Professional Documents
Culture Documents
PAN‐OS®
Administrator’s
Guide
Version 7.1
Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact‐us
About this Guide
This guide takes you through the configuration and maintenance of your Palo Alto Networks next‐generation
firewall. For additional information, refer to the following resources:
For information on how to configure other components in the Palo Alto Networks Next‐Generation Security
Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or
search the documentation.
For access to the knowledge base and community forums, refer to https://live.paloaltonetworks.com.
For contacting support, for information on support programs, to manage your account or devices, or to open a
support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
For the most current PAN‐OS and Panorama 7.1 release notes, go to
https://www.paloaltonetworks.com/documentation/71/pan‐os/pan‐os‐release‐notes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found
at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their
respective companies.
Revision Date: October 21, 2016
2 • PAN‐OS 7.1 Administrator’s Guide © Palo Alto Networks, Inc.
Getting Started
The following topics provide detailed steps to help you deploy a new Palo Alto Networks next‐generation
firewall. They provide details for integrating a new firewall into your network, registering the firewall,
activating licenses and subscriptions, and configuring basic security policies and threat prevention features.
After you perform the basic configuration steps required to integrate the firewall into your network, you can
use the rest of the topics in this guide to help you deploy the comprehensive security platform features as
necessary to address your network security needs.
Integrate the Firewall into Your Management Network
Register the Firewall
Activate Licenses and Subscriptions
Install Content and Software Updates
Segment Your Network Using Interfaces and Zones
Set Up a Basic Security Policy
Assess Network Traffic
Enable Basic Threat Prevention Features
Best Practices for Completing the Firewall Deployment
Integrate the Firewall into Your Management Network
All Palo Alto Networks firewalls provide an out‐of‐band management port (MGT) that you can use to
perform the firewall administration functions. By using the MGT port, you separate the management
functions of the firewall from the data processing functions, safeguarding access to the firewall and
enhancing performance. When using the web interface, you must perform all initial configuration tasks from
the MGT port even if you plan to use an in‐band data port for managing your firewall going forward.
Some management tasks, such as retrieving licenses and updating the threat and application signatures on
the firewall require access to the Internet. If you do not want to enable external access to your MGT port,
you will need to either set up an in‐band data port to provide access to required external services (using
service routes) or plan to manually upload updates regularly.
The following topics describe how to perform the initial configuration steps that are necessary to integrate
a new firewall into the management network and deploy it in a basic security configuration.
Determine Your Management Strategy
Perform Initial Configuration
Set Up Network Access for External Services
The following topics describe how to integrate a single Palo Alto Networks next‐generation
firewall into your network. However, for redundancy, consider deploying a pair of firewalls in a
High Availability configuration.
Determine Your Management Strategy
The Palo Alto Networks firewall can be configured and managed locally or it can be managed centrally using
Panorama, the Palo Alto Networks centralized security management system. If you have six or more firewalls
deployed in your network, use Panorama to achieve the following benefits:
Reduce the complexity and administrative overhead in managing configuration, policies, software and
dynamic content updates. Using device groups and templates on Panorama, you can effectively manage
firewall‐specific configuration locally on a firewall and enforce shared policies across all firewalls or
device groups.
Aggregate data from all managed firewalls and gain visibility across all the traffic on your network. The
Application Command Center (ACC) on Panorama provides a single glass pane for unified reporting
across all the firewalls, allowing you to centrally analyze, investigate and report on network traffic,
security incidents and administrative modifications.
The procedures that follow describe how to manage the firewall using the local web interface. If you want
to use Panorama for centralized management, first Perform Initial Configuration and verify that the firewall
can establish a connection to Panorama. From that point on you can use Panorama to configure your firewall
centrally.
Perform Initial Configuration
By default, the firewall has an IP address of 192.168.1.1 and a username/password of admin/admin. For
security reasons, you must change these settings before continuing with other firewall configuration tasks.
You must perform these initial configuration tasks either from the MGT interface, even if you do not plan to
use this interface for your firewall management, or using a direct serial connection to the console port on
the firewall.
Set Up Network Access to the Firewall
Set Up Network Access to the Firewall (Continued)
Set Up Network Access to the Firewall (Continued)
Set Up Network Access to the Firewall (Continued)
2. Use the following CLI command to retrieve information on the
support entitlement for the firewall from the Palo Alto
Networks update server:
request support check
If you have connectivity, the update server will respond with
the support status for your firewall. Because your firewall is
not registered, the update server will return the following
message:
Contact Us
https://www.paloaltonetworks.com/company/contact-u
s.html
Support Home
https://www.paloaltonetworks.com/support/tabs/over
view.html
Device not found on this update server
Set Up Network Access for External Services
By default, the firewall uses the MGT interface to access remote services, such as DNS servers, content
updates, and license retrieval. If you do not want to enable external network access to your management
network, you must set up an in‐band data port to provide access to required external services and set up
service routes to instruct the firewall what port to use to access the external services.
This task requires familiarity with firewall interfaces, zones, and policies. For more information on
these topics, see Configure Interfaces and Zones and Set Up a Basic Security Policy.
Set Up a Data Port for Access to External Services
Set Up a Data Port for Access to External Services (Continued)
Set Up a Data Port for Access to External Services (Continued)
Set Up a Data Port for Access to External Services (Continued)
Set Up a Data Port for Access to External Services (Continued)
2. Use the following CLI command to retrieve information on the
support entitlement for the firewall from the Palo Alto
Networks update server:
request support check
If you have connectivity, the update server will respond with
the support status for your firewall. Because your firewall is
not registered, the update server will return the following
message:
Contact Us
https://www.paloaltonetworks.com/company/contact-u
s.html
Support Home
https://www.paloaltonetworks.com/support/tabs/over
view.html
Device not found on this update server
Register the Firewall
Before you can activate support and other licenses and subscriptions, you must first register the firewall.
If you are registering a VM‐Series firewall, refer to the VM‐Series Deployment Guide.
Register the Firewall
Activate Licenses and Subscriptions
Before you can start using your firewall to secure the traffic on your network, you must activate the licenses
for each of the services you purchased. Available licenses and subscriptions include the following:
Threat Prevention—Provides antivirus, anti‐spyware, and vulnerability protection.
Decryption Mirroring—Provides the ability to create a copy of decrypted traffic from a firewall and send
it to a traffic collection tool that is capable of receiving raw packet captures—such as NetWitness or
Solera—for archiving and analysis.
URL Filtering—Allows you create security policy to enforce web access based on dynamic URL
categories. You must purchase and install a subscription for one of the supported URL filtering databases:
PAN‐DB or BrightCloud. With PAN‐DB, you can set up access to the PAN‐DB public cloud or to the
PAN‐DB private cloud. For more information about URL filtering, see Control Access to Web Content.
Virtual Systems—This license is required to enable support for multiple virtual systems on PA‐2000 and
PA‐3000 Series firewalls. In addition, you must purchase a Virtual Systems license if you want to increase
the number of virtual systems beyond the base number provided by default on PA‐4000 Series, PA‐5000
Series, and PA‐7000 Series firewalls (the base number varies by platform). The PA‐500, PA‐200, and
VM‐Series firewalls do not support virtual systems.
WildFire—Although basic WildFire support is included as part of the Threat Prevention license, the
WildFire subscription service provides enhanced services for organizations that require immediate
coverage for threats, frequent WildFire signature updates, advanced file type forwarding (APK, PDF,
Microsoft Office, and Java Applet), as well as the ability to upload files using the WildFire API. A WildFire
subscription is also required if your firewalls will be forwarding files to a WF‐500 appliance.
GlobalProtect—Provides mobility solutions and/or large‐scale VPN capabilities. By default, you can
deploy GlobalProtect portals and gateways (without HIP checks) without a license. If you want to use HIP
checks, you will also need gateway licenses (subscription) for each gateway.
AutoFocus—Provides a graphical analysis of firewall traffic logs and identifies potential risks to your
network using threat intelligence from the AutoFocus portal. With an active license, you can also open
an AutoFocus search based on logs recorded on the firewall.
Activate Licenses and Subscriptions
Activate Licenses and Subscriptions (Continued)
Install Content and Software Updates
In order to stay ahead of the changing threat and application landscape, Palo Alto Networks maintains a
Content Delivery Network (CDN) infrastructure for delivering content updates to Palo Alto Networks
firewalls. The firewalls access the web resources in the CDN to perform various App‐ID and Content‐ID
functions. By default, the firewalls use the management port to access the CDN infrastructure for application
updates, threat and antivirus signature updates, BrightCloud and PAN‐DB database updates and lookups,
and access to the Palo Alto Networks WildFire cloud. To ensure that you are always protected from the
latest threats (including those that have not yet been discovered), you must ensure that you keep your
firewalls up‐to‐date with the latest content and software updates published by Palo Alto Networks.
The following content updates are available, depending on which subscriptions you have:
Although you can manually download and install content updates at any time, as a best practice
you should Schedule each content update. Scheduled updates occur automatically.
Antivirus—Includes new and updated antivirus signatures, including signatures discovered by the
WildFire cloud service. You must have a Threat Prevention subscription to get these updates. New
antivirus signatures are published daily.
Applications—Includes new and updated application signatures. This update does not require any
additional subscriptions, but it does require a valid maintenance/support contract. New application
updates are published weekly. To review the policy impact of new application updates, see Manage New
App‐IDs Introduced in Content Releases.
Applications and Threats—Includes new and updated application and threat signatures. This update is
available if you have a Threat Prevention subscription (and you get it instead of the Applications update).
New Applications and Threats updates are published weekly. To review the policy impact of new
application updates, see Manage New App‐IDs Introduced in Content Releases.
GlobalProtect Data File—Contains the vendor‐specific information for defining and evaluating host
information profile (HIP) data returned by GlobalProtect agents. You must have a GlobalProtect gateway
license and create an update schedule in order to receive these updates.
BrightCloud URL Filtering—Provides updates to the BrightCloud URL Filtering database only. You must
have a BrightCloud subscription to get these updates. New BrightCloud URL database updates are
published daily. If you have a PAN‐DB license, scheduled updates are not required as firewalls remain
in‐sync with the servers automatically.
WildFire—Provides near real‐time malware and antivirus signatures created as a result of the analysis
done by the WildFire cloud service. Without the subscription, you must wait 24 to 48 hours for the
signatures to roll into the Applications and Threats update.
Install Content and Software Updates
Install Content and Software Updates (Continued)
You cannot download the antivirus update until you
have installed the Application and Threats update.
• Upgrade—Indicates that a new version of the BrightCloud
database is available. Click the link to begin the download and
installation of the database. The database upgrade begins in the
background; when completed a check mark displays in the
Currently Installed column. Note that if you are using PAN‐DB
as your URL filtering database you will not see an upgrade link
because the PAN‐DB database on the firewall automatically
synchronizes with the PAN‐DB cloud.
To check the status of an action, click Tasks (on the
lower right‐hand corner of the window).
• Revert—Indicates that a previously installed version of the
content or software version is available. You can choose to
revert to the previously installed version.
Install Content and Software Updates (Continued)
Segment Your Network Using Interfaces and Zones
Traffic must pass through the firewall in order for the firewall to manage and control it. Physically, traffic
enters and exits the firewall through interfaces. The firewall determines how to act on a packet based on
whether the packet matches a Security policy rule. At the most basic level, each Security policy rule must
identify where the traffic came from and where it is going. On a Palo Alto Networks next‐generation firewall,
Security policy rules are applied between zones. A zone is a grouping of interfaces (physical or virtual) that
represents a segment of your network that is connected to, and controlled by, the firewall. Because traffic
can only flow between zones if there is a Security policy rule to allow it, this is your first line of defense. The
more granular the zones you create, the greater control you have over access to sensitive applications and
data and the more protection you have against malware moving laterally throughout your network. For
example, you might want to segment access to the database servers that store your customer data into a
zone called Customer Data. You can then define security policies that only permit certain users or groups of
users to access the Customer Data zone, thereby preventing unauthorized internal or external access to the
data stored in that segment.
Network Segmentation for a Reduced Attack Surface
Configure Interfaces and Zones
Network Segmentation for a Reduced Attack Surface
The following diagram shows a very basic example of how you can create zones to segment your network.
The more granular you make your zones (and the corresponding security policy rules that allows traffic
between zones), the more you reduce the attack surface on your network. This is because traffic can flow
freely within a zone (intra‐zone traffic), but traffic cannot flow between zones (inter‐zone traffic) until you
define a Security policy rule that allows it. Additionally, an interface cannot process traffic until you have
assigned it to a zone. Therefore, by segmenting your network into granular zones you have more control over
access to sensitive applications or data and you can prevent malicious traffic from establishing a
communication channel within your network, thereby reducing the likelihood of a successful attack on your
network.
Configure Interfaces and Zones
After you identify how you want to segment your network and the zones you will need to create to achieve
the segmentation (as well as the interfaces to map to each zone), you can begin configuring the interfaces
and zones on the firewall. Each interface on the firewall supports all Interface Deployments and the
deployment you will use depends on the topology of each part of the network you are connecting to. The
following workflow shows how to configure Layer 3 interfaces and assign them to zones. For details on
integrating the firewall using a different type of interface deployments (for example Virtual Wire
Deployments or Layer 2 Deployments), see Networking.
The firewall comes preconfigured with a default virtual wire interface between ports Ethernet
1/1 and Ethernet 1/2 (and a corresponding default security policy and virtual router). If you do
not plan to use the default virtual wire, you must manually delete the configuration and commit
the change before proceeding to prevent it from interfering with other settings you define. For
instructions on how to delete the default virtual wire and its associated security policy and zones,
see Step 3 in Set Up a Data Port for Access to External Services.
Set Up Interfaces and Zones
Set Up Interfaces and Zones (Continued)
Set Up Interfaces and Zones (Continued)
Set Up a Basic Security Policy
Now that you have defined some zones and attached them to interfaces, you are ready to begin creating
your Security Policy. The firewall will not allow any traffic to flow from one zone to another unless there is
a Security policy rule to allow it. When a packet enters a firewall interface, the firewall matches the attributes
in the packet against the Security policy rules to determine whether to block or allow the session based on
attributes such as the source and destination security zone, the source and destination IP address, the
application, user, and the service. The firewall evaluates incoming traffic against the security policy rulebase
from left to right and from top to bottom and then takes the action specified in the first security rule that
matches (for example, whether to allow, deny, or drop the packet). This means that you must order the rules
in your security policy rulebase so that more specific rules are at the top of the rulebase and more general
rules are at the bottom to ensure that the firewall is enforcing policy as expected.
The following workflow shows how to set up a very basic Internet gateway security policy that enables
access to the network infrastructure, to data center applications, and to the Internet. This will enable you to
get the firewall up and running so that you can verify that you have successfully configured the firewall. This
policy is not comprehensive enough to protect your network. After you verify that you have successfully
configured the firewall and integrated it into your network, proceed to Policy to learn how to create a Best
Practice Internet Gateway Security Policy that will safely enable application access while protecting your
network from attack.
Define Basic Security Policy Rules
Define Basic Security Policy Rules (Continued)
Define Basic Security Policy Rules (Continued)
Define Basic Security Policy Rules (Continued)
"Network Infrastructure" {
from Users;
source any;
source-region none;
to Data_Center;
destination any;
destination-region none;
user any;
category any;
application/service dns/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}
Assess Network Traffic
Now that you have a basic security policy, you can review the statistics and data in the Application Command
Center (ACC), traffic logs, and the threat logs to observe trends on your network. Use this information to
identify where you need to create more granular security policy rules.
Monitor Network Traffic
• Use the Application Command Center and Use In the ACC, review the most used applications and the high‐risk
the Automated Correlation Engine. applications on your network. The ACC graphically summarizes the
log information to highlight the applications traversing the
network, who is using them (with User‐ID enabled), and the
potential security impact of the content to help you identify what
is happening on the network in real time. You can then use this
information to create appropriate security policy rules that block
unwanted applications, while allowing and enabling applications in
a secure manner.
The Compromised Hosts widget in ACC > Threat Activity displays
potentially compromised hosts on your network and the logs and
match evidence that corroborates the events.
• Determine what updates/modifications are For example:
required for your network security policy rules • Evaluate whether to allow web content based on schedule,
and implement the changes. users, or groups.
• Allow or control certain applications or functions within an
application.
• Decrypt and inspect content.
• Allow but scan for threats and exploits.
For information on refining your security policies and for attaching
custom security profiles, see Enable Basic Threat Prevention
Features.
Monitor Network Traffic
• View AutoFocus Threat Data for Logs. Review the AutoFocus intelligence summary for artifacts in your
logs. An artifact is an item, property, activity, or behavior
associated with logged events on the firewall. The intelligence
summary reveals the number of sessions and samples in which
WildFire detected the artifact. Use WildFire verdict information
(benign, grayware, malware) and AutoFocus matching tags to look
for potential risks in your network.
AutoFocus tags created by Unit 42, the Palo Alto Networks
threat intelligence team, call attention to advanced,
targeted campaigns and threats in your network.
From the AutoFocus intelligence summary, you can start an
AutoFocus search for artifacts and assess their
pervasiveness within global, industry, and network
contexts.
• Monitor Web Activity of Network Users. Review the URL filtering logs to scan through alerts, denied
categories/URLs. URL logs are generated when a traffic matches a
security rule that has a URL filtering profile attached with an action
of alert, continue, override or block.
Enable Basic Threat Prevention Features
The Palo Alto Networks next‐generation firewall has unique threat prevention capabilities that allow it to
protect your network from attack despite the use of evasion, tunneling, or circumvention techniques. The
threat prevention features on the firewall include the WildFire service, Security Profiles that support
Antivirus, Anti‐Spyware, Vulnerability Protection, URL Filtering, File Blocking and Data Filtering capabilities,
the Denial of Service (DoS) and Zone protection functionality, and AutoFocus threat intelligence.
Threat Prevention contains more in‐depth information on how to protect your network from threats. For
details on how to scan encrypted (SSH or SSL) traffic for threats, see Decryption. Visit Applipedia and Threat
Vault to learn more about the applications and threats that Palo Alto Networks products can identify,
respectively.
Before you can apply threat prevention features, you must first configure zones—to identify one
or more source or destination interfaces—and security policy rules. To configure interfaces, zones,
and the policies that are needed to apply threat prevention features, see Configure Interfaces and
Zones and Set Up a Basic Security Policy.
To begin protecting your network from threats, start here:
Enable Basic WildFire Forwarding
Scan Traffic for Threats
Control Access to Web Content
Enable AutoFocus Threat Intelligence
Enable Basic WildFire Forwarding
WildFire is a cloud‐based virtual environment that analyzes and executes unknown samples (files and email
links) and determines the samples to be malicious, grayware, or benign. With WildFire enabled, a Palo Alto
Networks firewall can forward unknown samples to WildFire for analysis. For newly‐discovered malware,
WildFire generates a signature to detect the malware and distributes it to all firewalls with active WildFire
licenses. This enables global firewalls to detect and prevent malware found by a single firewall.
A basic WildFire service is included as part of the Palo Alto Networks next generation firewall and does not
require a WildFire subscription. With the basic WildFire service, you can enable the firewall to forward
portable executable (PE) files. Additionally, if do not have a WildFire subscription, but you do have a Threat
Prevention subscription, you can receive signatures for malware WildFire identifies every 24‐ 48 hours (as
part of the antivirus updates).
Beyond the basic WildFire service, a WildFire subscription is required for the firewall to:
Get the latest WildFire signatures every five minutes.
Forward advanced file types and email links for analysis.
Use the WildFire API.
Use a WF‐500 appliance to host a WildFire private cloud or a WildFire hybrid cloud.
If you have a WildFire subscription, go ahead and get started with WildFire to get the most out of your
subscription. Otherwise, take the following steps to enable basic WildFire forwarding:
Enable Basic WildFire Forwarding
4. Click OK to save your changes.
Step 5 Enable the firewall to forward decrypted SSL traffic for WildFire analysis.
Step 6 Review and implement WildFire best practices to ensure that you are getting the most of WildFire detection
and prevention capabilities.
Step 7 Click Commit to save your configuration updates.
Enable Basic WildFire Forwarding
Scan Traffic for Threats
Security Profiles provide threat protection in security policies. For example, you can apply an antivirus profile
to a security policy and all traffic that matches the security policy will be scanned for viruses.
The following sections provide steps for setting up a basic threat prevention configuration:
Set Up Antivirus, Anti‐Spyware, and Vulnerability Protection
Set Up File Blocking
Set Up Antivirus, Anti‐Spyware, and Vulnerability Protection
Every Palo Alto Networks next‐generation firewall comes with redefined Antivirus, Anti‐Spyware, and
Vulnerability Protection profiles that you can attach to security policies. There is one predefined Antivirus
profile, default, which uses the default action for each protocol (block HTTP, FTP, and SMB traffic and alert
on SMTP, IMAP, and POP3 traffic). There are two predefined Anti‐Spyware and Vulnerability Protection
profiles:
default—Applies the default action to all client and server critical, high, and medium severity
spyware/vulnerability protection events. It does not detect low and informational events.
strict—Applies the block response to all client and server critical, high and medium severity
spyware/vulnerability protection events and uses the default action for low and informational events.
To ensure that the traffic entering your network is free from threats, attach the predefined profiles to your
basic web access policies. As you monitor the traffic on your network and expand your policy rulebase, you
can then design more granular profiles to address your specific security needs.
Set up Antivirus/Anti‐Spyware/Vulnerability Protection
Set up Antivirus/Anti‐Spyware/Vulnerability Protection (Continued)
Recommendations for HA Configurations:
• Active/Passive HA—If the firewalls use the MGT port for content updates, configure a schedule on each firewall so
that each firewall downloads and installs content independently. If the firewalls are using a data port for content
updates, the passive firewall will not perform downloads while it is in the passive state. In this case set a schedule
on each peer and enable Sync To Peer to ensure that content updates on the active peer sync to the passive peer.
• Active/Active HA—If the firewalls use the MGT port for content updates, configure a schedule on each firewall, but
do not enable Sync To Peer. If the firewalls are using a data port for content updates, schedule content updates on
each firewall and select Sync To Peer to enable the active‐primary firewall to download and install the content
updates and then push the content update to the active‐secondary peer.
Set up Antivirus/Anti‐Spyware/Vulnerability Protection (Continued)
Set Up File Blocking
File Blocking Profiles allow you to identify specific file types that you want to want to block or monitor. For
most traffic (including traffic on your internal network) you will want to block files that are known to carry
threats or that have no real use case for upload/download. Currently, these include batch files, DLLs, Java
class files, help files, Windows shortcuts (.lnk), and BitTorrent files. Additionally, to provide drive‐by
download protection, allow download/upload of executables and archive files (.zip and .rar), but force users
to acknowledge that they are transferring a file so that they will notice that the browser is attempting to
download something they were not aware of. For policy rules that allow general web browsing, be more
strict with your file blocking because the risk of users unknowingly downloading malicious files is much
higher. For this type of traffic you will want to attach a more strict file blocking profile that also blocks
portable executable (PE) files.
Configure File Blocking
Configure File Blocking (Continued)
Control Access to Web Content
URL Filtering provides visibility and control over web traffic on your network. With URL filtering enabled,
the firewall can categorize web traffic into one or more (from approximately 60) categories. You can then
create policies that specify whether to allow, block, or log (alert) traffic based on the category to which it
belongs. The following workflow shows how to enable PAN‐DB for URL filtering, create security profiles,
and attach them to security policies to enforce a basic URL filtering policy.
Configure URL Filtering
Configure URL Filtering (Continued)
2. Click OK to save the URL filtering profile.
Configure URL Filtering (Continued)
Enable AutoFocus Threat Intelligence
With a valid AutoFocus subscription, you can compare the activity on your network with the latest threat
data available on the AutoFocus portal. Connecting your firewall and AutoFocus unlocks the following
features:
Ability to view an AutoFocus intelligence summary for session artifacts recorded in the firewall logs.
Ability to open an AutoFocus search for log artifacts from the firewall.
The AutoFocus intelligence summary reveals the prevalence of an artifact on your network and on a global
scale. The WildFire verdicts and AutoFocus tags listed for the artifact indicate whether the artifact poses a
security risk.
Enable AutoFocus Threat Intelligence on the Firewall
Best Practices for Completing the Firewall Deployment
Now that you have integrated the firewall into your network and enabled the basic security features, you
can begin configuring more advanced features. Here are some things to consider next:
Learn about the different Management Interfaces that are available to you and how to access and use
them.
Replace the Certificate for Inbound Management Traffic. By default, the firewall ships with a default
certificate that enables HTTPS access to the web interface over the management (MGT) interface or any
other interface that supports HTTPS management traffic. To improve the security of inbound
management traffic, replace the default certificate with a new certificate issued specifically for your
organization.
Configure a best‐practice security policy rulebase to safely enable applications and protect your
network from attack. See Best Practice Internet Gateway Security Policy for details.
Set up High Availability—High availability (HA) is a configuration in which two firewalls are placed in a
group and their configuration and session tables are synchronized to prevent a single point to failure on
your network. A heartbeat connection between the firewall peers ensures seamless failover in the event
that a peer goes down. Setting up a two‐firewall cluster provides redundancy and allows you to ensure
business continuity.
Configure the Master Key—Every Palo Alto Networks firewall has a default master key that encrypts all
private keys on the firewall used for cryptographic protocols. As a best practice to safeguard the keys,
configure the master key on each firewall to be unique. However, if you use Panorama, you must use
the same master key on Panorama and all managed firewalls. Otherwise, Panorama cannot push
configurations to the firewalls.
Manage Firewall Administrators—Every Palo Alto Networks firewall and appliance is preconfigured with
a default administrative account (admin) that provides full read‐write access (also known as superuser
access) to the firewall. As a best practice, create a separate administrative account for each person who
needs access to the administrative or reporting functions of the firewall. This allows you to better
protect the firewall from unauthorized configuration (or modification) and to enable logging of the
actions of each individual administrator.
Enable User Identification (User‐ID)—User‐ID is a Palo Alto Networks next‐generation firewall feature
that allows you to create policies and perform reporting based on users and groups rather than
individual IP addresses.
Enable Decryption—Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for
visibility, control, and granular security. Use decryption on a firewall to prevent malicious content from
entering your network or sensitive content from leaving your network concealed as encrypted or
tunneled traffic.
Enable Passive DNS Collection for Improved Threat Intelligence—Enable this opt‐in feature to enable
the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for
analysis in order to improve threat intelligence and threat prevention capabilities.
Follow the Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions.