Getting Started with Palo Alto Networks
UC Berkeley Information Security Office (ISO)
Recommended Training Modules for VSYS Administrators
The following training modules are recommended for VSYS (Virtual System/Firewall) administrators.
To access this course, log in to the PAN Training Portal at this webpage. Navigate to Digital Learning > Next-Generation Firewall course.
The following subsections of “Next-Generation Firewall” are the most relevant for vsys admins:
- Security Profiles and Security Policies
- App-ID
- User-ID
- Zone Security, Security and NAT Policies (specifically the Blocking Threats Using Security and NAT Policies subsection)
- Threat and Traffic Information
- Security Rule Tuning
- Policy optimization
Key Highlights of the Palo Alto Networks Next Generation Firewall
App-ID
One of the main differences between legacy port-based firewalls and the Palo Alto Networks (PAN) Next Generation Firewall (NGFW) is that the NGFW can classify and identify applications traversing the network and apply firewall policies to that traffic. This PAN feature is known as App-ID, and it can identify applications irrespective of port or protocol.
This means that you can create firewall policies that match specific applications and take actions to either allow or deny that traffic. A traditional firewall rule might look like this:
| Field | Value |
|---|---|
| Action | Allow |
| Source | 192.168.1.1 |
| Destination | 192.168.2.1 |
| Port | 80 |
| Protocol | TCP |
This would allow any TCP network traffic from 192.168.1.1 to reach 192.168.2.1 on port 80.
In the PAN NGFW, you could specify a rule that looks more like this:
| Field | Value |
|---|---|
| Action | Allow |
| Source | 192.168.1.1 |
| Destination | 192.168.2.1 |
| Port | 80 |
| Protocol | TCP |
| App-ID | sharepoint-base |
By specifying the App-ID “sharepoint-base”, the NGFW will only permit traffic that it decodes and identifies as matching its “sharepoint-base” application signature. This means only traffic for Microsoft SharePoint’s “base” functions would be permitted. Other SharePoint functions that have their own separate App-ID signatures, such as the following, and all other traffic would be blocked by the firewall:
- sharepoint-admin
- sharepoint-calendar
- sharepoint-blog-posting
- sharepoint-wiki
- sharepoint-documents
App-ID gives you fine-grained control over which applications are permitted to traverse your firewall. In a legacy port-based firewall, any TCP traffic destined for 192.168.2.1 port 80/TCP would be allowed through, including things like application or web server exploits. With App-ID, that traffic would not match the allowed application and would be blocked by the PAN NGFW.
Learn more about App-ID here:
- App-ID documentation for PAN-OS 10.1
- App-ID Tech Brief
- Browse App-ID Signatures
- What is Application Dependency
- Applications with Implicit Support
Zones
In Palo Alto Networks NGFWs, security zones are a way to group physical and virtual interfaces on the firewall in order to segment and control traffic on the network. Initially, your VSYS will be configured to have one security zone per network subnet. In the future, it may be possible to merge subnets into a single zone to simplify security policy where it makes sense.
Security policy rules are applied on traffic between zones. Key concepts:
- Inter-zone traffic (traffic traversing between two zones) will, by default, be denied. You must define security policy with a source and destination zone in order to allow or deny network traffic.
- Note: source and destination zones must be of the same type (e.g. both Layer 3 zones or both Layer 7 zones).
- Intra-zone traffic (traffic between hosts in the same zone) will, by default, be allowed to flow freely.
VSYS administrators will not be able to configure their own zones and interfaces; this must be performed by the Network Operations and Services (NOS) team.
Learn more about security zones here:
Security Profiles
Security profiles allow traffic and content on the network to be scanned for threats such as malware, spyware, viruses, and exploits.
Security profiles are not the same as security policy (or “firewall rules”), and must be attached to existing security policy in order to be applied. When a rule/policy matches traffic and a security profile is attached to that policy, the security profile is applied for further content inspection and scanning such as:
- Anti-Virus Profiles - Antivirus profiles protect against viruses, worms, and trojans as well as spyware downloads.
- Anti-Spyware Profiles - Anti-Spyware profiles block spyware on compromised hosts from trying to phone home or beacon out to external command-and-control (C2) servers.
- Vulnerability Protection Profiles - Vulnerability Protection profiles stop attempts to exploit system flaws or gain unauthorized access to systems.
- URL Filtering Profiles - URL Filtering profiles enable you to monitor and control how users access the web over HTTP and HTTPS (only when SSL decryption has been authorized and configured).
- Data Filtering Profiles - Data filtering profiles prevent sensitive information such as credit card or social security numbers from leaving a protected network.
- File Blocking Profiles - The firewall uses file blocking profiles to block specified file types over specified applications and in the specified session flow direction (inbound/outbound/both).
- WildFire Analysis Profiles - Unknown or suspicious files and links are forwarded to a public or private WildFire cloud for security analysis and to obtain a verdict on whether the file is dangerous and should be blocked.
- DoS Protection Profiles - DoS protection profiles provide detailed control for Denial of Service (DoS) protection policies.
- Zone Protection Profiles - Zone Protection Profiles provide additional protection between specific network zones in order to protect the zones against attack.
A security profile group is a set of security profiles that can be treated as a unit and then easily added to security policies. When you create a new firewall policy, a default security profile group configured by Information Security & Policy is provided and attached to the new policy. This default security profile group will be applied to any new rule you create.
You’re encouraged to use the provided default security profile group, and only remove or customize it for troubleshooting purposes.
Firewall rules migrated from the Cisco ASAs will also have a security profile attached to them. For more information, see the bSecure ISP Customer Handout, which contains details on the default security profiles provisioned by ISP for bSecure customers.
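The following is an added illustration, not PAN-OS code or anything from ISO, that ties together the three ideas above: the App-ID rule from the two tables (a rule that only matches when the decoded application is “sharepoint-base”), the zone defaults (inter-zone traffic denied and intra-zone traffic allowed when no rule matches), and the fact that a security profile group inspects content only after a policy has allowed the session. The zone names, the rule names, and the profile group name `iso-default-profile-group` are constructed placeholders; `intrazone-default` and `interzone-default` are the names PAN-OS itself gives its two built-in default rules.

```python
# Added illustration (not PAN-OS code): a toy model of how a PAN NGFW decides
# whether a session is allowed, and which security profile group then inspects it.
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed placeholder for the default profile group ISO attaches to new rules.
DEFAULT_PROFILE_GROUP = "iso-default-profile-group"


@dataclass(frozen=True)
class Flow:
    """One session as the firewall sees it after App-ID has decoded it."""
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    port: int
    proto: str
    app_id: str  # what App-ID identified, e.g. "sharepoint-base" or "unknown-tcp"


@dataclass(frozen=True)
class Rule:
    """A security policy rule; app_id=None models a legacy port-based rule."""
    name: str
    from_zone: str
    to_zone: str
    src_ip: str
    dst_ip: str
    port: int
    proto: str
    action: str                                      # "allow" or "deny"
    app_id: Optional[str] = None                     # None means "any application"
    profile_group: Optional[str] = DEFAULT_PROFILE_GROUP


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Every field of the rule must match; 'any' in an IP field matches all."""
    if (rule.from_zone, rule.to_zone) != (flow.src_zone, flow.dst_zone):
        return False
    if rule.src_ip not in ("any", flow.src_ip) or rule.dst_ip not in ("any", flow.dst_ip):
        return False
    if rule.port != flow.port or rule.proto != flow.proto:
        return False
    # The App-ID check is what separates the NGFW rule from the legacy one.
    if rule.app_id is not None and rule.app_id != flow.app_id:
        return False
    return True


def evaluate(rules: Sequence[Rule], flow: Flow) -> Tuple[str, str, Optional[str]]:
    """Return (action, name of the rule that decided, profile group applied)."""
    for rule in rules:                               # first match wins, top to bottom
        if rule_matches(rule, flow):
            # Profiles only inspect content that the policy lets through.
            group = rule.profile_group if rule.action == "allow" else None
            return rule.action, rule.name, group
    # No explicit rule matched: fall back to the built-in zone defaults.
    if flow.src_zone == flow.dst_zone:
        return "allow", "intrazone-default", None
    return "deny", "interzone-default", None


# Constructed rules mirroring the two tables above (zone names are assumptions).
LEGACY_RULE = Rule("legacy-port-80", "zone-a", "zone-b",
                   "192.168.1.1", "192.168.2.1", 80, "tcp", "allow")
APPID_RULE = Rule("sharepoint-only", "zone-a", "zone-b",
                  "192.168.1.1", "192.168.2.1", 80, "tcp", "allow",
                  app_id="sharepoint-base")

# Constructed sessions: the same 5-tuple, different identified applications.
SHAREPOINT = Flow("zone-a", "zone-b", "192.168.1.1", "192.168.2.1", 80, "tcp", "sharepoint-base")
SP_ADMIN = Flow("zone-a", "zone-b", "192.168.1.1", "192.168.2.1", 80, "tcp", "sharepoint-admin")
UNKNOWN = Flow("zone-a", "zone-b", "192.168.1.1", "192.168.2.1", 80, "tcp", "unknown-tcp")
SAME_ZONE = Flow("zone-a", "zone-a", "192.168.1.1", "192.168.1.2", 22, "tcp", "ssh")


def demo() -> dict:
    """Collect the decisions so the contrast is visible in one place."""
    return {
        "legacy/unknown-tcp": evaluate([LEGACY_RULE], UNKNOWN),
        "appid/unknown-tcp": evaluate([APPID_RULE], UNKNOWN),
        "appid/sharepoint-base": evaluate([APPID_RULE], SHAREPOINT),
        "appid/sharepoint-admin": evaluate([APPID_RULE], SP_ADMIN),
        "no-rule/intrazone": evaluate([APPID_RULE], SAME_ZONE),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:24} -> {result}")
```

Running it shows the port-based rule allowing the `unknown-tcp` session to 192.168.2.1:80 and handing it to the default profile group, while the App-ID rule lets only `sharepoint-base` through; `sharepoint-admin` and `unknown-tcp` fall to `interzone-default` and are denied, and the session between two hosts in the same zone is allowed by `intrazone-default` even though no administrator-written rule matched it.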
Learn more about security profiles here:
Additional Resources
- It is recommended that you subscribe to the PAN YouTube channel. It contains many useful tutorials and instructional videos.
- Tips & Tricks: Filtering the Security Policy
Questions & Comments
For general questions about security within the Palo Alto Networks NGFW deployment, email security-firewall@berkeley.edu.
To request a new firewall service in the campus Data Center, or modification of an existing service, place a request via the Telecommunications Catalog at http://tc.berkeley.edu/. Support for existing firewall services can be obtained via Campus Shared Services.