PAN-OS

Web Interface
Reference Guide

Version 8.0

Contact Information

Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contactsupport

About this Guide

This guide describes the Palo Alto Networks next-generation firewall and Panorama web interfaces. It provides reference information on how to populate fields within these web interfaces. For additional information, refer to the following resources:

For information on the additional capabilities and for instructions on configuring the features on the firewall, refer to https://www.paloaltonetworks.com/documentation.

For access to the knowledge base, discussion forums, and videos, refer to https://live.paloaltonetworks.com.

For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.

For the most current PAN-OS and Panorama 8.0 release notes, see https://www.paloaltonetworks.com/documentation/80/panos/panosreleasenotes.

To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.

www.paloaltonetworks.com

2014-2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Revision Date: February 6, 2017

2 PAN-OS 8.0 Web Interface Reference Guide Palo Alto Networks, Inc.
Table of Contents

Web Interface Basics .... 13
  Firewall Overview .... 14
  Features and Benefits .... 15
  Last Login Time and Failed Login Attempts .... 16
  Message of the Day .... 17
  Task Manager .... 18
  Language .... 20
  Alarms .... 20
  Commit Changes .... 21
  Save Candidate Configurations .... 25
  Revert Changes .... 29
  Lock Configurations .... 33
  Global Find .... 34
  Threat Details .... 35
  AutoFocus Intelligence Summary .... 37

Dashboard .... 39

ACC .... 41
  A First Glance at the ACC .... 42
  ACC Tabs .... 43
  ACC Widgets .... 44
  ACC Actions .... 45

Monitor .... 49
  Monitor > Logs .... 50
    Log Types .... 50
    Log Actions .... 53
  Monitor > External Logs .... 55
  Monitor > Automated Correlation Engine .... 56
  Monitor > Automated Correlation Engine > Correlation Objects .... 57
  Monitor > Automated Correlation Engine > Correlated Events .... 58
  Monitor > Packet Capture .... 59
    Packet Capture Overview .... 59
    Building Blocks for a Custom Packet Capture .... 60
    Enable Threat Packet Capture .... 63
  Monitor > App Scope .... 64
    Summary Report .... 65
    Change Monitor Report .... 66
    Threat Monitor Report .... 67
    Threat Map Report .... 68
    Network Monitor Report .... 69
    Traffic Map Report .... 71
  Monitor > Session Browser .... 72
  Monitor > Block IP List .... 73
    Block IP List Entries .... 73
    View or Delete Block IP List Entries .... 74
  Monitor > Botnet .... 75
    Managing Botnet Reports .... 75
    Configuring the Botnet Report .... 76
  Monitor > PDF Reports .... 77
  Monitor > PDF Reports > Manage PDF Summary .... 78
  Monitor > PDF Reports > User Activity Report .... 80
  Monitor > PDF Reports > SaaS Application Usage .... 81
  Monitor > PDF Reports > Report Groups .... 83
  Monitor > PDF Reports > Email Scheduler .... 84
  Monitor > Manage Custom Reports .... 85
  Monitor > Reports .... 86
Policies .... 87
  Policy Types .... 88
  Move or Clone a Policy Rule .... 89
  Policies > Security .... 90
    Security Policy Overview .... 90
    Building Blocks in a Security Policy Rule .... 91
    Creating and Managing Policies .... 98
    Overriding or Reverting a Security Policy Rule .... 100
  Policies > NAT .... 102
    General Tab .... 102
    Original Packet Tab .... 103
    Translated Packet Tab .... 104
    Active/Active HA Binding Tab .... 105
  Policies > QoS .... 107
  Policies > Policy Based Forwarding .... 111
    General Tab .... 111
    Source Tab .... 112
    Destination/Application/Service Tab .... 113
    Forwarding Tab .... 113
  Policies > Decryption .... 115
    General Tab .... 115
    Source Tab .... 116
    Destination Tab .... 117
    Service/URL Category Tab .... 118
    Options Tab .... 118
  Policies > Tunnel Inspection .... 119
    Building Blocks in a Tunnel Inspection Policy .... 119
  Policies > Application Override .... 122
    General Tab .... 123
    Source Tab .... 123
    Destination Tab .... 124
    Protocol/Application Tab .... 124
  Policies > Authentication .... 125
    Building Blocks of an Authentication Policy Rule .... 125
    Create and Manage Authentication Policy .... 128
  Policies > DoS Protection .... 129
    DoS Protection Policy Overview .... 129
    Building Blocks of a DoS Protection Policy .... 130
Objects .... 133
  Move, Clone, Override, or Revert Objects .... 134
    Move or Clone an Object .... 134
    Override or Revert an Object .... 134
  Objects > Addresses .... 136
  Objects > Address Groups .... 138
  Objects > Regions .... 140
  Objects > Applications .... 141
    Applications Overview .... 141
    Actions Supported on Applications .... 145
    Defining Applications .... 147
  Objects > Application Groups .... 150
  Objects > Application Filters .... 151
  Objects > Services .... 152
  Objects > Service Groups .... 153
  Objects > Tags .... 154
    Create Tags .... 154
    Use the Tag Browser .... 155
    Manage Tags .... 156
  Objects > External Dynamic Lists .... 158
  Objects > Custom Objects .... 161
  Objects > Custom Objects > Data Patterns .... 162
    Data Pattern Settings .... 162
    Syntax for Regular Expression Data Patterns .... 163
    Regular Expression Data Pattern Examples .... 164
  Objects > Custom Objects > Spyware/Vulnerability .... 165
  Objects > Custom Objects > URL Category .... 169
  Objects > Security Profiles .... 170
    Actions in Security Profiles .... 170
  Objects > Security Profiles > Antivirus .... 173
  Objects > Security Profiles > Anti-Spyware Profile .... 175
  Objects > Security Profiles > Vulnerability Protection .... 178
  Objects > Security Profiles > URL Filtering .... 181
    General Settings .... 181
    Categories .... 182
    Overrides .... 183
    URL Filtering Settings .... 185
    User Credential Detection .... 186
  Objects > Security Profiles > File Blocking .... 188
  Objects > Security Profiles > WildFire Analysis .... 190
  Objects > Security Profiles > Data Filtering .... 191
  Objects > Security Profiles > DoS Protection .... 193
  Objects > Security Profile Groups .... 196
  Objects > Log Forwarding .... 197
  Objects > Authentication .... 200
  Objects > Decryption Profile .... 202
    Decryption Profile General Settings .... 202
    Settings to Control Decrypted SSL Traffic .... 203
    Settings to Control Traffic that is not Decrypted .... 205
    Settings to Control Decrypted SSH Traffic .... 205
  Objects > Schedules .... 207
Network .... 209
  Network > Virtual Wires .... 210
  Network > Interfaces .... 211
    Firewall Interfaces Overview .... 212
    Common Building Blocks for Firewall Interfaces .... 212
    Common Building Blocks for PA-7000 Series Firewall Interfaces .... 213
    Layer 2 Interface .... 214
    Layer 2 Subinterface .... 215
    Layer 3 Interface .... 215
    Layer 3 Subinterface .... 226
    Virtual Wire Interface .... 235
    Virtual Wire Subinterface .... 236
    Tap Interface .... 237
    Log Card Interface .... 238
    Log Card Subinterface .... 239
    Decrypt Mirror Interface .... 240
    Aggregate Ethernet (AE) Interface Group .... 241
    Aggregate Ethernet (AE) Interface .... 244
    HA Interface .... 249
  Network > Interfaces > VLAN .... 250
  Network > Interfaces > Loopback .... 256
  Network > Interfaces > Tunnel .... 258
  Network > Virtual Routers .... 260
    General Settings of a Virtual Router .... 261
    Static Routes .... 261
    Route Redistribution .... 264
    RIP .... 265
    OSPF .... 268
    OSPFv3 .... 274
    BGP .... 281
    IP Multicast .... 296
    ECMP .... 300
    More Runtime Stats for a Virtual Router .... 302
  Network > Zones .... 311
    Building Blocks of Security Zones .... 311
  Network > VLANs .... 314
  Network > IPSec Tunnels .... 315
    IPSec VPN Tunnel Management .... 315
    IPSec Tunnel General Tab .... 316
    IPSec Tunnel Proxy IDs Tab .... 318
    IPSec Tunnel Status on the Firewall .... 319
    IPSec Tunnel Restart or Refresh .... 319
  Network > DHCP .... 320
    DHCP Overview .... 320
    DHCP Addressing .... 321
    DHCP Server .... 321
    DHCP Relay .... 324
    DHCP Client .... 324
  Network > DNS Proxy .... 325
    DNS Proxy Overview .... 325
    DNS Proxy Settings .... 326
    Additional DNS Proxy Actions .... 328
  Network > QoS .... 329
    QoS Interface Settings .... 329
    QoS Interface Statistics .... 331
  Network > LLDP .... 332
    Building Blocks of LLDP .... 332
  Network > Network Profiles .... 335
  Network > Network Profiles > GlobalProtect IPSec Crypto .... 336
  Network > Network Profiles > IKE Gateways .... 337
    IKE Gateway Management .... 337
    IKE Gateway General Tab .... 338
    IKE Gateway Advanced Options Tab .... 341
    IKE Gateway Restart or Refresh .... 342
  Network > Network Profiles > IPSec Crypto .... 343
  Network > Network Profiles > IKE Crypto .... 344
  Network > Network Profiles > Interface Mgmt .... 345
  Network > Network Profiles > Monitor .... 346
  Network > Network Profiles > Zone Protection .... 347
    Building Blocks of Zone Protection Profiles .... 348
    Flood Protection .... 349
    Reconnaissance Protection .... 352
    Packet Based Attack Protection .... 353
    Protocol Protection .... 360
  Network > Network Profiles > LLDP Profile .... 361
  Network > Network Profiles > BFD Profile .... 362
    BFD Overview .... 362
    Building Blocks of a BFD Profile .... 363
  Network > Network Profiles > QoS .... 365
Device .... 367
  Device > Setup .... 368
  Device > Setup > Management .... 369
  Device > Setup > Operations .... 384
    Enable SNMP Monitoring .... 390
  Device > Setup > HSM .... 392
    Hardware Security Module Provider Settings .... 392
    HSM Authentication .... 393
    Hardware Security Module Provider Configuration and Status .... 393
    Hardware Security Module Status .... 394
  Device > Setup > Services .... 395
    Destination Service Route .... 399
  Device > Setup > Interfaces .... 400
  Device > Setup > Telemetry .... 404
  Device > Setup > Content-ID .... 406
  Device > Setup > WildFire .... 410
  Device > Setup > Session .... 412
    Session Settings .... 412
    Session Timeouts .... 414
    TCP Settings .... 416
    Decryption Settings: Certificate Revocation Checking .... 418
    Decryption Settings: Forward Proxy Server Certificate Settings .... 419
    VPN Session Settings .... 420
  Device > High Availability .... 421
    HA Lite .... 421
    Important Considerations for Configuring HA .... 421
    Configure HA Settings .... 422
  Device > Config Audit .... 432
  Device > Password Profiles .... 433
    Username and Password Requirements .... 434
  Device > Administrators .... 435
  Device > Admin Roles .... 437
  Device > Access Domain .... 439
  Device > Authentication Profile .... 440
    Configure an Authentication Profile .... 440
    Export SAML Metadata from an Authentication Profile .... 445
  Device > Authentication Sequence .... 447
  Device > VM Information Sources .... 448
  Device > Virtual Systems .... 452
  Device > Shared Gateways .... 454
  Device > Certificate Management .... 455
  Device > Certificate Management > Certificates .... 456
    Manage Firewall and Panorama Certificates .... 456
    Manage Default Trusted Certificate Authorities .... 460
  Device > Certificate Management > Certificate Profile .... 461
  Device > Certificate Management > OCSP Responder .... 463
  Device > Certificate Management > SSL/TLS Service Profile .... 464
  Device > Certificate Management > SCEP .... 465
  Device > Certificate Management > SSL Decryption Exclusion .... 468
  Device > Response Pages .... 470
  Device > Log Settings .... 472
    Select Log Forwarding Destinations .... 472
    Define Alarm Settings .... 474
    Clear Logs .... 475
  Device > Server Profiles .... 476
  Device > Server Profiles > SNMP Trap .... 477
  Device > Server Profiles > Syslog .... 479
  Device > Server Profiles > Email .... 481
  Device > Server Profiles > HTTP .... 482
  Device > Server Profiles > NetFlow .... 484
  Device > Server Profiles > RADIUS .... 485
  Device > Server Profiles > TACACS+ .... 486
  Device > Server Profiles > LDAP .... 487
  Device > Server Profiles > Kerberos .... 489
  Device > Server Profiles > SAML Identity Provider .... 490
  Device > Server Profiles > DNS .... 493
  Device > Server Profiles > Multi Factor Authentication .... 494
  Device > Local User Database > Users .... 496
  Device > Local User Database > User Groups .... 497
  Device > Scheduled Log Export .... 498
  Device > Software .... 499
  Device > Dynamic Updates .... 501
  Device > Licenses .... 505
    Behavior on License Expiry .... 506
  Device > Support .... 507
  Device > Master Key and Diagnostics .... 508
User Identification .... 511
  Device > User Identification > User Mapping .... 512
    Enable WMI Authentication .... 513
    Enable Client Probing .... 513
    Enable Server Monitoring .... 514
    Configure Cache Timeouts for User Mapping Entries .... 516
    Enable NTLM Authentication .... 516
    Enable Redistribution of User Mappings Among Firewalls .... 517
    Manage Syslog Message Filters .... 518
    Manage the User Ignore List .... 519
    Monitor Servers .... 520
    Include or Exclude Subnetworks for User Mapping .... 522
  Device > User Identification > Connection Security .... 524
  Device > User Identification > User-ID Agents .... 525
    Configure Access to User-ID Agents .... 525
    Manage Access to User-ID Agents .... 527
  Device > User Identification > Terminal Services Agents .... 528
  Device > User Identification > Group Mapping Settings .... 529
  Device > User Identification > Captive Portal Settings .... 533
GlobalProtect .... 537
  Network > GlobalProtect > Portals .... 538
    General Tab .... 539
    Authentication Configuration Tab .... 540
    Agent Configuration Tab .... 542
    Clientless Configuration Tab .... 556
    Satellite Configuration Tab .... 559
  Network > GlobalProtect > Gateways .... 562
    General Tab .... 563
    Authentication Tab .... 564
    Agent Tab .... 564
    Satellite Configuration Tab .... 572
  Network > GlobalProtect > MDM .... 574
  Network > GlobalProtect > Block List .... 575
  Network > GlobalProtect > Clientless Apps .... 576
  Network > GlobalProtect > Clientless App Groups .... 577
  Objects > GlobalProtect > HIP Objects .... 578
    General Tab .... 579
    Mobile Device Tab .... 580
    Patch Management Tab .... 581
    Firewall Tab .... 582
    Antivirus Tab .... 582
    Anti-Spyware Tab .... 583
    Disk Backup Tab .... 583
    Disk Encryption Tab .... 584
    Data Loss Prevention Tab .... 584
    Custom Checks Tab .... 585
  Objects > GlobalProtect > HIP Profiles .... 586
  Device > GlobalProtect Client .... 588
    Managing the GlobalProtect Agent Software .... 588
    Setting Up the GlobalProtect Agent .... 589
    Using the GlobalProtect Agent .... 590
Panorama Web Interface ..... 591
Use the Panorama Web Interface ..... 593
Context Switch ..... 597
Panorama Commit Operations ..... 598
Defining Policies on Panorama ..... 607
Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode ..... 608
Panorama > Setup > Interfaces ..... 609
Panorama > High Availability ..... 611
Panorama > Managed WildFire Clusters ..... 614
Managed WildFire Cluster Tasks ..... 614
Managed WildFire Appliance Tasks ..... 615
Managed WildFire Information ..... 616
Managed WildFire Cluster and Appliance Administration ..... 619
Panorama > Administrators ..... 627
Panorama > Admin Roles ..... 629
Panorama > Access Domains ..... 631
Panorama > Managed Devices ..... 632
Managed Firewall Administration ..... 632
Managed Firewall Information ..... 633
Firewall Software and Content Updates ..... 635
Firewall Backups ..... 636
Panorama > Templates ..... 638
Templates ..... 638
Template Stacks ..... 640
Panorama > Device Groups ..... 641
Panorama > Managed Collectors ..... 643
Log Collector Information ..... 643
Log Collector Configuration ..... 644
Software Updates for Dedicated Log Collectors ..... 652
Panorama > Collector Groups ..... 654
Collector Group Configuration ..... 654
Collector Group Information ..... 659
Panorama > Plugins ..... 660

Palo Alto Networks, Inc. PAN-OS 8.0 Web Interface Reference Guide 11

Panorama > VMware NSX ..... 661
Configure a Notify Group ..... 662
Create Service Definitions ..... 663
Configure Access to the NSX Manager ..... 664
Create Steering Rules ..... 665
Panorama > Log Ingestion Profile ..... 667
Panorama > Log Settings ..... 668
Panorama > Scheduled Config Export ..... 670
Panorama > Software ..... 671
Manage Panorama Software Updates ..... 672
Display Panorama Software Update Information ..... 673
Panorama > Device Deployment ..... 674
Manage Software and Content Updates ..... 674
Display Software and Content Update Information ..... 676
Schedule Dynamic Content Updates ..... 677
Manage Firewall Licenses ..... 678

Web Interface Basics

Firewall Overview
Features and Benefits
Last Login Time and Failed Login Attempts
Message of the Day
Task Manager
Language
Alarms
Commit Changes
Save Candidate Configurations
Revert Changes
Lock Configurations
Global Find
Threat Details
AutoFocus Intelligence Summary


Firewall Overview

Palo Alto Networks next-generation firewalls safely enable applications and prevent modern threats by inspecting all traffic (applications, threats, and content) and tying it to the user, regardless of location or device type. The application, content, and user (the elements that run your business) become integral components of your Security policy. This allows you to align security with your key business initiatives. With our next-generation security platform, you reduce response times to incidents, discover unknown threats, and streamline security network deployment.
• Safely enable applications, users, and content by classifying all traffic, determining the business use case, and assigning policies to allow and protect access to relevant applications.
• Prevent threats by eliminating unwanted applications to reduce your threat footprint and apply targeted Security policy rules to block known vulnerability exploits, viruses, spyware, botnets, and unknown malware (APTs).
• Protect your data centers through the validation of applications, isolation of data, control over rogue applications, and high-speed threat prevention.
• Secure public and private cloud computing environments with increased visibility and control; deploy, enforce, and maintain Security policy rules at the same pace as your virtual machines.


Features and Benefits

The Palo Alto Networks next-generation firewalls provide granular control over the traffic allowed to access your network. The primary features and benefits include:
• Application-based policy enforcement (App-ID): Access control according to application type is far more effective when application identification is based on more than just protocol and port number. The App-ID service can block high-risk applications, as well as high-risk behavior, such as file sharing, and traffic encrypted with the Secure Sockets Layer (SSL) protocol can be decrypted and inspected.
• User identification (User-ID): The User-ID feature allows administrators to configure and enforce firewall policies based on users and user groups instead of or in addition to network zones and addresses. The firewall can communicate with many directory servers, such as Microsoft Active Directory, eDirectory, SunOne, OpenLDAP, and most other LDAP-based directory servers to provide user and group information to the firewall. You can then use this information for secure application enablement that can be defined per user or group. For example, the administrator could allow one organization to use a web-based application but not allow any other organizations in the company to use that same application. You can also configure granular control of certain components of an application based on users and groups (see User Identification).
• Threat prevention: Threat prevention services that protect the network from viruses, worms, spyware, and other malicious traffic can be varied by application and traffic source (see Objects > Security Profiles).
• URL filtering: Outbound connections can be filtered to prevent access to inappropriate web sites (see Objects > Security Profiles > URL Filtering).
• Traffic visibility: Extensive reports, logs, and notification mechanisms provide detailed visibility into network application traffic and security events. The Application Command Center (ACC) in the web interface identifies the applications with the most traffic and the highest security risk (see Monitor).
• Networking versatility and speed: The Palo Alto Networks firewall can augment or replace your existing firewall and can be installed transparently in any network or configured to support a switched or routed environment. Multi-gigabit speeds and a single-pass architecture provide these services to you with little or no impact on network latency.
• GlobalProtect: The GlobalProtect software provides security for client systems, such as laptops that are used in the field, by allowing easy and secure login from anywhere in the world.
• Fail-safe operation: High availability (HA) support provides automatic failover in the event of any hardware or software disruption (see Device > Virtual Systems).
• Malware analysis and reporting: The WildFire cloud-based analysis service provides detailed analysis and reporting on malware that passes through the firewall. Integration with the AutoFocus threat intelligence service allows you to assess the risk associated with your network traffic at organization, industry, and global levels.
• VM-Series firewall: A VM-Series firewall provides a virtual instance of PAN-OS positioned for use in a virtualized data center environment and is ideal for your private, public, and hybrid cloud computing environments.
• Management and Panorama: You can manage each firewall through an intuitive web interface or through a command-line interface (CLI), or you can centrally manage all firewalls through the Panorama centralized management system, which has a web interface very similar to the web interface on Palo Alto Networks firewalls.


Last Login Time and Failed Login Attempts

To detect misuse and prevent exploitation of a privileged account, such as an administrative account on a Palo Alto Networks firewall or Panorama, the web interface and the command-line interface (CLI) display your last login time and any failed login attempts for your username when you log in. This information allows you to easily identify whether someone is using your administrative credentials to launch an attack.
After you log in to the web interface, the last login time information appears at the bottom left of the window. If one or more failed logins occurred since the last successful login, a caution icon appears to the right of the last login information. Hover over the caution symbol to view the number of failed login attempts or click to view the Failed Login Attempts Summary window, which lists the administrative account name, the source IP address, and the reason for the login failure.
If you see multiple failed login attempts that you do not recognize as your own, you should work with your network administrator to locate the system that is performing the brute-force attack and then investigate the user and host computer to identify and eradicate any malicious activity. If you see that the last login date and time indicates an account compromise, you should immediately change your password and then perform a configuration audit to determine if suspicious configuration changes were committed. Revert the configuration to a known-good configuration if you see that logs were cleared or if you have difficulty determining if improper changes were made using your account.
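The same check the section describes, run over System log lines instead of the login banner, as an added example that is not from the guide: the log lines are constructed and reduced to three assumed fields (time, event id, description), the thresholds are assumptions, and the script reports which sources produced a burst of failed administrator logins and whether a successful login from that source followed.

```python
"""Flag brute-force attempts against firewall administrator logins.

Added example, not part of the PAN-OS guide. It runs the check the guide
describes (repeated failed logins, then a login you do not recognize) over
System log lines. The lines below are constructed and reduced to three
fields (time, event id, description); a real PAN-OS System log forwarded
via syslog carries more columns, so adapt LINE_RE to your export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of failures from one source against two accounts,
# followed by a success from that same source, plus unrelated normal activity.
SAMPLE_LOG = """\
2017/02/06 09:14:02,auth-fail,failed authentication for user 'admin'. Reason: Invalid username/password From: 203.0.113.45.
2017/02/06 09:14:05,auth-fail,failed authentication for user 'admin'. Reason: Invalid username/password From: 203.0.113.45.
2017/02/06 09:14:09,auth-fail,failed authentication for user 'admin'. Reason: Invalid username/password From: 203.0.113.45.
2017/02/06 09:14:12,auth-fail,failed authentication for user 'admin'. Reason: Invalid username/password From: 203.0.113.45.
2017/02/06 09:14:15,auth-fail,failed authentication for user 'netops'. Reason: Invalid username/password From: 203.0.113.45.
2017/02/06 09:14:20,auth-success,authenticated for user 'admin'. From: 203.0.113.45.
2017/02/06 09:30:00,auth-fail,failed authentication for user 'netops'. Reason: Invalid username/password From: 198.51.100.7.
2017/02/06 10:02:44,auth-success,authenticated for user 'netops'. From: 198.51.100.7.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),(?P<event>auth-fail|auth-success),"
    r".*?user '(?P<user>[^']+)'\.(?: Reason: (?P<reason>.*?))? From: (?P<src>[\d.]+)\.$"
)


def parse_events(text):
    """Turn matching log lines into dicts; lines that are not auth events are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                "event": m["event"], "user": m["user"],
                "reason": m["reason"], "src": m["src"],
            })
    return events


def failed_login_summary(events, user):
    """Rows like the Failed Login Attempts Summary window: (time, source IP, reason)."""
    return [(e["time"], e["src"], e["reason"])
            for e in events if e["event"] == "auth-fail" and e["user"] == user]


def find_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Sources with >= threshold failures inside any sliding window of `window`.

    Returns {src: {"failures", "users", "reasons", "success_after"}}; success_after
    is True when the same source logged in successfully at or after the burst,
    which the guide says to treat as a possible account compromise.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["event"] == "auth-fail"]
        start, burst = 0, None
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1                      # slide the window forward
            if end - start + 1 >= threshold:
                burst = (fails[start]["time"], fails[end]["time"])
        if burst is None:
            continue
        findings[src] = {
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "reasons": sorted({e["reason"] for e in fails}),
            "success_after": any(e["event"] == "auth-success" and e["time"] >= burst[1]
                                 for e in evs),
        }
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for row in failed_login_summary(events, "admin"):
        print("failed login for admin:", row)
    for src, info in find_bruteforce(events).items():
        print(f"{src}: {info['failures']} failures against {info['users']}, "
              f"success after burst: {info['success_after']}")
```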


Message of the Day

If you or another administrator configured a message of the day, or Palo Alto Networks embedded one as part of a software or content release, a Message of the Day dialog displays automatically when users log in to the web interface. This ensures that users see important information, such as an impending system restart, that impacts the tasks they intend to perform.
The dialog displays one message per page. If the dialog includes the option to select Do not show again, you can select it for each message that you don't want the dialog to display after subsequent logins.

Any time the Message of the Day changes, the message appears in your next session even if you selected Do not show again during a previous login. You must then reselect this option to avoid seeing the modified message in subsequent sessions.

To navigate the dialog pages, click the right and left arrows along the sides of the dialog or click a page selector along the bottom of the dialog. After you Close the dialog, you can manually reopen it by clicking messages at the bottom of the web interface.
To configure a message of the day, select Device > Setup > Management and edit the Banners and Messages settings.


Task Manager

Click Tasks at the bottom of the web interface to display the tasks that you, other administrators, or PAN-OS initiated since the last firewall reboot (for example, manual commits or automatic FQDN refreshes). For each task, the Task Manager provides the information and actions described in the table below.

Some columns are hidden by default. To display or hide specific columns, open the drop-down in any column header, select Columns, and select (display) or clear (hide) the column names.

Field/Button: Description

Filter: To filter the tasks, enter a text string based on a value in one of the columns and Apply Filter. For example, entering edl will filter the list to display only EDL Fetch (fetch external dynamic lists) tasks. To remove filtering, Remove Filter.

Type: The type of task, such as log request, license refresh, or commit. If the information related to the task (such as warnings) is too long to fit in the Messages column, you can click the Type value to see all the details.

Status: Indicates whether the task is pending (such as commits with Queued status), in progress (such as log requests with Active status), completed, or failed. For commits in progress, the Status indicates the percentage of completion.

Job ID: A number that identifies the task. From the CLI, you can use the Job ID to see additional details about a task. For example, you can see the position of a commit task in the commit queue by entering:
> show jobs id <job-id>
This column is hidden by default.

End Time: The date and time when the task finished. This column is hidden by default.

Start Time: The date and time when the task started. For commit tasks, the Start Time indicates when the commit was added to the commit queue.

Messages: Displays details about the task. If the entry indicates that there are too many messages, you can click the task Type to see the messages.
For commit tasks, the Messages include the dequeued time to indicate when PAN-OS started performing the commit. To see the description an administrator entered for a commit, click Commit Description. For details, see Commit Changes.

Action: Click x to cancel a pending commit initiated by an administrator or PAN-OS. This button is available only to administrators who have one of the following predefined roles: superuser, device administrator, virtual system administrator, or Panorama administrator.


Show: Select the tasks you want to display:
• All Tasks (default)
• All tasks of a certain type (Jobs, Reports, or Log Requests)
• All Running tasks (in progress)
• All Running tasks of a certain type (Jobs, Reports, or Log Requests)
(Panorama only) Use the second drop-down to display the tasks for Panorama (default) or a specific managed firewall.

Clear Commit Queue: Cancel all pending commits initiated by administrators or PAN-OS. This button is available only to administrators who have one of the following predefined roles: superuser, device administrator, virtual system administrator, or Panorama administrator.


Language

By default, the locale (such as Spanish) of the computer from which you log in to the firewall determines the language that the web interface displays. To change the Language (bottom of the web interface), select a Language from the drop-down and click OK. The web interface then refreshes using the new language.

Alarms

An alarm is a firewall-generated message indicating that the number of events of a particular type (for example, encryption and decryption failures) has exceeded the threshold configured for that event type (see Define Alarm Settings). When generating an alarm, the firewall creates an Alarm log and opens the System Alarms dialog to display the alarm. After closing the dialog, you can reopen it any time by clicking Alarms at the bottom of the web interface. To prevent the firewall from automatically opening the dialog for a particular alarm, select Unacknowledged Alarms and click Acknowledge to move the alarms to the Acknowledged Alarms list.


Commit Changes

Click Commit at the top right of the web interface and specify an operation for pending changes to the firewall configuration: commit (activate), validate, or preview. You can filter pending changes by administrator or location and then preview, validate, and commit only those changes. The location can be specific virtual systems, shared policies and objects, or shared device and network settings.
The firewall queues commit requests so that you can initiate a new commit while a previous commit is in progress. The firewall performs the commits in the order they are initiated but prioritizes auto-commits that are initiated by the firewall (such as FQDN refreshes). However, if the queue already has the maximum number of administrator-initiated commits, you must wait for the firewall to finish processing a pending commit before initiating a new one.
Use the Task Manager to cancel commits or see details about commits that are pending, in progress, completed, or failed.
The Commit dialog displays the options described in the following table.

Field/Button: Description

Commit All Changes: Commits all changes for which you have administrative privileges (default). You cannot manually filter the scope of the configuration changes that the firewall commits when you select this option. Instead, the administrator role assigned to the account you used to log in determines the commit scope:
• Superuser role: The firewall commits the changes of all administrators.
• Custom role: The privileges of the Admin Role profile assigned to your account determine the commit scope (see Device > Admin Roles). If the profile includes the privilege to Commit For Other Admins, the firewall commits changes configured by any and all administrators. If your Admin Role profile does not include the privilege to Commit For Other Admins, the firewall commits only your changes and not those of other administrators.
If you have implemented access domains, the firewall automatically applies those domains to filter the commit scope (see Device > Access Domain). Regardless of your administrative role, the firewall commits only the configuration changes in the access domains assigned to your account.


Commit Changes Made By: Filters the scope of the configuration changes the firewall commits. The administrative role assigned to the account you used to log in determines your filtering options:
• Superuser role: You can limit the commit scope to changes that specific administrators made and to changes in specific locations.
• Custom role: The privileges of the Admin Role profile assigned to your account determine your filtering options (see Device > Admin Roles). If the profile includes the privilege to Commit For Other Admins, you can limit the commit scope to changes configured by specific administrators and to changes in specific locations. If your Admin Role profile does not include the privilege to Commit For Other Admins, you can limit the commit scope only to the changes you made in specific locations.
Filter the commit scope as follows:
• Filter by administrator: Even if your role allows committing the changes of other administrators, the commit scope includes only your changes by default. To add other administrators to the commit scope, click the <usernames> link, select the administrators, and click OK.
• Filter by location: Select the specific locations for changes to Include in Commit.
If you have implemented access domains, the firewall automatically filters the commit scope based on those domains (see Device > Access Domain). Regardless of your administrative role and your filtering choices, the commit scope includes only the configuration changes in the access domains assigned to your account.
After you load a configuration (Device > Setup > Operations), you must Commit All Changes.
When you commit changes to a virtual system, you must include the changes of all administrators who added, deleted, or repositioned rules for the same rulebase in that virtual system.

Commit Scope: Lists the locations that have changes to commit. Whether the list includes all changes or a subset of the changes depends on several factors, as described for Commit All Changes and Commit Changes Made By. The locations can be any of the following:
• shared-object: Settings that are defined in the Shared location.
• policy-and-objects: Policy rules or objects that are defined on a firewall that does not have multiple virtual systems.
• device-and-network: Network and device settings that are global (such as Interface Management profiles) and not specific to a virtual system. This also applies to network and device settings on a firewall that does not have multiple virtual systems.
• <virtual-system>: The name of the virtual system in which policy rules or objects are defined on a firewall that has multiple virtual systems. This also includes network and device settings that are specific to a virtual system (such as zones).


Location Type: This column categorizes the locations of pending changes:
• Virtual Systems: Settings that are defined in a specific virtual system.
• Other Changes: Settings that are not specific to a virtual system (such as shared objects).

Include in Commit (partial commit only): Enables you to select the changes you want to commit. By default, all changes within the Commit Scope are selected. This column displays only after you choose to Commit Changes Made By specific administrators.
There might be dependencies that affect the changes you include in a commit. For example, if you add an object and another administrator then edits that object, you cannot commit the change for the other administrator without also committing your own change.

Group by Location Type: Groups the list of configuration changes in the Commit Scope by Location Type.

Preview Changes: Enables you to compare the configurations you selected in the Commit Scope to the running configuration. The preview window uses color coding to indicate which changes are additions (green), modifications (yellow), or deletions (red).
To help you match the changes to sections of the web interface, you can configure the preview window to display Lines of Context before and after each change. These lines are from the files of the candidate and running configurations that you are comparing.
Because the preview results display in a new browser window, your browser must allow pop-ups. If the preview window does not open, refer to your browser documentation for the steps to allow pop-ups.

Change Summary: Lists the individual settings for which you are committing changes. The Change Summary list displays the following information for each setting:
• Object Name: The name that identifies the policy, object, network setting, or device setting.
• Type: The type of setting (such as Address, Security rule, or Zone).
• Location Type: Indicates whether the setting is defined in Virtual Systems.
• Location: The name of the virtual system where the setting is defined. The column displays Shared for settings that are not specific to a virtual system.
• Operations: Indicates every operation (create, edit, or delete) performed on the setting since the last commit.
• Owner: The administrator who made the last change to the setting.
• Will Be Committed: Indicates whether the commit currently includes the setting.
• Previous Owners: Administrators who made changes to the setting before the last change.
Optionally, you can Group By column name (such as Type).


Validate Commit: Validates whether the firewall configuration has correct syntax and is semantically complete. The output includes the same errors and warnings that a commit would display, including rule shadowing and application dependency warnings. The validation process enables you to find and fix errors before you commit (it makes no changes to the running configuration). This is useful if you have a fixed commit window and want to be sure the commit will succeed without errors.

Description: Allows you to enter a description (up to 512 characters) to help other administrators understand what changes you made.
The System log for a commit event will truncate descriptions longer than 512 characters.

Commit: Starts the commit or, if other commits are pending, adds your commit to the commit queue.
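The scope rules described in the Commit dialog table (role, the Commit For Other Admins privilege, access domains, the administrator and location filters, and the owner dependency under Include in Commit), and repeated in the same form for the Save Changes and Revert Changes dialogs later in this chapter, as an added model that is not PAN-OS code: administrators, objects, locations and the reason strings are constructed, and the function reports which pending changes fall inside the scope and why the rest are excluded.

```python
"""Model of the commit-scope rules in the Commit Changes table.

Added example, not PAN-OS code. It reproduces the rules the guide states:
superusers and admins whose Admin Role profile grants Commit For Other Admins
may commit other administrators' changes; access domains always limit the
scope; Commit Changes Made By adds administrator and location filters; and a
change cannot be committed without the earlier changes it depends on (an
object you added and another admin then edited). Admins, objects and
locations below are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Change:
    object_name: str
    location: str            # shared-object, device-and-network, or a vsys name
    owner: str               # Owner column: admin who made the last change
    previous_owners: Tuple[str, ...] = ()  # Previous Owners column


@dataclass(frozen=True)
class Admin:
    name: str
    superuser: bool = False
    commit_for_other_admins: bool = False            # Admin Role profile privilege
    access_domains: Optional[FrozenSet[str]] = None  # locations this admin may commit; None = not implemented


def commit_scope(admin: Admin, changes: Iterable[Change],
                 made_by: Optional[Set[str]] = None,
                 locations: Optional[Set[str]] = None
                 ) -> Tuple[List[Tuple[Change, str]], List[Tuple[Change, str]]]:
    """Return (included, excluded) as lists of (change, reason).

    made_by=None models Commit All Changes; a set of usernames models
    Commit Changes Made By. locations=None applies no location filter.
    """
    may_commit_others = admin.superuser or admin.commit_for_other_admins
    if made_by is None:
        allowed = None if may_commit_others else {admin.name}   # None = every admin
    else:
        allowed = set(made_by)
        if not may_commit_others and allowed - {admin.name}:
            raise PermissionError(f"{admin.name} lacks Commit For Other Admins")

    def in_scope(user: str) -> bool:
        return allowed is None or user in allowed

    included, excluded = [], []
    for c in changes:
        # Access domains apply first: the guide says they filter the scope
        # regardless of role or filter choices.
        if admin.access_domains is not None and c.location not in admin.access_domains:
            excluded.append((c, "outside access domains"))
        elif locations is not None and c.location not in locations:
            excluded.append((c, "location not selected"))
        elif not in_scope(c.owner):
            excluded.append((c, f"owner {c.owner} not in scope"))
        else:
            missing = [o for o in c.previous_owners if not in_scope(o)]
            if missing:
                # Dependency rule: the later edit cannot go without the earlier change.
                excluded.append((c, "depends on uncommitted change by " + ", ".join(missing)))
            else:
                included.append((c, "ok"))
    return included, excluded


# Constructed pending changes, as the Change Summary would list them.
CHANGES = [
    Change("srv-web-01", "shared-object", owner="alice"),
    Change("allow-web", "vsys1", owner="bob", previous_owners=("alice",)),  # alice added, bob edited
    Change("mgmt-profile", "device-and-network", owner="carol"),
    Change("dmz-zone", "vsys2", owner="alice"),
]
ROOT = Admin("root", superuser=True)
ALICE = Admin("alice", access_domains=frozenset({"shared-object", "vsys1"}))
BOB = Admin("bob")
BOB_LEAD = Admin("bob", commit_for_other_admins=True)


def names(rows):
    """Object names of a list of (change, reason) rows, in order."""
    return [c.object_name for c, _ in rows]


if __name__ == "__main__":
    for who, kw in [(ROOT, {}), (ALICE, {}), (BOB, {"made_by": {"bob"}}),
                    (BOB_LEAD, {"made_by": {"bob", "alice"}})]:
        inc, exc = commit_scope(who, CHANGES, **kw)
        print(who.name, "commits", names(inc),
              "excluded", [(c.object_name, r) for c, r in exc])
```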


Save Candidate Configurations

Select Config > Save Changes at the top right of the firewall or Panorama web interface to save a new snapshot file of the candidate configuration or to overwrite an existing configuration file. If the firewall or Panorama reboots before you commit your changes, you can then revert the candidate configuration to the saved snapshot to restore changes you made after the last commit. To revert to the snapshot, select Device > Setup > Operations and Load named configuration snapshot. If you don't revert to the snapshot after a reboot, the candidate configuration will be the same as the last committed configuration (the running configuration).
You can filter which configuration changes to save based on administrator or location. The location can be specific virtual systems, shared policies and objects, or shared device and network settings.

You should periodically save your changes so that you don't lose them if the firewall or Panorama reboots.

Saving your changes to the candidate configuration does not activate those changes; you must Commit Changes to activate them.

The Save Changes dialog displays the options described in the following table:

Field/Button: Description

Save All Changes: Saves all changes for which you have administrative privileges (default). You cannot manually filter the scope of the configuration changes that the firewall saves when you select this option. Instead, the administrator role assigned to the account you used to log in determines the save scope:
• Superuser role: The firewall saves the changes of all administrators.
• Custom role: The privileges of the Admin Role profile assigned to your account determine the save scope (see Device > Admin Roles). If the profile includes the privilege to Save For Other Admins, the firewall saves changes configured by any and all administrators. If your Admin Role profile does not include the privilege to Save For Other Admins, the firewall saves only your changes and not those of other administrators.
If you have implemented access domains, the firewall automatically applies those domains to filter the save scope (see Device > Access Domain). Regardless of your administrative role, the firewall saves only the configuration changes in the access domains assigned to your account.


Save Changes Made By: Filters the scope of the configuration changes the firewall saves. The administrative role assigned to the account you used to log in determines your filtering options:
• Superuser role: You can limit the save scope to changes that specific administrators made and to changes in specific locations.
• Custom role: The privileges of the Admin Role profile assigned to your account determine your filtering options (see Device > Admin Roles). If the profile includes the privilege to Save For Other Admins, you can limit the save scope to changes configured by specific administrators and to changes in specific locations. If your Admin Role profile does not include the privilege to Save For Other Admins, you can limit the save scope only to the changes you made in specific locations.
Filter the save scope as follows:
• Filter by administrator: Even if your role allows saving the changes of other administrators, the save scope includes only your changes by default. To add other administrators to the save scope, click the <usernames> link, select the administrators, and click OK.
• Filter by location: Select changes in specific locations to Include in Save.
If you have implemented access domains, the firewall automatically filters the save scope based on those domains (see Device > Access Domain). Regardless of your administrative role and your filtering choices, the save scope includes only the configuration changes in the access domains assigned to your account.

Save Scope: Lists the locations that have changes to save. Whether the list includes all changes or a subset of the changes depends on several factors, as described for the Save All Changes and Save Changes Made By options. The locations can be any of the following:
• shared-object: Settings that are defined in the Shared location.
• policy-and-objects (firewall only): Policy rules or objects that are defined on a firewall that does not have multiple virtual systems.
• device-and-network (firewall only): Network and device settings that are global (such as Interface Management profiles) and not specific to a virtual system.
• <virtual-system> (firewall only): The name of the virtual system in which policy rules or objects are defined on a firewall that has multiple virtual systems. This also includes network and device settings that are specific to a virtual system (such as zones).
• <device-group> (Panorama only): The name of the device group in which the policy rules or objects are defined.
• <template> (Panorama only): The name of the template or template stack in which the settings are defined.
• <log-collector-group> (Panorama only): The name of the Collector Group in which the settings are defined.
• <log-collector> (Panorama only): The name of the Log Collector in which the settings are defined.


Location Type: This column categorizes the locations where the changes were made:
• Virtual Systems (firewall only): Settings that are defined in a specific virtual system.
• Device Groups (Panorama only): Settings that are defined in a specific device group.
• Templates (Panorama only): Settings that are defined in a specific template or template stack.
• Collector Groups (Panorama only): Settings that are specific to a Collector Group configuration.

Include in Save (partial save only): Enables you to select the changes you want to save. By default, all changes within the Save Scope are selected. This column displays only after you choose to Save Changes Made By specific administrators.
There might be dependencies that affect the changes you include in a save. For example, if you add an object and another administrator then edits that object, you cannot save the change for the other administrator without also saving your own change.

Group by Location Type: Groups the list of configuration changes in the Save Scope by Location Type.

Preview Changes: Enables you to compare the configurations you selected in the Save Scope to the running configuration. The preview window uses color coding to indicate which changes are additions (green), modifications (yellow), or deletions (red).
To help you match the changes to sections of the web interface, you can configure the preview window to display Lines of Context before and after each change. These lines are from the files of the candidate and running configurations that you are comparing.
Because the preview results display in a new window, your browser must allow pop-up windows. If the preview window does not open, refer to your browser documentation for the steps to unblock pop-up windows.

Change Summary: Lists the individual settings for which you are saving changes. The Change Summary list displays the following information for each setting:
• Object Name: The name that identifies the policy, object, network setting, or device setting.
• Type: The type of setting (such as Address, Security rule, or Zone).
• Location Type: Indicates whether the setting is defined in Virtual Systems.
• Location: The name of the virtual system where the setting is defined. The column displays Shared for settings that are not specific to a virtual system.
• Operations: Indicates every operation (create, edit, or delete) performed on the setting since the last commit.
• Owner: The administrator who made the last change to the setting.
• Will Be Saved: Indicates whether the save operation will include the setting.
• Previous Owners: Administrators who made changes to the setting before the last change.
Optionally, you can Group By column name (such as Type).

Save: Saves the selected changes to a configuration snapshot file:
• If you selected Save All Changes, the firewall overwrites the default configuration snapshot file (.snapshot.xml).
• If you selected Save Changes Made By, specify the Name of a new or existing configuration file, and click OK.


Revert Changes

Select Config > Revert Changes at the top right of the firewall or Panorama web interface to undo changes made to the candidate configuration since the last commit. Reverting changes restores the settings to the values of the running configuration. You can filter which configuration changes to revert based on administrator or location. The location can be specific virtual systems, shared policies and objects, or shared device and network settings.
You cannot revert changes until the firewall or Panorama finishes processing all commits that are pending or in progress. After you initiate the revert process, the firewall or Panorama automatically locks the candidate and running configurations so that other administrators cannot edit settings or commit changes. After completing the revert process, the firewall or Panorama automatically removes the lock.
The Revert Changes dialog displays the options described in the following table:

Field/Button: Description

Revert All Changes: Reverts all changes for which you have administrative privileges (default). You cannot manually filter the scope of the configuration changes that the firewall reverts when you select this option. Instead, the administrator role assigned to the account you used to log in determines the revert scope:
• Superuser role: The firewall reverts the changes of all administrators.
• Custom role: The privileges of the Admin Role profile assigned to your account determine the revert scope (see Device > Admin Roles). If the profile includes the privilege to Commit For Other Admins, the firewall reverts changes configured by any and all administrators. If your Admin Role profile does not include the privilege to Commit For Other Admins, the firewall reverts only your changes and not those of other administrators.
In Admin Role profiles, the privileges for committing also apply to reverting.

If you implemented access domains, the firewall automatically applies those domains to filter the revert scope (see Device > Access Domain). Regardless of your administrative role, the firewall reverts only the configuration changes in the access domains assigned to your account.


Revert Changes Made By: Filters the scope of configuration changes that the firewall reverts. The administrative role assigned to the account you used to log in determines your filtering options:
- Superuser role: You can limit the revert scope to changes that specific administrators made and to changes in specific locations.
- Custom role: The privileges of the Admin Role profile assigned to your account determine your filtering options (see Device > Admin Roles). If the profile includes the privilege to Commit For Other Admins, you can limit the revert scope to changes configured by specific administrators and to changes in specific locations. If your Admin Role profile does not include the privilege to Commit For Other Admins, you can limit the revert scope only to the changes you made in specific locations.
Filter the revert scope as follows:
- Filter by administrator: Even if your role allows reverting the changes of other administrators, the revert scope includes only your changes by default. To add other administrators to the revert scope, click the <usernames> link, select the administrators, and click OK.
- Filter by location: Select the changes in specific locations to Include in Revert.
If you have implemented access domains, the firewall automatically filters the revert scope based on those domains (see Device > Access Domain). Regardless of your administrative role and your filtering choices, the revert scope includes only the configuration changes in the access domains assigned to your account.

Revert Scope: Lists the locations that have changes to revert. Whether the list includes all changes or a subset of the changes depends on several factors, as described for the Revert All Changes and Revert Changes Made By options. The locations can be any of the following:
- shared-object: Settings that are defined in the Shared location.
- policy-and-objects (firewall only): Policy rules or objects that are defined on a firewall that does not have multiple virtual systems.
- device-and-network (firewall only): Network and device settings that are global (such as Interface Management profiles) and not specific to a virtual system.
- <virtual-system> (firewall only): The name of the virtual system in which policy rules or objects are defined on a firewall that has multiple virtual systems. This also includes network and device settings that are specific to a virtual system (such as zones).
- <device-group> (Panorama only): The name of the device group in which the policy rules or objects are defined.
- <template> (Panorama only): The name of the template or template stack in which the settings are defined.
- <log-collector-group> (Panorama only): The name of the Collector Group in which the settings are defined.
- <log-collector> (Panorama only): The name of the Log Collector in which the settings are defined.


Location Type: This column categorizes the locations where the changes were made:
- Virtual Systems (firewall only): Settings that are defined in a specific virtual system.
- Device Group (Panorama only): Settings that are defined in a specific device group.
- Template (Panorama only): Settings that are defined in a specific template or template stack.
- Log Collector Group (Panorama only): Settings that are specific to a Collector Group configuration.
- Log Collector (Panorama only): Settings that are specific to a Log Collector configuration.
- Other Changes: Settings that are not specific to any of the preceding configuration areas (such as shared objects).

Include in Revert (partial revert only): Enables you to select the changes you want to revert. By default, all changes within the Revert Scope are selected. This column displays only after you choose to Revert Changes Made By specific administrators.
There might be dependencies that affect the changes you include in a revert. For example, if you add an object and another administrator then edits that object, you cannot revert your change without also reverting the change for the other administrator.

Group by Location Type: Lists the configuration changes in the Revert Scope by Location Type.

Preview Changes: Enables you to compare the configurations you selected in the Revert Scope to the running configuration. The preview window uses color coding to indicate which changes are additions (green), modifications (yellow), or deletions (red).
To help you match the changes to sections of the web interface, you can configure the preview window to display Lines of Context before and after each change. These lines are from the files of the candidate and running configurations that you are comparing.
Because the preview results display in a new window, your browser must allow pop-up windows. If the preview window does not open, refer to your browser documentation for the steps to unblock pop-up windows.


Change Summary: Lists the individual settings for which you are reverting changes. The Change Summary list displays the following information for each setting:
- Object Name: The name that identifies the policy, object, network setting, or device setting.
- Type: The type of setting (such as Address, Security rule, or Zone).
- Location Type: Indicates whether the setting is defined in Virtual Systems.
- Location: The name of the virtual system where the setting is defined. The column displays Shared for settings that are not specific to a virtual system.
- Operations: Indicates every operation (create, edit, or delete) performed on the setting since the last commit.
- Owner: The administrator who made the last change to the setting.
- Will Be Reverted: Indicates whether the revert operation will include the setting.
- Previous Owners: Administrators who made changes to the setting before the last change.
Optionally, you can Group By column name (such as Type).

Revert: Reverts the selected changes.
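The revert-scope rules in the table above (administrator role, the Commit For Other Admins privilege, access-domain filtering, and the dependency note under Include in Revert) can be checked with a small model. The following Python is an added example written for this section, not Palo Alto Networks code, and it claims no PAN-OS behavior beyond what the table states; the Admin and Change records, the seq ordering and the sample change list are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


# Constructed model of an administrator account (not a PAN-OS data structure).
@dataclass(frozen=True)
class Admin:
    name: str
    role: str                                  # "superuser" or "custom"
    commit_for_other_admins: bool = False      # Admin Role privilege; it also governs reverting
    access_domains: Optional[Set[str]] = None  # None: access domains are not implemented


# Constructed model of one uncommitted change; 'seq' orders changes since the last commit.
@dataclass(frozen=True)
class Change:
    object_name: str
    location: str   # revert-scope location, e.g. "vsys1", "shared-object", "device-and-network"
    owner: str
    seq: int


def base_scope(admin: Admin, changes: List[Change]) -> List[Change]:
    """Changes the admin may revert with Revert All Changes."""
    if admin.role == "superuser" or admin.commit_for_other_admins:
        scope = list(changes)                                    # everyone's changes
    else:
        scope = [c for c in changes if c.owner == admin.name]    # only the admin's own changes
    # Access domains narrow the scope regardless of role.
    if admin.access_domains is not None:
        scope = [c for c in scope if c.location in admin.access_domains]
    return sorted(scope, key=lambda c: c.seq)


def with_dependencies(selected: List[Change], changes: List[Change]) -> List[Change]:
    """Pull in later edits of the same object: a change cannot be reverted without
    also reverting another administrator's subsequent edit of that object."""
    result = set(selected)
    grew = True
    while grew:
        grew = False
        for c in changes:
            if c in result:
                continue
            if any(c.object_name == s.object_name and c.seq > s.seq for s in result):
                result.add(c)
                grew = True
    return sorted(result, key=lambda c: c.seq)


def revert_plan(admin: Admin, changes: List[Change]) -> List[Change]:
    """Full set of changes a revert by this admin would undo."""
    return with_dependencies(base_scope(admin, changes), changes)


def cross_admin_dependencies(admin: Admin, changes: List[Change]) -> List[Change]:
    """Changes that enter the plan only because of the dependency rule."""
    base = set(base_scope(admin, changes))
    return [c for c in revert_plan(admin, changes) if c not in base]


# Constructed sample of uncommitted changes.
CHANGES = [
    Change("web-servers", "vsys1", "alice", 1),                # alice adds an address object
    Change("web-servers", "vsys1", "bob", 2),                  # bob edits the same object
    Change("allow-dns", "vsys2", "alice", 3),                  # alice adds a rule in vsys2
    Change("mgmt-profile", "device-and-network", "carol", 4),  # carol edits a global setting
]

if __name__ == "__main__":
    alice = Admin("alice", "custom", False, {"vsys1", "vsys2"})
    for c in revert_plan(alice, CHANGES):
        print(c.seq, c.location, c.object_name, c.owner)
```

Running the module shows that alice's revert must also undo bob's edit of web-servers, exactly the case the Include in Revert note describes, while her carol-owned change outside her role's scope stays untouched.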


Lock Configurations

To help you coordinate configuration tasks with other firewall administrators during concurrent login sessions, the web interface enables you to apply a configuration or commit lock so that other administrators cannot change the configuration or commit changes until the lock is removed.
At the top right of the web interface, a locked padlock icon indicates that one or more locks are set (with the number of locks in parentheses); an unlocked padlock icon indicates that no locks are set. Clicking either padlock opens the Locks dialog, which provides the following options and fields.

To configure the firewall to automatically set a commit lock whenever an administrator changes the candidate configuration, select Device > Setup > Management, edit the General Settings, enable Automatically Acquire Commit Lock, and then click OK and Commit.
When you revert changes (Config > Revert Changes), the firewall automatically locks the candidate and running configuration so that other administrators cannot edit settings or commit changes. After completing the revert process, the firewall automatically removes the lock.

Field/Button Description

Admin: The user name of the administrator who set the lock.

Location: On a firewall with more than one virtual system (vsys), the scope of the lock can be a specific vsys or the Shared location.

Type: The lock type can be:
- Config Lock: Blocks other administrators from changing the candidate configuration. Only a superuser or the administrator who set the lock can remove it.
- Commit Lock: Blocks other administrators from committing changes made to the candidate configuration. The commit queue does not accept new commits until all locks are released. This lock prevents collisions that can occur when multiple administrators make changes during concurrent login sessions and one administrator finishes and initiates a commit before the other administrators have finished. The firewall automatically removes the lock after completing the commit for which the administrator set the lock. A superuser or the administrator who set the lock can also manually remove it.

Comment: Enter up to 256 characters of text. This is useful for other administrators who want to know the reason for the lock.

Created At: The date and time when an administrator set the lock.

Logged In: Indicates whether the administrator who set the lock is currently logged in.

Take a Lock: To set a lock, click Take a Lock, select the Type, select the Location (multiple virtual system firewalls only), enter optional Comments, click OK, and then Close.

Remove Lock: To release a lock, select it, click Remove Lock, click OK, and then Close.
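The lock semantics described in the table (who may remove a config or commit lock, what each lock type blocks, the 256-character comment limit, and the automatic release after a commit) are modeled in the following Python. It is an added example, not PAN-OS code; the LockTable class and its method names are constructed, as are two assumptions the table does not spell out: a lock on a vsys covers only that vsys while a lock on Shared covers everything, and the holder of a commit lock can still commit.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

MAX_COMMENT = 256   # the Comment field accepts up to 256 characters


# Constructed record of one lock, mirroring the columns of the Locks dialog.
@dataclass(frozen=True)
class Lock:
    admin: str
    location: str      # a vsys name or "shared"
    lock_type: str     # "config" or "commit"
    comment: str
    created_at: datetime


class LockTable:
    """Constructed model of the Locks dialog; not the PAN-OS implementation."""

    def __init__(self) -> None:
        self.locks: List[Lock] = []

    def take(self, admin: str, lock_type: str, location: str = "shared",
             comment: str = "") -> Lock:
        """Take a Lock: type, optional location, optional comment."""
        if lock_type not in ("config", "commit"):
            raise ValueError("lock type must be 'config' or 'commit'")
        if len(comment) > MAX_COMMENT:
            raise ValueError("comment exceeds 256 characters")
        lock = Lock(admin, location, lock_type, comment, datetime.now(timezone.utc))
        self.locks.append(lock)
        return lock

    def remove(self, requester: str, lock: Lock, superuser: bool = False) -> bool:
        """Only a superuser or the administrator who set the lock may remove it."""
        if lock not in self.locks:
            return False
        if not (superuser or requester == lock.admin):
            return False
        self.locks.remove(lock)
        return True

    def can_edit(self, admin: str, location: str) -> bool:
        """A config lock blocks other admins from changing the candidate configuration.
        Assumption: a vsys lock covers that vsys; a 'shared' lock covers every location."""
        for lock in self.locks:
            if lock.lock_type != "config" or lock.admin == admin:
                continue
            if lock.location in ("shared", location):
                return False
        return True

    def can_commit(self, admin: str) -> bool:
        """A commit lock blocks other admins from committing until it is released.
        Assumption: the lock holder may still commit."""
        return all(lock.lock_type != "commit" or lock.admin == admin
                   for lock in self.locks)

    def commit_completed(self, admin: str) -> int:
        """The firewall auto-removes the commit lock once the admin's commit finishes.
        Returns how many locks were released."""
        before = len(self.locks)
        self.locks = [lk for lk in self.locks
                      if not (lk.lock_type == "commit" and lk.admin == admin)]
        return before - len(self.locks)

    def count(self) -> int:
        """The number shown in parentheses beside the padlock icon."""
        return len(self.locks)
```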


Global Find

Global Find enables you to search the candidate configuration on a firewall or on Panorama for a particular string, such as an IP address, object name, policy name, threat ID, or application name. The search results are grouped by category and provide links to the configuration location in the web interface so that you can easily find all of the places where the string exists or is referenced.
To launch Global Find, click the Search icon on the upper right side of the web interface. Global Find is available from all web interface pages and locations. The following is a list of Global Find features to help you perform successful searches:
- If you initiate a search on a firewall that has multiple virtual systems enabled or if administrative roles are defined, Global Find will return results only for areas of the firewall for which you have permission to access. The same applies to Panorama device groups; you will see search results only for device groups to which you have administrative access.
- Spaces in search text are handled as AND operations. For example, if you search on corp policy, both corp and policy must exist in the configuration item for it to be included in the search results.

- To find an exact phrase, surround the phrase in quotes.
- To rerun a previous search, click Global Find and a list of the last 20 searches is displayed. Click any item in the list to rerun that search. The search history list is unique to each administrative account.
Global Find is available for each field that is searchable. For example, in the case of a security policy, you can search on the following fields: Name, Tags, Zone, Address, User, HIP Profile, Application, and Service. To perform a search, click the drop-down next to any of these fields and click Global Find. For example, if you click Global Find on a zone named l3-vlan-trust, Global Find will search the entire configuration for that zone name and return results for each location where the zone is referenced. The search results are grouped by category and you can hover over any item to view details or you can click an item to navigate to the configuration page for that item.
Global Find does not search dynamic content that the firewall allocates to users (such as logs, address ranges, or individual DHCP addresses). In the case of DHCP, you can search on a DHCP server attribute, such as the DNS entry, but you cannot search for individual addresses issued to users. Another example is user names that the firewall collects when you enable the User-ID feature. In this case, a user name or user group that exists in the User-ID database is only searchable if the name or group exists in the configuration, such as when a user group name is defined in a policy. In general, you can only search for content that the firewall writes to the configuration.
Looking for more?
Learn more about using Global Find to search the firewall or Panorama configuration.
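The search semantics described above (space-separated words ANDed, quoted phrases matched exactly, results grouped by category, results restricted to the virtual systems an administrator may access, and a per-account history of the last 20 searches) can be reproduced over a small in-memory configuration. The following Python is an added example written for this guide, not the Global Find implementation; CONFIG_ITEMS is a constructed sample, the use of shlex for quote handling is a choice made here, and case-insensitive matching is an assumption the page does not state.

```python
import shlex
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Optional, Set

# Constructed candidate-configuration items: category, owning vsys, name, searchable fields.
CONFIG_ITEMS = [
    {"category": "Security Rule", "vsys": "vsys1", "name": "corp-web-policy",
     "fields": {"zone": "l3-vlan-trust", "address": "10.1.1.0/24"}},
    {"category": "Zone", "vsys": "vsys1", "name": "l3-vlan-trust", "fields": {}},
    {"category": "Address", "vsys": "vsys2", "name": "corp-dns",
     "fields": {"ip": "10.2.2.53"}},
    {"category": "Security Rule", "vsys": "vsys2", "name": "guest policy",
     "fields": {"zone": "guest"}},
]


def parse_query(query: str) -> List[str]:
    """Space-separated words are ANDed; a quoted phrase becomes a single exact term."""
    return shlex.split(query)


def searchable_strings(item: dict) -> Iterable[str]:
    """Everything Global Find would look at for one configuration item."""
    yield item["name"]
    yield from item["fields"].values()


def item_matches(item: dict, terms: List[str]) -> bool:
    # Every term must occur somewhere in the item (assumption: case-insensitive).
    return all(any(term.lower() in s.lower() for s in searchable_strings(item))
               for term in terms)


def global_find(query: str, permitted_vsys: Optional[Set[str]] = None,
                items: List[dict] = CONFIG_ITEMS) -> Dict[str, List[str]]:
    """Return matching item names grouped by category, restricted to the vsys
    the administrator may access (None means unrestricted)."""
    terms = parse_query(query)
    if not terms:
        return {}
    groups: Dict[str, List[str]] = defaultdict(list)
    for item in items:
        if permitted_vsys is not None and item["vsys"] not in permitted_vsys:
            continue   # role-based restriction: no results outside the admin's vsys
        if item_matches(item, terms):
            groups[item["category"]].append(item["name"])
    return dict(groups)


class SearchHistory:
    """Per-administrator list of the last 20 searches, most recent first."""

    def __init__(self) -> None:
        self._by_admin: Dict[str, deque] = defaultdict(lambda: deque(maxlen=20))

    def record(self, admin: str, query: str) -> None:
        self._by_admin[admin].appendleft(query)

    def recent(self, admin: str) -> List[str]:
        return list(self._by_admin[admin])
```

With the sample data, corp policy matches only corp-web-policy (both words present), "guest policy" in quotes matches the rule of that exact name, and an administrator limited to vsys2 searching for corp sees only the corp-dns address object.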


Threat Details

Monitor > Logs > Threat
ACC > Threat Activity
Objects > Security Profiles > Anti-Spyware/Vulnerability Protection
Use the Threat Details dialog to learn more about the threat signatures with which the firewall is equipped and the events that trigger those signatures. Threat details are provided for:
- Threat logs that record the threats that the firewall detects (Monitor > Logs > Threat)
- The top threats found in your network (ACC > Threat Activity)
- Threat signatures that you want to modify or exclude from enforcement (Objects > Security Profiles > Anti-Spyware/Vulnerability Protection)
When you find a threat signature you want to learn more about, hover over the Threat Name or the threat ID and click Exception to review the threat details. The threat details allow you to easily check whether a threat signature is configured as an exception to your security policy and to find the latest Threat Vault information about a specific threat. The Palo Alto Networks Threat Vault database is integrated with the firewall, allowing you to view expanded details about threat signatures in the firewall context or launch a Threat Vault search in a new browser window for a logged threat.
Depending on the type of threat you are reviewing, the details include all or some of the threat details described in the following table.

Threat Details  Description

Name: Threat signature name.

ID: Unique threat signature ID. Select View in Threat Vault to open a Threat Vault search in a new browser window and look up the latest information that the Palo Alto Networks threat database has for this signature. The Threat Vault entry for the threat signature might include additional details, including the first and last content releases to include updates to the signature and the minimum PAN-OS version required to support the signature.

Description: Information about the threat that triggers the signature.

Severity: The threat severity level: informational, low, medium, high, or critical.

CVE: Publicly known security vulnerabilities associated with the threat. The Common Vulnerabilities and Exposures (CVE) identifier is the most useful identifier for finding information about unique vulnerabilities, as vendor-specific IDs commonly encompass multiple vulnerabilities.

Bugtraq ID: The Bugtraq ID associated with the threat.

Vendor ID: The vendor-specific identifier for a vulnerability. For example, MS16-148 is the vendor ID for one or more Microsoft vulnerabilities and APSB16-39 is the vendor ID for one or more Adobe vulnerabilities.

Reference: Research sources you can use to learn more about the threat.


Exempt Profiles: Security profiles that define a different enforcement action for the threat signature than the default signature action. The threat exception is only active when exempt profiles are attached to a security policy rule (check if the exception is Used in current security rule).

Used in current security rule: Active threat exceptions. A check mark in this column indicates that the firewall is actively enforcing the threat exception (the Exempt Profiles that define the threat exception are attached to a security policy rule).
If this column is clear, the firewall is enforcing the threat based only on the recommended default signature action.

Exempt IP Addresses: You can add an IP address on which to filter the threat exception or view existing Exempt IP Addresses. This option enforces a threat exception only when the associated session has either a source or destination IP address that matches the exempt IP address. For all other sessions, the threat is enforced based on the default signature action.

If you're having trouble viewing threat details, check for the following conditions:
- The firewall Threat Prevention license is active (Device > Licenses).
- The latest Antivirus and Threats and Applications content updates are installed.
- Threat Vault access is enabled (select Device > Setup > Management and edit the Logging and Reporting setting to Enable Threat Vault Access).
- The default (or custom) Antivirus, Anti-Spyware, and Vulnerability Protection security profiles are applied to your security policy.


AutoFocus Intelligence Summary

You can view a graphical overview of threat intelligence that AutoFocus compiles to help you assess the pervasiveness and risk of the following firewall artifacts:
- IP Address
- URL
- Domain
- User agent (found in the User Agent column of Data Filtering logs)
- Threat name (only for threats of the subtypes virus and wildfire-virus)
- Filename
- SHA256 hash (found in the File Digest column of WildFire Submissions logs)
To view the AutoFocus Intelligence Summary window, you must have an active AutoFocus subscription and enable AutoFocus threat intelligence. Hover over an artifact to open the drop-down and then click AutoFocus. The AutoFocus Intelligence Summary is only available when you:
- View Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Unified logs (Monitor > Logs).
- View external dynamic list entries.

Field/Button Description

Search AutoFocus for...: Click to launch an AutoFocus search for the artifact.

Analysis Information Tab

Sessions: The number of private sessions in which WildFire detected the artifact. Private sessions are sessions running only on firewalls associated with your support account. Hover over a session bar to view the number of sessions per month.

Samples: Organization and global samples (files and email links) associated with the artifact and grouped by WildFire verdict (benign, grayware, or malware). Global refers to samples from all WildFire submissions, while organization refers only to samples submitted to WildFire by your organization.
Click on a WildFire verdict to launch an AutoFocus search for the artifact filtered by scope (organization or global) and WildFire verdict.

Matching Tags: AutoFocus tags matched to the artifact:
- Private Tags: Visible only to AutoFocus users associated with your support account.
- Public Tags: Visible to all AutoFocus users.
- Unit 42 Tags: Identify threats and campaigns that pose a direct security risk. These tags are created by Unit 42 (the Palo Alto Networks threat intelligence and research team).
- Informational Tags: Unit 42 tags that identify commodity threats.
Hover over a tag to view the tag description and other tag details.
Click a tag to launch an AutoFocus search for that tag.
To view more matching tags for an artifact, click the ellipsis (...) to launch an AutoFocus search for that artifact. The Tags column in the AutoFocus search results displays more matching tags for the artifact.


Passive DNS Tab


The Passive DNS tab displays passive DNS history associated with the artifact. This tab only displays matching information if the artifact is an IP address, domain, or URL.

Request: The domain that submitted a DNS request. Click the domain to launch an AutoFocus search for it.

Type: The DNS request type (example: A, NS, CNAME).

Response: The IP address or domain to which the DNS request resolved. Click the IP address or domain to launch an AutoFocus search.
The Response column does not display private IP addresses.

Count: The number of times the request was made.

First Seen: The date and time that the Request, Response, and Type combination was first seen based on passive DNS history.

Last Seen: The date and time that the Request, Response, and Type combination was most recently seen based on passive DNS history.

Matching Hashes Tab


The Matching Hashes tab displays the five most recent private samples where WildFire detected the artifact. Private samples are samples detected only on firewalls associated with your support account.

SHA256: The SHA256 hash for a sample. Click the hash to launch an AutoFocus search for that hash.

File Type: The file type of the sample.

Create Date: The date and time that WildFire analyzed a sample and assigned a WildFire verdict to it.

Update Date: The date and time that WildFire updated the WildFire verdict for a sample.

Verdict: The WildFire verdict for a sample: benign, grayware, or malware.

Dashboard
The Dashboard widgets show general firewall or Panorama information, such as the software version, status of each interface, resource utilization, and up to 10 entries for each of several log types; log widgets display entries from the last hour. By default, the Dashboard displays widgets in a Layout of 3 Columns but you can customize the Dashboard to display only 2 Columns, instead.
You can also decide which widgets to display or hide so that you see only those you want to monitor. To display a widget, select a widget category from the Widgets drop-down and select a widget to add it to the Dashboard (widget names that appear in faded gray text are already displayed). Hide (stop displaying) a widget by closing the widget (the close icon in the widget header). The firewalls and Panorama save your widget display settings across logins (separately for each administrator).
Refer to the Last updated timestamp to determine when the Dashboard data was last refreshed. You can manually refresh the entire Dashboard (the refresh icon in the top right corner of the Dashboard) or you can refresh individual widgets (the refresh icon within each widget header). Use the unlabeled drop-down next to the manual Dashboard refresh option to select the automatic refresh interval for the entire Dashboard (in minutes): 1 min, 2 mins, or 5 mins; to disable automatic refresh for the entire Dashboard, select Manual.

Dashboard Widgets  Description

Application Widgets

Top Applications: Displays the applications with the most sessions. The block size indicates the relative number of sessions (mouse over the block to view the number), and the color indicates the security risk from green (lowest) to red (highest). Click an application to view its application profile.

Top High Risk Applications: Similar to Top Applications except that it displays the highest-risk applications with the most sessions.

ACC Risk Factor: Displays the average risk factor (1 to 5) for the network traffic processed over the past week. Higher values indicate higher risk.

System Widgets

General Information: Displays the firewall or Panorama name and model, the PAN-OS or Panorama software version, the application, threat, and URL filtering definition versions, the current date and time, and the length of time since the last restart.

Interfaces (Firewall only): Indicates whether each interface is up (green), down (red), or in an unknown state (gray).

System Resources: Displays the Management CPU usage, Data Plane usage, and the Session Count (the number of sessions established through the firewall or Panorama).

High Availability: Indicates, when high availability (HA) is enabled, the HA status of the local and peer firewall/Panorama: green (active), yellow (passive), or black (other). For more information about HA, refer to Device > Virtual Systems or Panorama > High Availability.

Locks: Shows configuration locks that administrators have set.

Logged In Admins: Displays the source IP address, session type (web interface or CLI), and session start time for each administrator who is currently logged in.


Logs Widgets

Threat Logs: Displays the threat ID, application, and date and time for the last 10 entries in the Threat log. The threat ID is a malware description or URL that violates the URL filtering profile. Displays only entries from the last 60 minutes.

URL Filtering Logs: Displays the description and date and time for the last 60 minutes in the URL Filtering log.

Data Filtering Logs: Displays the description and date and time for the last 60 minutes in the Data Filtering log.

Config Logs: Displays the administrator user name, client (web interface or CLI), and date and time for the last 10 entries in the Configuration log. Displays only entries from the last 60 minutes.

System Logs: Displays the description and date and time for the last 10 entries in the System log. A Config installed entry indicates configuration changes were committed successfully. Displays only entries from the last 60 minutes.

ACC
The Application Command Center (ACC) is an analytical tool that provides actionable intelligence about the activity within your network. The ACC uses the firewall logs to graphically depict traffic trends on your network. The graphical representation allows you to interact with the data and visualize the relationships between events on the network, including network usage patterns, traffic patterns, and suspicious activity and anomalies.

What do you want to know?  See:

How do I use the ACC?  A First Glance at the ACC
  ACC Tabs
  ACC Widgets
How do I interact with the ACC?  ACC Actions
  Working with Tabs and Widgets
  Working with Filters
Looking for more?  Use the Application Command Center

A First Glance at the ACC

1 Tabs: The ACC includes predefined tabs that provide visibility into network traffic, threat activity, blocked activity, and tunnel activity. For information on each tab, see ACC Tabs.

2 Widgets: Each tab includes a default set of widgets that best represent the events and trends associated with the tab. The widgets allow you to survey the data using the following filters: bytes (in and out), sessions, content (files and data), URL categories, applications, users, threats (malicious, benign, grayware, phishing), and count. For information on each widget, see ACC Widgets.

3 Time: The charts and graphs in each widget provide a real-time and historic view. You can choose a custom range or use the predefined time periods that range from the last 15 minutes up to the last 30 days or last 30 calendar days.
The time period used to render data, by default, is the last hour. The date and time interval are displayed on screen. For example:
11/11 10:30:00-01/12 11:29:59

4 Global Filters: The global filters allow you to set the filter across all tabs. The charts and graphs apply the selected filters before rendering the data. For information on using the filters, see ACC Actions.

5 Application View: The application view allows you to filter the ACC view by either the sanctioned and unsanctioned applications in use on your network, or by the risk level of the applications in use on your network. Green indicates sanctioned applications, blue unsanctioned applications, and yellow indicates applications that have a different sanctioned state across different virtual systems or device groups.

6 Risk Meter: The risk meter (1=lowest to 5=highest) indicates the relative security risk on your network. The risk meter uses a variety of factors such as the type of applications seen on the network and the risk levels associated with the applications, the threat activity and malware as seen through the number of blocked threats, and compromised hosts or traffic to malware hosts and domains.

7 Source: The data used for the display varies between the firewall and Panorama. You have the following options to select what data is used to generate the views on the ACC:
- Virtual System: On a firewall that is enabled for multiple virtual systems, you can use the Virtual System drop-down to change the ACC display to include all virtual systems or just a selected virtual system.
- Device Group: On Panorama, you can use the Device Group drop-down to change the ACC display to include data from all device groups or just a selected device group.
- Data Source: On Panorama, you can also change the display to use Panorama or Remote Device Data (managed firewall data). When the data source is Panorama, you can filter the display for a specific device group.

8 Export: You can export the widgets displayed in the current tab as a PDF.

ACC Tabs

- Network Activity: Displays an overview of traffic and user activity on your network. It focuses on the top applications being used, the top users who generate traffic with a drill-down into the bytes, content, threats or URLs accessed by the user, and the most used security rules against which traffic matches occur. In addition, you can also view network activity by source or destination zone, region, or IP address, by ingress or egress interfaces, and by host information such as the operating systems of the devices most commonly used on the network.
- Threat Activity: Displays an overview of the threats on the network. It focuses on the top threats: vulnerabilities, spyware, viruses, hosts visiting malicious domains or URLs, top WildFire submissions by file type and application, and applications that use non-standard ports. The Compromised Hosts widget supplements detection with better visualization techniques. It uses the information from the correlated events tab (Monitor > Automated Correlation Engine > Correlated Events) to present an aggregated view of compromised hosts on your network by source users or IP addresses, sorted on severity.
- Blocked Activity: Focuses on traffic that was prevented from coming into the network. The widgets in this tab allow you to view activity denied by application name, user name, threat name, content (files and data), and the top security rules with a deny action that blocked traffic.
- Tunnel Activity: Displays the activity of tunnel traffic that the firewall inspected based on your tunnel inspection policies. Information includes tunnel usage based on tunnel ID, monitor tag, user, and tunnel protocols such as Generic Routing Encapsulation (GRE), General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U), and non-encrypted IPSec.


ACC Widgets

The widgets on each tab are interactive. You can set filters and drill down into the display to customize the view and focus on the information you need.

Each widget is structured to display the following information:

1 View: You can sort the data by bytes, sessions, threats, count, users, content, applications, URLs, malicious, benign, grayware, phishing, file (name)s, data, profiles, objects. The available options vary by widget.

2 Graph: The graphical display options are treemap, line graph, horizontal bar graph, stacked area graph, stacked bar graph, and map. The available options vary by widget and the interaction experience varies with each graph type. For example, the widget for Applications using Non Standard Ports allows you to choose between a treemap and a line graph.
To drill down into the display, click on the graph. The area you click on becomes a filter and allows you to zoom in and view more granular information about that selection.

3 Table: The detailed view of the data used to render the graph displays in a table below the graph.
You can click and set a local filter or a global filter for elements in the table. With a local filter, the graph is updated and the table is sorted by that filter.
With a global filter, the view across the ACC pivots to display only the information specific to your filter.


4 Actions: The following are actions available in the title bar of a widget:
- Maximize view: Allows you to enlarge the widget and view it in a larger screen space. In the maximized view, you can see more than the top ten items that display in the default widget view.
- Set up local filters: Allows you to add filters that refine the display within the widget. See Working with Filters: Local Filters and Global Filters.
- Jump to logs: Allows you to directly navigate to the logs (Monitor > Logs > <log-type>). The logs are filtered using the time period for which the graph is rendered.
If you set local and global filters, the log query concatenates the time period and filters and displays only logs that match your filter set.
- Export: Allows you to export the graph as a PDF.

For a description of each widget, see the details on using the ACC.

ACC Actions

To customize and refine the ACC display, you can add and delete tabs, add and delete widgets, set local and global filters, and interact with the widgets.
- Working with Tabs and Widgets
- Working with Filters: Local Filters and Global Filters

Working with Tabs and Widgets

Working with Tabs and Widgets

Add a custom tab:
1. Select Add along the list of tabs.
2. Add a View Name. This name will be used as the name for the tab. You can add up to 10 custom tabs.

Edit a tab:
Select the tab and click edit next to the tab name to edit the tab.

Set a tab as default:
1. Edit a tab.
2. Select the set-as-default icon to set the current tab as the default. Each time you log in to the firewall, this tab will display.

Save a tab state:
1. Edit a tab.
2. Select the save icon to save your preferences in the current tab as the default.
The tab state, including any filters that you may have set, is synchronized across HA peers.


Export a tab:
1. Edit a tab.
2. Select the export icon to export the current tab. The tab downloads to your computer as a .txt file. You must enable pop-ups to download the file.

Import a tab:
1. Add a custom tab.
2. Select the import icon to import a tab.
3. Browse to the text (.txt) file and select it.

See which widgets are included in a view:
1. Select the view and click edit.
2. Select the Add Widgets drop-down to review selected widgets.

Add a widget or a widget group:
1. Add a new tab or edit a predefined tab.
2. Select Add Widget and then select the widget you want to add. You can select a maximum of 12 widgets.
3. (Optional) To create a two-column layout, select Add Widget Group. You can drag and drop widgets into the two-column display. As you drag the widget into the layout, a placeholder will display for you to drop the widget.
You cannot name a widget group.

Delete a tab, widget, or widget group:
To delete a custom tab, select the tab and click delete.
You cannot delete a predefined tab.
To delete a widget or widget group, edit the tab and then click delete ([X]). You cannot undo a deletion.

Reset the default view:
On a predefined view, such as the Blocked Activity view, you can delete one or more widgets. If you want to reset the layout to include the default set of widgets for the tab, edit the tab and Reset View.

Working with Filters: Local Filters and Global Filters

To hone the details and finely control what the ACC displays, you can use filters:
- Local Filters: Local filters are applied on a specific widget. A local filter allows you to interact with the graph and customize the display so that you can dig into the details and access the information you want to monitor on a specific widget. You can apply a local filter in two ways: click into an attribute in the graph or table; or select Set Filter within a widget. Set Filter allows you to set a local filter that is persistent across reboots.


- Global Filters: Global filters are applied across the ACC. A global filter allows you to pivot the display around the details you care most about and exclude the unrelated information from the current display. For example, to view all events related to a specific user and application, you can apply the user's IP address and specify the application to create a global filter that displays only information pertaining to that user and application through all the tabs and widgets on the ACC. Global filters are not persistent across logins.
Global filters can be applied in three ways:
- Set a global filter from a table: Select an attribute from a table in any widget and apply the attribute as a global filter.
- Add a widget filter to be a global filter: Hover over the attribute and click the arrow icon to the right of the attribute. This option allows you to elevate a local filter used in a widget and apply the attribute globally to update the display across all tabs on the ACC.
- Define a global filter: Define a filter using the Global Filters pane on the ACC.

Working with Filters

Set a local filter (you can also click an attribute in the table below the graph to apply it as a local filter):
1. Select a widget and click Filter.
2. Add the filters you want to apply.
3. Click Apply. These filters are persistent across reboots.
The number of local filters applied on a widget is indicated next to the widget name.

Set a global filter from a table:
Hover over an attribute in a table and click the arrow that appears to the right of the attribute.

Set a global filter using the Global Filters pane:
Add the filters you want to apply.

Promote a local filter to a global filter:
1. On any table in a widget, select an attribute. This sets the attribute as a local filter.
2. To promote the filter to a global filter, hover over the attribute and click the arrow to the right of the attribute.

Remove a filter:
Click Remove to remove a filter.
- Global filters: Located in the Global Filters pane.
- Local filters: Click Filter to bring up the Set Local Filters dialog and then select the filter and remove it.

Clear all filters:
- Global filters: Clear All Global Filters.
- Local filters: Select a widget and click Filter. Then Clear All in the Set Local Filters widget.

Negate filters:
Select an attribute and Negate a filter.
- Global filters: Located in the Global Filters pane.
- Local filters: Click Filter to bring up the Set Local Filters dialog, add a filter, and then negate it.


View what filters are in use.
- Global filters: The number of global filters applied is displayed on the left pane under Global Filters.
- Local filters: The number of local filters applied on a widget is displayed next to the widget name. To view the filters, click Set Local Filters.

Monitor

The following topics describe the firewall reports and logs you can use to monitor activity on your network:
- Monitor > Logs
- Monitor > External Logs
- Monitor > Automated Correlation Engine
- Monitor > Packet Capture
- Monitor > App Scope
- Monitor > Session Browser
- Monitor > Block IP List
- Monitor > Botnet
- Monitor > PDF Reports
- Monitor > Manage Custom Reports
- Monitor > Reports


Monitor > Logs

What do you want to know? / See:
- Tell me about the different types of logs. See Log Types.
- Filter logs. Export logs. View details for individual log entries. Modify the log display. See Log Actions.
- Looking for more? Monitor and manage logs.

Log Types

The firewall displays all logs so that role-based administration permissions are respected. Only the information that you have permission to see is included, and this might vary depending on the types of logs you are viewing. For information on administrator permissions, refer to Device > Admin Roles.

Log Type / Description

Traffic: Displays an entry for the start and end of each session. Each entry includes the date and time, source and destination zones, addresses and ports, application name, security rule name applied to the flow, rule action (allow, deny, or drop), ingress and egress interface, number of bytes, and session end reason.
The Type column indicates whether the entry is for the start or end of the session, or whether the session was denied or dropped. A drop indicates that the security rule that blocked the traffic specified any application, while a deny indicates the rule identified a specific application.
If traffic is dropped before the application is identified, such as when a rule drops all traffic for a specific service, the application is shown as not-applicable.
Drill down in traffic logs for more details on individual entries and artifacts:
- Click Details to view additional details about the session, such as whether an ICMP entry aggregates multiple sessions between the same source and destination (the Count value will be greater than one).
- On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for that artifact.


Threat: Displays an entry for each security alarm generated by the firewall. Each entry includes the date and time, a threat name or URL, the source and destination zones, addresses, and ports, the application name, and the alarm action (allow or block) and severity.
The Type column indicates the type of threat, such as virus or spyware; the Name column is the threat description or URL; and the Category column is the threat category (such as keylogger) or URL category.
Drill down in threat logs for more details on individual entries and artifacts:
- Click Details to view additional details about the threat, such as whether the entry aggregates multiple threats of the same type between the same source and destination (the Count value will be greater than one).
- On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for that artifact.
- If local packet captures are enabled, click Download to access captured packets. To enable local packet captures, refer to the subsections under Objects > Security Profiles.
- To view more details about a threat or to quickly configure threat exemptions directly from the threat logs, click the threat name in the Name column. The Exempt Profiles list shows all custom Antivirus, Anti-Spyware, and Vulnerability Protection profiles. To configure an exemption for a threat signature, select the check box to the left of the security profile name and save your change. To add exemptions for IP addresses (up to 100 IP addresses per signature), highlight the security profile, add the IP address(es) in the Exempt IP Addresses section and click OK to save. To view or modify the exemption, go to the associated security profile and click the Exceptions tab. For example, if the threat type is vulnerability, select Objects > Security Profiles > Vulnerability Protection, click the associated profile, then click the Exceptions tab.

URL Filtering: Displays logs for URL filters, which control access to websites and whether users can submit credentials to websites.
Select Objects > Security Profiles > URL Filtering to define URL filtering settings, including which URL categories to block or allow and to which you want to grant or disable credential submissions. You can also enable logging of the HTTP header options for the URL.
On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for that artifact.

WildFire Submissions: Displays logs for files and email links that the firewall forwarded for WildFire analysis. The WildFire cloud analyzes the sample and returns analysis results, which include the WildFire verdict assigned to the sample (benign, malware, grayware, or phishing). You can confirm if the firewall allowed or blocked a file based on Security policy rules by viewing the Action column.
On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash (in the File Digest column) contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for the artifact.


Data Filtering: Displays logs for the security policies with attached Data Filtering profiles, to help prevent sensitive information such as credit card or social security numbers from leaving the area protected by the firewall, and File Blocking profiles, which prevent certain file types from being uploaded or downloaded.
To configure password protection for accessing the details for a log entry, click the icon. Enter the password and click OK. Refer to Device > Response Pages for instructions on changing or deleting the data protection password.
The system prompts you to enter the password only once per session.

HIP Match: Displays all HIP matches that the GlobalProtect gateway identifies when comparing the raw HIP data reported by the agent to the defined HIP objects and HIP profiles. Unlike other logs, a HIP match is logged even when it does not match a security policy. For more information, refer to Network > GlobalProtect > Portals.

User-ID: Displays information about IP address-to-username mappings, such as the source of the mapping information, when the User-ID agent performed the mapping, and the remaining time before mappings expire. You can use this information to help troubleshoot User-ID issues. For example, if the firewall is applying the wrong policy rule for a user, you can view the logs to verify whether that user is mapped to the correct IP address and whether the group associations are correct.

Tunnel Inspection: Displays an entry for the start and end of each inspected tunnel session. The log includes the Receive Time (date and time the first and last packet in the session arrived), Tunnel ID, Monitor Tag, Session ID, Security rule applied to the tunnel traffic, and more. See Policies > Tunnel Inspection for more information.

Configuration: Displays an entry for each configuration change. Each entry includes the date and time, the administrator username, the IP address from where the change was made, the type of client (web interface or CLI), the type of command executed, whether the command succeeded or failed, the configuration path, and the values before and after the change.

System: Displays an entry for each system event. Each entry includes the date and time, the event severity, and an event description.

Alarms: The alarms log records detailed information on alarms that are generated by the system. The information in this log is also reported in Alarms. Refer to Define Alarm Settings.

Authentication: Displays information about authentication events that occur when end users try to access network resources for which access is controlled by Authentication policy rules. You can use this information to help troubleshoot access issues and to adjust your Authentication policy as needed. In conjunction with correlation objects, you can also use Authentication logs to identify suspicious activity on your network, such as brute force attacks.
Optionally, you can configure Authentication rules to Log Authentication Timeouts. These timeouts relate to the period of time when a user needs to authenticate for a resource only once but can access it repeatedly. Seeing information about the timeouts helps you decide if and how to adjust them.
System logs record authentication events relating to GlobalProtect and to administrator access to the web interface.


Unified: Displays the latest Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering log entries in a single view. The collective log view enables you to investigate and filter these different types of logs together (instead of searching each log set separately). Or, you can choose which log types to display: click the arrow to the left of the filter field and select traffic, threat, url, data, and/or wildfire to display only the selected log types.
On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for that artifact.
The firewall displays all logs so that role-based administration permissions are respected. When viewing Unified logs, only the logs that you have permission to see are displayed. For example, an administrator who does not have permission to view WildFire Submissions logs will not see WildFire Submissions log entries when viewing Unified logs. For information on administrator permissions, refer to Device > Admin Roles.
You can use the Unified log set with the AutoFocus threat intelligence portal. Set up an AutoFocus search to add AutoFocus search filters directly to the Unified log filter field.

Log Actions

Action / Description

Filter Logs: Each log page has a filter field at the top of the page. You can add artifacts to the field, such as an IP address or a time range, to find matching log entries. The icons to the right of the field enable you to apply, clear, create, save, and load filters.

Create a filter:
- Click an artifact in a log entry to add that artifact to the filter.
- Click Add to define new search criteria. For each criterion, select the Connector that defines the search type (and or or), the Attribute on which to base the search, an Operator to define the scope of the search, and a Value for evaluation against log entries. Add each criterion to the filter field and Close when you finish. You can then apply the filter.
If the Value string matches an Operator (such as has or in), enclose the string in quotation marks to avoid a syntax error. For example, if you filter by destination country and use IN as a Value to specify INDIA, enter the filter as ( dstloc eq "IN" ).
The log filter (receive_time in last-60-seconds) causes the number of log entries (and log pages) displayed to grow or shrink over time.

- Apply filters: Click Apply Filter to display log entries that match the current filter.
- Delete filters: Click Clear Filter to clear the filter field.
- Save a filter: Click Save Filter, enter a name for the filter, and click OK.
- Use a saved filter: Click Load Filter to add a saved filter to the filter field.
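The quoting rule above is easy to get wrong when filters are generated by a script rather than typed. The following Python helper is an added example, not Palo Alto Networks code: it renders `( attribute operator value )` criteria, joins them with the and/or connectors, and quotes any Value that would itself read as an operator keyword (the page names has, in and eq; the other keywords in the set, and the treatment of values containing whitespace, are assumptions).

```python
"""Build PAN-OS log-filter expressions with the quoting rule described above.

Added example, not Palo Alto Networks code. A filter criterion is rendered as
( attribute operator value ); criteria are joined with a connector. A Value that
collides with an operator keyword (the page's example: country code IN) must be
quoted or the filter field reports a syntax error.
"""
from dataclasses import dataclass
from typing import Iterable

# Operators named on the page: eq, has, in. The remaining members of this set
# are an assumption about other filter operators; a Value equal to any member
# is quoted so it cannot be mis-read as an operator.
OPERATOR_KEYWORDS = frozenset({"eq", "neq", "in", "has", "geq", "leq"})
CONNECTORS = frozenset({"and", "or"})


@dataclass(frozen=True)
class Criterion:
    attribute: str   # e.g. dstloc, receive_time
    operator: str    # e.g. eq, in
    value: str       # e.g. IN, last-60-seconds


def needs_quotes(value: str) -> bool:
    """True when the bare value would be ambiguous in the filter grammar:
    it spells an operator or connector keyword, or it contains whitespace."""
    lowered = value.lower()
    if lowered in OPERATOR_KEYWORDS or lowered in CONNECTORS:
        return True
    return any(ch.isspace() for ch in value)


def format_value(value: str) -> str:
    """Quote only when required, escaping embedded double quotes."""
    if needs_quotes(value):
        return '"' + value.replace('"', '\\"') + '"'
    return value


def render_criterion(criterion: Criterion) -> str:
    """Render one criterion, e.g. ( dstloc eq "IN" )."""
    if criterion.operator.lower() not in OPERATOR_KEYWORDS:
        raise ValueError(f"unknown operator: {criterion.operator!r}")
    return f"( {criterion.attribute} {criterion.operator} {format_value(criterion.value)} )"


def build_filter(criteria: Iterable[Criterion], connector: str = "and") -> str:
    """Join criteria with one connector (the Connector field in the Add dialog)."""
    if connector not in CONNECTORS:
        raise ValueError(f"connector must be one of {sorted(CONNECTORS)}")
    rendered = [render_criterion(c) for c in criteria]
    if not rendered:
        raise ValueError("a filter needs at least one criterion")
    return f" {connector} ".join(rendered)


if __name__ == "__main__":
    # Destination country INDIA (code IN) within the last 60 seconds: the
    # country code is quoted because it spells the operator "in"; the
    # relative time range is left bare.
    print(build_filter([
        Criterion("dstloc", "eq", "IN"),
        Criterion("receive_time", "in", "last-60-seconds"),
    ]))
```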


Export Logs: Click Export to CSV to export all logs matched to the current filter to a CSV-formatted report and continue to Download file. By default, the report contains up to 2,000 lines of logs. To change the line limit for generated CSV reports, select Device > Setup > Management > Logging and Reporting Settings > Log Export and Reporting and enter a new Max Rows in CSV Export value.

Highlight Policy Actions: Select to highlight log entries that match the action. The filtered logs are highlighted in the following colors:
- Green: Allow
- Yellow: Continue, or override
- Red: Deny, drop, drop-icmp, rst-client, reset-server, reset-both, block-continue, block-override, block-url, drop-all, sinkhole
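When the export is triaged offline rather than in the web interface, the same groupings can be applied to the CSV. This Python script is an added example, not Palo Alto Networks code: it uses the Highlight Policy Actions colour groups and the Traffic log's deny-versus-drop semantics from the Log Types table, and flags an export that reached the Max Rows in CSV Export limit. The CSV column names (type, action, app, rule, src, dst, bytes) are an assumption, since the page does not document the export header, and the sample rows are constructed.

```python
"""Triage an exported PAN-OS traffic-log CSV by policy action.

Added example, not Palo Alto Networks code. It applies two facts documented
above: the Highlight Policy Actions colour groups, and the Traffic log's
distinction between deny (the rule identified a specific application) and drop
(the rule specified any application; the application reads not-applicable when
dropped before identification). It also flags an export that may have hit the
Max Rows in CSV Export limit. The CSV column names are an assumption: the page
does not document the export header, so the sample rows are constructed.
"""
import csv
import io
from collections import Counter
from typing import Dict, List, Optional

DEFAULT_MAX_ROWS = 2000  # default Max Rows in CSV Export named on the page

# Action groups exactly as the Highlight Policy Actions description lists them.
GREEN = frozenset({"allow"})
YELLOW = frozenset({"continue", "override"})
RED = frozenset({
    "deny", "drop", "drop-icmp", "rst-client", "reset-server", "reset-both",
    "block-continue", "block-override", "block-url", "drop-all", "sinkhole",
})

# Constructed sample export; header names are an assumption for this example.
SAMPLE_CSV = """type,action,app,rule,src,dst,bytes
end,allow,ssl,allow-web,10.1.1.5,93.184.216.34,1420
deny,deny,bittorrent,block-p2p,10.1.1.9,203.0.113.7,0
drop,drop,not-applicable,drop-telnet,10.1.1.12,198.51.100.2,0
end,reset-both,smtp,reset-mail,10.1.1.3,192.0.2.25,880
start,allow,dns,allow-dns,10.1.1.5,10.1.0.1,64
end,continue,web-browsing,url-warn,10.1.1.7,198.51.100.9,2048
"""


def highlight_color(action: str) -> Optional[str]:
    """Colour the web interface would use for this action, or None if unlisted."""
    a = action.strip().lower()
    if a in GREEN:
        return "green"
    if a in YELLOW:
        return "yellow"
    if a in RED:
        return "red"
    return None


def explain_block(row: Dict[str, str]) -> Optional[str]:
    """Describe a blocked session the way the Type column semantics define it."""
    kind = row["type"].strip().lower()
    if kind == "deny":
        return f"deny by rule {row['rule']}: rule identified application {row['app']}"
    if kind == "drop":
        when = ("before application identification" if row["app"] == "not-applicable"
                else f"after application identification ({row['app']})")
        return f"drop by rule {row['rule']}: rule matched any application, {when}"
    return None  # start/end entries are not blocks


def triage(csv_text: str, max_rows: int = DEFAULT_MAX_ROWS) -> Dict[str, object]:
    """Summarise colour groups and blocked sessions for one exported report."""
    rows: List[Dict[str, str]] = list(csv.DictReader(io.StringIO(csv_text)))
    colors = Counter(c for c in (highlight_color(r["action"]) for r in rows) if c)
    blocks = [b for b in (explain_block(r) for r in rows) if b]
    return {
        "rows": len(rows),
        "colors": dict(colors),
        "blocks": blocks,
        # A report holding exactly max_rows lines may have been cut off by the limit.
        "possibly_truncated": len(rows) >= max_rows,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_CSV)
    print(result["colors"])
    for line in result["blocks"]:
        print(line)
```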

Change Log Display: To customize the log display:
- Change the automatic refresh interval: Select an interval from the interval drop-down (60 seconds, 30 seconds, 10 seconds, or Manual).
- Change the number and order of entries displayed per page: Log entries are retrieved in blocks of 10 pages.
  - Use the paging controls at the bottom of the page to navigate through the log list.
  - To change the number of log entries per page, select the number of rows from the per page drop-down (20, 30, 40, 50, 75, or 100).
  - To sort the results in ascending or descending order, use the ASC or DESC drop-down.
- Resolve IP addresses to domain names: Select Resolve Hostname to begin resolving external IP addresses to domain names.
- Change the order in which logs are displayed: Select DESC to display logs in descending order beginning with log entries with the most recent Receive Time. Select ASC to display logs in ascending order beginning with log entries with the oldest Receive Time.

View Details for Individual Log Entries: To view information about individual log entries:
- To display additional details, click Details for an entry. If the source or destination has an IP address-to-domain or username mapping defined in the Addresses page, the name is presented instead of the IP address. To view the associated IP address, move your cursor over the name.
- On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for the artifact.

Monitor > External Logs

Use this page to view logs ingested from the Traps Endpoint Security Manager (ESM) into Log Collectors that are managed by Panorama. To view Traps ESM logs on Panorama, do the following:
- On the Traps ESM server, configure Panorama as a Syslog server and select the logging events to forward to Panorama. The events can include security events, policy changes, agent and ESM Server status changes, and changes to configuration settings.
- On a Panorama that is deployed in Panorama mode with one or more Managed Log Collectors, set up a log ingestion profile (Panorama > Log Ingestion Profile) and attach the profile to a Collector Group (Panorama > Collector Groups) in which to store the Traps ESM logs.
External logs are not associated with a device group and are visible only when you select Device Group: All because the logs are not forwarded from firewalls.

Log Type / Description

Monitor > External Logs > Traps ESM > Threat: These threat events include all prevention, notification, provisional, and post-detection events that are reported by the Traps agents.

Monitor > External Logs > Traps ESM > System: ESM Server system events include changes related to ESM status, licenses, ESM Tech Support files, and communication with WildFire.

Monitor > External Logs > Traps ESM > Policy: Policy change events include changes to rules, protection levels, content updates, hash control logs, and verdicts.

Monitor > External Logs > Traps ESM > Agent: Agent change events occur on the endpoint and include changes to content updates, licenses, software, connection status, one-time action rules, processes and services, and quarantined files.

Monitor > External Logs > Traps ESM > Config: ESM configuration change events include system-wide changes to licensing, administrative users and roles, processes, restriction settings, and conditions.

Panorama can correlate discrete security events on the endpoints with events on the network to trace any suspicious or malicious activity between the endpoints and the firewall. To view correlated events that Panorama identifies, see Monitor > Automated Correlation Engine > Correlated Events.


Monitor > Automated Correlation Engine

The automated correlation engine tracks patterns on your network and correlates events that indicate an escalation in suspicious behavior or events that amount to malicious activity. The engine functions as your personal security analyst who scrutinizes isolated events across the different sets of logs on the firewall, queries the data for specific patterns, and connects the dots so that you have actionable information.
The correlation engine uses correlation objects that generate correlated events. Correlated events collate evidence to help you trace commonality across seemingly unrelated network events and provide the focus for incident response.
The automated correlation engine is supported on the following models only:
- Panorama M-Series and the virtual appliance
- PA-800 Series firewalls
- PA-3000 Series firewalls
- PA-5000 Series firewalls
- PA-5200 Series firewalls
- PA-7000 Series firewalls

What do you want to know? / See:
- What are correlation objects? See Monitor > Automated Correlation Engine > Correlation Objects.
- What is a correlated event? Where do I see the match evidence for a correlation match? See Monitor > Automated Correlation Engine > Correlated Events.
- How can I see a graphical view of correlation matches? See the Compromised Hosts widget in ACC.
- Looking for more? Use the Automated Correlation Engine.


Monitor > Automated Correlation Engine > Correlation Objects

To counter the advances in exploits and malware distribution methods, correlation objects extend the signature-based malware detection capabilities on the firewall. They provide the intelligence for identifying suspicious behavior patterns across different sets of logs and they gather the evidence required to investigate and promptly respond to an event.
A correlation object is a definition file that specifies patterns for matching, the data sources to use for performing the lookups, and the time period within which to look for these patterns. A pattern is a boolean structure of conditions that query the data sources, and each pattern is assigned a severity and a threshold, which is the number of times the pattern match occurs within a defined time limit. When a pattern match occurs, a correlation event is logged.
The data sources used for performing lookups can include the following logs: application statistics, traffic, traffic summary, threat summary, threat, data filtering, and URL filtering. For example, the definition for a correlation object can include a set of patterns that query the logs for evidence of infected hosts, evidence of malware patterns, or for lateral movement of malware in the traffic, URL filtering, and threat logs.
Correlation objects are defined by Palo Alto Networks and are packaged with content updates. You must have a valid threat prevention license to get content updates.
By default, all correlation objects are enabled. To disable an object, select the object and Disable it.
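The pattern, threshold and time-limit model described above can be made concrete with a small replay engine. The following Python is an added example, not Palo Alto Networks code or a real correlation object: it evaluates one pattern (a boolean condition over entries of one data source) against a sliding time window and emits a correlated event carrying the Match Time, Source Address, Severity and Summary fields when the threshold is reached. It also illustrates the Authentication log passage in the Log Types table, which says Authentication logs plus correlation objects can surface brute-force activity; the sample entries, their field names and the 6000-series object ID are constructed.

```python
"""Minimal pattern/threshold correlator in the shape the page describes.

Added example, not Palo Alto Networks code or a real correlation object: each
pattern is a boolean condition over one data source plus a severity and a
threshold (matches within a time window); reaching the threshold logs a
correlated event with Match Time, Source Address, Severity and Summary. The
sample replays the Authentication-log use case from the Log Types table (a
burst of failed authentications). Field names, timestamps and the 6000-series
object ID are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List


@dataclass(frozen=True)
class LogEntry:
    source: str             # data source the pattern queries
    time: datetime
    fields: Dict[str, str]  # constructed field names: src, user, result

@dataclass(frozen=True)
class Pattern:
    source: str
    condition: Callable[[LogEntry], bool]
    threshold: int          # matches required within the window
    window: timedelta       # the "defined time limit"
    severity: str
    key_field: str          # matches are counted per value of this field

@dataclass(frozen=True)
class CorrelationObject:
    object_id: int          # placeholder in the 6000 series
    name: str
    patterns: List[Pattern]

@dataclass(frozen=True)
class CorrelatedEvent:
    object_name: str
    source_address: str
    severity: str
    match_time: datetime
    summary: str


def correlate(obj: CorrelationObject, entries: List[LogEntry]) -> List[CorrelatedEvent]:
    """Replay entries in time order; emit an event whenever a pattern's threshold
    is reached inside its sliding window for one key value."""
    events: List[CorrelatedEvent] = []
    for pattern in obj.patterns:
        recent: Dict[str, List[datetime]] = {}  # key value -> match times in window
        for entry in sorted(entries, key=lambda e: e.time):
            if entry.source != pattern.source or not pattern.condition(entry):
                continue
            key = entry.fields.get(pattern.key_field, "")
            times = recent.setdefault(key, [])
            times.append(entry.time)
            while times and entry.time - times[0] > pattern.window:
                times.pop(0)  # expire matches that fell out of the window
            if len(times) >= pattern.threshold:
                events.append(CorrelatedEvent(
                    object_name=obj.name, source_address=key, severity=pattern.severity,
                    match_time=entry.time,
                    summary=f"{len(times)} matches within {pattern.window} from {key}"))
                times.clear()  # evidence consumed; a new window starts
    return events


def failed_authentication(entry: LogEntry) -> bool:
    return entry.fields.get("result") == "fail"


BRUTE_FORCE_OBJECT = CorrelationObject(
    object_id=6000,  # placeholder ID, not a real correlation object number
    name="Repeated authentication failures (constructed example)",
    patterns=[Pattern(source="authentication", condition=failed_authentication,
                      threshold=5, window=timedelta(seconds=60),
                      severity="medium", key_field="src")])

# Constructed sample: six failures from one host within 50 seconds, plus a host
# whose two failures are ten minutes apart and must not trigger.
_T0 = datetime(2017, 2, 6, 9, 0, 0)
SAMPLE_ENTRIES: List[LogEntry] = [
    LogEntry("authentication", _T0 + timedelta(seconds=10 * i),
             {"src": "10.1.1.20", "user": "alice", "result": "fail"})
    for i in range(6)
] + [
    LogEntry("authentication", _T0 + timedelta(seconds=5),
             {"src": "10.1.1.30", "user": "bob", "result": "fail"}),
    LogEntry("authentication", _T0 + timedelta(seconds=25),
             {"src": "10.1.1.30", "user": "bob", "result": "success"}),
    LogEntry("authentication", _T0 + timedelta(seconds=600),
             {"src": "10.1.1.30", "user": "bob", "result": "fail"}),
]


def run_example() -> List[CorrelatedEvent]:
    """One correlated event: the fifth failure from 10.1.1.20 at _T0 + 40 s."""
    return correlate(BRUTE_FORCE_OBJECT, SAMPLE_ENTRIES)
```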

Correlation Object Fields / Description

Name and Title: The label indicates the type of activity that the correlation object detects.

ID: A unique number identifies the correlation object. This number is in the 6000 series.

Category: A summary of the kind of threat or harm posed to the network, user, or host.

State: The state indicates whether the correlation object is enabled (active) or disabled (inactive).

Description: The description specifies the match conditions for which the firewall or Panorama will analyze logs. It describes the escalation pattern or progression path that will be used to identify malicious activity or suspicious host behavior.


Monitor > Automated Correlation Engine > Correlated Events

Correlated events expand the threat detection capabilities on the firewall and Panorama; the correlated events gather evidence of suspicious or unusual behavior of users or hosts on the network.
The correlation object makes it possible to pivot on certain conditions or behaviors and trace commonalities across multiple log sources. When the set of conditions specified in a correlation object is observed on the network, each match is logged as a correlated event.
The correlated event includes the details listed in the following table.

Field / Description

Match Time: The time the correlation object triggered a match.

Update Time: The timestamp when the match was last updated.

Object Name: The name of the correlation object that triggered the match.

Source Address: The IP address of the user from whom the traffic originated.

Source User: The user and user group information from the directory server, if User-ID is enabled.

Severity: A rating that classifies the risk based on the extent of damage caused.

Summary: A description that summarizes the evidence gathered on the correlated event.

To view the detailed log view, click Details for an entry. The detailed log view includes all the evidence for a match:

Tab / Description

Match Information:
- Object Details: Presents information on the correlation object that triggered the match. For information on correlation objects, see Monitor > Automated Correlation Engine > Correlation Objects.
- Match Details: A summary of the match details that includes the match time, last update time on the match evidence, severity of the event, and an event summary.

Match Evidence: This tab includes all the evidence that corroborates the correlated event. It lists detailed information on the evidence collected for each session.

To see a graphical display of the information in the Correlated Events tab, see the Compromised Hosts widget on the ACC > Threat Activity tab. In the Compromised Hosts widget, the display is aggregated by source user and IP address and sorted by severity.
To configure notifications when a correlated event is logged, go to the Device > Log Settings or Panorama > Log Settings tab.


Monitor > Packet Capture

All Palo Alto Networks firewalls have a built-in packet capture (pcap) feature you can use to capture packets that traverse the network interfaces on the firewall. You can then use the captured data for troubleshooting purposes or to create custom application signatures.

The packet capture feature is CPU intensive and can degrade firewall performance. Only use this feature when necessary and make sure to turn it off after you collect the required packets.

What do you want to know? / See:
- What are the different methods the firewall can use to capture packets? See Packet Capture Overview.
- How do I generate a custom packet capture? See Building Blocks for a Custom Packet Capture.
- How do I generate packet captures when the firewall detects a threat? See Enable Threat Packet Capture.
- Where do I download a packet capture? See Packet Capture Overview.

Looking for more?
- Turn on extended packet capture for security profiles: Device > Setup > Content-ID.
- Use packet capture to write custom application signatures: See Doc-2015. This example uses a third-party app but you can use the firewall to capture the required packets.
- Prevent a firewall admin from viewing packet captures: Define Web Interface Administrator Access.
- See an example: See Take Packet Captures.

Packet Capture Overview

You can configure a Palo Alto Networks firewall to perform a custom packet capture or a threat packet capture.
- Custom Packet Capture: Capture packets for all traffic or traffic based on filters you define. For example, you can configure the firewall to capture only packets to and from a specific source and destination IP address or port. Use these packet captures to troubleshoot network traffic related issues or to gather application attributes to write custom application signatures (Monitor > Packet Capture). You define the file name based on the stage (Drop, Firewall, Receive, or Transmit) and, after the pcap is complete, you download the pcap in the Captured Files section.


- Threat Packet Capture: Capture packets when the firewall detects a virus, spyware, or vulnerability. You enable this feature in Antivirus, Anti-Spyware, and Vulnerability Protection security profiles. These packet captures provide context around a threat to help you determine if an attack is successful or to learn more about the methods used by an attacker. The action for the threat must be set to either allow or alert; otherwise, the threat is blocked and packets cannot be captured. You configure this type of packet capture in the Objects > Security Profiles. To download pcaps, select Monitor > Threat.

Building Blocks for a Custom Packet Capture

The following table describes the components of the Monitor > Packet Capture page that you use to configure packet captures, enable packet capture, and to download packet capture files.


Custom Packet Capture Building Blocks / Configured In / Description

Manage Filters (Configure Filtering): When enabling custom packet captures, you should define filters so that only the packets that match the filters are captured. This will make it easier to locate the information you need in the pcaps and will reduce the processing power required by the firewall to perform the packet capture.
Click Add to add a new filter and configure the following fields:
- Id: Enter or select an identifier for the filter.
- Ingress Interface: Select the ingress interface on which you want to capture traffic.
- Source: Specify the source IP address of the traffic to capture.
- Destination: Specify the destination IP address of the traffic to capture.
- Src Port: Specify the source port of the traffic to capture.
- Dest Port: Specify the destination port of the traffic to capture.
- Proto: Specify the protocol number to filter (1-255). For example, ICMP is protocol number 1.
- Non-IP: Choose how to treat non-IP traffic (exclude all IP traffic, include all IP traffic, include only IP traffic, or do not include an IP filter). Broadcast and AppleTalk are examples of non-IP traffic.
- IPv6: Select this option to include IPv6 packets in the filter.

Filtering (Configure Filtering): After defining filters, set the Filtering to ON. If filtering is OFF, then all traffic is captured.

Pre-Parse Match (Configure Filtering): This option is for advanced troubleshooting purposes. After a packet enters the ingress port, it proceeds through several processing steps before it is parsed for matches against pre-configured filters.
It is possible for a packet, due to a failure, to not reach the filtering stage. This can occur, for example, if a route lookup fails. Set the Pre-Parse Match setting to ON to emulate a positive match for every packet entering the system. This allows the firewall to capture packets that do not reach the filtering process. If a packet is able to reach the filtering stage, it is then processed according to the filter configuration and discarded if it fails to meet filtering criteria.


Packet Capture (Configure Capturing): Click the toggle switch to turn packet capture ON or OFF.
You must select at least one capture stage. Click Add and specify the following:
- Stage: Indicate the point at which to capture packets:
  - drop: When packet processing encounters an error and the packet is dropped.
  - firewall: When the packet has a session match or a first packet with a session is successfully created.
  - receive: When the packet is received on the dataplane processor.
  - transmit: When the packet is transmitted on the dataplane processor.
- File: Specify the capture file name. The file name should begin with a letter and can include letters, digits, periods, underscores, or hyphens.
- Packet Count: Specify the maximum number of packets, after which capturing stops.
- Byte Count: Specify the maximum number of bytes, after which capturing stops.

Captured Files (Captured Files): Contains a list of custom packet captures previously generated by the firewall. Click a file to download it to your computer. To delete a packet capture, select the packet capture and then Delete it.
- File Name: Lists the packet capture files. The file names are based on the file name you specify for the capture stage.
- Date: Date the file was generated.
- Size (MB): The size of the capture file.
After you turn on packet capture and then turn it off, you must click Refresh before any new pcap files display in this list.

Clear All Settings (Settings): Click Clear All Settings to turn off packet capture and to clear all packet capture settings.
This does not turn off packet capture set in a security profile. For information on enabling packet capture on a security profile, see Enable Threat Packet Capture.


Enable Threat Packet Capture

Objects > Security Profiles
To enable the firewall to capture packets when it detects a threat, enable the packet capture option in the security profile.
First select Objects > Security Profiles and then modify the desired profile as described in the following table:

Packet Capture Options in Security Profiles / Location

Antivirus: Select a custom antivirus profile and, in the Antivirus tab, select Packet Capture.

Anti-Spyware: Select a custom Anti-Spyware profile, click the DNS Signatures tab and, in the Packet Capture drop-down, select single-packet or extended-capture.

Vulnerability Protection: Select a custom Vulnerability Protection profile and, in the Rules tab, click Add to add a new rule or select an existing rule. Then select the Packet Capture drop-down and select single-packet or extended-capture.

In Anti-Spyware and Vulnerability Protection profiles, you can also enable packet capture on exceptions. Click the Exceptions tab and, in the Packet Capture column for a signature, click the drop-down and select single-packet or extended-capture.

(Optional) To define the length of a threat packet capture based on the number of packets captured (which is based on a global setting), select Device > Setup > Content-ID and, in the Content-ID Settings section, modify the Extended Packet Capture Length (packets) field (range is 1-50; default is 5).
After you enable packet capture on a security profile, you need to verify that the profile is part of a security rule. For information on how to add a security profile to a security rule, see Security Policy Overview.
Each time the firewall detects a threat when packet capture is enabled on the security profile, you can download or export the packet capture.


Monitor > App Scope

The App Scope reports provide graphical visibility into the following aspects of your network:
- Changes in application usage and user activity
- Users and applications that take up most of the network bandwidth
- Network threats
With the App Scope reports, you can quickly see if any behavior is unusual or unexpected, and help pinpoint problematic behavior; each report provides a dynamic, user-customizable window into the network. The reports include options to select the data and ranges to display. On Panorama, you can also select the Data Source for the information that is displayed. The default data source (on new Panorama installations) uses the local database on Panorama, which stores logs forwarded by the managed firewalls; on an upgrade, the default data source is the Remote Device Data (managed firewall data). To fetch and display an aggregated view of the data directly from the managed firewalls, you now have to switch the source from Panorama to Remote Device Data.
Hovering the mouse over and clicking either the lines or bars on the charts switches to the ACC and provides detailed information about the specific application, application category, user, or source.

Application Command Center Charts / Description
- Summary: Summary Report
- Change Monitor: Change Monitor Report
- Threat Monitor: Threat Monitor Report
- Threat Map: Threat Map Report
- Network Monitor: Network Monitor Report
- Traffic Map: Traffic Map Report


Summary Report

The Summary report displays charts for the top five gainers, losers, and bandwidth-consuming applications, application categories, users, and sources.
To export the charts in the summary report as a PDF, click Export. Each chart is saved as a page in the PDF output.

Figure: App Scope Summary Report


Change Monitor Report

The Change Monitor report displays changes over a specified time period. For example, the figure below displays the top applications that gained in use over the last hour as compared with the last 24-hour period. The top applications are determined by session count and sorted by percentage.

Figure: App Scope Change Monitor Report

This report contains the following options.

Change Monitor Report Options / Description

Top Bar
- Top 10: Determines the number of records with the highest measurement included in the chart.
- Application: Determines the type of item reported: Application, Application Category, Source, or Destination.
- Gainers: Displays measurements of items that have increased over the measured period.
- Losers: Displays measurements of items that have decreased over the measured period.
- New: Displays measurements of items that were added over the measured period.
- Dropped: Displays measurements of items that were discontinued over the measured period.
- Filter: Applies a filter to display only the selected item. None displays all entries.


- Count Sessions and Count Bytes: Determines whether to display session or byte information.
- Sort: Determines whether to sort entries by percentage or raw growth.
- Export: Exports the graph as a .png image or as a PDF.

Bottom Bar
- Compare (interval): Specifies the period over which the change measurements are taken.

Threat Monitor Report

The Threat Monitor report displays a count of the top threats over the selected time period. For example, the figure below shows the top 10 threat types for the past 6 hours.

Figure: App Scope Threat Monitor Report


Each threat type is color-coded as indicated in the legend below the chart. This report contains the following options.

Threat Monitor Report Options / Description

Top Bar
- Top 10: Determines the number of records with the highest measurement included in the chart.
- Threat: Determines the type of item measured: Threat, Threat Category, Source, or Destination.
- Filter: Applies a filter to display only the selected item.
- Determines whether the information is presented in a stacked column chart or a stacked area chart.
- Export: Exports the graph as a .png image or as a PDF.

Bottom Bar
- Specifies the period over which the measurements are taken.

Threat Map Report

The Threat Map report shows a geographical view of threats, including severity.

Figure: App Scope Threat Map Report

Each threat type is color coded as indicated in the legend below the chart. Click a country on the map to Zoom In and then Zoom Out as needed. This report contains the following options.

Threat Map Report Options

Top Bar

Top 10: Determines the number of records with the highest measurement included in the chart.

Incoming threats: Displays incoming threats.

Outgoing threats: Displays outgoing threats.

Filter: Applies a filter to display only the selected item.

Zoom In and Zoom Out: Zoom in and zoom out of the map.

Export: Exports the graph as a .png image or as a PDF.

Bottom Bar

Indicates the period over which the measurements are taken.

Network Monitor Report

The Network Monitor report displays the bandwidth dedicated to different network functions over the specified period of time. Each network function is color coded as indicated in the legend below the chart. For example, the image below shows application bandwidth for the past 7 days based on session information.

Figure: App Scope Network Monitor Report

The report contains the following options.

Network Monitor Report Options

Top Bar

Top 10: Determines the number of records with the highest measurement included in the chart.

Application: Determines the type of item reported: Application, Application Category, Source, or Destination.

Filter: Applies a filter to display only the selected item. None displays all entries.

Count Sessions and Count Bytes: Determines whether to display session or byte information.

Determines whether the information is presented in a stacked column chart or a stacked area chart.

Export: Exports the graph as a .png image or as a PDF.

Bottom Bar

Indicates the period over which the change measurements are taken.

Traffic Map Report

The Traffic Map report shows a geographical view of traffic flows according to sessions or flows.

Figure: App Scope Traffic Map Report

Each traffic type is color coded as indicated in the legend below the chart. This report contains the following options.

Traffic Map Report Options

Top Bar

Top 10: Determines the number of records with the highest measurement included in the chart.

Incoming traffic: Displays incoming traffic.

Outgoing traffic: Displays outgoing traffic.

Count Sessions and Count Bytes: Determines whether to display session or byte information.

Zoom In and Zoom Out: Zoom in and zoom out of the map.

Export: Exports the graph as a .png image or as a PDF.

Bottom Bar

Indicates the period over which the change measurements are taken.

Monitor > Session Browser

Select Monitor > Session Browser to browse and filter currently running sessions on the firewall. For information on filtering options for this page, see Log Actions.

Monitor > Block IP List

You can configure the firewall to place IP addresses on the block list in several ways, including the following:
Configure a DoS Protection policy rule with the Action to Protect and apply a Classified DoS Protection profile to the rule. The profile includes the Block Duration.
Configure a Security policy rule with a Vulnerability Protection profile that uses a rule with the Action to Block IP and apply the rule to a zone.
The Block IP List is supported on PA-3050, PA-3060, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls.

What do you want to know? See:

What do the Block IP List fields indicate? Block IP List Entries

How do I filter, navigate, or delete Block IP List entries? View or Delete Block IP List Entries

Looking for more? Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
DoS Protection Against Flooding of New Sessions
Monitor Blocked IP Addresses

Block IP List Entries

The following table explains the block list entry for a source IP address that the firewall is blocking.

Field

Block Time: Month/day and hours:minutes:seconds when the IP address went on the Block IP List.

Type: Type of block action: whether the hardware (hw) or software (sw) blocked the IP address.
When you configure a DoS Protection policy or a Security policy that uses a Vulnerability Protection profile to block connections from source IPv4 addresses, the firewall automatically blocks that traffic in hardware before those packets use CPU or packet buffer resources. If attack traffic exceeds the blocking capacity of the hardware, the firewall uses software to block the traffic.

Source IP Address: Source IP address of the packet that the firewall blocked.

Ingress Zone: Security zone assigned to the interface where the packet entered the firewall.

Time Remaining: Number of seconds remaining for the IP address to be on the Block IP List.

Block Source: Name of the classified DoS Protection profile or Vulnerability Protection object where you specified the Block IP action.

Total Blocked IPs: x out of y (z% used): Count of blocked IP addresses (x) out of the number of blocked IP addresses the firewall supports (y), and the corresponding percentage of blocked IP addresses used (z).

View or Delete Block IP List Entries

Navigate the Block IP List entries, view detailed information, and delete an entry if desired.

Search for specific Block IP List information: Select a value in a column, which enters a filter in the Filters field, and click the right arrow to initiate the search for entries with that value. Click the X to remove the filter.

View Block IP List entries beyond the current screen: Enter a page number in the Page field or click the single arrows to see the Next Page or Previous Page of entries. Click the double arrows to view the Last Page or First Page of entries.

View detailed information about an IP address on the Block IP List: Click on a Source IP Address of an entry, which links to Network Solutions WhoIs with information about the address.

Delete Block IP List entries: Select an entry and click Delete.

Clear the entire Block IP List: Click Clear All to permanently delete all entries, which means those packets are no longer blocked.

Monitor > Botnet

The botnet report enables you to use behavior-based mechanisms to identify potential malware and botnet-infected hosts in your network. The report assigns each host a confidence score of 1 to 5 to indicate the likelihood of botnet infection, where 5 indicates the highest likelihood. Before scheduling the report or running it on demand, you must configure it to identify types of traffic as suspicious. The PAN-OS Administrator's Guide provides details on interpreting botnet report output.
Managing Botnet Reports
Configuring the Botnet Report

Managing Botnet Reports

Monitor > Botnet > Report Setting
Before generating the botnet report, you must specify the types of traffic that indicate potential botnet activity (see Configuring the Botnet Report). To schedule a daily report or run it on demand, click Report Setting and complete the following fields. To export a report, select it and Export to PDF, Export to CSV, or Export to XML.

Botnet Report Settings

Test Run Time Frame: Select the time interval for the report: Last 24 Hours (default) or Last Calendar Day.

Run Now: Click Run Now to manually and immediately generate a report. The report displays in a new tab within the Botnet Report dialog.

No. of Rows: Specify the number of rows to display in the report (default is 100).

Scheduled: Select this option to automatically generate the report daily. By default, this option is enabled.

Query Builder: (Optional) Add queries to the Query Builder to filter the report output by attributes such as source/destination IP addresses, users, or zones. For example, if you know that traffic initiated from the IP address 192.0.2.0 contains no potential botnet activity, you can add not (addr.src in 192.0.2.0) as a query to exclude that host from the report output.
Connector: Select a logical connector (and or or). If you select Negate, the report will exclude the hosts that the query specifies.
Attribute: Select a zone, address, or user that is associated with the hosts that the firewall evaluates for botnet activity.
Operator: Select an operator to relate the Attribute to a Value.
Value: Enter a value for the query to match.

Configuring the Botnet Report

Monitor > Botnet > Configuration
To specify the types of traffic that indicate potential botnet activity, click Configuration on the right side of the Botnet page and complete the following fields. After configuring the report, you can run it on demand or schedule it to run daily (see Monitor > PDF Reports > Manage PDF Summary).

Botnet Configuration Settings

HTTP Traffic: Enable and define the Count for each type of HTTP Traffic that the report will include. The Count values you enter are the minimum number of events of each traffic type that must occur for the report to list the associated host with a higher confidence score (higher likelihood of botnet infection). If the number of events is less than the Count, the report will display the lower confidence score or (for certain traffic types) won't display an entry for the host.
Malware URL visit (range is 2-1000; default is 5): Identifies users communicating with known malware URLs based on malware and botnet URL filtering categories.
Use of dynamic DNS (range is 2-1000; default is 5): Looks for dynamic DNS query traffic that might indicate malware, botnet communications, or exploit kits. Generally, using dynamic DNS domains is very risky. Malware often uses dynamic DNS to avoid IP blacklisting. Consider using URL filtering to block such traffic.
Browsing to IP domains (range is 2-1000; default is 10): Identifies users who browse to IP domains instead of URLs.
Browsing to recently registered domains (range is 2-1000; default is 5): Looks for traffic to domains that were registered within the past 30 days. Attackers, malware, and exploit kits often use newly registered domains.
Executable files from unknown sites (range is 2-1000; default is 5): Identifies executable files downloaded from unknown URLs. Executable files are a part of many infections and, when combined with other types of suspicious traffic, can help you prioritize host investigations.

Unknown Applications: Define the thresholds that determine whether the report will include traffic associated with suspicious Unknown TCP or Unknown UDP applications.
Sessions Per Hour (range is 1-3600; default is 10): The report includes traffic that involves up to the specified number of application sessions per hour.
Destinations Per Hour (range is 1-3600; default is 10): The report includes traffic that involves up to the specified number of application destinations per hour.
Minimum Bytes (range is 1-200; default is 50): The report includes traffic for which the application payload equals or exceeds the specified size.
Maximum Bytes (range is 1-200; default is 100): The report includes traffic for which the application payload is equal to or less than the specified size.

IRC: Select this option to include traffic involving IRC servers.
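The threshold logic of the Botnet Configuration above, as an added Python example that is not from this guide or from PAN-OS: it validates the Count and Unknown Applications values against the documented ranges and defaults, then decides over constructed per-host traffic summaries which HTTP traffic types reached their Count and whether unknown-application traffic fell inside the thresholds. The page does not define how these findings map to the 1 to 5 confidence score, so the example stops at the list of triggered criteria; the host summary format and the type names are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Documented defaults for the HTTP Traffic Count values (all have range 2-1000).
HTTP_TYPES = {
    "malware_url_visit": 5,
    "dynamic_dns": 5,
    "ip_domain_browsing": 10,
    "recently_registered_domain": 5,
    "exe_from_unknown_site": 5,
}
HTTP_COUNT_RANGE = (2, 1000)

# Documented defaults and ranges for the Unknown Applications thresholds.
UNKNOWN_APP_DEFAULTS = {
    "sessions_per_hour": 10,
    "destinations_per_hour": 10,
    "minimum_bytes": 50,
    "maximum_bytes": 100,
}
UNKNOWN_APP_RANGES = {
    "sessions_per_hour": (1, 3600),
    "destinations_per_hour": (1, 3600),
    "minimum_bytes": (1, 200),
    "maximum_bytes": (1, 200),
}


def validate_config(http_counts, unknown_app):
    """Raise ValueError for a value outside its documented range."""
    lo, hi = HTTP_COUNT_RANGE
    for name, count in http_counts.items():
        if name not in HTTP_TYPES:
            raise ValueError(f"unknown HTTP traffic type: {name}")
        if not lo <= count <= hi:
            raise ValueError(f"{name}: Count {count} outside {lo}-{hi}")
    for name, value in unknown_app.items():
        lo, hi = UNKNOWN_APP_RANGES[name]
        if not lo <= value <= hi:
            raise ValueError(f"{name}: {value} outside {lo}-{hi}")
    if unknown_app["minimum_bytes"] > unknown_app["maximum_bytes"]:
        raise ValueError("Minimum Bytes must not exceed Maximum Bytes")
    return True


@dataclass
class HostSummary:
    """Constructed per-host summary of one reporting window (not a PAN-OS log format)."""
    ip: str
    http_events: dict = field(default_factory=dict)   # traffic type -> event count
    unknown_sessions_per_hour: int = 0
    unknown_destinations_per_hour: int = 0
    unknown_payload_bytes: int = 0
    irc: bool = False


def http_types_meeting_count(host, http_counts):
    """HTTP traffic types whose event count reached the configured minimum Count."""
    return sorted(t for t, n in host.http_events.items() if n >= http_counts[t])


def unknown_app_suspicious(host, unknown_app):
    """Unknown TCP/UDP traffic is included only while it stays within all four thresholds."""
    return (
        0 < host.unknown_sessions_per_hour <= unknown_app["sessions_per_hour"]
        and 0 < host.unknown_destinations_per_hour <= unknown_app["destinations_per_hour"]
        and unknown_app["minimum_bytes"] <= host.unknown_payload_bytes <= unknown_app["maximum_bytes"]
    )


def evaluate_hosts(hosts, http_counts=None, unknown_app=None, include_irc=False):
    """Return {ip: [triggered criteria]} for hosts that met at least one configured criterion."""
    http_counts = {**HTTP_TYPES, **(http_counts or {})}
    unknown_app = {**UNKNOWN_APP_DEFAULTS, **(unknown_app or {})}
    validate_config(http_counts, unknown_app)
    findings = {}
    for host in hosts:
        reasons = http_types_meeting_count(host, http_counts)
        if unknown_app_suspicious(host, unknown_app):
            reasons.append("unknown_application")
        if include_irc and host.irc:            # the IRC option adds IRC traffic
            reasons.append("irc")
        if reasons:
            findings[host.ip] = reasons
    return findings


# Constructed sample hosts (documentation-range addresses, invented counts).
SAMPLE_HOSTS = [
    HostSummary("192.0.2.10", {"malware_url_visit": 7, "dynamic_dns": 1}),
    HostSummary("192.0.2.11", {"ip_domain_browsing": 9},       # one short of the default Count
                unknown_sessions_per_hour=4, unknown_destinations_per_hour=3,
                unknown_payload_bytes=64),
    HostSummary("192.0.2.12", unknown_sessions_per_hour=50, irc=True),   # too many sessions
    HostSummary("192.0.2.13"),
]

if __name__ == "__main__":
    for ip, reasons in evaluate_hosts(SAMPLE_HOSTS, include_irc=True).items():
        print(ip, reasons)
```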

Monitor > PDF Reports

Monitor > PDF Reports > Manage PDF Summary
Monitor > PDF Reports > User Activity Report
Monitor > PDF Reports > SaaS Application Usage
Monitor > PDF Reports > Report Groups
Monitor > PDF Reports > Email Scheduler

Monitor > PDF Reports > Manage PDF Summary

PDF summary reports contain information compiled from existing reports, based on data for the top 5 in each category (instead of top 50). They also contain trend charts that are not available in other reports.

Figure: PDF Summary Report

To create PDF summary reports, click Add. The PDF Summary Report page opens to show all of the available report elements.

Figure: Managing PDF Reports

Use one or more of these options to design the report:
To remove an element from the report, click delete ([X]) or clear the item from the appropriate drop-down.
Select additional elements by selecting them in the appropriate drop-down.
Drag and drop an element to move it to another area of the report.

There is a maximum of 18 report elements allowed. If you have 18 already, you must delete existing elements before you can add new ones.

To Save the report, enter a report name, and click OK.
To display PDF reports, select Monitor > Reports and click PDF Summary Report and click a report to open or save that report. You can also export a report using the options at the bottom of the page (Export to PDF, Export to CSV, or Export to XML) or click a day in the calendar to download a report for that day.

New PDF summary reports will not appear until after the report runs, which will occur automatically every 24 hours at 2 a.m.

Monitor > PDF Reports > User Activity Report

Use this page to create reports that summarize the activity of individual users or user groups. Click Add and specify the following information.

User/Group Activity Report Settings

Name: Enter a name to identify the report (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Type: For User Activity Report: Select User and enter the Username or IP address (IPv4 or IPv6) of the user who will be the subject of the report.
For Group Activity Report: Select Group and enter the Group Name.

Time Period: Select the time frame for the report from the drop-down.

Include Detailed Browsing: (Optional) Select this option to include detailed URL logs in the report. The detailed browsing information can include a large volume of logs (thousands) for the selected user or user group and cause a report to be very large.

The Group Activity Report does not include Browsing Summary by URL Category; all other information is common across the User Activity Report and the Group Activity Report.

To run the report on demand, click Run Now. To change the maximum number of rows that display in the report, see Logging and Reporting Settings.
To save the report, click OK. You can then schedule the report for email delivery (Monitor > PDF Reports > Email Scheduler).

Monitor > PDF Reports > SaaS Application Usage

Use this page to create a report that summarizes the SaaS application activity on your network. This predefined report presents a comparison of the sanctioned versus unsanctioned SaaS application usage on your network, and you can use this information to help steer your users toward sanctioned applications. You can then enforce granular context-based and application-based policies for SaaS applications that you want to allow or block on your network.
For generating an accurate and informative report, you must tag the sanctioned applications on your network (see Actions Supported on Applications). The firewall and Panorama consider any application without this predefined tag as unsanctioned for use on the network. It is important to know about the sanctioned applications and unsanctioned applications that are prevalent on your network because unsanctioned SaaS applications are a potential threat to information security; they are not approved for use on your network and can cause an exposure to threats and loss of private and sensitive data.

Make sure you tag applications consistently across all firewalls or device groups. If the same application is tagged as sanctioned in one virtual system and is not sanctioned in another or on Panorama, or if an application is unsanctioned in a parent device group but is tagged as sanctioned in a child device group (or vice versa), the SaaS Application Usage report will produce overlapping results.
On the ACC, set the Application View to By Sanctioned State to visually identify applications that have a different sanctioned state across virtual systems or device groups. Green indicates sanctioned applications, blue is for unsanctioned applications, and yellow indicates applications that have a different sanctioned state across different virtual systems or device groups.

To configure the report, click Add and specify the following information:

SaaS Application Usage Report Settings

Name: Enter a name to identify the report (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Time Period: Select the time frame for the report from the drop-down: Last 7 Days, Last 30 Days, or Last 90 Days. The report includes data from the current day (the day on which the report is generated).

Include logs from: From the drop-down, select whether you want to generate the report on a selected user group, on a selected zone, or for all user groups and zones configured on the firewall or Panorama.
For a selected user group: Select the User Group for which the firewall or Panorama will filter the logs.
For a selected zone: Select the Zone for which the firewall or Panorama will filter the logs.
For all user groups and zones: You can report on all groups or choose up to 25 user groups for which you want visibility. If you have more than 25 groups, the firewall or Panorama will display the top 25 groups in the report and assign all remaining user groups to the Others group.

Include user group information in the report (Not available if you choose to generate the report on a Selected User Group.): This option filters the logs for the user groups you want to include in the report. Select the manage groups or the manage groups for the selected zone link to choose up to 25 user groups for which you want visibility. When you generate a report for specific user groups on a selected zone, users who are not a member of any of the selected groups are assigned to a user group called Others.

User group: Select the user group(s) for which you want to generate the report. This option displays only when you choose Selected User Group in the Include logs from drop-down.

Zone: Select the zone for which you want to generate the report. This option displays only when you choose Selected Zone in the Include logs from drop-down.
You can then select Include user group information in the report.

Include detailed application category information in report: The SaaS Application Usage PDF report is a two-part report. By default, both parts of the report are generated. The first part of the report (ten pages) focuses on the SaaS applications used on your network during the reporting period.
Clear this option if you do not want the second part of the report that includes detailed information for SaaS and non-SaaS applications for each application subcategory listed in the first part of the report. This second part of the report includes the names of the top applications in each subcategory and information about users, user groups, files, bytes transferred, and threats generated from these applications.
Without the detailed information, the report is ten pages long.

Limit max subcategories in the report to: Select whether you want to use all application subcategories in the SaaS Application Usage report or whether you want to limit the maximum number to 10, 15, 20, or 25 subcategories.
When you reduce the maximum number of subcategories, the detailed report is shorter because you limit the SaaS and non-SaaS application activity information included in the report.

Click Run Now to generate the report on demand.
To schedule the report, see Monitor > PDF Reports > Email Scheduler.
On PA-200 and PA-500 firewalls, the SaaS Application Usage report is not sent as a PDF attachment in the email. Instead, the email includes a link you use to open the report in a web browser.
For more information on the report, see Manage Reporting.

Monitor > PDF Reports > Report Groups

Report groups allow you to create sets of reports that the system can compile and send as a single aggregate PDF report with an optional title page and all the constituent reports included.

Report Group Settings

Name: Enter a name to identify the report group (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Title Page: Select this option to include a title page in the report.

Title: Enter the name that will appear as the report title.

Report selection / Widgets: For each report to include in the group, select the report in the left column and Add it to the right column. You can select the following report types:
Predefined Report
Custom Report
PDF Summary Report
CSV
Log View: Whenever you create a custom report, the firewall automatically creates a Log View report with the same name. The Log View report shows the logs that the firewall used to build the contents of the custom report. To include the log view data, when creating a report group, add your Custom Reports and then add the matching Log View reports. The aggregate report generated for the report group displays the custom report data followed by the log data.
After you save the report group, the Widgets column of the Report Groups page lists the reports you added to the group.

To use the report group, refer to Monitor > PDF Reports > Email Scheduler.

Monitor > PDF Reports > Email Scheduler

Use the Email Scheduler to schedule reports for delivery by email. Before adding a schedule, you must define report groups and an email profile. Refer to Monitor > PDF Reports > Report Groups and Device > Server Profiles > Email.
Scheduled reports begin running at 2:00 AM, and email forwarding occurs after all scheduled reports have finished running.

Email Scheduler Settings

Name: Enter a name to identify the schedule (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Report Group: Select the report group (Monitor > PDF Reports > Report Groups) or the SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage) you want to schedule.

Email Profile: Select the profile that defines the email settings. Refer to Device > Server Profiles > Email for information on defining email profiles.

Recurrence: Select the frequency at which to generate and send the report.

Override Email Addresses: Enter an optional email address to use instead of the recipient specified in the email profile.

Send test email: Click to send a test email to the email address defined in the selected Email Profile.

Monitor > Manage Custom Reports

You can create custom reports to run on demand or on schedule (each night). For reports that are predefined, select Monitor > Reports.
Add a custom report to create a new one. To base the report on an existing template, Load Template and select the template. To generate a report on demand, instead of or in addition to the Scheduled time, click Run Now.
Specify the following settings to define the report.

Custom Report Settings

Name: Enter a name to identify the report (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: Enter a description for the custom report.

Database: Choose the database to use as the data source for the report.

Scheduled: Select this option to run the report each night. The report then becomes available by selecting Monitor > Reports.

Time Frame: Choose a fixed time frame or choose Custom and specify a date and time range.

Sort By: Choose sorting options to organize the report, including the amount of information to include in the report. The available options depend on the choice of database.

Group By: Choose grouping options to organize the report, including the amount of information to include in the report. The available options depend on the choice of database.

Columns: Select Available Columns to include in the custom report and add (icon) them to Selected Columns. Select Up, Down, Top, and Bottom to reorder selected columns. As needed, you can also select and remove (icon) previously selected columns.

Query Builder: To build a report query, specify the following and click Add. Repeat as needed to construct the full query.
Connector: Choose the connector (and or or) to precede the expression you are adding.
Negate: Select this option to interpret the query as a negation. In the previous example, the negate option causes a match on entries that are not in the past 24 hours or are not from the untrust zone.
Attribute: Choose a data element. The available options depend on the choice of database.
Operator: Choose the criterion to determine whether the attribute applies (such as =). The available options depend on the choice of database.
Value: Specify the attribute value to match.

For more information, see Generate Custom Reports.
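The Query Builder rows described here and under Monitor > Botnet > Report Setting (Connector, Negate, Attribute, Operator, Value) combine into one filter expression such as the botnet example not (addr.src in 192.0.2.0). The following is an added Python example, not code from this guide or from PAN-OS: it renders a list of builder rows into that text form and evaluates the same rows over constructed log records. Only the eq, neq and in operators are implemented, the attribute names zone.src and user.src beyond the page's addr.src are assumed, and clauses are combined left to right with no precedence between and and or, which is an assumption for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Clause:
    """One row of the Query Builder: Attribute, Operator, Value, Connector and Negate."""
    attribute: str
    operator: str            # "eq", "neq" or "in" (the subset implemented here)
    value: str
    connector: str = "and"   # ignored for the first clause of a query
    negate: bool = False

    def render(self):
        text = f"({self.attribute} {self.operator} {self.value})"
        return f"not {text}" if self.negate else text

    def matches(self, record):
        actual = record.get(self.attribute)
        if actual is None:
            hit = False
        elif self.operator == "eq":
            hit = str(actual) == self.value
        elif self.operator == "neq":
            hit = str(actual) != self.value
        elif self.operator == "in":
            # "in" is address membership: the Value is a host address or a CIDR network.
            net = ipaddress.ip_network(self.value, strict=False)
            hit = ipaddress.ip_address(actual) in net
        else:
            raise ValueError(f"unsupported operator: {self.operator}")
        return not hit if self.negate else hit


def render_query(clauses):
    """Text form of the query as the builder would show it."""
    parts = [clauses[0].render()]
    for c in clauses[1:]:
        parts.append(f"{c.connector} {c.render()}")
    return " ".join(parts)


def evaluate(clauses, record):
    """Combine clauses left to right (assumption: no precedence between and/or)."""
    result = clauses[0].matches(record)
    for c in clauses[1:]:
        if c.connector == "and":
            result = result and c.matches(record)
        elif c.connector == "or":
            result = result or c.matches(record)
        else:
            raise ValueError(f"unsupported connector: {c.connector}")
    return result


def filter_records(clauses, records):
    return [r for r in records if evaluate(clauses, r)]


# Constructed sample records; the attribute names besides addr.src are assumed for the example.
SAMPLE_RECORDS = [
    {"addr.src": "192.0.2.0", "zone.src": "trust", "user.src": "alice"},
    {"addr.src": "192.0.2.25", "zone.src": "trust", "user.src": "bob"},
    {"addr.src": "198.51.100.7", "zone.src": "untrust", "user.src": "carol"},
]

# The page's botnet example: exclude the host 192.0.2.0 from the report output.
EXCLUDE_HOST = [Clause("addr.src", "in", "192.0.2.0", negate=True)]

# A two-row query: hosts in zone untrust, or any host outside 192.0.2.0/24.
EXAMPLE_QUERY = [
    Clause("zone.src", "eq", "untrust"),
    Clause("addr.src", "in", "192.0.2.0/24", connector="or", negate=True),
]

if __name__ == "__main__":
    print(render_query(EXCLUDE_HOST))
    for r in filter_records(EXCLUDE_HOST, SAMPLE_RECORDS):
        print(r["addr.src"], r["user.src"])
```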

Monitor > Reports

The firewall provides various top 50 reports of the traffic statistics for the previous day or a selected day in the previous week.
To view a report, expand a report category (such as Custom Reports) on the right side of the page and select a report name. The page lists reports in sections. You can view the information in each report for the selected time period.
By default, the firewall displays all reports for the previous calendar day. To view reports for other dates, select a report generation date in the calendar at the bottom right of the page.
To view reports on a system other than the firewall, select an export option:
Export to PDF
Export to CSV
Export to XML

Policies

This section describes the firewall web interfaces you can use to configure policies:
Policy Types
Move or Clone a Policy Rule
Policies > Security
Policies > NAT
Policies > QoS
Policies > Policy Based Forwarding
Policies > Decryption
Policies > Tunnel Inspection
Policies > Application Override
Policies > Authentication
Policies > DoS Protection

Policy Types

Policies enable you to control firewall operation by enforcing rules and automating actions. The firewall supports the following policy types:
Basic security policies to block or allow a network session based on the application, the source and destination zones and addresses, and optionally based on the service (port and protocol). Zones identify the physical or logical interfaces that send or receive the traffic. See Policies > Security.
Network Address Translation (NAT) policies to translate addresses and ports. See Policies > NAT.
Quality of Service (QoS) policies to determine how traffic is classified for treatment when it passes through an interface with QoS enabled. See Policies > QoS.
Policy-based forwarding policies to override the routing table and specify an egress interface for traffic. See Policies > Policy Based Forwarding.
Decryption policies to specify traffic decryption for security policies. Each policy can specify the categories of URLs for the traffic you want to decrypt. SSH decryption is used to identify and control SSH tunneling in addition to SSH shell access. See Policies > Decryption.
Tunnel Inspection policies to enforce Security, DoS Protection, and QoS policies on tunneled traffic, and to view tunnel activity. See Policies > Tunnel Inspection.
Override policies to override the application definitions provided by the firewall. See Policies > Application Override.
Authentication policies to define authentication for end users who access network resources. See Policies > Authentication.
Denial of service (DoS) policies to protect against DoS attacks and take protective action in response to rule matches. See Policies > DoS Protection.

Shared policies pushed from Panorama display in orange on the firewall web interface. You can edit these shared policies only on Panorama; you cannot edit them on the firewall.
Use the Tag Browser to view all the tags used in a rulebase. In rulebases with many rules, the tag browser simplifies the display by presenting the tags, color code, and the rule numbers in which tags are used.

Move or Clone a Policy Rule

When moving or cloning policies, you can assign a Destination (a virtual system on a firewall or a device group on Panorama) for which you have access permissions, including the Shared location.
To move a policy rule, select the rule in the Policies tab, click Move, select Move to other vsys (firewalls only) or Move to other device group (Panorama only), specify the fields in the following table, and then click OK.
To clone a policy rule, select the rule in the Policies tab, click Clone, specify the fields in the following table, and then click OK.

Move/Clone Settings

Selected Rules: Displays the Name and current Location (virtual system or device group) of the policy rules you selected for the operation.

Destination: Select the new location for the policy or object: a virtual system, device group, or Shared. The default value is the Virtual System or Device Group that you selected in the Policies or Objects tab.

Rule order: Select the rule position relative to other rules:
Move top: The rule will precede all other rules.
Move bottom: The rule will follow all other rules.
Before rule: In the adjacent drop-down, select the subsequent rule.
After rule: In the adjacent drop-down, select the preceding rule.

Error out on first detected error in validation: Select this option (selected by default) to make the firewall or Panorama display the first error it finds and stop checking for more errors. For example, an error occurs if the Destination doesn't include an object that is referenced in the policy rule you are moving. If you clear this selection, the firewall or Panorama will find all errors before displaying them.

Policies > Security

Security policy rules reference security zones and enable you to allow, restrict, and track traffic on your network based on the application, user or user group, and service (port and protocol). By default, the firewall includes a security rule named rule1 that allows all traffic from the Trust zone to the Untrust zone.

What do you want to know? See:

What is a Security policy? Security Policy Overview
For Panorama, see Move or Clone a Policy Rule

What are the fields available to create a Security policy rule? Building Blocks in a Security Policy Rule

How can I use the web interface to manage Security policy rules? Creating and Managing Policies
Overriding or Reverting a Security Policy Rule

Looking for more? Security Policy

Security Policy Overview

Security policies allow you to enforce rules and take action, and can be as general or specific as needed. The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones. For example, a rule for a single application must precede a rule for all applications if all other traffic-related settings are the same.

To ensure that end users authenticate when they try to access your network resources, the firewall evaluates Authentication policy before Security policy. For details, see Policies > Authentication.

For traffic that doesn't match any user-defined rules, the default rules apply. The default rules displayed at the bottom of the security rulebase are predefined to allow all intrazone traffic (within the zone) and deny all interzone traffic (between zones). Although these rules are part of the predefined configuration and are read-only by default, you can Override them and change a limited number of settings, including the tags, action (allow or deny), log settings, and security profiles.
The interface includes the following tabs for defining Security policy rules.
General: Select the General tab to configure a name and description for the Security policy rule.
Source: Select the Source tab to define the source zone or source address from which the traffic originates.
User: Select the User tab to enforce policy for individual users or a group of users. If you are using GlobalProtect with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user access level can be determined by the HIP, which notifies the firewall about the user's local configuration. The HIP information can be used for granular access control based on the security programs that are running on the host, registry values, and many other checks such as whether the host has antivirus software installed.
Destination: Select the Destination tab to define the destination zone or destination address for the traffic.

Application: Select the Application tab to have the policy action occur based on an application or application group. An administrator can also use an existing App-ID signature and customize it to detect proprietary applications or to detect specific attributes of an existing application. Custom applications are defined in Objects > Applications.
Service/URL Category: Select the Service/URL Category tab to specify a specific TCP and/or UDP port number or a URL category as match criteria in the policy.
Action: Select the Action tab to determine the action that will be taken based on traffic that matches the defined policy attributes.

Building Blocks in a Security Policy Rule

The following section describes each component in a security policy rule. When you view the default security rule, or create a new rule, you can configure the options described here.

Building Blocks in a Security Rule [Configured In]: Description

Rule number [N/A]: Each rule is automatically numbered and the order changes as rules are moved. When you filter rules to match specific filter(s), each rule is listed with its number in the context of the complete set of rules in the rulebase and its place in the evaluation order.
In Panorama, pre-rules and post-rules are independently numbered. When rules are pushed from Panorama to a managed firewall, the rule numbering incorporates hierarchy in pre-rules, firewall rules, and post-rules within a rulebase and reflects the rule sequence and its evaluation order.

Name [General]: Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.

Tag [General]: Add and specify the tag for the policy.
A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain rules with specific words like Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.
You can also add tags to the default rules.

Type [General]: Specifies whether the rule applies to traffic within a zone, between zones, or both:
universal (default): Applies the rule to all matching interzone and intrazone traffic in the specified source and destination zones. For example, if you create a universal rule with source zones A and B and destination zones A and B, the rule would apply to all traffic within zone A, all traffic within zone B, and all traffic from zone A to zone B and all traffic from zone B to zone A.
intrazone: Applies the rule to all matching traffic within the specified source zones (you cannot specify a destination zone for intrazone rules). For example, if you set the source zone to A and B, the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic between zones A and B.
interzone: Applies the rule to all matching traffic between the specified source and destination zones. For example, if you set the source zone to A, B, and C and the destination zone to A and B, the rule would apply to traffic from zone A to zone B, from zone B to zone A, from zone C to zone A, and from zone C to zone B, but not traffic within zones A, B, or C.

SourceZone Source ClickAddtochoosesourcezones(defaultisany).Zonesmustbe


ofthesametype(Layer2,Layer3,orvirtualwire).Todefinenew
zones,refertoNetwork>Zones.
Multiplezonescanbeusedtosimplifymanagement.For
example,ifyouhavethreedifferentinternalzones(Marketing,
Sales,andPublicRelations)thatarealldirectedtotheuntrusted
destinationzone,youcancreateonerulethatcoversallcases.

SourceAddress ClickAddtoaddsourceaddresses,addressgroups,orregions
(defaultisany).Selectfromthedropdown,orclickAddress,
Address Group,orRegionsatthebottomofthedropdown,
andspecifythesettings.


Source User (Configured In: User)
  Click Add to choose the source users or groups of users subject to the policy. The following source user
  types are supported:
  - any: Include any traffic regardless of user data.
  - pre-logon: Include remote users that are connected to the network using GlobalProtect, but are not
    logged in to their system. When the Pre-logon option is configured on the Portal for GlobalProtect
    clients, any user who is not currently logged in to their machine will be identified with the username
    pre-logon. You can then create policies for pre-logon users and, although the user is not logged in
    directly, their machines are authenticated on the domain as if they were fully logged in.
  - known-user: Includes all authenticated users, which means any IP with user data mapped. This option is
    equivalent to the domain users group on a domain.
  - unknown: Includes all unauthenticated users, which means IP addresses that are not mapped to a user.
    For example, you could use unknown for guest-level access to something because they will have an IP on
    your network but will not be authenticated to the domain and will not have IP-to-user mapping
    information on the firewall.
  - Select: Includes selected users as determined by the selection in this window. For example, you may
    want to add one user, a list of individuals, some groups, or manually add users.
  Note: If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server
  and not from the User-ID agent, the list of users does not display; you must enter user information
  manually.

Source HIP Profile (Configured In: User)
  Click Add to choose host information profiles (HIP) to identify users. A HIP enables you to collect
  information about the security status of your end hosts, such as whether they have the latest security
  patches and antivirus definitions installed. Using host information profiles for policy enforcement
  enables granular security that ensures that the remote hosts accessing your critical resources are
  adequately maintained and in adherence with your security standards before they are allowed access to
  your network resources. The following source HIP profiles are supported:
  - any: Includes any endpoint, regardless of HIP information.
  - select: Includes selected HIP profiles as determined by the selection in the window. For example, you
    may want to add one HIP profile, a list of HIP profiles, or manually add HIP profiles.
  - no-hip: HIP information is not required. This setting enables access from third-party clients that
    cannot collect or submit HIP information.


Destination Zone (Configured In: Destination)
  Click Add to choose destination zones (default is any). Zones must be of the same type (Layer 2, Layer 3,
  or virtual wire). To define new zones, refer to Network > Zones.
  Multiple zones can be used to simplify management. For example, if you have three different internal
  zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone,
  you can create one rule that covers all cases.
  Note: On intrazone rules, you cannot define a Destination Zone because these types of rules only match
  traffic with a source and a destination within the same zone. To specify the zones that match an
  intrazone rule you only need to set the Source Zone.

Destination Address (Configured In: Destination)
  Click Add to add destination addresses, address groups, or regions (default is any). Select from the
  drop-down, or click Address at the bottom of the drop-down, and specify address settings.

Application (Configured In: Application)
  Select specific applications for the security rule. If an application has multiple functions, you can
  select the overall application or individual functions. If you select the overall application, all
  functions are included and the application definition is automatically updated as future functions are
  added.
  If you are using application groups, filters, or containers in the security rule, you can view details of
  these objects by holding your mouse over the object in the Application column, clicking the drop-down
  arrow, and selecting Value. This allows you to view application members directly from the policy without
  having to navigate to the Objects tab.


Service (Configured In: Service/URL Category)
  Select services to limit to specific TCP and/or UDP port numbers. Choose one of the following from the
  drop-down:
  - any: The selected applications are allowed or denied on any protocol or port.
  - application-default: The selected applications are allowed or denied only on their default ports
    defined by Palo Alto Networks. This option is recommended for allow policies because it prevents
    applications from running on unusual ports and protocols which, if not intentional, can be a sign of
    undesired application behavior and usage.
    Note: When you use this option, the firewall still checks for all applications on all ports but, with
    this configuration, applications are only allowed on their default ports and protocols.
  - Select: Click Add. Choose an existing service or choose Service or Service Group to specify a new entry
    (or select Objects > Services and Objects > Service Groups).

URL Category (Configured In: Service/URL Category)
  Select URL categories for the security rule.
  - Choose any to allow or deny all sessions regardless of the URL category.
  - To specify a category, click Add and select a specific category (including a custom category) from the
    drop-down. You can add multiple categories. Select Objects > External Dynamic Lists to define custom
    categories.


Action (Configured In: Actions)
  To specify the action for traffic that matches the attributes defined in a rule, select from the
  following actions:
  - Allow (default): Allows the traffic.
  - Deny: Blocks traffic, and enforces the default Deny Action defined for the application that is being
    denied. To view the deny action defined by default for an application, view the application details in
    Objects > Applications.
    Because the default deny action varies by application, the firewall could block the session and send a
    reset for one application, while it could drop the session silently for another application.
  - Drop: Silently drops the application. Nothing is sent back to the host or application unless you
    select Send ICMP Unreachable, in which case an ICMP Unreachable message (not a TCP reset) is sent.
  - Reset client: Sends a TCP reset to the client-side device.
  - Reset server: Sends a TCP reset to the server-side device.
  - Reset both: Sends a TCP reset to both the client-side and server-side devices.
  - Send ICMP Unreachable: Only available for Layer 3 interfaces. When you configure a Security policy rule
    to drop traffic or to reset the connection, the traffic does not reach the destination host. In such
    cases, for all UDP traffic and for TCP traffic that is dropped, you can enable the firewall to send an
    ICMP Unreachable response to the source IP address from where the traffic originated. Enabling this
    setting allows the source to gracefully close or clear the session and prevents applications from
    breaking.
    To view the ICMP Unreachable Packet Rate configured on the firewall, view the Session Settings section
    in Device > Setup > Session.
  To override the default action defined on the predefined interzone and intrazone rules, see Overriding
  or Reverting a Security Policy Rule.

Profile Setting (Configured In: Actions)
  To specify the checking done by the default security profiles, select individual Antivirus,
  Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, and/or Data Filtering profiles.
  To specify a profile group rather than individual profiles, select Profile Type Group and then select a
  profile group from the Group Profile drop-down.
  To define new profiles or profile groups, click New next to the appropriate profile or group (refer to
  Objects > Security Profile Groups).
  You can also attach security profiles (or profile groups) to the default rules.


Options (Configured In: Actions)
  The Options tab includes the logging settings and a combination of other options listed below.
  To generate entries in the local traffic log for traffic that matches this rule, select the following
  options:
  - Log At Session Start: Generates a traffic log entry for the start of a session (disabled by default).
  - Log At Session End: Generates a traffic log entry for the end of a session (enabled by default).
  Note: If the session start or end entries are logged, drop and deny entries are also logged.
  - Log Forwarding Profile: To forward the local traffic log and threat log entries to remote
    destinations, such as Panorama and syslog servers, select a log profile from the Log Forwarding
    Profile drop-down.
    Note: The generation of threat log entries is determined by the security profiles. To define new log
    profiles, click New (refer to Objects > Log Forwarding).
  You can also modify the log settings on the default rules. Specify any combination of the following
  options:
  - Schedule: To limit the days and times when the rule is in effect, select a schedule from the
    drop-down. To define new schedules, click New (refer to Objects > Schedules).
  - QoS Marking: To change the Quality of Service (QoS) setting on packets matching the rule, select IP
    DSCP or IP Precedence and enter the QoS value in binary or select a predefined value from the
    drop-down. For more information on QoS, refer to Quality of Service.
  - Disable Server Response Inspection: To disable packet inspection from the server to the client, select
    this option. This option may be useful under heavy server load conditions. Because the server-to-client
    direction is then no longer scanned by the rule's security profiles, enable it only where that
    trade-off is understood.

Description (Configured In: General)
  Enter a description for the policy (up to 255 characters).


Creating and Managing Policies

Select the Policies > Security page to add, modify, and manage security policies. Each task is described
below.

Add
  To add a new policy rule, do one of the following:
  - Click Add at the bottom of the page.
  - Select a rule on which to base the new rule and click Clone Rule, or select a rule by clicking the white
    space of the rule and select Clone Rule at the bottom of the page (a rule that is selected in the web
    interface displays with a yellow background). The copied rule, rule n, is inserted below the selected
    rule, where n is the next available integer that makes the rule name unique. For details on cloning,
    see Move or Clone a Policy Rule.

Modify
  To modify a rule, click the rule.
  If the rule is pushed from Panorama, the rule is read-only on the firewall and cannot be edited locally.
  Override and Revert actions pertain only to the default rules that are displayed at the bottom of the
  Security rulebase. These predefined rules (allow all intrazone traffic and deny all interzone traffic)
  instruct the firewall on how to handle traffic that does not match any other rule in the rulebase.
  Because they are part of the predefined configuration, you must Override them in order to edit select
  policy settings. If you are using Panorama, you can also Override the default rules, and then push them
  to firewalls in a Device Group or Shared context. You can also Revert the default rules, which restores
  the predefined settings or the settings pushed from Panorama. For details, see Overriding or Reverting a
  Security Policy Rule.

Move
  Rules are evaluated top-down, in the order enumerated on the Policies page, and the first matching rule
  is applied. To change the order in which the rules are evaluated against network traffic, select a rule
  and click Move Up, Move Down, Move Top, or Move Bottom. For details, see Move or Clone a Policy Rule.

Delete
  Select a rule and click Delete to remove the existing rule.

Enable/Disable
  To disable a rule, select the rule and click Disable. To enable a rule that is disabled, select the rule
  and click Enable.

View Unused rules
  To identify rules that have not been used since the last time the firewall was restarted, select
  Highlight Unused Rules. You can then decide whether to disable the rule or delete it. Rules not currently
  in use are displayed with a dotted yellow background.
  Note: Each firewall maintains a flag for the rules that have a match. Because the flag is reset when a
  dataplane reset occurs on a reboot or a restart, monitor this list periodically to determine whether the
  rule has had a match since the last check before you delete or disable it.


Show/Hide columns
  To show or hide the columns that display in the Policies pages, select the check box next to the column
  name to toggle the display of each column.

Apply filters
  To apply a filter to the list, select from the Filter Rules drop-down. To add a value to define a filter,
  click the drop-down for the item and choose Filter.
  Note: The default rules are not part of rulebase filtering and always show up in the list of filtered
  rules.
  To view the network sessions that were logged as matches against the policy, click the drop-down for the
  rule name and choose Log Viewer.
  To display the current value of an entry, click the drop-down for the entry and choose Value. You can
  also edit, filter, or remove certain items directly from the column menu. For example, to view addresses
  included in an address group, hold your mouse over the object in the Address column, click the
  drop-down, and select Value. This allows you to quickly view the members and the corresponding IP
  addresses for the address group without having to navigate to the Objects tab.
  To find objects used within a policy based on their name or IP address, use the filter option. After you
  apply the filter, you will see only the items that match the filter. The filter also works with embedded
  objects. For example, when you filter on 10.1.4.8, only the policy that contains that address is
  displayed.

Preview rules (Panorama only)
  Use Preview Rules to view a list of the rules before you push the rules to the managed firewalls. Within
  each rulebase, the hierarchy of rules is visually demarcated for each device group (and managed
  firewall) to make it easier to scan through a large number of rules.
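
The zone semantics of the three rule types (Type, in the building-blocks table above), the top-down
first-match evaluation described under Move, and the two predefined default rules at the bottom of the
rulebase, as an added example. This is illustration code written for this page, not code from the guide or
from PAN-OS; the `SecurityRule` model, the rule names and the zone letters are constructed for the example,
and only zones, enabled state and action are modelled.

```python
"""Model of how a PAN-OS Security rulebase is evaluated: the zone semantics
of the universal, intrazone and interzone rule types, top-down first-match
ordering, and the two predefined default rules at the bottom of the rulebase.

Added illustration, not PAN-OS code. Only zones, enabled/disabled state and
action are modelled; address, user, application and service match conditions
are omitted so the ordering logic stays visible.
"""
from dataclasses import dataclass, field

ANY = "any"


@dataclass
class SecurityRule:
    name: str
    rule_type: str = "universal"          # "universal", "intrazone" or "interzone"
    source_zones: set = field(default_factory=lambda: {ANY})
    dest_zones: set = field(default_factory=lambda: {ANY})   # not used by intrazone rules
    action: str = "allow"                 # "allow", "deny", "drop", "reset-client", ...
    disabled: bool = False

    def matches_zones(self, src: str, dst: str) -> bool:
        """Zone part of the match, following the rule type definitions."""
        src_ok = ANY in self.source_zones or src in self.source_zones
        if self.rule_type == "intrazone":
            # No destination zone can be configured; only traffic that stays
            # inside one of the listed source zones matches.
            return src_ok and src == dst
        dst_ok = ANY in self.dest_zones or dst in self.dest_zones
        if self.rule_type == "interzone":
            # Source and destination must both match and be different zones.
            return src_ok and dst_ok and src != dst
        if self.rule_type == "universal":
            return src_ok and dst_ok
        raise ValueError(f"unknown rule type: {self.rule_type}")


# Predefined rules: allow everything inside a zone, deny everything between zones.
INTRAZONE_DEFAULT = SecurityRule("intrazone-default", "intrazone", action="allow")
INTERZONE_DEFAULT = SecurityRule("interzone-default", "interzone", action="deny")


def evaluate(rulebase: list, src_zone: str, dst_zone: str) -> SecurityRule:
    """Return the first enabled rule, in rulebase order, whose zones match.
    The default rules are always evaluated last, so every zone pair ends in a rule."""
    for rule in list(rulebase) + [INTRAZONE_DEFAULT, INTERZONE_DEFAULT]:
        if not rule.disabled and rule.matches_zones(src_zone, dst_zone):
            return rule
    raise RuntimeError("unreachable: the default rules cover every zone pair")


def rule_type_examples() -> dict:
    """The three worked examples from the Type description, as (src, dst) -> bool."""
    universal = SecurityRule("u", "universal", {"A", "B"}, {"A", "B"})
    intrazone = SecurityRule("i", "intrazone", {"A", "B"})
    interzone = SecurityRule("x", "interzone", {"A", "B", "C"}, {"A", "B"})
    pairs = [("A", "A"), ("B", "B"), ("C", "C"), ("A", "B"), ("B", "A"),
             ("C", "A"), ("C", "B"), ("A", "C")]
    return {
        rule.name: {pair: rule.matches_zones(*pair) for pair in pairs}
        for rule in (universal, intrazone, interzone)
    }


if __name__ == "__main__":
    # Ordering demo: the same two rules, swapped, give opposite results for C -> A.
    block_c = SecurityRule("block-from-c", "universal", {"C"}, action="deny")
    allow_c_a = SecurityRule("allow-c-to-a", "interzone", {"C"}, {"A"}, action="allow")
    print(evaluate([block_c, allow_c_a], "C", "A").name)   # block-from-c
    print(evaluate([allow_c_a, block_c], "C", "A").name)   # allow-c-to-a
    print(evaluate([], "A", "B").name)                     # interzone-default
```

The ordering demo is the point a practitioner checks before committing a rulebase: a broad deny placed above
a narrower allow shadows it, and the only thing that decides the outcome is position. The default rules are
appended last so that a rulebase with no user rules still resolves every zone pair.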


Overriding or Reverting a Security Policy Rule

The default security rules, interzone-default and intrazone-default, have predefined settings that you can
override on a firewall or on Panorama. If a firewall receives the default rules from a device group, you
can also override the device group settings. The firewall or virtual system where you perform the override
stores a local version of the rule in its configuration. The settings you can override are a subset of the
full set (the following table lists the subset for security rules). For details on the default security
rules, see Policies > Security.
To override a rule, select Policies > Security on a firewall or Policies > Security > Default Rules on
Panorama. The Name column displays the inheritance icon for rules you can override. Select the rule, click
Override, and edit the settings in the following table.
To revert an overridden rule to its predefined settings or to the settings pushed from a Panorama device
group, select Policies > Security on a firewall or Policies > Security > Default Rules on Panorama. The
Name column displays the override icon for rules that have overridden values. Select the rule, click
Revert, and click Yes to confirm the operation.

Fields to Override a Default Security Rule

General Tab

Name
  The Name that identifies the rule is read-only; you cannot override it.

Rule Type
  The Rule Type is read-only; you cannot override it.

Description
  The Description is read-only; you cannot override it.

Tag
  Select Tags from the drop-down.
  A policy tag is a keyword or phrase that enables you to sort or filter policies. This is useful when you
  have defined many policies and want to view those that are tagged with a particular keyword. For example,
  you might want to tag certain security policies with Inbound to DMZ, tag specific decryption policies
  with the words Decrypt or No-decrypt, or use the name of a specific data center for policies associated
  with that location.

Actions Tab

Action Setting
  Select the appropriate Action for traffic that matches the rule.
  - Allow (default): Allows the traffic.
  - Deny: Blocks traffic and enforces the default Deny Action that is defined for the application that the
    firewall is denying. To view the deny action that is defined by default for an application, view the
    application details in Objects > Applications.
  - Drop: Silently drops the application. The firewall does not send a TCP reset message to the host or
    application.
  - Reset client: Sends a TCP reset message to the client-side device.
  - Reset server: Sends a TCP reset message to the server-side device.
  - Reset both: Sends a TCP reset message to both the client-side and server-side devices.


Profile Setting
  Profile Type: Assign profiles or profile groups to the security rule:
  - To specify the checking that the default security profiles perform, select Profiles and then select
    one or more of the individual Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering, File
    Blocking, Data Filtering, and WildFire Analysis profiles.
  - To assign a profile group rather than individual profiles, select Group and then select a Group Profile
    from the drop-down.
  To define new profiles (Objects > Security Profiles) or profile groups (Objects > Security Profile
  Groups), click New in the drop-down for the corresponding profile or group.

Log Setting
  Specify any combination of the following options:
  - Log Forwarding: To forward the local traffic log and threat log entries to remote destinations, such
    as Panorama and syslog servers, select a Log Forwarding profile from the drop-down.
    Security profiles determine the generation of Threat log entries. To define a new Log Forwarding
    profile, select Profile in the drop-down (see Objects > Log Forwarding).
  - To generate entries in the local traffic log for traffic that matches this rule, select the following
    options:
    - Log at Session Start: Generates a traffic log entry for the start of a session (cleared by default).
    - Log at Session End: Generates a traffic log entry for the end of a session (cleared by default).
    Both options are cleared on the predefined rules, so traffic that falls through to interzone-default is
    not logged until you override the rule and enable one of them.
    Note: If you configure the firewall to include session start or session end entries in the Traffic
    log, it will also include drop and deny entries.


Policies > NAT

If you define Layer 3 interfaces on the firewall, you can configure a Network Address Translation (NAT)
policy to specify whether source or destination IP addresses and ports are converted between public and
private addresses and ports. For example, private source addresses can be translated to public addresses
on traffic sent from an internal (trusted) zone to a public (untrusted) zone. NAT is also supported on
virtual wire interfaces.
NAT rules are based on source and destination zones, source and destination addresses, and service (such
as HTTP). Like security policies, NAT policy rules are compared against incoming traffic in sequence, and
the first rule that matches the traffic is applied.
As needed, add static routes to the local router so that traffic to all public addresses is routed to the
firewall. You may also need to add static routes to the receiving interface on the firewall to route
traffic back to the private address.
The following tables describe the NAT and NPTv6 (IPv6-to-IPv6 Network Prefix Translation) settings:
- General Tab
- Original Packet Tab
- Translated Packet Tab
- Active/Active HA Binding Tab
Looking for more? See NAT.

General Tab

Policies > NAT > General
Select the General tab to configure a name and description for the NAT or NPTv6 policy. You can configure
a tag to allow you to sort or filter policies when many policies exist. Select the type of NAT policy you
are creating, which affects which fields are available on the Original Packet and Translated Packet tabs.

NAT Rule General Settings

Name
  Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which
  can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on
  Panorama, unique within its device group and any ancestor or descendant device groups.

Description
  Enter a description for the rule (up to 255 characters).

Tag
  If you want to tag the policy, Add and specify the tag.
  A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you
  have defined many policies and want to view those that are tagged with a particular keyword.

NAT Type
  Specify the type of translation:
  - ipv4: translation between IPv4 addresses.
  - nat64: translation between IPv6 and IPv4 addresses.
  - nptv6: translation between IPv6 prefixes.
  You cannot combine IPv4 and IPv6 address ranges in a single NAT rule.

Original Packet Tab

Policies > NAT > Original Packet
Select the Original Packet tab to define the source and destination zones of packets that the firewall
will translate and, optionally, specify the destination interface and type of service. You can configure
multiple source and destination zones of the same type and you can apply the rule to specific networks or
specific IP addresses.

NAT Rule Original Packet Settings

Source Zone / Destination Zone
  Select one or more source and destination zones for the original (non-NAT) packet (default is Any).
  Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to
  Network > Zones.
  You can specify multiple zones to simplify management. For example, you can configure settings so that
  multiple internal NAT addresses are directed to the same external IP address.

Destination Interface
  Specify the destination interface of packets the firewall translates. You can use the destination
  interface to translate IP addresses differently in the case where the network is connected to two ISPs
  with different IP address pools.

Service
  Specify the service for which the firewall translates the source or destination address. To define a new
  service group, select Objects > Service Groups.

Source Address / Destination Address
  Specify a combination of source and destination addresses for the firewall to translate.
  For NPTv6, the prefixes configured for Source Address and Destination Address must be in the format
  xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of
  supported prefix lengths is /32 to /64.


Translated Packet Tab

Policies > NAT > Translated Packet
Select the Translated Packet tab to determine, for Source Address Translation, the type of translation to
perform on the source, and the address and/or port to which the source will be translated.
You can also enable Destination Address Translation for an internal host that needs to be accessed by a
public IP address. In this case, you define the source address and the public destination address in the
Original Packet tab, and in the Translated Packet tab you enable Destination Address Translation and enter
the internal host's private address as the Translated Address. When the public address is accessed, it is
translated to the internal (destination) address of the internal host.

NAT Rule Translated Packet Settings

Source Address Translation
  Select the Translation Type (dynamic or static address pool), and enter an IP address or address range
  (address1-address2) that the source address is translated to (Translated Address). The size of the
  address range is limited by the type of address pool:
  - Dynamic IP And Port: Address selection is based on a hash of the source IP address. For a given source
    IP address, the firewall uses the same translated source address for all sessions. Dynamic IP and Port
    source NAT supports approximately 64,000 concurrent sessions on each IP address in the NAT pool. On
    some models, oversubscription is supported, which allows a single IP to host more than 64,000
    concurrent sessions.
    Palo Alto Networks Dynamic IP/port NAT supports more NAT sessions than are supported by the number of
    available IP addresses and ports. The firewall can use IP address and port combinations up to two
    times (simultaneously) on the PA-200, PA-500, and PA-3000 Series firewalls, four times on the PA-5020
    firewall, and eight times on the PA-5050 and PA-5060 firewalls when destination IP addresses are
    unique.
  - Dynamic IP: The next available address in the specified range is used, but the port number is
    unchanged. Up to 32,000 consecutive IP addresses are supported. A dynamic IP pool can contain multiple
    subnets, so you can translate your internal network addresses to two or more separate public subnets.
    - Advanced (Dynamic IP/Port Fallback): Use this option to create a fallback pool that will perform IP
      and port translation and will be used if the primary pool runs out of addresses. You can define
      addresses for the pool by using the Translated Address option or the Interface Address option, which
      is for interfaces that receive an IP address dynamically. When creating a fallback pool, make sure
      addresses do not overlap with addresses in the primary pool.
  - Static IP: The same address is always used for the translation and the port is unchanged. For example,
    if the source range is 192.168.0.1-192.168.0.10 and the translation range is 10.0.0.1-10.0.0.10,
    address 192.168.0.2 is always translated to 10.0.0.2. The address range is virtually unlimited.
    NPTv6 must use Static IP translation for Source Address Translation. For NPTv6, the prefixes
    configured for Translated Address must be in the format xxxx:xxxx::/yy. The address cannot have an
    interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.
  - None: Translation is not performed.


Bidirectional
  (Optional) Enable bidirectional translation if you want the firewall to create a corresponding
  translation (NAT or NPTv6) in the opposite direction of the translation you configure.
  Note: If you enable bidirectional translation, you must ensure that you have security policies in place
  to control the traffic in both directions. Without such policies, the bidirectional feature allows
  packets to be translated automatically in both directions.

Destination Address Translation
  Enter an IP address or range of IP addresses and a translated port number (1-65535) to which the
  destination address and port number are translated. If the Translated Port field is blank, the
  destination port is not changed. Destination translation is typically used to allow an internal server,
  such as an email server, to be accessed from the public network.
  For NPTv6, the prefixes configured for the destination-prefix Translated Address must be in the format
  xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of
  supported prefix lengths is /32 to /64.
  Note: Translated Port is not supported for NPTv6 because NPTv6 is strictly prefix translation. The port
  and the host portion of the address are simply forwarded unchanged.
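
The address arithmetic behind two of the settings above, as an added example: Static IP translation over an
address range (the 192.168.0.1-192.168.0.10 to 10.0.0.1-10.0.0.10 case in Source Address Translation) and the
NPTv6 prefix constraints repeated for Source, Destination and Translated Address (xxxx:xxxx::/yy, no host
portion, length /32 to /64, port and host bits forwarded unchanged). This is illustration code written for
this page, not code from the guide or from PAN-OS. The function names, the range-size check for Static IP
and the bit-level NPTv6 rewrite are this example's own; the NPTv6 specification (RFC 6296) additionally
adjusts one 16-bit word of the host part to keep transport checksums neutral, which is omitted here. The
sample addresses and prefixes are constructed.

```python
"""Address arithmetic and checks behind the NAT Translated Packet tab:
Static IP translation over an address range, and the NPTv6 prefix rules
(no host bits, length /32 to /64, port and host bits carried unchanged).

Added illustration, not PAN-OS code. The range-size check and the bit-level
NPTv6 rewrite are this example's own simplifications (RFC 6296's
checksum-neutral adjustment of the host part is omitted).
"""
import ipaddress


def parse_range(text: str):
    """Accept 'addr', 'addr1-addr2' or CIDR and return (first, last) addresses."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
    elif "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        lo, hi = net[0], net[-1]
    else:
        lo = hi = ipaddress.ip_address(text)
    if hi < lo:
        raise ValueError(f"range end precedes range start: {text}")
    return lo, hi


def static_ip_translate(address: str, original: str, translated: str):
    """Static IP: the n-th address of the original range always maps to the
    n-th address of the translated range; the port is left unchanged.
    Returns None when the address is outside the original range."""
    o_lo, o_hi = parse_range(original)
    t_lo, t_hi = parse_range(translated)
    if int(o_hi) - int(o_lo) != int(t_hi) - int(t_lo):
        raise ValueError("original and translated ranges must be the same size for a 1:1 mapping")
    addr = ipaddress.ip_address(address)
    if not o_lo <= addr <= o_hi:
        return None
    return t_lo + (int(addr) - int(o_lo))


def validate_nptv6_prefix(text: str) -> ipaddress.IPv6Network:
    """Enforce the NPTv6 constraints stated for Source, Destination and
    Translated Address: an IPv6 prefix in the form xxxx:xxxx::/yy with no
    interface-identifier (host) bits set and a length between /32 and /64."""
    try:
        net = ipaddress.ip_network(text, strict=True)   # strict: host bits must be zero
    except ValueError as exc:
        raise ValueError(f"{text}: {exc}") from None
    if net.version != 6:
        raise ValueError(f"{text}: NPTv6 requires an IPv6 prefix")
    if not 32 <= net.prefixlen <= 64:
        raise ValueError(f"{text}: prefix length must be between /32 and /64")
    return net


def nptv6_rewrite(address: str, original: str, translated: str):
    """Replace the original prefix with the translated one; the host portion
    (and, being a higher layer, the port) is forwarded unchanged."""
    orig_net = validate_nptv6_prefix(original)
    new_net = validate_nptv6_prefix(translated)
    if orig_net.prefixlen != new_net.prefixlen:
        raise ValueError("original and translated prefixes must have the same length")
    addr = ipaddress.IPv6Address(address)
    if addr not in orig_net:
        return None
    host_mask = (1 << (128 - orig_net.prefixlen)) - 1
    return ipaddress.IPv6Address(int(new_net.network_address) | (int(addr) & host_mask))


if __name__ == "__main__":
    # Constructed inputs: the Static IP example from the guide and an NPTv6 prefix swap.
    print(static_ip_translate("192.168.0.2", "192.168.0.1-192.168.0.10", "10.0.0.1-10.0.0.10"))  # 10.0.0.2
    print(nptv6_rewrite("fd00:1234:0:5::10", "fd00:1234::/32", "2001:db8::/32"))  # 2001:db8:0:5::10
    for bad in ("fd00:1234::1/48", "fd00::/16", "fd00:1234::/96"):
        try:
            validate_nptv6_prefix(bad)
        except ValueError as err:
            print("rejected:", err)
```

The three rejected prefixes in the demo are the three ways the NPTv6 fields can be mis-entered: host bits set
(fd00:1234::1/48), too short (/16) and too long (/96). `ip_network(..., strict=True)` is what catches the
first case; the web interface performs the equivalent check when you commit.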

Active/Active HA Binding Tab

Policies > NAT > Active/Active HA Binding
The Active/Active HA Binding tab is available only if the firewall is in a high availability (HA)
active/active configuration. In this configuration, you must bind each source NAT rule (whether static or
dynamic NAT) to Device ID 0 or Device ID 1; you must bind each destination NAT rule to either Device ID 0,
Device ID 1, both (Device ID 0 and Device ID 1), or to the active-primary firewall.
Select an Active/Active HA Binding setting to bind the NAT rule to an HA firewall as follows:
- 0: Binds the NAT rule to the firewall that has HA Device ID 0.
- 1: Binds the NAT rule to the firewall that has HA Device ID 1.
- both: Binds the NAT rule to both the firewall that has HA Device ID 0 and the firewall that has HA
  Device ID 1. This setting does not support Dynamic IP or Dynamic IP and Port NAT.
- primary: Binds the NAT rule to the firewall that is in HA active-primary state. This setting does not
  support Dynamic IP or Dynamic IP and Port NAT.
You typically configure device-specific NAT rules when the two HA peers have unique NAT IP address pools.
When the firewall creates a new session, the HA binding determines which NAT rules the session can match.
The binding must include the session owner for the rule to match. The session setup firewall performs the
NAT rule matching, but the session is compared only to NAT rules that are bound to the session owner and
is translated according to one of those rules. For device-specific rules, the firewall skips all NAT
rules that are not bound to the session owner. For example, suppose the firewall with Device ID 1 is the
session owner and the session setup firewall. When Device ID 1 attempts to match a session to a NAT rule,
it ignores all rules bound to Device ID 0.
If one peer fails, the second peer continues to process traffic for the synchronized sessions from the
failed peer, including NAT translations. Palo Alto Networks recommends that you create a duplicate NAT
rule that is bound to the second Device ID. There are then two NAT rules with the same source translation
addresses and the same destination translation addresses, one rule bound to each Device ID. This
configuration allows the HA peer to perform new session setup tasks and perform NAT rule matching for NAT
rules that are bound to its Device ID. Without a duplicate NAT rule, the functioning peer will try to
perform the NAT policy match, but the session won't match the firewall's own device-specific rules and the
firewall skips all other NAT rules that are not bound to its Device ID.
Looking for more? See NAT in Active/Active HA Mode.
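
The binding check described above, and the failover gap it creates when a device-specific rule has no
duplicate bound to the other Device ID, as an added example. This is illustration code written for this
page, not code from the guide or from PAN-OS; the `NatRule` model, the rule names and the constructed
rulebase are this example's own, and zone, address and service matching is left out so that only the
binding rule and the first-match walk remain.

```python
"""Which NAT rules a session can match in an active/active HA pair, given each
rule's HA binding and the session owner, and why a device-specific rule needs
a duplicate bound to the other Device ID.

Added illustration, not PAN-OS code. Zone, address and service matching is
left out; only the binding check and the first-match walk are modelled.
"""
from dataclasses import dataclass

DYNAMIC_TYPES = ("dynamic-ip", "dynamic-ip-and-port")


@dataclass(frozen=True)
class NatRule:
    name: str
    ha_binding: str        # "0", "1", "both" or "primary"
    translation: str       # "static-ip", "dynamic-ip", "dynamic-ip-and-port" or "none"


def binding_includes(rule: NatRule, owner_id: int, active_primary_id: int) -> bool:
    """True if the session owner is inside the rule's HA binding.
    'both' and 'primary' are rejected for Dynamic IP / Dynamic IP and Port,
    as the guide states those combinations are unsupported."""
    if rule.ha_binding in ("both", "primary") and rule.translation in DYNAMIC_TYPES:
        raise ValueError(f"{rule.name}: {rule.ha_binding} binding does not support {rule.translation}")
    if rule.ha_binding == "both":
        return True
    if rule.ha_binding == "primary":
        return owner_id == active_primary_id
    if rule.ha_binding in ("0", "1"):
        return int(rule.ha_binding) == owner_id
    raise ValueError(f"{rule.name}: unknown HA binding {rule.ha_binding!r}")


def candidate_nat_rules(rules, owner_id: int, active_primary_id: int) -> list:
    """NAT rules the session owner evaluates, in rulebase order; rules bound
    only to the other peer are skipped, as the guide describes."""
    return [r for r in rules if binding_includes(r, owner_id, active_primary_id)]


def first_match(rules, owner_id: int, active_primary_id: int):
    """First rule the owner could apply, or None when every rule is bound elsewhere."""
    candidates = candidate_nat_rules(rules, owner_id, active_primary_id)
    return candidates[0] if candidates else None


if __name__ == "__main__":
    # Constructed rulebase: one DIPP source NAT rule per peer (the recommended
    # duplicate) plus a destination NAT rule bound to both peers.
    rulebase = [
        NatRule("src-nat-pool-dev0", "0", "dynamic-ip-and-port"),
        NatRule("src-nat-pool-dev1", "1", "dynamic-ip-and-port"),
        NatRule("dst-nat-mail", "both", "static-ip"),
    ]
    # Device ID 1 owns the session: the Device ID 0 rule is ignored.
    print([r.name for r in candidate_nat_rules(rulebase, owner_id=1, active_primary_id=0)])
    # Without the duplicate, the surviving peer finds no source NAT rule at all.
    print(first_match(rulebase[:1], owner_id=1, active_primary_id=0))   # None
```

The second print is the failure mode to test for before relying on an active/active pair: a rulebase in
which every source NAT rule is bound to Device ID 0 leaves Device ID 1 with nothing to match once it becomes
the session owner, so new sessions set up on that peer are not translated.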


Policies > QoS

Add QoS policy rules to define the traffic that receives specific QoS treatment and assign a QoS class for
each QoS policy rule to specify that the assigned class of service applies to all traffic matched to the
associated rule as it exits a QoS-enabled interface.
QoS policy rules pushed to a firewall from Panorama are shown in orange and cannot be edited at the
firewall level.
Additionally, to fully enable the firewall to provide QoS:
- Set bandwidth limits for each QoS class of service (select Network > Network Profiles > QoS to add or
  modify a QoS profile).
- Enable QoS on an interface (select Network > QoS).
Refer to Quality of Service for complete QoS workflows, concepts, and use cases.
Add a new rule or clone an existing rule and then define the following fields.

QoS Policy Rule Settings

General Tab

Name
  Enter a name to identify the rule (up to 31 characters). The name is case-sensitive and must be unique.
  Use only letters, numbers, spaces, hyphens, and underscores.

Description
  Enter an optional description.

Tag
  If you need to tag the policy, Add and specify the tag.
  A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you
  have defined many policies and want to view those that are tagged with a particular keyword. For example,
  you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words
  Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that
  location.

Source Tab

Source Zone
  Select one or more source zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or
  virtual wire).


Source Address
  Specify a combination of source IPv4 or IPv6 addresses to which the QoS rule applies. To select specific
  addresses, choose select from the drop-down and do any of the following:
  - Select the check box next to the appropriate addresses and/or address groups in the Available column,
    and click Add to add your selections to the Selected column.
  - Enter the first few characters of a name in the search field to list all addresses and address groups
    that start with those characters. Selecting an item in the list selects its check box in the Available
    column. Repeat this process as often as needed, and then click Add.
  - Enter one or more IP addresses (one per line), with or without a network mask. The general format is:
    <ip_address>/<mask>
  To remove addresses, select them (Selected column) and click Delete, or select any to clear all
  addresses and address groups.
  To add new addresses that can be used in this or other policies, click New Address. To define new
  address groups, select Objects > Address Groups.

Source User
  Specify the source users and groups to which the QoS policy will apply.

Negate
  Select this option to have the policy apply if the specified information on this tab does NOT match.

Destination Tab

Destination Zone
  Select one or more destination zones (default is any). Zones must be of the same type (Layer 2, Layer 3,
  or virtual wire).

Destination Address
  Specify a combination of destination IPv4 or IPv6 addresses to which the QoS rule applies. To select
  specific addresses, choose select from the drop-down and do any of the following:
  - Select the check box next to the appropriate addresses and/or address groups in the Available column,
    and Add your selections to the Selected column.
  - Enter the first few characters of a name in the search field to list all addresses and address groups
    that start with those characters. Selecting an item in the list selects its check box in the Available
    column. Repeat this process as often as needed, and then click Add.
  - Enter one or more IP addresses (one per line), with or without a network mask. The general format is:
    <ip_address>/<mask>
  To remove addresses, select them (Selected column) and click Delete, or select any to clear all
  addresses and address groups.
  To add new addresses that can be used in this or other policies, click New Address.

Negate
  Select this option to have the policy apply if the specified information on this tab does not match.


Application Tab

Application: Select specific applications for the QoS rule. To define new applications or application groups, select Objects > Applications.
If an application has multiple functions, you can select the overall application or individual functions. If you select the overall application, all functions are included, and the application definition is automatically updated as future functions are added.
If you are using application groups, filters, or containers in the QoS rule, you can view details on these objects by holding your mouse over the object in the Application column, clicking the down arrow, and selecting Value. This enables you to easily view application members directly from the policy without having to go to the Objects tab.

Service/URL Category Tab

Service: Select services to limit the rule to specific TCP and/or UDP port numbers. Choose one of the following from the drop-down:
- any: The selected applications are allowed or denied on any protocol or port.
- application-default: The selected applications are allowed or denied only on their default ports defined by Palo Alto Networks. This option is recommended for allow policies.
- Select: Click Add. Choose an existing service or choose Service or Service Group to specify a new entry.

URL Category: Select URL categories for the QoS rule.
- Select Any to ensure that a session can match this QoS rule regardless of the URL category.
- To specify a category, click Add and select a specific category (including a custom category) from the drop-down. You can add multiple categories. Refer to Objects > External Dynamic Lists for information on defining custom categories.

DSCP/TOS Tab

Any: Select Any (default) to allow the policy to match traffic regardless of the Differentiated Services Code Point (DSCP) value or the IP Precedence/Type of Service (ToS) defined for the traffic.

Codepoints: Select Codepoints to enable traffic to receive QoS treatment based on the DSCP or ToS value defined in a packet's IP header. The DSCP and ToS values are used to indicate the level of service requested for traffic, such as high priority or best effort delivery. Using codepoints as matching criteria in a QoS policy allows a session to receive QoS treatment based on the codepoint detected at the beginning of the session.
Continue to Add codepoints to match traffic to the QoS policy:
- Give codepoint entries a descriptive Name.
- Select the Type of codepoint you want to use as matching criteria for the QoS policy and then select a specific Codepoint value. You can also create a Custom Codepoint by entering a Codepoint Name and Binary Value.
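As an added example (not code from this guide or from PAN-OS), the following Python models how Codepoints entries are matched against the DSCP and IP Precedence bits of a packet's ToS byte, and why only the codepoint of the first packet in a session decides the QoS class. The rule names, class numbers and ToS values are constructed for illustration.

```python
"""Added example (not code from the PAN-OS guide): matching QoS rule
codepoint entries against a packet's DSCP / IP Precedence bits, and
assigning a QoS class from the first packet of a session."""
from dataclasses import dataclass
from typing import List, Optional

# Standard DSCP codepoints (RFC 2474, RFC 2597, RFC 3246) as 6-bit values.
DSCP_CODEPOINTS = {
    "ef": 0b101110,                                   # Expedited Forwarding
    "af11": 0b001010, "af21": 0b010010, "af31": 0b011010, "af41": 0b100010,
    "cs0": 0b000000, "cs1": 0b001000, "cs5": 0b101000, "cs6": 0b110000,
}


def dscp_of(tos_byte: int) -> int:
    """DSCP is the upper 6 bits of the IPv4 ToS / IPv6 Traffic Class byte."""
    return (tos_byte >> 2) & 0x3F


def ip_precedence_of(tos_byte: int) -> int:
    """Legacy IP Precedence (ToS) is the upper 3 bits of the same byte."""
    return (tos_byte >> 5) & 0x07


@dataclass
class Codepoint:
    """One Codepoints entry: a descriptive Name plus a Type and value.
    kind is 'dscp' (6-bit), 'tos' (3-bit IP Precedence) or 'custom' (6-bit)."""
    name: str
    kind: str
    value: int


def standard_codepoint(name: str, dscp_name: str) -> Codepoint:
    return Codepoint(name, "dscp", DSCP_CODEPOINTS[dscp_name])


def precedence_codepoint(name: str, precedence: int) -> Codepoint:
    if not 0 <= precedence <= 7:
        raise ValueError("IP Precedence is a 3-bit value (0-7)")
    return Codepoint(name, "tos", precedence)


def custom_codepoint(name: str, binary_value: str) -> Codepoint:
    """Custom Codepoint: Binary Value is the 6 DSCP bits, e.g. '100010'."""
    if len(binary_value) != 6 or set(binary_value) - {"0", "1"}:
        raise ValueError("Binary Value must be exactly 6 binary digits")
    return Codepoint(name, "custom", int(binary_value, 2))


def codepoint_matches(cp: Codepoint, tos_byte: int) -> bool:
    if cp.kind in ("dscp", "custom"):
        return dscp_of(tos_byte) == cp.value
    if cp.kind == "tos":
        return ip_precedence_of(tos_byte) == cp.value
    raise ValueError(f"unknown codepoint type {cp.kind!r}")


@dataclass
class QoSRule:
    name: str
    codepoints: List[Codepoint]   # empty list stands for the Any setting
    qos_class: int                # class defined in the QoS profile


def first_matching_rule(rules: List[QoSRule], tos_byte: int) -> Optional[QoSRule]:
    """Rules are evaluated top-down; the first match wins."""
    for rule in rules:
        if not rule.codepoints or any(codepoint_matches(cp, tos_byte)
                                      for cp in rule.codepoints):
            return rule
    return None


def classify_session(rules: List[QoSRule], tos_bytes: List[int]) -> Optional[int]:
    """QoS class for a session given the ToS bytes of its packets in order.
    Only the codepoint detected at the beginning of the session (first packet)
    is consulted; a later packet with a different marking cannot change it."""
    rule = first_matching_rule(rules, tos_bytes[0])
    return rule.qos_class if rule else None


# Constructed rulebase for the example (hypothetical names and classes).
RULES = [
    QoSRule("voice", [standard_codepoint("voice-ef", "ef")], 1),
    QoSRule("video", [custom_codepoint("video-custom", "100010")], 2),
    QoSRule("precedence-1", [precedence_codepoint("bulk", 1)], 3),
    QoSRule("everything-else", [], 4),
]
```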


Other Settings Tab

Class: Choose the QoS class to assign to the rule, and click OK. Class characteristics are defined in the QoS profile. Refer to Network > Network Profiles > QoS for information on configuring settings for QoS classes.

Schedule: Select None for the policy rule to remain active at all times. From the drop-down, select Schedule (calendar icon) to set a single time range or a recurring time range during which the rule is active.


Policies > Policy Based Forwarding

Normally, when traffic enters the firewall, the ingress interface's virtual router dictates the route that determines the outgoing interface and destination security zone based on the destination IP address. By creating a policy-based forwarding (PBF) rule, you can specify other information to determine the outgoing interface, including source zone, source address, source user, destination address, destination application, and destination service. The initial session on a given destination IP address and port that is associated with an application will not match an application-specific rule (the application is not yet identified when the session begins) and will be forwarded according to subsequent PBF rules (that do not specify an application) or the virtual router's forwarding table. All subsequent sessions on that destination IP address and port for the same application will match an application-specific rule. To ensure forwarding through PBF rules, application-specific rules are not recommended.
When necessary, PBF rules can be used to force traffic through an additional virtual system using the Forward to VSYS forwarding action. In this case, it is necessary to define an additional PBF rule that will forward the packet from the destination virtual system out through a particular egress interface on the firewall.
The following tables describe the policy-based forwarding settings:
- General Tab
- Source Tab
- Destination/Application/Service Tab
- Forwarding Tab
Looking for more? Refer to Policy Based Forwarding.

General Tab

Select the General tab to configure a name and description for the PBF policy. A tag can also be configured to allow you to sort or filter policies when a large number of policies exist.

Name: Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.

Description: Enter a description for the policy (up to 255 characters).

Tag: If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.


Source Tab

Select the Source tab to define the source zone or source address of the incoming traffic to which the forwarding policy will be applied.

Source Zone: To choose source zones (default is any), click Add and select from the drop-down. To define new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.
Only Layer 3 type zones are supported for policy-based forwarding.

Source Address: Click Add to add source addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.

Source User: Click Add to choose the source users or groups of users subject to the policy. The following source user types are supported:
- any: Include any traffic regardless of user data.
- pre-logon: Include remote users that are connected to the network using GlobalProtect, but are not logged into their system. When the Pre-logon option is configured on the Portal for GlobalProtect clients, any user who is not currently logged into their machine will be identified with the username pre-logon. You can then create policies for pre-logon users and, although the user is not logged in directly, their machines are authenticated on the domain as if they were fully logged in.
- known-user: Includes all authenticated users, which means any IP with user data mapped. This option is equivalent to the domain users group on a domain.
- unknown: Includes all unauthenticated users, which means IP addresses that are not mapped to a user. For example, you could use unknown for guest-level access to something because they will have an IP on your network, but will not be authenticated to the domain and will not have IP address-to-user mapping information on the firewall.
- Select: Includes selected users as determined by the selection in this window. For example, you may want to add one user, a list of individuals, some groups, or manually add users.
If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server and not from the User-ID agent, the list of users does not display; you must enter user information manually.


Destination/Application/Service Tab

Select the Destination/Application/Service tab to define the destination settings that will be applied to traffic that matches the forwarding rule.

Destination Address: Click Add to add destination addresses, address groups, or regions (default is any). By default, the rule applies to Any IP address. Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.

Application/Service: Select specific applications or services for the PBF rule. To define new applications, refer to Defining Applications. To define application groups, refer to Objects > Application Groups.
Application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application.
If you are using application groups, filters, or containers in the PBF rule, you can view details on these objects by holding your mouse over the object in the Application column, clicking the down arrow, and selecting Value. This enables you to easily view application members directly from the policy without having to go to the Objects tabs.

Forwarding Tab

Select the Forwarding tab to define the action and network information that will be applied to traffic that matches the forwarding policy. Traffic can be forwarded to a next-hop IP address or to a virtual system, or the traffic can be dropped.

Action: Select one of the following options:
- Forward: Specify the next-hop IP address and egress interface (the interface that the packet takes to get to the specified next hop).
- Forward To VSYS: Choose the virtual system to forward to from the drop-down.
- Discard: Drop the packet.
- No PBF: Do not alter the path that the packet will take. This option excludes the packets that match the criteria for source/destination/application/service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.

Egress Interface: Directs the packet to a specific Egress Interface.

Next Hop: If you direct the packet to a specific interface, specify the Next Hop IP address for the packet.

Monitor: Enable Monitoring to verify connectivity to a target IP Address or to the Next Hop IP address. Select Monitor and attach a monitoring Profile (default or custom) that specifies the action when the IP address is unreachable.


Enforce Symmetric Return: (Required for asymmetric routing environments) Select Enforce Symmetric Return and enter one or more IP addresses in the Next Hop Address List. Enabling symmetric return ensures that return traffic (say, from the Trust zone on the LAN to the Internet) is forwarded out through the same interface through which traffic ingresses from the Internet.

Schedule: To limit the days and times when the rule is in effect, select a schedule from the drop-down. To define new schedules, refer to Settings to Control Decrypted SSL Traffic.


Policies > Decryption

You can configure the firewall to decrypt traffic for visibility, control, and granular security. Decryption policies can apply to Secure Sockets Layer (SSL) traffic, including SSL-encapsulated protocols such as IMAP(S), POP3(S), SMTP(S), and FTP(S), and to Secure Shell (SSH) traffic. SSH decryption can be used to decrypt outbound and inbound SSH traffic to assure that secure protocols are not being used to tunnel disallowed applications and content.
Add a decryption policy rule to define traffic that you want to decrypt (for example, you can decrypt traffic based on URL categorization). Decryption policy rules are compared against the traffic in sequence, so more specific rules must precede the more general ones.
SSL forward proxy decryption requires the configuration of a trusted certificate that will be presented to the user if the server to which the user is connecting possesses a certificate signed by a CA trusted by the firewall. Create a certificate on the Device > Certificate Management > Certificates page and then click the name of the certificate and select Forward Trust Certificate.

Certain applications will not function if they are decrypted by the firewall. To prevent this from occurring, PAN-OS will not decrypt the SSL traffic for these applications and the decryption rule settings will not apply. Refer to the List of Applications Excluded from SSL Decryption.

The following tables describe the decryption policy settings:
- General Tab
- Source Tab
- Destination Tab
- Service/URL Category Tab
- Options Tab
Looking for more? See Decryption.

General Tab

Select the General tab to configure a name and description for the decryption policy. A tag can also be configured to allow you to sort or filter policies when a large number of policies exist.

Name: Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.

Description: Enter a description for the rule (up to 255 characters).


Tag: If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.

Source Tab

Select the Source tab to define the source zone or source address of the incoming traffic to which the decryption policy will be applied.

Source Zone: Click Add to choose source zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.

Source Address: Click Add to add source addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings. Select Negate to choose any address except the configured ones.


Source User: Click Add to choose the source users or groups of users subject to the policy. The following source user types are supported:
- any: Include any traffic regardless of user data.
- pre-logon: Include remote users that are connected to the network using GlobalProtect, but are not logged into their system. When the Pre-logon option is configured on the Portal for GlobalProtect clients, any user who is not currently logged into their machine will be identified with the username pre-logon. You can then create policies for pre-logon users and, although the user is not logged in directly, their machines are authenticated on the domain as if they were fully logged in.
- known-user: Includes all authenticated users, which means any IP with user data mapped. This option is equivalent to the domain users group on a domain.
- unknown: Includes all unauthenticated users, which means IP addresses that are not mapped to a user. For example, you could use unknown for guest-level access to something because they will have an IP on your network, but will not be authenticated to the domain and will not have IP-to-user mapping information on the firewall.
- Select: Includes selected users as determined by the selection in this window. For example, you may want to add one user, a list of individuals, some groups, or manually add users.
If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server and not from the User-ID agent, the list of users does not display; you must enter user information manually.

Destination Tab

Select the Destination tab to define the destination zone or destination address of the traffic to which the policy will be applied.

Destination Zone: Click Add to choose destination zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.

Destination Address: Click Add to add destination addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings. Select Negate to choose any address except the configured ones.


Service/URL Category Tab

Select the Service/URL Category tab to apply the decryption policy to traffic based on TCP port number or to any URL category (or a list of categories).

Service: Apply the decryption policy to traffic based on specific TCP port numbers. Choose one of the following from the drop-down:
- any: The selected applications are allowed or denied on any protocol or port.
- application-default: The selected applications are decrypted (or are exempt from decryption) only on the default ports defined for the applications by Palo Alto Networks.
- Select: Click Add. Choose an existing service or specify a new Service or Service Group (or select Objects > Services and Objects > Service Groups).

URL Category: Select URL categories for the decryption rule.
- Choose any to match any sessions regardless of the URL category.
- To specify a category, click Add and select a specific category (including a custom category) from the drop-down. You can add multiple categories. Refer to the section on defining custom categories for information on defining them.

Options Tab

Select the Options tab to determine whether the matched traffic should be decrypted or not. If Decrypt is set, specify the decryption type. You can also add additional decryption features by configuring or selecting a decryption profile.

Action: Select decrypt or no-decrypt for the traffic.

Type: Select the type of traffic to decrypt from the drop-down:
- SSL Forward Proxy: Specifies that the policy will decrypt client traffic destined for an external server.
- SSH Proxy: Specifies that the policy will decrypt SSH traffic. This option allows you to control SSH tunneling in policies by specifying the ssh-tunnel App-ID.
- SSL Inbound Inspection: Specifies that the policy will decrypt SSL inbound inspection traffic.

Decryption Profile: Attach a decryption profile to the policy rule in order to block and control certain aspects of the traffic. For details on creating a decryption profile, select Objects > Decryption Profile.


Policies > Tunnel Inspection

You can configure the firewall to inspect the traffic content of the following cleartext tunnel protocols:
- Generic Routing Encapsulation (GRE)
- Non-encrypted IPSec traffic (NULL Encryption Algorithm for IPSec and transport mode AH IPSec)
- General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U); supported only on PA-5200 Series and VM-Series firewalls.
You can use tunnel content inspection to enforce Security, DoS Protection, and QoS policies on traffic in these types of tunnels and on traffic nested within another cleartext tunnel (for example, Null Encrypted IPSec inside a GRE tunnel).
Create a Tunnel Inspection policy that, when matching an incoming packet, determines which tunnel protocols in the packet the firewall will inspect and that specifies the conditions under which the firewall drops or continues to process the packet. You can view tunnel inspection logs and tunnel activity in the ACC to verify that tunneled traffic complies with your corporate security and usage policies.
The firewall supports tunnel content inspection on Ethernet interfaces and subinterfaces, AE interfaces, VLAN interfaces, and VPN and LSVPN tunnels. The feature is supported in Layer 3, Layer 2, virtual wire, and tap deployments. Tunnel content inspection works on shared gateways and on virtual-system-to-virtual-system communications.

What do you want to know? See:
- What are the fields available to create a Tunnel Inspection policy? See Building Blocks in a Tunnel Inspection Policy.
- How can I view tunnel inspection logs? See Log Types and Severity Levels.
- Looking for more? See Tunnel Content Inspection.

Building Blocks in a Tunnel Inspection Policy

The following table describes the fields you configure for a Tunnel Inspection policy; the tab in which each field is configured is given in parentheses.

Name (General): Enter a name for the Tunnel Inspection policy beginning with an alphanumeric character and containing zero or more alphanumeric, underscore (_), hyphen (-), dot (.), and space characters.

Description (General): (Optional) Enter a description for the Tunnel Inspection policy.

Tags (General): (Optional) Enter one or more tags for reporting and logging purposes that identify the packets that are subject to the Tunnel Inspection policy.


Source Zone (Source): Add one or more source zones of packets to which the Tunnel Inspection policy applies (default is Any).

Source Address (Source): (Optional) Add source IPv4 or IPv6 addresses, address groups, or Geo Region address objects of packets to which the Tunnel Inspection policy applies (default is Any).

Source User (Source): (Optional) Add source users of packets to which the Tunnel Inspection policy applies (default is any).

Negate (Source): (Optional) Select Negate to choose any addresses except the specified ones.

Destination Zone (Destination): Add one or more destination zones of packets to which the Tunnel Inspection policy applies (default is Any).

Destination Address (Destination): (Optional) Add destination IPv4 or IPv6 addresses, address groups, or Geo Region address objects of packets to which the Tunnel Inspection policy applies (default is Any).

Negate (Destination): (Optional) Select Negate to choose any addresses except the specified ones.

Tunnel Protocol (Inspection): Add one or more tunnel Protocols that you want the firewall to inspect:
- GRE: Firewall inspects packets that use Generic Route Encapsulation in the tunnel.
- GTP-U: Firewall inspects packets that use General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U) in the tunnel (supported only on PA-5200 Series and VM-Series firewalls).
- Non-encrypted IPSec: Firewall inspects packets that use non-encrypted IPSec (Null Encrypted IPSec or transport mode AH IPSec) in the tunnel.
To remove a protocol from your list, select and Delete it.

Maximum Tunnel Inspection Levels (Inspection > Inspect Options): Select the maximum level of tunnels the firewall will inspect: One Level (default) or Two Levels (Tunnel In Tunnel).

Drop packet if over maximum tunnel inspection level (Inspection > Inspect Options): (Optional) Drop packets that contain more levels of encapsulation than configured for Maximum Tunnel Inspection Levels.

Drop packet if tunnel protocol fails strict header check (Inspection > Inspect Options): (Optional) Drop packets that contain a tunnel protocol that uses a header that is non-compliant with the RFC for that protocol. Non-compliant headers can indicate suspicious packets. This option causes the firewall to verify GRE headers against RFC 2890.
Don't enable this option if your firewall is tunneling GRE with a device that implements a version of GRE older than RFC 2890.

Drop packet if unknown protocol inside tunnel (Inspection > Inspect Options): (Optional) Drop packets that contain a protocol inside the tunnel that the firewall cannot identify.


Enable Security Options (Inspection > Security Options): (Optional) Enable Security Options to assign security zones for separate Security policy treatment of tunnel content. The inner content source will belong to the Tunnel Source Zone you specify and the inner content destination will belong to the Tunnel Destination Zone you specify.
If you do not Enable Security Options, the inner content source belongs to the same source zone as the outer tunnel source, and the inner content destination belongs to the same destination zone as the outer tunnel destination. Therefore, both the inner content source and destination are subject to the same Security policies that apply to those outer zones.

Tunnel Source Zone (Inspection > Security Options): (Optional) Select one of the following:
- Default: The inner content will use the same zone that is used in the outer tunnel for policy enforcement.
- A separate tunnel zone: A tunnel zone you create so that the Security policies associated with that zone apply to the tunnel source zone.

Tunnel Destination Zone (Inspection > Security Options): (Optional) Select one of the following:
- Default: The inner content will use the same zone that is used in the outer tunnel for policy enforcement.
- A separate tunnel zone: A tunnel zone you create so that the Security policies associated with that zone apply to the tunnel destination zone.

Monitor Name (Inspection > Monitor Options): (Optional) Enter a monitor name to group similar traffic together for monitoring the traffic in logs and reports.

Monitor Tag (number) (Inspection > Monitor Options): (Optional) Enter a monitor tag number that can group similar traffic together for logging and reporting (range is 1 to 16,777,215). The tag number is globally defined.
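To make the Inspect Options concrete, the following Python is an added example (not code from this guide or from PAN-OS) that walks GRE-in-IPv4 packets through nested encapsulation, applies the RFC 2890 strict header check and the One Level / Two Levels limit, and returns a drop-or-inspect decision. The sample packets are constructed inline, and the verdict names and option fields are this example's own.

```python
"""Added example (not code from the PAN-OS guide): a minimal model of the
Inspect Options for GRE-in-IPv4 tunnels: Maximum Tunnel Inspection Levels,
the RFC 2890 strict header check, and the unknown-inner-protocol drop."""
import struct
from dataclasses import dataclass

IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800

# GRE flag bits in the first 16 bits of the header, per RFC 2890.
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000


@dataclass
class InspectOptions:
    max_levels: int = 1               # One Level (default) or Two Levels
    drop_over_max: bool = False       # Drop packet if over maximum tunnel inspection level
    drop_strict_fail: bool = False    # Drop packet if tunnel protocol fails strict header check
    drop_unknown_inner: bool = False  # Drop packet if unknown protocol inside tunnel


def gre_header_is_rfc2890(flags: int) -> bool:
    """RFC 2890 permits only the C, K and S flags; every Reserved0 bit and the
    3-bit Version field must be zero. Pre-RFC 2890 senders (RFC 1701 R/s/Recur
    bits, or Version 1 as used by PPTP) fail this check."""
    return (flags & ~(GRE_C | GRE_K | GRE_S)) == 0


def parse_gre(buf: bytes):
    """Return (flags, protocol_type, header_length) for a GRE header."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", buf[:4])
    hlen = 4
    if flags & GRE_C:
        hlen += 4                     # Checksum + Reserved1
    if flags & GRE_K:
        hlen += 4                     # Key
    if flags & GRE_S:
        hlen += 4                     # Sequence Number
    if len(buf) < hlen:
        raise ValueError("truncated GRE optional fields")
    return flags, proto, hlen


def inspect(packet: bytes, opts: InspectOptions, level: int = 0):
    """Walk an IPv4 packet through nested GRE encapsulation.
    Returns (verdict, tunnel_levels) with verdict one of 'no-tunnel',
    'inspect' (inner content visible to policy), 'pass-uninspected', 'drop'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        return ("no-tunnel" if level == 0 else "inspect"), level
    level += 1                        # one more encapsulation level found
    if level > opts.max_levels:
        return ("drop" if opts.drop_over_max else "pass-uninspected"), level
    flags, inner_proto, hlen = parse_gre(packet[ihl:])
    if opts.drop_strict_fail and not gre_header_is_rfc2890(flags):
        return "drop", level
    if inner_proto != ETHERTYPE_IPV4:
        return ("drop" if opts.drop_unknown_inner else "pass-uninspected"), level
    return inspect(packet[ihl + hlen:], opts, level)


# --- constructed sample packets (not captures) --------------------------------
def ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def gre(payload: bytes, flags: int = 0, proto: int = ETHERTYPE_IPV4) -> bytes:
    hdr = struct.pack("!HH", flags, proto)
    if flags & GRE_C:
        hdr += bytes(4)
    if flags & GRE_K:
        hdr += b"\x00\x00\x00\x2a"    # key 42
    if flags & GRE_S:
        hdr += b"\x00\x00\x00\x01"
    return hdr + payload


TCP_STUB = bytes([0x00, 0x50, 0x1F, 0x90]) + bytes(16)   # placeholder 20-byte TCP header
INNER = ipv4(6, TCP_STUB)
ONE_LEVEL = ipv4(IPPROTO_GRE, gre(INNER, flags=GRE_K))
TWO_LEVEL = ipv4(IPPROTO_GRE, gre(ipv4(IPPROTO_GRE, gre(INNER))))
OLD_GRE = ipv4(IPPROTO_GRE, gre(INNER, flags=0x0001))     # Version field = 1
UNKNOWN_INNER = ipv4(IPPROTO_GRE, gre(bytes(8), proto=0x880B))
```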


Policies > Application Override

To change how the firewall classifies network traffic into applications, you can specify application override policies. For example, if you want to control one of your custom applications, an application override policy can be used to identify traffic for that application according to zone, source and destination address, port, and protocol. If you have network applications that are classified as unknown, you can create new application definitions for them (refer to Defining Applications).
Like security policies, application override policies can be as general or specific as needed. The policy rules are compared against the traffic in sequence, so the more specific rules must precede the more general ones.
Because the App-ID engine in PAN-OS classifies traffic by identifying the application-specific content in network traffic, the custom application definition cannot simply use a port number to identify an application. The application definition must also include traffic (restricted by source zone, source IP address, destination zone, and destination IP address).
To create a custom application with application override:
- Create a custom application (see Defining Applications). It is not required to specify signatures for the application if the application is used only for application override rules.
- Define an application override policy that specifies when the custom application should be invoked. A policy typically includes the IP address of the server running the custom application and a restricted set of source IP addresses or a source zone.
Use the following tables to configure an application override rule.
- General Tab
- Source Tab
- Destination Tab
- Protocol/Application Tab
Looking for more? See Use Application Objects in Policy.


General Tab

Select the General tab to configure a name and description for the application override policy. A tag can also be configured to allow you to sort or filter policies when a large number of policies exist.

Name: Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.

Description: Enter a description for the rule (up to 255 characters).

Tag: If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.

Source Tab

Select the Source tab to define the source zone or source address of the incoming traffic to which the application override policy will be applied.

Source Zone: Add source zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.

Source Address: Add source addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.
Select Negate to choose any address except the configured ones.


Destination Tab

Select the Destination tab to define the destination zone or destination address of the traffic to which the policy will be applied.

Destination Zone: Click Add to choose destination zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.

Destination Address: Click Add to add destination addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.
Select Negate to choose any address except the configured ones.

Protocol/Application Tab

Select the Protocol/Application tab to define the protocol (TCP or UDP), port, and application that further define the attributes of the application for the policy match.

Protocol: Select the protocol (TCP or UDP) for which to allow an application override.

Port: Enter the port number (0 to 65535) or range of port numbers (port1-port2) for the specified destination addresses. Multiple ports or ranges must be separated by commas.

Application: Select the override application for traffic flows that match the above rule criteria. When overriding to a custom application, no threat inspection is performed. The exception to this is when you override to a predefined application that supports threat inspection.
To define new applications, refer to Objects > Applications.
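The following Python is an added example (not code from this guide or from PAN-OS) that parses the Port field syntax described above and evaluates a small application override rulebase in order, returning the override application and whether threat inspection still applies to the flow. Rule names, zones and addresses are hypothetical and constructed for the example.

```python
"""Added example (not code from the PAN-OS guide): parsing the Port field of
an Application Override rule and evaluating override rules top-down."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_port_spec(spec: str) -> List[Tuple[int, int]]:
    """Port field syntax: single ports (0-65535) or ranges port1-port2,
    several entries separated by commas, e.g. '80,8000-8080'."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry")
        lo, sep, hi = item.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if sep else lo_n
        if not 0 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"invalid port range: {item!r}")
        ranges.append((lo_n, hi_n))
    return ranges


def port_matches(spec: str, port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in parse_port_spec(spec))


@dataclass
class Flow:
    source_zone: str
    source_ip: str
    destination_zone: str
    destination_ip: str
    protocol: str          # 'tcp' or 'udp'
    destination_port: int


@dataclass
class OverrideRule:
    name: str
    protocol: str
    ports: str                              # exactly as typed in the Port field
    application: str
    custom_app: bool                        # custom apps get no threat inspection
    source_zone: Optional[str] = None       # None means any
    source_net: Optional[str] = None        # CIDR; None means any
    destination_zone: Optional[str] = None
    destination_net: Optional[str] = None   # typically the server's address
    negate_source: bool = False             # Negate on the Source tab

    def matches(self, f: Flow) -> bool:
        if self.protocol != f.protocol or not port_matches(self.ports, f.destination_port):
            return False
        if self.source_zone not in (None, f.source_zone):
            return False
        if self.destination_zone not in (None, f.destination_zone):
            return False
        if self.source_net is not None:
            in_net = ipaddress.ip_address(f.source_ip) in ipaddress.ip_network(self.source_net)
            if in_net == self.negate_source:    # Negate inverts the address match
                return False
        if self.destination_net is not None and (
                ipaddress.ip_address(f.destination_ip)
                not in ipaddress.ip_network(self.destination_net)):
            return False
        return True


def evaluate(rules: List[OverrideRule], flow: Flow):
    """Rules are compared in sequence and the first match wins, so specific
    rules must precede general ones. Returns (application, threat_inspection)
    or None when no override applies and normal App-ID classification is used."""
    for rule in rules:
        if rule.matches(flow):
            return rule.application, not rule.custom_app
    return None


# Constructed rulebase: hypothetical rule names, applications and addresses.
RULES = [
    OverrideRule("acme-db-override", "tcp", "5432", "acme-db", True,
                 source_zone="trust", source_net="10.10.0.0/16",
                 destination_net="10.1.2.10/32"),
    OverrideRule("acme-portal-override", "tcp", "8080", "acme-portal", True,
                 destination_net="10.1.2.20/32"),
    OverrideRule("web-general", "tcp", "80,8000-8080", "web-browsing", False),
]
```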


Policies > Authentication

Your Authentication policy enables you to authenticate end users before they can access network resources.

What do you want to know? See:
- What are the fields available to create an Authentication rule? See Building Blocks of an Authentication Policy Rule.
- How can I use the web interface to manage Authentication policy? See Create and Manage Authentication Policy. For Panorama, see Move or Clone a Policy Rule.
- Looking for more? See Authentication Policy.

Building Blocks of an Authentication Policy Rule

Whenever a user requests a resource (such as when visiting a web page), the firewall evaluates Authentication policy. Based on the matching policy rule, the firewall then prompts the user to respond to one or more challenges of different factors (types), such as login and password, voice, SMS, push, or one-time password (OTP) authentication. After the user responds to all the factors, the firewall evaluates Security policy (see Policies > Security) to determine whether to allow access to the resource.

The firewall does not prompt users to authenticate if they access non-web-based resources (such as a printer) through a GlobalProtect gateway that is internal or in tunnel mode. Instead, the users will see connection failure messages. To ensure users can access these resources, set up an authentication portal and train users to visit it when they see connection failures. Consult your IT department to set up an authentication portal.

The following table describes each building block or component in an Authentication policy rule; the tab in which each is configured is given in parentheses. Before you Add a rule, complete the prerequisites described in Create and Manage Authentication Policy.

Rule number (N/A): Each rule is automatically numbered and the order changes as rules are moved. When you filter rules to match specific filters, the Policies > Authentication page lists each rule with its number in the context of the complete set of rules in the rulebase and its place in the evaluation order. For details, see rule sequence and its evaluation order.

Name (General): Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.

Description (General): Enter a description for the rule (up to 255 characters).

Tag (General): Select a tag for sorting and filtering rules (see Objects > Tags).


Source Zone (Source): Add zones to apply the rule only to traffic coming from interfaces in the zones that you specify (default is any). To define new zones, see Network > Zones.

Source Address (Source): Add addresses or address groups to apply the rule only to traffic originating from the sources that you specify (default is any). Select Negate to choose any address except the selected ones. To define new addresses or address groups, see Objects > Addresses and Objects > Address Groups.

Source User (User): Select the source users or user groups to which the rule applies:
- any: Includes any traffic regardless of source user.
- pre-logon: Includes remote users who are not logged into their client systems but whose client systems connect to the network through the GlobalProtect pre-logon feature.
- known-user: Includes all users for whom the firewall already has IP address-to-username mappings before the rule evokes authentication.
- unknown: Includes all users for whom the firewall does not have IP address-to-username mappings. After the rule evokes authentication, the firewall creates user mappings for unknown users based on the usernames they entered.
- Select: Includes only the users and user groups that you Add to the Source User list.
If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server and not from the User-ID agent, the list of users does not display; you must enter user information manually.

Source HIP Profile (User): Add host information profiles (HIP) to identify users. A HIP enables you to collect information about the security status of your end hosts, such as whether they have the latest security patches and antivirus definitions. For details and to define new HIPs, see Objects > GlobalProtect > HIP Profiles.

Destination Zone (Destination): Add zones to apply the rule only to traffic going to interfaces in the zones that you specify (default is any). To define new zones, see Network > Zones.

Destination Address (Destination): Add addresses or address groups to apply the rule only to the destinations that you specify (default is any). Select Negate to choose any address except the selected ones. To define new addresses or address groups, see Objects > Addresses and Objects > Address Groups.


Service (Service/URL Category)
    Select from the following options to apply the rule only to services on specific TCP and UDP port numbers:
    - any: Specifies services on any port and using any protocol.
    - default: Specifies services only on the default ports that Palo Alto Networks defines.
    - Select: Enables you to Add services or service groups. To create new services and service groups, see Objects > Services and Objects > Service Groups.

URL Category
    Select the URL categories to which the rule applies:
    - Select any to specify all traffic regardless of the URL category.
    - Add categories. To define custom categories, see Objects > Custom Objects > URL Category.

Authentication Enforcement (Actions)
    Select the authentication enforcement object (Objects > Authentication) that specifies the method (such as Captive Portal or browser challenge) and the authentication profile that the firewall uses to authenticate users. The authentication profile defines whether users respond to a single challenge or to multi-factor authentication (see Device > Authentication Profile). You can select a predefined or custom authentication enforcement object.

Timeout
    To reduce the frequency of authentication challenges that interrupt the user workflow, you can specify the interval in minutes (default is 60) during which the firewall prompts the user to authenticate only once for repeated access to resources. If the Authentication Enforcement object specifies multi-factor authentication, the user must authenticate once for each factor. The firewall records a timestamp and reissues a challenge only when the timeout for a factor expires. Redistributing the timestamps to other firewalls enables you to apply the timeout even if the firewall that initially allows access for a user is not the same firewall that later controls access for that user.

Log Authentication Timeouts
    Select this option (disabled by default) if you want the firewall to generate Authentication logs whenever the Timeout associated with an authentication factor expires. Enabling this option provides more data to troubleshoot access issues. In conjunction with correlation objects, you can also use Authentication logs to identify suspicious activity on your network (such as brute-force attacks). Enabling this option increases log traffic.

Log Forwarding
    Select a Log Forwarding profile if you want the firewall to forward Authentication logs to Panorama or to external services such as a syslog server (see Objects > Log Forwarding).


Create and Manage Authentication Policy

Select the Policies > Authentication page to create and manage Authentication policy rules:

Add
    Perform the following prerequisites before creating Authentication policy rules:
    - Configure the User-ID Captive Portal settings (see Device > User Identification > Captive Portal Settings). The firewall uses Captive Portal to display the first authentication factor that the Authentication rule requires. Captive Portal also enables the firewall to record the timestamps associated with authentication Timeout periods and to update user mappings.
    - Configure a server profile that specifies how the firewall can access the service that will authenticate users (see Device > Server Profiles).
    - Assign the server profile to an authentication profile that specifies authentication settings (see Device > Authentication Profile).
    - Assign the authentication profile to an authentication enforcement object that specifies the authentication method (see Objects > Authentication).
    To create a rule, perform one of the following steps and then complete the fields described in Building Blocks of an Authentication Policy Rule:
    - Click Add.
    - Select a rule on which to base the new rule and click Clone Rule. The firewall inserts the copied rule, named <rulename>-#, below the selected rule, where # is the next available integer that makes the rule name unique. For details, see Move or Clone a Policy Rule.

Modify
    To modify a rule, click the rule Name and edit the fields described in Building Blocks of an Authentication Policy Rule. If the firewall received the rule from Panorama, the rule is read-only; you can edit it only on Panorama.

Move
    When matching traffic, the firewall evaluates rules from top to bottom in the order that the Policies > Authentication page lists them. To change the evaluation order, select a rule and Move Up, Move Down, Move Top, or Move Bottom. For details, see Move or Clone a Policy Rule.

Delete
    To remove an existing rule, select and Delete it.

Enable/Disable
    To disable a rule, select and Disable it. To re-enable a disabled rule, select and Enable it.

Highlight Unused Rules
    To identify rules that have not matched traffic since the last time the firewall was restarted, Highlight Unused Rules. You can then decide whether to disable or delete unused rules. The page highlights unused rules with a dotted yellow background.

Preview Rules (Panorama only)
    Click Preview Rules to view a list of the rules before you push the rules to the managed firewalls. Within each rulebase, the page visually demarcates the rule hierarchy for each device group (and managed firewall) to facilitate scanning of numerous rules.


Policies > DoS Protection

What do you want to know?                                           See:
What is a DoS Protection policy?                                    DoS Protection Policy Overview
What are the fields available to create a DoS Protection policy?   Building Blocks of a DoS Protection Policy
How do I configure a DoS Protection profile?                        See Objects > Security Profiles > DoS Protection
Looking for more?                                                   See DoS Protection Policies

DoS Protection Policy Overview

A DoS Protection policy allows you to protect against DoS attacks by specifying whether to deny or allow packets that match a source interface, zone, address, or user and/or a destination interface, zone, or user. Alternatively, you can choose the Protect action and specify a DoS profile where you set the thresholds (sessions or packets per second) that trigger an alarm, activate a protective action, and indicate the maximum rate above which packets are dropped. Thus, you can control the number of sessions between interfaces, zones, addresses, and countries based on aggregate sessions or source and/or destination IP addresses. For example, you can control traffic to and from certain addresses or address groups, or from certain users and for certain services.

The firewall enforces DoS Protection policy rules before Security policy rules to ensure the firewall uses its resources in the most efficient manner. If a DoS Protection policy rule denies a packet, that packet never reaches a Security policy rule.


Building Blocks of a DoS Protection Policy

The following table describes the building blocks of a DoS Protection policy rule and the tab (Configured In) where each is set:

Name (Policies > DoS Protection > General)
    Enter a name to identify the DoS Protection policy rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.

Description
    Enter a description for the rule (up to 255 characters).

Tags
    If you want to tag the policy, Add and specify the tag. A policy tag is a keyword or phrase that allows you to sort or filter policies. A tag is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt or No-decrypt, or use the name of a specific data center for policies associated with that location.


Type (Policies > DoS Protection > Source)
    Select the type of source to which the DoS Protection policy rule applies:
    - Interface: Apply the rule to traffic coming from the specified interface or group of interfaces.
    - Zone: Apply the rule to traffic coming from any interface in a specified zone.
    Click Add to select multiple interfaces or zones.

Source Address
    Select Any or Add and specify one or more source addresses to which the DoS Protection policy rule applies. (Optional) Select Negate to specify that the rule applies to any addresses except those specified.

Source User
    Specify one or more source users to which the DoS Protection policy rule applies:
    - any: Includes packets regardless of the source user.
    - pre-logon: Includes packets from remote users that are connected to the network using GlobalProtect, but are not logged in to their system. When pre-logon is configured on the Portal for GlobalProtect clients, any user who is not currently logged in to their machine will be identified with the username pre-logon. You can then create policies for pre-logon users and, although the user is not directly logged in, their machines are authenticated on the domain as if they were fully logged in.
    - known-user: Includes all authenticated users, which means any IP address with user data mapped. This option is equivalent to the domain users group on a domain.
    - unknown: Includes all unauthenticated users, which means IP addresses that are not mapped to a user. For example, you could use unknown for guest-level access to something because they will have an IP address on your network, but will not be authenticated to the domain and will not have IP address-to-username mapping information on the firewall.
    - Select: Includes users specified in this window. For example, you can select one user, a list of individuals, some groups, or manually add users.
    If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server and not from the User-ID agent, the list of users does not display; you must enter user information manually.

Type (Policies > DoS Protection > Destination)
    Select the type of destination to which the DoS Protection policy rule applies:
    - Interface: Apply the rule to packets going to the specified interface or group of interfaces. Click Add and select one or more interfaces.
    - Zone: Apply the rule to packets going to any interface in the specified zone. Click Add and select one or more zones.

Destination Address
    Select Any or Add and specify one or more destination addresses to which the DoS Protection policy rule applies. (Optional) Select Negate to specify that the rule applies to any addresses except those specified.


Service (Policies > DoS Protection > Option/Protection)
    Click Add and select one or more services to which the DoS Protection policy applies. The default is Any service.

Action
    Select the action that the firewall performs on packets that match the DoS Protection policy rule:
    - Deny: Drop all packets that match the rule.
    - Allow: Permit all packets that match the rule.
    - Protect: Enforce protections (on packets that match the rule) specified in the DoS Protection profile applied to this rule. Packets that match the rule are counted toward the threshold rates in the DoS Protection profile, which in turn trigger an alarm, activate another action, and trigger packet drops when the maximum rate is exceeded.

Schedule
    Specify the schedule when the DoS Protection policy rule is in effect. The default setting of None indicates no schedule; the policy is always in effect. Alternatively, select a schedule or create a new schedule to control when the DoS Protection policy rule is in effect. Enter a Name for the schedule. Select Shared to share this schedule with every virtual system on a multiple virtual system firewall. Select a Recurrence of Daily, Weekly, or Non-recurring. Add a Start Time and End Time in hours:minutes, based on a 24-hour clock.

Log Forwarding
    If you want to trigger forwarding of threat log entries for matched traffic to an external service, such as to a syslog server or Panorama, select a Log Forwarding profile or click Profile to create a new one. Only traffic that matches an action in the rule will be logged and forwarded.

Aggregate
    Select an Aggregate DoS Protection profile that specifies the threshold rates at which the incoming connections per second trigger an alarm, activate an action, and exceed a maximum rate. All incoming connections (the aggregate) count toward the thresholds specified in an Aggregate DoS Protection profile. An Aggregate profile setting of None means there are no threshold settings in place for the aggregate traffic. See Objects > Security Profiles > DoS Protection.

Classified
    Select this option and specify the following:
    - Profile: Select a Classified DoS Protection profile to apply to this rule.
    - Address: Select whether incoming connections count toward the thresholds in the profile if they match the source-ip-only, destination-ip-only, or src-dest-ip-both.
    If you specify a Classified DoS Protection profile, only the incoming connections that match a source IP address, destination IP address, or source and destination IP address pair count toward the thresholds specified in the profile. For example, you can specify a Classified DoS Protection profile with a Max Rate of 100 cps and an Address setting of source-ip-only in the rule. The result would be a limit of 100 connections per second for each particular source IP address. See Objects > Security Profiles > DoS Protection.
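The difference between Aggregate and Classified counting is easiest to see on one concrete second of traffic. The following Python script is an added example, not Palo Alto Networks code: it replays a constructed burst through a rule with the Protect action that has both an Aggregate profile and a Classified profile, under each of the three Address settings. The threshold values, the sample addresses and the boundary comparisons (alarm and activate treated as inclusive) are this example's own assumptions.

```python
from collections import Counter

# Constructed thresholds in new connections per second (cps); real values come
# from the profiles under Objects > Security Profiles > DoS Protection.
AGGREGATE = {"alarm": 1000, "activate": 2000, "max": 3000}
CLASSIFIED = {"alarm": 50, "activate": 80, "max": 100}


def classify(src, dst, mode):
    """Key under which a connection is counted for a Classified profile."""
    if mode == "source-ip-only":
        return src
    if mode == "destination-ip-only":
        return dst
    if mode == "src-dest-ip-both":
        return (src, dst)
    raise ValueError(f"unknown classification mode: {mode}")


def state_for(rate, thresholds):
    """Which threshold a per-second rate has crossed. Boundaries are treated as
    inclusive here (assumption); the exact comparison is not stated on this page."""
    if rate > thresholds["max"]:
        return "max-rate-exceeded"
    if rate >= thresholds["activate"]:
        return "activate"
    if rate >= thresholds["alarm"]:
        return "alarm"
    return "ok"


def evaluate_second(connections, mode, aggregate=AGGREGATE, classified=CLASSIFIED):
    """Replay one second of new-connection attempts (src, dst) through a rule
    with the Protect action. Returns the aggregate state, the state per
    classification key and the number of connections above a max rate
    (the ones the firewall would drop)."""
    agg_seen = 0
    key_seen = Counter()
    dropped = 0
    for src, dst in connections:
        agg_seen += 1
        key = classify(src, dst, mode)
        key_seen[key] += 1
        # Every connection counts toward the aggregate and toward its own key;
        # one above either max rate is dropped for the rest of the second.
        if agg_seen > aggregate["max"] or key_seen[key] > classified["max"]:
            dropped += 1
    return {
        "aggregate": state_for(agg_seen, aggregate),
        "classified": {k: state_for(n, classified) for k, n in key_seen.items()},
        "dropped": dropped,
    }


# Constructed sample second: one client opens 120 connections to a web server
# while 30 other clients open one connection each to the same server.
SAMPLE = [("203.0.113.7", "198.51.100.10")] * 120 + [
    (f"192.0.2.{i}", "198.51.100.10") for i in range(1, 31)
]

if __name__ == "__main__":
    for mode in ("source-ip-only", "destination-ip-only", "src-dest-ip-both"):
        r = evaluate_second(SAMPLE, mode)
        print(f"{mode:20} aggregate={r['aggregate']} dropped={r['dropped']}")
```

With source-ip-only the 150 connections stay far below the aggregate thresholds, but the single noisy source crosses the classified max rate and loses 20 connections; with destination-ip-only every client shares the server's key, so 50 connections are dropped, including legitimate ones. That is the trade-off to weigh when choosing the Address setting.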



Objects

Objects are the elements that enable you to construct, schedule, and search for policy rules, and Security Profiles provide threat protection in policy rules. This section describes how to configure the Security Profiles and objects that you can use with Policies:
- Move, Clone, Override, or Revert Objects
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Applications
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Tags
- Objects > GlobalProtect > HIP Objects
- Objects > GlobalProtect > HIP Profiles
- Objects > External Dynamic Lists
- Objects > Custom Objects
- Objects > Security Profiles
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Decryption Profile
- Objects > Schedules


Move, Clone, Override, or Revert Objects

See the following topics for options to modify existing objects:
- Move or Clone an Object
- Override or Revert an Object

Move or Clone an Object

When moving or cloning objects, you can assign a Destination (a virtual system on a firewall or a device group on Panorama) for which you have access permissions, including the Shared location.

To move an object, select the object in the Objects tab, click Move, select Move to other vsys (firewall only) or Move to other device group (Panorama only), complete the fields in the following table, and then click OK.

To clone an object, select the object in the Objects tab, click Clone, complete the fields in the following table, and then click OK.

Move/Clone Settings:

Selected Objects
    Displays the Name and current Location (virtual system or device group) of the policies or objects you selected for the operation.

Destination
    Select the new location for the policy or object: a virtual system, device group, or Shared. The default value is the Virtual System or Device Group that you selected in the Policies or Objects tab.

Error out on first detected error in validation
    Select this option (selected by default) to make the firewall or Panorama display the first error it finds and stop checking for more errors. For example, an error occurs if the Destination doesn't include an object that is referenced in the policy rule you are moving. If you clear this selection, the firewall or Panorama will find all errors before displaying them.

Override or Revert an Object

In Panorama, you can nest device groups in a tree hierarchy of up to four levels. At the bottom level, a device group can have parent, grandparent, and great-grandparent device groups at successively higher levels, collectively called ancestors, from which the bottom-level device group inherits policies and objects. At the top level, a device group can have child, grandchild, and great-grandchild device groups, collectively called descendants. You can override an object in a descendant so that its values differ from those in an ancestor. This override capability is enabled by default. However, you cannot override shared or default (preconfigured) objects. The web interface displays one icon to indicate an object has inherited values and a different icon to indicate an inherited object has overridden values.

- Override an object: Select the Objects tab, select the descendant Device Group that will have the overridden version, select the object, click Override, and edit the settings. You cannot override Name or Shared settings for an object.
- Revert an overridden object to its inherited values: Select the Objects tab, select the Device Group that has the overridden version, select the object, click Revert, and click Yes to confirm the operation.
- Disable overrides for an object: Select the Objects tab, select the Device Group where the object resides, click the object Name to edit it, select Disable override, and click OK. Overrides for that object are then disabled in all device groups that inherit the object from the selected Device Group.
- Replace all object overrides across Panorama with the values inherited from the Shared location or ancestor device groups: Select Panorama > Setup > Management, edit the Panorama Settings, select Ancestor Objects Take Precedence, and click OK. You must then commit to Panorama and to the device groups containing overrides to push the inherited values.
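The inheritance and override rules above can be written down as a small resolver, which is useful when auditing which value a managed firewall actually receives for an object. The following Python model is an added example, not Panorama code; the device-group names, object names and values are constructed, and the model treats a device group with no parent as the Shared location. It covers the default (nearest definition wins), Disable override, the rule that Shared objects cannot be overridden, Revert, and the Ancestor Objects Take Precedence setting.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class DeviceGroup:
    name: str
    parent: Optional["DeviceGroup"] = None            # None marks the Shared location
    objects: Dict[str, str] = field(default_factory=dict)   # object name -> value set here
    no_override: Set[str] = field(default_factory=set)      # objects with Disable override set

    def ancestors(self):
        dg = self.parent
        while dg is not None:
            yield dg
            dg = dg.parent

    @property
    def is_shared(self):
        return self.parent is None


def defining_groups(dg, obj):
    """Device groups, nearest first, from dg up to Shared that define obj."""
    return [g for g in [dg, *dg.ancestors()] if obj in g.objects]


def can_override(dg, obj):
    """dg may override obj only if it inherits it, the object is not a Shared
    object, and no ancestor that defines it has Disable override set."""
    inherited = [g for g in dg.ancestors() if obj in g.objects]
    if not inherited:
        return False
    return not any(g.is_shared or obj in g.no_override for g in inherited)


def override(dg, obj, value):
    if not can_override(dg, obj):
        raise PermissionError(f"{dg.name} cannot override {obj}")
    dg.objects[obj] = value


def revert(dg, obj):
    """Drop dg's overridden copy so the inherited value applies again."""
    if obj not in dg.objects or not any(obj in g.objects for g in dg.ancestors()):
        raise KeyError(f"{obj} is not an override in {dg.name}")
    del dg.objects[obj]


def resolve(dg, obj, ancestor_precedence=False):
    """Effective value of obj for dg. By default the nearest definition wins, so
    a descendant's override beats its ancestors; with Ancestor Objects Take
    Precedence the highest definition in the chain wins."""
    groups = defining_groups(dg, obj)
    if not groups:
        raise KeyError(f"{obj} is not visible to {dg.name}")
    return (groups[-1] if ancestor_precedence else groups[0]).objects[obj]


def build_sample():
    """Constructed three-level hierarchy: Shared -> EMEA -> London."""
    shared = DeviceGroup("Shared", objects={"dns-server": "10.0.0.53"})
    emea = DeviceGroup("EMEA", shared, objects={"web-srv": "10.1.1.10", "syslog": "10.1.1.5"})
    emea.no_override.add("syslog")              # Disable override set on EMEA's syslog object
    london = DeviceGroup("London", emea)
    override(london, "web-srv", "10.2.2.10")    # London keeps its own web-srv value
    return {"Shared": shared, "EMEA": emea, "London": london}


if __name__ == "__main__":
    london = build_sample()["London"]
    for flag in (False, True):
        print("ancestor precedence" if flag else "default", resolve(london, "web-srv", flag))
```

Note that flipping Ancestor Objects Take Precedence changes the resolved value without deleting the override, which is why the override still has to be committed away (or reverted) to disappear from the device-group configuration.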


Objects > Addresses

An address object can include an IPv4 or IPv6 address (single IP, range, subnet) or an FQDN. It allows you to reuse the same object as a source or destination address across all the policy rulebases without having to add it manually each time. It is configured using the web interface or the CLI, and a commit operation is required to make the object a part of the configuration.

To define an address object, click Add and fill in the following fields:

Address Object Settings:

Name
    Enter a name that describes the addresses to be defined (up to 63 characters). This name appears in the address list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared
    Select this option if you want the address object to be available to:
    - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the address object will be available only to the Virtual System selected in the Objects tab.
    - Every device group on Panorama. If you clear this selection, the address object will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only)
    Select this option to prevent administrators from overriding the settings of this address object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Description
    Enter a description for the object (up to 255 characters).

Type
    Specify an IPv4 or IPv6 address or address range, or an FQDN.
    IP Netmask: Enter the IPv4 or IPv6 address or IP address range using the following notation:
        ip_address/mask or ip_address
    where the mask is the number of significant binary digits used for the network portion of the address. Ideally, for IPv6, you specify only the network portion, not the host portion.
    Examples:
        192.168.80.150/32 (indicates one address)
        192.168.80.0/24 (indicates all addresses from 192.168.80.0 through 192.168.80.255)
        2001:db8::/32
        2001:db8:123:1::/64
    IP Range: Enter a range of addresses using the following format:
        ip_address-ip_address
    where both addresses can be IPv4 or both can be IPv6.
    Example:
        2001:db8:123:1::1-2001:db8:123:1::22


Type (continued)
    FQDN: To specify an address using the FQDN, select FQDN and enter the domain name.
    The FQDN initially resolves at commit time. Entries are subsequently refreshed when the firewall performs a check every 30 minutes; all changes in the IP address for the entries are picked up at the refresh cycle.
    The FQDN is resolved by the system DNS server or a Network > DNS Proxy object, if a proxy is configured.

Tags
    Select or enter the tags that you wish to apply to this address object. You can define a tag here or use the Objects > Tags tab to create new tags. For information on tags, see Objects > Tags.
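Scripts that generate address objects (for example from an asset inventory) should check values before committing them, because a malformed value surfaces only as a commit failure. The following Python validator is an added example, not PAN-OS code: it implements the IP Netmask, IP Range and FQDN forms described above with the standard ipaddress module, and also answers the two questions a policy reviewer asks of an object (how many addresses it covers and whether a given IP falls inside it). The same three IP forms (x.x.x.x, x.x.x.x-y.y.y.y, x.x.x.x/n) appear in the Objects > Regions table, so the IP branches apply to region addresses too. The name rule follows the table; the hostname-label check and all function names are this example's assumptions.

```python
import ipaddress
import re

# Name rule from the table: up to 63 characters from letters, digits, spaces,
# hyphens and underscores.
NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,63}$")
# Hostname-label syntax is this example's assumption; the page does not state
# the firewall's own FQDN syntax check.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_name(name):
    return bool(NAME_RE.match(name))


def parse_address(kind, value):
    """Validate an address-object value of type 'ip-netmask', 'ip-range' or
    'fqdn' and return (kind, normalized value). Raises ValueError when the
    value does not fit the form described for that type."""
    value = value.strip()
    if kind == "ip-netmask":
        # 'ip_address/mask' or a bare 'ip_address' (which becomes /32 or /128).
        # Host bits are kept as entered (10.1.1.5/24 is not rewritten), so the
        # caller can still follow the advice to give only the network portion.
        return kind, str(ipaddress.ip_interface(value))
    if kind == "ip-range":
        lo, sep, hi = value.partition("-")
        if not sep:
            raise ValueError("an IP range is written ip_address-ip_address")
        a, b = ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())
        if a.version != b.version:
            raise ValueError("both ends of a range must be IPv4 or both IPv6")
        if a > b:
            raise ValueError("range start is greater than range end")
        return kind, f"{a}-{b}"
    if kind == "fqdn":
        name = value.rstrip(".").lower()
        labels = name.split(".")
        if len(name) > 253 or len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
            raise ValueError(f"not a valid FQDN: {value!r}")
        return kind, name
    raise ValueError(f"unknown address type: {kind}")


def is_valid(kind, value):
    try:
        parse_address(kind, value)
        return True
    except ValueError:
        return False


def _range_bounds(norm):
    lo, hi = norm.split("-")
    return ipaddress.ip_address(lo), ipaddress.ip_address(hi)


def address_count(kind, value):
    """Number of addresses the object covers (IP types only)."""
    _, norm = parse_address(kind, value)
    if kind == "ip-netmask":
        return ipaddress.ip_interface(norm).network.num_addresses
    if kind == "ip-range":
        lo, hi = _range_bounds(norm)
        return int(hi) - int(lo) + 1
    raise ValueError("an FQDN resolves to addresses only at commit and refresh time")


def matches(kind, value, ip):
    """True if ip falls inside the object (IP types only)."""
    ip = ipaddress.ip_address(ip)
    _, norm = parse_address(kind, value)
    if kind == "ip-netmask":
        return ip in ipaddress.ip_interface(norm).network
    if kind == "ip-range":
        lo, hi = _range_bounds(norm)
        return lo.version == ip.version and lo <= ip <= hi
    raise ValueError("an FQDN resolves to addresses only at commit and refresh time")


if __name__ == "__main__":
    for kind, value in [("ip-netmask", "192.168.80.0/24"),
                        ("ip-range", "2001:db8:123:1::1-2001:db8:123:1::22"),
                        ("fqdn", "Mail.Example.COM.")]:
        print(kind, parse_address(kind, value)[1])
```

An FQDN object deliberately has no static membership check: the firewall resolves it at commit time and every 30 minutes afterwards, so the addresses it matches depend on DNS at that moment, which is also why FQDN objects in permissive rules deserve a second look during review.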


Objects > Address Groups

To simplify the creation of security policies, addresses that require the same security settings can be combined into address groups. An address group can be static or dynamic.

- Dynamic Address Groups: A dynamic address group populates its members dynamically using lookups for tags and tag-based filters. Dynamic address groups are very useful if you have an extensive virtual infrastructure where changes in virtual machine location/IP address are frequent. For example, you have a sophisticated failover setup or provision new virtual machines frequently and would like to apply policy to traffic from or to the new machine without modifying the configuration/rules on the firewall.
  To use a dynamic address group in policy you must complete the following tasks:
  - Define a dynamic address group and reference it in a policy rule.
  - Notify the firewall of the IP addresses and the corresponding tags, so that members of the dynamic address group can be formed. You can do this using external scripts that use the XML API on the firewall or, for a VMware-based environment, you can select Device > VM Information Sources to configure settings on the firewall.
  Dynamic address groups can also include statically defined address objects. If you create an address object and apply the same tags that you have assigned to a dynamic address group, that dynamic address group will include all static and dynamic objects that match the tags. You can, therefore, use tags to pull together both dynamic and static objects in the same address group.
- Static Address Groups: A static address group can include address objects that are static, dynamic address groups, or a combination of both address objects and dynamic address groups.

To create an address group, click Add and fill in the following fields:

Address Group Settings:

Name
    Enter a name that describes the address group (up to 63 characters). This name appears in the address list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared
    Select this option if you want the address group to be available to:
    - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the address group will be available only to the Virtual System selected in the Objects tab.
    - Every device group on Panorama. If you clear this selection, the address group will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only)
    Select this option to prevent administrators from overriding the settings of this address group object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Description
    Enter a description for the object (up to 255 characters).

Type
    Select Static or Dynamic.
    To create a dynamic address group, use the match criteria to assemble the members to be included in the group. Define the Match criteria using the AND or OR operators.
    To view the list of attributes for the match criteria, you must have configured the firewall to access and retrieve the attributes from the source/host. Each virtual machine on the configured information source(s) is registered with the firewall, and the firewall can poll the machine to retrieve changes in IP address or configuration without any modifications on the firewall.
    For a static address group, click Add and select one or more Addresses. Click Add to add an object or an address group to the address group. The group can contain address objects, and both static and dynamic address groups.

Tags
    Select or enter the tags that you wish to apply to this address group. For information on tags, see Objects > Tags.

Members Count and Address
    After you add an address group, the Members Count column on the Objects > Address Groups page indicates whether the objects in the group are populated dynamically or statically.
    - For a static address group, you can view the count of the members in the address group.
    - For an address group that uses tags to dynamically populate members or has both static and dynamic members, to view the members, click the More... link in the Address column. You can now view the IP addresses that are registered to the address group.
      - Type indicates whether the IP address is a static address object or being dynamically registered, and displays the IP address.
      - Action allows you to Unregister Tags from an IP address. Click the link to Add the registration source and specify the tags to unregister.
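The two halves of the dynamic address group workflow described in this section, registering IP-to-tag mappings through the XML API and letting the group's AND/OR match criteria select members, are shown together in the following Python script. It is an added example, not Palo Alto Networks code: it builds the User-ID registration message carried by the XML API's type=user-id call and evaluates match criteria against a constructed registration table, which is what the More... link in the Address column lets you inspect on the firewall. The firewall host, API key, addresses and tags are placeholders, and the criteria parser is this example's reading of the syntax shown in the web interface ('tag1' and 'tag2'), not the firewall's own parser.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def build_register_message(registrations, unregister=False):
    """Build the <uid-message> that registers (or unregisters) tags for IP
    addresses. registrations maps an IP address to the list of tags."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    section = ET.SubElement(ET.SubElement(msg, "payload"),
                            "unregister" if unregister else "register")
    for ip, tags in sorted(registrations.items()):
        tag_el = ET.SubElement(ET.SubElement(section, "entry", ip=ip), "tag")
        for tag in tags:
            ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(msg, encoding="unicode")


def api_url(host, api_key, message):
    """URL for the XML API call that carries the message (type=user-id). The
    request is not sent here; host and key are placeholders."""
    return f"https://{host}/api/?" + urlencode(
        {"type": "user-id", "key": api_key, "cmd": message})


# Match-criteria syntax handled here (assumption): quoted tag names joined
# with and/or, with parentheses for grouping, e.g. ('web' or 'db') and 'prod'.
TOKEN_RE = re.compile(r"\s*(?:'([^']*)'|(\(|\))|(and|or)\b)", re.IGNORECASE)


def tokenize(expr):
    pos, tokens = 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            if not expr[pos:].strip():
                break
            raise ValueError(f"bad match criteria near: {expr[pos:]!r}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("TAG", m.group(1)))
        elif m.group(2):
            tokens.append(("PAREN", m.group(2)))
        else:
            tokens.append(("OP", m.group(3).lower()))
    return tokens


class MatchCriteria:
    """Recursive-descent parser: or_expr := and_expr ('or' and_expr)*;
    and_expr := atom ('and' atom)*; atom := tag | '(' or_expr ')'."""

    def __init__(self, expr):
        self.tokens = tokenize(expr)
        self.pos = 0
        self.tree = self._or()
        if self.pos != len(self.tokens):
            raise ValueError("unexpected token after end of match criteria")

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def _next(self):
        if self.pos >= len(self.tokens):
            raise ValueError("match criteria ends unexpectedly")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def _or(self):
        node = self._and()
        while self._peek() == ("OP", "or"):
            self._next()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._atom()
        while self._peek() == ("OP", "and"):
            self._next()
            node = ("and", node, self._atom())
        return node

    def _atom(self):
        kind, val = self._next()
        if kind == "TAG":
            return ("tag", val)
        if (kind, val) == ("PAREN", "("):
            node = self._or()
            if self._next() != ("PAREN", ")"):
                raise ValueError("missing closing parenthesis")
            return node
        raise ValueError(f"unexpected token {val!r}")

    def matches(self, tags):
        def ev(n):
            if n[0] == "tag":
                return n[1] in tags
            left, right = ev(n[1]), ev(n[2])
            return (left and right) if n[0] == "and" else (left or right)
        return ev(self.tree)


def resolve_group(criteria, ip_tags):
    """IPs whose registered tags satisfy the group's match criteria."""
    m = MatchCriteria(criteria)
    return sorted(ip for ip, tags in ip_tags.items() if m.matches(tags))


# Constructed IP-to-tag table, as the firewall would hold it after registration.
REGISTERED = {
    "10.1.10.21": {"web", "prod"},
    "10.1.10.22": {"web", "staging"},
    "10.1.20.5": {"db", "prod"},
}

if __name__ == "__main__":
    print(build_register_message({"10.1.10.21": ["web", "prod"]}))
    print(resolve_group("('web' or 'db') and 'prod'", REGISTERED))
```

Send the message as the cmd parameter of an HTTPS POST to the URL that api_url() builds. The API key carries the rights of the administrator who generated it, so keep it out of scripts committed to source control and out of logs, and register tags only from a host you trust: anything that can register a tag can move an address into a group that policy allows.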


Objects > Regions

The firewall supports creation of policy rules that apply to specified countries or other regions. The region is available as an option when specifying source and destination for security policies, decryption policies, and DoS policies. You can choose from a standard list of countries or use the region settings described in this section to define custom regions to include as options for Security policy rules.

The following table describes the region settings:

Region Settings:

Name
    Enter a name that describes the region (up to 31 characters). This name appears in the address list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Geo Location
    To specify latitude and longitude, select this option and specify the values (xxx.xxxxxx format). This information is used in the traffic and threat maps for App-Scope. Refer to Monitor > Logs.

Addresses
    Specify an IP address, range of IP addresses, or subnet to identify the region, using any of the following formats:
        x.x.x.x
        x.x.x.x-y.y.y.y
        x.x.x.x/n


Objects > Applications

What are you looking for?                                                               See
Understand the application settings and attributes displayed on the Applications page.   Applications Overview; Actions Supported on Applications
Add a new application or modify an existing application.                                Defining Applications

Applications Overview

The Applications page lists various attributes of each application definition, such as the application's relative security risk (1 to 5). The risk value is based on criteria such as whether the application can share files, is prone to misuse, or tries to evade firewalls. Higher values indicate higher risk.

The top application browser area of the page lists the attributes that you can use to filter the display as follows. The number to the left of each entry represents the total number of applications with that attribute.

Weekly content releases periodically include new decoders and contexts for which you can develop signatures.

The following table describes application details; custom applications and Palo Alto Networks applications might display some or all of these fields.

Application Details  Description

Name
    Name of the application.

Description
    Description of the application (up to 255 characters).

Additional Information
    Links to web sources (Wikipedia, Google, and Yahoo!) that contain additional information about the application.

Standard Ports
    Ports that the application uses to communicate with the network.

Depends on
    List of other applications that are required for this application to run. When creating a policy rule to allow the selected application, you must also be sure that you are allowing any other applications that the application depends on.


Implicitly Uses
    Other applications that the selected application depends on but that you do not need to add to your Security policy rules to allow the selected application, because those applications are supported implicitly.

Previously Identified As
    For a new App-ID, or App-IDs that are changed, this indicates what the application was previously identified as. This helps you assess whether policy changes are required based on changes in the application. If an App-ID is disabled, sessions associated with that application will match policy as the previously-identified-as application. Similarly, disabled App-IDs will appear in logs as the application they were previously identified as.

Deny Action
    App-IDs are developed with a default deny action that dictates how the firewall responds when the application is included in a Security policy rule with a deny action. The default deny action can specify either a silent drop or a TCP reset. You can override this default action in Security policy.

Characteristics

Evasive
    Uses a port or protocol for something other than its originally intended purpose with the hope that it will traverse a firewall.

Excessive Bandwidth
    Consumes at least 1 Mbps on a regular basis through normal use.

Prone to Misuse
    Often used for nefarious purposes or is easily set up to expose more than the user intended.

SaaS
    On the firewall, Software as a Service (SaaS) is characterized as a service where the software and infrastructure are owned and managed by the application service provider but where you retain full control of the data, including who can create, access, share, and transfer the data. Keep in mind that in the context of how an application is characterized, SaaS applications differ from web services. Web services are hosted applications where either the user doesn't own the data (for example, Pandora) or where the service is primarily comprised of sharing data fed by many subscribers for social purposes (for example, LinkedIn, Twitter, or Facebook).

Capable of File Transfer
    Has the capability to transfer a file from one system to another over a network.

Tunnels Other Applications
    Is able to transport other applications inside its protocol.

Used by Malware
    Malware has been known to use the application for propagation, attack, or data theft, or the application is distributed with malware.

Has Known Vulnerabilities
    Has publicly reported vulnerabilities.

Widely used
    Likely has more than 1,000,000 users.

Continue Scanning for Other Applications
    Instructs the firewall to continue to try to match against other application signatures. If you do not select this option, the firewall stops looking for additional application matches after the first matching signature.


Classification

Category
    The application category will be one of the following: business-systems, collaboration, general-internet, media, networking, unknown.

Subcategory
    The subcategory in which the application is classified. Different categories have different subcategories associated with them. For example, subcategories in the collaboration category include email, file-sharing, instant-messaging, internet-conferencing, social-business, social-networking, voip-video, and web-posting, whereas subcategories in the business-systems category include auth-service, database, erp-crm, general-business, management, office-programs, software-update, and storage-backup.

Technology
    The application technology will be one of the following:
    - client-server: An application that uses a client-server model where one or more clients communicate with a server in the network.
    - network-protocol: An application that is generally used for system-to-system communication that facilitates network operation. This includes most of the IP protocols.
    - peer-to-peer: An application that communicates directly with other clients to transfer information instead of relying on a central server to facilitate the communication.
    - browser-based: An application that relies on a web browser to function.

Risk
    Assigned risk of the application. To customize this setting, click the Customize link, enter a value (1-5), and click OK.

Options

Session Timeout
    Period of time, in seconds, required for the application to time out due to inactivity (range is 1-604800 seconds). This timeout is for protocols other than TCP or UDP. For TCP and UDP, refer to the next rows in this table. To customize this setting, click the Customize link, enter a value, and click OK.

TCP Timeout (seconds)
    Timeout, in seconds, for terminating a TCP application flow (range is 1-604800). To customize this setting, click the Customize link, enter a value, and click OK. A value of 0 indicates that the global session timer will be used, which is 3600 seconds for TCP.


UDP Timeout (seconds)
    Timeout, in seconds, for terminating a UDP application flow (range is 1-604800 seconds). To customize this setting, click the Customize link, enter a value, and click OK.

TCP Half Closed (seconds)
    Maximum length of time, in seconds, that a session remains in the session table between receiving the first FIN packet and receiving the second FIN packet or RST packet. If the timer expires, the session is closed (range is 1-604800). Default: if this timer is not configured at the application level, the global setting is used. If this value is configured at the application level, it overrides the global TCP Half Closed setting.

TCP Time Wait (seconds)
    Maximum length of time, in seconds, that a session remains in the session table after receiving the second FIN packet or a RST packet. If the timer expires, the session is closed (range is 1-600). Default: if this timer is not configured at the application level, the global setting is used. If this value is configured at the application level, it overrides the global TCP Time Wait setting.

App-ID Enabled
    Indicates whether the App-ID is enabled or disabled. If an App-ID is disabled, traffic for that application will be treated as the Previously Identified As App-ID in both Security policy and in logs. For applications added after content release version 490, you have the ability to disable them while you review the policy impact of the new app. After reviewing policy, you may choose to enable the App-ID. You also have the ability to disable an application that you have previously enabled. On a multi-vsys firewall, you can disable App-IDs separately in each virtual system.

When the firewall is not able to identify an application using App-ID, the traffic is classified as unknown: unknown-tcp or unknown-udp. This behavior applies to all unknown applications except those that fully emulate HTTP. For more information, refer to Monitor > Botnet.

You can create new definitions for unknown applications and then define security policies for the new application definitions. In addition, applications that require the same security settings can be combined into application groups to simplify the creation of security policies.


Actions Supported on Applications

You can perform any of the following actions on this page:

Actions Supported for Applications    Description

Filter by application
To search for a specific application, enter the application name or description in the Search field and press Enter. The drop-down to the right of the search box allows you to search or filter for a specific application or view All applications, Custom applications, Disabled applications, or Tagged applications.
The application is listed and the filter columns are updated to show statistics for the applications that matched the search. A search will match partial strings. When you define security policies, you can write rules that apply to all applications that match a saved filter. Such rules are dynamically updated when a new application that matches the filter is added through a content update.
To filter by application attributes displayed on the page, click an item that you want to use as a basis for filtering. For example, to restrict the list to the collaboration category, click collaboration and the list will only show applications in this category.

To filter on additional columns, select an entry in the other columns. The filtering is successive: first Category filters are applied, then Subcategory filters, then Technology filters, then Risk filters, and finally Characteristic filters. For example, if you apply a Category, Subcategory, and Risk filter, the Technology column is automatically restricted to the technologies that are consistent with the selected Category and Subcategory, even though a Technology filter has not been explicitly applied. Each time you apply a filter, the list of applications in the lower part of the page automatically updates. To create a new application filter, see Objects > Application Filters.

Add a new application
To add a new application, see Defining Applications.

View and/or customize application details
Click the application name link to view the application description, including the standard port, characteristics, and risk of the application, among other details. For details on the application settings, see Defining Applications.
If the icon to the left of the application name has a yellow pencil, the application is a custom application.


Disable an application
You can Disable an application (or several applications) so that the application signature is not matched against traffic. Security rules defined to block, allow, or enforce a matching application are not applied to the application traffic when the app is disabled. You might choose to disable an application that is included with a new content release version because policy enforcement for the application might change when the application is uniquely identified. For example, an application that is identified as web-browsing traffic is allowed by the firewall prior to a new content version installation; after installing the content update, the uniquely identified application no longer matches the Security rule that allows web-browsing traffic. In this case, you could choose to disable the application so that traffic matched to the application signature continues to be classified as web-browsing traffic and is allowed.

Enable an application
Select a disabled application and Enable the application so that it can be enforced according to your configured security policies.

Import an application
To import an application, click Import. Browse to select the file, and select the target virtual system from the Destination drop-down.

Export an application
To export an application, select the application and click Export. Follow the prompts to save the file.

Assess policy impact after installing a new content release
Review Policies to assess the policy-based enforcement for applications before and after installing a content release version. Use the Policy Review dialog to review policy impact for new applications included in a downloaded content release version. The Policy Review dialog allows you to add or remove a pending application (an application that is downloaded with a content release version but is not installed on the firewall) to or from an existing Security policy rule; policy changes for pending applications do not take effect until the corresponding content release version is installed. You can also access the Policy Review dialog when downloading and installing content release versions on the Device > Dynamic Updates page.

Tag an application
A predefined tag named sanctioned is available for you to tag SaaS applications. While a SaaS application is an application that is identified as SaaS=yes in the details on application characteristics, you can use the sanctioned tag on any application.
Select an application, click Tag Application, and, from the drop-down, select the predefined Sanctioned tag to identify any application that you want to explicitly allow on your network. When you then generate the SaaS Application Usage Report (see Monitor > PDF Reports > SaaS Application Usage), you can compare statistics on the applications that you have sanctioned versus unsanctioned SaaS applications that are being used on your network.
When you tag an application as sanctioned, the following restrictions apply:
- The sanctioned tag cannot be applied to an application group.
- The sanctioned tag cannot be applied at the Shared level; you can tag an application only per device group or per virtual system.
- The sanctioned tag cannot be used to tag applications included in a container app, such as facebook-mail, which is part of the facebook container app.
You can also Remove tag or Override tag. The override option is only available on a firewall that has inherited settings from a device group pushed from Panorama.


Defining Applications

Select Objects > Applications to Add a new custom application for the firewall to evaluate when applying policies.

New Application Settings    Description

Configuration Tab

Name
Enter the application name (up to 31 characters). This name appears in the applications list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, periods, hyphens, and underscores. The first character must be a letter.

Shared
Select this option if you want the application to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the application will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the application will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this application object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Description
Enter a description of the application for general reference (up to 255 characters).

Category
Select the application category, such as email or database. The category is used to generate the Top Ten Application Categories chart and is available for filtering (refer to ACC).

Subcategory
Select the application subcategory, such as email or database. The subcategory is used to generate the Top Ten Application Categories chart and is available for filtering (refer to ACC).

Technology
Select the technology for the application.

Parent App
Specify a parent application for this application. This setting applies when a session matches both the parent and the custom applications; however, the custom application is reported because it is more specific.

Risk
Select the risk level associated with this application (1=lowest to 5=highest).

Characteristics
Select the application characteristics that may place the application at risk. For a description of each characteristic, refer to Characteristics.


Advanced Tab

Port
If the protocol used by the application is TCP and/or UDP, select Port and enter one or more combinations of the protocol and port number (one entry per line). The general format is:
<protocol>/<port>
where the <port> is a single port number, or dynamic for dynamic port assignment.
Examples: TCP/dynamic or UDP/32.
This setting applies when using app-default in the Service column of a Security rule.

IP Protocol
To specify an IP protocol other than TCP or UDP, select IP Protocol and enter the protocol number (1 to 255).

ICMP Type
To specify an Internet Control Message Protocol version 4 (ICMP) type, select ICMP Type and enter the type number (range is 0-255).

ICMP6 Type
To specify an Internet Control Message Protocol version 6 (ICMPv6) type, select ICMP6 Type and enter the type number (range is 0-255).

None
To specify signatures independent of protocol, select None.

Timeout
Enter the number of seconds before an idle application flow is terminated (range is 0-604800 seconds). A zero indicates that the default timeout of the application will be used. This value is used for protocols other than TCP and UDP in all cases, and for TCP and UDP timeouts when the TCP timeout and UDP timeout are not specified.

TCP Timeout
Enter the number of seconds before an idle TCP application flow is terminated (range is 0-604800 seconds). A zero indicates that the default timeout of the application will be used.

UDP Timeout
Enter the number of seconds before an idle UDP application flow is terminated (range is 0-604800 seconds). A zero indicates that the default timeout of the application will be used.

TCP Half Closed
Enter the maximum length of time that a session remains in the session table between receiving the first FIN and receiving the second FIN or RST. If the timer expires, the session is closed.
Default: If this timer is not configured at the application level, the global setting is used (range is 1-604800 seconds).
If this value is configured at the application level, it overrides the global TCP Half Closed setting.

TCP Time Wait
Enter the maximum length of time that a session remains in the session table after receiving the second FIN or a RST. If the timer expires, the session is closed.
Default: If this timer is not configured at the application level, the global setting is used (range is 1-600 seconds).
If this value is configured at the application level, it overrides the global TCP Time Wait setting.

Scanning
Select the scanning types that you want to allow based on Security Profiles (file types, data patterns, and viruses).
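The Configuration and Advanced tab rules above are easy to get wrong when custom application objects are generated by a script rather than typed into the web interface. The following linter is an added example, not Palo Alto Networks code: it checks a candidate object against the name rules (31 characters, letter first, letters/digits/space/period/hyphen/underscore), the risk range, the <protocol>/<port> entry format, and the timeout ranges stated above before the object is pushed. The dictionary layout (keys such as "ports" and "tcp_time_wait") and the two sample objects are this example's own assumptions.

```python
"""Lint a custom application object against the field rules of the
Configuration and Advanced tabs. Added example; the dict layout is an
assumption made here for illustration, not a PAN-OS format."""
import re

NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 ._-]{0,30}$")   # 31 chars max, letter first
PORT_RE = re.compile(r"^(tcp|udp)/(dynamic|[0-9]{1,5})$", re.IGNORECASE)
IDLE_TIMEOUT_RANGE = (0, 604800)      # timeout, tcp_timeout, udp_timeout; 0 = app default
HALF_CLOSED_RANGE = (1, 604800)       # tcp_half_closed
TIME_WAIT_RANGE = (1, 600)            # tcp_time_wait


def parse_port_entry(entry):
    """Parse one '<protocol>/<port>' line into (proto, port); port is None for dynamic."""
    m = PORT_RE.match(entry.strip())
    if not m:
        raise ValueError(f"bad port entry {entry!r}; expected TCP/<port>, UDP/<port> or <proto>/dynamic")
    proto, port = m.group(1).lower(), m.group(2).lower()
    if port == "dynamic":
        return proto, None
    port = int(port)
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} out of range in {entry!r}")
    return proto, port


def _check_range(errors, app, key, lo, hi):
    value = app.get(key)
    if value is None:
        return                                     # field left unset: global/app default applies
    if not isinstance(value, int) or not lo <= value <= hi:
        errors.append(f"{key}={value!r} must be an integer in {lo}..{hi}")


def validate_app(app):
    """Return a list of problems; an empty list means the object passes."""
    errors = []
    name = app.get("name", "")
    if not NAME_RE.match(name):
        errors.append(f"name {name!r}: up to 31 chars, letters/digits/space/./-/_ only, first char a letter")
    if len(app.get("description", "")) > 255:
        errors.append("description exceeds 255 characters")
    if not 1 <= app.get("risk", 0) <= 5:
        errors.append("risk must be 1 (lowest) to 5 (highest)")
    for entry in app.get("ports", []):
        try:
            parse_port_entry(entry)
        except ValueError as exc:
            errors.append(str(exc))
    for key in ("timeout", "tcp_timeout", "udp_timeout"):
        _check_range(errors, app, key, *IDLE_TIMEOUT_RANGE)
    _check_range(errors, app, "tcp_half_closed", *HALF_CLOSED_RANGE)
    _check_range(errors, app, "tcp_time_wait", *TIME_WAIT_RANGE)
    return errors


# Constructed sample objects for the example, not taken from a real configuration.
GOOD_APP = {"name": "acme-telemetry", "description": "internal metrics agent", "risk": 2,
            "ports": ["TCP/8443", "UDP/dynamic"], "tcp_timeout": 120, "tcp_time_wait": 30}
BAD_APP = {"name": "9lives!", "risk": 6, "ports": ["TCP/70000", "icmp/8"],
           "tcp_time_wait": 601}

if __name__ == "__main__":
    for app in (GOOD_APP, BAD_APP):
        print(app["name"], validate_app(app) or "OK")
```

Run it before a commit: the bad object is rejected for its name, its risk, the out-of-range and non-TCP/UDP port entries, and a TCP Time Wait above 600 seconds, which are exactly the values the web interface would refuse.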


Signature Tab

Signatures
Click Add to add a new signature, and specify the following information:
- Signature Name: Enter a name to identify the signature.
- Comment: Enter an optional description.
- Scope: Select whether to apply this signature only to the current Transaction or to the full user Session.
- Ordered Condition Match: Select if the order in which signature conditions are defined is important.
Specify the conditions that identify the signature. These conditions are used to generate the signature that the firewall uses to match the application patterns and control traffic:
- To add a condition, select Add AND Condition or Add OR Condition. To add a condition within a group, select the group and then click Add Condition.
- Select an Operator from the drop-down. The options are Pattern Match, Greater Than, Less Than, and Equal To. Then specify the following options:
  (For Pattern Match only)
  - Context: Select from the available contexts. These contexts are updated using dynamic content updates.
  - Pattern: Specify a regular expression to specify unique string context values that apply to the custom application. Perform a packet capture to identify the context. See Pattern Rules Syntax for pattern rules for regular expressions.
  (For Greater Than, Less Than)
  - Context: Select from the available contexts. These contexts are updated using dynamic content updates.
  - Value: Specify a value to match on (range is 0-4294967295).
  - Qualifier and Value (Optional): Add qualifier/value pairs.
  (For Equal To only)
  - Context: Select from unknown requests and responses for TCP or UDP (for example, unknown-req-tcp) or additional contexts that are available through dynamic content updates (for example, dnp3-req-func-code).
  - For unknown requests and responses for TCP or UDP, specify:
    Position: Select between the first four or second four bytes in the payload.
    Mask: Specify a 4-byte hex value, for example, 0xffffff00.
    Value: Specify a 4-byte hex value, for example, 0xaabbccdd.
  - For all other contexts, specify a Value that is pertinent to the application.
- To move a condition within a group, select the condition and Move Up or Move Down. To move a group, select the group and Move Up or Move Down. You cannot move conditions from one group to another.

It is not required to specify signatures for the application if the application is used only for application override rules.
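To see what the Equal To mask/value comparison and Ordered Condition Match actually decide on a packet, here is an added example (not Palo Alto Networks code) that evaluates a signature of AND-ed OR-groups against a payload the way the Signature tab above describes it: Pattern Match runs a regular expression over the payload, Equal To on the unknown-req-tcp style contexts masks the first or second four payload bytes and compares them to the configured value, and with ordered matching a later group must match after the previous one. The payload, the protocol it imitates, and the condition tuple layout are constructed for the example; on the firewall the contexts come from content updates.

```python
"""Evaluate custom-application signature conditions against a payload.
Added example: condition tuples, payload and the 'protocol' are inventions
for illustration, not PAN-OS internals."""
import re
import struct


def equal_to(payload, position, mask, value):
    """Equal To on the unknown-req-tcp / unknown-req-udp style contexts.

    position 1 compares the first four payload bytes, position 2 the second
    four, read in network byte order; mask and value are the 4-byte hex
    values from the signature (for example 0xffffff00 and 0xaabbccdd).
    """
    offset = 0 if position == 1 else 4
    chunk = payload[offset:offset + 4]
    if len(chunk) < 4:
        return False                     # too little payload to compare
    (word,) = struct.unpack("!I", chunk)
    return word & mask == value & mask


def evaluate(groups, payload, ordered=False):
    """Return True when the payload satisfies the signature.

    groups is a list of OR-groups that are ANDed together, mirroring
    Add AND Condition / Add OR Condition. Each condition is a tuple:
      ("pattern", <bytes regex>)         Pattern Match against the payload
      ("equal", position, mask, value)   Equal To, as in equal_to()
    With ordered=True (Ordered Condition Match), a Pattern Match in a later
    group must occur after the end of the previous group's match.
    """
    cursor = 0
    for group in groups:
        hit = None
        for cond in group:
            if cond[0] == "pattern":
                m = re.search(cond[1], payload[cursor:])
                if m:
                    hit = cursor + m.end()
                    break
            elif cond[0] == "equal":
                if equal_to(payload, *cond[1:]):
                    hit = cursor         # fixed offset; does not advance the cursor
                    break
            else:
                raise ValueError(f"unknown operator {cond[0]!r}")
        if hit is None:
            return False
        if ordered:
            cursor = hit
    return True


# Constructed payload (not a real protocol): 4-byte magic, 4-byte length, text banner.
PAYLOAD = b"\xaa\xbb\xcc\x01" + b"\x00\x00\x00\x10" + b"ACME-TLM/1.0 HELLO agent=acme\r\n"

# Constructed signature: magic with the low byte masked off, then the banner,
# then either of two agent strings (an OR group).
SIGNATURE = [
    [("equal", 1, 0xFFFFFF00, 0xAABBCCDD)],
    [("pattern", rb"ACME-TLM/\d\.\d")],
    [("pattern", rb"agent=acme"), ("pattern", rb"agent=beta")],
]

if __name__ == "__main__":
    print("ordered match:", evaluate(SIGNATURE, PAYLOAD, ordered=True))
    print("reversed groups, ordered:", evaluate(SIGNATURE[::-1], PAYLOAD, ordered=True))
```

Note the effect of the mask: 0xffffff00 ignores the low byte, so a magic of aa bb cc 01 still matches the configured value 0xaabbccdd. Reversing the groups fails only when Ordered Condition Match is on, which is the difference that setting makes.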


Objects > Application Groups

To simplify the creation of security policies, applications requiring the same security settings can be combined by creating an application group. (To define a new application, refer to Defining Applications.)

New Application Group Settings    Description

Name
Enter a name that describes the application group (up to 31 characters). This name appears in the application list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared
Select this option if you want the application group to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the application group will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the application group will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this application group object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Applications
Click Add and select applications, application filters, and/or other application groups to be included in this group.


Objects > Application Filters

Application filters help to simplify repeated searches. To define an application filter, Add and enter a name for your new filter. In the upper area of the window, click an item that you want to use as a basis for filtering. For example, to restrict the list to the Collaboration category, click collaboration.

To filter on additional columns, select an entry in the columns. The filtering is successive: category filters are applied first, followed by subcategory filters, technology filters, risk filters, and then characteristic filters. As you select filters, the list of applications that display on the page is automatically updated.


Objects > Services

When you define security policies for specific applications, you can select one or more services to limit the port numbers the applications can use. The default service is any, which allows all TCP and UDP ports. The HTTP and HTTPS services are predefined, but you can add additional service definitions. Services that are often assigned together can be combined into service groups to simplify the creation of security policies (refer to Objects > Service Groups).
The following table describes the service settings:

Service Settings    Description

Name
Enter the service name (up to 63 characters). This name appears in the services list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description
Enter a description for the service (up to 255 characters).

Shared
Select this option if you want the service object to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the service object will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the service object will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this service object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Protocol
Select the protocol used by the service (TCP or UDP).

Destination Port
Enter the destination port number (0 to 65535) or range of port numbers (port1-port2) used by the service. Multiple ports or ranges must be separated by commas. The destination port is required.

Source Port
Enter the source port number (0 to 65535) or range of port numbers (port1-port2) used by the service. Multiple ports or ranges must be separated by commas. The source port is optional.
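The port grammar above (single ports, port1-port2 ranges, comma-separated lists, destination required and source optional) is what a Security rule's Service column is matched against. The following added example, not Palo Alto Networks code, parses that grammar into ranges and answers whether a given flow is permitted by a rule's service list, including the default service any, which allows all TCP and UDP ports. The service objects and flows are constructed for the example.

```python
"""Service objects: parse the Destination/Source Port grammar and match
flows against a rule's Service column. Added example, not PAN-OS code."""


def parse_port_spec(spec):
    """Return a list of (low, high) ranges; [] for an empty (optional) field."""
    spec = (spec or "").strip()
    if not spec:
        return []
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:                                  # port1-port2
            low, high = (int(p) for p in item.split("-", 1))
        else:
            low = high = int(item)
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"invalid port or range {item!r}")
        ranges.append((low, high))
    return ranges


def _in_ranges(port, ranges):
    return any(low <= port <= high for low, high in ranges)


class Service:
    """One Objects > Services entry."""

    def __init__(self, name, protocol, destination_port, source_port=None):
        if protocol not in ("tcp", "udp"):
            raise ValueError("protocol must be tcp or udp")
        self.name, self.protocol = name, protocol
        self.dst = parse_port_spec(destination_port)
        if not self.dst:
            raise ValueError("destination port is required")
        self.src = parse_port_spec(source_port)         # [] means any source port

    def matches(self, protocol, dst_port, src_port):
        return (protocol == self.protocol
                and _in_ranges(dst_port, self.dst)
                and (not self.src or _in_ranges(src_port, self.src)))


ANY = "any"   # the default Service value of a Security rule


def rule_service_matches(services, protocol, dst_port, src_port):
    """True if the flow's ports are permitted by the rule's Service column
    (services is ANY or a list of Service objects)."""
    if services == ANY:
        return True                                      # all TCP and UDP ports
    return any(s.matches(protocol, dst_port, src_port) for s in services)


# Constructed services, similar to what an administrator would define by hand.
WEB_ALT = Service("web-alt", "tcp", "80, 443, 8000-8080")
SYSLOG = Service("syslog-from-collectors", "udp", "514", source_port="514, 1024-65535")

if __name__ == "__main__":
    print(WEB_ALT.matches("tcp", 8043, 51000), WEB_ALT.matches("tcp", 8443, 51000))
```

The source-port restriction is the part worth noticing: a syslog service that also pins the source port will not match a collector that sends from an ephemeral port below 1024, which is the kind of silent rule miss that only shows up as unexpected drops in the traffic log.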


Objects > Service Groups

To simplify the creation of security policies, you can combine services that have the same security settings into service groups. To define new services, refer to Objects > Services.
The following table describes the service group settings:

Service Group Settings    Description

Name
Enter the service group name (up to 63 characters). This name appears in the services list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared
Select this option if you want the service group to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the service group will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the service group will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this service group object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Service
Click Add to add services to the group. Select from the drop-down or click Service at the bottom of the drop-down and specify the settings. Refer to Objects > Services for a description of the settings.


Objects > Tags

Tags allow you to group objects using keywords or phrases. Tags can be applied to address objects, address groups (static and dynamic), zones, services, service groups, and to policy rules. You can use a tag to sort or filter objects, and to visually distinguish objects because tags can have a color. When a color is applied to a tag, the Policy tab displays the object with a background color.
A predefined tag named Sanctioned is available for tagging applications (Objects > Applications). This tag is required for an accurate SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage).

What do you want to know?    See:

How do I create tags?    Create Tags
What is the tag browser?    Use the Tag Browser
Search for rules that are tagged.    Manage Tags
Group rules using tags.
View tags used in policy.
Apply tags to policy.

Looking for more? See Policy.

Create Tags

Select Objects > Tags to create a tag, assign a color, delete, rename, and clone tags. Each object can have up to 64 tags; when an object has multiple tags, it displays the color of the first tag applied to it.
On the firewall, the Objects > Tags tab displays the tags that you define locally on the firewall or push from Panorama to the firewall; on Panorama, it displays the tags that you define on Panorama. This tab does not display the tags that are dynamically retrieved from the VM Information sources defined on the firewall for forming dynamic address groups, or tags that are defined using the XML API.
When you create a new tag, the tag is automatically created in the Virtual System or Device Group that is currently selected on the firewall or Panorama.

Tag Settings    Description

Name
Enter a unique tag name (up to 127 characters). The name is not case-sensitive.

Shared
Select this option if you want the tag to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the tag will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the tag will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this tag in device groups that inherit the tag. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the tag.


Color
Select a color from the color palette in the drop-down. The default value is None.

Comments
Add a label or description to remind you what the tag is used for.

- Add a tag: To add a new tag, click Add and then fill in the fields described in the table above. You can also create a new tag when you create or edit policy in the Policies tab. The tag is automatically created in the Device Group or Virtual System that is currently selected.
- Edit a tag: To edit, rename, or assign a color to a tag, click the tag name that displays as a link and modify the settings.
- Delete a tag: To delete a tag, click Delete and select the tag in the window. You cannot delete a predefined tag.
- Move or Clone a tag: The options to move or clone a tag allow you to copy a tag or move a tag to a different Device Group or Virtual System on firewalls with multiple virtual systems enabled. Click Clone or Move and select the tag in the window. Select the Destination location (Device Group or Virtual System) for the tag. Clear the selection for Error out on first detected error in validation if you want the validation process to discover all the errors for the object before displaying the errors. By default, this option is enabled and the validation process stops when the first error is detected and only displays that error.
- Override or Revert a tag (Panorama only): The Override option is available if you have not selected the Disable override option when creating the tag. It allows you to override the color assigned to the tag that was inherited from a shared or ancestor device group. The Location field displays the current device group. You can also select Disable override to disable further overrides. To undo the changes on a tag, click Revert. When you revert a tag, the Location field displays the device group or virtual system from where the tag was inherited.

Use the Tag Browser

Policies > Rulebase (Security, NAT, QoS...)
The tag browser presents a summary of all the tags used within a rulebase (policy set). It allows you to see a list of all the tags and the order in which they are listed in the rulebase.
You can sort, browse, search, and filter for a specific tag, or view only the first tag applied to each rule in the rulebase.
The following table describes the options in the tag browser:

Use the Tag Browser    Description

Tag (#)
Displays the label and the rule number or range of numbers in which the tag is used contiguously.
Hover over the label to see the location where the rule was defined. The location can be inherited from the Shared location, a device group, or a virtual system.

Rule
Lists the rule number or range of numbers associated with the tags.


Filter by first tag in rule
Displays only the first tag applied to each rule in the rulebase, when selected. This view is particularly useful if you want to narrow the list and view related rules that might be spread around the rulebase. For example, if the first tag in each rule denotes its function (administration, web access, data center access, proxy), you can narrow the result and scan the rules based on function.

Rule Order
Sorts the tags in the order of appearance within the selected rulebase. When displayed in order of appearance, tags used in contiguous rules are grouped together. The rule number with which the tag is associated is displayed along with the tag name.

Alphabetical
Sorts the tags in alphabetical order within the selected rulebase. The display lists the tag name, color (if a color is assigned), and the number of times it is used within the rulebase.
The label None represents rules without any tags; it does not display rule numbers for untagged rules. When you select None, the right pane is filtered to display rules that have no tags assigned to them.

Clear
Clears the filter on the currently selected tags in the search bar.

Search bar
Allows you to search for a tag: enter the term and click the green arrow to apply the filter.
It also displays the total number of tags in the rulebase and the number of selected tags.

For other actions, see Manage Tags.

Manage Tags

The following table lists the actions that you can perform using the tag browser.

Manage Tags

Tag a rule.
1. Select a rule on the right pane.
2. Do one of the following:
   - Select a tag in the tag browser and, from the drop-down, select Apply the Tag to the Selection(s).
   - Drag and drop tags from the tag browser onto the tag column of the rule. When you drop the tags, a confirmation dialog displays.

View the currently selected tags.
1. Select one or more tags in the tag browser. The tags are filtered using an OR operator.
2. The right pane updates to display the rules that have any of the selected tags.
3. To view the currently selected tags, hover over the Clear label in the tag browser.


View rules that match the selected tags. You can filter rules based on tags with an AND or an OR operator.
OR filter: To view rules that have specific tags, select one or more tags in the tag browser. The right pane will display only the rules that include any of the currently selected tags.
AND filter: To view rules that have all the selected tags, hover over the number in the Rule column of the tag browser and select Filter in the drop-down. Repeat to add more tags. Then click the filter icon in the search bar on the right pane. The results are displayed using an AND operator.

Untag a rule.
Hover over the rule number in the Rule column of the tag browser and select Untag Rule(s) in the drop-down. Confirm that you want to remove the selected tag from the rule.

Reorder a rule using tags.
Select one or more tags, hover over the rule number in the Rule column of the tag browser, and select Move Rule(s) in the drop-down.
Select a tag from the drop-down in the move rule window and select whether you want to Move Before or Move After the tag selected in the drop-down.

Add a new rule that applies the selected tags.
Select one or more tags, hover over the rule number in the Rule column of the tag browser, and select Add New Rule in the drop-down.
The numerical order of the new rule varies by whether you selected a rule on the right pane. If no rule was selected on the right pane, the new rule will be added after the rule to which the selected tag(s) belong. Otherwise, the new rule is added after the selected rule.

Search for a tag.
In the tag browser, enter the first few letters of the tag name you want to search for and click the green arrow to display the tags that match your input.


Objects > External Dynamic Lists

An external dynamic list is an address object based on an imported list of IP addresses, URLs, or domain names that you can use in policy rules to block or allow traffic. This list must be a text file saved to a web server that is accessible by the firewall. The firewall uses the management (MGT) interface by default to retrieve this list.
With an active Threat Prevention license, Palo Alto Networks provides two Dynamic IP Lists: Palo Alto Networks - High risk IP addresses and Palo Alto Networks - Known malicious IP addresses. These feeds both contain malicious IP address entries, which you can use to block traffic from malicious hosts. The firewall receives daily updates for these feeds through antivirus content updates.
You can use an IP address list as an address object in the source and destination of your policy rules; you can use a URL list in Objects > Security Profiles > URL Filtering or as a match criterion in Security policy rules; and you can use a domain list in Objects > Security Profiles > Anti-Spyware Profile for sinkholing specified domain names.
On each firewall model, you can use up to 30 external dynamic lists with unique sources across all Security policy rules. The maximum number of entries that the firewall supports for each list type varies based on the firewall model (view the different firewall limits for each external dynamic list type). List entries only count toward the maximum limit if the external dynamic list is used in policy. If you exceed the maximum number of entries that are supported on a model, the firewall generates a System log and skips the entries that exceed the limit. To check the number of IP addresses, domains, and URLs currently used in policy and the total number supported on the firewall, click List Capacities (firewall only).
To retrieve the latest version of the external dynamic list from the server that hosts it, select an external dynamic list and click Import Now.

You cannot delete, clone, or edit the settings of the Palo Alto Networks malicious IP address feeds.

Click Add to create a new external dynamic list and configure the settings described in the table below.

External Dynamic List Settings    Description

Name
Enter a name to identify the external dynamic list (up to 32 characters). This name identifies the list when you use the list to enforce policy.

Shared
Select this option if you want the external dynamic list to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the external dynamic list will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the external dynamic list will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this external dynamic list object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.


Test Source URL (firewall only)
Click to verify that the firewall can connect to the server that hosts the external dynamic list.
This test does not check whether the server authenticates successfully.

Create List Tab

Type
Select from the following types of external dynamic lists. You cannot mix IP addresses, URLs, and domain names in a single list; each list must include entries of only one type.
- Predefined IP List: Lists of this type use a Palo Alto Networks malicious or high-risk IP address feed as a source of list entries (active Threat Prevention license required).
- IP List: Each list can include IP ranges and IP subnets in the IPv4 and IPv6 address space. The list must contain only one IP address, range, or subnet per line. Example:
    192.168.80.150/32
    2001:db8:123:1::1 or 2001:db8:123:1::/64
    192.168.80.0/24 (this indicates all addresses from 192.168.80.0 through 192.168.80.255)
    2001:db8:123:1::1 - 2001:db8:123:1::22
  A subnet or an IP address range, such as 192.168.20.0/24 or 192.168.20.40-192.168.20.50, counts as one IP address entry and not as multiple IP addresses.
- Domain List: Each list can have only one domain name entry per line. Example:
    www.p301srv03.paloalonetworks.com
    ftp.example.co.uk
    test.domain.net
  For the list of domains included in the External Dynamic List, the firewall creates a set of custom signatures of type spyware and medium severity, so that you can use the sinkhole action for a custom list of domains.
- URL List: Each list can have only one URL entry per line. Example:
    financialtimes.co.in
    www.wallaby.au/joey
    www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx
    *.example.com/*
  For each URL list, the default action is set to allow. To edit the default action, see Objects > Security Profiles > URL Filtering.

Description
Enter a description for the external dynamic list (up to 255 characters).

Source
Enter an HTTP or HTTPS URL path that contains the text file. For example, http://1.1.1.1/myfile.txt.
If the external dynamic list is a Predefined IP List, select Palo Alto Networks - High risk IP addresses or Palo Alto Networks - Known malicious IP addresses as the list source.


CertificateProfile IftheexternaldynamiclisthasanHTTPSURL,selectanexistingcertificateprofile
(firewallandPanorama)orcreateanewCertificate Profile(firewallonly)for
authenticatingthewebserverthathoststhelist.Formoreinformationon
configuringacertificateprofile,seeDevice>CertificateManagement>
CertificateProfile.
Default:None (Disable Cert profile)
Tomaximizethenumberofexternaldynamicliststhatyoucanuseto
enforcepolicy,usethesamecertificateprofiletoauthenticateexternal
dynamicliststhatusethesamesourceURLsothatthelistscountasonly
oneexternaldynamiclist.ExternaldynamiclistsfromthesamesourceURL
thatusedifferentcertificateprofilesarecountedasuniqueexternal
dynamiclists.

ClientAuthentication Selectthisoption(disabledbydefault)toaddausernameandpasswordforthe
firewalltousewhenaccessinganexternaldynamiclistsourcethatrequiresbasic
HTTPauthentication.Thissettingisavailableonlywhentheexternaldynamiclist
hasanHTTPSURL.
UsernameEnteravalidusernametoaccessthelist.
Password/Confirm PasswordEnterandconfirmthepasswordforthe
username.

Repeat Specifythefrequencyinwhichthefirewallretrievesthelistfromthewebserver.
YoucanchooseHourly,Five Minute,Daily,Weekly,orMonthly.Attheconfigured
interval,thefirewallretrievesthelistandautomaticallycommitsthechangesto
theconfiguration.Anypolicyrulesthatreferencethelistareupdatedsothatthe
firewallcansuccessfullyenforcepolicy.
YoudonothaveatoconfigureafrequencyforapredefinedIPlistbecause
thefirewalldynamicallyreceivescontentupdateswithanactiveThreat
Preventionlicense.

List Entries and Exceptions Tab

List Entries: Displays the entries in the external dynamic list.
- Add an entry as a list exception: Select up to 100 entries and click Submit.
- View an AutoFocus threat intelligence summary for an item: Hover over an entry, click the drop-down, and click AutoFocus. You must have an AutoFocus license and enable AutoFocus threat intelligence on the firewall to view an item summary.
- Check if an IP address, domain, or URL is in the external dynamic list: Enter a value in the filter field and Apply Filter. Clear Filter ([X]) to go back to viewing the complete list.

Manual Exceptions: Displays exceptions to the external dynamic list.
- Edit an exception: Click on an exception and make your changes.
- Manually enter an exception: Add a new exception manually.
- Remove an exception from the Manual Exceptions list: Select and Delete an exception.
- Check if an IP address, domain, or URL is in the Manual Exceptions list: Enter a value in the filter field and Apply Filter. Clear Filter ([X]) to go back to viewing the complete list. You cannot save your changes to the external dynamic list if you have duplicate entries in the Manual Exceptions list.


Objects > Custom Objects

Create custom data patterns, vulnerability and spyware signatures, and URL categories to use with policies:
- Objects > Custom Objects > Data Patterns
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category


Objects > Custom Objects > Data Patterns

What are you looking for?
- Create a data pattern. See: Data Pattern Settings
- Learn more about syntax for regular expression data patterns and see some examples. See: Syntax for Regular Expression Data Patterns; Regular Expression Data Pattern Examples

Data Pattern Settings

Select Objects > Custom Objects > Data Patterns to define the categories of sensitive information that you may want to filter. For information on defining data filtering profiles, select Objects > Security Profiles > Data Filtering.
You can create three types of data patterns for the firewall to use when scanning for sensitive information:
- Predefined: Use the predefined data patterns to scan files for social security and credit card numbers.
- Regular Expression: Create custom data patterns using regular expressions.
- File Properties: Scan files for specific file properties and values.

Data Pattern Settings

Name: Enter the data pattern name (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: Enter a description for the data pattern (up to 255 characters).

Shared: Select this option if you want the data pattern to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the data pattern will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the data pattern will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this data pattern object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Pattern Type: Select the type of data pattern you want to create:
- Predefined Pattern
- Regular Expression
- File Properties


Predefined Pattern: Palo Alto Networks provides predefined data patterns to scan for certain types of information in files, for example, for credit card numbers or social security numbers. To configure data filtering based on a predefined pattern, Add a pattern and select the following:
- Name: Select a predefined pattern to use to filter for sensitive data. When you pick a predefined pattern, the Description populates automatically.
- Select the File Type in which you want to detect the predefined pattern.

Regular Expression: Add a custom data pattern. Give the pattern a descriptive Name, set the File Type you want to scan for the data pattern, and enter the regular expression that defines the Data Pattern.
For regular expression data pattern syntax details and examples, see:
- Syntax for Regular Expression Data Patterns
- Regular Expression Data Pattern Examples

File Properties: Build a data pattern to scan for file properties and the associated values. For example, Add a data pattern to filter for Microsoft Word documents and PDFs where the document title includes the words sensitive, internal, or confidential.
- Give the data pattern a descriptive Name.
- Select the File Type that you want to scan.
- Select the File Property that you want to scan for a specific value.
- Enter the Property Value for which you want to scan.

Syntax for Regular Expression Data Patterns

When creating a regular expression data pattern, the following general requirements apply:
- The pattern must have a string of at least seven bytes to match. It can contain more than seven bytes but not fewer.
- The string match may or may not be case-sensitive, depending on which decoder you use. When you need case sensitivity, define patterns for all possible strings to match all variations of a term. For example, to match any documents designated as confidential, you must create a pattern that includes confidential, Confidential, and CONFIDENTIAL.
- The regular expression syntax in PAN-OS is similar to traditional regular expression engines, but every engine is unique. The following table describes the syntax supported in PAN-OS.

Pattern Rules Syntax

. : Match any single character.

? : Match the preceding character or expression 0 or 1 time. The general expression MUST be inside a pair of parentheses.
Example: (abc)?

* : Match the preceding character or expression 0 or more times. The general expression MUST be inside a pair of parentheses.
Example: (abc)*

+ : Match the preceding character or regular expression one or more times. The general expression MUST be inside a pair of parentheses.
Example: (abc)+

| : Equivalent to "or".
Example: ((bif)|(scr)|(exe)) matches bif, scr, or exe.
The alternative substrings must be in parentheses.

- : Used to create range expressions.
Example: [c-z] matches any character between c and z, inclusive.

[] : Match any.
Example: [abz] matches any of the characters a, b, or z.

^ : Match any except.
Example: [^abz] matches any character except a, b, or z.

{} : Min/Max number of bytes.
Example: {10-20} matches any string that is between 10 and 20 bytes. This must be directly in front of a fixed string, and only supports "-".

\ : To perform a literal match on any one of the special characters above, it MUST be escaped by preceding it with a \ (backslash).

&amp : & is a special character, so to look for the & in a string you must use &amp instead.

Regular Expression Data Pattern Examples

The following are examples of valid custom patterns:
- .*((Confidential)|(CONFIDENTIAL))
  Looks for the word Confidential or CONFIDENTIAL anywhere. The .* at the beginning specifies to look anywhere in the stream. Depending on the case-sensitivity requirements of the decoder, this may not match confidential (all lowercase).
- .*((Proprietary &amp Confidential)|(Proprietary and Confidential))
  Looks for either Proprietary & Confidential or Proprietary and Confidential. More precise than looking for Confidential.
- .*(Press Release).*((Draft)|(DRAFT)|(draft))
  Looks for Press Release followed by various forms of the word draft, which may indicate that the press release isn't ready to be sent outside the company.
- .*(Trinidad)
  Looks for a project code name, such as Trinidad.


Objects > Custom Objects > Spyware/Vulnerability

The firewall supports the ability to create custom spyware and vulnerability signatures using the firewall threat engine. You can write custom regular expression patterns to identify spyware phone-home communication or vulnerability exploits. The resulting spyware and vulnerability patterns become available for use in any custom vulnerability profiles. The firewall looks for the custom-defined patterns in network traffic and takes the specified action for the vulnerability exploit.

Weekly content releases periodically include new decoders and contexts for which you can develop signatures.

You can optionally include a time attribute when defining custom signatures by specifying a threshold per interval for triggering possible actions in response to an attack. Action is taken only after the threshold is reached.
Use the Custom Spyware Signature page to define signatures for Anti-Spyware profiles. Use the Custom Vulnerability Signature page to define signatures for Vulnerability Protection profiles.

Custom Vulnerability and Spyware Signature Settings

Configuration Tab

Threat ID: Enter a numeric identifier for the configuration (spyware signatures range is 15000-18000; vulnerability signatures range is 41000-45000).

Name: Specify the threat name.

Shared: Select this option if you want the custom signature to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the custom signature will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the custom signature will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this signature in device groups that inherit the signature. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the signature.

Comment: Enter an optional comment.

Severity: Assign a level that indicates the seriousness of the threat.

Default Action: Assign the default action to take if the threat conditions are met. For a list of actions, see Actions in Security Profiles.

Direction: Indicate whether the threat is assessed from the client to server, server to client, or both.

Affected System: Indicate whether the threat involves the client, server, either, or both. Applies to vulnerability signatures, but not spyware signatures.


CVE: Specify the common vulnerability enumeration (CVE) as an external reference for additional background and analysis.

Vendor: Specify the vendor identifier for the vulnerability as an external reference for additional background and analysis.

Bugtraq: Specify the Bugtraq ID (similar to CVE) as an external reference for additional background and analysis.

Reference: Add any links to additional analysis or background information. The information is shown when a user clicks on the threat from the ACC, logs, or vulnerability profile.


Signatures Tab

Standard Signature: Select Standard and then Add a new signature. Specify the following information:
- Standard: Enter a name to identify the signature.
- Comment: Enter an optional description.
- Ordered Condition Match: Select if the order in which signature conditions are defined is important.
- Scope: Select whether to apply this signature only to the current transaction or to the full user session.
Add a condition by clicking Add Or Condition or Add And Condition. To add a condition within a group, select the group and then click Add Condition.
Add a condition to a signature so that the signature is generated for traffic when the parameters you define for the condition are true. Select an Operator from the drop-down. The operator defines the type of condition that must be true for the custom signature to match to traffic. Choose from Less Than, Equal To, Greater Than, or Pattern Match operators.
When choosing a Pattern Match operator, specify for the following to be true for the signature to match to traffic:
- Context: Select from the available contexts.
- Pattern: Specify a regular expression. See Pattern Rules Syntax for pattern rules for regular expressions.
- Qualifier and Value: Optionally, add qualifier/value pairs.
- Negate: Select Negate so that the custom signature matches to traffic only when the defined Pattern Match condition is not true. This allows you to ensure that the custom signature is not triggered under certain conditions.
  A custom signature cannot be created with only Negate conditions; at least one positive condition must be included in order for a negate condition to be specified. Also, if the scope of the signature is set to Session, a Negate condition cannot be configured as the last condition to match to traffic.
  You can define exceptions for custom vulnerability or spyware signatures using the new option to negate signature generation when traffic matches both a signature and the exception to the signature. Use this option to allow certain traffic in your network that might otherwise be classified as spyware or a vulnerability exploit. In this case, the signature is generated for traffic that matches the pattern; traffic that matches the pattern but also matches the exception to the pattern is excluded from signature generation and any associated policy action (such as being blocked or dropped). For example, you can define a signature to be generated for redirected URLs; however, you can now also create an exception where the signature is not generated for URLs that redirect to a trusted domain.


When choosing an Equal To, Less Than, or Greater Than operator, specify for the following to be true for the signature to match to traffic:
- Context: Select from unknown requests and responses for TCP or UDP.
- Position: Select between the first four or second four bytes in the payload.
- Mask: Specify a 4-byte hex value, for example, 0xffffff00.
- Value: Specify a 4-byte hex value, for example, 0xaabbccdd.

Combination Signature: Select Combination and specify the following information:
Select Combination Signatures to specify conditions that define signatures:
- Add a condition by clicking Add AND Condition or Add OR Condition. To add a condition within a group, select the group and then click Add Condition.
- To move a condition within a group, select the condition and click Move Up or Move Down. To move a group, select the group and click Move Up or Move Down. You cannot move conditions from one group to another.
Select Time Attribute to specify the following information:
- Number of Hits: Specify the threshold that will trigger any policy-based action as a number of hits (1-1000) in a specified number of seconds (1-3600).
- Aggregation Criteria: Specify whether the hits are tracked by source IP address, destination IP address, or a combination of source and destination IP addresses.
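The Time Attribute threshold, modelled as an added example in Python (not Palo Alto Networks code): hits are counted per aggregation key inside a sliding window, and the policy action fires only when Number of Hits is reached within the interval, so the same five hits trigger at different moments depending on whether they are aggregated by source, by destination, or by the pair. The sliding-window counting, the reset after a trigger, the event format and the sample hits are assumptions made for illustration; the guide states only the ranges and the three aggregation choices.

```python
"""Model of the Time Attribute on a combination signature: the action fires
only when Number of Hits is reached within the interval, and hits are
tracked per Aggregation Criteria (source IP, destination IP, or the pair).

Added example, not Palo Alto Networks code. Sliding-window counting and
resetting the counter once the threshold fires are assumptions; the guide
states only the ranges (1-1000 hits in 1-3600 seconds) and the three
aggregation choices.
"""
from collections import defaultdict, deque

AGGREGATIONS = ("source", "destination", "source-and-destination")


class TimeAttribute:
    """Threshold tracker for one combination signature."""

    def __init__(self, number_of_hits: int, seconds: int, aggregation: str):
        if not 1 <= number_of_hits <= 1000:
            raise ValueError("Number of Hits must be between 1 and 1000")
        if not 1 <= seconds <= 3600:
            raise ValueError("interval must be between 1 and 3600 seconds")
        if aggregation not in AGGREGATIONS:
            raise ValueError(f"aggregation must be one of {AGGREGATIONS}")
        self.threshold = number_of_hits
        self.window = seconds
        self.aggregation = aggregation
        self._hits = defaultdict(deque)     # key -> timestamps still inside the window

    def key_for(self, src: str, dst: str) -> str:
        """Aggregation key: which hits are counted together."""
        if self.aggregation == "source":
            return src
        if self.aggregation == "destination":
            return dst
        return f"{src}->{dst}"

    def record_hit(self, ts: int, src: str, dst: str) -> bool:
        """Register one condition match at time ts (seconds).

        Returns True when this hit brings the key up to the threshold inside
        the window; the counter for that key then restarts (assumption).
        """
        key = self.key_for(src, dst)
        window = self._hits[key]
        while window and ts - window[0] >= self.window:   # expire hits outside the window
            window.popleft()
        window.append(ts)
        if len(window) >= self.threshold:
            window.clear()
            return True
        return False


def evaluate(hits, attribute: TimeAttribute) -> list:
    """Replay (ts, src, dst) hits in time order and return (ts, key) for each
    moment the signature's policy action would be taken."""
    triggered = []
    for ts, src, dst in sorted(hits, key=lambda h: h[0]):
        if attribute.record_hit(ts, src, dst):
            triggered.append((ts, attribute.key_for(src, dst)))
    return triggered


# constructed condition matches: one client hits the condition every 10 s,
# another only every 100 s, both against the same server
SAMPLE_HITS = [
    (0, "10.0.0.5", "192.0.2.10"),
    (10, "10.0.0.5", "192.0.2.10"),
    (20, "10.0.0.5", "192.0.2.10"),
    (30, "10.0.0.5", "192.0.2.10"),
    (40, "10.0.0.5", "192.0.2.10"),
    (0, "10.0.0.9", "192.0.2.10"),
    (100, "10.0.0.9", "192.0.2.10"),
    (200, "10.0.0.9", "192.0.2.10"),
]

if __name__ == "__main__":
    for aggregation in AGGREGATIONS:
        attr = TimeAttribute(number_of_hits=5, seconds=60, aggregation=aggregation)
        print(f"{aggregation:>22}: {evaluate(SAMPLE_HITS, attr)}")
```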


Objects > Custom Objects > URL Category

Use the custom URL category page to create your custom list of URLs and use it in a URL filtering profile or as match criteria in policy rules. In a custom URL category, you can add URL entries individually, or import a text file that contains a list of URLs.

URL entries added to custom categories are case-insensitive.

The following table describes the custom URL settings:

Custom URL Category Settings

Name: Enter a name to identify the custom URL category (up to 31 characters). This name displays in the category list when defining URL filtering policies and in the match criteria for URL categories in policy rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: Enter a description for the URL category (up to 255 characters).

Shared: Select this option if you want the URL category to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the URL category will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the URL category will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this custom URL object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Sites:
- Add: Click Add to enter URLs, only one in each row. Each URL can be in the format www.example.com or can include wildcards, such as *.example.com. For additional information on formats supported, see Block List in Objects > Security Profiles > URL Filtering.
- Import: Click Import and browse to select the text file that contains the list of URLs. Enter only one URL per row. Each URL can be in the format www.example.com or can include wildcards, such as *.example.com. For additional information on formats supported, see Block List in Objects > Security Profiles > URL Filtering.
- Export: Click Export to export the custom URL entries included in the list. The URLs are exported as a text file.
- Delete: Select an entry and click Delete to remove the URL from the list.
To delete a custom category that you have used in a URL filtering profile, you must set the action to None before you can delete the custom category. See Category actions in Objects > Security Profiles > URL Filtering.


Objects > Security Profiles

Security profiles provide threat protection in Security policy. Each Security policy rule can include one or more Security Profiles. The following are available profile types:
- Antivirus profiles to protect against worms, viruses, and trojans and to block spyware downloads. See Objects > Security Profiles > Antivirus.
- Anti-Spyware profiles to block attempts from spyware on compromised hosts trying to phone home or beacon out to external command-and-control (C2) servers. See Objects > Security Profiles > Anti-Spyware Profile.
- Vulnerability Protection profiles to stop attempts to exploit system flaws or gain unauthorized access to systems. See Objects > Security Profiles > Vulnerability Protection.
- URL Filtering profiles to restrict users' access to specific websites and/or website categories, such as shopping or gambling. See Objects > Security Profiles > URL Filtering.
- File Blocking profiles to block selected file types, and in the specified session flow direction (inbound/outbound/both). See Objects > Security Profiles > File Blocking.
- WildFire Analysis profiles to specify for file analysis to be performed locally on the WildFire appliance or in the WildFire cloud. See Objects > Security Profiles > WildFire Analysis.
- Data Filtering profiles that help prevent sensitive information such as credit card or social security numbers from leaving a protected network. See Objects > Security Profiles > Data Filtering.
- DoS Protection profiles are used with DoS Protection policy rules to protect the firewall from high-volume single-session and multiple-session attacks. See Objects > Security Profiles > DoS Protection.
In addition to individual profiles, you can combine profiles that are often applied together, and create Security Profile groups (Objects > Security Profile Groups).

Actions in Security Profiles

The action specifies how the firewall responds to a threat event. Every threat or virus signature that is defined by Palo Alto Networks includes a default action, which is typically either set to Alert, which informs you using the option you have enabled for notification, or to Reset Both, which resets both sides of the connection. However, you can define or override the action on the firewall. The following actions are applicable when defining Antivirus profiles, Anti-Spyware profiles, Vulnerability Protection profiles, custom spyware objects, custom vulnerability objects, or DoS Protection profiles.

Columns in the original table: Action, Description, Antivirus Profile, Anti-Spyware Profile, Vulnerability Protection Profile, Custom Object (Spyware and Vulnerability), DoS Protection Profile.

Default: Takes the default action that is specified internally for each threat signature. For antivirus profiles, it takes the default action for the virus signature. For DoS Protection profiles: Random Early Drop.

Allow: Permits the application traffic.

Alert: Generates an alert for each application traffic flow. The alert is saved in the threat log. For DoS Protection profiles: Generates an alert when attack volume (cps) reaches the Alarm threshold set in the profile.

Drop: Drops the application traffic.

Reset Client: For TCP, resets the client-side connection. For UDP, the connection is dropped.

Reset Server: For TCP, resets the server-side connection. For UDP, the connection is dropped.

Reset Both: For TCP, resets the connection on both client and server ends. For UDP, the connection is dropped.

Block IP: Blocks traffic from either a source or a source-destination pair; configurable for a specified period of time.

Sinkhole: This action directs DNS queries for malicious domains to a sinkhole IP address. The action is available for Palo Alto Networks DNS signatures and for custom domains included in Objects > External Dynamic Lists.

Random Early Drop: Causes the firewall to randomly drop packets when connections per second reach the Activate Rate threshold in a DoS Protection profile applied to a DoS Protection rule.

SYN Cookies: Causes the firewall to generate SYN cookies to authenticate a SYN from a client when connections per second reach the Activate Rate threshold in a DoS Protection profile applied to a DoS Protection rule.

You cannot delete a profile that is used in a policy rule; you must first remove the profile from the policy rule.


Objects > Security Profiles > Antivirus

Use the Antivirus Profiles page to configure options to have the firewall scan for viruses on the defined traffic. Set the applications that should be inspected for viruses and the action to take when a virus is detected. The default profile inspects all of the listed protocol decoders for viruses, generates alerts for Simple Mail Transport Protocol (SMTP), Internet Message Access Protocol (IMAP), and Post Office Protocol Version 3 (POP3), and takes the default action for other applications (alert or deny), depending on the type of virus detected. The profile will then be attached to a Security policy rule to determine the traffic traversing specific zones that will be inspected.
Customized profiles can be used to minimize antivirus inspection for traffic between trusted security zones, and to maximize the inspection of traffic received from untrusted zones, such as the Internet, as well as the traffic sent to highly sensitive destinations, such as server farms.
To add a new Antivirus profile, select Add and enter the following settings:

Field Description

Name: Enter a profile name (up to 31 characters). This name appears in the list of antivirus profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.

Description: Enter a description for the profile (up to 255 characters).

Shared: Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Antivirus profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

The Antivirus tab allows you to specify the action for the different types of traffic, such as FTP and HTTP.

Packet Capture: Select this option if you want to capture identified packets.

Decoders and Actions: For each type of traffic that you want to inspect for viruses, select an action from the drop-down. You can define different actions for standard antivirus signatures (Action column) and signatures generated by the WildFire system (WildFire Action column).
Some environments may have requirements for a longer soak time for antivirus signatures, so this option enables the ability to set different actions for the two antivirus signature types provided by Palo Alto Networks. For example, the standard antivirus signatures go through a longer soak period before being released (24 hours), versus WildFire signatures, which can be generated and released within 15 minutes after a threat is detected. Because of this, you may want to choose the alert action on WildFire signatures instead of blocking.


Applications Exceptions and Actions: The Applications Exception table allows you to define applications that will not be inspected. For example, to block all HTTP traffic except for a specific application, you can define an antivirus profile for which the application is an exception. Block is the action for the HTTP decoder, and Allow is the exception for the application. For each application exception, select the action to be taken when the threat is detected. For a list of actions, see Actions in Security Profiles.
To find an application, start typing the application name in the text box. A matching list of applications is displayed, and you can make a selection.

Virus Exception: Use the Virus Exceptions tab to define a list of threats that will be ignored by the antivirus profile.

Threat ID: To add specific threats that you want to ignore, enter one Threat ID at a time and click Add. Threat IDs are presented as part of the threat log information. Refer to Monitor > Logs.


Objects > Security Profiles > Anti-Spyware Profile

You can attach an Anti-Spyware profile to a Security policy rule for detecting connections initiated by spyware and command-and-control (C2) malware installed on systems on your network. You can choose between two predefined Anti-Spyware profiles in a Security policy rule. Each of these profiles has a set of predefined rules (with threat signatures) organized by the severity of the threat; each threat signature includes a default action that is specified by Palo Alto Networks.
- Default: The default profile uses the default action for every signature, as specified by Palo Alto Networks when the signature is created.
- Strict: The strict profile overrides the action defined in the signature file for critical, high, and medium severity threats, and sets it to the block action. The default action is taken with low and informational severity threats.
You can also create custom profiles. You can, for example, reduce the stringency for Anti-Spyware inspection for traffic between trusted security zones, and maximize the inspection of traffic received from the Internet, or traffic sent to protected assets such as server farms.
The following tables describe the Anti-Spyware profile settings:

Anti-Spyware Profile Settings

Name: Enter a profile name (up to 31 characters). This name appears in the list of Anti-Spyware profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.

Description: Enter a description for the profile (up to 255 characters).

Shared: Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Anti-Spyware profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Rules
Anti-Spyware rules allow you to define a custom severity and action to take on any threat, a specific threat name that contains the text that you enter, and/or by a threat category, such as adware.
Add a new rule, or select an existing rule and select Find Matching Signatures to filter threat signatures based on that rule.

Rule Name: Specify the rule name.

Threat Name: Enter any to match all signatures, or enter text to match any signature containing the entered text as part of the signature name.

Severity: Choose a severity level (critical, high, medium, low, or informational).


Action: Choose an action for each threat. For a list of actions, see Actions in Security Profiles.

Packet Capture: Select this option if you want to capture identified packets.
Select single-packet to capture one packet when a threat is detected, or select the extended-capture option to capture from 1 to 50 packets. Extended capture provides much more context to the threat when analyzing the threat logs. To view the packet capture, select Monitor > Logs > Threat, locate the log entry you are interested in, and then click the green down arrow in the second column. To define the number of packets that should be captured, select Device > Setup > Content-ID and then edit the Content-ID Settings.
Packet captures will only occur if the action is allow or alert. If the block action is set, the session is ended immediately.

Exceptions Tab
Allows you to change the action for a specific signature. For example, you can generate alerts for a specific set of signatures and block all packets that match all other signatures. Threat exceptions are usually configured when false positives occur. To make management of threat exceptions easier, you can add threat exceptions directly from the Monitor > Logs > Threat list. Ensure that you obtain the latest content updates so that you are protected against new threats and have new signatures for any false positives.

Exceptions: Select Enable for each threat for which you want to assign an action, or select All to respond to all listed threats. The list depends on the selected host, category, and severity. If the list is empty, there are no threats for the current selections.
Use the IP Address Exemptions column to add IP address filters to a threat exception. If IP addresses are added to a threat exception, the threat exception action for that signature will only be taken over the rule's action if the signature is triggered by a session having either the source or destination IP matching an IP in the exception. You can add up to 100 IP addresses per signature. With this option, you do not have to create a new policy rule and new vulnerability profile to create an exception for a specific IP address.

DNS Signatures Tab

The DNS Signatures settings provide an additional method of identifying infected hosts on a network. These signatures detect specific DNS lookups for hostnames that have been associated with malware. The DNS signatures can be configured to allow, alert, sinkhole, or block when these queries are observed, just as with regular antivirus signatures. Additionally, hosts that perform DNS queries for malware domains will appear in the botnet report. DNS signatures are downloaded as part of the antivirus updates.

External Dynamic List Domains: Allows you to select the lists for which you want to enforce an action when a DNS query occurs. By default, the list of DNS signatures provided through content updates (Palo Alto Networks DNS Signatures list) is sinkholed. The default IP address used for sinkholing belongs to Palo Alto Networks (71.19.152.112). This IP address is not static and can be modified through content updates on the firewall or Panorama.
To add a new list, click Add and select the External Dynamic List of type Domain that you had created. To create a new list, see Objects > External Dynamic Lists.


ActiononDNSqueries ChooseanactiontobetakenwhenDNSlookupsaremadetoknown
malwaresites.Theoptionsarealert,allow,block,orsinkhole.Thedefault
actionforPaloAltoNetworksDNSsignaturesissinkhole.
TheDNSsinkholeactionprovidesadministratorswithamethodof
identifyinginfectedhostsonthenetworkusingDNStraffic,evenwhenthe
firewallisnorthofalocalDNSserver(i.e.thefirewallcannotseethe
originatoroftheDNSquery).Whenathreatpreventionlicenseisinstalled
andanAntiSpywareprofileisenabledinaSecurityProfile,theDNSbased
signatureswilltriggeronDNSqueriesdirectedatmalwaredomains.Ina
typicaldeploymentwherethefirewallisnorthofthelocalDNSserver,the
threatlogwillidentifythelocalDNSresolverasthesourceofthetraffic
ratherthantheactualinfectedhost.SinkholingmalwareDNSqueriessolves
thisvisibilityproblembyforgingresponsestothequeriesdirectedat
maliciousdomains,sothatclientsattemptingtoconnecttomalicious
domains(forcommandandcontrol,forexample)insteadattempt
connectionstoanIPaddressspecifiedbytheadministrator.Infectedhosts
canthenbeeasilyidentifiedinthetrafficlogsbecauseanyhostthat
attemptstoconnecttothesinkholeIParemostlikelyinfectedwithmalware.
Afterselectingthesinkholeaction,specifyanIPv4and/orIPv6addressthat
willbeusedforsinkholing.Bydefault,thesinkholeIPaddressissettoaPalo
AltoNetworksserver.Youcanthenusethetrafficlogsorbuildacustom
reportthatfiltersonthesinkholeIPaddressandidentifyinfectedclients.
ThefollowingisthesequenceofeventsthatwilloccurwhenanDNSrequest
issinkholed:
MalicioussoftwareonaninfectedclientcomputersendsaDNSqueryto
resolveamalicioushostontheInternet.
Theclient'sDNSqueryissenttoaninternalDNSserver,whichthenqueries
apublicDNSserverontheothersideofthefirewall.
TheDNSquerymatchesaDNSentryintheDNSsignaturesdatabase,sothe
sinkholeactionwillbeperformedonthequery.
Theinfectedclientthenattemptstostartasessionwiththehost,butuses
theforgedIPaddressinstead.TheforgedIPaddressistheaddressdefined
intheAntiSpywareprofileDNSSignaturestabwhenthesinkholeactionis
selected.
TheadministratorisalertedofamaliciousDNSqueryinthethreatlog,and
canthensearchthetrafficlogsforthesinkholeIPaddressandcaneasily
locatetheclientIPaddressthatistryingtostartasessionwiththesinkhole
IPaddress.

PacketCapture Selectthisoptionifyouwanttocaptureidentifiedpackets.

ThreatID ManuallyenterDNSsignatureexceptions(rangeis
40000004999999).
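The last step of the sinkhole sequence above is the one that actually names the infected host. The following added example (not code from the guide) shows that step as a script: it reads simplified, constructed traffic-log rows and reports every source that tried to open a session to the configured sinkhole address, leaving the internal DNS resolver out of the result. The sinkhole addresses, log format and IP addresses are constructed for illustration.

```python
"""Identify likely-infected hosts from sinkholed DNS traffic.

Added example (not from the PAN-OS guide). It mirrors the workflow the
guide describes: the threat log shows the DNS resolver as the source of
the sinkholed query, so the real infected host is found by filtering
the traffic log for sessions whose destination is the sinkhole address.
Log rows and addresses below are constructed for illustration.
"""
from collections import defaultdict
import ipaddress

# Constructed sinkhole addresses (assumption: the IPv4/IPv6 values an
# administrator entered in the Anti-Spyware profile).
SINKHOLE_ADDRS = {"10.99.99.99", "2001:db8:ffff::99"}

# Constructed, simplified traffic-log rows: src,dst,dport,action.
# Real PAN-OS traffic logs carry many more fields; only these matter here.
# 10.1.1.53 is the internal resolver: its own sessions go to a public
# DNS server, not to the sinkhole, so it is correctly not flagged.
TRAFFIC_LOG = """\
10.1.7.8,10.99.99.99,443,allow
10.1.7.8,93.184.216.34,443,allow
10.1.2.5,10.1.1.53,53,allow
10.1.2.5,10.99.99.99,80,allow
10.1.1.53,8.8.8.8,53,allow
10.1.3.10,2001:db8:ffff::99,443,deny
10.1.3.10,10.99.99.99,443,deny
"""


def parse_traffic_log(text):
    """Yield (src, dst, dport, action) tuples from the constructed rows."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, action = line.split(",")
        yield src, dst, int(dport), action


def is_sinkhole(addr, sinkholes=SINKHOLE_ADDRS):
    """True if addr is one of the configured sinkhole addresses.

    Addresses are normalised so that an IPv6 address written with a
    different zero-compression (for example 2001:db8:ffff:0::99) still
    matches the configured value.
    """
    try:
        target = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(target == ipaddress.ip_address(s) for s in sinkholes)


def infected_hosts(text, sinkholes=SINKHOLE_ADDRS):
    """Map each source IP that tried to reach a sinkhole address to the
    number of such sessions.

    Any host in this map is a candidate for incident response whether
    the session was allowed or denied: the attempt itself is the
    indicator, exactly as the guide describes for the traffic log.
    """
    hits = defaultdict(int)
    for src, dst, _dport, _action in parse_traffic_log(text):
        if is_sinkhole(dst, sinkholes):
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, count in sorted(infected_hosts(TRAFFIC_LOG).items()):
        print(f"{host}: {count} session(s) to a sinkhole address")
```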


Objects > Security Profiles > Vulnerability Protection

A Security policy rule can include specification of a Vulnerability Protection profile that determines the level of protection against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. There are two predefined profiles available for the Vulnerability Protection feature:
- The default profile applies the default action to all client and server critical, high, and medium severity vulnerabilities. It does not detect low and informational vulnerability protection events.
- The strict profile applies the block response to all client and server critical, high and medium severity spyware events and uses the default action for low and informational vulnerability protection events.
Customized profiles can be used to minimize vulnerability checking for traffic between trusted security zones, and to maximize protection for traffic received from untrusted zones, such as the Internet, as well as the traffic sent to highly sensitive destinations, such as server farms. To apply Vulnerability Protection profiles to Security policies, refer to Policies > Security.
The Rules settings specify collections of signatures to enable, as well as actions to be taken when a signature within a collection is triggered.
The Exceptions settings allow you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exceptions tab supports filtering functions.
The Vulnerability Protection page presents a default set of columns. Additional columns of information are available by using the column chooser. Click the arrow to the right of a column header and select the columns from the Columns submenu.
The following tables describe the Vulnerability Protection profile settings:

Vulnerability Protection Profile Settings    Description

Name: Enter a profile name (up to 31 characters). This name appears in the list of Vulnerability Protection profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.

Description: Enter a description for the profile (up to 255 characters).

Shared: Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Vulnerability Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Rules Tab

Rule Name: Specify a name to identify the rule.

Threat Name: Specify a text string to match. The firewall applies a collection of signatures to the rule by searching signature names for this text string.


Action: Choose the action to take when the rule is triggered. For a list of actions, see Actions in Security Profiles.
The Default action is based on the predefined action that is part of each signature provided by Palo Alto Networks. To view the default action for a signature, select Objects > Security Profiles > Vulnerability Protection and Add or select an existing profile. Click the Exceptions tab and then click Show all signatures to see a list of all signatures and the associated Action.

Host Type: Specify whether to limit the signatures for the rule to those that are client side, server side, or either (any).

Packet Capture: Select this option if you want to capture identified packets. Select single-packet to capture one packet when a threat is detected, or select the extended-capture option to capture from 1 to 50 packets. Extended capture provides much more context to the threat when analyzing the threat logs. To view the packet capture, select Monitor > Logs > Threat, locate the log entry you are interested in, and then click the green down arrow in the second column. To define the number of packets that should be captured, select Device > Setup > Content-ID and then edit the Content-ID Settings.
Packet captures will only occur if the action is allow or alert. If the block action is set, the session is ended immediately.

Category: Select a vulnerability category if you want to limit the signatures to those that match that category.

CVE List: Specify common vulnerabilities and exposures (CVEs) if you want to limit the signatures to those that also match the specified CVEs.
Each CVE is in the format CVE-yyyy-xxxx, where yyyy is the year and xxxx is the unique identifier. You can perform a string match on this field. For example, to find vulnerabilities for the year 2011, enter 2011.

Vendor ID: Specify vendor IDs if you want to limit the signatures to those that also match the specified vendor IDs.
For example, the Microsoft vendor IDs are in the form MSyy-xxx, where yy is the two-digit year and xxx is the unique identifier. For example, to match Microsoft for the year 2009, enter MS09.

Severity: Select severities to match (informational, low, medium, high, or critical) if you want to limit the signatures to those that also match the specified severities.


Exceptions Tab

Threats: Select Enable for each threat for which you want to assign an action, or select All to respond to all listed threats. The list depends on the selected host, category, and severity. If the list is empty, there are no threats for the current selections.
Choose an action from the drop-down, or choose from the Action drop-down at the top of the list to apply the same action to all threats. If you selected Show All, then all signatures are listed. If not, only the signatures that are exceptions are listed.
Select Packet Capture if you want to capture identified packets.
The vulnerability signature database contains signatures that indicate a brute-force attack; for example, Threat ID 40001 triggers on an FTP brute-force attack. Brute-force signatures trigger when a condition occurs within a certain time threshold. The thresholds are preconfigured for brute-force signatures, and can be changed by clicking edit next to the threat name on the Vulnerability tab (with the Custom option selected). You can specify the number of hits per unit of time and whether the threshold applies to source, destination, or source and destination.
Thresholds can be applied on a source IP, destination IP, or a combination of source IP and destination IP.
The default action is shown in parentheses. The CVE column shows identifiers for common vulnerabilities and exposures (CVE). These unique, common identifiers are for publicly known information security vulnerabilities.
Click into the IP Address Exemptions column to Add IP address filters to a threat exception. When you add an IP address to a threat exception, the threat exception action for that signature will take precedence over the rule's action only if the signature is triggered by a session with either a source or destination IP address matching an IP address in the exception. You can add up to 100 IP addresses per signature. You must enter a unicast IP address (that is, an address without a netmask), such as 10.1.7.8 or 2001:db8:123:1::1. By adding IP address exemptions, you do not have to create a new policy rule and new vulnerability profile to create an exception for a specific IP address.
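The brute-force threshold described above (a number of hits per unit of time, tracked per source, per destination, or per source-and-destination pair) is easy to misjudge when tuning: the same events cross the threshold at different moments depending on the aggregation. The following added example (not code from the guide, and not the firewall's implementation) evaluates a sliding-window threshold over constructed FTP login-failure events so the effect of each aggregation choice can be seen; event times, addresses and threshold values are constructed.

```python
"""Brute-force threshold evaluation over constructed events.

Added example (not code from the PAN-OS guide). It models the threshold
semantics the Exceptions tab describes for brute-force signatures: the
signature fires when a number of hits occurs within a time window, and
the count is tracked per source IP, per destination IP, or per
source-destination pair. Event data, addresses and thresholds are
constructed; the evaluation logic is an illustration only.
"""
from collections import defaultdict, deque


def _key(aggregate, src, dst):
    """Choose the counter key for the configured aggregation mode."""
    if aggregate == "source":
        return src
    if aggregate == "destination":
        return dst
    if aggregate == "source-and-destination":
        return (src, dst)
    raise ValueError(f"unknown aggregation mode: {aggregate}")


def evaluate_threshold(events, hits, interval, aggregate):
    """Return the list of (timestamp, key) points at which the threshold
    was crossed.

    events:   iterable of (timestamp_seconds, src_ip, dst_ip), in time
              order, one per matched hit (for example, one failed FTP
              login).
    hits:     number of hits that must fall within the window.
    interval: window length in seconds (sliding window).
    aggregate: "source", "destination" or "source-and-destination".

    After the threshold fires for a key, its window is cleared so the
    same hits are not counted toward a second trigger.
    """
    windows = defaultdict(deque)
    triggered = []
    for ts, src, dst in events:
        key = _key(aggregate, src, dst)
        window = windows[key]
        window.append(ts)
        # Drop hits that have aged out of the sliding window.
        while ts - window[0] > interval:
            window.popleft()
        if len(window) >= hits:
            triggered.append((ts, key))
            window.clear()
    return triggered


# Constructed FTP login-failure hits: (seconds, source, destination).
# Two clients hit one FTP server; one client also tries a second server.
EVENTS = [
    (0, "10.1.7.8", "192.0.2.21"),
    (5, "10.1.7.8", "192.0.2.21"),
    (9, "10.1.7.8", "192.0.2.21"),
    (12, "10.1.2.5", "192.0.2.21"),
    (14, "10.1.2.5", "192.0.2.22"),
    (15, "10.1.7.8", "192.0.2.21"),
    (70, "10.1.7.8", "192.0.2.21"),
    (71, "10.1.7.8", "192.0.2.21"),
]


if __name__ == "__main__":
    # With 4 hits in 60 seconds, the destination-keyed threshold fires
    # first (at t=12, counting both clients), while the source-keyed
    # threshold fires only once 10.1.7.8 alone reaches 4 hits (t=15).
    for mode in ("source", "destination", "source-and-destination"):
        print(mode, evaluate_threshold(EVENTS, 4, 60, mode))
```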


Objects > Security Profiles > URL Filtering

You can use URL filtering profiles to control access to web content.

What are you looking for?
- Control access to websites based on URL category. See Categories.
- Enable the firewall to detect corporate credential submissions, and then control the URL categories to which users can submit credentials. See User Credential Detection and Categories.
- Enforce safe search settings. See URL Filtering Settings.
- Enable logging of HTTP headers. See URL Filtering Settings.
- Define website block and allow lists. See Overrides.
- Allow password-based access to certain sites. See Overrides.
- Looking for more? Learn more about and configure URL Filtering. Prevent Credential Phishing based on URL category. To create custom URL categories with your own lists of URLs, select Objects > Custom Objects > URL Category.

General Settings

General Settings    Description

Name: Enter a profile name (up to 31 characters). This name appears in the list of URL filtering profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: Enter a description for the profile (up to 255 characters).

Shared: Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this URL Filtering profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.


Categories

Objects > Security Profiles > URL Filtering > Categories

Categories Settings    Description

Category: In addition to the predefined categories, both custom URL categories and external dynamic lists of type URL are displayed under Category. By default, the Site Access and User Credential Submission permissions for all categories are set to Allow.

Site Access: For each URL category, select the action to take when a user attempts to access a URL in that category (Site Access):
- alert: Allows access to the website but adds an alert to the URL log each time a user accesses the URL.
- allow: Allows access to the website.
- block: Blocks access to the website. If the Site Access for a URL category is set to block, the User Credential Submission permission is automatically also set to block.
- continue: Displays a page to users that warns them against continuing to access the page. To access the website, the user must click Continue.
  The Continue pages will not be displayed properly on client machines that are configured to use a proxy server.
- override: Displays a response page that prompts the user to enter a valid password in order to gain access to the site. Configure URL Admin Override settings (Device > Setup > Content-ID) to manage password and other override settings. (See also the Management Settings table in Device > Setup > Content-ID.)
  The Override pages will not be displayed properly on client machines that are configured to use a proxy server.
- none (custom URL category only): If you have created custom URL categories, set the action to none to allow the firewall to inherit the URL filtering category assignment from your URL database vendor. Setting the action to none gives you the flexibility to ignore custom categories in a URL filtering profile, while allowing you to use the custom URL category as a match criterion in policy rules (Security, Decryption, and QoS) to make exceptions or to enforce different actions. To delete a custom URL category, you must set the action to none in any profile where the custom category is used. For information on custom URL categories, see Objects > Custom Objects > URL Category.


User Credential Submission: For each URL category, select the User Credential Submission setting to allow or disallow users from submitting valid corporate credentials to a URL in that category. Before you can control user credential submissions based on URL category, you must enable credential submission detection (select the User Credential Detection tab).
URL categories with Site Access set to block are automatically set to also block user credential submissions.
- alert: Allow users to submit credentials to the website, but generate a URL Filtering log each time a user submits credentials to sites in this category.
- allow (default): Allow users to submit credentials to the website.
- block: Block users from submitting credentials to the website. A default anti-phishing response page blocks user credential submissions.
- continue: Display a response page to users that prompts them to select Continue to submit credentials to the site. By default, an anti-phishing continue page displays to warn users when they attempt to submit credentials to sites to which credential submissions are discouraged. You can choose to create a custom response page to warn users against phishing attempts or to educate them against reusing valid corporate credentials on other websites.

Check URL Category: Click to access the PAN-DB URL Filtering database, where you can enter a URL or IP address to view categorization information.

Dynamic URL Filtering (Default: Disabled. Configurable for BrightCloud only; with PAN-DB, this option is enabled by default and is not configurable.): Select to enable cloud lookup for categorizing the URL. This option is invoked if the local database is unable to categorize the URL.
If the URL is unresolved after a 5-second timeout window, the response is displayed as Not resolved URL.

Overrides

Objects > Security Profiles > URL Filtering > Overrides

Overrides Settings    Description

Action on License Expiration: With BrightCloud: If you are using the BrightCloud database, you can configure the action to take if the URL filtering license expires:
- Block: Blocks access to all websites. Upon license expiration, all URLs are blocked, not just the URL categories previously set to block.
- Allow: Allows access to all websites. Upon license expiration, all URLs are allowed, not just the URL categories set to allow.
With PAN-DB: If the license expires for PAN-DB, URL filtering is not enforced:
- URL categories that are currently in the cache will be used to either block or allow content based on your configuration. Using cached results is a security risk because the categorization information might be stale.
- URLs that are not in the cache will be categorized as not-resolved and will be allowed.
Always renew your license in time to ensure network security.

Allow List (if you would like to use an External Dynamic List to dynamically update the list of URLs that you wish to allow, without a commit, see Objects > External Dynamic Lists): Enter the IP addresses or URL pathnames of the websites that you want to allow or generate alerts on. Enter each IP address or URL one per line.
You must omit the http and https portion of the URLs when adding websites to the list.
Entries in the allow list are an exact match and are case-insensitive. For example, "www.paloaltonetworks.com" is different from "paloaltonetworks.com". If you want to allow the entire domain, you should include both "*.paloaltonetworks.com" and "paloaltonetworks.com".
Examples:
  www.paloaltonetworks.com
  198.133.219.25/en/US
Block and allow lists support wildcard patterns. The following characters are considered separators:
  .  /  ?  &  =  ;  +
Every substring that is separated by the characters listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or *. For example, the following patterns are valid:
  *.yahoo.com (tokens are "*", "yahoo" and "com")
  www.*.com (tokens are "www", "*" and "com")
  www.yahoo.com/search=* (tokens are "www", "yahoo", "com", "search" and "*")
The following patterns are invalid because the character * is not the only character in the token:
  ww*.yahoo.com
  www.y*.com
This list takes precedence over the selected website categories.


Block List (if you would like to use an External Dynamic List to dynamically update the list of URLs that you wish to block, without a commit, see Objects > External Dynamic Lists): Enter the IP addresses or URL pathnames of the websites that you want to block or generate alerts on. Enter each URL one per line.
You must omit the http and https portion of the URLs when adding websites to the list.
Entries in the block list are an exact match and are case-insensitive. For example, "www.paloaltonetworks.com" is different from "paloaltonetworks.com". If you want to block the entire domain, you should include both "*.paloaltonetworks.com" and "paloaltonetworks.com".
Examples:
  www.paloaltonetworks.com
  198.133.219.25/en/US
Block and allow lists support wildcard patterns. The following characters are considered separators:
  .  /  ?  &  =  ;  +
Every substring that is separated by the characters listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or *. For example, the following patterns are valid:
  *.yahoo.com (tokens are "*", "yahoo" and "com")
  www.*.com (tokens are "www", "*" and "com")
  www.yahoo.com/search=* (tokens are "www", "yahoo", "com", "search" and "*")
The following patterns are invalid because the character * is not the only character in the token:
  ww*.yahoo.com
  www.y*.com

Action: Select the action to take when a website in the block list is accessed.
- alert: Allow the user to access the website, but add an alert to the URL log.
- block: Block access to the website.
- continue: Allow the user to access the blocked page by clicking Continue on the block page.
- override: Allow the user to access the blocked page after entering a password. The password and other override settings are specified in the URL Admin Override area of the Settings page (refer to the Management Settings table in Device > Setup > Management).
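The Allow List and Block List rows above share one entry syntax: separators split an entry into tokens, a token is either exactly "*" or a run of characters with no separator and no "*", and plain entries compare exactly and case-insensitively. The following added example (not code from the guide) implements those stated rules as a validator and matcher, useful for checking a list before it is pasted into a profile; the rule that "*" matches exactly one token is a simplifying assumption of this example, and the list entries and requests are constructed from the patterns the guide itself uses.

```python
"""Validate and match URL Filtering allow/block list entries.

Added example (not from the PAN-OS guide). It implements the
tokenization rules stated in the Overrides table: entries are split on
the separators . / ? & = ; + into tokens, a token may be "*" or any run
of ASCII characters containing no separator and no "*", the scheme
(http/https) must be omitted, and entries are compared exactly and
case-insensitively. That "*" matches exactly one token is an assumption
of this example; the lists and requests below are constructed.
"""
import re

SEPARATORS = "./?&=;+"
_SPLIT = re.compile("[" + re.escape(SEPARATORS) + "]")


def tokens(entry):
    """Split an entry into its tokens. Empty tokens produced by adjacent
    separators are kept so that the structure of the entry is preserved."""
    return _SPLIT.split(entry)


def is_valid_entry(entry):
    """True if the entry follows the guide's rules: no scheme prefix, and
    every token is either exactly "*" or a run of printable ASCII
    characters with no separator and no "*" in it."""
    if not entry or not entry.isascii():
        return False
    if entry.lower().startswith(("http://", "https://")):
        return False  # the guide requires the http/https portion be omitted
    for tok in tokens(entry):
        if tok == "*":
            continue
        if "*" in tok or not tok.isprintable():
            return False
    return True


def entry_matches(entry, request):
    """Case-insensitive match of one list entry against a request written
    as host plus path with the scheme omitted. Literal tokens must be
    equal token for token; "*" matches exactly one token (assumption).
    This is why "*.paloaltonetworks.com" does not cover
    "paloaltonetworks.com": the token counts differ."""
    et, rt = tokens(entry.lower()), tokens(request.lower())
    if len(et) != len(rt):
        return False
    return all(e == "*" or e == r for e, r in zip(et, rt))


def first_match(request, entries):
    """Return the first list entry that matches the request, or None."""
    for entry in entries:
        if entry_matches(entry, request):
            return entry
    return None


# Constructed lists built from the patterns the guide shows as examples.
ALLOW_LIST = ["www.paloaltonetworks.com", "*.paloaltonetworks.com",
              "paloaltonetworks.com", "198.133.219.25/en/US"]
BLOCK_LIST = ["*.yahoo.com", "www.*.com", "www.yahoo.com/search=*"]


if __name__ == "__main__":
    for candidate in ALLOW_LIST + BLOCK_LIST + ["ww*.yahoo.com", "www.y*.com"]:
        print(f"{candidate:28} valid={is_valid_entry(candidate)}")
    for req in ("mail.yahoo.com", "Mail.Yahoo.COM/search=cats", "paloaltonetworks.com"):
        print(f"{req:28} allow={first_match(req, ALLOW_LIST)} block={first_match(req, BLOCK_LIST)}")
```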

URL Filtering Settings

Objects > Security Profiles > URL Filtering > URL Filtering Settings

URL Filtering Settings    Description

Log container page only (Default: Enabled): Select this option to log only the URLs that match the content type that is specified.

Enable Safe Search Enforcement (Default: Disabled. A URL filtering license is not required to use this feature.): Select this option to enforce strict safe search filtering.
Many search engines have a safe search setting that filters out adult images and videos in search query return traffic. When you select the setting to Enable Safe Search Enforcement, the firewall blocks search results if the end user is not using the strictest safe search settings in the search query. The firewall can enforce safe search for the following search providers: Google, Yahoo, Bing, Yandex, and YouTube. This is a best-effort setting and is not guaranteed by the search providers to work with every website.
To use safe search enforcement you must enable this setting and then attach the URL filtering profile to a Security policy rule. The firewall will then block any matching search query return traffic that is not using the strictest safe search settings.
If you are performing a search on Yahoo Japan (yahoo.co.jp) while logged in to your Yahoo account, the lock option for the search setting must also be enabled.
To prevent users from bypassing this feature by using other search providers, configure the URL filtering profile to block the search-engines category and then allow access to Bing, Google, Yahoo, Yandex, and YouTube.

HTTP Header Logging: Enabling HTTP Header Logging provides visibility into the attributes included in the HTTP request sent to a server. When enabled, one or more of the following attribute-value pairs are recorded in the URL Filtering log:
- User-Agent: The web browser that the user used to access the URL. This information is sent in the HTTP request to the server. For example, the User-Agent can be Internet Explorer or Firefox. The User-Agent value in the log supports up to 1024 characters.
- Referer: The URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested. The Referer value in the log supports up to 256 characters.
- X-Forwarded-For: The header field option that preserves the IP address of the user who requested the web page. It allows you to identify the IP address of the user, which is particularly useful if you have a proxy server on your network or you have implemented Source NAT that is masking the user's IP address such that all requests seem to originate from the proxy server's IP address or a common IP address. The X-Forwarded-For value in the log supports up to 128 characters.

User Credential Detection

Objects > Security Profiles > URL Filtering > User Credential Detection

Enable the firewall to detect when users submit corporate credentials. The firewall uses one of three methods to detect valid credentials submitted to web pages. Each method requires User-ID, which enables the firewall to compare username and password submissions to web pages against valid corporate credentials. Select one of these methods and then continue to Prevent Credential Phishing based on URL category.

User Credential Detection Settings    Description

IP User: This credential detection method checks for valid username submissions. You can use this method to detect credential submissions that include a valid corporate username (regardless of the accompanying password). The firewall determines a username match by verifying that the username matches the user logged in to the source IP address of the session. To use this method, the firewall matches the submitted username against its IP-address-to-username mapping table. To use this method you can use any of the user mapping methods described in Map IP Addresses to Users.

Group Mapping: The firewall determines if the username a user submits to a restricted site matches any valid corporate username. To do this, the firewall matches the submitted username to the list of usernames in its user-to-group mapping table to detect when users submit a corporate username to a site in a restricted category.
This method only checks for corporate username submissions based on LDAP group membership, which makes it simple to configure, but more prone to false positives.
You must enable group mapping to use this method.

Domain Credential: This credential detection method enables the firewall to check for a valid corporate username and the associated password. The firewall determines if the username and password a user submits match the same user's corporate username and password. To do this, the firewall must be able to match credential submissions to valid corporate usernames and passwords and verify that the username submitted maps to the IP address of the logged-in user. This mode is supported only with the Windows-based User-ID agent, and requires that the User-ID agent is installed on a read-only domain controller (RODC) and equipped with the User-ID Credential Service Add-on. To use this method, you must also enable User-ID to Map IP Addresses to Users using any of the supported user mapping methods, including Authentication Policy and Captive Portal and GlobalProtect.
See Prevent Credential Phishing for details on each of the methods the firewall can use to check for valid corporate credential submissions, and for steps to enable phishing prevention.

Valid Username Detected Log Severity: Set the severity for logs that indicate the firewall detected a valid username submission to a website.
This log severity is associated with events where a valid username is submitted to websites with credential submission permissions of alert, block or continue. Logs that record when a user submits a valid username to a website for which credential submissions are allowed have a severity of informational. Select Categories to review or adjust the URL categories to which credential submissions are allowed and blocked.


Objects > Security Profiles > File Blocking

You can attach a File Blocking profile to a Security policy rule (Policies > Security) to block users from uploading or downloading specified file types, or to generate an alert when a user attempts to upload or download specified file types.
The following tables describe the file blocking profile settings.

File Blocking Profile Settings    Description

Name: Enter a profile name (up to 31 characters). This name appears in the list of file blocking profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: Enter a description for the profile (up to 255 characters).

Shared: Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this File Blocking profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.


Rules: Define one or more rules to specify the action taken (if any) for the selected file types. To add a rule, specify the following and click Add:
- Name: Enter a rule name (up to 31 characters).
- Applications: Select the applications the rule applies to or select any.
- File Types: Click in the file types field and then click Add to view a list of supported file types. Click a file type to add it to the profile and continue to add additional file types as needed. If you select Any, the defined action is taken on all supported file types.
- Direction: Select the direction of the file transfer (Upload, Download, or Both).
- Action: Select the action taken when the selected file types are detected:
  - alert: An entry is added to the threat log.
  - block: The file is blocked.
  - continue: A message to the user indicates that a download has been requested and asks the user to confirm whether to continue. The purpose is to warn the user of a possible unknown download (also known as a drive-by download) and to give the user the option of continuing or stopping the download.
    When you create a file blocking profile with the action continue or continue-and-forward (used for WildFire forwarding), you can only choose the application web-browsing. If you choose any other application, traffic that matches the Security policy rule will not flow through the firewall, because the users will not be prompted with a continue page.
  - forward: The file is automatically sent to WildFire.
  - continue-and-forward: A continue page is presented, and the file is sent to WildFire (combines the continue and forward actions). This action only works with web-based traffic, because a user must click continue before the file will be forwarded and the continue response page option is only available with http/https.


Objects > Security Profiles > WildFire Analysis

Use a WildFire Analysis profile to specify whether WildFire file analysis is performed locally on the WildFire appliance or in the WildFire cloud. You can specify traffic to be forwarded to the public cloud or private cloud based on file type, application, or the transmission direction of the file (upload or download). After creating a WildFire analysis profile, adding the profile to a policy (Policies > Security) further allows you to apply the profile settings to any traffic matched to that policy (for example, a URL category defined in the policy).

WildFire Analysis Profile Settings    Description

Name: Enter a descriptive name for the WildFire analysis profile (up to 31 characters). This name appears in the list of WildFire Analysis profiles that you can choose from when defining a Security policy rule. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: Optionally describe the profile rules or the intended use for the profile (up to 255 characters).

Shared: Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Rules: Define one or more rules to specify traffic to forward to either the WildFire public cloud or the WildFire appliance (private cloud) for analysis.
- Enter a descriptive Name for any rules you add to the profile (up to 31 characters).
- Add an Application so that any application traffic will be matched to the rule and forwarded to the specified analysis destination.
- Select a File Type to be analyzed at the defined analysis destination for the rule.
  A WildFire private cloud (hosted by a WF-500 appliance) does not support analysis for APK files.
- Apply the rule to traffic depending on the transmission Direction. You can apply the rule to upload traffic, download traffic, or both.
- Select the Destination for traffic to be forwarded for analysis:
  - Select public-cloud so that all traffic matched to the rule is forwarded to the WildFire public cloud for analysis.
  - Select private-cloud so that all traffic matched to the rule is forwarded to the WildFire appliance for analysis.


Objects > Security Profiles > Data Filtering

Data filtering enables the firewall to detect sensitive information, such as credit card or social security numbers or internal corporate documents, and prevent this data from leaving a secure network. Before you enable data filtering, select Objects > Custom Objects > Data Patterns to define the type of data you want to filter (such as social security numbers or document titles that contain the word "confidential"). You can add several data pattern objects to a single Data Filtering profile and, when it is attached to a Security policy rule, the firewall scans allowed traffic for each data pattern and blocks matching traffic based on the data filtering profile settings.

Data Filtering Profile Settings    Description

Name: Enter a profile name (up to 31 characters). This name appears in the list of log forwarding profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: Enter a description for the profile (up to 255 characters).

Shared: Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Data Filtering profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Data Capture: Select this option to automatically collect the data that is blocked by the filter.
Specify a password for Manage Data Protection on the Settings page to view your captured data. Refer to Device > Setup > Management.

Data Pattern: Add an existing data pattern to use for filtering or select New to configure a new data pattern object (Objects > Custom Objects > Data Patterns).

Applications: Specify the applications to include in the filtering rule:
- Choose any to apply the filter to all of the listed applications. This selection does not block all possible applications, just the listed ones.
- Click Add to specify individual applications.

File Types: Specify the file types to include in the filtering rule:
- Choose any to apply the filter to all of the listed file types. This selection does not block all possible file types, just the listed ones.
- Click Add to specify individual file types.

Direction: Specify whether to apply the filter in the upload direction, download direction, or both.


Alert Threshold: Specify the number of times the data pattern must be detected in a file to trigger an alert.

Block Threshold: Block files that contain at least this many instances of the data pattern.

Log Severity: Define the log severity recorded for events that match this data filtering profile rule.
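The Alert Threshold and Block Threshold rows above are easiest to reason about against concrete content. The following added example (not code from the guide, and not the firewall's own data-pattern definitions) counts validated hits of a constructed credit-card pattern and a constructed SSN pattern in sample text and applies the two thresholds and the configured log severity the way the table describes them; the patterns, the Luhn check used to discard non-card 16-digit strings, the thresholds and the sample documents are all constructed.

```python
"""Data Filtering thresholds over constructed file content.

Added example (not code from the PAN-OS guide). It models how a Data
Filtering profile turns data-pattern hits into an outcome: the number of
matches in a file is compared against the Alert Threshold and the Block
Threshold, and the result is reported with the configured Log Severity.
The credit-card and SSN patterns, the Luhn check, the thresholds and
the sample documents are constructed stand-ins, not the firewall's own
data-pattern objects.
"""
import re

# Constructed data patterns (stand-ins for Objects > Custom Objects >
# Data Patterns). A credit-card candidate is also validated with the
# Luhn checksum so that arbitrary 16-digit strings do not count as hits.
PATTERNS = {
    "credit-card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def luhn_ok(digits):
    """Luhn checksum used to confirm a credit-card candidate."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_hits(pattern_name, text):
    """Number of validated occurrences of a data pattern in the text."""
    regex = PATTERNS[pattern_name]
    hits = 0
    for m in regex.finditer(text):
        value = m.group(0)
        if pattern_name == "credit-card" and not luhn_ok(re.sub(r"[ -]", "", value)):
            continue  # looks like a card number but fails the checksum
        hits += 1
    return hits


def evaluate(text, pattern_name, alert_threshold, block_threshold,
             log_severity="medium"):
    """Apply the profile thresholds as the guide describes them: block when
    at least block_threshold instances are present, otherwise alert when at
    least alert_threshold are present. Returns (action, hits, severity);
    action is None when neither threshold is met. A threshold of 0
    disables that outcome (assumption of this example)."""
    hits = count_hits(pattern_name, text)
    if block_threshold and hits >= block_threshold:
        return ("block", hits, log_severity)
    if alert_threshold and hits >= alert_threshold:
        return ("alert", hits, log_severity)
    return (None, hits, log_severity)


# Constructed documents. 4111 1111 1111 1111 and 5500 0000 0000 0004 pass
# the Luhn check; 1234-5678-9012-3456 does not and is therefore not a hit.
INVOICE = "Card 4111 1111 1111 1111 charged. Ref 1234-5678-9012-3456 is an order id."
EXPORT = "\n".join(["4111 1111 1111 1111", "5500 0000 0000 0004", "1234 5678 9012 3456"])
HR_NOTE = "SSN 123-45-6789 on file."


if __name__ == "__main__":
    # Alert on a single card number, block only when two or more appear.
    print(evaluate(INVOICE, "credit-card", alert_threshold=1, block_threshold=2))
    print(evaluate(EXPORT, "credit-card", alert_threshold=1, block_threshold=2, log_severity="high"))
    print(evaluate(HR_NOTE, "ssn", alert_threshold=2, block_threshold=3))
```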


Objects>SecurityProfiles>DoSProtection

DoSProtectionprofilesaredesignedforhighprecisiontargetingandtheyaugmentZoneProtection
profiles.ADoSProtectionprofilespecifiesthethresholdratesatwhichnewconnectionspersecond(cps)
triggeranalarmandanaction(specifiedintheDoSProtectionpolicy).TheDoSProtectionprofilealso
specifiesthemaximumrateofconnectionspersecondandhowlongablockedIPaddressremainsonthe
BlockIPlist.YouapplyaDoSprotectionprofiletoaDoSprotectionpolicyrulewhereyouspecifythecriteria
forpacketstomatchtherule.
ADoSProtectionprofileisconfiguredtobeanAggregateorClassifiedtype.YoucanapplyaClassifiedDoS
ProtectionprofiletoaClassifiedDoSProtectionrule.
AClassifiedDoSProtectionrulehasClassifiedselectedandspecifiesaClassifiedDoSProtectionprofile.
WhenaDoSProtectionruleactionisProtect,thefirewallcountsconnectionstowardthecpsthresholds
oftheDoSProtectionprofileifthepacketmeetsthespecifiedAddresstype:sourceiponly,
destinationiponly,orsrcdestipboth.
Bycomparison,aDoSProtectionruleisanAggregaterulewhenClassifiedisnotselected.WhenaDoS
ProtectionruleactionisProtect,anAggregaterulecausesthefirewalltocountallconnectionsthatmeet
thecriteriafortherule(theaggregate)towardthecpsthresholdsthatarespecifiedintheAggregateDoS
Protectionprofileidentifiedintherule.
ToapplyaDoSProtectionprofiletoaDoSProtectionpolicy,seePolicies>DoSProtection.

If you have a multiple virtual system (multi-vsys) environment and have configured the following:
  - External zones to enable inter-virtual-system communication, and
  - Shared gateways to allow virtual systems to share a common interface and a single IP address for external communications,
then the following Zone and DoS protection mechanisms are disabled on the external zone:
  - SYN cookies
  - IP fragmentation
  - ICMPv6
To enable IP fragmentation and ICMPv6 protection, create a separate zone protection profile for the shared gateway.
To protect against SYN floods on a shared gateway, you can apply a SYN Flood protection profile with either Random Early Drop or SYN cookies. On an external zone, only Random Early Drop is available for SYN Flood protection.

DoS Protection Profile Settings

Name: Enter a profile name (up to 31 characters). This name appears in the list of DoS Protection profiles when defining DoS Protection policy rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the profile to be available to:
  - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
  - Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.


Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this DoS Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Description: Enter a description of the profile (up to 255 characters).

Type: Select one of the following profile types:
  - aggregate: Apply the DoS thresholds configured in the profile to all connections that match the rule criteria on which this profile is applied. For example, an aggregate rule with a SYN flood threshold of 10,000 connections per second (cps) counts all connections that hit that particular DoS rule.
  - classified: Apply the DoS thresholds configured in the profile to the connections that match the classification criterion (source IP address, destination IP address, or source and destination IP address pair).

Flood Protection Tab

SYN Flood tab, UDP Flood tab, ICMP Flood tab, ICMPv6 tab, Other IP tab: Select this option to enable the type of flood protection indicated on the tab and specify the following settings:
  - Action (SYN Flood only): Action that the firewall performs if the DoS Protection policy action is Protect and if incoming connections per second (cps) reach the Activate Rate. Choose one of the following:
    - Random Early Drop: Drop packets randomly when connections per second reach the Activate Rate threshold.
    - SYN cookies: Use SYN cookies to generate acknowledgments so that it is not necessary to drop connections during a SYN flood attack.
  - Alarm Rate: Specify the threshold rate (cps) at which a DoS alarm is generated (range is 0 to 2,000,000 cps; default is 10,000 cps).
  - Activate Rate: Specify the threshold rate (cps) at which a DoS response is activated. The DoS response is configured in the Action field of the DoS Protection profile (Random Early Drop or SYN cookies). The Activate Rate range is 0 to 2,000,000 cps; default is 10,000 cps.
    If the profile Action is Random Early Drop (RED), RED occurs when incoming connections per second reach the Activate Rate threshold. If the cps rate increases, the RED rate increases according to an algorithm. The firewall continues with RED until the cps rate reaches the Max Rate threshold.
  - Max Rate: Specify the threshold rate of incoming connections per second the firewall allows. At the Max Rate threshold, the firewall drops 100% of new connections (range is 2 to 2,000,000 cps; default is 40,000 cps).
  - Block Duration: Specify the length of time (seconds) during which the offending IP address remains on the Block IP list and connections with the IP address are blocked. The firewall doesn't count packets that arrive during the block duration toward the Alarm Rate, Activate Rate, or Max Rate thresholds (range is 1 to 21,600 seconds; default is 300 seconds).

Resources Protection Tab

Sessions: Select this option to enable resources protection.


Max Concurrent Limit: Specify the maximum number of concurrent sessions.
  - For the Aggregate profile type, this limit applies to all traffic hitting the DoS Protection rule on which the DoS Protection profile is applied.
  - For the Classified profile type, this limit applies to the traffic on a classified basis (source IP, destination IP, or source and destination IP) hitting the DoS Protection rule to which the DoS Protection profile is applied.
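The threshold ladder in this table (Alarm Rate, Activate Rate, Max Rate, Block Duration) and the way a Classified profile counts per address are easier to reason about in code. The following Python model is an added example for this guide, not Palo Alto Networks code. The guide says only that RED "increases according to an algorithm" between Activate Rate and Max Rate, so the linear ramp below is an assumption, as is the source-ip-only granularity chosen for the Classified tracker; the addresses and rates fed to it are constructed.

```python
"""Added model of the DoS Protection profile thresholds (not PAN-OS code)."""
from dataclasses import dataclass


@dataclass
class FloodProfile:
    """One flood-protection tab (SYN, UDP, ICMP, ICMPv6 or Other IP)."""
    alarm_rate: int = 10_000      # cps at which a DoS alarm is logged
    activate_rate: int = 10_000   # cps at which the Action starts
    max_rate: int = 40_000        # cps at which 100% of new connections are dropped
    block_duration: int = 300     # seconds an offending IP stays on the Block IP list
    action: str = "random-early-drop"  # or "syn-cookies" (SYN Flood tab only)


def evaluate_cps(profile, cps):
    """Classify one observed new-connection rate.

    Returns (alarm, response, drop_fraction). ASSUMPTION: between Activate
    Rate and Max Rate the RED drop probability ramps linearly from 0 to 1;
    the guide only says it 'increases according to an algorithm'.
    """
    alarm = cps >= profile.alarm_rate
    if cps < profile.activate_rate:
        return alarm, None, 0.0
    if cps >= profile.max_rate:
        # Max Rate: all new connections are dropped, whatever the Action is.
        return alarm, profile.action, 1.0
    if profile.action == "syn-cookies":
        # Cookies answer SYNs statelessly instead of dropping them.
        return alarm, "syn-cookies", 0.0
    span = profile.max_rate - profile.activate_rate
    return alarm, "random-early-drop", (cps - profile.activate_rate) / span


class ClassifiedTracker:
    """Per-source-IP enforcement for a Classified profile with Address type
    source-ip-only (ASSUMED granularity; destination-ip-only and
    src-dest-ip-both would key the dictionary differently)."""

    def __init__(self, profile):
        self.profile = profile
        self.blocked_until = {}  # source IP -> time (s) at which the block expires

    def observe(self, src_ip, cps, now):
        """Apply the profile to one source's current rate at time `now` (seconds)."""
        expiry = self.blocked_until.get(src_ip)
        if expiry is not None and now < expiry:
            # Packets arriving during Block Duration are dropped and are
            # NOT counted toward the Alarm, Activate or Max Rate thresholds.
            return "blocked", 1.0
        alarm, response, drop = evaluate_cps(self.profile, cps)
        if drop >= 1.0:
            self.blocked_until[src_ip] = now + self.profile.block_duration
            return "blocked", 1.0
        if response is not None:
            return response, drop
        return ("alarm" if alarm else "allow"), 0.0


if __name__ == "__main__":
    # Constructed sequence: one source ramps up, gets blocked, then quiets down.
    tracker = ClassifiedTracker(FloodProfile())
    for t, ip, cps in [(0, "203.0.113.5", 25_000), (1, "203.0.113.5", 50_000),
                       (100, "203.0.113.5", 10), (300, "203.0.113.5", 10)]:
        print(t, ip, cps, tracker.observe(ip, cps, t))
```

Running the module shows the source entering RED at 25,000 cps, being placed on the block list at 50,000 cps, staying blocked at t=100 s even though its rate has collapsed (those packets are not counted), and being released once the 300 s Block Duration has elapsed.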


Objects > Security Profile Groups

The firewall supports the ability to create Security Profile groups, which specify sets of Security Profiles that can be treated as a unit and then added to security policies. For example, you can create a threats Security Profile group that includes profiles for Antivirus, Anti-Spyware, and Vulnerability Protection and then create a Security policy rule that includes the threats profile group.
Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, and File Blocking profiles that are often assigned together can be combined into profile groups to simplify the creation of security policies.
To define a new Security Profile, select Objects > Security Profiles.
The following table describes the Security Profile group settings:

Security Profile Group Settings

Name: Enter the profile group name (up to 31 characters). This name appears in the profiles list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the profile group to be available to:
  - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile group will be available only to the Virtual System selected in the Objects tab.
  - Every device group on Panorama. If you clear this selection, the profile group will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Security Profile group object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Profiles: Select an Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, and/or File Blocking profile to be included in this group. Data Filtering profiles can also be specified in Security Profile groups. Refer to Objects > Security Profiles > Data Filtering.


Objects > Log Forwarding

By default, the logs that the firewall generates reside only in its local storage. However, if you want to use Panorama or external services (such as a syslog server) to centrally monitor log information, you can define a Log Forwarding profile and assign it to Security, Authentication, and DoS Protection policy rules. Log Forwarding profiles define forwarding destinations for the following Log Types: Traffic, Threat, WildFire Submissions, URL Filtering, Data Filtering, Tunnel Inspection, and Authentication logs.

To forward other log types, see Device > Log Settings.

On PA-7000 Series firewalls, you must configure a Log Card Interface for the firewall to forward logs to the following logging destinations: Syslog, HTTP, Email, and SNMP. This is also required to forward files to WildFire. After the port is configured, log forwarding and WildFire forwarding will automatically use this port and there is no special configuration required for this to occur. Just configure a data port on one of the PA-7000 Series NPCs as interface type Log Card and ensure that the network that will be used can communicate with your log servers. For WildFire forwarding, the network must communicate successfully with the WildFire cloud and/or WildFire appliance.

The following table describes the Log Forwarding profile settings:

Log Forwarding Profile Settings

Name: Enter a name (up to 64 characters) to identify the profile. This name appears in the list of Log Forwarding profiles when defining Security policy rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the profile to be available to:
  - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
  - Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Log Forwarding profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Description: Enter a description to explain the purpose of this Log Forwarding profile.

Match List (unlabeled): Add one or more match list profiles (up to 64) that specify forwarding destinations, log attribute-based filters to control which logs the firewall forwards, and actions to perform on the logs (such as automatic tagging). Complete the following fields for each match list profile.

Name (match list profile): Enter a name (up to 31 characters) to identify the match list profile.

Description (match list profile): Enter a description (up to 1,023 characters) to explain the purpose of this match list profile.

Log Type: Select the type of logs to which this match list profile applies: traffic, threat, WildFire, URL, data, tunnel, or authentication (auth).


Filter: By default, the firewall forwards All Logs of the selected Log Type. To forward a subset of the logs, select an existing filter from the drop-down or select Filter Builder to add a new filter. For each query in a new filter, specify the following fields and Add the query:
  - Connector: Select the connector logic (and/or) for the query. Select Negate if you want to apply negation to the logic. For example, to avoid forwarding logs from an untrusted zone, select Negate, select Zone as the Attribute, select equal as the Operator, and enter the name of the untrusted Zone in the Value column.
  - Attribute: Select a log attribute. The available attributes depend on the Log Type.
  - Operator: Select the criterion to determine whether the attribute applies (such as equal). The available criteria depend on the Log Type.
  - Value: Specify the attribute value to match.
To display or export the logs that the filter matches, select View Filtered Logs. This tab provides the same options as the Monitoring tab pages (such as Monitoring > Logs > Traffic).

Panorama: Select Panorama if you want to forward logs to Log Collectors or the Panorama management server. If you enable this option, you must configure log forwarding to Panorama.

SNMP: Add one or more SNMP Trap server profiles to forward logs as SNMP traps (see Device > Server Profiles > SNMP Trap).

Email: Add one or more Email server profiles to forward logs as email notifications (see Device > Server Profiles > Email).

Syslog: Add one or more Syslog server profiles to forward logs as syslog messages (see Device > Server Profiles > Syslog).

HTTP: Add one or more HTTP server profiles to forward logs as HTTP requests (see Device > Server Profiles > HTTP).


Built-in Actions: Add the action to perform. Add or remove a tag on the source or destination IP address in a log entry automatically and register the IP address and tag mapping to a User-ID agent on the firewall or Panorama, or to a remote User-ID agent, so that you can respond to an event and dynamically enforce Security policy. The ability to tag an IP address and dynamically enforce policy using dynamic address groups gives you better visibility, context, and control for consistently enforcing Security policy irrespective of where the IP address moves across your network.
Configure the following settings:
  - Add an action and enter a name to describe it.
  - Select the target IP address you want to tag: Source Address or Destination Address.
    You can take an action for all log types that include a source or destination IP address in the log entry. You can tag the source IP address only in Correlation logs and HIP Match logs; you cannot configure an action for System logs and Configuration logs because the log type does not include an IP address in the log entry.
  - Select the action: Add Tag or Remove Tag.
  - Select whether to register the IP address and tag mapping to the Local User-ID agent on this firewall or Panorama, or to a Remote User-ID agent.
  - To register the IP address and tag mapping to a Remote User-ID agent, select the HTTP server profile (Device > Server Profiles > HTTP) that will enable forwarding.
  - Enter or select the Tags you want to apply to or remove from the target source or destination IP address.
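The Filter row (Connector, Negate, Attribute, Operator, Value) and the Built-in Actions row together describe a pipeline: select a subset of the logs of one Log Type, then tag the source or destination IP address of each selected entry so that a dynamic address group can act on it. The following Python is an added example of that pipeline written for this guide; it is not firewall code. The log entries are constructed, the attribute and operator names are simplified assumptions (the real lists depend on the Log Type), and the in-memory registry stands in for the User-ID agent that would receive the IP-address-to-tag registration.

```python
"""Added example: log match-list filtering and IP tagging (not PAN-OS code)."""
from dataclasses import dataclass

# Constructed log entries in a simplified shape; real logs carry many more fields.
SAMPLE_LOGS = [
    {"type": "traffic", "zone": "untrust", "src": "203.0.113.5", "dst": "10.0.0.8"},
    {"type": "traffic", "zone": "dmz", "src": "10.0.0.8", "dst": "198.51.100.20"},
    {"type": "threat", "zone": "trust", "src": "10.1.1.7", "dst": "10.0.0.8",
     "severity": "high"},
    {"type": "threat", "zone": "untrust", "src": "203.0.113.9", "dst": "10.0.0.8",
     "severity": "low"},
    {"type": "system", "severity": "high"},  # System logs carry no IP address fields
]

# Operators ASSUMED for this example; the real set depends on the Log Type.
OPERATORS = {
    "equal": lambda attr, value: attr == value,
    "not-equal": lambda attr, value: attr != value,
    "contains": lambda attr, value: attr is not None and value in str(attr),
}


@dataclass
class Query:
    """One row added in the Filter Builder."""
    attribute: str
    operator: str
    value: str
    connector: str = "and"   # joins this query to the ones added before it
    negate: bool = False


def matches(queries, entry):
    """Evaluate the queries left to right; an empty list means All Logs."""
    result = None
    for q in queries:
        hit = OPERATORS[q.operator](entry.get(q.attribute), q.value)
        if q.negate:
            hit = not hit
        if result is None:
            result = hit
        elif q.connector == "and":
            result = result and hit
        else:
            result = result or hit
    return True if result is None else result


def select_logs(log_type, queries, entries):
    """Return the entries a match-list profile for `log_type` would forward."""
    return [e for e in entries if e["type"] == log_type and matches(queries, e)]


class IpTagRegistry:
    """Stand-in for the IP-address-to-tag mappings a User-ID agent holds."""

    def __init__(self):
        self.tags = {}  # IP address -> set of tags

    def apply(self, action, entry, target, tag):
        """Add Tag / Remove Tag on the Source or Destination Address of one
        entry. Returns False when the entry has no such address (System and
        Configuration logs), matching the restriction described above."""
        ip = entry.get("src" if target == "source" else "dst")
        if ip is None:
            return False
        tagset = self.tags.setdefault(ip, set())
        if action == "add-tag":
            tagset.add(tag)
        elif action == "remove-tag":
            tagset.discard(tag)
        else:
            raise ValueError(action)
        return True

    def dynamic_group(self, tag):
        """Members of a dynamic address group whose match criterion is `tag`."""
        return sorted(ip for ip, t in self.tags.items() if tag in t)


if __name__ == "__main__":
    # Forward high-severity threat logs and quarantine their source address.
    registry = IpTagRegistry()
    for entry in select_logs("threat", [Query("severity", "equal", "high")], SAMPLE_LOGS):
        registry.apply("add-tag", entry, "source", "quarantine")
    print(registry.dynamic_group("quarantine"))
```

The Negate example from the Filter row is `Query("zone", "equal", "untrust", negate=True)`: applied to the traffic logs above it keeps only the dmz entry. Note that a Remove Tag action against the same match list is what lets an address leave the quarantine group again; without it the registration persists until the agent's own timeout clears it.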


Objects > Authentication

An authentication enforcement object specifies the method and service to use for authenticating end users who access your network resources. You assign the object to Authentication policy rules, which invoke the authentication method and service when traffic matches a rule (see Policies > Authentication).
The firewall has the following predefined, read-only authentication enforcement objects:
  - default-browser-challenge: The firewall transparently obtains user authentication credentials. If you select this action, you must enable Kerberos single sign-on (SSO) or NT LAN Manager (NTLM) authentication when you configure Captive Portal. If Kerberos SSO authentication fails, the firewall falls back to NTLM authentication. If you did not configure NTLM, or NTLM authentication fails, the firewall falls back to the authentication method specified in the predefined default-web-form object.
  - default-web-form: To authenticate users, the firewall uses the certificate profile or authentication profile you specified when configuring Captive Portal. If you specified an authentication profile, the firewall ignores any Kerberos SSO settings in the profile and presents a Captive Portal page for the user to enter authentication credentials.
  - default-no-captive-portal: The firewall evaluates Security policy without authenticating users.
Before creating a custom authentication enforcement object:
  - Configure a server profile that specifies how to connect to the authentication service (see Device > Server Profiles).
  - Assign the server profile to an authentication profile that specifies authentication settings such as Kerberos single sign-on parameters (see Device > Authentication Profile).
To create a custom authentication enforcement object, click Add and complete the following fields:

Authentication Enforcement Settings

Name: Enter a descriptive name (up to 31 characters) to help you identify the object when defining Authentication rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the object to be available to:
  - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the object will be available only to the Virtual System selected in the Objects tab.
  - Every device group on Panorama. If you clear this selection, the object will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this authentication enforcement object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.


Authentication Method: Select a method:
  - browser-challenge: The firewall transparently obtains user authentication credentials. If you select this action, the Authentication Profile you select must have Kerberos SSO enabled, or else you must have configured NTLM in the Captive Portal settings. If Kerberos SSO authentication fails, the firewall falls back to NTLM authentication. If you did not configure NTLM, or NTLM authentication fails, the firewall falls back to web-form authentication.
  - web-form: To authenticate users, the firewall uses the certificate profile you specified when configuring Captive Portal or the Authentication Profile you select in the authentication enforcement object. If you select an Authentication Profile, the firewall ignores any Kerberos SSO settings in the profile and presents a Captive Portal page for the user to enter authentication credentials.
  - no-captive-portal: The firewall evaluates Security policy without authenticating users.

Authentication Profile: Select the authentication profile that specifies the service to use for validating the identities of users.

Message: Enter instructions that tell users how to respond to the first authentication challenge that they see when their traffic triggers the Authentication rule. The message displays in the Captive Portal Comfort Page. If you don't enter a message, the default Captive Portal Comfort Page displays (see Device > Response Pages).
The firewall displays the Captive Portal Comfort Page only for the first authentication challenge (factor), which you define in the Authentication tab of the Authentication Profile (see Device > Authentication Profile). For multi-factor authentication (MFA) challenges that you define in the Factors tab of the profile, the firewall displays the MFA Login Page.


Objects > Decryption Profile

Decryption profiles enable you to block and control specific aspects of SSL Forward Proxy, SSL Inbound Inspection, and SSH traffic. After you create a decryption profile, you can then add that profile to a decryption policy; any traffic matched to the decryption policy will be enforced according to the profile settings.
You can also control the CAs that your firewall trusts. For more information, refer to Manage Default Trusted Certificate Authorities.
A default decryption profile is configured on the firewall and is automatically included in new decryption policies (you cannot modify the default decryption profile). Click Add to create a new decryption profile, or select an existing profile to Clone or modify it.

What are you looking for?
  - Add a new decryption profile, or enable port mirroring for decrypted traffic: see Decryption Profile General Settings.
  - Block and control SSL decrypted traffic: see Settings to Control Decrypted SSL Traffic.
  - Block and control traffic that you have excluded from decryption (for example, traffic classified as health-and-medicine or financial-services): see Settings to Control Traffic that is not Decrypted.
  - Block and control decrypted SSH traffic: see Settings to Control Decrypted SSH Traffic.

Decryption Profile General Settings

Name: Enter a profile name (up to 31 characters). This name appears in the list of decryption profiles when defining decryption policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the profile to be available to:
  - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
  - Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Decryption profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.


Decryption Mirroring Interface (PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls only): Select an Interface to use for decryption port mirroring.
Before you can enable decryption port mirroring, you must obtain a Decryption Port Mirror license, install the license, and reboot the firewall.

Forwarded Only (PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls only): Select Forwarded Only if you want to mirror decrypted traffic only after Security policy enforcement. With this option, only traffic that is forwarded through the firewall is mirrored. This option is useful if you are forwarding the decrypted traffic to other threat detection devices, such as a DLP device or another intrusion prevention system (IPS). If you clear this selection (the default setting), the firewall will mirror all decrypted traffic to the interface before Security policy lookup, which allows you to replay events and analyze traffic that generates a threat or triggers a drop action.

Settings to Control Decrypted SSL Traffic

The following table describes the settings you can use to control SSL traffic that has been decrypted using either SSL Forward Proxy decryption or SSL Inbound Inspection. You can use these settings to limit or block SSL sessions based on criteria including the status of the external server certificate, the use of unsupported cipher suites or protocol versions, or the availability of system resources to process decryption.

SSL Decryption Tab Settings

SSL Forward Proxy Tab: Select options to limit or block SSL traffic decrypted using SSL Forward Proxy.

Server Certificate Validation: Select options to control server certificates for decrypted SSL traffic.

Block sessions with expired certificates: Terminate the SSL connection if the server certificate is expired. This prevents a user from being able to accept an expired certificate and continue with an SSL session.

Block sessions with untrusted issuers: Terminate the SSL session if the server certificate issuer is untrusted.

Block sessions with unknown certificate status: Terminate the SSL session if a server returns a certificate revocation status of unknown. Certificate revocation status indicates whether trust for the certificate has or has not been revoked.

Block sessions on the certificate status check timeout: Terminate the SSL session if the certificate status cannot be retrieved within the amount of time that the firewall is configured to wait for a response from a certificate status service. You can configure the Certificate Status Timeout value when creating or modifying a certificate profile (Device > Certificate Management > Certificate Profile).

Restrict certificate extensions: Limits the certificate extensions used in the dynamic server certificate to key usage and extended key usage.


Unsupported Mode Checks: Select options to control unsupported SSL applications.

Block sessions with unsupported version: Terminate sessions if PAN-OS does not support the client hello message. PAN-OS supports SSLv3, TLS 1.0, TLS 1.1, and TLS 1.2.

Block sessions with unsupported cipher suites: Terminate the session if the cipher suite specified in the SSL handshake is not supported by PAN-OS.

Block sessions with client authentication: Terminate sessions with client authentication for SSL Forward Proxy traffic.

Failure Checks: Select the action to take if system resources are not available to process decryption.

Block sessions if resources not available: Terminate sessions if system resources are not available to process decryption.

Block sessions if HSM not available: Terminate sessions if a hardware security module (HSM) is not available to sign certificates.

For unsupported modes and failure modes, the session information is cached for 12 hours, so future sessions between the same host and server pair are not decrypted. Enable the options to block those sessions instead.

SSL Inbound Inspection Tab: Select options to limit or block SSL traffic decrypted using SSL Inbound Inspection.

Unsupported Mode Checks: Select options to control sessions if unsupported modes are detected in SSL traffic.

Block sessions with unsupported versions: Terminate sessions if PAN-OS does not support the client hello message. PAN-OS supports SSLv3, TLS 1.0, TLS 1.1, and TLS 1.2.

Block sessions with unsupported cipher suites: Terminate the session if the cipher suite used is not supported by PAN-OS.

Failure Checks: Select the action to take if system resources are not available.

Block sessions if resources not available: Terminate sessions if system resources are not available to process decryption.

Block sessions if HSM not available: Terminate sessions if a hardware security module (HSM) is not available to decrypt the session key.

SSL Protocol Settings Tab: Select the following settings to enforce protocol versions and cipher suites for SSL session traffic.

Protocol Versions: Enforce the use of minimum and maximum protocol versions for the SSL session.

Min Version: Set the minimum protocol version that can be used to establish the SSL connection.

Max Version: Set the maximum protocol version that can be used to establish the SSL connection. You can choose the option Max so that no maximum version is specified; in this case, protocol versions that are equivalent to or later than the selected minimum version are supported.


Key Exchange Algorithms: Enforce the use of the selected key exchange algorithms for the SSL session. To implement Perfect Forward Secrecy (PFS) for SSL Forward Proxy decrypted traffic, you can select DHE to enable Diffie-Hellman key exchange-based PFS or ECDHE to enable elliptic curve Diffie-Hellman-based PFS.

Encryption Algorithms: Enforce the use of the selected encryption algorithms for the SSL session.

Authentication Algorithms: Enforce the use of the selected authentication algorithms for the SSL session.
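The server-certificate checks, the unsupported-version check and the SSL Protocol Settings tab above combine into one accept-or-terminate decision per handshake. The following Python is an added example of that decision logic written for this guide, not firewall code. The handshake is a constructed summary (negotiated version, key exchange, encryption and authentication algorithm, certificate facts), and the default algorithm sets are assumptions, since the guide does not list the selectable algorithms; the `pfs_only_profile` helper shows the DHE/ECDHE-only configuration the Key Exchange Algorithms row suggests.

```python
"""Added example: applying Decryption profile SSL checks to a handshake (not PAN-OS code)."""
from dataclasses import dataclass, field
from datetime import date

# Protocol versions PAN-OS 8.0 supports, per this page, from oldest to newest.
VERSIONS = ["sslv3", "tls1-0", "tls1-1", "tls1-2"]


@dataclass
class DecryptionProfile:
    # Server Certificate Validation (SSL Forward Proxy tab)
    block_expired_certs: bool = True
    block_untrusted_issuers: bool = True
    block_unknown_cert_status: bool = False
    # Unsupported Mode Checks
    block_unsupported_version: bool = True
    # SSL Protocol Settings tab
    min_version: str = "tls1-0"
    max_version: str = "max"           # "max" = no upper bound on the version
    # ASSUMED algorithm names; the real selectable lists are not given on this page.
    key_exchange: set = field(default_factory=lambda: {"rsa", "dhe", "ecdhe"})
    encryption: set = field(default_factory=lambda: {"aes128-cbc", "aes256-cbc",
                                                     "aes128-gcm", "aes256-gcm"})
    authentication: set = field(default_factory=lambda: {"sha1", "sha256", "sha384"})


@dataclass
class Handshake:
    """Constructed summary of what the firewall learned from the server."""
    version: str
    key_exchange: str
    encryption: str
    authentication: str
    cert_not_after: date
    issuer_trusted: bool
    revocation_status: str   # "good", "revoked" or "unknown"


def check(profile, hs, today):
    """Return the reasons the session is terminated; [] means decrypt and proceed."""
    reasons = []
    if hs.version not in VERSIONS:
        # Unsupported Mode Check: the firewall cannot decrypt this at all.
        if profile.block_unsupported_version:
            reasons.append("unsupported-version")
    else:
        lo = VERSIONS.index(profile.min_version)
        hi = (len(VERSIONS) - 1 if profile.max_version == "max"
              else VERSIONS.index(profile.max_version))
        if not lo <= VERSIONS.index(hs.version) <= hi:
            reasons.append("version-outside-min-max")
    if (hs.key_exchange not in profile.key_exchange
            or hs.encryption not in profile.encryption
            or hs.authentication not in profile.authentication):
        reasons.append("cipher-not-allowed")
    if profile.block_expired_certs and hs.cert_not_after < today:
        reasons.append("expired-certificate")
    if profile.block_untrusted_issuers and not hs.issuer_trusted:
        reasons.append("untrusted-issuer")
    if profile.block_unknown_cert_status and hs.revocation_status == "unknown":
        reasons.append("unknown-certificate-status")
    return reasons


def pfs_only_profile():
    """Profile that enforces Perfect Forward Secrecy: only DHE or ECDHE key
    exchange is accepted, and nothing older than TLS 1.1."""
    return DecryptionProfile(min_version="tls1-1", key_exchange={"dhe", "ecdhe"})


if __name__ == "__main__":
    legacy = Handshake("tls1-0", "rsa", "rc4", "md5", date(2016, 1, 1), False, "unknown")
    print(check(DecryptionProfile(), legacy, date(2017, 2, 6)))
    print(check(pfs_only_profile(), legacy, date(2017, 2, 6)))
```

Note the difference between the two version checks: a version PAN-OS does not support at all is governed by the Unsupported Mode Check (and, if not blocked, the session is simply not decrypted and is cached as such for 12 hours), whereas a supported version outside the Min/Max window is a Protocol Settings violation and is terminated regardless.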

Settings to Control Traffic that is not Decrypted

You can use the No Decryption tab to enable settings to block traffic that is matched to a decryption policy configured with the No Decrypt action (Policies > Decryption > Action). Use these options to control server certificates for the session, even though the firewall does not decrypt and inspect the session traffic.

No Decryption Tab Settings

Block sessions with expired certificates: Terminate the SSL connection if the server certificate is expired. This prevents a user from being able to accept an expired certificate and continue with an SSL session.

Block sessions with untrusted issuers: Terminate the SSL session if the server certificate issuer is untrusted.

Settings to Control Decrypted SSH Traffic

The following table describes the settings you can use to control decrypted inbound and outbound SSH traffic. These settings allow you to limit or block SSH tunneled traffic based on criteria including the use of unsupported algorithms, the detection of SSH errors, or the availability of resources to process SSH Proxy decryption.

SSH Proxy Tab Settings

Unsupported Mode Checks: Use these options to control sessions if unsupported modes are detected in SSH traffic. The supported SSH version is SSH version 2.

Block sessions with unsupported versions: Terminate sessions if the client hello message is not supported by PAN-OS.

Block sessions with unsupported algorithms: Terminate sessions if the algorithm specified by the client or server is not supported by PAN-OS.


Failure Checks: Select the actions to take if SSH application errors occur and if system resources are not available.

Block sessions on SSH errors: Terminate sessions if SSH errors occur.

Block sessions if resources not available: Terminate sessions if system resources are not available to process decryption.


Objects > Schedules

By default, Security policy rules are always in effect (all dates and times). To limit a Security policy rule to specific times, you can define schedules, and then apply them to the appropriate policies. For each schedule, you can specify a fixed date and time range or a recurring daily or weekly schedule. To apply schedules to security policies, refer to Policies > Security.

When a Security policy rule is invoked by a defined schedule, only new sessions are affected by the applied Security policy rule. Existing sessions are not affected by the scheduled policy.

Schedule Settings

Name: Enter a schedule name (up to 31 characters). This name appears in the schedule list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the schedule to be available to:
  - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the schedule will be available only to the Virtual System selected in the Objects tab.
  - Every device group on Panorama. If you clear this selection, the schedule will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this schedule in device groups that inherit the schedule. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the schedule.

Recurrence: Select the type of schedule (Daily, Weekly, or Non-Recurring).

Daily: Click Add and specify a Start Time and End Time in 24-hour format (HH:MM).

Weekly: Click Add, select a Day of Week, and specify the Start Time and End Time in 24-hour format (HH:MM).

Non-recurring: Click Add and specify a Start Date, Start Time, End Date, and End Time.
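Whether a scheduled rule is in force at a given moment, and the consequence of the note above that only new sessions are affected, can be checked with a small evaluator. The following Python is an added example written for this guide, not firewall code. It assumes that time windows are half-open (the End Time itself is outside the window), that a Daily or Weekly window whose End Time is not later than its Start Time wraps past midnight, and a "YYYY/MM/DD HH:MM" input form for Non-recurring entries; the guide specifies none of these, and the schedules and timestamps below are constructed.

```python
"""Added example: evaluating Schedule objects against timestamps (not PAN-OS code)."""
from datetime import datetime, time

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def _hhmm(text):
    hour, minute = text.split(":")
    return time(int(hour), int(minute))


def _in_window(t, start, end):
    """ASSUMPTION: [start, end), wrapping past midnight when end <= start."""
    if start < end:
        return start <= t < end
    return t >= start or t < end


class Schedule:
    """recurrence 'daily': entries of (start, end) as 'HH:MM';
    'weekly': (day-of-week, start, end);
    'non-recurring': (start, end) as 'YYYY/MM/DD HH:MM' (input form assumed)."""

    def __init__(self, name, recurrence, entries):
        self.name = name
        self.recurrence = recurrence
        if recurrence == "daily":
            self.entries = [(_hhmm(s), _hhmm(e)) for s, e in entries]
        elif recurrence == "weekly":
            self.entries = [(d.lower(), _hhmm(s), _hhmm(e)) for d, s, e in entries]
        elif recurrence == "non-recurring":
            fmt = "%Y/%m/%d %H:%M"
            self.entries = [(datetime.strptime(s, fmt), datetime.strptime(e, fmt))
                            for s, e in entries]
        else:
            raise ValueError(recurrence)

    def active_at(self, moment):
        """True if any entry of the schedule covers `moment`."""
        t = moment.time()
        if self.recurrence == "daily":
            return any(_in_window(t, s, e) for s, e in self.entries)
        if self.recurrence == "weekly":
            day = DAYS[moment.weekday()]
            return any(d == day and _in_window(t, s, e) for d, s, e in self.entries)
        return any(s <= moment < e for s, e in self.entries)


def session_rule(schedule, started, now):
    """A scheduled rule is matched when the session is created; the match is
    not re-evaluated for the existing session when the window later opens or
    closes (the note above). `now` is therefore deliberately ignored."""
    return "scheduled-rule" if schedule.active_at(started) else "not-matched"


if __name__ == "__main__":
    business = Schedule("business-hours", "weekly",
                        [("monday", "08:00", "18:00"), ("friday", "08:00", "17:00")])
    print(session_rule(business, datetime(2017, 2, 6, 17, 59), datetime(2017, 2, 6, 19, 0)))
    print(session_rule(business, datetime(2017, 2, 6, 18, 1), datetime(2017, 2, 7, 9, 0)))
```

The practical consequence of `session_rule` is worth remembering when a schedule is used to close access: a long-lived session that started inside the window keeps the rule it matched after the window ends, so to cut it off you must clear the session rather than rely on the schedule alone.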



Network

  - Network > Virtual Wires
  - Network > Interfaces
  - Network > Virtual Routers
  - Network > Zones
  - Network > VLANs
  - Network > IPSec Tunnels
  - Network > DHCP
  - Network > DNS Proxy
  - Network > QoS
  - Network > LLDP
  - Network > Network Profiles

Network > Virtual Wires

Select Network > Virtual Wires to define virtual wires after you have specified two virtual wire interfaces on the firewall (Network > Interfaces).

Virtual Wire Settings

Virtual Wire Name: Enter a virtual wire name (up to 31 characters). This name appears in the list of virtual wires when configuring interfaces. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Interfaces: Select two Ethernet interfaces from the displayed list for the virtual wire configuration. Interfaces are listed here only if they have the virtual wire interface type and have not been assigned to another virtual wire. For information on virtual wire interfaces, see Virtual Wire Interface.

Tag Allowed: Enter the tag number (0 to 4094) or range of tag numbers (tag1-tag2) for the traffic allowed on the virtual wire. A tag value of zero indicates untagged traffic (the default). Multiple tags or ranges must be separated by commas. Traffic that has an excluded tag value is dropped. Tag values are not changed on incoming or outgoing packets.
When utilizing virtual wire subinterfaces, the Tag Allowed list will cause all traffic with the listed tags to be classified to the parent virtual wire. Virtual wire subinterfaces must utilize tags that do not exist in the parent's Tag Allowed list.

Multicast Firewalling: Select if you want to be able to apply security rules to multicast traffic. If this setting is not enabled, multicast traffic is forwarded across the virtual wire.

Link State Pass Through: Select if you want to bring down the other interface in a virtual wire pair when a down link state is detected. If you do not select or you disable this option, link status is not propagated across the virtual wire.
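The Tag Allowed syntax (single tags, tag1-tag2 ranges, comma separated, 0 for untagged) and the rule that subinterface tags must not overlap the parent's list are worth validating before a commit rather than after traffic lands on the wrong object. The following Python is an added example written for this guide, not firewall code; the interface names are placeholders, and the classification order (parent list first, then subinterfaces, otherwise drop) is this example's reading of the text above.

```python
"""Added example: Tag Allowed parsing and virtual wire tag classification (not PAN-OS code)."""


def parse_tag_allowed(spec):
    """Expand '0, 100-110, 200' into the set of permitted VLAN tags.
    0 means untagged; every value must lie within 0..4094."""
    allowed = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        low, _, high = part.partition("-")
        low = int(low)
        high = int(high) if high else low
        if not 0 <= low <= high <= 4094:
            raise ValueError("tag or range out of bounds: %s" % part)
        allowed.update(range(low, high + 1))
    return allowed


def validate_subinterfaces(parent_allowed, subinterfaces):
    """Return the names of subinterfaces whose tags collide with the parent's
    Tag Allowed list; traffic with those tags would be classified to the
    parent instead of the subinterface."""
    return sorted(name for name, tags in subinterfaces.items()
                  if tags & parent_allowed)


def classify(parent_allowed, subinterfaces, frame_tag):
    """Name the virtual wire object a frame with `frame_tag` lands on, or 'drop'.
    ASSUMPTION: the parent's list is consulted first, then the subinterfaces."""
    if frame_tag in parent_allowed:
        return "parent"
    for name, tags in subinterfaces.items():
        if frame_tag in tags:
            return name
    return "drop"


if __name__ == "__main__":
    parent = parse_tag_allowed("0, 100-110, 200")
    # Placeholder subinterface names; tags chosen outside the parent's list.
    subifs = {"ethernet1/1.300": {300}, "ethernet1/1.400": parse_tag_allowed("400-402")}
    print(validate_subinterfaces(parent, subifs), classify(parent, subifs, 401))
```

A non-empty result from `validate_subinterfaces` is the condition the guide warns about: the colliding subinterface never receives its traffic because the parent's Tag Allowed list claims it first.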

Network > Interfaces

Firewall interfaces (ports) enable a firewall to connect with other network devices and with other interfaces within the firewall. The following topics describe the interface types and how to configure them:

What are you looking for?
  - What are firewall interfaces? See Firewall Interfaces Overview.
  - I am new to firewall interfaces; what are the components of a firewall interface? See Common Building Blocks for Firewall Interfaces and Common Building Blocks for PA-7000 Series Firewall Interfaces.
  - I already understand firewall interfaces; how can I find information on configuring a specific interface type? See:
    Physical Interfaces (Ethernet): Layer 2 Interface, Layer 2 Subinterface, Layer 3 Interface, Layer 3 Subinterface, Virtual Wire Interface, Virtual Wire Subinterface, Tap Interface, Log Card Interface, Log Card Subinterface, Decrypt Mirror Interface, Aggregate Ethernet (AE) Interface Group, Aggregate Ethernet (AE) Interface, HA Interface.
    Logical Interfaces: Network > Interfaces > VLAN, Network > Interfaces > Loopback, Network > Interfaces > Tunnel.
  - Looking for more? See Networking.

Firewall Interfaces Overview

The interface configurations of firewall data ports enable traffic to enter and exit the firewall. A Palo Alto Networks firewall can operate in multiple deployments simultaneously because you can configure the interfaces to support different deployments. For example, you can configure the Ethernet interfaces on a firewall for virtual wire, Layer 2, Layer 3, and tap mode deployments. The interfaces that the firewall supports are:
  - Physical Interfaces: The firewall supports two kinds of Ethernet, copper and fiber optic, that can send and receive traffic at different transmission rates. You can configure Ethernet interfaces as the following types: tap, high availability (HA), log card (interface and subinterface), decrypt mirror, virtual wire (interface and subinterface), Layer 2 (interface and subinterface), Layer 3 (interface and subinterface), and aggregate Ethernet. The available interface types and transmission speeds vary by hardware model.
  - Logical Interfaces: These include virtual local area network (VLAN) interfaces, loopback interfaces, and tunnel interfaces. You must set up the physical interface before defining a VLAN or a tunnel interface.

Common Building Blocks for Firewall Interfaces

Select Network > Interfaces to display and configure the components that are common to most interface types.

For a description of components that are unique or different when you configure interfaces on a PA-7000 Series firewall, or when you use Panorama to configure interfaces on any firewall, see Common Building Blocks for PA-7000 Series Firewall Interfaces.

Firewall Interface Building Blocks

Interface(Interface Theinterfacenameispredefinedandyoucannotchangeit.However,youcan
Name) appendanumericsuffixforsubinterfaces,aggregateinterfaces,VLANinterfaces,
loopbackinterfaces,andtunnelinterfaces.

InterfaceType ForEthernetinterfaces(Network > Interfaces > Ethernet),youcanselectthe


interfacetype:
Tap
HA
Decrypt Mirror(PA7000Series,PA5000Series,andPA3000Seriesfirewalls
only)
Virtual Wire
Layer 2
Layer 3
Log Card(PA7000Seriesfirewallonly)
Aggregate Ethernet

ManagementProfile SelectaManagement Profile(Network > Interfaces > <if-config > Advanced > Other
Info)thatdefinestheprotocols(suchasSSH,Telnet,andHTTP)youcanuseto
managethefirewalloverthisinterface.

212 PANOS8.0WebInterfaceReferenceGuide PaloAltoNetworks,Inc.


Network Network>Interfaces

FirewallInterface Description
Building Blocks
(Continued)

LinkState ForEthernetinterfaces,LinkStateindicateswhethertheinterfaceiscurrently
accessibleandcanreceivetrafficoverthenetwork:
GreenConfiguredandup
RedConfiguredbutdownordisabled
GrayNotconfigured
Hoveroverthelinkstatetodisplayatooltipthatindicatesthelinkspeedandduplex
settingsforthatinterface.

IPAddress (Optional)ConfiguretheIPv4orIPv6addressoftheEthernet,VLAN,loopback,or
tunnelinterface.ForanIPv4address,youcanalsoselecttheaddressingmode(Type)
fortheinterface:Static,DHCP Client,orPPPoE.

VirtualRouter AssignavirtualroutertotheinterfaceorclickVirtual Routertodefineanewone


(seeNetwork>VirtualRouters).SelectNonetoremovethecurrentvirtualrouter
assignmentfromtheinterface.

Tag(Subinterfaceonly) EntertheVLANtag(14,094)forthesubinterface.

VLAN SelectNetwork > Interfaces > VLANandmodifyanexistingVLANorAddanewone


(seeNetwork>VLANs).SelectNonetoremovethecurrentVLANassignmentfrom
theinterface.ToenableswitchingbetweenLayer2interfaces,ortoenablerouting
throughaVLANinterface,youmustconfigureaVLANobject.

VirtualSystem Ifthefirewallsupportsmultiplevirtualsystemsandthatcapabilityisenabled,select
avirtualsystem(vsys)fortheinterfaceorclickVirtual Systemtodefineanewvsys.

SecurityZone SelectaSecurity Zone(Network > Interfaces > <if-config> Config)fortheinterface,


orselectZonetodefineanewone.SelectNonetoremovethecurrentzone
assignmentfromtheinterface.

Features ForEthernetinterfaces,thiscolumnindicateswhetherthefollowingfeaturesare
enabled:
DHCPClient
DNSProxy
GlobalProtectgatewayenabled
LinkAggregationControlProtocol(LACP)
LinkLayerDiscoveryProtocol(LLDP)
NDPMonitor
NetFlowprofile
QualityofService(QoS)profile

Comment Adescriptionoftheinterfacefunctionorpurpose.

Common Building Blocks for PA-7000 Series Firewall Interfaces

The following table describes the components of the Network > Interfaces > Ethernet page that are unique or different when you configure interfaces on a PA-7000 Series firewall, or when you use Panorama to configure interfaces on any firewall. Click Add Interface to create a new interface or select an existing interface (ethernet1/1, for example) to edit it.

On PA-7000 Series firewalls, you must configure a Log Card Interface on one data port.

PA-7000 Series Firewall Interface Building Blocks

Slot
    Select the slot number (1-12) of the interface. Only PA-7000 Series firewalls have multiple slots. If you use Panorama to configure an interface for any other firewall model, select Slot 1.

Interface (Interface Name)
    Select the name of an interface that is associated with the selected Slot.

Layer 2 Interface

Network > Interfaces > Ethernet

Select Network > Interfaces > Ethernet to configure a Layer 2 interface. Click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.

Layer 2 Interface Settings

Configured in: Ethernet Interface

Interface Name
    The interface name is predefined and you cannot change it.

Comment
    Enter an optional description for the interface.

Interface Type
    Select Layer2.

Netflow Profile
    If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.

Configured in: Ethernet Interface > Config

VLAN
    To enable switching between Layer 2 interfaces or to enable routing through a VLAN interface, select an existing VLAN or click VLAN to define a new VLAN (see Network > VLANs). Select None to remove the current VLAN assignment from the interface.

Virtual System
    If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system for the interface or click Virtual System to define a new vsys.

Security Zone
    Select a Security Zone for the interface or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.

Configured in: Ethernet Interface > Advanced

Link Speed
    Select the interface speed in Mbps (10, 100, or 1000) or select auto to have the firewall automatically determine the speed.

Link Duplex
    Select whether the interface transmission mode is full duplex (full), half duplex (half), or negotiated automatically (auto).

Link State
    Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).

Configured in: Ethernet Interface > Advanced > LLDP

Enable LLDP
    Select to enable Link Layer Discovery Protocol (LLDP) on the interface. LLDP functions at the link layer to discover neighboring devices and their capabilities.

Profile
    If LLDP is enabled, select an LLDP profile to assign to the interface or click LLDP Profile to create a new profile (see Network > Network Profiles > LLDP Profile). Select None to configure the firewall to use global defaults.

Enable in HA Passive State
    If LLDP is enabled, select to allow an HA passive firewall to pre-negotiate LLDP with its peer before the firewall becomes active.

Layer 2 Subinterface

Network > Interfaces > Ethernet

For each Ethernet port configured as a physical Layer 2 interface, you can define an additional logical Layer 2 interface (subinterface) for each VLAN tag assigned to the traffic that the port receives. To enable switching between Layer 2 subinterfaces, assign the same VLAN object to the subinterfaces.

To configure a Layer 2 subinterface, select the row of that physical Interface, click Add Subinterface, and specify the following information.

Layer 2 Subinterface Settings

Interface Name
    The read-only Interface Name displays the name of the physical interface you selected. In the adjacent field, enter a numeric suffix (1-9,999) to identify the subinterface.

Comment
    Enter an optional description for the subinterface.

Tag
    Enter the VLAN tag (1-4,094) for the subinterface.

Netflow Profile
    If you want to export unidirectional IP traffic that traverses an ingress subinterface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the subinterface.

VLAN
    To enable switching between Layer 2 interfaces or to enable routing through a VLAN interface, select a VLAN, or click VLAN to define a new VLAN (see Network > VLANs). Select None to remove the current VLAN assignment from the subinterface.

Virtual System
    If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the subinterface or click Virtual System to define a new vsys.

Security Zone
    Select a security zone for the subinterface or click Zone to define a new zone. Select None to remove the current zone assignment from the subinterface.
Layer 3 Interface

Network > Interfaces > Ethernet

To configure a Layer 3 interface, click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.

Layer 3 Interface Settings

Configured in: Ethernet Interface

Interface Name
    The interface name is predefined and you cannot change it.

Comment
    Enter an optional description for the interface.

Interface Type
    Select Layer3.

Netflow Profile
    If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.

Configured in: Ethernet Interface > Config

Virtual Router
    Select a virtual router, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.

Virtual System
    If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.

Security Zone
    Select a security zone for the interface or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.

Configured in: Ethernet Interface > Advanced

Link Speed
    Select the interface speed in Mbps (10, 100, or 1000) or select auto.

Link Duplex
    Select whether the interface transmission mode is full duplex (full), half duplex (half), or negotiated automatically (auto).

Link State
    Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).

Configured in: Ethernet Interface > Advanced > Other Info

Management Profile
    Select a profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface.

MTU
    Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.

Adjust TCP MSS
    Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:
    - IPv4 MSS Adjustment Size: Range is 40-300; default is 40.
    - IPv6 MSS Adjustment Size: Range is 60-300; default is 60.
    Use these settings to address the case where a tunnel through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment. Encapsulation adds length to headers, so it is helpful to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.
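The MTU and MSS adjustment rule above, worked through as an added Python example (not code from this guide or from Palo Alto Networks): it computes the MSS the interface would advertise from the page's formula, rejects values outside the page's ranges, and derives the adjustment that a given encapsulation overhead calls for. The 40-byte IPv4+TCP and 60-byte IPv6+TCP header sizes and the 4-byte sizes of a VLAN tag and an MPLS label are standard header sizes, not values stated on the page.

```python
"""Worked example of the Adjust TCP MSS rule stated above: MSS = MTU - MSS Adjustment Size.
Added illustration; not code from the PAN-OS guide or from Palo Alto Networks."""
from typing import Optional

# Ranges and defaults as the page states them.
MTU_RANGE = (576, 9192)
ADJUST_RANGE = {4: (40, 300), 6: (60, 300)}
DEFAULT_ADJUST = {4: 40, 6: 60}

# Standard header sizes, not values from the page: IPv4 + TCP = 40 bytes, IPv6 + TCP = 60,
# one 802.1Q VLAN tag = 4, one MPLS label = 4.
BASE_HEADERS = {4: 40, 6: 60}
VLAN_TAG = 4
MPLS_LABEL = 4


def advertised_mss(mtu: int, ip_version: int, adjust: Optional[int] = None) -> int:
    """MSS the interface would advertise; None for `adjust` means the page's default.

    Raises ValueError when the MTU or the adjustment is outside the page's range.
    """
    lo, hi = MTU_RANGE
    if not lo <= mtu <= hi:
        raise ValueError(f"MTU {mtu} outside {lo}-{hi}")
    if adjust is None:
        adjust = DEFAULT_ADJUST[ip_version]
    alo, ahi = ADJUST_RANGE[ip_version]
    if not alo <= adjust <= ahi:
        raise ValueError(f"IPv{ip_version} MSS adjustment {adjust} outside {alo}-{ahi}")
    return mtu - adjust


def required_adjustment(ip_version: int, vlan_tags: int = 0, mpls_labels: int = 0,
                        tunnel_overhead: int = 0) -> int:
    """Adjustment needed so IP + TCP headers plus encapsulation fit within the MTU.

    Clamped to the page's permitted range: hitting the upper bound means the interface
    cannot compensate for that much encapsulation by MSS adjustment alone.
    """
    needed = (BASE_HEADERS[ip_version] + vlan_tags * VLAN_TAG
              + mpls_labels * MPLS_LABEL + tunnel_overhead)
    alo, ahi = ADJUST_RANGE[ip_version]
    return max(alo, min(needed, ahi))


def fits_unfragmented(mss: int, ip_version: int, path_mtu: int, encap_bytes: int) -> bool:
    """True if a full-size segment plus headers and encapsulation crosses the path unfragmented."""
    return mss + BASE_HEADERS[ip_version] + encap_bytes <= path_mtu


if __name__ == "__main__":
    # Default IPv4 MSS on a 1,500-byte interface is 1,460; a 24-byte tunnel header would
    # push the packet to 1,524 bytes, so raise the adjustment to 64, giving an MSS of 1,436.
    print(advertised_mss(1500, 4))
    adj = required_adjustment(4, tunnel_overhead=24)
    print(adj, advertised_mss(1500, 4, adj))
```

The `fits_unfragmented` check is the practical test behind the page's advice: with the default adjustment a full segment plus a 24-byte tunnel header exceeds a 1,500-byte path, and raising the adjustment by exactly the encapsulation size brings it back within the MTU.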

Untagged Subinterface
    Specifies that all subinterfaces belonging to this Layer 3 interface are untagged. PAN-OS selects an untagged subinterface as the ingress interface based on the packet destination. If the destination is the IP address of an untagged subinterface, it maps to the subinterface. This also means that packets in the reverse direction must have their source address translated to the IP address of the untagged subinterface. A byproduct of this classification mechanism is that all multicast and broadcast packets are assigned to the base interface, not any subinterfaces. Because Open Shortest Path First (OSPF) uses multicast, the firewall does not support it on untagged subinterfaces.
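The classification rule described above, as an added Python example that is not part of this guide or of PAN-OS itself: a destination equal to an untagged subinterface's own address maps to that subinterface, multicast and broadcast destinations stay on the base interface, and return traffic must carry the subinterface address as its source. The subinterface names and addresses are constructed for the illustration.

```python
"""Ingress classification for untagged Layer 3 subinterfaces, as described above.
Added illustration; not code from the PAN-OS guide or from Palo Alto Networks."""
import ipaddress
from typing import Dict

IPV4_LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

# Constructed example: one Layer 3 interface with two untagged subinterfaces.
BASE_INTERFACE = "ethernet1/1"
UNTAGGED_SUBIFS = {
    "ethernet1/1.10": "10.1.10.1/24",
    "ethernet1/1.20": "10.1.20.1/24",
}


def ingress_interface(dst: str, base: str, untagged_subifs: Dict[str, str]) -> str:
    """Return the interface a packet with destination `dst` is assigned to.

    `untagged_subifs` maps a subinterface name to the address configured on it (CIDR).
    Rules from the page: multicast and broadcast destinations always map to the base
    interface; a destination equal to an untagged subinterface's own address maps to
    that subinterface; anything else stays on the base interface.
    """
    addr = ipaddress.ip_address(dst)
    if addr.is_multicast or addr == IPV4_LIMITED_BROADCAST:
        return base
    for name, cidr in untagged_subifs.items():
        iface = ipaddress.ip_interface(cidr)
        if addr.version == iface.ip.version and addr == iface.ip:
            return name
    # Directed broadcasts and every other destination belong to the base interface.
    return base


def reply_source(subif: str, untagged_subifs: Dict[str, str]) -> str:
    """Source address that return traffic through `subif` must be translated to."""
    return str(ipaddress.ip_interface(untagged_subifs[subif]).ip)


def ospf_supported(interface: str, untagged_subifs: Dict[str, str]) -> bool:
    """OSPF relies on multicast, which never reaches an untagged subinterface."""
    return interface not in untagged_subifs


if __name__ == "__main__":
    for dst in ("10.1.10.1", "10.1.20.1", "10.1.10.77", "224.0.0.5", "255.255.255.255"):
        print(dst, "->", ingress_interface(dst, BASE_INTERFACE, UNTAGGED_SUBIFS))
```

Running the sample shows why OSPF cannot work on an untagged subinterface: its hello packets go to 224.0.0.5, which the classifier always lands on the base interface.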

Configured in: Ethernet Interface > Advanced > ARP Entries

IP Address / MAC Address
    To add one or more static Address Resolution Protocol (ARP) entries, click Add and enter an IP address and its associated hardware (MAC) address. To delete an entry, select the entry and click Delete. Static ARP entries reduce ARP processing and preclude man-in-the-middle attacks for the specified addresses.

Configured in: Ethernet Interface > Advanced > ND Entries

IPv6 Address / MAC Address
    To provide neighbor information for Neighbor Discovery Protocol (NDP), click Add and enter the IP address and MAC address of the neighbor.

Configured in: Ethernet Interface > Advanced > NDP Proxy

Enable NDP Proxy
    Select to enable the Neighbor Discovery Protocol (NDP) proxy for the interface. The firewall will respond to ND packets requesting MAC addresses for IPv6 addresses in this list. In the ND response, the firewall sends its own MAC address for the interface to indicate it will act as proxy by responding to packets destined for those addresses.
    It is recommended that you select Enable NDP Proxy if you use Network Prefix Translation IPv6 (NPTv6).
    If Enable NDP Proxy is selected, you can filter numerous Address entries by entering a search string and clicking Apply Filter.

Address
    Click Add to enter one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as the NDP proxy. Ideally, one of these addresses is the same address as that of the source translation in NPTv6. The order of addresses does not matter.
    If the address is a subnetwork, the firewall will send an ND response for all addresses in the subnet, so we recommend that you also add the IPv6 neighbors of the firewall and then select Negate to instruct the firewall not to respond to these IP addresses.

Negate
    Select Negate for an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet.

Configured in: Ethernet Interface > Advanced > LLDP

Enable LLDP
    Select to enable Link Layer Discovery Protocol (LLDP) on the interface. LLDP functions at the link layer to discover neighboring devices and their capabilities.

LLDP Profile
    If LLDP is enabled, select an LLDP profile to assign to the interface or click LLDP Profile to create a new profile (see Network > Network Profiles > LLDP Profile). Select None to configure the firewall to use global defaults.

Enable in HA Passive State
    If LLDP is enabled, select to allow the firewall as an HA passive firewall to pre-negotiate LLDP with its peer before the firewall becomes active.

Configured in: Ethernet Interface > IPv4

Type
    Select the method for assigning an IPv4 address type to the interface:
    - Static: You must manually specify the IP address.
    - PPPoE: The firewall will use the interface for Point-to-Point Protocol over Ethernet (PPPoE).
    - DHCP Client: Enables the interface to act as a Dynamic Host Configuration Protocol (DHCP) client and receive a dynamically assigned IP address.
    Firewalls that are in active/active high availability (HA) mode do not support PPPoE or DHCP Client.
    Based on your IP address method selection, the options displayed in the tab will vary.
IPv4 address Type = Static

Configured in: Ethernet Interface > IPv4

IP
    Click Add, then perform one of the following steps to specify a static IP address and network mask for the interface.
    - Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
    - Select an existing address object of type IP netmask.
    - Click Address to create an address object of type IP netmask.
    You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your firewall uses determines the maximum number of IP addresses.
    To delete an IP address, select the address and click Delete.

IPv4 address Type = PPPoE

Configured in: Ethernet Interface > IPv4 > PPPoE > General

Enable
    Select to activate the interface for PPPoE termination.

Username
    Enter the username for the point-to-point connection.

Password / Confirm Password
    Enter and then confirm the password for the username.

Show PPPoE Client Runtime Info
    (Optional) Opens a dialog that displays parameters that the firewall negotiated with the Internet service provider (ISP) to establish a connection. The specific information depends on the ISP.

Configured in: Ethernet Interface > IPv4 > PPPoE > Advanced

Authentication
    Select the authentication protocol for PPPoE communications: CHAP (Challenge-Handshake Authentication Protocol), PAP (Password Authentication Protocol), or the default Auto (the firewall determines the protocol). Select None to remove the current protocol assignment from the interface.

Static Address
    Perform one of the following steps to specify the IP address that the Internet service provider assigned (no default value):
    - Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
    - Select an existing address object of type IP netmask.
    - Click Address to create an address object of type IP netmask.
    Select None to remove the current address assignment from the interface.

Automatically create default route pointing to peer
    Select to automatically create a default route that points to the PPPoE peer when connected.

Default Route Metric
    (Optional) For the route between the firewall and Internet service provider, enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1-65,535). The priority level increases as the numeric value decreases.

Access Concentrator
    (Optional) Enter the name of the access concentrator on the Internet service provider end to which the firewall connects (no default).

Service
    (Optional) Enter the service string (no default).

Passive
    Select to use passive mode. In passive mode, a PPPoE endpoint waits for the access concentrator to send the first frame.

IPv4 address Type = DHCP

Configured in: Ethernet Interface > IPv4

Enable
    Select to activate the DHCP client on the interface.

Automatically create default route pointing to default gateway provided by server
    Select to automatically create a default route that points to the default gateway that the DHCP server provides.

Default Route Metric
    For the route between the firewall and DHCP server, optionally enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1-65,535, no default). The priority level increases as the numeric value decreases.

Show DHCP Client Runtime Info
    Select to display all settings received from the DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).

Configured in: Ethernet Interface > IPv6

Enable IPv6 on the interface
    Select to enable IPv6 addressing on this interface.

Interface ID
    Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address.

Address
    Click Add and configure the following parameters for each IPv6 address:
    - Address: Enter an IPv6 address and prefix length (for example, 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create an address object.
    - Enable address on interface: Select to enable the IPv6 address on the interface.
    - Use interface ID as host portion: Select to use the Interface ID as the host portion of the IPv6 address.
    - Anycast: Select to include routing through the nearest node.
    - Send Router Advertisement: Select to enable router advertisement (RA) for this IP address. (You must also enable the global Enable Router Advertisement option on the interface.) For details on RA, see Enable Router Advertisement.
    The remaining fields apply only if you enable RA.
    - Valid Lifetime: The length of time, in seconds, that the firewall considers the address as valid. The valid lifetime must equal or exceed the Preferred Lifetime (default is 2,592,000).
    - Preferred Lifetime: The length of time, in seconds, that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall cannot use the address to establish new connections but any existing connections are valid until the Valid Lifetime expires (default is 604,800).
    - On-link: Select if systems that have addresses within the prefix are reachable without a router.
    - Autonomous: Select if systems can independently create an IP address by combining the advertised prefix with an interface ID.

Configured in: Ethernet Interface > IPv6 > Address Resolution

Enable Duplicate Address Detection
    Select to enable duplicate address detection (DAD), then configure the other fields in this section.

DAD Attempts
    Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1-10; default is 1).

Reachable Time
    Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 10-36,000; default is 30).

NS Interval (neighbor solicitation interval)
    Specify the number of seconds for DAD attempts before failure is indicated (range is 1-10; default is 1).

Enable NDP Monitoring
    Select to enable Neighbor Discovery Protocol (NDP) monitoring. When enabled, you can select NDP Monitor (in the Features column) and view information about a neighbor that the firewall discovered, such as the IPv6 address, the corresponding MAC address, and the User-ID (on a best-case basis).
Configured in: Ethernet Interface > IPv6 > Router Advertisement

Enable Router Advertisement
    To provide stateless address autoconfiguration (SLAAC) on IPv6 interfaces, select and configure the other fields in this section. IPv6 DNS clients that receive the router advertisement (RA) messages use this information.
    RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients.
    This is a global setting for the interface. If you want to set RA options for individual IP addresses, click Add in the IP address table and configure the Address. If you set RA options for any IP address, you must select the Enable Router Advertisement option for the interface.

Min Interval (sec)
    Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Max Interval (sec)
    Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Hop Limit
    Specify the hop limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit.

Link MTU
    Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280-9,192; default is unspecified).

Reachable Time (ms)
    Specify the reachable time (in milliseconds) that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified).

Retrans Time (ms)
    Specify the retransmission timer that determines how long the client will wait (in milliseconds) before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified).

Router Lifetime (sec)
    Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.

Router Preference
    If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.

Managed Configuration
    Select to indicate to the client that addresses are available via DHCPv6.

Consistency Check
    Select if you want the firewall to verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies in a system log; the type is ipv6nd.

Other Configuration
    Select to indicate to the client that other address information (for example, DNS-related settings) is available via DHCPv6.

Configured in: Ethernet Interface > IPv6 > DNS Support

Include DNS information in Router Advertisement
    Select to enable the firewall to send DNS information in NDP router advertisement (RA) messages from this IPv6 Ethernet interface. The other DNS Support fields in this table are visible only after you select this option.

Server
    Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 Ethernet interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client.
    You can configure a maximum of eight RDNS servers that the firewall sends in the order listed from top to bottom in an NDP router advertisement to the recipient, which then uses those addresses in the same order. Select a server and Move Up or Move Down to change the order of the servers or Delete a server from the list when you no longer need it.

Lifetime
    Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use the RDNS servers to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).

Suffix
    Add and configure one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes.
    A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the DNS query. For example, if a DNS client tries to submit a DNS query for the name quality without a suffix, the router appends a period and the first DNS suffix from the DNS search list to that name and then transmits the DNS query. If the first DNS suffix on the list is company.com, the resulting DNS query from the router is for the fully qualified domain name quality.company.com.
    If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router tries DNS suffixes until a DNS lookup is successful (ignoring the remaining suffixes) or until the router has tried all suffixes on the list.
    Configure the firewall with the suffixes you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries.
    You can configure a maximum of eight domain names (suffixes) for a DNS search list that the firewall sends in the order listed from top to bottom in an NDP router advertisement to the recipient, which uses those suffixes in the same order. Select a suffix and Move Up or Move Down to change the order of the suffixes or Delete a suffix from the list when you no longer need it.
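The search-list behaviour described above, as an added Python example that is not part of this guide or of PAN-OS: the client tries name.suffix for each advertised suffix in order and stops at the first answer, and the list is checked against the page's limits (at most eight suffixes, each at most 255 bytes). The record table that stands in for a resolver is constructed for the demonstration.

```python
"""DNS search list (DNSSL) behaviour described above: the client appends each advertised suffix,
in order, to an unqualified name until a lookup succeeds. Added illustration with a constructed
record table standing in for a resolver; not code from the PAN-OS guide."""
from typing import Callable, List, Optional, Tuple

MAX_SUFFIXES = 8        # page: at most eight suffixes in the search list
MAX_SUFFIX_BYTES = 255  # page: maximum suffix length is 255 bytes

Lookup = Callable[[str], Optional[str]]


def validate_search_list(suffixes: List[str]) -> List[str]:
    """Problems the page's limits would flag; an empty list means the list is acceptable."""
    problems: List[str] = []
    if len(suffixes) > MAX_SUFFIXES:
        problems.append(f"{len(suffixes)} suffixes exceeds the maximum of {MAX_SUFFIXES}")
    for suffix in suffixes:
        if len(suffix.encode("utf-8")) > MAX_SUFFIX_BYTES:
            problems.append(f"suffix {suffix!r} is longer than {MAX_SUFFIX_BYTES} bytes")
    return problems


def resolve_unqualified(name: str, suffixes: List[str],
                        lookup: Lookup) -> Tuple[Optional[str], List[str]]:
    """Query name.suffix for each suffix in order and stop at the first answer.

    Returns (answer or None, the fully qualified names tried in order). `name` is taken
    to be unqualified; deciding that is the client's job, as on a real host.
    """
    tried: List[str] = []
    for suffix in suffixes:
        fqdn = f"{name}.{suffix}"
        tried.append(fqdn)
        answer = lookup(fqdn)
        if answer is not None:
            return answer, tried      # remaining suffixes are ignored
    return None, tried


# Constructed records for the demonstration (not real hosts).
CONSTRUCTED_RECORDS = {
    "quality.company.com": "2001:db8::10",
    "build.lab.company.com": "2001:db8::20",
}


def constructed_lookup(fqdn: str) -> Optional[str]:
    return CONSTRUCTED_RECORDS.get(fqdn)


if __name__ == "__main__":
    search_list = ["company.com", "lab.company.com"]
    print(validate_search_list(search_list))
    print(resolve_unqualified("quality", search_list, constructed_lookup))
    print(resolve_unqualified("build", search_list, constructed_lookup))
```

The order of suffixes matters in exactly the way the page states: "build" is only found after the first suffix fails, so the suffix a client should hit most often belongs at the top of the list.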

Lifetime
    Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS Search List (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).
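The Router Advertisement and DNS Support rows above carry several cross-field constraints that the web interface states in separate places. The following added Python example (not from this guide or from Palo Alto Networks) collects them into one validator: the per-field ranges and defaults are those the page states; Valid Lifetime must equal or exceed Preferred Lifetime; and the RDNS and DNSSL Lifetime must lie between Max Interval and twice Max Interval. Requiring Min Interval to be at most Max Interval is an assumption drawn from the page's statement that RAs are sent at random intervals between the two values.

```python
"""Cross-checks for the Router Advertisement and DNS Support settings described above.
Added illustration; not code from the PAN-OS guide or from Palo Alto Networks."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RouterAdvertisement:
    min_interval: int = 200             # sec; page range 3-1,350
    max_interval: int = 600             # sec; page range 4-1,800
    hop_limit: int = 64                 # page range 1-255, 0 = no hop limit
    link_mtu: Optional[int] = None      # None = unspecified; page range 1,280-9,192
    reachable_time_ms: Optional[int] = None   # None = unspecified
    retrans_time_ms: Optional[int] = None     # None = unspecified
    router_lifetime: int = 1800         # sec; 0 = firewall is not the default gateway
    valid_lifetime: int = 2_592_000     # per-address RA option
    preferred_lifetime: int = 604_800   # per-address RA option
    dns_lifetime: Optional[int] = None  # RDNS/DNSSL lifetime, only with DNS Support enabled


def _check_range(errors: List[str], label: str, value: Optional[int], lo: int, hi: int) -> None:
    if value is not None and not lo <= value <= hi:
        errors.append(f"{label} {value} outside {lo}-{hi}")


def validate_ra(ra: RouterAdvertisement) -> List[str]:
    """Return the list of violations; an empty list means the settings are consistent."""
    errors: List[str] = []
    _check_range(errors, "Min Interval", ra.min_interval, 3, 1350)
    _check_range(errors, "Max Interval", ra.max_interval, 4, 1800)
    _check_range(errors, "Hop Limit", ra.hop_limit, 0, 255)
    _check_range(errors, "Link MTU", ra.link_mtu, 1280, 9192)
    _check_range(errors, "Reachable Time", ra.reachable_time_ms, 0, 3_600_000)
    _check_range(errors, "Retrans Time", ra.retrans_time_ms, 0, 4_294_967_295)
    _check_range(errors, "Router Lifetime", ra.router_lifetime, 0, 9000)
    # Assumption (see lead-in): random intervals between min and max need min <= max.
    if ra.min_interval > ra.max_interval:
        errors.append("Min Interval exceeds Max Interval")
    if ra.valid_lifetime < ra.preferred_lifetime:
        errors.append("Valid Lifetime must equal or exceed Preferred Lifetime")
    if ra.dns_lifetime is not None:
        lo, hi = ra.max_interval, 2 * ra.max_interval
        if not lo <= ra.dns_lifetime <= hi:
            errors.append(f"DNS Lifetime {ra.dns_lifetime} outside {lo}-{hi} "
                          "(Max Interval to twice Max Interval)")
    return errors


def is_default_gateway(ra: RouterAdvertisement) -> bool:
    """A zero Router Lifetime tells clients not to use the firewall as default gateway."""
    return ra.router_lifetime > 0


if __name__ == "__main__":
    print(validate_ra(RouterAdvertisement()))
    print(validate_ra(RouterAdvertisement(min_interval=700, max_interval=600, dns_lifetime=5000)))
```

The DNS lifetime rule is the one most often missed: the default DNS Lifetime of 1,200 only fits the default Max Interval of 600 because it is exactly twice that value, so lowering Max Interval without lowering the DNS Lifetime produces a configuration the validator rejects.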

Layer 3 Subinterface

Network > Interfaces > Ethernet

For each Ethernet port configured as a physical Layer 3 interface, you can define additional logical Layer 3 interfaces (subinterfaces).

To configure a Layer 3 subinterface, select the row of that physical Interface, click Add Subinterface, and specify the following information.

Layer 3 Subinterface Settings

Configured in: Layer 3 Subinterface

Interface Name
    The read-only Interface Name field displays the name of the physical interface you selected. In the adjacent field, enter a numeric suffix (1-9,999) to identify the subinterface.

Comment
    Enter an optional description for the subinterface.

Tag
    Enter the VLAN tag (1-4,094) for the subinterface.

Netflow Profile
    If you want to export unidirectional IP traffic that traverses an ingress subinterface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the subinterface.

Configured in: Layer 3 Subinterface > Config

Virtual Router
    Assign a virtual router to the interface, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.

Virtual System
    If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the subinterface or click Virtual System to define a new vsys.

Security Zone
    Select a security zone for the subinterface, or click Zone to define a new zone. Select None to remove the current zone assignment from the subinterface.
Configured in: Layer 3 Subinterface > Advanced > Other Info

Management Profile
    Select a profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface.

MTU
    Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.

Adjust TCP MSS
    Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:
    - IPv4 MSS Adjustment Size: Range is 40-300; default is 40.
    - IPv6 MSS Adjustment Size: Range is 60-300; default is 60.
    Use these settings to address the case where a tunnel through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment. Encapsulation adds length to headers, so it helps to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.

Configured in: Layer 3 Subinterface > Advanced > ARP Entries

IP Address / MAC Address
    To add one or more static Address Resolution Protocol (ARP) entries, Add an IP address and its associated hardware [media access control (MAC)] address. To delete an entry, select the entry and click Delete. Static ARP entries reduce ARP processing and preclude man-in-the-middle attacks for the specified addresses.

Configured in: Layer 3 Subinterface > Advanced > ND Entries

IPv6 Address / MAC Address
    To provide neighbor information for Neighbor Discovery Protocol (NDP), Add the IP address and MAC address of the neighbor.

Configured in: Layer 3 Subinterface > Advanced > NDP Proxy

Enable NDP Proxy
    Enable Neighbor Discovery Protocol (NDP) proxy for the interface. The firewall will respond to ND packets requesting MAC addresses for IPv6 addresses in this list. In the ND response, the firewall sends its own MAC address for the interface so that the firewall will receive the packets meant for the addresses in the list.
    It is recommended that you enable NDP proxy if you are using Network Prefix Translation IPv6 (NPTv6).
    If you selected Enable NDP Proxy, you can filter numerous Address entries by entering a filter and clicking Apply Filter (gray arrow).

Address
    Add one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as NDP proxy. Ideally, one of these addresses is the same address as that of the source translation in NPTv6. The order of addresses does not matter.
    If the address is a subnetwork, the firewall will send an ND response for all addresses in the subnet, so we recommend you also add the IPv6 neighbors of the firewall and then click Negate to instruct the firewall not to respond to these IP addresses.

Negate
    Negate an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet.

Configured in: Layer 3 Subinterface > IPv4

Type
    Select the method for assigning an IPv4 address type to the subinterface:
    - Static: You must manually specify the IP address.
    - DHCP Client: Enables the subinterface to act as a Dynamic Host Configuration Protocol (DHCP) client and receive a dynamically assigned IP address.
    Firewalls that are in active/active high availability (HA) mode don't support DHCP Client.
    Based on your IP address method selection, the options displayed in the tab will vary.

Configured in: Layer 3 Subinterface > IPv4, Type = Static

IP
    Add and perform one of the following steps to specify a static IP address and network mask for the interface.
    - Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
    - Select an existing address object of type IP netmask.
    - Create an Address object of type IP netmask.
    You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your system uses determines the maximum number of IP addresses.
    Delete an IP address when you no longer need it.

Configured in: Layer 3 Subinterface > IPv4, Type = DHCP

Enable
    Select to activate the DHCP client on the interface.

Automatically create default route pointing to default gateway provided by server
    Select to automatically create a default route that points to the default gateway that the DHCP server provides.

Default Route Metric
    (Optional) For the route between the firewall and DHCP server, you can enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1-65,535; there is no default). The priority level increases as the numeric value decreases.

Show DHCP Client Runtime Info
    Select Show DHCP Client Runtime Info to display all settings received from the DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).

Configured in: Layer 3 Subinterface > IPv6

Enable IPv6 on the interface
    Select to enable IPv6 addressing on this interface.

Interface ID
    Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address.

Address ClickAddandconfigurethefollowingparametersforeachIPv6address:
AddressEnteranIPv6addressandprefixlength(forexample,
2001:400:f00::1/64).YoucanalsoselectanexistingIPv6address
objectorclickAddresstocreateanaddressobject.
Enable address on interfaceSelecttoenabletheIPv6addressonthe
interface.
Use interface ID as host portionSelecttousetheInterface IDasthe
hostportionoftheIPv6address.
AnycastSelecttoincluderoutingthroughthenearestnode.
Send Router AdvertisementSelecttoenablerouteradvertisement
(RA)forthisIPaddress.(YoumustalsoenabletheglobalEnable Router
Advertisementoptionontheinterface.)FordetailsonRA,seeEnable
RouterAdvertisementinthistable.
TheremainingfieldsapplyonlyifyouenableRA.
Valid LifetimeThelengthoftime,inseconds,thatthefirewall
considerstheaddressasvalid.Thevalidlifetimemustequalor
exceedthePreferred Lifetime.Thedefaultis2,592,000.
Preferred LifetimeThelengthoftime,inseconds,thatthevalid
addressispreferred,whichmeansthefirewallcanuseittosend
andreceivetraffic.Afterthepreferredlifetimeexpires,thefirewall
cannotusetheaddresstoestablishnewconnectionsbutany
existingconnectionsarevaliduntiltheValid Lifetimeexpires.The
defaultis604,800.
On-linkSelectifsystemsthathaveaddresseswithintheprefix
arereachablewithoutarouter.
AutonomousSelectifsystemscanindependentlycreateanIP
addressbycombiningtheadvertisedprefixwithaninterfaceID.
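To make the Interface ID and "Use interface ID as host portion" fields concrete, here is an added Python example (not code from the guide or from PAN-OS). It derives an interface ID from a MAC address using the RFC 4291 modified EUI-64 rule (insert ff:fe, flip the universal/local bit) and composes a full address from an advertised /64 prefix plus an interface ID. The guide does not state the exact derivation PAN-OS uses when the field is blank, so the RFC rule is an assumption; the function names and the sample prefixes are hypothetical.

```python
import ipaddress


def modified_eui64(mac: str) -> str:
    """Build the RFC 4291 modified EUI-64 interface ID from a 48-bit MAC:
    insert ff:fe between the OUI and the device half, then flip the
    universal/local bit (0x02 of the first octet). Assumed to match what a
    router does when the Interface ID field is left blank; the guide does
    not show the PAN-OS derivation itself."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 00:26:08:de:4e:29")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in eui)


def address_from_prefix(prefix: str, interface_id: str) -> str:
    """Compose an address the way 'Use interface ID as host portion' does:
    the /64 prefix supplies the high 64 bits and the interface ID the low
    64 bits. Only /64 prefixes are accepted because a 64-bit interface ID
    leaves no room for anything longer."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("interface ID as host portion requires a /64 prefix")
    iid_bytes = bytes(int(x, 16) for x in interface_id.split(":"))
    if len(iid_bytes) != 8:
        raise ValueError("interface ID must be 64 bits (eight hex octets)")
    iid = int.from_bytes(iid_bytes, "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


if __name__ == "__main__":
    # The guide's sample interface ID, placed under the guide's sample prefix.
    print(address_from_prefix("2001:400:f00::/64", "00:26:08:FF:FE:DE:4E:29"))
    # A constructed MAC run through the modified EUI-64 rule.
    print(modified_eui64("00:26:08:de:4e:29"))
```

Note that the guide's sample ID 00:26:08:FF:FE:DE:4E:29 is an EUI-64 without the universal/local bit flipped; the modified form a router derives from the MAC 00:26:08:de:4e:29 would begin with 02 instead of 00.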

Enable Duplication Address Detection (Configured In: Layer 3 Subinterface > IPv6 > Address Resolution)
    Select to enable duplicate address detection (DAD), then configure the other fields in this section.

DAD Attempts
    Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1-10; default is 1).

Reachable Time
    Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 1-36,000; default is 30).

NS Interval (neighbor solicitation interval)
    Specify the number of seconds for DAD attempts before failure is indicated (range is 1-10; default is 1).

Enable NDP Monitoring
    Select to enable Neighbor Discovery Protocol (NDP) monitoring. When enabled, you can select NDP (in the Features column) to view information about a neighbor the firewall discovered, such as the IPv6 address, the corresponding MAC address, and the User-ID (on a best-case basis).

Enable Router Advertisement (Configured In: Layer 3 Subinterface > IPv6 > Router Advertisement)
    To provide Neighbor Discovery on IPv6 interfaces, select and configure the other fields in this section. IPv6 DNS clients that receive the router advertisement (RA) messages use this information.
    RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients.
    This is a global setting for the interface. If you want to set RA options for individual IP addresses, Add and configure an Address in the IP address table. If you set RA options for any IP address, you must Enable Router Advertisement for the interface.

Min Interval (sec)
    Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Max Interval (sec)
    Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Hop Limit
    Specify the hop limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit.

Link MTU
    Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280-9,192; default is unspecified).

Reachable Time (ms)
    Specify the reachable time (in milliseconds) that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified).

Retrans Time (ms)
    Specify the retransmission timer that determines how long the client will wait (in milliseconds) before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified).

Router Lifetime (sec)
    Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.

Router Preference
    If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.

Managed Configuration
    Select to indicate to the client that addresses are available via DHCPv6.

Other Configuration
    Select to indicate to the client that other address information (for example, DNS-related settings) is available via DHCPv6.

Consistency Check
    Select if you want the firewall to verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies in a system log; the type is ipv6nd.

Include DNS information in Router Advertisement (Configured In: Layer 3 Subinterface > IPv6 > DNS Support)
    Select for the firewall to send DNS information in NDP router advertisements from this IPv6 Ethernet subinterface. The other DNS Support fields in this table are visible only after you select this option.

Server
    Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 Ethernet interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client.
    You can configure a maximum of eight RDNS Servers that the firewall sends in order listed from top to bottom in an NDP router advertisement to the recipient, which then uses them in the same order. Select a server and Move Up or Move Down to change the order of the servers or Delete a server from the list when you no longer need it.

Lifetime
    Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use an RDNS server to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).

Suffix
    Add one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes.
    A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the DNS query. For example, if a DNS client tries to submit a DNS query for the name quality without a suffix, the router appends a period and the first DNS suffix from the DNS search list to the name and transmits the DNS query. If the first DNS suffix on the list is company.com, the resulting DNS query from the router is for the fully qualified domain name quality.company.com.
    If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router uses the DNS suffixes until a DNS lookup is successful (ignores the remaining suffixes) or until the router has tried all of the suffixes on the list.
    Configure the firewall with the suffixes that you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries.
    You can configure a maximum of eight domain names (suffixes) for a DNS search list option that the firewall sends in order listed from top to bottom in an NDP router advertisement to the recipient, which uses them in the same order. Select a suffix and Move Up or Move Down to change the order of the suffixes or Delete a suffix when you no longer need it.
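The search-list behaviour described for the Suffix field, as an added Python example that is not code from the guide or from PAN-OS. It replaces the real DNS with a constructed answer table (the names and addresses are hypothetical) and applies the suffixes in the order listed, stopping at the first successful lookup, while enforcing the two limits the field states: at most eight suffixes, each at most 255 bytes.

```python
# Constructed answer table standing in for the DNS (FQDN -> address).
# The names are hypothetical and not taken from the guide.
FAKE_DNS = {
    "quality.company.com.": "2001:db8::10",
    "intranet.corp.example.": "2001:db8::20",
    "www.example.com.": "2001:db8::30",
}


def lookup(fqdn: str):
    """Stand-in resolver: returns the address, or None for a failed lookup."""
    key = fqdn if fqdn.endswith(".") else fqdn + "."
    return FAKE_DNS.get(key)


def search_list_is_valid(search_list) -> bool:
    """The Suffix field's limits: at most eight suffixes, each <= 255 bytes."""
    if len(search_list) > 8:
        return False
    return all(len(s.encode("utf-8")) <= 255 for s in search_list)


def resolve_with_search_list(name: str, search_list, resolver=lookup):
    """Apply a DNSSL the way the guide describes: append each suffix in turn
    to the unqualified name and query; the first success wins and the
    remaining suffixes are ignored. Returns (names_tried, address), with
    address None if every suffix failed. A name ending in '.' is already
    fully qualified and is looked up as-is (an assumption, since the guide
    only covers unqualified names)."""
    if not search_list_is_valid(search_list):
        raise ValueError("DNSSL exceeds the eight-suffix or 255-byte limit")
    if name.endswith("."):
        return [name], resolver(name)
    tried = []
    for suffix in search_list:          # in the order the RA listed them
        fqdn = f"{name}.{suffix}."
        tried.append(fqdn)
        addr = resolver(fqdn)
        if addr is not None:            # first success: stop here
            return tried, addr
    return tried, None


if __name__ == "__main__":
    dnssl = ["company.com", "corp.example"]   # constructed search list
    print(resolve_with_search_list("quality", dnssl))
    print(resolve_with_search_list("intranet", dnssl))
    print(resolve_with_search_list("nosuch", dnssl))
```

Because the client walks the list top to bottom, the order configured with Move Up and Move Down decides how many queries an unqualified name costs before it resolves, and which domain a colliding short name lands in.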

Lifetime
    Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS search list (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).
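The Router Advertisement and DNS Support fields above carry several constraints that span more than one field: Min Interval may not exceed Max Interval, both DNS lifetimes must fall between Max Interval and twice Max Interval, a per-address Valid Lifetime must equal or exceed its Preferred Lifetime, Send Router Advertisement on an address requires the interface-level Enable Router Advertisement, and a Router Lifetime of zero withdraws the firewall as default gateway. The Python checker below is an added example, not code from the guide or from PAN-OS; it reads a plain dictionary whose key names are constructed for this example (they are not PAN-OS configuration or API names) and encodes exactly the ranges and rules the table states.

```python
import random


def lint_ra_config(cfg: dict) -> list:
    """Return findings for a Router Advertisement configuration. The dict keys
    are constructed for this example (not PAN-OS names); defaults mirror the
    guide: Min 200, Max 600, Hop Limit 64, Router Lifetime 1,800, DNS
    lifetimes 1,200, Valid 2,592,000, Preferred 604,800."""
    findings = []
    mn = cfg.get("min_interval", 200)
    mx = cfg.get("max_interval", 600)
    if not 3 <= mn <= 1350:
        findings.append("Min Interval out of range 3-1,350")
    if not 4 <= mx <= 1800:
        findings.append("Max Interval out of range 4-1,800")
    if mn > mx:
        findings.append("Min Interval exceeds Max Interval")
    hop = cfg.get("hop_limit", 64)
    if not 0 <= hop <= 255:                      # 0 means no hop limit
        findings.append("Hop Limit must be 0 (none) or 1-255")
    router_lifetime = cfg.get("router_lifetime", 1800)
    if not 0 <= router_lifetime <= 9000:
        findings.append("Router Lifetime out of range 0-9,000")
    # DNS Support lifetimes are bounded by Max Interval .. 2 x Max Interval.
    for key in ("rdns_lifetime", "dnssl_lifetime"):
        lifetime = cfg.get(key, 1200)
        if not mx <= lifetime <= 2 * mx:
            findings.append(f"{key} must lie between {mx} and {2 * mx} (Max Interval to twice Max Interval)")
    # Per-address RA options from the Address table.
    for entry in cfg.get("addresses", []):
        valid = entry.get("valid_lifetime", 2_592_000)
        preferred = entry.get("preferred_lifetime", 604_800)
        if valid < preferred:
            findings.append(f"{entry['address']}: Valid Lifetime {valid} is below Preferred Lifetime {preferred}")
        if entry.get("send_ra") and not cfg.get("enable_ra"):
            findings.append(f"{entry['address']}: Send Router Advertisement set but Enable Router Advertisement is off")
    return findings


def advertises_default_gateway(cfg: dict) -> bool:
    """Router Lifetime 0 tells clients the firewall is not a default gateway."""
    return cfg.get("router_lifetime", 1800) > 0


def next_ra_delay(cfg: dict, rng=None) -> float:
    """RAs go out at a random interval between Min and Max Interval."""
    rng = rng or random.Random()
    return rng.uniform(cfg.get("min_interval", 200), cfg.get("max_interval", 600))


if __name__ == "__main__":
    sample = {                         # constructed configuration with errors
        "enable_ra": False, "min_interval": 700, "max_interval": 600,
        "router_lifetime": 0, "rdns_lifetime": 100,
        "addresses": [{"address": "2001:db8::1/64", "send_ra": True,
                       "valid_lifetime": 100, "preferred_lifetime": 200}],
    }
    for line in lint_ra_config(sample):
        print("finding:", line)
    print("default gateway:", advertises_default_gateway(sample))
```

Running such a check before commit catches the combinations the web interface only rejects one field at a time, and the Router Lifetime test makes explicit that a zero lifetime is a deliberate way to stop hosts from choosing the firewall as their gateway.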

Virtual Wire Interface

Network > Interfaces > Ethernet
A virtual wire interface binds two Ethernet ports together, allowing for all traffic to pass between the ports, or just traffic with selected VLAN tags (no other switching or routing services are available). You can also create Virtual Wire subinterfaces and classify traffic according to an IP address, IP range, or subnet. A virtual wire requires no changes to adjacent network devices.
To set up a virtual wire through the firewall, identify the interface to use for the virtual wire (Network > Interfaces > Ethernet), specify the virtual wire interface settings as described in the following table, and then Add the virtual wire (Network > Virtual Wires).

If you are using an existing interface for the virtual wire, first remove the interface from any associated security zone.

Virtual Wire Interface Settings

Interface Name (Configured In: Ethernet Interface)
    The interface name is predefined and you cannot change it.

Comment
    Enter an optional description for the interface.

Interface Type
    Select Virtual Wire.

Virtual Wire (Configured In: Ethernet Interface > Config)
    Select a virtual wire, or click Virtual Wire to define new Network > Virtual Wires. Select None to remove the current virtual wire assignment from the interface.

Virtual System
    If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system for the interface or click Virtual System to define a new vsys.

Security Zone
    Select a security zone for the interface, or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.

Link Speed (Configured In: Ethernet Interface > Advanced)
    Select the interface speed in Mbps (10, 100, or 1000), or select auto to have the firewall automatically determine the speed.

Link Duplex
    Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically (auto).

Link State
    Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).

Enable LLDP (Configured In: Ethernet Interface > Advanced > LLDP)
    Select to enable Link Layer Discovery Protocol (LLDP) on the interface. LLDP functions at the link layer to discover neighboring devices and their capabilities.

Profile
    If LLDP is enabled, select an LLDP profile to assign to the interface or click LLDP Profile to create a new profile (see Network > Network Profiles > LLDP Profile). Select None to configure the firewall to use global defaults.

Enable in HA Passive State
    If LLDP is enabled, select to configure an HA passive firewall to pre-negotiate LLDP with its peer before the firewall becomes active.
    If LLDP is not enabled, select to configure an HA passive firewall to simply pass LLDP packets through the firewall.


Virtual Wire Subinterface

Network > Interfaces > Ethernet
Virtual wire (vwire) subinterfaces allow you to separate traffic by VLAN tags or a VLAN tag and IP classifier combination, assign the tagged traffic to a different zone and virtual system, and then enforce security policies for the traffic that matches the defined criteria.
To add a subinterface to a Virtual Wire Interface, select the row for that interface, click Add Subinterface, and specify the following information.

Virtual Wire Subinterface Settings

Interface Name
    The read-only Interface Name displays the name of the vwire interface you selected. In the adjacent field, enter a numeric suffix (1-9,999) to identify the subinterface.

Comment
    Enter an optional description for the subinterface.

Tag
    Enter the VLAN tag (0-4,094) for the subinterface.

Netflow Profile
    If you want to export unidirectional IP traffic that traverses an ingress subinterface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Selecting None removes the current NetFlow server assignment from the subinterface.

IP Classifier
    Click Add and enter an IP address, IP range, or subnet to classify the traffic on this vwire subinterface.

Virtual Wire
    Select a virtual wire, or click Virtual Wire to define a new one (see Network > Virtual Wires). Select None to remove the current virtual wire assignment from the subinterface.

Virtual System
    If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the subinterface or click Virtual System to define a new vsys.

Security Zone
    Select a security zone for the subinterface, or click Zone to define a new zone. Select None to remove the current zone assignment from the subinterface.


Tap Interface

Network > Interfaces > Ethernet
You can use a tap interface to monitor traffic on a port.
To configure a tap interface, click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.

Tap Interface Settings

Interface Name (Configured In: Ethernet Interface)
    The interface name is predefined and you cannot change it.

Comment
    Enter an optional description for the interface.

Interface Type
    Select Tap.

Netflow Profile
    If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.

Virtual System (Configured In: Ethernet Interface > Config)
    If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system for the interface or click Virtual System to define a new vsys.

Security Zone
    Select a security zone for the interface or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.

Link Speed (Configured In: Ethernet Interface > Advanced)
    Select the interface speed in Mbps (10, 100, or 1000), or select auto to have the firewall automatically determine the speed.

Link Duplex
    Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically (auto).

Link State
    Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).


Log Card Interface

Network > Interfaces > Ethernet
If you configure log forwarding on a PA-7000 Series firewall, you must configure one data port as type Log Card. This is because the traffic and logging capabilities of this firewall model exceed the capabilities of the management (MGT) interface. A log card data port performs log forwarding for syslog, email, Simple Network Management Protocol (SNMP), Panorama log forwarding, and WildFire file forwarding.

You can configure only one port on the firewall as type Log Card. If you enable log forwarding but do not configure an interface with the Log Card type, you get an error when you attempt to commit your changes.

To configure a log card interface, select an Interface that is not configured (ethernet1/16, for example) and configure the settings described in the following table.

Log Card Interface Settings

Slot (Configured In: Ethernet Interface)
    Select the slot number (1-12) of the interface.

Interface Name
    The interface name is predefined and you cannot change it.

Comment
    Enter an optional description for the interface.

Interface Type
    Select Log Card.

IPv4 (Configured In: Ethernet Interface > Log Card Forwarding)
    If your network uses IPv4, define the following:
    - IP address: The IPv4 address of the port.
    - Netmask: The network mask for the IPv4 address of the port.
    - Default Gateway: The IPv4 address of the default gateway for the port.

IPv6
    If your network uses IPv6, define the following:
    - IP address: The IPv6 address of the port.
    - Default Gateway: The IPv6 address of the default gateway for the port.

Link Speed (Configured In: Ethernet Interface > Advanced)
    Select the interface speed in Mbps (10, 100, or 1000) or select auto (default) to have the firewall automatically determine the speed based on the connection. For interfaces that have a non-configurable speed, auto is the only option.
    The minimum recommended speed for the connection is 1000 (Mbps).

Link Duplex
    Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically based on the connection (auto). The default is auto.

Link State
    Select whether the interface status is enabled (up), disabled (down), or determined automatically based on the connection (auto). The default is auto.


Log Card Subinterface

Network > Interfaces > Ethernet
To add a subinterface to a Log Card Interface, select the row for that interface, click Add Subinterface, and specify the following information.

Log Card Subinterface Settings

Interface Name (Configured In: LPC Subinterface)
    Interface Name (read-only) displays the name of the log card interface you selected. In the adjacent field, enter a numeric suffix (1-9,999) to identify the subinterface.

Comment
    Enter an optional description for the interface.

Tag
    Enter the VLAN Tag (0-4,094) for the subinterface.
    Make the tag the same as the subinterface number for ease of use.

Virtual System (Configured In: LPC Subinterface > Config)
    Select the virtual system (vsys) to which the Log Processing Card (LPC) subinterface is assigned. Alternatively, you can click Virtual Systems to add a new vsys. Once an LPC subinterface is assigned to a vsys, that interface is used as the source interface for all services that forward logs (syslog, email, SNMP) from the log card.

IPv4 (Configured In: Ethernet Interface > Log Card Forwarding)
    If your network uses IPv4, define the following:
    - IP address: The IPv4 address of the port.
    - Netmask: The network mask for the IPv4 address of the port.
    - Default Gateway: The IPv4 address of the default gateway for the port.

IPv6
    If your network uses IPv6, define the following:
    - IP address: The IPv6 address of the port.
    - Default Gateway: The IPv6 address of the default gateway for the port.


Decrypt Mirror Interface

Network > Interfaces > Ethernet
To use the Decryption Port Mirror feature, you must select the Decrypt Mirror interface type. This feature enables creating a copy of decrypted traffic from a firewall and sending it to a traffic collection tool that can receive raw packet captures, such as NetWitness or Solera, for archiving and analysis. Organizations that require comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality require this feature. Decryption port mirroring is only available on PA-7000 Series firewalls, PA-5000 Series firewalls, and PA-3000 Series firewalls. To enable the feature, you must acquire and install the free license.
To configure a decrypt mirror interface, click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.

Decrypt Mirror Interface Settings

Interface Name
    The interface name is predefined and you cannot change it.

Comment
    Enter an optional description for the interface.

Interface Type
    Select Decrypt Mirror.

Link Speed
    Select the interface speed in Mbps (10, 100, or 1000), or select auto to have the firewall automatically determine the speed.

Link Duplex
    Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically (auto).

Link State
    Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).


Aggregate Ethernet (AE) Interface Group

Network > Interfaces > Ethernet
An AE interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that connects the firewall to another network device or another firewall. An AE interface group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy; when one interface fails, the remaining interfaces continue to support traffic.
Before configuring an AE interface group, you must configure its interfaces. All the interfaces in an aggregate group must be the same with respect to bandwidth (1Gbps or 10Gbps) and interface type (HA3, virtual wire, Layer 2, or Layer 3). You can add up to eight AE interface groups per firewall and each group can have up to eight interfaces.

All Palo Alto Networks firewalls except the PA-200 and VM-Series models support AE interface groups.
You can aggregate the HA3 (packet-forwarding) interfaces in a high availability (HA) active/active configuration but only on the following firewall models:
- PA-220
- PA-500
- PA-800 Series
- PA-3000 Series
- PA-5000 Series
- PA-5200 Series

To configure an AE interface group, Add Aggregate Group, configure the settings described in the following table, and then assign interfaces to the group (see Aggregate Ethernet (AE) Interface).

Aggregate Interface Group Settings

Interface Name (Configured In: Aggregate Ethernet Interface)
    The read-only Interface Name is set to ae. In the adjacent field, enter a numeric suffix (1 to 8) to identify the AE interface group.

Comment
    Enter an optional description for the interface.

Interface Type
    Select the interface type, which controls the remaining configuration requirements and options:
    - HA: Only select if the interface is an HA3 link between two firewalls in an active/active deployment. Optionally select a Netflow Profile and configure the LACP tab (see Enable LACP).
    - Virtual Wire: Optionally select a Netflow Profile, and configure the Config and Advanced tabs as described in Virtual Wire Settings.
    - Layer 2: Optionally select a Netflow Profile; configure the Config and Advanced tabs as described in Layer 2 Interface Settings; and optionally configure the LACP tab (see Enable LACP).
    - Layer 3: Optionally select a Netflow Profile; configure the Config, IPv4 or IPv6, and Advanced tabs as described in Layer 3 Interface Settings; and optionally configure the LACP tab (see Enable LACP).

Netflow Profile
    If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the AE interface group.


Enable LACP (Configured In: Aggregate Ethernet Interface > LACP)
    Select if you want to enable Link Aggregation Control Protocol (LACP) for the AE interface group. LACP is disabled by default.
    If you enable LACP, interface failure detection is automatic at the physical and data-link layers regardless of whether the firewall and its LACP peer are directly connected. (Without LACP, interface failure detection is automatic only at the physical layer between directly connected peers.) LACP also enables automatic failover to standby interfaces if you configure hot spares (see Max Ports).

Mode
    Select the LACP mode of the firewall. Between any two LACP peers, it is recommended that one is active and the other is passive. LACP cannot function if both peers are passive.
    - Active: The firewall actively queries the LACP status (available or unresponsive) of peer devices.
    - Passive (default): The firewall passively responds to LACP status queries from peer devices.

Transmission Rate
    Select the rate at which the firewall exchanges queries and responses with peer devices:
    - Fast: Every second
    - Slow: Every 30 seconds (this is the default setting)

Fast Failover
    Select if, when an interface goes down, you want the firewall to fail over to an operational interface within one second. Otherwise, failover occurs at the standard IEEE 802.1AX-defined speed (at least three seconds).


System Priority
    The number that determines whether the firewall or its peer overrides the other with respect to port priorities (see the Max Ports field description below). The lower the number, the higher the priority (range is 1-65,535; default is 32,768).

Max Ports
    The number of interfaces (1-8) that can be active at any given time in an LACP aggregate group. The value cannot exceed the number of interfaces you assign to the group. If the number of assigned interfaces exceeds the number of active interfaces, the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. You set the LACP port priorities when configuring individual interfaces for the group (see Aggregate Ethernet (AE) Interface).

Enable in HA Passive State
    For firewalls deployed in a high availability (HA) active/passive configuration, select to allow the passive firewall to pre-negotiate LACP with its active peer before a failover occurs. Pre-negotiation speeds up failover because the passive firewall does not have to negotiate LACP before becoming active.

Same System MAC Address for Active-Passive HA
    This applies only to firewalls deployed in a high availability (HA) active/passive configuration; firewalls in an active/active configuration require unique MAC addresses.
    HA firewall peers have the same system priority value. However, in an active/passive deployment, the system ID for each can be the same or different, depending on whether you assign the same MAC address.
    When the LACP peers (also in HA mode) are virtualized (appearing to the network as a single device), using the same system MAC address for the firewalls minimizes latency during failover. When the LACP peers are not virtualized, using the unique MAC address of each firewall minimizes failover latency.
    LACP uses the MAC address to derive a system ID for each LACP peer. If the firewall pair and peer pair have identical system priority values, LACP uses the system ID values to determine which overrides the other with respect to port priorities. If both firewalls have the same MAC address, both will have the same system ID, which will be higher or lower than the system ID of the LACP peers. If the HA firewalls have unique MAC addresses, it is possible for one to have a higher system ID than the LACP peers while the other has a lower system ID. In the latter case, when failover occurs on the firewalls, port prioritization switches between the LACP peers and the firewall that becomes active.

MAC Address
    If you enabled Use Same System MAC Address, select a system-generated MAC address, or enter your own, for both firewalls in the active/passive high availability (HA) pair. You must verify the address is globally unique.
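The interaction between Max Ports, LACP port priority, System Priority and the system ID is easier to see in code. The following Python is an added example, not code from the guide or from PAN-OS. It picks active and standby members from port priorities (lower number wins; ties are broken by interface name, which is an assumption since the guide does not state the tie-break), decides which side's port priorities govern from system priority and the MAC-derived system ID (on equal priority the numerically lower system ID wins, the IEEE 802.1AX rule), and shows why an HA pair with unique MACs can swap control on failover while a shared MAC keeps it stable. Interface names, MACs and priorities are constructed.

```python
def active_and_standby(interfaces: dict, max_ports: int):
    """Split an LACP group into (active, standby) using LACP port priority.
    `interfaces` maps interface name -> port priority (1-65,535, default
    32,768). Lower numeric value is higher priority; ties fall back to the
    interface name for a deterministic result (assumption)."""
    if not 1 <= max_ports <= 8:
        raise ValueError("Max Ports is 1-8")
    if max_ports > len(interfaces):
        raise ValueError("Max Ports cannot exceed the number of assigned interfaces")
    order = sorted(interfaces, key=lambda name: (interfaces[name], name))
    return order[:max_ports], order[max_ports:]


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def controlling_system(local_priority: int, local_mac: str,
                       peer_priority: int, peer_mac: str) -> str:
    """Which side's port priorities decide active/standby selection: the lower
    System Priority wins; on a tie LACP compares the system IDs derived from
    the MAC addresses, and the numerically lower one wins (IEEE 802.1AX)."""
    local = (local_priority, _mac_int(local_mac))
    peer = (peer_priority, _mac_int(peer_mac))
    return "local" if local < peer else "peer"


def ha_failover_flips_control(fw_a_mac: str, fw_b_mac: str, peer_mac: str,
                              priority: int = 32768) -> bool:
    """The guide's point about Same System MAC Address for Active-Passive HA:
    with unique MACs one HA member may win the tie-break while the other
    loses it, so control switches on failover; with a shared MAC both
    members resolve the same way."""
    with_a = controlling_system(priority, fw_a_mac, priority, peer_mac)
    with_b = controlling_system(priority, fw_b_mac, priority, peer_mac)
    return with_a != with_b


if __name__ == "__main__":
    # Constructed group: four members, Max Ports = 2, two explicit priorities.
    members = {"ethernet1/1": 100, "ethernet1/2": 32768,
               "ethernet1/3": 50, "ethernet1/4": 32768}
    print(active_and_standby(members, 2))
    # Constructed HA pair MACs versus a constructed switch MAC.
    print(ha_failover_flips_control("00:11:22:33:44:55", "00:ff:00:00:00:01",
                                    "00:aa:bb:cc:dd:ee"))
```

When the two HA members sit on opposite sides of the peer's system ID, the set of active links can change at failover even though nothing in the group configuration changed; assigning a shared system MAC removes that variable.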

Aggregate Ethernet (AE) Interface

Network > Interfaces > Ethernet
To configure an Aggregate Ethernet (AE) Interface, first configure an Aggregate Ethernet (AE) Interface Group and click the name of the interface you will assign to that group. The interface you select must be the same type as that defined for the AE interface group (for example, Layer 3); you will change the type to Aggregate Ethernet when you configure the interface. Specify the following information for the interface.

If you enabled Link Aggregation Control Protocol (LACP) for the AE interface group, select the same Link Speed and Link Duplex for every interface in that group. For non-matching values, the commit operation displays a warning and PAN-OS defaults to the higher speed and full duplex.

Aggregate Interface Settings

Interface Name (Configured In: Aggregate Ethernet Interface)
    The interface name is predefined and you cannot change it.

Comment
    (Optional) Enter a description for the interface.

Interface Type
    Select Aggregate Ethernet.

Aggregate Group
    Assign the interface to an aggregate group.

Link Speed
    Select the interface speed in Mbps (10, 100, or 1000), or select auto to have the firewall automatically determine the speed.

Link Duplex
    Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically (auto).

Link State
    Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).

LACP Port Priority
    The firewall only uses this field if you enabled Link Aggregation Control Protocol (LACP) for the aggregate group. If the number of interfaces you assign to the group exceeds the number of active interfaces (the Max Ports field), the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. The lower the numeric value, the higher the priority (range is 1-65,535; default is 32,768).

Virtual Router (Configured In: Aggregate Ethernet Interface > Config)
    Select the virtual router to which you assign the Aggregate Ethernet interface.

Security Zone
    Select the security zone to which you assign the Aggregate Ethernet interface.


Enable IPv6 on the interface (Configured In: Aggregate Ethernet Interface > IPv6)
    Select to enable IPv6 on this interface.

Interface ID
    Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you Use interface ID as host portion when adding an address, the firewall uses the interface ID as the host portion of that address.

Address
    Add an IPv6 address and configure the following parameters:
    - Address: Enter an IPv6 address and prefix length (e.g. 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create one.
    - Enable address on interface: Select to enable the IPv6 address on the interface.
    - Use interface ID as host portion: Select to use the Interface ID as the host portion of the IPv6 address.
    - Anycast: Select to include routing through the nearest node.
    - Send RA: Select to enable router advertisement (RA) for this IP address. When you select this option, you must also globally Enable Router Advertisement on the interface. For details on RA, see Enable Router Advertisement.
      The remaining fields are visible only after you enable RA:
      - Valid Lifetime: The length of time, in seconds, that the firewall considers the address as valid. The valid lifetime must equal or exceed the Preferred Lifetime. The default is 2,592,000.
      - Preferred Lifetime: The length of time, in seconds, that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall cannot use the address to establish new connections but any existing connections are valid until they exceed the Valid Lifetime. The default is 604,800.
      - On-link: Select if systems with IP addresses within the advertised prefix are reachable without a router.
      - Autonomous: Select if systems can independently create an IP address by combining the advertised prefix with an interface ID.

Enable Duplication Address Detection (Configured In: Aggregate Ethernet Interface > IPv6 > Address Resolution)
    Select to enable duplicate address detection (DAD), which then allows you to specify the number of DAD Attempts.

DAD Attempts
    Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1-10; default is 1).

Reachable Time
    Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 1-36,000; default is 30).

NS Interval (neighbor solicitation interval)
    Specify the length of time, in seconds, before a DAD attempt failure is indicated (range is 1-10; default is 1).

Enable NDP Monitoring
    Select to enable Neighbor Discovery Protocol monitoring. When enabled, you can select the NDP (in the Features column) and view information such as the IPv6 address of a neighbor the firewall has discovered, the corresponding MAC address and User-ID (on a best-case basis).


Network Network>Interfaces

Aggregate ConfiguredIn Description


InterfaceSettings

Enable Router Advertisement
Configured In: Aggregated Ethernet Interface > IPv6 > Router Advertisement
Select to provide Neighbor Discovery on IPv6 interfaces and configure the other fields in this section. IPv6 DNS clients that receive the router advertisement (RA) messages use this information.
RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients.
This is a global setting for the interface. If you want to set RA options for individual IP addresses, Add and configure an Address in the IP address table. If you set RA options for any IP address, you must Enable Router Advertisement for the interface.

Min Interval (sec)
Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Max Interval (sec)
Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Hop Limit
Specify the hop limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit.

Link MTU
Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280-9,192; default is unspecified).

Reachable Time (ms)
Specify the reachable time, in milliseconds, that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified).

Retrans Time (ms)
Specify the retransmission timer that determines how long the client will wait, in milliseconds, before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified).

Router Lifetime (sec)
Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.

Router Preference
If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.

Managed Configuration
Select to indicate to the client that addresses are available via DHCPv6.

Other Configuration
Select to indicate to the client that other address information (such as DNS-related settings) is available via DHCPv6.


Consistency Check
Configured In: Aggregated Ethernet Interface > IPv6 > Router Advertisement (cont)
Select if you want the firewall to verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies in a system log; the type is ipv6nd.

Include DNS information in Router Advertisement
Configured In: Aggregated Ethernet Interface > IPv6 > DNS Support
Select for the firewall to send DNS information in NDP router advertisement (RA) messages from this IPv6 Aggregated Ethernet interface. The other DNS Support fields in this table are visible only after you select this option.

Server
Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 Aggregated Ethernet interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client.
You can configure a maximum of eight RDNS Servers that the firewall sends in the order listed from top to bottom in an NDP router advertisement to the recipient, which then uses those addresses in the same order. Select a server and Move Up or Move Down to change the order of the servers or Delete a server when you no longer need it.

Lifetime
Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use the RDNS Servers to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).

Suffix
Add and configure one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes.
A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the DNS query. For example, if a DNS client tries to submit a DNS query for the name quality without a suffix, the router appends a period and the first DNS suffix from the DNS search list to the name and transmits the DNS query. If the first DNS suffix on the list is company.com, the resulting DNS query from the router is for the fully qualified domain name quality.company.com.
If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router tries DNS suffixes until a DNS lookup is successful (ignores the remaining suffixes) or until the router has tried all of the suffixes on the list.
Configure the firewall with the suffixes you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries.
You can configure a maximum of eight domain names (suffixes) for a DNS search list that the firewall sends in order listed from top to bottom in an NDP router advertisement to the recipient, which uses them in the same order. Select a suffix and Move Up or Move Down to change the order of the suffixes or Delete a suffix from the list when you no longer need it.


Lifetime
Configured In: Aggregated Ethernet Interface > IPv6 > DNS Support (cont)
Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS search list (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).

HA Interface

Network > Interfaces > Ethernet
Each high availability (HA) interface has a specific function: one interface is for configuration synchronization and heartbeats, and the other interface is for state synchronization. If active/active high availability is enabled, the firewall can use a third HA interface to forward packets.

Some Palo Alto Networks firewalls include dedicated physical ports for use in HA deployments (one for the control link and one for the data link). For firewalls that do not include dedicated ports, you must specify the data ports that will be used for HA. For additional information on HA, refer to Device > Virtual Systems.

To configure an HA interface, click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.

HA Interface Settings | Description

Interface Name
The interface name is predefined and you cannot change it.

Comment
Enter an optional description for the interface.

Interface Type
Select HA.

Link Speed
Select the interface speed in Mbps (10, 100, or 1000), or select auto to have the firewall automatically determine the speed.

Link Duplex
Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically (auto).

Link State
Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).


Network > Interfaces > VLAN

A VLAN interface can provide routing into a Layer 3 network (IPv4 and IPv6). You can add one or more Layer 2 Ethernet ports (see Layer 2 Interface) to a VLAN interface.

VLAN Interface Settings | Configure In | Description

Interface Name
Configure In: VLAN Interface
The read-only Interface Name is set to vlan. In the adjacent field, enter a numeric suffix (1-9999) to identify the interface.

Comment
Enter an optional description for the interface.

Netflow Profile
If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.

VLAN
Configure In: VLAN Interface > Config
Select a VLAN or click VLAN to define a new one (see Network > VLANs). Select None to remove the current VLAN assignment from the interface.

Virtual Router
Assign a virtual router to the interface, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.

Virtual System
If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.

Security Zone
Select a security zone for the interface, or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.

Management Profile
Configure In: VLAN Interface > Advanced > Other Info
Management Profile: Select a profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface.

MTU
Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.

Adjust TCP MSS
Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:
- IPv4 MSS Adjustment Size: Range is 40-300; default is 40.
- IPv6 MSS Adjustment Size: Range is 60-300; default is 60.
Use these settings to address the case where a tunnel through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment.
Encapsulation adds length to headers, so it helps to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.


IP Address / MAC Address / Interface
Configure In: VLAN Interface > Advanced > ARP Entries
To add one or more static Address Resolution Protocol (ARP) entries, click Add and enter an IP address, enter its associated hardware [media access control (MAC)] address, and select a Layer 3 interface that can access the hardware address. To delete an entry, select the entry and click Delete. Static ARP entries reduce ARP processing and preclude man-in-the-middle attacks for the specified addresses.

IPv6 Address / MAC Address
Configure In: VLAN Interface > Advanced > ND Entries
To provide neighbor information for Neighbor Discovery Protocol (NDP), click Add and enter the IPv6 address and MAC address of the neighbor.

Enable NDP Proxy
Configure In: VLAN Interface > Advanced > NDP Proxy
Select to enable Neighbor Discovery Protocol (NDP) Proxy for the interface. The firewall will respond to ND packets requesting MAC addresses for IPv6 addresses in this list. In the ND response, the firewall sends its own MAC address for the interface, and is basically saying, send me the packets meant for these addresses.
(Recommended) Enable NDP Proxy if you are using Network Prefix Translation IPv6 (NPTv6).
If you Enable NDP Proxy, you can filter numerous Address entries: first enter a filter and then apply it (green arrow).

Address
Add one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as NDP Proxy. Ideally, one of these addresses is the same address as that of the source translation in NPTv6. The order of addresses does not matter.
If the address is a subnetwork, the firewall will send an ND response for all addresses in the subnet, so we recommend you also add the firewall's IPv6 neighbors and then click Negate to instruct the firewall not to respond to these IP addresses.

Negate
Select Negate for an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet.
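The Address and Negate rows above describe which neighbor solicitations the firewall answers; the following added example (not code from the guide or from PAN-OS) models that decision for a constructed proxy list, treating a matching negated entry as overriding any matching non-negated entry, which is the assumption behind the guide's advice to negate the firewall's own neighbors inside a proxied subnet.

```python
import ipaddress

# Constructed NDP Proxy address list for this example (not from the guide).
# Each tuple is one row of the Address table: an IPv6 address, range or subnet,
# and whether Negate is selected. As the guide says, the order does not matter.
SAMPLE_PROXY_LIST = [
    ("2001:db8:100::/64", False),                  # NPTv6 source-translation prefix: proxy it
    ("2001:db8:100::1", True),                     # the firewall's IPv6 neighbor on that link: negated
    ("2001:db8:100::10-2001:db8:100::1f", True),   # a negated range of further neighbors
]


def _contains(entry, addr):
    """True if `addr` (an IPv6Address) falls inside one Address-table entry."""
    if "-" in entry:                               # range written as low-high
        lo, hi = (ipaddress.IPv6Address(p) for p in entry.split("-"))
        return lo <= addr <= hi
    if "/" in entry:                               # subnet in prefix notation
        return addr in ipaddress.IPv6Network(entry, strict=False)
    return addr == ipaddress.IPv6Address(entry)    # single host address


def will_proxy(target, proxy_list):
    """Decide whether the firewall answers a neighbor solicitation for `target`
    with its own MAC address.

    A negated entry that matches wins over any non-negated entry that matches,
    so a subset of a proxied subnet can be carved out with Negate.
    """
    addr = ipaddress.IPv6Address(target)
    if any(neg and _contains(e, addr) for e, neg in proxy_list):
        return False
    return any(not neg and _contains(e, addr) for e, neg in proxy_list)
```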

For an IPv4 address

Type
Configure In: VLAN Interface > IPv4
Select the method for assigning an IPv4 address type to the interface:
- Static: You must manually specify the IP address.
- DHCP Client: Enables the interface to act as a Dynamic Host Configuration Protocol (DHCP) client and receive a dynamically assigned IP address. Firewalls that are in active/active high availability (HA) mode don't support DHCP Client.
Based on your IP address method selection, the options displayed in the tab will vary.


IPv4 address Type = Static

IP
Configure In: VLAN Interface > IPv4
Click Add, then perform one of the following steps to specify a static IP address and network mask for the interface.
- Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
- Select an existing address object of type IP netmask.
- Create an Address object of type IP netmask.
You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your system uses determines the maximum number of IP addresses.
Delete an IP address when you no longer need it.

IPv4 address Type = DHCP

Enable
Configure In: VLAN Interface > IPv4
Select to activate the DHCP client on the interface.

Automatically create default route pointing to default gateway provided by server
Select to automatically create a default route that points to the default gateway that the DHCP server provides.

Default Route Metric
For the route between the firewall and DHCP server, optionally enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1-65,535; there is no default). The priority level increases as the numeric value decreases.

Show DHCP Client Runtime Info
Select to display all settings received from the DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).

For an IPv6 address

Enable IPv6 on the interface
Configure In: VLAN Interface > IPv6
Select to enable IPv6 addressing on this interface.

Interface ID
Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address.


Address
Configure In: VLAN Interface > IPv6 (cont)
Click Add and configure the following parameters for each IPv6 address:
- Address: Enter an IPv6 address and prefix length (e.g. 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create an address object.
- Enable address on interface: Select to enable the IPv6 address on the interface.
- Use interface ID as host portion: Select to use the Interface ID as the host portion of the IPv6 address.
- Anycast: Select to include routing through the nearest node.
- Send RA: Select to enable router advertisement (RA) for this IP address. When you select this option, you must also globally Enable Router Advertisement on the interface. For details on RA, see Enable Router Advertisement.
The remaining fields apply only if you enable RA.
- Valid Lifetime: The length of time, in seconds, that the firewall considers the address as valid. The valid lifetime must equal or exceed the Preferred Lifetime. The default is 2,592,000.
- Preferred Lifetime: The length of time, in seconds, that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall cannot use the address to establish new connections but any existing connections are valid until they exceed the Valid Lifetime. The default is 604,800.
- On-link: Select if systems with IP addresses within the advertised prefix are reachable without a router.
- Autonomous: Select if systems can independently create an IP address by combining the advertised prefix with an interface ID.

Enable Duplication Address Detection
Configure In: VLAN Interface > IPv6 > Address Resolution
Select to enable duplicate address detection (DAD), which allows you to specify the number of DAD Attempts.

DAD Attempts
Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1-10; default is 1).

Reachable Time
Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 1-36,000; default is 30).

NS Interval (neighbor solicitation interval)
Specify the number of seconds for DAD attempts before failure is indicated (range is 1-10; default is 1).

Enable NDP Monitoring
Select to enable Neighbor Discovery Protocol monitoring. When enabled, you can select the NDP icon in the Features column and view information such as the IPv6 address of a neighbor the firewall has discovered, the corresponding MAC address and User-ID (on a best-case basis).


Enable Router Advertisement
Configure In: VLAN Interface > IPv6 > Router Advertisement
Select to provide Neighbor Discovery on IPv6 interfaces and configure the other fields in this section. IPv6 DNS clients that receive the router advertisement (RA) messages use this information.
RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients.
This is a global setting for the interface. If you want to set RA options for individual IP addresses, Add an Address to the IP address table and configure it. If you set RA options for any IP address, you must Enable Router Advertisement for the interface.

Min Interval (sec)
Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Max Interval (sec)
Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Hop Limit
Specify the hop limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit.

Link MTU
Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280-9,192; default is unspecified).

Reachable Time (ms)
Specify the reachable time, in milliseconds, that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified).

Retrans Time (ms)
Specify the retransmission timer that determines how long the client will wait (in milliseconds) before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified).

Router Lifetime (sec)
Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.

Router Preference
If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.

Managed Configuration
Select to indicate to the client that addresses are available via DHCPv6.

Other Configuration
Select to indicate to the client that other address information (for example, DNS-related settings) is available via DHCPv6.


Consistency Check
Configure In: VLAN Interface > IPv6 > Router Advertisement (cont)
Select if you want the firewall to verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies in a system log; the type is ipv6nd.

Include DNS information in Router Advertisement
Configure In: VLAN Interface > IPv6 > DNS Support
Select for the firewall to send DNS information in NDP router advertisements from this IPv6 VLAN interface. The other DNS Support fields in this table are visible only after you select this option.

Server
Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 VLAN interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client.
You can configure a maximum of eight RDNS servers that the firewall sends in the order listed from top to bottom in an NDP router advertisement to the recipient, which then uses them in the same order. Select a server and Move Up or Move Down to change the order of the servers or Delete a server from the list when you no longer need it.

Lifetime
Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use the RDNS servers to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).

Suffix
Add and configure one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes.
A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the DNS query. For example, if a DNS client tries to submit a DNS query for the name quality without a suffix, the router appends a period and the first DNS suffix from the DNS search list to the name and then transmits the DNS query. If the first DNS suffix on the list is company.com, the resulting DNS query from the router is for the fully qualified domain name quality.company.com.
If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router tries DNS suffixes until a DNS lookup is successful (ignores the remaining suffixes) or until the router has tried all of the suffixes on the list.
Configure the firewall with the suffixes that you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries.
You can configure a maximum of eight domain names (suffixes) for a DNS search list that the firewall sends in order listed from top to bottom in an NDP router advertisement to the recipient, which uses those addresses in the same order. Select a suffix and Move Up or Move Down to change the order of the suffixes or Delete a suffix from the list when you no longer need it.

Lifetime
Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS search list (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).
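The Router Advertisement, DNS Support and Address tables for both the Aggregated Ethernet and the VLAN interface state the same ranges and relationships (Min/Max Interval, the eight-entry and 255-byte limits, DNS lifetimes tied to Max Interval, Valid Lifetime versus Preferred Lifetime). The following added example (not code from the guide or from PAN-OS) checks a constructed configuration against those constraints before it is entered; the SAMPLE_RA dictionary, its key names and the "None means unspecified" convention are assumptions of this example.

```python
# Constructed example values for one IPv6 interface (not from the guide): the
# Router Advertisement and DNS Support fields, plus per-address lifetimes from
# the Address table. None stands for "unspecified" in the web interface.
SAMPLE_RA = {
    "min_interval": 200, "max_interval": 600,           # seconds, guide defaults
    "hop_limit": 64, "link_mtu": None,
    "reachable_time": None, "retrans_time": None,       # milliseconds
    "router_lifetime": 1800,                             # seconds
    "rdns_servers": ["2001:db8::53"], "rdns_lifetime": 1200,
    "dnssl_suffixes": ["company.com"], "dnssl_lifetime": 1200,
    "addresses": [
        {"prefix": "2001:db8:1::1/64", "send_ra": True,
         "valid_lifetime": 2592000, "preferred_lifetime": 604800},
    ],
}


def _in_range(value, lo, hi):
    return lo <= value <= hi


def check_ra(cfg):
    """Return the list of constraint violations; [] means the values satisfy
    the ranges and relationships stated in the RA, DNS Support and Address
    tables. The ranges are the guide's; min <= max is implied by the firewall
    sending RAs at random intervals between the two values."""
    p = []
    mn, mx = cfg["min_interval"], cfg["max_interval"]
    if not _in_range(mn, 3, 1350):
        p.append("Min Interval must be 3-1,350 seconds")
    if not _in_range(mx, 4, 1800):
        p.append("Max Interval must be 4-1,800 seconds")
    if mn > mx:
        p.append("Min Interval must not exceed Max Interval")
    if not _in_range(cfg["hop_limit"], 0, 255):           # 0 means no hop limit
        p.append("Hop Limit must be 0-255")
    if cfg["link_mtu"] is not None and not _in_range(cfg["link_mtu"], 1280, 9192):
        p.append("Link MTU must be 1,280-9,192 or unspecified")
    if cfg["reachable_time"] is not None and not _in_range(cfg["reachable_time"], 0, 3600000):
        p.append("Reachable Time must be 0-3,600,000 ms or unspecified")
    if cfg["retrans_time"] is not None and not _in_range(cfg["retrans_time"], 0, 4294967295):
        p.append("Retrans Time must be 0-4,294,967,295 ms or unspecified")
    if not _in_range(cfg["router_lifetime"], 0, 9000):    # 0 = not the default gateway
        p.append("Router Lifetime must be 0-9,000 seconds")
    # DNS Support: at most eight entries each; lifetimes run from Max Interval
    # to twice Max Interval, so the default of 1,200 only fits the default 600.
    if len(cfg["rdns_servers"]) > 8:
        p.append("at most eight RDNS Servers")
    if len(cfg["dnssl_suffixes"]) > 8:
        p.append("at most eight DNS search list suffixes")
    for s in cfg["dnssl_suffixes"]:
        if len(s.encode()) > 255:
            p.append(f"suffix {s!r} exceeds 255 bytes")
    for label in ("rdns_lifetime", "dnssl_lifetime"):
        if not _in_range(cfg[label], mx, 2 * mx):
            p.append(f"{label} must be between Max Interval and twice Max Interval")
    # Address table: Valid Lifetime must equal or exceed Preferred Lifetime
    # (these fields only apply when Send RA is selected for the address).
    for a in cfg["addresses"]:
        if a["send_ra"] and a["valid_lifetime"] < a["preferred_lifetime"]:
            p.append(f"{a['prefix']}: Valid Lifetime is below Preferred Lifetime")
    return p
```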
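The Suffix rows (for the Aggregated Ethernet and the VLAN interface alike) describe how a client walks the DNS search list: append a period and the next suffix, query, stop at the first success. The following added example (not code from the guide or from PAN-OS) simulates that walk with a constructed DNSSL option and a constructed resolver table, and also drops the suffixes once the advertised Lifetime has passed since the RA was received; the names SAMPLE_DNSSL, SAMPLE_ZONE and the clock values are assumptions of this example.

```python
# Constructed DNSSL option as a client would keep it after receiving an NDP
# router advertisement (not from the guide). Suffix order is the advertised
# order, top to bottom; lifetime is the guide's default of 1,200 seconds.
SAMPLE_DNSSL = {
    "received_at": 1000.0,                          # client clock (seconds) when the RA arrived
    "lifetime": 1200,
    "suffixes": ["corp.example", "company.com"],
}

# Constructed answer table standing in for the recursive DNS servers.
SAMPLE_ZONE = {
    "quality.company.com": "2001:db8::10",
}


def candidate_names(name, dnssl, now):
    """Return the fully qualified names a client would try, in order.

    Each suffix is appended to the unqualified name with a period, in the
    advertised order. Once the DNSSL lifetime has elapsed since the RA was
    received, the client may no longer use the suffixes, so nothing is returned.
    """
    if now - dnssl["received_at"] > dnssl["lifetime"]:
        return []
    return [f"{name}.{suffix}" for suffix in dnssl["suffixes"]]


def resolve_with_search_list(name, dnssl, zone, now):
    """Try each candidate until one lookup succeeds.

    Returns (fqdn, address, queries_sent); (None, None, n) when all n suffixes
    were tried without success. Remaining suffixes are ignored after a hit.
    """
    queries = 0
    for fqdn in candidate_names(name, dnssl, now):
        queries += 1
        addr = zone.get(fqdn)
        if addr is not None:
            return fqdn, addr, queries
    return None, None, queries
```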


Network > Interfaces > Loopback

Use the following fields to configure a loopback interface:

Loopback Interface Settings | Configure In | Description

Interface Name
Configure In: Loopback Interface
The read-only Interface Name is set to loopback. In the adjacent field, enter a numeric suffix (1-9999) to identify the interface.

Comment
Enter an optional description for the interface.

Netflow Profile
If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.

Virtual Router
Configure In: Loopback Interface > Config
Assign a virtual router to the interface, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.

Virtual System
If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.

Security Zone
Select a security zone for the interface, or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.

Management Profile
Configure In: Tunnel Interface > Advanced > Other Info
Management Profile: Select a profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface.

MTU
Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.

Adjust TCP MSS
Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:
- IPv4 MSS Adjustment Size: Range is 40-300; default is 40.
- IPv6 MSS Adjustment Size: Range is 60-300; default is 60.
Use these settings to address the case where a tunnel through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment.
Encapsulation adds length to headers, so it helps to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.


For an IPv4 address

IP
Configure In: Loopback Interface > IPv4
Click Add, then perform one of the following steps to specify a static IP address and network mask for the interface.
- Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
- Select an existing address object of type IP netmask.
- Click Address to create an address object of type IP netmask.
You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your system uses determines the maximum number of IP addresses.
To delete an IP address, select the address and click Delete.

For an IPv6 address

Enable IPv6 on the interface
Configure In: Loopback Interface > IPv6
Select to enable IPv6 addressing on this interface.

Interface ID
Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address.

Address
Click Add and configure the following parameters for each IPv6 address:
- Address: Enter an IPv6 address and prefix length (e.g. 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create an address object.
- Enable address on interface: Select to enable the IPv6 address on the interface.
- Use interface ID as host portion: Select to use the Interface ID as the host portion of the IPv6 address.
- Anycast: Select to include routing through the nearest node.


Network > Interfaces > Tunnel

Use the following fields to configure a tunnel interface:

Tunnel Interface Settings | Configure In | Description

Interface Name
Configure In: Tunnel Interface
The read-only Interface Name is set to tunnel. In the adjacent field, enter a numeric suffix (1-9,999) to identify the interface.

Comment
Enter an optional description for the interface.

Netflow Profile
If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.

Virtual Router
Configure In: Tunnel Interface > Config
Assign a virtual router to the interface, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.

Virtual System
If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.

Security Zone
Select a security zone for the interface, or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.

Management Profile
Configure In: Tunnel Interface > Advanced > Other Info
Management Profile: Select a profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface.

MTU
Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.

For an IPv4 address

IP
Configure In: Tunnel Interface > IPv4
Click Add, then perform one of the following steps to specify a static IP address and network mask for the interface.
- Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
- Select an existing address object of type IP netmask.
- Click Address to create an address object of type IP netmask.
You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your system uses determines the maximum number of IP addresses.
To delete an IP address, select the address and click Delete.

For an IPv6 address

Enable IPv6 on the interface
Configure In: Tunnel Interface > IPv6
Select to enable IPv6 addressing on this interface.


Interface ID
Configure In: Tunnel Interface > IPv6
Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address.

Address
Click Add and configure the following parameters for each IPv6 address:
- Address: Enter an IPv6 address and prefix length (e.g. 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create an address object.
- Enable address on interface: Select to enable the IPv6 address on the interface.
- Use interface ID as host portion: Select to use the Interface ID as the host portion of the IPv6 address.
- Anycast: Select to include routing through the nearest node.


Network > Virtual Routers

The firewall requires a virtual router to obtain routes to other subnets either using static routes that you manually define, or through participation in Layer 3 routing protocols (dynamic routes). Each Layer 3 interface, loopback interface, and VLAN interface defined on the firewall must be associated with a virtual router. Each interface can belong to only one virtual router.
Defining a virtual router requires general settings and any combination of static routes or dynamic routing protocols, as required by your network. You can also configure other features such as route redistribution and ECMP.

What are you looking for? | See

What are the required elements of a virtual router?
General Settings of a Virtual Router

Configure:
- Static Routes
- Route Redistribution
- RIP
- OSPF
- OSPFv3
- BGP
- IP Multicast
- ECMP

View information about a virtual router.
More Runtime Stats for a Virtual Router

Looking for more?
Networking


General Settings of a Virtual Router

Network > Virtual Routers > Router Settings > General
All virtual routers require that you assign Layer 3 interfaces and administrative distance metrics as described in the following table.

Virtual Router General Settings | Description

Name
Specify a name to describe the virtual router (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Interfaces
Select the interfaces that you want to include in the virtual router. Thus, they can be used as outgoing interfaces in the virtual router's routing table.
To specify the interface type, refer to Network > Interfaces.
When you add an interface, its connected routes are added automatically.

Administrative Distances
Specify the following administrative distances:
- Static routes: Range is 10-240; default is 10.
- OSPF Int: Range is 10-240; default is 30.
- OSPF Ext: Range is 10-240; default is 110.
- IBGP: Range is 10-240; default is 200.
- EBGP: Range is 10-240; default is 20.
- RIP: Range is 10-240; default is 120.

Static Routes

Network > Virtual Routers > Static Routes
Optionally add one or more static routes. Click the IP or IPv6 tab to specify the route using an IPv4 or IPv6 address. It is usually necessary to configure default routes (0.0.0.0/0) here. Default routes are applied for destinations that are otherwise not found in the virtual router's routing table.

Static Route Settings | Description

Name
Enter a name to identify the static route (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Destination
Enter an IP address and network mask in Classless Interdomain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24 for IPv4 or 2001:db8::/32 for IPv6).

Interface
Select the interface to forward packets to the destination, or configure the next hop settings, or both.


Next Hop
Select one of the following:
- IP Address: Select to enter the IP address of the next hop router.
- Next VR: Select to select a virtual router in the firewall as the next hop. This allows you to route internally between virtual routers within a single firewall.
- Discard: Select if you want to drop traffic that is addressed to this destination.
- None: Select if there is no next hop for the route.

Admin Distance
Specify the administrative distance for the static route (10-240; default is 10).

Metric
Specify a valid metric for the static route (1-65535).

Route Table
Select the route table into which the firewall installs the static route:
- Unicast: Installs the route into the unicast route table.
- Multicast: Installs the route into the multicast route table.
- Both: Installs the route into the unicast and multicast route tables.
- No Install: Does not install the route in the route table (RIB); the firewall retains the static route for future reference until you delete the route.

BFD Profile
To enable Bidirectional Forwarding Detection (BFD) for a static route on a PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, or VM-Series firewall, select one of the following:
- default (default BFD settings)
- a BFD profile that you have created on the firewall
- New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for the static route.
To use BFD on a static route:
- Both the firewall and the peer at the opposite end of the static route must support BFD sessions.
- The static route Next Hop type must be IP Address and you must enter a valid IP address.
- The Interface setting cannot be None; you must select an interface (even if you are using a DHCP address).

Path Monitoring
Select to enable path monitoring for the static route.

Failure Condition
Select the condition under which the firewall considers the monitored path down and thus the static route down:
- Any: If any one of the monitored destinations for the static route is unreachable by ICMP, the firewall removes the static route from the RIB and FIB and adds the dynamic or static route that has the next lowest metric going to the same destination to the FIB.
- All: If all of the monitored destinations for the static route are unreachable by ICMP, the firewall removes the static route from the RIB and FIB and adds the dynamic or static route that has the next lowest metric going to the same destination to the FIB.
Select All to avoid the possibility of a single monitored destination signaling a static route failure when that monitored destination is simply offline for maintenance, for example.


Preemptive Hold Time (min) | Enter the number of minutes a downed path monitor must remain in Up state (the path monitor evaluates all of its member monitored destinations and must remain Up) before the firewall reinstalls the static route into the RIB. If the timer expires without the link going down or flapping, the link is deemed stable, path monitor can remain Up, and the firewall can add the static route back into the RIB.
If the link goes down or flaps during the hold time, path monitor fails and the timer restarts when the downed monitor returns to Up state. A Preemptive Hold Time of zero causes the firewall to reinstall the static route into the RIB immediately upon the path monitor coming up. Range is 0-1,440; default is 2.

Name | Enter a name for the monitored destination (up to 31 characters).

Enable | Select to enable path monitoring of this specific destination for the static route; the firewall sends ICMP pings to this destination.

Source IP | Select the IP address that the firewall will use as the source in the ICMP ping to the monitored destination:
• If the interface has multiple IP addresses, select one.
• If you select an interface, the firewall uses the first IP address assigned to the interface by default.
• If you select DHCP (Use DHCP Client address), the firewall uses the address that DHCP assigned to the interface. To see the DHCP address, select Network > Interfaces > Ethernet and, in the row for the Ethernet interface, click on Dynamic DHCP Client. The IP Address appears in the Dynamic IP Interface Status window.

Destination IP | Enter a robust, stable IP address or address object for which the firewall will monitor the path. The monitored destination and the static route destination must use the same address family (IPv4 or IPv6).

Ping Interval (sec) | Specify the ICMP ping interval in seconds to determine how frequently the firewall monitors the path (pings the monitored destination; range is 1-60; default is 3).

Ping Count | Specify the number of consecutive ICMP ping packets that do not return from the monitored destination before the firewall considers the link down. Based on the Any or All failure condition, if path monitoring is in failed state, the firewall removes the static route from the RIB (range is 3-10; default is 5).
For example, a Ping Interval of 3 seconds and a Ping Count of 5 missed pings (the firewall receives no ping in the last 15 seconds) means path monitoring detects a link failure. If path monitoring is in failed state and the firewall receives a ping after 15 seconds, the link is deemed up; based on the Any or All failure condition, path monitoring to Any or All monitored destinations can be deemed up, and the Preemptive Hold Time starts.
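The following is an added example, not code from this guide or from Palo Alto Networks. It models the static-route behaviour the Administrative Distances and Static Route Settings tables describe: route selection by administrative distance and metric, the address-family check on a monitored destination, and path monitoring with Ping Interval, Ping Count, the Any/All Failure Condition and the Preemptive Hold Time. The tie-break order (admin distance first, then metric), the route and destination names, and the ping results are assumptions and constructed sample data.

```python
"""Model of PAN-OS static-route path monitoring and route selection.

Added example (not code from the PAN-OS guide or Palo Alto Networks).
Routes, destination addresses and ping results are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default administrative distances from the virtual router settings.
ADMIN_DISTANCE = {"static": 10, "ospf-int": 30, "ospf-ext": 110,
                  "ibgp": 200, "ebgp": 20, "rip": 120}


@dataclass
class Route:
    name: str
    destination: str          # CIDR prefix, e.g. "0.0.0.0/0"
    protocol: str             # key into ADMIN_DISTANCE
    metric: int
    installed: bool = True    # False once path monitoring withdraws it

    @property
    def admin_distance(self) -> int:
        return ADMIN_DISTANCE[self.protocol]


def best_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Route the FIB would use for `destination`: lowest admin distance,
    then lowest metric (assumed tie-break order)."""
    candidates = [r for r in routes if r.installed and r.destination == destination]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (r.admin_distance, r.metric))


def same_address_family(route_destination: str, monitored_ip: str) -> bool:
    """A monitored destination must match the static route's family (IPv4/IPv6)."""
    net = ipaddress.ip_network(route_destination, strict=False)
    return net.version == ipaddress.ip_address(monitored_ip).version


@dataclass
class MonitoredDestination:
    ip: str
    ping_count: int = 5       # consecutive misses before 'down' (range 3-10)
    missed: int = 0
    up: bool = True

    def record(self, reply_received: bool) -> bool:
        """Feed one ping result; return the destination's Up state."""
        if reply_received:
            self.missed, self.up = 0, True
        else:
            self.missed += 1
            if self.missed >= self.ping_count:
                self.up = False
        return self.up


@dataclass
class PathMonitor:
    route: Route
    failure_condition: str                   # "any" or "all"
    destinations: List[MonitoredDestination]
    ping_interval_sec: int = 3               # range 1-60, default 3
    preemptive_hold_min: int = 2             # range 0-1,440, default 2
    hold_elapsed_min: int = 0

    def detection_time_sec(self) -> int:
        """Seconds of silence before the slowest destination is declared down."""
        return self.ping_interval_sec * max(d.ping_count for d in self.destinations)

    def failed(self) -> bool:
        states = [d.up for d in self.destinations]
        if self.failure_condition == "any":
            return not all(states)
        if self.failure_condition == "all":
            return not any(states)
        raise ValueError("failure condition must be 'any' or 'all'")

    def ping_round(self, replies: Dict[str, bool]) -> bool:
        """Apply one round of ping results; return whether the route is in the RIB.
        A destination absent from `replies` counts as a missed ping."""
        for d in self.destinations:
            d.record(replies.get(d.ip, False))
        if self.failed():
            self.route.installed = False      # withdrawn from RIB and FIB
            self.hold_elapsed_min = 0         # hold timer restarts on recovery
        elif not self.route.installed and self.preemptive_hold_min == 0:
            self.route.installed = True       # hold time 0: reinstall immediately
        return self.route.installed

    def hold_timer(self, minutes: int) -> bool:
        """Advance the Preemptive Hold Time while the monitor stays Up."""
        if not self.route.installed and not self.failed():
            self.hold_elapsed_min += minutes
            if self.hold_elapsed_min >= self.preemptive_hold_min:
                self.route.installed = True
        return self.route.installed
```

With the defaults (interval 3, count 5) the model declares a destination down after 15 seconds of silence, exactly the figure the Ping Count row gives; with Failure Condition All, one destination going dark for maintenance leaves the route installed, which is the reason the guide recommends All.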


Route Redistribution

Network > Virtual Router > Redistribution Profiles
Redistribution profiles direct the firewall to filter, set priority, and perform actions based on desired network behavior. Route redistribution allows static routes and routes that are acquired by other protocols to be advertised through specified routing protocols.
Redistribution profiles must be applied to routing protocols in order to take effect. Without redistribution rules, each protocol runs separately and does not communicate outside its purview. Redistribution profiles can be added or modified after all routing protocols are configured and the resulting network topology is established.
Apply redistribution profiles to the RIP and OSPF protocols by defining export rules. Apply redistribution profiles to BGP in the Redistribution Rules tab. Refer to the following table.

Redistribution Profile Settings | Description

Name | Add a Redistribution Profile and enter the profile name.

Priority | Enter a priority (range is 1-255) for this profile. Profiles are matched in order (lowest number first).

Redistribute | Choose whether to perform route redistribution based on the settings in this window.
• Redist: Select to redistribute matching candidate routes. If you select this option, enter a new metric value. A lower metric value means a more preferred route.
• No Redist: Select to not redistribute matching candidate routes.

General Filter Tab

Type | Select the route types of the candidate route.

Interface | Select the interfaces to specify the forwarding interfaces of the candidate route.

Destination | To specify the destination of the candidate route, enter the destination IP address or subnet (format x.x.x.x or x.x.x.x/n) and click Add. To remove an entry, click the remove icon.

Next Hop | To specify the gateway of the candidate route, enter the IP address or subnet (format x.x.x.x or x.x.x.x/n) that represents the next hop and click Add. To remove an entry, click the remove icon.

OSPF Filter Tab

Path Type | Select the route types of the candidate OSPF route.

Area | Specify the area identifier for the candidate OSPF route. Enter the OSPF area ID (format x.x.x.x), and click Add. To remove an entry, click the remove icon.

Tag | Specify OSPF tag values. Enter a numeric tag value (1-255), and click Add. To remove an entry, click the remove icon.


BGP Filter Tab

Community | Specify a community for BGP routing policy.

Extended Community | Specify an extended community for BGP routing policy.
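The following is an added example, not code from this guide or from Palo Alto Networks. It evaluates redistribution profiles against candidate routes the way the tables above describe: profiles are tried in priority order (lowest number first), and the first profile whose General Filter matches decides Redist (with the new metric) or No Redist. Profile names, routes and filter entries are constructed sample data; treating a bare x.x.x.x entry as a single-host match is an assumption, and the OSPF Filter and BGP Filter tabs are not modelled.

```python
"""Priority-ordered redistribution profile matching (General Filter only).

Added example (not code from the PAN-OS guide or Palo Alto Networks).
Profile names, candidate routes and filter entries are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class CandidateRoute:
    destination: str            # CIDR prefix
    route_type: str             # e.g. "static", "connect", "rip", "ospf", "bgp"
    interface: str
    next_hop: str


@dataclass
class RedistributionProfile:
    name: str
    priority: int                                          # 1-255, lower first
    redistribute: bool                                     # True = Redist
    new_metric: Optional[int] = None                       # required for Redist
    types: Set[str] = field(default_factory=set)           # empty = match any
    interfaces: Set[str] = field(default_factory=set)      # empty = match any
    destinations: List[str] = field(default_factory=list)  # x.x.x.x or x.x.x.x/n
    next_hops: List[str] = field(default_factory=list)     # x.x.x.x or x.x.x.x/n

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 255:
            raise ValueError("priority must be 1-255")
        if self.redistribute and self.new_metric is None:
            raise ValueError("a Redist profile needs a new metric value")

    def matches(self, route: CandidateRoute) -> bool:
        """A filter with no entries matches everything; an address or subnet
        entry matches when the route's value lies inside it."""
        if self.types and route.route_type not in self.types:
            return False
        if self.interfaces and route.interface not in self.interfaces:
            return False
        if self.destinations and not _inside_any(route.destination, self.destinations):
            return False
        if self.next_hops and not _inside_any(route.next_hop, self.next_hops):
            return False
        return True


def _inside_any(value: str, entries: List[str]) -> bool:
    """True if `value` (host or prefix) is contained in any filter entry.
    Assumption: a bare x.x.x.x entry is a /32 (or /128) host entry."""
    net = ipaddress.ip_network(value, strict=False)
    for entry in entries:
        filt = ipaddress.ip_network(entry, strict=False)
        if filt.version == net.version and net.subnet_of(filt):
            return True
    return False


def evaluate(route: CandidateRoute,
             profiles: List[RedistributionProfile]) -> Optional[Tuple[str, Optional[int]]]:
    """Return (profile name, new metric) when a Redist profile wins,
    (profile name, None) when a No Redist profile wins, or None if no
    profile matches and the route is left alone."""
    for profile in sorted(profiles, key=lambda p: p.priority):
        if profile.matches(route):
            return (profile.name, profile.new_metric if profile.redistribute else None)
    return None
```

Because the lowest priority number wins, a No Redist profile with a small priority value is the way to keep a prefix (a lab or management range, say) from being advertised by a broader Redist profile that follows it; the sample in the test shows that ordering.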

RIP

Network > Virtual Routers > RIP
Configuring the Routing Information Protocol (RIP) includes the following general settings:

RIP Settings | Description

Enable | Select to enable RIP.

Reject Default Route | (Recommended) Select if you do not want to learn any default routes through RIP.

BFD | To enable Bidirectional Forwarding Detection (BFD) for RIP globally for the virtual router on a PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, and VM-Series firewall, select one of the following:
• default (profile with the default BFD settings)
• a BFD profile that you have created on the firewall
• New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for all RIP interfaces on the virtual router; you cannot enable BFD for a single RIP interface.

In addition, RIP settings on the following tabs must be configured:
• Interfaces: See RIP Interfaces Tab.
• Timers: See RIP Timers Tab.
• Auth Profiles: See RIP Auth Profiles Tab.
• Export Rules: See RIP Export Rules Tab.


RIP Interfaces Tab

Network > Virtual Routers > RIP > Interfaces
Use the following fields to configure RIP interfaces:

RIP Interface Settings | Description

Interface | Select the interface that runs the RIP protocol.

Enable | Select to enable these settings.

Advertise | Select to enable advertisement of a default route to RIP peers with the specified metric value.

Metric | Specify a metric value for the router advertisement. This field is visible only if you enable Advertise.

Auth Profile | Select the profile.

Mode | Select normal, passive, or send-only.

BFD | To enable BFD for a RIP interface (and thereby override the BFD setting for RIP, as long as BFD is not disabled for RIP at the virtual router level), select one of the following:
• default (profile with the default BFD settings)
• a BFD profile that you created on the firewall
• New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for the RIP interface.

RIP Timers Tab

Network > Virtual Router > RIP > Timers
The following table describes the timers that control RIP route updates and expirations.

RIP Timer Settings | Description

RIP Timing

Interval Seconds (sec) | Define the length of the timer interval in seconds. This duration is used for the remaining RIP timing fields (range is 1-60).

Update Intervals | Enter the number of intervals between route update announcements (range is 1-3,600).

Expire Intervals | Enter the number of intervals between the time that the route was last updated and its expiration (range is 1-3,600).

Delete Intervals | Enter the number of intervals between the time that the route expires and its deletion (range is 1-3,600).


RIP Auth Profiles Tab

Network > Virtual Router > RIP > Auth Profiles
By default, the firewall does not authenticate RIP messages between neighbors. To authenticate RIP messages between neighbors, create an authentication profile and apply it to an interface running RIP on a virtual router. The following table describes the settings for the Auth Profiles tab.

RIP Auth Profile Settings | Description

Profile Name | Enter a name for the authentication profile to authenticate RIP messages.

Password Type | Select the type of password (simple or MD5).
• If you select Simple, enter the simple password and then confirm it.
• If you select MD5, enter one or more password entries, including Key-ID (0-255), Key, and optional Preferred status. Click Add for each entry, and then click OK. To specify the key to be used to authenticate outgoing messages, select the Preferred option.

RIP Export Rules Tab

Network > Virtual Router > RIP > Export Rules
RIP export rules allow you to control which routes the virtual router sends to peers.

RIP Export Rules Settings | Description

Allow Redistribute Default Route | Select to permit the firewall to redistribute its default route to peers.

Redistribution Profile | Click Add and select or create a redistribution profile that allows you to modify route redistribution, filter, priority, and action based on the desired network behavior. Refer to Route Redistribution.


OSPF

Network > Virtual Router > OSPF
Configuring the Open Shortest Path First (OSPF) protocol requires you to configure the following general settings (except BFD, which is optional):

OSPF Settings | Description

Enable | Select to enable the OSPF protocol.

Reject Default Route | (Recommended) Select if you do not want to learn any default routes through OSPF.

Router ID | Specify the router ID associated with the OSPF instance in this virtual router. The OSPF protocol uses the router ID to uniquely identify the OSPF instance.

BFD | To enable Bidirectional Forwarding Detection (BFD) for OSPF globally for the virtual router on a PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, or VM-Series firewall, select one of the following:
• default (default BFD settings)
• a BFD profile that you have created on the firewall
• New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for all OSPF interfaces on the virtual router; you cannot enable BFD for a single OSPF interface.

In addition, you must configure OSPF settings on the following tabs:
• Areas: See OSPF Areas Tab.
• Auth Profiles: See OSPF Auth Profiles Tab.
• Export Rules: See OSPF Export Rules Tab.
• Advanced: See OSPF Advanced Tab.


OSPF Areas Tab

Network > Virtual Router > OSPF > Areas
The following fields describe the OSPF area settings:

OSPF Areas Settings | Description

Areas

Area ID | Configure the area over which the OSPF parameters can be applied. Enter an identifier for the area in x.x.x.x format. This is the identifier that each neighbor must accept to be part of the same area.

Type | Select one of the following options.
• Normal: There are no restrictions; the area can carry all types of routes.
• Stub: There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, select Accept Summary if you want to accept this type of link state advertisement (LSA) from other areas. Also, specify whether to include a default route LSA in advertisements to the stub area along with the associated metric value (range is 1-255).
If the Accept Summary option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
• NSSA (Not-So-Stubby Area): It is possible to leave the area directly, but only by routes other than OSPF routes. If you select this option, select Accept Summary if you want to accept this type of LSA. Select Advertise Default Route to specify whether to include a default route LSA in advertisements to the stub area along with the associated metric value (1-255). Also, select the route type used to advertise the default LSA. Click Add in the External Ranges section and enter ranges if you want to enable or suppress advertising external routes that are learned through NSSA to other areas.

Range | Click Add to aggregate LSA destination addresses in the area into subnets. Enable or suppress advertising LSAs that match the subnet, and click OK. Repeat to add additional ranges.

Interface | Add an interface to be included in the area and enter the following information:
• Interface: Choose the interface.
• Enable: Cause the OSPF interface settings to take effect.
• Passive: Select if you do not want the OSPF interface to send or receive OSPF packets. Although OSPF packets are not sent or received if you choose this option, the interface is included in the LSA database.
• Link type: Choose Broadcast if you want all neighbors that are accessible through the interface to be discovered automatically by multicasting OSPF hello messages, such as an Ethernet interface. Choose p2p (point-to-point) to automatically discover the neighbor. Choose p2mp (point-to-multipoint) when neighbors must be defined manually. Defining neighbors manually is allowed only for p2mp mode.
• Metric: Enter the OSPF metric for this interface (0-65,535).
• Priority: Enter the OSPF priority for this interface (0-255). It is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) according to the OSPF protocol. When the value is zero, the router will not be elected as a DR or BDR.
• Auth Profile: Select a previously defined authentication profile.
• BFD: To enable Bidirectional Forwarding Detection (BFD) for an OSPF peer interface (and thereby override the BFD setting for OSPF, as long as BFD is not disabled for OSPF at the virtual router level), select one of the following: default (default BFD settings); a BFD profile that you have created on the firewall; or New BFD Profile to create a new BFD profile. Select None (Disable BFD) to disable BFD for the OSPF peer interface.
• Hello Interval (sec): Interval, in seconds, at which the OSPF process sends hello packets to its directly connected neighbors (range is 0-3,600; default is 10).
• Dead Counts: Number of times the hello interval can occur for a neighbor without OSPF receiving a hello packet from the neighbor, before OSPF considers that neighbor down. The Hello Interval multiplied by the Dead Counts equals the value of the dead timer (range is 3-20; default is 4).
• Retransmit Interval (sec): Length of time, in seconds, that OSPF waits to receive a link state advertisement (LSA) from a neighbor before OSPF retransmits the LSA (range is 0-3,600; default is 10).
• Transit Delay (sec): Length of time, in seconds, that an LSA is delayed before it is sent out of an interface (range is 0-3,600; default is 1).

Interface (cont.) | • Graceful Restart Hello Delay (sec): Applies to an OSPF interface when Active/Passive High Availability is configured. Graceful Restart Hello Delay is the length of time during which the firewall sends Grace LSA packets at 1-second intervals. During this time, no hello packets are sent from the restarting firewall. During the restart, the dead timer (which is the Hello Interval multiplied by the Dead Counts) is also counting down. If the dead timer is too short, the adjacency will go down during the graceful restart because of the hello delay. Therefore, it is recommended that the dead timer be at least four times the value of the Graceful Restart Hello Delay. For example, a Hello Interval of 10 seconds and a Dead Counts of 4 yield a dead timer of 40 seconds. If the Graceful Restart Hello Delay is set to 10 seconds, that 10-second delay of hello packets is comfortably within the 40-second dead timer, so the adjacency will not time out during a graceful restart (range is 1-10; default is 10).

Virtual Link | Configure the virtual link settings to maintain or enhance backbone area connectivity. The settings must be defined for area border routers, and must be defined within the backbone area (0.0.0.0). Click Add, enter the following information for each virtual link to be included in the backbone area, and click OK.
• Name: Enter a name for the virtual link.
• Neighbor ID: Enter the router ID of the router (neighbor) on the other side of the virtual link.
• Transit Area: Enter the area ID of the transit area that physically contains the virtual link.
• Enable: Select to enable the virtual link.
• Timing: It is recommended that you keep the default timing settings.
• Auth Profile: Select a previously defined authentication profile.

OSPF Auth Profiles Tab

Network > Virtual Router > OSPF > Auth Profiles
The following fields describe the OSPF authentication profile settings:

OSPF Auth Profile Settings | Description

Profile Name | Enter a name for the authentication profile. To authenticate the OSPF messages, first define the authentication profiles and then apply them to interfaces on the OSPF tab.

Password Type | Select the type of password (simple or MD5).
• If you select Simple, enter the password.
• If you select MD5, enter one or more password entries, including Key-ID (0-255), Key, and optional Preferred status. Click Add for each entry, and then click OK. To specify the key to be used to authenticate outgoing messages, select the Preferred option.


OSPF Export Rules Tab

Network > Virtual Router > OSPF > Export Rules
The following table describes the fields to export OSPF routes:

OSPF Export Rules Settings | Description

Allow Redistribute Default Route | Select to permit redistribution of default routes through OSPF.

Name | Select the name of a redistribution profile. The value must be an IP subnet or a valid redistribution profile name.

New Path Type | Choose the metric type to apply.

New Tag | Specify a tag for the matched route that has a 32-bit value.

Metric | (Optional) Specify the route metric to be associated with the exported route and used for path selection (range is 1-65,535).


OSPF Advanced Tab

Network > Virtual Router > OSPF > Advanced
The following fields describe RFC 1583 compatibility, OSPF timers, and graceful restart:

OSPF Advanced Settings | Description

RFC 1583 Compatibility | Select to ensure compatibility with RFC 1583 (OSPF Version 2).

Timers |
• SPF Calculation Delay (sec): Allows you to tune the delay time between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF reconvergence. Routers peering with the firewall should be tuned in a similar manner to optimize convergence times.
• LSA Interval (sec): Specifies the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce reconvergence times when topology changes occur.

Graceful Restart |
• Enable Graceful Restart: Enabled by default, a firewall enabled for this feature will instruct neighboring routers to continue using a route through the firewall while a transition takes place that renders the firewall temporarily down.
• Enable Helper Mode: Enabled by default, a firewall enabled for this mode continues to forward to an adjacent device when that device is restarting.
• Enable Strict LSA Checking: Enabled by default, this feature causes an OSPF helper-mode-enabled firewall to exit helper mode if a topology change occurs.
• Grace Period (sec): Period of time, in seconds, that peer devices should continue to forward to this firewall while adjacencies are being reestablished or the router is being restarted (range is 5-1,800; default is 120).
• Max Neighbor Restart Time: Maximum grace period, in seconds, that the firewall will accept as a helper mode router. If the peer device offers a longer grace period in its grace LSA, the firewall will not enter helper mode (range is 5-1,800; default is 140).


OSPFv3

Network > Virtual Router > OSPFv3
Configuring the Open Shortest Path First v3 (OSPFv3) protocol requires configuring the first three settings in the following table (BFD is optional):

OSPFv3 Settings | Description

Enable | Select to enable the OSPF protocol.

Reject Default Route | Select if you do not want to learn any default routes through OSPF.

Router ID | Specify the router ID associated with the OSPF instance in this virtual router. The OSPF protocol uses the router ID to uniquely identify the OSPF instance.

BFD | To enable Bidirectional Forwarding Detection (BFD) for OSPFv3 globally for the virtual router on a PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, and VM-Series firewall, select one of the following:
• default (default BFD settings)
• a BFD profile that you have created on the firewall
• New BFD Profile to create a new BFD profile
(Select None (Disable BFD) to disable BFD for all OSPFv3 interfaces on the virtual router; you cannot enable BFD for a single OSPFv3 interface.)

In addition, configure OSPFv3 settings on the following tabs:
• Areas: See OSPFv3 Areas Tab.
• Auth Profiles: See OSPFv3 Auth Profiles Tab.
• Export Rules: See OSPFv3 Export Rules Tab.
• Advanced: See OSPFv3 Advanced Tab.


OSPFv3 Areas Tab

Network > Virtual Router > OSPFv3 > Areas
The following fields describe OSPFv3 areas:

OSPFv3 Areas Settings | Description

Authentication | Select the name of the Authentication profile that you want to specify for this OSPF area.

Type | Select one of the following:
• Normal: There are no restrictions; the area can carry all types of routes.
• Stub: There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, select Accept Summary if you want to accept this type of link state advertisement (LSA) from other areas. Also, specify whether to include a default route LSA in advertisements to the stub area along with the associated metric value (1-255).
If the Accept Summary option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
• NSSA (Not-So-Stubby Area): It is possible to leave the area directly, but only by routes other than OSPF routes. If you select this option, select Accept Summary if you want to accept this type of LSA. Specify whether to include a default route LSA in advertisements to the stub area along with the associated metric value (1-255). Also, select the route type used to advertise the default LSA. Click Add in the External Ranges section and enter ranges if you want to enable or suppress advertising external routes that are learned through NSSA to other areas.

Range | Click Add to aggregate LSA destination IPv6 addresses in the area by subnet. Enable or suppress advertising LSAs that match the subnet, and click OK. Repeat to add additional ranges.

Interface | Click Add and enter the following information for each interface to be included in the area, and click OK.
• Interface: Choose the interface.
• Enable: Cause the OSPF interface settings to take effect.
• Instance ID: Enter an OSPFv3 instance ID number.
• Passive: Select if you do not want the OSPF interface to send or receive OSPF packets. Although OSPF packets are not sent or received if you choose this option, the interface is included in the LSA database.
• Link type: Choose Broadcast if you want all neighbors that are accessible through the interface to be discovered automatically by multicasting OSPF hello messages, such as an Ethernet interface. Choose p2p (point-to-point) to automatically discover the neighbor. Choose p2mp (point-to-multipoint) when neighbors must be defined manually. Defining neighbors manually is allowed only for p2mp mode.
• Metric: Enter the OSPF metric for this interface (0-65,535).
• Priority: Enter the OSPF priority for this interface (0-255). It is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) according to the OSPF protocol. When the value is zero, the router will not be elected as a DR or BDR.
• Auth Profile: Select a previously defined authentication profile.
• BFD: To enable Bidirectional Forwarding Detection (BFD) for an OSPFv3 peer interface (and thereby override the BFD setting for OSPFv3, as long as BFD is not disabled for OSPFv3 at the virtual router level), select one of the following: default (default BFD settings); a BFD profile that you have created on the firewall; or New BFD Profile to create a new BFD profile. Select None (Disable BFD) to disable BFD for the OSPFv3 peer interface.
• Hello Interval (sec): Interval, in seconds, at which the OSPF process sends hello packets to its directly connected neighbors (range is 0-3,600; default is 10).
• Dead Counts: Number of times the hello interval can occur for a neighbor without OSPF receiving a hello packet from the neighbor, before OSPF considers that neighbor down. The Hello Interval multiplied by the Dead Counts equals the value of the dead timer (range is 3-20; default is 4).
• Retransmit Interval (sec): Length of time, in seconds, that OSPF waits to receive a link state advertisement (LSA) from a neighbor before OSPF retransmits the LSA (range is 0-3,600; default is 10).
• Transit Delay (sec): Length of time, in seconds, that an LSA is delayed before the firewall sends it out of an interface (range is 0-3,600; default is 1).

Interface (continued) | • Graceful Restart Hello Delay (sec): Applies to an OSPF interface when Active/Passive High Availability is configured. Graceful Restart Hello Delay is the length of time during which the firewall sends Grace LSA packets at 1-second intervals. During this time, no hello packets are sent from the restarting firewall. During the restart, the dead timer (which is the Hello Interval multiplied by the Dead Counts) is also counting down. If the dead timer is too short, the adjacency will go down during the graceful restart because of the hello delay. Therefore, it is recommended that the dead timer be at least four times the value of the Graceful Restart Hello Delay. For example, a Hello Interval of 10 seconds and a Dead Counts of 4 yield a dead timer of 40 seconds. If the Graceful Restart Hello Delay is set to 10 seconds, that 10-second delay of hello packets is comfortably within the 40-second dead timer, so the adjacency will not time out during a graceful restart (range is 1-10; default is 10).
• Neighbors: For p2mp interfaces, enter the neighbor IP address for all neighbors that are reachable through this interface.

Virtual Links | Configure the virtual link settings to maintain or enhance backbone area connectivity. The settings must be defined for area border routers, and must be defined within the backbone area (0.0.0.0). Click Add, enter the following information for each virtual link to be included in the backbone area, and click OK.
• Name: Enter a name for the virtual link.
• Instance ID: Enter an OSPFv3 instance ID number.
• Neighbor ID: Enter the router ID of the router (neighbor) on the other side of the virtual link.
• Transit Area: Enter the area ID of the transit area that physically contains the virtual link.
• Enable: Select to enable the virtual link.
• Timing: It is recommended that you keep the default timing settings.
• Auth Profile: Select a previously defined authentication profile.


OSPFv3 Auth Profiles Tab

Network > Virtual Router > OSPFv3 > Auth Profiles
Use the following fields to configure authentication for OSPFv3.

OSPFv3 Auth Profile Settings | Description

Profile Name | Enter a name for the authentication profile. To authenticate the OSPF messages, first define the authentication profiles and then apply them to interfaces on the OSPF tab.

SPI | Specify the security parameter index (SPI) for packet traversal from the remote firewall to the peer.

Protocol | Specify either of the following protocols:
• ESP: Encapsulating Security Payload protocol.
• AH: Authentication Header protocol.

Crypto Algorithm | Specify one of the following:
• None: No crypto algorithm will be used.
• SHA1 (default): Secure Hash Algorithm 1.
• SHA256: Secure Hash Algorithm 2. A set of four hash functions with a 256-bit digest.
• SHA384: Secure Hash Algorithm 2. A set of four hash functions with a 384-bit digest.
• SHA512: Secure Hash Algorithm 2. A set of four hash functions with a 512-bit digest.
• MD5: The MD5 message digest algorithm.

Key / Confirm Key | Enter and confirm an authentication key.

Encryption (ESP protocol only) | Specify one of the following:
• 3des (default): applies the Triple Data Encryption Algorithm (3DES) using three cryptographic keys of 56 bits.
• aes-128-cbc: applies the Advanced Encryption Standard (AES) using cryptographic keys of 128 bits.
• aes-192-cbc: applies the Advanced Encryption Standard (AES) using cryptographic keys of 192 bits.
• aes-256-cbc: applies the Advanced Encryption Standard (AES) using cryptographic keys of 256 bits.
• null: No encryption is used.

Key / Confirm Key | Enter and confirm an encryption key.


OSPFv3 Export Rules Tab

Network > Virtual Router > OSPFv3 > Export Rules
Use the following fields to export OSPFv3 routes.

OSPFv3 Export Rules Settings | Description

Allow Redistribute Default Route | Select to permit redistribution of default routes through OSPF.

Name | Select the name of a redistribution profile. The value must be an IP subnet or a valid redistribution profile name.

New Path Type | Choose the metric type to apply.

New Tag | Specify a tag for the matched route that has a 32-bit value.

Metric | (Optional) Specify the route metric to be associated with the exported route and used for path selection (range is 1-65,535).


OSPFv3 Advanced Tab

Network > Virtual Router > OSPFv3 > Advanced
Use the following fields to disable transit routing for SPF calculations, configure OSPFv3 timers, and configure graceful restart for OSPFv3.

OSPFv3 Advanced Settings | Description

Disable Transit Routing for SPF Calculation | Select if you want to set the R-bit in router LSAs sent from this firewall to indicate that the firewall is not active. When in this state, the firewall participates in OSPFv3 but other routers do not send transit traffic. In this state, local traffic will still be forwarded to the firewall. This is useful while performing maintenance with a dual-homed network because traffic can be rerouted around the firewall while it can still be reached.

Timers |
• SPF Calculation Delay (sec): This is a delay timer allowing you to tune the delay time between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF reconvergence. Routers peering with the firewall should be tuned in a similar manner to optimize convergence times.
• LSA Interval (sec): The option specifies the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce reconvergence times when topology changes occur.

Graceful Restart |
• Enable Graceful Restart: Enabled by default, a firewall enabled for this feature will instruct neighboring routers to continue using a route through the firewall while a transition takes place that renders the firewall temporarily down.
• Enable Helper Mode: Enabled by default, a firewall enabled for this mode continues to forward to an adjacent device when that device is restarting.
• Enable Strict LSA Checking: Enabled by default, this feature causes an OSPF helper-mode-enabled firewall to exit helper mode if a topology change occurs.
• Grace Period (sec): The period of time, in seconds, that peer devices continue to forward to this firewall while adjacencies are being reestablished or while the router is being restarted (range is 5-1,800; default is 120).
• Max Neighbor Restart Time: The maximum grace period, in seconds, that the firewall will accept as a helper mode router. If the peer device offers a longer grace period in its grace LSA, the firewall will not enter helper mode (range is 5-800; default is 140).
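The following is an added example, not code from this guide or from Palo Alto Networks. It checks the timer relationships that the OSPF and OSPFv3 Areas tabs (Hello Interval, Dead Counts, Graceful Restart Hello Delay) and Advanced tabs (Grace Period, Max Neighbor Restart Time) describe: the dead timer is Hello Interval multiplied by Dead Counts, the guide recommends it be at least four times the Graceful Restart Hello Delay, and a firewall enters helper mode only when the peer's advertised grace period does not exceed Max Neighbor Restart Time. The field ranges are the OSPF (v2) ranges from the tables; the values checked are constructed.

```python
"""Consistency checks for OSPF/OSPFv3 dead timer and graceful restart settings.

Added example (not code from the PAN-OS guide or Palo Alto Networks).
Field ranges follow the OSPF tables; the checked values are constructed.
"""
from dataclasses import dataclass
from typing import List

GR_HELLO_DELAY_FACTOR = 4   # guide: dead timer >= 4 x Graceful Restart Hello Delay


@dataclass
class OspfInterfaceTimers:
    hello_interval_sec: int = 10      # range 0-3,600, default 10
    dead_counts: int = 4              # range 3-20, default 4
    gr_hello_delay_sec: int = 10      # range 1-10, default 10

    def dead_timer_sec(self) -> int:
        """Dead timer = Hello Interval x Dead Counts (40 s with the defaults)."""
        return self.hello_interval_sec * self.dead_counts

    def check(self) -> List[str]:
        """Return a list of problems; an empty list means the timers are consistent."""
        problems: List[str] = []
        if not 0 <= self.hello_interval_sec <= 3600:
            problems.append("hello interval out of range 0-3,600")
        if not 3 <= self.dead_counts <= 20:
            problems.append("dead counts out of range 3-20")
        if not 1 <= self.gr_hello_delay_sec <= 10:
            problems.append("graceful restart hello delay out of range 1-10")
        needed = GR_HELLO_DELAY_FACTOR * self.gr_hello_delay_sec
        if self.dead_timer_sec() < needed:
            problems.append(
                f"dead timer {self.dead_timer_sec()}s is below {needed}s "
                f"({GR_HELLO_DELAY_FACTOR} x GR hello delay); "
                "the adjacency may drop during a graceful restart")
        return problems


@dataclass
class GracefulRestartSettings:
    helper_mode: bool = True
    grace_period_sec: int = 120            # range 5-1,800, default 120
    max_neighbor_restart_sec: int = 140    # range 5-1,800, default 140

    def will_help(self, peer_grace_period_sec: int) -> bool:
        """Does this firewall act as helper for a peer whose grace LSA
        advertises `peer_grace_period_sec`? Longer offers are refused."""
        return self.helper_mode and peer_grace_period_sec <= self.max_neighbor_restart_sec

    def peer_will_help(self, peer_max_restart_sec: int) -> bool:
        """Mirror check: will a peer with the given limit help this firewall
        during its own restart, given the Grace Period configured here?"""
        return self.grace_period_sec <= peer_max_restart_sec
```

With the defaults both checks pass (dead timer 40 s against a 10 s hello delay; a 120 s grace period against a 140 s neighbor limit). Shortening Hello Interval or Dead Counts for faster failure detection without also lowering the Graceful Restart Hello Delay is the case `check()` flags.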


BGP

Network > Virtual Router > BGP
Configuring Border Gateway Protocol (BGP) requires you to configure Basic BGP Settings to enable BGP and configure the Router ID and AS Number as described in the following table. In addition, you must configure a BGP peer as part of a BGP peer group.
Configure the remaining BGP settings on the following tabs as needed for your network:
• General: See BGP General Tab.
• Advanced: See BGP Advanced Tab.
• Peer Group: See BGP Peer Group Tab.
• Import: See BGP Import and Export Tabs.
• Export: See BGP Import and Export Tabs.
• Conditional Adv: See BGP Conditional Adv Tab.
• Aggregate: See BGP Aggregate Tab.
• Redist Rules: See BGP Redist Rules Tab.

Basic BGP Settings

To use BGP on a virtual router, you must enable BGP and configure the Router ID and AS Number; enabling BFD is optional.

BGP Settings | Configure In | Description

Enable | BGP | Select to enable BGP.

Router ID | Enter the IP address to assign to the virtual router.

AS Number | Enter the number of the AS to which the virtual router belongs, based on the router ID (range is 1-4,294,967,295).

BFD | To enable Bidirectional Forwarding Detection (BFD) for BGP globally for the virtual router on a PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, or VM-Series firewall, select one of the following:
• default (default BFD settings)
• an existing BFD profile on the firewall
• create a New BFD Profile
Select None (Disable BFD) to disable BFD for all BGP interfaces on the virtual router; you cannot enable BFD for a single BGP interface.
If you enable or disable BFD globally, all interfaces running BGP are taken down and brought back up with the BFD function, which can disrupt BGP traffic. Therefore, enable BFD on BGP interfaces during an off-peak time when reconvergence does not impact production traffic.

PaloAltoNetworks,Inc. PANOS8.0WebInterfaceReferenceGuide 281


BGP General Tab

Network > Virtual Router > BGP > General
Use the following fields to configure general BGP settings.

BGP General Settings (Configure in: BGP > General)

Reject Default Route: Select to ignore any default routes that are advertised by BGP peers.

Install Route: Select to install BGP routes in the global routing table.

Aggregate MED: Select to enable route aggregation even when routes have different Multi-Exit Discriminator (MED) values.

Default Local Preference: Specifies a value that the firewall can use to determine preferences among different paths.

AS Format: Select the 2-byte (default) or 4-byte format. This setting is configurable for interoperability purposes.

Always Compare MED: Enable MED comparison for paths from neighbors in different autonomous systems.

Deterministic MED Comparison: Enable MED comparison to choose between routes that are advertised by iBGP peers (BGP peers in the same autonomous system).

Auth Profiles: Add a new auth profile and configure the following settings:
  - Profile Name: Enter a name to identify the profile.
  - Secret/Confirm Secret: Enter and confirm a passphrase for BGP peer communications.
  Delete profiles when you no longer need them.


BGP Advanced Tab

Network > Virtual Router > BGP > Advanced
Advanced BGP settings include a variety of capabilities. You can run ECMP over multiple BGP autonomous systems. You can require eBGP peers to list their own AS as the first AS in an AS_PATH attribute (to prevent spoofed Update packets). You can configure BGP graceful restart, a means by which BGP peers indicate whether they can preserve forwarding state during a BGP restart to minimize the consequences of routes flapping (going up and down). You can configure route reflectors and AS confederations, which are two methods to avoid having a full mesh of BGP peerings in an AS. You can configure route dampening to prevent unnecessary router convergence when a BGP network is unstable and routes are flapping.

BGP Advanced Settings (Configure in: BGP > Advanced)

ECMP Multiple AS Support: Select if you enable ECMP for a virtual router and you want to run ECMP over multiple BGP autonomous systems.

Enforce First AS for EBGP: Causes the firewall to drop an incoming Update packet from an eBGP peer that doesn't list the eBGP peer's own AS number as the first AS number in the AS_PATH attribute. This prevents BGP from further processing a spoofed or erroneous Update packet that arrives from an AS other than a neighboring AS. Default is enabled.

Graceful Restart: Activate the graceful restart option.
  - Stale Route Time: Specify the length of time, in seconds, that a route can stay in the stale state (range is 1-3,600; default is 120).
  - Local Restart Time: Specify the length of time, in seconds, that the firewall takes to restart. This value is advertised to peers (range is 1-3,600; default is 120).
  - Max Peer Restart Time: Specify the maximum length of time, in seconds, that the firewall accepts as a grace period restart time for peer devices (range is 1-3,600; default is 120).

Reflector Cluster ID: Specify an IPv4 identifier to represent the reflector cluster. A route reflector (router) in an AS performs the role of readvertising routes it learned to its peers (rather than requiring full-mesh connectivity, with all peers sending routes to each other). The route reflector simplifies configuration.

Confederation Member AS: Specify the identifier for the AS confederation to be presented as a single AS to external BGP peers. Use a BGP confederation to divide autonomous systems into sub-autonomous systems and reduce full-mesh peering.


BGP Advanced Settings (Configure in: BGP > Advanced, continued)

Dampening Profiles: Route dampening is a method that determines whether a route is suppressed from being advertised because it is flapping. Route dampening can reduce the number of times routers are forced to reconverge due to routes flapping. Settings include:
  - Profile Name: Enter a name to identify the profile.
  - Enable: Activate the profile.
  - Cutoff: Specify a route withdrawal threshold above which a route advertisement is suppressed (range is 0.0-1,000.0; default is 1.25).
  - Reuse: Specify a route withdrawal threshold below which a suppressed route is used again (range is 0.0-1,000.0; default is 5).
  - Max. Hold Time: Specify the maximum length of time, in seconds, that a route can be suppressed, regardless of how unstable it has been (range is 0-3,600; default is 900).
  - Decay Half Life Reachable: Specify the length of time, in seconds, after which a route's stability metric is halved if the firewall considers the route reachable (range is 0-3,600; default is 300).
  - Decay Half Life Unreachable: Specify the length of time, in seconds, after which a route's stability metric is halved if the firewall considers the route unreachable (range is 0-3,600; default is 300).
  Delete profiles when you no longer need them.
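The following is an added illustration of how the dampening profile fields above interact: each withdrawal adds to a per-prefix stability penalty, the penalty decays exponentially with the reachable or unreachable half-life, advertisement is suppressed once the penalty exceeds Cutoff, and the route is reused once the penalty drops below Reuse or Max. Hold Time expires. This is not PAN-OS code; the penalty added per flap, the sample prefix, and the profile values in the simulation are constructed (the simulation deliberately uses values other than the page's defaults so that the suppress/reuse cycle is visible within a few minutes).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DampeningProfile:
    """Mirrors the Dampening Profile fields; times are in seconds."""
    cutoff: float               # penalty above which advertisement is suppressed
    reuse: float                # penalty below which a suppressed route is reused
    max_hold_time: int          # longest a route may stay suppressed
    half_life_reachable: int    # seconds until the penalty halves while reachable
    half_life_unreachable: int  # seconds until the penalty halves while unreachable


FLAP_PENALTY = 1.0  # constructed: penalty added per route withdrawal


@dataclass
class RouteState:
    penalty: float = 0.0
    reachable: bool = True
    suppressed: bool = False
    suppressed_since: Optional[float] = None
    last_update: float = 0.0


class Dampener:
    """Tracks a stability penalty per prefix and applies the profile thresholds."""

    def __init__(self, profile: DampeningProfile) -> None:
        self.profile = profile
        self.routes: Dict[str, RouteState] = {}

    def _decay(self, st: RouteState, now: float) -> None:
        # Exponential decay: the penalty halves once per half-life, and the
        # half-life in force depends on whether the route is reachable now.
        half_life = (self.profile.half_life_reachable if st.reachable
                     else self.profile.half_life_unreachable)
        elapsed = now - st.last_update
        if elapsed > 0 and half_life > 0:
            st.penalty *= 0.5 ** (elapsed / half_life)
        st.last_update = now

    def _apply_thresholds(self, st: RouteState, now: float) -> None:
        if st.suppressed:
            held = now - st.suppressed_since
            # Reuse once the penalty has decayed below Reuse, or unconditionally
            # once Max. Hold Time has elapsed, however unstable the route was.
            if st.penalty < self.profile.reuse or held >= self.profile.max_hold_time:
                st.suppressed, st.suppressed_since = False, None
        elif st.penalty > self.profile.cutoff:
            st.suppressed, st.suppressed_since = True, now

    def _event(self, prefix: str, now: float, reachable: Optional[bool]) -> bool:
        st = self.routes.setdefault(prefix, RouteState(last_update=now))
        self._decay(st, now)
        if reachable is False:
            st.penalty += FLAP_PENALTY  # every withdrawal counts as one flap
        if reachable is not None:
            st.reachable = reachable
        self._apply_thresholds(st, now)
        return st.suppressed

    def withdraw(self, prefix: str, now: float) -> bool:
        """The peer withdrew the prefix; returns True if it is now suppressed."""
        return self._event(prefix, now, reachable=False)

    def announce(self, prefix: str, now: float) -> bool:
        """The peer (re)announced the prefix; returns True if still suppressed."""
        return self._event(prefix, now, reachable=True)

    def check(self, prefix: str, now: float) -> bool:
        """Periodic re-evaluation with no change in reachability."""
        return self._event(prefix, now, reachable=None)


def simulate_flapping_route() -> List[Tuple[float, str, bool]]:
    """Constructed timeline: a prefix flaps three times, then stays up.
    Profile values are constructed for visibility, not the page's defaults."""
    profile = DampeningProfile(cutoff=2.5, reuse=1.0, max_hold_time=900,
                               half_life_reachable=300, half_life_unreachable=300)
    d = Dampener(profile)
    prefix = "203.0.113.0/24"  # constructed (TEST-NET-3)
    timeline = [(0, "announce"), (10, "withdraw"), (20, "announce"),
                (30, "withdraw"), (40, "announce"), (50, "withdraw"),
                (60, "announce"), (500, "check"), (520, "check")]
    handlers = {"announce": d.announce, "withdraw": d.withdraw, "check": d.check}
    return [(t, ev, handlers[ev](prefix, t)) for t, ev in timeline]


if __name__ == "__main__":
    for t, ev, suppressed in simulate_flapping_route():
        print(f"t={t:4}s {ev:9} suppressed={suppressed}")
```

With the constructed profile the third withdrawal at t=50 s pushes the penalty past Cutoff, and the route is released again only after roughly 460 s of decay below Reuse.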


BGP Peer Group Tab

Network > Virtual Router > BGP > Peer Group
A BGP peer group is a collection of BGP peers that share settings, such as the type of peer group (EBGP, for example), or the setting to remove private AS numbers from the AS_PATH list that the virtual router sends in Update packets. BGP peer groups save you from having to configure multiple peers with the same settings. You must configure at least one BGP peer group in order to configure the BGP peers that belong to the group.

BGP Peer Group Settings (Configure in: BGP > Peer Group)

Name: Enter a name to identify the peer group.

Enable: Select to activate the peer group.

Aggregated Confed AS Path: Select to include a path to the configured aggregated confederation AS.

Soft Reset with Stored Info: Select to perform a soft reset of the firewall after updating the peer settings.

Type: Specify the type of peer or group and configure the associated settings (see below in this table for descriptions of Import Next Hop and Export Next Hop).
  - IBGP: Specify the following: Export Next Hop
  - EBGP Confed: Specify the following: Export Next Hop
  - IBGP Confed: Specify the following: Export Next Hop
  - EBGP: Specify the following: Import Next Hop, Export Next Hop, and Remove Private AS (select if you want to force BGP to remove private AS numbers from the AS_PATH attribute).

Import Next Hop: Choose an option for next hop import:
  - Original: Use the Next Hop address provided in the original route advertisement.
  - Use Peer: Use the peer's IP address as the Next Hop address.

Export Next Hop: Choose an option for next hop export:
  - Resolve: Resolve the Next Hop address using the Forwarding Information Base (FIB).
  - Original: Use the Next Hop address provided in the original route advertisement.
  - Use Self: Replace the Next Hop address with the virtual router's IP address to ensure that it will be in the forwarding path.

Remove Private AS: Select to remove private autonomous systems from the AS_PATH list.


BGP Peer Group Settings (continued)

Configure in: BGP > Peer Group > Peer

Name: Add a New BGP peer and enter a name to identify it.

Enable: Select to activate the peer.

Peer AS: Specify the autonomous system (AS) of the peer.

Configure in: BGP > Peer Group > Peer > Addressing

Enable MP-BGP Extensions: Enables the firewall to support the Multiprotocol BGP Address Family Identifier for IPv4 and IPv6 and Subsequent Address Family Identifier options per RFC 4760.

Address Family Type: Select either the IPv4 or IPv6 address family that BGP sessions with this peer will support.

Subsequent Address Family: Select either the Unicast or Multicast subsequent address family protocol the BGP sessions with this peer will carry.

Local Address Interface: Choose a firewall interface.

Local Address IP: Choose a local IP address.

Peer Address IP: Specify the IP address and port of the peer.

Configure in: BGP > Peer Group > Peer > Connection Options

Auth Profile: Select a profile or select New Auth Profile from the drop-down. Enter a Profile Name and the Secret, and Confirm Secret.

Keep Alive Interval: Specify an interval after which routes from a peer are suppressed according to the hold time setting (range is 0-1,200 seconds; default is 30 seconds).

Multi Hop: Set the time-to-live (TTL) value in the IP header (range is 1-255; default is 0). The default value of 0 means 2 for eBGP and 255 for iBGP.

Open Delay Time: Specify the delay time between opening the peer TCP connection and sending the first BGP open message (range is 0-240 seconds; default is 0 seconds).

Hold Time: Specify the period of time that may elapse between successive KEEPALIVE or UPDATE messages from a peer before the peer connection is closed (range is 3-3,600 seconds; default is 90 seconds).

Idle Hold Time: Specify the time to wait in the idle state before retrying connection to the peer (range is 1-3,600 seconds; default is 15 seconds).

Incoming Connections Remote Port: Specify the incoming port number and Allow traffic to this port.

Outgoing Connections Local Port: Specify the outgoing port number and Allow traffic from this port.


BGP Peer Group Settings (continued)

Configure in: BGP > Peer Group > Peer > Advanced

Reflector Client: Select the type of reflector client (Non-Client, Client, or Meshed Client). Routes that are received from reflector clients are shared with all internal and external BGP peers.

Peering Type: Specify a Bilateral peer or leave Unspecified.

Max Prefixes: Specify the maximum number of supported IP prefixes (1-100,000 or unlimited).

Enable Sender Side Loop Detection: Enable to cause the firewall to check the AS_PATH attribute of a route in its FIB before it sends the route in an update, to ensure that the peer AS number is not on the AS_PATH list. If it is, the firewall removes that route from the update to prevent a loop. Usually the receiver does loop detection, but this optimization feature has the sender do loop detection.

BFD: To enable Bidirectional Forwarding Detection (BFD) for a BGP peer (and thereby override the BFD setting for BGP, as long as BFD is not disabled for BGP at the virtual router level), select the default profile (default BFD settings), an existing BFD profile, Inherit-vr-global-setting (to inherit the global BGP BFD profile), or New BFD Profile (to create a new BFD profile). Disable BFD disables BFD for the BGP peer.
  If you enable or disable BFD globally, all interfaces running BGP will be taken down and brought back up with the BFD function. This can disrupt all BGP traffic. When you enable BFD on the interface, the firewall will stop the BGP connection to the peer to program BFD on the interface. The peer device will see the BGP connection drop, which can result in a reconvergence that impacts production traffic. Therefore, enable BFD on BGP interfaces during an off-peak time when a reconvergence will not impact production traffic.
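An added illustration of the two AS_PATH checks this page describes: Enforce First AS for EBGP (drop an inbound Update whose first AS is not the eBGP peer's own AS) and Sender Side Loop Detection (withhold a route from a peer whose AS already appears in the route's AS_PATH). It is not PAN-OS code; the Peer and Update records, AS numbers (from the documentation range 64496-64511) and addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Peer:
    name: str
    peer_as: int
    ebgp: bool               # True when the peer sits in another AS


@dataclass
class Update:
    prefix: str
    as_path: List[int]       # AS_SEQUENCE, nearest AS first
    next_hop: str


def enforce_first_as(update: Update, peer: Peer) -> Tuple[bool, str]:
    """Enforce First AS for EBGP: an Update from an eBGP peer must list that
    peer's own AS first in AS_PATH. Returns (accept, reason)."""
    if not peer.ebgp:
        return True, "iBGP peer: first-AS check does not apply"
    if not update.as_path:
        return False, "eBGP Update with empty AS_PATH"
    first = update.as_path[0]
    if first != peer.peer_as:
        return False, f"first AS {first} is not peer AS {peer.peer_as}: dropped"
    return True, "first AS matches peer AS"


def filter_inbound(updates: List[Update], peer: Peer) -> Tuple[List[Update], List[str]]:
    """Apply the first-AS check to a batch of Updates from one peer; the
    dropped list carries a reason per prefix, suitable for a log line."""
    accepted: List[Update] = []
    dropped: List[str] = []
    for u in updates:
        ok, reason = enforce_first_as(u, peer)
        if ok:
            accepted.append(u)
        else:
            dropped.append(f"{u.prefix} from {peer.name}: {reason}")
    return accepted, dropped


def sender_side_loop_ok(route: Update, peer: Peer) -> bool:
    """Sender Side Loop Detection: True if the route may be sent to this peer,
    False if the peer's AS already appears in AS_PATH (the receiver would
    only discard it as a loop, so the sender withholds it)."""
    return peer.peer_as not in route.as_path


def build_outbound(fib_routes: List[Update], peer: Peer) -> List[Update]:
    return [r for r in fib_routes if sender_side_loop_ok(r, peer)]


def demo() -> Tuple[int, int, int]:
    """Constructed scenario: returns (accepted inbound, dropped inbound, sent outbound)."""
    isp = Peer("isp-a", 64496, ebgp=True)
    inbound = [
        Update("198.51.100.0/24", [64496, 64500], "192.0.2.1"),  # well-formed
        Update("203.0.113.0/24", [64501, 64496], "192.0.2.1"),   # first AS is not the peer
        Update("198.51.100.128/25", [], "192.0.2.1"),            # empty AS_PATH
    ]
    accepted, dropped = filter_inbound(inbound, isp)
    fib = [
        Update("10.10.0.0/16", [64500, 64496], "192.0.2.1"),  # learned via AS 64500
        Update("10.20.0.0/16", [64510], "192.0.2.2"),
    ]
    customer = Peer("customer", 64500, ebgp=True)
    sent = build_outbound(fib, customer)  # 10.10.0.0/16 is withheld: 64500 is on its path
    return len(accepted), len(dropped), len(sent)


if __name__ == "__main__":
    print(demo())
```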


BGP Import and Export Tabs

Network > Virtual Router > BGP > Import
Network > Virtual Router > BGP > Export
Add a new Import or Export rule to import or export BGP routes.

BGP Import and Export Settings

Configure in: BGP > Import or Export > General

Rules: Specify a name to identify the rule.

Enable: Select to activate the rule.

Used By: Select the peer groups that will use this rule.

Configure in: BGP > Import or Export > Match

AS Path Regular Expression: Specify a regular expression for filtering of AS paths.

Community Regular Expression: Specify a regular expression for filtering of community strings.

Extended Community Regular Expression: Specify a regular expression for filtering of extended community strings.

MED: Specify a Multi-Exit Discriminator value for route filtering in the range 0-4,294,967,295.

Route Table: For an Import Rule, specify which route table the matching routes will be imported into: unicast, multicast, or both. For an Export Rule, specify which route table the matching routes will be exported from: unicast, multicast, or both.

Address Prefix: Specify IP addresses or prefixes for route filtering.

Next Hop: Specify next hop routers or subnets for route filtering.

From Peer: Specify peer routers for route filtering.


BGP Import and Export Settings (continued)

Configure in: BGP > Import or Export > Action

Action: Specify an action (Allow or Deny) to take when the match conditions are met.

Dampening: Specify the dampening parameter, only if the action is Allow.

Local Preference: Specify a local preference metric, only if the action is Allow.

MED: Specify a MED value, only if the action is Allow (0-65,535).

Weight: Specify a weight value, only if the action is Allow (0-65,535).

Next Hop: Specify a next hop router, only if the action is Allow.

Origin: Specify the path type of the originating route: IGP, EGP, or incomplete, only if the action is Allow.

AS Path Limit: Specify an AS path limit, only if the action is Allow.

AS Path: Specify an AS path option: None, Remove, Prepend, or Remove and Prepend, only if the action is Allow.

Community: Specify a community option: None, Remove All, Remove Regex, Append, or Overwrite, only if the action is Allow.

Extended Community: Specify an extended community option: None, Remove All, Remove Regex, Append, or Overwrite, only if the action is Allow.

Delete rules when you no longer need them or Clone a rule when appropriate. You can also select rules and Move Up or Move Down to change their order.


BGP Conditional Adv Tab

Network > Virtual Router > BGP > Conditional Adv
A BGP conditional advertisement allows you to control which route to advertise in the event that a preferred route is not available in the local BGP routing table (Loc-RIB), indicating a peering or reachability failure. This is useful where you want to try to force routes to one AS over another, such as when you have links to the internet through multiple ISPs and you want traffic to be routed to one provider instead of the other except when there is a loss of connectivity to the preferred provider.
For conditional advertisement, you configure a Non Exist filter that specifies the preferred route(s) (Address Prefix) plus any other attributes that identify the preferred route (such as AS Path Regular Expression). If a route matching the Non Exist filter is not found in the local BGP routing table, only then will the firewall allow advertisement of the alternate route (the route to the other, non-preferred provider) as specified in its Advertise filter.
To configure conditional advertisement, select the Conditional Adv tab, Add a conditional advertisement, and configure the values described in the following table.

BGP Conditional Advertisement Settings

Configure in: BGP > Conditional Adv

Policy: Specify a name for this conditional advertisement policy rule.

Enable: Select to enable this conditional advertisement policy rule.

Used By: Add the peer groups that will use this conditional advertisement policy rule.


BGP Conditional Advertisement Settings (continued)

Configure in: BGP > Conditional Adv > Non Exist Filters

Non Exist Filter: Use this tab to specify the prefix(es) of the preferred route. This specifies the route that you want to advertise, if it is available in the local BGP routing table. (If a prefix is going to be advertised and matches a Non Exist filter, the advertisement will be suppressed.) Add a Non Exist Filter and specify a name to identify this filter.

Enable: Select to activate the Non Exist filter.

AS Path Regular Expression: Specify a regular expression for filtering AS paths.

Community Regular Expression: Specify a regular expression for filtering community strings.

Extended Community Regular Expression: Specify a regular expression for filtering extended community strings.

MED: Specify a MED value for route filtering (range is 0-4,294,967,295).

Route Table: Specify which route table (unicast, multicast, or both) the firewall will search to see if the matched route is present. If the matched route is not present in that route table, only then will the firewall allow the advertisement of the alternate route.

Address Prefix: Add the exact Network Layer Reachability Information (NLRI) prefix for the preferred route(s).

Next Hop: Specify next hop routers or subnets for filtering the route.

From Peer: Specify peer routers for route filtering.


BGP Conditional Advertisement Settings (continued)

Configure in: BGP > Conditional Adv > Advertise Filters

Advertise Filter: Use this tab to specify the prefix(es) of the route in the Local RIB routing table to advertise if the route in the Non Exist filter is not available in the local routing table. If a prefix is to be advertised and does not match a Non Exist filter, the advertisement will occur. Add an advertise filter and specify a name to identify this filter.

Enable: Select to activate the filter.

AS Path Regular Expression: Specify a regular expression for filtering AS paths.

Community Regular Expression: Specify a regular expression for filtering community strings.

Extended Community Regular Expression: Specify a regular expression for filtering extended community strings.

MED: Specify a MED value for route filtering (range is 0-4,294,967,295).

Route Table: Specify which route table the firewall uses when a matched route is to be conditionally advertised: unicast, multicast, or both.

Address Prefix: Add the exact Network Layer Reachability Information (NLRI) prefix for the route to be advertised if the preferred route is not available.

Next Hop: Specify next hop routers or subnets for route filtering.

From Peer: Specify peer routers for route filtering.
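An added illustration that serves both the Import/Export Match fields and the conditional advertisement logic above: one route filter with the match fields those tabs share (AS path and community regular expressions, MED, exact Address Prefix, Next Hop subnets, From Peer), and a conditional-advertisement step that releases the Advertise-filter routes only when no Loc-RIB route matches the Non Exist filter. It is not PAN-OS code; the Route record, the two-ISP scenario, the AS numbers and the addresses are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Route:
    prefix: str
    as_path: List[int]
    communities: List[str] = field(default_factory=list)
    med: int = 0
    next_hop: str = "0.0.0.0"
    from_peer: str = ""

    def as_path_text(self) -> str:
        # The page's regular expressions match AS_PATH as text, e.g. ^5000
        return " ".join(str(asn) for asn in self.as_path)


@dataclass
class RouteFilter:
    """Match fields shared by Import/Export > Match and the Non Exist and
    Advertise filters. A field left at its default matches any route."""
    as_path_regex: Optional[str] = None
    community_regex: Optional[str] = None
    med: Optional[int] = None
    address_prefixes: List[str] = field(default_factory=list)  # exact NLRI prefixes
    next_hops: List[str] = field(default_factory=list)         # routers or subnets
    from_peers: List[str] = field(default_factory=list)

    def matches(self, route: Route) -> bool:
        if self.as_path_regex and not re.search(self.as_path_regex, route.as_path_text()):
            return False
        if self.community_regex and not any(
                re.search(self.community_regex, c) for c in route.communities):
            return False
        if self.med is not None and route.med != self.med:
            return False
        if self.address_prefixes and route.prefix not in self.address_prefixes:
            return False
        if self.next_hops:
            hop = ipaddress.ip_address(route.next_hop)
            if not any(hop in ipaddress.ip_network(n, strict=False) for n in self.next_hops):
                return False
        if self.from_peers and route.from_peer not in self.from_peers:
            return False
        return True


def conditional_advertisement(loc_rib: List[Route], non_exist: RouteFilter,
                              advertise: RouteFilter) -> List[Route]:
    """Release the Advertise-filter routes only when no Loc-RIB route matches
    the Non Exist filter, i.e. only once the preferred route has disappeared."""
    if any(non_exist.matches(r) for r in loc_rib):
        return []
    return [r for r in loc_rib if advertise.matches(r)]


def sample_scenario(preferred_up: bool) -> List[str]:
    """Constructed: the default route learned from ISP A (AS 64496) is the
    preferred route; our prefix is released to the backup peer group only
    while that default route is absent from the Loc-RIB."""
    isp_a_default = Route("0.0.0.0/0", [64496], next_hop="192.0.2.1", from_peer="192.0.2.1")
    our_prefix = Route("198.51.100.0/24", [], communities=["65000:100"])
    loc_rib = [our_prefix] + ([isp_a_default] if preferred_up else [])
    non_exist = RouteFilter(address_prefixes=["0.0.0.0/0"], as_path_regex=r"^64496",
                            from_peers=["192.0.2.1"])
    advertise = RouteFilter(address_prefixes=["198.51.100.0/24"])
    return [r.prefix for r in conditional_advertisement(loc_rib, non_exist, advertise)]


if __name__ == "__main__":
    print("ISP A up:  ", sample_scenario(True))
    print("ISP A down:", sample_scenario(False))
```

The page's own regex examples behave as expected against this matcher: ^5000 matches paths that begin with AS 5000, and 500:.* matches any community of the form 500:x (note that without a ^ anchor it also matches 1500:x).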


BGP Aggregate Tab

Network > Virtual Router > BGP > Aggregate
Route aggregation is the act of combining specific routes (those with a longer prefix length) into a single route (with a shorter prefix length) to reduce routing advertisements that the firewall must send and to have fewer routes in the route table.

BGP Aggregate Settings

Configure in: BGP > Aggregate

Name: Enter a name for the aggregation rule.

Prefix: Enter a summary prefix (IP address/prefix length) that will be used to aggregate the longer prefixes.

Enable: Select to enable this aggregation of routes.

Summary: Select to summarize routes.

AS Set: Select to cause the firewall, for this aggregation rule, to include the set of AS numbers (AS set) in the AS path of the aggregate route. The AS set is the unordered list of the origin AS numbers from the individual routes that are aggregated.

Configure in: BGP > Aggregate > Suppress Filters

Name: Define the attributes that will cause the matched routes to be suppressed. Add and enter a name for a Suppress Filter.

Enable: Select to enable the Suppress Filter.

AS Path Regular Expression: Specify a regular expression for AS_PATH to filter which routes will be aggregated, for example, ^5000 means routes learned from AS 5000.

Community Regular Expression: Specify a regular expression for communities to filter which routes will be aggregated, for example, 500:.* matches communities with 500:x.

Extended Community Regular Expression: Specify a regular expression for extended communities to filter which routes will be aggregated.

MED: Specify the MED that filters which routes will be aggregated.

Route Table: Specify which route table to use for aggregated routes that should be suppressed (not advertised): unicast, multicast, or both.

Address Prefix: Enter the IP address that you want to suppress from advertisement.

Next Hop: Enter the next hop address of the BGP prefix that you want to suppress.

From Peer: Enter the IP address of the peer from which the BGP prefix (that you want to suppress) was received.


BGP Aggregate Settings (continued)

Configure in: BGP > Aggregate > Advertise Filters

Name: Define the attributes for an Advertise Filter that causes the firewall to advertise to peers any route that matches the filter. Click Add and enter a name for the Advertise Filter.

Enable: Select to enable this Advertise Filter.

AS Path Regular Expression: Specify a regular expression for AS_PATH to filter which routes will be advertised.

Community Regular Expression: Specify a regular expression for Community to filter which routes will be advertised.

Extended Community Regular Expression: Specify a regular expression for Extended Community to filter which routes will be advertised.

MED: Specify a MED value to filter which routes will be advertised.

Route Table: Specify which route table to use for an Advertise Filter of aggregate routes: unicast, multicast, or both.

Address Prefix: Enter an IP address that you want BGP to advertise.

Next Hop: Enter the Next Hop address of the IP address you want BGP to advertise.

From Peer: Enter the IP address of the peer from which the prefix was received, that you want BGP to advertise.

Configure in: BGP > Aggregate > Aggregate Route Attributes

Define the attributes for the aggregate route.

Local Preference: Local preference in the range 0-4,294,967,295.

MED: Multi-Exit Discriminator in the range 0-4,294,967,295.

Weight: Weight in the range 0-65,535.

Next Hop: Next Hop IP address.

Origin: Origin of the route: igp, egp, or incomplete.

AS Path Limit: AS Path Limit in the range 1-255.

AS Path: Select Type: None or Prepend.

Community: Select Type: None, Remove All, Remove Regex, Append, or Overwrite.

Extended Community: Select Type: None, Remove All, Remove Regex, Append, or Overwrite.


BGP Redist Rules Tab

Network > Virtual Router > BGP > Redist Rules
Configure the settings described in the following table to create rules for redistributing BGP routes.

BGP Redistribution Rules Settings (Configure in: BGP > Redist Rules)

Allow Redistribute Default Route: Permits the firewall to redistribute its default route to BGP peers.

Name: Add an IP subnet or create a redistribution rule first.

Enable: Select to enable this redistribution rule.

Route Table: Specify which route table the route will be redistributed into: unicast, multicast, or both.

Metric: Enter a metric in the range 1-65,535.

Set Origin: Select the origin for the redistributed route (igp, egp, or incomplete). The value incomplete indicates a connected route.

Set MED: Enter a MED for the redistributed route in the range 0-4,294,967,295.

Set Local Preference: Enter a local preference for the redistributed route in the range 0-4,294,967,295.

Set AS Path Limit: Enter an AS path limit for the redistributed route in the range 1-255.

Set Community: Select or enter a 32-bit value in decimal or hexadecimal or in AS:VAL format; AS and VAL are each in the range 0-65,535. Enter a maximum of 10 communities.

Set Extended Community: Enter a 64-bit value in hexadecimal or in TYPE:AS:VAL or TYPE:IP:VAL format. TYPE is 16 bits; AS or IP is 16 bits; VAL is 32 bits. Enter a maximum of five extended communities.
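An added parser and validator for the Set Community and Set Extended Community value formats described above: a 32-bit community given as decimal, hexadecimal or AS:VAL (each half 0-65,535), and a 64-bit extended community given as hexadecimal or TYPE:AS:VAL (16:16:32 bits), with the per-rule limits of 10 communities and five extended communities. It is not PAN-OS code and does not reproduce the firewall's own input checking; the TYPE:IP:VAL form is left out here, and the sample values are constructed.

```python
from typing import Callable, List

MAX_COMMUNITIES = 10        # per the page: at most 10 communities per rule
MAX_EXT_COMMUNITIES = 5     # per the page: at most five extended communities per rule

_U16 = 0xFFFF
_U32 = 0xFFFFFFFF
_U64 = 0xFFFFFFFFFFFFFFFF


def _field(text: str, limit: int, what: str) -> int:
    """Accept a decimal or 0x-prefixed hexadecimal integer within 0..limit."""
    text = text.strip()
    try:
        value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    except ValueError:
        raise ValueError(f"{what}: {text!r} is not a decimal or 0x hexadecimal number") from None
    if not 0 <= value <= limit:
        raise ValueError(f"{what}: {value} is outside 0-{limit}")
    return value


def parse_community(text: str) -> int:
    """32-bit community from '64496:100', '4226809956' or '0xFBF00064'."""
    parts = text.split(":")
    if len(parts) == 2:
        asn = _field(parts[0], _U16, "AS")
        val = _field(parts[1], _U16, "VAL")
        return (asn << 16) | val
    if len(parts) == 1:
        return _field(text, _U32, "community")
    raise ValueError(f"community {text!r}: expected VALUE or AS:VAL")


def format_community(value: int) -> str:
    """Render a 32-bit community back in AS:VAL form."""
    return f"{value >> 16}:{value & _U16}"


def parse_extended_community(text: str) -> int:
    """64-bit extended community from TYPE:AS:VAL or a hexadecimal literal."""
    parts = text.split(":")
    if len(parts) == 3:
        typ = _field(parts[0], _U16, "TYPE")
        asn = _field(parts[1], _U16, "AS")
        val = _field(parts[2], _U32, "VAL")
        return (typ << 48) | (asn << 32) | val
    if len(parts) == 1:
        if not text.strip().lower().startswith("0x"):
            raise ValueError("an extended community literal must be hexadecimal")
        return _field(text, _U64, "extended community")
    raise ValueError(f"extended community {text!r}: expected HEX or TYPE:AS:VAL")


def parse_list(values: List[str], parser: Callable[[str], int], limit: int) -> List[int]:
    """Parse every entry and enforce the per-rule count limit."""
    if len(values) > limit:
        raise ValueError(f"{len(values)} entries exceed the limit of {limit}")
    return [parser(v) for v in values]


if __name__ == "__main__":
    # Constructed sample values for a redistribution rule.
    for text in ("64496:100", "0xFBF00064", "4226809956"):
        print(f"{text:>12} -> {parse_community(text):#010x} ({format_community(parse_community(text))})")
    print(f"{parse_extended_community('0x0002:64496:100'):#018x}")
```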


IP Multicast

Network > Virtual Router > Multicast
Configuring Multicast protocols requires configuring the following standard setting:

Multicast Setting

Enable: Select to enable multicast routing.

In addition, settings on the following tabs must be configured:
- Rendezvous Point: See Multicast Rendezvous Point Tab.
- Interfaces: See Multicast Interfaces Tab.
- SPT Threshold: See Multicast SPT Threshold Tab.
- Source Specific Address Space: See Multicast Source Specific Address Tab.
- Advanced: See Multicast Advanced Tab.


Multicast Rendezvous Point Tab

Network > Virtual Router > Multicast > Rendezvous Point
Use the following fields to configure an IP multicast rendezvous point:

Multicast Settings: Rendezvous Point

RP Type: Choose the type of Rendezvous Point (RP) that will run on this virtual router. A static RP must be explicitly configured on other PIM routers, whereas a candidate RP is elected automatically.
  - None: Choose if there is no RP running on this virtual router.
  - Static: Specify a static IP address for the RP and choose options for RP Interface and RP Address from the drop-down. Select Override learned RP for the same group if you want to use the specified RP instead of the RP elected for this group.
  - Candidate: Specify the following information for the candidate RP running on this virtual router:
    - RP Interface: Select an interface for the RP. Valid interface types include loopback, L3, VLAN, aggregate Ethernet, and tunnel.
    - RP Address: Select an IP address for the RP.
    - Priority: Specify a priority for candidate RP messages (default 192).
    - Advertisement interval: Specify an interval between advertisements for candidate RP messages.
  - Group list: If you choose Static or Candidate, click Add to specify a list of groups for which this candidate RP is proposing to be the RP.

Remote Rendezvous Point: Click Add and specify the following:
  - IP address: Specify the IP address for the RP.
  - Override learned RP for the same group: Select to use the specified RP instead of the RP elected for this group.
  - Group: Specify a list of groups for which the specified address will act as the RP.

Multicast Interfaces Tab

Network > Virtual Router > Multicast > Interfaces
Use the following fields to configure multicast interfaces:

Multicast Settings: Interfaces

Name: Enter a name to identify an interface group.

Description: Enter an optional description.

Interface: Click Add to specify one or more firewall interfaces.


Multicast Settings: Interfaces (continued)

Group Permissions: Specify general rules for multicast traffic:
  - Any Source: Click Add to specify a list of multicast groups for which PIM-SM traffic is permitted.
  - Source-Specific: Click Add to specify a list of multicast group and multicast source pairs for which PIM-SSM traffic is permitted.

IGMP: Specify rules for IGMP traffic. IGMP must be enabled for host-facing interfaces (IGMP router) or for IGMP proxy host interfaces.
  - Enable: Select to enable the IGMP configuration.
  - IGMP Version: Choose version 1, 2, or 3 to run on the interface.
  - Enforce Router-Alert IP Option: Select to require the router-alert IP option when speaking IGMPv2 or IGMPv3. This must be disabled for compatibility with IGMPv1.
  - Robustness: Choose an integer value to account for packet loss on a network (range is 1-7; default is 2). If packet loss is common, choose a higher value.
  - Max Sources: Specify the maximum number of source-specific memberships allowed on this interface (0 = unlimited).
  - Max Groups: Specify the maximum number of groups allowed on this interface.
  - Query Configuration: Specify the following:
    - Query interval: Specify the interval at which general queries are sent to all hosts.
    - Max Query Response Time: Specify the maximum time between a general query and a response from a host.
    - Last Member Query Interval: Specify the interval between group- or source-specific query messages (including those sent in response to leave-group messages).
    - Immediate Leave: Select to leave the group immediately when a leave message is received.

PIM configuration: Specify the following Protocol Independent Multicast (PIM) settings:
  - Enable: Select to allow this interface to receive and/or forward PIM messages.
  - Assert Interval: Specify the interval between PIM assert messages.
  - Hello Interval: Specify the interval between PIM hello messages.
  - Join Prune Interval: Specify the interval between PIM join and prune messages (seconds). Default is 60.
  - DR Priority: Specify the designated router priority for this interface.
  - BSR Border: Select to use the interface as the bootstrap border.
  - PIM Neighbors: Click Add to specify the list of neighbors that will communicate using PIM.


Multicast SPT Threshold Tab

Network > Virtual Router > Multicast > SPT Threshold
Use the following fields to configure multicast SPT thresholds:

Multicast Settings: SPT Threshold

Name: The Shortest Path Tree (SPT) threshold defines the throughput rate (in kbps) at which multicast routing will switch from shared tree distribution (sourced from the rendezvous point) to source tree distribution. Add the following SPT settings:
  - Multicast Group Prefix: Specify the multicast IP address/prefix for which the SPT will be switched to source tree distribution when the throughput reaches the desired threshold (kbps).
  - Threshold: Specify the throughput at which to switch from shared tree distribution to source tree distribution.

Multicast Source Specific Address Tab

Network > Virtual Router > Multicast > Source Specific Address Space
Define a name for a multicast group and configure source-specific multicast services.

Multicast Settings: Source Specific Address Space

Name: Defines the multicast groups for which the firewall will provide source-specific multicast (SSM) services. Add the following settings for source-specific addresses:
  - Name: Enter a name to identify this group of settings.
  - Group: Specify groups for the SSM address space.
  - Included: Select to include the specified groups in the SSM address space.

Multicast Advanced Tab

Network > Virtual Router > Multicast > Advanced
Configure the length of time a multicast route remains in the routing table after the session ends.

Multicast Advanced Settings

Route Age Out Time (sec): Allows you to tune the duration, in seconds, for which a multicast route remains in the routing table on the firewall after the session ends (range is 210-7200; default is 210).


ECMP

Network > Virtual Routers > Router Settings > ECMP
Equal Cost Multiple Path (ECMP) processing is a networking feature that enables the firewall to use up to four equal-cost routes to the same destination. Without this feature, if there are multiple equal-cost routes to the same destination, the virtual router chooses one of those routes from the routing table and adds it to its forwarding table; it will not use any of the other routes unless there is an outage in the chosen route. Enabling ECMP functionality on a virtual router allows the firewall to have up to four equal-cost paths to a destination in its forwarding table, allowing the firewall to:
- Load balance flows (sessions) to the same destination over multiple equal-cost links.
- Make use of the available bandwidth on all links to the same destination rather than leave some links unused.
- Dynamically shift traffic to another ECMP member to the same destination if a link fails, rather than waiting for the routing protocol or RIB table to elect an alternative path, which can help reduce downtime when links fail.
ECMP load balancing is done at the session level, not at the packet level. This means the firewall chooses an equal-cost path at the start of a new session, not each time the firewall receives a packet.

Enabling, disabling, or changing ECMP on an existing virtual router causes the system to restart the virtual router, which might cause existing sessions to be terminated.

To configure ECMP for a virtual router, select a virtual router and, for Router Settings, select the ECMP tab and configure the ECMP Settings as described.

What are you looking for?
- What are the fields available to configure ECMP? See ECMP Settings.
- Looking for more? See ECMP.


ECMP Settings

Network > Virtual Routers > Router Settings > ECMP
Use the following fields to configure Equal Cost Multiple Path settings.

ECMP Settings

Enable: Enable ECMP. Enabling, disabling, or changing ECMP requires that you restart the firewall, which might cause sessions to be terminated.

Symmetric Return: (Optional) Select Symmetric Return to cause return packets to egress out the same interface on which the associated ingress packets arrived. That is, the firewall will use the ingress interface on which to send return packets, rather than use the ECMP interface, so the Symmetric Return setting overrides load balancing. This behavior occurs only for traffic flows from the server to the client.

Max Path: Select the maximum number of equal-cost paths (2, 3, or 4) to a destination network that can be copied from the RIB to the FIB. Default is 2.

Method: Choose one of the following ECMP load-balancing algorithms to use on the virtual router. ECMP load balancing is done at the session level, not at the packet level. This means that the firewall (ECMP) chooses an equal-cost path at the start of a new session, not each time a packet is received.
  - IP Modulo: By default, the virtual router load balances sessions using this option, which uses a hash of the source and destination IP addresses in the packet header to determine which ECMP route to use.
  - IP Hash: Optionally click Use Source/Destination Ports to include the ports in the hash calculation, in addition to the source and destination IP addresses. You can also enter a Hash Seed value (an integer) to further randomize load balancing.
  - Weighted Round Robin: This algorithm can be used to take into consideration different link capacities and speeds. Upon choosing this algorithm, the Interface window opens. Click Add and select an Interface to be included in the weighted round robin group. For each interface, enter the Weight to be used for that interface. Weight defaults to 100; range is 1-255. The higher the weight for a specific equal-cost path, the more often that equal-cost path will be selected for a new session. A higher-speed link should be given a higher weight than a slower link, so that more of the ECMP traffic goes over the faster link. Click Add again to add another interface and weight.
  - Balanced Round Robin: Distributes incoming ECMP sessions equally across links.
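An added illustration of session-level ECMP path selection under the four Method choices above: IP Modulo (addresses only), IP Hash (addresses, optionally Use Source/Destination Ports, plus a Hash Seed), and Weighted Round Robin, which becomes Balanced Round Robin when every member has the same weight. It is not PAN-OS code: the address-combining function and the SHA-256-based hash are constructed stand-ins (the firewall's actual hash is not described on this page), and the sample sessions use documentation addresses.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    sport: int
    dport: int


def check_max_path(n_paths: int) -> int:
    """Max Path on this page is 2, 3 or 4 equal-cost paths copied from RIB to FIB."""
    if n_paths not in (2, 3, 4):
        raise ValueError("Max Path must be 2, 3 or 4")
    return n_paths


def ip_modulo(s: Session, n_paths: int) -> int:
    """IP Modulo: only the source and destination addresses feed the choice,
    so sessions between the same pair of hosts always take the same path.
    XOR of the two addresses is a constructed stand-in for the real hash."""
    key = int(ipaddress.ip_address(s.src)) ^ int(ipaddress.ip_address(s.dst))
    return key % check_max_path(n_paths)


def ip_hash(s: Session, n_paths: int, use_ports: bool = False, seed: int = 0) -> int:
    """IP Hash: addresses, optionally the ports, plus a Hash Seed that changes
    the mapping without changing the traffic. SHA-256 is a constructed stand-in."""
    material = f"{seed}|{s.src}|{s.dst}"
    if use_ports:
        material += f"|{s.sport}|{s.dport}"
    digest = hashlib.sha256(material.encode()).digest()
    return int.from_bytes(digest[:4], "big") % check_max_path(n_paths)


class RoundRobin:
    """Weighted Round Robin over the ECMP member interfaces (Weight 1-255 as on
    this page). Equal weights behave as Balanced Round Robin."""

    def __init__(self, weights: List[int]) -> None:
        if not 2 <= len(weights) <= 4:
            raise ValueError("an ECMP group has 2 to 4 members")
        if any(not 1 <= w <= 255 for w in weights):
            raise ValueError("interface weight must be in 1-255")
        self.weights = weights
        self.credit = [0] * len(weights)

    def next_path(self) -> int:
        # Smooth weighted selection: each member earns its weight as credit,
        # the richest member is chosen and pays back the total, so over
        # sum(weights) new sessions each member is chosen weight times.
        for i, w in enumerate(self.weights):
            self.credit[i] += w
        chosen = max(range(len(self.weights)), key=lambda i: self.credit[i])
        self.credit[chosen] -= sum(self.weights)
        return chosen


def distribute(sessions: List[Session], choose: Callable[[Session], int]) -> Dict[int, int]:
    """Session-level balancing: the path is chosen once per new session and
    every later packet of that session follows it. Returns sessions per path."""
    counts: Dict[int, int] = {}
    for s in sessions:
        path = choose(s)
        counts[path] = counts.get(path, 0) + 1
    return counts


def sample_sessions() -> List[Session]:
    """Constructed flows from TEST-NET-1 clients to one TEST-NET-2 server."""
    return [Session(f"192.0.2.{i}", "198.51.100.10", 40000 + i, 443) for i in range(1, 17)]


if __name__ == "__main__":
    sessions = sample_sessions()
    print("IP Modulo, 2 paths:", distribute(sessions, lambda s: ip_modulo(s, 2)))
    print("IP Hash + ports, 4 paths:", distribute(sessions, lambda s: ip_hash(s, 4, True, 7)))
    wrr = RoundRobin([200, 100])  # constructed: a faster and a slower link
    print("Weighted RR, 2:1:", distribute(sessions, lambda s: wrr.next_path()))
```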


More Runtime Stats for a Virtual Router

After you configure static routes or routing protocols for a virtual router, select Network > Virtual Routers, and select More Runtime Stats in the last column to see detailed information about the virtual router, such as the route table, forwarding table, and the routing protocols and static routes you configured. These windows provide more information than can fit on a single screen for the virtual router. The window displays the following tabs:
- Routing: See Routing Tab.
- RIP: See RIP Tab.
- BGP: See BGP Tab.
- Multicast: See Multicast Tab.
- BFD Summary Information: See BFD Summary Information Tab.

Routing Tab

The Routing Tab is divided into three tabs:
- Routing Table: See Route Table Tab.
- Forwarding Table: See Forwarding Table Tab.
- Static Route Monitoring: See Static Route Monitoring Tab.

Route Table Tab

The following table describes the virtual router's Runtime Stats for the Route Table.

Route Table Runtime Stats

Route Table: Select Unicast or Multicast to display either the unicast or multicast route table.

Display Address Family: Select IPv4 Only, IPv6 Only, or IPv4 and IPv6 (default) to control which group of addresses to display in the table.

Destination: IPv4 address and netmask or IPv6 address and prefix length of networks the virtual router can reach.

Next Hop: IP address of the device at the next hop toward the Destination network. A next hop of 0.0.0.0 indicates the default route.

Metric: Metric for the route. When a routing protocol has more than one route to the same destination network, it prefers the route with the lowest metric value. Each routing protocol uses a different type of metric; for example, RIP uses hop count.

Weight: Weight for the route. For example, when BGP has more than one route to the same destination, it will prefer the route with the highest weight.


Network Network>VirtualRouters

RouteTableRuntime Description
Stats

Flags A?BActiveandlearnedviaBGP
A CActiveandaresultofaninternalinterface(connected)Destination=
network
A HActiveandaresultofaninternalinterface(connected)Destination=
Hostonly
A RActiveandlearnedviaRIP
A SActiveandstatic
SInactive(becausethisroutehasahighermetric)andstatic
O1OSPFexternaltype1
O2OSPFexternaltype2
OiOSPFintraarea
OoOSPFinterarea

Age Ageoftherouteentryintheroutingtable.Staticrouteshavenoage.

Interface Egressinterfaceofthevirtualrouterthatwillbeusedtoreachthenexthop.

Refresh Clicktorefreshtheruntimestatsinthetable.

Forwarding Table Tab

The following table describes Runtime Stats for the Forwarding Table (Forwarding Information Base, FIB) on a virtual router. The firewall chooses the best route from the route table (RIB) toward a destination network to place in the FIB.

Forwarding Table Runtime Stats  Description

Display Address Family: Select IPv4 Only, IPv6 Only, or IPv4 and IPv6 (default) to control which route table to display.

Destination: Best IPv4 address and netmask or IPv6 address and prefix length to a network the virtual router can reach, selected from the Route Table.

Next Hop: IP address of the device at the next hop toward the Destination network. A next hop of 0.0.0.0 indicates the default route.

Flags:
- u: Route is up.
- h: Route is to a host.
- g: Route is to a gateway.
- e: Firewall selected this route using Equal Cost Multipath (ECMP).
- *: Route is the preferred path to a destination network.

Interface: Egress interface the virtual router will use to reach the next hop.

MTU: Maximum transmission unit (MTU); the maximum number of bytes, including the IP header, that the firewall will transmit in a single IP packet to this destination. The MTU limits every IP packet on the path, not only TCP segments; a packet larger than the MTU is fragmented or, if its Don't Fragment bit is set, dropped.

Refresh: Click to refresh the runtime stats in the table.
Static Route Monitoring Tab

The following table describes the virtual router's Runtime Stats for Static Route Monitoring.

Static Route Monitoring Runtime Stats  Description

Destination: IPv4 address and netmask or IPv6 address and prefix length of a network the virtual router can reach.

Next Hop: IP address of the device at the next hop toward the Destination network. A next hop of 0.0.0.0 indicates the default route.

Metric: Metric for the route. When there is more than one static route to the same destination network, the firewall prefers the route with the lowest metric value.

Weight: Weight for the route.

Flags:
- A B: Active and learned via BGP
- A C: Active and a result of an internal interface (connected); Destination = network
- A H: Active and a result of an internal interface (connected); Destination = host only
- A R: Active and learned via RIP
- A S: Active and static
- S: Inactive (because this route has a higher metric) and static
- O1: OSPF external type 1
- O2: OSPF external type 2
- Oi: OSPF intra-area
- Oo: OSPF inter-area

Interface: Egress interface of the virtual router that will be used to reach the next hop.

Path Monitoring (Fail On): If path monitoring is enabled for this static route, Fail On indicates:
- All: Firewall considers the static route down and will fail over if all of the monitored destinations for the static route are down.
- Any: Firewall considers the static route down and will fail over if any one of the monitored destinations for the static route is down.
If static route path monitoring is disabled, Fail On indicates Disabled.

Status: Status of the static route based on ICMP pings to the monitored destinations: Up, Down, or path monitoring for the static route is Disabled.

Refresh: Refreshes the runtime stats in the table.
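The following is an added example, not PAN-OS code, tying together the Route Table, Forwarding Table and Static Route Monitoring tabs above: it builds a FIB from a RIB by keeping one lowest-metric active route per prefix, resolves destination addresses by longest-prefix match, and shows how a monitored static route with Fail On set to Any or All is withdrawn so the next-best route (here a backup default route with a higher metric) takes over. The flag strings follow the tabs above; the routes, monitored destinations and ping results are constructed, and the connected route's next hop is simply the virtual router's own interface address.

```python
"""Added example (not PAN-OS code): RIB -> FIB selection, longest-prefix lookup,
and static route path monitoring with Fail On = All / Any. Routes, monitored
destinations and ICMP results below are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    destination: str          # "10.1.0.0/16" or "0.0.0.0/0"
    next_hop: str
    metric: int
    protocol: str             # "S" static, "C" connected, "B" BGP, "R" RIP
    interface: str
    fail_on: str = "Disabled"                        # static routes: "All", "Any" or "Disabled"
    monitored: dict = field(default_factory=dict)    # monitored destination -> ICMP ping reachable?


def static_route_status(route):
    """Status column of the Static Route Monitoring tab: Up, Down or Disabled."""
    if route.protocol != "S" or route.fail_on == "Disabled" or not route.monitored:
        return "Disabled"
    reachable = list(route.monitored.values())
    if route.fail_on == "All":
        down = not any(reachable)      # down only if every monitored destination is down
    else:                               # "Any"
        down = not all(reachable)      # down if any one monitored destination is down
    return "Down" if down else "Up"


def build_fib(rib):
    """One route per prefix: routes whose path monitor is Down are withdrawn,
    and among the rest the lowest metric wins. Returns {prefix: Route}."""
    fib = {}
    for r in rib:
        if static_route_status(r) == "Down":
            continue
        if r.destination not in fib or r.metric < fib[r.destination].metric:
            fib[r.destination] = r
    return fib


def route_table_flags(rib, fib):
    """Flags column of the Route Table tab: 'A S', 'A C', ... for the installed
    route; bare protocol letter for a route left inactive by a higher metric
    or withdrawn by path monitoring."""
    return [f"A {r.protocol}" if fib.get(r.destination) is r else r.protocol for r in rib]


def lookup(fib, ip):
    """Longest-prefix match of a destination IP against the FIB; None if no route."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, route in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, route)
    return best[1] if best else None


# Constructed RIB: primary default route with path monitoring (one of its two
# monitored destinations is unreachable), a backup default route with a higher
# metric, a connected network, a BGP-learned subnet and a static host route.
RIB = [
    Route("0.0.0.0/0", "203.0.113.1", 10, "S", "ethernet1/1", fail_on="Any",
          monitored={"203.0.113.1": True, "198.51.100.1": False}),
    Route("0.0.0.0/0", "192.0.2.1", 20, "S", "ethernet1/2"),
    Route("10.1.0.0/16", "10.1.0.1", 0, "C", "ethernet1/3"),   # VR's own interface address
    Route("10.1.5.0/24", "10.1.0.254", 10, "B", "ethernet1/3"),
    Route("10.1.5.7/32", "10.1.0.250", 10, "S", "ethernet1/3"),
]

if __name__ == "__main__":
    fib = build_fib(RIB)
    for r, flags in zip(RIB, route_table_flags(RIB, fib)):
        print(f"{r.destination:16} {r.next_hop:14} metric {r.metric:3} {flags:4} {r.interface}")
    for ip in ("10.1.5.7", "10.1.5.9", "10.1.9.9", "8.8.8.8"):
        print(ip, "->", lookup(fib, ip).destination)
```

Because the primary default route uses Fail On: Any and one monitored destination is down, it is withdrawn and the backup default route via 192.0.2.1 is installed; with Fail On: All the same ping results leave the primary route Up. Monitoring a single destination makes the two modes identical, so monitor at least two addresses that do not share a failure domain.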

RIP Tab

The following table describes the virtual router's Runtime Stats for RIP.

RIP Runtime Stats  Description

Summary Tab

Interval Seconds: Number of seconds in an interval. RIP uses this value (a length of time) to control its Update, Expire, and Delete Intervals.

Update Intervals: Number of intervals between RIP route advertisement updates that the virtual router sends to peers.

Expire Intervals: Number of intervals since the last update the virtual router received from a peer, after which the virtual router marks the routes from the peer as unusable.

Delete Intervals: Number of intervals after a route has been marked as unusable that, if no update is received, the firewall deletes the route from the routing table.

Interface Tab

Address: IP address of an interface on the virtual router where RIP is enabled.

Auth Type: Type of authentication: simple password, MD5, or none. A simple password travels in cleartext in every RIP packet, so prefer MD5 wherever the peer supports it.

Send Allowed: Check mark indicates this interface is allowed to send RIP packets.

Receive Allowed: Check mark indicates this interface is allowed to receive RIP packets.

Advertise Default Route: Check mark indicates that RIP will advertise its default route to its peers.

Default Route Metric: Metric (hop count) assigned to the default route. The lower the metric value, the higher priority it has in the route table to be selected as the preferred path.

Key Id: Authentication key used with peers.

Preferred: Preferred key for authentication.

Peer Tab

Peer Address: IP address of a peer to the virtual router's RIP interface.

Last Update: Date and time that the last update was received from this peer.

RIP Version: RIP version the peer is running.

Invalid Packets: Count of invalid packets received from this peer. Possible reasons the firewall cannot parse a RIP packet: x bytes over a route boundary, too many routes in packet, bad subnet, illegal address, authentication failed, or not enough memory.

Invalid Routes: Count of invalid routes received from this peer. Possible causes: route is invalid, import fails, or not enough memory.
BGP Tab

The following table describes the virtual router's Runtime Stats for BGP.

BGP Runtime Stats  Description

Summary Tab

Router Id: Router ID assigned to the BGP instance.

Reject Default Route: Indicates whether the Reject Default Route option is configured, which causes the VR to ignore any default routes that are advertised by BGP peers.

Redistribute Default Route: Indicates whether the Allow Redistribute Default Route option is configured.

Install Route: Indicates whether the Install Route option is configured, which causes the VR to install BGP routes in the global routing table.

Graceful Restart: Indicates whether or not Graceful Restart is enabled (supported).

AS Size: Indicates whether the AS Format size selected is 2 Byte or 4 Byte.

Local AS: Number of the AS to which the VR belongs.

Local Member AS: Local Member AS number (valid only if the VR is in a confederation). The field is 0 if the VR is not in a confederation.

Cluster ID: Displays the Reflector Cluster ID configured.

Default Local Preference: Displays the Default Local Preference configured for the VR.

Always Compare MED: Indicates whether the Always Compare MED option is configured, which enables a comparison to choose between routes from neighbors in different autonomous systems.

Aggregate Regardless MED: Indicates whether the Aggregate MED option is configured, which enables route aggregation even when routes have different MED values.

Deterministic MED Processing: Indicates whether the Deterministic MED comparison option is configured, which enables a comparison to choose between routes that are advertised by IBGP peers (BGP peers in the same AS).

Current RIB Out Entries: Number of entries in the RIB Out table.

Peak RIB Out Entries: Peak number of Adj-RIB-Out routes that have been allocated at any one time.

Peer Tab

Name: Name of the peer.

Group: Name of the peer group to which this peer belongs.

Local IP: IP address of the BGP interface on the VR.

Peer IP: IP address of the peer.

Peer AS: Autonomous system to which the peer belongs.
Password Set: Yes or no indicates whether authentication is set.

Status: Status of the peer, such as Active, Connect, Established, Idle, OpenConfirm, or OpenSent.

Status Duration (secs.): Duration of the peer's status.

Peer Group Tab

Group Name: Name of a peer group.

Type: Type of peer group configured, such as EBGP or IBGP.

Aggregate Confed. AS: Yes or no indicates whether the Aggregate Confederation AS option is configured.

Soft Reset Support: Yes or no indicates whether the peer group supports soft reset. When routing policies to a BGP peer change, routing table updates might be affected. A soft reset of BGP sessions is preferred over a hard reset because a soft reset allows routing tables to be updated without clearing the BGP sessions.

Next Hop Self: Yes or no indicates whether this option is configured.

Next Hop Third Party: Yes or no indicates whether this option is configured.

Remove Private AS: Indicates whether updates will have private AS numbers removed from the AS_PATH attribute before the update is sent.

Local RIB Tab

Prefix: Network prefix and subnet mask in the Local Routing Information Base.

Flag: * indicates the route was chosen as the best BGP route.

Next Hop: IP address of the next hop toward the Prefix.

Peer: Name of peer.

Weight: Weight attribute assigned to the Prefix. If the firewall has more than one route to the same Prefix, the route with the highest weight is installed in the IP routing table.

Local Pref.: Local preference attribute for the route, which is used to choose the exit point toward the prefix if there are multiple exit points. A higher local preference is preferred over a lower local preference.

AS Path: List of autonomous systems in the path to the Prefix network; the list is advertised in BGP updates.

Origin: Origin attribute for the Prefix; how BGP learned of the route.

MED: Multi-Exit Discriminator (MED) attribute of the route. The MED is a metric attribute for a route, which the AS advertising the route suggests to an external AS. A lower MED is preferred over a higher MED.

Flap Count: Number of flaps for the route.

RIB Out Tab
Prefix: Network routing entry in the Routing Information Base.

Next Hop: IP address of the next hop toward the Prefix.

Peer: Peer to which the VR will advertise this route.

Local Pref.: Local preference attribute to access the prefix, which is used to choose the exit point toward the prefix if there are multiple exit points. A higher local preference is preferred over a lower local preference.

AS Path: List of autonomous systems in the path to the Prefix network.

Origin: Origin attribute for the Prefix; how BGP learned of the route.

MED: Multi-Exit Discriminator (MED) attribute to the Prefix. The MED is a metric attribute for a route, which the AS that is advertising the route suggests to an external AS. A lower MED is preferred over a higher MED.

Adv. Status: Advertised status of the route.

Aggr. Status: Indicates whether this route is aggregated with other routes.
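The following is an added example, not PAN-OS code, of the BGP decision process that decides which Local RIB entry receives the * flag for a prefix, using the attributes the Local RIB tab lists (Weight highest, Local Pref. highest, AS Path shortest, Origin, MED lowest) together with the Always Compare MED and Deterministic MED options from the Summary tab. The candidate routes and the advertising peers' router IDs (the final tiebreak, which the tab does not display) are constructed, and the steps are a simplified form of the standard decision process rather than the firewall's exact implementation.

```python
"""Added example (not PAN-OS code): a simplified BGP best-path decision for one
prefix, showing why Deterministic MED matters. Routes and router IDs are constructed."""
import ipaddress
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower is preferred


@dataclass(frozen=True)
class LocalRibEntry:
    prefix: str
    next_hop: str
    peer: str          # peer name, as in the Peer column
    peer_as: int       # neighbouring AS the route was received from
    weight: int
    local_pref: int
    as_path: tuple
    origin: str        # "igp", "egp" or "incomplete"
    med: int
    router_id: str     # BGP identifier of the advertising peer (final tiebreak)


def better(a, b, always_compare_med=False):
    """True if route a is preferred over route b."""
    if a.weight != b.weight:
        return a.weight > b.weight
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin]
    # MED is only comparable between routes from the same neighbouring AS,
    # unless Always Compare MED is configured.
    if (always_compare_med or a.peer_as == b.peer_as) and a.med != b.med:
        return a.med < b.med
    return ipaddress.ip_address(a.router_id) < ipaddress.ip_address(b.router_id)


def select_best(entries, always_compare_med=False, deterministic_med=True):
    """Best route for one prefix. Without Deterministic MED the routes are compared
    in the order they are held, which can change the winner; with it, routes are
    first grouped by neighbouring AS so MED is always compared within a group."""
    if not entries:
        return None
    if not deterministic_med:
        best = entries[0]
        for e in entries[1:]:
            if better(e, best, always_compare_med):
                best = e
        return best
    groups = {}
    for e in entries:
        groups.setdefault(e.peer_as, []).append(e)
    winners = [select_best(g, always_compare_med, deterministic_med=False)
               for g in groups.values()]
    return select_best(winners, always_compare_med, deterministic_med=False)


def local_rib_flags(entries, **options):
    """Flag column of the Local RIB tab: '*' on the chosen route, '' elsewhere."""
    best = select_best(entries, **options)
    return {e.peer: ("*" if e is best else "") for e in entries}


def routes_for_prefix():
    """Constructed Local RIB for 10.10.0.0/16: two routes from AS 65100 and one
    from AS 65200; only MED, neighbouring AS and router ID differ."""
    common = dict(prefix="10.10.0.0/16", weight=0, local_pref=100, origin="igp")
    r1 = LocalRibEntry(next_hop="192.0.2.1", peer="isp-a-1", peer_as=65100,
                       as_path=(65100, 65300), med=200, router_id="1.1.1.1", **common)
    r2 = LocalRibEntry(next_hop="198.51.100.1", peer="isp-b", peer_as=65200,
                       as_path=(65200, 65300), med=100, router_id="2.2.2.2", **common)
    r3 = LocalRibEntry(next_hop="192.0.2.9", peer="isp-a-2", peer_as=65100,
                       as_path=(65100, 65300), med=150, router_id="3.3.3.3", **common)
    return r1, r2, r3


if __name__ == "__main__":
    r1, r2, r3 = routes_for_prefix()
    print("non-deterministic, order r1,r2,r3:", select_best([r1, r2, r3], deterministic_med=False).peer)
    print("non-deterministic, order r3,r2,r1:", select_best([r3, r2, r1], deterministic_med=False).peer)
    print("deterministic MED               :", select_best([r1, r2, r3]).peer)
    print("always compare MED              :", select_best([r1, r2, r3], always_compare_med=True).peer)
```

With the same three routes, the order-dependent comparison picks isp-a-2 or isp-a-1 depending on arrival order, while Deterministic MED consistently picks isp-b; Always Compare MED makes the MED values comparable across both ISPs and also picks isp-b. A Weight set on a peer overrides all of this, which is why Weight is the first thing to check when the * lands on an unexpected route.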

Multicast Tab

The following table describes the virtual router's Runtime Stats for IP Multicast.

Multicast Runtime Stats  Description

FIB Tab

Group: Multicast group address that the VR will forward.

Source: Multicast source address.

Incoming Interfaces: Indicates interfaces where the multicast traffic comes in on the VR.

IGMP Interface Tab

Interface: Interface that has IGMP enabled.

Version: Version 1, 2, or 3 of Internet Group Management Protocol (IGMP).

Querier: IP address of the IGMP querier on that interface.

Querier Up Time: Length of time that the IGMP querier has been up.

Querier Expiry Time: Time remaining before the current Other Querier Present timer expires.

Robustness: Robustness variable of the IGMP interface.

Groups Limit: Number of multicast groups allowed on the interface.

Sources Limit: Number of multicast sources allowed on the interface.
Immediate Leave: Yes or no indicates whether Immediate Leave is configured. Immediate Leave indicates that the virtual router will remove an interface from the forwarding table entry without sending the interface IGMP group-specific queries.

IGMP Membership Tab

Interface: Name of an interface to which the membership belongs.

Group: IP Multicast group address.

Source: Source address of multicast traffic.

Up Time: Length of time this membership has been up.

Expiry Time: Length of time remaining before the membership expires.

Filter Mode: Include or exclude the source. The VR is configured to include all traffic, or only traffic from this source (include), or traffic from any source except this one (exclude).

Exclude Expiry: Time remaining before the interface Exclude state expires.

V1 Host Timer: Time remaining until the local router assumes that there are no longer any IGMP Version 1 members on the IP subnet attached to the interface.

V2 Host Timer: Time remaining until the local router assumes that there are no longer any IGMP Version 2 members on the IP subnet attached to the interface.

PIM Group Mapping Tab

Group: IP address of the group mapped to a Rendezvous Point.

RP: IP address of the Rendezvous Point for the group.

Origin: Indicates where the VR learned of the RP.

PIM Mode: ASM or SSM.

Inactive: Indicates that the mapping of the group to the RP is inactive.

PIM Interface Tab

Interface: Name of the interface participating in PIM.

Address: IP address of the interface.

DR: IP address of the Designated Router on the interface.

Hello Interval: Hello interval configured, in seconds.

Join/Prune Interval: Join/Prune interval configured, in seconds.

Assert Interval: Assert interval configured, in seconds.

DR Priority: Priority configured for the Designated Router.

BSR Border: Yes or no.

PIM Neighbor Tab

Interface: Name of the interface in the VR.
Address: IP address of the neighbor.

Secondary Address: Secondary IP address of the neighbor.

Up Time: Length of time the neighbor has been up.

Expiry Time: Length of time remaining before the neighbor expires because the VR is not receiving hello packets from the neighbor.

Generation ID: Value that the VR received from the neighbor in the last PIM hello message received on this interface.

DR Priority: Designated Router priority that the VR received in the last PIM hello message from this neighbor.
BFD Summary Information Tab

BFD summary information includes the following data.

BFD Summary Information Runtime Stats  Description

Interface: Interface that is running BFD.

Protocol: Static route (IP address family of the static route) or dynamic routing protocol that is running BFD on the interface.

Local IP Address: IP address of the interface where you configured BFD.

Neighbor IP Address: IP address of the BFD neighbor.

State: BFD states of the local and remote BFD peers: admin down, down, init, or up.

Uptime: Length of time BFD has been up (hours, minutes, seconds, and milliseconds).

Discriminator (local): Discriminator for the local BFD peer. A discriminator is a unique, nonzero value the peers use to distinguish multiple BFD sessions between them.

Discriminator (remote): Discriminator for the remote BFD peer.

Errors: Number of BFD errors.

Session Details: Click Details to see BFD information for a session such as the IP addresses of the local and remote neighbors, the last received remote diagnostic code, number of transmitted and received control packets, number of errors, information about the last packet causing a state change, and more.
Network > Zones

Security zones are a logical way to group physical and virtual interfaces on the firewall to control and log the traffic that traverses specific interfaces on your network. An interface on the firewall must be assigned to a security zone before the interface can process traffic. A zone can have multiple interfaces of the same type assigned to it (such as tap, Layer 2, or Layer 3 interfaces), but an interface can belong to only one zone.

Policy rules on the firewall use security zones to identify where the traffic comes from and where it is going. Traffic can flow freely within a zone, but traffic cannot flow between different zones until you define a Security policy rule that allows it. To allow or deny interzone traffic, Security policy rules must reference a source zone and destination zone (not interfaces), and the zones must be of the same type; that is, a Security policy rule can allow or deny traffic from one Layer 2 zone only to another Layer 2 zone.

What are you looking for?  See:
- What are the fields available to configure security zones?  Building Blocks of Security Zones
- Looking for more?  Segment Your Network Using Interfaces and Zones

Building Blocks of Security Zones

To define a security zone, click Add and specify the following information.

Security Zone Settings  Description

Name: Enter a zone name (up to 31 characters). This name appears in the list of zones when defining security policies and configuring interfaces. The name is case-sensitive and must be unique within the virtual router. Use only letters, numbers, spaces, hyphens, periods, and underscores.

Location: This field is present only if the firewall supports multiple virtual systems (vsys) and that capability is enabled. Select the vsys to which this zone applies.

Type: Select a zone type (Tap, Virtual Wire, Layer2, Layer3, External, or Tunnel) to view all the Interfaces of that type that have not been assigned to a zone. The Layer2 and Layer3 zone types list all Ethernet interfaces and subinterfaces of that type. Add the interfaces that you want to assign to the zone.
The External zone is used to control traffic between multiple virtual systems on a single firewall. It displays only on firewalls that support multiple virtual systems and only if the Multi Virtual System Capability is enabled. For information on external zones, see Inter-VSYS Traffic That Remains Within the Firewall.
An interface can belong to only one zone in one virtual system.

Interfaces: Add one or more interfaces to this zone.
Zone Protection Profiles: Select a profile that specifies how the firewall responds to attacks from this zone. To create a new profile, see Network > Network Profiles > Zone Protection.

Enable Packet Buffer Protection: If you have configured Packet Buffer Protection, select to apply the packet buffer protection settings, configured under Device > Setup > Session, to this zone (disabled by default). Packet buffer protection is applied to the ingress zone only.

Log Setting: Select a Log Forwarding profile for forwarding zone protection logs to an external system.
If you have a Log Forwarding profile named default, that profile will be automatically selected for this drop-down when defining a new security zone. You can override this default setting at any time by selecting a different Log Forwarding profile when setting up a new security zone. To define or add a new Log Forwarding profile (and to name a profile default so that this drop-down is populated automatically), click New (refer to Objects > Log Forwarding).
If you are configuring the zone in a Panorama template, the Log Setting drop-down lists only shared Log Forwarding profiles; to specify a non-shared profile, you must type its name.

Enable User Identification: If you configured User-ID to perform IP address-to-username mapping (discovery), select to apply the mapping information to traffic in this zone. If you disable this option, firewall logs, reports, and policies will exclude user mapping information for traffic within the zone.
By default, if you select this option, the firewall applies user mapping information to the traffic of all subnetworks in the zone. To limit the information to specific subnetworks within the zone, use the Include List and Exclude List.
Enable User-ID on trusted zones only. If you enable User-ID and client probing on an external untrusted zone (such as the internet), probes could be sent outside your protected network, resulting in an information disclosure of the User-ID agent service account name, domain name, and encrypted password hash, which could allow an attacker to gain unauthorized access to protected resources.
User-ID performs discovery for the zone only if it falls within the network range that User-ID monitors. If the zone is outside that range, the firewall does not apply user mapping information to the zone traffic even if you select Enable User Identification. For details, see Include or Exclude Subnetworks for User Mapping.
User Identification ACL Include List: By default, if you do not specify subnetworks in this list, the firewall applies the user mapping information it discovers to all the traffic of this zone for use in logs, reports, and policies.
To limit the application of user mapping information to specific subnetworks within the zone, for each subnetwork click Add and select an address (or address group) object or type the IP address range (for example, 10.1.1.1/24). The exclusion of all other subnetworks is implicit: you do not need to add them to the Exclude List.
Add entries to the Exclude List only to exclude user mapping information for a subset of the subnetworks in the Include List. For example, if you add 10.0.0.0/8 to the Include List and add 10.2.50.0/22 to the Exclude List, the firewall includes user mapping information for all the zone subnetworks of 10.0.0.0/8 except 10.2.50.0/22, and excludes information for all zone subnetworks outside of 10.0.0.0/8.
You can only include subnetworks that fall within the network range that User-ID monitors. For details, see Include or Exclude Subnetworks for User Mapping.

User Identification ACL Exclude List: To exclude user mapping information for a subset of the subnetworks in the Include List, Add an address (or address group) object or type the IP address range for each subnetwork to exclude.
If you add entries to the Exclude List but not the Include List, the firewall excludes user mapping information for all subnetworks within the zone, not just the subnetworks you added.
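The following is an added example, not PAN-OS code, that encodes the Include List and Exclude List rules above as a decision function so they can be checked against concrete addresses. It covers the two cases that commonly surprise administrators: everything outside the Include List is implicitly excluded, and an Exclude List with no Include List excludes the whole zone. The monitored-range check mirrors the note that only subnetworks inside the range User-ID monitors can be included. All subnets and addresses are constructed.

```python
"""Added example (not PAN-OS code): the User Identification ACL Include/Exclude
decision for traffic in a zone, with the monitored-range caveat. Subnets and
addresses below are constructed."""
import ipaddress


def _in_any(addr, cidrs):
    """True if addr falls inside any of the CIDR strings (host bits tolerated,
    so '10.1.1.1/24' is read as 10.1.1.0/24, like the UI example)."""
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def user_mapping_applies(ip, include=(), exclude=(), monitored=None):
    """Decide whether user mapping information is applied to traffic from `ip`
    in a zone that has Enable User Identification selected."""
    addr = ipaddress.ip_address(ip)
    if monitored is not None and not _in_any(addr, monitored):
        return False      # outside the range User-ID monitors: never mapped
    if exclude and not include:
        return False      # Exclude List without an Include List excludes every subnetwork
    if include and not _in_any(addr, include):
        return False      # implicit exclusion of everything not in the Include List
    if _in_any(addr, exclude):
        return False      # explicit carve-out of a subset of the Include List
    return True


def include_entries_outside_monitored(include, monitored):
    """Include List entries that do not fall within the monitored range; such
    entries never yield mappings and point at a User-ID configuration problem."""
    mon = [ipaddress.ip_network(m, strict=False) for m in monitored]
    bad = []
    for c in include:
        net = ipaddress.ip_network(c, strict=False)
        if not any(net.version == m.version and net.subnet_of(m) for m in mon):
            bad.append(c)
    return bad


if __name__ == "__main__":
    include, exclude = ["10.0.0.0/8"], ["10.2.50.0/22"]
    for ip in ("10.1.1.1", "10.2.51.9", "192.168.1.1"):
        print(ip, user_mapping_applies(ip, include, exclude))
    print("exclude only:", user_mapping_applies("10.1.1.1", [], exclude))
    print("not monitored:", include_entries_outside_monitored(["10.0.0.0/8", "172.16.0.0/12"], ["10.0.0.0/8"]))
```

Running the constructed lists reproduces the documented example: 10.1.1.1 is mapped, 10.2.51.9 (inside 10.2.50.0/22) is not, 192.168.1.1 is not because it is outside the Include List, and an Exclude-only configuration maps nothing at all.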

Network > VLANs

The firewall supports VLANs that conform to the IEEE 802.1Q standard. Each Layer 2 interface defined on the firewall can be associated with a VLAN. The same VLAN can be assigned to multiple Layer 2 interfaces, but each interface can belong to only one VLAN.

VLAN Settings  Description

Name: Enter a VLAN name (up to 31 characters). This name appears in the list of VLANs when configuring interfaces. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

VLAN Interface: Select a Network > Interfaces > VLAN interface to allow traffic to be routed outside the VLAN.

Interfaces: Specify firewall interfaces for the VLAN.

Static MAC Configuration: Specify the interface through which a MAC address is reachable. This will override any learned interface-to-MAC mappings.
Network > IPSec Tunnels

Select Network > IPSec Tunnels to establish and manage IPSec VPN tunnels between firewalls. This is the Phase 2 portion of the IKE/IPSec VPN setup.

What are you looking for?  See:
- Manage IPSec VPN tunnels.  IPSec VPN Tunnel Management
- Configure an IPSec tunnel.  IPSec Tunnel General Tab; IPSec Tunnel Proxy IDs Tab
- View IPSec tunnel status.  IPSec Tunnel Status on the Firewall
- Restart or refresh an IPSec tunnel.  IPSec Tunnel Restart or Refresh
- Looking for more?  Set up an IPSec tunnel.

IPSec VPN Tunnel Management

Network > IPSec Tunnels
The following table describes how to manage your IPSec VPN tunnels.

Fields to Manage IPSec VPN Tunnels

Add: Add a new IPSec VPN tunnel. See IPSec Tunnel General Tab for instructions on configuring the new tunnel.

Delete: Delete a tunnel that you no longer need.

Enable: Enable a tunnel that has been disabled (tunnels are enabled by default).

Disable: Disable a tunnel that you don't want to use but are not yet ready to delete.
IPSec Tunnel General Tab

Network > IPSec Tunnels > General
Use the following fields to set up an IPSec tunnel.

IPSec Tunnel General Settings  Description

Name: Enter a Name to identify the tunnel (up to 63 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
The 63-character limit for this field includes the tunnel name in addition to the Proxy ID, which is separated by a colon character.

Tunnel Interface: Select an existing tunnel interface, or click New Tunnel Interface. For information on creating a tunnel interface, refer to Network > Interfaces > Tunnel.

IPv4 or IPv6: Select IPv4 or IPv6 to configure the tunnel to have endpoints with that type of IP address.

Type: Select whether to use an automatically generated or manually entered security key. Auto Key is recommended.

Auto Key: If you choose Auto Key, specify the following:
- IKE Gateway: Refer to Network > Network Profiles > IKE Gateways for descriptions of the IKE gateway settings.
- IPSec Crypto Profile: Select an existing profile or keep the default profile. To define a new profile, click New and follow the instructions in Network > Network Profiles > IPSec Crypto.
Click Show Advanced Options to access the remaining fields.
- Enable Replay Protection: Select to protect against replay attacks. Leave this enabled unless the peer cannot support it; without it, captured ESP packets can be replayed into the tunnel.
- Copy TOS Header: Copy the Type of Service (TOS) field from the inner IP header to the outer IP header of the encapsulated packets in order to preserve the original TOS information. This also copies the Explicit Congestion Notification (ECN) field.
- Tunnel Monitor: Select to alert the device administrator of tunnel failures and to provide automatic failover to another interface. You need to assign an IP address to the tunnel interface for monitoring.
  - Destination IP: Specify an IP address on the other side of the tunnel that the tunnel monitor will use to determine if the tunnel is working properly.
  - Profile: Select an existing profile that will determine the actions that are taken if the tunnel fails. If the action specified in the monitor profile is wait-recover, the firewall will wait for the tunnel to become functional and will NOT seek an alternate path with the route table. If the fail-over action is used, the firewall will check the route table to see if there is an alternate route that can be used to reach the destination. For more information, see Network > Network Profiles > Monitor.
Manual Key: If you choose Manual Key, specify the following:
- Local SPI: Specify the local security parameter index (SPI) for packet traversal from the local firewall to the peer. The SPI is a hexadecimal index that is added to the header for IPSec tunneling to assist in differentiating between IPSec traffic flows.
- Interface: Select the interface that is the tunnel endpoint.
- Local Address: Select the IP address for the local interface that is the endpoint of the tunnel.
- Remote SPI: Specify the remote security parameter index (SPI) for packet traversal from the peer to the local firewall. The peer's Local SPI is this firewall's Remote SPI, and vice versa.
- Protocol: Choose the protocol for traffic through the tunnel (ESP or AH).
- Authentication: Choose the authentication type for tunnel access (SHA1, SHA256, SHA384, SHA512, MD5, or None).
- Key/Confirm Key: Enter and confirm an authentication key.
- Encryption: Select an encryption option for tunnel traffic (3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, des, or null [no encryption]).
- Key/Confirm Key: Enter and confirm an encryption key.
Manual keys never change unless an administrator changes them, so they provide no forward secrecy and must be rotated by hand; prefer Auto Key, and avoid des, 3des, null encryption, MD5, and None authentication where the peer supports stronger options.

GlobalProtect Satellite: If you choose GlobalProtect Satellite, specify the following:
- Name: Enter a name to identify the tunnel (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
- Tunnel Interface: Select an existing tunnel interface, or click New Tunnel Interface.
- Portal Address: Enter the IP address of the GlobalProtect Portal.
- Interface: Select from the drop-down the interface that is the egress interface to reach the GlobalProtect Portal.
- Local IP Address: Enter the IP address of the egress interface that connects to the GlobalProtect Portal.
Advanced Options
- Publish all static and connected routes to Gateway: Select to publish all routes from the satellite to the GlobalProtect Gateway to which this satellite is connected.
- Subnet: Click Add to manually add local subnets for the satellite location. If other satellites are using the same subnet information, you must NAT all traffic to the tunnel interface IP. Also, the satellite must not share routes in this case, so all routing will be done through the tunnel IP.
- External Certificate Authority: Select if you will use an external CA to manage certificates. Once you have your certificates generated, you will need to import them into the satellite and select the Local Certificate and the Certificate Profile.
IPSec Tunnel Proxy IDs Tab

Network > IPSec Tunnels > Proxy IDs
The IPSec Tunnel Proxy IDs tab is separated into two tabs: IPv4 and IPv6. The help is similar for both types; the differences between IPv4 and IPv6 are described in the Local and Remote fields in the following table.
The IPSec Tunnel Proxy IDs tab is also used for specifying traffic selectors for IKEv2.

Proxy IDs IPv4 and IPv6 Settings  Description

Proxy ID: Click Add and enter a name to identify the proxy.
For an IKEv2 traffic selector, this field is used as the Name.

Local: For IPv4: Enter an IP address or subnet in the format x.x.x.x/mask (for example, 10.1.2.0/24).
For IPv6: Enter an IP address and prefix length in the format xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/prefix-length (or per IPv6 convention, for example, 2001:DB8:0::/48).
IPv6 addressing does not require that all zeros be written; leading zeros can be omitted and one grouping of consecutive zeros can be replaced by two adjacent colons (::).
For an IKEv2 traffic selector, this field is converted to Source IP Address.

Remote: If required by the peer:
For IPv4, enter an IP address or subnet in the format x.x.x.x/mask (for example, 10.1.1.0/24).
For IPv6, enter an IP address and prefix length in the format xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/prefix-length (or per IPv6 convention, for example, 2001:DB8:55::/48).
For an IKEv2 traffic selector, this field is converted to Destination IP Address.
The Local and Remote values must be the mirror image of the peer's configuration (your Local is the peer's Remote and vice versa); with IKEv1 a mismatch is one of the most common reasons Phase 2 fails to come up.

Protocol: Specify the protocol and port numbers for the local and remote ports:
- Number: Specify the protocol number (used for interoperability with third-party devices).
- Any: Allow TCP and/or UDP traffic.
- TCP: Specify the local and remote TCP port numbers.
- UDP: Specify the local and remote UDP port numbers.
Each configured proxy ID will count towards the IPSec VPN tunnel capacity of the firewall.
This field is also used as an IKEv2 traffic selector.
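The following is an added example and not PAN-OS code: it checks a tunnel's Proxy IDs against the peer's before Phase 2 is attempted and tests which Proxy ID (IKEv2 traffic selector) a given packet falls under. With IKEv1 the two sides' IDs must be exact mirror images; IKEv2 peers may narrow selectors during negotiation, so the mirror check here is stricter than IKEv2 requires. All Proxy IDs and packets below are constructed.

```python
"""Added example (not PAN-OS code): mirror-checking Proxy IDs against a peer's
and matching packets to Proxy IDs. All data below is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyID:
    name: str
    local: str              # x.x.x.x/mask or IPv6 prefix, as in the Local field
    remote: str             # as in the Remote field
    protocol: str = "any"   # "any", "tcp", "udp" or a protocol number as a string
    local_port: int = 0     # 0 = any port
    remote_port: int = 0


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def mirrors(ours, theirs):
    """True if the peer's Proxy ID is the mirror image of ours."""
    return (_net(ours.local) == _net(theirs.remote)
            and _net(ours.remote) == _net(theirs.local)
            and ours.protocol.lower() == theirs.protocol.lower()
            and ours.local_port == theirs.remote_port
            and ours.remote_port == theirs.local_port)


def find_mismatches(our_ids, peer_ids):
    """Names of Proxy IDs on each side that have no mirror on the other side."""
    ours_unmatched = [p.name for p in our_ids if not any(mirrors(p, q) for q in peer_ids)]
    theirs_unmatched = [q.name for q in peer_ids if not any(mirrors(p, q) for p in our_ids)]
    return ours_unmatched, theirs_unmatched


def matches_packet(pid, src_ip, dst_ip, protocol="any", sport=0, dport=0):
    """Does a packet leaving our side (src in Local, dst in Remote) fall under pid?"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    local, remote = _net(pid.local), _net(pid.remote)
    if src.version != local.version or dst.version != remote.version:
        return False
    if src not in local or dst not in remote:
        return False
    if pid.protocol != "any" and pid.protocol.lower() != protocol.lower():
        return False
    if pid.local_port and pid.local_port != sport:
        return False
    if pid.remote_port and pid.remote_port != dport:
        return False
    return True


def select_proxy_id(proxy_ids, *packet):
    """First Proxy ID (in configured order) the packet falls under, else None."""
    return next((p for p in proxy_ids if matches_packet(p, *packet)), None)


if __name__ == "__main__":
    ours = [ProxyID("lan-to-branch", "10.1.2.0/24", "10.1.1.0/24"),
            ProxyID("v6", "2001:DB8:0::/48", "2001:DB8:55::/48"),
            ProxyID("https-only", "10.1.3.0/24", "10.1.1.0/24", "tcp", 0, 443)]
    peer = [ProxyID("branch-to-lan", "10.1.1.0/24", "10.1.2.0/24"),
            ProxyID("v6", "2001:DB8:55::/48", "2001:DB8:0::/48"),
            ProxyID("https", "10.1.1.0/24", "10.1.3.0/25", "tcp", 443, 0)]   # /25 vs /24: mismatch
    print("unmatched:", find_mismatches(ours, peer))
    print("selector for 10.1.3.7 -> 10.1.1.9 tcp/443:", select_proxy_id(ours, "10.1.3.7", "10.1.1.9", "tcp", 51515, 443))
```

Traffic that matches no Proxy ID is not sent through the tunnel at all, and a Proxy ID with no mirror on the peer produces a Phase 2 SA that never establishes; running both checks against the peer's exported configuration before a change window saves most of the usual troubleshooting.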

IPSec Tunnel Status on the Firewall

Network > IPSec Tunnels
To view the status of currently defined IPSec VPN tunnels, open the IPSec Tunnels page. The following status information is reported on the page:
- Tunnel Status (first status column): Green indicates an established IPSec phase 2 security association (SA) for the tunnel. Red indicates that the IPSec phase 2 SA is not available or has expired.
- IKE Gateway Status: Green indicates a valid IKE phase 1 SA or IKEv2 IKE SA. Red indicates that the IKE phase 1 SA is not available or has expired.
- Tunnel Interface Status: Green indicates that the tunnel interface is up (because tunnel monitor is disabled or because tunnel monitor status is UP and the monitoring IP address is reachable). Red indicates that the tunnel interface is down because the tunnel monitor is enabled and the remote tunnel monitoring IP address is unreachable.

IPSec Tunnel Restart or Refresh

Network > IPSec Tunnels
Select Network > IPSec Tunnels to display the status of tunnels. In the first Status column is a link to the Tunnel Info. Click the tunnel you want to restart or refresh to open the Tunnel Info page for that tunnel. Click one of the entries in the list and then click:
- Restart: Restart the selected tunnel. A restart disrupts traffic going across the tunnel.
- Refresh: Show the current IPSec SA status.
Network > DHCP

Dynamic Host Configuration Protocol (DHCP) is a standardized protocol that provides TCP/IP and link-layer configuration parameters and network addresses to dynamically configured hosts on a TCP/IP network. An interface on a Palo Alto Networks firewall can act as a DHCP server, client, or relay agent. Assigning these roles to different interfaces allows the firewall to perform multiple roles.

What are you looking for?  See:
- What is DHCP?  DHCP Overview
- How does a DHCP server allocate addresses?  DHCP Addressing
- Configure an interface on the firewall to act as a:  DHCP Server; DHCP Relay
- Network > DNS Proxy
- Looking for more?  DHCP

DHCP Overview

Network > DHCP
DHCP uses a client-server model of communication. This model consists of three roles that the firewall can fulfill: DHCP client, DHCP server, and DHCP relay agent.
- A firewall acting as a DHCP client (host) can request an IP address and other configuration settings from a DHCP server. Users on client firewalls save configuration time and effort, and need not know the addressing plan of the network or other network resources and options inherited from the DHCP server.
- A firewall acting as a DHCP server can service clients. By using one of the DHCP addressing mechanisms, the administrator saves configuration time and has the benefit of reusing a limited number of IP addresses when clients no longer need network connectivity. The server can also deliver IP addressing and DHCP options to multiple clients.
- A firewall acting as a DHCP relay agent listens for broadcast and unicast DHCP messages and relays them between DHCP clients and servers.
DHCP uses User Datagram Protocol (UDP), RFC 768, as its transport protocol. DHCP messages that a client sends to a server are sent to well-known port 67 (UDP Bootstrap Protocol and DHCP). DHCP messages that a server sends to a client are sent to port 68.
DHCP Addressing

There are three ways that a DHCP server either assigns or sends an IP address to a client:
- Automatic allocation: The DHCP server assigns a permanent IP address to a client from its IP Pools. On the firewall, a Lease specified as Unlimited means the allocation is permanent.
- Dynamic allocation: The DHCP server assigns a reusable IP address from IP Pools of addresses to a client for a maximum period of time, known as a lease. This method of address allocation is useful when the customer has a limited number of IP addresses; they can be assigned to clients who need only temporary access to the network.
- Static allocation: The network administrator chooses the IP address to assign to the client and the DHCP server sends it to the client. A static DHCP allocation is permanent; it is done by configuring a DHCP server and choosing a Reserved Address to correspond to the MAC Address of the client firewall. The DHCP assignment remains in place even if the client disconnects (logs off, reboots, has a power outage, etc.).
Static allocation of an IP address is useful, for example, if you have a printer on a LAN and you do not want its IP address to keep changing, because it is associated with a printer name through DNS. Another example is if a client firewall is used for something crucial and must keep the same IP address, even if the firewall is turned off, unplugged, rebooted, or a power outage occurs.
Keep the following points in mind when configuring a Reserved Address:
- It is an address from the IP Pools. You can configure multiple reserved addresses.
- If you configure no Reserved Address, the clients of the server will receive new DHCP assignments from the pool when their leases expire or if they reboot, etc. (unless you specified that a Lease is Unlimited).
- If you allocate every address in the IP Pools as a Reserved Address, there are no dynamic addresses free to assign to the next DHCP client requesting an address.
- You may configure a Reserved Address without configuring a MAC Address. In this case, the DHCP server will not assign the Reserved Address to any firewall. You might reserve a few addresses from the pool and statically assign them to a fax and printer, for example, without using DHCP.

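As an added illustration (not PAN-OS code) of the three allocation mechanisms and the Reserved Address rules above, together with the Ping IP when allocating new IP probe from the DHCP Server table, the following stand-alone model hands out addresses from a constructed pool. The class name, the MAC addresses and the probe callback are assumptions made for the example.

```python
# Added model of DHCP address allocation on the firewall (not PAN-OS code).
# Reserved addresses, the pool, MACs and the ping probe are constructed inputs.
import ipaddress


class DhcpPoolModel:
    """Allocates addresses the way the DHCP Addressing notes describe."""

    def __init__(self, pool_cidr, lease_seconds=None, reserved=None, probe=None):
        # lease_seconds=None models a Lease of Unlimited (permanent binding).
        self.pool = [str(ip) for ip in ipaddress.ip_network(pool_cidr).hosts()]
        self.lease_seconds = lease_seconds
        # reserved: {ip: mac or None}. A reservation with no MAC is never handed out.
        self.reserved = dict(reserved or {})
        # probe(ip) -> True models "Ping IP when allocating new IP" getting a reply,
        # i.e. some other host already uses the address, so it is skipped.
        self.probe = probe
        self.bindings = {}  # mac -> (ip, expiry timestamp or None for Unlimited)

    def _in_use(self, now):
        return {ip for ip, exp in self.bindings.values() if exp is None or exp > now}

    def allocate(self, mac, now=0):
        """Return the address assigned to `mac`, or None if the pool is exhausted."""
        # Static allocation: a Reserved Address tied to this MAC always wins.
        for ip, reserved_mac in self.reserved.items():
            if reserved_mac is not None and reserved_mac.lower() == mac.lower():
                self.bindings[mac] = (ip, None)
                return ip
        # An unexpired (or Unlimited) binding is simply renewed.
        if mac in self.bindings:
            ip, expiry = self.bindings[mac]
            if expiry is None or expiry > now:
                return ip
        in_use = self._in_use(now)
        for ip in self.pool:
            if ip in self.reserved or ip in in_use:
                continue  # reserved (with or without MAC) or leased to someone else
            if self.probe is not None and self.probe(ip):
                continue  # ping answered: address taken, try the next one
            expiry = None if self.lease_seconds is None else now + self.lease_seconds
            self.bindings[mac] = (ip, expiry)
            return ip
        return None  # every address is reserved or currently leased
```

When every pool address is a Reserved Address, `allocate` returns `None`, which is the exhaustion case the notes warn about.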
DHCP Server

Network > DHCP > DHCP Server

The following section describes each component of the DHCP server. Before you configure a DHCP server,
you should already have configured a Layer 3 Ethernet or Layer 3 VLAN interface that is assigned to a virtual
router and a zone. You should also know a valid pool of IP addresses from your network plan that can be
designated to be assigned by your DHCP server to clients.

When you add a DHCP server, you configure the settings described in the table below.

DHCP Server Settings (Configured In): Description

Interface (DHCP Server)
  Name of the interface that will serve as the DHCP server.

Mode (DHCP Server)
  Select enabled or auto mode. Auto mode enables the server and disables it if another DHCP server is
  detected on the network. The disabled setting disables the server.


Ping IP when allocating new IP (DHCP Server > Lease)
  If you click Ping IP when allocating new IP, the server will ping the IP address before it assigns that
  address to its client. If the ping receives a response, that means a different firewall already has that
  address, so it is not available for assignment. The server assigns the next address from the pool instead.
  If you select this option, the Probe IP column in the display will have a check mark.

Lease (DHCP Server > Lease)
  Specify a lease type.
  - Unlimited causes the server to dynamically choose IP addresses from the IP Pools and assign them
    permanently to clients.
  - Timeout determines how long the lease will last. Enter the number of Days and Hours, and optionally,
    the number of Minutes.

IP Pools (DHCP Server > Lease)
  Specify the stateful pool of IP addresses from which the DHCP server chooses an address and assigns it
  to a DHCP client. You can enter a single address, an address/<mask length>, such as 192.168.1.0/24, or a
  range of addresses, such as 192.168.1.10-192.168.1.20.

Reserved Address (DHCP Server > Lease)
  Optionally specify an IP address (format x.x.x.x) from the IP pools that you do not want dynamically
  assigned by the DHCP server.
  If you also specify a MAC Address (format xx:xx:xx:xx:xx:xx), the Reserved Address is assigned to the
  firewall associated with that MAC address when that firewall requests an IP address through DHCP.

Inheritance Source (DHCP Server > Options)
  Select None (default) or select a source DHCP client interface or PPPoE client interface to propagate
  various server settings to the DHCP server. If you specify an Inheritance Source, select one or more
  options below that you want inherited from this source.
  One benefit of specifying an inheritance source is that DHCP options are quickly transferred from the
  server that is upstream of the source DHCP client. It also keeps the client's options updated if an option
  on the inheritance source is changed. For example, if the inheritance source firewall replaces its NTP
  server (which had been identified as the Primary NTP server), the client will automatically inherit the
  new address as its Primary NTP server.

Check inheritance source status (DHCP Server > Options)
  If you selected an Inheritance Source, click Check inheritance source status to open the Dynamic IP
  Interface Status window, which displays the options that are inherited from the DHCP client.


Gateway (DHCP Server > Options)
  Specify the IP address of the network gateway (an interface on the firewall) that is used to reach any
  device not on the same LAN as this DHCP server.

Subnet Mask (DHCP Server > Options)
  Specify the network mask that applies to the addresses in the IP Pools.

Options (DHCP Server > Options)
  For the following fields, click the drop-down and select None or inherited, or enter the IP address of the
  remote server that your DHCP server will send to clients for accessing that service. If you select
  inherited, the DHCP server inherits the values from the source DHCP client specified as the Inheritance
  Source.
  The DHCP server sends these settings to its clients.
  - Primary DNS, Secondary DNS: IP address of the preferred and alternate Domain Name System (DNS)
    servers.
  - Primary WINS, Secondary WINS: IP address of the preferred and alternate Windows Internet Name
    Service (WINS) servers.
  - Primary NIS, Secondary NIS: IP address of the preferred and alternate Network Information Service
    (NIS) servers.
  - Primary NTP, Secondary NTP: IP address of the available Network Time Protocol (NTP) servers.
  - POP3 Server: IP address of a Post Office Protocol version 3 (POP3) server.
  - SMTP Server: IP address of a Simple Mail Transfer Protocol (SMTP) server.
  - DNS Suffix: Suffix for the client to use locally when an unqualified hostname is entered that the client
    cannot resolve.

Custom DHCP options (DHCP Server > Options)
  Click Add and enter the Name of the custom option you want the DHCP Server to send to clients.
  Enter an Option Code (range is 1-254).
  If Option Code 43 is entered, the Vendor Class Identifier (VCI) field appears. Enter a match criterion
  that will be compared to the incoming VCI from the client's Option 60. The firewall looks at the incoming
  VCI from the client's Option 60, finds the matching VCI in its own DHCP server table, and returns the
  corresponding value to the client in Option 43. The VCI match criterion is a string or hex value. A hex
  value must have a 0x prefix.
  Select Inherited from DHCP server inheritance source to have the server inherit the value for that option
  code from the inheritance source instead of you entering an Option Value.
  As an alternative to this option, you can proceed with the following:
  - Option Type: Select IP Address, ASCII, or Hexadecimal to specify the type of data used for the Option
    Value.
  - For Option Value, click Add and enter the value for the custom option.

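As an added example (not PAN-OS code) of the Option 60 to Option 43 matching described above, the following parses the options field of a constructed DHCP client message, compares the client's VCI against a constructed server table of string and 0x-prefixed hex criteria, and builds the Option 43 reply. The function names and the sample VCI values are assumptions for the example; the parser rejects truncated option lengths rather than reading past the message.

```python
# Added illustration of VCI (Option 60) matching and the Option 43 reply.
# Not PAN-OS code; the table entries and client bytes below are constructed.
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 options-field magic cookie


def parse_options(options_area):
    """Parse the DHCP options field (type, length, value) into {code: bytes}."""
    if not options_area.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(MAGIC_COOKIE)
    while i < len(options_area):
        code = options_area[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(options_area):
            raise ValueError("truncated option header")
        length = options_area[i + 1]
        value = options_area[i + 2:i + 2 + length]
        if len(value) != length:  # length byte claims more bytes than present
            raise ValueError("option %d truncated" % code)
        opts[code] = value
        i += 2 + length
    return opts


def criterion_matches(criterion, vci):
    """A VCI match criterion is a plain string or a hex value with a 0x prefix."""
    if criterion.startswith("0x"):
        return bytes.fromhex(criterion[2:]) == vci
    return criterion.encode() == vci


def build_option43(client_options, vci_table):
    """Return the Option 43 TLV for the first table entry whose VCI matches, else None."""
    vci = client_options.get(60)
    if vci is None:
        return None               # client sent no Option 60, nothing to match
    for criterion, value in vci_table:
        if criterion_matches(criterion, vci):
            return bytes([43, len(value)]) + value
    return None
```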

DHCP Relay

Network > DHCP > DHCP Relay

Before configuring a firewall interface as a DHCP relay agent, make sure you have configured a Layer 3
Ethernet or Layer 3 VLAN interface and that you assigned the interface to a virtual router and a zone. You
want that interface to be able to pass DHCP messages between clients and servers. Each interface can
forward messages to a maximum of eight external IPv4 DHCP servers and eight external IPv6 DHCP servers.
A client sends a DHCPDISCOVER message to all configured servers, and the firewall relays the DHCPOFFER
message of the first server that responds back to the requesting client.

DHCP Relay Settings: Description

Interface
  Name of the interface that will be the DHCP relay agent.

IPv4/IPv6
  Select the type of DHCP server and IP address you will specify.

DHCP Server IP Address
  Enter the IP address of the DHCP server to and from which you will relay DHCP messages.

Interface
  If you selected IPv6 as the IP address protocol for the DHCP server and specified a multicast address,
  you must also specify an outgoing interface.

DHCP Client

Network > Interfaces > Ethernet > IPv4
Network > Interfaces > VLAN > IPv4

Before configuring a firewall interface as a DHCP client, make sure you have configured a Layer 3 Ethernet
or Layer 3 VLAN interface and that you assigned the interface to a virtual router and a zone. Perform this
task if you need to use DHCP to request an IPv4 address for an interface on your firewall.

DHCP Client Settings: Description

Type
  Select DHCP Client and then Enable to configure the interface as a DHCP client.

Automatically create default route pointing to default gateway provided by server
  Causes the firewall to create a static route to a default gateway that will be useful when clients are
  trying to access many destinations that do not need to have routes maintained in a routing table on the
  firewall.

Default Route Metric
  Optionally, enter a Default Route Metric (priority level) for the route between the firewall and the DHCP
  server. A route with a lower number has higher priority during route selection. For example, a route with
  a metric of 10 is used before a route with a metric of 100 (range is 1-65535; no default).

Show DHCP Client Runtime Info
  Displays all settings received from the DHCP server, including DHCP lease status, dynamic IP assignment,
  subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).


Network > DNS Proxy

DNS servers perform the service of resolving a domain name with an IP address and vice versa. When you
configure the firewall as a DNS proxy, it acts as an intermediary between clients and servers and as a DNS
server by resolving queries from its DNS cache or forwarding queries to other DNS servers. Use this page to
configure the settings that determine how the firewall serves as a DNS proxy.

What do you want to know?                                  See:

How does the firewall proxy DNS requests?                  DNS Proxy Overview
How do I configure a DNS proxy?                            DNS Proxy Settings
How do I configure static FQDN-to-IP address mappings?
How can I manage DNS proxies?                              Additional DNS Proxy Actions
Looking for more?                                          DNS

DNS Proxy Overview

You can configure the firewall to act as a DNS server. First, create a DNS proxy and select the interfaces to
which the proxy applies. Then specify the default DNS primary and secondary servers to which the firewall
sends the DNS queries when it doesn't find the domain name in its DNS proxy cache (and when the domain
name doesn't match a proxy rule).

To direct DNS queries to different DNS servers based on domain names, create DNS proxy rules. Specifying
multiple DNS servers can ensure localization of DNS queries and increase efficiency. For example, you can
forward all corporate DNS queries to a corporate DNS server and forward all other queries to ISP DNS
servers.

Use the following tabs to define a DNS proxy (beyond the default DNS primary and secondary servers):

- Static Entries: Allows you to configure static FQDN-to-IP address mappings that the firewall caches and
  sends to hosts in response to DNS queries.
- DNS Proxy Rules: Allows you to specify domain names and corresponding primary and secondary DNS
  servers to resolve queries that match the rule. If the domain name isn't in the DNS proxy cache, the
  firewall searches for a match in the DNS proxy (on the interface on which the query arrived), and forwards
  the query to a DNS server based on the match results. If no match results, the firewall sends the query
  to the default DNS primary and secondary servers. You can enable caching of domains that match the
  rule.
- Advanced: Allows you to enable caching and control TCP queries and UDP Query Retries. The firewall
  sends TCP or UDP DNS queries through the configured interface. UDP queries switch over to TCP when
  a DNS query response is too long for a single UDP packet.


DNS Proxy Settings

Click Add and configure the firewall to act as a DNS proxy. You can configure a maximum of 256 DNS proxies
on a firewall.

DNS Proxy Settings (Configured In): Description

Enable (DNS Proxy)
  Select to enable this DNS proxy.

Name (DNS Proxy)
  Specify a name to identify the DNS proxy object (up to 31 characters). The name is case-sensitive and
  must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location (DNS Proxy)
  Specify the virtual system to which the DNS proxy object applies:
  - Shared: Proxy applies to all virtual systems. If you choose Shared, the Server Profile field is not
    available. Instead, enter the Primary and Secondary DNS server IP addresses or address objects.
  - Select a virtual system to use this DNS proxy; you must configure a virtual system first. Select
    Device > Virtual Systems, select a virtual system, and select a DNS Proxy.

Inheritance Source (Shared location only) (DNS Proxy)
  Select a source from which to inherit default DNS server settings. This is commonly used in branch office
  deployments where the firewall's WAN interface is addressed by DHCP or PPPoE.

Check inheritance source status (Shared location only) (DNS Proxy)
  Select to see the server settings that are currently assigned to the DHCP client and PPPoE client
  interfaces. These may include DNS, WINS, NTP, POP3, SMTP, or DNS suffix.

Primary/Secondary (Shared location only) (DNS Proxy)
  Specify the IP addresses of the default primary and secondary DNS servers to which this firewall (as DNS
  proxy) sends DNS queries. If the primary DNS server cannot be found, the firewall uses the secondary DNS
  server.

Server Profile (Virtual System location only) (DNS Proxy)
  Select or create a new DNS server profile. This field does not appear if the Location of virtual systems
  was specified as Shared.

Interface (DNS Proxy)
  Add an interface to function as a DNS proxy. You can add multiple interfaces. To remove the DNS proxy
  from an interface, select and Delete it.
  An interface is not required if the DNS Proxy is used only for service route functionality. Use a
  destination service route with a DNS proxy with no interface if you want the destination service route to
  set the source IP address. Otherwise, the DNS proxy selects an interface IP address to use as a source
  (when no DNS service routes are set).


Name (DNS Proxy > DNS Proxy Rules)
  A name is required so that an entry can be referenced and modified via the CLI.

Turn on caching of domains resolved by this mapping (DNS Proxy > DNS Proxy Rules)
  Select to enable caching of domains that are resolved by this mapping.

Domain Name (DNS Proxy > DNS Proxy Rules)
  Add one or more domain names to which the firewall compares incoming FQDNs. If the FQDN matches one
  of the domains in the rule, the firewall forwards the query to the Primary/Secondary DNS server specified
  for this proxy. To delete a domain name from the rule, select it and click Delete.

DNS Server Profile (Shared location only) (DNS Proxy > DNS Proxy Rules)
  Select or add a DNS server profile to define DNS settings for the virtual system, including the primary
  and secondary DNS server to which the firewall sends domain name queries.

Primary/Secondary (Virtual System location only) (DNS Proxy > DNS Proxy Rules)
  Enter the hostname or IP address of the primary and secondary DNS servers to which the firewall sends
  matching domain name queries.

Name (DNS Proxy > Static Entries)
  Enter a name for the static entry.

FQDN (DNS Proxy > Static Entries)
  Enter the Fully Qualified Domain Name (FQDN) to map to the static IP addresses defined in the Address
  field.

Address (DNS Proxy > Static Entries)
  Add one or more IP addresses that map to this domain. The firewall includes all of these addresses in its
  DNS response, and the client chooses which IP address to use. To delete an address, select the address
  and click Delete.

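As an added model (not PAN-OS code) of the resolution order described in the DNS Proxy Overview and the Static Entries and DNS Proxy Rules settings above, the following answers a query from static entries first, then from cached rule results, then from the first matching proxy rule, and otherwise forwards to the default servers; rule-level caching and the Advanced tab's TTL are modelled as well. Matching a rule's domain as an exact name or a parent domain on a label boundary is an assumption about the rule semantics, and the domains, servers and rule names are constructed.

```python
# Added model of the firewall's DNS proxy lookup order (not PAN-OS code).
# Static entries, rules, servers and the TTL below are constructed inputs.


class DnsProxyModel:
    """Static Entries, then cache, then DNS Proxy Rules, then the default servers."""

    def __init__(self, default_servers, static_entries, rules, ttl=None):
        self.default_servers = default_servers      # (primary, secondary)
        # Static Entries: FQDN -> list of addresses returned directly to the client.
        self.static_entries = {k.rstrip(".").lower(): list(v)
                               for k, v in static_entries.items()}
        # Rules: (name, [domain names], caching enabled, (primary, secondary)).
        self.rules = rules
        self.ttl = ttl                              # Time to Live (sec), None = no TTL
        self.cache = {}                             # fqdn -> (rule name, servers, cached_at)

    @staticmethod
    def domain_matches(fqdn, domain):
        # Assumption: a rule domain matches itself and any name beneath it.
        domain = domain.rstrip(".").lower()
        return fqdn == domain or fqdn.endswith("." + domain)

    def lookup(self, fqdn, now=0):
        """Return where the answer comes from and which servers/addresses are used."""
        name = fqdn.rstrip(".").lower()
        if name in self.static_entries:             # answered from Static Entries
            return ("static", self.static_entries[name])
        hit = self.cache.get(name)
        if hit is not None:
            rule_name, servers, cached_at = hit
            if self.ttl is None or now - cached_at < self.ttl:
                return ("cache", rule_name, servers)
            del self.cache[name]                    # TTL elapsed, resolve again
        for rule_name, domains, cache_enabled, servers in self.rules:
            if any(self.domain_matches(name, d) for d in domains):
                if cache_enabled:                   # "Turn on caching ... by this mapping"
                    self.cache[name] = (rule_name, servers, now)
                return ("rule", rule_name, servers)
        return ("default", self.default_servers)    # no rule matched
```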

TCP Queries (DNS Proxy > Advanced)
  Select to enable DNS queries using TCP. Specify the maximum number of concurrent pending TCP DNS
  requests (Max Pending Requests) that the firewall will support (range is 64-256; default is 64).

UDP Queries Retries (DNS Proxy > Advanced)
  Specify settings for UDP query retries:
  - Interval: Time, in seconds, after which the DNS proxy sends another request if it hasn't received a
    response (range is 1-30; default is 2).
  - Attempts: Maximum number of attempts (excluding the first attempt) after which the DNS proxy tries
    the next DNS server (range is 1-30; default is 5).

Cache (DNS Proxy > Advanced)
  Select to enable the firewall to cache DNS entries (enabled by default) and specify the following:
  - Enable TTL: Limit the length of time the firewall caches DNS entries for the proxy object. TTL is
    disabled by default. Then enter Time to Live (sec), the number of seconds after which all cached
    entries for the proxy object are removed and new DNS requests must be resolved and cached again.
    Range is 60-86,400. There is no default TTL; entries remain until the firewall runs out of cache
    memory.
  - Cache EDNS Responses: Select Cache Extension Mechanisms