Introduction to Palo Alto

Firewall is a network security device that permit or denies network access to traffic flows between an untrusted zone and a trusted zone. Palo Alto Firewall is one of the globally coveted and widely preferred Security Firewall in enterprise cyber security space. Infact, due to its efficacy and security features, Palo Alto earned itself place in Leaders Quadrant of Gartner Magic Quadrant.

In this article we will understand the Administration & Management of Palo Alto –

Features and Benefits of Palo Alto

• Application-based policy enforcement (App-ID)
• User identification (User-ID)
• Threat prevention
• URL filtering
• Traffic visibility
• Networking versatility and speed
• Global Protect
• Fail-safe operation
• Malware analysis and reporting
• VM-Series firewall
• Management and Panorama

Firewall Administration:

Configuration, Management and Monitoring of Palo Alto firewalls can be performed via web interface, CLI and API management interface. Administrator can customize role-based access to the management interfaces for specific tasks or permissions.

Roles and authentication method are defined by administrator. Authentication method relies on a local firewall database or an external service. If you have already configured the authentication profile or you will use Local Authentication without a firewall database. Below are steps to configure profile on firewall.

Select Device > Add an account.

1.Enter a user Name

Account will be added in local database of firewall. Enter the name that you specified for the account in the database (see Add the user group to the local database.)

2.Select an Authentication Profile or sequence if you configured either for the administrator.

Select None (default) and enter a Password.

3.Select the Administrator Type.

If a custom role is configured for the user, select Role Based and select the Admin Role Profile.

4.(Optional) Select a Password Profile for administrators that the firewall authenticates locally without a local user database.

5.Click OK and Commit.

Keywords and Options:

Administration and Maintenance for the firewall can be done by defining Management Settings. Below are the keywords and options wrt each keyword/feature –

General

Select the Device > Setup > Management > General Settings

• Hostname
• Domain
• Login Banner
• Time Zone
• Locale
• Time
• Serial Number
• Geo Location
• Automatically acquire commit lock
• Certificate Expiration Check
• Multi Virtual System Capability

Authentication

Select the Device > Setup > Management > Authentication Settings

• Authentication Profile
• Certificate Profile
• Idle Timeout
• Failed Attempts
• Lockout Time

Panorama

Select the Device > Setup > Management > Panorama Settings

• Panorama Servers
• Receive Timeout for connection to device/Panorama
• Send Timeout for connection to device/Panorama
• Retry Count for SSL send to device/Panorama
• Share Unused Address and Service Objects with Devices (Panorama only)
• Shared Objects Take Precedence (Panorama only)

Management Interface

Select the Device > Setup > Management > Management Interface Settings

• MGT Interface Speed
• MGT Interface IP Address
• Netmask
• Default Gateway
• MGT Interface IPv6 Address
• Default IPv6 Gateway
• MGT Interface Services
• Permitted IPs

Logging and Reporting

Select the Device > Setup > Management > Logging and Reporting Settings

• Log Storage
• Max Rows in User Activity Report
• Max Rows in CSV Export
• Number of Versions for Config Audit
• Number of Versions for Config Backups
• Average Browse Time (sec)
• Page Load Threshold (sec)
• Send Hostname in Syslog
• Stop Traffic when LogDb full
• Enable Log on High DP Load
• Buffered log forwarding from device
• Get Only New Logs on Convert to Primary
• Only Active Primary Logs to Local Disk

Password Complexity

Select the Device > Setup > Management > Minimum Password Complexity

• Enabled
• Minimum Length
• Block Repeated Characters
• Expiration Warning Period (days)
• Post Expiration Grace Period (days)
• Allowed expired admin login (count)

Operations

Defining Operations Settings

Select the Device > Setup > Operations

• Validate candidate Config
• Revert to last saved Config
• Revert to running config
• Save named configuration snapshot
• Save candidate config.
• Load named configuration snapshot
• Load configuration version
• Export named configuration snapshot
• Export configuration version
• Export device state
• Import named config snapshot
• Import device state

Device Operations

Select the Device > Setup > Device Operations

• Reboot Device
• Shutdown Device
• Restart Data Plane

Services

Defining Services Settings

Select the Device > Setup > Services

• DNS
• Primary DNS Server
• Secondary DNS Server
• Primary NTP Server
• Secondary NTP Server
• Update Server

Proxy

Select the Device > Setup > Proxy Server

• Server
• Port
• User
• Password/Confirm Password
• Service Route Configuration

Content

Defining Content ID Settings

Select the Device > Setup > Content-ID

• URL Filtering
• Dynamic URL Cache Timeout
• URL Continue Timeout
• URL Admin Override Timeout
• URL Admin Lockout Timeout
• x-forwarded-for
• Strip-x-forwarded-for
• Allow Forwarding of Decrypted Content

URL Admin Override

Select the Device > Setup > Content-ID > URL Admin Override

• Settings for URL Admin Override
• Manage Data Protection
• Container Pages

Session

Defining Session Settings

Select the Device > Setup > Session

• Rematch Sessions
• ICMPv6 Token Bucket Size
• ICMPv6 Error Packet Rate
• Jumbo Frame/Jumbo Frame MTU
• Enable IPv6 Firewalling
• NAT64 IPv6 Minimum Network MTU
• Accelerated Aging

Session Features

Select the Device > Setup > Session > Session Features

• Decryption Certificate Revocation Settings
• Enable
• Receive Timeout
• Enable OCSP
• Receive Timeout
• Block Session with Unknown Certificate Status
• Block Session On Certificate Status
• Check Timeout Certificate Status
• Timeout

SNMP

Select the Device > Setup > Operations

• SNMP Setup
• Physical Location
• Contact
• Version

Statistics Service

Select the Device > Setup > Operations

• Application and Threat Reports
• Unknown Application Reports
• URL Reports
• Device traces for crashes

Management options:  

Note – Do not enable management access from the internet or from other untrusted zones

• Use the Command Line Interface (CLI) to perform a series of tasks by entering commands in rapid succession over SSH (recommended), Telnet, or the console port.
• Use the Web Interface to perform configuration and monitoring tasks with relative ease. GUI allows you to access the firewall using HTTPS (recommended) or HTTP and it is the best way to perform administrative tasks.
• Use the XML API to streamline your operations and integrate with existing, internally developed applications and repositories. XML API can be implemented using HTTP/HTTPS requests and responses.
• Use Panorama to perform web-based management, reporting, and log collection for multiple firewalls. Panorama web interface is somewhere same as the firewall web interface but with additional functions for centralized management.

Physical Interface Types:

Palo Alto has five types of interfaces enlisted as below:

1. Tap mode – This interface simply listens to a span/mirror port of a switch
2. Virtual wire – This type is used to logically bind two Ethernet interfaces together, hence allowing all traffic to pass between the interfaces.
3. L2 – In this mode, multiple interfaces can be configured into a “virtual-switch” or VLAN.
4. L3 – In this mode, IP address is required. This interface includes all layer-3 operations.
5. HA – On all devices except the 4000 and 5000 series, you must configure two traffic ports as the HA ports.

Logical Interface Types:

Below are the types of logical interfaces supported on Paloalto Firewall:

• Sub interfaces (802.1q)
  • Up to 4094 VLAN supported per port
  • Max of 4094 VLANs per system
• Aggregate interfaces (802.3ad)
  • Only on PA-4000 and PA-5000 series
  • Up to 8 physicals 1 Gig interfaces can be placed into an aggregate group
  • Up to 8 aggregate groups are supported per device
  • Each interface in a group must be the same physical media (all copper, or all fiber)
• Tunnel interfaces– Used for IPsec or SSL VPNs
• Loopback interfaces

Available Features in Different Interface Modes

• Vwire
  • No VPN
  • No “auto” setting for HA passive link
• L2
  • No VPN
  • No NAT (FYI in PAN-OS 4.1 you can do NAT in Vwire mode)
  • No “auto” setting for HA passive link
  • If IPv6 is passing, security policies can be written for this traffic
  • No Multicast support
• L3
• If IPv6 is passing, security policies can be written for this traffic

Interface Management

• An interface management profile specifies which protocols can be used to manage the firewall.
• Management profile can be assigned to:
  • L3 interfaces
  • Loopback interfaces
  • VLAN interfaces

Device Management

• Managing the firewall (via GUI, SSH, etc.) is performed via the MGT interface on the PAN by default.
• You can specify different physical interfaces to use for specific management services via Device tab -> Setup -> Service Route Configuration.

Related – Palo Alto CLI Cheatsheet