Palo Alto Networks Administrator's Guide
Release 3.1
Table of Contents
Preface (page 9)
Chapter 1, Introduction (page 13)
Chapter 2, Getting Started (page 17)
Chapter 3, Device Management (page 23)
Chapter 4, Network Configuration (page 81)
  About Firewall Deployment (page 82)
    About Virtual Wire Deployments (page 82)
    About Layer 2 Deployments (page 83)
    About Layer 3 Deployments (page 83)
    About Tap Mode Deployments (page 83)
    About Point-to-Point Protocol over Ethernet Support (page 84)
    Defining Virtual Wires (page 84)
  About Firewall Interfaces (page 85)
    About Aggregate Interface Groups (page 86)
    Viewing the Current Interfaces (page 86)
    Configuring Layer 2 Interfaces (page 87)
    Configuring Layer 2 Subinterfaces (page 88)
    Configuring Layer 3 Interfaces (page 88)
    Configuring Layer 3 Subinterfaces (page 90)
Chapter 5, Policies and Security Profiles (page 119)
Chapter 7, Configuring IPSec Tunnels (page 189)
Chapter 8, Configuring SSL VPNs (page 205)
Chapter 9, Configuring Quality of Service (page 211)
Chapter 10, Panorama Installation (page 219)
Chapter 11, Central Management of Devices (page 223)
Appendix A, Custom Pages (page 231)
  Default Antivirus Response Page (page 231)
  Default Application Block Page (page 233)
  Default File Blocking Block Page (page 233)
  Default URL Filtering Response Page (page 234)
  Default Anti-Spyware Download Response Page (page 235)
Appendix B, Application Categories, Subcategories, Technologies, and Characteristics (page 239)
  Application Categories and Subcategories (page 239)
  Application Technologies (page 241)
  Application Characteristics (page 241)
Appendix C, Federal Information Processing Standards Support (page 243)
Appendix D, Open Source Licenses (page 245)
Index (page 265)
Preface
This preface contains the following sections:
• “About This Guide” in the next section
• “Organization” on page 9
Organization
This guide is organized as follows:
• Chapter 1, “Introduction”—Provides an overview of the firewall.
• Chapter 6, “Reports and Logs”—Describes how to view the reports and logs provided
with the firewall.
Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.
NOTE: Indicates helpful suggestions or supplementary information.
CAUTION: Indicates actions that could cause loss of data.
Related Documentation
The following additional documentation is provided with the firewall:
• Quick Start
• Online help—Click Help in the upper-right corner of the web interface to access the
online help system.
Technical Support
For technical support, use the following methods:
• Go to http://support.paloaltonetworks.com.
• Threat prevention—Threat prevention services that protect the network from viruses,
worms, spyware, and other malicious traffic can be varied by application and traffic
source (refer to “About Security Profiles” on page 132).
• Networking versatility and speed—The firewall can augment or replace your existing
firewall, and can be installed transparently in any network or configured to support a
switched or routed environment. Multi-gigabit speeds and a single-pass architecture
provide all services with little or no impact on network latency.
• CLI—Text-based configuration and monitoring over Telnet, Secure Shell (SSH), or the
console port (refer to the PAN-OS Command Line Interface Reference Guide).
• Simple Network Management Protocol (SNMP)—Supports RFC 1213 (MIB-II) and RFC
2665 (Ethernet interfaces) for remote monitoring, and generates SNMP traps for one or
more trap sinks (refer to “Defining SNMP Trap Destinations” on page 63 and “SNMP
MIBs” on page 245).
• Syslog—Provides message generation for one or more remote syslog servers (refer to
“Defining Syslog Servers” on page 64).
This chapter describes how to set up and start using the firewall:
• “Preparing the Firewall” in the next section
3. Obtain an IP address from your system administrator for configuring the management
port on the firewall.
4. Set the IP address on your computer to 192.168.1.2 and the subnet mask to 255.255.255.0.
2. Start your computer. Assign a static IP address to your computer on the subnet 192.168.1.0
(for example, 192.168.1.5).
The browser automatically opens the Palo Alto Networks login page.
4. Enter admin in both the Name and Password fields, and click Login. The system presents
a warning that the default password should be changed. Click OK to continue.
5. On the Device tab, click the Quick Start Setup link to open the Quick Start page.
a. In the Management Configuration area, enter the IP address of the Domain Name
Service (DNS) server. Enter the IP address or host and domain name of the Network
Time Protocol (NTP) server and select your time zone. If you do not use NTP, you can
enter a time manually on the Setup page. Refer to “About System Setup,
Configuration, and License Management” on page 66.
b. If this is the first Palo Alto Networks firewall for your company, click the Support link
and register the firewall. If you have already registered a firewall, you have received a
user name and password and the license authorization code for any optional features.
Enter these on the page. Use a space to separate multiple authorization codes.
c. Select the Update Application and Threat Content check box to automatically update
the firewall with the latest application and threat data. Select the Update Software
check box to update the firewall with the latest available software.
8. Click admin.
9. In the New Password and Confirm New Password fields, enter and confirm a case-sensitive password (up to 15 characters).
• To display submenu items, click the icon to the left of an item. To hide submenu
items, click the icon to the left of the item.
• On most configuration pages, you can click New to create a new item.
• To delete one or more items, select their check boxes and click Delete. In most cases, the
system prompts you to confirm by clicking OK or to cancel the deletion by clicking
Cancel.
• On some configuration pages, you can select the check box for an item and click Clone to
create a new item with the same information as the selected item.
• After you configure settings, you must click OK or Save to store the changes. When you
click OK, the current “candidate” configuration is updated. Clicking Commit at the top of
the page applies the candidate configuration to the active configuration, which activates
all configuration changes since the last commit. For more information about committing
changes, refer to “Managing Configurations” on page 72.
• To view help information on a page, click the icon in the upper-right area of the page.
This chapter describes how to perform basic system configuration and maintenance for the
firewall and includes overviews of the virtual systems, high availability, and logging
functions:
• “About Virtual Systems” in the next section
For example, if you want to customize the security features for the traffic that is associated
with your Finance department, you can define a Finance virtual system and then define
security policies to apply only to that department.
Figure 3 illustrates the relationship between policies and virtual systems in the firewall.
Policies are associated with individual virtual systems, by contrast with device and network
level functions, which apply to the overall firewall.
To optimize policy administration, you can create virtual system administrator accounts that
allow access to individual virtual systems, while maintaining separate administrator accounts
for overall device and network functions. For example, a virtual system administrator in the
Finance department can be assigned to manage the security policies only for that department.
Initially all interfaces, zones, and policies belong to the default virtual system (vsys1).
When you enable multiple virtual systems, note the following:
• All items needed for policies are created and administered by a virtual systems
administrator.
• Zones are objects within virtual systems. Before defining a policy or policy object, select
the virtual system from the Virtual System drop-down list on the Policies or Objects tab.
• Interfaces, VLANs, virtual wires, and virtual routers can be assigned to virtual systems.
Refer to “Defining Virtual Systems” on page 27.
• Remote logging destinations (SNMP, syslog, and email), as well as applications, services,
and profiles, can be shared by all virtual systems or be limited to a selected virtual system.
Shared Gateways
In a standard virtual system interface configuration, each virtual system uses a dedicated
interface to the outside world. Each virtual system is autonomous, and there are no direct
communication paths among the virtual systems that are internal to the firewall, unless such
communications are explicitly configured (refer to “Communications Among Virtual
Systems” on page 25). Because each virtual system has its own IP address, multiple addresses
are required for external communications.
Shared gateways allow virtual systems to share a common interface for external
communications. This is especially helpful in deployments where the Internet Service
Provider (ISP) provides only a single IP address. All of the virtual systems communicate with
the outside world through the physical interface using a single IP address (see Figure 6). A
single virtual router is used to route the traffic for all of the virtual systems through the shared
gateway.
[Figure 6: the virtual systems reach the Internet through a shared gateway that uses a single external IP address, x.x.x.x]
All policy rules are managed at the virtual system level. However, you can create NAT and
policy-based forwarding rules through the shared gateway, if needed, by selecting the shared
gateway from the Virtual System drop-down list on the policy screen.
To define virtual systems, you must first enable the definition of multiple virtual systems. To
do so, open the Device > Setup page, click Edit in the Multi Virtual System Capability table,
and select the Allow multiple virtual systems check box. This adds a Virtual Systems link to
the side menu.
You can now open the Virtual Systems page, click New, and specify the following
information.
After defining the virtual systems, you can perform any of the following additional tasks:
• To change a virtual system, click the virtual system name or the name of the interface,
VLAN, virtual wire, virtual router, or visible virtual systems you want to change, make
the appropriate changes, and click OK.
• To define security zones for the new virtual system, choose Network > Zones and define
security zones for each new virtual system (refer to “Defining Security Zones” on
page 97). When you define a new zone, you can now select a virtual system.
• Click Network > Interfaces and verify that each interface has a virtual system and
security zone.
Shared gateways use Layer 3 interfaces, and at least one Layer 3 interface must be configured
to configure a shared gateway. Refer to “Configuring Layer 3 Interfaces” on page 88.
To add a shared gateway, click New, and specify the following information.
• If the active firewall fails, then the passive firewall detects that heartbeats are lost and
automatically becomes active.
• If one high availability interface fails, synchronization continues over the remaining
interface. If the state synchronization connection is lost, then no state synchronization
occurs. If the configuration synchronization is lost, heartbeats are lost. Both devices
determine that the other is down, and both become active.
Note: In an active/passive pair, both firewalls must be the same model and have the same
licenses. If state synchronization is enabled, sessions continue after a switchover;
however, threat prevention functions do not continue.
Note: On the PA-2000 Series and PA-500 firewalls, you specify the data ports to use for
high availability. On the PA-4000 Series, there are dedicated physical ports for high
availability.
2. Mount the passive firewall on a rack near the active firewall, and power it up as described
in the Hardware Reference Guide. If this is an existing installation, perform a factory reset in
maintenance mode by selecting the Factory Reset option from the main menu. Refer to
the PAN-OS Command Line Interface Reference Guide.
3. Connect the passive firewall to your network and the Internet using the same physical
ports as the active firewall.
4. Using two crossover RJ-45 Ethernet cables, connect the HA1 and HA2 ports on the
passive firewall to the HA1 and HA2 ports on the active firewall, or connect the ports on
both firewalls to a switch.
Note: On the PA-2000 and PA-500 Series, you must use the traffic interfaces for
high availability. For example, connect the ethernet1/15 interfaces to each other
and the ethernet1/6 interfaces to each other.
5. Open the Network tab and verify that the high availability links are up. Configure each to
be of the type high availability.
6. Configure high availability settings on the active and passive firewalls. Refer to “Enabling
High Availability on the Firewall” on page 30.
After setting up high availability as described in “Setting Up High Availability” on page 29,
you can enable high availability on both the active and passive firewall. For each section on
the High Availability page, click Edit in the header, and specify the corresponding
information described in the following table.
Control Link
• Port (if supported on your firewall model): Select the HA port.
• IP Address: Enter the IP address of the HA1 interface for the current firewall.
• Netmask: Enter the network mask for the IP address, such as “255.255.255.0”.
• Encryption: Select the check box if you want to encrypt communications over the high availability link, and enter a passphrase. The same passphrase must be entered in both firewalls.
• Monitor Hold Time (ms): Enter the length of time (milliseconds) that the system will wait before determining that the control link is down (1000-60000 ms, default 3000 ms).
• Link Speed (PA-4000 only): Select the speed for the data link between the active and passive firewalls.
• Link Duplex (PA-4000 only): Select a duplex option for the data link between the active and passive firewalls.
Data Link
• Port (if supported on your firewall model): Select the high availability port.
• Enable State Synchronization: Select the check box to enable synchronization of the configuration and session information with the passive firewall.
• Link Speed (PA-4000 only): Select the speed for the control link between the active and passive firewalls.
• Link Duplex (PA-4000 only): Select a duplex option for the control link between the active and passive firewalls.
Link Monitoring
• Enabled: Select the check box to enable link monitoring. Link monitoring allows failover to be triggered when a physical link or group of physical links fails. Use link monitoring for virtual wire or Layer 3 configurations.
• Failure Condition: Select whether a failover occurs when any or all of the monitored link groups fail.
• Link Groups: Define one or more link groups to monitor specific Ethernet links. To add a link group, specify the following and click Add:
  – Name—Enter a link group name.
  – Enabled—Select the check box to enable the link group.
  – Failure Condition—Select whether a failure occurs when any or all of the selected links fail.
  – Interfaces—Select one or more Ethernet interfaces to be monitored (multiple addresses must be separated by commas).
  To delete a link group, select the group, and click Delete.
• The Preemptive option must be enabled on both devices for the higher priority firewall to
resume active operation upon recovery following a failure.
• The subnet that is used for the local and peer IP should not be used anywhere else on the
virtual router.
• The OS and Content versions should be the same on each device. A mismatch can
prevent the devices in the cluster from synchronizing.
• The HA1 MAC address for each firewall is unique, but the HA2 MAC address is the same
on both devices.
• The LEDs are green on the high availability ports for the active firewall and amber on the
passive firewall.
• To test failover, pull a cable on the active device, or put the active device into a suspend
state by issuing the CLI command request high-availability state suspend. You can also
suspend the active device by pressing the Suspend link at the top right corner of the High
Availability configuration page on the Device tab.
• To place a suspended device back into a functional state, use the CLI command
request high-availability state functional.
• To view detailed high availability information about the local firewall, use the CLI
command show high-availability all.
• To compare the configuration of the local and peer firewalls, use the CLI command
show high-availability state from either device. You can also compare the configurations
on the local and peer firewalls using the Config Audit tool on the Device tab by selecting
the desired local configuration in the left selection box and the peer configuration in the
right selection box.
• Synchronize the firewalls from the web interface by pressing the Push Configuration
button located in the high availability widget on the ACC tab. Note that the configuration
on the device from which you push the configuration overwrites the configuration on the
peer device. To synchronize the firewalls from the CLI on the active device, use the
command request high-availability sync-to-remote running-config.
• To follow the status of the load, use the CLI command show jobs processed.
• For Active Directory, a direct connection is required to all Domain Controllers to monitor
user session activity and determine the user IP addresses.
• For eDirectory, when a user logs in, the IP address information is stored in eDirectory and
retrieved by the User-ID Agent.
• For eDirectory, the host PC is polled to verify IP address and user information using WMI
or NetBIOS. This occurs every 20 minutes to verify that the IP address-to-user name
mapping is still correct and when an IP address is seen that does not have an associated
user name.
• The User-ID Agent API is used to send information on user IP addresses to the User-ID
Agent.
• For eDirectory and other Lightweight Directory Access Protocol (LDAP) based
directories, the device queries the directory directly for user and group information.
The following figure shows how the Active Directory and eDirectory/LDAP methods are
applied. For Active Directory, the User-ID Agent associates users and groups and performs
the user-IP address mapping. For eDirectory, the firewall associates the users and groups
while the User-ID Agent performs the user-IP address mapping.
[Figure: with LDAP and/or eDirectory, the firewall is responsible for user/group membership and the User-ID Agent is responsible for IP-address mapping]
Note: User identification mapping requires that the firewall obtain the source IP
address of the user before the IP address is translated with NAT. If multiple users
appear to have the same source address, due to NAT or use of a proxy device,
accurate user identification is not possible.
In addition to the User-ID Agents, the firewall supports a Terminal Services Agent (TS agent)
that allows the firewall to identify individual users who are supported by the same terminal
server. The firewall also supports captive portals for situations in which the User-ID Agent is
unable to associate a user with an IP address.
• If the action for the rule is “web form,” a web form is presented to the user to prompt for
a password.
• If the action for the rule is “NTLM” and the browser is Internet Explorer or Firefox, the
firewall performs an NTLM authentication challenge (transparent to the user). If another
browser is used, the web form is presented.
If the above-mentioned captive portal rules do not apply because the traffic is not HTTP/
HTTPS or there is no rule match, then the firewall applies its IP-based security policies (as
opposed to user-based security policies).
Follow the instructions in this section to configure the firewall for IP address-to-user
mappings and to set up captive portals.
To specify the User-ID Agent for IP address-to-user mappings, click Add in the User
Identification area and specify the following information.
To enable captive portal and configure RADIUS servers to authenticate users who enter
through captive portals, click Edit in the Captive Portal area and specify the following
settings.
To specify LDAP servers for user identification, click Add in the LDAP Server area and
specify the following information.
Note: If the multiple virtual system capability is on, you can configure one or more agents
per virtual system. This is useful to separate user identification in support of ISPs or other
entities that maintain separate user records.
4. Choose a local system account with Server Operator privileges, or select This Account
and browse or enter information for an account with Server Operator privileges.
• “About Security Profile Groups” on page 158—Describes how to set up captive portal
policies.
To install the User-ID Agent, open the installer file and follow the on-screen instructions.
• Get Groups—Lists the groups that were retrieved from the directory. Select a group to
display its individual members.
• LDAP—Displays the group and user hierarchy from the directory, based on LDAP. Click
Get LDAP tree to refresh this information.
• Filter Group Members—Configures the groups from which the agent extracts users.
Only the users that belong to the selected filtered groups are read from the Domain
Controller. This option can minimize the traffic between the User-ID Agent and the
Domain Controller, and thereby improve overall performance. This approach is effective
if there are numerous groups but only a few are intended for use in device policy.
• Ignore Groups—Configures the groups with users that the User-ID Agent should ignore.
If this option is set, then the users that belong to one of the selected ignored groups are
added to the ignore user list for this User-ID Agent.
3. Enter a fully qualified domain name and the port number that you want to assign for
communications regarding user identification information. The port number should be
higher than 1024.
4. In the Domain Controller Address area, enter the IP address of a domain controller (such
as an Active Directory server) that hosts user identification information, and click Add.
Repeat to add any additional domain controllers.
5. Select the Allow Distribution Groups check box to allow distribution groups to be part of
the information sent to the firewall.
6. Select the Disable NetBIOS Probing check box if you want to disable WMI/NetBIOS
probing for each workstation. When this check box is selected, the User-ID Agent relies
only on security logs and session information. If you do not disable probing, select
whether to use NetBIOS (default) or WMI.
Note: For WMI polling to work effectively, the PanAgent service must be
configured with a Domain Administrator account, and each probed client PC must
have a Remote Administration exception configured in the Windows Firewall. If
you use another software firewall, you must add the port exceptions listed in the
document at this location: http://msdn.microsoft.com/en-us/library/ms809327.aspx
7. Select the Enable Group Cache check box to enable the user-group membership cache.
When this check box is selected, the user-group membership is cached; when the User-ID
Agent is restarted, it first reloads the user-group membership from the cache to speed up
the restart process.
– Age-out Timeout—Timeout value for user entries. If there are no successful polls,
security logs, or other information during this interval to indicate that the user is still
at this IP address, the IP-to-user mapping is removed. If this field is left blank, the
default timeout value 45 minutes is used. If NetBIOS Probing is disabled, entries do
not time out.
– Security Log Timer—Frequency at which the security log is read. Default is 1 second.
– Server Session Timer—Frequency at which the server session table is read from the
Domain Controller.
9. In the Allow List area, enter the IP address and network mask of a subnet that you want
to scan for users and click Add. Use the format ip_address/mask (for example, 10.1.1.1/24)
in the IP Address and Subnet Mask field. Repeat to add additional subnets. You must
specify at least one network.
10. In the Ignore List area, enter the IP address and network mask of any subnet that you
want to explicitly exclude from scans, and click Add. Use the format ip_address/mask (for
example, 10.1.1.1/24) in the IP Address and Subnet Mask field. Repeat to exclude
additional subnets.
The User-ID Agent is restarted if the configuration is saved successfully. You can also
click the OK button to save the configuration and restart the User-ID Agent. If you do not
want to restart the User-ID Agent, click Cancel to close the dialog box.
Note: During normal operation, the left side of the Palo Alto Networks User-ID
Agent window displays information about users and groups. To display the
detailed log information, choose File > Show Logs.
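Steps 9 and 10 above, together with the Age-out Timeout setting, define how the agent decides which IP-to-user mappings to keep: an address is recorded only if it is inside an Allow List subnet and outside every Ignore List subnet (the same allow-then-ignore rule the eDirectory agent applies in its Network Address Allow/Ignore List), and a mapping is dropped once no poll, security-log entry or other evidence has refreshed it within the timeout (default 45 minutes), except that entries never time out when NetBIOS probing is disabled. The following Python is an added example, not code from this guide or from Palo Alto Networks, that models those rules; the class and function names and the sample addresses are assumptions for illustration.

```python
"""Model of User-ID Agent Allow/Ignore List scoping and Age-out Timeout handling.

Added example; the class, its methods and the sample data are assumptions,
not PAN-OS or User-ID Agent code.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_AGEOUT_SECONDS = 45 * 60  # guide: blank Age-out Timeout means 45 minutes


def _parse_networks(entries: List[str]) -> List[ipaddress.IPv4Network]:
    # strict=False accepts host-style entries such as 10.1.1.1/24, the form the guide uses.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


@dataclass
class UserIdMappingTable:
    allow_list: List[str]                       # ip_address/mask entries; at least one required
    ignore_list: List[str] = field(default_factory=list)
    ageout_seconds: Optional[int] = DEFAULT_AGEOUT_SECONDS  # None models a blank field
    netbios_probing: bool = True
    _allow: List[ipaddress.IPv4Network] = field(default_factory=list, init=False)
    _ignore: List[ipaddress.IPv4Network] = field(default_factory=list, init=False)
    _entries: Dict[str, dict] = field(default_factory=dict, init=False)

    def __post_init__(self) -> None:
        if not self.allow_list:
            raise ValueError("at least one Allow List network must be specified")
        self._allow = _parse_networks(self.allow_list)
        self._ignore = _parse_networks(self.ignore_list)

    def in_scope(self, ip: str) -> bool:
        """An address is identified only if it is allowed and not ignored."""
        addr = ipaddress.ip_address(ip)
        allowed = any(addr in net for net in self._allow)
        ignored = any(addr in net for net in self._ignore)
        return allowed and not ignored

    def observe(self, ip: str, user: str, now: float, source: str) -> bool:
        """Record evidence (security log, NetBIOS/WMI poll, session table, API)
        that `user` is at `ip`. Returns False if the address is out of scope."""
        if not self.in_scope(ip):
            return False
        self._entries[ip] = {"user": user, "last_seen": now, "source": source}
        return True

    def lookup(self, ip: str) -> Optional[str]:
        entry = self._entries.get(ip)
        return entry["user"] if entry else None

    def expire(self, now: float) -> List[str]:
        """Drop mappings whose last evidence is older than the age-out timeout.
        Returns the addresses removed (empty when probing is disabled, since the
        guide states such entries do not time out)."""
        if not self.netbios_probing:
            return []
        timeout = self.ageout_seconds if self.ageout_seconds is not None else DEFAULT_AGEOUT_SECONDS
        stale = [ip for ip, e in self._entries.items() if now - e["last_seen"] > timeout]
        for ip in stale:
            del self._entries[ip]
        return stale


if __name__ == "__main__":
    # Constructed sample: one allowed range with an ignored guest subnet inside it.
    table = UserIdMappingTable(allow_list=["10.1.1.1/24", "192.168.0.0/16"],
                               ignore_list=["192.168.50.0/24"])
    print("10.1.1.77 recorded:", table.observe("10.1.1.77", "alice", 0.0, "security-log"))
    print("192.168.50.9 recorded:", table.observe("192.168.50.9", "guest", 0.0, "security-log"))
    print("expired after 46 minutes:", table.expire(46 * 60))
```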
If you install a new version of the agent and the installer detects an existing installation on
your PC, the installer automatically removes the older version before performing the
installation.
The window contains a side menu for access to the Configuration and Monitor panels. The
main panel contains the following areas:
• Device Connection List—Shows all firewalls that are connected to the User-Identification
Agent. The Device IP column shows the firewall IP address and port, and the Connection
Status column displays the current connection status: “Connected,” “Disconnected,” or
“Connecting.” Disconnected items are removed from the Connection List box when you
close and then reopen the controller.
• User-ID Server Connection List—Shows connection status for all configured User-ID
servers. If a connection cannot be established successfully, the status is shown as
“Connecting,” with a reason such as “Server Down” or “Credential invalid.”
3. In the Device Listening Port field, enter the port on which the PC will listen for messages
from the firewall (default 5007).
4. Select the Entry Timeout check box if you want to specify a timeout for User-ID Agent
connections. Enter a timeout value after which all entries to the specified type of server
are considered to be logged off and are removed (1 - 360000 seconds, default is disabled).
If any connection comes up before the timeout is reached, the timeout count stops. The
timing starts after all connections to eDirectory LDAP servers go down.
5. Select the Enable Network Address Allow/Ignore List check box to configure a list of
allowed or ignored IP addresses. If you use this option, only the addresses in the Allowed
List and not in the Ignore List are identified and recorded by the User-ID Agent. To add
an address, enter the address and click Add. To remove entries, select them and click
Delete. The format is x.x.x.x or x.x.x.x/y (default is disabled).
6. Select the Device Access Control check box to limit user access to an allowed set of
firewalls. If the Enable Device Access Control List check box is selected, then the agent
accepts incoming connections only from the firewalls in the allow list. To add a firewall to
the allow list, enter its IP address in the entry field, and click Add. To remove entries,
select them and click Remove.
7. If any item has been configured, the Commit button is enabled. Click Commit to save the
configuration. When you commit, you are prompted to restart the User-ID Agent service.
If you click Cancel when prompted to restart, the existing configuration remains as the
running configuration. The new configuration can be applied only after the User-ID agent
service is restarted.
8. Click Configure in the side menu to display the submenu, and then select eDirectory to
display the eDirectory configuration panel.
9. Use the LDAP Server Selection area to specify the list of servers for eDirectory LDAP.
The agent queries the servers in this IP list to collect the user-to-IP address mapping data.
Enter an IP address and click Add to add it to the list. To remove entries, select them and
click Remove.
10. If several servers have the same settings, you can select a server and click Copy Settings
to copy settings from an already-configured server to the selected server. A dialog box
opens to show a list of servers. Select the server from which you want to copy the settings,
and click OK.
11. In the Basic Settings area, configure the following settings. (If the server list is empty or no
server is selected, the Basic Settings and Advanced Settings areas are disabled.)
– Search Base—Specify the starting point or root context for agent queries. Example:
dc=domain1, dc=example, dc=com
– Bind Distinguished Name—Specify the account to bind to the LDAP server. Example:
cn=admin, ou=IT, dc=domain1, dc=example, dc=com
– Bind Password—Specify the bind account password. The agent saves the encrypted
password in the configuration file.
– Server Domain Prefix—Specify a prefix to uniquely identify the user. Use if there are
overlapping name spaces. Example: Different users with the same name from two
different directories
– Search Interval—Specify the time interval between consecutive queries from the User-ID Agent (range 1-36000 secs, default 30 secs).
12. For most installations, the settings in the Advanced Settings area do not require
modification. If modification is required to address specific conventions for your
installation, configure the settings as follows (defaults are provided only for eDirectory;
for Other, you must supply your own entries):
– Login Address Attribute Names—Specify the name of the attribute to store the login
IP address (default is networkAddress).
– Login Time Attribute Name—Specify the attribute to store the login time (default is
loginTime).
– Login ID Attribute Name—Specify the name of the attribute to store the login unique
ID (default is uniqueID).
– Bind Port—Specify the binding port (default is 636). If you select Other, enter the port
number and/or select SSL. If SSL is not selected, a pop-up window warns that clear
text will be used for the login account and password.
– Verify Server Certificate—Select the check box to verify the eDirectory server
certificate when using SSL (default is disabled). Enable it outside of testing: without
verification the agent completes the TLS handshake with whatever host answers on the
configured address and port, so a server impersonating eDirectory can capture the bind
account name and password.
13. Click Configure in the side menu, if necessary, to display the submenu, and then select
User-ID API to display the User-ID API configuration panel.
a. Select the Enable User-ID API check box to activate the User-ID API functionality.
b. You must configure the listening port to be different from the listening port on the
Configure panel that is used to communicate with the firewall. The default listening
port for the User-ID API is 5006.
c. Select the Server Allow List check box to configure a list of allowed server IP
addresses. If you use this option, the User-ID Agent accepts incoming connections
only from the User-ID API Servers that are in the list (default is disabled). To add an
address, enter the address and click Add. To remove entries, select them and click
Remove.
3. To search for a specific user mapping, select Search IP and enter an IP address, or select
Search Name and enter a user login name.
The panel displays the requested login information. When you click in the first column
for an entry, the details are presented below the login information list.
Note: The status bar at the bottom of the agent window shows the status of the
User-ID Agent. If there are no errors, the status bar displays “Ready” or
“Connected,” indicating that the controller has successfully connected to the agent
service. If the connection is not successful, an error message is presented.
To configure the TS agent on the firewall, click Add in the Terminal Server Agent area of the
User Identification page and specify the following information.
2. The installer first checks for platform compatibility. If the platform is not compatible, an
error message is displayed.
3. The installer checks whether an existing TS agent exists on the system. If the installer
detects that the TS agent already exists on the system (you are upgrading the TS agent), it
first uninstalls the agent before running the installer.
– If you are installing a TS agent that has a newer driver than the existing installation,
the installation wizard prompts you to reboot the system after upgrading in order to
use the new driver.
– If you are installing a TS agent with the same driver version as the existing installation,
you can perform the installation as prompted, and do not need to reboot the system
afterwards.
4. Follow the installer instructions to specify an installation location and complete the
installation.
Note: If you specify a destination folder other than the default one, make sure that
you use the same destination when you upgrade the TS agent in the future. If you do
not, the existing configuration will be lost and the default configuration will be used.
2. The configuration panel opens with Terminal Server Agent highlighted on the left side of
the window.
The connection list box shows all the Palo Alto Networks devices that connect to the TS
agent. The Device IP column shows the device IP and port; and the Connection Status
column indicates whether the status is Connected, Disconnected, or Connecting.
Disconnected items are removed from the Connection List box when you close and then
reopen the TS agent configuration window.
3. Select the Enable Device Access Control List check box if you want to explicitly list the
firewalls that the TS agent will accept. Add each device IP address and click Add. Click
Remove to delete an address from the list. Click Save to save the allow list.
5. Configure settings as described in the following table, and then click Save.
Note: If you enter an incorrect parameter and then attempt to save the
configuration, a message is displayed to indicate that the configuration will not be
saved unless you modify the parameter correctly.
6. Click Monitor to display the port allocation information for all terminal server users.
7. View the displayed information. For a description of the type of information displayed,
refer to the following table.
8. Click the Refresh Ports Count button to update the Ports Count field manually, or select
the Refresh Interval check box and configure a refresh interval to update this field
automatically.
The following table lists the menu options available in the TS agent application window.
When you create an administrative account, you specify either local authentication (no
authentication profile) or an authentication profile (RADIUS, LDAP, or local DB
authentication). This setting indicates how the user password is checked.
Administrator roles determine the functions that the administrator is permitted to perform
after logging in. You can assign roles directly to an administrator account, or define role
profiles, which specify detailed privileges, and assign those to administrator accounts.
Refer to the following sections for additional information:
• For instructions on setting up authentication profiles, refer to “Setting Up Authentication
Profiles” on page 55.
• For information on SSL VPNs, refer to “Configuring SSL VPNs” on page 205.
Use the Admin Roles page to define role profiles that determine the access and responsibilities
available for administrative users. To add a new administrator role, click New and specify the
following information. For instructions on defining administrator accounts, refer to “Creating
Administrative Accounts” on page 57.
• If None is specified as the authentication profile on the Settings page, then the user must
be authenticated locally by the firewall according to the authentication profile that is
specified for the user.
Use the Authentication Profile page to configure authentication profiles. To add a new
authentication profile, click New and configure the following settings. To change an entry,
click the link for the entry.
Use the RADIUS page to configure settings for the RADIUS servers that are identified in the
authentication profiles. To add a new server, click New and configure the following settings.
To change an entry, click the link for the entry.
Use the LDAP page to configure settings for the LDAP servers to use for authentication by
way of authentication profiles. To add a new server, click New and configure the following
settings. To change an entry, click the link for the entry.
Administrator accounts control access to the firewall. Each administrator can have full or
read-only access to a single device or to a virtual system on a single device. The predefined
admin account has full access. To ensure that the device management interface remains
secure, it is recommended that administrative passwords be changed periodically using a
mixture of lower-case letters, upper-case letters, and numbers.
To add a new administrator account, click New and specify the following information.
Note: On the Panorama Administrator’s page for “super user,” a lock icon is
shown in the right column if an account is locked out. The administrator can click
the icon to unlock the account.
Use the Access Domain page to define virtual system domains for administrators. Click New
and specify the following information.
You can create client certificate profiles and then attach a profile to an administrator login on
the Setup page or to an SSL VPN login for authentication purposes. Refer to “Defining the
Host Name and Network Settings” on page 66.
The configuration log settings specify the configuration log entries that are logged remotely
with Panorama, and sent as syslog messages and/or email notifications.
To define the configuration log settings, click Edit and specify the following information.
The system log settings specify the severity levels of the system log entries that are logged
remotely with Panorama, and sent as SNMP traps, syslog messages, and/or email
notifications. The system logs show system events, such as high availability failures, link
status changes, and administrators logging in and out.
To define the system log settings, click Edit and specify the following information.
To generate SNMP traps for system, traffic, or threat log entries, you must specify one or more
SNMP trap destinations. After you define the trap destinations, you can use them for system
log entries (refer to “Defining System Log Settings” on page 62).
To define SNMP trap destinations, click New and specify the following information.
Note: Do not delete a destination that is used in any system log settings or
logging profile.
SNMP MIBs
The firewall supports the following SNMP Management Information Bases (MIBs):
• SNMPv2-MIB
• DISMAN-EVENT-MIB
• IF-MIB
• HOST-RESOURCES-MIB
• ENTITY-SENSOR-MIB
• PAN-COMMON-MIB
The full set of MIBs is available on the Palo Alto Networks support site:
http://support.paloaltonetworks.com.
To generate syslog messages for system, configuration, traffic, or threat log entries, you must
specify one or more syslog servers. After you define the syslog servers, you can use them for
system and configuration log entries (refer to “Defining System Log Settings” on page 62).
To define syslog servers, click New and specify the following information.
Note: You cannot delete a server that is used in any system or configuration log
settings or logging profiles.
To generate email messages for system, configuration, traffic, or threat log entries, you must
specify the email settings. After you define the email settings, you can enable email
notification for system and configuration log entries (refer to “Defining System Log Settings”
on page 62). For information on scheduling email report delivery, refer to “Scheduling
Reports for Email Delivery” on page 182.
To define email settings, click New and specify the following information.
Note: You cannot delete an email setting that is used in any system or
configuration log settings or logging profiles.
You can schedule exports of logs and save them to a File Transfer Protocol (FTP) server in CSV
format. Log export profiles contain the schedule and FTP server information. For example, a
profile may specify that the previous day’s logs are collected each day at 3AM and stored on a
particular FTP server. FTP carries the server credentials and the exported log content in
cleartext, so the FTP server should be reachable only over a network you trust, such as the
management network.
To create a log export profile and schedule exports, click New or click the profile link and
specify the following information. When you click OK, the new profile is added to the
Scheduled Log Export page, and the specified export is scheduled. No commit is required.
• “Support for Certificate Revocation List and Online Certificate Status Protocol” on
page 79
The Setup page allows you to specify the host name of the firewall, the network settings of the
management interface, and the IP addresses of various network servers (Panorama, DNS,
NTP, and RADIUS). You can also enable the use of virtual systems (if supported on the
firewall model), save, load, import, and export configurations, set the date and time manually,
and reboot the device.
If you do not want to use the management port, you can define a loopback interface and
manage the firewall through the IP address of the loopback interface (refer to “Configuring
Loopback Interfaces” on page 94).
Perform any of the following operations on this page:
• To change the host name or network settings, click Edit on the first table on the page, and
specify the following information.
Configuration Links
– Include a logo on custom reports: Click Custom Logo. Click Browse to locate the logo file,
and then click OK to upload the file to the firewall. To remove a previously uploaded logo,
click Remove and then click OK. Refer to “Generating Custom Reports” on page 183.
– Add additional protection for access to logs that may contain sensitive information, such
as credit card numbers or social security numbers: Click Manage Data Protection and
configure the following:
• To set a new password if one has not already been set, click Set data access password.
Enter and confirm the password.
• To change the password, click Change data access password. Enter the old password,
and enter and confirm the new password.
• To delete the password and the data that has been protected, click Delete data access
password and protected data.
– Specify how the firewall will communicate with other servers: Click Service Route
Configuration and configure the following:
• To communicate with all external servers through the management interface, select
Use Management Interface for all.
• Choose Select to choose options based on the type of service. Select the source from
the Source Address drop-down list.
– Configure settings for certificate validation: Click CRL/OCSP Settings and follow the
instructions in “Support for Certificate Revocation List and Online Certificate Status
Protocol” on page 79.
– Access quick start screens for the firewall: Click Quick Start. Refer to “Setting Up the
Firewall” on page 17.
Multi-Virtual Systems
– Enable the use of multiple virtual systems (if supported on the firewall model): Click Edit
for Multi Virtual System Capability near the top of the Setup page. Select the check box,
and click OK. For more information about virtual systems, refer to “About Virtual
Systems” on page 24.
Settings
– IPv6 Firewalling: Click Edit and select the IPv6 Firewalling check box. IPv6 objects apply
only to virtual wire policies. All IPv6-based configurations are ignored if IPv6 is not
enabled.
– Rematch Sessions: Click Edit and select the check box Rematch all sessions on config
policy change. For example, assume that Telnet was previously allowed and then changed
to Deny in the last commit. The default behavior is for any Telnet sessions started before
the commit to continue to be allowed. However, if Rematch Sessions is configured, those
Telnet sessions are terminated.
– Jumbo Frame / Jumbo Frame MTU: Select the check box and specify the Maximum
Transmission Unit (MTU), excluding the Ethernet header (range 512-9192).
– Dynamic URL Cache Timeout: Click Edit and enter the timeout (in hours). This value is
used in dynamic URL filtering to determine the length of time an entry remains in the
cache after it is returned from the BrightCloud service. For information on URL filtering,
refer to “About URL Filtering Profiles” on page 137.
– URL Continue Timeout: Specify the interval following a user's “continue” action before
the user must press continue again for URLs in the same category (1 - 86400 minutes).
– URL Admin Override Timeout: Specify the interval after the user enters the admin
override password before the user must re-enter the admin override password for URLs
in the same category (1 - 86400 minutes).
– URL Admin Lockout Timeout: Specify the period of time that a user is locked out from
attempting to use the URL Admin Override password following three unsuccessful
attempts (1 - 86400 minutes).
Management
– Idle Timeout: Enter the timeout interval (1 - 1440 minutes). A value of 0 means that the
management, web, or CLI session does not time out. Avoid 0 on a production firewall: an
unattended but still-authenticated web or CLI session stays usable until someone logs it
out.
– Max. Rows in CSV Export: Enter the maximum number of rows that is supported for
CSV file exports (1-1048576, default 65535).
– Receive Timeout for connection to Panorama: Enter the timeout for receiving TCP
messages from Panorama (1-120 seconds, default 20).
You can view and compare configuration files by using the Config Audit page. From the
drop-down lists, select the configurations that you want to compare. Select whether to view
the differences in a side-by-side display or as inline comparisons, and select the number of
lines that you want to include for context. Click Submit.
The system presents the configurations and highlights the differences, as in the following
side-by-side example.
Panorama automatically saves all of the configuration files that are committed on each
managed firewall, whether the changes are made through the Panorama interface or locally
on the firewall.
Managing Configurations
Device > Setup
When you change a configuration setting and click OK, the current “candidate” configuration
is updated, not the active configuration. Clicking Commit at the top of the page applies the
candidate configuration to the active configuration, which activates all configuration changes
since the last commit.
This method allows you to review the configuration before activating it. Activating multiple
changes simultaneously helps avoid invalid configuration states that can occur when changes
are applied in real-time.
You can save and roll back (restore) the candidate configuration as often as needed and also
load, validate, import, and export configurations. Pressing Save creates a copy of the current
candidate configuration, whereas choosing Commit updates the active configuration with the
contents of the candidate configuration.
Note: It is a good idea to periodically save the configuration settings you have
entered by clicking the Save link in the upper-right corner of the screen.
Note: When you click Commit or enter a commit CLI command, all changes made
through the web interface and the CLI since the last commit are activated. To avoid possible
conflicts, use only the web interface or CLI for most configuration changes.
Installing a License
Device > Licenses
When you purchase a subscription from Palo Alto Networks, you receive an authorization
code that can be used to activate one or more license keys.
Perform any of these functions from the License page:
• To enable licenses for standard URL filtering, BrightCloud URL filtering, and Threat
Prevention, click the Activate link.
• To activate subscriptions that do not require an authorization code, such as for trial
licenses, click Retrieve license keys from license server.
• If the firewall does not have connectivity to the license server and you want to upload
license keys manually, follow these steps:
c. Click Manually upload license key, click Browse and select the file, and click OK.
To track the progress of the load, use the following CLI command:
tail follow yes mp-log Pan_bc_download.log
You can now activate the BrightCloud URL filtering from the Licenses page.
Custom response pages are the web pages that are displayed when a user tries to access a
URL. You can provide a custom HTML message that is downloaded and displayed instead of
the requested web page or file.
Each virtual system can have its own custom response pages.
The following table describes the types of custom response pages that support custom
messages.
Note: Refer to Appendix A, “Custom Pages” for examples of the default response
pages.
You can perform any of the following functions under Response Pages.
• To import a custom HTML response page, click the Import link for the type of page.
Browse to locate the page. A message is displayed to indicate whether the import
succeeded. For the import to be successful, the file must be in HTML format.
• To export a custom HTML response page, click the Export link for the type of page. Select
whether to open the file or save it to disk, and select the check box if you want to always
use the same option.
• To enable or disable the Application Block page or SSL Decryption Opt-out pages, click
the Enable link for the type of page. Select or deselect the Enable check box.
• To use the default response page instead of a previously uploaded page, click the Restore
Block Page link for the type of page, and click Restore. A message is displayed to indicate
that the restoration succeeded.
To upgrade to a new release of the PAN-OS software, you can view the latest versions of the
PAN-OS software available from Palo Alto Networks, read the release notes for each version,
and then select the release you want to download and install (a support license is required).
Perform any of the following functions on the Software page:
• Click Refresh to view the latest software releases available from Palo Alto Networks.
• Click Download to install a new release from the download site. When the download is
complete, a checkmark is displayed in the Downloaded column. To install a downloaded
release, click Install next to the release.
During installation, you are asked whether to reboot when installation is complete. When
the installation is complete, you will be logged out while the firewall is restarted. The
firewall will be rebooted, if that option was selected.
• Click Upload to install a release that you previously stored on your PC. Browse to select
the software package, and click Install from File. Choose the file that you just selected
from the drop-down list, and click OK to install the image.
• The date and time settings on the firewall must be current. PAN-OS software is digitally
signed and the signature checked by the device prior to installing a new version. If the
date setting is not current, the device may perceive the signature to be erroneously in the
future and display the message
Decrypt failed: GnuPG edit non-zero, with code 171072 Failed to load into
PAN software manager.
Palo Alto Networks periodically posts updates with new or revised application definitions
and information on new security threats, such as antivirus signatures (threat prevention
license required). To upgrade the firewall, you can view the latest updates, read the release
notes for each update, and then select the update you want to download and install.
On the Dynamic Updates page, you may see two entries listed in the Application and Threats
or URL Filtering area, one for the currently installed version and one for the latest version
available on the update server. If the latest version is already installed, there is only a single
entry.
Perform any of the following functions on this page:
• Click Check Now to view the latest threat and application definition updates available
from Palo Alto Networks.
• Click Download next to an update to install it. When the download is complete, a
checkmark is displayed in the Downloaded column.
• To schedule automatic updates, click the Schedule link. Specify the frequency and
timing for the updates and whether the update will be downloaded and installed or only
downloaded. If you select Download Only, you can install the downloaded update by
clicking the Upgrade link on the Dynamic Updates page. When you click OK, the update
is scheduled. No commit is required.
• Click Upload to install a file that you previously stored on your PC. Browse to select the
file, and click Install from File. Choose the file that you just selected from the drop-down
list, and click OK to install.
The Certificates page allows you to generate the following security certificates:
• Web interface—Import or export a certificate or generate a self-signed certificate to
authenticate users for access to the web interface.
The SSL forward proxy certificate is used for SSL decryption. When the firewall decrypts
traffic, it checks the upstream server certificate to see whether it was issued by a trusted CA.
If it was not, the firewall signs the SSL decryption certificate with a separate untrusted CA
certificate, one that clients have not been configured to trust, so the user still sees the usual
certificate error page when accessing the site and must dismiss the warning to proceed. This
preserves the warning the user would have received without decryption instead of having the
firewall silently vouch for an untrusted server.
The firewall has a large list of existing trusted CAs. The trusted CA certificate is for
additional CAs that are trusted for your enterprise but are not part of the pre-installed
trusted list.
You can upload your own SSL server certificate to allow inspection of traffic coming to
your SSL server.
a. Click Import in the Web Interface Certificate, Trusted CA Certificate, or SSL Forward
Proxy Certificate area
b. Enter the certificate file name or click Browse to locate the file on your computer.
c. (Web interface and SSL forward proxy only) Enter the key file name or click Browse to
locate the file on your computer. Enter the certificate pass phrase. The key should be in
Privacy Enhanced Mail (PEM) format.
d. (SSL forward proxy only). Select the virtual system to which you want to import the
certificate from the drop-down list.
a. Click Export.
b. (SSL forward proxy only). Select the virtual system from which you want to export
the certificate from the drop-down list.
c. Click Save and then choose a location to copy the file to your local computer.
• To generate a self-signed web, SSL forward proxy, or SSL VPN/SSL inbound inspection
certificate:
Note: If you are using Panorama, you also have the option of generating a self-
signed certificate for the Panorama server. Refer to “Central Management of
Devices” on page 223 for information on Panorama.
b. Enter the IP address or fully qualified domain name that will appear on the certificate
in the Name field.
e. Select the country code from the drop-down list. To view a list of country code
definitions, click the ISO 3166 Country Codes link.
g. Click OK to save the settings and generate the certificate. After the certificate is saved,
the web interface is restarted.
• To add an SSL inbound inspection certificate (this is the private key and public certificate
for the destination server).
a. Enter the IP address or fully qualified domain name that appears on the certificate in
the Name field.
b. Enter the certificate file name or click Browse to locate the file on your computer.
c. Enter the key file name or click Browse to locate the file on your computer. Enter the
certificate pass phrase. The key should be in Privacy Enhanced Mail (PEM) format.
• Use openssl, a text editor, and the following procedure to convert the files:
4. Copy and paste this section into a new file named server.key.
5. Copy and paste this section into a new text document named server.crt.
Each trusted certificate authority (CA) publishes certificate revocation lists (CRLs); during
SSL decryption the firewall uses them to determine whether a server certificate is still valid
(not revoked). The Online Certificate Status Protocol (OCSP) can also be used to check the
revocation status of a certificate dynamically. For more information on SSL decryption, refer
to “About SSL Decryption Policies” on page 129.
To configure CRL and OCSP settings, click CRL/OCSP Settings on the Setup page, and
specify the following settings.
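The PKCS#12-to-PEM conversion that the procedure above describes with openssl and a text editor, and the CRL check the firewall performs for SSL decryption, worked through end to end as an added example (this is not code from the Palo Alto Networks guide or from PAN-OS). It builds a throw-away root CA and server certificate so that it runs offline; the file names (ca.cnf, server.p12, bundle.pem, server.key, server.crt), the export password changeit and the subject names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Palo Alto Networks guide. Builds a throw-away PKI
# with openssl, converts a PKCS#12 bundle into the PEM server.key/server.crt
# pair the Certificates page expects, then shows a CRL catching a revoked
# certificate. File names, subjects and the password "changeit" are assumptions.
set -eu

# Minimal config holding both the req(1) extensions for the root and the
# ca(1) database settings that -revoke and -gencrl need.
write_ca_config() {
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName = supplied
EOF
    mkdir -p newcerts
    : > index.txt
    echo 01 > serial
    echo 01 > crlnumber
}

# Root CA, a server certificate signed by it, and the server pair packaged as
# PKCS#12 (the form most web servers export) so there is something to convert.
make_pki() {
    write_ca_config
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
        -out ca.crt -days 365 -subj /CN=Demo-Root-CA 2>/dev/null
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout orig.key \
        -out server.csr -subj /CN=www.example.test 2>/dev/null
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out orig.crt -days 365 2>/dev/null
    openssl pkcs12 -export -inkey orig.key -in orig.crt -certfile ca.crt \
        -passout pass:changeit -out server.p12
}

# The "openssl and a text editor" step: dump the bundle to PEM (-nodes leaves
# the key unencrypted) and split out server.key and the certificate that
# matches it. The bundle also carries the CA certificate, so the right one is
# chosen by comparing public keys rather than by position in the file.
convert_p12_to_pem() {
    openssl pkcs12 -in server.p12 -passin pass:changeit -nodes -out bundle.pem
    awk '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/' bundle.pem > server.key
    awk '/-----BEGIN CERTIFICATE-----/{n++; p=1} p{print > ("cert" n ".pem")}
         /-----END CERTIFICATE-----/{p=0}' bundle.pem
    keypub=$(openssl pkey -in server.key -pubout)
    for c in cert*.pem; do
        if [ "$(openssl x509 -in "$c" -pubkey -noout)" = "$keypub" ]; then
            cp "$c" server.crt
        fi
    done
    rm -f cert*.pem
    # Confirm the pair chains to the CA before uploading it to the firewall.
    openssl verify -CAfile ca.crt server.crt >/dev/null
}

# What the CRL setting buys: regenerate the CRL from the CA database and
# verify server.crt against it. Prints OK, REVOKED, or fails on other errors.
crl_status() {
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
    if out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl server.crt 2>&1); then
        echo OK
    elif printf '%s' "$out" | grep -q 'certificate revoked'; then
        echo REVOKED
    else
        echo "ERROR: $out" >&2
        return 1
    fi
}

revoke_server_cert() {
    openssl ca -config ca.cnf -revoke server.crt -crl_reason keyCompromise 2>/dev/null
}

# Whole flow in a scratch directory; prints "before=OK after=REVOKED".
demo() {
    work=$(mktemp -d)
    (
        cd "$work"
        make_pki
        convert_p12_to_pem
        before=$(crl_status)
        revoke_server_cert
        after=$(crl_status)
        echo "before=$before after=$after"
    )
    rm -rf "$work"
}

demo
```

The public-key comparison replaces the copy-and-paste step: bundle.pem normally contains the CA certificate as well as the server certificate, and picking the block whose public key matches server.key avoids uploading the wrong one. The CRL portion shows why a current CRL (or OCSP) matters for decryption: the same certificate verifies before revocation and is rejected with "certificate revoked" afterwards only if the verifier has the fresh CRL.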
The Support page allows you to access product and security alerts from Palo Alto Networks,
based on the serial number of your firewall. You can also view a technical knowledge base,
and create and view “tickets” for technical support requests.
Perform any of the following functions on this page:
• To view the details of an alert, click the alert name.
• To enter a request for technical support, click Create Ticket. To view your current support
requests, click View Ticket.
This chapter describes how to configure the firewall to support your network architecture:
• “About Firewall Deployment” in the next section
Note: For information about VPN support on the firewall, refer to “Configuring
IPSec Tunnels” on page 189. For information about quality of service (QoS) support,
refer to “Configuring Quality of Service” on page 211.
A virtual wire is the default configuration, and should be used only when no switching,
routing, or Network Address Translation (NAT) is needed.
Figure: virtual wire deployment (no routing or switching performed)
To set up virtual wires, refer to “Configuring Virtual Wire Interfaces” on page 91.
Figure: routing between two networks (10.1.2.1/24 and 10.1.1.1/24)
Note: When deployed in tap mode, the firewall is not able to take action, such as
blocking traffic or applying QoS traffic control.
Use this page to define virtual wires after you have specified two virtual wire interfaces on the
firewall. For an overview of virtual wire deployments, refer to “About Virtual Wire
Deployments” on page 82. For instructions on specifying interfaces as virtual wire, refer to
“Configuring Virtual Wire Interfaces” on page 91.
To define virtual wires, click New and specify the following information.
To change a virtual wire name or the allowed tags, click the virtual wire name on the Virtual
Wires page, change the settings, and click OK. Virtual wires also can be changed from the
Interfaces page (refer to “Configuring Virtual Wire Interfaces” on page 91).
To delete one or more virtual wires, select the check box next to the virtual wire names and
click Delete. Note that deleting a virtual wire removes it from the associated virtual wire
interfaces shown on the Interfaces page.
• The 1 Gig links in a group must be of the same type (all copper or all fiber).
• All of the members of an aggregate interface must be of the same type. This is validated
during the commit operation.
The Interfaces page lists the interface type, link state, and security zone for each configured
interface, along with the IP address, virtual router, VLAN tag, and VLAN or virtual wire
name (as applicable).
By default, the interfaces are listed by interface name. To group the interfaces by another
column, such as Security Zone, select the column name from the Group By drop-down list at
the bottom of the page.
The following icons are used on the Interfaces page:
Indicates one or more required interface properties are undefined, such as a security zone.
Move the cursor over the icon to view the missing items. Also, “none” appears in the
corresponding column for each missing item.
Used to delete a logical interface (displayed in the last column). You can delete a logical
interface by clicking the icon, but the interface type of a logical interface cannot be
changed (and the physical Ethernet interfaces cannot be deleted).
Indicates the link is up (green), down (red), or in an unknown state (gray).
You can configure one or more Ethernet ports as a Layer 2 interface for untagged VLAN
traffic. For each main Layer 2 interface, you can define multiple Layer 2 subinterfaces for
traffic with specific VLAN tags (refer to “Configuring Layer 2 Subinterfaces” on page 88) and
VLAN interfaces to provide Layer 3 routing of VLAN traffic (refer to “Configuring VLAN
Interfaces” on page 93).
To modify a Layer 2 Ethernet interface, follow these steps:
1. Remove the interface from the current security zone, if any. For the interface you want to
change, click the name shown in the Security Zone column, select None, and click OK.
2. If you want to change a virtual wire to another interface type, click the virtual wire name
shown in the VLAN/Virtual Wire column, if any, select None, and click OK.
Assign Interface To
VLAN Select a VLAN, or click New to define a new VLAN (refer to “About
VLAN Support” on page 113).
Zone Select a security zone for the interface, or click New to define a new zone
(refer to “Defining Security Zones” on page 97).
For each Ethernet port configured as a Layer 2 interface, you can define an additional logical
Layer 2 interface (subinterface) for each VLAN tag that is used on the traffic received by the
port. To configure the main Layer 2 interfaces, refer to “Configuring Layer 2 Interfaces” on
page 87.
To add a Layer 2 Ethernet subinterface, select L2 Interface from the New drop-down list at the
bottom of the Interfaces page, and specify the following information.
Assign Interface To
VLAN For a Layer 2 interface, select a VLAN, or click New to define a new
VLAN (refer to “About VLAN Support” on page 113).
Zone For all interfaces, select a security zone for the interface, or click New to
define a new zone (refer to “Defining Security Zones” on page 97).
You can configure one or more Ethernet ports as Layer 3 interfaces for untagged routed traffic.
You can then define Layer 3 subinterfaces for traffic with specific VLAN tags (refer to
“Configuring Layer 3 Subinterfaces” on page 90). For information on configuring Layer 3
interfaces for PPPoE, refer to “About Point-to-Point Protocol over Ethernet Support” on
page 84.
To modify a Layer 3 interface, follow these steps:
1. Remove the interface from the current security zone, if any. For the interface you want to
change, click the name shown in the Security Zone column, select None, and click OK.
2. If you want to change a virtual wire to another interface type, click the virtual wire name
shown in the VLAN/Virtual Wire column, if any, select None, and click OK.
For each Ethernet port configured as a Layer 3 interface, you can define an additional logical
Layer 3 interface (subinterface) for each VLAN tag that is used on the traffic received by the
port. To configure the main Layer 3 interfaces, refer to “Configuring Layer 3 Interfaces” on
page 88.
To add a Layer 3 Ethernet subinterface, select L3 Interface from the New drop-down list at the
bottom of the Interfaces page, and specify the following information.
Assign Interface To
Virtual Router: Select a virtual router, or click New to define a new virtual router (refer to
“About Virtual Routers and Routing Protocols” on page 98).
Zone: Select a security zone for the interface, or click New to define a new zone (refer to
“Defining Security Zones” on page 97).
You can bind two Ethernet ports together as a virtual wire, which allows all traffic to pass
between the ports, or just traffic with selected VLAN tags (no other switching, routing, or
NAT services are available). A virtual wire requires no changes to adjacent network devices.
For an overview of virtual wire deployments, refer to “About Virtual Wire Deployments” on
page 82.
To set up a virtual wire through the firewall, you must first define the in and out virtual wire
interfaces, as described in the following procedure, and then create the virtual wire using the
interfaces that you created.
To configure each virtual wire interface, follow these steps:
1. Identify the interface you want to use for the virtual wire, and remove it from the current
security zone, if any. For the interface you want to change, click the name shown in the
Security Zone column, select None, and click OK.
Assign Interface To
Virtual Wire: Select a virtual wire, or click New to define a new virtual wire (refer to
“Defining Virtual Wires” on page 84).
Zone: Select a security zone for the interface, or click New to define a new zone (refer to
“Defining Security Zones” on page 97).
If you want to change a virtual wire to another interface type, click the virtual wire name
shown in the VLAN/Virtual Wire column, if any, select None, and click OK.
You can configure one or more interfaces as part of an aggregate Ethernet interface group.
First define the group, as described in this section, and then assign interfaces to the group. For
instructions on assigning interfaces to the group, refer to “Configuring Layer 3 Subinterfaces”
on page 90.
To create and configure aggregate group interfaces, select Aggregate Group from the New
drop-down list and specify the following information.
Assign Interface To
Virtual Wire: Select a virtual wire, or click New to define a new virtual wire (refer to
“Defining Virtual Wires” on page 84).
Zone: Select a security zone for the interface, or click New to define a new zone (refer to
“Defining Security Zones” on page 97).
Each aggregate Ethernet interface is assigned a name of the form ae.number and can be of the
type Layer 2, Layer 3, or virtual wire. After the assignment is made, the new interface
functions in the same way as any other interface.
To configure aggregate Ethernet interfaces, click the interface name and specify the following
information.
For each Ethernet port configured as a Layer 2 interface, you can define a VLAN interface to
allow routing of the VLAN traffic to Layer 3 destinations outside the VLAN. To configure the
main Layer 2 interfaces, refer to “Configuring Layer 2 Interfaces” on page 87.
To define VLAN interfaces, select VLAN Interface from the New drop-down list at the
bottom of the page and specify the following information.
Assign Interface To
Virtual Router: Select a virtual router, or click New to define a new virtual router (refer to
“About Virtual Routers and Routing Protocols” on page 98).
VLAN: Select a VLAN, or click New to define a new VLAN (refer to “About VLAN Support” on
page 113).
Zone: Select a security zone for the interface, or click New to define a new zone (refer to
“Defining Security Zones” on page 97).
You can define one or more Layer 3 loopback interfaces, as needed. Each loopback interface
can be associated with a Layer 3 interface (unnumbered) or have its own IP address. For
example, you can define a loopback interface to manage the firewall, rather than use the
management port.
To define loopback interfaces, select Loopback Interface from the New drop-down list at the
bottom of the page, and specify the following information.
Assign Interface To
Virtual Router: Select a virtual router, or click New to define a new virtual router (refer to
“About Virtual Routers and Routing Protocols” on page 98).
Zone: Select a security zone for the interface, or click New to define a new zone (refer to
“Defining Security Zones” on page 97).
You can define tap interfaces as needed to permit connection to a span port on a switch for
traffic monitoring only (refer to “About Tap Mode Deployments” on page 83).
To define tap interfaces, click an interface name to open the Edit Ethernet Interface page, and
specify the following information.
Assign Interface To
Virtual System: Select a virtual system.
Zone: Select a security zone for the interface, or click New to define a new zone (refer to
“Defining Security Zones” on page 97).
1. Click OK to submit the new interface, or click Cancel to discard your changes.
2. To activate your changes immediately or save them for future activation, refer to
“Managing Configurations” on page 72.
Note: On the PA-2000 Series and PA-500 firewalls, you specify the data ports to be
used for HA. The PA-4000 Series has dedicated physical ports for HA. For additional
information on HA, refer to “Enabling High Availability on the Firewall” on page 30.
To define an HA interface, click an interface name to open the Edit Ethernet Interface page, and
specify the following information.
In order for a firewall interface to be able to process traffic, it must be assigned to a security
zone. To define security zones, click New and specify the following information.
• Routing policies based on route-map to control import, export and advertisement,
prefix-based filtering, and address aggregation.
• Advanced BGP features that include route reflector, AS confederation, route flap
dampening, and graceful restart.
• Authentication profiles, which specify the MD5 authentication key for BGP connections.
• Peer group and neighbor settings, which include neighbor address and remote AS and
advanced options such as neighbor attributes and connections.
• Routing policy, which specifies rule sets that peer groups and peers use to implement
imports, exports, conditional advertisements, and address aggregation controls.
Redistribution Profiles
Redistribution profiles allow you to modify the route redistribution filter, priority, and action
based on the desired network behavior.
Defining virtual routers allows you to set up forwarding rules for Layer 3 and enable the use
of dynamic routing protocols. Each Layer 3 interface, loopback interface, and VLAN interface
defined on the firewall should be associated with a virtual router. Each interface can belong to
only one virtual router.
Admin Distances
Specify the following administrative distances:
• Static routes (10-240, default 10).
• Internal OSPF (10-240, default 30).
• External OSPF (10-240, default 110).
• Internal BGP (IBGP) (10-240, default 200).
• External BGP (EBGP) (10-240, default 20).
• RIP (10-240, default 120).
Static Routes: In this section, optionally enter one or more static routes.
Note: It is usually necessary to configure default routes (0.0.0.0/0) here. Default
routes are applied for destinations that are otherwise not found in the virtual
router’s routing table. Click Add after entering each route to add it to the list.
Click the icon to delete a route.
• RIP—Specify parameters for use of the Routing Information Protocol (RIP) on the
selected interfaces. Although it is possible to configure both RIP and OSPF, it is generally
recommended to choose only one of these protocols. Refer to the following table.
• OSPF—Specify parameters for use of the Open Shortest Path First (OSPF) protocol on the
selected interfaces. Although it is possible to configure both RIP and OSPF, it is generally
recommended to choose only one of these protocols. Refer to the following table.
• BGP—Specify parameters for use of Border Gateway Protocol (BGP) on the selected
interfaces. Refer to the following table.
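As an added illustration (not from the guide), the Python below models how a virtual router picks among routes: longest prefix first, then the administrative distances listed above to break ties between routes to the same prefix, with a static 0.0.0.0/0 default as the last resort. The route table, next hops and interface names are constructed for the example.

```python
import ipaddress

# Default administrative distances from the Admin Distances table above (lower is preferred).
DEFAULT_ADMIN_DISTANCE = {
    "static": 10,
    "ospf-int": 30,
    "ospf-ext": 110,
    "ibgp": 200,
    "ebgp": 20,
    "rip": 120,
}


class VirtualRouter:
    """Toy model of a virtual router's forwarding table (illustrative, not PAN-OS code)."""

    def __init__(self, admin_distance=None):
        self.admin_distance = dict(DEFAULT_ADMIN_DISTANCE)
        for source, ad in (admin_distance or {}).items():
            if source not in self.admin_distance:
                raise ValueError(f"unknown route source {source!r}")
            if not 10 <= ad <= 240:  # the configurable range given in the guide
                raise ValueError(f"{source}: administrative distance {ad} is outside 10-240")
            self.admin_distance[source] = ad
        self.routes = []  # list of (network, next_hop, interface, source)

    def add_route(self, prefix, next_hop, interface, source):
        if source not in self.admin_distance:
            raise ValueError(f"unknown route source {source!r}")
        network = ipaddress.ip_network(prefix, strict=True)  # rejects host bits, e.g. 10.1.0.1/16
        self.routes.append((network, next_hop, interface, source))

    def lookup(self, destination):
        """Return the selected route for a destination address, or None if nothing matches."""
        address = ipaddress.ip_address(destination)
        candidates = [r for r in self.routes if address in r[0]]
        if not candidates:
            return None
        # Longest prefix wins; among equal prefixes, the lowest administrative distance wins.
        best = min(candidates, key=lambda r: (-r[0].prefixlen, self.admin_distance[r[3]]))
        network, next_hop, interface, source = best
        return {"prefix": str(network), "next_hop": next_hop,
                "interface": interface, "source": source}


def example_router(admin_distance=None):
    """Constructed routing table: a static default plus 10.1.0.0/16 learned three ways."""
    vr = VirtualRouter(admin_distance)
    vr.add_route("0.0.0.0/0", "203.0.113.1", "ethernet1/1", "static")
    vr.add_route("10.1.0.0/16", "10.0.0.2", "ethernet1/2", "ospf-int")
    vr.add_route("10.1.0.0/16", "10.0.0.3", "ethernet1/3", "ebgp")
    vr.add_route("10.1.0.0/16", "10.0.0.4", "ethernet1/4", "rip")
    vr.add_route("10.1.5.0/24", "10.0.0.4", "ethernet1/4", "rip")
    return vr


if __name__ == "__main__":
    vr = example_router()
    print(vr.lookup("10.1.200.9"))   # 10.1.0.0/16 via eBGP: AD 20 beats OSPF 30 and RIP 120
    print(vr.lookup("10.1.5.77"))    # 10.1.5.0/24 via RIP: longer prefix wins despite AD 120
    print(vr.lookup("192.0.2.10"))   # falls through to the 0.0.0.0/0 static default
    # Lowering the internal OSPF distance below eBGP's changes the choice for the /16.
    print(example_router({"ospf-int": 15}).lookup("10.1.200.9")["source"])  # ospf-int
```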
Detailed runtime statistics are available for the virtual router and dynamic routing protocols
from the Virtual Routers page. Click the More Runtime Stats link to open a new window that
contains the routing table as well as routing protocol-specific details. For an overview of
virtual routers, refer to “About Virtual Routers and Routing Protocols” on page 98.
The firewall supports the selection of DHCP servers or DHCP relay for IP address assignment
on the Layer 3 interfaces. Multiple DHCP servers are supported. Client requests can be
forwarded to all servers, with the first server response sent back to the client.
The DHCP assignment also works across an IPSec VPN, allowing clients to receive an IP
address assignment from a DHCP server on the remote end of an IPSec tunnel. For
information on IPSec VPN tunnels, refer to “Configuring IPSec Tunnels” on page 189.
Use this page to specify DHCP servers or DHCP relay for IP address assignment on the Layer
3 interfaces. You can specify multiple DHCP servers and configure them so that client
requests are forwarded to all servers, with the first server response sent back to the client.
To configure DHCP settings, click New and specify the following information.
Preferred WINS / Alternate WINS: Enter the IP address of the preferred and alternate Windows
Internet Naming Service (WINS) servers. The alternate server address is optional.
Preferred NIS / Alternate NIS: Enter the IP address of the preferred and alternate Network
Information Service (NIS) servers. The alternate server address is optional.
Gateway: Enter the IP address of the network gateway that is used to reach the
DHCP servers.
POP3 Server: Enter the IP address of the Post Office Protocol (POP3) server.
SMTP Server: Enter the IP address of the Simple Mail Transfer Protocol (SMTP) server.
IP Pools: Specify the range of IP addresses to which this DHCP configuration
applies and click Add. You can enter an IP subnet and subnet mask (for
example, 192.168.1.0/24) or a range of IP addresses (for example,
192.168.1.10-192.168.1.20). Add multiple entries to specify multiple IP
address pools.
To edit an existing entry, click Edit, make the changes, and click Done. To
delete an entry, click Delete.
Note: If you leave this area blank, there will be no restrictions on the IP ranges.
Reserved Addresses: Enter the IP address (format x.x.x.x) or MAC address (format
xx:xx:xx:xx:xx:xx) of any devices that you do not want to subject to DHCP
address assignment.
To edit an existing entry, click Edit, make the changes, and click Done. To
delete an entry, click Delete.
Note: If you leave this area blank, then there will be no reserved IP addresses.
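As an added example (not from the guide), this Python models the IP Pools and Reserved Addresses entries described above: pools in either subnet or range form, reservations by IP or by MAC, and a lease request that never hands out a reserved address and skips devices whose MAC is reserved. All addresses and MACs are constructed, and the model assumes at least one pool is configured.

```python
import ipaddress
import re

# The guide's reservation formats: x.x.x.x for an IP address, xx:xx:xx:xx:xx:xx for a MAC address.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_pool(entry):
    """Accept '192.168.1.0/24' or '192.168.1.10-192.168.1.20'; return the pool as a set of ints."""
    if "-" in entry:
        first, last = (int(ipaddress.IPv4Address(p.strip())) for p in entry.split("-", 1))
        if last < first:
            raise ValueError(f"pool range end precedes start: {entry}")
        return set(range(first, last + 1))
    network = ipaddress.IPv4Network(entry, strict=True)
    return {int(host) for host in network.hosts()}  # network and broadcast addresses are never leased


class DhcpServer:
    """Toy lease allocator for one Layer 3 interface (illustrative model, not PAN-OS code)."""

    def __init__(self, pools, reserved):
        self.available = set()
        for entry in pools:
            self.available |= parse_pool(entry)
        self.reserved_ips, self.reserved_macs = set(), set()
        for entry in reserved:
            if MAC_RE.match(entry):
                self.reserved_macs.add(entry.lower())
            else:
                self.reserved_ips.add(int(ipaddress.IPv4Address(entry)))  # raises on a bad format
        self.available -= self.reserved_ips  # reserved addresses are withheld from dynamic leases
        self.leases = {}  # client MAC -> leased address (int)

    def request(self, client_mac):
        """Return the client's lease as a string, or None if the device is reserved (not assigned)."""
        mac = client_mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"malformed client MAC: {client_mac}")
        if mac in self.reserved_macs:
            return None
        if mac not in self.leases:
            if not self.available:
                raise RuntimeError("all pool addresses are leased or reserved")
            self.leases[mac] = min(self.available)  # lowest free address first
            self.available.remove(self.leases[mac])
        return str(ipaddress.IPv4Address(self.leases[mac]))


if __name__ == "__main__":
    server = DhcpServer(pools=["192.168.1.10-192.168.1.12", "192.168.2.0/30"],
                        reserved=["192.168.1.10", "00:11:22:33:44:55"])
    print(server.request("aa:bb:cc:dd:ee:01"))  # 192.168.1.11 (.10 is reserved)
    print(server.request("00:11:22:33:44:55"))  # None: reserved device is not assigned an address
    print(server.request("aa:bb:cc:dd:ee:01"))  # 192.168.1.11 again: existing lease is reused
```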
The firewall supports VLANs that conform to the IEEE 802.1Q standard. Each Layer 2
interface that is defined on the firewall must be associated with a VLAN. The same VLAN can
be assigned to multiple Layer 2 interfaces, but each interface can belong to only one VLAN.
Optionally, a VLAN can also specify a VLAN interface that can route traffic to Layer 3
destinations outside the VLAN.
– IKE gateways include the configuration information that is necessary to perform IKE
protocol negotiation with peer gateways when setting up IPSec VPN tunnels.
– IKE crypto profiles specify the protocols and algorithms for Phase 1 identification,
authentication, and encryption in VPN tunnels.
– IPSec crypto profiles specify the protocols and algorithms for Phase 2 identification,
authentication, and encryption in VPN tunnels.
– Tunnel monitor profiles specify how the firewall monitors IPSec tunnels and the
actions that are taken if the tunnel is not available.
• Interface management profiles—These profiles specify the protocols that can be used to
manage the firewall on Layer 3 interfaces, including VLAN and loopback interfaces. Refer
to “Defining Interface Management Profiles” on page 114.
• Zone protection profiles—These profiles determine how the firewall responds to attacks
from individual security zones. Refer to “Defining Zone Protection Profiles” on page 115.
The following types of protection are supported:
– Flood Protection—Protects against SYN, ICMP, UDP, and other IP-based flooding
attacks.
• QoS profiles—These profiles determine how the QoS traffic classes are treated. You can
set overall limits on bandwidth regardless of class and also set limits for individual
classes. You can also assign priorities to different classes. Priorities determine how traffic
is treated in the presence of contention. Refer to “Defining QoS Profiles” on page 214.
Use this page to specify the protocols that are used to manage the firewall. To assign
management profiles to each interface, refer to “Configuring Layer 3 Interfaces” on page 88
and “Configuring Layer 3 Subinterfaces” on page 90.
To define interface management profiles, click New and specify the following information.
For an overview of firewall interfaces, refer to “About Firewall Interfaces” on page 85.
Use this page to determine how the firewall responds to attacks from specified security zones.
The same profile can be assigned to multiple zones. For an overview of security zones, refer to
“About Security Zones” on page 97.
To define zone protection profiles, click New and specify the following information.
About Policies
Policies allow you to control firewall operation by enforcing rules and automatically taking
action. The following types of policies are supported:
• Basic security policies to block or allow a network session based on the application, the
source and destination zones and addresses, and optionally the service (port and
protocol). Zones identify the physical or logical interfaces that send or receive the traffic.
Refer to “About Security Policies” on page 122.
• Network Address Translation (NAT) policies to translate addresses and ports, as needed.
Refer to “About NAT Policies” on page 125.
• SSL Decryption policies to specify SSL traffic decryption for security policies. Each policy
can specify the categories of URLs for the traffic you want to decrypt. Refer to “About SSL
Decryption Policies” on page 129.
Note: Shared policies pushed from Panorama are shown in green on the firewall
web interface pages and cannot be edited at the device level.
• To apply a filter to the list, select from the Filter Rules drop-down list.
– Click Add Rule at the bottom of the page. A new rule with the default settings is
added to the bottom of the list, and given the next rule number. The source and
destination zones must be for the same type of interfaces (Layer 2, Layer 3, or virtual
wire). To define new zones, refer to “Defining Security Zones” on page 97.
– Right-click on the number of a rule you want to copy, and select Clone Rule, or select a
rule by clicking the white space of the rule, and select Clone Rule at the bottom of the
page (a selected rule has a yellow background). The copied rule is inserted below the
selected rule, and the subsequent rules are renumbered.
• To change a field in a new or existing rule, click the current field value, specify the
appropriate information, and click OK.
• If you add a rule description, an icon is added next to the rule name. By default, rules are
named “rulen”, where n is a number that increases sequentially as rules are added. As rules
are cloned, deleted, or moved, the rule names are not adjusted to match the rule numbers.
Only the rule numbers in the first column determine the order in which the rules are
compared against the network traffic.
• To delete, disable, or move a rule up or down in the list, right-click on the rule number
and select the appropriate action, or click the white space of a rule and select the action at
the bottom of the page. Note that for disabled rules, the rule is grayed out and the Disable
Rule option is changed to Enable Rule.
• To specify source or destination addresses, click the address entry to open the pop-up
window. Choose Select and do any of the following:
– Select the check box next to the appropriate addresses and/or address groups
in the Available column, and click Add to add your selections to the Selected
column.
– Enter the first few characters of a name in the Search field to show the addresses and
address groups that start with those characters. Selecting an item in the list will set the
check box in the Available column. Repeat this process as often as needed, and then
click Add.
– Enter one or more IP addresses (one per line), with or without a network mask. The
general format is:
ip_address/mask
– To remove source or destination addresses, select the appropriate check boxes in the
Selected column and click Remove, or select any to clear all addresses and address
groups.
– To add new addresses that can be used in the current or other policies, click New
Address (refer to “Defining Applications” on page 148). To define new address
groups, refer to “Defining Address Groups” on page 143.
• To specify source or destination users for a policy, click the user entry to open the pop-up
window. Choose Select and do any of the following:
– Select the check box next to the appropriate user or user group in the Available
column, and click Add to add your selections to the Selected column.
– Enter the first few characters of a name in the Search field to list all users and user
groups that start with those characters. Selecting an item in the list sets the check box
in the Available column. Repeat this process as often as needed, and then click Add.
– To remove users or user groups, select the appropriate check boxes in the Selected
column and click Remove, or select any to clear all users.
• To select applications for the security rule, click the application entry to open the pop-up.
The default of any should be used only in rules that specify the deny (block) action. To
select specific applications, choose Select and do any of the following:
– To select according to the columns at the top of the page, click an entry in a column to
display check boxes, and then select the check boxes. The filtering is successive: first
category filters are applied, then subcategory filters, then technology filters, then risk
filters, and finally characteristic filters. For a description of the choices in each column,
refer to “Application Categories, Subcategories, Technologies, and Characteristics” on
page 239.
– Enter the first few characters of a name in the Search field to list all applications,
categories, and groups that start with those characters. Selecting an item in the list will
set the check box in the Available column. Repeat this process as often as needed, and
then click Add.
– Select a filter from the Filters drop-down list and click Add Filter.
– Select a group from the Groups drop-down list and click Add Group.
– Each time you make a selection the list of applications on the page is updated. When
you have finished selecting applications, click OK.
• To select specific services for a policy, click the service entry to open the pop-up window.
Choose Select and do any of the following:
– Select the check box next to the appropriate services and/or service groups in
the Available column, and click Add to add your selections to the Selected column.
– Enter the first few characters of a name in the Search field to list all services and
groups that start with those characters. Selecting an item in the list will set the check
box in the Available column. Repeat this process as often as needed, and then click
Add.
– To remove services, clear the appropriate check boxes in the Selected column and click
Remove, or select any to clear all individual services and groups.
– To define new services, click New Service (refer to “Defining Services” on page 152).
To define new service groups, refer to “Defining Service Groups” on page 153.
Note: By default, traffic between each pair of security zones is blocked until at least
one rule is added to allow traffic between the two zones.
Security policies can be as general or specific as needed. The policy rules are compared against
the incoming traffic in sequence, and because the first rule that matches the traffic is applied,
the more specific rules must precede the more general ones. For example, a rule for a single
application must precede a rule for all applications if all other traffic-related settings are the
same. If the traffic does not match any of the rules, the traffic is blocked.
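The ordering rule above can be checked mechanically. As an added illustration (not from the guide or from PAN-OS), the Python below walks a constructed rulebase in order with first-match semantics and the implicit deny, and flags any rule that is shadowed by an earlier, more general rule, which is exactly the misordering the paragraph warns about. Zone names, addresses and application names are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"
MATCH_FIELDS = ("from_zone", "to_zone", "source", "destination", "application", "service")


@dataclass
class Rule:
    """One security rule; 'any' in a field matches everything (illustrative model)."""
    name: str
    from_zone: str
    to_zone: str
    source: str = ANY       # "any" or an IP network such as 192.168.10.0/24
    destination: str = ANY
    application: str = ANY  # App-ID name, e.g. "web-browsing"
    service: str = ANY      # e.g. "tcp/443"
    action: str = "allow"   # "allow" or "deny"


@dataclass
class Session:
    from_zone: str
    to_zone: str
    src_ip: str
    dst_ip: str
    application: str
    service: str


def _is_network(value):
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def field_matches(rule_value, session_value):
    """Does one rule field match the session's value for that field?"""
    if rule_value == ANY:
        return True
    if _is_network(rule_value):
        return ipaddress.ip_address(session_value) in ipaddress.ip_network(rule_value, strict=False)
    return rule_value == session_value


def evaluate(rules, session):
    """Walk the rulebase in order; the first match decides. No match means the session is blocked."""
    values = (session.from_zone, session.to_zone, session.src_ip, session.dst_ip,
              session.application, session.service)
    for position, rule in enumerate(rules, start=1):
        if all(field_matches(getattr(rule, f), v) for f, v in zip(MATCH_FIELDS, values)):
            return rule.action, rule.name, position
    return "deny", None, None  # implicit deny between every zone pair


def _covers(general, specific):
    """True if everything matched by `specific` is also matched by `general`."""
    if general == ANY:
        return True
    if specific == ANY:
        return False
    if _is_network(general) and _is_network(specific):
        return ipaddress.ip_network(specific, strict=False).subnet_of(
            ipaddress.ip_network(general, strict=False))
    return general == specific


def shadowed_rules(rules):
    """Find rules that can never match because an earlier rule already covers all their traffic."""
    findings = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            if all(_covers(getattr(earlier, f), getattr(later, f)) for f in MATCH_FIELDS):
                findings.append((later.name, earlier.name))
                break
    return findings


def example_rulebase():
    """Constructed rulebase with the ordering mistake the guide warns about: general before specific."""
    return [
        Rule("allow-internet", "L3 trust", "L3 untrust", source="192.168.10.0/24"),
        Rule("block-bittorrent", "L3 trust", "L3 untrust", source="192.168.10.0/24",
             application="bittorrent", action="deny"),
    ]


if __name__ == "__main__":
    rules = example_rulebase()
    torrent = Session("L3 trust", "L3 untrust", "192.168.10.20", "198.51.100.7", "bittorrent", "tcp/6881")
    print(shadowed_rules(rules))           # [('block-bittorrent', 'allow-internet')]
    print(evaluate(rules, torrent))        # ('allow', 'allow-internet', 1): the deny never fires
    print(evaluate(rules[::-1], torrent))  # ('deny', 'block-bittorrent', 1): specific rule first
    dmz = Session("L3 dmz", "L3 trust", "172.16.0.5", "192.168.10.9", "ssh", "tcp/22")
    print(evaluate(rules, dmz))            # ('deny', None, None): no rule for this zone pair
```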
Use the Security page to determine whether to allow or block a network session based on
specified traffic attributes. After creating a new rule, configure the rule by clicking the current
field values and specifying the appropriate information, as described in the following table.
For configuration guidelines, refer to “Guidelines on Defining Policies” on page 120.
Note: Palo Alto Networks Dynamic IP/port NAT supports more NAT sessions
than are supported by the number of available IP addresses and ports. The firewall
can use IP address and port combinations up to two times (simultaneously) on the
PA-2000 series, four times on the PA-4020, and eight times on the PA-4050/4060
devices when destination IP addresses are unique.
• Dynamic IP—For outbound traffic. Private source addresses translate to the next
available address in a range.
• Static IP—For inbound or outbound traffic. You can use static IP to change the source or
the destination IP address while leaving the source or destination port unchanged. When
used to map a single public IP address to multiple private servers and services,
destination ports can stay the same or be directed to different destination ports.
Note: You may need to define static routes on the adjacent router and/or the firewall to
ensure that traffic sent to a public IP address is routed to the appropriate private address.
If the public address is the same as the firewall interface (or on the same subnet), then a
static route is not required on the router for that address. When you specify service (TCP
or UDP) ports for NAT, the pre-defined HTTP service (service-http) includes two TCP
ports: 80 and 8080. To specify a single port, such as TCP 80, you must define a new
service.
The next table summarizes the NAT types. The two dynamic methods map a range of client
addresses (M) to a pool (N) of NAT addresses, where M and N are different numbers. N can
also be 1. Dynamic IP/Port NAT differs from Dynamic IP NAT in that the TCP and UDP
source ports are not preserved in Dynamic IP/Port, whereas they are unchanged with
Dynamic IP NAT. There are also differing limits to the size of the translated IP pool, as noted
below.
With Static IP NAT, there is a one-to-one mapping between each original address and its
translated address. This can be expressed as 1-to-1 for a single mapped IP address, or M-to-M
for a pool of many one-to-one, mapped IP addresses.
In the following example, the first NAT rule translates the private address of an internal mail
server to a static public IP address. The rule applies only to outgoing email sent from the “L3
trust” zone to the “L3 untrust” zone. For traffic in the reverse direction (incoming email), the
second rule translates the destination address from the server’s public address to its private
address.
NAT address translation rules are based on the source and destination zones, the source and
destination addresses, and the application service (such as HTTP). Like security policies, the
NAT policy rules are compared against the incoming traffic in sequence, and the first rule that
matches the traffic is applied.
As needed, add static routes to the local router so that traffic to all public addresses is routed
to the firewall. You may also need to add static routes to the receiving interface on the firewall
to route traffic back to the private address (refer to “About Firewall Interfaces” on page 85).
For configuration guidelines, refer to “Guidelines on Defining Policies” on page 120.
Original Packet
Source Zone / Destination Zone: Select one or more source and destination zones for the
original (non-NAT) packet (default is any). Zones must be of the same type (Layer 2,
Layer 3, or virtual wire). To define new zones, refer to “Defining Security
Zones” on page 97.
Multiple zones can be used to simplify management. For example, you
can configure settings so that multiple internal NAT addresses are
directed to the same external IP address.
Destination Interface: Specify the type of interface (none, loopback, or vlan). The destination
interface can be used to translate IP addresses differently in the case
where the network is connected to two ISPs with different IP address
pools.
Source Address / Destination Address: Specify a combination of source and destination
addresses for which the source or destination address must be translated.
Service: Specify the services for which the source or destination address is
translated. To define new service groups, refer to “Defining Service
Groups” on page 153.
Translated Packet
Source Translation: Enter an IP address or address range (address1-address2) that the source
address is translated to, and select a dynamic or static address pool. The
size of the address range is limited by the type of address pool:
• Dynamic IP/port—The next available address in the address range is
used, and the source port number is changed. Up to 64K concurrent
sessions are translated to the same public IP address, each with a different
port number. Up to 254 consecutive IP addresses are supported. Port
numbers are managed internally.
• Dynamic IP—The next available address in the specified range is used,
but the port number is unchanged. Up to 16K consecutive IP addresses
are supported.
• Static IP—The same address is always used, and the port is unchanged.
For example, if the source range is 192.168.0.1-192.168.0.10 and the
translation range is 10.0.0.1-10.0.0.10, address 192.168.0.2 is always
translated to 10.0.0.2. The address range is virtually unlimited.
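As an added example (not from the guide), the following Python models the three address-pool types in the table above and their stated limits: Static IP keeps a fixed one-to-one offset mapping, Dynamic IP hands out the next free pool address but preserves the source port, and Dynamic IP/Port shares each public address across many sessions by rewriting the port. The translated-port range used for Dynamic IP/Port is a modelling assumption, and all pool addresses are constructed.

```python
import ipaddress


def parse_range(spec):
    """Parse 'address1-address2' (or a single address) into inclusive integer bounds."""
    first, _, last = spec.partition("-")
    start = int(ipaddress.IPv4Address(first.strip()))
    end = int(ipaddress.IPv4Address(last.strip())) if last else start
    if end < start:
        raise ValueError(f"range end precedes start: {spec}")
    return start, end


class StaticIpNat:
    """1-to-1 or M-to-M: original address i always becomes translated address i; port unchanged."""

    def __init__(self, original, translated):
        self.orig_start, orig_end = parse_range(original)
        self.trans_start, trans_end = parse_range(translated)
        if orig_end - self.orig_start != trans_end - self.trans_start:
            raise ValueError("static NAT needs original and translated ranges of equal size")
        self.size = orig_end - self.orig_start + 1

    def translate(self, src_ip, src_port):
        offset = int(ipaddress.IPv4Address(src_ip)) - self.orig_start
        if not 0 <= offset < self.size:
            raise LookupError(f"{src_ip} is outside the original address range")
        return str(ipaddress.IPv4Address(self.trans_start + offset)), src_port


class DynamicIpNat:
    """M-to-N: each original host takes the next free pool address; the source port is preserved."""
    MAX_POOL = 16 * 1024  # the guide's limit of 16K consecutive addresses

    def __init__(self, translated):
        self.start, self.end = parse_range(translated)
        if self.end - self.start + 1 > self.MAX_POOL:
            raise ValueError("Dynamic IP pool larger than 16K addresses")
        self.leases = {}  # original ip -> translated ip (int)

    def translate(self, src_ip, src_port):
        if src_ip not in self.leases:
            taken = set(self.leases.values())
            chosen = next((ip for ip in range(self.start, self.end + 1) if ip not in taken), None)
            if chosen is None:
                raise RuntimeError("Dynamic IP pool exhausted: more hosts than pool addresses")
            self.leases[src_ip] = chosen
        return str(ipaddress.IPv4Address(self.leases[src_ip])), src_port


class DynamicIpPortNat:
    """M-to-N with port translation: many sessions share each public address."""
    MAX_POOL = 254              # the guide's limit of 254 consecutive addresses
    PORTS = range(1024, 65536)  # assumed translated-port space per address (model choice)

    def __init__(self, translated):
        self.start, self.end = parse_range(translated)
        if self.end - self.start + 1 > self.MAX_POOL:
            raise ValueError("Dynamic IP/Port pool larger than 254 addresses")
        self.sessions = {}  # (src_ip, src_port) -> (translated ip, translated port)
        self.next_port = {ip: self.PORTS.start for ip in range(self.start, self.end + 1)}

    def translate(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.sessions:
            for ip in self.next_port:
                port = self.next_port[ip]
                if port < self.PORTS.stop:  # this public address still has ports left
                    self.next_port[ip] = port + 1
                    self.sessions[key] = (str(ipaddress.IPv4Address(ip)), port)
                    break
            else:
                raise RuntimeError("every pool address has exhausted its port space")
        return self.sessions[key]


if __name__ == "__main__":
    static = StaticIpNat("192.168.0.1-192.168.0.10", "10.0.0.1-10.0.0.10")
    print(static.translate("192.168.0.2", 40000))  # ('10.0.0.2', 40000): the guide's example
    dip = DynamicIpNat("203.0.113.10-203.0.113.11")
    print(dip.translate("192.168.1.5", 51000))     # ('203.0.113.10', 51000): port preserved
    print(dip.translate("192.168.1.6", 51000))     # ('203.0.113.11', 51000)
    dipp = DynamicIpPortNat("203.0.113.20")
    print(dipp.translate("192.168.1.5", 51000))    # ('203.0.113.20', 1024): port rewritten
    print(dipp.translate("192.168.1.6", 51000))    # ('203.0.113.20', 1025): same IP, new port
```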
Normally, when traffic enters the firewall, the ingress interface virtual router dictates the route
that determines the outgoing interface and destination security zone. With policy based
forwarding, you can specify other information to determine the outgoing interface, including
source and destination IP addresses, source and destination ports, and user ID. The initial
session on a given destination IP address and port that is associated with an application will
not match an application-specific rule and will be forwarded according to subsequent policy
based forwarding rules (that do not specify an application) or the virtual router’s forwarding
table. All subsequent sessions on that destination IP address and port for the same application
will match an application-specific rule. To ensure forwarding through policy based
forwarding rules, application-specific rules are not recommended.
Click New on this page to create a new rule. For configuration guidelines, refer to “Guidelines
on Defining Policies” on page 120.
Secure Sockets Layer (SSL) decryption policies specify the SSL traffic to be decrypted so that
security policies can be applied. Each policy specifies the categories of URLs whose traffic you
want to decrypt or not decrypt.
You can configure the firewall to decrypt SSL traffic for visibility, control, and granular
security. App-ID and the antivirus, vulnerability, anti-spyware, URL filtering, and file-blocking
profiles are applied to decrypted traffic before it is re-encrypted as traffic exits the
device. End-to-end SSL security between clients and servers is maintained, and the firewall
acts as a trusted third party during the connection. No decrypted traffic leaves the device.
The firewall inspects compliant SSL traffic, regardless of the protocols that are encapsulated.
Like security policies, SSL decryption policies can be as general or specific as needed. The
policy rules are compared against the traffic in sequence, so the more specific rules must
precede the more general ones.
Note: Refer to the Palo Alto Networks Tech Note, “Controlling SSL Decryption,” for
instructions on managing SSL certificates to avoid certificate mismatch errors, and
“Controlling SSL Decryption” for guidelines on how to develop policies to handle
non-standard SSL implementations.
Click New on this page to create a new rule. After creating a new rule, configure the rule by
clicking the current field values and specifying the appropriate information, as described in
the following table. For configuration guidelines, refer to “Guidelines on Defining Policies” on
page 120.
You can restrict security policies to selected users or applications by clicking the user or
application link on the Security or SSL Decryption device rules page. For information on
restricting rules by application, refer to “Defining Applications” on page 148.
To restrict a policy to selected users, follow these steps:
1. On the Security or SSL Decryption device rules page, click the underlined link for the
source or destination user to open the selection window.
Note: If you are using a RADIUS server and not the User-ID Agent, the list of
users is not displayed, and you must enter user information manually.
3. To add groups of users, select from the Available User Groups check boxes and click Add
User Group. Alternatively, you can enter text to match one or more groups and click Add
User Group.
4. To add individual users, enter a search string in the User search field and click Find. You
can then select users and click Add User. Alternatively, you can enter individual user
names in the Additional Users area.
5. Click OK to save the selections and update the security or SSL decryption rule.
2. Define an application override policy that specifies when the custom application should
be invoked. A policy typically includes the IP address of the server running the custom
application and a restricted set of source IP addresses or a source zone.
After creating a new rule, configure the rule by clicking the current field values and specifying
the appropriate information, as described in the following table.
Before you define captive portal policies, enable captive portal and configure captive portal
settings on the User Identification page, as described in “Configuring the Firewall for User
Identification” on page 35.
Click Add Rule to create a new rule and add it to the list on the page. Configure the rule by
clicking the current field values and specifying the appropriate information, as described in
the following table.
You can choose from the following actions when defining threat-based policies:
• None—No action.
• Alert—Generates an alert for each application traffic flow. The alert is saved in the threat
log.
• URL filtering profiles to restrict access to specific web sites and web site categories. Refer
to “About URL Filtering Profiles” on page 137.
• File blocking profiles to block selected file types. Refer to “Defining File Blocking
Profiles” on page 139.
• Data filtering profiles that help prevent sensitive information such as credit card or social
security numbers from leaving the area protected by the firewall. Refer to “Defining Data
Filtering Profiles” on page 139.
In addition to individual profiles, you can create profile groups to combine profiles that are
often applied together.
Each security policy can specify an antivirus profile that identifies which applications are
inspected for viruses and the action taken when a virus is detected. The default profile
inspects all of the listed protocol decoders for viruses, generates alerts for Simple Mail
Transport Protocol (SMTP), Internet Message Access Protocol (IMAP), and Post Office
Protocol Version 3 (POP3), and takes the default action for other applications (alert or deny),
depending on the type of virus detected.
Customized profiles can be used to minimize antivirus inspection for traffic between trusted
security zones, and to maximize the inspection of traffic received from untrusted zones, such
as the Internet, as well as the traffic sent to highly sensitive destinations, such as server farms.
To define an antivirus profile, click New and specify the following information. For
information on action types, refer to “About Security Profiles” on page 132.
Anti-Virus Tab
Packet Capture: Select the check box if you want to capture identified packets.
Decoders and Actions: For each type of traffic that you want to inspect for viruses, select an
action from the drop-down list.
Applications Exceptions and Actions: Identify applications that will be exceptions to the
antivirus rule. For example, to block all HTTP traffic except for a specific application, you can
define an antivirus profile for which the application is an exception. Block is the action for the
HTTP decoder, and Allow is the exception for the application.
To find an application, start typing the application name in the text box. A matching list of
applications is displayed, and you can make a selection. The application is added to the table,
and you can assign an action.
For each application exception, select the action to be taken when the threat is detected.
Each security policy can specify an anti-spyware profile that determines the combination of
methods used to combat spyware—download protection, web site blocking, and “phone
home” detection (detection of traffic from installed spyware). The default anti-spyware profile
provides download protection over all of the listed applications, and phone-home protection
for all severity levels except the informational level.
Customized profiles can be used to minimize anti-spyware inspection for traffic between
trusted security zones, and to maximize the inspection of traffic received from untrusted
zones, such as the Internet, as well as the traffic sent to highly sensitive destinations, such as
server farms.
To define anti-spyware profiles, click New and specify the following information.
Download Protection Tab
Packet Capture: Select the check box to capture spyware packets.
Decoders and Actions: For each type of traffic that you want to inspect for viruses, select an
action from the drop-down list.
Applications Exceptions and Actions: Identify applications that will be exceptions to the
spyware rule. For example, to block all HTTP traffic except for a specific application, you can
define a spyware profile for which the application is an exception. Block is the action for the
HTTP decoder, and Allow is the exception for the application.
To find an application, start typing the application name in the text box. A matching list of
applications is displayed, and you can make a selection. The application is added to the table,
and you can assign an action.
For each application exception, select the action to be taken when the threat is detected.
Phone Home Protection Tab
Type: To use rule-based protection, select Simple from the Type drop-down list and select an
action (None, default, Allow, Alert, or Block) for each severity level of spyware threats.
To use threat-based protection, select Custom from the Type drop-down list.
Enable (threat-based protection only): Select the check box for each threat for which you want
to assign an action, or select All to respond to all listed threats. The list depends on the
selected host, category, and severity. If the list is empty, there are no threats for the current
selections.
Actions (threat-based protection only): Choose an action from the drop-down list box, or
choose from the Action drop-down at the top of the list to apply the same action to all threats.
Packet Capture: Select the check box to collect the traffic packets from the threat.
Spyware Exception Tab
Threat ID: Use this tab if you want the system to ignore specific threats. Exceptions that are
already specified are listed. You can add additional threats by entering the threat ID and
clicking Add. Threat IDs are presented as part of the threat log information. Refer to
“Viewing the Logs” on page 175.
Each security policy can specify a vulnerability protection profile that determines the level of
protection against buffer overflows, illegal code execution, and other attempts to exploit
system vulnerabilities. The default profile protects clients and servers from all known critical,
high-, and medium-severity threats.
Customized profiles can be used to minimize vulnerability checking for traffic between
trusted security zones, and to maximize protection for traffic received from untrusted zones,
such as the Internet, as well as the traffic sent to highly sensitive destinations, such as server
farms. To apply vulnerability protection profiles to security policies, refer to “About Security
Profiles” on page 132.
To define vulnerability protection profiles, click New and specify the following information.
Vulnerability Tab
Rule Type: To use rule-based protection, select Simple from the Type drop-down list and
select an action (None, Default, Allow, Alert, or Block) for each threat severity level.
To use threat-based protection, select Custom from the Type drop-down list and select threats
and actions.
Threats: Select the Enable check box for each threat for which you want to assign an action,
or select All to respond to all listed threats. The list depends on the selected host, category,
and severity. If the list is empty, there are no threats for the current selections.
Choose an action from the drop-down list box, or choose from the Action drop-down at the
top of the list to apply the same action to all threats.
Note: The default action is shown in parentheses.
The CVE column shows identifiers for common vulnerabilities and exposures (CVE). These
unique, common identifiers are for publicly known information security vulnerabilities.
Packet Capture: Select the check box if you want to capture identified packets.
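The Simple and Custom rule types, the per-signature default action shown in parentheses,
and the exception list combine to decide what the firewall does with a detected threat. The
following Python model is an added example, not PAN-OS code: it encodes the shipped
default profile as described above (critical, high and medium severities acted on, the rest
ignored) and resolves the action for a threat. The evaluation order (exception first, then the
rule type table, with Default falling back to the signature's own action) and the threat IDs,
names and actions in the sample are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Severity levels and actions as listed in the Vulnerability tab description.
SEVERITIES = ("critical", "high", "medium", "low", "informational")
ACTIONS = ("none", "default", "allow", "alert", "block")


@dataclass
class Threat:
    """A threat signature entry; default_action is what the UI shows in parentheses."""
    threat_id: int          # constructed placeholder IDs, not real signature IDs
    name: str
    severity: str
    default_action: str


@dataclass
class VulnerabilityProfile:
    rule_type: str                                        # "Simple" or "Custom"
    severity_actions: dict = field(default_factory=dict)  # Simple: severity -> action
    threat_actions: dict = field(default_factory=dict)    # Custom: threat_id -> action
    exceptions: set = field(default_factory=set)          # threat IDs the profile ignores
    packet_capture: bool = False

    def __post_init__(self):
        for action in list(self.severity_actions.values()) + list(self.threat_actions.values()):
            if action not in ACTIONS:
                raise ValueError(f"unknown action {action!r}")


def default_profile():
    """Assumed encoding of the shipped default: act on critical, high and medium
    threats with each signature's own default action, ignore low and informational."""
    return VulnerabilityProfile(
        "Simple",
        severity_actions={"critical": "default", "high": "default", "medium": "default",
                          "low": "none", "informational": "none"},
    )


def resolve_action(profile, threat):
    """Return the action the profile takes for one detected threat.

    Assumed order: an exception entry wins; then Simple consults the severity table
    and Custom the per-threat table; 'default' means the signature's own action."""
    if threat.threat_id in profile.exceptions:
        return "none"
    if profile.rule_type == "Simple":
        action = profile.severity_actions.get(threat.severity, "default")
    elif profile.rule_type == "Custom":
        action = profile.threat_actions.get(threat.threat_id, "default")
    else:
        raise ValueError(f"unknown rule type {profile.rule_type!r}")
    return threat.default_action if action == "default" else action


def verdicts(profile, threats):
    """Map each threat name to the action a profile applies; useful when reviewing a profile."""
    return {t.name: resolve_action(profile, t) for t in threats}


if __name__ == "__main__":
    # Constructed sample threats; IDs and names are placeholders.
    sample = [
        Threat(90001, "example-server-overflow", "critical", "block"),
        Threat(90002, "example-client-overflow", "high", "alert"),
        Threat(90003, "example-port-scan", "low", "alert"),
    ]
    print(verdicts(default_profile(), sample))
```

Reviewing a profile with a function like `verdicts` makes the effect of a broad exception list
or a "None" severity row visible before the profile is attached to a policy.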
Each security policy can specify a URL filtering profile that blocks access to specific web sites
and web site categories, or generates an alert when the specified web sites are accessed (a URL
filtering license is required). You can also define a “block list” of web sites that are always
blocked (or generate alerts) and an “allow list” of web sites that are always allowed. The web
categories are predefined by Palo Alto Networks.
To apply URL filtering profiles to security policies, refer to “About Security Policies” on
page 122. To create custom URL categories with your own lists of URLs, refer to “About
Custom URL Categories” on page 155.
To define URL filtering profiles, click New and specify the following information.
Each security policy can specify a file blocking profile that blocks selected file types from
being uploaded and/or downloaded, or generates an alert when the specified file types are
detected. To apply file blocking profiles to security policies, refer to “About Security Policies”
on page 122.
To define file blocking profiles, click New and specify the following information.
You can define security policies that help prevent sensitive information such as credit card or
social security numbers from leaving the area protected by the firewall.
To apply data filtering profiles to security policies, refer to “About Security Policies” on
page 122.
To define data filtering profiles, click New and specify the following information.
Note: Specify a password for Manage Data Protection on the Settings page to
view your captured data. Refer to “Defining the Host Name and Network
Settings” on page 66.
To modify parameters for a data pattern in the list, click the item and specify information as
described in the following table.
• Applications and application groups that allow you to specify how specific software
applications are treated in policies. Refer to “About Applications and Application
Groups” on page 143.
• Application filters that allow you to simplify searches. Refer to “About Application
Filters” on page 151.
• Services and service groups to limit the port numbers. Refer to “About Services and
Service Groups” on page 152.
• Data patterns to define categories of sensitive information for data filtering policies. Refer
to “About Data Patterns” on page 153.
• Custom URL categories that contain your own lists of URLs to include as a group in URL
filtering profiles. Refer to “About Custom URL Categories” on page 155.
• Spyware and vulnerability threats to allow for detailed threat responses. Refer to “About
Security Profile Groups” on page 158.
• Log forwarding to specify log settings. Refer to “About Log Forwarding” on page 159.
• Schedules to specify when policies are active. Refer to “About Schedules” on page 160.
To define security policies for specific source or destination addresses, you must first define
the addresses and address ranges. Addresses requiring the same security settings can be
combined into address groups to simplify policy creation (refer to “Defining Address
Groups” on page 143).
To define an address range, click New and specify the following information.
To simplify the creation of security policies, addresses requiring the same security settings can
be combined into address groups.
To define address groups, click New and specify the following information.
The Attribute column is redisplayed with a highlighted check box for the column and the
selected item. Use the column and item check boxes to select or deselect individual items
or the full column.
• To filter on additional columns, select an entry in the columns to display check boxes. The
filtering is successive: first category filters are applied, then sub category filters, then
technology filters, then risk filters, and finally characteristic filters.
For example, the next figure shows the result of applying a category, sub category, and
risk filter. In applying the first two filters, the Technology column is automatically
restricted to the technologies that are consistent with the selected category and sub
category, even though a technology filter has not been explicitly applied.
Each time a filter is applied, the list of applications in the lower part of the page is
automatically updated, as shown in the following figure. Any saved filters can be viewed
in Objects > Application Filters.
• To search for a specific application, enter the application name or description in the
Search field, and press Enter. The application is listed, and the filter columns are updated
to show statistics for the applications that matched the search.
A search will match partial strings. When you define security policies, you can write rules
that apply to all applications that match a saved filter. Such rules are dynamically
updated when a new application is added through a content update that matches the
filter.
• Click an application name to view additional details about the application, as described in
the following table. You can also customize risk and timeout values, as described in the
following table.
When the firewall is not able to identify an application using the application ID, the traffic is
classified as unknown: unknown-tcp or unknown-udp. This behavior applies to all unknown
applications except those that fully emulate HTTP. For more information, refer to “Identifying
Unknown Applications and Taking Action” on page 185.
You can create new definitions for unknown applications and then define security policies for
the new application definitions. In addition, applications that require the same security
settings can be combined into application groups to simplify the creation of security policies.
Host: www.specifiedsite.com
The following signature can identify specifiedsite traffic if the host field is www.specifiedsite.com.
username@hostname# show application specifiedsite
specifiedsite {
  category collaboration;
  subcategory social-networking;
  technology browser-based;
  decoder http;
  signature {
    s1 {
      and-condition {
        a1 {
          or-condition {
            o1 {
              context http-req-host-header;
              pattern www\.specifiedsite\.com;
            }
          }
        }
      }
    }
  }
}
The host field includes the pattern specifiedblog.com. However, if a signature is written with
that value in the host, it will match all traffic going to specifiedblog.com, including posting and
viewing traffic. Therefore, it is necessary to look for more patterns.
One way to do this is to look for post_title and post_author patterns in the parameters of the
post. The resulting signature detects postings to the web site:
username@hostname# show application specifiedblog_blog_posting
specifiedblog_blog_posting {
  category collaboration;
  subcategory web-posting;
  technology browser-based;
  decoder http;
  signature {
    s1 {
      and-condition {
        a1 {
          or-condition {
            o1 {
              context http-req-host-header;
              pattern specifiedblog\.com;
              method POST;
            }
          }
        }
        a2 {
          or-condition {
            o2 {
              context http-req-params;
              pattern post_title;
              method POST;
            }
          }
        }
        a3 {
          or-condition {
            o3 {
              context http-req-params;
              pattern post_author;
              method POST;
            }
          }
        }
      }
    }
  }
}
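The two signatures above differ only in how many and-conditions they require, and that is
what separates "any traffic to the site" from "a posting to the site". The following Python
evaluator is an added example, not PAN-OS code or the firewall's decoder: it models a
signature as a list of and-conditions, each a list of or-conditions with a context, a regex
pattern and an optional method, and runs the two signatures (plus a host-only variant of
the blog signature) against constructed HTTP requests. The request model with only the
two contexts used on this page, and the sample requests, are assumptions for the example.

```python
import re

# The request fields a signature context can refer to. Constructed model of the
# decoder output; the real decoder exposes more contexts than these two.
CONTEXTS = ("http-req-host-header", "http-req-params")


def make_request(method, host, params=""):
    """A minimal HTTP request as the HTTP decoder would present it (constructed input)."""
    return {"method": method, "http-req-host-header": host, "http-req-params": params}


# A signature is a list of and-conditions; each and-condition is a list of
# or-conditions; each or-condition names a context, a regex pattern and, optionally,
# the HTTP method it applies to. This mirrors the nesting of the 'show application'
# output above.
SPECIFIEDSITE = [
    [{"context": "http-req-host-header", "pattern": r"www\.specifiedsite\.com"}],
]

# Host-only version of the blog signature: matches viewing as well as posting,
# which is the over-match the text warns about.
SPECIFIEDBLOG_ANY = [
    [{"context": "http-req-host-header", "pattern": r"specifiedblog\.com"}],
]

SPECIFIEDBLOG_BLOG_POSTING = [
    [{"context": "http-req-host-header", "pattern": r"specifiedblog\.com", "method": "POST"}],
    [{"context": "http-req-params", "pattern": r"post_title", "method": "POST"}],
    [{"context": "http-req-params", "pattern": r"post_author", "method": "POST"}],
]


def or_condition_matches(cond, request):
    """One or-condition: the method (if given) must match and the pattern must occur
    in the named context."""
    if cond["context"] not in CONTEXTS:
        raise ValueError(f"unsupported context {cond['context']!r}")
    if "method" in cond and cond["method"] != request["method"]:
        return False
    return re.search(cond["pattern"], request.get(cond["context"], "")) is not None


def signature_matches(signature, request):
    """Every and-condition must hold; an and-condition holds if any of its
    or-conditions does."""
    return all(any(or_condition_matches(c, request) for c in or_group)
               for or_group in signature)


def identify_application(request, signatures):
    """Return the first application whose signature matches, or None when none of
    these custom signatures identifies the request."""
    for name, signature in signatures.items():
        if signature_matches(signature, request):
            return name
    return None


# Constructed registry of the custom applications defined above.
APPLICATIONS = {
    "specifiedblog_blog_posting": SPECIFIEDBLOG_BLOG_POSTING,
    "specifiedsite": SPECIFIEDSITE,
}


if __name__ == "__main__":
    view = make_request("GET", "specifiedblog.com", "p=123")
    post = make_request("POST", "specifiedblog.com", "post_title=Hello&post_author=alice")
    print(identify_application(view, APPLICATIONS), identify_application(post, APPLICATIONS))
```

Note that a request that carries only one of the two parameters fails the posting signature,
because each parameter sits in its own and-condition; putting both patterns into one
or-condition group would match either one alone.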
Defining Applications
Objects > Applications
To add a new application, click New and specify the following information.
To simplify the creation of security policies, applications requiring the same security settings
can be combined into application groups. To define new applications, refer to “Defining
Applications” on page 148.
To define an application group, click New and specify the following information.
You can define application filters to simplify repeated searches. To define application filters to
simplify repeated searches, click New and enter a name for the filter.
In the upper area of the window, click an item that you want to use as a basis for filtering. For
example, to restrict the list to the Networking category, click Networking.
The column is redisplayed with a highlighted check box for the column and the selected item.
Use the column and item check boxes to select or deselect individual items or the full column.
To filter on additional columns, select an entry in the columns to display check boxes. The
filtering is successive: first category filters are applied, then sub category filters, then
technology filters, then risk filters, and finally characteristic filters.
For example, the next figure shows the result of choosing a category, sub category, and risk
filter. In applying the first two filters, the Technology column is automatically restricted to the
technologies that are consistent with the selected category and sub category, even though a
technology filter has not been explicitly applied.
As you select options, the list of applications in the lower part of the page is automatically
updated, as shown in the figure.
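The successive filtering described here, including the way the Technology column shrinks to
the values consistent with the category and sub category already chosen, can be reproduced
over a small application catalogue. The following Python is an added example, not the
firewall's implementation; the catalogue entries, their attributes and the column order are
constructed for the example.

```python
from collections import Counter

# Constructed sample catalogue; names and attributes are illustrative only.
CATALOGUE = [
    {"name": "app-chat-1", "category": "collaboration", "subcategory": "instant-messaging",
     "technology": "client-server", "risk": 3},
    {"name": "app-chat-2", "category": "collaboration", "subcategory": "instant-messaging",
     "technology": "peer-to-peer", "risk": 4},
    {"name": "app-social-1", "category": "collaboration", "subcategory": "social-networking",
     "technology": "browser-based", "risk": 4},
    {"name": "app-dns", "category": "networking", "subcategory": "infrastructure",
     "technology": "network-protocol", "risk": 2},
    {"name": "app-tunnel", "category": "networking", "subcategory": "encrypted-tunnel",
     "technology": "client-server", "risk": 5},
]

# Order in which the filter columns are applied.
COLUMNS = ("category", "subcategory", "technology", "risk")


def apply_filters(apps, filters):
    """Apply the filters column by column in COLUMNS order.
    'filters' maps a column name to the set of values that remain selected."""
    remaining = list(apps)
    for column in COLUMNS:
        allowed = filters.get(column)
        if allowed:
            remaining = [a for a in remaining if a[column] in allowed]
    return remaining


def column_counts(apps):
    """Per-column value counts for the remaining apps: what each filter column shows."""
    return {column: dict(Counter(a[column] for a in apps)) for column in COLUMNS}


def search(apps, text):
    """Partial, case-insensitive match on the application name, like the Search field."""
    text = text.lower()
    return [a for a in apps if text in a["name"].lower()]


if __name__ == "__main__":
    narrowed = apply_filters(CATALOGUE, {"category": {"collaboration"},
                                         "subcategory": {"instant-messaging"}})
    print([a["name"] for a in narrowed])
    print(column_counts(narrowed)["technology"])
```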
Defining Services
Objects > Services
When you define security policies for specific applications, you can select one or more services
to limit the port numbers the applications can use. The default service is any, which allows all
TCP and UDP ports.
The HTTP and HTTPS services are predefined, but you can add additional service definitions.
Services that are often assigned together can be combined into service groups to simplify the
creation of security policies (refer to “Defining Service Groups” on page 153).
To define services, click New and specify the following information.
To simplify the creation of security policies, you can combine services that have the same
security settings into service groups. To define new services, refer to “Defining Services” on
page 152.
To define service groups, click New and specify the following information.
• The string match is case-sensitive, as with most regular expression engines. Looking for
“confidential” is different than looking for “Confidential” or “CONFIDENTIAL.”
The regular expression syntax in PAN-OS is similar to traditional regular expression engines,
but every engine is unique. The following table describes the syntax supported in PAN-OS.
• .*(Press Release).*((Draft)|(DRAFT)|(draft))
– Looks for “Press Release” followed by various forms of the word draft, which may
indicate that the press release isn't ready to be sent outside the company
• .*(Trinidad)
The custom URL categories feature allows you to create your own lists of URLs that can be
selected in any URL filtering profile. Each custom category can be controlled independently
and will have an action associated with it in each URL filtering profile (allow, block, continue,
override, or alert).
Before you begin, create a text file that contains the URLs to include, with one URL per line.
Each URL can be in the format “www.example.com,” and can contain * as a wildcard, such as
“www.ex*.com.” For additional information on wildcards, refer to the description of Block
List in Table 63.
Click New and specify the following information. For instructions on setting up URL filtering
profiles, refer to “About URL Filtering Profiles” on page 137.
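A custom category is only as precise as its wildcard entries, and an entry such as
"www.ex*.com" matches more hosts than its author may expect. The following Python is an
added example, not PAN-OS code, that loads a category from text in the one-URL-per-line
format, matches URLs against it, and resolves the action for a profile. The wildcard rule
(a single * matches any run of characters, everything else is literal), the precedence of block
list over allow list over category actions, the fallback action for unlisted URLs, and the
sample entries and URLs are assumptions for the example; Table 63 holds the authoritative
wildcard rules and is not reproduced here.

```python
import re
from urllib.parse import urlsplit

# Constructed contents of the text file the guide says to prepare: one URL per line.
CUSTOM_CATEGORY_FILE = """\
www.example.com
www.ex*.com
intranet.example.net/portal
"""


def entry_to_regex(entry):
    """Anchored regex for one list entry. Assumption: '*' matches any run of
    characters; every other character is literal; matching ignores case."""
    parts = [re.escape(p) for p in entry.strip().lower().split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def load_category(text):
    """Compile every non-empty line of a category file."""
    return [entry_to_regex(line) for line in text.splitlines() if line.strip()]


def url_in_category(url, patterns):
    """Match an entry against the host, or against host plus path for entries that
    carry a path (assumed semantics)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    host_path = host + parts.path.lower()
    return any(p.match(host) or p.match(host_path) for p in patterns)


def url_action(url, profile):
    """Assumed precedence: block list, then allow list, then the action of the first
    matching custom category, then the profile's fallback action."""
    if url_in_category(url, profile["block_list"]):
        return "block"
    if url_in_category(url, profile["allow_list"]):
        return "allow"
    for name, patterns in profile["categories"].items():
        if url_in_category(url, patterns):
            return profile["category_actions"].get(name, profile["default_action"])
    return profile["default_action"]


# Constructed URL filtering profile; all list contents are placeholders.
PROFILE = {
    "block_list": load_category("*.example-blocked.test\n"),
    "allow_list": load_category("updates.example.com\n"),
    "categories": {"corp-web": load_category(CUSTOM_CATEGORY_FILE)},
    "category_actions": {"corp-web": "allow"},
    "default_action": "alert",
}


if __name__ == "__main__":
    for url in ("http://www.example.com/login", "http://www.exfil.com/",
                "http://evil.example-blocked.test/", "http://other.test/"):
        print(url, url_action(url, PROFILE))
```

The second sample URL is the point of the example: "www.ex*.com" in an allow-action
category also allows "www.exfil.com", so wildcard entries in categories that carry allow or
override actions deserve a review of what else they match.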
The firewall supports the ability to create custom spyware and vulnerability signatures using
the firewall threat engine. You can write custom regular expression patterns to identify
spyware phone home communication or vulnerability exploits. The resulting spyware and
vulnerability patterns become available for use in any custom vulnerability profiles. The
firewall looks for the custom-defined patterns in network traffic and takes the specified action
for the vulnerability exploit. Support is provided for creation of custom signatures using
HTTP, SMTP, IMAP, FTP, and POP3.
Use the Custom Threat Signatures page to define signatures for vulnerability profiles. Click
New and specify the following information.
Use the Data Patterns page to define the categories of sensitive information that you may
want to subject to filtering using data filtering security policies. For information on defining
data filtering profiles, refer to “Defining Data Filtering Profiles” on page 139.
To define a data object, click New and specify the following information.
Shared: If the device is in Multiple Virtual System Mode, select this check box to allow the
profile to be shared by all virtual systems.
Add Pattern: The pre-defined patterns include credit card number and social security
number (with and without dashes).
Click to add a new pattern. Specify a name for the pattern, enter the regular expression that
defines the pattern, and enter a weight to assign to the pattern. Add additional patterns as
needed, or click to delete an object.
Weight: Enter weights for pre-specified pattern types. The weight is a number between 1 and
255. Alert and Block thresholds specified in the Data Filtering Profile are a function of this
weight.
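The regular expression notes earlier on this page (case-sensitive matching, the press-release
example) and the weight field above come together when a profile decides whether a flow is
alerted on or blocked. The following Python is an added example, not the firewall's data
filtering engine: it validates the 1 to 255 weight range, counts case-sensitive matches per
pattern, and compares a weighted score with alert and block thresholds. The scoring model
(each hit adds the pattern's weight), the threshold values, the stand-in regexes for the
predefined credit card and social security number patterns, and the sample text are
assumptions constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DataPattern:
    name: str
    regex: str
    weight: int   # 1..255, as the Weight field requires

    def __post_init__(self):
        if not 1 <= self.weight <= 255:
            raise ValueError(f"weight for {self.name} must be between 1 and 255")
        re.compile(self.regex)   # fail early on a malformed expression


# Constructed patterns. The first two stand in for the predefined credit card and
# social security number patterns (with and without dashes); the third is the
# press-release example from the syntax notes. Matching is case-sensitive.
PATTERNS = [
    DataPattern("ssn", r"\b\d{3}-?\d{2}-?\d{4}\b", 10),
    DataPattern("credit-card", r"\b\d{4}-?\d{4}-?\d{4}-?\d{4}\b", 10),
    DataPattern("press-release-draft", r".*(Press Release).*((Draft)|(DRAFT)|(draft))", 3),
    DataPattern("confidential", r"confidential", 2),
]


def pattern_hits(text, pattern):
    """Count non-overlapping, case-sensitive matches of one pattern in the text."""
    return sum(1 for _ in re.finditer(pattern.regex, text))


def score(text, patterns):
    """Weighted score: every hit contributes its pattern's weight (assumed model of
    how the profile thresholds are 'a function of this weight')."""
    return sum(pattern_hits(text, p) * p.weight for p in patterns)


def verdict(text, patterns, alert_threshold, block_threshold):
    """'block' at or above the block threshold, else 'alert' at or above the alert
    threshold, else 'allow'. The thresholds belong to the data filtering profile."""
    s = score(text, patterns)
    if s >= block_threshold:
        return "block"
    if s >= alert_threshold:
        return "alert"
    return "allow"


# Constructed sample document; the numbers are test values, not real data.
SAMPLE = ("Press Release: Q3 results (DRAFT). Customer SSN 123-45-6789, "
          "card 4111-1111-1111-1111, marked CONFIDENTIAL.")


if __name__ == "__main__":
    for p in PATTERNS:
        print(p.name, pattern_hits(SAMPLE, p))
    print(score(SAMPLE, PATTERNS), verdict(SAMPLE, PATTERNS, 5, 20))
```

The sample text shows the case-sensitivity caveat in action: "CONFIDENTIAL" contributes
nothing to the score because the pattern is written in lower case, so a pattern meant to catch
every spelling needs the alternation form used in the press-release example.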
The firewall supports the ability to create security profile groups, which specify sets of
security profiles that can be treated as a unit and then added to security policies. For example,
you can create a “threats” security profile group that includes profiles for antivirus, anti-
spyware, and vulnerability and then create a security policy that includes the “threats”
profile.
Antivirus, anti-spyware, vulnerability protection, URL filtering, and file blocking profiles that
are often assigned together can be combined into profile groups to simplify the creation of
security policies.
To define security profile groups, click New and specify the following information. To define
new security profiles, refer to “About Security Profile Groups” on page 158.
Each security policy can specify a log forwarding profile that determines whether traffic and
threat log entries are logged remotely with Panorama, and/or sent as SNMP traps, syslog
messages, or email notifications. By default, only local logging is performed.
Traffic logs record information about each traffic flow, and threat logs record the threats or
problems with the network traffic, such as virus or spyware detection. Note that the antivirus,
anti-spyware, and vulnerability protection profiles associated with each rule determine which
threats are logged (locally or remotely). To apply logging profiles to security policies, refer to
“About Security Policies” on page 122.
To define log forwarding profiles, click New and specify the following information.
About Schedules
Objects > Schedules
By default, each security policy applies to all dates and times. To limit a security policy to
specific times, you can define schedules, and then apply them to the appropriate policies. For
each schedule, you can specify a fixed date and time range or a recurring daily or weekly
schedule. To apply schedules to security policies, refer to “About Security Policies” on
page 122.
To define a schedule, click New and specify the following information.
This chapter describes how to view the reports and logs provided with the firewall:
• “Using the Dashboard” in the next section
The Dashboard page displays general device information, such as the software version, the
operational status of each interface, resource utilization, and up to 10 of the most recent
entries in the threat, configuration, and system logs. All of the available charts are displayed
by default, but each user can remove and add individual charts, as needed.
Click Refresh to update the Dashboard. To change the automatic refresh interval, select an
interval from the drop-down list (1 min, 2 mins, 5 mins, or Manual). To add a chart to the
Dashboard, click the chart name on the left side of the page. To delete a chart, click the icon
in the title bar of the chart.
Review the following information in each chart.
The Application Command Center (ACC) page displays the overall risk level for your
network traffic, the risk levels and number of threats detected for the most active and highest-
risk applications on your network, and the number of threats detected from the busiest
application categories and from all applications at each risk level. The ACC can be viewed for
the past hour, day, week, month, or any custom-defined time frame.
Risk levels (1=lowest to 5=highest) indicate the application’s relative security risk based on
criteria such as whether the application can share files, is prone to misuse, or tries to evade
firewalls.
To view the Application Command Center:
1. Under the ACC tab, change one or more of the following settings at the top of the page,
and click Go:
d. For the selected sorting method, select the top number of applications and application
categories shown in each chart from the Top N drop-down list. The default is the
top 25.
2. To open log pages associated with the information on the page, use the log links in the
upper-right corner of the page, as shown here. The context for the logs matches the
information on the page.
3. To filter the list, click Set Filter. Choose a filter type from the drop-down list, enter a
value, and click OK.
4. Choose a view from the drop-down list for the area of interest, as described in the
following table.
5. Use the drop-down lists for Applications, URL Filtering, and Threat to display the
information described in the following table.
6. To view additional details, click any of the links. A details page opens to show
information about the item at the top and additional lists for related items.
The App-Scope reports introduce visibility and analysis tools to help pinpoint problematic
behavior, helping you understand the following aspects of your network:
• Changes in application usage and user activity
• Network threats
With the App-Scope reports, you can quickly see if any behavior is unusual or unexpected.
Each report provides a dynamic, user-customizable window into the network. The reports
include options to select the data and ranges to display.
To view the reports, click the report name under App-Scope on the left side of the page in the
Monitor tab. Select one of the report types listed below. Report options are available from the
drop-down lists at the top and bottom of some of the pages.
Summary Report
The Summary report (Figure 29) displays charts for the top five gainers, losers, and
bandwidth consuming applications, application categories, users, and sources.
For example, Figure 30 displays the top 25 applications that gained in use for the 24-hour
period ending with the last full hour today. The top applications are determined by session
count and sorted by percent.
Each threat type is color-coded as indicated in the legend below the chart. This report contains
the following buttons and options.
For example, Figure 31 displays the top 10 threats over the past 24 hours.
Each threat type is color-coded as indicated in the legend below the chart. Click a country on
the map to zoom in. Click the Zoom Out button in the lower right corner of the screen to zoom
out.
This report contains the following buttons and options.
For example, Figure 33 displays the top 10 applications over the past 6 hours, measured by the
number of bytes transmitted and received.
Each traffic type is color-coded as indicated in the legend below the chart. This report contains
the following buttons and options.
The firewall maintains logs for traffic flows, threats, configuration changes, and system
events. You can view the current logs at any time. To locate specific entries, you can apply
filters to most of the log fields.
To view the logs, click the log types on the left side of the page in the Monitor tab.
Each log page has a filter area at the top of the page.
• To define other search criteria, click the Add Filter Expression button to open the
Expression pop-up window. Select the type of search (and/or), the attribute to include in
the search, the matching operation, and the values for the match, if appropriate. Click
Add to add the criterion to the filter area on the log page, and then click Close to close the
pop-up window. Click the Apply Filter button to display the filtered list.
Note: You must use the Expression pop-up window to define AND and OR
filters, or enter the desired filter directly.
You can combine filter expressions added on the Log page with those that you
define in the Expression pop-up window. Each is added as an entry on the Filter
line on the Log page.
If you set the “in” Received Time filter to Last 60 seconds, some of the page links
on the log viewer may not show results because the number of pages may grow or
shrink due to the dynamic nature of the selected time.
• To clear filters and redisplay the unfiltered list, click the Clear Filter button.
• To save your selections as a new filter, click the Save Filter button, enter a name for the
filter, and click OK.
• To export the current log listing (as shown on the page, including any applied filters) click
the Save Filter button. Select whether to open the file or save it to disk, and select the
check box if you want to always use the same option. Click OK.
Click the Refresh link at the top of the page to update the log. To change the automatic refresh
interval, select an interval from the drop-down list (1 min, 30 seconds, 10 seconds, or Manual).
To change the number of log entries per page, select the number of rows from the Rows drop-
down list.
Log entries are retrieved in blocks of 10 pages. To move between pages, click the page
numbers or the left or right arrowhead icons at the bottom of the frame. To view the next
block of pages, or to return to the first block of pages, click the corresponding icon.
If an entry has an underlined name link, you can click the link to display additional details.
You can also specify exceptions if you want to ignore the log entry. Select Current security
profile (the default) to disable the entry for the profile that caused it, or choose Multiple
security profiles and select other profiles. Click Add to ignore the log entry for the specified
profiles. Click Close to close the Details window.
When you create exceptions they appear in a tab on the vulnerability, anti-spyware, or
antivirus profile. Refer to “About Security Profiles” on page 132.
If the source or destination has an IP address to name mapping defined in the Addresses page,
the name is presented instead of the IP address. To view the associated IP address, move your
cursor over the name.
PDF summary reports contain information compiled from existing reports, based on data for
the top 5 in each category (instead of top 50). They also contain trend charts that are not
available in other reports.
To create PDF summary reports, click New. The Manage PDF Summary Reports page opens
to show all of the available report elements.
• Select additional elements by choosing from the drop-down list boxes near the top of the
page.
• Drag and drop an element’s icon box to move it to another area of the report.
Click Save, enter a name for the report, as prompted, and click OK.
To display PDF reports, choose PDF Summary Report, and select a report type from the drop-
down list at the bottom of the page to display the generated reports of that type. Click an
underlined report link to open or save the report.
To schedule email delivery of reports, choose Email Scheduler. Click the link for a report to
display the email options, or click New to create a new email schedule. Specify the following
information.
To send a test message to the recipients, click Send Test Message. The selected report will be
sent at a standard time each day or week.
Use this page to create reports that summarize the activity of individual users. Click New and
specify the following information.
To run the report on demand, select the report and click Edit, and then click Run.
Report groups allow you to create sets of reports that the system can compile and send as a
single aggregate PDF report with an optional title page and all the constituent reports
included.
To create a new report group, click New and specify the following information.
To use the report group, refer to “Scheduling Reports for Email Delivery” in the next section.
Use the Email scheduler to schedule reports for delivery by email. Before adding a schedule,
you must define report groups and an email profile. Refer to “Managing Report Groups” on
page 182 and “Defining Email Notification Settings” on page 64.
To schedule report delivery, click New and specify the following information.
Viewing Reports
Monitor
The firewall provides various “top 50” reports of the traffic statistics for the previous day or a
selected day in the previous week.
To view the reports, click the report names on the left side of the page under the Monitor tab.
By default, all reports are displayed for the previous calendar day. To view reports for any of
the previous days, select a report generation date from the Select drop-down list at the bottom
of the page.
The reports are listed in sections. You can view the information in each report for the selected
time period. To export the log in CSV format, click Export to CSV. To open the log
information in PDF format, click Export to PDF. The PDF file opens in a new window. Click
the icons at the top of the window to print or save the file.
You can customize most of the standard reports available from the Monitor tab by selecting
fields to include in the report and applying filters.
To create a custom report, click New to open a new report. Alternatively, to use an existing
report as a template, click Open to choose the report. Select the report and click Load to add
the report settings as a template.
To define a custom report:
1. Enter a report title.
2. Choose the database for the report from the Database drop-down list.
3. Select the columns to include in the report from the Columns drop-down list.
The available columns depend on the choice of database. When you add or remove
columns, the column headers on the page are updated to reflect your choices.
4. Choose the amount of information to include in the report (top 5, 10, 25, or 50), and how
to sort the report.
– Click Scheduled to run the report each night and make the results available in the
Custom Report list on the side menu.
– Click Run to run the report immediately and display the results in a new tab on the
page. This option does not save the report results.
2. Click New if you are creating a new report or Open to choose an existing report.
– Add a condition by clicking Add Condition and selecting from the Attribute,
Operation, and Value drop-down lists. Successive pairs of conditions are combined
using the AND operator (both must be valid for the filter to apply).
– Combine conditions by clicking Add Group. Select the type of operator to use between
groups (AND, OR) and then drag the small yellow box for a condition to move it to the
group.
In the following example, the custom report filter will capture data that applies to the
source IP subnet 10.1.1.0/24 AND destination IP address 10.0.0.5 OR to the destination
user user1.
4. Configure any additional report settings, and click OK to save the report, including the
specified filters.
• Detailed traffic logs—You can use the detailed traffic logs to track down unknown
applications. If logging is enabled for the start and end of session, the traffic log will
provide specific information about the start and end of an unknown session. Use the filter
option to restrict the display to entries that match “unknown-tcp,” as shown in the next
figure.
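The following Python example is added here to show how the filter described above behaves; it is not part of the administrator's guide or of the firewall software. It evaluates a custom-report filter (conditions AND-ed within a group, groups joined by the operator you pick) over a handful of constructed log rows, using the exact filter from the text (source 10.1.1.0/24 AND destination 10.0.0.5, OR destination user user1) and the "unknown-tcp" filter from the detailed-traffic-logs bullet. The field names, operation names and log rows are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed rows standing in for traffic-log entries (not real firewall output).
SAMPLE_LOG = [
    {"src": "10.1.1.7",  "dst": "10.0.0.5",  "dst_user": "user2", "app": "web-browsing"},
    {"src": "10.1.1.9",  "dst": "10.0.0.99", "dst_user": "user1", "app": "ssl"},
    {"src": "10.2.2.3",  "dst": "10.0.0.5",  "dst_user": "user3", "app": "unknown-tcp"},
    {"src": "10.1.1.20", "dst": "10.0.0.5",  "dst_user": "user1", "app": "unknown-tcp"},
]


def _match(record, attribute, operation, value):
    """Evaluate one (Attribute, Operation, Value) condition against a record."""
    field_value = record.get(attribute)
    if field_value is None:
        return False
    if operation == "equal":
        return field_value == value
    if operation == "not-equal":
        return field_value != value
    if operation == "in":  # value is a CIDR prefix, the attribute is an IP address
        return ipaddress.ip_address(field_value) in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"unsupported operation {operation!r}")


@dataclass
class Group:
    conditions: list  # (attribute, operation, value) tuples, all of which must hold

    def matches(self, record):
        return all(_match(record, *cond) for cond in self.conditions)


@dataclass
class Filter:
    groups: list          # Group objects
    operator: str = "OR"  # operator applied between groups: "AND" or "OR"

    def matches(self, record):
        results = [g.matches(record) for g in self.groups]
        return any(results) if self.operator == "OR" else all(results)


def run_report(records, flt):
    """Return the records the filter keeps, in their original order."""
    return [r for r in records if flt.matches(r)]


# The filter from the text: (src in 10.1.1.0/24 AND dst == 10.0.0.5) OR dst_user == user1
EXAMPLE_FILTER = Filter(
    groups=[
        Group([("src", "in", "10.1.1.0/24"), ("dst", "equal", "10.0.0.5")]),
        Group([("dst_user", "equal", "user1")]),
    ],
    operator="OR",
)

# Same conditions, AND between the groups: a row must satisfy all three to survive.
STRICT_FILTER = Filter(groups=EXAMPLE_FILTER.groups, operator="AND")


def unknown_tcp_sessions(records):
    """The detailed-traffic-log view restricted to 'unknown-tcp' entries."""
    return run_report(records, Filter([Group([("app", "equal", "unknown-tcp")])]))
```

Running the two filters over the sample rows makes the precedence visible: the OR form returns three rows, the AND form only the row that satisfies every condition.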
Taking Action
You can take the following actions to deal with unknown applications:
• Use custom application definition with application override (refer to “Custom
Application Definition with Application Override” on page 131).
• Use custom applications with signatures (refer to “Custom Applications with Signatures”
on page 146).
• Request an App-ID from Palo Alto Networks (refer to “Requesting an App-ID from Palo
Alto Networks” in the next section).
Policies can also be set to control unknown applications by unknown TCP, unknown UDP or
by a combination of source zone, destination zone, and IP addresses. Refer to “About
Application Override Policies” on page 131.
This chapter describes virtual private networks (VPNs) in general and IP Security (IPSec)
VPNs in detail, and describes how to configure IPSec tunnels for VPNs on the firewall. Refer
to the following sections:
• “About Virtual Private Networks” in the next section
Note: In addition to IPSec VPNs, the firewall also supports Secure Sockets Layer
(SSL) VPNs, which allow remote users to establish VPN connections through the
firewall. Refer to Chapter 8, “Configuring SSL VPNs” for more information.
The following figure shows a standard IPSec tunnel between two devices. The configuration
can include a tunnel monitor on each side to alert the device administrator of tunnel failure
and provide automatic failover. Tunnel monitors are useful if you want to be able to provide
failover of IPSec traffic to another interface.
[Figure: standard IPSec tunnel between two sites. Local network -> Firewall -> Router -> Switch -> Internet -> Switch -> Router -> Firewall -> Local network; the IPSec tunnel runs from firewall to firewall across the Internet.]
You can configure route-based VPNs to connect Palo Alto Networks firewalls at central and
remote sites or to connect Palo Alto Networks firewalls with third party security devices at
other locations. With route-based VPNs, the firewall makes a routing decision based on the
destination IP address. If traffic is routed through a VPN tunnel, then it is encrypted as VPN
traffic. It is not necessary to define special rules or to make explicit reference to a VPN tunnel;
routing and encryption decisions are determined only by the destination IP address.
The firewall can also interoperate with a policy-based VPN. To connect with a policy-based
VPN, configure the Proxy ID for the tunnel. If multiple phase 2 tunnels are required,
configure different Proxy IDs on each. Refer to “Setting Up IPSec Tunnels” on page 196.
For the IPSec connection between the firewalls, the full IP packet (header and payload) is
embedded in another IP payload, and a new header is applied. The new header uses the IP
address of the outgoing firewall interface as the source IP address and the incoming firewall
interface at the far end of the tunnel as the destination IP address. When the packet reaches
the firewall at the far end of the tunnel, the original packet is reconstructed and sent to the
actual destination host.
IPSec Security Associations (SAs) are defined at each end of the IPSec tunnel to apply all of the
parameters that are required for secure transmission, including the security parameter index
(SPI), security protocol, cryptographic keys, and the destination IP address. Encryption and
data authentication are both handled by the SAs.
• SSL VPNs are used solely to connect remote users to the network. The connection is
initiated from a web browser, and the thin client is downloaded from the firewall rather
than distributed separately.
• Connections between a central site and multiple remote sites require VPN tunnels for
each central - remote site pair.
Each tunnel is bound to a tunnel interface. It is necessary to assign the tunnel interface to the
same virtual router as the incoming (clear text) traffic. In this way, when a packet comes to the
firewall, the route lookup function can determine the appropriate tunnel to use. The tunnel
interface appears to the system as a normal interface, and the existing routing infrastructure
can be applied.
Each tunnel interface can have a maximum of 10 IPSec tunnels. This allows you to set up IPSec
tunnels for individual networks that are all associated with the same tunnel interface on the
firewall.
The same method must be applied to both ends of the IPSec tunnel. In the case of manual
keys, the same key is entered at both ends; in the case of IKE, the same methods and attributes
are applied at both ends.
IKE provides a standard mechanism for generating and maintaining security keys:
• Identification—The identification process involves recognition of the peers at both ends
of the IPSec tunnel. Each peer is identified by IP address or peer ID (contained in the
payload of the IP packet). The firewall or other security device at each end of the tunnel
adds the identification of the peer at the other end into its local configuration.
• Authentication—There are two types of authentication methods: pre-shared key and PKI.
Currently only the pre-shared key method is supported by Palo Alto Networks firewalls.
The firewall supports definition of IKE gateways, which specify the configuration information
necessary to perform IKE protocol negotiation with peer gateways.
IKE configuration options include Diffie-Hellman Group for key agreement, Encryption
algorithm, and hash for message authentication.
• Lifetime—Specify the length of time that the negotiated key will stay effective.
For details on the specific protocols and algorithms supported for IPSec and IKE crypto
profiles, refer to “Defining IKE Crypto Profiles” on page 195 and “Defining IPSec Crypto
Profiles” on page 195.
Note: Before you begin, make sure that your Ethernet interfaces, virtual routers, and
zones are configured properly. Refer to “About Firewall Interfaces” on page 85, “About
Virtual Routers and Routing Protocols” on page 98, and “Defining Security Zones” on
page 97.
2. Define IKE gateways with the configuration information for IKE protocol negotiation
with peer gateways. Refer to “Defining IKE Gateways” on page 194.
3. Configure the protocols and algorithms for identification, authentication, and encryption
in VPN tunnels using IKE SA negotiation:
– For IKEv1 Phase-1, refer to “Defining IKE Crypto Profiles” on page 195.
– For IKEv1 Phase-2, refer to “Defining IPSec Crypto Profiles” on page 195.
4. Configure the parameters that are needed to establish IPSec VPN tunnels. Refer to
“Setting Up IPSec Tunnels” on page 196.
5. Specify how the firewall will monitor the IPSec tunnels. Refer to “Defining Tunnel
Monitor Profiles” on page 199 .
6. Set up static routes or assign routing protocols to redirect traffic into the newly
established tunnels. The Routing Information Protocol (RIP) and Open Shortest Path First
(OSPF) options are supported; you can enable one or both of these protocols on the tunnel
interface. Refer to “About Virtual Routers and Routing Protocols” on page 98.
7. Set security policies to filter and inspect the traffic as described in “About Security
Policies” on page 122. Define the source and destination zones and specify the policy
attributes as follows:
– Outgoing traffic—For source, use the clear text zone. For destination, use the tunnel
interface zone.
– Incoming traffic—For source, use the tunnel interface zone. For destination, use the
clear text zone.
After defining the rule, set the source and destination addresses.
Note: VPN traffic can reuse existing security policies that were intended for
clear text, if that is appropriate for your network. You can put the tunnel
interface in a special zone to ensure that VPN traffic is separated from clear text
traffic.
When these tasks are complete, the tunnel is ready for use. Traffic destined for the addresses
defined for the tunnels is automatically routed properly and encrypted as VPN traffic.
Note: VPN traffic is subject to security policy like any other traffic. Without a
security rule that matches the tunnel-interface zone pair, the firewall drops the
VPN traffic.
The IKE protocol will be triggered when necessary (for example, when traffic is
routed to an IPSec tunnel with no keys or expired keys).
Use the IKE Gateways page to define gateways that include the configuration information
necessary to perform IKE protocol negotiation with peer gateways. To set up IKE gateways,
click New and specify the following information.
Note: The following advanced fields are visible if you click the Show advanced Phase 1 options link.
Local Identification Choose from the following types and enter the value: Fully qualified
domain name (FQDN), key ID, or user FQDN.
Peer Identification Choose from the following types and enter the value: FQDN, key ID, or
user FQDN (for the dynamic option)
Exchange Mode Choose auto, aggressive, or main.
IKE Crypto Profile Select an existing profile or keep the default profile.
Dead Peer Detection Select the check box to enable and enter an interval (2 - 100 seconds) and
delay before retrying (2 - 100 seconds). Dead peer detection (RFC 3706)
identifies inactive or unavailable IKE peers by exchanging IKE notification
messages (R-U-THERE / R-U-THERE-ACK) over the Phase 1 SA rather than
ICMP ping, so it still works where ICMP is filtered. It lets the firewall
reclaim the SAs and other resources held for a peer that has gone away.
Note: When a device is set to use the auto exchange mode, it can accept both main
mode and aggressive mode negotiation requests; however, whenever possible, it
initiates negotiation and allows exchanges in main mode.
You must configure the peer device with the matching exchange mode to allow it to
accept negotiation requests initiated from the first device.
Use the IKE Crypto Profiles page to specify protocols and algorithms for identification,
authentication, and encryption in VPN tunnels based on IPSec SA negotiation (IKEv1
Phase-1). Refer to “About Virtual Private Networks” on page 190 for more information.
To create a new configuration, click New and specify the following information. To change
the ordering in which an algorithm or group is listed, click the icon. The ordering
determines the first choice when settings are negotiated with a remote peer. The setting at the
top of the list is attempted first, continuing down the list until an attempt is successful.
Use the IPSec Crypto Profiles page to specify protocols and algorithms for identification,
authentication, and encryption in VPN tunnels based on IPSec SA negotiation (IKEv1
Phase-2). Refer to “About Virtual Private Networks” on page 190 for more information.
To create a new configuration, click New and specify the following information.
To change the order in which an algorithm or group is listed, click the icon. The listed
order determines the order in which the algorithms are proposed to the peer and can affect
tunnel performance.
Use the IPSec Tunnels page to set up the parameters to establish IPSec VPN tunnels between
firewalls.
To create a new configuration, click New and specify the following information.
Note: The following advanced fields are displayed if you select the Dynamic check box to configure a
dynamic endpoint or click the Show Advanced Options link. After configuring the basic settings, we
recommend that you open the advanced settings and select the previously-configured IPSec and IKE
crypto profiles.
Local Identification Choose from the following types and enter the value: Fully qualified
domain name (FQDN), key ID, or user FQDN.
Peer Identification Choose from the following types and enter the value: Fully qualified
domain name (FQDN), key ID, or user FQDN (for the dynamic option)
Exchange Mode Choose one of the following modes:
• main—Specifies multiple two-way exchanges between the initiator and
the receiver; peer identities are exchanged only after the channel is
encrypted.
• aggressive—Specifies fewer exchanges than main mode. In this mode,
both sides exchange identities and authentication data before the
channel is secured, so the peer ID travels in clear text and, with a
pre-shared key, an eavesdropper can attempt offline guessing of the
key. Prefer main mode unless the peer requires aggressive mode.
• auto—Allows the firewall to connect to other machines that are
configured to run in either main mode or aggressive mode.
As an initiator, the firewall will select aggressive mode if the local ID is
configured to be anything other than the firewall’s IP address. Main
mode will be used if the local ID is the firewall’s IP address.
IKE Crypto Profile Select an existing profile or keep the default profile. To define a new
profile, click New and follow the instructions in “Defining IKE Crypto
Profiles” on page 195.
Dead Peer Detection Select the check box to enable and enter an interval (2 - 100 sec) and delay
before retrying (2 - 100 sec). Dead peer detection (RFC 3706) identifies
inactive or unavailable IKE peers by exchanging IKE notification messages
(R-U-THERE / R-U-THERE-ACK) over the Phase 1 SA rather than ICMP ping,
and lets the firewall reclaim the SAs and other resources held for a peer
that has gone away.
IPSec Crypto Profile Select an existing profile or keep the default profile. To define a new
profile, click New and follow the instructions in “Defining IPSec Crypto
Profiles” on page 195.
Local Proxy ID Enter an IP address or subnet in the format ip_address/mask (for
example, 10.1.2.1/24).
Remote Proxy ID If required by the peer, enter an IP address or subnet in the format
ip_address/mask (for example, 10.1.1.1/24).
• Pre-shared keys may be entered incorrectly on one of the devices. Pre-shared keys must
always match.
• Phase 1 negotiation mode (aggressive/main) may not match on the devices. The
negotiation mode must always match.
• Perfect forward secrecy may be enabled on only one side. It must be enabled on both
sides.
• If the dynamic routing protocols advertise routes to public IP addresses through the IPSec
tunnel, the device establishing the tunnel may attempt phase 1 negotiation with the
destination set to the public IP rather than the endpoint of the IPSec tunnel. As a result,
the connection is never created and routing fails. To address this problem, ensure that
only private IP addresses are routed through the tunnel and that no routes to public IP
addresses or default routes in the routing table point to the tunnel.
• A Proxy ID may be improperly entered for the device at the far end of the IPSec tunnel.
This can occur because some vendors generate a default Proxy ID for IPSec
communications that is not easily identified by the end user.
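The following Python example is added here as a mechanical version of the checklist above; it is not part of the administrator's guide or of the firewall software. It compares the two ends of a tunnel and reports the mismatches that keep a tunnel from coming up (pre-shared key, phase 1 exchange mode after the "auto" rule is applied, perfect forward secrecy, peer addresses and IDs, and proxy IDs, which must mirror each other: one side's local proxy ID is the other side's remote proxy ID). It also flags aggressive mode with a pre-shared key as weak. The PeerConfig fields, the example pre-shared key and the hostname branch.example.com are assumptions; the addresses and prefixes are the ones used in the headquarters / branch example in this chapter.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PeerConfig:
    """The subset of IKE gateway / IPSec tunnel settings that must agree between peers."""
    name: str
    local_address: str                # IP of the outgoing (public) interface
    peer_address: Optional[str]       # None for a dynamic peer
    pre_shared_key: str
    exchange_mode: str                # "main", "aggressive" or "auto"
    local_id: Optional[str] = None    # FQDN / key ID / user FQDN; None = interface IP
    peer_id: Optional[str] = None
    pfs: bool = False                 # perfect forward secrecy on the Phase 2 SA
    local_proxy_id: Optional[str] = None
    remote_proxy_id: Optional[str] = None


def effective_exchange_mode(cfg: PeerConfig) -> str:
    """Resolve 'auto' with the rule from the guide: as initiator the firewall uses
    aggressive mode when the local ID is anything other than its own IP address."""
    if cfg.exchange_mode != "auto":
        return cfg.exchange_mode
    if cfg.local_id is None or cfg.local_id == cfg.local_address:
        return "main"
    return "aggressive"


def _same_prefix(a: Optional[str], b: Optional[str]) -> bool:
    """Proxy IDs compare as prefixes; 'empty on both sides' also counts as a match."""
    if a is None or b is None:
        return a is None and b is None
    return ipaddress.ip_network(a, strict=False) == ipaddress.ip_network(b, strict=False)


def check_peers(a: PeerConfig, b: PeerConfig) -> List[str]:
    """Return every mismatch that would prevent the tunnel between a and b from coming up."""
    problems = []
    if a.pre_shared_key != b.pre_shared_key:
        problems.append("pre-shared keys differ")
    ma, mb = effective_exchange_mode(a), effective_exchange_mode(b)
    if ma != mb:
        problems.append(f"phase 1 exchange mode differs: {a.name}={ma}, {b.name}={mb}")
    if a.pfs != b.pfs:
        problems.append("perfect forward secrecy enabled on only one side")
    for x, y in ((a, b), (b, a)):
        # A static peer-address must be the other side's local address ...
        if x.peer_address is not None and x.peer_address != y.local_address:
            problems.append(f"{x.name} peer-address {x.peer_address} is not {y.name}'s local address")
        # ... the ID each side expects must be the ID the other side presents ...
        if x.peer_id != y.local_id:
            problems.append(f"{x.name} peer-id {x.peer_id!r} != {y.name} local-id {y.local_id!r}")
        # ... and proxy IDs are mirrored: my local proxy ID is the peer's remote proxy ID.
        if not _same_prefix(x.local_proxy_id, y.remote_proxy_id):
            problems.append(f"{x.name} local proxy-id {x.local_proxy_id} != "
                            f"{y.name} remote proxy-id {y.remote_proxy_id}")
    return problems


def security_warnings(cfg: PeerConfig) -> List[str]:
    """Settings that are consistent with the peer but weak."""
    warnings = []
    if effective_exchange_mode(cfg) == "aggressive":
        warnings.append(f"{cfg.name}: aggressive mode sends the identity in clear text and, with "
                        "pre-shared keys, lets an eavesdropper attempt offline guessing of the key")
    return warnings


# Constructed configs for the headquarters / branch topology described in this chapter.
HQ = PeerConfig("branch-1-gw", "61.1.1.1", "202.101.1.1", "s3cret", "auto",
                local_proxy_id="10.100.0.0/16", remote_proxy_id="192.168.20.0/24")
BRANCH = PeerConfig("central-gw", "202.101.1.1", "61.1.1.1", "s3cret", "auto",
                    local_proxy_id="192.168.20.0/24", remote_proxy_id="10.100.0.0/16")
# The same branch with several of the mistakes from the checklist above.
BRANCH_MISCONFIGURED = PeerConfig("central-gw", "202.101.1.1", "61.1.1.1", "s3cret", "auto",
                                  local_id="branch.example.com", pfs=True,
                                  local_proxy_id="192.168.20.0/24", remote_proxy_id="10.100.0.0/24")
```

check_peers(HQ, BRANCH) returns an empty list, while check_peers(HQ, BRANCH_MISCONFIGURED) reports four problems: the branch now negotiates aggressive mode because its local ID is an FQDN, PFS is on only at the branch, headquarters expects an empty peer ID but the branch presents an FQDN, and the branch's remote proxy ID has the wrong mask.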
A tunnel monitor profile specifies how the firewall monitors IPSec tunnels and the actions
that are taken if the tunnel is not available. Tunnel monitor profiles are optional, but can be
useful, for example, if you want to be able to provide failover in the event of tunnel failure.
After creating a tunnel monitor profile, you can select it in the advanced options section of the
IPSec configuration page. The firewall then monitors the specified IP address through the
tunnel to determine if the tunnel is working properly.
To create a new configuration, click New and specify the following information.
To view the status of currently defined IPSec VPN tunnels, open the IPSec Tunnels page
(Figure 43).
• IKE Gateway Status—Green indicates a valid IKE phase-1 SA. Red indicates that IKE
phase-1 SA is not available or has expired.
• Tunnel Interface Status—Green indicates that the tunnel interface is up (because tunnel
monitor is disabled, or because tunnel monitor status is UP). Red indicates that the tunnel
interface is down, because the tunnel monitor is enabled and the status is down.
Existing Topology
Headquarters:
• Firewall public IP 61.1.1.1, on interface ethernet1/1, which is in zone “ISP”, virtual-router
“public”
Branch office:
• Firewall public IP is 202.101.1.1, on interface ethernet1/2, which is in zone “ISP-branch”,
virtual-router “branch”
• Security policy to allow traffic from zone “branch-office” to zone “ISP-branch” for
internet access from the PC network
New Topology
Headquarters:
• Create a new security zone “branch-vpn.”
• Add a tunnel interface tunnel.1 to zone “branch-vpn” and assign it an IP address from a
private range. The example uses 172.254.254.1/24; note that 172.254.0.0/16 lies outside
the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), so in production take
the tunnel subnet from one of those.
• Add a static route to direct traffic to 192.168.20.0/24 (the branch office network) to the
tunnel interface tunnel.1 and next hop 172.254.254.20 (the branch office tunnel interface
IP).
• Add a security policy to allow traffic from zone “branch-vpn” to zone “server.”
Branch office:
– Create a new security zone “central-vpn.”
– Add a tunnel interface tunnel.2 to zone “central-vpn” and assign it an IP address
from the same private range as the headquarters tunnel interface (for example,
172.254.254.20/24).
– Add a static route to direct traffic to 10.100.0.0/16 (the server farm network) to the
tunnel interface tunnel.2 and next-hop 172.254.254.1 (the headquarter tunnel interface
IP).
– Add a security policy to allow traffic from zone “branch” to zone “central-vpn.”
– Local-address: ethernet1/1
– ike-gateway-profile: “branch-1-gw”
• On servers in the server farm, check the routing table and verify that the destination
192.168.20.0/24 is reachable through 10.100.0.1.
Branch office:
• Create an IKE gateway “central-gw” with these parameters:
– Peer-address: 61.1.1.1
– Local-address: ethernet1/2
Configuration Notes:
• If 202.101.1.1 is set as the peer-address parameter in “branch-1-gw” on the central site,
setting the local-id and peer-id parameters becomes unnecessary (the field can be left
empty). Note that treatment of these two parameters must be the same, because these two
fields are matched during IKE negotiation.
• The proxy-id can also be left empty on both sides (proxy-id is also matched during IKE
negotiation).
After configuring the parameters and committing the configuration, the new VPN should
work. If connectivity issues arise, refer to “VPN Connectivity Troubleshooting” in the next
section.
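The following Python example is added to illustrate the route-based VPN behaviour described in this chapter and in “About Virtual Private Networks”; it is not part of the administrator's guide or of the firewall software. It models the headquarters side of the topology above (interfaces, zones, the virtual router's static routes and the security policy) and walks a packet through it: a longest-prefix route lookup picks the egress interface, the ingress and egress interfaces give the zone pair for the policy lookup, and a packet routed to the tunnel interface is encapsulated with an outer header from the firewall's public interface to the peer. The default-deny behaviour, the ISP next hop 61.1.1.254 and the use of ethernet1/5 as the server-farm interface are assumptions for the example.

```python
import ipaddress

# Constructed model of the headquarters firewall in the "New Topology" above.
INTERFACE_ZONE = {
    "ethernet1/1": "ISP",         # public interface, 61.1.1.1
    "ethernet1/5": "server",      # server farm 10.100.0.0/16 (assumed interface)
    "tunnel.1": "branch-vpn",     # tunnel interface 172.254.254.1/24
}

# Static routes of virtual router "public": (destination prefix, egress interface, next hop)
ROUTES = [
    ("10.100.0.0/16", "ethernet1/5", None),             # server farm, directly connected
    ("192.168.20.0/24", "tunnel.1", "172.254.254.20"),  # branch network via the tunnel
    ("172.254.254.0/24", "tunnel.1", None),             # tunnel interface subnet
    ("0.0.0.0/0", "ethernet1/1", "61.1.1.254"),         # default route (assumed next hop)
]

# IPSec tunnel bound to each tunnel interface and the peer it terminates on.
TUNNELS = {"tunnel.1": {"name": "branch-1-vpn", "peer": "202.101.1.1"}}
PUBLIC_ADDRESS = "61.1.1.1"

# Security policy: (source zone, destination zone, action); first match wins and
# anything unmatched is dropped (assumed default-deny, as the note in the text warns).
POLICY = [
    ("branch-vpn", "server", "allow"),
    ("server", "branch-vpn", "allow"),
    ("server", "ISP", "allow"),
]


def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns (network, egress, next hop) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nexthop in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    return best


def forward(src, dst, ingress_iface):
    """Decide what the firewall does with a clear-text packet arriving on ingress_iface."""
    route = lookup_route(dst)
    if route is None:
        return {"verdict": "drop", "reason": "no route", "encrypted": False}
    _net, egress, _nexthop = route
    src_zone = INTERFACE_ZONE[ingress_iface]
    dst_zone = INTERFACE_ZONE[egress]       # zone comes from the egress interface
    verdict = "drop"
    for s, d, action in POLICY:
        if s == src_zone and d == dst_zone:
            verdict = action
            break
    result = {"verdict": verdict, "src_zone": src_zone, "dst_zone": dst_zone,
              "egress": egress, "encrypted": False}
    if verdict == "allow" and egress in TUNNELS:
        # Route-based VPN: the routing decision alone selected the tunnel. The whole
        # packet is wrapped in a new IP header from the public interface to the peer.
        tunnel = TUNNELS[egress]
        result["encrypted"] = True
        result["ipsec_tunnel"] = tunnel["name"]
        result["outer_header"] = (PUBLIC_ADDRESS, tunnel["peer"])
    return result
```

Calling forward("10.100.0.7", "192.168.20.5", "ethernet1/5") selects tunnel.1, evaluates the server to branch-vpn rule and encrypts the packet to 202.101.1.1, while forward("192.168.20.5", "8.8.8.8", "tunnel.1") is dropped because no rule covers branch-vpn to ISP: the tunnel itself does not bypass policy.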
2. Use the ping utility to verify connectivity between the central and branch offices
(202.101.1.1 and 61.1.1.1).
3. Use the ping utility to verify connectivity between the server farm and the central firewall
(ethernet1/5).
4. Use the ping utility to verify connectivity between the branch network and the branch
firewall interface (ethernet1/10).
5. On the branch-office site, use the CLI commands test vpn ike-sa gateway central-gw and
show vpn ike-sa gateway central-gw to verify that IKE phase-1 SA can be created from
the branch office.
6. On the central site, use the CLI command show vpn ike-sa gateway branch-1-gw to
verify that IKE phase-1 SA can be created from the branch office.
7. On the branch office site, use the CLI command test vpn ipsec-sa tunnel central-vpn and
show vpn ipsec-sa tunnel central-vpn to verify that IKE phase-2 SA can be created from
the branch office.
8. On the central site, use the CLI command show vpn ipsec-sa tunnel branch-1-vpn to
verify that IKE phase-2 SA can be created from the branch office.
9. Check the server routing table in the server farm. The destination 192.168.20.0/24 must be
reachable through the central firewall’s ethernet1/5 interface IP address.
10. To check the route setting, run the traceroute command from any PC in the branch office
network, where the destination is one of servers in the server farm.
11. Run the ping utility from any PC in the branch office network, where the destination is
one of servers in the server farm. Check the encryption and decryption counters shown in
the output of the show vpn flow CLI command. Verify that these counters are
incrementing and that none of the error counters are incrementing.
12. Examine the detailed error messages for IKE negotiation in the syslog or use the
debug ike pcap command to capture IKE packets in PCAP format.
This chapter describes how to configure virtual private networks (VPNs) using Secure Sockets
Layer (SSL).
• “About SSL VPNs” in the next section
• “Downloading and Activating the NetConnect SSL VPN Client” on page 209
Note: Refer to “Configuring IPSec Tunnels” on page 189 for general information
on VPNs as well as information on IPSec VPNs.
Note: Refer to “About Virtual Private Networks” on page 190 for information on
setting up VPNs to connect Palo Alto Networks firewalls at central and remote
sites or to connect Palo Alto Networks firewalls with third-party security devices
at other locations.
2. A login page opens and the user is prompted to enter a username and password.
3. After the user is successfully authenticated, the user can click the Start button to
download the thin VPN client and install it on the user's computer.
4. When the download is complete, the SSL VPN client automatically establishes a VPN
tunnel connection. If possible, the tunnel will be established using IPSec; if this is not
possible, the tunnel is established using SSL.
5. The tunnel is now established. Traffic is controlled at the gateway by user and application
based on the established security policies. If split tunneling is enabled on the client, only
the traffic bound for the network behind the gateway is sent through the firewall. All
other traffic is sent directly to the Internet.
6. At the end of the session, the user can log off from the client, or simply shut down and let
the VPN agent time out.
2. The login page opens and the user is prompted to enter a username and password to
authenticate successfully.
3. The tunnel is now established. Traffic is controlled at the gateway by user and application
based on the established security policies. If split tunneling is enabled on the client, only
the traffic bound for the network behind the gateway is sent through the firewall. All
other traffic is sent directly to the Internet.
4. At the end of the session, the user can log off from the client, or simply shut down and let
the VPN agent time out.
2. Install or generate a self-signed security certificate for the SSL VPN client, as described in
“Importing, Exporting and Generating Security Certificates” on page 77.
3. Download and activate the SSL VPN client on the client PC, as described in
“Downloading and Activating the NetConnect SSL VPN Client” on page 209.
5. Identify the users that are allowed to access the VPN, as described in “Creating a Local
User Database” on page 210.
6. (Optional) Customize the response pages that users will see when using the VPN, as
described in “Defining Custom Response Pages” on page 74.
7. Set up security policies for traffic flowing between the SSL VPN zone and other security
zones, as described in “About Security Policies” on page 122.
The settings on the SSL VPN tab control the firewall configuration. The settings on the Client
Configuration tab are pushed to the user’s computer to provide information on how to
connect to the network. To change an entry, click the link for the entry.
Primary DNS Enter the IP addresses of the primary and secondary Domain Name
Secondary DNS Service (DNS) servers that will be used on the clients.
Primary WINS Enter the IP addresses of the primary and secondary Windows Name
Secondary WINS Service (WINS) servers that will be used on the clients.
DNS Suffix Click Add to enter a suffix that the client should use locally when an
unqualified hostname is entered that it cannot resolve.
Suffixes are used in the order in which they are listed. To change the order
in which a suffix is listed, select an entry and click the Move Up and Move
Down buttons. To delete an entry, select it and click Remove.
IP Pool - Subnet/Range Use this section to create a range of IP addresses to assign to remote users.
When the tunnel is established, an interface is created on the remote user’s
computer with an address in this range.
Note: The IP pool must be large enough to support all concurrent connections.
IP address assignment is dynamic and not retained after the user disconnects.
Configuring multiple ranges from different subnets will allow the system to offer
clients an IP address that does not conflict with other interfaces on the client.
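The following Python example is added to show the pool behaviour described in this note; it is not part of the administrator's guide or of the firewall software. The allocator hands out host addresses from one or more configured ranges, skips any range that overlaps a subnet already in use on the connecting client, releases the address when the client disconnects, and raises an error when the pool is exhausted, which is the case the note warns about. The class and method names, the client identifiers and the pool ranges are assumptions for the example.

```python
import ipaddress


class PoolExhausted(Exception):
    """No free address is left for a new client: the pool is too small."""


class VpnAddressPool:
    """Dynamic address assignment for remote clients from one or more ranges."""

    def __init__(self, ranges):
        self.ranges = [ipaddress.ip_network(r) for r in ranges]
        self.in_use = {}  # assigned address -> client identifier

    def assign(self, client, client_local_subnets=()):
        """Pick the first free host address in a range that does not overlap any
        subnet the client already has on a local interface."""
        local = [ipaddress.ip_network(s, strict=False) for s in client_local_subnets]
        for net in self.ranges:
            if any(net.overlaps(subnet) for subnet in local):
                continue  # would collide with an interface on the client; try next range
            for addr in net.hosts():  # skips the network and broadcast addresses
                if addr not in self.in_use:
                    self.in_use[addr] = client
                    return str(addr)
        raise PoolExhausted(f"no free address for {client}; enlarge the IP pool")

    def release(self, client):
        """Assignment is not retained after disconnect: free everything held by client."""
        for addr, owner in list(self.in_use.items()):
            if owner == client:
                del self.in_use[addr]

    def free_count(self):
        return sum(len(list(n.hosts())) for n in self.ranges) - len(self.in_use)
```

With a pool of 192.168.50.0/30 and 10.200.0.0/29, a client whose home LAN is 192.168.50.0/24 is steered to the second range, later clients take the first, and a released address is reused by the next connection.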
The SSL VPN Client page lists the available SSL VPN client releases. When the client
connects, the system checks the NetConnect version and installs the currently activated
version if it is different from the version that is on the client.
Note: For initial download and installation of the SSL VPN client, the user on the
client system must be logged in with administrator rights. For subsequent
upgrades of the SSL VPN client application, administrator rights are not required.
2. To activate a downloaded release, click the Activate link for the release. If an existing
version of the SSL VPN client software has already been downloaded and activated, a
pop-up message is displayed to indicate that the new version will be downloaded the
next time that the clients connect. Click OK to continue or Cancel to cancel the request.
3. To activate the SSL VPN client that was previously uploaded by way of the Upload
button, click the Activate from File button. A pop-up window opens. Select the file from
the drop-down list and click OK.
4. To remove a downloaded release of the SSL VPN client software from the firewall, click
the Remove icon in the rightmost column. Click Yes to confirm.
Use the Local Users page to add user information. Click New and configure the following
settings. To change an entry, click the link for the entry.
Use the Local User Groups page to add user group information. Click New and configure the
following settings. To change an entry, click the link for the entry.
This chapter describes how to configure quality of service (QoS) on the firewall:
• “About Firewall Support for QoS” in the next section
• For each interface, you can define QoS profiles that determine how the QoS traffic classes
are treated. You can set overall limits on bandwidth regardless of class and also set limits
for individual classes. You can also assign priorities to different classes. Priorities
determine how traffic is treated when contention occurs. Refer to “Defining QoS Profiles”
on page 214.
• On the QoS Policies page (Policies tab), you can configure the policies to activate the QoS
restrictions. Refer to “Defining QoS Policies” on page 215.
• Because traffic not marked by QoS defaults to Class 4, define Class 4 with a maximum
guaranteed bandwidth and give it a higher priority than other classes.
• Each firewall model supports a maximum number of ports that can be configured with
QoS:
– PA-4060: 6 ports
– PA-4050: 12 ports
– PA-4020: 12 ports
– PA-2050: 6 ports
– PA-500: 6 ports
Use the QoS page to configure QoS settings for firewall interfaces. Click New and specify the
following information.
To override the default profile for a specific tunnel, click the Tunneled
Traffic tab, click Add, and then click individual entries to configure the
following settings:
• Tunnel Interface—Select the tunnel interface on the firewall.
• QoS Profile—Select the QoS profile to apply to the specified tunnel
interface.
To remove a clear text or tunneled traffic entry, select the check box for
the entry and click Remove.
For each interface, you can define QoS profiles that determine how the QoS traffic classes are
treated. You can set overall limits on bandwidth regardless of class and also set limits for
individual classes. You can also assign priorities to different classes. Priorities determine how
traffic is treated in the presence of contention.
Note: Refer to “Configuring QoS for Firewall Interfaces” on page 212 for
information on configuring firewall interfaces for QoS and refer to “Defining QoS
Policies” on page 215 to configure the policies that will activate the QoS
restrictions.
To add a new profile, click New and specify the following information.
The QoS policy determines how traffic is classified for treatment when it passes through an
interface with QoS enabled. For each rule, you specify one of eight classes. You can also assign
a schedule to specify which rule is active. Unclassified traffic is automatically assigned to class
4.
Note: Refer to “Configuring QoS for Firewall Interfaces” on page 212 for
information on configuring firewall interfaces for QoS and refer to “Defining QoS
Profiles” on page 214 for information on configuring classes of service.
To view just the rules for a specific virtual system, select the system from the Virtual System
drop-down list and click Go. To apply a filter to the list, select from the Filter Rules drop-
down list. To view just the rules for specific zones, select a zone from the Source Zone and/or
Destination Zone drop-down lists, and click Filter by Zone.
Note: Shared policies pushed from Panorama are shown in green and cannot be
edited at the device level.
• Right-click on the number of a rule you want to copy, and select Clone Rule, or select a
rule by clicking the white space of the rule, and select Clone Rule at the bottom of the
page (a selected rule has a yellow background). The copied rule is inserted below the
selected rule, and the subsequent rules are renumbered.
To configure a rule, click the entry in the table that you want to configure and specify changes,
as described in the following table.
The table on the QoS Policies page indicates when QoS is enabled, and includes a link to
display QoS statistics. An example is shown in the following figure.
The left panel shows the QoS tree table, and the right panel shows data in the following tabs:
• QoS Bandwidth—Shows the real time bandwidth charts for the selected node and
classes. The information is updated every two seconds.
• Session Browser—Lists the active sessions of the selected node and/or class.
• Application View—Lists all active applications for the selected QoS node and/or class.
This chapter describes how to install the Panorama centralized management system (CMS):
• “Installing Panorama” in the next section
Note: Refer to “Central Management of Devices” on page 223 for information on using
Panorama.
Installing Panorama
Follow these instructions to install Panorama on a Windows system.
To install Panorama on a Windows system:
1. If you do not already have VMware installed on the designated Panorama server,
download and install VMware Player or VMware Server from
http://www.vmware.com/download.
2. Insert the CD and copy the Panorama Appliance directory from the CD to the server.
5. Select File > Open within VMware and browse to the Panorama Appliance directory that
was copied to the server.
8. If you want to use less than 1G of memory for the guest OS that runs Panorama, select
Edit virtual machine settings and adjust the amount of memory under the Memory
device.
10. A pop-up window opens for creating a new ID. Verify that Create a new identifier is
checked and click OK.
The Panorama system boots and displays the login prompt.
11. Log in using the default login admin and password admin.
7. Enter settings for the new virtual disk and click Next.
A new SCSI disk appears in the list of devices for the virtual machine.
On the first start after adding the new disk, Panorama will initialize the new disk for use. This
process takes several minutes. When the system starts with the new disk, any existing logs on
the default disk are moved to the new disk, and all future logs are written to the new disk. If
the virtual disk is removed, Panorama sends logs back to the default internal 10GB disk.
3. Enter the following commands to assign and commit the network configuration for the
server:
username@hostname# set deviceconfig system ip-address <Panorama IP address> netmask <netmask> default-gateway <gateway IP address>
username@hostname# commit
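The three values in the set command above must describe one consistent subnet, or the freshly installed Panorama server is unreachable after the commit. The following Python helper is an added example, not code from the guide or from Palo Alto Networks: it validates an ip-address, netmask and default-gateway triple with the standard library ipaddress module and renders the two configuration-mode commands. The function names and the sample addresses (RFC 5737 documentation ranges) are this example's own.

```python
"""
Sanity-check Panorama management-interface settings before committing
`set deviceconfig system ip-address ... netmask ... default-gateway ...`.
Added example, not from the Palo Alto Networks guide; the checks and the
function names are this example's own.
"""
import ipaddress


def validate_mgmt_settings(ip_address: str, netmask: str, gateway: str) -> list:
    """Return a list of problems (empty when the triple is consistent).

    Covers the mistakes that most often leave a new Panorama unreachable:
    a non-contiguous netmask, a host address that is really the network or
    broadcast address, a gateway outside the configured subnet, and a
    gateway equal to the host address itself.
    """
    problems = []
    try:
        host = ipaddress.IPv4Address(ip_address)
    except ValueError:
        return [f"ip-address {ip_address!r} is not a valid IPv4 address"]
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        return [f"default-gateway {gateway!r} is not a valid IPv4 address"]
    try:
        # strict=False lets a host address plus mask describe its subnet
        network = ipaddress.IPv4Network(f"{ip_address}/{netmask}", strict=False)
    except ValueError:
        # ipaddress rejects non-contiguous masks such as 255.255.0.255
        return [f"netmask {netmask!r} is not a valid contiguous netmask"]

    if network.prefixlen < 31 and host in (network.network_address,
                                            network.broadcast_address):
        problems.append(
            f"ip-address {host} is the network or broadcast address of {network}")
    if gw not in network:
        problems.append(f"default-gateway {gw} is outside {network}")
    if gw == host:
        problems.append("default-gateway must not equal the ip-address")
    return problems


def render_cli(ip_address: str, netmask: str, gateway: str) -> str:
    """Render the two configuration-mode commands from the guide, or raise."""
    problems = validate_mgmt_settings(ip_address, netmask, gateway)
    if problems:
        raise ValueError("; ".join(problems))
    return (
        f"set deviceconfig system ip-address {ip_address} "
        f"netmask {netmask} default-gateway {gateway}\n"
        "commit"
    )


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation range), not real hosts.
    print(render_cli("192.0.2.10", "255.255.255.0", "192.0.2.1"))
    print(validate_mgmt_settings("192.0.2.10", "255.255.255.0", "198.51.100.1"))
```

Run the check on the values you intend to type at the prompt; an empty list means the commit will leave the management interface reachable from the gateway's side of the subnet.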
The browser automatically opens the Palo Alto Networks login page.
2. Enter admin in both the Name and Password fields, and click Login.
5. Enter a new password (case-sensitive, up to 15 characters) in the New Password field and
re-enter the password in the Confirm New Password field.
6. Click OK.
9. Verify that each managed device has the IP address of the Panorama server configured.
Refer to “Defining the Host Name and Network Settings” on page 66.
This chapter describes how to use the Panorama centralized management system (CMS) to
manage multiple firewalls:
• “Accessing the Panorama Interface” in the next section
The browser automatically opens the Palo Alto Networks login page.
2. Use the Panorama interface to add the devices. Refer to “Adding Devices” on page 227.
You can access all of the Panorama tabs whether or not devices are connected to the Panorama
server; however, you can only view device information on devices that are connected.
Panorama Tab
The Panorama tab is similar to the interface for the firewall and includes the pages described
in the following table. To access a page, click the page name link on the left pane.
Adding Devices
Panorama > Managed Devices
The Managed Devices page allows you to create a list of devices for centralized management.
Note: The Panorama server communicates with managed devices via SSL through
TCP port 3978.
To add devices:
1. Under the Panorama tab, click Managed Devices to open the Managed Devices page.
2. To group the devices according to device or device group, select from the Group by
drop-down list.
4. Enter the serial number of the device to be added, and click Add.
6. Click OK. The window closes and the Managed Devices page refreshes to show the
newly added devices.
7. To commit all shared policies to a device, click the icon in the Commit All column.
The devices initiate the connection with Panorama. When a communication link is
established, the host name and IP address are automatically added to the list, and the
Connected column indicates that the device is connected. The shared policies are pushed
to the device and committed. The currently running configuration on the device is
overridden.
8. To delete a device:
You can define device groups, which are treated as a single unit when applying policies in
Panorama. This page lists the device groups along with the following information.
To add a new device group, click New and specify the following information.
You can specify the access and responsibilities that should be assigned to administrative
users.
To define administrator roles click New and specify the following information.
Use the Access Domain page to specify the domains for administrator access to devices and
device groups. Click New and specify the following information.
To upgrade to a new release of Panorama software, you can view the latest versions of the
Panorama software available from Palo Alto Networks, read the release notes for each
version, and then select the release you want to download and install (a support license is
required).
To upgrade the Panorama software, click Refresh to view the latest software releases
available from Palo Alto Networks. To view a description of the changes in a release, click
Release Notes next to the release.
1. To install a new release:
a. Click Download next to the release to be installed. When the download is complete, a
checkmark is displayed in the Downloaded column.
Panorama automatically saves every committed configuration from the managed firewalls. You
can configure the number of versions to keep on the Panorama device by using the
Management settings under Setup on the Panorama tab. The default is 100. For instructions
on configuring the number of versions, refer to “Defining the Host Name and Network
Settings” on page 66.
To manage backups on Panorama, click Manage in the Backups column for a device. A
window opens to show the saved and committed configurations for the device.
Click Load to restore the selected configuration to the device. To remove a saved
configuration, click the icon next to it.
Note: For information on importing and exporting custom response pages, refer to
“Defining Custom Response Pages” on page 74.
<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<meta name=Generator content="Microsoft Word 11 (filtered)">
<title>This is a test</title>
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Microsoft Sans Serif";
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
h4
{margin-top:12.0pt;
margin-right:0in;
margin-bottom:3.0pt;
margin-left:0in;
page-break-after:avoid;
font-size:14.0pt;
font-family:"Times New Roman";}
p.SanSerifName, li.SanSerifName, div.SanSerifName
{margin:0in;
margin-bottom:.0001pt;
text-autospace:none;
font-size:10.0pt;
font-family:"Microsoft Sans Serif";
font-weight:bold;}
p.BoldNormal, li.BoldNormal, div.BoldNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";
font-weight:bold;}
</head>
<body lang=EN-US>
<div class=Section1>
</div>
</body>
</html>
<pan_form/>
<hr>
<p id="continueText">If you feel this page has been incorrectly blocked, you
may click Continue to proceed to the page. However, this action will be
logged.</p>
<div id="formdiv">
<pan_form/>
</div>
<a href="#" onclick="history.back();return false;">Return to previous page</a>
</div>
</body>
</html>
</style>
</HEAD>
<BODY bgcolor="#F2F6FA">
<table style="background-color: white; width:100%; height:45px; border-bottom: 2px solid #888888;">
<tr style="background-image:url(/images/logo_pan_158.gif);
background-repeat: no-repeat">
<td align="left"> </td>
</tr>
</table>
<div align="center">
<h1>Palo Alto Networks - SSL VPN Portal</h1>
</div>
<div id="formdiv">
<pan_form/>
</div>
</BODY>
</HTML>
<head>
<title>Certificate Error</title>
<style>
#content{border:3px solid #aaa;background-color:#fff;margin:40;padding:40;font-family:Tahoma,Helvetica,Arial,sans-serif;font-size:12px;}
h1{font-size:20px;font-weight:bold;color:#196390;}
b{font-weight:bold;color:#196390;}
</style>
</head>
<body bgcolor="#e7e8e9">
<div id="content">
<h1>Certificate Error</h1>
<p>There is an issue with the SSL certificate of the server you are trying to
contact.</p>
</div>
</body>
</html>
– auth-service
– database
– erp-crm
– general-business
– infrastructure
– management
– office-program
– software-update
– storage-backup
• collaboration
– instant-messaging
– internet-conferencing
– internet-utility
– social-networking
– voip-video
– web-posting
• general-internet
– file-sharing
– internet-utility
• media
– audio-streaming
– gaming
– photo-video
• networking
– audio-streaming
– encrypted-tunnel
– infrastructure
– ip-protocol
– proxy
– remote-access
– routing
• unknown
Application Technologies
The following application technologies are supported.
Application Characteristics
The following application characteristics are supported.
• Accounts are locked after the number of failed attempts that is configured on the
Device > Setup > Management page. If the firewall is not in FIPS mode, it can be
configured so that it never locks out; in FIPS mode, however, a lockout time is required.
• The firewall automatically determines the appropriate level of self-testing and enforces
the appropriate level of strength in encryption algorithms and cipher suites.
• Traffic that uses non-FIPS-approved algorithms is not decrypted and is thus ignored
during SSL decryption.
• When configuring IPSec, a subset of the normally available cipher suites is available.
• Self-generated and imported certificates must contain public keys that are 2048 bits (or
more).
Some components of this product may be covered under one or more of the open source
licenses listed in this appendix:
• “Artistic License” on page 246
Artistic License
This document is freely plagiarised from the 'Artistic Licence', distributed as part of the Perl
v4.0 kit by Larry Wall, which is available from most major archive sites
This documents purpose is to state the conditions under which these Packages (See definition
below) viz: "Crack", the Unix Password Cracker, and "CrackLib", the Unix Password Checking
library, which are held in copyright by Alec David Edward Muffett, may be copied, such that
the copyright holder maintains some semblance of artistic control over the development of the
packages, while giving the users of the package the right to use and distribute the Package in
a more-or-less customary fashion, plus the right to make reasonable modifications.
Definitions:
A "Package" refers to the collection of files distributed by the Copyright Holder, and
derivatives of that collection of files created through textual modification, or segments thereof.
"Standard Version" refers to such a Package if it has not been modified, or has been modified
in accordance with the wishes of the Copyright Holder.
"Copyright Holder" is whoever is named in the copyright or copyrights for the package.
"You" is you, if you're thinking about copying or distributing this Package.
"Reasonable copying fee" is whatever you can justify on the basis of media cost, duplication
charges, time of people involved, and so on. (You will not be required to justify it to the
Copyright Holder, but only to the computing community at large as a market that must bear
the fee.)
"Freely Available" means that no fee is charged for the item itself, though there may be fees
involved in handling the item. It also means that recipients of the item may redistribute it
under the same conditions they received it.
1. You may make and give away verbatim copies of the source form of the Standard Version
of this Package without restriction, provided that you duplicate all of the original copyright
notices and associated disclaimers.
2. You may apply bug fixes, portability fixes and other modifications derived from the Public
Domain or from the Copyright Holder. A Package modified in such a way shall still be
considered the Standard Version.
3. You may otherwise modify your copy of this Package in any way, provided that you insert
a prominent notice in each changed file stating how and when AND WHY you changed that
file, and provided that you do at least ONE of the following:
a) place your modifications in the Public Domain or otherwise make them Freely Available,
such as by posting said modifications to Usenet or an equivalent medium, or placing the
modifications on a major archive site such as uunet.uu.net, or by allowing the Copyright
Holder to include your modifications in the Standard Version of the Package.
b) use the modified Package only within your corporation or organization.
c) rename any non-standard executables so the names do not conflict with standard
executables, which must also be provided, and provide separate documentation for each non-
standard executable that clearly documents how it differs from the Standard Version.
d) make other distribution arrangements with the Copyright Holder.
4. You may distribute the programs of this Package in object code or executable form,
provided that you do at least ONE of the following:
a) distribute a Standard Version of the executables and library files, together with instructions
(in the manual page or equivalent) on where to get the Standard Version.
b) accompany the distribution with the machine-readable source of the Package with your
modifications.
BSD
The following copyright holders provide software under the BSD license:
• Julian Steward
• Nick Mathewson
• Niels Provos
• Dug Song
• Todd C. Miller
• University of Cambridge
Redistribution and use in source and binary forms, with or without modification, are
permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions
and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of
conditions and the following disclaimer in the documentation and/or other materials
provided with the distribution.
3. The names of the authors may not be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Activities other than copying, distribution and modification are not covered by this License;
they are outside its scope. The act of running the Program is not restricted, and the output
from the Program is covered only if its contents constitute a work based on the Program
(independent of having been made by running the Program). Whether that is true depends on
what the Program does.
1. You may copy and distribute verbatim copies of the Program's source code as you receive it,
in any medium, provided that you conspicuously and appropriately publish on each copy an
appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer
to this License and to the absence of any warranty; and give any other recipients of the
Program a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option
offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a
work based on the Program, and copy and distribute such modifications or work under the
terms of Section 1 above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices stating that you changed the
files and the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains
or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all
third parties under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must
cause it, when started running for such interactive use in the most ordinary way, to print or
display an announcement including an appropriate copyright notice and a notice that there is
no warranty (or else, saying that you provide a warranty) and that users may redistribute the
program under these conditions, and telling the user how to view a copy of this License.
(Exception: if the Program itself is interactive but does not normally print such an
announcement, your work based on the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that
work are not derived from the Program, and can be reasonably considered independent and
separate works in themselves, then this License, and its terms, do not apply to those sections
when you distribute them as separate works. But when you distribute the same sections as
part of a whole which is a work based on the Program, the distribution of the whole must be
on the terms of this License, whose permissions for other licensees extend to the entire whole,
and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written
entirely by you; rather, the intent is to exercise the right to control the distribution of
derivative or collective works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program
(or with a work based on the Program) on a volume of a storage or distribution medium does
not bring the other work under the scope of this License.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object
code or executable form under the terms of Sections 1 and 2 above provided that you also do
one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which
must be distributed under the terms of Sections 1 and 2 above on a medium customarily used
for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party,
for a charge no more than your cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be distributed under the terms of
Sections 1 and 2 above on a medium customarily used for software interchange; or,
This section is intended to make thoroughly clear what is believed to be a consequence of the
rest of this License.
8. If the distribution and/or use of the Program is restricted in certain countries either by
patents or by copyrighted interfaces, the original copyright holder who places the Program
under this License may add an explicit geographical distribution limitation excluding those
countries, so that distribution is permitted only in or among countries not thus excluded. In
such case, this License incorporates the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General
Public License from time to time. Such new versions will be similar in spirit to the present
version, but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Program specifies a version
number of this License which applies to it and "any later version", you have the option of
following the terms and conditions either of that version or of any later version published by
the Free Software Foundation. If the Program does not specify a version number of this
License, you may choose any version ever published by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free programs whose
distribution conditions are different, write to the author to ask for permission. For software
which is copyrighted by the Free Software Foundation, write to the Free Software Foundation;
we sometimes make exceptions for this. Our decision will be guided by the two goals of
preserving the free status of all derivatives of our free software and of promoting the sharing
and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO
WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/
OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME
THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY
MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE
TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF
SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
When a program is linked with a library, whether statically or using a shared library, the
combination of the two is legally speaking a combined work, a derivative of the original
library. The ordinary General Public License therefore permits such linking only if the entire
combination fits its criteria of freedom. The Lesser General Public License permits more lax
criteria for linking other code with the library.
We call this license the "Lesser" General Public License because it does Less to protect the
user's freedom than the ordinary General Public License. It also provides other free software
developers Less of an advantage over competing non-free programs. These disadvantages are
the reason we use the ordinary General Public License for many libraries. However, the Lesser
license provides advantages in certain special circumstances.
For example, on rare occasions, there may be a special need to encourage the widest possible
use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free
programs must be allowed to use the library. A more frequent case is that a free library does
the same job as widely used non-free libraries. In this case, there is little to gain by limiting the
free library to free software only, so we use the Lesser General Public License.
In other cases, permission to use a particular library in non-free programs enables a greater
number of people to use a large body of free software. For example, permission to use the
GNU C Library in non-free programs enables many more people to use the whole GNU
operating system, as well as its variant, the GNU/Linux operating system.
Although the Lesser General Public License is Less protective of the users' freedom, it does
ensure that the user of a program that is linked with the Library has the freedom and the
wherewithal to run that program using a modified version of the Library.
The precise terms and conditions for copying, distribution and modification follow. Pay close
attention to the difference between a "work based on the library" and a "work that uses the
library". The former contains code derived from the library, whereas the latter must be
combined with the library in order to run.
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License Agreement applies to any software library or other program which contains a
notice placed by the copyright holder or other authorized party saying it may be distributed
under the terms of this Lesser General Public License (also called "this License"). Each licensee
is addressed as "you".
A "library" means a collection of software functions and/or data prepared so as to be
conveniently linked with application programs (which use some of those functions and data)
to form executables.
The "Library", below, refers to any such software library or work which has been distributed
under these terms. A "work based on the Library" means either the Library or any derivative
work under copyright law: that is to say, a work containing the Library or a portion of it,
either verbatim or with modifications and/or translated straightforwardly into another
language. (Hereinafter, translation is included without limitation in the term "modification".)
"Source code" for a work means the preferred form of the work for making modifications to it.
For a library, complete source code means all the source code for all modules it contains, plus
any associated interface definition files, plus the scripts used to control compilation and
installation of the library.
Activities other than copying, distribution and modification are not covered by this License;
they are outside its scope. The act of running a program using the Library is not restricted,
and output from such a program is covered only if its contents constitute a work based on the
Library (independent of the use of the Library in a tool for writing it). Whether that is true
depends on what the Library does and what the program that uses the Library does.
1. You may copy and distribute verbatim copies of the Library's complete source code as you
receive it, in any medium, provided that you conspicuously and appropriately publish on
each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty; and distribute a copy of
this License along with the Library.
You may charge a fee for the physical act of transferring a copy, and you may at your option
offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Library or any portion of it, thus forming a
work based on the Library, and copy and distribute such modifications or work under the
terms of Section 1 above, provided that you also meet all of these conditions:
* a) The modified work must itself be a software library.
* b) You must cause the files modified to carry prominent notices stating that you changed
the files and the date of any change.
* c) You must cause the whole of the work to be licensed at no charge to all third parties
under the terms of this License.
* d) If a facility in the modified Library refers to a function or a table of data to be supplied
by an application program that uses the facility, other than as an argument passed when the
facility is invoked, then you must make a good faith effort to ensure that, in the event an
application does not supply such function or table, the facility still operates, and performs
whatever part of its purpose remains meaningful.
(For example, a function in a library to compute square roots has a purpose that is entirely
well-defined independent of the application. Therefore, Subsection 2d requires that any
application-supplied function or table used by this function must be optional: if the
application does not supply it, the square root function must still compute square roots.)
These requirements apply to the modified work as a whole. If identifiable sections of that
work are not derived from the Library, and can be reasonably considered independent and
separate works in themselves, then this License, and its terms, do not apply to those sections
when you distribute them as separate works. But when you distribute the same sections as
part of a whole which is a work based on the Library, the distribution of the whole must be on
the terms of this License, whose permissions for other licensees extend to the entire whole,
and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written
entirely by you; rather, the intent is to exercise the right to control the distribution of
derivative or collective works based on the Library.
In addition, mere aggregation of another work not based on the Library with the Library (or
with a work based on the Library) on a volume of a storage or distribution medium does not
bring the other work under the scope of this License.
3. You may opt to apply the terms of the ordinary GNU General Public License instead of this
License to a given copy of the Library. To do this, you must alter all the notices that refer to
this License, so that they refer to the ordinary GNU General Public License, version 2, instead
of to this License. (If a newer version than version 2 of the ordinary GNU General Public
License has appeared, then you can specify that version instead if you wish.) Do not make any
other change in these notices.
Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU
General Public License applies to all subsequent copies and derivative works made from that
copy.
This option is useful when you wish to copy part of the code of the Library into a program
that is not a library.
4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in
object code or executable form under the terms of Sections 1 and 2 above provided that you
accompany it with the complete corresponding machine-readable source code, which must be
distributed under the terms of Sections 1 and 2 above on a medium customarily used for
software interchange.
If distribution of object code is made by offering access to copy from a designated place, then
offering equivalent access to copy the source code from the same place satisfies the
requirement to distribute the source code, even though third parties are not compelled to copy
the source along with the object code.
5. A program that contains no derivative of any portion of the Library, but is designed to work
with the Library by being compiled or linked with it, is called a "work that uses the Library".
Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside
the scope of this License.
However, linking a "work that uses the Library" with the Library creates an executable that is
a derivative of the Library (because it contains portions of the Library), rather than a "work
that uses the library". The executable is therefore covered by this License. Section 6 states
terms for distribution of such executables.
When a "work that uses the Library" uses material from a header file that is part of the Library,
the object code for the work may be a derivative work of the Library even though the source
code is not. Whether this is true is especially significant if the work can be linked without the
Library, or if the work is itself a library. The threshold for this to be true is not precisely
defined by law.
If such an object file uses only numerical parameters, data structure layouts and accessors,
and small macros and small inline functions (ten lines or less in length), then the use of the
object file is unrestricted, regardless of whether it is legally a derivative work. (Executables
containing this object code plus portions of the Library will still fall under Section 6.)
Otherwise, if the work is a derivative of the Library, you may distribute the object code for the
work under the terms of Section 6. Any executables containing that work also fall under
Section 6, whether or not they are linked directly with the Library itself.
6. As an exception to the Sections above, you may also combine or link a "work that uses the
Library" with the Library to produce a work containing portions of the Library, and distribute
that work under terms of your choice, provided that the terms permit modification of the
work for the customer's own use and reverse engineering for debugging such modifications.
You must give prominent notice with each copy of the work that the Library is used in it and
that the Library and its use are covered by this License. You must supply a copy of this
License. If the work during execution displays copyright notices, you must include the
copyright notice for the Library among them, as well as a reference directing the user to the
copy of this License. Also, you must do one of these things:
* a) Accompany the work with the complete corresponding machine-readable source code
for the Library including whatever changes were used in the work (which must be distributed
under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with
the complete machine-readable "work that uses the Library", as object code and/or source
code, so that the user can modify the Library and then relink to produce a modified executable
containing the modified Library. (It is understood that the user who changes the contents of
definitions files in the Library will not necessarily be able to recompile the application to use
the modified definitions.)
* b) Use a suitable shared library mechanism for linking with the Library. A suitable
mechanism is one that (1) uses at run time a copy of the library already present on the user's
computer system, rather than copying library functions into the executable, and (2) will
operate properly with a modified version of the library, if the user installs one, as long as the
modified version is interface-compatible with the version that the work was made with.
* c) Accompany the work with a written offer, valid for at least three years, to give the same
user the materials specified in Subsection 6a, above, for a charge no more than the cost of
performing this distribution.
* d) If distribution of the work is made by offering access to copy from a designated place,
offer equivalent access to copy the above specified materials from the same place.
* e) Verify that the user has already received a copy of these materials or that you have
already sent this user a copy.
For an executable, the required form of the "work that uses the Library" must include any data
and utility programs needed for reproducing the executable from it. However, as a special
exception, the materials to be distributed need not include anything that is normally
distributed (in either source or binary form) with the major components (compiler, kernel, and
so on) of the operating system on which the executable runs, unless that component itself
accompanies the executable.
It may happen that this requirement contradicts the license restrictions of other proprietary
libraries that do not normally accompany the operating system. Such a contradiction means
you cannot use both them and the Library together in an executable that you distribute.
7. You may place library facilities that are a work based on the Library side-by-side in a single
library together with other library facilities not covered by this License, and distribute such a
combined library, provided that the separate distribution of the work based on the Library
and of the other library facilities is otherwise permitted, and provided that you do these two
things:
* a) Accompany the combined library with a copy of the same work based on the Library,
uncombined with any other library facilities. This must be distributed under the terms of the
Sections above.
* b) Give prominent notice with the combined library of the fact that part of it is a work
based on the Library, and explaining where to find the accompanying uncombined form of
the same work.
8. You may not copy, modify, sublicense, link with, or distribute the Library except as
expressly provided under this License. Any attempt otherwise to copy, modify, sublicense,
link with, or distribute the Library is void, and will automatically terminate your rights under
this License. However, parties who have received copies, or rights, from you under this
License will not have their licenses terminated so long as such parties remain in full
compliance.
9. You are not required to accept this License, since you have not signed it. However, nothing
else grants you permission to modify or distribute the Library or its derivative works. These
actions are prohibited by law if you do not accept this License. Therefore, by modifying or
distributing the Library (or any work based on the Library), you indicate your acceptance of
this License to do so, and all its terms and conditions for copying, distributing or modifying
the Library or works based on it.
10. Each time you redistribute the Library (or any work based on the Library), the recipient
automatically receives a license from the original licensor to copy, distribute, link with or
modify the Library subject to these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein. You are not responsible for
enforcing compliance by third parties with this License.
11. If, as a consequence of a court judgment or allegation of patent infringement or for any
other reason (not limited to patent issues), conditions are imposed on you (whether by court
order, agreement or otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot distribute so as to satisfy
simultaneously your obligations under this License and any other pertinent obligations, then
as a consequence you may not distribute the Library at all. For example, if a patent license
would not permit royalty-free redistribution of the Library by all those who receive copies
directly or indirectly through you, then the only way you could satisfy both it and this License
would be to refrain entirely from distribution of the Library.
If any portion of this section is held invalid or unenforceable under any particular
circumstance, the balance of the section is intended to apply, and the section as a whole is
intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property
right claims or to contest validity of any such claims; this section has the sole purpose of
protecting the integrity of the free software distribution system which is implemented by
public license practices. Many people have made generous contributions to the wide range of
software distributed through that system in reliance on consistent application of that system;
it is up to the author/donor to decide if he or she is willing to distribute software through any
other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the
rest of this License.
12. If the distribution and/or use of the Library is restricted in certain countries either by
patents or by copyrighted interfaces, the original copyright holder who places the Library
under this License may add an explicit geographical distribution limitation excluding those
countries, so that distribution is permitted only in or among countries not thus excluded. In
such case, this License incorporates the limitation as if written in the body of this License.
13. The Free Software Foundation may publish revised and/or new versions of the Lesser
General Public License from time to time. Such new versions will be similar in spirit to the
present version, but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Library specifies a version
number of this License which applies to it and "any later version", you have the option of
following the terms and conditions either of that version or of any later version published by
the Free Software Foundation. If the Library does not specify a license version number, you
may choose any version ever published by the Free Software Foundation.
14. If you wish to incorporate parts of the Library into other free programs whose distribution
conditions are incompatible with these, write to the author to ask for permission. For software
which is copyrighted by the Free Software Foundation, write to the Free Software Foundation;
we sometimes make exceptions for this. Our decision will be guided by the two goals of
preserving the free status of all derivatives of our free software and of promoting the sharing
and reuse of software generally.
NO WARRANTY
15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT
WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE
COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY
MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO
YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
MIT/X11
Copyright (C) 2001-2002 Daniel Veillard. All Rights Reserved.
Copyright (C) 2001-2002 Thomas Broyer, Charlie Bozeman and Daniel Veillard. All Rights
Reserved.
Copyright (C) 1998 Bjorn Reese and Daniel Stenberg.
Copyright (C) 2000 Gary Pennington and Daniel Veillard.
Copyright (C) 2001 Bjorn Reese <[email protected]>
Copyright (c) 2001, 2002, 2003 Python Software Foundation
Copyright (c) 2004-2008 Paramjit Oberoi <param.cs.wisc.edu>
Copyright (c) 2007 Tim Lauridsen <[email protected]>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software
and associated documentation files (the "Software"), to deal in the Software without
restriction, including without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or
substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
OpenSSH
This file is part of the OpenSSH software.
The licences which components of this software fall under are as follows. First, we will
summarize and say that all components are under a BSD licence, or a licence more free than
that.
OpenSSH contains no GPL code.
1) Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland
All rights reserved
As far as I am concerned, the code I have written for this software can be used freely for any
purpose. Any derived versions of this software must be clearly marked as such, and if the
derived work is incompatible with the protocol description in the RFC file, it must be called by
a name other than "ssh" or "Secure Shell".
[Tatu continues]
However, I am not implying to give any licenses to any patents or copyrights held by third
parties, and the software includes parts that are not under my direct control. As far as I know,
all included source code is used in accordance with the relevant license agreements and can be
used freely for any purpose (the GNU license being the most restrictive); see below for details.
[However, none of that term is relevant at this point in time. All of these restrictively licenced
software components which he talks about have been removed from OpenSSH, i.e.,
- RSA is no longer included, found in the OpenSSL library
- IDEA is no longer included, its use is deprecated
- DES is now external, in the OpenSSL library
- GMP is no longer used, and instead we call BN code from OpenSSL
- Zlib is now external, in a library
- The make-ssh-known-hosts script is no longer included
- TSS has been removed
- MD5 is now external, in the OpenSSL library
- RC4 support has been replaced with ARC4 support from OpenSSL
- Blowfish is now external, in the OpenSSL library
[The licence continues]
Note that any information and cryptographic algorithms used in this software are publicly
available on the Internet and at any major bookstore, scientific library, and patent office
worldwide. More information can be found e.g. at "http://www.cs.hut.fi/crypto".
The legal status of this program is some combination of all these permissions and restrictions.
Use only at your own responsibility. You will be responsible for any legal consequences
yourself; I am not making any claims whether possessing or using this is legal or not in your
country, and I am not taking any responsibility on your behalf.
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT
WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME
THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR
DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF
SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
2) The 32-bit CRC compensation attack detector in deattack.c was contributed by CORE SDI
S.A. under a BSD-style license.
Cryptographic attack detector for ssh - source code
PSF
1. This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the
Individual or Organization ("Licensee") accessing and otherwise using Python 2.3 software in
source or binary form and its associated documentation.
2. Subject to the terms and conditions of this License Agreement, PSF hereby grants Licensee a
nonexclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or
display publicly, prepare derivative works, distribute, and otherwise use Python 2.3 alone or
in any derivative version, provided, however, that PSF's License Agreement and PSF's notice
of copyright, i.e., "Copyright (c) 2001, 2002, 2003 Python Software Foundation; All Rights
Reserved" are retained in Python 2.3 alone or in any derivative version prepared by Licensee.
3. In the event Licensee prepares a derivative work that is based on or incorporates Python 2.3
or any part thereof, and wants to make the derivative work available to others as provided
herein, then Licensee hereby agrees to include in any such work a brief summary of the
changes made to Python 2.3.
4. PSF is making Python 2.3 available to Licensee on an "AS IS" basis. PSF MAKES NO
REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE,
BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR
WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE
OR THAT THE USE OF PYTHON 2.3 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS.
5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON 2.3
FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A
RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON 2.3, OR ANY
DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
6. This License Agreement will automatically terminate upon a material breach of its terms
and conditions.
7. Nothing in this License Agreement shall be deemed to create any relationship of agency,
partnership, or joint venture between PSF and Licensee. This License Agreement does not
grant permission to use PSF trademarks or trade name in a trademark sense to endorse or
promote products or services of Licensee, or any third party.
8. By copying, installing or otherwise using Python 2.3, Licensee agrees to be bound by the
terms and conditions of this License Agreement.
PHP
The PHP License, version 3.01
Copyright (c) 1999 - 2009 The PHP Group. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions
and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of
conditions and the following disclaimer in the documentation and/or other materials
provided with the distribution.
3. The name "PHP" must not be used to endorse or promote products derived from this
software without prior written permission. For written permission, please contact
[email protected].
4. Products derived from this software may not be called "PHP", nor may "PHP" appear in
their name, without prior written permission from [email protected]. You may indicate that
your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it
"PHP Foo" or "phpfoo"
5. The PHP Group may publish revised and/or new versions of the license from time to time.
Each version will be given a distinguishing version number. Once covered code has been
published under a particular version of the license, you may always continue to use it under
the terms of that version. You may also choose to use such covered code under the terms of
any subsequent version of the license published by the PHP Group. No one other than the
PHP Group has the right to modify the terms applicable to covered code created under this
License.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This
product includes PHP software, freely available from <http://www.php.net/software/>".
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM
OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the
PHP Group.
The PHP Group can be contacted via Email at [email protected].
For more information on the PHP Group and the PHP project, please see
<http://www.php.net>.
PHP includes the Zend Engine, freely available at <http://www.zend.com>.
Zlib
Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied warranty. In no event will
the authors be held liable for any damages arising from the use of this software.
Permission is granted to anyone to use this software for any purpose, including commercial
applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote
the original software. If you use this software in a product, an acknowledgment in the product
documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented
as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly [email protected]
Mark Adler [email protected]