pan edu 201 6.0b mod 1 platform

Platforms and Architecture Module 1 PAN-EDU-201 Revision B PAN-OS 6.0

Upload: shahab

Post on 19-Nov-2015


DESCRIPTION

Palo Alto

TRANSCRIPT

Administration and Management

Platforms and Architecture
Module 1
PAN-EDU-201 Revision B
PAN-OS 6.0

PAN-EDU-201 Palo Alto Networks. Confidential and Proprietary. Mod 1-Page1

Agenda Module 1
Hardware Platforms
Single-Pass Architecture
Control Plane and Data Plane
Flow Logic
Initial Configuration GUI, CLI, and API
Module 1 Lab Overview

2 | 2014, Palo Alto Networks. Confidential and Proprietary

Next-Generation Firewalls and Appliances
The PA-Series Hardware Platforms

Hardware Platforms
PA-2000 Series
PA-500
PA-200

PA-3000 Series

Palo Alto Networks has built a next-generation firewall with several innovative technologies enabling organizations to fix the firewall. These technologies bring business-relevant elements (applications, users, and content) under policy control on a high-performance firewall architecture.

Delivered as a purpose-built appliance, every Palo Alto Networks next-generation firewall utilizes dedicated, function-specific processing that is tightly integrated with a single-pass software engine. This unique combination of hardware and software maximizes network throughput while minimizing latency. Each of the hardware platforms supports the same rich set of next-generation firewall features, ensuring consistent operation across the entire line.

Hardware Platforms
PA-5000 Series
PA-7050 Series

The Palo Alto Networks PA-7050 is designed to protect datacenters and high-speed networks with firewall throughput of up to 120 Gbps and full threat prevention at speeds of up to 100 Gbps. The PA-7050 is a modular chassis, allowing you to scale performance and capacity by adding up to six network processing cards as your requirements change; yet it is a single system, making it as easy to manage as all of our other appliances.

Next-Generation Appliances | Malware Management

WF-500 is a private cloud
Designed for organizations with regulatory or privacy concerns.

WF-500

Palo Alto Networks has built a next-generation firewall with several innovative technologies enabling organizations to empower, enhance and fix some of the shortcomings within traditional firewalls. These innovative technologies bring business-relevant elements (applications, users, and content) under policy control via a high-performance firewall architecture.

Delivered as a purpose-built appliance, every Palo Alto Networks next-generation firewall utilizes dedicated, function-specific processing that is tightly integrated with a single-pass software engine. This unique combination of hardware and software maximizes network throughput while minimizing latency. Each of the hardware platforms supports the same rich set of next-generation firewall functions and features, including its operating system, PAN-OS, ensuring consistent operation across the entire line.

The WF-500 is specifically for organizations that prefer not to use public cloud applications because of regulatory and privacy concerns; with the WF-500 they can deploy WildFire as a private cloud.

Note: The WF-500 is fundamentally an x86 dual-processor server, not a PA-Series firewall. It uses a different architecture from the PA-Series firewalls, which use the Single-Pass Parallel Processing (SP3) architecture.

Next-Generation Appliances | Panorama

Panorama management and logging functions on a dedicated appliance
Panorama as a virtual appliance consolidates rack space.

Here we will learn of the Panorama M-100 Virtual Appliance, its purpose and recommended use.


Next-Generation Firewalls | Virtualized Firewalls

Protect virtualized datacenters and East-West traffic using Palo Alto Networks VM-Series next-generation firewalls.

Palo Alto Networks Architecture
The Single-Pass Architecture
The Control Plane and Data Plane
Flow Logic Explained

Single Pass Platform Architecture

Use the same language from the original SP3 slide.

Purpose built: use a racing vehicle analogy (any racing vehicle: a car, a motorcycle, whatever). They go fast because of the sum of their parts: engine, suspension, tires, body, driver.

We did the same thing: built software that was as efficient as possible, using a single pass to perform the heavy lifting (L7 classification and inspection). Operations once per packet: traffic classification (app identification) and content scanning (threats, URLs, confidential data), under one policy.

Then we married it to a hardware platform that scales upwards and downwards, using dedicated processors for networking, security (Cavium multi-core), threat, and management. Separate data/control planes provide built-in resiliency.

Single-Pass Parallel Processing (SP3) Architecture

Single Pass
  Operations once per packet
    Traffic classification (app identification)
    User/group mapping
    Content scanning: threats, URLs, confidential data
  One policy

Parallel Processing
  Function-specific parallel processing hardware engines
  Separate data/control planes

The Palo Alto Networks firewall allows you to specify security policies based on a more accurate identification of each application seeking access to your network. Unlike traditional firewalls that identify applications only by protocol and port number, the firewall uses packet inspection and a library of application signatures to distinguish between applications that have the same protocol and port, and to identify potentially malicious applications that use non-standard ports.

The strength of the Palo Alto Networks firewall is its Single Pass Parallel Processing (SP3) engine. Each of the current protection features in the device (Anti Virus, Spyware, Data Filtering and vulnerability protection) utilizes the same stream-based signature format. As a result, the SP3 engine can search for all of these risks simultaneously.

The advantage of providing a stream-based engine is that the traffic is scanned as it crosses the box with a minimal amount of buffering.

For further explanation, refer to the document Single_Pass_Parallel_Processing_Architecture.pdf on the Palo Alto Networks website.

Single Pass Architecture Engines

App-ID: Identify the application

Content-ID: Scan the content

User-ID: Identify the user

While a seemingly trivial and obvious approach, security software that looks at traffic in a single pass is unique to the Palo Alto Networks next-generation firewall. This approach to processing traffic ensures that each particular task is performed only once on a set of traffic. Key processing tasks are:

Networking and management functionality: at the foundation of all traffic processing is a common networking foundation with a common management structure.

App-ID (Application identification): a combination of application signatures, protocol detection and decryption, protocol decoding, and heuristics to identify applications. This application identification is carried through to the Content-ID functionality to scan and inspect applications appropriate to their use as well as to the policy engine.

Content-ID: a single hardware-accelerated signature matching engine that uses a uniform signature format to scan traffic for data (credit card numbers, social security numbers, and custom patterns) and threats (vulnerability exploits (IPS), viruses, and spyware), plus a URL categorization engine to perform URL filtering.

User-ID: maps IP addresses to Active Directory users and users to groups (roles) to enable visibility and policy enforcement by user and group.

Policy engine: based on the networking, management, User-ID, App-ID, and Content-ID information, the policy engine is able to enforce a single security policy on traffic.

Control Plane and Data Plane

Signature Match Processor
  Palo Alto Networks uniform signatures
  Multiple memory banks: memory bandwidth scales performance

Multi-Core Security Processor
  High density processing for flexible security functionality
  Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)

Dedicated Control Plane
  Highly available mgmt
  High speed logging and route updates

Network Processor
  Front-end network processing offloads security processors
  Hardware accelerated QoS, route lookup, MAC lookup and NAT

[Diagram labels: Control Plane (dual-core CPU, RAM, HDD); Data Plane (Signature Match Processor with RAM; CPU1 to CPU16 with SSL, IPSec, De-Compression and RAM; QoS; Route, ARP, MAC lookup; NAT)]

* Implemented in software on PA-200 and PA-500
** Implemented in software on the PA-200, PA-500, and PA-3020

With Palo Alto Networks single pass parallel processing architecture, hardware acceleration is provided for each of the major functionality blocks:

Networking tasks (per packet routing, flow lookup, stats counting, NAT, and similar functions) are performed on a dedicated network processor.

User-ID, App-ID, and policy engine all occur on a multicore (up to 16 cores) security processor with hardware acceleration for encryption, decryption, and decompression.

Content-ID performs the signature lookup via a dedicated FPGA with dedicated memory.

Management functionality is provided via a dedicated control plane processor that drives the configuration management, logging, and reporting without touching data processing hardware.

Flow Logic of the Next-Generation Firewall

This diagram is a simplified version of the flow logic of a packet traveling through a Palo Alto Networks firewall. The course will reference this diagram to address where specific concepts fit into the packet processing sequence.

Refer to the document Packet Flow in PAN-OS on the KnowledgePoint site for a more complete understanding of the session flow through the Palo Alto next-generation firewall.

Configuration and Management
Your Initial Configuration

Initial Configuration - Hardware

Initial configurations must be performed over the dedicated out-of-band management interface (MGT) or a Console connection.

The device has the following default values:
  MGT interface IP address: 192.168.1.1
  User name: admin
  Password: admin

Management Port

Palo Alto Networks firewalls are built with a dedicated out-of-band management interface labeled MGT. This interface only passes management traffic for the device and cannot be configured as a standard traffic interface. Administrators use this interface for direct connectivity to the management plane of the firewall. By default, this interface has an IP address of 192.168.1.1.

Initial configuration of the firewall can be accomplished by connecting to the MGT interface address or through a console session on the firewall. The console interface is an RJ-45 connection for all devices except for the PA-4000 series, which uses a serial interface instead.

The default username of admin has a default password of admin. A warning message will appear in both the GUI and the CLI until the default password is changed. The admin account cannot be deleted or disabled.

The system defaults can be restored by performing a factory-reset of the device from Maintenance Mode. Refer to the support website for instructions for this procedure.


Configuring the MGT interface - CLI
Configure the IP address on the Next Generation Firewall

> configure
Entering configuration mode
# set deviceconfig system ip-address 10.30.11.1 netmask 255.255.255.0 default-gateway 10.30.11.254 dns-setting servers primary 172.16.20.230
# commit
....10%....20%....30%....40%....50%....60%....70%....80%....90%....100%
Configuration committed successfully

[Diagram: Internet, gateway 10.30.11.254, firewall MGT 10.30.11.1 on 10.30.11.0/24, DNS: 172.16.20.230]

This example shows the steps to configure the networking of the MGT interface of a PA-500 firewall for use in the training lab.

The MGT interface is for the management of the firewall only. If desired, the device can be configured to allow firewall management over the traffic interfaces. However, the MGT interface cannot be set up to pass regular traffic.

The device requires updates to software and to the databases to maintain the most current protection levels. The MGT interface or a traffic interface must be configured to allow these updates to be downloaded. The firewall requires DNS name resolution to connect to the update servers.

Configuring the MGT interface - GUI
Device > Management

The MGT interface can also be set up with the GUI. Palo Alto Networks firewalls are configured with an IP address of 192.168.1.1 on the MGT interface by default.

Assign the Ethernet interface on your computer a 192.168.1.0/24 address and connect to the MGT interface with an Ethernet cable. Launch a web browser connection to https://192.168.1.1 and log in using the default user name and password. Click Device > Setup > Management then click the button on the Management Interface Settings panel. From this location, you can set the networking information for the MGT interface of your firewall.

The GUI is supported on Internet Explorer 7+, Firefox 3.6+, Safari 5+, and Chrome 11+.

By default, HTTP and telnet are disabled on the MGT interface but HTTPS, SSH, Ping, and SNMP are allowed. These settings can be configured as appropriate for your environment. For additional security, the Permitted IP Addresses field restricts administrative access to specific IP addresses.
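
One way to check the settings described above in an exported set-format configuration, as an added example that is not part of the course material. The key names `service disable-<name>` and `permitted-ip` are not shown on the page and are assumed here; the sample configurations are constructed.

```python
"""Added example: audit MGT-interface settings in a PAN-OS set-format config."""
import ipaddress

FACTORY_MGT_IP = "192.168.1.1"  # factory default stated on the page
# Factory service state stated on the page: HTTP/telnet off, the rest on.
SERVICE_DEFAULTS = {"http": False, "telnet": False, "https": True,
                    "ssh": True, "icmp": True, "snmp": True}
CLEARTEXT_SERVICES = ("http", "telnet")
PREFIX = ["set", "deviceconfig", "system"]


def parse_mgmt_settings(config_text):
    """Collect the MGT IP, enabled services and permitted-ip entries.

    Assumed key names (not shown on the page): `service disable-<name> yes|no`
    and `permitted-ip <address>` under `deviceconfig system`.
    """
    settings = {"ip": FACTORY_MGT_IP, "services": dict(SERVICE_DEFAULTS), "permitted": []}
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:3] != PREFIX:
            continue
        rest = tokens[3:]
        if len(rest) >= 2 and rest[0] == "ip-address":
            settings["ip"] = rest[1]
        elif len(rest) >= 2 and rest[0] == "permitted-ip":
            settings["permitted"].append(rest[1])
        elif len(rest) == 3 and rest[0] == "service" and rest[1].startswith("disable-"):
            name = rest[1][len("disable-"):]
            if name in settings["services"]:
                # "disable-telnet no" means telnet is enabled.
                settings["services"][name] = rest[2] == "no"
    return settings


def audit_mgmt(config_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_mgmt_settings(config_text)
    findings = []
    if s["ip"] == FACTORY_MGT_IP:
        findings.append("MGT interface still uses the factory address 192.168.1.1")
    for name in CLEARTEXT_SERVICES:
        if s["services"][name]:
            findings.append(f"{name} is enabled: admin credentials cross the network in cleartext")
    if not s["permitted"]:
        findings.append("no permitted-ip entries: admin services answer any source address")
    for entry in s["permitted"]:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"permitted-ip entry {entry!r} is not a valid address")
            continue
        if net.prefixlen == 0:
            findings.append(f"permitted-ip entry {entry} allows every address")
    return findings


# Constructed sample configs (lab addresses taken from the page's CLI example).
HARDENED = """\
set deviceconfig system ip-address 10.30.11.1 netmask 255.255.255.0 default-gateway 10.30.11.254
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-http yes
set deviceconfig system permitted-ip 10.30.11.0/24
"""
WEAK = """\
set deviceconfig system service disable-telnet no
set deviceconfig system permitted-ip 0.0.0.0/0
"""

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_mgmt(cfg) or "no findings")
```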

If you experience intermittent GUI connectivity issues, changing the Speed attribute from auto-negotiate to match the settings of your network may alleviate the problem.

Administrative Controls


Administrators have multiple options when configuring a Palo Alto Networks firewall.

The most common way of managing the device is through the web interface (GUI). Administrators can configure and monitor the firewall over HTTP/HTTPS from a web browser. This graphical interface provides detailed administrative and reporting tools in an intuitive web format.

The PAN-OS CLI allows you to access the firewall, view status and configuration information, and modify the configuration. Access to the PAN-OS CLI is provided through SSH, Telnet, or direct console access.

Palo Alto Networks also provides a Representational State Transfer (REST)-based interface to access device configuration, operational status, reports, and packet captures from the firewall. There is an API browser available on the firewall at https://hostname/api, where hostname is the host name or IP address of the firewall. This link provides help on the parameters required for each type of API call.

Navigating the GUI

Functional Category Tabs
Display Tasks List

The PAN-OS WebUI is consistent across all Palo Alto Networks firewall hardware types. Administrators will see the same interface when they connect to a PA-200 as when they connect to a PA-5050.

The management tools are grouped according to functional categories. These categories are listed as tabs at the top of the interface to allow for ease of switching between administrative tasks. Blue text indicates a link which can be clicked for additional information or to configure that feature.

The Tasks button at the bottom right of the screen provides a list of running and completed tasks for this firewall. This button is especially useful when verifying that configuration changes have been committed.

The Help button opens an HTML-formatted version of the PAN-OS Administrator Guide. This searchable manual provides information about the options shown on screen when it is clicked.

Language Preference Setting

The web interface defaults to US English but can be set to other languages if desired. Currently supported languages are:
Chinese Traditional
Chinese Simplified
English
French
Japanese
Spanish

Inform the students: language selection is dynamic and does not require a commit operation or a reboot of the interface.

GUI error prompts

The GUI provides guidance as you configure the firewall. Red underlines indicate tabs that contain at least one required field. Yellow highlights specify required fields. The OK button will be unavailable if the interface is missing required information.

Application Command Center (ACC) Tab
Displays highest counts for specific monitoring categories: Application, URL Filtering, Threat, Data Filtering
Shows counts for top addresses, countries, zones, and rules
Used to create dynamic reports
  Filter
  Sort

Links to log information
  Click an icon to jump to the corresponding log in the Monitor tab
  Filters set in the ACC will be applied to the log after the jump

When analyzing network traffic, a good starting point is the Application Command Center (ACC) tab, which provides a high-level overview of network traffic based on application and threat visibility. The ACC displays the overall risk level for your network traffic, the risk levels and number of threats detected for the most active and highest-risk applications on your network, and the number of threats detected from the busiest application categories and from all applications at each risk level. The ACC can be viewed for the past hour, day, week, month, or any custom-defined time frame.

Risk levels range from 1 (low) to 5 (high) and indicate the application's relative security risk based on criteria such as whether the application can share files, is prone to misuse, or tries to evade firewalls.

Monitor tab - Logs
Policies generate information that is added to log databases
Monitor > Traffic

The Monitor tab displays the logs for the Palo Alto Networks firewall. Log entries are added to the traffic database at end of session by default. All other logs are updated when a policy match occurs while processing network traffic.

The logs in the Monitor tab show a summary of the event in the GUI. For a more detailed description of the event, click the magnifying glass icon on the left side of the entry.

CLI Modes
The CLI has functional modes: Operational and Configuration

Operational Mode
  Default mode when you first log in
  Represented by the > prompt on the interface
  Involves actions which are executed immediately
  Actions do not require a commit operation

Configuration Mode
  Issue the configure command to transition from Operational to Configuration mode
  Represented by the # prompt on the interface
  Changes will be stored in firewall memory until a commit operation is run

When you first log in, the PAN-OS CLI opens in Operational mode. Operational mode commands involve actions that are executed immediately. They do not involve changes to the configuration, and do not need to be saved or committed.

When you enter Configuration mode and enter commands to configure the firewall, you are modifying the candidate configuration. The modified candidate configuration is stored in firewall memory and maintained while the firewall is running. Each configuration command involves an action, and may also include keywords, options, and values. Entering a command makes changes to the candidate configuration.

The most common CLI response is invalid syntax, caused by entering incomplete command keywords.

CLI Tools
Commands and options must be typed completely
  The Tab key and Space bar will auto-complete
Most output can be piped through a match or except filter to limit results

Online help: ? or Tab key
  Online help will provide a list of available options
  If no output is given, preceding option is invalid
  Standard help messages include:
    *  This option is required
    >  Additional nested options for this command
    +  Additional command options can be added to this command
    |  Pipe command output through match or except filter
       Command can be executed without further options

The built-in help function of the CLI allows the administrator to look up commands and options without leaving the interface.

For example, if an administrator was attempting to configure security rules and forgot the available options, this might be the output:

username@hostname# set rulebase security rules rule1 profiles ?
+ virus          Help string for virus
+ spyware        Help string for spyware
+ vulnerability  Help string for vulnerability
+ group          Help string for group
  Finish input
[edit]

Find Command Overview
It may be difficult to remember op commands or configuration hierarchies
The Find command helps administrators locate keywords for operational commands within the command hierarchy
Works for all admin roles though output is limited to the allowed commands
All command combinations are pre-generated to provide a better user experience

CLI Find Command with Keyword
Find commands in CLI (with or without quotes)

admin@PA-500> find command ?
+ keyword  CLI keyword
  Finish input

admin@PA-500> find command keyword fpga
debug device-server set config
debug device-server unset config
debug dataplane fpga set sw_aho
debug dataplane fpga set sw_dfa
debug dataplane fpga set sw_dlp
debug dataplane fpga state

Find configurations in configure mode

admin@PA-500# find command keyword "tcp asymmetric-path"
set deviceconfig setting tcp asymmetric-path

Notice that a search for the keyword fpga returns a total of 6 different commands containing that keyword.

Quotation marks are an optional way to search for a specific character string. Also use quotations to search for multiple words in a specified sequence. For example, to search for a string of words such as "tcp asymmetric-path" above, you must use quotations or you will receive an invalid syntax response.

CLI Find Command w/o Keyword
Find commands without keyword will display all commands

admin@PA-500> find command
target set
target show
schedule uar-report user user-group skip-detailed-browsing title period start-time end-time vsys
schedule botnet-report period topn query
clear arp |
clear neighbor |
clear mac |
clear job id
clear query id
clear query all-by-session
clear report id
clear report all-by-session
[...]

To search all available commands, use find command without a keyword for a complete listing of commands.

Debug Quick Reference

CLI commands
  show jobs all
  find command keyword

Debugs
  debug device-server dump tag-table tag
  debug management-server on debug

Logs
  less mp-log ms.log

PAN-OS REST API
Allows an external system to execute commands remotely on a PAN firewall or a Panorama server

Used to:
  Read/Write firewall Configuration commands
  Import dynamic and software updates
  Export firewall information (e.g. configuration, certificates, logs)
  Extract data in XML format for use in other report writing systems
  Execute Operational commands

[Diagram: External System, REST API over SSL, Device Config / Report data]

PAN-OS provides a RESTful XML API to manage both the Firewall and Panorama devices. The API allows access to several types of data on the device so they can be easily integrated with and used in other systems. The API is provided as a web service that is implemented using HTTP requests and responses.

The API connection is treated as general administrator web access with the same source address restriction and timeout settings. For security, the connection requires a key generated with admin ID and password info or a current authenticated administrative session.

An XML API usage guide is available on the DevCenter online community at http://live.paloaltonetworks.com.

API Browser
API browser shows the XML and API formatted versions of selected CLI commands
https://hostname/api

There is an API browser available on the firewall at https://hostname/api, where hostname is the host name or IP address of the firewall.

You need to be logged in to the device's web interface to be able to view the API browser. Once you have logged onto the firewall, change the URL to https://hostname/api.

You can use the API browser to navigate the different API requests that are available for use. For configuration commands, you can navigate to any path and view the corresponding xpath and API URL in the browser. For Operational commands and Commit commands, you can navigate to a specific command to see the XML body to use for the command parameter. For reports, you can view the report names for all the supported dynamic and predefined reports.
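
A minimal client for the two steps described above (generating a key from admin credentials, then sending an operational command as the XML body the API browser shows), as an added example that is not part of the course material. The parameter names `type`, `user`, `password`, `key` and `cmd` are not shown on the page; the host name and the sample replies are constructed.

```python
"""Added example: PAN-OS XML API requests (keygen, op) and reply parsing."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


class PanApiError(Exception):
    """The firewall returned status="error" or a reply we cannot parse."""


def build_request(host, params):
    """Build a POST to https://<host>/api/.

    Parameters travel in the POST body rather than the URL so the password
    and API key stay out of browser history and proxy or web-server logs.
    """
    body = urllib.parse.urlencode(params).encode("ascii")
    return urllib.request.Request(f"https://{host}/api/", data=body, method="POST")


def keygen_params(user, password):
    """Parameters that exchange admin credentials for an API key."""
    return {"type": "keygen", "user": user, "password": password}


def op_params(key, cmd_xml):
    """Parameters for an operational command given as its XML body."""
    ET.fromstring(cmd_xml)  # raises ParseError on malformed XML before anything is sent
    return {"type": "op", "cmd": cmd_xml, "key": key}


def parse_response(xml_text):
    """Validate the <response status="..."> envelope and return <result>."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise PanApiError(f"unparseable reply: {exc}") from exc
    if root.tag != "response" or root.get("status") != "success":
        raise PanApiError("".join(root.itertext()).strip() or "request failed")
    result = root.find("result")
    if result is None:
        raise PanApiError("reply has no <result> element")
    return result


def extract_key(xml_text):
    """Return the API key from a keygen reply."""
    key = parse_response(xml_text).findtext("key")
    if not key:
        raise PanApiError("keygen reply carried no key")
    return key


def system_info(xml_text):
    """Flatten the <system> block of a 'show system info' reply into a dict."""
    system = parse_response(xml_text).find("system")
    if system is None:
        raise PanApiError("reply has no <system> element")
    return {child.tag: (child.text or "").strip() for child in system}


def call(host, params, cafile=None, timeout=10):
    """Send one request; the default context verifies certificate and host name.
    Pass cafile when the firewall certificate is signed by an internal CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(build_request(host, params), context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


SHOW_SYSTEM_INFO = "<show><system><info></info></system></show>"

# Constructed sample replies so the parsing runs offline.
KEYGEN_REPLY = '<response status="success"><result><key>CONSTRUCTED-KEY-0000</key></result></response>'
ERROR_REPLY = '<response status="error" code="403"><result><msg>Invalid credentials.</msg></result></response>'
INFO_REPLY = ('<response status="success"><result><system>'
              "<hostname>PA-500</hostname><ip-address>10.30.11.1</ip-address>"
              "<sw-version>6.0.0</sw-version></system></result></response>")

if __name__ == "__main__":
    key = extract_key(KEYGEN_REPLY)
    req = build_request("firewall.example.test", op_params(key, SHOW_SYSTEM_INFO))
    print(req.get_method(), req.full_url)
    print(system_info(INFO_REPLY))
    # Live use: call("firewall.example.test", keygen_params("apiuser", password))
```

Because the API connection is treated as general administrator web access, the key carries that administrator's rights and should be stored and rotated like a password.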

Questions?

Module 1 Labs