate and Private Key) to sign it. To use Online Certificate Status Protocol (OCSP) for verifying
certificate revocation status, Configure an OCSP Responder before generating the certificate.

Generate a Certificate

Step 1  Select Device > Certificate Management > Certificates > Device Certificates.

Step 2  If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 3  Click Generate.

Step 4  Select Local (default) as the Certificate Type unless you want to deploy SCEP certificates to GlobalProtect
        clients.

Step 5  Enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and
        use only letters, numbers, hyphens, and underscores.

Step 6  In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will
        configure the service that will use this certificate.

Step 7  If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the
        Shared check box.

Step 8  In the Signed By field, select the root CA certificate that will issue the certificate.

Step 9  (Optional) Select an OCSP Responder.

Step 10 For the key generation Algorithm, select RSA (default) or Elliptical Curve DSA (ECDSA). ECDSA is
        recommended for client browsers and operating systems that support it.
        Firewalls that run PAN-OS 6.1 and earlier releases will delete any ECDSA certificates that you push
        from Panorama, and any RSA certificates signed by an ECDSA certificate authority (CA) will be
        invalid on those firewalls.
        You cannot use a hardware security module (HSM) to store ECDSA keys used for SSL/TLS Decryption.

Step 11 Select the Number of Bits to define the certificate key length. Higher numbers are more secure but require
        more processing time.

Step 12 Select the Digest algorithm. From most to least secure, the options are: sha512, sha384, sha256 (default),
        sha1, and md5.
        Client certificates that are used when requesting firewall services that rely on TLSv1.2 (such as
        administrator access to the web interface) cannot have sha512 as a digest algorithm. The client
        certificates must use a lower digest algorithm (such as sha384) or you must limit the Max Version to
        TLSv1.1 when you Configure an SSL/TLS Service Profile for the firewall services.

Step 13 For the Expiration, enter the number of days (default is 365) for which the certificate is valid.

Step 14 (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the
        certificate.
        If you add a Host Name (DNS name) attribute, it is a best practice for it to match the Common Name.
        The host name populates the Subject Alternative Name field of the certificate.
188 PANOS8.0AdministratorsGuide PaloAltoNetworks,Inc.


CertificateManagement ObtainCertificates

GenerateaCertificate(Continued)

Step15 ClickGenerateand,intheDeviceCertificatespage,clickthecertificateName.
NOTE:Regardlessofthetimezoneonthefirewall,italwaysdisplaysthecorrespondingGreenwichMean
Time(GMT)forcertificatevalidityandexpirationdates/times.

Step16 Selectthecheckboxesthatcorrespondtotheintendeduseofthecertificateonthefirewall.
Forexample,ifthefirewallwillusethiscertificatetosecureforwardingofsyslogstoanexternalsyslogserver,
selecttheCertificate for Secure Syslogcheckbox.

Step17 ClickOKandCommit.

Import a Certificate and Private Key

If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into the firewall from your enterprise certificate authority (CA). Enterprise CA certificates (unlike most certificates purchased from a trusted, third-party CA) can automatically issue CA certificates for applications such as SSL/TLS decryption or large-scale VPN.

On a Palo Alto Networks firewall or Panorama, you can import self-signed certificates only if they are CA certificates.
Instead of importing a self-signed root CA certificate into all the client systems, it is a best practice to import a certificate from the enterprise CA because the clients will already have a trust relationship with the enterprise CA, which simplifies the deployment.
If the certificate you will import is part of a certificate chain, it is a best practice to import the entire chain.

Import a Certificate and Private Key

Step 1   From the enterprise CA, export the certificate and private key that the firewall will use for authentication. When exporting a private key, you must enter a passphrase to encrypt the key for transport. Ensure the management system can access the certificate and key files. When importing the key onto the firewall, you must enter the same passphrase to decrypt it.

Step 2   Select Device > Certificate Management > Certificates > Device Certificates.

Step 3   If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 4   Click Import and enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.

Step 5   To make the certificate available to all virtual systems, select the Shared check box. This check box appears only if the firewall supports multiple virtual systems.

Step 6   Enter the path and name of the Certificate File received from the CA, or Browse to find the file.

Step 7   Select a File Format:
         • Encrypted Private Key and Certificate (PKCS12): This is the default and most common format, in which the key and certificate are in a single container (Certificate File). If a hardware security module (HSM) will store the private key for this certificate, select the Private key resides on Hardware Security Module check box.
         • Base64 Encoded Certificate (PEM): You must import the key separately from the certificate. If a hardware security module (HSM) stores the private key for this certificate, select the Private key resides on Hardware Security Module check box and skip the next step. Otherwise, select the Import Private Key check box, enter the Key File or Browse to it, then continue to the next step.

Step 8   Enter and re-enter (confirm) the Passphrase used to encrypt the private key.

Step 9   Click OK. The Device Certificates page displays the imported certificate.
         The exported key file on the management system is a copy of the private key; delete it once the import succeeds so that the firewall (or HSM) is the only place the key lives.


Obtain a Certificate from an External CA

The advantage of obtaining a certificate from an external certificate authority (CA) is that the private key does not leave the firewall. To obtain a certificate from an external CA, generate a certificate signing request (CSR) and submit it to the CA. After the CA issues a certificate with the specified attributes, import it onto the firewall. The CA can be a well-known, public CA or an enterprise CA.
To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of the certificate, Configure an OCSP Responder before generating the CSR.

Obtain a Certificate from an External CA

Step 1   Request the certificate from an external CA.
         1. Select Device > Certificate Management > Certificates > Device Certificates.
         2. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
         3. Click Generate.
         4. Enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
         5. In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
         6. If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
         7. In the Signed By field, select External Authority (CSR).
         8. If applicable, select an OCSP Responder.
         9. (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the certificate.
            NOTE: If you add a Host Name attribute, it is a best practice for it to match the Common Name (this is mandatory for GlobalProtect). The host name populates the Subject Alternative Name field of the certificate.
         10. Click Generate. The Device Certificates tab displays the CSR with a Status of pending.

Step 2   Submit the CSR to the CA.
         1. Select the CSR and click Export to save the .csr file to a local computer.
         2. Upload the .csr file to the CA.

Step 3   Import the certificate.
         1. After the CA sends a signed certificate in response to the CSR, return to the Device Certificates tab and click Import.
         2. Enter the Certificate Name used to generate the CSR. The matching name is what pairs the issued certificate with the private key the firewall generated for the CSR.
         3. Enter the path and name of the PEM Certificate File that the CA sent, or Browse to it.
         4. Click OK. The Device Certificates tab displays the certificate with a Status of valid.

Step 4   Configure the certificate.
         1. Click the certificate Name.
         2. Select the check boxes that correspond to the intended use of the certificate on the firewall. For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog check box.
         3. Click OK and Commit.

Export a Certificate and Private Key

Palo Alto Networks recommends that you use your enterprise public key infrastructure (PKI) to distribute a certificate and private key in your organization. However, if necessary, you can also export a certificate and private key from the firewall or Panorama. You can use an exported certificate and private key in the following cases:
• Configure Certificate-Based Administrator Authentication to the Web Interface
• GlobalProtect agent/app authentication to portals and gateways
• SSL Forward Proxy decryption
• Obtain a Certificate from an External CA

Export a Certificate and Private Key

Step 1   Select Device > Certificate Management > Certificates > Device Certificates.

Step 2   If the firewall has more than one virtual system (vsys), select a Location (a specific vsys or Shared) for the certificate.

Step 3   Select the certificate, click Export, and select a File Format:
         • Base64 Encoded Certificate (PEM): This is the default format. It is the most common and has the broadest support on the Internet. If you want the exported file to include the private key, select the Export Private Key check box.
         • Encrypted Private Key and Certificate (PKCS12): This format is more secure than PEM but is not as common or as broadly supported. The exported file will automatically include the private key.
         • Binary Encoded Certificate (DER): More operating system types support this format than the others. You can export only the certificate, not the key: ignore the Export Private Key check box and passphrase fields.

Step 4   Enter a Passphrase and Confirm Passphrase to encrypt the private key if the File Format is PKCS12 or if it is PEM and you selected the Export Private Key check box. You will use this passphrase when importing the certificate and key into client systems.

Step 5   Click OK and save the certificate/key file to your computer. Treat any file that contains a private key as a secret: move it only over a protected channel and delete local copies once the import on the other side is done.
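
The following POSIX shell script is an added example and is not code from this guide or from Palo Alto Networks. It walks through what the Generate a Certificate, Obtain a Certificate from an External CA, Import a Certificate and Private Key and Export a Certificate and Private Key procedures produce, using the OpenSSL command line on an administrator workstation, so that each artifact (self-signed root CA, CSR whose Host Name matches the Common Name, issued certificate, PKCS#12 and DER exports, passphrase-protected re-import) can be checked before it is uploaded to a firewall. It assumes openssl and mktemp are on the PATH; the FQDN fw1.example.net, the CA name, the file names and the passphrase are made up for the example.

```sh
#!/bin/sh
# Added example, not PAN-OS code: the certificate workflow of this chapter
# (root CA, CSR whose SAN matches the Common Name, issuance, checks before
# import, PKCS#12/DER export, passphrase-protected re-import) done with the
# OpenSSL CLI. The FQDN, names and passphrase are made up for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"       # assumed: a writable scratch directory
FQDN="fw1.example.net"             # constructed Common Name of the firewall service
P12PASS="export-passphrase-1"      # constructed passphrase; the import side needs it

# Self-signed root CA with the Certificate Authority flag set
# (the "Create a Self-Signed Root CA Certificate" procedure).
make_root_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = Lab Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -extensions v3_ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# CSR for the service (Signed By = External Authority (CSR)); the Host Name
# attribute becomes a DNS SAN and is kept identical to the Common Name.
make_csr() {
    cat > "$WORK/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
req_extensions     = v3_req
[ dn ]
CN = $FQDN
[ v3_req ]
subjectAltName   = DNS:$FQDN
extendedKeyUsage = serverAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/csr.cnf" \
        -keyout "$WORK/fw.key" -out "$WORK/fw.csr" 2>/dev/null
}

# The CA side: issue the certificate, carrying the SAN over from the request.
sign_csr() {
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$FQDN" > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/fw.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/leaf.ext" \
        -out "$WORK/fw.crt" 2>/dev/null
}

# Checks worth running before importing onto the firewall.
chain_status() {             # prints OK when the leaf chains to the root
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/fw.crt" | sed 's/.*: //'
}
leaf_signature_algorithm() { # e.g. sha256WithRSAEncryption (never sha1/md5)
    openssl x509 -in "$WORK/fw.crt" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}
san_matches_cn() {           # prints yes when a DNS SAN equals the Common Name
    cn=$(openssl x509 -in "$WORK/fw.crt" -noout -subject | sed 's/.*CN *= *//')
    if openssl x509 -in "$WORK/fw.crt" -noout -text | grep -q "DNS:$cn"; then
        echo yes
    else
        echo no
    fi
}

# Export formats the firewall offers: PKCS#12 (key + certificate chain,
# encrypted under the passphrase) and DER (certificate only, no key).
export_bundle() {
    openssl pkcs12 -export -inkey "$WORK/fw.key" -in "$WORK/fw.crt" \
        -certfile "$WORK/ca.crt" -passout "pass:$P12PASS" -out "$WORK/fw.p12"
    openssl x509 -in "$WORK/fw.crt" -outform DER -out "$WORK/fw.der"
}

# Import side: the same passphrase decrypts the key, and the key must belong
# to the certificate in the bundle (their public keys must be identical).
pkcs12_key_matches_cert() {  # prints yes when the PKCS#12 key and cert pair up
    openssl pkcs12 -in "$WORK/fw.p12" -passin "pass:$P12PASS" -nocerts -nodes \
        -out "$WORK/imported.key" 2>/dev/null
    openssl pkcs12 -in "$WORK/fw.p12" -passin "pass:$P12PASS" -clcerts -nokeys \
        -out "$WORK/imported.crt" 2>/dev/null
    k=$(openssl pkey -in "$WORK/imported.key" -pubout | openssl sha256)
    c=$(openssl x509 -in "$WORK/imported.crt" -pubkey -noout | openssl sha256)
    if [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

run_workflow() { make_root_ca; make_csr; sign_csr; export_bundle; }
```

Call run_workflow, then the check functions: chain_status prints OK, leaf_signature_algorithm prints sha256WithRSAEncryption, and san_matches_cn prints yes only when the DNS SAN equals the Common Name, which is the condition GlobalProtect enforces on the Host Name attribute. pkcs12_key_matches_cert reproduces what the firewall's Import does with the passphrase and fails (prints no) if someone bundled the wrong key with the certificate.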

Configure a Certificate Profile

Certificate profiles define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, Mobile Security Manager, and web interface access to Palo Alto Networks firewalls or Panorama. The profiles specify which certificates to use, how to verify certificate revocation status, and how that status constrains access. Configure a certificate profile for each application.

It is a best practice to enable Online Certificate Status Protocol (OCSP) and/or Certificate Revocation List (CRL) status verification for certificate profiles. For details on these methods, see Certificate Revocation.

Configure a Certificate Profile

Step 1   Obtain the certificate authority (CA) certificates you will assign.
         Perform one of the following steps to obtain the CA certificates you will assign to the profile. You must assign at least one.
         • Generate a Certificate.
         • Export a certificate from your enterprise CA and then import it onto the firewall (see Step 3).

Step 2   Identify the certificate profile.
         1. Select Device > Certificate Management > Certificate Profile and click Add.
         2. Enter a Name to identify the profile. The name is case-sensitive, must be unique and can use up to 31 characters that include only letters, numbers, spaces, hyphens, and underscores.
         3. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the profile.

Step 3   Assign one or more certificates.
         Perform the following steps for each CA certificate:
         1. In the CA Certificates table, click Add.
         2. Select a CA Certificate. Alternatively, to import a certificate, click Import, enter a Certificate Name, Browse to the Certificate File you exported from your enterprise CA, and click OK.
         3. (Optional) If the firewall uses OCSP to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments, these fields do not apply.
            • By default, the firewall uses the OCSP responder URL that you set in the procedure Configure an OCSP Responder. To override that setting, enter a Default OCSP URL (starting with http:// or https://).
            • By default, the firewall uses the certificate selected in the CA Certificate field to validate OCSP responses. To use a different certificate for validation, select it in the OCSP Verify CA Certificate field.
         4. Click OK. The CA Certificates table displays the assigned certificate.

Step 4   Define the methods for verifying certificate revocation status and the associated blocking behavior.
         1. Select Use CRL and/or Use OCSP. If you select both, the firewall first tries OCSP and falls back to the CRL method only if the OCSP responder is unavailable.
         2. Depending on the verification method, enter the CRL Receive Timeout and/or OCSP Receive Timeout. These are the intervals (1-60 seconds) after which the firewall stops waiting for a response from the CRL/OCSP service.
         3. Enter the Certificate Status Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies any session-blocking logic you define. The Certificate Status Timeout relates to the OCSP/CRL Receive Timeout as follows:
            • If you enable both OCSP and CRL: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the aggregate of the two Receive Timeout values.
            • If you enable only OCSP: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the OCSP Receive Timeout value.
            • If you enable only CRL: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the CRL Receive Timeout value.
         4. If you want the firewall to block sessions when the OCSP or CRL service returns a certificate revocation status of unknown, select the Block session if certificate status is unknown check box. Otherwise, the firewall proceeds with the session.
         5. If you want the firewall to block sessions after it registers an OCSP or CRL request timeout, select the Block session if certificate status cannot be retrieved within timeout check box. Otherwise, the firewall proceeds with the session.
            With both check boxes clear the profile fails open: a certificate whose status is unknown or unobtainable is accepted exactly as a good one would be. Make that choice deliberately per application; for administrator access in particular, failing closed is usually the right trade.

Step 5   Save and apply your entries. Click OK and Commit.


Configure an SSL/TLS Service Profile

Palo Alto Networks firewalls and Panorama use SSL/TLS service profiles to specify a certificate and the allowed protocol versions for SSL/TLS services. The firewall and Panorama use SSL/TLS for Captive Portal, GlobalProtect portals and gateways, inbound traffic on the management (MGT) interface, the URL Admin Override feature, and the User-ID syslog listening service. By defining the protocol versions, you can use a profile to restrict the cipher suites that are available for securing communication with the clients requesting the services. This improves network security by enabling the firewall or Panorama to avoid SSL/TLS versions that have known weaknesses. If a client offers a protocol version above the Max Version, the firewall or Panorama negotiates the connection down to the Max Version; a client that supports no version within the configured range cannot complete the handshake.

In the client systems that request firewall services, the certificate trust list (CTL) must include the certificate authority (CA) certificate that issued the certificate specified in the SSL/TLS service profile. Otherwise, users will see a certificate error when requesting firewall services. Most third-party CA certificates are present by default in client browsers. If an enterprise or firewall-generated CA certificate is the issuer, you must deploy that CA certificate to the CTL in client browsers.

Configure an SSL/TLS Service Profile

Step 1   For each desired service, generate or import a certificate on the firewall (see Obtain Certificates).
         Use only signed certificates, not CA certificates, in SSL/TLS service profiles.

Step 2   Select Device > Certificate Management > SSL/TLS Service Profile.

Step 3   If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.

Step 4   Click Add and enter a Name to identify the profile.

Step 5   Select the Certificate you just obtained.

Step 6   Define the range of protocols that the service can use:
         • For the Min Version, select the earliest allowed TLS version: TLSv1.0 (default), TLSv1.1, or TLSv1.2.
         • For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or Max (latest available version). The default is Max.
         The default Min Version of TLSv1.0 is the weakest setting. TLSv1.0 and TLSv1.1 have since been formally deprecated (RFC 8996), so raise the Min Version to TLSv1.2 for every service whose clients support it, and leave Max at Max so that newer versions are never excluded by the profile.
         Client certificates that are used when requesting firewall services that rely on TLSv1.2 cannot have SHA512 as a digest algorithm. The client certificates must use a lower digest algorithm (such as SHA384) or you must limit the Max Version to TLSv1.1 for the firewall services.

Step 7   Click OK and Commit.


Replace the Certificate for Inbound Management Traffic

When you first boot up the firewall or Panorama, it automatically generates a default certificate that enables HTTPS access to the web interface and XML API over the management (MGT) interface and (on the firewall only) over any other interface that supports HTTPS management traffic (for details, see Use Interface Management Profiles to Restrict Access). To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.

You cannot view, modify, or delete the default certificate.
To secure management traffic, you must also Configure Administrative Accounts and Authentication.

Replace the Certificate for Inbound Management Traffic

Step 1   Obtain the certificate that will authenticate the firewall or Panorama to the client systems of administrators.
         You can simplify your Certificate Deployment by using a certificate that the client systems already trust. Therefore, we recommend that you Import a Certificate and Private Key from your enterprise certificate authority (CA) or Obtain a Certificate from an External CA; the trusted root certificate store of the client systems is likely to already have the associated root CA certificate that ensures trust.
         NOTE: If you Generate a Certificate on the firewall or Panorama, administrators will see a certificate error because the root CA certificate is not in the trusted root certificate store of client systems. To prevent this, deploy the self-signed root CA certificate to all client systems.
         Regardless of how you obtain the certificate, we recommend a Digest algorithm of sha256 or higher for enhanced security.

Step 2   Configure an SSL/TLS Service Profile. Select the Certificate you just obtained.
         For enhanced security, we recommend that you set the Min Version (earliest allowed TLS version) to TLSv1.1 for inbound management traffic, or to TLSv1.2 if every administrator's browser supports it. We also recommend that you use a different SSL/TLS Service Profile for each firewall or Panorama service instead of reusing this profile for all services.

Step 3   Apply the SSL/TLS Service Profile to inbound management traffic.
         1. Select Device > Setup > Management and edit the General Settings.
         2. Select the SSL/TLS Service Profile you just configured.
         3. Click OK and Commit.


Configure the Key Size for SSL Forward Proxy Server Certificates

When responding to a client in an SSL Forward Proxy session, the firewall creates a copy of the certificate that the destination server presents and uses the copy to establish a connection with the client. By default, the firewall generates certificates with the same key size as the certificate that the destination server presented. However, you can change the key size for the firewall-generated certificate as follows:

Configure the Key Size for SSL Forward Proxy Server Certificates

Step 1   Select Device > Setup > Session and, in the Decryption Settings section, click SSL Forward Proxy Settings.

Step 2   Select a Key Size:
         • Defined by destination host: The firewall determines the key size for the certificates it generates to establish SSL proxy sessions with clients based on the key size of the destination server certificate. If the destination server uses a 1024-bit RSA key, the firewall generates a certificate with that key size and an SHA1 hashing algorithm. If the destination server uses a key size larger than 1,024 bits (for example, 2,048 bits or 4,096 bits), the firewall generates a certificate that uses a 2,048-bit RSA key and SHA256 algorithm. This is the default setting.
         • 1024-bit RSA: The firewall generates certificates that use a 1,024-bit RSA key and SHA1 hashing algorithm regardless of the key size of the destination server certificates. As of December 31, 2013, public certificate authorities (CAs) and popular browsers have limited support for X.509 certificates that use keys of fewer than 2,048 bits. In the future, depending on security settings, when presented with such keys the browser might warn the user or block the SSL/TLS session entirely.
         • 2048-bit RSA: The firewall generates certificates that use a 2,048-bit RSA key and SHA256 hashing algorithm regardless of the key size of the destination server certificates. Public CAs and popular browsers support 2,048-bit keys, which provide better security than the 1,024-bit keys.
         Note that every path that yields a 1,024-bit key also signs the generated certificate with SHA1, for which practical collisions have been demonstrated; unless a specific legacy client forces the issue, choose 2048-bit RSA so that the proxied certificates never fall below 2,048-bit RSA with SHA256.
         Changing the key size setting clears the current certificate cache.

Step 3   Click OK and Commit.


Revoke and Renew Certificates

• Revoke a Certificate
• Renew a Certificate

Revoke a Certificate

Various circumstances can invalidate a certificate before the expiration date. Some examples are a change of name, change of association between subject and certificate authority (for example, an employee terminates employment), and compromise (known or suspected) of the private key. Under such circumstances, the certificate authority (CA) that issued the certificate must revoke it. The following task describes how to revoke a certificate for which the firewall is the CA.

Revoke a Certificate

Step 1   Select Device > Certificate Management > Certificates > Device Certificates.

Step 2   If the firewall supports multiple virtual systems, the tab displays a Location drop-down. Select the virtual system to which the certificate belongs.

Step 3   Select the certificate to revoke.

Step 4   Click Revoke. PAN-OS immediately sets the status of the certificate to revoked and adds the serial number to the Online Certificate Status Protocol (OCSP) responder cache or certificate revocation list (CRL). You need not perform a commit.
         Revocation only takes effect where the relying party checks for it: a certificate profile with neither Use OCSP nor Use CRL enabled keeps accepting the revoked certificate until it expires.
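
The following POSIX shell script is an added example and is not code from this guide or from Palo Alto Networks. It shows what the Revoke action above and the Use CRL verification method in Configure a Certificate Profile come down to, using the OpenSSL command line as a stand-in for the firewall's own CA: two leaf certificates are issued, one is revoked, a CRL is published, and each leaf is then checked against the CRL the way a relying party does. It assumes openssl and mktemp are on the PATH; the scratch directory, the CA and subject names, the serial numbers and the file names are made up for the example.

```sh
#!/bin/sh
# Added example, not PAN-OS code: what Revoke on the firewall's own CA and
# "Use CRL" in a certificate profile come down to, done with the OpenSSL CLI:
# issue two leaf certificates from a small CA, revoke one, publish a CRL, and
# check both leaves against it. Directory, names and serials are made up.
set -eu

CADIR="${CADIR:-$(mktemp -d)}"     # assumed: a writable scratch directory

# A minimal "openssl ca": index.txt is the database of issued certificates
# (revocation marks an entry R), crlnumber counts the CRLs published so far.
init_ca() {
    mkdir -p "$CADIR/newcerts"
    : > "$CADIR/index.txt"
    echo 1000 > "$CADIR/serial"
    echo 01 > "$CADIR/crlnumber"
    cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir              = $CADIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
x509_extensions  = v3_leaf
policy           = policy_any
[ policy_any ]
commonName = supplied
[ v3_leaf ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = Lab Issuing CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$CADIR/ca.cnf" -extensions v3_ca \
        -keyout "$CADIR/ca.key" -out "$CADIR/ca.crt" 2>/dev/null
}

# Issue a leaf (Generate with Signed By = this CA); $1 = common name, $2 = basename.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -config "$CADIR/ca.cnf" -keyout "$CADIR/$2.key" -out "$CADIR/$2.csr" 2>/dev/null
    openssl ca -batch -config "$CADIR/ca.cnf" -in "$CADIR/$2.csr" \
        -out "$CADIR/$2.crt" 2>/dev/null
}

# Revoke: the serial is marked revoked in the CA database ...
revoke_leaf() { openssl ca -config "$CADIR/ca.cnf" -revoke "$CADIR/$1.crt" 2>/dev/null; }

# ... but relying parties only learn about it once a CRL is published.
publish_crl() { openssl ca -config "$CADIR/ca.cnf" -gencrl -out "$CADIR/ca.crl" 2>/dev/null; }

# The check a certificate profile with Use CRL performs for one leaf; prints
# good, revoked, or unavailable (no usable CRL, the case the "cannot be
# retrieved within timeout" check box decides on the firewall).
crl_status() {
    out=$(openssl verify -crl_check -CAfile "$CADIR/ca.crt" \
            -CRLfile "$CADIR/ca.crl" "$CADIR/$1.crt" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo good ;;
        *)                       echo unavailable ;;
    esac
}
```

Running init_ca, issuing two leaves, revoking one and then calling publish_crl makes crl_status report revoked for the revoked leaf and good for the other. Calling crl_status before publish_crl returns unavailable for both, which is the situation a profile is in while the CRL cannot be fetched: whether that is treated as good or as a block is exactly what the two Block session check boxes decide.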

Renew a Certificate

If a certificate expires, or soon will, you can reset the validity period. If an external certificate authority (CA) signed the certificate and the firewall uses the Online Certificate Status Protocol (OCSP) to verify certificate revocation status, the firewall uses the OCSP responder information to update the certificate status (see Configure an OCSP Responder). If the firewall is the CA that issued the certificate, the firewall replaces it with a new certificate that has a different serial number but the same attributes as the old certificate.

Renew a Certificate

Step 1   Select Device > Certificate Management > Certificates > Device Certificates.

Step 2   If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 3   Select a certificate to renew and click Renew.

Step 4   Enter a New Expiration Interval (in days).

Step 5   Click OK and Commit.

Secure Keys with a Hardware Security Module

A hardware security module (HSM) is a physical device that manages digital keys. An HSM provides secure storage and generation of digital keys. It provides both logical and physical protection of these materials from non-authorized use and potential adversaries.
HSM clients integrated with Palo Alto Networks firewalls or Panorama enable enhanced security for the private keys used in SSL/TLS decryption (both SSL forward proxy and SSL inbound inspection). In addition, you can use the HSM to encrypt master keys.
The following topics describe how to integrate an HSM with your firewall or Panorama:
• Set up Connectivity with an HSM
• Encrypt a Master Key Using an HSM
• Store Private Keys on an HSM
• Manage the HSM Deployment

Set up Connectivity with an HSM

HSM clients are integrated with PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7000 Series, and VM-Series firewalls and on Panorama (virtual appliance and M-Series appliance) for use with the following HSMs:
• SafeNet Network 5.2.1
• Thales nShield Connect 11.62 or later

The HSM server version must be compatible with these client versions. Refer to the HSM vendor documentation for the client-server version compatibility matrix.

The IP address on the HSM client firewall must be a static IP address, not a dynamic address assigned by DHCP. The HSM authenticates the firewall using the IP address before the HSM connection comes up. Operations on the HSM would stop working if the IP address were to change during runtime.
The following topics describe how to set up connectivity to one of the supported HSMs:
• Set Up Connectivity with a SafeNet Network HSM
• Set Up Connectivity with a Thales nShield Connect HSM

Set Up Connectivity with a SafeNet Network HSM

To set up connectivity between the Palo Alto Networks firewall and a SafeNet Network HSM, you must specify the address of the HSM server and the password for connecting to it in the firewall configuration. In addition, you must register the firewall with the HSM server. Before starting the configuration, make sure you have created a partition for the Palo Alto Networks firewalls on the HSM server.


HSM configuration is not synced between high availability firewall peers. Consequently, you must configure the HSM module separately on each of the peers.
In active/passive HA deployments, you must manually perform one failover to configure and authenticate each HA peer individually to the HSM. After this manual failover has been performed, user interaction is not required for the failover function.

Set up Connectivity with a SafeNet Network HSM

Step 1   Configure the firewall to communicate with the SafeNet Network HSM.
         1. Log in to the firewall web interface and select Device > Setup > HSM.
         2. Edit the Hardware Security Module Provider section and select Safenet Luna SA (SafeNet Network) as the Provider Configured.
         3. Click Add and enter a Module Name. This can be any ASCII string up to 31 characters in length.
         4. Enter the IPv4 address of the HSM module as the Server Address.
            If you are configuring a high availability HSM configuration, enter module names and IP addresses for the additional HSM devices.
         5. (Optional) If configuring a high availability HSM configuration, select the High Availability check box and add the following: a value for Auto Recovery Retry and a High Availability Group Name.
            If two HSM servers are configured, you should configure high availability. Otherwise the second HSM server is not used.
         6. Click OK and Commit.

Step 2   (Optional) Configure a service route to enable the firewall to connect to the HSM.
         By default, the firewall uses the Management Interface to communicate with the HSM. To use a different interface, you must configure a service route.
         1. Select Device > Setup > Services.
         2. Select Service Route Configuration from the Services Features area.
         3. Select Customize from the Service Route Configuration area.
         4. Select the IPv4 tab.
         5. Select HSM from the Service column.
         6. Select an interface to use for HSM from the Source Interface drop-down.
            If you select a dataplane-connected port for HSM, issuing the clear session all CLI command will clear all existing HSM sessions, causing all HSM states to be brought down and then up. During the several seconds required for HSM to recover, all SSL/TLS operations will fail.
         7. Click OK and Commit.

Step 3   Configure the firewall to authenticate to the HSM.
         1. Select Device > Setup > HSM.
         2. Select Setup Hardware Security Module in the Hardware Security Operations area.
         3. Select the HSM Server Name from the drop-down.
         4. Enter the Administrator Password to authenticate the firewall to the HSM.
         5. Click OK. The firewall attempts to perform an authentication with the HSM and displays a status message.
         6. Click OK.

Step 4   Register the firewall (the HSM client) with the HSM and assign it to a partition on the HSM.
         1. Log in to the HSM from a remote system.
         2. Register the firewall using the following command:
            client register -c <cl-name> -ip <fw-ip-addr>
            where <cl-name> is a name that you assign to the firewall for use on the HSM and <fw-ip-addr> is the IP address of the firewall that is being configured as an HSM client. It must be a static IP address, not an address assigned by DHCP.
         3. Assign a partition to the firewall using the following command:
            client assignpartition -c <cl-name> -p <partition-name>
            where <cl-name> is the name assigned to the firewall in the client register command and <partition-name> is the name of a previously configured partition that you want to assign to the firewall.
         If the HSM already has a firewall with the same <cl-name> registered, you must remove the duplicate registration using the following command before registration will succeed:
            client delete -client <cl-name>
         where <cl-name> is the name of the client (firewall) registration you want to delete.

Step 5   Configure the firewall to connect to the HSM partition.
         1. Select Device > Setup > HSM.
         2. Click the Refresh icon.
         3. Select the Setup HSM Partition in the Hardware Security Operations area.
         4. Enter the Partition Password to authenticate the firewall to the partition on the HSM.
         5. Click OK.

Step 6   (Optional) Configure an additional HSM for high availability (HA).
         1. Repeat the previous steps to add an additional HSM for high availability (HA). This process adds a new HSM to the existing HA group.
         2. If you remove an HSM from your configuration, repeat the previous step. This will remove the deleted HSM from the HA group.

Step 7   Verify connectivity with the HSM.
         1. Select Device > Setup > HSM.
         2. Check the Status of the HSM connection:
            • Green: HSM is authenticated and connected.
            • Red: HSM was not authenticated or network connectivity to the HSM is down.
         3. View the following columns in the Hardware Security Module Status area to determine authentication status:
            • Serial Number: The serial number of the HSM partition if the HSM was successfully authenticated.
            • Partition: The partition name on the HSM that was assigned on the firewall.
            • Module State: The current operating state of the HSM. It always has the value Authenticated if the HSM is displayed in this table.

Set Up Connectivity with a Thales nShield Connect HSM

The following workflow describes how to configure the firewall to communicate with a Thales nShield Connect HSM. This configuration requires that you set up a remote file system (RFS) to use as a hub to sync key data for all firewalls in your organization that are using the HSM.

HSM configuration is not synced between high availability firewall peers. Consequently, you must configure the HSM module separately on each of the peers.
If the firewall is in an active/passive high availability configuration, you must manually perform one failover to configure and authenticate each HA peer individually to the HSM. After you perform this initial manual failover, no further user interaction is required for failover function.

Set up Connectivity with a Thales nShield Connect HSM

Step 1   Configure the Thales nShield Connect server as the firewall's HSM provider.
         1. From the firewall web interface, select Device > Setup > HSM and edit the Hardware Security Module Provider section.
         2. Select Thales Nshield Connect as the Provider Configured.
         3. Click Add and enter a Module Name. This can be any ASCII string up to 31 characters in length.
         4. Enter the IPv4 address as the Server Address of the HSM module.
            If you are configuring a high availability HSM configuration, enter module names and IP addresses for the additional HSM devices.
         5. Enter the IPv4 address of the Remote Filesystem Address.
         6. Click OK and Commit.

Step 2   (Optional) Configure a service route to enable the firewall to connect to the HSM.
         By default, the firewall uses the Management Interface to communicate with the HSM. To use a different interface, you must configure a service route.
         1. Select Device > Setup > Services.
         2. Select Service Route Configuration from the Services Features area.
         3. Select Customize from the Service Route Configuration area.
         4. Select the IPv4 tab.
         5. Select HSM from the Service column.
         6. Select an interface to use for HSM from the Source Interface drop-down.
            If you select a dataplane-connected port for HSM, issuing the clear session all CLI command will clear all existing HSM sessions, causing all HSM states to be brought down and then up. During the several seconds required for HSM to recover, all SSL/TLS operations will fail.
         7. Click OK and Commit.

Step 3   Register the firewall (the HSM client) with the HSM server.
         This step briefly describes the procedure for using the front panel interface of the Thales nShield Connect HSM. For more details, consult the Thales documentation.
         1. Log in to the front panel display of the Thales nShield Connect HSM unit.
         2. On the unit front panel, use the right-hand navigation button to select System > System configuration > Client config > New client.
         3. Enter the IP address of the firewall. It must be a static IP address, not an address assigned by DHCP.
         4. Select System > System configuration > Client config > Remote file system and enter the IP address of the client computer where you set up the remote file system.

202 PANOS8.0AdministratorsGuide PaloAltoNetworks,Inc.


CertificateManagement SecureKeyswithaHardwareSecurityModule

SetupConnectivitywithaThalesnShieldConnectHSM(Continued)

Step 4. Set up the remote file system to accept connections from the firewall.
    1. Log in to the remote file system (RFS) from a Linux client.
    2. Obtain the electronic serial number (ESN) and the hash of the KNETI key. The KNETI key authenticates the module to clients:
       anonkneti <ip-address>
       where <ip-address> is the IP address of the HSM.
       The following is an example:
       anonkneti 192.0.2.1
       B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
       In this example, B1E2-2D4C-E6A2 is the ESN and 5a2e5107e70d525615a903f6391ad72b1c03352c is the hash of the KNETI key.
    3. Use the following command from a superuser account to perform the remote file system setup:
       rfs-setup --force <ip-address> <ESN> <hash-Kneti-key>
       where <ip-address> is the IP address of the HSM, <ESN> is the electronic serial number (ESN), and <hash-Kneti-key> is the hash of the KNETI key.
       The following example uses the values obtained in this procedure (the angle brackets above mark placeholders and are not typed):
       rfs-setup --force 192.0.2.1 B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
    4. Use the following command to permit client submit on the remote file system:
       rfs-setup --gang-client --write-noauth <FW-IPaddress>
       where <FW-IPaddress> is the IP address of the firewall.
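The two rfs-setup invocations in steps 3 and 4 are easy to get wrong by hand (placeholders typed literally, or the ESN and hash transposed). The following helper is an added example, not part of this guide or of the Thales tooling. It assumes the anonkneti output format shown above (ESN, then the KNETI hash, separated by a space), validates both values, and assembles the argument lists for the two commands. The check_expected_hash comparison is a practice added here: the KNETI hash is what authenticates the HSM to its clients, so compare the hash returned over the network with one obtained from the HSM administrator before binding the RFS to it.

```python
"""Helper for the nShield remote file system (RFS) set-up step above.

Added example, not part of the PAN-OS guide or of Thales' tooling. It assumes
the `anonkneti` output format shown in the guide ("<ESN> <KNETI-hash>") and
builds the exact `rfs-setup` argument lists the guide prescribes, so that the
placeholder brackets are never typed and the ESN/hash are validated first.
"""
import re
import shlex
from typing import List, Tuple

# Shapes taken from the guide's example values; the ESN pattern is an assumption
# based on that example.
ESN_RE = re.compile(r"^[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}$")
KNETI_HASH_RE = re.compile(r"^[0-9a-f]{40}$")  # 40 hex digits, as in the guide's example


def parse_anonkneti(output: str) -> Tuple[str, str]:
    """Extract (ESN, KNETI hash) from `anonkneti <hsm-ip>` output and validate their shape."""
    stripped = output.strip()
    line = stripped.splitlines()[-1] if stripped else ""
    parts = line.split()
    if len(parts) != 2:
        raise ValueError(f"unexpected anonkneti output: {line!r}")
    esn, kneti_hash = parts
    if not ESN_RE.match(esn):
        raise ValueError(f"ESN does not look like an nShield ESN: {esn!r}")
    if not KNETI_HASH_RE.match(kneti_hash):
        raise ValueError(f"KNETI hash is not 40 hex digits: {kneti_hash!r}")
    return esn, kneti_hash


def rfs_setup_cmd(hsm_ip: str, esn: str, kneti_hash: str) -> List[str]:
    """argv for step 3: bind the RFS to the HSM identified by ESN and KNETI hash."""
    return ["rfs-setup", "--force", hsm_ip, esn, kneti_hash]


def gang_client_cmd(firewall_ip: str) -> List[str]:
    """argv for step 4: permit the firewall (HSM client) to submit to the RFS."""
    return ["rfs-setup", "--gang-client", "--write-noauth", firewall_ip]


def check_expected_hash(observed: str, expected: str) -> bool:
    """Compare the hash anonkneti returned over the network with one obtained out of band.

    The KNETI hash authenticates the HSM to its clients, so binding to an
    unverified hash binds the RFS to whatever answered at that IP address.
    """
    return observed.lower() == expected.lower()


# Constructed sample: the output shown in the guide's example.
SAMPLE_ANONKNETI_OUTPUT = "B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c\n"

if __name__ == "__main__":
    esn, h = parse_anonkneti(SAMPLE_ANONKNETI_OUTPUT)
    # Print the commands; run them with subprocess.run(cmd, check=True) as a
    # superuser on the RFS host once the hash has been verified.
    print(shlex.join(rfs_setup_cmd("192.0.2.1", esn, h)))
    print(shlex.join(gang_client_cmd("192.0.2.10")))
```

Passing the list form to subprocess avoids shell quoting entirely; the printed form is only for review before running.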

Step 5. Configure the firewall to authenticate to the HSM.
    1. From the firewall web interface, select Device > Setup > HSM.
    2. Select Setup Hardware Security Module in the Hardware Security Operations area.
    3. Click OK.
       The firewall attempts to perform an authentication with the HSM and displays a status message.
    4. Click OK.

Step 6. Synchronize the firewall with the remote file system.
    1. Select Device > Setup > HSM.
    2. Select Synchronize with Remote Filesystem in the Hardware Security Operations section.

Step 7. Verify that the firewall can connect to the HSM.
    1. Select Device > Setup > HSM.
    2. Check the Status indicator to verify that the firewall is connected to the HSM:
       Green: HSM is authenticated and connected.
       Red: HSM was not authenticated or network connectivity to the HSM is down.
    3. View the following columns in the Hardware Security Module Status section to determine authentication status:
       Name: The name of the HSM attempting to be authenticated.
       IP address: The IP address of the HSM that was assigned on the firewall.
       Module State: The current operating state of the HSM: Authenticated or Not Authenticated.

Encrypt a Master Key Using an HSM

A master key encrypts all private keys and passwords on the firewall and Panorama. If you have security requirements to store your private keys in a secure location, you can encrypt the master key using an encryption key that is stored on an HSM. The firewall or Panorama then requests the HSM to decrypt the master key whenever it is required to decrypt a password or private key on the firewall. Typically, the HSM is in a highly secure location that is separate from the firewall or Panorama for greater security.
The HSM encrypts the master key using a wrapping key. To maintain security, you must occasionally change (refresh) this wrapping key.

Firewalls configured in FIPS/CC mode do not support master key encryption using an HSM.

The following topics describe how to encrypt the master key initially and how to refresh the master key encryption:
Encrypt the Master Key
Refresh the Master Key Encryption

Encrypt the Master Key

If you have not previously encrypted the master key on a firewall, use the following procedure to encrypt it. Use this procedure for first-time encryption of a key, or if you define a new master key and you want to encrypt it. If you want to refresh the encryption on a previously encrypted key, see Refresh the Master Key Encryption.

Encrypt a Master Key Using an HSM

Step 1. Select Device > Master Key and Diagnostics.

Step 2. Specify the key that is currently used to encrypt all of the private keys and passwords on the firewall in the Master Key field.

Step 3. If changing the master key, enter the new master key and confirm.

Step 4. Select the HSM check box.
    Life Time: The number of days and hours after which the master key expires (range 1-730 days).
    Time for Reminder: The number of days and hours before expiration when the user is notified of the impending expiration (range 1-365 days).

Step 5. Click OK.

Refresh the Master Key Encryption

As a best practice, periodically refresh the master key encryption by rotating the wrapping key that encrypts it. The frequency of the rotation depends on your application. The wrapping key resides on your HSM. The following command is the same for SafeNet Network and Thales nShield Connect HSMs.

Refresh the Master Key Encryption

Step 1. Log in to the firewall CLI.

Step 2. Use the following CLI command to rotate the wrapping key for the master key on an HSM:
    > request hsm mkey-wrapping-key-rotation
    If the master key is encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM and encrypt the master key with the new wrapping key.
    If the master key is not encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM for future use.
    The old wrapping key is not deleted by this command.
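To make the rotation semantics concrete, here is an added example (not PAN-OS or HSM code) that models what the command does: the wrapping keys live on the HSM, the firewall holds only the wrapped master key, a rotation generates a fresh wrapping key and re-wraps the unchanged master key under it, and the previous wrapping key is retained. The HSM's key-wrap algorithm is not specified on this page, so it is replaced by a stand-in built from the Python standard library (HMAC-SHA256 used as a counter-mode keystream plus an HMAC tag); that construction and the numeric key identifiers are assumptions of the example.

```python
"""Wrapping-key rotation as the guide describes it, modelled in software.

Added example, not PAN-OS or HSM code. The HSM's key-wrap algorithm is replaced
by a stand-in authenticated encryption built from the standard library
(HMAC-SHA256 as a counter-mode keystream plus an HMAC tag); the rotation
semantics are what matter: the master key itself never changes, the blob that
stores it is re-encrypted under a fresh wrapping key, and old wrapping keys are
retained.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for the HSM cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(wrapping_key: bytes, master_key: bytes) -> bytes:
    """Stand-in for the HSM key wrap: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(master_key, _keystream(wrapping_key, nonce, len(master_key))))
    tag = hmac.new(wrapping_key, b"wrap" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(wrapping_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the master key, or None if the blob was not wrapped under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(wrapping_key, b"wrap" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(wrapping_key, nonce, len(ct))))


class HsmMasterKeyStore:
    """Models the state the guide describes: wrapping keys live on the HSM and are
    never exported; the firewall holds only the wrapped master key and the id of
    the wrapping key currently in use (ids are an assumption of this example)."""

    def __init__(self) -> None:
        self.wrapping_keys: Dict[int, bytes] = {}   # on the HSM
        self.current_wk: Optional[int] = None
        self.wrapped_master_key: Optional[bytes] = None

    def _new_wrapping_key(self) -> int:
        wk_id = len(self.wrapping_keys) + 1
        self.wrapping_keys[wk_id] = os.urandom(32)
        return wk_id

    def encrypt_master_key(self, master_key: bytes) -> None:
        """First-time encryption (the Encrypt the Master Key procedure)."""
        self.current_wk = self._new_wrapping_key()
        self.wrapped_master_key = wrap(self.wrapping_keys[self.current_wk], master_key)

    def rotate_wrapping_key(self) -> int:
        """'request hsm mkey-wrapping-key-rotation' semantics: a new wrapping key is
        generated on the HSM; if a master key is wrapped, it is re-wrapped under the
        new key; the old wrapping key is not deleted. Returns the new key id."""
        master_key = self.decrypt_master_key()  # None if nothing is wrapped yet
        self.current_wk = self._new_wrapping_key()
        if master_key is not None:
            self.wrapped_master_key = wrap(self.wrapping_keys[self.current_wk], master_key)
        return self.current_wk

    def decrypt_master_key(self) -> Optional[bytes]:
        """What the firewall asks the HSM to do whenever it needs the master key."""
        if self.wrapped_master_key is None or self.current_wk is None:
            return None
        return unwrap(self.wrapping_keys[self.current_wk], self.wrapped_master_key)
```

Because the old wrapping key is kept, any backup of the wrapped blob taken before a rotation is still recoverable; an HSM-side policy for retiring old wrapping keys is a separate decision from the rotation itself.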

Store Private Keys on an HSM

For added security, you can use an HSM to secure the private keys used in SSL/TLS decryption for:
SSL Forward Proxy: The HSM can store the private key of the Forward Trust certificate that signs certificates in SSL/TLS forward proxy operations. The firewall will then send the certificates that it generates during such operations to the HSM for signing before forwarding the certificates to the client.
SSL Inbound Inspection: The HSM can store the private keys for the internal servers for which you are performing SSL/TLS inbound inspection.

If you use the DHE or ECDHE key exchange algorithms to enable Perfect Forward Secrecy (PFS) Support for SSL Decryption, you cannot use an HSM to store the private keys for SSL Inbound Inspection. You also cannot use an HSM to store ECDSA keys used for Forward Proxy or Inbound Inspection decryption.

Store Private Keys on an HSM

Step 1. On the HSM, import or generate the certificate and private key used in your decryption deployment.
    For instructions on importing or generating a certificate and private key on the HSM, refer to your HSM documentation.

Step 2. (Thales nShield Connect only) Synchronize the key data from the Thales nShield remote file system to the firewall.
    NOTE: Synchronization with the SafeNet Network HSM is automatic.
    1. Access the firewall web interface and select Device > Setup > HSM.
    2. Select Synchronize with Remote Filesystem in the Hardware Security Operations section.

Step 3. Import the certificate that corresponds to the HSM-stored key onto the firewall.
    1. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
    2. Enter the Certificate Name.
    3. Browse to the Certificate File on the HSM.
    4. Select a File Format.
    5. Select Private Key resides on Hardware Security Module.
    6. Click OK and Commit.

Step 4. (Forward Trust certificates only) Enable the certificate for use in SSL/TLS Forward Proxy.
    1. Open the certificate you imported in Step 3 for editing.
    2. Select Forward Trust Certificate.
    3. Click OK and Commit.

Step 5. Verify that you successfully imported the certificate onto the firewall.
    Locate the certificate you imported in Step 3 and check the icon in the Key column:
    Lock icon: The private key for the certificate is on the HSM.
    Error icon: The private key is not on the HSM or the HSM is not properly authenticated or connected.

Manage the HSM Deployment

Manage HSM

View the HSM configuration settings.
    Select Device > Setup > HSM.

Display detailed HSM information.
    Select Show Detailed Information from the Hardware Security Operations section.
    Information regarding the HSM servers, HSM HA status, and HSM hardware is displayed.

Export Support file.
    Select Export Support File from the Hardware Security Operations section.
    A test file is created to help customer support when addressing a problem with an HSM configuration on the firewall.

Reset HSM configuration.
    Select Reset HSM Configuration from the Hardware Security Operations section.
    Selecting this option removes all HSM connections. All authentication procedures must be repeated after using this option.

High Availability

High availability (HA) is a deployment in which two firewalls are placed in a group and their configuration is synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up two firewalls in an HA pair provides redundancy and allows you to ensure business continuity.
Palo Alto Networks firewalls support stateful active/passive or active/active high availability with session and configuration synchronization with a few exceptions:
The PA-200 firewall supports HA Lite only.
The VM-Series firewall in AWS supports active/passive HA only; if it is deployed with Amazon Elastic Load Balancing (ELB), it does not support HA (in this case ELB provides the failover capabilities).
The VM-Series firewall in Microsoft Azure does not support HA.
The following topics provide more information about high availability and how to configure it in your environment.
HA Overview
HA Concepts
Set Up Active/Passive HA
Set Up Active/Active HA
HA Firewall States
Reference: HA Synchronization

HA Overview

You can set up two Palo Alto Networks firewalls as an HA pair. HA allows you to minimize downtime by making sure that an alternate firewall is available in the event that the peer firewall fails. The firewalls in an HA pair use dedicated or in-band HA ports on the firewall to synchronize data (network, object, and policy configurations) and to maintain state information. Firewall-specific configuration such as management interface IP address or administrator profiles, HA-specific configuration, log data, and the Application Command Center (ACC) information is not shared between peers. For a consolidated application and log view across the HA pair, you must use Panorama, the Palo Alto Networks centralized management system.
When a failure occurs on a firewall in an HA pair and the peer firewall takes over the task of securing traffic, the event is called a failover. The conditions that trigger a failover are:
One or more of the monitored interfaces fail. (Link Monitoring)
One or more of the destinations specified on the firewall cannot be reached. (Path Monitoring)
The firewall does not respond to heartbeat polls. (Heartbeat Polling and Hello messages)
A critical chip or software component fails, known as packet path health monitoring.
You can use Panorama to manage HA firewalls. See Context Switch: Firewall or Panorama in the Panorama Administrator's Guide.
After you understand the HA Concepts, proceed to Set Up Active/Passive HA or Set Up Active/Active HA.

HA Concepts

The following topics provide conceptual information about how HA works on a Palo Alto Networks firewall:
HA Modes
HA Links and Backup Links
Device Priority and Preemption
Failover
LACP and LLDP Pre-Negotiation for Active/Passive HA
Floating IP Address and Virtual MAC Address
ARP Load-Sharing
Route-Based Redundancy
HA Timers
Session Owner
Session Setup
NAT in Active/Active HA Mode
ECMP in Active/Active HA Mode

HA Modes

You can set up the firewalls for HA in one of two modes:
Active/Passive: One firewall actively manages traffic while the other is synchronized and ready to transition to the active state, should a failure occur. In this mode, both firewalls share the same configuration settings, and one actively manages traffic until a path, link, system, or network failure occurs. When the active firewall fails, the passive firewall transitions to the active state and takes over seamlessly and enforces the same policies to maintain network security. Active/passive HA is supported in the virtual wire, Layer 2, and Layer 3 deployments.

The PA-200 firewall supports HA Lite only.
HA Lite is an active/passive deployment that provides configuration synchronization and some runtime data synchronization such as IPSec security associations. It does not support any session synchronization (HA2), and therefore does not offer stateful failover.

Active/Active: Both firewalls in the pair are active and processing traffic and work synchronously to handle session setup and session ownership. Both firewalls individually maintain session tables and routing tables and synchronize to each other. Active/active HA is supported in virtual wire and Layer 3 deployments.
In active/active HA mode, the firewall does not support DHCP client. Furthermore, only the active-primary firewall can function as a DHCP Relay. If the active-secondary firewall receives DHCP broadcast packets, it drops them.

An active/active configuration does not load-balance traffic. Although you can load-share by sending traffic to the peer, no load balancing occurs. Ways to load-share sessions to both firewalls include using ECMP, multiple ISPs, and load balancers.

When deciding whether to use active/passive or active/active mode, consider the following differences:
Active/passive mode has simplicity of design; it is significantly easier to troubleshoot routing and traffic flow issues in active/passive mode. Active/passive mode supports a Layer 2 deployment; active/active mode does not.
Active/active mode requires advanced design concepts that can result in more complex networks. Depending on how you implement active/active HA, it might require additional configuration such as activating networking protocols on both firewalls, replicating NAT pools, and deploying floating IP addresses to provide proper failover. Because both firewalls are actively processing traffic, the firewalls use additional concepts of session owner and session setup to perform Layer 7 content inspection. Active/active mode is recommended if each firewall needs its own routing instances and you require full, real-time redundancy out of both firewalls all the time. Active/active mode has faster failover and can handle peak traffic flows better than active/passive mode because both firewalls are actively processing traffic.

In active/active mode, the HA pair can be used to temporarily process more traffic than what one firewall can normally handle. However, this should not be the norm because a failure of one firewall causes all traffic to be redirected to the remaining firewall in the HA pair.
Your design must allow the remaining firewall to process the maximum capacity of your traffic loads with content inspection enabled. If the design oversubscribes the capacity of the remaining firewall, high latency and/or application failure can occur.

For information on setting up your firewalls in active/passive mode, see Set Up Active/Passive HA. For information on setting up your firewalls in active/active mode, see Set Up Active/Active HA.

HA Links and Backup Links

The firewalls in an HA pair use HA links to synchronize data and maintain state information. Some models of the firewall have dedicated HA ports (Control link (HA1) and Data link (HA2)), while others require you to use the in-band ports as HA links.
On firewalls with dedicated HA ports such as the PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls (see HA Ports on the PA-7000 Series Firewall), use the dedicated HA ports to manage communication and synchronization between the firewalls.
For firewalls without dedicated HA ports such as the PA-200, PA-220, and PA-500 firewalls, as a best practice use the dataplane port for the HA port, and use the management port as the HA1 backup.

The HA1 and HA2 links provide synchronization for functions that reside on the management plane. Using the dedicated HA interfaces on the management plane is more efficient than using the in-band ports as this eliminates the need to pass the synchronization packets over the dataplane.

HA Links and Backup Links: Description

Control Link: The HA1 link is used to exchange hellos, heartbeats, and HA state information, and management plane sync for routing, and User-ID information. The firewalls also use this link to synchronize configuration changes with its peer. The HA1 link is a Layer 3 link and requires an IP address.
    Ports used for HA1: TCP port 28769 and 28260 for cleartext communication; port 28 for encrypted communication (SSH over TCP).

Data Link: The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active or active-primary firewall to the passive or active-secondary firewall. The HA2 link is a Layer 2 link, and it uses ethertype 0x7261 by default.
    Ports used for HA2: The HA data link can be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.

Backup Links: Provide redundancy for the HA1 and the HA2 links. In-band ports are used as backup links for both HA1 and HA2. Consider the following guidelines when configuring backup HA links:
    The IP addresses of the primary and backup HA links must not overlap each other.
    HA backup links must be on a different subnet from the primary HA links.
    HA1 backup and HA2 backup ports must be configured on separate physical ports. The HA1 backup link uses port 28770 and 28260.
    Palo Alto Networks recommends enabling heartbeat backup (uses port 28771 on the MGT interface) if you use an in-band port for the HA1 or the HA1 backup links.

Packet-Forwarding Link: In addition to HA1 and HA2 links, an active/active deployment also requires a dedicated HA3 link. The firewalls use this link for forwarding packets to the peer during session setup and asymmetric traffic flow. The HA3 link is a Layer 2 link that uses MAC-in-MAC encapsulation. It does not support Layer 3 addressing or encryption. PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one. On PA-800 Series, PA-3000 Series, PA-5000 Series, and PA-5200 Series firewalls, you can configure aggregate interfaces as an HA3 link. The aggregate interfaces can also provide redundancy for the HA3 link; you cannot configure backup links for the HA3 link. On PA-5200 and PA-7000 Series firewalls, the dedicated HSCI ports support the HA3 link. The firewall adds a proprietary packet header to packets traversing the HA3 link, so the MTU over this link must be greater than the maximum packet length forwarded.
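As an added example (not PAN-OS code), the following Python script turns the port and protocol numbers in the table above into an allow-list and audits constructed flow records between two HA peers against it. Anything between the peers that is not HA traffic, and any non-peer host reaching the HA ports, is reported; whether you see TCP 28 or TCP 28769/28260 tells you whether HA1 encryption is in use. The flow records, addresses and the Flow record type are constructed for the example; how you obtain real flow records (traffic logs, NetFlow, a packet capture) is up to you.

```python
"""Audit traffic between two HA peers against the HA link ports the guide lists.

Added example, not PAN-OS code; the flow records below are constructed. The
port, protocol and ethertype values come from the HA Links and Backup Links
table in the guide.
"""
from typing import Dict, List, NamedTuple, Optional, Set


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str            # "tcp", "udp", "ip" (raw IP protocol) or "l2" (Ethernet frame)
    dport: Optional[int]  # TCP/UDP port, IP protocol number for "ip", ethertype for "l2"


# (proto, dport) -> expected HA function, taken from the guide's table.
EXPECTED_HA_TRAFFIC: Dict[tuple, str] = {
    ("tcp", 28769): "HA1 control link (cleartext)",
    ("tcp", 28260): "HA1 control link / HA1 backup (cleartext)",
    ("tcp", 28):    "HA1 control link (encrypted, SSH over TCP)",
    ("tcp", 28770): "HA1 backup link",
    ("tcp", 28771): "heartbeat backup (MGT interface)",
    ("udp", 29281): "HA2 data link (UDP transport, spans subnets)",
    ("ip", 99):     "HA2 data link (IP protocol 99 transport)",
    ("l2", 0x7261): "HA2 data link (Layer 2, default ethertype 0x7261)",
}


def classify(flow: Flow) -> str:
    """Name the HA function a flow matches, or 'unexpected'."""
    return EXPECTED_HA_TRAFFIC.get((flow.proto, flow.dport), "unexpected")


def audit_peer_traffic(flows: List[Flow], peers: Set[str]) -> Dict[str, List[Flow]]:
    """Split flows into expected HA traffic between the peers, other peer-to-peer
    traffic, and non-peer hosts reaching HA ports.

    HA links should carry only HA traffic, so anything else between the peers is
    worth a look, and a host that is not a peer talking to the HA ports is not an
    HA peer at all.
    """
    report: Dict[str, List[Flow]] = {"expected": [], "unexpected": [], "non_peer_to_ha_port": []}
    for f in flows:
        between_peers = f.src in peers and f.dst in peers
        label = classify(f)
        if between_peers and label != "unexpected":
            report["expected"].append(f)
        elif between_peers:
            report["unexpected"].append(f)
        elif f.dst in peers and label != "unexpected":
            report["non_peer_to_ha_port"].append(f)
    return report


# Constructed sample flows (RFC 5737 documentation addresses), not a real capture.
PEERS = {"192.0.2.1", "192.0.2.2"}
SAMPLE_FLOWS = [
    Flow("192.0.2.1", "192.0.2.2", "tcp", 28769),
    Flow("192.0.2.2", "192.0.2.1", "tcp", 28),
    Flow("192.0.2.1", "192.0.2.2", "udp", 29281),
    Flow("192.0.2.1", "192.0.2.2", "ip", 99),
    Flow("192.0.2.1", "192.0.2.2", "tcp", 22),        # SSH between peers: not an HA port
    Flow("198.51.100.7", "192.0.2.1", "tcp", 28769),  # third host talking to the HA1 port
]

if __name__ == "__main__":
    for bucket, items in audit_peer_traffic(SAMPLE_FLOWS, PEERS).items():
        for f in items:
            print(f"{bucket:20} {f.src} -> {f.dst} {f.proto}/{f.dport}: {classify(f)}")
```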

HA Ports on the PA-7000 Series Firewall

HA connectivity on the PA-7000 Series mandates the use of specific ports on the Switch Management Card (SMC) for certain functions; for other functions, you can use the ports on the Network Processing Card (NPC). PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one.
The following table describes the SMC ports that are designed for HA connectivity:

HA Links and Backup Links | Ports on the SMC | Description

Control Link
    Port on the SMC: HA1-A (Speed: Ethernet 10/100/1000)
    Used for HA control and synchronization in both HA modes. Connect this port directly from the HA1-A port on the first firewall to the HA1-A on the second firewall in the pair, or connect them together through a switch or router.
    HA1 cannot be configured on NPC data ports or the MGT port.

Control Link Backup
    Port on the SMC: HA1-B (Speed: Ethernet 10/100/1000 port)
    Used for HA control and synchronization as a backup for HA1-A in both HA modes. Connect this port directly from the HA1-B port on the first firewall to the HA1-B on the second firewall in the pair, or connect them together through a switch or router.
    HA1 Backup cannot be configured on NPC data ports or the MGT port.

Data Link and Data Link Backup
    Ports on the SMC: HSCI-A (Data Link) and HSCI-B (Data Link Backup)
    The High Speed Chassis Interconnect (HSCI) ports are layer 1 Quad Port SFP+ (QSFP+) interfaces which are used to connect two PA-7000 Series firewalls in an HA configuration. Each port is comprised of four 10-gigabit channels multiplexed for a combined speed of 40 gigabits.
    The traffic carried on the HSCI ports is raw layer 1, which is not routable or switchable; therefore the HSCI ports must be connected directly to each other. The HSCI-A on the first chassis connects directly to HSCI-A on the second chassis and HSCI-B on the first chassis connects to HSCI-B on the second chassis. This will provide full 80-gigabit transfer rates. In software, both ports (HSCI-A and HSCI-B) are treated as one HA interface.
    The PA-5200 Series firewalls also utilize HSCI, but have only one HSCI port. The PA-5220 has one QSFP 40Gbps port and the PA-5250 and PA-5260 firewalls have one QSFP28 40/100Gbps port.
    Palo Alto Networks recommends using the dedicated HSCI ports for the HA2 link. The HA3 link, required for packet forwarding in an active/active deployment, must use the HSCI port; the HA3 traffic cannot be configured on data ports.
    If the firewalls are deployed in:
    an active/active configuration, the HA3 link may use only the HSCI ports. The HA2 link and HA2 backup links can use the HSCI ports or data ports on the NPC.
    an active/passive configuration, you can configure a data port on the NPC for the HA2 link or the HA2 backup link, if needed.

Device Priority and Preemption

The firewalls in an HA pair can be assigned a device priority value to indicate a preference for which firewall should assume the active or active-primary role. If you need to use a specific firewall in the HA pair for actively securing traffic, you must enable the preemptive behavior on both the firewalls and assign a device priority value for each firewall. The firewall with the lower numerical value, and therefore higher priority, is designated as active or active-primary. The other firewall is the active-secondary or passive firewall.
By default, preemption is disabled on the firewalls and must be enabled on both firewalls. When enabled, the preemptive behavior allows the firewall with the higher priority (lower numerical value) to resume as active or active-primary after it recovers from a failure. When preemption occurs, the event is logged in the system logs.

Failover

When a failure occurs on one firewall and the peer takes over the task of securing traffic, the event is called a failover. A failover is triggered, for example, when a monitored metric on a firewall in the HA pair fails. The metrics that are monitored for detecting a firewall failure are:
Heartbeat Polling and Hello messages
The firewalls use hello messages and heartbeats to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the firewalls are connected and responsive. By default, the interval for the heartbeat is 1000 milliseconds. A ping is sent every 1000 milliseconds and if there are three consecutive heartbeat losses, a failover occurs. For details on the HA timers that trigger a failover, see HA Timers.
Link Monitoring
The physical interfaces to be monitored are grouped into a link group and their state (link up or link down) is monitored. A link group can contain one or more physical interfaces. A firewall failure is triggered when any or all of the interfaces in the group fail. The default behavior is that failure of any one link in the link group will cause the firewall to change the HA state to non-functional (or to tentative state in active/active mode) to indicate a failure of a monitored object.
Path Monitoring
Monitors the full path through the network to mission-critical IP addresses. ICMP pings are used to verify reachability of the IP address. The default interval for pings is 200 ms. An IP address is considered unreachable when 10 consecutive pings (the default value) fail, and a firewall failure is triggered when any or all of the IP addresses monitored become unreachable. The default behavior is that any one of the IP addresses becoming unreachable will cause the firewall to change the HA state to non-functional (or to tentative state in active/active mode) to indicate a failure of a monitored object.
In addition to the failover triggers listed above, a failover also occurs when the administrator suspends the firewall or when preemption occurs.
On the PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls, a failover can occur when an internal health check fails. This health check is not configurable and is enabled to monitor the critical components, such as the FPGA and CPUs. Additionally, general health checks occur on any platform, causing failover.

LACP and LLDP Pre-Negotiation for Active/Passive HA

If a firewall uses LACP or LLDP, negotiation of those protocols upon failover prevents sub-second failover. However, you can enable an interface on a passive firewall to negotiate LACP and LLDP prior to failover. Thus, a firewall in Passive or Non-functional HA state can communicate with neighboring devices using LACP or LLDP. Such pre-negotiation speeds up failover.
The PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls support a pre-negotiation configuration depending on whether the Ethernet or AE interface is in a Layer 2, Layer 3, or virtual wire deployment. An HA passive firewall handles LACP and LLDP packets in one of two ways:
Active: The firewall has LACP or LLDP configured on the interface and actively participates in LACP or LLDP pre-negotiation, respectively.
Passive: LACP or LLDP is not configured on the interface and the firewall does not participate in the protocol, but allows the peers on either side of the firewall to pre-negotiate LACP or LLDP, respectively.
Pre-negotiation is not supported on subinterfaces or tunnel interfaces.
To configure LACP or LLDP pre-negotiation, see Step 14 of Configure Active/Passive HA.

Floating IP Address and Virtual MAC Address

In a Layer 3 deployment of HA active/active mode, you can assign floating IP addresses, which move from one HA firewall to the other if a link or firewall fails. The interface on the firewall that owns the floating IP address responds to ARP requests with a virtual MAC address.
Floating IP addresses are recommended when you need functionality such as Virtual Router Redundancy Protocol (VRRP). Floating IP addresses can also be used to implement VPNs and source NAT, allowing for persistent connections when a firewall offering those services fails.
As shown in the figure below, each HA firewall interface has its own IP address and floating IP address. The interface IP address remains local to the firewall, but the floating IP address moves between the firewalls upon firewall failure. You configure the end hosts to use a floating IP address as its default gateway, allowing you to load-balance traffic to the two HA peers. You can also use external load balancers to load-balance traffic.
If a link or firewall fails or a path monitoring event causes a failover, the floating IP address and virtual MAC address move over to the functional firewall. (In the figure below, each firewall has two floating IP addresses and virtual MAC addresses; they all move over if the firewall fails.) The functioning firewall sends a gratuitous ARP to update the MAC tables of the connected switches to inform them of the change in floating IP address and MAC address ownership to redirect traffic to itself.
After the failed firewall recovers, by default the floating IP address and virtual MAC address move back to the firewall with the Device ID [0 or 1] to which the floating IP address is bound. More specifically, after the failed firewall recovers, it comes online. The currently active firewall determines that the firewall is back online and checks whether the floating IP address it is handling belongs natively to itself or the other firewall. If the floating IP address was originally bound to the other Device ID, the firewall automatically gives it back. (For an alternative to this default behavior, see Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.)

Each firewall in the HA pair creates a virtual MAC address for each of its interfaces that has a floating IP address or ARP Load-Sharing IP address.
The format of the virtual MAC address (on firewalls other than PA-7000 Series firewalls) is 00-1B-17-00-xx-yy, where 00-1B-17 is the vendor ID (of Palo Alto Networks in this case), 00 is fixed, xx indicates the Device ID and Group ID as shown in the following figure, and yy is the Interface ID:

The format of the virtual MAC address on PA-7000 Series firewalls is 00-1B-17-xx-xx-xx, where 00-1B-17 is the vendor ID (of Palo Alto Networks in this case), and the next 24 bits indicate the Device ID, Group ID and Interface ID as follows:

When a new active firewall takes over, it sends gratuitous ARPs from each of its connected interfaces to inform the connected Layer 2 switches of the new location of the virtual MAC address. To configure floating IP addresses, see Use Case: Configure Active/Active HA with Floating IP Addresses.
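The following added example (not PAN-OS code) decodes the non-PA-7000 virtual MAC format given above from a constructed ARP table, so that an operator can tell floating-IP or ARP load-sharing addresses from ordinary hosts when reading switch or host ARP caches. The Device ID/Group ID split of the xx octet is in the figure, which is not reproduced here, so the example reports that octet as one value; the PA-7000 layout is likewise not decoded.

```python
"""Recognize PAN-OS HA virtual MAC addresses of the form the guide gives for
firewalls other than the PA-7000 Series: 00-1B-17-00-xx-yy, where 00-1B-17 is
the Palo Alto Networks vendor ID, the fourth octet is fixed at 00, xx encodes
the Device ID and Group ID, and yy is the Interface ID.

Added example, not PAN-OS code. The split of the xx octet between Device ID
and Group ID is shown only in the guide's figure (not reproduced here), so xx
is reported as one value. The sample ARP table is constructed.
"""
from typing import List, NamedTuple, Optional, Tuple

PAN_OUI = "00:1b:17"


class VirtualMac(NamedTuple):
    mac: str
    device_group_id: int  # the xx octet: Device ID and Group ID combined
    interface_id: int     # the yy octet


def normalize_mac(mac: str) -> str:
    """Accept 00:1B:17:00:05:01, 00-1b-17-00-05-01 or 001b17000501; return colon form, lower case."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_virtual_mac(mac: str) -> Optional[VirtualMac]:
    """Return the decoded fields if this is a (non-PA-7000) HA virtual MAC, else None."""
    m = normalize_mac(mac)
    octets = m.split(":")
    if ":".join(octets[:3]) != PAN_OUI or octets[3] != "00":
        return None
    return VirtualMac(m, int(octets[4], 16), int(octets[5], 16))


def find_virtual_macs(arp_table: List[Tuple[str, str]]) -> List[Tuple[str, VirtualMac]]:
    """From (ip, mac) pairs, list the IPs answered by an HA virtual MAC.

    On a switch or host, an IP that alternates between a physical MAC and a
    virtual MAC, or a virtual MAC learned on a port that is not a firewall, is
    what a defender would want flagged; this returns the raw matches for that.
    """
    hits = []
    for ip, mac in arp_table:
        vm = parse_virtual_mac(mac)
        if vm is not None:
            hits.append((ip, vm))
    return hits


# Constructed sample ARP table: two gateway IPs answered by virtual MACs and one
# host with an ordinary locally administered MAC.
SAMPLE_ARP_TABLE = [
    ("192.0.2.1", "00:1b:17:00:05:01"),
    ("192.0.2.2", "00:1B:17:00:05:02"),
    ("192.0.2.50", "02:00:00:aa:bb:cc"),
]

if __name__ == "__main__":
    for ip, vm in find_virtual_macs(SAMPLE_ARP_TABLE):
        print(f"{ip}: virtual MAC {vm.mac}, device/group octet {vm.device_group_id:#04x}, interface id {vm.interface_id}")
```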

ARP Load-Sharing

In a Layer 3 interface deployment and active/active HA configuration, ARP load-sharing allows the firewalls to share an IP address and provide gateway services. Use ARP load-sharing only when no Layer 3 device exists between the firewall and end hosts, that is, when end hosts use the firewall as their default gateway.

In such a scenario, all hosts are configured with a single gateway IP address. One of the firewalls responds to ARP requests for the gateway IP address with its virtual MAC address. Each firewall has a unique virtual MAC address generated for the shared IP address. The load-sharing algorithm that controls which firewall will respond to the ARP request is configurable; it is determined by computing the hash or modulo of the source IP address of the ARP request.
After the end host receives the ARP response from the gateway, it caches the MAC address and all traffic from the host is routed via the firewall that responded with the virtual MAC address for the lifetime of the ARP cache. The lifetime of the ARP cache depends on the end host operating system.
If a link or firewall fails, the floating IP address and virtual MAC address move over to the functional firewall. The functional firewall sends gratuitous ARPs to update the MAC table of the connected switches to redirect traffic from the failed firewall to itself. See Use Case: Configure Active/Active HA with ARP Load-Sharing.
You can configure interfaces on the WAN side of the HA firewalls with floating IP addresses, and configure interfaces on the LAN side of the HA firewalls with a shared IP address for ARP load-sharing. For example, the figure below illustrates floating IP addresses for the upstream WAN edge routers and an ARP load-sharing address for the hosts on the LAN segment.

Route-Based Redundancy

In a Layer 3 interface deployment and active/active HA configuration, the firewalls are connected to routers, not switches. The firewalls use dynamic routing protocols to determine the best path (asymmetric route) and to load-share between the HA pair. In such a scenario, no floating IP addresses are necessary. If a link, monitored path, or firewall fails, or if Bidirectional Forwarding Detection (BFD) detects a link failure, the routing protocol (RIP, OSPF, or BGP) handles the rerouting of traffic to the functioning firewall. You configure each firewall interface with a unique IP address. The IP addresses remain local to the firewall where they are configured; they do not move between devices when a firewall fails. See Use Case: Configure Active/Active HA with Route-Based Redundancy.

HA Timers

High availability (HA) timers facilitate a firewall to detect a firewall failure and trigger a failover. To reduce the complexity in configuring HA timers, you can select from three profiles: Recommended, Aggressive and Advanced. These profiles auto-populate the optimum HA timer values for the specific firewall platform to enable a speedier HA deployment.
Use the Recommended profile for typical failover timer settings and the Aggressive profile for faster failover timer settings. The Advanced profile allows you to customize the timer values to suit your network requirements.
The following table describes each timer included in the profiles and the current preset values (Recommended/Aggressive) across the different hardware models; these values are for current reference only and can change in a subsequent release.

Timer preset values are given as Recommended/Aggressive for three platform groups:
(A) PA-7000 Series, PA-5200 Series, PA-5000 Series, PA-3000 Series
(B) PA-800 Series, PA-500, PA-220, PA-200, VM-Series
(C) Panorama virtual appliance, Panorama M-Series

Monitor Fail Hold Up Time (ms)
    Interval during which the firewall will remain active following a path monitor or link monitor failure. This setting is recommended to avoid an HA failover due to the occasional flapping of neighboring devices.
    A: 0/0; B: 0/0; C: 0/0

Preemption Hold Time (min)
    Time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall.
    A: 1/1; B: 1/1; C: 1/1

Heartbeat Interval (ms)
    Frequency at which the HA peers exchange heartbeat messages in the form of an ICMP (ping).
    A: 1000/1000; B: 2000/1000, 2000/1000 (only for VM-Series in AWS); C: 2000/1000

Promotion Hold Time (ms)
    Time that the passive firewall (in active/passive mode) or the active-secondary firewall (in active/active mode) will wait before taking over as the active or active-primary firewall after communications with the HA peer have been lost. This hold time will begin only after the peer failure declaration has been made.
    A: 2000/500; B: 2000/500; C: 2000/500

Additional Master Hold Up Time (ms)
    Time interval that is applied to the same event as Monitor Fail Hold Up Time (range 0-60000 ms, default 500 ms). The additional time interval is applied only to the active firewall in active/passive mode and to the active-primary firewall in active/active mode. This timer is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously.
    A: 500/500; B: 500/500; C: 7000/5000

Hello Interval (ms)
    Interval in milliseconds between hello packets that are sent to verify that the HA functionality on the other firewall is operational. The range is 8000-60000 ms with a default of 8000 ms for all platforms.
    A: 8000/8000; B: 8000/8000; C: 8000/8000

Maximum No. of Flaps
    A flap is counted when the firewall leaves the active state within 15 minutes after it last left the active state. This value indicates the maximum number of flaps that are permitted before the firewall is determined to be suspended and the passive firewall takes over (range 0-16; default 3).
    A: 3/3; B: 3/3; C: Not Applicable
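The detection rules in the Failover section (three consecutive heartbeat losses, 10 consecutive failed path-monitor pings, link and path groups failing on any or all of their members) and the flap rule in this table (a flap is a transition out of the active state within 15 minutes of the previous one, at most 3 permitted by default) are modelled in the following added example. It is not PAN-OS code and makes no claim about how PAN-OS implements these checks internally; the monitoring samples are constructed. It is useful for reasoning about what a given monitoring trace will do before changing a profile.

```python
"""Failure detection and flap counting as the Failover section and the HA
Timers table describe them.

Added example, not PAN-OS code; it models the defaults stated in the guide
(heartbeat: three consecutive losses declare the peer failed; path monitoring:
10 consecutive failed pings mark an address unreachable; a link or path group
fails on 'any' or 'all' of its members; a flap is counted when the firewall
leaves the active state within 15 minutes of last leaving it, with 3 flaps
permitted). Event sequences are constructed.
"""
from typing import Iterable, List

HEARTBEAT_LOSSES_TO_FAIL = 3
PATH_PING_FAILURES_TO_UNREACHABLE = 10
FLAP_WINDOW_S = 15 * 60
MAX_FLAPS = 3


def heartbeat_failed(replies: Iterable[bool]) -> bool:
    """replies: True for each answered heartbeat ping, False for a loss.
    The peer is declared failed on the third consecutive loss."""
    consecutive = 0
    for ok in replies:
        consecutive = 0 if ok else consecutive + 1
        if consecutive >= HEARTBEAT_LOSSES_TO_FAIL:
            return True
    return False


def unreachable(ping_results: Iterable[bool],
                threshold: int = PATH_PING_FAILURES_TO_UNREACHABLE) -> bool:
    """One monitored IP: unreachable after `threshold` consecutive failed pings."""
    consecutive = 0
    for ok in ping_results:
        consecutive = 0 if ok else consecutive + 1
        if consecutive >= threshold:
            return True
    return False


def group_failed(member_failed: List[bool], condition: str) -> bool:
    """Link or path group failure condition: 'any' (the default) or 'all'."""
    if condition == "any":
        return any(member_failed)
    if condition == "all":
        return bool(member_failed) and all(member_failed)
    raise ValueError("condition must be 'any' or 'all'")


def count_flaps(leave_active_times_s: List[float]) -> int:
    """Count flaps: transitions out of the active state that happen within
    FLAP_WINDOW_S of the previous transition out of active."""
    flaps = 0
    for prev, cur in zip(leave_active_times_s, leave_active_times_s[1:]):
        if cur - prev <= FLAP_WINDOW_S:
            flaps += 1
    return flaps


def suspended_for_flapping(leave_active_times_s: List[float], max_flaps: int = MAX_FLAPS) -> bool:
    """More flaps than permitted: the firewall is determined to be suspended."""
    return count_flaps(leave_active_times_s) > max_flaps


# Constructed monitoring samples.
HEARTBEATS_OK = [True, False, False, True, False, False, True]   # never three losses in a row
HEARTBEATS_LOST = [True, True, False, False, False]               # failed on the third loss
PATH_PINGS = [True] * 5 + [False] * 10                            # 10 consecutive failures

if __name__ == "__main__":
    print("heartbeat failed:", heartbeat_failed(HEARTBEATS_LOST))
    print("path unreachable:", unreachable(PATH_PINGS))
    print("group (any) failed:", group_failed([False, True], "any"))
    print("flaps:", count_flaps([0, 300, 600, 900, 1200]))
```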

Session Owner

In an HA active/active configuration, both firewalls are active simultaneously, which means packets can be distributed between them. Such distribution requires the firewalls to fulfill two functions: session ownership and session setup. Typically, each firewall of the pair performs one of these functions, thereby avoiding race conditions that can occur in asymmetrically routed environments.
You configure the session owner of sessions to be either the firewall that receives the First Packet of a new session from the end host or the firewall that is in active-primary state (the Primary device). If Primary device is configured, but the firewall that receives the first packet is not in active-primary state, the firewall forwards the packet to the peer firewall (the session owner) over the HA3 link.
The session owner performs all Layer 7 processing, such as App-ID, Content-ID, and threat scanning for the session. The session owner also generates all traffic logs for the session.
If the session owner fails, the peer firewall becomes the session owner. The existing sessions fail over to the functioning firewall and no Layer 7 processing is available for those sessions. When a firewall recovers from a failure, by default, all sessions it owned before the failure revert back to that original firewall; Layer 7 processing does not resume.
If you configure session ownership to be Primary device, the session setup defaults to Primary device also.

Palo Alto Networks recommends setting the Session Owner to First Packet and the Session Setup to IP Modulo unless otherwise indicated in a specific use case.

Setting Session Owner and Session Setup to Primary Device causes the active-primary firewall to perform all traffic processing. You might want to configure this for one of these reasons:
You are troubleshooting and capturing logs and pcaps, so that packet processing is not split between the firewalls.
You want to force the active/active HA pair to function like an active/passive HA pair. See Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.

Session Setup

The session setup firewall performs the Layer 2 through Layer 4 processing necessary to set up a new session. The session setup firewall also performs NAT using the NAT pool of the session owner. You determine the session setup firewall in an active/active configuration by selecting one of the following session setup load-sharing options.

Session Setup Option   Description

IP Modulo        The firewall distributes the session setup load based on parity of the source IP address. This is a deterministic method of sharing the session setup.

IP Hash          The firewall uses a hash of the source and destination IP addresses to distribute session setup responsibilities.

Primary Device   The active-primary firewall always sets up the session; only one firewall performs all session setup responsibilities.

First Packet     The firewall that receives the first packet of a session performs session setup.
If you want to load share the session owner and session setup responsibilities, set session owner to First Packet and session setup to IP Modulo. These are the recommended settings.

If you want to do troubleshooting or capture logs or pcaps, or if you want an active/active HA pair to function like an active/passive HA pair, set both the session owner and session setup to Primary device so that the active-primary device performs all traffic processing. See Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.

The firewall uses the HA3 link to send packets to its peer for session setup if necessary. The following figure and text describe the path of a packet that firewall FW1 receives for a new session. The red dotted lines indicate FW1 forwarding the packet to FW2 and FW2 forwarding the packet back to FW1 over the HA3 link.

1. The end host sends a packet to FW1.
2. FW1 examines the contents of the packet to match it to an existing session. If there is no session match, FW1 determines that it has received the first packet for a new session and therefore becomes the session owner (assuming Session Owner Selection is set to First Packet).
3. FW1 uses the configured session setup load-sharing option to identify the session setup firewall. In this example, FW2 is configured to perform session setup.
4. FW1 uses the HA3 link to send the first packet to FW2.
5. FW2 sets up the session and returns the packet to FW1 for Layer 7 processing, if any.
6. FW1 then forwards the packet out the egress interface to the destination.

The following figure and text describe the path of a packet that matches an existing session:

1. The end host sends a packet to FW1.
2. FW1 examines the contents of the packet to match it to an existing session. If the packet matches an existing session, FW1 processes the packet and sends the packet out the egress interface to the destination.

NAT in Active/Active HA Mode

In an active/active HA configuration:
- You must bind each Dynamic IP (DIP) NAT rule and Dynamic IP and Port (DIPP) NAT rule to either Device ID 0 or Device ID 1.
- You must bind each static NAT rule to either Device ID 0, Device ID 1, both Device IDs, or the firewall in active-primary state.

Thus, when one of the firewalls creates a new session, the Device ID 0 or Device ID 1 binding determines which NAT rules match the firewall. The device binding must include the session owner firewall to produce a match.

The session setup firewall performs the NAT policy match, but the NAT rules are evaluated based on the session owner. That is, the session is translated according to NAT rules that are bound to the session owner firewall. While performing NAT policy matching, a firewall skips all NAT rules that are not bound to the session owner firewall.

For example, suppose the firewall with Device ID 1 is the session owner and session setup firewall. When the firewall with Device ID 1 tries to match a session to a NAT rule, it skips all rules bound to Device ID 0. The firewall performs the NAT translation only if the session owner and the Device ID in the NAT rule match.

You will typically create device-specific NAT rules when the peer firewalls use different IP addresses for translation.

If one of the peer firewalls fails, the active firewall continues to process traffic for synchronized sessions from the failed firewall, including NAT traffic. In a source NAT configuration, when one firewall fails:

- The floating IP address that is used as the Translated IP address of the NAT rule transfers to the surviving firewall. Hence, the existing sessions that fail over will still use this IP address.
- All new sessions will use the device-specific NAT rules that the surviving firewall naturally owns. That is, the surviving firewall translates new sessions using only the NAT rules that match its Device ID; it ignores any NAT rules bound to the failed Device ID.

If you want the firewalls to perform dynamic NAT using the same IP address simultaneously, a best practice is to create a duplicate NAT rule that is bound to the peer firewall also. The result is two NAT rules with the same translation IP addresses, one bound to Device ID 0 and one bound to Device ID 1. Thus, the configuration allows the current firewall to perform new session setup and perform NAT policy matching for NAT rules that are bound to its Device ID. Without the duplicate NAT rule, the firewall will not find its own device-specific rules and will skip all NAT rules that are not bound to its Device ID when it attempts to match a NAT policy.

For examples of active/active HA with NAT, see:
- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3
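The session owner and session setup selection (Session Owner and Session Setup above) together with the Device-ID-bound NAT matching and the duplicate-rule best practice just described, as an added Python model that is not Palo Alto Networks code: the "IP Hash" function is a stand-in for the firewall's undocumented hash, and the addresses and rule names are constructed sample values.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added model of active/active session owner, session setup and device-bound
# NAT behaviour (not Palo Alto Networks code). The pair is Device ID 0 and 1.
# The IP Hash stand-in below is an assumption; the real hash is not described.


@dataclass
class Packet:
    src: str
    dst: str
    received_by: int  # Device ID of the firewall that received the first packet


@dataclass
class SessionPlan:
    owner: int        # does Layer 7 processing and generates the traffic logs
    setup: int        # does Layer 2-4 setup and the NAT policy match
    uses_ha3: bool    # the packet crosses the HA3 link at least once


def plan_session(pkt: Packet, owner_option: str, setup_option: str,
                 active_primary: int) -> SessionPlan:
    """Pick the session owner and the session setup firewall for a new session."""
    if owner_option == "Primary Device":
        owner = active_primary
        setup_option = "Primary Device"   # setup defaults to Primary Device too
    elif owner_option == "First Packet":
        owner = pkt.received_by
    else:
        raise ValueError(f"unknown session owner option {owner_option!r}")

    if setup_option == "IP Modulo":
        setup = int(ipaddress.ip_address(pkt.src)) % 2   # parity of source IP
    elif setup_option == "IP Hash":
        digest = hashlib.sha256(f"{pkt.src}|{pkt.dst}".encode()).digest()
        setup = digest[0] % 2   # stand-in for the firewall's src/dst hash
    elif setup_option == "Primary Device":
        setup = active_primary
    elif setup_option == "First Packet":
        setup = pkt.received_by
    else:
        raise ValueError(f"unknown session setup option {setup_option!r}")

    # HA3 carries the packet when the receiver is not the owner, or when the
    # owner hands the first packet to its peer for setup and gets it back.
    uses_ha3 = owner != pkt.received_by or setup != owner
    return SessionPlan(owner, setup, uses_ha3)


@dataclass
class NatRule:
    name: str
    binding: str          # "0", "1", "both" or "primary"
    translated_ip: str


def rule_bound_to_owner(rule: NatRule, owner: int, active_primary: int) -> bool:
    if rule.binding == "both":
        return True
    if rule.binding == "primary":
        return owner == active_primary
    return int(rule.binding) == owner


def match_nat(rules: List[NatRule], owner: int,
              active_primary: int) -> Optional[NatRule]:
    """First rule whose device binding includes the session owner; rules bound
    only to the other Device ID are skipped. After a peer fails, call this
    with the surviving Device ID as owner: without a duplicate rule bound to
    it, a rule that exists only for the failed peer is never matched."""
    for rule in rules:
        if rule_bound_to_owner(rule, owner, active_primary):
            return rule
    return None


if __name__ == "__main__":
    # Constructed sample: one DIPP rule bound to Device ID 0 only.
    rules = [NatRule("src-nat-dev0", "0", "203.0.113.10")]
    print(plan_session(Packet("10.1.1.3", "192.0.2.5", 0),
                       "First Packet", "IP Modulo", 0))
    print("owner 1 match:", match_nat(rules, owner=1, active_primary=0))
    rules.append(NatRule("src-nat-dev1", "1", "203.0.113.10"))  # duplicate
    print("owner 1 match:", match_nat(rules, owner=1, active_primary=0))
```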

ECMP in Active/Active HA Mode

When an active/active HA peer fails, its sessions transfer to the new active-primary firewall, which tries to use the same egress interface that the failed firewall was using. If the firewall finds that interface among the ECMP paths, the transferred sessions will take the same egress interface and path. This behavior occurs regardless of the ECMP algorithm in use; using the same interface is desirable.

Only if no ECMP path matches the original egress interface will the active-primary firewall select a new ECMP path.

If you did not configure the same interfaces on the active/active peers, upon failover the active-primary firewall selects the next best path from the FIB table. Consequently, the existing sessions might not be distributed according to the ECMP algorithm.

Set Up Active/Passive HA

- Prerequisites for Active/Passive HA
- Configuration Guidelines for Active/Passive HA
- Configure Active/Passive HA
- Define HA Failover Conditions
- Verify Failover

Prerequisites for Active/Passive HA

To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls that meet the following requirements:
- The same model: Both the firewalls in the pair must be of the same hardware model or virtual machine model.
- The same PAN-OS version: Both the firewalls should be running the same PAN-OS version and must each be up-to-date on the application, URL, and threat databases.
- The same multi virtual system capability: Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses.
- The same type of interfaces: Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.
  - Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for both peers must be on the same subnet if they are directly connected or are connected to the same switch.
  - For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
  - If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.
- The same set of licenses: Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.

As a best practice, if you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration, Reset the Firewall to Factory Default Settings on the new firewall. This ensures that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean configuration.

Configuration Guidelines for Active/Passive HA

To set up an active (Peer A) / passive (Peer B) pair in HA, you must configure some options identically on both firewalls and some independently (non-matching) on each firewall. These HA settings are not synchronized between the firewalls. For details on what is/is not synchronized, see Reference: HA Synchronization.

The following checklist details the settings that you must configure identically on both firewalls:
- You must enable HA on both firewalls.
- You must configure the same Group ID value on both firewalls. The firewall uses the Group ID value to create a virtual MAC address for all the configured interfaces. See Floating IP Address and Virtual MAC Address for information about virtual MAC addresses. When a new active firewall takes over, it sends Gratuitous ARP messages from each of its connected interfaces to inform the connected Layer 2 switches of the virtual MAC address's new location.
- If you are using in-band ports as HA links, you must set the interfaces for the HA1 and HA2 links to type HA.
- Set the HA Mode to Active Passive on both firewalls.
- If required, enable preemption on both firewalls. The device priority value, however, must not be identical.
- If required, configure encryption on the HA1 link (for communication between the HA peers) on both firewalls.
- Based on the combination of HA1 and HA1 Backup ports you are using, use the following recommendations to decide whether you should enable heartbeat backup:

  HA functionality (HA1 and HA1 backup) is not supported on the management interface if it's configured for DHCP addressing (IP Type set to DHCP Client), except for AWS.

  - HA1: Dedicated HA1 port; HA1 Backup: In-band port. Recommendation: Enable Heartbeat Backup.
  - HA1: Dedicated HA1 port; HA1 Backup: Management port. Recommendation: Do not enable Heartbeat Backup.
  - HA1: In-band port; HA1 Backup: In-band port. Recommendation: Enable Heartbeat Backup.
  - HA1: Management port; HA1 Backup: In-band port. Recommendation: Do not enable Heartbeat Backup.

The following table lists the HA settings that you must configure independently on each firewall. See Reference: HA Synchronization for more information about other configuration settings that are not automatically synchronized between peers.

Independent Configuration Settings   |   Peer A   |   Peer B

Control Link
  Peer A: IP address of the HA1 link configured on this firewall (Peer A).
  Peer B: IP address of the HA1 link configured on this firewall (Peer B).
  For firewalls without dedicated HA ports, use the management port IP address for the control link.

Data Link
  (The data link information is synchronized between the firewalls after HA is enabled and the control link is established between the firewalls.)
  Peer A: By default, the HA2 link uses Ethernet/Layer 2. If using a Layer 3 connection, configure the IP address for the data link on this firewall (Peer A).
  Peer B: By default, the HA2 link uses Ethernet/Layer 2. If using a Layer 3 connection, configure the IP address for the data link on this firewall (Peer B).

Device Priority (required, if preemption is enabled)
  Peer A: The firewall you plan to make active must have a lower numerical value than its peer. So, if Peer A is to function as the active firewall, keep the default value of 100 and increment the value on Peer B. If the firewalls have the same device priority value, they use the MAC address of their HA1 as the tiebreaker.
  Peer B: If Peer B is passive, set the device priority value to a number larger than the setting on Peer A. For example, set the value to 110.

Link Monitoring
  (Monitor one or more physical interfaces that handle vital traffic on this firewall and define the failure condition.)
  Peer A: Select the physical interfaces on the firewall that you would like to monitor and define the failure condition (all or any) to trigger a failover.
  Peer B: Pick a similar set of physical interfaces that you would like to monitor on this firewall and define the failure condition (all or any) to trigger a failover.

Path Monitoring
  (Monitor one or more destination IP addresses that the firewall can use ICMP pings to ascertain responsiveness.)
  Peer A: Define the failure condition (all or any), ping interval and the ping count. This is particularly useful for monitoring the availability of other interconnected networking devices. For example, monitor the availability of a router that connects to a server, connectivity to the server itself, or some other vital device that is in the flow of traffic. Make sure that the node/device that you are monitoring is not likely to be unresponsive, especially when it comes under load, as this could cause a path monitoring failure and trigger a failover.
  Peer B: Pick a similar set of devices or destination IP addresses that can be monitored for determining the failover trigger for Peer B. Define the failure condition (all or any), ping interval and the ping count.
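The device-priority election, the HA1 MAC tiebreaker and the two-sided preemption requirement from the table above, the Any/All link and path failure conditions, and the maximum-flaps limit from the HA timers table, as an added Python model that is not Palo Alto Networks code; interface names, MAC addresses and timestamps are constructed sample values, and the exact flap boundary (more than the maximum) is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added model of active/passive election and failover triggers (not Palo Alto
# Networks code). All names, MACs and timestamps are constructed samples.


@dataclass
class Peer:
    name: str
    device_priority: int = 100     # lower numerical value = preferred active
    ha1_mac: str = "00:00:00:00:00:00"
    preemptive: bool = False


def elect_active(a: Peer, b: Peer) -> Peer:
    """Lower device priority wins; equal priorities fall back to the lower
    HA1 MAC address as the tiebreaker."""
    return min((a, b), key=lambda p: (p.device_priority, p.ha1_mac.lower()))


def preempts(current_active: Peer, recovered: Peer) -> bool:
    """A recovered peer takes the active role back only when Preemptive is
    enabled on both firewalls and it wins the election."""
    if not (current_active.preemptive and recovered.preemptive):
        return False
    return elect_active(current_active, recovered) is recovered


@dataclass
class MonitorGroup:
    name: str
    members: List[str]             # interfaces (link group) or IPs (path group)
    failure_condition: str = "any"


def group_failed(group: MonitorGroup, down: Dict[str, bool]) -> bool:
    """Apply the group's own Any/All to the member link or ping states."""
    states = [down.get(m, False) for m in group.members]
    if group.failure_condition == "any":
        return any(states)
    if group.failure_condition == "all":
        return bool(states) and all(states)
    raise ValueError(group.failure_condition)


def failover_triggered(link_groups: List[MonitorGroup],
                       path_groups: List[MonitorGroup],
                       down: Dict[str, bool],
                       link_condition: str = "any",
                       path_condition: str = "any") -> bool:
    """Each group applies its own Any/All; the Link Monitoring and Path
    Monitoring sections then combine their groups with Any/All (default Any)."""
    def section(groups: List[MonitorGroup], condition: str) -> bool:
        results = [group_failed(g, down) for g in groups]
        if not results:
            return False
        return any(results) if condition == "any" else all(results)
    return section(link_groups, link_condition) or section(path_groups, path_condition)


class FlapCounter:
    """A flap is leaving the active state within 15 minutes of the previous
    departure. More than max_flaps (range 0-16, default 3) and the firewall
    is treated as suspended; the ">" boundary is an assumption."""

    def __init__(self, max_flaps: int = 3, window_s: int = 15 * 60):
        self.max_flaps = max_flaps
        self.window_s = window_s
        self.flaps = 0
        self.last_left: Optional[float] = None

    def leave_active(self, now_s: float) -> str:
        if self.last_left is not None and now_s - self.last_left <= self.window_s:
            self.flaps += 1
        else:
            self.flaps = 0   # quiet for longer than the window: start fresh
        self.last_left = now_s
        return "suspended" if self.flaps > self.max_flaps else "passive"


if __name__ == "__main__":
    peer_a = Peer("PeerA", 100, "00:1b:17:00:00:02", preemptive=True)
    peer_b = Peer("PeerB", 110, "00:1b:17:00:00:01", preemptive=True)
    print("active:", elect_active(peer_a, peer_b).name)
    print("A preempts B:", preempts(peer_b, peer_a))
    lg = [MonitorGroup("LG1", ["ethernet1/1", "ethernet1/2"], "all")]
    print("failover:", failover_triggered(lg, [], {"ethernet1/1": True}))
```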

Configure Active/Passive HA

The following procedure shows how to configure a pair of firewalls in an active/passive deployment as depicted in the following example topology.

To configure an active/passive HA pair, first complete the following workflow on the first firewall and then repeat the steps on the second firewall.

Connect and Configure the Firewalls

Step 1  Connect the HA ports to set up a physical connection between the firewalls.
  - For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on peers. Use a crossover cable if the peers are directly connected to each other.
  - For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls. Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.

Step 2  Enable ping on the management port. Enabling ping allows the management port to exchange heartbeat backup information.
  1. Select Device > Setup > Management and edit the Management Interface Settings.
  2. Select Ping as a service that is permitted on the interface.

Step 3  If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports. For firewalls with dedicated HA ports, continue to the next step.
  1. Select Network > Interfaces.
  2. Confirm that the link is up on the ports that you want to use.
  3. Select the interface and set Interface Type to HA.
  4. Set the Link Speed and Link Duplex settings, as appropriate.

Step 4  Set the HA mode and group ID.
  1. Select Device > High Availability > General and edit the Setup section.
  2. Set a Group ID and optionally a Description for the pair. The Group ID uniquely identifies each HA pair on your network. If you have multiple HA pairs that share the same broadcast domain, you must set a unique Group ID for each pair.
  3. Set the mode to Active Passive.

Step 5  Set up the control link connection. This example shows an in-band port that is set to interface type HA. For firewalls that use the management port as the control link, the IP address information is automatically pre-populated.
  1. In Device > High Availability > General, edit the Control Link (HA1) section.
  2. Select the Port that you have cabled for use as the HA1 link.
  3. Set the IPv4/IPv6 Address and Netmask. If the HA1 interfaces are on separate subnets, enter the IP address of the Gateway. Do not add a gateway address if the firewalls are directly connected.

Step 6  (Optional) Enable encryption for the control link connection. This is typically used to secure the link if the two firewalls are not directly connected, that is, if the ports are connected to a switch or a router.
  1. Export the HA key from one firewall and import it into the peer firewall.
     a. Select Device > Certificate Management > Certificates.
     b. Select Export HA key. Save the HA key to a network location that the peer can access.
     c. On the peer firewall, select Device > Certificate Management > Certificates, and select Import HA key to browse to the location where you saved the key and import it into the peer.
  2. Select Device > High Availability > General, edit the Control Link (HA1) section.
  3. Select Encryption Enabled.

Step 7  Set up the backup control link connection.
  1. In Device > High Availability > General, edit the Control Link (HA1 Backup) section.
  2. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.

Step 8  Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.
  1. In Device > High Availability > General, edit the Data Link (HA2) section.
  2. Select the Port to use for the data link connection.
  3. Select the Transport method. The default is ethernet, and will work when the HA pair is connected directly or through a switch. If you need to route the data link traffic through the network, select IP or UDP as the transport mode.
  4. If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.
  5. Verify that Enable Session Synchronization is selected.
  6. Select HA2 Keep-alive to enable monitoring on the HA2 data link between the HA peers. If a failure occurs based on the threshold that is set (default is 10000 ms), the defined action will occur. For active/passive configuration, a critical system log message is generated when an HA2 keep-alive failure occurs.
     NOTE: You can configure the HA2 keep-alive option on both firewalls, or just one firewall in the HA pair. If the option is only enabled on one firewall, only that firewall will send the keep-alive messages. The other firewall will be notified if a failure occurs.
  7. Edit the Data Link (HA2 Backup) section, select the interface, and add the IPv4/IPv6 Address and Netmask.

Step 9  Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port. You do not need to enable heartbeat backup if you are using the management port for the control link.
  1. In Device > High Availability > General, edit the Election Settings.
  2. Select Heartbeat Backup.
     To allow the heartbeats to be transmitted between the firewalls, you must verify that the management port across both peers can route to each other.
     Enabling heartbeat backup also allows you to prevent a split-brain situation. Split brain occurs when the HA1 link goes down, causing the firewall to miss heartbeats, although the firewall is still functioning. In such a situation, each peer believes that the other is down and attempts to start services that are running, thereby causing a split brain. When the heartbeat backup link is enabled, split brain is prevented because redundant heartbeats and hello messages are transmitted over the management port.

Step 10  Set the device priority and enable preemption. This setting is only required if you wish to make sure that a specific firewall is the preferred active firewall. For information, see Device Priority and Preemption.
  1. In Device > High Availability > General, edit the Election Settings.
  2. Set the numerical value in Device Priority. Make sure to set a lower numerical value on the firewall that you want to assign a higher priority to.
     NOTE: If both firewalls have the same device priority value, the firewall with the lowest MAC address on the HA1 control link will become the active firewall.
  3. Select Preemptive. You must enable preemptive on both the active firewall and the passive firewall.

Step 11  (Optional) Modify the HA Timers. By default, the HA timer profile is set to the Recommended profile and is suited for most HA deployments.
  1. In Device > High Availability > General, edit the Election Settings.
  2. Select the Aggressive profile for triggering failover faster; select Advanced to define custom values for triggering failover in your setup.
     NOTE: To view the preset value for an individual timer included in a profile, select Advanced and click Load Recommended or Load Aggressive. The preset values for your hardware model will be displayed on screen.

Step 12  (Optional, only configured on the passive firewall) Modify the link status of the HA ports on the passive firewall.
  NOTE: The passive link state is shutdown, by default. After you enable HA, the link state for the HA ports on the active firewall will be green and those on the passive firewall will be down and display as red.
  Setting the link state to Auto reduces the amount of time it takes for the passive firewall to take over when a failover occurs and allows you to monitor the link state.
  To enable the link status on the passive firewall to stay up and reflect the cabling status on the physical interface:
  1. In Device > High Availability > General, edit the Active Passive Settings.
  2. Set the Passive Link State to Auto. The auto option decreases the amount of time it takes for the passive firewall to take over when a failover occurs.
     NOTE: Although the interface displays green (as cabled and up), it continues to discard all traffic until a failover is triggered. When you modify the passive link state, make sure that the adjacent devices do not forward traffic to the passive firewall based only on the link status of the firewall.

Step 13  Enable HA.
  1. Select Device > High Availability > General and edit the Setup section.
  2. Select Enable HA.
  3. Select Enable Config Sync. This setting enables the synchronization of the configuration settings between the active and the passive firewall.
  4. Enter the IP address assigned to the control link of the peer in Peer HA1 IP Address. For firewalls without dedicated HA ports, if the peer uses the management port for the HA1 link, enter the management port IP address of the peer.
  5. Enter the Backup HA1 IP Address.

Step 14  (Optional) Enable LACP and LLDP Pre-Negotiation for Active/Passive HA for faster failover if your network uses LACP or LLDP.
  NOTE: Enable LACP and LLDP before configuring HA pre-negotiation for the protocol if you want pre-negotiation to function in active mode.
  1. Ensure that in Step 12 you set the link state to Auto.
  2. Select Network > Interfaces > Ethernet.
  3. To enable LACP active pre-negotiation:
     a. Select an AE interface in a Layer 2 or Layer 3 deployment.
     b. Select the LACP tab.
     c. Select Enable in HA Passive State.
     d. Click OK.
     NOTE: You cannot also select Same System MAC Address for Active-Passive HA because pre-negotiation requires unique interface MAC addresses on the active and passive firewalls.
  4. To enable LACP passive pre-negotiation:
     a. Select an Ethernet interface in a virtual wire deployment.
     b. Select the Advanced tab.
     c. Select the LACP tab.
     d. Select Enable in HA Passive State.
     e. Click OK.
  5. To enable LLDP active pre-negotiation:
     a. Select an Ethernet interface in a Layer 2, Layer 3, or virtual wire deployment.
     b. Select the Advanced tab.
     c. Select the LLDP tab.
     d. Select Enable in HA Passive State.
     e. Click OK.
     NOTE: If you want to allow LLDP passive pre-negotiation for a virtual wire deployment, perform Step 5 but do not enable LLDP itself.

Step 15  Save your configuration changes. Click Commit.

Step 16  After you finish configuring both firewalls, verify that the firewalls are paired in active/passive HA.
  1. Access the Dashboard on both firewalls, and view the High Availability widget.
  2. On the active firewall, click the Sync to peer link.
  3. Confirm that the firewalls are paired and synced, as follows:
     - On the passive firewall: the state of the local firewall should display passive and the Running Config should show as synchronized.
     - On the active firewall: the state of the local firewall should display active and the Running Config should show as synchronized.

Define HA Failover Conditions

Configure the Failover Triggers

Step 1  To configure link monitoring, define the interfaces you want to monitor. A change in the link state of these interfaces will trigger a failover.
  1. Select Device > High Availability > Link and Path Monitoring and Add a Link Group.
  2. Name the Link Group, Add the interfaces to monitor, and select the Failure Condition for the group. The Link Group you define is added to the Link Group section.

Step 2  (Optional) Modify the failure condition for the Link Groups that you configured (in the preceding step) on the firewall. By default, the firewall will trigger a failover when any monitored link fails.
  1. Select the Link Monitoring section.
  2. Set the Failure Condition to All. The default setting is Any.

Step 3  To configure path monitoring, define the destination IP addresses that the firewall should ping to verify network connectivity.
  1. In the Path Group section of the Device > High Availability > Link and Path Monitoring tab, pick the Add option for your setup: Virtual Wire, VLAN, or Virtual Router.
  2. Select the appropriate item from the drop-down for the Name and Add the IP addresses (source and/or destination, as prompted) that you wish to monitor. Then select the Failure Condition for the group. The path group you define is added to the Path Group section.

Step 4  (Optional) Modify the failure condition for all Path Groups configured on the firewall. By default, the firewall will trigger a failover when any monitored path fails.
  Set the Failure Condition to All. The default setting is Any.

Step 5  Save your changes. Click Commit.

If you are using SNMPv3 to monitor the firewalls, note that the SNMPv3 Engine ID is unique to each firewall; the Engine ID is not synchronized between the HA pair and, therefore, allows you to independently monitor each firewall in the HA pair. For information on setting up SNMP, see Forward Traps to an SNMP Manager. Because the Engine ID is generated using the firewall serial number, on the VM-Series firewall you must apply a valid license in order to obtain a unique Engine ID for each firewall.

Verify Failover

To test that your HA configuration works properly, trigger a manual failover and verify that the firewalls transition states successfully.

Verify Failover

Step 1  Suspend the active firewall.
  Select Device > High Availability > Operational Commands and click the Suspend local device link.

Step 2  Verify that the passive firewall has taken over as active.
  On the Dashboard, verify that the state of the passive firewall changes to active in the High Availability widget.

Step 3  Restore the suspended firewall to a functional state. Wait for a couple of minutes, and then verify that preemption has occurred, if Preemptive is enabled.
  1. On the firewall you previously suspended, select Device > High Availability > Operational Commands and click the Make local device functional link.
  2. In the High Availability widget on the Dashboard, confirm that the firewall has taken over as the active firewall and that the peer is now in a passive state.

Set Up Active/Active HA

- Prerequisites for Active/Active HA
- Configure Active/Active HA
- Determine Your Active/Active Use Case

Prerequisites for Active/Active HA

To set up active/active HA on your firewalls, you need a pair of firewalls that meet the following requirements:
- The same model: The firewalls in the pair must be of the same hardware model.
- The same PAN-OS version: The firewalls must be running the same PAN-OS version and must each be up-to-date on the application, URL, and threat databases.
- The same multi virtual system capability: Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses.
- The same type of interfaces: Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.
  - The HA interfaces must be configured with static IP addresses only, not IP addresses obtained from DHCP (except AWS can use DHCP addresses). Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for the peers must be on the same subnet if they are directly connected or are connected to the same switch.
  - For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
  - If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.
  - Each firewall needs a dedicated interface for the HA3 link. The PA-5200 Series and PA-7000 Series firewalls use the HSCI port for HA3. On the remaining platforms, you can configure aggregate interfaces as the HA3 link for redundancy.
- The same set of licenses: Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.

If you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration, it is recommended that you Reset the Firewall to Factory Default Settings on the new firewall. This will ensure that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean config. You will also have to configure local IP addresses.

Configure Active/Active HA

The following procedure describes the basic workflow for configuring your firewalls in an active/active configuration. However, before you begin, Determine Your Active/Active Use Case for configuration examples more tailored to your specific network environment.

To configure active/active, first complete the following steps on one peer and then complete them on the second peer, ensuring that you set the Device ID to different values (0 or 1) on each peer.

Configure Active/Active HA

Step 1  Connect the HA ports to set up a physical connection between the firewalls.
  NOTE: For each use case, the firewalls could be any hardware platform; choose the HA3 step that corresponds with your platform.
  - For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on peers. Use a crossover cable if the peers are directly connected to each other.
  - For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls. Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.
  - For HA3:
    - On PA-7000 Series firewalls, connect the High Speed Chassis Interconnect (HSCI-A) on the first chassis to the HSCI-A on the second chassis, and the HSCI-B on the first chassis to the HSCI-B on the second chassis. On a PA-5200 Series firewall (which has one HSCI port), connect the HSCI port on the first chassis to the HSCI port on the second chassis.
    - On any other hardware platform, use dataplane interfaces for HA3.

Step 2  Enable ping on the management port. Enabling ping allows the management port to exchange heartbeat backup information.
  1. In Device > Setup > Management, edit Management Interface Settings.
  2. Select Ping as a service that is permitted on the interface.

Step 3  If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports. For firewalls with dedicated HA ports, continue to the next step.
  1. Select Network > Interfaces.
  2. Confirm that the link is up on the ports that you want to use.
  3. Select the interface and set Interface Type to HA.
  4. Set the Link Speed and Link Duplex settings, as appropriate.

Step 4  Enable active/active HA and set the group ID.
  1. In Device > High Availability > General, edit Setup.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. (Optional) Enter a Description.
  5. For Mode, select Active Active.

Step 5  Set the Device ID, enable synchronization, and identify the control link on the peer firewall.
  1. In Device > High Availability > General, edit Setup.
  2. Select Device ID as follows:
     - When configuring the first peer, set the Device ID to 0.
     - When configuring the second peer, set the Device ID to 1.
  3. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
  4. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
  5. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
  6. Click OK.

Step 6  Determine whether or not the firewall with the lower Device ID preempts the active-primary firewall upon recovery from a failure.
  1. In Device > High Availability > General, edit Election Settings.
  2. Select Preemptive to cause the firewall with the lower Device ID to automatically resume active-primary operation after either firewall recovers from a failure. Both firewalls must have Preemptive selected for preemption to occur. Leave Preemptive unselected if you want the active-primary role to remain with the current firewall until you manually make the recovered firewall the active-primary firewall.

Step 7  Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port. You need not enable heartbeat backup if you are using the management port for the control link.
  1. In Device > High Availability > General, edit Election Settings.
  2. Select Heartbeat Backup.
     To allow the heartbeats to be transmitted between the firewalls, you must verify that the management port across both peers can route to each other.
     Enabling heartbeat backup allows you to prevent a split-brain situation. Split brain occurs when the HA1 link goes down, causing the firewall to miss heartbeats, although the firewall is still functioning. In such a situation, each peer believes the other is down and attempts to start services that are running, thereby causing a split brain. Enabling heartbeat backup prevents split brain because redundant heartbeats and hello messages are transmitted over the management port.

Step 8  (Optional) Modify the HA Timers. By default, the HA timer profile is set to the Recommended profile and is suited for most HA deployments.
  1. In Device > High Availability > General, edit Election Settings.
  2. Select Aggressive to trigger faster failover. Select Advanced to define custom values for triggering failover in your setup.
     To view the preset value for an individual timer included in a profile, select Advanced and click Load Recommended or Load Aggressive. The preset values for your hardware model will be displayed on screen.


Step 9: Set up the control link connection.
This example uses an in-band port that is set to interface type HA.
For firewalls that use the management port as the control link, the IP address information is automatically pre-populated.
1. In Device > High Availability > General, edit Control Link (HA1).
2. Select the Port that you have cabled for use as the HA1 link.
3. Set the IPv4/IPv6 Address and Netmask.
   If the HA1 interfaces are on separate subnets, enter the IP address of the Gateway. Do not add a gateway address if the firewalls are directly connected.

Step 10: (Optional) Enable encryption for the control link connection.
This is typically used to secure the link if the two firewalls are not directly connected, that is, if the ports are connected to a switch or a router.
1. Export the HA key from one firewall and import it into the peer firewall.
   a. Select Device > Certificate Management > Certificates.
   b. Select Export HA key. Save the HA key to a network location that the peer can access.
   c. On the peer firewall, select Device > Certificate Management > Certificates, and select Import HA key to browse to the location where you saved the key and import it into the peer.
2. In Device > High Availability > General, edit the Control Link (HA1).
3. Select Encryption Enabled.

Step 11: Set up the backup control link connection.
1. In Device > High Availability > General, edit Control Link (HA1 Backup).
2. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.

Step 12: Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.
1. In Device > High Availability > General, edit Data Link (HA2).
2. Select the Port to use for the data link connection.
3. Select the Transport method. The default is ethernet, and will work when the HA pair is connected directly or through a switch. If you need to route the data link traffic through the network, select IP or UDP as the transport mode.
4. If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.
5. Verify that Enable Session Synchronization is selected.
6. Select HA2 Keep-alive to enable monitoring on the HA2 data link between the HA peers. If a failure occurs based on the threshold that is set (default is 10000 ms), the defined action will occur. For an active/passive configuration, a critical system log message is generated when an HA2 keep-alive failure occurs.
   NOTE: You can configure the HA2 keep-alive option on both firewalls, or just one firewall in the HA pair. If the option is only enabled on one firewall, only that firewall will send the keep-alive messages. The other firewall will be notified if a failure occurs.
7. Edit the Data Link (HA2 Backup) section, select the interface, and add the IPv4/IPv6 Address and Netmask.
8. Click OK.


Step 13: Configure the HA3 link for packet forwarding.
1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
2. For HA3 Interface, select the interface you want to use to forward packets between active/active HA peers. It must be a dedicated interface capable of Layer 2 transport and set to Interface Type HA.
3. Select VR Sync to force synchronization of all virtual routers configured on the HA peers. Select when the virtual router is not configured for dynamic routing protocols. Both peers must be connected to the same next-hop router through a switched network and must use static routing only.
4. Select QoS Sync to synchronize the QoS profile selection on all physical interfaces. Select when both peers have similar link speeds and require the same QoS profiles on all physical interfaces. This setting affects the synchronization of QoS settings on the Network tab. QoS policy is synchronized regardless of this setting.

Step 14: (Optional) Modify the Tentative Hold time.
1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
2. For Tentative Hold Time (sec), enter the number of seconds that a firewall stays in Tentative state after it fails (range is 10-600, default is 60).

Step 15: Configure Session Owner and Session Setup.
1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
2. For Session Owner Selection, select one of the following:
   - First Packet: The firewall that receives the first packet of a new session is the session owner (recommended setting). This setting minimizes traffic across HA3 and load-shares traffic across peers.
   - Primary Device: The firewall that is in active-primary state is the session owner.
3. For Session Setup, select one of the following:
   - IP Modulo: Distributes session setup load based on parity of the source IP address (recommended setting).
   - Primary Device: The active-primary firewall sets up all sessions.
   - First Packet: The firewall that receives the first packet of a new session performs session setup.
   - IP Hash: The firewall uses a hash of either the source IP address or a combination of the source and destination IP addresses to distribute session setup responsibilities.
4. Click OK.


Step 16: Configure an HA virtual address.
You need a virtual address to use a Floating IP Address and Virtual MAC Address or ARP Load Sharing.
1. In Device > High Availability > Active/Active Config, Add a Virtual Address.
2. Enter or select an Interface.
3. Select the IPv4 or IPv6 tab and click Add.
4. Enter an IPv4 Address or IPv6 Address.
5. For Type:
   - Select Floating to configure the virtual IP address to be a floating IP address.
   - Select ARP Load Sharing to configure the virtual IP address to be a shared IP address and skip to Configure ARP Load Sharing.

Step 17: Configure the floating IP address.
1. Do not select Floating IP bound to the Active-Primary device unless you want the active/active HA pair to behave like an active/passive HA pair.
2. For Device 0 Priority and Device 1 Priority, enter a priority for the firewall configured with Device ID 0 and Device ID 1, respectively. The relative priorities determine which peer owns the floating IP address you just configured (range is 0-255). The firewall with the lowest priority value (highest priority) owns the floating IP address.
3. Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
4. Click OK.

Step 18: Configure ARP Load Sharing.
The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
1. For Device Selection Algorithm, select one of the following:
   - IP Modulo: The firewall that will respond to ARP requests is based on the parity of the ARP requester's IP address.
   - IP Hash: The firewall that will respond to ARP requests is based on a hash of the ARP requester's IP address.
2. Click OK.

Step 19: Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
Switch ports that connect the HA3 link must support jumbo frames to handle the overhead associated with the MAC-in-MAC encapsulation on the HA3 link.
The jumbo frame packet size on the firewall must match the setting on the switch.
1. Select Device > Setup > Session.
2. In the Session Settings section, select Enable Jumbo Frames.
3. Click OK.
4. Repeat on any intermediary networking devices.

Step 20: Define HA Failover Conditions.

Step 21: Save the configuration. Click Commit.

Step 22: Reboot the firewall after changing the jumbo frame configuration.
1. Select Device > Setup > Operations.
2. Click Reboot Device.
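The following Python model is an added example, not code from the guide or from Palo Alto Networks; it shows how the Session Setup, floating IP priority and ARP Load Sharing choices of Steps 15, 17 and 18 distribute work between Device ID 0 and Device ID 1. The hash used for IP Hash and the tie-break on equal priorities are constructed assumptions; the firewall's actual algorithms are not documented here.

```python
import hashlib
import ipaddress
from collections import Counter
from typing import Optional

# Added example, not Palo Alto Networks code: a model of how the settings in
# Steps 15, 17 and 18 split work between the two peers (Device IDs 0 and 1).
DEVICE_IDS = (0, 1)


def ip_modulo(addr: str) -> int:
    """IP Modulo: the parity of an IP address selects Device ID 0 (even) or 1 (odd).
    Assumption: parity is taken over the whole address as an integer."""
    return int(ipaddress.ip_address(addr)) % 2


def ip_hash(src: str, dst: Optional[str] = None) -> int:
    """IP Hash over the source IP alone, or over source and destination when
    dst is given. Constructed stand-in (low byte of SHA-256); the firewall's
    own hash is not documented on this page."""
    data = ipaddress.ip_address(src).packed
    if dst is not None:
        data += ipaddress.ip_address(dst).packed
    return hashlib.sha256(data).digest()[0] % 2


def session_owner(selection: str, first_packet_device: int,
                  active_primary: int) -> int:
    """Session Owner Selection (Step 15, item 2)."""
    if selection == "first-packet":
        return first_packet_device      # peer that saw the first packet
    if selection == "primary-device":
        return active_primary           # always the active-primary peer
    raise ValueError(f"unknown Session Owner Selection: {selection}")


def session_setup(setup: str, src: str, dst: str,
                  first_packet_device: int, active_primary: int) -> int:
    """Session Setup (Step 15, item 3): which peer performs session setup."""
    if setup == "ip-modulo":
        return ip_modulo(src)           # parity of the source IP only
    if setup == "primary-device":
        return active_primary
    if setup == "first-packet":
        return first_packet_device
    if setup == "ip-hash":
        return ip_hash(src, dst)
    raise ValueError(f"unknown Session Setup: {setup}")


def arp_responder(algorithm: str, requester_ip: str) -> int:
    """ARP Load Sharing Device Selection Algorithm (Step 18): which peer
    answers the ARP request for the shared virtual address."""
    if algorithm == "ip-modulo":
        return ip_modulo(requester_ip)
    if algorithm == "ip-hash":
        return ip_hash(requester_ip)
    raise ValueError(f"unknown Device Selection Algorithm: {algorithm}")


def floating_ip_owner(device0_priority: int, device1_priority: int,
                      available=(True, True)) -> int:
    """Floating IP ownership (Step 17): the lowest priority value (0-255) wins.
    A peer that is down cannot own the address. On equal values the lower
    Device ID is assumed to win (the page does not define the tie-break)."""
    prios = (device0_priority, device1_priority)
    for p in prios:
        if not 0 <= p <= 255:
            raise ValueError(f"priority {p} is outside the 0-255 range")
    live = [d for d in DEVICE_IDS if available[d]]
    if not live:
        raise RuntimeError("no peer is available to own the floating IP")
    return min(live, key=lambda d: (prios[d], d))


def setup_load(setup: str, flows, active_primary: int = 0) -> Counter:
    """Count session setups per peer for (src, dst, first_packet_device)
    flows; IP Modulo spreads them, Primary Device piles them on one peer."""
    counts = Counter({0: 0, 1: 0})
    for src, dst, first in flows:
        counts[session_setup(setup, src, dst, first, active_primary)] += 1
    return counts


# Constructed sample: eight hosts on one segment talking to a single server.
SAMPLE_FLOWS = [(f"192.168.1.{h}", "10.1.1.200", h % 2) for h in range(10, 18)]
```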


Determine Your Active/Active Use Case

Determine which type of use case you have and then select the corresponding procedure to configure active/active HA.
If you are using Route-Based Redundancy, Floating IP Address and Virtual MAC Address, or ARP Load Sharing, select the corresponding procedure:
- Use Case: Configure Active/Active HA with Route-Based Redundancy
- Use Case: Configure Active/Active HA with Floating IP Addresses
- Use Case: Configure Active/Active HA with ARP Load Sharing
If you want a Layer 3 active/active HA deployment that behaves like an active/passive deployment, select the following procedure:
- Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
If you are configuring NAT in Active/Active HA Mode, see the following procedures:
- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3


Use Case: Configure Active/Active HA with Route-Based Redundancy

The following Layer 3 topology illustrates two PA-7050 firewalls in an active/active HA environment that use Route-Based Redundancy. The firewalls belong to an OSPF area. When a link or firewall fails, OSPF handles the redundancy by redirecting traffic to the functioning firewall.

Configure Active/Active HA with Route-Based Redundancy

Step 1: Configure Active/Active HA. Perform Step 1 through Step 15.

Step 2: Configure OSPF. See OSPF.

Step 3: Define HA failover conditions. Define HA Failover Conditions.

Step 4: Save the configuration. Click Commit.

Step 5: Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.


Use Case: Configure Active/Active HA with Floating IP Addresses

In this Layer 3 interface example, the HA firewalls connect to switches and use floating IP addresses to handle link or firewall failures. The end hosts are each configured with a gateway, which is the floating IP address of one of the HA firewalls. See Floating IP Address and Virtual MAC Address.

Configure Active/Active HA with Floating IP Addresses

Step 1: Configure Active/Active HA. Perform Step 1 through Step 15.

Step 2: Configure an HA virtual address.
You need a virtual address to use a Floating IP Address and Virtual MAC Address.
1. In Device > High Availability > Active/Active Config, Add a Virtual Address.
2. Enter or select an Interface.
3. Select the IPv4 or IPv6 tab and click Add.
4. Enter an IPv4 Address or IPv6 Address.
5. For Type, select Floating to configure the virtual IP address to be a floating IP address.

Step 3: Configure the floating IP address.
1. Do not select Floating IP bound to the Active-Primary device.
2. For Device 0 Priority and Device 1 Priority, enter a priority for the firewall configured with Device ID 0 and Device ID 1, respectively. The relative priorities determine which peer owns the floating IP address you just configured (range is 0-255). The firewall with the lowest priority value (highest priority) owns the floating IP address.
3. Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
4. Click OK.


Step 4: Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Perform Step 19 of Configure Active/Active HA.

Step 5: Define HA failover conditions. Define HA Failover Conditions.

Step 6: Save the configuration. Click Commit.

Step 7: Configure the peer firewall in the same way, except selecting a different Device ID.
For example, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.

Use Case: Configure Active/Active HA with ARP Load Sharing

In this example, hosts in a Layer 3 deployment need gateway services from the HA firewalls. The firewalls are configured with a single shared IP address, which allows ARP Load Sharing. The end hosts are configured with the same gateway, which is the shared IP address of the HA firewalls.

Configure Active/Active HA with ARP Load Sharing

Step 1: Perform Step 1 through Step 15 of Configure Active/Active HA.


Step 2: Configure an HA virtual address.
The virtual address is the shared IP address that allows ARP Load Sharing.
1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
2. Enter or select an Interface.
3. Select the IPv4 or IPv6 tab and click Add.
4. Enter an IPv4 Address or IPv6 Address.
5. For Type, select ARP Load Sharing, which allows both peers to use the virtual IP address for ARP Load Sharing.

Step 3: Configure ARP Load Sharing.
The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
1. For Device Selection Algorithm, select one of the following:
   - IP Modulo: The firewall that will respond to ARP requests is based on the parity of the ARP requester's IP address.
   - IP Hash: The firewall that will respond to ARP requests is based on a hash of the ARP requester's IP address.
2. Click OK.

Step 4: Enable jumbo frames on firewalls other than PA-7000 Series firewalls.

Step 5: Define HA failover conditions. Define HA Failover Conditions.

Step 6: Save the configuration. Click Commit.

Step 7: Configure the peer firewall in the same way, except selecting a different Device ID.
For example, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.

Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

In mission-critical data centers, you may want both Layer 3 HA firewalls to participate in path monitoring so that they can detect path failures upstream from both firewalls. Additionally, you prefer to control if and when the floating IP address returns to the recovered firewall after it comes back up, rather than the floating IP address returning to the device ID to which it is bound. (That default behavior is described in Floating IP Address and Virtual MAC Address.)
In this use case, you control when the floating IP address and therefore the active-primary role move back to a recovered HA peer. The active/active HA firewalls share a single floating IP address that you bind to whichever firewall is in the active-primary state. With only one floating IP address, network traffic flows predominantly to a single firewall, so this active/active deployment functions like an active/passive deployment.
In this use case, Cisco Nexus 7010 switches with virtual PortChannels (vPCs) operating in Layer 3 connect to the firewalls. You must configure the Layer 3 switches (router peers) north and south of the firewalls with a route preference to the floating IP address. That is, you must design your network so the route tables of the router peers have the best path to the floating IP address. This example uses static routes with the proper
metrics so that the route to the floating IP address uses a lower metric (the route to the floating IP address is preferred) and receives the traffic. An alternative to using static routes would be to design the network to redistribute the floating IP address into the OSPF routing protocol (if you are using OSPF).
The following topology illustrates the floating IP address bound to the active-primary firewall, which is initially Peer A, the firewall on the left.

Upon a failover, when the active-primary firewall (Peer A) goes down and the active-secondary firewall (Peer B) takes over as the active-primary peer, the floating IP address moves to Peer B (shown in the following figure). Peer B remains the active-primary firewall and traffic continues to go to Peer B, even when Peer A recovers and becomes the active-secondary firewall. You decide if and when to make Peer A the active-primary firewall again.

Binding the floating IP address to the active-primary firewall provides you with more control over how the firewalls determine floating IP address ownership as they move between various HA Firewall States. The following advantages result:
- You can have an active/active HA configuration for path monitoring out of both firewalls, but have the firewalls function like an active/passive HA configuration because traffic directed to the floating IP address always goes to the active-primary firewall.
- When you disable preemption on both firewalls, you have the following additional benefits:
  - The floating IP address does not move back and forth between HA firewalls if the active-secondary firewall flaps up and down.
  - You can review the functionality of the recovered firewall and the adjacent components before manually directing traffic to it again, which you can do at a convenient downtime.
- You have control over which firewall owns the floating IP address so that you keep all flows of new and existing sessions on the active-primary firewall, thereby minimizing traffic on the HA3 link.

We strongly recommend you configure HA link monitoring on the interface(s) that support the floating IP address(es) to allow each HA peer to quickly detect a link failure and fail over to its peer. Both HA peers must have link monitoring for it to function.
We strongly recommend you configure HA path monitoring to notify each HA peer when a path has failed so a firewall can fail over to its peer. Because the floating IP address is always bound to the active-primary firewall, the firewall cannot automatically fail over to the peer when a path goes down and path monitoring is not enabled.

You cannot configure NAT for a floating IP address that is bound to an active-primary firewall.

Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

Step 1: Perform Step 1 through Step 5 of Configure Active/Active HA.

Step 2: (Optional) Disable preemption.
Disabling preemption allows you full control over when the recovered firewall becomes the active-primary firewall.
1. In Device > High Availability > General, edit the Election Settings.
2. Clear Preemptive if it is enabled.
3. Click OK.

Step 3: Perform Step 7 through Step 14 of Configure Active/Active HA.


Step 4: Configure Session Owner and Session Setup.
1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
2. For Session Owner Selection, we recommend you select Primary Device. The firewall that is in active-primary state is the session owner.
   Alternatively, for Session Owner Selection you can select First Packet and then for Session Setup, select Primary Device or First Packet.
3. For Session Setup, select Primary Device: The active-primary firewall sets up all sessions. This is the recommended setting if you want your active/active configuration to behave like an active/passive configuration because it keeps all activity on the active-primary firewall.
   NOTE: You must also engineer your network to eliminate the possibility of asymmetric traffic going to the HA pair. If you don't do so and traffic goes to the active-secondary firewall, setting Session Owner Selection and Session Setup to Primary Device causes the traffic to traverse HA3 to get to the active-primary firewall for session ownership and session setup.
4. Click OK.

Step 5: Configure an HA virtual address.
1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
2. Enter or select an Interface.
3. Select the IPv4 or IPv6 tab and Add an IPv4 Address or IPv6 Address.
4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.
5. Click OK.

Step 6: Bind the floating IP address to the active-primary firewall.
1. Select Floating IP bound to the Active-Primary device.
2. Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
3. Click OK.

Step 7: Enable jumbo frames on firewalls other than PA-7000 Series firewalls.

Step 8: Save the configuration. Click Commit.

Step 9: Configure the peer firewall in the same way, except selecting a different Device ID.
For example, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
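As an added example (not from the guide or from Palo Alto Networks), the following Python state model shows the difference this use case describes: floating IP ownership by priority (Step 17 of Configure Active/Active HA) versus the floating IP bound to the active-primary firewall, with Preemptive selected on both peers, on one, or on neither. Link and path monitoring are represented only by explicit fail and recover events, and the event and method names are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Added example, not Palo Alto Networks code: a state model of floating IP
# ownership for the two behaviours the guide describes, priority-based
# (Step 17 of Configure Active/Active HA) and bound to the active-primary
# firewall (this use case), with Preemptive (Step 6) on or off.


@dataclass
class HAPair:
    bound_to_active_primary: bool
    preemptive: Tuple[bool, bool] = (False, False)   # per Device ID; both must be set
    priorities: Tuple[int, int] = (0, 255)           # Device 0 / Device 1 Priority
    up: List[bool] = field(default_factory=lambda: [True, True])
    active_primary: int = 0                          # Device 0 starts active-primary

    def floating_ip_owner(self) -> int:
        if self.bound_to_active_primary:
            return self.active_primary               # follows the role, not the priority
        live = [d for d in (0, 1) if self.up[d]]
        # Lowest priority value wins; tie-break on Device ID is an assumption.
        return min(live, key=lambda d: (self.priorities[d], d))

    def fail(self, device_id: int) -> None:
        """Link, path or device failure detected on one peer."""
        self.up[device_id] = False
        if self.active_primary == device_id:
            self.active_primary = 1 - device_id      # the peer takes over

    def recover(self, device_id: int) -> None:
        """The failed peer comes back; it becomes active-secondary unless
        preemption applies (both peers Preemptive and lower Device ID)."""
        self.up[device_id] = True
        if all(self.preemptive) and device_id < self.active_primary:
            self.active_primary = device_id

    def make_active_primary(self, device_id: int) -> None:
        """The administrator hands the role back at a convenient downtime."""
        if self.up[device_id]:
            self.active_primary = device_id


def run(pair: HAPair, events) -> List[Tuple[str, int]]:
    """Apply (action, device_id) events and record the floating IP owner after each."""
    trace = []
    for action, dev in events:
        getattr(pair, action)(dev)
        trace.append((f"{action}:{dev}", pair.floating_ip_owner()))
    return trace


# Constructed scenario from the text: Peer A (Device 0) fails and recovers,
# flaps once more, then the administrator moves the role back by hand.
SCENARIO = [("fail", 0), ("recover", 0), ("fail", 0), ("recover", 0),
            ("make_active_primary", 0)]
```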

Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses

This Layer 3 interface example uses source NAT in Active/Active HA Mode. The Layer 2 switches create broadcast domains to ensure users can reach everything north and south of the firewalls.
PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1. In this use case, NAT translates the source IP address and port number to the floating IP address configured on the egress interface. Each host is configured with a default gateway address, which is the floating IP address on Ethernet1/1 of each firewall. The configuration requires two source NAT rules, one bound to each Device ID, although you configure both NAT rules on a single firewall and they are synchronized to the peer firewall.

Configure Active/Active HA with Source DIPP NAT Using Floating IP Address

Step 1: On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Active/Active HA.


Step 2: Enable active/active HA.
1. In Device > High Availability > General, edit Setup.
2. Select Enable HA.
3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
4. For Mode, select Active Active.
5. Set the Device ID to 1.
6. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
7. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
8. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
9. Click OK.

Step 3: Configure Active/Active HA. Complete Step 6 through Step 14.

Step 4: Configure Session Owner and Session Setup.
1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
2. For Session Owner Selection, select First Packet: The firewall that receives the first packet of a new session is the session owner.
3. For Session Setup, select IP Modulo: Distributes session setup load based on parity of the source IP address.
4. Click OK.

Step 5: Configure an HA virtual address.
1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
2. Select Interface eth1/1.
3. Select IPv4 and Add an IPv4 Address of 10.1.1.101.
4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.

Step 6: Configure the floating IP address.
1. Do not select Floating IP bound to the Active-Primary device.
2. Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
3. Click OK.

Enable jumbo frames on firewalls other than PA-7000 Series firewalls.

Define HA Failover Conditions.

Step 7: Save the configuration. Click Commit.


Step 8: Configure the peer firewall, PA-3050-1, with the same settings, except for the following changes:
- Select Device ID 0.
- Configure an HA virtual address of 10.1.1.100.
- For Device 1 Priority, enter 255. For Device 0 Priority, enter 0.
  In this example, Device ID 0 has a lower priority value so a higher priority; therefore, the firewall with Device ID 0 (PA-3050-1) owns the floating IP address 10.1.1.100.

Step 9: Still on PA-3050-1, create the source NAT rule for Device ID 0.
1. Select Policies > NAT and click Add.
2. Enter a Name for the rule that in this example identifies it as a source NAT rule for Device ID 0.
3. For NAT Type, select ipv4 (default).
4. On the Original Packet, for Source Zone, select Any.
5. For Destination Zone, select the zone you created for the external network.
6. Allow Destination Interface, Service, Source Address, and Destination Address to remain set to Any.
7. For the Translated Packet, select Dynamic IP And Port for Translation Type.
8. For Address Type, select Interface Address, in which case the translated address will be the IP address of the interface. Select an Interface (eth1/1 in this example) and an IP Address of the floating IP address 10.1.1.100.
9. On the Active/Active HA Binding tab, for Active/Active HA Binding, select 0 to bind the NAT rule to Device ID 0.
10. Click OK.


Step 10: Create the source NAT rule for Device ID 1.
1. Select Policies > NAT and click Add.
2. Enter a Name for the policy rule that in this example helps identify it as a source NAT rule for Device ID 1.
3. For NAT Type, select ipv4 (default).
4. On the Original Packet, for Source Zone, select Any. For Destination Zone, select the zone you created for the external network.
5. Allow Destination Interface, Service, Source Address, and Destination Address to remain set to Any.
6. For the Translated Packet, select Dynamic IP And Port for Translation Type.
7. For Address Type, select Interface Address, in which case the translated address will be the IP address of the interface. Select an Interface (eth1/1 in this example) and an IP Address of the floating IP address 10.1.1.101.
8. On the Active/Active HA Binding tab, for the Active/Active HA Binding, select 1 to bind the NAT rule to Device ID 1.
9. Click OK.

Step 11: Save the configuration. Click Commit.

Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls

If you want to use IP address pools for source NAT in Active/Active HA Mode, each firewall must have its own pool, which you then bind to a Device ID in a NAT rule.
Address objects and NAT rules are synchronized (in both active/passive and active/active mode), so they need to be configured on only one of the firewalls in the HA pair.
This example configures an address object named DynIPPool-dev0 containing the IP address pool 10.1.1.140-10.1.1.150. It also configures an address object named DynIPPool-dev1 containing the IP address pool 10.1.1.160-10.1.1.170. The first address object is bound to Device ID 0; the second address object is bound to Device ID 1.

Create Address Objects for IP Address Pools for Source NAT in an Active/Active HA Configuration

Step 1: On one HA firewall, create address objects.
1. Select Objects > Addresses and Add an address object Name, in this example, DynIPPool-dev0.
2. For Type, select IP Range and enter the range 10.1.1.140-10.1.1.150.
3. Click OK.
4. Repeat this step to configure another address object named DynIPPool-dev1 with the IP Range of 10.1.1.160-10.1.1.170.


Step 2: Create the source NAT rule for Device ID 0.
1. Select Policies > NAT and Add a NAT policy rule with a Name, for example, SrcNAT-dev0.
2. For Original Packet, for Source Zone, select Any.
3. For Destination Zone, select the destination zone for which you want to translate the source address, such as Untrust.
4. For Translated Packet, for Translation Type, select Dynamic IP and Port.
5. For Translated Address, Add the address object you created for the pool of addresses belonging to Device ID 0: DynIPPool-dev0.
6. For Active/Active HA Binding, select 0 to bind the NAT rule to Device ID 0.
7. Click OK.

Step 3: Create the source NAT rule for Device ID 1.
1. Select Policies > NAT and Add a NAT policy rule with a Name, for example, SrcNAT-dev1.
2. For Original Packet, for Source Zone, select Any.
3. For Destination Zone, select the destination zone for which you want to translate the source address, such as Untrust.
4. For Translated Packet, for Translation Type, select Dynamic IP and Port.
5. For Translated Address, Add the address object you created for the pool of addresses belonging to Device ID 1: DynIPPool-dev1.
6. For Active/Active HA Binding, select 1 to bind the NAT rule to Device ID 1.
7. Click OK.

Step 4: Save the configuration. Select Commit.

Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT

This Layer 3 interface example uses NAT in Active/Active HA Mode and ARP Load Sharing with destination NAT. Both HA firewalls respond to an ARP request for the destination NAT address with the ingress interface MAC address. Destination NAT translates the public, shared IP address (in this example, 10.1.1.200) to the private IP address of the server (in this example, 192.168.2.200).
When the HA firewalls receive traffic for the destination 10.1.1.200, both firewalls could possibly respond to the ARP request, which could cause network instability. To avoid the potential issue, configure the firewall that is in active-primary state to respond to the ARP request by binding the destination NAT rule to the active-primary firewall.

ConfigureActive/ActiveHAforARPLoadSharingwithDestinationNAT

Step1 OnPA30502(DeviceID1),perform
Step 1throughStep 3ofConfigure
Active/ActiveHA.

Step2 Enableactive/activeHA. 1. InDevice > High Availability > General,editSetup.


2. SelectEnable HA.
3. EnteraGroup ID,whichmustbethesameforbothfirewalls.
ThefirewallusestheGroupIDtocalculatethevirtualMAC
address(rangeis163).
4. (Optional)EnteraDescription.
5. ForMode,selectActive Active.
6. SelectDevice IDtobe1.
7. SelectEnable Config Sync.Thissettingisrequiredto
synchronizethetwofirewallconfigurations(enabledby
default).
8. EnterthePeer HA1 IP Address,whichistheIPaddressofthe
HA1controllinkonthepeerfirewall.
9. (Optional)EnteraBackup Peer HA1 IP Address,whichisthe
IPaddressofthebackupcontrollinkonthepeerfirewall.
10. ClickOK.

Step3 PerformStep 6throughStep 15in


ConfigureActive/ActiveHA.


Step 4: Configure an HA virtual address.
1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
2. Select Interface eth1/1.
3. Select IPv4 and Add an IPv4 Address of 10.1.1.200.
4. For Type, select ARP Load Sharing, which configures the virtual IP address to be for both peers to use for ARP Load Sharing.

Step 5: Configure ARP Load Sharing.
The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
1. For Device Selection Algorithm, select IP Modulo. The firewall that will respond to ARP requests is based on the parity of the ARP requester's IP address.
2. Click OK.

Step 6: Enable jumbo frames on firewalls other than PA-7000 Series firewalls.

Step 7: Define HA Failover Conditions.

Step 8: Save the configuration. Click Commit.

Step 9: Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except in Step 2 select Device ID 0.

Step 10: Still on PA-3050-1 (Device ID 0), create the destination NAT rule so that the active-primary firewall responds to ARP requests.
1. Select Policies > NAT and click Add.
2. Enter a Name for the rule that, in this example, identifies it as a destination NAT rule for Layer 2 ARP.
3. For NAT Type, select ipv4 (default).
4. On the Original Packet, for Source Zone, select Any.
5. For Destination Zone, select the Untrust zone you created for the external network.
6. Allow Destination Interface, Service, and Source Address to remain set to Any.
7. For Destination Address, specify 10.1.1.200.
8. For the Translated Packet, Source Address Translation remains None.
9. For Destination Address Translation, enter the private IP address of the destination server, in this example, 192.168.1.200.
10. On the Active/Active HA Binding tab, for Active/Active HA Binding, select primary to bind the NAT rule to the firewall in active-primary state.
11. Click OK.

Step 11: Save the configuration. Click Commit.


UseCase:ConfigureActive/ActiveHAforARPLoadSharingwith
DestinationNATinLayer3

ThisLayer3interfaceexampleusesNATinActive/ActiveHAModeandARPLoadSharing.PA30501has
DeviceID0anditsHApeer,PA30502,hasDeviceID1.
Inthisusecase,bothoftheHAfirewallsmustrespondtoanARPrequestforthedestinationNATaddress.
TrafficcanarriveateitherfirewallfromeitherWANrouterintheuntrustzone.DestinationNATtranslates
thepublicfacing,sharedIPaddresstotheprivateIPaddressoftheserver.Theconfigurationrequiresone
destinationNATruleboundtobothDeviceIDssothatbothfirewallscanrespondtoARPrequests.

Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3

Step 1  On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Active/Active HA.

Step 2  Enable active/active HA.
        1. Select Device > High Availability > General > Setup and edit.
        2. Select Enable HA.
        3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
        4. (Optional) Enter a Description.
        5. For Mode, select Active Active.
        6. Select Device ID to be 1.
        7. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
        8. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
        9. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
        10. Click OK.

Step 3  Configure Active/Active HA. Perform Step 6 through Step 15.

Step 4  Configure an HA virtual address.
        1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
        2. Select Interface eth1/2.
        3. Select IPv4 and Add an IPv4 Address of 10.1.1.200.
        4. For Type, select ARP Load Sharing, which configures the virtual IP address for both peers to use for ARP Load Sharing.

Step 5  Configure ARP Load Sharing.
        The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
        1. For Device Selection Algorithm, select one of the following:
           - IP Modulo: The firewall that will respond to ARP requests is chosen by the parity of the ARP requester's IP address.
           - IP Hash: The firewall that will respond to ARP requests is chosen by a hash of the ARP requester's source IP address and destination IP address.
        2. Click OK.

Step 6  Enable jumbo frames on firewalls other than PA-7000 Series firewalls.

Step 7  Define HA Failover Conditions.

Step 8  Save the configuration. Click Commit.

Step 9  Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except set the Device ID to 0 instead of 1.

Step 10 Still on PA-3050-1 (Device ID 0), create the destination NAT rule for both Device ID 0 and Device ID 1.
        1. Select Policies > NAT and click Add.
        2. Enter a Name for the rule that, in this example, identifies it as a destination NAT rule for Layer 3 ARP.
        3. For NAT Type, select ipv4 (default).
        4. On the Original Packet tab, for Source Zone, select Any.
        5. For Destination Zone, select the Untrust zone you created for the external network.
        6. Allow Destination Interface, Service, and Source Address to remain set to Any.
        7. For Destination Address, specify 10.1.1.200.
        8. On the Translated Packet tab, Source Address Translation remains None.
        9. For Destination Address Translation, enter the private IP address of the destination server, in this example 192.168.1.200.
        10. On the Active/Active HA Binding tab, for Active/Active HA Binding, select both to bind the NAT rule to both Device ID 0 and Device ID 1.
        11. Click OK.

Step 11 Save the configuration. Click Commit.
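The following Python script is an added example, not PAN-OS code, that models the two Device Selection Algorithms from Step 5 of this use case and of the Layer 2 use case before it. The guide states only that IP Modulo chooses the responding firewall by the parity of the ARP requester's IP address and that IP Hash uses a hash of the requester's source and destination IP addresses; the even-address-to-Device-ID-0 mapping and the hash function used below are assumptions made so the behaviour can be observed, not the firewall's implementation. The requester addresses are constructed. The point a practitioner should take from it is that both peers must evaluate the same deterministic function independently so that exactly one of them answers each ARP request for the virtual address.

```python
"""ARP Load Sharing device selection for an active/active HA pair (constructed example)."""
import ipaddress
from collections import Counter

DEVICE_IDS = (0, 1)           # PA-3050-1 is Device ID 0, PA-3050-2 is Device ID 1
VIRTUAL_IP = "10.1.1.200"     # the ARP Load Sharing virtual address from the use case


def select_device_ip_modulo(requester_ip):
    """IP Modulo: the parity of the requester's 32-bit address chooses the responder.

    Assumption: even address -> Device ID 0, odd address -> Device ID 1.
    """
    return int(ipaddress.IPv4Address(requester_ip)) & 1


def select_device_ip_hash(requester_ip, target_ip):
    """IP Hash: a hash over the requester's source IP and the requested destination IP.

    Assumption: the bit parity of (src XOR dst) stands in for the undocumented hash.
    What matters is that the function is deterministic and identical on both peers,
    because each peer evaluates it on its own and exactly one of them must answer.
    """
    h = int(ipaddress.IPv4Address(requester_ip)) ^ int(ipaddress.IPv4Address(target_ip))
    h ^= h >> 16
    h ^= h >> 8
    h ^= h >> 4
    h ^= h >> 2
    h ^= h >> 1
    return h & 1


def arp_responders(requesters, algorithm, virtual_ip=VIRTUAL_IP):
    """Map each requester to the Device ID that answers its ARP request for virtual_ip."""
    if algorithm == "ip-modulo":
        return {r: select_device_ip_modulo(r) for r in requesters}
    if algorithm == "ip-hash":
        return {r: select_device_ip_hash(r, virtual_ip) for r in requesters}
    raise ValueError(f"unknown device selection algorithm: {algorithm!r}")


def load_split(assignments):
    """Count requesters per Device ID; this is the load-sharing outcome."""
    counts = Counter(assignments.values())
    return {dev: counts.get(dev, 0) for dev in DEVICE_IDS}


if __name__ == "__main__":
    # Constructed untrust-zone requesters: the two WAN routers from the use case plus
    # two more hosts on the same segment.
    requesters = ["10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.4"]
    for algorithm in ("ip-modulo", "ip-hash"):
        assignments = arp_responders(requesters, algorithm)
        print(algorithm, assignments, "split:", load_split(assignments))
```

With IP Modulo the two WAN routers (.1 and .2) land on different firewalls, which is the distribution the use case is after; with a small set of requesters a hash can come out uneven, so check the split against the actual addresses of your upstream routers before choosing IP Hash.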


HA Firewall States

An HA firewall can be in one of the following states:

Initial (occurs in A/P or A/A)
    Transient state of a firewall when it joins the HA pair. The firewall remains in this state after boot up until it discovers a peer and negotiation begins. After a timeout, the firewall becomes active if HA negotiation has not started.

Active (A/P)
    State of the active firewall in an active/passive configuration.

Passive (A/P)
    State of the passive firewall in an active/passive configuration. The passive firewall is ready to become the active firewall with no disruption to the network. Although the passive firewall is not processing other traffic, it is doing the following:
    - If passive link state auto is configured, the passive firewall is running routing protocols, monitoring link and path state, and pre-negotiating LACP and LLDP if LACP and LLDP pre-negotiation are configured, respectively.
    - The passive firewall is synchronizing flow state, runtime objects, and configuration.
    - The passive firewall is monitoring the status of the active firewall using the hello protocol.

Active-Primary (A/A)
    In an active/active configuration, state of the firewall that connects to User-ID agents, runs DHCP server and DHCP relay, and matches NAT and PBF rules with the Device ID of the active-primary firewall. A firewall in this state can own sessions and set up sessions.

Active-Secondary (A/A)
    In an active/active configuration, state of the firewall that connects to User-ID agents, runs DHCP server, and matches NAT and PBF rules with the Device ID of the active-secondary firewall. A firewall in active-secondary state does not support DHCP relay. A firewall in this state can own sessions and set up sessions.

Tentative (A/A)
    State of a firewall (in an active/active configuration) caused by one of the following:
    - Failure of a firewall.
    - Failure of a monitored object (a link or path).
    - The firewall leaves suspended or non-functional state.
    A firewall in tentative state synchronizes sessions and configurations from the peer.
    In a virtual wire deployment, when a firewall enters tentative state due to a path failure and receives a packet to forward, it sends the packet to the peer firewall over the HA3 link for processing. The peer firewall processes the packet and sends it back over the HA3 link to the firewall to be sent out the egress interface. This behavior preserves the forwarding path in a virtual wire deployment.
    In a Layer 3 deployment, when a firewall in tentative state receives a packet, it sends that packet over the HA3 link for the peer firewall to own or set up the session. Depending on the network topology, the peer firewall either sends the packet out to the destination or sends it back to the firewall in tentative state for forwarding.
    After the failed path or link clears, or as a failed firewall transitions from tentative state to active-secondary state, the Tentative Hold Time is triggered and routing convergence occurs. The firewall attempts to build routing adjacencies and populate its route table before processing any packets. Without this timer, the recovering firewall would enter active-secondary state immediately and would black-hole packets because it would not have the necessary routes.
    When a firewall leaves suspended state, it goes into tentative state for the Tentative Hold Time after links are up and able to process incoming packets.
    Tentative Hold Time (sec) can be disabled (0 seconds) or set in the range 10-600; the default is 60.

Non-functional (A/P or A/A)
    Error state due to a dataplane failure or a configuration mismatch, such as only one firewall configured for packet forwarding, VR sync, or QoS sync.
    In active/passive mode, all of the causes listed for Tentative state cause non-functional state.

Suspended (A/P or A/A)
    Administratively disabled state. In this state, an HA firewall cannot participate in the HA election process.


Reference: HA Synchronization

If you have enabled configuration synchronization on both peers in an HA pair, most of the configuration settings you configure on one peer will automatically sync to the other peer upon commit. To avoid configuration conflicts, always make configuration changes on the active (active/passive) or active-primary (active/active) peer and wait for the changes to sync to the peer before making any additional configuration changes.

Only committed configurations synchronize between HA peers. Any configuration in the commit queue at the time of an HA sync will not be synchronized.

The following topics identify which configuration settings you must configure on each firewall independently (these settings are not synchronized from the HA peer).
- What Settings Don't Sync in Active/Passive HA?
- What Settings Don't Sync in Active/Active HA?
- Synchronization of System Runtime Information

What Settings Don't Sync in Active/Passive HA?

You must configure the following settings on each firewall in an HA pair in an active/passive deployment. These settings do not sync from one peer to another.

Configuration Item: What Doesn't Sync in Active/Passive?

Management Interface Settings
    All management configuration settings must be configured individually on each firewall, including:
    - Device > Setup > Management > General Settings: Hostname, Domain, Login Banner, SSL/TLS Service Profile, Time Zone, Locale, Date, Time, Latitude, Longitude.
      NOTE: The configuration for the associated SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile) and the associated certificates (Device > Certificate Management > Certificates) is synchronized. It is just the setting of which SSL/TLS Service Profile to use on the Management interface that does not sync.
    - Device > Setup > Management > Management Interface Settings: IP Type, IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP).

Multi-vsys Capability
    You must activate the Virtual Systems license on each firewall in the pair to increase the number of virtual systems beyond the base number provided by default on PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls. You must also enable Multi Virtual System Capability on each firewall (Device > Setup > Management > General Settings).

Administrator Authentication Settings
    You must define the authentication profile and certificate profile for administrative access to the firewall locally on each firewall (Device > Setup > Management > Authentication).

Panorama Settings
    Set the following Panorama settings on each firewall (Device > Setup > Management > Panorama Settings):
    - Panorama Servers
    - Disable Panorama Policy and Objects, and Disable Device and Network Template

SNMP
    Device > Setup > Operations > SNMP Setup

Services
    Device > Setup > Services

Global Service Routes
    Device > Setup > Services > Service Route Configuration

Telemetry and Threat Intelligence Settings
    Device > Setup > Telemetry and Threat Intelligence

Data Protection
    Device > Setup > Content-ID > Manage Data Protection

Jumbo Frames
    Device > Setup > Session > Session Settings > Enable Jumbo Frame

Forward Proxy Server Certificate Settings
    Device > Setup > Session > Decryption Settings > SSL Forward Proxy Settings

Master Key Secured by HSM
    Device > Setup > HSM > Hardware Security Module Provider > Master Key Secured by HSM

Log Export Settings
    Device > Scheduled Log Export

Software Updates
    With software updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
    Device > Software

GlobalProtect Agent Package
    With GlobalProtect client updates, you can either download and install them separately on each firewall, or download them to one peer and sync the update to the other peer. You must activate separately on each peer.
    Device > GlobalProtect Client

Content Updates
    With content updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
    Device > Dynamic Updates

Licenses/Subscriptions
    Device > Licenses

Support Subscription
    Device > Support

Master Key
    The master key must be identical on each firewall in the HA pair, but you must manually enter it on each firewall (Device > Master Key and Diagnostics).
    Before changing the master key, you must disable config sync on both peers (Device > High Availability > General > Setup and clear the Enable Config Sync check box) and then re-enable it after you change the keys.

Reports, Logs, and Dashboard Settings
    Log data, reports, and Dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.

HA Settings
    Device > High Availability

What Settings Don't Sync in Active/Active HA?

You must configure the following settings on each firewall in an HA pair in an active/active deployment. These settings do not sync from one peer to another.

Configuration Item: What Doesn't Sync in Active/Active?

Management Interface Settings
    You must configure all management settings individually on each firewall, including:
    - Device > Setup > Management > General Settings: Hostname, Domain, Login Banner, SSL/TLS Service Profile, Time Zone, Locale, Date, Time, Latitude, Longitude.
      NOTE: The configuration for the associated SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile) and the associated certificates (Device > Certificate Management > Certificates) is synchronized. It is just the setting of which SSL/TLS Service Profile to use on the Management interface that does not sync.
    - Device > Setup > Management > Management Interface Settings: IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP).

Multi-vsys Capability
    You must activate the Virtual Systems license on each firewall in the pair to increase the number of virtual systems beyond the base number provided by default on PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls. You must also enable Multi Virtual System Capability on each firewall (Device > Setup > Management > General Settings).

Administrator Authentication Settings
    You must define the authentication profile and certificate profile for administrative access to the firewall locally on each firewall (Device > Setup > Management > Authentication).

Panorama Settings
    Set the following Panorama settings on each firewall (Device > Setup > Management > Panorama Settings):
    - Panorama Servers
    - Disable Panorama Policy and Objects, and Disable Device and Network Template

SNMP
    Device > Setup > Operations > SNMP Setup

Services
    Device > Setup > Services

Global Service Routes
    Device > Setup > Services > Service Route Configuration

Telemetry and Threat Intelligence Settings
    Device > Setup > Telemetry and Threat Intelligence

Data Protection
    Device > Setup > Content-ID > Manage Data Protection

Jumbo Frames
    Device > Setup > Session > Session Settings > Enable Jumbo Frame

Forward Proxy Server Certificate Settings
    Device > Setup > Session > Decryption Settings > SSL Forward Proxy Settings

HSM Configuration
    Device > Setup > HSM

Log Export Settings
    Device > Scheduled Log Export

Software Updates
    With software updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
    Device > Software

GlobalProtect Agent Package
    With GlobalProtect client updates, you can either download and install them separately on each firewall, or download them to one peer and sync the update to the other peer. You must activate separately on each peer.
    Device > GlobalProtect Client

Content Updates
    With content updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
    Device > Dynamic Updates

Licenses/Subscriptions
    Device > Licenses

Support Subscription
    Device > Support

Ethernet Interface IP Addresses
    All Ethernet interface configuration settings sync except for the IP address (Network > Interface > Ethernet).

Loopback Interface IP Addresses
    All Loopback interface configuration settings sync except for the IP address (Network > Interface > Loopback).

Tunnel Interface IP Addresses
    All Tunnel interface configuration settings sync except for the IP address (Network > Interface > Tunnel).

LACP System Priority
    Each peer must have a unique LACP System ID in an active/active deployment (Network > Interface > Ethernet > Add Aggregate Group > System Priority).

VLAN Interface IP Address
    All VLAN interface configuration settings sync except for the IP address (Network > Interface > VLAN).

Virtual Routers
    Virtual router configuration synchronizes only if you have enabled VR Sync (Device > High Availability > Active/Active Config > Packet Forwarding). Whether or not to do this depends on your network design, including whether you have asymmetric routing.

IPSec Tunnels
    IPSec tunnel configuration synchronization depends on whether you have configured the Virtual Addresses to use Floating IP addresses (Device > High Availability > Active/Active Config > Virtual Address). If you have configured a floating IP address, these settings sync automatically. Otherwise, you must configure these settings independently on each peer.

GlobalProtect Portal Configuration
    GlobalProtect portal configuration synchronization depends on whether you have configured the Virtual Addresses to use Floating IP addresses (Network > GlobalProtect > Portals). If you have configured a floating IP address, the GlobalProtect portal configuration settings sync automatically. Otherwise, you must configure the portal settings independently on each peer.

GlobalProtect Gateway Configuration
    GlobalProtect gateway configuration synchronization depends on whether you have configured the Virtual Addresses to use Floating IP addresses (Network > GlobalProtect > Gateways). If you have configured a floating IP address, the GlobalProtect gateway configuration settings sync automatically. Otherwise, you must configure the gateway settings independently on each peer.

QoS
    QoS configuration synchronizes only if you have enabled QoS Sync (Device > High Availability > Active/Active Config > Packet Forwarding). You might choose not to sync QoS settings if, for example, you have different bandwidth on each link or different latency through your service providers.

LLDP
    No LLDP state or individual firewall data is synchronized in an active/active configuration (Network > Network Profiles > LLDP).

BFD
    No BFD configuration or BFD session data is synchronized in an active/active configuration (Network > Network Profiles > BFD Profile).

IKE Gateways
    IKE gateway configuration synchronization depends on whether you have configured the Virtual Addresses to use floating IP addresses (Network > IKE Gateways). If you have configured a floating IP address, the IKE gateway configuration settings sync automatically. Otherwise, you must configure the IKE gateway settings independently on each peer.

Master Key
    The master key must be identical on each firewall in the HA pair, but you must manually enter it on each firewall (Device > Master Key and Diagnostics).
    Before changing the master key, you must disable config sync on both peers (Device > High Availability > General > Setup and clear the Enable Config Sync check box) and then re-enable it after you change the keys.

Reports, Logs, and Dashboard Settings
    Log data, reports, and dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.

HA Settings
    Device > High Availability
    (The exception is Device > High Availability > Active/Active Configuration > Virtual Addresses, which do sync.)
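Because the settings in the two tables above (active/passive and active/active) are never pushed from one peer to the other, they are where HA pairs drift apart. The following Python script is an added example, not PAN-OS code, that takes each peer's locally configured values as a plain dictionary (constructed inline here; in practice you would fill them from each peer's exported configuration) and reports the mismatches that matter. The relations it enforces come from the tables where the guide states them: Group ID and master key identical on both peers, Device ID and LACP System Priority unique per peer in active/active. The other "same" entries (jumbo frames, multi-vsys capability, software and content versions, Panorama servers) are this example's assumptions about good practice, not statements from the guide. The master key is compared as a fingerprint rather than as the key itself.

```python
"""Drift check for the HA settings that PAN-OS does not synchronize (constructed example)."""
import hashlib

# Relation enforced between the two peers for each non-synced setting:
#   "same"   both peers must hold the same value
#   "differ" the peers must hold different values
#   "local"  set on each peer individually; no cross-peer relation
COMMON_RULES = {
    "group_id": "same",                # guide: must be the same for both firewalls
    "master_key_fingerprint": "same",  # guide: master key must be identical on each firewall
    "jumbo_frames": "same",            # assumption
    "multi_vsys": "same",              # assumption
    "software_version": "same",        # assumption: the update must be installed on each peer
    "content_version": "same",         # assumption: the update must be installed on each peer
    "panorama_servers": "same",        # assumption
    "hostname": "local",               # guide: configured individually; no relation enforced
    "mgmt_ip": "differ",               # two devices cannot share one management address
}
ACTIVE_ACTIVE_RULES = {
    "device_id": "differ",             # guide: Device ID 0 and Device ID 1
    "lacp_system_priority": "differ",  # guide: each peer needs a unique LACP System ID
}


def master_key_fingerprint(master_key):
    """SHA-256 fingerprint so the peers' keys can be compared without exposing them."""
    return hashlib.sha256(master_key.encode()).hexdigest()[:16]


def check_ha_peer_drift(peer_a, peer_b, mode):
    """Return one finding per violated relation; an empty list means no drift."""
    if mode not in ("active-passive", "active-active"):
        raise ValueError(f"unknown HA mode: {mode!r}")
    rules = dict(COMMON_RULES)
    if mode == "active-active":
        rules.update(ACTIVE_ACTIVE_RULES)

    findings = []
    for setting, relation in rules.items():
        missing = [name for name, cfg in (("peer A", peer_a), ("peer B", peer_b))
                   if setting not in cfg]
        if missing:
            findings.append(f"{setting}: not configured on {' and '.join(missing)}")
            continue
        a, b = peer_a[setting], peer_b[setting]
        if relation == "same" and a != b:
            findings.append(f"{setting}: must match on both peers but differs ({a!r} vs {b!r})")
        elif relation == "differ" and a == b:
            findings.append(f"{setting}: must be unique per peer but both peers use {a!r}")
    return findings


# Constructed settings for the PA-3050-1 / PA-3050-2 pair from the use cases. Two faults
# are planted: the master keys differ, and both peers kept the same LACP System Priority.
PEER_A = {
    "hostname": "PA-3050-1", "mgmt_ip": "10.5.5.10", "device_id": 0, "group_id": 7,
    "master_key_fingerprint": master_key_fingerprint("constructed-key-A"),
    "jumbo_frames": True, "multi_vsys": False, "software_version": "8.0.0",
    "content_version": "constructed-700", "panorama_servers": ["10.5.5.5"],
    "lacp_system_priority": 32768,
}
PEER_B = dict(PEER_A, hostname="PA-3050-2", mgmt_ip="10.5.5.11", device_id=1,
              master_key_fingerprint=master_key_fingerprint("constructed-key-B"))

if __name__ == "__main__":
    for mode in ("active-passive", "active-active"):
        print(mode)
        for finding in check_ha_peer_drift(PEER_A, PEER_B, mode) or ["no drift"]:
            print("  -", finding)
```

Run the check after every change to a non-synced setting and after each software or content update, since those are the moments the tables say you have to touch both peers by hand.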

Synchronization of System Runtime Information

The following table summarizes what system runtime information is synchronized between HA peers.

Runtime Information                 Synced A/P   Synced A/A   HA Link   Details

Management Plane
User-to-Group Mappings              Yes          Yes          HA1
DHCP Lease (as server)              Yes          Yes          HA1
DNS Cache                           No           No           N/A
FQDN Refresh                        No           No           N/A
IKE Keys (phase 2)                  Yes          Yes          HA1
BrightCloud URL Database            No           No           N/A
BrightCloud URL Cache               No           No           N/A       This feature is disabled by default and must be enabled separately on each HA peer.
BrightCloud Bloom Filter            No           No           N/A       This feature is disabled by default and must be enabled separately on each HA peer.
PAN-DB URL Cache                    Yes          No           HA1       Synchronized upon database backup to disk (every eight hours, when the URL database version updates), or when the firewall reboots.
Content (manual sync)               Yes          Yes          HA1
PPPoE, PPPoE Lease                  Yes          Yes          HA1
DHCP Client Settings and Lease      Yes          Yes          HA1
SSL VPN Logged-in User List         Yes          Yes          HA1
Forward Information Base (FIB)      Yes          Yes          HA1

Dataplane
Session Table                       Yes          Yes          HA2       Active/passive peers do not sync ICMP or host session information. Active/active peers do not sync host session, multicast session, or BFD session information.
ARP Table                           Yes          No           HA2       Upon upgrade to PAN-OS 7.1, the ARP table capacity automatically increases. To avoid a mismatch, upgrade both peers within a short period of time. As a best practice, clear the ARP cache (clear arp) on both peers prior to upgrading to PAN-OS 7.1.
Neighbor Discovery (ND) Table       Yes          No           HA2
MAC Table                           Yes          No           HA2
IPSec Sequence Number (anti-replay) Yes          Yes          HA2
DoS Block List Entries              No           No           N/A
User-to-IP Address Mappings         Yes          Yes          HA2
Virtual MAC                         Yes          Yes          HA2


Monitoring

To forestall potential issues and to accelerate incident response when needed, the firewall provides intelligence about traffic and user patterns using customizable and informative reports. The dashboard, Application Command Center (ACC), reports, and logs on the firewall allow you to monitor activity on your network. You can monitor the logs and filter the information to generate reports with predefined or customized views. For example, you can use the predefined templates to generate reports on user activities, or analyze the reports and logs to interpret unusual behavior on your network and generate a custom report on the traffic pattern. For a visually engaging presentation of network activity, the dashboard and the ACC include widgets, charts, and tables with which you can interact to find the information you care about. In addition, you can configure the firewall to forward monitored information as email notifications, syslog messages, SNMP traps, and NetFlow records to external services.
- Use the Dashboard
- Use the Application Command Center
- Use the App Scope Reports
- Use the Automated Correlation Engine
- Take Packet Captures
- Monitor Applications and Threats
- View and Manage Logs
- Monitor Block List
- View and Manage Reports
- Use External Services for Monitoring
- Configure Log Forwarding
- Configure Email Alerts
- Use Syslog for Monitoring
- SNMP Monitoring and Traps
- Forward Logs to an HTTP(S) Destination
- NetFlow Monitoring


Use the Dashboard

The Dashboard tab widgets show general firewall information, such as the software version, the operational status of each interface, resource utilization, and up to 10 of the most recent entries in the threat, configuration, and system logs. All of the available widgets are displayed by default, but each administrator can remove and add individual widgets, as needed. Click the refresh icon to update the dashboard or an individual widget. To change the automatic refresh interval, select an interval from the drop-down (1 min, 2 mins, 5 mins, or Manual). To add a widget to the dashboard, click the widget drop-down, select a category and then the widget name. To delete a widget, click the close icon in the title bar. The following table describes the dashboard widgets.

Dashboard Chart: Description

Top Applications
    Displays the applications with the most sessions. The block size indicates the relative number of sessions (mouse over the block to view the number), and the color indicates the security risk from green (lowest) to red (highest). Click an application to view its application profile.

Top High Risk Applications
    Similar to Top Applications, except that it displays the highest-risk applications with the most sessions.

General Information
    Displays the firewall name, model, PAN-OS software version, the application, threat, and URL filtering definition versions, the current date and time, and the length of time since the last restart.

Interface Status
    Indicates whether each interface is up (green), down (red), or in an unknown state (gray).

Threat Logs
    Displays the threat ID, application, and date and time for the last 10 entries in the Threat log. The threat ID is a malware description or a URL that violates the URL filtering profile.

Config Logs
    Displays the administrator username, client (Web or CLI), and date and time for the last 10 entries in the Configuration log.

Data Filtering Logs
    Displays the description and date and time for the last 60 minutes in the Data Filtering log.

URL Filtering Logs
    Displays the description and date and time for the last 60 minutes in the URL Filtering log.

System Logs
    Displays the description and date and time for the last 10 entries in the System log. A "Config installed" entry indicates configuration changes were committed successfully.

System Resources
    Displays the Management CPU usage, Data Plane usage, and the Session Count, which displays the number of sessions established through the firewall.

Logged In Admins
    Displays the source IP address, session type (Web or CLI), and session start time for each administrator who is currently logged in.

ACC Risk Factor
    Displays the average risk factor (1 to 5) for the network traffic processed over the past week. Higher values indicate higher risk.

High Availability
    If high availability (HA) is enabled, indicates the HA status of the local and peer firewall: green (active), yellow (passive), or black (other). For more information about HA, see High Availability.

Locks
    Shows configuration locks taken by administrators.


Use the Application Command Center

The Application Command Center (ACC) is an interactive, graphical summary of the applications, users, URLs, threats, and content traversing your network. The ACC uses the firewall logs to provide visibility into traffic patterns and actionable information on threats. The ACC layout includes a tabbed view of network activity, threat activity, and blocked activity, and each tab includes pertinent widgets for better visualization of network traffic. The graphical representation allows you to interact with the data and visualize the relationships between events on the network, so that you can uncover anomalies or find ways to enhance your network security rules. For a personalized view of your network, you can also add a custom tab and include widgets that allow you to drill down into the information that is most important to you.
- ACC First Look
- ACC Tabs
- ACC Widgets (Widget Descriptions)
- ACC Filters
- Interact with the ACC
- Use Case: ACC Path of Information Discovery


ACC First Look

Take a quick tour of the ACC.

Tabs
    The ACC includes three predefined tabs that provide visibility into network traffic, threat activity, and blocked activity. For information on each tab, see ACC Tabs.

Widgets
    Each tab includes a default set of widgets that best represent the events/trends associated with the tab. The widgets allow you to survey the data using the following filters:
    - bytes (in and out)
    - sessions
    - content (files and data)
    - URL categories
    - threats (and count)
    For information on each widget, see ACC Widgets.

Time
    The charts or graphs in each widget provide a summary and historic view. You can choose a custom range or use the predefined time periods that range from the last 15 minutes up to the last 30 days or last 30 calendar days. The selected time period applies across all tabs in the ACC.
    The time period used to render data, by default, is the Last Hour updated in 15-minute intervals. The date and time interval are displayed on screen; for example, at 11:40 the time range is 01/12 10:30:00 to 01/12 11:29:59.

Global Filters
    The Global Filters allow you to set the filter across all widgets and all tabs. The charts/graphs apply the selected filters before rendering the data. For information on using the filters, see ACC Filters.

Application View
    The application view allows you to filter the ACC view by either the sanctioned and unsanctioned applications in use on your network, or by the risk level of the applications in use on your network. Green indicates sanctioned applications, blue unsanctioned applications, and yellow indicates applications that are partially sanctioned. Partially sanctioned applications are those that have a mixed sanctioned state; it indicates that the application is inconsistently tagged as sanctioned, for example it might be sanctioned on one or more virtual systems on a firewall enabled for multiple virtual systems, or across one or more firewalls within a device group on Panorama.

Risk Factor
    The risk factor (1 = lowest to 5 = highest) indicates the relative risk based on the applications used on your network. The risk factor uses a variety of factors to assess the associated risk levels, such as whether the application can share files, is prone to misuse, or tries to evade firewalls; it also factors in the threat activity and malware as seen through the number of blocked threats, compromised hosts, or traffic to malware hosts/domains.

Source
    The data used for the ACC display. The options vary on the firewall and on Panorama.
    On the firewall, if enabled for multiple virtual systems, you can use the Virtual System drop-down to change the ACC display to include data from all virtual systems or just a selected virtual system.
    On Panorama, you can select the Device Group drop-down to change the ACC display to include data from all device groups or just a selected device group. Additionally, on Panorama, you can change the Data Source to Panorama data or Remote Device Data. Remote Device Data is only available when all the managed firewalls are on PAN-OS 7.0.0 or later. When you filter the display for a specific device group, Panorama data is used as the data source.

Export
    You can export the widgets displayed in the currently selected tab as a PDF. The PDF is downloaded and saved to the downloads folder associated with your web browser, on your computer.

ACC Tabs

The ACC includes the following predefined tabs for viewing network activity, threat activity, and blocked activity.

Network Activity
    Displays an overview of traffic and user activity on your network including:
    - Top applications in use
    - Top users who generate traffic (with a drill down into the bytes, content, threats, or URLs accessed by the user)
    - Most used security rules against which traffic matches occur
    In addition, you can also view network activity by source or destination zone, region, or IP address, ingress or egress interfaces, and GlobalProtect host information such as the operating systems of the devices most commonly used on the network.

Threat Activity
    Displays an overview of the threats on the network, focusing on the top threats: vulnerabilities, spyware, viruses, hosts visiting malicious domains or URLs, top WildFire submissions by file type and application, and applications that use non-standard ports. The Compromised Hosts widget in this tab (the widget is supported on some platforms only) supplements detection with better visualization techniques; it uses the information from the correlated events tab (Automated Correlation Engine > Correlated Events) to present an aggregated view of compromised hosts on your network by source users/IP addresses, sorted by severity.

Blocked Activity
    Focuses on traffic that was prevented from coming into the network. The widgets in this tab allow you to view activity denied by application name, user name, threat name, and blocked content (files and data that were blocked by a file blocking profile). It also lists the top security rules that were matched on to block threats, content, and URLs.

Tunnel Activity
    Displays the activity of tunnel traffic that the firewall inspected based on your tunnel inspection policies. Information includes tunnel usage based on tunnel ID, monitor tag, user, and tunnel protocols such as Generic Routing Encapsulation (GRE), General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U), and non-encrypted IPSec.

You can also Interact with the ACC to create customized tabs with a custom layout and widgets that meet your network monitoring needs, and export the tab to share with another administrator.

ACC Widgets

The widgets on each tab are interactive; you can set the ACC Filters and drill down into the details for each table or graph, or customize the widgets included in the tab to focus on the information you need. For details on what each widget displays, see Widget Descriptions.


Widgets

View Youcansortthedatabybytes,sessions,threats,count,content,URLs,malicious,
benign,files,applications,data,profiles,objects,users.Theavailableoptionsvaryby
widget.

Graph Thegraphicaldisplayoptionsaretreemap,linegraph,horizontalbargraph,stackedarea
graph,stackedbargraph,andmap.Theavailableoptionsvarybywidget;theinteraction
experiencealsovarieswitheachgraphtype.Forexample,thewidgetforApplications
usingNonStandardPortsallowsyoutochoosebetweenatreemapandalinegraph.
Todrilldownintothedisplay,clickintothegraph.Theareayouclickintobecomesa
filterandallowsyoutozoomintotheselectionandviewmoregranularinformationon
theselection.

Table Thedetailedviewofthedatausedtorenderthegraphisprovidedinatablebelowthe
graph.Youcaninteractwiththetableinseveralways:
Clickandsetalocalfilterforanattributeinthetable.Thegraphisupdatedandthe
tableissortedusingthelocalfilter.Theinformationdisplayedinthegraphandthe
tablearealwayssynchronized.
Hoverovertheattributeinthetableandusetheoptionsavailableinthedropdown.


Actions:
- Maximize view: Allows you to enlarge the widget and view the table in a larger screen space and with more viewable information.
- Set up local filters: Allows you to add ACC Filters to refine the display within the widget. Use these filters to customize the widgets; these customizations are retained between logins.
- Jump to logs: Allows you to navigate directly to the logs (Monitor > Logs > <log-type> tab). The logs are filtered using the time period for which the graph is rendered. If you have set local and global filters, the log query concatenates the time period and the filters and displays only the logs that match the combined filter set.
- Export: Allows you to export the graph as a PDF. The PDF is downloaded and saved on your computer, in the Downloads folder associated with your web browser.

Widget Descriptions

Each tab on the ACC includes a different set of widgets.

Widget Description

Network Activity: Displays an overview of traffic and user activity on your network.

Application Usage: The table displays the top ten applications used on your network; all the remaining applications used on the network are aggregated and displayed as other. The graph displays all applications by application category, subcategory, and application. Use this widget to scan for the applications being used on the network; it shows you the predominant applications in terms of bandwidth used, session count, file transfers, threats triggered, and URLs accessed.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: treemap, area, column, line (the charts vary by the sort-by attribute selected)

User Activity: Displays the top ten most active users on the network, that is, the users who have generated the largest volume of traffic and consumed the most network resources to obtain content. Use this widget to monitor top users by usage, sorted on bytes, sessions, threats, content (files and patterns), and URLs visited.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: area, column, line (the charts vary by the sort-by attribute selected)

Source IP Activity: Displays the top ten IP addresses or host names of the devices that have initiated activity on the network. All other devices are aggregated and displayed as other.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: area, column, line (the charts vary by the sort-by attribute selected)

Destination IP Activity: Displays the IP addresses or host names of the top ten destinations that were accessed by users on the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: area, column, line (the charts vary by the sort-by attribute selected)


Source Regions: Displays the top ten regions (built-in or custom-defined regions) around the world from where users initiated activity on your network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: map, bar

Destination Regions: Displays the top ten destination regions (built-in or custom-defined regions) on the world map from where content is being accessed by users on the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: map, bar

GlobalProtect Host Information: Displays information on the state of the hosts on which the GlobalProtect agent is running; the host system is a GlobalProtect client. This information is sourced from entries in the HIP Match log that are generated when the data submitted by the GlobalProtect agent matches a HIP object or a HIP profile you have defined on the firewall. If you do not have HIP Match logs, this widget is blank. To learn how to create HIP objects and HIP profiles and use them as policy match criteria, see Configure HIP-Based Policy Enforcement.
Sort attributes: profiles, objects, operating systems
Charts available: bar

Rule Usage: Displays the top ten rules that have allowed the most traffic on the network. Use this widget to view the most commonly used rules, monitor the usage patterns, and assess whether the rules are effective in securing your network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: line

Ingress Interfaces: Displays the firewall interfaces that are most used for allowing traffic into the network.
Sort attributes: bytes, bytes sent, bytes received
Charts available: line

Egress Interfaces: Displays the firewall interfaces that are most used by traffic exiting the network.
Sort attributes: bytes, bytes sent, bytes received
Charts available: line

Source Zones: Displays the zones that are most used for allowing traffic into the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: line

Destination Zones: Displays the zones that are most used by traffic going outside the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: line

Threat Activity: Displays an overview of the threats on the network.

Compromised Hosts: Displays the hosts that are likely compromised on your network. This widget summarizes the events from the correlation logs. For each source user/IP address, it includes the correlation object that triggered the match and the match count, which is aggregated from the match evidence collated in the correlated events logs. For details, see Use the Automated Correlation Engine.
Available on the PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, and Panorama.
Sort attributes: severity (by default)


Hosts Visiting Malicious URLs: Displays the frequency with which hosts (IP addresses/host names) on your network have accessed malicious URLs. These URLs are known to be malware based on categorization in PAN-DB.
Sort attributes: count
Charts available: line

Hosts Resolving Malicious Domains: Displays the top hosts matching DNS signatures; that is, hosts on the network that are attempting to resolve the host name or domain of a malicious URL. This information is gathered from an analysis of the DNS activity on your network. It utilizes passive DNS monitoring, DNS traffic generated on the network, activity seen in the sandbox if you have configured DNS sinkhole on the firewall, and DNS reports on malicious DNS sources that are available to Palo Alto Networks customers.
Sort attributes: count
Charts available: line

Threat Activity: Displays the threats seen on your network. This information is based on signature matches in Antivirus, Anti-Spyware, and Vulnerability Protection profiles and on viruses reported by WildFire.
Sort attributes: threats
Charts available: bar, area, column

WildFire Activity by Application: Displays the applications that generated the most WildFire submissions. This widget uses the malicious and benign verdicts from the WildFire Submissions log.
Sort attributes: malicious, benign
Charts available: bar, line

WildFire Activity by File Type: Displays the threat vector by file type. This widget displays the file types that generated the most WildFire submissions and uses the malicious and benign verdicts from the WildFire Submissions log. If this data is unavailable, the widget is empty.
Sort attributes: malicious, benign
Charts available: bar, line

Applications using Non-Standard Ports: Displays the applications that are entering your network on non-standard ports. If you have migrated your firewall rules from a port-based firewall, use this information to craft policy rules that allow traffic only on the default port for the application. Where needed, make an exception to allow traffic on a non-standard port or create a custom application.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: treemap, line

Rules Allowing Applications On Non-Standard Ports: Displays the security policy rules that allow applications on non-default ports. The graph displays all the rules, while the table displays the top ten rules and aggregates the data from the remaining rules as other.
This information helps you identify gaps in network security by allowing you to assess whether an application is hopping ports or sneaking into your network. For example, you can validate whether you have a rule that allows traffic on any port except the default port for the application. Say, for example, you have a rule that allows DNS traffic on its application-default port (port 53 is the standard port for DNS). This widget will display any rule that allows DNS traffic into your network on any port except port 53.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: treemap, line


Blocked Activity: Focuses on traffic that was prevented from coming into the network.

Blocked Application Activity: Displays the applications that were denied on your network, and allows you to view the threats, content, and URLs that you kept out of your network.
Sort attributes: threats, content, URLs
Charts available: treemap, area, column

Blocked User Activity: Displays user requests that were blocked by a match on an Antivirus, Anti-Spyware, File Blocking, or URL Filtering profile attached to a Security policy rule.
Sort attributes: threats, content, URLs
Charts available: bar, area, column

Blocked Threats: Displays the threats that were successfully denied on your network. These threats were matched on antivirus signatures, vulnerability signatures, and DNS signatures available through the dynamic content updates on the firewall.
Sort attributes: threats
Charts available: bar, area, column

Blocked Content: Displays the files and data that were blocked from entering the network. The content was blocked because security policy denied access based on criteria defined in a File Blocking security profile or a Data Filtering security profile.
Sort attributes: files, data
Charts available: bar, area, column

Security Policies Blocking Activity: Displays the security policy rules that blocked or restricted traffic into your network. Because this widget displays the threats, content, and URLs that were denied access into your network, you can use it to assess the effectiveness of your policy rules. This widget does not display traffic that was blocked because of deny rules that you have defined in policy.
Sort attributes: threats, content, URLs
Charts available: bar, area, column

ACC Filters

The graphs and tables on the ACC widgets allow you to use filters to narrow the scope of data that is displayed, so that you can isolate specific attributes and analyze information you want to view in greater detail. The ACC supports the simultaneous use of widget and global filters.
- Widget Filters: Apply a widget filter, which is a filter that is local to a specific widget. A widget filter allows you to interact with the graph and customize the display so that you can drill down into the details and access the information you want to monitor on a specific widget. To create a widget filter that is persistent across reboots, you must use the Set Local Filter option.


- Global Filters: Apply global filters across all the tabs in the ACC. A global filter allows you to pivot the display around the details you care about right now and exclude the unrelated information from the current display. For example, to view all events relating to a specific user and application, you can apply the user name and the application as global filters and view only information pertaining to that user and application through all the tabs and widgets on the ACC. Global filters are not persistent.

You can apply global filters in three ways:
- Set a global filter from a table: Select an attribute from a table in any widget and apply the attribute as a global filter.
- Add a widget filter to a global filter: Hover over the attribute and click the arrow icon to the right of the attribute. This option allows you to elevate a local filter used in a widget and apply the attribute globally to update the display across all the tabs on the ACC.
- Define a global filter: Define a filter using the Global Filters pane on the ACC.
See Interact with the ACC for details on using these filters.

Interact with the ACC

To customize and refine the ACC display, you can add, delete, export, and import tabs, add and delete widgets, set local and global filters, and interact with the widgets.


Work with the Tabs and Widgets

Add a tab.
1. Select the icon along the list of tabs.
2. Add a View Name. This name will be used as the name for the tab. You can add up to five tabs.

Edit a tab.
Select the tab, and click the pencil icon next to the tab name, to edit the tab. Editing a tab allows you to add, delete, or reset the widgets that are displayed in the tab. You can also change the widget layout in the tab. To save the tab as the default tab, select the icon.

Export and Import tabs.
1. Select the tab, and click the pencil icon next to the tab name, to edit the tab.
2. Select the icon to export the current tab as a .txt file. You can share this .txt file with another administrator.
3. To import the tab as a new tab on another firewall, select the icon along the list of tabs, add a name, click the import icon, and browse to select the .txt file.

See what widgets are included in a tab.
1. Select the tab, and click on the pencil icon to edit it.
2. Select the Add Widget drop-down and verify the widgets that have the check boxes selected.

Add a widget or a widget group.
1. Add a new tab or edit a predefined tab.
2. Select Add Widget, and then select the check box that corresponds to the widget you want to add. You can select up to a maximum of 12 widgets.
3. (Optional) To create a 2-column layout, select Add Widget Group. You can drag and drop widgets into the 2-column display. As you drag the widget into the layout, a placeholder will display for you to drop the widget.
You cannot name a widget group.

Delete a tab or a widget group/widget.
1. To delete a custom tab, select the tab and click the X icon.
You cannot delete a predefined tab.
2. To delete a widget group/widget, edit the tab and in the workspace section, click the [X] icon on the right. You cannot undo a deletion.


Reset the default widgets in a tab.
On a predefined tab, such as the Blocked Activity tab, you can delete one or more widgets. If you want to reset the layout to include the default set of widgets for the tab, edit the tab and click Reset View.

Zoom in on the details in an area, column, or line graph.
Click and drag an area in the graph to zoom in. For example, when you zoom in to a line graph, it triggers a re-query and the firewall fetches the data for the selected time period. It is not a mere magnification.

Use the table drop-down to find more information on an attribute.
1. Hover over an attribute in a table to see the drop-down.
2. Click into the drop-down to view the available options.
- Global Find: Use Global Find to search the firewall or Panorama management server for references to the attribute (user name/IP address, object name, policy rule name, threat ID, or application name) anywhere in the candidate configuration.
- Value: Displays the details of the threat ID, application name, or address object.
- Who Is: Performs a domain name (WHOIS) lookup for the IP address. The lookup queries databases that store the registered users or assignees of an Internet resource.
- Search HIP Report: Uses the user name or IP address to find matches in a HIP Match report.

Set a widget filter.
You can also click an attribute in the table (below the graph) to apply it as a widget filter.
1. Select a widget and click the icon.
2. Click the icon to add the filters you want to apply.
3. Click Apply. These filters are persistent across reboots.
The active widget filters are indicated next to the widget name.

Negate a widget filter.
1. Click the icon to display the Setup Local Filters dialog.
2. Add a filter, and then click the negate icon.

Set a global filter from a table.
Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute.


Set a global filter using the Global Filters pane.
1. Locate the Global Filters pane on the left side of the ACC.
2. Click the icon to view the list of filters you can apply.

Promote a widget filter to a global filter.
1. On any table in a widget, click the link for an attribute. This sets the attribute as a widget filter.
2. To promote the filter to a global filter, select the arrow to the right of the filter.

Remove a filter.
Click the icon to remove a filter.
For global filters: It is located in the Global Filters pane.
For widget filters: Click the icon to display the Setup Local Filters dialog, then select the filter, and click the icon.

Clear all filters.
For global filters: Click the Clear All button under Global Filters.
For widget filters: Select a widget and click the icon. Then click the Clear All button in the Setup Local Filters dialog.

See what filters are in use.
For global filters: The number of global filters applied is displayed on the left pane under Global Filters.
For widget filters: The number of widget filters applied on a widget is displayed next to the widget name. To view the filters, click the icon.

Reset the display on a widget.
If you set a widget filter or drill into a graph, click the Home link to reset the display in the widget.


Use Case: ACC Path of Information Discovery

The ACC has a wealth of information that you can use as a starting point for analyzing network traffic. Let's look at an example of using the ACC to uncover events of interest. This example illustrates how you can use the ACC to ensure that legitimate users can be held accountable for their actions, detect and track unauthorized activity, and detect and diagnose compromised hosts and vulnerable systems on your network. The widgets and filters in the ACC give you the capability to analyze the data and filter the views based on events of interest or concern. You can trace events that pique your interest, directly export a PDF of a tab, access the raw logs, and save a personalized view of the activity that you want to track. These capabilities make it possible for you to monitor activity and develop policies and countermeasures for fortifying your network against malicious activity. In this section, you will Interact with the ACC widgets across different tabs, drill down using widget filters, pivot the ACC views using global filters, and export a PDF for sharing with incident response or IT teams.
At first glance, you see the Application Usage and User Activity widgets in the ACC > Network Activity tab. The User Activity widget shows that user Marsha Wirth has transferred 718 megabytes of data during the last hour. This volume is nearly six times more than any other user on the network. To see the trend over the past few hours, expand the Time period to the Last 6 Hrs; now Marsha's activity amounts to 6.5 gigabytes over 891 sessions and has triggered 38 threat signatures.

Because Marsha has transferred a large volume of data, apply her user name as a global filter (ACC Filters) and pivot all the views in the ACC to Marsha's traffic activity.


The Application Usage tab now shows that the top application that Marsha used was rapidshare, a Swiss-owned file hosting site that belongs to the file-sharing URL category. For further investigation, add rapidshare as a global filter, and view Marsha's activity in the context of rapidshare.

Consider whether you want to sanction rapidshare for company use. Should you allow uploads to this site, and do you need a QoS policy to limit bandwidth?

To view which IP addresses Marsha has communicated with, check the Destination IP Activity widget, and view the data by bytes and by URLs.

To find out which countries Marsha communicated with, sort on sessions in the Destination Regions widget.

From this data, you can confirm that Marsha, a user on your network, has established sessions in Korea and the European Union, and that she logged 19 threats in her sessions within the United States.


To look at Marsha's activity from a threat perspective, remove the global filter for rapidshare. In the Threat Activity widget on the Threat Activity tab, view the threats. The widget displays that her activity had triggered a match for 26 vulnerabilities in the overflow, DoS, and code-execution threat categories. Several of these vulnerabilities are of critical severity.

To further drill down into each vulnerability, click into the graph and narrow the scope of your investigation. Each click automatically applies a local filter on the widget.

To investigate each threat by name, you can create a global filter for, say, Microsoft Works File Converter Field Length Remote Code Execution Vulnerability. Then, view the User Activity widget in the Network Activity tab. The tab is automatically filtered to display threat activity for Marsha (notice the global filters in the screenshot).


Notice that this Microsoft code execution vulnerability was triggered over email, by the imap application. You can now establish that Marsha has IE vulnerabilities and email attachment vulnerabilities, and perhaps her computer needs to be patched. You can now either navigate to the Blocked Threats widget in the Blocked Activity tab to check how many of these vulnerabilities were blocked, or check the Rule Usage widget on the Network Activity tab to discover how many vulnerabilities made it into your network and which security rule allowed this traffic, and navigate directly to the security rule using the Global Find capability.

Then, drill into why imap used a non-standard port, 43206, instead of port 143, which is the default port for the application. Consider modifying the security policy rule to allow applications to use only the default port for the application, or assess whether this port should be an exception on your network.
To review whether any threats were logged over imap, check Marsha's activity in the WildFire Activity by Application widget in the Threat Activity tab. You can confirm that Marsha had no malicious activity, but to verify that no other user was compromised by the imap application, negate Marsha as a global filter and look for other users who triggered threats over imap.


Click into the bar for imap in the graph and drill into the inbound threats associated with the application. To find out who an IP address is registered to, hover over the attacker IP address and select the Who Is link in the drop-down.

Because the session count from this IP address is high, check the Blocked Content and Blocked Threats widgets in the Blocked Activity tab for events related to this IP address. The Blocked Activity tab allows you to validate whether or not your policy rules are effective in blocking content or threats when a host on your network is compromised.
Use the Export PDF capability on the ACC to export the current view (create a snapshot of the data) and send it to an incident response team. To view the threat logs directly from the widget, you can also click the icon to jump to the logs; the query is generated automatically and only the relevant logs are displayed on screen (for example, in Monitor > Logs > Threat Logs).


You have now used the ACC to review network data and trends to find which applications or users are generating the most traffic, and how many applications are responsible for the threats seen on the network. You were able to identify which application(s) and user(s) generated the traffic, determine whether the application was on the default port and which policy rule(s) allowed the traffic into the network, and determine whether the threat is spreading laterally on the network. You also identified the destination IP addresses and geolocations with which hosts on the network are communicating. Use the conclusions from your investigation to craft goal-oriented policies that can secure users and your network.


Use the App Scope Reports

The App Scope reports provide visibility and analysis tools to help pinpoint problematic behavior, helping you understand changes in application usage and user activity, identify the users and applications that take up most of the network bandwidth, and identify network threats.
With the App Scope reports, you can quickly see if any behavior is unusual or unexpected. Each report provides a dynamic, user-customizable window into the network; hovering the mouse over and clicking either the lines or bars on the charts opens detailed information about the specific application, application category, user, or source on the ACC. The App Scope charts on Monitor > App Scope give you the ability to:
- Toggle the attributes in the legend to view only the chart details that you want to review. The ability to include or exclude data from the chart allows you to change the scale and review details more closely.
- Click into an attribute in a bar chart and drill down to the related sessions in the ACC. Click into an Application name, Application Category, Threat Name, Threat Category, Source IP address, or Destination IP address on any bar chart to filter on the attribute and view the related sessions in the ACC.
- Export a chart or map to PDF or as an image. For portability and offline viewing, you can export charts and maps as PDFs or PNG images.
The following App Scope reports are available:
- Summary Report
- Change Monitor Report
- Threat Monitor Report
- Threat Map Report
- Network Monitor Report
- Traffic Map Report


Summary Report

The App Scope Summary report (Monitor > App Scope > Summary) displays charts for the top five gainers, losers, and bandwidth-consuming applications, application categories, users, and sources.


Change Monitor Report

The App Scope Change Monitor report (Monitor > App Scope > Change Monitor) displays changes over a specified time period. For example, the following chart displays the top applications that gained in use over the last hour as compared with the last 24-hour period. The top applications are determined by session count and sorted by percent.

The Change Monitor Report contains the following buttons and options.

Button Description

Top 10: Determines the number of records with the highest measurement included in the chart.

Application: Determines the type of item reported: Application, Application Category, Source, or Destination.

Gainers: Displays measurements of items that have increased over the measured period.

Losers: Displays measurements of items that have decreased over the measured period.

New: Displays measurements of items that were added over the measured period.

Dropped: Displays measurements of items that were discontinued over the measured period.


Filter: Applies a filter to display only the selected item. None displays all entries.

Determines whether to display session or byte information.

Sort: Determines whether to sort entries by percentage or raw growth.

Export: Exports the graph as a .png image or as a PDF.

Compare: Specifies the period over which the change measurements are taken.

Threat Monitor Report

The App Scope Threat Monitor report (Monitor > App Scope > Threat Monitor) displays a count of the top threats over the selected time period. For example, the following figure shows the top 10 threat types over the last 6 hours.

Each threat type is color-coded as indicated in the legend below the chart. The Threat Monitor report contains the following buttons and options.

Button Description

Top 10: Determines the number of records with the highest measurement included in the chart.

Threats: Determines the type of item measured: Threat, Threat Category, Source, or Destination.


Filter: Applies a filter to display only the selected type of items.

Determines whether the information is presented in a stacked column chart or a stacked area chart.

Export: Exports the graph as a .png image or as a PDF.

Specifies the period over which the measurements are taken.

Threat Map Report

The App Scope Threat Map report (Monitor > App Scope > Threat Map) shows a geographical view of threats, including severity. Each threat type is color-coded as indicated in the legend below the chart.
The firewall uses geolocation for creating threat maps. The firewall is placed at the bottom of the threat map screen if you have not specified the geolocation coordinates (Device > Setup > Management, General Settings section) on the firewall.

The Threat Map report contains the following buttons and options.

Button Description

Top 10: Determines the number of records with the highest measurement included in the chart.

Incoming threats: Displays incoming threats.

Outgoing threats: Displays outgoing threats.

Filter: Applies a filter to display only the selected type of items.

Zoom In and Zoom Out: Zoom in and zoom out of the map.

Export: Exports the graph as a .png image or as a PDF.

Indicates the period over which the measurements are taken.


Network Monitor Report

The App Scope Network Monitor report (Monitor > App Scope > Network Monitor) displays the bandwidth dedicated to different network functions over the specified period of time. Each network function is color-coded as indicated in the legend below the chart. For example, the image below shows application bandwidth for the past 7 days based on session information.

The Network Monitor report contains the following buttons and options.

Button Description

Top 10: Determines the number of records with the highest measurement included in the chart.

Application: Determines the type of item reported: Application, Application Category, Source, or Destination.

Filter: Applies a filter to display only the selected item. None displays all entries.

Determines whether to display session or byte information.

Export: Exports the graph as a .png image or as a PDF.

Determines whether the information is presented in a stacked column chart or a stacked area chart.

Indicates the period over which the change measurements are taken.


Traffic Map Report

The App Scope Traffic Map report (Monitor > App Scope > Traffic Map) shows a geographical view of traffic flows according to sessions or flows.
The firewall uses geolocation for creating traffic maps. The firewall is placed at the bottom of the traffic map screen if you have not specified the geolocation coordinates (Device > Setup > Management, General Settings section) on the firewall.

Each traffic type is color-coded as indicated in the legend below the chart. The Traffic Map report contains the following buttons and options.

Button Description

Top 10: Determines the number of records with the highest measurement included in the chart.

Incoming threats: Displays incoming threats.

Outgoing threats: Displays outgoing threats.

Determines whether to display session or byte information.

Zoom In and Zoom Out: Zoom in and zoom out of the map.

Export: Exports the graph as a .png image or as a PDF.

Indicates the period over which the change measurements are taken.


Use the Automated Correlation Engine

The automated correlation engine is an analytics tool that uses the logs on the firewall to detect actionable events on your network. The engine correlates a series of related threat events that, when combined, indicate a likely compromised host on your network or some other higher-level conclusion. It pinpoints areas of risk, such as compromised hosts on the network, and allows you to assess the risk and take action to prevent exploitation of network resources. The automated correlation engine uses correlation objects to analyze the logs for patterns and, when a match occurs, it generates a correlated event.

The following models support the automated correlation engine:
- Panorama M-Series appliances and virtual appliances
- PA-7000 Series firewalls
- PA-5200 Series firewalls
- PA-5000 Series firewalls
- PA-3000 Series firewalls

- Automated Correlation Engine Concepts
- View the Correlated Objects
- Interpret Correlated Events
- Use the Compromised Hosts Widget in the ACC

Automated Correlation Engine Concepts

The automated correlation engine uses correlation objects to analyze the logs for patterns and, when a match occurs, it generates a correlated event.
- Correlation Object
- Correlated Events

Correlation Object

A correlation object is a definition file that specifies patterns to match against, the data sources to use for the lookups, and the time period within which to look for these patterns. A pattern is a boolean structure of conditions that queries the following data sources (or logs) on the firewall: application statistics, traffic, traffic summary, threat summary, threat, data filtering, and URL filtering. Each pattern has a severity rating, and a threshold for the number of times the pattern match must occur within a defined time limit to indicate malicious activity. When the match conditions are met, a correlated event is logged.
A correlation object can connect isolated network events and look for patterns that indicate a more significant event. These objects identify suspicious traffic patterns and network anomalies, including suspicious IP activity, known command-and-control activity, known vulnerability exploits, or botnet activity that, when correlated, indicate with a high probability that a host on the network has been compromised.
Correlation objects are defined and developed by the Palo Alto Networks Threat Research team, and are delivered with the weekly dynamic updates to the firewall and Panorama. To obtain new correlation objects, the firewall must have a Threat Prevention license. Panorama requires a support license to get the updates.


Thepatternsdefinedinacorrelationobjectcanbestaticordynamic.Correlatedobjectsthatincludepatterns
observedinWildFirearedynamic,andcancorrelatemalwarepatternsdetectedbyWildFirewith
commandandcontrolactivityinitiatedbyahostthatwastargetedwiththemalwareonyournetworkor
activityseenbyaTrapsprotectedendpointonPanorama.Forexample,whenahostsubmitsafiletothe
WildFirecloudandtheverdictismalicious,thecorrelationobjectlooksforotherhostsorclientsonthe
networkthatexhibitthesamebehaviorseeninthecloud.IfthemalwaresamplehadperformedaDNSquery
andbrowsedtoamalwaredomain,thecorrelationobjectwillparsethelogsforasimilarevent.Whenthe
activityonahostmatchestheanalysisinthecloud,ahighseveritycorrelatedeventislogged.

Correlated Events

A correlated event is logged when the patterns and thresholds defined in a correlation object match the traffic patterns on your network. To Interpret Correlated Events and to view a graphical display of the events, see Use the Compromised Hosts Widget in the ACC.

View the Correlated Objects

View the Correlation Objects Available on the Firewall

Step 1  To view the correlation objects that are currently available, select Monitor > Automated Correlation Engine > Correlation Objects. All the objects in the list are enabled by default.


Step 2  View the details on each correlation object. Each object provides the following information:
• Name and Title: The name and title indicate the type of activity that the correlation object detects. The name column is hidden from view by default. To view the definition of the object, unhide the column and click the name link.
• ID: A unique number that identifies the correlation object; this column is also hidden by default. The IDs are in the 6000 series.
• Category: A classification of the kind of threat or harm posed to the network, user, or host. For now, all the objects identify compromised hosts on the network.
• State: Indicates whether the correlation object is enabled (active) or disabled (inactive). All the objects in the list are enabled by default, and are hence active. Because these objects are based on threat intelligence data and are defined by the Palo Alto Networks Threat Research team, keep the objects active in order to track and detect malicious activity on your network.
• Description: Specifies the match conditions for which the firewall or Panorama will analyze logs. It describes the sequence of conditions that are matched on to identify acceleration or escalation of malicious activity or suspicious host behavior. For example, the Compromise Lifecycle object detects a host involved in a complete attack lifecycle in a three-step escalation that starts with scanning or probing activity, progresses to exploitation, and concludes with network contact to a known malicious domain.

For more information, see Automated Correlation Engine Concepts and Use the Automated Correlation Engine.

Interpret Correlated Events

You can view and analyze the logs generated for each correlated event in the Monitor > Automated Correlation Engine > Correlated Events tab.

Correlated Events includes the following details:

Field          Description

Match Time: The time the correlation object triggered a match.

Update Time: The time when the event was last updated with evidence on the match. As the firewall collects evidence on the pattern or sequence of events defined in a correlation object, the timestamp on the correlated event log is updated.

Object Name: The name of the correlation object that triggered the match.

Source Address: The IP address of the user/device on your network from which the traffic originated.

Source User: The user and user group information from the directory server, if User-ID is enabled.


Severity: A rating that indicates the urgency and impact of the match. The severity level indicates the extent of damage or escalation pattern, and the frequency of occurrence. Because correlation objects are primarily for detecting threats, the correlated events typically relate to identifying compromised hosts on the network and the severity implies the following:
• Critical: Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.
• High: Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity generated by a particular host.
• Medium: Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs, which suggests scripted command-and-control activity.
• Low: Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.
• Informational: Detects an event that may be useful in aggregate for identifying suspicious activity, but the event is not necessarily significant on its own.
To configure the firewall or Panorama to send alerts using email, SNMP, or syslog messages for a desired severity level, see Use External Services for Monitoring.

Summary: A description that summarizes the evidence gathered on the correlated event.

Click the detailed log view icon to see the detailed log view, which includes all the evidence on a match:


Tab                  Description

Match Information: Object Details presents information on the Correlation Object that triggered the match. Match Details is a summary of the match details that includes the match time, last update time on the match evidence, severity of the event, and an event summary.

Match Evidence: Presents all the evidence that corroborates the correlated event. It lists detailed information on the evidence collected for each session.

Use the Compromised Hosts Widget in the ACC

The compromised hosts widget on ACC > Threat Activity aggregates the Correlated Events and sorts them by severity. It displays the source IP address/user who triggered the event, the correlation object that was matched, and the number of times the object was matched. Use the match count link to jump to the match evidence details.

For more details, see Use the Automated Correlation Engine and Use the Application Command Center.


Take Packet Captures

All Palo Alto Networks firewalls allow you to take packet captures (pcaps) of traffic that traverses the management interface and network interfaces on the firewall. When taking packet captures on the dataplane, you may need to Disable Hardware Offload to ensure that the firewall captures all traffic.

Packet capture can be very CPU intensive and can degrade firewall performance. Only use this feature when necessary and make sure you turn it off after you have collected the required packets.

• Types of Packet Captures
• Disable Hardware Offload
• Take a Custom Packet Capture
• Take a Threat Packet Capture
• Take an Application Packet Capture
• Take a Packet Capture on the Management Interface

Types of Packet Captures

There are four different types of packet captures you can enable, depending on what you need to do:
• Custom Packet Capture: The firewall captures packets for all traffic or for specific traffic based on filters that you define. For example, you can configure the firewall to only capture packets to and from a specific source and destination IP address or port. You then use the packet captures for troubleshooting network-related issues or for gathering application attributes to enable you to write custom application signatures or to request an application signature from Palo Alto Networks. See Take a Custom Packet Capture.
• Threat Packet Capture: The firewall captures packets when it detects a virus, spyware, or vulnerability. You enable this feature in Antivirus, Anti-Spyware, and Vulnerability Protection security profiles. A link to view or export the packet captures will appear in the second column of the Threat log. These packet captures provide context around a threat to help you determine if an attack is successful or to learn more about the methods used by an attacker. You can also submit this type of pcap to Palo Alto Networks to have a threat reanalyzed if you feel it is a false positive or false negative. See Take a Threat Packet Capture.
• Application Packet Capture: The firewall captures packets based on a specific application and filters that you define. A link to view or export the packet captures will appear in the second column of the Traffic logs for traffic that matches the packet capture rule. See Take an Application Packet Capture.
• Management Interface Packet Capture: The firewall captures packets on the management interface (MGT). The packet captures are useful when troubleshooting services that traverse the interface, such as firewall management authentication to External Authentication Services, software and content updates, log forwarding, communication with SNMP servers, and authentication requests for GlobalProtect and Captive Portal. See Take a Packet Capture on the Management Interface.


Disable Hardware Offload

Packet captures on a Palo Alto Networks firewall are performed in the dataplane CPU, unless you configure the firewall to Take a Packet Capture on the Management Interface, in which case the packet capture is performed on the management plane. When a packet capture is performed on the dataplane, during the ingress stage, the firewall performs packet parsing checks and discards any packets that do not match the packet capture filter. Any traffic that is offloaded to the field-programmable gate array (FPGA) offload processor is also excluded, unless you turn off hardware offload. For example, encrypted traffic (SSL/SSH), network protocols (OSPF, BGP, RIP), application overrides, and terminating applications can be offloaded to the FPGA and therefore are excluded from packet captures by default. Some types of sessions will never be offloaded, such as ARP, all non-IP traffic, IPSec, VPN sessions, and SYN, FIN, and RST packets.

Hardware offload is supported on the following firewalls: PA-3050, PA-3060, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls.

Disabling hardware offload increases the dataplane CPU usage. If dataplane CPU usage is already high, you may want to schedule a maintenance window before disabling hardware offload.

Enable/Disable Hardware Offload

Step 1  Disable hardware offload by running the following CLI command:
admin@PA-7050> set session offload no

Step 2  After the firewall captures the required traffic, enable hardware offload by running the following CLI command:
admin@PA-7050> set session offload yes


Take a Custom Packet Capture

Custom packet captures allow you to define the traffic that the firewall will capture. To ensure that you capture all traffic, you may need to Disable Hardware Offload.

Take a Custom Packet Capture

Step 1  Before you start a packet capture, identify the attributes of the traffic that you want to capture.
For example, to determine the source IP address, source NAT IP address, and the destination IP address for traffic between two systems, perform a ping from the source system to the destination system. After the ping is complete, go to Monitor > Traffic and locate the traffic log for the two systems. Click the Detailed Log View icon located in the first column of the log and note the source address, source NAT IP, and the destination address.

The following example shows how to use a packet capture to troubleshoot a Telnet connectivity issue from a user in the Trust zone to a server in the DMZ zone.


Take a Custom Packet Capture (Continued)

Step 2  Set packet capture filters, so the firewall only captures traffic you are interested in.
Using filters makes it easier for you to locate the information you need in the packet capture and will reduce the processing power required by the firewall to take the packet capture. To capture all traffic, do not define filters and leave the filter option off.
For example, if you configured NAT on the firewall, you will need to apply two filters. The first one filters on the pre-NAT source IP address to the destination IP address and the second one filters traffic from the destination server to the source NAT IP address.
1. Select Monitor > Packet Capture.
2. Click Clear All Settings at the bottom of the window to clear any existing capture settings.
3. Click Manage Filters and click Add.
4. Select Id 1 and in the Source field enter the source IP address you are interested in and in the Destination field enter a destination IP address.
For example, enter the source IP address 192.168.2.10 and the destination IP address 10.43.14.55. To further filter the capture, set Non-IP to exclude non-IP traffic, such as broadcast traffic.
5. Add the second filter and select Id 2.
For example, in the Source field enter 10.43.14.55 and in the Destination field enter 10.43.14.25. In the Non-IP drop-down menu select exclude.

6. Click OK.

Step 3  Set Filtering to On.


Take a Custom Packet Capture (Continued)

Step 4  Specify the traffic stage(s) that trigger the packet capture and the filename(s) to use to store the captured content. For a definition of each stage, click the Help icon on the packet capture page.
For example, to configure all packet capture stages and define a filename for each stage, perform the following procedure:
1. Add a Stage to the packet capture configuration and define a Filename for the resulting packet capture.
For example, select receive as the Stage and set the Filename to telnet-test-received.

2. Continue to Add each Stage you want to capture (receive, firewall, transmit, and drop) and set a unique Filename for each stage.

Step 5  Set Packet Capture to ON.

The firewall or appliance warns you that system performance can be degraded; acknowledge the warning by clicking OK. If you define filters, the packet capture should have little impact on performance, but you should always turn Off packet capture after the firewall captures the data that you want to analyze.

Step 6  Generate traffic that matches the filters that you defined.
For this example, generate traffic from the source system to the Telnet-enabled server by running the following command from the source system (192.168.2.10):
telnet 10.43.14.55


Take a Custom Packet Capture (Continued)

Step 7  Turn packet capture OFF and then click the refresh icon to see the packet capture files.

Notice that in this case, there were no dropped packets, so the firewall did not create a file for the drop stage.

Step 8  Download the packet captures by clicking the file name in the File Name column.

Step 9  View the packet capture files using a network packet analyzer.
In this example, the received.pcap packet capture shows a failed Telnet session from the source system at 192.168.2.10 to the Telnet-enabled server at 10.43.14.55. The source system sent the Telnet request to the server, but the server did not respond. In this example, the server may not have Telnet enabled, so check the server.

Step 10  Enable the Telnet service on the destination server (10.43.14.55) and turn on packet capture to take a new packet capture.

Step 11  Generate traffic that will trigger the packet capture.
Run the Telnet session again from the source system to the Telnet-enabled server:
telnet 10.43.14.55

Step 12  Download and open the received.pcap file and view it using a network packet analyzer.
The following packet capture now shows a successful Telnet session from the host user at 192.168.2.10 to the Telnet-enabled server at 10.43.14.55. Note that you also see the NAT address 10.43.14.25. When the server responds, it does so to the NAT address. You can see the session is successful as indicated by the three-way handshake between the host and the server, and then you see Telnet data.
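The check a reader performs by eye in Steps 9 and 12 (did the server ever answer the SYN, did the handshake complete, is there Telnet data), as an added example that is not part of the guide or the firewall's own tooling. The two captures are constructed here by a minimal pcap writer (Ethernet/IPv4/TCP with checksums left at zero) using the addresses from the walkthrough, so that the parser runs offline; a received-stage pcap downloaded from the firewall can be fed to parse_tcp_packets() the same way. Because the server replies to the source-NAT address 10.43.14.25, the classifier has to be told that address, just as the second filter in Step 2 is.

```python
"""Check a Telnet session in a packet capture for a completed TCP three-way
handshake, treating replies sent to the source-NAT address as part of it.
Added illustration, not Palo Alto Networks code; the captures are built
here with zero checksums so the parser can run offline."""
import socket
import struct
from typing import Dict, List, Optional, Tuple

TCP_SYN, TCP_ACK, TCP_PSH = 0x02, 0x10, 0x08


def build_capture(packets: List[Tuple[str, str, int, int, int, int, int, bytes]]) -> bytes:
    """Write (src, dst, sport, dport, flags, seq, ack, payload) tuples as a
    little-endian pcap with link type DLT_EN10MB (1)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for n, (src, dst, sport, dport, flags, seq, ack, payload) in enumerate(packets, 1):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), n, 0,
                         64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
        frame = bytes(12) + b"\x08\x00" + ip + tcp + payload  # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame
    return bytes(out)


def parse_tcp_packets(pcap: bytes) -> List[Dict]:
    """Return the IPv4/TCP packets of an Ethernet pcap as dicts."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    offset, packets = 24, []
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        sport, dport, seq, ack, data_off, flags = struct.unpack("!HHIIBB", tcp[:14])
        packets.append({
            "src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "payload": tcp[(data_off >> 4) * 4:],
        })
    return packets


def classify_session(packets: List[Dict], client: str, server: str,
                     port: int = 23, nat_ip: Optional[str] = None) -> str:
    """Classify a client->server TCP session as seen at the firewall's receive
    stage, where server replies may be addressed to the source-NAT address."""
    reply_targets = {client, nat_ip} - {None}

    def sent(p):
        return p["src"] == client and p["dst"] == server and p["dport"] == port

    def reply(p):
        return p["src"] == server and p["sport"] == port and p["dst"] in reply_targets

    syn = any(sent(p) and p["flags"] & TCP_SYN and not p["flags"] & TCP_ACK for p in packets)
    syn_ack = any(reply(p) and p["flags"] & TCP_SYN and p["flags"] & TCP_ACK for p in packets)
    ack = any(sent(p) and p["flags"] & TCP_ACK and not p["flags"] & TCP_SYN for p in packets)
    data = any((sent(p) or reply(p)) and p["payload"] for p in packets)
    if not syn:
        return "no-syn-seen"
    if not syn_ack:
        return "no-response"          # server silent: service down or filtered
    if not ack:
        return "handshake-incomplete"
    return "established-with-data" if data else "established"


CLIENT, SERVER, NAT = "192.168.2.10", "10.43.14.55", "10.43.14.25"

# Constructed: the first capture in the walkthrough, where the server never answers.
FAILED_PCAP = build_capture([
    (CLIENT, SERVER, 51000, 23, TCP_SYN, 1000, 0, b""),
    (CLIENT, SERVER, 51000, 23, TCP_SYN, 1000, 0, b""),       # SYN retransmit
])
# Constructed: after Telnet is enabled; replies go to the NAT address 10.43.14.25.
SUCCESS_PCAP = build_capture([
    (CLIENT, SERVER, 51000, 23, TCP_SYN, 1000, 0, b""),
    (SERVER, NAT, 23, 51000, TCP_SYN | TCP_ACK, 5000, 1001, b""),
    (CLIENT, SERVER, 51000, 23, TCP_ACK, 1001, 5001, b""),
    (SERVER, NAT, 23, 51000, TCP_PSH | TCP_ACK, 5001, 1001, b"\xff\xfd\x18"),  # Telnet DO option
])


def check_samples() -> Dict[str, str]:
    return {name: classify_session(parse_tcp_packets(pcap), CLIENT, SERVER, 23, NAT)
            for name, pcap in (("failed", FAILED_PCAP), ("success", SUCCESS_PCAP))}


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name}: {verdict}")
```

If classify_session() is called without nat_ip, the SYN/ACK addressed to 10.43.14.25 is not attributed to the session and the successful capture is reported as no-response; that is the same mistake as capturing with only the first filter from Step 2.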


Take a Threat Packet Capture

To configure the firewall to take a packet capture (pcap) when it detects a threat, enable packet capture on Antivirus, Anti-Spyware, and Vulnerability Protection security profiles.

Take a Threat Packet Capture

Step 1  Enable the packet capture option in the security profile.
Some security profiles allow you to define a single packet capture, or extended capture. If you choose extended capture, define the capture length. This will allow the firewall to capture more packets to provide additional context related to the threat. The firewall can only capture packets if the action for a given threat is set to allow or alert.
1. Select Objects > Security Profiles and enable the packet capture option for the supported profiles as follows:
• Antivirus: Select a custom antivirus profile and in the Antivirus tab select the Packet Capture check box.
• Anti-Spyware: Select a custom Anti-Spyware profile, click the DNS Signatures tab and in the Packet Capture drop-down, select single-packet or extended-capture.
• Vulnerability Protection: Select a custom Vulnerability Protection profile and in the Rules tab, click Add to add a new rule, or select an existing rule. Set Packet Capture to single-packet or extended-capture. Note that if the profile has signature exceptions defined, click the Exceptions tab and in the Packet Capture column for a signature, set single-packet or extended-capture.
2. (Optional) If you selected extended-capture for any of the profiles, define the extended packet capture length.
a. Select Device > Setup > Content-ID and edit the Content-ID Settings.
b. In the Extended Packet Capture Length (packets) section, specify the number of packets that the firewall will capture (range is 1-50; default is 5).
c. Click OK.

Step 2  Add the security profile (with packet capture enabled) to a Security Policy rule.
1. Select Policies > Security and select a rule.
2. Select the Actions tab.
3. In the Profile Settings section, select a profile that has packet capture enabled.
For example, click the Antivirus drop-down and select a profile that has packet capture enabled.


Take a Threat Packet Capture (Continued)

Step 3  View/export the packet capture from the Threat logs.
1. Select Monitor > Logs > Threat.
2. In the log entry that you are interested in, click the green packet capture icon in the second column. View the packet capture directly or Export it to your system.

Take an Application Packet Capture

The following topics describe two ways that you can configure the firewall to take application packet captures:
• Take a Packet Capture for Unknown Applications
• Take a Custom Application Packet Capture

Take a Packet Capture for Unknown Applications

Palo Alto Networks firewalls automatically generate a packet capture for sessions that contain an application that it cannot identify. Typically, the only applications that are classified as unknown traffic (tcp, udp, or non-syn-tcp) are commercially available applications that do not yet have App-ID signatures, are internal or custom applications on your network, or potential threats. You can use these packet captures to gather more context related to the unknown application or use the information to analyze the traffic for potential threats. You can also Manage Custom or Unknown Applications by controlling them through security policy or by writing a custom application signature and creating a security rule based on the custom signature. If the application is a commercial application, you can submit the packet capture to Palo Alto Networks to have an App-ID signature created.

Identify Unknown Applications in Traffic Logs and View Packet Captures

Step 1  Verify that unknown application packet capture is enabled. This option is on by default.
1. To view the unknown application capture setting, run the following CLI command:
admin@PA-200> show running application setting | match Unknown capture
2. If the unknown capture setting option is off, enable it:
admin@PA-200> set application dump-unknown yes


Identify Unknown Applications in Traffic Logs and View Packet Captures (Continued)

Step 2  Locate unknown applications by filtering the traffic logs.
1. Select Monitor > Logs > Traffic.
2. Click Add Filter and select the filters as shown in the following example.

3. Click Add and Apply Filter.

Step 3  Click the packet capture icon to view the packet capture or Export it to your local system.


Take a Custom Application Packet Capture

You can configure a Palo Alto Networks firewall to take a packet capture based on an application name and filters that you define. You can then use the packet capture to troubleshoot issues with controlling an application. When configuring an application packet capture, you must use the application name defined in the App-ID database. You can view a list of all App-ID applications using Applipedia or from the web interface on the firewall in Objects > Applications.

Take a Custom Application Packet Capture

Step 1  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 2  Turn on the application packet capture and define filters.
admin@PA-200> set application dump on application <application-name> rule <rule-name>
For example, to capture packets for the facebook-base application that matches the security rule named rule1, run the following CLI command:
admin@PA-200> set application dump on application facebook-base rule rule1
You can also apply other filters, such as source IP address and destination IP address.

Step 3  View the output of the packet capture settings to ensure that the correct filters are applied. The output appears after enabling the packet capture.
In the following output, you see that application filtering is now on based on the facebook-base application for traffic that matches rule1.
Application setting:
Application cache : yes
Supernode : yes
Heuristics : yes
Cache Threshold : 16
Bypass when exceeds queue limit: no
Traceroute appid : yes
Traceroute TTL threshold : 30
Use cache for appid : no
Unknown capture : on
Max. unknown sessions : 5000
Current unknown sessions : 0
Application capture : on
Max. application sessions : 5000
Current application sessions : 0
Application filter setting:
Rule : rule1
From : any
To : any
Source : any
Destination : any
Protocol : any
Source Port : any
Dest. Port : any
Application : facebook-base
Current APPID Signature
Signature Usage : 21 MB (Max. 32 MB)
TCP 1 C2S : 15503 states
TCP 1 S2C : 5070 states
TCP 2 C2S : 2426 states
TCP 2 S2C : 702 states
UDP 1 C2S : 11379 states
UDP 1 S2C : 2967 states
UDP 2 C2S : 755 states
UDP 2 S2C : 224 states

Step 4  Access Facebook.com from a web browser to generate Facebook traffic and then turn off application packet capture by running the following CLI command:
admin@PA-200> set application dump off


Take a Custom Application Packet Capture (Continued)

Step 5  View/export the packet capture.
1. Log in to the web interface on the firewall and select Monitor > Logs > Traffic.
2. In the log entry that you are interested in, click the green packet capture icon in the second column.
3. View the packet capture directly or Export it to your computer. The following screen capture shows the facebook-base packet capture.

Take a Packet Capture on the Management Interface

The tcpdump CLI command enables you to capture packets that traverse the management interface (MGT) on a Palo Alto Networks firewall.

Each platform has a default number of bytes that tcpdump captures. The PA-200 and PA-500 firewalls capture 68 bytes of data from each packet and anything over that is truncated. The PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls, and VM-Series firewalls capture 96 bytes of data from each packet. To define the number of bytes that tcpdump will capture from each packet, use the snaplen (snap length) option (range 0-65535). Setting the snaplen to 0 will cause the firewall to use the maximum length required to capture whole packets.

Take a Management Interface Packet Capture

Step 1  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 2  To start a packet capture on the MGT interface, run the following command:
admin@PA-200> tcpdump filter <filter-option> <IP-address> snaplen length
For example, to capture the traffic that is generated when an administrator authenticates to the firewall using RADIUS, filter on the destination IP address of the RADIUS server (10.5.104.99 in this example):
admin@PA-200> tcpdump filter dst 10.5.104.99 snaplen 0
You can also filter on src (source IP address), host, net, and you can exclude content. For example, to filter on a subnet and exclude all SCP, SFTP, and SSH traffic (which uses port 22), run the following command:
admin@PA-200> tcpdump filter net 10.5.104.0/24 and not port 22 snaplen 0
Each time tcpdump takes a packet capture, it stores the content in a file named mgmt.pcap. This file is overwritten each time you run tcpdump.

Step 3  After the traffic you are interested in has traversed the MGT interface, press Ctrl+C to stop the capture.


Take a Management Interface Packet Capture (Continued)

Step 4  View the packet capture by running the following command:
admin@PA-200> view-pcap mgmt-pcap mgmt.pcap
The following output shows the packet capture from the MGT port (10.5.104.98) to the RADIUS server (10.5.104.99):
09:55:29.139394 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id:
0x00 length: 89
09:55:29.144354 arp reply 10.5.104.98 is-at 00:25:90:23:94:98 (oui Unknown)
09:55:29.379290 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id:
0x00 length: 70
09:55:34.379262 arp who-has 10.5.104.99 tell 10.5.104.98

Step 5  (Optional) Export the packet capture from the firewall using SCP (or TFTP). For example, to export the packet capture using SCP, run the following command:
admin@PA-200> scp export mgmt-pcap from mgmt.pcap to <username@host:path>
For example, to export the pcap to an SCP-enabled server at 10.5.5.20, to a temp folder named temp-SCP, run the following CLI command:
admin@PA-200> scp export mgmt-pcap from mgmt.pcap to admin@10.5.5.20:c:/temp-SCP
Enter the login name and password for the account on the SCP server to enable the firewall to copy the packet capture to the c:\temp-SCP folder on the SCP-enabled server.

Step 6  You can now view the packet capture files using a network packet analyzer, such as Wireshark.
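A way to read a RADIUS exchange out of view-pcap output like the one in Step 4, as an added example that is not part of the guide or the firewall: it pairs Access Requests with responses by RADIUS packet id, counts retransmissions, and checks whether an ARP query for the server was ever answered. The sample lines are constructed after the output shown in Step 4 (with the wrapped "id: / 0x00 length:" continuation joined onto one line) plus a constructed successful exchange; the diagnosis labels are this example's own.

```python
"""Diagnose a RADIUS exchange from the text form of a management-interface
capture (view-pcap output). Added illustration, not Palo Alto Networks code;
the sample lines are constructed after the guide's output."""
import re
from collections import defaultdict
from typing import Dict, List

RADIUS_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\S+): RADIUS, "
    r"(?P<code>Access Request|Access Accept|Access Reject|Access Challenge) \(\d\), "
    r"id: (?P<id>0x[0-9a-fA-F]+) length: (?P<len>\d+)$")
ARP_WHO_HAS = re.compile(r"^(?P<ts>\S+) arp who-has (?P<target>\S+) tell (?P<asker>\S+)$")
ARP_REPLY = re.compile(r"^(?P<ts>\S+) arp reply (?P<ip>\S+) is-at (?P<mac>\S+)")

# Constructed after the guide's view-pcap output: two Access Requests with no
# answer, then an ARP query for the RADIUS server that also goes unanswered.
FAILED_LINES = [
    "09:55:29.139394 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 89",
    "09:55:29.144354 arp reply 10.5.104.98 is-at 00:25:90:23:94:98 (oui Unknown)",
    "09:55:29.379290 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 70",
    "09:55:34.379262 arp who-has 10.5.104.99 tell 10.5.104.98",
]
# Constructed: the same firewall and server, with the server answering.
SUCCESS_LINES = [
    "10:02:11.001000 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x01 length: 89",
    "10:02:11.004500 IP 10.5.104.99.radius > 10.5.104.98.43063: RADIUS, Access Accept (2), id: 0x01 length: 20",
]


def analyze_radius_capture(lines: List[str], server_ip: str) -> Dict:
    """Pair requests to server_ip with responses by packet id and diagnose."""
    requests: Dict[str, List[str]] = defaultdict(list)    # id -> request timestamps
    responses: Dict[str, List[str]] = defaultdict(list)   # id -> response codes
    arp_queries, arp_answered = [], set()
    for line in lines:
        m = RADIUS_RE.match(line)
        if m:
            if m["code"] == "Access Request" and m["dst"] == server_ip:
                requests[m["id"]].append(m["ts"])
            elif m["src"] == server_ip:
                responses[m["id"]].append(m["code"])
            continue
        m = ARP_WHO_HAS.match(line)
        if m and m["target"] == server_ip:
            arp_queries.append(m["ts"])
            continue
        m = ARP_REPLY.match(line)
        if m:
            arp_answered.add(m["ip"])
    unanswered = sorted(i for i in requests if i not in responses)
    retransmits = sum(len(ts) - 1 for ts in requests.values())
    if not requests:
        diagnosis = "no-radius-requests-seen"
    elif unanswered and arp_queries and server_ip not in arp_answered:
        diagnosis = "server-unreachable-at-layer2"   # its MAC was never resolved
    elif unanswered:
        diagnosis = "server-not-responding"
    elif any("Access Reject" in codes for codes in responses.values()):
        diagnosis = "authentication-rejected"
    else:
        diagnosis = "authentication-succeeded"
    return {"requests": dict(requests), "responses": dict(responses),
            "unanswered_ids": unanswered, "retransmits": retransmits,
            "unanswered_arp_for_server": 0 if server_ip in arp_answered else len(arp_queries),
            "diagnosis": diagnosis}


if __name__ == "__main__":
    for label, lines in (("failed", FAILED_LINES), ("success", SUCCESS_LINES)):
        result = analyze_radius_capture(lines, "10.5.104.99")
        print(label, result["diagnosis"], "retransmits:", result["retransmits"])
```

For the capture in Step 4 the result is server-unreachable-at-layer2: the firewall retransmitted the Access Request and then had to ask for the server's MAC address without getting a reply, which points at the path between the MGT port and 10.5.104.99 rather than at the RADIUS shared secret or user credentials.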


Monitor Applications and Threats

All Palo Alto Networks next-generation firewalls come equipped with the App-ID technology, which identifies the applications traversing your network, irrespective of protocol, encryption, or evasive tactic. You can then Use the Application Command Center to monitor the applications. The ACC graphically summarizes the data from a variety of log databases to highlight the applications traversing your network, who is using them, and their potential security impact. ACC is dynamically updated, using the continuous traffic classification that App-ID performs; if an application changes ports or behavior, App-ID continues to see the traffic, displaying the results in ACC. Additional visibility into URL categories, threats, and data provides a complete and well-rounded picture of network activity. With ACC, you can very quickly learn more about the traffic traversing the network and then translate that information into a more informed security policy.
You can also Use the Dashboard to monitor the network.

Content Delivery Network Infrastructure for Dynamic Updates to check whether logged events on the firewall pose a security risk. The AutoFocus intelligence summary shows the prevalence of properties, activities, or behaviors associated with logs in your network and on a global scale, as well as the WildFire verdict and AutoFocus tags linked to them. With an active AutoFocus subscription, you can use this information to create customized AutoFocus Alerts that track specific threats on your network.


View and Manage Logs

A log is an automatically generated, time-stamped file that provides an audit trail for system events on the firewall or network traffic events that the firewall monitors. Log entries contain artifacts, which are properties, activities, or behaviors associated with the logged event, such as the application type or the IP address of an attacker. Each log type records information for a separate event type. For example, the firewall generates a Threat log to record traffic that matches a spyware, vulnerability, or virus signature or a DoS attack that matches the thresholds configured for a port scan or host sweep activity on the firewall.
• Log Types and Severity Levels
• View Logs
• Filter Logs
• Export Logs
• Configure Log Storage Quotas and Expiration Periods
• Schedule Log Exports to an SCP or FTP Server

Log Types and Severity Levels

You can see the following log types in the Monitor > Logs pages.

• Traffic Logs
• Threat Logs
• URL Filtering Logs
• WildFire Submissions Logs
• Data Filtering Logs
• Correlation Logs
• Tunnel Inspection Logs
• Config Logs
• System Logs
• HIP Match Logs
• User-ID Logs
• Alarms Logs
• Authentication Logs
• Unified Logs


Traffic Logs

Traffic logs display an entry for the start and end of each session. Each entry includes the following information: date and time; source and destination zones, addresses and ports; application name; security rule applied to the traffic flow; rule action (allow, deny, or drop); ingress and egress interface; number of bytes; and session end reason.
The Type column indicates whether the entry is for the start or end of the session. The Action column indicates whether the firewall allowed, denied, or dropped the session. A drop indicates the security rule that blocked the traffic specified any application, while a deny indicates the rule identified a specific application. If the firewall drops traffic before identifying the application, such as when a rule drops all traffic for a specific service, the Application column displays not-applicable.
Click the detailed log view icon beside an entry to view additional details about the session, such as whether an ICMP entry aggregates multiple sessions between the same source and destination (in which case the Count column value is greater than one).

Threat Logs

Threat logs display entries when traffic matches one of the Security Profiles attached to a security rule on the firewall. Each entry includes the following information: date and time; type of threat (such as virus or spyware); threat description or URL (Name column); source and destination zones, addresses, and ports; application name; alarm action (such as allow or block); and severity level.
To see more details on individual Threat log entries:
• Click the detailed log view icon beside a threat entry to view details such as whether the entry aggregates multiple threats of the same type between the same source and destination (in which case the Count column value is greater than one).
• If you configured the firewall to Take Packet Captures, click the packet capture icon beside an entry to access the captured packets.
The following table summarizes the Threat severity levels:

Severity       Description

Critical: Serious threats, such as those that affect default installations of widely deployed software, result in root compromise of servers, and the exploit code is widely available to attackers. The attacker usually does not need any special authentication credentials or knowledge about the individual victims and the target does not need to be manipulated into performing any special functions.

High: Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool.

Medium: Minor threats in which impact is minimized, such as DoS attacks that do not compromise the target or exploits that require an attacker to reside on the same LAN as the victim, affect only non-standard configurations or obscure applications, or provide very limited access. In addition, WildFire Submissions log entries with a malware verdict are logged as Medium.

Low: Warning-level threats that have very little impact on an organization's infrastructure. They usually require local or physical system access and may often result in victim privacy or DoS issues and information leakage. Data Filtering profile matches are logged as Low.


Informational: Suspicious events that do not pose an immediate threat, but that are reported to call attention to deeper problems that could possibly exist. URL Filtering log entries and WildFire Submissions log entries with a benign verdict are logged as Informational.

URL Filtering Logs

URL Filtering logs display entries for traffic that matches URL Filtering Profiles attached to security rules. For example, the firewall generates a log if a rule blocks access to specific web sites and web site categories or if you configured a rule to generate an alert when a user accesses a web site.

WildFire Submissions Logs

The firewall forwards samples (files and email links) to the WildFire cloud for analysis based on WildFire Analysis profile settings (Objects > Security Profiles > WildFire Analysis). The firewall generates WildFire Submissions log entries for each sample it forwards after WildFire completes static and dynamic analysis of the sample. WildFire Submissions log entries include the firewall Action for the sample (allow or block) and the WildFire verdict for the submitted sample.
The following table summarizes the WildFire verdicts:

Severity       Description

Benign: Indicates that the entry received a WildFire analysis verdict of benign. Files categorized as benign are safe and do not exhibit malicious behavior.

Grayware: Indicates that the entry received a WildFire analysis verdict of grayware. Files categorized as grayware do not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware can include adware, spyware, and Browser Helper Objects (BHOs).

Phishing: Indicates that WildFire assigned a link an analysis verdict of phishing. A phishing verdict indicates that the site to which the link directs users displayed credential phishing activity.

Malicious: Indicates that the entry received a WildFire analysis verdict of malicious. Samples categorized as malicious can pose a security threat. Malware can include viruses, worms, Trojans, Remote Access Tools (RATs), rootkits, and botnets. For samples that are identified as malware, the WildFire cloud generates and distributes a signature to prevent against future exposure.

Data Filtering Logs

Data Filtering logs display entries for the security rules that help prevent sensitive information such as credit card numbers from leaving the area that the firewall protects. See Set Up Data Filtering for information on defining Data Filtering profiles.
This log type also shows information for File Blocking Profiles. For example, if a rule blocks .exe files, the log shows the blocked files.


Correlation Logs

The firewall logs a correlated event when the patterns and thresholds defined in a Correlation Object match the traffic patterns on your network. To Interpret Correlated Events and view a graphical display of the events, see Use the Compromised Hosts Widget in the ACC.
The following table summarizes the Correlation log severity levels:

Severity  Description

Critical  Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.

High  Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity being generated from a particular host.

Medium  Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs that suggest scripted command-and-control activity.

Low  Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.

Informational  Detects an event that may be useful in aggregate for identifying suspicious activity; each event is not necessarily significant on its own.

Tunnel Inspection Logs

Tunnel inspection logs are like traffic logs for tunnel sessions; they display entries of non-encrypted tunnel sessions. To prevent double counting, the firewall saves only the inner flows in traffic logs, and sends tunnel sessions to the tunnel inspection logs. The tunnel inspection log entries include Receive Time (date and time the log was received), the tunnel ID, monitor tag, session ID, the Security rule applied to the tunnel session, number of bytes in the session, parent session ID (session ID for the tunnel session), source address, source user and source zone, destination address, destination user, and destination zone.
Click the Detailed Log view to see details for an entry, such as the tunnel protocol used, and the flag indicating whether the tunnel content was inspected or not. Only a session that has a parent session will have the Tunnel Inspected flag set, which means the session is in a tunnel-in-tunnel (two levels of encapsulation). The first outer header of a tunnel will not have the Tunnel Inspected flag set.
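The parent session ID chain described above, as an added example that is not code from the guide: it reconstructs the nesting depth of each tunnel session from constructed tunnel inspection entries, groups sessions under their outermost tunnel, and checks every entry's Tunnel Inspected flag against the rule stated here (set exactly when the session has a parent). The field names (session, parent, tunnel_id, bytes, tunnel_inspected) are assumed stand-ins for the fields the guide lists, not the firewall's export column names.

```python
"""Reconstruct tunnel nesting from tunnel inspection log entries.

Added example, not code from the guide. TUNNEL_LOGS is constructed sample data;
the field names are assumptions, not the firewall's export column names."""

# Constructed entries. parent is None for an outer tunnel session.
TUNNEL_LOGS = [
    {"session": 1001, "parent": None, "tunnel_id": 10, "bytes": 48000, "tunnel_inspected": False},
    {"session": 1002, "parent": 1001, "tunnel_id": 11, "bytes": 30000, "tunnel_inspected": True},
    {"session": 1003, "parent": 1002, "tunnel_id": 12, "bytes": 12000, "tunnel_inspected": True},
    {"session": 2001, "parent": None, "tunnel_id": 20, "bytes": 9000, "tunnel_inspected": False},
    # Deliberately inconsistent: it has a parent, so by the rule in the guide
    # the Tunnel Inspected flag should be set.
    {"session": 2002, "parent": 2001, "tunnel_id": 21, "bytes": 5000, "tunnel_inspected": False},
]


def encapsulation_depth(entries):
    """Map session ID -> nesting depth: 1 for an outer tunnel, 2 for a tunnel
    carried inside it (tunnel-in-tunnel), and so on, following parent links."""
    parent_of = {e["session"]: e["parent"] for e in entries}
    depth = {}

    def of(sid, seen=()):
        if sid in depth:
            return depth[sid]
        if sid in seen:
            raise ValueError(f"parent loop at session {sid}")
        parent = parent_of.get(sid)
        if parent is None:
            depth[sid] = 1
        elif parent in parent_of:
            depth[sid] = 1 + of(parent, seen + (sid,))
        else:  # parent not logged: still one enclosing level
            depth[sid] = 2
        return depth[sid]

    for sid in parent_of:
        of(sid)
    return depth


def flag_mismatches(entries):
    """Sessions whose Tunnel Inspected flag disagrees with the guide's rule:
    the flag is set exactly when the session has a parent session."""
    return [e["session"] for e in entries if e["tunnel_inspected"] != (e["parent"] is not None)]


def tunnel_chains(entries):
    """Group sessions by their outermost tunnel: {outer session: [sessions by depth]}."""
    depth = encapsulation_depth(entries)
    parent_of = {e["session"]: e["parent"] for e in entries}

    def outer(sid):
        while parent_of.get(sid) is not None and parent_of[sid] in parent_of:
            sid = parent_of[sid]
        return sid

    chains = {}
    for e in entries:
        chains.setdefault(outer(e["session"]), []).append(e["session"])
    for members in chains.values():
        members.sort(key=lambda s: depth[s])
    return chains


if __name__ == "__main__":
    print(encapsulation_depth(TUNNEL_LOGS))
    print(tunnel_chains(TUNNEL_LOGS))
    print("flag mismatches:", flag_mismatches(TUNNEL_LOGS))
```

A mismatch list that is not empty is worth a second look: either the export was parsed with the wrong column, or the entry is not really a tunnel-in-tunnel session.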

Config Logs

Config logs display entries for changes to the firewall configuration. Each entry includes the date and time, the administrator username, the IP address from where the administrator made the change, the type of client (Web, CLI, or Panorama), the type of command executed, the command status (succeeded or failed), the configuration path, and the values before and after the change.

System Logs

System logs display entries for each system event on the firewall. Each entry includes the date and time, event severity, and event description. The following table summarizes the System log severity levels. For a partial list of System log messages and their corresponding severity levels, refer to System Log Events.

Severity  Description

Critical  Hardware failures, including high availability (HA) failover and link failures.

High  Serious issues, including dropped connections with external devices, such as LDAP and RADIUS servers.

Medium  Mid-level notifications, such as antivirus package upgrades.

Low  Minor severity notifications, such as user password changes.

Informational  Login/logoff, administrator name or password change, any configuration change, and all other events not covered by the other severity levels.

HIP Match Logs

The GlobalProtect Host Information Profile (HIP) matching enables you to collect information about the security status of the end devices accessing your network (such as whether they have disk encryption enabled). The firewall can allow or deny access to a specific host based on adherence to the HIP-based security rules you define. HIP Match logs display traffic flows that match a HIP Object or HIP Profile that you configured for the rules.

User-ID Logs

User-ID logs display information about IP address-to-username mappings and Authentication Timestamps, such as the sources of the mapping information and the times when users authenticated. You can use this information to help troubleshoot User-ID and authentication issues. For example, if the firewall is applying the wrong policy rule for a user, you can view the logs to verify whether that user is mapped to the correct IP address and whether the group associations are correct.

Alarms Logs

An alarm is a firewall-generated message indicating that the number of events of a particular type (for example, encryption and decryption failures) has exceeded the threshold configured for that event type. To enable alarms and configure alarm thresholds, select Device > Log Settings and edit the Alarm Settings.
When generating an alarm, the firewall creates an Alarm log and opens the System Alarms dialog to display the alarm. After you Close the dialog, you can reopen it any time by clicking Alarms at the bottom of the web interface. To prevent the firewall from automatically opening the dialog for a particular alarm, select the alarm in the Unacknowledged Alarms list and Acknowledge the alarm.

Authentication Logs

Authentication logs display information about authentication events that occur when end users try to access network resources for which access is controlled by Authentication Policy rules. You can use this information to help troubleshoot access issues and to adjust your Authentication policy as needed. In conjunction with correlation objects, you can also use Authentication logs to identify suspicious activity on your network, such as brute force attacks.
Optionally, you can configure Authentication rules to log timeout events. These timeouts relate to the period when a user needs to authenticate for a resource only once but can access it repeatedly. Seeing information about the timeouts helps you decide if and how to adjust them (for details, see Authentication Timestamps).

System logs record authentication events relating to GlobalProtect and to administrator access to the web interface.
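A simple version of the brute-force correlation mentioned above, as an added example that is neither code from the guide nor a firewall correlation object: it counts authentication failures per source address inside a sliding time window over constructed sample events and reports the distinct user names tried, which separates a single-account attack from password spraying. The event layout (receive time, source IP, user, result) is an assumption, not the Authentication log's export format.

```python
"""Sliding-window failed-authentication detector.

Added example, not from the guide: a simplified stand-in for the correlation
object the guide mentions. AUTH_EVENTS is constructed sample data; its field
layout is an assumption, not the firewall's Authentication log format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: (receive time, source IP, user name, result)
AUTH_EVENTS = [
    ("2017/03/30 09:00:01", "10.0.0.50", "alice", "success"),
    ("2017/03/30 09:01:10", "198.51.100.12", "alice", "failure"),
    ("2017/03/30 09:01:40", "198.51.100.12", "alice", "failure"),
    ("2017/03/30 09:02:05", "198.51.100.12", "admin", "failure"),
    ("2017/03/30 09:02:30", "198.51.100.12", "alice", "failure"),
    ("2017/03/30 09:03:00", "198.51.100.12", "root", "failure"),
    ("2017/03/30 09:03:20", "198.51.100.12", "alice", "failure"),
    ("2017/03/30 09:30:00", "10.0.0.60", "bob", "failure"),
    ("2017/03/30 09:31:00", "10.0.0.60", "bob", "success"),
    ("2017/03/30 09:50:00", "10.0.0.60", "bob", "failure"),
]

TIME_FORMAT = "%Y/%m/%d %H:%M:%S"


def detect_bruteforce(events, threshold=5, window_minutes=5):
    """Return {source_ip: alert} for every source that accumulates at least
    `threshold` authentication failures within any `window_minutes` span.
    The alert records when the threshold was first crossed, how many failures
    were in the window at that moment, and the distinct user names tried
    (several names from one source suggests password spraying)."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # source -> (time, user) failures still inside the window
    alerts = {}
    for stamp, src, user, result in sorted(events, key=lambda e: e[0]):
        if result != "failure":
            continue
        now = datetime.strptime(stamp, TIME_FORMAT)
        q = recent[src]
        q.append((now, user))
        while q and now - q[0][0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            users = sorted({u for _, u in q})
            alerts[src] = {
                "first_alert": stamp,
                "failures": len(q),
                "users": users,
                "kind": "spray" if len(users) > 1 else "single-account",
            }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_bruteforce(AUTH_EVENTS).items():
        print(src, alert)
```

The threshold and window are the two knobs a correlation object would expose; the test cases show that a source whose failures are spread over 20 minutes never trips a 5-minute window, but does trip a 30-minute one with a lower threshold.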

Unified Logs

Unified logs are entries from the Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering logs displayed in a single view. Unified log view enables you to investigate and filter the latest entries from different log types in one place, instead of searching through each log type separately. Click Effective Queries in the filter area to select which log types will display entries in Unified log view.
The Unified log view displays only entries from logs that you have permission to see. For example, an administrator who does not have permission to view WildFire Submissions logs will not see WildFire Submissions log entries when viewing Unified logs. Administrative Roles define these permissions.

When you Set Up Remote Search in AutoFocus to perform a targeted search on the firewall, the search results are displayed in Unified log view.

View Logs

You can view the different log types on the firewall in a tabular format. The firewall locally stores all log files and automatically generates Configuration and System logs by default. To learn more about the security rules that trigger the creation of entries for the other types of logs, see Log Types and Severity Levels.
To configure the firewall to forward logs as syslog messages, email notifications, or Simple Network Management Protocol (SNMP) traps, Use External Services for Monitoring.

Step 1  Select a log type to view.
        1. Select Monitor > Logs.
        2. Select a log type from the list.
           The firewall displays only the logs you have permission to see. For example, if your administrative account does not have permission to view WildFire Submissions logs, the firewall does not display that log type when you access the logs pages. Administrative Roles define the permissions.

Step 2  (Optional) Customize the log column display.
        1. Click the arrow to the right of any column header, and select Columns.
        2. Select columns to display from the list. The log updates automatically to match your selections.

Step 3  View additional details about log entries.
        Click the spyglass for a specific log entry. The Detailed Log View has more information about the source and destination of the session, as well as a list of sessions related to the log entry.
        (Threat log only) Click the icon next to an entry to access local packet captures of the threat. To enable local packet captures, see Take Packet Captures.
        (Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Unified logs only) View AutoFocus threat data for a log entry.
        a. Enable AutoFocus Threat Intelligence.
           Enable AutoFocus in Panorama to view AutoFocus threat data for all Panorama log entries, including those from firewalls that are not connected to AutoFocus and/or are running PAN-OS 7.0 and earlier release versions (Panorama > Setup > Management > AutoFocus).
        b. Hover over an IP address, URL, user agent, threat name (subtype: virus and wildfire-virus only), filename, or SHA-256 hash.
        c. Click the drop-down and select AutoFocus.
        d. Content Delivery Network Infrastructure for Dynamic Updates.

Next Steps...
        Filter Logs.
        Export Logs.
        Configure Log Storage Quotas and Expiration Periods.

Filter Logs

Each log has a filter area that allows you to set criteria for which log entries to display. The ability to filter logs is useful for focusing on events on your firewall that possess particular properties or attributes. Filter logs by artifacts that are associated with individual log entries.

Step 1  (Unified logs only) Select the log types to include in the Unified log display.
        1. Click Effective Queries.
        2. Select one or more log types from the list (traffic, threat, url, data, and wildfire).
        3. Click OK. The Unified log updates to show only entries from the log types you have selected.

Step 2  Add a filter to the filter field.
        Click one or more artifacts (such as the application type associated with traffic and the IP address of an attacker) in a log entry. For example, click the Source 10.0.0.25 and Application web-browsing of a log entry to display only entries that contain both artifacts in the log (AND search).
        To specify artifacts to add to the filter field, click Add Filter.
        To add a previously saved filter, click Load Filter.
        If the value of the artifact matches the operator (such as has or in), enclose the value in quotation marks to avoid a syntax error. For example, if you filter by destination country and use IN as a value to specify INDIA, enter the filter as ( dstloc eq "IN" ).

Step 3  Apply the filter to the log.
        Click Apply Filter. The log will refresh to display only log entries that match the current filter.

Step 4  (Optional) Save frequently used filters.
        1. Click Save Filter.
        2. Enter a Name for the filter.
        3. Click OK. You can view your saved filters by clicking Load Filter.

Next Steps...
        View Logs.
        Export Logs.
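The filter syntax used in Step 2 above, and the not (addr.src in ...) query that the botnet report procedure later adds through its Query Builder, as an added example that is not the firewall's own parser: it tokenizes and evaluates parenthesized comparisons joined by and, or and not against constructed log entries. The operator semantics are assumptions made here (eq compares strings, has is a substring match, in tests an address against a host or CIDR prefix), and the example shows why an unquoted IN value is rejected as a syntax error while a quoted "IN" is accepted, which is the caveat the step describes.

```python
"""Parse and evaluate PAN-OS style log filter expressions.

Added example, not the firewall's parser. Covers the syntax the guide shows:
parenthesized comparisons such as ( addr.src in 10.0.0.25 ) joined by and, or
and not. Operator semantics are assumptions: eq compares strings, has is a
substring match, in tests an address against a host or CIDR prefix.
SAMPLE_LOGS is constructed sample data, not firewall output."""
import ipaddress
import re

KEYWORDS = {"and", "or", "not", "eq", "in", "has"}
OPERATORS = {"eq", "in", "has"}
TOKEN = re.compile(r'\s*(?:([()])|"([^"]*)"|([^\s()"]+))')


class FilterSyntaxError(ValueError):
    pass


def tokenize(text):
    """Split into (kind, value) tokens. Keywords are case-insensitive, which is
    why a bare value such as IN collides with the operator in; a double-quoted
    value is always a plain literal."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            if text[pos:].strip():
                raise FilterSyntaxError(f"bad token near {text[pos:]!r}")
            break
        pos = m.end()
        paren, quoted, word = m.groups()
        if paren:
            tokens.append(("lparen" if paren == "(" else "rparen", paren))
        elif quoted is not None:
            tokens.append(("quoted", quoted))
        elif word.lower() in KEYWORDS:
            tokens.append(("keyword", word.lower()))
        else:
            tokens.append(("word", word))
    return tokens


class Parser:
    """expr := term (or term)*; term := factor (and factor)*;
    factor := not factor | '(' comparison-or-expr ')'; comparison := field op value."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self, ahead=0):
        k = self.i + ahead
        return self.toks[k] if k < len(self.toks) else (None, None)
    def take(self, kind=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind):
            raise FilterSyntaxError(f"expected {kind or 'a token'}, got {tok[1]!r}")
        self.i += 1
        return tok
    def parse(self):
        node = self.expr()
        if self.peek()[0] is not None:
            raise FilterSyntaxError(f"unexpected trailing token {self.peek()[1]!r}")
        return node
    def expr(self):
        node = self.term()
        while self.peek() == ("keyword", "or"):
            self.take()
            node = ("or", node, self.term())
        return node
    def term(self):
        node = self.factor()
        while self.peek() == ("keyword", "and"):
            self.take()
            node = ("and", node, self.factor())
        return node
    def factor(self):
        if self.peek() == ("keyword", "not"):
            self.take()
            return ("not", self.factor())
        self.take("lparen")
        nxt = self.peek(1)
        node = self.comparison() if nxt[0] == "keyword" and nxt[1] in OPERATORS else self.expr()
        self.take("rparen")
        return node
    def comparison(self):
        field, op = self.take("word")[1], self.take("keyword")[1]
        kind, value = self.peek()
        if kind not in ("word", "quoted"):  # e.g. the bare IN in ( dstloc eq IN )
            raise FilterSyntaxError(f"value after '{field} {op}' must be a literal, got {value!r}; quote it")
        self.take()
        return ("cmp", field, op, value)


def matches(node, entry):
    """Evaluate a parsed filter against one log entry (dict of field -> value)."""
    kind = node[0]
    if kind == "and":
        return matches(node[1], entry) and matches(node[2], entry)
    if kind == "or":
        return matches(node[1], entry) or matches(node[2], entry)
    if kind == "not":
        return not matches(node[1], entry)
    _, field, op, value = node
    actual = entry.get(field)
    if actual is None:
        return False
    if op == "eq":
        return str(actual) == value
    if op == "has":
        return value in str(actual)
    try:  # in: address membership in a host (/32) or a prefix
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    except ValueError:
        return str(actual) == value


def filter_logs(expression, entries):
    ast = Parser(tokenize(expression)).parse()
    return [e for e in entries if matches(ast, e)]


# Constructed log entries; field names follow the filter syntax in the guide.
SAMPLE_LOGS = [
    {"addr.src": "10.0.0.25", "addr.dst": "198.51.100.7", "app": "web-browsing", "dstloc": "IN"},
    {"addr.src": "10.0.0.25", "addr.dst": "198.51.100.9", "app": "ssl", "dstloc": "US"},
    {"addr.src": "10.0.1.35", "addr.dst": "203.0.113.4", "app": "web-browsing", "dstloc": "IN"},
    {"addr.src": "10.0.0.77", "addr.dst": "203.0.113.8", "app": "dns", "dstloc": "US"},
]
```

Filters are parsed before any entry is touched, so a malformed expression fails fast with a message naming the offending token rather than silently matching nothing; the same check is what makes ( dstloc eq IN ) an error and ( dstloc eq "IN" ) a valid country match.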

Export Logs

You can export the contents of a log type to a comma-separated value (CSV) formatted report. By default, the report contains up to 2,000 rows of log entries.

Step 1  Set the number of rows to display in the report.
        1. Select Device > Setup > Management, then edit the Logging and Reporting Settings.
        2. Click the Log Export and Reporting tab.
        3. Edit the number of Max Rows in CSV Export (up to 100,000 rows).
        4. Click OK.

Step 2  Download the log.
        1. Click Export to CSV. A progress bar showing the status of the download appears.
        2. When the download is complete, click Download file to save a copy of the log to your local folder. For descriptions of the column headers in a downloaded log, refer to Syslog Field Descriptions.

Next Step...
        Schedule Log Exports to an SCP or FTP Server.

Configure Log Storage Quotas and Expiration Periods

The firewall automatically deletes logs that exceed the expiration period. When the firewall reaches the storage quota for a log type, it automatically deletes older logs of that type to create space even if you don't set an expiration period.

If you want to manually delete logs, select Device > Log Settings and, in the Manage Logs section, click the links to clear logs by type.

Step 1  Select Device > Setup > Management and edit the Logging and Reporting Settings.

Step 2  Select Log Storage and enter a Quota (%) for each log type. When you change a percentage value, the dialog refreshes to display the corresponding absolute value (Quota GB/MB column).

Step 3  Enter the Max Days (expiration period) for each log type (range is 1-2,000). The fields are blank by default, which means the logs never expire.
        The firewall synchronizes expiration periods across high availability (HA) pairs. Because only the active HA peer generates logs, the passive peer has no logs to delete unless failover occurs and it starts generating logs.

Step 4  Click OK and Commit.

Schedule Log Exports to an SCP or FTP Server

You can schedule exports of Traffic, Threat, URL Filtering, Data Filtering, HIP Match, and WildFire Submission logs to a Secure Copy (SCP) server or File Transfer Protocol (FTP) server. Perform this task for each log type you want to export.

You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another firewall. Because the log database is too large for an export or import to be practical on the following platforms, they do not support these options: PA-7000 Series firewalls (all PAN-OS releases), Panorama virtual appliance running Panorama 6.0 or later releases, and Panorama M-Series appliances (all Panorama releases).

Step 1  Select Device > Scheduled Log Export and click Add.

Step 2  Enter a Name for the scheduled log export and Enable it.

Step 3  Select the Log Type to export.

Step 4  Select the daily Scheduled Export Start Time. The options are in 15-minute increments for a 24-hour clock (00:00-23:59).

Step 5  Select the Protocol to export the logs: SCP (secure) or FTP.

Step 6  Enter the Hostname or IP address of the server.

Step 7  Enter the Port number. By default, FTP uses port 21 and SCP uses port 22.

Step 8  Enter the Path or directory in which to save the exported logs.

Step 9  Enter the Username and, if necessary, the Password (and Confirm Password) to access the server.

Step 10  (FTP only) Select Enable FTP Passive Mode if you want to use FTP passive mode, in which the firewall initiates a data connection with the FTP server. By default, the firewall uses FTP active mode, in which the FTP server initiates a data connection with the firewall. Choose the mode based on what your FTP server supports and on your network requirements.

Step 11  (SCP only) Click Test SCP server connection. Before establishing a connection, the firewall must accept the host key for the SCP server.
         If you use a Panorama template to configure the log export schedule, you must perform this step after committing the template configuration to the firewalls. After the template commit, log in to each firewall, open the log export schedule, and click Test SCP server connection.

Step 12  Click OK and Commit.

Monitor Block List

There are two ways you can cause the firewall to place an IP address on the block list:
- Configure a Vulnerability Protection profile with a rule to Block IP connections and apply the profile to a Security policy, which you apply to a zone.
- Configure a DoS Protection policy rule with the Protect action and a Classified DoS Protection profile, which specifies a maximum rate of connections per second allowed. When incoming packets match the DoS Protection policy and exceed the Max Rate, and if you specified a Block Duration and a Classified policy rule to include source IP address, the firewall puts the offending source IP address on the block list.
In the cases described above, the firewall automatically blocks that traffic in hardware before those packets use CPU or packet buffer resources. If attack traffic exceeds the blocking capacity of the hardware, the firewall uses IP blocking mechanisms in software to block the traffic.
The firewall automatically creates a hardware block list entry based on your Vulnerability Protection profile or DoS Protection policy rule; the source address from the rule is the source IP address in the hardware block list.
Entries on the block list indicate in the Type column whether they were blocked by hardware (hw) or software (sw). The bottom of the screen displays:
- Count of Total Blocked IPs out of the number of blocked IP addresses the firewall supports.
- Percentage of the block list that the firewall has used.
To view details about an address on the block list, hover over a Source IP address and click the down arrow link. Click the WhoIs link, which displays the Network Solutions WhoIs feature, providing information about the address.
For information on configuring a Vulnerability Protection profile, see Customize the Action and Trigger Conditions for a Brute Force Signature. For more information on the block list and DoS Protection profiles, see DoS Protection Against Flooding of New Sessions.

View and Manage Reports

The reporting capabilities on the firewall allow you to keep a pulse on your network, validate your policies, and focus your efforts on maintaining network security for keeping your users safe and productive.
- Report Types
- View Reports
- Configure the Expiration Period and Run Time for Reports
- Disable Predefined Reports
- Custom Reports
- Generate Custom Reports
- Generate Botnet Reports
- Generate the SaaS Application Usage Report
- Manage PDF Summary Reports
- Generate User/Group Activity Reports
- Manage Report Groups
- Schedule Reports for Email Delivery

Report Types

The firewall includes predefined reports that you can use as is, or you can build custom reports that meet your needs for specific data and actionable tasks, or you can combine predefined and custom reports to compile the information you need. The firewall provides the following types of reports:
- Predefined Reports: Allow you to view a quick summary of the traffic on your network. A suite of predefined reports is available in four categories: Applications, Traffic, Threat, and URL Filtering. See View Reports.
- User or Group Activity Reports: Allow you to schedule or create an on-demand report on the application use and URL activity for a specific user or for a user group. The report includes the URL categories and an estimated browse time calculation for individual users. See Generate User/Group Activity Reports.
- Custom Reports: Create and schedule custom reports that show exactly the information you want to see by filtering on conditions and columns to include. You can also include query builders for more specific drill-down on report data. See Generate Custom Reports.
- PDF Summary Reports: Aggregate up to 18 predefined or custom reports/graphs from Threat, Application, Trend, Traffic, and URL Filtering categories into one PDF document. See Manage PDF Summary Reports.
- Botnet Reports: Allow you to use behavior-based mechanisms to identify potential botnet-infected hosts in the network. See Generate Botnet Reports.
- Report Groups: Combine custom and predefined reports into report groups and compile a single PDF that is emailed to one or more recipients. See Manage Report Groups.
Reports can be generated on demand or on a recurring schedule, and can be scheduled for email delivery.

View Reports

The firewall provides an assortment of over 40 predefined reports that it generates every day. You can view these reports directly on the firewall. You can also view custom reports and summary reports.
About 200 MB of storage is allocated for saving reports on the firewall. You can't configure this limit but you can Configure the Expiration Period and Run Time for Reports to allow the firewall to delete reports that exceed the period. Keep in mind that when the firewall reaches its storage limit, it automatically deletes older reports to create space even if you don't set an expiration period. Another way to conserve system resources on the firewall is to Disable Predefined Reports. For long-term retention of reports, you can export the reports (as described below) or Schedule Reports for Email Delivery.

Unlike other reports, you can't save User/Group Activity reports on the firewall. You must Generate User/Group Activity Reports on demand or schedule them for email delivery.

Step 1  Select Monitor > Reports.
        The reports are grouped into sections (types) on the right-hand side of the page: Custom Reports, Application Reports, Traffic Reports, Threat Reports, URL Filtering Reports, and PDF Summary Reports.

Step 2  Select a report to view. The reports page then displays the report for the previous day.
        To view reports for other days, select a date in the calendar at the bottom right of the page and select a report. If you select a report in another section, the date selection resets to the current date.

Step 3  To view a report offline, you can export the report to PDF, CSV or XML format. Click Export to PDF, Export to CSV, or Export to XML at the bottom of the page, then print or save the file.

Configure the Expiration Period and Run Time for Reports

The expiration period and run time are global settings that apply to all Report Types. After running new reports, the firewall automatically deletes reports that exceed the expiration period.

Step 1  Select Device > Setup > Management, edit the Logging and Reporting Settings, and select the Log Export and Reporting tab.

Step 2  Set the Report Runtime to an hour in the 24-hour clock schedule (default is 02:00; range is 00:00 [midnight] to 23:00).

Step 3  Enter the Report Expiration Period in days (default is no expiration; range is 1-2,000).
        You can't change the storage that the firewall allocates for saving reports: it is predefined at about 200 MB. When the firewall reaches the storage maximum, it automatically deletes older reports to create space even if you don't set a Report Expiration Period.

Step 4  Click OK and Commit.

Disable Predefined Reports

The firewall includes about 40 predefined reports that it automatically generates daily. If you do not use some or all of these, you can disable selected reports to conserve system resources on the firewall.
Make sure that no report group or PDF summary report includes the predefined reports you will disable. Otherwise, the firewall will render the PDF summary report or report group without any data.

Step 1  Select Device > Setup > Management and edit the Logging and Reporting Settings.

Step 2  Select the Pre-Defined Reports tab and clear the check box for each report you want to disable. To disable all predefined reports, click Deselect All.

Step 3  Click OK and Commit.

Custom Reports

In order to create purposeful custom reports, you must consider the attributes or key pieces of information that you want to retrieve and analyze. This consideration guides you in making the following selections in a custom report:

Selection  Description

Database  You can base the report on one of the following database types:
- Summary databases: These databases are available for Application Statistics, Traffic, Threat, URL Filtering, and Tunnel Inspection logs. The firewall aggregates the detailed logs at 15-minute intervals. To enable faster response time when generating reports, the firewall condenses the data: duplicate sessions are grouped and incremented with a repeat counter, and some attributes (columns) are excluded from the summary.
- Detailed logs: These databases itemize the logs and list all the attributes (columns) for each log entry.
  Reports based on detailed logs take much longer to run and are not recommended unless absolutely necessary.

Attributes  The columns that you want to use as the match criteria. The attributes are the columns that are available for selection in a report. From the list of Available Columns, you can add the selection criteria for matching data and for aggregating the details (the Selected Columns).

Sort By/Group By  The Sort By and the Group By criteria allow you to organize/segment the data in the report; the sorting and grouping attributes available vary based on the selected data source.
The Sort By option specifies the attribute that is used for aggregation. If you do not select an attribute to sort by, the report will return the first N number of results without any aggregation.
The Group By option allows you to select an attribute and use it as an anchor for grouping data; all the data in the report is then presented in a set of top 5, 10, 25 or 50 groups. For example, when you select Hour as the Group By selection and want the top 25 groups for a 24-hour time period, the results of the report will be generated on an hourly basis over a 24-hour period. The first column in the report will be the hour and the next set of columns will be the rest of your selected report columns.

The following example illustrates how the Selected Columns and Sort By/Group By criteria work together when generating reports:

The columns circled in red (above) depict the columns selected, which are the attributes that you match against for generating the report. Each log entry from the data source is parsed and these columns are matched on. If multiple sessions have the same values for the selected columns, the sessions are aggregated and the repeat count (or sessions) is incremented.
The column circled in blue indicates the chosen sort order. When the sort order (Sort By) is specified, the data is sorted (and aggregated) by the selected attribute.
The column circled in green indicates the Group By selection, which serves as an anchor for the report. The Group By column is used as a match criteria to filter for the top N groups. Then, for each of the top N groups, the report enumerates the values for all the other selected columns.

For example, if a report has the following selections:

The output will display as follows:

The report is anchored by Day and sorted by Sessions. It lists the 5 days (5 Groups) with maximum traffic in the Last 7 Days time frame. The data is enumerated by the Top 5 sessions for each day for the selected columns App Category, App Subcategory and Risk.

Time Frame  The date range for which you want to analyze data. You can define a custom range or select a time period ranging from the last 15 minutes to the last 30 days. The reports can be run on demand or scheduled to run at a daily or weekly cadence.

Query Builder  The query builder allows you to define specific queries to further refine the selected attributes. It allows you to see just what you want in your report using and and or operators and match criteria, and then include or exclude data that matches or negates the query in the report. Queries enable you to generate a more focused collation of information in a report.
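The Selected Columns, Sort By and Group By behaviour described in this table, as an added example that is a model written here, not the firewall's reporting engine: it condenses constructed detailed traffic rows into summary rows with a repeat count (the summary-database condensing described under Database), ranks the Group By anchor values by the Sort By measure to pick the top N groups, and lists the top rows inside each group, as in the Day/Sessions example above. The column names are assumptions.

```python
"""Model of how Selected Columns, Sort By and Group By interact in a custom report.

Added example, not the firewall's reporting engine. DETAILED_LOGS is constructed
sample data with a small subset of traffic-log attributes (names assumed)."""
from collections import defaultdict

# Constructed detailed traffic-log rows, one per session (not firewall output).
DETAILED_LOGS = (
    [{"day": "2017-03-27", "app_category": "general-internet", "app_subcategory": "internet-utility", "risk": 4, "bytes": 1000}] * 3
    + [{"day": "2017-03-27", "app_category": "networking", "app_subcategory": "infrastructure", "risk": 2, "bytes": 500}] * 2
    + [{"day": "2017-03-27", "app_category": "media", "app_subcategory": "video", "risk": 3, "bytes": 700}]
    + [{"day": "2017-03-28", "app_category": "general-internet", "app_subcategory": "internet-utility", "risk": 4, "bytes": 2000}] * 2
    + [{"day": "2017-03-28", "app_category": "collaboration", "app_subcategory": "email", "risk": 3, "bytes": 300}] * 2
    + [{"day": "2017-03-29", "app_category": "networking", "app_subcategory": "infrastructure", "risk": 2, "bytes": 50000}] * 2
)

SELECTED_COLUMNS = ["app_category", "app_subcategory", "risk"]


def summarize(rows, columns):
    """Condense rows the way the summary database does: rows with identical
    values in `columns` collapse into one row carrying a `sessions` repeat
    count; bytes are summed so they can still be sorted on."""
    agg = {}
    for r in rows:
        key = tuple(r[c] for c in columns)
        bucket = agg.setdefault(key, {"sessions": 0, "bytes": 0})
        bucket["sessions"] += 1
        bucket["bytes"] += r.get("bytes", 0)
    return [dict(zip(columns, key), **bucket) for key, bucket in agg.items()]


def custom_report(rows, columns, sort_by, group_by, n_groups, top_n):
    """Group By picks the top `n_groups` anchor values ranked by the Sort By
    measure ('sessions' or 'bytes'); within each group the rows are aggregated
    over `columns`, sorted by that measure and cut to `top_n`.
    Returns [(anchor value, [aggregated rows]), ...] best group first."""
    by_anchor = defaultdict(list)
    for r in rows:
        by_anchor[r[group_by]].append(r)

    def total(group_rows):
        return len(group_rows) if sort_by == "sessions" else sum(r[sort_by] for r in group_rows)

    # Rank anchors by the measure; ties broken by anchor value for a stable result.
    ranked = sorted(by_anchor, key=lambda a: (-total(by_anchor[a]), str(a)))[:n_groups]
    report = []
    for anchor in ranked:
        detail = summarize(by_anchor[anchor], columns)
        detail.sort(key=lambda r: (-r[sort_by], tuple(str(r[c]) for c in columns)))
        report.append((anchor, detail[:top_n]))
    return report


if __name__ == "__main__":
    for day, rows in custom_report(DETAILED_LOGS, SELECTED_COLUMNS, "sessions", "day", 2, 2):
        print(day)
        for row in rows:
            print("   ", row)
```

Changing only the Sort By measure from sessions to bytes changes which days make the top groups, which is the reason the guide warns that the sort attribute drives the aggregation and not just the row order.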

Generate Custom Reports

Step 1  Select Monitor > Manage Custom Reports.

Step 2  Click Add and then enter a Name for the report.
        To base a report on a predefined template, click Load Template and choose the template. You can then edit the template and save it as a custom report.

Step 3  Select the Database to use for the report.
        Each time you create a custom report, a log view report is automatically created. This report shows the logs that were used to build the custom report. The log view report uses the same name as the custom report, but appends the phrase (Log View) to the report name.
        When creating a report group, you can include the log view report with the custom report. For more information, see Manage Report Groups.

Step 4  Select the Scheduled check box to run the report each night. The report is then available for viewing in the Reports column on the side.

Step 5  Define the filtering criteria. Select the Time Frame, the Sort By order, Group By preference, and select the columns that must display in the report.

Step 6  (Optional) Select the Query Builder attributes if you want to further refine the selection criteria. To build a report query, specify the following and click Add. Repeat as needed to construct the full query.
        - Connector: Choose the connector (and/or) to precede the expression you are adding.
        - Negate: Select the check box to interpret the query as a negation. If, for example, you choose to match entries in the last 24 hours and/or are originating from the untrust zone, the negate option causes a match on entries that are not in the past 24 hours and/or are not from the untrust zone.
        - Attribute: Choose a data element. The available options depend on the choice of database.
        - Operator: Choose the criterion to determine whether the attribute applies (such as =). The available options depend on the choice of database.
        - Value: Specify the attribute value to match.
        For example, the following figure (based on the Traffic Log database) shows a query that matches if the Traffic log entry was received in the past 24 hours and is from the untrust zone.

Step 7  To test the report settings, select Run Now. Modify the settings as required to change the information that is displayed in the report.

Step 8  Click OK to save the custom report.

Examples of Custom Reports
Suppose you want to set up a simple report that uses the traffic summary database from the last 30 days, sorts the data by the top 10 sessions, and groups these sessions into 5 groups by day of the week. You would set up the custom report to look like this:

And the PDF output for the report would look as follows:

Now, if you want to use the query builder to generate a custom report that represents the top consumers of network resources within a user group, you would set up the report to look like this:

The report would display the top users in the product management user group sorted by bytes.

Generate Botnet Reports

The botnet report enables you to use heuristic and behavior-based mechanisms to identify potential malware- or botnet-infected hosts in your network. To evaluate botnet activity and infected hosts, the firewall correlates user and network activity data in Threat, URL, and Data Filtering logs with the list of malware URLs in PAN-DB, known dynamic DNS domain providers, and domains registered within the last 30 days. You can configure the report to identify hosts that visited those sites, as well as hosts that communicated with Internet Relay Chat (IRC) servers or that used unknown applications. Malware often uses dynamic DNS to avoid IP blacklisting, while IRC servers often use bots for automated functions.

The firewall requires Threat Prevention and URL Filtering licenses to use the botnet report.
You can Use the Automated Correlation Engine to monitor suspicious activities based on additional indicators besides those that the botnet report uses. However, the botnet report is the only tool that uses newly registered domains as an indicator.

- Configure a Botnet Report
- Interpret Botnet Report Output

Configure a Botnet Report

You can schedule a botnet report or run it on demand. The firewall generates scheduled botnet reports every 24 hours because behavior-based detection requires correlating traffic across multiple logs over that time frame.

Step 1  Define the types of traffic that indicate possible botnet activity.
        1. Select Monitor > Botnet and click Configuration on the right side of the page.
        2. Enable and define the Count for each type of HTTP Traffic that the report will include.
           The Count values represent the minimum number of events of each traffic type that must occur for the report to list the associated host with a higher confidence score (higher likelihood of botnet infection). If the number of events is less than the Count, the report will display a lower confidence score or (for certain traffic types) won't display an entry for the host. For example, if you set the Count to three for Malware URL visit, then hosts that visit three or more known malware URLs will have higher scores than hosts that visit less than three. For details, see Interpret Botnet Report Output.
        3. Define the thresholds that determine whether the report will include hosts associated with traffic involving Unknown TCP or Unknown UDP applications.
        4. Select the IRC check box to include traffic involving IRC servers.
        5. Click OK to save the report configuration.

Step 2  Schedule the report or run it on demand.
        1. Click Report Setting on the right side of the page.
        2. Select a time interval for the report in the Test Run Time Frame drop-down.
        3. Select the No. of Rows to include in the report.
        4. (Optional) Add queries to the Query Builder to filter the report output by attributes such as source/destination IP addresses, users, or zones.
           For example, if you know in advance that traffic initiated from the IP address 10.3.3.15 contains no potential botnet activity, add not (addr.src in 10.0.1.35) as a query to exclude that host from the report output. For details, see Interpret Botnet Report Output.
        5. Select Scheduled to run the report daily or click Run Now to run the report immediately.
        6. Click OK and Commit.

Interpret Botnet Report Output

The botnet report displays a line for each host that is associated with traffic you defined as suspicious when configuring the report. For each host, the report displays a confidence score of 1 to 5 to indicate the likelihood of botnet infection, where 5 indicates the highest likelihood. The scores correspond to threat severity levels: 1 is informational, 2 is low, 3 is medium, 4 is high, and 5 is critical. The firewall bases the scores on:
- Traffic type: Certain HTTP traffic types are more likely to involve botnet activity. For example, the report assigns a higher confidence to hosts that visit known malware URLs than to hosts that browse to IP domains instead of URLs, assuming you defined both those activities as suspicious.

- Number of events: Hosts that are associated with a higher number of suspicious events will have higher confidence scores based on the thresholds (Count values) you define when you Configure a Botnet Report.
- Executable downloads: The report assigns a higher confidence to hosts that download executable files. Executable files are a part of many infections and, when combined with the other types of suspicious traffic, can help you prioritize your investigations of compromised hosts.
When reviewing the report output, you might find that the sources the firewall uses to evaluate botnet activity (for example, the list of malware URLs in PAN-DB) have gaps. You might also find that these sources identify traffic that you consider safe. To compensate in both cases, you can add query filters when you Configure a Botnet Report.
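An illustrative model of the three scoring factors listed above, as an added example; this is not the firewall's actual algorithm. The per-type weights, the Count thresholds, the events and the mapping from accumulated points to the 1 to 5 score (and from there to the severity names the guide lists) are all constructed assumptions. The exclude parameter stands in for the not (addr.src in ...) query-builder filter from the configuration procedure.

```python
"""Illustrative botnet confidence scoring.

Added example; not the firewall's scoring algorithm. It models the three
factors the guide lists: traffic type, whether a host's event count reached
the configured Count threshold, and executable downloads. All weights,
thresholds and events below are constructed."""
from collections import Counter, defaultdict

# Assumed relative weight per suspicious traffic type (higher = stronger indicator).
TRAFFIC_WEIGHT = {
    "malware_url_visit": 3, "dynamic_dns": 2, "irc": 2, "recently_registered_domain": 2,
    "ip_domain_browse": 1, "unknown_tcp": 1, "unknown_udp": 1,
}
# Constructed Count thresholds, as an administrator would set them in the report configuration.
COUNT_THRESHOLD = {
    "malware_url_visit": 3, "dynamic_dns": 2, "irc": 1, "recently_registered_domain": 2,
    "ip_domain_browse": 5, "unknown_tcp": 10, "unknown_udp": 10,
}
# Score-to-severity mapping as stated in the guide.
SEVERITY = {1: "informational", 2: "low", 3: "medium", 4: "high", 5: "critical"}

# Constructed observations: (host, traffic type, executable download seen in that session)
EVENTS = (
    [("10.1.1.5", "malware_url_visit", False)] * 3 + [("10.1.1.5", "malware_url_visit", True)]
    + [("10.1.1.6", "malware_url_visit", False)] * 2 + [("10.1.1.6", "ip_domain_browse", False)] * 2
    + [("10.1.1.7", "unknown_tcp", False)]
    + [("10.1.1.8", "malware_url_visit", False)] * 3 + [("10.1.1.8", "dynamic_dns", False)] * 2
    + [("10.1.1.8", "irc", False)]
    + [("10.1.1.9", "ip_domain_browse", False)] * 5
)


def botnet_report(events, weights=TRAFFIC_WEIGHT, thresholds=COUNT_THRESHOLD, exclude=()):
    """Return one row per host, highest score first. A traffic type contributes
    its full weight once its count reaches the Count threshold and one point
    less below it; an executable download adds one point; hosts whose points
    stay at zero are left out (the guide's 'won't display an entry for the host')."""
    counts = defaultdict(Counter)
    downloaded_exe = set()
    for host, traffic_type, is_exe in events:
        if host in exclude:  # equivalent of a not (addr.src in ...) query filter
            continue
        counts[host][traffic_type] += 1
        if is_exe:
            downloaded_exe.add(host)
    rows = []
    for host, per_type in counts.items():
        points = 0
        for traffic_type, n in per_type.items():
            weight = weights[traffic_type]
            points += weight if n >= thresholds[traffic_type] else max(weight - 1, 0)
        if host in downloaded_exe:
            points += 1
        if points == 0:
            continue
        score = min(5, points)
        rows.append({"host": host, "score": score, "severity": SEVERITY[score],
                     "events": sum(per_type.values())})
    rows.sort(key=lambda r: (-r["score"], r["host"]))
    return rows


def rows_by_host(events, **kwargs):
    """Convenience view of botnet_report keyed by host."""
    return {r["host"]: r for r in botnet_report(events, **kwargs)}


if __name__ == "__main__":
    for row in botnet_report(EVENTS):
        print(row)
```

Two things the model makes visible: a host that only browses to IP domains below its Count never appears at all, and a host that combines several indicator types can reach the critical score without a single executable download, which is why the guide suggests using executable downloads to prioritize rather than to gate an investigation.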

Generate the SaaS Application Usage Report

The SaaS Application Usage PDF report is a two-part report that is based on the notion of sanctioned and unsanctioned applications. A sanctioned application is an application that you formally approve for use on your network; a SaaS application is an application that has the characteristic SaaS=yes in the application's details page in Objects > Applications, and all other applications are considered non-SaaS. To indicate that you have sanctioned a SaaS or non-SaaS application, you must tag it with the new predefined tag named Sanctioned. The firewall and Panorama consider any application without this predefined tag as unsanctioned for use on the network.
- The first part of the report (10 pages) focuses on the SaaS applications used on your network during the reporting period. It presents a comparison of sanctioned versus unsanctioned SaaS applications by total number of applications used on your network, bandwidth consumed by these applications, the number of users using these applications, top user groups that use the largest number of SaaS applications, and the top user groups that transfer the largest volume of data through sanctioned and unsanctioned SaaS applications. This first part of the report also highlights the top SaaS application subcategories listed in order by maximum number of applications used, the number of users, and the amount of data (bytes) transferred in each application subcategory.
- The second part of the report focuses on the detailed browsing information for SaaS and non-SaaS applications for each application subcategory listed in the first part of the report. For each application in a subcategory, it also includes information about the top users who transferred data, the top blocked or alerted file types, and the top threats for each application. In addition, this section of the report tallies samples for each application that the firewall submitted for WildFire analysis, and the number of samples determined to be benign and malicious.
Use the insights from this report to consolidate the list of business-critical and approved SaaS applications and to enforce policies for controlling unsanctioned applications that pose an unnecessary risk for malware propagation and data leaks.

The predefined SaaS application usage report introduced in PAN-OS 7.0 is still available as a daily report that lists the top 100 SaaS applications (with the SaaS application characteristic, SaaS=yes) running on your network on a given day.


Generate the SaaS Application Usage Report

Step 1  Tag applications that you approve for use on your network as Sanctioned.
        For generating an accurate and informative report, you need to tag the sanctioned applications consistently across firewalls with multiple virtual systems, and across firewalls that belong to a device group on Panorama. If the same application is tagged as sanctioned in one virtual system and is not sanctioned in another or, on Panorama, if an application is unsanctioned in a parent device group but is tagged as sanctioned in a child device group (or vice versa), the SaaS Application Usage report will report the application as partially sanctioned and will have overlapping results.
        Example: If Box is sanctioned on vsys1 and Google Drive is sanctioned on vsys2, Google Drive users in vsys1 will be counted as users of an unsanctioned SaaS application and Box users in vsys2 will be counted as users of an unsanctioned SaaS application. The key finding in the report will highlight that a total of two unique SaaS applications are discovered on the network with two sanctioned applications and two unsanctioned applications.
        1. Select Objects > Applications.
        2. Click the application Name to edit an application and select Edit in the Tag section.
        3. Select Sanctioned from the Tags drop-down.
           You must use the predefined Sanctioned tag (with the green colored background). If you use any other tag to indicate that you sanctioned an application, the firewall will fail to recognize the tag and the report will be inaccurate.
        4. Click OK and Close to exit all open dialogs.


Step 2  Configure the SaaS Application Usage report.
        1. Select Monitor > PDF Reports > SaaS Application Usage.
        2. Click Add, enter a Name, and select a Time Period for the report (default is Last 7 Days).
           By default, the report includes detailed information on the top SaaS and non-SaaS application subcategories, which can make the report large by page count and file size. Clear the Include detailed application category information in report check box if you want to reduce the file size and restrict the page count to 10 pages.
        3. Select whether you want the report to Include logs from:
           • All User Groups and Zones: The report includes data on all security zones and user groups available in the logs.
             If you want to include specific user groups in the report, select Include user group information in the report and click the manage groups link to select the groups you want to include. You must add between one and up to a maximum of 25 user groups, so that the firewall or Panorama can filter the logs for the selected user groups. If you do select the groups to include, the report will aggregate all user groups into one group called Others.
           • Selected Zone: The report filters data for the specified security zone, and includes data on that zone only.
             If you want to include specific user groups in the report, select Include user group information in the report and click the manage groups for selected zone link to select the user groups within this zone that you want to include in the report. You must add between one and up to a maximum of 25 user groups, so that the firewall or Panorama can filter the logs for the selected user groups within the security zone. If you do select the groups to include, the report will aggregate all user groups into one group called Others.
           • Selected User Group: The report filters data for the specified user group only, and includes SaaS application usage information for the selected user group only.


        4. Select whether you want to include all the application subcategories in the report (the default) or Limit the max subcategories in the report to the top 10, 15, 20 or 25 categories (default is all subcategories).
        5. Click Run Now to generate the report on demand for the last 7-day and the last 30-day time periods. Make sure that the pop-up blocker is disabled on your browser because the report opens in a new tab.
        6. Click OK to save your changes.

Step 3  Schedule Reports for Email Delivery.
        The last 90 days report must be scheduled for email delivery.
        On the PA-200, PA-220, and PA-500 firewalls, the SaaS Application Usage report is not sent as a PDF attachment in the email. Instead, the email includes a link that you must click to open the report in a web browser.

Manage PDF Summary Reports

PDF summary reports contain information compiled from existing reports, based on data for the top 5 in each category (instead of top 50). They also contain trend charts that are not available in other reports.


Generate PDF Summary Reports

Step 1  Set up a PDF Summary Report.
        1. Select Monitor > PDF Reports > Manage PDF Summary.
        2. Click Add and then enter a Name for the report.
        3. Use the drop-down for each report group and select one or more of the elements to design the PDF Summary Report. You can include a maximum of 18 report elements.
           • To remove an element from the report, click the x icon or clear the selection from the drop-down for the appropriate report group.
           • To rearrange the reports, drag and drop the element icons to another area of the report.
        4. Click OK to save the report.
        5. Commit the changes.

Step 2  View the report.
        To download and view the PDF Summary Report, see View Reports.


Generate User/Group Activity Reports

User/Group Activity reports summarize the web activity of individual users or user groups. Both reports include the same information except for the Browsing Summary by URL Category and Browse time calculations, which only the User Activity report includes.
You must configure User-ID on the firewall to access the list of users and user groups.

Generate User/Group Activity Reports

Step 1  Configure the browse times and number of logs for User/Group Activity reports.
        Required only if you want to change the default values.
        1. Select Device > Setup > Management, edit the Logging and Reporting Settings, and select the Log Export and Reporting tab.
        2. For the Max Rows in User Activity Report, enter the maximum number of rows that the detailed user activity report supports (range is 1-1048576, default is 5000). This determines the number of logs that the report analyzes.
        3. Enter the Average Browse Time in seconds that you estimate users should take to browse a web page (range is 0-300, default is 60). Any request made after the average browse time elapses is considered a new browsing activity. The calculation uses Container Pages (logged in the URL Filtering logs) as the basis and ignores any new web pages that are loaded between the time of the first request (start time) and the average browse time. For example, if you set the Average Browse Time to two minutes and a user opens a web page and views that page for five minutes, the browse time for that page will still be two minutes. This is done because the firewall can't determine how long a user views a given page. The average browse time calculation ignores sites categorized as web advertisements and content delivery networks.
        4. For the Page Load Threshold, enter the estimated time in seconds for page elements to load on the page (default is 20). Any requests that occur between the first page load and the page load threshold are assumed to be elements of the page. Any requests that occur outside of the page load threshold are assumed to be the user clicking a link within the page.
        5. Click OK to save your changes.


Step 2  Generate the User/Group Activity report.
        1. Select Monitor > PDF Reports > User Activity Report.
        2. Click Add and then enter a Name for the report.
        3. Create the report:
           • User Activity Report: Select User and enter the Username or IP address (IPv4 or IPv6) of the user.
           • Group Activity Report: Select Group and select the Group Name of the user group.
        4. Select the Time Period for the report.
        5. (Optional) Select the Include Detailed Browsing check box (default is cleared) to include detailed URL logs in the report. The detailed browsing information can include a large volume of logs (thousands of logs) for the selected user or user group and can make the report very large.
        6. To run the report on demand, click Run Now.
        7. To save the report configuration, click OK. You can't save the output of User/Group Activity reports on the firewall. To schedule the report for email delivery, see Schedule Reports for Email Delivery.

Manage Report Groups

Report groups allow you to create sets of reports that the system can compile and send as a single aggregate PDF report with an optional title page and all the constituent reports included.


Set up Report Groups

Step 1  Set up report groups.
        You must set up a Report Group to email report(s).
        1. Create an Email server profile.
        2. Define the Report Group. A report group can compile predefined reports, PDF Summary reports, custom reports, and Log View report into a single PDF.
           a. Select Monitor > Report Group.
           b. Click Add and then enter a Name for the report group.
           c. (Optional) Select Title Page and add a Title for the PDF output.
           d. Select reports from the left column and click Add to move each report to the report group on the right.
              The Log View report is a report type that is automatically created each time you create a custom report and uses the same name as the custom report. This report will show the logs that were used to build the contents of the custom report.
              To include the log view data, when creating a report group, add your custom report under the Custom Reports list and then add the log view report by selecting the matching report name from the Log View list. The report will include the custom report data and the log data that was used to create the custom report.
           e. Click OK to save the settings.
           f. To use the report group, see Schedule Reports for Email Delivery.

Schedule Reports for Email Delivery

Reports can be scheduled for daily delivery or delivered weekly on a specified day. Scheduled reports are executed starting at 2:00 AM, and email delivery starts after all scheduled reports have been generated.


Schedule Reports for Email Delivery

Step 1  Select Monitor > PDF Reports > Email Scheduler and click Add.

Step 2  Enter a Name to identify the schedule.

Step 3  Select the Report Group for email delivery. To set up a report group, see Manage Report Groups.

Step 4  For the Email Profile, select an Email server profile to use for delivering the reports, or click the Email Profile link to Create an Email server profile.

Step 5  Select the frequency at which to generate and send the report in Recurrence.

Step 6  The Override Email Addresses field allows you to send this report exclusively to the specified recipients. When you add recipients to the field, the firewall does not send the report to the recipients configured in the Email server profile. Use this option for those occasions when the report is for the attention of someone other than the administrators or recipients defined in the Email server profile.

Step 7  Click OK and Commit.


Use External Services for Monitoring

Using an external service to monitor the firewall enables you to receive alerts for important events, archive monitored information on systems with dedicated long-term storage, and integrate with third-party security monitoring tools. The following are some common scenarios for using external services:
• For immediate notification about important system events or threats, you can Monitor Statistics Using SNMP, Forward Traps to an SNMP Manager, or Configure Email Alerts.
• To send an HTTP-based API request directly to any third-party service that exposes an API to automate a workflow or an action. You can, for example, forward logs that match defined criteria to create an incident ticket on ServiceNow instead of relying on an external system to convert syslog messages or SNMP traps to an HTTP request. You can modify the URL, HTTP header, parameters, and the payload in the HTTP request to trigger an action based on the attributes in a firewall log. See Forward Logs to an HTTP(S) Destination.
• For long-term log storage and centralized firewall monitoring, you can Configure Syslog Monitoring to send log data to a syslog server. This enables integration with third-party security monitoring tools such as Splunk or ArcSight.
• For monitoring statistics on the IP traffic that traverses firewall interfaces, you can Configure NetFlow Exports to view the statistics in a NetFlow collector.
You can Configure Log Forwarding from the firewalls directly to external services or from the firewalls to Panorama and then configure Panorama to forward logs to the servers. Refer to Log Forwarding Options for the factors to consider when deciding where to forward logs.

You can't aggregate NetFlow records on Panorama; you must send them directly from the firewalls to a NetFlow collector.


Configure Log Forwarding

In an environment where you use multiple firewalls to control and analyze network traffic, any single firewall can display logs and reports only for the traffic it monitors. Because logging into multiple firewalls can make monitoring a cumbersome task, you can more efficiently achieve global visibility into network activity by forwarding the logs from all firewalls to Panorama or external services. If you Use External Services for Monitoring, the firewall automatically converts the logs to the necessary format: syslog messages, SNMP traps, email notifications, or an HTTP payload to send the log details to an HTTP(S) server. In cases where some teams in your organization can achieve greater efficiency by monitoring only the logs that are relevant to their operations, you can create forwarding filters based on any log attributes (such as threat type or source user). For example, a security operations analyst who investigates malware attacks might be interested only in Threat logs with the type attribute set to wildfire-virus.

You can forward logs from the firewalls directly to external services or from the firewalls to Panorama and then configure Panorama to forward logs to the servers. Refer to Log Forwarding Options for the factors to consider when deciding where to forward logs.
You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another firewall. Because the log database is too large for an export or import to be practical on the PA-7000 Series firewall, it does not support these options. You can also use the web interface on all platforms to View and Manage Reports, but only on a per log type basis, not for the entire log database.

Configure Log Forwarding

Step 1  Configure a server profile for each external service that will receive log information.
        You can use separate profiles to send different sets of logs, filtered by log attributes, to a different server. To increase availability, define multiple servers in a single profile.
        Configure one or more of the following server profiles:
        • Create an Email server profile.
        • Configure an SNMP Trap server profile. To enable the SNMP manager (trap server) to interpret firewall traps, you must load the Palo Alto Networks Supported MIBs into the SNMP manager and, if necessary, compile them. For details, refer to your SNMP management software documentation.
        • Configure a Syslog server profile. If the syslog server requires client authentication, you must also Create a certificate to secure syslog communication over SSL.
        • Configure an HTTP server profile (see Forward Logs to an HTTP(S) Destination).


Step 2  Create a Log Forwarding profile.
        The profile defines the destinations for Traffic, Threat, WildFire Submission, URL Filtering, Data Filtering, Tunnel and Authentication logs.
        1. Select Objects > Log Forwarding and Add a profile.
        2. Enter a Name to identify the profile.
           If you want the firewall to automatically assign the profile to new security rules and zones, enter default. If you don't want a default profile, or you want to override an existing default profile, enter a Name that will help you identify the profile when assigning it to security rules and zones.
           If no log forwarding profile named default exists, the profile selection is set to None by default in new security rules (Log Forwarding field) and new security zones (Log Setting field), although you can change the selection.
        3. Add one or more match list profiles.
           The profiles specify log query filters, forwarding destinations, and automatic actions such as tagging. For each match list profile:
           a. Enter a Name to identify the profile.
           b. Select the Log Type.
           c. In the Filter drop-down, select Filter Builder. Specify the following and then Add each query:
              • Connector logic (and/or)
              • Log Attribute
              • Operator to define inclusion or exclusion logic
              • Attribute Value for the query to match
           d. Select Panorama if you want to forward logs to Log Collectors or the Panorama management server.
           e. For each type of external service that you use for monitoring (SNMP, Email, Syslog, and HTTP), Add one or more server profiles.
        4. Click OK to save the Log Forwarding profile.

Step 3  Assign the Log Forwarding profile to policy rules and network zones.
        Security, Authentication, and DoS Protection rules support log forwarding. In this example, you assign the profile to a Security rule.
        Perform the following steps for each rule that you want to trigger log forwarding:
        1. Select Policies > Security and edit the rule.
        2. Select Actions and select the Log Forwarding profile you created.
        3. Set the Profile Type to Profiles or Group, and then select the security profiles or Group Profile required to trigger log generation and forwarding for:
           • Threat logs: Traffic must match any security profile assigned to the rule.
           • WildFire Submission logs: Traffic must match a WildFire Analysis profile assigned to the rule.
        4. For Traffic logs, select Log At Session Start and/or Log At Session End.
        5. Click OK to save the rule.


Step 4  Configure the destinations for System, Configuration, User-ID, HIP Match, and Correlation logs.
        Panorama generates Correlation logs based on the firewall logs it receives, rather than aggregating Correlation logs from firewalls.
        1. Select Device > Log Settings.
        2. For each log type that the firewall will forward, Add one or more match list profiles.

Step 5  (PA-7000 Series firewalls only) Configure a log card interface to perform log forwarding.
        1. Select Network > Interfaces > Ethernet and click Add Interface.
        2. Select the Slot and Interface Name.
        3. Set the Interface Type to Log Card.
        4. Enter the IP Address, Default Gateway, and (for IPv4 only) Netmask.
        5. Select Advanced and specify the Link Speed, Link Duplex, and Link State.
           These fields default to auto, which specifies that the firewall automatically determines the values based on the connection. However, the minimum recommended Link Speed for any connection is 1000 (Mbps).
        6. Click OK to save your changes.

Step 6  Commit and verify your changes.
        1. Commit your changes.
        2. Verify the log destinations you configured are receiving firewall logs:
           • Panorama: If the firewall forwards logs to a Panorama virtual appliance in Panorama mode or to an M-Series appliance, you must configure a Collector Group before Panorama will receive the logs. You can then verify log forwarding.
           • Email server: Verify that the specified recipients are receiving logs as email notifications.
           • Syslog server: Refer to your syslog server documentation to verify it's receiving logs as syslog messages.
           • SNMP manager: Use an SNMP Manager to Explore MIBs and Objects to verify it's receiving logs as SNMP traps.
           • HTTP server: Forward Logs to an HTTP(S) Destination.


Configure Email Alerts

You can configure email alerts for System, Config, HIP Match, Correlation, Threat, WildFire Submission, and Traffic logs.

Configure Email Alerts

Step 1  Create an Email server profile.
        You can use separate profiles to send email notifications for each log type to a different server. To increase availability, define multiple servers (up to four) in a single profile.
        1. Select Device > Server Profiles > Email.
        2. Click Add and then enter a Name for the profile.
        3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
        4. For each Simple Mail Transport Protocol (SMTP) server (email server), click Add and define the following information:
           • Name: Name to identify the SMTP server (1-31 characters). This field is just a label and doesn't have to be the hostname of an existing email server.
           • Email Display Name: The name to show in the From field of the email.
           • From: The email address from which the firewall sends emails.
           • To: The email address to which the firewall sends emails.
           • Additional Recipient: If you want to send emails to a second account, enter the address here. You can add only one additional recipient. For multiple recipients, add the email address of a distribution list.
           • Email Gateway: The IP address or hostname of the SMTP gateway to use for sending emails.
        5. (Optional) Select the Custom Log Format tab and customize the format of the email messages. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
        6. Click OK to save the Email server profile.

Step 2  Configure email alerts for Traffic, Threat, and WildFire Submission logs.
        1. Create a Log Forwarding profile.
           a. Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
           b. For each log type and each severity level or WildFire verdict, select the Email server profile and click OK.
        2. Assign the Log Forwarding profile to policy rules and network zones.

Step 3  Configure email alerts for System, Config, HIP Match, and Correlation logs.
        1. Select Device > Log Settings.
        2. For System and Correlation logs, click each Severity level, select the Email server profile, and click OK.
        3. For Config and HIP Match logs, edit the section, select the Email server profile, and click OK.
        4. Click Commit.


Use Syslog for Monitoring

Syslog is a standard log transport mechanism that enables the aggregation of log data from different network devices, such as routers, firewalls, and printers from different vendors, into a central repository for archiving, analysis, and reporting. Palo Alto Networks firewalls can forward every type of log they generate to an external syslog server. You can use TCP or SSL for reliable and secure log forwarding, or UDP for non-secure forwarding.
• Configure Syslog Monitoring
• Syslog Field Descriptions

Configure Syslog Monitoring

To Use Syslog for Monitoring a Palo Alto Networks firewall, create a Syslog server profile and assign it to the log settings for each log type. Optionally, you can configure the header format used in syslog messages and enable client authentication for syslog over SSL.

Configure Syslog Monitoring

Step 1  Configure a Syslog server profile.
        You can use separate profiles to send syslogs for each log type to a different server. To increase availability, define multiple servers (up to four) in a single profile.
        1. Select Device > Server Profiles > Syslog.
        2. Click Add and enter a Name for the profile.
        3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
        4. For each syslog server, click Add and enter the information that the firewall requires to connect to it:
           • Name: Unique name for the server profile.
           • Syslog Server: IP address or fully qualified domain name (FQDN) of the syslog server.
           • Transport: Select TCP, UDP, or SSL as the method of communication with the syslog server.
           • Port: The port number on which to send syslog messages (default is UDP on port 514); you must use the same port number on the firewall and the syslog server.
           • Format: Select the syslog message format to use: BSD (the default) or IETF. Traditionally, BSD format is over UDP and IETF format is over TCP or SSL.
           • Facility: Select a syslog standard value (default is LOG_USER) to calculate the priority (PRI) field in your syslog server implementation. Select the value that maps to how you use the PRI field to manage your syslog messages.
        5. (Optional) To customize the format of the syslog messages that the firewall sends, select the Custom Log Format tab. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
        6. Click OK to save the server profile.


Step 2  Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs.
        1. Create a Log Forwarding profile.
           a. Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
           b. For each log type and each severity level or WildFire verdict, select the Syslog server profile and click OK.
        2. Assign the Log Forwarding profile to policy rules and network zones.

Step 3  Configure syslog forwarding for System, Config, HIP Match, and Correlation logs.
        1. Select Device > Log Settings.
        2. For System and Correlation logs, click each Severity level, select the Syslog server profile, and click OK.
        3. For Config, HIP Match, and Correlation logs, edit the section, select the Syslog server profile, and click OK.

Step 4  (Optional) Configure the header format of syslog messages.
        The log data includes the unique identifier of the firewall that generated the log. Choosing the header format provides more flexibility in filtering and reporting on the log data for some Security Information and Event Management (SIEM) servers.
        This is a global setting and applies to all syslog server profiles configured on the firewall.
        1. Select Device > Setup > Management and edit the Logging and Reporting Settings.
        2. Select the Log Export and Reporting tab and select the Syslog HOSTNAME Format:
           • FQDN (default): Concatenates the hostname and domain name defined on the sending firewall.
           • hostname: Uses the hostname defined on the sending firewall.
           • ipv4-address: Uses the IPv4 address of the firewall interface used to send logs. By default, this is the MGT interface.
           • ipv6-address: Uses the IPv6 address of the firewall interface used to send logs. By default, this is the MGT interface.
           • none: Leaves the hostname field unconfigured on the firewall. There is no identifier for the firewall that sent the logs.
        3. Click OK to save your changes.

Step 5  Create a certificate to secure syslog communication over SSL.
        Required only if the syslog server uses client authentication. The syslog server uses the certificate to verify that the firewall is authorized to communicate with the syslog server.
        Ensure the following conditions are met:
        • The private key must be available on the sending firewall; the keys can't reside on a Hardware Security Module (HSM).
        • The subject and the issuer for the certificate must not be identical.
        • The syslog server and the sending firewall must have certificates that the same trusted certificate authority (CA) signed. Alternatively, you can generate a self-signed certificate on the firewall, export the certificate from the firewall, and import it into the syslog server.
        1. Select Device > Certificate Management > Certificates > Device Certificates and click Generate.
        2. Enter a Name for the certificate.
        3. In the Common Name field, enter the IP address of the firewall sending logs to the syslog server.
        4. In Signed by, select the trusted CA or the self-signed CA that the syslog server and the sending firewall both trust.
           The certificate can't be a Certificate Authority nor an External Authority (certificate signing request [CSR]).
        5. Click Generate. The firewall generates the certificate and key pair.
        6. Click the certificate Name to edit it, select the Certificate for Secure Syslog check box, and click OK.

Step 6  Commit your changes and review the logs on the syslog server.
        1. Click Commit.
        2. To review the logs, refer to the documentation of your syslog management software. You can also review the Syslog Field Descriptions.

Syslog Field Descriptions

The following topics list the standard fields of each log type that Palo Alto Networks firewalls can forward to an external server, as well as the severity levels, custom formats, and escape sequences. To facilitate parsing, the delimiter is a comma: each field is a comma-separated value (CSV) string. The FUTURE_USE tag applies to fields that the firewalls do not currently implement.

WildFire Submissions logs are a subtype of Threat log and use the same syslog format.

• Traffic Log Fields
• Threat Log Fields
• HIP Match Log Fields
• User-ID Log Fields
• Tunnel Inspection Log Fields
• Config Log Fields
• Authentication Log Fields


• System Log Fields
• Correlated Events Log Fields
• Custom Log/Event Format
• Escape Sequences

Traffic Log Fields

Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source, Source VM UUID, Destination VM UUID, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type
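As an added example (not code from this guide or from Palo Alto Networks), the Python below splits a Traffic syslog line in the field order above into named fields, decodes the Flags bitfield using the bit values listed in the field table, and evaluates a match-list filter of the kind the Filter Builder in Configure Log Forwarding produces (attribute, eq/neq operator, and/or connector). It assumes the default BSD syslog header and an unmodified (non-custom) log format; the sample line, hostnames, addresses and profile name are constructed.

```python
"""Parse a PAN-OS 8.0 Traffic syslog line into named fields, decode its Flags
bitfield, and evaluate a Log Forwarding match-list filter against the result.
Added example, not Palo Alto Networks code; assumes the default BSD syslog header."""
import csv
import re
from datetime import datetime

# Field order taken from the Traffic log "Format:" list (PAN-OS 8.0).
TRAFFIC_FIELDS = (
    "FUTURE_USE,Receive Time,Serial Number,Type,Threat/Content Type,FUTURE_USE,"
    "Generated Time,Source IP,Destination IP,NAT Source IP,NAT Destination IP,"
    "Rule Name,Source User,Destination User,Application,Virtual System,"
    "Source Zone,Destination Zone,Inbound Interface,Outbound Interface,"
    "Log Forwarding Profile,FUTURE_USE,Session ID,Repeat Count,Source Port,"
    "Destination Port,NAT Source Port,NAT Destination Port,Flags,Protocol,Action,"
    "Bytes,Bytes Sent,Bytes Received,Packets,Start Time,Elapsed Time,Category,"
    "FUTURE_USE,Sequence Number,Action Flags,Source Location,Destination Location,"
    "FUTURE_USE,Packets Sent,Packets Received,Session End Reason,"
    "Device Group Hierarchy Level 1,Device Group Hierarchy Level 2,"
    "Device Group Hierarchy Level 3,Device Group Hierarchy Level 4,"
    "Virtual System Name,Device Name,Action Source,Source VM UUID,"
    "Destination VM UUID,Tunnel ID/IMSI,Monitor Tag/IMEI,Parent Session ID,"
    "Parent Start Time,Tunnel Type"
).split(",")

# Flags bit values as documented in the Traffic log field table.
FLAG_BITS = {
    0x80000000: "pcap",                  # session has a packet capture
    0x02000000: "ipv6",
    0x01000000: "ssl-decrypted",         # SSL Proxy
    0x00800000: "url-filtering-denied",
    0x00400000: "nat",
    0x00200000: "captive-portal-user",
    0x00080000: "x-forwarded-for",       # XFF value is in the source user field
    0x00040000: "proxy-transaction",
    0x00008000: "container-page",
    0x00002000: "temporary-rule-match",  # implicit application dependency
    0x00000800: "symmetric-return",
}

# Default BSD header: optional <PRI>, "Mar 30 14:05:10", sending host, space.
_BSD_HEADER = re.compile(r"^(?:<\d{1,3}>)?[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s")
_TIME_FIELDS = ("Receive Time", "Generated Time", "Start Time")
_INT_FIELDS = ("Session ID", "Repeat Count", "Source Port", "Destination Port",
               "NAT Source Port", "NAT Destination Port", "Bytes", "Bytes Sent", "Bytes Received",
               "Packets", "Elapsed Time", "Sequence Number", "Packets Sent", "Packets Received")

def decode_flags(value):
    """Names of the set bits in a Flags value such as '0x81400000'; bits the
    guide does not document are kept as 'unknown-0x...' rather than lost."""
    flags = int(value, 16)
    names = [FLAG_BITS[bit] for bit in sorted(FLAG_BITS, reverse=True) if flags & bit]
    leftover = flags & ~sum(FLAG_BITS)
    if leftover:
        names.append(f"unknown-0x{leftover:08x}")
    return names

def parse_traffic_log(line):
    """Split one syslog line into a dict keyed by field name.  FUTURE_USE
    fields are dropped; timestamps and counters become native types."""
    body = _BSD_HEADER.sub("", line, count=1)
    values = next(csv.reader([body]))  # csv handles quoted rule names with commas
    if len(values) != len(TRAFFIC_FIELDS):
        raise ValueError(f"expected {len(TRAFFIC_FIELDS)} fields, got {len(values)}")
    record = {}
    for name, raw in zip(TRAFFIC_FIELDS, values):
        if name == "FUTURE_USE":
            continue
        if name in _TIME_FIELDS:
            record[name] = datetime.strptime(raw, "%Y/%m/%d %H:%M:%S")
        elif name in _INT_FIELDS:
            record[name] = int(raw)
        else:
            record[name] = raw
    record["Flag Names"] = decode_flags(record["Flags"])
    return record

def match_filter(record, clauses):
    """Evaluate a match-list filter as the Filter Builder composes it: each clause is
    (connector 'and'/'or' [ignored on the first], attribute, 'eq' or 'neq', value)."""
    result = None
    for connector, attribute, operator, value in clauses:
        hit = (str(record.get(attribute, "")) == value) == (operator == "eq")
        if result is None:
            result = hit
        else:
            result = (result and hit) if connector == "and" else (result or hit)
    return bool(result)

# Constructed sample, not a capture: allowed, NAT'd, decrypted HTTPS session with a PCAP.
SAMPLE_LINE = (
    "<14>Mar 30 14:05:10 fw01 1,2017/03/30 14:05:10,001901000999,TRAFFIC,end,1,"
    "2017/03/30 14:05:10,10.1.1.25,203.0.113.10,198.51.100.2,203.0.113.10,"
    "\"Allow Web, Outbound\",acme\\jdoe,,web-browsing,vsys1,trust,untrust,"
    "ethernet1/2,ethernet1/1,LF-SIEM,2017/03/30 14:05:10,68342,1,52114,443,21004,"
    "443,0x81400000,tcp,allow,18472,6210,12262,40,2017/03/30 14:04:58,12,"
    "computer-and-internet-info,0,15327041,0x0,10.0.0.0-10.255.255.255,"
    "United States,0,22,18,tcp-fin,0,0,0,0,,fw01,from-policy,,,0,,0,,N/A"
)
```

Calling parse_traffic_log(SAMPLE_LINE) returns the decoded record, whose "Flag Names" entry reads ["pcap", "ssl-decrypted", "nat"] for the constructed Flags value 0x81400000.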

Field Name                        Description

Receive Time                      Time the log was received at the management plane.

Serial Number (Serial #)          Serial number of the firewall that generated the log.

Type                              Specifies type of log; values are traffic, threat, config, system and hip-match.

Threat/Content Type               Subtype of traffic log; values are start, end, drop, and deny.
                                  • start: session started
                                  • end: session ended
                                  • drop: session dropped before the application is identified and there is no rule that allows the session.
                                  • deny: session dropped after the application is identified and there is a rule to block or no rule that allows the session.

Generated Time (Generate Time)    Time the log was generated on the dataplane.

Source Address                    Original session source IP address.

Destination Address               Original session destination IP address.

NAT Source IP                     If Source NAT performed, the post-NAT Source IP address.

NAT Destination IP                If Destination NAT performed, the post-NAT Destination IP address.

Rule Name (Rule)                  Name of the rule that the session matched.

Source User                       Username of the user who initiated the session.

Destination User                  Username of the user to which the session was destined.

Application                       Application associated with the session.

Virtual System                    Virtual System associated with the session.

Source Zone                       Zone the session was sourced from.


Destination Zone                  Zone the session was destined to.

Inbound Interface                 Interface that the session was sourced from.

Outbound Interface                Interface that the session was destined to.

Log Action                        Log Forwarding Profile that was applied to the session.

Session ID                        An internal numerical identifier applied to each session.

Repeat Count                      Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only.

Source Port                       Source port utilized by the session.

Destination Port                  Destination port utilized by the session.

NAT Source Port                   Post-NAT source port.

NAT Destination Port              Post-NAT destination port.

Flags                             32-bit field that provides details on session; this field can be decoded by ANDing the values with the logged value:
                                  • 0x80000000: session has a packet capture (PCAP)
                                  • 0x02000000: IPv6 session
                                  • 0x01000000: SSL session was decrypted (SSL Proxy)
                                  • 0x00800000: session was denied via URL filtering
                                  • 0x00400000: session has a NAT translation performed (NAT)
                                  • 0x00200000: user information for the session was captured through Captive Portal
                                  • 0x00080000: X-Forwarded-For value from a proxy is in the source user field
                                  • 0x00040000: log corresponds to a transaction within a http proxy session (Proxy Transaction)
                                  • 0x00008000: session is a container page access (Container Page)
                                  • 0x00002000: session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above.
                                  • 0x00000800: symmetric return was used to forward traffic for this session

IP Protocol                       IP protocol associated with the session.

Action                            Action taken for the session; possible values are:
                                  • allow: session was allowed by policy
                                  • deny: session was denied by policy
                                  • drop: session was dropped silently
                                  • drop ICMP: session was silently dropped with an ICMP unreachable message to the host or application
                                  • reset both: session was terminated and a TCP reset is sent to both the sides of the connection
                                  • reset client: session was terminated and a TCP reset is sent to the client
                                  • reset server: session was terminated and a TCP reset is sent to the server

Bytes                             Number of total bytes (transmit and receive) for the session.


Bytes Sent
    Number of bytes in the client-to-server direction of the session.
    Available on all models except the PA-4000 Series.

Bytes Received
    Number of bytes in the server-to-client direction of the session.
    Available on all models except the PA-4000 Series.

Packets
    Number of total packets (transmit and receive) for the session.

Start Time
    Time of session start.

Elapsed Time (sec)
    Elapsed time of the session.

Category
    URL category associated with the session (if applicable).

Sequence Number
    A 64-bit log entry identifier incremented sequentially; each log type has a
    unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags
    A bit field indicating if the log was forwarded to Panorama.

Source Country
    Source country or Internal region for private addresses; maximum length is
    32 bytes.

Destination Country
    Destination country or Internal region for private addresses. Maximum length
    is 32 bytes.

Packets Sent (pkts_sent)
    Number of client-to-server packets for the session.
    Available on all models except the PA-4000 Series.

Packets Received (pkts_received)
    Number of server-to-client packets for the session.
    Available on all models except the PA-4000 Series.

Session End Reason (session_end_reason)
    The reason a session terminated. If the termination had multiple causes, this
    field displays only the highest priority reason. The possible session end
    reason values are as follows, in order of priority (where the first is
    highest):
    - threat: The firewall detected a threat associated with a reset, drop, or
      block (IP address) action.
    - policy-deny: The session matched a security rule with a deny or drop
      action.
    - decrypt-cert-validation: The session terminated because you configured the
      firewall to block SSL forward proxy decryption or SSL inbound inspection
      when the session uses client authentication or when the session uses a
      server certificate with any of the following conditions: expired, untrusted
      issuer, unknown status, or status verification timeout. This session end
      reason also displays when the server certificate produces a fatal error
      alert of type bad_certificate, unsupported_certificate,
      certificate_revoked, access_denied, or no_certificate_RESERVED (SSLv3
      only).
    - decrypt-unsupport-param: The session terminated because you configured the
      firewall to block SSL forward proxy decryption or SSL inbound inspection
      when the session uses an unsupported protocol version, cipher, or SSH
      algorithm. This session end reason is displayed when the session produces
      a fatal error alert of type unsupported_extension, unexpected_message, or
      handshake_failure.
    - decrypt-error: The session terminated because you configured the firewall
      to block SSL forward proxy decryption or SSL inbound inspection when
      firewall resources or the hardware security module (HSM) were unavailable.
      This session end reason is also displayed when you configured the firewall
      to block SSL traffic that has SSH errors or that produced any fatal error
      alert other than those listed for the decrypt-cert-validation and
      decrypt-unsupport-param end reasons.
    - tcp-rst-from-client: The client sent a TCP reset to the server.
    - tcp-rst-from-server: The server sent a TCP reset to the client.
    - resources-unavailable: The session dropped because of a system resource
      limitation. For example, the session could have exceeded the number of
      out-of-order packets allowed per flow or the global out-of-order packet
      queue.
    - tcp-fin: One host or both hosts in the connection sent a TCP FIN message
      to close the session.
    - tcp-reuse: A session is reused and the firewall closes the previous
      session.
    - decoder: The decoder detects a new connection within the protocol (such
      as HTTP-Proxy) and ends the previous connection.
    - aged-out: The session aged out.
    - unknown: This value applies in the following situations:
      - Session terminations that the preceding reasons do not cover (for
        example, a clear session all command).
      - For logs generated in a PAN-OS release that does not support the
        session end reason field (releases older than PAN-OS 6.1), the value
        will be unknown after an upgrade to the current PAN-OS release or after
        the logs are loaded onto the firewall.
      - In Panorama, logs received from firewalls for which the PAN-OS version
        does not support session end reasons will have a value of unknown.
    - n/a: This value applies when the traffic log type is not end.


Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4)
    A sequence of identification numbers that indicate the device group's
    location within a device group hierarchy. The firewall (or virtual system)
    generating the log includes the identification number of each ancestor in
    its device group hierarchy. The shared device group (level 0) is not
    included in this structure.
    If the log values are 12, 34, 45, 0, it means that the log was generated by
    a firewall (or virtual system) that belongs to device group 45, and its
    ancestors are 34 and 12. To view the device group names that correspond to
    the value 12, 34 or 45, use one of the following methods:
    - CLI command in configure mode: show readonly dg-meta-data
    - API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name
    The name of the virtual system associated with the session; only valid on
    firewalls enabled for multiple virtual systems.

Device Name
    The hostname of the firewall on which the session was logged.

Action Source (action_source)
    Specifies whether the action taken to allow or block an application was
    defined in the application or in policy. The actions can be allow, deny,
    drop, reset server, reset client or reset both for the session.

Source VM UUID
    Identifies the source universal unique identifier for a guest virtual
    machine in the VMware NSX environment.

Destination VM UUID
    Identifies the destination universal unique identifier for a guest virtual
    machine in the VMware NSX environment.

Tunnel ID/IMSI
    ID of the tunnel being inspected or the International Mobile Subscriber
    Identity (IMSI) ID of the mobile user.

Monitor Tag/IMEI
    Monitor name you configured for the Tunnel Inspection policy rule or the
    International Mobile Equipment Identity (IMEI) ID of the mobile device.

Parent Session ID
    ID of the session in which this session is tunneled. Applies to inner tunnel
    (if two levels of tunneling) or inside content (if one level of tunneling)
    only.

Parent Start Time (parent_start_time)
    Year/month/day hours:minutes:seconds that the parent tunnel session began.

Tunnel Type (Tunnel)
    Type of tunnel, such as GRE or IPSec.

Threat Log Fields

Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type,
FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT
Destination IP, Rule Name, Source User, Destination User, Application, Virtual
System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log
Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination
Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action,
Miscellaneous, Threat ID, Category, Severity, Direction, Sequence Number, Action
Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_ID,
File Digest, Cloud, URL Index, User Agent, File Type, X-Forwarded-For, Referer,
Sender, Subject, Recipient, Report ID, Device Group Hierarchy Level 1, Device
Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy
Level 4, Virtual System Name, Device Name, FUTURE_USE, Source VM UUID, Destination
VM UUID, HTTP Method, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent
Start Time, Tunnel Type, Threat Category, Content Version, FUTURE_USE


Field Name    Description

Receive Time
    Time the log was received at the management plane.

Serial Number (serial #)
    Serial number of the firewall that generated the log.

Type
    Specifies type of log; values are traffic, threat, config, system and
    hip-match.

Threat/Content Type
    Subtype of threat log. Values include the following:
    - data: Data pattern matching a Data Filtering profile.
    - file: File type matching a File Blocking profile.
    - flood: Flood detected via a Zone Protection profile.
    - packet: Packet-based attack protection triggered by a Zone Protection
      profile.
    - scan: Scan detected via a Zone Protection profile.
    - spyware: Spyware detected via an Anti-Spyware profile.
    - url: URL filtering log.
    - virus: Virus detected via an Antivirus profile.
    - vulnerability: Vulnerability exploit detected via a Vulnerability
      Protection profile.
    - wildfire: A WildFire verdict generated when the firewall submits a file to
      WildFire per a WildFire Analysis profile and a verdict (malicious,
      phishing, grayware, or benign, depending on what you are logging) is
      logged in the WildFire Submissions log.
    - wildfire-virus: Virus detected via an Antivirus profile.

Generated Time (Generate Time)
    Time the log was generated on the dataplane.

Source Address
    Original session source IP address.

Destination Address
    Original session destination IP address.

NAT Source IP
    If source NAT performed, the post-NAT source IP address.

NAT Destination IP
    If destination NAT performed, the post-NAT destination IP address.

Rule Name (rule)
    Name of the rule that the session matched.

Source User
    Username of the user who initiated the session.

Destination User
    Username of the user to which the session was destined.

Application
    Application associated with the session.

Virtual System
    Virtual System associated with the session.

Source Zone
    Zone the session was sourced from.

Destination Zone
    Zone the session was destined to.

Inbound Interface
    Interface that the session was sourced from.

Outbound Interface
    Interface that the session was destined to.

Log Action
    Log Forwarding Profile that was applied to the session.

Session ID
    An internal numerical identifier applied to each session.

Repeat Count
    Number of sessions with same Source IP, Destination IP, Application, and
    Content/Threat Type seen within 5 seconds; used for ICMP only.


Source Port
    Source port utilized by the session.

Destination Port
    Destination port utilized by the session.

NAT Source Port
    Post-NAT source port.

NAT Destination Port
    Post-NAT destination port.

Flags
    32-bit field that provides details on the session; this field can be decoded
    by ANDing the values with the logged value:
    - 0x80000000: session has a packet capture (PCAP)
    - 0x02000000: IPv6 session
    - 0x01000000: SSL session was decrypted (SSL Proxy)
    - 0x00800000: session was denied via URL filtering
    - 0x00400000: session has a NAT translation performed (NAT)
    - 0x00200000: user information for the session was captured through
      Captive Portal
    - 0x00080000: X-Forwarded-For value from a proxy is in the source user field
    - 0x00040000: log corresponds to a transaction within an HTTP proxy session
      (Proxy Transaction)
    - 0x00008000: session is a container page access (Container Page)
    - 0x00002000: session has a temporary match on a rule for implicit
      application dependency handling. Available in PAN-OS 5.0.0 and above.
    - 0x00000800: symmetric return was used to forward traffic for this session

IP Protocol
    IP protocol associated with the session.

Action
    Action taken for the session; values are alert, allow, deny, drop,
    drop-all-packets, reset-client, reset-server, reset-both, block-url.
    - Alert: threat or URL detected but not blocked
    - Allow: flood detection alert
    - Deny: flood detection mechanism activated and deny traffic based on
      configuration
    - Drop: threat detected and associated session was dropped
    - Drop all packets: threat detected and session remains, but drops all
      packets
    - Reset client: threat detected and a TCP RST is sent to the client
    - Reset server: threat detected and a TCP RST is sent to the server
    - Reset both: threat detected and a TCP RST is sent to both the client and
      the server
    - Block url: URL request was blocked because it matched a URL category that
      was set to be blocked

URL/Filename
    Field with variable length with a maximum of 1023 characters:
    - The actual URI when the subtype is URL
    - File name or file type when the subtype is file
    - File name when the subtype is virus
    - File name when the subtype is WildFire


Threat/Content Name
    Palo Alto Networks identifier for the threat. It is a description string
    followed by a 64-bit numerical identifier in parentheses for some Subtypes:
    - 8000-8099: scan detection
    - 8500-8599: flood detection
    - 9999: URL filtering log
    - 10000-19999: spyware phone-home detection
    - 20000-29999: spyware download detection
    - 30000-44999: vulnerability exploit detection
    - 52000-52999: file type detection
    - 60000-69999: data filtering detection
    - 100000-2999999: virus detection
    - 3000000-3999999: WildFire signature feed
    - 4000000-4999999: DNS Botnet signatures

Category
    For URL Subtype, it is the URL Category; for WildFire subtype, it is the
    verdict on the file and is either malicious, phishing, grayware, or benign;
    for other subtypes, the value is any.

Severity
    Severity associated with the threat; values are informational, low, medium,
    high, critical.

Direction
    Indicates the direction of the attack, client-to-server or server-to-client:
    - 0: direction of the threat is client to server
    - 1: direction of the threat is server to client

Sequence Number
    A 64-bit log entry identifier incremented sequentially. Each log type has a
    unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags
    A bit field indicating if the log was forwarded to Panorama.

Source Country
    Source country or Internal region for private addresses. Maximum length is
    32 bytes.

Destination Country
    Destination country or Internal region for private addresses. Maximum length
    is 32 bytes.

Content Type (contenttype)
    Applicable only when Subtype is URL.
    Content type of the HTTP response data. Maximum length 32 bytes.

PCAP ID (pcap_id)
    The packet capture (pcap) ID is a 64-bit unsigned integral denoting an ID to
    correlate threat pcap files with extended pcaps taken as a part of that flow.
    All threat logs will contain either a pcap_id of 0 (no associated pcap), or
    an ID referencing the extended pcap file.

File Digest (filedigest)
    Only for WildFire subtype; all other types do not use this field.
    The file digest string shows the binary hash of the file sent to be analyzed
    by the WildFire service.

Cloud (cloud)
    Only for WildFire subtype; all other types do not use this field.
    The cloud string displays the FQDN of either the WildFire appliance (private)
    or the WildFire cloud (public) from where the file was uploaded for analysis.


URL Index (url_idx)
    Used in URL Filtering and WildFire subtypes.
    When an application uses TCP keepalives to keep a connection open for a
    length of time, all the log entries for that session have a single session
    ID. In such cases, when you have a single threat log (and session ID) that
    includes multiple URL entries, the url_idx is a counter that allows you to
    correlate the order of each log entry within the single session.
    For example, to learn the URL of a file that the firewall forwarded to
    WildFire for analysis, locate the session ID and the url_idx from the
    WildFire Submissions log and search for the same session ID and url_idx in
    your URL filtering logs. The log entry that matches the session ID and
    url_idx will contain the URL of the file that was forwarded to WildFire.

User Agent (user_agent)
    Only for the URL Filtering subtype; all other types do not use this field.
    The User Agent field specifies the web browser that the user used to access
    the URL, for example Internet Explorer. This information is sent in the HTTP
    request to the server.

File Type (filetype)
    Only for WildFire subtype; all other types do not use this field.
    Specifies the type of file that the firewall forwarded for WildFire analysis.

X-Forwarded-For (xff)
    Only for the URL Filtering subtype; all other types do not use this field.
    The X-Forwarded-For field in the HTTP header contains the IP address of the
    user who requested the web page. It allows you to identify the IP address of
    the user, which is useful particularly if you have a proxy server on your
    network that replaces the user IP address with its own address in the source
    IP address field of the packet header.

Referer (referer)
    Only for the URL Filtering subtype; all other types do not use this field.
    The Referer field in the HTTP header contains the URL of the web page that
    linked the user to another web page; it is the source that redirected
    (referred) the user to the web page that is being requested.

Sender (sender)
    Only for WildFire subtype; all other types do not use this field.
    Specifies the name of the sender of an email that WildFire determined to be
    malicious when analyzing an email link forwarded by the firewall.

Subject (subject)
    Only for WildFire subtype; all other types do not use this field.
    Specifies the subject of an email that WildFire determined to be malicious
    when analyzing an email link forwarded by the firewall.

Recipient (recipient)
    Only for WildFire subtype; all other types do not use this field.
    Specifies the name of the receiver of an email that WildFire determined to
    be malicious when analyzing an email link forwarded by the firewall.

Report ID (reportid)
    Only for WildFire subtype; all other types do not use this field.
    Identifies the analysis request on the WildFire cloud or the WildFire
    appliance.


Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4)
    A sequence of identification numbers that indicate the device group's
    location within a device group hierarchy. The firewall (or virtual system)
    generating the log includes the identification number of each ancestor in
    its device group hierarchy. The shared device group (level 0) is not
    included in this structure.
    If the log values are 12, 34, 45, 0, it means that the log was generated by
    a firewall (or virtual system) that belongs to device group 45, and its
    ancestors are 34 and 12. To view the device group names that correspond to
    the value 12, 34 or 45, use one of the following methods:
    - CLI command in configure mode: show readonly dg-meta-data
    - API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name (vsys_name)
    The name of the virtual system associated with the session; only valid on
    firewalls enabled for multiple virtual systems.

Device Name (device_name)
    The hostname of the firewall on which the session was logged.

Source VM UUID
    Identifies the source universal unique identifier for a guest virtual
    machine in the VMware NSX environment.

Destination VM UUID
    Identifies the destination universal unique identifier for a guest virtual
    machine in the VMware NSX environment.

HTTP Method
    Only in URL filtering logs. Describes the HTTP Method used in the web
    request. Only the following methods are logged: Connect, Delete, Get, Head,
    Options, Post, Put.

Tunnel ID/IMSI
    ID of the tunnel being inspected or the International Mobile Subscriber
    Identity (IMSI) ID of the mobile user.

Monitor Tag/IMEI
    The user-defined value that groups similar traffic together for logging and
    reporting. This value is globally defined.

Parent Session ID
    ID of the session in which this session is tunneled. Applies to inner tunnel
    (if two levels of tunneling) or inside content (if one level of tunneling)
    only.

Parent Start Time (parent_start_time)
    Year/month/day hours:minutes:seconds that the parent tunnel session began.

Tunnel Type (Tunnel)
    Type of tunnel, such as GRE or IPSec.

Threat Category (thr_category)
    Describes threat categories used to classify different types of threat
    signatures.

Content Version (contentver)
    Applications and Threats version on your firewall when the log was
    generated.
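
The following Python is an added example, not code from the PAN-OS guide or from Palo Alto Networks: it maps a threat log CSV body onto the Threat Log Fields order above, decodes the Flags bit field and the Device Group Hierarchy values (both documented identically in the Traffic Log Fields table), and classifies the numeric identifier in Threat/Content Name by the ID ranges listed. The sample record, its serial number, hostnames, zones, rule name and signature name are constructed; the input is assumed to be the CSV body with the syslog header already removed.

```python
import csv
import io
import re

# Threat log CSV field order, from the "Threat Log Fields" format list above (72).
THREAT_LOG_FIELDS = [
    "FUTURE_USE", "Receive Time", "Serial Number", "Type", "Threat/Content Type",
    "FUTURE_USE", "Generated Time", "Source IP", "Destination IP", "NAT Source IP",
    "NAT Destination IP", "Rule Name", "Source User", "Destination User", "Application",
    "Virtual System", "Source Zone", "Destination Zone", "Inbound Interface",
    "Outbound Interface", "Log Forwarding Profile", "FUTURE_USE", "Session ID",
    "Repeat Count", "Source Port", "Destination Port", "NAT Source Port",
    "NAT Destination Port", "Flags", "Protocol", "Action", "Miscellaneous", "Threat ID",
    "Category", "Severity", "Direction", "Sequence Number", "Action Flags",
    "Source Location", "Destination Location", "FUTURE_USE", "Content Type", "PCAP_ID",
    "File Digest", "Cloud", "URL Index", "User Agent", "File Type", "X-Forwarded-For",
    "Referer", "Sender", "Subject", "Recipient", "Report ID",
    "Device Group Hierarchy Level 1", "Device Group Hierarchy Level 2",
    "Device Group Hierarchy Level 3", "Device Group Hierarchy Level 4",
    "Virtual System Name", "Device Name", "FUTURE_USE", "Source VM UUID",
    "Destination VM UUID", "HTTP Method", "Tunnel ID/IMSI", "Monitor Tag/IMEI",
    "Parent Session ID", "Parent Start Time", "Tunnel Type", "Threat Category",
    "Content Version", "FUTURE_USE",
]

# Bit masks of the 32-bit Flags field (traffic, threat and tunnel logs alike).
FLAG_BITS = {
    0x80000000: "pcap", 0x02000000: "ipv6", 0x01000000: "ssl-decrypted",
    0x00800000: "url-denied", 0x00400000: "nat", 0x00200000: "captive-portal",
    0x00080000: "x-forwarded-for", 0x00040000: "proxy-transaction",
    0x00008000: "container-page", 0x00002000: "temporary-rule-match",
    0x00000800: "symmetric-return",
}

# Numeric ID ranges of the Threat/Content Name field, as listed above.
THREAT_ID_RANGES = [
    (8000, 8099, "scan"), (8500, 8599, "flood"), (9999, 9999, "url"),
    (10000, 19999, "spyware phone-home"), (20000, 29999, "spyware download"),
    (30000, 44999, "vulnerability"), (52000, 52999, "file type"),
    (60000, 69999, "data filtering"), (100000, 2999999, "virus"),
    (3000000, 3999999, "wildfire signature"), (4000000, 4999999, "dns botnet"),
]
DIRECTION = {"0": "client-to-server", "1": "server-to-client"}

# Constructed sample record (not from any real firewall): 72 values in the
# order above, with the syslog header already stripped.
SAMPLE_THREAT_LOG = (
    "1,2017/03/30 10:15:02,001901000001,THREAT,vulnerability,2049,"           # 1-6
    "2017/03/30 10:15:02,10.1.1.25,203.0.113.10,198.51.100.4,203.0.113.10,"   # 7-11
    "allow-web,corp\\alice,,web-browsing,vsys1,trust,untrust,"                # 12-18
    "ethernet1/2,ethernet1/1,fwd-to-siem,2017/03/30 10:15:02,54321,1,"        # 19-24
    "51234,80,18001,80,0x80400000,tcp,reset-both,"                            # 25-31
    '"203.0.113.10/cgi-bin/test.cgi","Constructed Exploit Signature(31001)",' # 32-33
    "any,high,0,1000000123,0x0,10.0.0.0-10.255.255.255,US,0,,0,,,0,,,,,,,,0," # 34-54
    "12,34,45,0,vsys1,fw-edge-01,,,,,0,,0,,N/A,,0,"                           # 55-72
)

def parse_threat_log(csv_body):
    """Map one CSV body onto field names; quoted fields may contain commas,
    so the csv module is used. FUTURE_USE placeholders are dropped."""
    values = next(csv.reader(io.StringIO(csv_body)))
    if len(values) != len(THREAT_LOG_FIELDS):
        raise ValueError(f"expected {len(THREAT_LOG_FIELDS)} fields, got {len(values)}")
    return {name: value for name, value in zip(THREAT_LOG_FIELDS, values)
            if name != "FUTURE_USE"}

def decode_flags(flags_field):
    """Names of the bits set in the hex Flags value, highest bit first."""
    value = int(flags_field, 16)
    return [name for bit, name in sorted(FLAG_BITS.items(), reverse=True)
            if value & bit]

def classify_threat_id(threat_id_field):
    """Pull the numeric ID out of 'Description(12345)' and name its range."""
    match = re.search(r"\((\d+)\)\s*$", threat_id_field)
    if not match:
        return None, "no numeric identifier"
    threat_id = int(match.group(1))
    for low, high, family in THREAT_ID_RANGES:
        if low <= threat_id <= high:
            return threat_id, family
    return threat_id, "unlisted range"

def device_group_path(record):
    """Device group IDs from topmost ancestor to own group, 0 padding dropped."""
    levels = [int(record[f"Device Group Hierarchy Level {i}"]) for i in range(1, 5)]
    return [dg for dg in levels if dg != 0]

def summarize(csv_body):
    """Decode the fields an analyst triages first into a plain dict."""
    rec = parse_threat_log(csv_body)
    threat_id, family = classify_threat_id(rec["Threat ID"])
    path = device_group_path(rec)
    return {
        "subtype": rec["Threat/Content Type"], "action": rec["Action"], "severity": rec["Severity"],
        "direction": DIRECTION.get(rec["Direction"], rec["Direction"]),
        "flags": decode_flags(rec["Flags"]),
        "threat_id": threat_id, "signature_family": family,
        "device_group": path[-1] if path else None, "ancestor_groups": path[:-1],
    }
```

A record with the wrong field count is rejected rather than silently mis-aligned, which is the usual failure when a content update or a custom log format changes the column layout.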

HIP Match Log Fields

Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type,
FUTURE_USE, Generated Time, Source User, Virtual System, Machine name, OS, Source
Address, HIP, Repeat Count, HIP Type, FUTURE_USE, FUTURE_USE, Sequence Number,
Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2,
Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System
Name, Device Name, Virtual System ID, IPv6 Source Address


Field Name    Description

Receive Time
    Time the log was received at the management plane.

Serial Number (Serial #)
    Serial number of the firewall that generated the log.

Type
    Type of log; values are traffic, threat, config, system and hip-match.

Threat/Content Type
    Subtype of HIP match log; unused.

Generated Time (Generate Time)
    Time the log was generated on the dataplane.

Source User
    Username of the user who initiated the session.

Virtual System
    Virtual System associated with the HIP match log.

Machine Name (machinename)
    Name of the user's machine.

OS
    The operating system installed on the user's machine or device (or on the
    client system).

Source Address
    IP address of the source user.

HIP (matchname)
    Name of the HIP object or profile.

Repeat Count
    Number of times the HIP profile matched.

HIP Type (matchtype)
    Whether the hip field represents a HIP object or a HIP profile.

Sequence Number
    A 64-bit log entry identifier incremented sequentially; each log type has a
    unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags
    A bit field indicating if the log was forwarded to Panorama.

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4)
    A sequence of identification numbers that indicate the device group's
    location within a device group hierarchy. The firewall (or virtual system)
    generating the log includes the identification number of each ancestor in
    its device group hierarchy. The shared device group (level 0) is not
    included in this structure.
    If the log values are 12, 34, 45, 0, it means that the log was generated by
    a firewall (or virtual system) that belongs to device group 45, and its
    ancestors are 34 and 12. To view the device group names that correspond to
    the value 12, 34 or 45, use one of the following methods:
    - CLI command in configure mode: show readonly dg-meta-data
    - API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name
    The name of the virtual system associated with the session; only valid on
    firewalls enabled for multiple virtual systems.

Device Name
    The hostname of the firewall on which the session was logged.

Virtual System ID
    A unique identifier for a virtual system on a Palo Alto Networks firewall.

IPv6 Source Address
    IPv6 address of the user's machine or device.


User-ID Log Fields

Format: FUTURE_USE, Receive Time, Serial Number, Sequence Number, Action Flags,
Type, Threat/Content Type, FUTURE_USE, Generated Time, Device Group Hierarchy
Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device
Group Hierarchy Level 4, Virtual System Name, Device Name, Virtual System ID,
Virtual System, Source IP, User, Data Source Name, Event ID, Repeat Count, Time
Out Threshold, Source Port, Destination Port, Data Source, Data Source Type,
FUTURE_USE, FUTURE_USE, Factor Type, Factor Completion Time, Factor Number

Field Name    Description

Receive Time (receive_time)
    Time the log was received at the management plane.

Serial Number (Serial #)
    Serial number of the firewall that generated the log.

Sequence Number
    Serial number of the firewall that generated the log.

Action Flags
    A bit field indicating if the log was forwarded to Panorama.

Type (type)
    Specifies type of log; values are traffic, threat, config, system and
    hip-match.

Threat/Content Type
    Subtype of traffic log; values are start, end, drop, and deny:
    - Start: session started
    - End: session ended
    - Drop: session dropped before the application is identified and there is
      no rule that allows the session.
    - Deny: session dropped after the application is identified and there is a
      rule to block or no rule that allows the session.

Generated Time (Generate Time)
    The time the log was generated on the dataplane.

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4)
    A sequence of identification numbers that indicate the device group's
    location within a device group hierarchy. The firewall (or virtual system)
    generating the log includes the identification number of each ancestor in
    its device group hierarchy. The shared device group (level 0) is not
    included in this structure.
    If the log values are 12, 34, 45, 0, it means that the log was generated by
    a firewall (or virtual system) that belongs to device group 45, and its
    ancestors are 34 and 12. To view the device group names that correspond to
    the value 12, 34 or 45, use one of the following methods:
    - CLI command in configure mode: show readonly dg-meta-data
    - API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name
    The name of the virtual system associated with the session; only valid on
    firewalls enabled for multiple virtual systems.

Device Name
    The hostname of the firewall on which the session was logged.

Virtual System ID
    A unique identifier for a virtual system on a Palo Alto Networks firewall.

Virtual System
    Virtual System associated with the configuration log.

Source IP
    Original session source IP address.


User
    Identifies the end user.

Data Source Name
    User-ID source that sends the IP (Port) User Mapping.

Event ID
    String showing the name of the event.

Repeat Count
    Number of sessions with same Source IP, Destination IP, Application, and
    Subtype seen within 5 seconds; used for ICMP only.

Time Out (timeout)
    Timeout after which the IP/User Mappings are cleared.

Source Port (beginport)
    Source port utilized by the session.

Destination Port (endport)
    Destination port utilized by the session.

Data Source
    Source from which mapping information is collected.

Data Source Type
    Mechanism used to identify the IP/User mappings within a data source.

Factor Type
    Vendor used to authenticate a user when Multi Factor authentication is
    present.

Factor Completion Time
    Time the authentication was completed.

Factor Number
    Indicates the use of primary authentication (1) or additional factors (2, 3).

Tunnel Inspection Log Fields

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE,
Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP,
Rule Name, Source User, Destination User, Application, Virtual System, Source
Zone, Destination Zone, Ingress Interface, Egress Interface, Log Action,
FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source
Port, NAT Destination Port, Flags, Protocol, Action, Severity, Sequence Number,
Action Flags, Source Location, Destination Location, Device Group Hierarchy Level
1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group
Hierarchy Level 4, Virtual System Name, Device Name, Tunnel ID/IMSI, Monitor
Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel, Bytes, Bytes Sent, Bytes
Received, Packets, Packets Sent, Maximum Encapsulation, Unknown Protocol, Strict
Check, Tunnel Fragment, Sessions Created, Sessions Closed, Session End Reason,
Action Source, Start Time, Elapsed Time

Field Name    Description

Receive Time
    Month, day, and time the log was received at the management plane.

Serial Number (Serial #)
    Serial number of the firewall that generated the log.

Type
    Type of log as it pertains to the session: start or end.

Threat/Content Type
    Subtype of traffic log; values are start, end, drop, and deny:
    - Start: session started
    - End: session ended
    - Drop: session dropped before the application is identified and there is
      no rule that allows the session.
    - Deny: session dropped after the application is identified and there is a
      rule to block or no rule that allows the session.


Generated Time (Generate Time)
    Time the log was generated on the dataplane.

Source Address
    Source IP address of packets in the session.

Destination Address
    Destination IP address of packets in the session.

NAT Source IP
    If Source NAT performed, the post-NAT Source IP address.

NAT Destination IP
    If Destination NAT performed, the post-NAT Destination IP address.

Rule Name (Rule)
    Name of the Security policy rule in effect on the session.

Source User
    Source User-ID of packets in the session.

Destination User
    Destination User-ID of packets in the session.

Application
    Tunneling protocol used in the session.

Virtual System
    Virtual System associated with the session.

Source Zone
    Source zone of packets in the session.

Destination Zone
    Destination zone of packets in the session.

Inbound Interface
    Interface that the session was sourced from.

Outbound Interface
    Interface that the session was destined to.

Log Action
    Log Forwarding Profile that was applied to the session.

Session ID
    Session ID of the session being logged.

Repeat Count
    Number of sessions with same Source IP, Destination IP, Application, and
    Subtype seen within 5 seconds; used for ICMP only.

Source Port
    Source port utilized by the session.

Destination Port
    Destination port utilized by the session.

NAT Source Port
    Post-NAT source port.

NAT Destination Port
    Post-NAT destination port.


Flags
    32-bit field that provides details on the session; this field can be decoded
    by ANDing the values with the logged value:
    - 0x80000000: session has a packet capture (PCAP)
    - 0x02000000: IPv6 session
    - 0x01000000: SSL session was decrypted (SSL Proxy)
    - 0x00800000: session was denied via URL filtering
    - 0x00400000: session has a NAT translation performed (NAT)
    - 0x00200000: user information for the session was captured via the captive
      portal (Captive Portal)
    - 0x00080000: X-Forwarded-For value from a proxy is in the source user field
    - 0x00040000: log corresponds to a transaction within an HTTP proxy session
      (Proxy Transaction)
    - 0x00008000: session is a container page access (Container Page)
    - 0x00002000: session has a temporary match on a rule for implicit
      application dependency handling. Available in PAN-OS 5.0.0 and above.
    - 0x00000800: symmetric return was used to forward traffic for this session

Protocol (IP Protocol)
    IP protocol associated with the session.

Action
    Action taken for the session; possible values are:
    - Allow: session was allowed by policy
    - Deny: session was denied by policy
    - Drop: session was dropped silently
    - Drop ICMP: session was silently dropped with an ICMP unreachable message
      to the host or application
    - Reset both: session was terminated and a TCP reset is sent to both sides
      of the connection
    - Reset client: session was terminated and a TCP reset is sent to the client
    - Reset server: session was terminated and a TCP reset is sent to the server

Severity
    Severity associated with the event; values are informational, low, medium,
    high, critical.

Sequence Number
    A 64-bit log entry identifier incremented sequentially; each log type has a
    unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags
    A bit field indicating if the log was forwarded to Panorama.

Source Location (source country)
    Source country or Internal region for private addresses; maximum length is
    32 bytes.

Destination Location (destination country)
    Destination country or Internal region for private addresses. Maximum length
    is 32 bytes.


Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4)
    A sequence of identification numbers that indicate the device group's
    location within a device group hierarchy. The firewall (or virtual system)
    generating the log includes the identification number of each ancestor in
    its device group hierarchy. The shared device group (level 0) is not
    included in this structure.
    If the log values are 12, 34, 45, 0, it means that the log was generated by
    a firewall (or virtual system) that belongs to device group 45, and its
    ancestors are 34 and 12. To view the device group names that correspond to
    the value 12, 34 or 45, use one of the following methods:
    - CLI command in configure mode: show readonly dg-meta-data
    - API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name
    The name of the virtual system associated with the session; only valid on
    firewalls enabled for multiple virtual systems.

Device Name
    The hostname of the firewall on which the session was logged.

Tunnel ID/IMSI
    ID of the tunnel being inspected or the International Mobile Subscriber
    Identity (IMSI) ID of the mobile user.

Monitor Tag/IMEI
    Monitor name you configured for the Tunnel Inspection policy rule or the
    International Mobile Equipment Identity (IMEI) ID of the mobile device.

Parent Session ID
    ID of the session in which this session is tunneled. Applies to inner tunnel
    (if two levels of tunneling) or inside content (if one level of tunneling)
    only.

Parent Start Time (parent_start_time)
    Year/month/day hours:minutes:seconds that the parent tunnel session began.

Tunnel Type (Tunnel)
    Type of tunnel, such as GRE or IPSec.

Bytes
    Number of bytes in the session.

Bytes Sent
    Number of bytes in the client-to-server direction of the session.

Bytes Received
    Number of bytes in the server-to-client direction of the session.

Packets
    Number of total packets (transmit and receive) for the session.

Packets Sent (pkts_sent)
    Number of client-to-server packets for the session.
    Available on all models except the PA-4000 Series.

Packets Received (pkts_received)
    Number of server-to-client packets for the session.
    Available on all models except the PA-4000 Series.

Maximum Encapsulation (max_encap)
    Number of packets the firewall dropped because the packet exceeded the
    maximum number of encapsulation levels configured in the Tunnel Inspection
    policy rule (Drop packet if over maximum tunnel inspection level).

Unknown Protocol (unknown_proto)
    Number of packets the firewall dropped because the packet contains an
    unknown protocol, as enabled in the Tunnel Inspection policy rule (Drop
    packet if unknown protocol inside tunnel).

Strict Checking (strict_check)
    Number of packets the firewall dropped because the tunnel protocol header in
    the packet failed to comply with the RFC for the tunnel protocol, as enabled
    in the Tunnel Inspection policy rule (Drop packet if tunnel protocol fails
    strict header check).


Tunnel Fragment (tunnel_fragment)
    Number of packets the firewall dropped because of fragmentation errors.

Sessions Created (sessions_created)
    Number of inner sessions created.

Sessions Closed (sessions_closed)
    Number of completed/closed sessions created.


Session End Reason (session_end_reason): The reason a session terminated. If the termination had multiple causes, this field displays only the highest-priority reason. The possible session end reason values are as follows, in order of priority (where the first is highest):
- threat: The firewall detected a threat associated with a reset, drop, or block (IP address) action.
- policy-deny: The session matched a security rule with a deny or drop action.
- decrypt-cert-validation: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses client authentication or when the session uses a server certificate with any of the following conditions: expired, untrusted issuer, unknown status, or status verification timeout. This session end reason also displays when the server certificate produces a fatal error alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied, or no_certificate_RESERVED (SSLv3 only).
- decrypt-unsupport-param: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses an unsupported protocol version, cipher, or SSH algorithm. This session end reason is displayed when the session produces a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.
- decrypt-error: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when firewall resources or the hardware security module (HSM) were unavailable. This session end reason is also displayed when you configured the firewall to block SSL traffic that has SSH errors or that produced any fatal error alert other than those listed for the decrypt-cert-validation and decrypt-unsupport-param end reasons.
- tcp-rst-from-client: The client sent a TCP reset to the server.
- tcp-rst-from-server: The server sent a TCP reset to the client.
- resources-unavailable: The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.
- tcp-fin: One host or both hosts in the connection sent a TCP FIN message to close the session.
- tcp-reuse: A session is reused and the firewall closes the previous session.
- decoder: The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.
- aged-out: The session aged out.
- unknown: This value applies in the following situations:
  - Session terminations that the preceding reasons do not cover (for example, a clear session all command).
  - For logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), the value will be unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall.
  - In Panorama, logs received from firewalls for which the PAN-OS version does not support session end reasons will have a value of unknown.
- n/a: This value applies when the traffic log type is not end.

Action Source (action_source): Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset-server, reset-client or reset-both for the session.


Start Time (start): Year/month/day hours:minutes:seconds that the session began.

Elapsed Time (sec): Elapsed time of the session.

Authentication Log Fields

Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Virtual System, Source IP, User, Normalize User, Object, Authentication Policy, Repeat Count, Authentication ID, Vendor, Log Action, Server Profile, desc, Client Type, Event Type, Factor Number, Action Flags, Device Group Hierarchy 1, Device Group Hierarchy 2, Device Group Hierarchy 3, Device Group Hierarchy 4, Virtual System Name, Device Name

Receive Time: Time the log was received at the management plane.

Serial Number (Serial #): Serial number of the device that generated the log.

Type: Type of log; values are traffic, threat, config, system and hip-match.

Threat/Content Type: Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, globalprotect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.

Generated Time (Generate Time): Time the log was generated on the dataplane.

Virtual System: Virtual System associated with the session.

Source IP: Original session source IP address.

User: End user being authenticated.

Normalize User: Normalized version of the username being authenticated (such as appending a domain name to the username).

Object: Name of the object associated with the system event.

Authentication Policy: Policy invoked for authentication before allowing access to a protected resource.

Repeat Count: Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only.

Authentication ID: Unique ID given across primary authentication and additional (multi-factor) authentication.

Vendor: Vendor providing additional factor authentication.

Log Action: Log Forwarding Profile that was applied to the session.

Server Profile (serverprofile): Authentication server used for authentication.

Description (desc): Additional authentication information.

Client Type: Type of client used to complete authentication (such as authentication portal).


Event Type: Result of the authentication attempt.

Factor Number: Indicates the use of primary authentication (1) or additional factors (2, 3).

Sequence Number: A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags: A bit field indicating if the log was forwarded to Panorama.

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
- CLI command in configure mode: show readonly dg-meta-data
- API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name: The hostname of the firewall on which the session was logged.

Config Log Fields

Format: FUTURE_USE, Receive Time, Serial Number, Type, Content/Threat Type, FUTURE_USE, Generated Time, Host, Virtual System, Command, Admin, Client, Result, Configuration Path, Sequence Number, Action Flags, Before Change Detail, After Change Detail, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Receive Time: Time the log was received at the management plane.

Serial Number (Serial #): Serial number of the device that generated the log.

Type: Type of log; values are traffic, threat, config, system and hip-match.

Content/Threat Type: Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, globalprotect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.

Generated Time (Generate Time): Time the log was generated on the dataplane.

Host: Hostname or IP address of the client machine.

Virtual System: Virtual System associated with the configuration log.


Command (cmd): Command performed by the Admin; values are add, clone, commit, delete, edit, move, rename, set.

Admin (admin): Username of the Administrator performing the configuration.

Client (client): Client used by the Administrator; values are Web and CLI.

Result (result): Result of the configuration action; values are Submitted, Succeeded, Failed, and Unauthorized.

Configuration Path (path): The path of the configuration command issued; up to 512 bytes in length.

Before Change Detail (before_change_detail): This field is in custom logs only; it is not in the default format. It contains the full xpath before the configuration change.

After Change Detail (after_change_detail): This field is in custom logs only; it is not in the default format. It contains the full xpath after the configuration change.

Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama.

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
- CLI command in configure mode: show readonly dg-meta-data
- API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name: The hostname of the firewall on which the session was logged.

System Log Fields

Format: FUTURE_USE, Receive Time, Serial Number, Type, Content/Threat Type, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Receive Time: Time the log was received at the management plane.

Serial Number (Serial #): Serial number of the firewall that generated the log.

Type: Type of log; values are traffic, threat, config, system and hip-match.


Content/Threat Type: Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, globalprotect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.

Generated Time (Generate Time): Time the log was generated on the dataplane.

Virtual System: Virtual System associated with the configuration log.

Event ID: String showing the name of the event.

Object: Name of the object associated with the system event.

Module (module): This field is valid only when the value of the Subtype field is general. It provides additional information about the sub-system generating the log; values are general, management, auth, ha, upgrade, chassis.

Severity: Severity associated with the event; values are informational, low, medium, high, critical.

Description: Detailed description of the event, up to a maximum of 512 bytes.

Sequence Number: A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags: A bit field indicating if the log was forwarded to Panorama.

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
- CLI command in configure mode: show readonly dg-meta-data
- API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name: The hostname of the firewall on which the session was logged.

Correlated Events Log Fields

Format: FUTURE_USE, Receive Time, Serial Number, Type, Content/Threat Type, FUTURE_USE, Generated Time, Source Address, Source User, Virtual System, Category, Severity, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Virtual System ID, Object Name, Object ID, Evidence

Receive Time: Time the log was received at the management plane.


Serial Number (Serial #): Serial number of the device that generated the log.

Type: Type of log; values are traffic, threat, config, system and hip-match.

Content/Threat Type: Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, globalprotect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.

Generated Time (Generate Time): Time the log was generated on the dataplane.

Source Address: IP address of the user who initiated the event.

Source User: Username of the user who initiated the event.

Virtual System: Virtual System associated with the configuration log.

Category: A summary of the kind of threat or harm posed to the network, user, or host.

Severity: Severity associated with the event; values are informational, low, medium, high, critical.

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
- CLI command in configure mode: show readonly dg-meta-data
- API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name: The hostname of the firewall on which the session was logged.

Virtual System ID: A unique identifier for a virtual system on a Palo Alto Networks firewall.

Object Name (objectname): Name of the correlation object that was matched on.

Object ID: Name of the object associated with the system event.

Evidence: A summary statement that indicates how many times the host has matched against the conditions defined in the correlation object. For example, Host visited known malware URL (19 times).

Syslog Severity

The syslog severity is set based on the log type and contents.

Log Type/Severity: Syslog Severity

Traffic: Info

Config: Info


Threat/System Informational: Info

Threat/System Low: Notice

Threat/System Medium: Warning

Threat/System High: Error

Threat/System Critical: Critical

Custom Log/Event Format

To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key:Value attribute pairs. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format. To achieve ArcSight Common Event Format (CEF) compliant log formatting, refer to the CEF Configuration Guide.

Escape Sequences

Any field that contains a comma or a double-quote is enclosed in double quotes. Furthermore, if a double-quote appears inside a field it is escaped by preceding it with another double-quote. To maintain backward compatibility, the Misc field in the threat log is always enclosed in double quotes.
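As an added example (not code from the guide or from Palo Alto Networks), the following Python applies the escape rules just described to a constructed Config log line, maps the positional fields to the names in the Config Log Fields Format above, decodes the Device Group Hierarchy values the way the field description explains (12, 34, 45, 0 means device group 45 with ancestors 34 and 12), and derives the syslog severity from the Syslog Severity table. The sample line, its serial number, host, configuration path and device group IDs are all constructed values; only the field order and the severity mapping come from this page.

```python
import csv

# Field order for PAN-OS 8.0 Config logs, copied from the Format line documented
# in the Config Log Fields section of this guide.
CONFIG_LOG_FIELDS = [
    "FUTURE_USE", "Receive Time", "Serial Number", "Type", "Content/Threat Type",
    "FUTURE_USE", "Generated Time", "Host", "Virtual System", "Command", "Admin",
    "Client", "Result", "Configuration Path", "Sequence Number", "Action Flags",
    "Before Change Detail", "After Change Detail",
    "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4",
    "Virtual System Name", "Device Name",
]

# Syslog severity by log type and log severity (the Syslog Severity table).
_THREAT_SYSTEM_SEVERITY = {
    "informational": "info", "low": "notice", "medium": "warning",
    "high": "error", "critical": "critical",
}

# Constructed sample line: 24 comma-separated fields. The Configuration Path
# contains commas-free XPath text with embedded double quotes, so it is wrapped
# in double quotes and each inner quote is doubled, as the Escape Sequences
# section specifies. Serial, host, path and DG numbers are placeholders.
SAMPLE_CONFIG_LOG = (
    '1,2017/03/30 10:15:02,001122334455,CONFIG,0,0,2017/03/30 10:15:02,10.0.0.5,vsys1,'
    'set,admin,Web,Succeeded,'
    '"/config/devices/entry[@name=""localhost.localdomain""]'
    '/vsys/entry[@name=""vsys1""]/rulebase/security",'
    '1001,0x0,,,12,34,45,0,vsys1,fw-edge-01'
)


def syslog_severity(log_type, log_severity=None):
    """Map (log type, log severity) to the syslog severity the table documents."""
    kind = log_type.lower()
    if kind in ("traffic", "config"):
        return "info"
    if kind in ("threat", "system"):
        return _THREAT_SYSTEM_SEVERITY[log_severity.lower()]
    raise ValueError(f"no syslog severity documented for log type {log_type!r}")


def split_fields(line):
    """Split one log line using the documented escape rules: a field holding a
    comma or double quote is enclosed in double quotes, and an embedded double
    quote is doubled. Python's csv module implements exactly that convention."""
    return next(csv.reader([line], delimiter=",", quotechar='"', doublequote=True))


def parse_config_log(line):
    """Return a dict of named fields for a Config log line; FUTURE_USE slots are dropped."""
    values = split_fields(line)
    if len(values) != len(CONFIG_LOG_FIELDS):
        raise ValueError(f"expected {len(CONFIG_LOG_FIELDS)} fields, got {len(values)}")
    return {name: value for name, value in zip(CONFIG_LOG_FIELDS, values)
            if name != "FUTURE_USE"}


def device_group_chain(record):
    """Return (device_group, ancestors_nearest_first) from dg_hier_level_1..4.
    Unused levels are 0; the last non-zero level is the group the firewall
    belongs to, and the levels before it are its ancestors."""
    levels = [int(record[f"dg_hier_level_{i}"]) for i in range(1, 5)]
    nonzero = [value for value in levels if value != 0]
    if not nonzero:
        return None, []          # firewall is directly under the shared group
    return nonzero[-1], list(reversed(nonzero[:-1]))


if __name__ == "__main__":
    rec = parse_config_log(SAMPLE_CONFIG_LOG)
    group, ancestors = device_group_chain(rec)
    print(rec["Admin"], rec["Command"], rec["Configuration Path"])
    print("device group", group, "ancestors", ancestors,
          "syslog severity", syslog_severity(rec["Type"]))
```

The `csv` module is used deliberately: the firewall's quoting rules are the standard RFC 4180 style, so a hand-written splitter would only reintroduce edge-case bugs around doubled quotes. Before trusting a parsed record, the length check guards against a custom log format that adds or removes fields from the default order.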


SNMP Monitoring and Traps

The following topics describe how Palo Alto Networks firewalls, Panorama, and WF-500 appliances implement SNMP, and the procedures to configure SNMP monitoring and trap delivery.
- SNMP Support
- Use an SNMP Manager to Explore MIBs and Objects
- Enable SNMP Services for Firewall-Secured Network Elements
- Monitor Statistics Using SNMP
- Forward Traps to an SNMP Manager
- Supported MIBs

SNMP Support

You can use an SNMP manager to monitor event-driven alerts and operational statistics for the firewall, Panorama, or WF-500 appliance and for the traffic they process. The statistics and traps can help you identify resource limitations, system changes or failures, and malware attacks. You configure alerts by forwarding log data as traps, and enable the delivery of statistics in response to GET messages (requests) from your SNMP manager. Each trap and statistic has an object identifier (OID). Related OIDs are organized hierarchically within the Management Information Bases (MIBs) that you load into the SNMP manager to enable monitoring.

When an event triggers SNMP trap generation (for example, an interface goes down), the firewall, Panorama virtual appliance, M-Series appliance, and WF-500 appliance respond by updating the corresponding SNMP object (for example, the interfaces MIB) instead of waiting for the periodic update of all objects that occurs every ten seconds. This ensures that your SNMP manager displays the latest information when polling an object to confirm an event.

The firewall, Panorama, and WF-500 appliance support SNMP Version 2c and Version 3. Decide which to use based on the version that other devices in your network support and on your network security requirements. SNMPv3 is more secure and enables more granular access control for system statistics than SNMPv2c. The following table summarizes the security features of each version. You select the version and configure the security features when you Monitor Statistics Using SNMP and Forward Traps to an SNMP Manager.

SNMPv2c
  Authentication: Community string
  Message Privacy: No (cleartext)
  Message Integrity: No
  MIB Access Granularity: SNMP community access for all MIBs on a device

SNMPv3
  Authentication: EngineID, username, and authentication password (SHA hashing for the password)
  Message Privacy: Privacy password for AES-128 encryption of SNMP messages
  Message Integrity: Yes
  MIB Access Granularity: User access based on views that include or exclude specific OIDs


Figure: SNMP Implementation illustrates a deployment in which firewalls forward traps to an SNMP manager while also forwarding logs to Log Collectors. Alternatively, you could configure the Log Collectors to forward the firewall traps to the SNMP manager. For details on these deployments, refer to Log Forwarding Options. In all deployments, the SNMP manager gets statistics directly from the firewall, Panorama, or WF-500 appliance. In this example, a single SNMP manager collects both traps and statistics, though you can use separate managers for these functions if that better suits your network.

Figure: SNMP Implementation

Use an SNMP Manager to Explore MIBs and Objects

To use SNMP for monitoring Palo Alto Networks firewalls, Panorama, or WF-500 appliances, you must first load the Supported MIBs into your SNMP manager and determine which object identifiers (OIDs) correspond to the system statistics and traps you want to monitor. The following topics provide an overview of how to find OIDs and MIBs in an SNMP manager. For the specific steps to perform these tasks, refer to your SNMP management software.
- Identify a MIB Containing a Known OID
- Walk a MIB
- Identify the OID for a System Statistic or Trap

Identify a MIB Containing a Known OID

If you already know the OID for a particular SNMP object (statistic or trap) and want to know the OIDs of similar objects so you can monitor them, you can explore the MIB that contains the known OID.


Step 1: Load all the Supported MIBs into your SNMP manager.

Step 2: Search the entire MIB tree for the known OID. The search result displays the MIB path for the OID, as well as information about the OID (for example, name, status, and description). You can then select other OIDs in the same MIB to see information about them.

Step 3: (Optional) Walk a MIB to display all its objects.

Walk a MIB

If you want to see which SNMP objects (system statistics and traps) are available for monitoring, displaying all the objects of a particular MIB can be useful. To do this, load the Supported MIBs into your SNMP manager and perform a walk on the desired MIB. To list the traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support, walk the panCommonEventEventsV2 MIB. In the following example, walking the PAN-COMMON-MIB.my displays the following list of OIDs and their values for certain statistics:


Identify the OID for a System Statistic or Trap

To use an SNMP manager for monitoring Palo Alto Networks firewalls, Panorama, or WF-500 appliances, you must know the OIDs of the system statistics and traps you want to monitor.

Step 1: Review the Supported MIBs to determine which one contains the type of statistic you want. For example, the PAN-COMMON-MIB.my contains hardware version information. The panCommonEventEventsV2 MIB contains all the traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support.

Step 2: Open the MIB in a text editor and perform a keyword search. For example, using Hardware version as a search string in PAN-COMMON-MIB identifies the panSysHwVersion object:

    panSysHwVersion OBJECT-TYPE
        SYNTAX DisplayString (SIZE(0..128))
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "Hardware version of the unit."
        ::= { panSys 2 }


Step 3: In a MIB browser, search the MIB tree for the identified object name to display its OID. For example, the panSysHwVersion object has an OID of 1.3.6.1.4.1.25461.2.1.2.1.2.
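As an added example (not code from the guide or from Palo Alto Networks), the Python below performs Steps 2 and 3 offline on a MIB fragment: it finds OBJECT-TYPE definitions whose DESCRIPTION mentions a keyword, then resolves a name to its numeric OID by following the ::= { parent n } chain the way a MIB browser does. The panSysHwVersion definition is the one quoted in Step 2; the node names between the IETF enterprises arc (1.3.6.1.4.1, a standard value) and panSys are constructed placeholders chosen so that the chain resolves to the OID stated in Step 3, and are not the real names used in PAN-COMMON-MIB.my.

```python
import re

# Constructed MIB fragment. Only the panSysHwVersion definition is quoted from
# the guide; the OBJECT IDENTIFIER lines above it are placeholder names (the
# real PAN-COMMON-MIB.my uses its own) whose numbers reproduce the documented
# OID 1.3.6.1.4.1.25461.2.1.2.1.2.
MIB_FRAGMENT = """
-- placeholder nodes, constructed for this example
panEnterprise   OBJECT IDENTIFIER ::= { enterprises 25461 }
panCommonRoot   OBJECT IDENTIFIER ::= { panEnterprise 2 }
panCommonMib    OBJECT IDENTIFIER ::= { panCommonRoot 1 }
panCommonObjs   OBJECT IDENTIFIER ::= { panCommonMib 2 }
panSys          OBJECT IDENTIFIER ::= { panCommonObjs 1 }

panSysHwVersion OBJECT-TYPE
    SYNTAX DisplayString (SIZE(0..128))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Hardware version of the unit."
    ::= { panSys 2 }
"""

# Well-known root that the fragment does not define itself:
# iso(1).org(3).dod(6).internet(1).private(4).enterprises(1)
WELL_KNOWN_ROOTS = {"enterprises": "1.3.6.1.4.1"}

# One definition: "<name> OBJECT-TYPE ... ::= { <parent> <arc> }" or
# "<name> OBJECT IDENTIFIER ::= { <parent> <arc> }". Definitions start at
# column 0; their body lines are indented, so MULTILINE '^' skips them.
DEF_RE = re.compile(
    r"^(?P<name>[A-Za-z][\w-]*)\s+OBJECT(?:-TYPE|\s+IDENTIFIER)\b.*?"
    r"::=\s*\{\s*(?P<parent>[A-Za-z][\w-]*)\s+(?P<arc>\d+)\s*\}",
    re.MULTILINE | re.DOTALL,
)
DESC_RE = re.compile(r'DESCRIPTION\s*"([^"]*)"')


def parse_definitions(text):
    """Map each defined name to its (parent name, arc number)."""
    return {m.group("name"): (m.group("parent"), int(m.group("arc")))
            for m in DEF_RE.finditer(text)}


def find_by_keyword(text, keyword):
    """Step 2: names of OBJECT-TYPE definitions whose DESCRIPTION contains keyword."""
    hits = []
    for m in DEF_RE.finditer(text):
        desc = DESC_RE.search(m.group(0))
        if desc and keyword.lower() in desc.group(1).lower():
            hits.append(m.group("name"))
    return hits


def resolve_oid(name, defs, roots=WELL_KNOWN_ROOTS, _seen=()):
    """Step 3: dotted numeric OID for name, by walking parents up to a known root."""
    if name in roots:
        return roots[name]
    if name in _seen:
        raise ValueError(f"cyclic definition involving {name}")
    if name not in defs:
        raise KeyError(f"{name} is neither defined in the fragment nor a known root")
    parent, arc = defs[name]
    return f"{resolve_oid(parent, defs, roots, _seen + (name,))}.{arc}"


if __name__ == "__main__":
    defs = parse_definitions(MIB_FRAGMENT)
    for obj in find_by_keyword(MIB_FRAGMENT, "Hardware version"):
        print(obj, resolve_oid(obj, defs))
```

The resolver stops at any name listed in WELL_KNOWN_ROOTS, so to use it on a real MIB you load the IMPORTS it depends on (for example the SNMPv2-SMI definitions) into that dictionary or into the fragment; an undefined parent raises rather than silently producing a truncated OID.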


Enable SNMP Services for Firewall-Secured Network Elements

If you will use Simple Network Management Protocol (SNMP) to monitor or manage network elements (for example, switches and routers) that are within the security zones of Palo Alto Networks firewalls, you must create a security rule that allows SNMP services for those elements.

You don't need a security rule to enable SNMP monitoring of Palo Alto Networks firewalls, Panorama, or WF-500 appliances. For details, see Monitor Statistics Using SNMP.

Step 1: Create an application group.
1. Select Objects > Application Group and click Add.
2. Enter a Name to identify the application group.
3. Click Add, type snmp, and select snmp and snmp-trap from the drop-down.
4. Click OK to save the application group.

Step 2: Create a security rule to allow SNMP services.
1. Select Policies > Security and click Add.
2. In the General tab, enter a Name for the rule.
3. In the Source and Destination tabs, click Add and enter a Source Zone and a Destination Zone for the traffic.
4. In the Applications tab, click Add, type the name of the application group you just created, and select it from the drop-down.
5. In the Actions tab, verify that the Action is set to Allow, and then click OK and Commit.

Monitor Statistics Using SNMP

The statistics that a Simple Network Management Protocol (SNMP) manager collects from Palo Alto Networks firewalls can help you gauge the health of your network (systems and connections), identify resource limitations, and monitor traffic or processing loads. The statistics include information such as interface states (up or down), active user sessions, concurrent sessions, session utilization, temperature, and system uptime.

You can't configure an SNMP manager to control Palo Alto Networks firewalls (using SET messages), only to collect statistics from them (using GET messages).
For details on how SNMP is implemented for Palo Alto Networks firewalls, see SNMP Support.


Step 1: Configure the SNMP manager to get statistics from firewalls.
The following steps provide an overview of the tasks you perform on the SNMP manager. For the specific steps, refer to the documentation of your SNMP manager.
1. To enable the SNMP manager to interpret firewall statistics, load the Supported MIBs for Palo Alto Networks firewalls and, if necessary, compile them.
2. For each firewall that the SNMP manager will monitor, define the connection settings (IP address and port) and authentication settings (SNMPv2c community string or SNMPv3 EngineID/username/password) for the firewall. Note that all Palo Alto Networks firewalls use port 161. The SNMP manager can use the same or different connection and authentication settings for multiple firewalls. The settings must match those you define when you configure SNMP on the firewall (see Step 3). For example, if you use SNMPv2c, the community string you define when configuring the firewall must match the community string you define in the SNMP manager for that firewall.
3. Determine the object identifiers (OIDs) of the statistics you want to monitor. For example, to monitor the session utilization percentage of a firewall, a MIB browser shows that this statistic corresponds to OID 1.3.6.1.4.1.25461.2.1.2.3.1.0 in PAN-COMMON-MIB.my. For details, see Use an SNMP Manager to Explore MIBs and Objects.
4. Configure the SNMP manager to monitor the desired OIDs.

Step 2: Enable SNMP traffic on a firewall interface. This is the interface that will receive statistics requests from the SNMP manager.
PAN-OS doesn't synchronize management (MGT) interface settings for firewalls in a high availability (HA) configuration. You must configure the interface for each HA peer.
Perform this step in the firewall web interface.
- To enable SNMP traffic on the MGT interface, select Device > Setup > Interfaces, edit the Management interface, select SNMP, and then click OK and Commit.
- To enable SNMP traffic on any other interface, create an interface management profile for SNMP services and assign the profile to the interface that will receive the SNMP requests. The interface type must be Layer 3 Ethernet.


Step 3: Configure the firewall to respond to statistics requests from an SNMP manager.
PAN-OS doesn't synchronize SNMP response settings for firewalls in a high availability (HA) configuration. You must configure these settings for each HA peer.
1. Select Device > Setup > Operations and, in the Miscellaneous section, click SNMP Setup.
2. Select the SNMP Version and configure the authentication values as follows. For version details, see SNMP Support.
   - V2c: Enter the SNMP Community String, which identifies a community of SNMP managers and monitored devices, and serves as a password to authenticate the community members to each other.
     As a best practice, don't use the default community string public; it's well known and therefore not secure.
   - V3: Create at least one SNMP view group and one user. User accounts and views provide authentication, privacy, and access control when firewalls forward traps and SNMP managers get firewall statistics.
     - Views: Each view is a paired OID and bitwise mask: the OID specifies a MIB and the mask (in hexadecimal format) specifies which objects are accessible within (include matching) or outside (exclude matching) that MIB. Click Add in the first list and enter a Name for the group of views. For each view in the group, click Add and configure the view Name, OID, matching Option (include or exclude), and Mask.
     - Users: Click Add in the second list, enter a username under Users, select the View group from the drop-down, enter the authentication password (Auth Password) used to authenticate to the SNMP manager, and enter the privacy password (Priv Password) used to encrypt SNMP messages to the SNMP manager.
3. Click OK and Commit.

Step 4: Monitor the firewall statistics in an SNMP manager.
Refer to the documentation of your SNMP manager for details.
When monitoring statistics related to firewall interfaces, you must match the interface indexes in the SNMP manager with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.
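As an added example (not code from the guide or from Palo Alto Networks), the Python below models the include/exclude view matching that the V3 Views sub-step describes, so you can check which OIDs a view group exposes before committing it. It assumes the OID and hexadecimal Mask pair follow the standard view-based access control semantics of RFC 3415: a 1 bit means that sub-identifier of the OID must match, a 0 bit is a wildcard, bits beyond the mask count as 1, and when several views match the one with the longest subtree decides. The view group and the queried OIDs are constructed; 1.3.6.1.2.1 (mib-2), 1.3.6.1.6.3.16 (the VACM MIB) and 1.3.6.1.4.1.25461 (the Palo Alto Networks enterprise arc that appears in the OIDs on this page) are standard values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class View:
    subtree: str   # OID prefix, for example "1.3.6.1.4.1.25461"
    mask: str      # hex mask; "" means every sub-identifier must match
    include: bool  # True = include matching, False = exclude matching


def oid_parts(oid):
    """'1.3.6.1' -> [1, 3, 6, 1]."""
    return [int(part) for part in oid.strip(".").split(".")]


def mask_bits(mask_hex, length):
    """Expand a hex mask into one flag per sub-identifier of the subtree,
    most significant bit first. Missing bits are treated as 1 (must match)."""
    bits = []
    for ch in mask_hex:
        nibble = int(ch, 16)
        bits.extend(bool(nibble & (1 << (3 - i))) for i in range(4))
    bits = bits[:length]
    return bits + [True] * (length - len(bits))


def view_matches(view, oid):
    """True if oid lies under view.subtree, honouring wildcard mask positions."""
    sub, target = oid_parts(view.subtree), oid_parts(oid)
    if len(target) < len(sub):
        return False
    must = mask_bits(view.mask, len(sub))
    return all(not m or s == t for m, s, t in zip(must, sub, target))


def oid_accessible(views, oid):
    """Decide visibility of oid through a view group: among matching views the
    longest subtree wins (ties broken by the lexicographically greater subtree),
    and that view's include/exclude option is the answer. No match = hidden."""
    candidates = [v for v in views if view_matches(v, oid)]
    if not candidates:
        return False
    best = max(candidates,
               key=lambda v: (len(oid_parts(v.subtree)), oid_parts(v.subtree)))
    return best.include


# Constructed view group for a read-only monitoring user.
VIEW_GROUP = [
    View("1.3.6.1.2.1", "", True),                # all of mib-2
    View("1.3.6.1.4.1.25461", "", True),          # Palo Alto Networks enterprise tree
    View("1.3.6.1.6.3.16", "", False),            # hide the VACM configuration MIB
    # Hide every column of ifTable row 3: sub-identifier 10 (the column) is a
    # wildcard, so the mask is 1111 1111 1010 -> "ffa" over 11 positions.
    View("1.3.6.1.2.1.2.2.1.0.3", "ffa", False),
]


if __name__ == "__main__":
    for probe in ("1.3.6.1.2.1.1.3.0", "1.3.6.1.4.1.25461.2.1.2.1.2.0",
                  "1.3.6.1.6.3.16.1.5.2.1.4", "1.3.6.1.2.1.2.2.1.10.3",
                  "1.3.6.1.2.1.2.2.1.10.4"):
        print(probe, "visible" if oid_accessible(VIEW_GROUP, probe) else "hidden")
```

Starting from an empty view group and adding narrow include entries keeps the monitoring user at least privilege: anything not explicitly matched stays hidden, and an exclude entry deeper in the tree overrides a broader include above it.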

Forward Traps to an SNMP Manager

Simple Network Management Protocol (SNMP) traps can alert you to system events (failures or changes in hardware or software of Palo Alto Networks firewalls) or to threats (traffic that matches a firewall security rule) that require immediate attention.

To see the list of traps that Palo Alto Networks firewalls support, use your SNMP Manager to access the panCommonEventEventsV2 MIB. For details, see Use an SNMP Manager to Explore MIBs and Objects.
For details on how Palo Alto Networks firewalls implement SNMP, see SNMP Support.


Forward Firewall Traps to an SNMP Manager

Step 1: Enable the SNMP manager to interpret the traps it receives.
Load the Supported MIBs for Palo Alto Networks firewalls and, if necessary, compile them. For the specific steps, refer to the documentation of your SNMP manager.

Step 2: Configure an SNMP Trap server profile. The profile defines how the firewall accesses the SNMP managers (trap servers). You can define up to four SNMP managers for each profile.
Optionally, configure separate SNMP Trap server profiles for different log types, severity levels, and WildFire verdicts.
1. Log in to the firewall web interface.
2. Select Device > Server Profiles > SNMP Trap.
3. Click Add and enter a Name for the profile.
4. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
5. Select the SNMP Version and configure the authentication values as follows. For version details, see SNMP Support.
   - V2c: For each server, click Add and enter the server Name, IP address (SNMP Manager), and Community String. The community string identifies a community of SNMP managers and monitored devices, and serves as a password to authenticate the community members to each other.
     As a best practice, don't use the default community string public; it's well known and therefore not secure.
   - V3: For each server, click Add and enter the server Name, IP address (SNMP Manager), SNMP User account (this must match a username defined in the SNMP manager), EngineID used to uniquely identify the firewall (you can leave the field blank to use the firewall serial number), authentication password (Auth Password) used to authenticate to the server, and privacy password (Priv Password) used to encrypt SNMP messages to the server.
6. Click OK to save the server profile.

Step 3: Configure log forwarding.
1. Configure the destinations of Traffic, Threat, and WildFire traps:
   a. Create a Log Forwarding profile. For each log type and each severity level or WildFire verdict, select the SNMP Trap server profile.
   b. Assign the Log Forwarding profile to policy rules and network zones. The rules and zones will trigger trap generation and forwarding.
2. Configure the destinations for System, Configuration, User-ID, HIP Match, and Correlation logs. For each log (trap) type and severity level, select the SNMP Trap server profile.
3. Click Commit.

Step 4: Monitor the traps in an SNMP manager.
Refer to the documentation of your SNMP manager.
When monitoring traps related to firewall interfaces, you must match the interface indexes in the SNMP manager with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.


Supported MIBs

The following table lists the Simple Network Management Protocol (SNMP) management information bases (MIBs) that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support. You must load these MIBs into your SNMP manager to monitor the objects (system statistics and traps) that are defined in the MIBs. For details, see Use an SNMP Manager to Explore MIBs and Objects.

Standard MIBs. The Internet Engineering Task Force (IETF) maintains most standard MIBs. You can download the MIBs from the IETF website.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances don't support every object (OID) in every one of these MIBs. See the Supported MIBs links for an overview of the supported OIDs.
- MIB-II
- IF-MIB
- HOST-RESOURCES-MIB
- ENTITY-MIB
- ENTITY-SENSOR-MIB
- ENTITY-STATE-MIB
- IEEE 802.3 LAG MIB
- LLDP-V2-MIB.my
- BFD-STD-MIB

Enterprise MIBs. You can download the enterprise MIBs from the Palo Alto Networks Technical Documentation portal.
- PAN-COMMON-MIB.my
- PAN-GLOBAL-REG-MIB.my
- PAN-GLOBAL-TC-MIB.my
- PAN-LC-MIB.my
- PAN-PRODUCT-MIB.my
- PAN-ENTITY-EXT-MIB.my
- PAN-TRAPS.my

MIB-II

MIB-II provides object identifiers (OIDs) for network management protocols in TCP/IP-based networks. Use this MIB to monitor general information about systems and interfaces. For example, you can analyze trends in bandwidth usage by interface type (ifType object) to determine if the firewall needs more interfaces of that type to accommodate spikes in traffic volume.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only the following object groups:

system: Provides system information such as the hardware model, system uptime, FQDN, and physical location.

interfaces: Provides statistics for physical and logical interfaces such as type, current bandwidth (speed), operational status (for example, up or down), and discarded packets. Logical interface support includes VPN tunnels, aggregate groups, Layer 2 subinterfaces, Layer 3 subinterfaces, loopback interfaces, and VLAN interfaces.

RFC 1213 defines this MIB.


IFMIB

IFMIBsupportsinterfacetypes(physicalandlogical)andlargercounters(64K)beyondthosedefinedin
MIBII.UsethisMIBtomonitorinterfacestatisticsinadditiontothosethatMIBIIprovides.Forexample,to
monitorthecurrentbandwidthofhighspeedinterfaces(greaterthan2.2Gps)suchasthe10Ginterfacesof
thePA5000Seriesfirewalls,youmustchecktheifHighSpeedobjectinIFMIBinsteadoftheifSpeedobject
inMIBII.IFMIBstatisticscanbeusefulwhenevaluatingthecapacityofyournetwork.
PaloAltoNetworksfirewalls,Panorama,andWF500appliancessupportonlytheifXTableinIFMIB,which
providesinterfaceinformationsuchasthenumberofmulticastandbroadcastpacketstransmittedand
received,whetheraninterfaceisinpromiscuousmode,andwhetheraninterfacehasaphysicalconnector.
RFC2863definesthisMIB.

HOST-RESOURCES-MIB

HOST-RESOURCES-MIB provides information for host computer resources. Use this MIB to monitor CPU and memory usage statistics. For example, checking the current CPU load (hrProcessorLoad object) can help you troubleshoot performance issues on the firewall.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support portions of the following object groups:

Object Group   Description

hrDevice   Provides information such as CPU load, storage capacity, and partition size. The hrProcessorLoad OIDs provide an average of the cores that process packets. For the PA-5060 firewall, which has multiple dataplanes (DPs), the average is of the cores across all three DPs that process packets.

hrSystem   Provides information such as system uptime, number of current user sessions, and number of current processes.

hrStorage   Provides information such as the amount of used storage.

RFC 2790 defines this MIB.

ENTITY-MIB

ENTITY-MIB provides OIDs for multiple logical and physical components. Use this MIB to determine what physical components are loaded on a system (for example, fans and temperature sensors) and see related information such as models and serial numbers. You can also use the index numbers for these components to determine their operational status in the ENTITY-SENSOR-MIB and ENTITY-STATE-MIB.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only portions of the entPhysicalTable group:

Object   Description

entPhysicalIndex   A single namespace that includes disk slots and disk drives.

entPhysicalDescr   The component description.

entPhysicalVendorType   The sysObjectID (see PAN-PRODUCT-MIB.my) when it is available (chassis and module objects).

entPhysicalContainedIn   The value of entPhysicalIndex for the component that contains this component.

entPhysicalClass   Chassis (3), container (5) for a slot, power supply (6), fan (7), sensor (8) for each temperature or other environmental sensor, and module (9) for each line card.

entPhysicalParentRelPos   The relative position of this child component among its sibling components. Sibling components are defined as entPhysicalEntry components that share the same instance values of each of the entPhysicalContainedIn and entPhysicalClass objects.

entPhysicalName   Supported only if the management (MGT) interface allows for naming the line card.

entPhysicalHardwareRev   The vendor-specific hardware revision of the component.

entPhysicalFirmwareRev   The vendor-specific firmware revision of the component.

entPhysicalSoftwareRev   The vendor-specific software revision of the component.

entPhysicalSerialNum   The vendor-specific serial number of the component.

entPhysicalMfgName   The name of the manufacturer of the component.

entPhysicalMfgDate   The date when the component was manufactured.

entPhysicalModelName   The disk model number.

entPhysicalAlias   An alias that the network manager specified for the component.

entPhysicalAssetID   A user-assigned asset tracking identifier that the network manager specified for the component.

entPhysicalIsFRU   Indicates whether the component is a field replaceable unit (FRU).

entPhysicalUris   The Common Language Equipment Identifier (CLEI) number of the component (for example, URN:CLEI:CNME120ARA).

RFC 4133 defines this MIB.

ENTITY-SENSOR-MIB

ENTITY-SENSOR-MIB adds support for physical sensors of networking equipment beyond what ENTITY-MIB defines. Use this MIB in tandem with the ENTITY-MIB to monitor the operational status of the physical components of a system (for example, fans and temperature sensors). For example, to troubleshoot issues that might result from environmental conditions, you can map the entity indexes from the ENTITY-MIB (entPhysicalDescr object) to operational status values (entPhysSensorOperStatus object) in the ENTITY-SENSOR-MIB. In the following example, all the fans and temperature sensors for a PA-3020 firewall are working:

The same OID might refer to different sensors on different platforms. Use the ENTITY-MIB for the targeted platform to match the value to the description.

Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only portions of the entPhySensorTable group. The supported portions vary by platform and include only thermal (temperature in Celsius) and fan (in RPM) sensors.
RFC 3433 defines the ENTITY-SENSOR-MIB.

ENTITY-STATE-MIB

ENTITY-STATE-MIB provides information about the state of physical components beyond what ENTITY-MIB defines, including the administrative and operational state of components in chassis-based platforms. Use this MIB in tandem with the ENTITY-MIB to monitor the operational state of the components of a PA-7000 Series firewall (for example, line cards, fan trays, and power supplies). For example, to troubleshoot log forwarding issues for Threat logs, you can map the log processing card (LPC) indexes from the ENTITY-MIB (entPhysicalDescr object) to operational state values (entStateOper object) in the ENTITY-STATE-MIB. The operational state values use numbers to indicate state: 1 for unknown, 2 for disabled, 3 for enabled, and 4 for testing. The PA-7000 Series firewall is the only Palo Alto Networks firewall that supports this MIB.
RFC 4268 defines the ENTITY-STATE-MIB.
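The index join that the ENTITY-SENSOR-MIB and ENTITY-STATE-MIB sections describe, as an added example (not Palo Alto Networks code): it parses snmpwalk-style output for entPhysicalDescr, entPhysicalClass, entPhySensorValue, entPhySensorOperStatus and entStateOper, joins the columns on entPhysicalIndex, and lists components whose sensor is not ok or whose operational state is not enabled. The OIDs are the standard ones from RFC 4133, RFC 3433 and RFC 4268; the walk output and component names are constructed.

```python
"""Join ENTITY-MIB descriptions with ENTITY-SENSOR-MIB / ENTITY-STATE-MIB status
by entPhysicalIndex. Input is snmpwalk-style text with numeric OIDs."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard column OIDs (RFC 4133, RFC 3433, RFC 4268); not page-specific values.
ENT_PHYSICAL_DESCR = "1.3.6.1.2.1.47.1.1.1.1.2"
ENT_PHYSICAL_CLASS = "1.3.6.1.2.1.47.1.1.1.1.5"
ENT_PHY_SENSOR_VALUE = "1.3.6.1.2.1.99.1.1.1.4"
ENT_PHY_SENSOR_OPER_STATUS = "1.3.6.1.2.1.99.1.1.1.5"
ENT_STATE_OPER = "1.3.6.1.2.1.131.1.1.1.3"

SENSOR_OPER = {1: "ok", 2: "unavailable", 3: "nonoperational"}          # RFC 3433
STATE_OPER = {1: "unknown", 2: "disabled", 3: "enabled", 4: "testing"}  # as on this page
PHYSICAL_CLASS = {3: "chassis", 5: "container", 6: "powerSupply", 7: "fan",
                  8: "sensor", 9: "module"}                              # as on this page

# "oid = TYPE: value" as printed by snmpwalk -On; the TYPE: prefix is optional.
LINE_RE = re.compile(r'^\.?(?P<oid>[\d.]+)\s*=\s*(?:[A-Za-z0-9-]+:\s*)?(?P<val>.*)$')


def parse_walk(text: str) -> Dict[str, str]:
    """Map each OID to its value; surrounding quotes on STRING values are dropped."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out[m.group("oid")] = m.group("val").strip().strip('"')
    return out


def column(walk: Dict[str, str], base: str) -> Dict[int, str]:
    """{entPhysicalIndex: value} for every instance of one table column."""
    prefix = base + "."
    return {int(oid[len(prefix):]): val for oid, val in walk.items()
            if oid.startswith(prefix) and oid[len(prefix):].isdigit()}


@dataclass
class Component:
    index: int
    descr: str
    cls: str
    sensor_status: Optional[str] = None   # from ENTITY-SENSOR-MIB, if a sensor
    sensor_value: Optional[str] = None
    oper_state: Optional[str] = None      # from ENTITY-STATE-MIB, if present

    @property
    def healthy(self) -> bool:
        # Flag any sensor that is not "ok" and any component whose operational
        # state is reported but is not "enabled" (e.g. a disabled line card).
        if self.sensor_status not in (None, "ok"):
            return False
        return self.oper_state in (None, "enabled")


def join_entities(walk: Dict[str, str]) -> List[Component]:
    descr = column(walk, ENT_PHYSICAL_DESCR)
    cls = column(walk, ENT_PHYSICAL_CLASS)
    sstat = column(walk, ENT_PHY_SENSOR_OPER_STATUS)
    sval = column(walk, ENT_PHY_SENSOR_VALUE)
    ostate = column(walk, ENT_STATE_OPER)
    comps = []
    for idx in sorted(descr):
        c = Component(idx, descr[idx], PHYSICAL_CLASS.get(int(cls.get(idx, 0)), "other"))
        if idx in sstat:
            c.sensor_status = SENSOR_OPER.get(int(sstat[idx]), f"unknown({sstat[idx]})")
            c.sensor_value = sval.get(idx)
        if idx in ostate:
            c.oper_state = STATE_OPER.get(int(ostate[idx]), f"unknown({ostate[idx]})")
        comps.append(c)
    return comps


def unhealthy(walk: Dict[str, str]) -> List[str]:
    """'index:description' for every component that needs attention."""
    return [f"{c.index}:{c.descr}" for c in join_entities(walk) if not c.healthy]


# Constructed walk output: one stalled fan (status 3) and one disabled card (state 2).
SAMPLE_WALK = """
1.3.6.1.2.1.47.1.1.1.1.2.1 = STRING: "Chassis"
1.3.6.1.2.1.47.1.1.1.1.2.7 = STRING: "Fan #1 RPM"
1.3.6.1.2.1.47.1.1.1.1.2.8 = STRING: "Fan #2 RPM"
1.3.6.1.2.1.47.1.1.1.1.2.12 = STRING: "CPU temperature"
1.3.6.1.2.1.47.1.1.1.1.2.20 = STRING: "Log Processing Card slot 2"
1.3.6.1.2.1.47.1.1.1.1.5.1 = INTEGER: 3
1.3.6.1.2.1.47.1.1.1.1.5.7 = INTEGER: 7
1.3.6.1.2.1.47.1.1.1.1.5.8 = INTEGER: 7
1.3.6.1.2.1.47.1.1.1.1.5.12 = INTEGER: 8
1.3.6.1.2.1.47.1.1.1.1.5.20 = INTEGER: 9
1.3.6.1.2.1.99.1.1.1.4.7 = INTEGER: 5200
1.3.6.1.2.1.99.1.1.1.5.7 = INTEGER: 1
1.3.6.1.2.1.99.1.1.1.4.8 = INTEGER: 0
1.3.6.1.2.1.99.1.1.1.5.8 = INTEGER: 3
1.3.6.1.2.1.99.1.1.1.4.12 = INTEGER: 41
1.3.6.1.2.1.99.1.1.1.5.12 = INTEGER: 1
1.3.6.1.2.1.131.1.1.1.3.20 = INTEGER: 2
"""

if __name__ == "__main__":
    for c in join_entities(parse_walk(SAMPLE_WALK)):
        print(c)
    print("needs attention:", unhealthy(parse_walk(SAMPLE_WALK)))
```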

IEEE 802.3 LAG MIB

Use the IEEE 802.3 LAG MIB to monitor the status of aggregate groups that have Link Aggregation Control Protocol (LACP) enabled. When the firewall logs LACP events, it also generates traps that are useful for troubleshooting. For example, the traps can tell you whether traffic interruptions between the firewall and an LACP peer resulted from lost connectivity or from mismatched interface speed and duplex values.
PAN-OS implements the following SNMP tables for LACP. Note that the dot3adTablesLastChanged object indicates the time of the most recent change to dot3adAggTable, dot3adAggPortListTable, and dot3adAggPortTable.

Table   Description

Aggregator Configuration Table (dot3adAggTable)   This table contains information about every aggregate group that is associated with a firewall. Each aggregate group has one entry.
Some table objects have restrictions, which the dot3adAggIndex object describes. This index is the unique identifier that the local system assigns to the aggregate group. It identifies an aggregate group instance among the subordinate managed objects of the containing object. The identifier is read-only.
The ifTable MIB (a list of interface entries) does not support logical interfaces and therefore does not have an entry for the aggregate group.

Aggregation Port List Table (dot3adAggPortListTable)   This table lists the ports associated with each aggregate group in a firewall. Each aggregate group has one entry.
The dot3adAggPortListPorts attribute lists the complete set of ports associated with an aggregate group. Each bit set in the list represents a port member. For non-chassis platforms, this is a 64-bit value. For chassis platforms, the value is an array of eight 64-bit entries.

Aggregation Port Table (dot3adAggPortTable)   This table contains LACP configuration information about every port associated with an aggregate group in a firewall. Each port has one entry. The table has no entries for ports that are not associated with an aggregate group.

LACP Statistics Table (dot3adAggPortStatsTable)   This table contains link aggregation information about every port associated with an aggregate group in a firewall. Each port has one row. The table has no entries for ports that are not associated with an aggregate group.

The IEEE 802.3 LAG MIB includes the following LACP-related traps:

Trap Name   Description

panLACPLostConnectivityTrap   The peer lost connectivity to the firewall.

panLACPUnresponsiveTrap   The peer does not respond to the firewall.

panLACPNegoFailTrap   LACP negotiation with the peer failed.

panLACPSpeedDuplexTrap   The link speed and duplex settings on the firewall and peer do not match.

panLACPLinkDownTrap   An interface in the aggregate group is down.

panLACPLacpDownTrap   An interface was removed from the aggregate group.

panLACPLacpUpTrap   An interface was added to the aggregate group.

For the MIB definitions, refer to IEEE 802.3 LAG MIB.

LLDP-V2-MIB.my

Use the LLDP-V2-MIB to monitor Link Layer Discovery Protocol (LLDP) events. For example, you can check the lldpV2StatsRxPortFramesDiscardedTotal object to see the number of LLDP frames that were discarded for any reason. The Palo Alto Networks firewall uses LLDP to discover neighboring devices and their capabilities. LLDP makes troubleshooting easier, especially for virtual wire deployments where the ping or traceroute utilities won't detect the firewall.
Palo Alto Networks firewalls support all the LLDP-V2-MIB objects except:
• The following lldpV2Statistics objects:
  lldpV2StatsRemTablesLastChangeTime
  lldpV2StatsRemTablesInserts
  lldpV2StatsRemTablesDeletes
  lldpV2StatsRemTablesDrops
  lldpV2StatsRemTablesAgeouts
• The following lldpV2RemoteSystemsData objects:
  The lldpV2RemOrgDefInfoTable table
  In the lldpV2RemTable table: lldpV2RemTimeMark
RFC 4957 defines this MIB.

BFD-STD-MIB

Use the Bidirectional Forwarding Detection (BFD) MIB to monitor and receive failure alerts for the bidirectional path between two forwarding engines, such as interfaces, data links, or the actual engines. For example, you can check the bfdSessState object to see the state of a BFD session between forwarding engines. In the Palo Alto Networks implementation, one of the forwarding engines is a firewall interface and the other is an adjacent configured BFD peer.
RFC 7331 defines this MIB.

PAN-COMMON-MIB.my

Use the PAN-COMMON-MIB to monitor the following information for Palo Alto Networks firewalls, Panorama, and WF-500 appliances:

Object Group   Description

panSys   Contains such objects as system software/hardware versions, dynamic content versions, serial number, HA mode/state, and global counters.
The global counters include those related to Denial of Service (DoS), IP fragmentation, TCP state, and dropped packets. Tracking these counters enables you to monitor traffic irregularities that result from DoS attacks, system or connection faults, or resource limitations. PAN-COMMON-MIB supports global counters for firewalls but not for Panorama.

panChassis   Chassis type and M-Series appliance mode (Panorama or Log Collector).

panSession   Session utilization information. For example, the total number of active sessions on the firewall or a specific virtual system.

panMgmt   Status of the connection from the firewall to the Panorama management server.

panGlobalProtect   GlobalProtect gateway utilization as a percentage, maximum tunnels allowed, and number of active tunnels.

panLogCollector   Logging statistics for each Log Collector, including logging rate, log quotas, disk usage, retention periods, log redundancy (enabled or disabled), the forwarding status from firewalls to Log Collectors, the forwarding status from Log Collectors to external services, and the status of firewall-to-Log Collector connections.

panDeviceLogging   Logging statistics for each firewall, including logging rate, disk usage, retention periods, the forwarding status from individual firewalls to Panorama and external servers, and the status of firewall-to-Log Collector connections.

PAN-GLOBAL-REG-MIB.my

PAN-GLOBAL-REG-MIB.my contains global, top-level OID definitions for various sub-trees of Palo Alto Networks enterprise MIB modules. This MIB doesn't contain objects for you to monitor; it is required only for referencing by other MIBs.

PAN-GLOBAL-TC-MIB.my

PAN-GLOBAL-TC-MIB.my defines conventions (for example, character length and allowed characters) for the text values of objects in Palo Alto Networks enterprise MIB modules. All Palo Alto Networks products use these conventions. This MIB doesn't contain objects for you to monitor; it is required only for referencing by other MIBs.

PAN-LC-MIB.my

PAN-LC-MIB.my contains definitions of managed objects that Log Collectors (M-Series appliances in Log Collector mode) implement. Use this MIB to monitor the logging rate, log database storage duration (in days), and disk usage (in MB) of each logical disk (up to four) on a Log Collector. For example, you can use this information to determine whether you should add more Log Collectors or forward logs to an external server (for example, a syslog server) for archiving.

PAN-PRODUCT-MIB.my

PAN-PRODUCT-MIB.my defines sysObjectID OIDs for all Palo Alto Networks products. This MIB doesn't contain objects for you to monitor; it is required only for referencing by other MIBs.

PAN-ENTITY-EXT-MIB.my

Use PAN-ENTITY-EXT-MIB.my in tandem with the ENTITY-MIB to monitor power usage for the physical components of a PA-7000 Series firewall (for example, fan trays and power supplies), which is the only Palo Alto Networks firewall that supports this MIB. For example, when troubleshooting log forwarding issues, you might want to check the power usage of the log processing cards (LPCs): you can map the LPC indexes from the ENTITY-MIB (entPhysicalDescr object) to values in the PAN-ENTITY-EXT-MIB (panEntryFRUModelPowerUsed object).


PAN-TRAPS.my

Use PAN-TRAPS.my to see a complete listing of all the generated traps and information about them (for example, a description). For a list of traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support, refer to the PAN-COMMON-MIB.my > panCommonEvents > panCommonEventsEvents > panCommonEventEventsV2 object.


Forward Logs to an HTTP(S) Destination

The firewall and Panorama can forward logs to an HTTP server. You can choose to forward all logs or selectively forward logs to trigger an action on an external HTTP-based service when an event occurs. When forwarding logs to an HTTP server, you can choose the following options:
• Configure the firewall to send an HTTP-based API request directly to a third-party service to trigger an action based on the attributes in a firewall log. You can configure the firewall to work with any HTTP-based service that exposes an API, and modify the URL, HTTP header, parameters, and the payload in the HTTP request to meet your integration needs.
• Tag the source or destination IP address in a log entry automatically and register the IP address and tag mapping to a User-ID agent on the firewall or Panorama, or to a remote User-ID agent, so that you can respond to an event and dynamically enforce security policy. To enforce policy, you must Use Dynamic Address Groups in Policy.

Forward Logs to an HTTP Destination and Enable Tagging

Step 1   Create an HTTP server profile to forward logs to an HTTP(S) destination.
The HTTP server profile allows you to specify how to access the server and define the format in which to forward logs to the HTTP(S) destination. By default, the firewall uses the management port to forward these logs. You can, however, assign a different source interface and IP address in Device > Setup > Services > Service Route Configuration.
1. Select Device > Server Profiles > HTTP, add a Name for the server profile, and select the Location. The profile can be Shared across all virtual systems or can belong to a specific virtual system.
2. Click Add to provide the details for each server. Each profile can have a maximum of 4 servers.
3. Enter a Name and IP Address.
4. Select the Protocol (HTTP or HTTPS). The default Port is 80 or 443 respectively; you can modify the port number to match the port on which your HTTP server listens.
5. Select the HTTP Method that the third-party service supports: PUT, POST (default), GET, and DELETE.
6. Enter the Username and Password for authenticating to the server, if needed. Click OK.
7. Select Test Server Connection to verify network connectivity between the firewall and the HTTP(S) server.

Step 2   Select the Payload Format for the HTTP request.
1. Select the Log Type link for each log type for which you want to define the HTTP request format.
2. Select the Pre-defined Formats drop-down to view the formats available through content updates, or create a custom format.
If you create a custom format, the URI is the resource endpoint on the HTTP service. The firewall appends the URI to the IP address you defined earlier to construct the URL for the HTTP request. Ensure that the URI and payload format match the syntax that your third-party vendor requires. You can use any attribute supported on the selected log type within the HTTP Header, Parameter and Value pairs, and in the request payload.
3. Send Test Log to verify that the HTTP server receives the request. When you interactively send a test log, the firewall uses the format as is and does not replace the variable with a value from a firewall log. If your HTTP server sends a 404 response, provide values for the parameters so that the server can process the request successfully.

Step 3   Define the match criteria for when the firewall will forward logs to the HTTP server, and attach the HTTP server profile to use.
1. Select the log types for which you want to trigger a workflow:
   • Add a Log Forwarding Profile (Objects > Log Forwarding Profile) for logs that pertain to user activity. For example, Traffic, Threat, or Authentication logs.
   • Select Device > Log Settings for logs that pertain to system events, such as Configuration or System logs.
2. Select the Log Type and use the new Filter Builder to define the match criteria.
3. Add the HTTP server profile for forwarding logs to the HTTP destination.
4. Add a tag to the source or destination IP address in the log entry. This capability allows you to use dynamic address groups and security policy rules to limit network access or isolate the IP address until you can triage the affected user device.
Select Add in the Built-in Actions section and select the Target, Action: Add Tag, and Registration to register the tag to the local User-ID on a firewall or to the Panorama that is managing the firewall.
If you want to register the tag to a remote User-ID agent, see Step 4.

Step 4   Register or unregister a tag on a source or destination IP address in a log entry to a remote User-ID agent.
1. Select Device > Server Profiles > HTTP, add a Name for the server profile, and select the Location. The profile can be Shared across all virtual systems or can belong to a specific virtual system.
2. Select Tag Registration to enable the firewall to register the IP address and tag mapping with the User-ID agent on a remote firewall. With tag registration enabled, you cannot specify the payload format.
3. Add the connection details to access the remote User-ID agent.
4. Select the log type (Objects > Log Forwarding Profile or Device > Log Settings) for which you want to add a tag to the source or destination IP address in the log entry.
5. Select Add in the Built-in Actions section and Name the action. Select the following options to register the tag on the remote User-ID agent:
   • Target: Select source or destination IP address.
   • Action: Add Tag or Remove Tag.
   • Registration: Remote User-ID agent.
   • HTTP Profile: Select the profile you created with Tag Registration enabled.
   • Tag: Enter a new tag or select from the drop-down.
For dynamic policy enforcement, Use Dynamic Address Groups in Policy.


NetFlow Monitoring

NetFlow is an industry-standard protocol that the firewall can use to export statistics about the IP traffic on its interfaces. The firewall exports the statistics as NetFlow fields to a NetFlow collector. The NetFlow collector is a server you use to analyze network traffic for security, administration, accounting and troubleshooting. All Palo Alto Networks firewalls support NetFlow Version 9. The firewalls support only unidirectional NetFlow, not bidirectional. The firewalls perform NetFlow processing on all IP packets on the interfaces and do not support sampled NetFlow. You can export NetFlow records for Layer 3, Layer 2, virtual wire, tap, VLAN, loopback, and tunnel interfaces. For aggregate Ethernet interfaces, you can export records for the aggregate group but not for individual interfaces within the group. To identify firewall interfaces in a NetFlow collector, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors. The firewalls support standard and enterprise (PAN-OS specific) NetFlow Templates, which NetFlow collectors use to decipher the NetFlow fields.
• Configure NetFlow Exports
• NetFlow Templates

Configure NetFlow Exports

To use a NetFlow collector for analyzing the network traffic on firewall interfaces, perform the following steps to configure NetFlow record exports.

Configure NetFlow Exports

Step 1   Create a NetFlow server profile. The profile defines which NetFlow collectors will receive the exported records and specifies export parameters.
1. Select Device > Server Profiles > NetFlow and Add a profile.
2. Enter a Name to identify the profile.
3. Specify the rate at which the firewall refreshes NetFlow Templates in Minutes (default is 30) and Packets (exported records; default is 20), according to the requirements of your NetFlow collector. The firewall refreshes the templates after either threshold is passed.
4. Specify the Active Timeout, which is the frequency in minutes at which the firewall exports records (default is 5).
5. Select PAN-OS Field Types if you want the firewall to export App-ID and User-ID fields.
6. Add each NetFlow collector (up to two per profile) that will receive records. For each collector, specify the following:
   • Name to identify the collector.
   • NetFlow Server hostname or IP address.
   • Access Port (default 2055).
7. Click OK to save the profile.
Step 2   Assign the NetFlow server profile to the firewall interfaces that convey the traffic you want to analyze. In this example, you assign the profile to an existing Ethernet interface.
1. Select Network > Interfaces > Ethernet and click an interface name to edit it.
You can export NetFlow records for Layer 3, Layer 2, virtual wire, tap, VLAN, loopback, and tunnel interfaces. For aggregate Ethernet interfaces, you can export records for the aggregate group but not for individual interfaces within the group.
2. Select the NetFlow server profile (NetFlow Profile) you configured and click OK.

Step 3   (PA-7000 Series and PA-5200 Series firewalls only) Configure a service route for the interface that the firewall will use to send NetFlow records. The interface that sends records does not have to be the same as the interface for which the firewall collects the records. You cannot use the management (MGT) interface to send NetFlow records from the PA-7000 Series and PA-5200 Series firewalls.
1. Select Device > Setup > Services.
2. (Firewall with multiple virtual systems) Select one of the following:
   • Global: Select this option if the service route applies to all virtual systems on the firewall.
   • Virtual Systems: Select this option if the service route applies to a specific virtual system. Set the Location to the virtual system.
3. Select Service Route Configuration and select the protocol (IPv4 or IPv6) that the interface uses. You can configure the service route for both protocols if necessary.
4. Click Netflow and select the Source Interface and Source Address (IP address).
5. Click OK twice to save your changes.

Step 4   Commit your changes. Click Commit to activate your changes.

Step 5   Monitor the firewall traffic in a NetFlow collector. Refer to your NetFlow collector documentation.
When monitoring statistics, you must match the interface indexes in the NetFlow collector with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.
To troubleshoot NetFlow delivery issues, use the operational CLI command debug log-receiver netflow statistics.

NetFlow Templates

NetFlow collectors use templates to decipher the fields that the firewall exports. The firewall selects a template based on the type of exported data: IPv4 or IPv6 traffic, with or without NAT, and with standard or enterprise-specific (PAN-OS specific) fields. The firewall periodically refreshes templates to re-evaluate which one to use (in case the type of exported data changes) and to apply any changes to the fields in the selected template. When you Configure NetFlow Exports, set the refresh rate based on a time interval and a number of exported records according to the requirements of your NetFlow collector. The firewall refreshes the templates after either threshold is passed.
The Palo Alto Networks firewall supports the following NetFlow templates:


Template   ID

IPv4 Standard   256

IPv4 Enterprise   257

IPv6 Standard   258

IPv6 Enterprise   259

IPv4 with NAT Standard   260

IPv4 with NAT Enterprise   261

IPv6 with NAT Standard   262

IPv6 with NAT Enterprise   263

The following table lists the NetFlow fields that the firewall can send, along with the templates that define them:

Value   Field   Description   Templates

1   IN_BYTES   Incoming counter with length N*8 bits for the number of bytes associated with an IP flow. By default, N is 4.   All templates

2   IN_PKTS   Incoming counter with length N*8 bits for the number of packets associated with an IP flow. By default, N is 4.   All templates

4   PROTOCOL   IP protocol byte.   All templates

5   TOS   Type of Service byte setting when entering the ingress interface.   All templates

6   TCP_FLAGS   Total of all the TCP flags in this flow.   All templates

7   L4_SRC_PORT   TCP/UDP source port number (for example, FTP, Telnet, or equivalent).   All templates

8   IPV4_SRC_ADDR   IPv4 source address.   IPv4 standard, IPv4 enterprise, IPv4 with NAT standard, IPv4 with NAT enterprise

10   INPUT_SNMP   Input interface index. The value length is 2 bytes by default, but higher values are possible. For details on how Palo Alto Networks firewalls generate interface indexes, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.   All templates

11   L4_DST_PORT   TCP/UDP destination port number (for example, FTP, Telnet, or equivalent).   All templates

12   IPV4_DST_ADDR   IPv4 destination address.   IPv4 standard, IPv4 enterprise, IPv4 with NAT standard, IPv4 with NAT enterprise

14   OUTPUT_SNMP   Output interface index. The value length is 2 bytes by default, but higher values are possible. For details on how Palo Alto Networks firewalls generate interface indexes, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.   All templates

21   LAST_SWITCHED   System uptime in milliseconds when the last packet of this flow was switched.   All templates

22   FIRST_SWITCHED   System uptime in milliseconds when the first packet of this flow was switched.   All templates

27   IPV6_SRC_ADDR   IPv6 source address.   IPv6 standard, IPv6 enterprise, IPv6 with NAT standard, IPv6 with NAT enterprise

28   IPV6_DST_ADDR   IPv6 destination address.   IPv6 standard, IPv6 enterprise, IPv6 with NAT standard, IPv6 with NAT enterprise

32   ICMP_TYPE   Internet Control Message Protocol (ICMP) packet type. This is reported as: ICMP Type * 256 + ICMP code.   All templates

61   DIRECTION   Flow direction: 0 = ingress, 1 = egress.   All templates

148   flowId   An identifier of a flow that is unique within an observation domain. You can use this information element to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported or are reported in separate records. The flow ID corresponds to the session ID field in Traffic and Threat logs.   All templates

233   firewallEvent   Indicates a firewall event: 0 = Ignore (invalid), 1 = Flow created, 2 = Flow deleted, 3 = Flow denied, 4 = Flow alert, 5 = Flow update (the session state changed from active to deny).   All templates

225   postNATSourceIPv4Address   The definition of this information element is identical to that of sourceIPv4Address, except that it reports a modified value that the firewall produced during network address translation after the packet traversed the interface.   IPv4 with NAT standard, IPv4 with NAT enterprise

226   postNATDestinationIPv4Address   The definition of this information element is identical to that of destinationIPv4Address, except that it reports a modified value that the firewall produced during network address translation after the packet traversed the interface.   IPv4 with NAT standard, IPv4 with NAT enterprise

227   postNAPTSourceTransportPort   The definition of this information element is identical to that of sourceTransportPort, except that it reports a modified value that the firewall produced during network address port translation after the packet traversed the interface.   IPv4 with NAT standard, IPv4 with NAT enterprise

228   postNAPTDestinationTransportPort   The definition of this information element is identical to that of destinationTransportPort, except that it reports a modified value that the firewall produced during network address port translation after the packet traversed the interface.   IPv4 with NAT standard, IPv4 with NAT enterprise

281   postNATSourceIPv6Address   The definition of this information element is identical to the definition of information element sourceIPv6Address, except that it reports a modified value that the firewall produced during NAT64 network address translation after the packet traversed the interface. See RFC 2460 for the definition of the source address field in the IPv6 header. See RFC 6146 for the NAT64 specification.   IPv6 with NAT standard, IPv6 with NAT enterprise

282   postNATDestinationIPv6Address   The definition of this information element is identical to the definition of information element destinationIPv6Address, except that it reports a modified value that the firewall produced during NAT64 network address translation after the packet traversed the interface. See RFC 2460 for the definition of the destination address field in the IPv6 header. See RFC 6146 for the NAT64 specification.   IPv6 with NAT standard, IPv6 with NAT enterprise

346   privateEnterpriseNumber   This is a unique private enterprise number that identifies Palo Alto Networks: 25461.   IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise

56701   AppID   The name of an application that App-ID identified. The name can be up to 32 bytes.   IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise

56702   UserID   A username that User-ID identified. The name can be up to 64 bytes.   IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise
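A NetFlow v9 decoder for the templates and fields listed above, as an added example (not Palo Alto Networks code or a real collector): it reads the template FlowSet, decodes data records against it, splits ICMP_TYPE into type and code as the table specifies, and names firewallEvent and DIRECTION values. The packet is constructed inline; the field byte lengths in the constructed template 257 (including a fixed 32-byte AppID) are assumptions of this example, since a collector learns the real lengths only from the templates the firewall sends.

```python
"""Decode NetFlow v9 export packets using the PAN-OS template IDs and field IDs
from the tables on this page. Packet layout follows RFC 3954."""
import struct
import ipaddress
from typing import Dict, List, Tuple

FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "TOS", 6: "TCP_FLAGS",
               7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
               12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP", 21: "LAST_SWITCHED",
               22: "FIRST_SWITCHED", 27: "IPV6_SRC_ADDR", 28: "IPV6_DST_ADDR",
               32: "ICMP_TYPE", 61: "DIRECTION", 148: "flowId", 233: "firewallEvent",
               346: "privateEnterpriseNumber", 56701: "AppID", 56702: "UserID"}
TEMPLATE_NAMES = {256: "IPv4 Standard", 257: "IPv4 Enterprise", 258: "IPv6 Standard",
                  259: "IPv6 Enterprise", 260: "IPv4 with NAT Standard",
                  261: "IPv4 with NAT Enterprise", 262: "IPv6 with NAT Standard",
                  263: "IPv6 with NAT Enterprise"}
FIREWALL_EVENT = {0: "ignore", 1: "flow created", 2: "flow deleted", 3: "flow denied",
                  4: "flow alert", 5: "flow update"}
DIRECTION = {0: "ingress", 1: "egress"}
PAN_PEN = 25461  # privateEnterpriseNumber for Palo Alto Networks (from the table)


def decode_record(raw: bytes, fields: List[Tuple[int, int]], template_id: int) -> dict:
    """Decode one data record with the (field type, length) list of its template."""
    rec = {"template": TEMPLATE_NAMES.get(template_id, str(template_id))}
    pos = 0
    for ftype, flen in fields:
        chunk = raw[pos:pos + flen]
        pos += flen
        name = FIELD_NAMES.get(ftype, f"field{ftype}")
        if ftype in (8, 12):
            val = str(ipaddress.IPv4Address(chunk))
        elif ftype in (27, 28):
            val = str(ipaddress.IPv6Address(chunk))
        elif ftype in (56701, 56702):          # fixed-length, NUL-padded text
            val = chunk.rstrip(b"\x00").decode("utf-8", "replace")
        else:
            val = int.from_bytes(chunk, "big")
        if ftype == 32:                        # table: ICMP Type * 256 + ICMP code
            rec["ICMP_TYPE"], rec["ICMP_CODE"] = val >> 8, val & 0xFF
            continue
        if ftype == 61:
            val = DIRECTION.get(val, val)
        elif ftype == 233:
            val = FIREWALL_EVENT.get(val, f"unknown({val})")
        rec[name] = val
    return rec


def parse_netflow_v9(packet: bytes, templates: Dict[int, List[Tuple[int, int]]]) -> List[dict]:
    """Parse one export packet. Template FlowSets (ID 0) update `templates`; data
    FlowSets are decoded with the template of matching ID. A data FlowSet whose
    template has not been seen yet is skipped, which is why the template refresh
    rate in the NetFlow server profile matters to the collector."""
    version, _count, _uptime, _secs, _seq, _source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records = []
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[tid] = fields
        elif fs_id >= 256 and fs_id in templates:
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while pos + rec_len <= len(body):   # trailing bytes are padding
                records.append(decode_record(body[pos:pos + rec_len], fields, fs_id))
                pos += rec_len
        off += fs_len
    return records


def build_sample_packet() -> bytes:
    """Constructed packet: template 257 (IPv4 Enterprise) with a subset of its
    fields, then a data FlowSet with two records. Interface indexes 6 and 7 are
    the PA-5000 Series Eth1/4 and Eth1/5 values from the formulas on this page."""
    fields = [(1, 4), (2, 4), (4, 1), (7, 2), (8, 4), (10, 2), (11, 2), (12, 4), (14, 2),
              (32, 2), (61, 1), (148, 8), (233, 1), (346, 4), (56701, 32)]
    tmpl = struct.pack("!HH", 257, len(fields))
    tmpl += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(nbytes, pkts, proto, sport, src, dport, dst, icmp, fid, event, app):
        fixed = struct.pack("!IIBH4sHH4sHHBQBI", nbytes, pkts, proto, sport,
                            ipaddress.IPv4Address(src).packed, 6, dport,
                            ipaddress.IPv4Address(dst).packed, 7, icmp, 0, fid, event, PAN_PEN)
        return fixed + app.encode().ljust(32, b"\x00")

    data = rec(1200, 10, 6, 51515, "10.1.1.5", 443, "198.51.100.10", 0, 7001, 1, "ssl")
    data += rec(84, 1, 1, 0, "10.1.1.7", 0, "198.51.100.20", 3 * 256 + 1, 7002, 3, "ping")
    data_fs = struct.pack("!HH", 257, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 3, 123456, 1490000000, 1, 0)
    return header + tmpl_fs + data_fs


if __name__ == "__main__":
    for r in parse_netflow_v9(build_sample_packet(), {}):
        print(r)
```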


Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors

When you use a NetFlow collector (see NetFlow Monitoring) or SNMP manager (see SNMP Monitoring and Traps) to monitor the Palo Alto Networks firewall, an interface index (SNMP ifindex object) identifies the interface that carried a particular flow (see Figure: Interface Indexes in an SNMP Manager). In contrast, the firewall web interface uses interface names as identifiers (for example, ethernet1/1), not indexes. To understand which statistics that you see in a NetFlow collector or SNMP manager apply to which firewall interface, you must be able to match the interface indexes with interface names.

Figure: Interface Indexes in an SNMP Manager

You can match the indexes with names by understanding the formulas that the firewall uses to calculate indexes. The formulas vary by platform and interface type: physical or logical.
Physical interface indexes have a range of 1-9999, which the firewall calculates as follows:

Firewall Platform   Calculation   Example Interface Index

Non-chassis-based: VM-Series, PA-200, PA-220, PA-500, PA-800, PA-3000 Series, PA-5000 Series, PA-5200 Series
   Calculation: MGT port + physical port offset
   • MGT port: This is a constant that depends on the platform: 2 for hardware-based firewalls (for example, the PA-5000 Series firewall); 1 for the VM-Series firewall.
   • Physical port offset: This is the physical port number.
   Example: PA-5000 Series firewall, Eth1/4 = 2 (MGT port) + 4 (physical port) = 6

Chassis-based: PA-7000 Series firewalls (this platform supports SNMP but not NetFlow)
   Calculation: (Max. ports * slot) + physical port offset + MGT port
   • Maximum ports: This is a constant of 64.
   • Slot: This is the chassis slot number of the network interface card.
   • Physical port offset: This is the physical port number.
   • MGT port: This is a constant of 5 for PA-7000 Series firewalls.
   Example: PA-7000 Series firewall, Eth3/9 = [64 (max. ports) * 3 (slot)] + 9 (physical port) + 5 (MGT port) = 206

Logical interface indexes for all platforms are nine-digit numbers that the firewall calculates as follows:

Interface Type   Range   Digit 9   Digits 7-8   Digits 5-6   Digits 1-4   Example Interface Index

Layer 3 subinterface   101010001-199999999   Type: 1   Interface slot: 1-9 (01-09)   Interface port: 1-9 (01-09)   Subinterface suffix: 1-9999 (0001-9999)   Eth1/5.22 = 100000000 (type) + 1000000 (slot) + 50000 (port) + 22 (suffix) = 101050022

Layer 2 subinterface   101010001-199999999   Type: 1   Interface slot: 1-9 (01-09)   Interface port: 1-9 (01-09)   Subinterface suffix: 1-9999 (0001-9999)   Eth2/3.6 = 100000000 (type) + 2000000 (slot) + 30000 (port) + 6 (suffix) = 102030006

Vwire subinterface   101010001-199999999   Type: 1   Interface slot: 1-9 (01-09)   Interface port: 1-9 (01-09)   Subinterface suffix: 1-9999 (0001-9999)   Eth4/2.312 = 100000000 (type) + 4000000 (slot) + 20000 (port) + 312 (suffix) = 104020312

VLAN   200000001-200009999   Type: 2   00   00   VLAN suffix: 1-9999 (0001-9999)   VLAN.55 = 200000000 (type) + 55 (suffix) = 200000055

Loopback   300000001-300009999   Type: 3   00   00   Loopback suffix: 1-9999 (0001-9999)   Loopback.55 = 300000000 (type) + 55 (suffix) = 300000055

Tunnel   400000001-400009999   Type: 4   00   00   Tunnel suffix: 1-9999 (0001-9999)   Tunnel.55 = 400000000 (type) + 55 (suffix) = 400000055

Aggregate group   500010001-500089999   Type: 5   00   AE suffix: 1-8 (01-08)   Subinterface suffix: 1-9999 (0001-9999)   AE5.99 = 500000000 (type) + 50000 (AE suffix) + 99 (suffix) = 500050099
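The two index formulas above, carried through in code as an added example (not Palo Alto Networks code): it computes the SNMP/NetFlow interface index for a web-interface name and reverses a nine-digit logical index back to its parts, which is the matching step that the NetFlow and SNMP sections say you must do by hand. The name grammar (ethernet<slot>/<port>[.<suffix>], ae<n>.<suffix>, vlan.<n>, loopback.<n>, tunnel.<n>) is a hypothetical parser modelled on the names the page cites; the digit layout follows the table, so the slot occupies digits 7-8 and contributes slot x 1,000,000.

```python
"""Compute and decode PAN-OS interface indexes (SNMP ifIndex / NetFlow
INPUT_SNMP and OUTPUT_SNMP) from the formulas in the two tables above."""
import re
from typing import Optional

MGT_PORT = {"hardware": 2, "vm": 1, "pa7000": 5}      # MGT constants from the physical table
MAX_PORTS_PER_SLOT = 64                                # PA-7000 Series constant
TYPE_DIGIT = {"vlan": 2, "loopback": 3, "tunnel": 4}   # digit 9 of a logical index

# Hypothetical name grammar modelled on the web-interface names the page cites.
NAME_RE = re.compile(
    r"^(?:ethernet(?P<slot>\d+)/(?P<port>\d+)(?:\.(?P<sub>\d+))?"
    r"|ae(?P<ae>\d+)\.(?P<aesub>\d+)"
    r"|(?P<kind>vlan|loopback|tunnel)\.(?P<n>\d+))$", re.IGNORECASE)


def physical_index(platform: str, slot: int, port: int) -> int:
    """Non-chassis: MGT port + port offset. PA-7000: (64 * slot) + port + MGT port."""
    if platform == "pa7000":
        return MAX_PORTS_PER_SLOT * slot + port + MGT_PORT["pa7000"]
    return MGT_PORT[platform] + port


def logical_index(kind: str, suffix: int, slot: int = 0, port: int = 0) -> int:
    """Nine digits: digit 9 = type, digits 7-8 = slot, digits 5-6 = port (or AE
    number), digits 1-4 = suffix. Layer 3, Layer 2 and vwire subinterfaces all
    use type 1, so the index alone does not reveal the interface mode."""
    if not 1 <= suffix <= 9999:
        raise ValueError("suffix must be 1-9999")
    if kind == "subinterface":
        if not (1 <= slot <= 9 and 1 <= port <= 9):
            raise ValueError("slot and port must be 1-9")
        return 100_000_000 + slot * 1_000_000 + port * 10_000 + suffix
    if kind == "ae":
        if not 1 <= port <= 8:
            raise ValueError("AE number must be 1-8")
        return 500_000_000 + port * 10_000 + suffix
    return TYPE_DIGIT[kind] * 100_000_000 + suffix


def index_for_name(name: str, platform: str = "hardware") -> int:
    """Index for a web-interface name such as ethernet1/5.22, ae5.99 or vlan.55.
    The platform only matters for physical interfaces (their MGT constant)."""
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised interface name: {name}")
    g = m.groupdict()
    if g["slot"] is not None:
        slot, port = int(g["slot"]), int(g["port"])
        if g["sub"] is None:
            return physical_index(platform, slot, port)
        return logical_index("subinterface", int(g["sub"]), slot, port)
    if g["ae"] is not None:
        return logical_index("ae", int(g["aesub"]), port=int(g["ae"]))
    return logical_index(g["kind"].lower(), int(g["n"]))


def safe_index(name: str, platform: str = "hardware") -> Optional[int]:
    """None instead of an exception, for bulk lookups over collector output."""
    try:
        return index_for_name(name, platform)
    except (ValueError, KeyError):
        return None


def decode_index(idx: int) -> dict:
    """Reverse the formulas. A physical index (1-9999) cannot be turned back into
    a name without knowing the platform's MGT constant, so it is returned as-is."""
    if 1 <= idx <= 9999:
        return {"kind": "physical", "index": idx}
    if not 100_000_000 <= idx < 600_000_000:
        raise ValueError(f"not a PAN-OS interface index: {idx}")
    type_digit, suffix = idx // 100_000_000, idx % 10_000
    if type_digit == 1:
        slot, port = (idx // 1_000_000) % 100, (idx // 10_000) % 100
        return {"kind": "subinterface", "name": f"ethernet{slot}/{port}.{suffix}"}
    if type_digit == 5:
        return {"kind": "ae-subinterface", "name": f"ae{(idx // 10_000) % 100}.{suffix}"}
    kind = {2: "vlan", 3: "loopback", 4: "tunnel"}[type_digit]
    return {"kind": kind, "name": f"{kind}.{suffix}"}


if __name__ == "__main__":
    for n in ("ethernet1/4", "ethernet1/5.22", "ae5.99", "vlan.55"):
        print(n, "->", index_for_name(n))
    print(decode_index(104020312))
```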

User-ID
The user identity, as opposed to an IP address, is an integral component of an effective security infrastructure. Knowing who is using each of the applications on your network, and who may have transmitted a threat or is transferring files, can strengthen security policies and reduce incident response times. User-ID, a standard feature on the Palo Alto Networks firewall, enables you to leverage user information stored in a wide range of repositories. The following topics provide more details about User-ID and how to configure it:
• User-ID Overview
• User-ID Concepts
• Enable User-ID
• Map Users to Groups
• Map IP Addresses to Users
• Enable User- and Group-Based Policy
• Enable Policy for Users with Multiple Accounts
• Verify the User-ID Configuration
• Deploy User-ID in a Large-Scale Network

User-ID Overview

User-ID enables you to identify all users on your network using a variety of techniques to ensure that you can identify users in all locations using a variety of access methods and operating systems, including Microsoft Windows, Apple iOS, Mac OS, Android, and Linux/UNIX. Knowing who your users are instead of just their IP addresses enables:
• Visibility: Improved visibility into application usage based on users gives you a more relevant picture of network activity. The power of User-ID becomes evident when you notice a strange or unfamiliar application on your network. Using either ACC or the log viewer, your security team can discern what the application is, who the user is, the bandwidth and session consumption, along with the source and destination of the application traffic, as well as any associated threats.
• Policy control: Tying user information to Security policy rules improves safe enablement of applications traversing the network and ensures that only those users who have a business need for an application have access. For example, some applications, such as SaaS applications that enable access to Human Resources services (such as Workday or ServiceNow), must be available to any known user on your network. However, for more sensitive applications you can reduce your attack surface by ensuring that only users who need these applications can access them. For example, while IT support personnel may legitimately need access to remote desktop applications, the majority of your users do not.
• Logging, reporting, forensics: If a security incident occurs, forensics analysis and reporting based on user information rather than just IP addresses provides a more complete picture of the incident. For example, you can use the predefined User/Group Activity report to see a summary of the web activity of individual users or user groups, or the SaaS Application Usage report to see which users are transferring the most data over unsanctioned SaaS applications.
To enforce user- and group-based policies, the firewall must be able to map the IP addresses in the packets it receives to usernames. User-ID provides many mechanisms to collect this User Mapping information. For example, the User-ID agent monitors server logs for login events and listens for syslog messages from authenticating services. To identify mappings for IP addresses that the agent didn't map, you can configure Authentication Policy to redirect HTTP requests to a Captive Portal login. You can tailor the user mapping
mechanismstosuityourenvironment,andevenusedifferentmechanismsatdifferentsitestoensurethat
youaresafelyenablingaccesstoapplicationsforallusers,inalllocations,allthetime.

Figure:UserID

406 PANOS8.0AdministratorsGuide PaloAltoNetworks,Inc.


UserID UserIDOverview

Toenableuserandgroupbasedpolicyenforcement,thefirewallrequiresalistofallavailableusersand
theircorrespondinggroupmembershipssothatyoucanselectgroupswhendefiningyourpolicyrules.The
firewallcollectsGroupMappinginformationbyconnectingdirectlytoyourLDAPdirectoryserver,orusing
XMLAPIintegrationwithyourdirectoryserver.
SeeUserIDConceptsforinformationonhowUserIDworksandEnableUserIDforinstructionsonsetting
upUserID.

UserIDdoesnotworkinenvironmentswherethesourceIPaddressesofusersaresubjectto
NATtranslationbeforethefirewallmapstheIPaddressestousernames.

PaloAltoNetworks,Inc. PANOS8.0AdministratorsGuide 407


User-ID Concepts

- Group Mapping
- User Mapping

Group Mapping

To define policy rules based on user or group, first you create an LDAP server profile that defines how the firewall connects and authenticates to your directory server. The firewall supports a variety of directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server. The server profile also defines how the firewall searches the directory to retrieve the list of groups and the corresponding list of members. If you are using a directory server that is not natively supported by the firewall, you can integrate the group mapping function using the XML API. You can then create a group mapping configuration to Map Users to Groups and Enable User- and Group-Based Policy.

Defining policy rules based on group membership rather than on individual users simplifies administration because you don't have to update the rules whenever new users are added to a group. When configuring group mapping, you can limit which groups will be available in policy rules. You can specify groups that already exist in your directory service or define custom groups based on LDAP filters. Defining custom groups can be quicker than creating new groups or changing existing ones on an LDAP server, and doesn't require an LDAP administrator to intervene. User-ID maps all the LDAP directory users who match the filter to the custom group. For example, you might want a security policy that allows contractors in the Marketing Department to access social networking sites. If no Active Directory group exists for that department, you can configure an LDAP filter that matches users for whom the LDAP attribute Department is set to Marketing. Log queries and reports that are based on user groups will include custom groups.

User Mapping

Knowing user and group names is only one piece of the puzzle. The firewall also needs to know which IP addresses map to which users so that security rules can be enforced appropriately. Figure: User-ID illustrates the different methods that are used to identify users and groups on your network and shows how user mapping and group mapping work together to enable user- and group-based security enforcement and visibility. The following topics describe the different methods of user mapping:
- Server Monitoring
- Port Mapping
- Syslog
- XFF Headers
- Authentication Policy and Captive Portal
- GlobalProtect
- XML API
- Client Probing


Server Monitoring

With server monitoring, a User-ID agent (either a Windows-based agent running on a domain server in your network, or the integrated PAN-OS User-ID agent running on the firewall) monitors the security event logs for specified Microsoft Exchange Servers, Domain Controllers, or Novell eDirectory servers for login events. For example, in an AD environment, you can configure the User-ID agent to monitor the security logs for Kerberos ticket grants or renewals, Exchange server access (if configured), and file and print service connections. Note that for these events to be recorded in the security log, the AD domain must be configured to log successful account login events. In addition, because users can log in to any of the servers in the domain, you must set up server monitoring for all servers to capture all user login events. See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the PAN-OS Integrated User-ID Agent for details.

Port Mapping

In environments with multi-user systems, such as Microsoft Terminal Server or Citrix environments, many users share the same IP address. In this case, the user-to-IP address mapping process requires knowledge of the source port of each client. To perform this type of mapping, you must install the Palo Alto Networks Terminal Services Agent on the Windows/Citrix terminal server itself to intermediate the assignment of source ports to the various user processes. For terminal servers that do not support the Terminal Services agent, such as Linux terminal servers, you can use the XML API to send user mapping information from login and logout events to User-ID. See Configure User Mapping for Terminal Server Users for configuration details.

XFF Headers

User-ID can read the IPv4 or IPv6 addresses of users from the X-Forwarded-For (XFF) header in HTTP client requests when the firewall is deployed between the Internet and a proxy server that would otherwise hide the user IP addresses. User-ID matches the true user IP addresses with usernames. See Configure the firewall to obtain user IP addresses from X-Forwarded-For (XFF) headers.

Authentication Policy and Captive Portal

In some cases, the User-ID agent can't map an IP address to a username using server monitoring or other methods (for example, if the user isn't logged in or uses an operating system such as Linux that your domain servers don't support). In other cases, you might want users to authenticate when accessing sensitive applications regardless of which methods the User-ID agent uses to perform user mapping. For all these cases, you can Configure Authentication Policy and Map IP Addresses to Usernames Using Captive Portal. Any web traffic (HTTP or HTTPS) that matches an Authentication policy rule prompts the user to authenticate through Captive Portal. You can use the following Captive Portal Authentication Methods:
- Browser challenge: Use Kerberos single sign-on (recommended) or NT LAN Manager (NTLM) authentication if you want to reduce the number of login prompts that users must respond to.
- Web form: Use Multi-Factor Authentication, SAML single sign-on, Kerberos, TACACS+, RADIUS, LDAP, or Local Authentication.
- Client Certificate Authentication.


Syslog

Your environment might have existing network services that authenticate users. These services include wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, and other Network Access Control (NAC) mechanisms. You can configure these services to send syslog messages that contain information about login and logout events and configure the User-ID agent to parse those messages. The User-ID agent parses for login events to map IP addresses to usernames and parses for logout events to delete outdated mappings. Deleting outdated mappings is particularly useful in environments where IP address assignments change often.

Both the PAN-OS integrated User-ID agent and the Windows-based User-ID agent use Syslog Parse profiles to parse syslog messages. In environments where services send the messages in different formats, you can create a custom profile for each format and associate multiple profiles with each syslog sender. If you use the PAN-OS integrated User-ID agent, you can also use predefined Syslog Parse profiles that Palo Alto Networks provides through Applications content updates.

Syslog messages must meet the following criteria for a User-ID agent to parse them:
- Each message must be a single-line text string. The allowed delimiters for line breaks are a newline (\n) or a carriage return plus a newline (\r\n).
- The maximum size for individual messages is 2,048 bytes.
- Messages sent over UDP must be contained in a single packet; messages sent over SSL can span multiple packets. A single packet might contain multiple messages.

See Configure User-ID to Monitor Syslog Senders for User Mapping for configuration details.

Figure: User-ID Integration with Syslog
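To make the syslog integration concrete, the following added example (not code from the PAN-OS guide or from the User-ID agent) emulates what a Syslog Parse profile does: one regex-based profile per sender format extracts a username and IP address from login and logout events, login events create or refresh an IP-address-to-username mapping, logout events delete it, and the datagram handling applies the message criteria listed above (one message per line ending in \n or \r\n, several messages per UDP datagram, and a 2,048-byte per-message limit). The two message formats, the hostnames and the usernames are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example (not from the PAN-OS guide): emulation of Syslog Parse
# profiles feeding a user mapping table.
MAX_MESSAGE_BYTES = 2048  # per-message limit stated in the guide


@dataclass
class SyslogParseProfile:
    """One profile per sender format: a regex for login events and one for
    logout events; both must capture 'user' and 'ip' groups."""
    name: str
    login: re.Pattern
    logout: re.Pattern

    def parse(self, message: str) -> Optional[Tuple[str, str, str]]:
        """Return (event, user, ip), or None when the message does not match."""
        for event, pattern in (("login", self.login), ("logout", self.logout)):
            m = pattern.search(message)
            if m:
                return event, m.group("user"), m.group("ip")
        return None


@dataclass
class UserMappingTable:
    mappings: Dict[str, str] = field(default_factory=dict)   # ip -> username
    rejected: List[str] = field(default_factory=list)        # oversized or unparsed

    def ingest_datagram(self, data: bytes, profiles: List[SyslogParseProfile]) -> None:
        """Split one UDP payload into messages and try every profile bound to
        the sender. Lines end with \\n or \\r\\n; a datagram may carry several."""
        for raw in data.split(b"\n"):
            raw = raw.rstrip(b"\r")
            if not raw:
                continue
            if len(raw) > MAX_MESSAGE_BYTES:
                self.rejected.append("oversized")   # exceeds the 2,048-byte limit
                continue
            message = raw.decode("utf-8", errors="replace")
            for profile in profiles:
                parsed = profile.parse(message)
                if parsed:
                    self.apply(*parsed)
                    break
            else:
                self.rejected.append(message)       # no profile matched

    def apply(self, event: str, user: str, ip: str) -> None:
        if event == "login":
            self.mappings[ip] = user       # new mapping, or a new user on a reused IP
        elif event == "logout":
            self.mappings.pop(ip, None)    # drop the outdated mapping


# Two constructed sender formats: a key=value wireless controller and a free-text proxy.
WLC_PROFILE = SyslogParseProfile(
    "wlc-kv",
    login=re.compile(r"event=login user=(?P<user>\S+) ip=(?P<ip>[0-9a-fA-F.:]+)"),
    logout=re.compile(r"event=logout user=(?P<user>\S+) ip=(?P<ip>[0-9a-fA-F.:]+)"),
)
PROXY_PROFILE = SyslogParseProfile(
    "proxy-text",
    login=re.compile(r"AUTH OK user (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"),
    logout=re.compile(r"SESSION END user (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"),
)

# One constructed datagram carrying several messages with mixed line endings;
# the last message is padded past the size limit and must be rejected.
SAMPLE_DATAGRAM = (
    b"<134>Mar 30 12:00:01 wlc01 auth: event=login user=acme\\alice ip=10.1.2.3\r\n"
    b"<134>Mar 30 12:00:05 proxy01 proxy: AUTH OK user bob from 10.1.2.4\n"
    b"<134>Mar 30 12:00:09 wlc01 auth: event=login user=acme\\carol ip=10.1.2.3\n"
    b"<134>Mar 30 12:00:12 proxy01 proxy: SESSION END user bob from 10.1.2.4\n"
    b"<134>Mar 30 12:00:15 wlc01 auth: event=login user=acme\\dave ip=10.1.2.5 "
    + b"x" * MAX_MESSAGE_BYTES + b"\n"
)


def build_table(datagram: bytes = SAMPLE_DATAGRAM) -> UserMappingTable:
    table = UserMappingTable()
    table.ingest_datagram(datagram, [WLC_PROFILE, PROXY_PROFILE])
    return table


if __name__ == "__main__":
    t = build_table()
    print(t.mappings)                        # {'10.1.2.3': 'acme\\carol'}
    print(len(t.rejected), "message(s) rejected")
```

Running it leaves a single mapping: carol's login replaced alice's on the reused address 10.1.2.3, bob's logout removed his mapping, and dave's message was discarded for exceeding the size limit rather than being parsed. That last case is the one to watch for in production: a sender whose messages grow past 2,048 bytes (long user-agent strings, verbose key=value payloads) stops producing mappings silently, so the profile's match counters on the agent are worth monitoring.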


GlobalProtect

For mobile or roaming users, the GlobalProtect client provides the user mapping information to the firewall directly. In this case, every GlobalProtect user has an agent or app running on the client that requires the user to enter login credentials for VPN access to the firewall. This login information is then added to the User-ID user mapping table on the firewall for visibility and user-based security policy enforcement. Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known. This is the best solution in sensitive environments where you must be certain of who a user is in order to allow access to an application or service. For more information on setting up GlobalProtect, refer to the GlobalProtect Administrator's Guide.

XML API

Captive Portal and the other standard user mapping methods might not work for certain types of user access. For example, the standard methods cannot add mappings of users connecting from a third-party VPN solution or users connecting to an 802.1x-enabled wireless network. For such cases, you can use the PAN-OS XML API to capture login events and send them to the PAN-OS integrated User-ID agent. See Send User Mappings to User-ID Using the XML API for details.

Client Probing

In a Microsoft Windows environment, you can configure the User-ID agent to probe client systems using Windows Management Instrumentation (WMI) and/or NetBIOS probing at regular intervals to verify that an existing user mapping is still valid or to obtain the username for an IP address that is not yet mapped.

Note: NetBIOS probing is only supported on the Windows-based User-ID agent; it is not supported on the PAN-OS integrated User-ID agent.

Client probing was designed for legacy networks where most users were on Windows workstations on the internal network, but is not ideal for today's more modern networks that support a roaming and mobile user base on a variety of devices and operating systems. Additionally, client probing can generate a large amount of network traffic (based on the total number of mapped IP addresses) and can pose a security threat when misconfigured. Therefore, client probing is no longer a recommended method for user mapping. Instead, collect user mapping information from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which allow you to safely capture user mapping information from any device type or operating system. If you have sensitive applications that require you to know exactly who a user is, configure Authentication Policy and Captive Portal to ensure that you are only allowing access to authorized users.

Note: Because WMI probing trusts data reported back from the endpoint, it is not a recommended method of obtaining User-ID information in a high-security network. If you are using the User-ID agent to parse AD security event logs, syslog messages, or the XML API to obtain User-ID mappings, Palo Alto Networks recommends disabling WMI probing.
If you do choose to use WMI probing, do not enable it on external, untrusted interfaces, as this would cause the agent to send WMI probes containing sensitive information such as the username, domain name, and password hash of the User-ID agent service account outside of your network. This information could potentially be exploited by an attacker to penetrate the network to gain further access.

If you do choose to enable probing in your trusted zones, the agent will probe each learned IP address periodically (every 20 minutes by default, but this is configurable) to verify that the same user is still logged in. In addition, when the firewall encounters an IP address for which it has no user mapping, it will send the address to the agent for an immediate probe.
See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the PAN-OS Integrated User-ID Agent for details.


Enable User-ID

The user identity, as opposed to an IP address, is an integral component of an effective security infrastructure. Knowing who is using each of the applications on your network, and who may have transmitted a threat or is transferring files, can strengthen your security policy and reduce incident response times. User-ID enables you to leverage user information stored in a wide range of repositories for visibility, user- and group-based policy control, and improved logging, reporting, and forensics:

Configure User-ID

Step 1. Enable User-ID on the source zones that contain the users who will send requests that require user-based access controls.
  1. Select Network > Zones and click the Name of the zone.
  2. Enable User Identification and click OK.
  Note: Enable User-ID on trusted zones only. If you enable User-ID and client probing on an external untrusted zone (such as the internet), probes could be sent outside your protected network, resulting in an information disclosure of the User-ID agent service account name, domain name, and encrypted password hash, which could allow an attacker to gain unauthorized access to protected services and applications.

Step 2. Create a Dedicated Service Account for the User-ID Agent.
  This is required if you plan to use the Windows-based User-ID agent or the PAN-OS integrated User-ID agent to monitor domain controllers, Microsoft Exchange servers, or Windows clients for user login and logout events.
  Note: As a best practice, create a service account with the minimum set of permissions required to support the User-ID options you enable to reduce your attack surface in the event that the service account is compromised.

Step 3. Map Users to Groups.
  This enables the firewall to connect to your LDAP directory and retrieve Group Mapping information so that you will be able to select usernames and group names when creating policy.

Step 4. Map IP Addresses to Users.
  The way you do this depends on where your users are located and what types of systems they are using, and what systems on your network are collecting login and logout events for your users. You must configure one or more User-ID agents to enable User Mapping:
  - Configure User Mapping Using the Windows User-ID Agent.
  - Configure User Mapping Using the PAN-OS Integrated User-ID Agent.
  - Configure User-ID to Monitor Syslog Senders for User Mapping.
  - Configure User Mapping for Terminal Server Users.
  - Send User Mappings to User-ID Using the XML API.
  Note: As a best practice, do not enable client probing as a user mapping method on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured.

Step 5. Specify the networks to include and exclude from user mapping.
  Configure each agent that you configured for user mapping as follows:
  - Specify the subnetworks the Windows User-ID agent should include in or exclude from User-ID.
  - Specify the subnetworks the PAN-OS integrated User-ID agent should include in or exclude from user mapping.
  Note: As a best practice, always specify which networks to include and exclude from User-ID. This allows you to ensure that only your trusted assets are probed and that unwanted user mappings are not created unexpectedly.

Step 6. Configure Authentication Policy and Captive Portal.
  The firewall uses Captive Portal to authenticate end users when they request services, applications, or URL categories that match Authentication Policy rules. Based on user information collected during authentication, the firewall creates new user mappings or updates existing mappings. The mapping information collected during authentication overrides information collected through other User-ID methods.
  1. Configure Captive Portal.
  2. Configure Authentication Policy.

Step 7. Enable user- and group-based policy enforcement.
  After configuring User-ID, you will be able to choose a username or group name when defining the source or destination of a security rule:
  1. Select Policies > Security and Add a new rule or click an existing rule name to edit.
  2. Select User and specify which users and groups to match in the rule in one of the following ways:
     - If you want to select specific users or groups as matching criteria, click Add in the Source User section to display a list of users and groups discovered by the firewall group mapping function. Select the users or groups to add to the rule.
     - If you want to match any user who has or has not authenticated and you don't need to know the specific user or group name, select known-user or unknown from the drop-down above the Source User list.
  3. Configure the rest of the rule as appropriate and then click OK to save it. For details on other fields in the security rule, see Set Up a Basic Security Policy.
  Note: Create rules based on group rather than user whenever possible. This prevents you from having to continually update your rules (which requires a commit) whenever your user base changes.

Step 8. Create the Security policy rules to safely enable User-ID within your trusted zones and prevent User-ID traffic from egressing your network.
  Follow the Best Practice Internet Gateway Security Policy to ensure that the User-ID application (paloalto-userid-agent) is only allowed in the zones where your agents (both your Windows agents and your PAN-OS integrated agents) are monitoring services and distributing mappings to firewalls. Specifically:
  - Allow the paloalto-userid-agent application between the zones where your agents reside and the zones where the monitored servers reside (or even better, between the specific systems that host the agent and the monitored servers).
  - Allow the paloalto-userid-agent application between the agents and the firewalls that need the user mappings and between firewalls that are redistributing user mappings and the firewalls they are redistributing the information to.
  - Deny the paloalto-userid-agent application to any external zone, such as your internet zone.

Step 9. Configure the firewall to obtain user IP addresses from X-Forwarded-For (XFF) headers.
  When the firewall is between the Internet and a proxy server, the IP addresses in the packets that the firewall sees are for the proxy server rather than users. To enable visibility of user IP addresses instead, configure the firewall to use the XFF headers for user mapping. With this option enabled, the firewall matches the IP addresses with usernames referenced in policy to enable control and visibility for the associated users and groups. For details, see Identify Users Connected through a Proxy Server.
  1. Select Device > Setup > Content-ID and edit the X-Forwarded-For Headers settings.
  2. Select X-Forwarded-For Header in User-ID.
     NOTE: Selecting Strip-X-Forwarded-For Header doesn't disable the use of XFF headers for user attribution in policy rules; the firewall zeroes out the XFF value only after using it for user attribution.
  3. Click OK to save your changes.

Step 10. Commit your changes.
  Commit your changes to activate them.

Step 11. Verify the User-ID Configuration.
  After you configure user mapping and group mapping, verify that the configuration works properly and that you can safely enable and monitor user and group access to your applications and services.


Map Users to Groups

Defining policy rules based on user group membership rather than individual users simplifies administration because you don't have to update the rules whenever group membership changes. The number of distinct user groups that each firewall or Panorama can reference across all policies varies by model:
- VM-50, VM-100, VM-300, PA-200, PA-220, PA-500, PA-800 Series, PA-3020, and PA-3050 firewalls: 1,000 groups
- VM-500, VM-700, PA-5020, PA-5050, PA-5060, PA-5200 Series, and PA-7000 Series firewalls, and all Panorama models: 10,000 groups

Use the following procedure to enable the firewall to connect to your LDAP directory and retrieve Group Mapping information. You can then Enable User- and Group-Based Policy.

Note: The following are best practices for group mapping in an Active Directory (AD) environment:
- If you have a single domain, you need only one LDAP server profile that connects the firewall to the domain controller with the best connectivity. You can add additional domain controllers for fault tolerance.
- If you have multiple domains and/or multiple forests, you must create a server profile to connect to a domain server in each domain/forest. Take steps to ensure unique usernames in separate forests.
- If you have Universal Groups, create a server profile to connect to the Global Catalog server.

Map Users to Groups

Step 1. Add an LDAP server profile.
  The profile defines how the firewall connects to the directory servers from which it collects group mapping information.
  1. Select Device > Server Profiles > LDAP and Add a server profile.
  2. Enter a Profile Name to identify the server profile.
  3. Add the LDAP servers. You can add up to four servers to the profile but they must be the same Type. For each server, enter a Name (to identify the server), LDAP Server IP address or FQDN, and server Port (default 389).
  4. Select the server Type.
     Based on your selection (such as active-directory), the firewall automatically populates the correct LDAP attributes in the group mapping settings. However, if you customized your LDAP schema, you might need to modify the default settings.
  5. For the Base DN, enter the Distinguished Name (DN) of the LDAP tree location where you want the firewall to start searching for user and group information.
  6. For the Bind DN, Password and Confirm Password, enter the authentication credentials for binding to the LDAP tree.
     The Bind DN can be a fully qualified LDAP name (such as cn=administrator,cn=users,dc=acme,dc=local) or a user principal name (such as administrator@acme.local).
  7. Enter the Bind Timeout and Search Timeout in seconds (default is 30 for both).
  8. Click OK to save the server profile.

Step 2. Configure the server settings in a group mapping configuration.
  1. Select Device > User Identification > Group Mapping Settings.
  2. Add the group mapping configuration.
  3. Enter a unique Name to identify the group mapping configuration.
  4. Select the LDAP Server Profile you just created.
  5. (Optional) By default, the User Domain field is blank: the firewall automatically detects the domain names for Active Directory (AD) servers. If you enter a value, it overrides any domain names that the firewall retrieves from the LDAP source. Your entry must be the NetBIOS domain name.
  6. (Optional) To filter the groups that the firewall tracks for group mapping, in the Group Objects section, enter a Search Filter (LDAP query), Object Class (group definition), Group Name, and Group Member.
  7. (Optional) To filter the users that the firewall tracks for group mapping, in the User Objects section, enter a Search Filter (LDAP query), Object Class (user definition), and User Name.
  8. (Optional) To match User-ID information with email header information identified in the links and attachments of emails forwarded to WildFire, enter the list of email domains (Domain List) in your organization. Use commas to separate multiple domains (up to 256 characters).
     After you click OK (later in this procedure), PAN-OS automatically populates the Mail Attributes based on the type of LDAP server specified in the Server Profile. When a match occurs, the username in the WildFire log email header section will contain a link that opens the ACC tab, filtered by user or user group.
  9. Make sure the group mapping configuration is Enabled (default is enabled).

Step 3. Limit which groups will be available in policy rules.
  Required only if you want to limit policy rules to specific groups. The combined maximum for the Group Include List and Custom Group list is 640 entries per group mapping configuration. Each entry can be a single group or a list of groups. By default, if you don't specify groups, all groups are available in policy rules.
  Note: Any custom groups you create will also be available in the Allow List of authentication profiles (Configure an Authentication Profile and Sequence).
  1. Add existing groups from the directory service:
     a. Select Group Include List.
     b. Select the Available Groups you want to appear in policy rules and add them to the Included Groups.
  2. If you want to base policy rules on user attributes that don't match existing user groups, create custom groups based on LDAP filters:
     a. Select Custom Group and Add the group.
     b. Enter a group Name that is unique in the group mapping configuration for the current firewall or virtual system.
        If the Name has the same value as the Distinguished Name (DN) of an existing AD group domain, the firewall uses the custom group in all references to that name (such as in policies and logs).
     c. Specify an LDAP Filter of up to 2,048 UTF-8 characters and click OK.
        The firewall doesn't validate LDAP filters, so it's up to you to ensure they are accurate.
        Note: To minimize the performance impact on the LDAP directory server, use only indexed attributes in the filter.
  3. Click OK and Commit.
     A commit is necessary before custom groups will be available in policies and objects.
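The custom-group mechanism introduced under Group Mapping in User-ID Concepts and configured in Step 3 above comes down to one question: which directory entries does an LDAP filter match? The following added example (not from the PAN-OS guide and not the firewall's own evaluator) is a small RFC 4515-style filter evaluator for the operators a custom-group filter typically uses (equality, presence, and the &, | and ! combinators, without escape sequences or substring matching) run over constructed directory entries. It illustrates the Marketing-contractors case from the concepts section and the caveat in Step 3: because the firewall does not validate filters, a misspelled attribute name produces an empty group rather than an error. The attribute names and entries are constructed for this example.

```python
from typing import Callable, Dict, List

# Added example (not from the PAN-OS guide): evaluate LDAP filters over
# directory entries to preview a Custom Group's membership.
Entry = Dict[str, List[str]]   # attribute name -> values (LDAP attributes are multi-valued)


def compile_filter(text: str) -> Callable[[Entry], bool]:
    """Parse an LDAP filter string into a predicate over an entry.
    Raises ValueError on malformed syntax. Attribute names and values are
    compared case-insensitively, as Active Directory does for most attributes."""
    pos = 0

    def expect(ch: str) -> None:
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected '{ch}' at offset {pos}")
        pos += 1

    def parse() -> Callable[[Entry], bool]:
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise ValueError("unterminated filter")
        op = text[pos]
        if op in "&|!":
            pos += 1
            parts = []
            while pos < len(text) and text[pos] == "(":
                parts.append(parse())
            expect(")")
            if op == "&":
                return lambda e: all(p(e) for p in parts)
            if op == "|":
                return lambda e: any(p(e) for p in parts)
            if len(parts) != 1:
                raise ValueError("'!' takes exactly one operand")
            return lambda e: not parts[0](e)
        end = text.find(")", pos)
        if end < 0 or "=" not in text[pos:end]:
            raise ValueError(f"malformed comparison at offset {pos}")
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        attr = attr.lower()
        if value == "*":                       # presence test: (attr=*)
            return lambda e: bool(e.get(attr))
        return lambda e: any(v.lower() == value.lower() for v in e.get(attr, []))

    pred = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return pred


def custom_group_members(ldap_filter: str, entries: List[Entry]) -> List[str]:
    """Return the sAMAccountName of every entry the filter matches."""
    match = compile_filter(ldap_filter)
    return [e["samaccountname"][0] for e in entries if match(e)]


# Constructed directory entries; attribute names are lower-cased for matching.
DIRECTORY: List[Entry] = [
    {"samaccountname": ["alice"], "department": ["Marketing"], "employeetype": ["Contractor"]},
    {"samaccountname": ["bob"], "department": ["Marketing"], "employeetype": ["Employee"]},
    {"samaccountname": ["carol"], "department": ["Engineering"], "employeetype": ["Contractor"]},
    {"samaccountname": ["dave"], "department": ["Marketing"]},   # employeeType not set
]

MARKETING_CONTRACTORS = "(&(department=Marketing)(employeeType=Contractor))"
MARKETING_NOT_EMPLOYEES = "(&(department=Marketing)(!(employeeType=Employee)))"

if __name__ == "__main__":
    print(custom_group_members(MARKETING_CONTRACTORS, DIRECTORY))    # ['alice']
    print(custom_group_members(MARKETING_NOT_EMPLOYEES, DIRECTORY))  # ['alice', 'dave']
    # A misspelled attribute matches nobody, and the firewall would not warn you.
    print(custom_group_members("(departmnt=Marketing)", DIRECTORY))  # []
```

The two Marketing filters differ in exactly the way that matters for policy: the negated form also admits dave, whose employeeType is unset, so a filter written with ! grants membership to entries that merely lack the attribute. Preview a filter's members this way (or with an LDAP search tool against the directory) before committing it, and keep to indexed attributes so the firewall's periodic group refresh does not burden the directory server.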


Map IP Addresses to Users

User-ID provides many different methods for mapping IP addresses to usernames. Before you begin configuring user mapping, consider where your users are logging in from, what services they are accessing, and what applications and data you need to control access to. This will inform which types of agents or integrations would best allow you to identify your users. For guidance, refer to Architecting User Identification Deployments.
Once you have your plan, you can begin configuring user mapping using one or more of the following methods as needed to enable user-based access and visibility to applications and resources:
- To map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients, you must configure a User-ID agent:
  - Configure User Mapping Using the PAN-OS Integrated User-ID Agent
  - Configure User Mapping Using the Windows User-ID Agent
- If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal Server or Citrix Metaframe Presentation Server or XenApp, Configure the Palo Alto Networks Terminal Services Agent for User Mapping. For a multi-user system that doesn't run on Windows, you can Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API.
- To obtain user mappings from existing network services that authenticate users (such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms), Configure User-ID to Monitor Syslog Senders for User Mapping.
  Note: While you can configure either the Windows agent or the PAN-OS integrated User-ID agent on the firewall to listen for authentication syslog messages from the network services, because only the PAN-OS integrated agent supports syslog listening over TLS, it is the preferred configuration.
- If you have users with client systems that aren't logged in to your domain servers (for example, users running Linux clients that don't log in to the domain), you can Map IP Addresses to Usernames Using Captive Portal. Using Captive Portal in conjunction with Authentication Policy also ensures that all users authenticate to access your most sensitive applications and data.
- For other clients that you can't map using the other methods, you can Send User Mappings to User-ID Using the XML API.
- A large-scale network can have hundreds of information sources that firewalls query for user and group mapping and can have numerous firewalls that enforce policies based on the mapping information. You can simplify User-ID administration for such a network by aggregating the mapping information before the User-ID agents collect it. You can also reduce the resources that the firewalls and information sources use in the querying process by configuring some firewalls to redistribute the mapping information. For details, see Deploy User-ID in a Large-Scale Network.


UserID MapIPAddressestoUsers

CreateaDedicatedServiceAccountfortheUserIDAgent

IfyouplantouseeithertheWindowsbasedUserIDagentorthePANOSintegratedUserIDagenttomap
usersastheylogintoyourExchangeservers,domaincontrollers,eDirectoryservers,orWindowsclients,
youmustcreateadedicatedserviceaccountfortheUserIDagentonadomaincontrollerineachdomain
thattheagentwillmonitor.
Therequiredpermissionsfortheserviceaccountdependonwhatusermappingmethodsandsettingsyou
plantouse.ToreducetheriskassociatedwithcompromiseoftheUserIDserviceaccount,alwaysconfigure
theaccountwiththeminimumsetofpermissionsnecessaryfortheagenttofunctionproperly.

UserIDprovidesmanymethodsforsafelycollectingusermappinginformation.Someofthelegacyfeatures,
whichweredesignedforenvironmentsthatonlyrequiredmappingofusersonWindowsdesktopsattachedto
thelocalnetwork,requireprivilegedserviceaccounts.Intheeventthattheprivilegedserviceaccountis
compromised,thiswouldopenyournetworktoattack.Asabestpractice,avoidusingtheselegacyfeaturessuch
asclientprobing,NTLMauthentication,andsessionmonitoringthatrequireprivilegesthatwouldposeathreat
ifcompromised.ThefollowingworkflowdetailsallprivilegesrequiredandprovideguidanceastowhichUserID
featuresrequireprivilegesthatcouldposeathreatsothatyoucandecidehowtobestidentifyuserswithout
compromisingyouroverallsecurityposture.

ConfigureanActiveDirectoryaccountfortheUserIDAgent

Step1 CreateanADaccountfortheUserID 1. Logintothedomaincontroller.


agent. 2. RightclicktheWindowsicon(
),SearchforActive
Youmustcreateaserviceaccountin Directory Users and Computers,andlaunchthe
eachdomaintheagentwillmonitor. application.
3. Inthenavigationpane,openthedomaintree,rightclick
Managed Service AccountsandselectNew > User.
4. EntertheFirst Name,Last Name,andUser logon nameofthe
userandclickNext.
5. EnterthePasswordandConfirm Password,andthenclick
NextandFinish.

PaloAltoNetworks,Inc. PANOS8.0AdministratorsGuide 421


MapIPAddressestoUsers UserID

ConfigureanActiveDirectoryaccountfortheUserIDAgent(Continued)

Step2 AddtheaccounttotheBuiltingroups 1. RightclicktheserviceaccountyoujustaddedandAdd to a


thathaveprivilegesforaccessingthe group.
servicesandhoststheUserIDagentwill 2. Enter the object names to selectasfollowstoassignthe
monitor. accounttogroups.Separateeachentrywithasemicolon.
Event Log Readersoracustomgroupthathasprivileges
forreadingSecuritylogevents.Theseprivilegesare
requirediftheUserIDagentwillcollectmapping
informationbymonitoringSecuritylogs.
(PANOSintegratedagentonly)Distributed COM Users
group,whichhasprivilegesforlaunching,activating,and
usingDistributedComponentObjectModel(DCOM)
objects.
(Notrecommended) Server Operatorsgroup,whichhas
privilegesforopeningsessions.Theagentonlyrequires
theseprivilegesifyouplantoconfigureittorefreshexisting
mappinginformationbymonitoringusersessions.
Becausethisgroupalsohasprivilegesforshutting
downandrestartingservers,assigntheaccountto
itonlyifmonitoringusersessionsisveryimportant.
(PANOSintegratedagentonly)Ifyouplantoconfigure
NTLMauthenticationforCaptivePortal,thefirewallwhere
youveconfiguredtheagentwillneedtojointhedomain.To
enablethis,enterthenameofagroupthathas
administrativeprivilegestojointhedomain,writetothe
validatedserviceprincipalname,andcreateacomputer
objectwithinthecomputersorganizationunit
(ou=computers).
ThePANOSintegratedagentrequiresprivileged
operationstojointhedomain,whichposesa
securitythreatiftheaccountiscompromised.
ConsiderconfiguringKerberossinglesignon(SSO)
orSAMLSSOauthenticationforCaptivePortal
insteadofNTLM.KerberosandSAMLarestronger,
moresecureauthenticationmethodsanddonot
requirethefirewalltojointhedomain.
Forafirewallwithmultiplevirtualsystems,onlyvsys1can
jointhedomainbecauseofADrestrictionsonvirtual
systemsrunningonthesamehost.
3. Check NamestovalidateyourentriesandclickOKtwice.

422 PANOS8.0AdministratorsGuide PaloAltoNetworks,Inc.


UserID MapIPAddressestoUsers

ConfigureanActiveDirectoryaccountfortheUserIDAgent(Continued)

Step 3. If you plan to use WMI probing, enable the account to read the CIMV2 namespace on the client systems. By default, accounts in the Server Operators group have this permission.
Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured. Instead, collect user mapping information from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which have the added benefit of allowing you to safely capture user mapping information from any device type or operating system, instead of just Windows clients.
Perform this task on each client system that the User-ID agent will probe for user mapping information:
1. Right-click the Windows icon, search for wmimgmt.msc, and launch the WMI Management Console.
2. In the console tree, right-click WMI Control and select Properties.
3. Select Security, select Root > CIMV2, and click Security.
4. Add the name of the service account you created, Check Names to verify your entry, and click OK.
   NOTE: You might have to change the Locations or click Advanced to query for account names. See the dialog help for details.
5. In the Permissions for <Username> section, Allow the Enable Account and Read Security permissions.
6. Click OK twice.

Step 4. Turn off account privileges that are not necessary. By ensuring that the User-ID service account has the minimum set of account privileges, you reduce the attack surface should the account be compromised.
To ensure that the User-ID account has the minimum privileges necessary, deny the following privileges on the account:
- Deny interactive logon for the User-ID service account. While the User-ID service account does need permission to read and parse Active Directory security event logs, it does not require the ability to log on to servers or domain systems interactively. You can restrict this privilege using Group Policies or by using a Managed Service Account (refer to Microsoft TechNet for more information).
- Deny remote access for the User-ID service account. This prevents an attacker from using the account to access your network from outside the network.

Step 5. Next steps. You are now ready to:
- Configure User Mapping Using the Windows User-ID Agent.
- Configure User Mapping Using the PAN-OS Integrated User-ID Agent.

Configure User Mapping Using the Windows User-ID Agent

In most cases, the majority of your network users will have logins to your monitored domain services. For these users, the Palo Alto Networks User-ID agent monitors the servers for login events and performs the IP address-to-username mapping. The way you configure the User-ID agent depends on the size of your environment and the location of your domain servers. As a best practice, locate your User-ID agents near the servers they will monitor (that is, the monitored servers and the Windows User-ID agent should not be across a WAN link from each other). This is because most of the traffic for user mapping occurs between the agent and the monitored server, with only a small amount of traffic (the delta of user mappings since the last update) going from the agent to the firewall.
The following topics describe how to install and configure the User-ID agent and how to configure the firewall to retrieve user mapping information from the agent:
- Install the Windows-Based User-ID Agent
- Configure the Windows-Based User-ID Agent for User Mapping

Install the Windows-Based User-ID Agent

The following procedure shows how to install the User-ID agent on a member server in the domain and set up the service account with the required permissions. If you are upgrading, the installer will automatically remove the older version; however, it is a good idea to back up the config.xml file before running the installer.

For information about the system requirements for installing the Windows-based User-ID agent and for information on supported server OS versions, refer to the Palo Alto Networks Compatibility Matrix.

Install the Windows User-ID Agent

Step 1. Create a dedicated Active Directory service account for the User-ID agent to access the services and hosts it will monitor to collect user mappings. See Create a Dedicated Service Account for the User-ID Agent.

Step 2. Decide where to install the User-ID agent.
The User-ID agent queries the Domain Controller and Exchange server logs using Microsoft Remote Procedure Calls (MS-RPC), which require a complete transfer of the entire log at each query. Therefore, always install one or more User-ID agents at each site that has servers to be monitored.
NOTE: For more detailed information on where to install User-ID agents, refer to Architecting User Identification (User-ID) Deployments.
- You must install the User-ID agent on a system running one of the supported OS versions: see Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.
- Make sure the system that will host the User-ID agent is a member of the same domain as the servers it will monitor.
- As a best practice, install the User-ID agent close to the servers it will be monitoring (there is more traffic between the User-ID agent and the monitored servers than there is between the User-ID agent and the firewall, so locating the agent close to the monitored servers optimizes bandwidth usage).
- To ensure the most comprehensive mapping of users, you must monitor all servers that contain user login information. You might need to install multiple User-ID agents to efficiently monitor all of your resources.


Step 3. Download the User-ID agent installer.
Install the User-ID agent version that is the same as the PAN-OS version running on the firewalls. If there is not a User-ID agent version that matches the PAN-OS version, install the latest version that is closest to the PAN-OS version. For example, if you are running PAN-OS 7.1 on your firewalls, install User-ID agent version 7.0.
1. Log in to the Palo Alto Networks Customer Support website.
2. Select Software Updates from the Manage Devices section.
3. Scroll to the User Identification Agent section of the screen and Download the version of the User-ID agent you want to install.
4. Save the UaInstall-x.x.x-xx.msi file on the system(s) where you plan to install the agent.

Step 4. Run the installer as an administrator.
1. Open the Windows Start menu, right-click the Command Prompt program, and select Run as administrator.
2. From the command line, run the .msi file you downloaded. For example, if you saved the .msi file to the Desktop you would enter the following:
   C:\Users\administrator.acme>cd Desktop
   C:\Users\administrator.acme\Desktop>UaInstall-6.0.0-1.msi
3. Follow the setup prompts to install the agent using the default settings. By default, the agent gets installed to the C:\Program Files (x86)\Palo Alto Networks\User-ID Agent folder, but you can Browse to a different location.
4. When the installation completes, Close the setup window.

Step 5. Launch the User-ID Agent application. Open the Windows Start menu and select User-ID Agent.

Step 6. (Optional) Change the service account that the User-ID agent uses to log in. By default, the agent uses the administrator account used to install the .msi file. However, you may want to switch this to a restricted account as follows:
1. Select User Identification > Setup and click Edit.
2. Select the Authentication tab and enter the service account name that you want the User-ID agent to use in the User name for Active Directory field.
3. Enter the Password for the specified account.


Step 7. (Optional) Assign account permissions to the installation folder.
You only need to perform this step if the service account you configured for the User-ID agent is not a member of the administrators group for the domain or a member of both the Server Operators and the Event Log Readers groups.
1. Give the service account permissions to the installation folder:
   a. From Windows Explorer, navigate to C:\Program Files\Palo Alto Networks, right-click the folder, and select Properties.
   b. On the Security tab, Add the User-ID agent service account and assign it the Modify, Read & execute, List folder contents, and Read permissions, then click OK to save the account settings.
2. Give the service account permissions to the User-ID Agent registry subtree:
   a. Run regedit and navigate to the Palo Alto Networks subtree in one of the following locations:
      32-bit systems: HKEY_LOCAL_MACHINE\Software\Palo Alto Networks
      64-bit systems: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks
   b. Right-click the Palo Alto Networks node and select Permissions.
   c. Assign the User-ID service account Full Control and then click OK to save the setting.
3. On the domain controller, add the service account to the built-in groups that grant the privileges to read the security log events (Event Log Readers group) and open sessions (Server Operators group):
   a. Run the MMC and launch the Active Directory Users and Computers snap-in.
   b. Navigate to the Builtin folder for the domain, then right-click each group you need to edit (Event Log Readers and Server Operators) and select Add to Group to open the properties dialog.
   c. Click Add and enter the name of the service account that you configured the User-ID service to use, and then click Check Names to validate that you have the proper object name.
   d. Click OK twice to save the settings.
   Server Operators membership is only needed for session monitoring (the Enable Server Session Read setting), which this guide recommends leaving disabled; if you do not use it, Event Log Readers alone is enough and the account keeps a smaller privilege set.


Step 8. (Optional) Assign your own certificates for mutual authentication between the Windows User-ID agent and the firewall.
1. Obtain your certificate for the Windows User-ID agent. The private key of the server certificate must be encrypted and uploaded using a PFX or P12 bundle.
   - Generate a Certificate and export it for upload to the Windows User-ID agent.
   - Export a certificate from your enterprise certificate authority (CA) and then upload it to the Windows User-ID agent.
2. Add a server certificate to the Windows User-ID agent.
   a. On the Windows User-ID agent, select Server Certificate and click Add.
   b. Enter the path and name of the certificate file received from the CA, or browse to the certificate file.
   c. Enter the private key password.
   d. Click OK and then Commit.
3. Upload a certificate to the firewall to validate the Windows User-ID agent's identity.
4. Configure the certificate profile for the client device (firewall or Panorama).
   a. Select Device > Certificate Management > Certificate Profile.
   b. Configure a Certificate Profile.
   You can only assign one certificate profile for Windows User-ID agents and Terminal Services (TS) agents. Therefore, your certificate profile must include all certificate authorities that issued certificates uploaded to connected User-ID and TS agents.
5. Assign the certificate profile on the firewall.
   a. Select Device > User Identification > Connection Security and click the edit button.
   b. Select the certificate profile you configured in the previous step from the User-ID Certificate Profile drop-down.
   c. Click OK.
6. Commit your changes.

Step 9. Configure Credential Detection with the Windows-based User-ID Agent.
To use the Windows-based User-ID agent to detect credential submissions and Prevent Credential Phishing, you must install the User-ID credential service on the Windows-based User-ID agent. You can only install this add-on on a read-only domain controller (RODC).

Configure the Windows-Based User-ID Agent for User Mapping

The Palo Alto Networks User-ID agent is a Windows service that connects to servers on your network (for example, Active Directory servers, Microsoft Exchange servers, and Novell eDirectory servers) and monitors the logs for login events. The agent uses this information to map IP addresses to usernames. Palo Alto Networks firewalls connect to the User-ID agent to retrieve this user mapping information, enabling visibility into user activity by username rather than IP address and enabling user- and group-based security enforcement.

For information about the server OS versions supported by the User-ID agent, refer to Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.

Map IP Addresses to Users Using the Windows-Based User-ID Agent

Step 1. Define the servers the User-ID agent will monitor to collect IP address-to-user mapping information.
The User-ID agent can monitor up to 100 servers, of which up to 50 can be syslog senders.
NOTE: To collect all of the required mappings, the User-ID agent must connect to all servers that your users log in to, so that it can monitor the security log files on all servers that contain login events.
1. Open the Windows Start menu and select User-ID Agent.
2. Select User Identification > Discovery.
3. In the Servers section of the screen, click Add.
4. Enter a Name and Server Address for the server to be monitored. The network address can be an FQDN or an IP address.
5. Select the Server Type (Microsoft Active Directory, Microsoft Exchange, Novell eDirectory, or Syslog Sender) and then click OK to save the server entry. Repeat this step for each server to be monitored.
6. (Optional) To enable the agent to automatically discover domain controllers on your network using DNS lookups, click Auto Discover.
   NOTE: Auto-discovery locates domain controllers in the local domain only; you must manually add Exchange servers, eDirectory servers, and syslog senders.
7. (Optional) To tune the frequency at which the agent polls configured servers for mapping information, select User Identification > Setup and Edit the Setup section. On the Server Monitor tab, modify the value in the Server Log Monitor Frequency (seconds) field. Increase the value in this field to 5 seconds in environments with older domain controllers or high-latency links.
   Ensure that the Enable Server Session Read setting is not selected. This setting requires that the User-ID agent have an Active Directory account with Server Operators privileges so that it can read all user sessions. Instead, use a Syslog or XML API integration to monitor sources that capture login and logout events for all device types and operating systems (instead of just Windows), such as wireless controllers and Network Access Controllers (NACs).
8. Click OK to save the settings.


Step 2. Specify the subnetworks the Windows User-ID agent should include in or exclude from User-ID.
By default, User-ID maps all users accessing the servers you are monitoring.
As a best practice, always specify which networks to include in and exclude from User-ID to ensure that the agent is only communicating with internal resources and to prevent unauthorized users from being mapped. You should only enable User-ID on the subnetworks where users internal to your organization are logging in.
1. Select User Identification > Discovery.
2. Add an entry to the Include/Exclude list of configured networks, enter a Name for the entry, and enter the IP address range of the subnetwork as the Network Address.
3. Select whether to include or exclude the network:
   - Include specified network: Select this option if you want to limit user mapping to users logged in to the specified subnetwork only. For example, if you include 10.0.0.0/8, the agent maps the users on that subnetwork and excludes all others. If you want the agent to map users in other subnetworks, you must repeat these steps to add additional networks to the list.
   - Exclude specified network: Select this option only if you want the agent to exclude a subset of the subnetworks you added for inclusion. For example, if you include 10.0.0.0/8 and exclude 10.2.50.0/22, the agent will map users on all the subnetworks of 10.0.0.0/8 except 10.2.50.0/22, and will exclude all subnetworks outside of 10.0.0.0/8.
   If you add subnetworks for exclusion without adding any for inclusion, the agent will not perform user mapping in any subnetwork.
4. Click OK.

Step 3. (Optional) If you configured the agent to connect to a Novell eDirectory server, you must specify how the agent should search the directory.
1. Select User Identification > Setup and click Edit in the Setup section of the window.
2. Select the eDirectory tab and then complete the following fields:
   - Search Base: The starting point or root context for agent queries, for example: dc=domain1, dc=example, dc=com.
   - Bind Distinguished Name: The account to use to bind to the directory, for example: cn=admin, ou=IT, dc=domain1, dc=example, dc=com.
   - Bind Password: The bind account password. The agent saves the encrypted password in the configuration file.
   - Search Filter: The search query for user entries (default is objectClass=Person).
   - Server Domain Prefix: A prefix to uniquely identify the user. This is only required if there are overlapping name spaces, such as different users with the same name from two different directories.
   - Use SSL: Select the check box to use SSL for eDirectory binding.
   - Verify Server Certificate: Select the check box to verify the eDirectory server certificate when using SSL.


Step 4. (Optional, not recommended) Configure client probing.
Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured.
1. On the Client Probing tab, select the Enable WMI Probing check box and/or the Enable NetBIOS Probing check box.
2. Make sure the Windows firewall will allow client probing by adding a remote administration exception to the Windows firewall for each probed client.
   NOTE: For NetBIOS probing to work effectively, each probed client PC must allow port 139 in the Windows firewall and must also have file and printer sharing services enabled.
   Although client probing is not recommended, if you plan to enable it, WMI probing is preferred over NetBIOS whenever possible.

Step 5. Save the configuration. Click OK to save the User-ID agent setup settings and then click Commit to restart the User-ID agent and load the new settings.

Step 6. (Optional) Define the set of users for which you do not need to provide IP address-to-username mappings, such as kiosk accounts.
You can also use the ignore-user list to identify users whom you want to force to authenticate using Captive Portal.
Create an ignore_user_list.txt file and save it to the User-ID Agent folder on the domain server where the agent is installed. List the user accounts to ignore; there is no limit to the number of accounts you can add to the list. Each user account name must be on a separate line. For example:
SPAdmin
SPInstall
TFSReport
You can use an asterisk as a wildcard character to match multiple usernames, but only as the last character in the entry. For example, corpdomain\it-admin* would match all administrators in the corpdomain domain whose usernames start with the string it-admin.
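The Include/Exclude network rules in Step 2 and the ignore-user list in Step 6 interact in ways that are easy to misread (an exclude without any include silently disables mapping; a trailing wildcard is a pure prefix match), and the same semantics apply to the PAN-OS integrated agent's Include/Exclude Networks and Ignore User List. The following Python example is added here and is not code from the guide or from Palo Alto Networks; it replays a constructed set of learned IP-to-user events through both filters. The only values taken from the guide are 10.0.0.0/8, 10.2.50.0/22 and the ignore-list entries; the sample users and addresses, case-insensitive matching, and comparing a bare ignore entry against the name after the domain backslash are assumptions.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Configuration taken from the guide's examples (network and ignore-list values).
INCLUDE_NETWORKS = ["10.0.0.0/8"]
EXCLUDE_NETWORKS = ["10.2.50.0/22"]
IGNORE_USER_LIST = ["SPAdmin", "SPInstall", "TFSReport", "corpdomain\\it-admin*"]

# Constructed IP-to-user events as an agent would learn them from Security logs.
RAW_MAPPINGS: List[Tuple[str, str]] = [
    ("10.1.1.5", "corpdomain\\alice"),
    ("10.2.50.7", "corpdomain\\bob"),              # inside the excluded /22
    ("192.168.1.10", "corpdomain\\carol"),         # outside every included network
    ("10.3.3.3", "corpdomain\\it-admin-42"),       # matches the wildcard ignore entry
    ("10.3.3.4", "CORPDOMAIN\\SPAdmin"),           # matches the bare ignore entry (case-insensitive)
    ("10.3.3.5", "corpdomain\\it-administrator"),  # also a prefix match for it-admin*
]


def network_allows(ip: str, includes: Iterable[str], excludes: Iterable[str]) -> bool:
    """Apply the Include/Exclude Networks semantics described in the guide."""
    includes, excludes = list(includes), list(excludes)
    addr = ipaddress.ip_address(ip)
    # Excludes configured without any includes: the agent maps nothing at all.
    if excludes and not includes:
        return False
    # strict=False so an entry such as 10.2.50.0/22 is accepted as its containing /22.
    if any(addr in ipaddress.ip_network(n, strict=False) for n in excludes):
        return False
    if not includes:
        return True  # no list configured at all: every subnetwork is mapped
    return any(addr in ipaddress.ip_network(n, strict=False) for n in includes)


def user_ignored(user: str, ignore_list: Iterable[str]) -> bool:
    """Return True if an ignore-list entry matches the user.

    An entry matches exactly, or as a prefix when it ends in '*' (the only wildcard
    position the guide allows). Assumptions: names compare case-insensitively, and an
    entry with no domain part is compared against the name after the backslash too.
    """
    full = user.lower()
    bare = full.split("\\", 1)[-1]
    for entry in ignore_list:
        pattern = entry.lower()
        targets = (full,) if "\\" in pattern else (full, bare)
        if pattern.endswith("*"):
            if any(t.startswith(pattern[:-1]) for t in targets):
                return True
        elif pattern in targets:
            return True
    return False


def filter_mappings(raw: Iterable[Tuple[str, str]], includes: Iterable[str],
                    excludes: Iterable[str], ignore_list: Iterable[str]) -> Dict[str, str]:
    """Return the IP->user mappings the agent would actually hand to the firewall."""
    published: Dict[str, str] = {}
    for ip, user in raw:
        if not network_allows(ip, includes, excludes):
            continue
        if user_ignored(user, ignore_list):
            continue
        published[ip] = user
    return published


if __name__ == "__main__":
    kept = filter_mappings(RAW_MAPPINGS, INCLUDE_NETWORKS, EXCLUDE_NETWORKS, IGNORE_USER_LIST)
    for ip, user in kept.items():
        print(f"{ip:<14} -> {user}")
```

Note how corpdomain\it-administrator is dropped as well: a trailing asterisk matches any name that starts with the prefix, so keep wildcard entries as specific as the accounts you actually mean to ignore.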

Step 7. Configure the firewall to connect to the User-ID agent.
NOTE: The firewall can connect to only one Windows-based User-ID agent that is using the User-ID credential service add-on to detect corporate credential submissions. See Configure Credential Detection with the Windows-based User-ID Agent for more details on how to use this service for credential phishing prevention.
Complete the following steps on each firewall you want to connect to the User-ID agent to receive user mappings:
1. Select Device > User Identification > User-ID Agents and click Add.
2. Enter a Name for the User-ID agent.
3. Enter the IP address of the Windows Host on which the User-ID Agent is installed.
4. Enter the Port number (1-65535) on which the agent will listen for user mapping requests. This value must match the value configured on the User-ID agent. By default, the port is set to 5007 on the firewall and on newer versions of the User-ID agent. However, some older User-ID agent versions use port 2010 as the default.
5. Make sure that the configuration is Enabled, then click OK.
6. Commit the changes.
7. Verify that the Connected status displays as connected (a green light).


Step 8. Verify that the User-ID agent is successfully mapping IP addresses to usernames and that the firewalls can connect to the agent.
1. Launch the User-ID agent and select User Identification.
2. Verify that the agent status shows Agent is running. If the agent is not running, click Start.
3. To verify that the User-ID agent can connect to monitored servers, make sure the Status for each Server is Connected.
4. To verify that the firewalls can connect to the User-ID agent, make sure the Status for each of the Connected Devices is Connected.
5. To verify that the User-ID agent is mapping IP addresses to usernames, select Monitoring and make sure that the mapping table is populated. You can also Search for specific users, or Delete user mappings from the list.

Configure User Mapping Using the PAN-OS Integrated User-ID Agent

The following procedure shows how to configure the PAN-OS integrated User-ID agent on the firewall for IP address-to-username mapping. The integrated User-ID agent performs the same tasks as the Windows-based agent with the exception of NetBIOS client probing (WMI probing is supported).

Map IP Addresses to Users Using the Integrated User-ID Agent

Step 1. Create an Active Directory service account for the User-ID agent to access the services and hosts it will monitor for collecting user mapping information. See Create a Dedicated Service Account for the User-ID Agent.

Step 2. Define the servers that the firewall will monitor to collect user mapping information.
Within the total maximum of 100 monitored servers per firewall, you can define no more than 50 syslog senders for any single virtual system.
NOTE: To collect all the required mappings, the firewall must connect to all servers that your users log in to, so it can monitor the Security log files on all servers that contain login events.
1. Select Device > User Identification > User Mapping.
2. Click Add in the Server Monitoring section.
3. Enter a Name to identify the server.
4. Select the Type of server.
5. Enter the Network Address (an FQDN or IP address) of the server.
6. Make sure the server profile is Enabled and click OK.
7. (Optional) Click Discover if you want the firewall to automatically discover domain controllers on your network using DNS lookups.
   NOTE: The auto-discovery feature is for domain controllers only; you must manually add any Exchange servers or eDirectory servers you want to monitor.
8. (Optional) Specify the frequency at which the firewall polls Windows servers for mapping information. This is the interval between the end of the last query and the start of the next query.
   NOTE: If the query load is high, the observed delay between queries might significantly exceed the specified frequency.
   a. Edit the Palo Alto Networks User-ID Agent Setup.
   b. Select the Server Monitor tab and specify the Server Log Monitor Frequency in seconds (default is 2, range is 1-3600). Increase the value in this field to 5 seconds in environments with older domain controllers or high-latency links.
   Ensure that the Enable Session setting is not selected. This setting requires that the User-ID agent have an Active Directory account with Server Operators privileges so that it can read all user sessions. Instead, use a Syslog or XML API integration to monitor sources that capture login and logout events for all device types and operating systems (instead of just Windows), such as wireless controllers and NACs.
   c. Click OK to save the changes.


Step 3. Specify the subnetworks the PAN-OS integrated User-ID agent should include in or exclude from user mapping.
By default, User-ID maps all users accessing the servers you are monitoring.
As a best practice, always specify which networks to include in and, optionally, to exclude from User-ID to ensure that the agent is only communicating with internal resources and to prevent unauthorized users from being mapped. You should only enable user mapping on the subnetworks where users internal to your organization are logging in.
1. Select Device > User Identification > User Mapping.
2. Add an entry to the Include/Exclude Networks, enter a Name for the entry, and make sure to keep the Enabled check box selected.
3. Enter the Network Address and then select whether to include or exclude it:
   - Include: Select this option if you want to limit user mapping to users logged in to the specified subnetwork only. For example, if you include 10.0.0.0/8, the agent maps the users on that subnetwork and excludes all others. If you want the agent to map users in other subnetworks, you must repeat these steps to add additional networks to the list.
   - Exclude: Select this option only if you want the agent to exclude a subset of the subnetworks you added for inclusion. For example, if you include 10.0.0.0/8 and exclude 10.2.50.0/22, the agent will map users on all the subnetworks of 10.0.0.0/8 except 10.2.50.0/22, and will exclude all subnetworks outside of 10.0.0.0/8.
   If you add subnetworks for exclusion without adding any for inclusion, the agent will not perform user mapping in any subnetwork.
4. Click OK.

Step 4. Set the domain credentials for the account the firewall will use to access Windows resources. This is required for monitoring Exchange servers and domain controllers as well as for WMI probing.
1. Edit the Palo Alto Networks User-ID Agent Setup.
2. Select the WMI Authentication tab and enter the User Name and Password for the account that the User-ID agent will use to probe the clients and monitor servers. Enter the user name using the domain\username syntax.

Step 5. (Optional, not recommended) Configure WMI probing (the PAN-OS integrated User-ID agent does not support NetBIOS probing).
Do not enable WMI probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured.
1. Select the Client Probing tab and select the Enable Probing check box.
2. (Optional) Modify the Probe Interval (in minutes) if necessary to ensure it is long enough for the User-ID agent to probe all the learned IP addresses (default is 20, range is 1-1440). This is the interval between the end of the last probe request and the start of the next request.
   NOTE: If the request load is high, the observed delay between requests might significantly exceed the specified interval.
3. Click OK.
4. Make sure the Windows firewall will allow client probing by adding a remote administration exception to the Windows firewall for each probed client.

Step 6. (Optional) Define the set of users for which you don't require IP address-to-username mappings, such as kiosk accounts.
You can also use the ignore-user list to identify users whom you want to force to authenticate using Captive Portal.
Select the Ignore User List tab and Add each username to exclude from user mapping. You can use an asterisk as a wildcard character to match multiple usernames, but only as the last character in the entry. For example, corpdomain\it-admin* would match all administrators in the corpdomain domain whose usernames start with the string it-admin. You can add up to 5,000 entries to exclude from user mapping.


Step 7. Activate your configuration changes. Click OK and Commit.

Step 8. Verify the configuration.
1. Access the firewall CLI.
2. Enter the following operational command to check the state of each monitored server:
   > show user server-monitor state all
   To confirm that mappings are actually being learned, also display the current mapping table:
   > show user ip-user-mapping all
3. On the Device > User Identification > User Mapping tab in the web interface, verify that the Status of each server you configured for server monitoring is Connected.

Configure User-ID to Monitor Syslog Senders for User Mapping

To obtain IP address-to-username mappings from existing network services that authenticate users, you can configure the PAN-OS integrated User-ID agent or the Windows-based User-ID agent to parse syslog messages from those services. To keep user mappings up to date, you can also configure the User-ID agent to parse syslog messages for logout events so that the firewall automatically deletes outdated mappings.
- Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener
- Configure the Windows User-ID Agent as a Syslog Listener

Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener

To configure the PAN-OS integrated User-ID agent to create new user mappings and remove outdated mappings through syslog monitoring, start by defining Syslog Parse profiles. The User-ID agent uses the profiles to find login and logout events in syslog messages. In environments where syslog senders (the network services that authenticate users) deliver syslog messages in different formats, configure a profile for each syslog format. Syslog messages must meet certain criteria for a User-ID agent to parse them (see Syslog). This procedure uses examples with the following formats:
- Login events: [Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
- Logout events: [Tue Jul 5 13:18:05 2016 CDT] User logout successful User:johndoe1 Source:192.168.3.212

After configuring the Syslog Parse profiles, you specify syslog senders for the User-ID agent to monitor.

The PAN-OS integrated User-ID agent accepts syslogs over SSL and UDP only. However, you must use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog sender. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, always use SSL to listen for syslog messages. However, if you must use UDP, make sure that the syslog sender and client are both on a dedicated, secure network to prevent untrusted hosts from sending UDP traffic to the firewall.


Step 1. Determine whether there is a predefined Syslog Parse profile for your particular syslog senders.
Palo Alto Networks provides several predefined profiles through Application content updates. The predefined profiles are global to the firewall, whereas custom profiles apply to a single virtual system only.
NOTE: Any new Syslog Parse profiles in a given content release are documented in the corresponding release note along with the specific regex used to define the filter.
1. Install the latest Applications or Applications and Threats update:
   a. Select Device > Dynamic Updates and Check Now.
   b. Download and Install any new update.
2. Determine which predefined Syslog Parse profiles are available:
   a. Select Device > User Identification > User Mapping and click Add in the Server Monitoring section.
   b. Set the Type to Syslog Sender and click Add in the Filter section. If the Syslog Parse profile you need is available, skip the steps for defining custom profiles.

Step 2. Define custom Syslog Parse profiles to create and delete user mappings.
Each profile filters syslog messages to identify either login events (to create user mappings) or logout events (to delete mappings), but no single profile can do both.
1. Review the syslog messages that the syslog sender generates to identify the syntax for login and logout events. This enables you to define the matching patterns when creating Syslog Parse profiles.
   While reviewing syslog messages, also determine whether they include the domain name. If they don't, and your user mappings require domain names, enter the Default Domain Name when defining the syslog senders that the User-ID agent monitors (later in this procedure).
2. Select Device > User Identification > User Mapping and edit the Palo Alto Networks User-ID Agent Setup.
3. Select Syslog Filters and Add a Syslog Parse profile.
4. Enter a name to identify the Syslog Parse Profile.
5. Select the Type of parsing to find login or logout events in syslog messages:
   - Regex Identifier: Regular expressions.
   - Field Identifier: Text strings.
   The following steps describe how to configure these parsing types.


Step 3. (Regex Identifier parsing only) Define the regex matching patterns.
NOTE: If the syslog message contains a standalone space or tab as a delimiter, use \s for a space and \t for a tab.
1. Enter the Event Regex for the type of events you want to find:
   - Login events: For the example message, the regex (authentication\ success){1} extracts the first {1} instance of the string authentication success.
   - Logout events: For the example message, the regex (logout\ successful){1} extracts the first {1} instance of the string logout successful.
   The backslash (\) before the space is a standard regex escape character that instructs the regex engine not to treat the space as a special character.
2. Enter the Username Regex to identify the start of the username.
   In the example message, the regex User:([a-zA-Z0-9\\\._]+) matches the string User:johndoe1 and identifies johndoe1 as the username. The character class also admits a backslash, a period and an underscore, so a domain\user value is captured whole; the capture stops at the first character outside the class, so a username containing other characters (a hyphen, for example) would be truncated unless you extend the class.
3. Enter the Address Regex to identify the IP address portion of syslog messages.
   In the example message, the regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) matches the IPv4 address Source:192.168.3.212.
   The following is an example of a completed Syslog Parse profile that uses regex to identify login events (figure not reproduced here).
4. Click OK twice to save the profile.


Step 4. (Field Identifier parsing only) Define string matching patterns.
1. Enter an Event String to identify the type of events you want to find.
   - Login events: For the example message, the string authentication success identifies login events.
   - Logout events: For the example message, the string logout successful identifies logout events.
2. Enter a Username Prefix to identify the start of the username field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab).
   In the example messages, User: identifies the start of the username field.
3. Enter the Username Delimiter that indicates the end of the username field in syslog messages. Use \s to indicate a standalone space (as in the sample message) and \t to indicate a tab.
4. Enter an Address Prefix to identify the start of the IP address field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab).
   In the example messages, Source: identifies the start of the address field.
5. Enter the Address Delimiter that indicates the end of the IP address field in syslog messages. For example, enter \n to indicate the delimiter is a line break.
   The following is an example of a completed Syslog Parse profile that uses string matching to identify login events (figure not reproduced here).
6. Click OK twice to save the profile.
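Before committing a Syslog Parse profile on a firewall, it is worth checking offline that the patterns from Step 3 and the prefix/delimiter strings from Step 4 pull the same username and address out of a real message, and that a failed login does not create a mapping. The following Python example is added here and is not code from the guide or from PAN-OS: it models both parsing types, runs them over the guide's two example messages plus one constructed authentication-failure message, and replays the resulting login and logout events into an IP-to-user table the way the firewall adds and deletes mappings. The regex and field values are exactly those given above; that profiles are applied independently to each message, and that the end of a message counts as the line break for a \n delimiter, are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# The guide's two example messages plus a constructed failed-login line (assumed format).
SAMPLE_MESSAGES = [
    "[Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212",
    "[Tue Jul 5 13:18:05 2016 CDT] User logout successful User:johndoe1 Source:192.168.3.212",
    "[Tue Jul 5 13:20:11 2016 CDT] Administrator authentication failure User:mallory Source:10.9.8.7",
]


@dataclass(frozen=True)
class MappingEvent:
    event_type: str  # "login" or "logout"
    user: str
    ip: str


@dataclass
class RegexProfile:
    """A Syslog Parse profile of type Regex Identifier (the three regex fields of Step 3)."""
    event_type: str
    event_regex: str
    username_regex: str
    address_regex: str

    def parse(self, msg: str) -> Optional[MappingEvent]:
        if re.search(self.event_regex, msg) is None:
            return None  # not the event this profile is looking for
        user = re.search(self.username_regex, msg)
        addr = re.search(self.address_regex, msg)
        if user is None or addr is None:
            return None
        return MappingEvent(self.event_type, user.group(1), addr.group(1))


# The GUI accepts \s, \t and \n in delimiter fields; map them to the real characters.
_DELIMITERS = {r"\s": " ", r"\t": "\t", r"\n": "\n"}


@dataclass
class FieldProfile:
    """A Syslog Parse profile of type Field Identifier (the prefix/delimiter strings of Step 4)."""
    event_type: str
    event_string: str
    username_prefix: str
    username_delimiter: str
    address_prefix: str
    address_delimiter: str

    @staticmethod
    def _field(msg: str, prefix: str, delimiter: str) -> Optional[str]:
        start = msg.find(prefix)
        if start < 0:
            return None
        start += len(prefix)
        end = msg.find(_DELIMITERS.get(delimiter, delimiter), start)
        # Assumption: the end of the message counts as a line break for a \n delimiter.
        return msg[start:] if end < 0 else msg[start:end]

    def parse(self, msg: str) -> Optional[MappingEvent]:
        if self.event_string not in msg:
            return None
        user = self._field(msg, self.username_prefix, self.username_delimiter)
        addr = self._field(msg, self.address_prefix, self.address_delimiter)
        if not user or not addr:
            return None
        return MappingEvent(self.event_type, user, addr)


# Exactly the patterns and strings the guide gives for its example messages.
USERNAME_REGEX = r"User:([a-zA-Z0-9\\\._]+)"
ADDRESS_REGEX = r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"
REGEX_PROFILES = [
    RegexProfile("login", r"(authentication\ success){1}", USERNAME_REGEX, ADDRESS_REGEX),
    RegexProfile("logout", r"(logout\ successful){1}", USERNAME_REGEX, ADDRESS_REGEX),
]
FIELD_PROFILES = [
    FieldProfile("login", "authentication success", "User:", r"\s", "Source:", r"\n"),
    FieldProfile("logout", "logout successful", "User:", r"\s", "Source:", r"\n"),
]


def extract_events(messages: Sequence[str], profiles: Sequence) -> List[MappingEvent]:
    """Run every profile over every message; a message yields one event per profile that matches."""
    events: List[MappingEvent] = []
    for msg in messages:
        for profile in profiles:
            ev = profile.parse(msg)
            if ev is not None:
                events.append(ev)
    return events


def apply_events(events: Sequence[MappingEvent]) -> Dict[str, str]:
    """Replay login/logout events into an IP->user table: logins add, logouts delete."""
    table: Dict[str, str] = {}
    for ev in events:
        if ev.event_type == "login":
            table[ev.ip] = ev.user
        elif ev.event_type == "logout" and table.get(ev.ip) == ev.user:
            del table[ev.ip]  # only drop the mapping this logout actually refers to
    return table


if __name__ == "__main__":
    events = extract_events(SAMPLE_MESSAGES, REGEX_PROFILES)
    for ev in events:
        print(ev)
    print("after login only:", apply_events(events[:1]))
    print("after logout too:", apply_events(events))
```

The failed-login line produces no event under either profile type because neither "authentication success" nor "logout successful" occurs in it; if you later widen the Event Regex, re-run this kind of check so that failures do not start creating mappings.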


Step 5. Specify the syslog senders that the firewall monitors.
Within the total maximum of 100 monitored servers per firewall, you can define no more than 50 syslog senders for any single virtual system.
The firewall discards any syslog messages received from senders that are not on this list.
1. Select Device > User Identification > User Mapping and Add an entry to the Server Monitoring list.
2. Enter a Name to identify the sender.
3. Make sure the sender profile is Enabled (default is enabled).
4. Set the Type to Syslog Sender.
5. Enter the Network Address of the syslog sender (IP address or FQDN).
6. Select SSL (default) or UDP as the Connection Type.
   Use caution when using UDP to receive syslog messages: it is an unreliable protocol and there is no way to verify that a message was sent from a trusted syslog sender. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, always use SSL to listen for syslog messages when using agentless user mapping on a firewall. If you must use UDP, make sure that the syslog sender and the firewall are both on a dedicated, secure network to prevent untrusted hosts from sending UDP traffic to the firewall.
   A syslog sender using SSL to connect will show a Status of Connected only when there is an active SSL connection. Syslog senders using UDP will not show a Status value.
7. For each syslog format that the sender supports, Add a Syslog Parse profile to the Filter list. Select the Event Type that each profile is configured to identify: login (default) or logout.
8. (Optional) If the syslog messages don't contain domain information and your user mappings require domain names, enter a Default Domain Name to append to the mappings.
9. Click OK to save the settings.


Step 6  Enable syslog listener services on the interface that the firewall uses to collect user mappings.
1. Select Network > Network Profiles > Interface Mgmt and edit an existing Interface Management profile or Add a new profile.
2. Select User-ID Syslog Listener-SSL or User-ID Syslog Listener-UDP or both, based on the protocols you defined for the syslog senders in the Server Monitoring list.
   NOTE: The listening ports (514 for UDP and 6514 for SSL) are not configurable; they are enabled through the management service only.
3. Click OK to save the interface management profile.
   NOTE: Even after enabling the User-ID Syslog Listener service on the interface, the interface only accepts syslog connections from senders that have a corresponding entry in the User-ID monitored servers configuration. The firewall discards connections or messages from senders that are not on the list.
4. Assign the Interface Management profile to the interface that the firewall uses to collect user mappings:
   a. Select Network > Interfaces and edit the interface.
   b. Select Advanced > Other info, select the Interface Management Profile you just added, and click OK.
5. Commit your changes.

Step 7  Verify that the firewall adds and deletes user mappings when users log in and out.
You can use CLI commands to see additional information about syslog senders, syslog messages, and user mappings.
1. Log in to a client system for which a monitored syslog sender generates login and logout event messages.
2. Log in to the firewall CLI.
3. Verify that the firewall mapped the login username to the client IP address:
   > show user ip-user-mapping ip <ip-address>
   IP address: 192.0.2.1 (vsys1)
   User: localdomain\username
   From: SYSLOG
4. Log out of the client system.
5. Verify that the firewall deleted the user mapping:
   > show user ip-user-mapping ip <ip-address>
   No matched record

Configure the Windows User-ID Agent as a Syslog Listener

To configure the Windows-based User-ID agent to create new user mappings and remove outdated mappings through syslog monitoring, start by defining Syslog Parse profiles. The User-ID agent uses the profiles to find login and logout events in syslog messages. In environments where syslog senders (the network services that authenticate users) deliver syslog messages in different formats, configure a profile for each syslog format. Syslog messages must meet certain criteria for a User-ID agent to parse them (see Syslog). This procedure uses examples with the following formats:
- Login events: [Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
- Logout events: [Tue Jul 5 13:18:05 2016 CDT] User logout successful User:johndoe1 Source:192.168.3.212

After configuring the Syslog Parse profiles, you specify the syslog senders that the User-ID agent monitors.


The Windows User-ID agent accepts syslogs over TCP and UDP only. However, you must use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog sender. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, use TCP instead of UDP. In either case, make sure that the syslog sender and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending syslogs to the User-ID agent.

Configure the Windows-Based User-ID Agent to Collect User Mappings from Syslog Senders

Step 1  Deploy the Windows-based User-ID agents if you haven't already.
1. Install the Windows-Based User-ID Agent.
2. Configure the firewall to connect to the User-ID agent.

Step 2  Define custom Syslog Parse profiles to create and delete user mappings.
Each profile filters syslog messages to identify either login events (to create user mappings) or logout events (to delete mappings), but no single profile can do both.
1. Review the syslog messages that the syslog sender generates to identify the syntax for login and logout events. This enables you to define the matching patterns when creating Syslog Parse profiles.
   While reviewing syslog messages, also determine whether they include the domain name. If they don't, and your user mappings require domain names, enter the Default Domain Name when defining the syslog senders that the User-ID agent monitors (later in this procedure).
2. Open the Windows Start menu and select User-ID Agent.
3. Select User Identification > Setup and Edit the Setup.
4. Select Syslog, Enable Syslog Service, and Add a Syslog Parse profile.
5. Enter a Profile Name and Description.
6. Select the Type of parsing to find login and logout events in syslog messages:
   - Regex: Regular expressions.
   - Field: Text strings.
   The following steps describe how to configure these parsing types.


Step 3  (Regex parsing only) Define the regex matching patterns.
If the syslog message contains a standalone space or tab as a delimiter, use \s for a space and \t for a tab.
1. Enter the Event Regex for the type of events you want to find:
   - Login events: For the example message, the regex (authentication\ success){1} extracts the first {1} instance of the string "authentication success".
   - Logout events: For the example message, the regex (logout\ successful){1} extracts the first {1} instance of the string "logout successful".
   The backslash before the space is a standard regex escape character that instructs the regex engine not to treat the space as a special character.
2. Enter the Username Regex to identify the start of the username. In the example message, the regex User:([a-zA-Z0-9\\\._]+) matches the string User:johndoe1 and identifies johndoe1 as the username.
3. Enter the Address Regex to identify the IP address portion of syslog messages. In the example message, the regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) matches the IPv4 address Source:192.168.3.212.
   The following is an example of a completed Syslog Parse profile that uses regex to identify login events:
4. Click OK twice to save the profile.


Step 4  (Field Identifier parsing only) Define string matching patterns.
1. Enter an Event String to identify the type of events you want to find.
   - Login events: For the example message, the string "authentication success" identifies login events.
   - Logout events: For the example message, the string "logout successful" identifies logout events.
2. Enter a Username Prefix to identify the start of the username field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the example messages, "User:" identifies the start of the username field.
3. Enter the Username Delimiter that indicates the end of the username field in syslog messages. Use \s to indicate a standalone space (as in the sample message) and \t to indicate a tab.
4. Enter an Address Prefix to identify the start of the IP address field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the example messages, "Source:" identifies the start of the address field.
5. Enter the Address Delimiter that indicates the end of the IP address field in syslog messages. For example, enter \n to indicate the delimiter is a line break.
   The following is an example of a completed Syslog Parse profile that uses string matching to identify login events:
6. Click OK twice to save the profile.
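The Regex profile of Step 3 and the Field Identifier profile of Step 4 (the same two parsing types appear in the PAN-OS integrated agent procedure earlier on this page) can be exercised offline against the two sample messages this procedure uses. The following Python script is an added example, not code from Palo Alto Networks or from the User-ID agent: it reimplements the two parsing types as the steps describe them, applies the page's own regexes and prefix/delimiter strings to constructed copies of the sample login and logout messages, and adds two checks a practitioner would want: it rejects a captured address that is not a valid IP (the address regex alone also accepts 999.1.1.1) and it prepends the Default Domain Name when the username carries no domain. The translation of \s, \t and \n into characters, the validation step and the domain\user format are assumptions about the agent's behaviour, not documented behaviour.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed copies of the two sample messages this procedure uses.
LOGIN_MSG = ("[Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success "
             "User:johndoe1 Source:192.168.3.212")
LOGOUT_MSG = ("[Tue Jul 5 13:18:05 2016 CDT] User logout successful "
              "User:johndoe1 Source:192.168.3.212")


@dataclass
class RegexProfile:
    """Fields of a Regex-type Syslog Parse profile; group 1 of the last two captures the value."""
    event_type: str          # "login" creates a mapping, "logout" deletes one
    event_regex: str
    username_regex: str
    address_regex: str


@dataclass
class FieldProfile:
    """Fields of a Field Identifier-type profile: literal strings, no regex support."""
    event_type: str
    event_string: str
    username_prefix: str
    username_delimiter: str  # \s, \t or \n as typed into the profile
    address_prefix: str
    address_delimiter: str


@dataclass
class Mapping:
    event_type: str
    username: str
    ip: str


def _delimiter(text: str) -> str:
    """Translate the profile's \\s, \\t and \\n notation into the real character (assumed)."""
    return {"\\s": " ", "\\t": "\t", "\\n": "\n"}.get(text, text)


def _between(message: str, prefix: str, delimiter: str) -> Optional[str]:
    """Text after the first `prefix` up to `delimiter`; \\n on a one-line message means end of text."""
    start = message.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = message.find(_delimiter(delimiter), start)
    return message[start:end if end >= 0 else len(message)] or None


def _mapping(event_type: str, username: Optional[str], ip: Optional[str],
             default_domain: str) -> Optional[Mapping]:
    """Reject unusable captures: the address regex also matches 999.1.1.1, so validate it."""
    if username is None or ip is None:
        return None
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    if default_domain and "\\" not in username:    # Default Domain Name (assumed format)
        username = f"{default_domain}\\{username}"
    return Mapping(event_type, username, ip)


def parse_regex(p: RegexProfile, message: str, default_domain: str = "") -> Optional[Mapping]:
    if not re.search(p.event_regex, message):
        return None
    user = re.search(p.username_regex, message)
    addr = re.search(p.address_regex, message)
    return _mapping(p.event_type, user.group(1) if user else None,
                    addr.group(1) if addr else None, default_domain)


def parse_field(p: FieldProfile, message: str, default_domain: str = "") -> Optional[Mapping]:
    if p.event_string not in message:
        return None
    return _mapping(p.event_type,
                    _between(message, p.username_prefix, p.username_delimiter),
                    _between(message, p.address_prefix, p.address_delimiter), default_domain)


def apply_filters(profiles: List[Union[RegexProfile, FieldProfile]], message: str,
                  default_domain: str = "") -> Optional[Mapping]:
    """Like the sender's Filter list: the first profile that matches decides the event."""
    for p in profiles:
        m = (parse_regex if isinstance(p, RegexProfile) else parse_field)(p, message, default_domain)
        if m:
            return m
    return None


# The Regex profiles of Step 3, one per event type (no single profile can do both).
REGEX_LOGIN = RegexProfile("login", r"(authentication\ success){1}",
                           r"User:([a-zA-Z0-9\\\._]+)",
                           r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})")
REGEX_LOGOUT = RegexProfile("logout", r"(logout\ successful){1}",
                            REGEX_LOGIN.username_regex, REGEX_LOGIN.address_regex)
# The Field Identifier profiles of Step 4.
FIELD_LOGIN = FieldProfile("login", "authentication success", "User:", "\\s", "Source:", "\\n")
FIELD_LOGOUT = FieldProfile("logout", "logout successful", "User:", "\\s", "Source:", "\\n")

if __name__ == "__main__":
    for msg in (LOGIN_MSG, LOGOUT_MSG):
        print(apply_filters([REGEX_LOGIN, REGEX_LOGOUT], msg, default_domain="localdomain"))
        print(apply_filters([FIELD_LOGIN, FIELD_LOGOUT], msg))
```

Because no single profile identifies both event types, the login and logout profiles are tried in order, the way the profiles in a sender's Filter list are; a message that matches neither produces no mapping change at all, which is also what you want from a message an attacker injected that does not follow the sender's format.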


Step 5  Specify the syslog senders that the User-ID agent monitors.
Within the total maximum of 100 servers of all types that the User-ID agent can monitor, up to 50 can be syslog senders. The User-ID agent discards any syslog messages received from senders that are not on this list.
1. Select User Identification > Discovery and Add an entry to the Servers list.
2. Enter a Name to identify the sender.
3. Enter the Server Address of the syslog sender (IP address or FQDN).
4. Set the Server Type to Syslog Sender.
5. (Optional) If the syslog messages don't contain domain information and your user mappings require domain names, enter a Default Domain Name to append to the mappings.
6. For each syslog format that the sender supports, Add a Syslog Parse profile to the Filter list. Select the Event Type that you configured each profile to identify, login (default) or logout, and then click OK.
7. Click OK to save the settings.
8. Commit your changes to the User-ID agent configuration.

Step 6  Verify that the User-ID agent adds and deletes user mappings when users log in and out.
You can use CLI commands to see additional information about syslog senders, syslog messages, and user mappings.
1. Log in to a client system for which a monitored syslog sender generates login and logout event messages.
2. Verify that the User-ID agent mapped the login username to the client IP address:
   a. In the User-ID agent, select Monitoring.
   b. Enter the username or IP address in the filter field, Search, and verify that the list displays the mapping.
3. Verify that the firewall received the user mapping from the User-ID agent:
   a. Log in to the firewall CLI.
   b. Run the following command:
      > show user ip-user-mapping ip <ip-address>
      If the firewall received the user mapping, the output resembles the following:
      IP address: 192.0.2.1 (vsys1)
      User: localdomain\username
      From: SYSLOG
4. Log out of the client system.
5. Verify that the User-ID agent removed the user mapping:
   a. In the User-ID agent, select Monitoring.
   b. Enter the username or IP address in the filter field, Search, and verify that the list does not display the mapping.
6. Verify that the firewall deleted the user mapping:
   a. Access the firewall CLI.
   b. Run the following command:
      > show user ip-user-mapping ip <ip-address>
      If the firewall deleted the user mapping, the output displays:
      No matched record


Map IP Addresses to Usernames Using Captive Portal

When a user initiates web traffic (HTTP or HTTPS) that matches an Authentication Policy rule, the firewall prompts the user to authenticate through Captive Portal. This ensures that you know exactly who is accessing your most sensitive applications and data. Based on user information collected during authentication, the firewall creates a new IP address-to-username mapping or updates the existing mapping for that user. This method of user mapping is useful in environments where the firewall cannot learn mappings through other methods such as monitoring servers. For example, you might have users who are not logged in to your monitored domain servers, such as users on Linux clients.
- Captive Portal Authentication Methods
- Captive Portal Modes
- Configure Captive Portal

Captive Portal Authentication Methods

Captive Portal uses the following methods to authenticate users whose web requests match Authentication Policy rules:

Authentication Method  Description

Kerberos SSO: The firewall uses Kerberos single sign-on (SSO) to transparently obtain user credentials from the browser. To use this method, your network requires a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service. The firewall must have a Kerberos account.
    If Kerberos SSO authentication fails, the firewall falls back to NT LAN Manager (NTLM) authentication. If you don't configure NTLM, or NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Authentication policy and Captive Portal configuration.
    Kerberos SSO is preferable to NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and it does not require the firewall to have an administrative account to join the domain.

NT LAN Manager (NTLM): The firewall uses an encrypted challenge-response mechanism to obtain the user credentials from the browser. When configured properly, the browser will transparently provide the credentials to the firewall without prompting the user, but will prompt for credentials if necessary.
    If you use the Windows-based User-ID agent, NTLM responses go directly to the domain controller where you installed the agent.
    If you configure Kerberos SSO authentication, the firewall tries that method first before falling back to NTLM authentication. If the browser can't perform NTLM or if NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Authentication policy and Captive Portal configuration.
    Microsoft Internet Explorer supports NTLM by default. You can configure Mozilla Firefox and Google Chrome to also use NTLM but you can't use NTLM to authenticate non-Windows clients.


Web Form: The firewall redirects web requests to a web form for authentication. For this method, you can configure Authentication policy to use Multi-Factor Authentication (MFA), SAML, Kerberos, TACACS+, RADIUS, or LDAP authentication. Although users have to manually enter their login credentials, this method works with all browsers and operating systems.

Client Certificate Authentication: The firewall prompts the browser to present a valid client certificate to authenticate the user. To use this method, you must provision client certificates on each user system and install the trusted certificate authority (CA) certificate used to issue those certificates on the firewall.


Captive Portal Modes

The Captive Portal mode defines how the firewall captures web requests for authentication:

Mode  Description

Transparent: The firewall intercepts the browser traffic per the Authentication policy rule and impersonates the original destination URL, issuing an HTTP 401 to invoke authentication. However, because the firewall does not have the real certificate for the destination URL, the browser displays a certificate error to users attempting to access a secure site. Therefore, use this mode only when absolutely necessary, such as in Layer 2 or virtual wire deployments.

Redirect: The firewall intercepts unknown HTTP or HTTPS sessions and redirects them to a Layer 3 interface on the firewall using an HTTP 302 redirect to perform authentication. This is the preferred mode because it provides a better end-user experience (no certificate errors). However, it does require additional Layer 3 configuration. Another benefit of the Redirect mode is that it provides for the use of session cookies, which enable the user to continue browsing to authenticated sites without requiring remapping each time the timeouts expire. This is especially useful for users who roam from one IP address to another (for example, from the corporate LAN to the wireless network) because they won't need to re-authenticate when the IP address changes as long as the session stays open.
    If you use Kerberos SSO or NTLM authentication, you must use Redirect mode because the browser will provide credentials only to trusted sites. Redirect mode is also required if you use Multi-Factor Authentication to authenticate Captive Portal users.


Configure Captive Portal

The following procedure shows how to set up Captive Portal authentication by configuring the PAN-OS integrated User-ID agent to redirect web requests that match an Authentication Policy rule to a firewall interface (redirect host). Based on their sensitivity, the applications that users access through Captive Portal require different authentication methods and settings. To accommodate all authentication requirements, you can use default and custom authentication enforcement objects. Each object associates an Authentication rule with an authentication profile and a Captive Portal authentication method.
- Default authentication enforcement objects: Use the default objects if you want to associate multiple Authentication rules with the same global authentication profile. You must configure this authentication profile before configuring Captive Portal, and then assign it in the Captive Portal Settings. For Authentication rules that require Multi-Factor Authentication (MFA), you cannot use default authentication enforcement objects.
- Custom authentication enforcement objects: Use a custom object for each Authentication rule that requires an authentication profile that differs from the global profile. Custom objects are mandatory for Authentication rules that require MFA. To use custom objects, create authentication profiles and assign them to the objects after configuring Captive Portal when you Configure Authentication Policy.
Keep in mind that authentication profiles are necessary only if users authenticate through a Captive Portal Web Form, Kerberos SSO, or NT LAN Manager (NTLM). Alternatively, or in addition to these methods, the following procedure also describes how to implement Client Certificate Authentication.

If you use Captive Portal without the other User-ID functions (user mapping and group mapping), you don't need to configure a User-ID agent.


Configure Captive Portal Using the PAN-OS Integrated User-ID Agent

Step 1  Configure the interfaces that the firewall will use for incoming web requests, authenticating users, and communicating with directory servers to map usernames to IP addresses.
The firewall uses the management (MGT) interface for all these functions by default, but you can configure other interfaces. In redirect mode, you must use a Layer 3 interface for redirecting requests.
1. (MGT interface only) Select Device > Setup > Interfaces, edit the Management interface, select User-ID, and click OK.
2. (Non-MGT interface only) Assign an Interface Management profile to the Layer 3 interface that the firewall will use for incoming web requests and communication with directory servers. You must enable Response Pages and User-ID in the Interface Management profile.
3. (Non-MGT interface only) Configure a service route for the interface that the firewall will use to authenticate users. If the firewall has more than one virtual system (vsys), the service route can be global or vsys-specific. The services must include LDAP and potentially the following:
   - Kerberos, RADIUS, TACACS+, or Multi-Factor Authentication: Configure a service route for any authentication services that you use.
   - UID Agent: Configure this service only if you will enable NT LAN Manager (NTLM) authentication or if you will Enable User- and Group-Based Policy.
4. (Redirect mode only) Create a DNS address (A) record that maps the IP address on the Layer 3 interface to the redirect host. If you will use Kerberos SSO, you must also add a DNS pointer (PTR) record that performs the same mapping.
If your network doesn't support access to the directory servers from any firewall interface, you must Configure User Mapping Using the Windows User-ID Agent.

Step 2  Make sure Domain Name System (DNS) is configured to resolve your domain controller addresses.
To verify proper resolution, ping the server FQDN. For example:
   admin@PA-200> ping host dc1.acme.com


Step 3  Configure clients to trust Captive Portal certificates.
Required for redirect mode to transparently redirect users without displaying certificate errors. You can generate a self-signed certificate or import a certificate that an external certificate authority (CA) signed.
To use a self-signed certificate, create a root CA certificate and use it to sign the certificate you will use for Captive Portal:
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Create a Self-Signed Root CA Certificate or import a CA certificate (see Import a Certificate and Private Key).
3. Generate a Certificate to use for Captive Portal. Be sure to configure the following fields:
   - Common Name: Enter the DNS name of the intranet host for the Layer 3 interface.
   - Signed By: Select the CA certificate you just created or imported.
   - Certificate Attributes: Click Add, for the Type select IP and, for the Value, enter the IP address of the Layer 3 interface to which the firewall will redirect requests.
4. Configure an SSL/TLS Service Profile. Assign the Captive Portal certificate you just created to the profile.
5. Configure clients to trust the certificate:
   a. Export the CA certificate you created or imported.
   b. Import the certificate as a trusted root CA into all client browsers, either by manually configuring the browser or by adding the certificate to the trusted roots in an Active Directory (AD) Group Policy Object (GPO).

Step 4  (Optional) Configure Client Certificate Authentication.
NOTE: You don't need an authentication profile or sequence for client certificate authentication. If you configure both an authentication profile/sequence and certificate authentication, users must authenticate using both.
1. Use a root CA certificate to generate a client certificate for each user who will authenticate through Captive Portal. The CA in this case is usually your enterprise CA, not the firewall.
2. Export the CA certificate in PEM format to a system that the firewall can access.
3. Import the CA certificate onto the firewall: see Import a Certificate and Private Key. After the import, click the imported certificate, select Trusted Root CA, and click OK.
4. Configure a Certificate Profile.
   - In the Username Field drop-down, select the certificate field that contains the user identity information.
   - In the CA Certificates list, click Add and select the CA certificate you just imported.


Step 5  (Optional) Enable NT LAN Manager (NTLM) authentication.
As a best practice, choose Kerberos single sign-on (SSO) or SAML SSO authentication over NTLM authentication. Kerberos and SAML are stronger, more robust authentication methods than NTLM and do not require the firewall to have an administrative account to join the domain. If you do configure NTLM, the PAN-OS integrated User-ID agent must be able to successfully resolve the DNS name of your domain controller to join the domain.
1. If you haven't already done so, Create a Dedicated Service Account for the User-ID Agent.
   As a best practice, use a User-ID agent account that is separate from your firewall administrator account.
2. Select Device > User Identification > User Mapping and edit the Palo Alto Networks User-ID Agent Setup section.
3. Select NTLM and Enable NTLM authentication processing.
4. Enter the NTLM Domain against which the User-ID agent on the firewall will check NTLM credentials.
5. Enter the Admin User Name and Password of the Active Directory account you created for the User-ID agent.
   Do not include the domain in the Admin User Name field. Otherwise, the firewall will fail to join the domain.
6. Click OK to save your settings.


Step 6  Configure the Captive Portal settings.
1. Select Device > User Identification > Captive Portal Settings and edit the settings.
2. Enable Captive Portal (default is enabled).
3. Specify the Timer, which is the maximum time in minutes that the firewall retains an IP address-to-username mapping for a user after that user authenticates through Captive Portal (default is 60; range is 1 to 1,440). After the Timer expires, the firewall removes the mapping and any associated Authentication Timestamps used to evaluate the Timeout in Authentication policy rules.
   When evaluating the Captive Portal Timer and the Timeout value in each Authentication policy rule, the firewall prompts the user to re-authenticate for whichever setting expires first. Upon re-authenticating, the firewall resets the time count for the Captive Portal Timer and records new authentication timestamps for the user. Therefore, to enable different Timeout periods for different Authentication rules, set the Captive Portal Timer to a value the same as or higher than any rule Timeout.
4. Select the SSL/TLS Service Profile you created for redirect requests over TLS. See Configure an SSL/TLS Service Profile.
5. Select the Mode (in this example, Redirect).
6. (Redirect mode only) Specify the Redirect Host, which is the intranet hostname (a hostname with no period in its name) that resolves to the IP address of the Layer 3 interface on the firewall to which web requests are redirected.
7. Select the authentication method to use if NTLM fails (or if you don't use NTLM):
   - To use client certificate authentication, select the Certificate Profile you created.
   - To use global settings for interactive or SSO authentication, select the Authentication Profile you configured.
   - To use Authentication policy rule-specific settings for interactive or SSO authentication, assign authentication profiles to authentication enforcement objects when you Configure Authentication Policy.
8. Click OK and Commit the Captive Portal configuration.

Step 7  Next steps...
The firewall does not display the Captive Portal web form to users until you Configure Authentication Policy rules that trigger authentication when users request services or applications.

Configure User Mapping for Terminal Server Users

Individual terminal server users appear to have the same IP address and therefore an IP address-to-username mapping is not sufficient to identify a specific user. To enable identification of specific users on Windows-based terminal servers, the Palo Alto Networks Terminal Services agent (TS agent) allocates a port range to each user. It then notifies every connected firewall about the allocated port range, which allows the firewall to create an IP address-port-user mapping table and enable user- and group-based security policy enforcement. For non-Windows terminal servers, you can configure the PAN-OS XML API to extract user mapping information.
The following sections describe how to configure user mapping for terminal server users:
- Configure the Palo Alto Networks Terminal Services Agent for User Mapping
- Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

Configure the Palo Alto Networks Terminal Services Agent for User Mapping

Use the following procedure to install and configure the TS agent on the terminal server. To map all your users, you must install the TS agent on all terminal servers that your users log in to.

For information about the terminal servers supported by the TS agent, refer to the Palo Alto Networks Compatibility Matrix.

Configure the Palo Alto Networks Terminal Services Agent for User Mapping

Step 1  Download the TS agent installer.
1. Log in to the Palo Alto Networks Customer Support website.
2. Select Software Updates from the Manage Devices section.
3. Scroll to the Terminal Services Agent section and Download the version of the agent you want to install.
4. Save the TaInstall64.x64-x.x.x-xx.msi or TaInstall-x.x.x-xx.msi file (be sure to select the appropriate version based on whether the Windows system is running a 32-bit OS or a 64-bit OS) on the systems where you plan to install the agent.

Step 2  Run the installer as an administrator.
1. Open the Windows Start menu, right-click the Command Prompt program, and select Run as administrator.
2. From the command line, run the .msi file you downloaded. For example, if you saved the .msi file to the Desktop you would enter the following:
   C:\Users\administrator.acme>cd Desktop
   C:\Users\administrator.acme\Desktop>TaInstall-8.0.0-1.msi
3. Follow the setup prompts to install the agent using the default settings. By default, the agent gets installed to the C:\Program Files (x86)\Palo Alto Networks\Terminal Server Agent folder, but you can Browse to a different location.
4. When the installation completes, Close the setup window.
   NOTE: If you are upgrading to a TS Agent version that has a newer driver than the existing installation, the installation wizard prompts you to reboot the system after upgrading in order to use the new driver.


Step 3  Define the range of ports for the TS Agent to allocate to end users.
NOTE: The System Source Port Allocation Range and System Reserved Source Ports fields specify the range of ports that will be allocated to non-user sessions. Make sure the values specified in these fields do not overlap with the ports you designate for user traffic. These values can only be changed by editing the corresponding Windows registry settings.
1. Open the Windows Start menu and select Terminal Server Agent to launch the Terminal Services agent application.
2. Select Configure in the side menu.
3. Enter the Source Port Allocation Range (default 20000-39999). This is the full range of port numbers that the TS agent will allocate for user mapping. The port range you specify cannot overlap with the System Source Port Allocation Range.
4. (Optional) If there are ports/port ranges within the source port allocation that you do not want the TS Agent to allocate to user sessions, specify them as Reserved Source Ports. To include multiple ranges, use commas with no spaces, for example: 2000-3000,3500,4000-5000.
5. Specify the number of ports to allocate to each individual user upon login to the terminal server in the Port Allocation Start Size Per User field (default 200).
6. Specify the Port Allocation Maximum Size Per User, which is the maximum number of ports the Terminal Services agent can allocate to an individual user.
7. Specify whether to continue processing traffic from the user if the user runs out of allocated ports. By default, the Fail port binding when available ports are used up check box is selected, which indicates that the application will fail to send traffic when all ports are used. To enable users to continue using applications when they run out of ports, clear this check box. Keep in mind that this traffic may not be identified with User-ID.
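Step 3 describes the per-user source port allocation without showing the arithmetic, and the <blockstart>/block size example in the XML API section later on this page (a <blockstart> of 13200 with a block size of 300 covers ports 13200 through 13499) relies on the same arithmetic. The following Python model is an added example, not the TS agent's or the firewall's code: it parses the Reserved Source Ports syntax, hands each user a block of Start Size ports out of the allocation range while skipping reserved ports, grows a user's allocation up to the Maximum Size, applies the "Fail port binding when available ports are used up" choice, and answers the firewall's question of which user owns a given source port. That the agent grows an allocation one start-size block at a time, and the maximum of 2000 used here as a default, are assumptions; the page states only the start size, the maximum and the two outcomes when ports run out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Block = Tuple[int, int]   # inclusive (first_port, last_port)


def parse_reserved(spec: str) -> Set[int]:
    """Parse the Reserved Source Ports syntax: comma-separated, no spaces, e.g. 2000-3000,3500,4000-5000."""
    ports: Set[int] = set()
    for item in filter(None, spec.split(",")):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def block_range(blockstart: int, block_size: int) -> Block:
    """Ports covered by a <blockstart> under the multi-user system's block size: 13200, 300 -> 13200..13499."""
    return blockstart, blockstart + block_size - 1


@dataclass
class PortAllocator:
    """Model of the TS agent's per-user source port allocation (assumed behaviour, not the agent's code)."""
    range_start: int = 20000            # Source Port Allocation Range, default 20000-39999
    range_end: int = 39999
    reserved: Set[int] = field(default_factory=set)   # Reserved Source Ports
    start_size: int = 200               # Port Allocation Start Size Per User
    max_size: int = 2000                # Port Allocation Maximum Size Per User (assumed value)
    fail_when_exhausted: bool = True    # "Fail port binding when available ports are used up"
    blocks: Dict[str, List[Block]] = field(default_factory=dict)

    def _taken(self) -> Set[int]:
        taken = set(self.reserved)
        for user_blocks in self.blocks.values():
            for lo, hi in user_blocks:
                taken.update(range(lo, hi + 1))
        return taken

    def _free_block(self, size: int) -> Optional[Block]:
        """Lowest run of `size` contiguous ports that are neither reserved nor already allocated."""
        taken = self._taken()
        run_start, run_len = None, 0
        for port in range(self.range_start, self.range_end + 1):
            if port in taken:
                run_start, run_len = None, 0
                continue
            run_start = port if run_start is None else run_start
            run_len += 1
            if run_len == size:
                return run_start, port
        return None

    def login(self, user: str) -> Block:
        """On login the user receives one block of start_size ports."""
        blk = self._free_block(self.start_size)
        if blk is None:
            raise RuntimeError("source port allocation range exhausted")
        self.blocks.setdefault(user, []).append(blk)
        return blk

    def grow(self, user: str) -> Optional[Block]:
        """The user used up every allocated port: hand out another block (assumed: start_size at a
        time) unless that would exceed max_size. Otherwise fail the binding or pass traffic unidentified."""
        have = sum(hi - lo + 1 for lo, hi in self.blocks.get(user, []))
        blk = None if have + self.start_size > self.max_size else self._free_block(self.start_size)
        if blk is None:
            if self.fail_when_exhausted:
                raise RuntimeError(f"{user}: port binding failed, no ports left")
            return None     # check box cleared: traffic flows but User-ID cannot attribute it
        self.blocks.setdefault(user, []).append(blk)
        return blk

    def logout(self, user: str) -> None:
        self.blocks.pop(user, None)

    def user_for_port(self, port: int) -> Optional[str]:
        """The firewall's lookup in its IP address-port-user table; None means 'not a user session'."""
        for user, user_blocks in self.blocks.items():
            if any(lo <= port <= hi for lo, hi in user_blocks):
                return user
        return None


if __name__ == "__main__":
    agent = PortAllocator(reserved=parse_reserved("20000-20099"))
    print(agent.login("alice"), agent.login("bob"), agent.user_for_port(20250))
    print(block_range(13200, 300))
```

The lookup shows why the reserved and system ranges must not overlap the user range: a port inside a reserved range has no owner, so the firewall cannot attribute its traffic to a user, and a port that two ranges both claim would have an ambiguous owner.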


Step 4  (Optional) Assign your own certificates for mutual authentication between the TS agent and the firewall.
1. Obtain your certificate for the TS agent from your enterprise PKI or generate one on your firewall. The private key of the server certificate must be encrypted. The certificate must be uploaded in PEM file format.
   - Generate a Certificate and export it for upload to the TS agent.
   - Export a certificate from your enterprise certificate authority (CA) and then upload it to the TS agent.
2. Add a server certificate to the TS agent.
   a. On the TS agent, select Server Certificate and click Add.
   b. Enter the path and name of the certificate file received from the CA or browse to the certificate file.
   c. Enter the private key password.
   d. Click OK and then Commit.
3. Configure and assign the certificate profile for the firewall.
   a. Select Device > Certificate Management > Certificate Profile to Configure a Certificate Profile.
      You can only assign one certificate profile for Windows User-ID agents and TS agents. Therefore, your certificate profile must include all certificate authorities that issued certificates uploaded to connected Windows User-ID and TS agents.
   b. Select Device > User Identification > Connection Security and click the edit button to assign the certificate profile.
   c. Select the certificate profile you configured in the previous step from the User-ID Certificate Profile drop-down.
   d. Click OK.
   e. Commit your changes.

Step 5  Configure the firewall to connect to the Terminal Services agent.
Complete the following steps on each firewall you want to connect to the Terminal Services agent to receive user mappings:
1. Select Device > User Identification > Terminal Server Agents and click Add.
2. Enter a Name for the Terminal Services agent.
3. Enter the IP address of the Windows Host on which the Terminal Services agent is installed.
4. Enter the Port number on which the agent will listen for user mapping requests. This value must match the value configured on the Terminal Services agent. By default, the port is set to 5009 on the firewall and on the agent. If you change it here, you must also change the Listening Port field on the Terminal Services agent Configure screen.
5. Make sure that the configuration is Enabled and then click OK.
6. Commit the changes.
7. Verify that the Connected status displays as connected (a green light).


Step 6  Verify that the Terminal Services agent is successfully mapping IP addresses to usernames and that the firewalls can connect to the agent.
1. Open the Windows Start menu and select Terminal Server Agent.
2. Verify that the firewalls can connect by making sure the Connection Status of each firewall in the Connection List is Connected.
3. Verify that the Terminal Services agent is successfully mapping port ranges to usernames by selecting Monitor in the side menu and making sure that the mapping table is populated.

Step 7  (Windows 2012 R2 servers only) Disable Enhanced Protected Mode in Microsoft Internet Explorer for each user who uses that browser.
This task is not necessary for other browsers such as Google Chrome or Mozilla Firefox.
To disable Enhanced Protected Mode for all users, use Local Security Policy.
Perform these steps on the Windows Server:
1. Start Internet Explorer.
2. Select Internet options > Advanced and scroll down to the Security section.
3. Clear Enable Enhanced Protected Mode.
4. Click OK.
NOTE: In Internet Explorer, Palo Alto Networks recommends that you do not disable Protected Mode, which differs from Enhanced Protected Mode.

Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

The PAN-OS XML API uses standard HTTP requests to send and receive data. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports RESTful services.
To enable a non-Windows terminal server to send user mapping information directly to the firewall, create scripts that extract the user login and logout events and use them for input to the PAN-OS XML API request format. Then define the mechanisms for submitting the XML API request(s) to the firewall using cURL or wget and providing the firewall's API key for secure communication. Creating user mappings from multi-user systems such as terminal servers requires use of the following API messages:
<multiusersystem> Sets up the configuration for an XML API Multi-user System on the firewall. This message allows for definition of the terminal server IP address (this will be the source address for all users on that terminal server). In addition, the <multiusersystem> setup message specifies the range of source port numbers to allocate for user mapping and the number of ports to allocate to each individual user upon login (called the block size). If you want to use the default source port allocation range (1025-65534) and block size (200), you do not need to send a <multiusersystem> setup event to the firewall. Instead, the firewall will automatically generate the XML API Multi-user System configuration with the default settings upon receipt of the first user login event message.
<blockstart> Used with the <login> and <logout> messages to indicate the starting source port number allocated to the user. The firewall then uses the block size to determine the actual range of port numbers to map to the IP address and username in the login message. For example, if the <blockstart> value is 13200 and the block size configured for the multi-user system is 300, the actual source port range allocated to the user is 13200 through 13499. Each connection initiated by the user should use a unique source port number within the allocated range, enabling the firewall to identify the user based on its IP address-port-user mappings for enforcement of user- and group-based security rules. When a user exhausts all the ports allocated, the terminal server must send a new <login> message allocating a new port range for the user so that the firewall can update the IP address-port-user mapping. In addition, a single username can have multiple blocks of ports mapped simultaneously. When the firewall receives a <logout> message that includes a <blockstart> parameter, it removes the corresponding IP address-port-user mapping from its mapping table. When the firewall receives a <logout> message with a username and IP address, but no <blockstart>, it removes the user from its table. And, if the firewall receives a <logout> message with an IP address only, it removes the multi-user system and all mappings associated with it.

The XML files that the terminal server sends to the firewall can contain multiple message types and the messages do not need to be in any particular order within the file. However, upon receiving an XML file that contains multiple message types, the firewall will process them in the following order: multiusersystem requests first, followed by logins, then logouts.

The following workflow provides an example of how to use the PAN-OS XML API to send user mappings from a non-Windows terminal server to the firewall.

Use the PAN-OS XML API to Map Non-Windows Terminal Services Users

Step 1 Generate the API key that will be used to authenticate the API communication between the firewall and the terminal server. To generate the key you must provide login credentials for an administrative account; the API is available to all administrators (including role-based administrators with XML API privileges enabled).
NOTE: Any special characters in the password must be URL/percent-encoded.
From a browser, log in to the firewall. Then, to generate the API key for the firewall, open a new browser window and enter the following URL:
https://<Firewall-IPaddress>/api/?type=keygen&user=<username>&password=<password>
Where <Firewall-IPaddress> is the IP address or FQDN of the firewall and <username> and <password> are the credentials for the administrative user account on the firewall. For example:
https://10.1.2.5/api/?type=keygen&user=admin&password=admin
The firewall responds with a message containing the key, for example:
<response status="success">
  <result>
    <key>k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg=</key>
  </result>
</response>

Step 2 (Optional) Generate a setup message that the terminal server will send to specify the port range and block size of ports per user that your terminal services agent uses. If the terminal services agent does not send a setup message, the firewall will automatically create a Terminal Services agent configuration using the following default settings upon receipt of the first login message:
Default port range: 1025 to 65534
Per-user block size: 200
Maximum number of multi-user systems: 1,000
The following shows a sample setup message:
<uid-message>
  <payload>
    <multiusersystem>
      <entry ip="10.1.1.23" startport="20000" endport="39999" blocksize="100">
    </multiusersystem>
  </payload>
  <type>update</type>
  <version>1.0</version>
</uid-message>
where entry ip specifies the IP address assigned to terminal server users, startport and endport specify the port range to use when assigning ports to individual users, and blocksize specifies the number of ports to assign to each user. The maximum blocksize is 4000 and each multi-user system can allocate a maximum of 1000 blocks.
If you define a custom block size and/or port range, keep in mind that you must configure the values such that every port in the range gets allocated and that there are no gaps or unused ports. For example, if you set the port range to 1000-1499, you could set the block size to 100, but not to 200. This is because if you set it to 200, there would be unused ports at the end of the range.

Step 3 Create a script that will extract the login events and create the XML input file to send to the firewall.
Make sure the script enforces assignment of port number ranges at fixed boundaries with no port overlaps. For example, if the port range is 1000-1999 and the block size is 200, acceptable blockstart values would be 1000, 1200, 1400, 1600, or 1800. Blockstart values of 1001, 1300, or 1850 would be unacceptable because some of the port numbers in the range would be left unused.
NOTE: The login event payload that the terminal server sends to the firewall can contain multiple login events.
The following shows the input file format for a PAN-OS XML login event:
<uid-message>
  <payload>
    <login>
      <entry name="acme\jjaso" ip="10.1.1.23" blockstart="20000">
      <entry name="acme\jparker" ip="10.1.1.23" blockstart="20100">
      <entry name="acme\ccrisp" ip="10.1.1.23" blockstart="21000">
    </login>
  </payload>
  <type>update</type>
  <version>1.0</version>
</uid-message>
The firewall uses this information to populate its user mapping table. Based on the mappings extracted from the example above, if the firewall received a packet with a source address and port of 10.1.1.23:20101, it would map the request to user jparker for policy enforcement.
NOTE: Each multi-user system can allocate a maximum of 1,000 port blocks.

Step 4 Create a script that will extract the logout events and create the XML input file to send to the firewall.
Upon receipt of a logout event message with a blockstart parameter, the firewall removes the corresponding IP address-port-user mapping. If the logout message contains a username and IP address, but no blockstart parameter, the firewall removes all mappings for the user. If the logout message contains an IP address only, the firewall removes the multi-user system and all associated mappings.
The following shows the input file format for a PAN-OS XML logout event:
<uid-message>
  <payload>
    <logout>
      <entry name="acme\jjaso" ip="10.1.1.23" blockstart="20000">
      <entry name="acme\ccrisp" ip="10.1.1.23">
      <entry ip="10.2.5.4">
    </logout>
  </payload>
  <type>update</type>
  <version>1.0</version>
</uid-message>
NOTE: You can also clear the multi-user system entry from the firewall using the following CLI command: clear xml-api multiusersystem

Step 5 Make sure that the scripts you create include a way to dynamically enforce that the port block range allocated using the XML API matches the actual source port assigned to the user on the terminal server and that the mapping is removed when the user logs out or the port allocation changes.
One way to do this would be to use netfilter NAT rules to hide user sessions behind the specific port ranges allocated via the XML API based on the uid. For example, to ensure that a user with the user ID jjaso is mapped to a source network address translation (SNAT) value of 10.1.1.23:20000-20099, the script you create should include the following:
[root@ts1 ~]# iptables -t nat -A POSTROUTING -m owner --uid-owner jjaso -p tcp -j SNAT --to-source 10.1.1.23:20000-20099
Similarly, the scripts you create should also ensure that the IP table routing configuration dynamically removes the SNAT mapping when the user logs out or the port allocation changes:
[root@ts1 ~]# iptables -t nat -D POSTROUTING 1

Step 6 Define how to package the XML input files containing the setup, login, and logout events into wget or cURL messages for transmission to the firewall.
To apply the files to the firewall using wget (the URL is quoted so that the shell does not treat the & characters as command separators):
> wget --post-file=<filename> "https://<Firewall-IPaddress>/api/?type=user-id&key=<key>&file-name=<input_filename.xml>&client=wget&vsys=<VSYS_name>"
For example, the syntax for sending an input file named login.xml to the firewall at 10.2.5.11 using key k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg using wget would look as follows:
> wget --post-file=login.xml "https://10.2.5.11/api/?type=user-id&key=k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg&file-name=login.xml&client=wget&vsys=vsys1"
To apply the file to the firewall using cURL:
> curl --form file=@<filename> "https://<Firewall-IPaddress>/api/?type=user-id&key=<key>&vsys=<VSYS_name>"
For example, the syntax for sending an input file named login.xml to the firewall at 10.2.5.11 using key k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg using cURL would look as follows:
> curl --form file=@login.xml "https://10.2.5.11/api/?type=user-id&key=k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg&vsys=vsys1"

Step 7 Verify that the firewall is successfully receiving login events from the terminal servers.
Verify the configuration by opening an SSH connection to the firewall and then running the following CLI commands:
To verify if the terminal server is connecting to the firewall over XML:
admin@PA-5050> show user xml-api multiusersystem
Host Vsys Users Blocks
----------------------------------------
10.5.204.43 vsys1 5 2
To verify that the firewall is receiving mappings from a terminal server over XML:
admin@PA-5050> show user ip-port-user-mapping all

Global max host index 1, host hash count 1

XML API Multi-user System 10.5.204.43


Vsys 1, Flag 3
Port range: 20000 - 39999
Port size: start 200; max 2000
Block count 100, port count 20000
20000-20199: acme\administrator

Total host: 1
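The block-boundary rule from Step 3 and the logout semantics from Step 4, as an added Python example (not Palo Alto Networks code): it builds the <uid-message> files a terminal-server script would send, refuses blockstart values that are not on block boundaries, and replays the messages against a small model of the firewall's IP address-port-user table in the order the firewall applies them (multiusersystem, login, logout). The sample IPs, names and ports are the guide's own; the table model is hypothetical, and how the real firewall treats a misaligned blockstart is not stated in the guide and is not modelled.

```python
import xml.etree.ElementTree as ET

# Defaults and limits the guide states for an XML API multi-user system.
DEFAULT_START, DEFAULT_END, DEFAULT_BLOCKSIZE = 1025, 65534, 200
MAX_BLOCKSIZE, MAX_BLOCKS = 4000, 1000


def valid_blockstarts(startport, endport, blocksize):
    """Blockstart values that tile the port range with no unused ports (the Step 3
    rule); empty when the range/blocksize pair cannot tile, e.g. 1000-1499 with
    blocksize 200 (the default 1025-65534/200 pair does not tile exactly either)."""
    span = endport - startport + 1
    if not 1 <= blocksize <= MAX_BLOCKSIZE or span % blocksize or span // blocksize > MAX_BLOCKS:
        return []
    return list(range(startport, endport + 1, blocksize))


def uid_message(sections):
    """Serialise a <uid-message>; `sections` is [(kind, [attribute dicts])]
    with kind one of multiusersystem, login, logout."""
    root = ET.Element("uid-message")
    payload = ET.SubElement(root, "payload")
    for kind, entries in sections:
        section = ET.SubElement(payload, kind)
        for attrs in entries:
            ET.SubElement(section, "entry", {k: str(v) for k, v in attrs.items()})
    ET.SubElement(root, "type").text = "update"
    ET.SubElement(root, "version").text = "1.0"
    return ET.tostring(root, encoding="unicode")


def login_message(ip, startport, endport, blocksize, users):
    """Login file a terminal-server script would send; refuses any blockstart
    that is not on a block boundary. `users` is [(name, blockstart)]."""
    for name, blockstart in users:
        if blockstart not in valid_blockstarts(startport, endport, blocksize):
            raise ValueError(f"{name}: blockstart {blockstart} is not a boundary "
                             f"of {startport}-{endport} with blocksize {blocksize}")
    return uid_message([("login", [{"name": n, "ip": ip, "blockstart": b}
                                   for n, b in users])])


class MultiUserSystemTable:
    """Hypothetical model (not firewall code) of the firewall's IP-port-user
    table for XML API multi-user systems, following the semantics above."""

    def __init__(self):
        # ip -> {"range": (start, end), "blocksize": n, "blocks": {blockstart: user}}
        self.systems = {}

    def _system(self, ip):
        # No setup message seen: created with the defaults on the first login.
        return self.systems.setdefault(ip, {"range": (DEFAULT_START, DEFAULT_END),
                                            "blocksize": DEFAULT_BLOCKSIZE, "blocks": {}})

    def apply(self, xml_text):
        """Process one file in the firewall's order: multiusersystem entries,
        then logins, then logouts, whatever their order in the file."""
        payload = ET.fromstring(xml_text).find("payload")
        for e in payload.findall("multiusersystem/entry"):
            self.systems[e.get("ip")] = {
                "range": (int(e.get("startport")), int(e.get("endport"))),
                "blocksize": int(e.get("blocksize")), "blocks": {}}
        for e in payload.findall("login/entry"):
            self._system(e.get("ip"))["blocks"][int(e.get("blockstart"))] = e.get("name")
        for e in payload.findall("logout/entry"):
            ip, name, blockstart = e.get("ip"), e.get("name"), e.get("blockstart")
            if ip not in self.systems:
                continue
            blocks = self.systems[ip]["blocks"]
            if blockstart is not None:       # one IP address-port-user mapping
                blocks.pop(int(blockstart), None)
            elif name is not None:           # every block held by that user
                for b in [b for b, u in blocks.items() if u == name]:
                    del blocks[b]
            else:                            # IP only: the whole multi-user system
                del self.systems[ip]

    def lookup(self, ip, port):
        """User a packet from ip:port is attributed to, or None if unmapped."""
        system = self.systems.get(ip)
        if system is None:
            return None
        for blockstart, user in system["blocks"].items():
            if blockstart <= port < blockstart + system["blocksize"]:
                return user
        return None


def demo():
    """Replay the guide's Step 2-4 sample messages (constructed here) and
    return who three packets map to after jjaso's block is logged out."""
    table = MultiUserSystemTable()
    table.apply(uid_message([("multiusersystem", [
        {"ip": "10.1.1.23", "startport": 20000, "endport": 39999, "blocksize": 100}])]))
    table.apply(login_message("10.1.1.23", 20000, 39999, 100, [
        ("acme\\jjaso", 20000), ("acme\\jparker", 20100), ("acme\\ccrisp", 21000)]))
    before = table.lookup("10.1.1.23", 20101)       # acme\jparker, as in Step 3
    table.apply(uid_message([("logout", [
        {"name": "acme\\jjaso", "ip": "10.1.1.23", "blockstart": 20000}])]))
    return before, table.lookup("10.1.1.23", 20050), table.lookup("10.1.1.23", 21099)
```

The strings that uid_message() and login_message() return are what Step 6 posts to the firewall with wget or cURL; demo() returns ("acme\\jparker", None, "acme\\ccrisp").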

Send User Mappings to User-ID Using the XML API

User-ID provides many out-of-the-box methods for obtaining user mapping information. However, you might have applications or devices that capture user information but cannot natively integrate with User-ID. For example, you might have a custom, internally developed application or a device that no standard user mapping method supports. In such cases, you can use the PAN-OS XML API to create custom scripts that send the information to the PAN-OS integrated User-ID agent or directly to the firewall. The PAN-OS XML API uses standard HTTP requests to send and receive data. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports POST and GET requests.
To enable an external system to send user mapping information to the PAN-OS integrated User-ID agent, create scripts that extract user login and logout events and use the events as input to the PAN-OS XML API request. Then define the mechanisms for submitting the XML API requests to the firewall (using cURL, for example) and use the API key of the firewall for secure communication. For more details, refer to the PAN-OS XML API Usage Guide.

Enable User- and Group-Based Policy

After you Enable User-ID, you will be able to configure Security policy that applies to specific users and groups. User-based policy controls can also include application information (including which category and subcategory it belongs in, its underlying technology, or what the application characteristics are). You can define policy rules to safely enable applications based on users or groups of users, in either outbound or inbound directions.
Examples of user-based policies include:
Enable only the IT department to use tools such as SSH, telnet, and FTP on standard ports.
Allow the Help Desk Services group to use Slack.
Allow all users to read Facebook, but block the use of Facebook apps, and restrict posting to employees in marketing.

Enable Policy for Users with Multiple Accounts

If a user in your organization has multiple responsibilities, that user might have multiple usernames (accounts), each with distinct privileges for accessing a particular set of services, but with all the usernames sharing the same IP address (the client system of the user). However, the User-ID agent can map any one IP address (or IP address and port range for terminal server users) to only one username for enforcing policy, and you can't predict which username the agent will map. To control access for all the usernames of a user, you must make adjustments to the rules, user groups, and User-ID agent.
For example, say the firewall has a rule that allows username corp_user to access email and a rule that allows username admin_user to access a MySQL server. The user logs in with either username from the same client IP address. If the User-ID agent maps the IP address to corp_user, then whether the user logs in as corp_user or admin_user, the firewall identifies that user as corp_user and allows access to email but not the MySQL server. On the other hand, if the User-ID agent maps the IP address to admin_user, the firewall always identifies the user as admin_user regardless of login and allows access to the MySQL server but not email. The following steps describe how to enforce both rules in this example.

Enable Policy for a User with Multiple Accounts

Step 1 Configure a user group for each service that requires distinct access privileges. In this example, each group is for a single service (email or MySQL server). However, it is common to configure each group for a set of services that require the same privileges (for example, one group for all basic user services and one group for all administrative services).
If your organization already has user groups that can access the services that the user requires, simply add the username that is used for less restricted services to those groups. In this example, the email server requires less restricted access than the MySQL server, and corp_user is the username for accessing email. Therefore, you add corp_user to a group that can access email (corp_employees) and to a group that can access the MySQL server (network_services).
If adding a username to a particular existing group would violate your organizational practices, you can create a custom group based on an LDAP filter. For this example, say network_services is a custom group, which you configure as follows:
1. Select Device > User Identification > Group Mapping Settings and Add a group mapping configuration with a unique Name.
2. Select an LDAP Server Profile and ensure the Enabled check box is enabled.
3. Select the Custom Group tab and Add a custom group with network_services as a Name.
4. Specify an LDAP Filter that matches an LDAP attribute of corp_user and click OK.
5. Click OK and Commit.
NOTE: Later, if other users that are in the group for less restricted services are given additional usernames that access more restricted services, you can add those usernames to the group for more restricted services. This scenario is more common than the inverse; a user with access to more restricted services usually already has access to less restricted services.

Step 2 Configure the rules that control user access based on the groups you just configured.
Enable user- and group-based policy enforcement.
1. Configure a security rule that allows the corp_employees group to access email.
2. Configure a security rule that allows the network_services group to access the MySQL server.

Step 3 Configure the ignore list of the User-ID agent. This ensures that the User-ID agent maps the client IP address only to the username that is a member of the groups assigned to the rules you just configured. The ignore list must contain all the usernames of the user that are not members of those groups.
In this example, you add admin_user to the ignore list of the Windows-based User-ID agent to ensure that it maps the client IP address to corp_user. This guarantees that, whether the user logs in as corp_user or admin_user, the firewall identifies the user as corp_user and applies both rules that you configured because corp_user is a member of the groups that the rules reference.
1. Create an ignore_user_list.txt file.
2. Open the file and add admin_user. If you later add more usernames, each must be on a separate line.
3. Save the file to the User-ID agent folder on the domain server where the agent is installed.
NOTE: If you use the PAN-OS integrated User-ID agent, see Configure User Mapping Using the PAN-OS Integrated User-ID Agent for instructions on how to configure the ignore list.

Step 4 Configure endpoint authentication for the restricted services. This enables the endpoint to verify the credentials of the user and preserves the ability to enable access for users with multiple usernames.
In this example, you have configured a firewall rule that allows corp_user, as a member of the network_services group, to send a service request to the MySQL server. You must now configure the MySQL server to respond to any unauthorized username (such as corp_user) by prompting the user to enter the login credentials of an authorized username (admin_user).
NOTE: If the user logs in to the network as admin_user, the user can then access the MySQL server without it prompting for the admin_user credentials again.
In this example, both corp_user and admin_user have email accounts, so the email server won't prompt for additional credentials regardless of which username the user entered when logging in to the network.
The firewall is now ready to enforce rules for a user with multiple usernames.

Verify the User-ID Configuration

After you configure user and group mapping, enable User-ID in your Security policy, and configure Authentication policy, you should verify that User-ID works properly.

Verify the User-ID Configuration

Step 1 Access the firewall CLI.

Step 2 Verify that group mapping is working.
From the CLI, enter the following operational command:
> show user group-mapping statistics

Step 3 Verify that user mapping is working.
If you are using the PAN-OS integrated User-ID agent, you can verify this from the CLI using the following command:
> show user ip-user-mapping-mp all
IP Vsys From User Timeout (sec)
------------------------------------------------------
192.168.201.1 vsys1 UIA acme\george 210
192.168.201.11 vsys1 UIA acme\duane 210
192.168.201.50 vsys1 UIA acme\betsy 210
192.168.201.10 vsys1 UIA acme\administrator 210
192.168.201.100 vsys1 AD acme\administrator 748
Total: 5 users
*: WMI probe succeeded

Step 4 Test your Security policy rule.
From a machine in the zone where User-ID is enabled, attempt to access sites and applications to test the rules you defined in your policy and ensure that traffic is allowed and denied as expected.
You can also use the test security-policy-match operational command to determine whether the policy is configured correctly. For example, suppose you have a rule that blocks user duane from playing World of Warcraft; you could test the policy as follows:
> test security-policy-match application
worldofwarcraft source-user acme\duane source any
destination any destination-port any protocol 6
"deny worldofwarcraft" {
from corporate;
source any;
source-region any;
to internet;
destination any;
destination-region any;
user acme\duane;
category any;
application/service worldofwarcraft;
action deny;
terminal no;
}

Step 5 Test your Authentication policy and Captive Portal configuration.
1. From the same zone, go to a machine that is not a member of your directory, such as a Mac OS system, and try to ping to a system external to the zone. The ping should work without requiring authentication.
2. From the same machine, open a browser and navigate to a website in a destination zone that matches an Authentication rule you defined. The Captive Portal web form should display and prompt you for login credentials.
3. Log in using the correct credentials and confirm that you are redirected to the requested page.
4. You can also test your Authentication policy using the test cp-policy-match operational command as follows:
> test cp-policy-match from corporate to internet
source 192.168.201.10 destination 8.8.8.8
Matched rule: 'captive portal' action: web-form

Step 6 Verify that the log files display usernames.
Select a logs page (such as Monitor > Logs > Traffic) and verify that the Source User column displays usernames.

Step 7 Verify that reports display usernames.
1. Select Monitor > Reports.
2. Select a report type that includes usernames. For example, the Denied Applications report, Source User column, should display a list of the users who attempted to access the applications.

Deploy User-ID in a Large-Scale Network

A large-scale network can have hundreds of information sources that firewalls query to map IP addresses to usernames and to map usernames to user groups. You can simplify User-ID administration for such a network by aggregating the user mapping and group mapping information before the User-ID agents collect it, thereby reducing the number of required agents.
A large-scale network can also have numerous firewalls that use the mapping information to enforce policies. You can reduce the resources that the firewalls and information sources use in the querying process by configuring some firewalls to acquire mapping information through redistribution instead of direct querying. Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for authentication (such as regional directory services) but need access to remote services and applications (such as global data center applications).
If you Configure Authentication Policy, your firewalls must also redistribute the Authentication Timestamps associated with user responses to authentication challenges. Firewalls use the timestamps to evaluate the timeouts for Authentication policy rules. The timeouts allow a user who successfully authenticates to later request services and applications without authenticating again within the timeout periods. Redistributing timestamps enables you to enforce consistent timeouts for each user even if the firewall that initially grants a user access is not the same firewall that later controls access for that user.
Deploy User-ID for Numerous Mapping Information Sources
Redistribute User Mappings and Authentication Timestamps

Deploy User-ID for Numerous Mapping Information Sources

You can use Windows Log Forwarding and Global Catalog servers to simplify user mapping and group mapping in a large-scale network of Microsoft Active Directory (AD) domain controllers or Exchange servers. These methods simplify User-ID administration by aggregating the mapping information before the User-ID agents collect it, thereby reducing the number of required agents.
Windows Log Forwarding and Global Catalog Servers
Plan a Large-Scale User-ID Deployment
Configure Windows Log Forwarding
Configure User-ID for Numerous Mapping Information Sources

Windows Log Forwarding and Global Catalog Servers

Because each User-ID agent can monitor up to 100 servers, the firewall needs multiple User-ID agents to monitor a network with hundreds of AD domain controllers or Exchange servers. Creating and managing numerous User-ID agents involves considerable administrative overhead, especially in expanding networks where tracking new domain controllers is difficult. Windows Log Forwarding enables you to minimize the administrative overhead by reducing the number of servers to monitor and thereby reducing the number of User-ID agents to manage. When you configure Windows Log Forwarding, multiple domain controllers export their login events to a single domain member from which a User-ID agent collects the user mapping information.
You can configure Windows Log Forwarding for Windows Server versions 2003, 2008, 2008 R2, 2012, and 2012 R2. Windows Log Forwarding is not available for non-Microsoft servers.

To collect group mapping information in a large-scale network, you can configure the firewall to query a Global Catalog server that receives account information from the domain controllers.
The following figure illustrates user mapping and group mapping for a large-scale network in which the firewall uses a Windows-based User-ID agent. See Plan a Large-Scale User-ID Deployment to determine if this deployment suits your network.

Plan a Large-Scale User-ID Deployment

When deciding whether to use Windows Log Forwarding and Global Catalog servers for your User-ID implementation, consult your system administrator to determine:
Bandwidth required for domain controllers to forward login events to member servers. The bandwidth is a multiple of the login rate (number of logins per minute) of the domain controllers and the byte size of each login event.
Note that domain controllers won't forward their entire security logs; they forward only the events that the user mapping process requires per login: three events for Windows Server 2003 or four events for Windows Server 2008/2012 and MS Exchange.
Whether the following network elements support the required bandwidth:
Domain controllers: Must support the processing load associated with forwarding the events.
Member Servers: Must support the processing load associated with receiving the events.
Connections: The geographic distribution (local or remote) of the domain controllers, member servers, and Global Catalog servers is a factor. Generally, a remote distribution supports less bandwidth.

Configure Windows Log Forwarding

To configure Windows Log Forwarding, you need administrative privileges for configuring group policies on Windows servers. Configure Windows Log Forwarding on every member server that will collect login events from domain controllers. The following is an overview of the tasks; consult your Windows Server documentation for the specific steps.

Configure Windows Log Forwarding

Step 1 On every member server that will collect security events, enable event collection, add the domain controllers as event sources, and configure the event collection query (subscription). The events you specify in the subscription vary by domain controller platform:
Windows Server 2003: The event IDs for the required events are 672 (Authentication Ticket Granted), 673 (Service Ticket Granted), and 674 (Ticket Granted Renewed).
Windows Server 2008/2012 (including R2) or MS Exchange: The event IDs for the required events are 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and 4624 (Logon Success).
You must forward events to the security logs location on the member servers, not to the default forwarded logs location.

To forward events as quickly as possible, select the Minimize Latency option when configuring the subscription.

Step 2 Configure a group policy to enable Windows Remote Management (WinRM) on the domain controllers.

Step 3 Configure a group policy to enable Windows Event Forwarding on the domain controllers.

Configure User-ID for Numerous Mapping Information Sources

Configure User-ID for Numerous Mapping Information Sources

Step 1 Configure Windows Log Forwarding on the member servers that will collect login events.
Configure Windows Log Forwarding. This step requires administrative privileges for configuring group policies on Windows servers.

Step 2 Install the Windows-based User-ID agent.
Install the Windows-Based User-ID Agent on a Windows server that can access the member servers. Make sure the system that will host the User-ID agent is a member of the same domain as the servers it will monitor.
Step 3 Configure the User-ID agent to collect user mapping information from the member servers.
1. Start the Windows-based User-ID agent.
2. Select User Identification > Discovery and perform the following steps for each member server that will receive events from domain controllers:
a. In the Servers section, click Add and enter a Name to identify the member server.
b. In the Server Address field, enter the FQDN or IP address of the member server.
c. For the Server Type, select Microsoft Active Directory.
d. Click OK to save the server entry.
3. Configure the remaining User-ID agent settings: see Configure the Windows-Based User-ID Agent for User Mapping.

Step 4 Configure an LDAP server profile to specify how the firewall connects to the Global Catalog servers (up to four) for group mapping information.
To improve availability, use at least two Global Catalog servers for redundancy.
You can collect group mapping information only for universal groups, not local domain groups (subdomains).
1. Select Device > Server Profiles > LDAP, click Add, and enter a Name for the profile.
2. In the Servers section, for each Global Catalog, click Add and enter the server Name, IP address (LDAP Server), and Port. For a plaintext or Start Transport Layer Security (StartTLS) connection, use Port 3268. For an LDAP over SSL connection, use Port 3269. If the connection will use StartTLS or LDAP over SSL, select the Require SSL/TLS secured connection check box.
3. In the Base DN field, enter the Distinguished Name (DN) of the point in the Global Catalog server where the firewall will start searching for group mapping information (for example, DC=acbdomain,DC=com).
4. For the Type, select active-directory.
5. Configure the remaining fields as necessary: see Add an LDAP server profile.

Step 5 Configure an LDAP server profile to specify how the firewall connects to the servers (up to four) that contain domain mapping information. User-ID uses this information to map DNS domain names to NetBIOS domain names. This mapping ensures consistent domain/username references in policy rules.
To improve availability, use at least two servers for redundancy.
The steps are the same as for the LDAP server profile you created for Global Catalogs in Step 4, except for the following fields:
LDAP Server: Enter the IP address of the domain controller that contains the domain mapping information.
Port: For a plaintext or StartTLS connection, use Port 389. For an LDAP over SSL connection, use Port 636. If the connection will use StartTLS or LDAP over SSL, select the Require SSL/TLS secured connection check box.
Base DN: Select the DN of the point in the domain controller where the firewall will start searching for domain mapping information. The value must start with the string cn=partitions,cn=configuration (for example, cn=partitions,cn=configuration,DC=acbdomain,DC=com).

Step 6 Create a group mapping configuration for each LDAP server profile you created.
1. Select Device > User Identification > Group Mapping Settings.
2. Click Add and enter a Name to identify the group mapping configuration.
3. Select the LDAP Server Profile and ensure the Enabled check box is selected.
4. Configure the remaining fields as necessary: see Map Users to Groups.
If the Global Catalog and domain mapping servers reference more groups than your security rules require, configure the Group Include List and/or Custom Group list to limit the groups for which User-ID performs mapping.
5. Click OK and Commit.

Redistribute User Mappings and Authentication Timestamps

Every firewall that enforces user-based policy requires user mapping information. In a large-scale network, instead of configuring all your firewalls to directly query the mapping information sources, you can streamline resource usage by configuring some firewalls to collect mapping information through redistribution. Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for authentication (such as regional directory services) but need access to remote services and applications (such as global data center applications).

You can redistribute user mapping information collected through any method except Terminal Services (TS) agents. You cannot redistribute Group Mapping or HIP match information.
If you use Panorama and Dedicated Log Collectors to manage firewalls and aggregate firewall logs, you can use Panorama to manage User-ID redistribution. Leveraging Panorama and your distributed log collection infrastructure is a simpler solution than creating extra connections between firewalls to redistribute User-ID information.

If you Configure Authentication Policy, your firewalls must also redistribute the Authentication Timestamps that are generated when users authenticate to access applications and services. Firewalls use the timestamps to evaluate the timeouts for Authentication policy rules. The timeouts allow a user who successfully authenticates to later request services and applications without authenticating again within the timeout periods. Redistributing timestamps enables you to enforce consistent timeouts across all the firewalls in your network.
Firewalls share user mappings and authentication timestamps as part of the same redistribution flow; you don't have to configure redistribution for each information type separately.
Firewall Deployment for User-ID Redistribution
Configure User-ID Redistribution

PaloAltoNetworks,Inc. PANOS8.0AdministratorsGuide 469


Firewall Deployment for User-ID Redistribution

To aggregate User-ID information, organize the redistribution sequence in layers, where each layer has one or more firewalls. In the bottom layer, PAN-OS integrated User-ID agents running on firewalls and Windows-based User-ID agents running on Windows servers map IP addresses to usernames. Each higher layer has firewalls that receive the mapping information and authentication timestamps from up to 100 redistribution points in the layer beneath it. The top-layer firewalls aggregate the mappings and timestamps from all layers. This deployment provides the option to configure policies for all users in top-layer firewalls and region- or function-specific policies for a subset of users in the corresponding domains served by lower-layer firewalls.

Figure: User-ID and Timestamp Redistribution shows a deployment with three layers of firewalls that redistribute mappings and timestamps from local offices to regional offices and then to a global data center. The data center firewall that aggregates all the information shares it with other data center firewalls so that they can all enforce policy and generate reports for users across your entire network. Only the bottom-layer firewalls use User-ID agents to query the directory servers.

The information sources that the User-ID agents query do not count towards the maximum of ten hops in the sequence. However, Windows-based User-ID agents that forward mapping information to firewalls do count. Therefore, in this example, redistribution from the European region to all the data center firewalls requires only three hops, while redistribution from the North American region requires four hops. Also in this example, the top layer has two hops: the first to aggregate information in one data center firewall and the second to share the information with other data center firewalls.

Figure: User-ID and Timestamp Redistribution

Configure User-ID Redistribution

Before you configure User-ID redistribution:
   - Plan the redistribution architecture. Some factors to consider are:
     - Which firewalls will enforce policies for all users and which firewalls will enforce region- or function-specific policies for a subset of users?
     - How many hops does the redistribution sequence require to aggregate all User-ID information? The maximum allowed number of hops is ten.
     - How can you minimize the number of firewalls that query the user mapping information sources? The fewer the number of querying firewalls, the lower the processing load is on both the firewalls and the sources.
   - Configure user mapping using PAN-OS Integrated User-ID agents or Windows-based User-ID Agents.
   - Configure Authentication Policy.

Perform the following steps on the firewalls in the User-ID redistribution sequence.

Step 1   Configure the firewall to redistribute User-ID information.
         Skip this step if the firewall receives but does not redistribute User-ID information.
   1. Select Device > User Identification > User Mapping.
   2. (Firewalls with multiple virtual systems only) Select the Location. You must configure the User-ID settings for each virtual system.
      You can redistribute information among virtual systems on different firewalls or on the same firewall. In both cases, each virtual system counts as one hop in the redistribution sequence.
   3. Edit the Palo Alto Networks User-ID Agent Setup and select Redistribution.
   4. Enter a Collector Name and Pre-Shared Key to identify this firewall or virtual system as a User-ID agent.
   5. Click OK to save your changes.

Step 2   Configure the service route that the firewall uses to query other firewalls for User-ID information.
         Skip this step if the firewall receives user mapping information from Windows-based User-ID agents or directly from the information sources (such as directory servers) instead of from other firewalls.
   1. Select Device > Setup > Services.
   2. (Firewalls with multiple virtual systems only) Select Global (for a firewall-wide service route) or Virtual Systems (for a virtual system-specific service route), and then configure the service route.
   3. Click Service Route Configuration, select Customize, and select IPv4 or IPv6 based on your network protocols. Configure the service route for both protocols if your network uses both.
   4. Select UID Agent and then select the Source Interface and Source Address.
   5. Click OK twice to save the service route.

Step 3   Enable the firewall to respond when other firewalls query it for User-ID information.
         Skip this step if the firewall receives but does not redistribute User-ID information.
   Configure an Interface Management profile with the User-ID service enabled and assign the profile to a firewall interface. Restrict the profile's Permitted IP Addresses to the firewalls that will query this one: the pre-shared key from Step 1 authenticates the peers, but the service does not need to be reachable from every host on that interface.

Step 4   Commit and verify your changes.
   1. Commit your changes to activate them.
   2. Access the CLI of a firewall that redistributes User-ID information.
   3. Display all the user mappings by running the following command:
      > show user ip-user-mapping all
   4. Record the IP address associated with any username.
   5. Access the CLI of a firewall that receives redistributed User-ID information.
   6. Display the mapping information and authentication timestamp for the <IP-address> you recorded:
      > show user ip-user-mapping ip <IP-address>
      IP address: 192.0.2.0 (vsys1)
      User: corpdomain\username1
      From: UIA
      Idle Timeout: 10229s
      Max. TTL: 10229s
      MFA Timestamp: first(1) - 2016/12/09 08:35:04
      Group(s): corpdomain\groupname(621)
   NOTE: This example output shows the authentication timestamp for one response to an authentication challenge (factor). For Authentication policy rules that use Multi-Factor Authentication (MFA), the output shows multiple Authentication Timestamps.
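The verification in Step 4 compares the two firewalls' output by eye. The following script, added here as an example (it is not part of the PAN-OS guide and not firewall code), parses the `show user ip-user-mapping ip <address>` text from the redistributing firewall and from a receiving firewall and lists what did not arrive; a missing MFA timestamp is the case that breaks Authentication policy timeouts. Both outputs are constructed samples in the format shown above, and the field names follow that output.

```python
"""Check that a User-ID mapping and its authentication timestamps were redistributed.

Added example for the verification step above; it is not part of the PAN-OS
guide and does not talk to a firewall. It parses the text that
`show user ip-user-mapping ip <address>` prints on a redistributing firewall
and on a receiving firewall and lists what did not arrive. Both outputs below
are constructed sample data in the format shown in the guide.
"""
import re
from dataclasses import dataclass, field

# Constructed output from the firewall that redistributes the mapping.
SOURCE_OUTPUT = """\
IP address: 192.0.2.0 (vsys1)
User: corpdomain\\username1
From: UIA
Idle Timeout: 10229s
Max. TTL: 10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s): corpdomain\\groupname(621)
"""

# Constructed output from a receiving firewall. The MFA timestamp is missing,
# which is exactly the gap Authentication policy timeouts would suffer from.
RECEIVER_OUTPUT = """\
IP address: 192.0.2.0 (vsys1)
User: corpdomain\\username1
From: UIA
Idle Timeout: 9870s
Max. TTL: 9870s
Group(s): corpdomain\\groupname(621)
"""


@dataclass
class Mapping:
    ip: str
    vsys: str
    user: str
    source: str
    idle_timeout: int
    max_ttl: int
    mfa: dict = field(default_factory=dict)    # "first(1)" -> "2016/12/09 08:35:04"
    groups: list = field(default_factory=list)


_FIELD = re.compile(r"^(?P<key>[^:]+):\s*(?P<val>.*)$")
_MFA = re.compile(r"(\w+)\((\d+)\)\s*-\s*(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")


def parse_mapping(text: str) -> Mapping:
    """Turn one `show user ip-user-mapping ip <address>` block into a Mapping."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
    ip, _, vsys = fields["IP address"].partition(" ")
    mfa = {f"{name}({num})": ts
           for name, num, ts in _MFA.findall(fields.get("MFA Timestamp", ""))}
    groups = [g.strip() for g in fields.get("Group(s)", "").split(",") if g.strip()]
    return Mapping(ip=ip, vsys=vsys.strip("()"), user=fields["User"],
                   source=fields["From"],
                   idle_timeout=int(fields["Idle Timeout"].rstrip("s")),
                   max_ttl=int(fields["Max. TTL"].rstrip("s")),
                   mfa=mfa, groups=groups)


def compare_mappings(src: Mapping, dst: Mapping) -> list:
    """Return the discrepancies a receiving firewall shows against the source."""
    problems = []
    if src.ip != dst.ip:
        problems.append(f"different IP: {src.ip} vs {dst.ip}")
    if src.user != dst.user:
        problems.append(f"user mismatch: {src.user} vs {dst.user}")
    # Timestamps travel in the same redistribution flow as the mapping; every
    # factor recorded on the source must appear unchanged on the receiver.
    for factor, ts in src.mfa.items():
        if dst.mfa.get(factor) != ts:
            problems.append(f"MFA timestamp {factor} {ts} not redistributed")
    # Group membership is resolved by each firewall's own group mapping and is
    # never redistributed, so a difference here points at group mapping on the
    # receiver, not at the redistribution sequence.
    if set(src.groups) != set(dst.groups):
        problems.append("group lists differ (check group mapping on the receiver)")
    return problems


if __name__ == "__main__":
    src, dst = parse_mapping(SOURCE_OUTPUT), parse_mapping(RECEIVER_OUTPUT)
    for p in compare_mappings(src, dst) or ["mapping and timestamps agree"]:
        print(p)
```

Run it against the real output of the two firewalls (paste each block into the two constants) after the commit; a mapping that agrees on user but lacks the MFA line on the receiver means the timestamp was not redistributed, and users will be challenged again on that firewall even within the timeout period.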



App-ID

To safely enable applications on your network, the Palo Alto Networks next-generation firewalls provide both an application and web perspective (App-ID and URL Filtering) to protect against a full spectrum of legal, regulatory, productivity, and resource utilization risks.

App-ID enables visibility into the applications on the network, so you can learn how they work and understand their behavioral characteristics and their relative risk. This application knowledge allows you to create and enforce security policy rules to enable, inspect, and shape desired applications and block unwanted applications. When you define policy rules to allow traffic, App-ID begins to classify traffic without any additional configuration.

   App-ID Overview
   Manage Custom or Unknown Applications
   Manage New App-IDs Introduced in Content Releases
   Use Application Objects in Policy
   Applications with Implicit Support
   Application Level Gateways
   Disable the SIP Application-level Gateway (ALG)


App-ID Overview

App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls, determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. It applies multiple classification mechanisms (application signatures, application protocol decoding, and heuristics) to your network traffic stream to accurately identify applications.

Here's how App-ID identifies applications traversing your network:
   - Traffic is matched against policy to check whether it is allowed on the network.
   - Signatures are then applied to allowed traffic to identify the application based on unique application properties and related transaction characteristics. The signature also determines if the application is being used on its default port or it is using a non-standard port. If the traffic is allowed by policy, the traffic is then scanned for threats and further analyzed for identifying the application more granularly.
   - If App-ID determines that encryption (SSL or SSH) is in use, and a Decryption policy rule is in place, the session is decrypted and application signatures are applied again on the decrypted flow. Without a Decryption rule, the firewall can only use the unencrypted parts of the handshake (for example the server certificate), so many encrypted applications remain classified as ssl until a signature for them exists or the session is decrypted.
   - Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (for example, Yahoo! Instant Messenger used across HTTP). Decoders validate that the traffic conforms to the protocol specification and provide support for NAT traversal and opening dynamic pinholes for applications such as SIP and FTP.
   - For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.

When the application is identified, the policy check determines how to treat the application, for example block, or allow and scan for threats, inspect for unauthorized file transfer and data patterns, or shape using QoS.


Manage Custom or Unknown Applications

Palo Alto Networks provides weekly application updates to identify new App-ID signatures. By default, App-ID is always enabled on the firewall, and you don't need to enable a series of signatures to identify well-known applications. Typically, the only applications that are classified as unknown traffic (unknown-tcp, unknown-udp or non-syn-tcp) in the ACC and the traffic logs are commercially available applications that have not yet been added to App-ID, internal or custom applications on your network, or potential threats.

On occasion, the firewall may report an application as unknown for the following reasons:
   - Incomplete data: a handshake took place, but no data packets were sent prior to the timeout.
   - Insufficient data: a handshake took place followed by one or more data packets; however, not enough data packets were exchanged to identify the application.

The following choices are available to handle unknown applications:
   - Create security policies to control unknown applications by unknown TCP, unknown UDP or by a combination of source zone, destination zone, and IP addresses.
   - Request an App-ID from Palo Alto Networks. If you would like to inspect and control the applications that traverse your network, for any unknown traffic, you can record a packet capture. If the packet capture reveals that the application is a commercial application, you can submit this packet capture to Palo Alto Networks for App-ID development. If it is an internal application, you can create a custom App-ID and/or define an application override policy.
   - Create a Custom Application with a signature and attach it to a security policy, or create a custom application and define an application override policy. A custom application allows you to customize the definition of the internal application (its characteristics, category and subcategory, risk, port, timeout) and exercise granular policy control in order to minimize the range of unidentified traffic on your network. Creating a custom application also allows you to correctly identify the application in the ACC and traffic logs and is useful in auditing/reporting on the applications on your network. For a custom application you can specify a signature and a pattern that uniquely identifies the application and attach it to a security policy that allows or denies the application.
     Alternatively, if you would like the firewall to process the custom application using the fast path (Layer 4 inspection instead of using App-ID for Layer 7 inspection), you can reference the custom application in an application override policy rule. An application override with a custom application prevents the session from being processed by the App-ID engine, which is a Layer 7 inspection. Instead it forces the firewall to handle the session as a regular stateful inspection firewall at Layer 4, and thereby saves application processing time.
     For example, if you build a custom application that triggers on a host header www.mywebsite.com, the packets are first identified as web-browsing and then are matched as your custom application (whose parent application is web-browsing). Because the parent application is web-browsing, the custom application is inspected at Layer 7 and scanned for content and vulnerabilities.
     If you define an application override, the firewall stops processing at Layer 4. The custom application name is assigned to the session to help identify it in the logs, and the traffic is not scanned for threats. Treat application override as a performance trade-off for trusted, well-understood internal flows only: it removes threat, file and data inspection from every session it matches, so a custom application with a signature is the safer default whenever the flow could carry hostile content.


Manage New App-IDs Introduced in Content Releases

Installing new App-IDs included in a content release version can sometimes cause a change in policy enforcement for the now uniquely identified application. Before installing a new content release, review the policy impact for new App-IDs and stage any necessary policy updates. Assess the treatment an application receives both before and after the new content is installed. You can then modify existing security policy rules using the new App-IDs contained in a downloaded content release (prior to installing the App-IDs). This enables you to simultaneously update your security policies and install new content, and allows for a seamless shift in policy enforcement. Alternatively, you can also choose to disable new App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare any policy changes.

The following options enable you to assess the impact of new App-IDs on existing policy enforcement, disable (and enable) App-IDs, and seamlessly update policy rules to secure and enforce newly identified applications:
   Review New App-IDs
   Disable or Enable App-IDs
   Prepare Policy Updates for Pending App-IDs

Review New App-IDs

Review new App-ID signatures introduced in an Applications and/or Threats content update. For each new application signature introduced, you can preview the App-ID details, including a description of the application identified by the App-ID, other existing App-IDs that the new signature is dependent on (such as SSL or HTTP), and the category the application traffic received before the introduction of the new App-ID (for example, an application might be classified as web-browsing traffic before an App-ID signature is introduced that uniquely identifies the traffic). After reviewing the description and details for a new App-ID signature, review the App-ID signature impact on existing policy enforcement. When new application signatures are introduced, the newly identified application traffic might no longer match to policies that previously enforced the application. Reviewing the policy impact for new application signatures enables you to identify the policies that will no longer enforce the application when the new App-ID is installed.

After downloading a new content release version, review the new App-IDs included in the content version and assess the impact of the new App-IDs on existing policy rules:
   Review New App-IDs Since Last Content Version
   Review New App-ID Impact on Existing Policy Rules


Review New App-IDs Since Last Content Version

Review New App-IDs Available Since the Last Installed Content Release Version

Step 1   Select Device > Dynamic Updates and select Check Now to refresh the list of available content updates.

Step 2   Download the latest Applications and Threats content update. When the content update is downloaded, an Apps link will appear in the Features column for that content update.

Step 3   Click the Apps link in the Features column to view details on newly identified applications:
   A list of App-IDs shows all new App-IDs introduced from the content version installed on the firewall, to the selected Content Version.
   App-ID details that you can use to assess possible impact to policy enforcement include:
   - Depends on: lists the application signatures that this App-ID relies on to uniquely identify the application. If one of the application signatures listed in the Depends On field is disabled, the dependent App-ID is also disabled.
   - Previously Identified As: lists the App-IDs that matched to the application before the new App-ID was installed to uniquely identify the application.
   - App-ID Enabled: all App-IDs display as enabled when a content release is downloaded, unless you choose to manually disable the App-ID signature before installing the content update (see Disable or Enable App-IDs).
   Multi-vsys firewalls display App-ID status as vsys-specific. This is because the status is not applied across virtual systems and must be individually enabled or disabled for each virtual system. To view the App-ID status for a specific virtual system, select Objects > Applications, select a Virtual System, and select the App-ID.

Next Steps...
   Disable or Enable App-IDs.
   Prepare Policy Updates for Pending App-IDs.


Review New App-ID Impact on Existing Policy Rules

Review the Impact of New App-ID Signatures on Existing Policy Rules

Step 1   Select Device > Dynamic Updates.

Step 2   You can review the policy impact of new content release versions that are downloaded to the firewall. Download a new content release version, and click Review Policies in the Action column. The Policy review based on candidate configuration dialog allows you to filter by Content Version and view App-IDs introduced in a specific release (you can also filter the policy impact of new App-IDs according to Rulebase and Virtual System).

Step 3   Select a new App-ID from the Application drop-down to view policy rules that currently enforce the application. The rules displayed are based on the application signatures that match to the application before the new App-ID is installed (view application details to see the list of application signatures that an application was Previously Identified As before the new App-ID).

Step 4   Use the detail provided in the policy review to plan policy rule updates to take effect when the App-ID is installed and enabled to uniquely identify the application.
   You can continue to Prepare Policy Updates for Pending App-IDs, or you can directly add the new App-ID to policy rules that the application was previously matched to by continuing to use the policy review dialog.
   In the following example, the new App-ID adobe-cloud is introduced in a content release. Adobe-cloud traffic is currently identified as SSL and web-browsing traffic. Policy rules configured to enforce SSL or web-browsing traffic are listed to show what policy rules will be affected when the new App-ID is installed. In this example, the rule AllowSSLApp currently enforces SSL traffic.
   Add the new App-ID to existing policy rules, to allow the application traffic to continue to be enforced according to your existing security requirements when the App-ID is installed. In this example, to continue to allow adobe-cloud traffic when it is uniquely identified by the new App-ID and no longer identified as SSL traffic, add the new App-ID to the security policy rule AllowSSLApp.
   The policy rule updates take effect only when the application updates are installed.

Next Steps...
   Disable or Enable App-IDs.
   Prepare Policy Updates for Pending App-IDs.


Disable or Enable App-IDs

Disable new App-IDs included in a content release to immediately benefit from protection against the latest threats while continuing to have the flexibility to later enable App-IDs after preparing necessary policy updates. You can disable all App-IDs introduced in a content release, set scheduled content updates to automatically disable new App-IDs, or disable App-IDs for specific applications.

Policy rules referencing App-IDs only match to and enforce traffic based on enabled App-IDs.

Certain App-IDs cannot be disabled and only allow a status of enabled. App-IDs that cannot be disabled include some application signatures implicitly used by other App-IDs (such as unknown-tcp). Disabling a base App-ID could cause App-IDs which depend on the base App-ID to also be disabled. For example, disabling facebook-base will disable all other Facebook App-IDs.

Disable and Enable App-IDs

Disable all App-IDs in a content release or for scheduled content updates.
   To disable all new App-IDs introduced in a content release, select Device > Dynamic Updates and Install an Applications and Threats content release. When prompted, select Disable new apps in content update. Select the check box to disable apps and continue installing the content update; this allows you to be protected against threats, and gives you the option to enable the apps at a later time.
   On the Device > Dynamic Updates page, select Schedule. Choose to Disable new apps in content update for downloads and installations of content releases.

Disable App-IDs for one application or multiple applications at a single time.
   To quickly disable a single application or multiple applications at the same time, click Objects > Applications. Select one or more application check boxes and click Disable.
   To review details for a single application, and then disable the App-ID for that application, select Objects > Applications and Disable App-ID. You can use this step to disable both pending App-IDs (where the content release including the App-ID is downloaded to the firewall but not installed) and installed App-IDs.

Enable App-IDs.
   Enable App-IDs that you previously disabled by selecting Objects > Applications. Select one or more application check boxes and click Enable, or open the details for a specific application and click Enable App-ID.


Prepare Policy Updates for Pending App-IDs

You can now stage seamless policy updates for new App-IDs. Release versions prior to PAN-OS 7.0 required you to install new App-IDs (as part of a content release) and then make necessary policy updates. This allowed for a period during which the newly identified application traffic was not enforced, either by existing rules (that the traffic had matched to before being uniquely identified) or by rules that had yet to be created or modified to use the new App-ID.

Pending App-IDs can now be added to policy rules to prevent gaps in policy enforcement that could occur during the period between installing a content release and updating security policy. Pending App-IDs include App-IDs that have been manually disabled, or App-IDs that are downloaded to the firewall but not installed. Pending App-IDs can be used to update policies both before and after installing a new content release. Though they can be added to policy rules, pending App-IDs are not enforced until the App-IDs are both installed and enabled on the firewall.

The names of App-IDs that have been manually disabled display as gray and italicized, to indicate the disabled status:
   Disabled App-ID listed on the Objects > Applications page.
   Disabled App-ID included in a security policy rule.

App-IDs that are included in a downloaded content release version might have an App-ID status of enabled, but App-IDs are not enforced until the corresponding content release version is installed.


Perform Seamless Policy Updates for New App-IDs

To install the content release version now and then update policies (do this to benefit from new threat signatures immediately, while you review new application signatures and update your policies):
   1. Select Device > Dynamic Updates and Download the latest content release version.
   2. Review the Impact of New App-ID Signatures on Existing Policy Rules to assess the policy impact of new App-IDs.
   3. Install the latest content release version. Before the content release is installed, you are prompted to Disable new apps in content update. Select the check box and continue to install the content release. Threat signatures included in the content release will be installed and effective, while new or updated App-IDs are disabled.
   4. Select Policies and update Security, QoS, and Policy Based Forwarding rules to match to and enforce the now uniquely identified application traffic, using the pending App-IDs.
   5. Select Objects > Applications, select one or multiple disabled App-IDs and click Enable.
   6. Commit your changes to seamlessly update policy enforcement for new App-IDs.

To update policies now and then install the content release version:
   1. Select Device > Dynamic Updates and Download the latest content release version.
   2. Review the Impact of New App-ID Signatures on Existing Policy Rules to assess the policy impact of new App-IDs.
   3. While reviewing the policy impact for new App-IDs, you can use the Policy Review based on candidate configuration dialog to add a new App-ID to existing policy rules. The new App-ID is added to the existing rules as a disabled App-ID.
   4. Continue to review the policy impact for all App-IDs included in the latest content release version by selecting App-IDs in the Applications drop-down. Add the new App-IDs to existing policies as needed. Click OK to save your changes.
   5. Install the latest content release version.
   6. Commit your changes to seamlessly update policy enforcement for new App-IDs.
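The policy review described above can be reasoned about with a small model. The following script is an added example (it is not part of the PAN-OS guide and not firewall code): it computes which rules enforce an application today through the App-IDs it is Previously Identified As, which of those rules stop matching once the new App-ID is installed and enabled, and how staging the pending App-ID into those rules closes the gap; it also models the dependency rule that disabling a base App-ID disables everything that depends on it. The names adobe-cloud, ssl, web-browsing and facebook-base come from the text; the rulebase, the facebook-chat entry and all dependency data are constructed for the example.

```python
"""Model the policy impact of a pending App-ID.

Added example; not part of the PAN-OS guide and not firewall code. It models
what the Review Policies dialog computes: which rules enforce an application
today through the App-IDs it is Previously Identified As, which of them stop
matching once the new App-ID is installed and enabled, and how staging the new
App-ID into those rules closes the gap. It also models the dependency rule
that disabling a base App-ID disables everything that depends on it. The
application names adobe-cloud, ssl, web-browsing and facebook-base come from
the text; the rulebase, facebook-chat and all dependency data are constructed.
"""
from dataclasses import dataclass, field, replace


@dataclass
class AppID:
    name: str
    depends_on: list = field(default_factory=list)
    previously_identified_as: list = field(default_factory=list)
    installed: bool = True      # content release containing it is installed
    enabled: bool = True        # App-ID status, toggled per application


@dataclass
class Rule:
    name: str
    applications: list          # App-ID names, or ["any"]
    action: str


# Constructed App-ID table after downloading (not installing) a release.
APPS = {
    "ssl": AppID("ssl"),
    "web-browsing": AppID("web-browsing"),
    "adobe-cloud": AppID("adobe-cloud", depends_on=["ssl", "web-browsing"],
                         previously_identified_as=["ssl", "web-browsing"],
                         installed=False),
    "facebook-base": AppID("facebook-base"),
    "facebook-chat": AppID("facebook-chat", depends_on=["facebook-base"]),
}

# Constructed rulebase, evaluated top down.
RULEBASE = [
    Rule("Allow SSL App", ["ssl"], "allow"),
    Rule("Allow Web", ["web-browsing"], "allow"),
    Rule("Allow Social", ["facebook-base", "facebook-chat"], "allow"),
    Rule("Deny Rest", ["any"], "deny"),
]


def effective_enabled(apps: dict, name: str) -> bool:
    """An App-ID is enforceable only if installed, enabled, and so are its dependencies."""
    app = apps[name]
    return (app.installed and app.enabled
            and all(effective_enabled(apps, d) for d in app.depends_on))


def classify(apps: dict, name: str) -> list:
    """What the traffic is identified as: the App-ID itself, or its prior App-IDs."""
    if effective_enabled(apps, name):
        return [name]
    return apps[name].previously_identified_as or [name]


def rules_enforcing(rulebase: list, apps: dict, name: str) -> list:
    """Rules whose application list names the App-ID(s) the traffic currently matches."""
    classified = set(classify(apps, name))
    return [r.name for r in rulebase if classified & set(r.applications)]


def set_state(apps: dict, name: str, **changes) -> dict:
    """Copy of the App-ID table with one entry's installed/enabled flags changed."""
    return {k: (replace(v, **changes) if k == name else v) for k, v in apps.items()}


def policy_impact(rulebase: list, apps: dict, name: str) -> dict:
    """Before/after view of which rules enforce the application around install+enable."""
    before = rules_enforcing(rulebase, apps, name)
    after = rules_enforcing(rulebase, set_state(apps, name, installed=True, enabled=True), name)
    return {"before": before, "after": after,
            "lose_coverage": [r for r in before if r not in after]}


def stage_policy_update(rulebase: list, rule_names: list, name: str) -> list:
    """Add the pending App-ID to the named rules, as the dialog's Add action does."""
    return [replace(r, applications=r.applications + [name]) if r.name in rule_names else r
            for r in rulebase]


if __name__ == "__main__":
    impact = policy_impact(RULEBASE, APPS, "adobe-cloud")
    print("adobe-cloud enforced today by:", impact["before"])
    print("rules that stop matching after install:", impact["lose_coverage"])
    staged = stage_policy_update(RULEBASE, impact["lose_coverage"], "adobe-cloud")
    print("after staging:", policy_impact(staged, APPS, "adobe-cloud")["after"])
```

The point the model makes explicit is that a rule listing only ssl never sees adobe-cloud once the new App-ID is enforceable, so the traffic falls through to whatever comes later in the rulebase (here a deny-any); staging the pending App-ID into the affected rules before install keeps the coverage continuous.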




Use Application Objects in Policy

   Create an Application Group
   Create an Application Filter
   Create a Custom Application

Create an Application Group

An application group is an object that contains applications that you want to treat similarly in policy. Application groups are useful for enabling access to applications that you explicitly sanction for use within your organization. Grouping sanctioned applications simplifies administration of your rulebases. Instead of having to update individual policy rules when there is a change in the applications you support, you can update only the affected application groups.

When deciding how to group applications, consider how you plan to enforce access to your sanctioned applications and create an application group that aligns with each of your policy goals. For example, you might have some applications that you will only allow your IT administrators to access, and other applications that you want to make available for any known user in your organization. In this case, you would create separate application groups for each of these policy goals. Although you generally want to enable access to applications on the default port only, you may want to group applications that are an exception to this and enforce access to those applications in a separate rule.

Create an Application Group

Step 1   Select Objects > Application Groups.

Step 2   Add a group and give it a descriptive Name.

Step 3   (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.

Step 4   Add the applications you want in the group and then click OK.

Step 5   Commit the configuration.


Create an Application Filter

An application filter is an object that dynamically groups applications based on application attributes that you define, including category, subcategory, technology, risk factor, and characteristic. This is useful when you want to safely enable access to applications that you do not explicitly sanction, but that you want users to be able to access. For example, you may want to enable employees to choose their own office programs (such as Evernote, Google Docs, or Microsoft Office 365) for business use. To safely enable these types of applications, you could create an application filter that matches on the Category business-systems and the Subcategory office-programs. As new office-program applications emerge and new App-IDs get created, these new applications will automatically match the filter you defined; you will not have to make any additional changes to your policy rulebase to safely enable any application that matches the attributes you defined for the filter. The same automatic matching means a filter-based allow rule widens on every content update, so review new App-IDs that land in the filter's category and subcategory before they are installed.

Create an Application Filter

Step 1   Select Objects > Application Filters.

Step 2   Add a filter and give it a descriptive Name.

Step 3   (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.

Step 4   Define the filter by selecting attribute values from the Category, Subcategory, Technology, Risk, and Characteristic sections. As you select values, notice that the list of matching applications at the bottom of the dialog narrows. When you have adjusted the filter attributes to match the types of applications you want to safely enable, click OK.

Step 5   Commit the configuration.


Create a Custom Application

To safely enable applications you must classify all traffic, across all ports, all the time. With App-ID, the only applications that are typically classified as unknown traffic (unknown-tcp, unknown-udp or non-syn-tcp) in the ACC and the Traffic logs are commercially available applications that have not yet been added to App-ID, internal or custom applications on your network, or potential threats.

If you are seeing unknown traffic for a commercial application that does not yet have an App-ID, you can submit a request for a new App-ID here: http://researchcenter.paloaltonetworks.com/submitanapplication/.

To ensure that your internal custom applications do not show up as unknown traffic, create a custom application. You can then exercise granular policy control over these applications in order to minimize the range of unidentified traffic on your network, thereby reducing the attack surface. Creating a custom application also allows you to correctly identify the application in the ACC and Traffic logs, which enables you to audit/report on the applications on your network.

To create a custom application, you must define the application attributes: its characteristics, category and subcategory, risk, port, timeout. In addition, you must define patterns or values that the firewall can use to match to the traffic flows themselves (the signature). Finally, you can attach the custom application to a security policy that allows or denies the application (or add it to an application group or match it to an application filter). You can also create custom applications to identify ephemeral applications with topical interest, such as ESPN3 Video for world cup soccer or March Madness.

In order to collect the right data to create a custom application signature, you'll need a good understanding of packet captures and how datagrams are formed. If the signature is created too broadly, you might inadvertently include other similar traffic; if it is defined too narrowly, the traffic will evade detection if it does not strictly match the pattern.

Custom applications are stored in a separate database on the firewall and this database is not impacted by the weekly App-ID updates.

The supported application protocol decoders that enable the firewall to detect applications that may be tunneling inside of the protocol include the following as of content release version 609: FTP, HTTP, IMAP, POP3, SMB, and SMTP.

The following is a basic example of how to create a custom application.


Create a Custom Application

Step 1   Gather information about the application that you will be able to use to write custom signatures.
         To do this, you must have an understanding of the application and how you want to control access to it. For example, you may want to limit what operations users can perform within the application (such as uploading, downloading, or live streaming). Or you may want to allow the application, but enforce QoS policing.
   Capture application packets so that you can find unique characteristics about the application on which to base your custom application signature. One way to do this is to run a protocol analyzer, such as Wireshark, on the client system to capture the packets between the client and the server. Perform different actions in the application, such as uploading and downloading, so that you will be able to locate each type of session in the resulting packet captures (PCAPs).
   Because the firewall by default takes packet captures for all unknown traffic, if the firewall is between the client and the server you can view the packet capture for the unknown traffic directly from the Traffic log.
   Use the packet captures to find patterns or values in the packet contexts that you can use to create signatures that will uniquely match the application traffic. For example, look for string patterns in HTTP response or request headers, URI paths, or hostnames. For information on the different string contexts you can use to create application signatures and where you can find the corresponding values in the packet, refer to Creating Custom Threat Signatures.

Step 2   Add the custom application.
   1. Select Objects > Applications and click Add.
   2. On the Configuration tab, enter a Name and a Description for the custom application that will help other administrators understand why you created the application.
   3. (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.
   4. Define the application Properties and Characteristics.


Step 3   Define details about the application, such as the underlying protocol, the port number the application runs on, the timeout values, and any types of scanning you want to be able to perform on the traffic.
   On the Advanced tab, define settings that will allow the firewall to identify the application protocol:
   - Specify the default ports or protocol that the application uses.
   - Specify the session timeout values. If you don't specify timeout values, the default timeout values will be used.
   - Indicate any type of additional scanning you plan to perform on the application traffic.
   For example, to create a custom TCP-based application that runs over SSL, but uses port 4443 (instead of the default port for SSL, 443), you would specify the port number. By adding the port number for a custom application, you can create policy rules that use the default port for the application rather than opening up additional ports on the firewall. This improves your security posture.


AppID UseApplicationObjectsinPolicy

CreateaCustomApplication(Continued)

Step 4  Define the criteria that the firewall will use to match the traffic to the new application. You will use the information you gathered from the packet captures to specify unique string context values that the firewall can use to match patterns in the application traffic.

1. On the Signatures tab, click Add and define a Signature Name and optionally a Comment to provide information about how you intend to use this signature.
2. Specify the Scope of the signature: whether it matches to a full Session or a single Transaction.
3. Specify conditions to define signatures by clicking Add And Condition or Add Or Condition.
4. Select an Operator to define the type of match conditions you will use: Pattern Match or Equal To.
   - If you selected Pattern Match, select the Context and then use a regular expression to define the Pattern to match the selected context. Optionally, click Add to define a qualifier/value pair. The Qualifier list is specific to the Context you chose.
   - If you selected Equal To, select the Context and then use a regular expression to define the Position of the bytes in the packet header to use to match the selected context. Choose from first-4bytes or second-4bytes. Define the 4-byte hex value for the Mask (for example, 0xffffff00) and Value (for example, 0xaabbccdd).
   For example, if you are creating a custom application for one of your internal applications, you could use the ssl-rsp-certificate Context to define a pattern match for the certificate response message of an SSL negotiation from the server and create a Pattern to match the common name of the server in the message as shown here:
5. Repeat steps 3 and 4 for each matching condition.
6. If the order in which the firewall attempts to match the signature definitions is important, make sure the Ordered Condition Match check box is selected and then order the conditions so that they are evaluated in the appropriate order. Select a condition or a group and click Move Up or Move Down. You cannot move conditions from one group to another.
7. Click OK to save the signature definition.


Step 5  Save the application.

1. Click OK to save the custom application definition.
2. Click Commit.

Step 6  Validate that traffic matches the custom application as expected.

1. Select Policies > Security and Add a security policy rule to allow the new application.
2. Run the application from a client system that is between the firewall and the application and then check the Traffic logs (Monitor > Traffic) to make sure that you see traffic matching the new application (and that it is being handled per your policy rule).
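As an added illustration of the signature semantics in Step 4 (example code, not Palo Alto Networks code), the following simplified Python model shows how Pattern Match and Equal To conditions, And/Or groups and Ordered Condition Match combine against a session. The context names other than ssl-rsp-certificate, the sample session bytes and the mask/value pairing are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

Observation = Tuple[str, bytes]   # (context name, bytes the firewall extracted for it)
Session = List[Observation]       # observations in arrival order


@dataclass
class PatternMatch:
    """Operator 'Pattern Match': a regular expression applied to one context."""
    context: str
    pattern: str

    def test(self, data: bytes) -> bool:
        return re.search(self.pattern.encode(), data) is not None


@dataclass
class EqualTo:
    """Operator 'Equal To': a 4-byte Mask/Value compared against the bytes at
    Position first-4bytes (offset 0) or second-4bytes (offset 4)."""
    context: str
    position: str
    mask: int
    value: int

    def test(self, data: bytes) -> bool:
        offset = {"first-4bytes": 0, "second-4bytes": 4}[self.position]
        chunk = data[offset:offset + 4]
        if len(chunk) < 4:
            return False
        word = int.from_bytes(chunk, "big")
        return (word & self.mask) == (self.value & self.mask)


def _first_hit(cond, session: Session, start: int) -> int:
    """Index of the first observation at or after 'start' satisfying cond, or -1."""
    for i in range(start, len(session)):
        ctx, data = session[i]
        if ctx == cond.context and cond.test(data):
            return i
    return -1


def and_group_matches(group, session: Session, ordered: bool) -> bool:
    """Every condition of an And group must hit. With Ordered Condition Match
    each hit must come after the previous condition's hit in the session."""
    pos = 0
    for cond in group:
        i = _first_hit(cond, session, pos if ordered else 0)
        if i < 0:
            return False
        if ordered:
            pos = i + 1
    return True


def signature_matches(groups, session: Session, ordered: bool = False) -> bool:
    """A signature is a list of Or groups; each group is a list of And conditions."""
    return any(and_group_matches(group, session, ordered) for group in groups)


# Constructed signature for an internal application. Group 1: the server's
# common name in the certificate response AND a masked 4-byte header value
# (mask 0xffffff00 ignores the low byte, as in the page's example).
# Group 2 (Or): the same host name in the HTTP Host header when no TLS is used.
# The context names other than ssl-rsp-certificate are assumptions.
INTRANET_APP = [
    [
        PatternMatch("ssl-rsp-certificate", r"intranet\.example\.com"),
        EqualTo("unknown-req-tcp-payload", "first-4bytes", 0xffffff00, 0xaabbccdd),
    ],
    [PatternMatch("http-req-host-header", r"^intranet\.example\.com$")],
]

# Constructed session: certificate first, then request bytes whose low byte differs.
SAMPLE_SESSION: Session = [
    ("ssl-rsp-certificate", b"\x30\x82\x01\x0a...CN=intranet.example.com..."),
    ("unknown-req-tcp-payload", b"\xaa\xbb\xcc\x01GET /"),
]
```

With ordered=True the reversed session no longer matches, which is the effect of the Ordered Condition Match check box.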


Applications with Implicit Support

When creating a policy to allow specific applications, you must also be sure that you are allowing any other applications on which the application depends. In many cases, you do not have to explicitly allow access to the dependent applications in order for the traffic to flow because the firewall is able to determine the dependencies and allow them implicitly. This implicit support also applies to custom applications that are based on HTTP, SSL, MS-RPC, or RTSP. Applications for which the firewall cannot determine dependent applications on time will require that you explicitly allow the dependent applications when defining your policies. You can determine application dependencies in Applipedia.

The following table lists the applications for which the firewall has implicit support (as of Content Update 595).

Table: Applications with Implicit Support

Application                 Implicitly Supports
360-safeguard-update        http
apple-update                http
apt-get                     http
as2                         http
avg-update                  http
avira-antivir-update        http, ssl
blokus                      rtmp
bugzilla                    http
club-cooee                  http
corba                       http
cubby                       http, ssl
dropbox                     ssl
esignal                     http
evernote                    http, ssl
ezhelp                      http
facebook                    http, ssl
facebook-chat               jabber
facebook-social-plugin      http
fastviewer                  http, ssl
forticlient-update          http
good-for-enterprise         http, ssl
google-cloud-print          http, ssl, jabber
google-desktop              http
google-talk                 jabber
google-update               http
gotomypc-desktop-sharing    citrix-jedi
gotomypc-file-transfer      citrix-jedi
gotomypc-printing           citrix-jedi
hipchat                     http
iheartradio                 ssl, http, rtmp
infront                     http
instagram                   http, ssl
issuu                       http, ssl
java-update                 http
jepptech-updates            http
kerberos                    rpc
kik                         http, ssl
lastpass                    http, ssl
logmein                     http, ssl
mcafee-update               http
megaupload                  http
metatrader                  http
mocha-rdp                   t_120
mount                       rpc
ms-frs                      msrpc
ms-rdp                      t_120
ms-scheduler                msrpc
ms-service-controller       msrpc
nfs                         rpc
oovoo                       http, ssl
paloalto-updates            ssl
panos-global-protect        http
panos-web-interface         http
pastebin                    http
pastebin-posting            http
pinterest                   http, ssl
portmapper                  rpc
prezi                       http, ssl
rdp2tcp                     t_120
renren-im                   jabber
roboform                    http, ssl
salesforce                  http
stumbleupon                 http
supremo                     http
symantec-av-update          http
trendmicro                  http
trillian                    http, ssl
twitter                     http
whatsapp                    http, ssl
xm-radio                    rtsp


Application Level Gateways

The Palo Alto Networks firewall does not classify traffic by port and protocol; instead it identifies the application based on its unique properties and transaction characteristics using the App-ID technology. Some applications, however, require the firewall to dynamically open pinholes to establish the connection, determine the parameters for the session and negotiate the ports that will be used for the transfer of data; these applications use the application layer payload to communicate the dynamic TCP or UDP ports on which the application opens data connections. For such applications, the firewall serves as an Application Level Gateway (ALG), and it opens a pinhole for a limited time and for exclusively transferring data or control traffic. The firewall also performs a NAT rewrite of the payload when necessary.

H.323 (H.225 and H.248) ALG is not supported in gatekeeper routed mode.

When the firewall serves as an ALG for the Session Initiation Protocol (SIP), by default it performs NAT on the payload and opens dynamic pinholes for media ports. In some cases, depending on the SIP applications in use in your environment, the SIP endpoints have NAT intelligence embedded in their clients. In such cases, you might need to disable the SIP ALG functionality to prevent the firewall from modifying the signaling sessions. When SIP ALG is disabled, if App-ID determines that a session is SIP, the payload is not translated and dynamic pinholes are not opened. See Disable the SIP Application-level Gateway (ALG).

The following table lists IPv4, NAT, IPv6, NPTv6 and NAT64 ALGs and indicates with a check mark whether the ALG supports each protocol (such as SIP).

App-ID               IPv4   NAT   IPv6   NPTv6   NAT64
SIP
SCCP
MGCP
FTP
RTSP
MySQL
Oracle/SQLNet/TNS
RPC
RSH
UNIStim
H.225
H.248

[The check marks in the IPv4, NAT, IPv6, NPTv6 and NAT64 columns were not preserved in this extraction.]


Disable the SIP Application-level Gateway (ALG)

The Palo Alto Networks firewall uses the Session Initiation Protocol (SIP) application-level gateway (ALG) to open dynamic pinholes in the firewall where NAT is enabled. However, some applications such as VoIP have NAT intelligence embedded in the client application. In these cases, the SIP ALG on the firewall can interfere with the signaling sessions and cause the client application to stop working.

One solution to this problem is to define an Application Override Policy for SIP, but using this approach disables the App-ID and threat detection functionality. A better approach is to disable the SIP ALG, which does not disable App-ID or threat detection.

The following procedure describes how to disable the SIP ALG.

Disable the SIP ALG

Step 1  Select Objects > Applications.

Step 2  Select the sip application.
You can type sip in the Search box to help find the sip application.

Step 3  Select Customize... for ALG in the Options section of the Application dialog box.

Step 4  Select the Disable ALG check box in the Application sip dialog box and click OK.

Step 5  Close the Application dialog box and Commit the change.



Threat Prevention

The Palo Alto Networks next-generation firewall protects and defends your network from commodity threats and advanced persistent threats (APTs). The multi-pronged detection mechanisms of the firewall include a signature-based (IPS/Command and Control/Antivirus) approach, heuristics-based (bot detection) approach, sandbox-based (WildFire) approach, and Layer 7 protocol analysis-based (App-ID) approach.

Commodity threats are exploits that are less sophisticated and more easily detected and prevented using a combination of antivirus, anti-spyware, and vulnerability protection features along with URL filtering and Application identification capabilities on the firewall.

Advanced threats are perpetuated by organized cyber adversaries who use sophisticated attack vectors to target your network, most commonly for intellectual property theft and financial data theft. These threats are more evasive and require intelligent monitoring mechanisms for detailed host and network forensics on malware. The Palo Alto Networks next-generation firewall together with WildFire and Panorama provide a comprehensive solution that intercepts and breaks the attack chain and provides visibility to prevent security infringement on your network infrastructure, both mobile and virtualized.

- Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
- Create Threat Exceptions
- Set Up Data Filtering
- Set Up File Blocking
- Prevent Brute Force Attacks
- Customize the Action and Trigger Conditions for a Brute Force Signature
- Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions
- Enable Evasion Signatures
- Prevent Credential Phishing
- Share Threat Intelligence with Palo Alto Networks
- Use DNS Queries to Identify Infected Hosts on the Network
- Monitor Blocked IP Addresses
- Learn More About and Assess Threats
- Content Delivery Network Infrastructure for Dynamic Updates
- Threat Prevention Resources


Set Up Antivirus, Anti-Spyware, and Vulnerability Protection

Every Palo Alto Networks next-generation firewall comes with predefined Antivirus, Anti-Spyware, and Vulnerability Protection profiles that you can attach to Security policy rules. There is one predefined Antivirus profile, default, which uses the default action for each protocol (block HTTP, FTP, and SMB traffic and alert on SMTP, IMAP, and POP3 traffic). There are two predefined Anti-Spyware and Vulnerability Protection profiles:
- default: Applies the default action to all client and server critical, high, and medium severity spyware/vulnerability protection events. It does not detect low and informational events.
- strict: Applies the block response to all client and server critical, high and medium severity spyware/vulnerability protection events and uses the default action for low and informational events.

To ensure that the traffic entering your network is free from threats, attach the predefined profiles to your basic web access policies. As you monitor the traffic on your network and expand your policy rulebase, you can then design more granular profiles to address your specific security needs.

Use the following workflow to set up the default Antivirus, Anti-Spyware, and Vulnerability Protection Security Profiles.

Palo Alto Networks defines a default action for all anti-spyware and vulnerability protection signatures. To see the default action, select Objects > Security Profiles > Anti-Spyware or Objects > Security Profiles > Vulnerability Protection and then select a profile. Click the Exceptions tab and then click Show all signatures to view the list of the signatures and the corresponding default Action. To change the default action, create a new profile and specify an Action, and/or add individual signature exceptions to Exceptions in the profile.

Set up Antivirus/Anti-Spyware/Vulnerability Protection

Step 1  Verify that you have a Threat Prevention subscription.

The Threat Prevention subscription bundles the antivirus, anti-spyware, and vulnerability protection features in one license. To verify that you have an active Threat Prevention subscription, select Device > Licenses and verify that the Threat Prevention expiration date is in the future.

Step 2  Download the latest content.

1. Select Device > Dynamic Updates and click Check Now at the bottom of the page to retrieve the latest signatures.
2. In the Actions column, click Download and then Install the latest Antivirus updates, and then download and Install the latest Applications and Threats updates.


Step 3  Schedule content updates.
As a best practice, schedule the firewall to download and install Antivirus updates daily and Applications and Threats updates weekly.

1. Select Device > Dynamic Updates and then click Schedule to automatically retrieve signature updates for Antivirus and Applications and Threats.
2. Specify the frequency and timing for the updates:
   - download-only: The firewall automatically downloads the latest updates per the schedule you define but you must manually Install them.
   - download-and-install: The firewall automatically downloads and installs the updates per the schedule you define.
3. Click OK to save the update schedule; a commit is not required.
4. (Optional) Define a Threshold to indicate the minimum number of hours after an update becomes available before the firewall will download it. For example, setting the Threshold to 10 means the firewall will not download an update until it is at least 10 hours old regardless of the schedule.
5. (HA only) Decide whether to Sync To Peer, which enables peers to synchronize content updates after download and install (the update schedule does not sync across peers; you must manually configure the schedule on both peers).
   There are additional considerations for deciding if and how to Sync To Peer depending on your HA deployment:
   - Active/Passive HA: If the firewalls are using the MGT port for content updates, then schedule both firewalls to download and install updates independently. However, if the firewalls are using a data port for content updates, then the passive firewall will not download or install updates unless and until it becomes active. To keep the schedules in sync on both firewalls when using a data port for updates, schedule updates on both firewalls and then enable Sync To Peer so that whichever firewall is active downloads and installs the updates and also pushes the updates to the passive firewall.
   - Active/Active HA: If the firewalls are using the MGT interface for content updates, then select download-and-install on both firewalls but do not enable Sync To Peer. However, if the firewalls are using a data port, then select download-and-install on both firewalls and enable Sync To Peer so that if one firewall goes into the active-secondary state, the active-primary firewall will download and install the updates and push them to the active-secondary firewall.

Step 4  (Optional) Create custom security profiles for antivirus, anti-spyware, and vulnerability protection.
Alternatively, you can use the predefined default or strict profiles.
Create Best Practice Security Profiles for the best security posture.

- To create custom Antivirus Profiles, select Objects > Security Profiles > Antivirus and Add a new profile.
- To create custom Anti-Spyware Profiles, select Objects > Security Profiles > Anti-Spyware and Add a new profile.
- To create custom Vulnerability Protection Profiles, select Objects > Security Profiles > Vulnerability Protection and Add a new profile.


Step 5  Attach security profiles to your Security policy rules.
NOTE: When you configure the firewall with a Security policy rule that uses a Vulnerability Protection profile to block connections, the firewall automatically blocks that traffic in hardware (see Monitor Blocked IP Addresses).

1. Select Policies > Security and select the rule you want to modify.
2. In the Actions tab, select Profiles as the Profile Type.
3. Select the security profiles you created for Antivirus, Anti-Spyware, and Vulnerability Protection.

Step 6  Commit your changes.


Create Threat Exceptions

Palo Alto Networks defines a recommended default action (such as block or alert) for threat signatures. You can use a threat ID to exclude a threat signature from enforcement or modify the action the firewall enforces for that threat signature. For example, you can modify the action for threat signatures that are triggering false positives on your network.

Configure threat exceptions for antivirus, vulnerability, spyware, and DNS signatures to Change Firewall Enforcement for a Threat. However, before you begin, make sure the firewall is detecting and enforcing threats based on the default signature settings:
- Get the latest Antivirus, Threats and Applications, and WildFire signature updates.
- Set Up Antivirus, Anti-Spyware, and Vulnerability Protection and apply these security profiles to your security policy.

Change Firewall Enforcement for a Threat

Exclude antivirus signatures from enforcement.
NOTE: While you can use an Antivirus profile to exclude antivirus signatures from enforcement, you cannot change the action the firewall enforces for a specific antivirus signature. However, you can define the action for the firewall to enforce for viruses found in different types of traffic by editing the Decoders (Objects > Security Profiles > Antivirus > <antivirus-profile> > Antivirus).

1. Select Objects > Security Profiles > Antivirus.
2. Add or modify an existing Antivirus profile from which you want to exclude a threat signature and select Virus Exception.
3. Add the Threat ID for the threat signature you want to exclude from enforcement.
4. Click OK to save the Antivirus profile.


Modify enforcement for vulnerability and spyware signatures (except DNS signatures; skip to the next option to modify enforcement for DNS signatures, which are a type of spyware signature).

1. Select Objects > Security Profiles > Anti-Spyware or Objects > Security Profiles > Vulnerability Protection.
2. Add or modify an existing Anti-Spyware or Vulnerability Protection profile from which you want to exclude the threat signature and then select Exceptions.
3. Show all signatures and then filter to select the signature for which you want to modify enforcement rules.
4. Select the Action you want the firewall to enforce for this threat signature.
   For signatures that you want to exclude from enforcement because they trigger false positives, set the Action to Allow.
5. Click OK to save your new or modified Anti-Spyware or Vulnerability Protection profile.

Modify enforcement for DNS signatures.
By default, the DNS lookups to malicious hostnames that DNS signatures detect are sinkholed.

1. Select Objects > Security Profiles > Anti-Spyware.
2. Add or modify the Anti-Spyware profile from which you want to exclude the threat signature, and select DNS Signatures.
3. Add the DNS Threat ID for the DNS signature that you want to exclude from enforcement.
4. Click OK to save your new or modified Anti-Spyware profile.


Set Up Data Filtering

Use Data Filtering Profiles to prevent sensitive, confidential, and proprietary information from leaving your network. First, create a data pattern to define the information types for which you want the firewall to filter. Predefined patterns and built-in settings make it easy for you to create custom patterns for filtering on social security and credit card numbers or on file properties, such as a document title or author. Continue to add one or more data patterns to a Data Filtering profile and then attach the profile to a Security policy rule to enable data filtering.

If you're using a third-party, endpoint data loss prevention (DLP) solution that populates file properties to indicate sensitive content, then data filtering enables the firewall to enforce your DLP policy. To secure this confidential data, create a custom data pattern to identify the file properties and values tagged by your DLP solution and then log or block the files that your Data Filtering profile detects based on that pattern.


Enable Data Filtering

Step 1  Define a new data pattern object to detect the information you want to filter.

1. Select Objects > Custom Objects > Data Patterns and Add a new object.
2. Provide a descriptive Name for the new object.
3. (Optional) Select Shared if you want the data pattern to be available to:
   - Every virtual system (vsys) on a multi-vsys firewall. If cleared (disabled), the data pattern is available only to the Virtual System selected in the Objects tab.
   - Every device group on Panorama. If cleared (disabled), the data pattern is available only to the Device Group selected in the Objects tab.
4. (Optional, Panorama only) Select Disable override to prevent administrators from overriding the settings of this data pattern object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
5. (Optional, Panorama only) Select Data Capture to automatically collect the data that is blocked by the filter. Specify a password for Manage Data Protection on the Settings page to view your captured data (Device > Setup > Content-ID > Manage Data Protection).
6. Set the Pattern Type to one of the following:
   - Predefined: Filter for credit card and social security numbers.
   - Regular Expression: Filter for custom data patterns.
   - File Properties: Filter based on file properties and the associated values.
7. Add a new rule to the data pattern object.
8. Specify the data pattern according to the Pattern Type you selected for this object:
   - Predefined: Select the Name: either Credit Card Numbers or Social Security Numbers (with or without dash separator).
   - Regular Expression: Specify a descriptive Name, select the File Type (or types) you want to scan, and then enter the specific Data Pattern you want the firewall to detect.
   - File Properties: Specify a descriptive Name, select the File Type and File Property you want to scan, and enter the specific Property Value that you want the firewall to detect.
9. Click OK to save the data pattern.


Step 2  Add the data pattern object to a data filtering profile.

1. Select Objects > Security Profiles > Data Filtering and Add or modify a data filtering profile.
2. Add a new profile rule and select the Data Pattern you created in Step 1.
3. Specify Applications, File Types, and what Direction of traffic (upload or download) you want to filter based on the data pattern.
   The file type you select must be the same file type you defined for the data pattern in Step 1 or it must be a file type that includes the data pattern file type. For example, you could define both the data pattern object and the data filtering profile to scan all Microsoft Office documents. Or, you could define the data pattern object to match to only Microsoft PowerPoint Presentations while the data filtering profile scans all Microsoft Office documents.
   If a data pattern object is attached to a data filtering profile and the configured file types do not align between the two, the profile will not correctly filter documents matched to the data pattern object.
4. Set the Alert Threshold to specify the number of times the data pattern must be detected in a file to trigger an alert.
5. Set the Block Threshold to block files that contain at least this many instances of the data pattern.
6. Set the Log Severity recorded for files that match this rule.
7. Click OK to save the data filtering profile.

Step 3  Apply the data filtering settings to traffic.

1. Select Policies > Security and Add or modify a security policy rule.
2. Select Actions and set the Profile Type to Profiles.
3. Attach the Data Filtering profile you created in Step 2 to the security policy rule.
4. Click OK.

Step 4  (Recommended) Prevent web browsers from resuming sessions that the firewall has terminated.
This option ensures that when the firewall detects and then drops a sensitive file, a web browser cannot resume the session in an attempt to retrieve the file.

1. Select Device > Setup > Content-ID and edit Content-ID Settings.
2. Clear the Allow HTTP header range option.
3. Click OK.

Step 5  Monitor files that the firewall is filtering.

Select Monitor > Data Filtering to view the files that the firewall has detected and blocked based on your data filtering settings.
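To make the Alert Threshold and Block Threshold in Step 2 concrete, the following added Python example (not Palo Alto Networks code) models one data filtering rule: it counts credit card or social security number matches in a file's text and returns alert or block by comparing the count against the two thresholds, honouring the rule's Direction. The regular expressions and the Luhn check on candidate card numbers are assumptions of this model, not a description of how the firewall's predefined patterns work.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used here to drop random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def count_credit_cards(text: str) -> int:
    """Count 13-19 digit runs (spaces or dashes allowed between digits) that pass Luhn."""
    hits = 0
    for m in re.finditer(r"\b(?:\d[ -]?){12,18}\d\b", text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits += 1
    return hits


def count_ssns(text: str, dash_separator: bool = True) -> int:
    """Count social security numbers, with or without the dash separator."""
    pattern = r"\b\d{3}-\d{2}-\d{4}\b" if dash_separator else r"\b\d{9}\b"
    return len(re.findall(pattern, text))


@dataclass
class DataPattern:
    """A data pattern object: a name and a counter for matches in file content."""
    name: str
    count: Callable[[str], int]


@dataclass
class DataFilteringRule:
    """One rule of a Data Filtering profile."""
    pattern: DataPattern
    direction: str            # "upload", "download" or "both"
    alert_threshold: int      # matches needed to trigger an alert
    block_threshold: int      # at least this many matches blocks the file
    log_severity: str = "medium"


def evaluate(rule: DataFilteringRule, content: str, direction: str) -> Optional[Tuple[str, int]]:
    """Return (action, match_count) for a file, or None when the rule does not apply
    to this direction or neither threshold is reached. Block takes precedence."""
    if rule.direction != "both" and rule.direction != direction:
        return None
    n = rule.pattern.count(content)
    if n >= rule.block_threshold:
        return ("block", n)
    if n >= rule.alert_threshold:
        return ("alert", n)
    return None


# Constructed rules: alert on the first card number in an upload, block at three;
# alert on one SSN in either direction, block at two.
CARD_RULE = DataFilteringRule(
    DataPattern("Credit Card Numbers", count_credit_cards),
    direction="upload", alert_threshold=1, block_threshold=3, log_severity="high")
SSN_RULE = DataFilteringRule(
    DataPattern("Social Security Numbers", count_ssns),
    direction="both", alert_threshold=1, block_threshold=2)

# Constructed file contents (the 4111...1112 run fails Luhn and is not counted).
TWO_CARDS = ("Order 4111 1111 1111 1111, backup card 5500-0000-0000-0004, "
             "ticket 4111111111111112 is not a card.")
THREE_CARDS = TWO_CARDS + " amex 378282246310005"
ONE_SSN = "Employee record 078-05-1120, phone 555-0100."
```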


Set Up File Blocking

File Blocking Profiles allow you to identify specific file types that you want to block or monitor. For most traffic (including traffic on your internal network) you will want to block files that are known to carry threats or that have no real use case for upload/download. Currently, these include batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files. Additionally, to provide drive-by download protection, allow download/upload of executables and archive files (.zip and .rar), but force users to acknowledge that they are transferring a file so that they will notice that the browser is attempting to download something they were not aware of. For policy rules that allow general web browsing, be more strict with your file blocking because the risk of users unknowingly downloading malicious files is much higher. For this type of traffic you will want to attach a more strict file blocking profile that also blocks portable executable (PE) files.

You can define your own custom File Blocking profiles, or choose one of the following predefined profiles when applying file blocking to a Security policy rule. The predefined profiles, which are available with content release version 653 and later, allow you to quickly enable best practice file blocking settings:
- basic file blocking: Attach this profile to the Security policy rules that allow traffic to and from less sensitive applications to block files that are commonly included in malware attack campaigns or that have no real use case for upload/download. This profile blocks upload and download of PE files (.scr, .cpl, .dll, .ocx, .pif, .exe), Java files (.class, .jar), Help files (.chm, .hlp) and other potentially malicious file types, including .vbe, .hta, .wsf, .torrent, .7z, .rar, .bat. Additionally, it prompts users to acknowledge when they attempt to download encrypted rar or encrypted zip files. This rule alerts on all other file types to give you complete visibility into all file types coming in and out of your network.
- strict file blocking: Use this stricter profile on the Security policy rules that allow access to your most sensitive applications. This profile blocks the same file types as the other profile, and additionally blocks flash, .tar, multi-level encoding, .cab, .msi, encrypted-rar, and encrypted-zip files.

These predefined profiles are designed to provide the most secure posture for your network. However, if you have business-critical applications that rely on some of the applications that are blocked in these default profiles, you can clone the profiles and modify them as necessary. Make sure that you only use the modified profiles for those users who need to upload and/or download a risky file type. Additionally, to reduce your attack surface, make sure you are using other security measures to ensure that the files your users are uploading and downloading do not pose a threat to your organization. For example, if you must allow download of PE files, make sure you are sending all unknown PE files to WildFire for analysis. Additionally, maintain a strict URL filtering policy to ensure that users cannot download content from websites that have been known to host malicious content.


Configure File Blocking

Step 1  Create the file blocking profile.

1. Select Objects > Security Profiles > File Blocking and Add a profile.
2. Enter a Name for the file blocking profile such as Block_EXE.
3. (Optional) Enter a Description, such as Block users from downloading exe files from websites.
4. (Optional) Specify that the profile is Shared with:
   - Every virtual system (vsys) on a multi-vsys firewall. If cleared (disabled), the profile is available only to the Virtual System selected in the Objects tab.
   - Every device group on Panorama. If cleared (disabled), the profile is available only to the Device Group selected in the Objects tab.
5. (Optional, Panorama only) Select Disable override to prevent administrators from overriding the settings of this file blocking profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Step 2  Configure the file blocking options.

1. Add and define a rule for the profile.
2. Enter a Name for the rule, such as BlockEXE.
3. Select Any or specify one or more specific Applications for filtering, such as web-browsing.
   Only web browsers can display the response page (continue prompt) that allows users to confirm their [...]. Choosing any other application results in blocked traffic for those applications because there is no prompt displayed to allow users to continue.
4. Select Any or specify one or more specific File Types, such as exe.
5. Specify the Direction, such as download.
6. Specify the Action (alert, block, or continue). For example, select continue to prompt users for confirmation before they are allowed to download an executable (.exe) file. Alternatively, you could block the specified files or you could configure the firewall to simply trigger an alert when a user downloads an executable file.
7. Click OK to save the profile.

Step 3  Apply the file blocking profile to a security policy rule.

1. Select Policies > Security and either select an existing policy rule or Add a new rule as described in Set Up a Basic Security Policy.
2. On the Actions tab, select the file blocking profile you configured in the previous step. In this example, the profile name is Block_EXE.
3. Commit your configuration.


Step 4  To test your file blocking configuration, access an endpoint PC in the trust zone of the firewall and attempt to download an executable file from a website in the untrust zone; a response page should display. Click Continue to confirm that you can download the file. You can also set other actions, such as alert or block, which do not provide an option for the user to continue the download. The following shows the default response page for File Blocking:

[Screenshot of the default File Blocking response page not reproduced.]

Step 5  (Optional) Define custom file blocking response pages (Device > Response Pages). This allows you to provide more information to users when they see a response page. You can include information such as company policy information and contact information for a Helpdesk.

When you create a file blocking profile with the continue action, you can choose only the web-browsing application. If you choose any other application, traffic that matches the security policy will not flow through the firewall because users are not prompted with an option to continue. Additionally, you need to configure and enable a decryption policy for HTTPS websites.

Check your logs to determine the application used when you test this feature. For example, if you are using Microsoft SharePoint to download files, even though you are using a web browser to access the site, the application is actually sharepoint-base, or sharepoint-document. (It can help to set the application type to Any for testing.)


Prevent Brute Force Attacks

A brute force attack uses a large volume of requests/responses from the same source or destination IP address to break into a system. The attacker employs a trial and error method to guess the response to a challenge or a request.

The Vulnerability Protection profile on the firewall includes signatures to protect you from brute force attacks. Each signature has an ID, Threat Name, and Severity and is triggered when a pattern is recorded. The pattern specifies the conditions and interval at which the traffic is identified as a brute force attack; some signatures are associated with another child signature that is of a lower severity and specifies the pattern to match against. When a pattern matches against the signature or child signature, it triggers the default action for the signature.

To enforce protection:
- Attach the Vulnerability Protection profile to a Security policy rule. See Set Up Antivirus, Anti-Spyware, and Vulnerability Protection.
- Install content updates that include new signatures to protect against emerging threats. See Install Content and Software Updates.


Customize the Action and Trigger Conditions for a Brute Force Signature

The firewall includes two types of predefined brute force signatures: parent signatures and child signatures. A child signature is a single occurrence of a traffic pattern that matches the signature. A parent signature is associated with a child signature and is triggered when multiple events occur within a specified time interval and that match the traffic pattern defined in the child signature.

Typically, the default action for a child signature is allow because a single event is not indicative of an attack. This ensures that legitimate traffic is not blocked and avoids generating threat logs for non-noteworthy events. Palo Alto Networks recommends that you do not change the default action without careful consideration.

In most cases, the brute force signature is a noteworthy event due to its recurrent pattern. If needed, you can do one of the following to customize the action for a brute force signature:
- Create a rule to modify the default action for all signatures in the brute force category. You can choose to allow, alert, block, reset, or drop the traffic.
- Define an exception for a specific signature. For example, you can search for and define an exception for a CVE.

For a parent signature, you can modify both the trigger conditions and the action; for a child signature, you can modify only the action.

To effectively mitigate an attack, specify the block-ip address action instead of the drop or reset action for most brute force signatures.
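The following added Python example (not Palo Alto Networks code) models the parent/child relationship described above as detection logic run over constructed events: each child event is allowed on its own, and the parent signature fires when the Number of Hits is reached within the time interval for the same tracked key (source, or source and destination), applying a block-ip action for a time period. The threat IDs, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Hashable, List, Tuple


@dataclass
class Event:
    """One occurrence of the child signature's traffic pattern (constructed)."""
    ts: float      # seconds
    src: str
    dst: str
    child_id: int  # threat ID of the child signature the pattern matched


@dataclass
class ParentSignature:
    """Parent brute-force signature: fires when 'hits' child events occur
    within 'interval' seconds for the same tracked key."""
    threat_id: int
    child_id: int
    hits: int                   # Number of Hits
    interval: float             # aggregation window in seconds
    track_by: str               # "source" or "source-and-destination"
    action: str = "block-ip"
    block_time: float = 300.0   # seconds the block-ip action stays in effect


class BruteForceDetector:
    def __init__(self, sig: ParentSignature) -> None:
        self.sig = sig
        self.windows: Dict[Hashable, Deque[float]] = defaultdict(deque)
        self.blocked: Dict[Hashable, float] = {}   # key -> block expiry time
        self.threat_log: List[Tuple[float, int, Hashable, str]] = []

    def _key(self, ev: Event) -> Hashable:
        return ev.src if self.sig.track_by == "source" else (ev.src, ev.dst)

    def process(self, ev: Event) -> str:
        """Verdict for one event: 'allow', 'blocked', or the parent action."""
        if ev.child_id != self.sig.child_id:
            return "allow"
        key = self._key(ev)
        expiry = self.blocked.get(key)
        if expiry is not None:
            if ev.ts < expiry:
                return "blocked"          # block-ip still in effect for this key
            del self.blocked[key]         # block period has elapsed
        window = self.windows[key]
        window.append(ev.ts)
        while window and ev.ts - window[0] > self.sig.interval:
            window.popleft()              # discard hits outside the interval
        if len(window) >= self.sig.hits:
            self.blocked[key] = ev.ts + self.sig.block_time
            window.clear()
            self.threat_log.append((ev.ts, self.sig.threat_id, key, self.sig.action))
            return self.sig.action        # parent signature: logged and enforced
        return "allow"                    # child default action: allow, not logged


# Constructed parent signature 40001 aggregating child 40000: 5 hits in 30 s,
# tracked by source, block-ip for 300 s.
SSH_BRUTE = ParentSignature(threat_id=40001, child_id=40000, hits=5,
                            interval=30.0, track_by="source", block_time=300.0)

# Constructed events: one host fails five times in 4 s, another host once.
SAMPLE_EVENTS = [
    Event(0.0, "198.51.100.7", "10.0.0.22", 40000),
    Event(1.0, "198.51.100.7", "10.0.0.22", 40000),
    Event(2.0, "198.51.100.7", "10.0.0.22", 40000),
    Event(3.0, "198.51.100.7", "10.0.0.22", 40000),
    Event(4.0, "198.51.100.7", "10.0.0.22", 40000),    # 5th hit: parent fires
    Event(5.0, "198.51.100.7", "10.0.0.22", 40000),    # block still in effect
    Event(6.0, "198.51.100.9", "10.0.0.22", 40000),    # other source: allowed
    Event(400.0, "198.51.100.7", "10.0.0.22", 40000),  # block expired, window restarts
]


def simulate(sig: ParentSignature = SSH_BRUTE, events: List[Event] = SAMPLE_EVENTS):
    """Run the detector over the events; return (verdicts, threat log)."""
    det = BruteForceDetector(sig)
    return [det.process(e) for e in events], det.threat_log
```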

Customize the Threshold and Action for a Signature

Step 1  Create a new Vulnerability Protection profile.

1. Select Objects > Security Profiles > Vulnerability Protection and Add a profile.
2. Enter a Name for the Vulnerability Protection profile.
3. (Optional) Enter a Description.
4. (Optional) Specify that the profile is Shared with:
   - Every virtual system (vsys) on a multi-vsys firewall. If cleared (disabled), the profile is available only to the Virtual System selected in the Objects tab.
   - Every device group on Panorama. If cleared (disabled), the profile is available only to the Device Group selected in the Objects tab.
5. (Optional, Panorama only) Select Disable override to prevent administrators from overriding the settings of this Vulnerability Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.


Step 2 Create a rule that defines the action for all signatures in a category.
1. On the Rules tab, Add and enter a Rule Name for a new rule.
2. (Optional) Specify a specific threat name (default is any).
3. Set the Action. In this example, it is set to Block IP.
NOTE: If you set a Vulnerability Protection profile to Block IP, the firewall first uses hardware to block IP addresses. If attack traffic exceeds the blocking capacity of the hardware, the firewall then uses software blocking mechanisms to block the remaining IP addresses.
4. Set Category to brute-force.
5. (Optional) If blocking, specify the Host Type on which to block: server or client (default is any).
6. See Step 3 to customize the action for a specific signature.
7. See Step 4 to customize the trigger threshold for a parent signature.
8. Click OK to save the rule and the profile.


Step 3 (Optional) Customize the action for a specific signature.
1. On the Exceptions tab, Show all signatures to find the signature you want to modify.
To view all the signatures in the brute force category, search for category contains 'brute-force'.
2. To edit a specific signature, click the predefined default action in the Action column.
3. Set the action: Allow, Alert, Block Ip, or Drop. If you select Block Ip, complete these additional tasks:
a. Specify the Time period (in seconds) after which to trigger the action.
b. Specify whether to Track By and block the IP address using the IP source or the IP source and destination.
4. Click OK.
5. For each modified signature, select the check box in the Enable column.
6. Click OK.

Step 4 Customize the trigger conditions for a parent signature.
A parent signature that can be edited is marked with the edit icon. In this example, the search criteria were the brute force category and CVE-2008-1447.
1. Edit the time attribute and the aggregation criteria for the signature.
2. To modify the trigger threshold, specify the Number of Hits per number of seconds.
3. Specify whether to aggregate the number of hits (Aggregation Criteria) by source, destination, or source-and-destination.
4. Click OK.

Step 5 Attach this new profile to a Security policy rule.
1. Select Policies > Security and Add or modify a Security policy rule.
2. On the Actions tab, select Profiles as the Profile Type for the Profile Setting.
3. Select your Vulnerability Protection profile.
4. Click OK.

Step 6 Commit your changes.
1. Click Commit.


Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions

To monitor and protect your network from most Layer 4 and Layer 7 attacks, here are a few recommendations.
- Upgrade to the most current PAN-OS software version and content release version to ensure that you have the latest security updates. See Install Content and Software Updates.
- Set up the firewall to act as a DNS proxy and enable evasion signatures:
  - Configure a DNS Proxy Object.
    When acting as a DNS proxy, the firewall resolves DNS requests and caches hostname-to-IP address mappings to quickly and efficiently resolve future DNS queries.
  - Enable Evasion Signatures.
    Evasion signatures that detect crafted HTTP or TLS requests can send alerts when clients connect to a domain other than the domain specified in the original DNS request. Make sure to configure DNS proxy before you enable evasion signatures. Without DNS proxy, evasion signatures can trigger alerts when a DNS server in the DNS load balancing configuration returns different IP addresses for servers hosting identical resources to the firewall and client in response to the same DNS request.

- For servers, create Security policy rules to allow only the application(s) that you sanction on each server. Verify that the standard port for the application matches the listening port on the server. For example, to ensure that only SMTP traffic is allowed to your email server, set the Application to smtp and set the Service to application-default. If your server uses only a subset of the standard ports (for example, if your SMTP server uses only port 587 while the SMTP application has standard ports defined as 25 and 587), create a new custom service that includes only port 587 and use that new service in your security policy rule instead of application-default. Additionally, make sure you restrict access to specific source and destination zones and sets of IP addresses.


- Attach the following security profiles to your Security policy rules to provide signature-based protection:
  - A Vulnerability Protection profile to block all vulnerabilities with low and higher severity.
  - An Anti-Spyware profile to block all spyware with severity low and higher.
  - An Antivirus profile to block all content that matches an antivirus signature.
- Block all unknown applications and traffic using the Security policy. Typically, the only applications classified as unknown traffic are internal or custom applications on your network and potential threats. Unknown traffic can be either non-compliant applications or protocols that are anomalous or abnormal, or it can be known applications that are using non-standard ports, both of which should be blocked. See Manage Custom or Unknown Applications.
- Set Up File Blocking to block Portable Executable (PE) file types for internet-based SMB (Server Message Block) traffic from traversing trust to untrust zones (ms-ds-smb applications).

- Create a Zone Protection profile that is configured to protect against packet-based attacks (Network > Network Profiles > Zone Protection):
  - Select the option to drop Malformed IP packets (Packet Based Attack Protection > IP Drop).


  - Enable the drop Mismatched overlapping TCP segment option (Packet Based Attack Protection > TCP Drop).
    By deliberately constructing connections with overlapping but different data in them, attackers attempt to cause misinterpretation of the intent of the connection and deliberately induce false positives or false negatives. Attackers also use IP spoofing and sequence number prediction to intercept a user's connection and inject their own data into that connection. Selecting the Mismatched overlapping TCP segment option specifies that PAN-OS discards frames with mismatched and overlapping data. Received segments are discarded when they are contained within another segment, when they overlap with part of another segment, or when they contain another complete segment.
  - Enable the drop TCP SYN with Data and drop TCP SYNACK with Data options (Packet Based Attack Protection > TCP Drop).
    Dropping SYN and SYN-ACK packets that contain data in the payload during a three-way handshake increases security by blocking malware contained in the payload and preventing it from extracting unauthorized data before the TCP handshake is completed.
  - Strip TCP timestamps from SYN packets before the firewall forwards the packet (Packet Based Attack Protection > TCP Drop).
    When you enable the Strip TCP Options - TCP Timestamp option, the TCP stack on both ends of the TCP connection will not support TCP timestamps. This prevents attacks that use different timestamps on multiple packets for the same sequence number.

- If you configure IPv6 addresses on your network hosts, be sure to enable support for IPv6 if not already enabled (Network > Interfaces > Ethernet > IPv6).
  Enabling support for IPv6 allows access to IPv6 hosts and also filters IPv6 packets encapsulated in IPv4 packets, which prevents IPv6-over-IPv4 multicast addresses from being leveraged for network reconnaissance.


- Enable support for multicast traffic so that the firewall can enforce policy on multicast traffic (Network > Virtual Router > Multicast).

- Disable the Forward datagrams exceeding UDP content inspection queue and Forward segments exceeding TCP content inspection queue options (Device > Setup > Content-ID > Content-ID Settings).
  By default, when the TCP or UDP content inspection queue is full, the firewall skips Content-ID inspection for TCP segments or UDP datagrams that exceed the queue limit of 64. By disabling these options, the firewall instead drops TCP segments and UDP datagrams when the corresponding TCP or UDP content inspection queue is full.
  Disabling these options can result in performance degradation and some applications may incur loss of functionality, particularly in high-volume traffic situations.
- Disable the Allow HTTP header range option (Device > Setup > Content-ID > Content-ID Settings).
  The HTTP header range option allows a client to fetch only part of a file. When a next-generation firewall in the path of a transfer identifies and drops a malicious file, it terminates the TCP session with an RST packet. If the web browser implements the HTTP header range option, it can start a new session to fetch only the remaining part of the file, which prevents the firewall from triggering the same signature again due to the lack of context into the initial session and, at the same time, allows the web browser to reassemble the file and deliver the malicious content. Disabling this option prevents this from happening.
  Disabling this option should not impact device performance. However, HTTP file transfer interruption recovery may be impaired. In addition, disabling this option can impact streaming media services, such as Netflix, Windows Server Update Services (WSUS), and Palo Alto Networks content updates.


Enable Evasion Signatures

Palo Alto Networks evasion signatures detect crafted HTTP or TLS requests, and can alert to instances where a client connects to a domain other than the domain specified in a DNS query. Evasion signatures are effective only when the firewall is also enabled to act as a DNS proxy and resolve domain name queries. As a best practice, take the following steps to enable evasion signatures.
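To make the dependency on DNS proxy concrete, here is an added example (written for this guide, not Palo Alto Networks code) that correlates the hostname-to-IP answers a proxy handed out with the host a client later names in an HTTP Host header or TLS SNI. The cache layout, sample names and addresses, and the alert wording are assumptions; the second scenario reproduces the DNS load-balancing false positive mentioned in the best practices above.

```python
"""Correlating DNS proxy answers with later HTTP/TLS connections, the check an
evasion signature relies on. Added example, not PAN-OS code; cache layout,
sample records and alert text are assumptions."""
from collections import defaultdict


class DnsProxyCache:
    """Hostname -> set of IPs the proxy returned to clients."""

    def __init__(self):
        self._answers = defaultdict(set)

    def record_response(self, hostname, ips):
        self._answers[hostname.lower().rstrip(".")].update(ips)

    def resolved_to(self, hostname):
        return self._answers.get(hostname.lower().rstrip("."), set())


def check_connection(cache, dst_ip, claimed_host):
    """Return None if the connection matches the DNS answers the proxy gave
    out, or an alert string when the client connects to `dst_ip` while naming
    a host (HTTP Host / TLS SNI) that never resolved to that address."""
    ips = cache.resolved_to(claimed_host)
    if not ips:
        return "evasion: %s was never resolved through the DNS proxy" % claimed_host
    if dst_ip not in ips:
        return "evasion: client sent %s but it resolved to %s" % (claimed_host, sorted(ips))
    return None


def run_scenario(proxy_mode):
    """Constructed walk-through of the load-balancing caveat. With
    proxy_mode=True the firewall answered the client itself, so every IP it
    handed out is in the cache; with proxy_mode=False the firewall only saw
    its own lookup, which the load-balanced DNS server answered with a
    different IP than the one it gave the client."""
    cache = DnsProxyCache()
    if proxy_mode:
        cache.record_response("cdn.example", {"198.51.100.7", "198.51.100.8"})
    else:
        cache.record_response("cdn.example", {"198.51.100.7"})
    results = {}
    # legitimate client connection to the IP the client was actually given
    results["legit"] = check_connection(cache, "198.51.100.8", "cdn.example")
    # crafted request: client resolved one name, then named another host
    cache.record_response("updates.example", {"203.0.113.20"})
    results["evasion"] = check_connection(cache, "203.0.113.20", "bank.example")
    return results


if __name__ == "__main__":
    for mode in (True, False):
        print("DNS proxy enabled=%s: %s" % (mode, run_scenario(mode)))
```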

Enable Evasion Signatures

Step 1 Enable a firewall intermediate to clients and servers to act as a DNS proxy.
Configure a DNS Proxy Object, including:
- Specify the interfaces on which you want the firewall to listen for DNS queries.
- Define the DNS servers with which the firewall communicates to resolve DNS requests.
- Set up static FQDN-to-IP address entries that the firewall can resolve locally, without reaching out to DNS servers.
- Enable caching for resolved hostname-to-IP address mappings.

Step 2 Get the latest Applications and Threats content version (at least content version 579 or later).
1. Select Device > Dynamic Updates.
2. Check Now to get the latest Applications and Threats content update.
3. Download and Install Applications and Threats content version 579 (or later).

Step 3 Define how the firewall should enforce traffic matched to evasion signatures.
1. Select Objects > Security Profiles > Anti-Spyware and Add or modify an Anti-Spyware profile.
2. Select Exceptions and select Show all signatures.
3. Filter signatures based on the keyword evasion.
4. For all evasion signatures, set the Action to any setting other than allow or the default action (the default action for evasion signatures is allow). For example, set the Action for signature IDs 14978 and 14984 to alert or drop.
5. Click OK to save the updated Anti-Spyware profile.
6. Attach the Anti-Spyware profile to a security policy rule: Select Policies > Security, select the desired policy to modify and then click the Actions tab. In Profile Settings, click the drop-down next to Anti-Spyware and select the Anti-Spyware profile you just modified to enforce evasion signatures.

Step 4 Commit your changes.


Prevent Credential Phishing

Phishing sites are sites that attackers disguise as legitimate websites with the aim to steal user information, especially the credentials that provide access to your network. When a phishing email enters a network, it takes just a single user to click the link and enter credentials to set a breach into motion. You can detect and prevent in-progress phishing attacks by controlling sites to which users can submit corporate credentials based on the site's URL category. This allows you to block users from submitting credentials to untrusted sites while allowing users to continue to submit credentials to corporate and sanctioned sites.
Credential phishing prevention works by scanning username and password submissions to websites and comparing those submissions against valid corporate credentials. You can choose what websites you want to either allow or block corporate credential submissions to based on the URL category of the website. When the firewall detects a user attempting to submit credentials to a site in a category you have restricted, it either displays a block response page that prevents the user from submitting credentials, or presents a continue page that warns users against submitting credentials to sites classified in certain URL categories, but still allows them to continue with the credential submission. You can customize these block pages to educate users against reusing corporate credentials, even on legitimate, non-phishing sites.
To enable credential phishing prevention you must configure both User-ID to detect when users submit valid corporate credentials to a site (as opposed to personal credentials) and URL Filtering to specify the URL categories in which you want to prevent users from entering their corporate credentials. The following topics describe the different methods you can use to detect credential submissions and provide instructions for configuring credential phishing protection.
- Methods to Check for Corporate Credential Submissions
- Configure Credential Detection with the Windows-based User-ID Agent
- Set Up Credential Phishing Prevention

Methods to Check for Corporate Credential Submissions

Before you Set Up Credential Phishing Prevention, decide which method you want the firewall to use to check if credentials submitted to a web page are valid, corporate credentials.

For each method to check submitted credentials, the table lists the User-ID configuration requirements and how the method detects corporate usernames and/or passwords as users submit them to websites.

Group Mapping
User-ID configuration requirements: Group Mapping configuration on the firewall.
How this method detects corporate credentials: The firewall determines if the username a user submits to a restricted site matches any valid corporate username. To do this, the firewall matches the submitted username to the list of usernames in its user-to-group mapping table to detect when users submit a corporate username to a site in a restricted category. This method only checks for corporate username submissions based on LDAP group membership, which makes it simple to configure, but more prone to false positives.


IP User Mapping
User-ID configuration requirements: IP address-to-username mappings identified through User Mapping, GlobalProtect, or Authentication Policy and Captive Portal.
How this method detects corporate credentials: The firewall determines if the username a user submits to a restricted site maps to the IP address of the logged-in user. To do this, the firewall matches the IP address of the logged-in user and the username submitted to a website to its IP address-to-user mapping table to detect when users submit their corporate usernames to a site in a restricted category. Because this method matches the IP address of the logged-in user associated with the session against the IP address-to-username mapping table, it is an effective method for detecting corporate username submissions, but it does not detect corporate password submission. If you want to detect corporate username and password submission, you must use the Domain Credential Filter method.

Domain Credential Filter
User-ID configuration requirements: Windows-based User-ID agent configured with the User-ID credential service add-on AND IP address-to-username mappings identified through User Mapping, GlobalProtect, or Authentication Policy and Captive Portal.
How this method detects corporate credentials: The firewall determines if the username and password a user submits match the same user's corporate username and password. To do this, the firewall must be able to match credential submissions to valid corporate usernames and passwords and verify that the username submitted maps to the IP address of the logged-in user, as follows:
- To detect corporate usernames and passwords: The firewall retrieves a secure bit mask, called a bloom filter, from a Windows-based User-ID agent equipped with the User-ID credential service add-on. This add-on service scans your directory for usernames and password hashes and deconstructs them into a secure bit mask (the bloom filter) and delivers it to the Windows agent. The firewall retrieves the bloom filter from the Windows agent at regular intervals and, whenever it detects a user submitting credentials to a restricted category, it reconstructs the bloom filter and looks for a matching username and password hash. The firewall can only connect to one Windows-based User-ID agent running the User-ID credential service add-on.
- To verify that the credentials belong to the logged-in user: The firewall looks for a mapping between the IP address of the logged-in user and the detected username in its IP address-to-username mapping table.
To learn more about how the domain credential method works, and the requirements for enabling this type of detection, see Configure Credential Detection with the Windows-based User-ID Agent.

Configure Credential Detection with the Windows-based User-ID Agent

Domain Credential Filter detection enables the firewall to detect passwords submitted to web pages. This credential detection method requires the Windows-based User-ID agent and the User-ID credential service, an add-on to the User-ID agent, to be installed on a read-only domain controller (RODC).
An RODC is a Microsoft Windows server that maintains a read-only copy of an Active Directory database that a domain controller hosts. When the domain controller is located at a corporate headquarters, for example, RODCs can be deployed in remote network locations to provide local authentication services. Installing the User-ID agent on an RODC can be useful for a few reasons: access to the domain controller directory is not required to enable credential detection and you can support credential detection for a limited or targeted set of users. Because the directory the RODC hosts is read-only, the directory contents remain secure on the domain controller.
After you install the User-ID agent on an RODC, the User-ID credential service runs in the background and scans the directory for the usernames and password hashes of group members that are listed in the RODC password replication policy (PRP); you can define who you want to be on this list. The User-ID credential service then takes the collected usernames and password hashes and deconstructs the data into a type of bit mask called a bloom filter. Bloom filters are compact data structures that provide a secure method to check if an element (a username or a password hash) is a member of a set of elements (the sets of credentials you have approved for replication to the RODC). The User-ID credential service forwards the bloom filter to the User-ID agent; the firewall retrieves the latest bloom filter from the User-ID agent at regular intervals and uses it to detect username and password hash submissions. Depending on your settings, the firewall then blocks, alerts, or allows on valid password submissions to web pages, or displays a response page to users warning them of the dangers of phishing, but allowing them to continue with the submission.
Throughout this process, the User-ID agent does not store or expose any password hashes, nor does it forward password hashes to the firewall. Once the password hashes are deconstructed into a bloom filter, there is no way to recover them.
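The following added example (written for this guide, not the User-ID credential service's actual format) shows the bloom-filter mechanism described above from both sides: the credential-service side inserts usernames and password hashes into a bit mask, and the firewall side tests a web-form submission against it without any hash being recoverable from the mask. The filter size, the hash count, the use of SHA-256 as the stand-in directory password hash, and the sample directory are all assumptions.

```python
"""Bloom-filter membership check modelled on the Domain Credential Filter.
Added illustration, not Palo Alto Networks code: bit-array size, hash count,
SHA-256 as the directory-side password hash, and the sample directory are
assumptions made for this example."""
import hashlib


class BloomFilter:
    def __init__(self, size_bits=4096, hash_count=4):
        self.size = size_bits
        self.k = hash_count
        self.bits = bytearray(size_bits // 8)

    def _positions(self, item):
        # derive k positions from SHA-256 over (index byte || item)
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        return all(self.bits[pos // 8] & (1 << (pos % 8))
                   for pos in self._positions(item))


def password_hash(password):
    """Stand-in for the directory's stored password hash (assumption: SHA-256
    of the UTF-8 password; the real directory hash type is not modelled)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def build_filter(directory):
    """Credential-service side: insert the usernames and password hashes of
    the users permitted by the password replication policy. Only the bit
    mask is returned; no username or hash survives in it."""
    bf = BloomFilter()
    for user, pwd in directory.items():
        bf.add(b"user:" + user.lower().encode("utf-8"))
        bf.add(b"pwhash:" + password_hash(pwd))
    return bf


def classify_submission(bf, username, password):
    """Firewall side: return 'username+password', 'username', or 'none'
    depending on which parts of a web-form submission match corporate
    credentials in the filter (a bloom filter can give false positives,
    never false negatives)."""
    user_hit = (b"user:" + username.lower().encode("utf-8")) in bf
    pw_hit = (b"pwhash:" + password_hash(password)) in bf
    if user_hit and pw_hit:
        return "username+password"
    if user_hit:
        return "username"
    return "none"


# Constructed sample directory: the RODC-replicated users only.
SAMPLE_DIRECTORY = {"alice": "Winter2017!", "bob": "correct horse battery"}

if __name__ == "__main__":
    bf = build_filter(SAMPLE_DIRECTORY)
    print(classify_submission(bf, "alice", "Winter2017!"))   # username+password
    print(classify_submission(bf, "Alice", "guess"))         # username
    print(classify_submission(bf, "mallory", "guess"))       # none
```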

Set Up Credential Detection with a User-ID Agent on an RODC

Step 1 Configure User Mapping Using the Windows User-ID Agent.
To enable credential detection, you must install the Windows-based User-ID agent on an RODC (requires Microsoft Windows 2008 R2 64-bit or later).
Important items to remember when setting up User-ID to enable Domain Credential Filter detection:
- Because the effectiveness of credential phishing detection is dependent on your RODC setup, make sure that you also review best practices and recommendations for RODC Administration.
- Download User-ID software updates:
  - User-ID Agent Windows installer: UaInstall-x.x.x-x.msi.
  - User-ID Agent Credential Service Windows installer: UaCredInstall64-x.x.x-x.msi.
- Install the User-ID agent and the User Agent Credential service on an RODC using an account that has privileges to read Active Directory via LDAP (the User-ID agent also requires this privilege).


Step 2 Enable the User-ID agent and the User Agent Credential service (which runs in the background to scan permitted credentials) to share information.
1. On the RODC server, launch the User-ID Agent.
2. Select Setup and edit the Setup section.
3. Select the Credentials tab. This tab only displays if you have already installed the User-ID Agent Credential Service.
4. Select Import from User-ID Credential Agent. This enables the User-ID agent to import the bloom filter that the User-ID credential agent creates to represent users and the corresponding password hashes.
5. Click OK, Save your settings, and Commit.

Step 3 In the RODC directory, define the group of users for which you want to support credential submission detection.
- Confirm that the groups that should receive credential submission enforcement are added to the Allowed RODC Password Replication Group.
- Check that none of the groups in the Allowed RODC Password Replication Group are also in the Denied RODC Password Replication Group by default. Groups listed in both will not be subject to credential phishing enforcement.


Step 4 Continue to Set Up Credential Phishing Prevention on the firewall.

Set Up Credential Phishing Prevention

After you have decided which of the Methods to Check for Corporate Credential Submissions you want to use, take the following steps to enable the firewall to detect when users submit corporate credentials to web pages and either alert on this action, block the credential submission, or require users to acknowledge the dangers of phishing before continuing with credential submission.

Enable Credential Phishing Prevention

Step 1 If you have not done so already, Enable User-ID.
Each of the Methods to Check for Corporate Credential Submissions requires a different User-ID configuration to check for corporate credential submissions:
- If you plan to use the group mapping method, which detects whether a user is submitting a valid corporate username, Map Users to Groups.
- If you plan to use the IP user mapping method, which detects whether a user is submitting a valid corporate username and that that username belongs to the logged-in user, Map IP Addresses to Users.
- If you plan to use the domain credential filter method, which detects whether a user is submitting a valid username and password and that those credentials belong to the logged-in user, Configure Credential Detection with the Windows-based User-ID Agent and Map IP Addresses to Users.

Step 2 If you have not done so already, configure a best practice URL Filtering profile to ensure protection against URLs that have been observed hosting malware or exploitive content.
1. Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.
2. Block access to all known dangerous URL categories: malware, phishing, dynamic-dns, unknown, questionable, extremism, copyright-infringement, proxy-avoidance-and-anonymizers, and parked.


Step 3 Configure the URL Filtering profile to detect corporate credential submissions to websites that are in allowed URL categories.
NOTE: The firewall automatically skips checking credential submissions for App-IDs associated with sites that have never been observed hosting malware or phishing content, to ensure the best performance even if you enable checks in the corresponding category. The list of sites on which the firewall will skip credential checking is automatically updated via Application and Threat content updates.
1. Select User Credential Detection.
2. Select one of the Methods to Check for Corporate Credential Submissions to web pages from the User Credential Detection drop-down:
- Use IP User Mapping: Checks for valid corporate username submissions and verifies that the login username maps to the source IP address of the session. To do this, the firewall matches the submitted username and source IP address of the session against its IP address-to-username mapping table. To use this method you can use any of the user mapping methods described in Map IP Addresses to Users.
- Use Domain Credential Filter: Checks for valid corporate username and password submissions and verifies that the username maps to the IP address of the logged-in user. See Configure Credential Detection with the Windows-based User-ID Agent for instructions on how to set up User-ID to enable this method.
- Use Group Mapping: Checks for valid username submissions based on the user-to-group mapping table populated when you configure the firewall to Map Users to Groups.
  With group mapping, you can apply credential detection to any part of the directory, or a specific group, such as groups like IT that have access to your most sensitive applications.
  This method is prone to false positives in environments that do not have uniquely structured usernames. Because of this, you should only use this method to protect your high-value user accounts.
3. Set the Valid Username Detected Log Severity the firewall uses to log detection of corporate credential submissions. By default, the firewall logs these events as medium severity.

Step 4 Block (or alert) on credential submissions to allowed sites.
1. Select Categories.
2. For each Category to which Site Access is allowed, select how you want to treat User Credential Submissions:
- alert: Allow users to submit credentials to the website, but generate a URL Filtering log each time a user submits credentials to sites in this URL category.
- allow (default): Allow users to submit credentials to the website.
- block: Block users from submitting credentials to the website. When a user tries to submit credentials, the firewall displays the Anti Phishing Block Page, preventing the credential submission.
- continue: Present the Anti Phishing Continue Page response page to users when they attempt to submit credentials. Users must select Continue on the response page to continue with the submission.
3. Select OK to save the URL Filtering profile.


Step 5 Apply the URL Filtering profile with the credential detection settings to your Security policy rules.
1. Select Policies > Security and Add or modify a Security policy rule.
2. On the Actions tab, set the Profile Type to Profiles.
3. Select the new or updated URL Filtering profile to attach it to the Security policy rule.
4. Select OK to save the Security policy rule.

Step 6 Commit the configuration.

Step 7 Monitor credential submissions the firewall detects.
Select ACC > Hosts Visiting Malicious URLs to see the number of users who have visited malware and phishing sites.
Select Monitor > Logs > URL Filtering. The new Credential Detected column indicates events where the firewall detected an HTTP post request that included a valid credential. (To display this column, hover over any column header and click the arrow to select the columns you'd like to display.)
Log entry details also indicate credential submissions.


Step 8 Validate and troubleshoot credential submission detection.
- Use the following CLI command to view credential detection statistics:
> show user credential-filter statistics
The output for this command varies depending on the method configured for the firewall to detect credential submissions. For example, if the Domain Credential Filter method is configured in any URL Filtering profile, a list of User-ID agents that have forwarded a bloom filter to the firewall is displayed, along with the number of credentials contained in the bloom filter.
- (Group Mapping method only) Use the following CLI command to view group mapping information, including the number of URL Filtering profiles with Group Mapping credential detection enabled and the usernames of group members that have attempted to submit credentials to a restricted site:
> show user group-mapping statistics
- (Domain Credential Filter method only) Use the following CLI command to see all Windows-based User-ID agents that are sending mappings to the firewall:
> show user user-id-agent state
The command output now displays bloom filter counts that include the number of bloom filter updates the firewall has received from each agent, whether any bloom filter updates failed to process, and how many seconds have passed since the last bloom filter update.
- (Domain Credential Filter method only) The Windows-based User-ID agent displays log messages that reference BF (bloom filter) pushes to the firewall. In the User-ID agent interface, select Monitoring > Logs.


Share Threat Intelligence with Palo Alto Networks

Telemetry is the process of collecting and transmitting data for analysis. When you enable telemetry on the firewall, the firewall periodically collects and sends information that includes applications, threats, and device health to Palo Alto Networks. Sharing threat intelligence provides the following benefits:
- Enhanced vulnerability and spyware signatures delivered to you and other customers worldwide. For example, when a threat event triggers vulnerability or spyware signatures, the firewall shares the URLs associated with the threat with the Palo Alto Networks threat research team, so they can properly classify the URLs as malicious.
- Rapid testing and evaluation of experimental threat signatures with no impact to your network, so that critical threat prevention signatures can be released to all Palo Alto Networks customers faster.
- Improved accuracy and malware detection abilities within PAN-DB URL filtering, DNS-based command-and-control (C2) signatures, and WildFire.
Palo Alto Networks uses the threat intelligence extracted from telemetry to deliver these benefits to you and other Palo Alto Networks users. All Palo Alto Networks users benefit from the telemetry data shared by each user, making telemetry a community-driven approach to threat prevention. Palo Alto Networks does not share your telemetry data with other customers or third-party organizations.
- What Telemetry Data Does the Firewall Collect?
- Passive DNS Monitoring
- Enable Telemetry

What Telemetry Data Does the Firewall Collect?

The firewall collects and forwards different sets of telemetry data to Palo Alto Networks based on the Telemetry settings you enable. The firewall collects the data from fields in your log entries (see Log Types and Severity Levels); the log type and combination of fields vary based on the setting. Review the following table before you Enable Telemetry.

Each entry below gives the Setting followed by its Description.

Application Reports
The number and size of known applications by destination port, unknown applications by destination port, and unknown applications by destination IP address. The firewall generates these reports from Traffic logs and forwards them every 4 hours.

Threat Prevention Reports
Attacker information, the number of threats for each source country and destination port, and the correlation objects that threat events triggered. The firewall generates these reports from Threat logs and forwards them every 4 hours.

URL Reports
URLs with the following PAN-DB URL categories: malware, phishing, dynamic-dns, proxy-avoidance, questionable, parked, and unknown (URLs that PAN-DB has not yet categorized). The firewall generates these reports from URL Filtering logs.
URL Reports also include PAN-DB statistics such as the version of the URL filtering database on the firewall and on the PAN-DB cloud, the number of URLs in those databases, and the number of URLs that the firewall categorized. These statistics are based on the time that the firewall forwarded the URL Reports.
The firewall forwards URL Reports every 4 hours.


File Type Identification Reports
Information about files that the firewall has blocked or allowed based on data filtering and file blocking settings. The firewall generates these reports from Data Filtering logs and forwards them every 4 hours.

Threat Prevention Data
Log data from threat events that triggered signatures that Palo Alto Networks is evaluating for efficacy. Threat Prevention Data provides Palo Alto Networks more visibility into your network traffic than other telemetry settings. When enabled, the firewall may collect information such as source or victim IP addresses.
Enabling Threat Prevention Data also allows unreleased signatures that Palo Alto Networks is currently testing to run in the background. These signatures do not affect your security policy rules and firewall logs, and have no impact to your firewall performance.
The firewall forwards Threat Prevention Data every 5 minutes.

Threat Prevention Packet Captures
Packet captures (if you have enabled your firewall to Take a Threat Packet Capture) of threat events that triggered signatures that Palo Alto Networks is evaluating for efficacy. Threat Prevention Packet Captures provide Palo Alto Networks more visibility into your network traffic than other telemetry settings. When enabled, the firewall may collect information such as source or victim IP addresses.
The firewall forwards Threat Prevention Packet Captures every 5 minutes.

Product Usage Statistics
Backtraces of firewall processes that have failed, as well as information about the firewall status. Backtraces outline the execution history of the failed processes. These reports include details about the firewall model and the PAN-OS and content release versions installed on your firewall.
The firewall forwards Product Usage Statistics every 5 minutes.

Passive DNS Monitoring
Domain-to-IP address mappings based on firewall traffic. When you enable Passive DNS Monitoring, the firewall acts as a passive DNS sensor and sends DNS information to Palo Alto Networks for analysis.
The firewall forwards data from Passive DNS Monitoring in 1 MB batches.

Passive DNS Monitoring

Passive DNS monitoring enables the firewall to act as a passive DNS sensor and send DNS information to Palo Alto Networks for analysis to improve threat intelligence and threat prevention capabilities. The data collected includes non-recursive DNS query and response packet payloads (that is, the web browser sends a query to a DNS server to translate a domain to an IP address, and the server returns a response without querying other DNS servers). See DNS Overview for more background information about DNS.
The threat intelligence that the firewall collects from passive DNS monitoring consists solely of domain-to-IP address mappings. Palo Alto Networks retains no record of the source of this data and does not have the ability to associate it with the submitter at a future date. The Palo Alto Networks threat research team uses passive DNS information to gain insight into malware propagation and evasion techniques that abuse the DNS system. Information gathered through this data collection is used to improve PAN-DB URL category and DNS-based C2 signature accuracy and WildFire malware detection.
The firewall forwards DNS responses only when the following requirements are met:
- DNS response bit is set
- DNS truncated bit is not set


- DNS recursive bit is not set
- DNS response code is 0 or 3 (NX)
- DNS question count is bigger than 0
- DNS Answer RR count is bigger than 0, or if it is 0, the response code flags must be 3 (NX)
- DNS query record type is A, NS, CNAME, AAAA, or MX
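The forwarding requirements listed above can be checked mechanically against a DNS message. The Python below is an added example written for the reader of this guide; it is not Palo Alto Networks code and not the firewall's implementation. It parses the DNS header and question section and applies each requirement in the order listed. It assumes that "DNS recursive bit" means the Recursion Desired (RD) flag, and the sample messages are constructed in the script (only the header and question section are built, because the check reads the answer count from the header rather than parsing answer records).

```python
import struct

# Query record types that the firewall forwards (IANA type codes).
FORWARDED_QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}

# Flag bits in the second 16-bit word of the DNS header.
QR = 0x8000         # response bit
TC = 0x0200         # truncated bit
RD = 0x0100         # recursion desired; assumed here to be the "recursive bit"
RCODE_MASK = 0x000F
NXDOMAIN = 3


def _skip_name(pkt, off):
    """Return the offset just past the domain name that starts at off."""
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def passive_dns_eligible(pkt):
    """Apply the forwarding requirements to one DNS message.

    Returns (True, record_type) when the message would be forwarded, or
    (False, reason) naming the first requirement that failed.
    """
    if len(pkt) < 12:
        return False, "short header"
    _txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", pkt[:12])
    rcode = flags & RCODE_MASK
    if not flags & QR:
        return False, "response bit not set"
    if flags & TC:
        return False, "truncated bit set"
    if flags & RD:
        return False, "recursive bit set"
    if rcode not in (0, NXDOMAIN):
        return False, "response code %d" % rcode
    if qdcount == 0:
        return False, "question count is 0"
    if ancount == 0 and rcode != NXDOMAIN:
        return False, "answer count is 0 and response is not NX"
    try:
        off = _skip_name(pkt, 12)                       # question starts after the header
        qtype = struct.unpack("!H", pkt[off:off + 2])[0]
    except (ValueError, struct.error):
        return False, "malformed question section"
    if qtype not in FORWARDED_QTYPES:
        return False, "query type %d not forwarded" % qtype
    return True, FORWARDED_QTYPES[qtype]


def build_message(flags, qname, qtype, ancount=0):
    """Constructed sample: a DNS header plus one question (no answer records)."""
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    return header + name + struct.pack("!HH", qtype, 1)   # qclass IN


# Constructed messages covering the pass case and each rejection reason.
SAMPLES = {
    "a_record":       build_message(QR, "www.example.com", 1, ancount=1),
    "nxdomain":       build_message(QR | NXDOMAIN, "nx.example.com", 1),
    "query_not_resp": build_message(0, "www.example.com", 1),
    "truncated":      build_message(QR | TC, "www.example.com", 1, ancount=1),
    "recursive":      build_message(QR | RD, "www.example.com", 1, ancount=1),
    "servfail":       build_message(QR | 2, "www.example.com", 1),
    "empty_answer":   build_message(QR, "www.example.com", 1),
    "txt_record":     build_message(QR, "www.example.com", 16, ancount=1),
}


def classify_samples():
    """Run the check over every constructed sample; returns {name: (ok, detail)}."""
    return {name: passive_dns_eligible(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, detail) in classify_samples().items():
        print("%-15s %s  %s" % (name, "forward" if ok else "drop   ", detail))
```

The NXDOMAIN sample passes even with an answer count of 0, which is the one exception the requirements list allows; a successful response with no answers is dropped, as is anything whose query type is outside the five forwarded record types.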

Enable Telemetry

When you enable telemetry, you define what data the firewall collects and shares with Palo Alto Networks. For some telemetry settings, you can preview what the data that your firewall sends will look like before committing. The firewall uses the Palo Alto Networks Services service route to send the data you share from telemetry to Palo Alto Networks.

Enable Telemetry

Step 1: Select Device > Setup > Telemetry, and edit the Telemetry settings.

Step 2: Select the telemetry data you want to share with Palo Alto Networks. For more specific descriptions of this data, see What Telemetry Data Does the Firewall Collect? By default, all telemetry settings are disabled.

To enable Threat Prevention Packet Captures, you must also enable Threat Prevention Data.


Step 3: Open a report sample to view the type of data that the firewall collects for Application Reports, Threat Prevention Reports, URL Reports, and File Type Identification Reports.
The report sample, formatted in XML, is based on your firewall activity in the first 4 hours since you first viewed the report sample. A report sample does not display any entries if the firewall did not find any matching traffic for the report. The firewall only collects new information for a report sample when you restart the firewall and open a report sample.
Figure: Report sample for Threat Prevention Reports

Application Reports, Threat Prevention Reports, URL Reports, and File Type Identification Reports each consist of multiple reports. In the report sample, Type describes the name of a report. Aggregate lists the log fields that the firewall collects for the report (refer to Syslog Field Descriptions to determine the names of the fields as they appear in the firewall logs). Values indicates the units of measure used in the report (for example, the value count for the Attackers (threat) report refers to the number of times the firewall detected a threat associated with a particular threat ID).

Step 4: View the type of data that the firewall collects for Product Usage Statistics.
Enter the following operational CLI command: show system info

Step 5: Click OK and Commit your changes.


Step 6: If you enabled Threat Prevention Data and Threat Prevention Packet Captures, view the data that the firewall collected.
1. Edit the Telemetry settings.
2. Click Download Threat Prevention Data to download a tarball file (.tar.gz) with the most recent 100 folders of data that the firewall collected for Threat Prevention Data and Threat Prevention Packet Captures. If you never enabled these settings, or if you enabled them but no threat events have matched the conditions for these settings, the firewall does not generate a file and instead returns an error message.
There is currently no way to view the DNS information that the firewall collects through passive DNS monitoring.


Use DNS Queries to Identify Infected Hosts on the Network

The DNS sinkhole action in Anti-Spyware profiles enables the firewall to forge a response to a DNS query for a known malicious domain or to a custom domain so that you can identify hosts on your network that have been infected with malware. By default, DNS queries to any domain included in the Palo Alto Networks DNS signatures list are sinkholed to a Palo Alto Networks server IP address. The following topics provide details on how to enable DNS sinkholing for custom domains and how to identify infected hosts.
- DNS Sinkholing
- Configure DNS Sinkholing for a List of Custom Domains
- Configure the Sinkhole IP Address to a Local Server on Your Network
- Identify Infected Hosts

DNS Sinkholing

DNS sinkholing helps you to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query (that is, the firewall cannot see the originator of the DNS query). In a typical deployment where the firewall is north of the local DNS server, the threat log will identify the local DNS resolver as the source of the traffic rather than the actual infected host. Sinkholing malware DNS queries solves this visibility problem by forging responses to the client host queries directed at malicious domains, so that clients attempting to connect to malicious domains (for command and control, for example) will instead attempt to connect to a default Palo Alto Networks sinkhole IP address, or to a user-defined IP address as illustrated in Configure DNS Sinkholing for a List of Custom Domains. Infected hosts can then be easily identified in the traffic logs because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.
If you want to enable DNS sinkholing for Palo Alto Networks DNS signatures, attach the default Anti-Spyware profile to a security policy rule (see Set Up Antivirus, Anti-Spyware, and Vulnerability Protection). DNS queries to any domain included in the Palo Alto Networks DNS signatures will be resolved to the default Palo Alto Networks sinkhole IP address. The IP addresses currently are IPv4 71.19.152.112 and the IPv6 loopback address ::1. These addresses are subject to change and can be updated with content updates.


Figure: DNS Sinkholing Example


Configure DNS Sinkholing for a List of Custom Domains

To enable DNS sinkholing for a custom list of domains, you must create an External Dynamic List that includes the domains, enable the sinkhole action in an Anti-Spyware profile, and attach the profile to a security policy rule. When a client attempts to access a malicious domain in the list, the firewall forges the destination IP address in the packet to the default Palo Alto Networks server or to a user-defined IP address for sinkholing.
For each custom domain included in the external dynamic list, the firewall generates DNS-based spyware signatures. The signature is named Custom Malicious DNS Query <domain name>, and is of type spyware with medium severity; each signature is a 24-byte hash of the domain name.
Each firewall model supports a maximum of 50,000 domain names total in one or more external dynamic lists, but no maximum limit is enforced for any one list.

Configure DNS Sinkholing for a Custom List of Domains

Step 1: Enable DNS sinkholing for the custom list of domains in an external dynamic list.
1. Select Objects > Security Profiles > Anti-Spyware.
2. Modify an existing profile, or select one of the existing default profiles and clone it.
3. Name the profile and select the DNS Signatures tab.
4. Click Add and select External Dynamic Lists in the drop-down.
If you have already created an external dynamic list of type Domain List, you can select it from here. The drop-down does not display external dynamic lists of type URL or IP Address that you may have created.
5. Configure the external dynamic list from the Anti-Spyware profile (see Configure the Firewall to Access an External Dynamic List). The Type is preset to Domain List.
6. (Optional) In the Packet Capture drop-down, select single-packet to capture the first packet of the session or extended-capture to set between 1 and 50 packets. You can then use the packet captures for further analysis.


Step 2: Verify the sinkholing settings on the Anti-Spyware profile.
1. On the DNS Signatures tab, verify that the Action on DNS Queries is sinkhole.
2. In the Sinkhole section, verify that Sinkhole is enabled. For your convenience, the default Sinkhole IP address is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this IP address through content updates.
If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
3. Click OK to save the Anti-Spyware profile.

Step 3: Attach the Anti-Spyware profile to a Security policy rule.
1. Select Policies > Security.
2. On the Actions tab, select the Log at Session Start check box to enable logging.
3. In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From the Anti-Spyware drop-down, select the new profile.
4. Click OK to save the policy rule.

Step 4: Test that the policy action is enforced.
1. View External Dynamic List Entries that belong to the domain list, and access a domain from the list.
2. To monitor the activity on the firewall:
a. Select ACC and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
b. Select Monitor > Logs > Threat and filter by (action eq sinkhole) to view logs on sinkholed domains.


Step 5: Verify whether entries in the external dynamic list are ignored or skipped.
Use the following CLI command on the firewall to review the details about the list:
request system external-list show type domain name <list_name>
For example:
request system external-list show type domain name My_List_of_Domains_2015
vsys1/EBLDomain:
Next update at : Thu May 21 10:15:39 2015
Source :https://1.2.3.4/My_List_of_Domains_2015
Referenced : Yes
Valid : Yes
Number of entries : 3
domains:
www.example.com
baddomain.com
qqq.abcedfg.com

Step 6: (Optional) Retrieve the external dynamic list on demand.
To force the firewall to retrieve the updated list on demand instead of at the next refresh interval (the Repeat frequency you defined for the external dynamic list), use the following CLI command:
request system external-list refresh type domain name <list_name>
As an alternative, you can use the firewall interface to Retrieve an External Dynamic List from the Web Server.

Configure the Sinkhole IP Address to a Local Server on Your Network

By default, sinkholing is enabled for all Palo Alto Networks DNS signatures, and the sinkhole IP address is set to access a Palo Alto Networks server. Use the instructions in this section if you want to set the sinkhole IP address to a local server on your network.
You must obtain both an IPv4 and an IPv6 address to use as the sinkhole IP addresses because malicious software may perform DNS queries using one or both of these protocols. The DNS sinkhole address must be in a different zone than the client hosts to ensure that when an infected host attempts to start a session with the sinkhole IP address, it will be routed through the firewall.

The sinkhole addresses must be reserved for this purpose and do not need to be assigned to a physical host. You can optionally use a honeypot server as a physical host to further analyze the malicious traffic.

The configuration steps that follow use the following example DNS sinkhole addresses:
- IPv4 DNS sinkhole address: 10.15.0.20
- IPv6 DNS sinkhole address: fd97:3dec:4d27:e37c:5:5:5:5


Configure Sinkholing to a Local Server on Your Network

Step 1: Configure the sinkhole interface and zone.
Traffic from the zone where the client hosts reside must route to the zone where the sinkhole IP address is defined, so traffic will be logged.
Use a dedicated zone for sinkhole traffic, because the infected host will be sending traffic to this zone.
1. Select Network > Interfaces and select an interface to configure as your sinkhole interface.
2. In the Interface Type drop-down, select Layer3.
3. To add an IPv4 address, select the IPv4 tab, select Static, and then click Add. In this example, add 10.15.0.20 as the IPv4 DNS sinkhole address.
4. Select the IPv6 tab, click Static, and then click Add and enter an IPv6 address and subnet mask. In this example, enter fd97:3dec:4d27:e37c::/64 as the IPv6 sinkhole address.
5. Click OK to save.
6. To add a zone for the sinkhole, select Network > Zones and click Add.
7. Enter a zone Name.
8. In the Type drop-down select Layer3.
9. In the Interfaces section, click Add and add the interface you just configured.
10. Click OK.

Step 2: Enable DNS sinkholing.
By default, sinkholing is enabled for all Palo Alto Networks DNS signatures. To change the sinkhole address to your local server, see step 2 in Configure DNS Sinkholing for a List of Custom Domains.

Step 3: Edit the security policy rule that allows traffic from client hosts in the trust zone to the untrust zone to include the sinkhole zone as a destination and attach the Anti-Spyware profile.
Editing the Security policy rule(s) that allow traffic from client hosts in the trust zone to the untrust zone ensures that you are identifying traffic from infected hosts. By adding the sinkhole zone as a destination on the rule, you enable infected clients to send bogus DNS queries to the DNS sinkhole.
1. Select Policies > Security.
2. Select an existing rule that allows traffic from the client host zone to the untrust zone.
3. On the Destination tab, Add the Sinkhole zone. This allows client host traffic to flow to the sinkhole zone.
4. On the Actions tab, select the Log at Session Start check box to enable logging. This will ensure that traffic from client hosts in the Trust zone will be logged when accessing the Untrust or Sinkhole zones.
5. In the Profile Setting section, select the Anti-Spyware profile in which you enabled DNS sinkholing.
6. Click OK to save the Security policy rule and then Commit.


Step 4: To confirm that you will be able to identify infected hosts, verify that traffic going from the client host in the Trust zone to the new Sinkhole zone is being logged.
In this example, the infected client host is 192.168.2.10 and the Sinkhole IPv4 address is 10.15.0.20.
1. From a client host in the trust zone, open a command prompt and run the following command:
C:\>ping <sinkhole address>
The following example output shows the ping request to the DNS sinkhole address at 10.15.0.20 and the result, which is Request timed out because in this example the sinkhole IP address is not assigned to a physical host:
C:\>ping 10.15.0.20
Pinging 10.15.0.20 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 10.15.0.20:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
2. On the firewall, select Monitor > Logs > Traffic and find the log entry with the Source 192.168.2.10 and Destination 10.15.0.20. This will confirm that the traffic to the sinkhole IP address is traversing the firewall zones.
You can search and/or filter the logs and only show logs with the destination 10.15.0.20. To do this, click the IP address (10.15.0.20) in the Destination column, which will add the filter (addr.dst in 10.15.0.20) to the search field. Click the Apply Filter icon to the right of the search field to apply the filter.


Step 5: Test that DNS sinkholing is configured properly.
You are simulating the action that an infected client host would perform when a malicious application attempts to call home.
1. Find a malicious domain that is included in the firewall's current Antivirus signature database to test sinkholing.
a. Select Device > Dynamic Updates and in the Antivirus section click the Release Notes link for the currently installed antivirus database. You can also find the antivirus release notes that list the incremental signature updates under Dynamic Updates on the Palo Alto Networks support site.
b. In the second column of the release note, locate a line item with a domain extension (for example, .com, .edu, or .net). The left column will display the domain name. For example, Antivirus release 1117-1560 includes an item in the left column named "tbsbana" and the right column lists "net". The following shows the content in the release note for this line item:
conficker:tbsbana1 variants: net
2. From the client host, open a command prompt.
3. Perform an NSLOOKUP to a URL that you identified as a known malicious domain.
For example, using the URL track.bidtrk.com:
C:\>nslookup track.bidtrk.com
Server: my-local-dns.local
Address: 10.0.0.222
Non-authoritative answer:
Name: track.bidtrk.com.org
Addresses: fd97:3dec:4d27:e37c:5:5:5:5
10.15.0.20
In the output, note that the NSLOOKUP to the malicious domain has been forged using the sinkhole IP addresses that we configured (10.15.0.20). Because the domain matched a malicious DNS signature, the sinkhole action was performed.
4. Select Monitor > Logs > Threat and locate the corresponding threat log entry to verify that the correct action was taken on the NSLOOKUP request.
5. Perform a ping to track.bidtrk.com, which will generate network traffic to the sinkhole address.


Identify Infected Hosts

After you have configured DNS sinkholing and verified that traffic to a malicious domain goes to the sinkhole address, you should regularly monitor traffic to the sinkhole address, so that you can track down the infected hosts and eliminate the threat.

DNS Sinkhole Verification and Reporting

Use App Scope to identify infected client hosts.
1. Select Monitor > App Scope and select Threat Monitor.
2. Click the Show spyware button along the top of the display page.
3. Select a time range.
The following screenshot shows three instances of Suspicious DNS queries, which were generated when the test client host performed an NSLOOKUP on a known malicious domain. Click the graph to see more details about the event.


Configure a custom report to identify all client hosts that have sent traffic to the sinkhole IP address, which is 10.15.0.20 in this example.
Forward to an SNMP manager, Syslog server, and/or Panorama to enable alerts on these events.
In this example, the infected client host performed an NSLOOKUP to a known malicious domain that is listed in the Palo Alto Networks DNS Signature database. When this occurred, the query was sent to the local DNS server, which then forwarded the request through the firewall to an external DNS server. The firewall security policy with the Anti-Spyware profile configured matched the query to the DNS Signature database, which then forged the reply using the sinkhole address of 10.15.0.20 and fd97:3dec:4d27:e37c:5:5:5:5. The client attempts to start a session and the traffic log records the activity with the source host and the destination address, which is now directed to the forged sinkhole address.
Viewing the traffic log on the firewall allows you to identify any client host that is sending traffic to the sinkhole address. In this example, the logs show that the source address 192.168.2.10 sent the malicious DNS query. The host can then be found and cleaned. Without the DNS sinkhole option, the administrator would only see the local DNS server as the system that performed the query and would not see the client host that is infected. If you attempted to run a report on the threat log using the action Sinkhole, the log would show the local DNS server, not the infected host.
1. Select Monitor > Manage Custom Reports.
2. Click Add and Name the report.
3. Define a custom report that captures traffic to the sinkhole address as follows:
- Database: Select Traffic Log.
- Scheduled: Enable Scheduled and the report will run every night.
- Time Frame: 30 days
- Selected Columns: Select Source address or Source User (if you have User-ID configured), which will identify the infected client host in the report, and Destination address, which will be the sinkhole address.
- In the section at the bottom of the screen, create a custom query for traffic to the sinkhole address (10.15.0.20 in this example). You can either enter the destination address in the Query Builder window (addr.dst in 10.15.0.20) or select the following in each column and click Add: Connector = and, Attribute = Destination Address, Operator = in, and Value = 10.15.0.20. Click Add to add the query.
4. Click Run Now to run the report. The report will show all client hosts that have sent traffic to the sinkhole address, which indicates that they are most likely infected. You can now track down the hosts and check them for spyware.
5. To view scheduled reports that have run, select Monitor > Reports.
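The DNS Sinkholing section earlier explains why the sinkhole destination, rather than the threat log, reveals the infected host, and the custom report above filters the traffic log with (addr.dst in 10.15.0.20). The Python below is an added example that illustrates both points for the reader of this guide; it is not Palo Alto Networks code and not the firewall's report engine. It applies the same destination-address filter to traffic log entries and groups the hits by source host, which is what an analyst would do with exported logs to build the list of hosts to clean. The log lines are constructed for the example in a simplified comma-separated layout (not the firewall's actual traffic log export format); the addresses are the chapter's example values.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Sinkhole addresses from the example configuration in this chapter.
SINKHOLE_ADDRS = {
    ipaddress.ip_address("10.15.0.20"),
    ipaddress.ip_address("fd97:3dec:4d27:e37c:5:5:5:5"),
}

TIME_FMT = "%Y/%m/%d %H:%M:%S"

# Constructed traffic log lines for the example (simplified layout, not the
# firewall's export format): time,source,destination,destination port,app,action
SAMPLE_LOG = """\
2017/03/30 09:12:01,192.168.2.10,10.15.0.20,80,web-browsing,allow
2017/03/30 09:12:03,192.168.2.10,10.15.0.20,443,ssl,allow
2017/03/30 09:15:44,192.168.2.55,93.184.216.34,443,ssl,allow
2017/03/30 09:20:10,192.168.2.77,fd97:3dec:4d27:e37c:5:5:5:5,8080,unknown-tcp,allow
this line is garbage and is skipped
2017/03/30 09:25:30,192.168.2.10,10.15.0.20,8443,unknown-tcp,allow
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.strip().split(",")
    if len(parts) != 6:
        return None
    try:
        return {
            "time": datetime.strptime(parts[0], TIME_FMT),
            "src": ipaddress.ip_address(parts[1]),
            "dst": ipaddress.ip_address(parts[2]),
            "dport": int(parts[3]),
            "app": parts[4],
            "action": parts[5],
        }
    except ValueError:
        return None


def matches_sinkhole_filter(entry, sinkholes=SINKHOLE_ADDRS):
    """Equivalent of the report query (addr.dst in <sinkhole address>)."""
    return entry["dst"] in sinkholes


def sinkhole_report(log_text, sinkholes=SINKHOLE_ADDRS):
    """Group sinkhole hits by source host, most active host first.

    Each row carries the hit count, first and last seen time and the
    destination ports tried: the same columns the custom report selects,
    plus the ports, which hint at what the malware was trying to reach.
    """
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "ports": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not matches_sinkhole_filter(entry, sinkholes):
            continue
        row = hits[entry["src"]]
        row["count"] += 1
        row["ports"].add(entry["dport"])
        if row["first"] is None or entry["time"] < row["first"]:
            row["first"] = entry["time"]
        if row["last"] is None or entry["time"] > row["last"]:
            row["last"] = entry["time"]
    report = []
    for src, row in hits.items():
        report.append({
            "host": str(src),
            "count": row["count"],
            "first": row["first"].strftime(TIME_FMT),
            "last": row["last"].strftime(TIME_FMT),
            "ports": sorted(row["ports"]),
        })
    report.sort(key=lambda r: (-r["count"], r["host"]))
    return report


if __name__ == "__main__":
    for row in sinkhole_report(SAMPLE_LOG):
        print("%-16s hits=%d first=%s last=%s ports=%s"
              % (row["host"], row["count"], row["first"], row["last"], row["ports"]))
```

Because the firewall forges the DNS reply to the client, the source column here is the client itself (192.168.2.10 in the chapter's example), not the local resolver; filtering the threat log by the sinkhole action would instead surface the resolver, as the text above notes. The IPv6 sinkhole address is included in the filter so that hosts whose malware resolves AAAA records are not missed.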


Monitor Blocked IP Addresses

The firewall maintains a block list of source IP addresses that it's blocking. When the firewall blocks a source IP address, such as when you configure either of the following policy rules, the firewall blocks that traffic in hardware before those packets use CPU or packet buffer resources:
- A classified DoS Protection policy rule with the action to Protect (a classified DoS Protection policy specifies that incoming connections match a source IP address, destination IP address, or source and destination IP address pair, and is associated with a Classified DoS Protection profile, as described in DoS Protection Against Flooding of New Sessions)
- A Security Policy rule that uses a Vulnerability Protection profile
Hardware IP address blocking is supported on PA-3060 firewalls, PA-3050 firewalls, and PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls.
You can view the block list, get detailed information about an IP address on the block list, or view counts of addresses that hardware and software are blocking. You can delete an IP address from the list if you think it shouldn't be blocked. You can change the source of detailed information about addresses on the list. You can also change how long hardware blocks IP addresses.

Monitor IP Address Blocking

View block list entries.
1. Select Monitor > Block IP List.
Entries on the block list indicate in the Type column whether they were blocked by hardware (hw) or software (sw).
2. View at the bottom of the screen:
- Count of Total Blocked IPs out of the number of blocked IP addresses the firewall supports.
- Percentage of the block list the firewall has used.
3. To filter the entries displayed, select a value in a column (which creates a filter in the Filters field) and Apply Filter. Otherwise, the firewall displays the first 1,000 entries.
4. Enter a Page number or click the arrows at the bottom of the screen to advance through pages of entries.
5. To view details about an address on the block list, hover over a Source IP address and click the down arrow link. Click the Who Is link, which displays Network Solutions WhoIs information about the address.

Delete block list entries.
You might want to delete an entry if you determine an IP address shouldn't be blocked. You should then revise the policy rule that caused the firewall to block the address.
1. Select Monitor > Block IP List.
2. Select one or more entries and click Delete.
3. (Optional) Select Clear All to remove all entries from the list.


Disable or re-enable hardware IP address blocking for troubleshooting purposes.
> set system setting hardware-acl-blocking <enable | disable>
Leave hardware IP address blocking enabled unless Palo Alto Networks technical support asks you to disable it, for example, if they are debugging a traffic flow.
NOTE: While hardware IP address blocking is disabled, the firewall still performs any software IP address blocking you have configured.

Tune the number of seconds that IP addresses blocked by hardware remain on the block list (range is 1 to 3,600; default is 1).
> set system setting hardware-acl-blocking duration <seconds>
Maintain a shorter duration for hardware block list entries than software block list entries to reduce the likelihood of exceeding the blocking capacity of the hardware.

Change the default website for finding more information about an IP address from Network Solutions WhoIs to a different website.
# set deviceconfig system ip-address-lookup-url <url>

View counts of source IP addresses blocked by hardware and software, for example to see the rate of an attack.
View the total sum of IP address entries on the hardware block table and block list (blocked by hardware and software):
> show counter global name flow_dos_blk_num_entries
View the count of IP address entries on the hardware block table that were blocked by hardware:
> show counter global name flow_dos_blk_hw_entries
View the count of IP address entries on the block list that were blocked by software:
> show counter global name flow_dos_blk_sw_entries

View block list information per slot on a PA-7000 Series firewall.
> show dos-block-table software filter slot <slot-number>


Learn More About and Assess Threats

Features of Threat Vault and AutoFocus are integrated into the firewall to provide visibility into the nature of the threats the firewall detects and to give a more complete picture of how an artifact fits into your organization's network traffic (an artifact is a property, activity, or behavior associated with a file, email link, or session). These features allow you both to get immediate, contextual information about a threat and to seamlessly shift your threat investigation from the firewall to the Threat Vault and AutoFocus.

Additionally, you can use threat categories, which classify types of threat events, to narrow your view into a certain type of threat activity or to build custom reports.
- Assess Firewall Artifacts with AutoFocus
- Learn More About Threat Signatures
- Monitor Activity and Create Custom Reports Based on Threat Categories

Assess Firewall Artifacts with AutoFocus

Use the AutoFocus Intelligence Summary for an artifact to assess its pervasiveness in your network and the threats associated with it.
- AutoFocus Intelligence Summary
- View and Act on AutoFocus Intelligence Summary Data

AutoFocus Intelligence Summary

The AutoFocus Intelligence Summary offers a centralized view of information about an artifact that AutoFocus has extracted from threat intelligence gathered from other AutoFocus users, WildFire, the PAN-DB URL filtering database, Unit 42, and open-source intelligence.


AutoFocus Intelligence Summary

Analysis Information
The Analysis Information tab displays the following information:
- Sessions: The number of sessions logged in your firewall(s) in which the firewall detected samples associated with the artifact.
- Samples: A comparison of organization and global samples associated with the artifact and grouped by WildFire verdict (benign, malware, or grayware). Global refers to samples from all WildFire submissions, while organization refers only to samples submitted to WildFire by your organization.
- Matching Tags: The AutoFocus tags matched to the artifact. AutoFocus Tags indicate whether an artifact is linked to malware or targeted attacks.

Passive DNS
The Passive DNS tab displays passive DNS history that includes the artifact. This passive DNS history is based on global DNS intelligence in AutoFocus; it is not limited to the DNS activity in your network. Passive DNS history consists of:
- The domain request
- The DNS request type
- The IP address or domain to which the DNS request resolved (private IP addresses are not displayed)
- The number of times the request was made
- The date and time the request was first seen and last seen


Matching Hashes
The Matching Hashes tab displays the 5 most recently detected matching samples. Sample information includes:
- The SHA256 hash of the sample
- The sample file type
- The date and time that WildFire analyzed a sample and assigned a WildFire verdict to it
- The WildFire verdict for the sample
- The date and time that WildFire updated the WildFire verdict for the sample (if applicable)

View and Act on AutoFocus Intelligence Summary Data

Interact with the AutoFocus Intelligence Summary to display more information about an artifact or extend your artifact research to AutoFocus. AutoFocus tags reveal if the artifact is associated with certain types of malware or malicious behavior.

View and Act on AutoFocus Intelligence Summary Data

Step 1: Confirm that the firewall is connected to AutoFocus.
Enable AutoFocus Threat Intelligence on the firewall (active AutoFocus subscription required).

Step 2: Find artifacts to investigate.
You can view an AutoFocus Intelligence Summary for artifacts when you:
- View Logs (Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Unified logs only).
- View External Dynamic List Entries.

Step 3: Hover over an artifact to open the drop-down, and click AutoFocus.

The AutoFocus Intelligence Summary is only available for the following types of artifacts:
- IP address
- URL
- Domain
- User agent
- Threat name (only for threats of the subtypes virus and wildfire-virus)
- Filename
- SHA256 hash


Step 4: Launch an AutoFocus search for the artifact for which you opened the AutoFocus Intelligence Summary.
Click the Search AutoFocus for... link at the top of the AutoFocus Intelligence Summary window. The search results include all samples associated with the artifact. Toggle between the My Samples and All Samples tabs and compare the number of samples to determine the pervasiveness of the artifact in your organization.

Step 5: Launch an AutoFocus search for other artifacts in the AutoFocus Intelligence Summary.
Click on the following artifacts to determine their pervasiveness in your organization:
- WildFire verdicts in the Analysis Information tab
- URLs and IP addresses in the Passive DNS tab
- The SHA256 hashes in the Matching Hashes tab

Step 6: View the number of sessions associated with the artifact in your organization per month.
Hover over the session bars.

Step 7: View the number of samples associated with the artifact by scope and WildFire verdict.
Hover over the samples bars.


Step 8: View more details about matching AutoFocus tags.
Hover over a matching tag to view the tag description and other tag details.

Step 9: View other samples associated with a matching tag.
Click a matching tag to launch an AutoFocus search for that tag. The search results include all samples matched to the tag.
Unit 42 tags identify threats and campaigns that pose a direct security risk. Click on a Unit 42 matching tag to see how many samples in your network are associated with the threat the tag identifies.

Step 10: Find more matching tags for an artifact.
Click the ellipsis (...) to launch an AutoFocus search for the artifact. The Tags column in the search results displays more matching tags for the artifact, which give you an idea of other malware, malicious behavior, threat actors, exploits, or campaigns where the artifact is commonly detected.

Learn More About Threat Signatures

Firewall Threat logs record all threats the firewall detects based on threat signatures (Set Up Antivirus, Anti-Spyware, and Vulnerability Protection) and the ACC displays an overview of the top threats on your network. Each event the firewall records includes an ID that identifies the associated threat signature.
You can use the threat ID found with a Threat log or ACC entry to:
- Easily check if a threat signature is configured as an exception to your security policy (Create Threat Exceptions).
- Find the latest Threat Vault information about a specific threat. Because the Threat Vault is integrated with the firewall, you can view threat details directly in the firewall context or launch a Threat Vault search in a new browser window for a threat the firewall logged.


Find Details for Detected Threats

Step 1: Confirm the firewall is connected to the Threat Vault.
Select Device > Setup > Management and edit the Logging and Reporting setting to Enable Threat Vault Access. Threat Vault access is enabled by default.

Step 2: Find the threat ID for threats the firewall detects.
- To see each threat event the firewall detects based on threat signatures, select Monitor > Logs > Threat. You can find the ID for a threat entry listed in the ID column, or select the log entry to view log details, including the Threat ID.
- To see an overview of top threats on the network, select ACC > Threat Activity and take a look at the Threat Activity widget. The ID column displays the threat ID for each threat displayed.
- To see details for threats that you can configure as threat exceptions (meaning, the firewall enforces the threat differently than the default action defined for the threat signature), select Objects > Security Profiles > Anti-Spyware/Vulnerability Protection. Add or modify a profile and click the Exceptions tab to view configured exceptions. If no exceptions are configured, you can filter for threat signatures or select Show all signatures.


Step 3 Hover over a Threat Name or the threat ID to open the drop-down, and click Exception to review both the threat details and how the firewall is configured to enforce the threat.
  For example, find out more about a top threat charted on the ACC: [screenshot omitted]

Step 4 Review the latest Threat Details for the threat and launch a Threat Vault search based on the threat ID.
  Threat details displayed include the latest Threat Vault information for the threat, resources you can use to learn more about the threat, and CVEs associated with the threat.
  Select View in Threat Vault to open a Threat Vault search in a new window and look up the latest information the Palo Alto Networks threat database has for this threat signature.


Step 5 Check if a threat signature is configured as an exception to your security policy.
  If the Used in current security rule column is clear, the firewall is enforcing the threat based on the recommended default signature action (for example, block or alert).
  A check mark anywhere in the Used in current security rule column indicates that a security policy rule is configured to enforce a non-default action for the threat (for example, allow), based on the associated Exempt Profiles settings.
  NOTE: The Used in security rule column does not indicate if the Security policy rule is enabled, only if the Security policy rule is configured with the threat exception. Select Policies > Security to check if an indicated security policy rule is enabled.

Step 6 Add an IP address on which to filter the threat exception or view existing Exempt IP Addresses.
  Configure an exempt IP address to enforce a threat exception only when the associated session has either a matching source or destination IP address; for all other sessions, the threat is enforced based on the default signature action.

Monitor Activity and Create Custom Reports Based on Threat Categories

Threat categories classify different types of threat signatures to help you understand and draw connections between events threat signatures detect. Threat categories are subsets of the broader threat signature types: spyware, vulnerability, antivirus, and DNS signatures. Threat log entries display the Threat Category for each recorded event.

Monitor Activity and Create Custom Reports Based on Threat Categories

Filter Threat logs by threat category.
  1. Select Monitor > Logs > Threat.
  2. Add the Threat Category column so you can view the Threat Category for each log entry: [screenshot omitted]
  3. To filter based on Threat Category:
     - Use the log query builder to add a filter with the Attribute Threat Category and, in the Value field, enter a Threat Category.
     - Select the Threat Category of any log entry to add that category to the filter: [screenshot omitted]


Filter ACC activity by threat category.
  1. Select ACC and add Threat Category as a global filter: [screenshot omitted]
  2. Select the Threat Category to filter all ACC tabs.

Create custom reports based on threat categories to receive information about specific types of threats that the firewall has detected.
  1. Select Monitor > Manage Custom reports to add a new custom report or modify an existing one.
  2. Choose the Database to use as the source for the custom report; in this case, select Threat from either of the two types of database sources, summary databases and Detailed logs. Summary database data is condensed to allow a faster response time when generating reports. Detailed logs take longer to generate but provide an itemized and complete set of data for each log entry.
  3. In the Query Builder, add a report filter with the Attribute Threat Category and, in the Value field, select a threat category on which to base your report.
  4. To test the new report settings, click Run Now.
  5. Click OK to save the report.


Content Delivery Network Infrastructure for Dynamic Updates

Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to the Palo Alto Networks firewalls. The firewalls access the web resources in the CDN to perform various App-ID and Content-ID functions. For enabling and scheduling the content updates, see Install Content and Software Updates.
The following table lists the web resources that the firewall accesses for a feature or application. For each resource it gives the URL and the static addresses to use if a static server is required:

Resource: Application Database
  URL: updates.paloaltonetworks.com:443
  Static Addresses: staticupdates.paloaltonetworks.com or the IP address 199.167.52.15

Resource: Threat/Antivirus Database
  URL: updates.paloaltonetworks.com:443
       downloads.paloaltonetworks.com:443
  Static Addresses: staticupdates.paloaltonetworks.com or the IP address 199.167.52.15
  As a best practice, set the update server to updates.paloaltonetworks.com. This allows the Palo Alto Networks firewall to receive content updates from the server closest to it in the CDN infrastructure.

Resource: PAN-DB URL Filtering
  URL: *.urlcloud.paloaltonetworks.com
       Resolves to the primary URL s0000.urlcloud.paloaltonetworks.com and is then redirected to the regional server that is closest:
       s0100.urlcloud.paloaltonetworks.com
       s0200.urlcloud.paloaltonetworks.com
       s0300.urlcloud.paloaltonetworks.com
       s0500.urlcloud.paloaltonetworks.com
  Static Addresses: Static IP addresses are not available. However, you can manually resolve a URL to an IP address and allow access to the regional server IP address.

Resource: BrightCloud URL Filtering
  URL: database.brightcloud.com:443/80
       service.brightcloud.com:80
  Static Addresses: Contact BrightCloud Customer Support.


Resource: WildFire
  URL: beta.wildfire.paloaltonetworks.com:443/80
       betas1.wildfire.paloaltonetworks.com:443/80
       NOTE: Beta sites are only accessed by a firewall running a Beta release version.
       mail.wildfire.paloaltonetworks.com:25
       wildfire.paloaltonetworks.com:443/80
  Static Addresses: mail.wildfire.paloaltonetworks.com:25 or the IP address 54.241.16.83
       wildfire.paloaltonetworks.com:443/80 or 54.241.8.199
       The Palo Alto Networks update server delivers WildFire content updates to the firewall: staticupdates.paloaltonetworks.com or the IP address 199.167.52.15
       The regional URL/IP addresses for WildFire submission queues are as follows:
       cas1.wildfire.paloaltonetworks.com:44 or 54.241.34.71
       vas1.wildfire.paloaltonetworks.com:443 or 174.129.24.252
       eus1.wildfire.paloaltonetworks.com:443 or 54.246.95.247
       sgs1.wildfire.paloaltonetworks.com:443 or 54.251.33.241
       jps1.wildfire.paloaltonetworks.com:443 or 54.238.53.161
       portal3.wildfire.paloaltonetworks.com:443/80 or 54.241.8.199
       cas3.wildfire.paloaltonetworks.com:443 or 54.241.34.71
       vas3.wildfire.paloaltonetworks.com:443 or 23.21.208.35
       eus3.wildfire.paloaltonetworks.com:443 or 54.246.95.247
       sgs3.wildfire.paloaltonetworks.com:443 or 54.251.33.241
       jps3.wildfire.paloaltonetworks.com:443 or 54.238.53.161
       wildfire.paloaltonetworks.com.jp:443/80 or 180.37.183.53
       wf1.wildfire.paloaltonetowrks.jp:443 or 180.37.180.37
       wf2.wildfire.paloaltonetworks.jp:443 or 180.37.181.18
       portal3.wildfire.paloaltonetworks.jp:443/80 or 180.37.183.53


Threat Prevention Resources

For more information on Threat Prevention, refer to the following sources:
- Creating Custom Threat Signatures
- Threat Prevention Deployment
- Understanding DoS Protection
To view a list of threats and applications that Palo Alto Networks products can identify, use the following links:
- Applipedia: Provides details on the applications that Palo Alto Networks can identify.
- Threat Vault: Lists threats that Palo Alto Networks products can identify. You can search by Vulnerability, Spyware, or Virus. Click the Details icon next to the ID number for more information about a threat.



Decryption

Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Decryption on a Palo Alto Networks firewall includes the capability to enforce security policies on encrypted traffic, where otherwise the encrypted traffic might not be blocked and shaped according to your configured security settings. Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted traffic.
Enabling decryption on a Palo Alto Networks firewall can include preparing the keys and certificates required for decryption, creating a decryption policy, and configuring decryption port mirroring. See the following topics to learn about and configure decryption:
- Decryption Overview
- Decryption Concepts
- Define Traffic to Decrypt
- Configure SSL Forward Proxy
- Configure SSL Inbound Inspection
- Configure SSH Proxy
- Decryption Exclusions
- Enable Users to Opt Out of SSL Decryption
- Configure Decryption Port Mirroring
- Temporarily Disable SSL Decryption


Decryption Overview

Secure Sockets Layer (SSL) and Secure Shell (SSH) are encryption protocols used to secure traffic between two entities, such as a web server and a client. SSL and SSH encapsulate traffic, encrypting data so that it is meaningless to entities other than the client and server with the keys to decode the data and the certificates to affirm trust between the devices. Traffic that has been encrypted using the protocols SSL and SSH can be decrypted to ensure that these protocols are being used for the intended purposes only, and not to conceal unwanted activity or malicious content.
Palo Alto Networks firewalls decrypt encrypted traffic by using keys to transform strings (passwords and shared secrets) from ciphertext to plaintext (decryption) and from plaintext back to ciphertext (re-encrypting traffic as it exits the firewall). Certificates are used to establish the firewall as a trusted third party and to create a secure connection. SSL decryption (both forward proxy and inbound inspection) requires certificates to establish trust between two entities in order to secure an SSL/TLS connection. Certificates can also be used when excluding servers from SSL decryption. You can integrate a hardware security module (HSM) with a firewall to enable enhanced security for the private keys used in SSL forward proxy and SSL inbound inspection decryption. To learn more about storing and generating keys using an HSM and integrating an HSM with your firewall, see Secure Keys with a Hardware Security Module. SSH decryption does not require certificates.
Palo Alto Networks firewall decryption is policy-based, and can be used to decrypt, inspect, and control both inbound and outbound SSL and SSH connections. Decryption policies allow you to specify traffic for decryption according to destination, source, or URL category, and to block or restrict the specified traffic according to your security settings. The firewall uses certificates and keys to decrypt the traffic specified by the policy to plaintext, and then enforces App-ID and security settings on the plaintext traffic, including Decryption, Antivirus, Vulnerability, Anti-Spyware, URL Filtering, WildFire Submissions, and File-Blocking profiles. After traffic is decrypted and inspected on the firewall, the plaintext traffic is re-encrypted as it exits the firewall to ensure privacy and security. Use policy-based decryption on the firewall to:
- Prevent malware concealed as encrypted traffic from being introduced into a corporate network.
- Prevent sensitive corporate information from moving outside the corporate network.
- Ensure the appropriate applications are running on a secure network.
- Selectively decrypt traffic; for example, exclude traffic for financial or health-care sites from decryption by configuring a decryption exception.
The three decryption policies offered on the firewall, SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy, all provide methods to specifically target and inspect SSL outbound traffic, SSL inbound traffic, and SSH traffic, respectively. The decryption policies provide the settings for you to specify what traffic to decrypt, and you can attach a decryption profile to a policy rule to apply more granular security settings to decrypted traffic, such as checks for server certificates, unsupported modes, and failures. This policy-based decryption on the firewall gives you visibility into and control of SSL and SSH encrypted traffic according to configurable parameters.
You can also choose to extend a decryption configuration on the firewall to include Decryption Mirroring, which allows for decrypted traffic to be forwarded as plaintext to a third-party solution for additional analysis and archiving.


Decryption Concepts

To learn about keys and certificates for decryption, decryption policies, and decryption port mirroring, see the following topics:
- Keys and Certificates for Decryption Policies
- SSL Forward Proxy
- SSL Inbound Inspection
- SSH Proxy
- Decryption Mirroring
- SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates
- Perfect Forward Secrecy (PFS) Support for SSL Decryption

Keys and Certificates for Decryption Policies

Keys are strings of numbers that are typically generated using a mathematical operation involving random numbers and large primes. Keys are used to transform other strings such as passwords and shared secrets from plaintext to ciphertext (called encryption) and from ciphertext to plaintext (called decryption). Keys can be symmetric (the same key is used to encrypt and decrypt) or asymmetric (one key is used for encryption and a mathematically related key is used for decryption). Any system can generate a key.
X.509 certificates are used to establish trust between a client and a server in order to establish an SSL connection. A client attempting to authenticate a server (or a server authenticating a client) knows the structure of the X.509 certificate and therefore knows how to extract identifying information about the server from fields within the certificate, such as its FQDN or IP address (called a common name or CN within the certificate) or the name of the organization, department, or user to which the certificate was issued. All certificates must be issued by a certificate authority (CA). After the CA verifies a client or server, the CA issues the certificate and signs it with a private key.
With a decryption policy configured, a session between the client and the server is established only if the firewall trusts the CA that signed the server certificate. In order to establish trust, the firewall must have the server root CA certificate in its certificate trust list (CTL) and use the public key contained in that root CA certificate to verify the signature. The firewall then presents a copy of the server certificate signed by the Forward Trust certificate for the client to authenticate. You can also configure the firewall to use an enterprise CA as a forward trust certificate for SSL Forward Proxy. If the firewall does not have the server root CA certificate in its CTL, the firewall will present a copy of the server certificate signed by the Forward Untrust certificate to the client. The Forward Untrust certificate ensures that clients are prompted with a certificate warning when attempting to access sites hosted by a server with untrusted certificates.
For detailed information on certificates, see Certificate Management.

To control the CAs that your firewall trusts, use the Device > Certificate Management > Certificates > Default Trusted Certificate Authorities tab on the firewall web interface.

Table: Palo Alto Networks Firewall Keys and Certificates describes the different keys and certificates used by Palo Alto Networks firewalls for decryption. As a best practice, use different keys and certificates for each usage.


Table: Palo Alto Networks Firewall Keys and Certificates

Key/Certificate Usage and Description:

Forward Trust
  The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate that is signed by a CA that the firewall trusts. To configure a Forward Trust certificate on the firewall, see Step 2 in the Configure SSL Forward Proxy task. By default, the firewall determines the key size to use for the client certificate based on the key size of the destination server. However, you can also set a specific key size for the firewall to use. See Configure the Key Size for SSL Forward Proxy Server Certificates. For added security, store the private key associated with the forward trust certificate on a hardware security module (see Store Private Keys on an HSM).

Forward Untrust
  The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate that is signed by a CA that the firewall does not trust. To configure a Forward Untrust certificate on the firewall, see Step 4 in the Configure SSL Forward Proxy task.

SSL Exclude Certificate
  Certificates for servers that you want to exclude from SSL decryption. For example, if you have SSL decryption enabled, but have certain servers that you do not want included in SSL decryption, such as the web services for your HR systems, you would import the corresponding certificates onto the firewall and configure them as SSL Exclude Certificates. See Exclude a Server from Decryption.

SSL Inbound Inspection
  The certificate used to decrypt inbound SSL traffic for inspection and policy enforcement. For this application, you would import the server certificates and private keys for the servers for which you are performing SSL inbound inspection. For added security, store the private keys on an HSM (see Store Private Keys on an HSM).

SSL Forward Proxy

Use an SSL Forward Proxy decryption policy to decrypt and inspect SSL/TLS traffic from internal users to the web. SSL Forward Proxy decryption prevents malware concealed as SSL encrypted traffic from being introduced to your corporate network.
With SSL Forward Proxy decryption, the firewall resides between the internal client and outside server. The firewall uses certificates to establish itself as a trusted third party to the session between the client and the server (for details on certificates, see Keys and Certificates for Decryption Policies). When the client initiates an SSL session with the server, the firewall intercepts the client SSL request and forwards the SSL request to the server. The server returns a certificate intended for the client that is intercepted by the firewall. If the server certificate is signed by a CA that the firewall trusts, the firewall creates a copy of the server certificate, signs it with the firewall Forward Trust certificate, and sends the certificate to the client. If the server certificate is signed by a CA that the firewall does not trust, the firewall creates a copy of the server certificate, signs it with the Forward Untrust certificate, and sends it to the client. In this case, the client sees a block page warning that the site they are attempting to connect to is not trusted, and the client can choose to proceed or terminate the session. When the client authenticates the certificate, the SSL session is established with the firewall functioning as a trusted forward proxy to the site that the client is accessing. As the firewall continues to receive SSL traffic from the server that is destined for the client, it decrypts the SSL traffic into clear text traffic and applies decryption and security profiles to the traffic. The traffic is then re-encrypted on the firewall and the firewall forwards the encrypted traffic to the client.
Figure: SSL Forward Proxy shows this process in detail.


Figure: SSL Forward Proxy (diagram omitted)

See Configure SSL Forward Proxy for details on configuring SSL Forward Proxy.


SSL Inbound Inspection

Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic from a client to a targeted server (any server you have the certificate for and can import it onto the firewall). For example, if an employee is remotely connected to a web server hosted on the company network and is attempting to add restricted internal documents to his Dropbox folder (which uses SSL for data transmission), SSL Inbound Inspection can be used to ensure that the sensitive data does not move outside the secure company network by blocking or restricting the session.
Configuring SSL Inbound Inspection includes importing the targeted server certificate and private key onto the firewall. Because the targeted server certificate and key are imported on the firewall, in most cases the firewall is able to access the SSL session between the server and the client and decrypt and inspect traffic transparently, rather than functioning as a proxy (in the case where the negotiated cipher includes a Perfect Forward Secrecy (PFS) key exchange algorithm, the firewall will function as a transparent proxy). The firewall is able to apply security policies to the decrypted traffic, detecting malicious content and controlling applications running over this secure channel.

Figure: SSL Inbound Inspection (diagram omitted)

See Configure SSL Inbound Inspection for details on configuring SSL Inbound Inspection.


SSH Proxy

SSH Proxy provides the capability for the firewall to decrypt inbound and outbound SSH connections passing through the firewall, in order to ensure that SSH is not being used to tunnel unwanted applications and content. SSH decryption does not require any certificates, and the key used for SSH decryption is automatically generated when the firewall boots up. During the boot-up process, the firewall checks to see if there is an existing key. If not, a key is generated. This key is used for decrypting SSH sessions for all virtual systems configured on the firewall. The same key is also used for decrypting all SSHv2 sessions.
In an SSH Proxy configuration, the firewall resides between a client and a server. When the client sends an SSH request to the server, the firewall intercepts the request and forwards the SSH request to the server. The firewall then intercepts the server response and forwards the response to the client, establishing an SSH tunnel between the firewall and the client and an SSH tunnel between the firewall and the server, with the firewall functioning as a proxy. As traffic flows between the client and the server, the firewall is able to distinguish whether the SSH traffic is being routed normally or if it is using SSH tunneling (port forwarding). Content and threat inspections are not performed on SSH tunnels; however, if SSH tunnels are identified by the firewall, the SSH tunneled traffic is blocked and restricted according to configured security policies.
Figure: SSH Proxy Decryption shows this process in detail.

Figure: SSH Proxy Decryption (diagram omitted)

See Configure SSH Proxy for details on configuring an SSH Proxy policy.


Decryption Mirroring

The decryption mirroring feature provides the capability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures, such as NetWitness or Solera, for archiving and analysis. This feature is necessary for organizations that require comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality. Decryption mirroring is available on PA-7000 Series, PA-5200 Series, PA-5000 Series and PA-3000 Series platforms only and requires that a free license be installed to enable this feature.
Keep in mind that the decryption, storage, inspection, and/or use of SSL traffic is governed in certain countries and user consent might be required in order to use the decryption mirror feature. Additionally, use of this feature could enable malicious users with administrative access to the firewall to harvest usernames, passwords, social security numbers, credit card numbers, or other sensitive information submitted using an encrypted channel. Palo Alto Networks recommends that you consult with your corporate counsel before activating and using this feature in a production environment.
Figure: Decryption Port Mirroring shows the process for mirroring decrypted traffic, and the section Configure Decryption Port Mirroring describes how to license and enable this feature.

Figure: Decryption Port Mirroring (diagram omitted)

SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates

The firewall automatically decrypts SSL traffic from websites and applications using ECC certificates, including Elliptical Curve Digital Signature Algorithm (ECDSA) certificates. As organizations transition to using ECC certificates to benefit from the strong keys and small certificate size, you can continue to maintain visibility into and safely enable ECC-secured application and website traffic.

Decryption for websites and applications using ECC certificates is not supported for traffic that is mirrored to the firewall; encrypted traffic using ECC certificates must pass through the firewall directly for the firewall to decrypt it.
You cannot use a hardware security module (HSM) to store private ECDSA keys used for SSL Forward Proxy or Inbound Inspection decryption.


Perfect Forward Secrecy (PFS) Support for SSL Decryption

PFS is a secure communication protocol that prevents the compromise of one encrypted session from leading to the compromise of multiple encrypted sessions. With PFS, a server generates unique private keys for each secure session it establishes with a client. If a server private key is compromised, only the single session established with that key is vulnerable; an attacker cannot retrieve data from past and future sessions because the server establishes each connection with a uniquely generated key. The firewall decrypts SSL sessions established with PFS key exchange algorithms, and preserves PFS protection for past and future sessions.
Support for Diffie-Hellman (DHE) based PFS and elliptical curve Diffie-Hellman (ECDHE) based PFS is enabled by default (Objects > Decryption Profile > SSL Decryption > SSL Protocol Settings).

If you use the DHE or ECDHE key exchange algorithms to enable PFS, you cannot use a hardware security module (HSM) to store the private keys used for SSL Inbound Inspection.
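To show why PFS changes how SSL Inbound Inspection works (the transparent-proxy behaviour noted in the SSL Inbound Inspection concept and the key exchange note above), here is an added Go example that is not from the guide or from PAN-OS: with RSA key transport, the holder of the imported server key recovers the premaster secret from the captured bytes alone, whereas with ECDHE it cannot and must instead terminate two independent exchanges, using the imported key only to sign its own share. The server key and the party names are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// newServerKey generates the server's long-term RSA key: the key an administrator
// imports into the firewall for SSL Inbound Inspection (constructed for the demo).
func newServerKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// rsaKeyTransport models a non-PFS TLS_RSA_* suite: the client encrypts a random
// premaster secret to the server's long-term public key, so the holder of the private
// key recovers it from captured bytes alone, i.e. inspects without proxying.
func rsaKeyTransport(server *rsa.PrivateKey) (clientSecret, recovered []byte, err error) {
	clientSecret = make([]byte, 48)
	if _, err = rand.Read(clientSecret); err != nil {
		return nil, nil, err
	}
	wire, err := rsa.EncryptPKCS1v15(rand.Reader, &server.PublicKey, clientSecret)
	if err != nil {
		return nil, nil, err
	}
	recovered, err = rsa.DecryptPKCS1v15(nil, server, wire)
	return clientSecret, recovered, err
}

// party holds one side's ephemeral ECDH key for a single handshake leg.
type party struct{ eph *ecdh.PrivateKey }

func newParty() party {
	k, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return party{eph: k}
}

// share is the public value sent on the wire.
func (p party) share() []byte { return p.eph.PublicKey().Bytes() }

// secret derives the session secret from the peer's share. Neither the bytes on the
// wire nor the server's long-term key lets a third party compute it.
func (p party) secret(peerShare []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerShare)
	if err != nil {
		return nil, err
	}
	return p.eph.ECDH(pub)
}

// signShare authenticates a share with the long-term RSA key, as the TLS 1.2
// ServerKeyExchange signature does; the long-term key never protects the secret.
func signShare(longTerm *rsa.PrivateKey, share []byte) ([]byte, error) {
	h := sha256.Sum256(share)
	return rsa.SignPKCS1v15(rand.Reader, longTerm, crypto.SHA256, h[:])
}

func verifyShare(longTerm *rsa.PublicKey, share, sig []byte) bool {
	h := sha256.Sum256(share)
	return rsa.VerifyPKCS1v15(longTerm, crypto.SHA256, h[:], sig) == nil
}

// ecdheResult records the secrets each party ends up holding in the PFS case.
type ecdheResult struct {
	ClientSecret, FirewallClientLeg, FirewallServerLeg, ServerSecret []byte
	ClientAcceptedFirewall                                          bool
}

// ecdheProxy models the PFS case: the shares are ephemeral, so the imported key
// recovers nothing from the wire and the firewall must act as a transparent proxy,
// answering the client itself (signing its share with the imported key) and running
// a second, independent exchange with the real server.
func ecdheProxy(server *rsa.PrivateKey) (r ecdheResult, err error) {
	client, fwToClient, fwToServer, srv := newParty(), newParty(), newParty(), newParty()
	sig, err := signShare(server, fwToClient.share())
	if err != nil {
		return r, err
	}
	r.ClientAcceptedFirewall = verifyShare(&server.PublicKey, fwToClient.share(), sig)
	if r.ClientSecret, err = client.secret(fwToClient.share()); err != nil {
		return r, err
	}
	if r.FirewallClientLeg, err = fwToClient.secret(client.share()); err != nil {
		return r, err
	}
	if r.FirewallServerLeg, err = fwToServer.secret(srv.share()); err != nil {
		return r, err
	}
	r.ServerSecret, err = srv.secret(fwToServer.share())
	return r, err
}
```

The two legs end with different session secrets, which is why the firewall re-encrypts toward each side separately under PFS and why the imported private key must be usable for signing on the data plane (and so cannot sit on an HSM for this mode).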


Define Traffic to Decrypt

A decryption policy rule allows you to define traffic that you want the firewall to decrypt, or to define traffic that you want the firewall to exclude from decryption. You can attach a decryption profile rule to a decryption policy rule to more granularly control matching traffic.
- Create a Decryption Profile
- Create a Decryption Policy Rule

Create a Decryption Profile

A decryption profile allows you to perform checks on both decrypted traffic and traffic that you have excluded from decryption. Create a decryption profile to:
- Block sessions using unsupported protocols, cipher suites, or sessions that require client authentication.
- Block sessions based on certificate status, where the certificate is expired, is signed by an untrusted CA, has extensions restricting the certificate use, has an unknown certificate status, or the certificate status can't be retrieved during a configured timeout period.
- Block sessions if the resources to perform decryption are not available or if a hardware security module is not available to sign certificates.
After you create a decryption profile, you can attach it to a decryption policy rule; the firewall then enforces the decryption profile settings on traffic matched to the decryption policy rule.
Palo Alto Networks firewalls include a default decryption profile that you can use to enforce the basic recommended protocol versions and cipher suites for decrypted traffic.

Configure a Decryption Profile Rule

Step 1 Select Objects > Decryption Profile, Add or modify a decryption profile rule, and give the rule a descriptive Name.

Step 2 (Optional) Allow the profile rule to be Shared across every virtual system on a firewall or every Panorama device group.

Step 3 (Decryption Mirroring Only) To Configure Decryption Port Mirroring, enable an Ethernet Interface for the firewall to use to copy and forward decrypted traffic.
  Decryption mirroring requires a decryption port mirror license.


Step 4 (Optional) Block and control SSL tunneled and/or inbound traffic undergoing SSL Forward Proxy decryption or SSL Inbound Inspection.
  Select SSL Decryption:
  - Select SSL Forward Proxy to configure settings to verify certificates, enforce protocol versions and cipher suites, and perform failure checks on SSL decrypted traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Forward Proxy decryption.
  - Select SSL Inbound Inspection to configure settings to enforce protocol versions and cipher suites and to perform failure checks on inbound SSL traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Inbound Inspection.
  - Select SSL Protocol Settings to configure minimum and maximum protocol versions and key exchange, encryption, and authentication algorithms to enforce for SSL traffic. These settings are active when this profile is attached to decryption policy rules that are set to perform either SSL Forward Proxy decryption or SSL Inbound Inspection.
  If you use the DHE or ECDHE key exchange algorithms to enable Perfect Forward Secrecy (PFS) Support for SSL Decryption, you cannot use a hardware security module (HSM) to store the private keys for SSL Inbound Inspection.

Step 5 (Optional) Block and control traffic (for example, a URL category) for which you have disabled decryption.
  Select No Decryption and configure settings to validate certificates for traffic that is excluded from decryption.
  These settings are active only when the decryption profile is attached to a decryption policy rule that disables decryption for certain traffic.

Step 6 (Optional) Block and control SSH traffic undergoing SSH Proxy decryption.
  Select SSH Proxy and configure settings to enforce supported protocol versions and
  These settings are active only when the decryption profile is attached to a decryption policy rule that decrypts SSH traffic.

Step 7 Add the decryption profile rule to a decryption policy rule. Traffic that the policy rule matches is enforced based on the additional profile rule settings.
  1. Select Policies > Decryption and Create a Decryption Policy Rule or modify an existing rule.
  2. Select Options and select a Decryption Profile to block and control various aspects of the traffic matched to the rule. The profile rule settings that are applied to matching traffic depend on the policy rule Action (Decrypt or No Decrypt) and the policy rule Type (SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy). This allows you to use the default decryption profile, or a standard decryption profile customized for your organization, with different types of decryption policy rules.
  3. Click OK.

Step 8 Commit the configuration.


Create a Decryption Policy Rule

Create a decryption policy rule to define traffic for the firewall to decrypt and the type of decryption you want the firewall to perform: SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy decryption. You can also use a decryption policy rule to define Decryption Mirroring.

Configure a Decryption Policy Rule

Step 1 Select Policies > Decryption and Add a new decryption policy rule.

Step 2 Give the policy rule a descriptive Name.

Step 3 Configure the decryption rule to match traffic based on network and policy objects:
  - Firewall security zones: Select Source and/or Destination and match traffic based on the Source Zone and/or the Destination Zone.
  - IP addresses, address objects, and/or address groups: Select Source and/or Destination to match traffic based on Source Address and/or the Destination Address. Alternatively, select Negate to exclude the source address list from decryption.
  - Users: Select Source and set the Source User for whom to decrypt traffic. You can decrypt specific user or group traffic, or decrypt traffic for certain types of users, such as unknown users or pre-logon users (users that are connected to GlobalProtect but are not yet logged in).
  - Ports and protocols: Select Service/URL Category to set the rule to match traffic based on service. By default, the policy rule is set to decrypt Any traffic on TCP and UDP ports. You can Add a service or a service group, and optionally set the rule to application-default to match applications only on the application default ports.
    The application-default setting is useful for Decryption Exclusions. You can exclude applications running on their default ports from decryption, while continuing to decrypt the same applications when they are detected on non-standard ports.
  - URLs and URL categories: Select Service/URL Category and decrypt traffic based on:
    - An externally hosted list of URLs that the firewall retrieves for policy enforcement (see Objects > External Dynamic Lists).
    - Custom URL categories (see Objects > Custom Objects > URL Category).
    - Palo Alto Networks URL categories. This option is useful for Decryption Exclusions. For example, you could create a custom URL category to group sites that you do not want to decrypt, or you could exclude financial or health-care related sites from decryption based on the Palo Alto Networks URL categories.

Step 4 Set the action the policy rule enforces on matching traffic: the rule can either decrypt matching traffic or exclude matching traffic from decryption.
  Select Options and set the policy rule Action:
  - Decrypt matching traffic:
    1. Select Decrypt.
    2. Set the Type of decryption for the firewall to perform on matching traffic:
       - SSL Forward Proxy
       - SSH Proxy
       - SSL Inbound Inspection. If you want to enable SSL Inbound Inspection, also select the Certificate for the destination internal server for the inbound SSL traffic.
  - Exclude matching traffic from decryption: Select No Decrypt.

Step 5 (Optional) Select a Decryption Profile to apply the profile settings to decrypted traffic. (To Create a Decryption Profile, select Objects > Decryption Profile.)

Step 6 Click OK to save the policy.


Step 7 Choose your next step... Fully enable the firewall to decrypt traffic:
  - Configure SSL Forward Proxy
  - Configure SSL Inbound Inspection
  - Configure SSH Proxy
  - Decryption Exclusions


ConfigureSSLForwardProxy

To enable the firewall to perform SSL Forward Proxy decryption, you must set up the certificates required to establish the firewall as a trusted third party to the session between the client and the server. The firewall can use self-signed certificates or certificates signed by an enterprise certificate authority (CA) as forward trust certificates to authenticate the SSL session with the client.

(Recommended) Enterprise CA-signed Certificates: An enterprise CA can issue a signing certificate which the firewall can use to sign the certificates for sites requiring SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can then send a copy of the destination server certificate to the client signed by the enterprise CA.

Self-signed Certificates: When a client connects to a server with a certificate that is signed by a CA that the firewall trusts, the firewall can sign a copy of the server certificate to present to the client and establish the SSL session. You can use self-signed certificates for SSL Forward Proxy decryption if your organization does not have an enterprise CA or if you intend to only perform decryption for a limited number of clients.

Additionally, set up a forward untrust certificate for the firewall to present to clients when the server certificate is signed by a CA that the firewall does not trust. This ensures that clients are prompted with a certificate warning when attempting to access sites with untrusted certificates.

After setting up the forward trust and forward untrust certificates required for SSL Forward Proxy decryption, add a decryption policy rule to define the traffic you want the firewall to decrypt. SSL-tunneled traffic matched to the decryption policy rule is decrypted to clear text traffic. The clear text traffic is blocked and restricted based on the decryption profile attached to the policy and the firewall security policy. Traffic is re-encrypted as it exits the firewall.


Step 1: Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column displays if an interface is configured to be a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.

Step 2: Configure the forward trust certificate for the firewall to present to clients when the server certificate is signed by a trusted CA:
- (Recommended) Use an enterprise CA-signed certificate as the forward trust certificate.
- Use a self-signed certificate as the forward trust certificate.


(Recommended) Use an enterprise CA-signed certificate as the forward trust certificate:
1. Generate a Certificate Signing Request (CSR) for the enterprise CA to sign and validate:
   a. Select Device > Certificate Management > Certificates and click Generate.
   b. Enter a Certificate Name, such as my-fwd-proxy.
   c. In the Signed By drop-down, select External Authority (CSR).
   d. (Optional) If your enterprise CA requires it, add Certificate Attributes to further identify the firewall details, such as Country or Department.
   e. Click OK to save the CSR. The pending certificate is now displayed on the Device Certificates tab.
2. Export the CSR:
   a. Select the pending certificate displayed on the Device Certificates tab.
   b. Click Export to download and save the certificate file.
      NOTE: Leave Export private key unselected in order to ensure that the private key remains securely on the firewall.
   c. Click OK.
3. Provide the certificate file to your enterprise CA. When you receive the enterprise CA-signed certificate from your enterprise CA, save the enterprise CA-signed certificate for import onto the firewall.
4. Import the enterprise CA-signed certificate onto the firewall:
   a. Select Device > Certificate Management > Certificates and click Import.
   b. Enter the pending Certificate Name exactly (in this case, my-fwd-proxy). The Certificate Name that you enter must exactly match the pending certificate name in order for the pending certificate to be validated.
   c. Select the signed Certificate File that you received from your enterprise CA.
   d. Click OK. The certificate is displayed as valid with the Key and CA check boxes selected.
5. Select the validated certificate, in this case my-fwd-proxy, to enable it as a Forward Trust Certificate to be used for SSL Forward Proxy decryption.
6. Click OK to save the enterprise CA-signed forward trust certificate.


Use a self-signed certificate as the forward trust certificate:
1. Generate a new certificate:
   a. Select Device > Certificate Management > Certificates.
   b. Click Generate at the bottom of the window.
   c. Enter a Certificate Name, such as my-fwd-trust.
   d. Enter a Common Name, such as 192.168.2.1. This should be the IP or FQDN that will appear in the certificate. In this case, we are using the IP of the trust interface. Avoid using spaces in this field.
   e. Leave the Signed By field blank.
   f. Click the Certificate Authority check box to enable the firewall to issue the certificate. Selecting this check box creates a certificate authority (CA) on the firewall that is imported to the client browsers, so clients trust the firewall as a CA.
   g. Generate the certificate.
2. Click the new certificate my-fwd-trust to modify it and enable the certificate to be a Forward Trust Certificate.
3. Click OK to save the self-signed forward trust certificate.

Step 3: Distribute the forward trust certificate to client system certificate stores.
NOTE: If you do not install the forward trust certificate on client systems, users will see certificate warnings for each SSL site they visit. If you are using an enterprise CA-signed certificate as the forward trust certificate for SSL Forward Proxy decryption, and the client systems already have the enterprise CA added to the local trusted root CA list, you can skip this step.
On a firewall configured as a GlobalProtect portal:
NOTE: This option is supported with Windows and Mac client OS versions, and requires GlobalProtect agent 3.0.0 or later to be installed on the client systems.
1. Select Network > GlobalProtect > Portals and then select an existing portal configuration or Add a new one.
2. Select Agent and then select an existing agent configuration or Add a new one.
3. Add the SSL Forward Proxy forward trust certificate to the Trusted Root CA section.
4. Select Install in Local Root Certificate Store so that the GlobalProtect portal automatically distributes the certificate and installs it in the certificate store on GlobalProtect client systems.
5. Click OK twice.
Without GlobalProtect:
Export the forward trust certificate for import into client systems by highlighting the certificate and clicking Export at the bottom of the window. Choose PEM format, and do not select the Export private key option. Import it into the browser trusted root CA list on the client systems in order for the clients to trust it. When importing to the client browser, ensure the certificate is added to the Trusted Root Certification Authorities certificate store. On Windows systems, the default import location is the Personal certificate store. You can also simplify this process by using a centralized deployment, such as an Active Directory Group Policy Object (GPO).


Step 4: Configure the forward untrust certificate.
1. Click Generate at the bottom of the certificates page.
2. Enter a Certificate Name, such as my-fwd-untrust.
3. Set the Common Name, for example 192.168.2.1. Leave Signed By blank.
4. Click the Certificate Authority check box to enable the firewall to issue the certificate.
5. Click Generate to generate the certificate.
6. Click OK to save.
7. Click the new my-fwd-untrust certificate to modify it and enable the Forward Untrust Certificate option.
   NOTE: Do not export the forward untrust certificate for import into client systems. If the forward untrust certificate is imported on client systems, the users will not see certificate warnings for SSL sites with untrusted certificates.
8. Click OK to save.

Step 5: (Optional) Set the key size of the SSL Forward Proxy certificates that the firewall presents to clients. By default, the firewall determines the key size to use based on the key size of the destination server certificate.
Configure the Key Size for SSL Forward Proxy Server Certificates.

Step 6: Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
1. Select Policies > Decryption, Add or modify an existing rule, and define traffic to be decrypted.
2. Select Options and:
   - Set the rule Action to Decrypt matching traffic.
   - Set the rule Type to SSL Forward Proxy.
   - (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to perform certificate checks and enforce strong cipher suites and protocol versions).
3. Click OK to save.

Step 7: Enable the firewall to forward decrypted SSL traffic for WildFire analysis. This option requires an active WildFire license and is a WildFire best practice.

Step 8: Commit the configuration.

Step 9: Choose your next step...
- Enable Users to Opt Out of SSL Decryption.
- Decryption Exclusions to disable decryption for certain types of traffic.
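The certificate material behind Step 2 and Step 4, reproduced with the openssl command line as an added example. This is not PAN-OS code: the firewall generates its own keys and CSRs, and the "enterprise root CA", the names my-fwd-proxy and my-fwd-untrust and all subjects below are constructed. What the script shows is that both signing certificates must carry the CA flag (the Certificate Authority check box), that only the CSR leaves the box while the private key stays put (Export private key unselected), and which files belong in client trust stores and which never do. It needs the openssl binary on the path and returns None without it.

```python
"""Forward trust / forward untrust CA material built with the openssl CLI.

Added example, not PAN-OS code. Mirrors, outside the firewall, what Step 2
(enterprise CA-signed forward trust certificate) and Step 4 (self-signed
forward untrust certificate) do in the web interface. The enterprise root CA
created here is a constructed stand-in for the organisation's real CA.
"""
import os
import shutil
import subprocess
import tempfile

# Every forward proxy signing certificate must be a CA: the firewall uses it to
# issue a per-site certificate for each decrypted session.
CA_EXTENSIONS = (
    "basicConstraints=critical,CA:TRUE\n"
    "keyUsage=critical,keyCertSign,cRLSign\n"
)


def _run(args, cwd):
    """Run one openssl command in cwd and return its stdout (raises on failure)."""
    return subprocess.run(args, cwd=cwd, check=True,
                          capture_output=True, text=True).stdout


def build_forward_proxy_cas(workdir=None):
    """Create the forward trust and forward untrust CAs in a scratch directory.

    Returns a dict describing the result, or None when openssl is unavailable.
    """
    if shutil.which("openssl") is None:
        return None
    cwd = workdir or tempfile.mkdtemp(prefix="fwdproxy-")
    with open(os.path.join(cwd, "ca_ext.cnf"), "w") as fh:
        fh.write(CA_EXTENSIONS)

    # Constructed enterprise root CA (stands in for the real enterprise CA).
    _run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
          "-subj", "/CN=Example Enterprise Root CA",
          "-keyout", "enterprise-root.key", "-out", "enterprise-root.pem",
          "-addext", "basicConstraints=critical,CA:TRUE"], cwd)

    # Step 2: CSR for the forward trust CA. The key stays in my-fwd-proxy.key;
    # only my-fwd-proxy.csr is handed to the enterprise CA.
    _run(["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
          "-subj", "/CN=my-fwd-proxy/O=Example Corp",
          "-keyout", "my-fwd-proxy.key", "-out", "my-fwd-proxy.csr",
          "-addext", "basicConstraints=critical,CA:TRUE"], cwd)
    # The enterprise CA signs the CSR. The extfile makes the result a CA even on
    # OpenSSL versions that do not copy extensions out of the request.
    _run(["openssl", "x509", "-req", "-days", "365", "-in", "my-fwd-proxy.csr",
          "-CA", "enterprise-root.pem", "-CAkey", "enterprise-root.key",
          "-CAcreateserial", "-extfile", "ca_ext.cnf", "-out", "my-fwd-proxy.pem"], cwd)

    # Step 4: self-signed forward untrust CA. Clients must never trust it, so a
    # site whose certificate the firewall does not trust still raises a warning.
    _run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
          "-subj", "/CN=my-fwd-untrust",
          "-keyout", "my-fwd-untrust.key", "-out", "my-fwd-untrust.pem",
          "-addext", "basicConstraints=critical,CA:TRUE"], cwd)

    trust_text = _run(["openssl", "x509", "-in", "my-fwd-proxy.pem", "-noout", "-text"], cwd)
    untrust_text = _run(["openssl", "x509", "-in", "my-fwd-untrust.pem", "-noout", "-text"], cwd)
    # The chain a client will see: forward trust CA issued by the enterprise root.
    chain_ok = "OK" in _run(["openssl", "verify", "-CAfile", "enterprise-root.pem",
                             "my-fwd-proxy.pem"], cwd)
    return {
        "dir": cwd,
        "forward_trust_is_ca": "CA:TRUE" in trust_text,
        "forward_trust_chains_to_enterprise_root": chain_ok,
        "forward_untrust_is_ca": "CA:TRUE" in untrust_text,
        # Client trust stores get the enterprise root (or the forward trust CA
        # itself in the self-signed case); private keys and the untrust CA stay
        # on the firewall.
        "distribute_to_clients": ["enterprise-root.pem"],
        "never_distribute": ["my-fwd-untrust.pem", "my-fwd-proxy.key",
                             "my-fwd-untrust.key", "enterprise-root.key"],
    }


if __name__ == "__main__":
    print(build_forward_proxy_cas())
```

The self-signed forward trust variant from Step 2 is the same command as the forward untrust one with the Step 2 name; the only difference between the two self-signed CAs is which role you assign on the firewall and which one reaches the clients.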

Configure SSL Inbound Inspection

Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic destined for a network server (you can perform SSL Inbound Inspection for any server if you have the server certificate). With an SSL Inbound Inspection decryption policy enabled, all SSL traffic identified by the policy is decrypted to clear text traffic and inspected. The clear text traffic is blocked and restricted based on the decryption profile attached to the policy and any configured Antivirus, Vulnerability, Anti-Spyware, URL Filtering and File Blocking profiles. You can also enable the firewall to forward decrypted SSL traffic for WildFire analysis and signature generation.
Configuring SSL Inbound Inspection includes installing the targeted server certificate on the firewall and creating an SSL Inbound Inspection decryption policy.


Step 1: Ensure that the appropriate interfaces are configured as either Tap, Virtual Wire, Layer 2, or Layer 3 interfaces.
NOTE: You cannot use a Tap mode interface for SSL inbound inspection if the negotiated ciphers include PFS key exchange algorithms (DHE and ECDHE).
View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column displays if an interface is configured to be a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.

Step 2: Ensure that the targeted server certificate is installed on the firewall.
On the web interface, select Device > Certificate Management > Certificates > Device Certificates to view certificates installed on the firewall.
To import the targeted server certificate onto the firewall:
1. On the Device Certificates tab, select Import.
2. Enter a descriptive Certificate Name.
3. Browse for and select the targeted server Certificate File.
4. Click OK.

Step 3: Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
1. Select Policies > Decryption, Add or modify an existing rule, and define traffic to be decrypted.
2. Select Options and:
   - Set the rule Action to Decrypt matching traffic.
   - Set the rule Type to SSL Inbound Inspection.
   - Select the Certificate for the internal server that is the destination of the inbound SSL traffic.
   - (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to terminate sessions if system resources are not available to process decryption).
3. Click OK to save.

Step 4: Enable the firewall to forward decrypted SSL traffic for WildFire analysis. This option requires an active WildFire license and is a WildFire best practice.

Step 5: Commit the configuration.


Step 6: Choose your next step...
- Enable Users to Opt Out of SSL Decryption.
- Decryption Exclusions to disable decryption for certain types of traffic.

Configure SSH Proxy

Configuring SSH Proxy does not require certificates, and the key used to decrypt SSH sessions is generated automatically on the firewall during boot up.
With SSH decryption enabled, all SSH traffic identified by the policy is decrypted and identified as either regular SSH traffic or as SSH-tunneled traffic. SSH-tunneled traffic is blocked and restricted according to the profiles configured on the firewall. Traffic is re-encrypted as it exits the firewall.


Step 1: Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces. Decryption can only be performed on virtual wire, Layer 2, or Layer 3 interfaces.
View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column displays if an interface is configured to be a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.

Step 2: Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
1. Select Policies > Decryption, Add or modify an existing rule, and define traffic to be decrypted.
2. Select Options and:
   - Set the rule Action to Decrypt matching traffic.
   - Set the rule Type to SSH Proxy.
   - (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to terminate sessions if system resources are not available to process decryption).
3. Click OK to save.

Step 3: Commit the configuration.

Step 4: (Optional) Continue to Decryption Exclusions to disable decryption for certain types of traffic.

Decryption Exclusions

Palo Alto Networks excludes certain applications and services from SSL decryption by default, and you can also choose to exclude a targeted server from decryption or exclude certain traffic from decryption based on source, destination, URL category, and service. The predefined decryption exclusions automatically exclude applications and services from decryption that do not function correctly when the firewall decrypts them, and custom decryption exclusions allow you to exclude traffic from decryption for legal or privacy reasons.
- Palo Alto Networks Predefined Decryption Exclusions
- Exclude a Server from Decryption
- Create a Policy-Based Decryption Exclusion

Palo Alto Networks Predefined Decryption Exclusions

Palo Alto Networks defines decryption exclusions to identify applications and services that do not function correctly when the firewall decrypts them. Palo Alto Networks delivers new and updated predefined decryption exclusions to the firewall as part of the Applications and Threats content update (or the Applications content update, if you do not have a Threat Prevention license). Predefined decryption exclusions are enabled by default: the firewall does not decrypt traffic matching the predefined exclusion and allows the encrypted traffic based on your security policy. Because the traffic remains encrypted, the firewall does not inspect and further enforce the traffic. You can also choose to disable a predefined exclusion; in this case, encrypted applications or services that the firewall cannot decrypt are not supported (you might choose to disable predefined exclusions in order to enforce a strict security policy that allows only applications and services that the firewall can inspect and enforce).
You can view and manage all Palo Alto Networks predefined decryption exclusions directly on the firewall (Device > Certificate Management > Decryption Exclusions).

The firewall automatically removes enabled predefined decryption exclusions from the list when they become obsolete (when an application that decryption previously caused to break is now supported with decryption). Use Show Obsoletes to check if there are disabled, predefined exclusions remaining on the list that are no longer needed, as the firewall does not remove disabled predefined decryption exclusions automatically.


Beyond the predefined decryption exclusions, you can also create custom decryption exclusions: Exclude a Server from Decryption to exclude traffic from decryption based on server certificates, or Create a Policy-Based Decryption Exclusion to exclude traffic from decryption based on application, source, destination, URL category, and service.

Exclude a Server from Decryption

You can exclude targeted server traffic from SSL decryption. For example, if you have SSL decryption enabled, you could configure a decryption exception for the server on your corporate network that hosts the web services for your HR systems. This type of decryption exclusion is based on the hostname that identifies the server to other network devices. The server hostname that you use to define the decryption exclusion is compared against the common name (CN) in the certificate a server presents or, in the case where a single server is hosting multiple websites using different certificates, the hostname is compared against the server name indication (SNI) that the client presents to indicate the server to which it wants to connect.


Step 1: Select Device > Certificate Management > SSL Decryption Exclusions.

Step 2: Add a new decryption exclusion, or select an existing custom entry to modify it.

Step 3: Enter the hostname of the website or application you want to exclude from decryption.
To exclude all hostnames associated with a certain domain from decryption, you can use a wildcard asterisk (*). In this case, all sessions where the server presents a CN that contains the domain are excluded from decryption.
Make sure that the hostname field is unique for each custom entry. If a predefined exclusion matches a custom entry, the custom entry takes precedence.

Step 4: Optionally, select Shared to share the exclusion across all virtual systems in a multiple virtual system firewall.

Step 5: Exclude the application from decryption. Alternatively, if you are modifying an existing decryption exclusion, you can clear this check box to start decrypting an entry that was previously excluded from decryption.

Step 6: Click OK to save the new exclusion entry.

Create a Policy-Based Decryption Exclusion

Exclude certain traffic from decryption based on application, source, destination, URL category, and/or service. For example, leverage URL categories to exclude traffic that is financial- or health-related from decryption, as that traffic is likely to be personal to users.
Because policy rules are compared against incoming traffic in sequence, make sure that a decryption exclusion rule is listed first in your decryption policy.


Exclude Certain Traffic from Decryption

Step 1: Exclude traffic from decryption based on match criteria.
This example shows how to exclude traffic categorized as financial- or health-related from SSL Forward Proxy decryption.
1. Select Policies > Decryption and Add or modify a decryption policy rule.
2. Define the traffic that you want to exclude from decryption. In this example:
   a. Give the rule a descriptive Name, such as No-Decrypt-Finance-Health.
   b. Set the Source and Destination to Any to apply the No-Decrypt-Finance-Health rule to all SSL traffic destined for an external server.
   c. Select URL Category and Add the URL categories financial-services and health-and-medicine.
3. Select Options and set the rule to No Decrypt.
4. (Optional) You can use a decryption profile to validate certificates for sessions the firewall does not decrypt. Attach a decryption profile to the rule that is set to Block sessions with expired certificates and/or Block sessions with untrusted issuers.
5. Click OK to save the No-Decrypt-Finance-Health decryption rule.

Step 2: Place the decryption exclusion rule at the top of your decryption policy.
Decryption rules are enforced against incoming traffic in sequence and the first rule to match the traffic is enforced; moving the No Decrypt rule to the top of the rule list ensures that the traffic matched to the rule remains encrypted, even if the traffic is later matched to other decryption rules.
On the Policies > Decryption page, select the policy No-Decrypt-Finance-Health, and click Move Up until it appears at the top of the list (or you can drag and drop the rule).

Step 3: Commit the configuration.
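How the two exclusion mechanisms combine with rule ordering, as an added example (a Python model, not PAN-OS code). It covers the server exclusion match from Exclude a Server from Decryption, Step 3 (hostname compared against the client's SNI or the certificate CN, wildcard domains, custom entries overriding predefined ones) and the top-down, first-match evaluation that the No-Decrypt-Finance-Health procedure above depends on. Zones, hostnames, URL categories and the rule set are constructed sample data, and the real policy match has more criteria (application, service, user) than are modelled here.

```python
"""Model of how the firewall decides whether to decrypt a session.

Added example (not PAN-OS code) modelling the two exclusion mechanisms in this
section and the first-match rule ordering behind the No-Decrypt-Finance-Health
rule:
  * server exclusions: a hostname, optionally "*.domain", compared against the
    client's SNI or, failing that, the certificate CN; a custom entry takes
    precedence over a predefined one with the same hostname;
  * decryption policy rules evaluated top-down, first match wins.
All hostnames, categories, zones and rules below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerExclusion:
    hostname: str        # e.g. "hr.corp.test" or "*.example-bank.test"
    predefined: bool     # delivered by content update (True) or admin-created (False)
    enabled: bool = True


@dataclass
class DecryptionRule:
    name: str
    action: str                            # "decrypt" or "no-decrypt"
    source: str = "any"                    # zone, or "any"
    destination: str = "any"
    url_categories: List[str] = field(default_factory=lambda: ["any"])
    service: str = "any"


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    sni: Optional[str]   # server name the client sent in its ClientHello, if any
    cert_cn: str         # CN of the certificate the server presented
    url_category: str
    service: str = "service-https"


def hostname_matches(pattern: str, name: str) -> bool:
    """Case-insensitive match of an exclusion hostname against a CN or SNI.

    "*.domain" covers the domain itself and every name under it (Step 3 of
    Exclude a Server from Decryption); anything else must match exactly.
    """
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        domain = pattern[2:]
        return name == domain or name.endswith("." + domain)
    return pattern == name


def server_excluded(exclusions: List[ServerExclusion], session: Session) -> bool:
    """True if a server exclusion keeps this session encrypted.

    Custom entries are consulted before predefined ones, so an admin entry with
    the same hostname overrides the predefined one (a disabled custom entry
    therefore re-enables decryption for that host).
    """
    name = session.sni or session.cert_cn
    for entry in sorted(exclusions, key=lambda e: e.predefined):
        if hostname_matches(entry.hostname, name):
            return entry.enabled
    return False


def rule_matches(rule: DecryptionRule, s: Session) -> bool:
    return (rule.source in ("any", s.src_zone)
            and rule.destination in ("any", s.dst_zone)
            and ("any" in rule.url_categories or s.url_category in rule.url_categories)
            and rule.service in ("any", s.service))


def decide(exclusions, rules, session) -> str:
    """Return "no-decrypt", "decrypt", or "no-rule" when nothing matches.

    Rules are evaluated in order and the first match is enforced, which is why
    a No Decrypt rule must sit above the rules that would otherwise decrypt.
    """
    if server_excluded(exclusions, session):
        return "no-decrypt"
    for rule in rules:
        if rule_matches(rule, session):
            return rule.action
    return "no-rule"


# Constructed sample configuration.
EXCLUSIONS = [
    ServerExclusion("*.example-bank.test", predefined=False),
    ServerExclusion("update.vendor.test", predefined=True),
    ServerExclusion("update.vendor.test", predefined=False, enabled=False),
]
NO_DECRYPT_FIRST = [
    DecryptionRule("No-Decrypt-Finance-Health", "no-decrypt",
                   url_categories=["financial-services", "health-and-medicine"]),
    DecryptionRule("Decrypt-Outbound", "decrypt", source="trust", destination="untrust"),
]
NO_DECRYPT_LAST = list(reversed(NO_DECRYPT_FIRST))


def evaluate_samples() -> dict:
    """Decisions for a few constructed sessions under both rule orderings."""
    health = Session("trust", "untrust", "portal.health-plan.test",
                     "portal.health-plan.test", "health-and-medicine")
    bank = Session("trust", "untrust", "login.example-bank.test",
                   "*.example-bank.test", "financial-services")
    vendor = Session("trust", "untrust", "update.vendor.test",
                     "update.vendor.test", "computer-and-internet-info")
    return {
        "health_no_decrypt_first": decide(EXCLUSIONS, NO_DECRYPT_FIRST, health),
        "health_no_decrypt_last": decide(EXCLUSIONS, NO_DECRYPT_LAST, health),
        "bank_wildcard_server_exclusion": decide(EXCLUSIONS, NO_DECRYPT_LAST, bank),
        "vendor_custom_overrides_predefined": decide(EXCLUSIONS, NO_DECRYPT_FIRST, vendor),
    }
```

The health session is kept encrypted only when the No Decrypt rule is first; with the order reversed, Decrypt-Outbound matches it first and it is decrypted. The bank session is excluded by the wildcard server entry regardless of rule order, and the vendor host is decrypted because the disabled custom entry outranks the enabled predefined one.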

Enable Users to Opt Out of SSL Decryption

In some cases, you might need to alert your users to the fact that the firewall is decrypting certain web traffic and allow them to terminate sessions that they do not want inspected. With SSL Opt Out enabled, the first time a user attempts to browse to an HTTPS site or application that matches your decryption policy, the firewall displays a response page notifying the user that it will decrypt the session. Users can either click Yes to allow decryption and continue to the site or click No to opt out of decryption and terminate the session. The choice to allow decryption applies to all HTTPS sites that users try to access for the next 24 hours, after which the firewall redisplays the response page. Users who opt out of SSL decryption cannot access the requested web page, or any other HTTPS site, for the next minute. After the minute elapses, the firewall redisplays the response page the next time the users attempt to access an HTTPS site.
The firewall includes a predefined SSL Decryption Opt-out Page that you can enable. You can optionally customize the page with your own text and/or images.
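The timers described above, as an added Python model rather than PAN-OS code. It replays one user's requests against the 24-hour allow window and the one-minute block so the sequence of outcomes (prompt, blocked, prompt again, silent decryption, prompt after 24 hours) can be checked; the user name and the timestamps are constructed.

```python
"""Model of the SSL Decryption Opt-out timers described above.

Added example, not PAN-OS code: it replays the user experience the section
describes (response page, 24-hour allow window after Yes, one-minute block
after No) for one user so the sequence of outcomes is easy to check.
Timestamps are constructed and expressed in seconds.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ALLOW_WINDOW = 24 * 60 * 60   # Yes: decrypt without re-prompting for 24 hours
BLOCK_WINDOW = 60             # No: every HTTPS site blocked for the next minute


@dataclass
class OptOutState:
    """Per-user timers kept by the opt-out feature."""
    allow_until: Dict[str, float] = field(default_factory=dict)
    block_until: Dict[str, float] = field(default_factory=dict)

    def request(self, user: str, now: float) -> str:
        """Outcome of an HTTPS request that matches a decryption rule.

        "decrypt": inside the 24-hour window, the session is decrypted silently;
        "blocked": inside the one-minute penalty after opting out;
        "prompt":  the response page is shown and the user must choose.
        """
        if now < self.allow_until.get(user, float("-inf")):
            return "decrypt"
        if now < self.block_until.get(user, float("-inf")):
            return "blocked"
        return "prompt"

    def answer(self, user: str, now: float, accept: bool) -> None:
        """Record the click on the response page (Yes = accept, No = opt out)."""
        if accept:
            self.allow_until[user] = now + ALLOW_WINDOW
            self.block_until.pop(user, None)
        else:
            self.block_until[user] = now + BLOCK_WINDOW
            self.allow_until.pop(user, None)


def replay(events: List[Tuple]) -> List[str]:
    """Replay ("request", user, t) and ("answer", user, t, accept) events.

    Returns the outcome of every request in order. An answer is only valid
    when that user's preceding request produced the response page.
    """
    state = OptOutState()
    outcomes: List[str] = []
    last: Dict[str, str] = {}
    for ev in events:
        kind, user, t = ev[0], ev[1], ev[2]
        if kind == "request":
            last[user] = state.request(user, t)
            outcomes.append(last[user])
        elif kind == "answer":
            if last.get(user) != "prompt":
                raise ValueError(f"{user} answered a page that was not shown")
            state.answer(user, t, ev[3])
        else:
            raise ValueError(f"unknown event {kind}")
    return outcomes


def walkthrough() -> List[str]:
    """Constructed timeline for one user, 'alice'."""
    return replay([
        ("request", "alice", 0),                 # first HTTPS site: response page
        ("answer", "alice", 0, False),           # clicks No: opts out
        ("request", "alice", 30),                # 30 s later, any HTTPS site: blocked
        ("request", "alice", 61),                # minute elapsed: prompted again
        ("answer", "alice", 61, True),           # clicks Yes
        ("request", "alice", 5000),              # decrypted silently
        ("request", "alice", 61 + ALLOW_WINDOW), # 24 h later: prompted again
    ])
```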


Step 1: (Optional) Customize the SSL Decryption Opt-out Page.
1. Select Device > Response Pages.
2. Select the SSL Decryption Opt-out Page link.
3. Select the Predefined page and click Export.
4. Using the HTML text editor of your choice, edit the page.
5. If you want to add an image, host the image on a web server that is accessible from your end user systems.
6. Add a line to the HTML to point to the image. For example:
   <img src="http://cdn.slidesharecdn.com/Acme-logo-96x96.jpg?1382722588"/>
7. Save the edited page with a new filename. Make sure that the page retains its UTF-8 encoding.
8. Back on the firewall, select Device > Response Pages.
9. Select the SSL Decryption Opt-out Page link.
10. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
11. (Optional) Select the virtual system on which this login page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
12. Click OK to import the file.
13. Select the response page you just imported and click Close.

Step 2: Enable SSL Decryption Opt Out.
1. On the Device > Response Pages page, click the Disabled link.
2. Select the Enable SSL Opt-out Page and click OK.
3. Commit the changes.


Step 3: Verify that the Opt Out page displays when you attempt to browse to a site.
From a browser, go to an encrypted site that matches your decryption policy. Verify that the SSL Decryption Opt-out response page displays.

Configure Decryption Port Mirroring

Before you can enable Decryption Mirroring, you must obtain and install a Decryption Port Mirror license. The license is free of charge and can be activated through the support portal as described in the following procedure. After you install the Decryption Port Mirror license and reboot the firewall, you can enable decryption port mirroring.


Step 1: Request a license for each firewall on which you want to enable decryption port mirroring.
1. Log in to the Palo Alto Networks Customer Support website and navigate to the Assets tab.
2. Select the entry for the firewall you want to license and select Actions.
3. Select Decryption Port Mirror. A legal notice displays.
4. If you are clear about the potential legal implications and requirements, click I understand and wish to proceed.
5. Click Activate.

Step 2: Install the Decryption Port Mirror license on the firewall.
1. From the firewall web interface, select Device > Licenses.
2. Click Retrieve license keys from license server.
3. Verify that the license has been activated on the firewall.
4. Reboot the firewall (Device > Setup > Operations). This feature is not available for configuration until PAN-OS reloads.


Step 3: Enable the firewall to forward decrypted traffic. Superuser permission is required to perform this step.
On a firewall with a single virtual system:
1. Select Device > Setup > Content-ID.
2. Select the Allow forwarding of decrypted content check box.
3. Click OK to save.
On a firewall with multiple virtual systems:
1. Select Device > Virtual System.
2. Select a Virtual System to edit or create a new Virtual System by selecting Add.
3. Select the Allow forwarding of decrypted content check box.
4. Click OK to save.

Step 4: Enable an Ethernet interface to be used for decryption mirroring.
1. Select Network > Interfaces > Ethernet.
2. Select the Ethernet interface that you want to configure for decryption port mirroring.
3. Select Decrypt Mirror as the Interface Type. This interface type will appear only if the Decryption Port Mirror license is installed.
4. Click OK to save.

Step 5: Enable mirroring of decrypted traffic.
1. Select Objects > Decryption Profile.
2. Select an Interface to be used for Decryption Mirroring. The Interface drop-down contains all Ethernet interfaces that have been defined as the type Decrypt Mirror.
3. Specify whether to mirror decrypted traffic before or after policy enforcement.
   By default, the firewall will mirror all decrypted traffic to the interface before security policy lookup, which allows you to replay events and analyze traffic that generates a threat or triggers a drop action. If you want to only mirror decrypted traffic after security policy enforcement, select the Forwarded Only check box. With this option, only traffic that is forwarded through the firewall is mirrored. This option is useful if you are forwarding the decrypted traffic to other threat detection devices, such as a DLP device or another intrusion prevention system (IPS).
4. Click OK to save the decryption profile.

Step 6: Attach the decryption profile (with decryption port mirroring enabled) to a decryption policy rule. All traffic decrypted based on the policy rule is mirrored.
1. Select Policies > Decryption.
2. Click Add to configure a decryption policy or select an existing decryption policy to edit.
3. In the Options tab, select Decrypt and the Decryption Profile created in Step 5.
4. Click OK to save the policy.

Step 7: Save the configuration. Click Commit.

Temporarily Disable SSL Decryption

In some cases you may want to temporarily disable SSL decryption. For example, if your users are having problems accessing an encrypted site or application, you may want to disable SSL decryption in order to troubleshoot the issue. Although you could disable the associated decryption policies, modifying the policies is a configuration change that requires a Commit. Instead, use the following command to temporarily disable SSL decryption and then re-enable it after you finish troubleshooting. This command does not require a commit and it does not persist in your configuration after a reboot.


Disable SSL Decryption:
    set system setting ssl-decrypt skip-ssl-decrypt yes

Re-enable SSL Decryption:
    set system setting ssl-decrypt skip-ssl-decrypt no

URL Filtering

The Palo Alto Networks URL filtering solution allows you to monitor and control the sites users can access, to prevent phishing attacks by controlling the sites to which users can submit valid corporate credentials, and to enforce safe search for search engines like Google and Bing.
- URL Filtering Overview
- URL Filtering Concepts
- PAN-DB Categorization
- Enable a URL Filtering Vendor
- Determine URL Filtering Policy Requirements
- Configure URL Filtering
- Use an External Dynamic List in a URL Filtering Profile
- Customize the URL Filtering Response Pages
- Allow Password Access to Certain Sites
- Safe Search Enforcement
- Monitor Web Activity
- Set Up the PAN-DB Private Cloud
- URL Filtering Use Cases
- Troubleshoot URL Filtering

URL Filtering Overview

The Palo Alto Networks URL filtering solution complements App-ID by enabling you to configure the firewall to identify and control access to web (HTTP and HTTPS) traffic and to protect your network from attack. With URL Filtering enabled, all web traffic is compared against the URL filtering database, which contains a listing of millions of websites that have been sorted into categories. You can use these URL categories as a match criteria to enforce security policy and to safely enable web access and control the traffic that traverses your network. You can also use URL filtering to enforce safe search settings for your users, and to Prevent Credential Phishing based on URL category.
Although the Palo Alto Networks URL filtering solution supports both BrightCloud and PAN-DB, only the PAN-DB URL filtering solution allows you to choose between the PAN-DB Public Cloud and the PAN-DB Private Cloud. Use the public cloud solution if the Palo Alto Networks next-generation firewalls on your network can directly access the Internet. If the network security requirements in your enterprise prohibit the firewalls from directly accessing the Internet, you can deploy a PAN-DB private cloud on one or more M-500 appliances that function as PAN-DB servers within your network.
- URL Filtering Vendors
- Interaction Between App-ID and URL Categories
- PAN-DB Private Cloud

URL Filtering Vendors

Palo Alto Networks firewalls support two URL filtering vendors:
- PAN-DB: A Palo Alto Networks developed URL filtering database that is tightly integrated into PAN-OS and the Palo Alto Networks threat intelligence cloud. PAN-DB provides high-performance local caching for maximum inline performance on URL lookups, and offers coverage against malicious URLs and IP addresses. As WildFire, which is a part of the Palo Alto Networks threat intelligence cloud, identifies unknown malware, zero-day exploits, and advanced persistent threats (APTs), the PAN-DB database is updated with information on malicious URLs so that you can block malware downloads, and disable Command and Control (C2) communications to protect your network from cyber threats. The URL categories malware and phishing are updated every five minutes, to ensure that you can manage access to these sites within minutes of categorization.
  To view a list of PAN-DB URL filtering categories, refer to https://urlfiltering.paloaltonetworks.com/CategoryList.aspx.
- BrightCloud: A third-party URL database that is owned by Webroot, Inc. and is integrated into PAN-OS firewalls. For information on the BrightCloud URL database, visit http://brightcloud.com.
For instructions on configuring the firewall to use one of the supported URL Filtering vendors, see Enable a URL Filtering Vendor.

Interaction Between App-ID and URL Categories

The Palo Alto Networks URL filtering solution in combination with App-ID provides unprecedented protection against a full spectrum of cyber attacks, legal, regulatory, productivity, and resource utilization risks. While App-ID gives you control over what applications users can access, URL filtering provides control over related web activity. When combined with User-ID, you can enforce controls based on users and groups.
With today's application landscape and the way many applications use HTTP and HTTPS, you will need to use App-ID, URL filtering, or both in order to define comprehensive web access policies. App-ID signatures are granular and they allow you to identify shifts from one web-based application to another; URL filtering allows you to enforce actions based on a specific website or URL category. For example, while you can use URL filtering to control access to Facebook and/or LinkedIn, URL filtering cannot block the use of related applications such as email, chat, or any other new applications that are introduced after you implement policy. When combined with App-ID, you can control the use of related applications because of the granular application signatures that can identify each application and regulate access to Facebook while blocking access to Facebook chat, when defined in policy.
You can also use URL categories as a match criteria in policies. Instead of creating policies limited to either allow all or block all behavior, URL as a match criteria permits exception-based behavior and gives you more granular policy enforcement capabilities. For example, deny access to malware and hacking sites for all users, but allow access to users that belong to the IT security group.
For some examples, see URL Filtering Use Cases.

PAN-DB Private Cloud

The PAN-DB private cloud is an on-premise solution that is suitable for organizations that prohibit or restrict the use of the PAN-DB public cloud service. With this on-premise solution, you can deploy one or more M-500 appliances as PAN-DB servers within your network or data center. The firewalls query the PAN-DB private cloud to perform URL lookups, instead of accessing the PAN-DB public cloud.
The process for performing URL lookups, in both the private and the public cloud, is the same for the firewalls on the network. By default, the firewall is configured to access the public PAN-DB cloud. If you deploy a PAN-DB private cloud, you must configure the firewalls with a list of IP addresses or FQDNs to access the server(s) in the private cloud.

Firewalls running PAN-OS 5.0 or later versions can communicate with the PAN-DB private cloud.

When you Set Up the PAN-DB Private Cloud, you can either configure the M-500 appliance(s) to have direct internet access or keep it completely offline. Because the M-500 appliance requires database and content updates to perform URL lookups, if the appliance does not have an active internet connection, you must manually download the updates to a server on your network and then import the updates using SCP into each M-500 appliance in the PAN-DB private cloud. In addition, the appliances must be able to obtain the seed database and any other regular or critical content updates for the firewalls that it services.
To authenticate the firewalls that connect to the PAN-DB private cloud, a set of default server certificates are packaged with the appliance; you cannot import or use another server certificate for authenticating the firewalls. If you change the hostname on the M-500 appliance, the appliance automatically generates a new set of certificates to authenticate the firewalls.

- M-500 Appliance for PAN-DB Private Cloud
- Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud

M-500 Appliance for PAN-DB Private Cloud

To deploy a PAN-DB private cloud, you need one or more M-500 appliances. The M-500 appliance ships in Panorama mode, and to be deployed as a PAN-DB private cloud you must set it up to operate in PAN-URL-DB mode. In the PAN-URL-DB mode, the appliance provides URL categorization services for enterprises that do not want to use the PAN-DB public cloud.
The M-500 appliance when deployed as a PAN-DB private cloud uses two ports, MGT (Eth0) and Eth1; Eth2 is not available for use. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud or from a server on your network. For communication between the PAN-DB private cloud and the firewalls on the network, you can use the MGT port or Eth1.

The M-100 appliance cannot be deployed as a PAN-DB private cloud.

The M-500 appliance in PAN-URL-DB mode:
- Does not have a web interface; it only supports a command line interface (CLI).
- Cannot be managed by Panorama.
- Cannot be deployed in a high availability pair.
- Does not require a URL Filtering license. The firewalls must have a valid PAN-DB URL Filtering license to connect with and query the PAN-DB private cloud.
- Ships with a set of default server certificates that are used to authenticate the firewalls that connect to the PAN-DB private cloud. You cannot import or use another server certificate for authenticating the firewalls. If you change the hostname on the M-500 appliance, the appliance automatically generates a new set of certificates to authenticate the firewalls that it services.
- Can be reset to Panorama mode only. If you want to deploy the appliance as a dedicated Log Collector, switch to Panorama mode and then set it in log collector mode.

Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud

Content and Database Updates
  PAN-DB Public Cloud: Content (regular and critical) updates and full database updates are published multiple times during the day. The PAN-DB public cloud updates the URL categories malware and phishing every five minutes. The firewall checks for critical updates whenever it queries the cloud servers for URL lookups.
  PAN-DB Private Cloud: Content updates and full URL database updates are available once a day during the work week.

URL Categorization Requests
  PAN-DB Public Cloud: Submit URL categorization change requests using the following options:
    - Palo Alto Networks Test A Site website.
    - URL filtering profile setup page on the firewall.
    - URL filtering log on the firewall.
  PAN-DB Private Cloud: Submit URL categorization change requests only using the Palo Alto Networks Test A Site website.

Unresolved URL Queries
  PAN-DB Public Cloud: If the firewall cannot resolve a URL query, the request is sent to the servers in the public cloud.
  PAN-DB Private Cloud: If the firewall cannot resolve a query, the request is sent to the M-500 appliance(s) in the PAN-DB private cloud. If there is no match for the URL, the PAN-DB private cloud sends a category unknown response to the firewall; the request is not sent to the public cloud unless you have configured the M-500 appliance to access the PAN-DB public cloud. If the M-500 appliance(s) that constitute your PAN-DB private cloud is configured to be completely offline, it does not send any data or analytics to the public cloud.


URL Filtering Concepts

- URL Categories
- URL Filtering Profile
- URL Filtering Profile Actions
- Block and Allow Lists
- External Dynamic List for URLs
- Container Pages
- HTTP Header Logging
- URL Filtering Response Pages
- URL Category as Policy Match Criteria

URL Categories

Each website defined in the URL filtering database is assigned a URL category. Here are a few ways to leverage URL categories:
- Block or allow traffic based on URL category: You can create a URL Filtering profile that specifies an action for each URL category and attach the profile to a policy. Traffic that matches the policy would then be subject to the URL filtering settings in the profile. For example, to block all gaming websites you would set the block action for the URL category games in the URL profile and attach it to the security policy rule(s) that allow web access. See Configure URL Filtering for more information.
- Enforce policy based on URL category: If you want a specific policy rule to apply only to web traffic to sites in a specific category, use the site URL category as match criteria when you create the policy rule. For example, you could use the URL category streaming-media in a QoS policy to apply bandwidth controls to all websites that are categorized as streaming media. See URL Category as Policy Match Criteria for more information.
- Block or allow corporate credential submissions based on URL category: Prevent Credential Phishing by enabling the firewall to detect corporate credential submissions to sites, and then block or allow those submissions based on URL category. Block users from submitting credentials to malicious and untrusted sites, warn users against entering corporate credentials on unknown sites or warn them against reusing corporate credentials on non-corporate sites, and explicitly allow users to submit credentials to corporate and sanctioned sites.
By grouping websites into categories, it is easy to define actions based on certain types of websites. In addition to the standard URL categories, there are three additional categories:


Category: Description

not-resolved: Indicates that the website was not found in the local URL filtering database and the firewall was unable to connect to the cloud database to check the category. When a URL category lookup is performed, the firewall first checks the dataplane cache for the URL; if no match is found, it checks the management plane cache, and if no match is found there, it queries the URL database in the cloud. In the case of the PAN-DB private cloud, the URL database in the cloud is not used for queries.
Setting the action to block for traffic that is categorized as not-resolved may be very disruptive to users. You could set the action as continue, so that you can notify users that they are accessing a site that is blocked by company policy and provide the option to read the disclaimer and continue to the website.
For more information on troubleshooting lookup issues, see Troubleshoot URL Filtering.

private-ip-addresses: Indicates that the website is a single domain (no subdomains), the IP address is in the private IP range, or the URL root domain is unknown to the cloud.

unknown: The website has not yet been categorized, so it does not exist in the URL filtering database on the firewall or in the URL cloud database.
When deciding on what action to take for traffic categorized as unknown, be aware that setting the action to block may be very disruptive to users because there could be a lot of valid sites that are not in the URL database yet. If you do want a very strict policy, you could block this category, so websites that do not exist in the URL database cannot be accessed.
Palo Alto Networks collects the list of URLs from the unknown category and processes them to determine the URL category. These URLs are processed automatically, every day, provided the website has machine-readable content that is in a supported format and language. Upon categorization, the updated category information is made available to all PAN-DB customers.
See Configure URL Filtering.

You can submit URL categorization change requests using the Palo Alto Networks dedicated web portal (Test A Site), the URL filtering profile setup page on the firewall, or the URL filtering log on the firewall. Each change request is automatically processed every day, provided the website provides machine-readable content that is in a supported format and language. Sometimes, the categorization change requires a member of the Palo Alto Networks engineering staff to perform a manual review. In such cases, the process may take a little longer.


URL Filtering Profile

A URL filtering profile is a collection of URL filtering controls that you can apply to individual security policy rules to enforce your web access policy. The firewall comes with a default profile that is configured to block threat-prone categories, such as malware, phishing, and adult. You can use the default profile in a security policy, clone it to be used as a starting point for new URL filtering profiles, or add a new URL filtering profile. You can then customize the newly added URL profiles and add lists of specific websites that should always be blocked or allowed. For example, you may want to block social networking sites, but allow some websites that are part of the social networking category.

Configure a best practice URL Filtering profile to ensure protection against URLs that have been observed hosting malware or exploitive content.

URL Filtering Profile Actions

The URL Filtering profile specifies web access and credential submission permissions for each URL category. By default, site access for all URL categories is set to allow when you Create a new URL Filtering profile. This means that the users will be able to browse to all sites freely and the traffic will not be logged. You can customize the URL Filtering profile with custom Site Access settings for each category, or use the predefined default URL filtering profile on the firewall to allow access to all URL categories except the following threat-prone categories, which it blocks: abused-drugs, adult, gambling, hacking, malware, phishing, questionable, and weapons.
For each URL category, select the User Credential Submissions to allow or disallow users from submitting valid corporate credentials to a URL in that category in order to Prevent Credential Phishing. Managing the sites to which users can submit credentials requires User-ID and you must first Set Up Credential Phishing Prevention. URL categories with the Site Access set to block are automatically set to also block user credential submissions.

Learn more about configuring a best practice URL Filtering profile to ensure protection against URLs that have been observed hosting malware or exploitive content.

Action: Description

Site Access

alert: The website is allowed and a log entry is generated in the URL filtering log.

allow: The website is allowed and no log entry is generated.

block: The website is blocked and the user will see a response page and will not be able to continue to the website. A log entry is generated in the URL filtering log.
Blocking site access for a URL category also sets User Credential Submissions for that URL category to block.

continue: The user will be prompted with a response page indicating that the site has been blocked due to company policy, but the user is prompted with the option to continue to the website. The continue action is typically used for categories that are considered benign and is used to improve the user experience by giving them the option to continue if they feel the site is incorrectly categorized. The response page message can be customized to contain details specific to your company. A log entry is generated in the URL filtering log.
NOTE: The Continue page doesn't display properly on client systems configured to use a proxy server.

override: The user will see a response page indicating that a password is required to allow access to websites in the given category. With this option, the security admin or helpdesk person would provide a password granting temporary access to all websites in the given category. A log entry is generated in the URL filtering log. See Allow Password Access to Certain Sites.
NOTE: The Override page doesn't display properly on client systems configured to use a proxy server.

none: The none action only applies to custom URL categories. Select none to ensure that if multiple URL profiles exist, the custom category will not have any impact on other profiles. For example, if you have two URL profiles and the custom URL category is set to block in one profile, if you do not want the block action to apply to the other profile, you must set the action to none.
Also, in order to delete a custom URL category, it must be set to none in any profile where it is used.

User Credential Permissions
NOTE: These settings require you to first Set Up Credential Phishing Prevention.

alert: Allow users to submit corporate credentials to sites in this URL category, but generate a URL Filtering alert log each time this occurs.

allow (default): Allow users to submit corporate credentials to websites in this URL category.

block: Block users from submitting corporate credentials to websites in this category. A default anti-phishing response page is displayed to users when they access sites to which corporate credential submissions are blocked. You can choose to create a custom block page to display.

continue: Display a response page to users that prompts them to select Continue to access the site. By default, the Anti Phishing Continue Page is shown to users when they access sites to which credential submissions are discouraged. You can also choose to create a custom response page to display, for example, if you want to warn users against phishing attempts or reusing their credentials on other websites.

Block and Allow Lists

In some cases you might want to block a category, but allow a few specific sites in that category. Alternatively, you might want to allow some categories, but block individual sites in the category. You do this by adding the IP addresses or URLs of these sites in the Block List and Allow List sections of the URL Filtering profile to Define Block and Allow Lists to specify websites that should always be blocked or allowed, regardless of URL category.


When entering URLs in the Block List or Allow List or External Dynamic List for URLs, enter each URL or IP address in a new row separated by a new line. When using wildcards in the URLs, follow these rules:
- Do not include HTTP and HTTPS when defining the allow or block list entries. For example, enter www.paloaltonetworks.com or paloaltonetworks.com instead of https://www.paloaltonetworks.com.
- Entries in the block list must be an exact match and are case-insensitive.
  For example, to prevent a user from accessing any website within the paloaltonetworks.com domain, add *.paloaltonetworks.com to the block list. This will block all paloaltonetworks.com URLs, even if the address includes a domain prefix (http://, www) or a subdomain prefix (mail.paloaltonetworks.com). The same applies to the subdomain suffix. For example, if you want to block paloaltonetworks.com/en/US, you would add paloaltonetworks.com/* to the block list as well.
  Further, to block access to a domain suffix such as paloaltonetworks.com.au, you must add an entry with a slash (/) at the end. In this example, you would add *.paloaltonetworks.com/ to the block list.
- The block and allow lists support wildcard patterns. The following characters are considered separators:
  .
  /
  ?
  &
  =
  ;
  +
  Every substring separated by a character listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or an asterisk (*). For example, the following patterns are valid:
  *.yahoo.com (tokens are: "*", "yahoo" and "com")
  www.*.com (tokens are: "www", "*" and "com")
  www.yahoo.com/search=* (tokens are: "www", "yahoo", "com", "search", "*")
  The following patterns are invalid because the asterisk (*) is not the only character in the token:
  ww*.yahoo.com
  www.y*.com
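The tokenization rules above, applied as a pre-commit check on a block or allow list. This is an added example, not Palo Alto Networks code: the function names are my own, and it checks only the syntax rules stated here (no scheme, separators, asterisk-only tokens, case-insensitivity), not how the firewall matches a pattern against traffic.

```python
"""Validate URL block/allow list entries against the wildcard token rules."""
import re

# Separator characters from the guide; every substring between them is a token.
SEPARATORS = (".", "/", "?", "&", "=", ";", "+")
_SPLIT_RE = re.compile("[" + re.escape("".join(SEPARATORS)) + "]")


def tokenize(entry: str) -> list:
    """Split an entry into its tokens. Empty pieces (for example from the
    trailing '/' that the guide uses to pin a domain suffix) carry no
    characters and are dropped; they do not affect token validity."""
    return [tok for tok in _SPLIT_RE.split(entry) if tok]


def validate_entry(entry: str):
    """Return (True, tokens) for a valid entry, or (False, reason) otherwise."""
    entry = entry.strip().lower()  # entries are case-insensitive: normalize
    if not entry:
        return False, "empty entry"
    if entry.startswith(("http://", "https://")):
        return False, "do not include the http:// or https:// scheme"
    if not all(32 < ord(ch) < 127 for ch in entry):
        return False, "tokens may only contain printable ASCII characters"
    tokens = tokenize(entry)
    for tok in tokens:
        # An asterisk must be the whole token: 'ww*' and 'y*' are rejected.
        if "*" in tok and tok != "*":
            return False, "asterisk must be the only character in token %r" % tok
    return True, tokens


def check_list(text: str) -> dict:
    """Validate a whole list, one entry per line; returns {entry: (ok, detail)}."""
    return {line.strip(): validate_entry(line)
            for line in text.splitlines() if line.strip()}


if __name__ == "__main__":
    # Constructed sample list mixing the guide's valid and invalid patterns.
    sample = "*.yahoo.com\nwww.*.com\nww*.yahoo.com\nhttps://www.paloaltonetworks.com\n"
    for entry, (ok, detail) in check_list(sample).items():
        print("OK  " if ok else "BAD ", entry, detail)
```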

External Dynamic List for URLs

To protect your network from new sources of threat or malware, you can use an External Dynamic List in URL Filtering profiles to block or allow, or to define granular actions such as continue, alert, or override for URLs, before you attach the profile to a Security policy rule. Unlike the allow list, block list, or a custom URL category on the firewall, an external dynamic list gives you the ability to update the list without a configuration change or commit on the firewall. The firewall dynamically imports the list at the configured interval and enforces policy for the URLs (IP addresses or domains will be ignored) in the list. For URL formatting guidelines, see Block and Allow Lists.


Container Pages

A container page is the main page that a user accesses when visiting a website, but additional websites may be loaded within the main page. If the Log Container page only option is enabled in the URL filtering profile, only the main container page will be logged, not subsequent pages that may be loaded within the container page. Because URL filtering can potentially generate a lot of log entries, you may want to turn on this option, so log entries will only contain those URIs where the requested page file name matches the specific mime-types. The default set includes the following mime-types:
- application/pdf
- application/soap+xml
- application/xhtml+xml
- text/html
- text/plain
- text/xml

If you have enabled the Log container page only option, there may not always be a correlated URL log entry for threats detected by antivirus or vulnerability protection.

HTTP Header Logging

URL filtering provides visibility and control over web traffic on your network. For improved visibility into web content, you can configure the URL Filtering profile to log HTTP header attributes included in a web request. When a client requests a web page, the HTTP header includes the user agent, referer, and x-forwarded-for fields as attribute-value pairs and forwards them to the web server. When enabled for logging HTTP headers, the firewall logs the following attribute-value pairs in the URL Filtering logs:

Attribute: Description

User-Agent: The web browser that the user used to access the URL, for example, Internet Explorer. This information is sent in the HTTP request to the server.

Referer: The URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested.

X-Forwarded-For (XFF): The option in the HTTP request header field that preserves the IP address of the user who requested the web page. If you have a proxy server on your network, the XFF allows you to identify the IP address of the user who requested the content, instead of only recording the proxy server's IP address as the source IP address that requested the web page.


URL Filtering Response Pages

The firewall provides three predefined response pages that display by default when a user attempts to browse to a site in a category that is configured with one of the block actions in the URL Filtering Profile (block, continue, or override) or when Container Pages is enabled:
- URL Filtering and Category Match Block Page
  Access blocked by a URL Filtering Profile or because the URL category is blocked by a Security policy rule.
- URL Filtering Continue and Override Page
  Page with initial block policy that allows users to bypass the block by clicking Continue. With URL Admin Override enabled (Allow Password Access to Certain Sites), after clicking Continue, the user must supply a password to override the policy that blocks the URL.
- URL Filtering Safe Search Block Page
  Access blocked by a Security policy rule with a URL Filtering profile that has the Safe Search Enforcement option enabled (see Safe Search Enforcement). The user will see this page if a search is performed using Google, Bing, Yahoo, or Yandex and their browser or search engine account setting for Safe Search is not set to strict.
- Anti Phishing Block Page
  This page displays to users when they attempt to enter corporate credentials (usernames or passwords) on a web page in a category for which credential submissions are blocked. The user can continue to access the site but remains unable to submit valid corporate credentials to any associated web forms. To control the sites to which users can submit corporate credentials, the firewall must be configured with User-ID and enabled to Prevent Credential Phishing based on URL category.
- Anti Phishing Continue Page
  This page warns users against submitting credentials (usernames and passwords) to a website. Warning users against submitting credentials can help to discourage them from reusing corporate credentials and to educate them about possible phishing attempts. They must select Continue to proceed to submit credentials on the site. To control the sites to which users can submit corporate credentials, the firewall must be configured with User-ID and enabled to Prevent Credential Phishing based on URL category.

You can either use the predefined pages, or you can Customize the URL Filtering Response Pages to communicate your specific acceptable use policies and/or corporate branding. In addition, you can use the Table: URL Filtering Response Page Variables for substitution at the time of the block event or add one of the supported Table: Response Page References to external images, sounds, or style sheets.

Table: URL Filtering Response Page Variables

Variable: Usage

<user/>: The firewall replaces the variable with the username (if available via User-ID) or IP address of the user when displaying the response page.

<url/>: The firewall replaces the variable with the requested URL when displaying the response page.

<category/>: The firewall replaces the variable with the URL filtering category of the blocked request.

<pan_form/>: HTML code for displaying the Continue button on the URL Filtering Continue and Override page.


You can also add code that triggers the firewall to display different messages depending on what URL category the user is attempting to access. For example, the following code snippet from a response page specifies to display Message 1 if the URL category is games, Message 2 if the category is travel, or Message 3 if the category is kids:

    var cat = "<category/>";
    switch(cat)
    {
      case 'games':
        document.getElementById("warningText").innerHTML = "Message 1";
        break;
      case 'travel':
        document.getElementById("warningText").innerHTML = "Message 2";
        break;
      case 'kids':
        document.getElementById("warningText").innerHTML = "Message 3";
        break;
    }

Only a single HTML page can be loaded into each virtual system for each type of block page. However, other resources such as images, sounds, and cascading style sheets (CSS files) can be loaded from other servers at the time the response page is displayed in the browser. All references must include a fully qualified URL.

Table: Response Page References

Reference Type: Example HTML Code

Image: <img src="http://virginiadot.org/images/Stop-Sign-gif.gif">

Sound: <embed src="http://simplythebest.net/sounds/WAV/WAV_files/movie_WAV_files/do_not_go.wav" volume="100" hidden="true" autostart="true">

Style Sheet: <link href="http://example.com/style.css" rel="stylesheet" type="text/css" />

Hyperlink: <a href="http://en.wikipedia.org/wiki/Acceptable_use_policy">View Corporate Policy</a>

URL Category as Policy Match Criteria

Use URL Categories as a match criteria in a policy rule for more granular enforcement. For example, suppose you have configured Decryption, but you want to exclude traffic to certain types of websites (for example, healthcare or financial services) from being decrypted. In this case you could create a decryption policy rule that matches those categories and set the action to no-decrypt. By placing this rule above the rule to decrypt all traffic, you can ensure that web traffic with URL categories that match the no-decrypt rule is not decrypted, and all other traffic would match the subsequent rule.
The following table describes the policy types that accept URL category as match criteria:

Policy Type: Description

Authentication: To ensure that users authenticate before being allowed access to a specific category, you can attach a URL category as a match criterion for Authentication policy rules.


Decryption: Decryption policies can use URL categories as match criteria to determine if specified websites should be decrypted or not. For example, if you have a decryption policy with the action decrypt for all traffic between two zones, there may be specific website categories, such as financial-services and/or health-and-medicine, that should not be decrypted. In this case, you would create a new decryption policy with the action of no-decrypt that precedes the decrypt policy and then define a list of URL categories as match criteria for the policy. By doing this, each URL category that is part of the no-decrypt policy will not be decrypted. You could also configure a custom URL category to define your own list of URLs that can then be used in the no-decrypt policy.

QoS: QoS policies can use URL categories to allocate throughput levels for specific website categories. For example, you may want to allow the streaming-media category, but limit throughput by adding the URL category as match criteria to the QoS policy.

Security: In security policies you can use URL categories both as a match criteria in the Service/URL Category tab, and in URL filtering profiles that are attached in the Actions tab.
If, for example, the IT security group in your company needs access to the hacking category, while all other users are denied access to the category, you must create the following rules:
- A Security policy rule that allows the IT Security group to access content categorized as hacking. The Security policy rule references the hacking category in the Services/URL Category tab and the IT Security group in the Users tab.
- Another Security policy rule that allows general web access for all users. To this rule you attach a URL filtering profile that blocks the hacking category.
The policy that allows access to hacking must be listed before the policy that blocks hacking. This is because security policy rules are evaluated top-down, so when a user who is part of the security group attempts to access a hacking site, the policy rule that allows access is evaluated first and will allow the user access to the hacking sites. Users from all other groups are evaluated against the general web access rule which blocks access to the hacking sites.


PAN-DB Categorization

When a user requests a URL, the firewall determines the URL category by comparing the URL with the following components (in order) until it finds a match:

If a requested URL matches an expired entry in the dataplane (DP) URL cache, the cache responds with the expired category, but also sends a URL categorization query to the management plane (MP) cache. This prevents unnecessary delays in the DP, assuming that the frequency of category change is low. Similarly, in the MP URL cache, if a URL query from the DP cache matches an expired entry in the MP cache, the MP responds to the DP with the expired category and will also send a URL categorization request to the PAN-DB cloud database. Upon getting the response from the cloud, the firewall sends the updated category to the DP.
As new URLs and categories are defined or if critical updates are needed, the cloud database is updated. Each time the firewall queries the cloud for a URL lookup, or if no cloud lookups have occurred for 30 minutes, the database versions on the firewall are compared and, if they do not match, an incremental update will be performed.
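The lookup order and the expired-entry behaviour just described, as an added simulation. This is not PAN-OS code: the cache sizes, the TTLs, the dict that stands in for the PAN-DB cloud and every class and method name are constructed for the example.

```python
"""DP cache -> MP cache -> cloud lookup, serving expired entries while a refresh
of the next tier is queued, as the guide describes."""
from collections import OrderedDict


class LruCache:
    """Bounded least-recently-used cache; entries expire `ttl` seconds after insertion."""

    def __init__(self, capacity, ttl):
        self.capacity = capacity
        self.ttl = ttl
        self._data = OrderedDict()  # url -> (category, expires_at)

    def get(self, url, now):
        """Return (category, expired) on a hit, or None on a miss."""
        if url not in self._data:
            return None
        self._data.move_to_end(url)  # a hit makes the entry most recently used
        category, expires_at = self._data[url]
        return category, now >= expires_at

    def put(self, url, category, now):
        self._data[url] = (category, now + self.ttl)
        self._data.move_to_end(url)
        if len(self._data) > self.capacity:
            self._data.popitem(last=False)  # evict the least recently used entry


class UrlLookup:
    """Two cache tiers in front of a cloud lookup, mirroring the DP -> MP -> cloud order."""

    def __init__(self, cloud, dp_capacity=4, dp_ttl=60, mp_capacity=16, mp_ttl=120):
        self.cloud = cloud  # constructed dict url -> category standing in for the cloud
        self.dp = LruCache(dp_capacity, dp_ttl)
        self.mp = LruCache(mp_capacity, mp_ttl)
        self.pending = []  # deferred refreshes as (tier, url)
        self.cloud_queries = []  # every cloud lookup made, for inspection

    def lookup(self, url, now):
        """Category applied to a request at time `now`; an expired DP entry is served as-is."""
        hit = self.dp.get(url, now)
        if hit is not None:
            category, expired = hit
            if expired:
                self.pending.append(("mp", url))  # serve stale, query the MP later
            return category
        return self._from_mp(url, now)

    def _from_mp(self, url, now):
        hit = self.mp.get(url, now)
        if hit is None:
            return self._from_cloud(url, now)
        category, expired = hit
        if expired:
            self.pending.append(("cloud", url))  # serve stale, query the cloud later
        else:
            self.dp.put(url, category, now)  # a fresh MP answer repopulates the DP
        return category

    def _from_cloud(self, url, now):
        self.cloud_queries.append(url)
        category = self.cloud.get(url, "unknown")  # not in the database: unknown
        self.mp.put(url, category, now)
        self.dp.put(url, category, now)
        return category

    def run_refreshes(self, now):
        """Perform the queued refreshes, i.e. the work the lookup path deferred."""
        while self.pending:
            tier, url = self.pending.pop(0)
            if tier == "mp":
                self._from_mp(url, now)  # may itself queue a cloud refresh
            else:
                self._from_cloud(url, now)


def stale_category_demo():
    """A site goes from uncategorized to malware in the cloud; return the category
    the firewall applied at each step and the cloud queries it made."""
    cloud = {}  # constructed: the site is not yet categorized
    fw = UrlLookup(cloud)
    seen = [fw.lookup("newsite.test", now=0)]  # miss everywhere: cloud answers unknown
    cloud["newsite.test"] = "malware"  # the cloud later categorizes the site
    seen.append(fw.lookup("newsite.test", now=30))  # DP entry still fresh: stale answer
    seen.append(fw.lookup("newsite.test", now=70))  # DP expired: stale, MP refresh queued
    fw.run_refreshes(now=70)  # MP entry still fresh: DP repopulated with 'unknown'
    seen.append(fw.lookup("newsite.test", now=130))  # DP and MP expired: stale once more
    fw.run_refreshes(now=130)  # MP expired: cloud queried, both tiers updated
    seen.append(fw.lookup("newsite.test", now=131))  # the new category is now applied
    return seen, fw.cloud_queries


if __name__ == "__main__":
    print(stale_category_demo())
```

The point for a defender is visible in the demo's return value: a site the cloud has recategorized keeps its old category on the firewall until the DP and MP entries expire, so a block on the new category takes effect only after that delay.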
The following table describes the PAN-DB components in detail. The BrightCloud system works similarly, but does not use an initial seed database.

Component: Description

URL Filtering Seed Database: The initial seed database downloaded to the firewall is a small subset of the database that is maintained on the Palo Alto Networks URL cloud servers. The reason this is done is because the full database contains millions of URLs and many of these URLs may never be accessed by your users. When downloading the initial seed database, you select a region (North America, Europe, APAC, Japan). Each region contains a subset of URLs most accessed for the given region. This allows the firewall to store a much smaller URL database for better URL lookup performance. If a user accesses a website that is not in the local URL database, the firewall queries the full cloud database and then adds the new URL to the local database. This way the local database on the firewall is continually populated/customized based on actual user activity.
Note that re-downloading the PAN-DB seed database or switching the URL database vendor from PAN-DB to BrightCloud will clear the local database.

Cloud Service (see Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud for information on the private cloud): The PAN-DB cloud service is implemented using Amazon Web Services (AWS). AWS provides a distributed, high performance, and stable environment for seed database downloads and URL lookups for Palo Alto Networks firewalls and communication is performed over SSL. The AWS cloud systems hold the entire PAN-DB and it is updated as new URLs are identified. The PAN-DB cloud service supports an automated mechanism to update the local URL database on the firewall if the version does not match. Each time the firewall queries the cloud servers for URL lookups, it will also check for critical updates. If there have been no queries to the cloud servers for more than 30 minutes, the firewall will check for updates on the cloud systems.
The cloud system also provides a mechanism to submit URL category change requests. This is performed through the test-a-site service and is available directly from the firewall (URL filtering profile setup) and from the Palo Alto Networks Test A Site website. You can also submit a URL categorization change request directly from the URL filtering log on the firewall in the log details section.

Management Plane (MP) URL Cache: When you activate PAN-DB on the firewall, the firewall downloads a seed database from one of the PAN-DB cloud servers to initially populate the local cache for improved lookup performance. Each regional seed database contains the top URLs for the region and the size of the seed database (number of URL entries) also depends on the platform. The URL MP cache is automatically written to the local drive on the firewall every eight hours, before the firewall is rebooted, or when the cloud upgrades the URL database version on the firewall. After rebooting the firewall, the file that was saved to the local drive will be loaded to the MP cache. A least recently used (LRU) mechanism is also implemented in the URL MP cache in case the cache is full. If the cache becomes full, the URLs that have been accessed the least will be replaced by the newer URLs.

Dataplane (DP) URL Cache: This is a subset of the MP cache and is a customized, dynamic URL database that is stored in the dataplane (DP) and is used to improve URL lookup performance. The URL DP cache is cleared at each firewall reboot. The number of URLs that are stored in the URL DP cache varies by hardware platform and the current URLs stored in the TRIE (data structure). A least recently used (LRU) mechanism is implemented in the DP cache in case the cache is full. If the cache becomes full, the URLs that have been accessed the least will be replaced by the newer URLs. Entries in the URL DP cache expire after a specified period of time; this expiration period is not configurable.


Enable a URL Filtering Vendor

To enable URL filtering on a firewall, you must purchase and activate a URL Filtering license for one of the supported URL Filtering Vendors and then install the database for the vendor you selected.

Starting with PAN-OS 6.0, firewalls managed by Panorama do not need to be running the same URL filtering vendor that is configured on Panorama. For firewalls running PAN-OS 6.0 or later, when a mismatch is detected between the vendor enabled on the firewalls and what is enabled on Panorama, the firewalls can automatically migrate URL categories and/or URL profiles to (one or more) categories that align with that of the vendor enabled on it. For guidance on how to configure URL Filtering on Panorama if you are managing firewalls running different PAN-OS versions, refer to the Panorama Administrator's Guide.

If you have valid licenses for both PAN-DB and BrightCloud, activating the PAN-DB license automatically deactivates the BrightCloud license (and vice versa). At a time, only one URL filtering license can be active on a firewall.
- Enable PAN-DB URL Filtering
- Enable BrightCloud URL Filtering

Enable PAN-DB URL Filtering

Step 1  Obtain and install a PAN-DB URL filtering license and confirm that it is installed.
        NOTE: If the license expires, PAN-DB URL Filtering continues to work based on the URL category information that exists in the dataplane and management plane caches. However, URL cloud lookups and other cloud-based updates will not function until you install a valid license.
        1. Select Device > Licenses and, in the License Management section, select the license installation method:
           - Retrieve license keys from license server
           - Activate feature using authorization code
           - Manually upload license key
        2. After installing the license, confirm that the PAN-DB URL Filtering section, Date Expires field, displays a valid date.

Step 2  Download the initial seed database and activate PAN-DB URL Filtering.
        NOTE: The firewall must have Internet access; you cannot manually upload the PAN-DB seed database.
        1. In the PAN-DB URL Filtering section, Download Status field, click Download Now.
        2. Choose a region and then click OK to start the download.
        3. After the download completes, click Activate. The value in the Active field changes to Yes.
        NOTE: If PAN-DB is already the active URL filtering vendor, clicking Re-Download clears the dataplane and management plane caches and replaces them with a new seed database. You should avoid doing this unless it is necessary, as you will lose your cache, which is customized based on your users' web traffic.

Step 3  Schedule the firewall to download dynamic updates for Applications and Threats.
        NOTE: A Threat Prevention license is required to receive content updates, which covers Antivirus and Applications and Threats.
        1. Select Device > Dynamic Updates.
        2. In the Schedule field in the Applications and Threats section, click the None link to schedule periodic updates.
        NOTE: You can only schedule dynamic updates if the firewall has direct internet access. If updates are already scheduled in a section, the link text displays the schedule settings.
        The Applications and Threats updates sometimes contain updates for URL filtering related to Safe Search Enforcement.

EnableBrightCloudURLFiltering

EnableBrightCloudURLFiltering

Step1 ObtainandinstallaBrightCloudURL 1. SelectDevice > Licensesand,intheLicense Management


filteringlicenseandconfirmthatitis section,selectthelicenseinstallationmethod:
installed. Activate feature using authorization code
BrightCloudhasanoptionintheURL Retrieve license keys from license server
filteringprofile(Objects > Security Manually upload license key
Profiles > URL Filtering)toeitherallow
allcategoriesorblockallcategoriesifthe 2. Afterinstallingthelicense,confirmthattheBrightCloudURL
licenseexpires. Filteringsection,Date Expiresfield,displaysavaliddate.

PaloAltoNetworks,Inc. PANOS8.0AdministratorsGuide 601


EnableaURLFilteringVendor URLFiltering

EnableBrightCloudURLFiltering(Continued)

Step 2  Install the BrightCloud database.
        The way you do this depends on whether or not the firewall has direct Internet access.
        Firewall with Direct Internet Access
        Select Device > Licenses and, in the BrightCloud URL Filtering section, Active field, click the Activate link to install the BrightCloud database. This operation automatically initiates a system reset.
        Firewall without Direct Internet Access
        1. Download the BrightCloud database to a host that has Internet access. The firewall must have access to the host:
           a. On a host with Internet access, go to the Palo Alto Networks Customer Support website, www.paloaltonetworks.com/support/tabs/overview.html, and log in.
           b. In the Resources section, click Dynamic Updates.
           c. In the BrightCloud Database section, click Download and save the file to the host.
        2. Upload the database to the firewall:
           a. Log in to the firewall, select Device > Dynamic Updates and click Upload.
           b. For the Type, select URL Filtering.
           c. Enter the path to the File on the host or click Browse to find it, then click OK. When the Status is Completed, click Close.
        3. Install the database:
           a. Select Device > Dynamic Updates and click Install From File.
           b. For the Type, select URL Filtering. The firewall automatically selects the file you just uploaded.
           c. Click OK and, when the Result is Succeeded, click Close.

Step 3  Enable cloud lookups for dynamically categorizing a URL if the category is not available in the local BrightCloud database.
        1. Access the PAN-OS CLI.
        2. Enter the following commands to enable dynamic URL filtering:
           > configure
           # set deviceconfig setting url dynamic-url yes
           # commit


Step 4  Schedule the firewall to download dynamic updates for Applications and Threats signatures and URL filtering.
        You can only schedule dynamic updates if the firewall has direct Internet access.
        The Applications and Threats updates might contain updates for URL filtering related to the Safe Search Enforcement option in the URL filtering profile. For example, if Palo Alto Networks adds support for a new search provider vendor, or if the method used to detect the Safe Search setting for an existing vendor changes, the Applications and Threats updates will include that update.
        BrightCloud updates include a database of approximately 20 million websites that are stored locally on the firewall. You must schedule URL filtering updates to receive BrightCloud database updates.
        NOTE: A Threat Prevention license is required to receive Antivirus and Applications and Threats updates.
        1. Select Device > Dynamic Updates.
        2. In the Applications and Threats section, Schedule field, click the None link to schedule periodic updates.
        3. In the URL Filtering section, Schedule field, click the None link to schedule periodic updates.
           NOTE: If updates are already scheduled in a section, the link text displays the schedule settings.


Determine URL Filtering Policy Requirements

The recommended practice for deploying URL filtering in your organization is to start with a passive URL Filtering profile that alerts on most categories. After setting the alert action, monitor user web activity for a few days to determine patterns in web traffic, and then decide which websites and website categories should be controlled.
In the procedure that follows, threat-prone categories are set to block and all other categories are set to alert, so that all web traffic is logged. This can generate a large volume of logs, so it is best done only for initial monitoring, to determine the types of websites your users are accessing. After determining the categories that your company approves of, set those categories to allow, which does not generate logs. You can also reduce URL Filtering logs by enabling the Log container page only option in the URL Filtering profile, so that only the main page that matches the category is logged, not subsequent pages or categories that are loaded within the container page.
If you subscribe to third-party URL feeds and want to secure your users from emerging threats, see Use an External Dynamic List in a URL Filtering Profile.

Configure and Apply a Passive URL Filtering Profile

Step 1  Create a new URL Filtering profile.
        1. Select Objects > Security Profiles > URL Filtering.
        2. Select the default profile and then click Clone. The new profile is named default-1.
        3. Select the default-1 profile and rename it. For example, rename it to URL-Monitoring.

Step 2  Configure the action for all categories to alert, except for threat-prone categories, which should remain blocked.
        NOTE: To select all items in the category list from a Windows system, click the first category, then hold down the shift key and click the last category; this selects all categories. Hold the control key (ctrl) down and click items that should be deselected. On a Mac, do the same using the shift and command keys. You could also just set all categories to alert and manually change the recommended categories back to block.
        1. In the section that lists all URL categories, select all categories.
        2. To the right of the Action column heading, mouse over and select the down arrow, then select Set Selected Actions and choose alert.
        3. To ensure that you block access to threat-prone sites, select the following categories and then set the action to block: abused-drugs, adult, gambling, hacking, malware, phishing, questionable, weapons.
        4. Click OK to save the profile.

Step 3  Apply the URL Filtering profile to the security policy rule(s) that allow web traffic for users.
        1. Select Policies > Security and select the appropriate security policy rule to modify it.
        2. Select the Actions tab and, in the Profile Setting section, click the drop-down for URL Filtering and select the new profile.
        3. Click OK to save.


Step 4  Save the configuration.
        Click Commit.

Step 5  View the URL Filtering logs to determine all of the website categories that your users are accessing. In this example, some categories are set to block, so those categories will also appear in the logs.
        For information on viewing the logs and generating reports, see Monitor Web Activity.
        Select Monitor > Logs > URL Filtering. A log entry is created for any website that exists in the URL filtering database and is in a category that is set to any action other than allow.
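The monitoring phase above produces a large alert-only log that someone has to turn into allow/alert/block decisions. The script below is an added example (not part of the PAN-OS guide) that does that triage offline: it aggregates URL Filtering log rows by category, counts hits and distinct users, keeps the threat-prone categories from Step 2 at block, proposes allow for categories that show broad routine use (to stop logging them), and leaves the rest at alert for further review. The CSV layout, the thresholds in recommend(), and the log rows themselves are constructed for illustration; a real Monitor > Logs > URL Filtering export has many more columns, so map its headers onto these five before use.

```python
"""Triage URL Filtering logs collected under a passive (alert-mostly) profile.

Added example, not from the PAN-OS guide. The CSV columns below are a
constructed, simplified export; real exports carry many more columns.
"""
import csv
import io
from collections import Counter, defaultdict

# Categories the procedure keeps at block regardless of observed volume.
THREAT_PRONE = {"abused-drugs", "adult", "gambling", "hacking", "malware",
                "phishing", "questionable", "weapons"}

# Constructed sample log rows (not real firewall output).
SAMPLE_LOG = """\
receive_time,src_user,category,url,action
2017/03/30 09:01:12,acme\\alice,business-and-economy,www.example-bank.com/,alert
2017/03/30 09:02:40,acme\\alice,computer-and-internet-info,docs.example.org/api,alert
2017/03/30 09:03:05,acme\\bob,computer-and-internet-info,docs.example.org/api,alert
2017/03/30 09:05:30,acme\\carol,social-networking,social.example.net/feed,alert
2017/03/30 09:06:11,acme\\bob,malware,bad.example.test/payload.exe,block-url
2017/03/30 09:08:44,acme\\dave,streaming-media,video.example.tv/watch,alert
2017/03/30 09:09:01,acme\\alice,business-and-economy,www.example-bank.com/login,alert
2017/03/30 09:10:22,acme\\erin,gambling,bets.example.casino/,block-url
2017/03/30 09:11:37,acme\\carol,computer-and-internet-info,cdn.example.org/lib.js,alert
"""


def parse_log(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows):
    """Per category: hit count, distinct users, top hosts, whether any hit was blocked."""
    hits = Counter()
    users = defaultdict(set)
    hosts = defaultdict(Counter)
    blocked = Counter()
    for r in rows:
        cat = r["category"]
        hits[cat] += 1
        users[cat].add(r["src_user"])
        hosts[cat][r["url"].split("/")[0]] += 1  # host part of the logged URL
        if r["action"].startswith("block"):
            blocked[cat] += 1
    return {
        cat: {
            "hits": hits[cat],
            "users": len(users[cat]),
            "top_sites": [h for h, _ in hosts[cat].most_common(3)],
            "blocked": blocked[cat] > 0,
        }
        for cat in hits
    }


def recommend(summary, min_hits=2, min_users=2):
    """Propose the profile action for each category seen in the logs.

    block : threat-prone category, stays blocked
    allow : broad routine use (enough hits from enough distinct users), so stop
            logging it to cut log volume; thresholds are illustrative assumptions
    alert : everything else keeps being logged for further review
    """
    plan = {}
    for cat, s in summary.items():
        if cat in THREAT_PRONE:
            plan[cat] = "block"
        elif s["hits"] >= min_hits and s["users"] >= min_users:
            plan[cat] = "allow"
        else:
            plan[cat] = "alert"
    return plan


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for cat, action in sorted(recommend(summary).items()):
        s = summary[cat]
        print(f"{cat:28} {action:6} hits={s['hits']:<3} users={s['users']:<2} top={s['top_sites']}")
```

Run it against a real export after the monitoring window; categories it proposes for allow are the ones to move first, since they are what inflates the log volume. Keep the threat-prone set at block even if it shows heavy use, because volume there is a reason to investigate, not to relax.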


Configure URL Filtering

After you Determine URL Filtering Policy Requirements, you should have a basic understanding of the types of websites and website categories your users are accessing. With this information, you are ready to create custom URL Filtering profiles and attach them to the security policy rule(s) that allow web access.
In addition to managing web access with a URL Filtering profile, if you have User-ID configured, you can also manage the sites to which users can submit corporate credentials.

Configure Website Access and Credential Submission Permissions

Step 1  Create a URL Filtering profile.
        If you have not done so already, configure a best practice URL Filtering profile to ensure protection against URLs that have been observed hosting malware or exploitive content.
        1. Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.

Step 2  Define site access for each URL category.
        Select Categories and set the Site Access for each URL category:
        - allow: Allow traffic to the URL category. Allowed traffic is not logged.
        - alert: Allow matching traffic, but generate a URL Filtering log entry each time a user accesses a site in the category, to give visibility into the sites users are accessing.
        - block: Deny access to traffic that matches the category and log the blocked traffic.
        - continue: Display a page to users with a warning and require them to click Continue to proceed to a site in the category.
        - override: Allow access only if users provide a configured password. For more details on this setting, see Allow Password Access to Certain Sites.


Step 3  Configure the URL Filtering profile to detect corporate credential submissions to websites that are in allowed URL categories.
        NOTE: The firewall automatically skips checking credential submissions for App-IDs associated with sites that have never been observed hosting malware or phishing content, to ensure the best performance and a low false positive rate, even if you enable checks in the corresponding category. The list of sites on which the firewall skips credential checking is automatically updated via Applications and Threats content updates.
        1. Select User Credential Detection.
        2. Select one of the methods to check for corporate credential submissions to web pages from the User Credential Detection drop-down:
           - Use IP User Mapping: Checks for valid corporate username submissions and verifies that the username matches the user logged in at the source IP address of the session. To do this, the firewall matches the submitted username against its IP-address-to-username mapping table, so you can use any of the user mapping methods described in Map IP Addresses to Users.
           - Use Domain Credential Filter: Checks for valid corporate username and password submissions and verifies that the username maps to the IP address of the logged-in user. See Configure User Mapping Using the Windows User-ID Agent for instructions on how to set up User-ID to enable this method.
           - Use Group Mapping: Checks for valid username submissions based on the user-to-group mapping table populated when you configure the firewall to Map Users to Groups. With group mapping, you can apply credential detection to any part of the directory or to a specific group, such as groups like IT that have access to your most sensitive applications.
             NOTE: This method is prone to false positives in environments that do not have uniquely structured usernames. Because of this, you should only use this method to protect your high-value user accounts.
        3. Set the Valid Username Detected Log Severity the firewall uses to log detection of corporate credential submissions. By default, the firewall logs these events as medium severity.

Step 4  Allow or block users from submitting corporate credentials to sites based on URL category, to Prevent Credential Phishing.
        NOTE: As in Step 3, the firewall automatically skips credential checks for App-IDs of sites that have never been observed hosting malware or phishing content, even if you enable checks in the corresponding category; that list is updated via Applications and Threats content updates.
        1. For each URL category to which Site Access is allowed, select how you want to treat User Credential Submissions:
           - alert: Allow users to submit credentials to the website, but generate a URL Filtering alert log each time a user submits credentials to sites in this URL category.
           - allow (default): Allow users to submit credentials to the website.
           - block: Display the Anti-Phishing Block Page to block users from submitting credentials to the website.
           - continue: Present the Anti-Phishing Continue Page to require users to click Continue to access the site.
        2. If you have not yet done so, configure the URL Filtering profile to detect corporate credential submissions to websites that are in allowed URL categories (Step 3).


Step 5  Define Block and Allow Lists to specify websites that should always be blocked or allowed, regardless of URL category.
        For example, to reduce URL Filtering logs, you may want to add your corporate websites to the allow list, so no logs are generated for those sites. Or, if a website is being overused and is not work related in any way, you can add it to the block list.
        Items in the block list are always blocked regardless of the action for the associated category, and URLs in the allow list are always allowed.
        For more information on the proper format and wildcard usage, see Block and Allow Lists.
        1. Select Overrides and enter URLs or IP addresses in the Block List, then select an action:
           - block: Block the URL.
           - continue: Prompt users to click Continue to proceed to the web page.
           - override: Prompt the user for a password to continue to the website.
           - alert: Allow the user to access the website and add an alert entry in the URL Filtering log.
        2. For the Allow List, enter IP addresses or URLs that should always be allowed. Each entry must be on its own line.

Step 6  Enable Safe Search Enforcement (see Safe Search Enforcement).

Step 7  Log only container pages for URL filtering events.
        1. Select URL Filtering Settings. The Log container page only option is enabled by default, so that only the main page that matches the category is logged, not subsequent pages or categories that may be loaded within the container page.
        2. To enable logging for all pages and categories, clear the Log container page only check box.

Step 8  Enable HTTP header logging for one or more of the supported HTTP header fields.
        Select URL Filtering Settings and select one or more of the following fields to log:
        - User-Agent
        - Referer
        - X-Forwarded-For

Step 9  Save the URL Filtering profile and commit your changes.
        1. Click OK.
        2. Click Commit.
        NOTE: To test the URL filtering configuration, access a website in a category that is set to block or continue and confirm that the appropriate action is performed.


Use an External Dynamic List in a URL Filtering Profile

An External Dynamic List is a text file that is hosted on an external web server. You can use this list to import URLs and enforce policy on those URLs. When the list is updated on the web server, the firewall retrieves the changes and applies policy to the modified list without requiring a commit on the firewall.
For more information, see External Dynamic List.

Use an External Dynamic List with URLs in a URL Filtering Profile

Step 1  Configure the Firewall to Access an External Dynamic List.
        - Ensure that the list does not include IP addresses or domain names; the firewall skips non-URL entries.
        - Verify the formatting of the list (see Block and Allow Lists).
        - Select URL List from the Type drop-down.

Step 2  Use the external dynamic list in a URL Filtering profile.
        1. Select Objects > Security Profiles > URL Filtering.
        2. Add or modify an existing URL Filtering profile.
        3. Name the profile and, in the Categories tab, select the external dynamic list from the Category list.
        4. Click Action to select a more granular action for the URLs in the external dynamic list.
           NOTE: If a URL that is included in an external dynamic list is also included in a custom URL category, or in the Block and Allow Lists, the action specified in the custom category or the block and allow list takes precedence over the external dynamic list.
        5. Click OK.
        6. Attach the URL Filtering profile to a Security policy rule.
           a. Select Policies > Security.
           b. Select the Actions tab and, in the Profile Setting section, select the new profile in the URL Filtering drop-down.
           c. Click OK and Commit.

Step 3  Test that the policy action is enforced.
        1. View External Dynamic List Entries for the URL list, and attempt to access a URL from the list.
        2. Verify that the action you defined is enforced in the browser.
        3. To monitor the activity on the firewall:
           a. Select ACC and add a URL Domain as a global filter to view the Network Activity and Blocked Activity for the URL you accessed.
           b. Select Monitor > Logs > URL Filtering to access the detailed log view.


Step 4  Verify whether entries in the external dynamic list were ignored or skipped.
        In a list of type URL, the firewall skips non-URL entries as invalid and ignores entries that exceed the maximum limit for the firewall model.
        To check whether you have reached the limit for an external dynamic list type, select Objects > External Dynamic Lists and click List Capacities.
        Use the following CLI command on a firewall to review the details for a list:
          request system external-list show type url name <list_name>
        For example:
          request system external-list show type url name My_URL_List
          vsys5/My_URL_List:
              Next update at: Tue Jan 3 14:00:00 2017
              Source: http://example.com/My_URL_List.txt
              Referenced: Yes
              Valid: Yes
              Auth-Valid: Yes

              Total valid entries: 3
              Total invalid entries: 0
              Valid urls:
                  www.URL1.com
                  www.URL2.com
                  www.URL3.com
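Because the firewall silently skips invalid entries and silently ignores entries past the model's capacity, it is worth checking a list before publishing it rather than discovering the gap in the CLI output above. The script below is an added example (not from the PAN-OS guide, and not the firewall's own parser) that applies the two rules the guide states for lists of type URL: entries that are IP addresses or networks are counted as invalid, and entries beyond a capacity are counted as ignored. It also reports duplicates, which the guide does not discuss; treating them as non-counting is this script's choice. The CAPACITY value, the "#" comment convention, and the sample list are assumptions constructed for illustration; take the real limit from Objects > External Dynamic Lists > List Capacities. The rules for what the firewall accepts as a URL are broader than "not an IP address", so treat a clean report here as necessary, not sufficient, and still compare it with the Total valid entries / Total invalid entries counts the CLI prints.

```python
"""Pre-check a URL list before publishing it as an External Dynamic List.

Added example, not from the PAN-OS guide. Applies the guide's two stated rules
for URL lists (IP-address entries are skipped as invalid; entries beyond
capacity are ignored) and flags duplicates. CAPACITY and the "#" comment
convention are assumptions for illustration, not PAN-OS behaviour.
"""
import ipaddress

CAPACITY = 4  # assumed limit; real limits depend on the firewall model

# Constructed sample list, as it would be served from the web server.
SAMPLE_LIST = """\
# constructed example list
www.URL1.com
www.URL2.com
10.0.0.5
www.URL3.com/path/*
2001:db8::1
192.0.2.0/24
www.URL1.com
www.URL4.com
www.URL5.com
"""


def is_ip_entry(entry):
    """True for IPv4/IPv6 addresses or networks, which a URL list cannot hold."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def check_url_list(text, capacity=CAPACITY):
    """Classify entries as valid, invalid (skipped), over capacity (ignored),
    or duplicate, and return totals shaped like the CLI's summary lines."""
    valid, invalid, ignored, duplicates = [], [], [], []
    seen = set()
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # blank line or comment (assumed convention)
        if " " in entry or is_ip_entry(entry):
            invalid.append(entry)  # non-URL entry: the firewall skips it
            continue
        if entry in seen:
            duplicates.append(entry)  # reported separately; not counted twice
            continue
        seen.add(entry)
        if len(valid) >= capacity:
            ignored.append(entry)  # beyond the model limit: the firewall ignores it
        else:
            valid.append(entry)
    return {
        "total_valid_entries": len(valid),
        "total_invalid_entries": len(invalid),
        "valid_urls": valid,
        "invalid_entries": invalid,
        "ignored_over_capacity": ignored,
        "duplicates": duplicates,
    }


if __name__ == "__main__":
    for key, value in check_url_list(SAMPLE_LIST).items():
        print(f"{key}: {value}")
```

With the constructed list the report shows three invalid entries (two addresses and one network), one duplicate, and one entry that would be ignored because the assumed capacity of four is already used; raising capacity to the real figure for your model makes the last finding disappear.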


Customize the URL Filtering Response Pages

The firewall provides predefined URL Filtering Response Pages that display by default when:
- A user attempts to browse to a site in a category with restricted access.
- A user submits valid corporate credentials to a site for which credential detection is enabled (Prevent Credential Phishing based on URL category).
- Safe Search Enforcement blocks a search attempt.
However, you can create your own custom response pages with your corporate branding, acceptable use policies, and links to your internal resources.

Customize the URL Filtering Response Pages

Step 1  Export the default response page(s).
        1. Select Device > Response Pages.
        2. Select the link for the URL Filtering response page you want to modify.
        3. Click the response page (predefined or shared), then click the Export link and save the file to your desktop.

Step 2  Edit the exported page.
        1. Using the HTML text editor of your choice, edit the page:
           - If you want the response page to display custom information about the specific user, URL, or category that was blocked, add one or more of the supported Table: URL Filtering Response Page Variables.
           - If you want to include custom images (such as your corporate logo), a sound, or style sheet, or a link to another URL (for example, to a document detailing your acceptable web use policy), include one or more of the supported Table: Response Page References.
        2. Save the edited page with a new filename. Make sure that the page retains its UTF-8 encoding. For example, in Notepad you would select UTF-8 from the Encoding drop-down in the Save As dialog.

Step 3  Import the customized response page.
        1. Select Device > Response Pages.
        2. Select the link that corresponds to the URL Filtering response page you edited.
        3. Click Import and then enter the path and filename in the Import File field, or Browse to locate the file.
        4. (Optional) Select the virtual system on which this page will be used from the Destination drop-down, or select shared to make it available to all virtual systems.
        5. Click OK to import the file.

Step 4  Save the new response page(s).
        Commit the changes.

Step 5  Verify that the new response page displays.
        From a browser, go to a URL that will trigger the response page. For example, to see a modified URL Filtering and Category Match response page, browse to a URL that your URL filtering policy is set to block.


Allow Password Access to Certain Sites

In some cases there may be URL categories that you want to block, but allow certain individuals to browse to on occasion. In this case, you would set the category action to override and define a URL admin override password in the firewall Content-ID configuration. When users attempt to browse to the category, they are required to provide the override password before they are allowed access to the site. Use the following procedure to configure URL admin override:

Configure URL Admin Override

Step 1  Set the URL admin override password.
        1. Select Device > Setup > Content-ID.
        2. In the URL Admin Override section, click Add.
        3. In the Location field, select the virtual system to which this password applies.
        4. Enter the Password and Confirm Password.
        5. Select an SSL/TLS Service Profile. The profile specifies the certificate that the firewall presents to the user if the site with the override is an HTTPS site. For details, see Configure an SSL/TLS Service Profile.
        6. Select the Mode for prompting the user for the password:
           - Transparent: The firewall intercepts the browser traffic destined for a site in a URL category you have set to override and impersonates the original destination URL, issuing an HTTP 401 to prompt for the password. Note that the client browser will display certificate errors if it does not trust the certificate.
           - Redirect: The firewall intercepts HTTP or HTTPS traffic to a URL category set to override and redirects the request to a Layer 3 interface on the firewall using an HTTP 302 redirect in order to prompt for the override password. If you select this option, you must provide the Address (IP address or DNS hostname) to which to redirect the traffic.
        7. Click OK.

Step 2  (Optional) Set a custom override period.
        1. Edit the URL Filtering section.
        2. To change the amount of time users can browse to a site in a category for which they have successfully entered the override password, enter a new value in the URL Admin Override Timeout field. By default, users can access sites within the category for 15 minutes without re-entering the password.
        3. To change the amount of time users are blocked from accessing a site set to override after three failed attempts to enter the override password, enter a new value in the URL Admin Lockout Timeout field. By default, users are blocked for 30 minutes.
        4. Click OK.


Step 3  (Redirect mode only) Create a Layer 3 interface to which to redirect web requests to sites in a category configured for override.
        1. Create a management profile to enable the interface to display the URL Filtering Continue and Override Page response page:
           a. Select Network > Interface Mgmt and click Add.
           b. Enter a Name for the profile, select Response Pages, and then click OK.
        2. Create the Layer 3 interface. Be sure to attach the management profile you just created (on the Advanced > Other Info tab of the Ethernet Interface dialog).

Step 4  (Redirect mode only) To transparently redirect users without displaying certificate errors, install a certificate that matches the IP address of the interface to which you are redirecting web requests to a site in a URL category configured for override. You can either generate a self-signed certificate or import a certificate that is signed by an external CA.
        To use a self-signed certificate, you must first create a root CA certificate and then use that CA to sign the certificate you will use for URL admin override, as follows:
        1. To create a root CA certificate, select Device > Certificate Management > Certificates > Device Certificates and then click Generate. Enter a Certificate Name, such as RootCA. Do not select a value in the Signed By field (this is what indicates that it is self-signed). Make sure you select the Certificate Authority check box and then click Generate to generate the certificate.
        2. To create the certificate to use for URL admin override, click Generate. Enter a Certificate Name and enter the DNS hostname or IP address of the interface as the Common Name. In the Signed By field, select the CA you created in the previous step. Add an IP address attribute and specify the IP address of the Layer 3 interface to which you will be redirecting web requests to URL categories that have the override action.
        3. Generate the certificate.
        4. To configure clients to trust the certificate, select the CA certificate on the Device Certificates tab and click Export. You must then import the certificate as a trusted root CA into all client browsers, either by manually configuring the browser or by adding the certificate to the trusted roots in an Active Directory Group Policy Object (GPO).

Step 5  Specify which URL categories require an override password to enable access.
        1. Select Objects > URL Filtering and either select an existing URL filtering profile or Add a new one.
        2. On the Categories tab, set the Action to override for each category that requires a password.
        3. Complete any remaining sections on the URL filtering profile and then click OK to save the profile.

Step 6  Apply the URL Filtering profile to the security policy rule(s) that allow access to the sites requiring a password override for access.
        1. Select Policies > Security and select the appropriate security policy rule to modify it.
        2. Select the Actions tab and, in the Profile Setting section, click the drop-down for URL Filtering and select the profile.
        3. Click OK to save.

Step 7  Save the configuration.
        Click Commit.


Safe Search Enforcement

Many search engines have a safe search setting that filters out adult images and videos in search query return traffic. You can enable the firewall to block search results if the end user is not using the strictest safe search settings, and you can also transparently enable safe search for your users. The firewall supports safe search enforcement for the following search providers: Google, Yahoo, Bing, Yandex, and YouTube.
Consider that safe search is a best-effort setting: search providers do not guarantee that it works with every website, and it is the search providers (not Palo Alto Networks) that classify sites as safe or unsafe.
To use this feature you must enable the Safe Search Enforcement option in a URL Filtering profile and attach it to a security policy rule. The firewall then blocks any matching search query return traffic that is not using the strictest safe search settings. There are two methods to enforce safe search:
- Block Search Results when Strict Safe Search is not Enabled: When an end user attempts to perform a search without first enabling the strictest safe search settings, the firewall blocks the search query results and displays the URL Filtering Safe Search Block Page. By default, this page provides a URL to the search provider settings for configuring safe search.
- Transparently Enable Safe Search for Users: When an end user attempts to perform a search without first enabling the strict safe search settings, the firewall blocks the search results with an HTTP 503 status code and redirects the search query to a URL that includes the safe search parameters. You enable this functionality by importing a new URL Filtering Safe Search Block Page containing the JavaScript for rewriting the search URL to include the strict safe search parameters. In this configuration, users do not see the block page, but are instead automatically redirected to a search query that enforces the strictest safe search options. This safe search enforcement method requires content release version 475 or later and is only supported for Google, Yahoo, and Bing searches.
As safe search settings differ by search provider, get started by reviewing the different safe search implementations. There are then two ways you can enforce safe search: you can block search results when safe search is disabled, or you can transparently enable safe search for your users:
- Safe Search Settings for Search Providers
- Block Search Results when Strict Safe Search is not Enabled
- Transparently Enable Safe Search for Users

Safe Search Settings for Search Providers

Safe search settings differ for each search provider; review the following settings to learn more.


Search Provider: Google/YouTube
Safe Search Setting Description: Offers safe search on individual computers or network-wide through Google's safe search virtual IP address:
- Safe Search Enforcement for Google Searches on Individual Computers: In the Google Search Settings, the Filter explicit results setting enables safe search functionality. When enabled, the setting is stored in a browser cookie as FF= and passed to the server each time the user performs a Google search. Appending safe=active to a Google search query URL also enables the strictest safe search settings.
- Safe Search Enforcement for Google and YouTube Searches using a Virtual IP Address: Google provides servers that Lock SafeSearch (forcesafesearch.google.com) settings in every Google and YouTube search. By adding to your DNS server configuration a DNS entry for www.google.com and www.youtube.com (and other relevant Google and YouTube country subdomains) that includes a CNAME record pointing to forcesafesearch.google.com, you can ensure that all users on your network are using strict safe search settings every time they perform a Google or YouTube search. Keep in mind, however, that this solution is not compatible with Safe Search Enforcement on the firewall. Therefore, if you are using this option to force safe search on Google, the best practice is to block access to other search engines on the firewall by creating custom URL categories and adding them to the block list in the URL filtering profile.
  NOTE: If you plan to use the Google Lock SafeSearch solution, consider configuring DNS Proxy (Network > DNS Proxy) and setting the inheritance source as the Layer 3 interface on which the firewall receives DNS settings from the service provider via DHCP. You would configure the DNS proxy with Static Entries for www.google.com and www.youtube.com, using the local IP address for the forcesafesearch.google.com server.

Search Provider: Yahoo
Safe Search Setting Description: Offers safe search on individual computers only. The Yahoo Search Preferences include three SafeSearch settings: Strict, Moderate, or Off. When enabled, the setting is stored in a browser cookie as vm= and passed to the server each time the user performs a Yahoo search. Appending vm=r to a Yahoo search query URL also enables the strictest safe search settings.
NOTE: When performing a search on Yahoo Japan (yahoo.co.jp) while logged in to a Yahoo account, end users must also enable the SafeSearch Lock option.

Search Provider: Bing
Safe Search Setting Description: Offers safe search on individual computers or through their Bing in the Classroom program. The Bing Settings include three SafeSearch settings: Strict, Moderate, or Off. When enabled, the setting is stored in a browser cookie as adlt= and passed to the server each time the user performs a Bing search. Appending adlt=strict to a Bing search query URL also enables the strictest safe search settings.
The Bing SSL search engine does not enforce the safe search URL parameters, so you should consider blocking Bing over SSL for full safe search enforcement.

Block Search Results when Strict Safe Search is not Enabled

By default, when you enable safe search enforcement and a user attempts to perform a search without using the strictest safe search settings, the firewall blocks the search query results and displays the URL Filtering Safe Search Block Page. This page provides a link to the search settings page for the corresponding search provider so that the end user can enable the safe search settings. If you plan to use this default method for enforcing safe search, you should communicate the policy to your end users prior to deploying it. See Safe Search Settings for Search Providers for details on how each search provider implements safe search. You can optionally Customize the URL Filtering Response Pages.
Alternatively, to enable safe search enforcement so that it is transparent to your end users, configure the firewall to Transparently Enable Safe Search for Users.

Enable Safe Search Enforcement

Step 1  Enable Safe Search Enforcement in the URL Filtering profile.
        1. Select Objects > Security Profiles > URL Filtering.
        2. Select an existing profile to modify, or clone the default profile to create a new profile.
        3. On the Settings tab, select the Safe Search Enforcement check box to enable it.
        4. (Optional) Restrict users to specific search engines:
           a. On the Categories tab, set the search-engines category to block.
           b. For each search engine that you want end users to be able to access, enter the web address in the Allow List text box. For example, to allow users access to Google and Bing searches only, you would enter the following:
              www.google.com
              www.bing.com
        5. Configure other settings as necessary to:
           - Define site access for each URL category.
           - Define Block and Allow Lists to specify websites that should always be blocked or allowed, regardless of URL category.
        6. Click OK to save the profile.

Step 2  Add the URL Filtering profile to the security policy rule that allows traffic from clients in the trust zone to the Internet.
        1. Select Policies > Security and select a rule to which to apply the URL filtering profile that you just enabled for Safe Search Enforcement.
        2. On the Actions tab, select the URL Filtering profile.
        3. Click OK to save the security policy rule.

Step 3  Enable SSL Forward Proxy decryption.
        Because most search engines encrypt their search results, you must enable SSL forward proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.
        1. Add a custom URL category for the search sites:
           a. Select Objects > Custom Objects > URL Category and Add a custom category.
           b. Enter a Name for the category, such as SearchEngineDecryption.
           c. Add the following to the Sites list:
              www.bing.*
              www.google.*
              search.yahoo.*
           d. Click OK to save the custom URL category object.
        2. Follow the steps to Configure SSL Forward Proxy.
        3. On the Service/URL Category tab in the Decryption policy rule, Add the custom URL category you just created and then click OK.


Step 4  (Optional, but recommended) Block Bing search traffic running over SSL.
        Because the Bing SSL search engine does not adhere to the safe search settings, for full safe search enforcement you must deny all Bing sessions that run over SSL.
        1. Add a custom URL category for Bing:
           a. Select Objects > Custom Objects > URL Category and Add a custom category.
           b. Enter a Name for the category, such as EnableBingSafeSearch.
           c. Add the following to the Sites list:
              www.bing.com/images/*
              www.bing.com/videos/*
           d. Click OK to save the custom URL category object.
        2. Create another URL filtering profile to block the custom category you just created:
           a. Select Objects > Security Profiles > URL Filtering.
           b. Add a new profile and give it a descriptive Name.
           c. Locate the custom category in the Category list and set it to block.
           d. Click OK to save the URL filtering profile.
        3. Add a security policy rule to block Bing SSL traffic:
           a. Select Policies > Security and Add a policy rule that allows traffic from your trust zone to the Internet.
           b. On the Actions tab, attach the URL filtering profile you just created to block the custom Bing category.
           c. On the Service/URL Category tab, Add a New Service and give it a descriptive Name, such as bingssl.
           d. Select TCP as the Protocol and set the Destination Port to 443.
           e. Click OK to save the rule.
           f. Use the Move options to ensure that this rule is below the rule that has the URL filtering profile with safe search enforcement enabled.

Step 5  Save the configuration.
        Click Commit.


Step 6  Verify the Safe Search Enforcement configuration.
        This verification step only works if you are using block pages to enforce safe search. If you are using transparent safe search enforcement, the firewall block page invokes a URL rewrite with the safe search parameters in the query string.
        1. From a computer that is behind the firewall, disable the strict search settings for one of the supported search providers. For example, on bing.com, click the Preferences icon on the Bing menu bar.
        2. Set the SafeSearch option to Moderate or Off and click Save.
        3. Perform a Bing search and verify that the URL Filtering Safe Search Block page displays instead of the search results.
        4. Use the link in the block page to go to the search settings for the search provider, set the safe search setting back to the strictest setting (Strict in the case of Bing), and then click Save.
        5. Perform a search again from Bing and verify that the filtered search results display instead of the block page.

Transparently Enable Safe Search for Users

If you want to enforce filtering of search query results with the strictest safe search filters, but you don't want your end users to have to manually configure the settings, you can enable transparent safe search enforcement as follows. This functionality is supported on Google, Yahoo, and Bing search engines only and requires Content Release version 475 or later.

Enable Transparent Safe Search Enforcement

Step 1: Make sure the firewall is running Content Release version 475 or later.
  1. Select Device > Dynamic Updates.
  2. Check the Applications and Threats section to determine what update is currently running.
  3. If the firewall is not running the required update or later, click Check Now to retrieve a list of available updates.
  4. Locate the required update and click Download.
  5. After the download completes, click Install.


Step 2: Enable Safe Search Enforcement in the URL Filtering profile.
  1. Select Objects > Security Profiles > URL Filtering.
  2. Select an existing profile to modify, or clone the default profile to create a new one.
  3. On the Settings tab, select the Safe Search Enforcement check box to enable it.
  4. (Optional) Allow access to specific search engines only:
     a. On the Categories tab, set the search-engines category to block.
     b. For each search engine that you want end users to be able to access, enter the web address in the Allow List text box. For example, to allow users access to Google and Bing searches only, you would enter the following:
        www.google.com
        www.bing.com
  5. Configure other settings as necessary to:
     - Define site access for each URL category.
     - Define Block and Allow Lists to specify websites that should always be blocked or allowed, regardless of URL category.
  6. Click OK to save the profile.

Step 3: Add the URL Filtering profile to the security policy rule that allows traffic from clients in the trust zone to the Internet.
  1. Select Policies > Security and select a rule to which to apply the URL filtering profile that you just enabled for Safe Search Enforcement.
  2. On the Actions tab, select the URL Filtering profile.
  3. Click OK to save the security policy rule.


Step 4: (Optional, but recommended) Block Bing search traffic running over SSL.
Because the Bing SSL search engine does not adhere to the safe search settings, for full safe search enforcement you must deny all Bing sessions that run over SSL.
  1. Add a custom URL category for Bing:
     a. Select Objects > Custom Objects > URL Category and Add a custom category.
     b. Enter a Name for the category, such as EnableBingSafeSearch.
     c. Add the following to the Sites list:
        www.bing.com/images/*
        www.bing.com/videos/*
     d. Click OK to save the custom URL category object.
  2. Create another URL filtering profile to block the custom category you just created:
     a. Select Objects > Security Profiles > URL Filtering.
     b. Add a new profile and give it a descriptive Name.
     c. Locate the custom category you just created in the Category list and set it to block.
     d. Click OK to save the URL filtering profile.
  3. Add a security policy rule to block Bing SSL traffic:
     a. Select Policies > Security and Add a policy rule that allows traffic from your trust zone to the Internet.
     b. On the Actions tab, attach the URL filtering profile you just created to block the custom Bing category.
     c. On the Service/URL Category tab, Add a New Service and give it a descriptive Name, such as bingssl.
     d. Select TCP as the Protocol and set the Destination Port to 443.
     e. Click OK to save the rule.
     f. Use the Move options to ensure that this rule is below the rule that has the URL filtering profile with safe search enforcement enabled.

Step 5: Edit the URL Filtering Safe Search Block Page, replacing the existing code with the JavaScript for rewriting search query URLs to enforce safe search transparently.
  1. Select Device > Response Pages > URL Filtering Safe Search Block Page.
  2. Select Predefined and then click Export to save the file locally.
  3. Use an HTML editor and replace all of the existing block page text with the text here and then save the file.
     Copy the transparent safe search script and paste it into the HTML editor, replacing the entire block page.

Step 6: Import the edited URL Filtering Safe Search Block page onto the firewall.
  1. To import the edited block page, select Device > Response Pages > URL Filtering Safe Search Block Page.
  2. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
  3. (Optional) Select the virtual system on which this block page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
  4. Click OK to import the file.
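The rewrite that the transparent safe search block page performs is described above only in outline: the page redirects the browser to the same search URL with the provider's strict safe search parameter added to the query string. The following is an added example, not code from the PAN-OS guide or from the firewall's own block page. The block page does this in JavaScript in the user's browser; this Python version reimplements the same logic so it can be tested offline. The parameter names it uses (Google safe=active, Bing adlt=strict, Yahoo vm=r) are this example's assumptions about each provider's strict setting, not values quoted from the guide.

```python
"""
Added example (not from the PAN-OS guide): the query-string rewrite a
transparent safe search block page performs, reimplemented in Python.
Provider parameter names are assumptions of this example.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed strict safe search parameter for each provider, keyed by the host
# prefix the custom URL category in Step 7 matches (www.bing.*, www.google.*,
# search.yahoo.*).
STRICT_PARAMS = {
    "www.google.": ("safe", "active"),
    "www.bing.": ("adlt", "strict"),
    "search.yahoo.": ("vm", "r"),
}


def provider_for(host):
    """Return the (param, value) pair for a supported search host, else None."""
    host = (host or "").lower()
    for prefix, param in STRICT_PARAMS.items():
        if host.startswith(prefix):
            return param
    return None


def safe_search_rewrite(url):
    """Return the URL with the strict safe search parameter enforced, or None
    when no rewrite is needed (unsupported host, or already strict).

    Returning None instead of an unchanged URL matters: a block page that
    always redirected would send the browser to itself in a loop once the
    strict parameter is present.
    """
    parts = urlsplit(url)
    param = provider_for(parts.hostname)
    if param is None:
        return None
    name, strict_value = param
    # keep_blank_values so an empty "q=" is preserved rather than dropped
    query = parse_qsl(parts.query, keep_blank_values=True)
    if any(k == name and v == strict_value for k, v in query):
        return None
    # Drop any weaker value for the parameter, then append the strict one
    query = [(k, v) for k, v in query if k != name]
    query.append((name, strict_value))
    return urlunsplit(parts._replace(query=urlencode(query)))
```

The host match deliberately uses the same prefixes as the SearchEngineDecryption custom category, so a search host the decryption rule does not cover is also one this rewrite leaves alone.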


Step 7: Enable SSL Forward Proxy decryption.
Because most search engines encrypt their search results, you must enable SSL forward proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.
  1. Add a custom URL category for the search sites:
     a. Select Objects > Custom Objects > URL Category and Add a custom category.
     b. Enter a Name for the category, such as SearchEngineDecryption.
     c. Add the following to the Sites list:
        www.bing.*
        www.google.*
        search.yahoo.*
     d. Click OK to save the custom URL category object.
  2. Follow the steps to Configure SSL Forward Proxy.
  3. On the Service/URL Category tab in the Decryption policy rule, Add the custom URL category you just created and then click OK.

Step 8: Save the configuration.
  Click Commit.


Monitor Web Activity

The ACC, URL filtering logs and reports show all user web activity for URL categories that are set to alert, block, continue, or override. By monitoring the logs, you can gain a better understanding of the web activity of your user base to determine a web access policy.
The following topics describe how to monitor web activity:
  - Monitor Web Activity of Network Users
  - View the User Activity Report
  - Configure Custom URL Filtering Reports

Monitor Web Activity of Network Users

You can use the ACC, and the URL filtering reports and logs that are generated on the firewall, to track user activity.
For a quick view of the most common categories users access in your environment, check the ACC widgets. Most Network Activity widgets allow you to sort on URLs. For example, in the Application Usage widget, you can see that the networking category is the most accessed category, followed by encrypted-tunnel, and ssl. You can also view the list of Threat Activity and Blocked Activity sorted on URLs.

From the ACC, you can jump directly to the logs or select Monitor > Logs > URL Filtering. The log action for each entry depends on the Site Access setting you defined for the corresponding category:
  - Alert log: In this example, the computer-and-internet-info category is set to alert.


  - Block log: In this example, the insufficient-content category is set to continue. If the category had been set to block instead, the log Action would be block-url.

  - Alert log on encrypted website: In this example, the category is private-ip-addresses and the application is web-browsing. This log also indicates that the firewall decrypted this traffic.

You can also add several other columns to your URL Filtering log view, such as: to and from zone, content type, and whether or not a packet capture was performed. To modify what columns to display, click the down arrow in any column and select the attribute to display.

To view the complete log details and/or request a category change for the given URL that was accessed, click the log details icon in the first column of the log.

To generate a predefined URL filtering report on URL categories, URL users, Websites accessed, Blocked categories, and more, select Monitor > Reports and under the URL Filtering Reports section, select one of the reports. The reports cover the 24-hour period of the date you select on the calendar. You can also export the report to PDF, CSV, or XML.


View the User Activity Report

This report provides a quick method of viewing user or group activity and also provides an option to view browse time activity.

Generate a User Activity Report

Step 1: Configure a User Activity Report.
  1. Select Monitor > PDF Reports > User Activity Report.
  2. Add a report and enter a Name for it.
  3. Select the report Type:
     - Select User to generate a report for one person.
     - Select Group for a group of users.
     NOTE: You must Enable User-ID in order to be able to select user or group names. If User-ID is not configured, you can select the type User and enter the IP address of the user's computer.
  4. Enter the Username/IP Address for a user report or enter the group name for a user group report.
  5. Select the time period. You can select an existing time period, or select Custom.
  6. Select the Include Detailed Browsing check box, so browsing information is included in the report.

Step 2: Run the report.
  1. Click Run Now.
  2. When the firewall finishes generating the report, click one of the links to download it:
     - Click Download User Activity Report to download a PDF version of the report.
     - Click Download URL Logs to download a CSV file of the corresponding log entries.
  3. After downloading the report, click Cancel.
  4. If you want to save the user activity report settings so you can run the same report again later, click OK; otherwise click Cancel.


Step 3: View the user activity report by opening the file that you downloaded. The PDF version of the report shows the user or group on which you based the report, the report time frame, and a table of contents.

Step 4: Click an item in the table of contents to view the report details. For example, click Traffic Summary by URL Category to view statistics for the selected user or group.


Configure Custom URL Filtering Reports

To generate a detailed report that you can schedule to run regularly, configure a custom URL Filtering report. You can choose any combination of URL Filtering log fields on which to base the report.

Configure a Custom URL Filtering Report

Step 1: Add a new custom report.
  1. Select Monitor > Manage Custom Reports and Add a report.
  2. Give the report a unique Name, and optionally a Description.
  3. Select the Database you want to use to generate the report. To generate a detailed URL Filtering report, select URL from the Detailed Logs section.


Step 2: Configure report options.
  1. Select a predefined Time Frame or select Custom.
  2. Select the log columns to include in the report from the Available Columns list and add them to the Selected Columns. For example, for a URL Filtering report you might select:
     - Action
     - App Category
     - Category
     - Destination Country
     - Source User
     - URL
  3. If the firewall is enabled to Prevent Credential Phishing, select the Attribute Flags, the Operator has and the Value Credential Detected to also include events in the report that record when a user submitted a valid corporate credential to a site.
  4. (Optional) Select a Sort By option to set the attribute to use to aggregate the report details. If you do not select an attribute to sort by, the report will return the first N number of results without any aggregation. Select a Group By attribute to use as an anchor for grouping data. The following example shows a report with Group By set to App Category and Sort By set to a Count of Top 5.


Step 3: Run the report.
  1. Click the Run Now icon to immediately generate the report, which opens in a new tab.
  2. When you are done reviewing the report, go back to the Report Setting tab and either tune the settings and run the report again, or continue to the next step to schedule the report.
  3. Select the Schedule check box to run the report once per day. This will generate a daily report that details web activity over the last 24 hours.

Step 4: Commit the configuration.

Step 5: View the custom report.
  1. Select Monitor > Reports.
  2. Expand the Custom Reports pane in the right column and select the report you want to view. The latest report displays automatically.
  3. To view the report for a previous date, select the date from the calendar. You can also export the report to PDF, CSV, or XML.
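Two things in the monitoring topics above are easier to see in code than in screenshots: which log Action a Site Access setting produces (Monitor Web Activity of Network Users) and what a custom report with Group By set to App Category and Sort By set to a Count of Top N actually computes (Configure Custom URL Filtering Reports). The following is an added example, not code from the PAN-OS guide; it works over a CSV export of URL Filtering log entries like the one Download URL Logs produces. The column layout and the sample log lines are constructed for this example, and the block-continue and block-override action names are this example's assumptions for the continue and override settings (alert and block-url are the two the guide states).

```python
"""
Added example (not from the PAN-OS guide): parse constructed URL Filtering
log lines and compute a Group By / Sort By Count Top N report from them.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed sample export with a minimal subset of URL Filtering log columns.
SAMPLE_LOG = """\
receive_time,from_zone,to_zone,src_user,app,app_category,category,url,action
2017/03/30 09:01:10,trust,untrust,acme\\alice,web-browsing,general-internet,computer-and-internet-info,example.com/,alert
2017/03/30 09:01:12,trust,untrust,acme\\alice,ssl,networking,private-ip-addresses,10.1.1.5/,alert
2017/03/30 09:02:30,trust,untrust,acme\\bob,web-browsing,general-internet,insufficient-content,unknown.example/,block-continue
2017/03/30 09:03:44,trust,untrust,acme\\bob,facebook-base,collaboration,social-networking,www.facebook.com/,block-url
2017/03/30 09:04:01,trust,untrust,acme\\carol,web-browsing,general-internet,search-engines,www.bing.com/search,alert
2017/03/30 09:05:15,trust,untrust,acme\\carol,ssl,networking,financial-services,bank.example/,alert
"""

# Log Action recorded for each Site Access setting. alert and block-url are
# stated in the guide; block-continue and block-override are assumptions.
ACTION_FOR_SITE_ACCESS = {
    "alert": "alert",
    "block": "block-url",
    "continue": "block-continue",
    "override": "block-override",
}


def parse_url_logs(text):
    """Parse a CSV export of URL Filtering log entries into a list of dicts."""
    return list(csv.DictReader(StringIO(text)))


def entries_with_action(rows, action):
    """Rows whose Action column matches, e.g. every block-url hit."""
    return [r for r in rows if r["action"] == action]


def top_n_by_group(rows, group_key, n):
    """Group By group_key, Sort By Count, keep the Top n.

    Returns [(group, count), ...] in descending count order; ties are broken
    by group name so the output is stable between runs.
    """
    counts = Counter(r[group_key] for r in rows)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ordered[:n]


def blocked_categories(rows):
    """Categories that produced any block-* action (a Blocked Categories view)."""
    return sorted({r["category"] for r in rows if r["action"].startswith("block")})
```

Because continue and override both produce a block-* action that the user may then get past, blocked_categories() counts them alongside block-url; filter on the exact block-url value with entries_with_action() when you want only hard blocks.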


Set Up the PAN-DB Private Cloud

To deploy one or more M-500 appliances as a PAN-DB private cloud within your network or data center, you must complete the following tasks:
  - Configure the PAN-DB Private Cloud
  - Configure the Firewalls to Access the PAN-DB Private Cloud

Configure the PAN-DB Private Cloud

Set up the PAN-DB Private Cloud

Step 1: Rack mount the M-500 appliance.
  Refer to the M-500 Hardware Reference Guide for instructions.

Step 2: Register the M-500 appliance.
  For instructions on registering the M-500 appliance, see Register the Firewall.


Step 3: Perform Initial Configuration of the M-500 Appliance.
NOTE: The M-500 appliance in PAN-DB mode uses two ports, MGT (Eth0) and Eth1; Eth2 is not used in PAN-DB mode. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud. For communication between the appliance (PAN-DB server) and the firewalls on the network, you can use the MGT port or Eth1.
  1. Connect to the M-500 appliance in one of the following ways:
     - Attach a serial cable from a computer to the Console port on the M-500 appliance and connect using a terminal emulation software (9600-8-N-1).
     - Attach an RJ-45 Ethernet cable from a computer to the MGT port on the M-500 appliance. From a browser, go to https://192.168.1.1. Enabling access to this URL might require changing the IP address on the computer to an address in the 192.168.1.0 network (for example, 192.168.1.2).
  2. When prompted, log in to the appliance. Log in using the default username and password (admin/admin). The appliance will begin to initialize.
  3. Configure the network access settings including the IP address for the MGT interface:
     set deviceconfig system ip-address <server-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
     where <server-IP> is the IP address you want to assign to the management interface of the server, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the primary DNS server.
  4. Configure the network access settings including the IP address for the Eth1 interface:
     set deviceconfig system eth1 ip-address <server-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
     where <server-IP> is the IP address you want to assign to the data interface of the server, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the DNS server.
  5. Save your changes to the PAN-DB server:
     commit


Step 4: Switch to PAN-DB private cloud mode.
  1. To switch to PAN-DB mode, use the CLI command:
     request system system-mode pan-url-db
     NOTE: You can switch from Panorama mode to PAN-DB mode and back, and from Panorama mode to Log Collector mode and back. Switching directly from PAN-DB mode to Log Collector mode or vice versa is not supported. When switching operational mode, a data reset is triggered. With the exception of management access settings, all existing configuration and logs will be deleted on restart.
  2. Use the following command to verify that the mode is changed:
     show pan-url-cloud-status
     hostname: M-500
     ip-address: 1.2.3.4
     netmask: 255.255.255.0
     default-gateway: 1.2.3.1
     ipv6-address: unknown
     ipv6-link-local-address: fe80:00/64
     ipv6-default-gateway:
     mac-address: 00:56:90:e7:f6:8e
     time: Mon Apr 27 13:43:59 2015
     uptime: 10 days, 1:51:28
     family: m
     model: M-500
     serial: 0073010000xxx
     sw-version: 7.0.0
     app-version: 492-2638
     app-release-date: 2015/03/19 20:05:33
     av-version: 0
     av-release-date: unknown
     wf-private-version: 0
     wf-private-release-date: unknown
     logdb-version: 7.0.9
     platform-family: m
     pan-url-db: 20150417-220
     system-mode: Pan-URL-DB
     operational-mode: normal

  3. Use the following command to check the version of the cloud database on the appliance:
     show pan-url-cloud-status
     Cloud status: Up
     URL database version: 20150417-220


Step 5: Install content and database updates.
NOTE: The appliance only stores the currently running version of the content and one earlier version.
  Pick one of the following methods of installing the content and database updates:
  - If the PAN-DB server has direct Internet access, use the following commands:
    a. To check whether a new version is published, use:
       request pan-url-db upgrade check
    b. To check the version that is currently installed on your server, use:
       request pan-url-db upgrade info
    c. To download and install the latest version:
       request pan-url-db upgrade download latest
       request pan-url-db upgrade install <version latest | file>
    d. To schedule the M-500 appliance to automatically check for updates:
       set deviceconfig system update-schedule pan-url-db recurring weekly action download-and-install day-of-week <day of week> at <hr:min>
  - If the PAN-DB server is offline, access the Palo Alto Networks Customer Support website to download and save the content updates to an SCP server on your network. You can then import and install the updates using the following commands:
    scp import pan-url-db remote-port <port-number> from username@host:path
    request pan-url-db upgrade install file <filename>


Step 6: Set up administrative access to the PAN-DB private cloud.
NOTE: The appliance has a default admin account. Any additional administrative users that you create can either be superusers (with full access) or superusers with read-only access. PAN-DB private cloud does not support the use of RADIUS VSAs. If the VSAs used on the firewall or Panorama are used for enabling access to the PAN-DB private cloud, an authentication failure will occur.
  To set up a local administrative user on the PAN-DB server:
    a. configure
    b. set mgt-config users <username> permissions role-based <superreader | superuser> yes
    c. set mgt-config users <username> password
    d. Enter password:xxxxx
    e. Confirm password:xxxxx
    f. commit
  To set up an administrative user with RADIUS authentication:
    a. Create a RADIUS server profile.
       set shared server-profile radius <server_profile_name> server <server_name> ip-address <ip_address> port <port_no> secret <shared_password>
    b. Create an authentication profile.
       set shared authentication-profile <auth_profile_name> user-domain <domain_name_for_authentication> allow-list <all> method radius server-profile <server_profile_name>
    c. Attach the authentication profile to the user.
       set mgt-config users <username> authentication-profile <auth_profile_name>
    d. Commit the changes.
       commit
  To view the list of users:
    show mgt-config users
    users {
      admin {
        phash fnRL/G5lXVMug;
        permissions {
          role-based {
            superuser yes;
          }
        }
      }
      admin_user_2 {
        permissions {
          role-based {
            superreader yes;
          }
        }
        authentication-profile RADIUS;
      }
    }

Step 7: Configure the Firewalls to Access the PAN-DB Private Cloud.


Configure the Firewalls to Access the PAN-DB Private Cloud

When using the PAN-DB public cloud, each firewall accesses the PAN-DB servers in the AWS cloud to download the list of eligible servers to which it can connect for URL lookups. With the PAN-DB private cloud, you must configure the firewalls with a (static) list of your PAN-DB private cloud servers that will be used for URL lookups. The list can contain up to 20 entries; IPv4 addresses, IPv6 addresses, and FQDNs are supported. Each entry on the list (IP address or FQDN) must be assigned to the management port and/or eth1 of the PAN-DB server.

Configure the Firewalls to Access the PAN-DB Private Cloud

Step 1: Pick one of the following options based on the PAN-OS version on the firewall.
  - For firewalls running PAN-OS 7.0, access the PAN-OS CLI or the web interface on the firewall.
    Use the following CLI command to configure access to the private cloud:
    set deviceconfig setting pan-url-db cloud-static-list <IP addresses> enable
    Or, in the web interface for each firewall, select Device > Setup > Content-ID, edit the URL Filtering section and enter the PAN-DB Server IP address(es) or FQDN(s). The list must be comma separated.
  - For firewalls running PAN-OS 5.0, 6.0, or 6.1, use the following CLI command to configure access to the private cloud:
    debug device-server pan-url-db cloud-static-list-enable <IP addresses> enable
  NOTE: To delete the entries for the private PAN-DB servers, and allow the firewalls to connect to the PAN-DB public cloud, use the command:
    set deviceconfig setting pan-url-db cloud-static-list <IP addresses> disable
  When you delete the list of private PAN-DB servers, a re-election process is triggered on the firewall. The firewall first checks for the list of PAN-DB private cloud servers and, when it cannot find one, the firewall accesses the PAN-DB servers in the AWS cloud to download the list of eligible servers to which it can connect.

Step 2: Commit your changes.

Step 3: To verify that the change is effective, use the following CLI command on the firewall:
  show url-cloud-status
  Cloud status: Up
  URL database version: 20150417-220
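The static server list above has constraints that are easy to get wrong when the list is assembled by hand or by a script across many firewalls: at most 20 entries, each an IPv4 address, an IPv6 address or an FQDN, comma separated for the web interface. The following is an added example, not code from the PAN-OS guide, that checks a candidate list against those constraints before it is pushed and builds the PAN-OS 7.0 CLI command quoted in Step 1. The FQDN pattern, the duplicate check and the error wording are this example's own.

```python
"""
Added example (not from the PAN-OS guide): validate a PAN-DB private cloud
server list against the limits the guide states and build the CLI command.
"""
import ipaddress
import re

MAX_ENTRIES = 20  # limit stated in the guide

# RFC 1123 style hostname: labels of letters, digits and hyphens (no leading
# or trailing hyphen), 1-63 chars each, at least two labels, 253 chars total.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+\.?$"
)


def classify_entry(entry):
    """Return 'ipv4', 'ipv6' or 'fqdn' for a valid entry, or None if invalid."""
    try:
        addr = ipaddress.ip_address(entry)
        return "ipv4" if addr.version == 4 else "ipv6"
    except ValueError:
        pass
    return "fqdn" if _FQDN_RE.match(entry) else None


def validate_static_list(entries):
    """Return a list of problems; an empty list means the list is acceptable."""
    problems = []
    cleaned = [e.strip() for e in entries]
    if not cleaned:
        problems.append("list is empty")
    if len(cleaned) > MAX_ENTRIES:
        problems.append(f"{len(cleaned)} entries exceeds the maximum of {MAX_ENTRIES}")
    seen = set()
    for e in cleaned:
        if classify_entry(e) is None:
            problems.append(f"{e!r} is not an IPv4 address, IPv6 address or FQDN")
        if e.lower() in seen:
            problems.append(f"{e!r} is listed more than once")
        seen.add(e.lower())
    return problems


def static_list_command(entries):
    """Build the PAN-OS 7.0 CLI command from Step 1 with a comma-separated
    list (the form the web interface also expects). Raises ValueError when
    the list does not validate, so a bad list is never committed."""
    problems = validate_static_list(entries)
    if problems:
        raise ValueError("; ".join(problems))
    joined = ",".join(e.strip() for e in entries)
    return f"set deviceconfig setting pan-url-db cloud-static-list {joined} enable"
```

Validating before the commit matters operationally: once the list is set, the firewall uses only those servers for URL lookups, and a typo in a single entry reduces the pool of servers it can fail over to.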


URL Filtering Use Cases

The following use cases show how to use App-ID to control a specific set of web-based applications and how to use URL categories as match criteria in a policy. When working with App-ID, it is important to understand that each App-ID signature may have dependencies that are required to fully control an application. For example, with Facebook applications, the App-ID facebook-base is required to access the Facebook website and to control other Facebook applications. For example, to configure the firewall to control Facebook email, you would have to allow the App-IDs facebook-base and facebook-mail. As another example, if you search Applipedia (the App-ID database) for LinkedIn, you will see that in order to control LinkedIn mail, you need to apply the same action to both App-IDs: linkedin-base and linkedin-mail. To determine application dependencies for App-ID signatures, visit Applipedia, search for the given application, and then click the application for details.
  - Use Case: Control Web Access
  - Use Case: Use URL Categories for Policy Matching

These use cases rely on User-ID to implement policies based on users and groups, and on Decryption to identify and control websites that are encrypted using SSL/TLS.

Use Case: Control Web Access

When using URL filtering to control user website access, there may be instances where granular control is required for a given website. In this use case, a URL filtering profile is applied to the security policy that allows web access for your users and the social-networking URL category is set to block, but the allow list in the URL profile is configured to allow the social networking site Facebook. To further control Facebook, the company policy also states that only marketing has full access to Facebook and all other users within the company can only read Facebook posts and cannot use any other Facebook applications, such as email, posting, chat, and file sharing. To accomplish this requirement, App-ID must be used to provide granular control over Facebook.
The first Security policy rule will allow marketing to access the Facebook website as well as all Facebook applications. Because this allow rule will also allow access to the Internet, threat prevention profiles are applied to the rule, so traffic that matches the policy will be scanned for threats. This is important because the allow rule is terminal and will not continue to check other rules if there is a traffic match.

Control Web Access

Step 1: Confirm that URL filtering is licensed.
  1. Select Device > Licenses and confirm that a valid date appears for the URL filtering database that will be used. This will either be PAN-DB or BrightCloud.
  2. If a valid license is not installed, see Enable PAN-DB URL Filtering.


Step 2: Confirm that User-ID is working. User-ID is required to create policies based on users and groups.
  1. To check Group Mapping from the CLI, enter the following command:
     show user group-mapping statistics
  2. To check User Mapping from the CLI, enter the following command:
     show user ip-user-mapping-mp all
  3. If statistics do not appear and/or IP address-to-user mapping information is not displayed, see User-ID.

Step 3: Set up a URL filtering profile by cloning the default profile.
  1. Select Objects > Security Profiles > URL Filtering and select the default profile.
  2. Click the Clone icon. A new profile should appear named default-1.
  3. Select the new profile and rename it.

Step 4: Configure the URL filtering profile to block social networking and allow Facebook.
  1. Modify the new URL filtering profile and in the Category list scroll to social-networking and in the Action column click on allow and change the action to block.
  2. In the Allow List, enter facebook.com, press enter to start a new line and then type *.facebook.com. Both of these formats are required, so all URL variants a user may use will be identified, such as facebook.com, www.facebook.com, and https://facebook.com.
  3. Click OK to save the profile.

Step 5: Apply the new URL filtering profile to the security policy rule that allows web access from the user network to the Internet.
  1. Select Policies > Security and click on the policy rule that allows web access.
  2. On the Actions tab, select the URL profile you just created from the URL Filtering drop-down.
  3. Click OK to save.


Step 6: Create the security policy rule that will allow marketing access to the Facebook website and all Facebook applications.
This rule must precede other rules because:
  - It is a specific rule. More specific rules must precede other rules.
  - An allow rule will terminate when a traffic match occurs.
  1. Select Policies > Security and click Add.
  2. Enter a Name and optionally a Description and Tag(s).
  3. On the Source tab add the zone where the users are connected.
  4. On the User tab in the Source User section click Add.
  5. Select the directory group that contains your marketing users.
  6. On the Destination tab, select the zone that is connected to the Internet.
  7. On the Applications tab, click Add and add the facebook App-ID signature.
  8. On the Actions tab, add the default profiles for Antivirus, Vulnerability Protection, and Anti-Spyware.
  9. Click OK to save the security policy rule.
  The facebook App-ID signature used in this policy rule encompasses all Facebook applications, such as facebook-base, facebook-chat, and facebook-mail, so this is the only App-ID signature required in this rule.
  With this rule in place, when a marketing employee attempts to access the Facebook website or any Facebook application, the rule matches based on the user being part of the marketing group. For traffic from any user outside of marketing, the rule will be skipped because there would not be a traffic match and rule processing would continue.


Step 7: Configure the security policy to block all other users from using any Facebook applications other than simple web browsing. The easiest way to do this is to clone the marketing allow policy and then modify it.
  1. From Policies > Security click the marketing Facebook allow policy you created earlier to highlight it and then click the Clone icon.
  2. Enter a Name and optionally enter a Description and Tag(s).
  3. On the User tab highlight the marketing group and delete it and in the drop-down select any.
  4. On the Applications tab, click the facebook App-ID signature and delete it.
  5. Click Add and add the following App-ID signatures:
     - facebook-apps
     - facebook-chat
     - facebook-file-sharing
     - facebook-mail
     - facebook-posting
     - facebook-social-plugin
  6. On the Actions tab in the Action Setting section, select Deny. The profile settings should already be correct because this rule was cloned.
  7. Click OK to save the security policy rule.
  8. Ensure that this new deny rule is listed after the marketing allow rule, to ensure that rule processing occurs in the correct order to allow marketing users and then to deny/limit all other users.
  9. Click Commit to save the configuration.

With these security policy rules in place, any user who is part of the marketing group will have full access to all Facebook applications and any user that is not part of the marketing group will only have read-only access to the Facebook website and will not be able to use Facebook applications such as post, chat, email, and file sharing.


Use Case: Use URL Categories for Policy Matching

You can also use URL categories as match criteria in the following policy types: Authentication, Decryption, Security, and QoS. In this use case, Decryption policy rules match on URL categories to control which web categories to decrypt or not decrypt. The first rule is a no-decrypt rule instructing the firewall not to decrypt outbound user traffic to financial-services or health-and-medicine sites and the second rule instructs the firewall to decrypt all other traffic.

Configure a Decryption Policy Based on URL Category

Step 1: Create the no-decrypt rule that will be listed first in the decryption policies list. This will prevent any website that is in the financial-services or health-and-medicine URL categories from being decrypted.
  1. Select Policies > Decryption and click Add.
  2. Enter a Name and optionally enter a Description and Tag(s).
  3. On the Source tab, add the zone where the users are connected.
  4. On the Destination tab, enter the zone that is connected to the Internet.
  5. On the URL Category tab, click Add and select the financial-services and health-and-medicine URL categories.
  6. On the Options tab, set the action to No Decrypt.
  7. (Optional) Although the firewall does not decrypt and inspect the traffic for the session, you can attach a Decryption profile if you want to enforce the server certificates used during the session. The decryption profile allows you to configure the firewall to terminate the SSL connection either when the server certificates are expired or when the server certificates are issued by an untrusted issuer.
  8. Click OK to save the policy rule.


Step 2: Create the decryption policy rule that will decrypt all other traffic.
  1. Select the no-decrypt policy you created previously and then click Clone.
  2. Enter a Name and optionally enter a Description and Tag(s).
  3. On the URL Category tab, select financial-services and health-and-medicine and then click the Delete icon.
  4. On the Options tab, set the action to Decrypt and the Type to SSL Forward Proxy.
  5. (Optional) Attach a Decryption profile to specify the server certificate verification, unsupported mode checks and failure checks for the SSL traffic. See Configure SSL Forward Proxy for more details.
  6. Ensure that this new decryption rule is listed after the no-decrypt rule to ensure that rule processing occurs in the correct order, so websites in the financial-services and health-and-medicine categories are not decrypted.
  7. Click OK to save the policy rule.

Step 3: (BrightCloud only) Enable cloud lookups for dynamically categorizing a URL when the category is not available in the local database on the firewall.
  1. Access the CLI on the firewall.
  2. Enter the following commands to enable Dynamic URL Filtering:
     a. configure
     b. set deviceconfig setting url dynamic-url yes
     c. commit

Step 4: Save the configuration.
  Click Commit.

With these two decryption policies in place, any traffic destined for the financial-services or health-and-medicine URL categories will not be decrypted. All other traffic will be decrypted.
Now that you have a basic understanding of the powerful features of URL filtering, App-ID, and User-ID, you can apply similar policies to your firewall to control any application in the Palo Alto Networks App-ID signature database and control any website contained in the URL filtering database.
For help in troubleshooting URL filtering issues, see Troubleshoot URL Filtering.
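Both use cases depend on the same property of the rulebase: rules are evaluated top down, the first rule whose match criteria fit the session wins, and its action is terminal. The following is an added example, not code from the PAN-OS guide, that models that first-match evaluation for the two rulebases described above: the Control Web Access security rules (marketing allow, then the Facebook-functions deny, then the general web-access rule) and the decryption rules (no-decrypt for financial-services and health-and-medicine first, then decrypt everything else). The rule names are this example's own; the App-ID, group and category names are the ones the use cases list, and the facebook container App-ID is modelled by listing the functions it encompasses.

```python
"""
Added example (not from the PAN-OS guide): first-match rule evaluation for the
security and decryption rulebases of the two use cases.
"""
from dataclasses import dataclass, field

ANY = "any"


@dataclass
class Rule:
    name: str
    action: str  # allow / deny / decrypt / no-decrypt
    users: set = field(default_factory=lambda: {ANY})           # source user groups
    apps: set = field(default_factory=lambda: {ANY})            # App-ID names
    url_categories: set = field(default_factory=lambda: {ANY})  # URL categories

    def matches(self, user_groups, app, category):
        return ((ANY in self.users or bool(self.users & user_groups))
                and (ANY in self.apps or app in self.apps)
                and (ANY in self.url_categories or category in self.url_categories))


def first_match(rules, user_groups, app, category=ANY):
    """Return (rule name, action) of the first matching rule. The match is
    terminal: later rules are never consulted. None means nothing matched."""
    for rule in rules:
        if rule.matches(set(user_groups), app, category):
            return rule.name, rule.action
    return None


# Use Case: Control Web Access. The facebook App-ID on the marketing rule
# stands for every Facebook function, so marketing traffic is matched there
# before the deny rule is reached. Any other user falls through the deny rule
# for the listed functions and reaches the general web-access rule only for
# facebook-base (plain browsing of the site).
FACEBOOK_FUNCTIONS = {"facebook-base", "facebook-apps", "facebook-chat",
                      "facebook-file-sharing", "facebook-mail",
                      "facebook-posting", "facebook-social-plugin"}

SECURITY_RULES = [
    Rule("marketing-facebook-allow", "allow", users={"marketing"},
         apps={"facebook"} | FACEBOOK_FUNCTIONS),
    Rule("facebook-functions-deny", "deny",
         apps=FACEBOOK_FUNCTIONS - {"facebook-base"}),
    Rule("web-access-allow", "allow"),  # the rule carrying the URL Filtering profile
]

# Use Case: Use URL Categories for Policy Matching (no-decrypt rule first).
DECRYPTION_RULES = [
    Rule("no-decrypt-finance-health", "no-decrypt",
         url_categories={"financial-services", "health-and-medicine"}),
    Rule("decrypt-everything-else", "decrypt"),
]
```

Swapping the first two security rules is the misordering Step 8 of the use case warns about: with the deny rule first, a marketing user's facebook-chat session matches it and is dropped before the allow rule is ever evaluated.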


Troubleshoot URL Filtering

The following topics provide troubleshooting guidelines for diagnosing and resolving common URL filtering problems.
  - Problems Activating PAN-DB
  - PAN-DB Cloud Connectivity Issues
  - URLs Classified as Not-Resolved
  - Incorrect Categorization
  - URL Database Out of Date

Problems Activating PAN-DB

Use the following workflow to troubleshoot PAN-DB activation issues.

Troubleshoot PAN-DB Activation Issues

Step 1: Access the PAN-OS CLI.

Step 2: Verify whether PAN-DB has been activated by running the following command:
  show system setting url-database
  If the response is paloaltonetworks, PAN-DB is the active vendor.

Step 3: Verify that the firewall has a valid PAN-DB license by running the following command:
  request license info
  You should see the license entry Feature: PAN_DB URL Filtering. If the license is not installed, you will need to obtain and install a license. See Configure URL Filtering.

Step 4: After installing the license, download a new PAN-DB seed database by running the following command:
  request url-filtering download paloaltonetworks region <region>

Step 5: Check the download status by running the following command:
  request url-filtering download status vendor paloaltonetworks
  If the message is different from PAN-DB download: Finished successfully, stop here; there may be a problem connecting to the cloud. Attempt to solve the connectivity issue by performing basic network troubleshooting between the firewall and the Internet. For more information, see PAN-DB Cloud Connectivity Issues.
  If the message is PAN-DB download: Finished successfully, the firewall successfully downloaded the URL seed database. Try to enable PAN-DB again by running the following command:
  admin@PA-200> set system setting url-database paloaltonetworks
  If the problem persists, contact Palo Alto Networks Customer Support.


PAN-DB Cloud Connectivity Issues

To check connectivity between the firewall and the PAN-DB cloud:
show url-cloud status
If the cloud is accessible, the expected response is similar to the following:
show url-cloud status
PAN-DB URL Filtering
License : valid
Current cloud server : s0000.urlcloud.paloaltonetworks.com
Cloud connection : connected
URL database version - device : 2013.11.18.000
URL database version - cloud : 2013.11.18.000 ( last update time 2013/11/19 13:20:51 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible
If the cloud is not accessible, the expected response is similar to the following:
show url-cloud status
PAN-DB URL Filtering
License : valid
Cloud connection : not connected
URL database version - device : 2013.11.18.000
URL database version - cloud : 2013.11.18.000 ( last update time 2013/11/19 13:20:51 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible
Use the following checklist to identify and resolve connectivity issues:
- Does the PAN-DB URL Filtering license field show as invalid? Obtain and install a valid PAN-DB license.
- Does the URL database status show as out of date? Download a new seed database by running the following command:
  request url-filtering download paloaltonetworks region <region>
- Does the URL protocol version show as not compatible? Upgrade PAN-OS to the latest version.
- Can you ping the PAN-DB cloud server from the firewall? Run the following command to check:
  ping source <ip-address> host s0000.urlcloud.paloaltonetworks.com
  For example, if your management interface IP address is 10.1.1.5, run the following command:
  ping source 10.1.1.5 host s0000.urlcloud.paloaltonetworks.com
- Is the firewall in an HA configuration? Verify that the HA state of the firewalls is in the active, active-primary, or active-secondary state. Access to the PAN-DB cloud will be blocked if the firewall is in a different state. Run the following command on each firewall in the pair to see the state:
  show high-availability state

If you still have problems with connectivity between the firewall and the PAN-DB cloud, contact Palo Alto Networks support.
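The checklist above can be applied mechanically to saved command output. The following added example (not code from the guide or from Palo Alto Networks) parses the two sample responses shown above, embedded as constructed strings, and reports which checklist item fails; the field names and HA state values are taken from this section, and the remediation strings are assumptions made for illustration.

```python
import re

# Constructed samples: the two 'show url-cloud status' responses shown in this guide
# (the command echo line removed), embedded here so the example runs offline.
SAMPLE_CONNECTED = """\
PAN-DB URL Filtering
License : valid
Current cloud server : s0000.urlcloud.paloaltonetworks.com
Cloud connection : connected
URL database version - device : 2013.11.18.000
URL database version - cloud : 2013.11.18.000 ( last update time 2013/11/19 13:20:51 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible
"""

SAMPLE_NOT_CONNECTED = SAMPLE_CONNECTED.replace(
    "Current cloud server : s0000.urlcloud.paloaltonetworks.com\n", ""
).replace("Cloud connection : connected", "Cloud connection : not connected")

# One "Field name : value" line; the value may itself contain colons (timestamps),
# so the key is everything before the first colon.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")

# HA states in which, per the guide, the firewall may reach the PAN-DB cloud.
CLOUD_OK_HA_STATES = {"active", "active-primary", "active-secondary"}


def parse_url_cloud_status(text):
    """Return {field name: value} for every 'name : value' line of the output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def connectivity_findings(fields):
    """Apply the guide's connectivity checklist to parsed output.

    Returns a list of (problem, remediation) tuples; empty when every field the
    checklist covers looks healthy."""
    findings = []
    if fields.get("License", "").lower() != "valid":
        findings.append(("PAN-DB URL Filtering license is not valid",
                         "obtain and install a valid PAN-DB license"))
    # The healthy output shows 'good'; anything else (e.g. out of date) is flagged.
    if fields.get("URL database status", "").lower() != "good":
        findings.append(("URL database status is not good",
                         "request url-filtering download paloaltonetworks region <region>"))
    if fields.get("Protocol compatibility status", "").lower() != "compatible":
        findings.append(("URL protocol version is not compatible",
                         "upgrade PAN-OS to the latest version"))
    if fields.get("Cloud connection", "").lower() != "connected":
        server = fields.get("Current cloud server", "s0000.urlcloud.paloaltonetworks.com")
        findings.append(("cloud connection is not connected",
                         f"ping source <mgmt-ip> host {server}; then check HA state"))
    return findings


def ha_state_allows_cloud(state):
    """True if an HA state string (from 'show high-availability state') is one
    in which the guide says PAN-DB cloud access is not blocked."""
    return state.strip().lower() in CLOUD_OK_HA_STATES


if __name__ == "__main__":
    for name, sample in (("connected", SAMPLE_CONNECTED),
                         ("not connected", SAMPLE_NOT_CONNECTED)):
        print(name, connectivity_findings(parse_url_cloud_status(sample)))
```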


URLs Classified as Not-Resolved

Use the following workflow to troubleshoot why some or all of the URLs being identified by PAN-DB are classified as not-resolved:

Troubleshoot URLs Classified as Not-Resolved

Step 1 Check the PAN-DB cloud connection by running the following command:
show url-cloud status
The Cloud connection: field should show connected. If you see anything other than connected, any URL that does not exist in the management plane cache will be categorized as not-resolved. To resolve this issue, see PAN-DB Cloud Connectivity Issues.

Step 2 If the cloud connection status shows connected, check the current utilization of the firewall. If firewall utilization is spiking, URL requests may be dropped (may not reach the management plane), and will be categorized as not-resolved.
To view system resources, run the following command and view the %CPU and %MEM columns:
show system resources
You can also view system resources on the System Resources widget on the Dashboard in the web interface.

Step 3 If the problem persists, contact Palo Alto Networks support.

Incorrect Categorization

Sometimes you may come across a URL that you believe is categorized incorrectly. Use the following workflow to determine the URL categorization for a site and request a category change, if appropriate.

Troubleshoot Incorrect Categorization Issues

Step 1 Verify the category in the dataplane by running the following command:
show running url <URL>
For example, to view the category for the Palo Alto Networks website, run the following command:
show running url paloaltonetworks.com
If the URL stored in the dataplane cache has the correct category (computer-and-internet-info in this example), then the categorization is correct and no further action is required. If the category is not correct, continue to the next step.

Step 2 Verify the category in the management plane by running the following command:
test url-info-host <URL>
For example:
test url-info-host paloaltonetworks.com
If the URL stored in the management plane cache has the correct category, remove the URL from the dataplane cache by running the following command:
clear url-cache url <URL>
The next time the firewall requests the category for this URL, the request will be forwarded to the management plane. This will resolve the issue and no further action is required. If this does not solve the issue, go to the next step to check the URL category on the cloud systems.

Step 3 Verify the category in the cloud by running the following command:
test url-info-cloud <URL>


Step 4 If the URL stored in the cloud has the correct category, remove the URL from the dataplane and the management plane caches.
Run the following command to delete a URL from the dataplane cache:
clear url-cache url <URL>
Run the following command to delete a URL from the management plane cache:
delete url-database url <URL>
The next time the firewall queries for the category of the given URL, the request will be forwarded to the management plane and then to the cloud. This should resolve the category lookup issue. If problems persist, see the next step to submit a categorization change request.

Step 5 To submit a change request from the web interface, go to the URL log and select the log entry for the URL you would like to have changed.

Step 6 Click the Request Categorization change link and follow the instructions. You can also request a category change from the Palo Alto Networks Test A Site website by searching for the URL and then clicking the Request Change icon. To view a list of all available categories with descriptions of each category, refer to https://urlfiltering.paloaltonetworks.com/CategoryList.aspx.
If your change request is approved, you will receive an email notification. You then have two options to ensure that the URL category is updated on the firewall:
- Wait until the URL in the cache expires; the next time the URL is accessed by a user, the new categorization update will be put in the cache.
- Run the following command to force an update in the cache:
  request url-filtering update url <URL>

URL Database Out of Date

If you have observed through the syslog or the CLI that PAN-DB is out of date, it means that the connection from the firewall to the PAN-DB cloud is blocked. This usually occurs when the URL database on the firewall is too old (version difference is more than three months) and the cloud cannot update the firewall automatically. In order to resolve this issue, you must re-download an initial seed database (this operation is not blocked). This will result in an automatic reactivation of PAN-DB.
To manually update the database, perform one of the following steps:
- From the web interface, select Device > Licenses and in the PAN-DB URL Filtering section click the Re-Download link.
- From the CLI, run the following command:
  request url-filtering download paloaltonetworks region <region_name>

Re-downloading the seed database causes the URL cache in the management plane and dataplane to be purged. The management plane cache will then be repopulated with the contents of the new seed database.



Quality of Service

Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to dependably run high-priority applications and traffic under limited network capacity. QoS technologies accomplish this by providing differentiated handling and capacity allocation to specific flows in network traffic. This enables the network administrator to assign the order in which traffic is handled, and the amount of bandwidth afforded to traffic.
Palo Alto Networks Application Quality of Service (QoS) provides basic QoS applied to networks and extends it to provide QoS to applications and users.
Use the following topics to learn about and configure Palo Alto Networks application-based QoS:
- QoS Overview
- QoS Concepts
- Configure QoS
- Configure QoS for a Virtual System
- Enforce QoS Based on DSCP Classification
- QoS Use Cases

Use the Palo Alto Networks product comparison tool to view the QoS features supported on your firewall platform. Select two or more product platforms and click Compare Now to view QoS feature support for each platform (for example, you can check if your firewall platform supports QoS on subinterfaces and if so, the maximum number of subinterfaces on which QoS can be enabled).
QoS on Aggregate Ethernet (AE) interfaces is supported on PA-7000 Series, PA-5000 Series, and PA-3000 Series firewalls running PAN-OS 7.0 or later release versions.


QoS Overview

Use QoS to prioritize and adjust quality aspects of network traffic. You can assign the order in which packets are handled and allot bandwidth, ensuring preferred treatment and optimal levels of performance are afforded to selected traffic, applications, and users.
Service quality measurements subject to a QoS implementation are bandwidth (maximum rate of transfer), throughput (actual rate of transfer), latency (delay), and jitter (variance in latency). The capability to shape and control these service quality measurements makes QoS of particular importance to high-bandwidth, real-time traffic such as voice over IP (VoIP), video conferencing, and video-on-demand that has a high sensitivity to latency and jitter. Additionally, use QoS to achieve outcomes such as the following:
- Prioritize network and application traffic, guaranteeing high priority to important traffic or limiting non-essential traffic.
- Achieve equal bandwidth sharing among different subnets, classes, or users in a network.
- Allocate bandwidth externally or internally or both, applying QoS to both upload and download traffic or to only upload or download traffic.
- Ensure low latency for customer and revenue-generating traffic in an enterprise environment.
- Perform traffic profiling of applications to ensure bandwidth usage.
QoS implementation on a Palo Alto Networks firewall begins with three primary configuration components that support a full QoS solution: a QoS Profile, a QoS Policy, and setting up the QoS Egress Interface. Each of these options in the QoS configuration task facilitates a broader process that optimizes and prioritizes the traffic flow and allocates and ensures bandwidth according to configurable parameters.
The figure Figure: QoS Traffic Flow shows traffic as it flows from the source, is shaped by the firewall with QoS enabled, and is ultimately prioritized and delivered to its destination.

Figure: QoS Traffic Flow

The QoS configuration options allow you to control the traffic flow and define it at different points in the flow. The Figure: QoS Traffic Flow indicates where the configurable options define the traffic flow. A QoS policy rule allows you to define traffic you want to receive QoS treatment and assign that traffic a QoS class. The matching traffic is then shaped based on the QoS profile class settings as it exits the physical interface. Each of the QoS configuration components influences the others, and the QoS configuration options can be used to create a full and granular QoS implementation or can be used sparingly with minimal administrator action.


Each firewall model supports a maximum number of ports that can be configured with QoS. Refer to the spec sheet for your firewall model or use the product comparison tool to view QoS feature support for two or more firewalls on a single page.


QoS Concepts

Use the following topics to learn about the different components and mechanisms of a QoS configuration on a Palo Alto Networks firewall:
- QoS for Applications and Users
- QoS Policy
- QoS Profile
- QoS Classes
- QoS Priority Queuing
- QoS Bandwidth Management
- QoS Egress Interface
- QoS for Clear Text and Tunneled Traffic

QoS for Applications and Users

A Palo Alto Networks firewall provides basic QoS, controlling traffic leaving the firewall according to network or subnet, and extends the power of QoS to also classify and shape traffic according to application and user. The Palo Alto Networks firewall provides this capability by integrating the features App-ID and User-ID with the QoS configuration. App-ID and User-ID entries that exist to identify specific applications and users in your network are available in the QoS configuration so that you can easily specify applications and users for which you want to manage and/or guarantee bandwidth.

QoS Policy

Use a QoS policy rule to define traffic to receive QoS treatment (either preferential treatment or bandwidth limiting) and assign such traffic a QoS class of service.
Define a QoS policy rule to match to traffic based on:
- Applications and application groups.
- Source zones, source addresses, and source users.
- Destination zones and destination addresses.
- Services and service groups limited to specific TCP and/or UDP port numbers.
- URL categories, including custom URL categories.
- Differentiated Services Code Point (DSCP) and Type of Service (ToS) values, which are used to indicate the level of service requested for traffic, such as high priority or best effort delivery.
Set up multiple QoS policy rules (Policies > QoS) to associate different types of traffic with different QoS classes of service.


QoS Profile

Use a QoS profile rule to define values of up to eight QoS classes contained within that single profile rule. With a QoS profile rule, you can define QoS Priority Queuing and QoS Bandwidth Management for QoS classes. Each QoS profile rule allows you to configure individual bandwidth and priority settings for up to eight QoS classes, as well as the total bandwidth allotted for the eight classes combined. Attach the QoS profile rule (or multiple QoS profile rules) to a physical interface to apply the defined priority and bandwidth settings to the traffic exiting that interface.
A default QoS profile rule is available on the firewall. The default profile rule and the classes defined in the profile do not have predefined maximum or guaranteed bandwidth limits.
To define priority and bandwidth settings for QoS classes, Add a QoS profile rule.

QoS Classes

A QoS class determines the priority and bandwidth for traffic matching a QoS policy rule. You can use a QoS profile rule to define QoS classes. There are up to eight definable QoS classes in a single QoS profile. Unless otherwise configured, traffic that does not match a QoS class is assigned a class of 4.
QoS Priority Queuing and QoS Bandwidth Management, the fundamental mechanisms of a QoS configuration, are configured within the QoS class definition (see Step 4). For each QoS class, you can set a priority (real-time, high, medium, and low) and the maximum and guaranteed bandwidth for matching traffic. QoS priority queuing and bandwidth management determine the order of traffic and how traffic is handled upon entering or leaving a network.


QoS Priority Queuing

One of four priorities can be enforced for a QoS class: real-time, high, medium, and low. Traffic matching a QoS policy rule is assigned the QoS class associated with that rule, and the firewall treats the matching traffic based on the QoS class priority. Packets in the outgoing traffic flow are queued based on their priority until the network is ready to process the packets. Priority queuing allows you to ensure that important traffic, applications, and users take precedence. Real-time priority is typically used for applications that are particularly sensitive to latency, such as voice and video applications.

QoS Bandwidth Management

QoS bandwidth management allows you to control traffic flows on a network so that traffic does not exceed network capacity (resulting in network congestion) and also allows you to allocate bandwidth for certain types of traffic and for applications and users. With QoS, you can enforce bandwidth for traffic on a narrow or a broad scale. A QoS profile rule allows you to set bandwidth limits for individual QoS classes and the total combined bandwidth for all eight QoS classes. As part of the steps to Configure QoS, you can attach the QoS profile rule to a physical interface to enforce bandwidth settings on the traffic exiting that interface: the individual QoS class settings are enforced for traffic matching that QoS class (QoS classes are assigned to traffic matching QoS policy rules), and the overall bandwidth limit for the profile can be applied to all clear text traffic, specific clear text traffic originating from source interfaces and source subnets, all tunneled traffic, and individual tunnel interfaces. You can add multiple profile rules to a single QoS interface to apply varying bandwidth settings to the traffic exiting that interface.
The following fields support QoS bandwidth settings:
- Egress Guaranteed: The amount of bandwidth guaranteed for matching traffic. When the egress guaranteed bandwidth is exceeded, the firewall passes traffic on a best-effort basis. Bandwidth that is guaranteed but is unused continues to remain available for all traffic. Depending on your QoS configuration, you can guarantee bandwidth for a single QoS class, for all or some clear text traffic, and for all or some tunneled traffic.
  Example:
  Class 1 traffic has 5 Gbps of egress guaranteed bandwidth, which means that 5 Gbps is available but is not reserved for class 1 traffic. If Class 1 traffic does not use or only partially uses the guaranteed bandwidth, the remaining bandwidth can be used by other classes of traffic. However, during high traffic periods, 5 Gbps of bandwidth is absolutely available for class 1 traffic. During these periods of congestion, any Class 1 traffic that exceeds 5 Gbps is best effort.
- Egress Max: The overall bandwidth allocation for matching traffic. The firewall drops traffic that exceeds the egress max limit that you set. Depending on your QoS configuration, you can set a maximum bandwidth limit for a QoS class, for all or some clear text traffic, for all or some tunneled traffic, and for all traffic exiting the QoS interface.

The cumulative guaranteed bandwidth for the QoS profile rules attached to the interface must not exceed the total bandwidth allocated to the interface.

To define bandwidth settings for QoS classes, Add a QoS profile rule. To then apply those bandwidth settings to clear text and tunneled traffic, and to set the overall bandwidth limit for a QoS interface, Enable QoS on a physical interface.
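The bandwidth constraints stated in this section (Egress Guaranteed never above Egress Max, at most eight classes per profile, and the cumulative guaranteed bandwidth of the profiles on an interface never above the interface's total) can be checked before a commit. The following added example (not code from the guide or from PAN-OS) models a QoS interface, its profile rules and their classes in assumed dataclasses with values in Mbps, and returns every violation it finds; the sample configuration reuses the LimitWebBrowsing profile described later in this chapter with assumed values for everything the guide does not state.

```python
from dataclasses import dataclass, field
from typing import List, Optional

PRIORITIES = ("real-time", "high", "medium", "low")


@dataclass
class QoSClass:
    number: int                                # class 1..8
    priority: str                              # one of PRIORITIES
    egress_max: Optional[int] = None           # Mbps; None = no limit set
    egress_guaranteed: Optional[int] = None    # Mbps; None = no guarantee set


@dataclass
class QoSProfile:
    name: str
    egress_max: Optional[int] = None           # overall allocation for the profile rule
    egress_guaranteed: Optional[int] = None    # guaranteed bandwidth for the profile rule
    classes: List[QoSClass] = field(default_factory=list)


@dataclass
class QoSInterface:
    name: str
    egress_max: Optional[int]                  # total bandwidth allocated to the interface
    profiles: List[QoSProfile] = field(default_factory=list)


def validate_profile(profile):
    """Check one profile rule; returns a list of problem strings (empty if fine)."""
    problems = []
    if len(profile.classes) > 8:
        problems.append(f"{profile.name}: more than eight classes")
    numbers = [c.number for c in profile.classes]
    if len(numbers) != len(set(numbers)):
        problems.append(f"{profile.name}: duplicate class numbers")
    # A guarantee above the hard limit can never be honoured: traffic above Egress Max is dropped.
    if (profile.egress_guaranteed is not None and profile.egress_max is not None
            and profile.egress_guaranteed > profile.egress_max):
        problems.append(f"{profile.name}: egress guaranteed {profile.egress_guaranteed} "
                        f"exceeds egress max {profile.egress_max}")
    for c in profile.classes:
        if not 1 <= c.number <= 8:
            problems.append(f"{profile.name}: class number {c.number} out of range 1-8")
        if c.priority not in PRIORITIES:
            problems.append(f"{profile.name}: class {c.number} has unknown priority {c.priority!r}")
        if (c.egress_guaranteed is not None and c.egress_max is not None
                and c.egress_guaranteed > c.egress_max):
            problems.append(f"{profile.name}: class {c.number} egress guaranteed "
                            f"{c.egress_guaranteed} exceeds egress max {c.egress_max}")
    return problems


def validate_interface(iface):
    """Check an interface and every profile rule attached to it."""
    problems = []
    # The guide calls defining Egress Max on the QoS interface a best practice.
    if iface.egress_max is None:
        problems.append(f"{iface.name}: no Egress Max set (best practice is to always define it)")
    for p in iface.profiles:
        problems.extend(validate_profile(p))
    # The rule stated in this section: cumulative guaranteed bandwidth of the attached
    # profile rules must not exceed the bandwidth allocated to the interface.
    total_guaranteed = sum(p.egress_guaranteed or 0 for p in iface.profiles)
    if iface.egress_max is not None and total_guaranteed > iface.egress_max:
        problems.append(f"{iface.name}: cumulative guaranteed bandwidth {total_guaranteed} "
                        f"exceeds interface egress max {iface.egress_max}")
    return problems


def example_interface():
    """Constructed: the guide's LimitWebBrowsing profile (class 2: max 50 Mbps,
    guaranteed 2 Mbps) on ethernet1/1. The class priority, the profile-level limits
    and the interface Egress Max of 100 Mbps are assumed values, not from the guide."""
    profile = QoSProfile("LimitWebBrowsing", egress_max=100, egress_guaranteed=10,
                         classes=[QoSClass(2, "medium", egress_max=50, egress_guaranteed=2)])
    return QoSInterface("ethernet1/1", egress_max=100, profiles=[profile])


if __name__ == "__main__":
    print(validate_interface(example_interface()) or "configuration is consistent")
```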


QoS Egress Interface

Enabling a QoS profile rule on the egress interface of the traffic identified for QoS treatment completes a QoS configuration. The ingress interface for QoS traffic is the interface on which the traffic enters the firewall. The egress interface for QoS traffic is the interface that traffic leaves the firewall from. QoS is always enabled and enforced on the egress interface for a traffic flow. The egress interface in a QoS configuration can either be the external- or internal-facing interface of the firewall, depending on the flow of the traffic receiving QoS treatment.
For example, in an enterprise network, if you are limiting employees' download traffic from a specific website, the egress interface in the QoS configuration is the firewall's internal interface, as the traffic flow is from the Internet, through the firewall, and to your company network. Alternatively, when limiting employees' upload traffic to the same website, the egress interface in the QoS configuration is the firewall's external interface, as the traffic you are limiting flows from your company network, through the firewall, and then to the Internet.

See Step 3 to learn how to Identify the egress interface for applications that you want to receive QoS treatment.

QoS for Clear Text and Tunneled Traffic

At the minimum, enabling a QoS interface requires you to select a default QoS profile rule that defines bandwidth and priority settings for clear text traffic egressing the interface. However, when setting up or modifying a QoS interface, you can apply granular QoS settings to outgoing clear text traffic and tunneled traffic. QoS preferential treatment and bandwidth limiting can be enforced for tunneled traffic, for individual tunnel interfaces, and/or for clear text traffic originating from different source interfaces and source subnets. On Palo Alto Networks firewalls, tunneled traffic refers to tunnel interface traffic, specifically IPSec traffic in tunnel mode.


Configure QoS

Follow these steps to configure Quality of Service (QoS), which includes creating a QoS profile, creating a QoS policy, and enabling QoS on an interface.

Configure QoS

Step 1 Identify the traffic you want to manage with QoS.
This example shows how to use QoS to limit web-browsing.
Select ACC to view the Application Command Center page. Use the settings and charts on the ACC page to view trends and traffic related to Applications, URL filtering, Threat Prevention, Data Filtering, and HIP Matches.
Click any application name to display detailed application information.

Step 2 Identify the egress interface for applications that you want to receive QoS treatment.
The egress interface for traffic depends on the traffic flow. If you are shaping incoming traffic, the egress interface is the internal-facing interface. If you are shaping outgoing traffic, the egress interface is the external-facing interface.
Select Monitor > Logs > Traffic to view the Traffic logs.
To filter and only show logs for a specific application:
- If an entry is displayed for the application, click the underlined link in the Application column then click the Submit icon.
- If an entry is not displayed for the application, click the Add Log icon and search for the application.
The Egress I/F in the traffic logs displays each application's egress interface. To display the Egress I/F column if it is not displayed by default:
- Click any column header to add a column to the log:
- Click the spyglass icon to the left of any entry to display a detailed log that includes the application's egress interface listed in the Destination section:


Step 3 Add a QoS policy rule.
A QoS policy rule defines the traffic to receive QoS treatment. The firewall assigns a QoS class of service to the traffic matched to the policy rule.
1. Select Policies > QoS and Add a new policy rule.
2. On the General tab, give the QoS Policy Rule a descriptive Name.
3. Specify traffic to receive QoS treatment based on Source, Destination, Application, Service/URL Category, and DSCP/ToS values (the DSCP/ToS settings allow you to Enforce QoS Based on DSCP Classification).
   For example, select the Application, click Add, and select web-browsing to apply QoS to web-browsing traffic.
4. (Optional) Continue to define additional parameters. For example, select Source and Add a source user to provide QoS for a specific user's web traffic.
5. Select Other Settings and assign a QoS Class to traffic matching the policy rule. For example, assign Class 2 to user1's web traffic.
6. Click OK.


Step 4 Add a QoS profile rule.
A QoS profile rule allows you to define the eight classes of service that traffic can receive, including priority, and enables QoS Bandwidth Management.
You can edit any existing QoS profile, including the default, by clicking the QoS profile name.
1. Select Network > Network Profiles > QoS Profile and Add a new profile.
2. Enter a descriptive Profile Name.
3. Set the overall bandwidth limits for the QoS profile rule:
   - Enter an Egress Max value to set the overall bandwidth allocation for the QoS profile rule.
   - Enter an Egress Guaranteed value to set the guaranteed bandwidth for the QoS Profile.
   NOTE: Any traffic that exceeds the Egress Guaranteed value is best effort and not guaranteed. Bandwidth that is guaranteed but is unused continues to remain available for all traffic.
4. In the Classes section, specify how to treat up to eight individual QoS classes:
   a. Add a class to the QoS Profile.
   b. Select the Priority for the class: real-time, high, medium, and low.
   c. Enter the Egress Max and Egress Guaranteed bandwidth for traffic assigned to each QoS class.
5. Click OK.
In the following example, the QoS profile rule LimitWebBrowsing limits Class 2 traffic to a maximum bandwidth of 50 Mbps and a guaranteed bandwidth of 2 Mbps.


Step 5 Enable QoS on a physical interface.
Part of this step includes the option to select clear text and tunneled traffic for unique QoS treatment.
Check if the platform you're using supports enabling QoS on a subinterface by reviewing a summary of the Product Specifications.
1. Select Network > QoS and Add a QoS interface.
2. Select Physical Interface and choose the Interface Name of the interface on which to enable QoS.
   In the example, Ethernet1/1 is the egress interface for web-browsing traffic (see Step 2).
3. Set the Egress Max bandwidth for all traffic exiting this interface.
   It is a best practice to always define the Egress Max value for a QoS interface. Ensure that the cumulative guaranteed bandwidth for the QoS profile rules attached to the interface does not exceed the total bandwidth allocated to the interface.
4. Select Turn on QoS feature on this interface.
5. In the Default Profile section, select a QoS profile rule to apply to all Clear Text traffic exiting the physical interface.
6. (Optional) Select a default QoS profile rule to apply to all tunneled traffic exiting the interface.
   For example, enable QoS on ethernet1/1 and apply the bandwidth and priority settings you defined for the QoS profile rule LimitWebBrowsing (Step 4) to be used as the default settings for clear text egress traffic.
7. (Optional) Continue to define more granular settings to provide QoS for Clear Text and Tunneled Traffic. Settings configured on the Clear Text Traffic tab and the Tunneled Traffic tab automatically override the default profile settings for clear text and tunneled traffic on the Physical Interface tab.
   Select Clear Text Traffic and:
   - Set the Egress Guaranteed and Egress Max bandwidths for clear text traffic.
   - Click Add and apply a QoS profile rule to enforce clear text traffic based on source interface and source subnet.
   Select Tunneled Traffic and:
   - Set the Egress Guaranteed and Egress Max bandwidths for tunneled traffic.
   - Click Add and attach a QoS profile rule to a single tunnel interface.
8. Click OK.

Step 6 Commit the configuration.


Step 7 Verify a QoS configuration.
Select Network > QoS and then Statistics to view QoS bandwidth, active sessions of a selected QoS class, and active applications for the selected QoS class.
For example, see the statistics for ethernet1/1 with QoS enabled:

Class 2 traffic limited to 2 Mbps of guaranteed bandwidth and a maximum bandwidth of 50 Mbps.
Continue to click the tabs to display further information regarding applications, source users, destination users, security rules and QoS rules.
NOTE: Bandwidth limits shown on the QoS Statistics window include a hardware adjustment factor.


Configure QoS for a Virtual System

QoS can be configured for a single or several virtual systems configured on a Palo Alto Networks firewall. Because a virtual system is an independent firewall, QoS must be configured independently for a single virtual system.
Configuring QoS for a virtual system is similar to configuring QoS on a physical firewall, with the exception that configuring QoS for a virtual system requires specifying the source and destination of traffic. Because a virtual system exists without set physical boundaries and because traffic in a virtual environment spans more than one virtual system, specifying source and destination zones and interfaces for traffic is necessary to control and shape traffic for a single virtual system.
The example below shows two virtual systems configured on a firewall. VSYS1 (purple) and VSYS2 (red) each have QoS configured to prioritize or limit two distinct traffic flows, indicated by their corresponding purple (VSYS1) and red (VSYS2) lines. The QoS nodes indicate the points at which traffic is matched to a QoS policy and assigned a QoS class of service, and then later indicate the point at which traffic is shaped as it egresses the firewall.

Refer to Virtual Systems for information on Virtual Systems and how to configure them.

Configure QoS in a Virtual System Environment

Step 1 Confirm that the appropriate interfaces, virtual routers, and security zones are associated with each virtual system.
- To view configured interfaces, select Network > Interface.
- To view configured zones, select Network > Zones.
- To view information on defined virtual routers, select Network > Virtual Routers.


Step 2 Identify traffic to apply QoS to.
Select ACC to view the Application Command Center page. Use the settings and charts on the ACC page to view trends and traffic related to Applications, URL filtering, Threat Prevention, Data Filtering, and HIP Matches.
To view information for a specific virtual system, select the virtual system from the Virtual System drop-down:

Click any application name to display detailed application information.

Step 3 Identify the egress interface for applications that you identified as needing QoS treatment.
In a virtual system environment, QoS is applied to traffic on the traffic's egress point on the virtual system. Depending on the configuration and QoS policy for a virtual system, the egress point of QoS traffic could be associated with a physical interface or could be a zone.
This example shows how to limit web-browsing traffic on vsys1.
Select Monitor > Logs > Traffic to view traffic logs. Each entry has the option to display columns with information necessary to configure QoS in a virtual system environment:
- virtual system
- egress interface
- ingress interface
- source zone
- destination zone
To display a column if it is not displayed by default:
- Click any column header to add a column to the log:
- Click the spyglass icon to the left of any entry to display a detailed log that includes the application's egress interface, as well as source and destination zones, in the Source and Destination sections:

For example, for web-browsing traffic from VSYS1, the ingress interface is ethernet1/2, the egress interface is ethernet1/1, the source zone is trust and the destination zone is untrust.


Step 4 Create a QoS Profile.
You can edit any existing QoS Profile, including the default, by clicking the profile name.
1. Select Network > Network Profiles > QoS Profile and click Add to open the QoS Profile dialog.
2. Enter a descriptive Profile Name.
3. Enter an Egress Max to set the overall bandwidth allocation for the QoS profile.
4. Enter an Egress Guaranteed to set the guaranteed bandwidth for the QoS profile.
   NOTE: Any traffic that exceeds the QoS profile's egress guaranteed limit is best effort but is not guaranteed.
5. In the Classes section of the QoS Profile, specify how to treat up to eight individual QoS classes:
   a. Click Add to add a class to the QoS Profile.
   b. Select the Priority for the class.
   c. Enter an Egress Max for a class to set the overall bandwidth limit for that individual class.
   d. Enter an Egress Guaranteed for the class to set the guaranteed bandwidth for that individual class.
6. Click OK to save the QoS profile.


Step 5 Create a QoS policy.
In an environment with multiple virtual systems, traffic spans more than one virtual system. Because of this, when you are enabling QoS for a virtual system, you must define traffic to receive QoS treatment based on source and destination zones. This ensures that the traffic is prioritized and shaped only for that virtual system (and not for other virtual systems through which the traffic might flow).
1. Select Policies > QoS and Add a QoS Policy Rule.
2. Select General and give the QoS Policy Rule a descriptive Name.
3. Specify the traffic to which the QoS policy rule will apply. Use the Source, Destination, Application, and Service/URL Category tabs to define matching parameters for identifying traffic.
   For example, select Application and Add web-browsing to apply the QoS policy rule to that application:

4. Select Source and Add the source zone of vsys1 web-browsing traffic.

5. Select Destination and Add the destination zone of vsys1 web-browsing traffic.

6. Select Other Settings and select a QoS Class to assign to the QoS policy rule. For example, assign Class 2 to web-browsing traffic on vsys1:

7. Click OK to save the QoS policy rule.


Step6 EnabletheQoSProfileonaphysical 1. SelectNetwork > QoSandclickAdd toopentheQoSInterface


interface. dialog.
Itisabestpracticetoalways 2. EnableQoSonthephysicalinterface:
definetheEgress Max valuefora a. OnthePhysical Interfacetab,selecttheInterface Nameof
QoSinterface. theinterfacetoapplytheQoSProfileto.
Inthisexample,ethernet1/1istheegressinterfacefor
webbrowsingtrafficonvsys1(seeStep 2).

b. SelectTurn on QoS feature on this interface.


3. OnthePhysical Interfacetab,selectthedefaultQoSprofileto
applytoallClear Texttraffic.
(Optional)UsetheTunnel Interfacefieldtoapplyadefault
QoSprofiletoalltunneledtraffic.
4. (Optional)OntheClear Text Traffictab,configureadditional
QoSsettingsforcleartexttraffic:
SettheEgress GuaranteedandEgress Maxbandwidthsfor
cleartexttraffic.
ClickAddtoapplyaQoSProfiletoselectedcleartexttraffic,
furtherselectingthetrafficforQoStreatmentaccordingto
sourceinterfaceandsourcesubnet(creatingaQoSnode).
5. (Optional)Onthe Tunneled Traffic tab,configureadditional
QoSsettingsfortunnelinterfaces:
SettheEgress GuaranteedandEgress Maxbandwidthsfor
tunneledtraffic.
ClickAddtoassociateaselectedtunnelinterfacewithaQoS
Profile.
6. ClickOK tosavechanges.
7. Committhechanges.

Step 7: Verify the QoS configuration.

Select Network > QoS to view the QoS Policies page. The QoS Policies page verifies that QoS is enabled and includes a Statistics link. Click the Statistics link to view QoS bandwidth, active sessions of a selected QoS node or class, and active applications for the selected QoS node or class.

In a multi-vsys environment, sessions cannot span multiple virtual systems. Multiple sessions are created for one traffic flow if the traffic passes through more than one virtual system. To browse sessions running on the firewall and view the applied QoS rules and QoS classes, select Monitor > Session Browser.


Enforce QoS Based on DSCP Classification

A Differentiated Services Code Point (DSCP) is a packet header value that can be used to request (for example) high-priority or best-effort delivery for traffic. Session-Based DSCP Classification allows you both to honor DSCP values for incoming traffic and to mark a session with a DSCP value as session traffic exits the firewall. This enables all inbound and outbound traffic for a session to receive continuous QoS treatment as it flows through your network. For example, inbound return traffic from an external server can now be treated with the same QoS priority that the firewall initially enforced for the outbound flow, based on the DSCP value the firewall detected at the beginning of the session. Network devices between the firewall and the end user will then also enforce the same priority for the return traffic (and any other outbound or inbound traffic for the session).

Different types of DSCP markings indicate different levels of service:

- Expedited Forwarding (EF): Can be used to request low-loss, low-latency, and guaranteed-bandwidth delivery for traffic. Packets with EF codepoint values are typically given highest-priority delivery.
- Assured Forwarding (AF): Can be used to provide reliable delivery for applications. Packets with an AF codepoint indicate a request for the traffic to receive higher-priority treatment than best-effort service provides (though packets with an EF codepoint will continue to take precedence over those with an AF codepoint).
- Class Selector (CS): Can be used to provide backward compatibility with network devices that use the IP Precedence field to mark priority traffic.
- IP Precedence (ToS): Can be used by legacy network devices to mark priority traffic (the IP Precedence header field was used to indicate the priority for a packet before the introduction of DSCP classification).
- Custom Codepoint: Create a custom codepoint to match to traffic by entering a Codepoint Name and Binary Value.

For example, select Assured Forwarding (AF) to ensure that traffic marked with an AF codepoint value has higher priority for reliable delivery than applications marked to receive lower priority. Use the following steps to enable Session-Based DSCP Classification. Start by configuring QoS based on the DSCP marking detected at the beginning of a session. You can then enable the firewall to mark the return flow for a session with the same DSCP value used to enforce QoS for the initial outbound flow.

Apply QoS Based on DSCP/ToS Marking

Step 1: Perform the preliminary steps to Configure QoS.

Step 2: Define the traffic to receive QoS treatment based on DSCP value.

1. Select Policies > QoS and Add or modify an existing QoS rule, and populate the required fields.
2. Select DSCP/ToS and select Codepoints.
3. Add the DSCP/ToS codepoints for which you want to enforce QoS.
4. Select the Type of DSCP/ToS marking for the QoS rule to match to traffic.
   Best practice: use a single DSCP type to manage and prioritize your network traffic.
5. Match the QoS policy to traffic on a more granular scale by specifying the Codepoint value. For example, with Assured Forwarding (AF) selected as the Type of DSCP value for the policy to match, further specify an AF Codepoint value such as AF11.
   Note: when Expedited Forwarding (EF) is selected as the Type of DSCP marking, a granular Codepoint value cannot be specified. The QoS policy rule matches traffic marked with any EF codepoint value.
6. Select Other Settings and assign a QoS Class to traffic matched to the QoS rule. In this example, assign Class 1 to sessions where a DSCP marking of AF11 is detected on the first packet of the session.
7. Click OK to save the QoS rule.

Step 3: Define the QoS priority that traffic receives when it is matched to a QoS rule based on the DSCP marking detected at the beginning of a session.

1. Select Network > Network Profiles > QoS Profile and Add or modify an existing QoS profile. For details on the profile options that set priority and bandwidth for traffic, see QoS Concepts and Configure QoS.
2. Add or modify a profile class. For example, because Step 2 showed how to classify AF11 traffic as Class 1 traffic, you could add or modify a class 1 entry.
3. Select a Priority for the class of traffic, such as high.
4. Click OK to save the QoS profile.

Step 4: Enable QoS on an interface.

Select Network > QoS and Add or modify an existing interface, then select Turn on QoS feature on this interface.

In this example, traffic with an AF11 DSCP marking is matched to the QoS rule and assigned Class 1. The QoS profile enabled on the interface enforces high-priority treatment for Class 1 traffic as it egresses the firewall (the session's outbound traffic).

Step 5: Enable DSCP marking. Mark return traffic with a DSCP value, so that the inbound flow for a session is marked with the same DSCP value detected on the outbound flow.

1. Select Policies > Security and Add or modify a security policy rule.
2. Select Actions and, in the QoS Marking drop-down, choose Follow-Client-to-Server-Flow.
3. Click OK to save your changes.

Completing this step enables the firewall to mark traffic with the same DSCP value that was detected at the beginning of a session (in this example, the firewall would mark return traffic with the DSCP AF11 value). While configuring QoS allows you to shape traffic as it egresses the firewall, enabling this option in a security rule allows the other network devices between the firewall and the client to continue to enforce priority for DSCP-marked traffic.

Step 6: Save the configuration. Commit your changes.
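The following added example (not code from the PAN-OS guide or from the firewall) models, in Python, what the procedure above configures through the web interface: it parses the DSCP bits out of the IPv4 ToS byte, names the standard codepoints (EF, AFxy, CSx), matches a rule the way Step 2 describes (an EF rule matches any EF value, an AF rule can be narrowed to one codepoint such as AF11), and re-marks the server-to-client direction with the DSCP seen on the session's first packet, which is the effect of Follow-Client-to-Server-Flow in Step 5. The rule table, session store and packet helpers are illustrative assumptions, and the sample packets are constructed in the code so it runs offline.

```python
"""DSCP parsing, QoS rule matching and Follow-Client-to-Server re-marking (added example)."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

EF = 0b101110    # Expedited Forwarding, DSCP 46 (RFC 3246)
AF11 = 0b001010  # DSCP 10
# AFxy (RFC 2597): class x in bits 5-3, drop precedence y in bits 2-1, so DSCP = 8x + 2y
AF_NAMES = {8 * cls + 2 * drop: f"AF{cls}{drop}" for cls in (1, 2, 3, 4) for drop in (1, 2, 3)}


def dscp_from_tos(tos: int) -> int:
    """DSCP is the upper 6 bits of the IPv4 ToS byte; the low 2 bits are ECN."""
    return (tos >> 2) & 0x3F


def dscp_name(dscp: int) -> str:
    if dscp == EF:
        return "EF"
    if dscp in AF_NAMES:
        return AF_NAMES[dscp]
    if dscp & 0b111 == 0:  # CS0..CS7; CS0 is best effort, CSx lines up with IP Precedence x
        return f"CS{dscp >> 3}"
    return f"custom({dscp:06b})"


def dscp_type(dscp: int) -> str:
    """The 'Type' a QoS rule selects: EF, AF, CS or custom."""
    name = dscp_name(dscp)
    for prefix in ("EF", "AF", "CS"):
        if name.startswith(prefix):
            return prefix
    return "custom"


@dataclass
class QosRule:
    name: str
    dscp_type: str               # "EF", "AF", "CS" or "custom"
    codepoint: Optional[str]     # e.g. "AF11"; None matches any codepoint of that type
    qos_class: int

    def matches(self, dscp: int) -> bool:
        if dscp_type(dscp) != self.dscp_type:
            return False
        # EF has a single codepoint, so an EF rule always means "any EF" (note in Step 2)
        return self.dscp_type == "EF" or self.codepoint is None or dscp_name(dscp) == self.codepoint


def classify(rules, dscp: int) -> Optional[QosRule]:
    """Top-down, first match wins, like policy evaluation on the firewall."""
    return next((r for r in rules if r.matches(dscp)), None)


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv4(src: str, dst: str, tos: int, proto: int = 17) -> bytes:
    """Constructed 20-byte IPv4 header with no payload (enough for classification)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0x1234, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def set_ipv4_dscp(packet: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP bits, keep the ECN bits, and recompute the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


@dataclass
class Session:
    first_dscp: int             # DSCP seen on the first (client-to-server) packet
    qos_class: Optional[int]


class DscpQosFirewall:
    """Minimal model: classify on the first packet, re-mark the reverse direction."""

    def __init__(self, rules, follow_client_to_server: bool = True):
        self.rules = rules
        self.follow_c2s = follow_client_to_server
        self.sessions = {}  # (client_ip, server_ip) -> Session

    def forward(self, src: str, dst: str, packet: bytes):
        """Return (qos_class, packet_as_forwarded)."""
        if (src, dst) in self.sessions:                 # later client-to-server packets
            return self.sessions[(src, dst)].qos_class, packet
        if (dst, src) in self.sessions:                 # server-to-client return traffic
            sess = self.sessions[(dst, src)]
            out = set_ipv4_dscp(packet, sess.first_dscp) if self.follow_c2s else packet
            return sess.qos_class, out
        dscp = dscp_from_tos(packet[1])                 # first packet: classify the session
        rule = classify(self.rules, dscp)
        self.sessions[(src, dst)] = Session(dscp, rule.qos_class if rule else None)
        return self.sessions[(src, dst)].qos_class, packet


# Illustrative rule table: AF11 -> Class 1 (as in Step 2); any EF -> Class 2; other AF -> Class 3.
RULES = [
    QosRule("af11-to-class1", "AF", "AF11", 1),
    QosRule("ef-any", "EF", None, 2),
    QosRule("other-af", "AF", None, 3),
]

if __name__ == "__main__":
    fw = DscpQosFirewall(RULES)
    request = make_ipv4("10.1.1.10", "203.0.113.5", tos=AF11 << 2)
    print("client->server:", fw.forward("10.1.1.10", "203.0.113.5", request)[0])
    qos_class, reply = fw.forward("203.0.113.5", "10.1.1.10", make_ipv4("203.0.113.5", "10.1.1.10", tos=0))
    print("server->client:", qos_class, dscp_name(dscp_from_tos(reply[1])))
```

Run with `follow_client_to_server=False` to see the return packet leave with its original DSCP of 0 (CS0), which is what an upstream switch would then treat as best effort even though the firewall itself still shapes it as Class 1.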


QoS Use Cases

The following use cases demonstrate how to use QoS in common scenarios:
- Use Case: QoS for a Single User
- Use Case: QoS for Voice and Video Applications

Use Case: QoS for a Single User

A CEO finds that during periods of high network usage, she is unable to access enterprise applications to respond effectively to critical business communications. The IT admin wants to ensure that all traffic to and from the CEO receives preferential treatment over other employee traffic, so that she is guaranteed not only access to, but high performance of, critical network resources.

Apply QoS to a Single User

Step 1: The admin creates the QoS profile CEO_traffic to define how traffic originating from the CEO will be treated and shaped as it flows out of the company network.

The admin assigns a guaranteed bandwidth (Egress Guaranteed) of 50 Mbps to ensure that the CEO will have that amount of bandwidth guaranteed to her at all times (more than she would need to use), regardless of network congestion.

The admin continues by designating Class 1 traffic as high priority and sets the profile's maximum bandwidth usage (Egress Max) to 1000 Mbps, the same maximum bandwidth as the interface that the admin will enable QoS on. The admin is choosing not to restrict the CEO's bandwidth usage in any way.

It is a best practice to populate the Egress Max field for a QoS profile, even if the max bandwidth of the profile matches the max bandwidth of the interface. The QoS profile's max bandwidth should never exceed the max bandwidth of the interface you are planning to enable QoS on.

Step 2: The admin creates a QoS policy rule to identify the CEO's traffic (Policies > QoS) and assigns it the class that he defined in the QoS profile (see Step 1). Because User-ID is configured, the admin uses the Source tab in the QoS policy to identify the CEO's traffic by her company network username. (If User-ID is not configured, the administrator could Add the CEO's IP address under Source Address. See User-ID.)

The admin associates the CEO's traffic with Class 1 (Other Settings tab) and then continues to populate the remaining required policy fields: the admin gives the policy a descriptive Name (General tab) and selects Any for the Source Zone (Source tab) and Destination Zone (Destination tab).

Step 3: Now that Class 1 is associated with the CEO's traffic, the admin enables QoS by checking Turn on QoS feature on interface and selecting the traffic flow's egress interface. The egress interface for the CEO's traffic flow is the external-facing interface, in this case ethernet1/2.

Because the admin wants to ensure that all traffic originating from the CEO is guaranteed by the QoS profile and the associated QoS policy he created, he selects CEO_traffic to apply to Clear Text traffic flowing from ethernet1/2.
Step 4: After committing the QoS configuration, the admin navigates to the Network > QoS page to confirm that the QoS profile CEO_traffic is enabled on the external-facing interface, ethernet1/2.

He clicks Statistics to view how traffic originating with the CEO (Class 1) is being shaped as it flows from ethernet1/2.

This case demonstrates how to apply QoS to traffic originating from a single source user. However, if you also wanted to guarantee or shape traffic to a destination user, you could configure a similar QoS setup. Instead of, or in addition to, this workflow, create a QoS policy that specifies the user's IP address as the Destination Address on the Policies > QoS page (instead of specifying the user's source information) and then enable QoS on the network's internal-facing interface on the Network > QoS page (instead of the external-facing interface). QoS is enforced on egress, and traffic destined for the user leaves the firewall on the internal-facing interface.
Use Case: QoS for Voice and Video Applications

Voice and video traffic is particularly sensitive to the measurements that the QoS feature shapes and controls, especially latency and jitter. For voice and video transmissions to be audible and clear, voice and video packets cannot be dropped, delayed, or delivered inconsistently. A best practice for voice and video applications, in addition to guaranteeing bandwidth, is to guarantee priority to voice and video traffic.

In this example, employees at a company branch office are experiencing difficulties and unreliability in using video conferencing and Voice over IP (VoIP) technologies to conduct business communications with other branch offices, with partners, and with customers. An IT admin intends to implement QoS in order to address these issues and ensure effective and reliable business communication for the branch employees. Because the admin wants to guarantee QoS for both incoming and outgoing network traffic, he will enable QoS on both the firewall's internal- and external-facing interfaces.

Ensure Quality for Voice and Video Applications

Step 1: The admin creates a QoS profile, defining Class 2 so that Class 2 traffic receives real-time priority and, on an interface with a maximum bandwidth of 1000 Mbps, is guaranteed a bandwidth of 250 Mbps at all times, including peak periods of network usage.

Real-time priority is typically recommended for applications affected by latency, and is particularly useful in guaranteeing the performance and quality of voice and video applications.

On the firewall web interface, the admin selects Network > Network Profiles > QoS Profile, clicks Add, enters the Profile Name ensurevoipvideotraffic, and defines Class 2 traffic.
Step 2: The admin creates a QoS policy rule to identify voice and video traffic. Because the company does not have one standard voice and video application, the admin wants to ensure QoS is applied to a few applications that are widely and regularly used by employees to communicate with other offices, with partners, and with customers.

On the Policies > QoS > QoS Policy Rule > Applications tab, the admin clicks Add and opens the Application Filter window. The admin continues by selecting criteria to filter the applications he wants to apply QoS to, choosing the Subcategory voip-video, and narrowing that down by specifying only voip-video applications that are both low risk and widely used.

The application filter is a dynamic tool that, when used to filter applications in the QoS policy, allows QoS to be applied to all applications that meet the criteria of voip-video, low risk, and widely used at any given time.

The admin names the Application Filter voipvideolowrisk and includes it in the QoS policy.

The admin names the QoS policy VoiceVideo and selects Other Settings to assign all traffic matched to the policy to Class 2. He is going to use the VoiceVideo QoS policy for both incoming and outgoing QoS traffic, so he sets the Source and Destination information to Any.
Step 3: Because the admin wants to ensure QoS for both incoming and outgoing voice and video communications, he enables QoS on the network's external-facing interface (to apply QoS to outgoing communications) and on the internal-facing interface (to apply QoS to incoming communications).

The admin begins by enabling the QoS profile he created, ensurevoipvideotraffic (Class 2 in this profile is associated with the policy VoiceVideo), on the external-facing interface, in this case ethernet1/2.

He then enables the same QoS profile, ensurevoipvideotraffic, on a second interface, the internal-facing interface (in this case, ethernet1/1).

Step 4: The admin selects Network > QoS to confirm that QoS is enabled for both incoming and outgoing voice and video traffic.

The admin has successfully enabled QoS on both the network's internal- and external-facing interfaces. Real-time priority is now ensured for voice and video application traffic as it flows both into and out of the network, ensuring that these communications, which are particularly sensitive to latency and jitter, can be used reliably and effectively to perform both internal and external business communications.
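As an added example (not code from the PAN-OS guide or from the firewall), the Python module below encodes the sanity checks the two use cases and the virtual-system procedure state as best practices (always populate Egress Max; a profile's Egress Max must not exceed the interface's; guarantees have to fit inside the maximum) and models how the two profiles, CEO_traffic (Class 1 high, 50 Mbps guaranteed, 1000 Mbps max) and ensurevoipvideotraffic (Class 2 real-time, 250 Mbps guaranteed), share a 1000 Mbps egress interface under load. The allocation rule used here (guarantees first, then strict priority order for the remainder, classes missing from the profile treated as low priority) is a simplification assumed for illustration, not the firewall's actual scheduler.

```python
"""QoS profile sanity checks and a bandwidth allocation model (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PRIORITY_ORDER = {"real-time": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class QosClass:
    priority: str
    egress_guaranteed_mbps: float = 0.0
    egress_max_mbps: Optional[float] = None    # None = no per-class cap


@dataclass
class QosProfile:
    name: str
    egress_max_mbps: Optional[float]            # None = Egress Max left blank (discouraged)
    classes: Dict[int, QosClass] = field(default_factory=dict)


def validate_profile(profile: QosProfile, interface_max_mbps: float) -> List[str]:
    """Return the problems found; an empty list means the profile is sane for this interface."""
    problems = []
    if profile.egress_max_mbps is None:
        problems.append(f"{profile.name}: Egress Max not set (best practice is to always set it)")
    elif profile.egress_max_mbps > interface_max_mbps:
        problems.append(f"{profile.name}: Egress Max {profile.egress_max_mbps} Mbps exceeds interface max "
                        f"{interface_max_mbps} Mbps")
    cap = profile.egress_max_mbps or interface_max_mbps
    guaranteed = sum(c.egress_guaranteed_mbps for c in profile.classes.values())
    if guaranteed > cap:
        problems.append(f"{profile.name}: guarantees total {guaranteed} Mbps, more than the {cap} Mbps available")
    for num, cls in profile.classes.items():
        if cls.priority not in PRIORITY_ORDER:
            problems.append(f"{profile.name}: class {num} has unknown priority {cls.priority!r}")
        if cls.egress_max_mbps is not None and cls.egress_max_mbps > cap:
            problems.append(f"{profile.name}: class {num} max {cls.egress_max_mbps} Mbps exceeds profile max {cap}")
        if cls.egress_max_mbps is not None and cls.egress_guaranteed_mbps > cls.egress_max_mbps:
            problems.append(f"{profile.name}: class {num} guarantee exceeds its own max")
    return problems


def allocate(profile: QosProfile, demand_mbps: Dict[int, float], interface_max_mbps: float) -> Dict[int, float]:
    """Share egress bandwidth among classes with offered load (simplified model).
    Pass 1 gives every class min(demand, guarantee); pass 2 hands the remainder out in
    priority order (real-time first), each class capped by its demand and its Egress Max."""
    cap = min(profile.egress_max_mbps or interface_max_mbps, interface_max_mbps)
    unknown = QosClass("low")  # assumption: a class absent from the profile is treated as low priority
    given = {}
    for num, want in demand_mbps.items():
        given[num] = min(want, profile.classes.get(num, unknown).egress_guaranteed_mbps)
    remaining = cap - sum(given.values())
    by_priority = sorted(demand_mbps, key=lambda n: (PRIORITY_ORDER[profile.classes.get(n, unknown).priority], n))
    for num in by_priority:
        cls = profile.classes.get(num, unknown)
        ceiling = min(demand_mbps[num], cls.egress_max_mbps if cls.egress_max_mbps is not None else cap)
        extra = max(0.0, min(ceiling - given[num], remaining))
        given[num] += extra
        remaining -= extra
    return given


# The two profiles from the use cases; class 4 stands in for everyone else's traffic.
CEO_TRAFFIC = QosProfile("CEO_traffic", egress_max_mbps=1000,
                         classes={1: QosClass("high", egress_guaranteed_mbps=50), 4: QosClass("medium")})
VOIP_VIDEO = QosProfile("ensurevoipvideotraffic", egress_max_mbps=1000,
                        classes={2: QosClass("real-time", egress_guaranteed_mbps=250), 4: QosClass("medium")})

if __name__ == "__main__":
    for profile in (CEO_TRAFFIC, VOI_VIDEO if False else VOIP_VIDEO):
        print(profile.name, "problems:", validate_profile(profile, 1000))
    print("CEO under load:", allocate(CEO_TRAFFIC, {1: 80, 4: 950}, 1000))     # CEO gets all 80 Mbps
    print("VoIP under load:", allocate(VOIP_VIDEO, {2: 400, 4: 900}, 1000))    # voice/video gets all 400 Mbps
```

The checks are the part worth keeping: a profile whose Egress Max exceeds the interface cannot be enforced as written, and the "Egress Max left blank" case is exactly the one the guide tells you to avoid.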



VPNs

Virtual private networks (VPNs) create tunnels that allow users/systems to connect securely over a public network, as if they were connecting over a local area network (LAN). To set up a VPN tunnel, you need a pair of devices that can authenticate each other and encrypt the flow of information between them. The devices can be a pair of Palo Alto Networks firewalls, or a Palo Alto Networks firewall along with a VPN-capable device from another vendor.

- VPN Deployments
- Site-to-Site VPN Overview
- Site-to-Site VPN Concepts
- Set Up Site-to-Site VPN
- Site-to-Site VPN Quick Configs

VPN Deployments

The Palo Alto Networks firewall supports the following VPN deployments:

- Site-to-Site VPN: A simple VPN that connects a central site and a remote site, or a hub-and-spoke VPN that connects a central site with multiple remote sites. The firewall uses the IP Security (IPSec) set of protocols to set up a secure tunnel for the traffic between the two sites. See Site-to-Site VPN Overview.
- Remote User-to-Site VPN: A solution that uses the GlobalProtect agent to allow a remote user to establish a secure connection through the firewall. This solution uses SSL and IPSec to establish a secure connection between the user and the site. Refer to the GlobalProtect Administrator's Guide.
- Large Scale VPN: The Palo Alto Networks GlobalProtect Large Scale VPN (LSVPN) provides a simplified mechanism to roll out a scalable hub-and-spoke VPN with up to 1,024 satellite offices. The solution requires Palo Alto Networks firewalls to be deployed at the hub and at every spoke. It uses certificates for device authentication, SSL for securing communication between all components, and IPSec to secure data. See Large Scale VPN (LSVPN).

Figure: VPN Deployments

Site-to-Site VPN Overview

A VPN connection that allows you to connect two Local Area Networks (LANs) is called a site-to-site VPN. You can configure route-based VPNs to connect Palo Alto Networks firewalls located at two sites or to connect a Palo Alto Networks firewall with a third-party security device at another location. The firewall can also interoperate with third-party policy-based VPN devices; the Palo Alto Networks firewall itself supports route-based VPN.

The Palo Alto Networks firewall sets up a route-based VPN, where the firewall makes a routing decision based on the destination IP address. If traffic is routed to a specific destination through a VPN tunnel, then it is handled as VPN traffic.

The IP Security (IPSec) set of protocols is used to set up a secure tunnel for the VPN traffic, and the information in the TCP/IP packet is secured (and encrypted if the tunnel type is ESP). The IP packet (header and payload) is embedded in another IP payload, and a new header is applied and then sent through the IPSec tunnel. The source IP address in the new header is that of the local VPN peer and the destination IP address is that of the VPN peer on the far end of the tunnel. When the packet reaches the remote VPN peer (the firewall at the far end of the tunnel), the outer header is removed and the original packet is sent to its destination.

In order to set up the VPN tunnel, the peers first need to be authenticated. After successful authentication, the peers negotiate the encryption mechanism and algorithms to secure the communication. The Internet Key Exchange (IKE) process is used to authenticate the VPN peers, and IPSec Security Associations (SAs) are defined at each end of the tunnel to secure the VPN communication. IKE uses digital certificates or preshared keys, together with Diffie-Hellman keys, to set up the SAs for the IPSec tunnel. The SAs specify all of the parameters that are required for secure transmission, including the security parameter index (SPI), security protocol, cryptographic keys, and the destination IP address, and they cover encryption, data authentication, data integrity, and endpoint authentication.

The following figure shows a VPN tunnel between two sites. When a client that is secured by VPN Peer A needs content from a server located at the other site, VPN Peer A initiates a connection request to VPN Peer B. If the security policy permits the connection, VPN Peer A uses the IKE Crypto profile parameters (IKE phase 1) to establish a secure connection and authenticate VPN Peer B. Then, VPN Peer A establishes the VPN tunnel using the IPSec Crypto profile, which defines the IKE phase 2 parameters that allow the secure transfer of data between the two sites.

Figure: Site-to-Site VPN


Site-to-Site VPN Concepts

A VPN connection provides secure access to information between two or more sites. In order to provide secure access to resources and reliable connectivity, a VPN connection needs the following components:
- IKE Gateway
- Tunnel Interface
- Tunnel Monitoring
- Internet Key Exchange (IKE) for VPN
- IKEv2

IKE Gateway

The Palo Alto Networks firewalls, or a firewall and another security device, that initiate and terminate VPN connections across the two networks are called the IKE Gateways. To set up the VPN tunnel and send traffic between the IKE Gateways, each peer must have an IP address (static or dynamic) or an FQDN. The VPN peers use preshared keys or certificates to mutually authenticate each other.

The peers must also negotiate the mode (main or aggressive) for setting up the VPN tunnel and the SA lifetime in IKE Phase 1. Main mode protects the identity of the peers and is more secure because more packets are exchanged when setting up the tunnel. Main mode is the recommended mode for IKE negotiation if both peers support it. Aggressive mode uses fewer packets to set up the VPN tunnel and is hence faster, but it is a less secure option, because the identity and the preshared-key-based authentication hash are sent before the exchange is protected.

See Set Up an IKE Gateway for configuration details.

Tunnel Interface

To set up a VPN tunnel, the Layer 3 interface at each end must have a logical tunnel interface for the firewall to connect to and establish a VPN tunnel. A tunnel interface is a logical (virtual) interface that is used to deliver traffic between two endpoints. If you configure any proxy IDs, each proxy ID is counted toward the IPSec tunnel capacity.

The tunnel interface must belong to a security zone to apply policy, and it must be assigned to a virtual router in order to use the existing routing infrastructure. Ensure that the tunnel interface and the physical interface are assigned to the same virtual router so that the firewall can perform a route lookup and determine the appropriate tunnel to use.

Typically, the Layer 3 interface that the tunnel interface is attached to belongs to an external zone, for example the untrust zone. While the tunnel interface can be in the same security zone as the physical interface, for added security and better visibility you can create a separate zone for the tunnel interface. If you create a separate zone for the tunnel interface, say a VPN zone, you will need to create security policies to enable traffic to flow between the VPN zone and the trust zone.


To route traffic between the sites, a tunnel interface does not require an IP address. An IP address is only required if you want to enable tunnel monitoring or if you are using a dynamic routing protocol to route traffic across the tunnel. With dynamic routing, the tunnel IP address serves as the next-hop IP address for routing traffic to the VPN tunnel.

If you are configuring the Palo Alto Networks firewall with a VPN peer that performs policy-based VPN, you must configure a local and remote Proxy ID when setting up the IPSec tunnel. Each peer compares the Proxy IDs configured on it with what is actually received in the packet in order to allow a successful IKE phase 2 negotiation. If multiple tunnels are required, configure unique Proxy IDs for each tunnel interface; a tunnel interface can have a maximum of 250 Proxy IDs. Each Proxy ID counts toward the IPSec VPN tunnel capacity of the firewall, and the tunnel capacity varies by firewall model.

See Set Up an IPSec Tunnel for configuration details.

Tunnel Monitoring

For a VPN tunnel, you can check connectivity to a destination IP address across the tunnel. The network monitoring profile on the firewall allows you to verify connectivity (using ICMP) to a destination IP address or a next hop at a specified polling interval, and to specify an action on failure to access the monitored IP address.

If the destination IP is unreachable, you either configure the firewall to wait for the tunnel to recover or configure automatic failover to another tunnel. In either case, the firewall generates a system log that alerts you to a tunnel failure and renegotiates the IPSec keys to accelerate recovery.

See Set Up Tunnel Monitoring for configuration details.


Internet Key Exchange (IKE) for VPN

The IKE process allows the VPN peers at both ends of the tunnel to encrypt and decrypt packets using mutually agreed-upon keys or certificates and a method of encryption. The IKE process occurs in two phases: IKE Phase 1 and IKE Phase 2. Each of these phases uses keys and encryption algorithms that are defined using cryptographic profiles (the IKE Crypto profile and the IPSec Crypto profile), and the result of the IKE negotiation is a Security Association (SA). An SA is a set of mutually agreed-upon keys and algorithms that are used by both VPN peers to allow the flow of data across the VPN tunnel. The following illustration depicts the key exchange process for setting up the VPN tunnel.

IKE Phase 1

In this phase, the firewalls use the parameters defined in the IKE Gateway configuration and the IKE Crypto profile to authenticate each other and set up a secure control channel. IKE Phase 1 supports the use of preshared keys or digital certificates (which use public key infrastructure, PKI) for mutual authentication of the VPN peers. Preshared keys are a simple solution for securing smaller networks because they do not require the support of a PKI infrastructure. Digital certificates can be more convenient for larger networks or implementations that require stronger authentication security.

When using certificates, make sure that the CA issuing the certificate is trusted by both gateway peers and that the maximum length of the certificate chain is 5 or less. With IKE fragmentation enabled, the firewall can reassemble IKE messages with up to 5 certificates in the certificate chain and successfully establish a VPN tunnel.

The IKE Crypto profile defines the following options that are used in the IKE SA negotiation:

- Diffie-Hellman (DH) group for generating symmetrical keys for IKE. The Diffie-Hellman algorithm uses the private key of one party and the public key of the other to create a shared secret that both VPN tunnel peers derive but never transmit. The DH groups supported on the firewall are: Group 1 (768 bits), Group 2 (1024 bits, the default), Group 5 (1536 bits), Group 14 (2048 bits), Group 19 (256-bit elliptic curve group), and Group 20 (384-bit elliptic curve group). Groups 1, 2, and 5 are below current strength recommendations; prefer Group 14 or the elliptic curve groups when the peer supports them.
- Authentication algorithms: sha1, sha256, sha384, sha512, or md5.
- Encryption algorithms: 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des.

DES, 3DES, and MD5 remain available for interoperability with legacy peers only; use AES and a SHA-2 hash where the peer allows it.


IKE Phase 2

After the tunnel is secured and authenticated, in Phase 2 the channel is further secured for the transfer of data between the networks. IKE Phase 2 uses the keys that were established in Phase 1 of the process and the IPSec Crypto profile, which defines the IPSec protocols and keys used for the SA in IKE Phase 2.

IPSec uses the following protocols to enable secure communication:

- Encapsulating Security Payload (ESP): Allows you to encrypt the entire IP packet, authenticate the source, and verify the integrity of the data. While ESP normally both encrypts and authenticates the packet, you can choose to only encrypt (authentication set to none) or only authenticate (encryption set to null). Using encryption without authentication is discouraged: ciphertext that is not integrity-protected can be modified in transit without detection.
- Authentication Header (AH): Authenticates the source of the packet and verifies data integrity. AH does not encrypt the data payload and is unsuited for deployments where data privacy is important. AH is commonly used when the main concern is to verify the legitimacy of the peer, and data privacy is not required.

Table: Algorithms Supported for IPSec Authentication and Encryption

Diffie-Hellman (DH) exchange options supported (ESP and AH):
- Group 1 (768 bits)
- Group 2 (1024 bits, the default)
- Group 5 (1536 bits)
- Group 14 (2048 bits)
- Group 19 (256-bit elliptic curve group)
- Group 20 (384-bit elliptic curve group)
- no-pfs: By default, perfect forward secrecy (PFS) is enabled, which means a new DH key is generated in IKE phase 2 using one of the groups listed above. This key is independent of the keys exchanged in IKE phase 1 and provides better data transfer security. If you select no-pfs, the DH key created at phase 1 is not renewed and a single key is used for the IPSec SA negotiations. PFS must be either enabled on both VPN peers or disabled on both.

Encryption algorithms supported (ESP only):

  3des          Triple Data Encryption Standard (3DES) with a security strength of 112 bits
  aes-128-cbc   Advanced Encryption Standard (AES) using cipher block chaining (CBC) with a security strength of 128 bits
  aes-192-cbc   AES using CBC with a security strength of 192 bits
  aes-256-cbc   AES using CBC with a security strength of 256 bits
  aes-128-ccm   AES using Counter with CBC-MAC (CCM) with a security strength of 128 bits
  aes-128-gcm   AES using Galois/Counter Mode (GCM) with a security strength of 128 bits
  aes-256-gcm   AES using GCM with a security strength of 256 bits
  des           Data Encryption Standard (DES) with a security strength of 56 bits

Authentication algorithms supported (ESP and AH):

  md5
  sha1
  sha256
  sha384
  sha512

CCM and GCM are authenticated-encryption modes: the cipher itself produces the integrity check value, so they do not need a separate authentication algorithm.
Methods of Securing IPSec VPN Tunnels (IKE Phase 2)

IPSec VPN tunnels can be secured using manual keys or auto keys. In addition, IPSec configuration options include a Diffie-Hellman group for key agreement, and/or an encryption algorithm and a hash for message authentication.

- Manual Key: A manual key is typically used if the Palo Alto Networks firewall is establishing a VPN tunnel with a legacy device, or if you want to reduce the overhead of generating session keys. If using manual keys, the same key must be configured on both peers. Manual keys are not recommended for establishing a VPN tunnel, because the session keys can be compromised when relaying the key information between the peers and a manual key is never rotated; if the keys are compromised, the data transfer is no longer secure.
- Auto Key: Auto Key allows you to automatically generate keys for setting up and maintaining the IPSec tunnel based on the algorithms defined in the IPSec Crypto profile.
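The following added example (not code from the PAN-OS guide or from the firewall) shows, in Python, what the parameters of an IPSec SA (SPI, integrity key, sequence counter) are used for once IKE phase 2 has negotiated them. The sender builds an ESP packet (RFC 4303) with null encryption (RFC 2410) and an HMAC-SHA1-96 integrity check value (RFC 2404), which is the "only authenticate" configuration discussed above; the receiver verifies the ICV before trusting anything in the packet and then enforces the RFC 4303 sliding anti-replay window. The SPI, key and payloads are sample values constructed here, not negotiated ones.

```python
"""ESP with null encryption plus HMAC-SHA1-96 integrity, and the anti-replay window (added example)."""
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte HMAC-SHA1 tag truncated to 96 bits


def build_esp(spi: int, seq: int, payload: bytes, next_header: int, auth_key: bytes) -> bytes:
    """SPI(4) | Seq(4) | payload | padding | pad_len(1) | next_header(1) | ICV(12).
    With null encryption the 'ciphertext' is the plaintext; padding makes the
    trailer end on a 32-bit boundary as RFC 4303 section 2.4 requires."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))        # default pad pattern 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class InboundSA:
    """Receiver state for one SA: integrity key and the RFC 4303 section 3.4.3 replay window."""

    def __init__(self, spi: int, auth_key: bytes, window: int = 64):
        self.spi, self.key, self.window = spi, auth_key, window
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) already seen

    def replay_check(self, seq: int) -> bool:
        """True if seq is new and inside (or to the right of) the window."""
        if seq == 0 or seq > 0xFFFFFFFF:
            return False                          # 0 is never sent; 32-bit counter
        if seq > self.top:
            return True
        diff = self.top - seq
        return diff < self.window and not (self.bitmap >> diff) & 1

    def mark_received(self, seq: int) -> None:
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.window) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, packet: bytes):
        """Return (next_header, payload) or raise ValueError. The order matters:
        SPI, replay pre-check, ICV, then window update, so a sender who cannot
        forge the ICV can neither advance the window nor replay old packets."""
        if len(packet) < 8 + 2 + ICV_LEN:
            raise ValueError("truncated ESP packet")
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if not self.replay_check(seq):
            raise ValueError("replayed or stale sequence number")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch")
        self.mark_received(seq)
        pad_len, next_header = body[-2], body[-1]
        return next_header, body[8:len(body) - 2 - pad_len]


def try_receive(sa: InboundSA, packet: bytes):
    """Convenience wrapper returning (accepted, payload_or_reason)."""
    try:
        return True, sa.receive(packet)
    except ValueError as err:
        return False, str(err)


# Constructed sample SA parameters; real ones come from the IPSec Crypto profile negotiation.
SAMPLE_SPI = 0x1000ABCD
SAMPLE_KEY = bytes(range(20))   # 160-bit HMAC-SHA1 key

if __name__ == "__main__":
    sa = InboundSA(SAMPLE_SPI, SAMPLE_KEY)
    pkt = build_esp(SAMPLE_SPI, 1, b"inner IP packet from site A", 4, SAMPLE_KEY)  # next header 4 = IP-in-IP (tunnel mode)
    print(try_receive(sa, pkt))   # accepted
    print(try_receive(sa, pkt))   # same packet again: rejected as a replay
```

Note that the integrity check covers the SPI and sequence number as well as the payload, which is what makes the replay window trustworthy: without an ICV (encryption-only ESP), an on-path attacker could rewrite the sequence number and the payload at will.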

IKEv2

An IPSec VPN gateway uses IKEv1 or IKEv2 to negotiate the IKE security association (SA) and the IPSec tunnel. IKEv2 is defined in RFC 5996 (since superseded by RFC 7296).

Unlike IKEv1, which uses a Phase 1 SA and a Phase 2 SA, IKEv2 uses a child SA for Encapsulating Security Payload (ESP) or Authentication Header (AH), which is set up under an IKE SA.

NAT traversal (NAT-T) must be enabled on both gateways if NAT occurs on a device that sits between the two gateways. A gateway can see only the public (globally routable) IP address of the NAT device.

IKEv2 provides the following benefits over IKEv1:
- Tunnel endpoints exchange fewer messages to establish a tunnel. IKEv2 uses four messages; IKEv1 uses either nine messages (in main mode) or six messages (in aggressive mode).
- Built-in NAT-T functionality improves compatibility between vendors.
- A built-in health check automatically re-establishes a tunnel if it goes down. The liveness check replaces the Dead Peer Detection used in IKEv1.
- Supports traffic selectors (one per exchange). The traffic selectors are used in IKE negotiations to control what traffic can access the tunnel.
- Supports Hash and URL certificate exchange to reduce fragmentation.
- Resiliency against DoS attacks with improved peer validation. An excessive number of half-open SAs can trigger cookie validation.

Before configuring IKEv2, you should be familiar with the following concepts:
- Liveness Check
- Cookie Activation Threshold and Strict Cookie Validation
- Traffic Selectors
- Hash and URL Certificate Exchange
- SA Key Lifetime and Re-Authentication Interval

After you Set Up an IKE Gateway, if you chose IKEv2, perform the following optional tasks related to IKEv2 as required by your environment:
- Export a Certificate for a Peer to Access Using Hash and URL
- Import a Certificate for IKEv2 Gateway Authentication
- Change the Key Lifetime or Authentication Interval for IKEv2
- Change the Cookie Activation Threshold for IKEv2
- Configure IKEv2 Traffic Selectors

Liveness Check

The liveness check for IKEv2 is similar to Dead Peer Detection (DPD), which IKEv1 uses to determine whether a peer is still available.

In IKEv2, the liveness check is achieved by any IKEv2 packet transmission or by an empty informational message that the gateway sends to the peer at a configurable interval, five seconds by default. If necessary, the sender attempts the retransmission up to ten times. If it doesn't get a response, the sender closes and deletes the IKE_SA and the corresponding CHILD_SAs. The sender then starts over by sending out another IKE_SA_INIT message.

Cookie Activation Threshold and Strict Cookie Validation

Cookie validation is always enabled for IKEv2; it helps protect against half-open SA DoS attacks. You can configure the global threshold number of half-open SAs that will trigger cookie validation. You can also configure individual IKE gateways to enforce cookie validation for every new IKEv2 SA.

The Cookie Activation Threshold is a global VPN session setting that limits the number of simultaneous half-opened IKE SAs (the default is 500). When the number of half-opened IKE SAs exceeds the Cookie Activation Threshold, the Responder will request a cookie, and the Initiator must respond with an IKE_SA_INIT containing the cookie to validate the connection. If the cookie validation is successful, another SA can be initiated. A value of 0 means that cookie validation is always on.

The Responder does not maintain any state for the Initiator, nor does it perform a Diffie-Hellman key exchange, until the Initiator returns the cookie. IKEv2 cookie validation mitigates a DoS attack that would try to leave numerous connections half open.

The Cookie Activation Threshold must be lower than the Maximum Half Opened SA setting. If you Change the Cookie Activation Threshold for IKEv2 to a very high number (for example, 65534) and the Maximum Half Opened SA setting remains at the default value of 65535, cookie validation is essentially disabled.

You can enable Strict Cookie Validation if you want cookie validation performed for every new IKEv2 SA a gateway receives, regardless of the global threshold. Strict Cookie Validation affects only the IKE gateway being configured and is disabled by default. With Strict Cookie Validation disabled, the system uses the Cookie Activation Threshold to determine whether a cookie is needed or not.
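As an added example (not code from the PAN-OS guide or from the firewall), the Python model below shows the IKEv2 cookie mechanism of RFC 7296 section 2.6 with the three settings described above as parameters: the responder keeps no state for an IKE_SA_INIT until the initiator proves it can receive at its claimed address, the Cookie Activation Threshold decides when challenges start, Maximum Half Opened SA is the hard cap, and Strict Cookie Validation challenges every new SA. The cookie construction (secret version byte followed by an HMAC over Ni, IPi and SPIi) follows the RFC's suggestion; the message class, the return values and the flood simulation are assumptions of this model.

```python
"""IKEv2 cookie challenge as a half-open SA DoS control (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class IkeSaInit:
    spi_i: bytes                     # 8-byte initiator SPI
    nonce_i: bytes                   # Ni
    src_ip: str                      # IPi as seen by the responder
    cookie: Optional[bytes] = None   # N(COOKIE) carried on the retry


class Ikev2Responder:
    def __init__(self, cookie_activation_threshold: int = 500, max_half_open: int = 65535,
                 strict_cookie_validation: bool = False, secret: Optional[bytes] = None):
        self.threshold = cookie_activation_threshold
        self.max_half_open = max_half_open
        self.strict = strict_cookie_validation
        self.secret = secret or os.urandom(32)   # a real responder rotates this periodically
        self.secret_version = 1
        self.half_open = {}                       # spi_i -> per-SA state

    def cookie_for(self, msg: IkeSaInit) -> bytes:
        """Stateless: the cookie is recomputed on return, so nothing is stored per challenge."""
        mac = hmac.new(self.secret, msg.nonce_i + msg.src_ip.encode() + msg.spi_i, hashlib.sha256).digest()
        return bytes([self.secret_version]) + mac[:16]

    def cookie_required(self) -> bool:
        # Threshold 0 means always on; Strict Cookie Validation is per gateway and overrides the threshold.
        return self.strict or self.threshold == 0 or len(self.half_open) >= self.threshold

    def handle_ike_sa_init(self, msg: IkeSaInit) -> Tuple[str, Optional[bytes]]:
        """Return ("COOKIE", cookie) to challenge, ("IKE_SA_INIT_RESPONSE", None) once
        state is allocated, or ("DROP", None) at the Maximum Half Opened SA limit."""
        if self.cookie_required():
            if msg.cookie is None or not hmac.compare_digest(msg.cookie, self.cookie_for(msg)):
                return "COOKIE", self.cookie_for(msg)    # no state kept, no DH computed
        if msg.spi_i in self.half_open:
            return "IKE_SA_INIT_RESPONSE", None         # retransmission; do not double-count
        if len(self.half_open) >= self.max_half_open:
            return "DROP", None
        self.half_open[msg.spi_i] = {"nonce_i": msg.nonce_i, "dh_done": True}  # the expensive part happens here
        return "IKE_SA_INIT_RESPONSE", None

    def complete_ike_auth(self, spi_i: bytes) -> None:
        """IKE_AUTH finished (or the half-open SA timed out): it no longer counts."""
        self.half_open.pop(spi_i, None)


def flood(responder: Ikev2Responder, count: int) -> int:
    """Constructed attack: spoofed IKE_SA_INITs that never answer a challenge.
    Returns how many half-open SAs the responder is left holding."""
    for i in range(count):
        spoofed = IkeSaInit(spi_i=i.to_bytes(8, "big"), nonce_i=os.urandom(32), src_ip=f"198.51.100.{i % 250}")
        responder.handle_ike_sa_init(spoofed)
    return len(responder.half_open)


if __name__ == "__main__":
    responder = Ikev2Responder(cookie_activation_threshold=3)
    print("half-open SAs after a 1000-packet flood:", flood(responder, 1000))
    legit = IkeSaInit(spi_i=b"\xaa" * 8, nonce_i=os.urandom(32), src_ip="192.0.2.1")
    action, cookie = responder.handle_ike_sa_init(legit)
    retry = IkeSaInit(legit.spi_i, legit.nonce_i, legit.src_ip, cookie)
    print(action, "->", responder.handle_ike_sa_init(retry)[0])
```

The flood function also illustrates the misconfiguration the text warns about: with the threshold set above Maximum Half Opened SA, the cap is reached before any challenge is ever issued, so genuine peers get dropped instead of challenged.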

Traffic Selectors

In IKEv1, a firewall that has a route-based VPN needs to use a local and remote Proxy ID in order to set up an IPSec tunnel. Each peer compares its Proxy IDs with what it received in the packet in order to successfully negotiate IKE Phase 2. IKE Phase 2 is about negotiating the SAs to set up an IPSec tunnel. (For more information on Proxy IDs, see Tunnel Interface.)
In IKEv2, you can Configure IKEv2 Traffic Selectors, which are components of network traffic that are used during IKE negotiation. Traffic selectors are used during the CHILD_SA (tunnel creation) Phase 2 to set up the tunnel and to determine what traffic is allowed through the tunnel. The two IKE gateway peers must negotiate and agree on their traffic selectors; otherwise, one side narrows its address range to reach agreement. One IKE connection can have multiple tunnels; for example, you can assign different tunnels to each department to isolate their traffic. Separation of traffic also allows features such as QoS to be implemented.
The IPv4 and IPv6 traffic selectors are:
- Source IP address: A network prefix, address range, specific host, or wildcard.
- Destination IP address: A network prefix, address range, specific host, or wildcard.
- Protocol: A transport protocol, such as TCP or UDP.
- Source port: The port where the packet originated.
- Destination port: The port the packet is destined for.
During IKE negotiation, there can be multiple traffic selectors for different networks and protocols. For example, the Initiator might indicate that it wants to send TCP packets from 172.168.0.0/16 through the tunnel to its peer, destined for 198.5.0.0/16. It also wants to send UDP packets from 172.17.0.0/16 through the same tunnel to the same gateway, destined for 0.0.0.0 (any network). The peer gateway must agree to these traffic selectors so that it knows what to expect.
It is possible that one gateway will start negotiation using a traffic selector that is a more specific IP address than the IP address of the other gateway.
For example, gateway A offers a source IP address of 172.16.0.0/16 and a destination IP address of 192.16.0.0/16. But gateway B is configured with 0.0.0.0 (any source) as the source IP address and 0.0.0.0 (any destination) as the destination IP address. Therefore, gateway B narrows down its source IP address to 192.16.0.0/16 and its destination address to 172.16.0.0/16. Thus, the narrowing down accommodates the addresses of gateway A, and the traffic selectors of the two gateways are in agreement.
If gateway B (configured with source IP address 0.0.0.0) is the Initiator instead of the Responder, gateway A will respond with its more specific IP addresses, and gateway B will narrow down its addresses to reach agreement.
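The following is an added example, not code from the page or from PAN-OS, covering both the IKEv1 Proxy-ID comparison at the start of this section and the IKEv2 narrowing case with gateways A and B; it also generalises narrowing to protocol and port ranges. Class and function names, and the use of Python's ipaddress module, are this example's own.

```python
"""IKEv1 Proxy-ID matching and IKEv2 traffic selector narrowing (added example).

An IKEv1 peer requires its local/remote Proxy IDs to equal the received ones
exactly; IKEv2 peers intersect their traffic selectors, and the side that
offered the wider range narrows to the more specific one.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Optional, Tuple, Union

Network = Union[IPv4Network, IPv6Network]
PortRange = Tuple[int, int]
ANY_PORTS: PortRange = (0, 65535)


@dataclass(frozen=True)
class TrafficSelector:
    """One direction of one IKEv2 TS or IKEv1 Proxy ID: prefix, protocol, port range."""
    network: Network
    protocol: int = 0          # 0 means any protocol, as in IKEv2 TS payloads
    ports: PortRange = ANY_PORTS

    @classmethod
    def of(cls, cidr: str, protocol: int = 0, ports: PortRange = ANY_PORTS) -> "TrafficSelector":
        return cls(ip_network(cidr, strict=False), protocol, ports)


def ikev1_proxy_ids_match(local_a: TrafficSelector, remote_a: TrafficSelector,
                          local_b: TrafficSelector, remote_b: TrafficSelector) -> bool:
    """IKEv1 Phase 2: A's local must equal B's remote and vice versa, exactly."""
    return local_a == remote_b and remote_a == local_b


def narrow(ours: TrafficSelector, theirs: TrafficSelector) -> Optional[TrafficSelector]:
    """Intersect two selectors; None means no overlap, i.e. no agreement possible."""
    if ours.network.version != theirs.network.version:
        return None
    if ours.network.subnet_of(theirs.network):
        net = ours.network                       # we are already the narrower side
    elif theirs.network.subnet_of(ours.network):
        net = theirs.network                     # narrow down to the peer's prefix
    else:
        return None                              # partially overlapping or disjoint prefixes
    if ours.protocol and theirs.protocol and ours.protocol != theirs.protocol:
        return None
    proto = ours.protocol or theirs.protocol
    lo = max(ours.ports[0], theirs.ports[0])
    hi = min(ours.ports[1], theirs.ports[1])
    if lo > hi:
        return None
    return TrafficSelector(net, proto, (lo, hi))


def ikev2_negotiate(initiator_src: TrafficSelector, initiator_dst: TrafficSelector,
                    responder_src: TrafficSelector, responder_dst: TrafficSelector
                    ) -> Optional[Tuple[TrafficSelector, TrafficSelector]]:
    """Return the responder's narrowed (source, destination) pair, or None.

    The responder's source is matched against the initiator's destination and
    the responder's destination against the initiator's source, which is why
    gateway B in the text ends up with 192.16.0.0/16 as its source.
    """
    src = narrow(responder_src, initiator_dst)
    dst = narrow(responder_dst, initiator_src)
    if src is None or dst is None:
        return None
    return src, dst
```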


Hash and URL Certificate Exchange

IKEv2 supports Hash and URL Certificate Exchange, which is used during an IKEv2 negotiation of an SA. You store the certificate on an HTTP server, which is specified by a URL. The peer fetches the certificate from the server based on receiving the URL to the server. The hash is used to check whether the content of the certificate is valid or not. Thus, the two peers exchange certificates with the HTTP CA rather than with each other.
The hash part of Hash and URL reduces the message size, and thus Hash and URL is a way to reduce the likelihood of packet fragmentation during IKE negotiation. The peer receives the certificate and hash that it expects, and thus IKE Phase 1 has validated the peer. Reducing fragmentation occurrences helps protect against DoS attacks.
You can enable the Hash and URL certificate exchange when configuring an IKE gateway by selecting HTTP Certificate Exchange and entering the Certificate URL. The peer must also use Hash and URL certificate exchange in order for the exchange to be successful. If the peer cannot use Hash and URL, X.509 certificates are exchanged similarly to how they are exchanged in IKEv1.
If you enable the Hash and URL certificate exchange, you must export your certificate to the certificate server if it is not already there. When you export the certificate, the file format should be Binary Encoded Certificate (DER). See Export a Certificate for a Peer to Access Using Hash and URL.
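The following is an added example, not PAN-OS code, showing the exchange above at the payload level: the sender places the SHA-1 hash of its DER-encoded certificate and the HTTP URL into the IKEv2 CERT payload (Cert Encoding 12, "Hash and URL of X.509 certificate", RFC 7296 section 3.6), and the peer fetches the certificate and rejects it when the hash of the fetched bytes differs. The DER bytes, the URL and the offline fetcher are constructed stand-ins, not values from the page.

```python
"""Build and verify an IKEv2 Hash-and-URL CERT payload (added example)."""
import hashlib
from typing import Callable, Dict, Tuple

HASH_AND_URL_X509 = 12      # RFC 7296 Cert Encoding: Hash and URL of X.509 certificate
X509_CERT_SIGNATURE = 4     # Cert Encoding for an inline X.509 certificate (IKEv1-style fallback)
SHA1_LEN = 20


def build_cert_payload(der_cert: bytes, url: str) -> bytes:
    """CERT payload body carrying a hash and URL instead of the certificate itself."""
    digest = hashlib.sha1(der_cert).digest()
    return bytes([HASH_AND_URL_X509]) + digest + url.encode("ascii")


def build_inline_cert_payload(der_cert: bytes) -> bytes:
    """Fallback when the peer cannot use Hash and URL: the whole DER goes inline."""
    return bytes([X509_CERT_SIGNATURE]) + der_cert


def parse_hash_and_url(payload: bytes) -> Tuple[bytes, str]:
    if not payload or payload[0] != HASH_AND_URL_X509 or len(payload) < 1 + SHA1_LEN + 1:
        raise ValueError("not a well-formed Hash and URL CERT payload")
    return payload[1:1 + SHA1_LEN], payload[1 + SHA1_LEN:].decode("ascii")


def resolve_certificate(payload: bytes, fetch: Callable[[str], bytes]) -> bytes:
    """Peer side: fetch the DER from the URL and accept it only if the hash matches.

    The hash binds the fetched bytes to what the IKE peer signed for, so a
    tampered or wrong file on the HTTP server is rejected before any
    certificate-chain validation happens.
    """
    expected, url = parse_hash_and_url(payload)
    fetched = fetch(url)
    if hashlib.sha1(fetched).digest() != expected:
        raise ValueError("certificate fetched from %s does not match the hash in the CERT payload" % url)
    return fetched


def payload_savings(der_cert: bytes, url: str) -> int:
    """Bytes kept out of the IKE message by Hash and URL versus sending the DER inline."""
    return len(build_inline_cert_payload(der_cert)) - len(build_cert_payload(der_cert, url))


# Constructed fixture standing in for a DER-encoded certificate published on an HTTP server.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
FAKE_URL = "http://certs.example.invalid/gw-a.der"
CERT_SERVER: Dict[str, bytes] = {FAKE_URL: FAKE_DER}


def offline_fetch(url: str) -> bytes:
    """Stand-in for the HTTP GET the peer would perform."""
    return CERT_SERVER[url]
```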

SA Key Lifetime and Re-Authentication Interval

In IKEv2, two IKE crypto profile values, Key Lifetime and IKEv2 Authentication Multiple, control the establishment of IKEv2 IKE SAs. The key lifetime is the length of time that a negotiated IKE SA key is effective. Before the key lifetime expires, the SA must be rekeyed; otherwise, upon expiration, the SA must begin a new IKEv2 IKE SA rekey. The default value is 8 hours.
The reauthentication interval is derived by multiplying the Key Lifetime by the IKEv2 Authentication Multiple. The authentication multiple defaults to 0, which disables the reauthentication feature.
The range of the authentication multiple is 0-50. So, if you were to configure an authentication multiple of 20, for example, the system would perform reauthentication every 20 rekeys, which is every 160 hours. That means the gateway could perform Child SA creation for 160 hours before the gateway must reauthenticate with IKE to recreate the IKE SA from scratch.
In IKEv2, the Initiator and Responder gateways have their own key lifetime value, and the gateway with the shorter key lifetime is the one that will request that the SA be rekeyed.


Set Up Site-to-Site VPN

To set up site-to-site VPN:
- Make sure that your Ethernet interfaces, virtual routers, and zones are configured properly. For more information, see Configure Interfaces and Zones.
- Create your tunnel interfaces. Ideally, put the tunnel interfaces in a separate zone, so that tunneled traffic can use different policies.
- Set up static routes or assign routing protocols to redirect traffic to the VPN tunnels. To support dynamic routing (OSPF, BGP, RIP are supported), you must assign an IP address to the tunnel interface.
- Define IKE gateways for establishing communication between the peers across each end of the VPN tunnel; also define the cryptographic profile that specifies the protocols and algorithms for identification, authentication, and encryption to be used for setting up VPN tunnels in IKEv1 Phase 1. See Set Up an IKE Gateway and Define IKE Crypto Profiles.
- Configure the parameters that are needed to establish the IPSec connection for transfer of data across the VPN tunnel; see Set Up an IPSec Tunnel. For IKEv1 Phase 2, see Define IPSec Crypto Profiles.
- (Optional) Specify how the firewall will monitor the IPSec tunnels. See Set Up Tunnel Monitoring.
- Define security policies to filter and inspect the traffic.

If there is a deny rule at the end of the security rulebase, intrazone traffic is blocked unless otherwise allowed. Rules to allow IKE and IPSec applications must be explicitly included above the deny rule.

When these tasks are complete, the tunnel is ready for use. Traffic destined for the zones/addresses defined in policy is automatically routed properly based on the destination route in the routing table, and handled as VPN traffic. For a few examples on site-to-site VPN, see Site-to-Site VPN Quick Configs.
For troubleshooting purposes, you can Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel.

Set Up an IKE Gateway

To set up a VPN tunnel, the VPN peers or gateways must authenticate each other using pre-shared keys or digital certificates and establish a secure channel in which to negotiate the IPSec security association (SA) that will be used to secure traffic between the hosts on each side.

Set Up an IKE Gateway

Step 1: Define the IKE Gateway.
  1. Select Network > Network Profiles > IKE Gateways, click Add, and on the General tab, enter the Name of the gateway.
  2. For Version, select IKEv1 only mode, IKEv2 only mode, or IKEv2 preferred mode. The IKE gateway begins its negotiation with its peer in the mode specified here. If you select IKEv2 preferred mode, the two peers will use IKEv2 if the remote peer supports it; otherwise they will use IKEv1. (The Version selection also determines which options are available on the Advanced Options tab.)


Set Up an IKE Gateway (Continued)

Step 2: Establish the local endpoint of the tunnel (gateway).
  1. For Address Type, click IPv4 or IPv6.
  2. Select the physical, outgoing Interface on the firewall where the local gateway resides.
  3. From the Local IP Address drop-down, select the IP address that will be used as the endpoint for the VPN connection. This is the external-facing interface with a publicly routable IP address on the firewall.

Step 3: Establish the peer at the far end of the tunnel (gateway).
  1. Select the Peer IP Type to be a Static or Dynamic address assignment.
  2. If the Peer IP Address is static, enter the IP address of the peer.

Step 4: Specify how the peer is authenticated.
  Select the Authentication method: Pre-Shared Key or Certificate.
  If you choose Pre-Shared Key, proceed to the next step. If you choose Certificate, skip to Configure certificate-based authentication.

Step 5: Configure a pre-shared key.
  1. Enter a Pre-shared Key, which is the security key to use for authentication across the tunnel. Re-enter the value to Confirm Pre-shared Key. Use a maximum of 255 ASCII or non-ASCII characters.
     BEST PRACTICE: Generate a key that is difficult to crack with dictionary attacks; use a pre-shared key generator, if necessary.
  2. For Local Identification, choose from the following types and enter a value that you determine: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), User FQDN (email address). Local identification defines the format and identification of the local gateway. If no value is specified, the local IP address will be used as the local identification value.
  3. For Peer Identification, choose from the following types and enter the value: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), User FQDN (email address). Peer identification defines the format and identification of the peer gateway. If no value is specified, the peer IP address will be used as the peer identification value.
  4. Proceed to Step 7 and continue from there.


Set Up an IKE Gateway (Continued)

Step 6: Configure certificate-based authentication. Perform the remaining steps in this procedure if you selected Certificate as the method of authenticating the peer gateway at the opposite end of the tunnel.
  1. Select a Local Certificate that is already on the firewall from the drop-down, or Import a certificate, or Generate to create a new certificate.
     If you want to Import a certificate, Import a Certificate for IKEv2 Gateway Authentication and then return to this task.
     If you want to Generate a new certificate, generate a certificate on the firewall and then return to this task.
  2. Click the HTTP Certificate Exchange check box if you want to configure Hash and URL (IKEv2 only). For an HTTP certificate exchange, enter the Certificate URL. For more information, see Hash and URL Certificate Exchange.
  3. Select the Local Identification type from the following: Distinguished Name (Subject), FQDN (hostname), IP address, User FQDN (email address), and enter the value. Local identification defines the format and identification of the local gateway.
  4. Select the Peer Identification type from the following: Distinguished Name (Subject), FQDN (hostname), IP address, User FQDN (email address), and enter the value. Peer identification defines the format and identification of the peer gateway.
  5. Select one type of Peer ID Check:
     - Exact: Check this to ensure that the local setting and peer IKE ID payload match exactly.
     - Wildcard: Check this to allow the peer identification to match as long as every character before the wildcard (*) matches. The characters after the wildcard need not match.
  6. Click Permit peer identification and certificate payload identification mismatch if you want to allow a successful IKE SA even when the peer identification does not match the peer identification in the certificate.
  7. Choose a Certificate Profile from the drop-down. A certificate profile contains information about how to authenticate the peer gateway.
  8. Click Enable strict validation of peer's extended key use if you want to strictly control how the key can be used.


Set Up an IKE Gateway (Continued)

Step 7: Configure advanced options for the gateway.
  1. Select the Advanced Options tab.
  2. In the Common Options section, Enable Passive Mode if you want the firewall to only respond to IKE connection requests and never initiate them.
  3. Enable NAT Traversal if you have a device performing NAT between the gateways, to have UDP encapsulation used on IKE and UDP protocols, enabling them to pass through intermediate NAT devices.
  4. If you chose IKEv1 only mode earlier, on the IKEv1 tab:
     - Choose auto, aggressive, or main for the Exchange Mode. When a device is set to use auto exchange mode, it can accept both main mode and aggressive mode negotiation requests; however, whenever possible, it initiates negotiation and allows exchanges in main mode.
       NOTE: If the exchange mode is not set to auto, you must configure both peers with the same exchange mode to allow each peer to accept negotiation requests.
     - Select an existing profile or keep the default profile from the IKE Crypto Profile drop-down. For details on defining an IKE Crypto profile, see Define IKE Crypto Profiles.
     - (Only if using certificate-based authentication and the exchange mode is not set to aggressive mode) Click Enable Fragmentation to enable the firewall to operate with IKE Fragmentation.
     - Click Dead Peer Detection and enter an Interval (range is 2-100 seconds). For Retry, define the time to delay (range is 2-100 seconds) before attempting to re-check availability. Dead peer detection identifies inactive or unavailable IKE peers by sending an IKE phase 1 notification payload to the peer and waiting for an acknowledgment.
  5. If you chose IKEv2 only mode or IKEv2 preferred mode in Step 1, on the IKEv2 tab:
     - Select an IKE Crypto Profile from the drop-down, which configures IKE Phase 1 options such as the DH group, hash algorithm, and ESP authentication. For information about IKE crypto profiles, see IKE Phase 1.
     - Enable Strict Cookie Validation if you want to always enforce cookie validation on IKEv2 SAs for this gateway. See Cookie Activation Threshold and Strict Cookie Validation.
     - Enable Liveness Check and enter an Interval (sec) (default is 5) if you want to have the gateway send a message request to its gateway peer, requesting a response. If necessary, the Initiator attempts the liveness check up to 10 times. If it doesn't get a response, the Initiator closes and deletes the IKE_SA and CHILD_SA. The Initiator will start over by sending out another IKE_SA_INIT.

Step 8: Save the changes.
  Click OK and Commit.


Export a Certificate for a Peer to Access Using Hash and URL

IKEv2 supports Hash and URL Certificate Exchange as a method of having the peer at the remote end of the tunnel fetch the certificate from a server where you have exported the certificate. Perform this task to export your certificate to that server. You must have already created a certificate using Device > Certificate Management.

Export a Certificate for Hash and URL

Step 1: Select Device > Certificates, and if your platform supports multiple virtual systems, for Location, select the appropriate virtual system.
Step 2: On the Device Certificates tab, select the certificate to Export to the server.
  NOTE: The status of the certificate should be valid, not expired. The firewall will not stop you from exporting an invalid certificate.
Step 3: For File Format, select Binary Encoded Certificate (DER).
Step 4: Leave Export private key clear. Exporting the private key is unnecessary for Hash and URL.
Step 5: Click OK.

Import a Certificate for IKEv2 Gateway Authentication

Perform this task if you are authenticating a peer for an IKEv2 gateway and you did not use a local certificate already on the firewall; you want to import a certificate from elsewhere.
This task presumes that you selected Network > IKE Gateways, added a gateway, and for Local Certificate, you clicked Import.


Import a Certificate for IKEv2 Gateway Authentication

Step 1: Import a certificate.
  1. Select Network > IKE Gateways, Add a gateway, and on the General tab, for Authentication, select Certificate. For Local Certificate, click Import.
  2. In the Import Certificate window, enter a Certificate Name for the certificate you are importing.
  3. Select Shared if this certificate is to be shared among multiple virtual systems.
  4. For Certificate File, Browse to the certificate file. Click on the file name and click Open, which populates the Certificate File field.
  5. For File Format, select one of the following:
     - Base64 Encoded Certificate (PEM): Contains the certificate, but not the key. It is clear text.
     - Encrypted Private Key and Certificate (PKCS12): Contains both the certificate and the key.
  6. Select Import private key if the key is in a different file from the certificate file. The key is optional, with the following exception:
     - You must import a key if you set the File Format to PEM.
     - Enter a Key file by clicking Browse and navigating to the key file to import.
     - Enter a Passphrase and Confirm Passphrase.
  7. Click OK.

Step 2: Configure certificate-based authentication.

Change the Key Lifetime or Authentication Interval for IKEv2

This task is optional; the default setting of the IKEv2 IKE SA rekey lifetime is 8 hours. The default setting of the IKEv2 Authentication Multiple is 0, meaning the reauthentication feature is disabled. For more information, see SA Key Lifetime and Re-Authentication Interval.
To change the default values, perform the following task. A prerequisite is that an IKE crypto profile already exists.

Change the SA Key Lifetime or Authentication Interval

Step 1: Change the SA key lifetime or authentication interval for an IKE Crypto profile.
  1. Select Network > Network Profiles > IKE Crypto and select the IKE Crypto profile that applies to the local gateway.
  2. For the Key Lifetime, select a unit (Seconds, Minutes, Hours, or Days) and enter a value. The minimum is three minutes.
  3. For IKE Authentication Multiple, enter a value, which is multiplied by the lifetime to determine the reauthentication interval.

Step 2: Save the configuration.
  Click OK and Commit.


Change the Cookie Activation Threshold for IKEv2

Perform the following task if you want a firewall to have a threshold different from the default setting of 500 half-opened SA sessions before cookie validation is required. For more information about cookie validation, see Cookie Activation Threshold and Strict Cookie Validation.

Change the Cookie Activation Threshold

Step 1: Change the Cookie Activation Threshold.
  1. Select Device > Setup > Session and edit the VPN Session Settings. For Cookie Activation Threshold, enter the maximum number of half-opened SAs that are allowed before the responder requests a cookie from the initiator (range is 0-65535; default is 500).
  2. Click OK.

Step 2: Save the configuration.
  Click OK and Commit.

Configure IKEv2 Traffic Selectors

In IKEv2, you can configure Traffic Selectors, which are components of network traffic that are used during IKE negotiation. Traffic selectors are used during the CHILD_SA (tunnel creation) Phase 2 to set up the tunnel and to determine what traffic is allowed through the tunnel. The two IKE gateway peers must negotiate and agree on their traffic selectors; otherwise, one side narrows its address range to reach agreement. One IKE connection can have multiple tunnels; for example, you can assign different tunnels to each department to isolate their traffic. Separation of traffic also allows features such as QoS to be implemented. Use the following workflow to configure traffic selectors.

Configure Traffic Selectors for IKEv2

Step 1: Select Network > IPSec Tunnels > Proxy IDs.
Step 2: Select the IPv4 or IPv6 tab.
Step 3: Click Add and enter the Name in the Proxy ID field.
Step 4: In the Local field, enter the Source IP Address.
Step 5: In the Remote field, enter the Destination IP Address.
Step 6: In the Protocol field, select the transport protocol (TCP or UDP) from the drop-down.
Step 7: Click OK.

Define Cryptographic Profiles

A cryptographic profile specifies the ciphers used for authentication and/or encryption between two IKE peers, and the lifetime of the key. The time period between each renegotiation is known as the lifetime; when the specified time expires, the firewall renegotiates a new set of keys.
For securing communication across the VPN tunnel, the firewall requires IKE and IPSec cryptographic profiles for completing IKE phase 1 and phase 2 negotiations, respectively. The firewall includes a default IKE crypto profile and a default IPSec crypto profile that are ready for use.


- Define IKE Crypto Profiles
- Define IPSec Crypto Profiles

Define IKE Crypto Profiles

The IKE crypto profile is used to set up the encryption and authentication algorithms used for the key exchange process in IKE Phase 1, and the lifetime of the keys, which specifies how long the keys are valid. To invoke the profile, you must attach it to the IKE Gateway configuration.

All IKE gateways configured on the same interface or local IP address must use the same crypto profile.

Define an IKE Crypto Profile

Step 1: Create a new IKE profile.
  1. Select Network > Network Profiles > IKE Crypto and select Add.
  2. Enter a Name for the new profile.

Step 2: Specify the DH Group (Diffie-Hellman group) for key exchange, and the Authentication and Encryption algorithms.
  Click Add in the corresponding sections (DH Group, Authentication, and Encryption) and select from the drop-downs.
  If you are not certain of what the VPN peers support, add multiple groups or algorithms in the order of most to least secure as follows; the peers negotiate the strongest supported group or algorithm to establish the tunnel:
  - DH Group: group20, group19, group14, group5, group2, and group1.
  - Authentication: sha512, sha384, sha256, sha1, md5.
  - Encryption: aes-256-cbc, aes-192-cbc, aes-128-cbc, 3des, des.
  DES is available to provide backward compatibility with legacy devices that do not support stronger encryption, but as a best practice always use a stronger encryption algorithm, such as 3DES or AES, if the peer can support it.

Step 3: Specify the duration for which the key is valid and the reauthentication interval. For details, see SA Key Lifetime and Re-Authentication Interval.
  1. In the Key Lifetime fields, specify the period (in seconds, minutes, hours, or days) for which the key is valid. (Range is 3 minutes to 365 days; default is 8 hours.) When the key expires, the firewall renegotiates a new key. A lifetime is the period between each renegotiation.
  2. For the IKEv2 Authentication Multiple, specify a value (range is 0-50) that is multiplied by the Key Lifetime to determine the authentication count. The default value of 0 disables the reauthentication feature.

Step 4: Save your IKE Crypto profile.
  Click OK and click Commit.

Step 5: Attach the IKE Crypto profile to the IKE Gateway configuration.
  See Configure advanced options for the gateway.


Define IPSec Crypto Profiles

The IPSec crypto profile is invoked in IKE Phase 2. It specifies how the data is secured within the tunnel when Auto Key IKE is used to automatically generate keys for the IKE SAs.

Define the IPSec Crypto Profile

Step 1: Create a new IPSec profile.
  1. Select Network > Network Profiles > IPSec Crypto and select Add.
  2. Enter a Name for the new profile.
  3. Select the IPSec Protocol, ESP or AH, that you want to apply to secure the data as it traverses across the tunnel.
  4. Click Add and select the Authentication and Encryption algorithms for ESP, and Authentication algorithms for AH, so that the IKE peers can negotiate the keys for the secure transfer of data across the tunnel.
     If you are not certain of what the IKE peers support, add multiple algorithms in the order of most to least secure as follows; the peers negotiate the strongest supported algorithm to establish the tunnel:
     - Encryption: aes-256-gcm, aes-256-cbc, aes-192-cbc, aes-128-gcm, aes-128-ccm (the VM-Series firewall doesn't support this option), aes-128-cbc, 3des, des.
       DES is available to provide backward compatibility with legacy devices that do not support stronger encryption, but as a best practice always use a stronger encryption algorithm, such as 3DES or AES, if the peer can support it.
     - Authentication: sha512, sha384, sha256, sha1, md5.

Step 2: Select the DH Group to use for the IPSec SA negotiations in IKE phase 2.
  Select the key strength that you want to use from the DH Group drop-down.
  If you are not certain of what the VPN peers support, add multiple groups in the order of most to least secure as follows; the peers negotiate the strongest supported group to establish the tunnel: group20, group19, group14, group5, group2, and group1.
  Select no-pfs if you do not want to renew the key that was created at phase 1; the current key is reused for the IPSec SA negotiations.
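The following is an added example, not PAN-OS code, that models the advice in Define IKE Crypto Profiles and Define IPSec Crypto Profiles: proposals are kept in the page's most-to-least-secure order and the strongest option both peers offer is selected, per category. It also flags when the only common choice is a legacy one, so an operator sees which side of the tunnel needs tightening. The orderings are the page's; the set of choices treated as weak is this example's own and broader than the page's DES caveat.

```python
"""Crypto profile ordering and strongest-common negotiation (added example)."""
from typing import Dict, List, Optional, Tuple

# Orderings from the page, most to least secure.
IKE_DH_ORDER = ["group20", "group19", "group14", "group5", "group2", "group1"]
IKE_AUTH_ORDER = ["sha512", "sha384", "sha256", "sha1", "md5"]
IKE_ENC_ORDER = ["aes-256-cbc", "aes-192-cbc", "aes-128-cbc", "3des", "des"]
IPSEC_ENC_ORDER = ["aes-256-gcm", "aes-256-cbc", "aes-192-cbc", "aes-128-gcm",
                   "aes-128-ccm", "aes-128-cbc", "3des", "des"]
IPSEC_DH_ORDER = ["group20", "group19", "group14", "group5", "group2", "group1", "no-pfs"]

# This example's own list of choices to warn about; the page itself only singles out DES.
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "no-pfs"}


def order_by_strength(proposal: List[str], ordering: List[str]) -> List[str]:
    """Re-sort an operator's proposal list into the page's most-to-least order."""
    unknown = [a for a in proposal if a not in ordering]
    if unknown:
        raise ValueError("unknown algorithm(s): %s" % ", ".join(unknown))
    return sorted(proposal, key=ordering.index)


def negotiate(local: List[str], peer: List[str], ordering: List[str]) -> Optional[str]:
    """Strongest entry both sides offer, by the ordering, or None when nothing is common."""
    for candidate in order_by_strength(local, ordering):
        if candidate in peer:
            return candidate
    return None


def negotiate_profile(local: Dict[str, List[str]], peer: Dict[str, List[str]],
                      orderings: Dict[str, List[str]]) -> Tuple[Dict[str, str], List[str]]:
    """Negotiate every category (for example dh, auth, enc); return choices and warnings.

    A category with no common entry means the tunnel will not establish, which is
    what the page describes when a peer lacks any of the offered options.
    """
    chosen: Dict[str, str] = {}
    warnings: List[str] = []
    for category, ordering in orderings.items():
        pick = negotiate(local.get(category, []), peer.get(category, []), ordering)
        if pick is None:
            warnings.append("%s: no common choice, tunnel will not establish" % category)
            continue
        chosen[category] = pick
        if pick in WEAK:
            warnings.append("%s: negotiated %s, a legacy choice; add a stronger option on the peer"
                            % (category, pick))
    return chosen, warnings
```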

Step 3: Specify the duration of the key time and volume of traffic.
  Using a combination of time and traffic volume allows you to ensure safety of data.
  Select the Lifetime or time period for which the key is valid in seconds, minutes, hours, or days (range is 3 minutes to 365 days). When the specified time expires, the firewall will renegotiate a new set of keys.
  Select the Lifesize or volume of data after which the keys must be renegotiated.

Step 4: Save your IPSec profile.
  Click OK and click Commit.

Step 5: Attach the IPSec Profile to an IPSec tunnel configuration.
  See Set up key exchange.


Set Up an IPSec Tunnel

The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses across the tunnel.
If you are setting up the Palo Alto Networks firewall to work with a peer that supports policy-based VPN, you must define Proxy IDs. Devices that support policy-based VPN use specific security rules/policies or access lists (source addresses, destination addresses and ports) for permitting interesting traffic through an IPSec tunnel. These rules are referenced during quick mode/IKE phase 2 negotiation, and are exchanged as Proxy IDs in the first or the second message of the process. So, if you are configuring the Palo Alto Networks firewall to work with a policy-based VPN peer, for a successful phase 2 negotiation you must define the Proxy ID so that the setting on both peers is identical. If the Proxy ID is not configured, because the Palo Alto Networks firewall supports route-based VPN, the default values used as Proxy ID are source ip: 0.0.0.0/0, destination ip: 0.0.0.0/0 and application: any; and when these values are exchanged with the peer, it results in a failure to set up the VPN connection.

Set Up an IPSec Tunnel

Step 1: Select Network > IPSec Tunnels and then Add a new tunnel configuration.
Step 2: On the General tab, enter a Name for the new tunnel.
Step 3: Select the Tunnel interface that will be used to set up the IPSec tunnel.
  To create a new tunnel interface:
  1. Select Tunnel Interface > New Tunnel Interface. (You can also select Network > Interfaces > Tunnel and click Add.)
  2. In the Interface Name field, specify a numeric suffix, such as .2.
  3. On the Config tab, select the Security Zone drop-down to define the zone as follows:
     - Use your trust zone as the termination point for the tunnel: Select the zone from the drop-down. Associating the tunnel interface with the same zone (and virtual router) as the external-facing interface on which the packets enter the firewall mitigates the need to create inter-zone routing.
     Or:
     - Create a separate zone for VPN tunnel termination (Recommended): Select New Zone, define a Name for the new zone (for example vpn-corp), and click OK.
  4. In the Virtual Router drop-down, select default.
  5. (Optional) If you want to assign an IPv4 address to the tunnel interface, select the IPv4 tab, and Add the IP address and network mask, for example 10.31.32.1/32.
  6. To save the interface configuration, click OK.


Set Up an IPSec Tunnel (Continued)

Step 4: (Optional) Enable IPv6 on the tunnel interface.
  1. Select the IPv6 tab on Network > Interfaces > Tunnel > IPv6.
  2. Select the check box to Enable IPv6 on the interface.
     This option allows you to route IPv6 traffic over an IPv4 IPSec tunnel and will provide confidentiality between IPv6 networks. The IPv6 traffic is encapsulated by IPv4 and then ESP. To route IPv6 traffic to the tunnel, you can use a static route to the tunnel, or use OSPFv3, or use a Policy-Based Forwarding (PBF) rule to direct traffic to the tunnel.
  3. Enter the 64-bit extended unique Interface ID in hexadecimal format, for example, 00:26:08:FF:FE:DE:4E:29. By default, the firewall will use the EUI-64 generated from the physical interface's MAC address.
  4. To assign an IPv6 Address to the tunnel interface, Add the IPv6 address and prefix length, for example 2001:400:f00::1/64. If Prefix is not selected, the IPv6 address assigned to the interface will be wholly specified in the address text box.
     a. Select Use interface ID as host portion to assign an IPv6 address to the interface that will use the interface ID as the host portion of the address.
     b. Select Anycast to include routing through the nearest node.

Step 5: Set up key exchange.
  Configure one of the following types of key exchange:
  Set up Auto Key exchange
  1. Select the IKE Gateway. To set up an IKE gateway, see Set Up an IKE Gateway.
  2. (Optional) Select the default IPSec Crypto Profile. To create a new IPSec Profile, see Define IPSec Crypto Profiles.
  Set up Manual Key exchange
  1. Specify the SPI for the local firewall. SPI is a 32-bit hexadecimal index that is added to the header for IPSec tunneling to assist in differentiating between IPSec traffic flows; it is used to create the SA required for establishing a VPN tunnel.
  2. Select the Interface that will be the tunnel endpoint, and optionally select the IP address for the local interface that is the endpoint of the tunnel.
  3. Select the protocol to be used, AH or ESP.
  4. For AH, select the Authentication method from the drop-down and enter a Key and then Confirm Key.
  5. For ESP, select the Authentication method from the drop-down and enter a Key and then Confirm Key. Then, select the Encryption method and enter a Key and then Confirm Key, if needed.
  6. Specify the SPI for the remote peer.
  7. Enter the Remote Address, the IP address of the remote peer.


Set Up an IPSec Tunnel (Continued)

Step 6: Protect against a replay attack. A replay attack occurs when a packet is maliciously intercepted and retransmitted by the interceptor.
  Select the Show Advanced Options check box, then select Enable Replay Protection to detect and neutralize replay attacks.

Step 7: (Optional) Preserve the Type of Service header for the priority or treatment of IP packets.
  In the Show Advanced Options section, select Copy TOS Header. This copies the Type of Service (TOS) header from the inner IP header to the outer IP header of the encapsulated packets in order to preserve the original TOS information.
  NOTE: If there are multiple sessions inside the tunnel (each with a different TOS value), copying the TOS header can cause the IPSec packets to arrive out of order.

Step 8: Enable Tunnel Monitoring.
  NOTE: You must assign an IP address to the tunnel interface for monitoring.
  To alert the device administrator to tunnel failures and to provide automatic failover to another tunnel interface:
  1. Specify a Destination IP address on the other side of the tunnel to determine if the tunnel is working properly.
  2. Select a Profile to determine the action on tunnel failure. To create a new profile, see Define a Tunnel Monitoring Profile.

Step 9: Create a Proxy ID to identify the VPN peers. This step is required only if the VPN peer uses policy-based VPN.
  1. Select Network > IPSec Tunnels and click Add.
  2. Select the Proxy IDs tab.
  3. Select the IPv4 or IPv6 tab.
  4. Click Add and enter the Proxy ID name.
  5. Enter the Local IP address or subnet for the VPN gateway.
  6. Enter the Remote address for the VPN gateway.
  7. Select the Protocol from the drop-down:
     - Number: Specify the protocol number (used for interoperability with third-party devices).
     - Any: Allows TCP and/or UDP traffic.
     - TCP: Specify the Local Port and Remote Port numbers.
     - UDP: Specify the Local Port and Remote Port numbers.
  8. Click OK.

Step 10: Save your changes.
  Click OK and Commit.


Set Up Tunnel Monitoring

To provide uninterrupted VPN service, you can use the Dead Peer Detection capability along with the tunnel monitoring capability on the firewall. You can also monitor the status of the tunnel. These monitoring tasks are described in the following sections:
- Define a Tunnel Monitoring Profile
- View the Status of the Tunnels

Define a Tunnel Monitoring Profile

A tunnel monitoring profile allows you to verify connectivity between the VPN peers; you can configure the tunnel interface to ping a destination IP address at a specified interval and specify the action if the communication across the tunnel is broken.

Define a Tunnel Monitoring Profile

Step 1: Select Network > Network Profiles > Monitor. A default tunnel monitoring profile is available for use.
Step 2: Click Add, and enter a Name for the profile.
Step 3: Select the Action if the destination IP address is unreachable.
  - Wait Recover: The firewall waits for the tunnel to recover. It continues to use the tunnel interface in routing decisions as if the tunnel were still active.
  - Fail Over: Forces traffic to a backup path if one is available. The firewall disables the tunnel interface, and thereby disables any routes in the routing table that use the interface.
  In either case, the firewall attempts to accelerate the recovery by negotiating new IPSec keys.
Step 4: Specify the Interval and Threshold to trigger the specified action.
  The Threshold specifies the number of heartbeats to wait before taking the specified action. The range is 2-100 and the default is 5.
  The Interval measures the time between heartbeats. The range is 2-10 and the default is 3 seconds.
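The following is an added example, not PAN-OS code, that replays the profile semantics above over a constructed list of heartbeat results: a heartbeat every Interval seconds, the action firing after Threshold consecutive misses, Fail Over withdrawing the interface from routing while Wait Recover keeps it, and a rekey requested in both cases. The class and method names, the event strings and the re-enabling of the interface on recovery are this example's own assumptions.

```python
"""Tunnel monitor state machine: Interval, Threshold and Action (added example)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class TunnelMonitorProfile:
    action: str = "wait-recover"     # or "fail-over"
    interval: int = 3                # seconds between heartbeats; page range 2-10, default 3
    threshold: int = 5               # missed heartbeats before the action; page range 2-100, default 5

    def __post_init__(self) -> None:
        if not 2 <= self.interval <= 10 or not 2 <= self.threshold <= 100:
            raise ValueError("interval must be 2-10 s and threshold 2-100 heartbeats")
        if self.action not in ("wait-recover", "fail-over"):
            raise ValueError("unknown action %r" % self.action)


@dataclass
class TunnelState:
    profile: TunnelMonitorProfile
    interface_up: bool = True        # False means routes via the tunnel are withdrawn
    misses: int = 0                  # consecutive heartbeats without a reply
    clock: int = 0                   # seconds since monitoring started
    events: List[Tuple[int, str]] = field(default_factory=list)

    def heartbeat(self, reply_received: bool) -> None:
        """Process one heartbeat result; the monitor sends one per Interval."""
        self.clock += self.profile.interval
        if reply_received:
            if not self.interface_up:            # assumption: recovery re-enables a failed-over interface
                self.interface_up = True
                self.events.append((self.clock, "recovered: interface re-enabled"))
            self.misses = 0
            return
        self.misses += 1
        if self.misses == self.profile.threshold:      # fire exactly once per outage
            self.events.append((self.clock, "renegotiate IPSec keys"))
            if self.profile.action == "fail-over":
                self.interface_up = False
                self.events.append((self.clock, "fail-over: interface disabled, routes withdrawn"))
            else:
                self.events.append((self.clock, "wait-recover: interface kept in routing"))

    def time_to_action(self) -> int:
        """Seconds of silence before the action fires: Interval x Threshold."""
        return self.profile.interval * self.profile.threshold


def run_monitor(profile: TunnelMonitorProfile, replies: List[bool]) -> TunnelState:
    """Feed a constructed sequence of heartbeat results (True = reply) through the monitor."""
    state = TunnelState(profile)
    for ok in replies:
        state.heartbeat(ok)
    return state
```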

Step 5: Attach the monitoring profile to the IPSec Tunnel configuration. See Enable Tunnel Monitoring.


View the Status of the Tunnels

The status of the tunnel informs you about whether or not valid IKE phase 1 and phase 2 SAs have been established, and whether the tunnel interface is up and available for passing traffic.
Because the tunnel interface is a logical interface, it cannot indicate a physical link status. Therefore, you must enable tunnel monitoring so that the tunnel interface can verify connectivity to an IP address and determine if the path is still usable. If the IP address is unreachable, the firewall will either wait for the tunnel to recover or fail over. When a failover occurs, the existing tunnel is torn down and routing changes are triggered to set up a new tunnel and redirect traffic.

View Tunnel Status

Step 1: Select Network > IPSec Tunnels.
Step 2: View the Tunnel Status.
  - Green indicates a valid IPSec SA tunnel.
  - Red indicates that the IPSec SA is not available or has expired.
Step 3: View the IKE Gateway Status.
  - Green indicates a valid IKE phase 1 SA.
  - Red indicates that the IKE phase 1 SA is not available or has expired.
Step 4: View the Tunnel Interface Status.
  - Green indicates that the tunnel interface is up.
  - Red indicates that the tunnel interface is down, because tunnel monitoring is enabled and the status is down.

To troubleshoot a VPN tunnel that is not yet up, see Interpret VPN Error Messages.

Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel

You can enable, disable, refresh or restart an IKE gateway or VPN tunnel to make troubleshooting easier.
- Enable or Disable an IKE Gateway or IPSec Tunnel
- Refresh and Restart Behaviors
- Refresh or Restart an IKE Gateway or IPSec Tunnel

Enable or Disable an IKE Gateway or IPSec Tunnel

Enable or Disable an IKE Gateway or IPSec Tunnel

Enable or disable an IKE gateway.
  1. Select Network > Network Profiles > IKE Gateways and select the gateway you want to enable or disable.
  2. At the bottom of the screen, click Enable or Disable.


EnableorDisableanIKEGatewayorIPSecTunnel(Continued)

EnableordisableanIPSectunnel. 1. SelectNetwork > IPSec Tunnels andselectthetunnelyou


wanttoenableordisable.
2. Atthebottomofthescreen,clickEnableorDisable.

Refresh and Restart Behaviors

The refresh and restart behaviors for an IKE gateway and IPSec tunnel are as follows:

Phase: IKE Gateway (IKE Phase 1)
Refresh: Updates the onscreen statistics for the selected IKE gateway. Equivalent to issuing a second show command in the CLI (after an initial show command).
Restart: Restarts the selected IKE gateway.
IKEv2: Also restarts any associated child IPSec security associations (SAs).
IKEv1: Does not restart the associated IPSec SAs.
A restart is disruptive to all existing sessions. Equivalent to issuing a clear, test, show command sequence in the CLI.

Phase: IPSec Tunnel (IKE Phase 2)
Refresh: Updates the onscreen statistics for the selected IPSec tunnel. Equivalent to issuing a second show command in the CLI (after an initial show command).
Restart: Restarts the IPSec tunnel. A restart is disruptive to all existing sessions. Equivalent to issuing a clear, test, show command sequence in the CLI.

Refresh or Restart an IKE Gateway or IPSec Tunnel

Restarting an IKEv2 gateway has a different result from restarting an IKEv1 gateway (see Refresh and Restart Behaviors).

Refresh or Restart an IKE Gateway or IPSec Tunnel

Refresh or restart an IKE gateway.
1. Select Network > IPSec Tunnels and select the tunnel for the gateway you want to refresh or restart.
2. In the row for that tunnel, under the Status column, click IKE Info.
3. At the bottom of the IKE Info screen, click the action you want:
Refresh: Updates the statistics on the screen.
Restart: Clears the SAs, so traffic is dropped until the IKE negotiation starts over and the tunnel is recreated.


Refresh or restart an IPSec tunnel.
You might determine that the tunnel needs to be refreshed or restarted because you use the tunnel monitor to monitor the tunnel status, or you use an external network monitor to monitor network connectivity through the IPSec tunnel.
1. Select Network > IPSec Tunnels and select the tunnel you want to refresh or restart.
2. In the row for that tunnel, under the Status column, click Tunnel Info.
3. At the bottom of the Tunnel Info screen, click the action you want:
Refresh: Updates the onscreen statistics.
Restart: Clears the SAs, so traffic is dropped until the IKE negotiation starts over and the tunnel is recreated.

Test VPN Connectivity

Test VPN Connectivity

Step 1 Initiate IKE phase 1 by either pinging a host across the tunnel or using the following CLI command:
test vpn ike-sa gateway <gateway_name>

Step 2 Enter the following command to test if IKE phase 1 is set up:
show vpn ike-sa gateway <gateway_name>
In the output, check if the Security Association displays. If it does not, review the system log messages to interpret the reason for failure.

Step 3 Initiate IKE phase 2 by either pinging a host from across the tunnel or using the following CLI command:
test vpn ipsec-sa tunnel <tunnel_name>

Step 4 Enter the following command to test if IKE phase 2 is set up:
show vpn ipsec-sa tunnel <tunnel_name>
In the output, check if the Security Association displays. If it does not, review the system log messages to interpret the reason for failure.

Step 5 To view the VPN traffic flow information, use the following command:
show vpn-flow
total tunnels configured: 1
filter - type IPSec, state any

total IPSec tunnel configured: 1
total IPSec tunnel shown: 1

name           id   state    local-ip    peer-ip     tunnel-i/f
-------------------------------------------------------------------------
vpn-to-siteB   5    active   100.1.1.1   200.1.1.1   tunnel.41


Interpret VPN Error Messages

The following table lists some of the common VPN error messages that are logged in the system log.

Table: Syslog Error Messages for VPN Issues

If error is this:
IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: x.x.x.x[500]-y.y.y.y[500] cookie:84222f276c2fa2e9:0000000000000000 due to timeout.
or
IKE phase 1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP x.x.x.x[1929]
Try this:
Verify that the public IP address for each VPN peer is accurate in the IKE Gateway configuration.
Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure.

If error is this:
Received unencrypted notify payload (no proposal chosen) from IP x.x.x.x[500] to y.y.y.y[500], ignored...
or
IKE phase-1 negotiation is failed. Unable to process peer's SA payload.
Try this:
Check the IKE Crypto profile configuration to verify that the proposals on both sides have a common encryption, authentication, and DH Group proposal.

If error is this:
pfs group mismatched: my: 2 peer: 0
or
IKE phase-2 negotiation failed when processing SA payload. No suitable proposal found in peer's SA payload.
Try this:
Check the IPSec Crypto profile configuration to verify that:
pfs is either enabled or disabled on both VPN peers
the DH Groups proposed by each peer have at least one DH Group in common

If error is this:
IKE phase-2 negotiation failed when processing Proxy ID. Received local id x.x.x.x/x type IPv4 address protocol 0 port 0, received remote id y.y.y.y/y type IPv4 address protocol 0 port 0.
Try this:
The VPN peer on one end is using policy-based VPN. You must configure a Proxy ID on the Palo Alto Networks firewall. See Create a Proxy ID to identify the VPN peers.
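The following Go program is an added example, not code from this guide or from Palo Alto Networks. It shows how the two checks described above can be automated from the firewall's own output: it parses the tunnel table printed by show vpn-flow (Test VPN Connectivity, Step 5) to list tunnels whose state is not active, and it maps system-log messages to the rows of the error table above so that each message comes back tagged with the check the table recommends. The vpn-flow output and log lines embedded in the program are constructed; the second tunnel row and the 203.0.113.x / 198.51.100.x addresses are placeholders that do not appear in the guide.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// TunnelFlow is one row of the tunnel table printed by "show vpn-flow".
type TunnelFlow struct {
	Name     string
	ID       int
	State    string
	LocalIP  string
	PeerIP   string
	TunnelIf string
}

// SampleVPNFlow is constructed sample output modelled on the excerpt in the
// guide. The second row (state "init") is added here to exercise the
// not-active case; it is not real firewall output.
const SampleVPNFlow = `total tunnels configured: 2
filter - type IPSec, state any

total IPSec tunnel configured: 2
total IPSec tunnel shown: 2

name           id   state    local-ip    peer-ip        tunnel-i/f
-------------------------------------------------------------------------
vpn-to-siteB   5    active   100.1.1.1   200.1.1.1      tunnel.41
vpn-to-siteC   6    init     100.1.1.1   198.51.100.7   tunnel.42
`

// ParseVPNFlow returns the tunnel rows that follow the dashed separator line.
func ParseVPNFlow(out string) []TunnelFlow {
	var rows []TunnelFlow
	inTable := false
	for _, line := range strings.Split(out, "\n") {
		if strings.HasPrefix(line, "-----") {
			inTable = true
			continue
		}
		f := strings.Fields(line)
		if !inTable || len(f) != 6 {
			continue
		}
		id, err := strconv.Atoi(f[1])
		if err != nil {
			continue // not a tunnel row
		}
		rows = append(rows, TunnelFlow{Name: f[0], ID: id, State: f[2],
			LocalIP: f[3], PeerIP: f[4], TunnelIf: f[5]})
	}
	return rows
}

// InactiveTunnels lists tunnels whose IPSec SA is not "active"; these are the
// ones to follow up with "show vpn ike-sa" and "show vpn ipsec-sa".
func InactiveTunnels(rows []TunnelFlow) []string {
	var names []string
	for _, r := range rows {
		if r.State != "active" {
			names = append(names, r.Name)
		}
	}
	return names
}

// vpnErrorRules pairs a system-log pattern with the check the guide's table
// recommends. Earlier rules win, so the more specific patterns come first.
var vpnErrorRules = []struct {
	Pattern *regexp.Regexp
	Key     string
	Check   string
}{
	{regexp.MustCompile(`phase-2 negotiation failed when processing Proxy ID`),
		"proxy-id", "peer uses policy-based VPN: configure a matching Proxy ID on the firewall"},
	{regexp.MustCompile(`pfs group mismatched|phase-2 negotiation failed when processing SA payload`),
		"ipsec-proposal", "IPSec Crypto profile: PFS on/off must match and the DH groups need one in common"},
	{regexp.MustCompile(`no proposal chosen|Unable to process peer's SA payload`),
		"ike-proposal", "IKE Crypto profile: both sides need a common encryption, authentication and DH Group"},
	{regexp.MustCompile(`phase[- ]1 negotiation is failed.*(due to timeout|Couldn't find configuration)`),
		"peer-address", "IKE Gateway: verify each peer's public IP, reachability (ping) and routing"},
}

// ClassifyVPNError maps one system-log message to a key from the rule table,
// or "unclassified" when no pattern matches.
func ClassifyVPNError(msg string) string {
	for _, r := range vpnErrorRules {
		if r.Pattern.MatchString(msg) {
			return r.Key
		}
	}
	return "unclassified"
}

func main() {
	fmt.Println("tunnels not active:", InactiveTunnels(ParseVPNFlow(SampleVPNFlow)))
	// Constructed log line in the shape of the second row of the error table.
	fmt.Println(ClassifyVPNError("IKE phase-1 negotiation is failed. Unable to process peer's SA payload."))
}
```

The key returned by ClassifyVPNError is what you would attach to the log event in a SIEM rule; the Check string in the same rule entry is the operator-facing text, kept separate so the key stays stable when the wording changes.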


Site-to-Site VPN Quick Configs

The following sections provide instructions for configuring some common VPN deployments:
Site-to-Site VPN with Static Routing
Site-to-Site VPN with OSPF
Site-to-Site VPN with Static and Dynamic Routing

Site-to-Site VPN with Static Routing

The following example shows a VPN connection between two sites that use static routes. Without dynamic routing, the tunnel interfaces on VPN Peer A and VPN Peer B do not require an IP address because the firewall automatically uses the tunnel interface as the next hop for routing traffic across the sites. However, to enable tunnel monitoring, a static IP address has been assigned to each tunnel interface.

Quick Config: Site-to-Site VPN with Static Routing

Step 1 Configure a Layer 3 interface.
This interface is used for the IKE phase 1 tunnel.
1. Select Network > Interfaces > Ethernet and then select the interface you want to configure for VPN.
2. Select Layer3 from the Interface Type drop-down.
3. On the Config tab, select the Security Zone to which the interface belongs:
The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
If you have not yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone and then click OK.
4. Select the Virtual Router to use.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.210.26/24.
6. To save the interface configuration, click OK.
In this example, the configuration for VPN Peer A is:
Interface: ethernet1/7
Security Zone: untrust
Virtual Router: default
IPv4: 192.168.210.26/24
The configuration for VPN Peer B is:
Interface: ethernet1/11
Security Zone: untrust
Virtual Router: default
IPv4: 192.168.210.120/24


Step 2 Create a tunnel interface and attach it to a virtual router and security zone.
1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, such as .1.
3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
(Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpntun), and then click OK.
4. Select the Virtual Router.
5. (Optional) Assign an IP address to the tunnel interface: select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface.
With static routes, the tunnel interface does not require an IP address. For traffic that is destined to a specified subnet/IP address, the tunnel interface will automatically become the next hop. Consider adding an IP address if you want to enable tunnel monitoring.
6. To save the interface configuration, click OK.
In this example, the configuration for VPN Peer A is:
Interface: tunnel.11
Security Zone: vpn_tun
Virtual Router: default
IPv4: 172.19.9.2/24
The configuration for VPN Peer B is:
Interface: tunnel.12
Security Zone: vpn_tun
Virtual Router: default
IPv4: 192.168.69.2/24

Step 3 Configure a static route, on the virtual router, to the destination subnet.
1. Select Network > Virtual Router and click the router you defined in the prior step.
2. Select Static Route, click Add, and enter a new route to access the subnet that is at the other end of the tunnel.
In this example, the configuration for VPN Peer A is:
Destination: 192.168.69.0/24
Interface: tunnel.11
The configuration for VPN Peer B is:
Destination: 172.19.9.0/24
Interface: tunnel.12

Step 4 Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2).
Complete this task on both peers and make sure to set identical values.
1. Select Network > Network Profiles > IKE Crypto. In this example, we use the default profile.
2. Select Network > Network Profiles > IPSec Crypto. In this example, we use the default profile.


Step 5 Set up the IKE Gateway.
1. Select Network > Network Profiles > IKE Gateway.
2. Click Add and configure the options in the General tab.
In this example, the configuration for VPN Peer A is:
Interface: ethernet1/7
Local IP address: 192.168.210.26/24
Peer IP type/address: static/192.168.210.120
Preshared keys: enter a value
Local identification: None; this means that the local IP address will be used as the local identification value.
The configuration for VPN Peer B is:
Interface: ethernet1/11
Local IP address: 192.168.210.120/24
Peer IP type/address: static/192.168.210.26
Preshared keys: enter the same value as on Peer A
Local identification: None
3. Select Advanced Phase 1 Options and select the IKE Crypto profile you created earlier to use for IKE phase 1.

Step 6 Set up the IPSec Tunnel.
1. Select Network > IPSec Tunnels.
2. Click Add and configure the options in the General tab.
In this example, the configuration for VPN Peer A is:
Tunnel Interface: tunnel.11
Type: Auto Key
IKE Gateway: Select the IKE Gateway defined above.
IPSec Crypto Profile: Select the IPSec Crypto profile defined in Step 4.
The configuration for VPN Peer B is:
Tunnel Interface: tunnel.12
Type: Auto Key
IKE Gateway: Select the IKE Gateway defined above.
IPSec Crypto Profile: Select the IPSec Crypto profile defined in Step 4.
3. (Optional) Select Show Advanced Options, select Tunnel Monitor, and specify a Destination IP address to ping for verifying connectivity. Typically, the tunnel interface IP address for the VPN Peer is used.
4. (Optional) To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.

Step 7 Create policies to allow traffic between the sites (subnets).
1. Select Policies > Security.
2. Create rules to allow traffic between the untrust and the vpntun zone and the vpntun and the untrust zone for traffic originating from specified source and destination IP addresses.

Step 8 Save any pending configuration changes. Click Commit.

Step 9 Test VPN connectivity. See View the Status of the Tunnels.


Site-to-Site VPN with OSPF

In this example, each site uses OSPF for dynamic routing of traffic. The tunnel IP address on each VPN peer is statically assigned and serves as the next hop for routing traffic between the two sites.

Quick Config: Site-to-Site VPN with Dynamic Routing using OSPF

Step 1 Configure the Layer 3 interfaces on each firewall.
1. Select Network > Interfaces > Ethernet and then select the interface you want to configure for VPN.
2. Select Layer3 from the Interface Type drop-down.
3. On the Config tab, select the Security Zone to which the interface belongs:
The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
If you have not yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone and then click OK.
4. Select the Virtual Router to use.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.210.26/24.
6. To save the interface configuration, click OK.
In this example, the configuration for VPN Peer A is:
Interface: ethernet1/7
Security Zone: untrust
Virtual Router: default
IPv4: 100.1.1.1/24
The configuration for VPN Peer B is:
Interface: ethernet1/11
Security Zone: untrust
Virtual Router: default
IPv4: 200.1.1.1/24


Step 2 Create a tunnel interface and attach it to a virtual router and security zone.
1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, such as .11.
3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
(Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpntun), and then click OK.
4. Select the Virtual Router.
5. Assign an IP address to the tunnel interface: select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask/prefix to assign to the interface, for example, 172.19.9.2/24.
This IP address will be used as the next hop IP address to route traffic to the tunnel and can also be used to monitor the status of the tunnel.
6. To save the interface configuration, click OK.
In this example, the configuration for VPN Peer A is:
Interface: tunnel.41
Security Zone: vpn_tun
Virtual Router: default
IPv4: 2.1.1.141/24
The configuration for VPN Peer B is:
Interface: tunnel.40
Security Zone: vpn_tun
Virtual Router: default
IPv4: 2.1.1.140/24

Step 3 Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2).
Complete this task on both peers and make sure to set identical values.
1. Select Network > Network Profiles > IKE Crypto. In this example, we use the default profile.
2. Select Network > Network Profiles > IPSec Crypto. In this example, we use the default profile.


Step 4 Set up the OSPF configuration on the virtual router and attach the OSPF areas with the appropriate interfaces on the firewall.
For more information on the OSPF options that are available on the firewall, see Configure OSPF.
Use Broadcast as the link type when there are more than two OSPF routers that need to exchange routing information.
1. Select Network > Virtual Routers, and select the default router or add a new router.
2. Select OSPF (for IPv4) or OSPFv3 (for IPv6) and select Enable.
3. In this example, the OSPF configuration for VPN Peer A is:
Router ID: 192.168.100.141
Area ID: 0.0.0.0 that is assigned to the tunnel.1 interface with Link type: p2p
Area ID: 0.0.0.10 that is assigned to the interface Ethernet1/1 and Link Type: Broadcast
The OSPF configuration for VPN Peer B is:
Router ID: 192.168.100.140
Area ID: 0.0.0.0 that is assigned to the tunnel.1 interface with Link type: p2p
Area ID: 0.0.0.20 that is assigned to the interface Ethernet1/15 and Link Type: Broadcast

Step 5 Set up the IKE Gateway.
This example uses static IP addresses for both VPN peers. Typically, the corporate office uses a statically configured IP address, and the branch side can be a dynamic IP address; dynamic IP addresses are not best suited for configuring stable services such as VPN.
1. Select Network > Network Profiles > IKE Gateway.
2. Click Add and configure the options in the General tab.
In this example, the configuration for VPN Peer A is:
Interface: ethernet1/7
Local IP address: 100.1.1.1/24
Peer IP address: 200.1.1.1/24
Preshared keys: enter a value
The configuration for VPN Peer B is:
Interface: ethernet1/11
Local IP address: 200.1.1.1/24
Peer IP address: 100.1.1.1/24
Preshared keys: enter the same value as on Peer A
3. Select the IKE Crypto profile you created earlier to use for IKE phase 1.


Step 6 Set up the IPSec Tunnel.
1. Select Network > IPSec Tunnels.
2. Click Add and configure the options in the General tab.
In this example, the configuration for VPN Peer A is:
Tunnel Interface: tunnel.41
Type: Auto Key
IKE Gateway: Select the IKE Gateway defined above.
IPSec Crypto Profile: Select the IKE Gateway defined above.
The configuration for VPN Peer B is:
Tunnel Interface: tunnel.40
Type: Auto Key
IKE Gateway: Select the IKE Gateway defined above.
IPSec Crypto Profile: Select the IKE Gateway defined above.
3. Select Show Advanced Options, select Tunnel Monitor, and specify a Destination IP address to ping for verifying connectivity.
4. To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.

Step 7 Create policies to allow traffic between the sites (subnets).
1. Select Policies > Security.
2. Create rules to allow traffic between the untrust and the vpntun zone and the vpntun and the untrust zone for traffic originating from specified source and destination IP addresses.


Step 8 Verify OSPF adjacencies and routes from the CLI.
Verify that both the firewalls can see each other as neighbors with full status. Also confirm the IP address of the VPN peer's tunnel interface and the OSPF Router ID. Use the following CLI commands on each VPN peer.
show routing protocol ospf neighbor

show routing route type ospf

Step 9 Test VPN connectivity. See Set Up Tunnel Monitoring and View the Status of the Tunnels.


Site-to-Site VPN with Static and Dynamic Routing

In this example, one site uses static routes and the other site uses OSPF. When the routing protocol is not the same between the locations, the tunnel interface on each firewall must be configured with a static IP address. Then, to allow the exchange of routing information, the firewall that participates in both the static and dynamic routing process must be configured with a Redistribution profile. Configuring the redistribution profile enables the virtual router to redistribute and filter routes between protocols: static routes, connected routes, and hosts from the static autonomous system to the OSPF autonomous system. Without this redistribution profile, each protocol functions on its own and does not exchange any route information with other protocols running on the same virtual router.
In this example, the satellite office has static routes and all traffic destined to the 192.168.x.x network is routed to tunnel.41. The virtual router on VPN Peer B participates in both the static and the dynamic routing process and is configured with a redistribution profile in order to propagate (export) the static routes to the OSPF autonomous system.

Quick Config: Site-to-Site VPN with Static and Dynamic Routing

Step 1 Configure the Layer 3 interfaces on each firewall.
1. Select Network > Interfaces > Ethernet and then select the interface you want to configure for VPN.
2. Select Layer3 from the Interface Type drop-down.
3. On the Config tab, select the Security Zone to which the interface belongs:
The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
If you have not yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone and then click OK.
4. Select the Virtual Router to use.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.210.26/24.
6. To save the interface configuration, click OK.
In this example, the configuration for VPN Peer A is:
Interface: ethernet1/7
Security Zone: untrust
Virtual Router: default
IPv4: 100.1.1.1/24
The configuration for VPN Peer B is:
Interface: ethernet1/11
Security Zone: untrust
Virtual Router: default
IPv4: 200.1.1.1/24

Step 2 Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2).
Complete this task on both peers and make sure to set identical values.
1. Select Network > Network Profiles > IKE Crypto. In this example, we use the default profile.
2. Select Network > Network Profiles > IPSec Crypto. In this example, we use the default profile.


Step 3 Set up the IKE Gateway.
With preshared keys, to add authentication scrutiny when setting up the IKE phase 1 tunnel, you can set up Local and Peer Identification attributes and a corresponding value that is matched in the IKE negotiation process.
1. Select Network > Network Profiles > IKE Gateway.
2. Click Add and configure the options in the General tab.
In this example, the configuration for VPN Peer A is:
Interface: ethernet1/7
Local IP address: 100.1.1.1/24
Peer IP type: dynamic
Preshared keys: enter a value
Local identification: select FQDN (hostname) and enter the value for VPN Peer A.
Peer identification: select FQDN (hostname) and enter the value for VPN Peer B.
The configuration for VPN Peer B is:
Interface: ethernet1/11
Local IP address: 200.1.1.1/24
Peer IP address: dynamic
Preshared keys: enter the same value as on Peer A
Local identification: select FQDN (hostname) and enter the value for VPN Peer B.
Peer identification: select FQDN (hostname) and enter the value for VPN Peer A.
3. Select the IKE Crypto profile you created earlier to use for IKE phase 1.


Step 4 Create a tunnel interface and attach it to a virtual router and security zone.
1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, say, .41.
3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
(Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpntun), and then click OK.
4. Select the Virtual Router.
5. Assign an IP address to the tunnel interface: select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask/prefix to assign to the interface, for example, 172.19.9.2/24.
This IP address will be used to route traffic to the tunnel and to monitor the status of the tunnel.
6. To save the interface configuration, click OK.
In this example, the configuration for VPN Peer A is:
Interface: tunnel.41
Security Zone: vpn_tun
Virtual Router: default
IPv4: 2.1.1.141/24
The configuration for VPN Peer B is:
Interface: tunnel.42
Security Zone: vpn_tun
Virtual Router: default
IPv4: 2.1.1.140/24

Step 5 Specify the interface to route traffic to a destination on the 192.168.x.x network.
1. On VPN Peer A, select the virtual router.
2. Select Static Routes, and Add tunnel.41 as the Interface for routing traffic with a Destination in the 192.168.x.x network.

Step 6 Set up the static route and the OSPF configuration on the virtual router and attach the OSPF areas with the appropriate interfaces on the firewall.
1. On VPN Peer B, select Network > Virtual Routers, and select the default router or add a new router.
2. Select Static Routes and Add the tunnel IP address as the next hop for traffic in the 172.168.x.x network.
Assign the desired route metric; a lower value gives the route a higher priority for route selection in the forwarding table.
3. Select OSPF (for IPv4) or OSPFv3 (for IPv6) and select Enable.
4. In this example, the OSPF configuration for VPN Peer B is:
Router ID: 192.168.100.140
Area ID: 0.0.0.0 is assigned to the interface Ethernet1/12, Link type: Broadcast
Area ID: 0.0.0.10 that is assigned to the interface Ethernet1/1 and Link Type: Broadcast
Area ID: 0.0.0.20 is assigned to the interface Ethernet1/15 and Link Type: Broadcast


Step 7 Create a redistribution profile to inject the static routes into the OSPF autonomous system.
1. Create a redistribution profile on VPN Peer B.
a. Select Network > Virtual Routers, and select the router you used above.
b. Select Redistribution Profiles, and click Add.
c. Enter a Name for the profile, select Redist, and assign a Priority value. If you have configured multiple profiles, the profile with the lowest priority value is matched first.
d. Set Source Type as static, and click OK. The static route defined in Step 6-2 will be used for the redistribution.
2. Inject the static routes into the OSPF system.
a. Select OSPF > Export Rules (for IPv4) or OSPFv3 > Export Rules (for IPv6).
b. Click Add, and select the redistribution profile that you just created.
c. Select how the external routes are brought into the OSPF system. The default option, Ext2, calculates the total cost of the route using only the external metrics. To use both internal and external OSPF metrics, use Ext1.
d. Assign a Metric (cost value) for the routes injected into the OSPF system. This option allows you to change the metric for the injected route as it comes into the OSPF system.
e. Click OK to save the changes.

Step 8 Set up the IPSec Tunnel.
1. Select Network > IPSec Tunnels.
2. Click Add and configure the options in the General tab.
In this example, the configuration for VPN Peer A is:
Tunnel Interface: tunnel.41
Type: Auto Key
IKE Gateway: Select the IKE Gateway defined above.
IPSec Crypto Profile: Select the IKE Gateway defined above.
The configuration for VPN Peer B is:
Tunnel Interface: tunnel.40
Type: Auto Key
IKE Gateway: Select the IKE Gateway defined above.
IPSec Crypto Profile: Select the IKE Gateway defined above.
3. Select Show Advanced Options, select Tunnel Monitor, and specify a Destination IP address to ping for verifying connectivity.
4. To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.

Step 9 Create policies to allow traffic between the sites (subnets).
1. Select Policies > Security.
2. Create rules to allow traffic between the untrust and the vpntun zone and the vpntun and the untrust zone for traffic originating from specified source and destination IP addresses.


Step 10 Verify OSPF adjacencies and routes from the CLI.
Verify that both the firewalls can see each other as neighbors with full status. Also confirm the IP address of the VPN peer's tunnel interface and the OSPF Router ID. Use the following CLI commands on each VPN peer.
show routing protocol ospf neighbor

show routing route
The following is an example of the output on each VPN peer.

Step 11 Test VPN connectivity. See Set Up Tunnel Monitoring and View the Status of the Tunnels.

Large Scale VPN (LSVPN)
The GlobalProtect Large Scale VPN (LSVPN) feature on the Palo Alto Networks next-generation firewall simplifies the deployment of traditional hub and spoke VPNs, enabling you to quickly deploy enterprise networks with several branch offices with a minimum amount of configuration required on the remote satellites. This solution uses certificates for firewall authentication and IPSec to secure data.

LSVPN enables site-to-site VPNs between Palo Alto Networks firewalls. To set up a site-to-site VPN between a Palo Alto Networks firewall and another device, see VPNs.

The following topics describe the LSVPN components and how to set them up to enable site-to-site VPN services between Palo Alto Networks firewalls:
LSVPN Overview
Create Interfaces and Zones for the LSVPN
Enable SSL Between GlobalProtect LSVPN Components
Configure the Portal to Authenticate Satellites
Configure GlobalProtect Gateways for LSVPN
Configure the GlobalProtect Portal for LSVPN
Prepare the Satellite to Join the LSVPN
Verify the LSVPN Configuration
LSVPN Quick Configs


LSVPN Overview

GlobalProtect provides a complete infrastructure for managing secure access to corporate resources from your remote sites. This infrastructure includes the following components:
GlobalProtect Portal: Provides the management functions for your GlobalProtect LSVPN infrastructure. Every satellite that participates in the GlobalProtect LSVPN receives configuration information from the portal, including configuration information to enable the satellites (the spokes) to connect to the gateways (the hubs). You configure the portal on an interface on any Palo Alto Networks next-generation firewall.
GlobalProtect Gateways: A Palo Alto Networks firewall that provides the tunnel endpoint for satellite connections. The resources that the satellites access are protected by security policy on the gateway. It is not required to have a separate portal and gateway; a single firewall can function both as portal and gateway.
GlobalProtect Satellite: A Palo Alto Networks firewall at a remote site that establishes IPSec tunnels with the gateway(s) at your corporate office(s) for secure access to centralized resources. Configuration on the satellite firewall is minimal, enabling you to quickly and easily scale your VPN as you add new sites.
The following diagram illustrates how the GlobalProtect LSVPN components work together.


Create Interfaces and Zones for the LSVPN

You must configure the following interfaces and zones for your LSVPN infrastructure:
GlobalProtect portal: Requires a Layer 3 interface for GlobalProtect satellites to connect to. If the portal and gateway are on the same firewall, they can use the same interface. The portal must be in a zone that is accessible from your branch offices.
GlobalProtect gateways: Requires three interfaces: a Layer 3 interface in the zone that is reachable by the remote satellites, an internal interface in the trust zone that connects to the protected resources, and a logical tunnel interface for terminating the VPN tunnels from the satellites. Unlike other site-to-site VPN solutions, the GlobalProtect gateway only requires a single tunnel interface, which it will use for tunnel connections with all of your remote satellites (point-to-multipoint). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface. GlobalProtect supports both IPv6 and IPv4 addressing for the tunnel interface.
GlobalProtect satellites: Requires a single tunnel interface for establishing a VPN with the remote gateways (up to a maximum of 25 gateways). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface. GlobalProtect supports both IPv6 and IPv4 addressing for the tunnel interface.
For more information about portals, gateways, and satellites see LSVPN Overview.

Set Up Interfaces and Zones for the GlobalProtect LSVPN

Step 1 Configure a Layer 3 interface.
The portal and each gateway and satellite all require a Layer 3 interface to enable traffic to be routed between sites.
If the gateway and portal are on the same firewall, you can use a single interface for both components.
1. Select Network > Interfaces > Ethernet and then select the interface you want to configure for GlobalProtect LSVPN.
2. Select Layer3 from the Interface Type drop-down.
3. On the Config tab, select the Security Zone to which the interface belongs:
The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
If you have not yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone and then click OK.
4. Select the Virtual Router to use.
5. Assign an IP address to the interface:
For an IPv4 address, select IPv4 and Add the IP address and network mask to assign to the interface, for example 203.0.11.100/24.
For an IPv6 address, select IPv6, Enable IPv6 on the interface, and Add the IP address and network mask to assign to the interface, for example 2001:1890:12f2:11::10.1.8.160/80.
6. To save the interface configuration, click OK.


Step 2 On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect satellites.
IP addresses are not required on the tunnel interface unless you plan to use dynamic routing. However, assigning an IP address to the tunnel interface can be useful for troubleshooting connectivity issues.
NOTE: Make sure to enable User-ID in the zone where the VPN tunnels terminate.
1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, such as .2.
3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
(Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example lsvpntun), select the Enable User Identification check box, and then click OK.
4. Select the Virtual Router.
5. (Optional) To assign an IP address to the tunnel interface:
For an IPv4 address, select IPv4 and Add the IP address and network mask to assign to the interface, for example 203.0.11.100/24.
For an IPv6 address, select IPv6, Enable IPv6 on the interface, and Add the IP address and network mask to assign to the interface, for example 2001:1890:12f2:11::10.1.8.160/80.
6. To save the interface configuration, click OK.

Step 3 If you created a separate zone for tunnel termination of VPN connections, create a security policy to enable traffic flow between the VPN zone and your trust zone.
For example, a policy rule enables traffic between the lsvpntun zone and the L3 Trust zone.

Step 4 Save the configuration. Click Commit.


EnableSSLBetweenGlobalProtectLSVPNComponents

All interaction between the GlobalProtect components occurs over an SSL/TLS connection. Therefore, you must generate and/or install the required certificates before configuring each component so that you can reference the appropriate certificate(s) and/or certificate profiles in the configurations for each component. The following sections describe the supported methods of certificate deployment, descriptions and best practice guidelines for the various GlobalProtect certificates, and provide instructions for generating and deploying the required certificates:
• About Certificate Deployment
• Deploy Server Certificates to the GlobalProtect LSVPN Components
• Deploy Client Certificates to the GlobalProtect Satellites Using SCEP

About Certificate Deployment

There are two basic approaches to deploying certificates for GlobalProtect LSVPN:
• Enterprise Certificate Authority: If you already have your own enterprise certificate authority, you can use this internal CA to issue an intermediate CA certificate for the GlobalProtect portal to enable it to issue certificates to the GlobalProtect gateways and satellites. You can also configure the GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to issue client certificates to GlobalProtect satellites.
• Self-Signed Certificates: You can generate a self-signed root CA certificate on the firewall and use it to issue server certificates for the portal, gateway(s), and satellite(s). As a best practice, create a self-signed root CA certificate on the portal and use it to issue server certificates for the gateways and satellites. This way, the private key used for certificate signing stays on the portal.

Deploy Server Certificates to the GlobalProtect LSVPN Components

The GlobalProtect LSVPN components use SSL/TLS to mutually authenticate. Before deploying the LSVPN, you must assign an SSL/TLS service profile to each portal and gateway. The profile specifies the server certificate and allowed TLS versions for communication with satellites. You don't need to create SSL/TLS service profiles for the satellites because the portal will issue a server certificate for each satellite during the first connection as part of the satellite registration process.
In addition, you must import the root certificate authority (CA) certificate used to issue the server certificates onto each firewall that you plan to host as a gateway or satellite. Finally, on each gateway and satellite participating in the LSVPN, you must configure a certificate profile that will enable them to establish an SSL/TLS connection using mutual authentication.
The following workflow shows the best practice steps for deploying SSL certificates to the GlobalProtect LSVPN components:

Deploy SSL Server Certificates to the GlobalProtect Components

Step 1  On the firewall hosting the GlobalProtect portal, create the root CA certificate for signing the certificates of the GlobalProtect components.
    Create a Self-Signed Root CA Certificate:
    1. Select Device > Certificate Management > Certificates > Device Certificates and click Generate.
    2. Enter a Certificate Name, such as LSVPN_CA.
    3. Do not select a value in the Signed By field (this is what indicates that it is self-signed).
    4. Select the Certificate Authority check box and then click OK to generate the certificate.

Step 2  Create SSL/TLS service profiles for the GlobalProtect portal and gateways.
For the portal and each gateway, you must assign an SSL/TLS service profile that references a unique server certificate issued by the self-signed root CA.
The best practice is to issue all of the required certificates on the portal, so that the signing certificate (with the private key) doesn't have to be exported.
If the GlobalProtect portal and gateway are on the same firewall interface, you can use the same server certificate for both components.
    1. Use the root CA on the portal to Generate a Certificate for the portal and for each gateway you will deploy:
       a. Select Device > Certificate Management > Certificates > Device Certificates and click Generate.
       b. Enter a Certificate Name.
       c. Enter the FQDN (recommended) or IP address of the interface where you plan to configure the gateway in the Common Name field.
       d. In the Signed By field, select the LSVPN_CA certificate you just created.
       e. In the Certificate Attributes section, click Add and define the attributes to uniquely identify the gateway. If you add a Host Name attribute (which populates the SAN field of the certificate), it must exactly match the value you defined for the Common Name.
       f. Generate the certificate.
    2. Configure an SSL/TLS Service Profile for the portal and each gateway:
       a. Select Device > Certificate Management > SSL/TLS Service Profile and click Add.
       b. Enter a Name to identify the profile and select the server Certificate you just created for the portal or gateway.
       c. Define the range of TLS versions (Min Version to Max Version) allowed for communicating with satellites and click OK.


Step 3  Deploy the gateway server certificates (issued by the self-signed root CA) to the gateways.
Best Practices:
• Export the server certificates issued by the root CA from the portal and import them onto the gateways.
• Be sure to issue a unique server certificate for each gateway.
• The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate must match the IP address or fully qualified domain name (FQDN) of the interface where you configure the gateway.
    1. On the portal, select Device > Certificate Management > Certificates > Device Certificates, select the gateway certificate you want to deploy, and click Export.
    2. Select Encrypted Private Key and Certificate (PKCS12) from the File Format drop-down.
    3. Enter (and re-enter) a Passphrase to encrypt the private key associated with the certificate and then click OK to download the PKCS12 file to your computer.
    4. On the gateway, select Device > Certificate Management > Certificates > Device Certificates and click Import.
    5. Enter a Certificate Name.
    6. Enter the path and name to the Certificate File you just downloaded from the portal, or Browse to find the file.
    7. Select Encrypted Private Key and Certificate (PKCS12) as the File Format.
    8. Enter the path and name to the PKCS12 file in the Key File field or Browse to find it.
    9. Enter and re-enter the Passphrase you used to encrypt the private key when you exported it from the portal and then click OK to import the certificate and key.

Step 4  Import the root CA certificate used to issue server certificates for the LSVPN components.
You must import the root CA certificate onto all gateways and satellites. For security reasons, make sure you export the certificate only, and not the associated private key.
    1. Download the root CA certificate from the portal.
       a. Select Device > Certificate Management > Certificates > Device Certificates.
       b. Select the root CA certificate used to issue certificates for the LSVPN components and click Export.
       c. Select Base64 Encoded Certificate (PEM) from the File Format drop-down and click OK to download the certificate. (Do not export the private key.)
    2. On the firewalls hosting the gateways and satellites, import the root CA certificate.
       a. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
       b. Enter a Certificate Name that identifies the certificate as your client CA certificate.
       c. Browse to the Certificate File you exported from the portal.
       d. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
       e. Select the certificate you just imported on the Device Certificates tab to open it.
       f. Select Trusted Root CA and then click OK.
       g. Commit the changes.


Step 5  Create a certificate profile.
The GlobalProtect LSVPN portal and each gateway require a certificate profile that specifies which certificate to use to authenticate the satellites.
    1. Select Device > Certificate Management > Certificate Profile, click Add, and enter a profile Name.
    2. Make sure Username Field is set to None.
    3. In the CA Certificates field, click Add and select the Trusted Root CA certificate you imported in the previous step.
    4. (Optional, but recommended) Enable use of CRL and/or OCSP to enable certificate status verification.
    5. Click OK to save the profile.

Step 6  Save the configuration. Click Commit.

Deploy Client Certificates to the GlobalProtect Satellites Using SCEP

As an alternative method for deploying client certificates to satellites, you can configure your GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to a SCEP server in your enterprise PKI. SCEP operation is dynamic in that the enterprise PKI generates a certificate when the portal requests it and sends the certificate to the portal.
When the satellite device requests a connection to the portal or gateway, it also includes its serial number with the connection request. The portal submits a CSR to the SCEP server using the settings in the SCEP profile and automatically includes the serial number of the device in the subject of the client certificate. After receiving the client certificate from the enterprise PKI, the portal transparently deploys the client certificate to the satellite device. The satellite device then presents the client certificate to the portal or gateway for authentication.

Deploy Client Certificates to the GlobalProtect Satellites Using SCEP

Step 1  Create a SCEP profile.
    1. Select Device > Certificate Management > SCEP and then Add a new profile.
    2. Enter a Name to identify the SCEP profile.
    3. If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.

Step 2  (Optional) To make the SCEP-based certificate generation more secure, configure a SCEP challenge-response mechanism between the PKI and portal for each certificate request.
After you configure this mechanism, its operation is invisible, and no further input from you is necessary.
To comply with the U.S. Federal Information Processing Standard (FIPS), use a Dynamic SCEP challenge and specify a Server URL that uses HTTPS (see Step 7). Use an HTTPS URL in any case: over plain HTTP the challenge password and the PKI administrator credentials cross the network in clear text.
    Select one of the following options:
    • None (Default): The SCEP server does not challenge the portal before it issues a certificate.
    • Fixed: Obtain the enrollment challenge password from the SCEP server in the PKI infrastructure (for example, http://10.200.101.1/CertSrv/mscep_admin/) and then copy or enter the password into the Password field.
    • Dynamic: Enter the SCEP Server URL where the portal submits these credentials (for example, http://10.200.101.1/CertSrv/mscep_admin/), and a username and OTP of your choice. The username and password can be the credentials of the PKI administrator.


Step 3  Specify the settings for the connection between the SCEP server and the portal to enable the portal to request and receive client certificates.
To identify the satellite, the portal automatically includes the device serial number in the CSR it sends to the SCEP server. Because the SCEP profile requires a value in the Subject field, you can leave the default $USERNAME token even though the value is not used in client certificates for LSVPN.
    1. Configure the Server URL that the portal uses to reach the SCEP server in the PKI (for example, http://10.200.101.1/certsrv/mscep/).
    2. Enter a string (up to 255 characters in length) in the CA-IDENT Name field to identify the SCEP server.
    3. Select the Subject Alternative Name Type:
       • RFC 822 Name: Enter the email name in a certificate's subject or Subject Alternative Name extension.
       • DNS Name: Enter the DNS name used to evaluate certificates.
       • Uniform Resource Identifier: Enter the name of the resource from which the client will obtain the certificate.
       • None: Do not specify attributes for the certificate.

Step 4  (Optional) Configure cryptographic settings for the certificate.
    Select the key length (Number of Bits) for the certificate. If the firewall is in FIPS-CC mode and the key generation algorithm is RSA, the RSA keys must be 2048 bits or larger.
    Select the Digest for CSR, which indicates the digest algorithm for the certificate signing request (CSR): SHA1, SHA256, SHA384, or SHA512. Prefer SHA256 or stronger; SHA1 signatures are deprecated and many enterprise CAs reject requests that use it.

Step 5  (Optional) Configure the permitted uses of the certificate, either for signing or encryption.
    To use this certificate for signing, select the Use as digital signature check box. This sets the digitalSignature key usage, so the endpoint can sign with the private key and peers can validate that signature with the public key in the certificate.
    To use this certificate for encryption, select the Use for key encipherment check box. This sets the keyEncipherment key usage, so the key in the certificate can protect the key material of the HTTPS connection established with the certificates issued by the SCEP server.

Step 6  (Optional) To ensure that the portal is connecting to the correct SCEP server, enter the CA Certificate Fingerprint. Obtain this fingerprint from the SCEP server interface in the Thumbprint field.
    1. Enter the URL for the SCEP server's administrative UI (for example, http://<hostname or IP>/CertSrv/mscep_admin/).
    2. Copy the thumbprint and enter it in the CA Certificate Fingerprint field.

Step 7  Enable mutual SSL authentication between the SCEP server and the GlobalProtect portal. This is required to comply with the U.S. Federal Information Processing Standard (FIPS). FIPS-CC operation is indicated on the firewall login page and in its status bar.
    Select the SCEP server's root CA Certificate so the portal can verify the server. To enable mutual SSL authentication (required for FIPS-CC compliance, optional otherwise), also select a Client Certificate that the portal presents to the SCEP server.

Step 8  Save and commit the configuration.
    1. Click OK to save the settings and close the SCEP configuration.
    2. Commit the configuration.
    The portal attempts to request a CA certificate using the settings in the SCEP profile and saves it to the firewall hosting the portal. If successful, the CA certificate is shown in Device > Certificate Management > Certificates.


Step 9  (Optional) If, after saving the SCEP profile, the portal fails to obtain the certificate, you can manually generate a certificate signing request (CSR) from the portal.
    1. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
    2. Enter a Certificate Name. This name cannot contain spaces.
    3. Select the SCEP Profile to use to submit a CSR to your enterprise PKI.
    4. Click OK to submit the request and generate the certificate.

Configure the Portal to Authenticate Satellites

In order to register with the LSVPN, each satellite must establish an SSL/TLS connection with the portal. After establishing the connection, the portal authenticates the satellite to ensure that it is authorized to join the LSVPN. After successfully authenticating the satellite, the portal will issue a server certificate for the satellite and push the LSVPN configuration specifying the gateways to which the satellite can connect and the root CA certificate required to establish an SSL connection with the gateways.
There are two ways that the satellite can authenticate to the portal during its initial connection:
• Serial number: You can configure the portal with the serial numbers of the satellite firewalls that are authorized to join the LSVPN. During the initial satellite connection to the portal, the satellite presents its serial number to the portal, and if the portal has the serial number in its configuration, the satellite will be successfully authenticated. You add the serial numbers of authorized satellites when you configure the portal. See Configure the Portal.
• Username and password: If you would rather provision your satellites without manually entering the serial numbers of the satellites into the portal configuration, you can instead require the satellite administrator to authenticate when establishing the initial connection to the portal. Although the portal will always look for the serial number in the initial request from the satellite, if it cannot identify the serial number, the satellite administrator must provide a username and password to authenticate to the portal. Because the portal will always fall back to this form of authentication, you must create an authentication profile in order to commit the portal configuration. This requires that you set up an authentication profile for the portal LSVPN configuration even if you plan to authenticate satellites using the serial number.

The following workflow describes how to set up the portal to authenticate satellites against an existing authentication service. GlobalProtect LSVPN can authenticate satellite administrators against the local database or an external service: LDAP (including Active Directory), Kerberos, TACACS+, RADIUS, or SAML.

Set Up Satellite Authentication

Step 1  (External authentication only) Create a server profile on the portal.
The server profile defines how the firewall connects to an external authentication service to validate the authentication credentials that the satellite administrator enters.
NOTE: If you use local authentication, skip this step and instead add a local user for the satellite administrator: see Add the user account to the local database.
    Configure a server profile for the authentication service type:
    • Add a RADIUS server profile. You can use RADIUS to integrate with a Multi-Factor Authentication service.
    • Add a TACACS+ server profile.
    • Add a SAML IdP server profile.
    • Add a Kerberos server profile.
    • Add an LDAP server profile. If you use LDAP to connect to Active Directory (AD), create a separate LDAP server profile for every AD domain.

Step 2  Configure an authentication profile.
The authentication profile defines which server profile to use to authenticate satellites.
    1. Select Device > Authentication Profile and click Add.
    2. Enter a Name for the profile and then select the authentication Type. If the Type is an external service, select the Server Profile you created in the previous step. If you added a local user instead, set the Type to Local Database.
    3. Click OK and Commit.

Configure GlobalProtect Gateways for LSVPN

Because the GlobalProtect configuration that the portal delivers to the satellites includes the list of gateways the satellite can connect to, it is a good idea to configure the gateways before configuring the portal.
Before you can configure the GlobalProtect gateway, you must complete the following tasks:
• Create Interfaces and Zones for the LSVPN on the interface where you will configure each gateway. You must configure both the physical interface and the virtual tunnel interface.
• Enable SSL Between GlobalProtect LSVPN Components by configuring the gateway server certificates, SSL/TLS service profiles, and certificate profile required to establish a mutual SSL/TLS connection from the GlobalProtect satellites to the gateway.
Configure each GlobalProtect gateway to participate in the LSVPN as follows:

Configure the Gateway for LSVPN

Step 1  Add a gateway.
    1. Select Network > GlobalProtect > Gateways and click Add.
    2. In the General screen, enter a Name for the gateway. The gateway name should have no spaces and, as a best practice, should include the location or other descriptive information to help users and administrators identify the gateway.
    3. (Optional) Select the virtual system to which this gateway belongs from the Location field.

Step 2  Specify the network information that enables satellite devices to connect to the gateway.
If you haven't created the network interface for the gateway, see Create Interfaces and Zones for the LSVPN for instructions.
    1. Select the Interface that satellites will use for ingress access to the gateway.
    2. Specify the IP Address Type and IP address for gateway access:
       • The IP address type can be IPv4 (for IPv4 traffic only), IPv6 (for IPv6 traffic only), or IPv4 and IPv6. Use IPv4 and IPv6 if your network supports dual-stack configurations, where IPv4 and IPv6 run at the same time.
       • The IP address must be compatible with the IP address type. For example, 172.16.1.1 for IPv4 addresses or 21DA:D3:0:2F3B::1 for IPv6 addresses. For dual-stack configurations, enter both an IPv4 and an IPv6 address.
    3. Click OK to save changes.

Step 3  Specify how the gateway authenticates satellites attempting to establish tunnels.
If you haven't yet created an SSL/TLS Service profile for the gateway, see Deploy Server Certificates to the GlobalProtect LSVPN Components.
If you haven't set up the authentication profiles, see Configure the Portal to Authenticate Satellites for instructions.
If you have not yet set up the certificate profile, see Enable SSL Between GlobalProtect LSVPN Components for instructions.
    On the GlobalProtect Gateway Configuration dialog, select Authentication and then configure any of the following:
    • To secure communication between the gateway and the satellites, select the SSL/TLS Service Profile for the gateway.
    • To specify the authentication profile to use to authenticate satellites, Add a Client Authentication. Then, enter a Name to identify the configuration, select OS: Satellite to apply the configuration to all satellites, and specify the Authentication Profile to use to authenticate the satellite. You can also select a Certificate Profile for the gateway to use to authenticate satellite devices attempting to establish tunnels.


Step 4  Configure the tunnel parameters and enable tunneling.
    1. On the GlobalProtect Gateway Configuration dialog, select Satellite > Tunnel Settings.
    2. Select the Tunnel Configuration check box to enable tunneling.
    3. Select the Tunnel Interface you defined to terminate VPN tunnels established by the GlobalProtect satellites when you performed the task to Create Interfaces and Zones for the LSVPN.
    4. (Optional) If you want to preserve the Type of Service (ToS) information in the encapsulated packets, select Copy TOS.
       NOTE: If there are multiple sessions inside the tunnel (each with a different TOS value), copying the TOS header can cause the IPSec packets to arrive out of order.

Step 5  (Optional) Enable tunnel monitoring.
Tunnel monitoring enables each satellite to monitor its gateway tunnel connection, allowing it to fail over to a backup gateway if the connection fails. Failover to another gateway is the only type of tunnel monitoring profile supported with LSVPN.
    1. Select the Tunnel Monitoring check box.
    2. Specify the Destination IP Address the satellites should use to determine if the gateway is active. You can specify an IPv4 address, an IPv6 address, or both. Alternatively, if you configured an IP address for the tunnel interface, you can leave this field blank and the tunnel monitor will instead use the tunnel interface address to determine if the connection is active.
    3. Select Failover from the Tunnel Monitor Profile drop-down (this is the only supported tunnel monitor profile for LSVPN).

Step 6  Select the IPSec Crypto profile to use when establishing tunnel connections.
The profile specifies the type of IPSec encryption and the authentication method for securing the data that will traverse the tunnel. Because both tunnel endpoints in an LSVPN are trusted firewalls within your organization, you can typically use the default (predefined) profile, which uses ESP as the IPSec protocol, group2 for the DH group, AES-128-CBC for encryption, and SHA1 for authentication. Note that DH group 2 (1024-bit MODP) and SHA1 are no longer considered strong choices; where your satellites support it, a custom profile with a larger DH group and a SHA-2 authentication algorithm is preferable.
    In the IPSec Crypto Profile drop-down, select default to use the predefined profile or select New IPSec Crypto Profile to define a new profile. For details on the authentication and encryption options, see Define IPSec Crypto Profiles.


Step 7  Configure the network settings to assign the satellites during establishment of the IPSec tunnel.
You can also configure the satellite to push the DNS settings to its local clients by configuring a DHCP server on the firewall hosting the satellite. In this configuration, the satellite will push DNS settings it learns from the gateway to the DHCP clients.
    1. On the GlobalProtect Gateway Configuration dialog, select Satellite > Network Settings.
    2. (Optional) If clients local to the satellite need to resolve FQDNs on the corporate network, configure the gateway to push DNS settings to the satellites in one of the following ways:
       • If the gateway has an interface that is configured as a DHCP client, you can set the Inheritance Source to that interface and assign the same settings received by the DHCP client to GlobalProtect satellites. You can also inherit the DNS suffix from the same source.
       • Manually define the Primary DNS, Secondary DNS, and DNS Suffix settings to push to the satellites.
    3. To specify the IP Pool of addresses to assign the tunnel interface on the satellites when the VPN is established, click Add and then specify the IP address range(s) to use.
    4. To define what destination subnets to route through the tunnel, click Add in the Access Route area and then enter the routes as follows:
       • If you want to route all traffic from the satellites through the tunnel, leave this field blank. Note that in this case, all traffic except traffic destined for the local subnet will be tunneled to the gateway.
       • To route only some traffic through the gateway (called split tunneling), specify the destination subnets that must be tunneled. In this case, the satellite will route traffic that is not destined for a specified access route using its own routing table. For example, you may choose to only tunnel traffic destined for your corporate network, and use the local satellite to safely enable Internet access.
       • If you want to enable routing between satellites, enter the summary route for the network protected by each satellite.

Step 8  (Optional) Define what routes, if any, the gateway will accept from satellites.
By default, the gateway will not add any routes satellites advertise to its routing table. If you do not want the gateway to accept routes from satellites, you do not need to complete this step.
    1. To enable the gateway to accept routes advertised by satellites, select Satellite > Route Filter.
    2. Select the Accept published routes check box.
    3. To filter which of the routes advertised by the satellites to add to the gateway routing table, click Add and then define the subnets to include. For example, if all the satellites are configured with subnets of the form 192.168.x.0/24 on the LAN side, configure a permitted route of 192.168.0.0/16 so that the gateway accepts a route from a satellite only if it lies within 192.168.0.0/16.
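A small model of the route-filter decision in Step 8, added here as an example (not code from this guide or from PAN-OS): given the permitted subnets you would enter under Satellite > Route Filter, it reports which of the routes a satellite publishes the gateway would install. It assumes, as the text implies, that a published route is accepted only when it falls inside a permitted subnet (same or longer prefix length, matching network bits); a route broader than the filter, such as a default route, is rejected. IPv4 only; the published routes listed in SAMPLE_ROUTES are constructed.

```shell
#!/bin/sh
# Added example (not from the PAN-OS guide): models the Satellite > Route Filter
# decision so you can check, before committing, which published routes the
# gateway would accept. Assumption: a route is accepted only if it is inside a
# permitted subnet. IPv4 only; sample routes are constructed.
set -eu

# dotted quad -> 32-bit integer
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_permitted ROUTE PERMITTED_SUBNET...
# exit 0 when ROUTE (a.b.c.d/len) lies inside any permitted subnet
route_permitted() {
  route=$1; shift
  r_net=${route%/*}; r_len=${route#*/}
  for permit in "$@"; do
    p_net=${permit%/*}; p_len=${permit#*/}
    [ "$r_len" -ge "$p_len" ] || continue      # broader than the filter: not inside it
    mask=$(( (4294967295 << (32 - p_len)) & 4294967295 ))
    if [ $(( $(ip2int "$r_net") & mask )) -eq $(( $(ip2int "$p_net") & mask )) ]; then
      return 0
    fi
  done
  return 1
}

# filter_published_routes PERMITTED_SUBNET...
# reads one published route per line on stdin, prints the ones the gateway installs
filter_published_routes() {
  while read -r route; do
    [ -n "$route" ] || continue
    if route_permitted "$route" "$@"; then
      echo "$route"
    fi
  done
}

# constructed sample of what satellites might publish, including a default
# route and a route outside the branch range that the filter must drop
SAMPLE_ROUTES='192.168.10.0/24
192.168.20.0/24
10.20.0.0/16
192.168.0.0/16
0.0.0.0/0'

# the guide's example filter: permit 192.168.0.0/16
accepted_for_example() {
  echo "$SAMPLE_ROUTES" | filter_published_routes 192.168.0.0/16
}

accepted_for_example
```

Add more permitted subnets as extra arguments to filter_published_routes to model a filter list with several entries; a route is accepted if any entry covers it.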

Step 9  Save the gateway configuration.
    1. Click OK to save the settings and close the GlobalProtect Gateway Configuration dialog.
    2. Commit the configuration.

Configure the GlobalProtect Portal for LSVPN

The GlobalProtect portal provides the management functions for your GlobalProtect LSVPN. Every satellite system that participates in the LSVPN receives configuration information from the portal, including information about available gateways as well as the certificate it needs in order to connect to the gateways. The following sections provide procedures for setting up the portal:
• GlobalProtect Portal for LSVPN Prerequisite Tasks
• Configure the Portal
• Define the Satellite Configurations

GlobalProtect Portal for LSVPN Prerequisite Tasks

Before configuring the GlobalProtect portal, you must complete the following tasks:
• Create Interfaces and Zones for the LSVPN on the interface where you will configure the portal.
• Enable SSL Between GlobalProtect LSVPN Components by creating an SSL/TLS service profile for the portal server certificate, issuing gateway server certificates, and configuring the portal to issue server certificates for the GlobalProtect satellites.
• Configure the Portal to Authenticate Satellites by defining the authentication profile that the portal will use to authenticate satellites if the serial number is not available.
• Configure GlobalProtect Gateways for LSVPN.

Configure the Portal

After you have completed the GlobalProtect Portal for LSVPN Prerequisite Tasks, configure the GlobalProtect portal as follows:

Configure the Portal for LSVPN

Step 1  Add the portal.
    1. Select Network > GlobalProtect > Portals and click Add.
    2. On the General tab, enter a Name for the portal. The portal name should not contain any spaces.
    3. (Optional) Select the virtual system to which this portal belongs from the Location field.


Step 2  Specify the network information to enable satellites to connect to the portal.
If you haven't yet created the network interface for the portal, see Create Interfaces and Zones for the LSVPN for instructions.
    1. Select the Interface that satellites will use for ingress access to the portal.
    2. Specify the IP Address Type and IP address for satellite access to the portal:
       • The IP address type can be IPv4 (for IPv4 traffic only), IPv6 (for IPv6 traffic only), or IPv4 and IPv6. Use IPv4 and IPv6 if your network supports dual-stack configurations, where IPv4 and IPv6 run at the same time.
       • The IP address must be compatible with the IP address type. For example, 172.16.1.1 for IPv4 addresses or 21DA:D3:0:2F3B::1 for IPv6 addresses. For dual-stack configurations, enter both an IPv4 and an IPv6 address.
    3. Click OK to save changes.

Step 3  Specify an SSL/TLS Service profile to use to enable the satellite to establish an SSL/TLS connection to the portal.
If you haven't yet created an SSL/TLS service profile for the portal and issued gateway certificates, see Deploy Server Certificates to the GlobalProtect LSVPN Components.
    1. On the GlobalProtect Portal Configuration dialog, select Authentication.
    2. Select the SSL/TLS Service Profile.

Step 4  Specify an authentication profile and optional certificate profile for authenticating satellites.
If the portal can't validate the serial numbers of connecting satellites, it will fall back to the authentication profile. Therefore, before you can save the portal configuration (by clicking OK), you must Configure an authentication profile.
    Add a Client Authentication, and then enter a Name to identify the configuration, select OS: Satellite to apply the configuration to all satellites, and specify the Authentication Profile to use to authenticate satellite devices. You can also specify a Certificate Profile for the portal to use to authenticate satellite devices.

Step 5  Continue with defining the configurations to push to the satellites or, if you have already created the satellite configurations, save the portal configuration.
    Click OK to save the portal configuration or continue to Define the Satellite Configurations.

Define the Satellite Configurations

When a GlobalProtect satellite connects and successfully authenticates to the GlobalProtect portal, the portal delivers a satellite configuration, which specifies what gateways the satellite can connect to. If all your satellites will use the same gateway and certificate configurations, you can create a single satellite configuration to deliver to all satellites upon successful authentication. However, if you require different satellite configurations (for example, if you want one group of satellites to connect to one gateway and another group of satellites to connect to a different gateway), you can create a separate satellite configuration for each. The portal will then use the enrollment username/group name or the serial number of the satellite to determine which satellite configuration to deploy. As with security rule evaluation, the portal looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the satellite.
For example, the following figure shows a network in which some branch offices require VPN access to the corporate applications protected by your perimeter firewalls and another site needs VPN access to the data center.

Use the following procedure to create one or more satellite configurations.

Create a GlobalProtect Satellite Configuration

Step 1  Add a satellite configuration.
The satellite configuration specifies the GlobalProtect LSVPN configuration settings to deploy to the connecting satellites. You must define at least one satellite configuration.
    1. Select Network > GlobalProtect > Portals, select the portal configuration for which you want to add a satellite configuration, and then select the Satellite tab.
    2. In the Satellite section, click Add.
    3. Enter a Name for the configuration. If you plan to create multiple configurations, make sure the name you define for each is descriptive enough to allow you to distinguish them.
    4. To change how often a satellite should check the portal for configuration updates, specify a value in the Configuration Refresh Interval (hours) field (range is 1-48; default is 24).


Step 2  Specify the satellites to which to deploy this configuration.
The portal uses the Enrollment User/User Group settings and/or Devices serial numbers to match a satellite to a configuration. Therefore, if you have multiple configurations, be sure to order them properly. As soon as the portal finds a match, it will deliver the configuration. Therefore, more specific configurations must precede more general ones. See Step 5 for instructions on ordering the list of satellite configurations.
    Specify the match criteria for the satellite configuration as follows:
    • To restrict this configuration to satellites with specific serial numbers, select the Devices tab, click Add, and enter the serial number (you do not need to enter the satellite hostname; it will be automatically added when the satellite connects). Repeat this step for each satellite you want to receive this configuration.
    • Select the Enrollment User/User Group tab, click Add, and then select the user or group you want to receive this configuration. Satellites that do not match on serial number will be required to authenticate as a user specified here (either an individual user or group member).
    NOTE: Before you can restrict the configuration to specific groups, you must Map Users to Groups.

Step 3  Specify the gateways that satellites with this configuration can establish VPN tunnels with.

NOTE: Routes published by the gateway are installed on the satellite as static routes. The metric for the static route is 10x the routing priority. If you have more than one gateway, make sure to also set the routing priority to ensure that routes advertised by backup gateways have higher metrics compared to the same routes advertised by primary gateways. For example, if you set the routing priority for the primary gateway and backup gateway to 1 and 10 respectively, the satellite will use 10 as the metric for the primary gateway and 100 as the metric for the backup gateway.

1. On the Gateways tab, click Add.
2. Enter a descriptive Name for the gateway. The name you enter here should match the name you defined when you configured the gateway and should be descriptive enough to identify the location of the gateway.
3. Enter the FQDN or IP address of the interface where the gateway is configured in the Gateways field. The address you specify must exactly match the Common Name (CN) in the gateway server certificate.
4. (Optional) If you are adding two or more gateways to the configuration, the Routing Priority helps the satellite pick the preferred gateway. Enter a value in the range of 1-25, with lower numbers having the higher priority (that is, the gateway the satellite will connect to if all gateways are available). The satellite will multiply the routing priority by 10 to determine the routing metric.
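The metric rule in the note above, worked through as an added example (not Palo Alto Networks code): routes published by each gateway become static routes on the satellite with metric 10 x Routing Priority, so a prefix learned from both gateways is used via the primary and falls back to the backup when the primary tunnel is down. Gateway names and the prefix are constructed sample values.

```python
"""Route metrics and gateway preference derived from Routing Priority.

Added example, not Palo Alto Networks code. It models the note above: each
route a gateway publishes is installed on the satellite as a static route
with metric 10 x that gateway's Routing Priority (1-25), so the same prefix
learned from primary and backup gateways is preferred via the primary and
fails over to the backup when the primary tunnel is down. Gateway names and
prefixes are constructed sample values.
"""
from typing import Dict, Iterable, List, Optional, Tuple

PRIORITY_RANGE = range(1, 26)   # Routing Priority accepts 1-25


def route_metric(priority: int) -> int:
    """Static-route metric the satellite derives from a gateway's Routing Priority."""
    if priority not in PRIORITY_RANGE:
        raise ValueError(f"routing priority must be in 1-25, got {priority}")
    return priority * 10


def preferred_gateway(gateways: Dict[str, int], available: Iterable[str]) -> Optional[str]:
    """Gateway the satellite connects to first: lowest priority number among those reachable."""
    up = set(available)
    reachable = [(prio, name) for name, prio in gateways.items() if name in up]
    return min(reachable)[1] if reachable else None


def satellite_static_routes(gateways: Dict[str, int], published: Dict[str, List[str]],
                            available: Iterable[str]) -> Dict[str, List[Tuple[int, str]]]:
    """Static routes on the satellite: {prefix: [(metric, gateway), ...]}, best first.

    Routes from a gateway whose tunnel is down are withdrawn, which is what
    makes the lower-metric path disappear and the backup path take over.
    """
    up = set(available)
    rib: Dict[str, List[Tuple[int, str]]] = {}
    for gateway, prefixes in published.items():
        if gateway not in up:
            continue
        for prefix in prefixes:
            rib.setdefault(prefix, []).append((route_metric(gateways[gateway]), gateway))
    for entries in rib.values():
        entries.sort()                     # lowest metric first
    return rib


def active_path(rib: Dict[str, List[Tuple[int, str]]], prefix: str) -> Optional[str]:
    """Gateway currently used for a prefix, or None if no gateway publishes it."""
    entries = rib.get(prefix)
    return entries[0][1] if entries else None


# Constructed sample: the priorities 1 and 10 from the note, both gateways
# publishing the same corporate subnet.
GATEWAYS = {"gw-primary": 1, "gw-backup": 10}
PUBLISHED = {"gw-primary": ["10.2.10.0/24"], "gw-backup": ["10.2.10.0/24"]}

if __name__ == "__main__":
    both = satellite_static_routes(GATEWAYS, PUBLISHED, ["gw-primary", "gw-backup"])
    print(both)                                      # primary at metric 10, backup at 100
    print(active_path(both, "10.2.10.0/24"))         # gw-primary
    only_backup = satellite_static_routes(GATEWAYS, PUBLISHED, ["gw-backup"])
    print(active_path(only_backup, "10.2.10.0/24"))  # gw-backup
```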

Step 4  Save the satellite configuration.

1. Click OK to save the satellite configuration.
2. If you want to add another satellite configuration, repeat the previous steps.

Step 5  Arrange the satellite configurations so that the proper configuration is deployed to each satellite.

- To move a satellite configuration up on the list of configurations, select the configuration and click Move Up.
- To move a satellite configuration down on the list of configurations, select the configuration and click Move Down.
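The matching and ordering rules of Step 2 and Step 5, modelled as an added example (not Palo Alto Networks code): the ordered list is searched for a serial-number match first, a satellite without one must authenticate and is then matched on Enrollment User/User Group, and the first match wins, so a catch-all entry placed too high shadows the user/group entries below it. Serial numbers and configuration names are constructed.

```python
"""Model of how a GlobalProtect portal picks a satellite configuration.

Added example, not Palo Alto Networks code. It reproduces the matching rule
described in Step 2 and Step 5: the ordered list is searched for a serial
number match first; a satellite with no serial match must authenticate and
is then matched on Enrollment User/User Group; the first match wins, so a
catch-all entry placed early shadows every user/group entry after it.
Serial numbers and names below are constructed sample values.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence


@dataclass(frozen=True)
class SatelliteConfig:
    name: str
    serials: FrozenSet[str] = frozenset()   # Devices tab
    users: FrozenSet[str] = frozenset()     # Enrollment User
    groups: FrozenSet[str] = frozenset()    # User Group

    def is_catch_all(self) -> bool:
        # No Devices and no Enrollment User/User Group restriction at all.
        return not (self.serials or self.users or self.groups)


def match_by_serial(configs: Sequence[SatelliteConfig], serial: str) -> Optional[SatelliteConfig]:
    """First configuration whose Devices list contains this serial number."""
    for cfg in configs:
        if serial in cfg.serials:
            return cfg
    return None


def match_by_user(configs: Sequence[SatelliteConfig], username: str,
                  user_groups: Sequence[str]) -> Optional[SatelliteConfig]:
    """First configuration that admits an authenticated user (or a catch-all)."""
    memberships = frozenset(user_groups)
    for cfg in configs:
        if username in cfg.users or cfg.groups & memberships or cfg.is_catch_all():
            return cfg
    return None


def select_config(configs: Sequence[SatelliteConfig], serial: str,
                  username: Optional[str] = None, user_groups: Sequence[str] = ()) -> Optional[SatelliteConfig]:
    """Configuration the portal delivers, or None if the satellite still has to authenticate."""
    cfg = match_by_serial(configs, serial)
    if cfg is not None:
        return cfg
    if username is None:
        return None          # no serial match: portal waits for "enter credentials"
    return match_by_user(configs, username, user_groups)


def shadowed_configs(configs: Sequence[SatelliteConfig]) -> List[str]:
    """Names of user/group entries that can never be delivered.

    A catch-all entry matches every authenticated user, so any user/group
    entry listed below it is unreachable; Move Up the specific entries.
    Serial-number entries are unaffected because serials are checked first.
    """
    seen_catch_all = False
    shadowed = []
    for cfg in configs:
        if cfg.is_catch_all():
            seen_catch_all = True
        elif seen_catch_all and not cfg.serials:
            shadowed.append(cfg.name)
    return shadowed


# Constructed sample list, already in the recommended specific-to-general order.
SAMPLE_CONFIGS = [
    SatelliteConfig("branch-hq-pinned", serials=frozenset({"SN-PLACEHOLDER-0001"})),
    SatelliteConfig("contractor-sites", groups=frozenset({"vpn-contractors"})),
    SatelliteConfig("default-satellites"),
]

if __name__ == "__main__":
    print(select_config(SAMPLE_CONFIGS, "SN-PLACEHOLDER-0001").name)               # branch-hq-pinned
    print(select_config(SAMPLE_CONFIGS, "SN-UNKNOWN", "alice", ["vpn-contractors"]).name)  # contractor-sites
    print(shadowed_configs(list(reversed(SAMPLE_CONFIGS))))                        # ['contractor-sites']
```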


Step 6  Specify the certificates required to enable satellites to participate in the LSVPN.

1. In the Trusted Root CA field, click Add and then select the CA certificate used to issue the gateway server certificates. The portal will deploy the root CA certificate you add here to all satellites as part of the configuration to enable the satellite to establish an SSL connection with the gateways. As a best practice, all of your gateways should use the same issuer.
2. Select the method of Client Certificate distribution:
- To store the client certificates on the portal, select Local and, from the Issuing Certificate drop-down, select the root CA certificate that the portal will use to issue client certificates to satellites upon successfully authenticating them.
NOTE: If the root CA certificate used to issue your gateway server certificates is not on the portal, you can Import it now. See Enable SSL Between GlobalProtect LSVPN Components for details on how to import a root CA certificate.
- To enable the portal to act as a SCEP client to dynamically request and issue client certificates, select SCEP and then select the SCEP profile used to generate CSRs to your SCEP server.
NOTE: If you have not yet set up the portal to act as a SCEP client, you can add a New SCEP profile now. See Deploy Client Certificates to the GlobalProtect Satellites Using SCEP for details.

Step 7  Save the portal configuration.

1. Click OK to save the settings and close the GlobalProtect Portal Configuration dialog.
2. Commit your changes.


Prepare the Satellite to Join the LSVPN

To participate in the LSVPN, the satellites require a minimal amount of configuration. Because the required configuration is minimal, you can pre-configure the satellites before shipping them to your branch offices for installation.

Prepare the Satellite to Join the GlobalProtect LSVPN

Step 1  Configure a Layer 3 interface.

This is the physical interface the satellite will use to connect to the portal and the gateway. This interface must be in a zone that allows access outside of the local trust network. As a best practice, create a dedicated zone for VPN connections for visibility and control over traffic destined for the corporate gateways.

Step 2  Configure the logical tunnel interface for the tunnel to use to establish VPN tunnels with the GlobalProtect gateways.

NOTE: IP addresses are not required on the tunnel interface unless you plan to use dynamic routing. However, assigning an IP address to the tunnel interface can be useful for troubleshooting connectivity issues.

1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, such as .2.
3. On the Config tab, expand the Security Zone drop-down and select an existing zone or create a separate zone for VPN tunnel traffic by clicking New Zone and defining a Name for the new zone (for example, lsvpnsat).
4. In the Virtual Router drop-down, select default.
5. (Optional) To assign an IP address to the tunnel interface:
- For an IPv4 address, select IPv4 and Add the IP address and network mask to assign to the interface, for example 203.0.11.100/24.
- For an IPv6 address, select IPv6, Enable IPv6 on the interface, and Add the IP address and network mask to assign to the interface, for example 2001:1890:12f2:11::10.1.8.160/80.
6. To save the interface configuration, click OK.


Step 3  If you generated the portal server certificate using a root CA that is not trusted by the satellites (for example, if you used self-signed certificates), import the root CA certificate used to issue the portal server certificate.

The root CA certificate is required to enable the satellite to establish the initial connection with the portal to obtain the LSVPN configuration.

1. Download the CA certificate that was used to generate the portal server certificates. If you are using self-signed certificates, export the root CA certificate from the portal as follows:
   a. Select Device > Certificate Management > Certificates > Device Certificates.
   b. Select the CA certificate, and click Export.
   c. Select Base64 Encoded Certificate (PEM) from the File Format drop-down and click OK to download the certificate. (You do not need to export the private key.)
2. Import the root CA certificate you just exported onto each satellite as follows:
   a. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
   b. Enter a Certificate Name that identifies the certificate as your client CA certificate.
   c. Browse to the Certificate File you downloaded from the CA.
   d. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
   e. Select the certificate you just imported on the Device Certificates tab to open it.
   f. Select Trusted Root CA and then click OK.

Step 4  Configure the IPSec tunnel configuration.

1. Select Network > IPSec Tunnels and click Add.
2. On the General tab, enter a descriptive Name for the IPSec configuration.
3. Select the Tunnel Interface you created for the satellite.
4. Select GlobalProtect Satellite as the Type.
5. Enter the IP address or FQDN of the portal as the Portal Address.
6. Select the Layer 3 Interface you configured for the satellite.
7. Select the IP Address to use on the selected interface. You can select an IPv4 address, an IPv6 address, or both. Specify if you want IPv6 preferred for portal registration.


Step 5  (Optional) Configure the satellite to publish local routes to the gateway.

Pushing routes to the gateway enables traffic to the subnets local to the satellite via the gateway. However, you must also configure the gateway to accept the routes as detailed in Configure GlobalProtect Gateways for LSVPN.

1. To enable the satellite to push routes to the gateway, on the Advanced tab select Publish all static and connected routes to Gateway.
   If you select this check box, the firewall will forward all static and connected routes from the satellite to the gateway. However, to prevent the creation of routing loops, the firewall will apply some route filters, such as the following:
   - Default routes
   - Routes within a virtual router other than the virtual router associated with the tunnel interface
   - Routes using the tunnel interface
   - Routes using the physical interface associated with the tunnel interface
2. (Optional) If you only want to push routes for specific subnets rather than all routes, click Add in the Subnet section and specify which subnet routes to publish.
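The route filters listed in Step 5, applied to a constructed satellite routing table as an added example (not Palo Alto Networks code). The optional Subnet list is modelled as "publish only routes contained in the listed subnets", which is an assumption; the table, virtual router name and interface names are constructed to match the satellite layout used in this chapter.

```python
"""Route filters applied when a satellite publishes routes to its gateway.

Added example, not Palo Alto Networks code. It applies the filters listed in
Step 5 to a constructed satellite routing table: only static and connected
routes are candidates; default routes, routes in a virtual router other than
the tunnel's, and routes via the tunnel interface or its underlying physical
interface are dropped. The optional Subnet list is modelled as an extra
"publish only routes inside these subnets" filter, which is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Route:
    vrouter: str     # virtual router the route belongs to
    prefix: str      # destination, e.g. "192.168.10.0/24"
    interface: str   # egress interface
    kind: str        # "static", "connected", "ospf", "bgp", ...


def is_default_route(prefix: str) -> bool:
    return ip_network(prefix, strict=False).prefixlen == 0


def inside_any(prefix: str, subnets: Iterable[str]) -> bool:
    """True if prefix is equal to or contained in one of the given subnets."""
    net = ip_network(prefix, strict=False)
    for s in subnets:
        container = ip_network(s, strict=False)
        if container.version == net.version and net.subnet_of(container):
            return True
    return False


def publishable_routes(routes: Iterable[Route], tunnel_if: str, tunnel_vr: str,
                       physical_if: str, subnets: Optional[List[str]] = None) -> List[str]:
    """Prefixes the satellite would forward to the gateway, in table order."""
    published = []
    for r in routes:
        if r.kind not in ("static", "connected"):
            continue                       # only static and connected routes are eligible
        if is_default_route(r.prefix):
            continue                       # filter: default routes
        if r.vrouter != tunnel_vr:
            continue                       # filter: other virtual routers
        if r.interface in (tunnel_if, physical_if):
            continue                       # filter: tunnel interface or its physical interface (loop risk)
        if subnets is not None and not inside_any(r.prefix, subnets):
            continue                       # optional Subnet list (assumed semantics, see above)
        published.append(r.prefix)
    return published


# Constructed satellite routing table. The tunnel tunnel.2 lives in virtual
# router "default" and rides on ethernet1/1, matching the example layout above.
SAMPLE_ROUTES = [
    Route("default", "0.0.0.0/0", "ethernet1/1", "static"),          # default route
    Route("default", "203.0.113.0/24", "ethernet1/1", "connected"),  # physical interface under the tunnel
    Route("default", "192.168.10.0/24", "ethernet1/2", "connected"),
    Route("default", "192.168.20.0/24", "ethernet1/2", "static"),
    Route("default", "10.2.10.0/24", "tunnel.2", "static"),          # learned via the tunnel itself
    Route("guest-vr", "192.168.30.0/24", "ethernet1/3", "connected"),  # other virtual router
    Route("default", "172.16.0.0/16", "ethernet1/2", "ospf"),        # dynamic, not static/connected
]

if __name__ == "__main__":
    print(publishable_routes(SAMPLE_ROUTES, "tunnel.2", "default", "ethernet1/1"))
    print(publishable_routes(SAMPLE_ROUTES, "tunnel.2", "default", "ethernet1/1", ["192.168.20.0/24"]))
```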

Step 6  Save the satellite configuration.

1. Click OK to save the IPSec tunnel settings.
2. Click Commit.

Step 7  If required, provide the credentials to allow the satellite to authenticate to the portal.

This step is only required if the portal was unable to find a serial number match in its configuration or if the serial number didn't work. In this case, the satellite will not be able to establish the tunnel with the gateway(s).

1. Select Network > IPSec Tunnels and click the Gateway Info link in the Status column of the tunnel configuration you created for the LSVPN.
2. Click the enter credentials link in the Portal Status field and enter the username and password required to authenticate the satellite to the portal.
   After the satellite successfully authenticates to the portal, it will receive its signed certificate and configuration, which it will use to connect to the gateway(s). You should see the tunnel establish and the Status change to Active.


Verify the LSVPN Configuration

After configuring the portal, gateways, and satellites, verify that the satellites are able to connect to the portal and gateway and establish VPN tunnels with the gateway(s).

Step 1  Verify satellite connectivity with the portal.

From the firewall hosting the portal, verify that satellites are successfully connecting by selecting Network > GlobalProtect > Portal and clicking Satellite Info in the Info column of the portal configuration entry.

Step 2  Verify satellite connectivity with the gateway(s).

On each firewall hosting a gateway, verify that satellites are able to establish VPN tunnels by selecting Network > GlobalProtect > Gateways and clicking Satellite Info in the Info column of the gateway configuration entry. Satellites that have successfully established tunnels with the gateway will display on the Active Satellites tab.

Step 3  Verify LSVPN tunnel status on the satellite.

On each firewall hosting a satellite, verify the tunnel status by selecting Network > IPSec Tunnels and verifying that the Status is active, as indicated by a green icon.


LSVPN Quick Configs

The following sections provide step-by-step instructions for configuring some common GlobalProtect LSVPN deployments:
- Basic LSVPN Configuration with Static Routing
- Advanced LSVPN Configuration with Dynamic Routing
- Advanced LSVPN Configuration with iBGP


Basic LSVPN Configuration with Static Routing

This quick config shows the fastest way to get up and running with LSVPN. In this example, a single firewall at the corporate headquarters site is configured as both a portal and a gateway. Satellites can be quickly and easily deployed with minimal configuration for optimized scalability.

The following workflow shows the steps for setting up this basic configuration:

Quick Config: Basic LSVPN with Static Routing

Step 1  Configure a Layer 3 interface.

In this example, the Layer 3 interface on the portal/gateway requires the following configuration:
- Interface: ethernet1/11
- Security Zone: lsvpntun
- IPv4: 203.0.113.11/24

Step 2  On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect satellites.

NOTE: To enable visibility into users and groups connecting over the VPN, enable User-ID in the zone where the VPN tunnels terminate.

In this example, the Tunnel interface on the portal/gateway requires the following configuration:
- Interface: tunnel.1
- Security Zone: lsvpntun

Step 3  Create the Security policy rule to enable traffic flow between the VPN zone where the tunnel terminates (lsvpntun) and the trust zone where the corporate applications reside (L3Trust).

See Create a Security Policy Rule.


Step 4  Assign an SSL/TLS Service profile to the portal/gateway. The profile must reference a self-signed server certificate. The certificate subject name must match the FQDN or IP address of the Layer 3 interface you create for the portal/gateway.

1. On the firewall hosting the GlobalProtect portal, create the root CA certificate for signing the certificates of the GlobalProtect components. In this example, the root CA certificate, lsvpn-CA, will be used to issue the server certificate for the portal/gateway. In addition, the portal will use this root CA certificate to sign the CSRs from the satellites.
2. Create SSL/TLS service profiles for the GlobalProtect portal and gateways.
   Because the portal and gateway are on the same interface in this example, they can share an SSL/TLS Service profile that uses the same server certificate. In this example, the profile is named lsvpnserver.

Step 5  Create a certificate profile.

In this example, the certificate profile lsvpn-profile references the root CA certificate lsvpn-CA. The gateway will use this certificate profile to authenticate satellites attempting to establish VPN tunnels.

Step 6  Configure an authentication profile for the portal to use if the satellite serial number is not available.

1. Create one type of server profile on the portal:
   - Add a RADIUS server profile.
     NOTE: You can use RADIUS to integrate with a Multi-Factor Authentication service.
   - Add a TACACS+ server profile.
   - Add a SAML IdP server profile.
   - Add a Kerberos server profile.
   - Add an LDAP server profile. If you use LDAP to connect to Active Directory (AD), create a separate LDAP server profile for every AD domain.
2. Configure an authentication profile. In this example, the profile lsvpn-sat is used to authenticate satellites.

Step 7  Configure the Gateway for LSVPN.

Select Network > GlobalProtect > Gateways and Add a configuration. This example requires the following gateway configuration:
- Interface: ethernet1/11
- IP Address: 203.0.113.11/24
- SSL/TLS Server Profile: lsvpnserver
- Certificate Profile: lsvpn-profile
- Tunnel Interface: tunnel.1
- Primary DNS/Secondary DNS: 4.2.2.1/4.2.2.2
- IP Pool: 2.2.2.111-2.2.2.120
- Access Route: 10.2.10.0/24

Step 8  Configure the Portal for LSVPN.

Select Network > GlobalProtect > Portal and Add a configuration. This example requires the following portal configuration:
- Interface: ethernet1/11
- IP Address: 203.0.113.11/24
- SSL/TLS Server Profile: lsvpnserver
- Authentication Profile: lsvpn-sat


Step 9  Create a GlobalProtect Satellite Configuration.

On the Satellite tab in the portal configuration, Add a Satellite configuration and a Trusted Root CA and specify the CA the portal will use to issue certificates for the satellites. In this example the required settings are as follows:
- Gateway: 203.0.113.11
- Issuing Certificate: lsvpn-CA
- Trusted Root CA: lsvpn-CA

Step 10  Prepare the Satellite to Join the LSVPN.

The satellite configuration in this example requires the following settings:

Interface Configuration
- Layer 3 interface: ethernet1/1, 203.0.113.13/24
- Tunnel interface: tunnel.2
- Zone: lsvpnsat

Root CA Certificate from Portal
- lsvpn-CA

IPSec Tunnel Configuration
- Tunnel Interface: tunnel.2
- Portal Address: 203.0.113.11
- Interface: ethernet1/1
- Local IP Address: 203.0.113.13/24
- Publish all static and connected routes to Gateway: enabled


Advanced LSVPN Configuration with Dynamic Routing

In larger LSVPN deployments with multiple gateways and many satellites, investing a little more time in the initial configuration to set up dynamic routing will simplify the maintenance of gateway configurations because access routes will update dynamically. The following example configuration shows how to extend the basic LSVPN configuration to configure OSPF as the dynamic routing protocol.

Setting up an LSVPN to use OSPF for dynamic routing requires the following additional steps on the gateways and the satellites:
- Manual assignment of IP addresses to tunnel interfaces on all gateways and satellites.
- Configuration of OSPF point-to-multipoint (P2MP) on the virtual router on all gateways and satellites. In addition, as part of the OSPF configuration on each gateway, you must manually define the tunnel IP address of each satellite as an OSPF neighbor. Similarly, on each satellite, you must manually define the tunnel IP address of each gateway as an OSPF neighbor.

Although dynamic routing requires additional setup during the initial configuration of the LSVPN, it reduces the maintenance tasks associated with keeping routes up to date as topology changes occur on your network.

The following figure shows an LSVPN dynamic routing configuration. This example shows how to configure OSPF as the dynamic routing protocol for the VPN.

For a basic setup of an LSVPN, follow the steps in Basic LSVPN Configuration with Static Routing. You can then complete the steps in the following workflow to extend the configuration to use dynamic routing rather than static routing.


Quick Config: LSVPN with Dynamic Routing

Step 1  Add an IP address to the tunnel interface configuration on each gateway and each satellite.

Complete the following steps on each gateway and each satellite:
1. Select Network > Interfaces > Tunnel and select the tunnel configuration you created for the LSVPN to open the Tunnel Interface dialog.
   If you have not yet created the tunnel interface, see Step 2 in Quick Config: Basic LSVPN with Static Routing.
2. On the IPv4 tab, click Add and then enter an IP address and subnet mask. For example, to add an IP address for the gateway tunnel interface you would enter 2.2.2.100/24.
3. Click OK to save the configuration.

Step 2  Configure the dynamic routing protocol on the gateway.

To configure OSPF on the gateway:
1. Select Network > Virtual Routers and select the virtual router associated with your VPN interfaces.
2. On the Areas tab, click Add to create the backbone area, or, if it is already configured, click on the area ID to edit it.
3. If you are creating a new area, enter an Area ID on the Type tab.
4. On the Interface tab, click Add and select the tunnel Interface you created for the LSVPN.
5. Select p2mp as the Link Type.
6. Click Add in the Neighbors section and enter the IP address of the tunnel interface of each satellite, for example 2.2.2.111.
7. Click OK twice to save the virtual router configuration and then Commit the changes on the gateway.
8. Repeat this step each time you add a new satellite to the LSVPN.

Step 3  Configure the dynamic routing protocol on the satellite.

To configure OSPF on the satellite:
1. Select Network > Virtual Routers and select the virtual router associated with your VPN interfaces.
2. On the Areas tab, click Add to create the backbone area, or, if it is already configured, click on the area ID to edit it.
3. If you are creating a new area, enter an Area ID on the Type tab.
4. On the Interface tab, click Add and select the tunnel Interface you created for the LSVPN.
5. Select p2mp as the Link Type.
6. Click Add in the Neighbors section and enter the IP address of the tunnel interface of each GlobalProtect gateway, for example 2.2.2.100.
7. Click OK twice to save the virtual router configuration and then Commit the changes on the gateway.
8. Repeat this step each time you add a new gateway.


Step 4  Verify that the gateways and satellites are able to form router adjacencies.

On each satellite and each gateway, confirm that peer adjacencies have formed and that routing table entries have been created for the peers (that is, the satellites have routes to the gateways and the gateways have routes to the satellites).
- Select Network > Virtual Router and click the More Runtime Stats link for the virtual router you are using for the LSVPN. On the Routing tab, verify that the LSVPN peer has a route.
- On the OSPF > Interface tab, verify that the Type is p2mp.
- On the OSPF > Neighbor tab, verify that the firewalls hosting your gateways have established router adjacencies with the firewalls hosting your satellites and vice versa. Also verify that the Status is Full, indicating that full adjacencies have been established.


Advanced LSVPN Configuration with iBGP

This use case illustrates how GlobalProtect LSVPN securely connects distributed office locations with primary and disaster recovery data centers that house critical applications for users, and how internal border gateway protocol (iBGP) eases deployment and upkeep. Using this method, you can extend up to 500 satellite offices connecting to a single gateway.

BGP is a highly scalable, dynamic routing protocol that is ideal for hub-and-spoke deployments such as LSVPN. As a dynamic routing protocol, it eliminates much of the overhead associated with access routes (static routes) by making it relatively easy to deploy additional satellite firewalls. Due to its route filtering capabilities and features such as multiple tunable timers, route dampening, and route refresh, BGP scales to a much higher number of routing prefixes with greater stability than other routing protocols like RIP and OSPF. In the case of iBGP, a peer group, which includes all the satellites and gateways in the LSVPN deployment, establishes adjacencies over the tunnel endpoints. The protocol then implicitly takes control of route advertisements, updates, and convergence.

In this example configuration, an active/passive HA pair of PA-5050 firewalls is deployed in the primary (active) data center and acts as the portal and primary gateway. The disaster recovery data center also has two PA-5050s in an active/passive HA pair acting as the backup LSVPN gateway. The portal and gateways serve 500 PA-200s deployed as LSVPN satellites in branch offices.

Both data center sites advertise routes but with different metrics. As a result, the satellites prefer and install the active data center's routes. However, the backup routes also exist in the local routing information base (RIB). If the active data center fails, the routes advertised by that data center are removed and replaced with the routes from the disaster recovery data center. The failover time depends on the selection of iBGP timers and the routing convergence associated with iBGP.


The following workflow shows the steps for configuring this deployment:

Configure LSVPN with iBGP

Step 1  Create Interfaces and Zones for the LSVPN.

Portal and Primary gateway:
- Zone: LSVPNUntrustPrimary
  Interface: ethernet1/21
  IPv4: 172.16.22.1/24
- Zone: L3Trust
  Interface: ethernet1/23
  IPv4: 200.99.0.1/16

Backup gateway:
- Zone: LSVPNUntrustPrimary
  Interface: ethernet1/5
  IPv4: 172.16.22.25/24
- Zone: L3Trust
  Interface: ethernet1/6
  IPv4: 200.99.0.1/16

Satellite:
- Zone: LSVPNSatUntrust
  Interface: ethernet1/1
  IPv4: 172.16.13.1/22
- Zone: L3Trust
  Interface: ethernet1/2.1
  IPv4: 200.101.1.1/24

NOTE: Configure the zones, interfaces, and IP addresses on each satellite. The interface and local IP address will be different for each satellite. This interface is used for the VPN connection to the portal and gateway.

Step 2  On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect satellites.

Primary gateway:
- Interface: tunnel.5
  IPv4: 10.11.15.254/22
  Zone: LSVPNTunnelPrimary

Backup gateway:
- Interface: tunnel.1
  IPv4: 10.11.15.245/22
  Zone: LSVPNTunnelBackup


Step 3  Enable SSL Between GlobalProtect LSVPN Components.

The gateway uses the self-signed root certificate authority (CA) to issue certificates for the satellites in a GlobalProtect LSVPN. Because one firewall houses the portal and primary gateway, a single certificate is used for authenticating to the satellites. The same CA is used to generate a certificate for the backup gateway. The CA generates certificates that are pushed to the satellites from the portal and then used by the satellites to authenticate to the gateways.

You must also generate a certificate from the same CA for the backup gateway, allowing it to authenticate with the satellites.

1. On the firewall hosting the GlobalProtect portal, create the root CA certificate for signing the certificates of the GlobalProtect components. In this example, the root CA certificate is called CAcert.
2. Create SSL/TLS service profiles for the GlobalProtect portal and gateways. Because the GlobalProtect portal and primary gateway are the same firewall interface, you can use the same server certificate for both components.
   - Root CA Certificate: CACert
   - Certificate Name: LSVPNScale
3. Deploy the self-signed server certificates to the gateways.
4. Import the root CA certificate used to issue server certificates for the LSVPN components.
5. Create a certificate profile.
6. Repeat steps 2 through 5 on the backup gateway with the following settings:
   - Root CA Certificate: CAcert
   - Certificate Name: LSVPNbackGWcert

Step 4  Configure GlobalProtect Gateways for LSVPN.

1. Select Network > GlobalProtect > Gateways and click Add.
2. On the General tab, name the primary gateway LSVPN-Scale.
3. Under Network Settings, select ethernet1/21 as the primary gateway interface and enter 172.16.22.1/24 as the IP address.
4. On the Authentication tab, select the LSVPNScale certificate created in Step 3.
5. Select Satellite > Tunnel Settings and select Tunnel Configuration. Set the Tunnel Interface to tunnel.5. All satellites in this use case connect to a single gateway, so a single satellite configuration is needed. Satellites are matched based on their serial numbers, so no satellites will need to authenticate as a user.
6. On Satellite > Network Settings, define the pool of IP addresses to assign to the tunnel interface on the satellite once the VPN connection is established. Because this use case uses dynamic routing, the Access Routes setting remains blank.
7. Repeat steps 1 through 5 on the backup gateway with the following settings:
   - Name: LSVPNbackup
   - Gateway interface: ethernet1/5
   - Gateway IP: 172.16.22.25/24
   - Server cert: LSVPNbackupGWcert
   - Tunnel interface: tunnel.1


Step 5  Configure iBGP on the primary and backup gateways and add a redistribution profile to allow the satellites to inject local routes back to the gateways.

Each satellite office manages its own network and firewall, so the redistribution profile called ToAllSat is configured to redistribute local routes back to the GlobalProtect gateway.

1. Select Network > Virtual Routers and Add a virtual router.
2. On Router Settings, add the Name and Interface for the virtual router.
3. On Redistribution Profile, select Add.
   a. Name the redistribution profile ToAllSat and set the Priority to 1.
   b. Set Redistribute to Redist.
   c. Add ethernet1/23 from the Interface drop-down.
   d. Click OK.
4. Select BGP on the Virtual Router to configure BGP.
   a. On BGP > General, select Enable.
   b. Enter the gateway IP address as the Router ID (172.16.22.1) and 1000 as the AS Number.
   c. In the Options section, select Install Route.
   d. On BGP > Peer Group, click Add to add a peer group with all the satellites that will connect to the gateway.
   e. On BGP > Redist Rules, Add the ToAllSat redistribution profile you created previously.
5. Click OK.
6. Repeat steps 1 through 5 on the backup gateway using ethernet1/6 for the redistribution profile.

Step 6  Prepare the Satellite to Join the LSVPN.

The configuration shown is a sample of a single satellite. Repeat this configuration each time you add a new satellite to the LSVPN deployment.

1. Configure a tunnel interface as the tunnel endpoint for the VPN connection to the gateways.
2. Set the IPSec tunnel type to GlobalProtect Satellite and enter the IP address of the GlobalProtect Portal.
3. Select Network > Virtual Routers and Add a virtual router.
4. On Router Settings, add the Name and Interface for the virtual router.
5. Select Virtual Router > Redistribution Profile and Add a profile with the following settings.
   a. Name the redistribution profile ToLSVPNGW and set the Priority to 1.
   b. Add an Interface ethernet1/2.1.
   c. Click OK.
6. Select BGP > General, Enable BGP and configure the protocol as follows:
   a. Enter the gateway IP address as the Router ID (172.16.22.1) and 1000 as the AS Number.
   b. In the Options section, select Install Route.
   c. On BGP > Peer Group, Add a peer group containing all the satellites that will connect to the gateway.
   d. On BGP > Redist Rules, Add the ToLSVPNGW redistribution profile you created previously.
7. Click OK.


Step 7  Configure the GlobalProtect Portal for LSVPN.

Both data centers advertise their routes but with different routing priorities to ensure that the active data center is the preferred gateway.

1. Select Network > GlobalProtect > Portals and click Add.
2. On General, enter LSVPN-Portal as the portal name.
3. On Network Settings, select ethernet1/21 as the Interface and select 172.16.22.1/24 as the IP Address.
4. On the Authentication tab, select the previously created primary gateway SSL/TLS Profile LSVPN-Scale from the SSL/TLS Service Profile drop-down menu.
5. On the Satellite tab, Add a satellite and Name it sat-config-1.
6. Set the Configuration Refresh Interval to 12.
7. On GlobalProtect Satellite > Devices, add the serial number and hostname of each satellite device in the LSVPN.
8. On GlobalProtect Satellite > Gateways, add the name and IP address of each gateway. Set the routing priority of the primary gateway to 1 and the backup gateway to 10 to ensure that the active data center is the preferred gateway.

Step 8  Verify the LSVPN Configuration.

Step 9  (Optional) Add a new site to the LSVPN deployment.

1. Select Network > GlobalProtect > Portals > GlobalProtect Portal > Satellite Configuration > GlobalProtect Satellite > Devices to add the serial number of the new satellite to the GlobalProtect portal.
2. Configure the IPSec tunnel on the satellite with the GlobalProtect Portal IP address.
3. Select Network > Virtual Router > BGP > Peer Group to add the satellite to the BGP Peer Group configuration on each gateway.
4. Select Network > Virtual Router > BGP > Peer Group to add the gateways to the BGP Peer Group configuration on the new satellite.

Networking

All Palo Alto Networks next-generation firewalls provide a flexible networking architecture that includes support for dynamic routing, switching, and VPN connectivity, and enables you to deploy the firewall into nearly any networking environment. When configuring the Ethernet ports on your firewall, you can choose from virtual wire, Layer 2, or Layer 3 interface deployments. In addition, to allow you to integrate into a variety of network segments, you can configure different types of interfaces on different ports.

The following topics describe networking concepts and how to integrate Palo Alto Networks next-generation firewalls into your network.
- Configure Interfaces
- Virtual Routers
- Service Routes
- Static Routes
- RIP
- OSPF
- BGP
- Route Redistribution
- DHCP
- DNS
- NAT
- NPTv6
- NAT64
- ECMP
- LLDP
- BFD
- Session Settings and Timeouts
- Tunnel Content Inspection
- Reference: BFD Details


Configure Interfaces

A Palo Alto Networks next-generation firewall can operate in multiple deployments at once because the deployments occur at the interface level. For example, you can configure some interfaces as Layer 3 interfaces to integrate the firewall into your dynamic routing environment, while configuring other interfaces to integrate into your Layer 2 switching network. The following topics describe each type of interface deployment and how to configure the corresponding interface types:
- Tap Interfaces
- Virtual Wire Interfaces
- Layer 2 Interfaces
- Layer 3 Interfaces
- Configure an Aggregate Interface Group
- Use Interface Management Profiles to Restrict Access

Tap Interfaces

A network tap is a device that provides a way to access data flowing across a computer network. Tap mode deployment allows you to passively monitor traffic flows across a network by way of a switch SPAN or mirror port.

The SPAN or mirror port permits the copying of traffic from other ports on the switch. By dedicating an interface on the firewall as a tap mode interface and connecting it with a switch SPAN port, the switch SPAN port provides the firewall with the mirrored traffic. This provides application visibility within the network without being in the flow of network traffic.

NOTE: When deployed in tap mode, the firewall is not able to take action, such as block traffic or apply QoS traffic control.

Virtual Wire Interfaces

Virtual Wire Deployments can use virtual wire subinterfaces to separate traffic into zones. In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two ports together and should be used only when no switching or routing is needed.

A virtual wire deployment:
- Simplifies installation and configuration.
- Does not require any configuration changes to surrounding or adjacent network devices.

The virtual wire deployment shipped as the factory default configuration (default-vwire) binds together Ethernet ports 1 and 2 and allows all untagged traffic. You can, however, use a virtual wire to connect any two ports and configure it to block or allow traffic based on the virtual LAN (VLAN) tags; the VLAN tag 0 indicates untagged traffic. You can also create multiple subinterfaces, add them into different zones and then classify traffic according to a VLAN tag, or a combination of a VLAN tag with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet.

Figure: Virtual Wire Deployment

- Virtual Wire Subinterfaces
- Configure Virtual Wires

Virtual Wire Subinterfaces

Virtual wire subinterfaces provide flexibility in enforcing distinct policies when you need to manage traffic from multiple customer networks. They allow you to separate and classify traffic into different zones (the zones can belong to separate virtual systems, if required) using the following criteria:
- VLAN tags: The example in Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only) shows an Internet Service Provider (ISP) using virtual wire subinterfaces with VLAN tags to separate traffic for two different customers.
- VLAN tags in conjunction with IP classifiers (address, range, or subnet): The following example shows an ISP with two separate virtual systems on a firewall that manages traffic from two different customers. On each virtual system, the example illustrates how virtual wire subinterfaces with VLAN tags and IP classifiers are used to classify traffic into separate zones and apply relevant policy for customers from each network.

VirtualWireSubinterfaceWorkflow

ConfiguretwoEthernetinterfacesastypevirtualwire,andassigntheseinterfacestoavirtualwire.

CreatesubinterfacesontheparentVirtualWiretoseparateCustomerAandCustomerBtraffic.Makesurethatthe
VLANtagsdefinedoneachpairofsubinterfacesthatareconfiguredasvirtualwire(s)areidentical.Thisisessential
becauseavirtualwiredoesnotswitchVLANtags.

CreatenewsubinterfacesanddefineIPclassifiers.Thistaskisoptionalandonlyrequiredifyouwishtoaddadditional
subinterfaceswithIPclassifiersforfurthermanagingtrafficfromacustomerbasedonthecombinationofVLANtags
andaspecificsourceIPaddress,rangeorsubnet.
YoucanalsouseIPclassifiersformanaginguntaggedtraffic.Todoso,youmustcreateasubinterfacewiththevlan
tag0,anddefinesubinterface(s)withIPclassifiersformanaginguntaggedtrafficusingIPclassifiers

IPclassificationmayonlybeusedonthesubinterfacesassociatedwithonesideofthevirtual
wire.Thesubinterfacesdefinedonthecorrespondingsideofthevirtualwiremustusethesame
VLANtag,butmustnotincludeanIPclassifier.


Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only)

Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only) depicts Customer A and Customer B connected to the firewall through one physical interface, ethernet1/1, configured as a Virtual Wire; it is the ingress interface. A second physical interface, ethernet1/2, is also part of the Virtual Wire; it is the egress interface that provides access to the Internet. For Customer A, you also have subinterfaces ethernet1/1.1 (ingress) and ethernet1/2.1 (egress). For Customer B, you have the subinterface ethernet1/1.2 (ingress) and ethernet1/2.2 (egress). When configuring the subinterfaces, you must assign the appropriate VLAN tag and zone in order to apply policies for each customer. In this example, the policies for Customer A are created between Zone1 and Zone2, and policies for Customer B are created between Zone3 and Zone4.
When traffic enters the firewall from Customer A or Customer B, the VLAN tag on the incoming packet is first matched against the VLAN tag defined on the ingress subinterfaces. In this example, a single subinterface matches the VLAN tag on the incoming packet, hence that subinterface is selected. The policies defined for the zone are evaluated and applied before the packet exits from the corresponding subinterface.

The same VLAN tag must not be defined on the parent virtual wire interface and the subinterface. Verify that the VLAN tags defined on the Tag Allowed list of the parent virtual wire interface (Network > Virtual Wires) are not included on a subinterface.

Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers) depicts Customer A and Customer B connected to one physical firewall that has two virtual systems (vsys), in addition to the default virtual system (vsys1). Each virtual system is an independent virtual firewall that is managed separately for each customer. Each vsys has attached interfaces/subinterfaces and security zones that are managed independently.

Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers)

Vsys1 is set up to use the physical interfaces ethernet1/1 and ethernet1/2 as a virtual wire; ethernet1/1 is the ingress interface and ethernet1/2 is the egress interface that provides access to the Internet. This virtual wire is configured to accept all tagged and untagged traffic with the exception of VLAN tags 100 and 200 that are assigned to the subinterfaces.
Customer A is managed on vsys2 and Customer B is managed on vsys3. On vsys2 and vsys3, the following vwire subinterfaces are created with the appropriate VLAN tags and zones to enforce policy measures.

Customer  Vsys  Vwire Subinterfaces   Zone    VLAN Tag  IP Classifier
A         2     e1/1.1 (ingress)      Zone3   100       None
                e1/2.1 (egress)       Zone4   100
          2     e1/1.2 (ingress)      Zone5   100       IP subnet 192.1.0.0/16
                e1/2.2 (egress)       Zone6   100
          2     e1/1.3 (ingress)      Zone7   100       IP subnet 192.2.0.0/16
                e1/2.3 (egress)       Zone8   100
B         3     e1/1.4 (ingress)      Zone9   200       None
                e1/2.4 (egress)       Zone10  200

When traffic enters the firewall from Customer A or Customer B, the VLAN tag on the incoming packet is first matched against the VLAN tag defined on the ingress subinterfaces. In this case, for Customer A, there are multiple subinterfaces that use the same VLAN tag. Hence, the firewall first narrows the classification to a subinterface based on the source IP address in the packet. The policies defined for the zone are evaluated and applied before the packet exits from the corresponding subinterface.
For return path traffic, the firewall compares the destination IP address as defined in the IP classifier on the customer-facing subinterface and selects the appropriate virtual wire to route traffic through the accurate subinterface.

The same VLAN tag must not be defined on the parent virtual wire interface and the subinterface. Verify that the VLAN tags defined on the Tag Allowed list of the parent virtual wire interface (Network > Virtual Wires) are not included on a subinterface.
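The selection rule the two deployment descriptions above share (match the VLAN tag first, then the IP classifier against the source address on ingress and against the destination address on the return path), together with the two configuration checks the notes call for, as an added example in Python. This is not firewall code. The subinterface names, zones, tags and subnets are the ones in the vsys2/vsys3 table; the parent Tag Allowed list string, the Subif dataclass and the function names are assumptions made for the illustration, and IP classifiers are limited to addresses and subnets (ranges are omitted).

```python
"""Virtual wire subinterface classification and sanity checks (illustration only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Subif:
    """One subinterface pair. Both sides share the tag by construction, which is
    the guide's rule that a vwire never switches VLAN tags; the classifier lives
    on the customer-facing side only."""
    ingress: str                       # customer-facing member, e.g. ethernet1/1.2
    egress: str                        # Internet-facing member, e.g. ethernet1/2.2
    vsys: str
    zone_in: str
    zone_out: str
    tag: int                           # 0 means untagged
    classifier: Optional[str] = None   # IP address or subnet, or None


# Constructed from the guide's table: vsys2 = Customer A, vsys3 = Customer B.
SUBIFS: List[Subif] = [
    Subif("ethernet1/1.1", "ethernet1/2.1", "vsys2", "Zone3", "Zone4", 100),
    Subif("ethernet1/1.2", "ethernet1/2.2", "vsys2", "Zone5", "Zone6", 100, "192.1.0.0/16"),
    Subif("ethernet1/1.3", "ethernet1/2.3", "vsys2", "Zone7", "Zone8", 100, "192.2.0.0/16"),
    Subif("ethernet1/1.4", "ethernet1/2.4", "vsys3", "Zone9", "Zone10", 200),
]
# Assumed Tag Allowed list of the parent vwire (ethernet1/1 <-> ethernet1/2 in vsys1):
# everything except the tags that the subinterfaces own.
PARENT_TAG_ALLOWED = "0-99,101-199,201-4094"


def _tag_set(spec: str) -> set:
    """Expand a Tag Allowed list such as '0-99,101-199' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def classify(tag: int, src_ip: str, subifs=SUBIFS) -> Optional[Subif]:
    """Pick the ingress subinterface for a packet arriving from the customer side."""
    candidates = [s for s in subifs if s.tag == tag]
    if not candidates:
        return None            # no subinterface owns the tag: parent vwire (if allowed)
    with_ip = [s for s in candidates if s.classifier
               and ip_address(src_ip) in ip_network(s.classifier, strict=False)]
    if with_ip:
        # Most specific classifier wins; the tag-only subinterface is the catch-all.
        return max(with_ip, key=lambda s: ip_network(s.classifier, strict=False).prefixlen)
    plain = [s for s in candidates if s.classifier is None]
    return plain[0] if plain else None


def classify_return(tag: int, dst_ip: str, subifs=SUBIFS) -> Optional[Subif]:
    """Return path: the same classifier is compared with the destination address."""
    return classify(tag, dst_ip, subifs)


def validate(subifs=SUBIFS, parent_allowed=PARENT_TAG_ALLOWED) -> List[str]:
    """The two mistakes the guide warns about: a subinterface tag that the parent
    vwire also allows, and two subinterfaces that would classify the same traffic."""
    problems = []
    allowed = _tag_set(parent_allowed)
    for s in subifs:
        if s.tag in allowed:
            problems.append(f"tag {s.tag} on {s.ingress} is also on the parent Tag Allowed list")
    seen = {}
    for s in subifs:
        key = (s.vsys, s.tag, s.classifier)
        if key in seen:
            problems.append(f"{s.ingress} duplicates {seen[key]} (same vsys, tag and classifier)")
        seen[key] = s.ingress
    return problems
```

With this table, a VLAN 100 packet from 192.1.5.9 lands on ethernet1/1.2 (Zone5), one from 10.0.0.1 falls through to the tag-only ethernet1/1.1, and a VLAN 300 packet is never classified by a subinterface at all. Running validate() with a parent list of "0-4094" reports every subinterface, which is the misconfiguration the note tells you to look for.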

Configure Virtual Wires

The following task shows how to configure a pair of virtual wire interfaces.

Configure Virtual Wires

Step 1: Create a virtual wire. Create a virtual wire between ports Ethernet 1/3 and Ethernet 1/4, for example.
1. Select Network > Interfaces > Ethernet and select a port you have cabled, for example ethernet1/3.
2. For Interface Type, select Virtual Wire.
3. Attach the interface to a virtual wire. On the Config tab, Assign Interface To a Virtual Wire, expand the drop-down and select New Virtual Wire.
4. Enter a Name for the virtual wire, select the interface that belongs to the virtual wire, and click OK.
5. Click OK.
6. Repeat the steps above for ethernet1/4.

Step 2: Create a security zone.
1. Select Network > Zones and Add a zone.
2. Enter the Name of the zone, such as Internet.
3. For Location, select the virtual system where the zone applies.
4. For Type, select Virtual Wire.
5. Add the Interface that belongs to the zone, Ethernet 1/3.
6. Click OK.
7. Repeat these steps to add Ethernet 1/4 to another zone.

Step 3: Commit. Click Commit.

Step 4: (Optional) Apply non-IP protocol control to the virtual wire zones. Configure Protocol Protection.

Layer 2 Interfaces

In a Layer 2 deployment, the firewall provides switching between two or more networks. Devices are connected to a Layer 2 segment; the firewall forwards the frames to the proper port, which is associated with the MAC address identified in the frame. Configure a Layer 2 Interface when switching is required.

Figure: Layer 2 Deployment

In a Layer 2 deployment, the firewall rewrites the inbound Port VLAN ID (PVID) number in a Cisco per-VLAN spanning tree (PVST+) or Rapid PVST+ bridge protocol data unit (BPDU) to the proper outbound VLAN ID number and forwards it out. The firewall rewrites such BPDUs on Layer 2 Ethernet and Aggregated Ethernet (AE) interfaces only.

A Cisco switch must have the loopguard disabled for the PVST+ or Rapid PVST+ BPDU rewrite to function properly on the firewall.

The following topics describe the different types of Layer 2 interfaces you can configure for each type of deployment you need, including details on using virtual LANs (VLANs) for traffic and policy separation among groups.
- Layer 2 Interfaces with No VLANs
- Layer 2 Interfaces with VLANs
- Configure a Layer 2 Interface
- Configure a Layer 2 Interface, Subinterface, and VLAN

Layer 2 Interfaces with No VLANs

Configure a Layer 2 Interface on the firewall so it can act as a switch in your Layer 2 network (not at the edge of the network). The Layer 2 hosts are probably geographically close to each other and belong to a single broadcast domain. The firewall provides security between the Layer 2 hosts when you assign the interfaces to security zones and apply security rules to the zones.
The hosts communicate with the firewall and each other at Layer 2 of the OSI model by exchanging frames. A frame contains an Ethernet header that includes a source and destination Media Access Control (MAC) address, which is a physical hardware address. MAC addresses are 48-bit hexadecimal numbers formatted as six octets separated by a colon or hyphen (for example, 00:85:7E:46:F1:B2).
The following figure has a firewall with three Layer 2 interfaces that each connect to a Layer 2 host in a one-to-one mapping.


The firewall begins with an empty MAC table. When the host with source address 0A:76:F2:60:EA:83 sends a frame to the firewall, the firewall doesn't have destination address 0B:68:2D:05:12:76 in its MAC table, so it doesn't know which interface to forward the frame to; it floods the frame out all of its other Layer 2 interfaces. The firewall puts source address 0A:76:F2:60:EA:83 and the associated Eth1/1 into its MAC table.
The host at 0C:71:D4:E6:13:44 receives the flooded frame, but the destination MAC address is not its own MAC address, so it drops the frame.
The receiving interface Ethernet 1/2 forwards the frame to its host. When host 0B:68:2D:05:12:76 responds, it uses the destination address 0A:76:F2:60:EA:83, and the firewall adds to its MAC table Ethernet 1/2 as the interface to reach 0B:68:2D:05:12:76.

Layer 2 Interfaces with VLANs

When your organization wants to divide a LAN into separate virtual LANs (VLANs) to keep traffic and policies for different departments separate, you can logically group Layer 2 hosts into VLANs and thus divide a Layer 2 network segment into broadcast domains. For example, you can create VLANs for the Finance and Engineering departments. To do so, Configure a Layer 2 Interface, Subinterface, and VLAN.
The firewall acts as a switch to forward a frame with an Ethernet header containing a VLAN ID, and the destination interface must have a subinterface with that VLAN ID in order to receive that frame and forward it to the host. You configure a Layer 2 interface on the firewall and configure one or more logical subinterfaces for the interface, each with a VLAN tag (ID).
In the following figure, the firewall has four Layer 2 interfaces that connect to Layer 2 hosts belonging to different departments within an organization. Ethernet interface 1/3 is configured with subinterface .1 (tagged with VLAN 10) and subinterface .2 (tagged with VLAN 20), thus there are two broadcast domains on that segment. Hosts in VLAN 10 belong to Finance; hosts in VLAN 20 belong to Engineering.

In this example, the host at MAC address 0A:76:F2:60:EA:83 sends a frame with VLAN ID 10 to the firewall, which the firewall floods to its other Layer 2 interfaces that carry VLAN 10. Ethernet interface 1/3 accepts the frame because it's connected to the host with destination 0C:71:D4:E6:13:44 and its subinterface .1 is assigned VLAN 10. Ethernet interface 1/3 forwards the frame to the Finance host.
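The MAC learning walkthrough above for the untagged case and the VLAN 10 case, as one added example in Python that is not firewall code: a per-VLAN MAC table that learns the source on ingress, floods unknown destinations only inside the frame's broadcast domain, and drops a tag the ingress interface does not carry. Interface names, MAC addresses and VLAN IDs are the guide's; the SUBINTERFACES map (which interface carries which VLAN, with 0 standing for untagged) and the class and method names are assumptions for the illustration.

```python
"""Layer 2 forwarding with per-VLAN MAC learning (illustration only)."""
from typing import Dict, List, Tuple

# Constructed topology: VLAN 0 = untagged traffic on the plain Layer 2 interface;
# ethernet1/3 has subinterface .1 in VLAN 10 (Finance) and .2 in VLAN 20 (Engineering).
SUBINTERFACES: Dict[str, List[int]] = {
    "ethernet1/1": [0, 10],
    "ethernet1/2": [0, 20],
    "ethernet1/3": [10, 20],
    "ethernet1/4": [0],
}
BROADCAST = "ff:ff:ff:ff:ff:ff"


class L2Forwarder:
    """MAC table keyed by (vlan, mac) so the same address in two VLANs never collides."""

    def __init__(self, subifs: Dict[str, List[int]] = SUBINTERFACES):
        self.subifs = subifs
        self.mac_table: Dict[Tuple[int, str], str] = {}

    def _members(self, vlan: int) -> List[str]:
        """Interfaces that belong to the broadcast domain of this VLAN."""
        return [ifc for ifc, vlans in self.subifs.items() if vlan in vlans]

    def handle(self, in_if: str, src: str, dst: str, vlan: int = 0) -> List[str]:
        """Learn src on in_if, then return the list of interfaces the frame leaves on."""
        src, dst = src.lower(), dst.lower()
        if vlan not in self.subifs.get(in_if, []):
            return []                       # tag not configured on the ingress: dropped
        self.mac_table[(vlan, src)] = in_if  # learning (a forged src overwrites this)
        out = self.mac_table.get((vlan, dst))
        if out is None or dst == BROADCAST:
            # Unknown unicast or broadcast: flood every other member of the VLAN.
            return [ifc for ifc in self._members(vlan) if ifc != in_if]
        return [] if out == in_if else [out]  # same-port destination: nothing to forward


def walkthrough() -> List[List[str]]:
    """The three frames from the guide's two examples, in order."""
    fw = L2Forwarder()
    h1, h2, h3 = "0A:76:F2:60:EA:83", "0B:68:2D:05:12:76", "0C:71:D4:E6:13:44"
    return [
        fw.handle("ethernet1/1", h1, h2),            # unknown dst: flood to 1/2 and 1/4
        fw.handle("ethernet1/2", h2, h1),            # h1 already learned: unicast to 1/1
        fw.handle("ethernet1/1", h1, h3, vlan=10),   # VLAN 10: only ethernet1/3 carries it
    ]
```

Two properties worth noticing: a VLAN 20 frame on ethernet1/1 is dropped rather than leaked, because that interface has no VLAN 20 subinterface; and any host can overwrite a learned entry simply by sending a frame with a forged source MAC, which is why the guide puts the interfaces in security zones and enforces policy between them instead of trusting segment membership.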

Configure a Layer 2 Interface

Configure Layer 2 Interfaces with No VLANs when you want Layer 2 switching and you don't need to separate traffic among VLANs.

Configure a Layer 2 Interface

Step 1: Configure a Layer 2 interface.
1. Select Network > Interfaces > Ethernet and select an interface. The Interface Name is fixed, such as ethernet1/1.
2. For Interface Type, select Layer2.
3. Select the Config tab and assign the interface to a Security Zone, or create a New Zone.
4. Configure additional Layer 2 interfaces on the firewall that connect to other Layer 2 hosts.

Step 2: Commit. Click OK and Commit.

Configure a Layer 2 Interface, Subinterface, and VLAN

Configure Layer 2 Interfaces with VLANs when you want Layer 2 switching and traffic separation among VLANs. You can optionally control non-IP protocols between security zones on a Layer 2 interface or between interfaces within a single zone on a Layer 2 VLAN.

Configure a Layer 2 Interface and Subinterface and Assign a VLAN ID

Step 1: Configure a Layer 2 interface and subinterface and assign a VLAN ID.
1. Select Network > Interfaces > Ethernet and select an interface. The Interface Name is fixed, such as ethernet1/1.
2. For Interface Type, select Layer2.
3. Select the Config tab.
4. For VLAN, leave the setting None.
5. Assign the interface to a Security Zone or create a New Zone.
6. Click OK.
7. With the Ethernet interface highlighted, click Add Subinterface.
8. The Interface Name remains fixed. After the period, enter the subinterface number, in the range 1-9,999.
9. Enter a VLAN Tag ID in the range 1-4,094.
10. Assign the subinterface to a Security Zone.
11. Click OK.

Step 2: Commit. Click Commit.

Step 3: (Optional) Apply a Zone Protection profile with protocol protection to control non-IP protocol packets between Layer 2 zones (or between interfaces within a Layer 2 zone). Configure Protocol Protection.

Layer 3 Interfaces

In a Layer 3 deployment, the firewall routes traffic between multiple ports. Before you can Configure Layer 3 Interfaces, you must configure the Virtual Routers that you want the firewall to use to route the traffic for each Layer 3 interface.

Figure: Layer 3 Deployment

The following topics describe how to configure Layer 3 interfaces. They explain the Router Advertisements (RAs) that the firewall can send containing DNS Options to configure your IPv6 hosts, and Neighbor Discovery Protocol (NDP) monitoring, which you can use to view the IPv6 addresses of devices on the link-local network and quickly locate devices.
- Configure Layer 3 Interfaces
- Manage IPv6 Hosts Using NDP

Configure Layer 3 Interfaces

The following procedure is required to configure Layer 3 Interfaces (Ethernet, VLAN, loopback, and tunnel interfaces) with IPv4 or IPv6 addresses so that the firewall can perform routing on these interfaces. If a tunnel is used for routing or if tunnel monitoring is turned on, the tunnel needs an IP address. Before performing the following task, define one or more Virtual Routers.
You would typically use the following procedure to configure an external interface that connects to the internet and an interface for your internal network. You can configure both IPv4 and IPv6 addresses on a single interface.

PAN-OS firewall models support a maximum of 16,000 IP addresses assigned to physical or virtual Layer 3 interfaces; this maximum includes both IPv4 and IPv6 addresses.

If you're using IPv6 routes, you can configure the firewall to provide IPv6 Router Advertisements for DNS Configuration. The firewall provisions IPv6 DNS clients with Recursive DNS Server (RDNS) addresses and a DNS Search List so that the client can resolve its IPv6 DNS requests. Thus the firewall is acting like a DHCPv6 server for you.

Set Up a Layer 3 Interface and Zone

Step 1: Select an interface and configure it with a security zone.
1. Select Network > Interfaces and either Ethernet, VLAN, loopback, or Tunnel, depending on what type of interface you want.
2. Select the interface to configure.
3. Select the Interface Type Layer3.
4. On the Config tab, for Virtual Router, select the virtual router you are configuring, such as default.
5. For Virtual System, select the virtual system you are configuring if on a multi-virtual system firewall.
6. For Security Zone, select the zone to which the interface belongs or create a New Zone.
7. Click OK.

Step 2: Configure an interface with an IPv4 address.
There are three ways to assign an IPv4 address to a Layer 3 interface:
- Static.
- DHCP Client: The firewall interface acts as a DHCP client and receives a dynamically assigned IP address. The firewall also provides the capability to propagate settings received by the DHCP client interface into a DHCP server operating on the firewall. This is most commonly used to propagate DNS server settings from an Internet service provider to client machines operating on the network protected by the firewall.
- PPPoE: Configure the interface as a Point-to-Point Protocol over Ethernet (PPPoE) termination point to support connectivity in a Digital Subscriber Line (DSL) environment where there is a DSL modem but no other PPPoE device to terminate the connection.
1. Select Network > Interfaces and either Ethernet, VLAN, loopback, or Tunnel, depending on what type of interface you want.
2. Select the interface to configure.
3. On the IPv4 tab, set Type to Static.
4. Add a Name and optional Description for the address.
5. For Type, select one of the following:
   - IP Netmask: Enter the IP address and network mask to assign to the interface, for example, 208.80.56.100/24.
   - IP Range: Enter an IP address range, such as 192.168.2.1-192.168.2.4.
   - FQDN: Enter a Fully Qualified Domain Name.
6. Select Tags to apply to the address.
7. Click OK.


Step 3: Configure an interface with Point-to-Point Protocol over Ethernet (PPPoE). See Layer 3 Interfaces.
NOTE: PPPoE is not supported in HA active/active mode.
1. Select Network > Interfaces and either Ethernet, VLAN, loopback, or Tunnel.
2. Select the interface to configure.
3. On the IPv4 tab, set Type to PPPoE.
4. On the General tab, select Enable to activate the interface for PPPoE termination.
5. Enter the Username for the point-to-point connection.
6. Enter the Password for the username and Confirm Password.
7. Click OK.

Step 4: Configure an interface as a DHCP Client so that it receives a dynamically assigned IPv4 address.
NOTE: DHCP client is not supported in HA active/active mode.
1. Select Network > Interfaces and either Ethernet, VLAN, loopback, or Tunnel.
2. Select the interface to configure.
3. On the IPv4 tab, set Type to DHCP Client.
4. Select Enable to activate the DHCP client on the interface.
5. Select Automatically create default route pointing to default gateway provided by server to automatically create a default route that points to the default gateway that the DHCP server provides.
6. (Optional) Enter a Default Route Metric (priority level) for the default route, which the firewall uses for path selection (range is 1-65,535; no default). The lower the value, the higher the priority level.
7. Click OK.


Step 5: Configure the interface with a static IPv6 address.
1. Select Network > Interfaces and either Ethernet, VLAN, loopback, or Tunnel.
2. Select the interface to configure.
3. On the IPv6 tab, select Enable IPv6 on the interface to enable IPv6 addressing on the interface.
4. For Interface ID, enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the Interface ID as the host portion of that address.
5. Add the IPv6 Address or select an address group.
6. Select Enable address on interface to enable this IPv6 address on the interface.
7. Select Use interface ID as host portion to use the Interface ID as the host portion of the IPv6 address.
8. (Optional) Select Anycast to make the IPv6 address (route) an Anycast address (route), which means multiple locations can advertise the same prefix, and IPv6 sends the anycast traffic to the node it considers the nearest, based on routing protocol costs and other factors.
9. (Ethernet interface only) Select Send Router Advertisement (RA) to enable the firewall to send this address in Router Advertisements, in which case you must also enable the global Enable Router Advertisement option on the interface (next step).
10. (Ethernet interface only) Enter the Valid Lifetime (sec), in seconds, that the firewall considers the address valid. The Valid Lifetime must equal or exceed the Preferred Lifetime (sec) (default is 2,592,000).
11. (Ethernet interface only) Enter the Preferred Lifetime (sec) (in seconds) that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the Preferred Lifetime expires, the firewall can't use the address to establish new connections, but any existing connections are valid until the Valid Lifetime expires (default is 604,800).
12. (Ethernet interface only) Select On-link if systems that have addresses within the prefix are reachable without a router.
13. (Ethernet interface only) Select Autonomous if systems can independently create an IP address by combining the advertised prefix with an Interface ID.
14. Click OK.


Step 6: (Ethernet or VLAN interface using IPv6 address only) Enable the firewall to send IPv6 Router Advertisements (RAs) from an interface, and optionally tune RA parameters.
Tune RA parameters for either of these reasons:
- To interoperate with a router/host that uses different values.
- To achieve fast convergence when multiple gateways are present. For example, set lower Min Interval, Max Interval, and Router Lifetime values so the IPv6 client/host can quickly change the default gateway after the primary gateway fails, and start forwarding to another default gateway in the network.
1. Select Network > Interfaces and Ethernet or VLAN.
2. Select the interface you want to configure.
3. Select IPv6.
4. Select Enable IPv6 on the interface.
5. On the Router Advertisement tab, select Enable Router Advertisement (default is disabled).
6. (Optional) Set Min Interval (sec), the minimum interval, in seconds, between RAs the firewall sends (range is 3-1,350; default is 200). The firewall sends RAs at random intervals between the minimum and maximum values you set.
7. (Optional) Set Max Interval (sec), the maximum interval, in seconds, between RAs the firewall sends (range is 4-1,800; default is 600). The firewall sends RAs at random intervals between the minimum and maximum values you set.
8. (Optional) Set Hop Limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit.
9. (Optional) Set Link MTU, the link maximum transmission unit (MTU) to apply to clients (range is 1,280-9,192; default is unspecified). Select unspecified for no link MTU.
10. (Optional) Set Reachable Time (ms), the reachable time, in milliseconds, that the client will use to assume a neighbor is reachable after receiving a Reachability Confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified).
11. (Optional) Set Retrans Time (ms), the retransmission timer that determines how long the client will wait, in milliseconds, before retransmitting Neighbor Solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified).
12. (Optional) Set Router Lifetime (sec) to specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.
13. Set Router Preference, which the client uses to select a preferred router if the network segment has multiple IPv6 routers. High, Medium (default), or Low is the priority that the RA advertises, indicating the priority of the firewall virtual router relative to other routers on the segment.
14. Select Managed Configuration to indicate to the client that addresses are available via DHCPv6.
15. Select Other Configuration to indicate to the client that other address information (such as DNS-related settings) is available via DHCPv6.
16. Select Consistency Check to have the firewall verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies.
17. Click OK.


Step 7: (Ethernet or VLAN interface using IPv6 address only) Specify the Recursive DNS Server addresses and DNS Search List the firewall will advertise in ND Router Advertisements from this interface.
The RDNS servers and DNS Search List are part of the DNS configuration for the DNS client so that the client can resolve IPv6 DNS requests.
1. Select Network > Interfaces and Ethernet or VLAN.
2. Select the interface you are configuring.
3. Select IPv6 > DNS Support.
4. Include DNS information in Router Advertisement to enable the firewall to send IPv6 DNS information.
5. For DNS Server, Add the IPv6 address of a Recursive DNS Server. Add up to eight Recursive DNS servers. The firewall sends server addresses in an ICMPv6 Router Advertisement in order from top to bottom.
6. Specify the Lifetime in seconds, which is the maximum length of time the client can use the specific RDNS Server to resolve domain names.
   The Lifetime range is any value equal to or between the Max Interval (that you configured on the Router Advertisement tab) and two times that Max Interval. For example, if your Max Interval is 600 seconds, the Lifetime range is 600-1,200 seconds.
   The default Lifetime is 1,200 seconds.
7. For DNS Suffix, Add a DNS Suffix (domain name of a maximum of 255 bytes). Add up to eight DNS suffixes. The firewall sends suffixes in an ICMPv6 Router Advertisement in order from top to bottom.
8. Specify the Lifetime in seconds, which is the maximum length of time the client can use the suffix. The Lifetime has the same range and default value as the Server.
9. Click OK.

Step 8: (Optional) Enable services on the interface.
1. To enable services on the interface, select Network > Interfaces and Ethernet or VLAN.
2. Select the interface you are configuring.
3. Select Advanced > Other Info.
4. Expand the Management Profile drop-down, and select a profile or New Management Profile.
5. Enter a Name for the profile.
6. For Permitted Services, select services, such as Ping, and click OK.

Step 9: Commit. Click OK and Commit.

Step 10: Cable the interface. Attach straight-through cables from the interfaces you configured to the corresponding switch or router on each network segment.

Step 11: Verify that the interface is active. From the web interface, select Network > Interfaces and verify that the icon in the Link State column is green. You can also monitor link state from the Interfaces widget on the Dashboard.

Step 12: Configure static routes and/or a dynamic routing protocol (RIP, OSPF, or BGP) so that the virtual router can route traffic.
- Configure a Static Route
- RIP
- OSPF
- BGP

Step 13: Configure a Static Route to configure a default route.
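The IPv6 side of the procedure above has two things worth seeing in code: how the Interface ID the firewall derives from a MAC address (Step 5) turns into a SLAAC address once a prefix is advertised as Autonomous, and the relationships among the RA settings of Steps 5 and 6. The following is an added Python example, not firewall code. eui64_interface_id() implements the modified EUI-64 construction of RFC 4291; validate_ra() applies the ranges the steps list plus two RFC 4861 constraints (MinRtrAdvInterval at most 0.75 times MaxRtrAdvInterval, and a non-zero AdvDefaultLifetime no shorter than MaxRtrAdvInterval), which are the RFC's rules and not checks the guide attributes to the firewall. The setting names in the cfg dictionary are assumptions for the illustration.

```python
"""IPv6 address formation and RA parameter consistency checks (illustration only)."""
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, List


def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64 (RFC 4291): flip the U/L bit of the first octet and insert FF:FE.
    MAC 00:26:08:DE:4E:29 -> 02:26:08:FF:FE:DE:4E:29."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ":".join(f"{b:02X}" for b in iid)


def slaac_address(prefix: str, interface_id: str) -> IPv6Address:
    """What a host forms from a prefix advertised with the Autonomous flag
    plus its Interface ID (Step 5, items 4 and 13)."""
    net = IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    host = int(interface_id.replace(":", ""), 16)
    return IPv6Address(int(net.network_address) | host)


def validate_ra(cfg: Dict[str, int]) -> List[str]:
    """Return the list of violations for an interface's RA settings; empty means consistent.
    Missing keys take the defaults the guide lists."""
    problems = []
    mn = cfg.get("min_interval", 200)
    mx = cfg.get("max_interval", 600)
    if not 3 <= mn <= 1350:
        problems.append("Min Interval out of range 3-1350")
    if not 4 <= mx <= 1800:
        problems.append("Max Interval out of range 4-1800")
    if mn > 0.75 * mx:
        problems.append("Min Interval exceeds 0.75 x Max Interval (RFC 4861)")
    life = cfg.get("router_lifetime", 1800)
    if not 0 <= life <= 9000:
        problems.append("Router Lifetime out of range 0-9000")
    if 0 < life < mx:
        # Clients would drop the gateway between two RAs (RFC 4861 AdvDefaultLifetime).
        problems.append("Router Lifetime shorter than Max Interval")
    hop = cfg.get("hop_limit", 64)
    if hop != 0 and not 1 <= hop <= 255:
        problems.append("Hop Limit out of range 1-255 (0 = none)")
    mtu = cfg.get("link_mtu")
    if mtu is not None and not 1280 <= mtu <= 9192:
        problems.append("Link MTU out of range 1280-9192")
    valid = cfg.get("valid_lifetime", 2592000)
    pref = cfg.get("preferred_lifetime", 604800)
    if valid < pref:
        problems.append("Valid Lifetime must equal or exceed Preferred Lifetime")
    return problems
```

The fast-failover tuning the procedure mentions (lower Min Interval, Max Interval and Router Lifetime) passes validate_ra() only while the three values keep their relative order; setting Min Interval equal to Max Interval, for instance, is rejected.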

Manage IPv6 Hosts Using NDP

This topic describes how the firewall uses NDP to provision IPv6 hosts and monitor IPv6 addresses.
- IPv6 Router Advertisements for DNS Configuration
- NDP Monitoring
- Enable NDP Monitoring

IPv6 Router Advertisements for DNS Configuration

The firewall implementation of Neighbor Discovery (ND) is enhanced so that you can provision IPv6 hosts with the Recursive DNS Server (RDNSS) Option and DNS Search List (DNSSL) Option per RFC 6106, IPv6 Router Advertisement Options for DNS Configuration. When you Configure Layer 3 Interfaces, you configure these DNS options on the firewall so the firewall can provision your IPv6 hosts; therefore you don't need a separate DHCPv6 server to provision the hosts. The firewall sends IPv6 Router Advertisements (RAs) containing these options to IPv6 hosts as part of their DNS configuration to fully provision them to reach internet services. Thus, your IPv6 hosts are configured with:
- The addresses of RDNS servers that can resolve DNS queries.
- A list of domain names (suffixes) that the DNS client appends (one at a time) to an unqualified domain name before entering the domain name into a DNS query.
IPv6 Router Advertisement for DNS configuration is supported for Ethernet interfaces, subinterfaces, Aggregated Ethernet interfaces, and Layer 3 VLAN interfaces on all PAN-OS platforms.

The capability of the firewall to send IPv6 RAs for DNS configuration allows the firewall to perform a role similar to DHCP, and is unrelated to the firewall being a DNS proxy, DNS client or DNS server.

After you configure the firewall with the addresses of RDNS servers, the firewall provisions an IPv6 host (the DNS client) with those addresses. The IPv6 host uses one or more of those addresses to reach an RDNS server. Recursive DNS refers to a series of DNS requests by an RDNS Server, as shown with three pairs of queries and responses in the following figure. For example, when a user tries to access www.paloaltonetworks.com, the local browser sees that it does not have the IP address for that domain name in its cache, nor does the client's operating system have it. The client's operating system launches a DNS query to a Recursive DNS Server belonging to the local ISP.

An IPv6 Router Advertisement can contain multiple DNS Recursive Server Address options, each with the same or different lifetimes. A single DNS Recursive Server Address option can contain multiple Recursive DNS Server addresses as long as the addresses have the same lifetime.
A DNS Search List is a list of domain names (suffixes) that the firewall advertises to a DNS client. The firewall thus provisions the DNS client to use the suffixes in its unqualified DNS queries. The DNS client appends the suffixes, one at a time, to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name (FQDN) in the DNS query. For example, if a user (of the DNS client being configured) tries to submit a DNS query for the name quality without a suffix, the client appends a period and the first DNS suffix from the DNS Search List to the name and transmits a DNS query. If the first DNS suffix on the list is company.com, the resulting DNS query from the client is for the FQDN quality.company.com.
If the DNS query fails, the client appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The client uses the DNS suffixes in order until a DNS lookup succeeds (ignoring the remaining suffixes) or the client has tried all of the suffixes on the list.
You configure the firewall with the suffixes that you want to provide to the DNS client in an ND DNSSL option; the DNS client receiving the DNS Search List option is provisioned to use the suffixes in its unqualified DNS queries.
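What the RDNSS and DNSSL options described above (and configured in the DNS Support procedure) look like on the wire, as an added Python example; this is not firewall code. The encoders follow RFC 6106 (type 25 for RDNSS, type 31 for DNSSL, lengths in 8-octet units, names in DNS label format padded to a multiple of 8) and enforce the limits the guide states: at most eight servers or suffixes, suffixes of at most 255 bytes, and a lifetime between Max Interval and twice Max Interval. The parser reverses the encoding, and inconsistent() is the kind of comparison behind the "inconsistent router advertisement received" log: another node on the link advertising different DNS data. Server addresses, suffixes and function names are constructed for the illustration.

```python
"""RFC 6106 RDNSS/DNSSL option encoding, decoding and comparison (illustration only)."""
import struct
from ipaddress import IPv6Address
from typing import Dict, List, Tuple

RDNSS, DNSSL = 25, 31      # ND option types from RFC 6106


def lifetime_ok(lifetime: int, max_interval: int) -> bool:
    """The guide's rule: Max Interval <= Lifetime <= 2 x Max Interval."""
    return max_interval <= lifetime <= 2 * max_interval


def rdnss_option(servers: List[str], lifetime: int, max_interval: int = 600) -> bytes:
    if not lifetime_ok(lifetime, max_interval):
        raise ValueError("lifetime outside Max Interval .. 2 x Max Interval")
    if not 1 <= len(servers) <= 8:
        raise ValueError("1 to 8 RDNS servers")
    body = b"".join(IPv6Address(s).packed for s in servers)
    length = 1 + 2 * len(servers)                   # header is 8 octets, each address 16
    return struct.pack("!BBHI", RDNSS, length, 0, lifetime) + body


def dnssl_option(suffixes: List[str], lifetime: int, max_interval: int = 600) -> bytes:
    if not lifetime_ok(lifetime, max_interval):
        raise ValueError("lifetime outside Max Interval .. 2 x Max Interval")
    if not 1 <= len(suffixes) <= 8:
        raise ValueError("1 to 8 DNS suffixes")
    names = b""
    for name in suffixes:
        if len(name) > 255:
            raise ValueError("suffix longer than 255 bytes")
        for label in name.rstrip(".").split("."):
            names += bytes([len(label)]) + label.encode("ascii")
        names += b"\x00"                            # end of this name
    names += b"\x00" * ((-(8 + len(names))) % 8)    # pad to an 8-octet boundary
    return struct.pack("!BBHI", DNSSL, (8 + len(names)) // 8, 0, lifetime) + names


def parse_options(blob: bytes) -> Dict[int, Tuple[int, List[str]]]:
    """Decode a run of ND options into {type: (lifetime, [values])}."""
    out, i = {}, 0
    while i + 8 <= len(blob):
        typ, length, _, lifetime = struct.unpack_from("!BBHI", blob, i)
        if length == 0:
            raise ValueError("zero-length option: RFC 4861 says discard the packet")
        data = blob[i + 8:i + length * 8]
        if typ == RDNSS:
            vals = [str(IPv6Address(data[j:j + 16])) for j in range(0, len(data), 16)]
        elif typ == DNSSL:
            vals, j = [], 0
            while j < len(data) and data[j]:
                labels = []
                while data[j]:
                    n = data[j]
                    labels.append(data[j + 1:j + 1 + n].decode("ascii"))
                    j += 1 + n
                vals.append(".".join(labels))
                j += 1
        else:
            vals = []
        out[typ] = (lifetime, vals)
        i += length * 8
    return out


def inconsistent(expected: bytes, observed: bytes) -> List[str]:
    """Differences between the options we send and the options seen from another router."""
    a, b = parse_options(expected), parse_options(observed)
    return [f"option {t}: {a.get(t)} vs {b.get(t)}"
            for t in sorted(set(a) | set(b)) if a.get(t) != b.get(t)]
```

Nothing in an RA authenticates its sender, so any node on the segment can advertise its own RDNSS addresses and redirect every host's name resolution; the firewall's Consistency Check turns such an RA into a log entry, and inconsistent() shows the comparison that produces it. Treat that log as a detection signal, not a control.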


Configure RDNS Servers and DNS Search List

Step 1: Enable the firewall to send IPv6 Router Advertisements from an interface.
1. Select Network > Interfaces and Ethernet or VLAN.
2. Select the interface to configure.
3. On the IPv6 tab, select Enable IPv6 on the interface.
4. On the Router Advertisement tab, select Enable Router Advertisement.
5. Click OK.

Step 2: Specify the Recursive DNS Server addresses and DNS Search List the firewall will advertise in ND Router Advertisements from this interface.
The RDNS servers and DNS Search List are part of the DNS configuration for the DNS client so that the client can resolve IPv6 DNS requests.
1. Select Network > Interfaces and Ethernet or VLAN.
2. Select the interface you are configuring.
3. Select IPv6 > DNS Support.
4. Include DNS information in Router Advertisement to enable the firewall to send IPv6 DNS information.
5. For DNS Server, Add the IPv6 address of a Recursive DNS Server. Add up to eight Recursive DNS servers. The firewall sends server addresses in an ICMPv6 Router Advertisement in order from top to bottom.
6. Specify the Lifetime in seconds, which is the maximum length of time the client can use the specific RDNS Server to resolve domain names.
   The Lifetime range is any value equal to or between the Max Interval (that you configured on the Router Advertisement tab) and two times that Max Interval. For example, if your Max Interval is 600 seconds, the Lifetime range is 600-1,200 seconds.
   The default Lifetime is 1,200 seconds.
7. For DNS Suffix, Add a DNS Suffix (domain name of a maximum of 255 bytes). Add up to eight DNS suffixes. The firewall sends suffixes in an ICMPv6 Router Advertisement in order from top to bottom.
8. Specify the Lifetime in seconds, which is the maximum length of time the client can use the suffix. The Lifetime has the same range and default value as the Server.
9. Click OK.

Step 3: Commit. Click Commit.

NDP Monitoring

Neighbor Discovery Protocol (NDP) for IPv6 (RFC 4861) performs functions similar to ARP functions for IPv4. The firewall by default runs NDP, which uses ICMPv6 packets to discover and track the link-layer addresses and status of neighbors on connected links.
Enable NDP Monitoring so you can view the IPv6 addresses of devices on the link-local network, their MAC address, associated username from User-ID (if the user of that device used the directory service to log in), reachability Status of the address, and Last Reported date and time the NDP monitor received a Router Advertisement from this IPv6 address. The username is on a best-case basis; there can be many IPv6 devices on a network with no username, such as printers, fax machines, servers, etc.

If you want to quickly track a device and user who has violated a security rule, it is very useful to have the IPv6 address, MAC address and username displayed all in one place. You need the MAC address that corresponds to the IPv6 address in order to trace the MAC address back to a physical switch or Access Point.

NDP monitoring is not guaranteed to discover all devices because there could be other networking devices between the firewall and the client that filter out NDP or Duplicate Address Detection (DAD) messages. The firewall can monitor only the devices that it learns about on the interface.

NDP monitoring also monitors Duplicate Address Detection (DAD) packets from clients and neighbors. You can also monitor IPv6 ND logs to make troubleshooting easier.
NDP monitoring is supported for Ethernet interfaces, subinterfaces, Aggregated Ethernet interfaces, and VLAN interfaces on all PAN-OS models.

Enable NDP Monitoring

Perform this task to enable NDP Monitoring for an interface.

Step 1 Enable NDP monitoring.
1. Select Network > Interfaces and Ethernet or VLAN.
2. Select the interface you are configuring.
3. Select IPv6.
4. Select Address Resolution.
5. Select Enable NDP Monitoring.
NOTE: After you enable or disable NDP monitoring, you must Commit before NDP monitoring can start or stop.
6. Click OK.

Step 2 Commit. Click Commit.

Step 3 Monitor NDP and DAD packets from clients and neighbors.
1. Select Network > Interfaces and Ethernet or VLAN.
2. For the interface where you enabled NDP monitoring, in the Features column, hover over the NDP Monitoring icon.
The NDP Monitoring summary for the interface displays the list of IPv6 prefixes that this interface will send in the Router Advertisement (RA) if RA is enabled (they are the IPv6 prefixes of the interface itself).
The summary also indicates whether DAD, Router Advertisement, and DNS Support are enabled; IP addresses of any Recursive DNS Servers configured; and any DNS suffixes configured on the DNS Search List.
3. Click on the NDP Monitoring icon to display detailed information.


Each row of the detailed NDP Monitoring table for the interface displays the IPv6 address of a neighbor the firewall has discovered, the corresponding MAC address, the corresponding User-ID (on a best-case basis), the reachability Status of the address, and the Last Reported date and time this NDP Monitor received an RA from this IP address. A User-ID will not display for printers or other non-user-based hosts. If the status of the IP address is Stale, the neighbor is not known to be reachable, per RFC 4861.
At the bottom right is the count of Total Devices Detected on the link-local network.
Enter an IPv6 address in the filter field to search for an address to display.
Select the check boxes to display or not display IPv6 addresses.
Click the numbers, the right or left arrow, or the vertical scroll bar to advance through many entries.
Click Clear All NDP Entries to clear the entire table.

Step 4 Monitor ND logs for reporting purposes.
1. Select Monitor > Logs > System.
2. In the Type column, view ipv6nd logs and corresponding descriptions.
For example, inconsistent router advertisement received indicates that the firewall received an RA different from the RA that it is going to send out.

Configure an Aggregate Interface Group

An aggregate interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that connects the firewall to another network device or another firewall. An aggregate group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy; when one interface fails, the remaining interfaces continue supporting traffic.
By default, interface failure detection is automatic only at the physical layer between directly connected peers. However, if you enable Link Aggregation Control Protocol (LACP), failure detection is automatic at the physical and data link layers regardless of whether the peers are directly connected. LACP also enables automatic failover to standby interfaces if you configured hot spares. All Palo Alto Networks firewalls except the PA-200 and VM-Series models support aggregate groups. You can add up to eight aggregate groups per firewall and each group can have up to eight interfaces.

PAN-OS firewall models support a maximum of 16,000 IP addresses assigned to physical or virtual Layer 3 interfaces; this maximum includes both IPv4 and IPv6 addresses.


Before configuring an aggregate group, you must configure its interfaces. All the interfaces in an aggregate group must be the same with respect to bandwidth and interface type. The options are:
Bandwidth: 1 Gbps or 10 Gbps.
Interface type: HA3, virtual wire, Layer 2, or Layer 3. You can aggregate the HA3 (packet-forwarding) interfaces in an active/active high availability (HA) deployment but only for PA-500, PA-3000 Series, and PA-5000 Series firewalls.

This procedure describes configuration steps only for the Palo Alto Networks firewall. You must also configure the aggregate group on the peer device. Refer to the documentation of that device for instructions.

Step 1 Configure the general interface group parameters.
1. Select Network > Interfaces > Ethernet and Add Aggregate Group.
2. In the field adjacent to the read-only Interface Name, enter a number (1-8) to identify the aggregate group.
3. For the Interface Type, select HA, Virtual Wire, Layer2, or Layer3.
4. Configure the remaining parameters for the Interface Type you selected.


Step 2 Configure the LACP settings. Perform this step only if you want to enable LACP for the aggregate group.
NOTE: You cannot enable LACP for virtual wire interfaces.
1. Select the LACP tab and Enable LACP.
2. Set the Mode for LACP status queries to Passive (the firewall just responds; the default) or Active (the firewall queries peer devices).
As a best practice, set one LACP peer to active and the other to passive. LACP cannot function if both peers are passive. The firewall cannot detect the mode of its peer device.
3. Set the Transmission Rate for LACP query and response exchanges to Slow (every 30 seconds; the default) or Fast (every second). Base your selection on how much LACP processing your network supports and how quickly LACP peers must detect and resolve interface failures.
4. Select Fast Failover if you want to enable failover to a standby interface in less than one second. By default, the option is disabled and the firewall uses the IEEE 802.1AX standard for failover processing, which takes at least three seconds.
As a best practice, use Fast Failover in deployments where you might lose critical data during the standard failover interval.
5. Enter the Max Ports (number of interfaces) that are active (1-8) in the aggregate group. If the number of interfaces you assign to the group exceeds the Max Ports, the remaining interfaces will be in standby mode. The firewall uses the LACP Port Priority of each interface you assign (Step 3) to determine which interfaces are initially active and to determine the order in which standby interfaces become active upon failover. If the LACP peers have non-matching port priority values, the values of the peer with the lower System Priority number (default is 32,768; range is 1-65,535) will override the other peer.
6. (Optional) For active/passive firewalls only, select Enable in HA Passive State if you want to enable LACP pre-negotiation for the passive firewall. LACP pre-negotiation enables quicker failover to the passive firewall (for details, see LACP and LLDP Pre-Negotiation for Active/Passive HA).
NOTE: If you select this option, you cannot select Same System MAC Address for Active-Passive HA; pre-negotiation requires unique interface MAC addresses on each HA firewall.
7. (Optional) For active/passive firewalls only, select Same System MAC Address for Active-Passive HA and specify a single MAC Address for both HA firewalls. This option minimizes failover latency if the LACP peers are virtualized (appearing to the network as a single device). By default, the option is disabled: each firewall in an HA pair has a unique MAC address.
If the LACP peers are not virtualized, use unique MAC addresses to minimize failover latency.


Step 3 Assign interfaces to the aggregate group. Perform the following steps for each interface (1-8) that will be a member of the aggregate group.
1. Select Network > Interfaces > Ethernet and click the interface name to edit it.
2. Set the Interface Type to Aggregate Ethernet.
3. Select the Aggregate Group you just defined.
4. Select the Link Speed, Link Duplex, and Link State.
As a best practice, set the same link speed and duplex values for every interface in the group. For non-matching values, the firewall defaults to the higher speed and full duplex.
5. (Optional) Enter an LACP Port Priority (default is 32,768; range is 1-65,535) if you enabled LACP for the aggregate group. If the number of interfaces you assign exceeds the Max Ports value of the group, the port priorities determine which interfaces are active or standby. The interfaces with the lower numeric values (higher priorities) will be active.
6. Click OK.

Step 4 If the firewalls have an active/active configuration and you are aggregating HA3 interfaces, enable packet forwarding for the aggregate group.
1. Select Device > High Availability > Active/Active Config and edit the Packet Forwarding section.
2. Select the aggregate group you configured for the HA3 Interface and click OK.

Step 5 Commit your changes and verify the aggregate group status.
1. Click Commit.
2. Select Network > Interfaces > Ethernet.
3. Verify that the Link State column displays a green icon for the aggregate group, indicating that all member interfaces are up. If the icon is yellow, at least one member is down but not all. If the icon is red, all members are down.
4. If you configured LACP, verify that the Features column displays the LACP enabled icon for the aggregate group.
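The active/standby selection that Step 2 (Max Ports, System Priority) and Step 3 (LACP Port Priority) describe, modelled in Python as an added example; this is not PAN-OS code. The function names, the sample interface priorities, and the assumption that the local side wins when both System Priority values are equal are constructed for illustration.

```python
"""Which members of an aggregate group LACP makes active, following the rules in
the procedure above: at most Max Ports members are active, chosen by the lowest
LACP Port Priority value; when the two peers disagree on port priorities, the
peer with the lower System Priority number decides; on a failure the standby
with the best remaining priority takes over. Added example, not PAN-OS code."""

DEFAULT_PRIORITY = 32768  # default for both System Priority and LACP Port Priority


def lacp_negotiates(local_mode, peer_mode):
    """LACP cannot function if both peers are passive; at least one must be active."""
    return "active" in (local_mode, peer_mode)


def governing_priorities(local_sys_prio, local_port_prio, peer_sys_prio, peer_port_prio):
    """Return the port-priority map that governs the link.

    The peer with the lower System Priority number overrides the other peer.
    Assumption for this example: on a tie the local values are used."""
    if peer_sys_prio < local_sys_prio:
        return dict(peer_port_prio)
    return dict(local_port_prio)


def select_active(port_prio, max_ports, failed=()):
    """Split members into (active, standby) after removing failed members.

    Lower numeric port priority = higher priority; the interface name breaks ties
    so the result is deterministic."""
    order = sorted((p for p in port_prio if p not in failed),
                   key=lambda p: (port_prio[p], p))
    return order[:max_ports], order[max_ports:]


# Constructed sample: four members, Max Ports 2, and a peer whose port priorities
# are the mirror image of ours.
LOCAL_PORT_PRIO = {"ethernet1/1": 100, "ethernet1/2": 200,
                   "ethernet1/3": 300, "ethernet1/4": 400}
PEER_PORT_PRIO = {"ethernet1/1": 400, "ethernet1/2": 300,
                  "ethernet1/3": 200, "ethernet1/4": 100}


def lag_state(local_sys_prio, peer_sys_prio, max_ports=2, failed=()):
    """(active, standby) for the sample group under the given system priorities."""
    prio = governing_priorities(local_sys_prio, LOCAL_PORT_PRIO,
                                peer_sys_prio, PEER_PORT_PRIO)
    return select_active(prio, max_ports, failed)


if __name__ == "__main__":
    print("both default system priority:", lag_state(DEFAULT_PRIORITY, DEFAULT_PRIORITY))
    print("peer has system priority 100:", lag_state(DEFAULT_PRIORITY, 100))
    print("ethernet1/1 failed:", lag_state(DEFAULT_PRIORITY, DEFAULT_PRIORITY,
                                           failed=("ethernet1/1",)))
```

The second case is the one worth remembering when you troubleshoot: with the peer's System Priority set lower, the peer's port priorities apply and the members the firewall administrator expected to be active end up on standby.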

Use Interface Management Profiles to Restrict Access

An Interface Management profile protects the firewall from unauthorized access by defining the protocols, services, and IP addresses that a firewall interface permits for management traffic. For example, you might want to prevent users from accessing the firewall web interface over the ethernet1/1 interface but allow that interface to receive SNMP queries from your network monitoring system. In this case, you would enable SNMP and disable HTTP/HTTPS in an Interface Management profile and assign the profile to ethernet1/1.
You can assign an Interface Management profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical interfaces (aggregate group, VLAN, loopback, and tunnel interfaces). If you do not assign an Interface Management profile to an interface, it denies access for all IP addresses, protocols, and services by default.


The management (MGT) interface does not require an Interface Management profile. You restrict protocols, services, and IP addresses for the MGT interface when you Perform Initial Configuration of the firewall. In case the MGT interface goes down, allowing management access over another interface enables you to continue managing the firewall. However, as a best practice, use additional methods besides Interface Management profiles to prevent unauthorized access over that interface. These methods include role-based access control and access restrictions based on VLANs, virtual routers, or virtual systems.

Configure and Assign an Interface Management Profile

Step 1 Configure the Interface Management profile.
1. Select Network > Network Profiles > Interface Mgmt and click Add.
2. Select the protocols that the interface permits for management traffic: Ping, Telnet, SSH, HTTP, HTTP OCSP, HTTPS, or SNMP. Telnet and HTTP carry credentials in cleartext; prefer SSH and HTTPS on any interface that untrusted hosts can reach.
3. Select the services that the interface permits for management traffic:
Response Pages: Use to enable response pages for:
Captive Portal: To serve Captive Portal response pages, the firewall leaves ports open on Layer 3 interfaces: port 6080 for NT LAN Manager (NTLM), 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode. For details, see Configure Captive Portal.
URL Admin Override: For details, see Allow Password Access to Certain Sites.
User-ID: Use to Redistribute User Mappings and Authentication Timestamps.
User-ID Syslog Listener-SSL or User-ID Syslog Listener-UDP: Use to Configure User-ID to Monitor Syslog Senders for User Mapping over SSL or UDP.
4. (Optional) Add the Permitted IP Addresses that can access the interface. If you don't add entries to the list, the interface has no IP address restrictions, so populate the list whenever the interface is reachable from networks you do not control.
5. Click OK.

Step 2 Assign the Interface Management profile to an interface.
1. Select Network > Interfaces, select the type of interface (Ethernet, VLAN, Loopback, or Tunnel), and select the interface.
2. Select Advanced > Other Info and select the Interface Management Profile you just added.
3. Click OK and Commit.
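How the profile semantics above combine for a single management packet, as an added Python model (not PAN-OS code). It encodes the three rules the section states: no profile means deny everything, an empty Permitted IP Addresses list means no source restriction, and the Response Pages service opens TCP 6080/6081/6082. The class and function names, the protocol-to-port table (the HTTP OCSP port in particular is an assumption), and the two sample profiles are constructed for illustration.

```python
"""Model of how an Interface Management profile gates management traffic on a
data interface. Added example, not Palo Alto Networks code; names, the port
table and the sample profiles are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Selectable protocols -> (transport, destination port). The OCSP responder port
# is an assumption for this example.
PROTOCOL_PORTS = {
    "ping": ("icmp", None),
    "telnet": ("tcp", 23),
    "ssh": ("tcp", 22),
    "http": ("tcp", 80),
    "http-ocsp": ("tcp", 80),
    "https": ("tcp", 443),
    "snmp": ("udp", 161),
}
# Listener ports the Response Pages service opens on Layer 3 interfaces.
RESPONSE_PAGE_PORTS = {6080: "captive-portal-ntlm",
                       6081: "captive-portal-transparent",
                       6082: "captive-portal-redirect"}


@dataclass
class InterfaceMgmtProfile:
    name: str
    protocols: set = field(default_factory=set)
    services: set = field(default_factory=set)
    permitted_ips: list = field(default_factory=list)  # CIDR strings; empty = unrestricted


def _source_permitted(profile, src):
    if not profile.permitted_ips:        # empty list: no IP restriction (Step 1.4)
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in profile.permitted_ips)


def mgmt_access_decision(profile: Optional[InterfaceMgmtProfile], src_ip, transport, dport):
    """Return (allowed, reason) for one management packet arriving on the interface."""
    if profile is None:                  # no profile assigned: deny all by default
        return False, "no Interface Management profile on interface"
    if not _source_permitted(profile, src_ip):
        return False, f"{src_ip} not in Permitted IP Addresses"
    for proto in profile.protocols:
        tr, port = PROTOCOL_PORTS[proto]
        if tr == transport and port == dport:
            return True, f"protocol {proto} enabled"
    if ("response-pages" in profile.services and transport == "tcp"
            and dport in RESPONSE_PAGE_PORTS):
        return True, RESPONSE_PAGE_PORTS[dport]
    return False, "protocol/service not enabled in profile"


def audit_profile(profile):
    """Findings a reviewer would raise before assigning the profile to an exposed interface."""
    findings = []
    if not profile.permitted_ips:
        findings.append("Permitted IP Addresses empty: any source may reach enabled services")
    for weak in ("telnet", "http"):
        if weak in profile.protocols:
            findings.append(f"{weak} enabled: cleartext management protocol")
    return findings


# Constructed sample matching the section's scenario: SNMP from the NMS subnet only.
SNMP_ONLY = InterfaceMgmtProfile("snmp-from-nms", {"snmp"}, set(), ["10.0.5.0/24"])
# Constructed sample of a risky profile: web UI, Telnet and response pages, any source.
WIDE_OPEN = InterfaceMgmtProfile("wide-open", {"https", "telnet", "ping"},
                                 {"response-pages"}, [])

if __name__ == "__main__":
    for prof, src, tr, port in [(None, "10.0.5.7", "udp", 161),
                                (SNMP_ONLY, "10.0.5.7", "udp", 161),
                                (SNMP_ONLY, "10.0.5.7", "tcp", 443),
                                (WIDE_OPEN, "192.0.2.9", "tcp", 6081)]:
        print(getattr(prof, "name", None), src, tr, port, mgmt_access_decision(prof, src, tr, port))
    print("audit wide-open:", audit_profile(WIDE_OPEN))
```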


Virtual Routers

The firewall uses virtual routers to obtain routes to other subnets by manually defining static routes or through participation in one or more Layer 3 routing protocols (dynamic routes). The routes that the firewall obtains through these methods populate the firewall's IP routing information base (RIB). When a packet is destined for a different subnet than the one it arrived on, the virtual router obtains the best route from the RIB, places it in the forwarding information base (FIB), and forwards the packet to the next hop router defined in the FIB. The firewall uses Ethernet switching to reach other devices on the same IP subnet. (An exception to one best route going in the FIB occurs if you are using ECMP, in which case all equal-cost routes go in the FIB.)
The Ethernet, VLAN, and tunnel interfaces defined on the firewall receive and forward Layer 3 packets. The destination zone is derived from the outgoing interface based on the forwarding criteria, and the firewall consults policy rules to identify the security policies that it applies to each packet. Because the destination zone follows the forwarding decision, a routing change (a new default route, or a route learned from a dynamic protocol) can change which security rules apply to a flow; review policy whenever routing changes. In addition to routing to other network devices, virtual routers can route to other virtual routers within the same firewall if a next hop is specified to point to another virtual router.
You can configure Layer 3 interfaces on a virtual router to participate with dynamic routing protocols (BGP, OSPF, OSPFv3, or RIP) as well as add static routes. You can also create multiple virtual routers, each maintaining a separate set of routes that aren't shared between virtual routers, enabling you to configure different routing behaviors for different interfaces.
Each Layer 3 Ethernet, loopback, VLAN, and tunnel interface defined on the firewall must be associated with a virtual router. While each interface can belong to only one virtual router, you can configure multiple routing protocols and static routes for a virtual router. Regardless of the static routes and dynamic routing protocols you configure for a virtual router, one general configuration is required:

Define a Virtual Router

Step 1 Gather the required information from your network administrator.
Interfaces on the firewall that you want to perform routing.
Administrative distances for static, OSPF internal, OSPF external, IBGP, EBGP and RIP.

Step 2 Create a virtual router and apply interfaces to it. The firewall comes with a virtual router named default. You can edit the default virtual router or add a new virtual router.
1. Select Network > Virtual Routers.
2. Select a virtual router (the one named default or a different virtual router) or Add the Name of a new virtual router.
3. Select Router Settings > General.
4. Click Add in the Interfaces box and select an already defined interface from the drop-down. Repeat this step for all interfaces you want to add to the virtual router.
5. Click OK.


Step 3 Set Administrative Distances for static and dynamic routing. Set Administrative Distances for types of routes as required for your network. When the virtual router has two or more different routes to the same destination, it uses administrative distance to choose the best path from different routing protocols and static routes, by preferring a lower distance.
Static: Range is 10-240; default is 10.
OSPF Internal: Range is 10-240; default is 30.
OSPF External: Range is 10-240; default is 110.
IBGP: Range is 10-240; default is 200.
EBGP: Range is 10-240; default is 20.
RIP: Range is 10-240; default is 120.
NOTE: See ECMP if you want to leverage having multiple equal-cost paths for forwarding.

Step 4 Commit virtual router general settings. Click OK and Commit.

Step 5 Configure Layer 3 Interfaces (Ethernet, VLAN, loopback, or tunnel interfaces).


Service Routes

The firewall uses the management (MGT) interface by default to access external services, such as DNS servers, external authentication servers, and Palo Alto Networks services such as software, URL updates, licenses and AutoFocus. An alternative to using the MGT interface is to configure a data port (a regular interface) to access these services. The path from the interface to the service on a server is known as a service route. The service packets exit the firewall on the port assigned for the external service and the server sends its response to the configured source interface and source IP address.
You can configure service routes globally for the firewall or Customize Service Routes for a Virtual System on a firewall enabled for multiple virtual systems so that you have the flexibility to use interfaces associated with a virtual system. Any virtual system that does not have a service route configured for a particular service inherits the interface and IP address that are set globally for that service.
The following procedure enables you to change the interface the firewall uses to send requests to external services.

Configure Service Routes on the Firewall

Step 1 Customize service routes.
1. Select Device > Setup > Services > Global and click Service Route Configuration.
2. Click the Customize radio button, and select one of the following:
For a predefined service, select IPv4 or IPv6 and click the link for the service for which you want to modify the Source Interface and select the interface. You can specify both IPv4 and IPv6 addresses for a service. If more than one IP address is configured for the selected interface, the Source Address drop-down allows you to select an IP address.
To create a service route for a custom destination, select Destination, and click Add. Enter a Destination name and select a Source Interface. If more than one IP address is configured for the selected interface, the Source Address drop-down allows you to select an IP address.
3. Click OK to save the settings.
4. Repeat steps 2-3 above for each service route you want to modify.
NOTE: To use the same source interface and source address for multiple services, select the check box for the services and click Set Selected Service Routes to easily update the selected service routes.
5. Commit your changes.

Step 2 Save the configuration. Click Commit and OK.


Static Routes

Static routes are typically used in conjunction with dynamic routing protocols. You might configure a static route for a location that a dynamic routing protocol can't reach. Static routes require manual configuration on every router in the network, rather than the firewall entering dynamic routes in its route tables; even though static routes require that configuration on all routers, they may be desirable in small networks rather than configuring a routing protocol.
Static Route Overview
Static Route Removal Based on Path Monitoring
Configure a Static Route
Configure Path Monitoring for a Static Route

Static Route Overview

If you decide that you want specific Layer 3 traffic to take a certain route without participating in IP routing protocols, you can Configure a Static Route using IPv4 and IPv6 routes.
A default route is a specific static route. If you don't use dynamic routing to obtain a default route for your virtual router, you must configure a static default route. When the virtual router has an incoming packet and finds no match for the packet's destination in its route table, the virtual router sends the packet to the default route. The default IPv4 route is 0.0.0.0/0; the default IPv6 route is ::/0. You can configure both an IPv4 and an IPv6 default route.
Static routes themselves don't change or adjust to changes in network environments, so traffic typically isn't rerouted if a failure occurs along the route to a statically defined endpoint. However, you have options to back up static routes in the event of a problem:
You can configure a static route with a Bidirectional Forwarding Detection (BFD) profile so that if a BFD session between the firewall and the BFD peer fails, the firewall removes the failed static route from the RIB and FIB tables and uses an alternate path with a lower priority.
You can Configure Path Monitoring for a Static Route so that the firewall can use an alternative route.
By default, static routes have an administrative distance of 10. When the firewall has two or more routes to the same destination, it uses the route with the lowest administrative distance. By increasing the administrative distance of a static route to a value higher than a dynamic route, you can use the static route as a backup route if the dynamic route is unavailable.
While you're configuring a static route, you can specify whether the firewall installs an IPv4 static route in the unicast or multicast route table (RIB), or both tables, or doesn't install the route at all. For example, you could install an IPv4 static route in the multicast route table only, because you want only multicast traffic to use that route. This option gives you more control over which route the traffic takes. You can specify whether the firewall installs an IPv6 static route in the unicast route table or not.
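The RIB-to-FIB selection that Step 3 of Define a Virtual Router describes (lowest administrative distance, then lowest metric, all equal-cost routes with ECMP) and the floating static route described just above, worked through in Python as an added example; this is not PAN-OS code. The Route structure, the function names, and the sample RIB are assumptions; the default distances are the ones listed in the virtual router procedure.

```python
"""Route selection in a virtual router, following the guide's description: the
RIB holds every static and learned route; for each prefix the FIB gets the route
with the lowest administrative distance, then the lowest metric, and with ECMP
every equal-cost route. Added example, not PAN-OS code."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Default administrative distances from the Define a Virtual Router procedure.
DEFAULT_ADMIN_DISTANCE = {
    "static": 10, "ospf-int": 30, "ospf-ext": 110, "ibgp": 200, "ebgp": 20, "rip": 120,
}


@dataclass(frozen=True)
class Route:
    destination: str            # prefix, e.g. "0.0.0.0/0"
    next_hop: str
    source: str                 # key of DEFAULT_ADMIN_DISTANCE
    metric: int = 10
    admin_distance: int = None  # per-route override (Configure a Static Route, Step 8)

    @property
    def distance(self):
        if self.admin_distance is None:
            return DEFAULT_ADMIN_DISTANCE[self.source]
        return self.admin_distance


def build_fib(rib, ecmp=False):
    """Best route(s) per prefix: lowest admin distance, then lowest metric."""
    by_prefix = defaultdict(list)
    for r in rib:
        by_prefix[ipaddress.ip_network(r.destination, strict=False)].append(r)
    fib = {}
    for prefix, routes in by_prefix.items():
        best = min((r.distance, r.metric) for r in routes)
        winners = [r for r in routes if (r.distance, r.metric) == best]
        fib[prefix] = winners if ecmp else winners[:1]
    return fib


def lookup(fib, dst):
    """Longest-prefix match; the default route (0.0.0.0/0 or ::/0) catches the rest."""
    addr = ipaddress.ip_address(dst)
    candidates = [p for p in fib if p.version == addr.version and addr in p]
    if not candidates:
        return []
    return fib[max(candidates, key=lambda p: p.prefixlen)]


# Constructed sample RIB: an EBGP-learned default route with a floating static
# default behind it (admin distance raised to 250), two equal-cost statics to
# 10.20.0.0/16, a more specific OSPF route, and an IPv6 default route.
SAMPLE_RIB = [
    Route("0.0.0.0/0", "198.51.100.1", "static", metric=10, admin_distance=250),
    Route("0.0.0.0/0", "192.0.2.10", "ebgp", metric=0),
    Route("10.20.0.0/16", "10.1.1.2", "static"),
    Route("10.20.0.0/16", "10.1.2.2", "static"),
    Route("10.20.30.0/24", "10.1.3.2", "ospf-int", metric=20),
    Route("::/0", "2001:db8::1", "static"),
]


def next_hops(rib, dst, ecmp=False):
    """Sorted next hops the FIB would use for dst."""
    return sorted(r.next_hop for r in lookup(build_fib(rib, ecmp), dst))


def next_hops_after_loss(rib, lost_source, dst):
    """Next hops for dst once every route learned from lost_source is withdrawn."""
    return next_hops([r for r in rib if r.source != lost_source], dst)


if __name__ == "__main__":
    print("internet via:", next_hops(SAMPLE_RIB, "203.0.113.5"))
    print("internet after EBGP loss:", next_hops_after_loss(SAMPLE_RIB, "ebgp", "203.0.113.5"))
    print("10.20.40.7 with ECMP:", next_hops(SAMPLE_RIB, "10.20.40.7", ecmp=True))
```

The floating static default route only takes effect because its administrative distance (250) is above EBGP's default of 20; left at the static default of 10 it would always win and the BGP-learned route would never be used.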


Static Route Removal Based on Path Monitoring

When you Configure Path Monitoring for a Static Route, the firewall uses path monitoring to detect when the path to one or more monitored destinations has gone down. The firewall can then reroute traffic using an alternative route. The firewall uses path monitoring for static routes much like path monitoring for HA or policy-based forwarding (PBF), as follows:
The firewall sends ICMP ping messages (heartbeat messages) to one or more monitored destinations that you determine are robust and reflect the availability of the static route.
If pings to any or all of the monitored destinations fail, the firewall considers the static route down too and removes it from the Routing Information Base (RIB) and Forwarding Information Base (FIB). The RIB is the table of static routes the firewall is configured with and dynamic routes it has learned from routing protocols. The FIB is the forwarding table of routes the firewall uses for forwarding packets. The firewall selects an alternative static route to the same destination (based on the route with the lowest metric) from the RIB and places it in the FIB.
The firewall continues to monitor the failed route. When the route comes back up, and (based on the Any or All failure condition) the path monitor returns to Up state, the preemptive hold timer begins. The path monitor must remain up for the duration of the hold timer; then the firewall considers the static route stable and reinstates it into the RIB. The firewall then compares metrics of routes to the same destination to decide which route goes in the FIB.
Path monitoring is a desirable mechanism to avoid black-holing traffic for:
A static or default route.
A static or default route redistributed into a routing protocol.
A static or default route between two virtual routers in case one router has a problem (Bidirectional Forwarding Detection [BFD] doesn't function between virtual routers).
A static or default route when one peer does not support BFD. (The best practice is not to enable both BFD and path monitoring on a single interface.)
A static or default route instead of using PBF path monitoring, which doesn't remove a failed static route from the RIB, FIB, or redistribution policy.
In the following figure, the firewall is connected to two ISPs for route redundancy to the internet. The primary default route 0.0.0.0 (metric 10) uses Next Hop 192.0.2.10; the secondary default route 0.0.0.0 (metric 50) uses Next Hop 198.51.100.1. The customer premises equipment (CPE) for ISP A keeps the primary physical link active, even after internet connectivity goes down. With the link artificially active, the firewall can't detect that the link is down and that it should replace the failed route with the secondary route in its RIB.
To avoid black-holing traffic to a failed link, configure path monitoring of 192.0.2.20, 192.0.2.30, and 192.0.2.40, and if all (or any) of the paths to these destinations fail, the firewall presumes the path to Next Hop 192.0.2.10 is also down, removes the static route 0.0.0.0 (that uses Next Hop 192.0.2.10) from its RIB, and replaces it with the secondary route to the same destination 0.0.0.0 (that uses Next Hop 198.51.100.1), which also accesses the internet.


When you Configure a Static Route, one of the required fields is the Next Hop toward that destination. The type of next hop you configure determines the action the firewall takes during path monitoring, as follows:

Next Hop Type in Static Route: IP Address
Firewall Action for ICMP Ping: The firewall uses the source IP address and egress interface of the static route as the source address and egress interface in the ICMP ping. It uses the configured Destination IP address of the monitored destination as the ping's destination address. It uses the static route's next hop address as the ping's next hop address.

Next Hop Type in Static Route: Next VR
Firewall Action for ICMP Ping: The firewall uses the source IP address of the static route as the source address in the ICMP ping. The egress interface is based on the lookup result from the next hop's virtual router. The configured Destination IP address of the monitored destination is the ping's destination address.

Next Hop Type in Static Route: None
Firewall Action for ICMP Ping: The firewall uses the destination IP address of the path monitor as the next hop and sends the ICMP ping to the interface specified in the static route.

When path monitoring for a static or default route fails, the firewall logs a critical event (path-monitor-failure). When the static or default route recovers, the firewall logs another critical event (path-monitor-recovery).
Firewalls synchronize path monitoring configurations for an active/passive HA deployment, but the firewall blocks egress ICMP ping packets on a passive HA peer because it is not actively processing traffic. The firewall doesn't synchronize path monitoring configurations for active/active HA deployments.

Configure a Static Route

Perform the following task to configure a static route or default route for a virtual router on the firewall.


Step 1 Configure a static route.
1. Select Network > Virtual Routers and select the virtual router you are configuring, such as default.
2. Select the Static Routes tab.
3. Select IPv4 or IPv6, depending on the type of static route you want to configure.
4. Add a Name for the route.
5. For Destination, enter the route and netmask (for example, 192.168.2.2/24 for an IPv4 address or 2001:db8:123:1::1/64 for an IPv6 address). If you're creating a default route, enter the default route (0.0.0.0/0 for an IPv4 address or ::/0 for an IPv6 address).
6. (Optional) For Interface, specify the outgoing interface for packets to use to go to the next hop. Use this for stricter control over which interface the firewall uses rather than the interface in the route table for the next hop of this route.
7. For Next Hop, select one of the following:
IP Address: Enter the IP address (for example, 192.168.56.1 or 2001:db8:49e:1::1) when you want to route to a specific next hop. You must Enable IPv6 on the interface (when you Configure Layer 3 Interfaces) to use an IPv6 next hop address. If you're creating a default route, for Next Hop you must select IP Address and enter the IP address for your Internet gateway (for example, 192.168.56.1 or 2001:db8:49e:1::1).
Next VR: Select this option and then select a virtual router if you want to route internally to a different virtual router on the firewall.
Discard: Select to drop packets that are addressed to this destination.
None: Select if there is no next hop for the route. For example, a point-to-point connection needs no next hop because there is only one way for packets to go.
8. Enter an Admin Distance for the route to override the default administrative distance set for static routes for this virtual router (range is 10-240; default is 10).
9. Enter a Metric for the route (range is 1-65,535).


10. Select the Route Table (the RIB) into which you want the firewall to install the static route:
Unicast: Install the route in the unicast route table. Choose this option if you want the route used only for unicast traffic.
Multicast: Install the route in the multicast route table (available for IPv4 routes only). Choose this option if you want the route used only for multicast traffic.
Both: Install the route in the unicast and multicast route tables (available for IPv4 routes only). Choose this option if you want either unicast or multicast traffic to use the route.
No Install: Do not install the route in either route table.
11. (Optional) Apply a BFD Profile to the static route so that if the static route fails, the firewall implementation of BFD removes the route from the RIB and FIB and uses an alternative route. Default is None.
12. Click OK twice.

Step 2 Commit the configuration. Click OK and Commit.

Configure Path Monitoring for a Static Route

Use the following procedure to configure Static Route Removal Based on Path Monitoring.

Step 1 Enable path monitoring for a static route.
1. Select Network > Virtual Routers and select a virtual router.
2. Select Static Routes, select IPv4 or IPv6, and select the static route you want to monitor. You can monitor up to 128 static routes.
3. Select Path Monitoring to enable path monitoring for the route.


Step 2 Configure the monitored destination(s) for the static route.
1. Add a monitored destination by Name. You can add up to eight monitored destinations per static route.
2. Select Enable to monitor the destination.
3. For Source IP, select the IP address that the firewall uses in the ICMP ping to the monitored destination:
If the interface has multiple IP addresses, select one.
If you select an interface, the firewall uses the first IP address assigned to the interface by default.
If you select DHCP (Use DHCP Client address), the firewall uses the address that DHCP assigned to the interface. To see the DHCP address, select Network > Interfaces > Ethernet and in the row for the Ethernet interface, click on Dynamic DHCP Client. The IP Address displays in the Dynamic IP Interface Status window.
4. For Destination IP, enter an IP address or address object to which the firewall will monitor the path. The monitored destination and static route destination must use the same address family (IPv4 or IPv6).
The destination IP address should belong to a reliable endpoint; you wouldn't want to base path monitoring on a device that itself is unstable or unreliable.
5. (Optional) Specify the ICMP Ping Interval (sec) in seconds to determine how frequently the firewall monitors the path (range is 1-60; default is 3).
6. (Optional) Specify the ICMP Ping Count of packets that don't return from the destination before the firewall considers the static route down and removes it from the RIB and FIB (range is 3-10; default is 5).
7. Click OK.


Step 3 Determine whether path monitoring for the static route is based on one or all monitored destinations, and set the preemptive hold time.
1. Select a Failure Condition, whether Any or All of the monitored destinations for the static route must be unreachable by ICMP for the firewall to remove the static route from the RIB and FIB and add the static route that has the next lowest metric going to the same destination to the FIB.
Select All to avoid the possibility of any single monitored destination signaling a route failure when the destination is simply offline for maintenance, for example.
2. (Optional) Specify the Preemptive Hold Time (min), which is the number of minutes a downed path monitor must remain in Up state before the firewall reinstalls the static route into the RIB. The path monitor evaluates all of its monitored destinations for the static route and comes up based on the Any or All failure condition. If a link goes down or flaps during the hold time, when the link comes back up, the path monitor can come back up; the timer restarts when the path monitor returns to Up state.
A Preemptive Hold Time of zero causes the firewall to reinstall the route into the RIB immediately upon the path monitor coming up. Range is 0-1,440; default is 2.
3. Click OK.

Step 4 Commit the configuration. Click Commit.

Step 5 Verify path monitoring on static routes.
1. Select Network > Virtual Routers and in the row of the virtual router you are interested in, select More Runtime Stats.
2. From the Routing tab, select Static Route Monitoring.
3. For a static route (Destination), view whether Path Monitoring is Enabled or Disabled. The Status column indicates whether the route is Up, Down, or Disabled. Flags for the static route are: A (active), S (static), E (ECMP).
4. Select Refresh periodically to see the latest state of the path monitoring (health check).
5. Hover over the Status of a route to view the monitored IP addresses and results of the pings sent to the monitored destinations for that route. For example, 3/5 means that a ping interval of 3 seconds and a ping count of 5 consecutive missed pings (the firewall receives no ping in the last 15 seconds) indicates path monitoring detects a link failure. Based on the Any or All failure condition, if path monitoring is in failed state and the firewall receives a ping after 15 seconds, the path can be deemed up and the Preemptive Hold Time starts.
The State indicates the last monitored ping results: success or failed. Failed indicates that the series of ping packets (ping interval multiplied by ping count) was not successful. A single ping packet failure does not reflect a failed ping state.


Step 6 View the RIB and FIB to verify that the static route is removed.
1. Select Network > Virtual Routers and in the row of the virtual router you are interested in, select More Runtime Stats.
2. From the Routing tab, select Route Table (RIB) and then the Forwarding Table (FIB) to view each, respectively.
3. Select Unicast or Multicast to view the appropriate route table.
4. For Display Address Family, select IPv4 and IPv6, IPv4 Only, or IPv6 Only.
5. (Optional) In the filter field, enter the route you are searching for and select the arrow, or use the scroll bar to move through pages of routes.
6. See if the route is removed or present.
7. Select Refresh periodically to see the latest state of the path monitoring (health check).
NOTE: To view the events logged for path monitoring, select Monitor > Logs > System. View the entry for path-monitor-failure, which indicates path monitoring for a static route destination failed, so the route was removed. View the entry for path-monitor-recovery, which indicates path monitoring for the static route destination recovered, so the route was restored.
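The removal and reinstatement behaviour this procedure configures (ping interval and count, the Any/All failure condition, the preemptive hold time, and the path-monitor-failure and path-monitor-recovery events), simulated in Python as an added example; this is not PAN-OS code. The class and method names, the one-tick-per-ping-interval model, and the reply traces are assumptions; the monitored destinations are the ones from the ISP A scenario in Static Route Removal Based on Path Monitoring.

```python
"""Simulation of static-route removal based on path monitoring, following the
behaviour described in the guide. One call to tick() is one ping interval.
Added example, not PAN-OS code; names, the tick model and the traces are
assumptions."""
from dataclasses import dataclass, field


@dataclass
class PathMonitor:
    destinations: list               # monitored destination IPs
    failure_condition: str = "all"   # "any" or "all"
    ping_interval: int = 3           # seconds (range 1-60, default 3)
    ping_count: int = 5              # consecutive misses before a destination fails (3-10, default 5)
    preemptive_hold_min: int = 2     # minutes the monitor must stay Up before reinstall (0-1440, default 2)
    route_installed: bool = True
    misses: dict = field(default_factory=dict)
    up_for: float = None             # seconds the monitor has been Up; None while Down
    events: list = field(default_factory=list)

    def __post_init__(self):
        self.misses = {d: 0 for d in self.destinations}

    def _failed(self):
        """Destinations whose last ping_count pings all went unanswered."""
        return {d for d, m in self.misses.items() if m >= self.ping_count}

    def _monitor_down(self):
        failed = self._failed()
        if self.failure_condition == "all":
            return len(failed) == len(self.destinations)
        return bool(failed)          # "any": one failed destination is enough

    def tick(self, replies):
        """Advance one interval. replies maps destination -> True if a reply came back.
        Returns whether the static route is installed after this interval."""
        for d in self.destinations:
            self.misses[d] = 0 if replies.get(d, False) else self.misses[d] + 1
        if self._monitor_down():
            self.up_for = None       # any drop below Up restarts the hold timer later
            if self.route_installed:
                self.route_installed = False
                self.events.append("path-monitor-failure")
            return self.route_installed
        # Monitor is Up: start or extend the preemptive hold timer.
        self.up_for = 0 if self.up_for is None else self.up_for + self.ping_interval
        if not self.route_installed and self.up_for >= self.preemptive_hold_min * 60:
            self.route_installed = True
            self.events.append("path-monitor-recovery")
        return self.route_installed


def run(monitor, trace):
    """Feed a list of per-interval reply dicts; return the route state after each tick."""
    return [monitor.tick(replies) for replies in trace]


# Constructed traces for the ISP A example (three monitored destinations).
DESTS = ["192.0.2.20", "192.0.2.30", "192.0.2.40"]
ALL_DOWN = {d: False for d in DESTS}
ALL_UP = {d: True for d in DESTS}
ONE_DOWN = {"192.0.2.20": False, "192.0.2.30": True, "192.0.2.40": True}

if __name__ == "__main__":
    m = PathMonitor(DESTS, "all")
    print("after 4 missed rounds, installed:", run(m, [ALL_DOWN] * 4)[-1])
    print("after 5th missed round, installed:", run(m, [ALL_DOWN])[-1], m.events)
    states = run(m, [ALL_UP] * 41)
    print("reinstalled on up-round", states.index(True) + 1, m.events)
```

With the defaults (3-second interval, count 5) the route drops on the fifth consecutive missed round, the 15 seconds the 3/5 status hover in Step 5 refers to; with a 2-minute hold time it returns only after the monitor has stayed Up for 120 seconds, which is why a flapping link never reinstalls a route until it has been quiet for the whole hold time.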


RIP

Routing Information Protocol (RIP) is an interior gateway protocol (IGP) that was designed for small IP networks. RIP relies on hop count to determine routes; the best routes have the fewest number of hops. RIP is based on UDP and uses port 520 for route updates. By limiting routes to a maximum of 15 hops, the protocol helps prevent the development of routing loops, but also limits the supported network size. If more than 15 hops are required, traffic is not routed. RIP also can take longer to converge than OSPF and other routing protocols. The firewall supports RIPv2.
Perform the following procedure to configure RIP.

Configure RIP

Step 1 Configure general virtual router configuration settings. See Virtual Routers for details.

Step 2 Configure general RIP configuration settings.
1. Select the RIP tab.
2. Select Enable to enable the RIP protocol.
3. Select Reject Default Route if you do not want to learn any default routes through RIP. This is the recommended default setting: a default route accepted from RIP draws all traffic without a more specific route toward whichever peer advertised it, so leave this selected unless you authenticate your RIP peers and actually need the route.
4. Deselect Reject Default Route if you want to permit redistribution of default routes through RIP.

Step 3 Configure interfaces for the RIP protocol.
1. On the Interfaces tab, select an interface from the drop-down in the Interface configuration section.
2. Select an already defined interface.
3. Select Enable.
4. Select Advertise to advertise a default route to RIP peers with the specified metric value.
5. (Optional) Select a profile from the Auth Profile drop-down.
6. Select normal, passive or send-only from the Mode drop-down.
7. Click OK.

Step 4 Configure RIP timers.
1. On the Timers tab, enter a value for Interval Seconds (sec). This setting defines the length of the following RIP timer intervals in seconds (range is 1-60; default is 1).
2. Specify the Update Intervals to define the number of intervals between route update announcements (range is 1-3600; default is 30).
3. Specify the Delete Intervals to define the number of intervals between the time that the route expires to its deletion (range is 1-3600; default is 180).
4. Specify the Expire Intervals to define the number of intervals between the time that the route was last updated to its expiration (range is 1-3600; default is 120).


Step 5: (Optional) Configure Auth Profiles.
  By default, the firewall does not use RIP authentication for the exchange between RIP neighbors. Optionally, you can configure RIP authentication between RIP neighbors by either a simple password or MD5 authentication. MD5 authentication is recommended; it is more secure than a simple password.
  Simple Password RIP authentication:
  1. Select Auth Profiles and Add a name for the authentication profile to authenticate RIP messages.
  2. Select Simple Password as the Password Type.
  3. Enter a simple password and then confirm.
  MD5 RIP authentication:
  1. Select Auth Profiles and Add a name for the authentication profile to authenticate RIP messages.
  2. Select MD5 as the Password Type.
  3. Add one or more password entries, including:
     - Key ID (range is 0-255)
     - Key
  4. (Optional) Select Preferred status.
  5. Click OK to specify the key to be used to authenticate outgoing messages.
  6. Click OK again in the Virtual Router RIP Auth Profile dialog box.


OSPF

Open Shortest Path First (OSPF) is an interior gateway protocol (IGP) that is most often used to dynamically manage network routes in large enterprise networks. It determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The information gathered from the LSAs is used to construct a topology map of the network. This topology map is shared across routers in the network and used to populate the IP routing table with available routes.
Changes in the network topology are detected dynamically and used to generate a new topology map within seconds. A shortest path tree is computed for each route. Metrics associated with each routing interface are used to calculate the best route. These can include distance, network throughput, link availability, etc. Additionally, these metrics can be configured statically to direct the outcome of the OSPF topology map.
The Palo Alto Networks implementation of OSPF fully supports the following RFCs:
- RFC 2328 (for IPv4)
- RFC 5340 (for IPv6)
The following topics provide more information about OSPF and procedures for configuring OSPF on the firewall:
- OSPF Concepts
- Configure OSPF
- Configure OSPFv3
- Configure OSPF Graceful Restart
- Confirm OSPF Operation

OSPF Concepts

The following topics introduce the OSPF concepts you will need to understand in order to configure the firewall to participate in an OSPF network:
- OSPFv3
- OSPF Neighbors
- OSPF Areas
- OSPF Router Types


OSPFv3

OSPFv3 provides support for the OSPF routing protocol within an IPv6 network. As such, it provides support for IPv6 addresses and prefixes. It retains most of the structure and functions in OSPFv2 (for IPv4) with some minor changes. The following are some of the additions and changes to OSPFv3:
- Support for multiple instances per link: With OSPFv3, you can run multiple instances of the OSPF protocol over a single link. This is accomplished by assigning an OSPFv3 instance ID number. An interface that is assigned to an instance ID drops packets that contain a different ID.
- Protocol processing per link: OSPFv3 operates per link instead of per IP subnet as on OSPFv2.
- Changes to addressing: IPv6 addresses are not present in OSPFv3 packets, except for LSA payloads within link state update packets. Neighboring routers are identified by the Router ID.
- Authentication changes: OSPFv3 doesn't include any authentication capabilities. Configuring OSPFv3 on a firewall requires an authentication profile that specifies Encapsulating Security Payload (ESP) or IPv6 Authentication Header (AH). The rekeying procedure specified in RFC 4552 is not supported in this release.
- Support for multiple instances per link: Each instance corresponds to an instance ID contained in the OSPFv3 packet header.
- New LSA types: OSPFv3 supports two new LSA types: Link LSA and Intra-Area Prefix LSA.
All additional changes are described in detail in RFC 5340.

OSPF Neighbors

Two OSPF-enabled routers connected by a common network and in the same OSPF area that form a relationship are OSPF neighbors. The connection between these routers can be through a common broadcast domain or by a point-to-point connection. This connection is made through the exchange of hello OSPF protocol packets. These neighbor relationships are used to exchange routing updates between routers.

OSPF Areas

OSPF operates within a single autonomous system (AS). Networks within this single AS, however, can be divided into a number of areas. By default, Area 0 is created. Area 0 can either function alone or act as the OSPF backbone for a larger number of areas. Each OSPF area is named using a 32-bit identifier which in most cases is written in the same dotted decimal notation as an IPv4 address. For example, Area 0 is usually written as 0.0.0.0.
The topology of an area is maintained in its own link state database and is hidden from other areas, which reduces the amount of routing traffic required by OSPF. The topology is then shared in a summarized form between areas by a connecting router.

OSPF Area Type | Description

Backbone Area | The backbone area (Area 0) is the core of an OSPF network. All other areas are connected to it and all traffic between areas must traverse it. All routing between areas is distributed through the backbone area. While all other OSPF areas must connect to the backbone area, this connection doesn't need to be direct and can be made through a virtual link.


Normal OSPF Area | In a normal OSPF area there are no restrictions; the area can carry all types of routes.

Stub OSPF Area | A stub area does not receive routes from other autonomous systems. Routing from the stub area is performed through the default route to the backbone area.

NSSA Area | The Not-So-Stubby Area (NSSA) is a type of stub area that can import external routes, with some limited exceptions.

OSPF Router Types

Within an OSPF area, routers are divided into the following categories.
- Internal Router: A router that has OSPF neighbor relationships only with devices in the same area.
- Area Border Router (ABR): A router that has OSPF neighbor relationships with devices in multiple areas. ABRs gather topology information from their attached areas and distribute it to the backbone area.
- Backbone Router: A backbone router is any OSPF router that is attached to the OSPF backbone. Since ABRs are always connected to the backbone, they are always classified as backbone routers.
- Autonomous System Boundary Router (ASBR): An ASBR is a router that attaches to more than one routing protocol and exchanges routing information between them.

Configure OSPF

OSPF determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The router keeps information about the links between it and the destination and can make highly efficient routing decisions. A cost is assigned to each router interface, and the best routes are determined to be those with the lowest costs, when summed over all the encountered outbound router interfaces and the interface receiving the LSA.
Hierarchical techniques are used to limit the number of routes that must be advertised and the associated LSAs. Because OSPF dynamically processes a considerable amount of route information, it has greater processor and memory requirements than does RIP.

Configure OSPF

Step 1: Configure general virtual router configuration settings.
  See Virtual Routers for details.

Step 2: Enable OSPF.
  1. Select the OSPF tab.
  2. Select Enable to enable the OSPF protocol.
  3. (Optional) Enter the Router ID.
  4. Select Reject Default Route if you do not want to learn any default routes through OSPF. This is the recommended default setting.
     Deselect Reject Default Route if you want to permit redistribution of default routes through OSPF.


Step 3: Configure Areas Type for the OSPF protocol.
  1. On the Areas tab, Add an Area ID for the area in x.x.x.x format. This is the identifier that each neighbor must accept to be part of the same area.
  2. On the Type tab, select one of the following from the area Type drop-down:
     - Normal: There are no restrictions; the area can carry all types of routes.
     - Stub: There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, configure the following:
       - Accept Summary: Link state advertisements (LSA) are accepted from other areas. If this option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
       - Advertise Default Route: Default route LSAs will be included in advertisements to the stub area along with a configured metric value in the configured range 1-255.
     - NSSA (Not-So-Stubby Area): The firewall can leave the area only by routes other than OSPF routes. If selected, configure Accept Summary and Advertise Default Route as described for Stub. If you select this option, configure the following:
       - Type: Select either Ext 1 or Ext 2 route type to advertise the default LSA.
       - Ext Ranges: Add ranges of external routes that you want to enable or suppress advertising for.
  3. Priority: Enter the OSPF priority for this interface (0-255). This is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) according to the OSPF protocol. When the value is zero, the router will not be elected as a DR or BDR.
     - Auth Profile: Select a previously defined authentication profile.
     - Timing: It is recommended that you keep the default timing settings.
     - Neighbors: For p2mp interfaces, enter the neighbor IP address for all neighbors that are reachable through this interface.
  4. Select normal, passive, or send-only as the Mode.
  5. Click OK.

Step 4: Configure Areas Range for the OSPF protocol.
  1. On the Range tab, Add aggregate LSA destination addresses in the area into subnets.
  2. Advertise or Suppress advertising LSAs that match the subnet, and click OK. Repeat to add additional ranges.


Step 5: Configure Areas Interfaces for the OSPF protocol.
  1. On the Interface tab, Add the following information for each interface to be included in the area:
     - Interface: Select an interface from the drop-down.
     - Enable: Selecting this option causes the OSPF interface settings to take effect.
     - Passive: Select if you do not want the OSPF interface to send or receive OSPF packets. Although OSPF packets are not sent or received if you choose this option, the interface is included in the LSA database.
     - Link type: Choose Broadcast if you want all neighbors that are accessible through the interface to be discovered automatically by multicasting OSPF hello messages, such as an Ethernet interface. Choose p2p (point-to-point) to automatically discover the neighbor. Choose p2mp (point-to-multipoint) when neighbors must be defined manually. Defining neighbors manually is allowed only for p2mp mode.
     - Metric: Enter an OSPF metric for this interface (range is 0-65535; default is 10).
     - Priority: Enter an OSPF priority for this interface. This is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) (range is 0-255; default is 1). If zero is configured, the router will not be elected as a DR or BDR.
     - Auth Profile: Select a previously defined authentication profile.
     - Timing: Modify the timing settings if desired (not recommended). For details on these settings, refer to the online help.
     - If p2mp is selected for Link Type interfaces, enter the neighbor IP addresses for all neighbors that are reachable through this interface.
  2. Click OK.

Step 6: Configure Areas Virtual Links.
  1. On the Virtual Link tab, Add the following information for each virtual link to be included in the backbone area:
     - Name: Enter a name for the virtual link.
     - Neighbor ID: Enter the router ID of the router (neighbor) on the other side of the virtual link.
     - Transit Area: Enter the area ID of the transit area that physically contains the virtual link.
     - Enable: Select to enable the virtual link.
     - Timing: It is recommended that you keep the default timing settings.
     - Auth Profile: Select a previously defined authentication profile.
  2. Click OK.


Step 7: (Optional) Configure Auth Profiles.
  By default, the firewall does not use OSPF authentication for the exchange between OSPF neighbors. Optionally, you can configure OSPF authentication between OSPF neighbors by either a simple password or using MD5 authentication. MD5 authentication is recommended; it is more secure than a simple password.
  Simple Password OSPF authentication:
  1. On the Auth Profiles tab, Add a name for the authentication profile to authenticate OSPF messages.
  2. Select Simple Password as the Password Type.
  3. Enter a simple password and then confirm.
  MD5 OSPF authentication:
  1. On the Auth Profiles tab, Add a name for the authentication profile to authenticate OSPF messages.
  2. Select MD5 as the Password Type and Add one or more password entries, including:
     - Key ID (range is 0-255)
     - Key
     Select the Preferred option to specify that the key be used to authenticate outgoing messages.
  3. Click OK.
  4. Click OK.
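What an MD5 Auth Profile (Key ID plus Key) puts on the wire is the OSPFv2 cryptographic authentication format of RFC 2328 Appendix D: the key never leaves the router, only a keyed digest does, and a per-packet sequence number blocks replay, which is why MD5 is recommended over a simple password both here and in the RIP Auth Profiles step earlier. The following added example (not code from this guide or from PAN-OS) builds an OSPF Hello with that format and verifies it as a neighbor would; the key, Key ID, router IDs and addresses are constructed.

```python
"""Added example (not code from the PAN-OS guide or the firewall): OSPFv2
cryptographic authentication (RFC 2328 Appendix D). Builds a Hello packet with
AuType 2, appends the MD5 digest over packet + key, and verifies it the way a
receiving neighbor does. All keys, IDs and addresses are constructed."""
import hashlib
import socket
import struct

AUTYPE_CRYPTO = 2        # OSPF AuType for cryptographic authentication
DIGEST_LEN = 16          # "Auth Data Length" for MD5
HDR_LEN = 24             # fixed OSPFv2 header size


def keyed_digest(packet, key):
    """MD5 over the OSPF packet followed by the key, zero-padded to 16 octets."""
    key16 = key.encode()[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")
    return hashlib.md5(packet + key16).digest()


def build_hello(router_id, area_id, key_id, seq, key):
    """OSPFv2 Hello (type 1) with AuType 2. The digest follows the packet and is
    not counted in the header's Packet Length field."""
    # Hello body: network mask, hello interval, options, priority, dead interval, DR, BDR
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"),
                       10, 0x02, 1, 40, b"\0" * 4, b"\0" * 4)
    length = HDR_LEN + len(body)
    # Version 2, type 1, length, Router ID, Area ID, checksum 0 (unused with AuType 2), AuType
    header = struct.pack("!BBH4s4sHH", 2, 1, length, socket.inet_aton(router_id),
                         socket.inet_aton(area_id), 0, AUTYPE_CRYPTO)
    # 64-bit Authentication field: 0, Key ID, Auth Data Length, Cryptographic Sequence Number
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = header + auth + body
    return packet + keyed_digest(packet, key)


def verify(data, keys, last_seq):
    """Receiver-side check. keys maps Key ID -> key (the neighbor's Auth Profile);
    last_seq is the highest sequence number already accepted from this neighbor.
    Returns (accepted, reason, seq)."""
    if len(data) < HDR_LEN + DIGEST_LEN:
        return False, "truncated", None
    _ver, _type, length, _rid, _aid, _csum, autype = struct.unpack("!BBH4s4sHH", data[:16])
    if autype != AUTYPE_CRYPTO:
        return False, "not cryptographic authentication", None
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", data[16:24])
    if auth_len != DIGEST_LEN or length + DIGEST_LEN != len(data):
        return False, "bad length", seq
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id", seq
    packet, digest = data[:length], data[length:]
    if keyed_digest(packet, key) != digest:
        return False, "digest mismatch", seq      # wrong key or tampered packet
    if last_seq is not None and seq < last_seq:
        return False, "replay", seq               # sequence numbers must not go backwards
    return True, "ok", seq


SAMPLE_KEYS = {1: "s3cret-example"}   # constructed Auth Profile entry: Key ID 1


def sample_packet(seq=1000):
    """Constructed Hello from router 10.0.0.1 in area 0.0.0.0, signed with Key ID 1."""
    return build_hello("10.0.0.1", "0.0.0.0", 1, seq, SAMPLE_KEYS[1])


if __name__ == "__main__":
    pkt = sample_packet()
    print(verify(pkt, SAMPLE_KEYS, None))      # accepted
    print(verify(pkt, {1: "wrong"}, None))      # digest mismatch
    print(verify(pkt, SAMPLE_KEYS, 1001))       # replay of an older sequence number
```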

Step 8: Configure Advanced OSPF options.
  1. On the Advanced tab, select RFC 1583 Compatibility to ensure compatibility with RFC 1583.
  2. Configure a value for the SPF Calculation Delay (sec) timer. This timer allows you to tune the delay time between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF re-convergence. Routers peering with the firewall should be tuned in a similar manner to optimize convergence times.
  3. Configure a value for the LSA Interval (sec) time. This timer specifies the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce re-convergence times when topology changes occur.


Configure OSPFv3

OSPFv3 supports both IPv4 and IPv6. You must use OSPFv3 if you are using IPv6.

Configure OSPFv3

Step 1: Configure general virtual router configuration settings.
  See Virtual Routers for details.

Step 2: Configure general OSPF configuration settings.
  1. Select the OSPF tab.
  2. Select Enable to enable the OSPF protocol.
  3. Select Reject Default Route if you do not want to learn any default routes through OSPF. This is the recommended default setting.
  4. Clear Reject Default Route if you want to permit redistribution of default routes through OSPF.

Step 3: Configure general OSPFv3 configuration settings.
  1. Select the OSPFv3 tab.
  2. Select Enable to enable the OSPF protocol.
  3. Select Reject Default Route if you do not want to learn any default routes through OSPFv3. This is the recommended default setting.
     Clear Reject Default Route if you want to permit redistribution of default routes through OSPFv3.


Step 4: Configure Auth Profile for the OSPFv3 protocol.
  While OSPFv3 doesn't include any authentication capabilities of its own, it relies entirely on IPsec to secure communications between neighbors.
  When configuring an authentication profile, you must use Encapsulating Security Payload (ESP) (which is recommended) or IPv6 Authentication Header (AH).
  ESP OSPFv3 authentication:
  1. On the Auth Profiles tab, Add a name for the authentication profile to authenticate OSPFv3 messages.
  2. Specify a Security Policy Index (SPI). The SPI must match between both ends of the OSPFv3 adjacency. The SPI number must be a hexadecimal value between 00000000 and FFFFFFFF.
  3. Select ESP for Protocol.
  4. Select a Crypto Algorithm from the drop-down. You can enter none or one of the following algorithms: SHA1, SHA256, SHA384, SHA512, or MD5.
  5. If a Crypto Algorithm other than none was selected, enter a value for Key and then confirm.
  AH OSPFv3 authentication:
  1. On the Auth Profiles tab, Add a name for the authentication profile to authenticate OSPFv3 messages.
  2. Specify a Security Policy Index (SPI). The SPI must match between both ends of the OSPFv3 adjacency. The SPI number must be a hexadecimal value between 00000000 and FFFFFFFF.
  3. Select AH for Protocol.
  4. Select a Crypto Algorithm from the drop-down. You must enter one of the following algorithms: SHA1, SHA256, SHA384, SHA512, or MD5.
  5. Enter a value for Key and then confirm.
  6. Click OK.
  7. Click OK again in the Virtual Router OSPF Auth Profile dialog.


Step 5: Configure Areas Type for the OSPF protocol.
  1. On the Areas tab, Add an Area ID. This is the identifier that each neighbor must accept to be part of the same area.
  2. On the General tab, select one of the following from the area Type drop-down:
     - Normal: There are no restrictions; the area can carry all types of routes.
     - Stub: There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, configure the following:
       - Accept Summary: Link state advertisements (LSA) are accepted from other areas. If this option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
       - Advertise Default Route: Default route LSAs will be included in advertisements to the stub area along with a configured metric value in the configured range 1-255.
     - NSSA (Not-So-Stubby Area): The firewall can only leave the area by routes other than OSPF routes. If selected, configure Accept Summary and Advertise Default Route as described for Stub. If you select this option, configure the following:
       - Type: Select either Ext 1 or Ext 2 route type to advertise the default LSA.
       - Ext Ranges: Add ranges of external routes that you want to enable or suppress advertising for.

Step 6: Associate an OSPFv3 authentication profile to an area or an interface.
  To an Area:
  1. On the Areas tab, select an existing area from the table.
  2. On the General tab, select a previously defined Authentication Profile from the Authentication drop-down.
  3. Click OK.
  To an Interface:
  1. On the Areas tab, select an existing area from the table.
  2. Select the Interface tab and Add the authentication profile you want to associate with the OSPF interface from the Auth Profile drop-down.

Step 7: (Optional) Configure Export Rules.
  1. On the Export tab, click Add.
  2. Select Allow Redistribute Default Route to permit redistribution of default routes through OSPFv3.
  3. Select the name of a redistribution profile. The value must be an IP subnet or valid redistribution profile name.
  4. Select a metric to apply for New Path Type.
  5. Specify a New Tag for the matched route that has a 32-bit value.
  6. Assign a metric for the new rule (range is 1-65,535).
  7. Click OK.


Step 8: Configure Advanced OSPFv3 options.
  1. On the Advanced tab, select Disable Transit Routing for SPF Calculation if you want the firewall to participate in OSPF topology distribution without being used to forward transit traffic.
  2. Configure a value for the SPF Calculation Delay (sec) timer. This timer allows you to tune the delay time between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF re-convergence. Routers peering with the firewall should be tuned in a similar manner to optimize convergence times.
  3. Configure a value for the LSA Interval (sec) time. This timer specifies the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce re-convergence times when topology changes occur.
  4. (Optional) Configure OSPF Graceful Restart.

Configure OSPF Graceful Restart

OSPF Graceful Restart directs OSPF neighbors to continue using routes through a device during a short transition when it is out of service. This behavior increases network stability by reducing the frequency of routing table reconfiguration and the related route flapping that can occur during short periodic downtimes.
For a Palo Alto Networks firewall, OSPF Graceful Restart involves the following operations:
- Firewall as a restarting device: In a situation where the firewall will be down for a short period of time or is unavailable for short intervals, it sends Grace LSAs to its OSPF neighbors. The neighbors must be configured to run in Graceful Restart Helper mode. In Helper Mode, the neighbors receive the Grace LSAs that inform them that the firewall will perform a graceful restart within a specified period of time defined as the Grace Period. During the grace period, the neighbor continues to forward routes through the firewall and to send LSAs that announce routes through the firewall. If the firewall resumes operation before expiration of the grace period, traffic forwarding will continue as before without network disruption. If the firewall does not resume operation after the grace period has expired, the neighbors will exit helper mode and resume normal operation, which will involve reconfiguring the routing table to bypass the firewall.
- Firewall as a Graceful Restart Helper: In a situation where neighboring routers may be down for short periods of time, the firewall can be configured to operate in Graceful Restart Helper mode. If configured in this mode, the firewall will be configured with a Max Neighbor Restart Time. When the firewall receives the Grace LSAs from its OSPF neighbor, it will continue to route traffic to the neighbor and advertise routes through the neighbor until either the grace period or max neighbor restart time expires. If neither expires before the neighbor returns to service, traffic forwarding continues as before without network disruption. If either period expires before the neighbor returns to service, the firewall will exit helper mode and resume normal operation, which will involve reconfiguring the routing table to bypass the neighbor.


Configure OSPF Graceful Restart

Step 1: Select Network > Virtual Routers and select the virtual router you want to configure.

Step 2: Select OSPF > Advanced.

Step 3: Verify that the following are selected (they are enabled by default):
  - Enable Graceful Restart
  - Enable Helper Mode
  - Enable Strict LSA checking
  These should remain selected unless required by your topology.

Step 4: Configure a Grace Period in seconds.

Step 5: Configure a Max Neighbor Restart Time in seconds.

Confirm OSPF Operation

Once an OSPF configuration has been committed, you can use any of the following operations to confirm that OSPF is operating:
- View the Routing Table
- Confirm OSPF Adjacencies
- Confirm that OSPF Connections are Established

View the Routing Table

By viewing the routing table, you can see whether OSPF routes have been established. The routing table is accessible from either the web interface or the CLI. If you are using the CLI, use the following commands:
show routing route
show routing fib
If you are using the web interface to view the routing table, use the following workflow:

View the Routing Table

1. Select Network > Virtual Routers and in the same row as the virtual router you are interested in, click the More Runtime Stats link.
2. Select Routing > Route Table and examine the Flags column of the routing table for routes that were learned by OSPF.

Confirm OSPF Adjacencies

Use the following workflow to confirm that OSPF adjacencies have been established:


View the Neighbor Tab to Confirm OSPF Adjacencies

1. Select Network > Virtual Routers and in the same row as the virtual router you are interested in, click the More Runtime Stats link.
2. Select OSPF > Neighbor and examine the Status column to determine if OSPF adjacencies have been established.

Confirm that OSPF Connections are Established

View the System log to confirm that the firewall has established OSPF connections.

Examine the System Log

1. Select Monitor > System and look for messages to confirm that OSPF adjacencies have been established.
2. Select OSPF > Neighbor and examine the Status column to determine if OSPF adjacencies have been established (are full).


BGP

Border Gateway Protocol (BGP) is the primary Internet routing protocol. BGP determines network reachability based on IP prefixes that are available within autonomous systems (AS), where an AS is a set of IP prefixes that a network provider has designated to be part of a single routing policy.
- BGP Overview
- MP-BGP
- Configure BGP
- Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast
- Configure a BGP Peer with MP-BGP for IPv4 Multicast

BGP Overview

BGP functions between autonomous systems (exterior BGP or eBGP) or within an AS (interior BGP or iBGP) to exchange routing and reachability information with BGP speakers. The firewall provides a complete BGP implementation, which includes the following features:
- Specification of one BGP routing instance per virtual router.
- BGP settings per virtual router, which include basic parameters such as local route ID and local AS, and advanced options such as path selection, route reflector, AS confederation, route flap dampening, and graceful restart.
- Peer group and neighbor settings, which include neighbor address and remote AS, and advanced options such as neighbor attributes and connections.
- Route policies to control route import, export and advertisement; prefix-based filtering; and address aggregation.
- IGP-BGP interaction to inject routes to BGP using redistribution profiles.
- Authentication profiles, which specify the MD5 authentication key for BGP connections. Authentication helps prevent route leaking and successful DoS attacks.
- Multiprotocol BGP (MP-BGP) to allow BGP peers to carry IPv6 unicast routes and IPv4 multicast routes in Update packets, and to allow the firewall and a BGP peer to communicate with each other using IPv6 addresses.

MP-BGP

BGP supports IPv4 unicast prefixes, but a BGP network that uses IPv4 multicast routes or IPv6 unicast prefixes needs multiprotocol BGP (MP-BGP) in order to exchange routes of address types other than IPv4 unicast. MP-BGP allows BGP peers to carry IPv4 multicast routes and IPv6 unicast routes in Update packets, in addition to the IPv4 unicast routes that BGP peers can carry without MP-BGP enabled.
In this way, MP-BGP provides IPv6 connectivity to your BGP networks that use either native IPv6 or dual stack IPv4 and IPv6. Service providers can offer IPv6 service to their customers, and enterprises can use IPv6 service from service providers. The firewall and a BGP peer can communicate with each other using IPv6 addresses.


In order for BGP to support multiple network layer protocols (other than BGP for IPv4), Multiprotocol Extensions for BGP-4 (RFC 4760) use Network Layer Reachability Information (NLRI) in a Multiprotocol Reachable NLRI attribute that the firewall sends and receives in BGP Update packets. That attribute contains information about the destination prefix, including these two identifiers:
- The Address Family Identifier (AFI), as defined by the IANA in Address Family Numbers, indicates that the destination prefix is an IPv4 or IPv6 address. (PAN-OS supports IPv4 and IPv6 AFIs.)
- The Subsequent Address Family Identifier (SAFI) in PAN-OS indicates that the destination prefix is a unicast or multicast address (if the AFI is IPv4), or that the destination prefix is a unicast address (if the AFI is IPv6). PAN-OS does not support IPv6 multicast.
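The AFI and SAFI described above lead the value of the MP_REACH_NLRI attribute in an Update. The following added example (not code from this guide or from PAN-OS) decodes that attribute value as laid out in RFC 4760 section 3 and rejects the AFI/SAFI combinations the text says the firewall does not carry; the sample attribute and its addresses are constructed.

```python
"""Added example (not code from the PAN-OS guide or the firewall): decoder for
the value of an MP_REACH_NLRI attribute (RFC 4760 section 3). It accepts only
the AFI/SAFI combinations the guide lists as supported (IPv4 unicast, IPv4
multicast, IPv6 unicast). The sample attribute and addresses are constructed."""
import ipaddress
import struct

AFI_IPV4, AFI_IPV6 = 1, 2              # IANA Address Family Numbers
SAFI_UNICAST, SAFI_MULTICAST = 1, 2
SUPPORTED = {                           # no IPv6 multicast, as the text states
    (AFI_IPV4, SAFI_UNICAST), (AFI_IPV4, SAFI_MULTICAST), (AFI_IPV6, SAFI_UNICAST),
}


def parse_mp_reach_nlri(attr):
    """Return (afi, safi, next_hop, [prefixes]) or raise ValueError.

    Layout: AFI(2) SAFI(1) NextHopLen(1) NextHop(NextHopLen) Reserved(1) NLRI...
    Each NLRI entry is a prefix length in bits followed by the minimum number
    of octets that hold that many bits."""
    if len(attr) < 5:
        raise ValueError("attribute too short")
    afi, safi, nh_len = struct.unpack("!HBB", attr[:4])
    if (afi, safi) not in SUPPORTED:
        raise ValueError(f"unsupported AFI/SAFI {afi}/{safi}")
    addr_len = 4 if afi == AFI_IPV4 else 16
    # An IPv6 next hop is 16 octets, or 32 when a link-local address follows the global one.
    if nh_len not in ((4,) if afi == AFI_IPV4 else (16, 32)):
        raise ValueError(f"bad next hop length {nh_len}")
    pos = 4
    if len(attr) < pos + nh_len + 1:
        raise ValueError("truncated next hop")
    next_hop = ipaddress.ip_address(attr[pos:pos + addr_len])
    pos += nh_len + 1                               # skip next hop(s) and the reserved octet
    net_cls = ipaddress.IPv4Network if afi == AFI_IPV4 else ipaddress.IPv6Network
    prefixes = []
    while pos < len(attr):
        plen = attr[pos]
        pos += 1
        nbytes = (plen + 7) // 8
        if plen > addr_len * 8 or pos + nbytes > len(attr):
            raise ValueError("malformed NLRI prefix")
        raw = attr[pos:pos + nbytes].ljust(addr_len, b"\x00")
        prefixes.append(net_cls((raw, plen), strict=False))   # trailing bits are ignored
        pos += nbytes
    return afi, safi, next_hop, prefixes


def sample_attribute():
    """Constructed value: IPv6 unicast, next hop 2001:db8::1,
    prefixes 2001:db8:1::/48 and 2001:db8::/32."""
    nh = ipaddress.IPv6Address("2001:db8::1").packed
    nlri = bytes([48]) + bytes.fromhex("20010db80001") + bytes([32]) + bytes.fromhex("20010db8")
    return struct.pack("!HBB", AFI_IPV6, SAFI_UNICAST, len(nh)) + nh + b"\x00" + nlri


if __name__ == "__main__":
    afi, safi, nh, prefixes = parse_mp_reach_nlri(sample_attribute())
    print(f"AFI {afi} SAFI {safi} next hop {nh}: {[str(p) for p in prefixes]}")
```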
If you enable MP-BGP for IPv4 multicast or if you configure a multicast static route, the firewall supports separate unicast and multicast route tables for static routes. You might want to separate the unicast and multicast traffic going to the same destination. The multicast traffic can take a different path from unicast traffic because, for example, your multicast traffic is critical, so you need it to be more efficient by having it take fewer hops or undergo less latency.
You can also exercise more control over how BGP functions by configuring BGP to use routes from only the unicast or multicast route table (or both) when BGP imports or exports routes, sends conditional advertisements, or performs route redistribution or route aggregation.
You can decide to use a dedicated multicast RIB (route table) by enabling MP-BGP and selecting the Address Family of IPv4 and Subsequent Address Family of multicast, or by installing an IPv4 static route in the multicast route table. After you do either of those methods to use the multicast RIB, the firewall uses the multicast RIB for all multicast routing and reverse path forwarding (RPF). If you prefer to use the unicast RIB for all routing (unicast and multicast), you should not enable the multicast RIB by either method.
In the following figure, a static route to 192.168.10.0/24 is installed in the unicast route table, and its next hop is 198.51.100.2. However, multicast traffic can take a different path to a private MPLS cloud; the same static route is installed in the multicast route table with a different next hop (198.51.100.4) so that its path is different.

Using separate unicast and multicast route tables gives you more flexibility and control when you configure these BGP functions:
- Install an IPv4 static route into the unicast or multicast route table, or both, as described in the preceding example. (You can install an IPv6 static route into the unicast route table only.)


- Create an Import rule so that any prefixes that match the criteria are imported into the unicast or multicast route table, or both.
- Create an Export rule so that prefixes that match the criteria are exported (sent to a peer) from the unicast or multicast route table, or both.
- Configure a conditional advertisement with a Non-Exist filter so that the firewall searches the unicast or multicast route table (or both) to ensure the route doesn't exist in that table, and so the firewall advertises a different route.
- Configure a conditional advertisement with an Advertise filter so that the firewall advertises routes matching the criteria from the unicast or multicast route table, or both.
- Redistribute a route that appears in the unicast or multicast route table, or both.
- Configure route aggregation with an advertise filter so that aggregated routes to be advertised come from the unicast or multicast route table, or both.
- Conversely, configure route aggregation with a suppress filter so that aggregated routes that should be suppressed (not advertised) come from the unicast or multicast route table, or both.
When you configure a peer with MP-BGP using an Address Family of IPv6, you can use IPv6 addresses in the Address Prefix and Next Hop fields of an Import rule, Export rule, Conditional Advertisement (Advertise Filter and Non-Exist Filter), and Aggregate rule (Advertise Filter, Suppress Filter, and Aggregate Route Attribute).

Configure BGP

Perform the following task to configure BGP.

Configure BGP

Step 1: Configure general virtual router configuration settings.
  See Virtual Routers for details.

Step 2: Enable BGP for the virtual router, assign a router ID, and assign the virtual router to an AS.
  1. Select Network > Virtual Routers and select a virtual router.
  2. Select BGP.
  3. Select Enable to enable BGP for this virtual router.
  4. Assign a Router ID to BGP for the virtual router, which is typically an IPv4 address to ensure it is unique.
  5. Assign the AS Number, the number of the AS to which the virtual router belongs, based on the router ID. Range is 1-4,294,967,295.
  6. Click OK.


Step 3: Configure general BGP configuration settings.
  1. Select Network > Virtual Routers and select a virtual router.
  2. Select BGP > General.
  3. Select Reject Default Route to ignore any default routes that are advertised by BGP peers.
  4. Select Install Route to install BGP routes in the global routing table.
  5. Select Aggregate MED to enable route aggregation even when routes have different Multi-Exit Discriminator (MED) values.
  6. Specify the Default Local Preference that can be used to determine preferences among different paths.
  7. Select the AS Format for interoperability purposes:
     - 2 Byte (default value)
     - 4 Byte
  8. Enable or disable each of the following settings for Path Selection:
     - Always Compare MED: Enable this comparison to choose paths from neighbors in different autonomous systems.
     - Deterministic MED Comparison: Enable this comparison to choose between routes that are advertised by IBGP peers (BGP peers in the same autonomous system).
  9. For Auth Profiles, Add an authentication profile:
     - Profile Name: Enter a name to identify the profile.
     - Secret/Confirm Secret: Enter and confirm a passphrase for BGP peer communications. The Secret is used as a key in MD5 authentication.
  10. Click OK.
  11. Click OK.


Step 4: (Optional) Configure BGP settings.
  1. Select Network > Virtual Routers and select a virtual router.
  2. Select BGP > Advanced.
  3. Select ECMP Multiple AS Support if you configured ECMP and you want to run ECMP over multiple BGP autonomous systems.
  4. Select Enforce First AS for EBGP to cause the firewall to drop an incoming Update packet from an eBGP peer that doesn't list the eBGP peer's own AS number as the first AS number in the AS_PATH attribute. Default is enabled.
  5. Select Graceful Restart and configure the following timers:
     - Stale Route Time (sec): Specifies the length of time in seconds that a route can stay in the stale state (range is 1-3,600; default is 120).
     - Local Restart Time (sec): Specifies the length of time in seconds that the local device waits to restart. This value is advertised to peers (range is 1-3,600; default is 120).
     - Max Peer Restart Time (sec): Specifies the maximum length of time in seconds that the local device accepts as a grace period restart time for peer devices (range is 1-3,600; default is 120).
  6. Specify an IPv4 identifier to represent the reflector cluster in the Reflector Cluster ID box.
  7. Specify the identifier for the AS confederation to be presented as a single AS to external BGP peers in the Confederation Member AS box.
  8. Add the following information for each Dampening Profile that you want to configure, select Enable, and click OK:
     - Profile Name: Enter a name to identify the profile.
     - Cutoff: Specify a route withdrawal threshold above which a route advertisement is suppressed (range is 0.0-1,000.0; default is 1.25).
     - Reuse: Specify a route withdrawal threshold below which a suppressed route is used again (range is 0.0-1,000.0; default is 5).
     - Max Hold Time (sec): Specify the maximum length of time in seconds that a route can be suppressed, regardless of how unstable it has been (range is 0-3,600 seconds; default is 900).
     - Decay Half Life Reachable (sec): Specify the length of time in seconds after which a route's stability metric is halved if the route is considered reachable (range is 0-3,600 seconds; default is 300).
     - Decay Half Life Unreachable (sec): Specify the length of time in seconds after which a route's stability metric is halved if the route is considered unreachable (range is 0-3,600; default is 300).
  9. Click OK.
  10. Click OK.


Step 5  Configure a BGP peer group.
1. Select Network > Virtual Routers and select a virtual router.
2. Select BGP > Peer Group and Add a Name for the peer group and select Enable.
3. Select Aggregated Confed AS Path to include a path to the configured aggregated confederation AS.
4. Select Soft Reset with Stored Info to perform a soft reset of the firewall after updating the peer settings.
5. Select the Type of peer group:
   - IBGP: Export Next Hop: Select Original or Use self.
   - EBGP Confed: Export Next Hop: Select Original or Use self.
   - IBGP Confed: Export Next Hop: Select Original or Use self.
   - EBGP: Import Next Hop: Select Original or Use Peer. Export Next Hop: Select Resolve or Use self. Select Remove Private AS if you want to force BGP to remove private AS numbers from the AS_PATH attribute in Updates that the firewall sends to a peer in another AS.
6. Click OK.

Step 6  Configure a BGP peer that belongs to the peer group and specify its addressing.
1. Select Network > Virtual Routers and select a virtual router.
2. Select BGP > Peer Group and select the peer group you created.
3. For Peer, Add a peer by Name.
4. Select Enable to activate the peer.
5. Enter the Peer AS to which the peer belongs.
6. Select Addressing.
7. For Local Address, select the Interface for which you are configuring BGP. If the interface has more than one IP address, enter the IP address for that interface to be the BGP peer.
8. For Peer Address, enter the IP address of the BGP peer.
9. Click OK.


Step 7  Configure connection settings for the BGP peer.
1. Select Network > Virtual Routers and select a virtual router.
2. Select BGP > Peer Group and select the peer group you created.
3. Select the Peer you configured.
4. Select Connection Options.
5. Select an Auth Profile for the peer.
6. Set a Keep Alive Interval (sec), the interval (in seconds) at which the firewall sends Keepalive messages to the peer. If the peer hears nothing from the firewall for its Hold Time, it closes the session, so keep this interval well below the peer's Hold Time (range is 0-1,200; default is 30).
7. Set Multi Hop, the time-to-live (TTL) value in the IP header (range is 1-255; default is 0. The default value of 0 means 2 for eBGP and 255 for iBGP).
8. Set Open Delay Time (sec), the delay in seconds between a TCP handshake and the firewall sending the first BGP Open message to establish a BGP connection (range is 0-240; default is 0).
9. Set Hold Time (sec), the length of time in seconds that may elapse between successive Keepalive or Update messages from the peer before the peer connection is closed (range is 3-3,600; default is 90).
10. Set Idle Hold Time (sec), the length of time to wait (in seconds) before retrying to connect to the peer (range is 1-3,600; default is 15).
11. For Incoming Connections, enter a Remote Port and select Allow to allow incoming traffic to this port.
12. For Outgoing Connections, enter a Local Port and select Allow to allow outgoing traffic from this port.
13. Click OK.


Step 8  Configure the BGP peer with settings for route reflector client, peering type, maximum prefixes, and Bidirectional Forwarding Detection (BFD).
1. Select Network > Virtual Routers and select a virtual router.
2. Select BGP > Peer Group and select the peer group you created.
3. Select the Peer you configured.
4. Select Advanced.
5. For Reflector Client, select one of the following:
   - non-client: Peer is not a route reflector client (default).
   - client: Peer is a route reflector client.
   - meshed-client
6. For Peering Type, select one of the following:
   - Bilateral: The two BGP peers establish a peer connection.
   - Unspecified (default).
7. For Max Prefixes, enter the maximum number of supported IP prefixes (range is 1-100,000) or select unlimited. Set a limit for every external peer: it bounds the routing-table memory a misconfigured or compromised peer can consume by flooding prefixes.
8. To enable BFD for the peer (and thereby override the BFD setting for BGP, as long as BFD is not disabled for BGP at the virtual router level), select one of the following:
   - default: Peer uses only default BFD settings.
   - Inherit-vr-global-setting (default): Peer inherits the BFD profile that you selected globally for BGP for the virtual router.
   - A BFD profile you configured: See Create a BFD profile.
   NOTE: Selecting Disable BFD disables BFD for the BGP peer.
9. Click OK.

Step 9  Configure Import and Export rules.
The import/export rules are used to import/export routes from/to other routers; for example, importing the default route from your Internet Service Provider.
1. Select the Import tab and Add a name in the Rules field and select Enable.
2. Add the Peer Group from which the routes will be imported.
3. Click the Match tab and define the options used to filter routing information. You can also define the Multi-Exit Discriminator (MED) value and a next hop value to routers or subnets for route filtering. The MED option is an external metric that lets neighbors know about the preferred path into an AS. A lower value is preferred over a higher value.
4. Click the Action tab and define the action that should occur (allow/deny) based on the filtering options defined in the Match tab. If Deny is selected, no further options need to be defined. If the Allow action is selected, define the other attributes.
5. Click the Export tab and define export attributes, which are similar to the Import settings, but are used to control route information that is exported from the firewall to neighbors.
6. Click OK.


Step 10  Configure conditional advertising, which allows you to control what route to advertise in the event that a different route is not available in the local BGP routing table (Loc-RIB), indicating a peering or reachability failure.
This is useful in cases where you want to try to force routes to one AS over another, for example if you have links to the Internet through multiple ISPs and you want traffic to be routed to one provider instead of the other unless there is a loss of connectivity to the preferred provider.
1. Select the Conditional Adv tab and Add a name in the Policy field.
2. Select Enable.
3. In the Used By section, Add the peer group(s) that will use the conditional advertisement policy.
4. Select the Non Exist Filter tab and define the network prefix(es) of the preferred route. As long as a route matching a Non Exist filter is present in the Loc-RIB, the routes selected by the Advertise Filters are suppressed.
5. Select the Advertise Filters tab and define the prefix(es) of the route in the Loc-RIB that should be advertised when no route matching the Non Exist filter is available in the local routing table. If a prefix matches an Advertise Filter and no Non Exist filter currently matches a route, the advertisement will occur.

Step 11  Configure aggregate options to summarize routes in the BGP configuration.
BGP route aggregation is used to control how BGP aggregates addresses. Each entry in the table results in one aggregate address being created. This will result in an aggregate entry in the routing table when at least one more specific route matching the address specified is learned.
1. Select the Aggregate tab, and Add a name for the aggregate address.
2. In the Prefix field, enter the network prefix that will be the primary prefix for the aggregated prefixes.
3. Select the Suppress Filters tab and define the attributes that will cause the matched routes to be suppressed.
4. Select the Advertise Filters tab and define the attributes that will cause the matched routes to always be advertised to peers.
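Steps 10 and 11 are export policy applied to the Loc-RIB. The following Python is an added example, not firewall code, that models both: conditional_advertisement stays silent while any route matches the Non Exist Filter and advertises the Advertise Filter routes only once the preferred route is gone, and aggregate emits the summary when a more-specific exists and withholds more-specifics that match a Suppress Filter unless an Advertise Filter forces them out. The prefixes are constructed for the example.

```python
"""Loc-RIB export policy: conditional advertisement and aggregation (added example)."""
import ipaddress
from typing import Iterable, List, Set


def covered_by(prefix: str, filters: Iterable[str]) -> bool:
    """True if `prefix` lies inside any filter prefix of the same address family."""
    p = ipaddress.ip_network(prefix)
    for f in filters:
        n = ipaddress.ip_network(f)
        if n.version == p.version and p.subnet_of(n):
            return True
    return False


def conditional_advertisement(loc_rib: Set[str], non_exist: List[str],
                              advertise: List[str]) -> List[str]:
    """Prefixes to send to the peer groups that use this policy.

    Non Exist Filter: while any Loc-RIB route matches, the policy advertises nothing.
    Advertise Filters: once the preferred route is gone, matching Loc-RIB routes
    are advertised as the fallback path.
    """
    if any(covered_by(r, non_exist) for r in loc_rib):
        return []
    return sorted(r for r in loc_rib if covered_by(r, advertise))


def aggregate(loc_rib: Set[str], aggregate_prefix: str, suppress: List[str],
              always_advertise: List[str]) -> List[str]:
    """What a peer sees after one Aggregate entry is applied to the Loc-RIB.

    The aggregate appears only when at least one more-specific route exists.
    More-specifics matching a Suppress Filter are withheld unless they also match
    an Advertise Filter, which always wins.
    """
    agg = ipaddress.ip_network(aggregate_prefix)
    more_specific = [r for r in loc_rib
                     if covered_by(r, [aggregate_prefix]) and ipaddress.ip_network(r) != agg]
    out = set(loc_rib)
    if more_specific:
        out.add(aggregate_prefix)
        for r in more_specific:
            if covered_by(r, suppress) and not covered_by(r, always_advertise):
                out.discard(r)
    return sorted(out)


if __name__ == "__main__":
    # Constructed scenario: ISP1 hands us 203.0.113.0/24; we announce 198.51.100.0/24
    # to ISP2 only while that preferred route is missing.
    rib = {"203.0.113.0/24", "198.51.100.0/24"}
    print(conditional_advertisement(rib, ["203.0.113.0/24"], ["198.51.100.0/24"]))
    rib.discard("203.0.113.0/24")
    print(conditional_advertisement(rib, ["203.0.113.0/24"], ["198.51.100.0/24"]))
    internal = {"10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "192.0.2.0/24"}
    print(aggregate(internal, "10.1.0.0/16", ["10.1.0.0/16"], ["10.1.2.0/24"]))
```

Check the RIB Out view (Step 6 of the MP-BGP task below) after a commit to confirm that the suppressed more-specifics really are absent before the peer goes live.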

Step 12  Configure redistribution rules.
This rule is used to redistribute host routes and unknown routes that are not on the local RIB to the peer routers.
1. Select the Redist Rules tab and click Add.
2. In the Name field, enter an IP subnet or select a redistribution profile. You can also configure a new redistribution profile from the drop-down if needed.
3. Enable the rule.
4. In the Metric field, enter the route metric that will be used for the rule.
5. In the Set Origin drop-down, select incomplete, igp, or egp.
6. (Optional) Set MED, local preference, AS path limit and community values.

Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast

After you Configure BGP, configure a BGP peer with MP-BGP for IPv4 or IPv6 unicast for either of the following reasons:
- To have your BGP peer carry IPv6 unicast routes, configure MP-BGP with the Address Family Type of IPv6 and Subsequent Address Family of Unicast so that the peer can send BGP updates that include IPv6 unicast routes. BGP peering (Local Address and Peer Address) can still both be IPv4 addresses, or they can both be IPv6 addresses.
- To perform BGP peering over IPv6 addresses (Local Address and Peer Address use IPv6 addresses).

The following task shows how to enable a BGP peer with MP-BGP so it can carry IPv6 unicast routes, and so it can peer using IPv6 addresses.
The task also shows how to view the unicast or multicast route tables, and how to view the forwarding table, the BGP local RIB, and BGP RIB Out (routes sent to neighbors) to see routes from the unicast or multicast route table or a specific address family (IPv4 or IPv6).

Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast

Step 1  Enable MP-BGP Extensions for a peer.
Configure the following so that a BGP peer can carry IPv4 or IPv6 unicast routes in Update packets and the firewall can use IPv4 or IPv6 addresses to communicate with its peer.
1. Select Network > Virtual Routers and select the virtual router you are configuring.
2. Select BGP.
3. Select Peer Group and select a peer group.
4. Select a BGP peer (router).
5. Select Addressing.
6. Select Enable MP-BGP Extensions for the peer.
7. For Address Family Type, select IPv4 or IPv6. For example, select IPv6.
8. For Subsequent Address Family, Unicast is selected. If you chose IPv4 for the Address Family, you can select Multicast also.
9. For Local Address, select an Interface and optionally select an IP address, for example, 2001:DB8:55::/32.
10. For Peer Address, enter the peer's IP address, using the same address family (IPv4 or IPv6) as the Local Address, for example, 2001:DB8:58::/32.
11. Select Advanced.
12. (Optional) Enable Sender Side Loop Detection. When you enable Sender Side Loop Detection, the firewall checks the AS_PATH attribute of a route in its FIB before it sends the route in an update, to ensure that the peer's AS number is not in the AS_PATH. If it is, the firewall withholds that route from the update to prevent a loop.
13. Click OK.


Step 2  (Optional) Create a static route and install it in the unicast route table because you want the route to be used only for unicast purposes.
1. Select Network > Virtual Routers and select the virtual router you are configuring.
2. Select Static Routes, select IPv4 or IPv6, and Add a route.
3. Enter a Name for the static route.
4. Enter the IPv4 or IPv6 Destination prefix and netmask, depending on whether you chose IPv4 or IPv6.
5. Select the egress Interface.
6. Select the Next Hop as IPv6 Address (or IP Address if you chose IPv4) and enter the address of the next hop to which you want to direct unicast traffic for this static route.
7. Enter an Admin Distance.
8. Enter a Metric.
9. For Route Table, select Unicast.
10. Click OK.

Step 3  Commit the configuration.
Click Commit.

Step 4  View the unicast or multicast route table.
1. Select Network > Virtual Routers.
2. In the row for the virtual router, click More Runtime Stats.
3. Select Routing > Route Table.
4. For Route Table, select Unicast or Multicast to display only those routes.
5. For Display Address Family, select IPv4 Only, IPv6 Only, or IPv4 and IPv6 to display only routes for that address family.
NOTE: Selecting Multicast with IPv6 Only is not supported.

Step 5  View the Forwarding Table.
1. Select Network > Virtual Routers.
2. In the row for the virtual router, click More Runtime Stats.
3. Select Routing > Forwarding Table.
4. For Display Address Family, select IPv4 Only, IPv6 Only, or IPv4 and IPv6 to display only routes for that address family.


Step 6  View the BGP RIB tables.
1. View the BGP Local RIB, which shows the BGP routes that the firewall uses to route BGP packets.
   a. Select Network > Virtual Routers.
   b. In the row for the virtual router, click More Runtime Stats.
   c. Select BGP > Local RIB.
   d. For Route Table, select Unicast or Multicast to display only those routes.
   e. For Display Address Family, select IPv4 Only, IPv6 Only, or IPv4 and IPv6 to display only routes for that address family.
   NOTE: Selecting Multicast with IPv6 Only is not supported.
2. View the BGP RIB Out table, which shows the routes that the firewall sends to BGP neighbors. This is the view to check before an external peering goes live: anything listed here leaves your network, so confirm that export rules and No Redist profiles withheld the prefixes you did not intend to announce.
   a. Select Network > Virtual Routers.
   b. In the row for the virtual router, click More Runtime Stats.
   c. Select BGP > RIB Out.
   d. For Route Table, select Unicast or Multicast to display only those routes.
   e. For Display Address Family, select IPv4 Only, IPv6 Only, or IPv4 and IPv6 to display only routes for that address family.
   NOTE: Selecting Multicast with IPv6 Only is not supported.

Configure a BGP Peer with MP-BGP for IPv4 Multicast

After you Configure BGP, configure a BGP peer with MP-BGP for IPv4 multicast if you want your BGP peer to be able to learn and pass IPv4 multicast routes in BGP updates. You'll be able to separate unicast from multicast traffic, or employ the features listed in MP-BGP to use only routes from the unicast or multicast route table, or routes from both tables.
If you want to support multicast traffic only, you must use a filter to eliminate unicast traffic.
The firewall doesn't support ECMP for multicast traffic.

Configure a BGP Peer with MP-BGP for IPv4 Multicast

Step 1  Enable MP-BGP extensions so that a BGP peer can exchange IPv4 multicast routes.
1. Select Network > Virtual Routers and select the virtual router you are configuring.
2. Select BGP.
3. Select Peer Group, select a peer group and a BGP peer.
4. Select Addressing.
5. Select Enable MP-BGP Extensions.
6. For Address Family Type, select IPv4.
7. For Subsequent Address Family, select Unicast and then Multicast.
8. Click OK.


Step 2  (Optional) Create an IPv4 static route and install it in the multicast route table only.
You would do this to direct multicast traffic for a BGP peer to a specific next hop, as shown in the topology in MP-BGP.
1. Select Network > Virtual Routers and select the virtual router you are configuring.
2. Select Static Routes > IPv4 and Add a Name for the route.
3. Enter the IPv4 Destination prefix and netmask.
4. Select the egress Interface.
5. Select the Next Hop as IP Address and enter the IP address of the next hop to which you want to direct multicast traffic for this static route.
6. Enter an Admin Distance.
7. Enter a Metric.
8. For Route Table, select Multicast.
9. Click OK.

Step 3  Commit the configuration.
Click Commit.

Step 4  View the route table.
1. Select Network > Virtual Routers.
2. In the row for the virtual router, click More Runtime Stats.
3. Select Routing > Route Table.
4. For Route Table, select Unicast or Multicast to display only those routes.
5. For Display Address Family, select IPv4 Only, IPv6 Only, or IPv4 and IPv6 to display only routes for that address family.

Step 5  To view the Forwarding table, BGP Local RIB, or BGP RIB Out table, see Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast.


Route Redistribution

Route redistribution on the firewall is the process of making routes that the firewall learned from one routing protocol (or a static or connected route) available to a different routing protocol, thereby increasing accessibility of network traffic. Without route redistribution, a router or virtual router advertises and shares routes only with other routers that run the same routing protocol. You can redistribute IPv6 BGP, connected, or static routes into the OSPFv3 RIB and redistribute OSPFv3, connected, or static routes into the BGP RIB. This means, for example, you can make specific networks that were once available only by manual static route configuration on specific routers available to BGP autonomous systems or OSPF areas. You can also advertise locally connected routes, such as routes to a private lab network, into BGP autonomous systems or OSPF areas.
You might want to give users on your internal OSPFv3 network access to BGP so they can access devices on the internet. In this case you would redistribute BGP routes into the OSPFv3 RIB.
Conversely, you might want to give your external users access to some parts of your internal network, so you make internal OSPFv3 networks available through BGP by redistributing OSPFv3 routes into the BGP RIB. Redistribute only the prefixes that must be reachable from outside: every route you redistribute into BGP exposes part of your internal addressing, so pair a narrow Redist profile with No Redist profiles that exclude the rest.

Redistribute IPv6 Routes

Step 1  Create an IPv6 Redistribution profile.
1. Select Network > Virtual Routers and select a virtual router.
2. Select Redistribution Profile > IPv6 and Add a profile.
3. Enter a Name for the profile.
4. Enter a Priority for the profile in the range 1-255. The firewall matches routes to profiles in order using the profile with the highest priority (lowest priority value) first. Higher priority rules take precedence over lower priority rules.
5. For Redistribute, select one of the following:
   - Redist: Select for redistribution the routes that match this filter.
   - No Redist: Select for redistribution routes that match the redistribution profiles except the routes that match this filter. This selection treats the profile as a blacklist that specifies which routes not to select for redistribution. For example, if you have multiple redistribution profiles for BGP, you can create a No Redist profile to exclude several prefixes, and then a general redistribution profile with a lower priority (higher priority value) after it. The two profiles combine and the higher priority profile takes precedence. You can't have only No Redist profiles; you would always need at least one Redist profile to redistribute routes.
6. On the General Filter tab, for Source Type, select one or more types of route to redistribute:
   - bgp: Redistribute BGP routes that match the profile.
   - connect: Redistribute connected routes that match the profile.
   - ospfv3: Redistribute OSPFv3 routes that match the profile.
   - static: Redistribute static routes that match the profile.


7. (Optional) For Interface, Add one or more egress interfaces of associated routes to match for redistribution. To remove an entry, click Delete.
8. (Optional) For Destination, Add one or more IPv6 destinations of routes to match for redistribution. To remove an entry, click Delete.
9. (Optional) For Next Hop, Add one or more next hop IPv6 addresses of routes to match for redistribution. To remove an entry, click Delete.
10. Click OK.

Step 2  (When General Filter includes ospfv3) Optionally create an OSPF filter to further specify which OSPFv3 routes to redistribute.
1. Select Network > Virtual Routers and select the virtual router.
2. Select Redistribution Profile > IPv6 and select the profile you created.
3. Select OSPF Filter.
4. For Path Type, select one or more of the following types of OSPF path to redistribute: ext-1, ext-2, inter-area, or intra-area.
5. To specify an Area from which to redistribute OSPFv3 routes, Add an area in IP address format.
6. To specify a Tag, Add a tag in IP address format.
7. Click OK.

Step 3  (When General Filter includes bgp) Optionally create a BGP filter to further specify which BGP routes to redistribute.
1. Select Network > Virtual Routers and select the virtual router.
2. Select Redistribution Profile > IPv6 and select the profile you created.
3. Select BGP Filter.
4. For Community, Add to select from the list of communities, such as well-known communities: local-as, no-advertise, no-export, or nopeer. You can also enter a 32-bit value in decimal or hexadecimal or in AS:VAL format, where AS and VAL are each in the range 0-65,535. Enter a maximum of 10 entries.
5. For Extended Community, Add an extended community as a 64-bit value in hexadecimal or in TYPE:AS:VAL or TYPE:IP:VAL format. TYPE is 16 bits; in TYPE:AS:VAL, AS is 16 bits and VAL is 32 bits; in TYPE:IP:VAL, IP is a 32-bit IPv4 address and VAL is 16 bits (the RFC 4360 encodings). Enter a maximum of five entries.
6. Click OK.


Step 4  Select the protocol into which you are redistributing routes, and set the attributes for those routes.
This task illustrates redistributing routes into BGP.
1. Select Network > Virtual Routers and select the virtual router.
2. Select BGP > Redist Rules.
3. Select Allow Redistribute Default Route to allow the firewall to redistribute the default route. Leave this cleared unless you intend to originate a default route into BGP; an unintended default route attracts traffic from peers that you may not be able to forward.
4. Click Add.
5. Select Address Family Type: IPv4 or IPv6 to specify in which route table the redistributed routes will be put.
6. Select the Name of the Redistribution profile you created, which selects the routes to redistribute.
7. Enable the redistribution rule.
8. (Optional) Enter any of the following values, which the firewall applies to the routes being redistributed:
   - Metric in the range 1-65,535.
   - Set Origin: Origin of the route: igp, egp, or incomplete.
   - Set MED: MED value in the range 0-4,294,967,295.
   - Set Local Preference: Local preference value in the range 0-4,294,967,295.
   - Set AS Path Limit: Maximum number of autonomous systems in the AS_PATH in the range 1-255.
   - Set Community: Select or enter a 32-bit value in decimal or hexadecimal, or enter a value in AS:VAL format, where AS and VAL are each in the range 0-65,535. Enter a maximum of 10 entries.
   - Set Extended Community: Select or enter an extended community as a 64-bit value in hexadecimal or in TYPE:AS:VAL or TYPE:IP:VAL format. TYPE is 16 bits; in TYPE:AS:VAL, AS is 16 bits and VAL is 32 bits; in TYPE:IP:VAL, IP is a 32-bit IPv4 address and VAL is 16 bits (the RFC 4360 encodings). Enter a maximum of five entries.
9. Click OK.

Step 5  Commit.
Click Commit.
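Priority order and the Redist / No Redist split in Step 1 amount to an ordered policy: profiles are evaluated from the lowest priority value up, the first profile whose filters match a route decides, and a No Redist match stops evaluation so the route is never redistributed. The following Python is an added example, not firewall code, that evaluates IPv6 routes against such profiles as the page describes. The routes and profiles are constructed, and treating an empty Interface, Destination or Next Hop filter as "match anything" is this example's assumption.

```python
"""Priority-ordered redistribution profiles with Redist / No Redist semantics (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Route:
    prefix: str
    source: str            # "bgp", "connect", "ospfv3" or "static" (the General Filter source types)
    interface: str         # egress interface of the route
    next_hop: str


def _prefix_inside(prefix: str, nets: List[str]) -> bool:
    p = ipaddress.ip_network(prefix)
    return any(n.version == p.version and p.subnet_of(n)
               for n in map(ipaddress.ip_network, nets))


def _address_inside(addr: str, nets: List[str]) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(n) for n in nets)   # False on family mismatch


@dataclass
class RedistProfile:
    name: str
    priority: int                      # 1-255; the lowest value is evaluated first
    redist: bool                       # True = Redist, False = No Redist (blacklist)
    source_types: Set[str]
    interfaces: Set[str] = field(default_factory=set)         # empty = any (assumption)
    destinations: List[str] = field(default_factory=list)     # empty = any (assumption)
    next_hops: List[str] = field(default_factory=list)        # empty = any (assumption)

    def __post_init__(self):
        if not 1 <= self.priority <= 255:
            raise ValueError("priority must be in 1-255")

    def matches(self, r: Route) -> bool:
        if r.source not in self.source_types:
            return False
        if self.interfaces and r.interface not in self.interfaces:
            return False
        if self.destinations and not _prefix_inside(r.prefix, self.destinations):
            return False
        if self.next_hops and not _address_inside(r.next_hop, self.next_hops):
            return False
        return True


def select_for_redistribution(routes: List[Route], profiles: List[RedistProfile]) -> List[str]:
    """Prefixes handed to the Redist Rule: first matching profile decides; no match means no redistribution."""
    ordered = sorted(profiles, key=lambda p: p.priority)
    chosen = []
    for r in routes:
        for p in ordered:
            if p.matches(r):
                if p.redist:
                    chosen.append(r.prefix)
                break                  # a No Redist match ends evaluation for this route
    return chosen


if __name__ == "__main__":
    # Constructed Loc-RIB: two static routes, one OSPFv3 route, one BGP route
    routes = [
        Route("2001:db8:10::/48", "static", "ethernet1/1", "2001:db8:1::1"),
        Route("2001:db8:99::/48", "static", "ethernet1/2", "2001:db8:1::1"),   # lab network, keep internal
        Route("2001:db8:20::/48", "ospfv3", "ethernet1/3", "2001:db8:2::1"),
        Route("2001:db8:30::/48", "bgp", "ethernet1/4", "2001:db8:3::1"),
    ]
    profiles = [
        RedistProfile("block-lab", 10, False, {"static", "ospfv3"}, destinations=["2001:db8:99::/48"]),
        RedistProfile("internal", 20, True, {"static", "ospfv3"}),
    ]
    print(select_for_redistribution(routes, profiles))
```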


DHCP

This section describes Dynamic Host Configuration Protocol (DHCP) and the tasks required to configure an interface on a Palo Alto Networks firewall to act as a DHCP server, client, or relay agent. By assigning these roles to different interfaces, the firewall can perform multiple roles.
- DHCP Overview
- Firewall as a DHCP Server and Client
- DHCP Messages
- DHCP Addressing
- DHCP Options
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCP Client
- Configure the Management Interface as a DHCP Client
- Configure an Interface as a DHCP Relay Agent
- Monitor and Troubleshoot DHCP

DHCP Overview

DHCP is a standardized protocol defined in RFC 2131, Dynamic Host Configuration Protocol. DHCP has two main purposes: to provide TCP/IP and link-layer configuration parameters and to provide network addresses to dynamically configured hosts on a TCP/IP network.
DHCP uses a client-server model of communication. This model consists of three roles that the device can fulfill: DHCP client, DHCP server, and DHCP relay agent.
- A device acting as a DHCP client (host) can request an IP address and other configuration settings from a DHCP server. Users on client devices save configuration time and effort, and need not know the network's addressing plan or other resources and options they are inheriting from the DHCP server.
- A device acting as a DHCP server can service clients. By using any of three DHCP Addressing mechanisms, the network administrator saves configuration time and has the benefit of reusing a limited number of IP addresses when a client no longer needs network connectivity. The server can deliver IP addressing and many DHCP options to many clients.
- A device acting as a DHCP relay agent transmits DHCP messages between DHCP clients and servers.
DHCP uses User Datagram Protocol (UDP), RFC 768, as its transport protocol. DHCP messages that a client sends to a server are sent to well-known port 67 (UDP Bootstrap Protocol and DHCP). DHCP messages that a server sends to a client are sent to port 68.
An interface on a Palo Alto Networks firewall can perform the role of a DHCP server, client, or relay agent. The interface of a DHCP server or relay agent must be a Layer 3 Ethernet, Aggregated Ethernet, or Layer 3 VLAN interface. You configure the firewall interfaces with the appropriate settings for any combination of roles. The behavior of each role is summarized in Firewall as a DHCP Server and Client.
The firewall supports DHCPv4 Server and DHCPv6 Relay. However, a single interface cannot support both DHCPv4 Server and DHCPv6 Relay.


The Palo Alto Networks implementations of DHCP server and DHCP client support IPv4 addresses only. Its DHCP relay implementation supports IPv4 and IPv6. DHCP client is not supported in High Availability active/active mode.

Firewall as a DHCP Server and Client

The firewall can function as a DHCP server and as a DHCP client. Dynamic Host Configuration Protocol, RFC 2131, defines DHCP for IPv4; DHCPv6 (RFC 3315) is a separate protocol. The Palo Alto Networks implementation of DHCP server supports IPv4 addresses only.
The firewall DHCP server operates in the following manner:
- When the DHCP server receives a DHCPDISCOVER message from a client, the server replies with a DHCPOFFER message containing all of the predefined and user-defined options in the order they appear in the configuration. The client selects the options it needs and responds with a DHCPREQUEST message.
- When the server receives a DHCPREQUEST message from a client, the server replies with its DHCPACK message containing only the options specified in the request.
The firewall DHCP client operates in the following manner:
- When the DHCP client receives a DHCPOFFER from the server, the client automatically caches all of the options offered for future use, regardless of which options it had sent in its DHCPREQUEST.
- By default and to save memory consumption, the client caches only the first value of each option code if it receives multiple values for a code.
- There is no maximum length for DHCP messages unless the DHCP client specifies a maximum in option 57 in its DHCPDISCOVER or DHCPREQUEST messages.

DHCP Messages

DHCP uses eight standard message types, which are identified by the DHCP Message Type option (option 53) in the DHCP message. For example, when a client wants to find a DHCP server, it broadcasts a DHCPDISCOVER message on its local physical subnetwork. If there is no DHCP server on its subnet and if DHCP Helper or DHCP Relay is configured properly, the message is forwarded to DHCP servers on a different physical subnet. Otherwise, the message will go no further than the subnet on which it originated. One or more DHCP servers will respond with a DHCPOFFER message that contains an available network address and other configuration parameters. Nothing in this exchange authenticates the server: any host on the segment can answer a DHCPDISCOVER, so on untrusted segments treat the gateway and DNS values a client learns from DHCP accordingly.
When the client needs an IP address, it sends a DHCPREQUEST to one or more servers. Of course if the client is requesting an IP address, it doesn't have one yet, so RFC 2131 requires that the broadcast message the client sends out have a source address of 0.0.0.0 in its IP header.
When a client requests configuration parameters from a server, it might receive responses from more than one server. Once a client has received its IP address, it is said that the client has at least an IP address and possibly other configuration parameters bound to it. DHCP servers manage such binding of configuration parameters to clients.
The following table lists the DHCP messages.


DHCP Message    Description
DHCPDISCOVER    Client broadcast to find available DHCP servers.
DHCPOFFER       Server response to client's DHCPDISCOVER, offering configuration parameters.
DHCPREQUEST     Client message to one or more servers to do any of the following:
                - Request parameters from one server and implicitly decline offers from other servers.
                - Confirm that a previously allocated address is correct after, for example, a system reboot.
                - Extend the lease of a network address.
DHCPACK         Server-to-client acknowledgment message containing configuration parameters, including a confirmed network address.
DHCPNAK         Server-to-client negative acknowledgment indicating the client's understanding of the network address is incorrect (for example, if the client has moved to a new subnet), or a client's lease has expired.
DHCPDECLINE     Client-to-server message indicating the network address is already being used.
DHCPRELEASE     Client-to-server message giving up the use of the network address and canceling the remaining time on the lease.
DHCPINFORM      Client-to-server message requesting only local configuration parameters; client has an externally configured network address.

DHCP Addressing

- DHCP Address Allocation Methods
- DHCP Leases

DHCP Address Allocation Methods

There are three ways that a DHCP server either assigns or sends an IP address to a client:
- Automatic allocation: The DHCP server assigns a permanent IP address to a client from its IP Pools. On the firewall, a Lease specified as Unlimited means the allocation is permanent.
- Dynamic allocation: The DHCP server assigns a reusable IP address from IP Pools of addresses to a client for a maximum period of time, known as a lease. This method of address allocation is useful when the customer has a limited number of IP addresses; they can be assigned to clients who need only temporary access to the network. See the DHCP Leases section.
- Static allocation: The network administrator chooses the IP address to assign to the client and the DHCP server sends it to the client. A static DHCP allocation is permanent; it is done by configuring a DHCP server and choosing a Reserved Address to correspond to the MAC Address of the client device. The DHCP assignment remains in place even if the client logs off, reboots, has a power outage, etc.


Static allocation of an IP address is useful, for example, if you have a printer on a LAN and you do not want its IP address to keep changing, because it is associated with a printer name through DNS. Another example is if a client device is used for something crucial and must keep the same IP address, even if the device is turned off, unplugged, rebooted, or a power outage occurs, etc.
Keep these points in mind when configuring a Reserved Address:
- It is an address from the IP Pools. You may configure multiple reserved addresses.
- If you configure no Reserved Address, the clients of the server will receive new DHCP assignments from the pool when their leases expire or if they reboot, etc. (unless you specified that a Lease is Unlimited).
- If you allocate all of the addresses in the IP Pools as a Reserved Address, there are no dynamic addresses free to assign to the next DHCP client requesting an address.
- You may configure a Reserved Address without configuring a MAC Address. In this case, the DHCP server will not assign the Reserved Address to any device. You might reserve a few addresses from the pool and statically assign them to a fax and printer, for example, without using DHCP.
- A reservation binds an address to a MAC address, not to a device identity. A MAC address is trivially spoofed, so a reserved address on its own is not a basis for a security policy that must distinguish one device from another.

DHCP Leases

A lease is defined as the time period for which a DHCP server allocates a network address to a client. The lease might be extended (renewed) upon subsequent requests. If the client no longer needs the address, it can release the address back to the server before the lease is up. The server is then free to assign that address to a different client if it has run out of unassigned addresses.
The lease period configured for a DHCP server applies to all of the addresses that a single DHCP server (interface) dynamically assigns to its clients. That is, all of that interface's addresses assigned dynamically are of Unlimited duration or have the same Timeout value. A different DHCP server configured on the firewall may have a different lease term for its clients. A Reserved Address is a static address allocation and is not subject to the lease terms.
Per the DHCP standard, RFC 2131, a DHCP client does not wait for its lease to expire, because it risks getting a new address assigned to it. Instead, when a DHCP client reaches the halfway point of its lease period (the T1 renewal time), it attempts to extend its lease so that it retains the same IP address. Thus, the lease duration is like a sliding window.
Typically if an IP address was assigned to a device, the device was subsequently taken off the network and its lease was not extended, the DHCP server will let that lease run out. Because the client is gone from the network and no longer needs the address, the lease duration in the server is reached and the lease is in Expired state.
The firewall has a hold timer that prevents the expired IP address from being reassigned immediately. This behavior temporarily reserves the address for the device in case it comes back onto the network. But if the address pool runs out of addresses, the server reallocates this expired address before the hold timer expires. Expired addresses are cleared automatically as the system needs more addresses or when the hold timer releases them.
In the CLI, use the show dhcp server lease operational command to view lease information about the allocated IP addresses. If you do not want to wait for expired leases to be released automatically, you can use the clear dhcp lease interface <interface> expired-only command to clear expired leases, making those addresses available in the pool again. You can use the clear dhcp lease interface <interface> ip <ip_address> command to release a particular IP address. Use the clear dhcp lease interface <interface> mac <mac_address> command to release a particular MAC address.


DHCP Options

The history of DHCP and DHCP options traces back to the Bootstrap Protocol (BOOTP). BOOTP was used by a host to configure itself dynamically during its booting procedure. A host could receive an IP address and a file from which to download a boot program from a server, along with the server's address and the address of an Internet gateway.
Included in the BOOTP packet was a vendor information field, which could contain a number of tagged fields containing various types of information, such as the subnet mask, the BOOTP file size, and many other values. RFC 1497 describes the BOOTP Vendor Information Extensions. DHCP replaces BOOTP; BOOTP is not supported on the firewall.
These extensions eventually expanded with the use of DHCP and DHCP host configuration parameters, also known as options. Similar to vendor extensions, DHCP options are tagged data items that provide information to a DHCP client. The options are sent in a variable-length field at the end of a DHCP message. For example, the DHCP Message Type is option 53, and a value of 1 indicates the DHCPDISCOVER message. DHCP options are defined in RFC 2132, DHCP Options and BOOTP Vendor Extensions.
A DHCP client can negotiate with the server, limiting the server to send only those options that the client requests.
- Predefined DHCP Options
- Multiple Values for a DHCP Option
- DHCP Options 43, 55, and 60 and Other Customized Options

Predefined DHCP Options

Palo Alto Networks firewalls support user-defined and predefined DHCP options in the DHCP server implementation. Such options are configured on the DHCP server and sent to the clients that sent a DHCPREQUEST to the server. The clients are said to inherit and implement the options that they are programmed to accept.
The firewall supports the following predefined options on its DHCP servers, shown in the order in which they appear on the DHCP Server configuration screen:

DHCP Option   DHCP Option Name
51            Lease duration
3             Gateway
1             IP Pool Subnet (mask)
6             Domain Name System (DNS) server address (primary and secondary)
44            Windows Internet Name Service (WINS) server address (primary and secondary)
41            Network Information Service (NIS) server address (primary and secondary)
42            Network Time Protocol (NTP) server address (primary and secondary)
70            Post Office Protocol Version 3 (POP3) server address
69            Simple Mail Transfer Protocol (SMTP) server address
15            DNS suffix

As mentioned, you can also configure vendor-specific and customized options, which support a wide variety of office equipment, such as IP phones and wireless infrastructure devices. Each option code supports multiple values, which can be IP address, ASCII, or hexadecimal format. With the firewall's enhanced DHCP option support, branch offices do not need to purchase and manage their own DHCP servers in order to provide vendor-specific and customized options to DHCP clients.

Multiple Values for a DHCP Option

You can enter multiple option values for an Option Code with the same Option Name, but all values for a particular code and name combination must be the same type (IP address, ASCII, or hexadecimal). If one type is inherited or entered, and later a different type is entered for the same code and name combination, the second type overwrites the first type.

You can enter an Option Code more than once by using a different Option Name. In this case, the Option Type for the Option Code can differ among the multiple option names. For example, if option CoastalServer (option code 6) is configured with IP address type, option ServerXYZ (option code 6) with ASCII type is also allowed.

The firewall sends multiple values for an option (strung together) to a client in order from top to bottom. Therefore, when entering multiple values for an option, enter the values in the order of preference, or else move the options to achieve your preferred order in the list. The order of options in the firewall configuration determines the order in which the options appear in DHCPOFFER and DHCPACK messages.

You can enter an option code that already exists as a predefined option code, and the customized option code overrides the predefined DHCP option; the firewall issues a warning.

DHCP Options 43, 55, and 60 and Other Customized Options

The following describes the behavior of several options defined in RFC 2132.

Option 43, Vendor-Specific Information: Sent from server to client. Vendor-specific information that the DHCP server has been configured to offer to the client. The information is sent to the client only if the server has a Vendor Class Identifier (VCI) in its table that matches the VCI in the client's DHCPREQUEST. An Option 43 payload can contain multiple vendor-specific pieces of information. It can also include encapsulated, vendor-specific extensions of data.

Option 55, Parameter Request List: Sent from client to server. List of configuration parameters (option codes) that a DHCP client is requesting, possibly in order of the client's preference. The server tries to respond with options in the same order.

Option 60, Vendor Class Identifier (VCI): Sent from client to server. Vendor type and configuration of a DHCP client. The DHCP client sends option code 60 in a DHCPREQUEST to the DHCP server. When the server receives option 60, it sees the VCI, finds the matching VCI in its own table, and then returns option 43 with the value that corresponds to the VCI, thereby relaying vendor-specific information to the correct client. Both the client and server have knowledge of the VCI.

You can send custom, vendor-specific option codes that are not defined in RFC 2132. The option codes can be in the range 1-254 and of fixed or variable length.

Custom DHCP options are not validated by the DHCP Server; you must ensure that you enter correct values for the options you create. Because the firewall performs no check, a malformed value (for example, a hexadecimal string of the wrong length for the option) is delivered to clients exactly as entered.

For ASCII and hexadecimal DHCP option types, the option value can be a maximum of 255 octets.
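The following is an added example, not PAN-OS code or anything from this guide: it models the custom-option rules stated in the three sections above (types per code and name, overwrite on type change, the predefined-code warning, the 1-254 code range, the 255-octet limit) and shows how the resulting values travel as RFC 2132 tag-length-value items, including the option 60 to option 43 lookup. The option names, VCI strings and addresses are made up; the checks it enforces are the ones the text says the firewall leaves to you.

```python
"""Added example (not PAN-OS code): model the firewall's custom DHCP option rules
and the RFC 2132 tag-length-value encoding that carries them on the wire."""
import ipaddress
import struct

# Codes the firewall configures through its predefined fields (see the table above).
PREDEFINED_CODES = {51, 3, 1, 6, 44, 41, 42, 70, 69, 15}
MAX_OPTION_OCTETS = 255


class DhcpOptionConfigError(ValueError):
    """Raised for input the firewall would not accept, or would accept unchecked."""


def encode_value(opt_type, value):
    """Encode one Option Value of the given Option Type ('ip', 'ascii' or 'hex')."""
    if opt_type == "ip":
        return ipaddress.IPv4Address(value).packed
    if opt_type == "ascii":
        return value.encode("ascii")
    if opt_type == "hex":
        if not value.startswith("0x"):
            raise DhcpOptionConfigError("hexadecimal values must start with the 0x prefix")
        return bytes.fromhex(value[2:])
    raise DhcpOptionConfigError(f"unknown option type {opt_type!r}")


def build_custom_options(entries):
    """entries: [(name, code, opt_type, [values, ...]), ...] in top-to-bottom order.

    Returns ({(code, name): (opt_type, payload)}, warnings), applying the documented
    rules: codes 1-254 only; multiple values are concatenated in list order; a later
    entry with the same code and name but another type overwrites the earlier one; the
    same code under a different name may use another type; a custom code that collides
    with a predefined option overrides it and produces a warning."""
    options, warnings = {}, []
    for name, code, opt_type, values in entries:
        if not 1 <= code <= 254:
            raise DhcpOptionConfigError(f"option code {code} is outside 1-254")
        if code in PREDEFINED_CODES:
            warnings.append(f"option {code} ({name}) overrides a predefined option")
        payload = b"".join(encode_value(opt_type, v) for v in values)
        if len(payload) > MAX_OPTION_OCTETS:
            raise DhcpOptionConfigError(
                f"option {code} ({name}) is {len(payload)} octets; the limit is {MAX_OPTION_OCTETS}")
        key = (code, name)
        if key in options and options[key][0] != opt_type:
            warnings.append(f"option {code} ({name}): {opt_type} overwrites {options[key][0]}")
        options[key] = (opt_type, payload)
    return options, warnings


def to_wire(options):
    """Serialise as code|length|value items in configuration order, ending with End (255)."""
    out = bytearray()
    for (code, _name), (_type, payload) in options.items():
        out += struct.pack("BB", code, len(payload)) + payload
    out.append(255)
    return bytes(out)


def parse_wire(data):
    """Inverse of to_wire: [(code, payload), ...] in wire order; handles Pad (0) and End (255)."""
    parsed, i = [], 0
    while i < len(data):
        code = data[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = data[i + 1]
        parsed.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return parsed


def vendor_specific_reply(client_options, vci_table):
    """Option 60 -> Option 43 lookup: return the vendor-specific payload configured for the
    VCI the client sent, or None when the client sent no VCI or it is not in the table."""
    for code, payload in client_options:
        if code == 60:
            return vci_table.get(payload.decode("ascii", "replace"))
    return None


if __name__ == "__main__":
    # Constructed configuration mirroring the CoastalServer/ServerXYZ example above.
    opts, warns = build_custom_options([
        ("CoastalServer", 6, "ip", ["10.43.2.10", "10.44.2.10"]),
        ("ServerXYZ", 6, "ascii", ["dns.example.test"]),
        ("PhoneProvisioning", 150, "ip", ["192.168.3.5"]),
        ("PhoneProvisioning", 150, "hex", ["0xc0a80306"]),  # overwrites the ip entry
    ])
    for w in warns:
        print("warning:", w)
    print(parse_wire(to_wire(opts)))
    print(vendor_specific_reply([(53, b"\x01"), (60, b"PXEClient")], {"PXEClient": b"\x06\x01\x03"}))
```

Run it to see the three warnings the firewall would raise for that configuration (two predefined-code collisions and one type overwrite) and the decoded TLV list; feed your own option list to build_custom_options before committing it so that the 0x prefix and the 255-octet limit are checked somewhere, since the firewall will not check them for you.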

Configure an Interface as a DHCP Server

The prerequisites for this task are:
- Configure a Layer 3 Ethernet or Layer 3 VLAN interface.
- Assign the interface to a virtual router and a zone.
- Determine a valid pool of IP addresses from your network plan that you can designate to be assigned by your DHCP server to clients.
- Collect the DHCP options, values, and Vendor Class Identifiers you plan to configure.

Perform the following task to configure an interface on the firewall to act as a DHCP server. You can configure multiple DHCP servers.

Configure an Interface as a DHCP Server

Step 1  Select an interface to be a DHCP Server.
1. Select Network > DHCP > DHCP Server and Add an Interface name or select one from the drop-down.
2. For Mode, select enabled or auto mode. Auto mode enables the server and disables it if another DHCP server is detected on the network. The disabled setting disables the server.
3. (Optional) Select Ping IP when allocating new IP if you want the server to ping the IP address before it assigns that address to its client.
   NOTE: If the ping receives a response, that means a different device already has that address, so it is not available. The server assigns the next address from the pool instead. This behavior is similar to Optimistic Duplicate Address Detection (DAD) for IPv6, RFC 4429.
   NOTE: After you set options and return to the DHCP Server tab, the Probe IP column for the interface indicates whether Ping IP when allocating new IP was selected.

Step 2  Configure the predefined DHCP Options that the server sends to its clients.
In the Options section, select a Lease type:
- Unlimited causes the server to dynamically choose IP addresses from the IP Pools and assign them permanently to clients.
- Timeout determines how long the lease will last. Enter the number of Days and Hours, and optionally the number of Minutes.

Inheritance Source: Leave None or select a source DHCP client interface or PPPoE client interface to propagate various server settings into the DHCP server. If you specify an Inheritance Source, select one or more options below that you want inherited from this source.
Specifying an inheritance source allows the firewall to quickly add DHCP options that the DHCP client received from the upstream server. It also keeps the client options updated if the source changes an option. For example, if the source replaces its NTP server (which had been identified as the Primary NTP server), the client will automatically inherit the new address as its Primary NTP server.
NOTE: When inheriting DHCP option(s) that contain multiple IP addresses, the firewall uses only the first IP address contained in the option to conserve cache memory. If you require multiple IP addresses for a single option, configure the DHCP options directly on that firewall rather than configure inheritance.

Check inheritance source status: If you selected an Inheritance Source, clicking this link opens the Dynamic IP Interface Status window, which displays the options that were inherited from the DHCP client.

Gateway: IP address of the network gateway (an interface on the firewall) that is used to reach any device not on the same LAN as this DHCP server.

Subnet Mask: Network mask used with the addresses in the IP Pools.

For the following fields, click the down arrow and select None or inherited, or enter a remote server's IP address that your DHCP server will send to clients for accessing that service. If you select inherited, the DHCP server inherits the values from the source DHCP client specified as the Inheritance Source.
- Primary DNS, Secondary DNS: IP address of the preferred and alternate Domain Name System (DNS) servers.
- Primary WINS, Secondary WINS: IP address of the preferred and alternate Windows Internet Naming Service (WINS) servers.
- Primary NIS, Secondary NIS: IP address of the preferred and alternate Network Information Service (NIS) servers.
- Primary NTP, Secondary NTP: IP address of the available Network Time Protocol servers.
- POP3 Server: IP address of a Post Office Protocol (POP3) server.
- SMTP Server: IP address of a Simple Mail Transfer Protocol (SMTP) server.
- DNS Suffix: Suffix for the client to use locally when an unqualified hostname is entered that it cannot resolve.

Step 3  (Optional) Configure a vendor-specific or custom DHCP option that the DHCP server sends to its clients.
1. In the Custom DHCP Options section, Add a descriptive Name to identify the DHCP option.
2. Enter the Option Code you want to configure the server to offer (range is 1-254). (See RFC 2132 for option codes.)
3. If the Option Code is 43, the Vendor Class Identifier field appears. Enter a VCI, which is a string or hexadecimal value (with 0x prefix) used as a match against a value that comes from the client Request containing option 60. The server looks up the incoming VCI in its table, finds it, and returns Option 43 and the corresponding option value.
4. Inherit from DHCP server inheritance source: Select it only if you specified an Inheritance Source for the DHCP Server predefined options and you want the vendor-specific and custom options also to be inherited from this source.
5. Check inheritance source status: If you selected an Inheritance Source, clicking this link opens Dynamic IP Interface Status, which displays the options that were inherited from the DHCP client.
6. If you did not select Inherit from DHCP server inheritance source, select an Option Type: IP Address, ASCII, or Hexadecimal. Hexadecimal values must start with the 0x prefix.
7. Enter the Option Value you want the DHCP server to offer for that Option Code. You can enter multiple values on separate lines.
8. Click OK.

Step 4  (Optional) Add another vendor-specific or custom DHCP option.
1. Repeat Step 3 to enter another custom DHCP Option.
   - You can enter multiple option values for an Option Code with the same Option Name, but all values for an Option Code must be the same type (IP Address, ASCII, or Hexadecimal). If one type is inherited or entered and a different type is entered for the same Option Code and the same Option Name, the second type overwrites the first type.
   - When entering multiple values for an option, enter the values in the order of preference, or else move the Custom DHCP Options to achieve the preferred order in the list. Select an option and click Move Up or Move Down.
   - You can enter an Option Code more than once by using a different Option Name. In this case, the Option Type for the Option Code can differ among the multiple option names.
2. Click OK.

Step 5  Identify the stateful pool of IP addresses from which the DHCP server chooses an address and assigns it to a DHCP client.
NOTE: If you are not the network administrator for your network, ask the network administrator for a valid pool of IP addresses from the network plan that can be designated to be assigned by your DHCP server.
1. In the IP Pools field, Add the range of IP addresses from which this server assigns an address to a client. Enter an IP subnet and subnet mask (for example, 192.168.1.0/24) or a range of IP addresses (for example, 192.168.1.10-192.168.1.20).
   - An IP Pool or a Reserved Address is mandatory for dynamic IP address assignment.
   - An IP Pool is optional for static IP address assignment as long as the static IP addresses that you assign fall into the subnet that the firewall interface services.
2. (Optional) Repeat Step 1 to specify another IP address pool.

Step 6  (Optional) Specify an IP address from the IP pools that will not be assigned dynamically. If you also specify a MAC Address, the Reserved Address is assigned to that device when the device requests an IP address through DHCP.
NOTE: See the DHCP Addressing section for an explanation of allocation of a Reserved Address.
1. In the Reserved Address field, click Add.
2. Enter an IP address from the IP Pools (format x.x.x.x) that you do not want to be assigned dynamically by the DHCP server.
3. (Optional) Specify the MAC Address (format xx:xx:xx:xx:xx:xx) of the device to which you want to permanently assign the IP address specified in Step 2.
4. (Optional) Repeat Step 2 and Step 3 to reserve another address.

Step 7  Commit the configuration.
Click OK and Commit the change.


Configure an Interface as a DHCP Client

Before configuring a firewall interface as a DHCP client, make sure you have configured a Layer 3 Ethernet or Layer 3 VLAN interface, and the interface is assigned to a virtual router and a zone. Perform this task if you need to use DHCP to request an IPv4 address for an interface on your firewall.

You can also Configure the Management Interface as a DHCP Client.

Configure an Interface as a DHCP Client

Step 1  Configure an interface as a DHCP client.
1. Select Network > Interfaces.
2. On the Ethernet tab or the VLAN tab, Add an interface, or select a configured interface, that you want to be a DHCP client.
3. Select the IPv4 tab; for Type, select DHCP Client.
4. Select Enable.
5. (Optional) Select Automatically create default route pointing to default gateway provided by server. This causes the firewall to create a static default route to the gateway the DHCP server supplies, which is useful when clients are trying to access many destinations that do not need to have routes maintained in a routing table on the firewall.
6. (Optional) Enter a Default Route Metric (priority level) for that default route (range is 1-65535; there is no default metric). A route with a lower number has higher priority during route selection. For example, a route with a metric of 10 is used before a route with a metric of 100.
7. (Optional) Select Show DHCP Client Runtime Info to see all of the settings the client has inherited from its DHCP server.

Step 2  Commit the configuration.
Click OK and Commit the change.
Now the Ethernet interface indicates Dynamic-DHCP Client in its IP Address field on the Ethernet tab.

Step 3  (Optional) See which interfaces on the firewall are configured as DHCP clients.
1. Select Network > Interfaces > Ethernet and look in the IP Address field to see which interfaces indicate DHCP Client.
2. Select Network > Interfaces > VLAN and look in the IP Address field to see which interfaces indicate DHCP Client.

Configure the Management Interface as a DHCP Client

The management interface on the firewall supports DHCP client for IPv4, which allows the management interface to receive its IPv4 address from a DHCP server. The management interface also supports DHCP Option 12 and Option 61, which allow the firewall to send its hostname and client identifier, respectively, to DHCP servers.

By default, VM-Series firewalls deployed in AWS and Azure use the management interface as a DHCP client to obtain its IP address, rather than a static IP address, because cloud deployments require the automation this feature provides. DHCP on the management interface is turned off by default for the VM-Series firewall except for the VM-Series firewall in AWS and Azure. The management interfaces on WildFire and Panorama models do not support this DHCP functionality.

For hardware-based firewall models (not VM-Series), configure the management interface with a static IP address when possible.

If the firewall acquires a management interface address through DHCP, assign a MAC address reservation on the DHCP server that serves that firewall. The reservation ensures that the firewall retains its management IP address after a restart. If the DHCP server is a Palo Alto Networks firewall, see Step 6 of Configure an Interface as a DHCP Server for reserving an address.

If you configure the management interface as a DHCP client, the following restrictions apply:
- You cannot use the management interface in an HA configuration for control link (HA1 or HA1 backup), data link (HA2 or HA2 backup), or packet forwarding (HA3) communication.
- You cannot select MGT as the Source Interface when you customize service routes (Device > Setup > Services > Service Route Configuration > Customize). However, you can select Use default to route the packets via the management interface.
- You cannot use the dynamic IP address of the management interface to connect to a Hardware Security Module (HSM). The IP address on the HSM client firewall must be a static IP address because the HSM authenticates the firewall using the IP address, and operations on the HSM would stop working if the IP address were to change during runtime.

A prerequisite for this task is that the management interface must be able to reach a DHCP server.

Configure the Management Interface as a DHCP Client

Step 1  Configure the Management interface as a DHCP client so that it can receive its IP address (IPv4), netmask (IPv4), and default gateway from a DHCP server. Optionally, you can also send the hostname and client identifier of the management interface to the DHCP server if the orchestration system you use accepts this information.
1. Select Device > Setup > Management and edit Management Interface Settings.
2. For IP Type, select DHCP Client.
3. (Optional) Select one or both options for the firewall to send to the DHCP server in DHCP Discover or Request messages:
   - Send Hostname: Sends the Hostname (as defined in Device > Setup > Management) as part of DHCP Option 12.
   - Send Client ID: Sends the client identifier as part of DHCP Option 61. A client identifier uniquely identifies a DHCP client, and the DHCP server uses it to index its configuration parameter database.
4. Click OK.

Step 2  (Optional) Configure the firewall to accept the hostname and domain from the DHCP server.
1. Select Device > Setup > Management and edit General Settings.
2. Select one or both options:
   - Accept DHCP server provided Hostname: Allows the firewall to accept the hostname from the DHCP server (if valid). When enabled, the hostname from the DHCP server overwrites any existing Hostname specified in Device > Setup > Management. Do not select this option if you want to manually configure a hostname.
   - Accept DHCP server provided Domain: Allows the firewall to accept the domain from the DHCP server. The domain (DNS suffix) from the DHCP server overwrites any existing Domain specified in Device > Setup > Management. Do not select this option if you want to manually configure a domain.
3. Click OK.

Step 3  Commit the configuration.
Click Commit.

Step 4  View DHCP client information.
1. Select Device > Setup > Management and Management Interface Settings.
2. Click Show DHCP Client Runtime Info.

Step 5  (Optional) Renew the DHCP lease with the DHCP server, regardless of the lease term. This option is convenient if you are testing or troubleshooting network issues.
1. Select Device > Setup > Management and edit Management Interface Settings.
2. Click Show DHCP Client Runtime Info.
3. Click Renew.

Step 6  (Optional) Release the following DHCP options that came from the DHCP server: IP Address, Netmask, Default Gateway, DNS Server (primary and secondary), NTP Server (primary and secondary), and Domain (DNS Suffix).
Use the CLI operational command request dhcp client management-interface release.
A release frees the IP address, which drops your network connection and renders the firewall unmanageable if no other interface is configured for management access.


Configure an Interface as a DHCP Relay Agent

To enable a firewall interface to transmit DHCP messages between clients and servers, you must configure the firewall as a DHCP relay agent. The interface can forward messages to a maximum of eight external IPv4 DHCP servers and eight external IPv6 DHCP servers. A client DHCPDISCOVER message is sent to all configured servers, and the DHCPOFFER message of the first server that responds is relayed back to the requesting client. Before configuring a DHCP relay agent, make sure you have configured a Layer 3 Ethernet or Layer 3 VLAN interface, and the interface is assigned to a virtual router and a zone.

Configure an Interface as a DHCP Relay Agent

Step 1  Select DHCP Relay.
Select Network > DHCP > DHCP Relay.

Step 2  Specify the IP address of each DHCP server with which the DHCP relay agent will communicate.
1. In the Interface field, select from the drop-down the interface you want to be the DHCP relay agent.
2. Select either IPv4 or IPv6, indicating the type of DHCP server address you will specify.
3. If you checked IPv4, in the DHCP Server IP Address field, Add the address of the DHCP server to and from which you will relay DHCP messages.
4. If you checked IPv6, in the DHCP Server IPv6 Address field, Add the address of the DHCP server to and from which you will relay DHCP messages. If you specify a multicast address, also specify an outgoing Interface.
5. (Optional) Repeat Steps 2-4 to enter a maximum of eight DHCP server addresses per IP address family.

Step 3  Commit the configuration.
Click OK and Commit the change.

Monitor and Troubleshoot DHCP

You can view the status of dynamic address leases that your DHCP server has assigned, or that your DHCP client has been assigned, by issuing commands from the CLI. You can also clear leases before they time out and are released automatically.
- View DHCP Server Information
- Clear Leases Before They Expire Automatically
- View DHCP Client Information
- Gather Debug Output about DHCP

View DHCP Server Information

To view DHCP pool statistics, the IP addresses the DHCP server has assigned, the corresponding MAC address, the state and duration of the lease, and the time the lease began, use the following command. If the address was configured as a Reserved Address, the state column indicates reserved and there is no duration or lease_time. If the lease was configured as Unlimited, the duration column displays a value of 0.

admin@PA-200> show dhcp server lease all
interface: "ethernet1/2"
Allocated IPs: 1, Total number of IPs in pool: 5. 20.0000% used
ip            mac                state      duration   lease_time
192.168.3.11  f0:2f:af:42:70:cf  committed  0          Wed Jul  2 08:10:56 2014
admin@PA-200>

To view the options that a DHCP server has assigned to clients, use the following command:

admin@PA-200> show dhcp server settings all
Interface     GW            DNS1         DNS2         DNS-Suffix   Inherit source
-------------------------------------------------------------------------------------
ethernet1/2   192.168.3.1   10.43.2.10   10.44.2.10                ethernet1/3
admin@PA-200>
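The following is an added example, not PAN-OS code or output from this guide: it parses text in the format that show dhcp server lease all prints (the sample output embedded in it is constructed, with made-up interfaces, addresses and MACs) and audits it for what an operator would want flagged: pools close to exhaustion, unlimited leases, and a device that should hold a reserved address (for example a firewall whose management interface is a DHCP client, per the recommendation in Configure the Management Interface as a DHCP Client) but was handed a dynamic lease instead. The 80 percent threshold and the MAC list are assumptions for the example.

```python
"""Added example (not PAN-OS code): parse 'show dhcp server lease all' output and
audit it for pool exhaustion, unlimited leases and missing reservations."""
import re

# Constructed sample in the format shown above; interface names, addresses and MACs are made up.
SAMPLE_LEASE_OUTPUT = """\
interface: "ethernet1/2"
Allocated IPs: 2, Total number of IPs in pool: 5. 40.0000% used
ip mac state duration lease_time
192.168.3.11 f0:2f:af:42:70:cf committed 0 Wed Jul 2 08:10:56 2014
192.168.3.12 00:50:56:12:34:56 reserved
interface: "ethernet1/3"
Allocated IPs: 9, Total number of IPs in pool: 10. 90.0000% used
ip mac state duration lease_time
10.1.1.5 00:0c:29:aa:bb:cc committed 86400 Wed Jul 2 08:12:03 2014
"""

IFACE_RE = re.compile(r'^interface:\s*"([^"]+)"')
POOL_RE = re.compile(r"Allocated IPs:\s*(\d+),\s*Total number of IPs in pool:\s*(\d+)")
LEASE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+"
    r"(?P<state>\w+)"
    r"(?:\s+(?P<duration>\d+)\s+(?P<lease_time>.+?))?\s*$"
)


def parse_lease_output(text):
    """Return {interface: {"allocated": int, "total": int, "leases": [dict, ...]}}."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            current = interfaces.setdefault(m.group(1), {"allocated": 0, "total": 0, "leases": []})
            continue
        if current is None:
            continue  # prompt or other text before the first interface block
        m = POOL_RE.search(line)
        if m:
            current["allocated"], current["total"] = int(m.group(1)), int(m.group(2))
            continue
        m = LEASE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["mac"] = rec["mac"].lower()
            # Reserved rows carry no duration or lease_time, so those fields stay None.
            rec["duration"] = int(rec["duration"]) if rec["duration"] is not None else None
            current["leases"].append(rec)
    return interfaces


def audit(interfaces, must_be_reserved, warn_pct=80.0):
    """Flag pools at or above warn_pct utilisation, committed leases with duration 0
    (Unlimited), and MACs in must_be_reserved that hold a non-reserved lease."""
    findings = []
    for name, info in interfaces.items():
        if info["total"]:
            pct = 100.0 * info["allocated"] / info["total"]
            if pct >= warn_pct:
                findings.append(f"{name}: pool {pct:.1f}% used")
        for lease in info["leases"]:
            if lease["state"] == "committed" and lease["duration"] == 0:
                findings.append(f"{name}: {lease['ip']} ({lease['mac']}) holds an unlimited lease")
            if lease["mac"] in must_be_reserved and lease["state"] != "reserved":
                findings.append(f"{name}: {lease['ip']} for {lease['mac']} is dynamic, not reserved")
    return findings


if __name__ == "__main__":
    # Assumed MAC of a firewall management interface that should have a reservation.
    for finding in audit(parse_lease_output(SAMPLE_LEASE_OUTPUT), {"00:0c:29:aa:bb:cc"}):
        print(finding)
```

Pipe the real command output (for example, captured over SSH) into parse_lease_output instead of the constructed sample; the header row and the CLI prompt are ignored because neither matches the lease pattern.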

Clear Leases Before They Expire Automatically

The following example shows how to release the expired DHCP leases of an interface (server) before the hold timer releases them automatically. Those addresses will be available in the IP pool again.

admin@PA-200> clear dhcp lease interface ethernet1/2 expired-only

The following example shows how to release the lease of a particular IP address (a leased client address, not the gateway address of the subnet):

admin@PA-200> clear dhcp lease interface ethernet1/2 ip 192.168.3.11

The following example shows how to release the lease of a particular MAC address:

admin@PA-200> clear dhcp lease interface ethernet1/2 mac f0:2c:ae:29:71:34

View DHCP Client Information

To view the status of IP address leases sent to the firewall when it is acting as a DHCP client, use the show dhcp client state <interface_name> command or the following command:

admin@PA-200> show dhcp client state all
Interface     State   IP            Gateway       Leased-until
---------------------------------------------------------------------------
ethernet1/1   Bound   10.43.14.80   10.43.14.1    70315
admin@PA-200>

Gather Debug Output about DHCP

To gather debug output about DHCP, use one of the following commands:

admin@PA-200> debug dhcpd
admin@PA-200> debug management-server dhcpd

DNS

Domain Name System (DNS) is a protocol that translates (resolves) a user-friendly domain name, such as www.paloaltonetworks.com, to an IP address so that users can access computers, websites, services, or other resources on the internet or private networks.
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution for Management Purposes
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- Reference: DNS Proxy Rule and FQDN Matching

DNS Overview

DNS performs a crucial role in enabling user access to network resources so that users need not remember IP addresses and individual computers need not store a huge volume of domain names mapped to IP addresses. DNS employs a client/server model; a DNS server resolves a query for a DNS client by looking up the domain in its cache and, if necessary, sending queries to other servers until it can respond to the client with the corresponding IP address.

The DNS structure of domain names is hierarchical; the top-level domain (TLD) in a domain name can be a generic TLD (gTLD): com, edu, gov, int, mil, net, or org (gov and mil are for the United States only), or a country code (ccTLD), such as au (Australia) or us (United States). ccTLDs are generally reserved for countries and dependent territories.

A fully qualified domain name (FQDN) includes at a minimum a hostname, a second-level domain, and a TLD to completely specify the location of the host in the DNS structure. For example, www.paloaltonetworks.com is an FQDN.

Wherever a Palo Alto Networks firewall uses an FQDN in the user interface or CLI, the firewall must resolve that FQDN using DNS. Depending on where the FQDN query originates, the firewall determines which DNS settings to use to resolve the query. The following firewall tasks are related to DNS:
- Configure your firewall with at least one DNS server so it can resolve hostnames. Configure primary and secondary DNS servers or a DNS Proxy object that specifies such servers, as shown in Use Case 1: Firewall Requires DNS Resolution for Management Purposes.
- Customize how the firewall handles DNS resolution initiated by Security policy rules, reporting, and management services (such as email, Kerberos, SNMP, syslog, and more) for each virtual system, as shown in Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System.
- Configure the firewall to act as a DNS server for a client, as shown in Use Case 3: Firewall Acts as DNS Proxy Between Client and Server.
- Configure an Anti-Spyware profile to Use DNS Queries to Identify Infected Hosts on the Network.
- Enable Passive DNS Monitoring, which allows the firewall to automatically share domain-to-IP address mappings based on your network traffic with Palo Alto Networks. The Palo Alto Networks threat research team uses this information to gain insight into malware propagation and evasion techniques that abuse the DNS system.
- Enable Evasion Signatures and then enable evasion signatures for threat prevention.
- Configure an Interface as a DHCP Server. This enables the firewall to act as a DHCP server and send DNS information to its DHCP clients so the provisioned DHCP clients can reach their respective DNS servers.

DNS Proxy Object

When configured as a DNS proxy, the firewall is an intermediary between DNS clients and servers; it acts as a DNS server itself by resolving queries from its DNS proxy cache. If it doesn't find the domain name in its DNS proxy cache, the firewall searches for a match to the domain name among the entries in the specific DNS proxy object (on the interface on which the DNS query arrived). The firewall forwards the query to the appropriate DNS server based on the match results. If no match is found, the firewall uses the default DNS servers.

A DNS proxy object is where you configure the settings that determine how the firewall functions as a DNS proxy. You can assign a DNS proxy object to a single virtual system, or it can be shared among all virtual systems.

If the DNS proxy object is for a virtual system, you can specify a DNS Server Profile, which specifies the primary and secondary DNS server addresses, along with other information. The DNS server profile simplifies configuration.

If the DNS proxy object is shared, you must specify at least the primary address of a DNS server.

When configuring multiple tenants (ISP subscribers) with DNS services, each tenant should have its own DNS proxy defined, which keeps the tenant's DNS service separate from other tenants' services.

In the proxy object, you specify the interfaces for which the firewall is acting as DNS proxy. The DNS proxy for the interface does not use the service route; responses to the DNS requests are always sent out the interface, assigned to the virtual router, on which the DNS request arrived.

When you Configure a DNS Proxy Object, you can supply the DNS proxy with static FQDN-to-address mappings. You can also create DNS proxy rules that control to which DNS server the domain name queries (that match the proxy rules) are directed. You can configure a maximum of 256 DNS proxy objects on a firewall.

When the firewall receives an FQDN query (and the domain name is not in the DNS proxy cache), the firewall compares the domain name from the FQDN query to the domain names in the DNS Proxy rules of the DNS Proxy object. If you specify multiple domain names in a single DNS Proxy rule, a query that matches any one of the domain names in the rule matches the rule. Reference: DNS Proxy Rule and FQDN Matching describes how the firewall determines whether an FQDN matches a domain name in a DNS proxy rule. A DNS query that matches a rule is sent to the primary DNS server configured for that rule to be resolved.
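The following is an added example, not PAN-OS code or part of this guide: it models the decision order the two preceding paragraphs describe (proxy cache, then static entries, then DNS proxy rules, then the default servers) together with the per-rule caching switch from Configure a DNS Proxy Object, using a tenant split-DNS layout of the kind described under Multi-Tenant DNS Deployments. Because the matching reference is not reproduced on this page, the rule match used here (a query matches when it equals a configured domain or is a subdomain of it) is an assumption; the rule names, domains and server addresses are made up.

```python
"""Added example (not PAN-OS code): a model of the DNS proxy object decision order
described above: proxy cache -> static entries -> DNS proxy rules -> default servers."""
from dataclasses import dataclass, field


def _norm(name):
    """Case-insensitive, trailing-dot-insensitive comparison key for a domain name."""
    return name.lower().rstrip(".")


@dataclass
class ProxyRule:
    name: str
    domains: list            # Domain Name entries configured on the rule
    servers: list            # primary first, then secondary
    cache: bool = True       # "Turn on caching of domains resolved by this mapping"


@dataclass
class DnsProxyObject:
    default_servers: list                                 # Primary/Secondary of the object
    static_entries: dict = field(default_factory=dict)    # fqdn -> [addresses]
    rules: list = field(default_factory=list)
    cache: dict = field(default_factory=dict)             # filled by record_answer

    def match_rule(self, qname):
        """First rule whose domain list matches qname, or None.
        Assumption: a query matches a domain when equal to it or a subdomain of it."""
        q = _norm(qname)
        for rule in self.rules:
            for domain in rule.domains:
                d = _norm(domain)
                if q == d or q.endswith("." + d):
                    return rule
        return None

    def decide(self, qname):
        """Return (source, detail) describing how the proxy answers qname:
        ('cache', addresses) | ('static', addresses) |
        ('rule', {'rule': name, 'servers': [...]}) | ('default', {'servers': [...]})."""
        q = _norm(qname)
        if q in self.cache:
            return ("cache", list(self.cache[q]))
        for fqdn, addresses in self.static_entries.items():
            if _norm(fqdn) == q:
                # All configured addresses go in the response; the client picks one.
                return ("static", list(addresses))
        rule = self.match_rule(q)
        if rule is not None:
            return ("rule", {"rule": rule.name, "servers": list(rule.servers)})
        return ("default", {"servers": list(self.default_servers)})

    def record_answer(self, qname, addresses):
        """Store an upstream answer in the proxy cache unless the matching rule has
        caching turned off. Returns True when the answer was cached."""
        rule = self.match_rule(qname)
        if rule is not None and not rule.cache:
            return False
        self.cache[_norm(qname)] = list(addresses)
        return True


def example_proxy():
    """Constructed tenant layout: corp.example.test resolves on the tenant's own servers,
    one host is pinned statically, dyn.example.test is never cached, everything else
    goes to the ISP default servers."""
    return DnsProxyObject(
        default_servers=["10.43.2.10", "10.44.2.10"],
        static_entries={"intranet.corp.example.test": ["192.168.3.50", "192.168.3.51"]},
        rules=[
            ProxyRule("tenant-corp", ["corp.example.test"], ["192.168.3.53", "192.168.3.54"]),
            ProxyRule("tenant-dyn", ["dyn.example.test"], ["192.168.3.55"], cache=False),
        ],
    )


if __name__ == "__main__":
    proxy = example_proxy()
    for name in ("intranet.corp.example.test", "mail.corp.example.test",
                 "notcorp.example.test", "www.paloaltonetworks.com"):
        print(name, "->", proxy.decide(name))
```

Note that "notcorp.example.test" falls through to the default servers: the subdomain test requires a label boundary, which is the behaviour you want from any suffix-style rule so that a tenant rule for corp.example.test cannot capture queries for an unrelated name that merely ends in the same characters.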

834 PANOS8.0AdministratorsGuide PaloAltoNetworks,Inc.


Networking DNS

DNSServerProfile

Tosimplifyconfigurationforavirtualsystem,aDNS serverprofileallowsyoutospecifythevirtualsystem
thatisbeingconfigured,aninheritancesourceortheprimaryandsecondaryIPaddressesforDNSservers,
andasourceinterfaceandsourceaddress(serviceroute)thatwillbeusedinpacketssenttotheDNSserver.
Thesourceinterfacedeterminesthevirtualrouter,whichhasaroutetable.ThedestinationIPaddressis
lookedupintheroutetableofthevirtualrouterwherethesourceinterfaceisassigned.Itspossiblethatthe
resultofthedestinationIPegressinterfacediffersfromthesourceinterface.Thepacketwouldegressout
ofthedestinationIPegressinterfacedeterminedbytheroutetablelookup,butthesourceIPaddresswould
betheaddressconfigured.ThesourceaddressisusedasthedestinationaddressinthereplyfromtheDNS
server.
ThevirtualsystemreportandvirtualsystemserverprofilesendtheirqueriestotheDNSserverspecifiedfor
thevirtualsystem,ifthereisone.(TheDNSserverusedisdefinedinDevice > Virtual Systems > General > DNS
Proxy.)IfthereisnoDNSserverspecifiedforthevirtualsystem,theDNSserverspecifiedforthefirewallis
queried.
YouConfigureaDNSServerProfileforavirtualsystemonly;itisnotforaglobalSharedlocation.

Multi-Tenant DNS Deployments

The firewall determines how to handle DNS requests based on where the request originated. An environment where an ISP has multiple tenants on a firewall is known as multi-tenancy. There are three use cases for multi-tenant DNS deployments:
- Global Management DNS Resolution: The firewall needs DNS resolution for its own purposes; for example, the request comes from the management plane to resolve an FQDN for a management event such as a software update service. The firewall uses the service route to get to a DNS server because the DNS request isn't coming in on a specific virtual router.
- Policy and Report FQDN Resolution for a Virtual System: For DNS queries from a Security policy, a report, or a service, you can specify a set of DNS servers specific to the virtual system (tenant) or you can default to the global DNS servers. If your use case requires a different set of DNS servers per virtual system, you must configure a DNS Proxy Object. The resolution is specific to the virtual system to which the DNS proxy is assigned. If you don't have specific DNS servers applicable to this virtual system, the firewall uses the global DNS settings.
- Dataplane DNS Resolution for a Virtual System: This method is also known as a Network Request for DNS Resolution. The tenant's virtual system can be configured so that specified domain names are resolved on the tenant's DNS server in its network. This method supports split DNS, meaning that the tenant can also use its own ISP DNS servers for the remaining DNS queries not resolved on its own server. DNS Proxy Object rules control the split DNS; the tenant's domain redirects DNS requests to its DNS servers, which are configured in a DNS server profile. The DNS server profile has primary and secondary DNS servers designated, and also DNS service routes for IPv4 and IPv6, which override the default DNS settings.

The following table summarizes the DNS resolution types. The binding location determines which DNS proxy object is used for the resolution. For illustration purposes, the use cases show how a service provider might configure DNS settings to provide DNS services for resolving DNS queries required on the firewall and for tenant (subscriber) virtual systems.

Resolution Type                                    Location: Shared               Location: Specific Vsys
Firewall DNS resolution performed by the           Binding: Global                N/A
management plane                                   Illustrated in Use Case 1
Security profile, reporting, and server profile    Binding: Global                Binding: Specific vsys
resolution performed by the management plane       Same behavior as Use Case 1    Illustrated in Use Case 2
DNS proxy resolution for DNS client hosts          Binding: Interface
connected to an interface on the firewall, going   Service Route: Interface and IP address on which the DNS request was received
through the firewall to a DNS server, performed    Illustrated in Use Case 3
by the dataplane

- Use Case 1: Firewall Requires DNS Resolution for Management Purposes
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server

Configure a DNS Proxy Object

If your firewall is to act as a DNS proxy, perform this task to configure a DNS Proxy Object. The proxy object can either be shared among all virtual systems or applied to a specific virtual system.

When the firewall is enabled to act as a DNS proxy, evasion signatures that detect crafted HTTP or TLS requests can alert to instances where a client connects to a domain other than the domains specified in the original DNS query. As a best practice, Enable Evasion Signatures after configuring DNS proxy.

836 PANOS8.0AdministratorsGuide PaloAltoNetworks,Inc.


Networking DNS

Configure a DNS Proxy Object

Step 1  Configure the basic settings for a DNS Proxy object.
    1. Select Network > DNS Proxy and Add a new object.
    2. Verify that Enable is selected.
    3. Enter a Name for the object.
    4. For Location, select the virtual system to which the object applies. If you select Shared, you must specify at least a Primary DNS server address, and optionally a Secondary address.
    5. If you selected a virtual system, for Server Profile, select a DNS Server profile or else click DNS Server Profile to configure a new profile. See Configure a DNS Server Profile.
    6. For Inheritance Source, select a source from which to inherit default DNS server settings. The default is None.
    7. For Interface, click Add and specify the interfaces to which the DNS Proxy object applies.
       • If you use the DNS Proxy object for performing DNS lookups, an interface is required. The firewall will listen for DNS requests on this interface, and then proxy them.
       • If you use the DNS Proxy object for a service route, the interface is optional.

Step 2  (Optional) Specify DNS Proxy rules.
    1. On the DNS Proxy Rules tab, Add a Name for the rule.
    2. Turn on caching of domains resolved by this mapping if you want the firewall to cache the resolved domains.
    3. For Domain Name, Add one or more domains, one entry per row, to which the firewall compares FQDN queries. If a query matches one of the domains in the rule, the query is sent to one of the following servers to be resolved (depending on what you configured in the prior step):
       • The Primary or Secondary DNS Server directly specified for this proxy object.
       • The Primary or Secondary DNS Server specified in the DNS Server profile for this proxy object.
       Reference: DNS Proxy Rule and FQDN Matching describes how the firewall matches domain names in an FQDN to a DNS proxy rule. If no match is found, default DNS servers resolve the query.
    4. Do one of the following, depending on what you set the Location to:
       • If you chose a virtual system, select a DNS Server profile.
       • If you chose Shared, enter a Primary and optionally a Secondary address.
    5. Click OK.


Step 3  (Optional) Supply the DNS Proxy with static FQDN-to-address entries. Static DNS entries allow the firewall to resolve the FQDN to an IP address without sending a query to the DNS server.
    1. On the Static Entries tab, Add a Name.
    2. Enter the Fully Qualified Domain Name (FQDN).
    3. For Address, Add the IP address to which the FQDN should be mapped. You can provide additional IP addresses for an entry. The firewall will provide all of the IP addresses in its DNS response and the client chooses which address to use.
    4. Click OK.

Step 4  (Optional) Enable caching and configure other advanced settings for the DNS Proxy.
    1. On the Advanced tab, select TCP Queries to enable DNS queries using TCP.
       • Max Pending Requests: Enter the maximum number of concurrent, pending TCP DNS requests that the firewall will support (range is 64-256; default is 64).
    2. For UDP Queries Retries, enter:
       • Interval (sec): The length of time (in seconds) after which another request is sent if no response has been received (range is 1-30; default is 2).
       • Attempts: The maximum number of UDP query attempts (excluding the first attempt) after which the next DNS server is queried (range is 1-30; default is 5).
    3. Select Cache to enable the firewall to cache FQDN-to-address mappings that it learns.
       • Select Enable TTL to limit the length of time the firewall caches DNS resolution entries for the proxy object. Disabled by default.
         Enter Time to Live (sec), the number of seconds after which all cached entries for the proxy object are removed. After the entries are removed, new DNS requests must be resolved and cached again. Range is 60-86,400. There is no default TTL; entries remain until the firewall runs out of cache memory.
       • Cache EDNS Responses: Select this if you want the firewall to cache partial DNS responses that are greater than 512 bytes. If a subsequent FQDN for a cached entry arrives, the firewall sends the partial DNS response. If you want full DNS responses (greater than 512 bytes), don't select this option.

Step 5  Commit the configuration.
    Click OK and Commit.

Configure a DNS Server Profile

Configure a DNS Server Profile, which simplifies configuration of a virtual system. The Primary DNS or Secondary DNS address is used to create the DNS request that the virtual system sends to the DNS server.


Step 1  Name the DNS server profile, select the virtual system to which it applies, and specify the primary and secondary DNS server addresses.
    1. Select Device > Server Profiles > DNS and Add a Name for the DNS server profile.
    2. For Location, select the virtual system to which the profile applies.
    3. For Inheritance Source, from the drop-down, select None if the DNS server addresses are not inherited. Otherwise, specify the DNS server from which the profile should inherit settings. If you choose a DNS server, click Check inheritance source status to see that information.
    4. Specify the IP address of the Primary DNS server, or leave as inherited if you chose an Inheritance Source.
       NOTE: Keep in mind that if you specify an FQDN instead of an IP address, the DNS for that FQDN is resolved in Device > Virtual Systems > DNS Proxy.
    5. Specify the IP address of the Secondary DNS server, or leave as inherited if you chose an Inheritance Source.

Step 2  Configure the service route that the firewall automatically uses, based on whether the target DNS server has an IP address family type of IPv4 or IPv6.
    1. Click Service Route IPv4 to enable the subsequent interface and IPv4 address to be used as the service route, if the target DNS address is an IPv4 address.
    2. Specify the Source Interface to select the DNS server's source IP address that the service route will use. The firewall determines which virtual router is assigned that interface, and then does a route lookup in the virtual router routing table to reach the destination network (based on the Primary DNS address).
    3. Specify the IPv4 Source Address from which packets going to the DNS server are sourced.
    4. Click Service Route IPv6 to enable the subsequent interface and IPv6 address to be used as the service route, if the target DNS address is an IPv6 address.
    5. Specify the Source Interface to select the DNS server's source IP address that the service route will use. The firewall determines which virtual router is assigned that interface, and then does a route lookup in the virtual router routing table to reach the destination network (based on the Primary DNS address).
    6. Specify the IPv6 Source Address from which packets going to the DNS server are sourced.
    7. Click OK.

Step 3  Commit the configuration.
    Click OK and Commit.

Use Case 1: Firewall Requires DNS Resolution for Management Purposes

In this use case, the firewall is the client requesting DNS resolutions of FQDNs for management events such as software update services, dynamic software updates, or WildFire. The shared, global DNS services perform the DNS resolution for the management plane functions.


Configure DNS Services for the Firewall

Step 1  Configure the primary and secondary DNS servers you want the firewall to use for its management DNS resolutions.
    NOTE: You must manually configure at least one DNS server on the firewall or it won't be able to resolve hostnames; it won't use DNS server settings from another source, such as an ISP.
    1. Select Device > Setup > Services > Global and Edit. (For firewalls that do not support multiple virtual systems, there is no Global tab; simply edit the Services.)
    2. On the Services tab, for DNS, click Servers and enter the Primary DNS Server address and Secondary DNS Server address.
    3. Click OK and Commit.

Step 2  Alternatively, you can configure a DNS Proxy Object if you want to configure advanced DNS functions such as split DNS, DNS proxy overrides, DNS proxy rules, static entries, or DNS inheritance.
    1. Select Device > Setup > Services > Global and Edit.
    2. On the Services tab, for DNS, select DNS Proxy Object.
    3. From the DNS Proxy drop-down, select the DNS proxy that you want to use to configure global DNS services, or click DNS Proxy to configure a new DNS proxy object as follows:
       a. Click Enable and enter a Name for the DNS proxy object.
       b. For Location, select Shared for global, firewall-wide DNS proxy services.
          NOTE: Shared DNS proxy objects don't use DNS server profiles because they don't require a specific service route belonging to a tenant virtual system.
       c. Enter the Primary DNS server IP address. Optionally enter a Secondary DNS server IP address.
    4. Click OK and Commit.


Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System

In this use case, multiple tenants (ISP subscribers) are defined on the firewall and each tenant is allocated a separate virtual system (vsys) and virtual router in order to segment its services and administrative domains. The following figure illustrates several virtual systems within a firewall.

Each tenant has its own server profiles for Security policy rules, reporting, and management services (such as email, Kerberos, SNMP, syslog, and more) defined in its own networks.
For the DNS resolutions initiated by these services, each virtual system is configured with its own DNS Proxy Object to allow each tenant to customize how DNS resolution is handled within its virtual system. Any service with a Location will use the DNS Proxy object configured for the virtual system to determine the primary (or secondary) DNS server to resolve FQDNs, as illustrated in the following figure.


Configure a DNS Proxy for a Virtual System

Step 1  For each virtual system, specify the DNS Proxy to use.
    1. Select Device > Virtual Systems and Add the ID of the virtual system (range is 1-255), and an optional Name, in this example, Corp1 Corporation.
    2. On the General tab, choose a DNS Proxy or create a new one. In this example, Corp1 DNS Proxy is selected as the proxy for Corp1 Corporation's virtual system.
    3. For Interfaces, click Add. In this example, Ethernet1/20 is dedicated to this tenant.
    4. For Virtual Routers, click Add. A virtual router named Corp1 VR is assigned to the virtual system in order to separate routing functions.
    5. Click OK.

Step 2  Configure a DNS Proxy and a server profile to support DNS resolution for a virtual system.
    1. Select Network > DNS Proxy and click Add.
    2. Click Enable and enter a Name for the DNS Proxy.
    3. For Location, select the virtual system of the tenant, in this example, Corp1 Corporation (vsys6). (You could choose the Shared DNS Proxy resource instead.)
    4. For Server Profile, choose or create a profile to customize DNS servers to use for DNS resolutions for this tenant's security policy, reporting, and server profile services.
       If the profile is not already configured, in the Server Profile field, click DNS Server Profile to Configure a DNS Server Profile.
       The DNS server profile identifies the IP addresses of the primary and secondary DNS server to use for management DNS resolutions for this virtual system.
    5. Also for this server profile, optionally configure a Service Route IPv4 and/or a Service Route IPv6 to instruct the firewall which Source Interface to use in its DNS requests. If that interface has more than one IP address, configure the Source Address also.
    6. Click OK.
    7. Click OK and Commit.

Optional advanced features such as split DNS can be configured using DNS Proxy Rules. A separate DNS server profile can be used to redirect DNS resolutions matching the Domain Name in a DNS Proxy Rule to another set of DNS servers, if required. Use Case 3 illustrates split DNS.

If you use two separate DNS server profiles in the same DNS Proxy object, one for the DNS Proxy and one for the DNS proxy rule, the following behaviors occur:
• If a service route is defined in the DNS server profile used by the DNS Proxy, it takes precedence and is used.
• If a service route is defined in the DNS server profile used in the DNS proxy rules, it is not used. If the service route differs from the one defined in the DNS server profile used by the DNS Proxy, the following warning message is displayed during the Commit process:

    Warning: The DNS service route defined in the DNS proxy object is different from the DNS proxy
    rules service route. Using the DNS proxy objects service route.

• If no service route is defined in any DNS server profile, the global service route is used if needed.

Use Case 3: Firewall Acts as DNS Proxy Between Client and Server

In this use case, the firewall is located between a DNS client and a DNS server. A DNS Proxy on the firewall is configured to act as the DNS server for the hosts that reside on the tenant's network connected to the firewall interface. In such a scenario, the firewall performs DNS resolution on its dataplane.

This scenario uses split DNS, a configuration in which DNS Proxy rules redirect DNS requests to one set of DNS servers based on a domain name match. If there is no match, the server profile determines the DNS servers to which the request is sent. These two resolution paths are what make the DNS "split".

For dataplane DNS resolutions, the source IP address from the DNS proxy in PAN-OS to the outside DNS server would be the address of the proxy (the destination IP of the original request). Any service routes defined in the DNS Server Profile are not used. For example, if the request is from host 1.1.1.1 to the DNS proxy at 2.2.2.2, then the request to the DNS server (at 3.3.3.3) would use a source of 2.2.2.2 and a destination of 3.3.3.3.


Configure a DNS Proxy and DNS Proxy Rules

Configure a DNS Proxy and DNS proxy rules.
    1. Select Network > DNS Proxy and click Add.
    2. Click Enable and enter a Name for the DNS Proxy.
    3. For Location, select the virtual system of the tenant, in this example, Corp1 Corporation (vsys6).
    4. For Interface, select the interface that will receive the DNS requests from the tenant's hosts, in this example, Ethernet1/20.
    5. Choose or create a Server Profile to customize DNS servers to resolve DNS requests for this tenant.
    6. On the DNS Proxy Rules tab, Add a Name for the rule.
    7. (Optional) Select Turn on caching of domains resolved by this mapping.
    8. Add one or more Domain Name(s), one entry per row. Reference: DNS Proxy Rule and FQDN Matching describes how the firewall matches FQDNs to domain names in a DNS proxy rule.
    9. For DNS Server profile, select a profile from the drop-down.
       The firewall compares the domain name in the DNS request to the domain name(s) defined in the DNS Proxy Rules. If there is a match, the DNS Server profile defined in the rule is used to determine the DNS server.
       In this example, if the domain in the request matches myweb.corp1.com, the DNS server defined in the myweb DNS Server Profile is used. If there is no match, the DNS server defined in the Server Profile (Corp1 DNS Server Profile) is used.
    10. Click OK twice.

Reference: DNS Proxy Rule and FQDN Matching

When you configure the firewall with a DNS Proxy Object that uses DNS proxy rules, the firewall compares an FQDN from a DNS query to the domain name of a DNS proxy rule. The firewall comparison works as follows:

FQDN Comparison to DNS Proxy Rule, with examples

The firewall first tokenizes the FQDNs and the domain names in the DNS proxy rules. In a domain name, a string delimited by a period (.) is a token.
    For example, *.boat.fish.com consists of four tokens: [*][boat][fish][com]

The matching process is an exact token match between the FQDN and the domain name in the rule; partial strings are not matched.
    Rule: fishing
    FQDN: fish  Not a Match

An exception to the exact match requirement is the use of the wildcard, an asterisk (*). The * matches one or more tokens. This means a rule consisting of only a wildcard (*) matches any FQDN with one or more tokens.
    Rule: *.boat.com
    FQDN: www.boat.com  Match
    FQDN: www.blue.boat.com  Match
    FQDN: boat.com  Not a Match

    Rule: *
    FQDN: boat  Match
    FQDN: boat.com  Match
    FQDN: www.boat.com  Match

You can use an * in any position: preceding tokens, between tokens, or trailing tokens (but not with other characters within a single token).
    Rule: www.*.com
    FQDN: www.boat.com  Match
    FQDN: www.blue.boat.com  Match

    Rule: www.boat.*
    FQDN: www.boat.com  Match
    FQDN: www.boat.fish.com  Match

    Rule: www.boat*.com  Invalid

Multiple wildcards (*) can appear in any position of the domain name: preceding tokens, between tokens, or trailing tokens. Each non-consecutive * matches one or more tokens.
    Rule: a.*.d.*.com
    FQDN: a.b.d.e.com  Match
    FQDN: a.b.c.d.e.f.com  Match
    FQDN: a.d.d.e.f.com  Match (First * matches d; second * matches e and f)
    FQDN: a.d.e.f.com  Not a Match (First * matches d; subsequent d in the rule is not matched)

When wildcards are used in consecutive tokens, the first * matches one or more tokens; the second * matches one token. This means a rule consisting of only *.* matches any FQDN with two or more tokens.
    Consecutive wildcards preceding tokens:
    Rule: *.*.boat.com
    FQDN: www.blue.boat.com  Match
    FQDN: www.blue.sail.boat.com  Match

    Consecutive wildcards between tokens:
    Rule: www.*.*.boat.com
    FQDN: www.blue.sail.boat.com  Match
    FQDN: www.big.blue.sail.boat.com  Match

    Consecutive wildcards trailing tokens:
    Rule: www.boat.*.*
    FQDN: www.boat.fish.com  Match
    FQDN: www.boat.fish.ocean.com  Match

    Consecutive wildcards only:
    Rule: *.*
    FQDN: boat  Not a Match
    FQDN: boat.com  Match
    FQDN: www.boat.com  Match

Consecutive and non-consecutive wildcards can appear in the same rule.
    Rule: a.*.d.*.*.com
    FQDN: a.b.c.d.e.f.com  Match (First * matches b and c; second * matches e; third * matches f)
    FQDN: a.b.c.d.e.com  Not a Match (First * matches b and c; second * matches e; third * not matched)

The Implicit tail match behavior provides an additional shorthand: as long as the last token of the rule is not an *, a comparison will match if all tokens in the rule match the FQDN, even when the FQDN has additional trailing tokens that the rule doesn't have.
    Rule: www.boat.fish
    FQDN: www.boat.fish.com  Match
    FQDN: www.boat.fish.ocean.com  Match
    FQDN: www.boat.fish  Match

This rule ends with *, so the Implicit tail match rule doesn't apply. The * behaves as stated; it matches one or more tokens.
    Rule: www.boat.fish.*
    FQDN: www.boat.fish.com  Match
    FQDN: www.boat.fish.ocean.com  Match
    FQDN: www.boat.fish  Not a Match (This FQDN does not have a token to match the * in the rule.)

In the case where an FQDN matches more than one rule, a tie-breaking algorithm selects the most specific (longest) rule; that is, the algorithm favors the rule with more tokens and fewer wildcards (*).
    FQDN: boat.fish.com
    Rule 1: *.fish.com  Match
    Rule 2: *.com  Match
    Rule 3: boat.fish.com  Match and Tie Breaker
    The FQDN matches all three rules; the firewall uses Rule 3 because it is the most specific.

    FQDN: fish.com
    Rule 1: *.fish.com  Not a Match
    Rule 2: *.com  Match
    Rule 3: boat.fish.com  Not a Match
    The FQDN does not match Rule 1 because the * does not have a token to match.

    FQDN: blue.boat.fish.com
    Rule 1: *.fish.com  Match and Tie Breaker
    Rule 2: *.com  Match
    Rule 3: boat.fish.com  Not a Match
    The FQDN matches Rule 1 and Rule 2 (because the * matches one or more tokens). The firewall uses Rule 1 because it is the most specific.

When working with wildcards (*) and Implicit tail match rules, there can be cases when the FQDN matches more than one rule and the tie-breaking algorithm weighs the rules equally. To avoid ambiguity, if rules with an Implicit tail match or a wildcard (*) can overlap, replace an Implicit tail match rule by specifying the tail token.
    Replace this:
    Rule: www.boat
    with this:
    Rule: www.boat.com

When creating DNS proxy rules, the following best practices will help you avoid ambiguity and unexpected results:

Best Practices for Creating DNS Proxy Rules, with examples

• Avoid invoking an Implicit tail match by including a top-level domain in the domain name.
    For example: boat.com

• If you use a wildcard (*), use it only as the leftmost token. This practice follows the common understanding of wildcard DNS records and the hierarchical nature of DNS.
    For example: *.boat.com

• Use no more than one * in a rule.

• Use the * to establish a base rule associated with a DNS server, and use rules with more tokens to build exceptions to the rule, which you associate with different servers. The tie-breaking algorithm will select the most specific match, based on the number of matched tokens.
    Rule: *.corporation.com  DNS server A
    Rule: www.corporation.com  DNS server B
    Rule: *.internal.corporation.com  DNS server C
    Rule: www.internal.corporation.com  DNS server D
    FQDN: mail.internal.corporation.com matches DNS server C
    FQDN: mail.corporation.com matches DNS server A
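The following Python model is an added example, not PAN-OS code. It implements the matching behavior from the reference table above (token-by-token comparison, wildcards that match one or more tokens, the "first * in a run matches one or more, later ones match exactly one" rule for consecutive wildcards, the Implicit tail match, and the tie-breaker that prefers more tokens and fewer wildcards) and then uses it the way Use Case 3 does: each rule maps to a DNS server profile, and an FQDN that matches no rule falls back to the proxy object's own server profile. The rule set and profile names at the bottom are constructed from the best-practices table; what happens on an exact tie between two rules is this example's own assumption, since the guide says to rewrite rules so that ties cannot occur.

```python
"""Model of how the firewall matches an FQDN against DNS proxy rules.

Added example (not PAN-OS code): it reproduces the token, wildcard,
implicit-tail and tie-breaking behaviour described in the reference
table, and picks a DNS server profile the way split DNS does.
"""
from typing import List, Optional, Tuple

Pattern = List[Tuple[str, str]]   # (kind, token); kind is "lit", "plus" or "one"


def tokenize(name: str) -> List[str]:
    """A token is a string delimited by '.'; matching is case-insensitive."""
    return [t for t in name.lower().strip(".").split(".") if t]


def compile_rule(rule: str) -> Pattern:
    """Classify each rule token.

    The first '*' of a run of consecutive wildcards matches one or more
    tokens ("plus"); every further '*' in that run matches exactly one ("one").
    A '*' mixed with other characters inside a token is invalid.
    """
    pattern: Pattern = []
    prev_star = False
    for tok in tokenize(rule):
        if "*" in tok and tok != "*":
            raise ValueError(f"invalid rule {rule!r}: '*' must be a whole token")
        if tok == "*":
            pattern.append(("one" if prev_star else "plus", "*"))
        else:
            pattern.append(("lit", tok))
        prev_star = tok == "*"
    if not pattern:
        raise ValueError("rule has no tokens")
    return pattern


def _match(pat: Pattern, toks: List[str], i: int, j: int) -> bool:
    if i == len(pat):                       # every rule token has been matched
        if j == len(toks):
            return True
        # Implicit tail match: extra trailing FQDN tokens are accepted
        # unless the rule ends with '*'.
        return pat[-1][0] == "lit"
    if j == len(toks):                      # FQDN exhausted, rule is not
        return False
    kind, tok = pat[i]
    if kind == "lit":
        return toks[j] == tok and _match(pat, toks, i + 1, j + 1)
    if kind == "one":
        return _match(pat, toks, i + 1, j + 1)
    # "plus": try every way of consuming one or more tokens (backtracking)
    return any(_match(pat, toks, i + 1, k) for k in range(j + 1, len(toks) + 1))


def rule_matches(rule: str, fqdn: str) -> bool:
    return _match(compile_rule(rule), tokenize(fqdn), 0, 0)


def specificity(rule: str) -> Tuple[int, int]:
    """Tie-breaker key: more tokens first, then fewer wildcards."""
    toks = tokenize(rule)
    return (len(toks), -toks.count("*"))


def select_rule(rules: List[str], fqdn: str) -> Optional[str]:
    """Return the most specific matching rule, or None if nothing matches.

    Assumption: on an exact tie the earliest listed rule wins; the guide
    says to rewrite rules so such ties cannot occur.
    """
    matched = [r for r in rules if rule_matches(r, fqdn)]
    return max(matched, key=specificity) if matched else None


def resolve_server_profile(rules: List[Tuple[str, str]], fqdn: str,
                           default_profile: str) -> str:
    """Split DNS: rules map domain names to DNS server profiles; no match
    falls back to the proxy object's own server profile."""
    best = select_rule([rule for rule, _ in rules], fqdn)
    return default_profile if best is None else dict(rules)[best]


# Constructed rule set from the best-practices table (profile names assumed).
SPLIT_DNS_RULES = [
    ("*.corporation.com", "DNS server A"),
    ("www.corporation.com", "DNS server B"),
    ("*.internal.corporation.com", "DNS server C"),
    ("www.internal.corporation.com", "DNS server D"),
]

if __name__ == "__main__":
    for name in ("mail.internal.corporation.com", "mail.corporation.com", "example.net"):
        print(name, "->", resolve_server_profile(SPLIT_DNS_RULES, name, "Corp1 DNS Server Profile"))
```

Running the script resolves the two FQDNs from the best-practices table to DNS server C and DNS server A, and sends example.net to the fallback profile. The backtracking in `_match` is what makes `a.*.d.*.com` reject `a.d.e.f.com` while accepting `a.d.d.e.f.com`, exactly as the table states.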


NAT

This section describes Network Address Translation (NAT) and how to configure the firewall for NAT. NAT allows you to translate private, non-routable IPv4 addresses to one or more globally routable IPv4 addresses, thereby conserving an organization's routable IP addresses. NAT allows you to not disclose the real IP addresses of hosts that need access to public addresses and to manage traffic by performing port forwarding. You can use NAT to solve network design challenges, enabling networks with identical IP subnets to communicate with each other. The firewall supports NAT on Layer 3 and virtual wire interfaces.
The NAT64 option translates between IPv6 and IPv4 addresses, providing connectivity between networks using disparate IP addressing schemes, and therefore a migration path to IPv6 addressing. IPv6-to-IPv6 Network Prefix Translation (NPTv6) translates one IPv6 prefix to another IPv6 prefix. PAN-OS supports all of these functions.
If you use private IP addresses within your internal networks, you must use NAT to translate the private addresses to public addresses that can be routed on external networks. In PAN-OS, you create NAT policy rules that instruct the firewall which packet addresses and ports need translation and what the translated addresses and ports are.
• NAT Policy Rules
• Source NAT and Destination NAT
• NAT Rule Capacities
• Dynamic IP and Port NAT Oversubscription
• Dataplane NAT Memory Statistics
• Configure NAT
• NAT Configuration Examples

NAT Policy Rules

• NAT Policy Overview
• NAT Address Pools Identified as Address Objects
• Proxy ARP for NAT Address Pools

NAT Policy Overview

You configure a NAT rule to match a packet's source zone and destination zone, at a minimum. In addition to zones, you can configure matching criteria based on the packet's destination interface, source and destination address, and service. You can configure multiple NAT rules. The firewall evaluates the rules in order from the top down. Once a packet matches the criteria of a single NAT rule, the packet is not subjected to additional NAT rules. Therefore, your list of NAT rules should be in order from most specific to least specific so that packets are subjected to the most specific rule you created for them.
Static NAT rules do not have precedence over other forms of NAT. Therefore, for static NAT to work, the static NAT rules must be above all other NAT rules in the list on the firewall.


NAT rules provide address translation, and are different from security policy rules, which allow or deny packets. It is important to understand the firewall's flow logic when it applies NAT rules and security policy rules so that you can determine what rules you need, based on the zones you have defined. You must configure security policy rules to allow the NAT traffic.
Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones. Finally, upon egress, for a matching NAT rule, the firewall translates the source and/or destination address and port numbers.
Keep in mind that the translation of the IP address and port do not occur until the packet leaves the firewall. The NAT rules and security policies apply to the original IP address (the pre-NAT address). A NAT rule is configured based on the zone associated with a pre-NAT IP address.
Security policies differ from NAT rules because security policies examine post-NAT zones to determine whether the packet is allowed or not. Because the very nature of NAT is to modify source or destination IP addresses, which can result in modifying the packet's outgoing interface and zone, security policies are enforced on the post-NAT zone.

A SIP call sometimes experiences one-way audio when going through the firewall because the call manager sends a SIP message on behalf of the phone to set up the connection. When the message from the call manager reaches the firewall, the SIP ALG must put the IP address of the phone through NAT. If the call manager and the phones are not in the same security zone, the NAT lookup of the IP address of the phone is done using the call manager zone. The NAT policy should take this into consideration.

No-NAT rules are configured to allow exclusion of IP addresses defined within the range of NAT rules defined later in the NAT policy. To define a no-NAT policy, specify all of the match criteria and select No Source Translation in the source translation column.
You can verify the NAT rules processed by using the CLI test nat-policy-match command in operational mode. For example:
user@device1> test nat-policy-match ?
+ destination Destination IP address
+ destination-port Destination port
+ from From zone
+ ha-device-id HA Active/Active device ID
+ protocol IP protocol value
+ source Source IP address
+ source-port Source port
+ to To Zone
+ to-interface Egress interface to use
| Pipe through a command
<Enter> Finish input
user@device1> test nat-policy-match from l3-untrust source 10.1.1.1 destination
66.151.149.20 destination-port 443 protocol 6
Destination-NAT: Rule matched: CA2-DEMO
66.151.149.20:443 => 192.168.100.15:443
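The following Python model is an added example, not PAN-OS code. It reproduces the evaluation order described in this overview: NAT rules are matched top-down against the pre-NAT addresses and the zones from the route lookup, the first match wins and later rules are never consulted, a no-NAT rule ends evaluation without translating anything, and a static rule placed below a broader rule on the same zones is never reached. The addresses come from the topology used in the Configure NAT section later in this chapter (192.168.1.0/24 internal clients, web server 10.1.1.11 published as 203.0.113.11, egress interface 203.0.113.100); the rule names, the "kind" labels, the service tuple format and the no-NAT management host are this example's own conventions. The shadowed_static_rules helper is a lint this example adds to catch the ordering mistake the text warns about.

```python
"""Model of NAT policy evaluation on the firewall (added example, not PAN-OS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str        # egress zone from the route lookup on the pre-NAT destination
    src: str
    dst: str
    protocol: int       # 6 = TCP, 17 = UDP
    dport: int


@dataclass(frozen=True)
class NatRule:
    name: str
    kind: str           # "static-ip", "dynamic-ip-and-port", "destination" or "no-nat" (labels assumed)
    from_zones: Tuple[str, ...]
    to_zones: Tuple[str, ...]
    source: str = "any"                 # "any" or CIDR, matched against the pre-NAT source
    destination: str = "any"            # "any" or CIDR, matched against the pre-NAT destination
    service: Optional[Tuple[int, int]] = None                    # (protocol, destination port)
    translated_src: Optional[str] = None                         # new source address
    translated_dst: Optional[Tuple[str, Optional[int]]] = None   # (address, port or None)


def _addr_in(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    return (pkt.from_zone in rule.from_zones
            and pkt.to_zone in rule.to_zones
            and _addr_in(pkt.src, rule.source)
            and _addr_in(pkt.dst, rule.destination)
            and (rule.service is None or rule.service == (pkt.protocol, pkt.dport)))


def match_nat_policy(rules: List[NatRule], pkt: Packet) -> Optional[NatRule]:
    """Top-down, first match wins; later rules are never consulted."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


def apply_nat(rules: List[NatRule], pkt: Packet) -> Tuple[Optional[str], str, str, int]:
    """Return (rule name, source, destination, destination port) as the packet leaves the firewall."""
    rule = match_nat_policy(rules, pkt)
    if rule is None or rule.kind == "no-nat":
        return (rule.name if rule else None, pkt.src, pkt.dst, pkt.dport)
    src = rule.translated_src or pkt.src
    dst, port = pkt.dst, pkt.dport
    if rule.translated_dst is not None:
        dst, new_port = rule.translated_dst
        port = new_port if new_port is not None else pkt.dport   # port forwarding keeps the port
    return (rule.name, src, dst, port)


def _covers(broad: str, narrow: str) -> bool:
    if broad == "any":
        return True
    if narrow == "any":
        return False
    return ipaddress.ip_network(narrow, strict=False).subnet_of(ipaddress.ip_network(broad, strict=False))


def shadowed_static_rules(rules: List[NatRule]) -> List[str]:
    """Names of static rules that an earlier, broader rule on the same zones hides."""
    shadowed = []
    for i, rule in enumerate(rules):
        if rule.kind != "static-ip":
            continue
        for earlier in rules[:i]:
            if (set(rule.from_zones) <= set(earlier.from_zones)
                    and set(rule.to_zones) <= set(earlier.to_zones)
                    and _covers(earlier.source, rule.source)
                    and _covers(earlier.destination, rule.destination)
                    and earlier.service in (None, rule.service)):
                shadowed.append(rule.name)
                break
    return shadowed


# Constructed rule base, ordered most specific to least specific, static rule first.
RULES = [
    NatRule("dmz-web-static", "static-ip", ("dmz",), ("untrust",),
            source="10.1.1.11/32", translated_src="203.0.113.11"),
    NatRule("web-uturn", "destination", ("trust",), ("untrust",),
            destination="203.0.113.11/32", translated_dst=("10.1.1.11", None)),
    NatRule("mgmt-no-nat", "no-nat", ("trust",), ("untrust",), source="192.168.1.250/32"),
    NatRule("internal-dipp", "dynamic-ip-and-port", ("trust",), ("untrust",),
            source="192.168.1.0/24", translated_src="203.0.113.100"),
]

if __name__ == "__main__":
    print(apply_nat(RULES, Packet("trust", "untrust", "192.168.1.10", "203.0.113.11", 6, 443)))
    print(shadowed_static_rules(RULES))
```

Swapping the order so that a broad dmz-to-untrust DIPP rule precedes dmz-web-static makes shadowed_static_rules report it, and match_nat_policy then returns the DIPP rule for the web server's traffic, which is the failure the text describes when static rules are not placed above all other rules.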


NAT Address Pools Identified as Address Objects

When configuring a Dynamic IP or Dynamic IP and Port NAT address pool in a NAT policy rule, it is typical to configure the pool of translated addresses with address objects. Each address object can be a host IP address, IP address range, or IP subnet.

Because both NAT rules and security policy rules use address objects, it is a best practice to distinguish between them by naming an address object used for NAT with a prefix, such as NAT-name.

Proxy ARP for NAT Address Pools

NAT address pools are not bound to any interfaces. The following figure illustrates the behavior of the firewall when it is performing proxy ARP for an address in a NAT address pool.

The firewall performs source NAT for a client, translating the source address 1.1.1.1 to the address in the NAT pool, 2.2.2.2. The translated packet is sent on to a router.
For the return traffic, the router does not know how to reach 2.2.2.2 (because the IP address 2.2.2.2 is just an address in the NAT address pool), so it sends an ARP request packet to the firewall.
If the address pool (2.2.2.2) is in the same subnet as the egress/ingress interface IP address (2.2.2.3/24), the firewall can send a proxy ARP reply to the router, indicating the Layer 2 MAC address of the IP address, as shown in the figure above.
If the address pool (2.2.2.2) is not a subnet of an interface on the firewall, the firewall will not send a proxy ARP reply to the router. This means that the router must be configured with the necessary route to know where to send packets destined for 2.2.2.2, in order to ensure the return traffic is routed back to the firewall, as shown in the figure below.


Source NAT and Destination NAT

The firewall supports both source address and/or port translation and destination address and/or port translation.
• Source NAT
• Destination NAT

Source NAT

Source NAT is typically used by internal users to access the Internet; the source address is translated and thereby kept private. There are three types of source NAT:
• Dynamic IP and Port (DIPP): Allows multiple hosts to have their source IP addresses translated to the same public IP address with different port numbers. The dynamic translation is to the next available address in the NAT address pool, which you configure as a Translated Address pool to be an IP address, range of addresses, a subnet, or a combination of these.
  As an alternative to using the next address in the NAT address pool, DIPP allows you to specify the address of the Interface itself. The advantage of specifying the interface in the NAT rule is that the NAT rule will be automatically updated to use any address subsequently acquired by the interface. DIPP is sometimes referred to as interface-based NAT or network address port translation (NAPT).
  DIPP has a default NAT oversubscription rate, which is the number of times that the same translated IP address and port pair can be used concurrently. For more information, see Dynamic IP and Port NAT Oversubscription and Modify the Oversubscription Rate for DIPP NAT.
• Dynamic IP: Allows the one-to-one, dynamic translation of a source IP address only (no port number) to the next available address in the NAT address pool. The size of the NAT pool should be equal to the number of internal hosts that require address translations. By default, if the source address pool is larger than the NAT address pool and eventually all of the NAT addresses are allocated, new connections that need address translation are dropped. To override this default behavior, use Advanced (Dynamic IP/Port Fallback) to enable use of DIPP addresses when necessary. In either event, as sessions terminate and the addresses in the pool become available, they can be allocated to translate new connections.
  Dynamic IP NAT supports the option for you to Reserve Dynamic IP NAT Addresses.
• Static IP: Allows the 1-to-1, static translation of a source IP address, but leaves the source port unchanged. A common scenario for a static IP translation is an internal server that must be available to the Internet.

Destination NAT

Destination NAT is performed on incoming packets, when the firewall translates a public destination address to a private address. Destination NAT does not use address pools or ranges. It is a 1-to-1, static translation with the option to perform port forwarding or port translation.
• Static IP: Allows the 1-to-1, static translation of a destination IP address and optionally the port number. One common use of destination NAT is to configure several NAT rules that map a single public destination address to several private destination host addresses assigned to servers or services. In this case, the destination port numbers are used to identify the destination hosts. For example:
  • Port Forwarding: Can translate a public destination address and port number to a private destination address, but keeps the same port number.


  • Port Translation: Can translate a public destination address and port number to a private destination address and a different port number, thus keeping the real port number private. It is configured by entering a Translated Port on the Translated Packet tab in the NAT policy rule. See the Destination NAT with Port Translation Example.

NAT Rule Capacities

The number of NAT rules allowed is based on the firewall model. Individual rule limits are set for static, Dynamic IP (DIP), and Dynamic IP and Port (DIPP) NAT. The sum of the number of rules used for these NAT types cannot exceed the total NAT rule capacity. For DIPP, the rule limit is based on the oversubscription setting (8, 4, 2, or 1) of the firewall and the assumption of one translated IP address per rule. To see model-specific NAT rule limits and translated IP address limits, use the Compare Firewalls tool.
Consider the following when working with NAT rules:
• If you run out of pool resources, you cannot create more NAT rules, even if the model's maximum rule count has not been reached.
• If you consolidate NAT rules, the logging and reporting will also be consolidated. The statistics are provided per the rule, not per all of the addresses within the rule. If you need granular logging and reporting, do not combine the rules.

Dynamic IP and Port NAT Oversubscription

Dynamic IP and Port (DIPP) NAT allows you to use each translated IP address and port pair multiple times (8, 4, or 2 times) in concurrent sessions. This reusability of an IP address and port (known as oversubscription) provides scalability for customers who have too few public IP addresses. The design is based on the assumption that hosts are connecting to different destinations, therefore sessions can be uniquely identified and collisions are unlikely. The oversubscription rate in effect multiplies the original size of the address/port pool to 8, 4, or 2 times the size. For example, the default limit of 64K concurrent sessions allowed, when multiplied by an oversubscription rate of 8, results in 512K concurrent sessions allowed.
The oversubscription rates that are allowed vary based on the model. The oversubscription rate is global; it applies to the firewall. This oversubscription rate is set by default and consumes memory, even if you have enough public IP addresses available to make oversubscription unnecessary. You can reduce the rate from the default setting to a lower setting or even 1 (which means no oversubscription). By configuring a reduced rate, you decrease the number of source device translations possible, but increase the DIP and DIPP NAT rule capacities. To change the default rate, see Modify the Oversubscription Rate for DIPP NAT.
If you select Platform Default, your explicit configuration of oversubscription is turned off and the default oversubscription rate for the model applies, as shown in the table below. The Platform Default setting allows for an upgrade or downgrade of a software release.
The following table lists the default (highest) oversubscription rate for each model.

Model          Default Oversubscription Rate
PA-200         2
PA-220         2
PA-500         2
PA-820         2
PA-850         2
PA-3020        2
PA-3050        2
PA-3060        2
PA-5020        4
PA-5050        8
PA-5060        8
PA-5220        4
PA-5250        8
PA-5260        8
PA-7050        8
PA-7080        8
VM-50          2
VM-100         1
VM-200         1
VM-300         2
VM-500         8
VM-700         8
VM-1000-HV     2

The firewall supports a maximum of 256 translated IP addresses per NAT rule, and each model supports a maximum number of translated IP addresses (for all NAT rules combined). If oversubscription causes the maximum translated addresses per rule (256) to be exceeded, the firewall will automatically reduce the oversubscription ratio in an effort to have the commit succeed. However, if your NAT rules result in translations that exceed the maximum translated addresses for the model, the commit will fail.


Dataplane NAT Memory Statistics

The show running global-ippool command displays statistics related to NAT memory consumption for a pool. The Size column displays the number of bytes of memory that the resource pool is using. The Ratio column displays the oversubscription ratio (for DIPP pools only). The lines of pool and memory statistics are explained in the following sample output:

For NAT pool statistics for a virtual system, the show running ippool command has columns indicating the memory size used per NAT rule and the oversubscription ratio used (for DIPP rules). The following is sample output for the command.

A field in the output of the show running nat-rule-ippool rule command shows the memory (bytes) used per NAT rule. The following is sample output for the command, with the memory usage for the rule encircled.


Configure NAT

Perform the following tasks to configure various aspects of NAT. In addition to the examples below, there are examples in the section NAT Configuration Examples.
• Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
• Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
• Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
• Modify the Oversubscription Rate for DIPP NAT
• Disable NAT for a Specific Host or Interface
• Reserve Dynamic IP NAT Addresses
The NAT example in this section is based on the following topology:


Based on this topology, there are three NAT policies we need to create as follows:

• To enable the clients on the internal network to access resources on the Internet, the internal 192.168.1.0 addresses will need to be translated to publicly routable addresses. In this case, we will configure source NAT (the purple enclosure and arrow above), using the egress interface address, 203.0.113.100, as the source address in all packets that leave the firewall from the internal zone. See Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT) for instructions.
• To enable clients on the internal network to access the public web server in the DMZ zone, we must configure a NAT rule that redirects the packet from the external network, where the original routing table lookup will determine it should go based on the destination address of 203.0.113.11 within the packet, to the actual address of the web server on the DMZ network of 10.1.1.11. To do this you must create a NAT rule from the trust zone (where the source address in the packet is) to the untrust zone (where the original destination address is) to translate the destination address to an address in the DMZ zone. This type of destination NAT is called U-Turn NAT (the yellow enclosure and arrow above). See Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT) for instructions.
• To enable the web server, which has both a private IP address on the DMZ network and a public-facing address for access by external users, to both send and receive requests, the firewall must translate the incoming packets from the public IP address to the private IP address and the outgoing packets from the private IP address to the public IP address. On the firewall, you can accomplish this with a single bi-directional static source NAT policy (the green enclosure and arrow above). See Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT).

856 PANOS8.0AdministratorsGuide PaloAltoNetworks,Inc.


Networking NAT

Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)

When a client on your internal network sends a request, the source address in the packet contains the IP address for the client on your internal network. If you use private IP address ranges internally, the packets from the client will not be routable on the Internet unless you translate the source IP address in the packets leaving the network into a publicly routable address.

On the firewall you can do this by configuring a source NAT policy that translates the source address (and optionally the port) into a public address. One way to do this is to translate the source address for all packets to the egress interface on your firewall, as shown in the following procedure.

Configure Source NAT

Step 1: Create an address object for the external IP address you plan to use.
  1. Select Objects > Addresses and Add a Name and optional Description for the object.
  2. Select IP Netmask from the Type drop-down and then enter the IP address of the external interface on the firewall, 203.0.113.100 in this example.
  3. Click OK.
  Although you do not have to use address objects in your policies, it is a best practice because it simplifies administration by allowing you to make updates in one place rather than having to update every policy where the address is referenced.

Step 2: Create the NAT policy.
  1. Select Policies > NAT and click Add.
  2. On the General tab, enter a descriptive Name for the policy.
  3. (Optional) Enter a tag, which is a keyword or phrase that allows you to sort or filter policies.
  4. For NAT Type, select ipv4 (default).
  5. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
  6. On the Translated Packet tab, select Dynamic IP And Port from the Translation Type drop-down in the Source Address Translation section of the screen.
  7. For Address Type, there are two choices. You could select Translated Address and then click Add. Select the address object you just created.
     An alternative Address Type is Interface Address, in which case the translated address will be the IP address of the interface. For this choice, you would select an Interface and optionally an IP Address if the interface has more than one IP address.
  8. Click OK.

Step 3: Commit.
  Click Commit.

Step 4: (Optional) Access the CLI to verify the translation.
  1. Use the show session all command to view the session table, where you can verify the source IP address and port and the corresponding translated IP address and port.
  2. Use the show session id <id_number> command to view more details about a session.
  3. If you configured Dynamic IP NAT, use the show counter global filter aspect session severity drop | match nat command to see if any sessions failed due to NAT IP allocation. If all of the addresses in the Dynamic IP NAT pool are allocated when a new connection is supposed to be translated, the packet will be dropped.

Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)

When a user on the internal network sends a request for access to the corporate web server in the DMZ, the DNS server will resolve it to the public IP address. When processing the request, the firewall will use the original destination in the packet (the public IP address) and route the packet to the egress interface for the untrust zone. In order for the firewall to know that it must translate the public IP address of the web server to an address on the DMZ network when it receives requests from users on the trust zone, you must create a destination NAT rule that will enable the firewall to send the request to the egress interface for the DMZ zone, as follows.

Configure U-Turn NAT

Step 1: Create an address object for the web server.
  1. Select Objects > Addresses and Add a Name and optional Description for the object.
  2. Select IP Netmask from the Type drop-down and enter the public IP address of the web server, 203.0.113.11 in this example.
  3. Click OK.

Step 2: Create the NAT policy.
  1. Select Policies > NAT and click Add.
  2. On the General tab, enter a descriptive Name for the NAT rule.
  3. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
  4. In the Destination Address section, Add the address object you created for your public web server.
  5. On the Translated Packet tab, select Destination Address Translation and then enter the IP address that is assigned to the web server interface on the DMZ network, 10.1.1.11 in this example.
  6. Click OK.

Step 3: Commit.
  Click Commit.

Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)

When your public-facing servers have private IP addresses assigned on the network segment where they are physically located, you need a source NAT rule to translate the source address of the server to the external address upon egress. You create a static NAT rule to translate the internal source address, 10.1.1.11, to the external web server address, 203.0.113.11 in our example.

However, a public-facing server must be able to both send and receive packets. You need a reciprocal policy that translates the public address (the destination IP address in incoming packets from Internet users) into the private address so that the firewall can route the packet to your DMZ network. You create a bi-directional static NAT rule, as described in the following procedure. Bi-directional translation is an option for static NAT only.

Configure Bi-Directional NAT

Step 1: Create an address object for the web server's internal IP address.
  1. Select Objects > Addresses and Add a Name and optional Description for the object.
  2. Select IP Netmask from the Type drop-down and enter the IP address of the web server on the DMZ network, 10.1.1.11 in this example.
  3. Click OK.
  NOTE: If you did not already create an address object for the public address of your web server, you should create that object now.

Step 2: Create the NAT policy.
  1. Select Policies > NAT and click Add.
  2. On the General tab, enter a descriptive Name for the NAT rule.
  3. On the Original Packet tab, select the zone you created for your DMZ in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
  4. In the Source Address section, Add the address object you created for your internal web server address.
  5. On the Translated Packet tab, select Static IP from the Translation Type drop-down in the Source Address Translation section and then select the address object you created for your external web server address from the Translated Address drop-down.
  6. In the Bi-directional field, select Yes.
  7. Click OK.

Step 3: Commit.
  Click Commit.

Modify the Oversubscription Rate for DIPP NAT

If you have enough public IP addresses that you do not need to use DIPP NAT oversubscription, you can reduce the oversubscription rate and thereby increase the number of DIP and DIPP NAT rules the firewall allows.

Set NAT Oversubscription

Step 1: View the DIPP NAT oversubscription rate.
  1. Select Device > Setup > Session > Session Settings. View the NAT Oversubscription Rate setting.

Step 2: Set the DIPP NAT oversubscription rate.
  1. Edit the Session Settings section.
  2. In the NAT Oversubscription Rate drop-down, select 1x, 2x, 4x, or 8x, depending on which ratio you want.
     NOTE: The Platform Default setting applies the default oversubscription setting for the model. If you want no oversubscription, select 1x.
  3. Click OK and Commit the change.

Disable NAT for a Specific Host or Interface

Both source NAT and destination NAT rules can be configured to disable address translation. You may have exceptions where you do not want NAT to occur for a certain host in a subnet or for traffic exiting a specific interface. The following procedure shows how to disable source NAT for a host.

Create a Source NAT Exemption

Step 1: Create the NAT policy.
  1. Select Policies > NAT, click Add, and enter a descriptive Name for the policy.
  2. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
  3. For Source Address, click Add and enter the host address. Click OK.
  4. On the Translated Packet tab, select None from the Translation Type drop-down in the Source Address Translation section of the screen.
  5. Click OK.

Step 2: Commit.
  Click Commit.

NAT rules are processed in order from the top to the bottom, so place the NAT exemption policy before other NAT policies to ensure it is processed before an address translation occurs for the sources you want to exempt.

Reserve Dynamic IP NAT Addresses

You can reserve Dynamic IP NAT addresses (for a configurable period of time) to prevent them from being allocated as translated addresses to a different source IP address that needs translation. When configured, the reservation applies to all of the translated Dynamic IP addresses in progress and any new translations. For both translations in progress and new translations, when a source IP address is translated to an available translated IP address, that pairing is retained even after all sessions related to that specific source IP have expired. The reservation timer for each source IP address begins after all sessions that use that source IP address translation expire. Dynamic IP NAT is a one-to-one translation; one source IP address translates to one translated IP address that is chosen dynamically from those addresses available in the configured pool. Therefore, a translated IP address that is reserved is not available for any other source IP address until the reservation expires, which happens only if no new session for that mapping starts during the reserve time. The timer is reset each time a new session for a source IP/translated IP mapping begins after a period when no sessions were active.

By default, no addresses are reserved. You can reserve Dynamic IP NAT addresses for the firewall or for a virtual system.

Reserve Dynamic IP NAT Addresses

Reserve dynamic IP NAT addresses for a firewall. Enter the following commands:
  admin@PA-3020# set setting nat reserve-ip yes
  admin@PA-3020# set setting nat reserve-time <1-604800 secs>

Reserve dynamic IP NAT addresses for a virtual system. Enter the following commands:
  admin@PA-3020# set vsys <vsysid> setting nat reserve-ip yes
  admin@PA-3020# set vsys <vsysid> setting nat reserve-time <1-604800 secs>

For example, suppose there is a Dynamic IP NAT pool of 30 addresses and there are 20 translations in progress when the nat reserve-time is set to 28800 seconds (8 hours). Those 20 translations are now reserved, so that when the last session (of any application) that uses each source IP/translated IP mapping expires, the translated IP address is reserved for only that source IP address for 8 hours, in case that source IP address needs translation again. Additionally, as the 10 remaining translated addresses are allocated, they each are reserved for their source IP address, each with a timer that begins when the last session for that source IP address expires.

In this manner, each source IP address can be repeatedly translated to its same NAT address from the pool; another host will not be assigned a reserved translated IP address from the pool, even if there are no active sessions for that translated address.

Suppose a source IP/translated IP mapping has all of its sessions expire, and the reservation timer of 8 hours begins. After a new session for that translation begins, the timer stops, and the sessions continue until they all end, at which point the reservation timer starts again, reserving the translated address.

The reservation timer remains in effect on the Dynamic IP NAT pool until you disable it by entering the set setting nat reserve-ip no command or you change the nat reserve-time to a different value.

The CLI commands for reservations do not affect Dynamic IP and Port (DIPP) or Static IP NAT pools.
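The simulation below is an added example, not firewall code. It models the reservation behavior described above with a constructed pool of three translated addresses, constructed source hosts, a reserve-time of 28800 seconds and timestamps in seconds, and it shows a reserved address being refused to a second host until the timer expires while the original host keeps getting the same pairing. Sessions are counted per source IP rather than tracked individually, which is a simplification.

```python
"""Simulation of Dynamic IP NAT address reservation (set setting nat reserve-ip yes,
set setting nat reserve-time <secs>).  Added example modelling the behaviour this
section describes; it is not firewall code.  Pool addresses, source hosts and the
timestamps (seconds) are constructed, and sessions are counted per source IP rather
than tracked individually."""


class DynamicIpPool:
    """One-to-one Dynamic IP NAT pool with an optional per-mapping reservation timer."""

    def __init__(self, addresses, reserve_time=None):
        self.free = list(addresses)       # translated addresses neither in use nor reserved
        self.mapping = {}                 # source IP -> translated IP (active or reserved)
        self.sessions = {}                # source IP -> number of active sessions
        self.reserved_until = {}          # source IP -> time its reservation expires
        self.reserve_time = reserve_time  # None models the default: nothing is reserved

    def _expire_reservations(self, now):
        """Release pairings whose reservation timer has run out."""
        for src, until in list(self.reserved_until.items()):
            if now >= until:
                del self.reserved_until[src]
                self.free.append(self.mapping.pop(src))

    def open_session(self, src, now):
        """Translate a new session from `src`.  Returns the translated IP, or None when the
        pool is exhausted (the firewall drops the packet; see the NAT drop counters)."""
        self._expire_reservations(now)
        if src in self.mapping:
            # Active or reserved pairing: reuse it and stop the reservation timer.
            self.reserved_until.pop(src, None)
        elif self.free:
            self.mapping[src] = self.free.pop(0)
        else:
            return None
        self.sessions[src] = self.sessions.get(src, 0) + 1
        return self.mapping[src]

    def close_session(self, src, now):
        """End one session; when the last one for `src` ends, start the reservation timer
        (or return the address to the pool immediately if reservation is off)."""
        self.sessions[src] -= 1
        if self.sessions[src]:
            return
        del self.sessions[src]
        if self.reserve_time is None:
            self.free.append(self.mapping.pop(src))
        else:
            self.reserved_until[src] = now + self.reserve_time

    def state(self):
        """Snapshot for inspection: active/reserved pairings, timers and free addresses."""
        return {"mapping": dict(self.mapping),
                "reserved_until": dict(self.reserved_until),
                "free": list(self.free)}


if __name__ == "__main__":
    pool = DynamicIpPool(["203.0.113.201", "203.0.113.202", "203.0.113.203"], reserve_time=28800)
    print(pool.open_session("192.168.1.10", 0))      # 203.0.113.201
    pool.close_session("192.168.1.10", 100)          # reservation runs until t=28900
    print(pool.open_session("192.168.1.20", 200))    # 203.0.113.202, not the reserved .201
    print(pool.open_session("192.168.1.30", 250))    # 203.0.113.203
    print(pool.open_session("192.168.1.40", 300))    # None: pool exhausted, packet dropped
    print(pool.open_session("192.168.1.10", 1000))   # 203.0.113.201 again, timer stopped
    print(pool.state())
```

With reserve_time set to None the pool behaves as the default does: an address returns to the pool the moment the last session using it ends, and the next host to need translation can take it.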

NAT Configuration Examples

- Destination NAT Example: One-to-One Mapping
- Destination NAT with Port Translation Example
- Destination NAT Example: One-to-Many Mapping
- Source and Destination NAT Example
- Virtual Wire Source NAT Example
- Virtual Wire Static NAT Example
- Virtual Wire Destination NAT Example

Destination NAT Example: One-to-One Mapping

The most common mistakes when configuring NAT and security rules are the references to the zones and address objects. The addresses used in destination NAT rules always refer to the original IP address in the packet (that is, the pre-translated address). The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address).

The addresses in the security policy also refer to the IP address in the original packet (that is, the pre-NAT address). However, the destination zone is the zone where the end host is physically connected. In other words, the destination zone in the security rule is determined after the route lookup of the post-NAT destination IP address.

In the following example of a one-to-one destination NAT mapping, users from the zone named Untrust-L3 access the server 10.1.1.100 in the zone named DMZ using the IP address 1.1.1.100.

Before configuring the NAT rules, consider the sequence of events for this scenario.

- Host 1.1.1.250 sends an ARP request for the address 1.1.1.100 (the public address of the destination server).

- The firewall receives the ARP request packet for destination 1.1.1.100 on the Ethernet1/1 interface and processes the request. The firewall responds to the ARP request with its own MAC address because of the destination NAT rule configured.
- The NAT rules are evaluated for a match. For the destination IP address to be translated, a destination NAT rule from zone Untrust-L3 to zone Untrust-L3 must be created to translate the destination IP of 1.1.1.100 to 10.1.1.100.
- After determining the translated address, the firewall performs a route lookup for destination 10.1.1.100 to determine the egress interface. In this example, the egress interface is Ethernet1/2 in zone DMZ.
- The firewall performs a security policy lookup to see if the traffic is permitted from zone Untrust-L3 to DMZ.
  - The direction of the policy matches the ingress zone and the zone where the server is physically located.
  - The security policy refers to the IP address in the original packet, which has a destination address of 1.1.1.100.
- The firewall forwards the packet to the server out egress interface Ethernet1/2. The destination address is changed to 10.1.1.100 as the packet leaves the firewall.
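The model below is an added example, not firewall code. It walks packets through the two lookups described in this sequence and in the Destination U-Turn NAT, source DIPP NAT and NAT exemption procedures earlier in this chapter: the NAT rule is matched on the zone found by a route lookup of the pre-NAT destination, while the security rule is matched on the zone of the post-NAT destination but still on the pre-NAT addresses. The route table, zone names, rule names and the flows fed through it are constructed from the chapter's two topologies (203.0.113.0/24 and 1.1.1.0/24 on the public side, 10.1.1.0/24 in the DMZ). Two simplifications are assumed: the ingress zone is derived by a route lookup on the source address, and only IPv4 addresses (no ports or services) are matched.

```python
"""Model of PAN-OS NAT and security rule evaluation for the examples in this section.
Added example, not firewall code: the route table, zone names, rules and packets are
constructed from the text.  Assumptions: the ingress zone is derived by a route lookup
on the source address, and only IPv4 addresses (no ports) are matched."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed route table; longest prefix match gives the egress zone.
ROUTES = [
    ("10.1.1.0/24", "DMZ"),
    ("192.168.1.0/24", "Trust-L3"),
    ("0.0.0.0/0", "Untrust-L3"),       # default route toward the Internet
]


def zone_for(ip):
    """Route lookup: the zone of the interface the best route points out of."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, zone in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1]


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str                            # zone from route lookup of the PRE-NAT destination
    src: str = "any"                        # original (pre-NAT) addresses
    dst: str = "any"
    translated_src: Optional[str] = None    # None = no source translation
    translated_dst: Optional[str] = None    # None = no destination translation


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str                            # zone where the end host physically sits (POST-NAT)
    dst: str = "any"                        # still the PRE-NAT destination address


def _match(value, ip):
    return value == "any" or value == ip


def apply_nat(src_ip, dst_ip, rules):
    """First matching NAT rule wins.  Returns (rule name or None, post-NAT src, post-NAT dst)."""
    src_zone, pre_nat_dst_zone = zone_for(src_ip), zone_for(dst_ip)
    for r in rules:
        if (r.from_zone == src_zone and r.to_zone == pre_nat_dst_zone
                and _match(r.src, src_ip) and _match(r.dst, dst_ip)):
            return r.name, r.translated_src or src_ip, r.translated_dst or dst_ip
    return None, src_ip, dst_ip


def security_lookup(src_ip, dst_ip, post_nat_dst, rules):
    """Security policy keys on the ORIGINAL addresses but on the POST-NAT destination zone."""
    src_zone, dst_zone = zone_for(src_ip), zone_for(post_nat_dst)
    for r in rules:
        if r.from_zone == src_zone and r.to_zone == dst_zone and _match(r.dst, dst_ip):
            return r.name
    return None


# Order matters: the exemption and U-turn rules sit above the catch-all source NAT rule,
# otherwise the catch-all would match first and source-translate the U-turn traffic.
NAT_RULES = [
    NatRule("no-nat-host", "Trust-L3", "Untrust-L3", src="192.168.1.50"),
    NatRule("uturn-web", "Trust-L3", "Untrust-L3", dst="203.0.113.11", translated_dst="10.1.1.11"),
    NatRule("src-dipp", "Trust-L3", "Untrust-L3", translated_src="203.0.113.100"),
    NatRule("dnat-web", "Untrust-L3", "Untrust-L3", dst="1.1.1.100", translated_dst="10.1.1.100"),
]
SECURITY_RULES = [
    SecurityRule("trust-to-dmz-web", "Trust-L3", "DMZ", dst="203.0.113.11"),
    SecurityRule("trust-to-internet", "Trust-L3", "Untrust-L3"),
    SecurityRule("untrust-to-dmz-web", "Untrust-L3", "DMZ", dst="1.1.1.100"),
]


def evaluate(src_ip, dst_ip):
    """Run a packet through NAT and then security; summarise both lookups."""
    nat, post_src, post_dst = apply_nat(src_ip, dst_ip, NAT_RULES)
    return {
        "nat_rule": nat,
        "post_nat": (post_src, post_dst),
        "security_zones": (zone_for(src_ip), zone_for(post_dst)),
        "security_rule": security_lookup(src_ip, dst_ip, post_dst, SECURITY_RULES),
    }


if __name__ == "__main__":
    for flow in [("1.1.1.250", "1.1.1.100"), ("192.168.1.11", "203.0.113.11"),
                 ("192.168.1.11", "198.51.100.7"), ("192.168.1.50", "198.51.100.7")]:
        print(flow, evaluate(*flow))
```

The check worth keeping from this model is the last assertion in the test: a security rule written with the post-NAT address 10.1.1.100 as its destination never matches, because the security lookup is performed on the original packet.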
For this example, address objects are configured for webserver-private (10.1.1.100) and Webserver-public (1.1.1.100). The configured NAT rule would look like this:

The direction of the NAT rules is based on the result of the route lookup.

The configured security policy to provide access to the server from the Untrust-L3 zone would look like this:

Destination NAT with Port Translation Example

In this example, the web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 and TCP port 80. The destination NAT rule is configured to translate both IP address and port to 10.1.1.100 and TCP port 8080. Address objects are configured for webserver-private (10.1.1.100) and Servers-public (1.1.1.100).

The following NAT and security rules must be configured on the firewall:

Use the show session all CLI command to verify the translation.

Destination NAT Example: One-to-Many Mapping

In this example, one IP address maps to two different internal hosts. The firewall uses the application to identify the internal host to which the firewall forwards the traffic.

All HTTP traffic is sent to host 10.1.1.100 and SSH traffic is sent to server 10.1.1.101. The following address objects are required:

- Address object for the one pre-translated IP address of the server
- Address object for the real IP address of the SSH server
- Address object for the real IP address of the web server

The corresponding address objects are created:

- Servers-public: 1.1.1.100
- SSH-server: 10.1.1.101
- webserver-private: 10.1.1.100

The NAT rules would look like this:

The security rules would look like this:

Source and Destination NAT Example

In this example, NAT rules translate both the source and destination IP address of packets between the clients and the server.

- Source NAT: The source addresses in the packets from the clients in the Trust-L3 zone to the server in the Untrust-L3 zone are translated from the private addresses in the network 192.168.1.0/24 to the IP address of the egress interface on the firewall (10.16.1.103). Dynamic IP and Port translation causes the port numbers to be translated also.
- Destination NAT: The destination addresses in the packets from the clients to the server are translated from the server's public address (80.80.80.80) to the server's private address (10.2.133.15).

The following address objects are created for destination NAT:

- Server-Pre-NAT: 80.80.80.80
- Server-post-NAT: 10.2.133.15

The following screenshots illustrate how to configure the source and destination NAT policies for the example.

To verify the translations, use the CLI command show session all filter destination 80.80.80.80. Note that a client address 192.168.1.11 and its port number are translated to 10.16.1.103 and a port number. The destination address 80.80.80.80 is translated to 10.2.133.15.

Virtual Wire Source NAT Example

Virtual wire deployment of a Palo Alto Networks firewall includes the benefit of providing security transparently to the end devices. It is possible to configure NAT for interfaces configured in a virtual wire. All of the NAT types are allowed: source NAT (Dynamic IP, Dynamic IP and Port, static) and destination NAT. Because interfaces in a virtual wire do not have an IP address assigned, it is not possible to translate an IP address to an interface IP address. You must configure an IP address pool.

When performing NAT on virtual wire interfaces, it is recommended that you translate the source address to a different subnet than the one on which the neighboring devices are communicating. The firewall will not proxy ARP for NAT addresses. Proper routing must be configured on the upstream and downstream routers in order for the packets to be translated in virtual wire mode. Neighboring devices will only be able to resolve ARP requests for IP addresses that reside on the interface of the device on the other end of the virtual wire. See Proxy ARP for NAT Address Pools for more explanation about proxy ARP.

In the source NAT and static NAT examples below, security policies (not shown) are configured from the virtual wire zone named vw-trust to the zone named vw-untrust.

In the following topology, two routers are configured to provide connectivity between subnets 1.1.1.0/24 and 3.1.1.0/24. The link between the routers is configured in subnet 2.1.1.0/30. Static routing is configured on both routers to establish connectivity between the networks. Before the firewall is deployed in the environment, the topology and the routing table for each router look like this:

Route on R1:

  Destination    Next Hop
  3.1.1.0/24     2.1.1.2

Route on R2:

  Destination    Next Hop
  1.1.1.0/24     2.1.1.1

Now the firewall is deployed in virtual wire mode between the two Layer 3 devices. All communications from clients in network 1.1.1.0/24 accessing servers in network 3.1.1.0/24 are translated to an IP address in the range 2.1.1.9 to 2.1.1.14. A NAT IP address pool with range 2.1.1.9-2.1.1.14 is configured on the firewall.

All connections from the clients in subnet 1.1.1.0/24 will arrive at router R2 with a translated source address in the range 2.1.1.9 to 2.1.1.14. The response from servers will be directed to these addresses. In order for source NAT to work, you must configure proper routing on router R2, so that packets destined for these translated addresses are not dropped. The routing table below shows the modified routing table on router R2. The route ensures that traffic to the destinations 2.1.1.9 to 2.1.1.14 (that is, hosts on subnet 2.1.1.8/29) will be sent back through the firewall to router R1.

Route on R2:

  Destination    Next Hop
  2.1.1.8/29     2.1.1.1

Virtual Wire Static NAT Example

In this example, security policies are configured from the virtual wire zone named Trust to the virtual wire zone named Untrust. Host 1.1.1.100 is statically translated to address 2.1.1.100. With the Bi-directional option enabled, the firewall generates a NAT policy from the Untrust zone to the Trust zone. Clients on the Untrust zone access the server using the IP address 2.1.1.100, which the firewall translates to 1.1.1.100. Any connections initiated by the server at 1.1.1.100 are translated to source IP address 2.1.1.100.

Route on R2:

  Destination    Next Hop
  2.1.1.100/32   2.1.1.1

Virtual Wire Destination NAT Example

Clients in the Untrust zone access the server using the IP address 2.1.1.100, which the firewall translates to 1.1.1.100. Both the NAT and security policies must be configured from the Untrust zone to the Trust zone.

Route on R2:

  Destination    Next Hop
  2.1.1.100/32   2.1.1.1

NPTv6

IPv6-to-IPv6 Network Prefix Translation (NPTv6) performs a stateless, static translation of one IPv6 prefix to another IPv6 prefix (port numbers are not changed). There are four primary benefits of NPTv6:

- You can prevent the asymmetrical routing problems that result from Provider Independent addresses being advertised from multiple data centers.
- NPTv6 allows more specific routes to be advertised so that return traffic arrives at the same firewall that transmitted the traffic.
- Private and public addresses are independent; you can change one without affecting the other.
- You have the ability to translate Unique Local Addresses to globally routable addresses.

This topic builds on a basic understanding of NAT. You should be sure you are familiar with NAT concepts before configuring NPTv6.

- NPTv6 Overview
- How NPTv6 Works
- NDP Proxy
- NPTv6 and NDP Proxy Example
- Create an NPTv6 Policy

NPTv6 Overview

This section describes IPv6-to-IPv6 Network Prefix Translation (NPTv6) and how to configure it. NPTv6 is defined in RFC 6296. Palo Alto Networks does not implement all functionality defined in the RFC, but is compliant with the RFC in the functionality it has implemented.

NPTv6 performs stateless translation of one IPv6 prefix to another IPv6 prefix. It is stateless, meaning that it does not keep track of ports or sessions on the addresses translated. NPTv6 differs from NAT66, which is stateful. Palo Alto Networks supports NPTv6 RFC 6296 prefix translation; it does not support NAT66.

With the limited addresses in the IPv4 space, NAT was required to translate private, non-routable IPv4 addresses to one or more globally routable IPv4 addresses.

For organizations using IPv6 addressing, there is no need to translate IPv6 addresses to IPv6 addresses due to the abundance of IPv6 addresses. However, there are Reasons to Use NPTv6 to translate IPv6 prefixes at the firewall.

NPTv6 translates the prefix portion of an IPv6 address but not the host portion or the application port numbers. The host portion is simply copied, and therefore remains the same on either side of the firewall. The host portion also remains visible within the packet header.

- NPTv6 Does Not Provide Security
- Model Support for NPTv6
- Unique Local Addresses
- Reasons to Use NPTv6

NPTv6 Does Not Provide Security

It is important to understand that NPTv6 does not provide security. In general, stateless network address translation does not provide any security; it provides an address translation function. NPTv6 does not hide or translate port numbers. You must set up firewall security policies correctly in each direction to ensure that traffic is controlled as you intended.

Model Support for NPTv6

NPTv6 is supported on the following models (NPTv6 with hardware lookup, but packets go through the CPU): PA-7000 Series, PA-5200 Series, PA-5000 Series, PA-3060 firewall, PA-3050 firewall, PA-800 Series firewalls, and PA-220 firewall. Models supported with no ability to have hardware perform a session lookup: PA-3020 firewall, PA-500 firewall, PA-200 firewall, and VM-Series.

Unique Local Addresses

RFC 4193, Unique Local IPv6 Unicast Addresses, defines unique local addresses (ULAs), which are IPv6 unicast addresses. They can be considered IPv6 equivalents of the private IPv4 addresses identified in RFC 1918, Address Allocation for Private Internets, which cannot be routed globally.

A ULA is globally unique, but not expected to be globally routable. It is intended for local communications and to be routable in a limited area such as a site or among a small number of sites. Palo Alto Networks does not recommend that you assign ULAs, but a firewall configured with NPTv6 will translate prefixes sent to it, including ULAs.

Reasons to Use NPTv6

Although there is no shortage of public, globally routable IPv6 addresses, there are reasons you might want to translate IPv6 addresses. NPTv6:

- Prevents asymmetrical routing: Asymmetric routing can occur if a Provider Independent address space (/48, for example) is advertised by multiple data centers to the global Internet. By using NPTv6, you can advertise more specific routes from regional firewalls, and the return traffic will arrive at the same firewall where the source IP address was translated by the translator.
- Provides address independence: You need not change the IPv6 prefixes used inside your local network if the global prefixes are changed (for example, by an ISP or as a result of merging organizations). Conversely, you can change the inside addresses at will without disrupting the addresses that are used to access services in the private network from the Internet. In either case, you update a NAT rule rather than reassign network addresses.
- Translates ULAs for routing: You can have Unique Local Addresses assigned within your private network, and have the firewall translate them to globally routable addresses. Thus, you have the convenience of private addressing and the functionality of translated, routable addresses.
- Reduces exposure to IPv6 prefixes: IPv6 prefixes are less exposed than if you did not translate network prefixes; however, NPTv6 is not a security measure. The interface identifier portion of each IPv6 address is not translated; it remains the same on each side of the firewall and visible to anyone who can see the packet header. Additionally, the prefixes are not secret; they can be determined by others.

How NPTv6 Works

When you configure a policy for NPTv6, the Palo Alto Networks firewall performs a static, one-to-one IPv6 translation in both directions. The translation is based on the algorithm described in RFC 6296.

In one use case, the firewall performing NPTv6 is located between an internal network and an external network (such as the Internet) that uses globally routable prefixes. When datagrams are going in the outbound direction, the internal source prefix is replaced with the external prefix; this is known as source translation.

In another use case, when datagrams are going in the inbound direction, the destination prefix is replaced with the internal prefix (known as destination translation). The figure below illustrates destination translation and a characteristic of NPTv6: only the prefix portion of an IPv6 address is translated. The host portion of the address is not translated and remains the same on either side of the firewall. In the figure below, the host identifier is 111::55 on both sides of the firewall.

It is important to understand that NPTv6 does not provide security. While you are planning your NPTv6 NAT policies, remember also to configure security policies in each direction.

A NAT or NPTv6 policy rule cannot have both the Source Address and the Translated Address set to Any.

In an environment where you want IPv6 prefix translation, three firewall features work together: NPTv6 NAT policies, security policies, and NDP Proxy.

The firewall does not translate the following:

- Addresses that the firewall has in its Neighbor Discovery (ND) cache.
- The subnet 0xFFFF (in accordance with RFC 6296, Appendix B).
- IP multicast addresses.
- IPv6 addresses with a prefix length of /31 or shorter.
- Link-local addresses. If the firewall is operating in virtual wire mode, there are no IP addresses to translate, and the firewall does not translate link-local addresses.
- Addresses for TCP sessions that authenticate peers using the TCP Authentication Option (RFC 5925).

When using NPTv6, performance for fast path traffic is impacted because NPTv6 is performed in the slow path.

NPTv6 will work with IPSec IPv6 only if the firewall is originating and terminating the tunnel. Transit IPSec traffic would fail because the source and/or destination IPv6 address would be modified. A NAT traversal technique that encapsulates the packet would allow IPSec IPv6 to work with NPTv6.

- Checksum-Neutral Mapping
- Bi-Directional Translation
- NPTv6 Applied to a Specific Service

Checksum-Neutral Mapping

The NPTv6 mapping translations that the firewall performs are checksum-neutral, meaning that "...they result in IP headers that will generate the same IPv6 pseudo-header checksum when the checksum is calculated using the standard Internet checksum algorithm [RFC1071]." See RFC 6296, Section 2.6, for more information about checksum-neutral mapping.

If you are using NPTv6 to perform destination NAT, you can provide the internal IPv6 address and the external prefix/prefix length of the firewall interface in the syntax of the test nptv6 CLI command. The CLI responds with the checksum-neutral, public IPv6 address to use in your NPTv6 configuration to reach that destination.
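The code below is an added example, not firewall code; it reproduces the RFC 6296 arithmetic behind the test nptv6 command for equal-length prefixes of /48 or shorter. The prefixes FDDA:7A3E:: (internal) and 2001:DB8:: (external) are taken from the NPTv6 and NDP Proxy Example later in this chapter; treating them as /32 prefixes is an assumption made here. The point it demonstrates is why the test nptv6 command exists: the checksum-neutral external address for FDDA:7A3E::1 is not 2001:DB8::1 but 2001:DB8:0:4A60::1, because the 16-bit word at bits 48 through 63 absorbs the difference between the two prefix sums, and the translation still round-trips.

```python
"""RFC 6296 checksum-neutral prefix translation for equal-length prefixes of /48 or
shorter.  Added example, not firewall code: it reproduces the arithmetic behind the
test nptv6 command.  The prefixes FDDA:7A3E::/32 (internal) and 2001:DB8::/32
(external) come from this chapter's example; the /32 lengths are an assumption."""
import ipaddress


def _words(addr):
    """The eight 16-bit words of an IPv6 address."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]


def _from_words(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def ones_complement_add(a, b):
    """16-bit one's complement addition with end-around carry (RFC 1071)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_complement_sum(words):
    total = 0
    for w in words:
        total = ones_complement_add(total, w)
    return total


def checksum_neutral(addr_a, addr_b):
    """True when both addresses contribute the same one's complement sum to the
    pseudo-header checksum.  0x0000 and 0xFFFF are both zero in that arithmetic."""
    sa = ones_complement_sum(_words(ipaddress.IPv6Address(addr_a)))
    sb = ones_complement_sum(_words(ipaddress.IPv6Address(addr_b)))
    return sa == sb or {sa, sb} <= {0x0000, 0xFFFF}


class Nptv6:
    def __init__(self, internal_prefix, external_prefix):
        self.internal = ipaddress.IPv6Network(internal_prefix)
        self.external = ipaddress.IPv6Network(external_prefix)
        if self.internal.prefixlen != self.external.prefixlen or self.internal.prefixlen > 48:
            raise ValueError("this example handles equal-length prefixes of /48 or shorter")
        # RFC 6296 section 3.1: adjustment = sum(internal /48) - sum(external /48), taken
        # over the first three words with each prefix zero-padded out to 48 bits.
        int_sum = ones_complement_sum(_words(self.internal.network_address)[:3])
        ext_sum = ones_complement_sum(_words(self.external.network_address)[:3])
        self.adjustment = ones_complement_add(int_sum, 0xFFFF ^ ext_sum)  # a - b == a + ~b

    def _translate(self, addr, from_net, to_net, adjustment):
        a = ipaddress.IPv6Address(addr)
        if a not in from_net:
            raise ValueError(f"{a} is not inside {from_net}")
        if _words(a)[3] == 0xFFFF:
            return None  # subnet 0xFFFF is never translated (RFC 6296 Appendix B)
        host_bits = int(a) & ((1 << (128 - from_net.prefixlen)) - 1)
        words = _words(ipaddress.IPv6Address(int(to_net.network_address) | host_bits))
        words[3] = ones_complement_add(words[3], adjustment)  # bits 48..63 absorb the difference
        if words[3] == 0xFFFF:
            words[3] = 0x0000  # negative zero is written as 0x0000
        return _from_words(words)

    def outbound(self, addr):
        """Internal -> external (source translation)."""
        return self._translate(addr, self.internal, self.external, self.adjustment)

    def inbound(self, addr):
        """External -> internal (destination translation): add the negated adjustment."""
        return self._translate(addr, self.external, self.internal, 0xFFFF ^ self.adjustment)


if __name__ == "__main__":
    t = Nptv6("fdda:7a3e::/32", "2001:db8::/32")
    ext = t.outbound("fdda:7a3e::1")
    print(f"adjustment=0x{t.adjustment:04x}  fdda:7a3e::1 -> {ext} -> {t.inbound(ext)}",
          "(checksum-neutral)" if checksum_neutral("fdda:7a3e::1", str(ext)) else "(NOT neutral)")
```

If you configure the external address by hand as 2001:DB8::1 instead of the value the arithmetic produces, return traffic will be translated to a different internal address and the flow fails; that is the mistake the test nptv6 command is there to prevent.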

Bi-Directional Translation

When you Create an NPTv6 Policy, the Bi-directional option in the Translated Packet tab provides a convenient way for you to have the firewall create a corresponding NAT or NPTv6 translation in the opposite direction of the translation you configured. By default, Bi-directional translation is disabled.

If you enable Bi-directional translation, it is very important to make sure you have security policies in place to control the traffic in both directions. Without such policies, the Bi-directional feature will allow packets to be automatically translated in both directions, which you might not want.

NPTv6 Applied to a Specific Service

The Palo Alto Networks implementation of NPTv6 offers the ability to filter packets to limit which packets are subject to translation. Keep in mind that NPTv6 does not perform port translation. There is no concept of Dynamic IP and Port (DIPP) translation because NPTv6 translates IPv6 prefixes only. However, you can specify that only packets for a certain service port undergo NPTv6 translation. To do so, Create an NPTv6 Policy that specifies a Service in the Original Packet.

NDPProxy

NeighborDiscoveryProtocol(NDP)forIPv6performsfunctionssimilartothoseprovidedbyAddress
ResolutionProtocol(ARP)forIPv4.RFC4861definesNeighborDiscoveryforIPversion6(IPv6).Hosts,
routers,andfirewallsuseNDPtodeterminethelinklayeraddressesofneighborsonconnectedlinks,to
keeptrackofwhichneighborsarereachable,andtoupdateneighborslinklayeraddressesthathave
changed.PeersadvertisetheirownMACaddressandIPv6address,andtheyalsosolicitaddressesfrom
peers.
NDPalsosupportstheconceptofproxy,whenanodehasaneighboringdevicethatisabletoforward
packetsonbehalfofthenode.Thedevice(firewall)performstheroleofNDPProxy.

PaloAltoNetworks,Inc. PANOS8.0AdministratorsGuide 873


NPTv6 Networking

PaloAltoNetworksfirewallssupportNDPandNDPProxyontheirinterfaces.Whenyouconfigurethe
firewalltoactasanNDPProxyforaddresses,itallowsthefirewalltosendNeighborDiscovery(ND)
advertisementsandrespondtoNDsolicitationsfrompeersthatareaskingforMACaddressesofIPv6
prefixesassignedtodevicesbehindthefirewall.Youcanalsoconfigureaddressesforwhichthefirewallwill
notrespondtoproxyrequests(negatedaddresses).
Infact,NDPisenabledbydefault,andyouneedtoconfigureNDPProxywhenyouconfigureNPTv6,for
thefollowingreasons:
ThestatelessnatureofNPTv6requiresawaytoinstructthefirewalltorespondtoNDpacketssentto
specifiedNDPProxyaddresses,andtonotrespondtonegatedNDPProxyaddresses.

ItisrecommendedthatyounegateyourneighborsaddressesintheNDPProxyconfiguration,
becauseNDPProxyindicatesthefirewallwillreachthoseaddressesbehindthefirewall,butthe
neighborsarenotbehindthefirewall.

NDP causes the firewall to save the MAC addresses and IPv6 addresses of neighbors in its ND cache. (Refer to the figure in NPTv6 and NDP Proxy Example.) The firewall does not perform NPTv6 translation for addresses that it finds in its ND cache because doing so could introduce a conflict. If the host portion of an address in the cache happens to overlap with the host portion of a neighbor's address, and the prefix in the cache is translated to the same prefix as that of the neighbor (because the egress interface on the firewall belongs to the same subnet as the neighbor), then you would have a translated address that is exactly the same as the legitimate IPv6 address of the neighbor, and a conflict occurs. (If an attempt to perform NPTv6 translation occurs on an address in the ND cache, an informational syslog message logs the event: NPTv6 Translation Failed.)
When an interface with NDP Proxy enabled receives an ND solicitation requesting a MAC address for an IPv6 address, the following sequence occurs:
- The firewall searches the ND cache to ensure the IPv6 address from the solicitation is not there. If the address is there, the firewall ignores the ND solicitation.
- If the source IPv6 address is 0, that means the packet is a Duplicate Address Detection packet, and the firewall ignores the ND solicitation.
- The firewall does a Longest Prefix Match search of the NDP Proxy addresses and finds the best match to the address in the solicitation. If the Negate field for the match is checked (in the NDP Proxy list), the firewall drops the ND solicitation.
- Only if the Longest Prefix Match search matches, and that matched address is not negated, will the NDP Proxy respond to the ND solicitation. The firewall responds with an ND packet, providing its own MAC address as the MAC address of the next hop toward the queried destination.
In order to successfully support NDP, the firewall does not perform NDP Proxy for the following:
- Duplicate Address Detection (DAD).
- Addresses in the ND cache (because such addresses do not belong to the firewall; they belong to discovered neighbors).


NPTv6 and NDP Proxy Example

The following figure illustrates how NPTv6 and NDP Proxy function together.

The ND Cache in NPTv6 Example
The NDP Proxy in NPTv6 Example
The NPTv6 Translation in NPTv6 Example
Neighbors in the ND Cache are Not Translated

The ND Cache in NPTv6 Example

In the above example, multiple peers connect to the firewall through a switch, with ND occurring between the peers and the switch, between the switch and the firewall, and between the firewall and the devices on the trust side.
As the firewall learns of peers, it saves their addresses to its ND cache. Trusted peers FDDA:7A3E::1, FDDA:7A3E::2, and FDDA:7A3E::3 are connected to the firewall on the trust side. FDDA:7A3E::99 is the untranslated address of the firewall itself; its public-facing address is 2001:DB8::99. The addresses of the peers on the untrust side have been discovered and appear in the ND cache: 2001:DB8::1, 2001:DB8::2, and 2001:DB8::3.

The NDP Proxy in NPTv6 Example

In our scenario, we want the firewall to act as NDP Proxy for the prefixes on devices behind the firewall. When the firewall is NDP Proxy for a specified set of addresses/ranges/prefixes, and it sees an address from this range in an ND solicitation or advertisement, the firewall will respond as long as a device with that specific address doesn't respond first, the address is not negated in the NDP proxy configuration, and the address is not in the ND cache. The firewall does the prefix translation (described below) and sends the packet to the trust side, where that address might or might not be assigned to a device.
In this example, the ND Proxy table contains the network address 2001:DB8::0. When the interface sees an ND for 2001:DB8::100, no other devices on the L2 switch claim the packet, so the proxy range causes the firewall to claim it, and after translation to FDD4:7A3E::100, the firewall sends it out to the trust side.

The NPTv6 Translation in NPTv6 Example

In this example, the Original Packet is configured with a Source Address of FDD4:7A3E::0 and a Destination of Any. The Translated Packet is configured with the Translated Address of 2001:DB8::0.
Therefore, outgoing packets with a source of FDD4:7A3E::0 are translated to 2001:DB8::0. Incoming packets with a destination prefix in the network 2001:DB8::0 are translated to FDD4:7A3E::0.

Neighbors in the ND Cache are Not Translated

In our example, there are hosts behind the firewall with host identifiers :1, :2, and :3. If the prefixes of those hosts are translated to a prefix that exists beyond the firewall, and if those devices also have host identifiers :1, :2, and :3, because the host identifier portion of the address remains unchanged, the resulting translated address would belong to the existing device, and an addressing conflict would result. In order to avoid a conflict with overlapping host identifiers, NPTv6 does not translate addresses that it finds in its ND cache.
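As an added illustration (not code from this guide or from Palo Alto Networks), the following Python model walks through the NDP Proxy decision sequence and the ND-cache exemption described in the sections above, using the example's addresses. The proxy list, the ND cache contents, the extra not-yet-learned neighbor 2001:db8::4 and all function names are constructed for this illustration.

```python
"""Model of the NDP Proxy decision sequence and the NPTv6 ND-cache exemption.
Added example: not code from the PAN-OS guide or Palo Alto Networks. The proxy
list, ND cache contents, the extra neighbour 2001:db8::4 and all function names
are constructed for illustration; the other addresses are the guide's example."""
import ipaddress
import logging
from dataclasses import dataclass

log = logging.getLogger("nptv6")

UNSPECIFIED = ipaddress.IPv6Address("::")  # source of a Duplicate Address Detection probe


@dataclass(frozen=True)
class ProxyEntry:
    """One row of an interface's NDP Proxy list: an address/prefix plus the Negate flag."""
    network: ipaddress.IPv6Network
    negate: bool = False


def ndp_proxy_decision(target, source, proxy_list, nd_cache):
    """Apply the guide's sequence to one ND solicitation and return the outcome.

    target     -- IPv6 address whose MAC address the solicitation asks for
    source     -- source IPv6 address of the solicitation ('::' means DAD)
    proxy_list -- ProxyEntry objects configured on the receiving interface
    nd_cache   -- set of IPv6 addresses already learned from real neighbours
    Returns "respond", "ignore" or "drop".
    """
    target = ipaddress.IPv6Address(target)
    source = ipaddress.IPv6Address(source)
    # 1. An address already in the ND cache belongs to a discovered neighbour: ignore.
    if target in nd_cache:
        return "ignore"
    # 2. A DAD probe is sent from the unspecified address: never proxy for it.
    if source == UNSPECIFIED:
        return "ignore"
    # 3. Longest Prefix Match over the proxy list; a negated /128 beats its /64.
    matches = [e for e in proxy_list if target in e.network]
    if not matches:
        return "ignore"
    best = max(matches, key=lambda e: e.network.prefixlen)
    if best.negate:
        return "drop"
    # 4. Matched and not negated: answer with the firewall's own MAC as next hop.
    return "respond"


def nptv6_translate(addr, original_prefix, translated_prefix, nd_cache):
    """Swap the prefix bits of addr and keep the host identifier unchanged.

    Returns None (and logs the event) when addr is in the ND cache, because the
    translated address could then equal a real neighbour's address.
    """
    addr = ipaddress.IPv6Address(addr)
    orig = ipaddress.IPv6Network(original_prefix)
    new = ipaddress.IPv6Network(translated_prefix)
    if orig.prefixlen != new.prefixlen:
        raise ValueError("NPTv6 requires equal original and translated prefix lengths")
    if addr in nd_cache:
        log.info("NPTv6 Translation Failed: %s is in the ND cache", addr)
        return None
    if addr not in orig:
        return addr  # not covered by this rule: left unchanged
    host_bits = 128 - orig.prefixlen
    host_part = int(addr) & ((1 << host_bits) - 1)
    return ipaddress.IPv6Address(int(new.network_address) | host_part)


# Constructed scenario from the guide's figure: untrust neighbours ::1, ::2 and ::3
# have been learned into the ND cache; the proxy list covers 2001:db8::/64 and, as
# the guide recommends, negates the known neighbours (::4 is a neighbour that has
# not been learned yet, so only its Negate entry protects it).
ND_CACHE = {ipaddress.IPv6Address(a) for a in ("2001:db8::1", "2001:db8::2", "2001:db8::3")}
PROXY_LIST = [ProxyEntry(ipaddress.IPv6Network("2001:db8::/64"))] + [
    ProxyEntry(ipaddress.IPv6Network(f"2001:db8::{i}/128"), negate=True) for i in (1, 2, 3, 4)
]

if __name__ == "__main__":
    for target, source in (("2001:db8::100", "2001:db8::1"), ("2001:db8::1", "2001:db8::2"),
                           ("2001:db8::4", "2001:db8::1"), ("2001:db8::100", "::")):
        print(target, "from", source, "->", ndp_proxy_decision(target, source, PROXY_LIST, ND_CACHE))
    print(nptv6_translate("2001:db8::100", "2001:db8::/64", "fdd4:7a3e::/64", ND_CACHE))
```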

Create an NPTv6 Policy

Perform this task when you want to configure a NAT NPTv6 policy to translate one IPv6 prefix to another IPv6 prefix. The prerequisites for this task are:
- Enable IPv6. Select Device > Setup > Session. Click Edit and select IPv6 Firewalling.
- Configure a Layer 3 Ethernet interface with a valid IPv6 address and with IPv6 enabled. Select Network > Interfaces > Ethernet, select an interface, and on the IPv6 tab, select Enable IPv6 on the interface.
- Create network security policies, because NPTv6 does not provide security.
- Decide whether you want source translation, destination translation, or both.
- Identify the zones to which you want to apply the NPTv6 policy.
- Identify your original and translated IPv6 prefixes.

Configure an NPTv6 Policy

Step 1 Create a new NPTv6 policy.
1. Select Policies > NAT and click Add.
2. On the General tab, enter a descriptive Name for the NPTv6 policy rule.
3. (Optional) Enter a Description and Tag.
4. For NAT Type, select NPTv6.


Step 2 Specify the match criteria for incoming packets; packets that match all of the criteria are subject to the NPTv6 translation. Zones are required for both types of translation.
1. On the Original Packet tab, for Source Zone, leave Any or Add the source zone to which the policy applies.
2. Enter the Destination Zone to which the policy applies.
3. (Optional) Select a Destination Interface.
4. (Optional) Select a Service to restrict what type of packets are translated.
5. If you are doing source translation, enter a Source Address or select Any. The address could be an address object. The following constraints apply to Source Address and Destination Address:
   - Prefixes of Source Address and Destination Address for the Original Packet and Translated Packet must be in the format xxxx:xxxx::/yy, although leading zeros in the prefix can be dropped.
   - The IPv6 address cannot have an interface identifier (host) portion defined.
   - The range of supported prefix lengths is /32 to /64.
   - The Source Address and Destination Address cannot both be set to Any.
6. If you are doing source translation, you can optionally enter a Destination Address. If you are doing destination translation, the Destination Address is required. The destination address (an address object is allowed) must be a netmask, not just an IPv6 address and not a range. The prefix length must be a value from /32 to /64, inclusive. For example, 2001:db8::/32.


Step 3 Specify the translated packet.
1. On the Translated Packet tab, if you want to do source translation, in the Source Address Translation section, for Translation Type, select Static IP. If you do not want to do source translation, select None.
2. If you chose Static IP, the Translated Address field appears. Enter the translated IPv6 prefix or address object. See the constraints listed in Step 5.
   It is a best practice to configure your Translated Address to be the prefix of the untrust interface address of your firewall. For example, if your untrust interface has the address 2001:1a:1b:1::99/64, make your Translated Address 2001:1a:1b:1::0/64.
3. (Optional) Select Bi-directional if you want the firewall to create a corresponding NPTv6 translation in the opposite direction of the translation you configure.
   If you enable Bi-directional translation, it is very important to make sure you have Security policy rules in place to control the traffic in both directions. Without such policy rules, Bi-directional translation allows packets to be automatically translated in both directions, which you might not want.
4. If you want to do destination translation, select Destination Address Translation. In the Translated Address field, choose an address object from the drop-down or enter your internal destination address.
5. Click OK.

Step 4 Configure NDP Proxy. When you configure the firewall to act as an NDP Proxy for addresses, it allows the firewall to send Neighbor Discovery (ND) advertisements and respond to ND solicitations from peers that are asking for MAC addresses of IPv6 prefixes assigned to devices behind the firewall.
1. Select Network > Interfaces > Ethernet and select an interface.
2. On the Advanced > NDP Proxy tab, select Enable NDP Proxy and click Add.
3. Enter the IP Address(es) for which NDP Proxy is enabled. It can be an address, a range of addresses, or a prefix and prefix length. The order of IP addresses does not matter. These addresses are ideally the same as the Translated Addresses that you configured in an NPTv6 policy.
   If the address is a subnet, the NDP Proxy will respond to all addresses in the subnet, so you should list the neighbors in that subnet with Negate selected, as described in the next step.
4. (Optional) Enter one or more addresses for which you do not want NDP Proxy enabled, and select Negate. For example, from an IP address range or prefix range configured in the prior step, you could negate a smaller subset of addresses. It is recommended that you negate the addresses of the neighbors of the firewall.

Step 5 Commit the configuration. Click OK and Commit.


NAT64

NAT64 provides a way to transition to IPv6 while you still need to communicate with IPv4 networks. When you need to communicate from an IPv6-only network to an IPv4 network, you use NAT64 to translate source and destination addresses from IPv6 to IPv4 and vice versa. NAT64 allows IPv6 clients to access IPv4 servers and allows IPv4 clients to access IPv6 servers. You should understand NAT before configuring NAT64.
NAT64 Overview
IPv4-Embedded IPv6 Address
DNS64 Server
Path MTU Discovery
IPv6-Initiated Communication
Configure NAT64 for IPv6-Initiated Communication
Configure NAT64 for IPv4-Initiated Communication
Configure NAT64 for IPv4-Initiated Communication with Port Translation

NAT64 Overview

You can configure two types of NAT64 translation on a Palo Alto Networks firewall; each one is doing a bidirectional translation between the two IP address families:
- The firewall supports stateful NAT64 for IPv6-Initiated Communication, which maps multiple IPv6 addresses to one IPv4 address, thus preserving IPv4 addresses. (It does not support stateless NAT64, which maps one IPv6 address to one IPv4 address and therefore does not preserve IPv4 addresses.) Configure NAT64 for IPv6-Initiated Communication.
- Palo Alto Networks also supports IPv4-initiated communication with a static binding that maps an IPv4 address and port number to an IPv6 address. Configure NAT64 for IPv4-Initiated Communication. It also supports port rewrite, which preserves even more IPv4 addresses by translating an IPv4 address and port number to an IPv6 address with multiple port numbers. Configure NAT64 for IPv4-Initiated Communication with Port Translation.
A single IPv4 address can be used for NAT44 and NAT64; you don't reserve a pool of IPv4 addresses for NAT64 only.
NAT64 operates on Layer 3 interfaces, subinterfaces, and tunnel interfaces. To use NAT64 on a Palo Alto Networks firewall for IPv6-initiated communication, you must have a third-party DNS64 Server or a solution in place to separate the DNS query function from the NAT function. The DNS64 server translates between your IPv6 host and an IPv4 DNS server by encoding the IPv4 address it receives from a public DNS server into an IPv6 address for the IPv6 host.
Palo Alto Networks supports the following NAT64 features:
- Hairpinning (NAT U-Turn); additionally, NAT64 prevents hairpinning loop attacks by dropping all incoming IPv6 packets that have a source prefix of 64::/n.
- Translation of TCP/UDP/ICMP packets per RFC 6146, and the firewall makes a best effort to translate other protocols that don't use an application-level gateway (ALG). For example, the firewall can translate a GRE packet. This translation has the same limitation as NAT44: if you don't have an ALG for a protocol that can use a separate control and data channel, the firewall might not understand the return traffic flow.
- Translation between IPv4 and IPv6 of the ICMP length attribute of the original datagram field, per RFC 4884.

IPv4-Embedded IPv6 Address

NAT64 uses an IPv4-embedded IPv6 address as described in RFC 6052, IPv6 Addressing of IPv4/IPv6 Translators. An IPv4-embedded IPv6 address is an IPv6 address in which 32 bits have an IPv4 address encoded in them. The IPv6 prefix length (PL in the figure) determines where in the IPv6 address the IPv4 address is encoded, as follows:

The firewall supports translation for /32, /40, /48, /56, /64, and /96 subnets using these prefixes. A single firewall supports multiple prefixes; each NAT64 rule uses one prefix. The prefix can be the Well-Known Prefix (64:FF9B::/96) or a Network-Specific Prefix (NSP) that is unique to the organization that controls the address translator (the DNS64 device). An NSP is usually a network within the organization's IPv6 prefix. The DNS64 device typically sets the u field and suffix to zeros; the firewall ignores those fields.

DNS64 Server

If you want to perform NAT64 translation using IPv6-Initiated Communication, you must use a third-party DNS64 server or other DNS64 solution that is set up with the Well-Known Prefix or your NSP. When an IPv6 host attempts to access an IPv4 host or domain on the internet, the DNS64 server queries an authoritative DNS server for the IPv4 address mapped to that hostname. The DNS server returns an Address record (A record) to the DNS64 server containing the IPv4 address for the hostname.
The DNS64 server in turn converts the IPv4 address to hexadecimal and encodes it into the appropriate octets of the IPv6 prefix it is set up to use (the Well-Known Prefix or your NSP) based on the prefix length, which results in an IPv4-Embedded IPv6 Address. The DNS64 server sends an AAAA record to the IPv6 host that maps the IPv4-embedded IPv6 address to the IPv4 hostname.


Path MTU Discovery

IPv6 does not fragment packets, so the firewall uses two methods to reduce the need to fragment packets:
- When the firewall is translating IPv4 packets in which the DF (don't fragment) bit is zero, that indicates the sender expects the firewall to fragment packets that are too large, but the firewall doesn't fragment packets for the IPv6 network (after translation) because IPv6 doesn't fragment packets. Instead, you can configure the minimum size into which the firewall will fragment IPv4 packets before translating them. The NAT64 IPv6 Minimum Network MTU value is this setting, which complies with RFC 6145, IP/ICMP Translation Algorithm. You can set the NAT64 IPv6 Minimum Network MTU to its maximum value (Device > Setup > Session), which causes the firewall to fragment IPv4 packets to the IPv6 minimum size before translating them to IPv6. (The NAT64 IPv6 Minimum Network MTU does not change the interface MTU.)
- The other method the firewall uses to reduce fragmentation is Path MTU Discovery (PMTUD). In an IPv4-initiated communication, if an IPv4 packet to be translated has the DF bit set and the MTU for the egress interface is smaller than the packet, the firewall uses PMTUD to drop the packet and return an ICMP Destination Unreachable, fragmentation needed message to the source. The source lowers the path MTU for that destination and resends the packet until successive reductions in the path MTU allow packet delivery.

IPv6-Initiated Communication

IPv6-initiated communication to the firewall is similar to source NAT for an IPv4 topology. Configure NAT64 for IPv6-Initiated Communication when your IPv6 host needs to communicate with an IPv4 server.
In the NAT64 policy rule, configure the original source to be an IPv6 host address or Any. Configure the destination IPv6 address as either the Well-Known Prefix or the NSP that the DNS64 server uses. (You do not configure the full IPv6 destination address in the rule.)
As shown in the example topology below, IPv6-initiated communication requires a DNS64 Server. The DNS64 server must be set up to use the Well-Known Prefix 64:FF9B::/96 or your Network-Specific Prefix, which must comply with RFC 6052 (/32, /40, /48, /56, /64, or /96).
On the translated side of the firewall, the translation type must be Dynamic IP and Port in order to implement stateful NAT64. You configure the source translated address to be the IPv4 address of the egress interface on the firewall. You do not configure the destination translation field; the firewall translates the address by first finding the prefix length in the original destination address of the rule and then, based on the prefix, extracting the encoded IPv4 address from the original destination IPv6 address in the incoming packet.
Before the firewall looks at the NAT64 rule, the firewall must do a route lookup to find the destination security zone for an incoming packet. You must ensure that the NAT64 prefix can be reached through the destination zone assignment because the NAT64 prefix should not be routable by the firewall. The firewall would likely assign the NAT64 prefix to the default route or drop the NAT64 prefix because there is no route for it. The firewall will not find a destination zone because the NAT64 prefix is not in its routing table, associated with an egress interface and zone.
You must also configure a tunnel interface (with no termination point). You apply the NAT64 prefix to the tunnel and apply the appropriate zone to ensure that IPv6 traffic with the NAT64 prefix is assigned to the proper destination zone. The tunnel also has the advantage of dropping IPv6 traffic with the NAT64 prefix if the traffic does not match the NAT64 rule. Your configured routing protocol on the firewall looks up the IPv6 prefix in its routing table to find the destination zone and then looks at the NAT64 rule.
The figure below illustrates the role of the DNS64 server in the name resolution process. In this example, the DNS64 server is configured to use Well-Known Prefix 64:FF9B::/96.


1. A user at the IPv6 host enters the URL www.abc.com, which generates a name server lookup (nslookup) to the DNS64 server.
2. The DNS64 Server sends an nslookup to the public DNS server for www.abc.com, requesting its IPv4 address.
3. The DNS server returns an A record that provides the IPv4 address to the DNS64 server.
4. The DNS64 server sends an AAAA record to the IPv6 user, converting the IPv4 dotted-decimal address 198.51.100.1 into C633:6401 hexadecimal and embedding it into its own IPv6 prefix, 64:FF9B::/96. [198 = C6 hex; 51 = 33 hex; 100 = 64 hex; 1 = 01 hex.] The result is IPv4-Embedded IPv6 Address 64:FF9B::C633:6401.
Keep in mind that in a /96 prefix, the IPv4 address is the last four octets encoded in the IPv6 address. If the DNS64 server uses a /32, /40, /48, /56 or /64 prefix, the IPv4 address is encoded as shown in RFC 6052.

Upon the transparent name resolution, the IPv6 host sends a packet to the firewall containing its IPv6 source address and destination IPv6 address 64:FF9B::C633:6401 as determined by the DNS64 server. The firewall performs the NAT64 translation based on your NAT64 rule.


Configure NAT64 for IPv6-Initiated Communication

This configuration task and its addresses correspond to the figures in IPv6-Initiated Communication.

Configure NAT64 for IPv6-Initiated Communication

Step 1 Enable IPv6 to operate on the firewall.
1. Select Device > Setup > Session and edit the Session Settings.
2. Select Enable IPv6 Firewalling.
3. Click OK.

Step 2 Create an address object for the IPv6 destination address (pre-translation).
1. Select Objects > Addresses and click Add.
2. Enter a Name for the object, for example, nat64IPv4Server.
3. For Type, select IP Netmask and enter the IPv6 prefix with a netmask that is compliant with RFC 6052 (/32, /40, /48, /56, /64, or /96). This is either the Well-Known Prefix or your Network-Specific Prefix that is configured on the DNS64 Server.
   For this example, enter 64:FF9B::/96.
   NOTE: The source and destination must have the same netmask (prefix length).
   (You don't enter a full destination address because, based on the prefix length, the firewall extracts the encoded IPv4 address from the original destination IPv6 address in the incoming packet. In this example, the prefix in the incoming packet is encoded with C633:6401 in hexadecimal, which is the IPv4 destination address 198.51.100.1.)
4. Click OK.

Step 3 (Optional) Create an address object for the IPv6 source address (pre-translation).
1. Select Objects > Addresses and click Add.
2. Enter a Name for the object.
3. For Type, select IP Netmask and enter the address of the IPv6 host, in this example, 2001:DB8::5/96.
4. Click OK.

Step 4 (Optional) Create an address object for the IPv4 source address (translated).
1. Select Objects > Addresses and click Add.
2. Enter a Name for the object.
3. For Type, select IP Netmask and enter the IPv4 address of the firewall's egress interface, in this example, 192.0.2.1.
4. Click OK.

Step 5 Create the NAT64 rule.
1. Select Policies > NAT and click Add.
2. On the General tab, enter a Name for the NAT64 rule, for example, nat64_ipv6_init.
3. (Optional) Enter a Description.
4. For NAT Type, select nat64.


Step 6 Specify the original source and destination information.
1. For the Original Packet, Add the Source Zone, likely a trusted zone.
2. Select the Destination Zone, in this example, the Untrust zone.
3. (Optional) Select a Destination Interface or the default (any).
4. For Source Address, select Any or Add the address object you created for the IPv6 host.
5. For Destination Address, Add the address object you created for the IPv6 destination address, in this example, nat64IPv4Server.
6. (Optional) For Service, select any.

Step 7 Specify the translated packet information.
1. For the Translated Packet, in Source Address Translation, for Translation Type, select Dynamic IP and Port.
2. For Address Type, do one of the following:
   - Select Translated Address and Add the address object you created for the IPv4 source address.
   - Select Interface Address, in which case the translated source address is the IP address and netmask of the firewall's egress interface. For this choice, select an Interface and optionally an IP Address if the interface has more than one IP address.
3. Leave Destination Address Translation unselected. (The firewall extracts the IPv4 address from the IPv6 prefix in the incoming packet, based on the prefix length specified in the original destination of the NAT64 rule.)
4. Click OK to save the NAT64 policy rule.

Step 8 Configure a tunnel interface to emulate a loopback interface with a netmask other than 128.
1. Select Network > IPSec Tunnels and Add a tunnel.
2. On the General tab, enter a Name for the tunnel.
3. For the Tunnel Interface, select New Tunnel Interface.
4. In the Interface Name field, enter a numeric suffix, such as .2.
5. On the Config tab, select the Virtual Router where you are configuring NAT64.
6. For Security Zone, select the destination zone associated with the IPv4 server destination (Trust zone).
7. On the IPv6 tab, select Enable IPv6 on the interface.
8. Click Add and for the Address, select New Address.
9. Enter a Name for the address.
10. (Optional) Enter a Description for the tunnel address.
11. For Type, select IP Netmask and enter your IPv6 prefix and prefix length, in this example, 64:FF9B::/96.
12. Click OK to save the new address.
13. Select Enable address on interface and click OK.
14. Click OK to save the tunnel interface.
15. Click OK to save the tunnel.


Step 9 Create a security policy to allow NAT traffic from the trust zone.
1. Select Policies > Security and Add a rule Name.
2. Select Source and Add a Source Zone; select Trust.
3. For Source Address, select Any.
4. Select Destination and Add a Destination Zone; select Untrust.
5. For Application, select Any.
6. For Actions, select Allow.
7. Click OK.

Step 10 Commit. Click Commit.

Step 11 Troubleshoot or view a NAT64 session. > show session id <session-id>

Configure NAT64 for IPv4-Initiated Communication

IPv4-initiated communication to an IPv6 server is similar to destination NAT in an IPv4 topology. The destination IPv4 address maps to the destination IPv6 address through a one-to-one, static IP translation (not a many-to-one translation).
The firewall encodes the source IPv4 address into Well-Known Prefix 64:FF9B::/96 as defined in RFC 6052. The translated destination address is the actual IPv6 address. The use case for IPv4-initiated communication is typically when an organization is providing access from the public, untrust zone to an IPv6 server in the organization's DMZ zone. This topology does not use a DNS64 server.

Configure NAT64 for IPv4-Initiated Communication

Step 1 Enable IPv6 to operate on the firewall.
1. Select Device > Setup > Session and edit the Session Settings.
2. Select Enable IPv6 Firewalling.
3. Click OK.


Step 2 (Optional) When an IPv4 packet has its DF bit set to zero (and because IPv6 does not fragment packets), ensure the translated IPv6 packet does not exceed the path MTU for the destination IPv6 network.
1. Select Device > Setup > Session and edit Session Settings.
2. For NAT64 IPv6 Minimum Network MTU, enter the smallest number of bytes into which the firewall will fragment IPv4 packets for translation to IPv6 (range is 1280-9216, default is 1280).
   TIP: If you don't want the firewall to fragment an IPv4 packet prior to translation, set the MTU to 9216. If the translated IPv6 packet still exceeds this value, the firewall drops the packet and issues an ICMP packet indicating destination unreachable, fragmentation needed.
3. Click OK.

Step 3 Create an address object for the IPv4 destination address (pre-translation).
1. Select Objects > Addresses and click Add.
2. Enter a Name for the object, for example, nat64_ip4server.
3. For Type, select IP Netmask and enter the IPv4 address and netmask of the firewall interface in the Untrust zone. This example uses 198.51.19.1/24.
4. Click OK.

Step 4 Create an address object for the IPv6 source address (translated).
1. Select Objects > Addresses and click Add.
2. Enter a Name for the object, for example, nat64_ip6source.
3. For Type, select IP Netmask and enter the NAT64 IPv6 address with a netmask that is compliant with RFC 6052 (/32, /40, /48, /56, /64, or /96).
   For this example, enter 64:FF9B::/96.
   (The firewall encodes the prefix with the IPv4 source address 192.1.2.8, which is C001:0208 in hexadecimal.)
4. Click OK.

Step 5 Create an address object for the IPv6 destination address (translated).
1. Select Objects > Addresses and click Add.
2. Enter a Name for the object, for example, nat64_server_2.
3. For Type, select IP Netmask and enter the IPv6 address of the IPv6 server (destination). This example uses 2001:DB8::2/64.
   NOTE: The source and destination must have the same netmask (prefix length).
4. Click OK.

Step 6 Create the NAT64 rule.
1. Select Policies > NAT and click Add.
2. On the General tab, enter a Name for the NAT64 rule, for example, nat64_ipv4_init.
3. For NAT Type, select nat64.


Step 7 Specify the original source and destination information.
1. For the Original Packet, Add the Source Zone, likely an untrust zone.
2. Select the Destination Zone, likely a trust or DMZ zone.
3. For Source Address, select Any or Add the address object for the IPv4 host.
4. For Destination Address, Add the address object for the IPv4 destination, in this example, nat64_ip4server.
5. For Service, select any.

Step 8 Specify the translated packet information.
1. For the Translated Packet, in the Source Address Translation, Translation Type, select Static IP.
2. For Translated Address, select the source translated address object you created, nat64_ip6source.
3. For Destination Address Translation, for Translated Address, specify a single IPv6 address (the address object, in this example, nat64_server_2, or the IPv6 address of the server).
4. Click OK.

Step 9 Create a security policy to allow the NAT traffic from the Untrust zone.
1. Select Policies > Security and Add a rule Name.
2. Select Source and Add a Source Zone; select Untrust.
3. For Source Address, select Any.
4. Select Destination and Add a Destination Zone; select DMZ.
5. For Actions, select Allow.
6. Click OK.

Step 10 Commit. Click Commit.

Step 11 Troubleshoot or view a NAT64 session. > show session id <session-id>

Configure NAT64 for IPv4-Initiated Communication with Port Translation

This task builds on the task to Configure NAT64 for IPv4-Initiated Communication, but the organization controlling the IPv6 network prefers to translate the public destination port number to an internal destination port number and thereby keep it private from users on the IPv4 untrust side of the firewall. In this example, port 8080 is translated to port 80. To do that, in the Original Packet of the NAT64 policy rule, create a new Service that specifies the destination port is 8080. For the Translated Packet, the translated port is 80.


Configure NAT64 for IPv4-Initiated Communication with Port Translation

Step 1 Enable IPv6 to operate on the firewall.
1. Select Device > Setup > Session and edit the Session Settings.
2. Select Enable IPv6 Firewalling.
3. Click OK.

Step 2 (Optional) When an IPv4 packet has its DF bit set to zero (and because IPv6 does not fragment packets), ensure the translated IPv6 packet does not exceed the path MTU for the destination IPv6 network.
1. Select Device > Setup > Session and edit Session Settings.
2. For NAT64 IPv6 Minimum Network MTU, enter the smallest number of bytes into which the firewall will fragment IPv4 packets for translation to IPv6 (range is 1280-9216, default is 1280).
   TIP: If you don't want the firewall to fragment an IPv4 packet prior to translation, set the MTU to 9216. If the translated IPv6 packet still exceeds this value, the firewall drops the packet and issues an ICMP packet indicating destination unreachable, fragmentation needed.
3. Click OK.

Step 3 Create an address object for the IPv4 destination address (pre-translation).
1. Select Objects > Addresses and click Add.
2. Enter a Name for the object, for example, nat64_ip4server.
3. For Type, select IP Netmask and enter the IPv4 address and netmask of the firewall interface in the Untrust zone. This example uses 198.51.19.1/24.
4. Click OK.

Step 4 Create an address object for the IPv6 source address (translated).
1. Select Objects > Addresses and click Add.
2. Enter a Name for the object, for example, nat64_ip6source.
3. For Type, select IP Netmask and enter the NAT64 IPv6 address with a netmask that is compliant with RFC 6052 (/32, /40, /48, /56, /64, or /96).
   For this example, enter 64:FF9B::/96.
   (The firewall encodes the prefix with the IPv4 source address 192.1.2.8, which is C001:0208 in hexadecimal.)
4. Click OK.


Step 5 Create an address object for the IPv6 destination address (translated).
1. Select Objects > Addresses and click Add.
2. Enter a Name for the object, for example, nat64_server_2.
3. For Type, select IP Netmask and enter the IPv6 address of the IPv6 server (destination). This example uses 2001:DB8::2/64.
   NOTE: The source and destination must have the same netmask (prefix length).
4. Click OK.

Step 6 Create the NAT64 rule.
1. Select Policies > NAT and click Add.
2. On the General tab, enter a Name for the NAT64 rule, for example, nat64_ipv4_init.
3. For NAT Type, select nat64.

Step 7 Specify the original source and destination information, and create a service to limit the translation to a single ingress port number.
1. For the Original Packet, Add the Source Zone, likely an untrust zone.
2. Select the Destination Zone, likely a trust or DMZ zone.
3. For Service, select New Service.
4. Enter a Name for the Service, such as Port_8080.
5. Select TCP as the Protocol.
6. For Destination Port, enter 8080.
7. Click OK to save the Service.
8. For Source Address, select Any or Add the address object for the IPv4 host.
9. For Destination Address, Add the address object for the IPv4 destination, in this example, nat64_ip4server.

Step 8 Specify the translated packet information.
1. For the Translated Packet, in the Source Address Translation, Translation Type, select Static IP.
2. For Translated Address, select the source translated address object you created, nat64_ip6source.
3. For Destination Address Translation, for Translated Address, specify a single IPv6 address (the address object, in this example, nat64_server_2, or the IPv6 address of the server).
4. Specify the private destination Translated Port number to which the firewall translates the public destination port number, in this example, 80.
5. Click OK.

Step 9 Create a security policy to allow the NAT traffic from the Untrust zone.
1. Select Policies > Security and Add a rule Name.
2. Select Source and Add a Source Zone; select Untrust.
3. For Source Address, select Any.
4. Select Destination and Add a Destination Zone; select DMZ.
5. For Actions, select Allow.
6. Click OK.

Step 10 Commit. Click Commit.


Step 11 Troubleshoot or view a NAT64 session. > show session id <session-id>


ECMP

Equal Cost Multiple Path (ECMP) processing is a networking feature that enables the firewall to use up to four equal-cost routes to the same destination. Without this feature, if there are multiple equal-cost routes to the same destination, the virtual router chooses one of those routes from the routing table and adds it to its forwarding table; it will not use any of the other routes unless there is an outage in the chosen route. Enabling ECMP functionality on a virtual router allows the firewall to have up to four equal-cost paths to a destination in its forwarding table, allowing the firewall to:
- Load balance flows (sessions) to the same destination over multiple equal-cost links.
- Efficiently use all available bandwidth on links to the same destination rather than leave some links unused.
- Dynamically shift traffic to another ECMP member to the same destination if a link fails, rather than having to wait for the routing protocol or RIB table to elect an alternative path/route. This can help reduce downtime when links fail.
For information about ECMP path selection when an HA peer fails, see ECMP in Active/Active HA Mode.
The following sections describe ECMP and how to configure it.
ECMP Load Balancing Algorithms
ECMP Model, Interface, and IP Routing Support
Configure ECMP on a Virtual Router
Enable ECMP for Multiple BGP Autonomous Systems
Verify ECMP

ECMP Load Balancing Algorithms

Let's suppose the Routing Information Base (RIB) of the firewall has multiple equal-cost paths to a single destination. The maximum number of equal-cost paths defaults to 2. ECMP chooses the best two equal-cost paths from the RIB to copy to the Forwarding Information Base (FIB). ECMP then determines, based on the load-balancing method, which of the two paths in the FIB the firewall will use for the destination during this session.
ECMP load balancing is done at the session level, not at the packet level; the start of a new session is when the firewall (ECMP) chooses an equal-cost path. The equal-cost paths to a single destination are considered ECMP path members or ECMP group members. ECMP determines which one of the multiple paths to a destination in the FIB to use for an ECMP flow, based on which load-balancing algorithm you set. A virtual router can use only one load-balancing algorithm.

Enabling, disabling, or changing ECMP on an existing virtual router causes the system to restart the virtual router, which might cause existing sessions to be terminated.

The four algorithm choices emphasize different priorities, as follows:
- Hash-based algorithms prioritize session stickiness: The IP Modulo and IP Hash algorithms use hashes based on information in the packet header, such as source and destination address. Because the header of each flow in a given session contains the same source and destination information, these options prioritize session stickiness. If you choose the IP Hash algorithm, you can optionally set a Hash Seed value to further randomize load balancing if you have a large number of sessions to the same destination and they're not being distributed evenly over the ECMP links.
- Balanced algorithm prioritizes load balancing: The Balanced Round Robin algorithm distributes incoming sessions equally across the links, favoring load balancing over session stickiness. (Round robin indicates a sequence in which the least recently chosen item is chosen.) In addition, if new routes are added or removed from an ECMP group (for example, if a path in the group goes down), the virtual router will rebalance the sessions across links in the group. Additionally, if the flows in a session have to switch routes due to an outage, when the original route associated with the session becomes available again, the flows in the session will revert to the original route when the virtual router once again rebalances the load.
- Weighted algorithm prioritizes link capacity and/or speed: As an extension to the ECMP protocol standard, the Palo Alto Networks implementation provides for a Weighted Round Robin load-balancing option that takes into account differing link capacities and speeds on the egress interfaces of the firewall. With this option, you can assign ECMP Weights (range is 1-255; default is 100) to the interfaces based on link performance using factors such as link capacity, speed, and latency to ensure that loads are balanced to fully leverage the available links.
  For example, suppose the firewall has redundant links to an ISP: ethernet1/1 (100 Mbps) and ethernet1/8 (200 Mbps). Although these are equal-cost paths, the link via ethernet1/8 provides greater bandwidth and therefore can handle a greater load than the ethernet1/1 link. Therefore, to ensure that the load-balancing functionality takes into account link capacity and speed, you might assign ethernet1/8 a weight of 200 and ethernet1/1 a weight of 100. The 2:1 weight ratio causes the virtual router to send twice as many sessions to ethernet1/8 as it sends to ethernet1/1. However, because the ECMP protocol is inherently session-based, when using the Weighted Round Robin algorithm, the firewall will be able to load balance across the ECMP links only on a best-effort basis.
  Keep in mind that ECMP weights are assigned to interfaces to determine load balancing (to influence which equal-cost path is chosen), not for route selection (a route choice from routes that could have different costs).

Assign lower-speed or lower-capacity links a lower weight. Assign higher-speed or higher-capacity links a higher weight. In this manner, the firewall can distribute sessions based on these ratios, rather than overdrive a low-capacity link that is one of the equal-cost paths.
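The following Python model is added here and is not code from the guide or from PAN-OS. It reproduces the session-level behaviour of the four algorithms just described: hash stickiness for IP Modulo and IP Hash (with the optional Hash Seed), equal rotation for Balanced Round Robin, and the 2:1 split that weights of 200 and 100 on ethernet1/8 and ethernet1/1 produce under Weighted Round Robin. The hash function and the smooth weighted round-robin are illustrative stand-ins; the firewall's internal hash and its exact selection order are not specified on this page.

```python
"""Session-level ECMP path selection, modelled on the four PAN-OS algorithms.

Illustrative model only: the hash below stands in for the firewall's internal
hash, so it will not predict the firewall's actual path choice."""
import hashlib
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

Session = Tuple[str, str, int, int]  # (source IP, destination IP, sport, dport)


def _stable_hash(data: bytes, seed: int = 0) -> int:
    """Deterministic keyed hash; the key plays the role of the IP Hash 'Hash Seed'."""
    key = seed.to_bytes(8, "big")  # Hash Seed is at most nine decimal digits
    return int.from_bytes(hashlib.blake2b(data, digest_size=8, key=key).digest(), "big")


def ip_modulo(session: Session, paths: List[str]) -> str:
    """IP Modulo: hash of source and destination IP only, modulo path count."""
    src, dst, _, _ = session
    data = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return paths[_stable_hash(data) % len(paths)]


def ip_hash(session: Session, paths: List[str], use_ports: bool = False,
            hash_seed: int = 0) -> str:
    """IP Hash: source/destination IP, optionally the ports, plus a Hash Seed."""
    src, dst, sport, dport = session
    data = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    if use_ports:  # 'Use Source/Destination Ports' option
        data += sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
    return paths[_stable_hash(data, hash_seed) % len(paths)]


class BalancedRoundRobin:
    """Balanced Round Robin: each new session goes to the least recently chosen
    path; a change in the set of paths restarts the rotation (rebalance)."""

    def __init__(self, paths: List[str]) -> None:
        self.set_paths(paths)

    def set_paths(self, paths: List[str]) -> None:
        self.paths = list(paths)
        self._next = 0

    def choose(self) -> str:
        path = self.paths[self._next]
        self._next = (self._next + 1) % len(self.paths)
        return path


class WeightedRoundRobin:
    """Weighted Round Robin (smooth variant): a path with ECMP Weight 200 is
    chosen twice as often as one with weight 100 (weights range 1-255)."""

    def __init__(self, weights: Dict[str, int]) -> None:
        if any(not 1 <= w <= 255 for w in weights.values()):
            raise ValueError("ECMP weight must be in 1-255")
        self.weights = dict(weights)
        self._credit = {p: 0 for p in weights}

    def choose(self) -> str:
        for p, w in self.weights.items():
            self._credit[p] += w
        path = max(self._credit, key=self._credit.get)
        self._credit[path] -= sum(self.weights.values())
        return path


def distribute(chooser, n_sessions: int) -> Counter:
    """Open n new sessions through a round-robin chooser; count sessions per path."""
    return Counter(chooser.choose() for _ in range(n_sessions))


def hash_is_sticky(session: Session, paths: List[str], repeats: int = 5) -> bool:
    """Every flow of one session (same header tuple) must land on the same path."""
    return len({ip_hash(session, paths, use_ports=True) for _ in range(repeats)}) == 1
```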

ECMP Model, Interface, and IP Routing Support

ECMP is supported on all Palo Alto Networks firewall models, with hardware forwarding support on the PA-7000 Series, PA-5000 Series, PA-3060 firewalls, and PA-3050 firewalls. PA-3020 firewalls, PA-500 firewalls, PA-200 firewalls, and VM-Series firewalls support ECMP through software only. Performance is affected for sessions that cannot be hardware offloaded.
ECMP is supported on Layer 3, Layer 3 subinterface, VLAN, tunnel, and Aggregated Ethernet interfaces.
ECMP can be configured for static routes and any of the dynamic routing protocols the firewall supports.
ECMP affects the route table capacity because the capacity is based on the number of paths, so an ECMP route with four paths will consume four entries of route table capacity. ECMP implementation might slightly decrease the route table capacity because more memory is being used by session-based tags to map traffic flows to particular interfaces.
Virtual router-to-virtual router routing using static routes does not support ECMP.


Configure ECMP on a Virtual Router

Use the following procedure to enable ECMP on a virtual router. The prerequisites are to:
- Specify the interfaces that belong to a virtual router (Network > Virtual Routers > Router Settings > General).
- Specify the IP routing protocol.
Enabling, disabling, or changing ECMP for an existing virtual router causes the system to restart the virtual router, which might cause sessions to be terminated.

Configure ECMP on a Virtual Router

Step 1  Enable ECMP for a virtual router.
  1. Select Network > Virtual Routers and select the virtual router on which to enable ECMP.
  2. Select Router Settings > ECMP and select Enable.

Step 2  (Optional) Enable symmetric return of packets from server to client.
  (Optional) Select Symmetric Return to cause return packets to egress out the same interface on which the associated ingress packets arrived. That is, the firewall will use the ingress interface on which to send return packets, rather than use the ECMP interface. The Symmetric Return setting overrides load balancing. This behavior occurs only for traffic flows from the server to the client.

Step 3  Specify the maximum number of equal-cost paths (to a destination network) that can be copied from the Routing Information Base (RIB) to the Forwarding Information Base (FIB).
  For Max Path allowed, enter 2, 3, or 4. Default: 2.

Step 4  Select the load-balancing algorithm for the virtual router. For more information on load-balancing methods and how they differ, see ECMP Load Balancing Algorithms.
  For Load Balance, select one of the following options from the Method drop-down:
  - IP Modulo (default): Uses a hash of the source and destination IP addresses in the packet header to determine which ECMP route to use.
  - IP Hash: Uses a hash of the source and destination IP addresses and optionally the source and destination port numbers in the packet header to determine which ECMP route to use. Specify options in Step 5 below.
  - Balanced Round Robin: Uses round robin among the ECMP paths and rebalances paths when the number of paths changes.
  - Weighted Round Robin: Uses round robin and a relative weight to select from among ECMP paths. Specify the weights in Step 6 below.

Step 5  (IP Hash only) Configure IP Hash options.
  If you selected IP Hash as the Method:
  1. Select Use Source/Destination Ports if you want to use source or destination port numbers in the IP Hash calculation.
  2. Enter a Hash Seed value (an integer with a maximum of nine digits). Specify a Hash Seed value to further randomize load balancing. Specifying a hash seed value is useful if you have a large number of sessions with the same tuple information.

Step 6  (Weighted Round Robin only) Define a weight for each interface in the ECMP group.
  If you selected Weighted Round Robin as the Method, define a weight for each of the interfaces that are the egress points for traffic to be routed to the same destinations (that is, interfaces that are part of an ECMP group, such as the interfaces that provide redundant links to your ISP or interfaces to the core business applications on your corporate network).
  The higher the weight, the more often that equal-cost path will be selected for a new session.
  Give higher-speed links a higher weight than slower links so that more of the ECMP traffic goes over the faster link.
  1. Create an ECMP group by clicking Add and selecting an Interface from the drop-down.
  2. Add the other interfaces in the ECMP group.
  3. Click on Weight and specify the relative weight for each interface (range is 1-255; default is 100).

Step 7  Save the configuration.
  1. Click OK.
  2. At the ECMP Configuration Change prompt, click Yes to restart the virtual router. Restarting the virtual router might cause existing sessions to be terminated.
  NOTE: This message displays only if you are modifying an existing virtual router with ECMP.

Step 8  Commit. Commit the configuration.

Enable ECMP for Multiple BGP Autonomous Systems

Perform the following task if you have BGP configured, and you want to enable ECMP over multiple autonomous systems. This task presumes that BGP is already configured. In the following figure, two ECMP paths to a destination go through two firewalls belonging to a single ISP in a single BGP autonomous system.


In the following figure, two ECMP paths to a destination go through two firewalls belonging to two different ISPs in different BGP autonomous systems.

Enable ECMP for BGP Autonomous Systems

Step 1  Configure ECMP. See Configure ECMP on a Virtual Router.


Step 2  For BGP routing, enable ECMP over multiple autonomous systems.
  1. Select Network > Virtual Routers and select the virtual router on which to enable ECMP for multiple BGP autonomous systems.
  2. Select BGP > Advanced and select ECMP Multiple AS Support.

Step 3  Commit the configuration. Click OK and Commit the configuration.

Verify ECMP

A virtual router configured for ECMP indicates in the Forwarding Information Base (FIB) table which routes are ECMP routes. An ECMP flag (E) for a route indicates that it is participating in ECMP for the egress interface to the next hop for that route. To verify ECMP, use the following procedure to look at the FIB and confirm that some routes are equal-cost multiple paths.

Confirm That Routes Are Equal-Cost Multiple Paths

Step 1  Select Network > Virtual Routers.

Step 2  In the row of the virtual router for which you enabled ECMP, click More Runtime Stats.

Step 3  Select Routing > Forwarding Table to see the FIB. In the table, note that multiple routes to the same Destination (out a different Interface) have the E flag.
  An asterisk (*) denotes the preferred path for the ECMP group.


LLDP

Palo Alto Networks firewalls support Link Layer Discovery Protocol (LLDP), which functions at the link layer to discover neighboring devices and their capabilities. LLDP allows the firewall and other network devices to send and receive LLDP data units (LLDPDUs) to and from neighbors. The receiving device stores the information in a MIB, which the Simple Network Management Protocol (SNMP) can access. LLDP makes troubleshooting easier, especially for virtual wire deployments where the firewall would typically go undetected by a ping or traceroute.
- LLDP Overview
- Supported TLVs in LLDP
- LLDP Syslog Messages and SNMP Traps
- Configure LLDP
- View LLDP Settings and Status
- Clear LLDP Statistics

LLDP Overview

LLDP operates at Layer 2 of the OSI model, using MAC addresses. An LLDPDU is a sequence of type-length-value (TLV) elements encapsulated in an Ethernet frame. The IEEE 802.1AB standard defines three MAC addresses for LLDPDUs: 01-80-C2-00-00-0E, 01-80-C2-00-00-03, and 01-80-C2-00-00-00.
The Palo Alto Networks firewall supports only one MAC address for transmitting and receiving LLDP data units: 01-80-C2-00-00-0E. When transmitting, the firewall uses 01-80-C2-00-00-0E as the destination MAC address. When receiving, the firewall processes datagrams with 01-80-C2-00-00-0E as the destination MAC address. If the firewall receives either of the other two MAC addresses for LLDPDUs on its interfaces, the firewall takes the same forwarding action it took prior to this feature, as follows:
- If the interface type is vwire, the firewall forwards the datagram to the other port.
- If the interface type is L2, the firewall floods the datagram to the rest of the VLAN.
- If the interface type is L3, the firewall drops the datagrams.
Panorama, the GlobalProtect Mobile Security Manager, and the WildFire appliance are not supported.
Interface types that do not support LLDP are TAP, high availability (HA), Decrypt Mirror, virtual wire/VLAN/L3 subinterfaces, and PA-7000 Series Log Processing Card (LPC) interfaces.
An LLDP Ethernet frame has the following format:


Within the LLDP Ethernet frame, the TLV structure has the following format:

Supported TLVs in LLDP

LLDPDUs include mandatory and optional TLVs. The following table lists the mandatory TLVs that the firewall supports:

Mandatory TLVs | TLV Type | Description
Chassis ID TLV | 1 | Identifies the firewall chassis. Each firewall must have exactly one unique Chassis ID. The Chassis ID subtype is 4 (MAC address); Palo Alto Networks models will use the MAC address of Eth0 to ensure uniqueness.
Port ID TLV | 2 | Identifies the port from which the LLDPDU is sent. Each firewall uses one Port ID for each LLDPDU message transmitted. The Port ID subtype is 5 (interface name) and uniquely identifies the transmitting port. The firewall uses the interface's ifname as the Port ID.
Time-to-live (TTL) TLV | 3 | Specifies how long (in seconds) LLDPDU information received from the peer is retained as valid in the local firewall (range is 0-65535). The value is a multiple of the LLDP Hold Time Multiplier. When the TTL value is 0, the information associated with the device is no longer valid and the firewall removes that entry from the MIB.
End of LLDPDU TLV | 0 | Indicates the end of the TLVs in the LLDP Ethernet frame.


The following table lists the optional TLVs that the Palo Alto Networks firewall supports:

Optional TLVs | TLV Type | Purpose and Notes Regarding Firewall Implementation
Port Description TLV | 4 | Describes the port of the firewall in alphanumeric format. The ifAlias object is used.
System Name TLV | 5 | Configured name of the firewall in alphanumeric format. The sysName object is used.
System Description TLV | 6 | Describes the firewall in alphanumeric format. The sysDescr object is used.
System Capabilities | 7 | Describes the deployment mode of the interface, as follows:
  - An L3 interface is advertised with Router (bit 6) capability and the Other bit (bit 1).
  - An L2 interface is advertised with MAC Bridge (bit 3) capability and the Other bit (bit 1).
  - A virtual wire interface is advertised with Repeater (bit 2) capability and the Other bit (bit 1).
Management Address | 8 | One or more IP addresses used for firewall management, as follows:
  - IP address of the management (MGT) interface
  - IPv4 and/or IPv6 address of the interface
  - Loopback address
  - User-defined address entered in the management address field
  If no management IP address is provided, the default is the MAC address of the transmitting interface.
  Included is the interface number of the management address specified. Also included is the OID of the hardware interface with the management address specified (if applicable).
  If more than one management address is specified, they will be sent in the order they are specified, starting at the top of the list. A maximum of four Management Addresses are supported.
  This is an optional parameter and can be left disabled.
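An added example, not code from the guide or from PAN-OS: a small Python encoder and parser for the LLDPDU the two tables describe (Chassis ID subtype 4, Port ID subtype 5, TTL, System Name, System Capabilities, End of LLDPDU), which also classifies the receive-side conditions that the LLDP Status tab counts as Errors, Unrecognized and Aged Out. The chassis MAC, interface name and system name in the test frames are constructed; the capability bit masks follow IEEE 802.1AB in the same order as the letters O, P, B, W, R, T used on the Peers tab.

```python
"""Encoder/parser for the LLDPDU structure the guide describes: a 7-bit TLV
type, a 9-bit length and the value, inside an Ethernet frame addressed to
01-80-C2-00-00-0E (EtherType 0x88CC).  Receive-side checks mirror the LLDP
Status counters (Errors, Unrecognized, Aged Out).  Frame contents below are
constructed for this example."""
import struct
from typing import Dict, List, Tuple

LLDP_MCAST = bytes.fromhex("0180c200000e")  # the only LLDP MAC the firewall processes
ETHERTYPE_LLDP = 0x88CC
KNOWN_TLV_TYPES = {0, 1, 2, 3, 4, 5, 6, 7, 8, 127}  # 127 = organizationally specific
# IEEE 802.1AB capability bits, in the order of the letters shown on the Peers tab.
CAPABILITY_LETTERS = [(0x01, "O"), (0x02, "P"), (0x04, "B"),
                      (0x08, "W"), (0x10, "R"), (0x20, "T")]


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the value bytes."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_frame(chassis_mac: bytes, ifname: str, ttl: int, sysname: str,
                caps: int, enabled: int, extra: bytes = b"") -> bytes:
    """Frame laid out as the firewall sends it: Chassis ID subtype 4 (MAC),
    Port ID subtype 5 (interface name), TTL, optional TLVs, End of LLDPDU.
    `extra` lets a caller inject an arbitrary TLV ahead of the End TLV."""
    body = (tlv(1, b"\x04" + chassis_mac)
            + tlv(2, b"\x05" + ifname.encode())
            + tlv(3, struct.pack("!H", ttl))
            + tlv(5, sysname.encode())
            + tlv(7, struct.pack("!HH", caps, enabled))
            + extra
            + tlv(0, b""))
    return LLDP_MCAST + chassis_mac + struct.pack("!H", ETHERTYPE_LLDP) + body


def caps_to_letters(mask: int) -> str:
    """0x11 -> 'OR': Other plus Router, as an L3 interface advertises."""
    return "".join(letter for bit, letter in CAPABILITY_LETTERS if mask & bit)


def parse_lldpdu(frame: bytes) -> Tuple[Dict[str, object], List[str]]:
    """Return (neighbor record, conditions).  Conditions are prefixed 'error:'
    (mandatory TLV missing/out of order, length error), 'unrecognized:'
    (reserved type), 'aged out:' (TTL 0) or 'dropped:' (not our LLDP MAC)."""
    info: Dict[str, object] = {}
    conditions: List[str] = []
    if frame[:6] != LLDP_MCAST or frame[12:14] != struct.pack("!H", ETHERTYPE_LLDP):
        return info, ["dropped: not an LLDPDU addressed to 01-80-C2-00-00-0E"]
    pos, index = 14, 0
    while pos + 2 <= len(frame):
        header = struct.unpack("!H", frame[pos:pos + 2])[0]
        t, length = header >> 9, header & 0x1FF
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            conditions.append("error: TLV length runs past the end of the frame")
            break
        pos += 2 + length
        if index < 3 and t != index + 1:  # Chassis ID, Port ID, TTL must lead, in order
            conditions.append(f"error: mandatory TLV {index + 1} missing or out of order")
        if t == 0:
            break
        if t == 1 and length >= 2:
            info["chassis_id"] = value[1:].hex(":") if value[0] == 4 else value[1:].hex()
        elif t == 2 and length >= 2:
            info["port_id"] = value[1:].decode(errors="replace")
        elif t == 3 and length == 2:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif t == 5:
            info["system_name"] = value.decode(errors="replace")
        elif t == 7 and length == 4:
            caps, enabled = struct.unpack("!HH", value)
            info["capabilities"] = caps_to_letters(caps)
            info["enabled"] = caps_to_letters(enabled)
        elif t not in KNOWN_TLV_TYPES:
            conditions.append(f"unrecognized: TLV type {t} is in the reserved range")
        elif t in (1, 2, 3, 7):
            conditions.append(f"error: TLV type {t} has invalid length {length}")
        index += 1
    else:
        conditions.append("error: End of LLDPDU TLV missing")
    if info.get("ttl") == 0:
        conditions.append("aged out: TTL 0, neighbor entry removed from the MIB")
    return info, conditions
```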

LLDP Syslog Messages and SNMP Traps

The firewall stores LLDP information in MIBs, which an SNMP Manager can monitor. If you want the firewall to send SNMP trap notifications and syslog messages about LLDP events, you must enable SNMP Syslog Notification in an LLDP profile.
Per RFC 5424, The Syslog Protocol, and RFC 1157, A Simple Network Management Protocol, LLDP sends syslog and SNMP trap messages when MIB changes occur. These messages are rate-limited by the Notification Interval, an LLDP global setting that defaults to 5 seconds and is configurable.
Because the LLDP syslog and SNMP trap messages are rate-limited, some LLDP information provided to those processes might not match the current LLDP statistics seen when you View the LLDP status information. This is normal, expected behavior.
A maximum of 5 MIBs can be received per interface (Ethernet or AE). Each different source has one MIB. If this limit is exceeded, the error message tooManyNeighbors is triggered.


Configure LLDP

To configure LLDP and create an LLDP profile, you must be a superuser or device administrator (deviceadmin). A firewall interface supports a maximum of five LLDP peers.

Configure LLDP

Step 1  Enable LLDP on the firewall.
  Select Network > LLDP and edit the LLDP General section; select Enable.

Step 2  (Optional) Change LLDP global settings.
  1. For Transmit Interval (sec), specify the interval (in seconds) at which LLDPDUs are transmitted. Default: 30 seconds. Range: 1-3600 seconds.
  2. For Transmit Delay (sec), specify the delay time (in seconds) between LLDP transmissions sent after a change is made in a TLV element. The delay helps to prevent flooding the segment with LLDPDUs if many network changes spike the number of LLDP changes, or if the interface flaps. The Transmit Delay must be less than the Transmit Interval. Default: 2 seconds. Range: 1-600 seconds.
  3. For Hold Time Multiple, specify a value that is multiplied by the Transmit Interval to determine the total TTL Hold Time. Default: 4. Range: 1-100. The maximum TTL Hold Time is 65535 seconds, regardless of the multiplier value.
  4. For Notification Interval, specify the interval (in seconds) at which LLDP Syslog Messages and SNMP Traps are transmitted when MIB changes occur. Default: 5 seconds. Range: 1-3600 seconds.
  5. Click OK.


Step 3  Create an LLDP profile. For descriptions of the optional TLVs, see Supported TLVs in LLDP.
  1. Select Network > Network Profiles > LLDP Profile and Add a Name for the LLDP profile.
  2. For Mode, select transmit-receive (default), transmit-only, or receive-only.
  3. Select SNMP Syslog Notification to enable SNMP notifications and syslog messages. If enabled, the global Notification Interval is used. The firewall will send both an SNMP trap and a syslog event as configured in the Device > Log Settings > System > SNMP Trap Profile and Syslog Profile.
  4. For Optional TLVs, select the TLVs you want transmitted:
     - Port Description
     - System Name
     - System Description
     - System Capabilities
  5. (Optional) Select Management Address to add one or more management addresses and Add a Name.
  6. Select the Interface from which to obtain the management address. At least one management address is required if the Management Address TLV is enabled. If no management IP address is configured, the system uses the MAC address of the transmitting interface as the management address TLV.
  7. Select IPv4 or IPv6, and in the adjacent field, select an IP address from the drop-down (which lists the addresses configured on the selected interface), or enter an address.
  8. Click OK.
  9. Up to four management addresses are allowed. If you specify more than one Management Address, they will be sent in the order they are specified, starting at the top of the list. To change the order of the addresses, select an address and use the Move Up or Move Down buttons.
  10. Click OK.

Step 4  Assign an LLDP profile to an interface.
  1. Select Network > Interfaces and select the interface where you will assign an LLDP profile.
  2. Select Advanced > LLDP.
  3. Select Enable LLDP to assign an LLDP profile to the interface.
  4. For Profile, select the profile you created. Selecting None enables LLDP with basic functionality: it sends the three mandatory TLVs and enables transmit-receive mode. If you want to create a new profile, click LLDP Profile and follow the steps above.
  5. Click OK.

Step 5  Commit the configuration. Click Commit.


View LLDP Settings and Status

Perform the following procedure to view LLDP settings and status.

View LLDP Settings and Status

Step 1  View LLDP global settings.
  Select Network > LLDP.
  On the LLDP General screen, Enable indicates whether LLDP is enabled or not.
  If LLDP is enabled, the configured global settings (Transmit Interval, Transmit Delay, Hold Time Multiple, and Notification Interval) are displayed.
  If LLDP is not enabled, the default values of the global settings are displayed.
  For descriptions of these values, see (Optional) Change LLDP global settings.

Step 2  View the LLDP status information.
  1. Select the Status tab.
  2. (Optional) Enter a filter to restrict the information that is displayed.
  Interface Information:
  - Interface: Name of the interfaces that have LLDP profiles assigned to them.
  - LLDP: LLDP status: enabled or disabled.
  - Mode: LLDP mode of the interface: Tx/Rx, Tx Only, or Rx Only.
  - Profile: Name of the profile assigned to the interface.
  Transmission Information:
  - Total Transmitted: Count of LLDPDUs transmitted out the interface.
  - Dropped Transmit: Count of LLDPDUs that were not transmitted out the interface because of an error. For example, a length error when the system is constructing an LLDPDU for transmission.
  Received Information:
  - Total Received: Count of LLDP frames received on the interface.
  - Dropped TLV: Count of LLDP frames discarded upon receipt.
  - Errors: Count of TLVs that were received on the interface and contained errors. Types of TLV errors include: one or more mandatory TLVs missing, out of order, containing out-of-range information, or length error.
  - Unrecognized: Count of TLVs received on the interface that are not recognized by the LLDP local agent. For example, the TLV type is in the reserved TLV range.
  - Aged Out: Count of items deleted from the Receive MIB due to proper TTL expiration.

Step 3  View summary LLDP information for each neighbor seen on an interface.
  1. Select the Peers tab.
  2. (Optional) Enter a filter to restrict the information being displayed.
  - Local Interface: Interface on the firewall that detected the neighboring device.
  - Remote Chassis ID: Chassis ID of the peer. The MAC address will be used.
  - Port ID: Port ID of the peer.
  - Name: Name of the peer.
  - More info: Provides the following remote peer details, which are based on the Mandatory and Optional TLVs:
    - Chassis Type: MAC address.
    - MAC Address: MAC address of the peer.
    - System Name: Name of the peer.
    - System Description: Description of the peer.
    - Port Description: Port description of the peer.
    - Port Type: Interface name.
    - Port ID: The firewall uses the interface's ifname.
    - System Capabilities: Capabilities of the system. O=Other, P=Repeater, B=Bridge, W=Wireless LAN, R=Router, T=Telephone.
    - Enabled Capabilities: Capabilities enabled on the peer.
    - Management Address: Management address of the peer.

Clear LLDP Statistics

You can clear LLDP statistics for specific interfaces.

Clear LLDP Statistics

Step 1  Clear LLDP statistics for specific interfaces.
  1. Select Network > LLDP > Status and in the left-hand column, select one or more interfaces for which you want to clear LLDP statistics.
  2. Click Clear LLDP Statistics at the bottom of the screen.


BFD

The firewall supports Bidirectional Forwarding Detection (BFD), a protocol that recognizes a failure in the bidirectional path between two routing peers. BFD failure detection is extremely fast, providing for a faster failover than can be achieved by link monitoring or frequent dynamic routing health checks, such as Hello packets or heartbeats. Mission-critical data centers and networks that require high availability and extremely fast failover need the extremely fast failure detection that BFD provides.
- BFD Overview
- Configure BFD
- Reference: BFD Details

BFD Overview

When you enable BFD, BFD establishes a session from one endpoint (the firewall) to its BFD peer at the endpoint of a link using a three-way handshake. Control packets perform the handshake and negotiate the parameters configured in the BFD profile, including the minimum intervals at which the peers can send and receive control packets. BFD control packets for both IPv4 and IPv6 are transmitted over UDP port 3784. BFD control packets for multihop support are transmitted over UDP port 4784. BFD control packets transmitted over either port are encapsulated in the UDP packets.
After the BFD session is established, the Palo Alto Networks implementation of BFD operates in asynchronous mode, meaning both endpoints send each other control packets (which function like Hello packets) at the negotiated interval. If a peer does not receive a control packet within the detection time (calculated as the negotiated transmit interval multiplied by a Detection Time Multiplier), the peer considers the session down. (The firewall does not support demand mode, in which control packets are sent only if necessary rather than periodically.)
When you enable BFD for a static route and a BFD session between the firewall and the BFD peer fails, the firewall removes the failed route from the RIB and FIB tables and allows an alternate path with a lower priority to take over. When you enable BFD for a routing protocol, BFD notifies the routing protocol to switch to an alternate path to the peer. Thus, the firewall and BFD peer reconverge on a new path.
A BFD profile allows you to Configure BFD settings and apply them to one or more routing protocols or static routes on the firewall. If you enable BFD without configuring a profile, the firewall uses its default BFD profile (with all of the default settings). You cannot change the default BFD profile.
When an interface is running multiple protocols that use different BFD profiles, BFD uses the profile having the lowest Desired Minimum Tx Interval. See BFD for Dynamic Routing Protocols.
Active/passive HA peers synchronize BFD configurations and sessions; active/active HA peers do not.
BFD is standardized in RFC 5880. PAN-OS does not support all components of RFC 5880; see Non-Supported RFC Components of BFD.
PAN-OS also supports RFC 5881, Bidirectional Forwarding Detection (BFD) for IPv4 and IPv6 (Single Hop). In this case, BFD tracks a single hop between two systems that use IPv4 or IPv6, so the two systems are directly connected to each other. BFD also tracks multiple hops from peers connected by BGP. PAN-OS follows BFD encapsulation as described in RFC 5883, Bidirectional Forwarding Detection (BFD) for Multihop Paths. However, PAN-OS does not support authentication.
- BFD Model, Interface, and Client Support


- Non-Supported RFC Components of BFD
- BFD for Static Routes
- BFD for Dynamic Routing Protocols

BFD Model, Interface, and Client Support

PAN-OS supports BFD on PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, and VM-Series firewalls. Each model supports a maximum number of BFD sessions, as listed in the Product Selection tool.
BFD runs on physical Ethernet, Aggregated Ethernet (AE), VLAN, and tunnel interfaces (site-to-site VPN and LSVPN), and on Layer 3 subinterfaces.
Supported BFD clients are:
- Static routes (IPv4 and IPv6) consisting of a single hop
- OSPFv2 and OSPFv3 (interface types include broadcast, point-to-point, and point-to-multipoint)
- BGP IPv4 (IBGP, EBGP) consisting of a single hop or multiple hops
- RIP (single hop)

Non-Supported RFC Components of BFD

- Demand mode
- Authentication
- Sending or receiving Echo packets; however, the firewall will pass Echo packets that arrive on a virtual wire or tap interface. (BFD Echo packets have the same IP address for the source and destination.)
- Poll sequences
- Congestion control

BFD for Static Routes

To use BFD on a static route, both the firewall and the peer at the opposite end of the static route must support BFD sessions. A static route can have a BFD profile only if the Next Hop type is IP Address.
If an interface is configured with more than one static route to a peer (the BFD session has the same source IP address and same destination IP address), a single BFD session automatically handles the multiple static routes. This behavior reduces BFD sessions. If the static routes have different BFD profiles, the profile with the smallest Desired Minimum Tx Interval takes effect.
In a deployment where you want to configure BFD for a static route on a DHCP or PPPoE client interface, you must perform two commits. Enabling BFD for a static route requires that the Next Hop type be IP Address. But at the time of a DHCP or PPPoE interface commit, the interface IP address and next hop IP address (default gateway) are unknown.
You must first enable a DHCP or PPPoE client for the interface, perform a commit, and wait for the DHCP or PPPoE server to send the firewall the client IP address and default gateway IP address. Then you can configure the static route (using the default gateway address of the DHCP or PPPoE client as the next hop), enable BFD, and perform a second commit.


BFD for Dynamic Routing Protocols

In addition to BFD for static routes, the firewall supports BFD for the BGP, OSPF, and RIP routing protocols.

The Palo Alto Networks implementation of multihop BFD follows the encapsulation portion of RFC 5883, Bidirectional Forwarding Detection (BFD) for Multihop Paths, but does not support authentication. A workaround is to configure BFD in a VPN tunnel for BGP. The VPN tunnel can provide authentication without the duplication of BFD authentication.

When you enable BFD for OSPFv2 or OSPFv3 broadcast interfaces, OSPF establishes a BFD session only with its Designated Router (DR) and Backup Designated Router (BDR). On point-to-point interfaces, OSPF establishes a BFD session with the direct neighbor. On point-to-multipoint interfaces, OSPF establishes a BFD session with each peer.
The firewall does not support BFD on an OSPF or OSPFv3 virtual link.
Each routing protocol can have independent BFD sessions on an interface. Alternatively, two or more routing protocols (BGP, OSPF, and RIP) can share a common BFD session for an interface.
When you enable BFD for multiple protocols on the same interface, and the source IP address and destination IP address for the protocols are also the same, the protocols share a single BFD session, thus reducing both dataplane overhead (CPU) and traffic load on the interface. If you configure different BFD profiles for these protocols, only one BFD profile is used: the one that has the lowest Desired Minimum Tx Interval. If the profiles have the same Desired Minimum Tx Interval, the profile used by the first created session takes effect. In the case where a static route and OSPF share the same session, because a static session is created right after a commit, while OSPF waits until an adjacency is up, the profile of the static route takes effect.
The benefit of using a single BFD session in these cases is that this behavior uses resources more efficiently. The firewall can use the saved resources to support more BFD sessions on different interfaces or support BFD for different source IP and destination IP address pairs.
IPv4 and IPv6 on the same interface always create different BFD sessions, even though they can use the same BFD profile.

If you implement both BFD for BGP and HA path monitoring, Palo Alto Networks recommends you not implement BGP Graceful Restart. When the BFD peer's interface fails and path monitoring fails, BFD can remove the affected routes from the routing table and synchronize this change to the passive HA firewall before Graceful Restart can take effect. If you decide to implement BFD for BGP, Graceful Restart for BGP, and HA path monitoring, you should configure BFD with a larger Desired Minimum Tx Interval and larger Detection Time Multiplier than the default values.


Configure BFD

This task assumes you have performed the following prerequisites:
- Configured one or more Virtual Routers.
- Configured one or more Static Routes if you are applying BFD to static routes.
- Configured a routing protocol (BGP, OSPF, OSPFv3, or RIP) if you are applying BFD to a routing protocol.

The effectiveness of your BFD implementation depends on a variety of factors, such as traffic loads, network conditions, how aggressive your BFD settings are, and how busy the dataplane is.


Configure BFD

Step 1  Create a BFD profile.
  NOTE: If you change a setting in a BFD profile that an existing BFD session is using and you commit the change, before the firewall deletes that BFD session and recreates it with the new setting, the firewall sends a BFD packet with the local state set to admin down. The peer device may or may not flap the routing protocol or static route, depending on the peer's implementation of RFC 5882, Section 3.2.
  1. Select Network > Network Profiles > BFD Profile and Add a Name for the BFD profile. The name is case-sensitive and must be unique on the firewall. Use only letters, numbers, spaces, hyphens, and underscores.
  2. Select the Mode in which BFD operates:
     - Active: BFD initiates sending control packets to the peer (default). At least one of the BFD peers must be Active; both can be Active.
     - Passive: BFD waits for the peer to send control packets and responds as required.
  3. Enter the Desired Minimum Tx Interval (ms). This is the minimum interval, in milliseconds, at which you want the BFD protocol (referred to as BFD) to send BFD control packets; you are thus negotiating the transmit interval with the peer. Minimum on PA-7000, PA-5200 Series, and PA-5000 Series firewalls is 50; minimum on PA-3000 Series firewalls is 100; minimum on VM-Series firewalls is 200. Maximum is 2000; default is 1000.
     If you have multiple routing protocols that use different BFD profiles on the same interface, configure the BFD profiles with the same Desired Minimum Tx Interval.
  4. Enter the Required Minimum Rx Interval (ms). This is the minimum interval, in milliseconds, at which BFD can receive BFD control packets. Minimum on PA-7000, PA-5200 Series, and PA-5000 Series firewalls is 50; minimum on PA-3000 Series firewalls is 100; minimum on VM-Series firewalls is 200. Maximum is 2000; default is 1000.
  5. Enter the Detection Time Multiplier. The transmit interval (negotiated from the Desired Minimum Tx Interval) multiplied by the Detection Time Multiplier equals the detection time. If BFD does not receive a BFD control packet from its peer before the detection time expires, a failure has occurred. Range is 2-50; default is 3.
     For example, a transmit interval of 300 ms x 3 (Detection Time Multiplier) = 900 ms detection time.
     When configuring a BFD profile, take into consideration that the firewall is a session-based device typically at the edge of a network or data center and may have slower links than a dedicated router. Therefore, the firewall likely needs a longer interval and a higher multiplier than the fastest settings allowed. A detection time that is too short can cause false failure detections when the issue is really just traffic congestion.


  6. Enter the Hold Time (ms). This is the delay, in milliseconds, after a link comes up before BFD transmits BFD control packets. Hold Time applies to BFD Active mode only. If BFD receives BFD control packets during the Hold Time, it ignores them. Range is 0-120000. The default is 0, which means no transmit Hold Time is used; BFD sends and receives BFD control packets immediately after the link is established.
  7. (Optional) For a BGP IPv4 implementation only, configure hop-related settings for the BFD profile:
     - Select Multihop to enable BFD over BGP multihop.
     - Enter the Minimum Rx TTL. This is the minimum Time-to-Live value (number of hops) BFD will accept (receive) in a BFD control packet when BGP supports multihop BFD. (Range is 1-254; there is no default.) The firewall drops the packet if it receives a smaller TTL than its configured Minimum Rx TTL. For example, if the peer is 5 hops away, and the peer transmits a BFD packet with a TTL of 100 to the firewall, and if the Minimum Rx TTL for the firewall is set to 96 or higher, the firewall drops the packet.
  8. Click OK.

Step 2 (Optional) Enable BFD for a static route. Both the firewall and the peer at the opposite end of the static route must support BFD sessions.
1. Select Network > Virtual Routers and select the virtual router where the static route is configured.
2. Select the Static Routes tab.
3. Select the IPv4 or IPv6 tab.
4. Select the static route where you want to apply BFD.
5. Select an Interface (even if you are using a DHCP address). The Interface setting cannot be None.
6. For Next Hop, select IP Address and enter the IP address if not already specified.
7. For BFD Profile, select one of the following:
• default: Uses only default settings.
• A BFD profile you configured: See Create a BFD profile.
• New BFD Profile: Allows you to Create a BFD profile.
NOTE: Selecting None (Disable BFD) disables BFD for this static route.
8. Click OK.
A BFD column on the IPv4 or IPv6 tab indicates the BFD profile configured for the static route.

Step 3 (Optional) Enable BFD for all BGP interfaces or for a single BGP peer.
If you enable or disable BFD globally, all interfaces running BGP will be taken down and brought back up with the BFD function. This can disrupt all BGP traffic. When you enable BFD on the interface, the firewall stops the BGP connection to the peer to program BFD on the interface. The peer device sees the BGP connection drop, which can result in a reconvergence. Enable BFD for BGP interfaces during an off-peak time when a reconvergence will not impact production traffic.
If you implement both BFD for BGP and HA path monitoring, Palo Alto Networks recommends that you not implement BGP Graceful Restart. When the BFD peer's interface fails and path monitoring fails, BFD can remove the affected routes from the routing table and synchronize this change to the passive HA firewall before Graceful Restart can take effect. If you decide to implement BFD for BGP, Graceful Restart for BGP, and HA path monitoring, you should configure BFD with a larger Desired Minimum Tx Interval and a larger Detection Time Multiplier than the default values.
1. Select Network > Virtual Routers and select the virtual router where BGP is configured.
2. Select the BGP tab.
3. (Optional) To apply BFD to all BGP interfaces on the virtual router, in the BFD drop-down, select one of the following and click OK:
• default: Uses only default settings.
• A BFD profile you configured: See Create a BFD profile.
• New BFD Profile: Allows you to Create a BFD profile.
NOTE: Selecting None (Disable BFD) disables BFD for all BGP interfaces on the virtual router; you cannot enable BFD for a single BGP interface.
4. (Optional) To enable BFD for a single BGP peer interface (thereby overriding the BFD setting for BGP, as long as it is not disabled), perform the following tasks:
a. Select the Peer Group tab.
b. Select a peer group.
c. Select a peer.
d. In the BFD drop-down, select one of the following:
• default: Uses only default settings.
• Inherit-vr-global-setting (default): The BGP peer inherits the BFD profile that you selected globally for BGP for the virtual router.
• A BFD profile you configured: See Create a BFD profile.
NOTE: Selecting Disable BFD disables BFD for the BGP peer.
5. Click OK.
6. Click OK.
A BFD column on the BGP Peer Group/Peer list indicates the BFD profile configured for the interface.
Step 4 (Optional) Enable BFD for OSPF or OSPFv3 globally or for an OSPF interface.
1. Select Network > Virtual Routers and select the virtual router where OSPF or OSPFv3 is configured.
2. Select the OSPF or OSPFv3 tab.
3. (Optional) In the BFD drop-down, select one of the following to enable BFD for all OSPF or OSPFv3 interfaces and click OK:
• default: Uses only default settings.
• A BFD profile you configured: See Create a BFD profile.
• New BFD Profile: Allows you to Create a BFD profile.
NOTE: Selecting None (Disable BFD) disables BFD for all OSPF interfaces on the virtual router; you cannot enable BFD for a single OSPF interface.
4. (Optional) To enable BFD on a single OSPF peer interface (and thereby override the BFD setting for OSPF, as long as it is not disabled), perform the following tasks:
a. Select the Areas tab and select an area.
b. On the Interface tab, select an interface.
c. In the BFD drop-down, select one of the following to configure BFD for the specified OSPF peer:
• default: Uses only default settings.
• Inherit-vr-global-setting (default): The OSPF peer inherits the BFD setting for OSPF or OSPFv3 for the virtual router.
• A BFD profile you configured: See Create a BFD profile.
NOTE: Selecting Disable BFD disables BFD for the OSPF or OSPFv3 interface.
d. Click OK.
5. Click OK.
A BFD column on the OSPF Interface tab indicates the BFD profile configured for the interface.
Step 5 (Optional) Enable BFD for RIP globally or for a single RIP interface.
1. Select Network > Virtual Routers and select the virtual router where RIP is configured.
2. Select the RIP tab.
3. (Optional) In the BFD drop-down, select one of the following to enable BFD for all RIP interfaces on the virtual router and click OK:
• default: Uses only default settings.
• A BFD profile you configured: See Create a BFD profile.
• New BFD Profile: Allows you to Create a BFD profile.
NOTE: Selecting None (Disable BFD) disables BFD for all RIP interfaces on the virtual router; you cannot enable BFD for a single RIP interface.
4. (Optional) To enable BFD for a single RIP interface (and thereby override the BFD setting for RIP, as long as it is not disabled), perform the following tasks:
a. Select the Interfaces tab and select an interface.
b. In the BFD drop-down, select one of the following:
• default: Uses only default settings.
• Inherit-vr-global-setting (default): The RIP interface inherits the BFD profile that you selected for RIP globally for the virtual router.
• A BFD profile you configured: See Create a BFD profile.
NOTE: Selecting None (Disable BFD) disables BFD for the RIP interface.
c. Click OK.
5. Click OK.
The BFD column on the Interface tab indicates the BFD profile configured for the interface.

Step 6 Commit the configuration. Click Commit.

Step 7 View BFD summary and details.
1. Select Network > Virtual Routers, find the virtual router you are interested in, and click More Runtime Stats.
2. Select the BFD Summary Information tab to see summary information, such as BFD state and runtime statistics.
3. (Optional) Select details in the row of the interface you are interested in to view Reference: BFD Details.

Step 8 Monitor BFD profiles referenced by a routing configuration; monitor BFD statistics, status, and state. Use the following CLI operational commands:
show routing bfd active-profile [<name>]
show routing bfd details [interface <name>] [local-ip <ip>] [multihop] [peer-ip <ip>] [session-id] [virtual-router <name>]
show routing bfd drop-counters session-id <session-id>
show counter global | match bfd

Step 9 (Optional) Clear BFD transmit, receive, and drop counters.
clear routing bfd counters session-id all | <1-1024>

Step 10 (Optional) Clear BFD sessions for debugging.
clear routing bfd session-state session-id all | <1-1024>
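The following is an added example, not code from the PAN-OS guide or from Palo Alto Networks. It models the BFD profile ranges listed in the procedure above, the detection-time negotiation (RFC 5880 section 6.8.7: the peer's Detection Time Multiplier times the larger of the peer's Desired Minimum Tx Interval and our Required Minimum Rx Interval), and the Minimum Rx TTL drop rule from the multihop example. Platform names, the profile values, and the hop counts fed in are constructed for illustration.

```python
"""Added example (not from the PAN-OS guide or Palo Alto Networks): a model of the
BFD profile limits, the detection-time negotiation and the Minimum Rx TTL check
described in the Configure BFD steps. Platform minimums and ranges are the
PAN-OS 8.0 values the guide lists; the negotiation rule is RFC 5880 section 6.8.7.
All profile values used below are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Floor for Desired Minimum Tx / Required Minimum Rx intervals, per platform (ms).
PLATFORM_MIN_INTERVAL_MS = {
    "PA-7000": 50, "PA-5200": 50, "PA-5000": 50, "PA-3000": 100, "VM-Series": 200,
}
MAX_INTERVAL_MS = 2000
MULTIPLIER_RANGE = (2, 50)
HOLD_TIME_RANGE_MS = (0, 120000)
MIN_RX_TTL_RANGE = (1, 254)


@dataclass
class BfdProfile:
    desired_min_tx_ms: int = 1000
    required_min_rx_ms: int = 1000
    detection_multiplier: int = 3
    hold_time_ms: int = 0
    multihop: bool = False
    min_rx_ttl: Optional[int] = None


def validate_profile(p: BfdProfile, platform: str) -> List[str]:
    """Return every range violation for this profile on this platform (empty list = OK)."""
    errors = []
    floor = PLATFORM_MIN_INTERVAL_MS[platform]
    for name, value in (("desired_min_tx_ms", p.desired_min_tx_ms),
                        ("required_min_rx_ms", p.required_min_rx_ms)):
        if not floor <= value <= MAX_INTERVAL_MS:
            errors.append(f"{name}={value} is outside {floor}-{MAX_INTERVAL_MS} ms on {platform}")
    lo, hi = MULTIPLIER_RANGE
    if not lo <= p.detection_multiplier <= hi:
        errors.append(f"detection_multiplier={p.detection_multiplier} is outside {lo}-{hi}")
    lo, hi = HOLD_TIME_RANGE_MS
    if not lo <= p.hold_time_ms <= hi:
        errors.append(f"hold_time_ms={p.hold_time_ms} is outside {lo}-{hi} ms")
    if p.min_rx_ttl is not None:
        lo, hi = MIN_RX_TTL_RANGE
        if not lo <= p.min_rx_ttl <= hi:
            errors.append(f"min_rx_ttl={p.min_rx_ttl} is outside {lo}-{hi}")
        if not p.multihop:
            errors.append("min_rx_ttl only applies when multihop is enabled")
    return errors


def detection_time_ms(local: BfdProfile, remote: BfdProfile) -> int:
    """Detection time the local firewall applies to the remote peer.

    The peer transmits no faster than the larger of its own Desired Min Tx and
    our Required Min Rx (the negotiated transmit interval); the detection time
    is that interval multiplied by the peer's Detection Time Multiplier.
    """
    negotiated_tx_ms = max(remote.desired_min_tx_ms, local.required_min_rx_ms)
    return remote.detection_multiplier * negotiated_tx_ms


def accepts_multihop_packet(min_rx_ttl: int, sent_ttl: int, hops: int) -> bool:
    """Each hop decrements the TTL; the firewall drops a BFD control packet that
    arrives with a TTL below the profile's Minimum Rx TTL."""
    arriving_ttl = sent_ttl - hops
    return arriving_ttl >= min_rx_ttl


if __name__ == "__main__":
    fast = BfdProfile(desired_min_tx_ms=100, required_min_rx_ms=100, detection_multiplier=3)
    print("VM-Series:", validate_profile(fast, "VM-Series") or "ok")
    print("PA-3000:", validate_profile(fast, "PA-3000") or "ok")
    print("detection time:", detection_time_ms(BfdProfile(required_min_rx_ms=300), fast), "ms")
    print("TTL 100 over 5 hops, Min Rx TTL 96:", accepts_multihop_packet(96, 100, 5))
```

Note that the same 100 ms profile passes on a PA-3000 and fails on a VM-Series, and that a peer configured for 100 ms is still held to 300 ms (900 ms detection time with multiplier 3) if our Required Minimum Rx Interval is 300 ms, which is the lever to use when the firewall sits behind slower links than the peer router.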


Session Settings and Timeouts

This section describes the global settings that affect TCP, UDP, and ICMPv6 sessions, in addition to IPv6, NAT64, NAT oversubscription, jumbo frame size, MTU, accelerated aging, and Captive Portal authentication. There is also a setting (Rematch Sessions) that allows you to apply newly configured security policies to sessions that are already in progress.
The first few topics below provide brief summaries of the Transport Layer of the OSI model, TCP, UDP, and ICMP. For more information about the protocols, refer to their respective RFCs. The remaining topics describe the session timeouts and settings.
• Transport Layer Sessions
• TCP
• UDP
• ICMP
• Configure Session Timeouts
• Configure Session Settings
• Prevent TCP Split Handshake Session Establishment

Transport Layer Sessions

A network session is an exchange of messages that occurs between two or more communication devices, lasting for some period of time. A session is established and is torn down when the session ends. Different types of sessions occur at three layers of the OSI model: the Transport layer, the Session layer, and the Application layer.
The Transport Layer operates at Layer 4 of the OSI model, providing reliable or unreliable, end-to-end delivery and flow control of data. Internet protocols that implement sessions at the Transport layer include Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

TCP

Transmission Control Protocol (TCP) (RFC 793) is one of the main protocols in the Internet Protocol (IP) suite, and is so prevalent that it is frequently referenced together with IP as TCP/IP. TCP is considered a reliable transport protocol because it provides error checking while transmitting and receiving segments, acknowledges segments received, and reorders segments that arrive in the wrong order. TCP also requests and provides retransmission of segments that were dropped. TCP is stateful and connection-oriented, meaning a connection between the sender and receiver is established for the duration of the session. TCP provides flow control of packets, so it can handle congestion over networks.
TCP performs a handshake during session setup to initiate and acknowledge a session. After the data is transferred, the session is closed in an orderly manner, where each side transmits a FIN packet and acknowledges it with an ACK packet. The handshake that initiates the TCP session is often a three-way handshake (an exchange of three messages) between the initiator and the listener, or it could be a variation, such as a four-way or five-way split handshake or a simultaneous open. The TCP Split Handshake Drop topic explains how to Prevent TCP Split Handshake Session Establishment.
Applications that use TCP as their transport protocol include Hypertext Transfer Protocol (HTTP), HTTP Secure (HTTPS), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Telnet, Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), and Secure Shell (SSH).
The following topics describe details of the PAN-OS implementation of TCP.
• TCP Half Closed and TCP Time Wait Timers
• Unverified RST Timer
• TCP Split Handshake Drop
• Maximum Segment Size (MSS)
You can use Zone Protection Profiles on the firewall to configure packet-based attack protection and thereby drop IP, TCP, and IPv6 packets with undesirable characteristics or strip undesirable options from packets before allowing them into the zone. You can also configure flood protection, specifying the rate of SYN connections per second (not matching an existing session) that trigger an alarm, cause the firewall to randomly drop SYN packets or use SYN cookies, and cause the firewall to drop SYN packets that exceed the maximum rate.

TCP Half Closed and TCP Time Wait Timers

The TCP connection termination procedure uses a TCP Half Closed timer, which is triggered by the first FIN the firewall sees for a session. The timer is named TCP Half Closed because only one side of the connection has sent a FIN. A second timer, TCP Time Wait, is triggered by the second FIN or a RST.
If the firewall were to have only one timer triggered by the first FIN, a setting that was too short could prematurely close the half-closed sessions. Conversely, a setting that was too long would make the session table grow too much and possibly use up all of the sessions. Two timers allow you to have a relatively long TCP Half Closed timer and a short TCP Time Wait timer, thereby quickly aging fully closed sessions and controlling the size of the session table.
The following figure illustrates when the firewall's two timers are triggered during the TCP connection termination procedure.
The TCP Time Wait timer should be set to a value less than the TCP Half Closed timer for the following reasons:
• The longer time allowed after the first FIN is seen gives the opposite side of the connection time to fully close the session.
• The shorter Time Wait time is because there is no need for the session to remain open for a long time after the second FIN or a RST is seen. A shorter Time Wait time frees up resources sooner, yet still allows time for the firewall to see the final ACK and possible retransmission of other datagrams.
If you configure a TCP Time Wait timer to a value greater than the TCP Half Closed timer, the commit will be accepted, but in practice the TCP Time Wait timer will not exceed the TCP Half Closed value.
The timers can be set globally or per application. The global settings are used for all applications by default. If you configure TCP wait timers at the application level, they override the global settings.

Unverified RST Timer

If the firewall receives a Reset (RST) packet that cannot be verified (because it has an unexpected sequence number within the TCP window or it is from an asymmetric path), the Unverified RST timer controls the aging out of the session. It defaults to 30 seconds; the range is 1-600 seconds. The Unverified RST timer provides an additional security measure, explained in the second bullet below.
A RST packet will have one of three possible outcomes:
• A RST packet that falls outside the TCP window is dropped.
• A RST packet that falls inside the TCP window but does not have the exact expected sequence number is unverified and subject to the Unverified RST timer setting. This behavior helps prevent denial-of-service (DoS) attacks where the attack tries to disrupt existing sessions by sending random RST packets to the firewall.
• A RST packet that falls within the TCP window and has the exact expected sequence number is subject to the TCP Time Wait timer setting.
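The following is an added example, not PAN-OS code, that models how the TCP Half Closed, TCP Time Wait and Unverified RST timers from the two topics above are selected for a session as FIN and RST segments are seen. The per-direction expected sequence number and window size are constructed inputs, the "c2s"/"s2c" direction labels are this example's own, and the model does not advance sequence numbers or handle 32-bit wraparound; a RST arriving on a direction the firewall has never seen stands in for the asymmetric-path case.

```python
"""Added example (not PAN-OS code): a model of how the firewall picks between the
TCP Half Closed, TCP Time Wait and Unverified RST timers as FIN and RST segments
are seen for a session. Timer defaults are the PAN-OS 8.0 values from the guide.
The per-direction expected sequence number and window are constructed inputs;
the model does not advance sequence numbers or handle 32-bit wraparound."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Timers:
    tcp_half_closed: int = 120   # seconds, range 1-604,800
    tcp_time_wait: int = 15      # seconds, range 1-600
    unverified_rst: int = 30     # seconds, range 1-600

    def effective_time_wait(self) -> int:
        # A Time Wait larger than Half Closed commits fine but never exceeds it in practice.
        return min(self.tcp_time_wait, self.tcp_half_closed)


@dataclass
class Session:
    expected_seq: Dict[str, int] = field(default_factory=dict)  # per direction: "c2s" / "s2c"
    window: Dict[str, int] = field(default_factory=dict)
    fins_seen: int = 0
    state: str = "established"
    timer: str = "tcp"


def in_window(seq: int, expected: int, window: int) -> bool:
    return expected <= seq < expected + window


def on_segment(sess: Session, timers: Timers, direction: str, flags: Set[str], seq: int
               ) -> Tuple[str, str, Optional[int]]:
    """Apply one observed segment; return (session state, timer now governing aging, seconds)."""
    if "RST" in flags:
        if direction not in sess.expected_seq:
            # Asymmetric path: this direction was never seen, so the RST cannot be verified.
            sess.state, sess.timer = "unverified_rst", "unverified_rst"
            return sess.state, sess.timer, timers.unverified_rst
        expected, window = sess.expected_seq[direction], sess.window[direction]
        if not in_window(seq, expected, window):
            return sess.state, "dropped", None           # outside the window: dropped, no aging change
        if seq == expected:
            sess.state, sess.timer = "closed", "tcp_time_wait"   # exact RST ages like the second FIN
            return sess.state, sess.timer, timers.effective_time_wait()
        sess.state, sess.timer = "unverified_rst", "unverified_rst"  # in window, wrong sequence
        return sess.state, sess.timer, timers.unverified_rst
    if "FIN" in flags:
        sess.fins_seen += 1
        if sess.fins_seen == 1:
            sess.state, sess.timer = "half_closed", "tcp_half_closed"
            return sess.state, sess.timer, timers.tcp_half_closed
        sess.state, sess.timer = "closed", "tcp_time_wait"
        return sess.state, sess.timer, timers.effective_time_wait()
    return sess.state, sess.timer, None


if __name__ == "__main__":
    t = Timers()
    s = Session(expected_seq={"c2s": 1000, "s2c": 5000}, window={"c2s": 65535, "s2c": 65535})
    for direction, flags, seq in (("c2s", {"RST"}, 999), ("c2s", {"RST"}, 1500),
                                  ("c2s", {"FIN", "ACK"}, 1000), ("s2c", {"FIN", "ACK"}, 5000)):
        print(direction, sorted(flags), seq, "->", on_segment(s, t, direction, flags, seq))
```

The second RST in the demonstration (sequence 1500, inside a 65535-byte window but not the expected 1000) is the case the Unverified RST timer exists for: a blind reset that lands in the window would otherwise tear the session down on the short Time Wait timer.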

TCP Split Handshake Drop

The Split Handshake option in a Zone Protection profile will prevent a TCP session from being established if the session establishment procedure does not use the well-known three-way handshake, but instead uses a variation, such as a four-way or five-way split handshake or a simultaneous open.
The Palo Alto Networks next-generation firewall correctly handles sessions and all Layer 7 processes for split handshake and simultaneous open session establishment without enabling the Split Handshake option. Nevertheless, the Split Handshake option (which causes a TCP split handshake drop) is made available. When the Split Handshake option is configured for a Zone Protection profile and that profile is applied to a zone, TCP sessions for interfaces in that zone must be established using the standard three-way handshake; variations are not allowed.
The Split Handshake option is disabled by default.
The following illustrates the standard three-way handshake used to establish a TCP session with a PAN-OS firewall between the initiator (typically a client) and the listener (typically a server).
The Split Handshake option is configured for a Zone Protection profile that is assigned to a zone. An interface that is a member of the zone drops any synchronization (SYN) packets sent from the server, preventing the following variations of handshakes. The letter A in the figure indicates the session initiator and B indicates the listener. Each numbered segment of the handshake has an arrow indicating the direction of the segment from the sender to the receiver, and each segment indicates the control bit(s) setting.
You can Prevent TCP Split Handshake Session Establishment.

Maximum Segment Size (MSS)

The maximum transmission unit (MTU) is a value indicating the largest number of bytes that can be transmitted in a single TCP packet. The MTU includes the length of headers, so the MTU minus the number of bytes in the headers equals the maximum segment size (MSS), which is the maximum number of data bytes that can be transmitted in a single packet.
A configurable MSS adjustment size (shown below) allows your firewall to pass traffic that has longer headers than the default setting allows. Encapsulation adds length to headers, so you would increase the MSS adjustment size to allow bytes, for example, to accommodate an MPLS header or tunneled traffic that has a VLAN tag.
If the DF (don't fragment) bit is set for a packet, it is especially helpful to have a larger MSS adjustment size and smaller MSS so that longer headers do not result in a packet length that exceeds the allowed MTU. If the DF bit were set and the MTU were exceeded, the larger packets would be dropped.
The firewall supports a configurable MSS adjustment size for IPv4 and IPv6 addresses on the following Layer 3 interface types: Ethernet, subinterfaces, Aggregated Ethernet (AE), VLAN, and loopback. The IPv6 MSS adjustment size applies only if IPv6 is enabled on the interface.
If IPv4 and IPv6 are enabled on an interface and the MSS Adjustment Size differs between the two IP address formats, the proper MSS value corresponding to the IP type is used for TCP traffic.
For IPv4 and IPv6 addresses, the firewall accommodates larger-than-expected TCP header lengths. In the case where a TCP packet has a larger header length than you planned for, the firewall chooses as the MSS adjustment size the larger of the following two values:
• The configured MSS adjustment size
• The sum of the length of the TCP header (20) + the length of IP headers in the TCP SYN
This behavior means that the firewall overrides the configured MSS adjustment size if necessary. For example, if you configure an MSS adjustment size of 42, you expect the MSS to equal 1458 (the default MTU size minus the adjustment size [1500-42]). However, the TCP packet has 4 extra bytes of IP options in the header, so the MSS adjustment size (20+20+4) equals 44, which is larger than the configured MSS adjustment size of 42. The resulting MSS is 1500-44 = 1456 bytes, smaller than you expected.
To configure the MSS adjustment size, see Step 10 in Configure Session Settings.
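The following is an added example, not PAN-OS code, that applies the rule above to a raw TCP SYN: the adjustment actually used is the larger of the configured MSS adjustment size and 20 (TCP header) plus the SYN's IP header length including options, and the resulting MSS is the MTU minus that adjustment. The SYN packets are constructed here (placeholder addresses, zero checksums, DF set); only the IPv4 IHL and the fixed 40-byte IPv6 base header are parsed, so IPv6 extension headers are not counted, which is a simplification of this example.

```python
"""Added example (not PAN-OS code): computes the MSS the firewall would impose on a
TCP SYN using the rule in the MSS topic: the adjustment applied is the larger of
the configured MSS adjustment size and (20-byte TCP header + the SYN's IP header
length, options included). The SYN packets are constructed; only the IPv4 IHL and
the fixed IPv6 base header are parsed (IPv6 extension headers are not walked)."""
import struct
from typing import Tuple

TCP_HEADER_LEN = 20
DEFAULT_MTU = 1500


def ip_header_len(packet: bytes) -> int:
    version = packet[0] >> 4
    if version == 4:
        return (packet[0] & 0x0F) * 4   # IHL is in 32-bit words and includes any options
    if version == 6:
        return 40                        # base header only; extension headers not walked here
    raise ValueError("not an IP packet")


def effective_mss(packet: bytes, configured_adjust: int, mtu: int = DEFAULT_MTU) -> Tuple[int, int]:
    """Return (adjustment actually used, resulting MSS) for one SYN."""
    minimum_adjust = TCP_HEADER_LEN + ip_header_len(packet)
    adjust = max(configured_adjust, minimum_adjust)
    return adjust, mtu - adjust


def build_ipv4_syn(ip_options: bytes = b"") -> bytes:
    """Constructed IPv4 header (+ options, already padded to a 4-byte multiple) followed by a
    bare 20-byte TCP SYN. Addresses are documentation placeholders; checksums are zero;
    the DF flag (0x4000) is set, matching the case the MSS topic warns about."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + TCP_HEADER_LEN,
                     0, 0x4000, 64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + ip_options + tcp


if __name__ == "__main__":
    for opts in (b"", b"\x94\x04\x00\x00"):    # no options / 4-byte Router Alert option
        used, mss = effective_mss(build_ipv4_syn(opts), configured_adjust=42)
        print(f"ip options={len(opts)} bytes: adjustment used={used}, MSS={mss}")
```

With no options the configured 42 stands and the MSS is 1458; with a 4-byte Router Alert option the minimum rises to 20+24 = 44 and the MSS drops to 1456, reproducing the worked example in the text.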

UDP

User Datagram Protocol (UDP) (RFC 768) is another main protocol of the IP suite, and is an alternative to TCP. UDP is stateless and connectionless in that there is no handshake to set up a session, and no connection between the sender and receiver; the packets may take different routes to get to a single destination. UDP is considered an unreliable protocol because it does not provide acknowledgments, retransmission, or reordering of datagrams, and its only error checking is a checksum. Without the overhead required to provide those features, UDP has reduced latency and is faster than TCP. UDP is referred to as a best-effort protocol because there is no mechanism or guarantee to ensure that the data will arrive at its destination.
A UDP datagram is encapsulated in an IP packet. Although UDP uses a checksum for data integrity, it performs no error recovery; error handling is assumed to be unnecessary or is performed by the application rather than UDP itself. UDP has no mechanism to handle flow control of packets.
UDP is often used for applications that require faster speeds and time-sensitive, real-time delivery, such as Voice over IP (VoIP), streaming audio and video, and online games. UDP is transaction-oriented, so it is also used for applications that respond to small queries from many clients, such as Domain Name System (DNS) and Trivial File Transfer Protocol (TFTP).
You can use Zone Protection Profiles on the firewall to configure flood protection and thereby specify the rate of UDP connections per second (not matching an existing session) that trigger an alarm, trigger the firewall to randomly drop UDP packets, and cause the firewall to drop UDP packets that exceed the maximum rate. (Although UDP is connectionless, the firewall tracks UDP datagrams in IP packets on a session basis; therefore, if the UDP packet doesn't match an existing session, it is considered a new session and it counts as a connection toward the thresholds.)

ICMP

Internet Control Message Protocol (ICMP) (RFC 792) is another one of the main protocols of the Internet Protocol suite; it operates at the Network layer of the OSI model. ICMP is used for diagnostic and control purposes, to send error messages about IP operations, or messages about requested services or the reachability of a host or router. Network utilities such as traceroute and ping are implemented by using various ICMP messages.
ICMP is a connectionless protocol that does not open or maintain actual sessions. However, the ICMP messages between two devices can be considered a session.
Palo Alto Networks firewalls support ICMPv4 and ICMPv6. You can control ICMPv4 and ICMPv6 packets in several ways:
• Create Security Policy Rules Based on ICMP and ICMPv6 Packets and select the icmp or ipv6-icmp application in the rule.
• Control ICMPv6 Rate Limiting when you Configure Session Settings.
• Use Zone Protection Profiles to configure flood protection, specifying the rate of ICMP or ICMPv6 connections per second (not matching an existing session) that trigger an alarm, trigger the firewall to randomly drop ICMP or ICMPv6 packets, and cause the firewall to drop ICMP or ICMPv6 packets that exceed the maximum rate.
• Use Zone Protection Profiles to configure packet-based attack protection:
  • For ICMP, you can drop certain types of packets or suppress the sending of certain packets.
  • For ICMPv6 packets (Types 1, 2, 3, 4, and 137), you can specify that the firewall use the ICMP session key to match a security policy rule, which determines whether the ICMPv6 packet is allowed or not. (The firewall uses the security policy rule, overriding the default behavior of using the embedded packet to determine a session match.) When the firewall drops ICMPv6 packets that match a security policy rule, the firewall logs the details in Traffic logs.

Security Policy Rules Based on ICMP and ICMPv6 Packets

The firewall forwards ICMP or ICMPv6 packets only if a security policy rule allows the session (as the firewall does for other packet types). The firewall determines a session match in one of two ways, depending on whether the packet is an ICMP or ICMPv6 error packet or redirect packet as opposed to an ICMP or ICMPv6 informational packet:
• ICMP Types 3, 5, 11, and 12 and ICMPv6 Types 1, 2, 3, 4, and 137: The firewall by default looks up the embedded IP packet bytes of information from the original datagram that caused the error (the invoking packet). If the embedded packet matches an existing session, the firewall forwards or drops the ICMP or ICMPv6 packet according to the action specified in the security policy rule that matches that same session. (You can use Zone Protection Profiles with packet-based attack protection to override this default behavior for the ICMPv6 types.)
• Remaining ICMP or ICMPv6 packet types: The firewall treats the ICMP or ICMPv6 packet as if it belongs to a new session. If a security policy rule matches the packet (which the firewall recognizes as an icmp or ipv6-icmp session), the firewall forwards or drops the packet based on the security policy rule action. Security policy counters and traffic logs reflect the actions.
If no security policy rule matches the packet, the firewall applies its default security policy rules, which allow intrazone traffic and block interzone traffic (logging is disabled by default for these rules).
Although you can override the default rules to enable logging or change the default action, we don't recommend you change the default behavior for a specific case because it will impact all traffic that those default rules affect. Instead, create security policy rules to control and log ICMP or ICMPv6 packets explicitly.
There are two ways to create explicit security policy rules to handle ICMP or ICMPv6 packets that are not error or redirect packets:
• Create a security policy rule to allow (or deny) all ICMP or ICMPv6 packets: In the security policy rule, specify the application icmp or ipv6-icmp; the firewall allows (or denies) all IP packets matching the ICMP protocol number (1) or ICMPv6 protocol number (58), respectively, through the firewall.
• Create a custom application and a security policy rule to allow (or deny) packets from or to that application: This more granular approach allows you to Control Specific ICMP or ICMPv6 Types and Codes.
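The following is an added example, not PAN-OS code, that reproduces the two matching paths described above for ICMPv4: error and redirect types (3, 5, 11, 12) are matched by the 5-tuple of the invoking datagram that follows the 8-byte ICMP header, and every other type is treated as a new icmp session and matched against the rulebase, falling back to the intrazone-allow / interzone-deny defaults. The session table, the rules, the zone names and the packet bytes are constructed; an error whose embedded packet matches no session is dropped here, which is this example's choice rather than documented firewall behaviour.

```python
"""Added example (not PAN-OS code): the two ICMPv4 session-match paths from the
'Security Policy Rules Based on ICMP and ICMPv6 Packets' topic. Error/redirect
types are matched via the invoking packet's 5-tuple; other types are matched as a
new 'icmp' session. Session table, rules and packets are constructed. Dropping an
error that matches no session is this example's assumption, not guide text."""
import struct
from ipaddress import ip_address
from typing import Dict, List, Tuple

ERROR_TYPES_V4 = {3, 5, 11, 12}
FiveTuple = Tuple[str, str, int, int, int]   # (src, dst, proto, sport, dport)


def parse_embedded_5tuple(icmp: bytes) -> FiveTuple:
    """Read the invoking packet's 5-tuple from an ICMPv4 error/redirect body."""
    inner = icmp[8:]                          # skip type, code, checksum, 4 bytes type-specific data
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src = str(ip_address(inner[12:16]))
    dst = str(ip_address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])  # RFC 792 guarantees 8 bytes of L4 header
    return src, dst, proto, sport, dport


def match_rules(rules: List[dict], src_zone: str, dst_zone: str, app: str) -> Tuple[str, str]:
    for rule in rules:                        # first match wins, as in the security rulebase
        if rule["from"] == src_zone and rule["to"] == dst_zone and app in rule["apps"]:
            return rule["name"], rule["action"]
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def decide(icmp: bytes, src_zone: str, dst_zone: str,
           sessions: Dict[FiveTuple, Tuple[str, str]], rules: List[dict]) -> Tuple[str, str]:
    """Return the (rule name, action) the firewall would apply to this ICMPv4 packet."""
    if icmp[0] in ERROR_TYPES_V4:
        key = parse_embedded_5tuple(icmp)
        if key in sessions:
            return sessions[key]              # action of the rule that matched the original session
        return "no-session", "drop"           # example's choice for an orphan error (see lead-in)
    return match_rules(rules, src_zone, dst_zone, "icmp")


def build_port_unreachable(src: str, dst: str, sport: int, dport: int, proto: int = 17) -> bytes:
    """Constructed ICMPv4 Type 3 Code 3 carrying the first 28 bytes of the invoking datagram."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                           ip_address(src).packed, ip_address(dst).packed)
    inner_l4 = struct.pack("!HHHH", sport, dport, 8, 0)   # UDP header: ports, length, checksum
    return struct.pack("!BBHI", 3, 3, 0, 0) + inner_ip + inner_l4


if __name__ == "__main__":
    sessions = {("10.1.1.5", "192.0.2.53", 17, 51515, 53): ("allow-dns", "allow")}
    rules = [{"name": "allow-ping-out", "from": "trust", "to": "untrust",
              "apps": {"icmp"}, "action": "allow"}]
    err = build_port_unreachable("10.1.1.5", "192.0.2.53", 51515, 53)
    print("port unreachable for the DNS flow:", decide(err, "untrust", "trust", sessions, rules))
    echo = bytes([8, 0, 0, 0, 0, 1, 0, 1])   # Echo Request, id 1, seq 1
    print("echo request trust->untrust:", decide(echo, "trust", "untrust", sessions, rules))
    print("echo request untrust->trust:", decide(echo, "untrust", "trust", sessions, rules))
```

The point to notice is that the returning port-unreachable is allowed by the rule that permitted the DNS query it refers to, even though it travels untrust to trust and no rule allows icmp in that direction; an echo request in the same direction falls to the interzone default and is denied.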

ICMPv6 Rate Limiting

ICMPv6 rate limiting is a throttling mechanism to prevent flooding and DDoS attempts. The implementation employs an error packet rate and a token bucket, which work together to enable throttling and ensure that ICMP packets don't flood the network segments protected by the firewall.
First, the global ICMPv6 Error Packet Rate (per sec) controls the rate at which ICMPv6 error packets are allowed through the firewall; the default is 100 packets per second; the range is 10 to 65535 packets per second. If the firewall reaches the ICMPv6 error packet rate, then the token bucket comes into play and throttling occurs, as follows.
The concept of a logical token bucket controls the rate at which ICMP messages can be transmitted. The number of tokens in the bucket is configurable, and each token represents an ICMPv6 message that can be sent. The token count is decremented each time an ICMPv6 message is sent; when the bucket reaches zero tokens, no more ICMPv6 messages can be sent until another token is added to the bucket. The default size of the token bucket is 100 tokens (packets); the range is 10 to 65535 tokens.
To change the default token bucket size or error packet rate, see the section Configure Session Settings.
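The following is an added example, not PAN-OS code, of a token-bucket limiter with the two defaults named above (100-token bucket, 100 error packets per second) run over constructed arrival times. The bucket size bounds the burst that gets through at once and the refill rate bounds the sustained rate; a packet arriving at an empty bucket is throttled. The continuous refill used here is this example's own modelling choice.

```python
"""Added example (not PAN-OS code): a token-bucket limiter with the guide's ICMPv6
defaults (100 tokens, 100 error packets/s) applied to constructed packet arrival
times. Continuous refill is this example's modelling choice."""
from typing import Iterable, Tuple


class Icmpv6ErrorLimiter:
    def __init__(self, bucket_size: int = 100, rate_per_sec: int = 100):
        self.bucket_size = bucket_size          # ICMPv6 Token Bucket Size
        self.rate = rate_per_sec                # ICMPv6 Error Packet Rate (per sec)
        self.tokens = float(bucket_size)        # start with a full bucket
        self.last = 0.0                         # time of the last refill

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.bucket_size), self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False                            # bucket empty: this error packet is throttled


def run(limiter: Icmpv6ErrorLimiter, arrivals: Iterable[float]) -> Tuple[int, int]:
    """Feed arrival timestamps (seconds) through the limiter; return (allowed, throttled)."""
    times = list(arrivals)
    allowed = sum(1 for t in times if limiter.allow(t))
    return allowed, len(times) - allowed


if __name__ == "__main__":
    lim = Icmpv6ErrorLimiter()
    print("150-packet burst at t=0:", run(lim, [0.0] * 150))          # 100 through, 50 throttled
    print("80 packets at t=0.5s:", run(lim, [0.5] * 80))              # 50 refilled, 30 throttled
    print("120 packets at t=2.0s:", run(lim, [2.0] * 120))            # bucket capped at 100
    steady = Icmpv6ErrorLimiter(bucket_size=10, rate_per_sec=100)
    print("200 packets evenly at 100/s:", run(steady, [i * 0.01 for i in range(200)]))
```

The last line shows why the two settings are separate knobs: a stream at exactly the configured rate is never throttled even with a small bucket, while a burst above the bucket size is clipped immediately regardless of the rate.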

Control Specific ICMP or ICMPv6 Types and Codes

Use this task to create a custom ICMP or ICMPv6 application and then create a security policy rule to allow or deny that application.

Step 1 Create a custom application for ICMP or ICMPv6 message types and codes.
1. Select Objects > Applications and Add a custom application.
2. On the Configuration tab, enter a Name for the custom application and a Description. For example, enter the name ping6.
3. For Category, select networking.
4. For Subcategory, select ip-protocol.
5. For Technology, select network-protocol.
6. Click OK.
7. On the Advanced tab, select ICMP Type or ICMPv6 Type.
8. For Type, enter the number (range is 0-255) that designates the ICMP or ICMPv6 message type you want to allow or deny. For example, the ICMPv6 Echo Request message (ping) is Type 128.
9. If the Type includes codes, enter the Code number (range is 0-255) that applies to the Type value you want to allow or deny. Some Type values have Code 0 only.
10. Click OK.

Step 2 Create a Security policy rule that allows or denies the custom application you created. Create a Security Policy Rule. On the Application tab, specify the name of the custom application you just created.

Step 3 Commit. Click Commit.

Configure Session Timeouts

A session timeout defines the duration of time for which PAN-OS maintains a session on the firewall after inactivity in the session. By default, when the session timeout for the protocol expires, PAN-OS closes the session.
On the firewall, you can define a number of timeouts for TCP, UDP, and ICMP sessions in particular. The Default timeout applies to any other type of session. All of these timeouts are global, meaning they apply to all of the sessions of that type on the firewall.
In addition to the global settings, you have the flexibility to define timeouts for an individual application in the Objects > Applications tab. The firewall applies application timeouts to an application that is in Established state. When configured, timeouts for an application override the global TCP or UDP session timeouts.
Returning to the global settings, perform the optional tasks below if you need to change default values of the global session timeout settings for TCP, UDP, ICMP, Captive Portal authentication, or other types of sessions. All values are in seconds.
The defaults are optimal values. However, you can modify these according to your network needs. Setting a value too low could cause sensitivity to minor network delays and could result in a failure to establish connections with the firewall. Setting a value too high could delay failure detection.

Change Session Timeouts

Step 1 Access the Session Settings. Select Device > Setup > Session and edit the Session Timeouts.

Step 2 (Optional) Change miscellaneous timeouts.
• Default: Maximum length of time that a non-TCP/UDP or non-ICMP session can be open without a response (range is 1-15,999,999; default is 30).
• Discard Default: Maximum length of time that a non-TCP/UDP session remains open after PAN-OS denies a session based on security policies configured on the firewall (range is 1-15,999,999; default is 60).
• Scan: Maximum length of time that any session remains open after it is considered inactive; an application is regarded as inactive when it exceeds the application trickling threshold defined for the application (range is 5-30; default is 10).
• Captive Portal: Authentication session timeout for the Captive Portal web form. To access the requested content, the user must enter the authentication credentials in this form and be successfully authenticated (range is 1-15,999,999; default is 30).
To define other Captive Portal timeouts, such as the idle timer and the expiration time before the user must be re-authenticated, select Device > User Identification > Captive Portal Settings. See Configure Captive Portal.

Step 3 (Optional) Change TCP timeouts.
• Discard TCP: Maximum length of time that a TCP session remains open after it is denied based on a security policy configured on the firewall. Default: 90. Range: 1-15,999,999.
• TCP: Maximum length of time that a TCP session remains open without a response, after a TCP session is in the Established state (after the handshake is complete and/or data is being transmitted). Default: 3,600. Range: 1-15,999,999.
• TCP Handshake: Maximum length of time permitted between receiving the SYN-ACK and the subsequent ACK to fully establish the session. Default: 10. Range: 1-60.
• TCP init: Maximum length of time permitted between receiving the SYN and SYN-ACK prior to starting the TCP handshake timer. Default: 5. Range: 1-60.
• TCP Half Closed: Maximum length of time between receiving the first FIN and receiving the second FIN or a RST. Default: 120. Range: 1-604,800.
• TCP Time Wait: Maximum length of time after receiving the second FIN or a RST. Default: 15. Range: 1-600.
• Unverified RST: Maximum length of time after receiving a RST that cannot be verified (the RST is within the TCP window but has an unexpected sequence number, or the RST is from an asymmetric path). Default: 30. Range: 1-600.
See also the Scan timeout in the section (Optional) Change miscellaneous timeouts.

Step 4 (Optional) Change UDP timeouts.
• Discard UDP: Maximum length of time that a UDP session remains open after it is denied based on a security policy configured on the firewall. Default: 60. Range: 1-15,999,999.
• UDP: Maximum length of time that a UDP session remains open without a UDP response. Default: 30. Range: 1-15,999,999.
See also the Scan timeout in the section (Optional) Change miscellaneous timeouts.

Step 5 (Optional) Change ICMP timeouts.
• ICMP: Maximum length of time that an ICMP session can be open without an ICMP response. Default: 6. Range: 1-15,999,999.
See also the Discard Default and Scan timeouts in the section (Optional) Change miscellaneous timeouts.

Step 6 Commit the changes. Click OK and Commit the changes.

ConfigureSessionSettings

Thistopicdescribesvarioussettingsforsessionsotherthantimeoutsvalues.Performthesetasksifyouneed
tochangethedefaultsettings.

ConfigureSessionSettings

Step1 Changethesessionsettings. SelectDevice > Setup > SessionandedittheSessionSettings.

PaloAltoNetworks,Inc. PANOS8.0AdministratorsGuide 923


SessionSettingsandTimeouts Networking

ConfigureSessionSettings(Continued)

Step2 Specifywhethertoapply SelectRematch all sessions on config policy change to applynewly


newlyconfiguredSecurity configuredSecuritypolicyrulestosessionsthatarealreadyinprogress.This
policyrulestosessionsthat capabilityisenabledbydefault.Ifyouclearthischeckbox,anypolicyrule
areinprogress. changesyoumakeapplyonlytosessionsinitiatedafteryoucommitthepolicy
change.
Forexample,ifaTelnetsessionstartedwhileanassociatedpolicyrulewas
configuredthatallowedTelnet,andyousubsequentlycommittedapolicy
changetodenyTelnet,thefirewallappliestherevisedpolicytothecurrent
sessionandblocksit.

Step3 ConfigureIPv6settings. ICMPv6 Token Bucket SizeDefault:100tokens.SeethesectionICMPv6


RateLimiting.
ICMPv6 Error Packet Rate (per sec)Default:100.SeethesectionICMPv6
RateLimiting.
Enable IPv6 FirewallingEnablesfirewallcapabilitiesforIPv6.All
IPv6basedconfigurationsareignoredifIPv6isnotenabled.EvenifIPv6is
enabledforaninterface,theIPv6 Firewallingsettingmustalsobeenabled
forIPv6tofunction.

Step4 Enablejumboframesandset 1. SelectEnable Jumbo FrametoenablejumboframesupportonEthernet


theMTU. interfaces.Jumboframeshaveamaximumtransmissionunit(MTU)of
9,216bytesandareavailableoncertainmodels.
2. SettheGlobal MTU,dependingonwhetherornotyouenabledjumbo
frames:
Ifyoudidnotenablejumboframes,theGlobal MTUdefaultsto1,500
bytes;therangeis576to1,500 bytes.
Ifyouenabledjumboframes,theGlobal MTUdefaultsto9,192 bytes;
therangeis9,192to9,216 bytes.
NOTE:Ifyouenablejumboframesandyouhaveinterfaceswherethe
MTUisnotspecificallyconfigured,thoseinterfaceswillautomatically
inheritthejumboframesize.Therefore,beforeyouenablejumboframes,
ifyouhaveanyinterfacethatyoudonotwanttohavejumboframes,you
mustsettheMTUforthatinterfaceto1500bytesoranothervalue.

Step5 TuneNATsessionsettings. NAT64 IPv6 Minimum Network MTUSetstheglobalMTUforIPv6


translatedtraffic.Thedefaultof1,280 bytesisbasedonthestandard
minimumMTUforIPv6traffic.
NAT Oversubscription RateIfNATisconfiguredtobeDynamicIPand
Port(DIPP)translation,anoversubscriptionratecanbeconfiguredto
multiplythenumberoftimesthatthesametranslatedIPaddressandport
paircanbeusedconcurrently.Therateis1,2,4,or8.Thedefaultsettingis
basedonthefirewallmodel.
Arateof1meansnooversubscription;eachtranslatedIPaddressand
portpaircanbeusedonlyonceatatime.
IfthesettingisPlatform Default,userconfigurationoftherateis
disabledandthedefaultoversubscriptionrateforthemodelapplies.
Reducingtheoversubscriptionratedecreasesthenumberofsourcedevice
translations,butprovideshigherNATrulecapacities.

924 PANOS8.0AdministratorsGuide PaloAltoNetworks,Inc.


Networking SessionSettingsandTimeouts

ConfigureSessionSettings(Continued)

Step 6  Tune accelerated aging settings.
  Select Accelerated Aging to enable faster aging out of idle sessions. You can also change the threshold (%) and scaling factor:
  - Accelerated Aging Threshold: Percentage of the session table that is full when accelerated aging begins. The default is 80%. When the session table reaches this threshold (% full), PAN-OS applies the Accelerated Aging Scaling Factor to the aging calculations for all sessions.
  - Accelerated Aging Scaling Factor: Scaling factor used in the accelerated aging calculations. The default scaling factor is 2, meaning that accelerated aging occurs at a rate twice as fast as the configured idle time: the configured idle time divided by 2 results in a timeout of one half the time. To calculate a session's accelerated aging, PAN-OS divides the configured idle time (for that type of session) by the scaling factor to determine a shorter timeout.
    For example, if the scaling factor is 10, a session that would normally time out after 3,600 seconds times out 10 times faster (in 1/10 of the time), which is 360 seconds.

Step 7  Enable packet buffer protection.
  1. Select Packet Buffer Protection to enable the firewall to take action against sessions that can overwhelm its packet buffer and cause legitimate traffic to be dropped.
  2. If you enable packet buffer protection, you can tune the thresholds and timers that dictate how the firewall responds to packet buffer abuse:
     - Alert (%): When packet buffer utilization exceeds this threshold, the firewall creates a log event. The threshold is set to 50% by default and the range is 0% to 99%. If the value is set to 0%, the firewall does not create a log event.
     - Activate (%): When packet buffer utilization exceeds this threshold, the firewall applies random early drop (RED) to abusive sessions. The threshold is set to 50% by default and the range is 0% to 99%. If the value is set to 0%, the firewall does not apply RED.
       NOTE: Alert events are recorded in the system log. Events for dropped traffic, discarded sessions, and blocked IP addresses are recorded in the threat log.
     - Block Hold Time (sec): The amount of time a RED-mitigated session is allowed to continue before it is discarded. By default, the block hold time is 60 seconds. The range is 0 to 65,535 seconds. If the value is set to 0, the firewall does not discard sessions based on packet buffer protection.
     - Block Duration (sec): This setting defines how long a session is discarded or an IP address is blocked. The default is 3,600 seconds with a range of 0 seconds to 15,999,999 seconds. If this value is set to 0, the firewall does not discard sessions or block IP addresses based on packet buffer protection.


Step 8  Enable buffering of multicast route setup packets.
  1. Select Multicast Route Setup Buffering to enable the firewall to preserve the first packet in a multicast session when the multicast route or forwarding information base (FIB) entry does not yet exist for the corresponding multicast group. By default, the firewall does not buffer the first multicast packet in a new session; instead, it uses the first packet to set up the multicast route. This is expected behavior for multicast traffic. You only need to enable multicast route setup buffering if your content servers are directly connected to the firewall and your custom application cannot withstand the first packet in the session being dropped. This option is disabled by default.
  2. If you enable buffering, you can also tune the Buffer Size, which specifies the buffer size per flow. The firewall can buffer a maximum of 5,000 packets.
  NOTE: You can also tune the duration, in seconds, for which a multicast route remains in the routing table on the firewall after the session ends by configuring the multicast settings on the virtual router (set the Multicast Route Age Out Time (sec) on the Multicast > Advanced tab in the virtual router configuration).

Step 9  Save the session settings.
  Click OK.

Step 10  Tune the Maximum Segment Size (MSS) adjustment size settings for a Layer 3 interface.
  1. Select Network > Interfaces, select Ethernet, VLAN, or Loopback, and select a Layer 3 interface.
  2. Select Advanced > Other Info.
  3. Select Adjust TCP MSS and enter a value for one or both of the following:
     - IPv4 MSS Adjustment Size (range is 40 to 300 bytes; default is 40 bytes).
     - IPv6 MSS Adjustment Size (range is 60 to 300 bytes; default is 60 bytes).
  4. Click OK.

Step 11  Commit the changes.
  Click Commit.

Step 12  Reboot the firewall after changing the jumbo frame configuration.
  1. Select Device > Setup > Operations.
  2. Click Reboot Device.

Prevent TCP Split Handshake Session Establishment

You can configure a TCP Split Handshake Drop in a Zone Protection profile to prevent TCP sessions from being established unless they use the standard three-way handshake. This task assumes that you assigned a security zone for the interface where you want to prevent TCP split handshakes from establishing a session.


Configure a Zone Protection Profile to Prevent TCP Split Handshake Sessions

Step 1  Configure a Zone Protection profile to prevent TCP sessions that use anything other than a three-way handshake to establish a session.
  1. Select Network > Network Profiles > Zone Protection and Add a new profile (or select an existing profile).
  2. If creating a new profile, enter a Name for the profile and an optional Description.
  3. Select Packet Based Attack Protection > TCP Drop and select Split Handshake.
  4. Click OK.

Step 2  Apply the profile to one or more security zones.
  1. Select Network > Zones and select the zone where you want to assign the zone protection profile.
  2. In the Zone window, from the Zone Protection Profile drop-down, select the profile you configured in the previous step.
     Alternatively, you could start creating a new profile here by clicking Zone Protection Profile, in which case you would continue accordingly.
  3. Click OK.
  4. (Optional) Repeat steps 1 to 3 to apply the profile to additional zones.

Step 3  Commit the configuration.
  Click OK and Commit.
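The profile above makes the firewall reject any session whose setup deviates from SYN, SYN/ACK, ACK. To make concrete what that check looks at, here is an added example (written for this page, not PAN-OS code or any Palo Alto Networks implementation) that classifies how each TCP flow in a list of segments was established, flagging the case where the responder answers the initial SYN with a bare SYN of its own instead of a SYN/ACK. The Packet records and addresses are constructed sample data.

```python
"""Added example (not PAN-OS code): classify how each TCP flow was established,
so that flows set up by something other than the standard SYN, SYN/ACK, ACK
exchange can be flagged. All Packet records below are constructed samples."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYN = 0x02
ACK = 0x10

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int   # TCP flag bits as they appear in the TCP header
    seq: int
    ack: int

    def sender(self) -> Endpoint:
        return (self.src, self.sport)

    def receiver(self) -> Endpoint:
        return (self.dst, self.dport)


def classify_handshake(flow: List[Packet]) -> str:
    """Classify the setup of one flow (segments in arrival order).

    'three-way'       initiator SYN, responder SYN/ACK, initiator ACK
    'split-handshake' responder answered the SYN with a SYN carrying no ACK,
                      so the exchange degenerates into a simultaneous open
    'non-syn'         the first segment seen is not a bare SYN
    'incomplete'      too few segments to decide
    'other'           any other deviation from the three-way pattern
    """
    if not flow:
        return "incomplete"
    first = flow[0]
    if not (first.flags & SYN) or (first.flags & ACK):
        return "non-syn"
    initiator, responder = first.sender(), first.receiver()
    if len(flow) < 2:
        return "incomplete"
    second = flow[1]
    if second.sender() != responder:
        return "other"
    if (second.flags & SYN) and not (second.flags & ACK):
        return "split-handshake"
    if len(flow) < 3:
        return "incomplete"
    third = flow[2]
    if ((second.flags & SYN) and (second.flags & ACK)
            and second.ack == first.seq + 1
            and third.sender() == initiator
            and (third.flags & ACK) and not (third.flags & SYN)
            and third.ack == second.seq + 1):
        return "three-way"
    return "other"


def audit(packets: List[Packet]) -> Dict[Tuple[Endpoint, Endpoint], str]:
    """Group segments into flows (unordered endpoint pair) and classify each."""
    flows: Dict[Tuple[Endpoint, Endpoint], List[Packet]] = {}
    for p in packets:
        key = tuple(sorted([p.sender(), p.receiver()]))
        flows.setdefault(key, []).append(p)
    return {key: classify_handshake(f) for key, f in flows.items()}


# Constructed sample traffic: one standard handshake and one split handshake.
STANDARD = [
    Packet("10.0.0.5", 40000, "203.0.113.7", 443, SYN, 1000, 0),
    Packet("203.0.113.7", 443, "10.0.0.5", 40000, SYN | ACK, 5000, 1001),
    Packet("10.0.0.5", 40000, "203.0.113.7", 443, ACK, 1001, 5001),
]
SPLIT = [
    Packet("10.0.0.6", 40001, "203.0.113.8", 443, SYN, 2000, 0),
    Packet("203.0.113.8", 443, "10.0.0.6", 40001, SYN, 7000, 0),  # SYN without ACK
    Packet("10.0.0.6", 40001, "203.0.113.8", 443, SYN | ACK, 2000, 7001),
    Packet("203.0.113.8", 443, "10.0.0.6", 40001, ACK, 7001, 2001),
]

if __name__ == "__main__":
    for key, verdict in audit(STANDARD + SPLIT).items():
        print(key, verdict)
```

Run over a real capture, the 'split-handshake' and 'other' verdicts are the flows the Split Handshake drop option would have refused; comparing such a tally before and after enabling the profile shows what the setting will affect in your zone.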


Tunnel Content Inspection

The firewall can inspect the traffic content of cleartext tunnel protocols:
- Generic Routing Encapsulation (GRE) (RFC 2784)
- Non-encrypted IPSec traffic [NULL Encryption Algorithm for IPSec (RFC 2410) and transport mode AH IPSec]
- General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U)
You can use tunnel content inspection to enforce Security, DoS Protection, and QoS policies on traffic in these types of tunnels and on traffic nested within another cleartext tunnel (for example, a Null Encrypted IPSec tunnel inside a GRE tunnel). You can view tunnel inspection logs and tunnel activity in the ACC to verify that tunneled traffic complies with your corporate security and usage policies.
All firewall models support tunnel content inspection of GRE and non-encrypted IPSec. Tunnel content inspection of GTP-U is supported only on the PA-5200 Series and VM-Series firewalls. The firewalls don't terminate GRE, non-encrypted IPSec, or GTP-U tunnels.
Tunnel content inspection is for cleartext tunnels, not for VPN or LSVPN tunnels, which carry encrypted traffic.
- Tunnel Content Inspection Overview
- Configure Tunnel Content Inspection
- View Inspected Tunnel Activity
- View Tunnel Information in Logs
- Create a Custom Report Based on Tagged Tunnel Traffic

Tunnel Content Inspection Overview

Your firewall can inspect tunnel content anywhere on the network where you do not have the opportunity to terminate the tunnel first. As long as the firewall is in the path of a GRE, non-encrypted IPSec, or GTP-U tunnel, the firewall can inspect the tunnel content.
- Enterprise customers who want tunnel content inspection can have some or all of the traffic on the firewall tunneled using GRE or non-encrypted IPSec. For security, QoS, and reporting reasons, you want to inspect the traffic inside the tunnel.
- Service Provider customers use GTP-U to tunnel data traffic from mobile devices. You want to inspect the inner content without terminating the tunnel protocol, and you want to record user data from your users.
The firewall supports tunnel content inspection on Ethernet interfaces and subinterfaces, AE interfaces, VLAN interfaces, and VPN and LSVPN tunnel interfaces. (The cleartext tunnel that the firewall inspects can be inside a VPN or LSVPN tunnel that terminates at the firewall, hence a VPN or LSVPN tunnel interface. In other words, when the firewall is a VPN or LSVPN endpoint, the firewall can inspect the traffic of any non-encrypted tunnel protocols that tunnel content inspection supports.)
Tunnel content inspection is supported in Layer 3, Layer 2, virtual wire, and tap deployments. Tunnel content inspection works on shared gateways and on virtual system-to-virtual system communications.


The preceding figure illustrates the two levels of tunnel inspection the firewall can perform. When a firewall configured with Tunnel Inspection policy rules receives a packet:
- The firewall first performs a Security policy check to determine whether the tunnel protocol (Application) in the packet is permitted or denied. (IPv4 and IPv6 packets are supported protocols inside the tunnel.)
- If the Security policy allows the packet, the firewall matches the packet to a Tunnel Inspection policy rule based on source zone, source address, source user, destination zone, and destination address. The Tunnel Inspection policy rule determines the tunnel protocols that the firewall inspects, the maximum level of encapsulation allowed (a single tunnel or a tunnel within a tunnel), whether to allow packets containing a tunnel protocol that doesn't pass strict header inspection per RFC 2780, and whether to allow packets containing unknown protocols.
- If the packet passes the Tunnel Inspection policy rule's match criteria, the firewall inspects the inner content, which is subject to your Security policy (required) and optional policies you can specify. (The supported policy types for the original session are listed in the following table.)
- If the firewall instead finds another tunnel, the firewall recursively parses the packet for the second header and is now at level two of encapsulation, so the second tunnel inspection policy rule, which matches a tunnel zone, must allow a maximum tunnel inspection level of two levels for the firewall to continue processing the packet.
  - If your rule allows two levels of inspection, the firewall performs a Security policy check on this inner tunnel and then the Tunnel Inspection policy check. The tunnel protocol you use in an inner tunnel can differ from the tunnel protocol you use in the outer tunnel.
  - If your rule doesn't allow two levels of inspection, the firewall bases its action on whether you configured it to drop packets that have more levels of encapsulation than the maximum tunnel inspection level you configured.
By default, the content encapsulated in a tunnel belongs to the same security zone as the tunnel, and is subject to the Security policy rules that protect that zone. However, you can configure a tunnel zone, which gives you the flexibility to configure Security policy rules for inside content that differ from the Security policy rules for the tunnel. If you use a different tunnel inspection policy for the tunnel zone, it must always have a maximum tunnel inspection level of two levels because by definition the firewall is looking at the second level of encapsulation.


NOTE: Although tunnel content inspection works on shared gateways and on virtual system-to-virtual system communications, you can't assign tunnel zones to shared gateways or virtual system-to-virtual system communications; they are subject to the same Security policy rules as the zones to which they belong.

The following table indicates with a check mark which types of policy you can apply to an outer tunnel session, an inner tunnel session, and the inside, original session (the check marks of the original table did not survive this text extraction; only the row and column headings are reproduced):

Policy Type                                          | Outer Tunnel Session | Inner Tunnel Session | Inside, Original Session
App Override                                         |                      |                      |
DoS Protection                                       |                      |                      |
NAT                                                  |                      |                      |
Policy-Based Forwarding (PBF) and Symmetric Return   |                      |                      |
QoS                                                  |                      |                      |
Security (required)                                  |                      |                      |
User-ID                                              |                      |                      |
Zone Protection                                      |                      |                      |

The inner tunnel sessions and outer tunnel sessions count toward the maximum session capacity for the firewall model.
When you enable or edit a Tunnel Inspection policy (to add a protocol, increase maximum levels of inspection, or enable security options), you affect existing tunnel sessions. The firewall treats existing TCP sessions inside the tunnel as non-SYN TCP flows. To prevent the firewall from dropping all existing sessions when you enable or edit a Tunnel Inspection policy, you can create a Zone Protection profile that disables Reject Non-SYN TCP and apply the profile to the zones that control your tunnels' security policies. The task to Configure Tunnel Content Inspection includes these steps.
The firewall doesn't support a Tunnel Inspection policy rule that matches traffic for a tunnel that terminates on the firewall; the firewall discards packets that match the inner tunnel session. For example, when an IPSec tunnel terminates on the firewall, don't create a Tunnel Inspection policy rule that matches the tunnel you terminate. The firewall already inspects the inner tunnel traffic, so no Tunnel Inspection policy rule is necessary.
You can View Inspected Tunnel Activity on the ACC or View Tunnel Information in Logs. To facilitate quick viewing, configure a Monitor tag so you can monitor tunnel activity and filter log results by that tag.
The ACC tunnel activity provides data in various views. For the Tunnel ID Usage, Tunnel Monitor Tag, and Tunnel Application Usage, the data for bytes, sessions, threats, content, and URLs come from the Traffic Summary database. For the Tunnel User, Tunneled Source IP and Tunneled Destination IP Activity, data for bytes and sessions come from the Traffic Summary database, data for threats come from the Threat Summary, data for URLs come from the URL Summary, and data for content come from the Data database, which is a subset of the Threat logs.
If you enable NetFlow on the interface, NetFlow captures statistics for the outer tunnel only, to avoid double counting (counting bytes of both outer and inner flows).
For the Tunnel Inspection policy rule and tunnel zone capacities for your firewall model, see the Product Selection tool.
The following figure illustrates a corporation that runs multiple divisions and uses different Security policies and a Tunnel Inspection policy. A Central IT team provides connectivity between regions. A tunnel connects Site A to Site C; another tunnel connects Site A to Site D. Central IT places a firewall in the path of each tunnel; the firewall in the tunnel between Sites A and C performs tunnel inspection; the firewall in the tunnel between Sites A and D has no tunnel inspection policy because the traffic is very sensitive.

Configure Tunnel Content Inspection

Perform this task to configure tunnel content inspection for a tunnel protocol that you allow in a tunnel.

Step 1  Create a Security policy to allow packets through the tunnel from the source zone to the destination zone that use a specific application, such as the GRE application.
  Configure a Security Policy Rule.
  The firewall can create tunnel inspection logs at the start or end of a session. When you specify Actions for the Security policy rule, select Log at Session Start for long-lived tunnel sessions such as GRE sessions.


Step 2  Create a Tunnel Inspection policy rule.
  1. Select Policies > Tunnel Inspection and Add a policy rule.
  2. On the General tab, enter a Tunnel Inspection policy rule Name, beginning with an alphanumeric character and containing zero or more alphanumeric, underscore (_), hyphen (-), dot (.), and space characters.
  3. (Optional) Enter a Description.
  4. (Optional) Specify a Tag that identifies the packets that are subject to the Tunnel Inspection policy rule, for reporting and logging purposes.

Step 3  Specify the criteria that determine the source of packets to which the Tunnel Inspection policy rule applies.
  1. Select the Source tab.
  2. Add a Source Zone from the list of zones. The default is Any zone.
  3. (Optional) Add a Source Address. You can enter an IPv4 or IPv6 address, an address group, or a GeoRegion address object. The default is Any source address.
  4. (Optional) Select Negate to choose any addresses except the specified ones.
  5. (Optional) Add a Source User. The default is any source user. Known-user is a user who has authenticated; an Unknown user has not authenticated.

Step 4  Specify the criteria that determine the destination of packets to which the Tunnel Inspection policy rule applies.
  1. Select the Destination tab.
  2. Add a Destination Zone from the list of zones. The default is Any zone.
  3. (Optional) Add a Destination Address. You can enter an IPv4 or IPv6 address, an address group, or a GeoRegion address object. The default is Any destination address. You can also configure a new Address or Address Group.
  4. (Optional) Select Negate to choose any addresses except the specified ones.

Step 5  Specify the tunnel protocols the firewall will inspect for this rule.
  1. Select the Inspection tab.
  2. Add one or more tunnel Protocols that you want the firewall to inspect:
     - GRE: Firewall inspects packets that use Generic Routing Encapsulation in the tunnel.
     - GTP-U: Firewall inspects packets that use General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U) in the tunnel.
     - Non-encrypted IPSec: Firewall inspects packets that use non-encrypted IPSec (Null Encrypted IPSec or transport mode AH IPSec) in the tunnel.


Step 6  Specify how many levels of encapsulation the firewall inspects and the conditions under which the firewall drops a packet.
  1. Select Inspect Options.
  2. Select the Maximum Tunnel Inspection Levels that the firewall will inspect:
     - One Level: Firewall inspects content that is in the outer tunnel only (default).
     - Two Levels (Tunnel In Tunnel): Firewall inspects content that is in the outer tunnel and content that is in the inner tunnel.
  3. Select the following to specify whether the firewall drops a packet under this condition:
     a. Drop packet if over maximum tunnel inspection level: Firewall drops a packet that contains more levels of encapsulation than are configured for Maximum Tunnel Inspection Levels.
     b. Drop packet if tunnel protocol fails strict header check: Firewall drops a packet that contains a tunnel protocol that uses a header that is non-compliant with the RFC for the protocol. Non-compliant headers can indicate suspicious packets. This option causes the firewall to verify GRE headers against RFC 2890.
        NOTE: If your firewall is tunneling GRE with a device that implements a version of GRE older than RFC 2890, you shouldn't enable the option to Drop packet if tunnel protocol fails strict header check.
     c. Drop packet if unknown protocol inside tunnel: Firewall drops a packet that contains a protocol inside the tunnel that the firewall can't identify.
        For example, if this option is selected, the firewall drops encrypted IPSec packets that match the Tunnel Inspection policy rule because the firewall can't read them. Thus, you can allow IPSec packets, and the firewall will allow only null-encrypted IPSec and AH IPSec packets.
  4. Click OK.

Step 7  Manage Tunnel Inspection policy rules.
  Use the following to manage Tunnel Inspection policy rules:
  - (Filter field): Displays only the tunnel policy rules named in the filter field.
  - Delete: Removes selected tunnel policy rules.
  - Clone: An alternative to the Add button; duplicates the selected rule with a new name, which you can then revise.
  - Enable: Enables the selected tunnel policy rules.
  - Disable: Disables the selected tunnel policy rules.
  - Move: Moves the selected tunnel policy rules up or down in the list; packets are evaluated against the rules in order from the top down.
  - Highlight Unused Rules: Highlights tunnel policy rules that no packets have matched since the last time the firewall was restarted.


Step 8  (Optional) Create a tunnel source zone and tunnel destination zone for tunnel content and configure a Security policy rule for each zone.
  The best practice is to create tunnel zones for your tunnel traffic. Thus, the firewall creates separate sessions for tunneled and non-tunneled packets that have the same five-tuple (source IP address and port, destination IP address and port, and protocol).
  Assigning tunnel zones to tunnel traffic on a PA-5200 Series firewall causes the firewall to do tunnel inspection in software; tunnel inspection isn't offloaded to hardware.
  1. If you want tunnel content to be subject to different Security policy rules from the Security policy rules for the zone of the outer tunnel (configured earlier), select Network > Zones and Add a Name for the Tunnel Source Zone.
  2. For Location, select the virtual system.
  3. For Type, select Tunnel.
  4. Click OK.
  5. Repeat these substeps to create the Tunnel Destination Zone.
  6. Configure a Security Policy Rule for the Tunnel Source Zone.
     Because you might not know the originator of the tunnel traffic or the direction of the traffic flow, and you don't want to inadvertently prohibit traffic for an application through the tunnel, specify both tunnel zones as the Source Zone and specify both tunnel zones as the Destination Zone in your Security policy rule, or select Any for both the source and destination zones; then specify the Applications.
  7. Configure a Security Policy Rule for the Tunnel Destination Zone. The tip for configuring a Security policy rule for the Tunnel Source Zone applies to the Tunnel Destination Zone also.


Step 9  (Optional) Specify the Tunnel Source Zone and Tunnel Destination Zone for the inner content.
  1. Specify the Tunnel Source Zone and Tunnel Destination Zone you just added as the zones for the inner content. Select Policies > Tunnel Inspection and, on the General tab, select the Name of the Tunnel Inspection policy rule you created.
  2. Select Inspection.
  3. Select Security Options.
  4. Select Enable Security Options to cause the inner content source to belong to the Tunnel Source Zone you specify, and to cause the inner content destination to belong to the Tunnel Destination Zone you specify. (Default is disabled.)
     If you don't Enable Security Options, the inner content source belongs to the same source zone as the outer tunnel source, and the inner content destination belongs to the same destination zone as the outer tunnel destination, and they are therefore subject to the same Security policy rules that apply to those outer zones.
  5. For Tunnel Source Zone, select one of the following:
     - Default (the default setting). The inner content will use the same zone that is used in the outer tunnel for policy enforcement.
     - The appropriate tunnel zone you created in the prior step, so that the Security policy rules associated with that zone apply to the tunnel source zone.
  6. For Tunnel Destination Zone, select one of the following:
     - Default (the default setting). The inner content will use the same zone that is used in the outer tunnel for policy enforcement.
     - The appropriate tunnel zone you created in the prior step, so that the Security policy rules associated with that zone apply to the tunnel destination zone.
     If you configure a Tunnel Source Zone and Tunnel Destination Zone for the tunnel inspection policy rule, you should configure a specific Source Zone (in Step 3) and a specific Destination Zone (in Step 4) in the match criteria of the tunnel inspection policy rule, instead of specifying a Source Zone of Any and a Destination Zone of Any. This tip ensures the direction of zone reassignment corresponds to the parent zones.
  7. Click OK.


Step 10  (Optional) If you enabled Rematch Sessions (Device > Setup > Session), ensure the firewall doesn't drop existing sessions when you create or revise a Tunnel Inspection policy, by disabling Reject Non-SYN TCP for the zones that control your tunnels' Security policies.
  The firewall displays the following warning when you:
  - Create a Tunnel Inspection policy rule.
  - Edit a Tunnel Inspection policy rule by adding a Protocol or by increasing the Maximum Tunnel Inspection Levels from One Level to Two Levels.
  - Enable Security Options in the Security Options tab by either adding new zones or changing one zone to another zone.
  Warning: Enabling tunnel inspection policies on existing tunnel sessions will cause existing TCP sessions inside the tunnel to be treated as non-syn-tcp flows. To ensure existing sessions are not dropped when the tunnel inspection policy is enabled, set the Reject Non-SYN TCP setting for the zone(s) to no using a Zone Protection profile and apply it to the zones that control the tunnel's security policies. Once the existing sessions have been recognized by the firewall, you can re-enable the Reject Non-SYN TCP setting by setting it to yes or global.
  1. Select Network > Network Profiles > Zone Protection and Add a profile.
  2. Enter a Name for the profile.
  3. Select Packet Based Attack Protection > TCP Drop.
  4. For Reject Non-SYN TCP, select no.
  5. Click OK.
  6. Select Network > Zones and select the zone that controls your tunnel's security policies.
  7. For Zone Protection Profile, select the Zone Protection profile you just created.
  8. Click OK.
  9. Repeat the prior three steps in this section to apply the Zone Protection profile to additional zones that control your tunnels' Security policies.
  10. After the firewall has recognized the existing sessions, you can re-enable Reject Non-SYN TCP by setting it to yes or global.

Step 11  Tag tunnel traffic for aggregated logging and reporting across firewalls or outside the firewall.
  If you tag tunnel traffic, you can later filter on the Monitor Tag in the Tunnel Inspection log and use the ACC to view tunnel activity based on Monitor Tag.
  1. Select Policies > Tunnel Inspection and select the Tunnel Inspection policy rule you created.
  2. Select Inspection > Monitor Options.
  3. Enter a Monitor Name to group similar traffic together for purposes of logging and reporting.
  4. Enter a Monitor Tag (number) to group similar traffic together for logging and reporting (range is 1 to 16,777,215). The tag number is globally defined.
  5. Click OK.


Step 12  (Optional) Limit fragmentation of traffic in a tunnel.
  1. Select Network > Network Profiles > Zone Protection and Add a profile by Name.
  2. Enter a Description.
  3. Select Packet Based Attack Protection > IP Drop > Fragmented traffic.
  4. Click OK.
  5. Select Network > Zones and select the tunnel zone where you want to limit fragmentation.
  6. For Zone Protection Profile, select the profile you just created to apply the Zone Protection profile to the tunnel zone.
  7. Click OK.

Step 13  Commit.
  Click Commit.
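The three Inspect Options in Step 6 (maximum inspection levels, strict header check, unknown protocol inside the tunnel) are easiest to reason about by walking a packet's encapsulation chain by hand. The following is an added example written for this page; it is not PAN-OS code and does not reproduce how the firewall implements these checks. It handles GRE only (not GTP-U or non-encrypted IPSec), applies the RFC 2890 layout as its strict check (reserved bits and Version must be zero), and treats any GRE protocol type other than IPv4 or IPv6 as "unknown". The packets are constructed inline and the IPv4 checksum is left zero because the inspector does not verify it.

```python
"""Added example (not PAN-OS code): count GRE encapsulation levels in an IP
packet, apply an RFC 2890 strict header check, and return the verdict the
three Inspect Options would produce. All packets are constructed inline."""
import struct
from typing import Tuple

IPPROTO_GRE = 47
ETHERTYPE_IP = {0x0800: 4, 0x86DD: 6}   # GRE protocol types this inspector decodes

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000
GRE_RESERVED_MASK = 0x4FF8   # bit 1 plus the 9-bit Reserved0 field (RFC 2890)
GRE_VERSION_MASK = 0x0007


def parse_gre(buf: bytes) -> Tuple[int, int, bool]:
    """Return (protocol type, header length, strict_ok) for a GRE header.
    strict_ok is False when any reserved bit is set or Version is not 0."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", buf[:4])
    hlen = 4
    if flags & GRE_C:
        hlen += 4   # Checksum + Reserved1
    if flags & GRE_K:
        hlen += 4   # Key
    if flags & GRE_S:
        hlen += 4   # Sequence Number
    if len(buf) < hlen:
        raise ValueError("GRE header shorter than its flag bits announce")
    strict_ok = (flags & GRE_RESERVED_MASK) == 0 and (flags & GRE_VERSION_MASK) == 0
    return proto, hlen, strict_ok


def ip_next(buf: bytes) -> Tuple[int, int, int]:
    """Return (IP version, header length, next protocol) for an IPv4/IPv6 header."""
    if not buf:
        raise ValueError("empty packet")
    ver = buf[0] >> 4
    if ver == 4 and len(buf) >= 20:
        return 4, (buf[0] & 0x0F) * 4, buf[9]
    if ver == 6 and len(buf) >= 40:
        return 6, 40, buf[6]
    raise ValueError("not an IPv4/IPv6 header")


def inspect(packet: bytes, max_levels: int = 1, drop_over_max: bool = True,
            drop_strict_fail: bool = True, drop_unknown: bool = True) -> Tuple[str, int]:
    """Return (verdict, GRE levels seen). Verdicts: 'allow' (inner IP content
    reached, which Security policy then evaluates), 'allow-uninspected' (a drop
    option is off), 'drop:over-max', 'drop:strict-header', 'drop:unknown-protocol'."""
    levels = 0
    buf = packet
    while True:
        _, ihl, proto = ip_next(buf)
        if proto != IPPROTO_GRE:
            return "allow", levels
        levels += 1
        if levels > max_levels:
            return ("drop:over-max" if drop_over_max else "allow-uninspected"), levels
        ptype, hlen, strict_ok = parse_gre(buf[ihl:])
        if not strict_ok and drop_strict_fail:
            return "drop:strict-header", levels
        if ptype not in ETHERTYPE_IP:
            return ("drop:unknown-protocol" if drop_unknown else "allow-uninspected"), levels
        buf = buf[ihl + hlen:]


# Constructed sample packets (hypothetical addresses 10.0.0.1 -> 10.0.0.2).
def ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def gre(ptype: int, payload: bytes, flags: int = 0) -> bytes:
    return struct.pack("!HH", flags, ptype) + payload


INNER = ipv4(6, b"\x00" * 20)                                          # IPv4/TCP stub
ONE_LEVEL = ipv4(IPPROTO_GRE, gre(0x0800, INNER))
TWO_LEVELS = ipv4(IPPROTO_GRE, gre(0x0800, ipv4(IPPROTO_GRE, gre(0x0800, INNER))))
BAD_HEADER = ipv4(IPPROTO_GRE, gre(0x0800, INNER, flags=0x0001))       # Version != 0
UNKNOWN = ipv4(IPPROTO_GRE, gre(0x88BE, b"\x00" * 8))                 # type not decoded

if __name__ == "__main__":
    for name, pkt in [("one", ONE_LEVEL), ("two", TWO_LEVELS),
                      ("bad", BAD_HEADER), ("unknown", UNKNOWN)]:
        print(name, inspect(pkt), inspect(pkt, max_levels=2))
```

The NOTE under Step 6 maps directly onto the `drop_strict_fail` parameter: a peer that predates RFC 2890 may set bits this check treats as reserved, and with the option enabled every such packet lands in the threat log as a strict-check drop rather than being inspected.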

View Inspected Tunnel Activity

Perform the following task to view activity of inspected tunnels.


Use the ACC to view inspected tunnel activity.
  1. Select ACC and select a Virtual System or All virtual systems.
  2. Select Tunnel Activity.
  3. Select a Time period to view, such as Last 24 Hrs or Last 30 Days.
  4. For Global Filters, click the + or - buttons to use ACC Filters on tunnel activity.
  5. View inspected tunnel activity; you can display and sort data in each window by bytes, sessions, threats, content, or URLs. Each window displays a different aspect of tunnel data in graph and table format:
     - Tunnel ID Usage: Each tunnel protocol lists the Tunnel IDs of tunnels using that protocol. Tables provide totals of Bytes, Sessions, Threats, Content, and URLs for the protocol. Hover over the tunnel ID to get a breakdown per tunnel ID.
     - Tunnel Monitor Tag: Each tunnel protocol lists tunnel monitor tags of tunnels using that tag. Tables provide totals of Bytes, Sessions, Threats, Content, and URLs for the tag and for the protocol. Hover over the tunnel monitor tag to get a breakdown per tag.
     - Tunneled Application Usage: Application categories graphically display types of applications grouped into media, general interest, collaboration, and networking, and color-coded by their risk. The Application tables also include a count of users per application.
     - Tunneled User Activity: Displays a graph of bytes sent and bytes received, for example, along an x-axis of date and time. Hover over a point on the graph to view data at that point. The Source User and Destination User table provides data per user.
     - Tunneled Source IP Activity: Displays graphs and tables of bytes, sessions, and threats, for example, from an Attacker at an IP address. Hover over a point on the graph to view data at that point.
     - Tunneled Destination IP Activity: Displays graphs and tables based on destination IP addresses. View threats per Victim at an IP address, for example. Hover over a point on the graph to view data at that point.

View Tunnel Information in Logs

You can view Tunnel Inspection logs themselves or view tunnel inspection information in other types of logs.


View Tunnel Inspection logs.
  1. Select Monitor > Logs > Tunnel Inspection and view the log data, noting the tunnel Applications used in your traffic and any high counts for packets failing Strict Checking of headers, for example.
  2. Click the Detailed Log View icon to see details about a log.

View other logs for tunnel inspection information.
  1. Select Monitor > Logs.
  2. Select Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, or Unified.
  3. For a log entry, click the Detailed Log View icon.
  4. In the Flags window, see if the Tunnel Inspected flag is checked. A Tunnel Inspected flag indicates the firewall used a Tunnel Inspection policy rule to inspect the inside content or inner tunnel. Parent Session information refers to an outer tunnel (relative to an inner tunnel) or an inner tunnel (relative to inside content).
     On the Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering logs, only direct parent information appears in the Detailed Log View of the inner session log, not tunnel log information. If you configured two levels of tunnel inspection, you can select the parent session of this direct parent to view the second parent log. (You must monitor the Tunnel Inspection log as shown in the prior step to view tunnel log information.)
  5. If you are viewing the log for an inside session that is tunnel inspected, click the View Parent Session link in the General section to see the outside session information.

Create a Custom Report Based on Tagged Tunnel Traffic

You can create a report to gather information based on the tag you applied to tunnel traffic.

Create a custom report using Monitor Tags and the Tunnel Inspected flag.
  1. Select Monitor > Manage Custom Reports and click Add.
  2. For Database, select the Traffic, Threat, URL, Data Filtering, or WildFire Submissions log.
  3. For Available Columns, select Flags and Monitor Tag, along with other data you want in the report.
  See Generate Custom Reports for details about creating a custom report.


Reference: BFD Details

To see the following BFD information for a virtual router, you can View BFD summary and details. Each entry below gives the field Name, an example Value in brackets, and its Description.

Session ID  [example: 1]
  ID number of the BFD session.
Interface  [example: ethernet1/12]
  Interface you selected where BFD is running.
Protocol  [example: STATIC(IPV4) OSPF]
  Static route (IP address family of static route) and/or dynamic routing protocol that is running BFD on the interface.
Local IP Address  [example: 10.55.55.2]
  IP address of the interface.
Neighbor IP Address  [example: 10.55.55.1]
  IP address of the BFD neighbor.
BFD Profile  [example: default* (This BFD session has multiple BFD profiles. Lowest Desired Minimum Tx Interval (ms) is used to select the effective profile.)]
  Name of the BFD profile applied to the interface. Because the sample interface has both a static route and OSPF running BFD with different profiles, the firewall uses the profile with the lowest Desired Minimum Tx Interval. In this example, the profile used is the default profile.
State (local/remote)  [example: up/up]
  BFD states of the local and remote BFD peers. Possible states are admin down, down, init, and up.
Up Time  [example: 2h 36m 21s 419ms]
  Length of time BFD has been up (hours, minutes, seconds, and milliseconds).
Discriminator (local/remote)  [example: 1391591427/1]
  Discriminators for the local and remote BFD peers.
Mode  [example: Active]
  Mode in which BFD is configured on the interface: Active or Passive.
Demand Mode  [example: Disabled]
  PAN-OS does not support BFD Demand Mode, so it is always in the Disabled state.
Multihop  [example: Disabled]
  BFD multihop: Enabled or Disabled.
Multihop TTL  [no example shown]
  TTL of multihop; range is 1 to 254. Field is empty if Multihop is disabled.
Local Diag Code  [example: 0 (No Diagnostic)]
  Diagnostic code indicating the reason for the local system's last change in state:
  0  No Diagnostic
  1  Control Detection Time Expired
  2  Echo Function Failed
  3  Neighbor Signaled Session Down
  4  Forwarding Plane Reset
  5  Path Down
  6  Concatenated Path Down
  7  Administratively Down
  8  Reverse Concatenated Path Down


Last Received Remote Diag Code  [example: 0 (No Diagnostic)]
  Diagnostic code last received from the BFD peer.
Transmit Hold Time  [example: 0 ms]
  Hold time (in milliseconds) after a link comes up before BFD transmits BFD control packets. A hold time of 0 ms means to transmit immediately. Range is 0 to 120000 ms.
Received Min Rx Interval  [example: 1000 ms]
  Minimum Rx interval received from the peer; the interval at which the BFD peer can receive control packets. Maximum is 2000 ms.
Negotiated Transmit Interval  [example: 1000 ms]
  Transmit interval (in milliseconds) that the BFD peers have agreed to send BFD control packets to each other. Maximum is 2000 ms.
Received Multiplier  [example: 3]
  Detection time multiplier value received from the BFD peer. The Transmit Time multiplied by the Multiplier equals the detection time. If BFD does not receive a BFD control packet from its peer before the detection time expires, a failure has occurred. Range is 2 to 50.
Detect Time (exceeded)  [example: 3000 ms (0)]
  Calculated detection time (Negotiated Transmit Interval multiplied by Multiplier) and the number of milliseconds the detection time is exceeded.
Tx Control Packets (last)  [example: 9383 (420 ms ago)]
  Number of BFD control packets transmitted (and length of time since BFD transmitted the most recent control packet).
Rx Control Packets (last)  [example: 9384 (407 ms ago)]
  Number of BFD control packets received (and length of time since BFD received the most recent control packet).
Agent Data Plane  [example: Slot 1 DP 0]
  On PA-7000 Series firewalls, the dataplane CPU that is assigned to handle packets for this BFD session.
Errors  [example: 0]
  Number of BFD errors.

Last Packet Causing State Change

Version  [example: 1]
  BFD version.
Poll Bit  [example: 0]
  BFD poll bit; 0 indicates not set.
Desired Min Tx Interval  [example: 1000 ms]
  Desired minimum transmit interval of the last packet causing a state change.
Required Min Rx Interval  [example: 1000 ms]
  Required minimum receive interval of the last packet causing a state change.
Detect Multiplier  [example: 3]
  Detect Multiplier of the last packet causing a state change.
My Discriminator  [example: 1]
  Remote discriminator. A discriminator is a unique, nonzero value the peers use to distinguish multiple BFD sessions between them.
Your Discriminator  [example: 1391591427]
  Local discriminator. A discriminator is a unique, nonzero value the peers use to distinguish multiple BFD sessions between them.
Diagnostic Code  [example: 0 (No Diagnostic)]
  Diagnostic code of the last packet causing a state change.

PaloAltoNetworks,Inc. PANOS8.0AdministratorsGuide 941


Reference:BFDDetails Networking

Name Value(Example) Description

Length 24 LengthofBFDcontrolpacketinbytes.

DemandBit 0 PANOSdoesnotsupportBFDDemandmode,soDemandBitis
alwayssetto0(disabled).

FinalBit 0 PANOSdoesnotsupportthePollSequence,soFinalBitis
alwayssetto0(disabled).

MultipointBit 0 Thisbitisreservedforfuturepointtomultipointextensionsto
BFD.Itmustbezeroonbothtransmitandreceipt.

ControlPlaneIndependent 1 Ifsetto1,thetransmittingsystemsBFDimplementationdoes
Bit notsharefatewithitscontrolplane(i.e.,BFDisimplemented
intheforwardingplaneandcancontinuetofunctionthrough
disruptionsinthecontrolplane).InPANOS,thisbitisalways
setto1.
Ifsetto0,thetransmittingsystemsBFDimplementation
sharesfatewithitscontrolplane.

AuthenticationPresentBit 0 PANOSdoesnotsupportBFDAuthentication,sothe
AuthenticationPresentBitisalwayssetto0.

RequiredMinEchoRx 0ms PANOSdoesnotsupporttheBFDEchofunction,sothiswill


Interval alwaysbe0ms.
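The fields in the two tables above map one-to-one onto the 24-byte mandatory section of a BFD control packet. The following Python is an added example, not code from this guide or from PAN-OS: it decodes a constructed packet, computes the detection time the way the Detect Time row defines it (the interval the peer has agreed to transmit at, multiplied by the multiplier received from the peer), and lists any header field that differs from the fixed values the table states for PAN-OS transmissions (Demand, Final, Multipoint and Authentication Present always 0, Control Plane Independent always 1, Required Min Echo Rx always 0). Field layout, interval units and diagnostic code names follow RFC 5880; the sample values (discriminators 1 and 1391591427, 1000 ms intervals, multiplier 3) are taken from the example column, and every function name is the example's own.

```python
import struct
from dataclasses import dataclass

# Diagnostic codes from RFC 5880 section 4.1; 0 is "No Diagnostic" as in the table.
DIAG_NAMES = {0: "No Diagnostic", 1: "Control Detection Time Expired",
              2: "Echo Function Failed", 3: "Neighbor Signaled Session Down",
              4: "Forwarding Plane Reset", 5: "Path Down", 6: "Concatenated Path Down",
              7: "Administratively Down", 8: "Reverse Concatenated Path Down"}
STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}

@dataclass
class BfdControl:
    version: int
    diag: int
    state: int
    poll: int
    final: int
    control_plane_independent: int
    auth_present: int
    demand: int
    multipoint: int
    detect_mult: int
    length: int
    my_discriminator: int
    your_discriminator: int
    desired_min_tx_us: int          # intervals are carried in microseconds
    required_min_rx_us: int
    required_min_echo_rx_us: int

def parse_bfd_control(pkt: bytes) -> BfdControl:
    """Decode the 24-byte mandatory section (RFC 5880 4.1). Byte 0 is
    Vers(3 bits) | Diag(5 bits); byte 1 is Sta(2) | P | F | C | A | D | M."""
    if len(pkt) < 24:
        raise ValueError("BFD control packet shorter than 24 bytes")
    b0, b1, mult, length, my_disc, your_disc, tx, rx, echo = struct.unpack("!BBBBIIIII", pkt[:24])
    if length < 24 or length > len(pkt):
        raise ValueError("Length field inconsistent with packet")
    if mult == 0 or my_disc == 0:
        raise ValueError("Detect Mult and My Discriminator must be nonzero")
    return BfdControl(version=b0 >> 5, diag=b0 & 0x1F,
                      state=b1 >> 6, poll=(b1 >> 5) & 1, final=(b1 >> 4) & 1,
                      control_plane_independent=(b1 >> 3) & 1, auth_present=(b1 >> 2) & 1,
                      demand=(b1 >> 1) & 1, multipoint=b1 & 1,
                      detect_mult=mult, length=length,
                      my_discriminator=my_disc, your_discriminator=your_disc,
                      desired_min_tx_us=tx, required_min_rx_us=rx, required_min_echo_rx_us=echo)

def build_bfd_control(state, detect_mult, my_disc, your_disc, tx_us, rx_us, diag=0, poll=0,
                      final=0, cpi=1, auth=0, demand=0, multipoint=0, echo_us=0) -> bytes:
    """Encode a version-1 packet; the defaults are the values the table says PAN-OS always sends."""
    b0 = (1 << 5) | (diag & 0x1F)
    b1 = ((state << 6) | (poll << 5) | (final << 4) | (cpi << 3)
          | (auth << 2) | (demand << 1) | multipoint)
    return struct.pack("!BBBBIIIII", b0, b1, detect_mult, 24, my_disc, your_disc, tx_us, rx_us, echo_us)

def negotiated_transmit_interval_ms(local_desired_min_tx_ms, peer: BfdControl) -> int:
    """Interval the local side may transmit at: the larger of what it wants to send
    and what the peer says it can receive (RFC 5880 6.8.7)."""
    return max(local_desired_min_tx_ms, peer.required_min_rx_us // 1000)

def detection_time_ms(local_required_min_rx_ms, peer: BfdControl) -> int:
    """Detect Time as the table defines it: the interval the peer has agreed to transmit
    at, multiplied by the multiplier received from the peer (RFC 5880 6.8.4)."""
    peer_tx_ms = max(local_required_min_rx_ms, peer.desired_min_tx_us // 1000)
    return peer.detect_mult * peer_tx_ms

# Header values the table says PAN-OS fixes on transmit.
PANOS_FIXED = {"version": 1, "demand": 0, "final": 0, "multipoint": 0, "auth_present": 0,
               "control_plane_independent": 1, "required_min_echo_rx_us": 0}

def panos_invariant_violations(p: BfdControl) -> list:
    """Fields a PAN-OS firewall would never send with this value. Meant for checking a
    capture of the firewall's own transmissions; a non-PAN-OS peer may legitimately differ."""
    return [f for f, v in PANOS_FIXED.items() if getattr(p, f) != v]

# Constructed sample: a peer packet carrying the values from the example column.
SAMPLE = build_bfd_control(state=3, detect_mult=3, my_disc=1, your_disc=1391591427,
                           tx_us=1_000_000, rx_us=1_000_000)

if __name__ == "__main__":
    p = parse_bfd_control(SAMPLE)
    print(STATE_NAMES[p.state], DIAG_NAMES[p.diag], "detect time", detection_time_ms(1000, p),
          "ms, violations", panos_invariant_violations(p))
```

Because the Authentication Present bit is always 0, nothing in the packet authenticates its sender; the checker therefore validates layout and the fixed PAN-OS values only, and cannot tell a genuine peer packet from a spoofed one.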



Policy

Policies allow you to enforce rules and take action. The different types of policy rules that you can create on the firewall are: Security, NAT, Quality of Service (QoS), Policy Based Forwarding (PBF), Decryption, Application Override, Authentication, Denial of Service (DoS), and Zone protection policies. All these different policies work together to allow, deny, prioritize, forward, encrypt, decrypt, make exceptions, authenticate access, and reset connections as needed to help secure your network. The following topics describe how to work with policy:
Policy Types
Security Policy
Policy Objects
Security Profiles
Best Practice Internet Gateway Security Policy
Enumeration of Rules Within a Rulebase
Move or Clone a Policy Rule or Object to a Different Virtual System
Use Tags to Group and Visually Distinguish Objects
Use an External Dynamic List in Policy
Register IP Addresses and Tags Dynamically
Monitor Changes in the Virtual Environment
CLI Commands for Dynamic IP Addresses and Tags
Identify Users Connected through a Proxy Server
Policy Based Forwarding

Policy Types

The Palo Alto Networks next-generation firewall supports a variety of policy types that work together to safely enable applications on your network.

Policy Type | Description
Security | Determine whether to block or allow a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service. For more details, see Security Policy.
NAT | Instruct the firewall which packets need translation and how to do the translation. The firewall supports both source address and/or port translation and destination address and/or port translation. For more details, see NAT.
QoS | Identify traffic requiring QoS treatment (either preferential treatment or bandwidth limiting) using a defined parameter or multiple parameters and assign it a class. For more details, see Quality of Service.
Policy Based Forwarding | Identify traffic that should use a different egress interface than the one that would normally be used based on the routing table. For details, see Policy Based Forwarding.
Decryption | Identify encrypted traffic that you want to inspect for visibility, control, and granular security. For more details, see Decryption.
Application Override | Identify sessions that you do not want processed by the App-ID engine, which is a Layer 7 inspection. Traffic matching an application override policy forces the firewall to handle the session as a regular stateful inspection firewall at Layer 4. For more details, see Manage Custom or Unknown Applications.
Authentication | Identify traffic that requires users to authenticate. For more details, see Authentication Policy.
DoS Protection | Identify potential denial-of-service (DoS) attacks and take protective action in response to rule matches. For more details, see DoS Protection Profiles.

Security Policy

Security policy protects network assets from threats and disruptions and aids in optimally allocating network resources for enhancing productivity and efficiency in business processes. On the Palo Alto Networks firewall, individual Security policy rules determine whether to block or allow a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service.

To ensure that end users authenticate when they try to access your network resources, the firewall evaluates Authentication Policy before Security policy.

All traffic passing through the firewall is matched against a session and each session is matched against a Security policy rule. When a session match occurs, the firewall applies the matching Security policy rule to bidirectional traffic (client to server and server to client) in that session. For traffic that doesn't match any defined rules, the default rules apply. The default rules, displayed at the bottom of the security rulebase, are predefined to allow all intrazone (within the zone) traffic and deny all interzone (between zones) traffic. Although these rules are part of the predefined configuration and are read-only by default, you can override them and change a limited number of settings, including the tags, action (allow or block), log settings, and security profiles.

Security policy rules are evaluated left to right and from top to bottom. A packet is matched against the first rule that meets the defined criteria; after a match is triggered the subsequent rules are not evaluated. Therefore, the more specific rules must precede more generic ones in order to enforce the best match criteria. Traffic that matches a rule generates a log entry at the end of the session in the traffic log, if logging is enabled for that rule. The logging options are configurable for each rule, and can for example be configured to log at the start of a session instead of, or in addition to, logging at the end of a session.
Components of a Security Policy Rule
Security Policy Actions
Create a Security Policy Rule

Components of a Security Policy Rule

The Security policy rule construct permits a combination of the required and optional fields as detailed in the following tables:
Required Fields
Optional Fields

Required Fields

Required Field | Description
Name | A label that supports up to 31 characters, used to identify the rule.
Rule Type | Specifies whether the rule applies to traffic within a zone, between zones, or both:
  universal (default): Applies the rule to all matching interzone and intrazone traffic in the specified source and destination zones. For example, if you create a universal rule with source zones A and B and destination zones A and B, the rule would apply to all traffic within zone A, all traffic within zone B, all traffic from zone A to zone B, and all traffic from zone B to zone A.
  intrazone: Applies the rule to all matching traffic within the specified source zones (you cannot specify a destination zone for intrazone rules). For example, if you set the source zone to A and B, the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic between zones A and B.
  interzone: Applies the rule to all matching traffic between the specified source and destination zones. For example, if you set the source zone to A, B, and C and the destination zone to A and B, the rule would apply to traffic from zone A to zone B, from zone B to zone A, from zone C to zone A, and from zone C to zone B, but not to traffic within zones A, B, or C.
Source Zone | The zone from which the traffic originates.
Destination Zone | The zone at which the traffic terminates. If you use NAT, make sure to always reference the post-NAT zone.
Application | The application which you wish to control. The firewall uses App-ID, the traffic classification technology, to identify traffic on your network. App-ID provides application control and visibility in creating security policies that block unknown applications, while enabling, inspecting, and shaping those that are allowed.
Action | Specifies an Allow or Block action for the traffic based on the criteria you define in the rule. When you configure the firewall to block traffic, it either resets the connection or silently drops packets. To provide a better user experience, you can configure granular options to block traffic instead of silently dropping packets, which can cause some applications to break and appear unresponsive to the user. For more details, see Security Policy Actions.

Optional Fields

Optional Field | Description
Tag | A keyword or phrase that allows you to filter security rules. This is handy when you have defined many rules and wish to then review those that are tagged with a keyword such as IT-sanctioned applications or High-risk applications.
Description | A text field, up to 255 characters, used to describe the rule.
Source IP Address | Define host IP or FQDN, subnet, named groups, or country-based enforcement. If you use NAT, make sure to always refer to the original IP addresses in the packet (i.e. the pre-NAT IP address).
Destination IP Address | The location or destination for the traffic. If you use NAT, make sure to always refer to the original IP addresses in the packet (i.e. the pre-NAT IP address).
User | The user or group of users for whom the policy applies. You must have User-ID enabled on the zone. To enable User-ID, see User-ID Overview.
URL Category | Using the URL Category as match criteria allows you to customize security profiles (Antivirus, Anti-Spyware, Vulnerability, File Blocking, Data Filtering, and DoS) on a per-URL-category basis. For example, you can prevent .exe file download/upload for URL categories that represent higher risk while allowing them for other categories. This functionality also allows you to attach schedules to specific URL categories (allow social-media websites during lunch and after hours), mark certain URL categories with QoS (financial, medical, and business), and select different log forwarding profiles on a per-URL-category basis.
  Although you can manually configure URL categories on your firewall, to take advantage of the dynamic URL categorization updates available on the Palo Alto Networks firewalls, you must purchase a URL filtering license.
  NOTE: To block or allow traffic based on URL category, you must apply a URL Filtering profile to the security policy rules. Define the URL Category as Any and attach a URL Filtering profile to the security policy. See Define Basic Security Policy Rules for information on using the default profiles in your security policy and see Control Access to Web Content for more details.
Service | Allows you to select a Layer 4 (TCP or UDP) port for the application. You can choose any, specify a port, or use application-default to permit use of the standards-based port for the application. For example, for applications with well-known port numbers such as DNS, the application-default option will match DNS traffic only on its standard ports (TCP and UDP port 53). You can also add a custom application and define the ports that the application can use.
  NOTE: For inbound allow rules (for example, from untrust to trust), using application-default prevents applications from running on unusual ports and protocols. Application-default is the default option; while the firewall still checks for all applications on all ports, with this configuration, applications are only allowed on their standard ports/protocols.
Security Profiles | Provide additional protection from threats, vulnerabilities, and data leaks. Security profiles are only evaluated for rules that have an allow action.
HIP Profile (for GlobalProtect) | Allows you to identify clients with Host Information Profile (HIP) and then enforce access privileges.
Options | Allow you to define logging for the session, log forwarding settings, change Quality of Service (QoS) markings for packets that match the rule, and schedule when (day and time) the security rule should be in effect.

Security Policy Actions

For traffic that matches the attributes defined in a security policy, you can apply the following actions:

Action | Description
Allow (default action) | Allows the traffic.
Deny | Blocks traffic and enforces the default Deny Action defined for the application that is being denied. To view the deny action defined by default for an application, view the application details in Objects > Applications or check the application details in Applipedia.
Drop | Silently drops the traffic; for an application, it overrides the default deny action. A TCP reset is not sent to the host/application. For Layer 3 interfaces, to optionally send an ICMP unreachable response to the client, set Action: Drop and enable the Send ICMP Unreachable check box. When enabled, the firewall sends the ICMP code for "communication with the destination is administratively prohibited" (ICMPv4: Type 3, Code 13; ICMPv6: Type 1, Code 1).
Reset client | Sends a TCP reset to the client-side device.
Reset server | Sends a TCP reset to the server-side device.
Reset both | Sends a TCP reset to both the client-side and server-side devices.

NOTE: A reset is sent only after a session is formed. If the session is blocked before a 3-way handshake is completed, the firewall will not send the reset.
For a TCP session with a reset action, the firewall does not send an ICMP Unreachable response.
For a UDP session with a drop or reset action, if the ICMP Unreachable check box is selected, the firewall sends an ICMP message to the client.

Create a Security Policy Rule

Step 1 | (Optional) Delete the default Security policy rule. | By default, the firewall includes a security rule named rule1 that allows all traffic from the Trust zone to the Untrust zone. You can either delete the rule or modify the rule to reflect your zone-naming conventions.
Step 2 | Add a rule. | 1. Select Policies > Security and click Add.
  2. Enter a descriptive Name for the rule in the General tab.
  3. Select a Rule Type.
Step 3 | Define the matching criteria for the source fields in the packet. | 1. In the Source tab, select a Source Zone.
  2. Specify a Source IP Address or leave the value set to any.
  3. Specify a Source User or leave the value set to any.
Step 4 | Define the matching criteria for the destination fields in the packet. | 1. In the Destination tab, set the Destination Zone.
  2. Specify a Destination IP Address or leave the value set to any.
  As a best practice, consider using address objects in the Destination Address field to enable access to specific servers or groups of servers only, particularly for services such as DNS and SMTP that are commonly exploited. By restricting users to specific destination server addresses you can prevent data exfiltration and command-and-control traffic from establishing communication through techniques such as DNS tunneling.
Step 5 | Specify the application the rule will allow or block. As a best practice, always use application-based security policy rules instead of port-based rules and always set the Service to application-default unless you are using a more restrictive list of ports than the standard ports for an application. | 1. In the Applications tab, Add the Application to safely enable. You can select multiple applications, or use application groups or application filters.
  2. In the Service/URL Category tab, keep the Service set to application-default to ensure that any applications the rule allows are only allowed on their standard ports.
Step 6 | (Optional) Specify a URL category as match criteria for the rule. | In the Service/URL Category tab, select the URL Category. If you select a URL category, only web traffic will match the rule and only if the traffic is to the specified category.
Step 7 | Define what action you want the firewall to take for traffic that matches the rule. | In the Actions tab, select an Action. See Security Policy Actions for a description of each action.
Step 8 | Configure the log settings. | By default, the rule is set to Log at Session End. You can clear this setting if you don't want any logs generated when traffic matches this rule, or select Log at Session Start for more detailed logging. Select a Log Forwarding profile.
Step 9 | Attach security profiles to enable the firewall to scan all allowed traffic for threats. See Create Best Practice Security Profiles to learn how to create security profiles that protect your network from both known and unknown threats. | In the Actions tab, select Profiles from the Profile Type drop-down and then select the individual security profiles to attach to the rule. Alternatively, select Group from the Profile Type drop-down and select a security Group Profile to attach.
Step 10 | Save the policy rule to the running configuration on the firewall. | Click Commit.
Step 11 | To verify that you have set up your basic policies effectively, test whether your security policy rules are being evaluated and determine which security policy rule applies to a traffic flow. | To verify the policy rule that matches a flow, use the following CLI command:
  test security-policy-match source <IP_address> destination <IP_address> destination-port <port_number> protocol <protocol_number>
  The output displays the best rule that matches the source and destination IP address specified in the CLI command.
  For example, to verify the policy rule that will be applied for a server in the data center with the IP address 208.80.56.11 when it accesses the Microsoft update server:
  test security-policy-match source 208.80.56.11 destination 176.9.45.70 destination-port 80 protocol 6

  "Updates-DC to Internet" {
  from data_center_applications;
  source any;
  source-region any;
  to untrust;
  destination any;
  destination-region any;
  user any;
  category any;
  application/service [dns/tcp/any/53 dns/udp/any/53 dns/udp/any/5353 ms-update/tcp/any/80 ms-update/tcp/any/443];
  action allow;
  terminal yes;
  }

Policy Objects

A policy object is a single object or a collective unit that groups discrete identities such as IP addresses, URLs, applications, or users. With policy objects that are a collective unit, you can reference the object in security policy instead of manually selecting multiple objects one at a time. Typically, when creating a policy object, you group objects that require similar permissions in policy. For example, if your organization uses a set of server IP addresses for authenticating users, you can group the set of server IP addresses as an address group policy object and reference the address group in the security policy. By grouping objects, you can significantly reduce the administrative overhead in creating policies.
You can create the following policy objects on the firewall:

Policy Object | Description
Address/Address Group, Region | Allow you to group specific source or destination addresses that require the same policy enforcement. The address object can include an IPv4 or IPv6 address (single IP, range, subnet) or the FQDN. Alternatively, a region can be defined by the latitude and longitude coordinates or you can select a country and define an IP address or IP range. You can then group a collection of address objects to create an address group object. You can also use dynamic address groups to dynamically update IP addresses in environments where host IP addresses change frequently.
User/User Group | Allow you to create a list of users from the local database or an external database and group them.
Application Group and Application Filter | An Application Filter allows you to filter applications dynamically. It allows you to filter, and save a group of applications using the attributes defined in the application database on the firewall. For example, you can Create an Application Filter by one or more attributes: category, subcategory, technology, risk, characteristics. With an application filter, when a content update occurs, any new applications that match your filter criteria are automatically added to your saved application filter. An Application Group allows you to create a static group of specific applications that you want to group together for a group of users or for a particular service, or to achieve a particular policy goal. See Create an Application Group.
Service/Service Groups | Allows you to specify the source and destination ports and protocol that a service can use. The firewall includes two predefined services, service-http and service-https, that use TCP ports 80 and 8080 for HTTP, and TCP port 443 for HTTPS. You can however create any custom service on any TCP/UDP port of your choice to restrict application usage to specific ports on your network (in other words, you can define the default port for the application).
  NOTE: To view the standard ports used by an application, in Objects > Applications search for the application and click the link. A succinct description displays.

Security Profiles

While security policy rules enable you to allow or block traffic on your network, security profiles help you define an allow-but-scan rule, which scans allowed applications for threats, such as viruses, malware, spyware, and DDoS attacks. When traffic matches the allow rule defined in the security policy, the security profile(s) that are attached to the rule are applied for further content inspection rules such as antivirus checks and data filtering.

Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy.

The firewall provides default security profiles that you can use out of the box to begin protecting your network from threats. See Set Up a Basic Security Policy for information on using the default profiles in your security policy. As you get a better understanding about the security needs on your network, you can create custom profiles. See Security Profiles for more information.

For recommendations on the best practice settings for security profiles, see Create Best Practice Security Profiles.

You can add security profiles that are commonly applied together to a Security Profile Group; this set of profiles can be treated as a unit and added to security policies in one step (or included in security policies by default, if you choose to set up a default security profile group).
The following topics provide more detailed information about each type of security profile and how to set up a security profile group:
Antivirus Profiles
Anti-Spyware Profiles
Vulnerability Protection Profiles
URL Filtering Profiles
Data Filtering Profiles
File Blocking Profiles
WildFire Analysis Profiles
DoS Protection Profiles
Zone Protection Profiles
Security Profile Group

Antivirus Profiles

Antivirus profiles protect against viruses, worms, and trojans as well as spyware downloads. Using a stream-based malware prevention engine, which inspects traffic the moment the first packet is received, the Palo Alto Networks antivirus solution can provide protection for clients without significantly impacting the performance of the firewall. This profile scans for a wide variety of malware in executables, PDF files, HTML and JavaScript viruses, including support for scanning inside compressed files and data encoding schemes. If you have enabled Decryption on the firewall, the profile also enables scanning of decrypted content.
The default profile inspects all of the listed protocol decoders for viruses, and generates alerts for the SMTP, IMAP, and POP3 protocols while blocking for the FTP, HTTP, and SMB protocols. You can configure the action for a decoder or Antivirus signature and specify how the firewall responds to a threat event:

Action | Description
Default | For each threat signature and Antivirus signature that is defined by Palo Alto Networks, a default action is specified internally. Typically, the default action is an alert or a reset-both. The default action is displayed in parentheses, for example default (alert), in the threat or Antivirus signature.
Allow | Permits the application traffic.
Alert | Generates an alert for each application traffic flow. The alert is saved in the threat log.
Drop | Drops the application traffic.
Reset Client | For TCP, resets the client-side connection. For UDP, drops the connection.
Reset Server | For TCP, resets the server-side connection. For UDP, drops the connection.
Reset Both | For TCP, resets the connection on both client and server ends. For UDP, drops the connection.

Customized profiles can be used to minimize antivirus inspection for traffic between trusted security zones, and to maximize the inspection of traffic received from untrusted zones, such as the internet, as well as the traffic sent to highly sensitive destinations, such as server farms.
The Palo Alto Networks WildFire system also provides signatures for persistent threats that are more evasive and have not yet been discovered by other antivirus solutions. As threats are discovered by WildFire, signatures are quickly created and then integrated into the standard Antivirus signatures that can be downloaded by Threat Prevention subscribers on a daily basis (sub-hourly for WildFire subscribers).

Anti-Spyware Profiles

Anti-Spyware profiles block spyware on compromised hosts from trying to phone home or beacon out to external command-and-control (C2) servers, allowing you to detect malicious traffic leaving the network from infected clients. You can apply various levels of protection between zones. For example, you may want to have custom Anti-Spyware profiles that minimize inspection between trusted zones, while maximizing inspection on traffic received from an untrusted zone, such as internet-facing zones.
You can define your own custom Anti-Spyware profiles, or choose one of the following predefined profiles when applying Anti-Spyware to a Security policy rule:
Default: Uses the default action for every signature, as specified by Palo Alto Networks when the signature is created.
Strict: Overrides the default action of critical, high, and medium severity threats to the block action, regardless of the action defined in the signature file. This profile still uses the default action for low and informational severity signatures.
When the firewall detects a threat event, you can configure the following actions in an Anti-Spyware profile:
Default: For each threat signature and Anti-Spyware signature that is defined by Palo Alto Networks, a default action is specified internally. Typically the default action is an alert or a reset-both. The default action is displayed in parentheses, for example default (alert), in the threat or Anti-Spyware signature.
Allow: Permits the application traffic.
Alert: Generates an alert for each application traffic flow. The alert is saved in the threat log.
Drop: Drops the application traffic.
Reset Client: For TCP, resets the client-side connection. For UDP, drops the connection.
Reset Server: For TCP, resets the server-side connection. For UDP, drops the connection.
Reset Both: For TCP, resets the connection on both client and server ends. For UDP, drops the connection.
Block IP: This action blocks traffic from either a source or a source-destination pair. It is configurable for a specified period of time.
In addition, you can enable the DNS Sinkholing action in Anti-Spyware profiles to enable the firewall to forge a response to a DNS query for a known malicious domain, causing the malicious domain name to resolve to an IP address that you define. This feature helps to identify infected hosts on the protected network using DNS traffic. Infected hosts can then be easily identified in the traffic and threat logs because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.
Anti-Spyware and Vulnerability Protection profiles are configured similarly.
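The reason the sinkhole helps identify hosts is that the threat log records the DNS query as coming from whichever resolver forwarded it, while the traffic log records the real client opening a connection to the sinkhole address. The following Python is an added example and not anything from this guide: it runs that correlation over a few constructed log extracts in a simplified CSV shape (the firewall's real log field layout is not reproduced), with an assumed sinkhole address of 192.0.2.1 and an assumed internal resolver at 10.0.0.53.

```python
import csv
import io
from collections import defaultdict

SINKHOLE_IP = "192.0.2.1"            # assumed: the sinkhole address set in the profile
INTERNAL_RESOLVERS = {"10.0.0.53"}   # assumed: the network's internal DNS servers

# Constructed extracts. The columns are simplified and do not reproduce the
# firewall's real log format.
THREAT_LOG = """\
time,src,dst,action,threat
2017-03-30T10:00:01,10.0.0.53,198.51.100.7,sinkhole,bad-domain.example(12345)
2017-03-30T10:02:14,10.0.0.53,198.51.100.7,sinkhole,evil.example(12346)
2017-03-30T10:05:00,10.0.0.53,198.51.100.7,alert,other.example(12347)
"""
TRAFFIC_LOG = """\
time,src,dst,dport,action
2017-03-30T10:00:02,10.1.2.34,192.0.2.1,443,allow
2017-03-30T10:00:09,10.1.2.34,93.184.216.34,443,allow
2017-03-30T10:02:15,10.1.7.8,192.0.2.1,80,allow
2017-03-30T10:04:30,10.1.2.34,192.0.2.1,443,allow
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def sinkholed_domains(threat_csv=THREAT_LOG):
    """Domains the firewall answered with the sinkhole address."""
    return [r["threat"].split("(")[0] for r in _rows(threat_csv) if r["action"] == "sinkhole"]

def threat_log_sources(threat_csv=THREAT_LOG):
    """Source addresses on the sinkhole entries. When clients query through an
    internal resolver these are the resolver's addresses, not the infected hosts."""
    return {r["src"] for r in _rows(threat_csv) if r["action"] == "sinkhole"}

def threat_log_identifies_clients(threat_csv=THREAT_LOG, resolvers=INTERNAL_RESOLVERS):
    """False when every sinkhole entry names an internal resolver as its source,
    i.e. the threat log alone cannot tell you which client is infected."""
    return not threat_log_sources(threat_csv) <= resolvers

def infected_hosts(traffic_csv=TRAFFIC_LOG, sinkhole_ip=SINKHOLE_IP):
    """Hosts that opened a connection to the sinkhole address, with the times and
    ports; each one resolved a sinkholed domain and then tried to use the answer."""
    hits = defaultdict(list)
    for r in _rows(traffic_csv):
        if r["dst"] == sinkhole_ip:
            hits[r["src"]].append((r["time"], int(r["dport"])))
    return dict(hits)

if __name__ == "__main__":
    print("sinkholed:", sinkholed_domains())
    print("threat-log sources:", threat_log_sources(), "identify clients:", threat_log_identifies_clients())
    print("hosts that connected to the sinkhole:", infected_hosts())
```

The sinkhole address should be one that is routed but never hosts a real service, so that the only reason a client would ever connect to it is a sinkholed DNS answer; otherwise the traffic-log correlation produces false positives.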

Vulnerability Protection Profiles

Vulnerability Protection profiles stop attempts to exploit system flaws or gain unauthorized access to systems. While Anti-Spyware profiles help identify infected hosts as traffic leaves the network, Vulnerability Protection profiles protect against threats entering the network. For example, Vulnerability Protection profiles help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default Vulnerability Protection profile protects clients and servers from all known critical, high, and medium severity threats. You can also create exceptions, which allow you to change the response to a specific signature.
To configure how the firewall responds to a threat, see Anti-Spyware Profiles for a list of supported actions.

URL Filtering Profiles

URL Filtering profiles enable you to monitor and control how users access the web over HTTP and HTTPS. The firewall comes with a default profile that is configured to block websites such as known malware sites, phishing sites, and adult content sites. You can use the default profile in a security policy, clone it to be used as a starting point for new URL filtering profiles, or add a new URL profile that will have all categories set to allow for visibility into the traffic on your network. You can then customize the newly added URL profiles and add lists of specific websites that should always be blocked or allowed, which provides more granular control over URL categories.

Data Filtering Profiles

Data filtering profiles prevent sensitive information such as credit card or social security numbers from leaving a protected network. The data filtering profile also allows you to filter on keywords, such as a sensitive project name or the word "confidential". It is important to focus your profile on the desired file types to reduce false positives. For example, you may only want to search Word documents or Excel spreadsheets. You may also only want to scan web-browsing traffic, or FTP.
You can create custom data pattern objects and attach them to a Data Filtering profile to define the type of information on which you want to filter. Create data pattern objects based on:
Predefined Patterns: Filter for credit card and social security numbers (with or without dashes) using predefined patterns.
Regular Expressions: Filter for a string of characters.
File Properties: Filter for file properties and values based on file type.

If you're using a third-party, endpoint data loss prevention (DLP) solution to populate file properties to indicate sensitive content, this option enables the firewall to enforce your DLP policy.

To get started, Set Up Data Filtering.
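The three pattern kinds above, and the advice to focus the profile on particular file types, translate into a small scanning loop. The following Python is an added example, not the firewall's data filtering engine or its predefined patterns: it applies a credit-card and a social-security-number pattern (with or without dashes), a keyword pattern, and a file-type focus to a constructed document. The Luhn checksum on card candidates and the occurrence thresholds are additions of this example to show how false positives are cut, not behaviour the guide documents; the project name "Project Falcon", the file types and the sample text are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class DataPattern:
    name: str
    regex: re.Pattern
    validate: Optional[Callable[[str], bool]] = None   # optional post-filter on each match

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum on a candidate card number. This is an added false-positive
    filter, not something the predefined pattern is documented to do."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# Credit card and social security numbers with or without dashes (the predefined
# patterns), plus a keyword pattern of the kind the text describes.
PATTERNS = [
    DataPattern("credit-card", re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b"), luhn_ok),
    DataPattern("ssn", re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")),
    DataPattern("keyword", re.compile(r"\b(?:confidential|project\s+falcon)\b", re.IGNORECASE)),
]

# File types the profile is focused on; anything else is not scanned at all.
SCANNED_FILE_TYPES = {"docx", "xlsx", "txt"}

def scan(text: str, file_type: str, patterns=PATTERNS, scanned_types=SCANNED_FILE_TYPES):
    """Return (pattern name, matched text) pairs found in a file of the given type."""
    if file_type.lower() not in scanned_types:
        return []
    findings = []
    for p in patterns:
        for m in p.regex.finditer(text):
            if p.validate is None or p.validate(m.group(0)):
                findings.append((p.name, m.group(0)))
    return findings

def verdict(findings, alert_threshold=1, block_threshold=3) -> str:
    """Occurrence thresholds are assumed values chosen for this example."""
    if len(findings) >= block_threshold:
        return "block"
    if len(findings) >= alert_threshold:
        return "alert"
    return "allow"

# Constructed sample document: one card number that passes Luhn, one SSN, one
# keyword, and a 16-digit order id that the Luhn filter should reject.
SAMPLE_DOC = ("CONFIDENTIAL. Card 4111-1111-1111-1111 on file for A. Smith, "
              "SSN 123-45-6789. Order id 1234567890123456 is not a card.")

if __name__ == "__main__":
    hits = scan(SAMPLE_DOC, "docx")
    print(hits, "->", verdict(hits))
    print(scan(SAMPLE_DOC, "pdf"), "->", verdict(scan(SAMPLE_DOC, "pdf")))
```

The SSN pattern without dashes is just nine consecutive digits, which is why narrowing the scanned file types and applications matters as much as the pattern itself.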

File Blocking Profiles

The firewall uses file blocking profiles to block specified file types over specified applications and in the specified session flow direction (inbound/outbound/both). You can set the profile to alert or block on upload and/or download and you can specify which applications will be subject to the file blocking profile. You can also configure custom block pages that will appear when a user attempts to download the specified file type. This allows the user to take a moment to consider whether or not they want to download a file.
You can define your own custom File Blocking profiles, or choose one of the following predefined profiles when applying file blocking to a Security policy rule. The predefined profiles, which are available with content release version 653 and later, allow you to quickly enable best practice file blocking settings:
basic file blocking: Attach this profile to the Security policy rules that allow traffic to and from less sensitive applications to block files that are commonly included in malware attack campaigns or that have no real use case for upload/download. This profile blocks upload and download of PE files (.scr, .cpl, .dll, .ocx, .pif, .exe), Java files (.class, .jar), Help files (.chm, .hlp) and other potentially malicious file types, including .vbe, .hta, .wsf, .torrent, .7z, .rar, .bat. Additionally, it prompts users to acknowledge when they attempt to download encrypted-rar or encrypted-zip files. This rule alerts on all other file types to give you complete visibility into all file types coming in and out of your network.
strict file blocking: Use this stricter profile on the Security policy rules that allow access to your most sensitive applications. This profile blocks the same file types as the other profile, and additionally blocks flash, .tar, multi-level encoding, .cab, .msi, encrypted-rar, and encrypted-zip files.
Configure a file blocking profile with the following actions:
Alert: When the specified file type is detected, a log is generated in the data filtering log.
Block: When the specified file type is detected, the file is blocked and a customizable block page is presented to the user. A log is also generated in the data filtering log.
Continue: When the specified file type is detected, a customizable response page is presented to the user. The user can click through the page to download the file. A log is also generated in the data filtering log. Because this type of forwarding action requires user interaction, it is only applicable for web traffic.
To get started, Set Up File Blocking.

WildFire Analysis Profiles

Use a WildFire analysis profile to enable the firewall to forward unknown files or email links for WildFire analysis. Specify files to be forwarded for analysis based on application, file type, and transmission direction (upload or download). Files or email links matched to the profile rule are forwarded to either the WildFire public cloud or the WildFire private cloud (hosted with a WF-500 appliance), depending on the analysis location defined for the rule. If a profile rule is set to forward files to the WildFire public cloud, the firewall also forwards files that match existing antivirus signatures, in addition to unknown files.
You can also use the WildFire analysis profiles to set up a WildFire hybrid cloud deployment. If you are using a WildFire appliance to analyze sensitive files locally (such as PDFs), you can specify for less sensitive file types (such as PE files) or file types that are not supported for WildFire appliance analysis (such as APKs) to be analyzed by the WildFire public cloud. Using both the WildFire appliance and the WildFire cloud for analysis allows you to benefit from a prompt verdict for files that have already been processed by the cloud, and for files that are not supported for appliance analysis, and frees up the appliance capacity to process sensitive content.

DoS Protection Profiles

DoS protection profiles provide detailed control for Denial of Service (DoS) protection policies. DoS policies allow you to control the number of sessions between interfaces, zones, addresses, and countries based on aggregate sessions or source and/or destination IP addresses. There are two DoS protection mechanisms that the Palo Alto Networks firewalls support.
Flood Protection: Detects and prevents attacks where the network is flooded with packets, resulting in too many half-open sessions and/or services being unable to respond to each request. In this case the source address of the attack is usually spoofed. See DoS Protection Against Flooding of New Sessions.
Resource Protection: Detects and prevents session exhaustion attacks. In this type of attack, a large number of hosts (bots) are used to establish as many fully established sessions as possible to consume all of a system's resources.
You can enable both types of protection mechanisms in a single DoS protection profile.
The DoS profile is used to specify the type of action to take and details on matching criteria for the DoS policy. The DoS profile defines settings for SYN, UDP, and ICMP floods, can enable resource protection, and defines the maximum number of concurrent connections. After you configure the DoS protection profile, you then attach it to a DoS policy.
When configuring DoS protection, it is important to analyze your environment in order to set the correct thresholds, and due to some of the complexities of defining DoS protection policies, this guide will not go into detailed examples.

Zone Protection Profiles

Zone protection profiles provide additional protection between specific network zones in order to protect the zones against attack. The profile must be applied to the entire zone, so it is important to carefully test the profiles in order to prevent issues that may arise with the normal traffic traversing the zones. When defining packets per second (pps) threshold limits for zone protection profiles, the threshold is based on the packets per second that do not match a previously established session.

Security Profile Group

A security profile group is a set of security profiles that can be treated as a unit and then easily added to security policies. Profiles that are often assigned together can be added to profile groups to simplify the creation of security policies. You can also set up a default security profile group: new security policies will use the settings defined in the default profile group to check and control traffic that matches the security policy. Name a security profile group "default" to allow the profiles in that group to be added to new security policies by default. This allows you to consistently include your organization's preferred profile settings in new policies automatically, without having to manually add security profiles each time you create new rules.

For recommendations on the best practice settings for security profiles, see Create Best Practice Security Profiles.

The following sections show how to create a security profile group and how to enable a profile group to be used by default in new security policies:
- Create a Security Profile Group
- Set Up or Override a Default Security Profile Group


Create a Security Profile Group

Use the following steps to create a security profile group and add it to a security policy.

Step 1: Create a security profile group.
  Note: If you name the group "default", the firewall will automatically attach it to any new rules you create. This is a time saver if you have a preferred set of security profiles that you want to make sure get attached to every new rule.
  1. Select Objects > Security Profile Groups and Add a new security profile group.
  2. Give the profile group a descriptive Name, for example, Threats.
  3. If the firewall is in Multiple Virtual System Mode, enable the profile to be Shared by all virtual systems.
  4. Add existing profiles to the group.
  5. Click OK to save the profile group.

Step 2: Add a security profile group to a security policy.
  1. Select Policies > Security and Add or modify a security policy rule.
  2. Select the Actions tab.
  3. In the Profile Setting section, select Group for the Profile Type.
  4. In the Group Profile drop-down, select the group you created (for example, select the best practice group).
  5. Click OK to save the policy and Commit your changes.

Step 3: Save your changes. Click Commit.


Set Up or Override a Default Security Profile Group

Use the following options to set up a default security profile group to be used in new security policies, or to override an existing default group. When an administrator creates a new security policy, the default profile group will be automatically selected as the policy's profile settings, and traffic matching the policy will be checked according to the settings defined in the profile group (the administrator can choose to manually select different profile settings if desired). Use the following options to set up a default security profile group or to override your default settings.

If no default security profile group exists, the profile settings for a new security policy are set to None by default.


Set Up or Override a Default Security Profile Group

Create a security profile group.
  1. Select Objects > Security Profile Groups and Add a new security profile group.
  2. Give the profile group a descriptive Name, for example, Threats.
  3. If the firewall is in Multiple Virtual System Mode, enable the profile to be Shared by all virtual systems.
  4. Add existing profiles to the group. For details on creating profiles, see Security Profiles.
  5. Click OK to save the profile group.
  6. Add the security profile group to a security policy.
  7. Add or modify a security policy rule and select the Actions tab.
  8. Select Group for the Profile Type.
  9. In the Group Profile drop-down, select the group you created (for example, select the Threats group).
  10. Click OK to save the policy and Commit your changes.


Set up a default security profile group.
  1. Select Objects > Security Profile Groups and add a new security profile group or modify an existing security profile group.
  2. Name the security profile group "default".
  3. Click OK and Commit.
  4. Confirm that the default security profile group is included in new security policies by default:
     a. Select Policies > Security and Add a new security policy.
     b. Select the Actions tab and view the Profile Setting fields.
     By default, the new security policy correctly shows the Profile Type set to Group and the default Group Profile is selected.

Override a default security profile group.
  If you have an existing default security profile group, and you do not want that set of profiles to be attached to a new security policy, you can continue to modify the Profile Setting fields according to your preference. Begin by selecting a different Profile Type for your policy (Policies > Security > Security Policy Rule > Actions).


Best Practice Internet Gateway Security Policy

One of the cheapest and easiest ways for an attacker to gain access to your network is through users accessing the internet. By successfully exploiting an endpoint, an attacker can take hold in your network and begin to move laterally towards the end goal, whether that is to steal your source code, exfiltrate your customer data, or take down your infrastructure. To protect your network from cyberattack and improve your overall security posture, implement a best practice internet gateway security policy. A best practice policy allows you to safely enable applications, users, and content by classifying all traffic, across all ports, all the time.

The following topics describe the overall process for deploying a best practice internet gateway security policy and provide detailed instructions for creating it.
- What Is a Best Practice Internet Gateway Security Policy?
- Why Do I Need a Best Practice Internet Gateway Security Policy?
- How Do I Deploy a Best Practice Internet Gateway Security Policy?
- Identify Whitelist Applications
- Create User Groups for Access to Whitelist Applications
- Decrypt Traffic for Full Visibility and Threat Inspection
- Create Best Practice Security Profiles
- Define the Initial Internet Gateway Security Policy
- Monitor and Fine-Tune the Policy Rulebase
- Remove the Temporary Rules
- Maintain the Rulebase

What Is a Best Practice Internet Gateway Security Policy?

A best practice internet gateway security policy has two main security goals:
- Minimize the chance of a successful intrusion: Unlike legacy port-based security policies that either block everything in the interest of network security, or enable everything in the interest of your business, a best practice security policy leverages App-ID, User-ID, and Content-ID to ensure safe enablement of applications across all ports, for all users, all the time, while simultaneously scanning all traffic for both known and unknown threats.
- Identify the presence of an attacker: A best practice internet gateway security policy provides built-in mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats on your network.

To achieve these goals, the best practice internet gateway security policy uses application-based rules to allow access to whitelisted applications by user, while scanning all traffic to detect and block all known threats, and sends unknown files to WildFire to identify new threats and generate signatures to block them.


The best practice policy is based on the following methodologies. The best practice methodologies ensure detection and prevention at multiple stages of the attack lifecycle.

Best Practice Methodology: Inspect All Traffic for Visibility
Why is this important? Because you cannot protect against threats you cannot see, you must make sure you have full visibility into all traffic across all users and applications all the time. To accomplish this:
- Deploy GlobalProtect to extend the next-generation security platform to users and devices no matter where they are located.
- Enable SSL decryption so the firewall can inspect encrypted traffic (SSL/TLS traffic flows account for 40% or more of the total traffic on a typical network today).
- Enable User-ID to map application traffic and associated threats to users/devices.
The firewall can then inspect all traffic, inclusive of applications, threats, and content, and tie it to the user, regardless of location or device type, port, encryption, or evasive techniques employed, using the native App-ID, Content-ID, and User-ID technologies. Complete visibility into the applications, the content, and the users on your network is the first step toward informed policy control.

Best Practice Methodology: Reduce the Attack Surface
Why is this important? After you have context into the traffic on your network (applications, their associated content, and the users who are accessing them), create application-based Security policy rules to allow those applications that are critical to your business and additional rules to block all high-risk applications that have no legitimate use case. To further reduce your attack surface, attach File Blocking and URL Filtering profiles to all rules that allow application traffic to prevent users from visiting threat-prone websites and prevent them from uploading or downloading dangerous file types (either knowingly or unknowingly). To prevent attackers from executing successful phishing attacks (the cheapest and easiest way for them to make their way into your network), configure credential phishing prevention.

Best Practice Methodology: Prevent Known Threats
Why is this important? Enable the firewall to scan all allowed traffic for known threats by attaching security profiles to all allow rules to detect and block network- and application-layer vulnerability exploits, buffer overflows, DoS attacks, and port scans, and known malware variants (including those hidden within compressed files or compressed HTTP/HTTPS traffic). To enable inspection of encrypted traffic, enable SSL decryption. In addition to application-based Security policy rules, create rules for blocking known malicious IP addresses based on threat intelligence from Palo Alto Networks and reputable third-party feeds.

Best Practice Methodology: Detect Unknown Threats
Why is this important? Forward all unknown files to WildFire for analysis. WildFire identifies unknown or targeted malware (also called advanced persistent threats or APTs) hidden within files by directly observing and executing unknown files in a virtualized sandbox environment in the cloud or on the WildFire appliance. WildFire monitors more than 250 malicious behaviors and, if it finds malware, it automatically develops a signature and delivers it to you in as little as five minutes (and now that unknown threat is a known threat).

Why Do I Need a Best Practice Internet Gateway Security Policy?

Unlike legacy port-based security policies that either block everything in the interest of network security, or enable everything in the interest of your business, a best practice security policy allows you to safely enable applications by classifying all traffic, across all ports, all the time, including encrypted traffic. By determining the business use case for each application, you can create security policy rules to allow and protect access to relevant applications. Simply put, a best practice security policy is a policy that leverages the next-generation technologies (App-ID, Content-ID, and User-ID) on the Palo Alto Networks enterprise security platform to:
- Identify applications regardless of port, protocol, evasive tactic, or encryption
- Identify and control users regardless of IP address, location, or device
- Protect against known and unknown application-borne threats
- Provide fine-grained visibility and policy control over application access and functionality

A best practice security policy uses a layered approach to ensure that you not only safely enable sanctioned applications, but also block applications with no legitimate use case. To mitigate the risk of breaking applications when moving from port-based enforcement to application-based enforcement, the best practice rulebase provides built-in mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats on your network. These temporary best practice rules ensure that applications your users are counting on don't break, while allowing you to monitor application usage and craft appropriate rules. You may find that some of the applications that were being allowed through existing port-based policy rules are not necessarily applications that you want to continue to allow, or that you want to limit to a more granular set of users.

Unlike a port-based policy, a best practice security policy is easy to administer and maintain because each rule meets a specific goal of allowing an application or group of applications to a specific user group based on your business needs. Therefore, you can easily understand what traffic the rule enforces by looking at the match criteria. Additionally, a best practice security policy rulebase leverages tags and objects to make the rulebase more scannable and easier to keep synchronized with your changing environment.


How Do I Deploy a Best Practice Internet Gateway Security Policy?

Moving from a port-based security policy to an application-based security policy may seem like a daunting task. However, the security risks of sticking with a port-based policy far outweigh the effort required to implement an application-based policy. And, while legacy port-based security policies may have hundreds, if not thousands, of rules (many of which nobody in the organization knows the purpose of), a best practice policy has a streamlined set of rules that align with your business goals, simplifying administration and reducing the chance of error. Because the rules in an application-based policy align with your business goals and acceptable use policies, you can quickly scan the policy to understand the reason for each and every rule.

As with any technology, there is usually a gradual approach to a complete implementation, consisting of carefully planned deployment phases to make the transition as smooth as possible, with minimal impact to your end users. Generally, the workflow for implementing a best practice internet gateway security policy is:
- Assess your business and identify what you need to protect: The first step in deploying a security architecture is to assess your business and identify what your most valuable assets are as well as what the biggest threats to those assets are. For example, if you are a technology company, your intellectual property is your most valuable asset. In this case, one of your biggest threats would be source code theft.
- Segment Your Network Using Interfaces and Zones: Traffic cannot flow between zones unless there is a security policy rule to allow it. One of the easiest defenses against lateral movement of an attacker that has made its way into your network is to define granular zones and only allow access to the specific user groups who need to access an application or resource in each zone. By segmenting your network into granular zones, you can prevent an attacker from establishing a communication channel within your network (either via malware or by exploiting legitimate applications), thereby reducing the likelihood of a successful attack on your network.
- Identify Whitelist Applications: Before you can create an internet gateway best practice security policy, you must have an inventory of the applications you want to allow on your network, and distinguish between those applications you administer and officially sanction and those that you simply want users to be able to use safely. After you identify the applications (including general types of applications) you want to allow, you can map them to specific best practice rules.
- Create User Groups for Access to Whitelist Applications: After you identify the applications you plan to allow, you must identify the user groups that require access to each one. Because compromising an end user's system is one of the cheapest and easiest ways for an attacker to gain access to your network, you can greatly reduce your attack surface by only allowing access to applications to the user groups that have a legitimate business need.
- Decrypt Traffic for Full Visibility and Threat Inspection: You can't inspect traffic for threats if you can't see it. And today SSL/TLS traffic flows account for 40% or more of the total traffic on a typical network. This is precisely why encrypted traffic is a common way for attackers to deliver threats. For example, an attacker may use a web application such as Gmail, which uses SSL encryption, to email an exploit or malware to employees accessing that application on the corporate network. Or, an attacker may compromise a website that uses SSL encryption to silently download an exploit or malware to site visitors. If you are not decrypting traffic for visibility and threat inspection, you are leaving a very large surface open for attack.
- Create Best Practice Security Profiles: Command-and-control traffic, CVEs, drive-by downloads of malicious content, phishing attacks, and APTs are all delivered via legitimate applications. To protect against known and unknown threats, you must attach stringent security profiles to all Security policy allow rules.
- Define the Initial Internet Gateway Security Policy: Using the application and user group inventory you conducted, you can define an initial policy that allows access to all of the applications you want to whitelist by user or user group. The initial policy rulebase you create must also include rules for blocking known malicious IP addresses, as well as temporary rules to prevent other applications you might not have known about from breaking and to identify policy gaps and security holes in your existing design.
- Monitor and Fine-Tune the Policy Rulebase: After the temporary rules are in place, you can begin monitoring traffic that matches them so that you can fine-tune your policy. Because the temporary rules are designed to uncover unexpected traffic on the network, such as traffic running on non-default ports or traffic from unknown users, you must assess the traffic matching these rules and adjust your application allow rules accordingly.
- Remove the Temporary Rules: After a monitoring period of several months, you should see less and less traffic hitting the temporary rules. When you reach the point where traffic no longer hits the temporary rules, you can remove them to complete your best practice internet gateway security policy.
- Maintain the Rulebase: Due to the dynamic nature of applications, you must continually monitor your application whitelist and adapt your rules to accommodate new applications that you decide to sanction, as well as to determine how new or modified App-IDs impact your policy. Because the rules in a best practice rulebase align with your business goals and leverage policy objects for simplified administration, adding support for a new sanctioned application or a new or modified App-ID is often as simple as adding or removing an application from an application group or modifying an application filter.

Identify Whitelist Applications

The application whitelist includes not only the applications you provision and administer for business and infrastructure purposes, but also other applications that your users may need to use in order to get their jobs done, and applications you may choose to allow for personal use. Before you can begin creating your best practice internet gateway security policy, you must create an inventory of the applications you want to whitelist.
- Map Applications to Business Goals for a Simplified Rulebase
- Use Temporary Rules to Tune the Whitelist
- Application Whitelist Example

Map Applications to Business Goals for a Simplified Rulebase

As you inventory the applications on your network, consider your business goals and acceptable use policies and identify the applications that correspond to each. This will allow you to create a goal-driven rulebase. For example, one goal might be to allow all users on your network to access data center applications. Another goal might be to allow the sales and support groups access to your customer database. You can then create a whitelist rule that corresponds to each goal you identify and group all of the applications that align with the goal into a single rule. This approach allows you to create a rulebase with a smaller number of individual rules, each with a clear purpose.

In addition, because the individual rules you create align with your business goals, you can use application objects to group the whitelist to further simplify administration of the best practice rulebase:
- Create application groups for sanctioned applications: Because you will know exactly what applications you require and sanction for official use, create application groups that explicitly include only those applications. Using application groups also simplifies the administration of your policy because it allows you to add and remove sanctioned applications without requiring you to modify individual policy rules. Generally, if the applications that map to the same goal have the same requirements for enabling access (for example, they all have a destination address that points to your data center address group, they all allow access to any known user, and you want to enable them on their default ports only), you would add them to the same application group.
- Create application filters to allow general types of applications: Besides the applications you officially sanction, you will also need to decide what additional applications you will want to allow your users to access. Application filters allow you to safely enable certain categories of applications (based on category, subcategory, technology, risk factor, or characteristic). Separate the different types of applications based on business and personal use. Create separate filters for each type of application to make it easier to understand each policy rule at a glance.

Use Temporary Rules to Tune the Whitelist

Although the end goal of a best practice application-based policy is to use positive enforcement to safely enable your whitelist applications, the initial rulebase requires some additional rules designed to ensure that you have full visibility into all applications in use on your network so that you can properly tune it. The initial rulebase you create will have the following types of rules:
- Whitelist rules for the applications you officially sanction and deploy.
- Whitelist rules for safely enabling access to general types of applications you want to allow per your acceptable use policy.
- Blacklist rules that block applications that have no legitimate use case. You need these rules so that the temporary rules that catch applications that haven't yet been accounted for in your policy don't let anything bad onto your network.
- Temporary allow rules to give you visibility into all of the applications running on your network so that you can tune the rulebase.

The temporary rules are a very important part of the initial best practice rulebase. Not only will they give you visibility into applications you weren't aware were running on your network (and prevent legitimate applications you didn't know about from breaking), but they will also help you identify things such as unknown users and applications running on non-standard ports. Because attackers commonly use standard applications on non-standard ports as an evasion technique, allowing applications on any port opens the door for malicious content. Therefore, you must identify any legitimate applications running on non-standard ports (for example, internally developed applications) so that you can either modify what ports are used or create custom applications to enable them.
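The initial rulebase described above and in the deployment workflow (application groups for sanctioned apps, filters for general types, blacklist rules, and temporary allow rules at the bottom that surface unknown users and non-default ports) can be modelled as a first-match evaluator plus a tuning report over the temporary-rule hits. This Python is an added example, not code from this guide or from PAN-OS; the application names, categories, users, and rule names are constructed for illustration and are not a real App-ID inventory.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class App:
    name: str             # constructed names, not necessarily real App-ID names
    category: str
    default_ports: frozenset


@dataclass(frozen=True)
class Session:
    app: App
    user: Optional[str]   # None: User-ID could not map the source address
    groups: frozenset     # directory groups of the user
    dport: int


@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "block"
    app_match: Callable[[App], bool]         # application group, filter, or any
    user_match: Callable[[Session], bool]    # user group, any known user, or any
    default_port_only: bool = True           # service = application-default
    temporary: bool = False                  # visibility rule to be removed later
    hits: list = field(default_factory=list)


# application objects: a group lists sanctioned apps by name, a filter matches by category
def app_group(*names):
    wanted = frozenset(names)
    return lambda a: a.name in wanted

def app_filter(*categories):
    wanted = frozenset(categories)
    return lambda a: a.category in wanted

def any_app(a): return True
def any_user(s): return True
def known_user(s): return s.user is not None
def in_group(g): return lambda s: g in s.groups


def build_rulebase():
    return [
        Rule("allow-infrastructure", "allow", app_group("dns", "ntp", "ping"), any_user),
        Rule("allow-sanctioned-saas", "allow", app_group("salesforce", "box"), known_user),
        Rule("allow-remote-admin", "allow", app_group("ms-rdp", "ssh"), in_group("it-admins")),
        Rule("allow-general-business", "allow", app_filter("collaboration", "software-update"), known_user),
        Rule("block-high-risk", "block", app_filter("proxy", "peer-to-peer"), any_user, default_port_only=False),
        # temporary rules sit below the blacklist so they cannot let blocked apps through
        Rule("tmp-known-user-any-app", "allow", any_app, known_user, default_port_only=False, temporary=True),
        Rule("tmp-unknown-user-any-app", "allow", any_app, any_user, default_port_only=False, temporary=True),
    ]


def evaluate(rulebase, s):
    """First matching rule wins; returns (rule name, action)."""
    for r in rulebase:
        if not r.app_match(s.app) or not r.user_match(s):
            continue
        if r.default_port_only and s.dport not in s.app.default_ports:
            continue
        r.hits.append(s)
        return r.name, r.action
    return "implicit-deny", "block"   # hypothetical name for the final default deny


def tuning_report(rulebase):
    """Explain every hit on a temporary rule so the whitelist can be adjusted."""
    whitelist = [r for r in rulebase if r.action == "allow" and not r.temporary]
    findings = []
    for r in rulebase:
        if not r.temporary:
            continue
        for s in r.hits:
            if s.user is None:
                reason = "unknown-user"         # User-ID gap in the source zone
            elif any(w.app_match(s.app) and w.user_match(s) for w in whitelist):
                reason = "non-default-port"     # whitelisted app off its port: evasion or a custom app
            else:
                reason = "not-whitelisted"      # app/user pair missing from the inventory
            findings.append((r.name, s.app.name, s.user, s.dport, reason))
    return findings


def run_example():
    dns = App("dns", "infrastructure", frozenset({53}))
    sfdc = App("salesforce", "saas", frozenset({443}))
    rdp = App("ms-rdp", "remote-access", frozenset({3389}))
    ssh = App("ssh", "remote-access", frozenset({22}))
    bt = App("bittorrent", "peer-to-peer", frozenset({6881}))
    webex = App("webex", "collaboration", frozenset({443}))
    it, sales, none = frozenset({"it-admins"}), frozenset({"sales"}), frozenset()
    traffic = [
        Session(dns, None, none, 53),
        Session(sfdc, "alice", sales, 443),
        Session(rdp, "bob", it, 3389),
        Session(rdp, "alice", sales, 3389),   # RDP by a non-admin: surfaced for review
        Session(bt, "alice", sales, 6881),    # blacklisted before any temporary rule
        Session(ssh, "bob", it, 8022),        # sanctioned app on a non-default port
        Session(webex, None, none, 443),      # unmapped user
    ]
    rb = build_rulebase()
    decisions = [evaluate(rb, s) for s in traffic]
    return decisions, tuning_report(rb)
```

Each finding maps to one tuning action from the text: add a custom application or fix the port for non-default-port hits, extend or narrow a whitelist rule for not-whitelisted hits, and fix User-ID coverage for unknown-user hits.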

Application Whitelist Example

Keep in mind that you do not need to capture every application that might be in use on your network in your initial inventory. Instead you should focus here on the applications (and general types of applications) that you want to allow. Temporary rules in the best practice rulebase will catch any additional applications that may be in use on your network so that you are not inundated with complaints of broken applications during your transition to application-based policy. The following is an example application whitelist for an enterprise gateway deployment.


Application Type: Sanctioned Applications
Best Practice for Securing: These are the applications that your IT department administers specifically for business use within your organization or to provide infrastructure for your network and applications. For example, in an internet gateway deployment these applications fall into the following categories:
- Infrastructure Applications: These are the applications that you must allow to enable networking and security, such as ping, NTP, SMTP, and DNS.
- IT-Sanctioned Applications: These are the applications that you provision and administer for your users. These fall into two categories:
  - IT-Sanctioned On-Premise Applications: These are the applications you install and host in your data center for business use. With IT-sanctioned on-premise applications, the application infrastructure and the data reside on enterprise-owned equipment. Examples include Microsoft Exchange and ActiveSync, as well as authentication tools such as Kerberos and LDAP.
  - IT-Sanctioned SaaS Applications: SaaS applications are those where the software and infrastructure are owned and managed by the application service provider, but where you retain full control of the data, including who can create, access, share, and transfer it (for example, Salesforce, Box, and GitHub).
- Administrative Applications: These are applications that only a specific group of administrative users should have access to in order to administer applications and support users (for example, remote desktop applications).

Application Type: General Types of Applications
Best Practice for Securing: Besides the applications you officially sanction and deploy, you will also want to allow your users to safely use other types of applications:
- General Business Applications: For example, allow access to software updates and web services, such as WebEx, Adobe online services, and Evernote.
- Personal Applications: For example, you may want to allow your users to browse the web or safely use web-based mail, instant messaging, or social networking applications.
The recommended approach here is to begin with wide application filters so you can gain an understanding of what applications are in use on your network. You can then decide how much risk you are willing to assume and begin to pare down the application whitelist. For example, suppose you find that Box, Dropbox, and Office 365 file sharing applications are all in use on your network. Each of these applications has an inherent risk associated with it, from data leakage to risks associated with transfer of malware-infected files. The best approach would be to officially sanction a single file sharing application and then begin to phase out the others by slowly transitioning from an allow policy to an alert policy, and finally, after giving users ample warning, a block policy for all file sharing applications except the one you choose to sanction. In this case, you might also choose to enable a small group of users to continue using an additional file sharing application as needed to perform job functions with partners.

Application Type: Custom Applications Specific to Your Environment
Best Practice for Securing: If you have proprietary applications on your network or applications that you run on non-standard ports, it is a best practice to create custom applications for them. This way you can allow the application as a sanctioned application and lock it down to its default port. Otherwise you would either have to open up additional ports (for applications running on non-standard ports), or allow unknown traffic (for proprietary applications), neither of which is recommended in a best practice Security policy.


Create User Groups for Access to Whitelist Applications

Safely enabling applications means not only defining the list of applications you want to allow, but also enabling access only for those users who have a legitimate business need. For example, some applications, such as SaaS applications that enable access to Human Resources services (such as Workday or ServiceNow), must be available to any known user on your network. However, for more sensitive applications you can reduce your attack surface by ensuring that only users who need these applications can access them. For example, while IT support personnel may legitimately need access to remote desktop applications, the majority of your users do not. Limiting user access to applications prevents potential security holes for an attacker to gain access to and control over systems in your network.

To enable user-based access to applications:
- Enable User-ID in zones from which your users initiate traffic.
- For each application whitelist rule you define, identify the user groups that have a legitimate business need for the applications allowed by the rule. Keep in mind that because the best practice approach is to map the application whitelist rules to your business goals (which includes considering which users have a business need for a particular type of application), you will have a much smaller number of rules to manage than if you were trying to map individual port-based rules to users.
- If you don't have an existing group on your AD server, you can alternatively create custom LDAP groups to match the list of users who need access to a particular application.
- It just takes one end user to click on a phishing link and supply their credentials to enable an attacker to gain access to your network. To defend against this very simple and effective attack technique, Set Up Credential Phishing Prevention on all of your Security policy rules that allow user access to the internet. Configure Credential Detection with the Windows-based User-ID Agent to ensure that you can detect when your users are submitting their corporate credentials to a site in an unauthorized category.

Decrypt Traffic for Full Visibility and Threat Inspection

The best practice security policy dictates that you decrypt all traffic except sensitive categories, which include Health, Finance, Government, Military, and Shopping.

Use decryption exceptions only where required, and be precise to ensure that you are limiting the exception to a specific application or user based on need only:
- If decryption breaks an important application, create an exception for the specific IP address, domain, or common name in the certificate associated with the application.
- If a specific user needs to be excluded for regulatory or legal reasons, create an exception for just that user.
- To ensure that certificates presented during SSL decryption are valid, configure the firewall to perform CRL/OCSP checks.

Best practice Decryption policy rules include a strict Decryption Profile. Before you configure SSL Forward Proxy, create a best practice Decryption Profile (Objects > Decryption Profile) to attach to your Decryption policy rules:

Best Practice Decryption Profile

Step 1: Configure the SSL Decryption > SSL Forward Proxy settings to block exceptions during SSL negotiation and block sessions that can't be decrypted.

Step 2: Configure the SSL Decryption > SSL Protocol Settings to block use of vulnerable SSL/TLS versions (TLS 1.0 and SSLv3) and to avoid weak algorithms (MD5, RC4, and 3DES).

Step 3: For traffic that you are not decrypting, configure the No Decryption settings to block encrypted sessions to sites with expired certificates or untrusted issuers.

Create Best Practice Security Profiles

Most malware sneaks onto the network in legitimate applications or services. Therefore, to safely enable applications you must scan all traffic allowed into the network for threats. To do this, attach security profiles to all Security policy rules that allow traffic so that you can detect threats, both known and unknown, in your network traffic. The following are the recommended best practice settings for each of the security profiles that you should attach to every Security policy rule.

Consider adding the best practice security profiles to a default security profile group so that it will automatically attach to any new Security policy rules you create.


Security Profile: File Blocking
Best Practice Settings: Use the predefined strict file blocking profile to block files that are commonly included in malware attack campaigns or that have no real use case for upload/download. The predefined strict profile blocks batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files as well as Windows Portable Executable (PE) files, which include .exe, .cpl, .dll, .ocx, .sys, .scr, .drv, .efi, .fon, and .pif files. This profile allows download/upload of executables and archive files (.zip and .rar), but forces users to click continue before transferring a file to give them pause. The predefined profile alerts on all other file types for visibility into what other file transfers are happening so that you can determine if you need to make policy changes.

Why do I need this profile?
There are many ways for attackers to deliver malicious files: as attachments or links in corporate email or in webmail, links or IMs in social media, exploit kits, through file sharing applications (such as FTP, Google Drive, or Dropbox), or on USB drives. Attaching the strict file blocking profile reduces your attack surface by preventing these types of attacks.

What if I can't block all of the file types covered in the predefined strict profile?
If you have mission-critical applications that prevent you from blocking all of the file types included in the predefined strict profile, you can clone the profile and modify it for those users who must transfer a file type covered by the predefined profile. If you choose not to block all PE files per the recommendation, make sure you send all unknown files to WildFire for analysis. Additionally, set the Action to continue to prevent drive-by downloads, which is when an end user downloads content that installs malicious files, such as Java applets or executables, without knowing they are doing it. Drive-by downloads can occur when users visit websites, view email messages, or click into pop-up windows meant to deceive them. Educate your users that if they are prompted to continue with a file transfer they didn't knowingly initiate, they may be subject to a malicious download. In addition, using file blocking in conjunction with URL filtering to limit the categories in which users can transfer files is another good way to reduce the attack surface when you find it necessary to allow file types that may carry threats.


Antivirus    Attach an Antivirus profile to all allowed traffic to detect and prevent viruses and malware from being transferred over the HTTP, SMTP, IMAP, POP3, FTP, and SMB protocols. The best practice Antivirus profile uses the default action when it detects traffic that matches either an Antivirus signature or a WildFire signature. The default action differs for each protocol and follows the most up-to-date recommendation from Palo Alto Networks for how to best prevent malware in each type of protocol from propagating.
By default, the firewall alerts on viruses found in SMTP traffic. However, if you don't have a dedicated Antivirus gateway solution in place for your SMTP traffic, define a stricter action for this protocol to protect against infected email content. Use the reset-both action to return a 541 response to the sending SMTP server to prevent it from resending the blocked message.

Why do I need this profile?
By attaching Antivirus profiles to all Security rules you can block known malicious files (malware, ransomware bots, and viruses) as they are coming into the network. Common ways for users to receive malicious files include malicious attachments in email, links to download malicious files, or silent compromise with Exploit Kits that exploit a vulnerability and then automatically deliver malicious payloads to the end user.

Vulnerability Protection    Attach a Vulnerability Protection profile to all allowed traffic to protect against buffer overflows, illegal code execution, and other attempts to exploit client- and server-side vulnerabilities. The best practice profile is a clone of the predefined Strict profile, with packet capture settings enabled to help you track down the source of any potential attacks.

Why do I need this profile?
Without strict vulnerability protection, attackers can leverage client- and server-side vulnerabilities to compromise end users. For example, an attacker could leverage a vulnerability to install malicious code on client systems or use an Exploit Kit (Angler, Nuclear, Fiesta, KaiXin) to automatically deliver malicious payloads to the end user. Vulnerability Protection profiles also prevent an attacker from using vulnerabilities on internal hosts to move laterally within your network.


Anti-Spyware    Attach an Anti-Spyware profile to all allowed traffic to detect command and control traffic (C2) initiated from spyware installed on a server or endpoint and prevent compromised systems from establishing an outbound connection from your network. The best practice Anti-Spyware profile resets the connection when the firewall detects a medium, high, or critical severity threat and blocks or sinkholes any DNS queries for known malicious domains.

To create this profile, clone the predefined strict profile and make sure to enable DNS sinkhole and packet capture to help you track down the endpoint that attempted to resolve the malicious domain.


URL Filtering    As a best practice, use PAN-DB URL filtering to prevent access to web content that is at high risk for being malicious. Attach a URL Filtering profile to all rules that allow access to web-based applications to protect against URLs that have been observed hosting malware or exploitive content.
The best practice URL Filtering profile sets all known dangerous URL categories to block. These include malware, phishing, dynamic DNS, unknown, proxy avoidance and anonymizers, questionable, extremism, copyright infringement, and parked. Failure to block these dangerous categories puts you at risk for exploit infiltration, malware download, command and control activity, and data exfiltration.
In addition to blocking known bad categories, you should also alert on all other categories so that you have visibility into the sites your users are visiting. If you need to phase in a block policy, set categories to continue and create a custom response page to educate users on your acceptable use policies and alert them to the fact that they are visiting a site that may pose a threat. This will pave the way for you to outright block the categories after a monitoring period.

What if I can't block all of the recommended categories?
If you find that users need access to sites in the blocked categories, consider creating an allow list for just the specific sites, if you feel the risk is justified. On categories you decide to allow, make sure you Set Up Credential Phishing Prevention to ensure that users aren't submitting their corporate credentials to a site that may be hosting a phishing attack.
Allowing traffic to a recommended block category poses the following risks:
• malware: Sites known to host malware or used for command and control (C2) traffic. May also exhibit Exploit Kits.
• phishing: Known to host credential phishing pages or phishing for personal identification.
• dynamic-dns: Hosts and domain names for systems with dynamically assigned IP addresses and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
• unknown: Sites that have not yet been identified by PAN-DB, perhaps because they were just registered. However, oftentimes these are sites that are generated by domain generation algorithms and are later found to exhibit malicious behavior.
• proxy-avoidance-and-anonymizers: URLs and services often used to bypass content filtering products.
• questionable: Domains with illegal content, such as content that allows illegal download of software or other intellectual property.
• parked: Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identity information. Or, they may be domains that an individual purchases rights to in hopes that it may be valuable someday, such as panw.net.


WildFire Analysis    While the rest of the best practice security profiles significantly reduce the attack surface on your network by detecting and blocking known threats, the threat landscape is ever changing and the risk of unknown threats lurking in the files we use daily (PDFs and Microsoft Office documents such as .doc and .xls files) is ever growing. And, because these unknown threats are increasingly sophisticated and targeted, they often go undetected until long after a successful attack. To protect your network from unknown threats, you must configure the firewall to forward files to WildFire for analysis. Without this protection, attackers have free rein to infiltrate your network and exploit vulnerabilities in the applications your employees use every day. Because WildFire protects against unknown threats, it is your greatest defense against advanced persistent threats (APTs).
The best practice WildFire Analysis profile sends all files in both directions (upload and download) to WildFire for analysis. Specifically, make sure you are sending all PE files (if you're not blocking them per the file blocking best practice), Adobe Flash and Reader files (PDF, SWF), Microsoft Office files (PowerPoint, Excel, Word, RTF), Java files (Java, .CLASS), and Android files (.APK).

Define the Initial Internet Gateway Security Policy

The overall goal of a best practice internet gateway security policy is to use positive enforcement of whitelist applications. However, it takes some time to identify exactly what applications are running on your network, which of these applications are critical to your business, and who the users are that need access to each one. The best way to accomplish the end goal of a policy rulebase that includes only application allow rules is to create an initial policy rulebase that liberally allows both the applications you officially provision for your users as well as other general business and, if appropriate, personal applications. This initial policy also includes additional rules that explicitly block known malicious IP addresses and bad applications, as well as some temporary allow rules that are designed to help you refine your policy and prevent applications your users may need from breaking while you transition to the best practices.
The following topics describe how to create the initial rulebase and describe why each rule is necessary and what the risks are of not following the best practice recommendation:
Step 1: Create Rules Based on Trusted Threat Intelligence Sources
Step 2: Create the Application Whitelist Rules
Step 3: Create the Application Block Rules

Step 4: Create the Temporary Tuning Rules
Step 5: Enable Logging for Traffic that Doesn't Match Any Rules

Step 1: Create Rules Based on Trusted Threat Intelligence Sources

Before you allow and block traffic by application, it is advisable to block traffic from IP addresses that Palo Alto Networks and trusted third-party sources have proven to be malicious. The rules below ensure that your network is always protected against the IP addresses from the Palo Alto Networks Malicious IP Address Feeds and other feeds, which are compiled and dynamically updated based on the latest threat intelligence.

Create Rules Based on Trusted Threat Intelligence Sources

Step 1    Block traffic to and from IP addresses that Palo Alto Networks has identified as malicious.

Why do I need these rules?
These rules protect you against IP addresses that Palo Alto Networks has proven to be used almost exclusively to distribute malware, initiate command and control activity, and launch attacks.

Rule Highlights
• One rule blocks outbound traffic to known malicious IP addresses, while another rule blocks inbound traffic from those addresses.
• Set the external dynamic list Palo Alto Networks - Known malicious IP addresses as the Destination address for the outbound traffic rule, and as the Source address for the inbound traffic rule.
• Deny traffic that matches these rules.
• Enable logging for traffic matching these rules so that you can investigate potential threats on your network.
• Because these rules are intended to catch malicious traffic, they match traffic from any user running on any port.

Step 2    Log traffic to and from high risk IP addresses from trusted threat advisories.

Why do I need these rules?
Although Palo Alto Networks has no direct evidence of the maliciousness of the IP addresses in the high risk IP address feed, you should monitor these IP addresses since threat advisories have linked them to malicious behavior.
You can use these rules to filter your Traffic logs and decide whether to block high risk IP addresses based on the log activity.

Rule Highlights
• One rule logs outbound traffic to high risk IP addresses, while another rule logs inbound traffic from those addresses.
• Set the external dynamic list Palo Alto Networks - High risk IP addresses as the Destination address for the outbound traffic rule, and as the Source address for the inbound traffic rule.
• Allow access for traffic matching these rules, but enable logging so that you can investigate a potential threat on your network.
• Because these rules are intended to catch malicious traffic, they match traffic from any user running on any port.


Step 3    (MineMeld users only) Block traffic from inbound IP addresses that trusted third-party feeds have identified as malicious.

Why do I need this rule?
Block traffic from malicious IP addresses based on block lists compiled by Spamhaus and the Internet Storm Center, a branch of the SANS Institute. The lists contain IP addresses that attackers use to spread malware, Trojans, and botnets, and to carry out large-scale infrastructure attacks.

Rule Highlights
• To enforce this rule:
  a. Use MineMeld to forward the IP addresses from the following sources (known as miners in MineMeld), spamhaus.DROP, spamhaus.EDROP, and dshield.block, to an external dynamic list.
  b. Configure the Firewall to Access an External Dynamic List, using the URL that MineMeld provides for the list.
  c. Set the external dynamic list as the Source address for the rule.
• Use the Drop Action to silently drop the traffic without sending a signal to the client or the server.
• Enable logging for traffic matching this rule so that you can investigate misuse of applications and potential threats on your network.
• Because this rule is intended to catch malicious traffic, it matches traffic from any user running on any port.

Step 2: Create the Application Whitelist Rules

After you Identify Whitelist Applications you are ready to create the next part of the best practice internet gateway security policy rulebase: the application whitelist rules. Every whitelist rule you create must allow traffic based on application (not port) and, with the exception of certain infrastructure applications that require user access before the firewall can identify the user, must only allow access to known users. Whenever possible, Create User Groups for Access to Whitelist Applications so that you can limit user access to the specific users or user groups who have a business need to access the application.
When creating the application whitelist rules, make sure to place more specific rules above more general rules. For example, the rules for all of your sanctioned and infrastructure applications would come before the rules that allow general access to certain types of business and personal applications. This first part of the rulebase includes the allow rules for the applications you identified as part of your application whitelist:
• Sanctioned applications you provision and administer for business and infrastructure purposes
• General business applications that your users may need to use in order to get their jobs done
• General applications you may choose to allow for personal use
Every application whitelist rule also requires that you attach the best practice security profiles to ensure that you are scanning all allowed traffic for known and unknown threats. If you have not yet created these profiles, see Create Best Practice Security Profiles. And, because you can't inspect what you can't see, you must also make sure you have configured the firewall to Decrypt Traffic for Full Visibility and Threat Inspection.


Create the Application Whitelist Rules

Step 1    Allow access to your corporate DNS servers.

Why do I need this rule?
Access to DNS is required to provide network infrastructure services, but it is commonly exploited by attackers. Allowing access only on your internal DNS server reduces your attack surface.

Rule Highlights
• Because this rule is very specific, place it at the top of the rulebase.
• Create an address object to use for the destination address to ensure that users only access the DNS server in your data center.
• Because users will need access to these services before they are logged in, you must allow access to any user.

Step 2    Allow access to other required IT infrastructure resources.

Why do I need this rule?
Enable the applications that provide your network infrastructure and management functions, such as NTP, OCSP, STUN, and ping.
While DNS traffic allowed in the preceding rule is restricted to the destination address in the data center, these applications may not reside in your data center and therefore require a separate rule.

Rule Highlights
• Because these applications run on the default port, allow access to any user (users may not yet be a known user because of when these services are needed), and all have a destination address of any, contain them in a single application group and create a single rule to enable access to all of them.
• Users may not have logged in yet at the time they need access to the infrastructure applications, so make sure this rule allows access to any user.

Step 3    Allow access to IT-sanctioned SaaS applications.

Why do I need this rule?
With SaaS applications, your proprietary data is in the cloud. This rule ensures that only your known users have access to these applications (and the underlying data). Scan allowed SaaS traffic for threats.

Rule Highlights
• Group all sanctioned SaaS applications in an application group.
• SaaS applications should always run on the application-default port.
• Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.

Step 4    Allow access to IT-provisioned on-premise applications.


Why do I need this rule?
Business-critical data center applications are often leveraged in attacks during the exfiltration stage, using applications such as FTP, or in the lateral movement stage by exploiting application vulnerabilities.
Many data center applications use multiple ports; setting the Service to application-default safely enables the applications on their standard ports. You should not allow applications on non-standard ports because it is often associated with evasive behavior.

Rule Highlights
• Group all data center applications in an application group.
• Create an address group for your data center server addresses.
• Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.

Step 5    Allow access to applications your administrative users need.

Why do I need this rule?
To reduce your attack surface, Create User Groups for Access to Whitelist Applications. Because administrators often need access to sensitive account data and remote access to other systems (for example RDP), you can greatly reduce your attack surface by only allowing access to the administrators who have a business need.

Rule Highlights
• This rule restricts access to users in the IT_admins group.
• Create custom applications for internal applications or applications that run on non-standard ports so that you can enforce them on their default ports rather than opening additional ports on your network.
• If you have different user groups for different applications, create separate rules for granular control.

Step 6    Allow access to general business applications.

Why do I need this rule?
Beyond the applications you sanction for use and administer for your users, there are a variety of applications that users may commonly use for business purposes, for example to interact with partners, such as WebEx, Adobe online services, or Evernote, but which you may not officially sanction. Because malware often sneaks in with legitimate web-based applications, this rule allows you to safely allow web browsing while still scanning for threats. See Create Best Practice Security Profiles.

Rule Highlights
• Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.
• For visibility, create separate application filters for each type of application you want to allow.
• Attach the best practice security profiles to ensure that all traffic is free of known and unknown threats. See Create Best Practice Security Profiles.


Step 7    (Optional) Allow access to personal applications.

Why do I need this rule?
As the lines blur between work and personal devices, you want to ensure that all applications your users access are safely enabled and free of threats.
By using application filters, you can safely enable access to personal applications when you create this initial rulebase. After you assess what applications are in use, you can use the information to decide whether to remove the filter and allow a smaller subset of personal applications appropriate for your acceptable use policies.

Rule Highlights
• Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.
• For visibility, create separate application filters for each type of application you want to allow.
• Scan all traffic for threats by attaching your best practice security profile group. See Create Best Practice Security Profiles.

Step 8    Allow general web browsing.

Why do I need this rule?
While the previous rule allowed access to personal applications (many of them browser-based), this rule allows general web browsing.
General web browsing is more risk prone than other types of application traffic. You must Create Best Practice Security Profiles and attach them to this rule in order to safely enable web browsing.
Because threats often hide in encrypted traffic, you must Decrypt Traffic for Full Visibility and Threat Inspection if you want to safely enable web browsing.

Rule Highlights
• This rule uses the same best practice security profiles as the rest of the rules, except for the File Blocking profile, which is more stringent because general web browsing traffic is more vulnerable to threats.
• This rule allows only known users to prevent devices with malware or embedded devices from reaching the internet.
• Use application filters to allow access to general types of applications.
• Make sure you also explicitly allow SSL as an application here if you want to allow users to be able to browse to HTTPS sites that are excluded from decryption.


Step 3: Create the Application Block Rules

Although the overall goal of your security policy is to safely enable applications using application whitelist rules (also known as positive enforcement), the initial best practice rulebase must also include rules to help you find gaps in your policy and identify possible attacks. Because these rules are designed to catch things you didn't know were running on your network, they allow traffic that could also pose security risks on your network. Therefore, before you can create the temporary rules, you must create rules that explicitly blacklist applications designed to evade or bypass security or that are commonly exploited by attackers, such as public DNS and SMTP, encrypted tunnels, remote access, and non-sanctioned file sharing applications.

Each of the tuning rules you will define in Step 4: Create the Temporary Tuning Rules is designed to identify a specific gap in your initial policy. Therefore some of these rules will need to go above the application block rules and some will need to go after.

Create the Application Block Rules

Step 1    Block applications that do not have a legitimate use case.

Why do I need this rule?
Block nefarious applications such as encrypted tunnels and peer-to-peer file sharing, as well as web-based file sharing applications that are not IT-sanctioned.
Because the tuning rules that follow are designed to allow traffic with malicious intent or legitimate traffic that is not matching your policy rules as expected, these rules could also allow risky or malicious traffic into your network. This rule prevents that by blocking traffic that has no legitimate use case and that could be used by an attacker or a negligent user.

Rule Highlights
• Use the Drop Action to silently drop the traffic without sending a signal to the client or the server.
• Enable logging for traffic matching this rule so that you can investigate misuse of applications and potential threats on your network.
• Because this rule is intended to catch malicious traffic, it matches traffic from any user running on any port.

Step 2    Block public DNS and SMTP applications.

Why do I need this rule?
Block public DNS/SMTP applications to avoid DNS tunneling, command and control traffic, and remote administration.

Rule Highlights
• Use the Reset both client and server Action to send a TCP reset message to both the client-side and server-side devices.
• Enable logging for traffic matching this rule so that you can investigate a potential threat on your network.


Step 4: Create the Temporary Tuning Rules

The temporary tuning rules are explicitly designed to help you monitor the initial best practice rulebase for gaps and alert you to alarming behavior. For example, you will create temporary rules to identify traffic that is coming from unknown users or applications running on unexpected ports. By monitoring the traffic matching the temporary rules you can also gain a full understanding of all of the applications in use on your network (and prevent applications from breaking while you transition to a best practice rulebase). You can use this information to help you fine-tune your whitelist, either by adding new whitelist rules to allow applications you weren't aware were needed or by narrowing your whitelist rules to remove application filters and instead allow only specific applications in a particular category. When traffic is no longer hitting these rules you can Remove the Temporary Rules.

Some of the temporary tuning rules must go above the rules to block bad applications and some must go after to ensure that targeted traffic hits the appropriate rule, while still ensuring that bad traffic is not allowed onto your network.

Create Temporary Tuning Rules

Step 1    Allow web browsing and SSL on non-standard ports for known users to determine if there are any legitimate applications running on non-standard ports.

Why do I need this rule?
This rule helps you determine if you have any gaps in your policy where users are unable to access legitimate applications because they are running on non-standard ports.
You must monitor all traffic that matches this rule. For any traffic that is legitimate, you should tune the appropriate allow rule to include the application, perhaps creating a custom application where appropriate.

Rule Highlights
• Unlike the whitelist rules that allow applications on the default port only, this rule allows web browsing and SSL traffic on any port so that you can find gaps in your whitelist.
• Because this rule is intended to find gaps in policy, limit it to known users on your network. See Create User Groups for Access to Whitelist Applications.
• Make sure you also explicitly allow SSL as an application here if you want to allow users to be able to browse to HTTPS sites that aren't decrypted (such as financial services and healthcare sites).
• You must add this rule above the application block rules or no traffic will hit this rule.


Step 2    Allow web browsing and SSL traffic on non-standard ports from unknown users to highlight all unknown users regardless of port.

Why do I need this rule?
This rule helps you determine whether you have gaps in your User-ID coverage.
This rule also helps you identify compromised or embedded devices that are trying to reach the internet.
It is important to block non-standard port usage, even for web browsing traffic, because it is usually an evasion technique.

Rule Highlights
• While the majority of the application whitelist rules apply to known users or specific user groups, this rule explicitly matches traffic from unknown users.
• Note that this rule must go above the application block rules or traffic will never hit it.
• Because it is an allow rule, you must attach the best practice security profiles to scan for threats.

Step 3    Allow all applications on the application-default port to identify unexpected applications.

Why do I need this rule?
This rule provides visibility into applications that you weren't aware were running on your network so that you can fine-tune your application whitelist.
Monitor all traffic matching this rule to determine whether it represents a potential threat, or whether you need to modify your whitelist rules to allow the traffic.

Rule Highlights
• Because this rule allows all applications, you must add it after the application block rules to prevent bad applications from running on your network.
• If you are running PAN-OS 7.0.x or earlier, to appropriately identify unexpected applications, you must use an application filter that includes all applications, instead of setting the rule to allow any application.

Step 4    Allow any application on any port to identify applications running where they shouldn't be.

Why do I need this rule?
This rule helps you identify legitimate, known applications running on unknown ports.
This rule also helps you identify unknown applications for which you need to create a custom application to add to your application whitelist.
Any traffic matching this rule is actionable and requires that you track down the source of the traffic and ensure that you are not allowing any unknown tcp, udp, or non-syn tcp traffic.

Rule Highlights
• Because this is a very general rule that allows any application from any user on any port, it must come at the end of your rulebase.
• Enable logging for traffic matching this rule so that you can investigate misuse of applications and potential threats on your network or identify legitimate applications that require a custom application.


Step 5: Enable Logging for Traffic that Doesn't Match Any Rules

Traffic that does not match any of the rules you defined will match the predefined interzone-default rule at the bottom of the rulebase and be denied. For visibility into the traffic that is not matching any of the rules you created, enable logging on the interzone-default rule:

Enable Logging for Traffic That Doesn't Match Any Rules

Step 1    Select the interzone-default row in the rulebase and click Override to enable editing on this rule.

Step 2    Select the interzone-default rule name to open the rule for editing.

Step 3    On the Actions tab, select Log at Session End and click OK.

Step 4    Create a custom report to monitor traffic that hits this rule.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descriptive Name.
3. Set the Database to Traffic Summary.
4. Select the Scheduled check box.
5. Add the following to the Selected Columns list: Rule, Application, Bytes, Sessions.
6. Set the desired Time Frame, Sort By and Group By fields.
7. Define the query to match traffic hitting the interzone-default rule:
(rule eq 'interzone-default')

Step 5    Commit the changes you made to the rulebase.
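The following is an added example written for this guide, not Palo Alto Networks code, that models the rulebase built in Steps 1 through 5 as a first-match list so that the ordering constraints above can be checked: the web browsing and SSL tuning rules sit above the application block rules, the allow-all tuning rules sit below them, and anything left over falls to interzone-default. It goes slightly beyond the text by also parsing a sample IP external dynamic list. The rule names, App-ID names, default ports, addresses and the list contents are constructed assumptions chosen to illustrate the ordering, not the real feeds or objects.

```python
"""Added example, not Palo Alto Networks code: first-match model of the
initial internet gateway rulebase from Steps 1-5.  Rule names, App-ID names,
default ports, addresses and the sample EDL are constructed stand-ins."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed stand-in for the "Palo Alto Networks - Known malicious IP
# addresses" external dynamic list; documentation-range addresses only.
KNOWN_MALICIOUS_EDL = """
# one IP address or CIDR block per line
203.0.113.0/24
198.51.100.77
"""
# Assumed App-ID default ports for the few applications in this model.
APP_DEFAULT_PORT = {"web-browsing": 80, "ssl": 443, "dns": 53,
                    "ntp": 123, "ocsp": 80, "stun": 3478, "smtp": 25}

def parse_edl(text):
    """Parse an IP-type external dynamic list into ip_network objects."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if entry:
            nets.append(ip_network(entry, strict=False))
    return nets

def in_edl(addr, nets):
    """True when addr falls inside any entry of the parsed list."""
    return any(ip_address(addr) in n for n in nets)

MALICIOUS = parse_edl(KNOWN_MALICIOUS_EDL)

@dataclass
class Session:
    src: str
    dst: str
    user: str   # User-ID name, or "unknown" when no IP-to-user mapping exists
    app: str    # application as App-ID identified it
    port: int

@dataclass
class Rule:
    name: str
    action: str                                  # allow / deny / drop / reset-both
    apps: set = field(default_factory=lambda: {"any"})
    users: str = "any"                           # any / known-user / unknown-user
    service: str = "any"                         # any / application-default
    dst: str = "any"                             # destination address object or any
    src_edl: list = field(default_factory=list)  # EDL used as Source address
    dst_edl: list = field(default_factory=list)  # EDL used as Destination address

def matches(rule, s):
    """True when every match criterion of the rule accepts the session."""
    if rule.src_edl and not in_edl(s.src, rule.src_edl):
        return False
    if rule.dst_edl and not in_edl(s.dst, rule.dst_edl):
        return False
    if rule.dst != "any" and s.dst != rule.dst:
        return False
    if rule.users == "known-user" and s.user == "unknown":
        return False
    if rule.users == "unknown-user" and s.user != "unknown":
        return False
    if "any" not in rule.apps and s.app not in rule.apps:
        return False
    if rule.service == "application-default" and APP_DEFAULT_PORT.get(s.app) != s.port:
        return False
    return True

def evaluate(rulebase, s):
    """First match wins; leftover traffic hits interzone-default and is denied."""
    for rule in rulebase:
        if matches(rule, s):
            return rule.name, rule.action
    return "interzone-default", "deny"

# The initial rulebase in the order the procedure prescribes.
RULEBASE = [
    Rule("Block Outbound Malicious IPs", "deny", dst_edl=MALICIOUS),
    Rule("Block Inbound Malicious IPs", "deny", src_edl=MALICIOUS),
    Rule("Corporate DNS", "allow", apps={"dns"}, dst="10.0.0.53", service="application-default"),
    Rule("Infrastructure", "allow", apps={"ntp", "ocsp", "stun"}, service="application-default"),
    Rule("General Web Browsing", "allow", apps={"web-browsing", "ssl"},
         users="known-user", service="application-default"),
    # tuning rules that must sit above the application block rules
    Rule("Unexpected Port SSL and Web", "allow", apps={"web-browsing", "ssl"}, users="known-user"),
    Rule("Unknown User SSL and Web", "allow", apps={"web-browsing", "ssl"}, users="unknown-user"),
    # application block rules
    Rule("Block Bad Apps", "drop", apps={"bittorrent", "tor"}),
    Rule("Block Public DNS and SMTP", "reset-both", apps={"dns", "smtp"}),
    # tuning rules that must sit below the application block rules
    Rule("Unexpected Traffic", "allow", service="application-default"),
    Rule("Unexpected Port Usage", "allow"),
]
TEMPORARY = {"Unexpected Port SSL and Web", "Unknown User SSL and Web", "Block Bad Apps",
             "Block Public DNS and SMTP", "Unexpected Traffic", "Unexpected Port Usage"}

def without_temporary(rulebase):
    """The finalized rulebase after Remove the Temporary Rules."""
    return [r for r in rulebase if r.name not in TEMPORARY]

def move_above(rulebase, name, target):
    """Copy of the rulebase with rule `name` placed directly above `target`."""
    rules = [r for r in rulebase if r.name != name]
    moved = next(r for r in rulebase if r.name == name)
    rules.insert([r.name for r in rules].index(target), moved)
    return rules
```

Moving Unexpected Port Usage above Block Bad Apps with move_above lets a bittorrent session through, which is exactly the exposure the Step 3 introduction warns about, and evaluating the without_temporary rulebase shows that traffic the tuning rules used to absorb now lands on interzone-default, which is why logging on that rule matters.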

Monitor and Fine-Tune the Policy Rulebase

A best practice security policy is iterative. It is a tool for safely enabling applications, users, and content by classifying all traffic, across all ports, all the time. As soon as you Define the Initial Internet Gateway Security Policy, you must begin to monitor the traffic that matches the temporary rules designed to identify policy gaps and alarming behavior and tune your policy accordingly. By monitoring traffic hitting these rules, you can make appropriate adjustments to your rules to either make sure all traffic is hitting your whitelist application allow rules or assess whether particular applications should be allowed. As you tune your rulebase, you should see less and less traffic hitting these rules. When you no longer see traffic hitting these rules, it means that your positive enforcement whitelist rules are complete and you can Remove the Temporary Rules.

Because new App-IDs are added in weekly content releases, you should review the impact the changes in App-IDs have on your policy.


Identify Policy Gaps

Step 1    Create custom reports that let you monitor traffic that hits the rules designed to identify policy gaps.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descriptive Name that indicates the particular policy gap you are investigating, such as Best Practice Policy Tuning.
3. Set the Database to Traffic Summary.
4. Select the Scheduled check box.
5. Add the following to the Selected Columns list: Rule, Application, Bytes, Sessions.
6. Set the desired Time Frame, Sort By and Group By fields.
7. Define the query to match traffic hitting the rules designed to find policy gaps and alarming behavior. You can create a single report that details traffic hitting any of the rules (using the or operator), or create individual reports to monitor each rule. Using the rule names defined in the example policy, you would enter the corresponding queries:
(rule eq 'Unexpected Port SSL and Web')
(rule eq 'Unknown User SSL and Web')
(rule eq 'Unexpected Traffic')
(rule eq 'Unexpected Port Usage')


Step 2    Review the report regularly to make sure you understand why traffic is hitting each of the best practice policy tuning rules and either update your policy to include legitimate applications and users, or use the information in the report to assess the risk of that application usage and implement policy reforms.
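An added example, not Palo Alto Networks code, of what the custom report in the Identify Policy Gaps procedure computes: it parses the (rule eq '...') query, with several terms joined by the or operator, aggregates the matching Traffic Summary records by Rule and Application into the Bytes and Sessions columns, and names the rule that carries the most traffic, which is the place to start tuning. The records, the dropbox and unknown-tcp application names, and the byte and session counts are constructed sample data, not logs from a real firewall.

```python
"""Added example, not Palo Alto Networks code: a model of the Traffic Summary
custom report used to identify policy gaps, run over constructed records.
Only the (rule eq '...') query shape shown in the procedure is supported."""
import re
from collections import defaultdict

# Constructed sample Traffic Summary records: (rule, application, bytes, sessions).
SAMPLE_RECORDS = [
    ("General Web Browsing",        "web-browsing",   5_200_000, 310),
    ("Unexpected Port SSL and Web", "web-browsing",     120_000,   4),
    ("Unexpected Port SSL and Web", "ssl",              880_000,  12),
    ("Unknown User SSL and Web",    "ssl",              440_000,   9),
    ("Unexpected Traffic",          "dropbox",        2_100_000,  15),
    ("Unexpected Port Usage",       "unknown-tcp",       64_000,  31),
    ("Unexpected Port Usage",       "unknown-tcp",       16_000,   5),  # same key, aggregated
    ("interzone-default",           "not-applicable",     9_000,  57),
]

# One query covering all four tuning rules, joined with the or operator.
TUNING_QUERY = ("(rule eq 'Unexpected Port SSL and Web') or "
                "(rule eq 'Unknown User SSL and Web') or "
                "(rule eq 'Unexpected Traffic') or "
                "(rule eq 'Unexpected Port Usage')")

QUERY_TERM = re.compile(r"\(rule eq '([^']+)'\)")

def parse_query(query):
    """Return the set of rule names selected by the query; reject anything
    other than (rule eq '...') terms joined by 'or'."""
    names = QUERY_TERM.findall(query)
    leftovers = QUERY_TERM.sub("", query).split()
    if not names or any(tok != "or" for tok in leftovers):
        raise ValueError("unsupported query: " + query)
    return set(names)

def custom_report(records, query, sort_by="bytes", group_by="rule"):
    """Aggregate matching records by (rule, application), the Selected Columns
    of the report, grouped by `group_by` and sorted by `sort_by` descending."""
    selected = parse_query(query)
    totals = defaultdict(lambda: [0, 0])          # (rule, app) -> [bytes, sessions]
    for rule, app, nbytes, sessions in records:
        if rule in selected:
            totals[(rule, app)][0] += nbytes
            totals[(rule, app)][1] += sessions
    rows = [{"rule": r, "application": a, "bytes": b, "sessions": s}
            for (r, a), (b, s) in totals.items()]
    rows.sort(key=lambda row: (row[group_by], -row[sort_by]))
    return rows

def busiest_rule(rows):
    """Rule carrying the most bytes in the report: the first place to tune."""
    by_rule = defaultdict(int)
    for row in rows:
        by_rule[row["rule"]] += row["bytes"]
    return max(by_rule, key=by_rule.get) if by_rule else None
```

Running custom_report with TUNING_QUERY against the constructed records collapses the two unknown-tcp records into one row and shows Unexpected Traffic as the rule to investigate first; the same function with (rule eq 'interzone-default') gives the report from Step 5 of the initial policy procedure.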

Remove the Temporary Rules

After several months of monitoring your initial internet gateway best practice security policy, you should see less and less traffic hitting the temporary rules as you make adjustments to the rulebase. When you no longer see any traffic hitting these rules, you have achieved your goal of transitioning to a fully application-based Security policy rulebase. At this point, you can finalize your policy rulebase by removing the temporary rules, which includes the rules you created to block bad applications and the rules you created for tuning the rulebase.

Remove the Temporary Rules

Step 1    Select Policies > Security.

Step 2    Select the rule and click Delete.
Alternatively, Disable the rules for a period of time before deleting them. This would allow you to Enable them again if traffic logs show traffic matching the interzone-default rule.

Step 3    Commit the changes.


Maintain the Rulebase

Because applications are always evolving, your application whitelist will need to evolve also. Each time you make a change in what applications you sanction, you must make a corresponding policy change. As you do this, instead of just adding a new rule like you would do with a port-based policy, identify and modify the rule that aligns with the business use case for the application. Because the best practice rules leverage policy objects for simplified administration, adding support for a new application or removing an application from your whitelist typically means modifying the corresponding application group or application filter accordingly.
Additionally, installing new App-IDs included in a content release version can sometimes cause a change in policy enforcement for applications with new or modified App-IDs. Therefore, before installing a new content release, review the policy impact for new App-IDs and stage any necessary policy updates. Assess the treatment an application receives both before and after the new content is installed. You can then modify existing Security policy rules using the new App-IDs contained in a downloaded content release (prior to installing the App-IDs). This enables you to simultaneously update your security policy rules and install new content, and allows for a seamless shift in policy enforcement. Alternatively, you can choose to disable new App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare any policy changes.

Maintain the Best Practice Rulebase

Step 1 Before installing a new content release version, review the new App-IDs to determine if there is policy impact.

Step 2 Disable new App-IDs introduced in a content release, in order to immediately benefit from protection against the latest threats while continuing to have the flexibility to later enable App-IDs after preparing necessary policy updates. You can disable all App-IDs introduced in a content release, set scheduled content updates to automatically disable new App-IDs, or disable App-IDs for specific applications.

Step 3 Tune security policy rules to account for App-ID changes included in a content release or to add new sanctioned applications to or remove applications from your application whitelist rules.

Enumeration of Rules Within a Rulebase

Each rule within a rulebase is automatically numbered and the ordering adjusts as rules are moved or reordered. When filtering rules to find rules that match the specified filter(s), each rule is listed with its number in the context of the complete set of rules in the rulebase and its place in the evaluation order.
On Panorama, pre-rules, post-rules, and default rules are independently numbered. When Panorama pushes rules to a firewall, the rule numbering reflects the hierarchy and evaluation order of shared rules, device group pre-rules, firewall rules, device group post-rules, and default rules. The Preview Rules option in Panorama displays an ordered list view of the total number of rules on a firewall.

View the Ordered List of Rules Within a Rulebase

View the numbered list of rules on the firewall.
Select Policies and any rulebase under it. For example, Policies > Security. The left-most column in the table displays the rule number.

View the numbered list of rules on Panorama.
Select Policies and any rulebase under it. For example, Policies > Security > Pre-rules.

After you push the rules from Panorama, view the complete list of rules with numbers on the firewall.
From the web interface of the firewall, select Policies and pick any rulebase under it. For example, select Policies > Security and view the complete set of numbered rules that the firewall will evaluate.

Move or Clone a Policy Rule or Object to a Different Virtual System

On a firewall that has more than one virtual system (vsys), you can move or clone policy rules and objects to a different vsys or to the Shared location. Moving and cloning save you the effort of deleting, recreating, or renaming rules and objects. If the policy rule or object that you will move or clone from a vsys has references to objects in that vsys, move or clone the referenced objects also. If the references are to shared objects, you do not have to include those when moving or cloning. You can Use Global Find to Search the Firewall or Panorama Management Server for references.

Move or Clone a Policy Rule or Object to a Virtual System

Step 1 Select the policy type (for example, Policy > Security) or object type (for example, Objects > Addresses).

Step 2 Select the Virtual System and select one or more policy rules or objects.

Step 3 Perform one of the following steps:
Select Move > Move to other vsys (for policy rules).
Click Move (for objects).
Click Clone (for policy rules or objects).

Step 4 In the Destination drop-down, select the new virtual system or Shared.

Step 5 (Policy rules only) Select the Rule order:
Move top (default): The rule will come before all other rules.
Move bottom: The rule will come after all other rules.
Before rule: In the adjacent drop-down, select the rule that comes after the Selected Rules.
After rule: In the adjacent drop-down, select the rule that comes before the Selected Rules.

Step 6 The Error out on first detected error in validation check box is selected by default. The firewall stops performing the checks for the move or clone action when it finds the first error, and displays just this error. For example, if an error occurs when the Destination vsys doesn't have an object that the policy rule you are moving references, the firewall will display the error and stop any further validation. When you move or clone multiple items at once, selecting this check box will allow you to find one error at a time and troubleshoot it. If you clear the check box, the firewall collects and displays a list of errors. If there are any errors in validation, the object is not moved or cloned until you fix all the errors.

Step 7 Click OK to start the error validation. If the firewall displays errors, fix them and retry the move or clone operation. If the firewall doesn't find errors, the object is moved or cloned successfully. After the operation finishes, click Commit.
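
The rule numbering described under Enumeration of Rules Within a Rulebase and the Rule order choices in Step 5 above, worked through as an added Python example; this is my code, not part of the guide or of PAN-OS. It assumes simplified rules that carry only a name and a source and destination zone, so matching is reduced to zones, and the layer labels such as shared-pre are names I chose for the example.

```python
"""Rule numbering in evaluation order and 'Rule order' placement.

Added example, not from the PAN-OS guide. Assumptions (mine): a rule is a dict
with a 'name', a 'from' zone and a 'to' zone; layer labels are my own.
"""
from typing import Dict, List, Optional


def renumber(rules: List[Dict]) -> List[Dict]:
    """Assign 1-based rule numbers in list order. The guide notes that numbers
    adjust whenever rules are moved or reordered, so they are always recomputed."""
    return [{**rule, "number": i} for i, rule in enumerate(rules, start=1)]


def effective_rulebase(shared_pre, dg_pre, local, dg_post, default) -> List[Dict]:
    """Combine the layers in the evaluation order the guide states for a firewall
    managed by Panorama: shared pre-rules, device group pre-rules, the firewall's
    own rules, device group post-rules, then the default rules."""
    layers = [("shared-pre", shared_pre), ("dg-pre", dg_pre), ("local", local),
              ("dg-post", dg_post), ("default", default)]
    ordered = [{**rule, "origin": origin} for origin, rules in layers for rule in rules]
    return renumber(ordered)


def place_rules(rulebase: List[Dict], selected: List[str], order: str,
                reference: Optional[str] = None) -> List[Dict]:
    """Apply a 'Rule order' choice to the selected rules and renumber.

    order: 'top' (before all other rules), 'bottom' (after all other rules),
    'before' or 'after' the existing, unselected rule named by `reference`.
    The selected rules keep their relative order.
    """
    moving = [r for r in rulebase if r["name"] in selected]
    rest = [r for r in rulebase if r["name"] not in selected]
    if order == "top":
        merged = moving + rest
    elif order == "bottom":
        merged = rest + moving
    elif order in ("before", "after"):
        positions = [i for i, r in enumerate(rest) if r["name"] == reference]
        if not positions:
            raise ValueError(f"reference rule {reference!r} is not an unselected rule")
        idx = positions[0] + (1 if order == "after" else 0)
        merged = rest[:idx] + moving + rest[idx:]
    else:
        raise ValueError(f"unknown rule order: {order}")
    return renumber(merged)


def first_match(rulebase: List[Dict], src_zone: str, dst_zone: str) -> Optional[Dict]:
    """Return the first rule whose zones match the flow. Evaluation stops at the
    first hit, which is why 'before' versus 'after' placement changes enforcement."""
    for rule in rulebase:
        if rule["from"] in (src_zone, "any") and rule["to"] in (dst_zone, "any"):
            return rule
    return None


# Constructed sample layers, named so the origin of each rule is visible.
SAMPLE = effective_rulebase(
    shared_pre=[{"name": "shared-allow-dns", "from": "trust", "to": "untrust"}],
    dg_pre=[{"name": "dg-block-risky", "from": "any", "to": "untrust"}],
    local=[{"name": "local-web", "from": "trust", "to": "untrust"}],
    dg_post=[{"name": "dg-cleanup", "from": "any", "to": "any"}],
    default=[{"name": "interzone-default", "from": "any", "to": "any"}],
)

if __name__ == "__main__":
    for rule in SAMPLE:
        print(rule["number"], rule["origin"], rule["name"])
    moved = place_rules(SAMPLE, ["local-web"], "before", "dg-block-risky")
    print("trust->untrust now hits:", first_match(moved, "trust", "untrust")["name"])
```

Run it to see the five rules numbered in evaluation order, then note that moving local-web before dg-block-risky renumbers everything below it; the first_match helper makes the consequence visible, since the first rule in the numbered list that matches a flow is the one enforced.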

Use Tags to Group and Visually Distinguish Objects

You can tag objects to group related items and add color to the tag in order to visually distinguish them for easy scanning. You can create tags for the following objects: address objects, address groups, zones, service groups, and policy rules.
The firewall and Panorama support both static tags and dynamic tags. Dynamic tags are registered from a variety of sources and are not displayed with the static tags because dynamic tags are not part of the firewall/Panorama configuration. See Register IP Addresses and Tags Dynamically for information on registering tags dynamically. The tags discussed in this section are statically added and are part of the configuration.
You can apply one or more tags to objects and to policy rules, up to a maximum of 64 tags per object. Panorama supports a maximum of 10,000 tags, which you can apportion across Panorama (shared and device groups) and the managed firewalls (including firewalls with multiple virtual systems).
Create and Apply Tags
Modify Tags
Use the Tag Browser

Create and Apply Tags

Step 1 Create tags.
NOTE: To tag a zone, you must create a tag with the same name as the zone. When the zone is attached in policy rules, the tag color automatically displays as the background color against the zone name.
1. Select Objects > Tags.
2. On Panorama or a multiple virtual system firewall, select the Device Group or the Virtual System to make the tag available.
3. Click Add and enter a Name to identify the tag, or select a zone name from the drop-down to create a tag for a zone. The maximum length is 127 characters.
4. (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.
5. (Optional) Assign one of the 17 predefined colors to the tag. By default, Color is None.
6. Click OK and Commit to save the changes.

Step 2 Apply tags to policy.
1. Select Policies and any rulebase under it.
2. Click Add to create a policy rule and use the tagged objects you created in Step 1.
3. Verify that the tags are in use.

Step 3 Apply tags to an address object, address group, service, or service group.
1. Create the object. For example, to create a service group, select Objects > Service Groups > Add.
2. Select a tag from the Tags drop-down or enter a name in the field to create a new tag.
To edit a tag or add color to the tag, see Modify Tags.

Modify Tags

Select Objects > Tags to perform any of the following operations with tags:
Click the link in the Name column to edit the properties of a tag.
Select a tag in the table, and click Delete to remove the tag from the firewall.
Click Clone to create a duplicate tag with the same properties. A numerical suffix is added to the tag name. For example, FTP-1.

For details on creating tags, see Create and Apply Tags. For information on working with tags, see Use the Tag Browser.

Use the Tag Browser

The tag browser provides a way to view all the tags used within a rulebase. In rulebases with a large number of rules, the tag browser simplifies the display by presenting the tags, the color code, and the rule numbers in which the tags are used.
It also allows you to group rules using the first tag applied to the rule. As a best practice, use the first tag to identify the primary purpose for a rule. For example, the first tag can identify a rule by a high-level function such as best practice, internet access, IT-sanctioned applications, or high-risk applications. In the tag browser, when you Filter by first tag in rule, you can easily identify gaps in coverage and move rules or add new rules within the rulebase. All the changes are saved to the candidate configuration until you commit the changes on the firewall and make them a part of the running configuration.
For firewalls that are managed by Panorama, the tags applied to pre-rules and post-rules that have been pushed from Panorama display in a green background and are demarcated with green lines so that you can distinguish these tags from the local tags on the firewall.

Use the Tag Browser

Explore the tag browser.
1. Access the Tag Browser on the left pane of the Policies tab. The tag browser displays the tags that have been used in the rules for the selected rulebase, for example Policies > Security.
2. Tag (#): Displays the label and the rule number or range of numbers in which the tag is used contiguously. Hover over the label to see the location where the rule was defined; it can be inherited from a shared location, a device group, or a virtual system.
3. Rule: Lists the rule number or range of numbers associated with the tags.
4. Sort the tags.
Filter by first tag in rule: Sorts rules using the first tag applied to each rule in the rulebase. This view is particularly useful if you want to narrow the list and view related rules that might be spread around the rulebase. For example, if the first tag in each rule denotes its function (best practices, administration, web access, data center access, proxy), you can narrow the result and scan the rules based on function.
Rule Order: Sorts the tags in the order of appearance within the selected rulebase. When displayed in order of appearance, tags used in contiguous rules are grouped. The rule number with which the tag is associated is displayed along with the tag name.
Alphabetical: Sorts the tags in alphabetical order within the selected rulebase. The display lists the tag name and color (if a color is assigned) and the number of times it is used within the rulebase.
The label None represents rules without any tags; it does not display rule numbers for untagged rules. When you select None, the right pane is filtered to display rules that have no tags assigned to them.
5. Clear: Clears the filter on the currently selected tags in the search bar.
6. Search bar: To search for a tag, enter the term and click the green arrow icon to apply the filter. It also displays the total number of tags in the rulebase and the number of selected tags.
7. Expand or collapse the tag browser.

Tag a rule.
1. Select a rule on the right pane.
2. Do one of the following:
Select a tag in the tag browser and select Apply the Tag to the Selection(s) from the drop-down.
Drag and drop tag(s) from the tag browser onto the Tags column of the rule. When you drop a tag, a confirmation dialog displays.
3. Commit the changes.

View rules that match the selected tags. You can filter rules based on tags with an AND or an OR operator.
OR filter: To view rules that have specific tags, select one or more tags in the tag browser; the right pane only displays the rules that include any of the currently selected tags.
AND filter: To view rules that have all the selected tags, hover over the number associated with the tag in the Rule column of the tag browser and select Filter. Repeat to add more tags. Click the apply filter icon in the search bar on the right pane. The results are displayed using an AND operator.

View the currently selected tags. To view the currently selected tags, hover over the Clear label in the tag browser.

Untag a rule. Hover over the rule number associated with a tag in the Rule column of the tag browser and select Untag Rule(s). Confirm that you want to remove the selected tag from the rule. Commit the changes.

Reorder rules using tags. Select one or more tags and hover over the rule number in the Rule column of the tag browser and select Move Rule(s). Select a tag from the drop-down in the move rule window and select whether you want to Move Before or Move After the tag selected in the drop-down. Commit the changes.

Add a new rule that applies the selected tags. Select one or more tags and hover over the rule number in the Rule column of the tag browser, and select Add New Rule. Define the rule and Commit the changes.
The numerical order of the new rule varies by whether you selected a rule on the right pane. If you did not select a rule on the right pane, the new rule will be added after the rule to which the selected tag(s) belongs. Otherwise, the new rule is added after the selected rule.

Search for a tag. In the tag browser, enter the first few letters of the tag name you want to search for and click the Apply Filter icon. The tags that match your input will display.
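
The tag browser views and filters described above (the Tag (#) ranges, the Rule Order and Alphabetical sorts, Filter by first tag in rule, the None label, and the OR and AND filters), reproduced over a constructed rulebase as an added Python example; this is my code, not the guide's or the product's. The rule and tag structure is an assumption: each rule carries its number and an ordered list of tags, and colors are left out.

```python
"""Tag browser grouping and filtering over a constructed rulebase.

Added example, not from the PAN-OS guide. Assumption (mine): a rule is a dict
with a 1-based 'number' and an ordered 'tags' list, the first tag being the
rule's primary purpose as the guide recommends.
"""
from typing import Dict, List, Tuple

# Constructed sample rulebase.
RULES = [
    {"number": 1, "tags": ["best-practice", "admin"]},
    {"number": 2, "tags": ["best-practice", "web-access"]},
    {"number": 3, "tags": ["web-access"]},
    {"number": 4, "tags": []},
    {"number": 5, "tags": ["datacenter", "web-access"]},
    {"number": 6, "tags": ["best-practice"]},
]


def contiguous_ranges(numbers: List[int]) -> List[str]:
    """Collapse rule numbers into the 'Tag (#)' display: runs of consecutive
    numbers become 'a-b', isolated numbers stay single, e.g. [1,2,3,6] -> ['1-3','6']."""
    ranges, start, prev = [], None, None
    for n in sorted(numbers):
        if start is None:
            start = prev = n
        elif n == prev + 1:
            prev = n
        else:
            ranges.append(f"{start}-{prev}" if start != prev else str(start))
            start = prev = n
    if start is not None:
        ranges.append(f"{start}-{prev}" if start != prev else str(start))
    return ranges


def tag_usage(rules: List[Dict]) -> Dict[str, List[str]]:
    """Rule Order view: tags in order of first appearance with their rule ranges.
    'None' stands for untagged rules and, as in the UI, lists no rule numbers."""
    numbers: Dict[str, List[int]] = {}
    has_untagged = False
    for rule in rules:
        has_untagged = has_untagged or not rule["tags"]
        for tag in rule["tags"]:
            numbers.setdefault(tag, []).append(rule["number"])
    usage = {tag: contiguous_ranges(nums) for tag, nums in numbers.items()}
    if has_untagged:
        usage["None"] = []
    return usage


def alphabetical(rules: List[Dict]) -> List[Tuple[str, int]]:
    """Alphabetical view: (tag, number of rules using it), sorted by tag name."""
    counts: Dict[str, int] = {}
    for rule in rules:
        for tag in rule["tags"]:
            counts[tag] = counts.get(tag, 0) + 1
    return sorted(counts.items())


def group_by_first_tag(rules: List[Dict]) -> Dict[str, List[int]]:
    """'Filter by first tag in rule': rules grouped by their primary-purpose tag,
    which exposes gaps (rules whose first tag is missing land under 'None')."""
    groups: Dict[str, List[int]] = {}
    for rule in rules:
        key = rule["tags"][0] if rule["tags"] else "None"
        groups.setdefault(key, []).append(rule["number"])
    return groups


def filter_rules(rules: List[Dict], tags: List[str], mode: str = "or") -> List[int]:
    """OR filter: rules carrying any selected tag. AND filter: rules carrying all of
    them. Selecting only 'None' returns the untagged rules."""
    wanted = set(tags)
    if wanted == {"None"}:
        return [r["number"] for r in rules if not r["tags"]]
    if mode == "or":
        return [r["number"] for r in rules if wanted & set(r["tags"])]
    if mode == "and":
        return [r["number"] for r in rules if wanted <= set(r["tags"])]
    raise ValueError("mode must be 'or' or 'and'")


if __name__ == "__main__":
    for tag, ranges in tag_usage(RULES).items():
        print(f"{tag} ({', '.join(ranges) or '-'})")
    print("first-tag groups:", group_by_first_tag(RULES))
    print("AND best-practice+web-access:", filter_rules(RULES, ["best-practice", "web-access"], "and"))
```

The contiguous_ranges helper is what makes rule 6 show up as a separate range for best-practice even though the tag is also used on rules 1 and 2, which is how the Rule Order view groups tags used in adjacent rules.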

Use an External Dynamic List in Policy

An external dynamic list (formerly called dynamic block list) is a text file that you or another source hosts on an external web server so that the firewall can import objects (IP addresses, URLs, domains) to enforce policy on the entries in the list. As the list is updated, the firewall dynamically imports the list at the configured interval and enforces policy without the need to make a configuration change or a commit on the firewall.
External Dynamic List
Formatting Guidelines for an External Dynamic List
Palo Alto Networks Malicious IP Address Feeds
Configure the Firewall to Access an External Dynamic List
Retrieve an External Dynamic List from the Web Server
View External Dynamic List Entries
Exclude Entries from an External Dynamic List
Enforce Policy on an External Dynamic List
Find External Dynamic Lists That Failed Authentication
Disable Authentication for an External Dynamic List

External Dynamic List

An External Dynamic List is a text file that is hosted on an external web server so that the firewall can import objects (IP addresses, URLs, domains) included in the list and enforce policy. To enforce policy on the entries included in the external dynamic list, you must reference the list in a supported policy rule or profile. As you modify the list, the firewall dynamically imports the list at the configured interval and enforces policy without the need to make a configuration change or a commit on the firewall. If the web server is unreachable, the firewall will use the last successfully retrieved list for enforcing policy until the connection is restored with the web server, but only if the list is not secured with SSL. To retrieve the external dynamic list, the firewall uses the interface configured with the Palo Alto Networks Services service route.
The firewall supports four types of external dynamic lists:
IP Address: The firewall typically enforces policy for a source or destination IP address that is defined as a static object on the firewall (see Use an External Dynamic List of Type IP or Predefined IP as a Source or Destination Address Object in a Security Policy Rule). If you need agility in enforcing policy for a list of source or destination IP addresses that emerge ad hoc, you can use an external dynamic list of type IP address as a source or destination address object in policy rules, and configure the firewall to deny or allow access to the IP addresses (IPv4 and IPv6 address, IP range and IP subnets) included in the list. The firewall treats an external dynamic list of type IP address as an address object; all the IP addresses included in a list are handled as one address object.
Predefined IP Address: A predefined IP address list is a type of IP address list that refers to any of the two Palo Alto Networks Malicious IP Address Feeds that have fixed or predefined contents. These feeds are automatically added to your firewall if you have an active Threat Prevention license. A predefined IP address list can also refer to any external dynamic list you create that uses a Palo Alto Networks IP address feed as a source.

URL: An external dynamic list of type URL gives you the agility to protect your network from new sources of threat or malware. The firewall handles an external dynamic list with URLs like a custom URL category and you can use this list in two ways:
As a match criteria in Security policy rules, Decryption policy rules, and QoS policy rules to allow, deny, decrypt, not decrypt, or allocate bandwidth for the URLs in the custom category.
In a URL Filtering profile where you can define more granular actions, such as continue, alert, or override, before you attach the profile to a Security policy rule (see Use an External Dynamic List in a URL Filtering Profile).
Domain: An external dynamic list of type domain allows you to import custom domain names into the firewall to enforce policy using an Anti-Spyware profile. This capability is very useful if you subscribe to third-party threat intelligence feeds and want to protect your network from new sources of threat or malware as soon as you learn of a malicious domain. For each domain you include in the external dynamic list, the firewall creates a custom DNS-based spyware signature so that you can enable DNS sinkholing. The DNS-based spyware signature is of type spyware with medium severity and each signature is named Custom Malicious DNS Query <domain name>. For details, see Configure DNS Sinkholing for a List of Custom Domains.
On each firewall model, you can use a maximum of 30 external dynamic lists with unique sources to enforce policy; predefined IP address feeds do not count toward this limit. The external dynamic list limit is not applicable to Panorama. When using Panorama to manage a firewall that is enabled for multiple virtual systems, if you exceed the limit for the firewall, a commit error displays on Panorama. A source is a URL that includes the IP address or hostname, the path, and the filename for the external dynamic list. The firewall matches the URL (complete string) to determine whether a source is unique.
While the firewall does not impose a limit on the number of lists of a specific type, the following limits are enforced:
IP address: The PA-5000 Series, PA-5200 Series, and the PA-7000 Series firewalls support a maximum of 150,000 total IP addresses; all other models support a maximum of 50,000 total IP addresses. No limits are enforced for the number of IP addresses per list. When the maximum supported IP address limit is reached on the firewall, the firewall generates a syslog message. The IP addresses in predefined IP address lists do not count toward the limit.
URL and domain: A maximum of 50,000 URLs and 50,000 domains are supported on each model, with no limits enforced on the number of entries per list.
List entries only count toward the firewall limits if they belong to an external dynamic list that is referenced in policy.

When parsing the list, the firewall skips entries that do not match the list type, and ignores entries that exceed the maximum number supported for the model. To ensure that the entries do not exceed the limit, check the number of entries currently used in policy. Select Objects > External Dynamic Lists and click List Capacities.

Formatting Guidelines for an External Dynamic List

An external dynamic list of one type (IP address, URL, or Domain) must include entries of that type only. The entries in a predefined IP address list comply with the formatting guidelines for IP address lists.
IP Address List
Domain List
URL List

IP Address List

The external dynamic list can include individual IP addresses, subnet addresses (address/mask), or ranges of IP addresses. In addition, the block list can include comments and special characters such as *, :, ;, #, or /. The syntax for each line in the list is [IP address, IP/Mask, or IP start range-IP end range] [space] [comment].
Enter each IP address/range/subnet on a new line; URLs or domains are not supported in this list. A subnet or an IP address range, such as 192.168.20.0/24 or 192.168.20.40-192.168.20.50, counts as one IP address entry and not as multiple IP addresses. If you add comments, the comment must be on the same line as the IP address/range/subnet. The space at the end of the IP address is the delimiter that separates a comment from the IP address.
An example IP address list:
192.168.20.10/32
2001:db8:123:1::1 #test IPv6 address
192.168.20.0/24 ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
192.168.20.40-192.168.20.50

For an IP address that is blocked, you can display a notification page only if the protocol is HTTP.

Domain List

Enter each domain name on a new line; URLs or IP addresses are not supported in this list. Do not prefix the domain name with the protocol, http:// or https://. Wildcards are not supported.
An example list of domains:
www.example.com
baddomain.com
qqq.abcedfg.au

URL List

See Block and Allow Lists.
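
A pre-publication check that applies the IP address and domain list rules above (the space as comment delimiter, one entry per line, a subnet or range counting as one entry, no http:// or https:// prefix, no wildcards, entries of the wrong type skipped, and the per-model capacity totals), as an added Python example that is not part of the guide. The first five IP lines and the first three domain lines in the sample data are the guide's own examples; the extra lines, and the model labels large and other, are mine.

```python
"""Check an external dynamic list before hosting it.

Added example, not from the PAN-OS guide. Assumptions (mine): list contents are
passed in as a string; capacities are the guide's totals (150,000 IP entries on
PA-5000/5200/7000 Series, 50,000 elsewhere, 50,000 domains); 'large' and
'other' are placeholder model labels.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

IP_CAPACITY = {"large": 150_000, "other": 50_000}  # figures from the guide
DOMAIN_CAPACITY = 50_000
_SCHEME = re.compile(r"^https?://", re.IGNORECASE)
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def parse_ip_entry(line: str) -> str:
    """Return a canonical IP entry (address, network or start-end range).

    Line syntax from the guide: [IP, IP/mask or start-end] [space] [comment].
    The first space delimits the comment, so ; # * after it are ignored.
    Raises ValueError for anything that is not an IP entry.
    """
    token = line.split(maxsplit=1)[0]
    if "-" in token:
        start, end = token.split("-", 1)
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {token}")
        return f"{lo}-{hi}"
    if "/" in token:
        return str(ipaddress.ip_network(token, strict=False))
    return str(ipaddress.ip_address(token))


def parse_domain_entry(line: str) -> str:
    """Return the domain, or raise ValueError if the line is not a bare domain:
    no scheme prefix, no wildcard, no URL path, not an IP address."""
    token = line.strip()
    if _SCHEME.match(token):
        raise ValueError(f"scheme prefix not allowed: {token}")
    if "*" in token:
        raise ValueError(f"wildcards are not supported: {token}")
    if "/" in token or " " in token:
        raise ValueError(f"URLs are not supported in a domain list: {token}")
    try:
        ipaddress.ip_address(token)
    except ValueError:
        pass  # not an IP address, which is what a domain list needs
    else:
        raise ValueError(f"IP addresses are not supported in a domain list: {token}")
    labels = token.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
        raise ValueError(f"not a domain name: {token}")
    return token.lower()


def check_list(contents: str, list_type: str, model: str = "other") -> Dict:
    """Validate every line of an 'ip' or 'domain' list.

    Returns accepted entries, skipped lines as (number, text, reason), the model
    capacity, and how many accepted entries would be ignored as over capacity.
    Skipping lines of the wrong type mirrors what the firewall does when parsing.
    """
    parser = {"ip": parse_ip_entry, "domain": parse_domain_entry}[list_type]
    capacity = IP_CAPACITY[model] if list_type == "ip" else DOMAIN_CAPACITY
    accepted: List[str] = []
    skipped: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(contents.splitlines(), start=1):
        if not raw.strip():
            continue  # blank lines carry no entry
        try:
            accepted.append(parser(raw.strip()))
        except ValueError as exc:
            skipped.append((lineno, raw, str(exc)))
    return {"entries": accepted, "skipped": skipped, "count": len(accepted),
            "capacity": capacity,
            "ignored_over_capacity": max(0, len(accepted) - capacity)}


# Constructed sample lists (guide examples plus lines of mine that get skipped).
SAMPLE_IP_LIST = """\
192.168.20.10/32
2001:db8:123:1::1 #test IPv6 address
192.168.20.0/24 ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
192.168.20.40-192.168.20.50
www.example.com  # a domain in an IP list is skipped by the firewall
"""

SAMPLE_DOMAIN_LIST = """\
www.example.com
baddomain.com
qqq.abcedfg.au
http://prefixed.example.com
*.wildcard.example.com
192.0.2.1
"""
```

Running check_list over a list before you publish it tells you which lines the firewall would silently skip and whether the accepted count fits the model's total; the same count is what List Capacities reports once the list is referenced in policy.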

Palo Alto Networks Malicious IP Address Feeds

With an active Threat Prevention license, Palo Alto Networks provides two feeds with malicious IP addresses that you can use to secure your network against malicious hosts.
Palo Alto Networks Known Malicious IP Addresses: Contains IP addresses that are verified malicious based on WildFire analysis, Unit 42 research, and data gathered from telemetry (Share Threat Intelligence with Palo Alto Networks). Attackers use these IP addresses almost exclusively to distribute malware, initiate command-and-control activity, and launch attacks.

Palo Alto Networks High-Risk IP Addresses: Contains malicious IP addresses from threat advisories issued by trusted third-party organizations. Palo Alto Networks compiles the list of threat advisories, but does not have direct evidence of the maliciousness of the IP addresses.
The firewall receives updates for these feeds through daily antivirus content updates, allowing you to enforce security policy on the firewall based on the latest threat intelligence from Palo Alto Networks. The Palo Alto Networks IP address feeds are predefined, which means that you cannot modify their contents. You can use them as is (see Enforce Policy on an External Dynamic List), or create a custom external dynamic list that uses either feed as a source (see Configure the Firewall to Access an External Dynamic List) and exclude entries from the list as needed.

Configure the Firewall to Access an External Dynamic List

You must establish the connection between the firewall and the source that hosts the external dynamic list before you can Enforce Policy on an External Dynamic List.

Configure the Firewall to Access an External Dynamic List

Step 1 (Optional) Customize the service route that the firewall uses to retrieve external dynamic lists.
Select Device > Setup > Services > Service Route Configuration > Customize and modify the External Dynamic Lists service route.
NOTE: The firewall does not use the External Dynamic Lists service route to retrieve the Palo Alto Networks Malicious IP Address Feeds; it dynamically receives updates to these feeds through daily antivirus content updates (active Threat Prevention license required).

Step 2 Find an external dynamic list to use with the firewall.
Create an external dynamic list and host it on a web server. Enter IP addresses, domains, or URLs in a blank text file. Each list entry must be on a separate line. For example:
financialtimes.co.in
www.wallaby.au/joey
www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx
*.example.com/*
abc?*/abc.com
*&*.net
See the Formatting Guidelines for an External Dynamic List to ensure that the firewall does not skip list entries. To prevent commit errors and invalid entries, do not prefix http:// or https:// to any of the entries.
Use an external dynamic list hosted by another source and verify that it follows the Formatting Guidelines for an External Dynamic List.

Step 3 Select Objects > External Dynamic Lists.

Step 4 Click Add and enter a descriptive Name for the list.

Step 5 (Optional) Select Shared to share the list with all virtual systems on a device that is enabled for multiple virtual systems. By default, the object is created on the virtual system that is currently selected in the Virtual Systems drop-down.

Step 6 (Panorama only) Select Disable override to ensure that a firewall administrator cannot override settings locally on a firewall that inherits this configuration through a Device Group commit from Panorama.

Step 7 Select the list Type (for example, URL List).
Ensure that the list only includes entries for the list type. See Verify whether entries in the external dynamic list were ignored or skipped.

Step 8 Enter the Source for the list you just created on the web server. The source must include the full path to access the list. For example, https://1.2.3.4/EDL_IP_2015.
If you are creating a list of type Predefined IP, select a Palo Alto Networks malicious IP address feed to use as a source.

Step 9 If the list source is secured with SSL (i.e. lists with an HTTPS URL), enable server authentication. Select a Certificate Profile or create a New Certificate Profile for authenticating the server that hosts the list. The certificate profile you select must have root CA (certificate authority) and intermediate CA certificates that match the certificates installed on the server you are authenticating.
Maximize the number of external dynamic lists that you can use to enforce policy. Use the same certificate profile to authenticate external dynamic lists from the same source URL. If you assign different certificate profiles to external dynamic lists from the same source URL, the firewall counts each list as a unique external dynamic list.

Step 10 Enable client authentication if the list source has an HTTPS URL and requires basic HTTP authentication for list access.
1. Select Client Authentication.
2. Enter a valid Username to access the list.
3. Enter the Password and Confirm Password.

Step 11 (Not available on Panorama) Click Test Source URL to verify that the firewall can connect to the web server.

Step 12 (Optional) Specify the Repeat frequency at which the firewall retrieves the list. By default, the firewall retrieves the list once every hour and commits the changes.
NOTE: The interval is relative to the last commit. So, for the five minute interval, the commit occurs in 5 minutes if the last commit was an hour ago. To retrieve the list immediately, see Retrieve an External Dynamic List from the Web Server.

Step 13 Click OK and Commit.

Step 14 Enforce Policy on an External Dynamic List.
If the server or client authentication fails, the firewall ceases to enforce policy based on the last successfully retrieved external dynamic list. Find External Dynamic Lists That Failed Authentication and view the reasons for authentication failure.

Retrieve an External Dynamic List from the Web Server

When you Configure the Firewall to Access an External Dynamic List, you can configure the firewall to retrieve the list from the web server on an hourly, daily, weekly, or monthly basis. If you have added or deleted IP addresses from the list and need to trigger an immediate refresh, use the following process to fetch the updated list.

Retrieve an External Dynamic List

Step 1 To retrieve the list on demand, select Objects > External Dynamic Lists.

Step 2 Select the list that you want to refresh, and click Import Now. The job to import the list is queued.

Step 3 To view the status of the job in the Task Manager, see Manage and Monitor Administrative Tasks.

Step 4 (Optional) After the firewall retrieves the list, View External Dynamic List Entries.

View External Dynamic List Entries

Before you Enforce Policy on an External Dynamic List, you can view the contents of an external dynamic list directly on the firewall to check if it contains certain IP addresses, domains, or URLs. The entries displayed are based on the version of the external dynamic list that the firewall most recently retrieved.

View External Dynamic List Entries

Step 1 Select Objects > External Dynamic Lists.

Step 2 Click the external dynamic list you want to view.

Step 3 Click List Entries and Exceptions and view the objects that the firewall retrieved from the list.
The list might be empty if:
The firewall has not yet retrieved the external dynamic list. To force the firewall to retrieve an external dynamic list immediately, Retrieve an External Dynamic List from the Web Server.
The firewall is unable to access the server that hosts the external dynamic list. Click Test Source URL to verify that the firewall can connect to the server.

Step 4 Enter an IP address, domain, or URL (depending on the type of list) in the filter field and Apply Filter to check if it's in the list. Exclude Entries from an External Dynamic List based on which IP addresses, domains, and URLs you need to block or allow.

Step 5 (Optional) View the AutoFocus Intelligence Summary for a list entry. Hover over an entry to open the drop-down and then click AutoFocus.

Exclude Entries from an External Dynamic List

As you view the entries of an external dynamic list, you can exclude up to 100 entries from the list. The ability to exclude entries from an external dynamic list gives you the option to enforce policy on some (but not all) of the entries in a list. This is helpful if you cannot edit the contents of an external dynamic list (such as the Palo Alto Networks High-Risk IP Addresses feed) because it comes from a third-party source.

Exclude Entries from an External Dynamic List

Step 1 View External Dynamic List Entries.

Step 2 Select up to 100 entries to exclude from the list and click Submit, or manually Add a list exception.
You cannot save your changes to the external dynamic list if you have duplicate entries in the Manual Exceptions list. To identify duplicate entries, look for entries with a red underline.
A manual exception must match a list entry exactly. For example, if the IP address range 1.1.1.1-3.3.3.3 is a list entry and you manually enter an IP address within this range as a list exception, the firewall will continue to enforce policy on all the IP addresses in the range.

Step 3 Click OK and Commit to save your changes.

Step 4 (Optional) Enforce Policy on an External Dynamic List.

Enforce Policy on an External Dynamic List

Block or allow traffic based on IP addresses or URLs in an external dynamic list, or use a dynamic domain list with a DNS sinkhole to prevent access to malicious domains. Refer to the table below for the ways you can use external dynamic lists to enforce policy on the firewall.

Enforce Policy on Entries in an External Dynamic List

Configure DNS Sinkholing for a List of Custom Domains.

Use an External Dynamic List in a URL Filtering Profile.

Use an External Dynamic List of Type URL as Match Criteria in a Security Policy Rule.
1. Select Policies > Security.
2. Click Add and enter a descriptive Name for the rule.
3. In the Source tab, select the Source Zone.
4. In the Destination tab, select the Destination Zone.
5. In the Service/URL Category tab, click Add to select the appropriate external dynamic list from the URL Category list.
6. In the Actions tab, set the Action Setting to Allow or Deny.
7. Click OK and Commit.
8. Verify whether entries in the external dynamic list were ignored or skipped.
Use the following CLI command on a firewall to review the details for a list.
request system external-list show type <domain | ip | url> name_of_list
For example:
request system external-list show type url EBL_ISAC_Alert_List
9. Test that the policy action is enforced.
a. View External Dynamic List Entries for the URL list, and attempt to access a URL from the list.
b. Verify that the action you defined is enforced.
c. To monitor the activity on the firewall:
Select ACC and add a URL Domain as a global filter to view the Network Activity and Blocked Activity for the URL you accessed.
Select Monitor > Logs > URL Filtering to access the detailed log view.

UseanExternalDynamicListofTypeIPor 1. SelectPolicies > Security.


PredefinedIPasaSourceorDestination 2. ClickAdd andgivetheruleadescriptivenameintheGeneral
AddressObjectinaSecurityPolicyRule. tab.
Thiscapabilityisusefulifyoudeploynew
3. IntheSource tab,selecttheSource Zoneandoptionallyselect
serversandwanttoallowaccesstothenewly
theexternaldynamiclistastheSourceAddress.
deployedserverswithoutrequiringafirewall
commit. 4. IntheDestination tab,selecttheDestination Zone and
optionallyselecttheexternaldynamiclistastheDestination
Address.
5. IntheService/ URL Category tab,makesuretheService isset
toapplication-default.
6. IntheActions tab,settheAction Setting toAlloworDeny.
NOTE:Createseparateexternaldynamiclistsifyouwantto
specifyallowanddenyactionsforspecificIPaddresses.
7. Leavealltheotheroptionsatthedefaultvalues.
8. ClickOKtosavethechanges.
9. Committhechanges.
10. Testthatthepolicyactionisenforced.
a. ViewExternalDynamicListEntriesfortheexternal
dynamiclist,andattempttoaccessanIPaddressfromthe
list.
b. Verifythattheactionyoudefinedisenforced.
c. SelectMonitor > Logs > Trafficandviewthelogentryfor
thesession.
d. Toverifythepolicyrulethatmatchesaflow,usethe
followingCLIcommand:
test security-policy-match source <IP_address>
destination <IP_address> destination port
<port_number> protocol <protocol_number>

Tipsforenforcingpolicyonthefirewallwithexternaldynamiclists:
Whenviewingexternaldynamiclistsonthefirewall(Objects > External Dynamic Lists),clickList
CapacitiestocomparehowmanyIPaddresses,domains,andURLsarecurrentlyusedinpolicywiththetotal
numberofentriesthatthefirewallsupportsforeachlisttype.
UseGlobalFindtoSearchtheFirewallorPanoramaManagementServerforadomain,IPaddress,orURLthat
belongstooneormoreexternaldynamiclistsisusedinpolicy.Thisisusefulfordeterminingwhichexternal
dynamiclist(referencedinaSecuritypolicyrule)iscausingthefirewalltoblockorallowacertaindomain,IP
address,orURL.

Find External Dynamic Lists That Failed Authentication

When an external dynamic list that requires SSL fails client or server authentication, the firewall generates a system log of critical severity. The log is critical because the firewall ceases to enforce policy based on the external dynamic list after it fails authentication. Use the following process to view critical system log messages notifying you of authentication failure related to external dynamic lists.

Find External Dynamic Lists That Failed Authentication

Step 1  Select Monitor > Logs > System.

Step 2  Construct the following filters to view all messages related to authentication failure, and apply the filters. For more information, review the complete workflow to Filter Logs.
        Server authentication failure: (eventid eq tls-edl-auth-failure)
        Client authentication failure: (eventid eq edl-cli-auth-failure)

Step 3  Review the system log messages. The message description includes the name of the external dynamic list, the source URL for the list, and the reason for the authentication failure.
        The server that hosts the external dynamic list fails authentication if the certificate is expired. If you have configured the certificate profile to check certificate revocation status via Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP), the server may also fail authentication if:
        The certificate is revoked.
        The revocation status of the certificate is unknown.
        The connection times out as the firewall is attempting to connect to the CRL/OCSP service.
        For more information on certificate profile settings, refer to the steps to Configure a Certificate Profile.
        Verify that you added the root CA and intermediate CA of the server to the certificate profile configured with the external dynamic list. Otherwise, the firewall will not authenticate the list properly.
        Client authentication fails if you have entered the incorrect username and password combination for the external dynamic list.

Step 4  (Optional) Disable Authentication for an External Dynamic List that failed authentication as a stopgap measure until the list owner renews the certificate(s) of the server that hosts the list.

Disable Authentication for an External Dynamic List

Palo Alto Networks recommends that you enable authentication for the servers that host the external dynamic lists configured on your firewall. However, if you Find External Dynamic Lists That Failed Authentication and prefer to disable server authentication for those lists, you can do so through the CLI. The procedure below only applies to external dynamic lists secured with SSL (i.e., lists with an HTTPS URL); the firewall does not enforce server authentication on lists with an HTTP URL.

Disabling server authentication for an external dynamic list also disables client authentication. With client authentication disabled, the firewall will not be able to connect to an external dynamic list that requires a username and password for access.

Disable Server Authentication for an External Dynamic List

Step 1  Launch the CLI and switch to configuration mode as follows:
        username@hostname> configure
        Entering configuration mode
        [edit]
        username@hostname#
        The change from the > to the # symbol indicates that you are now in configuration mode.

Step 2  Enter the appropriate CLI command for the list type:
        IP Address:
        set external-list <external dynamic list name> type ip certificate-profile None
        Domain:
        set external-list <external dynamic list name> type domain certificate-profile None
        URL:
        set external-list <external dynamic list name> type url certificate-profile None

Step 3  Verify that authentication is disabled for the external dynamic list.
        Trigger a refresh for the list (see Retrieve an External Dynamic List from the Web Server). If the firewall retrieves the list successfully, server authentication is disabled.

Register IP Addresses and Tags Dynamically

To mitigate the challenges of scale, lack of flexibility and performance, the architecture in networks today allows for clients, servers, and applications to be provisioned, changed, and deleted on demand. This agility poses a challenge for security administrators because they have limited visibility into the IP addresses of the dynamically provisioned clients and servers, and the plethora of applications that can be enabled on these virtual resources.

The firewall (hardware-based models and the VM-Series) supports the ability to register IP addresses and tags dynamically. The IP addresses and tags can be registered on the firewall directly or registered on the firewall through Panorama. You can also automatically remove tags on the source or destination IP address included in a firewall log.

This dynamic registration process can be enabled using any of the following options:

User-ID agent for Windows: In an environment where you've deployed the User-ID agent, you can enable the User-ID agent to monitor up to 100 VMware ESXi and/or vCenter Servers. As you provision or modify virtual machines on these VMware servers, the agent can retrieve the IP address changes and share them with the firewall.

VM Information Sources: Allows you to monitor VMware ESXi and vCenter Server, and the AWS VPC to retrieve IP address changes when you provision or modify virtual machines on these sources. VM Information Sources polls for a predefined set of attributes and does not require external scripts to register the IP addresses through the XML API. See Monitor Changes in the Virtual Environment.

VMware Service Manager (only available for the integrated NSX solution): The integrated NSX solution is designed for automated provisioning and distribution of Palo Alto Networks next-generation security services and the delivery of dynamic context-based security policies using Panorama. The NSX Manager updates Panorama with the latest information on the IP addresses and tags associated with the virtual machines deployed in this integrated solution. For information on this solution, see Set Up a VM-Series NSX Edition Firewall.

XML API: The firewall and Panorama support an XML API that uses standard HTTP requests to send and receive data. You can use this API to register IP addresses and tags with the firewall or Panorama. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports REST-based services. Refer to the PAN-OS XML API Usage Guide for details.

Auto-Tag: Tag the source or destination IP address automatically when a log is generated on the firewall, and register the IP address and tag mapping to a User-ID agent on the firewall or Panorama, or to a remote User-ID agent using an HTTP server profile. For example, whenever the firewall generates a threat log, you can configure the firewall to tag the source IP address in the threat log with a specific tag name. See Forward Logs to an HTTP(S) Destination.

For information on creating and using Dynamic Address Groups, see Use Dynamic Address Groups in Policy.
For the CLI commands for registering tags dynamically, see CLI Commands for Dynamic IP Addresses and Tags.
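As an added example (not code from this guide or from Palo Alto Networks), the following Python builds the User-ID XML API message that registers and unregisters IP-to-tag mappings and posts it to the firewall. The <uid-message> layout follows the PAN-OS XML API Usage Guide that the text refers to and is assumed here rather than taken from this page; the firewall hostname, API key and sample addresses are placeholders.

```python
"""Build, parse and (optionally) send a PAN-OS User-ID XML API message that
registers or unregisters tags for IP addresses. Constructed example: the
<uid-message> format is assumed from the PAN-OS XML API Usage Guide."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_uid_message(register=None, unregister=None):
    """Return the <uid-message> XML as a string.

    register / unregister map an IP address (or ip/netmask) to a list of tags,
    e.g. {"10.1.22.100": ["state.poweredOn", "annotation.ftp"]} (constructed).
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for action, mapping in (("register", register), ("unregister", unregister)):
        if not mapping:
            continue  # omit an empty <register>/<unregister> section
        section = ET.SubElement(payload, action)
        for ip, tags in mapping.items():
            if not tags:
                raise ValueError(f"{ip}: at least one tag is required")
            entry = ET.SubElement(section, "entry", ip=ip)
            tag_el = ET.SubElement(entry, "tag")
            for tag in tags:
                ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def parse_uid_message(xml_text):
    """Inverse of build_uid_message; handy for auditing what a script sent."""
    root = ET.fromstring(xml_text)
    out = {"register": {}, "unregister": {}}
    for action in out:
        for entry in root.iterfind(f"./payload/{action}/entry"):
            out[action][entry.get("ip")] = [m.text for m in entry.iterfind("./tag/member")]
    return out


def send_uid_message(host, api_key, xml_text, ca_file=None):
    """POST the message to https://<host>/api/ as type=user-id (assumed endpoint).

    The TLS context verifies the firewall's certificate; pass ca_file for a
    private CA. host and api_key are placeholders supplied by the caller.
    """
    form = {"type": "user-id", "key": api_key, "cmd": xml_text}
    data = urllib.parse.urlencode(form).encode()
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(f"https://{host}/api/", data=data, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()
```

The firewall applies the registration within 60 seconds without a commit, so a script like this is usually paired with a check of `show object registered-ip all` afterwards.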

Monitor Changes in the Virtual Environment

To secure applications and prevent threats in an environment where new users and servers are constantly emerging, your security policy must be nimble. To be nimble, the firewall must be able to learn about new or modified IP addresses and consistently apply policy without requiring configuration changes on the firewall. This capability is provided by the coordination between the VM Information Sources and Dynamic Address Groups features on the firewall. The firewall and Panorama provide an automated way to gather information on the virtual machine (or guest) inventory on each monitored source and create policy objects that stay in sync with the dynamic changes on the network.

Enable VM Monitoring to Track Changes on the Virtual Network
Attributes Monitored in the AWS and VMware Environments
Use Dynamic Address Groups in Policy

Enable VM Monitoring to Track Changes on the Virtual Network

VM information sources provide an automated way to gather information on the Virtual Machine (VM) inventory on each monitored source (host); the firewall can monitor the VMware ESXi and vCenter Server, and the AWS VPC. As virtual machines (guests) are deployed or moved, the firewall collects a predefined set of attributes (or metadata elements) as tags; these tags can then be used to define Dynamic Address Groups (see Use Dynamic Address Groups in Policy) and matched against in policy.

Up to 10 VM information sources can be configured on the firewall or pushed using Panorama templates.

By default, the traffic between the firewall and the monitored sources uses the management (MGT) port on the firewall.

VM Information Sources offers easy configuration and enables you to monitor a predefined set of 16 metadata elements or attributes. See Attributes Monitored in the AWS and VMware Environments for the list.

When monitoring ESXi hosts that are part of the VM-Series NSX edition solution, use Dynamic Address Groups instead of using VM Information Sources to learn about changes in the virtual environment. For the VM-Series NSX edition solution, the NSX Manager provides Panorama with information on the NSX security group to which an IP address belongs. The information from the NSX Manager provides the full context for defining the match criteria in a Dynamic Address Group because it uses the service profile ID as a distinguishing attribute and allows you to properly enforce policy when you have overlapping IP addresses across different NSX security groups. Up to a maximum of 32 tags (from vCenter server and NSX Manager) can be registered to an IP address.

Set up the VM Monitoring Agent

Step 1  Enable the VM Monitoring Agent.

        NOTE: You can configure up to 10 VM information sources for each firewall, or for each virtual system on a multiple virtual systems capable firewall.

        If your firewalls are configured in a high availability configuration:
        In an active/passive setup, only the active firewall monitors the VM sources.
        In an active/active setup, only the firewall with the priority value of primary monitors the VM sources.

        1. Select Device > VM Information Sources.
        2. Click Add and enter the following information:
           A Name to identify the VMware ESX(i) or vCenter Server that you want to monitor.
           Enter the Host information for the server (hostname or IP address) and the Port on which it is listening.
           Select the Type to indicate whether the source is a VMware ESX(i) server or a VMware vCenter Server.
           Add the credentials (Username and Password) to authenticate to the server specified above. Use the credentials of an administrative user to enable access.
           (Optional) Modify the Update interval to a value between 5-600 seconds. By default, the firewall polls every 5 seconds. The API calls are queued and retrieved within every 60 seconds, so updates may take up to 60 seconds plus the configured polling interval.
           (Optional) Enter the interval in hours when the connection to the monitored source is closed, if the host does not respond (default: 2 hours, range 2-10 hours).
           To change the default value, select the checkbox to Enable timeout when the source is disconnected and specify the value. When the specified limit is reached or if the host cannot be accessed or does not respond, the firewall will close the connection to the source.
           Click OK, and Commit the changes.
           Verify that the connection Status displays as connected.

Set up the VM Monitoring Agent (Continued)

Step 2  Verify the connection status.

        Verify that the connection Status displays as connected.
        If the connection status is pending or disconnected, verify that the source is operational and that the firewall is able to access the source. If you use a port other than the MGT port for communicating with the monitored source, you must change the service route (Device > Setup > Services, click the Service Route Configuration link and modify the Source Interface for the VM Monitor service).

Attributes Monitored in the AWS and VMware Environments

Each VM on a monitored ESXi or vCenter server must have VMware Tools installed and running. VMware Tools provide the capability to glean the IP address(es) and other values assigned to each VM.

In order to collect the values assigned to the monitored VMs, the firewall monitors the following predefined set of attributes:

Attributes Monitored on a VMware Source:
  UUID
  Name
  Guest OS
  VM State (the power state can be poweredOff, poweredOn, standBy, and unknown)
  Annotation
  Version
  Network: Virtual Switch Name, Port Group Name, and VLAN ID
  Container Name: vCenter Name, Data Center Object Name, Resource Pool Name, Cluster Name, Host, Host IP address

Attributes Monitored on the AWS VPC:
  Architecture
  Guest OS
  Image ID
  Instance ID
  Instance State
  Instance Type
  Key Name
  Placement: Tenancy, Group Name, Availability Zone
  Private DNS Name
  Public DNS Name
  Subnet ID
  Tag (key, value); up to 18 tags supported per instance
  VPC ID

Use Dynamic Address Groups in Policy

Dynamic address groups are used in policy. They allow you to create policy that automatically adapts to changes (adds, moves, or deletions of servers). They also enable the flexibility to apply different rules to the same server based on tags that define its role on the network, the operating system, or the different kinds of traffic it processes.

A dynamic address group uses tags as the filtering criteria to determine its members. The filter uses logical and and or operators. All IP addresses or address groups that match the filtering criteria become members of the dynamic address group. Tags can be defined statically on the firewall and/or registered (dynamically) to the firewall. The difference between static and dynamic tags is that static tags are part of the configuration on the firewall, and dynamic tags are part of the runtime configuration. This implies that a commit is not required to update dynamic tags; the tags must however be used by Dynamic Address Groups that are referenced in policy, and the policy must be committed on the firewall.

To dynamically register tags, you can use the XML API or the VM Monitoring agent on the firewall or on the User-ID agent. Each tag is a metadata element or attribute-value pair that is registered on the firewall or Panorama. For example, IP1 {tag1, tag2, ..... tag32}, where the IP address and the associated tags are maintained as a list; each registered IP address can have up to 32 tags such as the operating system, the datacenter or the virtual switch to which it belongs. Within 60 seconds of the API call, the firewall registers the IP address and associated tags, and automatically updates the membership information for the dynamic address group(s).

The maximum number of IP addresses that can be registered for each model is different. Use the following table for specifics on your model:

Model                                                          Maximum number of dynamically registered IP addresses
PA-7000 Series, PA-5060, VM-300, VM-500, VM-700, VM-1000-HV    100,000
PA-5050                                                        50,000
PA-5020                                                        25,000
PA-3000 Series                                                 5,000
VM-100                                                         2,500
PA-500, PA-200, VM-200, VM-50                                  1,000

The following example shows how dynamic address groups can simplify network security enforcement. The example workflow shows how to:
Enable the VM Monitoring agent on the firewall, to monitor the VMware ESX(i) host or vCenter Server and register VM IP addresses and the associated tags.
Create dynamic address groups and define the tags to filter. In this example, two address groups are created: one that only filters for dynamic tags and another that filters for both static and dynamic tags to populate the members of the group.
Validate that the members of the dynamic address group are populated on the firewall.
Use dynamic address groups in policy. This example uses two different security policies:
  A security policy for all Linux servers that are deployed as FTP servers; this rule matches on dynamically registered tags.

  A security policy for all Linux servers that are deployed as web servers; this rule matches on a dynamic address group that uses static and dynamic tags.
Validate that the members of the dynamic address groups are updated as new FTP or web servers are deployed. This ensures that the security rules are enforced on these new virtual machines too.

Use Dynamic Address Groups in Policy

Step 1  Enable VM Source Monitoring.
        See Enable VM Monitoring to Track Changes on the Virtual Network.

Step 2  Create dynamic address groups on the firewall.
        View the tutorial to see a big picture view of the feature.
        1. Log in to the web interface of the firewall.
        2. Select Objects > Address Groups.
        3. Click Add and enter a Name and a Description for the address group.
        4. Select Type as Dynamic.
        5. Define the match criteria. You can select dynamic and static tags as the match criteria to populate the members of the group. Click Add Match Criteria, select the And or Or operator, select the attributes that you would like to filter for or match against, and then click OK.
        6. Click Commit.

Step 3  The match criteria for each dynamic address group in this example is as follows:
        ftp_server: matches on the guest operating system Linux 64-bit and annotated as ftp ('guestos.Ubuntu Linux 64-bit' and 'annotation.ftp').
        web-servers: matches on two criteria: the tag black, or the guest operating system is Linux 64-bit and the name of the server is Web_server_Corp ('guestos.Ubuntu Linux 64-bit' and 'vmname.WebServer_Corp' or 'black').
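To show how the match criteria above select members from registered tags, here is an added example (not code from the guide or the firewall) that parses a match-criteria string with and/or operators and evaluates it against a constructed registered-ip table; it also models registering and unregistering tags at runtime so membership changes without a commit. The table contents, the 'and' binds tighter than 'or' precedence, and the helper names are assumptions.

```python
"""Evaluate Dynamic Address Group match criteria against a registered-ip table.
Constructed example that models the documented behaviour: filters are quoted
tags joined by and/or, and membership follows registered tags at runtime."""
import re

# Constructed registered-ip table, in the shape "show object registered-ip all"
# reports: each IP address maps to the set of tags registered for it.
REGISTERED_IP = {
    "10.1.22.100": {"guestos.Ubuntu Linux 64-bit", "annotation.ftp", "state.poweredOn"},
    "10.1.22.105": {"guestos.Microsoft Windows Server 2008 32-bit", "state.poweredOn"},
    "192.168.1.102": {"guestos.Ubuntu Linux 64-bit", "vmname.WebServer_Corp"},
    "192.168.1.103": {"black"},  # a static tag defined in the configuration
}

MAX_TAGS_PER_IP = 32  # limit the guide states for each registered IP address

# A match-criteria string is quoted tags joined by and/or, optionally grouped
# with parentheses, e.g. 'guestos.Ubuntu Linux 64-bit' and 'annotation.ftp'
_TOKEN_RE = re.compile(r"\s*(?:'([^']*)'|(and|or|\(|\)))", re.IGNORECASE)


def tokenize(expr):
    """Split a match-criteria string into ("tag", name) and ("op", symbol) tokens."""
    tokens, pos = [], 0
    while expr[pos:].strip():
        m = _TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad match criteria near {expr[pos:]!r}")
        tag, op = m.groups()
        tokens.append(("tag", tag) if tag is not None else ("op", op.lower()))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent parser; 'and' binds tighter than 'or' (an assumption
    that matches how the guide's web-servers example reads)."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()[1]!r}")
        return node

    def expr(self):  # expr := term ('or' term)*
        node = self.term()
        while self.peek() == ("op", "or"):
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):  # term := factor ('and' factor)*
        node = self.factor()
        while self.peek() == ("op", "and"):
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):  # factor := 'tag' | '(' expr ')'
        tok = self.take()
        if tok is None:
            raise ValueError("match criteria ended unexpectedly")
        if tok == ("op", "("):
            node = self.expr()
            if self.take() != ("op", ")"):
                raise ValueError("missing ')'")
            return node
        if tok[0] == "tag":
            return tok
        raise ValueError(f"unexpected token {tok[1]!r}")


def parse_criteria(expr):
    """Return the criteria as a nested tuple AST: ("tag", t) | ("and"|"or", l, r)."""
    return _Parser(tokenize(expr)).parse()


def matches(node, tags):
    """True when the tag set of one registered IP satisfies the AST."""
    if node[0] == "tag":
        return node[1] in tags
    left, right = matches(node[1], tags), matches(node[2], tags)
    return (left and right) if node[0] == "and" else (left or right)


def members(criteria, table=REGISTERED_IP):
    """Current members of a dynamic address group with the given match criteria."""
    ast = parse_criteria(criteria)
    return sorted(ip for ip, tags in table.items() if matches(ast, tags))


def register(table, ip, tags):
    """Add tags to an IP at runtime (what the XML API or VM monitoring does);
    members() reflects the change immediately, with no commit involved."""
    merged = table.get(ip, set()) | set(tags)
    if len(merged) > MAX_TAGS_PER_IP:
        raise ValueError(f"{ip}: at most {MAX_TAGS_PER_IP} tags per registered IP")
    table[ip] = merged


def unregister(table, ip, tags):
    """Remove tags from an IP; drop the IP entirely once no tags remain."""
    remaining = table.get(ip, set()) - set(tags)
    if remaining:
        table[ip] = remaining
    else:
        table.pop(ip, None)
```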

Use Dynamic Address Groups in Policy (Continued)

Step 4  Use dynamic address groups in policy.
        View the tutorial.
        1. Select Policies > Security.
        2. Click Add and enter a Name and a Description for the policy.
        3. Add the Source Zone to specify the zone from which the traffic originates.
        4. Add the Destination Zone at which the traffic is terminating.
        5. For the Destination Address, select the Dynamic address group you just created.
        6. Specify the action (Allow or Deny) for the traffic, and optionally attach the default security profiles to the rule.
        7. Repeat Steps 1 through 6 to create another policy rule.
        8. Click Commit.

Step 5  This example shows how to create two policies: one for all access to FTP servers and the other for access to web servers.

Step 6  Validate that the members of the dynamic address group are populated on the firewall.
        1. Select Policies > Security, and select the rule.
        2. Select the drop-down arrow next to the address group link, and select Inspect. You can also verify that the match criteria is accurate.
        3. Click the more link and verify that the list of registered IP addresses is displayed.
        Policy will be enforced for all IP addresses that belong to this address group, and are displayed here.

CLI Commands for Dynamic IP Addresses and Tags

The Command Line Interface on the firewall and Panorama gives you a detailed view into the different sources from which tags and IP addresses are dynamically registered. It also allows you to audit registered and unregistered tags. The following examples illustrate the capabilities in the CLI.

Example: View all registered IP addresses that match the tag state.poweredOn, or that are not tagged as vSwitch0.
CLI Command:
show log iptag tag_name equal state.poweredOn
show log iptag tag_name not-equal switch.vSwitch0

Example: View all dynamically registered IP addresses that were sourced by the VM Information Source with name vmware1 and tagged as poweredOn.
CLI Command:
show vm-monitor source source-name vmware1 tag state.poweredOn registered-ip all
registered IP                          Tags
-----------------------------          -----------------
fe80::20c:29ff:fe69:2f76 "state.poweredOn"
10.1.22.100 "state.poweredOn"
2001:1890:12f2:11:20c:29ff:fe69:2f76 "state.poweredOn"
fe80::20c:29ff:fe69:2f80 "state.poweredOn"
192.168.1.102 "state.poweredOn"
10.1.22.105 "state.poweredOn"
2001:1890:12f2:11:2cf8:77a9:5435:c0d "state.poweredOn"
fe80::2cf8:77a9:5435:c0d "state.poweredOn"

Example: Clear all IP addresses and tags learned from a specific VM Monitoring source without disconnecting the source.
CLI Command:
debug vm-monitor clear source-name <name>

Example: Display IP addresses registered from all sources.
CLI Command:
show object registered-ip all

Example: Display the count for IP addresses registered from all sources.
CLI Command:
show object registered-ip all option count

Example: Clear IP addresses registered from all sources.
CLI Command:
debug object registered-ip clear all

Example: Add or delete tags for a given IP address that was registered using the XML API.
CLI Command:
debug object test registered-ip [<register/unregister>] <ip/netmask> <tag>

Example: View all tags registered from a specific information source.
CLI Command:
show vm-monitor source source-name vmware1 tag all
vlanId.4095
vswitch.vSwitch1
host-ip.10.1.5.22
portgroup.TOBEUSED
hostname.panserver22
portgroup.VM Network 2
datacenter.ha-datacenter
vlanId.0
state.poweredOn
vswitch.vSwitch0
vmname.Ubuntu22-100
vmname.win2k8-22-105
resource-pool.Resources
vswitch.vSwitch2
guestos.Ubuntu Linux 32-bit
guestos.Microsoft Windows Server 2008 32-bit
annotation.
version.vmx-08
portgroup.VM Network
vm-info-source.vmware1
uuid.564d362c-11cd-b27f-271f-c361604dfad7
uuid.564dd337-677a-eb8d-47db-293bd6692f76
Total: 22

Example: View all tags registered from a specific data source, for example from the VM Monitoring Agent on the firewall, the XML API, the Windows User-ID Agent or the CLI.
CLI Command:
To view tags registered from the CLI:
show log iptag datasource_type equal unknown
To view tags registered from the XML API:
show log iptag datasource_type equal xml-api
To view tags registered from VM Information sources:
show log iptag datasource_type equal vm-monitor
To view tags registered from the Windows User-ID agent:
show log iptag datasource_type equal xml-api datasource_subtype equal user-id-agent

Example: View all tags that are registered for a specific IP address (across all sources).
CLI Command:
debug object registered-ip show tag-source ip <ip_address> tag all

Identify Users Connected through a Proxy Server

If you have a proxy server deployed between the users on your network and the firewall, in HTTP/HTTPS requests the firewall might see the proxy server IP address as the source IP address in the traffic that the proxy forwards rather than the IP address of the client that requested the content. In many cases, the proxy server adds an X-Forwarded-For (XFF) header to traffic packets that includes the actual IPv4 or IPv6 address of the client that requested the content or from whom the request originated. In such cases, you can configure the firewall to read the XFF header values and determine the IP addresses of the client who requested the content. The firewall matches the XFF IP addresses with usernames that your policy rules reference so that those rules can control access for the associated users and groups. The firewall also uses the XFF-derived usernames to populate the source user fields of logs so you can monitor user access to web services.

You can also configure the firewall to add XFF values to URL Filtering logs. In these logs, an XFF value can be the client IP address, client username (if available), the IP address of the last proxy server traversed in a proxy chain, or any string of up to 128 characters that the XFF header stores.

XFF user identification applies only to HTTP or HTTPS traffic, and only if the proxy server supports the XFF header. If the header has an invalid IP address, the firewall uses that IP address as a username for group mapping references in policies. If the XFF header has multiple IP addresses, the firewall uses the first entry from the left.

Use XFF Values for Policies and Logging Source Users
Add XFF Values to URL Filtering Logs

Use XFF Values for Policies and Logging Source Users

You can configure the firewall to use XFF values in user-based policies and in the source user fields of logs. To use XFF values in policies, you must also Enable User-ID.

Logging XFF values doesn't populate the source IP address values of logs. When you view the logs, the source field displays the IP address of the proxy server if one is deployed between the user clients and the firewall. However, you can configure the firewall to Add XFF Values to URL Filtering Logs so that you can see user IP addresses in those logs.

To ensure that attackers can't read and exploit the XFF values in web request packets that exit the firewall to retrieve content from an external server, you can also configure the firewall to strip the XFF values from outgoing packets.

These options are not mutually exclusive: if you configure both, the firewall zeroes out XFF values only after using them in policies and logs.

Use XFF Values for Policies and Logging Source Users

Step 1  Enable the firewall to use XFF values in policies and in the source user fields of logs.
        1. Select Device > Setup > Content-ID and edit the X-Forwarded-For Headers settings.
        2. Select Use X-Forwarded-For Header in User-ID.

Step 2  Remove XFF values from outgoing web requests.
        1. Select Strip X-Forwarded-For Header.
        2. Click OK and Commit.

Use XFF Values for Policies and Logging Source Users (Continued)

Step 3  Verify the firewall is populating the source user fields of logs.
        1. Select a log type that has a source user field (for example, Monitor > Logs > Traffic).
        2. Verify that the Source User column displays the usernames of users who access the web.

Add XFF Values to URL Filtering Logs

You can configure the firewall to add the XFF values from web requests to URL Filtering logs. The XFF values that the logs display can be client IP addresses, usernames if available, or any values of up to 128 characters that the XFF fields store.

This method of logging XFF values doesn't add usernames to the source user fields in URL Filtering logs. To populate the source user fields, see Use XFF Values for Policies and Logging Source Users.

Add XFF Values to URL Filtering Logs

Step 1  Configure a URL Filtering profile.
        1. Select Objects > Security Profiles > URL Filtering.
        2. Select an existing profile or Add a new profile and enter a descriptive Name.
           NOTE: You can't enable XFF logging in the default URL Filtering profile.
        3. In the Categories tab, define site access for each URL category.
        4. Select the Settings tab and select X-Forwarded-For.
        5. Click OK to save the profile.

Step 2  Attach the URL Filtering profile to a policy rule.
        1. Select Policies > Security and click the rule.
        2. Select the Actions tab, set the Profile Type to Profiles, and select the URL Filtering profile you just created.
        3. Click OK and Commit.

Step 3  Verify the firewall is logging XFF values.
        1. Select Monitor > Logs > URL Filtering.
        2. Display the XFF values in one of the following ways:
           To display the XFF value for a single log: click the spyglass icon for the log to display its details. The HTTP Headers section displays the X-Forwarded-For value.
           To display the XFF values for all logs: open the drop-down in any column header, select Columns, and select X-Forwarded-For. The page then displays an X-Forwarded-For column.

Policy-Based Forwarding

Normally, the firewall uses the destination IP address in a packet to determine the outgoing interface. The firewall uses the routing table associated with the virtual router to which the interface is connected to perform the route lookup. Policy-Based Forwarding (PBF) allows you to override the routing table, and specify the outgoing or egress interface based on specific parameters such as source or destination IP address, or type of traffic.

PBF
Create a Policy-Based Forwarding Rule
Use Case: PBF for Outbound Access with Dual ISPs

PBF

PBF rules allow traffic to take an alternative path from the next hop specified in the route table, and are typically used to specify an egress interface for security or performance reasons. Let's say your company has two links between the corporate office and the branch office: a cheaper internet link and a more expensive leased line. The leased line is a high-bandwidth, low-latency link. For enhanced security, you can use PBF to send applications whose traffic isn't encrypted, such as FTP traffic, over the private leased line and all other traffic over the internet link. Or, for performance, you can choose to route business-critical applications over the leased line while sending all other traffic, such as web browsing, over the cheaper link.

Egress Path and Symmetric Return
Path Monitoring for PBF
Service Versus Applications in PBF

Egress Path and Symmetric Return

Using PBF, you can direct traffic to a specific interface on the firewall, drop the traffic, or direct traffic to another virtual system (on systems enabled for multiple virtual systems).

In networks with asymmetric routes, such as in a dual ISP environment, connectivity issues occur when traffic arrives at one interface on the firewall and leaves from another interface. If the route is asymmetrical, where the forward (SYN packet) and return (SYN/ACK) paths are different, the firewall is unable to track the state of the entire session and this causes a connection failure. To ensure that the traffic uses a symmetrical path, which means that the traffic arrives at and leaves from the same interface on which the session was created, you can enable the Symmetric Return option.

With symmetric return, the virtual router overrides a routing lookup for return traffic and instead directs the flow back to the MAC address from which it received the SYN packet (or first packet). However, if the destination IP address is on the same subnet as the ingress/egress interface's IP address, a route lookup is performed and symmetric return is not enforced. This behavior prevents traffic from being black-holed.

To determine the next hop for symmetric returns, the firewall uses an Address Resolution Protocol (ARP) table. The maximum number of entries that this ARP table supports is limited by the firewall model and the value is not user-configurable. To determine the limit for your model, use the CLI command: show pbf return-mac all.

Path Monitoring for PBF

Path monitoring allows you to verify connectivity to an IP address so that the firewall can direct traffic through an alternate route, when needed. The firewall uses ICMP pings as heartbeats to verify that the specified IP address is reachable.

A monitoring profile allows you to specify the threshold number of heartbeats to determine whether the IP address is reachable. When the monitored IP address is unreachable, you can either disable the PBF rule or specify a fail-over or wait-recover action. Disabling the PBF rule allows the virtual router to take over the routing decisions. When the fail-over or wait-recover action is taken, the monitoring profile continues to monitor whether the target IP address is reachable, and when it comes back up, the firewall reverts back to using the original route.

The following table lists the difference in behavior for a path monitoring failure on a new session versus an established session.

Behavior of a session on a monitoring failure

For an established session
  If the rule stays enabled when the monitored IP address is unreachable:
    wait-recover: Continue to use the egress interface specified in the PBF rule.
    fail-over: Use the path determined by the routing table (no PBF).
  If the rule is disabled when the monitored IP address is unreachable:
    wait-recover: Continue to use the egress interface specified in the PBF rule.
    fail-over: Use the path determined by the routing table (no PBF).

For a new session
  If the rule stays enabled when the monitored IP address is unreachable:
    wait-recover: Use the path determined by the routing table (no PBF).
    fail-over: Use the path determined by the routing table (no PBF).
  If the rule is disabled when the monitored IP address is unreachable:
    wait-recover: Check the remaining PBF rules. If no match, use the routing table.
    fail-over: Check the remaining PBF rules. If no match, use the routing table.

Service Versus Applications in PBF

PBF rules are applied either on the first packet (SYN) or the first response to the first packet (SYN/ACK). This means that a PBF rule may be applied before the firewall has enough information to determine the application. Therefore, application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application.

However, if you specify an application in a PBF rule, the firewall performs App-ID caching. When an application passes through the firewall for the first time, the firewall does not have enough information to identify the application and therefore cannot enforce the PBF rule. As more packets arrive, the firewall determines the application and creates an entry in the App-ID cache and retains this App-ID for the session. When a new session is created with the same destination IP address, destination port, and protocol ID, the firewall could identify the application as the same from the initial session (based on the App-ID cache) and apply the PBF rule. Therefore, a session that is not an exact match and is not the same application can be forwarded based on the PBF rule.

Further, applications have dependencies and the identity of the application can change as the firewall receives more packets. Because PBF makes a routing decision at the start of a session, the firewall cannot enforce a change in application identity. YouTube, for example, starts as web-browsing but changes to Flash, RTSP, or YouTube based on the different links and videos included on the page. However with PBF, because the firewall identifies the application as web-browsing at the start of the session, the change in application is not recognized thereafter.

You cannot use custom applications, application filters or application groups in PBF rules.

Create a Policy-Based Forwarding Rule

Use a PBF rule to direct traffic to a specific egress interface on the firewall, and override the default path for the traffic.

Create a PBF Rule

Step 1  Create a PBF rule.

        When creating a PBF rule you must specify a name for the rule, a source zone or interface, and an egress interface. All other components are either optional or have a default value provided.

        You can specify the source and destination addresses using an IP address, an address object, or a FQDN. For the next hop, however, you must specify an IP address.

        1. Select Policies > Policy Based Forwarding and click Add.
        2. Give the rule a descriptive name in the General tab.
        3. In the Source tab, select the following:
           a. Select the Type (Zone or Interface) to which the forwarding policy will be applied, and the relevant zone or interface. If you want to enforce symmetric return, you must select a source interface.
              NOTE: PBF is only supported on Layer 3 interfaces; loopback interfaces do not support PBF.
           b. (Optional) Specify the Source Address to which PBF will apply. For example, a specific IP address or subnet IP address from which you want to forward traffic to the interface or zone specified in this rule.
              NOTE: Use the Negate option to exclude one or more source IP addresses from the PBF rule. For example, if your PBF rule directs all traffic from the specified zone to the internet, Negate allows you to exclude internal IP addresses from the PBF rule.
              The evaluation order is top down. A packet is matched against the first rule that meets the defined criteria; after a match is triggered the subsequent rules are not evaluated.
           c. (Optional) Add and select the Source User or groups of users to whom the policy applies.
        4. In the Destination/Application/Service tab, select the following:
           a. Destination Address. By default the rule applies to Any IP address. Use the Negate option to exclude one or more destination IP addresses from the PBF rule.
           b. Select the Application(s) or Service(s) that you want to control using PBF.
              Application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application. For more details, see Service Versus Applications in PBF.


Step 2: Specify how to forward traffic that matches the rule.

NOTE: If you are configuring PBF in a multi-VSYS environment, you must create separate PBF rules for each virtual system (and create the appropriate Security policy rules to enable the traffic).

1. In the Forwarding tab, select the following:
   a. Set the Action. The options are as follows:
      - Forward: Directs the packet to a specific Egress Interface. Enter the Next Hop IP address for the packet (you cannot use a domain name for the next hop).
      - Forward To VSYS (on a firewall enabled for multiple virtual systems): Select the virtual system to which to forward the packet.
      - Discard: Drop the packet.
      - No PBF: Exclude the packets that match the criteria for source/destination/application/service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.
      NOTE: To trigger the specified action at a daily, weekly or non-recurring frequency, create and attach a Schedule.
      (Optional) Enable Monitoring to verify connectivity to a target IP address or to the next hop IP address. Select Monitor and attach a monitoring Profile (default or custom) that specifies the action when the IP address is unreachable.
   b. (Optional, required for asymmetric routing environments) Select Enforce Symmetric Return and enter one or more IP addresses in the Next Hop Address List (you cannot use an FQDN as the next hop). You can add up to 8 next-hop IP addresses; tunnel and PPPoE interfaces are not available as a next-hop IP address.
      Enabling symmetric return ensures that return traffic (say, from the Trust zone on the LAN to the internet) is forwarded out through the same interface through which traffic ingresses from the internet.

Step 3: Save the policies to the running configuration on the firewall. Click Commit. The PBF rule is in effect.
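The top-down, first-match evaluation, the Negate option and the No PBF action described in Steps 1 and 2 can be tried out in code. The following is an added example, not code from the PAN-OS guide or the firewall: a small Python model of PBF matching with constructed rules that reuse the zone, subnet, interface and next-hop values of the dual-ISP use case in this chapter; the rule names and helper functions are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PbfRule:
    """One PBF rule, reduced to the fields the matching logic needs."""
    name: str
    source_zone: str
    action: str                                # "forward", "discard" or "no-pbf"
    egress_interface: Optional[str] = None     # used by "forward"
    next_hop: Optional[str] = None             # must be an IP address, never an FQDN
    destination: List[str] = field(default_factory=list)  # CIDRs; empty means Any
    negate_destination: bool = False           # the Negate check box
    services: List[Tuple[str, int]] = field(default_factory=list)  # (proto, port); empty means Any


def _destination_matches(rule: PbfRule, dst_ip: str) -> bool:
    if not rule.destination:
        return True                            # Any
    hit = any(ipaddress.ip_address(dst_ip) in ipaddress.ip_network(cidr)
              for cidr in rule.destination)
    return not hit if rule.negate_destination else hit


def evaluate_pbf(rules: List[PbfRule], source_zone: str, dst_ip: str,
                 proto: str, dport: int) -> Tuple[Optional[str], str]:
    """Return (matching rule name, decision) for the first rule that matches,
    or (None, "route-table") when no rule matches. The decision is taken once,
    at the start of the session, which is why PBF cannot follow a later change
    in the identified application."""
    for rule in rules:
        if rule.source_zone != source_zone:
            continue
        if not _destination_matches(rule, dst_ip):
            continue
        if rule.services and (proto, dport) not in rule.services:
            continue
        if rule.action == "forward":
            return rule.name, f"forward via {rule.egress_interface} to {rule.next_hop}"
        if rule.action == "discard":
            return rule.name, "discard"
        return rule.name, "route-table"        # No PBF: matched, but the route table decides
    return None, "route-table"


# Constructed rulebase: an explicit No PBF rule for the internal subnet placed
# first, then the rule that pins web traffic to the primary ISP and also negates
# the internal subnet. Either mechanism alone keeps internal traffic off the ISP link.
RULES = [
    PbfRule("Internal-NoPBF", "Trust", "no-pbf", destination=["192.168.54.0/24"]),
    PbfRule("Use ISP-Pr", "Trust", "forward", egress_interface="ethernet1/1",
            next_hop="1.1.1.1", destination=["192.168.54.0/24"],
            negate_destination=True, services=[("tcp", 80), ("tcp", 443)]),
]

if __name__ == "__main__":
    for zone, ip, proto, port in [("Trust", "203.0.113.10", "tcp", 443),
                                  ("Trust", "192.168.54.20", "tcp", 443),
                                  ("Trust", "203.0.113.10", "udp", 53),
                                  ("DMZ", "203.0.113.10", "tcp", 80)]:
        print(zone, ip, proto, port, "->", evaluate_pbf(RULES, zone, ip, proto, port))
```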


Use Case: PBF for Outbound Access with Dual ISPs

In this use case, the branch office has a dual ISP configuration and implements PBF for redundant internet access. The backup ISP is the default route for traffic from the client to the web servers. In order to enable redundant internet access without using an internetwork protocol such as BGP, we use PBF with destination interface-based source NAT and static routes, and configure the firewall as follows:
- Enable a PBF rule that routes traffic through the primary ISP, and attach a monitoring profile to the rule. The monitoring profile triggers the firewall to use the default route through the backup ISP when the primary ISP is unavailable.
- Define Source NAT rules for both the primary and backup ISP that instruct the firewall to use the source IP address associated with the egress interface for the corresponding ISP. This ensures that the outbound traffic has the correct source IP address.
- Add a static route to the backup ISP, so that when the primary ISP is unavailable, the default route comes into effect and the traffic is directed through the backup ISP.


PBF for Outbound Access with Dual ISPs

Step 1: Configure the ingress and the egress interfaces on the firewall.
Egress interfaces can be in the same zone. In this example we assign the egress interfaces to different zones.
1. Select Network > Interfaces and then select the interface you want to configure, for example, Ethernet1/1 and Ethernet1/3. The interface configuration on the firewall used in this example is as follows:
   Ethernet1/1 connected to the primary ISP:
      Zone: ISP-East
      IP Address: 1.1.1.2/30
      Virtual Router: Default
   Ethernet1/3 connected to the backup ISP:
      Zone: ISP-West
      IP Address: 2.2.2.2/30
      Virtual Router: Default
   Ethernet1/2 is the ingress interface, used by the network clients to connect to the internet:
      Zone: Trust
      IP Address: 192.168.54.1/24
      Virtual Router: Default
2. To save the interface configuration, click OK.

Step 2: On the virtual router, add a static route to the backup ISP.
1. Select Network > Virtual Router and then select the default link to open the Virtual Router dialog.
2. Select the Static Routes tab and click Add. Enter a Name for the route and specify the Destination IP address for which you are defining the static route. In this example, we use 0.0.0.0/0 for all traffic.
3. Select the IP Address radio button and set the Next Hop IP address for your router that connects to the backup internet gateway (you cannot use a domain name for the next hop). In this example, 2.2.2.1.
4. Specify a cost metric for the route. In this example, we use 10.
5. Click OK twice to save the virtual router configuration.


Step 3: Create a PBF rule that directs traffic to the interface that is connected to the primary ISP.
Make sure to exclude traffic destined to internal servers/IP addresses from PBF. Define a negate rule so that traffic destined to internal IP addresses is not routed through the egress interface defined in the PBF rule.
1. Select Policies > Policy Based Forwarding and click Add.
2. Give the rule a descriptive Name in the General tab.
3. In the Source tab, set the Source Zone to Trust.
4. In the Destination/Application/Service tab, set the following:
   a. In the Destination Address section, Add the IP addresses or address range for servers on the internal network or create an address object for your internal servers. Select Negate to exclude the IP addresses or address object listed above from using this rule.
   b. In the Service section, Add the service-http and service-https services to allow HTTP and HTTPS traffic to use the default ports. For all other traffic that is allowed by security policy, the default route will be used.
      NOTE: To forward all traffic using PBF, set the Service to Any.


Step 4: Specify where to forward traffic.
1. In the Forwarding tab, specify the interface to which you want to forward traffic and enable path monitoring.
2. To forward traffic, set the Action to Forward, and select the Egress Interface and specify the Next Hop. In this example, the egress interface is ethernet1/1, and the next hop IP address is 1.1.1.1 (you cannot use a FQDN for the next hop).
3. Enable Monitor and attach the default monitoring profile, to trigger a failover to the backup ISP. In this example, we do not specify a target IP address to monitor. The firewall will monitor the next hop IP address; if this IP address is unreachable the firewall will direct traffic to the default route specified on the virtual router.
4. (Required if you have asymmetric routes.) Select Enforce Symmetric Return to ensure that return traffic from the trust zone to the internet is forwarded out on the same interface through which traffic ingressed from the internet.
5. NAT ensures that the traffic from the internet is returned to the correct interface/IP address on the firewall.
6. Click OK to save the changes.


Step 5: Create NAT rules based on the egress interface and ISP. These rules ensure that the correct source IP address is used for outbound connections.
1. Select Policies > NAT and click Add.
2. In this example, the NAT rule we create for each ISP is as follows:
   NAT for Primary ISP
      In the Original Packet tab,
         Source Zone: trust
         Destination Zone: ISP-West
      In the Translated Packet tab, under Source Address Translation
         Translation Type: Dynamic IP and Port
         Address Type: Interface Address
         Interface: ethernet1/1
         IP Address: 1.1.1.2/30
   NAT for Backup ISP
      In the Original Packet tab,
         Source Zone: trust
         Destination Zone: ISP-East
      In the Translated Packet tab, under Source Address Translation
         Translation Type: Dynamic IP and Port
         Address Type: Interface Address
         Interface: ethernet1/2
         IP Address: 2.2.2.2/30

Step 6: Create security policy to allow outbound access to the internet.
To safely enable applications, create a simple rule that allows access to the internet and attach the security profiles available on the firewall.
1. Select Policies > Security and click Add.
2. Give the rule a descriptive Name in the General tab.
3. In the Source tab, set the Source Zone to trust.
4. In the Destination tab, set the Destination Zone to ISP-East and ISP-West.
5. In the Service/URL Category tab, leave the default application-default.
6. In the Actions tab, complete these tasks:
   a. Set the Action Setting to Allow.
   b. Attach the default profiles for Antivirus, Anti-Spyware, Vulnerability Protection and URL Filtering, under Profile Setting.
7. Under Options, verify that logging is enabled at the end of a session. Only traffic that matches a security rule is logged.


Step 7: Save the policies to the running configuration on the firewall. Click Commit.

Step 8: Verify that the PBF rule is active and that the primary ISP is used for internet access.
1. Launch a web browser and access a web server. On the firewall check the traffic log for web-browsing activity.

2. From a client on the network, use the ping utility to verify connectivity to a web server on the internet and check the traffic log on the firewall.
C:\Users\pm-user1>ping 4.2.2.1
Pinging 4.2.2.1 with 32 bytes of data:
Reply from 4.2.2.1: bytes=32 time=34ms TTL=117
Reply from 4.2.2.1: bytes=32 time=13ms TTL=117
Reply from 4.2.2.1: bytes=32 time=25ms TTL=117
Reply from 4.2.2.1: bytes=32 time=3ms TTL=117
Ping statistics for 4.2.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 3ms, Maximum = 34ms, Average = 18ms

3. To confirm that the PBF rule is active, use the following CLI command:
admin@PA-NGFW> show pbf rule all
Rule ID Rule State Action Egress IF/VSYS NextHop
========== === ========== ====== ==============
Use ISP-Pr 1 Active Forward ethernet1/1 1.1.1.1

Step 9: Verify that the failover to the backup ISP occurs and that the Source NAT is correctly applied.
1. Unplug the connection to the primary ISP.
2. Confirm that the PBF rule is inactive with the following CLI command:
admin@PA-NGFW> show pbf rule all
Rule ID Rule State Action Egress IF/VSYS NextHop
========== === ========== ====== ============== ===
Use ISP-Pr 1 Disabled Forward ethernet1/1 1.1.1.1
3. Access a web server, and check the traffic log to verify that traffic is being forwarded through the backup ISP.


4. View the session details to confirm that the NAT rule is working properly.
admin@PA-NGFW> show session all
---------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto
(translated IP[Port]) Vsys Dst[Dport]/Zone (translated
IP[Port])
---------------------------------------------------------
87212 ssl ACTIVE FLOW NS 192.168.54.56[53236]/Trust/6
(2.2.2.2[12896]) vsys1 204.79.197.200[443]/ISP-East
(204.79.197.200[443])
5. Obtain the session identification number from the output and view the session details. Note that the PBF rule is not used and hence is not listed in the output.
admin@PA-NGFW> show session id 87212

Session 87212

c2s flow:
source: 192.168.54.56 [Trust]
dst: 204.79.197.200
proto: 6
sport: 53236 dport: 443
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown

s2c flow:
source: 204.79.197.200 [ISP-East]
dst: 2.2.2.2
proto: 6
sport: 443 dport: 12896
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Wed Nov5 11:16:10 2014
timeout : 1800 sec
time to live : 1757 sec
total byte count(c2s) : 1918
total byte count(s2c) : 4333
layer7 packet count(c2s) : 10
layer7 packet count(s2c) : 7
vsys : vsys1
application : ssl
rule : Trust2ISP
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
address/port translation : source
nat-rule : NAT-Backup ISP(vsys1)
layer7 processing : enabled
URL filtering enabled : True
URL category : search-engines
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/2
egress interface : ethernet1/3
session QoS rule : N/A (class 4)
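To repeat the checks in Steps 8 and 9 without reading the CLI by eye, the output of show pbf rule all and show session id can be parsed and compared. The following added Python example is not Palo Alto Networks code; the sample outputs are constructed from the values shown above, and the function names and the expected backup interface and NAT rule name are assumptions you would set for your own firewall.

```python
import re
from typing import Dict

# Constructed samples, built from the values in Steps 8 and 9 (the column layout
# follows the page's `show pbf rule all` and `show session id` output).
PBF_PRIMARY_UP = """\
Rule          ID  Rule State  Action   Egress IF/VSYS  NextHop
==========   ===  ==========  ======   ==============  =======
Use ISP-Pr    1   Active      Forward  ethernet1/1     1.1.1.1
"""

PBF_PRIMARY_DOWN = """\
Rule          ID  Rule State  Action   Egress IF/VSYS  NextHop
==========   ===  ==========  ======   ==============  =======
Use ISP-Pr    1   Disabled    Forward  ethernet1/1     1.1.1.1
"""

SESSION_ON_BACKUP = """\
Session           87212
        address/port translation    : source
        nat-rule                    : NAT-Backup ISP(vsys1)
        start time                  : Wed Nov5 11:16:10 2014
        ingress interface           : ethernet1/2
        egress interface            : ethernet1/3
"""

# A data row carries a numeric ID and a state; header and separator lines do not.
_PBF_ROW = re.compile(
    r"^(?P<rule>.+?)\s+(?P<id>\d+)\s+(?P<state>Active|Disabled)\s+"
    r"(?P<action>\S+)\s+(?P<egress>\S+)(?:\s+(?P<nexthop>\S+))?\s*$")


def parse_pbf_rules(text: str) -> Dict[str, Dict[str, str]]:
    """Map rule name -> fields from `show pbf rule all` (rule names may contain spaces)."""
    rules = {}
    for line in text.splitlines():
        m = _PBF_ROW.match(line)
        if m:
            rules[m.group("rule")] = m.groupdict()
    return rules


def parse_session_detail(text: str) -> Dict[str, str]:
    """Map `key : value` lines of `show session id` to a dict; the split is on the
    first colon so values such as timestamps keep theirs."""
    details = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            details[m.group(1)] = m.group(2)
    return details


def check_failover(pbf_text: str, session_text: str, rule_name: str = "Use ISP-Pr",
                   backup_egress: str = "ethernet1/3",
                   backup_nat_rule: str = "NAT-Backup ISP") -> Dict[str, object]:
    """Report which ISP path PBF currently selects and whether a session went out the
    backup interface with the backup source-NAT rule applied. PBF decides at session
    start, so judge with a session opened after the state change."""
    rule = parse_pbf_rules(pbf_text).get(rule_name)
    if rule is None:
        raise ValueError(f"PBF rule {rule_name!r} not found in output")
    session = parse_session_detail(session_text)
    on_backup = rule["state"] == "Disabled"
    backup_egress_used = session.get("egress interface") == backup_egress
    backup_nat_applied = (session.get("address/port translation") == "source"
                          and session.get("nat-rule", "").startswith(backup_nat_rule))
    return {
        "path": "backup" if on_backup else "primary",
        "session_on_backup_interface": backup_egress_used,
        "backup_nat_applied": backup_nat_applied,
        # a session on the backup link while PBF is still Active (or the reverse)
        # is the mismatch worth investigating
        "state_matches_session": on_backup == (backup_egress_used and backup_nat_applied),
    }


if __name__ == "__main__":
    print(check_failover(PBF_PRIMARY_UP, SESSION_ON_BACKUP))
    print(check_failover(PBF_PRIMARY_DOWN, SESSION_ON_BACKUP))
```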

Virtual Systems

This topic describes virtual systems, their benefits, typical use cases, and how to configure them. It also provides links to other topics where virtual systems are documented as they function with other features.
- Virtual Systems Overview
- Communication Between Virtual Systems
- Shared Gateway
- Configure Virtual Systems
- Configure Inter-Virtual System Communication within the Firewall
- Configure a Shared Gateway
- Customize Service Routes for a Virtual System
- Virtual System Functionality with Other Features


Virtual Systems Overview

Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple firewalls, managed service providers and enterprises can use a single pair of firewalls (for high availability) and enable virtual systems on them. Each virtual system (vsys) is an independent, separately managed firewall with its traffic kept separate from the traffic of other virtual systems.
This topic includes the following:
- Virtual System Components and Segmentation
- Benefits of Virtual Systems
- Use Cases for Virtual Systems
- Platform Support and Licensing for Virtual Systems
- Administrative Roles for Virtual Systems
- Shared Objects for Virtual Systems

Virtual System Components and Segmentation

A virtual system is an object that creates an administrative boundary, as shown in the following figure.

A virtual system consists of a set of physical and logical interfaces and subinterfaces (including VLANs and virtual wires), virtual routers, and security zones. You choose the deployment mode(s) (any combination of virtual wire, Layer 2, or Layer 3) of each virtual system. By using virtual systems, you can segment any of the following:
- Administrative access
- The management of all policies (Security, NAT, QoS, Policy-based Forwarding, Decryption, Application Override, Authentication, and DoS protection)
- All objects (such as address objects, application groups and filters, dynamic block lists, security profiles, decryption profiles, custom objects, etc.)
- User-ID
- Certificate management


- Server profiles
- Logging, reporting, and visibility functions
Virtual systems affect the security functions of the firewall, but virtual systems alone do not affect networking functions such as static and dynamic routing. You can segment routing for each virtual system by creating one or more virtual routers for each virtual system, as in the following use cases:
- If you have virtual systems for departments of one organization, and the network traffic for all of the departments is within a common network, you can create a single virtual router for multiple virtual systems.
- If you want routing segmentation and each virtual system's traffic must be isolated from other virtual systems, you can create one or more virtual routers for each virtual system.

Benefits of Virtual Systems

Virtual systems provide the same basic functions as a physical firewall, along with additional benefits:
- Segmented administration: Different organizations (or customers or business units) can control (and monitor) a separate firewall instance, so that they have control over their own traffic without interfering with the traffic or policies of another firewall instance on the same physical firewall.
- Scalability: After the physical firewall is configured, adding or removing customers or business units can be done efficiently. An ISP, managed security service provider, or enterprise can provide different security services to each customer.
- Reduced capital and operational expenses: Virtual systems eliminate the need to have multiple physical firewalls at one location because virtual systems co-exist on one firewall. By not having to purchase multiple firewalls, an organization can save on the hardware expense, electric bills, and rack space, and can reduce maintenance and management expenses.

Use Cases for Virtual Systems

There are many ways to use virtual systems in a network. One common use case is for an ISP or a managed security service provider (MSSP) to deliver services to multiple customers with a single firewall. Customers can choose from a wide array of services that can be enabled or disabled easily. The firewall's role-based administration allows the ISP or MSSP to control each customer's access to functionality (such as logging and reporting) while hiding or offering read-only capabilities for other functions.
Another common use case is within a large enterprise that requires different firewall instances because of different technical or confidentiality requirements among multiple departments. Like the above case, different groups can have different levels of access while IT manages the firewall itself. Services can be tracked and/or billed back to departments to thereby make separate financial accountability possible within an organization.


Platform Support and Licensing for Virtual Systems

Virtual systems are supported on the PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls. Each firewall series supports a base number of virtual systems; the number varies by platform. A Virtual Systems license is required to support multiple virtual systems on the PA-3000 Series firewalls, and to create more than the base number of virtual systems supported on a platform.
For license information, see Activate Licenses and Subscriptions. For the base and maximum number of virtual systems supported, see the Compare Firewalls tool.
Multiple virtual systems are not supported on the PA-200, PA-220, PA-500, PA-800 Series, or VM-Series firewalls.

Administrative Roles for Virtual Systems

A superuser administrator can create virtual systems and add a Device Administrator, vsysadmin, or vsysreader. A Device Administrator can access all virtual systems, but cannot add administrators. The two types of virtual system administrative roles are:
- vsysadmin: Grants full access to a virtual system.
- vsysreader: Grants read-only access to a virtual system.
A virtual system administrator can view logs of only the virtual systems assigned to that administrator. Someone with superuser or Device Admin permission can view all of the logs or select a virtual system to view. Persons with vsysadmin permission can commit configurations for only the virtual systems assigned to them.

Shared Objects for Virtual Systems

If your administrator account extends to multiple virtual systems, you can choose to configure objects (such as an address object) and policies for a specific virtual system or as shared objects, which apply to all of the virtual systems on the firewall. If you try to create a shared object with the same name and type as an existing object in a virtual system, the virtual system object is used.


Communication Between Virtual Systems

There are two typical scenarios where communication between virtual systems (inter-vsys traffic) is desirable. In a multi-tenancy environment, communication between virtual systems can occur by having traffic leave the firewall, go through the Internet, and re-enter the firewall. In a single organization environment, communication between virtual systems can remain within the firewall. This section discusses both scenarios.
- Inter-VSYS Traffic That Must Leave the Firewall
- Inter-VSYS Traffic That Remains Within the Firewall
- Inter-VSYS Communication Uses Two Sessions

Inter-VSYS Traffic That Must Leave the Firewall

An ISP that has multiple customers on a firewall (known as multi-tenancy) can use a virtual system for each customer, and thereby give each customer control over its virtual system configuration. The ISP grants vsysadmin permission to customers. Each customer's traffic and management are isolated from the others. Each virtual system must be configured with its own IP address and one or more virtual routers in order to manage traffic and its own connection to the Internet.
If the virtual systems need to communicate with each other, that traffic goes out the firewall to another Layer 3 routing device and back to the firewall, even though the virtual systems exist on the same physical firewall, as shown in the following figure.


Inter-VSYS Traffic That Remains Within the Firewall

Unlike the preceding multi-tenancy scenario, virtual systems on a firewall can be under the control of a single organization. The organization wants to both isolate traffic between virtual systems and allow communications between virtual systems. This common use case arises when the organization wants to provide departmental separation and still have the departments be able to communicate with each other or connect to the same network(s). In this scenario, the inter-vsys traffic remains within the firewall, as described in the following topics:
- External Zone
- External Zones and Security Policies For Traffic Within a Firewall

External Zone

The communication desired in the use case above is achieved by configuring security policies that point to or from an external zone. An external zone is a security object that is associated with a specific virtual system that it can reach; the zone is external to the virtual system. A virtual system can have only one external zone, regardless of how many security zones the virtual system has within it. External zones are required to allow traffic between zones in different virtual systems, without the traffic leaving the firewall.
The virtual system administrator configures the security policies needed to allow traffic between two virtual systems. Unlike security zones, an external zone is not associated with an interface; it is associated with a virtual system. The security policy allows or denies traffic between the security (internal) zone and the external zone.
Because external zones do not have interfaces or IP addresses associated with them, some zone protection profiles are not supported on external zones.
Remember that each virtual system is a separate instance of a firewall, which means that each packet moving between virtual systems is inspected for security policy and App-ID evaluation.


External Zones and Security Policies For Traffic Within a Firewall

In the following example, an enterprise has two separate administrative groups: the department A and department B virtual systems. The following figure shows the external zone associated with each virtual system, and traffic flowing from one trust zone, out an external zone, into an external zone of another virtual system, and into its trust zone.

To create external zones, the firewall administrator must configure the virtual systems so that they are visible to each other. External zones do not have security policies between them because their virtual systems are visible to each other.
To communicate between virtual systems, the ingress and egress interfaces on the firewall are either assigned to a single virtual router or else they are connected using inter-virtual router static routes. The simpler of these two approaches is to assign all virtual systems that must communicate with each other to a single virtual router.
There might be a reason that the virtual systems need to have their own virtual router, for example, if the virtual systems use overlapping IP address ranges. Traffic can be routed between the virtual systems, but each virtual router must have static routes that point to the other virtual router(s) as the next hop.
Referring to the scenario in the figure above, we have an enterprise with two administrative groups: department A and department B. The department A group manages the local network and the DMZ resources. The department B group manages traffic in and out of the sales segment of the network. All traffic is on a local network, so a single virtual router is used. There are two external zones configured for communication between the two virtual systems. The department A virtual system has three zones used in security policies: deptA-DMZ, deptA-trust, and deptA-External. The department B virtual system also has three zones: deptB-DMZ, deptB-trust, and deptB-External. Both groups can control the traffic passing through their virtual systems.
In order to allow traffic from deptA-trust to deptB-trust, two security policies are required. In the following figure, the two vertical arrows indicate where the security policies (described below the figure) are controlling traffic.


- Security Policy 1: In the preceding figure, traffic is destined for the deptB-trust zone. Traffic leaves the deptA-trust zone and goes to the deptA-External zone. A security policy must allow traffic from the source zone (deptA-trust) to the destination zone (deptA-External). A virtual system allows any policy type to be used for this traffic, including NAT.
  No policy is needed between external zones because traffic sent to an external zone appears in and has automatic access to the other external zones that are visible to the original external zone.
- Security Policy 2: In the preceding figure, the traffic from deptB-External is still destined to the deptB-trust zone, and a security policy must be configured to allow it. The policy must allow traffic from the source zone (deptB-External) to the destination zone (deptB-trust).
The department B virtual system could be configured to block traffic from the department A virtual system, and vice versa. Like traffic from any other zone, traffic from external zones must be explicitly allowed by policy to reach other zones in a virtual system.

In addition to external zones being required for inter-virtual system traffic that does not leave the firewall, external zones are also required if you configure a Shared Gateway, in which case the traffic is intended to leave the firewall.

Inter-VSYS Communication Uses Two Sessions

It is helpful to understand that communication between two virtual systems uses two sessions, unlike the one session used for a single virtual system. Let's compare the scenarios.
- Scenario 1: Vsys1 has two zones: trust1 and untrust1. A host in the trust1 zone initiates traffic when it needs to communicate with a device in the untrust1 zone. The host sends traffic to the firewall, and the firewall creates a new session for source zone trust1 to destination zone untrust1. Only one session is needed for this traffic.
- Scenario 2: A host from vsys1 needs to access a server on vsys2. A host in the trust1 zone initiates traffic to the firewall, and the firewall creates the first session: source zone trust1 to destination zone untrust1. Traffic is routed to vsys2, either internally or externally. Then the firewall creates a second session: source zone untrust2 to destination zone trust2. Two sessions are needed for this inter-vsys traffic.
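The rules stated in the last two sections (one external zone per vsys, mutual visibility, Security Policy 1 and 2, no policy between external zones, and two sessions per inter-vsys flow) can be checked before a commit. The following added Python model is not Palo Alto Networks code and does not talk to a firewall; the department A / department B layout is constructed from the example above and the function and field names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ZonePair = Tuple[str, str]       # (source zone, destination zone) allowed by a security rule
Session = Tuple[str, str, str]   # (vsys, source zone, destination zone) the firewall creates


@dataclass
class Vsys:
    name: str
    zones: Set[str]                                      # internal security zones
    external_zone: Optional[str] = None                  # the single external zone, if any
    visible: Set[str] = field(default_factory=set)       # "Visible Virtual System" setting
    allow: Set[ZonePair] = field(default_factory=set)    # security rules as allowed zone pairs


def check_path(vsys_by_name: Dict[str, Vsys], src_vsys: str, src_zone: str,
               dst_vsys: str, dst_zone: str) -> Tuple[List[Session], List[str]]:
    """Return (sessions, problems): the sessions the firewall would create and every
    reason the traffic would be blocked. An empty problems list means allowed."""
    problems: List[str] = []
    src = vsys_by_name.get(src_vsys)
    dst = vsys_by_name.get(dst_vsys)
    if src is None or dst is None:
        return [], [f"unknown vsys: {src_vsys if src is None else dst_vsys}"]
    if src_zone not in src.zones or dst_zone not in dst.zones:
        return [], ["source or destination zone is not an internal zone of its vsys"]

    # Scenario 1 of the text: same vsys, one session, one security rule.
    if src is dst:
        if (src_zone, dst_zone) not in src.allow:
            problems.append(f"{src.name}: no rule {src_zone} -> {dst_zone}")
        return [(src.name, src_zone, dst_zone)], problems

    # Scenario 2: two vsys, two sessions, external zones as the intermediary.
    if src.external_zone is None:
        problems.append(f"{src.name} has no external zone")
    if dst.external_zone is None:
        problems.append(f"{dst.name} has no external zone")
    if dst.name not in src.visible or src.name not in dst.visible:
        problems.append(f"{src.name} and {dst.name} are not visible to each other")
    if problems:
        return [], problems

    # Security Policy 1: internal zone -> own external zone, in the source vsys.
    if (src_zone, src.external_zone) not in src.allow:
        problems.append(f"{src.name}: no rule {src_zone} -> {src.external_zone}")
    # No rule is needed between the two external zones.
    # Security Policy 2: peer external zone -> internal zone, in the destination vsys.
    if (dst.external_zone, dst_zone) not in dst.allow:
        problems.append(f"{dst.name}: no rule {dst.external_zone} -> {dst_zone}")

    sessions = [(src.name, src_zone, src.external_zone),
                (dst.name, dst.external_zone, dst_zone)]
    return sessions, problems


# Constructed from the department A / department B example in the text.
DEPT_A = Vsys("vsys1", {"deptA-DMZ", "deptA-trust"}, "deptA-External",
              visible={"vsys2"},
              allow={("deptA-trust", "deptA-External")})      # Security Policy 1
DEPT_B = Vsys("vsys2", {"deptB-DMZ", "deptB-trust"}, "deptB-External",
              visible={"vsys1"},
              allow={("deptB-External", "deptB-trust")})      # Security Policy 2
FIREWALL = {v.name: v for v in (DEPT_A, DEPT_B)}

if __name__ == "__main__":
    for path in [("vsys1", "deptA-trust", "vsys2", "deptB-trust"),
                 ("vsys1", "deptA-trust", "vsys2", "deptB-DMZ"),
                 ("vsys2", "deptB-trust", "vsys1", "deptA-trust")]:
        sessions, problems = check_path(FIREWALL, *path)
        print(path, "ALLOWED" if not problems else "BLOCKED", sessions, problems)
```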


Shared Gateway

This topic includes the following information about shared gateways:
- External Zones and Shared Gateway
- Networking Considerations for a Shared Gateway

External Zones and Shared Gateway

A shared gateway is an interface that multiple virtual systems share in order to communicate over the Internet. Each virtual system requires an External Zone, which acts as an intermediary, for configuring security policies that allow or deny traffic from the virtual system's internal zone to the shared gateway. The shared gateway uses a single virtual router to route traffic for all virtual systems. A shared gateway is used in cases when an interface does not need a full administrative boundary around it, or when multiple virtual systems must share a single Internet connection. This second case arises if an ISP provides an organization with only one IP address (interface), but multiple virtual systems need external communication.
Unlike the behavior between virtual systems, security policy and App-ID evaluations are not performed between a virtual system and a shared gateway. That is why using a shared gateway to access the Internet involves less overhead than creating another virtual system to do so.
In the following figure, three customers share a firewall, but there is only one interface accessible to the Internet. Creating another virtual system would add the overhead of App-ID and security policy evaluation for traffic being sent to the interface through the added virtual system. To avoid adding another virtual system, the solution is to configure a shared gateway, as shown in the following diagram.

The shared gateway has one globally routable IP address used to communicate with the outside world. Interfaces in the virtual systems have IP addresses too, but they can be private, non-routable IP addresses.
You will recall that an administrator must specify whether a virtual system is visible to other virtual systems. Unlike a virtual system, a shared gateway is always visible to all of the virtual systems on the firewall.
A shared gateway ID number appears as sg<ID> on the web interface. It is recommended that you name your shared gateway with a name that includes its ID number.


When you add objects such as zones or interfaces to a shared gateway, the shared gateway appears as an available virtual system in the vsys drop-down menu.
A shared gateway is a limited version of a virtual system; it supports NAT and policy-based forwarding (PBF), but does not support Security, DoS policies, QoS, Decryption, Application Override, or Authentication policies.

Networking Considerations for a Shared Gateway

Keep the following in mind while you are configuring a shared gateway.
- The virtual systems in a shared gateway scenario access the Internet through the shared gateway's physical interface, using a single IP address. If the IP addresses of the virtual systems are not globally routable, configure source NAT to translate those addresses to globally routable IP addresses.
- A virtual router routes the traffic for all of the virtual systems through the shared gateway.
- The default route for the virtual systems should point to the shared gateway.
- Security policies must be configured for each virtual system to allow the traffic between the internal zone and external zone, which is visible to the shared gateway.
- A firewall administrator should control the virtual router, so that no member of a virtual system can affect the traffic of other virtual systems.
- Within a Palo Alto Networks firewall, a packet may hop from one virtual system to another virtual system or a shared gateway. A packet may not traverse more than two virtual systems or shared gateways. For example, a packet cannot go from one virtual system to a shared gateway to a second virtual system within the firewall.
To save configuration time and effort, consider the following advantages of a shared gateway:
- Rather than configure NAT for multiple virtual systems associated with a shared gateway, you can configure NAT for the shared gateway.
- Rather than configure policy-based routing (PBR) for multiple virtual systems associated with a shared gateway, you can configure PBR for the shared gateway.


Configure Virtual Systems

Creating a virtual system requires that you have the following:
- A superuser administrative role.
- An interface configured.
- A Virtual Systems license if you are configuring a PA-3000 Series firewall, or if you are creating more than the base number of virtual systems supported on the platform. See Platform Support and Licensing for Virtual Systems.

Configure a Virtual System

Step 1: Enable virtual systems.
1. Select Device > Setup > Management and edit the General Settings.
2. Select the Multi Virtual System Capability check box and click OK. This action triggers a commit if you approve it.
   Only after enabling virtual systems will the Device tab display the Virtual Systems and Shared Gateways options.

Step 2: Create a virtual system.
1. Select Device > Virtual Systems, click Add and enter a virtual system ID, which is appended to vsys (range is 1-255).
   NOTE: The default ID is 1, which makes the default virtual system vsys1. This default appears even on platforms that do not support multiple virtual systems.
2. Check the Allow forwarding of decrypted content check box if you want to allow the firewall to forward decrypted content to an outside service. For example, you must enable this option for the firewall to be able to send decrypted content to WildFire for analysis.
3. Enter a descriptive Name for the virtual system. A maximum of 31 alphanumeric, space, and underscore characters is allowed.


Step 3: Assign interfaces to the virtual system.
The virtual routers, vwires, or VLANs can either be configured already or you can configure them later, at which point you specify the virtual system associated with each.
1. On the General tab, select a DNS Proxy object if you want to apply DNS proxy rules to the interface.
2. In the Interfaces field, click Add to enter the interfaces or subinterfaces to assign to the virtual system. An interface can belong to only one virtual system.
3. Do any of the following, based on the deployment type(s) you need in the virtual system:
   - In the VLANs field, click Add to enter the VLAN(s) to assign to the vsys.
   - In the Virtual Wires field, click Add to enter the virtual wire(s) to assign to the vsys.
   - In the Virtual Routers field, click Add to enter the virtual router(s) to assign to the vsys.
4. In the Visible Virtual System field, check all virtual systems that should be made visible to the virtual system being configured. This is required for virtual systems that need to communicate with each other.
   In a multi-tenancy scenario where strict administrative boundaries are required, no virtual systems would be checked.
5. Click OK.

Step 4: (Optional) Limit the resource allocations for sessions, rules, and VPN tunnels allowed for the virtual system. The flexibility of being able to allocate limits per virtual system allows you to effectively control firewall resources.
1. On the Resource tab, optionally set limits for a virtual system. There are no default values.
   - Sessions Limit: Range is 1-262144.
   - Security Rules: Range is 0-2500.
   - NAT Rules: Range is 0-3000.
   - Decryption Rules: Range is 0-250.
   - QoS Rules: Range is 0-1000.
   - Application Override Rules: Range is 0-250.
   - Policy Based Forwarding Rules: Range is 0-500.
   - Authentication Rules: Range is 0-1000.
   - DoS Protection Rules: Range is 0-1000.
   - Site to Site VPN Tunnels: Range is 0-1024.
   - Concurrent SSL VPN Tunnels: Range is 0-1024.
2. Click OK.

Step5 Savetheconfiguration. ClickCommitandOK.Thevirtualsystemisnowanobject


accessiblefromtheObjectstab.

Step6 Createatleastonevirtualrouterforthe 1. SelectNetwork > Virtual RoutersandAddavirtualrouterby


virtualsysteminordertomakethe Name.
virtualsystemcapableofnetworking 2. ForInterfaces,clickAddandfromthedropdown,selectthe
functions,suchasstaticanddynamic interfacesthatbelongtothevirtualrouter.
routing.
3. ClickOK.
Alternatively,yourvirtualsystemmight
useaVLANoravirtualwire,depending
onyourdeployment.

Step7 Configureasecurityzoneforeach Foratleastoneinterface,createaLayer3securityzone.See


interfaceinthevirtualsystem. ConfigureInterfacesandZones.

1044 PANOS8.0AdministratorsGuide PaloAltoNetworks,Inc.


VirtualSystems ConfigureVirtualSystems

ConfigureaVirtualSystem

Step8 Configurethesecuritypolicyrulesthat SeeCreateaSecurityPolicyRule.


allowordenytraffictoandfromthe
zonesinthevirtualsystem.

Step9 Savetheconfiguration. ClickCommitandOK.


Aftercreatingavirtualsystem,youcanusetheCLIto
commitaconfigurationforonlyaspecificvirtualsystem:
commit partial vsys vsys<id>

Step10 (Optional)Viewthesecuritypolicies OpenanSSHsessiontousetheCLI.Toviewthesecuritypolicies


configuredforavirtualsystem. foravirtualsystem,inoperationalmode,usethefollowing
commands:
set system setting target-vsys <vsys-id>
show running security-policy

PaloAltoNetworks,Inc. PANOS8.0AdministratorsGuide 1045


ConfigureInterVirtualSystemCommunicationwithintheFirewall VirtualSystems

Configure Inter-Virtual System Communication within the Firewall

Perform this task if you have a use case, perhaps within a single enterprise, where you want the virtual systems to be able to communicate with each other within the firewall. Such a scenario is described in Inter-VSYS Traffic That Remains Within the Firewall. This task presumes:
- You completed the task, Configure Virtual Systems.
- When configuring the virtual systems, in the Visible Virtual System field, you checked the boxes of all virtual systems that must communicate with each other to be visible to each other.

Configure Inter-Virtual System Communication within the Firewall

Step 1   Configure an external zone for each virtual system.
         1. Select Network > Zones and Add a new zone by Name.
         2. For Location, select the virtual system for which you are creating an external zone.
         3. For Type, select External.
         4. For Virtual Systems, click Add and enter the virtual system that the external zone can reach.
         5. Zone Protection Profile: Optionally select a zone protection profile (or configure one later) that provides flood, reconnaissance, or packet-based attack protection.
         6. Log Setting: Optionally select a log forwarding profile for forwarding zone protection logs to an external system.
         7. Optionally select the Enable User Identification check box to enable User-ID for the external zone.
         8. Click OK.

Step 2   Configure the Security policy rules to allow or deny traffic from the internal zones to the external zone of the virtual system, and vice versa.
         See Create a Security Policy Rule.
         See Inter-VSYS Traffic That Remains Within the Firewall.

Step 3   Save the configuration.
         Click Commit.

Configure a Shared Gateway

Perform this task if you need multiple virtual systems to share an interface (a Shared Gateway) to the Internet. This task presumes:
- You configured an interface with a globally routable IP address, which will be the shared gateway.
- You completed the prior task, Configure Virtual Systems. For the interface, you chose the external-facing interface with the globally routable IP address.
- When configuring the virtual systems, in the Visible Virtual System field, you checked the boxes of all virtual systems that must communicate to be visible to each other.

Configure a Shared Gateway

Step 1   Configure a Shared Gateway.
         1. Select Device > Shared Gateway, click Add and enter an ID.
         2. Enter a helpful Name, preferably including the ID of the gateway.
         3. In the DNS Proxy field, select a DNS proxy object if you want to apply DNS proxy rules to the interface.
         4. Add an Interface that connects to the outside world.
         5. Click OK.

Step 2   Configure the zone for the shared gateway.
         NOTE: When adding objects such as zones or interfaces to a shared gateway, the shared gateway itself will be listed as an available vsys in the VSYS drop-down menu.
         1. Select Network > Zones and Add a new zone by Name.
         2. For Location, select the shared gateway for which you are creating a zone.
         3. For Type, select Layer3.
         4. Zone Protection Profile: Optionally select a zone protection profile (or configure one later) that provides flood, reconnaissance, or packet-based attack protection.
         5. Log Setting: Optionally select a log forwarding profile for forwarding zone protection logs to an external system.
         6. Optionally select the Enable User Identification check box to enable User-ID for the shared gateway.
         7. Click OK.

Step 3   Save the configuration.
         Click Commit.

Customize Service Routes for a Virtual System

When a firewall is enabled for multiple virtual systems, the virtual systems inherit the global service and service route settings. For example, the firewall can use a shared email server to originate email alerts to all virtual systems. In some scenarios, you'd want to create different service routes for each virtual system.
One use case for configuring service routes at the virtual system level is if you are an ISP who needs to support multiple individual tenants on a single Palo Alto Networks firewall. Each tenant requires custom service routes to access services such as DNS, Kerberos, LDAP, NetFlow, RADIUS, TACACS+, Multi-Factor Authentication, email, SNMP trap, syslog, HTTP, User-ID Agent, VM Monitor, and Panorama (deployment of content and software updates). Another use case is an IT organization that wants to provide full autonomy to groups that set up servers for services. Each group can have a virtual system and define its own service routes.

You can select a virtual router for a service route in a virtual system; you cannot select the egress interface. After you select the virtual router and the firewall sends the packet from the virtual router, the firewall selects the egress interface based on the destination IP address. Therefore, if a virtual system has multiple virtual routers, packets to all of the servers for a service must egress out of only one virtual router. A packet with an interface source address may egress a different interface, but the return traffic would be on the interface that has the source IP address, creating asymmetric traffic.

- Customize Service Routes to Services for Virtual Systems
- Configure a PA-7000 Series Firewall for Logging Per Virtual System
- Configure Administrative Access Per Virtual System or Firewall

Customize Service Routes to Services for Virtual Systems

When you enable Multi Virtual System Capability, any virtual system that does not have specific service routes configured inherits the global service and service route settings for the firewall. You can instead configure a virtual system to use a different service route, as described in the following workflow.
A firewall with multiple virtual systems must have interfaces and subinterfaces with non-overlapping IP addresses. A per-virtual-system service route for SNMP traps or for Kerberos is for IPv4 only.

The firewall supports syslog forwarding on a virtual system basis. When multiple virtual systems on a firewall are connecting to a syslog server using SSL transport, the firewall can generate only one certificate for secure communication. The firewall does not support each virtual system having its own certificate.

Customize Service Routes to Services Per Virtual System

Step 1   Customize service routes for a virtual system.
         1. Select Device > Setup > Services > Virtual Systems, and select the virtual system you want to configure.
         2. Click the Service Route Configuration link.
         3. Select one of the radio buttons:
            - Inherit Global Service Route Configuration: Causes the virtual system to inherit the global service route settings relevant to a virtual system. If you choose this option, skip down to step 7.
            - Customize: Allows you to specify a source interface and source address for each service.
         4. If you chose Customize, select the IPv4 or IPv6 tab, depending on what type of addressing the server offering the service uses. You can specify both IPv4 and IPv6 addresses for a service. Click the check box(es) for the services for which you want to specify the same source information. (Only services that are relevant to a virtual system are available.) Click Set Selected Service Routes.
            - For Source Interface, select Any, Inherit Global Setting, or an interface from the drop-down to specify the source interface that will be used in packets sent to the external service(s). Hence, the server's response will be sent to that source interface. In our example deployment, you would set the source interface to be the subinterface of the tenant.
            - Source Address will indicate Inherited if you selected Inherit Global Setting for the Source Interface, or it will indicate the source address of the Source Interface you selected. If you selected Any for Source Interface, select an IP address from the drop-down, or enter an IP address (using the IPv4 or IPv6 format that matches the tab you chose) to specify the source address that will be used in packets sent to the external service.
            - If you modify an address object and the IP family type (IPv4/IPv6) changes, a Commit is required to update the service route family to use.
         5. Click OK.
         6. Repeat steps 4 and 5 to configure source addresses for other external services.
         7. Click OK.

Step 2   Save the configuration.
         Click Commit and OK.
         If you are configuring per-virtual-system service routes for logging services for a PA-7000 Series firewall, continue to the task Configure a PA-7000 Series Firewall for Logging Per Virtual System.

Configure a PA-7000 Series Firewall for Logging Per Virtual System

For Traffic, HIP Match, Threat, and WildFire log types, the PA-7000 Series firewall does not use service routes for SNMP Trap, Syslog and email services. Instead, the PA-7000 Series firewall Log Processing Card (LPC) supports virtual system-specific paths from LPC subinterfaces to an on-premises switch to the respective service on a server. For System and Config logs, the PA-7000 Series firewall uses global service routes, and not the LPC.
In other Palo Alto Networks platforms, the dataplane sends logging service route traffic to the management plane, which sends the traffic to logging servers. In the PA-7000 Series firewall, each LPC has only one interface, and dataplanes for multiple virtual systems send logging server traffic (types mentioned above) to the PA-7000 Series firewall LPC. The LPC is configured with multiple subinterfaces, over which the platform sends the logging service traffic out to a customer's switch, which can be connected to multiple logging servers.
Each LPC subinterface can be configured with a subinterface name and a dotted subinterface number. The subinterface is assigned to a virtual system, which is configured for logging services. The other service routes on a PA-7000 Series firewall function similarly to service routes on other Palo Alto Networks platforms. For information about the LPC itself, see the PA-7000 Series Hardware Reference Guide.
If you have enabled multi-virtual system capability on your PA-7000 Series firewall, you can configure logging for different virtual systems as described in the following workflow.

Configure a PA-7000 Series Firewall Subinterface for Service Routes per Virtual System

Step 1   Create a Log Card subinterface.
         1. Select Network > Interfaces > Ethernet and select the interface that will be the Log Card interface.
         2. Enter the Interface Name.
         3. For Interface Type, select Log Card from the drop-down.
         4. Click OK.

Step 2   Add a subinterface for each tenant on the LPC's physical interface.
         1. Highlight the Ethernet interface that is a Log Card interface type and click Add Subinterface.
         2. For Interface Name, after the period, enter the subinterface assigned to the tenant's virtual system.
         3. For Tag, enter a VLAN tag value.
            TIP: Make the tag the same as the subinterface number for ease of use, but it could be a different number.
         4. (Optional) Enter a Comment.
         5. On the Config tab, in the Assign Interface to Virtual System field, select the virtual system to which the LPC subinterface is assigned (from the drop-down). Alternatively, you can click Virtual Systems to add a new virtual system.
         6. Click OK.

Step 3   Enter the addresses assigned to the subinterface, and configure the default gateway.
         1. Select the Log Card Forwarding tab, and do one or both of the following:
            - For the IPv4 section, enter the IP Address and Netmask assigned to the subinterface. Enter the Default Gateway (the next hop where packets will be sent that have no known next hop address in the Routing Information Base [RIB]).
            - For the IPv6 section, enter the IPv6 Address assigned to the subinterface. Enter the IPv6 Default Gateway.
         2. Click OK.

Step 4   Save the configuration.
         Click OK and Commit.

Step 5   If you haven't already done so, configure the remaining service routes for the virtual system.
         See Customize Service Routes for a Virtual System.

Configure Administrative Access Per Virtual System or Firewall

If you have a superuser administrative account, you can create and configure granular permissions for a vsysadmin or deviceadmin role.

Create an Admin Role Profile Per Virtual System or Firewall

Step 1   Create an Admin Role Profile that grants or disables permission to an Administrator to configure or read only various areas of the web interface.
         1. Select Device > Admin Roles and Add an Admin Role Profile.
         2. Enter a Name and optional Description of the profile.
         3. For Role, specify which level of control the profile affects:
            - Device: The profile allows the management of the global settings and any virtual systems.
            - Virtual System: The profile allows the management of only the virtual system(s) assigned to the administrator(s) who have this profile. (The administrator will be able to access Device > Setup > Services > Virtual Systems, but not the Global tab.)
         4. On the Web UI tab for the Admin Role Profile, scroll down to Device, and leave the green check mark (Enable). Under Device, enable Setup. Under Setup, enable the areas to which this profile will grant configuration permission to the administrator, as shown below. (The Read Only lock icon appears in the Enable/Disable rotation if Read Only is allowed for that setting.)
            - Management: Allows an admin with this profile to configure settings on the Management tab.
            - Operations: Allows an admin with this profile to configure settings on the Operations tab.
            - Services: Allows an admin with this profile to configure settings on the Services tab. An admin must have Services enabled in order to access the Device > Setup > Services > Virtual Systems tab. If the Role was specified as Virtual System in the prior step, Services is the only setting that can be enabled under Device > Setup.
            - Content-ID: Allows an admin with this profile to configure settings on the Content-ID tab.
            - WildFire: Allows an admin with this profile to configure settings on the WildFire tab.
            - Session: Allows an admin with this profile to configure settings on the Session tab.
            - HSM: Allows an admin with this profile to configure settings on the HSM tab.
         5. Click OK.
         6. (Optional) Repeat the entire step to create another Admin Role profile with different permissions, as necessary.

Step 2   Apply the Admin role profile to an administrator.
         1. Select Device > Administrators, click Add and enter the Name to add an Administrator.
         2. (Optional) Select an Authentication Profile.
         3. (Optional) Select Use only client certificate authentication (Web) to have bidirectional authentication; that is, to get the server to authenticate the client.
         4. Enter a Password and Confirm Password.
         5. (Optional) Select Use Public Key Authentication (SSH) if you want to use a much stronger, key-based authentication method using an SSH public key rather than just a password.
         6. For Administrator Type, select Role Based.
         7. For Profile, select the profile that you just created.
         8. (Optional) Select a Password Profile.
         9. Click OK.

Step 3   Save the configuration.
         Click Commit and OK.

Virtual System Functionality with Other Features

Many firewall features and functionality are capable of being configured, viewed, logged, or reported per virtual system. Therefore, virtual systems are mentioned in other relevant locations in the documentation and that information is not repeated here. Some of the specific chapters are the following:
- If you are configuring Active/Passive HA, the two firewalls must have the same virtual system capability (single or multiple virtual system capability). See High Availability.
- To configure QoS for virtual systems, see Configure QoS for a Virtual System.
- For information about configuring a firewall with virtual systems in a virtual wire deployment that uses subinterfaces (and VLAN tags), see Virtual Wire Interfaces.

Zone Protection and DoS Protection

Attacks against your network can originate externally or internally. Because different parts of a network perform functions that require different types and levels of protection, a global security policy or port-based security is not granular enough to properly secure each part of the network.
The solution is to segment the network into functional and organizational zones to reduce the network's attack surface (the portion of the network and its traffic exposed to potential external and internal attackers). You protect each zone by using zone protection to protect zone borders and denial-of-service (DoS) protection to defend the endpoints and resources in each security zone.
- Network Segmentation Using Zones
- How Do Zones Protect the Network?
- Zone Defense
- Configure Zone Protection to Increase Network Security
- DoS Protection Against Flooding of New Sessions

Network Segmentation Using Zones

The larger the network, the more difficult it is to protect. A large, unsegmented network presents a large attack surface with more weaknesses and vulnerabilities. Because traffic and applications have access to the entire network, once an attacker gains entry to a network, the attacker can move laterally through the network to access critical data. A large network is also more difficult to monitor and control. Segmenting the network limits an attacker's ability to move through the network by preventing lateral movement between zones.
A security zone is a group of one or more physical or virtual firewall interfaces and the network segments connected to the zone's interfaces. You control protection for each zone individually so that each zone receives the specific protections it needs. For example, a zone for the finance department may not need to allow all of the applications that a zone for IT allows.
To fully protect your network, all traffic must flow through the firewall. Configure Interfaces and Zones to create separate zones for different functional areas such as the internet gateway, sensitive data storage, and business applications, and for different organizational groups such as finance, IT, marketing, and engineering. Wherever there is a logical division of functionality, application usage, or user access privileges, you can create a separate zone to isolate and protect the area and apply the appropriate security policy rules to prevent unnecessary access to data and applications that only one or some groups need to access. The more granular the zones, the greater the visibility and control you have over network traffic. Dividing your network into zones helps to create a Zero Trust architecture that executes a security philosophy of trusting no users, devices, applications, or packets, and verifying everything. The end goal is to create a network that allows access only to the users, devices, and applications that have legitimate business needs, and to deny all other traffic.
How to appropriately restrict and permit access to zones depends on the network environment. For example, environments such as semiconductor manufacturing floors or robotic assembly plants, where the workstations control sensitive manufacturing equipment, or highly restricted access areas, may require physical segmentation that permits no access from outside devices (no mobile device access).
In environments where users can access the network with mobile devices, enabling User-ID and App-ID in conjunction with segmenting the network into zones ensures that users receive the appropriate access privileges regardless of where they access the network, because access privileges are tied to a user or a user group instead of to a device in one particular zone.
The protection requirements for different functional areas and groups may also differ. For example, a zone that handles a large amount of traffic may require different flood protection thresholds than a zone that normally handles less traffic. The ability to define the appropriate protection for each zone is another reason to segment the network. What appropriate protection is depends on your network architecture, what you want to protect, and what traffic you want to permit and deny.

How Do Zones Protect the Network?

Zones not only protect your network by segmenting it into smaller, more easily controlled areas; zones also protect the network because you can control access to zones and traffic movement between zones.
Zones prevent uncontrolled traffic from flowing through the firewall interfaces into your network because firewall interfaces can't process traffic until you assign them to zones. The firewall applies zone protection on ingress interfaces, where traffic enters the firewall in the direction of flow from the originating client to the responding server (c2s), to filter traffic before it enters a zone.
The firewall interface type and the zone type (Tap, virtual wire, L2, L3, Tunnel, or External) must match, which helps to protect the network against admitting traffic that doesn't belong in a zone. For example, you can assign an L2 interface to an L2 zone or an L3 interface to an L3 zone, but you can't assign an L2 interface to an L3 zone.
In addition, a firewall interface can belong to one zone only. Traffic destined for different zones can't use the same interface, which helps to prevent inappropriate traffic from entering a zone and enables you to configure the protection appropriate for each individual zone. You can connect more than one firewall interface to a zone to increase bandwidth, but each interface can connect to only one zone.
After the firewall admits traffic to a zone, traffic flows freely within that zone and is not logged. The smaller you make each zone, the greater the control you have over the traffic that accesses each zone, and the more difficult it is for malware to move laterally across the network between zones. Traffic can't flow between zones unless a security policy rule allows it and the zones are of the same zone type (Tap, virtual wire, L2, L3, Tunnel, or External). For example, a security policy rule can allow traffic between two L3 zones, but not between an L3 zone and an L2 zone. The firewall logs traffic that flows between zones when a security policy rule permits interzone traffic.
By default, security policy rules prevent lateral movement of traffic between zones, so malware can't gain access to one zone and then move freely through the network to other targets.
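The three invariants stated in this section (an interface processes traffic only once it is in exactly one zone, the interface type must match the zone type, and a security policy rule can only join zones of the same type) are worth checking mechanically during a configuration review. The Python below is an added example written for this page, not Palo Alto Networks code or output; its data classes, the interface names and the zone names are constructed for the illustration, with two deliberate mistakes so that the checks have something to report.

```python
"""Checks for the zone/interface invariants described above.

Added example, not Palo Alto Networks code. It models three statements
from the text as checks over a constructed configuration:
  1. a traffic-carrying interface must be assigned to exactly one zone;
  2. an interface's type must match the type of its zone;
  3. a security policy rule can only join zones of the same type.
The data classes and the sample objects (interface and zone names) are
assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Zone types named in the text; interfaces use the same vocabulary.
ZONE_TYPES = {"tap", "virtual-wire", "layer2", "layer3", "tunnel", "external"}


@dataclass
class Interface:
    name: str
    type: str


@dataclass
class Zone:
    name: str
    type: str
    interfaces: List[str] = field(default_factory=list)


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str


def validate(interfaces: Dict[str, Interface],
             zones: Dict[str, Zone],
             rules: List[Rule]) -> List[str]:
    """Return human-readable violations; an empty list means the
    configuration satisfies all three invariants."""
    problems: List[str] = []
    owners: Dict[str, List[str]] = {}   # interface name -> zones claiming it

    for zone in zones.values():
        if zone.type not in ZONE_TYPES:
            problems.append(f"zone {zone.name}: unknown zone type {zone.type!r}")
        for ifname in zone.interfaces:
            owners.setdefault(ifname, []).append(zone.name)
            iface = interfaces.get(ifname)
            if iface is None:
                problems.append(f"zone {zone.name}: interface {ifname} does not exist")
            elif iface.type != zone.type:
                # invariant 2: e.g. an L2 interface cannot be placed in an L3 zone
                problems.append(f"interface {ifname} ({iface.type}) cannot join "
                                f"{zone.type} zone {zone.name}")

    for ifname in interfaces:
        claims = owners.get(ifname, [])
        if not claims:
            # invariant 1: an unassigned interface cannot process traffic
            problems.append(f"interface {ifname} is not assigned to any zone")
        elif len(claims) > 1:
            problems.append(f"interface {ifname} is claimed by several zones: "
                            + ", ".join(claims))

    for rule in rules:
        src, dst = zones.get(rule.from_zone), zones.get(rule.to_zone)
        if src is None or dst is None:
            problems.append(f"rule {rule.name}: references an undefined zone")
        elif src.type != dst.type:
            # invariant 3: interzone traffic only between zones of the same type
            problems.append(f"rule {rule.name}: cannot allow traffic between "
                            f"{src.type} zone {src.name} and {dst.type} zone {dst.name}")
    return problems


# Constructed sample configuration with deliberate mistakes (hypothetical names).
SAMPLE_INTERFACES = {
    "ethernet1/1": Interface("ethernet1/1", "layer3"),
    "ethernet1/2": Interface("ethernet1/2", "layer3"),
    "ethernet1/3": Interface("ethernet1/3", "layer2"),
    "ethernet1/4": Interface("ethernet1/4", "layer3"),   # never assigned to a zone
}
SAMPLE_ZONES = {
    "trust":   Zone("trust", "layer3", ["ethernet1/1"]),
    "untrust": Zone("untrust", "layer3", ["ethernet1/2"]),
    "l2-lan":  Zone("l2-lan", "layer2", ["ethernet1/3"]),
    "bad":     Zone("bad", "layer3", ["ethernet1/3"]),      # wrong type and a second owner
}
SAMPLE_RULES = [
    Rule("trust-to-untrust", "trust", "untrust"),   # fine: both layer3
    Rule("l2-to-trust", "l2-lan", "trust"),         # violates invariant 3
]


def sample_violations() -> List[str]:
    return validate(SAMPLE_INTERFACES, SAMPLE_ZONES, SAMPLE_RULES)


if __name__ == "__main__":
    for line in sample_violations():
        print(line)
```

Run as a script it lists the four problems in the sample: the type mismatch and double ownership of ethernet1/3, the unassigned ethernet1/4, and the rule that tries to join an L2 zone to an L3 zone.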

Tunnel zones are for non-encrypted tunnels. You can apply different security policy rules to the tunnel content and to the zone of the outer tunnel, as described in the Tunnel Content Inspection Overview.

Zone Defense

Zone protection defends zones from flooding, reconnaissance, packet-based, and protocol-based attacks with zone protection profiles, and from targeted flooding and resource attacks with denial-of-service (DoS) protection profiles and DoS protection policy rules, to complement next-generation firewall features such as App-ID and User-ID. A DoS attack overloads the network with large amounts of unwanted traffic in an attempt to disrupt network services.
Unlike security policy rules, there are no default zone protection profiles or DoS protection profiles and DoS protection policy rules. You configure and apply zone protection based on the way you segment your network into zones and on what you want to protect in each zone.
- Zone Defense Tools
- How Do the Zone Defense Tools Work?
- Zone Protection Profiles
- Packet Buffer Protection
- DoS Protection Profiles and Policy Rules

Zone Defense Tools

Palo Alto Networks firewalls provide three complementary tools to protect the zones in your network:
- Zone protection profiles defend the zone at the ingress zone edge against reconnaissance port scan and host sweep attacks, IP packet-based attacks, non-IP protocol attacks, and against flood attacks by limiting the number of connections per second of different packet types. The ingress zone is where traffic enters the firewall in the direction of flow from the client to the server (c2s), where the client is the originator of the flow and the server is the responder. The egress zone is where traffic enters the firewall in the direction of flow from the server to the client (s2c).
  Zone protection profiles provide broad defense of the entire zone based on the aggregate traffic entering the zone, protecting against flood attacks and undesirable packet types and options. Zone protection profiles don't control traffic between zones; they control traffic only at the ingress zone. Zone protection profiles don't take individual IP addresses into account because they apply to the aggregate traffic entering the zone (DoS protection policy rules defend individual IP addresses in a zone).
  Use zone protection profiles as a first pass to detect and remove non-compliant traffic. Zone protection profiles defend the network as the session is formed, before the firewall performs DoS protection policy and security policy rule lookups, and consume fewer CPU cycles than a DoS protection policy or security policy rule lookup. If a zone protection profile denies traffic, the firewall doesn't spend CPU cycles on policy rule lookups.
- DoS protection profiles and DoS protection policy rules defend against flood attacks and protect specific individual endpoints and resources. The difference between flood protection using a zone protection profile and using a DoS protection profile is that a zone protection profile defends an entire ingress zone based on the aggregate traffic flowing into the zone, while a DoS protection policy rule applies a DoS protection profile that can protect specific IP addresses and address groups, users, zones, and interfaces, so DoS protection is more granular and targeted than a zone protection profile.
  A DoS protection profile sets flood protection thresholds (connections per second limits), resource protection thresholds (session limits for specified endpoints and resources), and whether the profile applies to aggregate or classified traffic.

  A DoS protection policy rule specifies:
  - Source, destination, and services match criteria.
  - The action to take when traffic matches the rule.
  - Logging and scheduling options.
  - The aggregate or classified DoS protection profile the rule applies to matching traffic when protecting resources.
  Aggregate DoS protection profiles and policy rules apply to all of the traffic that matches the specified source, destination, and services. Classified DoS protection profiles and policy rules protect only the traffic that matches the source, destination, or source-and-destination pair IP addresses and the services specified in the DoS protection policy rule.
- Security policy rules affect both the ingress (c2s) and egress (s2c) flows of a session. To establish a session, the incoming traffic must match an existing security policy rule (including the default rules). If there is no match, the firewall discards the packet.
  A Security Policy can protect zones by controlling traffic between zones (interzone) and within zones (intrazone) using criteria including zones, IP addresses, users, applications, services, and URL categories. The default security policy rules do not permit traffic to travel between zones, so you need to configure a security rule if you want to allow interzone traffic. All intrazone traffic is allowed by default. You can configure security policy rules to match and control intrazone, interzone, or universal (intrazone and interzone) traffic.

Zone protection profiles, DoS protection profiles and policy rules, and security policy rules only affect dataplane traffic on the firewall. Traffic originating on the firewall management interface does not cross the dataplane, so the firewall does not match management traffic against these profiles or policy rules.

How Do the Zone Defense Tools Work?

When a packet arrives at the firewall, the firewall attempts to match the packet to an existing session, based on the ingress zone, egress zone, source IP address, destination IP address, protocol, and application derived from the packet header. If the firewall finds a match, then the packet uses the security policy rules that already control the session.
If the packet does not match an existing session, the firewall uses zone protection profiles, DoS protection profiles and policy rules, and security policy rules to determine whether to establish a session or discard the packet, and the level of access the packet receives.
The first protection the firewall applies is the broad edge defense of the zone protection profile, if one exists for the zone. The firewall determines the zone from the interface on which the packet arrives (each interface is assigned to one zone only and all interfaces that carry traffic must belong to a zone). If the zone protection profile denies the packet, the packet is discarded and no DoS protection policy rule or security policy lookup occurs. The firewall applies zone protection profiles only to packets that do not match an existing session. After the firewall establishes a session, the firewall bypasses the zone protection profile lookup for succeeding packets in that session.
The second protection the firewall applies is a DoS protection policy rule lookup. Even if a zone protection profile allows a packet based on the total amount of traffic going to the zone, a DoS protection policy rule and protection profile may deny the packet if it is going to a particular destination or coming from a particular source that has exceeded the flood protection or resource protection settings in the rule's DoS protection profile. If the packet matches a DoS protection policy rule, the firewall applies the rule to the packet. If the rule denies access, the firewall discards the packet and does not perform a security policy lookup. If the rule allows access, the firewall performs a security policy lookup. The DoS protection policy rule is enforced only on new sessions.
The third protection the firewall applies is a Security Policy lookup, which happens only if the zone protection profile and DoS protection policy rules allow the packet. If the firewall finds no security policy rule match for the packet, the firewall discards the packet. If the firewall finds a matching security policy rule, the firewall applies the rule to the packet. The firewall enforces the security policy rule on traffic in both directions (c2s and s2c) for the life of the session.
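The three-stage order just described, together with the session bypass, as an added Python model (not Palo Alto Networks code): a packet that matches an established session skips the zone protection and DoS lookups, a zone protection drop prevents the DoS and security policy lookups, a DoS drop prevents the security policy lookup, and a packet with no security policy match is discarded. The zone names, addresses, thresholds and the packet burst are constructed for the example; the counters model only a per-second Maximum threshold, not alarms or Random Early Drop.

```python
"""Order of the three zone-defense lookups, as described above.

Added illustration, not Palo Alto Networks code. A packet that matches an
existing session reuses that session's decision and skips the zone
protection and DoS lookups; otherwise it passes, in order, the zone
protection profile (aggregate new-connection rate for the ingress zone),
the DoS protection policy (classified here by destination address), and
the security policy (zone-pair lookup, intrazone allowed by default,
no match means discard). Thresholds, zone names, addresses and the
sample packets are constructed for the example; the counters model only
a Maximum threshold per second, not alarms or Random Early Drop.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ingress_zone: str
    egress_zone: str
    src: str
    dst: str
    proto: str
    app: str


Decision = Tuple[str, str]   # (stage that decided, "allow" | "drop")


class ZoneDefense:
    def __init__(self,
                 zone_max_cps: Dict[str, int],
                 dos_max_cps: Dict[str, int],
                 security_rules: Dict[Tuple[str, str], str]) -> None:
        self.zone_max_cps = zone_max_cps          # ingress zone -> Maximum new conn/s
        self.dos_max_cps = dos_max_cps            # destination IP -> Maximum new conn/s
        self.security_rules = security_rules      # (from zone, to zone) -> "allow"/"deny"
        self.sessions: Dict[Packet, str] = {}     # established sessions keyed by 6-tuple
        self.zone_rate: Dict[str, int] = defaultdict(int)
        self.dst_rate: Dict[str, int] = defaultdict(int)

    def new_second(self) -> None:
        """Per-second rate counters start over."""
        self.zone_rate.clear()
        self.dst_rate.clear()

    def process(self, pkt: Packet) -> Decision:
        # Existing session: no zone protection or DoS lookup for later packets.
        if pkt in self.sessions:
            return ("session", self.sessions[pkt])

        # 1. Zone protection profile: aggregate rate for the ingress zone.
        self.zone_rate[pkt.ingress_zone] += 1
        if self.zone_rate[pkt.ingress_zone] > self.zone_max_cps.get(pkt.ingress_zone, float("inf")):
            return ("zone-protection", "drop")   # no further lookups

        # 2. DoS protection policy rule: classified per destination.
        self.dst_rate[pkt.dst] += 1
        if self.dst_rate[pkt.dst] > self.dos_max_cps.get(pkt.dst, float("inf")):
            return ("dos-protection", "drop")    # no security policy lookup

        # 3. Security policy: intrazone allowed by default, interzone needs a rule.
        action = self.security_rules.get((pkt.ingress_zone, pkt.egress_zone))
        if action is None and pkt.ingress_zone == pkt.egress_zone:
            action = "allow"
        if action != "allow":
            return ("security-policy", "drop")   # no match or explicit deny: discard
        self.sessions[pkt] = "allow"             # session created; later packets bypass 1 and 2
        return ("security-policy", "allow")


def demo() -> List[Decision]:
    """Run a constructed burst of packets through the pipeline."""
    fw = ZoneDefense(zone_max_cps={"untrust": 3},
                     dos_max_cps={"10.0.0.5": 1},
                     security_rules={("untrust", "dmz"): "allow"})
    web = Packet("untrust", "dmz", "198.51.100.1", "10.0.0.5", "tcp", "web-browsing")
    burst = [
        web,                                                                         # new session, allowed
        web,                                                                         # same session: bypasses stages 1 and 2
        Packet("untrust", "dmz", "198.51.100.2", "10.0.0.5", "tcp", "web-browsing"),  # 2nd new conn to 10.0.0.5 exceeds DoS max
        Packet("untrust", "dmz", "198.51.100.3", "10.0.0.9", "tcp", "web-browsing"),  # other host, allowed
        Packet("untrust", "trust", "198.51.100.4", "10.1.0.1", "tcp", "ssh"),         # 4th new conn in the zone exceeds zone max
    ]
    results = [fw.process(p) for p in burst]
    fw.new_second()
    # Same packet in the next second: the zone rate is fine, but no untrust->trust rule exists.
    results.append(fw.process(burst[-1]))
    return results


if __name__ == "__main__":
    for stage, action in demo():
        print(f"{stage:17s} {action}")
```

The point the model makes visible is which stage pays for a drop: the zone protection drop in the fifth packet never reaches the DoS or security policy lookups, while the repeated packet of an established session costs none of the three.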

Zone Protection Profiles

Apply a zone protection profile to a zone to defend the entire zone based on the aggregate traffic entering the ingress zone:
- Flood Protection
- Reconnaissance Protection
- Packet Based Attack Protection
- Protocol Protection

Flood Protection

A zone protection profile with flood protection configured defends an entire ingress zone against SYN, ICMP, ICMPv6, UDP, and other IP floods. The firewall measures the aggregate amount of each flood type ingressing the zone in connections per second and compares the total to the thresholds configured in the zone protection profile.
For each flood type, you set three thresholds:
- Alarm Rate: The number of connections per second to trigger an alarm.
- Activate: The number of connections per second to activate the flood protection mechanism. For ICMP, ICMPv6, UDP, and other IP floods, the protection mechanism is Random Early Drop (RED, also known as Random Early Detection), and packets begin to drop when the number of connections per second reaches the Activate threshold. For SYN floods, the protection mechanism can be RED or SYN cookies. SYN cookies does not drop packets. As the number of connections per second increases above the Activate threshold, the firewall drops more packets when RED is the protection mechanism.
- Maximum: The number of connections per second to drop incoming packets when RED is the protection mechanism.
If the number of connections per second exceeds a threshold, the firewall generates an alarm, activates the drop mechanism, or drops all packets when RED is the protection mechanism.
For SYN packets only, you can select SYN Cookies instead of dropping the packets with RED. When you use SYN Cookies, the firewall acts as a proxy for the target server and responds to the SYN request by generating a SYN-ACK packet and corresponding cookie on behalf of the target. When the firewall receives an ACK packet from the initiator with the correct cookie, the firewall forwards the SYN packet to the target server.

The advantage to using SYN cookies instead of RED is that the firewall drops the offending packets and treats legitimate connections fairly. Because RED randomly drops connections, RED impacts some legitimate traffic. However, using SYN cookies instead of RED uses more firewall resources because the firewall handles the three-way SYN handshake for the target. The trade-off is using more firewall resources versus not dropping legitimate traffic with RED and offloading the SYN handshake from the target.
Adjust the default threshold values in a zone protection profile to the levels appropriate for your network. The default values are high so that activating a zone protection profile does not unexpectedly drop legitimate traffic.
Adjust the thresholds for your environment by taking a baseline measurement of the peak traffic load for each flood type to determine the normal traffic load for the zone. Set Alarm Rate thresholds at 15-20 percent above the baseline number of connections per second and monitor the alarms to see if the threshold is reasonable for the legitimate traffic load. Because the normal traffic load experiences some fluctuation, it is best not to drop packets too aggressively.
While determining a baseline and testing the Alarm Rate threshold, set the Activate and Maximum thresholds to a high number to avoid dropping legitimate packets if the thresholds are too aggressive. After you determine a reasonable Alarm Rate threshold, set Activate and Maximum thresholds to drop packets when traffic increases enough beyond normal to indicate a flood attack. Continue to monitor traffic and adjust the thresholds to meet your security objectives and to ensure that the thresholds don't drop legitimate traffic but do prevent unwanted spikes in traffic volume.
AmajordifferencebetweenfloodprotectionusingazoneprotectionprofileandaDoSprotectionprofileis
wherethefirewallappliesfloodprotection.Zoneprotectionprofilesapplytoanentirezone,whileDoS
protectionprofilesapplyonlytotheIPaddresses,zones,andusersspecifiedintheDoSprotectionpolicy
ruleassociatedwiththeprofile.
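The following Python model illustrates the three-threshold behaviour described above and the baseline-driven tuning the guide recommends. It is an added example written for this page, not code from the PAN-OS guide or from Palo Alto Networks: the linear RED drop curve between Activate and Maximum, the 2x and 4x multipliers for Activate and Maximum, and the sample baseline figures are assumptions chosen for the demonstration.

```python
"""Model of the Alarm Rate / Activate / Maximum flood thresholds with Random
Early Drop, plus baseline-driven tuning. Constructed example; not PAN-OS code."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class FloodThresholds:
    alarm: int      # new connections per second (cps) that raise an alarm
    activate: int   # cps at which RED starts dropping packets
    maximum: int    # cps at which RED drops every incoming packet

    def __post_init__(self) -> None:
        # The mechanism only makes sense when the thresholds are ordered.
        if not 0 < self.alarm <= self.activate <= self.maximum:
            raise ValueError("require 0 < alarm <= activate <= maximum")


def classify(cps: int, t: FloodThresholds) -> str:
    """Name the state the guide describes for an observed rate."""
    if cps >= t.maximum:
        return "drop-all"    # Maximum reached: all incoming packets dropped
    if cps >= t.activate:
        return "red"         # RED active, drops grow as the rate rises
    if cps >= t.alarm:
        return "alarm"       # alarm logged, nothing dropped yet
    return "normal"


def red_drop_probability(cps: int, t: FloodThresholds) -> float:
    """Fraction of packets RED drops at rate cps.

    Below Activate nothing is dropped and at or above Maximum everything is.
    The guide only says drops increase between the two; the linear ramp used
    here is an assumption made for this model."""
    if cps < t.activate:
        return 0.0
    if cps >= t.maximum:
        return 1.0
    return (cps - t.activate) / (t.maximum - t.activate)


def simulate_second(cps: int, t: FloodThresholds, rng: random.Random) -> tuple:
    """Apply RED to one second of new connections; return (forwarded, dropped)."""
    p = red_drop_probability(cps, t)
    dropped = sum(1 for _ in range(cps) if rng.random() < p)
    return cps - dropped, dropped


def thresholds_from_baseline(peak_cps_samples, alarm_margin: float = 0.20,
                             activate_factor: float = 2.0,
                             maximum_factor: float = 4.0) -> FloodThresholds:
    """Derive thresholds for one flood type from baseline peak measurements.

    Alarm sits 15 to 20 percent above the measured peak, as the guide advises.
    Activate and Maximum stay well above it while the alarm is validated; the
    multipliers are assumptions to tune per network."""
    peak = max(peak_cps_samples)
    return FloodThresholds(alarm=round(peak * (1 + alarm_margin)),
                           activate=round(peak * activate_factor),
                           maximum=round(peak * maximum_factor))


def demo(seed: int = 1) -> dict:
    """Run a constructed baseline (peak UDP cps over a sampling period) through
    four observed rates; returns {rate: (state, forwarded, dropped)}."""
    t = thresholds_from_baseline([820, 910, 1000, 870])   # constructed samples
    rng = random.Random(seed)
    return {rate: (classify(rate, t),) + simulate_second(rate, t, rng)
            for rate in (900, 1250, 2500, 4500)}


if __name__ == "__main__":
    for rate, (state, fwd, drop) in demo().items():
        print(f"{rate:5d} cps -> {state:8s} forwarded={fwd} dropped={drop}")
```

With the constructed baseline the thresholds come out at 1200 (alarm), 2000 (activate) and 4000 (maximum) cps, so 900 cps is normal, 1250 cps alarms without dropping, 2500 cps is throttled by RED and 4500 cps is dropped entirely.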

Reconnaissance Protection

Similar to the military definition of reconnaissance, the network security definition of reconnaissance is when attackers attempt to gain information about your network's vulnerabilities by secretly probing the network to find weaknesses. Reconnaissance activities are often preludes to a network attack.
Zone protection profiles with reconnaissance protection enabled defend against port scans and host sweeps:
Port scans discover open ports on a network. A port scanning tool sends client requests to a range of port numbers on a host, with the goal of locating an active port to exploit in an attack. Zone protection profiles defend against both TCP and UDP port scans.
Host sweeps examine multiple hosts to determine if a specific port is open and vulnerable.
You can use reconnaissance tools for legitimate purposes such as white hat testing of network security or the strength of a firewall. You can specify up to 20 IP addresses or netmask address objects to exclude from reconnaissance protection so that your internal IT department can conduct white hat tests to find and fix network vulnerabilities.
You can set the action to take when reconnaissance traffic (excluding white hat traffic) exceeds the configured threshold when you Configure Reconnaissance Protection.

Packet Based Attack Protection

Packet-based attacks take many forms. Zone protection profiles check IP, TCP, ICMP, IPv6, and ICMPv6 packet header parameters and protect a zone by:


Dropping packets with undesirable characteristics.
Stripping undesirable options from packets before admitting them to the zone.
You select the drop characteristics for each packet type when you Configure Packet Based Attack Protection.
For example, you can drop malformed IP packets, TCP SYN and SYN-ACK packets that contain data, fragmented ICMP packets, and so on. Each packet type has a set of characteristics and options that you select to control whether the firewall drops a packet. Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions includes some specific recommendations for configuring packet-based attack protection.

Protocol Protection

While packet-based attack protection defends against Layer 3 packet-based attacks, protocol protection defends against non-IP protocol packets. The protocol protection portion of a zone protection profile blocks or allows non-IP protocol packets between security zones on a Layer 2 VLAN or on a virtual wire, or between interfaces within a single zone on a Layer 2 VLAN. Configure Protocol Protection to reduce security risks and facilitate regulatory compliance by preventing less secure protocol packets from entering a zone, or an interface in a zone, where they don't belong.
Examples of non-IP protocols that you can block (exclude) or allow (include) are AppleTalk, Banyan VINES, LLDP, NetBEUI, Spanning Tree, and Supervisory Control and Data Acquisition (SCADA) systems such as Generic Object Oriented Substation Event (GOOSE), among many others.
You can run App-ID reports to determine whether any non-IP protocol packets are arriving at Layer 2 interfaces on the firewall. Apply the zone protection profile to an ingress security zone for physical interfaces or AE interfaces, thereby controlling interzone traffic (where the protocol packets attempt to enter one zone from another) or intrazone traffic (where the protocol packets traverse a single zone VLAN between its interfaces).
Each Include List or Exclude List you configure supports up to 64 Ethertype entries, each identified by its IEEE hexadecimal Ethertype code. Other sources of Ethertype codes are standards.ieee.org/develop/regauth/ethertype/eth.txt and http://www.cavebear.com/archive/cavebear/Ethernet/type.html.
Protocol protection doesn't let you block IPv4 (Ethertype 0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN-tagged frames (0x8100). These four Ethertypes are always implicitly allowed in an Include List without listing them. They're also implicitly allowed even if you configure an Exclude List; you can't exclude them.
When you configure zone protection for non-IP protocols on zones that have Aggregated Ethernet (AE) interfaces, you can't block or allow a non-IP protocol on only one AE interface because AE interfaces are treated as a group.
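The Python model below shows how an Include List or Exclude List of Ethertypes decides whether a non-IP frame may enter a zone, including the four implicitly allowed Ethertypes, the 64-entry limit, the 0x-prefixed code format and the effect of a disabled entry. It is an added example for this page and not code from the PAN-OS guide or Palo Alto Networks; the sample frames are constructed, and treating a disabled entry as if it were absent is an assumption drawn from the guide's remark that you can disable an entry for testing.

```python
"""Model of how a Protocol Protection Include List or Exclude List decides
whether a non-IP frame may enter a zone. Constructed example; not PAN-OS code."""

# Ethertypes the guide says are always implicitly allowed and cannot be excluded.
IMPLICIT_ALLOW = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP", 0x8100: "VLAN-tagged"}
MAX_ENTRIES = 64   # per Include List or Exclude List


def parse_ethertype(text: str) -> int:
    """Accept only the 0x-prefixed hexadecimal form in the range 0x0000 to 0xFFFF."""
    if not text.lower().startswith("0x"):
        raise ValueError(f"Ethertype code must be preceded by 0x: {text!r}")
    code = int(text[2:], 16)      # raises ValueError on non-hex characters
    if not 0 <= code <= 0xFFFF:
        raise ValueError(f"Ethertype code out of range: {text!r}")
    return code


class ProtocolProtection:
    """One list of Ethertype entries with the guide's Include/Exclude semantics."""

    def __init__(self, rule_type: str, entries):
        # entries: iterable of (protocol_name, ethertype_text, enabled)
        if rule_type not in ("include", "exclude"):
            raise ValueError("rule_type must be 'include' or 'exclude'")
        entries = list(entries)
        if len(entries) > MAX_ENTRIES:
            raise ValueError(f"a list supports at most {MAX_ENTRIES} entries")
        self.rule_type = rule_type
        self.enabled = {}   # ethertype code -> name, enabled entries only
        for name, text, enabled in entries:
            code = parse_ethertype(text)
            # The name is a label only; filtering uses the code, as the guide says.
            if enabled:     # assumption: a disabled entry behaves as if absent
                self.enabled[code] = name

    def allows(self, ethertype: int) -> bool:
        if ethertype in IMPLICIT_ALLOW:      # never blockable, on either list type
            return True
        listed = ethertype in self.enabled
        return listed if self.rule_type == "include" else not listed

    def verdicts(self, frames):
        """Classify (description, ethertype) frames into allow or drop."""
        return [(desc, "allow" if self.allows(et) else "drop") for desc, et in frames]


# Constructed sample frames arriving at a Layer 2 ingress zone.
SAMPLE_FRAMES = [
    ("IPv4 packet", 0x0800),
    ("ARP request", 0x0806),
    ("GOOSE message", 0x88B8),
    ("LLDP advertisement", 0x88CC),
]

# The two profiles from the use cases later in this chapter.
BLOCK_GOOSE = ProtocolProtection("exclude", [("GOOSE", "0x88B8", True)])
ALLOW_GOOSE = ProtocolProtection("include", [("GOOSE", "0x88B8", True)])

if __name__ == "__main__":
    print("BlockGOOSE:", BLOCK_GOOSE.verdicts(SAMPLE_FRAMES))
    print("AllowGOOSE:", ALLOW_GOOSE.verdicts(SAMPLE_FRAMES))
```

The AllowGOOSE run shows the hazard the guide warns about for Include Lists: LLDP is dropped because it was never listed, while IPv4 and ARP still pass because they are implicitly allowed.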

Packet Buffer Protection

Packet buffer protection allows you to protect your firewall and network from single-session DoS attacks that can overwhelm the firewall's packet buffer and cause legitimate traffic to drop. Although you don't Configure Packet Buffer Protection in a zone protection profile or in a DoS protection profile or policy rule, packet buffer protection defends zones and you enable it when you configure or edit a zone (Network > Zones).


When you enable packet buffer protection, the firewall monitors sessions from all zones and how each session utilizes the packet buffer. If a session exceeds a configured percentage of packet buffer utilization and traverses an ingress zone with packet buffer protection enabled, then the firewall takes action against that session. The firewall begins by creating an alert log in the System log when a session reaches the first threshold. If a session reaches the second threshold, the firewall mitigates the abuse by implementing Random Early Drop (RED) to throttle the session. If the firewall cannot reduce packet buffer utilization using RED, the Block Hold Time timer begins counting down. When the timer expires, the firewall takes additional mitigation steps (session discard or IP block). The block duration defines how long a session remains discarded or an IP address remains blocked after reaching the block hold time.
In addition to monitoring the buffer utilization of individual sessions, packet buffer protection can also block an IP address if certain criteria are met. While the firewall monitors the packet buffers, if it detects a source IP address rapidly creating sessions that would not individually be seen as an attack, it blocks that IP address.

DoS Protection Profiles and Policy Rules

DoS protection profiles and DoS protection policy rules combine to protect specific areas of your network against packet flood attacks and to protect individual resources against session floods.
DoS protection profiles set the protection thresholds to provide DoS Protection Against Flooding of New Sessions for IP floods (connections per second limits), to provide resource protection (maximum concurrent session limits for specified endpoints and resources), and to configure whether the profile applies to aggregate or classified traffic. DoS protection policy rules control where to apply DoS protection and what action to take when traffic matches the criteria defined in the rule.
Unlike a zone protection profile, which protects only the ingress zone, DoS protection profiles and policy rules can protect specific resources inside a zone and traffic flowing between different endpoints and areas. Also unlike a zone protection profile, which supports only aggregate traffic, you can configure aggregate or classified DoS protection profiles and policy rules.
DoS Protection Policy Rules
DoS Protection Profiles

DoS Protection Policy Rules

DoS protection policy rules provide granular matching criteria so that you have flexibility in defining what you want to protect:
Source zone or interface
Destination zone or interface
Source IP addresses and address ranges, address group objects, and countries
Destination IP addresses and address ranges, address group objects, and countries
Services (by port and protocol)
Users
The flexible matching criteria enable you to protect entire zones or subnets, a single server, or anything in between. When traffic matches a DoS protection policy rule, the firewall takes one of three actions:
Deny: The firewall denies access and doesn't apply a DoS protection profile. Denying essentially blacklists traffic that matches the rule.


Allow: The firewall permits access and doesn't apply a DoS protection profile. Allowing essentially whitelists traffic that matches the rule.
Protect: The firewall applies the specified DoS protection profile or profiles. A DoS protection policy rule can have one aggregate DoS protection profile and one classified DoS protection profile. Incoming packets count against both DoS protection profiles if they match the rule. The Protect action protects against floods by applying the thresholds set in the DoS protection profile or profiles to traffic that matches the rule.
The firewall only applies DoS protection profiles if the Action is Protect. If the DoS protection policy rule's Action is Protect, specify the appropriate aggregate and/or classified DoS protection profile in the rule so that the firewall applies the DoS protection profile to traffic that matches the rule.

You can attach both an aggregate and a classified DoS protection profile to a DoS protection policy rule. The firewall checks and enforces the aggregate rate limits before it checks the classified rate limits, so if the match criteria match both profiles, the thresholds in the aggregate profile are used first.

DoS Protection Profiles

When you create DoS protection policy rules, you apply DoS protection profiles to the policy rules if the rules have an action of Protect (if the action is Deny or Allow, no DoS protection profile is used).
Configuring flood protection thresholds in a DoS protection profile is similar to configuring Flood Protection in a zone protection profile. The difference is where you apply flood protection. Applying flood protection with a zone protection profile protects the ingress zone, while applying flood protection with a DoS protection profile and policy rule is more granular and targeted, and can even be classified to a single IP address.
For both aggregate and classified DoS protection profiles, as with zone protection profiles, you can:
Configure SYN, UDP, ICMP, ICMPv6, and other IP flood protection.
Set alarm, activate, and maximum connections per second thresholds. When incoming connections per second reach the activate threshold, the firewall begins to drop packets. When the incoming connections per second reach the maximum threshold, the firewall drops additional incoming connections.
Use SYN cookies instead of RED for SYN flood packets.
The advice in zone protection profile Flood Protection about adjusting the default flood threshold values for your network's traffic is valid for setting DoS protection profile flood protection thresholds. Take a baseline measurement of peak traffic loads over a period of time and adjust the flood thresholds to allow the expected legitimate traffic load and to throttle or drop traffic when the load indicates a flood attack. Monitor the traffic and continue to adjust the thresholds until they meet your protection objectives.
Configuring resource protection thresholds in a DoS protection profile sets the maximum number of concurrent sessions that a resource supports. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped. You define the resource you are protecting in a DoS protection policy rule by the resource's source IP address, destination IP address, or the source and destination IP address pair.
An aggregate DoS protection profile applies to all of the traffic that matches the associated DoS protection policy rule, for all sources, destinations, and services allowed for that rule. A classified DoS protection profile can enforce different session rate limits for different groups of end hosts or even for one particular end host.
Here are some examples of what you can do with a classified DoS protection profile:


To prevent hosts on your network from starting a DoS attack, you can monitor the rate of traffic each host in a source address group initiates. To do this, set an appropriate alarm threshold in a DoS protection profile to notify you if a host initiates an unusually large amount of traffic, and create a DoS protection policy rule that applies the profile to the source address group. Investigate any hosts that initiate enough traffic to set off the alarm.
To protect critical web or DNS servers on your network, protect the individual servers. To do this, set appropriate flooding and resource protection thresholds in a DoS protection profile, and create a DoS protection policy rule that applies the profile to each server's IP address by adding the IP addresses as the rule's destination criteria.
Track the flow between a pair of endpoints by setting appropriate thresholds in the DoS protection profile and creating a DoS protection policy rule that specifies the source and destination IP addresses of the endpoints as the matching criteria.

Do not use source IP classification for internet-facing zones in classified DoS protection policy rules. The firewall does not have the capacity to store counters for every possible IP address on the internet.


Configure Zone Protection to Increase Network Security

The following topics provide zone protection configuration examples:
Configure Reconnaissance Protection
Configure Packet Based Attack Protection
Configure Protocol Protection
Configure Packet Buffer Protection

Configure Reconnaissance Protection

Configure one of the following Reconnaissance Protection actions for the firewall to take in response to the corresponding reconnaissance attempt:
Allow: The firewall allows the port scan or host sweep reconnaissance to continue.
Alert: The firewall generates an alert for each port scan or host sweep that matches the configured threshold within the specified time interval. Alert is the default action.
Block: The firewall drops all subsequent packets from the source to the destination for the remainder of the specified time interval.
Block IP: The firewall drops all subsequent packets for the specified Duration, in seconds (the range is 1 to 3,600). Track By determines whether the firewall blocks source or source-and-destination traffic.

Configure Reconnaissance Protection

Step 1: Configure Reconnaissance Protection.
1. Select Network > Network Profiles > Zone Protection.
2. Select a Zone Protection profile or Add a new profile and enter a Name for it.
3. On the Reconnaissance Protection tab, select the scan types to protect against.
4. Select an Action for each scan. If you select Block IP, you must also configure Track By (source or source-and-destination) and Duration.
5. Set the Interval in seconds. This option defines the time interval for port scan and host sweep detection.
6. Set the Threshold. The threshold defines the number of port scan events or host sweeps that occur within the interval configured above that triggers an action.

Step 2: (Optional) Configure a Source Address Exclusion.
1. On the Reconnaissance Protection tab, Add a Source Address Exclusion.
   a. Enter a descriptive Name for the whitelisted address.
   b. Set the Address Type to IPv4 or IPv6 and then select an address object or enter an IP address.
   c. Click OK.
2. Click OK to save the Zone Protection profile.
3. Commit your changes.
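To make the Interval, Threshold, Action, Track By, Duration and Source Address Exclusion settings above concrete, here is a Python model of a reconnaissance protection profile evaluating constructed packets. It is an added example for this page, not code from the PAN-OS guide or Palo Alto Networks: the detection heuristics (distinct destination ports per source and host for a port scan, distinct hosts per source and port for a host sweep) and the way the Block action's "remainder of the interval" is measured from the triggering packet are simplifying assumptions, and all addresses are constructed.

```python
"""Model of reconnaissance protection: port scan and host sweep detection
within an interval, the Allow/Alert/Block/Block IP actions, Track By and
Duration, and source address exclusions. Constructed example; not PAN-OS code."""
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class ScanSettings:
    action: str = "alert"       # allow | alert | block | block-ip (Alert is the default)
    interval: int = 2           # seconds in which events are counted
    threshold: int = 100        # events within the interval that trigger the action
    track_by: str = "source"    # block-ip only: source | source-and-destination
    duration: int = 300         # block-ip only: seconds blocked, range 1 to 3,600

    def __post_init__(self) -> None:
        if self.action not in ("allow", "alert", "block", "block-ip"):
            raise ValueError("unknown action")
        if self.action == "block-ip" and not 1 <= self.duration <= 3600:
            raise ValueError("Duration must be 1 to 3,600 seconds")


class ReconProtection:
    def __init__(self, portscan: ScanSettings, hostsweep: ScanSettings, exclusions=()):
        if len(exclusions) > 20:
            raise ValueError("at most 20 source address exclusions")
        self.portscan, self.hostsweep = portscan, hostsweep
        self.exclusions = [ipaddress.ip_network(e, strict=False) for e in exclusions]
        self.events = defaultdict(deque)   # (kind, key) -> deque of (ts, value)
        self.blocks = {}                   # block key -> expiry timestamp
        self.alerts = []                   # (ts, kind, src) records

    def _excluded(self, src: str) -> bool:
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.exclusions)

    def _count(self, kind: str, s: ScanSettings, key, ts: int, value) -> int:
        """Distinct values seen for key within the interval ending at ts."""
        q = self.events[(kind, key)]
        q.append((ts, value))
        while q and q[0][0] <= ts - s.interval:
            q.popleft()
        return len({v for _, v in q})

    def _apply(self, kind: str, s: ScanSettings, ts: int, src: str, dst: str) -> str:
        """Record the configured action; returns the verdict for the triggering packet."""
        if s.action == "allow":
            return "allow"
        self.alerts.append((ts, kind, src))
        if s.action == "alert":
            return "alert"
        if s.action == "block":
            # Assumption: the remainder of the interval is measured from this packet.
            self.blocks[(src, dst)] = ts + s.interval
        else:  # block-ip: Track By decides what the block key is
            key = (src,) if s.track_by == "source" else (src, dst)
            self.blocks[key] = ts + s.duration
        return s.action

    def observe(self, ts: int, src: str, dst: str, port: int) -> str:
        """Process one constructed packet: allow | alert | block | block-ip | drop."""
        for key in ((src,), (src, dst)):
            if self.blocks.get(key, -1) > ts:
                return "drop"               # an earlier block is still in force
        if self._excluded(src):
            return "allow"                  # white hat sources bypass detection
        verdict = "allow"
        # Port scan: many distinct ports on one host from one source.
        if self._count("portscan", self.portscan, (src, dst), ts, port) >= self.portscan.threshold:
            verdict = self._apply("portscan", self.portscan, ts, src, dst)
        # Host sweep: one port probed on many hosts from one source.
        if self._count("hostsweep", self.hostsweep, (src, port), ts, dst) >= self.hostsweep.threshold:
            verdict = self._apply("hostsweep", self.hostsweep, ts, src, dst)
        return verdict
```

Thresholds in the model are deliberately small so a handful of packets triggers an action; in production keep the guide's advice in mind and size Interval and Threshold against the legitimate scanning you expect (monitoring tools, inventory agents) before choosing Block IP over Alert.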


Configure Packet Based Attack Protection

To enhance security for a zone, Packet Based Attack Protection allows you to specify whether the firewall drops IP, IPv6, TCP, ICMP, or ICMPv6 packets that have certain characteristics or strips certain options from the packets.
For example, you can drop TCP SYN and SYN-ACK packets that contain data in the payload during a TCP three-way handshake. A Zone Protection profile by default is set to drop SYN and SYN-ACK packets with data (you must apply the profile to the zone).
The TCP Fast Open option (RFC 7413) preserves the speed of a connection setup by including data in the payload of SYN and SYN-ACK packets. A Zone Protection profile treats handshakes that use the TCP Fast Open option separately from other SYN and SYN-ACK packets; the profile by default is set to allow the handshake packets if they contain a valid Fast Open cookie.

If you have existing Zone Protection profiles in place when you upgrade to PAN-OS 8.0, the three default settings will apply to each profile and the firewall will act accordingly.

Configure Packet Based Attack Protection

Step 1: Create a Zone Protection profile for packet-based attack protection.
1. Select Network > Network Profiles > Zone Protection and Add a new profile.
2. Enter a Name for the profile and an optional Description.
3. Select Packet Based Attack Protection.
4. On each tab (IP Drop, TCP Drop, ICMP Drop, IPv6 Drop, and ICMPv6 Drop), select the settings you want to enforce to protect a zone.
5. Click OK.

Step 2: Apply the Zone Protection profile to a security zone that is assigned to interfaces you want to protect.
1. Select Network > Zones and select the zone where you want to assign the Zone Protection profile.
2. Add the Interfaces belonging to the zone.
3. For Zone Protection Profile, select the profile you just created.
4. Click OK.

Step 3: Commit.
Click Commit.

Configure Protocol Protection

Protect virtual wire or Layer 2 security zones from non-IP protocol packets by using Protocol Protection.
Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces
Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces


Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces

In this use case, the firewall is in a Layer 2 VLAN divided into two subinterfaces. VLAN 100 is 192.168.100.1/24, subinterface .6. VLAN 200 is 192.168.100.1/24, subinterface .7. Non-IP protocol protection applies to ingress zones. In this use case, if the Internet zone is the ingress zone, the firewall blocks the Generic Object Oriented Substation Event (GOOSE) protocol. If the User zone is the ingress zone, the firewall allows the GOOSE protocol. The firewall implicitly allows IPv4, IPv6, ARP, and VLAN-tagged frames in both zones.

Provide Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces

Step 1: Configure two VLAN subinterfaces.
1. Select Network > Interfaces > VLAN and Add an interface.
2. Interface Name defaults to vlan. After the period, enter 7.
3. On the Config tab, Assign Interface To the VLAN 200.
4. Click OK.
5. Select Network > Interfaces > VLAN and Add an interface.
6. Interface Name defaults to vlan. After the period, enter 6.
7. On the Config tab, Assign Interface To the VLAN 100.
8. Click OK.


Provide Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces (Continued)

Step 2: Configure protocol protection in a Zone Protection profile to block GOOSE protocol packets.
1. Select Network > Network Profiles > Zone Protection and Add a profile.
2. Enter the Name BlockGOOSE.
3. Select Protocol Protection.
4. Choose Rule Type of Exclude List.
5. Enter the Protocol Name, GOOSE, to easily identify the Ethertype on the list. The firewall doesn't verify that the name you enter matches the Ethertype code; it uses only the Ethertype code to filter.
6. Enter Ethertype code 0x88B8. The Ethertype must be preceded by 0x to indicate a hexadecimal value. Range is 0x0000 to 0xFFFF.
7. Select Enable to enforce the protocol protection. You can disable a protocol on the list, for example, for testing.
8. Click OK.

Step 3: Apply the Zone Protection profile to the Internet zone.
1. Select Network > Zones and Add a zone.
2. Enter the Name of the zone, Internet.
3. For Location, select the virtual system where the zone applies.
4. For Type, select Layer2.
5. Add the Interface that belongs to the zone, vlan.7.
6. For Zone Protection Profile, select the profile BlockGOOSE.
7. Click OK.

Step 4: Configure protocol protection to allow GOOSE protocol packets.
Create another Zone Protection profile named AllowGOOSE, and choose Rule Type of Include List.
When configuring an Include List, include all required non-IP protocols; an incomplete list can result in legitimate non-IP traffic being blocked.

Step 5: Apply the Zone Protection profile to the User zone.
1. Select Network > Zones and Add a zone.
2. Enter the Name of the zone, User.
3. For Location, select the virtual system where the zone applies.
4. For Type, select Layer2.
5. Add the Interface that belongs to the zone, vlan.6.
6. For Zone Protection Profile, select the profile AllowGOOSE.
7. Click OK.

Step 6: Commit.
Click Commit.

Step 7: View the number of non-IP packets the firewall has dropped based on protocol protection.
Access the CLI.
> show counter global name pkt_nonip_pkt_drop
> show counter global name pkt_nonip_pkt_drop delta yes


Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces

If you don't implement a Zone Protection profile with non-IP protocol protection, the firewall allows non-IP protocols in a single zone to go from one Layer 2 interface to another. In this use case, blacklisting LLDP packets ensures that LLDP for one network doesn't discover a network reachable through another interface in the zone.
In the following figure, the Layer 2 VLAN named Datacenter is divided into two subinterfaces: 192.168.1.1/24, subinterface .7 and 192.168.1.2/24, subinterface .8. The VLAN belongs to the User zone. By applying a Zone Protection profile that blocks LLDP to the User zone:
Subinterface .7 blocks LLDP from its switch to the firewall at the red X on the left, preventing that traffic from reaching subinterface .8.
Subinterface .8 blocks LLDP from its switch to the firewall at the red X on the right, preventing that traffic from reaching subinterface .7.

Provide Non-IP Protocol Protection Within a Single Zone on Layer 2 Interfaces

Step 1: Create a subinterface for an Ethernet interface.
1. Select Network > Interfaces > Ethernet and select a Layer 2 interface, in this example, ethernet1/1.
2. Select Add Subinterfaces.
3. The Interface Name defaults to the interface (ethernet1/1). After the period, enter 7.
4. For Tag, enter 300.
5. For Security Zone, select User.
6. Click OK.

Step 2: Create a second subinterface for the Ethernet interface.
1. Select Network > Interfaces > Ethernet and select the Layer 2 interface: ethernet1/1.
2. Select Add Subinterfaces.
3. The Interface Name defaults to the interface (ethernet1/1). After the period, enter 8.
4. For Tag, enter 400.
5. For Security Zone, select User.
6. Click OK.


Provide Non-IP Protocol Protection Within a Single Zone on Layer 2 Interfaces (Continued)

Step 3: Create a VLAN for the Layer 2 interface and two subinterfaces.
1. Select Network > VLANs and Add a VLAN.
2. Enter the Name of the VLAN; for this example, enter Datacenter.
3. For VLAN Interface, select None.
4. For Interfaces, click Add and select the Layer 2 interface: ethernet1/1, and two subinterfaces: ethernet1/1.7 and ethernet1/1.8.
5. Click OK.

Step 4: Block non-IP protocol packets in a Zone Protection profile.
1. Select Network > Network Profiles > Zone Protection and Add a profile.
2. Enter the Name, in this example, BlockLLDP.
3. Enter a profile Description: Block LLDP packets from an LLDP network to other interfaces in the zone (intrazone).
4. Select Protocol Protection.
5. Choose Rule Type of Exclude List.
6. Enter Protocol Name LLDP.
7. Enter Ethertype code 0x88cc. The Ethertype must be preceded by 0x to indicate a hexadecimal value.
8. Select Enable.
9. Click OK.

Step 5: Apply the Zone Protection profile to the security zone to which the Layer 2 VLAN belongs.
1. Select Network > Zones.
2. Add a zone.
3. Enter the Name of the zone, User.
4. For Location, select the virtual system where the zone applies.
5. For Type, select Layer2.
6. Add an Interface that belongs to the zone, ethernet1/1.7.
7. Add an Interface that belongs to the zone, ethernet1/1.8.
8. For Zone Protection Profile, select the profile BlockLLDP.
9. Click OK.

Step 6: Commit.
Click Commit.

Step 7: View the number of non-IP packets the firewall has dropped based on protocol protection.
Access the CLI.
> show counter global name pkt_nonip_pkt_drop
> show counter global name pkt_nonip_pkt_drop delta yes

Configure Packet Buffer Protection

You configure Packet Buffer Protection settings globally and then apply them per ingress zone. When the firewall detects high buffer utilization, the firewall only monitors and takes action against sessions from zones with packet buffer protection enabled. Therefore, if the abusive session is from a zone without packet buffer protection, the high packet buffer utilization continues. Packet buffer protection can be applied to a zone but it is not active until global settings are configured and enabled.


Enable Packet Buffer Protection

Step 1: Configure the global session thresholds.
1. Select Device > Setup > Session.
2. Edit the Session Settings.
3. Select the Packet Buffer Protection check box to enable and configure the packet buffer protection thresholds.
4. Enter a value for each threshold and timer to define the packet buffer protection behavior.
   Alert (%): When packet buffer utilization exceeds this threshold for more than 10 seconds, the firewall creates a log event every minute. The firewall generates log events when packet buffer protection is enabled globally. The default threshold is 50% and the range is 0% to 99%. If the value is 0%, the firewall does not create a log event.
   Activate (%): When a packet buffer utilization exceeds this threshold, the firewall applies RED to abusive sessions. The default threshold is 50% and the range is 0% to 99%. If the value is 0%, the firewall does not apply RED.
   NOTE: The firewall records alert events in the System log and events for dropped traffic, discarded sessions, and blocked IP addresses in the Threat log.
   Block Hold Time (sec): The amount of time a RED-mitigated session is allowed to continue before the firewall discards it. By default, the block hold time is 60 seconds. The range is 0 to 65,535 seconds. If the value is 0, the firewall does not discard sessions based on packet buffer protection.
   Block Duration (sec): This setting defines how long a session remains discarded or an IP address remains blocked. The default is 3,600 seconds with a range of 0 seconds to 15,999,999 seconds. If this value is 0, the firewall does not discard sessions or block IP addresses based on packet buffer protection.
5. Click OK.
6. Commit your changes.

Step 2: Enable packet buffer protection on an ingress zone.
1. Select Network > Zones.
2. Choose an ingress zone and click on its name.
3. Select the Enable Packet Buffer Protection check box in the Zone Protection section.
4. Click OK.
5. Commit your changes.
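The Python model below ties the four global settings from Step 1 to the sequence described under Packet Buffer Protection earlier in this chapter: alert logging once utilization stays above Alert for more than 10 seconds, RED on an abusive session above Activate, discard when the Block Hold Time runs out, and release after the Block Duration, with sessions from zones that lack the per-zone setting only watched. It is an added example for this page, not code from the PAN-OS guide or Palo Alto Networks; the per-second utilization samples are constructed, the log line formats are invented, and "RED failed to reduce utilization" is modelled simply as the session still being above Activate when the hold time elapses.

```python
"""Model of the packet buffer protection sequence: global alert logging, then
RED on an abusive session, then discard for the Block Duration once the Block
Hold Time expires. Constructed example; not PAN-OS code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PbpSettings:
    alert_pct: int = 50          # 0 disables alert logging; range 0 to 99
    activate_pct: int = 50       # 0 disables RED; range 0 to 99
    block_hold_time: int = 60    # seconds under RED before discard; 0 disables discard
    block_duration: int = 3600   # seconds a session stays discarded; 0 disables

    def __post_init__(self) -> None:
        if not (0 <= self.alert_pct <= 99 and 0 <= self.activate_pct <= 99):
            raise ValueError("Alert and Activate must be 0% to 99%")
        if not 0 <= self.block_hold_time <= 65535:
            raise ValueError("Block Hold Time must be 0 to 65,535 seconds")
        if not 0 <= self.block_duration <= 15_999_999:
            raise ValueError("Block Duration must be 0 to 15,999,999 seconds")


class GlobalAlertMonitor:
    """System log alerts: utilization above Alert for more than 10 s logs once a minute."""

    def __init__(self, s: PbpSettings):
        self.s, self.above_since, self.last_log, self.log = s, None, None, []

    def sample(self, ts: int, buffer_pct: int) -> bool:
        """Feed one per-second sample of total buffer use; True when a log event is written."""
        if self.s.alert_pct == 0 or buffer_pct <= self.s.alert_pct:
            self.above_since = None
            return False
        if self.above_since is None:
            self.above_since = ts
        if ts - self.above_since > 10 and (self.last_log is None or ts - self.last_log >= 60):
            self.last_log = ts
            self.log.append(f"t={ts} packet buffer at {buffer_pct}% exceeds alert threshold")  # constructed
            return True
        return False


@dataclass
class SessionTracker:
    """State for one session whose ingress zone may have packet buffer protection enabled."""
    s: PbpSettings
    zone_protected: bool = True
    phase: str = "monitor"           # monitor | red | discarded
    red_since: int = 0
    discarded_until: int = 0
    threat_log: list = field(default_factory=list)

    def sample(self, ts: int, session_pct: int) -> str:
        """Action taken at time ts: none | red | discard | discarded."""
        if not self.zone_protected or self.s.activate_pct == 0:
            return "none"            # watched only; the high utilization continues
        if self.phase == "discarded":
            if ts < self.discarded_until:
                return "discarded"
            self.phase = "monitor"   # Block Duration has elapsed
        if session_pct <= self.s.activate_pct:
            self.phase = "monitor"   # RED (or the session itself) brought it down
            return "none"
        if self.phase == "monitor":
            self.phase, self.red_since = "red", ts
            self.threat_log.append(f"t={ts} RED applied, session at {session_pct}%")  # constructed
            return "red"
        # Still above Activate under RED: discard once the hold time is used up.
        if (self.s.block_hold_time and self.s.block_duration
                and ts - self.red_since >= self.s.block_hold_time):
            self.phase, self.discarded_until = "discarded", ts + self.s.block_duration
            self.threat_log.append(f"t={ts} session discarded for {self.s.block_duration}s")  # constructed
            return "discard"
        return "red"


def run(settings: PbpSettings, samples, zone_protected: bool = True) -> list:
    """Feed (ts, session_pct) samples through one tracker; return the action per sample."""
    tracker = SessionTracker(settings, zone_protected)
    return [tracker.sample(ts, pct) for ts, pct in samples]
```

Setting Block Hold Time or Block Duration to 0 leaves the session under RED indefinitely, which matches the guide's description of the 0 values; the model makes that visible because the discard branch is never taken.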


DoS Protection Against Flooding of New Sessions

DoS protection against flooding of new sessions is beneficial against high-volume single-session and multiple-session attacks. In a single-session attack, an attacker uses a single session to target a device behind the firewall. If a Security rule allows the traffic, the session is established and the attacker initiates an attack by sending packets at a very high rate with the same source IP address and port number, destination IP address and port number, and protocol, trying to overwhelm the target. In a multiple-session attack, an attacker uses multiple sessions (or connections per second [cps]) from a single host to launch a DoS attack.

This feature defends against DoS attacks of new sessions only, that is, traffic that has not been offloaded to hardware. An offloaded attack is not protected by this feature. However, this topic describes how you can create a Security policy rule to reset the client; the attacker reinitiates the attack with numerous connections per second and is blocked by the defenses illustrated in this topic.

DoS Protection Profiles and Policy Rules work together to provide protection against flooding of many incoming SYN, UDP, ICMP, and ICMPv6 packets, and other types of IP packets. You determine what thresholds constitute flooding. In general, the DoS Protection profile sets the thresholds at which the firewall generates a DoS alarm, takes action such as Random Early Drop, and drops additional incoming connections. A DoS Protection policy rule that is set to protect (rather than to allow or deny packets) determines the criteria for packets to match (such as source address) in order to be counted toward the thresholds. This flexibility allows you to blacklist certain traffic, or whitelist certain traffic and treat other traffic as DoS traffic. When the incoming rate exceeds your maximum threshold, the firewall blocks incoming traffic from the source address.
Multiple Session DoS Attack
Single Session DoS Attack
Configure DoS Protection Against Flooding of New Sessions
End a Single Session DoS Attack
Identify Sessions That Use an Excessive Percentage of the Packet Buffer
Discard a Session Without a Commit


Multiple Session DoS Attack

Configure DoS Protection Against Flooding of New Sessions by configuring a DoS Protection policy rule, which determines the criteria that, when matched by incoming packets, trigger the Protect action. The DoS Protection profile counts each new connection toward the Alarm Rate, Activate Rate, and Max Rate thresholds. When the incoming new connections per second exceed the Activate Rate, the firewall takes the action specified in the DoS Protection profile.
The following figure and table describe how the Security policy rules, DoS Protection policy rules and profile work together in an example.

Sequence of Events as Firewall Quarantines an IP Address

In this example, an attacker launches a DoS attack at a rate of 10,000 new connections per second to UDP port 53. The attacker also sends 10 new connections per second to HTTP port 80.

The new connections match criteria in the DoS Protection policy rule, such as a source zone or interface, source IP address, destination zone or interface, destination IP address, or a service, among other settings. In this example, the policy rule specifies UDP.
The DoS Protection policy rule also specifies the Protect action and Classified, two settings that dynamically put the DoS Protection profile settings into effect. The DoS Protection profile specifies that a Max Rate of 3000 packets per second is allowed. When incoming packets match the DoS Protection policy rule, new connections per second are counted toward the Alert, Activate, and Max Rate thresholds.
You can also use a Security policy rule to block all traffic from the source IP address if you deem that address to be malicious all the time.

The 10,000 new connections per second exceed the Max Rate threshold. When all of the following occur:
the threshold is exceeded,
a Block Duration is specified, and
Classified is set to include source IP address,
the firewall puts the offending source IP address on the block list.


Sequence of Events as Firewall Quarantines an IP Address (Continued)

An IP address on the block list is in quarantine, meaning all traffic from that IP address is blocked. The firewall blocks the offending source IP address before additional attack packets reach the Security policy.

The following figure describes in more detail what happens after an IP address that matches the DoS Protection policy rule is put on the block list. It also describes the Block Duration timer.

Every one second, the firewall allows the IP address to come off the block list so that the firewall can test the traffic patterns and determine if the attack is ongoing. The firewall takes the following action:
During this one-second test period, the firewall allows packets that don't match the DoS Protection policy criteria (HTTP traffic in this example) through the DoS Protection policy rules to the Security policy for validation. Very few packets, if any, have time to get through because the first attack packet that the firewall receives after the IP address is let off the block list will match the DoS Protection policy criteria, quickly causing the IP address to be placed back on the block list for another second. The firewall repeats this test each second until the attack stops.
The firewall blocks all attack traffic from going past the DoS Protection policy rules (the address remains on the block list) until the Block Duration expires.
When the attack stops, the firewall does not put the IP address back on the block list. The firewall allows non-attack traffic to proceed through the DoS Protection policy rules to the Security policy rules for evaluation. You must configure a Security policy rule to allow or deny traffic because without one, an implicit Deny rule denies all traffic.


Theblocklistisbasedonasourcezoneandsourceaddresscombination.ThisbehaviorallowsduplicateIP
addressestoexistaslongastheyareindifferentzonesbelongingtoseparatevirtualrouters.
TheBlockDurationsettinginaDoSProtectionprofilespecifieshowlongthefirewallblocksthe[offending]
packetsthatmatchaDoSProtectionpolicyrule.TheattacktrafficremainsblockeduntiltheBlockDuration
expires,afterwhichtheattacktrafficmustagainexceedtheMaxRatethresholdtobeblockedagain.

Iftheattackerusesmultiplesessionsorbotsthatinitiatemultipleattacksessions,thesessions
counttowardthethresholdsintheDoSProtectionprofilewithoutaSecuritypolicydenyordrop
ruleinplace.Hence,asinglesessionattackrequiresaSecuritypolicydenyordropruleinorder
foreachpackettocounttowardthethresholds;amultiplesessionattackdoesnot.

Therefore, the DoS protection against flooding of new sessions allows the firewall to efficiently defend against a source IP address while attack traffic is ongoing and to permit non-attack traffic to pass as soon as the attack stops. Putting the offending IP address on the block list allows the DoS protection functionality to take advantage of the block list, which is designed to quarantine all activity from that source IP address, such as packets with a different application. Quarantining the IP address from all activity protects against a modern attacker who attempts a rotating application attack, in which the attacker simply changes applications to start a new attack or uses a combination of different attacks in a hybrid DoS attack. You can Monitor Blocked IP Addresses to view the block list, remove entries from it, and get additional information about an IP address on the block list.

Beginning with PAN-OS 7.0.2, it is a change in behavior that the firewall places the attacking source IP address on the block list. When the attack stops, non-attack traffic is allowed to proceed to Security policy enforcement. The attack traffic that matched the DoS Protection profile and DoS Protection policy rules remains blocked until the Block Duration expires.

Single-Session DoS Attack

A single-session DoS attack typically will not trigger Zone or DoS Protection profiles because they are attacks that are formed after the session is created. These attacks are allowed by the Security policy because a session is allowed to be created, and after the session is created, the attack drives up the packet volume and takes down the target device.
Configure DoS Protection Against Flooding of New Sessions to protect against flooding of new sessions (single-session and multiple-session flooding). In the event of a single-session attack that is underway, additionally End a Single-Session DoS Attack.

Configure DoS Protection Against Flooding of New Sessions

Step 1 Configure Security policy rules to deny traffic from the attacker's IP address and allow other traffic based on your network needs. You can specify any of the match criteria in a Security policy rule, such as source IP address. (Required for single-session attack mitigation or attacks that have not triggered the DoS Protection policy threshold; optional for multiple-session attack mitigation.)
NOTE: This step is one of the steps typically performed to stop an existing attack. See End a Single-Session DoS Attack.
Create a Security Policy Rule.

Step 2 Configure a DoS Protection profile for flood protection.
Because flood attacks can occur over multiple protocols, as a best practice, activate protection for all of the flood types in the DoS Protection profile.
1. Select Objects > Security Profiles > DoS Protection and Add a profile Name.
2. Select Classified as the Type.
3. For Flood Protection, select all types of flood protection:
   SYN Flood
   UDP Flood
   ICMP Flood
   ICMPv6 Flood
   Other IP Flood
4. When you enable SYN Flood, select the Action that occurs when connections per second (cps) exceed the Activate Rate threshold:
   a. Random Early Drop: The firewall uses an algorithm to progressively start dropping that type of packet. If the attack continues, the higher the incoming cps rate (above the Activate Rate) gets, the more packets the firewall drops. The firewall drops packets until the incoming cps rate reaches the Max Rate, at which point the firewall drops all incoming connections. Random Early Drop (RED) is the default action for SYN Flood, and the only action for UDP Flood, ICMP Flood, ICMPv6 Flood, and Other IP Flood. RED is more efficient than SYN Cookies and can handle larger attacks, but doesn't discern between good and bad traffic.
   b. SYN Cookies: Rather than immediately sending the SYN to the server, the firewall generates a cookie (on behalf of the server) to send in the SYN-ACK to the client. The client responds with its ACK and the cookie; upon this validation the firewall then sends the SYN to the server. The SYN Cookies action requires more firewall resources than Random Early Drop; it's more discerning because it affects bad traffic.
5. (Optional) On each of the flood tabs, change the following thresholds to suit your environment:
   Alarm Rate (connections/s): Specify the threshold rate (cps) above which a DoS alarm is generated. (Range is 0-2,000,000; default is 10,000.)
   Activate Rate (connections/s): Specify the threshold rate (cps) above which a DoS response is activated. When the Activate Rate threshold is reached, Random Early Drop occurs. Range is 0-2,000,000; default is 10,000. (For SYN Flood, you can select the action that occurs.)
   Max Rate (connections/s): Specify the threshold rate of incoming connections per second that the firewall allows. When the threshold is exceeded, new connections that arrive are dropped. (Range is 2-2,000,000; default is 40,000.)
   The default threshold values in this step are only starting points and might not be appropriate for your network. You must analyze the behavior of your network to properly set initial threshold values.

6. On each of the flood tabs, specify the Block Duration (in seconds), which is the length of time the firewall blocks packets that match the DoS Protection policy rule that references this profile. Specify a value greater than zero. (Range is 1-21,600; default is 300.)
   Set a low Block Duration value if you are concerned that packets you incorrectly identify as attack traffic will be blocked unnecessarily.
   Set a high Block Duration value if you are more concerned about blocking volumetric attacks than you are about incorrectly blocking packets that aren't part of an attack.
7. Click OK.
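The following is an added example, not code from this guide or from PAN-OS: a small per-second model of how the Alarm Rate, Activate Rate, Max Rate and Block Duration settings from Step 2 interact with the block-list behaviour described in the sequence of events above. The linear Random Early Drop curve, the class and function names, and the sample attack timeline are assumptions made for illustration; the firewall's real RED algorithm is not documented on this page.

```python
# Added example, not PAN-OS code: a per-second model of the Classified DoS
# Protection profile thresholds from Step 2 and of the block-list behaviour from
# the sequence of events above. The linear RED drop curve, the class and
# function names, and the sample timeline are assumptions made for illustration.
from dataclasses import dataclass


@dataclass
class DosProtectionProfile:
    alarm_rate: int = 10_000     # cps above which a DoS alarm is generated
    activate_rate: int = 10_000  # cps above which Random Early Drop starts
    max_rate: int = 40_000       # cps above which new connections are dropped
    block_duration: int = 300    # seconds that matching attack traffic stays blocked


@dataclass
class Verdict:
    attack: str              # traffic matching the DoS policy rule: allowed/red/dropped
    other: str               # the source's non-matching traffic: allowed/quarantined
    alarm: bool              # Alarm Rate exceeded this second
    drop_probability: float  # share of new matching connections dropped this second


class ClassifiedDosRule:
    """One classified DoS rule; keys on (source zone, source IP) as the block list does."""

    def __init__(self, profile: DosProtectionProfile):
        self.profile = profile
        self.block_expires = {}  # (zone, src) -> second at which the Block Duration ends

    def red_drop_probability(self, cps: int) -> float:
        # Assumption: RED ramps linearly from 0 at Activate Rate to 1 at Max Rate.
        p = self.profile
        if cps <= p.activate_rate:
            return 0.0
        if cps >= p.max_rate:
            return 1.0
        return (cps - p.activate_rate) / (p.max_rate - p.activate_rate)

    def evaluate(self, second: int, zone: str, src: str, matching_cps: int) -> Verdict:
        """Decide what happens to one second of traffic from one source."""
        key = (zone, src)
        p = self.profile
        alarm = matching_cps > p.alarm_rate

        if second < self.block_expires.get(key, 0):
            # Inside the Block Duration: attack traffic never passes the rule.
            if matching_cps > 0:
                # The first attack packet puts the source back on the block list
                # for another second, so all of its traffic is quarantined.
                return Verdict("dropped", "quarantined", alarm, 1.0)
            # The attack has stopped: non-attack traffic proceeds to Security policy.
            return Verdict("dropped", "allowed", alarm, 1.0)

        # Block Duration over (or never started): the thresholds apply again.
        self.block_expires.pop(key, None)
        if matching_cps > p.max_rate:
            # Max Rate exceeded: drop new connections and quarantine the source.
            self.block_expires[key] = second + p.block_duration
            return Verdict("dropped", "quarantined", alarm, 1.0)
        if matching_cps > p.activate_rate:
            return Verdict("red", "allowed", alarm,
                           self.red_drop_probability(matching_cps))
        return Verdict("allowed", "allowed", alarm, 0.0)


def run_sample_attack():
    """Constructed sample: a flood that stops and resumes, against a small profile."""
    rule = ClassifiedDosRule(DosProtectionProfile(
        alarm_rate=100, activate_rate=200, max_rate=400, block_duration=5))
    # (second, matching cps): constructed values, not captured traffic
    timeline = [(0, 50), (1, 150), (2, 300), (3, 500),
                (4, 500), (5, 0), (8, 0), (9, 450)]
    return [(t, rule.evaluate(t, "untrust", "203.0.113.7", cps))
            for t, cps in timeline]


if __name__ == "__main__":
    for t, v in run_sample_attack():
        print(f"t={t:>2}s attack={v.attack:<8} other={v.other:<11} "
              f"alarm={v.alarm!s:<5} drop_p={v.drop_probability:.2f}")
```

Running the sample shows the progression the guide describes: an alarm alone at 150 cps, partial RED drops at 300 cps, a Block Duration starting when 500 cps exceeds the Max Rate, the source's other traffic passing again in the second where no attack packets arrive, and the thresholds applying afresh once the Block Duration has expired.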

Step 3 Configure a DoS Protection policy rule that specifies the criteria for matching the incoming traffic.
The firewall resources are finite, so you wouldn't want to classify using source address on an internet-facing zone because there can be an enormous number of unique IP addresses that match the DoS Protection policy rule. That would require many counters and the firewall would run out of tracking resources. Instead, define a DoS Protection policy rule that classifies using the destination address (of the server you are protecting).
1. Select Policies > DoS Protection and Add a Name on the General tab. The name is case-sensitive and can be a maximum of 31 characters, including letters, numbers, spaces, hyphens, and underscores.
2. On the Source tab, choose the Type to be a Zone or Interface, and then Add the zone(s) or interface(s). Choose zone or interface depending on your deployment and what you want to protect. For example, if you have only one interface coming into the firewall, choose Interface.
3. (Optional) For Source Address, select Any for any incoming IP address to match the rule or Add an address object such as a geographical region.
4. (Optional) For Source User, select any or specify a user.
5. (Optional) Select Negate to match any sources except those you specify.
6. (Optional) On the Destination tab, choose the Type to be a Zone or Interface, and then Add the destination zone(s) or interface(s). For example, enter the security zone you want to protect.
7. (Optional) For Destination Address, select Any or enter the IP address of the device you want to protect.
8. (Optional) On the Option/Protection tab, Add a Service. Select a service or click Service and enter a Name. Select TCP or UDP. Enter a Destination Port. Not specifying a particular service allows the rule to match a flood of any protocol type without regard to an application-specific port.
9. On the Option/Protection tab, for Action, select Protect.
10. Select Classified.
11. For Profile, select the name of the DoS Protection profile you created.
12. For Address, select source-ip-only or src-dest-ip-both, which determines the type of IP address to which the rule applies. Choose the setting based on how you want the firewall to identify offending traffic:
   Specify source-ip-only if you want the firewall to classify only on the source IP address. Because attackers often test the entire network for hosts to attack, source-ip-only is the typical setting for a wider examination.
   Specify src-dest-ip-both if you want to protect against DoS attacks only on the server that has a specific destination address, and you also want to ensure that every source IP address won't surpass a specific cps threshold to that server.
13. Click OK.

Step 4 Commit. Click Commit.

End a Single-Session DoS Attack

To mitigate a single-session DoS attack, you would still Configure DoS Protection Against Flooding of New Sessions in advance. At some point after you configure the feature, a session might be established before you realize a DoS attack (from the IP address of that session) is underway. When you see a single-session DoS attack, perform the following task to end the session, so that subsequent connection attempts from that IP address trigger the DoS protection against flooding of new sessions.

Use the CLI to End a Single Attacking Session

Step 1 Identify the source IP address that is causing the attack.
For example, use the firewall Packet Capture feature with a destination filter to collect a sample of the traffic going to the destination IP address. Alternatively, use the ACC to filter on destination address to view the activity to the target host being attacked.

Step 2 Create a DoS Protection policy rule that will block the attacker's IP address after the attack thresholds are exceeded.

Step 3 Create a Security policy rule to deny the source IP address and its attack traffic.

Step 4 End any existing attacks from the attacking source IP address by executing the clear session all filter source <ip-address> operational command.
Alternatively, if you know the session ID, you can execute the clear session id <value> command to end that session only.
NOTE: If you use the clear session all filter source <ip-address> command, all sessions matching the source IP address are discarded, which can include both good and bad sessions.

After you end the existing attack session, any subsequent attempts to form an attack session are blocked by the Security policy. The DoS Protection policy counts all connection attempts toward the thresholds. When the Max Rate threshold is exceeded, the source IP address is blocked for the Block Duration, as described in Sequence of Events as Firewall Quarantines an IP Address.

Identify Sessions That Use an Excessive Percentage of the Packet Buffer

When a firewall exhibits signs of resource depletion, it might be experiencing an attack that is sending an overwhelming number of packets. In such events, the firewall starts buffering inbound packets. You can quickly identify the sessions that are using an excessive percentage of the packet buffer and mitigate their impact by discarding them.
Perform the following task on any hardware-based firewall model (not a VM-Series firewall) to identify, for each slot and dataplane, the packet buffer percentage used, the top five sessions using more than two percent of the packet buffer, and the source IP addresses associated with those sessions. Having that information allows you to take appropriate action.

View Firewall Resource Usage, Top Sessions, and Session Details

Step 1 View firewall resource usage, top sessions, and session details. Execute the following operational command in the CLI (sample output from the command follows):
admin@PA-7050> show running resource-monitor ingress-backlogs
-- SLOT:s1, DP:dp1 --
USAGE - ATOMIC: 92% TOTAL: 93%
TOP SESSIONS:
SESS-ID   PCT   GRP-ID   COUNT
6         92%   1        156
                7        1732
SESSION DETAILS
SESS-ID PROTO SZONE SRC          SPORT DST       DPORT IGR-IF       EGR-IF       APP
6       6     trust 192.168.2.35 55653 10.1.8.89 80    ethernet1/21 ethernet1/22 undecided
The command displays a maximum of the top five sessions that each use 2% or more of the packet buffer. The sample output above indicates that Session 6 is using 92% of the packet buffer with TCP packets (protocol 6) coming from source IP address 192.168.2.35.
SESS-ID: Indicates the global session ID that is used in all other show session commands. The global session ID is unique within the firewall.
GRP-ID: Indicates an internal stage of processing packets.
COUNT: Indicates how many packets are in that GRP-ID for that session.
APP: Indicates the App-ID extracted from the Session information, which can help you determine whether the traffic is legitimate. For example, if packets use a common TCP or UDP port but the CLI output indicates an APP of undecided, the packets are possibly attack traffic. The APP is undecided when Application IP Decoders cannot get enough information to determine the application. An APP of unknown indicates that Application IP Decoders cannot determine the application; a session of unknown APP that uses a high percentage of the packet buffer is also suspicious.
To restrict the display output:
On a PA-7000 Series model only, you can limit output to a slot, a dataplane, or both. For example:
admin@PA-7050> show running resource-monitor ingress-backlogs slot s1
admin@PA-7050> show running resource-monitor ingress-backlogs slot s1 dp dp1
On PA-5000 Series, PA-5200 Series, and PA-7000 Series models only, you can limit output to a dataplane. For example:
admin@PA-5060> show running resource-monitor ingress-backlogs dp dp1
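As an added example that is not part of this guide or of PAN-OS, the following Python parser reads the ingress-backlogs output shown in Step 1 and applies the triage rule the next step describes: a session holding a large share of the packet buffer whose App-ID is still undecided or unknown deserves a closer look. SAMPLE_OUTPUT is constructed from the guide's example above; the 50% "excessive" threshold, the class and function names, and the assumption that a second GRP-ID row continues the previous session are all mine.

```python
# Added example, not PAN-OS code: a parser for the "show running resource-monitor
# ingress-backlogs" output shown in Step 1, with the triage rule from the next
# step applied to it (a session holding a large share of the packet buffer whose
# APP is undecided or unknown is suspicious). SAMPLE_OUTPUT is constructed from
# the guide's example; the 50% "excessive" threshold and all names are assumptions.
import re
from dataclasses import dataclass, field

SAMPLE_OUTPUT = """\
-- SLOT:s1, DP:dp1 --
USAGE - ATOMIC: 92% TOTAL: 93%
TOP SESSIONS:
SESS-ID   PCT   GRP-ID   COUNT
6         92%   1        156
                7        1732
SESSION DETAILS
SESS-ID PROTO SZONE SRC          SPORT DST       DPORT IGR-IF       EGR-IF       APP
6       6     trust 192.168.2.35 55653 10.1.8.89 80    ethernet1/21 ethernet1/22 undecided
"""

SLOT_RE = re.compile(r"^-- SLOT:(\S+), DP:(\S+) --")
USAGE_RE = re.compile(r"USAGE - ATOMIC:\s*(\d+)%\s*TOTAL:\s*(\d+)%")
TOP_RE = re.compile(r"^(\d+)\s+(\d+)%\s+(\d+)\s+(\d+)\s*$")  # SESS-ID PCT GRP-ID COUNT
CONT_RE = re.compile(r"^\s+(\d+)\s+(\d+)\s*$")                # further GRP-ID COUNT rows
SUSPICIOUS_APPS = {"undecided", "unknown"}


@dataclass
class TopSession:
    sess_id: int
    pct: int                                    # share of the packet buffer
    groups: dict = field(default_factory=dict)  # GRP-ID -> buffered packet count


@dataclass
class SessionDetail:
    sess_id: int
    proto: int
    szone: str
    src: str
    sport: int
    dst: str
    dport: int
    igr_if: str
    egr_if: str
    app: str


@dataclass
class BacklogReport:
    slot: str
    dp: str
    atomic_pct: int = 0
    total_pct: int = 0
    top: list = field(default_factory=list)
    details: dict = field(default_factory=dict)  # sess_id -> SessionDetail


def parse_ingress_backlogs(text: str) -> list:
    """Return one BacklogReport per '-- SLOT:..., DP:... --' block in the output."""
    reports, report, section = [], None, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line.strip():
            continue
        m = SLOT_RE.match(line)
        if m:
            report = BacklogReport(slot=m.group(1), dp=m.group(2))
            reports.append(report)
            section = None
        if report is None:
            continue
        m = USAGE_RE.search(line)  # may sit on the SLOT line or on its own line
        if m:
            report.atomic_pct, report.total_pct = int(m.group(1)), int(m.group(2))
            continue
        if line.startswith("TOP SESSIONS"):
            section = "top"
        elif line.startswith("SESSION DETAILS"):
            section = "details"
        elif line.startswith("SESS-ID"):
            pass  # column header row
        elif section == "top":
            m = TOP_RE.match(line)
            if m:
                sid, pct, grp, cnt = map(int, m.groups())
                report.top.append(TopSession(sid, pct, {grp: cnt}))
            else:
                m = CONT_RE.match(line)
                if m and report.top:
                    report.top[-1].groups[int(m.group(1))] = int(m.group(2))
        elif section == "details":
            f = line.split()
            if len(f) == 10 and f[0].isdigit():
                report.details[int(f[0])] = SessionDetail(
                    int(f[0]), int(f[1]), f[2], f[3], int(f[4]),
                    f[5], int(f[6]), f[7], f[8], f[9])
    return reports


def suspicious_sessions(reports: list, min_pct: int = 50) -> list:
    """Top sessions at or above min_pct of the buffer whose App-ID is undecided/unknown."""
    hits = []
    for r in reports:
        for s in r.top:
            d = r.details.get(s.sess_id)
            if s.pct >= min_pct and d is not None and d.app in SUSPICIOUS_APPS:
                hits.append((r.slot, r.dp, s.sess_id, d.src, s.pct, d.app))
    return hits


if __name__ == "__main__":
    for slot, dp, sid, src, pct, app in suspicious_sessions(parse_ingress_backlogs(SAMPLE_OUTPUT)):
        print(f"{slot}/{dp}: session {sid} from {src} holds {pct}% of the buffer, APP={app}")
```

On a PA-7000 Series the output repeats the SLOT/DP block per dataplane, so the parser returns a list of reports; feeding it the output of the slot- or dp-restricted commands above works the same way.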

Step 2 Use the command output to determine whether the source at the source IP address using a high percentage of the packet buffer is sending legitimate or attack traffic.
In the sample output above, a single-session attack is likely occurring. A single session (Session ID 6) is using 92% of the packet buffer for Slot 1, DP 1, and the application at that point is undecided.
If you determine a single user is sending an attack and the traffic is not offloaded, you can End a Single-Session DoS Attack. At a minimum, you can Configure DoS Protection Against Flooding of New Sessions.
On a hardware model that has a field-programmable gate array (FPGA), the firewall offloads traffic to the FPGA when possible to increase performance. If the traffic is offloaded to hardware, clearing the session does not help because then it is the software that must handle the barrage of packets. You should instead Discard a Session Without a Commit.
To see whether a session is offloaded or not, use the show session id <session-id> operational command in the CLI as shown in the following example. The layer7 processing value indicates completed for sessions offloaded or enabled for sessions not offloaded.

Discard a Session Without a Commit

Perform this task to permanently discard a session, such as a session that is overloading the packet buffer. No commit is required; the session is discarded immediately after executing the command. The commands apply to both offloaded and non-offloaded sessions.

Step 1 In the CLI, execute the following operational command on any hardware model:
admin@PA-7050> request session-discard [timeout <seconds>] [reason <reason-string>] id <session-id>
The default timeout is 3,600 seconds.

Step 2 Verify that sessions have been discarded.
admin@PA-7050> show session all filter state discard

Certifications
The following topics describe how to configure Palo Alto Networks firewalls and appliances to support the Common Criteria and the Federal Information Processing Standard 140-2 (FIPS 140-2), which are security certifications that ensure a standard set of security assurances and functionalities. These certifications are often required by civilian U.S. government agencies and government contractors.
Visit the Palo Alto Networks website for details about Certifications.
Enable FIPS and Common Criteria Support
FIPS-CC Security Functions

Enable FIPS and Common Criteria Support

Use the following procedures to enable FIPS-CC mode on a software version that supports Common Criteria and the Federal Information Processing Standards 140-2 (FIPS 140-2). When you enable FIPS-CC mode, all FIPS and CC functionality is included.
FIPS-CC mode is supported on all Palo Alto Networks next-generation firewalls and appliances including VM-Series firewalls. To enable FIPS-CC mode, first boot the firewall into the Maintenance Recovery Tool (MRT) and then change the operational mode from normal mode to FIPS-CC mode. The procedure to change the operational mode is the same for all firewalls and appliances but the procedure to access the MRT varies.

When you enable FIPS-CC mode, the firewall will reset to the factory default settings; all configuration will be removed.

Access the Maintenance Recovery Tool (MRT)
Change the Operational Mode to FIPS-CC Mode

Access the Maintenance Recovery Tool (MRT)

The Maintenance Recovery Tool (MRT) enables you to perform several tasks on Palo Alto Networks firewalls and appliances. For example, you can revert the firewall or appliance to factory default settings, revert PAN-OS or a content update to a previous version, run diagnostics on the file system, gather system information, and extract logs. Additionally, you can use the MRT to Change the Operational Mode to FIPS-CC Mode or from FIPS-CC mode to normal mode.
The following procedures describe how to access the Maintenance Recovery Tool (MRT) on various Palo Alto Networks products.

Access the MRT on hardware firewalls and appliances (such as PA-200 firewalls, PA-7000 Series firewalls, or M-Series appliances).
1. Establish a serial console session to the firewall or appliance.
   a. Connect a serial cable from the serial port on your computer to the console port on the firewall or appliance.
   NOTE: If your computer does not have a 9-pin serial port but does have a USB port, use a serial-to-USB converter to establish the connection. If the firewall has a micro USB console port, connect to the port using a standard Type-A USB to micro USB cable.
   b. Open and set the terminal emulation software on your computer to 9600-8-N-1 and then connect to the appropriate COM port.
   On a Windows system, you can go to the Control Panel to view the COM port settings for Devices and Printers to determine which COM port is assigned to the console.
   c. Log in using an administrator account. (The default username/password is admin/admin.)
2. Enter the following CLI command and press y to confirm:
   debug system maintenance-mode
3. After the firewall or appliance boots to the MRT welcome screen (in approximately 2 to 3 minutes), press Enter on Continue to access the MRT main menu.
   You can also access the MRT by rebooting the firewall or appliance and entering maint at the maintenance mode prompt. A direct serial console connection is required.

   After the firewall or appliance boots into the MRT, you can access the MRT remotely by establishing an SSH connection to the management (MGT) interface IP address and then logging in using maint as the username and the firewall or appliance serial number as the password.

Access the MRT on VM-Series firewalls deployed in a private cloud (such as on a VMware ESXi or KVM hypervisor).
1. Establish an SSH session to the management IP address of the firewall and log in using an administrator account.
2. Enter the following CLI command and press y to confirm:
   debug system maintenance-mode
   NOTE: It will take approximately 2 to 3 minutes for the firewall to boot to the MRT. During this time, your SSH session will disconnect.
3. After the firewall boots to the MRT welcome screen, log in based on the operational mode:
   Normal mode: Establish an SSH session to the management IP address of the firewall and log in using maint as the username and the firewall or appliance serial number as the password.
   FIPS-CC mode: Access the virtual machine management utility (such as the vSphere client) and connect to the virtual machine console.
4. From the MRT welcome screen, press Enter on Continue to access the MRT main menu.

Access the MRT on VM-Series firewalls deployed in the public cloud (such as AWS or Azure).
1. Establish an SSH session to the management IP address of the firewall and log in using an administrator account.
2. Enter the following CLI command and press y to confirm:
   debug system maintenance-mode
   NOTE: It will take approximately 2 to 3 minutes for the firewall to boot to the MRT. During this time, your SSH session will disconnect.
3. After the firewall boots to the MRT welcome screen, log in based on the virtual machine type:
   AWS: Log in as ec2-user and select the SSH public key associated with the virtual machine when you deployed it.
   Azure: Enter the credentials you created when you deployed the VM-Series firewall.
4. From the MRT welcome screen, press Enter on Continue to access the MRT main menu.

Change the Operational Mode to FIPS-CC Mode

The following procedure describes how to change the operational mode of a Palo Alto Networks product from normal mode to FIPS-CC mode.

Step 1 Connect to the firewall or appliance and Access the Maintenance Recovery Tool (MRT).

Step 2 Select Set FIPS-CC Mode from the menu.

Step 3 Enable FIPS-CC Mode. The mode change operation starts and a status indicator shows progress. After the mode change is complete, the status shows Success.

Step 4 When prompted, select Reboot.
If you change the operational mode on a VM-Series firewall deployed in the public cloud (AWS or Azure) and you lose your SSH connection to the MRT before you are able to Reboot, you must wait 10-15 minutes for the mode change to complete, log back in to the MRT, and then reboot the firewall to complete the operation.
After you switch to FIPS-CC mode, you see the following status: FIPS-CC mode enabled successfully. In addition, the following changes are in effect:
FIPS-CC displays at all times in the status bar at the bottom of the web interface.
The default administrator login credentials change to admin/paloalto.
See FIPS-CC Security Functions for details on the security functions that are enforced in FIPS-CC mode.

FIPS-CC Security Functions

When FIPS-CC mode is enabled, the following security functions are enforced on all firewalls and appliances:
To log in, the browser must be TLS 1.1 (or later) compatible; on a WF-500 appliance, you manage the appliance only through the CLI and you must connect using an SSHv2-compatible client application.
All passwords must be at least six characters.
You must ensure that Failed Attempts and Lockout Time (min) are greater than 0 in authentication settings. If an administrator reaches the Failed Attempts threshold, the administrator is locked out for the duration defined in the Lockout Time (min) field.
You must ensure that the Idle Timeout is greater than 0 in authentication settings. If a login session is idle for more than the specified time, the administrator is automatically logged out.
The firewall or appliance automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
Unapproved FIPS-CC algorithms are not decrypted; they are ignored during decryption.
When configuring an IPSec VPN, the administrator must select a cipher suite option presented to them during the IPSec setup.
Self-generated and imported certificates must contain public keys that are either RSA 2,048 bits (or more) or ECDSA 256 bits (or more); you must also use a digest of SHA256 or greater.

You cannot use a hardware security module (HSM) to store the private ECDSA keys used for SSL Forward Proxy or SSL Inbound Inspection.

Telnet, TFTP, and HTTP management connections are not available.
High availability (HA) port encryption is required.
The serial console port in FIPS-CC mode functions as a limited status output port only; CLI access is not available.
The serial console port on hardware and private cloud VM-Series firewalls booted into the MRT provides interactive access to the MRT.
Interactive console access is not supported in the hypervisor environment private cloud VM-Series firewalls booted into the MRT; you can access the MRT only using SSH.
