PAN-OS® Administrator’s Guide (App-ID: App-ID Cloud Engine)
Commit Failure Due to Cloud Content Rollback
Last Updated: Mar 8, 2023
Current Version: 10.1