FortiAnalyzer vs Panorama: Detailed Comparison
https://networkinterview.com/fortianalyzer-vs-panorama/ (Mon, 16 Jun 2025)

Centralized management and analysis of network devices is one of the vital requirements of enterprise networks. Monitoring individual network components in larger networks brings a lot of overhead in terms of skills, resources and expertise, and is not a viable approach where devices run into the hundreds or thousands. Centralized management reduces complexity by simplifying the configuration, deployment, and management of network security products.

Today we look in more detail at the comparison of FortiAnalyzer vs Panorama, to understand their purpose, capabilities, and key differences.

What is FortiAnalyzer?

FortiAnalyzer is a centralized logging, analytics and reporting solution for Fortinet network devices in the Security Fabric. It performs functions such as viewing and filtering individual event logs, generating security reports, managing event logs, alerting on suspicious behaviour, and investigating activity via its drill-down feature.


FortiAnalyzer can orchestrate security tools, people, and processes for streamlined execution, incident analysis and response. It can automate workflows and trigger actions with playbooks, connectors, and event handlers, responding in real time to network security attacks, vulnerabilities, and indicators of suspected compromise.

What is Panorama?

Palo Alto Panorama is a centralized management platform that gives insight into network-wide traffic logs and threats. It reduces complexity by simplifying the configuration, management, and deployment of Palo Alto network security devices. Panorama provides a graphical summary of the applications on the network, their users, and the potential security impact.


You can deploy enterprise-wide policies alongside local policies for flexibility. Appropriate levels of administrative control can be delegated at the network device level, with role-based access management. Logs, investigations and reports on network traffic, security incidents and notifications are all analysed centrally.

Comparison: FortiAnalyzer vs Panorama

Deployment
  • FortiAnalyzer: Deployed as a hardware appliance (physical device) in on-premises environments.
  • Panorama: Deployed as a virtual appliance on premises or as a cloud-based solution.

Compatibility
  • FortiAnalyzer: Provides multi-vendor support with broader compatibility for devices from different vendors. It can collect and analyze logs from various network devices such as firewalls, routers and switches from diverse manufacturers.
  • Panorama: Mainly focused on support for Palo Alto network devices, offering more extensive features and integrations for Palo Alto's own product range; however, it does offer multi-vendor support.

Reporting and Analytics
  • FortiAnalyzer: Robust reporting and analytical capabilities including real-time monitoring dashboards, log searching and historical reports, with built-in threat intelligence and event correlation.
  • Panorama: Advanced analytics, reporting and troubleshooting functionality with custom reporting templates and visualization of network traffic with detailed user and application analysis.

Management and Scalability
  • FortiAnalyzer: Ideal for small and medium-sized networks.
  • Panorama: Ideal for large, distributed and complex networks with centralized management of multiple firewalls and network devices.

Security ecosystem integration
  • FortiAnalyzer: Integration with the Fortinet security ecosystem, with seamless sharing of threat intelligence and security policies across Fortinet network devices.
  • Panorama: Integration with the Palo Alto network security ecosystem to provide enhanced visibility and control over Palo Alto network security products.

Functionality
  • FortiAnalyzer: A central logging device meant for Fortinet devices. It stores all traffic that the network device is configured to send, up to the maximum disk space on the unit.
  • Panorama: Basically FortiManager + FortiAnalyzer combined. It can be dedicated to logging (as a Log Collector), but in a simple setup it has both roles.

Palo Alto Packet Flow Troubleshooting: Common Issues
https://networkinterview.com/palo-alto-packet-flow-troubleshooting/ (Tue, 25 Feb 2025)

Troubleshooting Palo Alto packet flow issues can be complex. In this blog, we discuss some common packet flow issues on Palo Alto firewalls and the troubleshooting steps for each.

Palo Alto Packet Flow Troubleshooting Issues

1. Incorrect Security Policies

  • Issue: Traffic is being dropped due to misconfigured or missing security policies.
  • Troubleshooting:
    • Verify the security policies using the CLI command show running security-policy or through the GUI.
    • Ensure that traffic matches the intended policy based on source, destination, and service.
    • Check the rule order and make sure no unintended policy overrides occur.

2. NAT Misconfigurations

  • Issue: Traffic might not be properly translated due to incorrect Network Address Translation (NAT) rules.
  • Troubleshooting:
    • Use the command show running nat-policy to verify NAT rules.
    • Confirm the source and destination NAT configurations, and ensure that the translated IPs are correct.
    • Utilize packet capture to see if the translation is occurring as expected.

3. Zone Misalignment

  • Issue: Traffic is dropped because it is not traversing through the correct zones.
  • Troubleshooting:
    • Confirm that the zones are correctly configured and that both the source and destination zones are assigned properly.
    • Check if the zones match the security policies for inter-zone or intra-zone traffic.

4. Routing Issues

  • Issue: The firewall might not know how to route traffic to the next hop or the intended destination.
  • Troubleshooting:
    • Check the routing table using the command show routing route.
    • Verify static and dynamic routing configurations.
    • Perform trace routes or ping tests to validate the reachability of the destination.

5. Session Table Problems

  • Issue: Traffic may be dropped due to session table issues, such as an existing session not being cleared.
  • Troubleshooting:
    • Use the command show session all to see the active sessions.
    • Clear the session related to the problematic traffic using the clear session id <session-id> command.
    • Check if session timeouts are configured too aggressively.

6. Application Identification (App-ID) Problems

  • Issue: Traffic may be classified incorrectly due to App-ID issues, causing unexpected behavior.
  • Troubleshooting:
    • Use packet capture or logs to verify how the application is being identified.
    • Adjust App-ID settings or override the App-ID as needed for specific traffic.
    • Monitor traffic using the “ACC” tab in the web interface to see how applications are being categorized.

7. Asymmetric Routing

  • Issue: When traffic flows into one interface and the return traffic comes from another, the firewall may drop it.
  • Troubleshooting:
    • Enable session synchronization for asymmetric traffic using session distribution or configuring source/destination zone-based routing.
    • Use packet captures and session lookups to trace asymmetric paths.

8. High Availability (HA) Configuration Issues

  • Issue: Traffic might be dropped during failover or HA synchronization.
  • Troubleshooting:
    • Ensure HA configurations are correct and both devices are synchronized.
    • Check the failover logs to determine if traffic was interrupted during an HA event.
    • Perform packet captures during HA transitions to analyze packet drops.

9. Decryption Issues (SSL/TLS Decryption)

  • Issue: Misconfigurations in SSL/TLS decryption rules can cause traffic to be dropped or misclassified.
  • Troubleshooting:
    • Review the SSL/TLS decryption policy.
    • Use decryption logs to check whether traffic is being decrypted as expected.
    • Analyze traffic using packet capture tools to confirm if decryption is causing issues.

10. GlobalProtect VPN Issues

  • Issue: Traffic passing through GlobalProtect VPN might face issues due to misconfigurations or certificate problems.
  • Troubleshooting:
    • Verify the GlobalProtect configuration and client settings.
    • Check for certificate-related errors.
    • Analyze the traffic through GlobalProtect using packet captures to identify where the issue lies.

11. Licensing and Feature Constraints

  • Issue: Certain traffic may be dropped due to feature or license limitations, such as URL filtering or WildFire.
  • Troubleshooting:
    • Ensure that all necessary licenses are active and not expired.
    • Review feature-specific logs to determine if traffic is being blocked due to licensing constraints.

12. Fragmentation Issues

  • Issue: Packet fragmentation can cause issues with larger packets being dropped.
  • Troubleshooting:
    • Check if fragmentation is enabled for relevant traffic.
    • Use packet captures to determine if fragmented packets are causing the problem.
    • Adjust Maximum Transmission Unit (MTU) settings as needed.

Each of these common issues can be addressed through packet captures, session monitoring, and careful analysis of the Palo Alto firewall’s traffic logs.
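The rule-order check from issue 1 above, as an added example that is not part of the original article or of PAN-OS: a constructed first-match rulebase (zones, addresses, service and action, assumed here as a simplified form of what show running security-policy lists) is scanned for rules fully shadowed by an earlier rule, and a single flow is evaluated top to bottom to show the guest deny being overridden.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    """One security rule, simplified: 'any' or a single value per field."""
    name: str
    from_zone: str     # source zone or 'any'
    to_zone: str       # destination zone or 'any'
    source: str        # CIDR/host or 'any'
    destination: str   # CIDR/host or 'any'
    service: str       # e.g. 'tcp/443', or 'any'
    action: str        # 'allow' or 'deny'


def _zone_covers(earlier: str, later: str) -> bool:
    return earlier == "any" or earlier == later


def _net_covers(earlier: str, later: str) -> bool:
    """True if the 'earlier' address object contains every address 'later' can match."""
    if earlier == "any":
        return True
    if later == "any":
        return False
    return ip_network(later, strict=False).subnet_of(ip_network(earlier, strict=False))


def _service_covers(earlier: str, later: str) -> bool:
    return earlier == "any" or earlier == later


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every flow 'later' could match is already matched by 'earlier'."""
    return (_zone_covers(earlier.from_zone, later.from_zone)
            and _zone_covers(earlier.to_zone, later.to_zone)
            and _net_covers(earlier.source, later.source)
            and _net_covers(earlier.destination, later.destination)
            and _service_covers(earlier.service, later.service))


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed rule, rule that shadows it) pairs, walking top to bottom."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break  # the first shadowing rule is the one that actually wins
    return found


def first_match(rules: List[Rule], from_zone: str, to_zone: str,
                src: str, dst: str, service: str) -> Tuple[str, str]:
    """Evaluate one concrete flow top to bottom, the way a first-match rulebase does."""
    probe = Rule("probe", from_zone, to_zone, src, dst, service, "")
    for r in rules:
        if covers(r, probe):      # a concrete flow is just a degenerate rule
            return r.name, r.action
    return "interzone-default", "deny"   # nothing matched: default deny


# Constructed sample rulebase (not from the article), in first-match order.
# The guest deny sits below a broad allow that already matches its traffic.
RULEBASE = [
    Rule("allow-web-out", "trust", "untrust", "10.0.0.0/8", "any", "tcp/443", "allow"),
    Rule("deny-guest-web", "trust", "untrust", "10.99.0.0/16", "any", "tcp/443", "deny"),
    Rule("deny-guest-all", "trust", "untrust", "10.99.0.0/16", "any", "any", "deny"),
    Rule("deny-all", "any", "any", "any", "any", "any", "deny"),
]

# The same rules with the specific guest deny moved above the broad allow.
FIXED_RULEBASE = [RULEBASE[1], RULEBASE[0], RULEBASE[2], RULEBASE[3]]


if __name__ == "__main__":
    for shadowed, by in find_shadowed(RULEBASE):
        print(f"rule '{shadowed}' is fully shadowed by earlier rule '{by}'")
    flow = ("trust", "untrust", "10.99.5.20", "203.0.113.10", "tcp/443")
    print("before:", first_match(RULEBASE, *flow))        # allow-web-out wins
    print("after: ", first_match(FIXED_RULEBASE, *flow))  # deny-guest-web wins
```

On the firewall itself the per-flow equivalent is the test security-policy-match command; this script only models matching on zones, addresses and service, not App-ID, users or URL categories.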

Palo Alto Firewall Architecture
https://networkinterview.com/palo-alto-firewall-architecture/ (Mon, 24 Feb 2025)

Network architecture refers to the structured arrangement of network and security devices and services to serve the connectivity needs of client devices, while also providing controlled traffic flow and availability of services. Network devices typically include switches, routers and firewalls.

Palo Alto Firewall Architecture : An Overview

Palo Alto Firewall Architecture is based on an exclusive design, the Single Pass Parallel Processing (SP3) Architecture. This design enables high-throughput, low-latency network security integrated with remarkable features and technology. Palo Alto Networks addresses the performance problems that affect today’s security infrastructure with the SP3 architecture, which is composed of two key components:

  1. Single Pass software
  2. Parallel Processing hardware

Single Pass Software

The Palo Alto Networks Next-Generation Firewall runs Single Pass software. It processes each packet once to perform networking, user identification (User-ID), policy lookup, traffic classification with application identification (App-ID), decoding, and signature matching to detect threats and malicious content. Processing a packet in one go, or a single pass, significantly reduces the overhead of packet processing.

By contrast, other firewall vendors use a different type of architecture, which produces higher overhead when processing packets traversing the firewall. Another notable approach in other vendors’ Next-Generation Firewalls is Unified Threat Management (UTM), which processes the packet and then separately verifies its contents. The resulting spike in CPU overhead affects the latency and throughput of the firewall, degrading performance.

Single Pass software is designed around two key principles.

  • Firstly, the Single Pass software performs its operations once per packet. When a packet is processed in this way, functions like policy lookup, application identification, decoding and signature matching for all threats and content are each performed just once.
  • Secondly, packet processing in Single Pass software is stream based, and uses uniform signature matching to detect and block threats. Instead of separate engines and signature sets, or file proxies that require a file to be downloaded before it can be scanned, the Single Pass software scans packets once, in a stream-based fashion, to avoid latency and throughput penalties.

This Single Pass software content processing enables high throughput and low latency with all security functions active. It also offers the additional feature of a single fully integrated policy, enabling easier management of enterprise network security.


Parallel Processing Hardware

Palo Alto Networks Parallel Processing hardware ensures that function-specific processing is done in parallel at the hardware level, which, in conjunction with the dedicated data plane and control plane, produces very high performance. By separating the data plane and control plane, Palo Alto Networks ensures that heavy utilization of either plane will not impact the overall performance of the platform.

Palo Alto Firewall Architecture : Control Plane & Data Plane

The control plane is responsible for tasks such as management and configuration of the Palo Alto firewall, and it also takes care of logging and reporting. A main feature of the Palo Alto Networks Next-Generation Firewall is its set of dedicated processors, each responsible for specific functions, all working in parallel. The data plane in the high-end models contains three types of processors (CPUs) connected by high-speed 1 Gbps buses.

Types Of Processors:

The three types of processors are:

  1. Security Matching Processor: Dedicated processor that performs vulnerability and virus detection tasks.
  2. Security Processor: Dedicated processor that performs hardware acceleration and handles security tasks such as SSL decryption, IPsec decryption and similar other tasks.
  3. Network Processor: Dedicated processor responsible for network tasks such as routing, NAT, QoS, route lookup, MAC lookup and network layer communications.

First, the Palo Alto Firewall Architecture splits the two planes, i.e. it has a separate data plane and control plane. This separation means that heavy utilization of one plane will never impact the other. The second important element is the Parallel Processing hardware, which includes discrete specialized processing groups that work together to perform several key functions.

  • Routing, flow lookup, traffic analysis statistics, NAT and similar functions are performed on network-specific hardware.
  • User-ID, App-ID and policy lookup all occur on a multi-core security engine with hardware acceleration for encryption/decryption and compression/decompression.
  • Content-ID content analysis uses a dedicated, specialized content scanning engine.
  • On the control plane, a dedicated management processor (with dedicated disk and RAM) drives configuration management, logging and reporting without interfering with user data.

Conclusion

The network architecture of Palo Alto firewalls consists of Single Pass software and Parallel Processing hardware, a well-matched combination in network security that empowers Palo Alto Networks next-generation firewalls to restore visibility and control over enterprise networks.

How to Reset Palo Alto Firewall to Factory Default Settings
https://networkinterview.com/factory-reset-palo-alto-firewall/ (Mon, 24 Feb 2025)

Introduction to Reset Palo Alto Firewall

A firewall is a network security device which grants or rejects network access to traffic flowing between an untrusted zone (external networks) and a trusted zone (internal networks). Starting from the early days of stateful inspection firewalls and then UTM (unified threat management), application-aware next generation firewalls have now become synonymous with firewalls.

Palo Alto is one such next-generation firewall which provides flexible deployment options for your network, with firewall platforms available for both physical and virtual environments.

In this article we will learn more about how to reset a Palo Alto firewall to factory default, why it is required, and so on.

Reset Palo Alto Firewall to Factory Default Settings

There are three scenarios in which it may be required to reset the Palo Alto firewall to its default settings: you do not have the admin password; you have the admin password; or you have the admin password and need to remove all logs and restore the default configuration of the firewall.

Steps to Restore Default Configuration

To reset the firewall to its default configuration you need to enter maintenance mode first.

Step 1: Connect the console cable from the console port to your system and verify the console settings: speed 9600, data bits 8, parity none and stop bits 1.

Step 2: Enter maintenance mode: power on or reboot the device.

Step 3: During boot the screen below will appear:

Booting PANOS (sysroot0) after 5 seconds…

Entry: Type ‘Maint’ and Enter

Step 4: Multiple options will be displayed; choose PANOS (maint) mode.

Step 5: The maintenance recovery section will be displayed. Press Enter to proceed.

Step 6: Choose ‘Factory reset’ and press Enter.

Step 7: A warning message will be displayed along with the factory reset option. Select Factory reset and press Enter.

The progress will be displayed on screen as a percentage complete.

On completion, the factory reset will display the screen below; to complete the process, reboot the device.

Palo Alto Cloud NGFW for Azure: Cloud Security
https://networkinterview.com/palo-alto-cloud-ngfw-for-azure-cloud-security/ (Wed, 12 Jun 2024)

Firewalls are a key component of perimeter security. Firewalls have come a long way, starting from stateful inspection to Next Generation Firewalls (NGFW), and now to a firewall which is machine learning (ML) aware and delivered as a cloud-native service, which means there is no need to purchase expensive hardware-based firewalls that require ongoing maintenance and upkeep.

In today’s topic we will learn about the Palo Alto cloud-based Next Generation Firewall for Azure: its features, its architecture and how it works.

About Palo Alto Cloud NGFW for Azure 

Cloud NGFW is a machine learning (ML) aware, cloud-native service. Multiple applications can run securely with Cloud NGFW in place, matching cloud speed, agility and on-demand scaling. It is an extension of Palo Alto threat prevention capabilities natively integrated into the cloud. It stops web-based attacks, vulnerabilities and exploits, including sophisticated file-based attacks, with the patented App-ID traffic classification technology.

Cloud NGFW provides:

  • Reduction in infrastructure management overhead
  • Web-based and zero-day threats can be stopped in real time
  • Web applications connect securely to legitimate web-based services
  • Simplified native cloud provider experience with consistent and simple firewall policy management across multiple tenants
  • Automation of end-to-end workflows with support for APIs, ARM templates and Terraform

Palo Alto Cloud NGFW Architecture 

Cloud NGFW is a native ISV service of Microsoft Azure. Palo Alto develops and manages the FWaaS (Firewall as a Service) using hooks provided by the Azure service, so that customers consume it via Azure APIs and UI. Cloud NGFW is available in the Azure Marketplace. The components of Cloud NGFW for Azure include:

  • Cloud NGFW: a managed Azure regional service made available in selected Azure regions.
  • Next Generation Firewall (NGFW): offered as a resource associated with a customer VNet or vWAN hub. It is scalable and resilient, and manifests itself as a private IP address in the NGFW subnet specified by the user. VNet UDRs need to be updated to send traffic through these IP addresses.
  • NGFW Rulestack: a resource that includes the security rule set along with associated objects and security profiles for advanced access control using App-ID and URL filtering capability, threat prevention etc. A local rulestack can be associated with multiple NGFWs.

Using Cloud NGFW you can secure inbound, outbound and East-West traffic.

Palo Alto Cloud NGFW for Azure - Inbound traffic

Inbound traffic is controlled by App-ID, which identifies the application based on its payload. Cloud NGFW prevents vulnerabilities and exploits from entering the VNet in inbound traffic allowed by Azure security groups (ASGs).

Palo Alto Cloud NGFW for Azure - outbound traffic

Outbound traffic is traffic originating within the application. It is protected by ensuring that resources in the application VNet connect only to allowed services and URLs, which prevents exfiltration of sensitive data.

Palo Alto Cloud NGFW for Azure east-west traffic

East-West traffic is traffic inside an Azure region, where the source and destination are deployed in two different VNets or in two different subnets under the same VNet. Cloud NGFW stops malware propagation within Azure, blocking lateral movement of attackers within the environment.

Capabilities of Cloud NGFW for Azure

The cloud NGFW for Azure includes capabilities in various fields as depicted below:

  • Administration and cloud deployments: enablement of NGFW capabilities in Azure environments with easy management of day 0 and day N operations on NGFW resources in the cloud, similar to any other Azure service.
  • Complete control and visibility into applications: App-ID and URL filtering provide application awareness and control.
  • Next generation threat prevention: includes secure cloud delivery and prevention signatures across physical and software-based firewalls.
  • Securing network traffic across VNets and vWANs.
  • Gateway Load Balancing (GWLB): provides high availability and scalability with an automated cloud firewall approach which scales up as traffic grows and handles increased throughput demands.
  • Integration of security with cloud provider processes: the cloud provider’s security architecture can be used for onboarding, monitoring and logging.
Palo Alto vs Checkpoint Firewall: Detailed Comparison
https://networkinterview.com/palo-alto-vs-checkpoint-firewall/ (Wed, 10 Apr 2024)

Attackers are constantly looking for vulnerabilities to penetrate your networks. Protection against direct, external threats requires extensive network security functions deployed at the edge. Protection at the edge is provided by stateful and next generation firewalls (NGFWs), which offer features like URL and content filtering, intrusion prevention systems, protection against distributed denial of service attacks, malware detection and encryption. There are two leading platforms when it comes to cyber security: Checkpoint and Palo Alto. Both offer NGFW solutions.

Today we look in more detail at the firewalls of these two most popular companies, Palo Alto vs Checkpoint: their key differences, features etc.


About Palo Alto Firewall

Palo Alto is a cyber security firm based in California, founded in 2005. They offer a wide range of products, including an advanced enterprise firewall product, a network security control center, advanced endpoint protection systems, a cloud-based threat analysis service, and a range of analytics and cloud storage products.

They also operate a threat intelligence and security consulting team known as team 42, which comprises cyber threat researchers and security technology experts who analyse, discover and help to prevent new threats such as malicious software and new attacks by bad actors. The company has acquired Morta Security, Cyvera, CirroSecure, LightCyber, Evident.io, Secdo, RedLock, CloudGenix, Expanse, and many other cybersecurity firms.

Palo Alto firewalls are used by a number of organizations and data centres to keep networks safe from advanced security threats. A Palo Alto firewall is used to identify, control, and inspect SSL-encrypted traffic and applications. It offers monitoring of applications, threats and content, and a real-time content scanning system for protection from viruses, data leakage, online threats, spyware and application vulnerabilities.

Features of Palo Alto firewall:

  • Inspects all traffic, including all applications, threats and content, and ties that traffic to the user regardless of location or device type
  • Identifies users in all locations irrespective of device type and OS
  • Offers policy-based decryption to decrypt potentially malicious traffic while leaving sensitive traffic encrypted
  • URL filtering to provide protection against web-based threats
  • DNS security using predictive analysis, machine learning and automation to block DNS attacks


About Checkpoint Firewall

Checkpoint is an American-Israeli company specializing in cyber security software for varied purposes, including network, endpoint, cloud, mobile, and data security. In 1993 Checkpoint came out with a firewall product called Firewall-1. Checkpoint firewalls are designed to control traffic between external and internal networks.

The Checkpoint firewall is part of the software blade architecture, which provides features like data loss prevention, application control, intrusion detection and prevention, VPN and mobile device connectivity, and internet access and filtering.

Features of Checkpoint firewall:

  • Checkpoint NGFW can be installed on specific appliances or in virtual mode
  • Checkpoint NGFW contains the IPS software blade, which provides geo protection as well as frequent, automated threat definition updates
  • Offers centralized management and role-based administration
  • Combines perimeter, endpoints, cloud and mobile security with application control, advanced URL filtering and data loss prevention capabilities

Comparison Table: Palo Alto vs Checkpoint Firewall

Below table summarizes the differences between the two types of firewalls:

Software
  • Palo Alto: Uses PAN-OS
  • Checkpoint: Checkpoint Software Blade

Firewall throughput
  • Palo Alto: 2 Gbps (App-ID enabled)
  • Checkpoint: 4 Gbps (ideal testing condition, stateful; 2.1 Gbps in real testing condition)

IPSec VPN throughput
  • Palo Alto: 500 Mbps
  • Checkpoint: 2.25 Gbps

IPS throughput
  • Palo Alto: 1000 Mbps
  • Checkpoint: 1.44 Gbps (460 Mbps IPS in real testing condition)

Connections per second supported
  • Palo Alto: 50 000
  • Checkpoint: 48 000

Total connections
  • Palo Alto: 250 000
  • Checkpoint: 3 200 000

Unicast IPv4 routing protocols and static routing
  • Palo Alto: BGP, RIP, OSPF, static routing
  • Checkpoint: RIP, OSPF, BGP, static routing, PBR

Firewall mode: router or bridge
  • Palo Alto: L1, L2, L3
  • Checkpoint: L2, L3

High availability
  • Palo Alto: Active/Active, Active/Passive
  • Checkpoint: ClusterXL

Real time threat prevention
  • Palo Alto: Alerts are generated a few minutes after infection. An infection alert is sent so the cyber security team can act on it.
  • Checkpoint: Prevents Patient-0; malware is blocked before entering the network.

Security priority
  • Palo Alto: Inspects part of the traffic for threats, exposing customers to risk.
  • Checkpoint: Inspects 100% of traffic for threats.

Application awareness
  • Palo Alto: Limited visibility, comparing only 3500 applications.
  • Checkpoint: Wider visibility of high-risk applications and shadow IT, about 8600 applications.

Preventive protection
  • Palo Alto: Does not have the capability; can scan documents with its post-infection scan engine.
  • Checkpoint: Provides users a sanitized version of documents for a safe work environment.

Response to vulnerabilities
  • Palo Alto: 128 days on average to fix
  • Checkpoint: 6 days on average to fix

Clear view of threats
  • Palo Alto: No capability for the MITRE ATT&CK framework
  • Checkpoint: MITRE ATT&CK framework to prevent cyber attacks

SSH and SSL usage
  • Palo Alto: First firewall to decrypt, inspect and control SSL and SSH. Policy control over SSL allows personal use of applications (like Twitter, Facebook) securely. SSH controls ensure it is not being used to tunnel other applications.
  • Checkpoint: No SSL decryption, inspection and control (inbound and outbound). No way to identify the intended use of SSH.

Security score
  • Palo Alto: Cyber security rating of 13/20
  • Checkpoint: Highest score in NSS Labs BPS 2019

Features
  • Palo Alto: SSL decryption to examine SSL-concealed threats; automatic failover support; URL filtering; change management function
  • Checkpoint: Patient-zero prevention; 100% traffic inspection; robust intrusion prevention system


Quick Facts!

Palo Alto had a global market share of 18.9% in 2021, whereas Checkpoint’s market share was 9.1%.

Palo Alto vs Fortinet Firewall: Detailed Comparison
https://networkinterview.com/palo-alto-vs-fortinet-firewall/ (Tue, 09 Apr 2024)

(Diagram depicting Palo Alto vs Fortinet Firewall)

Organizations need to keep pace with rapidly increasing technology demands such as remote working, anywhere connectivity, lower latency and increased availability, along with protection of infrastructure from a never-ending list of threats and vulnerabilities. Firewalls are a crucial security product which provides the capabilities to protect your networks and the data residing within them. Moving from stateful network firewalls to next generation firewalls is a game changer.

The traditional firewall approach, filtering incoming and outgoing traffic based on Internet Protocol (IP) port and IP addresses, is replaced by next generation firewalls which provide add-on features like application control, intrusion prevention (IPS), URL filtering and advanced threat protection capabilities like sandboxing.

Today we look in more detail at the firewalls of two of the most popular companies, Palo Alto vs Fortinet: key differences, features etc.


About Palo Alto Firewall

Palo Alto Networks is a global cyber security company based out of Santa Clara; its core security products, including its cloud-based security offering, are used by 85000 customers across 150+ countries. It has both physical and VM series firewalls: the PA-220, PA-800, PA-3200 series and PA-5200 series are next generation hardware, while the PA-7050 and PA-7080 are chassis-based.

With the release of PAN OS 9.0 the new K2 series firewalls were introduced: a 5G-ready firewall designed for service provider mobile network deployments with 5G and IoT security needs. The VM series firewalls can be deployed on premises or in cloud environments. They use a unified licensing system which is platform agnostic.

Features of Palo Alto Firewall

  • A license bundle covers antivirus, anti-spyware and vulnerability protection; the Threat Prevention license provides content updates for malware protection
  • Can create a copy of decrypted traffic on the firewall and send it to a traffic collection tool for archiving and analysis
  • Ability to control access to websites based on URL category
  • Receives antivirus signature updates, including signatures discovered by WildFire
  • A separate license provides extended remote-access VPN connectivity, including use of multiple gateways, mobile apps, mobile security management, host information checks and internal gateways

 

About Fortinet Firewall

Fortinet was founded in 2000 by brothers Ken Xie and Michael Xie as a cybersecurity company. The name Fortinet is derived from the phrase ‘Fortified Networks’. FortiOS is the operating system that runs on Fortinet hardware and is the foundation of the Security Fabric.

The majority of Fortinet models use specialized accelerated hardware, known as security processing units, which offloads resource-intensive processing from the main processing resources. Specialized content processors accelerate a wide range of essential security functions such as virus scanning, attack detection, encryption and decryption.

Features of Fortinet Firewall

  • Understands application layer protocols and applications
  • Gives the ability to block access to malicious, hacked or inappropriate websites
  • Protects against viruses, spyware and content-level threats
  • Performs dynamic analysis in the cloud to identify unknown malware, with automatic detection and response
  • Protects against threats on mobile devices, using detection engines to prevent both new and evolving threats from gaining access to the network and to personal information
  • Aggregates malicious source IP lists
  • Controls access to risky industrial protocols
  • Protection against spam at the network perimeter; controls email attacks and infections

 

Comparison Table: Palo Alto vs Fortinet firewall

Below table summarizes the key points of differences between the two types of firewalls:

(Comparison table: Palo Alto Firewall vs Fortinet Firewall)

Download the comparison table: palo alto vs fortinet firewall

Continue Reading:

Palo Alto Firewall Architecture

Routing Configuration in FortiGate Firewall: Static, Dynamic & Policy Based

If you want to learn more about Palo Alto, then check our e-book on Palo Alto Interview Questions & Answers in easy to understand PDF Format explained with relevant Diagrams (where required) for better ease of understanding.

Juniper SRX Firewall vs Palo alto Firewall
https://networkinterview.com/juniper-srx-firewall-vs-palo-alto-firewall/ Tue, 02 Apr 2024 09:02:28 +0000

Application-aware security is a need of IT enterprises. Companies are replacing old and outdated firewalls with next-generation firewalls that are application aware; this evolution can be attributed to Web 2.0, where web-based applications and services are becoming predominant in the IT landscape. When migrating to another firewall platform it is important to investigate how to utilize and implement new features, as well as ease of implementation, ease of use and cost.

Today we look in more detail at the comparison between next-generation firewalls such as the Juniper SRX firewall and Palo Alto firewalls, how they differ from each other, and their features.

Juniper SRX Firewall

Juniper SRX is a next-generation firewall and a departure from the ScreenOS-based firewalls. SRX provides scalability and scalable services; scaling under load is a typical requirement of firewalls, together with other services such as stateful firewalling, VPN, NAT, UTM and intrusion prevention. The SRX branch series of firewalls is meant for small and large office locations where the firewall is typically deployed at the network edge, while the data center series of SRX is designed to provide services at scale.

Introduction to Juniper SRX Firewall

Related: How to configure Juniper SRX Firewall? Step by Step Guide

Features of Juniper SRX Firewall

  • Users can limit traffic and shape bandwidth based on application information and context
  • Ability to route traffic over different WAN links
  • More accurate and granular security policies
  • Prevents users from downloading ransomware hidden within encrypted traffic

Palo Alto Firewall

Palo Alto detects known and unknown threats, including those in encrypted traffic, using threat intelligence. PAN-OS is the software that runs Palo Alto Networks firewalls, with the key technologies App-ID, Content-ID, Device-ID and User-ID built in as native features. Policies and rules can be applied uniformly across all assets; anomalous user behaviour across the enterprise can be detected, all business applications protected consistently, and least-privilege zero trust policies granted.

Palo Alto can decrypt TLS/SSL traffic and inspect it for traffic monitoring, to ensure that malicious traffic in encrypted disguise does not enter your network. Customers have access to granular controls for applications, tunnel monitoring, QoS services, integrated DNS, usage-based policy configuration and mobile device management.

Palo Alto Firewall Architecture

Features of Palo Alto Firewall

  • Consistent protection from threats in real time, full visibility, and traffic control
  • User access filtering and assessment in intelligent manner
  • Data loss prevention against exfiltration in outbound traffic

Comparison: Juniper SRX Firewall vs Palo alto Firewall

Below table summarizes the points of comparison between the two types of firewalls:

FUNCTION | JUNIPER SRX FIREWALL | PALO ALTO FIREWALL
Ease of use | The setup process for Juniper SRX is complex and time consuming, depending on environment complexity | The Palo Alto setup process is simple and user friendly, with quicker deployment timelines
Architecture | Based on the proprietary Junos operating system | Based on the proprietary PAN-OS, which is built on a Linux kernel
Natively engineered | The router OS has bolt-on security capability, while AppControl is a third-party component | Palo Alto is natively engineered to provide an integrated security approach
Platform support | Junos supports ESXi, NSX, KVM, AWS and Azure | Palo Alto supports ESXi, NSX, Hyper-V, KVM, ACI, GCP, AWS, Azure, AliCloud, Oracle and vCloud
Management interface | Managed via Junos Space Network and Security Director | Managed via Panorama network security management
Features | Intrusion prevention is on, but intelligent inspection reduces IPS functionality; supports 3rd-party AV and URL filtering (Forcepoint/Websense); limited local storage and reporting, so an external log collector is recommended | Intrusion prevention is usually on; natively integrated AV and URL filtering; supports local logging; provides credential theft protection

Download the comparison table: Juniper SRX Firewall vs Palo alto Firewall

Continue Reading:

Palo Alto vs Fortinet Firewall: Detailed Comparison

Palo Alto vs Checkpoint Firewall: Detailed Comparison

Palo Alto Panorama
https://networkinterview.com/palo-alto-panorama/ Tue, 19 Mar 2024 13:50:06 +0000

Introduction to Palo Alto Panorama

Palo Alto Panorama is the centralized management server that offers global visibility and control over multiple Palo Alto Networks next-generation firewalls from a web interface console. Panorama manages multiple Palo Alto Networks firewalls from a central location.

Key Features of Palo Alto Panorama

  • Application Command Center (ACC): ACC provides a visual summary of application, web, threat and data transfer activity.
  • App-Scope: App-Scope provides a comparison view of application activity across either multiple devices or a single device.
  • Policy-Based Application Usage Control: Using the policy editor, application usage control policies can be developed, deployed and managed.
  • Shared Policies: Panorama deploys a set of global policies across a set of distributed firewalls. The Panorama administrator can modify or remove a policy.
  • Centralized Update Management: Panorama can be used to manage licenses and perform device or content updates (virus patterns, threat signatures, App-ID).
  • Logging: Detailed logs are collected locally, leveraging device storage and eliminating the need for centralized logging.
  • Reporting: Panorama's reporting feature can generate more than 30 predefined reports, which can be used as is or modified and saved for future use. Reports can be exported to PDF format and scheduled for email delivery.

Panorama Management Architecture

Panorama provides many features for managing an organization's Palo Alto Networks firewalls using a model that provides both central and local control. Panorama offers a number of tools for centralized administration:

Templates: Templates can be used to manage configuration centrally and then push the changes to all managed Palo Alto firewalls.

Device Groups: Panorama manages common policy and objects via device groups. Device groups are used to centrally manage the Palo Alto with common requirements and common policies.

Role-based Administration: This feature can be used to assign role-based administration access (enabled, read-only, or disabled and hidden from view) to different users.

Software, Content and License Update Management: Software updates, content updates and license management can be pushed across the network by Panorama in an organized manner.

Panorama Deployment

Panorama can be deployed either as a hardware appliance or as a virtual appliance.

Hardware Appliance:

Panorama uses the M-100 hardware appliance to provide high-performance dedicated hardware and to separate the Panorama management and logging functions for large volumes of log data. Panorama running on the M-100 appliance can be deployed in the following ways:

Centralized: All Panorama management and logging functions are combined centrally in the single device with the option of HA. (Related – High Availability Palo Alto)

Distributed: Management and logging functions can be split across multiple devices, divided between a Panorama manager and Panorama log collectors.

Panorama Manager: The Panorama manager does not store log data locally; logs are stored separately on the log collectors. The manager analyzes the data saved in the log collectors for centralized reporting.

Panorama Log Collector: A dedicated log collector device is deployed to handle high logging volumes and aggregates log information from multiple managed firewalls.

Virtual Appliance:

Panorama can be deployed as a virtual appliance on VMware ESXi to support virtualization initiatives and to conserve rack space, which is limited and costly in a data center. The virtual appliance can be deployed in the following two ways:

Centralized: All Panorama management and logging functions are combined centrally in the single device with the option of HA.

Distributed: Management and logging functions can be split across multiple devices. A combination of hardware and virtual appliances is supported.

Panorama Manager: Virtual appliance acts as a Panorama manager and is responsible for handling the tasks associated with policy and device configuration across all managed devices.

Panorama Log Collector: Panorama log collectors are responsible for offloading log collection and processing tasks and may be deployed using the M-100. The virtual appliance is not to be used as a Panorama log collector.

PARAMETER | PANORAMA CENTRALIZED MANAGEMENT | DEVICE WEB INTERFACE
Multi-device management | Yes | No
Global view of all devices | Yes | No
Global logging/reporting | Yes | No
Application Command Center | Yes | Yes
App-Scope | Yes | Yes
Policy Editor | Yes | Yes
Web-based interface | Yes | Yes
Shared policies | Yes | No
Role-based administration | Yes | Yes
Requires management client | No | No

PANORAMA SPECIFICATIONS

Number of Devices Supported | Up to 1,000
Administrator Authentication | Local database, RADIUS
High Availability | Active/Passive
Log Storage | Maximum of 2 Terabytes (TB)
Command Line Interface | SSHv2, Telnet or Console
Web Interface | HTTPS, HTTP
Device Connection | SSLv2
Management Tools and APIs | Graphical User Interface (GUI), Command Line Interface (CLI), XML-based REST API

VIRTUAL APPLIANCE SPECIFICATIONS

Minimum Server Hardware Requirements | 40 GB, 4 GB RAM, Quad-Core CPU (2GHz+)
VMware Support | VMware ESX 4.1 or greater
Browser Support | IE v7 or greater, Firefox v3.6 or greater, Safari v5.0 or greater, Chrome v11.0 or greater
Log Storage | VMware Virtual Disk: 2TB maximum; NFS

Conclusion

Panorama manages multiple Palo Alto Networks firewalls from a central location and provides features such as templates, device groups, role-based administration and update management. Organizations can delegate appropriate access to all management functions: visualization tools, policy creation, reporting and logging, at both a global and a local level.

If you want to learn more about Palo Alto, then check our e-book on Palo Alto Interview Questions & Answers in easy to understand PDF Format explained with relevant Diagrams (where required) for better ease of understanding.

 

Palo Alto Prisma Access: SASE
https://networkinterview.com/palo-alto-prisma-access-sase/ Thu, 14 Dec 2023 07:51:45 +0000

What is Palo Alto Prisma Access?

Palo Alto Prisma Access is a cloud service provided by Palo Alto Networks. It provides secure access to the Internet and to business applications that may be hosted as SaaS, in a corporate headquarters, in data centres, or in instances that you may have running inside a public cloud.

Let’s discuss the above diagram to understand Prisma Access:

Prisma Access is deployed in the middle, between your data centre or headquarters, your mobile users and remote networks, and the Internet. This set-up allows Prisma Access to inspect and analyse all traffic to identify applications, threats and content, and it provides visibility into the use of SaaS applications and the ability to control which SaaS applications your users are allowed to use.

Being a cloud service, Prisma Access also lets you avoid the challenge of figuring out what type of hardware to buy (it provides scalability). It also minimises the coverage gaps or inconsistencies associated with distributed organisations.

In the past you perhaps had multiple point solutions for remote access that you had to deploy across your enterprise; the access was not the same, and the user experience was also not the same.

All these scenarios create inconsistencies in how these point products are managed. With Prisma Access you don’t need to worry about these, because it is all encompassed within the cloud service. We can shrink or expand our requirement based on user load and consume cloud services accordingly: if the number of connected users decreases, we are able to decrease the amount of compute resources allocated to Prisma Access.

Let’s take a look at the individual components of Prisma Access:

Palo Alto Prisma Access for Mobile Users

Palo Alto Prisma Access for Mobile Users provides the security services that Palo Alto Networks is known for. For example, App-ID, User-ID, Threat Prevention, DNS Security and Enterprise DLP are all available with Prisma Access.

Prisma Access also provides an alternative to the traditional on-premises deployment of Remote Access VPN. Instead of having multiple solutions at various locations, you can manage it as part of a Unified Service in a single pane of glass. 

You are able to select locations that are suitable for your users. Prisma Access has more than 100 locations available to choose from, including locations in regions such as Africa, Asia, Australia, New Zealand, Europe, Japan, the Middle East, North America, Central America and South America.

 

You can also enable Prisma Access for mobile users in a hybrid network, in which mobile users are combined with on-premises firewalls that run GlobalProtect gateways for areas where Palo Alto Networks doesn’t have coverage. If you are familiar with GlobalProtect, the functionality is very similar:

  1. Users connect to the portal.
  2. The portal decides which is the best available location for that specific user.
  3. The user connects to that location, building an IPsec tunnel to it.
  4. Traffic is then sent through that tunnel to Prisma Access.

From Prisma Access, the traffic either goes directly out to the Internet from the cloud service or uses a service connection to reach internal resources in your headquarters, DC or cloud instances. All of this is logged, and all logs are sent to the Cortex Data Lake.

Palo Alto Prisma Access for Remote Networks

Palo Alto Prisma Access for remote networks provides the same security services as it does for mobile users (App-ID, Threat Prevention, User-ID), enabling your remote networks to safely use common applications and web access.

Remote networks connect to Prisma Access via industry-standard IPsec VPN capable devices (a Palo Alto firewall is not needed at both ends). Any firewall that supports IPsec VPN can connect to Prisma Access, and the remote site’s traffic can be forwarded to Prisma Access, which provides Internet access and access to internal DC or HQ resources through a service connection.

See below image -> features of Remote Network Setup

Prisma Access for remote networks is managed in the same manner as for mobile users, so you can use a single pane of glass to manage all of these remote sites.

Let’s take a look at Service Connections.

Service Connections

Service connections are the glue that holds everything together: they connect Prisma Access to your HQ or data centre resources. They also use IPsec tunnels for secure transport over the Internet.

These are Layer 3 routed connections which can accommodate static or dynamic routing and can terminate on any IPsec-capable firewall, router or SD-WAN device on your premises.

On the Prisma Access end of the connection they terminate on a corporate access node, and the service connections are what provide inbound connectivity to the centrally located resources in your headquarters or DC. The image below explains the set-up process to enable service connections in Prisma Access.

  • It covers tunnel information
  • Routing
  • QoS (Bandwidth Allocation)

The difference between a remote network and a service connection is:

  • A remote network can do both outbound and inbound connectivity
  • Whereas service connections are only for inbound connectivity

Through a service connection you can route traffic via Prisma Access to the Internet.

Palo Alto Prisma Access Management Methods

There are two methods used to manage Prisma Access:

  1. The first method is via the Cloud Services plug-in on a Panorama managed device. If you are already a consumer of Palo Alto Networks devices, you can use the same Panorama with the Cloud Services plug-in to manage both your on-premises firewalls and Prisma Access.
  2. The second option is Cloud Managed; this is also a cloud-provided service. If you don’t have Panorama or are new to Palo Alto Networks, this is the easiest way to get Prisma Access: you can deploy and use the Prisma Access service without having to deploy another on-premises device or VM (virtual machine) to run the management services.

Palo Alto Prisma Access uses Cortex Data Lake to store logs. Cortex Data Lake stores the logging for any action taken by Prisma Access. You can forward logs to any other device by redirecting them from Cortex Data Lake to an on-premises device or log server.

Continue Reading:

USER ID – PALO ALTO NETWORKS

High Availability Palo Alto

Palo Alto vs Fortinet Firewall: Detailed Comparison

Palo Alto Security Profiles and Security Policies
https://networkinterview.com/palo-alto-security-profiles/ Wed, 27 Sep 2023 17:37:35 +0000

Below are the key profile types provisioned in the Palo Alto firewall. Let’s discuss all the profile types one by one.

Palo Alto Security Profiles & Security Policies

While security policy rules allow or block traffic in the network, security profiles scan allowed applications for threats such as viruses, malware, spyware and DDoS attacks. When traffic matches a rule in the security policy, the profiles attached to that rule are applied for further content inspection, such as antivirus checks and data filtering.

Antivirus Profiles

Antivirus profiles block viruses, worms and Trojans as well as spyware. Palo Alto protects user data from malware without impacting the performance of the firewall. This profile scans for a wide variety of malware in executables, PDF files, HTML and JavaScript viruses and compressed (zipped) files.

Anti-Spyware Profiles

Anti-Spyware profiles block spyware on hosts, allowing detection of malicious traffic leaving the network from infected clients. An Anti-Spyware profile is applied at various zone levels. The profile can be customized, or one of the following profile types can be selected when applying Anti-Spyware to a security policy rule:

Vulnerability Protection Profiles

Vulnerability Protection profiles protect against unauthorized access to systems and against threats entering the network. For example, they help protect against buffer overflows, illegal code execution and other attempts to exploit system vulnerabilities. The default option in the vulnerability protection profile protects clients and servers from all critical, high and medium severity threats. When the firewall detects a threat event, the following actions can be configured:

URL Filtering Profiles

URL Filtering profiles enable monitoring and control of how users access the web over HTTP and HTTPS. By default, the firewall has a default profile that is configured to block URL categories such as malware, phishing and adult content. New actions can be set on the default URL profile, with all categories set to allow, for visibility into the traffic in the network. Newly added URL profiles can be customized with lists of specific websites that should always be blocked or allowed, which provides more granular control than URL categories alone.

Data Filtering Profiles

Data filtering profiles protect sensitive information, like credit card details or social security numbers, from leaving a protected network. A data filtering profile can filter on keywords, like a sensitive project name or the word ‘confidential’. Custom data patterns can be created and then attached to a Data Filtering profile. Data pattern objects can be created based on the following:

File Blocking Profiles

File blocking profiles are used to block particular file types over particular applications and in the defined session flow direction (inbound/outbound/both). Alerts can be set on upload and/or download for an application. In a file blocking profile, custom block pages can be configured that appear when a user attempts to download the specified file type. File blocking profiles also allow the user a moment to consider whether they want to download a file. A custom File Blocking profile can be defined, or we may choose one of the following:

  • Basic File Blocking: Meant for security policy rules that allow less sensitive traffic. It blocks file types commonly used to deliver malware on both upload and download: executables (.scr, .cpl, .dll, .ocx, .pif), Java files (.class, .jar), help files (.chm, .hlp) and other critical malicious file types (.vbe, .hta, .wsf, .torrent, .7z, .rar, .bat). A prompt appears on the user’s screen asking them to acknowledge when they attempt to download encrypted .rar or encrypted .zip files.
  • Strict File Blocking: Meant for security policy rules that allow access to your most sensitive applications. In addition to the basic file blocking list, it blocks .tar, multi-level encoded files, .cab, .msi, encrypted .rar and encrypted .zip files.
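To make the difference between the two predefined profiles concrete, here is an added example (not Palo Alto code and not from the original article) that models how a basic and a strict file blocking profile decide on a transfer. It uses the file type lists given above, but two things are the example's own assumptions: the firewall identifies file types by content inspection, whereas this model uses the filename extension as a stand-in, and an archive that inspection finds to be encrypted is treated as a distinct `encrypted-rar`/`encrypted-zip` type, which is what lets the basic profile prompt (`continue`) on an encrypted archive while blocking other risky types. Multi-level encoding is not modelled. The sample transfers at the bottom are constructed.

```python
"""Added example: a toy model of Palo Alto-style basic and strict file blocking profiles."""
from dataclasses import dataclass
from pathlib import PurePosixPath

# File types listed in the article for the predefined "basic" profile (blocked on upload
# and download). The real firewall identifies the type by content inspection; this model
# uses the filename extension as a stand-in, which is an assumption of the example.
BASIC_BLOCK = {
    ".scr", ".cpl", ".dll", ".ocx", ".pif",                     # Windows executables/components
    ".class", ".jar",                                           # Java
    ".chm", ".hlp",                                             # help files
    ".vbe", ".hta", ".wsf", ".torrent", ".7z", ".rar", ".bat",  # other risky types
}
# Additional types the article lists for the "strict" profile.
STRICT_EXTRA_BLOCK = {".tar", ".cab", ".msi"}
# Archives reported as a distinct "encrypted-*" type when the payload is encrypted:
# basic prompts the user on download, strict blocks outright.
ENCRYPTED_ARCHIVES = {".rar", ".zip"}

PROFILES = ("basic", "strict")
DIRECTIONS = ("upload", "download")


@dataclass(frozen=True)
class FileEvent:
    """One file transfer observed inside a session the security policy allowed."""
    filename: str
    direction: str           # "upload" or "download"
    encrypted: bool = False  # whether content inspection found an encrypted archive


def file_type(event: FileEvent) -> str:
    """Return the file type name the profile matches on, e.g. 'scr' or 'encrypted-zip'."""
    ext = PurePosixPath(event.filename.lower()).suffix
    if event.encrypted and ext in ENCRYPTED_ARCHIVES:
        return "encrypted-" + ext[1:]
    return ext[1:] if ext else "unknown"


def file_blocking_action(profile: str, event: FileEvent) -> str:
    """Return 'block', 'continue' (user must acknowledge a prompt) or 'allow'."""
    if profile not in PROFILES:
        raise ValueError(f"unknown profile {profile!r}")
    if event.direction not in DIRECTIONS:
        raise ValueError(f"unknown direction {event.direction!r}")

    ftype = file_type(event)
    if ftype.startswith("encrypted-"):
        # Encrypted archives cannot be scanned, so they are handled separately from
        # their plain counterparts: basic only prompts the user, and only on download.
        if profile == "strict":
            return "block"
        return "continue" if event.direction == "download" else "allow"

    ext = "." + ftype
    if ext in BASIC_BLOCK:
        return "block"
    if profile == "strict" and ext in STRICT_EXTRA_BLOCK:
        return "block"
    return "allow"


def evaluate(profile: str, events) -> dict:
    """Group a batch of transfers by the action the profile takes on them."""
    result = {"block": [], "continue": [], "allow": []}
    for ev in events:
        result[file_blocking_action(profile, ev)].append(ev.filename)
    return result


# Constructed sample transfers so the module runs stand-alone.
SAMPLE_EVENTS = [
    FileEvent("quarterly-report.pdf", "download"),
    FileEvent("Setup.SCR", "download"),
    FileEvent("photos.zip", "download"),
    FileEvent("vault.zip", "download", encrypted=True),
    FileEvent("vault.zip", "upload", encrypted=True),
    FileEvent("installer.msi", "download"),
    FileEvent("backup.tar", "upload"),
    FileEvent("README", "download"),
]

if __name__ == "__main__":
    for profile in PROFILES:
        print(profile, evaluate(profile, SAMPLE_EVENTS))
```

Running it shows the practical difference: under `basic` only `Setup.SCR` is blocked and the encrypted `vault.zip` download gets a prompt, while `strict` also blocks the `.msi`, the `.tar` and both encrypted-archive transfers.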

Wildfire Analysis Profiles

A WildFire Analysis profile is used to forward unknown files or email links for analysis. Forwarding is based on application, file type and transmission direction, i.e. upload or download. Files or email links matching a profile rule are forwarded either to the WildFire public cloud or to a WildFire private cloud, depending on the analysis location defined for the rule.

DoS Protection Profiles

DoS (Denial of Service) protection policies allow control over the number of sessions between interfaces, zones, addresses and countries, based on aggregate sessions or on source and/or destination IP addresses. The following are the two DoS protection mechanisms in Palo Alto Networks firewalls.

Flood Protection: In a flood attack, packets are flooded into the network and as a result many sessions remain half-open, with the service unable to serve each request. This mechanism protects users from this kind of attack.

Resource Protection: This mechanism is used to prevent session exhaustion attacks, in which a large number of hosts establish as many fully established sessions as possible and thereby consume the system’s resources. This mechanism protects against such resource consumption.

Zone Protection Profiles

Zone Protection Profiles protect a network zone from attack and are applied to the entire zone. In this profile, packets-per-second (pps) threshold limits are defined for the zone; the threshold is based on the packets per second that do not match a previously established session.
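The flood protection and zone protection paragraphs above describe the same two measurements from different angles: how many packets per second arrive in a zone without matching an existing session, and how many sessions a destination has left half-open. The following added example (written for this page, not Palo Alto's implementation) tracks both over a constructed packet trace. Its design choices are assumptions: the page only says "pps thresholds", so the example uses two stages, `alarm_pps` (log but allow) and `max_pps` (drop); TCP state is reduced to a simplified flags string; and the traffic (one completed handshake, then 50 SYNs in one second that never complete) is made up for the demonstration.

```python
"""Added example: zone pps thresholds on non-session-matching packets plus half-open tracking."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float    # arrival time in seconds
    zone: str    # ingress zone the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # simplified TCP flags: "S", "SA", "A", "F", "R"


def flow_key(pkt: Packet):
    """Direction-independent key so that server replies match the client's session."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


class ZoneProtection:
    """Counts packets per second per zone that do not match an existing session.

    Two thresholds are an assumption of this example (the article only says
    "pps thresholds"): above alarm_pps the packet is still allowed but logged,
    above max_pps it is dropped.
    """

    def __init__(self, alarm_pps: int, max_pps: int):
        self.alarm_pps = alarm_pps
        self.max_pps = max_pps
        self.sessions = {}                 # flow_key -> {"state": ..., "server": dst}
        self.unmatched = defaultdict(int)  # (zone, whole second) -> count
        self.log = []

    def process(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        sess = self.sessions.get(key)
        if sess is not None:
            # Matches a known session: never counted against the zone threshold.
            if pkt.flags in ("F", "R"):
                del self.sessions[key]
            elif pkt.flags == "A" and sess["state"] == "half-open":
                sess["state"] = "established"   # handshake completed
            return "allow"

        bucket = (pkt.zone, int(pkt.ts))
        self.unmatched[bucket] += 1
        n = self.unmatched[bucket]
        if n > self.max_pps:
            # Dropped packets create no session, so a flood cannot exhaust the table.
            self.log.append(f"DROP  zone={pkt.zone} t={bucket[1]} unmatched_pps={n}")
            return "drop"
        if pkt.flags == "S":
            self.sessions[key] = {"state": "half-open", "server": pkt.dst}
        if n > self.alarm_pps:
            self.log.append(f"ALARM zone={pkt.zone} t={bucket[1]} unmatched_pps={n}")
            return "alarm"
        return "allow"

    def half_open_by_dst(self) -> dict:
        """Flood protection view: half-open sessions per destination host."""
        counts = defaultdict(int)
        for sess in self.sessions.values():
            if sess["state"] == "half-open":
                counts[sess["server"]] += 1
        return dict(counts)

    def flood_alerts(self, max_half_open: int) -> list:
        return [dst for dst, n in self.half_open_by_dst().items() if n > max_half_open]


def constructed_traffic() -> list:
    """One legitimate handshake, then 50 SYNs within one second that never complete."""
    pkts = [
        Packet(0.00, "untrust", "203.0.113.7", 40000, "10.0.0.20", 443, "S"),
        Packet(0.01, "dmz", "10.0.0.20", 443, "203.0.113.7", 40000, "SA"),
        Packet(0.02, "untrust", "203.0.113.7", 40000, "10.0.0.20", 443, "A"),
    ]
    for i in range(50):
        pkts.append(Packet(1.0 + i / 100, "untrust", f"198.51.100.{i % 20 + 1}",
                           50000 + i, "10.0.0.20", 80, "S"))
    return pkts


def run(alarm_pps: int = 10, max_pps: int = 30):
    zp = ZoneProtection(alarm_pps, max_pps)
    decisions = defaultdict(int)
    for pkt in constructed_traffic():
        decisions[zp.process(pkt)] += 1
    return zp, dict(decisions)


if __name__ == "__main__":
    zp, decisions = run()
    print(decisions)
    print(zp.half_open_by_dst(), zp.flood_alerts(25))
```

With the default thresholds the legitimate handshake costs the zone a single unmatched packet (the SYN; the SYN-ACK and ACK match the session it created), while the flood produces 10 allowed, 20 alarmed and 20 dropped packets in the same second. Only the 30 SYNs that got through leave half-open entries, which is what the flood view then reports for 10.0.0.20.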

Conclusion on Palo Alto security profiles and security policies:

Security policy rules allow or block traffic in the network, while security profiles scan the applications for threats such as viruses, malware, spyware and DDoS attacks.

Continue Reading:

FortiGate Firewall Policy: Rules, Types & Configuration

Checkpoint Firewall Policy: Rules & Configuration

Cisco SD-WAN vs Palo Alto Prisma: Detailed Comparison
https://networkinterview.com/cisco-sd-wan-vs-palo-alto-prisma/ Mon, 25 Sep 2023 16:43:43 +0000

SD-WAN Solutions

The penetration of cloud throughout enterprises has also brought the need for hybrid networking solutions that support private WANs and commodity Internet connections, in order to support the adoption of cloud applications, remote connectivity and scalability with application performance, including visibility. Major networking vendors such as Cisco, Palo Alto and Juniper Networks are offering SD-WAN solutions oriented towards servicing cloud infrastructures.

Today we look in more detail at two of the most popular SD-WAN solutions from leading network vendors, Cisco SD-WAN and Palo Alto Prisma (CloudGenix): their advantages, how they differ from each other, how they can still be integrated, use cases and so on.

Cisco SD-WAN

In traditional WANs, traffic is routed from remote sites to enterprise data centres over private MPLS circuits. This traditional structure is becoming out of date due to the increased movement of applications to public clouds such as Microsoft Azure and Amazon AWS. Moving user traffic from branches to the enterprise DC and then on to the cloud or Internet is inefficient, expensive and lacks scalability.

SD-WAN architecture applies the principles of software-defined networking (SDN), replacing the traditional data-centre-centric design. It is designed to meet the demands of enterprise applications and increased security requirements. Cisco SD-WAN is made up of four components, segregated into four planes:

  • orchestration plane,
  • management plane,
  • control plane, and
  • data plane.

Cisco vBond operates at the orchestration plane and orchestrates the onboarding of new, unconfigured devices onto the SD-WAN fabric. Cisco vManage operates at the management plane and runs the system's user interface and dashboard. It collects network telemetry data, runs analytics, alerts on events, creates device templates, pushes configurations and performs overlay traffic engineering.

Cisco vSmart is the control plane component and the brain of the overlay fabric, advertising policies, routing and security. Cisco vEdge is the data plane component; it sits at the WAN edge, establishes the network fabric and joins the SD-WAN overlay.

Features of SD-WAN

  • Centralized management is the main feature, offering operational simplicity and, as a result, a reduction in change and deployment times
  • Transport-independent overlay: as the underlay transport is abstracted from the overlay fabric, any combination of transports can be used in active/active fashion to reduce bandwidth costs
  • Sophisticated security, as it uses certificate identity with a zero trust security model
  • Application visibility: real-time analysis and application visibility are core components of this architecture and enable enforcement of service level agreements (SLAs) and tracking of performance metrics for specific application sets

Palo Alto Prisma (Cloud Genix)

Palo Alto Prisma SD-WAN is a cloud-delivered service which implements an application-defined, autonomous SD-WAN that helps to secure and connect branch offices, data centres and campus sites in a simple and cost-effective manner. The application fabric connects sites securely with application awareness and gives the freedom to use any WAN and any cloud.

It uses Instant-On Network (ION) devices deployed at locations to provide control and visibility wherever desired. It allows policies to be created based on business intent, enables dynamic path selection using the highest-performing network, and provides visibility into application and network performance.

A secure application fabric, AppFabric, is established by creating a virtual private network over every WAN link. ION devices automatically choose the best WAN path for applications and perform real-time analysis of application performance metrics and WAN links.

Features of Palo Alto Prisma (Cloud Genix)

  • Lets you measure and monitor specific paths as well as dynamically move sessions to the optimal path
  • Leverages commodity links such as broadband Internet, LTE etc.
  • Eliminates the need to manage multiple, disparate consoles from different vendors, using the Panorama network security management tool
  • Provisioning of new branches with zero touch provisioning, automating the tedious onboarding process
  • Hardware high availability in active/passive mode

Cisco SD-WAN vs Palo Alto Prisma: Comparison Table

(Comparison table: Cisco SD-WAN vs Palo Alto Prisma)

Download the comparison table: cisco sd-wan vs palo alto prisma

Continue Reading:

Palo Alto Prisma SD WAN: CloudGenix SD WAN

FortiGate SD-WAN Fundamentals

Palo Alto GlobalProtect
https://networkinterview.com/palo-alto-globalprotect/ Thu, 21 Sep 2023 14:47:08 +0000

Introduction

Palo Alto GlobalProtect is a network security solution for endpoints that protects the mobile workforce by extending the Next-Generation Security Platform to all users, wherever they are located. GlobalProtect secures traffic by applying Palo Alto next-generation security policies to the applications in use.

GlobalProtect enables security policies that are enforced whether users are internal or remote. Security policy can prevent cyberattacks through GlobalProtect policies in Palo Alto:

  • App-ID™ technology identifies type of application traffic, regardless of port number, and establishes policies to manage application usage based on users and devices.
  • User-ID™ technology identifies users and group membership for the implementation of role-based network security policies.
  • SSL Decryption inspects and controls applications that are encrypted with SSL/TLS/SSH traffic and stops attacks within the encrypted traffic.
  • WildFire® Malware prevention service automates the analysis of content to identify the threat to prevent it in near-real time.
  • Threat Prevention (IPS and antivirus) blocks network-based attacks on vulnerable applications, denial-of-service (DoS) attacks and port scans. Antivirus profiles block malware and spyware from reaching the endpoint using a stream-based engine.
  • URL Filtering with PAN-DB categorizes URLs based on their content at the domain, file and page level and receives analysis from WildFire.
  • File blocking stops the transfer of unwanted and virus infected files.
  • Data filtering enables policies that can be used to stop the unauthorized movement of data, such as the transfer of customer information or other confidential content.

Palo Alto GlobalProtect Components:

  • GlobalProtect Gateway: GlobalProtect delivers mobile threat prevention and policy enforcement based on application, user, content, device and device state. The GlobalProtect Gateway establishes VPN connections to secure the traffic, enforces policy to manage access to applications and data, and protects the secure connection from mobile devices against attacks. GlobalProtect Gateways run on the Palo Alto Networks next-generation security platform.
  • GlobalProtect App: The GlobalProtect App enables device management, establishes secure VPN connectivity for mobile client devices and interacts with the GlobalProtect Mobile Security Manager. The GlobalProtect App uses the GlobalProtect Gateway for a prescribed location to provide a transparent user experience for security.
  • GlobalProtect Mobile Security Manager: The GlobalProtect Mobile Security Manager ensures that devices are fully configured for use in a business environment. It delivers configuration and ongoing management of mobile device settings, checks for compliance with policy and monitors application usage on mobile devices. The GlobalProtect Mobile Security Manager works together with the WildFire cloud service to identify Android devices affected by malware and spyware; it runs on the GP-100 appliance.

Palo Alto GlobalProtect : Key Usage Scenarios and Benefits

Remote Access VPN:

  • Provides secure access to internal and external cloud-based business applications.

Advanced Threat Prevention:

  • Stops threats from reaching the endpoint.
  • Protects against phishing and credential theft.

URL Filtering

  • Enforces acceptable use policies.
  • Filters access to malicious and spyware domains and adult content.
  • Prevents the use of avoidance and evasion tools.
  • Secures access to SaaS applications.
  • Controls access and enforces policies for SaaS applications while blocking unsanctioned applications.

BYOD

  • Supports app-level VPN for user privacy.
  • Enables secure, clientless access for partners, business associates, and contractors and guests.
  • Supports automated identification of unmanaged devices.
  • Supports customized authentication mechanisms for managed and unmanaged devices like mobiles.

Zero Trust Implementation

  • Delivers reliable user identification.
  • Delivers immediate and accurate HIP for visibility and policy enforcement.
  • Enforces step-up multi-factor authentication to access sensitive resources.

Host Information Profile

Palo Alto GlobalProtect checks the endpoint to collect the details configured in a host information profile (HIP), which is shared with the next-generation firewall. The next-generation firewall uses the host information profile to enforce application policies that only allow access when the endpoint is properly configured and secured. These principles help enforce compliance with policies that govern how much access a given user should have with a particular device. Below are the attributes of a host information profile policy:

  • Managed/Unmanaged device identification
  • Machine certificates present on device
  • Device information received from mobile device manager
  • Operating system and application patch level
  • Host anti-malware version and state
  • Host firewall version and state
  • Disk encryption configuration
  • Data backup product configuration
  • Customized host conditions
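The HIP attributes above drive a match decision on the firewall. As an added example that is not part of the original article and not PAN-OS code, the Python below models that decision: HIP objects are named condition sets over a constructed HIP report, a HIP profile combines them with and/or/not the way a PAN-OS HIP profile does, and an attribute the endpoint did not report fails closed. The report contents, object names and profile expression are assumptions made for the example.

```python
"""Endpoint posture evaluation in the style of a GlobalProtect HIP profile (added
example, not Palo Alto Networks code). Assumptions: the HIP report is a nested dict of
the attributes the article lists, a HIP object is a named set of conditions, and a HIP
profile is an and/or/not expression over object names, as in a PAN-OS HIP profile."""
import re
from typing import Any, Dict, List, Tuple

# Constructed HIP report, as the GlobalProtect app would collect it from one laptop.
SAMPLE_REPORT: Dict[str, Any] = {
    "managed": True, "machine_cert_present": True,
    "os": {"name": "Windows", "patches_missing": 0},
    "anti_malware": {"installed": True, "real_time": True, "version": "4.12"},
    "firewall": {"installed": True, "enabled": True},
    "disk_encryption": {"state": "encrypted"},
    "backup": {"installed": False},
}
# HIP objects: name -> conditions (dotted attribute path, operator, expected value).
HIP_OBJECTS: Dict[str, List[Tuple[str, str, Any]]] = {
    "managed-device": [("managed", "==", True), ("machine_cert_present", "==", True)],
    "patched": [("os.patches_missing", "<=", 0)],
    "av-realtime": [("anti_malware.real_time", "==", True),
                    ("anti_malware.version", ">=", "4.10")],
    "fw-on": [("firewall.enabled", "==", True)],
    "disk-encrypted": [("disk_encryption.state", "==", "encrypted")],
    "backup-present": [("backup.installed", "==", True)],
}
# Constructed HIP profile: a managed, patched, protected device with encrypted disk or backup.
DEFAULT_PROFILE = "managed-device and patched and av-realtime and fw-on and (disk-encrypted or backup-present)"
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}

def _key(value: Any) -> Any:
    """Compare dotted version strings numerically so that '4.9' < '4.10'."""
    if isinstance(value, str) and re.fullmatch(r"\d+(\.\d+)*", value):
        return tuple(int(p) for p in value.split("."))
    return value

def lookup(report: Dict[str, Any], path: str) -> Any:
    """Walk a dotted path; an attribute the endpoint did not report yields None."""
    cur: Any = report
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def object_matches(report: Dict[str, Any], name: str) -> bool:
    """A HIP object matches only when every condition holds; missing data fails closed."""
    for path, op, want in HIP_OBJECTS[name]:
        got = lookup(report, path)
        if got is None or not OPS[op](_key(got), _key(want)):
            return False
    return True

def evaluate_profile(expr: str, report: Dict[str, Any]) -> bool:
    """Recursive-descent evaluation of e.g. 'a and (b or not c)' over HIP objects."""
    tokens = re.findall(r"\(|\)|[A-Za-z0-9_-]+", expr)
    pos = 0
    def peek() -> str:
        return tokens[pos] if pos < len(tokens) else ""
    def take() -> str:
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else ""
    def parse_or() -> bool:
        value = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()  # evaluate both sides so syntax errors always surface
            value = value or rhs
        return value
    def parse_and() -> bool:
        value = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            value = value and rhs
        return value
    def parse_not() -> bool:
        tok = take()
        if tok == "not":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in HIP profile")
            return value
        if tok not in HIP_OBJECTS:
            raise ValueError(f"unknown HIP object: {tok!r}")
        return object_matches(report, tok)
    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in HIP profile")
    return result

def access_decision(report: Dict[str, Any], profile: str) -> Tuple[str, List[str]]:
    """Security-rule outcome plus the HIP objects that failed, as a HIP-match log would show."""
    failed = [name for name in HIP_OBJECTS if not object_matches(report, name)]
    return ("allow" if evaluate_profile(profile, report) else "deny"), failed
```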

Conclusion

Palo Alto GlobalProtect provides an unmatched mobile security solution by combining traditionally distinct technologies to manage the device, protect the device and control the application data. GlobalProtect uses the next-generation security platform to enforce mobile app policies and to identify and block mobile threats. Using the next-generation security platform, organizations can enforce policies at the network layer, thus securing connections for both corporate and personally owned devices. Mobile device application data is better secured with GlobalProtect.

 

NAT Configuration & NAT Types – Palo Alto (https://networkinterview.com/nat-configuration-nat-types-palo-alto/, Fri, 28 Apr 2023 10:00:33 +0000)

In the previous post we discussed the architecture of the Palo Alto firewall. Now we will discuss NAT configuration and NAT types in Palo Alto.

Network Address Translation (NAT) translates private, non-routable IP addresses to one or more globally routable IP addresses, thereby conserving an organization’s routable IP addresses. The Palo Alto firewall supports NAT on Layer 3 and virtual wire interfaces. In PAN-OS, NAT policy rules instruct the firewall what action to take.

Palo Alto NAT Policy Overview

A NAT rule is created to match a packet’s source zone and destination zone. Zones are created to inspect packets from source and destination. Palo Alto evaluates the rules sequentially from top to bottom. The Palo Alto firewall checks the packet and performs a route lookup to find the egress interface and zone. Next, it verifies the packet and matches it against one of the NAT rules defined for those zones, based on source and destination zone. The policy is created and then applied to match the packet based on source and destination address.

One-to-one NAT is called static NAT in Palo Alto. The Palo Alto firewall reads the pre-NAT parameters, such as:

  • Pre-NAT IP address
  • Pre-NAT zone

Step by Step process  –  NAT Configuration in Palo Alto

STEP 1: Create the zones and interfaces

  1. Log in to the Palo Alto firewall and navigate to the “Network” tab.
  2. Create the three zones:
    • Trust
    • Untrust A
    • Untrust B
  3. Create the Layer 3 interfaces and tie them to the corresponding zones along with their IP addresses.

STEP 2: Configure layer 3 routing

  1. Navigate to the virtual router workspace and configure any layer 3 requirement of your network.

STEP 3: Create the NAT statements

  1. Define the NAT statements on the firewall. Go to the policies tab and select the NAT workspace.
  2. Our purpose is to allow traffic from the internal user subnet to traverse to the lab devices on “Untrust B” using the routable private IP space.

STEP 4: Create the matching security rule

  1. Every NAT rule should be paired with a corresponding security rule. Go to the security workspace on the policies tab.
  2. As established earlier, the pre-NAT IP is preserved in how the firewall processes the packet, so the security rule still uses the pre-NAT IP addresses.

NAT Types – Palo alto

1. Many-to-One, Hide NAT, Source NAT

Hide NAT is the most common use of address translation. It hides all internal LAN subnets behind a single external public IP. The NAT policy translates traffic originating from the trust zone and going out to the untrust zone, changing the source address to the IP assigned to the external physical interface. It also randomizes the source port. When packets are received back from the destination, they are automatically reverse-translated; the firewall maintains a state table tracking all active sessions and their NAT actions.

 

2. Many-to-Many NAT

In this NAT type, the translated address is taken from a pool of translated addresses rather than the interface address. The Palo Alto firewall selects an IP from the available pool based on the source IP address, so a given source address keeps the same translated IP. The source port is randomized. If the source port must remain the same (some applications require a specific source port), the translation type is Dynamic NAT, which preserves the client’s source port per translation.

 

3. One-to-One NAT, Static NAT

This is a one-to-one mapping of an internal IP to an external global IP. For example, a web server is mapped to a single global IP so it can be reached from the Internet. A one-to-one NAT policy translates and forwards incoming connections to the specific server. There are two ways to achieve this:

Bi-directional policy:

In a bi-directional policy, a flag is set that allows the system to create an (invisible) implied inbound policy. The bi-directional policy is sourced from trust and destined for untrust, with the source address set to the server’s internal IP and the source translation set to its public NAT address. The implied policy is created with a source zone of untrust, a destination zone of any, a destination IP of the public NAT address, and translation to the server’s IP address.

Uni-directional policy:

A uni-directional NAT policy offers less control than a bi-directional NAT policy, but it allows PAT, or Port Address Translation. PAT provides a great benefit when only a single public IP address can be used for multiple internal services.


Source and Destination NAT

In a U-turn situation, internal hosts need to connect to an internal server that is on the same network as the client, using its public IP address. To reach internal resources on a public IP, a new NAT policy needs to be created to accommodate trust-to-untrust translation.

Further, an asymmetric loop is created if the server receives a packet with the original source address and then sends reply packets directly to the client. The flow would be Client -> Palo Alto Firewall -> Server -> Client, and the firewall session is terminated because it violates TCP sanity checks. The solution is to add source translation to the firewall IP, so that the server’s reply packets are sent to the firewall, allowing for stateful sessions.
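The lookup order described in this article, as an added example that is not part of the original article and not PAN-OS code: a small Python model in which NAT rules are matched top-down on pre-NAT zones and addresses, the security rule is matched on pre-NAT addresses but the post-NAT destination zone, a bi-directional static rule gets its implied inbound rule, and the U-turn case shows why source translation to the firewall IP keeps the reply on the firewall. The zones, addresses and rule names are constructed for the example.

```python
"""Model of the NAT and security policy lookup order on a PAN-OS firewall (added example,
not Palo Alto Networks code). Constructed topology: zone 'trust' is 10.1.1.0/24 with the
firewall at 10.1.1.1, zone 'untrust' is 203.0.113.0/24 with the firewall at 203.0.113.1,
and the internal web server 10.1.1.20 is published as 203.0.113.10."""
import ipaddress
import random
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple
FW_TRUST_IP, FW_UNTRUST_IP = "10.1.1.1", "203.0.113.1"
# Routing table as (prefix, zone of the egress interface); longest prefix wins.
ROUTES = [("10.1.1.0/24", "trust"), ("203.0.113.0/24", "untrust"), ("0.0.0.0/0", "untrust")]

def zone_for(ip: str) -> str:
    """Route lookup: the zone the firewall would forward this destination into."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(p), z) for p, z in ROUTES if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def _in(ip: str, cidr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

@dataclass(frozen=True)
class Packet:
    src_zone: str
    src: str
    dst: str
    sport: int
@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str                     # zone from the route lookup on the pre-NAT destination
    src: str = "any"                 # pre-NAT source, CIDR or "any"
    dst: str = "any"                 # pre-NAT destination, CIDR or "any"
    src_xlate: Optional[str] = None  # translated source address
    dst_xlate: Optional[str] = None  # translated destination address
    random_port: bool = False        # hide NAT also randomises the source port
    bidirectional: bool = False      # static NAT with the bi-directional flag set
@dataclass(frozen=True)
class SecRule:
    name: str
    from_zone: str
    to_zone: str
    src: str = "any"
    dst: str = "any"

def expand(rules: List[NatRule]) -> List[NatRule]:
    """Materialise the implied inbound rule that bi-directional static NAT creates."""
    out: List[NatRule] = []
    for r in rules:
        out.append(r)
        if r.bidirectional and r.src_xlate:
            out.append(NatRule(r.name + "-implied", from_zone=r.to_zone, to_zone="any",
                               dst=r.src_xlate + "/32", dst_xlate=r.src.split("/")[0]))
    return out

def apply_nat(pkt: Packet, rules: List[NatRule]) -> Tuple[Optional[str], Packet]:
    """First match top-down; matching uses pre-NAT zones and addresses only."""
    dst_zone = zone_for(pkt.dst)
    for r in expand(rules):
        if r.from_zone not in ("any", pkt.src_zone) or r.to_zone not in ("any", dst_zone):
            continue
        if not (_in(pkt.src, r.src) and _in(pkt.dst, r.dst)):
            continue
        post = pkt
        if r.src_xlate:
            sport = random.randint(1024, 65535) if r.random_port else pkt.sport
            post = replace(post, src=r.src_xlate, sport=sport)
        if r.dst_xlate:
            post = replace(post, dst=r.dst_xlate)
        return r.name, post
    return None, pkt

def security_lookup(pre: Packet, post: Packet, rules: List[SecRule]) -> Tuple[str, str]:
    """Security policy matches pre-NAT addresses but the post-NAT destination zone."""
    dst_zone = zone_for(post.dst)
    for s in rules:
        if (s.from_zone in ("any", pre.src_zone) and s.to_zone in ("any", dst_zone)
                and _in(pre.src, s.src) and _in(pre.dst, s.dst)):
            return s.name, "allow"
    return "interzone-default", "deny"

def reply_bypasses_firewall(post: Packet) -> bool:
    """U-turn pitfall: a server answers a same-subnet source directly, bypassing the firewall."""
    return zone_for(post.src) == zone_for(post.dst) and post.src not in (FW_TRUST_IP, FW_UNTRUST_IP)

# Constructed rulebases; order matters because the first matching NAT rule wins.
NAT_RULES = [
    NatRule("u-turn-web", "trust", "untrust", src="10.1.1.0/24", dst="203.0.113.10/32",
            src_xlate=FW_TRUST_IP, dst_xlate="10.1.1.20"),
    NatRule("web-static", "trust", "untrust", src="10.1.1.20/32", src_xlate="203.0.113.10",
            bidirectional=True),
    NatRule("hide-nat", "trust", "untrust", src="10.1.1.0/24", src_xlate=FW_UNTRUST_IP,
            random_port=True),
]
SEC_RULES = [
    SecRule("allow-web-in", "untrust", "trust", dst="203.0.113.10/32"),
    SecRule("allow-web-uturn", "trust", "trust", src="10.1.1.0/24", dst="203.0.113.10/32"),
    SecRule("allow-out", "trust", "untrust", src="10.1.1.0/24"),
]
```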

NAT on a VWire

A VWire is a virtual wire, which provides security transparently to the end devices. Because interfaces in a VWire do not have an IP address assigned, the translated IP address must be assigned from a pool. When performing NAT on VWire interfaces, the source address is translated to a different subnet on which the neighboring devices communicate.

Conclusion

NAT in PAN-OS lets us create rules that instruct the firewall what to do with a packet: which packets come from trusted or untrusted zones, which packet ports need translation, and what the translated addresses and ports are.

 

Palo Alto Interface Types & Deployment Modes Explained (https://networkinterview.com/palo-alto-interface-types-deployment-modes/, Wed, 12 Apr 2023 15:50:03 +0000)

Introduction to Palo Alto Interface Types / Deployment Modes

The entry and exit points of traffic in a firewall are enabled by the interface configuration of its data ports. Palo Alto, being a next-generation firewall, can operate in multiple deployment modes simultaneously, because deployment happens at the interface level and interfaces can be configured to support different deployments.

For instance, the configuration can be done for some Layer 3 interfaces to integrate the Palo Alto firewall into dynamic routing environment, and at the same time other interfaces can be configured to integrate into the Layer 2 switching network. Thus, Palo Alto firewall provides an added advantage of flexibility and ease of deployment in network segmentation.

Palo Alto Interface Types

The firewall provides configuration options for both physical/Ethernet interfaces and logical interfaces.

Physical/Ethernet Interface Types

  • Tap Mode
  • High availability (HA)
  • Log card
  • Virtual Wire
  • Decrypt mirror
  • Layer 2
  • Layer 3
  • Aggregate Ethernet

Logical interface Types

  • VLAN
  • Loopback
  • Tunnel
  • SD-WAN

In this article, we will discuss the major interface types in detail.

TAP: Interface Type/ Deployment Option

The TAP Mode interface type uses the port mirroring or SPAN feature, which allows passive monitoring of traffic flows across a network. It involves configuring SPAN so that the tap port on the Palo Alto firewall connects to the destination SPAN port of the switch.

PROS

  • Organizations can monitor traffic without any changes to the network infrastructure.
  • Any threats on your network can be identified by the firewall.
  • Tap mode offers the visibility of application, user and content.

CONS

Because the traffic does not flow through the Palo Alto firewall, it cannot block any threats in that traffic. The traffic can be monitored but not controlled.

VIRTUAL WIRE (V-WIRE): Interface Type/ Deployment Option

As the name implies, it’s a virtual interface in which a firewall is installed transparently on a network segment by binding two interfaces/firewall ports. V-wire deployment mode simplifies installation and configuration because the firewall can be inserted into an existing network. You need not redesign the network or reconfigure the adjacent network devices. No MAC or IP addresses need to be assigned to the interfaces.

The virtual wire interfaces have no Layer 2 or Layer 3 addresses, as they are directly connected to a Layer 2/Layer 3 networking device/host.

PROS

  • The traffic can be monitored as well as controlled, this overcomes the limitation of TAP mode in which traffic can’t be controlled.
  • It doesn’t require any redesigning/reconfiguring.
  • It supports traffic blocking/allowing based on VLAN (Virtual LAN) tags.
  • It supports features like App-ID, User-ID, Content-ID, NAT, QoS and SSL decryption.

CONS

It does not support switching, VPN tunnels, or routing, as no IP address is assigned to the interfaces at Layer 2 or Layer 3.

 

LAYER 2: Interface Type/ Deployment Option

In this type of interface, the firewall is configured to perform switching between two or more network segments. The traffic can be examined as per the policies which provides increased security and visibility within the internal network.

The firewall interfaces do not participate in the Spanning tree topology but they are capable of supporting the access/trunk links. Any bridge protocol data units (BPDU) received are directly transferred to the neighbouring Layer 2 switch without processing.

Layer 2 interface is to be configured when switching is required.

The routing of traffic between VLAN/other networks is achieved via a default gateway. This default gateway is generally a Layer 3 switch.

PROS

The traffic can be examined, monitored and controlled.

It supports features like App-ID, User-ID, Content-ID, NAT, QoS and SSL decryption.

 

LAYER 3: Interface Type/ Deployment Option

 

The Layer 3 interface type supports IP address configuration. Traffic is routed between multiple ports. Each port is configured with an IP address and security zone. Layer 3 interface configuration requires an internal virtual router: for each Layer 3 interface, a virtual router needs to be configured to route the traffic.

PROS

  • The traffic can be examined, monitored and controlled.
  • It supports features like App-ID, User-ID, Content-ID, NAT, QoS and SSL decryption.
  • It supports sub interfaces with VLAN tags

IPSec VPN Set Up – Palo Alto (https://networkinterview.com/ipsec-vpn-set-up-palo-alto/, Sun, 05 Mar 2023 12:55:07 +0000)

Site-to-Site VPN Overview

A VPN connection that allows you to connect two Local Area Networks (LANs) securely is called a site-to-site VPN. A route-based VPN can be configured to connect Palo Alto Networks firewalls located at two sites, or to connect a Palo Alto Networks firewall with a third-party security device at another location. The Palo Alto firewall can also communicate with third-party policy-based VPN devices. Palo Alto sets up a route-based VPN tunnel, in which the routing decision chooses the destination and all matching traffic is handled by the VPN tunnel.

The IP Security (IPSec) set of protocols is used to set up a secure tunnel for the VPN traffic, and the information in the TCP/IP packet is secured by ESP encryption. The IP packet (header and payload) is embedded in another IP payload, a new header is applied, and the result is passed through the IPSec tunnel. The source IP address in the new header is the local VPN peer and the destination IP address is the far-end peer. When the packet reaches the far end, the outer header is removed and only the original IP packet is left.

The diagram above depicts a VPN tunnel between two sites, in which a user secured by VPN Peer A needs data from a server located behind VPN Peer B. If the security policy permits the connection, VPN Peer A uses the IKE Crypto profile parameters (IKE phase 1) to establish a secure connection and authenticate with VPN Peer B. The VPN tunnel is then established using the IPSec Crypto profile to allow the secure transfer of data between the two sites.

IPSec VPN Set Up: Palo Alto Networks

Setting Up Site-to-Site VPN

  1. Configure an interface as a Layer 3 interface.
  2. Create the tunnel interfaces and assign them to a separate zone so the tunnel can use different policies.
  3. Set up static routes or assign routing protocols to route traffic to the VPN tunnels.
  4. Define IKE gateways for establishing the tunnel between the peers, and set up the protocols and algorithms for identification, authentication and encryption of the VPN tunnels in IKEv1 Phase 1.
  5. Set up the tunnel parameters needed to establish the IPSec secure tunnel for transferring data across the VPN tunnel.
  6. Define security policies to filter and inspect the traffic between the tunnels.

Site-to-Site VPN with Static Routing

In this scenario, VPN connection between two sites is set up by using static routes. Tunnel interfaces on VPN Peer A and VPN Peer B do not require an IP address because the firewall uses the tunnel interface as the next hop for routing traffic across the sites. Static IP address is assigned to each tunnel interface for monitoring.

Step 1: Configure a Layer 3 interface for IKE phase 1 tunnel establishment.

Step 2: Create a tunnel interface and attach it to a virtual router and security zone.

Step 3: Configure a static route, on the virtual router, to the destination subnet.

Step 4: Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2) on both ends.

Step 5: Set up the IKE Gateway.

Step 6: Set up the IPSec Tunnel.

Step 7: Create policies to apply on tunnel interface to allow traffic between the sites.

Step 8: Commit any pending configuration changes. Click Commit.

Step 9:  Test VPN Connectivity.

Site-to-Site VPN with OSPF

In this case, each site uses OSPF for dynamic routing of traffic.

Step 1: Configure the Layer 3 interfaces on both firewalls.

Step 2: Create a tunnel interface and attach it to a virtual router and security zone.

Step 3: Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2) on both ends.

Step 4: Set up the OSPF configuration on the router and attach the OSPF areas with the appropriate interfaces on the firewall.

Step 5: Set up the IKE Gateway.

Step 6: Set up the IPSec Tunnel.

Step 7: Create policies to apply on tunnel interface to allow traffic between the sites

Step 8: Verify OSPF adjacencies and routes from the CLI.

Step 9: Test VPN Connectivity.

Site-to-Site VPN with Static and Dynamic Routing

In this scenario, one site uses static routes and the other site uses OSPF. When the routing protocol differs between the two peers, a redistribution profile must be configured on the firewall so that it participates in both the static and the dynamic routing process. Without this redistribution profile, a routing protocol does not exchange any route information with other protocols running on the same router.

Step 1: Configure the Layer 3 interfaces on each firewall.

Step 2: Set up the Crypto profiles.

Step 3: Set up the IKE Gateway.

Step 4: Create a tunnel interface and assign to a security zone.

Step 5: Set up the static route and the OSPF configuration on the router and assign the OSPF areas with the appropriate interfaces on the firewall.

Step 6: Create a redistribution profile to inject the static routes into the OSPF autonomous system.

Step 7: Set up the IPSec Tunnel.

Step 8: Create policies to allow traffic between the peers.

Step 9: Verify OSPF adjacencies and routes from the CLI.

Step 10: Test VPN Connectivity.

 

Conclusion

Virtual private networks (VPNs) create tunnels that allow users’ systems to connect securely over a public network to transfer data. To set up a VPN tunnel, the Palo Alto Networks firewalls at both ends need to authenticate each other and encrypt the data traffic between them.

 

SSL VPN Configuration in Palo Alto – Detailed Explanation (https://networkinterview.com/ssl-vpn-configuration-in-palo-alto/, Fri, 17 Feb 2023 11:51:12 +0000)

Overview

In our previous article, we studied IPSec VPN Set Up. In this article we will run through the CLI commands and GUI steps to configure an IPSec VPN, including the tunnel and route configuration on a Palo Alto Networks firewall. Let’s discuss the VPN configuration in Palo Alto in detail.

SSL VPN Configuration : Palo Alto

Configuring the GRE Tunnel on Palo Alto Firewall:

Step 1. Creating a Zone for Tunnel Interface.

Define a Network Zone for GRE Tunnel. Click on Network >> Zones and click on Add. Next, Enter a name and select Type as Layer3.

Step 2. Creating a Tunnel Interface.

Configure the Tunnel interface. Click on Network >> Interfaces >> Tunnel and click Add. Configure an IP address for the tunnel interface.

Step 3. Creating a GRE Tunnel.

Configure the GRE Tunnel on Palo Alto Firewall. Click on Network >> GRE Tunnel and click Add. Define a name for this GRE Tunnel, select the interface on which you have your Public IP. Configure the Local Address and Peer Address.

Step 4. Creating the default route for the destination network.

To configure a default route, click on Network >> Virtual Routers >> Default >> Static Route and click on Add, then define the destination network for the peer end.

Step 5. Configuring Security Policy for GRE Tunnel.

Configure the security policy on Palo Alto Firewall LAN TO GRE and GRE TO LAN. Click on Policies >> Security and click on Add.

Step 6. Commit the Configuration.

Step 7. Verify the configuration of GRE Tunnel.

Example –

Test-LAB> show interface tunnel.(VPN Name)

 

IPSec Tunnel creation commands should be executed in the order listed below:

> configure

# set network interface tunnel units tunnel (number) ipv6 enabled no

# set network interface tunnel units tunnel (number) ipv6 interface-id EUI-64

# set network interface tunnel units tunnel (number) comment “(name) VPN”

# set zone vpn network layer3 tunnel(number)

# set network virtual-router (virtual router number) interface (name)

# set network ike gateway (VPN Name) VPN protocol ikev1 dpd enable no

# set network ike gateway (VPN Name) VPN protocol ikev1 dpd interval 5

# set network ike gateway (VPN Name) VPN protocol ikev1 dpd retry

# set network ike gateway (VPN Name) VPN protocol ikev1 ike-crypto-profile IKE_Profile

# set network ike gateway (VPN Name) VPN protocol ikev1 exchange-mode auto

# set network ike gateway (VPN Name) VPN authentication pre-shared-key key paloalto

# set network ike gateway (VPN Name) VPN protocol-common nat-traversal enable no

# set network ike gateway (VPN Name) VPN protocol-common passive-mode no

# set network ike gateway (VPN Name) VPN peer-address ip X.X.X.X

# set network ike gateway (VPN Name) VPN local-address interface Ethernet (number)

# set network tunnel ipsec (VPN Name) VPN auto-key ike-gateway (VPN Name) VPN

# set network tunnel ipsec (VPN Name) VPN auto-key ipsec-crypto-profile IPsec_Profile

# set network tunnel ipsec (VPN Name) VPN tunnel-monitor enable no

# set network tunnel ipsec (VPN Name) VPN anti-replay yes

# set network tunnel ipsec (VPN Name) VPN copy-tos no

# set network tunnel ipsec (VPN Name) VPN tunnel-interface tunnel (number)

# set network virtual-router “Virtual Router (any number)” routing-table ip static-route Route_to_(VPN Name) interface tunnel (number)

# set network virtual-router “Virtual Router (any number)” routing-table ip static-route Route_to_(VPN Name) metric 10

# set network virtual-router “Virtual Router (any number)” routing-table ip static-route Route_to_(VPN Name) destination (Subnet)

 

Verification commands to validate IPSEC Tunnel configuration:

# show network ike

# show network tunnel ipsec

 

SSL Decryption with Certificate in Palo Alto:

Step 1. Generating a Self-Signed Certificate for GlobalProtect.

Click on Device >> Certificate Management >> Certificates >> Device Certificates >> Generate. Now fill in the certificate fields as instructed on screen.

Step 2. Creating an SSL/TLS Service Profile.

Click on Device >> Certificate Management >> SSL/TLS Service Profile >> Add. Select the certificate to use for TLS.

Step 3. Creating Local Users for GlobalProtect VPN Authentication.

Click on Device >> Local User Database >> Users and click on Add.

Step 4. Creating Authentication Profile for GlobalProtect VPN.

Click on Device >> Authentication Profile and click on Add. Open the Advanced tab and add users to Allow List.

Step 5. Creating a zone for GlobalProtect VPN Traffic.

To create Security Zone, click on Network >> Zones >> Add.

Step 6. Creating a tunnel interface for GlobalProtect.

Click on Network >> Interfaces >> Tunnel >> Add, to create a tunnel interface.

Step 7. Portal Configuration for GlobalProtect.

Click on GlobalProtect >> Portals >> Add. Open the General tab and provide a name for the GlobalProtect Portal configuration. Open the Authentication tab and select the SSL/TLS service profile you created in Step 2. Under Client Authentication, click on Add. Now open the Agent tab, select the Trusted Root CA (created in Step 1) and check the option “Install in Local Root Certificate Store”. Open the User/User Group tab and choose the OS and User/User Group you have in your environment. Open the External tab and add an External Gateway. Enter the name of the External Gateway, provide the IP, Source Region and Priority details, and click OK.

Step 8. Gateway Configuration for GlobalProtect.

Open Network >> GlobalProtect >> Gateways and click on Add. Give a name to the GlobalProtect Gateway. Select the Authentication tab, select the SSL/TLS service profile, and click on Add to add a client authentication profile. Select the OS name and the authentication profile. Select the Agent tab, enable tunnel mode, and select the tunnel interface created in the earlier step. Select the Client Settings tab and click on Add. Give this a user-friendly name. Now open IP Pools and assign an IP subnet or IP range from which an IP address is assigned once the client successfully authenticates to GlobalProtect.

Step 9. Security policy for GlobalProtect.

To configure a security policy, open the Policy >> Security and click on Add.

Step 10. NAT Policy for GlobalProtect clients.

To configure a NAT rule access Policies >> NAT and click on Add.

 

Conclusion

In this article, we configured the GRE, IPSec and SSL/TLS including defining a certificate, GlobalProtect Portal and GlobalProtect Gateway and Security policies to permit the traffic which is received from the GlobalProtect tunnel interface.

Palo Alto SSL Decryption (https://networkinterview.com/palo-alto-ssl-decryption/, Wed, 15 Feb 2023 10:05:13 +0000)

Before digging deep into Palo Alto SSL Decryption, let’s first understand what decryption is.

What is Decryption?

Palo Alto firewalls can decrypt and inspect traffic to gain visibility into threats and to control protocols, certificate verification and failure handling. Decryption applies policies to encrypted traffic so that the firewall handles it according to the customer’s configured security policies. Traffic is decrypted as it enters the firewall and re-encrypted as it leaves. Below are the different ways that Palo Alto can decrypt traffic.

  • SSH Proxy
  • SSL Inbound Inspection
  • SSL Forward Proxy (SSL Decryption)

SSH Proxy

SSH Proxy is a way that the firewall can decrypt and inspect tunneled SSH traffic passing through the firewall. It does not require certificates and the key used to decrypt SSH sessions is generated automatically on the firewall during boot up. With SSH decryption enabled, the firewall decrypts SSH traffic based on your decryption policy. Traffic is re-encrypted as it exits the firewall.

Configuration of SSH Proxy

Step 1. Configure interfaces as either virtual wire, Layer 2, or Layer 3 interfaces. Decryption can be performed on virtual wire, Layer 2, or Layer 3 interfaces of firewall.

Step 2. Create a decryption policy rule for SSH proxy to define traffic for the firewall.

Step 3. Commit the configuration.

 

SSL Inbound Inspection

SSL Inbound Inspection is required to inspect communication with a web server protected by the firewall; the traffic is decrypted using the internal web server’s SSL certificate. With an SSL Inbound Inspection decryption policy configured, the firewall decrypts all SSL traffic. The firewall blocks, restricts, or allows the traffic based on the decryption profile applied to it, including any configured Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering, and File Blocking profiles.

Configuration of SSL Inbound Inspection

Step 1. Configure interfaces as either virtual wire, Layer 2, or Layer 3 interfaces.

Step 2. Make sure certificate is installed on the firewall.

Step 3. Create a decryption policy rule SSL Inbound Inspection to define traffic for the firewall.

Step 4. Configure the firewall to forward decrypted SSL traffic for WildFire analysis.

Step 5. Commit the configuration.

 


SSL Forward Proxy (Palo Alto SSL Decryption)

SSL Forward Proxy (SSL Decryption) is an advanced firewall feature for inspecting traffic inside SSL-encrypted packets. SSL Decryption is the ability to view the contents of HTTPS (SSL) traffic as it passes through the Palo Alto Networks firewall:

  • Without SSL Decryption: the firewall has no access to the information inside an encrypted SSL packet.
  • With SSL Decryption: for traffic generated from your own network, the firewall gains visibility into the SSL packet to find hidden applications and threats inside SSL traffic.

Configuration of SSL Forward Proxy

Step 1. Configure interfaces as either virtual wire, Layer 2, or Layer 3 interfaces.

Step 2. Configure the SSL Forward Trust certificate, which the firewall presents to clients when a trusted CA has signed the server certificate.

Step 3. Distribute the SSL Forward Trust certificate to the client systems' certificate stores.

Step 4. Configure the Forward Untrust certificate.

Step 5. Configure the key for SSL Forward Proxy server certificates. By default, the key size the SSL forward proxy uses is based on the key size of the destination server's certificate.

Step 6. Create a decryption policy rule for SSL Forward Proxy to define the traffic for the firewall to decrypt.

Step 7. Configure the firewall to forward decrypted SSL traffic for WildFire analysis.

Step 8. Commit the configuration.

 

TLSv1.3

TLSv1.3 is the latest version of the TLS (Transport Layer Security) protocol, the successor to SSL.

Verify Decryption

  • View decrypted traffic sessions.
  • View the SSL sessions that were not decrypted in the session logs.
  • View the log for a particular session in the decryption log by filtering on the Session ID.
  • To view all TLS and SSH traffic, filter the traffic logs to show both decrypted and undecrypted TLS and SSH sessions.

 

Conclusion

SSL Decryption refers to viewing the contents of HTTPS (SSL) traffic as it passes through the Palo Alto Networks firewall. Without SSL Decryption, the firewall has no access to the information inside an encrypted SSL packet. The firewall decrypts SSL traffic so that application control features such as URL Filtering, the virus scanner, or file content policies can scan it. It dynamically creates a certificate for the session and signs it with the SSL inspection root certificate.

High Availability Palo Alto (https://networkinterview.com/high-availability-palo-alto/, Wed, 01 Feb 2023)

High availability (HA) refers to a system or component that stays operational without interruption for long periods of time. High availability is measured as a percentage; a 100% system is a service that experiences zero downtime.

High Availability (HA) Overview

When setting up two Palo Alto firewalls as an HA pair, the HA peers must run the same PAN-OS version. High availability (HA) minimizes downtime and ensures that a secondary firewall is available in the event that the active firewall fails. Dedicated HA ports on the firewalls are used to synchronize data, object and policy configurations and to maintain state information with the passive firewall. Some firewall-specific configuration is not synchronized between peers, such as the management interface IP address, administrator profiles, log data and the Application Command Center (ACC).

High Availability Modes:

There are two modes of firewall deployment in an HA pair.

Active/Passive: In this mode, one firewall actively manages traffic while the other is synchronized and ready to transition to the active state if a failure occurs. Both firewalls share the same configuration settings. When the active firewall fails, the passive firewall transitions to the active state and takes over as the active node. A/P (Active/Passive) HA is supported in virtual wire, Layer 2 and Layer 3 deployments.

Active/Active: In this mode, both firewalls process traffic and work together to coordinate session setup and session ownership. Each firewall maintains its own routing table and synchronizes with its peer. A/A (Active/Active) HA is supported in virtual wire and Layer 3 deployments.

Failover

When one firewall goes down and the other peer takes over its role, the event is called a failover. A failover is triggered when heartbeat and hello messages go unanswered, a monitored physical link goes down, or a monitored path stops responding to ICMP. Each parameter is explained below:

  • Heartbeat Polling and Hello messages: Hello messages and heartbeat polling are used to verify that the peer firewall is alive and operational. Hello messages are sent from one peer to the other at the configured interval.
  • Link Monitoring: The physical interfaces to be monitored are grouped into a link group and their state (link up or link down) is monitored.
  • Path Monitoring: Path monitoring uses ICMP pings to verify reachability of a configured IP address. The default ping interval is 200 ms.

Device Priority and Preemption

Firewalls in an HA pair can be configured with a device priority value to express a preference for which firewall should be active. Enable preemptive behavior on both firewalls and configure the device priority value on each. The firewall with the lower numerical value, and therefore higher priority, is designated active and the other firewall acts as the passive firewall.

Floating IP Address and Virtual MAC Address

In an A/A HA deployment, floating IP addresses move from one HA firewall to the other if a link or firewall goes down. The firewall responds to ARP requests for the floating IP with a virtual MAC address. Floating IP addresses are recommended when Layer 3 redundancy functionality such as Virtual Router Redundancy Protocol (VRRP) is configured on the firewall. They can also be used to implement VPNs and source NAT.

ARP Load-Sharing

In an active/active HA deployment, ARP load-sharing allows the firewalls to share an IP address and provide gateway services. Use ARP load-sharing when there is no Layer 3 device between the firewalls and the end hosts.

Route-Based Redundancy

In an active/active HA deployment, the firewalls use dynamic routing protocols to determine the best path. In this scenario no floating IP addresses are necessary. If a link failure or topology change occurs, the routing protocol (RIP, OSPF, or BGP) handles rerouting the traffic.

HA Firewall States

Configure Active/Passive HA

Step 1. Physically connect the HA ports and configure them on both firewalls.

Step 2. Enable ICMP (ping) on the management port.

Step 3. If dedicated HA ports are not available on the firewall, data ports can be configured to function as HA ports.

Step 4. Configure the HA mode and group ID.

Step 5. Configure the control link connection.

Step 6. (Optional) Enable the encryption for the control link connection.

Step 7. Configure the backup control link connection.

Step 8. Configure the data link connection (HA2) and the backup HA2 connection between the firewalls.

Step 9. Configure heartbeat backup if the control link uses a dedicated HA port or an in-band port.

Step 10. Configure the device priority and enable preemption.

Step 11. (Optional) Configure the HA Timers.

Step 12. (Optional) Configure the link status of the HA ports on the passive firewall.

Step 13. Enable HA.

Step 14. (Optional) Configure LACP and LLDP pre-negotiation for A/P HA mode to speed up failover if the network uses LACP or LLDP.

Step 15. Commit the configuration changes.

Step 16. Verify the firewalls are paired in active/passive HA.

 

Configure Active/Active HA

Step 1. Physically connect the HA ports and configure them on both firewalls.

Step 2. Enable ICMP (ping) on the management port.

Step 3. If dedicated HA ports are not available on the firewall, data ports can be configured to function as HA ports.

Step 4. Configure the active/active HA and set the group ID.

Step 5. Configure the Device ID, enable synchronization, and identify the control link on the peer firewall.

Step 6. Verify each firewall's Device ID and preempt value.

Step 7. Configure heartbeat backup if your control link uses a dedicated HA port or an in-band port.

Step 8. (Optional) Configure the HA Timers.

Step 9. Configure the control link connection.

Step 10. (Optional) Configure the encryption for the control link connection.

Step 11. Configure the backup control link connection.

Step 12. Configure the data link connection (HA2) and the backup HA2 connection between the firewalls.

Step 13. Configure the HA3 link for packet forwarding.

Step 14. (Optional) Configure the Tentative Hold time.

Step 15. Configure Session Owner and Session Setup.

Step 16. Configure an HA virtual address.

Step 17. Configure the floating IP address.

Step 18. Configure ARP Load-Sharing.

Step 19. Define HA Failover Conditions.

Step 20. Commit the configuration changes.

 

Verify Failover

Step 1. Suspend the active firewall.

Step 2. Verify that the passive firewall has taken over the active role.

Step 3. Restore the suspended firewall to a functional state and verify that preemption has occurred, if preemptive is enabled.
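To make the failover and preemption behaviour described in the Failover, Device Priority and Preemption, and Verify Failover sections concrete, here is an added Python simulation (not code from the article or from PAN-OS). The hello-miss limit, peer names and priority values are constructed; the election rule it implements is the one stated above: the peer with the lower priority number becomes active, and after restoration it preempts only when preemptive is enabled on both peers.

```python
from dataclasses import dataclass

# Constructed parameter for this example: hello messages missed before the
# peer is declared down (PAN-OS uses its own configurable HA timers).
HELLO_MISS_LIMIT = 3


@dataclass
class HaPeer:
    name: str
    priority: int            # lower numerical value = higher priority
    preemptive: bool = True
    state: str = "passive"   # "active", "passive", "suspended", "non-functional"
    missed_hellos: int = 0

    @property
    def eligible(self) -> bool:
        return self.state in ("active", "passive")


class HaPair:
    """Active/passive pair: one active peer, the other synchronized and waiting."""

    def __init__(self, first: HaPeer, second: HaPeer):
        self.peers = (first, second)
        self._elect()

    def active(self):
        return next((p for p in self.peers if p.state == "active"), None)

    def _peer(self, name: str) -> HaPeer:
        return next(p for p in self.peers if p.name == name)

    def _elect(self):
        """Decide which eligible peer is active. Preemption only applies when
        both peers have preemptive enabled, as the configuration step above
        requires; otherwise the current active peer keeps the role."""
        eligible = [p for p in self.peers if p.eligible]
        if not eligible:
            return
        current = self.active()
        best = min(eligible, key=lambda p: p.priority)
        if current is None:
            winner = best
        elif best is not current and all(p.preemptive for p in self.peers):
            winner = best
        else:
            winner = current
        for p in eligible:
            p.state = "active" if p is winner else "passive"

    def hello_timeout(self, name: str) -> str:
        """A hello/heartbeat from `name` was missed. Once HELLO_MISS_LIMIT is
        reached the peer is declared non-functional and a failover runs."""
        peer = self._peer(name)
        peer.missed_hellos += 1
        if peer.eligible and peer.missed_hellos >= HELLO_MISS_LIMIT:
            peer.state = "non-functional"
            self._elect()
        return peer.state

    def monitor_failure(self, name: str) -> str:
        """Link or path monitoring failed on `name`: immediate failover."""
        self._peer(name).state = "non-functional"
        self._elect()
        return self._peer(name).state

    def suspend(self, name: str):
        """Verify Failover, step 1: administratively suspend a peer."""
        self._peer(name).state = "suspended"
        self._elect()

    def restore(self, name: str):
        """Verify Failover, step 3: bring a peer back to a functional state."""
        peer = self._peer(name)
        peer.state = "passive"
        peer.missed_hellos = 0
        self._elect()


def failover_drill(preemptive: bool):
    """Run the Verify Failover steps; return the active peer after each step."""
    pair = HaPair(HaPeer("fw-a", priority=100, preemptive=preemptive),
                  HaPeer("fw-b", priority=200, preemptive=preemptive))
    after_setup = pair.active().name
    pair.suspend("fw-a")
    after_suspend = pair.active().name
    pair.restore("fw-a")
    after_restore = pair.active().name
    return after_setup, after_suspend, after_restore


if __name__ == "__main__":
    print("preemptive:", failover_drill(True))        # ('fw-a', 'fw-b', 'fw-a')
    print("non-preemptive:", failover_drill(False))   # ('fw-a', 'fw-b', 'fw-b')
```

failover_drill runs the three Verify Failover steps and returns which peer is active after setup, after suspending fw-a, and after restoring it, so the preemptive and non-preemptive cases can be compared directly.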

 

Conclusion

In high availability (HA), two firewalls are combined into a group and their configuration is synchronized to prevent a single point of failure in the network. A heartbeat connection between the peers keeps sending keepalive signals so that a full failover occurs in the event that a peer goes down. Deploying two firewalls in an HA pair provides redundancy and lets you ensure business continuity with 99.99% uptime.

Palo Alto Prisma Cloud: Comprehensive Cloud Security (https://networkinterview.com/palo-alto-prisma-cloud-security/, Sun, 18 Sep 2022)

Cloud native technologies help development teams build and deploy applications faster than before. However, this open architecture creates new challenges for security teams. Cloud workloads are spread out across

  • Virtual Machines
  • Containers
  • Serverless and many points in between security devices

They can be spun up and destroyed in a matter of minutes. This dynamic, distributed infrastructure makes it hard to identify resources, manage configuration, monitor alerts, control permissions and identity access, and to ensure compliance with standards such as HIPAA, SOC2 and PCI.

What is Prisma Cloud?

Palo Alto Prisma Cloud is a comprehensive platform that simplifies security across cloud native environments.

This cloud native platform brings together comprehensive security capabilities by delivering full life cycle security and full stack protection. Prisma Cloud enhances visibility, secures data, and performs threat detection and workload protection.

At Palo Alto Networks we know the future will run on cloud technology, so Prisma helps us secure the cloud hub and, in that way, your future technologies.

Prisma Cloud raises the following questions about cloud security:

  • How can the cloud provide security to users?
  • How can we protect cloud-based infrastructure?
  • How can the Cloud help us to deliver better security?

To answer these questions, we should understand what exactly Prisma Cloud is. Nowadays 8 out of 10 applications are moving to the cloud, and everything is managed by a cloud provider or a DevOps team.

Prisma Cloud can essentially identify configuration errors and workloads that have fallen out of compliance and need to be corrected under the applicable governance rules and regulations. Prisma Cloud can do many different things (shown in the image below).

Let's discuss some key points of Prisma Cloud:

  • Supports multiple cloud infrastructure platforms: It supports deployment across multiple cloud infrastructures from a single console. For example, you can implement and monitor networks hosted on different cloud services such as Azure, AWS and Google.
  • Policy scan and monitoring: Prisma can scan the policies implemented on multiple cloud networks and compare them with compliance standards. It notifies the administrator if any policy violation occurs.
  • Anomaly detection: Prisma Cloud uses machine learning to detect malicious traffic behaviour. Prisma checks traffic patterns and takes the necessary action accordingly. Every traffic pattern is categorised by severity of risk and relevant business impact. Furthermore, risks are aggregated by severity, and alerts can be customised by the administrator to get notifications on the dashboard.
  • Compliance report: Prisma Cloud can generate policy violation and threat identification reports, which are then discussed with CISA and the risk management team to reduce the risk factor and mitigate any compliance issue.

Palo Alto Prisma Cloud Dashboard Features

Prisma Cloud Dashboard provides the following features:

  • It provides and measures cloud security capabilities
  • Progress reports and alerts
  • Improved operationalisation for correcting errors

1. Dashboard: It covers assets, alerts, compliance and policies

2. Inventory: Alerts and compliance of the assets managed by Prisma Cloud

3. SecOps: It represents the performance of assets that are connected to the Internet.

4. Prisma Cloud Policies: It provides predefined policies that adhere to PCI-DSS, HIPAA, SOC2 and governance standards. You can customise Prisma policies according to network requirements.

5. Threat Detection: It can detect vulnerabilities in CSPM (Cloud Security Posture Management) and CWPP (Cloud Workload Protection Platform)

6. Investigation: Investigate logs and errors in Prisma Cloud

Compliance Dashboard: It shows compliance charts and standards. We can customise the reports and charts in this dashboard.

Prisma Cloud Network Security: It provides network security logs for assets exposed to the public cloud network.

Prisma Cloud Onboarding

To add your account to Prisma Cloud, you first need to add your cloud vendor (AWS, Azure, Google) to Prisma Cloud. Please find the steps below:

1. Log in to your Prisma Cloud account

2. Go to Settings

3. Select New Cloud Account

4. It will list multiple cloud vendors; select your cloud service provider. Here I am selecting AWS.

5. Name your AWS cloud account

6. Select the cloud mode, i.e. Monitor (default service account with read-only access) or Monitor & Protect (Prisma can read the configuration and apply mitigations to avoid compliance issues)

7. Select the Data Security option, which scans for malware

8. Select Next

9. From the Configure Account step we can select Create Stack; a CloudFormation template is used to create the resources required in the AWS account so that Prisma Cloud has the necessary API access and the CloudTrail SNS data

10. Select Cloud Stack

Once we select Create Stack it navigates to the console of the AWS account, where we can monitor the stack creation process.

You can specify the stack name and the Prisma Cloud role name with DLP. After verifying the configuration, select Create Stack.

A new stack has now been created. Make sure no errors have occurred.

If I click the Output tab, two new resources are created:

  • The RoleARN: required to access your S3 buckets
  • The SNSARN: required for forward scan event notifications

Now we need to go back to the Prisma Cloud window (step 9) and add those values in the Role ARN and SNS Topic ARN fields.

11. Copy the RoleARN from the AWS account and paste it into the Prisma Cloud onboarding setup.

12. Similarly, copy the SNSARN value and paste it into SNS Topic ARN.

Now go to the Resources tab and check that the RoleARN and SNSARN were created there.

The next step is to create a CloudTrail trail from the Setup tab. We configure CloudTrail to monitor the right events and SNS topics so that the Prisma Cloud Data Security module is notified when new objects are added to storage and forward scanning is triggered to pick up any new or modified files.

The link shown in the dialogue box takes you to Tech Docs, the online documentation, where the steps for the entire onboarding procedure for AWS are described in the admin guide.

13. Let's go back to the AWS console and select CloudTrail from the options. We are now on the CloudTrail service page.

14. Get started by selecting Create Trail.

15. Give the trail a name (we have used ctrail-demo) and select the other options for S3 and the trail log folder.

16. Refer to all the steps shown in the image below and, when you are finished, click Next.

17. In the Choose Log Events section select the event types and deselect API read mode.

18. In the Data events section follow the image below and select the red-marked options. Click Next.

19. It then moves to the review page. Review your configuration and click Create Trail.

The table now shows that the trail has been created and is logging successfully.

20. Once the CloudTrail configuration is complete, move on to the next step.

21. Now we will configure Data Security. You can select all S3 buckets for the account, or customise the selection to a specific list of buckets as per your requirement.

Select either the Forward option or the Forward and Backward option:

Forward option: forward scan is enabled by default and cannot be disabled.

Forward & backward scan: when you select backward scan, Prisma Cloud starts scanning all existing files in the bucket in a batch operation.

Depending on the files in the bucket, the backward scan may cost the organisation more.

22. Select the default account from the options and click Next.

23. Now we can check the status of the services we have configured for the Prisma Cloud account. It monitors the Prisma Cloud status with the AWS account.

For Data Security, the status of CloudTrail and Storage MUST be healthy. Once the status is green you can proceed to the Done option.

Your account on Prisma Cloud is ready.

Packet Flow in Palo Alto – Detailed Explanation (https://networkinterview.com/packet-flow-in-palo-alto-detailed-explanation/, Tue, 10 May 2022)

In this article, we discuss the packet handling process inside PAN-OS on a Palo Alto firewall.

Introduction: Packet Flow in Palo Alto

A packet passes through multiple stages, such as the ingress and forwarding/egress stages, that make forwarding decisions on a per-packet basis. The following are the stages of packet flow, from receiving the packet to transmitting it out an interface:

Stages: Packet Flow in Palo Alto

Ingress Stage

This stage receives the packet, parses it and passes it on for further inspection. The firewall continues with a session lookup and the other security modules, after which it forwards the packet to the egress stage.

Packet Parsing

Packet inspection starts with the Layer-2 header on the ingress port: the 802.1q tag and destination MAC address are used as the key to look up the ingress logical interface. The packet is discarded if no interface is found.

In the IPv4 case, the firewall discards the packet if any of the following is found:

  • mismatch of Ethernet type and IP version
  • truncated IP header
  • IP protocol number 0
  • TTL zero
  • Land attack
  • Ping of death
  • Martian IP address
  • IP checksum errors

In the IPv6 case, it discards the packet for:

  • mismatch of Ethernet type and IP version
  • truncated IPv6 header
  • truncated IP packet (IP payload buffer length less than the IP payload field)
  • Jumbogram extension (RFC 2675)
  • truncated extension header

The Layer-4 (TCP/UDP) header is then parsed.

TCP: The firewall discards the packet if the TCP header is truncated, the data offset field is less than 5, there is a checksum error, or the TCP flags are an invalid combination.

UDP: The firewall discards the packet if the UDP header is truncated, the UDP payload is truncated (not an IP fragment and the UDP buffer length is less than the UDP length field), or there is a checksum error.

Tunnel Decapsulation

The firewall performs decapsulation/decryption at the parsing stage. It decapsulates the packet first and checks for errors; if an error is found, the packet is discarded.

IP Defragmentation

The firewall parses IP fragments, reassembles them through the defragmentation process and then feeds the reassembled packet back to ingress with its IP header. The firewall discards the packet in the case of a teardrop attack, fragmentation errors, or when the buffered-fragment (maximum packet) threshold is reached.


Firewall Session Lookup

The firewall inspects the packet and performs a session lookup. A firewall session consists of two unidirectional flows, each uniquely identified. In PAN-OS, the firewall identifies the flow using a 6-tuple key:

  • Source and destination addresses: IP addresses from the IP packet.
  • Source and destination ports: Port numbers from the TCP/UDP protocol headers.
  • Protocol: The IP protocol number from the IP header is used to derive the flow key.
  • Security zone: This field is derived from the ingress interface at which a packet arrives.
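To make the Packet Parsing checks and the 6-tuple flow key concrete, here is an added Python example (not code from the article or from PAN-OS). It builds a few constructed IPv4/TCP packets, applies a simplified subset of the discard checks listed above (the martian check covers only 0.0.0.0/8 and 127.0.0.0/8; Ping of death and the UDP checks are omitted) and, for a packet that passes, returns the 6-tuple flow key. Addresses, ports and zone names are constructed.

```python
import struct

FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_ACK = 0x01, 0x02, 0x04, 0x10
ETHERTYPE_IPV4 = 0x0800
# Simplified martian check (assumption for this example): "this network" and loopback only.
MARTIAN_PREFIXES = ("0.", "127.")


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: fold the 16-bit one's-complement sum and invert it.
    Verifying a header that already carries its checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_tcp(src, dst, sport, dport, flags, *, ttl=64, proto=6,
                   data_offset=5, bad_ip_csum=False, bad_tcp_csum=False):
    """Construct an IPv4 header followed by a bare 20-byte TCP header
    (constructed test input). Checksums are correct unless deliberately
    corrupted via the bad_*_csum switches."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      data_offset << 4, flags, 8192, 0, 0)
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, proto, len(tcp))
    tcp_csum = ones_complement_sum(pseudo + tcp) ^ (1 if bad_tcp_csum else 0)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0,
                     ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    ip_csum = ones_complement_sum(ip) ^ (1 if bad_ip_csum else 0)
    ip = ip[:10] + struct.pack("!H", ip_csum) + ip[12:]
    return ip + tcp


def parse_ingress(pkt: bytes, ethertype: int, zone: str):
    """Apply the ingress parse checks to one packet.
    Returns (discard_reason, flow_key); exactly one of the two is None.
    The flow key is the 6-tuple (src, dst, sport, dport, protocol, zone)."""
    if ethertype != ETHERTYPE_IPV4 or not pkt or pkt[0] >> 4 != 4:
        return "ethertype / IP version mismatch", None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "truncated IP header", None
    ttl, proto = pkt[8], pkt[9]
    if proto == 0:
        return "IP protocol number 0", None
    if ttl == 0:
        return "TTL zero", None
    if ones_complement_sum(pkt[:ihl]) != 0:
        return "IP checksum error", None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    if src == dst:
        return "land attack (src == dst)", None
    if src.startswith(MARTIAN_PREFIXES):
        return "martian source address", None
    if proto != 6:
        # Non-TCP: UDP parsing is omitted here; ports are zero in the key.
        return None, (src, dst, 0, 0, proto, zone)
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return "truncated TCP header", None
    data_offset = tcp[12] >> 4
    if data_offset < 5:
        return "TCP data offset < 5", None
    if len(tcp) < data_offset * 4:
        return "truncated TCP header", None
    flags = tcp[13] & 0x3F
    # Examples of invalid combinations: no flags at all, or SYN together with FIN/RST.
    if flags == 0 or (flags & FLAG_SYN and flags & (FLAG_FIN | FLAG_RST)):
        return "invalid TCP flag combination", None
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, proto, len(tcp))
    if ones_complement_sum(pseudo + tcp) != 0:
        return "TCP checksum error", None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return None, (src, dst, sport, dport, proto, zone)


if __name__ == "__main__":
    good = build_ipv4_tcp("10.1.1.10", "203.0.113.5", 40000, 443, FLAG_SYN)
    print(parse_ingress(good, ETHERTYPE_IPV4, "trust"))
    land = build_ipv4_tcp("10.1.1.10", "10.1.1.10", 40000, 443, FLAG_SYN)
    print(parse_ingress(land, ETHERTYPE_IPV4, "trust"))
```

The order of checks here follows the order in which the article lists them; a real data plane applies them in its own order, but the outcome for a single defective packet is the same: the packet is discarded before any session lookup happens.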

Zone Protection Checks

When a packet arrives on a firewall interface, the ingress interface is checked for a zone protection profile. If a profile exists, the packet is evaluated according to the profile configuration.

TCP State Check

The firewall first checks that the SYN bit is set in the received packet; if not, the packet is discarded. If the SYN flood protection action is set to Random Early Drop (RED), which is the default configuration, the firewall simply drops the packet. SYN cookies are the preferred option when more traffic needs to pass through.

Forwarding Setup

Forwarding of the packet depends on the configuration of the interface. The following interface modes decide the action:

NAT Policy Lookup

NAT is applicable only in Layer 3 or virtual wire mode. The ingress/egress zone information is used to evaluate the NAT rules for the original packet.

  • For destination NAT, the firewall performs a second route lookup on the translated address to determine the egress interface/zone.
  • For source NAT, the firewall evaluates the NAT rule for source IP allocation. If the allocation check fails, the firewall discards the packet.

User-ID

The firewall uses the packet's IP address to look up the User-IP mapping table. The corresponding user information is then used to look up the user-group mapping table and fetch the group mappings associated with that user.

DoS Protection Policy Lookup

The firewall checks the DoS (Denial of Service) protection policy for the traffic based on the DoS protection profile. If the DoS protection policy action is set to Protect, the firewall checks the specified thresholds and, if a threshold is matched, discards the packet.

Security Policy Lookup

The firewall performs a security policy lookup with application 'any' to check for a rule match. If the matching rule's action is 'deny', or no rule matches, the firewall drops the packet. The firewall permits intra-zone traffic by default. This default behaviour for intra-zone and inter-zone traffic can be modified in the security policy rulebase.
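As an added illustration of the lookup just described (example code, not PAN-OS or the article's own), the following Python models a first-match security rulebase with the default intra-zone allow and inter-zone deny. The rule names, zones and addresses are constructed; app="any" stands for the initial lookup made before App-ID has identified the application.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str     # zone name or "any"
    to_zone: str
    source: str        # CIDR or "any"
    destination: str   # CIDR or "any"
    application: str   # App-ID name or "any"
    action: str        # "allow" or "deny"


def _net_match(rule_value: str, addr: str) -> bool:
    return rule_value == "any" or ip_address(addr) in ip_network(rule_value, strict=False)


def _zone_match(rule_value: str, zone: str) -> bool:
    return rule_value == "any" or rule_value == zone


def security_policy_lookup(rules, from_zone, to_zone, src, dst, app="any"):
    """First-match lookup over an ordered rulebase; returns (rule_name, action).
    app="any" models the initial lookup before App-ID has identified the
    application, so it satisfies any rule's application field. With no
    explicit match the defaults apply: intrazone-default allow,
    interzone-default deny."""
    for rule in rules:
        if (_zone_match(rule.from_zone, from_zone)
                and _zone_match(rule.to_zone, to_zone)
                and _net_match(rule.source, src)
                and _net_match(rule.destination, dst)
                and (app == "any" or rule.application in ("any", app))):
            return rule.name, rule.action
    if from_zone == to_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# Constructed rulebase for the example.
RULES = [
    Rule("allow-web", "trust", "untrust", "10.1.0.0/16", "any", "web-browsing", "allow"),
    Rule("block-dmz", "trust", "dmz", "any", "192.168.50.0/24", "any", "deny"),
]

if __name__ == "__main__":
    # Initial lookup with app "any", then the re-evaluation once App-ID knows the app.
    print(security_policy_lookup(RULES, "trust", "untrust", "10.1.2.3", "203.0.113.9"))
    print(security_policy_lookup(RULES, "trust", "untrust", "10.1.2.3", "203.0.113.9", "ssh"))
    print(security_policy_lookup(RULES, "trust", "trust", "10.1.2.3", "10.1.9.9"))
```

Running the same flow twice, once with app "any" and once with the identified application, shows why a session can be created by the initial lookup and still be dropped later: the second lookup falls through to interzone-default deny when no rule allows the identified application.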

Session Allocation

Once all checks pass, the firewall allocates a new session entry from the free pool. Session allocation fails if the VSYS session maximum has been reached or the firewall has allocated all available sessions.

Firewall Session Fast Path

The session fast path checks the packet from Layer 2 to Layer 4 and processes it under the following conditions:

  • If the session is in the discard state, the firewall discards the packet.
  • If the session is active, the session timeout is refreshed.
  • If the packet is a TCP FIN/RST, the TCP half-closed timer is started if this is the first FIN packet received (half-closed session), or the TCP Time Wait timer is started if this is the second FIN packet or an RST packet; the session is closed once these timers expire.
  • If NAT is applicable, the L3/L4 header is translated as applicable.

Security Processing

When an inspected packet matches an existing session, it is subject to further processing if it carries TCP/UDP data (payload) or is a non-TCP/UDP packet. The firewall checks for the session's application; if none is set, it performs an App-ID lookup. If the App-ID lookup is inconclusive, the content inspection module runs the known protocol decoders to identify the application. If the firewall detects the application, the session is forwarded to content inspection if any of the following apply:

  • An Application Layer Gateway (ALG) is involved.
  • The application is a tunneled application.
  • The security rule has a security profile associated with it.

Captive Portal

If no user information was found for the source IP address extracted from the packet and the packet is to be forwarded toward its destination, the firewall performs a captive portal rule lookup and forwards the packet for captive portal authentication.

Application Identification (App-ID)

The firewall first performs an application policy lookup to see if there is a rule match. If there is no application rule, application signatures are used to identify the application.

Content Inspection

The firewall performs content inspection, identifies the content and permits it as per the security policy rule. Next, it forwards the packet to the forwarding stage.

Forwarding/Egress

  • The firewall performs QoS shaping as applicable in the egress process. It checks the packet's MTU size and fragment bit settings at the egress interface and performs fragmentation if required.
  • If the egress interface is a tunnel interface, IPsec/SSL-VPN tunnel encryption is performed.


Conclusion

A packet is inspected by the Palo Alto firewall at various stages from ingress to egress, and the firewall performs the defined action according to policy, security checks and encryption. The packet first passes through the Layer 2 checks and is discarded if an error is found in the 802.1q tag or MAC address lookup. It is then forwarded for the TCP/UDP checks and discarded if an anomaly is found. Next come defragmentation/decapsulation and NAT, followed by the zone check. Later, the User-ID lookup, DoS attack protection and the other security checks in the zone are executed as per the configured rules.

TCP Reset (RST) from Server: Palo Alto (https://networkinterview.com/tcp-reset-rst-from-server-palo-alto/, Fri, 18 Mar 2022)

Introduction to TCP RST

Protecting sensitive data from unwanted and unauthorized sources is a major challenge. The next generation firewalls introduced by Palo Alto in 2010 come with a variety of built-in functions and capabilities such as hybrid cloud support, network threat prevention, application- and identity-based controls, and scalability with performance.

Next generation firewalls like Palo Alto's include deep packet inspection (DPI), surface-level packet inspection and TCP handshake testing. These firewalls monitor entire data transactions, including packet headers, packet contents and sources.

In this article we will learn more about the Palo Alto firewall's TCP reset from server mechanism, which is used when a threat is detected on the network: why it is used, how useful it is and how it works.

Palo Alto Firewall – TCP Reset

TCP reset from server is a threat response mechanism used in the Palo Alto firewall. There can be several reasons for a reset, but in the case of the Palo Alto firewall a reset is sent only in the specific scenario where a threat is detected in the traffic flow.

The TCP header contains a bit called RST (reset). Setting it causes the TCP connection to close immediately, without the negotiation that is performed for the FIN bit. A TCP reset can be caused by several things.

A TCP reset sent by the firewall can happen for multiple reasons, such as:

  • Configuration of access control lists (ACLs) where the action is set to 'DENY'
  • When a threat is detected in the network traffic flow

Usually the firewall has a smaller session TTL than the client PC for idle connections. The firewall silently expires the session without the knowledge of the client or server, and when the client next sends traffic on the expired session, this ultimately generates a reset from the client. Firewalls can also be configured to send a RST when the session TTL expires for idle sessions, to both the server and the client end.

A TCP RST (reset) is an immediate close of a TCP connection. This allows the resources that were allocated for the connection to be released and made available to the system. The receiver of an RST segment should also consider the possibility that the application protocol client at the other end was abruptly terminated and did not have a chance to process data that was sent to it.

TCP defines connections between hosts at the transport layer (L4) of the OSI model, enabling traffic between applications (talking over protocols like HTTPS or FTP) on different devices. TCP was designed to cope with unreliable packet delivery, lost or duplicate packets, and network congestion.

A TCP RST is like a panic button that alerts the sender that something went wrong with packet delivery. An attacker can cause a denial of service (DoS) by flooding a device with TCP packets; in a TCP reset attack, the attacker spoofs TCP RST packets that are not associated with real TCP connections. Firewalls use TCP resets as a remediation technique to close suspicious connections.

Palo Alto Packet Capture/ Packet Sniffing (https://networkinterview.com/palo-alto-packet-capture-packet-sniffing/, Mon, 14 Mar 2022)

Introduction to Packet Capturing

Before discussing Palo Alto packet capture, let's first understand the term. Packet capture is the network interception of data packets, which can then be analysed, downloaded, archived or discarded. Packet capturing is performed to identify threats, detect undesirable behaviour, network congestion and packet loss, and to analyse the network.

Packet capturing is performed in two ways:

  • capturing whole packets, and
  • capturing a specific portion of each packet.

There are several products available that can sniff or capture packets. Palo Alto Networks firewalls have the capability to take packet captures of traffic and store them for analysis.

In this article we will learn more about the Palo Alto packet capture/packet sniffing capability, its features, advantages and use cases.

Palo Alto Packet Capture 

Palo Alto Networks firewalls have a built-in packet capture (pcap) feature that allows capturing packets that traverse the firewall's network interfaces. Packets can be captured for troubleshooting purposes or to create custom signatures.

Packet capturing is a CPU-intensive activity and degrades firewall performance.

Types of Packet Capture

There are several types of packet capture which can be enabled based on need:

Custom Packet Capture –

The firewall captures all traffic or specific traffic based on defined filters. For example, the firewall can be configured to capture packets coming from a specific source and going to a specific destination or port. The packet capture can then be used to troubleshoot network problems or to gather application attributes that enable creating a custom application signature, or requesting an application signature for the Palo Alto firewall.

Threat Packet Capture –

The firewall captures packets when it detects a virus, spyware or vulnerability. The feature must be enabled in the Antivirus, Anti-Spyware and Vulnerability Protection security profiles. The Threat log will have a link to export the packet capture. These packet captures provide context around the threat and help to determine whether an attack was successful, or to learn about the methods used by the attacker. They can be submitted to Palo Alto Networks to determine whether the threat was a false positive or false negative.

Application Packet Capture –

This type of packet capture is based on specific application filters. The Traffic log has a view or export option, as per the rule definition, for the captured packets.

Management Interface Packet Capture –

This captures packets on the management interface (MGT). It is useful for troubleshooting services that traverse that interface, such as firewall management authentication to external authentication services, software and content updates, log forwarding, communication with SNMP servers, and authentication requests for GlobalProtect and Captive Portal.

GTP Event Packet Capture –

The firewall captures a single GTP event such as GTP-in-GTP, end-user IP spoofing or abnormal GTP messages, making troubleshooting easier for mobile network operations.

How to capture packets in Palo Alto firewall?

To capture packets on a Palo Alto firewall, go to Monitor > Packet Capture > click Manage Filters (hyperlink).

Click Add and in the ID column select 1.

Under the Ingress Interface column, choose Ethernet 1/2 (inside security zone).

Under the Source column type source 192.168.1.20 (inside client machine) > type destination 192.168.50.10 (DMZ machine) > under Proto type 1 (ICMP).

Click the toggle to turn Filtering ON.

Under Configure Packet > Stage > Add > select Stage: receive.

Type a name for the file (ICMP-PCAP-1) > type Packet Count: 100 > type Byte Count: 1000 > click OK.

The packet capture will stop automatically when the packet count hits 100 or the byte count hits 1000. It is advisable to keep the packet capture file small so as to have less impact on the CPU and memory of the firewall.

Click on Packet Capture (OFF) to toggle it ON and initiate the packet capture.

Click OK to continue past the warning message. The packet capture file will show on the left side under Captured Files. Click on the captured file (ICMP-PCAP-1) and download the pcap file. The Wireshark network protocol analyzer is required to open the pcap file.

At least one capture stage must be selected. The stage indicates the point at which the packet capture is taken:

Drop – when packet processing encounters an error and the packet is dropped

Firewall – when the packet matches a session, or when the first packet of a session is created successfully

Receive – when the packet is received on the dataplane processor

Transmit – when the packet is transmitted from the dataplane processor

File – the capture file name

Packet count – the maximum number of packets, after which capturing stops

Byte count – the maximum number of bytes, after which capturing stops
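Checking the downloaded capture file against the filter and limits configured in the procedure above, as an added example (not the firewall's code or Palo Alto Networks'): a standard-library pcap parser run on a constructed in-memory capture, using the source/destination/protocol filter and the 100-packet/1000-byte stop limits from the steps.

```python
"""Offline check of a PAN-OS packet capture file against the capture filter and limits.
Added example, not Palo Alto Networks code. A constructed pcap is built in memory so the
check runs offline; the filter values (192.168.1.20 -> 192.168.50.10, protocol 1 = ICMP)
and the stop limits (100 packets / 1000 bytes) are the ones set in the procedure above."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP = 1, 6
FILTER = ("192.168.1.20", "192.168.50.10", PROTO_ICMP)


def build_ipv4_frame(src, dst, proto, payload):
    """Constructed Ethernet/IPv4 frame (IP checksum left as zero; test data only)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def build_pcap(frames):
    """Serialise frames as a pcap image: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return the captured frames; refuse files whose magic is not the little-endian classic one."""
    if len(data) < 24 or struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    frames, offset = [], 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, offset)[2]
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % offset)
        frames.append(data[offset:offset + incl_len])
        offset += incl_len
    return frames


def decode_ipv4(frame):
    """(src, dst, proto) of an Ethernet/IPv4 frame, or None for non-IPv4 or runt frames."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    if (frame[14] >> 4) != 4 or (frame[14] & 0x0F) < 5:
        return None
    return (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), frame[23])


def summarize_capture(data, flt=FILTER):
    """Count frames matching / not matching the (src, dst, proto) filter and the bytes captured."""
    summary = {"matched": 0, "unmatched": 0, "bytes": 0}
    for frame in parse_pcap(data):
        summary["bytes"] += len(frame)
        summary["matched" if decode_ipv4(frame) == flt else "unmatched"] += 1
    return summary


def within_limits(summary, packet_count=100, byte_count=1000):
    """True when the capture stayed within the stop thresholds configured for the stage."""
    return (summary["matched"] + summary["unmatched"] <= packet_count
            and summary["bytes"] <= byte_count)


# Constructed sample: three ICMP echo requests that match the filter plus one TCP frame that does not.
ECHO_REQUEST = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"
SAMPLE_PCAP = build_pcap(
    [build_ipv4_frame("192.168.1.20", "192.168.50.10", PROTO_ICMP, ECHO_REQUEST)] * 3
    + [build_ipv4_frame("192.168.1.20", "192.168.50.10", PROTO_TCP, bytes(20))]
)

if __name__ == "__main__":
    s = summarize_capture(SAMPLE_PCAP)
    print(s, "within limits:", within_limits(s))   # {'matched': 3, 'unmatched': 1, 'bytes': 192} True
```

Point `summarize_capture` at the bytes of a real downloaded ICMP-PCAP-1 file to confirm that only the filtered flow was captured and that the stop thresholds were honoured.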

Palo Alto – Administration & Management
https://networkinterview.com/palo-alto-management/
Sun, 13 Feb 2022 04:49:52 +0000

Introduction to Palo Alto

A firewall is a network security device that permits or denies network access to traffic flows between an untrusted zone and a trusted zone. The Palo Alto firewall is one of the most coveted and widely preferred security firewalls in the enterprise cyber security space. In fact, due to its efficacy and security features, Palo Alto earned itself a place in the Leaders quadrant of the Gartner Magic Quadrant.

In this article we will look at the administration and management of Palo Alto firewalls.

Features and Benefits of Palo Alto

  • Application-based policy enforcement (App-ID)
  • User identification (User-ID)
  • Threat prevention
  • URL filtering
  • Traffic visibility
  • Networking versatility and speed
  • Global Protect
  • Fail-safe operation
  • Malware analysis and reporting
  • VM-Series firewall
  • Management and Panorama

Firewall Administration:

Configuration, management and monitoring of Palo Alto firewalls can be performed via the web interface, the CLI and the API management interface. The administrator can customize role-based access to the management interfaces for specific tasks or permissions.

Roles and the authentication method are defined by the administrator. The authentication method relies on the local firewall database or on an external service. The steps below add an administrator account on the firewall, assuming you have already configured an authentication profile or will use local authentication without a firewall database.

Select Device > Add an account.

1. Enter a user Name.

The account will be added to the local database of the firewall. Enter the name that you specified for the account in the database (see Add the user group to the local database).

2. Select an Authentication Profile or sequence, if you configured either for the administrator.

Otherwise, select None (default) and enter a Password.

3. Select the Administrator Type.

If a custom role is configured for the user, select Role Based and select the Admin Role Profile.

4. (Optional) Select a Password Profile for administrators that the firewall authenticates locally without a local user database.

5. Click OK and Commit.

Keywords and Options:

Administration and maintenance of the firewall is done by defining the Management Settings. Below are the keywords and options for each keyword/feature:

General

Select the Device > Setup > Management > General Settings

 

  • Hostname
  • Domain
  • Login Banner
  • Time Zone
  • Locale
  • Time
  • Serial Number
  • Geo Location
  • Automatically acquire commit lock
  • Certificate Expiration Check
  • Multi Virtual System Capability

Authentication

Select the Device > Setup > Management > Authentication Settings

 

  • Authentication Profile
  • Certificate Profile
  • Idle Timeout
  • Failed Attempts
  • Lockout Time

Panorama

Select the Device > Setup > Management > Panorama Settings

 

  • Panorama Servers
  • Receive Timeout for connection to device/Panorama
  • Send Timeout for connection to device/Panorama
  • Retry Count for SSL send to device/Panorama
  • Share Unused Address and Service Objects with Devices (Panorama only)
  • Shared Objects Take Precedence (Panorama only)

Management Interface

Select the Device > Setup > Management > Management Interface Settings

 

  • MGT Interface Speed
  • MGT Interface IP Address
  • Netmask
  • Default Gateway
  • MGT Interface IPv6 Address
  • Default IPv6 Gateway
  • MGT Interface Services
  • Permitted IPs

Logging and Reporting

Select the Device > Setup > Management > Logging and Reporting Settings

  • Log Storage
  • Max Rows in User Activity Report
  • Max Rows in CSV Export
  • Number of Versions for Config Audit
  • Number of Versions for Config Backups
  • Average Browse Time (sec)
  • Page Load Threshold (sec)
  • Send Hostname in Syslog
  • Stop Traffic when LogDb full
  • Enable Log on High DP Load
  • Buffered log forwarding from device
  • Get Only New Logs on Convert to Primary
  • Only Active Primary Logs to Local Disk

Password Complexity

Select the Device > Setup > Management > Minimum Password Complexity

 

  • Enabled
  • Minimum Length
  • Block Repeated Characters
  • Expiration Warning Period (days)
  • Post Expiration Grace Period (days)
  • Allowed expired admin login (count)

Operations

Defining Operations Settings

Select the Device > Setup > Operations

 

  • Validate candidate Config
  • Revert to last saved Config
  • Revert to running config
  • Save named configuration snapshot
  • Save candidate config.
  • Load named configuration snapshot
  • Load configuration version
  • Export named configuration snapshot
  • Export configuration version
  • Export device state
  • Import named config snapshot
  • Import device state

Device Operations

Select the Device > Setup > Device Operations

 

  • Reboot Device
  • Shutdown Device
  • Restart Data Plane

Services

Defining Services Settings

Select the Device > Setup > Services

  • DNS
  • Primary DNS Server
  • Secondary DNS Server
  • Primary NTP Server
  • Secondary NTP Server
  • Update Server

Proxy

Select the Device > Setup > Proxy Server

 

  • Server
  • Port
  • User
  • Password/Confirm Password
  • Service Route Configuration

Content

Defining Content ID Settings

Select the Device > Setup > Content-ID

 

  • URL Filtering
  • Dynamic URL Cache Timeout
  • URL Continue Timeout
  • URL Admin Override Timeout
  • URL Admin Lockout Timeout
  • x-forwarded-for
  • Strip-x-forwarded-for
  • Allow Forwarding of Decrypted Content

URL Admin Override

Select the Device > Setup > Content-ID > URL Admin Override

 

  • Settings for URL Admin Override
  • Manage Data Protection
  • Container Pages

Session

Defining Session Settings

Select the Device > Setup > Session

 

  • Rematch Sessions
  • ICMPv6 Token Bucket Size
  • ICMPv6 Error Packet Rate
  • Jumbo Frame/Jumbo Frame MTU
  • Enable IPv6 Firewalling
  • NAT64 IPv6 Minimum Network MTU
  • Accelerated Aging

Session Features

Select the Device > Setup > Session > Session Features

 

  • Decryption Certificate Revocation Settings
  • Enable
  • Receive Timeout
  • Enable OCSP
  • Receive Timeout
  • Block Session with Unknown Certificate Status
  • Block Session On Certificate Status
  • Check Timeout Certificate Status
  • Timeout

SNMP

Select the Device > Setup > Operations

 

  • SNMP Setup
  • Physical Location
  • Contact
  • Version

Statistics Service

Select the Device > Setup > Operations

 

  • Application and Threat Reports
  • Unknown Application Reports
  • URL Reports
  • Device traces for crashes

Management options:

Note – Do not enable management access from the internet or from other untrusted zones.

  • Use the Command Line Interface (CLI) to perform a series of tasks by entering commands in rapid succession over SSH (recommended), Telnet, or the console port.
  • Use the Web Interface to perform configuration and monitoring tasks with relative ease. The GUI lets you access the firewall over HTTPS (recommended) or HTTP and is the most convenient way to perform administrative tasks.
  • Use the XML API to streamline your operations and integrate with existing, internally developed applications and repositories. The XML API is used through HTTP/HTTPS requests and responses.
  • Use Panorama to perform web-based management, reporting, and log collection for multiple firewalls. The Panorama web interface is largely the same as the firewall web interface, with additional functions for centralized management.
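The XML API option above, as an added example that is not Palo Alto Networks code: the URL shape follows the documented PAN-OS XML API (type=keygen to obtain a key, type=op with the command in XML form to run it); the firewall hostname and the sample responses are constructed placeholders, and the client verifies the server certificate, in keeping with the note about untrusted networks.

```python
"""Minimal PAN-OS XML API client helpers (added example, not Palo Alto Networks code).
The request shape follows the documented PAN-OS XML API: /api/?type=keygen returns an API
key, and /api/?type=op&cmd=<xml>&key=<key> runs an operational command such as
'show system info'. The hostname and the sample responses below are constructed."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FIREWALL_HOST = "fw-mgmt.example.internal"   # placeholder; reach it only from a trusted management network


def build_keygen_url(host, user, password):
    """URL that requests an API key. Always HTTPS: the credentials travel in the query string."""
    query = urllib.parse.urlencode({"type": "keygen", "user": user, "password": password})
    return "https://%s/api/?%s" % (host, query)


def build_op_url(host, cmd_xml, api_key):
    """URL for an operational command given in its XML form."""
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd_xml, "key": api_key})
    return "https://%s/api/?%s" % (host, query)


def cli_to_xml(cli_command):
    """'show system info' -> '<show><system><info></info></system></show>' (keyword-only commands)."""
    words = cli_command.split()
    return "".join("<%s>" % w for w in words) + "".join("</%s>" % w for w in reversed(words))


def parse_response(xml_text):
    """Return the <result> element of a successful response; raise on error or malformed XML."""
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise ValueError("unexpected root element <%s>" % root.tag)
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or root.findtext(".//line") or "no message"
        raise RuntimeError("API call failed (code %s): %s" % (root.get("code"), msg))
    result = root.find("result")
    if result is None:
        raise ValueError("success response without <result>")
    return result


def extract_key(xml_text):
    """API key from a keygen response."""
    key = parse_response(xml_text).findtext("key")
    if not key:
        raise ValueError("keygen response carries no <key>")
    return key


def system_info(xml_text):
    """Flatten the <system> block of a 'show system info' response into a dict."""
    system = parse_response(xml_text).find("system")
    if system is None:
        raise ValueError("no <system> element in response")
    return {child.tag: (child.text or "").strip() for child in system}


def fetch(url, cafile=None):
    """Issue the request over HTTPS with certificate verification; never disable it for a firewall."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses in the XML API's response shape (all values are placeholders).
SAMPLE_KEYGEN = '<response status="success"><result><key>PLACEHOLDER-API-KEY</key></result></response>'
SAMPLE_SYSINFO = ('<response status="success"><result><system><hostname>PA-LAB-01</hostname>'
                  '<serial>SERIAL-PLACEHOLDER</serial><sw-version>0.0.0-sample</sw-version>'
                  '<multi-vsys>off</multi-vsys></system></result></response>')
SAMPLE_ERROR = '<response status="error" code="403"><result><msg>Invalid credentials.</msg></result></response>'

if __name__ == "__main__":
    print(build_op_url(FIREWALL_HOST, cli_to_xml("show system info"), extract_key(SAMPLE_KEYGEN)))
    print(system_info(SAMPLE_SYSINFO))
```

Against a live firewall, `fetch(build_keygen_url(...))` followed by `fetch(build_op_url(...))` replaces the constructed responses; `cafile` should point at the CA that issued the firewall's management certificate.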

Physical Interface Types:

Palo Alto has five types of physical interfaces, listed below:

  1. Tap mode – This interface simply listens to a span/mirror port of a switch
  2. Virtual wire – This type is used to logically bind two Ethernet interfaces together, hence allowing all traffic to pass between the interfaces.
  3. L2 – In this mode, multiple interfaces can be configured into a “virtual-switch” or VLAN.
  4. L3 – In this mode, IP address is required. This interface includes all layer-3 operations.
  5. HA – On all devices except the 4000 and 5000 series, you must configure two traffic ports as the HA ports.

 

Logical Interface Types:

Below are the types of logical interfaces supported on Palo Alto firewalls:

  • Sub-interfaces (802.1q)
    • Up to 4094 VLANs supported per port
    • Max of 4094 VLANs per system
  • Aggregate interfaces (802.3ad)
    • Only on PA-4000 and PA-5000 series
    • Up to 8 physical 1 Gig interfaces can be placed into an aggregate group
    • Up to 8 aggregate groups are supported per device
    • Each interface in a group must be the same physical media (all copper, or all fiber)
  • Tunnel interfaces – Used for IPsec or SSL VPNs
  • Loopback interfaces

Available Features in Different Interface Modes

  • Vwire
    • No VPN
    • No “auto” setting for HA passive link
  • L2
    • No VPN
    • No NAT (FYI in PAN-OS 4.1 you can do NAT in Vwire mode)
    • No “auto” setting for HA passive link
    • If IPv6 is passing, security policies can be written for this traffic
    • No Multicast support
  • L3
    • If IPv6 is passing, security policies can be written for this traffic

Interface Management

  • An interface management profile specifies which protocols can be used to manage the firewall.
  • Management profile can be assigned to:
    • L3 interfaces
    • Loopback interfaces
    • VLAN interfaces

Device Management

  • Managing the firewall (via GUI, SSH, etc.) is performed via the MGT interface on the PAN by default.
  • You can specify different physical interfaces to use for specific management services via Device tab -> Setup -> Service Route Configuration.

Palo Alto Troubleshooting CLI Commands
https://networkinterview.com/palo-alto-troubleshooting-cli-commands/
Fri, 11 Feb 2022 11:51:37 +0000

Introduction

Palo Alto has been considered one of the most coveted and preferred next-generation firewalls, considering its robust performance, deep packet inspection and the myriad of features required in the enterprise and service provider domains. When troubleshooting network and security issues across many different devices/platforms, an extensive set of commands with options is available; these are great utilities for troubleshooting and fault finding, both in the implementation and in the operations phase.

Palo Alto Troubleshooting : CLI Commands

The following Palo Alto commands are the basics and need little further explanation. The table below lists each command with its description.

CLI COMMANDS – DESCRIPTION

  • show system info – Shows session information
  • show system environmental; show CPU usage; show temperature; show counters for everything; show the statistics on application recognition – Shows environmental health of the system
  • show ntp – Shows the network time server information
  • show arp {all | <interface-name>}; show neighbor interface {all | <interface-name>} – Shows the ARP results
  • show mac all – Shows the MAC table results
  • show jobs all; show jobs id <id>; show running resource-monitor – Shows the processes running in the management plane
  • show system resource; show system disk-space – Shows the percent usage of disk partitions
  • request restart system – Restarts the device
  • show admins all; show admins – Shows how many admin accounts there are
  • show the uptime and the active sessions – Shows the device uptime
  • show running security-policy – Shows the running security policy
  • request license info – Shows the licenses installed on the device
  • show vpn gateway – Shows the list of all IPSec gateways configured on the device with their configuration
  • show vpn ike-sa – Shows IKE phase 1 SAs
  • show vpn ipsec-sa – Shows IKE phase 2 SAs
  • show vpn tunnel – Shows a list of auto-key IPSec tunnel configurations
  • show vpn flow – Shows the IPSec counters
  • show global-protect-gateway current-user; show global-protect-gateway flow – GlobalProtect
  • show high-availability all – Shows a summary of all HA runtime information
  • show high-availability state; show high-availability link-monitoring; show high-availability path-monitoring; show high-availability control-link statistics; show high-availability state-synchronization – Shows the local HA peer state
  • show high-availability flap-statistics – Shows statistics of sent and received messages
  • scp export log system to <username@host:path_to_destination_filename>; scp import software from <username@host:path>; tftp export configuration from running-config.xml to <tftp-host>; tftp import url-block-page from <tftp-host> – Export/Import files
  • show user group-mapping state all – User-IDs and groups
  • request system fqdn {show | refresh} – IP addresses of FQDN objects
  • show dns-proxy statistics all; show dns-proxy cache all – DNS proxy
  • show system setting url-database – Active URL vendor/database
  • show system setting url-cache all – PAN-DB URL test & cache
  • set system setting fan-mode auto – Fan speed
  • show session id <id> – Reason for session close
  • show session all filter state discard; show session all filter application dns destination 8.8.8.8; show session info; show specific session – Examining the session table
  • set system setting additional-threat-log on – Zone protection logging
  • view-pcap follow yes filter-pcap – Live viewing of packet captures
  • tcpdump snaplen 0 filter "port 53"; view-pcap follow yes mgmt-pcap mgmt.pcap – Capturing management packets
  • less mp-log – Viewing management-plane logs
  • show routing table – Display the routing table
  • show routing fib; show routing protocol <protocol> – Look at routes for a specific destination
  • set system setting arp-cache-timeout <60-65536> – Change the ARP cache timeout setting from the default
  • show system setting arp-cache-timeout – View the ARP cache timeout setting
  • show routing path-monitor; debug routing path-monitor – Routing path monitoring
  • ping host X.X.X.X – Ping a destination IP address
  • traceroute host X.X.X.X – Trace the path to a destination network
  • ping host ipwithease.com – Ping an FQDN
  • show netstat statistics – Show network statistics
  • find command – Find a command
  • show system statistics application; show system statistics session – Live session and application statistics
  • show interface {all | <interface-name>}; show the interface state (speed/duplex/state/mac); show interface HW settings; show interface zone settings; show interface counters – Shows interface status, counters, configuration etc.
  • show running nat-policy – Shows the NAT policy table
  • test nat-policy-match – Tests the NAT policy
  • show running ippool; show running global-ippool – Shows NAT pool utilization
  • show routing bfd active-profile [<name>] – Shows BFD profiles
  • show routing bfd details [interface <name>] [local-ip <ip>] [multihop] [peer-ip <ip>] [session-id] [virtual-router <name>] – Shows BFD details
  • show routing bfd drop-counters session-id <session-id> – Shows BFD statistics on dropped sessions
  • show counter global | match bfd – Shows BFD packets, i.e. transmitted/received/dropped
  • clear routing bfd counters session-id all | <1-1024> – Clears counters of transmitted, received, and dropped BFD packets for a particular session id
  • clear routing bfd session-state session-id all | <1-1024> – Clears BFD sessions for debugging purposes
  • show vlan all – Verify the VLANs configured on the device
  • show counter global – Shows the counter of times the PVST
  • show system info | match system-mode – Display the current operational mode
  • request system system-mode logger – Changes from Panorama mode to Log Collector mode
  • show device groups name – Shows the history of a device group
  • show templates name <template-name> – Shows the history of a template
  • show config pushed-shared-policy – Shows all the policy rules and objects pushed from Panorama to a firewall
  • show config pushed-template – Shows all the template configuration pushed from Panorama to a firewall
  • show logging-status device <firewall-serial-number> – Shows logging information to Panorama


Conclusion

Palo Alto Networks troubleshooting CLI commands are used to verify the configuration and environmental health of a PAN device, and to verify connectivity, licenses, VPN, routing, HA, User-ID, logs, NAT, PVST, BFD, Panorama and more.

USER ID – PALO ALTO NETWORKS
https://networkinterview.com/user-id-palo-alto-networks/
Tue, 01 Feb 2022 08:19:10 +0000

In this article, we will look at the terminology related to User-ID and its role in login monitoring, role discovery and related nuances.

USER ID : PALO ALTO NETWORKS

User Identification is a unique feature of the Palo Alto firewall that integrates with a range of enterprise directory and terminal services to map application activity and policies to usernames and groups instead of just IP addresses. Configuring User-ID lets the Application Command Center (ACC), App Scope, reports, and logs include usernames in addition to user IP addresses.

The user identity, as opposed to an IP address, is an integral part of an effective security infrastructure. Mapping users to IP addresses keeps track of who is using applications on your network, who transmitted a threat and who is transferring files. This approach can strengthen security policies and reduce incident response times.

Connection Security

Connection Security uses the certificate profile to verify the identity of the User-ID agent by checking the server certificate implemented by the agent.

User Mapping

The User-ID agent maps IP addresses to usernames on the firewall. A known IP address is mapped to a known user name so that security rules can be enforced appropriately. User identification covers the various techniques used to find the users and groups in the network and shows how user mapping and group mapping work together to enable user- and group-based security enforcement and visibility. The user mapping methods are:

  • Port Mapping
  • Server Monitoring
  • Syslog
  • XFF Headers
  • Authentication Policy and Captive Portal
  • Global Protect
  • XML API
  • Client Probing

User ID Agents

The User-ID agent collects user mapping logs. To map usernames to IP addresses, User-ID agents monitor directory servers and send the user mappings to the firewall. Log Collectors, Panorama and other appliances can then serve as redistribution points that forward the user mappings to other firewalls, Log Collectors or Panorama. The User-ID agent configuration on the firewall (Device > User Identification > User-ID Agents) or on Panorama (Panorama > User Identification) is where you configure its connections to the User-ID agents or redistribution points.

Terminal Services Agents

When multiple users share the same IP address, a Terminal Services (TS) agent identifies and keeps track of individual users by assigning a port range to each one. The Terminal Services agent sends the allocated port ranges to every connected firewall so that the firewalls can enforce policy based on users and user groups. A firewall can collect username-to-port mapping information from up to 5,000 multi-user systems; the number of Terminal Services agents from which a firewall can collect mapping information varies by firewall model.

Group Mapping

In order for security policies, profiles and reports to be based on users and user groups, the firewall fetches the list of groups and the corresponding list of members maintained in the directory servers. The Palo Alto firewall supports LDAP directory servers from many vendors, such as:

  • Microsoft Active Directory (AD)
  • Novell eDirectory
  • Sun ONE Directory Server.

An LDAP server profile should be configured before the group mapping configuration profile. The LDAP server profile is configured under Device > Server Profiles > LDAP. To define policy rules based on user or group on the firewall, first create an LDAP server profile that defines how the firewall connects and authenticates to the directory server. Where the firewall does not support a directory server natively, the group mappings can be supplied through the XML API.
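How the user mapping and group mapping described above fit together, as an added example (not Palo Alto Networks code): a lookup table that resolves a flow's source to a user through either a plain IP-to-user mapping or a Terminal Services agent port range on a shared host, then checks a group-based rule; all usernames, addresses, port ranges and groups are constructed sample data, and the group sets stand in for what the firewall would fetch from the LDAP directory.

```python
"""User-ID style IP-to-user and group lookup (added example, not Palo Alto Networks code).
Models the two mapping kinds the text describes: a plain IP-to-username mapping for
single-user hosts, and Terminal Services (TS) agent mappings where one shared IP is split
into per-user source-port ranges. Group membership stands in for the LDAP group mapping.
All names, addresses, ranges and groups below are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass(frozen=True)
class PortRange:
    low: int
    high: int
    user: str

    def contains(self, port):
        return self.low <= port <= self.high


@dataclass
class UserIdTable:
    ip_map: dict = field(default_factory=dict)   # ip -> username (single-user hosts)
    ts_map: dict = field(default_factory=dict)   # ip -> [PortRange] (multi-user hosts via TS agent)
    groups: dict = field(default_factory=dict)   # group -> {usernames} (from group mapping)

    def map_ip(self, ip, user):
        self.ip_map[ip_address(ip)] = user

    def map_port_range(self, ip, low, high, user):
        """Register a TS-agent range; overlapping ranges on one host would be ambiguous, so reject them."""
        if not (0 < low <= high <= 65535):
            raise ValueError("invalid port range %d-%d" % (low, high))
        ranges = self.ts_map.setdefault(ip_address(ip), [])
        for r in ranges:
            if low <= r.high and r.low <= high:
                raise ValueError("range %d-%d overlaps %d-%d (%s)" % (low, high, r.low, r.high, r.user))
        ranges.append(PortRange(low, high, user))

    def lookup(self, ip, port):
        """Resolve a flow's source to a username; TS port ranges take precedence over plain IP mappings."""
        addr = ip_address(ip)
        for r in self.ts_map.get(addr, []):
            if r.contains(port):
                return r.user
        return self.ip_map.get(addr)

    def add_group(self, group, members):
        self.groups[group] = set(members)

    def groups_of(self, user):
        return {g for g, members in self.groups.items() if user in members}


def rule_matches(table, src_ip, src_port, allowed_groups):
    """Would a group-based rule match this flow? A source with no known user never matches such a rule."""
    user = table.lookup(src_ip, src_port)
    if user is None:
        return False
    return bool(table.groups_of(user) & set(allowed_groups))


def build_sample_table():
    """Constructed sample: one single-user workstation and one TS host shared by two users."""
    t = UserIdTable()
    t.map_ip("192.168.1.20", "carol")
    t.map_port_range("10.0.0.5", 20000, 24999, "alice")
    t.map_port_range("10.0.0.5", 25000, 29999, "bob")
    t.add_group("finance", ["alice", "carol"])
    t.add_group("it-admins", ["bob"])
    return t


if __name__ == "__main__":
    table = build_sample_table()
    for ip, port in (("10.0.0.5", 21000), ("10.0.0.5", 27000), ("192.168.1.20", 51234), ("172.16.0.9", 443)):
        print(ip, port, "->", table.lookup(ip, port), "finance rule:", rule_matches(table, ip, port, ["finance"]))
```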

Captive Portal

Captive Portal is used to build a user-to-IP mapping on the Palo Alto firewall. Captive Portal is triggered, depending on policy, for HTTP and/or HTTPS traffic only, and only for IP addresses without an existing user-to-IP mapping.

SSL/TLS Service Profile 

To specify a firewall server certificate and the allowed protocols for securing redirect requests, select an SSL/TLS service profile (Device > Certificate Management > SSL/TLS Service Profile). If you select None, the firewall uses its default certificate profile.

Authentication Profile

You can select an authentication profile (Device > Authentication Profile) to authenticate users when their traffic matches an Authentication policy rule (Policies > Authentication). The authentication profile is applied in the Captive Portal settings that reference one of the default authentication enforcement objects (Objects > Authentication).

Certificate Profile

You can select a Certificate Profile (Device > Certificate Management > Certificate Profile) to authenticate users when their traffic matches any Authentication policy rule (Policies > Authentication).

Conclusion

User-ID technology is responsible for collecting user information from multiple sources, including VPNs, WLAN controllers, captive portals, directory servers, proxies and more. User and group information must be directly integrated into the technology platforms that secure modern organizations, through policies and profiles. It gathers information about who is using the applications on the customer network, and who may have transmitted a threat or is transferring files, thereby strengthening the organization's security policies and reducing incident response times.
