Firewall
Next Generation Firewall
Stateful Firewall + other features such as AppID, ContentID, UserID
Single Pass Architecture: Single Pass Parallel Processing (SP3)
All checks (SSL Decryption, Security Policy, AV, IPS, Anti-Spyware) are performed in parallel, not sequentially. Other vendors don't have this architecture
Control plane and data plane are separated, and each plane has its own CPU and RAM
Zero Trust Architecture
Never trust, always verify
Inspect perimeter traffic
Inbound Traffic
Outbound Traffic
Also inspect internal traffic
Virtual System
Fortigate - VDOM
Cisco - Virtual Instance
CheckPoint - VS (Virtual System)
Palo Alto - vSys
License
Device > Licenses
Maintenance Mode and Factory Reset
Maintenance Mode Entry: maint
Reset factory default
go to maintenance mode
request system private-data-reset
Configuration
Enable IPv6
Device > Setup > Session > Session Settings > Enable IPv6 Firewalling
Interface Types
Tap: like a SPAN port (passive monitoring)
Virtual Wire: bridge-like interface, needs 2 interfaces
Network
Network > Interfaces: create interface
Network > Zones: create Zone
Network > Routing > Logical Routers: Create routers
Management Profiles
Network > Network Profiles > Interface Management
Network > Interfaces > Ethernet > Advanced, then Other Info: apply Management Profile
Management Interface
Setup > Management
If using a Service Route for a specific service, that traffic has to be allowed by security policy
Authentication
Only users created under Device > Administrators can log in to the firewall unless an authentication profile is configured in the Device > Management > Authentication Settings section
Local Database
Create Local Users
Device > Local User Database > Users
Create Authentication Profile
Device > Authentication Profile, in the Advanced tab select the local user created above
Link Admin account
Device > Administrators > Select Authentication Profile created in step 2
Admin Roles can be created under Device > Admin Roles and assigned to users
LDAP/Radius Authentication
Create Server Profile
Device > Server Profiles > LDAP
Create Authentication Profile
Device > Authentication Profile, in Advanced tab select user
Link Admin Account
Device > Administrator > Select Authentication Profile created in step 2
Note: For Radius, remember to push admin role
Authentication Sequence
Useful for migration scenarios
Create Authentication Sequence
Device > Authentication Sequence
Security and NAT Policy
Policies > Security
Action:
Drop: silent block
Deny: the best-practice action to use generally; it applies the default deny action defined for the application
Reset Both Client and Server: send a reset to both client and server; TCP uses TCP RST, UDP uses ICMP Unreachable
Log:
Log at Session Start: Used when troubleshooting
Log at Session End: Always
For a Deny policy, it's advised to set the application to any instead of application-default
By default:
intrazone traffic is allowed
interzone traffic is blocked
The default rules can't be edited directly; select the rule and click Override before editing
Policies > NAT
NAT policies use pre-NAT information
Application Usage with App-ID
Configure Application Group
Objects > Application Groups
Add Application to Security Policy
Policies > Security
Classifying TCP Traffic
not-applicable (SYN): traffic dropped per policy before the application was identified
incomplete (SYN/ACK): the 3-way handshake didn't complete or was followed by no data
insufficient-data (data transferring): not enough payload for identification
unknown-tcp or unknown-p2p: unidentified traffic
Classifying UDP Traffic
not-applicable: Traffic dropped per policy before application identified
unknown-udp or unknown-p2p: unidentified traffic
Application Block page
Device > Response Pages > Application Block Page
Response Pages must also be enabled in the Interface Management Profile assigned to the firewall interface that needs to send the response
Application Shift
Network traffic can shift from one application to another during a session
Implicitly uses: informational only, handled automatically by the firewall
Depends on: the dependency needs to be allowed by administrators
Custom Application and Application Override
Objects > Application > Add
Policies > Application Override: For custom or internal application
Policy Optimizer
Policies, under Policy Optimizer > Rules without App Controls: shows which applications were seen on rules that have no application control
Security Profiles
Antivirus
Objects > Security Profiles > Antivirus
Vulnerability Protection
Objects > Security Profiles > Vulnerability Protection
File Blocking
Objects > Security Profiles > File Blocking
Data Filtering
Need to remove the DLP plugin first: Device > Plugins
Objects > Custom Objects > Data Patterns
Objects > Security Profiles > Data Filtering
Anti-Spyware
Objects > Security Profiles > Anti-Spyware
Block domain using EDL
Sinkhole
Honey Spot
Intercepts the DNS query and uses the firewall's IP address as the answer in the DNS reply
External Dynamic Lists
Objects > External Dynamic Lists
When adding domain entries, remember to add a trailing / to match the domain exactly, e.g. abc.com without a / will also match abc.com.site.com, but abc.com/ will match abc.com only
Under Anti-Spyware Profiles > DNS Policies > External Dynamic List, the list created earlier will be available
URL Filtering
Objects > Security Profiles > URL Filtering
URL Filtering can be applied directly in the Security Policy or via Security Profiles
The difference is that Security Profiles can log both allowed and blocked URLs, and the response page includes the URL category
Applied directly in the Security Policy: the response page only has application information, without the category
Action:
Allow: Allow without log
Alert: Allow and Log
Custom URL Category: Objects > Custom Objects > URL Category
A URL Filtering license is needed to query PAN-DB
Return Verdict:
PAN-DB doesn't know the URL -> unknown
PAN-DB is not available -> not-resolved
Classified in many categories -> the category with the most strict URL Filtering profile action is enforced. From most to least strict, the actions are block, override, continue, alert, and allow.
If having custom category, EDL and PANDB applied: order of action is from custom category then EDL and lastly PANDB
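The verdict rules above (several PAN-DB categories, and custom category before EDL before PAN-DB) together with the EDL trailing-slash rule from the External Dynamic Lists section, modelled as an added example that is not Palo Alto Networks code; the profile, category names and hosts are constructed for illustration.

```python
# Added example (not Palo Alto Networks code): models the URL Filtering verdict rules
# in these notes, including the EDL trailing-slash rule. Sample data is constructed.

# Profile actions from most to least strict.
STRICTNESS = ["block", "override", "continue", "alert", "allow"]

def edl_matches(entry, host):
    """Trailing-slash rule: 'abc.com/' matches abc.com only; 'abc.com' (no slash)
    also matches hosts that start with it, e.g. abc.com.site.com."""
    if entry.endswith("/"):
        return host == entry[:-1]
    return host.startswith(entry)

def strictest(actions):
    """Return the most strict action among those given."""
    return min(actions, key=STRICTNESS.index)

def url_verdict(host, custom, edls, pandb, profile, pandb_available=True):
    """Return (category, action) for host.
    custom: {category: [hosts]}, edls: {category: [entries]},
    pandb: {host: [categories]}, profile: {category: action}.
    Precedence: custom category, then EDL, then PAN-DB."""
    for name, hosts in custom.items():
        if host in hosts:
            return name, profile[name]
    for name, entries in edls.items():
        if any(edl_matches(e, host) for e in entries):
            return name, profile[name]
    if not pandb_available:
        return "not-resolved", profile["not-resolved"]
    cats = pandb.get(host, ["unknown"])
    # Several PAN-DB categories: the strictest configured action is enforced.
    return ",".join(cats), strictest(profile[c] for c in cats)

# Constructed sample profile and sources (hypothetical names).
PROFILE = {"hacking": "block", "social-networking": "continue",
           "business-and-economy": "alert", "unknown": "alert", "not-resolved": "allow",
           "blocked-edl": "block", "allowed-custom": "allow"}
CUSTOM = {"allowed-custom": ["intranet.example.com"]}
EDLS = {"blocked-edl": ["abc.com/", "blocked.example"]}
PANDB = {"www.example.com": ["business-and-economy", "social-networking"],
         "intranet.example.com": ["hacking"]}

def demo(host, available=True):
    """Resolve a host against the constructed sample data."""
    return url_verdict(host, CUSTOM, EDLS, PANDB, PROFILE, available)
```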
Action:
Allow - no log
Alert - log only
Block
Continue
Override: redirect to a web page where the user has to enter a predefined password
Change the category of a site: click Request Change URL Category in Security Profiles or in the detail view of the log
WildFire Analysis
Detect whether a file is malicious using cloud sandboxing and signatures
Objects > Security Profiles > Wildfire Analysis
debug wildfire monitor-log settings
debug wildfire monitor-log interval 1
debug wildfire upload-log show
Security Profile Group
Objects > Security Profile Groups
SSL Decryption
Device > Certificate Management > Certificates. Need to generate 2 certificates: one for forward trust and one for forward untrust
The certificate used to sign the certificates sent to clients must be a Certificate Authority
After generating, open the certificate and select Forward Trust or Forward Untrust
All clients must trust the firewall's trust certificate but not the untrust certificate, so when the firewall re-signs an untrusted website's certificate it uses the untrust certificate and the client browser still sees a warning
Policy > Decryption
Default action is allow; to block, a decryption profile is needed
User-ID
Enable User-ID by Zone
AD Integration Configuration
Monitor
Monitor > Log > Traffic: Traffic log from Security Policy
Monitor > Log > Threat: Threat Log from Security Profiles
Monitor > Log > URL Filtering: URL Filtering Log
Monitor > Log > WildFire Submissions
Monitor > Log > User-ID corresponds to show user ip-user-mapping all (in the CLI)
Log filter
(subtype eq auth): search the authentication log
addr.dst eq 8.8.8.8
( addr.dst in 8.8.8.8 ) and ( app eq ping )
rule eq 'intrazone-default'
app eq paloalto-updates
action neq allow
action eq block-url
category eq hacking
user.src eq 'domain\user'
flags has proxy
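An added evaluator for the filter syntax above (example code, not part of PAN-OS). It runs the notes' expressions over constructed log entries and assumes in means IP or subnet membership and has means a multi-valued field contains the value, so it also handles subnet filters such as 10.1.1.0/24 beyond the single-address examples above.

```python
import ipaddress
import re

# Constructed sample log entries (not real firewall output); keys mirror the filter fields above.
LOGS = [
    {"subtype": "end", "addr.dst": "8.8.8.8", "app": "ping", "action": "allow",
     "rule": "intrazone-default", "user.src": "domain\\user", "flags": {"proxy"}},
    {"subtype": "end", "addr.dst": "10.1.1.5", "app": "paloalto-updates", "action": "block-url",
     "rule": "interzone-default", "user.src": "domain\\bob", "flags": set()},
    {"subtype": "auth", "addr.dst": "10.1.1.9", "app": "web-browsing", "action": "deny",
     "rule": "deny-out", "user.src": "domain\\user", "flags": set()},
]
# Tokens: parentheses, single-quoted values, or bare words.
TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")

def _match(entry, field, op, value):
    """Evaluate one 'field op value' clause against a log entry."""
    actual = entry.get(field)
    if op == "eq":
        return actual == value
    if op == "neq":
        return actual != value
    if op == "in":  # modelled as IP/subnet membership (assumption; 8.8.8.8 is a /32)
        return actual is not None and ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    if op == "has":  # multi-valued field (e.g. flags) contains the value
        return actual is not None and value in actual
    raise ValueError(f"unsupported operator: {op}")

def _term(tokens, pos, entry):
    """term := '(' expr ')' | field op value"""
    if tokens[pos] == "(":
        result, pos = _expr(tokens, pos + 1, entry)
        if tokens[pos] != ")":
            raise ValueError("expected ')'")
        return result, pos + 1
    field, op, value = tokens[pos:pos + 3]
    return _match(entry, field, op, value.strip("'")), pos + 3

def _expr(tokens, pos, entry):
    """expr := term (('and' | 'or') term)*, evaluated left to right"""
    result, pos = _term(tokens, pos, entry)
    while pos < len(tokens) and tokens[pos] in ("and", "or"):
        rhs, nxt = _term(tokens, pos + 1, entry)
        result = (result and rhs) if tokens[pos] == "and" else (result or rhs)
        pos = nxt
    return result, pos

def filter_logs(expr, logs=LOGS):
    """Return the entries matching a PAN-OS-style log filter expression."""
    tokens = TOKEN.findall(expr)
    return [entry for entry in logs if _expr(tokens, 0, entry)[0]]
```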
Config Audit
Device > Setup > Management > Require audit comment on policies
CLI
Delete a logged-on admin session: delete admin-sessions username $username
show session all filter nat source nat-rule $natrulename [count yes]: view sessions matching a NAT rule