Best Practices for Completing the Firewall Deployment

Home

Location

Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base

Home
PAN-OS
PAN-OS Administrator's Guide
Getting Started
Best Practices for Completing the Firewall Deployment

Last Updated:

Mon Nov 22 18:50:33 PST 2021

Current Version:

7.1 (EoL)

Version 10.2
Version 10.1
Version 10.0 (EoL)
Version 9.1
Version 9.0 (EoL)
Version 8.1 (EoL)
Version 8.0 (EoL)
Version 7.1 (EoL)

End-of-Life (EoL)

Table of Contents

Search the Table of Contents

Getting Started

Integrate the Firewall into Your Management Network

Determine Your Management Strategy

Perform Initial Configuration

Set Up Network Access for External Services

Register the Firewall

Activate Licenses and Subscriptions

Install Content and Software Updates

Segment Your Network Using Interfaces and Zones

Network Segmentation for a Reduced Attack Surface

Configure Interfaces and Zones

Set Up a Basic Security Policy

Assess Network Traffic

Enable Basic Threat Prevention Features

Enable Basic WildFire Forwarding

Scan Traffic for Threats

Set Up Antivirus, Anti-Spyware, and Vulnerability Protection Profiles

Set Up File Blocking Profiles

Control Access to Web Content

Enable AutoFocus Threat Intelligence

Best Practices for Completing the Firewall Deployment

Firewall Administration

Management Interfaces

Use the Web Interface

Launch the Web Interface

Configure Banners, Message of the Day, and Logos

Use the Administrator Login Activity Indicators to Detect Account Misuse

Manage and Monitor Administrative Tasks

Commit, Validate, and Preview Firewall Configuration Changes

Use Global Find to Search the Firewall or Panorama Management Server

Manage Locks for Restricting Configuration Changes

Manage Configuration Backups

Back Up a Configuration

Restore a Configuration

Manage Firewall Administrators

Administrative Role Types

Configure an Admin Role Profile

Administrative Authentication

Configure Administrative Accounts and Authentication

Configure an Administrative Account

Configure Kerberos SSO and External or Local Authentication for Administrators

Configure Certificate-Based Administrator Authentication to the Web Interface

Configure SSH Key-Based Administrator Authentication to the CLI

Configure RADIUS Vendor-Specific Attributes for Administrator Authentication

Reference: Web Interface Administrator Access

Web Interface Access Privileges

Define Access to the Web Interface Tabs

Provide Granular Access to the Monitor Tab

Provide Granular Access to the Policy Tab

Provide Granular Access to the Objects Tab

Provide Granular Access to the Network Tab

Provide Granular Access to the Device Tab

Define User Privacy Settings in the Admin Role Profile

Restrict Administrator Access to Commit and Validate Functions

Provide Granular Access to Global Settings

Provide Granular Access to the Panorama Tab

Panorama Web Interface Access Privileges

Reference: Port Number Usage

Ports Used for Management Functions

Ports Used for HA

Ports Used for Panorama

Ports Used for GlobalProtect

Ports Used for User-ID

Reset the Firewall to Factory Default Settings

Bootstrap the Firewall

USB Flash Drive Support

Sample init-cfg.txt Files

Prepare a USB Flash Drive for Bootstrapping a Firewall

Bootstrap a Firewall Using a USB Flash Drive

Authentication

Configure an Authentication Profile and Sequence

Configure Kerberos Single Sign-On

Configure Local Database Authentication

Configure External Authentication

Configure Authentication Server Profiles

Configure a RADIUS Server Profile

Set CHAP or PAP Authentication for RADIUS Servers

RADIUS Vendor-Specific Attributes Support

Configure a TACACS+ Server Profile

Configure an LDAP Server Profile

Configure a Kerberos Server Profile

Enable External Authentication for Users and Services

Test Authentication Server Connectivity

Run the Test Authentication Command

Test a Local Database Authentication Profile

Test a RADIUS Authentication Profile

Test a TACACS+ Authentication Profile

Test an LDAP Authentication Profile

Test a Kerberos Authentication Profile

Troubleshoot Authentication Issues

Certificate Management

Keys and Certificates

Certificate Revocation

Certificate Revocation List (CRL)

Online Certificate Status Protocol (OCSP)

Certificate Deployment

Set Up Verification for Certificate Revocation Status

Configure an OCSP Responder

Configure Revocation Status Verification of Certificates

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Configure the Master Key

Obtain Certificates

Create a Self-Signed Root CA Certificate

Generate a Certificate

Import a Certificate and Private Key

Obtain a Certificate from an External CA

Export a Certificate and Private Key

Configure a Certificate Profile

Configure an SSL/TLS Service Profile

Replace the Certificate for Inbound Management Traffic

Configure the Key Size for SSL Forward Proxy Server Certificates

Revoke and Renew Certificates

Revoke a Certificate

Renew a Certificate

Secure Keys with a Hardware Security Module

Set up Connectivity with an HSM

Set Up Connectivity with a SafeNet Network HSM

Set Up Connectivity with an nCipher nShield Connect HSM

Encrypt a Master Key Using an HSM

Encrypt the Master Key

Refresh the Master Key Encryption

Store Private Keys on an HSM

Manage the HSM Deployment

High Availability

HA Overview

HA Concepts

HA Modes

HA Links and Backup Links

HA Ports on the PA-7000 Series Firewall

Device Priority and Preemption

Failover

LACP and LLDP Pre-Negotiation for Active/Passive HA

Floating IP Address and Virtual MAC Address

ARP Load-Sharing

Route-Based Redundancy

HA Timers

Session Owner

Session Setup

NAT in Active/Active HA Mode

ECMP in Active/Active HA Mode

Set Up Active/Passive HA

Prerequisites for Active/Passive HA

Configuration Guidelines for Active/Passive HA

Configure Active/Passive HA

Define HA Failover Conditions

Verify Failover

Set Up Active/Active HA

Prerequisites for Active/Active HA

Configure Active/Active HA

Determine Your Active/Active Use Case

Use Case: Configure Active/Active HA with Route-Based Redundancy

Use Case: Configure Active/Active HA with Floating IP Addresses

Use Case: Configure Active/Active HA with ARP Load-Sharing

Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses

Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3

HA Firewall States

Reference: HA Synchronization

What Settings Don’t Sync in Active/Active HA?

What Settings Don’t Sync in Active/Passive HA?

Synchronization of System Runtime Information

Monitoring

Use the Dashboard

Use the Application Command Center

ACC—First Look

ACC Tabs

ACC Widgets

Widget Descriptions

ACC Filters

Interact with the ACC

Use Case: ACC—Path of Information Discovery

App Scope

Summary Report

Change Monitor Report

Threat Monitor Report

Threat Map Report

Network Monitor Report

Traffic Map Report

Use the Automated Correlation Engine

Automated Correlation Engine Concepts

Correlation Object

Correlated Events

View the Correlated Objects

Interpret Correlated Events

Use the Compromised Hosts Widget in the ACC

Take Packet Captures

Types of Packet Captures

Disable Hardware Offload

Take a Custom Packet Capture

Take a Threat Packet Capture

Take an Application Packet Capture

Take a Packet Capture for Unknown Applications

Take a Custom Application Packet Capture

Take a Packet Capture on the Management Interface

Monitor Applications and Threats

Monitor and Manage Logs

Log Types and Severity Levels

Traffic Logs

Threat Logs

URL Filtering Logs

WildFire Submissions Logs

Data Filtering Logs

Correlation Logs

Config Logs

System Logs

HIP Match Logs

Alarms Logs

Unified Logs

Work with Logs

View Logs

Filter Logs

Export Logs

View AutoFocus Threat Data for Logs

Configure Log Storage Quotas and Expiration Periods

Schedule Log Exports to an SCP or FTP Server

Manage Reporting

Report Types

View Reports

Configure the Report Expiration Period

Disable Predefined Reports

Custom Reports

Generate Custom Reports

Generate Botnet Reports

Configure a Botnet Report

Interpret Botnet Report Output

Generate the SaaS Application Usage Report

Manage PDF Summary Reports

Generate User/Group Activity Reports

Manage Report Groups

Schedule Reports for Email Delivery

Use External Services for Monitoring

Configure Log Forwarding

Configure Email Alerts

Use Syslog for Monitoring

Configure Syslog Monitoring

Syslog Field Descriptions

Traffic Log Fields

Threat Log Fields

HIP Match Log Fields

Config Log Fields

System Log Fields

Correlated Events Log Fields

Syslog Severity

Custom Log/Event Format

Escape Sequences

SNMP Monitoring and Traps

SNMP Support

Use an SNMP Manager to Explore MIBs and Objects

Identify a MIB Containing a Known OID

Walk a MIB

Identify the OID for a System Statistic or Trap

Enable SNMP Services for Firewall-Secured Network Elements

Monitor Statistics Using SNMP

Forward Traps to an SNMP Manager

Supported MIBs

MIB-II

IF-MIB

HOST-RESOURCES-MIB

ENTITY-MIB

ENTITY-SENSOR-MIB

ENTITY-STATE-MIB

IEEE 802.3 LAG MIB

LLDP-V2-MIB.my

BFD-STD-MIB

PAN-COMMON-MIB.my

PAN-GLOBAL-REG-MIB.my

PAN-GLOBAL-TC-MIB.my

PAN-LC-MIB.my

PAN-PRODUCT-MIB.my

PAN-ENTITY-EXT-MIB.my

PAN-TRAPS.my

NetFlow Monitoring

Configure NetFlow Exports

NetFlow Templates

Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors

User-ID

User-ID Overview

User-ID Concepts

Group Mapping

User Mapping

Server Monitoring

Port Mapping

XFF Headers

Captive Portal

Syslog

GlobalProtect

XML API

Client Probing

Enable User-ID

Map Users to Groups

Map IP Addresses to Users

Create a Dedicated Service Account for the User-ID Agent

Configure User Mapping Using the Windows User-ID Agent

Install the User-ID Agent

Configure the User-ID Agent for User Mapping

Configure User Mapping Using the PAN-OS Integrated User-ID Agent

Configure User-ID to Receive User Mappings from a Syslog Sender

Configure the Integrated User-ID Agent as a Syslog Listener

Configure the Windows User-ID Agent as a Syslog Listener

Map IP Addresses to Usernames Using Captive Portal

Captive Portal Authentication Methods

Captive Portal Modes

Configure Captive Portal

Configure User Mapping for Terminal Server Users

Configure the Palo Alto Networks Terminal Services Agent for User Mapping

Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

Send User Mappings to User-ID Using the XML API

Enable User- and Group-Based Policy

Enable Policy for Users with Multiple Accounts

Verify the User-ID Configuration

Deploy User-ID in a Large-Scale Network

Deploy User-ID for Numerous Mapping Information Sources

Windows Log Forwarding and Global Catalog Servers

Plan a Large-Scale User-ID Deployment

Configure Windows Log Forwarding

Configure User-ID for Numerous Mapping Information Sources

Configure Firewalls to Redistribute User Mapping Information

Firewall Deployment for User-ID Redistribution

Configure User-ID Redistribution

App-ID

App-ID Overview

Manage Custom or Unknown Applications

Manage New App-IDs Introduced in Content Releases

Review New App-IDs

Review New App-IDs Since Last Content Version

Review New App-ID Impact on Existing Policy Rules

Disable or Enable App-IDs

Prepare Policy Updates for Pending App-IDs

Use Application Objects in Policy

Create an Application Group

Create an Application Filter

Create a Custom Application

Applications with Implicit Support

Application Level Gateways

Disable the SIP Application-level Gateway (ALG)

Threat Prevention

Set Up Security Profiles and Policies

Set Up Antivirus, Anti-Spyware, and Vulnerability Protection

Set Up Data Filtering

Set Up File Blocking

Prevent Brute Force Attacks

Customize the Action and Trigger Conditions for a Brute Force Signature

Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions

Best Practices for Application and Threat Content Updates

Enable DNS Proxy

Enable Passive DNS Collection for Improved Threat Intelligence

Use DNS Queries to Identify Infected Hosts on the Network

DNS Sinkholing

Configure DNS Sinkholing for a List of Custom Domains

Configure the Sinkhole IP Address to a Local Server on Your Network

Identify Infected Hosts

DoS Protection Against Flooding of New Sessions

Multiple-Session DoS Attack

Single-Session DoS Attack

Configure DoS Protection Against Flooding of New Sessions

Use the CLI to End a Single Attacking Session

Identify Sessions That Use an Excessive Percentage of the Packet Buffer

Discard a Session Without a Commit

Content Delivery Network Infrastructure for Dynamic Updates

Threat Prevention Resources

Decryption

Decryption Overview

Decryption Concepts

Keys and Certificates for Decryption Policies

SSL Forward Proxy

SSL Inbound Inspection

SSH Proxy

Decryption Exceptions

Decryption Mirroring

Define Traffic to Decrypt

Create a Decryption Profile

Create a Decryption Policy Rule

Configure SSL Forward Proxy

Configure SSL Inbound Inspection

Configure SSH Proxy

Configure Decryption Exceptions

Exclude Traffic from Decryption

Exclude a Server from Decryption

Enable Users to Opt Out of SSL Decryption

Configure Decryption Port Mirroring

Temporarily Disable SSL Decryption

URL Filtering

URL Filtering Overview

URL Filtering Vendors

Interaction Between App-ID and URL Categories

PAN-DB Private Cloud

M-500 Appliance for PAN-DB Private Cloud

Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud

URL Filtering Concepts

URL Categories

URL Filtering Profile

URL Filtering Profile Actions

URL Category Exception Lists

Basic Guidelines For URL Category Exception Lists

Wildcard Guidelines for URL Category Exception Lists

URL Category Exception List—Wildcard Examples

External Dynamic List for URLs

Safe Search Enforcement

Container Pages

HTTP Header Logging

URL Filtering Response Pages

URL Category as Policy Match Criteria

PAN-DB Categorization

PAN-DB URL Categorization Components

PAN-DB URL Categorization Workflow

Enable a URL Filtering Vendor

Enable PAN-DB URL Filtering

Enable BrightCloud URL Filtering

Determine URL Filtering Policy Requirements

Use an External Dynamic List in a URL Filtering Profile

Monitor Web Activity

Monitor Web Activity of Network Users

View the User Activity Report

Configure Custom URL Filtering Reports

Configure URL Filtering

Customize the URL Filtering Response Pages

Configure URL Admin Override

Enable Safe Search Enforcement

Block Search Results that are not Using Strict Safe Search Settings

Enable Transparent Safe Search Enforcement

Set Up the PAN-DB Private Cloud

Configure the PAN-DB Private Cloud

Configure the Firewalls to Access the PAN-DB Private Cloud

URL Filtering Use Case Examples

Use Case: Control Web Access

Use Case: Use URL Categories for Policy Matching

Troubleshoot URL Filtering

Problems Activating PAN-DB

PAN-DB Cloud Connectivity Issues

URLs Classified as Not-Resolved

Incorrect Categorization

URL Database Out of Date

Quality of Service

QoS Overview

QoS Concepts

QoS for Applications and Users

QoS Policy

QoS Profile

QoS Classes

QoS Priority Queuing

QoS Bandwidth Management

QoS Egress Interface

QoS for Clear Text and Tunneled Traffic

Configure QoS

Configure QoS for a Virtual System

Enforce QoS Based on DSCP Classification

QoS Use Cases

Use Case: QoS for a Single User

Use Case: QoS for Voice and Video Applications

VPNs

VPN Deployments

Site-to-Site VPN Overview

Site-to-Site VPN Concepts

IKE Gateway

Tunnel Interface

Tunnel Monitoring

Internet Key Exchange (IKE) for VPN

IKE Phase 1

IKE Phase 2

Methods of Securing IPSec VPN Tunnels (IKE Phase 2)

IKEv2

Liveness Check

Cookie Activation Threshold and Strict Cookie Validation

Traffic Selectors

Hash and URL Certificate Exchange

SA Key Lifetime and Re-Authentication Interval

Set Up Site-to-Site VPN

Set Up an IKE Gateway

Export a Certificate for a Peer to Access Using Hash and URL

Import a Certificate for IKEv2 Gateway Authentication

Change the Key Lifetime or Authentication Interval for IKEv2

Change the Cookie Activation Threshold for IKEv2

Configure IKEv2 Traffic Selectors

Define Cryptographic Profiles

Define IKE Crypto Profiles

Define IPSec Crypto Profiles

Set Up an IPSec Tunnel

Set Up Tunnel Monitoring

Define a Tunnel Monitoring Profile

View the Status of the Tunnels

Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel

Enable or Disable an IKE Gateway or IPSec Tunnel

Refresh and Restart Behaviors

Refresh or Restart an IKE Gateway or IPSec Tunnel

Test VPN Connectivity

Interpret VPN Error Messages

Site-to-Site VPN Quick Configs

Site-to-Site VPN with Static Routing

Site-to-Site VPN with OSPF

Site-to-Site VPN with Static and Dynamic Routing

Large Scale VPN (LSVPN)

LSVPN Overview

Create Interfaces and Zones for the LSVPN

Enable SSL Between GlobalProtect LSVPN Components

About Certificate Deployment

Deploy Server Certificates to the GlobalProtect LSVPN Components

Deploy Client Certificates to the GlobalProtect Satellites Using SCEP

Configure the Portal to Authenticate Satellites

Configure GlobalProtect Gateways for LSVPN

Prerequisite Tasks

Configure the Gateway

Configure the GlobalProtect Portal for LSVPN

Prerequisite Tasks

Configure the Portal

Define the Satellite Configurations

Prepare the Satellite to Join the LSVPN

Verify the LSVPN Configuration

LSVPN Quick Configs

Basic LSVPN Configuration with Static Routing

Advanced LSVPN Configuration with Dynamic Routing

Advanced LSVPN Configuration with iBGP

Networking

Interface Deployments

Virtual Wire Deployments

Layer 2 and Layer 3 Packets over a Virtual Wire

Port Speeds of Virtual Wire Interfaces

LLDP over a Virtual Wire

Aggregated Interfaces for a Virtual Wire

High Availability Path Monitoring for a Virtual Wire Path Group

Zone Protection for a Virtual Wire Interface

VLAN-Tagged Traffic

Virtual Wire Subinterfaces

Configure a Virtual Wire

Layer 2 Deployments

Layer 3 Deployments

Point-to-Point Protocol over Ethernet Support

DHCP Client

Tap Mode Deployments

Configure an Aggregate Interface Group

Use Interface Management Profiles to Restrict Access

Virtual Routers

Static Routes

RIP

OSPF

OSPF Concepts

OSPFv3

OSPF Neighbors

OSPF Areas

OSPF Router Types

Configure OSPF

Configure OSPFv3

Configure OSPF Graceful Restart

Confirm OSPF Operation

View the Routing Table

Confirm OSPF Adjacencies

Confirm that OSPF Connections are Established

BGP

Configure BGP

BGP Confederations

Session Settings and Timeouts

Transport Layer Sessions

TCP

TCP Half Closed and TCP Time Wait Timers

Unverified RST Timer

TCP Split Handshake Drop

Maximum Segment Size (MSS)

UDP

ICMP

Security Policy Rules Based on ICMP and ICMPv6 Packets

ICMPv6 Rate Limiting

Control Specific ICMP or ICMPv6 Types and Codes

Configure Session Timeouts

Configure Session Settings

Prevent TCP Split Handshake Session Establishment

DHCP

DHCP Overview

Firewall as a DHCP Server and Client

DHCP Messages

DHCP Addressing

DHCP Address Allocation Methods

DHCP Leases

DHCP Options

Predefined DHCP Options

Multiple Values for a DHCP Option

DHCP Options 43, 55, and 60 and Other Customized Options

Configure an Interface as a DHCP Server

Configure an Interface as a DHCP Client

Configure the Management Interface as a DHCP Client

Configure an Interface as a DHCP Relay Agent

Monitor and Troubleshoot DHCP

View DHCP Server Information

Clear Leases Before They Expire Automatically

View DHCP Client Information

Gather Debug Output about DHCP

DNS

DNS Overview

DNS Proxy Object

DNS Server Profile

Multi-Tenant DNS Deployments

Configure a DNS Proxy Object

Configure a DNS Server Profile

Use Case 1: Firewall Requires DNS Resolution for Management Purposes