Getting Started with Palo Alto Networks
UC Berkeley Information Security and Policy (ISP)
Recommended Training Modules for VSYS Administrators
The following training modules are recommended for VSYS (Virtual System/Firewall) administrators. To save time, it is recommended you focus on the modules that in bold as VSYS administrators will not need to manage the other features or will not have access to them.
To access this course, login to the PAN Support Portal at https://support.paloaltonetworks.com. Navigate to the Learning Center > Browse Online Learning and make sure you are enrolled in the Firewall 8.0 Essentials: Configuration and Management (EDU-110) course, then click Open Curriculum.
Firewall 8.0 Essentials: Configuration and Management (EDU-110):
- Hands-On Lab Guide – 5 mins
- Course Introduction – 10 mins
- Platform and Architecture – 26 mins
- Initial Configuration – 55 mins
- Interface Configuration – 55 mins
- Security and NAT Policies – 65 mins
- App-ID – 45 mins
- Content-ID – 60 mins
- URL Filtering – 38 mins
- Decryption – 54 mins
- WildFire – 57 mins
- User-ID – 45 mins
- GlobalProtect – 45 mins
- Site-to-Site VPNs – 25 mins
- Monitoring and Reporting – 35 mins
- Active/Passive High Availability – 40 mins
- What's Next – 23 mins
Key Highlights of the Palo Alto Networks Next Generation Firewall
App-ID
One of the main differences between legacy port-based firewalls and the Palo Alto Networks (PAN) Next Generation Firewall (NGFW), is that the NGFW can classify and identify applications traversing the network and apply firewall policies to that traffic. This PAN feature is known as App-ID, and it can identify applications irrespective or port or protocol.
This means that you can create firewall policies that match specific applications and take actions to either allow or deny that traffic. A traditional firewall rule might look like this:
| Action | Allow |
| Source | 192.168.1.1 |
| Destination | 192.168.2.1 |
| Port | 80 |
| Protocol | TCP |
This would allow any TCP network traffic from 192.168.1.1 to reach 192.168.2.1 on port 80.
In the PAN NGFW, you could specify a rule that looks more like this:
| Action | Allow |
| Source | 192.168.1.1 |
| Destination | 192.168.2.1 |
| Port | 80 |
| Protocol | TCP |
| App-ID | sharepoint-base |
By specifying the App-ID “sharepoint-base”, the NGFW will only permit traffic that it decodes and identifies as matching its “sharepoint-base” application signature. This means only traffic for Microsoft Sharepoint’s “base” functions would be permitted. However, these other Sharepoint functions for which there are separate App-ID signatures, and all other traffic, would be blocked by the firewall:
- sharepoint-admin
- sharepoint-calendar
- sharepoint-blog-posting
- sharepoint-wiki
- sharepoint-documents
App-ID gives you fine grained control over what applications are permitted to traverse your firewall. In a legacy port-based firewall, any TCP traffic destined for 192.168.2.1 port 80/TCP would be allowed through, including things like application or web server exploits. By utilizing App-ID, this type of traffic would not match the allowed application and would be blocked by the PAN NGFW.
Learn more about App-ID here:
- App-ID documentation for PAN-OS 8.0:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id.html - App-ID Tech Brief:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/techbriefs/app-id-tech-brief - Browse App-ID Signatures:
https://applipedia.paloaltonetworks.com/ - Securing Your Network By Application (good reference for a phased approach planning and migrating port/protocol based policies to App-ID policies):
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/best-practices-application-visibility - App-ID Dependencies - Tips & Tricks:
https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-What-is-Application-Dependency/ta-p/54270 - Applications with Implicit Support:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/applications-with-implicit-support
Zones
In Palo Alto Networks NGFWs, security zones are a way to group physical and virtual interfaces on the firewall in order to segment and control traffic on the network. Initially, your VSYS will be configured to have one security zone per network subnet. In the future, it may be possible to merge subnets into a single zone to simplify security policy where it makes sense.
Security policy rules are applied on traffic between zones. Key concepts:
- Inter-zone traffic (traffic traversing between two zones) will, by default, be denied. You must define security policy with a source and destination zone in order to allow or deny network traffic.
- Note: source and destination zones must be of the same type (e.g. both Layer 3 zones or both Layer 7 zones).
- Intra-zone traffic (traffic between hosts in the same zone) will be default allowed to flow freely.
VSYS administrators will not be able to configure their own zones and interfaces, this must be performed by the Network Operations and Services (NOS) team.
Learn more about security zones here:
- Security Zone Overview in PAN-OS 8.0:
https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/network/network-zones/security-zone-overview - Segment Your Network Using Interfaces and Zones:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/getting-started/segment-your-network-using-interfaces-and-zones
Security Profiles
Security profiles allow traffic and content on the network to be scanned for threats such as malware, spyware, viruses, and exploits.
Security profiles are not the same as security policy (or “firewall rules”), and must be attached to existing security policy in order to be applied. When a rule/policy matches traffic and a security profile is attached to that policy, the security profile is applied for further content inspection and scanning such as:
- Anti-Virus Profiles - Antivirus profiles protect against viruses, worms, and trojans as well as spyware downloads.
- Anti-Spyware Profiles - Anti-Spyware profiles blocks spyware on compromised hosts from trying to phone-home or beacon out to external command-and-control (C2) servers.
- Vulnerability Protection Profiles - Vulnerability Protection profiles stop attempts to exploit system flaws or gain unauthorized access to systems.
- URL Filtering Profiles - URL Filtering profiles enable you to monitor and control how users access the web over HTTP and HTTPS (only when SSL decryption has been authorized and configured).
- Data Filtering Profiles - Data filtering profiles prevent sensitive information such as credit card or social security numbers from leaving a protected network.
- File Blocking Profiles - The firewall uses file blocking profiles to block specified file types over specified applications and in the specified session flow direction (inbound/outbound/both).
- Wildfire Analysis Profiles - Unknown or suspicious files and links are forwarded to a public or private WildFire cloud for security analysis and to obtain a verdict on whether the file is dangerous and should be blocked or not.
- DoS Protection Profiles - DoS protection profiles provide detailed control for Denial of Service (DoS) protection policies.
- Zone Protection Profiles - Zone Protection Profiles provide additional protection between specific network zones in order to protect the zones against attack.
A security profile group is a set of security profiles that can be treated as a unit and then easily added to security policies. When you create new firewall policies, there will be a provided default security profile group that was configured by Information Security & Policy and attached to the new policy. The default security profile group will be applied to any new rule you create.
You’re encouraged to utilize the provided default security profile group, and only remove or customize it for troubleshooting purposes.
Firewall rules migrated from the Cisco ASAs will also have security profile attached to them. For more information, see the bSecure ISP Customer Handout which contains details on the default security profiles provisioned by ISP for bSecure customers.
Learn more about security profiles here:
- Security Profiles in PAN-OS 8.0:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/security-profiles
Additional Resources
It is recommended that you subscribe to the PAN YouTube channel. It contains many useful tutorials and instructional videos:
Tips & Tricks: Filtering the Security Policy
Questions & Comments
For general questions about security within the Palo Alto Networks NGFW deployment, email security@berkeley.edu.
To request a new firewall service in the campus Data Center, or modification of an existing service, place a request via the Telecommunications Catalog at http://tc.berkeley.edu/. Support for existing firewall services can be obtained via Campus Shared Services at https://berkeley.service-now.com/ess/.